{"id":5119,"date":"2010-06-22T06:13:19","date_gmt":"2010-06-22T12:13:19","guid":{"rendered":"http:\/\/www.sequenceinc.com\/fraudfiles\/?p=5119"},"modified":"2010-11-14T22:06:05","modified_gmt":"2010-11-15T04:06:05","slug":"%e2%80%9cmonitoring%e2%80%9d-that-works","status":"publish","type":"post","link":"https:\/\/www.sequenceinc.com\/fraudfiles\/%e2%80%9cmonitoring%e2%80%9d-that-works\/","title":{"rendered":"\u201cMonitoring\u201d That Works"},"content":{"rendered":"<p><a href=\"http:\/\/www.candelasolutions.com\/cpa\/\"><img decoding=\"async\" class=\"lazyload alignright\" title=\"candela\" src=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27276%27%20height%3D%2792%27%20viewBox%3D%270%200%20276%2092%27%3E%3Crect%20width%3D%27276%27%20height%3D%2792%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-orig-src=\"https:\/\/www.sequenceinc.com\/fraudfiles\/wp-content\/uploads\/2010\/06\/candela.gif\" alt=\"\" width=\"276\" height=\"92\" \/><\/a>Guest Post by Ronald Kral, MBA, CPA,  CMA<br \/>\nManaging Partner of <a href=\"http:\/\/www.candelasolutions.com\/cpa\/\">Candela  Solutions LLC<br \/>\n<\/a><\/p>\n<p>All organizations use some form and degree of monitoring in reaching strategic, operational, reporting and compliance objectives. Yet, many organizations do not fully leverage the power of monitoring in reaching objectives or in supporting their regulatory control assessments. This article explores monitoring in an effort to reap the benefits of cost-efficient and effective control systems.<\/p>\n<p>The relevancy today is especially vivid considering the increase in modified or qualified external audit opinions pertaining to \u201cgoing concerns\u201d. While a company&#8217;s ability to continue functioning as a business entity relates primarily to operational objectives, it is achieved in large part through sound controls. 
Monitoring is a necessary component of the internal control process.<!--more--><\/p>\n<p><strong>COSO\u2019s Monitoring Guidance<br \/>\n<\/strong>The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released Guidance on Monitoring Internal Control Systems in January, 2009.\u00a0 This is a resource worthy of any internal auditor\u2019s, director\u2019s, or manager\u2019s library. It provides practical guidance and examples on how monitoring can be incorporated into an organization\u2019s internal control process. The guidance does not change the original Internal Control \u2013 Integrated Framework issued by COSO in 1992. This original COSO Framework and subsequent guidance define monitoring as two related principles:<\/p>\n<p>1.\u00a0\u00a0 \u00a0Ongoing Monitoring Activities:\u00a0 These are geared towards monitoring the effectiveness of controls over the ordinary course of operations and include:<\/p>\n<ul>\n<li>management activities<\/li>\n<li>supervisory activities<\/li>\n<li>comparisons<\/li>\n<li>reconciliations<\/li>\n<li>other routine actions including automated tools<\/li>\n<\/ul>\n<p>2.\u00a0\u00a0 \u00a0Separate Evaluations:\u00a0 Periodic efforts to verify the effectiveness of controls through evaluation other than the ordinary course of operations. This often provides a \u201cfresh look\u201d and is also a means to consider the effectiveness of ongoing monitoring activities. Examples include special reviews triggered by the board of directors and evaluations performed by internal audit.<\/p>\n<p>In addition to internally driven evaluations, organizations may be subject to external evaluation requirements performed by external auditors, regulators, and financial institutions. For these more highly regulated organizations, companies can often leverage their internal monitoring efforts when there is a healthy degree of internal independence. Separate evaluations typically lend themselves to greater independence by definition. 
Companies are also well advised to ensure that internal evaluators are competent and objective to heighten the probability that this work can be used by external evaluators.<\/p>\n<p><strong>Balance and Some Degree of Independence Counts<br \/>\n<\/strong>Without monitoring it is not possible to conclude if controls are operating effectively. Remember that a control is simply a policy, procedure, or activity within a process to accomplish an objective. A key message of COSO\u2019s Guidance on Monitoring Internal Control Systems is to \u201cbuild-in\u201d controls versus relying too heavily on \u201cadd-on\u201d controls. The concept of building-in controls directly relates to ongoing monitoring activities since they are ingrained into the daily activities of a company through management and supervision. These control activities are typically the first opportunity to identify and correct control deficiencies.<\/p>\n<p>This front-line of defense against errors, fraud, and shortcomings in reaching objectives must be reinforced through clear accountabilities and consequences. A culture of strong management and supervisory controls is essential in the ultimate outcome of successfully reaching objectives. Even if an organization is highly reliant on automated controls, it is people who must interpret the results of the automated controls. Automated controls should be widely used as they can be very powerful in helping managers and supervisors monitor outcomes to best make timely decisions.<\/p>\n<p>Organizations need to have a healthy balance of both ongoing controls and separate evaluations. Separate evaluations are mostly \u201cadd-on\u201d activities since they occur outside the ordinary course of operations. They generally detect control breakdowns well after ongoing monitoring activities and can be resource intensive. However, they are also typically performed with a higher degree of objectivity when performed by persons who are outside the business unit. 
