SARBANES-OXLEY REQUIRES MANAGEMENT to include an assessment of internal controls over financial reporting, using a suitable framework, in the annual report. While a number of frameworks are available, some do not adequately assess technology controls.
SEC RULES SAY MANAGEMENT MUST BASE its evaluation of the effectiveness of internal controls over financial reporting on a recognized control framework issued by a group that followed due-process procedures. The framework must be free from bias, complete and relevant to the task at hand, and must permit consistent quantitative and qualitative measurements.
Journal of Accountancy Online
, March 2005