Paper

International Journal of Disclosure and Governance (2008) 5, 48–68. doi:10.1057/palgrave.jdg.2050073; published online 17 January 2008

Management's evaluation of internal controls under Section 404(a) using the COSO 1992 control framework: Evidence from practice

Parveen P Gupta¹

Correspondence: Parveen P. Gupta, Department of Accounting, College of Business and Economics, Lehigh University, 621 Taylor Street, Bethlehem, PA 18015, USA. Tel: +1 610 758 3443; E-mail: ppg0@lehigh.edu

¹ Parveen P Gupta is Professor of Accounting and Department Chair at Lehigh University. His teaching and research activities focus on corporate governance, internal control evaluations under Sarbanes–Oxley Sections 302 and 404, risk and control self-assessment, and internal auditing. He has authored numerous research monographs and research articles in a number of related areas. His most recent co-authored book on Sarbanes–Oxley was published by Risk Books. During the 2006–2007 academic year, he served as an Academic Accounting Fellow with the US Securities and Exchange Commission, working on a variety of topics including internal control assessments under Section 404 and revisions to Auditing Standard No. 2, which was replaced by Auditing Standard No. 5.

Received 13 November 2007; Revised 13 November 2007; Published online 17 January 2008.

EXECUTIVE SUMMARY

A large number of surveys and research studies have documented the costs and benefits of implementing the Section 404 internal control certification requirements. Overall, these studies conclude that for companies of all sizes — accelerated and nonaccelerated filers — costs far outweigh the benefits, and that sustaining compliance with Section 404 at such high costs would make US capital markets much less competitive in the future. None of these research studies, however, has focused on analysing one of the key aspects of SOX 404 implementation — that is, how companies are utilising the COSO 1992 control framework to carry out their mandate under Section 404(a). Although the COSO Committee issued an ERM-based control framework in 2004, the COSO 1992 control model has remained the framework of choice for the majority of the companies that have so far filed their Section 404 certifications. This research paper attempts to understand how the guidance presented in this control model is being utilised by documenting the current implementation practices at a cross-section of the SEC registrants. By analysing the responses of 374 survey participants from companies of all sizes, this research study documents that companies are relying more on the internal control auditing standard than on the guidance provided in the COSO 1992 control framework to conduct their ICFR evaluations. Such a significant nonreliance on the most widely cited control model should be of concern to audit committees, senior company managers, external and internal auditors, and standard-setting and regulatory agencies in the US and abroad, as various other countries assess the practicality and viability of implementing similar rules in their jurisdictions.
Given the findings reported in this research paper, investors may question the robustness of the ICFR assessment assurances provided to them by companies in their Section 404(a) management reports, and audit committees may wonder whether they are being given a false sense of security that their company's ICFR is effective. Similarly, external auditors may question the basis of their clients' claim that they have conducted the ICFR assessment 'in accordance with the COSO 1992 Framework.' Policy makers may question whether there is a need to evaluate more formally the suitability of the COSO 1992 control framework for Section 404(a) assessments, and whether there is a need to develop a set of generally accepted control assessment standards that would provide direct and practical guidance to company managements in conducting their internal control evaluations.

Keywords: Sarbanes–Oxley Act, Section 404, COSO 1992 control model, internal control assessment