Sunday, June 3, 2018

Communications and Information

     As part of any evaluation of internal controls, there is a need to understand these information and communication flows or processes in the enterprise.

     An enterprise needs information at all levels to achieve its operational, financial, and compliance objectives. For example, the enterprise needs information to prepare financial reports that are communicated to outside investors, as well as internal cost and external market preference information to make correct marketing decisions. This information must flow from the top levels of the enterprise down to lower levels, and information from the lower levels must flow back to upper levels. COSO internal controls also emphasize the importance of keeping information and supporting systems consistent with overall enterprise needs.

Monitoring
     The pyramid view of COSO internal controls in Exhibit 4.2 shows the monitoring component as the capstone, upper level of the COSO internal control components. While internal control systems will work effectively with proper support from management, control procedures, and both information and communication linkages, processes must be in place to monitor these activities. Monitoring has long been the role of IT and other internal auditors, who perform reviews to assess compliance with established procedures; however, COSO internal controls now take a broader view of monitoring as well and recognize that control procedures and other systems change over time.

      COSO gives examples of this important component of internal control:
• Normal operating management functions
• Communications from external parties
• Enterprise structure and supervisory activities
• Physical inventories and asset reconciliation

INTERNAL CONTROL EVALUATION PROCESS
      The COSO internal control guidance materials outline an evaluation process for reviewing internal controls. An evaluator should first develop an understanding of the system design, next test key controls, and then develop conclusions based on the test results.

     COSO internal controls also mention benchmarking as an alternative approach. Benchmarking is the process of comparing an enterprise’s processes and control procedures with those of peer enterprises.

      COSO internal controls recognize that many highly effective procedures are informal and undocumented. Many of these undocumented controls, however, can be tested and evaluated in the same manner as documented ones. While an appropriate level of documentation makes any evaluation of internal control more efficient and facilitates employees’ understanding of how the process works, that documentation is not always essential.

REPORTING INTERNAL CONTROL DEFICIENCIES
     Whether internal control deficiencies are identified through processes in the internal control system itself, through monitoring activities, or other external events, they should be reported to appropriate levels of enterprise management. The key question for any internal controls evaluator is to determine what should be reported given the large body of details that may be encountered, and to whom the reports should be directed. COSO internal controls state that “all internal control deficiencies that can affect the entity’s attaining its objectives should be reported to those who can take necessary action.”

Other Dimensions of the COSO Internal Control Framework
 The COSO internal control framework is a three-dimensional model, as shown in Exhibit 4.1.
1. Effectiveness and efficiency of operations.
2. Reliability of financial reporting.
3. Compliance with applicable laws and regulations.

COSO INTERNAL CONTROL SYSTEMS MONITORING GUIDANCE 
     This guidance on monitoring internal systems suggests that enterprises implement internal control monitoring processes similar to the manner in which a manufacturing organization monitors the continued effectiveness and efficiency of its manufacturing procedures. 
     
     The materials suggest that enterprises establish a four-phase monitoring process as shown in Exhibit 4.3. This four-stage approach says that the enterprise should first prioritize and understand the risks to its organizational objectives, and then identify the controls that address those prioritized risks. The third step is the identification of information that will persuasively indicate that the internal control system is operating effectively. 

     The suggested model calls for implementing cost-effective procedures to evaluate the information gathered through monitoring processes.

COSO Monitoring Design and Implementation Process
