Section 404 puts the onus on the management to evalute the effectiveness of internal control based on a recognized framework. This means that management just cannot say that they have evaluated internal controls, but infact have to use an evaluation framework that is well recognized. Since the SEC specifically mentions COSO Internal Control Integrated Framework as an appropriate framework, many companies find it safe to follow it. However, other frameworks such as the Turnbull, CoCo, Kontrag are alos available. The COSO framework looks at internal controls across three dimensions. Let me try an explain using the COSO cube shown below:

First Dimension - COSO's first dimension covers the objectives of internal controls. This is shown on top of the COSO cube. These are bifurcated into operations, financial reporting and compliance. The three fold objectives translates into: a) an organization which runs effectively, b) financial reporting is accurately performed and c) organzation complies with all statutes.

Second Dimension - The second COSO dimension covers organizations and activities within the company. This is shown along the right side of the cube. Once the internal controls have been established, they apply
to all organizational units and activities of the company.

Third Dimension - The third dimension which forms the face of the COSO cube, covers specific activites which are required for effective internal controls. There are five specific activities mentioned namely control environment, risk assessment, control activities, information & communication and monitoring.

Related Posts

Section 404 Project Scoping , Sarbanes Oxley Investor Protection