If You Don't Monitor Your Internal Controls, Fraud Can Find Its Way In
The most effective way to mitigate the risk of fraud in your business or organization is by designing and implementing strong internal controls. But even the best laid plans are susceptible to fraud if no one is monitoring those systems.
Fraud is perpetrated in large companies, small family-run businesses, nonprofits, and governmental entities all the time — and the victims are always incredulous. As auditors, we see clients develop strong control environments with effective control activities, but all too often they miss the opportunity to ensure those controls are working effectively and efficiently as changes occur in their organizations.
Monitoring controls is just as important as designing them
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission developed the widely used “Internal Control – Integrated Framework” (COSO Framework) that consists of five equally important components:
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
Most organizations excel at the first four on the list. They tend to put so much faith in them that they get a little lax when it comes to monitoring controls. And they’re always surprised when they break down.
To understand the importance of monitoring, we need to first understand why internal controls fail: because they aren’t updated with organizational change. When you regularly monitor your controls, however, you start to see the deficiencies that emerge when your controls don’t keep up with change. This allows you to make the necessary adjustments for proper risk mitigation.
Operations and risk environments — and their supporting internal control structures — change with new staffing, technology updates, or evolving organizational polices. The COSO Framework states that “monitoring ensures that internal control continues to operate effectively.” Monitoring should be performed through ongoing and separate evaluations of the internal control components and the related communications that come from those evaluations.
Monitoring controls is an ongoing, cyclical process
To establish effective monitoring procedures, your organization must start at the top. Key members of your management and governance teams need to set a precedent that evaluating internal controls is important, not only to mitigate risks but to ensure controls are working efficiently.
After the proper tone is set, you must prioritize risks and execute ongoing monitoring and separate evaluations to monitor those risks. It is understandable that not every control process can be evaluated each year, but completing a proper risk assessment and starting with those more significant areas are essential when developing a proper monitoring plan. Lastly, it is important to designate the appropriate individuals to monitor and develop those procedures as they take place.
Monitoring is a continuous cycle, and this graphic helps illustrate it. A single control process may go through evaluations several times over the course of a monitoring cycle to revalidate the controls or set a new baseline. The most significant information that comes out of each cycle are those deficiencies, or areas of improvement, that you can take to the change management process. Change management is the design and implementation of a new control system to improve the efficiency or effectiveness of a control activity. Each time change management occurs, a new baseline is set to create the most effective and efficient control for your organization.
Prioritize, report, and correct control deficiencies
To get the most effective results from the change management process, you should:
• Prioritize the deficiencies you’ve identified — Prioritizing helps you allocate the right time and energy to the most important risk mitigation projects.
• Report them — It is important that you report deficiencies to the appropriate individuals who can effectively make change. For example, if an internal auditor performs ongoing evaluations over the payroll process, it may be more effective to take that information to the payroll manager, along with the CFO, instead of taking the results directly to the CFO, who may not be as familiar with the relevant details.
• Develop corrective action plans — To effectively make change, it is important that corrective action plans are developed and communicated with sufficient and suitable information. If a change is being made to a control that will soon be obsolete due to technology upgrades, that corrective action plan is not relevant. Additionally, if the information provided to key individuals does not include persuasive information, then an effective control cannot be properly implemented.
Internal controls are an organization’s greatest weapon in the fight against fraud, but they become obsolete with change. Monitoring your procedures in an ongoing, cyclical fashion keeps your controls relevant, effective, and efficient.
(Source: CliftonLarsonAllen - Perspectives - October 24, 2017)