Internal Controls form an integral part of the overall control environment in the organization. Recently, many organizations have started to consider internal controls based on a maturity framework much more like the maturity models for software process commonly known as CMM levels. I have an interesting theory that the maturity levels in the software processes can also be applied to Sarbanes Oxley Internal Control too. The maturity levels namely Initial, Repeatable, Defined, Managed and Optimized can be tailored to suit Internal Controls. Here is what I consider would be the maturity levels for internal controls in a Sarbanes Oxley scenario:

Initial - This is the most basic maturity level where control activities are not even designed. It is represented by an unpredictable control environment.

Repeatable or Informal - In the second maturity level, controls are mostly dependent on people. Controls are designed and are in place but the same have not been documented. Also, there is a lack of awareness and communication of the control activities.

Defined or Standardized - Here, controls are designed and documented. Control activities are communicated to employees. However, deviations from such control activities will probably not be detected.

Managed or Monitored - This maturity level is represented by standard controls with periodic testing plans, reporting to management. Documentation software, Sarbanes Oxley automation tools may be used to a limited extent.

Optimized - The last and final maturity level corresponds to an integrated internal control framework. Efforts are made for continous improvements in internal controls with stress on enterprise wide risk management. Real time disclosure controls are a part of this maturity level. Software tools are used extensively to document, test, report, analyze and communicate internal control data within the enterprise.

More on Sarbanes Oxley >>

Identifying Company Level Controls , IT Best Practices for Sarbanes OXley