Section 302 _and_amp; evaluation of issuer's internal controls 1995



  • Each quarter Management evaluates the effectiveness of the issuer’s internal controls. This quarterly assessment is certified by Management and included in the 10Q in accordance of section 302.
    An internal control is considered effective if there are no control deficiencies such that a material error is reasonable possible.
    To support this assessment, internal audit provides the control owner a self-assessment of which the control owner the effectiveness of the control confirms. The control owner reviews the design of the control. For example, the control owner states that the control is operating as intended and as described in process documentation.
    The self assessment is summarized and submitted to Management.
    The control owner performs this assessment at his/hers point of view.
    At the end of the year internal audit performs an evaluation of the un-remediated deficiencies to determine if a deficiency is a control deficiency, significant deficiency or material weakness.
    In my opinion this evaluation should be performed each quarter and the results of that evaluation are reported to management. If a material weakness exists, management is not able to certificate the 302 section since internal control is not effective.
    Is my understanding correct?
    For the certification of 10Q in accordance of section 302, Management relies on the performed self assessment by the control owners. This self assessment does not include the results of internal audit’s quarterly assessment.
    For example, internal audit notes a deficiency. The control owner states the control is effective (his point of view). We don’t perform a quarterly evaluation of the deficiency.
    Could Management certify the 10Q (section 302) and states the internal control is effective without evaluating the deficiency.
    Do we have a conflict?
    ’ Is this approach correct?
    ’ How to ensure that management is certifying the quarterly assessment of internal control (10Q in accordance of 302) correct?
    ’ Could someone share his experience?
    Thanks in advance.



  • Hi Rene - Below are some brief comments that might help:

    1. This search has some good articles on 10Q filing requirements for SOX and might provide additional information:
      Please add www and paste to browser
      google.com/search?hl=en-and-q=sox 10Q
    2. As SOX compliancy is a management responsibility , I agree that quarterly assessments and signoffs by executives are very important. SOX compliancy should be seen as a ‘continuous improvement’ process, that you build on. When deficiencies are found, it’s more important to address them going forward, (esp. if they are not significant materially).
    3. SOX Sub-certifications are also an important practice that executives rely on. For example, the CEO might ask the CIO, CFO, and other managers to certify their respective areas with the CEO’s certification being the final step for the company. This is a good practice for executives to ensure key areas are being met for SOX 302 compliancy requirements.
      Please add www and paste to browser
      google.com/search?hl=en-and-q=sox sub-certifications

Log in to reply