COSO – Information and Communication & Monitoring Activities
The management of an entity needs to evaluate the internal control of the firm to determine whether the components are not only present but also functioning.
In this publication, we will be looking at the final two of the five COSO components and the related principles.
Information and Communication: Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information and provides information to external parties in response to requirements and expectations.
Monitoring Activities: Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, standard-setting bodies, or management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate.
The Information and Communication component and the Monitoring Activities component are the last two components of the Framework. The Information and Communication component has three (3) principles, while the Monitoring Activities component has two (2).
- The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
- The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
- The organization communicates with external parties regarding matters affecting the functioning of internal control.
- The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
- The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
The principles relating to Information and Communication include:
Principle 13 - The organization obtains or generates and uses relevant, quality information to support the functioning of internal control:
The importance of information to the management of an organization cannot be over-emphasized. Relevant information can be sourced both internally and externally and there could be new requirements by regulatory bodies on financial reporting or information to support the functioning of internal control. The management therefore has to make conscious efforts to obtain information on their internal control responsibilities.
The approaches that can be taken to achieve the objective of this principle include Creating an Inventory of Information Requirements, Obtaining Information from External Sources, Obtaining Information from Non-Finance Management, Creating and Maintaining Information Repositories, Using an Application to Process Data into Information, Enhancing Information Quality through a Data Governance Program and Identifying, Securing, and Retaining Financial Data and Information.
Principle 14 - The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control:
It is not sufficient to obtain the required information on management’s objectives and responsibilities on internal control; such information must be properly communicated and cascaded to the appropriate persons. It has to be carried out in the right manner and at the appropriate time. Also, the use of separate reporting lines would be required for a Whistle Blowing program to function optimally.
The Framework recommends the following approaches to achieve this: Communicating Information Regarding External Financial Reporting Objectives and Internal Control, Communicating Internal Control Responsibilities, Developing Guidelines for Communication to the Board of Directors, Reviewing Financial and Internal Control Information with the Board of Directors, Communicating a Whistle-Blower Program to Company Personnel, Communicating through Alternative Reporting Channels and Establishing Cross-Functional and Multidirectional Internal Control Communication Processes and Forums.
Principle 15 - The organization communicates with external parties regarding matters affecting the functioning of internal control:
This principle deals with a plethora of issues. It states that the entity’s external parties have to be involved, as matters of internal control over financial reporting have to be communicated to interested parties or those expected to possess them. It also encourages the management of the entity to obtain information on its internal control through external sources including carrying out surveys.
Communicating Information to Relevant External Parties, Obtaining Information from Outside Sources, Surveying External Parties, Communicating the Whistle-Blower Program to Outside Parties and Reviewing External Audit Communications are the methodologies recommended by the Framework.
The principles relating to Monitoring Activities are:
Principle 16 - The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning:
The management of an entity needs to evaluate the internal control of the firm to determine whether the components are not only present but also functioning. It can achieve this end by taking the following approaches: Periodically Reviewing the Mix of Monitoring Activities, Establishing a Baseline, Identifying and Using Metrics, Designing and Implementing a Dashboard, Using Technology to Support Monitoring Activities, Conducting Separate Evaluations, Using Internal Audit to Conduct Separate Evaluations and Understanding Controls at an Outsourced Service Provider.
Principle 17 - The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate:
Once the evaluation of the entity’s internal control has been carried out and it has been determined that some components are either present but not functioning or not present at all, feedback has to be relayed to those concerned. The deficiencies identified should be addressed by taking corrective actions in due time. This objective can be attained by Assessing and Reporting Deficiencies, Monitoring Corrective Action and Developing Guidelines for Reporting Deficiencies.