Вы находитесь на странице: 1из 3

Objectives addressed in the COSO Framework:

the effectiveness and efficiency of operations, the reliability of financial reporting, and
compliance with applicable laws and regulations.

The monitoring component helps ensure that the internal control system continues to operate
effectively, by providing value to the organization in three ways:
It enables management and the board to determine whether the internal control
system continues to operate effectively over time. Thus, it provides valuable support for
assertions about the internal control system’s effectiveness.
It improves the organization’s overall effectiveness and efficiency. Therefore, it helps
the organization identify and correct control deficiencies before they materially affect the
internal control system’s ability to achieve the organization’s objectives.
It promotes good control operation. When people who are responsible for internal
control know their work is subject to monitoring, they are more likely to perform their duties
properly.

The internal control is a process, effected by an entity’s board of directors, management and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives in
the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting, and
Compliance with applicable laws and regulations

Internal controls are developed (1) in response to one or more identified risks that affect the
achievement of organizational objectives, (2) within the context of an effective control environment,
and (3) with proper information and communication. The process includes:
1. Setting objectives,
2. Identifying risks to achieving those objectives,
3. Prioritizing those risks, and
4. Designing and implementing responses to the risks (e.g., internal control).

Meaningful risks are those that, in a given time frame, might reasonably have a consequential
effect on organizational objectives.

Management implements monitoring by:

1. Establishing a foundation for monitoring, including:

-A tone at the top that stresses the importance of monitoring,


-An effective organizational structure that considers the roles of management and the board in
regard to monitoring, and places people with appropriate capabilities, objectivity, authority and
resources in monitoring roles, and
-A baseline understanding of internal control effectiveness.

2. Designing and executing monitoring procedures that:

-Evaluate controls in areas of meaningful risk,


-Select appropriate controls for evaluation from across any or all of the five components,
-Identify information that will be persuasive in conclusions about control effectiveness
-Evaluate that information through a mix of ongoing monitoring and separate evaluations.

3. Assessing and reporting results in order to:


-Prioritize findings,
-Provide support at the appropriate organization level for conclusions regarding the
effectiveness of internal control, and
-Facilitate prompt corrective actions and follow-up where necessary.

For each objective and risk, the organization might identify locations, operations or
processes where manifestation of the risk could be material.
Risk factors to consider at this stage include:
 Nature of operations — The way an organization is structured and the characteristics of
its operations can influence the need for and conduct of monitoring. Such
characteristics might include, but are not limited to, transaction volumes, operational
complexity, dollar amounts involved, geography, degree of centralization, information
system complexity and existence of foreign operations.
 Changes in operations — Mergers, joint ventures, acquisitions, system changes,
personnel and other changes are indicators of increased risk.
 Environmental factors — The external environment can affect an organization’s viability
and increase the need to monitor certain internal controls. External risk examples include
competition, changes in the market (e.g., technology, supply chain, customer
base or economy), regulation, and areas with a heightened risk of litigation or loss.
 Susceptibility to theft or fraud — Some factors can increase the potential for theft or
fraud. Examples include: the presence of valuable assets (e.g., cash, trade secrets, fungible
goods); employee performance metrics that may provide an incentive to commit fraudulent
acts; and process or system designs that make theft or fraud possible through access to
systems, execution of unauthorized transactions and/or override of controls.

This key-control analysis can be facilitated by considering factors that increase the risk that
the internal control system will fail to properly manage or mitigate a given risk. These control risk
factors might include the following:
Complexity — Controls that require specialized skill or training typically are more
susceptible to failure than simple controls.
Judgment — Controls that require a high degree of judgment, such as controls over the
determination of valuation allowances, are highly dependent on the experience and
training of those responsible for the judgments and are often associated with
meaningful risks.
Manual vs. automated — Manual controls are more susceptible to human error than
automated controls and, as a result, are often subjected to different levels of
monitoring than automated controls (e.g., they may be evaluated more frequently or
employ larger sample sizes when sampling is performed). However, when automated
controls fail, they tend to fail repeatedly in the same circumstances and, therefore, need
to be subjected to an appropriate level of monitoring when they address meaningful
risks. The table on page 35 contains some additional guidance about monitoring manual
and automated controls.
Known control failures — Previous control failures are a clear indicator of the need to
increase monitoring activities until corrective actions have effectively addressed the
cause of the control failure.
Competence/experience of personnel — Lack of qualifications or experience in
performing a given control increases the likelihood of control failure.
Risk of management override — Controls that might be overridden by management for
purposes that are contrary to organizational objectives may warrant specific monitoring
attention.
Likelihood of control failure detection — Other controls within the internal control
system may reasonably be expected to detect a given control’s failure before it becomes
material, decreasing the need to identify the given control as key. Conversely, a
reasonable belief that a control’s failure may be material, and not detected and
corrected on a timely basis, increases the need to identify the control as key.
Suitable information is a broad concept that implies that information is useful within the
context for which it is intended. In order to be suitable, information must be relevant, reliable
and timely. Sufficiency is a measure of the quantity of information (i.e., whether the evaluator has
enough suitable information). Reliable information is accurate, verifiable and comes from an
objective source.

Channel stuffing is the business practice of inflating sales figures by pushing more goods
through a distribution channel than it has the capacity to sell or use. Revenues are improperly
inflated for a period, with the excess goods being returned to the company at a future date.

Ongoing monitoring procedures using both direct and indirect information are built into the
routine, recurring operating activities of an organization. They include regular management and
supervisory activities, peer comparisons and trend analysis using internal and external data,
reconciliations, and other routine actions. They might also include automated tools that
electronically evaluate controls and/or transactions.

Helpful attributes of monitoring:


Integrates with operations — Ongoing monitoring is built into the organization’s routine
operating activities.
Provides objective assessments — Ongoing monitoring and/or separate evaluations
provide an objective consideration of internal control effectiveness
Uses knowledgeable personnel — Evaluators understand the components being
evaluated and how those components relate to activities supporting the organization’s
objectives.
Considers feedback — Management and the board28 receive feedback on the
effectiveness of internal control.
Adjusts scope and frequency — Management varies the scope and frequency of
separate evaluations depending on the significance of risks being controlled, the nature of the
controls mitigating those risks and the effectiveness of ongoing monitoring .

Report findings — Findings of internal control deficiencies are reported (1) to the individual
who owns the process and related controls and who is in a position to take corrective actions, and
(2) to at least one level of management above the process owner.

If the organization uses direct information in monitoring those controls, independent auditors might
use the results of that monitoring to provide support for their audit conclusions. Conversely, if the
organization uses indirect information in monitoring the controls, independent auditors may need to
perform their own separate tests using direct information — possibly increasing the cost of the
audit. Thus, when designing its monitoring procedures, the organization might consider the overall
costs involved both in monitoring and in supporting any third-party evaluations.

The ultimate goal of monitoring is met when


organizations use the most efficient means possible to gather and evaluate appropriately
persuasive information about the effectiveness of the internal control system in addressing
meaningful risks to organizational objectives.

Вам также может понравиться