Compliance executives and internal auditors are one step closer to getting valuable and eagerly anticipated guidance on monitoring internal controls, one of the most misunderstood dimensions of an effective internal controls system.

COSO, the Committee of Sponsoring Organizations, finally released an exposure draft of its proposed monitoring guidance on June 4. The draft is open for public comment until Aug. 15, and COSO hopes to have a final document in the hands of corporate controllers and compliance officers by the end of this year.

“Content-wise, we’re close to what the final document will look like, but we need to get people’s feedback to see if we’ve made the guidance clearer and to see if the examples and tools we’ve provided are deemed helpful,” says Dave Richards, president of the Institute of Internal Auditors.

The guidance, which includes real-life examples of monitoring, is designed to help companies “recognize good internal control monitoring where it exists, and more fully use it to support their assertions,” says Trent Gazzaway, a partner at Grant Thornton and leader of the team that created the draft.

Many companies have good internal control monitoring in some important areas, but don’t take full advantage of the results to support their Section 404 assertions, Gazzaway says. Instead, they layer year-end monitoring on top of existing monitoring efforts, which is “often unnecessary and inefficient.”

Moreover, many companies lack effective monitoring procedures in other areas, forcing them to play catch-up at the end of the year with “less than optimal” evaluations of internal control, he adds.


Cees Klumper, a partner in KPMG’s Business Advisory Services group in The Netherlands and a former top auditor at Ahold, agrees.

“Many organizations have yet to recognize the potentially significant value of bringing their monitoring component to the next level,” Klumper says. While most companies have reached “good maturity levels” in the control environment, risk assessment and control activities, monitoring “could oftentimes be improved upon,” he says.

Klumper lists numerous gains that effective monitoring can deliver: more clarity over how much assurance is needed for key controls; better control ownership with the right individuals; earlier identification of control weaknesses; structural improvements to internal controls; and the means to further strengthen the control culture within the organization.

EYE ON CONTROLS

Below is an excerpt from the COSO exposure draft on monitoring internal controls.

Monitoring involves (1) establishing a foundation for monitoring, (2) designing and executing monitoring procedures that are prioritized based on risk, and (3) assessing and reporting the results, including following up on corrective action where necessary.

Planning and organizational support form the foundation for monitoring, which includes (1) a tone from the top about the importance of internal control (including monitoring), (2) an organizational structure that considers the roles of management and the board in regard to monitoring and the use of evaluators with appropriate capabilities, objectivity and authority, and (3) a baseline understanding of internal control effectiveness.

As with every internal control component, the ways in which management and the board express their beliefs about the importance of monitoring have a direct impact on its effectiveness. Management’s tone influences the way employees conduct and react to monitoring. Likewise, the board’s tone influences the way management conducts and reacts to monitoring.

In most cases, the board is ultimately responsible for determining whether management has implemented effective internal control (including monitoring). It makes this assessment by (1) understanding the risks the organization faces, and (2) gaining an understanding of how senior management manages or mitigates those risks that are meaningful to the organization’s objectives. Obtaining this understanding includes determining how management supports its beliefs about the effectiveness of the internal control system in those important areas.

Characteristics of Evaluators: Monitoring is conducted by evaluators who are appropriately competent and objective in the given circumstances. Competence refers to the evaluator’s knowledge of the controls and related processes, including how controls should operate and what constitutes a control deficiency. The evaluator’s objectivity refers to the extent to which he or she can be expected to perform an evaluation with no concern about possible personal consequences and no vested interest in manipulating the information for personal benefit or self-preservation.

Source: COSO Monitoring Draft, Executive Summary.

Klumper, who’s already reviewed the exposure draft, recommends that companies compare it to their current monitoring practices. “Chances are, your organization is not making the most out of monitoring and there are important advantages of doing so,” he says.

Why It Matters

Monitoring came to the forefront of internal control after the arrival of Section 404 of the Sarbanes-Oxley Act, which requires companies to report annually on the effectiveness of internal controls over financial reporting. The final COSO guidance should help companies streamline those efforts, but the authors of the guidance stress that the guidance can apply to monitoring all internal controls.


“Financial reporting controls are important, but they’re not where breakdowns usually occur,” Richards says. “It’s usually operational controls where companies need to take a concerted effort to identify key operational controls.”

The idea of monitoring is nothing new. Monitoring is discussed in COSO’s original 1992 document, Internal Control—Integrated Framework. But, Richards says, the reaction to SOX made it clear that many companies weren’t doing it well. As evidence, he cites the “upswell of complaints” by companies about the once-a-year assessment required under Section 404.

“People were reacting to assessing their internal controls as brand new,” Richards says. “If they had a good monitoring program implemented, the SOX requirements would’ve been an ‘oh never mind’ because they would’ve had it.”

One telling sign: When COSO did go looking for companies that do monitoring well, to use them as examples for other companies to follow, finding such exemplars “was a tough process,” Richards says.


Gazzaway says monitoring controls isn’t so much difficult, as it is misunderstood. The average company has “relatively good monitoring procedures,” he says. “Implementing the guidance should not result in wholesale upheaval in many companies.” What the guidance should do, he says, is enable people to understand “in a consistent fashion” what effective monitoring looks like.

“It should foster a common language within and among companies, and between companies and their auditors,” he says. “It should facilitate the decision process about the level of monitoring and internal control evaluation that is necessary in a given risk area.”

What the guidance does not do is establish rules or prescriptive criteria for how monitoring must be done. While some commenters asked for guidance on monitoring various risks, such as revenue recognition risks, Gazzaway says his team resisted that “because the guidance would turn into a very rigid document that could not possibly cover every aspect of monitoring.”

Richards also stresses that the guidance “isn’t a cookbook.” Companies must do the work to determine which specific issues or risks are most important to them, what controls they have in place to mitigate those risks, and which controls they need to monitor. “You can’t pick this up and implement it overnight,” he says.

Gazzaway adds that companies don’t have to monitor every control that addresses every risk just to conclude that the internal control system is effective. “The art is in knowing which risks and controls to subject to what level of monitoring,” he says.

Richards notes that while some controls may need to be monitored daily, others may only need to be monitored quarterly or even annually, depending on the risk exposure and how often the control is exercised. For example, for a control that functions every day in accounts receivable, “looking at it once a year is far too late,” he says. Conversely, a control that’s only exercised once a year, such as the annual inventory count, may only need to be monitored once a year.
