Key Points in COSO Discussion Document: “Guidance on Monitoring Internal Control Systems”

September 17, 2007

FEI Summary

Following are some of the key points in the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Discussion Document released Sept. 17, 2007 entitled, “Guidance on Monitoring Internal Control Systems.” The comment deadline is Oct. 31; a web-based portal for submitting comments, including a list of questions on which COSO seeks specific comment, is available here.

 .

• The DD on Monitoring builds on, but is not intended to amend, COSO’s 1992 Internal Control-Integrated Framework (which identified five core components of internal control: control environment; risk assessment; control activities; information and communication; and monitoring), and the 20 principles of effective monitoring established in COSO’s 2006 Small Business Guidance.
• Importantly, COSO notes in the current document (the Monitoring Discussion Document) that the 20 principles in COSO’s small business guidance published in 2006 are equally applicable to companies of all sizes.
• Th[e] discussion document is designed, as stated in its Executive Summary, “to further develop the understanding of effective monitoring so that organizations can:
• recognize and properly utilize effective monitoring where it exists, and
• implement effective monitoring where it is needed.”
• Three “primary elements” of effective monitoring are identified and elaborated on in the DD:
• The control environment in which monitoring operates;
• The organization’s ability to prioritize effective monitoring procedures and devote monitoring resources commensurate with the underlying level of risk; and
• The organization’s communication structure and its ability to report results of monitoring, including control weaknesses, to the right people in a timely manner.
• ‘Persuasiveness’ of information gained from Monitoring in reaching a conclusion about the effectiveness of internal control is a key focus of the draft guidance. Persuasiveness varies, as described in the DD, according to such factors as:
• Indirect vs. direct information about operation of a control (indirect information about internal control being, e.g. Key Performance Indicators concerning  financial results; direct information being, e.g., results of operation of an internal control obtained from observation, reperformance of the control, or testing of that control). Note: COSO specifically seeks comment on its reference to “indirect” vs. direct information and persuasiveness;
• Relevance, reliability, timeliness of information obtained from Monitoring; and
• Competence and objectivity of person performing monitoring/
• “Correction” of control weaknesses, vs. simply communicating control weaknesses to appropriate parties who are in a position to correct them, is emphasized in the DD.
• Note: readers will want to consider if the language on correction of weaknesses throughout the DD is consistently and suitably principles-based according to risk and cost-benefit, and in accordance with COSO’s 1992 framework and 2006 guidance.
• “Reasonable assurance” is used in the DD and defined in its glossary consistent with the definition provided in SEC rules under the Foreign Corrupt Practices Act.
• “Reporting to External Parties” is a separate section near the end of the DD, and indicates there may be cost-benefit considerations to deciding how much direct vs. indirect information, and related documentation, and the level of competence and objectivity of those involved in monitoring at the company, when considering the needs of its auditors in relying on that information, if an external assertion by management and/or the auditor is required under the Sarbanes-Oxley Act, or if required for another reason or voluntarily provided. 

Prepared Sept. 17, 2007 by: Edith Orenstein, Director of Technical Policy Analysis, Financial Executives International (FEI). This summary does not represent FEI opinion, unless specifically stated above.