Introduction
The most important innovations that have been made to internal control in recent decades have been the result of COSO and the Sabarnes-Oxley Act (United States).
COSO provided a very solid integrated conceptual structure, it has become the main reference standard in the world. Together with COCO they are recognized as the Reliable Control Criteria (Suitable Control Criteria).
For COSO, internal control is a system, located at the highest organizational level, with strategic direction and a clear precision that combines objectives, components and levels. It is an extremely useful tool for the design, implementation, improvement and evaluation of internal control.
The Sabarnes-Oxley Act is a standard for the United States stock market, its timeliness and conceptual quality have allowed it to be welcomed as one of the main drivers of internal control in the world. It collects the conceptual structure of COSO, adds two new elements: the audit, internal control and the organizational perspective of COSO.
It differentiates between three major levels of internal control and their respective managers, which can be seen in the following table:
It is not easy to analyze the content that the SOX law offers on internal control. An approximation can be made from the texts that it contains on the subject:
1) Audit Reports: Informative, accurate and independent. It applies in a particular way to the internal control audit report.
a) Informative: It refers to the content that the report is expected to have. Without a doubt, you cannot limit yourself to expressing a clean opinion, with qualifications or denial of opinion. Section 101 establishes this characteristic, it should be read in the context of section 103 which indicates the content of such information (description of the scope of the tests, findings of the auditor, evaluation of the accounting records and a description of the material weaknesses in the controls. internal).
b) Exact: It should be read in the context of the documentation required to support the internal control audit, based on a reliable control criterion, particularly COSO.
c) Independent: It is nothing more than a reiteration of the strong demands that this law makes on auditors in relation to their independence.
2) Structure and Control Procedures: It should be understood as the equivalent of the internal control system referred to by COSO, incorporating an additional element: its location at the highest level of decision-making by issuers above the audit committee.
As part of the auditing standards, requirements are included for registered accounting firms related to: retention of working papers; Provision of concurrent or second partner review; Description of the scope of the tests that the auditor performs regarding the internal control structure and procedures.
The focus of attention is on the tests performed by the auditor regarding the internal control structure and procedures, required by section 404-B of the SOX Act. In addition to the description of the scope of the tests, the auditor must present:
a) The findings you found when applying such tests.
b) An assessment as to whether such internal control structures and procedures:
• Include records that accurately and reasonably reflect transactions and dispositions of assets.
• They provide reasonable assurance that transactions are recorded to allow the preparation of financial statements in accordance with NIF (Financial Reporting Standards).
c) A description of the material weaknesses in such internal controls.
In practical terms, the study and evaluation serve as the basis for determining the extent and timeliness of the audit procedures, the internal control audit that incorporates this law goes considerably further, since it is about issuing an audit report. (informative, accurate and independent) that contains an attestation made in accordance with the standards for attestation contracts issued or adopted.
3) Internal Accounting Controls: In the context of corporate responsibility, each committee must establish procedures for the receipt, retention and treatment of complaints received by the issuer regarding matters related to accounting, internal accounting controls or auditing.
This is part of the understanding that the processes related to accounting, internal control and auditing are directly in charge of the audit committees.
4) Responsibilities of the Executives: Referring to the internal controls and the responsibilities that the executives who sign have with respect to them, that is, they certify with respect to them either in the annual or quarterly reports or in others that are presented to the SEC.
In the context of corporate responsibility for financial reporting, executing executives have specific responsibilities for internal controls. They certify that:
a) They have reviewed the report related to internal control.
b) To the best of your knowledge, the report does not contain any false statement of material fact or failure to state a necessary material fact.
c) Based on their knowledge, the financial statements present reasonably in all material respects the financial condition and results of the issuer's operations in and for the periods presented in the report.
The consequence of the above is that the executives who sign (certify) are responsible for establishing and maintaining internal controls:
a) They have to design internal controls to ensure that the material information related to the issuer and its consolidated subsidiaries is known by such executives and by others within the entity, particularly in the period for which such statements are being presented.
b) They have evaluated the effectiveness of the issuer's internal controls for the 90 days prior to the report.
In addition to the above, the executives who sign (certify) have the obligation to disclose to the auditors and the audit committee:
a) All significant deficiencies in the design or operation of the internal controls, which could adversely affect the issuer's ability to record, process, summarize and report financial data, as well as any material weaknesses in the internal controls that have identified for the issuer's auditors.
b) Any fraud, whether material or not, that involves management or other employees who have a significant role in the issuer's internal controls.
Likewise, the executives who sign (certify) must indicate in the report whether or not there were significant changes in internal controls or in other factors that could adversely affect internal controls, after the date of the evaluation they performed, including any corrective actions regarding significant deficiencies and material weaknesses.
5) Internal Control Audits: Refers to the set that possibly has aroused the most interest given that it corresponds to the most important innovation that the SOX Law makes to internal control: the audit of internal control and the infrastructure (conditions) necessary for it, that is, the assessment of internal controls made by management and its obligation to make an explicit statement (assertion) regarding it.
From a legal point of view, the set (report on internal control) and involves:
a) Indicate the responsibility of the administration for establishing a structure and internal control procedures, which are adequate, for the financial reporting process.
b) Contain an assessment, by the end of the issuer's most recent fiscal year, on the effectiveness of the issuer's control structure and procedures in relation to the financial reporting process.
Such set must be submitted to attestation, under attestation standards issued or adopted, by the registered public accounting firm. It explicitly states that such attestation does not constitute a contract other than the audit of the financial statements.
This is undoubtedly part of global efforts to refine (and expand) the scope of independent auditing. It is, traditionally, comprised only the audit of financial statements. Now, it comprises three closely related elements: audit of financial statements, audit of internal control and audit of compliance. This constitutes a strengthening of the independent audit, associated with the strong demands of independence for such auditors.
It should be highlighted how this revolves around the financial reporting process, a very important precision to avoid falling into the domains of other audits for which the experience of public accountants is not recognized: quality audits (based on standards ISO 9000) and audits of operations (according to engineering standards).
6) Audit and Internal Control Committee: Relationship between the audit committee and internal control, and particularly in relation to the financial expert.
Education and experience in internal accounting controls constitutes one of the aspects that must be considered with respect to the financial expert of the audit committee.
The name "financial expert" has caused quite a few surprises but is gaining more and more followers. This is a person who has education and experience as a public accountant or auditor or as a chief financial officer, controller or chief accounting officer of an issuer, or derived from a position that involves the performance of major functions. Such education and experience involves:
a) An understanding of the NIF's and financial statements.
b) Experience in the preparation or audit of financial statements of generally comparable issuers and the application of NIF's in connection with the accounting of estimates, accruals and reserves.
c) Experience in internal accounting control.
d) An understanding of the functions of the audit committee.
