COSO's New Guidance for Monitoring Internal Controls: What You Need to Know and How It Can Help Your Organization Mitigate Risk
In late January of 2009, The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released new guidance for monitoring internal control systems. This initiative, led by COSO and Grant Thornton LLP, was designed to help organizations better utilize the monitoring component over internal control systems.
Over the past several years, organizations have devoted vast resources to developing internal control systems in order to mitigate risks to organizational objectives. The COSO Financial Controls Framework has been the main template used by organizations to create their internal control systems.
While the COSO Framework has helped organizations come a long way in strengthening their internal control systems, it has been widely noted that one of the framework's five main components, monitoring, has been overlooked by its users.
Over time, as an organization grows and changes, the risks grow and change accordingly. As this change occurs, the corresponding internal controls tend to deteriorate and become less effective. In order to identify and mitigate these new or developing risks, organizations must have an adequate internal control monitoring system in place. This is where COSO’s new Guidance on Monitoring Internal Control Systems comes into play.
The new COSO Guidance for Monitoring Internal Control Systems recommends a comprehensive three-step model for proper monitoring of internal control systems. The three steps are as follows:
- Establishing a foundation for monitoring, which includes:
  - Establishing a proper tone at the top (management) regarding the importance of internal control monitoring
  - An organizational structure that considers the roles of management and the board in regard to monitoring, as well as the use of evaluators with appropriate capability, objectivity, and authority
  - Creating a baseline understanding of internal control effectiveness
- Designing and executing monitoring procedures that evaluate important controls over meaningful risks to organizational objectives. This is the core of effective and efficient monitoring, and the process involves:
  - Understanding and prioritizing risks to organizational objectives
  - Identifying key controls across the internal control system that address those prioritized risks
  - Identifying information that will persuasively indicate whether the internal control system is operating effectively
  - Developing and implementing cost-effective procedures to evaluate that persuasive information
- Assessing and reporting results of monitoring to either confirm previously established expectations about the effectiveness of internal control or to identify deficiencies for corrective action. This includes:
  - Prioritizing findings
  - Reporting results to the appropriate level
  - Following up on corrective action
If run correctly, an effective monitoring model, like the one above, can provide a wide range of benefits for its users, some of which include:
- Promptly identifying new risks and putting the correct controls in place to mitigate those risks
- Producing more accurate and reliable financial and non-financial information
- Identifying and correcting organizational inefficiencies
- Taking credit for good monitoring where it exists, thus possibly reducing audit fees
For more information, a free introduction to this new guidance can be obtained on COSO's website: http://www.coso.org/GuidanceonMonitoring.htm