If you're a finance executive for a public or private company, you're likely familiar with the COSO internal-control framework. COSO, the Committee of Sponsoring Organizations of the Treadway Commission, is an organization that was convened in the 1970s to study how to combat fraudulent financial reporting.
Since then, its five sponsoring organizations--Financial Executives International, American Institute of Certified Public Accountants, American Accounting Association, The Institute of Internal Auditors and the Institute of Management Accountants--have continued to meet on a regular basis to develop guidance and further the organization's work.
The Internal Control--Integrated Framework, published by COSO in 1992, is the central internal-control framework in the United States, and has been translated into several languages. The framework emphasizes, but is not limited to, internal control over finanical reporting. COSO has also published separate guidance on Enterprise Risk Management (2004) and Guidance for Smaller Public Companies, in 2006.
New Guidance on Monitoring
At press time, COSO was preparing to publish its final Guidance on Monitoring Internal Control Systems. Monitoring is one of the five core components of COSO's internal-control framework, which consists of: Control Environment (including Tone at the Top); Risk Assessment; Control Activities; Monitoring; and Information and Communication. The major tenets of COSO's new monitoring guidance are shown in the figure, "A Model for Monitoring" on the following page.
R. Trent Gazzaway, Grant Thornton's managing partner, Corporate Governance, who led development of the COSO project, explains the new monitoring material: "We designed the guidance to help companies recognize and take credit for good monitoring where it exists (thus reducing possibly unnecessary control testing); and implement good monitoring where it might be lacking.
"If either or both of these objectives are achieved, then companies will recognize improvements in both effectiveness and efficiency."
Likewise, he adds, "auditors should be able to perform [the] most cost-effective audits when they see the results of effective monitoring."
One point raised in the monitoring guidance--which was the subject of much dialogue within the COSO task force--was around use of, or specifically, the level of "persuasiveness" of direct versus indirect information. Direct information confirms whether a control is operating...