In January 2009 COSO issued Guidance on Monitoring Internal Control Systems. This publication was intended to provide in depth input on how to apply the monitoring component of the original COSO framework. It is essential for all parties working with internal control to understand how a monitoring framework and foundation can improve the effectiveness of business processes.
Internal control processes have raised questions and issues since the creation of the Sarbanes-Oxley Act of 2002. Management is required to assess internal control systems and provide quarterly certifications. Further, external auditors are required to audit management’s assessment in conjunction with an audit of the financial statements. The framework for establishing internal control systems was developed by COSO (known as the Committee of Sponsoring Organization of the Treadway Commission). The original framework, Internal Control – Integrated Framework was introduced in 1992 and clarified with the issuance of guidance for smaller companies in 2006.
Monitoring of internal control is performed through application of both ongoing evaluations and separate evaluations. These evaluations ascertain whether other components of internal control continue to function as designed and intended. In addition, these evaluations facilitate identification of internal control deficiencies and communicate them to appropriate officials responsible for taking corrective action. More serious deficiencies are communicated to higher levels of management and to the board of directors when appropriate.
Business risks change over time. The internal control system needs to be capable of determining that the controls in place are relevant and effective in addressing new risks. A monitoring process must be capable of addressing the need for revisions in the design of controls based on changing risk. Effective internal control systems must be capable of containing risks at an acceptable level to ensure effective and efficient operations on an ongoing basis.
Monitoring is a process of assessing risks linked to achieving operational objectives. The COSO model requires establishing a monitoring foundation consisting of procedures for evaluating risks. Monitoring activities include assessment of controls and reporting the results of the assessment together with any required corrective action steps.
An effective monitoring foundation is dependent on establishing an effective “tone at the top” of the organization and a high priority on effective internal controls. This requires that the top management team and the board of directors be involved in the evaluation process. Monitoring of internal control is dependent on the selection and utilization of evaluators which have a solid baseline understanding of internal control. They also need to have suitable capabilities, resources, and authority to conduct a meaningful assessment of internal control.
Evaluators need to be both competent and objective in addition to having a thorough knowledge of the internal control system and its related processes. It is essential that evaluators understand how the controls should operate and what constitutes a control deficiency. Objectivity is determined based on an evaluator’s ability to assess the internal control system without any concern for personal consequences resulting from the evaluation. There should be no vested interest in manipulation of the results of the evaluation either for personal benefit or self-preservation.
A monitoring foundation requires that the management team and the board of directors will ensure objectivity and select competent evaluators. This sets the “tone at the top” and provides for a solid control environment to ensure effectiveness of the other four components of COSO framework.
If “tone at the top” is weak and ineffective, then any monitoring effort is destined for failure. Every aspect and component of internal control is dependent on the attitude and beliefs communicated and conveyed by the management team and the board. If there is a negative attitude toward monitoring, this will be reflected in the attitudes of employees and how they perform the monitoring process. Management and the board set the tone at the top and it is important for them to walk the walk and not just talk the talk.
The board is responsible for governance and oversight in their role of providing guidance to the management team. Boards of publicly traded companies have legal responsibilities that were enhanced by the Sarbanes-Oxley Act of 2002. This has translated into more competent boards of both public and private companies.
We now have both a legal and moral responsibility to provide a process for objectively monitoring internal control. The new COSO guidance on monitoring clears up many questions dealing with monitoring and documenting internal control. Guidance on Monitoring Internal Control Systems is available from COSO and the AICPA. Also, I am developing a self-study program for Bisk which will be available in a few months or contact me with your internal control questions.