Monitoring vs. Auditing Internal Controls

Internal Controls

The auditing of internal controls that provide assurance on the reliability of financial reporting, the efficiency and effectiveness of operations, and compliance with laws and regulations should not be viewed as a part of the internal controls infrastructure itself, which comprises the control environment, risk assessment, information and communication, control activities, and monitoring (COSO, SOC, ISO 27001).

Process owners should guard against the temptation to wait for, and rely solely on, the results of external audits to trigger consideration of the design and operating effectiveness of the internal controls in their process.

External Audit of Internal Controls

External audits can be SOC 1 or SOC 2 engagements, or they can be projects performed by the company's Internal Audit function. These engagements are typically retrospective in their assessment and sometimes cover periods of substantial duration, for example the past twelve months. Therefore, these engagements may be late in bringing to light items of significant consequence to the organization (SOC for Service Organizations).

Process Owner Responsibility

Process owners should instead focus attention on the monitoring mechanisms in their process that are designed to assure that process objectives are met and that risks are addressed consistently with the organization's risk appetite. That is, process owners should focus more on mechanisms that can detect and correct exposures instead of relying too heavily on external audits, which are meant to assess and opine, providing reasonable assurance to third parties on the design, description, and operating effectiveness of process controls.

The good news for process owners, ironically, is that external auditors can be a great resource to tap when considering internal controls design. For example, external auditors can provide valuable insight during an organization's pursuit of an ISO 27001 information security management system development and implementation initiative (ISO 27001).

External Auditors

Although external auditors perform engagements to assess internal controls and must not perform the management function of monitoring those controls, the knowledge of internal controls they have accumulated nevertheless makes them a valuable resource to tap for recommendations on the design of internal control mechanisms.

Contact CompVisory with questions as we are always available to our current clients and to prospects considering engaging with us for our services.

Written by Dean Brown

Dean Brown is a seasoned business professional with 20 years of audit experience. Dean specializes in System and Organization Controls (SOC) audits, which he has been conducting as the principal auditor since 2014. Dean has also conducted numerous controls, IT, operations, compliance and forensic audits over the course of his career. His experience includes financial, IT, SOC (SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity), operations and compliance audits, examinations, reviews and consulting engagements. Dean is a subject matter expert in SSAE 18/SOC 1 and SOC 2 audits, ISO 27001, enterprise risk management, internal controls, information security management systems, and IT governance models. Dean began his career as an auditor at a Big 4 public accounting firm, where he audited multiple Fortune 500 companies. Later, in his role as a lead auditor at a Fortune 500 company, he managed teams in the United States and Canada and was instrumental in the management and successful completion of a company-wide project that transitioned the company to a new operating business model. Dean is responsible for crafting, communicating, and reinforcing CompVisory's vision and mission, and for empowering the CompVisory team with the guidance and resources necessary to achieve them.