Guidance on Monitoring Internal Control Systems (2009)
The COSO board recognizes that management's assessment of internal control often has been a time-consuming task that involves a significant amount of annual management and/or internal audit testing. Effective monitoring can help streamline the assessment process, but many organizations do not fully understand how to take full advantage of this important component of internal control. COSO's Monitoring Guidance is designed to improve the use of monitoring by helping organizations:
- Identify and maximize effective monitoring
- Identify and improve ineffective or inefficient monitoring
In both instances, the internal control system may be improved, increasing the likelihood that organizational objectives will be achieved.
The culmination of two years of expert critical debate, the guidance brings together leading practices at large and small organizations and provides in-depth guidance for implementing the monitoring component of COSO's Internal Control—Integrated Framework.
Guidance on Monitoring Internal Control Systems details
COSO's Monitoring Guidance suggests that effective and efficient monitoring is best achieved by:
- Establishing a foundation for monitoring, including a proper tone at the top, organizational structure and a baseline understanding of internal control effectiveness
- Designing and executing monitoring procedures that seek to evaluate "persuasive" information about "key controls" addressing "meaningful risks" to organizational objectives
- Assessing results and reporting them to appropriate parties
The guidance covers these and other topics in an easy-to-read, three-volume set.
The Three-Volume Set Includes:
- Volume I: Presents the fundamental principles of effective monitoring and develops the linkage to the COSO Framework
- Volume II: Presents in greater detail the principles outlined in Volume I and provides guidance to those responsible for implementing effective monitoring
- Volume III: Contains examples of effective monitoring
A free summary of the guidance and its intended purpose is posted on the "Excerpts" tab above.
Note: The On-Demand format is an electronic PDF download file that will be accessible immediately after completing your purchase. Access to this file – from the My Account > My Downloads page – expires 90 days from the purchase date. This product purchase is non-refundable. For more information about this product, or for service concerns, please contact the AICPA Service Center at firstname.lastname@example.org or call 888-777-7077.
Members of the COSO organizations are eligible to receive copies of this document at the AICPA member price shown below. If you are a member of the AAA, FEI, IIA, or the IMA, please enter the appropriate coupon code in the Discounts box during checkout. Student and Educator members of all five organizations are eligible for discounts on the PDF Download and the Print & PDF Bundle. Please use the appropriate code to obtain the discounted price.
| Product | Member of AAA, FEI, IIA, IMA | Student/Educator Member of AAA, FEI, IIA, IMA | AICPA Student/Educator Member |
|---|---|---|---|
| Print Publication (990021) | SBP | Not available | Not available |
| PDF Download (990021PDF) | SBK | SBL | No promo code needed |
| Print & PDF Bundle (990022HI) | SBP | SBP | No promo code needed |
Other COSO documents:
Internal Control—Integrated Framework (1992)
Enterprise Risk Management—Integrated Framework (2004)
Internal Control over Financial Reporting—Guidance for Smaller Public Companies (2006)
Monitoring: An Integral Component of Internal Control
Over the past decade, organizations have invested heavily in improving the quality of their internal control systems. They have made the investment for a number of reasons, notably: (1) good internal control is good business — it helps organizations ensure that operating, financial and compliance objectives are met, and (2) many organizations are required to report on the quality of internal control over financial reporting, compelling them to develop specific support for their certifications and assertions.
Internal control is designed to assist organizations in achieving their objectives. The five components of COSO's Internal Control — Integrated Framework (the COSO Framework) work in tandem to mitigate the risks of an organization's failure to achieve those objectives.
The COSO Board recognizes that management's assessment of internal control often has been a time-consuming task that involves a significant amount of annual management and/or internal audit testing. Effective monitoring can help streamline the assessment process, but many organizations do not fully understand this important component of internal control. As a result, they underutilize it in supporting their assessments of internal control.
Figure 1 depicts the comprehensive nature of monitoring and illustrates how effective monitoring considers the collective effectiveness of all five components of internal control.
COSO's 2008 Guidance on Monitoring Internal Control Systems (COSO's Monitoring Guidance) was developed to clarify the monitoring component of internal control. It does not replace the guidance first issued in the COSO Framework or in COSO's 2006 Internal Control over Financial Reporting — Guidance for Smaller Public Companies (COSO's 2006 Guidance). Rather, it expounds on the basic principles contained in both documents, guiding organizations in implementing effective and efficient monitoring.
How Does Monitoring Benefit the Governance Process?
