Control over Operational Performance
We've said internal control over financial reporting addresses only one of a company's major categories of objectives, the others being compliance with laws and regulations and effectiveness and efficiency of operations. The distinction is critical but sometimes overlooked, even by smart and capable people. More fascinating is that some accomplished businesspeople believe that because their companies comply with SOX 404, they have what's needed with respect to the entirety of internal control and even extending to risk management.
Working recently with a large multinational company, I spent time with each of the directors, one of whom is a nationally known and highly regarded educator and business advisor. His explicit message to me was that since the company already complies with SOX 404, including auditor attestation, risk management is well addressed in the organization—and there's no need, therefore, for the board to look into that area. Using all the tact I could muster, I asked whether he had considered that the SOX 404 rule focuses only on internal control over financial reporting—and does not address internal control over either operations or compliance objectives—and while there is a risk-identification/analysis element therein, 404 does not extend to a company's broader risk management processes. After much discussion he better understood that the company's and auditor's compliance with 404 doesn't provide comfort regarding ...