How to monitor internal controls - Wiley Online Library

JCAF19-4_10_20401.qxd

4/18/08

8:11 PM

Page 41


How to Monitor Internal Controls

Jan Colbert

The Journal of Corporate Accounting & Finance / May/June 2008

© 2008 Wiley Periodicals, Inc. Published online in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/jcaf.20401

Internal controls are critical for any organization to function effectively. And with an effective system of controls in place, you minimize risk. But how should you monitor controls to ensure their quality and performance?

Internal control is critical to the effective functioning of any organization. Boards of directors, CEOs, and internal auditors all work to attain the entity’s objectives; the system of internal control is the means by which these parties help to ensure that those objectives are met. Controls help an entity to operate efficiently. In addition, with an effective system of controls in place, risk is minimized. Also, controls serve to promote the reliability of both operations and information that is produced relative to the operations.

DISCUSSION DOCUMENT ISSUED

In its seminal document “Internal Control—Integrated Framework,” the Committee of Sponsoring Organizations of the Treadway Commission (COSO; 1992) defines internal control as:

A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

The Committee went on to explain that a system of internal control includes five components. They are:

• control environment,
• risk assessment,
• information and communication,
• control activities, and
• monitoring.

COSO’s definition and the five components have proven useful to a variety of groups, including boards of directors and CEOs. Respectively, these groups have responsibilities for oversight of a system of internal control and for the design and operation of the system. Further, internal auditors have found COSO’s guidance useful. This group may be asked by the board or management to test controls.

COSO recently published a Discussion Document that addresses monitoring, one of the five components originally identified in COSO’s 1992 framework. The publication is entitled “Internal Control—Integrated Framework: Guidance on Monitoring Internal Control Systems” (COSO, 2007). In the document, COSO stresses the significance of monitoring, a control component entities often underutilize.

Because boards of directors, CEOs, and internal auditors all play valuable roles with respect to an entity’s internal control, each component of internal control, including monitoring, is significant to all of these groups. Also, external auditors have an interest in monitoring. The independent audit firm is mandated by the Sarbanes-Oxley Act of 2002 to examine the client’s system of internal control. All five components, including monitoring, must be considered. Further, the internal control audit must be integrated with the examination of the financial statements.

Prior to the integrated audit, management, led by the CEO and perhaps with the support of the internal audit activity, assesses the effectiveness of the system of internal control. The external auditor then opines on the controls. The board of directors, in its oversight role, will peruse the reports produced by internal audit and by management and the CEO. The guidance in the Discussion Document regarding monitoring serves as an aid to each of these groups as they labor in their respective roles.

WHAT IS MONITORING?

Monitoring constitutes assessing the quality of the performance of the system of internal control over time. Such assessments of the functioning of controls help the entity to ascertain that controls are operating effectively.

Monitoring as Part of Internal Control

In performing monitoring activities, appropriate personnel take part in examining both the design of the system and its operation. Such examinations must be performed in a timely manner in order to provide the maximum benefit to the entity. Management is then responsible for taking appropriate action in response to findings. Parties with an interest in internal control can place significant reliance on the system of internal control if both appropriate monitoring activities are conducted and management acts on the results. When a high degree of reliance can be attached to the monitoring aspect of internal control, testing of other aspects of the system, especially control activities, might appropriately be reduced.

Ongoing, Continuous Monitoring

Some monitoring activities will be ongoing and continuous. That is, they are built into the system and are executed along with the normal activities of operations. Typically, continuous monitoring activities are automated. The system then produces exception reports that are reviewed by management, and appropriate actions can be taken.

Separate Monitoring

Besides employing ongoing, continuous monitoring techniques, the entity might also choose to utilize separate monitoring activities. These entail distinct monitoring by management or perhaps by the internal auditors. Separate monitoring may take place as a result of the information gathered from ongoing, continuous activities or in response to specified risks.

DESIGNING MONITORING

As managers design the system of internal control, they will identify risks to the entity of achieving its objectives. These risks should be prioritized and resources allocated to address the risks. As management designs its system of internal control, consideration will be given to who will be participating in the monitoring activities, when and how often they will be performed, and to the elements of monitoring. Each of these aspects of the design of the monitoring component is discussed below and noted in Exhibit 1.