Unmonitored controls tend to deteriorate over time. Monitoring, as defined in the COSO Framework, is implemented to help ensure "that internal control continues to operate effectively."[1] When monitoring is designed and implemented appropriately, organizations benefit because they are more likely to:
- Identify and correct internal control problems on a timely basis,
- Produce more accurate and reliable information for use in decision-making,
- Prepare accurate and timely financial statements, and
- Be in a position to provide periodic certifications or assertions on the effectiveness of internal control.
Over time effective monitoring can lead to organizational efficiencies and reduced costs associated with public reporting on internal control because problems are identified and addressed in a proactive, rather than reactive, manner.
Fundamentals of Effective Monitoring
COSO's Monitoring Guidance builds on two fundamental principles originally established in COSO's 2006 Guidance:[2]
- Ongoing and/or separate evaluations enable management to determine whether the other components of internal control continue to function over time, and
- Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.
The monitoring guidance further suggests that these principles are best achieved through monitoring that is based on three broad elements:
- Establishing a foundation for monitoring, including (a) a proper tone at the top; (b) an effective organizational structure that assigns monitoring roles to people with appropriate capabilities, objectivity and authority; and (c) a starting point or "baseline" of known effective internal control from which ongoing monitoring and separate evaluations can be implemented;
- Designing and executing monitoring procedures focused on persuasive information about the operation of key controls that address meaningful risks to organizational objectives; and
- Assessing and reporting results, which includes evaluating the severity of any identified deficiencies and reporting the monitoring results to the appropriate personnel and the board for timely action and follow-up if needed.
Breadth of Monitoring Processes
Organizations may select from a wide variety of monitoring procedures, including but not limited to:
- Periodic evaluation and testing of controls by internal audit,
- Continuous monitoring programs built into information systems,
- Analysis of, and appropriate follow-up on, operating reports or metrics that might identify anomalies indicative of a control failure,
- Supervisory reviews of controls, such as reconciliation reviews as a normal part of processing,
- Self-assessments by boards and management regarding the tone they set in the organization and the effectiveness of their oversight functions,
- Audit committee inquiries of internal and external auditors, and
- Quality assurance reviews of the internal audit department.
Continued advancements in technology and management techniques ensure that internal control and related monitoring processes will change over time. However, the fundamental concepts of monitoring, as outlined in COSO's Monitoring Guidance, are designed to stand the test of time.
Using the Guidance to Move Monitoring Forward
Management can begin the monitoring process by encouraging the people with control system responsibility to read COSO's Monitoring Guidance and consider how best to implement it or whether it has already been incorporated into certain areas. Further, personnel with appropriate skills, authority and resources should be charged by management with addressing these four fundamental questions:
- Have we identified the meaningful risks to our objectives, for example, the risks related to producing accurate, timely and complete financial statements?
- Which controls are "key controls" that will best support a conclusion regarding the effectiveness of internal control in those risk areas?
- What information will be persuasive in telling us whether the controls are continuing to operate effectively?
- Are we presently performing effective monitoring that is not well utilized in the evaluation of internal control, resulting in unnecessary and costly further testing?
Management and the board of directors should understand the concepts of effective monitoring and how it serves their respective interests. As the board learns more about monitoring, it will develop the knowledge necessary to ask management in relation to any area of meaningful risk, "How do you know the internal control system is working?"
COSO's Monitoring Guidance is designed to help organizations answer these and other questions within the context of their own unique circumstances — circumstances that will change over time. As they progress in achieving effectiveness in monitoring, organizations likely will have the opportunity to further improve the process through the use of such tools as continuous monitoring software and exception reports tailored to their processes.
The guidance also covers other concepts that are important to effective and efficient monitoring, including:
- The characteristics associated with the objectivity of the evaluator;
- The period of time and the circumstances by which an organization can rely on adequately designed indirect information — when used in combination with ongoing or periodic persuasive direct information — to conclude that internal control remains effective;
- Determining the sufficiency and suitability of information used in monitoring to ensure that the results can adequately support conclusions about internal control; and
- Ways in which the organization can make monitoring more efficient without reducing its effectiveness.
COSO's Monitoring Guidance encompasses three volumes. Volume I presents the fundamental principles of effective monitoring and develops the linkage to the COSO Framework. Volume II conveys in greater detail the principles outlined in Volume I and provides guidance to those responsible for implementing effective monitoring. Volume III contains examples of effective monitoring.
Many organizations, through applying the concepts set forth in the guidance, should improve the effectiveness and efficiency of their internal control systems. To that end, COSO's Monitoring Guidance is designed to help organizations (1) identify effective monitoring where it already exists and use it to the maximum benefit, and (2) identify less effective or efficient monitoring, leading to improvements. In both instances, the internal control system may be improved, increasing the likelihood that organizational objectives will be achieved.
