Components of the Sarbanes-Oxley Act
Internal controls are essential to running a successful operation, whether small or large. In 2002 the U.S. Congress passed the Sarbanes-Oxley Act (SOX), a far-reaching piece of legislation focused on internal controls. It was intended to prevent corporate accounting fraud and reshaped financial reporting and the accounting and auditing profession. The act responded to a wave of corporate accounting scandals, most notably the collapse of Enron and its massive bankruptcy filing in 2001. SOX affects not only firms headquartered in the United States but also foreign companies whose securities are registered with the SEC or listed on U.S. exchanges.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a group dedicated to providing leadership and guidance in developing frameworks for risk management, internal control, and fraud deterrence. Based on its integrated internal control framework, COSO develops guidance that public companies (and their independent auditors), the Securities and Exchange Commission (SEC), and other regulators use to comply with SOX. By-products of the legislation include software packages for documenting internal controls and programs designed to help companies meet the act's requirements.
Two sections of SOX, section 302 and section 404, place personal responsibility on the chief executive officer (CEO) and chief financial officer (CFO) of public companies. Section 302 requires the CEO and CFO to certify personally that their company's financial statements are accurate and complete and that internal controls are adequate. Section 404 requires management to assess and report on the effectiveness of the organization's internal controls over financial reporting in the annual report and, for larger filers, requires the external auditor to attest to that assessment. Top management in public companies must therefore understand their internal controls and are legally liable if they knowingly misrepresent their state. This does not mean that the CEO and CFO create, implement, and monitor each internal control themselves. The organization relies on both internal and external auditors to ensure internal controls are functioning appropriately. An internal auditor is an employee of the company responsible for objectively monitoring and evaluating financial and organizational activities. An external auditor is an independent auditor from outside the organization who reviews the financial reporting to confirm its accuracy. External auditors are responsible for reviewing internal controls, while internal auditors typically run the mechanics of internal control. External auditors communicate internal control weaknesses and suggested improvements in the management letter issued as part of the audit process. However, the need for internal controls should not be driven by legislation alone. In any organization, maintaining accurate and reliable records is important for decision-making.
Relationship of Control Objectives and Components to Organizational Levels
Impact of Internal Control
Managers require reliable records and reports to make sound costing and pricing decisions, as well as other operational and strategic decisions. Beyond controls over financial reporting and accounting records, internal controls also protect and safeguard the organization's assets. Overseeing internal controls is an important management responsibility in any organization. For instance, a company that provides laptops to its employees would require an explanation if any of the laptops went missing. Another example is a retailer seeking to prevent or minimize loss from theft or damage of the inventory it sells in its stores.

Consider an employee who files an expense report for travel and meals for reimbursement. The employee normally cannot approve and process his or her own expense report. The report must be approved by a manager and is then forwarded to the accounts payable department for processing. This control exists because an employee may file false claims or commit employee fraud: internal fraud committed by an employee against the company, such as cash theft, expense reimbursement fraud, or use of company funds to pay for personal purchases. Segregation of duties assigns responsibilities and divides the workflow so that no single person can both initiate and approve (or approve and pay) a transaction, which prevents fraud or other unethical practices and ensures that transactions are properly authorized. A well-defined organizational structure with clear lines of authority and responsibility should be in place to facilitate the review and approval process.
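The expense-report control above is simple to state but easy to get wrong in software, where a single role or a missing comparison can let one identity hold two conflicting duties. The following is an added example, not code from the original page: a small Python workflow that enforces segregation of duties at each step (the submitter can never approve, the approver must be the submitter's manager, and accounts payable can only pay a claim it neither filed nor approved) and keeps an audit trail of who did what. The user directory, role names, and the "approver must be the direct manager" rule are assumptions made for the illustration.

```python
"""Segregation-of-duties enforcement for an expense-reimbursement workflow.

Added example, not from the original page. The users, role names and the
rule that an approver must be the submitter's direct manager are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class Role(Enum):
    EMPLOYEE = auto()
    MANAGER = auto()
    ACCOUNTS_PAYABLE = auto()


class Status(Enum):
    SUBMITTED = auto()
    APPROVED = auto()
    PAID = auto()


class SoDViolation(Exception):
    """One identity would hold two conflicting duties on the same report."""


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset
    manager_id: Optional[str] = None


@dataclass
class ExpenseReport:
    report_id: int
    submitter_id: str
    amount: float
    status: Status = Status.SUBMITTED
    approver_id: Optional[str] = None
    processor_id: Optional[str] = None
    audit_log: list = field(default_factory=list)  # (action, actor) in order


class ExpenseWorkflow:
    def __init__(self, users):
        self.users = {u.user_id: u for u in users}
        self._next_id = 1

    @staticmethod
    def _require_role(user: User, role: Role, action: str) -> None:
        if role not in user.roles:
            raise PermissionError(f"{user.user_id} lacks {role.name} for {action}")

    def submit(self, submitter: User, amount: float) -> ExpenseReport:
        self._require_role(submitter, Role.EMPLOYEE, "submit")
        if amount <= 0:
            raise ValueError("amount must be positive")
        report = ExpenseReport(self._next_id, submitter.user_id, amount)
        self._next_id += 1
        report.audit_log.append(("submit", submitter.user_id))
        return report

    def approve(self, report: ExpenseReport, approver: User) -> ExpenseReport:
        if report.status is not Status.SUBMITTED:
            raise ValueError(f"report {report.report_id} is {report.status.name}")
        self._require_role(approver, Role.MANAGER, "approve")
        # Core SoD rule: whoever filed the claim can never approve it,
        # even if they also hold the MANAGER role.
        if approver.user_id == report.submitter_id:
            raise SoDViolation("submitter cannot approve own report")
        # Assumed policy: approval must come from the submitter's own manager.
        if self.users[report.submitter_id].manager_id != approver.user_id:
            raise PermissionError("approver is not the submitter's manager")
        report.status = Status.APPROVED
        report.approver_id = approver.user_id
        report.audit_log.append(("approve", approver.user_id))
        return report

    def process(self, report: ExpenseReport, processor: User) -> ExpenseReport:
        if report.status is not Status.APPROVED:
            raise ValueError(f"report {report.report_id} is {report.status.name}")
        self._require_role(processor, Role.ACCOUNTS_PAYABLE, "process")
        # Second SoD boundary: payment is released by someone who neither
        # filed nor approved the claim.
        if processor.user_id in (report.submitter_id, report.approver_id):
            raise SoDViolation("processor must be independent of submitter and approver")
        report.status = Status.PAID
        report.processor_id = processor.user_id
        report.audit_log.append(("process", processor.user_id))
        return report


def build_demo_users():
    """Constructed directory for the example (not real data)."""
    return [
        User("alice", frozenset({Role.EMPLOYEE}), manager_id="bob"),
        User("bob", frozenset({Role.EMPLOYEE, Role.MANAGER}), manager_id="carol"),
        User("carol", frozenset({Role.MANAGER, Role.ACCOUNTS_PAYABLE})),
        User("dana", frozenset({Role.ACCOUNTS_PAYABLE})),
    ]


if __name__ == "__main__":
    wf = ExpenseWorkflow(build_demo_users())
    r = wf.submit(wf.users["alice"], 240.0)
    wf.approve(r, wf.users["bob"])
    wf.process(r, wf.users["dana"])
    print(r.status.name, r.audit_log)
```

The point of the design is that the checks compare identities, not just roles: bob legitimately holds MANAGER, yet cannot approve his own claim, and carol holds ACCOUNTS_PAYABLE, yet cannot pay a claim she approved. In a real system the audit log would be written to append-only storage that none of the three parties can alter, which is what lets an internal or external auditor later confirm the control actually operated.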