COSO implementation has been an important endeavor for many companies listed on exchanges in the United States in their efforts to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). As background, the U.S. Securities and Exchange Commission (SEC) requires companies to use a “suitable framework” as a basis for evaluating the effectiveness of internal control over financial reporting (ICFR), as required by Section 404. The COSO Framework meets the SEC’s criteria for suitability.
Section 404 compliance is important, as it relates to maintaining effective ICFR. However, as important as the lessons learned in this critical area are, there are other lessons that should be of interest to boards as directors consider the relevance of internal control to their risk oversight endeavors.