Management books say “What gets measured, gets done.” Likewise, controls that are not monitored tend to get compromised. After all, how important can a control be if no one ever checks to make sure it is being followed? If you regularly drive a road with a 45 MPH speed limit but never encounter a police officer monitoring that limit, how fast do you drive when you are in a hurry?
I try not to get overly technical in these articles – my primary goal is that you actually read them, but the five elements of internal controls are:
- The Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
Future articles will examine each of these elements in a bit more detail, but this month I want to start with Monitoring.
Being 5th on the list tends to give the impression Monitoring is the least important, not true. Without monitoring, the otherwise best-designed control system is likely to fail.
The theory of Monitoring is simple. It is checking to see if control activities which are believed to be in place, are actually being performed. It can be part of an internal audit plan but it need not be that formal. Monitoring is periodic – remember we are always concerned with efficiency. Effective and efficient Monitoring is:
- Periodic, not constant
- Somewhat “random.” Staying with the police officer analogy; if an officer monitors that road only on Mondays… Likewise, if you review just the first payroll of each quarter, that pattern will be noticed.
- Public – those affected need to know their activities are being reviewed
- Results of Monitoring must be communicated timely to all those affected, including timely corrective action of any deficiencies. If the review reveals no deficiencies, that should be celebrated as well. Monitoring is not about punishment.
Let’s assume you’re not large enough to have an internal audit function, not surprising. Let’s also assume you are not trained in forensic techniques, no problem.
I suggest you take a particular transaction or function and do a “walk-through” of that transaction with the person(s) responsible for that function. There aren’t that many; purchasing, payables, billing and collection, payroll, among others. If reviewing payroll, ask the payroll clerk how he/she performs the function.
- What is the source of the hours by employee?
- Does anyone review the input?
- Is that review documented?
- Is overtime monitored, approved, documented?
- How is the information communicated to the payroll service?
- Who is authorized to make and communicate changes to base/hourly payroll?
- What are the procedures for post payroll review?
- Does he/she know to come to you with anything that looks suspicious or unusual?
- Does he /she believe the procedures are sufficient/efficient/consistently followed? How could they be improved? Is there a bottleneck?
That last point is often neglected. Who better to know whether the control activities make sense but the person performing the task? It sounds like a lot but I don’t think this baseline review would take more than 30 minutes. Then, periodically throughout the year, ask to receive the payroll inputs and reports for review to make sure the system is still working as designed.
Lastly, if you need assistance, contact us. Your professionals at HW&Co would be happy to review one or more of your internal control systems (go back and read the Fraud Lurks article on Risk Assessment). We can provide you with best practices suggestions or perhaps provide comfort that your control procedures are appropriately designed and operating.