In January 2009, COSO published “Monitoring Guidance” to help organizations better monitor the effectiveness of their internal control systems and take corrective action if needed. This has direct implications for ongoing SOX work, so I thought it would be useful to highlight some of the more salient points. Further details can be found on the COSO website.
COSO notes the following:
Over the past decade, organizations have invested heavily in improving the quality of their internal control systems. They have made the investment for a number of reasons, notably: (1) good internal control is good business — it helps organizations ensure that operating, financial and compliance objectives are met, and (2) many organizations are required to report on the quality of internal control over financial reporting, compelling them to develop specific support for their certifications and assertions.
Management’s assessment of internal control often has been a time-consuming task that involves a significant amount of annual management and/or internal audit testing. Effective monitoring can help streamline the assessment process, but many organizations do not fully understand this important component of internal control. As a result, they underutilize it in supporting their assessments of internal control.
Unmonitored controls tend to deteriorate over time. Monitoring, as defined in the COSO Framework, is implemented to help ensure “that internal control continues to operate effectively.” When monitoring is designed and implemented appropriately, organizations benefit because they are more likely to:
- Identify and correct internal control problems on a timely basis,
- Produce more accurate and reliable information for use in decision-making,
- Prepare accurate and timely financial statements, and
- Be in a position to provide periodic certifications or assertions on the effectiveness of internal control.
Over time, effective monitoring can lead to organizational efficiencies and reduced costs associated with public reporting on internal control because problems are identified and addressed in a proactive, rather than reactive, manner.
Management can begin the monitoring process by encouraging the people with control system responsibility to read COSO’s Monitoring Guidance and consider how best to implement it or whether it has already been incorporated into certain areas. Further, personnel with appropriate skills, authority and resources should be charged by management with addressing these four fundamental questions:
- Have we identified the meaningful risks to our objectives, for example, the risks related to producing accurate, timely and complete financial statements?
- Which controls are “key controls” that will best support a conclusion regarding the effectiveness of internal control in those risk areas?
- What information will be persuasive in telling us whether the controls are continuing to operate effectively?
- Are we presently performing effective monitoring that is not well utilized in the evaluation of internal control, resulting in unnecessary and costly further testing?
Many organizations, through applying the concepts set forth in the guidance, should improve the effectiveness and efficiency of their internal control systems. To that end, COSO’s Monitoring Guidance is designed to help organizations (1) identify effective monitoring where it already exists and use it to the maximum benefit, and (2) identify less effective or efficient monitoring, leading to improvements. In both instances, the internal control system may be improved, increasing the likelihood that organizational objectives will be achieved.
This ties in nicely with the current economic environment, in which many organizations are struggling with expense and project budgets yet remain fully cognizant of the need to maintain strong internal controls and SOX projects. This would appear to be a way to achieve both.
I hope this helps. Please contact Edelkoort Smethurst Schein CPA’s LLP if you have any questions or comments.