Skip to main content

Monitoring Actions: Principle 16 | Makes Continuous and Separate Evaluations

To determine whether each of the five components of internal control, including controls over the principles within each of the internal control components, is present and operating. 

It uses continuous, discrete, or a combination of the two. Ongoing evaluations built into business processes at different levels of the organization provide timely information. Separate assessments, which are conducted periodically, vary in scope and frequency depending on the assessment of risks, the effectiveness of continuous evaluations, and other management evaluations. 

The findings are evaluated according to the criteria determined by the regulatory authorities, standard-setting institutions, or the organization’s management and board of directors, and deficiencies are reported to the management and the board of directors according to their suitability.

Principle 16: Conduct continuous and Separate Assessments

The organization selects, develops, and performs continuous assessments and discrete assessments to determine whether internal control components are present and operational.

Focus Points:

The following focal points highlight essential features of this principle.

Considers a Mix of Continuous and Discrete Assessments

Management makes a balanced use of continuous and discrete evaluations.

Monitoring can be done in two ways: through continuous, discrete, or a combination of the two. 

Ongoing evaluations: Defined routine activities that are typically built into business processes, implemented in real-time, and responsive to changing conditions. 

Separate evaluations are performed periodically by, among others, objective management personnel, internal auditors, and external parties. The extent and frequency of separate evaluations is a matter requiring management judgment.

Management selects, develops, and implements a mix of monitoring actions, often involving ongoing and discrete assessments, to determine whether all five components of internal control are present and operating.

Takes Rate of Change into Account

Management considers the rate of change in business and business processes when selecting and developing continuous and discrete assessments.

Management evaluates the expected rate of change in an organization or industry. An organization operating in a rapidly changing sector may need to conduct more frequent discrete assessments and consider implementing a combination of continuous and discrete reviews during periods of change. For example, banks subject to financial reforms by regulatory authorities select and develop monitoring actions that can anticipate future changes and reactions to the changing regulatory environment. Monitoring actions can be used to support external reporting.

Creates a Baseline Understanding

The design and current status of the internal control system provide a basis for continuous and separate evaluations.

Understanding the design and current status of an internal control system provides essential information that can be useful for making ongoing and discrete evaluations. When using monitoring actions, it is necessary to understand how management designed the internal control system and how the controls within each of the five components affect the policies. As management gains experience with monitoring actions, its understanding will vary depending on the outcome of such activities.

Employs Knowledgeable Staff

Assessors who conduct continuous and discrete evaluations have sufficient knowledge to understand what is being evaluated.

Continuous assessments, operated manually or automatically, monitor the existence and operation of internal control components in the ordinary course of business management. Competent activity or function managers usually conduct continuous evaluations with sufficient information to understand what is being evaluated and consider the possible consequences of the information they receive. 

Organizations often use technology for continuous evaluations. Combined with a robust review and analysis of results by knowledgeable and responsible personnel, such techniques can result in an efficient and effective program of ongoing evaluations.

Separate reviews are often conducted through the internal audit function. Although the presence of an internal audit function is not required in internal control, it can increase the scope, frequency, and objectivity of such reviews. Because individual evaluations should be conducted by independent directors, independent staff, and external reviewers to provide more objective feedback, evaluators need to know how the organization’s activities and monitoring actions work and understand what is being evaluated.

Integrated with Business Processes

Continuous evaluations are built into business processes and adapt to changing conditions.

For example, Control actions built into the purchasing process leverage software to automate reviewing all payment transactions. A software program built into the payment process instantly detects any unusual transactions (for example, possible duplicate payments) based on previously established parameters. 

The accounts payable supervisor investigates all detected disorders daily, determines and evaluates their root causes, and communicates any internal control deficiencies to those responsible for implementing corrective actions in the purchasing process.

Adjusts Scope and Frequency

Management adjusts the scope and frequency of individual assessments depending on the risks.

Separate evaluations of internal control components: They vary in scope and frequency depending on the severity of risks, risk responses, results from continuous assessments, and expected effects on control components in risk management. Higher-priority risks often must be assessed more thoroughly and frequently than lower-priority risks. 

High-priority risks can be assessed both continuously and separately. On the other hand, separate evaluations can provide feedback on the results obtained from continuous assessment, and the number of separate evaluations can be increased as necessary.

Evaluates impartially

Separate evaluations are conducted periodically to provide unbiased feedback.

There are a variety of approaches to implementing separate assessments. The scope, type, frequency, and formality of approaches vary depending on the relative importance of the risk responses and the relevant internal control components and principles being evaluated. Separate evaluations may include the following.

  • Internal Audit Evaluations: Internal auditors, whether in-house or as an outsourced service, are generally impartial and competent sources and perform separate evaluations as part of their regular duties or at the specific request of senior management and the board of directors.
  • Other Neutral Evaluations: In organizations that do not have an internal audit unit or have another quality unit that performs internal audit-like activities (such as a controls compliance group), other impartial internal and external reviewers such as management, compliance officers, operational experts, IT security experts or consultants may be used.
  • Cross-Operating Unit Assessments or Functional Assessments: An organization may use personnel from different operating units or functional areas to evaluate internal control components. For example, the quality audit personnel of activity unit A may periodically evaluate the internal controls of activity unit B.
  • Benchmarking/Peer Reviews: Some organizations compare or contrast their internal control components with the internal control components of other organizations. Such comparisons are made directly with another organization or under the auspices of trade or industry associations.
  • Self-Assessments: Separate evaluations can also be implemented as self-evaluations, in which the people responsible for a particular unit or function evaluate whether the internal control components related to their activities are present and operational. For example, In a company, the line manager responsible for the food product division manages the evaluation of internal control actions related to food safety regulations.

Bu gönderi şu adreste de mevcuttur: Türkçe