
An Overview: COSO's Guidance on Monitoring Internal Controls

Doug Steele
Partner, Specialty Advisory Services
February 17th, 2009

© Grant Thornton LLP. All rights reserved.


Three legs to the "404-improvement" stool

Value to companies through improved use of monitoring
Value to auditors through ability to focus on good monitoring controls

• COSO's Guidance on Monitoring
• SEC's Guidance (for mgmt)
• PCAOB's AS5 (for auditors)

Separate but consistent

COSO's monitoring project
Overview

started project in January 2007

participants:
• core team 7
• review team 4
• COSO board 7
• COSO taskforce 15
• SEC/PCAOB observers 2
total 35



Overview of COSO's monitoring project

"Monitoring ensures that internal control continues to operate effectively."
–1992 COSO Framework, Chapter 6

What's the problem?

• not recognizing good monitoring
• not implementing good monitoring

Example: recognizing the value of monitoring

Let's look at a simple example of the concept.


assume:
• a reconciliation control is deemed important to financial reporting
• the supervisor of the area performs an appropriately detailed review of the reconciliation each time it is prepared

Example: recognizing the value of monitoring

simple example (cont'd)


the supervisor's review accomplishes two things:
• tells him or her whether the control is working
• encourages continued effective operation of the control



Example: recognizing the value of monitoring

How do we often deal with this risk in today's 404 environment?

1. Perform Reconciliation
2. Review Reconciliation

Management's 404 Process:
3. Test the Recon.
4. Test the Review

Auditor's 404 Audit Process:
5. Test the Recon.
6. Test the Review

Example: recognizing the value of monitoring

How might it be done better in a large organization?


1. Perform Reconciliation
2. Review Reconciliation

Management's Monitoring Process:
3. Test the Review
Any further testing of the reconciliation will start with lessons learned from testing the reconciliation review

Auditor's 404 Audit Process:
4a. Possibly Use the Work of Others
or
4b. Test the Review

Example: recognizing the value of monitoring

How might it be done better in a small organization?


1. Perform Reconciliation
2. Review Reconciliation

Management's Monitoring Process:
If the reconciliation review is performed at the senior-mgmt level, no further evaluation may be necessary

Auditor's 404 Audit Process:
3. Test the Review
Again, any further testing influenced by results from testing the reconciliation review

A model for monitoring



Establishing a foundation for monitoring

• tone from the top
• role of management and the board
• right people in monitoring roles
• baseline of effective internal control

Let's focus for a minute on the role of management and the board, and the baseline understanding of internal control effectiveness.



Effective Monitoring

1. Prioritize Risks: Understand and prioritize risks to organizational objectives
2. Identify Controls: Identify key controls across the internal control system that address those prioritized risks
3. Identify Information: Identify information that will persuasively indicate whether the internal control system is operating effectively
4. Implement Monitoring: Develop and implement cost-effective procedures to evaluate that persuasive information

1. Risk-based approach

Identify and Prioritize Risks
Meaningful Risk
Understand the Internal Control System
Identify Key Controls
Key Controls
Identify Persuasive Information
Persuasive Info
Develop Monitoring

2. Understand internal controls and identify key controls

• understand how the internal control system manages meaningful risks
• identify those controls that are "key"
– their failure is (a) reasonably possible, (b) material and (c) would not be detected by other controls, and/or
– their operation will catch other weaknesses before they can become material



Two important questions

• What information should the company evaluate? (Hint: it should be relevant, reliable and timely.)
• What procedures should it employ?
– ongoing monitoring
– separate evaluations



3. Identify persuasive information (with a focus here on relevance)

two types of relevant information:
• direct — clearly substantiates the operation of controls and is most relevant
• indirect — all other information that relates to the operation of controls and is less relevant than direct information

indirect information can help identify when controls fail, but does not provide absolute support that controls operated effectively

[Figure labels: Relevant; Reliable; Timely; Need Timely Info; Need Reliable Info; Need Relevant Info; Relevant, Reliable & Timely]

Proper balance of direct vs. indirect is risk dependent
[Figure: cases A, B and C showing combinations of Direct Info and Indirect Info]



4. Implement monitoring procedures

"An entity that perceives a need for frequent separate evaluations should focus on ways to enhance its ongoing monitoring activities and, thereby, to emphasize 'building in' versus 'adding on' controls."
–1992 COSO Framework, Chapter 6

Ongoing monitoring:
• often closer to operation of controls
• offers earliest opportunity to identify weaknesses

Separate evaluations:
• often more objective
• can revalidate results of ongoing monitoring

Putting it all together

Ongoing monitoring, Direct:
• Typically most persuasive
• Especially valuable in high-risk areas

Ongoing monitoring, Indirect:
• Can enhance monitoring efficiency
• Provides support to direct info

Separate evaluation, Direct:
• Primarily used to revalidate conclusions reached through ongoing monitoring

Separate evaluation, Indirect:
• Typically least persuasive
• Can help scope other SE procedures



Monitoring Approach vs. Control Importance



Questions/comments
