COSO Proposes Guidance on Monitoring Internal Controls Over Financial Reporting
COSO has proposed guidance on monitoring internal controls over financial reporting that relies heavily on tone at the top and risk assessment. According to COSO, monitoring is an integral part of internal control over financial reporting. Further, it is important that internal control be viewed as a continuous process and that effective monitoring be implemented as a component of that process. In COSO’s view, the core of effective monitoring lies in designing and executing monitoring procedures that evaluate important controls over meaningful risks to the company’s objectives.
The COSO guidance comes against the backdrop of a new SEC-PCAOB initiative to significantly revise the internal control reporting mandates of Section 404 of Sarbanes-Oxley. COSO (the Committee of Sponsoring Organizations of the Treadway Commission) supports the PCAOB’s new risk-based internal control audit standard, AS5, and finds that its focus on a top-down, risk-based approach is consistent with COSO’s own internal control framework. However, COSO is concerned that many companies have not fully integrated the monitoring component of its internal control framework into their overall control structures.
The organizations comprising COSO are the American Accounting Association, the AICPA, Financial Executives International, the Institute of Internal Auditors, and the National Association of Accountants (now the Institute of Management Accountants).
The guidance builds on two fundamental principles. The first is that ongoing evaluations enable management to determine whether the other components of internal control continue to function over time. The second principle is that internal control deficiencies should be identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.
COSO recognizes that risks change over time and that there is a need for management to determine whether the internal control system continues to be relevant and able to address new risks. Thus, monitoring should assess whether management reconsiders the design of controls when risks change, and verifies the continued operation of existing controls that have been designed to reduce risks to an acceptable level.
Accordingly, the guidance emphasizes COSO’s belief that monitoring should be based on a fundamental analysis of risks and an understanding of how controls may or may not manage or mitigate those risks. More specifically, monitoring involves establishing a foundation for monitoring, designing and executing monitoring procedures that are prioritized based on risk, and assessing and reporting the results, including following up on corrective action where necessary.
Management has the primary responsibility for the effectiveness of a company’s internal control system. Management establishes the system and makes sure that it continues to operate effectively. Controls performed below the senior-management level can be monitored by management personnel or their objective designees.
However, controls performed directly by members of senior management cannot be monitored objectively by those individuals or their designees. In such circumstances, other members of senior management may be able to monitor the controls. For example, the chief legal officer might monitor controls over new corporate contracts entered into by the chief operating officer. The board may also need to monitor such controls, which it frequently accomplishes through an audit committee and an internal audit function.
Board-level monitoring becomes increasingly important regarding controls that are at risk of senior management override. In most cases, the board is ultimately responsible for determining whether management has implemented effective internal controls. It makes this assessment by understanding the risks the organization faces and gaining an understanding of how senior management manages or mitigates those risks that are meaningful to the company’s objectives. Obtaining this understanding includes determining how management supports its beliefs about the effectiveness of the internal control system in those important areas.
Previously effective internal control systems become ineffective for one of two reasons, COSO reasoned: the risk environment changes without corresponding control adjustments, or the operation of the internal control system changes such that it no longer adequately manages existing risks.
When ongoing monitoring identifies a change in the environment, the organization determines whether a corresponding change is needed in the internal control system. When monitoring identifies a change in the internal control system, the organization needs to verify whether that change was designed and implemented properly.
The monitoring process is complete when the results are compiled and reported to appropriate personnel. This final stage enables the results of monitoring to either confirm previously established expectations about the effectiveness of internal control or highlight identified deficiencies for possible corrective action.