Exhibit 1

Designing the Monitoring Component of Internal Control

• Identify risks and prioritize.
• Determine who will perform the monitoring activities.
• Consider the timing of monitoring activities.
• Decide how often monitoring activities will occur.

Risks, Priorities, Resources

To appropriately design the system of internal control, management begins by assessing the risks the organization faces of not achieving its objectives. A system of internal control, including the monitoring component, can then be designed to address those risks. To most effectively utilize monitoring activities, they should be prioritized. That is, for transactions and events that carry more risk and, thus, are more critical, monitoring activities should be increased. Such activities may be performed more often. An alternative is that there might be greater coverage during each examination. For example, if sales returns for a manufacturer have increased due to poor quality, the company might elect to inspect more product before shipment, or inspections could take place daily rather than on a weekly cycle.

Sufficient resources must be devoted to monitoring activities. By designating appropriate levels of funds, management sends a strong message as to how significant monitoring activities are.

Besides monitoring, another significant aspect of the design of the system of internal control relates to the control environment. The control environment refers to the tone at the top of the organization. When the board and the CEO stress the critical nature of the monitoring component of the system, these parties send a strong message. One way of operationalizing the tone at the top is to establish an organizational structure conducive to the enhancement of controls. Qualified, dedicated personnel should then be hired to implement and operate the system.

As part of the monitoring component of internal control, formal channels of communication with those empowered to take action should be established. The results of the monitoring activities should quickly be channeled to individuals who have the authority and the capability to react. Timely corrective actions help the organization achieve its objectives in an effective and efficient manner.

Who Performs Monitoring?

For monitoring to be effective, appropriate personnel must perform the activities. Individuals may engage in monitoring as one aspect of their work. For others, such as inspectors, quality control personnel, and internal auditors, monitoring is the focus of their positions. Management must design the system of internal control such that monitoring occurs and is conducted in a timely manner by knowledgeable employees. Only then can the results of monitoring be addressed. Entity personnel must clearly understand what information can be acted upon at the level of the individual receiving the results and what should be forwarded to the next level. Also, individuals working in the monitoring aspect of the system should be able to summarize and filter information so that it is useful to those utilizing it to improve the organization.

While management is ultimately responsible for the system of internal control, including monitoring, members of management are not mandated themselves to perform the monitoring activities. Internal auditors may be asked to step in. Another option is to outsource the function. Either of these choices may be cost-effective. Also, by utilizing the expertise of internal auditors or third-party providers, members of management are freed up for other activities.


When and How Often?

When considering the timing of monitoring activities, management must consider multiple factors. For example, the industry, the specific entity, and the qualifications of monitoring personnel performing monitoring duties all play a role in the timing and frequency of this component of internal control.

Elements of Monitoring

Management is responsible for both the design and operation of the entire system of internal control, including the monitoring component. Another component, the control environment, interrelates with monitoring. The control environment encompasses the tone at the top of the organization. The board of directors is responsible for an appropriate tone for the organization. An overall attitude by the board that effective controls are essential to the running of the organization will permeate throughout the entire entity. Further, if Board members stress the importance of the monitoring component and ask to see the results of monitoring activities, management will grasp how critical the component is to the overall objectives of the organization.

As an example of overseeing the results of monitoring, members of the board might request monthly summaries of monitoring activities. Various managers can then be queried about resulting actions taken. They will then quickly recognize how important the monitoring component is to the governance of the entity.


REPORTING AND ACTION ON THE RESULTS OF MONITORING

For the monitoring component to be effective, weaknesses in internal control must be communicated to appropriate personnel within the organization. An indication of the significance of each weakness should accompany its description. Besides reporting weaknesses and their importance internally, external communications regarding internal control may be mandated by law or regulation.

Regardless of whether the recipient is internal or external to the entity, prompt communication is critical. Armed with timely information, individuals responsible for the operations scrutinized can then select appropriate courses of action. Further, decision makers located outside the organization can make appropriate choices. The steps in the reporting of and actions to be taken on the results of monitoring are shown in Exhibit 2.

Exhibit 2

Steps and Actions: Results of Monitoring

• Develop likelihood and significance ranking.
• Report on internal control internally.
• Report on internal control externally.


