Monitoring is one of five elements that make up an internal control over financial reporting, according to the COSO framework.* As such it is important in determining the effectiveness of internal controls for purposes of Sarbanes-Oxley compliance. In particular section 404.

To comply with Section 404, publicly traded companies in their financial reports, have to sign off not only that they have internal controls, but that they are also effective.

The four other elements for internal controls are the control environment, risk assessment, control activities and information & communication.

Monitoring assesses the quality of internal processes over time.

Note monitoring does not actually control anything in the business sense, except for the design and assessment other internal controls. Where necessarry it involves taking corrective action.

Monitoring of internal controls covers a lot of ground. Examples include;-

 *Regular management and supervisory activities. These should be carried out in the normal course of business.
 *Recommendations from auditors for strengthening internal controls.
 *Sign off procedures for people using the various controls. This can be used by management to monitor the performance of the control.
 *External parties may also monitor the controls. For instance customers confirm the effectiveness, everytime they receive a good or service. Conversely, complaints about deliveries going astray, indicate a weakness.
 *Auditors make recommendations on the ways internal controls can be strengthened. Weaknesses are also noted and corrective action may be prescribed.

Auditors in particular have a duty regarding internal controls. Under section 404 they have to attest to the effectiveness of the company they are auditing.

There is however an important constraint on auditing firms regarding giving advice to firms. The same firm can not act as a consultant on improving internal controls and as an auditor. In the case of Enron, Anderson was acting in both capacities and therefore, relevant section was bought in.

Reporting deficiencies is an essential requirement of the monitoring process, it it is to work efficiently.

A "deficiency" is given a wide definition in COSO. A deficiency means any "condition worthy of attention".

The deficiency should be reported to the person responsible for the control. The person above the responsible person should also be informed.

In some instances there will be resistance to being informed of deficiences, denial or a refusal to take corrective action. In these instances, a different approach might be needed, that goes outside of the normal control environment. This is known as whistleblowing.

Whistleblowing, can be frowned upon and its practitioners, ostracised or harassed. Sarbanes-Oxley consequently increased the protection for whistleblowers in public companies.

* COSO = Committee Of Sponsoring Organisations of the Treadway Commission.

Related Articles
CenterBeam Certified On SAS 70 Type II
CFOs Call For Leeway on SOX
ITIL - process control
ITIL - change record
ITIL - Change Management
ITIL - change control