Assessing the Control Environment Using a Balanced Scorecard Approach

Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) requires that companies subject to the Securities and Exchange Act of 1934 include in their annual reports a report of management on the company's internal control over fmancial reporting. This must contain management's assessment and a statement of the effectiveness of the controls. Almost no guidance, however, has been provided on how to evaluate the critical component of internal controls: the control environment. The control environment reflects top management's awareness and commitment to the importance of controls throughout the organization, and encompasses management integrity, ethical values, and operating philosophy. The key to successful internal control is having a control environment that sets a tone of integrity which influences the ethical and control consciousness of employees. The external auditor reviews management's report and makes an independent evaluation as part of an integrated audit of internal controls and financial statements. The auditor issues separate reports that provide "reasonable assurance": The auditor's internal control report provides reasonable assurance concerning whether the company maintained, in all material respects, effective internal control over financial reporting. The audit report provides reasonable assurance concerning whether the financial statements fairly present financial position, results of operations, and changes in cash flows. According to PCAOB Auditing Standard (AS) 2, An Audit of Intemal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (March 9, 2004), the concept of reasonable assur-