COSO's new guidance for monitoring internal control: a new COSO publication is designed to leverage the monitoring function to make internal control more efficient and effective.
Since then, its five sponsoring organizations--Financial Executives International, American Institute of Certified Public Accountants, American Accounting Association, The Institute of Internal Auditors and the Institute of Management Accountants--have continued to meet on a regular basis to develop guidance and further the organization's work.
The Internal Control--Integrated Framework, published by COSO in 1992, is the central internal-control framework in the United States, and has been translated into several languages. The framework emphasizes, but is not limited to, internal control over financial reporting. COSO has also published separate guidance on Enterprise Risk Management (2004) and Guidance for Smaller Public Companies (2006).
New Guidance on Monitoring
At press time, COSO was preparing to publish its final Guidance on Monitoring Internal Control Systems. Monitoring is one of the five core components of COSO's internal-control framework, which consists of: Control Environment (including Tone at the Top); Risk Assessment; Control Activities; Monitoring; and Information and Communication. The major tenets of COSO's new monitoring guidance are shown in the figure, "A Model for Monitoring" on the following page.
R. Trent Gazzaway, Grant Thornton's managing partner, Corporate Governance, who led development of the COSO project, explains the new monitoring material: "We designed the guidance to help companies recognize and take credit for good monitoring where it exists (thus reducing possibly unnecessary control testing); and implement good monitoring where it might be lacking.
"If either or both of these objectives are achieved, then companies will recognize improvements in both effectiveness and efficiency."
Likewise, he adds, "auditors should be able to perform [the] most cost-effective audits when they see the results of effective monitoring."
One point raised in the monitoring guidance--which was the subject of much dialogue within the COSO task force--concerned the use, and specifically the level of "persuasiveness," of direct versus indirect information. Direct information confirms whether a control is operating effectively.
Gazzaway says the team saw two opposing weaknesses in the way indirect information, in particular, was being used in monitoring. Some companies, he notes, were placing too much reliance over too long a period of time on indirect information like budget-to-actual comparisons and key performance indicators.
"As a consequence, small errors were allowed to fester under the radar screen until they became material." In fact, he adds, "in many cases the indirect information looked normal entirely because the underlying internal controls were broken."
Secondly, continues Gazzaway, certain companies were not taking advantage of indirect information as much as they could. Using indirect information along with direct information can improve the efficiency of monitoring. It may also enable an organization to identify control deficiencies earlier. "We wanted to help companies strike a right balance in the use of both direct and indirect information."
A Model for Monitoring

Establish a Foundation
* Tone from the top
* Organizational structure
* Baseline understanding of internal control effectiveness

Design & Execute
* Prioritize risks
* Identify controls
* Identify persuasive information about controls
* Implement monitoring procedures

Assess & Report
* Prioritize findings
* Report results to the appropriate level
* Follow up on corrective action

Supported Conclusions Regarding Control Effectiveness

Source: COSO
FEI's representative on the COSO board is FEI past-President and CEO Michael P. Cangemi, who's been studying internal control his entire career. He says monitoring is "very important, since it could possibly reduce the extent of year-end audits."
This study, Cangemi says, provides "an opportunity to, over time, and with the use of computers, replace the historical backward-looking audit model and evolve to a more continuous audit model."
Auditing closer to real time, he notes, provides "new opportunities for efficiencies."
Impact on Smaller Firms
How will the new COSO guidance impact small public companies? FEI Task Force on Monitoring Chair Richard D. Brounstein, chief financial officer of New Cardio Inc.--who served on the U.S. Securities and Exchange Commission Advisory Committee on Smaller Public Companies--says the guidance is scalable from a conceptual point of view. (He's also FEI's member representative on COSO's project task force.)
Brounstein believes COSO has tried to avoid bright lines where possible. For example, it's not always possible for companies to employ separate internal audit departments or to have as much separation of duty as in larger companies with more employees, he explains.
"The guidance tries to be flexible in focusing on the need to consider the level of objectivity of those charged with monitoring, and to weigh the persuasiveness of their findings accordingly, in combination with other forms of direct and indirect information with a risk-based focus," says Brounstein.
He also believes the guidance can be a useful tool in generating discussion between chief financial officers, audit committees and the firm's outside auditor.
For example, there are tradeoffs in terms of how much the auditor can rely on that work in considering the most cost-effective balance of resources to fulfill the company's and auditor's duties under the securities laws and the Sarbanes-Oxley Act. "This will become particularly pertinent when nonaccelerated filers become subject to the 404(b) audit requirement," Brounstein opines.
COSO Future Projects
COSO has been undergoing a strategic-planning process to formulate its future direction. When meeting in December with the presidents of the five sponsoring organizations, the board presented the organization's overall goals and sought feedback.
Chief among COSO's areas of focus is its role as a thought leader in internal control. In the interest of global harmonization, it is considering outreach to other organizations in the U.S. and abroad in the area of internal control as well as risk management and fraud.
A Collaborative Process
The new guidance on monitoring is just one example of the collaborative process COSO has successfully used over the years.
The process utilizes the expertise of the membership of its five sponsoring organizations. It draws on the knowledge and experience of its board, as well as on a broader project task force with representatives of the five organizations and additional experts.
COSO has also utilized an audit firm to do the "heavy lifting" in developing its guidance, under the oversight of its project task forces and board. The 1992, 2004 and 2006 guidance cited above was led by a project team from Coopers & Lybrand (later, PricewaterhouseCoopers); the current project on monitoring is led by a project team from Grant Thornton LLP, which is headed by Gazzaway.
Overseeing the project is COSO's board, including its chairman, Larry R. Rittenberg, a professor at the University of Wisconsin.
EDITH ORENSTEIN (firstname.lastname@example.org) is director, Technical Policy Analysis, for FEI.
RELATED ARTICLE: Key Points in Monitoring
The following 10 general principles may be helpful in determining how best to utilize COSO's Monitoring Guidance:
1. Organizations should follow a systematic process in determining "what" and "how" to monitor.
2. Monitoring considers how the entire internal control system addresses meaningful risks, not how individual control activities operate in isolation.
3. The board has important oversight responsibilities in monitoring internal control (especially the controls that relate to ensuring a strong tone from the top) and in mitigating the risk of management override.
4. A baseline understanding of internal control design and operating effectiveness serves as a good starting point for implementing monitoring procedures that are both effective and efficient.
5. Determining what to monitor should be influenced by:
a. The significance and likelihood of the underlying risk;
b. The nature of the controls that are designed to manage or mitigate the risk; and
c. The persuasiveness of the information needed to conclude whether the identified controls are operating effectively.
6. Organizations should consider using ongoing monitoring, when feasible, over separate evaluations where the risks and availability of information merit such an approach.
7. Effective monitoring relies on the development of persuasive information about the continued operation of controls or control elements, as evaluated by an appropriately competent and objective evaluator.
8. Management must be enabled and expected to exercise reasonable judgment in determining the optimal approach to monitoring.
9. Monitoring generally includes the use of both direct and indirect information. However, indirect information can be used only for a finite period of time without some direct information supporting a conclusion that the underlying control is operating.
10. Identified control deficiencies should be:
a. Evaluated as to their severity;
b. Reported to appropriate personnel; and
c. Considered for corrective action.
Source: COSO draft, Dec. 2008
Watch for COSO's new monitoring guidance on its Web site, www.coso.org, and related news postings on FEI's Web site: www.financialexecutives.org.
|Title Annotation:||REGULATION; committee of sponsoring organizations|
|Date:||Jan 1, 2009|