Strong, effective internal controls are crucial to developing an efficient operating environment that drives business growth. Good internal control activities can help organizations deliver value to stakeholders and achieve strategic objectives, while also assuring compliance with applicable laws, regulations, and industry best practices.
This guide will take a deeper look into internal controls monitoring, along with suggestions for how to make the process easier.
What Is Internal Control Monitoring?
Internal control monitoring involves organizations (and third parties) performing ongoing evaluations to determine whether internal controls are operating as intended. Monitoring activities also communicate any deficiencies to the relevant authorities promptly to enforce timely corrective action.
What Are the Five Components of Internal Control?
Internal control isn’t a single event. Rather, it is a series of ongoing actions and activities occurring throughout operations. It comprises the following five interrelated components:
Control Environment
An organization’s control environment sets the attitude toward internal control adopted by management and employees. Although the control environment is an intangible thing, it provides discipline and structure, and encompasses ethical commitment and technical competence. Hence it serves as the foundation of all other components of internal control.
Risk Assessment
Risk refers to any event that can prevent an organization from achieving its objectives. Risk assessment is the process of identifying and evaluating risks (both internal and external) and deciding how to respond to them. Based on the results, management has to decide whether to accept the risk, reduce the risk to acceptable levels, or eliminate the risk altogether.
Control Activities
Control activities are manual and automated tasks that help to assure risk responses are carried out effectively. Control activities include policies and procedures, authorization, approval, verification, security over assets, and segregation of duties. These activities take place across an organization (at all levels and in all functions) and minimize or prevent risks that impede the accomplishment of the organization’s objective and mission.
Information and Communication
An organization’s control structure should capture and exchange information about risk within the organization and with external third parties. It’s also critical that all information be communicated in a timely and accurate manner.
Monitoring
Monitoring involves evaluating the effectiveness of an organization’s internal control over a specific time period, to assure that internal controls continue to operate effectively. Monitoring is effective when it leads to the identification and correction of control weaknesses before those weaknesses materially affect the achievement of the organization’s objectives.
Why Is Monitoring Internal Controls Important?
Monitoring internal controls helps an organization to achieve its strategic, operating, compliance, and reporting objectives. When monitoring is designed and implemented accurately, organizations find it easier to:
- Protect the effectiveness and efficiency of operations
- Identify and correct internal control problems on a timely basis
- Prepare reliable and accurate financial statements
- Assure compliance with applicable laws and regulations
In a nutshell, monitoring internal controls gives an organization’s leadership teams greater peace of mind: they know everything is operating as intended without having to oversee every aspect of the organization.
How to Apply COSO Guidance to Internal Control Monitoring
The monitoring guidance from COSO (the Committee of Sponsoring Organizations) is built on two fundamental principles:
- “Ongoing and/or separate evaluations enable management to determine whether the other components of internal control continue to function over time, and,
- Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.”
To apply these principles through monitoring and to have an effective internal control review system in place, organizations need to implement the following three broad elements:
- Establish a foundation for monitoring. This involves having a control-conscious attitude at the top (that is, a strong control environment), complete with an effective organizational structure where monitoring roles are assigned to people with appropriate capabilities, objectivity, and authority. Having a starting point from which ongoing monitoring and effective evaluations can be implemented is critical.
- Design and execute monitoring procedures. All procedures should be focused on persuasive information concerning the operation of key controls that address critical risks to organizational objectives.
- Assess and report results. This includes carefully evaluating the severity of all identified deficiencies and then reporting the monitoring results to the appropriate authority and board for timely action and follow-up as needed.
Actionable Tips for Internal Controls Monitoring
Let’s look at a few tips to help you improve your organization’s internal control environment and assure better outcomes:
- Thoroughly assess potential risks that threaten the organization’s ability to achieve its business objectives or service commitments. These can be identified through monitoring control activities carried out by the organization or a formal risk assessment.
- Identify new controls or figure out how to modify existing control activities to mitigate the risks.
- Design and communicate control changes to the personnel responsible for implementing, carrying out, and reviewing the related control activities.
- Implement the control changes effectively. Document the changes that are made.
- Carefully monitor the organization’s control activities. This helps to determine the effectiveness of their operation and the outcomes of their execution.
What’s the Difference Between Preventive and Detective Controls?
Internal controls can be categorized as either preventive or detective. Let’s take a look at the differences between these two types:
- Preventive controls. These controls help to prevent errors or irregularities from occurring in the first place. They are directly built into internal control systems. Although these controls do involve a significant effort in the initial design and implementation stage, they don’t require significant ongoing investments.
- Detective controls. These controls detect errors and irregularities that have already taken place, and assure prompt correction. Unlike preventive controls, detective controls are a continuous operating expense, and hence they’re more expensive. But they are necessary, since detective controls supply the means to correct data errors, modify controls, or recover missing assets.
How Do Internal Controls Monitoring and Auditing Work Together?
The best way to explain the relationship between internal control and internal audit is to consider the Three Lines Model published by the Institute of Internal Auditors.
Internal controls are the responsibility of management, and internal controls reside in the First and Second lines (that is, in operating units and in certain management functions such as finance or accounting).
On the other hand, internal audit is part of the Third Line, which involves assessing the effectiveness of the first (Operational Management Functions) and second (Risk and Compliance Management Functions) lines of defense.
Additionally, internal audit should report directly to the board of directors, and specifically to the audit committee, to maintain independence and objectivity when evaluating other company functions that operate at the first two lines of defense.
Together, internal audit and internal control are designed to provide reasonable assurance that overall established objectives and goals are met efficiently. Both should exist in some form in every organization, regardless of size and complexity.
Tools for Monitoring Internal Control
Here are the main categories of tools that make the monitoring of internal controls thorough, effective, and seamless:
- Communication and collaboration tools to set up audit trails and documentation, such as email, instant messaging, webcast conferences, and virtual teamwork spaces.
- Security-focused generic tools that supply finely detailed analyses for segregation of duties, antivirus protection, intrusion detection, encryption, and firewall implementation, among other components.
- Regulatory and technical reference tools that provide a strong environment for obtaining accurate and up-to-date regulatory information concerning an organization.
- Document management and workflow tools to monitor workflows and processes to make them more event-driven and simpler to manage.
- Data mining, file retrieval, pattern recognition, and business intelligence tools to collect data from other systems and organize and analyze it.
- Business performance management and real-time compliance tools to provide management with real-time, enterprise-wide data.
Reciprocity’s ZenGRC simplifies and improves the accuracy of the risk management process, which helps support internal controls. Organizations can use it to regularly monitor the effectiveness of their internal control and expose and eliminate internal control weaknesses.