Management's evaluation of internal controls under Section 404(a) using the COSO 1992 control framework: Evidence from practice

Abstract

A large number of surveys and research studies have been conducted on documenting the costs and benefits of implementing Section 404 internal control certification requirements. Overall, these studies conclude that for companies of all sizes — accelerated and nonaccelerated filers — costs far outweigh the benefits and sustaining compliance with Section 404 at such high costs would make US capital markets much less competitive in future. None of these research studies, however, have focused on analysing one of the most key aspects of SOX 404 implementation — that is, how companies are utilising the COSO 1992 control framework to carry their mandate under Section 404(a). Although the COSO Committee had issued in 2004 an ERM-based control framework, the COSO 1992 control model has remained the framework of choice for majority of the companies so far that have filled their Section 404 certifications. This research paper attempts to understand how the guidance presented in this control model is being utilised by documenting the current implementation practices at a cross-section of the SEC registrants. By analysing the responses of 374 survey participants from companies of all sizes, this research study documents that companies are relying more on the internal control auditing standard than utilising the guidance provided in the COSO 1992 control framework to conduct their ICFR evaluations. Such a significant nonreliance on the most widely cited control model should be of concern to the audit committees, senior company managers, external and internal auditors, standard-setting and regulatory agencies in the US and abroad as various other countries assess the practicality and viability of implementing similar rules in their jurisdictions. Given the findings reported in this research paper, investors may question the robustness of ICFR assessment assurances provided to them by the companies in their Section 404(a) management reports, audit committees may wonder if they are being provided with a false-sense of security that their company's ICFR is effective. Similarly, external auditors may question the basis of their client's claim that they have conducted the ICFR assessment 'in accordance with the COSO 1992 Framework.' Policy makers may question whether there is a need to more formally evaluate the suitability of the COSO 1992 control framework for Section 404(a) assessments and if there is a need to develop a set of generally accepted control assessment standards that would provide direct and practical guidance to company managements in conducting their internal control evaluations.