Monitoring is one of five elements that make up internal control over financial reporting, according to the COSO framework.* As such, it is important in determining the effectiveness of internal controls for purposes of Sarbanes-Oxley compliance, in particular Section 404.
To comply with Section 404, publicly traded companies have to sign off in their financial reports not only that they have internal controls, but also that those controls are effective.
The four other elements for internal controls are the control environment, risk assessment, control activities and information & communication.
Monitoring assesses the quality of internal processes over time.
Note that monitoring does not actually control anything in the business sense, except for the design and assessment of other internal controls. Where necessary, it involves taking corrective action.
Monitoring of internal controls covers a lot of ground. Examples include:
*Regular management and supervisory activities. These should be carried out in the normal course of business.
*Recommendations from auditors for strengthening internal controls.
*Sign off procedures for people using the various controls. This can be used by management to monitor the performance of the control.
*External parties may also monitor the controls. For instance, customers confirm the effectiveness every time they receive a good or service. Conversely, complaints about deliveries going astray indicate a weakness.
*Auditors make recommendations on the ways internal controls can be strengthened. Weaknesses are also noted and corrective action may be prescribed.
Auditors in particular have a duty regarding internal controls. Under Section 404, they have to attest to the effectiveness of the internal controls of the company they are auditing.
There is, however, an important constraint on auditing firms regarding giving advice to firms. The same firm cannot act both as a consultant on improving internal controls and as an auditor. In the case of Enron, Andersen was acting in both capacities, and therefore the relevant section was brought in.
Reporting deficiencies is an essential requirement of the monitoring process, if it is to work efficiently.
A "deficiency" is given a wide definition in COSO. A deficiency means any "condition worthy of attention".
The deficiency should be reported to the person responsible for the control. The person above the responsible person should also be informed.
In some instances there will be resistance to being informed of deficiencies, denial, or a refusal to take corrective action. In these instances, a different approach might be needed that goes outside of the normal control environment. This is known as whistleblowing.
Whistleblowing can be frowned upon, and its practitioners ostracised or harassed. Sarbanes-Oxley consequently increased the protection for whistleblowers in public companies.
* COSO = Committee Of Sponsoring Organisations of the Treadway Commission.