Chapter 8
Does Internal Control Really Matter?
If you've been dealing with Sarbanes-Oxley Section 404 as an audit committee member, CEO, CFO, or auditor, or otherwise dealing with financial reporting, you probably have heard more about and spent more time with internal control than you ever imagined. And you undoubtedly have come to know about COSO's Internal Control—Integrated Framework, which serves as the standard against which your company's internal control system is evaluated.
Let's get one important fact out of the way. When we talk about internal control under SOX 404, we mean internal control over financial reporting—that is, the process to produce reliable public financial statements. But internal control has as much—actually more—to do with two other major categories of corporate objectives. Some controls are directed at helping ensure compliance with laws and regulations affecting a company, and others are in place to see that the company's business operations objectives are achieved. These latter controls, called operations controls, deal with everything from implementation of a new marketing plan to efficient inventory control to effectively carrying out profitable research and development activities to recruiting and training employees. One might think those three categories of objectives would include everything a company seeks to accomplish, and one would be correct. What doesn't fall under financial reporting or compliance by definition falls under operations. ...