Guest Post by Ronald Kral, MBA, CPA, CMA
Managing Partner of Candela Solutions LLC

All organizations use some form and degree of monitoring in reaching strategic, operational, reporting and compliance objectives. Yet, many organizations do not fully leverage the power of monitoring in reaching objectives or in supporting their regulatory control assessments. This article explores monitoring in an effort to reap the benefits of cost-efficient and effective control systems.

The relevancy today is especially vivid considering the increase in modified or qualified external audit opinions pertaining to “going concerns”. While a company’s ability to continue functioning as a business entity relates primarily to operational objectives, it is achieved in large part through sound controls. Monitoring is a necessary component of the internal control process.

COSO’s Monitoring Guidance
The Committee of Sponsoring Organization of the Treadway Commission (COSO) released Guidance on Monitoring Internal Control Systems in January, 2009.  This is a resource worthy of any internal auditor’s, director’s, or manager’s library. It provides practical guidance and examples on how monitoring can be incorporated into an organization’s internal control process. The guidance does not change the original Internal Control – Integrated Framework issued by COSO in 1992. This original COSO Framework and subsequent guidance defines monitoring as two related principles:

1.    Ongoing Monitoring Activities:  These are geared towards monitoring the effectiveness of controls over the ordinary course of operations and includes:

• management activities
• supervisory activities
• comparisons
• reconciliations
• other routine actions including automated tools

2.    Separate Evaluations:  Periodic efforts to verify the effectiveness of controls through evaluation other than the ordinary course of operations. This often provides a “fresh look” and is also a means to consider the effectiveness of ongoing monitoring activities. Examples include special reviews triggered by the board of directors and evaluations performed by internal audit.

In addition to internally driven evaluations, organizations may be subject to external evaluation requirements performed by external auditors, regulators, and financial institutions. For these more highly regulated organizations, companies can often leverage their internal monitoring efforts when there is a healthy degree of internal independence. Separate evaluations typically lend themselves to greater independence by definition. Companies are also well advised to ensure that internal evaluators are competent and objective to heighten the probability that this work can be used by external evaluators.

Balance and Some Degree of Independence Counts
Without monitoring it is not possible to conclude if controls are operating effectively. Remember that a control is simply a policy, procedure, or activity within a process to accomplish an objective. A key message of COSO’s Guidance on Monitoring Internal Control Systems is to “build-in” controls versus relying too heavily on “add-on” controls. The concept of building-in controls directly relates to ongoing monitoring activities since they are ingrained into the daily activities of a company through management and supervision. These control activities are typically the first opportunity to identify and correct control deficiencies.

This front-line of defense against errors, fraud, and shortcomings in reaching objectives must be reinforced through clear accountabilities and consequences. A culture of strong management and supervisory controls is essential in the ultimate outcome of successfully reaching objectives. Even if an organization is highly reliant on automated controls, it is people who must interpret the results of the automated controls. Automated controls should be widely used as they can be very powerful in helping managers and supervisors monitor outcomes to best make timely decisions.

Organizations need to have a healthy balance of both ongoing controls and separate evaluations. Separate evaluations are mostly “add-on” activities since they occur outside the ordinary course of operations. They generally detect control breakdowns well after ongoing monitoring activities and can be resource intensive. However, they are also typically performed with a higher degree of objectivity when performed by persons who are outside the business unit. With supervisory controls there is a heightened risk of bias through the development of personal friendships and pressures to protect the business unit’s image. Business units are naturally concerned about how they are perceived outside their unit and this is why you want diversification with your monitoring activities. Separate evaluations can pay huge dividends by providing a fresh-independent look at the effectiveness of controls, including ongoing monitoring controls.

The Perception of Detection
The notion of consequences is very important. If people sense that their mistakes, performance shortcomings, or even worse – fraud, will not be detected; there is a heightened risk of control breakdown. They simply feel they will not get caught so they rationalize that becoming lazy, making errors, or committing fraud will go unnoticed. Without detection, there can be no consequences. This is one of the most fundamental desired characteristics of a healthy control environment. However, some cultures can go too far in creating an atmosphere of paranoia and going overboard on costs that have a diminishing level of returns in terms of control benefits.

To foster a good equilibrium of “perception of detection” in the culture, here are some suggestions:

• Implement a fraud hotline, including an anonymous reporting component.
• Provide periodic training of board members, management and supervisors on objectives and relating controls.
• Craft and implement a comprehensive corporate compliance program that spells out roles, accountabilities and consequences.
• Reinforce the corporate compliance program through a formal performance evaluation process to reward positive outcomes and correct negative results.
• Communicate a code of conduct that is simple to read and understand to all directors and employees.  Also consider a code of conduct for certain external stakeholders, such as vendors.
• Verify compliance to controls through a healthy balance of supervision and internal auditing.

And finally, let’s not forget the role of the board. Since the risk of management circumvention of controls is generally very high, there absolutely must be some form of executive monitoring at the board level.  This does not mean that directors need to actually be conducting the monitoring activities themselves, but rather that they direct activities through an internal audit function that does not report to management. It may also make sense to bring in a third-party evaluator, such as a second CPA firm, for high risk and sensitive areas when independence is either compromised or simply is elusive due to the organizational structure. After all, it is ultimately on the board’s shoulders to ensure that proper monitoring is indeed in place and working to protect shareholder interests.

Ronald Kral is the Managing Partner of Candela Solutions. Ron is also the Lead Partner of the Firm’s SEC Compliance Practice and is available to address inquiries.  He can be reached at [email protected].

© 2010 Candela Solutions LLC, One South Pinckney, Suite 310, Madison, WI 53703.