We strike up conversations about all manner of topics with finance professionals across North America, but discussions about Continuous Controls Monitoring (CCM) can be difficult. In part it is challenging because not many of us have extensive experience with Internal Control. For example, on numerous occasions we've heard comments like “Yes, our internal controls are great; we have segregation of duties!”
With this in mind, and in consideration of the problems that a weak system of Internal Control causes, we thought we would explore some of the basics in this post.
Perhaps the simplest way is to use an analogy:
Imagine you are driving in your vehicle. Your objective? To safely get to the grocery store and back, taking the most efficient route possible.
On your route, there are risks - other vehicles, pedestrians, traffic lights - which threaten to slow you down or even derail you completely on your journey. But you're not powerless. Your car has a number of features that allow you to navigate these dangers - the mirrors, the steering wheel, the turn signals, etc. The skillful use of these features greatly increases the likelihood of you getting to the grocery store.
Imagine you climbed into your vehicle and all you found was a brake pedal - no steering wheel, no turn signals, no headlights.... Would you start off on your trip? Most likely not - a single safety feature is not enough! You need a wide array of components working as an integrated system in order to have a safe and efficient trip.
Your organization's internal control system is the same. Segregation of duties is an important component (see Control Activities below) of the system. But it alone is not enough to protect your organization and ensure the attainment of your goals. What is needed is an entire framework of internal control.
There are a number of different frameworks, but the most popular, and the one recommended by the GFOA, is COSO. Below, the COSO pyramid illustrates the components of their framework:
The control environment is often referred to as “tone at the top” and represents the many elements of the internal environment that define how the entity will conduct its activities overall. These include “soft controls” such as shared values, high ethical standards and expectations, and openness. However, it also includes “hard controls” such as formal job descriptions and performance reviews, and enforced disciplinary practices for violations of expected behavior.
It is hard to overestimate the importance of this component. In fact, in January of this year the GFOA published a best practice regarding the control environment that we strongly encourage you to read.
Risk is defined as an event that will impact the achievement of one or more objectives. Risk assessment involves the identification and assessment of likelihood and impact of relevant risks.
Control activities are those actions carried out to mitigate risk in order to increase the likelihood that objectives will be achieved. Generally they break down into two categories: Preventative & Detective.
Here we see the role of segregation of duties. It is an example of one type of control activity (preventative). It involves separation of the responsibility for the various aspects of a transaction – initiation, custody, recording and reconciling. For example, separating the approval of a purchase (initiating), the ability to create a purchase order (custody), actually creating the purchase order (recording), and performing the 3-way match mentioned above (reconciling).
Communication is the glue that holds this system together. Information is obtained both from internal activities, such as transaction data, and external sources, such as regulatory requirements. Appropriately and effectively communicating information across and outside the entity is essential for the achievement of objectives.
How do you know the control activities you are counting on are present and functioning? This is the role of monitoring. Unfortunately it is all-too-frequently overlooked.
Your control monitoring system can either be based on manual effort from staff, or automatic checking from one of your computer systems. The other important aspect of your monitoring system is its frequency: periodic or continuous. Manual monitoring very rarely approaches continuous unless you have the resources for MANY dedicated internal auditors. It's much more likely that it will be periodic. Your automated monitoring protocols are more likely to be continuous, although the way you implement them will determine their frequency.
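The segregation-of-duties control described above (initiation, custody, recording and reconciling in separate hands) and the monitoring discussion in this section can both be shown in code. The example below is an added illustration, not code from the original post or from any CCM product: it runs a segregation-of-duties check over a constructed purchase-order event log in two modes, a periodic batch review of everything recorded so far, and a continuous check that evaluates each event as it arrives. The event format, the stage names and the sample users are assumptions made up for the example.

```python
"""Segregation-of-duties (SoD) monitoring over a purchase-order event log.

Added example, not from the original post. Event format and sample data are
constructed for illustration.
"""
from collections import defaultdict

# The four aspects of a transaction that the post says should be separated.
STAGES = ("initiate", "custody", "record", "reconcile")

# Constructed sample log: each event says who performed which stage of which PO.
# PO-1001 is clean; PO-1002 has one person doing three stages; PO-1003 was
# never placed in custody or reconciled.
SAMPLE_EVENTS = [
    {"po": "PO-1001", "stage": "initiate", "user": "alice"},
    {"po": "PO-1001", "stage": "custody", "user": "bob"},
    {"po": "PO-1001", "stage": "record", "user": "carol"},
    {"po": "PO-1001", "stage": "reconcile", "user": "dave"},
    {"po": "PO-1002", "stage": "initiate", "user": "alice"},
    {"po": "PO-1002", "stage": "custody", "user": "alice"},
    {"po": "PO-1002", "stage": "record", "user": "alice"},
    {"po": "PO-1002", "stage": "reconcile", "user": "dave"},
    {"po": "PO-1003", "stage": "initiate", "user": "erin"},
    {"po": "PO-1003", "stage": "record", "user": "frank"},
]


def find_sod_violations(events):
    """Periodic (batch) check: return {po: [(stage_a, stage_b, user), ...]}
    for every PO where one user performed more than one stage."""
    by_po = defaultdict(dict)
    for e in events:
        by_po[e["po"]][e["stage"]] = e["user"]
    violations = {}
    for po, stages in by_po.items():
        present = [s for s in STAGES if s in stages]
        found = [
            (a, b, stages[a])
            for i, a in enumerate(present)
            for b in present[i + 1:]
            if stages[a] == stages[b]
        ]
        if found:
            violations[po] = found
    return violations


def find_incomplete(events):
    """Detective check: return {po: [missing stages]} for POs that have not
    passed through every stage (e.g. never reconciled)."""
    seen = defaultdict(set)
    for e in events:
        seen[e["po"]].add(e["stage"])
    return {
        po: [s for s in STAGES if s not in done]
        for po, done in seen.items()
        if len(done) < len(STAGES)
    }


class ContinuousSodMonitor:
    """Continuous check: ingest events one at a time and raise an alert on the
    event that first puts a second stage of the same PO in the same hands."""

    def __init__(self):
        self._seen = defaultdict(dict)  # po -> {stage: user}

    def ingest(self, event):
        stages = self._seen[event["po"]]
        clashes = [
            (s, event["stage"], event["user"])
            for s, u in stages.items()
            if u == event["user"] and s != event["stage"]
        ]
        stages[event["stage"]] = event["user"]
        return clashes


if __name__ == "__main__":
    print("Batch SoD violations:", find_sod_violations(SAMPLE_EVENTS))
    print("Incomplete transactions:", find_incomplete(SAMPLE_EVENTS))
    monitor = ContinuousSodMonitor()
    for ev in SAMPLE_EVENTS:
        for alert in monitor.ingest(ev):
            print("ALERT on", ev["po"], alert)
```

The batch functions are what a periodic review looks like: they only see a problem when someone runs them. The monitor class is the continuous form the section describes: the same rule, but evaluated on every event as it is written, so the alert for PO-1002 fires on the second event rather than at month end.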
Monitoring tends to be one of the weakest elements in most organizations' internal control structure for two reasons:
It should be clear now that breaking some high-risk tasks into pieces and segregating them among different staff is just one small (but important) piece of an effective internal control system. But it's not nearly enough.
Developing a proper framework involves much more, and relies on a robust, continuous monitoring program in order to safely "drive" your organization to your objective.