Guidance on Monitoring Internal Control Systems
In January 2009, COSO issued Guidance on Monitoring Internal Control Systems. This publication was intended to provide in-depth input on how to apply the monitoring component of the original COSO framework. It is essential for all parties working with internal control to understand how a monitoring framework and foundation can improve the effectiveness of business processes.
Internal control processes have raised questions and issues since the creation of the Sarbanes-Oxley Act of 2002. Management is required to assess internal control systems and provide quarterly certifications. Further, external auditors are required to audit management’s assessment in conjunction with an audit of the financial statements. The framework for establishing internal control systems was developed by COSO (the Committee of Sponsoring Organizations of the Treadway Commission). The original framework, Internal Control – Integrated Framework, was introduced in 1992 and clarified with the issuance of guidance for smaller companies in 2006.
Monitoring of internal control is performed through application of both ongoing evaluations and separate evaluations. These evaluations ascertain whether other components of internal control continue to function as designed and intended. In addition, these evaluations facilitate identification of internal control deficiencies and communicate them to appropriate officials responsible for taking corrective action. More serious deficiencies are communicated to higher levels of management and to the board of directors when appropriate.
Business risks change over time. The internal control system needs to be capable of determining that the controls in place are relevant and effective in addressing new risks. A monitoring process must be capable of addressing the need for revisions in the design of controls based on changing risk. Effective internal control systems must be capable of containing risks at an acceptable level to ensure effective and efficient operations on an ongoing basis.
Monitoring is a process of assessing risks linked to achieving operational objectives. The COSO model requires establishing a monitoring foundation consisting of procedures for evaluating risks. Monitoring activities include assessment of controls and reporting the results of the assessment together with any required corrective action steps.