How the COSO Framework Helps You Comply with SOX

Published June 4, 2020. 5 min read

In May 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated Internal Control-Integrated Framework. COSO is an organization that aims to improve organizational performance and corporate governance through effective internal control, enterprise risk management, and fraud deterrence.

COSO is a joint initiative of five private-sector organizations: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Financial Executives International (FEI), the Institute of Management Accountants (IMA), and the Institute of Internal Auditors (IIA).

To implement the COSO internal control framework, you need to assess the new framework’s five components, i.e., control environment, risk assessment, control activities, information and communication, and monitoring activities, as well as its 17 principles against your current internal control system, and make any necessary adjustments.

Auditors evaluating your internal control over financial reporting (ICFR) will judge it against the COSO standard. When even one of the 17 principles doesn’t function properly, a “major deficiency” exists, which is a “material weakness” under the Sarbanes-Oxley Act (SOX) Section 404.

Sarbanes-Oxley Act

That means if you don’t enforce the principles of the COSO framework, you could be violating the requirements of the federal Sarbanes-Oxley Act. The United States Congress passed the Sarbanes-Oxley Act (SOX) in 2002 to help protect investors and the public from fraudulent financial reporting by corporations. 

The Sarbanes-Oxley Act of 2002 aims to ensure that companies with public shareholders accurately represent their financial state so that their investors can better understand the risks. As such, the Sarbanes-Oxley Act mandates greater auditor independence, enhanced corporate governance, documentation of internal controls, and improved financial disclosures. 

To comply with the Sarbanes-Oxley Act, you must have the correct internal controls in place to ensure your financial data is accurate. All your financial and business transaction records and data, including electronic records and messages, are subject to audit. In addition, the networks and devices you use to transmit and store pertinent documents must also comply with the Sarbanes-Oxley Act.

The Sarbanes-Oxley Act applies to:

  • Every publicly held American company,
  • Any international company that has registered equity or debt securities with the U.S. Securities and Exchange Commission (SEC),
  • Any accounting firm or other third party that provides financial services to either a publicly held American company or an international company that has registered equity or debt securities with the SEC.

Private companies can also adopt SOX-related guidelines to decrease liability costs, guarantee capital, and engender public goodwill. In addition, if a private company anticipates that it will be acquired by a public company, adopting SOX regulations can be critical. That’s because lending institutions and investors may be more apt to support a company if they perceive that the organization employs strong governance practices.

Prepare for SOX Compliance

The first thing your IT manager should do to prepare your company for SOX compliance is to understand the sections of the Sarbanes-Oxley Act that have specific implications for data management, reporting, and security. 

Section 302

This section relates to your financial reporting. The Sarbanes-Oxley Act requires that your CEO and CFO certify that all your financial records are complete and accurate. That means they’re required to confirm that they accept personal responsibility for all internal controls and that they have reviewed these internal controls in the previous 90 days. These internal controls include your information security infrastructure, so you need to ensure that you’re enforcing high security standards.

Section 404

This section provides additional requirements for monitoring and maintaining the internal controls that pertain to your accounting and financials. Section 404 mandates that you have an outside firm conduct an audit of these internal controls every year. The independent auditor determines how effective your internal controls are and reports the findings to the SEC.

A SOX compliance audit measures how well your company manages its internal controls. While the Sarbanes-Oxley Act doesn’t mention information security specifically, an internal control is considered to be any type of protocol that governs the infrastructure handling your financial data.

Penalties for SOX non-compliance

Formal penalties for SOX non-compliance can include fines, removal from listings on public stock exchanges, and the invalidation of the insurance policies of your directors and officers. Under the Sarbanes-Oxley Act, CEOs and CFOs who willfully submit an incorrect certification to a SOX compliance audit can face fines of up to $5 million and up to 20 years in prison.

COSO Framework

Although the COSO framework can benefit any company, it’s particularly relevant for public companies that are subject to Section 404 of the Sarbanes-Oxley Act. Most of the public companies that have to comply with Section 404 of the Sarbanes-Oxley Act have used COSO’s framework to implement internal controls and evaluate their effectiveness.

The COSO framework is built around these five interconnected components:

  1. Control environment: The set of standards, processes, and structures that provide the foundation for carrying out internal control across your organization.
  2. Risk assessment: The process for identifying and assessing risks associated with achieving your organization’s objectives.
  3. Control activities: These actions help ensure that your company carries out the instructions issued by management to mitigate risks. These directives can include reconciliations, verifications, authorizations and approvals, segregation of duties, and business performance reviews.
  4. Information and communication: The flow of information that’s required to support your internal control function. This includes upstream and downstream communication within your organization and with external parties, such as suppliers, customers, shareholders, and regulators.
  5. Monitoring: The ongoing evaluation of the performance of your internal control system over time.

Your internal control system is considered effective only if all five of these components and the relevant principles are “present” and “functioning.” That means your organization has to design and implement a system that incorporates these components and principles. 

In addition, your organization also must ensure that these components and principles operate together in an integrated way and “continue to exist in the conduct of the system of internal control to achieve specific objectives,” according to the COSO framework.

The principles of the COSO framework recognize that investors and other stakeholders demand greater transparency and accountability. Therefore, the framework includes: 

  • Details about the need to consider potential fraud when you assess your risks,
  • Information about the impact of information technology on your business processes and reporting, and 
  • Details about non-financial and internal reporting as well as financial reporting.

The COSO framework allows your directors and leadership to exercise judgment in designing, implementing, and adhering to the internal controls that are appropriate for the company and its operating environment.

COSO also provides 87 “points of focus” across the 17 principles to help you design, implement, and monitor internal controls. The points of focus are specific things you need to consider when you evaluate whether the controls over a COSO principle are present and functioning. For example, there are four supporting points of focus for the principle “The organization demonstrates commitment to integrity and ethical values.” The four points of focus are:

  • Sets the tone at the top,
  • Establishes standards of conduct, 
  • Evaluates adherence to standards of conduct,
  • Addresses deviations in a timely manner.

Bottom Line

Making the transition to the COSO framework can take time, so it makes sense to start the process as soon as you can. Begin by becoming familiar with the 17 principles and other guidelines, including the 87 points of focus. Then, assess the state of your internal control system and create a plan to correct any weaknesses. 

SOX compliance means more than just passing an audit, as your company can benefit in other ways by implementing the relevant data governance procedures.

For example, SOX compliance initiatives can help you improve internal control over your financial reporting and also drive continuous improvement.

And along with helping you reduce the risk of fines and other penalties, you can use SOX as a framework for:

  • Auditing existing IT infrastructure, identifying inefficiencies, redundancies, and extra controls,
  • Streamlining reporting and auditing processes, increasing productivity, and reducing costs, and 
  • Managing security risks more effectively and responding more rapidly if there’s a security breach.

Even though the COSO framework wasn’t specifically created for the Sarbanes-Oxley Act, the guidelines of the COSO framework satisfy SOX requirements. Consequently, many auditors use COSO to audit for SOX compliance. 

Essentially, COSO helps you protect your data, especially your financial information, from tampering and unauthorized changes of any kind.
