By Jeffrey T. Willoughby, CPA, CFF, CFE
Locking the door to your home is one way to protect what’s inside from being taken or damaged, but what if you decided to only lock your door on Mondays? What if those with bad intent discovered you only lock your door on Mondays?
That may sound silly, but some treat internal controls like a Monday door-lock. Internal controls are an essential part of protecting assets, but they can only serve their protective purpose when they are effective and monitored to ensure they are doing what they are designed to do. One of the most important aspects of the control environment is monitoring. Continual monitoring allows you to see what is working and what is not, it allows you to provide a timely response, and a better control environment provides for more confident financial reporting.
Which Controls Are Working?
Some controls designed to protect assets include segregation of duties to combat internal fraud, misappropriation, or error. When monitoring internal controls, you will better be able to tell if the segregated duties are providing the protection intended. If one of the objectives is to prevent employees from pocketing cash, but that control is only monitored on Mondays (same day that you lock your door), cash could be disappearing the other days of the week.
If two controls are in place and neither are monitored, there is no way to determine if either one is performing effectively. In the locked door example, assume a door and a window are supposed to be locked nightly. If both are continually monitored, it would be easy to determine if one or both are actually locked. However, if only monitored on Mondays, there is no way to tell if one or both are secure the other days of the week. Continuous monitoring allows for correction and additional attention on controls that are not working.
Continual monitoring of controls also provides the ability to prepare timely responses. According to a report prepared by IBM, the average time to identify and contain a data breach is 280 days and the median cost of a data breach is $3.86 million.1 The same report indicates that the average savings when containing a breach to less than 200 days is more than $1 million. Why? Timely response.
Clearly, a timely response to a breach or compromise of information reduces the length of the event and the overall associated cost. This might even suggest that the strength of the controls may be less important than the time taken to discover and respond. Continual monitoring of internal controls would allow a company to take corrective action more quickly, thus reducing loss exposure.
One of the goals of an effective internal control environment is to provide greater assurance on the reliability of financial information. Through continual monitoring, it is easier to identify weaknesses and therefore lessen the time for corrective action, thereby reducing the costs associated with a compromise. All of these things lead to a better control environment, which results in more confident and accurate financial reporting.
According to the PCAOB, internal control over financial reporting is “a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements.”2 Continual monitoring of internal controls will provide greater confidence in financial recordkeeping and result in more accurate and meaningful financial statements.
Greater confidence also enables organizations to make better decisions about resources, planning for the future, and any other decision where management needs to have conviction in the accuracy of its financial information.
In a COVID-19 World
All of the issues identified above have been magnified as result of COVID-19. Remote working and more electronic communication and monitoring during the COVID-19 pandemic has made control environments more susceptible to weaknesses. Continual monitoring is even more important as controls that were effective previously cannot be assumed to still be effective. Also, response times may be longer as people are more decentralized and lines of communication may be a little slower than previously. This calls for even more effort at adjusting controls found to be weak or ineffective. COVID-19 has changed many things about the environment we live and work in, including our internal controls environment. By continually monitoring and adjusting the controls in place, we can hopefully preserve and protect our assets and provide clear and accurate financial reporting.
Internal controls are an important part of a business protecting its resources, but to be effective those controls must be continually monitored. This will allow organizations to identify weaknesses, determine which efforts are working and which are not, provide timely responses, and improve financial reporting. In today’s COVID-19 environment, additional strain is being put on resources of all businesses and the continual monitoring of internal controls is an even more important area to ensure those resources are being adequately protected. So, make sure you are monitoring controls every day of the week … not just Mondays.
1 IBM, Cost of a Data Breach Report, 2020.
2 PCAOB, AS No. 5, para. 87.
Jeffrey T. Willoughby, CPA, CFF, CFE, is a director with Forensic Resolutions Inc., located in Philadelphia and Westmont, N.J. He can be reached at email@example.com.
Sign up for weekly professional and technical updates from PICPA's blogs, podcasts, and discussion board topics by completing this form.