It's one thing to build solid internal controls, but quite another to have a system in place to monitor those controls on a regular basis. While many companies do the former, not enough are good at the latter. That's the core take-away behind the latest release from COSO, the Committee of Sponsoring Organizations of the Treadway Commission. The recently released exposure draft, Guidance on Monitoring Internal Control Systems, was developed in cooperation with a team of partners at Grant Thornton LLP.
“Companies need more insight into how to become much more efficient and cost effective in maintaining internal controls,” says COSO chairman Larry Rittenberg, adding that the draft was developed after COSO members observed that some public companies monitor their internal controls over financial reporting just once a year, in order to comply with Section 404 of the Sarbanes-Oxley Act. “Companies should monitor their controls every day through ordinary operations, to make sure those controls [are] operating effectively,” Rittenberg explains. The proposed guidance provides practical guidance and concrete examples of using the monitoring component of the COSO internal control framework to develop effective and efficient internal controls. “Once you establish good internal controls you ought to think of how to maintain them,” Rittenberg adds.
As the report states, central to effective monitoring is a system of procedures that evaluates key controls over specific risks to the organization. The proposed guidance illustrates effective monitoring with examples taken from real companies–including an international insurer, a beverage maker and distributor and a small software company. The report contains a monitoring model that walks users through the process of prioritizing risks, identifying controls, identifying information and implementing monitoring practices. Among the examples of effective monitoring practices is a beverage manufacturer and distributor that has built monitoring procedures for the owners of certain controls, who perform self-assessments on a monthly, quarterly and annual basis and then report the results in a tool on the company's network. Supervisory reviews are then carried out by managers of the control owners.
In another example, the audit committee at a small manufacturing company directed internal audit to scrutinize manual journal entries with a focus on potential management overrides. The reviews were structured in such a way to determine the reasonableness and frequency of such entries, with an eye toward identifying potential fraudulent activities. “COSO believes that companies would benefit by examples of the leverage they could gain from their current monitoring activities, particularly public companies,” says Charles E. Landes, vice president for professional standards and services at the AICPA and a COSO board member. Landes notes that public companies that treat Section 404 compliance as “something additional to their own systems of internal control” needlessly duplicate their monitoring procedures, “and that's not what Sarbanes-Oxley wants.”
The proposed guidance also distinguishes direct information from indirect information for monitoring, and explains how indirect information can be used. As described, direct information confirms the operation of internal controls by observing, reperforming or testing them, whereas indirect information can be used to infer whether controls or control components continue to operate effectively. “Companies' monitoring has been mostly direct testing of internal controls,” says Rittenberg. “We're saying, 'let's think of combinations of direct and indirect information that may tell you that internal controls have deteriorated over time.'”
The full report can be downloaded via the COSO website, www.coso.org. Comments on the proposed guidance, which COSO expects to adopt this fall, are due by Aug. 15.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.