COSO Emphasizes Tone at the Top and Outside Auditors in Monitoring Internal Controls

COSO has proposed guidance on monitoring internal controls that relies heavily on tone at the top and risk assessment, as well as having a role for the outside auditors of the company’s financial statements. The board and its audit committee also have key roles to play in the effective monitoring of internal controls. According to COSO, monitoring is an integral part of internal control over financial reporting. Further, it is important that internal control be viewed as a continuous process and that effective monitoring be implemented as a component of that process.

The COSO guidance comes against the backdrop of a new SEC-PCAOB initiative to significantly revise the internal control reporting mandates of Section 404 of Sarbanes-Oxley. COSO, the sponsoring organizations of the Treadway Commission, supports the PCAOB’s new risk-based internal control audit standard, AS5 and finds that its focus on a top down risk-based approach is consistent with COSO’s own internal control framework. However, COSO is concerned that many companies have not fully integrated the monitoring component of its internal control framework into their overall control structures.

According to COSO, a primary element of monitoring is the control environment in which monitoring operates. This aspect requires a proper tone at the top regarding the importance of internal controls and monitoring, as well as an organizational structure that places evaluators with appropriate skills and authority in monitoring roles.

Another critical element is to devote monitoring resources commensurate with the underlying level of risk. It is the job of management to specify financial reporting objectives with sufficient clarity to enable the identification of risks to reliable financial reporting. Regarding financial reporting risks, management identifies risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed. With respect to fraud risk, said COSO, the potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.

A third key element to effective monitoring is the company’s communication structure and the ability to report results of monitoring, including control weaknesses, to the right people in a timely manner. The results of monitoring should be reported to management in a reasonable time frame. To whom and how often the general results of monitoring are reported depends on the level of risk and the importance of the related controls.

In COSO’s view, controls performed below the senior-management level can be monitored by management personnel. However, controls performed directly by senior management, and controls designed to prevent or detect senior-management override of other controls, cannot be monitored objectively by senior management. In these circumstances, noted COSO, monitoring should be performed by the audit committee.

The board is also in the best position to evaluate whether management has implemented
effective monitoring procedures elsewhere in the organization. It makes this assessment by gaining an understanding of how senior management has met its responsibilities. In most organizations, it is neither feasible nor necessary for the board to understand all of the details of every monitoring procedure, but the board should have a reasonable basis for concluding that management has implemented an effective monitoring system.

COSO expects directors to obtain persuasive information in support of their conclusions through inquiry of management; the internal audit function, hired specialists, and external auditors. The board’s consideration of the external auditor’s results is an important issue.

Auditors must maintain their objectivity in both fact and appearance, and, as such, they are not part of an audit client’s internal control system. However, an organization that does not appropriately consider the results of the external auditor’s work would have a weakness in its monitoring procedures.

If the external auditor’s work identifies possible errors or control weaknesses, the company should consider those results in the context of its own monitoring. However, neither management nor the board should plan to reduce its monitoring efforts in other areas simply because the auditor did not find errors or control weaknesses.