Identify surprises before it’s too late
By Christopher T. McKittrick
As a result of the financial crisis of the past year, a lot is being written and talked about on the subject of corporate governance, risk and compliance (GRC).
Much of this stems from the concern that corporate GRC structures failed to assure their organizations were ready to identify and react to the financial crisis (or any crisis) quickly and effectively. As can happen, making money over the prior few years may have served to cover a multitude of GRC sins and lead to some lackadaisical efforts in risk management. It is possible that relaxed approaches to risk management may even have extended all the way down to basic internal and accounting controls. Suddenly, the financial crisis served as the “slap in the face” to remind us that the focus on GRC fundamentals at all levels should never go out of style.
Transparency and renewed focus on reliability in business processes and financial reporting are coming back into style and are more important than ever. Addressing GRC efforts will help to bring back public confidence in boards' and managements' ability to effectively lead through uncharted territory. As events continue to unfold that cause strategies and directions to change quickly, sound risk management and internal control will be highly important. All entities must show they have the ability to better foresee events, assess the risks they face, and make preparations to respond appropriately. Ongoing challenging times require organizations to assure even more reliability in their processes and in the quality of their data.
It is highly likely that due to the economic turbulence of the past year, many internal controls have changed because of reductions and realignment in staffing levels and duties. Some business processes and internal controls probably are now out of date. These unidentified changes in processes and controls are pretty likely to lead to surprises. So management needs to take steps to reduce the possibility of unpleasant surprises and their related costs to be sure they are identified before it is too late to effectively address them.
Getting started
On Sept. 1, 2009, COSO (the Committee of Sponsoring Organizations of the Treadway Commission) took a step to remind boards of their important role in risk oversight by releasing another of its thought leadership papers. This one is entitled "Effective Enterprise Risk Oversight: The Role of the Board of Directors." (It can be downloaded at coso.org.) It stresses the key role of the board in monitoring an organization’s enterprise risk management (ERM) by pointing to “four areas that contribute to board oversight with regard to enterprise risk management”:
- Understand the entity’s risk philosophy and concur with the entity’s risk appetite.
- Know the extent to which management has established effective enterprise risk management of the organization.
- Review the entity’s portfolio of risk and consider it against the entity’s risk appetite.
- Be apprised of the most significant risks and whether management is responding appropriately.
This Enterprise Risk Oversight reminder from COSO is another example of how COSO consistently develops guidance for organizations to help ensure the effectiveness of financial, operational, and compliance-related internal controls. There is little question that GRC needs to be addressed in ways that seek to avoid missing blind spots that could threaten future growth and financial stability -- both strategically and operationally. Both boards and executive management (in both public and private organizations) could stand to re-evaluate their risk management processes and policies.
One way to do this and to follow through on this recent COSO guidance may be for organizations to give even more consideration to another of COSO’s efforts – specifically, its "Internal Control - Integrated Framework: Guidance on Monitoring Internal Control Systems." Organizations should address the key question below in light of any changes which have occurred in the past year. It is extracted from the “Using the Guidance to Move Monitoring Forward” section of the Introduction portion of the Integrated Framework.
- “Are our governance, risk and compliance frameworks fundamentally sound at both the strategic and operations levels?”
Control monitoring fundamentals
Here are some additional excerpts from COSO’s "Internal Control - Integrated Framework: Guidance on Monitoring Internal Control Systems" introduction that may help with understanding the benefit of monitoring internal control, specifically when completing internal control risk assessments.
- “Effective monitoring can help streamline the (internal control) assessment process, but many organizations do not fully understand this important component of internal control. As a result, they underutilize it in supporting their assessments of internal control.”
- “Unmonitored controls tend to deteriorate over time. Monitoring, as defined in the COSO Framework, is implemented to help ensure "that internal control continues to operate effectively." When monitoring is designed and implemented appropriately, organizations benefit because they are more likely to (a) identify and correct internal control problems on a timely basis, (b) produce more accurate and reliable information for use in decision-making, (c) prepare accurate and timely financial statements, and (d) be in a position to provide periodic certifications or assertions on the effectiveness of internal control.”
- “Over time effective monitoring can lead to organizational efficiencies and reduced costs associated with public reporting on internal control because problems are identified and addressed in a proactive, rather than reactive, manner.”
