APPENDIX A: RECENT HISTORY OF INTERNAL CONTROL STANDARDS

The written documentation regarding internal control has evolved over many years, and many parties have been involved in the effort. An example of earlier descriptions of internal control is provided by the AICPA in its Statements on Auditing Standards (SAS). One of the functions of an auditor is to examine and assess the effectiveness of internal controls. Thus, the AICPA provided guidelines as to proper internal controls and the auditor's responsibility with regard to internal controls. In 1977, the United States Congress passed the Foreign Corrupt Practices Act (FCPA), which was intended to prevent U.S. corporations from bribing foreign officials while soliciting business. That Act required corporations that sell stock in an SEC-regulated stock exchange to maintain a system of internal controls. The FCPA incorporated some language from the AICPA internal control guidelines. In 1988, the AICPA issued SAS 55, which further emphasized management's obligation to maintain internal controls. In 1992, the Committee of Sponsoring Organizations (COSO) issued the COSO report, which details the findings of a comprehensive study of internal control and is recognized within the accounting industry as the definition and description of internal control.

Since that time, the AICPA has rewritten SAS guidelines to incorporate COSO concepts. SAS 55 was replaced by SAS 78 in 1994, and in 2002 SAS 78 was amended by SAS 94. The current internal control guide in SAS 94 maintains the COSO internal control concepts. In addition, SAS 99 expands the auditor's duties with regard to internal control and fraud. An auditor must now approach all audits with skepticism about management's honesty and assume that management fraud might have occurred. This means that the auditor must think about the risks and controls in the company and try to determine what kind of frauds could occur. The auditor must also test for management override of controls.

In the summer of 2002, the United States Congress passed the Sarbanes–Oxley Act in an attempt to curb the fraud and stock market abuses of the previous two years. Section 302 of this bill designates management (specifically, the chief executive officer, chief financial officer, and others performing similar functions) of the company as having responsibility for the establishment and maintenance of an effective system of internal controls. This system must be evaluated on an ongoing basis. Any significant changes or deficiencies in the system, as well as all instances of fraud within the company, must be reported to the SEC. Compliance with these requirements must be confirmed by management in writing.

Section 404 of the Sarbanes–Oxley Act requires public companies to include an internal control report within their annual report to stockholders. This report must include the following:

  1. A statement that acknowledges management's responsibility to establish and maintain an adequate system of internal controls
  2. An assessment of the effectiveness of the internal control structure

The Sarbanes–Oxley Act created the Public Company Accounting Oversight Board (PCAOB) to oversee the audits of public companies. In 2006, the PCAOB issued Auditing Standard No. 5, which established requirements applicable to an audit of management's assessment of the effectiveness of internal control over financial reporting that is integrated in the audit of the financial statements of a public company.

Thus, legislation underscores the idea that not only is the establishment and operation of an internal control system a good practice, but it also is legally mandatory for publicly traded companies.

This history of internal control emphasizes the increasing importance placed on the role of internal controls in preventing or detecting fraud, including financial statement fraud.