With supervisory controls there is a heightened risk of bias through the development of personal friendships and pressures to protect the business unit\u2019s image. Business units are naturally concerned about how they are perceived outside their unit, and this is why you want diversification in your monitoring activities. Separate evaluations can pay huge dividends by providing a fresh, independent look at the effectiveness of controls, including ongoing monitoring controls.<\/p>\n<p><strong>The Perception of Detection<br \/>\n<\/strong>The notion of consequences is very important. If people sense that their mistakes, performance shortcomings, or even worse \u2013 fraud, will not be detected, there is a heightened risk of control breakdown. They simply feel they will not get caught, so they rationalize that becoming lazy, making errors, or committing fraud will go unnoticed. Without detection, there can be no consequences. This is one of the most fundamental desired characteristics of a healthy control environment. 
However, some cultures can go too far in creating an atmosphere of paranoia and going overboard on costs that have a diminishing level of returns in terms of control benefits.<\/p>\n<p>To foster a good equilibrium of \u201cperception of detection\u201d in the culture, here are some suggestions:<\/p>\n<ul>\n<li>Implement a fraud hotline, including an anonymous reporting component.<\/li>\n<li>Provide periodic training of board members, management and supervisors on objectives and related controls.<\/li>\n<li>Craft and implement a comprehensive corporate compliance program that spells out roles, accountabilities and consequences.<\/li>\n<li>Reinforce the corporate compliance program through a formal performance evaluation process to reward positive outcomes and correct negative results.<\/li>\n<li>Communicate a code of conduct that is simple to read and understand to all directors and employees.\u00a0 Also consider a code of conduct for certain external stakeholders, such as vendors.<\/li>\n<li>Verify compliance with controls through a healthy balance of supervision and internal auditing.<\/li>\n<\/ul>\n<p>And finally, let\u2019s not forget the role of the board. Since the risk of management circumvention of controls is generally very high, there absolutely must be some form of executive monitoring at the board level.\u00a0 This does not mean that directors need to actually be conducting the monitoring activities themselves, but rather that they direct activities through an internal audit function that does not report to management. It may also make sense to bring in a third-party evaluator, such as a second CPA firm, for high-risk and sensitive areas when independence is either compromised or is simply elusive due to the organizational structure. 
After all, it is ultimately on the board\u2019s shoulders to ensure that proper monitoring is indeed in place and working to protect shareholder interests.<\/p>\n<p><em>Ronald Kral is the Managing Partner of Candela Solutions. Ron is  also the Lead Partner of the Firm\u2019s SEC Compliance Practice and is  available to address inquiries.\u00a0 He can be reached at  rkral@CandelaSolutions.com.<\/p>\n<p><a href=\"http:\/\/www.candelasolutions.com\/cpa\/\">Candela Solutions  LLC<\/a> is a new breed of CPA firm building value for clients through  strong governance, risk management and compliance services. Visit our  website at www.CandelaSolutions.com for more information.<\/p>\n<p>\u00a9 2010 Candela Solutions LLC, One South Pinckney, Suite 310,  Madison, WI 53703. <\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Guest Post by Ronald Kral, MBA, CPA, CMA Managing Partner of Candela Solutions LLC All organizations use some form and degree of monitoring in reaching strategic, operational, reporting and compliance objectives. 
Yet, many organizations do not fully leverage the power [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[16],"tags":[],"class_list":["post-5119","post","type-post","status-publish","format-standard","hentry","category-auditing-regulations"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p6Z0e-1kz","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.sequenceinc.com\/fraudfiles\/wp-json\/wp\/v2\/posts\/5119","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sequenceinc.com\/fraudfiles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sequenceinc.com\/fraudfiles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sequenceinc.com\/fraudfiles\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sequenceinc.com\/fraudfiles\/wp-json\/wp\/v2\/comments?post=5119"}],"version-history":[{"count":0,"href":"https:\/\/www.sequenceinc.com\/fraudfiles\/wp-json\/wp\/v2\/posts\/5119\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.sequenceinc.com\/fraudfiles\/wp-json\/wp\/v2\/media?parent=5119"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sequenceinc.com\/fraudfiles\/wp-json\/wp\/v2\/categories?post=5119"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sequenceinc.com\/fraudfiles\/wp-json\/wp\/v2\/tags?post=5119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}