Management's evaluation of internal controls under Section 404(a) using the COSO 1992 control framework: Evidence from p



Parveen P. Gupta is Professor of Accounting and Department Chair at Lehigh University. His teaching and research activities focus on corporate governance, internal control evaluations under Sarbanes–Oxley Sections 302 and 404, risk and control self-assessment, and internal auditing. He has authored numerous research monographs and research articles in a number of related areas. His most recent co-authored book on Sarbanes–Oxley was published by Risk Books. During the 2006–2007 academic year, he served as an Academic Accounting Fellow with the US Securities and Exchange Commission, working on a variety of topics including internal control assessments under Section 404 and revisions to Auditing Standard No. 2, which was replaced by Auditing Standard No. 5.

EXECUTIVE SUMMARY

KEYWORDS: Sarbanes–Oxley Act, Section 404, COSO 1992 control model, internal control assessment

A large number of surveys and research studies have been conducted to document the costs and benefits of implementing the Section 404 internal control certification requirements. Overall, these studies conclude that for companies of all sizes — accelerated and nonaccelerated filers — costs far outweigh the benefits, and that sustaining compliance with Section 404 at such high costs would make US capital markets much less competitive in future. None of these research studies, however, has focused on analysing one of the key aspects of SOX 404 implementation — that is, how companies are utilising the COSO 1992 control framework to carry out their mandate under Section 404(a). Although the COSO Committee issued an ERM-based control framework in 2004, the COSO 1992 control model has so far remained the framework of choice for the majority of the companies that have filed their Section 404 certifications. This research paper attempts to understand how the guidance presented in this control model is being utilised by documenting the current implementation practices at a cross-section of the SEC registrants. By analysing the responses of 374 survey participants from companies of all sizes, this research study documents that companies are relying more on the internal control auditing standard than on the guidance provided in the COSO 1992 control framework to conduct their ICFR evaluations. Such a significant nonreliance on the most widely cited control model should be of concern to audit committees, senior company managers, external and internal auditors, and standard-setting and regulatory agencies in the US and abroad, as various other countries assess the practicality and viability of implementing similar rules in their jurisdictions. Given the findings reported in this research paper, investors may question the robustness of the ICFR assessment assurances provided to them by the companies in their Section 404(a) management reports, and audit committees may wonder whether they are being given a false sense of security that their company’s ICFR is effective. Similarly, external auditors may question the basis of their client’s claim that they have co