Establishing a foundation for monitoring internal control begins with an effective tone at the top of the organization. The reason this is so important is that management’s attitude regarding monitoring will determine the selection of evaluators and the approach to monitoring. The tone set by management will influence the way employees conduct monitoring activities. In turn, the board of directors will influence and guide how management applies and conducts monitoring.
Maintaining a positive tone at the top requires communication of expectations and taking action when control problems arise. Appropriate communication is essential especially for personnel in key areas of operations, financial reporting and compliance. They need to understand that management expects them to be knowledgeable about risks that exist within their areas of responsibilities and that the monitoring procedures in place will help them manage and keep those risks to acceptable levels. There are a number of ways that expectations are communicated. Management can conduct periodic meetings, hold performance reviews, in addition to building expectations and standards into job descriptions. The level of documentation and communication will expand as organizational size and complexity increases.
Whenever control problems are identified, some action will be necessary and the action steps will vary depending on the severity and materiality of the deficiency. Examples of appropriate action will range from holding discussions with responsible parties, holding training sessions, to a complete redesign of control or monitoring activities.
Internal control monitoring involves establishing appropriate roles and responsibilities for both management and the board who then need to select evaluators who have the appropriate skills and knowledge. It is management’s responsibility to maintain the effectiveness of the organization’s internal control system. The role of the board of directors is that of oversight which is then expanded for publicly traded companies. In these instances the SEC provides specific requirements and responsibilities for both management and the board. Board roles will vary for private companies and non-profit organizations.
When a solid monitoring program is in place, the board typically exercises its oversight role by developing an understanding of the risks associated with achievement of organizational objectives. The board also needs to understand the controls implemented by the management team and the monitoring process they have instituted to ensure that the internal controls are operating effectively. There are certain controls that senior management will not be able to objectively monitor such as the risk of management override. In these instances the board needs to make a determination if a third party needs to evaluate these risks. Frequently, the board will utilize the internal audit function or a designated third party to conduct monitoring to provide assurance regarding risks in these areas.
There are a number of things that boards will utilize in performing its oversight function relative to implementing an effective monitoring process. It isn’t practical or possible for boards to understand all the details associated with each monitoring procedure. Some steps that boards might adopt will include making appropriate inquiries of management and observing how they are managing the business. Usually the internal audit function will have a number of evaluation projects underway and this function normally reports directly to the board or will have strong communication links with the board. This is especially true in publicly traded companies.
Other options for boards to monitor and gain feedback include the use of third party resources and specialists. External auditors will provide comments to the board regarding the adequacy of the internal control system. Additional procedures and steps that boards might utilize will be information from analysts and rating agencies together with feedback from inquiries made to customers, vendors, and non-management personnel.