I. Purpose of the Guidance
1. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) introduced the Internal Control — Integrated Framework (the COSO Framework) in 1992. Much has happened since the initial release. Most notably, some countries have implemented regulations requiring certain companies to publicly report on the effectiveness of internal control. COSO’s Guidance on Monitoring Internal Control Systems (COSO’s Monitoring Guidance) elaborates on the monitoring component of internal control discussed in the 1992 COSO Framework and in the subsequent Internal Control over Financial Reporting — Guidance for Smaller Public Companies issued in 2006 (COSO’s 2006 Guidance).
2. COSO initiated this project based on observations that many organizations were not fully utilizing the monitoring component of internal control. This fact became most clear as COSO witnessed the efforts of many companies to meet internal control certification and assertion requirements around the world.
3. COSO observed that some organizations had effective monitoring in certain areas, but were underutilizing the results of that monitoring to support their conclusions about the effectiveness of internal control, especially conclusions related to the effectiveness of internal control over financial reporting. Instead, they were adding redundant, often unnecessary procedures designed to evaluate controls for which management — through its existing monitoring efforts — already had sufficient support. Other organizations were not making the best use of ongoing monitoring [1] procedures or lacked necessary monitoring procedures altogether, which may have caused them to implement inefficient year-end evaluations to support their conclusions about the effectiveness of internal control.
4. The objectives of COSO’s Monitoring Guidance are twofold:
• To help organizations improve the effectiveness and efficiency of their internal control [2] systems. The COSO Framework emphasizes that organizations with effective internal control systems monitor the effectiveness of those systems over time [3] — just as a manufacturing organization monitors the continued effectiveness and efficiency of its manufacturing procedures. This guidance is designed to help organizations recognize and maximize the use of monitoring when it is effective and enhance monitoring in areas where improvement may be warranted.
• To provide practical guidance that illustrates how monitoring can be incorporated into an organization’s internal control processes. The “Applying the Concepts” sections in Volume II of the guidance provide easy reference points — demonstrating how organizations might apply the general concepts of monitoring. Volume III goes further by providing a variety of monitoring examples from organizations interviewed during the project.
5. This guidance does not:
• Change the COSO Framework or COSO’s 2006 Guidance,
• Dictate risks or controls that organizations must consider,
• Mandate the exact monitoring procedures that organizations must follow,
• Increase the monitoring effort for organizations in areas where monitoring is already effective, or
• Mandate a certain level or formality of monitoring documentation, including the use of certain terms. [4]
6. This guidance should help management, board members, internal and external auditors, regulators, and others recognize effective monitoring where it exists and take into account its results with respect to their duties. In areas where monitoring is ineffective, this guidance should help organizations identify and correct weaknesses and move toward achieving effectiveness in monitoring. In so doing, organizations can improve their internal control system’s ability to provide reasonable assurance about the achievement of organizational objectives. Effective monitoring may also result in organizational improvements by (1) minimizing internal control failures and their errors/defects that require correction, and (2) improving the quality and reliability of information used for decision making.
7. This guidance is designed to apply to all three objectives addressed in the COSO Framework: the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations. However, recognizing that its initial application may be related to evaluating internal control over financial reporting (ICFR), most of the examples concentrate on the financial reporting objective.
8. The Monitoring Guidance comprises three volumes. Volume I, the Guidance volume, is designed to demonstrate succinctly the core concepts embodied in COSO’s monitoring component. Volume II, the Application volume, is integral to Volume I and contains a more detailed description of the principles contained in Volume I. The Application volume should be read by those responsible for implementing the guidance and by those who are interested in gaining a greater understanding of the related concepts. Volume III, the Examples volume, contains examples from organizations whose monitoring efforts are consistent with the Monitoring Guidance.
II. Nature and Purpose of Monitoring
9. The COSO Framework states that monitoring ensures that “internal control continues to operate effectively.” [5] COSO’s 2006 Guidance enhances the understanding of monitoring by articulating the following two related principles:
See Vol. II, ¶¶ 1–2.
• Ongoing and/or separate evaluations enable management to determine whether the other components of internal control [6] continue to function over time.
• Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.
10. COSO’s Monitoring Guidance builds on those two fundamental principles.
11. The COSO Framework recognizes that risks change over time and that management needs to “determine whether the internal control system continues to be relevant and able to address new risks.” [7] Thus, monitoring should evaluate (1) whether management reconsiders the design of controls when risks change, and (2) whether controls that have been designed to reduce risks to an acceptable level continue to operate effectively. Accordingly, this guidance continues to emphasize COSO’s belief that monitoring should be based on an analysis of risks to organizational objectives and an understanding of how controls may or may not manage or mitigate those risks.
See Vol. II, ¶¶ 38–41.
12. An overview of the framework and how its components work together is shown in Figure 1, which is an enhancement of the process approach to internal control developed in COSO’s 2006 Guidance. The enhancements include the explicit recognition that monitoring relates to all three internal control objectives and not just to the financial reporting objective.
13. This graphic also demonstrates that monitoring evaluates the internal control system’s ability, in its entirety, to manage or mitigate meaningful risks to organizational objectives.
See Vol. II, ¶¶ 11–19.
14. Each of the five components of internal control set forth in the COSO Framework is important to achieving an organization’s objectives. However, the fact that each component must be present and functioning does not mean that each must function perfectly. Accordingly, monitoring does not seek to conclude on the effectiveness of individual internal control components operating in isolation.