Mike Garber, CGEIT, CIA, CITP, CPA
In the past few years, senior management’s interest in good internal controls has increased. Surveys in recent financial magazines show that many chief financial officers (CFOs) would like to have internal control monitoring programs in their enterprises, but do not know where to start to develop a program.[1, 2]
Many public and private agencies are requiring verification that internal controls are in place and operating effectively—at all times. In the US, the Sarbanes-Oxley Act of 2002 mandates effective controls for financial reporting. Many companies, particularly in Europe, require certifications that show compliance with various International Organization for Standardization (ISO) process standards. Credit card companies are requiring compliance with the Payment Card Industry Data Security Standard (PCI DSS). Internationally, privacy laws are gaining public attention. Companies need to ensure ongoing compliance in many business areas.
Compliance with laws and regulations is generally the responsibility of business management. Business management should lead the identification and implementation of good internal controls. Traditionally, internal audit organizations, IT compliance functions and public accountants have performed audits and reviews to measure compliance with company internal control processes, laws and standards.
However, audits and separate reviews determine internal control effectiveness only at a single point in time. Controls tend to degrade over time and between audits. With the current growing focus on internal controls, it is no wonder that both senior IT and finance management are now more interested in control monitoring.
Strong sponsorship and tone at the top are required for an effective monitoring program. Unlike audits and separate compliance reviews, monitoring requires ongoing testing and evaluation. Detailed sampling and testing for a monitoring program may need to be performed by IT staff or those in business operations, rather than by corporate audit and compliance organizations. Management of the areas in the scope of monitoring programs needs to understand the benefits of the monitoring program. Having the support of senior management will help facilitate cooperation of staff members who will need to perform the monitoring process.
An easy-to-understand project plan or project charter will facilitate communication with senior management and the business operations areas under consideration for monitoring and include the following steps.
Step 1—Prioritize Risks
One of the challenges IT professionals may face when being involved in a monitoring project is linking IT risks to business risk. This requires focusing on IT processes to determine how the business may be affected by internal and external IT risk factors.
This involves understanding:
Asking and answering questions such as the following can facilitate the IT professional’s understanding of the business process and the internal control environment:
Who performs the manual control activities?
Risks should be considered in the context of organizational/business objectives so they can be prioritized and appropriate resources can be allocated to manage them. A formal risk assessment can identify and evaluate the full range of risks against the stated business objectives and the enterprise’s unique business environment. It also can highlight functional areas that are most likely to impact enterprise objectives so that management can make informed choices about where to focus their monitoring efforts. No enterprise has unlimited resources. Information, people, applications and infrastructure allocated to reduce risk in one area inherently deplete resources that could be employed in other, potentially higher-risk areas.
Step 2—Identify Key Controls and Information
Start by identifying key controls in the process area under consideration for monitoring. In many organizations, processes have already been documented through past audits or compliance reviews. Using existing available documentation will help maintain focus on key controls—monitoring should focus only on key controls. Key controls are those that, if they fail, could materially affect the business objectives of the process or the organization. Past audits or reviews may help to identify controls that frequently fail or are more susceptible to business changes.
It is also important that the baseline of effective internal controls be identified and defined. The characteristics of the effective operation of the key controls identified need to be known to understand under what circumstances variation to the baseline would result in control failures. Past audit or review work can help to provide necessary information. By selecting key controls that address risks, management can efficiently focus its limited resources on high-value control activities.
Figure 1 describes considerations relating to the complexity and maturity of business and IT process control types.
Broad monitoring coverage for all key controls can be achieved by using a combination of direct and indirect information sources. Monitoring depth and frequency of specific key controls can be further determined by considering the following:
Once these factors are considered, the process of identifying the controls to be monitored and the information source for monitoring (direct or indirect) can begin. The following actions should be taken:
In short, the management team expects that its most important processes will be both well defined and tightly controlled. The rigor of managing and measuring a process can vary, however, and depends greatly on how the enterprise interprets the relative importance of one process in comparison to others.
