Don’t get too comfortable just because you have internal controls in place. You should monitor them for deficiencies that may arise as your organization changes.
This article was originally published on 10/10/17 and has been updated as of 2/3/23 to reflect recent fraud studies and insights.
The most effective way to mitigate the risk of fraud in your business or organization is by designing and implementing strong internal controls. But even the best laid plans are susceptible to fraud if no one is monitoring those systems.
Fraud may be perpetrated in large companies, small family-run businesses, nonprofits, and governmental entities at any time — and the victims are always incredulous. Time and again, I hear them say, “I just didn’t think it could happen here.” As auditors, we see clients develop strong control environments by implementing effective control activities, but all too often miss the opportunity to ensure those controls are working effectively and efficiently as changes occur in their organizations.
Monitoring controls is just as important as designing them
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission developed the widely used “Internal Control – Integrated Framework” (COSO Framework), which consists of five equally important components:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
Most organizations excel at the first four on the list. They tend to put so much faith in the design of controls that they get a little lax when it comes to monitoring the operating effectiveness of the controls. And they’re always surprised when the controls break down.
To understand the importance of monitoring, we need to first understand that internal controls fail when they aren’t updated with organizational change. When you regularly monitor control effectiveness, however, you start to see deficiencies that emerge when your controls don’t keep up with organizational change. Monitoring allows you to make the necessary adjustments for proper risk mitigation.
Operations and risk management environments — and their supporting internal control structures — change with new staffing, technology updates, or evolving organizational policies. The COSO Framework states that “monitoring ensures that internal control continues to operate effectively.” Monitoring should be performed through ongoing and separate evaluations of the internal control components, with the results of those evaluations communicated to the people who can act on them.
Monitoring controls is an ongoing, cyclical process
To establish effective monitoring procedures, your organization must start at the top. Key members of your management and governance teams need to set a precedent that evaluating internal controls is important, not only to mitigate risks but to ensure controls are working effectively.
After the proper tone is set, you must prioritize risks and then carry out ongoing monitoring and separate evaluations of the controls that address them. Not every control process can be evaluated each year, but completing a proper risk assessment and starting with the more significant areas is essential when developing a monitoring plan. Lastly, designate the appropriate individuals to develop monitoring procedures and to make sure they are properly executed.
Monitoring is a continuous cycle, as the accompanying graphic illustrates. A single control process may go through evaluations several times over the course of a monitoring cycle to revalidate the controls or set a new baseline. The most significant output of each cycle is the set of deficiencies, or areas for improvement, that you can take into the change management process. Change management includes the design and implementation of an updated control system to improve the efficiency or effectiveness of a control activity. Each time change management occurs, a new baseline is set, so that the organization always has the most effective and efficient control it can currently achieve.
Prioritize, report, and correct control deficiencies
To get the most effective results from the change management process, you should:
- Prioritize the deficiencies you’ve identified — Prioritizing helps you allocate the right time and energy to the most important risk mitigation projects.
- Report — Report deficiencies to the individuals who can actually make the change. For example, if an internal auditor performs ongoing evaluations of the payroll process, it is usually more effective to bring the findings to the payroll manager together with the CFO than to the CFO alone, who may not be familiar with the relevant details.
- Develop corrective action plans — To make change stick, corrective action plans must be developed and communicated with sufficient and suitable information. If a change is being made to a control that will soon be obsolete because of a planned technology upgrade, that corrective action plan may not be worth pursuing. Likewise, if the information provided to the responsible individuals is not persuasive, the corrected control is unlikely to be implemented properly.
How we can help
Internal controls are an organization’s greatest weapon in the fight against fraud, but they may become obsolete with change. Monitoring your procedures in an ongoing, cyclical fashion keeps your controls relevant, effective, and efficient. CLA’s risk management professionals help organizations of all sizes in all industries assess their exposure to risk. We can work with you to help design, implement, and monitor control processes and mechanisms that help keep fraud at bay.
If you find yourself in a situation where your internal controls have already broken down, you may need forensic accounting services to analyze suspicious transactions. CLA’s forensic professionals combine technical knowledge with audit and assurance experience to help you identify and assess financial irregularities and can design an action plan that fits your unique situation.