[1] COSO Framework, p. 69.
[2] See principles #19 and #20 in COSO's Internal Control over Financial Reporting – Guidance for Smaller Public Companies issued in 2006 (COSO's 2006 Guidance).
Table of Contents
- Introduction
- Establish a Foundation for Monitoring
- Tone at the Top
- Example 1: Consistent development and communication of expectations regarding internal control, including monitoring
- Example 2: Use of a formal risk committee to develop and communicate monitoring expectations
- Example 3: Internal audit policy that encourages self-assessment and self-reporting of potential control problems
- Organizational Structure
- Example 4: Clearly articulated roles and responsibilities through the establishment of preparer/reviewer standards for key journal entries
- Example 5: Use of a formal risk committee to develop and communicate expectations
- Example 6: Creation of a Risk Control function to facilitate both the development of controls and the monitoring of those controls
- Example 7: Clear assignment of oversight responsibilities
- Example 8: Audit committee's use of internal audit to address certain risks
- Example 9: Use of self-assessments to instill monitoring responsibilities throughout the management structure
- Example 10: Internal audit develops its plan in concert with the organization's strategic planning process
- Example 11: Board of directors' oversight adjusted based on risk
- Example 12: Open lines of internal and external communication
- Example 13: Modifications to monitoring to improve plant-level internal control oversight
- Baseline Understanding of Internal Control Effectiveness
- Example 14: Effective use of a control baseline
- Example 15: Establishing a baseline that begins with a list of prioritized risks
- Design and Execute Monitoring Procedures
- Prioritize Risks
- Example 16: Adjustment of type, timing and extent of monitoring based on the results of risk assessment
- Example 17: Use of a formalized risk assessment methodology
- Example 18: Linkage of a formalized risk assessment methodology to related controls
- Identify Key Controls
- Example 19: Development of an audit program based on an analysis of key controls
- Example 20: Small manufacturing company's consideration of key controls
- Identify Persuasive Information
- Example 21: Integration of operations and finance into one technology platform
- Example 22: Use of indirect information in addressing operational risks
- Example 23: Balanced use of direct and indirect information in addressing operational risks
- Example 24: Improved use of indirect information to monitor payroll
- Implement Monitoring Procedures
- Example 25: Necessary modifications to improve ongoing monitoring
- Example 26: Employ ongoing self-assessment procedures with periodic reconfirmation by internal audit or others
- Example 27: Identified changes in business operations lead to reconsideration of, and potential changes in, monitoring
- Assess and Report Results
- Prioritize and Communicate Results
- Example 28: Use of a tool to help prioritize, track and report potential deficiencies
- Example 29: Use of a tool to help prioritize, track and report potential deficiencies
- Example 30: Use of qualified personnel to evaluate control deficiencies
- Example 31: Use of people trained specifically to evaluate the severity of potential deficiencies
- Report Internally
- Example 32: Established reporting protocols for identified deficiencies
- Example 33: Use of a spreadsheet to track and report deficiencies
- Example 34: Established grading scale and reporting protocol for identified deficiencies
- Report Externally
- Example 35: Benefits of joint planning between the organization and the external auditor
- Example 36: Consideration of the use of external specialists
- Other Considerations
- Monitoring Controls Outsourced to Others
- Example 37: Obtain and evaluate outside party's independent internal control audit report
- Using Technology for Effective Monitoring
- Example 38: Use of a monitoring-status tracking tool and dashboard report
- Example 39: Use of a monitoring-status tracking tool
- Example 40: Continuous monitoring of segregation-of-duties controls
- Example 41: Improved monitoring through the use of a reconciliation tracking tool
- Example 42: Continuous monitoring using conditional tests of transaction data
- Example 43: Continuous monitoring using conditional tests of transaction data
- Example 44: Continuous monitoring using regression analysis
- Example 45: Use of an IT tool to track system authorization changes and identify possible segregation-of-duties problems
- Example 46: Selection of "key" IT-related controls
- Comprehensive Examples
- Large Retail Organization's Monitoring of Controls Over Store Inventory
- Monitoring of Controls Over Certain Operational Risks in a Mid-Sized Manufacturing Organization
- Monitoring Certain IT Controls
- Appendix A: ABC Company COSO Usage Document
- Appendix B: Quarterly and Annual Management Representations
- Appendix C: Quarterly and Annual Disclosure Committee Review Procedures Checklist
- Appendix D: Enterprise-Wide Risk Matrix
About the Publisher