Christopher McKittrick

Is Continuous Monitoring in Your Future?

Effective monitoring can help streamline the risk assessment process, but many organizations do not fully understand this important component.

September 7, 2010
by Christopher McKittrick, CPA, CFE

As a result of the financial crisis and ongoing economic uncertainty, a lot is being written and talked about on the subject of corporate governance, risk and compliance (GRC). Much of this stems from the concern that corporate GRC structures failed to assure that organizations were ready to identify and react to the financial crisis, or any crisis, quickly and effectively. As can happen, making money over the prior few years may have served to cover a multitude of GRC sins and lead to some lackadaisical efforts in risk management. It is possible that relaxed approaches to risk management maybe even extended all the way down to basic internal and accounting controls. And suddenly, the financial crisis served as the much needed “slap in the face” to remind us that the focus on GRC fundamentals at all levels should never go out of style.

Transparency and renewed focus on reliability in business processes and financial reporting are coming back into style and are more important than ever. Addressing GRC efforts will help to bring back public confidence in boards’ and management’s ability to effectively lead through the uncharted territory ahead of us. As events continue to unfold that cause strategies and directions to change quickly, sound risk management and internal control will be even more important. All entities must show they have the ability to better foresee events, assess the risks they face and make preparations to respond appropriately. Ongoing challenging times require organizations to assure even more reliability in their processes and in the quality of their data.

Don’t miss AICPA’s upcoming Strengthening Your Enterprise’s Risk Oversight for Strategic Benefit conference, October 14 – 15, New York, NY

It is highly likely that due to the economic turbulence many internal controls have changed because of reductions and realignment in staffing levels and duties. Some business processes and internal controls probably are now out of date. These unidentified changes in processes and controls are pretty likely to lead to “surprises.” Management needs to take steps to reduce the possibility of any unpleasant surprises and their related costs to be sure they are identified before it is too late to effectively address them.

Getting Started

On September 1, 2009, The Committee of Sponsoring Organizations of the Treadway Commission (COSO) took a step to remind boards of their important role in risk oversight. They released Effective Enterprise Risk Oversight: The Role of the Board of Directors and can be downloaded at the COSO website. It stresses the key role of the board in monitoring an organization’s enterprise risk management (ERM) by pointing to “four areas that contribute to board oversight with regard to enterprise risk management:

  • Understand the entity’s risk philosophy and concur with the entity’s risk appetite.
  • Know the extent to which management has established effective enterprise risk management of the organization.
  • Review the entity’s portfolio of risk and consider it against the entity’s risk appetite.
  • Be apprised of the most significant risks and whether management is responding appropriately.”

This Enterprise Risk Oversight reminder from COSO is another example of how COSO consistently develops guidance for organizations to help ensure the effectiveness of financial, operational and compliance-related internal controls. There is little question that GRC needs to be addressed in ways that seek to avoid missing blind spots that could threaten future growth and financial stability — both strategically and operationally. Both boards and executive management, in both public and private organizations, could stand to re-evaluate their risk man­agement processes and policies.

One way to do this, and to follow through on this recent COSO Effective Enterprise Risk Oversight guidance may be for organizations to give even more consideration to another of COSO’s efforts — specifically its Internal Control — Integrated Framework: Guidance on Monitoring Internal Control Systems. It suggests that organizations should address the below key question in light of any changes which have occurred in the recent past. The question is extracted from the “Using the Guidance to Move Monitoring Forward” section of the Introduction portion of the Integrated Framework.

  • “Are our governance, risk and compliance frameworks fundamentally sound at both the strategic and operations levels?”

Control Monitoring Fundamentals

Here are some additional excerpts from COSO’s Internal Control  — Integrated Framework: Guidance on Monitoring Internal Control Systems — Introduction, which may help with understanding the benefit of monitoring internal control … specifically when completing internal control risk assessments.

  • “Effective monitoring can help streamline the (internal control) assessment process, but many organizations do not fully understand this important component of internal control. As a result, they underutilize it in supporting their assessments of internal control.”
  • “Unmonitored controls tend to deteriorate over time. Monitoring, as defined in the COSO Framework, is implemented to help ensure “that internal control contin­ues to operate effectively.” When monitoring is designed and implemented appropriately, organizations benefit because they are more likely to:
    • Identify and correct internal control problems on a timely basis,
    • Produce more accurate and reliable information or use in decision-making,
    • Prepare accurate and timely financial statements and
    • Be in a position to provide periodic certifications or assertions on the effectiveness of internal control.

“Over time effective monitoring can lead to organizational efficiencies and reduced costs associated with public reporting on internal control because problems are identified and addressed in a proactive, rather than reactive, manner.”

Continuous Monitoring Is a Key Tool

One step that can help avoid blind spots is integrating specific risk management practices such as continuous controls monitoring (CCM) into basic operating activities. Since continuous monitoring technology directly monitors the performance of internal accounting controls it can deliver an excellent measurement regarding an internal control system’s operational effectiveness. CCM can provide improved visibility, and it is possible it may even identify operational improvements that would help the business grow. An added benefit is that CCM feedback also could serve to improve external confidence (e.g., external auditors) in financial reporting results.

Also consider this key question that the Guidance on Monitoring Internal Control Systems suggests should be addressed by management.

  • “Are we presently performing effective monitoring that is not well utilized in the evaluation of internal control, resulting in unnecessary and costly further testing?”

In particular, let’s further explore the ideas of “smarter, quicker and less expensive audits” and “unnecessary and costly further testing.” I interpret these two premises to mean it is highly likely that both internal audit costs and external audit fees may be higher than they could be with an effective monitoring program in place. Surely the easiest higher cost to identify is higher external audit fees. CCM might identify cost reductions and business process improvements that result in smarter, quicker and less expensive audits.


Effective GRC efforts are more than frameworks and plans. Effective GRC efforts require effective execution of control activities on a regular basis. COSO has laid out some good guidelines for reliability, suitability and efficiency in control monitoring activities that can aid an organization’s GRC activities. There is a high degree of probability that CCM can pay for itself by improved audit effectiveness in locating and resolving errors quickly and thoroughly and thus offer cost reductions in both internal and external audit efforts.

COSO has given us the guidance and examples that are needed to get going. So be smart … maybe even be a hero…and get going on continuous monitoring. COSO has laid it out for you.

Rate this article 5 (excellent) to 1 (poor). Send your responses here.

Christopher McKittrick, CPA, MBA, CFE is a lecturer at NC State University's College of Management in the Department of Accounting and an independent consultant with Perspective Business Advisors. He has over 30 years of business experience in leadership positions in audit, financial management and information systems. He has worked in a broad range of industries including public accounting, hospitality and gaming, manufacturing, software and public relations/advertising. His roles have included vice president-chief financial officer, internal audit director, information systems director, re-engineering team leader, and corporate/division controller.