SOX and the COSO Principles
One of the requirements for the SOX compliance program is that the assessment is based on a recognized internal control framework. In practice, this is (almost) always the 2013 COSO Internal Control Framework.
COSO says that a system of internal control is effective if it “provides reasonable assurance regarding the achievement of an entity’s objectives. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives.”
However, it goes on to say that for a system of internal control to be considered effective, all relevant principles must be “present and functioning”.
COSO says that they can be considered “present and functioning” if there are no related “major deficiencies” that would prevent there being reasonable assurance of achieving the objective(s); for SOX, this equates to having no related material weaknesses.
When the 2013 update was released, I said that this meant three things:
- It is necessary to confirm which of the COSO principles are relevant to the assessment.
- The way to confirm that they are present and functioning is by indicating which key controls are relied upon for that purpose and confirming that they are adequately designed and operating effectively.
- If there was a failure in a control relied upon for the presence and functioning of a principle, that failure could not be a material weakness. In other words, a principle can be considered present and functioning even if there are failures of related controls as long as those failures do not mean there is at least a reasonable possibility of a material error or omission in the filed financial statements.
It is nearly eight years since that update, when I suggested that one or more of the COSO principles might not be relevant for SOX – meaning that even their total absence would not amount to a material weakness (as defined).
For example, the second principle is:
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
I contend that while it may be relevant for some control objectives, it is not relevant for SOX. A private company that does not have independent directors can still have effective internal control over financial reporting.
I have questions for you that I would appreciate your answering in the comments below for everybody to consider. (In other words, please do not post your answers only on LinkedIn.)
- Have you considered whether any of the COSO principles are not relevant for your SOX program?
- Which ones were considered not relevant?
- Have you discussed this with your external auditor?
- Did they agree, and if not why not?
Thanks – and I look forward to your thoughts on the post and the answers to my questions.
PS – If you are interested in attending one of my SOX Masters classes, please contact Emily Jones at emilyj@marcusevansch.com.
A question on this: Given that risk management is one of the five COSO elements of internal control, and given that few companies seem to be doing it very well (a la NCSU’s annual survey), how does this ‘weakness’ factor into COSO reporting? Just curious.
Good question. It really doesn’t factor into SOX compliance. There is a risk assessment requirement, but that relates specifically to the risk of a material error or omission in the filed financial statements. You can have that without any ERM program.