SOX and ICFR Glossary

The terms a SOX and controls team actually uses, defined in plain language by practitioners. For the full walkthrough, see the SOX compliance guide in the Learn hub.

Auditor Attestation

The external auditor's independent opinion on the effectiveness of a company's ICFR. It is required under Section 404(b) for issuers subject to it and performed under the PCAOB standard AS 2201.

Control Activities

One of the five COSO components. The actual control actions, such as approvals, reconciliations, system access controls, and segregation of duties, that address the risks of material misstatement.

Control Deficiency

The least severe control finding. A control is missing, or it is designed or operating such that it does not allow management or employees to prevent or detect misstatements on a timely basis. More severe findings are a significant deficiency and a material weakness.

COSO

The Committee of Sponsoring Organizations of the Treadway Commission. Its 2013 Internal Control - Integrated Framework is the control framework most US issuers use to structure and assess ICFR; it organizes internal control into five components and seventeen principles.

Design Effectiveness

Whether a control, operating as described, would prevent or detect a material misstatement in the relevant assertion. It is evaluated by understanding the control and tracing a transaction through it in a walkthrough. Distinct from operating effectiveness.

Disclosure Controls and Procedures

The controls that ensure information required in SEC filings is recorded, processed, and reported on time. The CEO and CFO certify responsibility for these under Section 302. Broader than ICFR, which is focused on financial reporting specifically.

Entity-Level Control

A control that operates across the organization rather than within a single process, such as board and audit committee oversight, the code of conduct, or company-wide monitoring. It belongs to the control-environment side of COSO and complements process-level controls.

ICFR (Internal Control over Financial Reporting)

The process that provides reasonable assurance about the reliability of financial reporting and the preparation of financial statements. Section 404 is built around assessing whether ICFR is effective.

IT General Controls (ITGC)

Controls over the technology environment, mainly access, change management, and operations, that support the reliability of automated controls and system-generated data. When ITGCs are weak, you cannot rely on the automated controls that sit on top of them.

Key Control

A control that, if it failed, could allow a material misstatement to reach the financial statements. Key controls are the subset a SOX program documents in the risk-control matrix and tests for design and operation.

Management Assessment

Management's own annual conclusion, required under Section 404(a), on whether ICFR is effective as of year-end. It is stated in the annual report and must name the control framework used, almost always COSO.

Material Weakness

The most severe control finding. A deficiency, or combination of deficiencies, such that there is a reasonable possibility a material misstatement will not be prevented or detected on a timely basis. A single material weakness causes ICFR to be reported as not effective and is disclosed publicly.

Materiality

The threshold above which a misstatement could influence the decisions of a reasonable user of the financial statements. It drives both scoping (deciding what is in scope) and severity (deciding how serious a deficiency is).

Operating Effectiveness

Whether a control actually ran as designed throughout the period, performed by a person with the right authority and competence. It is tested by examining a sample of occurrences across the period. Distinct from design effectiveness.

PCAOB

The Public Company Accounting Oversight Board, created by SOX to oversee the audits of public companies. Its Auditing Standard 2201 governs the audit of internal control over financial reporting that is integrated with the financial statement audit.

RCM (Risk-Control Matrix)

The document that maps each financial statement risk to the control that mitigates it and the test that proves it. It is the spine of a SOX program, and a clear one lets an auditor trace a clean line from risk to control to evidence.

Section 302

The SOX provision requiring the CEO and CFO to personally certify, each quarter and year, that the reports are accurate and that disclosure controls exist and were evaluated. It is a certification that cannot be delegated.

Section 404

The SOX provision on ICFR. 404(a) requires a management assessment of ICFR effectiveness, and 404(b) requires the external auditor attestation for issuers subject to it. Smaller filers are often exempt from 404(b) but not 404(a).

Segregation of Duties (SoD)

Dividing responsibility so that no single person controls all parts of a transaction, such as authorizing it, recording it, and holding custody of the asset. It reduces the risk of both error and fraud and is a common control activity.

Significant Deficiency

A control finding less severe than a material weakness but important enough to merit attention by those responsible for financial reporting oversight. It is reported to the audit committee, and ICFR can still be concluded effective.

Walkthrough

Tracing a single transaction from its origination through the process and into the financial statements, following the control as it operates, to confirm the control exists and is designed as documented. It is a test of one, used for design effectiveness rather than operation.

From terms to a working program

Compliance Command Center turns these terms into a defensible, auditor-ready ICFR program: practitioners run it, software does the drafting.
