Brief History of

Internal Control
Legislation

SEC Acts of 1933 and 1934

Securities Act of 1933
(1) require that investors receive financial and other significant information
concerning securities being offered for public sale; and
(2) prohibit deceit, misrepresentations, and other fraud in the sale of securities.

Securities Exchange Act of 1934

This act created the Securities and Exchange Commission (SEC) and empowered
it with broad authority over all aspects of the securities industry, which included
authority regarding auditing standards.

Copyright Law1976
This law, which has had multiple revisions, added
software and other intellectual properties into the
existing copyright protection laws.

Foreign Corrupt Practices Act (FCPA) of

1977
Among its provisions, the FCPA requires companies registered with
the SEC to do the following:
(1) Keep records that fairly and reasonably reflect the transactions
of the firm and its financial position.
(2) Maintain a system of internal control that provides reasonable
assurance that the organizations objectives are met.

Committee of Sponsoring
Organizations1992
The sponsoring organizations included Financial Executives
International (FEI), the Institute of Management Accountants
(IMA), the American Accounting Association (AAA), AICPA, and the
IIA. The Committee spent several years promulgating a response.
Because it was determined early on that the best deterrent to
fraud was strong internal controls, the committee decided to focus
on an effective model for internal controls from a management
perspective. The result was the COSO Model.

Sarbanes-Oxley Act of 2002

This law supports efforts to increase public confidence in capital
markets by seeking to improve corporate governance, internal
controls, and audit quality.
The main purpose of SOX is to protect shareholders from
fraudulent representations in corporate financial statements.
Managements responsibilities for this are codified in Sections
302 and 404 of SOX.

Section 302 requires that corporate management (including the

CEO) certify their organizations internal controls on a quarterly and

annual basis. External auditors must perform the following procedures
quarterly to identify any material modifications in controls that may
impact financial reporting:
Interview management regarding any significant changes in the design
or operation of internal control that occurred subsequent to the
preceding annual audit or prior review of interim financial information.
Evaluate the implications of misstatements identified by the auditor
as part of the interim review that relate to effective internal controls.
Determine whether changes in internal controls are likely to
materially affect internal control over financial reporting.

Section 404 requires the management of public companies to assess

the effectiveness of their organizations internal controls. This entails

providing an annual report addressing the following points:
(1) Understand the flow of transactions (including IT aspects)
(2) Using a risk-based approach, assess both the design and operating
effectiveness of selected internal controls related to material
accounts.
(3) Assess the potential for fraud in the system and evaluate the
controls designed to prevent or detect fraud.
(4) Evaluate and conclude on the adequacy of controls over the
financial statement reporting process.
(5) Evaluate entity-wide (general) controls that correspond to the
components of the COSO framework.