An internal control system has many moving parts, each of which is getting more complex. The Sarbanes-Oxley Act of 2002 (SOX) significantly changed the importance of an organization’s internal controls to mitigate risks over financial reporting. The act requires public company management and internal auditors to have in-depth internal control knowledge. For most organizations, this meant understanding COSO’s 1992 Internal Control Framework. In 2013, COSO revised the framework, pressuring organizations to reassess their system of internal controls. Areas of greatest change for organizations included the need to re-evaluate their reliance on information technology (IT) and increased emphasis on identifying potential fraud risk.
If structured and operating effectively, an internal control system supports more than SOX compliance and applies to more than just public companies. It also supports operational process improvements and many of the organization’s compliance objectives. In fact, expectations of an internal control system now require consideration of risks in all aspects of your business related to achieving operational, financial reporting and compliance objectives.
An integral part of complying with COSO’s 2013 framework is documenting reliance on the system of internal control over outsourced services. Accordingly, organizations may expect or contractually obligate third-party service organizations to verify the effectiveness of controls that affect user entities’ financial reporting (e.g., complete and accurate transaction processing and relevant IT controls), or controls that affect the privacy of a user entity’s information or its compliance with laws or regulations (e.g., security, availability and processing integrity of the systems, or the confidentiality or privacy of the information processed for user entities’ customers). To satisfy this requirement, outsourced vendors typically use Service Organization Control (SOC) Reports®. SOC reports vary based on the nature and type of controls relevant to the service provided by the vendor, as well as the assurance needs of its customer (the user entity). For example, SOC 1 engagements (formerly SAS 70 engagements) are performed under SSAE 16 standards for U.S. service organizations (ISAE 3402 standards for international service organizations); the report covers controls over service organization functions relevant to user entity internal control over financial reporting. Even with the assurance from SOC reports, the relevance of identified control deficiencies over activities outsourced to a third-party vendor can be difficult to assess. Where additional assurance is warranted, companies often protect themselves by including in the vendor service agreement the right to perform an on-site internal control evaluation or forensic investigation.
In addition to SOX and other compliance objectives, internal audit departments should stay abreast of financial accounting standards updates regarding external auditor use of their work. Internal audit departments have a distinct advantage if they work with management and external auditors to understand what the department can do to facilitate the work of the external auditor.
Internal control is intended to assess and mitigate many aspects of an organization’s operational, financial and compliance risks. It is an ongoing process that integrates activities, plans, attitudes, policies, systems and resources designed to provide reasonable assurance that the organization will achieve its objectives and mission.