Continuous monitoring is a key tool
One step that can help avoid blind spots is integrating specific risk management practices such as continuous controls monitoring (CCM) into basic operating activities. Since continuous monitoring technology directly monitors the performance of internal accounting controls it can deliver an excellent measurement regarding an internal control system’s operational effectiveness. CCM can provide improved visibility and it is possible it may even identify operational improvements that could help the business grow. An added benefit is that continuous monitoring feedback also could serve to improve external confidence (e.g. external auditors) in financial reporting results.
The Enterprise Risk Oversight reminder and COSO Guidance on Monitoring dovetail with the discussion of PCAOB’s Auditing Standard No. 5 (AS 5) in July’s McKittrick Report. In that report, I discussed how both auditors and organizations have had some time now to live with and understand the impact of AS 5 and concluded the article as follows:
“… there may be additional opportunity for improved use of COSO’s suggested continuous monitoring programs … to deliver benefits such as these:
- Timely identification and/or deterrence of possible fraud.
- More rapid response to control problems and opportunities.
- Cost reductions and business process improvements.
- Smarter, quicker and less expensive audits.”
Also consider the below, which is one of the key questions that the Guidance on Monitoring Internal Control Systems suggests should be addressed by management.
- “Are we presently performing effective monitoring that is not well utilized in the evaluation of internal control, resulting in unnecessary and costly further testing?”
In particular, let’s further explore the ideas of “smarter, quicker and less expensive audits” and “unnecessary and costly further testing.” I interpret these two premises to mean it is highly likely that both internal audit costs and external audit fees may be higher than they could be with an effective monitoring program in place. Surely the easiest higher cost to identify is higher external audit fees.
Internal audit opportunities
But there does appear to be an opportunity to improve internal audit effectiveness and reduce costs with continuous monitoring. Protiviti, a global business consulting and internal audit firm, recently published the results of its 2009 Internal Audit Capabilities and Needs Survey. The firm notes that over the course of the three surveys conducted on the topic, the most “consistent high priorities for chief audit executives and internal audit professionals (are):
- Enterprise Risk Management;
- fraud (monitoring, detection and prevention); and
- continuous auditing and computer-assisted audit techniques.”
The Protiviti survey also shows that chief audit executives rank “Computer Assisted Audit Techniques” and “Continuous Auditing” as the No. 1 area where internal audit functions need to improve their audit process knowledge. Based on this, it would appear there are probably cost improvement opportunities in internal audit functions, too.
External audit opportunities, too!
It also is highly probable that effective continuous controls monitoring helps to overcome some weaknesses in internal control and thus helps to improve risk assessment efforts with external auditors. A well-designed and executed monitoring program that results in timely communication, investigation and correction of internal control deficiencies before they can materially affect financial results is a sound basis for auditors to evaluate and modify their risk assessments and testing plans.
While 100 percent monitoring may be a gold standard, other levels may be relied upon by external auditors if appropriately strong. A monitoring program that involves less than 100 percent transaction monitoring can still provide highly reliable testing results. Appropriate follow-up actions are key for any monitoring program to demonstrate management’s commitment to internal control. The program itself just needs to be sufficient to ensure the reliability of the monitoring information as well as the effectiveness of the internal control system. Further, a well-designed monitoring program has the potential to supplant some of the work of external auditors. A good monitoring program could lead to the elimination or reduction of separate testing efforts by external auditors, resulting in a more efficient external audit process and a reduction in audit costs.
Summary
Effective GRC efforts are more than frameworks and plans. Effective GRC efforts require effective execution of control activities on a regular basis. COSO has laid out some good guidelines for reliability, suitability and efficiency in control monitoring activities that can aid an organization’s GRC activities. There is a high degree of probability that CCM can pay for itself by improved audit effectiveness in locating and resolving errors quickly and thoroughly and thus offer cost reductions in both internal and external audit efforts.
COSO has given us the guidance and examples that are needed to get going. So be smart … maybe even be a hero: Get going on continuous monitoring. COSO has laid it out for you.
Christopher T. McKittrick is an independent consultant with Perspective Business Advisors. He has over 30 years of business experience in leadership positions in audit, financial management, and information systems. He has worked in a broad range of industries including public accounting, hospitality and gaming, manufacturing, software, and public relations/advertising. His roles have included vice president-chief financial officer, internal audit director, information systems director, re-engineering team leader, and corporate/division controller. Chris most recently served as director of members in business, industry, and government for the AICPA. He obtained both his BS and MBA from Drexel University in Philadelphia, and is a CPA and CFE.




