A Baseline of Understanding
.1 Internal control effectiveness is an ongoing process. People design and implement internal control processes, which can change over time. In some instances, the system was not designed or properly implemented at inception. In other instances, the controls are properly designed and implemented, but changes occur in the surrounding environment in which they operate. Also, properly designed controls are implemented and are then faced with a change in the way the business or entity operates. All of these factors represent underlying reasons for monitoring internal control on a regular basis.
.2 Poorly designed and improperly implemented controls are two of many reasons for evaluating internal control effectiveness. In other instances, the surrounding environment is subject to changes in risks, personnel, processes, or technology. When this occurs, the internal control system may not change or may not be properly modified to cope. This is probably one of the most compelling reasons for monitoring the internal control system—to ensure that it continues to provide reasonable assurance for achieving the entity’s objectives. These changes, along with the potential for operational shifts, make monitoring a critical component of the COSO framework.
.3 Because of the three primary conditions described, it is essential to establish a baseline for monitoring, since it provides a starting point to conduct and engage in the monitoring process. Creating a baseline understanding of internal control provides the foundation for development and the design of monitoring procedures. Monitoring procedures include both ongoing monitoring steps and separate evaluations. These procedures address any changes needed in the operation of controls or those that have been implemented. In either case, the ongoing monitoring process is designed to determine that proposed or implemented changes in internal control are functioning as intended.
Key Elements of Establishing an Internal Control Baseline
.1 There are four key elements of establishing an internal control monitoring baseline:
(A) Control baseline
(B) Change identification
(C) Change management
(D) Control revalidation
.2 Each of these four elements will be described and discussed in greater detail.
.3 It is essential to have a starting point when monitoring internal control that requires providing a thorough understanding of the internal control system design. The next step is determining whether the controls have been implemented so that the organization’s objectives are being achieved.
.4 Change identification evolves from a combination of ongoing monitoring and separate evaluations to establish if any changes have occurred in the internal control system. The change identification process deals with both changes that have been implemented and any contemplated modifications.
.5 Change management addresses changes in the internal control systems that have been identified. This forms the establishment of a new control baseline and involves documenting any revisions that have been implemented. This effort produces a new control baseline.
.6 Control revalidation or updates deal with confirmation of the internal control system to determine and revalidate the system when no contemplated changes have occurred.
.7 The four steps do not create an established format for monitoring that is engraved in stone. Instead, they provide a suggested process for determining whether changes have been identified or are needed. If no changes are required, the process revalidates those conclusions in addition to verifying whether necessary changes have been implemented. Changes in the operating environment are typically addressed with the risk assessment component of the COSO framework. Application of the framework should be linked to monitoring so that each of the five components supports identification and management of changes impacting internal control.