It's one thing to build solid internal controls, but quiteanother to have a system in place to monitor those controls on aregular basis. While many companies do the former, not enough aregood at the latter. That's the core take-away behind the latestrelease from COSO, the Committee of Sponsoring Organizations of theTreadway Commission. The recently released exposure draft,Guidance on Monitoring Internal Control Systems, wasdeveloped in cooperation with a team of partners at Grant ThorntonLLP.

“Companies need more insight into how to become much moreefficient and cost effective in maintaining internal controls,”says COSO chairman Larry Rittenberg, adding that the draft wasdeveloped after COSO members observed that some public companiesmonitor their internal controls over financial reporting just oncea year, in order to comply with Section 404 of the Sarbanes-OxleyAct. “Companies should monitor their controls every day throughordinary operations, to make sure those controls [are] operatingeffectively,” Rittenberg explains. The proposed guidance providespractical guidance and concrete examples of using the monitoringcomponent of the COSO internal control framework to developeffective and efficient internal controls. “Once you establish goodinternal controls you ought to think of how to maintain them,”Rittenberg adds.

As the report states, central to effective monitoring is asystem of procedures that evaluates key controls over specificrisks to the organization. The proposed guidance illustrateseffective monitoring with examples taken from realcompanies–including an international insurer, a beverage maker anddistributor and a small software company. The report contains amonitoring model that walks users through the process ofprioritizing risks, identifying controls, identifying informationand implementing monitoring practices. Among the examples ofeffective monitoring practices is a beverage manufacturer anddistributor that has built monitoring procedures for the owners ofcertain controls, who perform self-assessments on a monthly,quarterly and annual basis and then report the results in a tool onthe company's network. Supervisory reviews are then carried out bymanagers of the control owners.