“The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.” (COSO Principle 16, Performs Ongoing and/or Separate Evaluations, COSO Framework) is the first of the two principles relating to the Monitoring Component of internal control. Organizations naturally proceed through change over time as they respond to opportunities and risks. Employee turnover, entering/leaving distribution channels, introducing/discontinuing product lines, location changes, technological change, and regulatory change are some of the forces driving change. These changes impact the internal control environment. Effective monitoring through ongoing and/or separate evaluations must be in place to identify and respond to these changes.
As most organizations have not yet risen far enough on the maturity curve to have an active Enterprise Risk Management (ERM) program, it falls to the monitoring controls to achieve the objective that the internal control system ensures all five components are present and functioning. Improvement and expansion of monitoring controls over time can be used as one pathway to an ERM program. For those who have implemented ERM, many of the activities of that program should achieve most or all of the objectives of the monitoring component. It will be very interesting to see the COSO ERM Update when it is released, especially with reference to the revised COSO I/C Framework.
A control activity mitigates a particular risk or group of risks. A monitoring activity typically takes a higher-perspective view of the internal control system to determine that it continues to operate effectively as management intended and is also flexible enough to respond to changing circumstances and emerging risks. Monitoring transactional-type activities typically involves using baselines to define a “normal” or expected state and thereby identify outliers or unusual trends for investigation. A spike in product returns or customer service calls as compared to baseline may indicate a production or design flaw. A jump in an expense balance as compared to budget/forecast or prior periods may indicate expense misclassification, fraud or irresponsible spending. The actions taken in response to monitoring controls create a healthy perception in an organization that management is paying attention. Even if the actions/transactions/expenses are appropriate, the fact that someone asks for an explanation may prevent an employee or vendor from considering “bending the rules” in the future.
Monitoring must go beyond just having information and dashboards available; that alone is not a control. Evidence that the monitoring was performed, including conclusions that “all is well” or actions taken in response to issues, is necessary for the monitoring to qualify as a control (i.e., so that it can stand up to independent review/audit). Done effectively, monitoring controls can qualify as “key” controls for SOX, replace lower-level controls and thereby reduce the amount of time spent on SOX compliance. This does not mean that the lower-level controls can be discontinued, only that a monitoring control can effectively ensure multiple controls are executed and reviewed, and these monitoring controls (many fewer) are the ones in scope for the SOX compliance audit.
Technology can help by creating a “monitoring shell” around the execution of controls: formalizing and scheduling control activities to get “credit” for them as documented, repeatable and effective. Let’s look at some examples. Virtually all companies subject to external audit prepare analytic review schedules of financial information each quarter for the external auditors. Why not embrace this analytic review and leverage your effort by formalizing it as a control procedure that is assigned/scheduled via tasking software, with all explanations, evidence of control execution and evidence of review captured and date-stamped within an application? Perhaps it makes sense to not only include the analysis that the auditors request, but to expand the review to other accounts, or to a comparison to budget/forecast/expectations, or to comparisons to organizational key performance indicators (KPIs). Perhaps it makes sense to perform a subset of this analytic review monthly, especially if research into quarterly variances typically involves digging into monthly data. Similarly, perhaps your organization has divisional/location/store controllers that routinely review expenditures. Leverage this activity by formalizing it within technology to demonstrate consistent performance and evidence of completion and review, making it a formal monitoring control procedure. Formalizing such activities also fosters accountability, which those who always execute their responsibilities will love, and those who don’t will not.
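The baseline-variance monitoring described above (expense balances compared to budget and prior period) and the date-stamped evidence of review that turns it into a control, as an added illustration that is not part of the original post or of any BestGRC product; the account balances, the 20% variance threshold and the reviewer names are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: account -> (current period, budget, prior period), in thousands.
SAMPLE_BALANCES = {
    "Travel": (180.0, 120.0, 125.0),
    "Rent": (300.0, 300.0, 295.0),
    "Consulting": (95.0, 90.0, 60.0),
    "Office supplies": (12.0, 15.0, 14.0),
}

def flag_variances(balances, threshold=0.20):
    """Return accounts whose current balance deviates from the budget OR the
    prior-period baseline by more than `threshold` (a fraction, e.g. 0.20 = 20%)."""
    flagged = {}
    for account, (actual, budget, prior) in balances.items():
        vs_budget = (actual - budget) / budget
        vs_prior = (actual - prior) / prior
        # Either baseline breaching the threshold is enough to require an explanation.
        if abs(vs_budget) > threshold or abs(vs_prior) > threshold:
            flagged[account] = {"vs_budget": round(vs_budget, 3),
                                "vs_prior": round(vs_prior, 3)}
    return flagged

@dataclass
class ReviewRecord:
    """One date-stamped evidence entry: what was found, what was explained, who concluded."""
    account: str
    variance: dict
    explanation: str
    conclusion: str      # "explained" or "escalate"
    reviewer: str
    reviewed_at: str     # ISO-8601 UTC timestamp, the audit-facing date stamp

def close_review(flagged, explanations, reviewer, now=None):
    """Build an evidence record for every flagged account. An item with no
    explanation is not silently dropped; it is recorded as escalated."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    records = []
    for account, variance in flagged.items():
        explanation = explanations.get(account, "")
        conclusion = "explained" if explanation else "escalate"
        records.append(ReviewRecord(account, variance, explanation,
                                    conclusion, reviewer, stamp))
    return records

def open_items(records):
    """Accounts still awaiting action after the review, for follow-up tasking."""
    return [r.account for r in records if r.conclusion == "escalate"]
```

An account exactly at the threshold (Office supplies, 20% under budget) is deliberately not flagged, so the threshold itself is a documented choice the reviewer should be able to defend.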
In my 30+ years in external and internal audit, 13 of which as Chief Audit Executive, I could never understand why documenting monitoring activities to formalize them as controls was such a “tough sell”. I came to the general conclusion that documenting these activities forced responsibility and accountability, which many resisted. They viewed it as “one more way to fail” audit. My response was always: if you believe these activities are important enough to spend the time, and I agree they are important activities, why resist formalizing them when your expectation is that the procedures should be done consistently? Formalizing and expanding monitoring controls is the path to an improved control environment and a more efficient oversight function, especially if your organization must comply with SOX. COSO concurs and issued a three-volume Guidance on Monitoring Internal Control Systems to stress their belief that monitoring controls will improve both the effectiveness and efficiency of the internal control system. Monitoring, with the assistance of technology, will guide you further down the path toward leveraging compliance.
About the Author
Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications and the “Leverage Compliance” blog. Find Glenn’s full profile at http://www.linkedin.com/in/glenntmurphy/, follow him @GlennMurphyGRC and subscribe to the Leverage Compliance blog at http://www.bestgrc.com/blog/