SOX and the COSO Principles


One of the requirements for the SOX compliance program is that the assessment is based on a recognized internal control framework. In practice, this is (almost) always the 2013 COSO Internal Control Framework.

COSO says that a system of internal control is effective if it “provides reasonable assurance regarding the achievement of an entity’s objectives. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives.”

However, it goes on to say that for a system of internal control to be considered effective, all relevant principles must be “present and functioning”.

COSO says that they can be considered “present and functioning” if there are no related “major deficiencies” that would prevent reasonable assurance of achieving the objective(s); for SOX, this equates to having no related material weaknesses.

When the 2013 update was released, I said that this meant three things:

  1. It is necessary to confirm which of the COSO principles are relevant to the assessment.
  2. The way to confirm that they are present and functioning is by indicating which key controls are relied upon for that purpose and confirming that they are adequately designed and operating…
