Categories
Blog

Day 19 of One Month to More Effective Internal Controls – COSO Objective V: Monitoring Activities

Monitoring Activities. The Framework Volume says, “Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different entity levels, provide timely information. Separate evaluations, conducted periodically, will vary in scope and fre­quency depending on the assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management, and the board of directors. Deficiencies are communicated to management and the board of direc­tors as appropriate.” However, as with all other components of the COSO Cube, Monitoring Activities are part of an inter-related whole and cannot be taken singularly. Rittenberg states this objective “applies to all five components of internal control. The nature of monitoring should fit the organization, its dependence on IT, and the effectiveness of monitoring providing relevant feedback on the other components, including the effectiveness of control activities.” For the CCO or compliance practitioner, Monitoring Activities have been growing in importance over the past few years and will continue to do so in the future. The Five Principles of an Effective Compliance Program, Principle 5, includes ongoing monitoring, reinforced in the 2013 COSO Framework. In an article in Corporate Compliance Insights (CCI), entitled “Implementing COSO’s 2013 Framework: 10 Questions that Need to be Answered”, Ron Kral explained that it is essential to “ensure that adequate controls are ‘present’ in support of all relevant principles and the components before launching into efforts to prove that the controls are “functioning.” Remember that all relevant principles must be present and functioning for a company to conclude that its ICFR is effective safely. Aligning the design of controls to the 17 principles to see any gaps early in the implementation process will help ensure adequate time to remediate and test for operating effectiveness.” The same is equally, if not more so, true for your company’s compliance function.

I. Objective-Monitoring Activities The Monitoring Activities objective consists of two principles. They are: Principle 16 – “The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.” Principle 17 – “The organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.”

Principle 16 – Ongoing Evaluation

Rittenberg stresses that this Principle requires that “Monitoring should include ongoing or ‘continuous monitoring’ whenever such monitoring is reliable, timely and cost-effective.” The reason is simple; they are complementary tools to test the effectiveness of your compliance regime. The same is true of internal controls. But this Principle expects your organization to oversee, monitor, and audit. For the CCO or compliance practitioner, you will need to consider several different areas and concepts going forward. A current risk assessment or other evaluation of business changes should be based on some baseline understanding of your underlying compliance risk. Whatever you select will need to be integrated with your ongoing business processes, adjusted as appropriate through ongoing risk assessments, and objectively evaluated.

Principle 17 – Evaluation And Communication Of Deficiencies

This final Principle speaks to deficiencies and their correction. Rittenberg notes it requires a determination of what might constitute a deficiency in your internal control, who in your company is responsible for “taking corrective action and whether there is evidence that the corrective action was taken.” If that does not sound like McNulty Maxim No. 3, What did you do when you found out about it? I do not know what it does. Therefore, under this Principle, the CCO will need to take timely and determined action to correct any deficiencies which might appear in your compliance regime. It will require you to assess results, communicate the weaknesses up the chain to the board or Compliance Committee, correct and then monitor the corrective action going forward. Adapting Kral, I urge that every key internal compliance control in support of the 17 Principles should “conclude upon by management in terms of their adequacy of design and operating efficiency.”

II. Discussion Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running correctly. Both ongoing monitoring and auditing are tools the CCO and compliance practitioner should use to support this objective. Near the end of his section on this objective, Rittenberg states, “Monitoring is a key component of the internal control framework because effective monitoring (a) recognizes the dynamics of change within an organization, and (b) provides the basis for corrective action on a timely basis.” I would add that it also allows you to evaluate the effectiveness of that corrective action. The most important thing is that all the controls need to be sustainable. You cannot just build one-off controls that allow you to do one period and not have a process in place that will help you through all the periods you need to cover. The controls cannot just be a one-and-done. Many companies will find that their initial approach is one-and-done. There must also be a mechanism for communicating controls that do not work or can be overridden. From there, you must be able to remediate your controls going forward. This will align with the compliance professional’s requirement to prevent, detect, and remediate.

Three Key Takeaways:

  1. Monitoring activities are interrelated with all other Principles and cannot be taken singularly.
  2. Monitoring activities helps to ensure that all controls are present and functioning.
  3. Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running correctly.

For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com. Ongoing monitoring of your internal controls helps to endure they are sustainable and not overridden.

Categories
Compliance Into the Weeds

Compliance into the Weeds – Episode 46 – The Potted Plant Edition

HSBC v. Moore

In this case, a federal district court had ordered the release of a redacted monitor’s report in the HSBC money-laundering Deferred Prosecution Agreement (DPA) based upon the request of an interested citizen. Both the Department of Justice (DOJ) and HSBC appealed the order, and the Court of Appeals supported their position in overturning the trial court’s decision. The case is about a hook, line, and sinker overturning of any trial court jurisdiction one can have. The district court tried to claim it did not have the same role as a “potted plant,” but the Court of Appeals left no doubt that is the only role it sees for any district court where a DPA is filed. We discuss the implications for the compliance practitioner, FCPA enforcement, and potential future changes. Are district court’s simply potted plants when it comes to DPA oversight?