Welcome to our final blog of our COSO 2013 series. Over the course of the series, we have discussed how to develop a control environment, execute risk assessments, design control activities, and how to use information to make decisions regarding your control environment and communicate your control objectives. In this blog, we will cover how to monitor your control program.
Overview of Monitoring Activities
The monitoring activities component of internal control, is critical to ensuring the success of your control program. Monitoring activities oversee the execution and performance of each component.
The monitoring activities component of internal control includes two principles:
- “The organization selects, develops, and performs ongoing/and or separate evaluations to ascertain whether the components of internal control are present and functioning.
- The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action including senior management, and the board of directors, as appropriate.”
Implementing monitoring activities is crucial to ensuring a successful control program. This includes both the mix of ongoing, and separate evaluations. Companies should determine triggers that identify whether separate evaluations need to be performed based upon changes in the business, or control environment.
Additionally, companies need to ensure they have an effective method for not only communicating, but executing control remediation activities. Deficiencies in your program, should be communicated to all of the appropriate stakeholders, including the control owner, control performer, senior management, and the board of directors. One of the most important pieces of deficiencies, is making sure the appropriate action is taken in order to remediate the deficiency to prevent against future issues.
Technology should be leveraged in order to enhance your monitoring activities. Where possible, continuous monitoring controls should be implemented, particularly for high risk controls. Additionally, technology should be utilized to help communicate control deficiencies to the appropriate individuals, and not monitor and implement corrective actions.
COSO 2013’s Major Impacts on Monitoring Activities:
Much like the other components of internal control, the main difference between the new framework and the old is an increase reliance on technology to perform monitoring activities, and to ensure that deficiencies are not only communicated, but properly remediated. This and/or the increased focus on the following may impact your organizations’ monitoring activities:
- Performing ongoing monitoring activities
- Executing separate evaluations
- Utilizing technology to perform continuous monitoring activities
- Communicating control deficiencies
- Taking corrective action to remediate control deficiencies
How can ServiceNow help with Monitoring Activities?
Although monitoring activities are only one component of internal control, this is the component that seems to get the most attention in many organizations, especially those that are highly regulated. After all, it’s the monitoring activities that prove compliance. ServiceNow can assist with monitoring activities to ensure that ongoing and separate evaluations are executed consistently, centralized, and communicated effectively.
Choose technology that supports control design.
Governance, Risk, and Compliance
As we have discussed with each of the previous COSO components, the GRC application on ServiceNow is a powerful tool that can help centralize and automate GRC processes. The monitoring activities component of internal control benefits the most from GRC’s out-of-box functionality. Using ServiceNow GRC, risk managers can clearly define test steps, expected results, and a testing schedule for each of the controls in their environment. This helps to ensure that ongoing evaluations are continuously executed. When control tests do not meet the expected results, a remediation task is automatically created and assigned to a group to ensure timely follow-up to correct the control failure.
ServiceNow GRC also includes a mechanism for internal audit to conduct separate evaluations. With the tool, auditors can quickly gather control test data that was created throughout the audit period, analyze that information, and opine on the design and operating effectiveness of controls. Auditors can also issue observations, and assign those observations to the appropriate groups or individuals for completion.
All of these activities, control tests, and remediation tasks are tracked in a single location using the same platform that the business is already using for service management. Therefore, expectations are clear and can be tracked and measured effectively!
Reporting & Dashboards
ServiceNow’s reporting and dashboard capabilities allow risk managers to effectively and efficiently communicate important risk metrics to relevant parties. Custom dashboards can be tailored for specific audiences. For example, an executive dashboard can show summary reports of control failures, open remediation, and the related risks across the entity. Conversely, management level dashboards can show specific details for each control failure, remediation, and observation that applies to a given department.
That sums up our COSO 2013 series. We hope that you’ve enjoyed reading, and that you feel more informed about the changes that have come with the COSO 2013 update. If you have any questions for our GRC experts, comment below or email us at .
About the authors
“Life is too short to have only one OS” - nathan dupirack
