Components - Monitoring

Overview

Finally, since internal control is a dynamic process that has to be adapted continually to the risks and changes an entity faces, monitoring of the internal control system is essential in helping internal control remain aligned with changing objectives, environment, laws, resources, and risks. Internal control monitoring assesses the quality of performance over time and promptly resolves the findings of audits and other reviews. Corrective actions are a necessary complement to control activities in order to achieve objectives.

Principles

  1. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.

  2. Management should remediate identified internal control deficiencies on a timely basis.

Principle 16 - Perform Monitoring Activities

16.1 Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

  • Establishment of a Baseline

  • Internal Control System Monitoring

  • Evaluation of Results

Establishment of a Baseline

16.2 Management establishes a baseline to monitor the internal control system. The baseline is the current state of the internal control system compared against management’s design of the internal control system. The baseline represents the difference between the criteria of the design of the internal control system and condition of the internal control system at a specific point in time. In other words, the baseline consists of issues and deficiencies identified in an entity’s internal control system.

16.3 Once established, management can use the baseline as criteria in evaluating the internal control system and make changes to reduce the difference between the criteria and condition. Management reduces this difference in one of two ways. Management either changes the design of the internal control system to better address the objectives and risks of the entity or improves the operating effectiveness of the internal control system. As part of monitoring, management determines when to revise the baseline to reflect changes in the internal control system.

Internal Control System Monitoring

16.4 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring is built into the entity’s operations, performed continually, and responsive to change. Separate evaluations are used periodically and may provide feedback on the effectiveness of ongoing monitoring.

16.5 Management performs ongoing monitoring of the design and operating effectiveness of the internal control system as part of the normal course of operations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. Ongoing monitoring may include automated tools, which can increase objectivity and efficiency by electronically compiling evaluations of controls and transactions.

16.6 Management uses separate evaluations to monitor the design and operating effectiveness of the internal control system at a specific time or of a specific function or process. The scope and frequency of separate evaluations depend primarily on the assessment of risks, effectiveness of ongoing monitoring, and rate of change within the entity and its environment. Separate evaluations may take the form of self-assessments, which include cross operating unit or cross functional evaluations.

16.7 Separate evaluations also include audits and other evaluations that may involve the review of control design and direct testing of internal control. These audits and other evaluations may be mandated by law and are performed by internal auditors, external auditors, the inspectors general, and other external reviewers. Separate evaluations provide greater objectivity when performed by reviewers who do not have responsibility for the activities being evaluated.

16.8 Management retains responsibility for monitoring the effectiveness of internal control over the assigned processes performed by service organizations. Management uses ongoing monitoring, separate evaluations, or a combination of the two to obtain reasonable assurance of the operating effectiveness of the service organization’s internal controls over the assigned process. Monitoring activities related to service organizations may include the use of work performed by external parties, such as service auditors, and reviewed by management.

Evaluation of Results

16.9 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. Management uses this evaluation to determine the effectiveness of the internal control system. Differences between the results of monitoring activities and the previously established baseline may indicate internal control issues, including undocumented changes in the internal control system or potential internal control deficiencies.

16.10 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment. External parties can also help management identify issues in the internal control system. For example, complaints from the general public and regulator comments may indicate areas in the internal control system that need improvement. Management considers whether current controls address the identified issues and modifies controls if necessary.



Principle 17 - Evaluate Issues and Remediate Deficiencies

17.1 Management should remediate identified internal control deficiencies on a timely basis.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

  • Reporting of Issues

  • Evaluation of Issues

  • Corrective Actions

Reporting of Issues

17.2 Personnel report internal control issues through established reporting lines to the appropriate internal and external parties on a timely basis to enable the entity to promptly evaluate those issues.

17.3 Personnel may identify internal control issues while performing their assigned internal control responsibilities. Personnel communicate these issues internally to the person in the key role responsible for the internal control or associated process and, when appropriate, to at least one level of management above that individual. Depending on the nature of the issues, personnel may consider reporting certain issues to the oversight body. Such issues may include

  • issues that cut across the organizational structure or extend outside the entity to service organizations, contractors, or suppliers and
  • issues that may not be remediated because of the interests of management, such as sensitive information regarding fraud or other illegal acts.

17.4 Depending on the entity’s regulatory or compliance requirements, the entity may also be required to report issues externally to appropriate external parties, such as the legislators, regulators, and standard-setting bodies that establish laws, rules, regulations, and standards to which the entity is subject.

Evaluation of Issues

17.5 Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. Management evaluates issues identified through monitoring activities or reported by personnel to determine whether any of the issues rise to the level of an internal control deficiency. Internal control deficiencies require further evaluation and remediation by management. An internal control deficiency can be in the design, implementation, or operating effectiveness of the internal control and its related process. Management determines from the type of internal control deficiency the appropriate corrective actions to remediate the internal control deficiency on a timely basis. Management assigns responsibility and delegates authority to remediate the internal control deficiency.

Corrective Actions

17.6 Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. These corrective actions include resolution of audit findings. Depending on the nature of the deficiency, either the oversight body or management oversees the prompt remediation of deficiencies by communicating the corrective actions to the appropriate level of the organizational structure and delegating authority for completing corrective actions to appropriate personnel. The audit resolution process begins when audit or other review results are reported to management, and is completed only after action has been taken that (1) corrects identified deficiencies, (2) produces improvements, or (3) demonstrates that the findings and recommendations do not warrant management action. Management, with oversight from the oversight body, monitors the status of remediation efforts so that they are completed on a timely basis.



