Network Expertise

The ABCs of Internal Controls Monitoring

Many recent publications note lack of automation in internal controls monitoring in many organizations. What exactly is monitoring and how organizations of different sizes can achieve benefits from the use of continuous monitoring software?

The monitoring of internal controls requires the organization to evaluate whether internal controls are operating as intended and timely communicate any deficiencies to those with authority to take corrective action. The COSO Framework prescribes monitoring activities in the form of separate and ongoing evaluations, or a combination of both. The figure below provides an overview of manual and automated internal controls monitoring in separate and ongoing evaluations.

 Separate evaluations refer to periodic checks that are not built into the routine operations of the organization. Separate evaluations occur with varying frequencies depending on management’s judgment of risks involved and importance of the processes to the organization. Ongoing evaluations, on the other hand, refer to routine monitoring activities which are built into the operations of the organization. Ongoing evaluations include “regular management and supervisory activities, peer comparisons and trend analysis using internal and external data, reconciliations, and other routine actions” (COSO 2009). Both separate and ongoing evaluations can be performed manually (by user) or with the help of software (automated).

Manual processes require human involvement to physically perform an internal control. In manual separate evaluations, a person evaluates a control with varying frequencies after a control, transactions or processes take place. In manual ongoing evaluations, a person uses software every time a control operates and approves every change to that software.

Some organizations use software to monitor the effectiveness of the internal control systems. These automatedevaluations help management to review internal controls and transactions across various business processes, divisions, or the entire organization. In automated separate evaluations, software periodically performs integrity checks (i.e., every N transactions or after X amount of time). Automated ongoing evaluations are also termed continuous monitoring because software performs internal controls evaluating all controls, transactions and processes in real time (e.g., software checks transactions against baselines, flags transactions with conflicts). The main benefit associated with the continuous controls monitoring is that it often offers the first opportunity to identify and remedy control deficiencies. For example, continuous monitoring software can flag invalid transactions in real time and prevent them from being processed further.

The internal controls monitoring software notifies users of regular activity confirmations and flags any suspicious activity, exceptions, or errors with the help of alerts which aredelivered to users with varying frequencies mostly by email or through dashboards.

A report on the benefits of continuous monitoring published by FERF in 2011 described the monitoring practices in large organizations and presented a list of software tools available in the marketplace. Some continuous monitoring functionality can be embedded or built into an ERM system such as Oracle or SAP, while others are external software modules such as ACL, Approva, Caseware, Infogix, Oversight Systems, Infogix, and Trintech.

In its 2010 publication, Deloitte outlined real-world continuous monitoring solutions to issues encountered in regular business operations. The issues and solutions are summarized in the table below.

 While many tend to think that continuous monitoring can mostly be implemented in large organizations with vast resources, small and medium size organizations can benefit as well. A recent article in the Journal of Accountancy explains how QuickBooks and the Business Alerts wizard within Microsoft Dynamics GP can be used for continuous monitoring in smaller organizations. For example, in QuickBooks a user can set up predefined roles available in security settings in order to specify only those portions accounting system that are relevant to an employee’s job functions. Also, the Business Alerts wizard can be used to generate alerts when any changes take place within the system (e.g., a change in payroll rates, or a negative checking account balance). The article suggests using alerts to monitor adjusting entries of unusually high amounts or unusually high frequency. Also, to monitor cash disbursements it is helpful to use Benford analysis available in ACL and IDEA software to detect disbursements that are just below the authorized level. Monitoring credit and debit card payments can prove useful in uncovering unauthorized employee weekend purchases or transactions with unapproved vendors. The article further suggests using continuous monitoring techniques to analyze sales returns, and employee and payroll data.

Overall, the use of software with carefully designed alerts can prove to be an efficient and effective way for many organizations, large or small, to analyze large volumes of transactions to assess both internal controls and operations of the entire organization.

In order to help us improve our understanding of current monitoring practices and assess your opinions on internal controls monitoring, we urge you to participate in a short survey. It will take 10-15 minutes to complete.

To participate, please click (or paste into your browser) the following link:

Thank you in advance for your help with this important project.

Julia Kokina, CPA, MAcc, is a Ph.D. candidate in International Business, Accounting at the College of Business Administration at the University of Texas at El Paso.