COSO Committee of Sponsoring Organizations of the Treadway Commission
Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
The following points of focus highlight important characteristics relating to this principle:
- Considers a Mix of Ongoing and Separate Evaluations—Management includes a balance of ongoing and separate evaluations.
- Considers Rate of Change—Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations.
- Establishes Baseline Understanding—The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations.
- Uses Knowledgeable Personnel—Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.
- Integrates with Business Processes—Ongoing evaluations are built into the business processes and adjust to changing conditions.
- Adjusts Scope and Frequency—Management varies the scope and frequency of separate evaluations depending on risk.
- Objectively Evaluates—Separate evaluations are performed periodically to provide objective feedback.
Monitoring can be done in two ways: through ongoing evaluations or separate evaluations, or some combination of the two. Ongoing evaluations are generally defined, routine operations, built into business processes and performed on a real-time basis, reacting to changing conditions. Separate evaluations are conducted periodically by objective management personnel, internal audit, and/or external parties, among others. The scope and frequency of separate evaluations are a matter of management judgment.
Separate evaluations can employ the same techniques as ongoing monitoring, but they are designed to evaluate controls periodically and are not ingrained in the routine operations of the entity. Since separate evaluations take place periodically, problems will often be identified more quickly by ongoing evaluations. Many entities with sound ongoing evaluations will nonetheless conduct separate evaluations of the components of internal control to reconfirm ongoing evaluation conclusions. An entity that perceives a need for frequent separate evaluations may consider identifying ways to enhance ongoing evaluations.
Management selects, develops, and performs a mix of monitoring activities usually including both ongoing and separate evaluations, to ascertain whether each of the five components of internal control is present and functioning. As part of monitoring the five components, management uses these evaluations to ascertain whether controls to effect principles across the entity and its subunits have been selected, developed, and deployed. The decision of whether to conduct ongoing or separate evaluations, or some combination of the two, may occur at different levels of the entity. Thought is given to the scope and nature of the entity's operations, changes in internal and external factors, and the associated risks when developing the ongoing and separate evaluations.
Management considers the rate that an entity or the entity's industry is anticipated to change. An entity in an industry that is quickly changing may need to have more frequent separate evaluations and may reconsider the mix of ongoing and separate evaluations during the period of change. For example, banks subject to financial regulatory reforms select and develop monitoring activities that anticipate future change and reactions to the changing regulatory environment. Usually, some combination of ongoing and separate evaluations will validate whether or not the components of internal control remain present and functioning.
Monitoring activities may be used to support external reporting including management assertions over the entity's system of internal control or other forms of compliance reporting. The requirements of external reporting or management assertions will usually affect the combination of ongoing and separate evaluations and how they are selected, developed, and performed.
Understanding the design and current state of a system of internal control provides useful baseline information for establishing ongoing and separate evaluations. When using monitoring activities it is necessary to have an understanding of how management has designed the system of internal control and how controls within each of the five components effect principles. As management gains experience with monitoring activities, its understanding will evolve based on the results of such activities. If an entity does not have a baseline understanding in areas with risks of higher significance, it may need to perform a separate evaluation of those areas to establish the baseline. When change occurs within any of the five components of internal control, the baseline may need to be evaluated to make sure monitoring activities remain appropriate or updated so they are aligned with other components of internal control.
Manual and automated ongoing evaluations monitor the presence and functioning of the components of internal control in the ordinary course of managing the business. Ongoing evaluations are generally performed by line operating or functional managers, who are competent and have sufficient knowledge to understand what is being evaluated, giving thoughtful consideration to implications of information they receive. By focusing on relationships, inconsistencies, or other relevant implications, they raise issues and follow up with other personnel as necessary to determine whether corrective or other action is needed.
Entities frequently use technology to support ongoing evaluations. Computerized continuous monitoring techniques have a high standard of objectivity (once programmed and tested) and allow for efficient review of large volumes of data at a low cost. Such techniques, combined with robust review and analysis of the results by knowledgeable and responsible personnel, can result in an efficient and effective program for ongoing evaluations.
The following examples illustrate ongoing evaluations.
A medium-size manufacturing entity has in place a process for conducting a monthly production meeting attended by the manufacturing supervisor, inventory manager, and demand planning supervisor to review current production levels and product modifications. The quality officer attends this routine meeting. As part of her ongoing evaluation of the controls in the production planning process, the quality officer evaluates information obtained in the meeting to raise probing questions of management and other personnel, to ascertain whether appropriate analysis and actions are being performed and followed up on in a timely manner, and to identify unusual trends or anomalies that may warrant immediate investigations. She also uses information obtained and analyzed during the meeting to recommend modifications to control activities relevant to the production planning process.
Control activities embedded in the procurement process use software to automate the review of all payment transactions. A software routine embedded within the payable process immediately identifies any unusual transactions based on pre-established parameters (e.g., possible duplicate payments). The accounts payable supervisor daily investigates any identified anomalies, determines root causes, and evaluates and communicates any internal control deficiency to those in the procurement process responsible for taking corrective action.
The human resource department has developed policies and practices that support the organization's commitment to attract, develop, and retain competent staff. These practices include training, mentoring, and evaluation practices that encourage development and promotion to management positions. As part of the entity's human resource policies and practices, staff mentors semiannually prepare and present to the human resource supervisors a review of each assigned individual's actual performance against expected performance levels and standards of conduct. The director of personnel attends these semiannual presentations as part of the ongoing evaluation of human resource policies and practices and provides objective, real-time feedback to department supervisors and mentors about the effectiveness of the review process, compliance with labor laws, and recommendations for improving subsequent processes.
An entity authorizes its accounts payable clerks to process contractor invoices with up to a 5% variance from amounts specified for services pursuant to executed contracts without seeking supervisory approval. The accounts payable manager monitors this control activity at the end of each month by reviewing disbursement activity and focusing specifically on two trends: the volume of disbursements where there are variances from contracts, and the frequency with which a particular clerk processes any variance payments. The accounts payable manager investigates any instance of an excessive variance or abnormal frequency or trend from both an operational and potential fraud perspective and takes action to assess and resolve root causes.
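The two automated monitoring controls described above (the payables routine that flags possible duplicate payments, and the month-end review of contract variances and per-clerk variance frequency) can be expressed as a small analytic over disbursement records. This is an added illustration, not code from the COSO framework; the record layout, the per-clerk frequency threshold, and the sample transactions are assumptions constructed here.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

VARIANCE_LIMIT = 0.05   # clerks may process up to 5% variance without approval (from the example)
CLERK_RATE_LIMIT = 0.5  # assumed: flag a clerk when over half of their payments carry a variance

@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    invoice_no: str
    clerk: str
    contract_amount: float
    paid_amount: float

def variance_ratio(p: Payment) -> float:
    """Absolute deviation of the paid amount from the contracted amount, as a fraction."""
    return abs(p.paid_amount - p.contract_amount) / p.contract_amount

def possible_duplicates(payments):
    """Pre-established parameter: the same vendor invoice paid more than once."""
    seen = defaultdict(list)
    for p in payments:
        seen[(p.vendor, p.invoice_no)].append(p.payment_id)
    return {key: ids for key, ids in seen.items() if len(ids) > 1}

def excessive_variances(payments):
    """Payments outside the 5% tolerance the clerks are authorised to approve alone."""
    return [p.payment_id for p in payments if variance_ratio(p) > VARIANCE_LIMIT]

def clerk_variance_rates(payments):
    """Share of each clerk's payments that carry any variance at all (the second trend)."""
    total, varied = Counter(), Counter()
    for p in payments:
        total[p.clerk] += 1
        if variance_ratio(p) > 0:
            varied[p.clerk] += 1
    return {c: varied[c] / total[c] for c in total}

def abnormal_clerks(payments):
    """Clerks whose variance frequency exceeds the assumed threshold; for manager follow-up."""
    return sorted(c for c, r in clerk_variance_rates(payments).items() if r > CLERK_RATE_LIMIT)

# Constructed sample month of disbursements (not real data).
SAMPLE = [
    Payment("P1", "Acme Ltd", "INV-100", "clerk_a", 1000.0, 1000.0),
    Payment("P2", "Acme Ltd", "INV-100", "clerk_b", 1000.0, 1000.0),  # duplicate of P1
    Payment("P3", "Beta Co", "INV-200", "clerk_b", 2000.0, 2080.0),   # 4%: within tolerance
    Payment("P4", "Beta Co", "INV-201", "clerk_b", 2000.0, 2300.0),   # 15%: needed approval
    Payment("P5", "Gamma", "INV-300", "clerk_a", 500.0, 500.0),
    Payment("P6", "Gamma", "INV-301", "clerk_b", 500.0, 510.0),       # 2%: within tolerance
]
```

Each flagged item is a lead for the accounts payable supervisor or manager to investigate root cause, not a conclusion on its own.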
Separate evaluations are generally not ingrained within the business but can be useful in taking a fresh look at whether each of the five components of internal control is present and functioning. Such evaluations include observations, inquiries, reviews, and other examinations, as appropriate, to ascertain whether controls to effect principles across the entity and its subunits are designed, implemented, and conducted. Separate evaluations of the components of internal control vary in scope and frequency, depending on the significance of risks, risk responses, results of ongoing evaluations, and expected impacts on the control components in managing the risks. Higher-priority risks and responses should be evaluated in greater depth and/or more often than lower-priority risks. While higher-priority risks can be evaluated with both ongoing and separate evaluations, separate evaluation may provide feedback on the results of ongoing evaluations, and the number of separate evaluations can be increased as necessary.
A separate evaluation of the overall internal control system, or specific components of internal control, may be appropriate for a number of reasons: major strategy or management change, acquisitions or dispositions, changes in economic or political conditions, or changes in operations or methods of processing information. The evaluation scope is determined by which of the three objectives categories—operations, reporting, or compliance—are being addressed.
Separate evaluations are often conducted through the internal audit function, and while having an internal audit function is not a requisite of internal control, it can enhance the scope, frequency, and objectivity of such reviews. fn 25 Since separate evaluations are conducted periodically by independent managers, employees, or external reviewers to provide feedback with greater objectivity, evaluators need to be knowledgeable about the entity's activities and how the monitoring activities function, and understand what is being evaluated. Procedures designed to operate in a particular way may be modified over time to operate differently, or they may no longer be performed. Sometimes new procedures are established, but are not known to those who described the process and are not included in available documentation. Determining the actual functioning can be accomplished by holding discussions with personnel who perform or are affected by controls, by examining performance records, or by a combination of procedures.
The evaluator analyzes the presence and functioning of components of internal control, and the results of evaluations. The analysis is conducted against the backdrop of management's established standards for each component, with the ultimate goal of determining whether the process provides reasonable assurance with respect to the stated objectives.
There are a variety of approaches available to perform separate evaluations. The scope, nature, frequency, and formality of approaches vary with the relative importance of the risk responses and related components and principles of internal control that are being evaluated. Separate evaluations may include:
- Internal Audit Evaluations—Internal auditors are often objective and competent resources, whether in-house or outsourced, and perform separate evaluations as part of their regular duties, or at the specific request of senior management or the board of directors. Typically, each year the internal audit function develops an internal audit plan of projects that are selected based on a risk-based approach aligned with organizational objectives and stakeholder priorities. For instance, areas of review may include compliance with the code of conduct, design of the risk assessment process, reporting of data quality, and reporting of specific transactions and controls. Reports are distributed to senior management, the board of directors or its audit committee, and other parties positioned to take action on the recommendations in the report.
- Other Objective Evaluations—For entities that lack an internal audit group or for those that have other quality functions that perform internal audit-like activities (such as a controls compliance group), management may use other internal or external objective reviewers, such as compliance officers, operations specialists, IT security specialists, or consultants. For example, an entity's IT security specialist may periodically evaluate the entity's compliance with relevant information security standards. fn 26
- Cross Operating Unit or Functional Evaluations—An entity may use personnel from different operating units or functional areas to evaluate components of internal control. For example, quality audit personnel from operating unit A may periodically evaluate the internal controls of operating unit B. Also, adding personnel from different operating units or functional areas to evaluations may improve communications between operating units or functional areas.
- Benchmarking/Peer Evaluations—Some entities compare or benchmark components of internal control against those of other entities. Such comparisons might be done directly with another entity or under the auspices of trade or industry associations. Other entities may be able to provide comparative information. A word of caution: when conducting comparisons, consider the differences that always exist in objectives, facts, and circumstances.
- Self-Assessments—Separate evaluations may take the form of self-assessments (also called self-reviews), where those responsible for a particular unit or function assess the presence and functioning of components of internal control relating to their activities. For example, in one company the chief executive of a food product division directs the evaluation of its internal control activities related to food safety regulations. She personally assesses the controls associated with strategic choices and high-level objectives as well as the components of internal environment, and individuals in charge of the division's various operating activities assess the presence and functioning of components relative to their spheres of responsibility. Since self-assessments may have less objectivity than other separate evaluation approaches, depending on the person conducting the self-assessment, the evaluator or those using the report will determine the weight and value to be placed on the results.
Entities that use outsourced service providers for services such as third-party warehousing, Internet hosting, healthcare claims processing, retirement plan administration, or loan services need to understand the activities and controls associated with the services and how the outsourced service provider's internal control system impacts the entity's system of internal control.
Entities may use the following approaches to understand the outsourced service provider's system of internal control:
- The user of outsourced services may conduct its own separate evaluations of the outsourced service provider's system of internal control as relevant to the entity. In these circumstances an entity should build into its contract with any outsourced service provider a right-to-audit clause to allow for its own separate evaluation and access to visit the provider.
- Relevant information concerning internal control at an outsourced service provider may be obtained by reviewing an independent audit or examination report. fn 27 When reviewing such reports, organizations consider the content of the assertions and attestations to be satisfied that the outsourced service provider's controls interface with the entity's controls, and that the tests and results of the outsourced service provider's controls provide sufficient comfort to the user entity. Entities also consider the period of time covered by an independent audit or examination report, since it might not coincide with or provide the complete coverage needed by the entity. In these circumstances an entity should build into its contract with any outsourced service provider a requirement for an independent audit or examination report.
- When considering circumstances such as the nature and scope of information transferred between parties and the nature of the processing and reporting the outsourced service provider performs, an entity may be able to determine that there is sufficient internal control over processing provided by the outsourced service provider without additional documentation.
fn 25 Some external bodies may require an entity to have an internal audit function. For example, the New York Stock Exchange requires all corporations that list securities on the exchange to have an internal audit function (NYSE Listed Company Manual 303A.07(d)).
fn 26 An entity might use ISO/IEC 27002, published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), which provides recommended practices for information security management for use by those responsible for designing, implementing or maintaining information security management systems.
fn 27 Examples of attestations for external financial reporting include a Service Organization Control (SOC) report issued pursuant to the AICPA's Statement on Standards for Attestation Engagements No. 16 (SSAE 16 or SOC 1) or the International Standard on Assurance Engagements 3402 report (ISAE 3402).
Generated November 9, 2014 22:46:48