Ranking—Likelihood and Significance

To aid those with responsibilities for considering the results of monitoring activities, a ranking system for control deficiencies might be employed. Such a system aids in prioritizing issues. A numeric scale could be used; a qualitative scale is also appropriate. Regardless of whether a qualitative or numeric scale is employed, both the likelihood of the event occurring and its significance should be incorporated into the measure. The likelihood represents the probability that a control will not prevent or detect a specific risk from occurring. Significance is the potential impact to the organization assuming the risky event occurs.

The professional judgments incorporated into both the likelihood and the significance rankings of any particular risk are admittedly subjective. Still, scales provide a valuable tool to summarize information concerning the likelihood and significance of a risk. Those whose responsibility it is to address risks can more readily prioritize issues to be handled and deploy resources quickly and appropriately by utilizing the estimates in the scales.

Reporting Internally

As noted, management is ultimately responsible for the monitoring component of the system of internal control. However, members of management are not required to actually perform the monitoring activities themselves. Managers may ask internal auditors to engage in monitoring activities or perhaps a third-party provider might be engaged to handle monitoring. A combination of managers, internal auditors, or third parties might also be utilized.

Internal summaries regarding the system of control will be presented to the board of directors by management. If the internal auditors have participated in monitoring, that group will also report to the governing body. Communications to the Board should set forth the results of monitoring at a high level. More detailed reports, with findings specific to each area, should be presented to the managers of the departments responsible for the specific controls addressed in the testing.

Reporting Externally

Many organizations are required to report externally on internal control. Monitoring activities aid the entity in producing data for the mandated reports. The Sarbanes-Oxley Act notes that management must report on the effective operation of the system of internal control. Management’s report is included in the organization’s annual filing with the Securities and Exchange Commission (SEC). Typically, the CEO and the president sign that report for the organization. For the top officers to have the confidence needed to affix their signatures to the report on controls, assurances from the various levels and units of the organization must be forthcoming. The monitoring activities in each area aid the various managers in providing assurances regarding controls. These are eventually integrated and result in the report on the entire system presented by the CEO and the president.

Besides the public report on internal controls made by management, the corporation’s external auditors issue an opinion on the effectiveness of the system. In performing the audit that serves to support the opinion, the independent audit firm examines aspects of the system, including monitoring activities. While the outside firm is solely responsible for its opinion on internal controls, the external auditors are permitted, and even encouraged, to utilize tests that other parties have performed. Thus, work completed by management, by the internal audit activity, or by third parties may be examined by the external auditors. The results from these groups may yield valuable insights into areas on which the external auditors should focus. Further, armed with the findings of management, the internal auditors, and/or an outside entity, the CPA firm may be able to reduce its testing. This approach results in cost-effective coverage of testing the system of internal control.

The external report on controls may be studied by a variety of users. For example, for a public company, regulatory agencies such as the SEC and the Public Company Accounting Oversight Board (PCAOB) will receive a copy, as will the stock exchange on which the organization is listed. Analysts and investors will also scrutinize the information. In the case of litigation, a report on the effective system of internal control, including the monitoring component, might be used by either the plaintiff or the defense. Thus, when reporting externally, the organization must bear in mind multiple potential users of the report.


MORE TO COME

COSO’s Discussion Document constitutes the first phase of a broader monitoring project. The Committee has indicated that the second phase will include examples, case studies, and tools related to the monitoring component. Still, this initial guidance in the Discussion Document is useful to members of boards of directors, CEOs, and internal auditors as they work together to monitor their systems of internal control.

REFERENCES

Committee of Sponsoring Organizations of the Treadway Commission (COSO). (1992). Internal control—Integrated framework.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). (2007). Internal control—Integrated framework: Guidance on monitoring internal control systems. Discussion Document.

Jan Colbert, CIA, CPA, Cr.FA, PhD, is a professor of accounting at Eastern Kentucky University in Richmond. She writes on COSO topics, the Sarbanes-Oxley Act, corporate governance issues, internal controls, and other matters. Dr. Colbert teaches auditing and assurance services, as well as various statistics, accounting, and corporate governance courses in the MBA program.
