If the most serious internal control violation is a failure to implement internal controls in the first place, the failure to monitor existing internal controls is a close contender. Identify where in the organization effective monitoring occurs and leverage those successes. Conversely, identify instances where monitoring is non-existent or ineffective and implement process improvements. The Internal Control – Integrated Framework, which is the internal control framework of choice, developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), includes monitoring of internal controls as one of the five essential and integrated components of effective internal controls.
Rochester Drug Cooperative (Rochester) is a recent case study on the breakdown of effective monitoring. For Rochester, the breakdown led to arrests of senior management officials.
As an approved drug distributor, Rochester has a legal obligation to maintain effective internal controls over sales to dispensers, to prevent the diversion of controlled drugs to illegitimate uses. For instance, routine monitoring procedures should identify orders that are of an unusual size or frequency or deviate from a normal pattern, because these could be red flags for illegitimate uses. The Internal Control – Integrated Framework describes these routine monitoring procedures as ongoing evaluations.
Rochester implemented controls to address the above, but they were not operating effectively, and the monitoring process failed. Rochester reportedly ignored red flags that some of its customers were dispensing drugs improperly. The compliance function, which is part of the second line of defense against risk, appeared to have been working as designed. However, it was thwarted by operational managers or process owners (the first line of defense) who failed to take appropriate corrective action when notified that there were process deficiencies.
Senior management was complicit, and an additional monitoring process, the reporting and communication to the board, also appeared to have failed. Consequently, the unwillingness of the first line of defense to take appropriate corrective action was allowed to go unchecked. (Read more about the Institute of Internal Audit’s (IIA’s) Lines of Defense model in Finance and Accounting PolicyPro, Volume II, GV 1.08 – Relationship with Internal Auditors and about Rochester on the IIA’s website at Willful Subversion of Second Line of Defense Can Land You in Jail).
There are numerous strategies which organizations can use to monitor internal controls effectively, including the following:
- Testing by internal audit, which is an example of what the Internal Control – Integrated Framework defines as periodic or separate evaluations;
- Analysing and following up on exception reports. Anomalies or exceptions may be indicators of internal control failures; and
- Reconciling, reviewing and other supervisory activities, as part of normal ongoing operating procedures.
It is not enough to implement internal controls. They have to work. To determine if your internal controls work, you have to monitor them. When you receive the results from your monitoring processes, you have to do something about them. You have to review, investigate, and if necessary, take corrective action so that internal controls can operate effectively. Boards should ensure that senior management teams implement effective monitoring and report to the board about the same.
Read more about strategies to help you monitor internal controls effectively, in Finance and Accounting PolicyPro (GV 6.04 – Internal Control Monitoring).
Policies and procedures are essential to monitoring internal controls, but the work required to create and maintain them can seem daunting. Finance and Accounting PolicyPro, co-marketed by First Reference and Chartered Professional Accountants Canada (CPA Canada) contain sample policies, procedures and other documents, plus authoritative commentary in the area of finance and accounting, to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request a free 30–day trial of Finance and Accounting PolicyPro here.
Apolone Gentles, JD, CPA,CGA, FCCA, Bsc (Hons)
Latest posts by Apolone Gentles, JD, CPA,CGA, FCCA, Bsc (Hons) (see all)
- Job rotations and vacations as internal controls - October 7, 2020
- New guidance on zero trust architecture from NIST - September 2, 2020
- Protecting domain names - August 5, 2020
