Both Sections 302 and 404 use definitions of ‘‘effective’’ internal control similar to those
developed in 1992 by the Committee of Sponsoring Organizations (COSO) of the
Treadway Commission. The SEC thus defines internal control as ‘‘a process, effected by an
entity’s board of directors, management and other personnel, designed to provide
reasonable assurance regarding the reliability of financial reporting.’’ Although the COSO
framework broadly defines internal control in terms of achieving (1) the effectiveness and
efficiency of operations, (2) reliability of financial reporting, and (3) compliance with
applicable laws and regulations (Statements on Auditing Standards, Section 319),
Sarbanes-Oxley only pertains to internal control related to the reliability of financial
reporting.8Internal control is a major focus of recent regulatory changes under Sarbanes-Oxley.
However, empirical research on the determinants of internal control quality prior to
Sarbanes-Oxley is extremely limited. The most direct evidence is provided by Krishnan