COSO was adopted in 1992 as a framework for basis to design and then test the effectiveness of internal controls. In 2010, it was deemed necessary to update this framework, to provide a more supportable approach when adversarial third parties challenged whether a company has effective internal controls (such as the SEC). While the COSO 2013 Internal Controls Framework is designed for financial controls, I believe that the SEC will use this to review a company’s compliance internal controls. Over this five-part series, I have been exploring the five COSO Objectives and how they relate to best practices compliance program. Today, I conclude with a discussion on Objective V, Monitoring Activities.
The Framework Volume says:
Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate.
However, as with all other components of the COSO Cube, Monitoring Activities are part of an inter-related whole and cannot be taken singularly. Rittenberg states this objective “applies to all five components of internal control, and the nature of monitoring should fit the organization, its dependence on IT, and the effectiveness of monitoring providing relevant feedback on the other components, including the effectiveness of control activities.” For the CCO or compliance practitioner, Monitoring Activities has been growing in importance over the past few years and will continue to do so in the future as is reinforced in the COSO 2013 Internal Controls Framework.
In a 2014 Corporate Compliance Insights article, entitled “Implementing COSO’s 2013: 10 Questions that Need to be Answered”, Ron Kral explained it is important to “ensure that adequate controls are ‘present’ in support of all relevant principles and the components before launching into efforts to prove that the controls are “functioning.” Remember that all relevant principles must be present and functioning for a company to safely conclude that their ICFR is effective. Aligning the design of controls to the 17 principles to see any gaps early in the implementation process will help ensure adequate time to remediate and test for operating effectiveness.” The same is equally, if not more so, true for your company’s compliance function.
The Monitoring Activities objective consists of two principles: 1) The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning; and 2) the organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the Board of Directors, as appropriate.
Principle 16: Ongoing evaluation. Rittenberg stresses that this Principle requires that “Monitoring should include ongoing or ‘continuous monitoring’ whenever such monitoring is reliable, timely and cost-effective.” The reason is simple; they are complementary tools to test the effectiveness of your compliance regime. The same is true of internal controls. But this Principle clearly expects your organization to engage in both types of oversight, that being monitoring and auditing.
For the CCO or compliance practitioner, there are several different areas and concepts you will need to consider going forward. A current risk assessment or other evaluation of business changes should be considered based upon some type of baseline understanding of your underlying compliance risk. Whatever you select it will need to be integrated with your ongoing business processes, adjusted as appropriate through ongoing risk assessments and objectively evaluated.
Principle 17: Evaluation and communication of deficiencies. This final Principle speaks to deficiencies and their correction. Rittenberg notes it requires a determination of what might constitute a deficiency in your internal control, who in your company is responsible for “taking corrective action and whether there is evidence that the corrective action was taken.” If that does not sound like McNulty Maxim No. 3 What did you do when you found out about it? I do not know what does.
For this Principle, the CCO will need to take timely and determined action to correct any deficiencies which might appear in your compliance regime. It will require you to assess results, communicate the deficiencies up the chain to the Board or Compliance Committee, correct and then monitor the corrective action going forward. I would urge that every key internal compliance control in support of the 17 Principles should, as noted by Kral, be reviewed “by management in terms of their adequacy of design and operating efficiency.”
Discussion. Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running properly. Both ongoing monitoring and auditing are tools the CCO and compliance practitioner should use in support of this objective. Near the end of his section on this objective, Rittenberg states, “Monitoring is a key component of the internal control framework because effective monitoring a) recognizes the dynamics of change within an organization, and b) provides the basis for corrective action on a timely basis.” I would add that it allows you to evaluate the effectiveness of that corrective action as well.
The most important item to note is that all the controls need to be sustainable. You cannot just build one-off controls and not have a process in place to help you monitor all the controls that you need to cover. Controls cannot just be a one and done. Many companies are going to find that their initial approach to all of this is one and done.
There must also be a mechanism in place for the communication of controls which do not work or can readily be over-ridden. From there, you must be able to remediate your controls going forward. This will align with the compliance professional’s requirement to prevent, detect and remediate going forward.
I hope you have enjoyed this special five-part series on the COSO Framework for Internal Controls and how it lays out for a compliance program. For more detailed information about the COSO Framework specifically and internal controls more generally, check out The Compliance Handbook, 2nd edition which is available for presale purchase. Use the code FOX25 and go here. The Compliance Handbook 2nd edition will be available in both print and eBook editions.