As advanced as an Internal Control Plan can be, it is not self-sustaining. Independent and/or ongoing evaluations are required to determine if each component is functioning effectively, and to allow deficiencies to be addressed in a timely manner.
Monitoring is the process of comparing what you would expect to what actually happens. Within the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, that takes place in three stages:
- Set the tone from the top – The ways in which an executive board and management demonstrate their perspective on monitoring will directly impact the degree of its effectiveness.
- Organization structure – Management, senior management and board members will have different roles and responsibilities in monitoring; outside parties may also be consulted for impartial reviews.
- Baseline understanding of internal control effectiveness – Knowledge and support for an organization’s objectives will make the monitoring process more effective and efficient.
- Prioritize risks – Identify which are significant enough to warrant control monitoring.
- Identify controls – Those that are key in determining the system’s effectiveness.
- Identify persuasive information about controls – Details that indicate whether the controls are functioning as initially designed.
- Implement monitoring procedures – Persuasive information enables the type and frequency of monitoring to be determined.
- Prioritize findings – Based on likelihood of error, compensating controls, impact on objectives, etc.
- Report results to the appropriate level – Internal or external reporting depending upon severity of deficiency and how widespread the impact.
- Follow up on corrective action – Ensure recommendations are implemented by the established deadline.
1. Establish A Foundation
2. Design and Execute
3. Assess and Report
Let’s take a look at a company that was experiencing inventory shrinkage, as an example. The company’s inventory controls identified product was missing but not how it was disappearing. The company designed and installed a key system and surveillance camera in its warehouse as a control activity. Subsequent to the installation the company assessed and reported that the loss of inventory was eliminated, indicating the implementation of this control activity was effective. If the shrink problem had not been eliminated or reduced, the process would be modified with a redesigned control activity.
Internal control systems typically become inadequate for one of two reasons:
- The risks environment changes and associated controls are not adjusted accordingly;
- Risks are no longer sufficiently mitigated or managed due to internal control system changes.
The message here is to pay extra attention to your internal controls when significant change is occurring at your company. Mergers, significant expansion, reductions in your workforce and industry disruptions are examples of types of changes when risk controls rise. Installing new systems and large scale procedural alterations are examples of internal control changes that can create more risk in your business.
Running your company is like running a fine-tuned engine. When you’ve invested in the best components, processes and products, taking the time to follow up with regular maintenance is simply maximizing its potential. It will not only save you time and money, it will also ensure optimum performance that may take you further than you imagined possible.