The Securities and Exchange Commission has approved an auditing standard for internal control over financial reporting by the Public Company Accounting Oversight Board, a private, nonprofit company established by the Sarbanes-Oxley Act. The auditing standard covers section 404 of Sarbanes-Oxley, which requires companies and auditors to attest to the effectiveness of internal control over financial reporting. The oversight board had approved the standard in March.
Beginning Nov. 15, companies will have to include such attestations with their 2004 annual reports. Companies with market capitalization of less than $75 million and foreign companies listed on U.S. stock exchanges have until July 15, 2005, to comply.
The Public Company Accounting Oversight Board auditing standard identifies four major categories of IT control: program development, program changes, computer operations and access to programs and data.
The oversight board has embraced recommendations issued by the Committee of Sponsoring Organizations, an umbrella group of accounting organizations; the recommendations, known as the COSO framework, are intended to improve the quality of financial reporting. Although many companies have adopted the COSO framework voluntarily, they've relied mostly on simple accounting tools such as spreadsheets. However, once Sarbanes-Oxley required CEOs and CFOs to state that their financial reporting controls are effective, the issue moved to the front burner and teams of legal, finance and IT execs have been quickly assembled to formulate a compliance plan.