Step 3—Implement Monitoring
Implementing a monitoring program begins with the development of a project plan. Six Sigma and other project management methodologies provide excellent templates for planning and communication. Figure 2 provides an example of a practical project charter template.
Once the project plan has been developed, the process of determining the frequency for monitoring, developing the monitoring procedures and setting thresholds for monitoring that utilize indirect information can begin. The following actions should be taken:
To be successful, accountable process owners need to be able to trust that the monitoring process itself produces reliable results. Consequently, their involvement is essential both during the development process and once the monitoring process is operational.
To ensure correct results and conclusions, the monitoring process must be repeatable and it must minimize the variations in how monitoring is performed. In cases in which a monitoring process is critical to an enterprise, it may be necessary to implement controls over the monitoring process itself to detect and manage variability in how the data are extracted, validated, analyzed and reported.[3]
Wherever possible, monitoring programs should leverage automation. Automation of testing can reduce the effort needed to perform internal control monitoring and reduce resistance to implementation of a monitoring program. Automated monitoring is less likely than manual monitoring to produce variations in the monitoring processes. As stated previously, effective IT general controls must be in place for development and subsequent operation of automated monitoring solutions. These include controls over software development, software maintenance, and system and user testing. Such controls are covered in detail in various ISACA publications, such as COBIT® 4.1, Enterprise Value: Governance of IT Investments, The Val IT™ Framework 2.0 and the IT Assurance Guide: Using COBIT®.
After monitoring program design and implementation are complete and the system is operational, processes need to be in place to monitor and assess the results. Although testing would have been performed to validate functionality during development, ongoing activities that need to be considered include:
Once the monitoring process flags a potential control failure, identifying the root cause will aid in defining appropriate corrective actions. The goals of root-cause analysis are to identify and correct the primary reason for the failure of the controls. More information may need to be gathered, such as when, where and how the failure occurred. Did it occur because of a recurring condition that could be resolved by process improvements, or was it due to a less common or special circumstance that would have been difficult to predict or anticipate? Further testing or sampling may be required to determine whether the failure is repeated.
It is important to identify the appropriate levels of enterprise management that must be informed about the condition or event, the type of corrective action that is or will be taken, and the expected time frame for mitigation (assuming it is not postrecovery). Management should receive information that is clear and concise (preferably stated in nontechnical business terms) to enable efficient and effective understanding of the impact to the enterprise and clients.
As a minimum for reporting, the results of monitoring should include the items listed in figure 3.
Any warranted and cost-justifiable changes should be noted, and any changes resulting from corrective actions taken should be mapped back to any processes affected. Documentation should be updated and appropriate personnel notified. Also, the monitoring process should be regularly reviewed to help ensure that the monitoring process and the controls it monitors continue to operate effectively.
Senior management is interested in saving time, money and other resources in business processes. Finance and IT management want to know that internal controls under their responsibility are operating effectively at all times. Internal audit and IT governance personnel can meet the needs of their management through the development of efficient and cost-effective internal controls monitoring programs.
To develop a good internal controls monitoring program, the following are needed:
The new ISACA publication Monitoring Internal Control Systems and IT is available in the ISACA Bookstore and posted for complimentary download on the ISACA web site, www.isaca.org.
1 CFO Magazine, 10 December 2009
2 CFO Magazine, 12 January 2010
3 An analytically based process is available to help ensure the accuracy of monitoring. Measurement Systems Analysis (MSA) is a Six Sigma-based process for analyzing the monitoring processes for potential variation and defects. For further information on how to create and use an MSA process, refer to a Six Sigma Black Belt resource or to web sites such as iSixSigma.com.
Mike Garber, CGEIT, CIA, CITP, CPA, has many years’ experience as both director for IT governance and IT audit director for Motorola Inc. (USA), a Fortune 500 company. Since his retirement, Garber has become an independent consultant, focusing on audit practice optimization and risk assessments. Most recently, he was a member of the ISACA core team that wrote Monitoring Internal Control Systems and IT.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2010 ISACA. All rights reserved.