In our previous article to better understand an entity’s internal control (COSO) framework, we covered Information and Communication. This article will focus on the internal control component of Monitoring Activities, which is the final internal control component of the COSO framework.
There are two principles related to the Monitoring Activities component of internal control:
- The entity selects, develops and performs ongoing and/or separate evaluations to determine whether or internal control components are present and also whether they are functioning.
- The entity evaluates if any internal control deficiencies exist and communicates, in a timely manner, known deficiencies to those parties responsible for taking a correction action (i.e. senior members of management, the board of directors, etc.)
In previous articles, it was discussed that an Organization needs to select and develop control activities to mitigate the risks identified for financial reporting objectives or for compliance under grant agreements. These control activities should also consider the potential for fraud. After control activities are identified, the Organization should communicate policies developed with employees and customers. Monitoring is a crucial step in order to determine whether the control environment of the organization is adequate, if risks identified were appropriate, if control activities designed were adequate and if designed internal control activities were appropriately to employees and customers of an Organization.
The first step of monitoring is the designing a process to ensure components of internal controls are functioning as designed. Before designing this process, management within the Organization should have a clear understanding of the internal control policies implemented and what they were designed to achieve. Management should also assess whether the policies have been appropriately communicated to individuals identified as necessary to perform the control activity. For example, a policy might have been designed in which bank reconciliations are performed by a staff accountant and reviewed by an accounting manager each month. This policy would likely have been created to ensure that all cash transactions are appropriately being accounted for each month. After understanding why the policy exists and evaluating whether key individuals have been appropriately informed of the policy, how would the Organization ensure the control process is being followed?
In this example, a monitoring process could consist of another individual (executive director, CFO, etc.) who periodically inquires with key individuals regarding the process and ask if they are performing the bank reconciliation or review. External evidence might also provide evidence that the control activity is being followed. Are the individuals described above being provided with copies of the reviewed bank reconciliations and if so, do the reviewed bank reconciliations agree to general ledgers or monthly financial statements? If bank reconciliations are not being accurately performed, does another individual need to perform the reconciliation?
In addition to monitoring existing control processes which have been established, Organizations will need to consistently consider changes in their business environment within the Organization. Changes in the business environment may indicate the need for additional assessment of risks for financial reporting objectives or for compliance under grant agreements. Examples of changes in business environment could be new types of revenue, new grant agreements, or perhaps changes in compliance and regulatory requirements of the business. In addition, monitoring of changes in personnel will need to be considered. In the bank reconciliation example above, if the accounting manager left and was not replaced, who would perform the review of the bank reconciliation?
After a monitoring process has been developed, the last step of monitoring is ensuring whether internal control deficiencies are being communicated in a timely manner to those parties responsible for correcting the deficiencies. As we had discussed in our previous COSO Framework article, an open line of communication between board members or owners, management, employees or any other outside party key to an Organization’s control objectives. In order to help ensure this communication takes place, a healthy and positive “tone at the top” reading the importance of internal controls and need to report issues will ensure these communications exist.
Parties responsible for correcting deficiencies may vary based on each Organization ranging from the controller or CFO, executive director or CEO, or a board of directors. These parties must be informed of the deficiency and the implications the deficiency could have on the Organization. Timeliness of this communication to parties responsible is also crucial. With regard to our bank reconciliation example, if an individual becomes aware that bank reconciliations are not being performed or reviewed every month, but this information is not communicated to anyone, how would the Organization begin to correct the deficiency? After deficiencies are reported, Organizations will need to consider a correction action plan necessary to address the deficiency. In our bank reconciliation example above, if the accounting manager leaves and is not replaced, can an owner or board member perform the review of the bank reconciliation? If no one can perform bank reconciliations, can the Organization hire an external accountant to perform the bank reconciliation? In some instances, the Organization may determine that a control deficiency exists due to time, personnel, or monetary constraints. In these instances, Organizations will need to consider the risks associated with the deficiency and accept whether or not they are willing to accept those risks.
Proper monitoring of internal control is crucial to ensure the entire COSO Framework ties together. Without proper monitoring, Organizations are not be aware whether reporting objectives are being met. Monitoring of internal controls will also help Organizations better understand their operations and ensure a happier future for continued business success. This concludes our series on the COSO Framework Principles. Please contact Traci Hanson, Shelley Goodrich, Sandra Weaver or Brady Gabel with specific questions. The Framework can be purchased from the COSO’s website at www.coso.org.