Committee of Sponsoring Organizations (COSO)
Internal Control Integrated Framework

Monitoring Activities


Summary

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, standard-setting bodies, or management and board of directors, and deficiencies are communicated to management and the board of directors as appropriate.

Monitoring activities assess whether each of the five components of internal control is present and functioning. The organization uses ongoing, separate evaluations, or some combination of the two, to ascertain whether the components of internal control (including controls to effect principles across the entity and its subunits) are present and functioning. Monitoring is a key input into the organization’s assessment of the effectiveness of internal control. It provides valuable support for assertions, if required, regarding the effectiveness of the system of internal control.

An entity’s system of internal control will often change. The entity’s objectives and the components of internal control may also change over time. Also, procedures may become less effective or obsolete, may no longer be in place and functioning, or may be deemed insufficient to support the achievement of the new or updated objectives. Monitoring activities are selected, developed, and performed to ascertain whether each component continues to be present and functioning or if change is needed. When a component or a principle drawn from the five components is not present and functioning, some form of internal control deficiency exists. Management also needs to determine whether the system of internal control continues to be relevant and is able to address new risks.

Where appropriate, monitoring activities identify and examine expectation gaps relating to anomalies and abnormalities, which may indicate one or more deficiencies in an entity’s system of internal control. In reviewing and investigating expectation gaps management often identifies root causes of such gaps.

When distinguishing between a monitoring activity and a control activity, organizations need to consider underlying details of the activity in determining whether an activity is a control activity versus a monitoring activity, especially where the activity involves some level of supervisory review. Supervisory reviews are not automatically classified as monitoring activities and it may be a matter of judgment whether a review is classified as a control activity or a monitoring activity. For example, the intent of a monthly completeness control activity would be to detect and correct errors, where a monitoring activity would ask why there were errors in the first place and assign management the responsibility of fixing the process to prevent future errors. In simple terms, a control activity responds to a specific risk, whereas a monitoring activity assesses whether controls within each of the five components of internal control are operating as intended, among other things.



Principles relating to the Monitoring Activities component

  1. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

  2. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.


Conducts Ongoing and/or Separate Evaluations

Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Considers a Mix of Ongoing and Separate Evaluations—Management includes a balance of ongoing and separate evaluations.
  • Considers Rate of Change—Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations.
  • Establishes Baseline Understanding—The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations.
  • Uses Knowledgeable Personnel—Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.
  • Integrates with Business Processes—Ongoing evaluations are built into the business processes and adjust to changing conditions.
  • Adjusts Scope and Frequency—Management varies the scope and frequency of separate evaluations depending on risk.
  • Objectively Evaluates—Separate evaluations are performed periodically to provide objective feedback.


Evaluates and Communicates Deficiencies

Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Assesses Results—Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations.
  • Communicates Deficiencies—Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate.
  • Monitors Corrective Actions—Management tracks whether deficiencies are remediated on a timely basis.



U.S. Government Accountability Office (GAO)
Standards for Internal Control in the Federal Government

Monitoring Activities

Overview

Finally, since internal control is a dynamic process that has to be adapted continually to the risks and changes an entity faces, monitoring of the internal control system is essential in helping internal control remain aligned with changing objectives, environment, laws, resources, and risks. Internal control monitoring assesses the quality of performance over time and promptly resolves the findings of audits and other reviews. Corrective actions are a necessary complement to control activities in order to achieve objectives.

Principles

  1. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.

  2. Management should remediate identified internal control deficiencies on a timely basis.


Principle 16 - Perform Monitoring Activities

16.01 Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

  • Establishment of a Baseline

  • Internal Control System Monitoring

  • Evaluation of Results

Establishment of a Baseline

16.02 Management establishes a baseline to monitor the internal control system. The baseline is the current state of the internal control system compared against management’s design of the internal control system. The baseline represents the difference between the criteria of the design of the internal control system and condition of the internal control system at a specific point in time. In other words, the baseline consists of issues and deficiencies identified in an entity’s internal control system.

16.03 Once established, management can use the baseline as criteria in evaluating the internal control system and make changes to reduce the difference between the criteria and condition. Management reduces this difference in one of two ways. Management either changes the design of the internal control system to better address the objectives and risks of the entity or improves the operating effectiveness of the internal control system. As part of monitoring, management determines when to revise the baseline to reflect changes in the internal control system.

Internal Control System Monitoring

16.04 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring is built into the entity’s operations, performed continually, and responsive to change. Separate evaluations are used periodically and may provide feedback on the effectiveness of ongoing monitoring.

16.05 Management performs ongoing monitoring of the design and operating effectiveness of the internal control system as part of the normal course of operations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. Ongoing monitoring may include automated tools, which can increase objectivity and efficiency by electronically compiling evaluations of controls and transactions.

16.06 Management uses separate evaluations to monitor the design and operating effectiveness of the internal control system at a specific time or of a specific function or process. The scope and frequency of separate evaluations depend primarily on the assessment of risks, effectiveness of ongoing monitoring, and rate of change within the entity and its environment. Separate evaluations may take the form of self- assessments, which include cross operating unit or cross functional evaluations.

16.07 Separate evaluations also include audits and other evaluations that may involve the review of control design and direct testing of internal control. These audits and other evaluations may be mandated by law and are performed by internal auditors, external auditors, the inspectors general, and other external reviewers. Separate evaluations provide greater objectivity when performed by reviewers who do not have responsibility for the activities being evaluated.

16.08 Management retains responsibility for monitoring the effectiveness of internal control over the assigned processes performed by service organizations. Management uses ongoing monitoring, separate evaluations, or a combination of the two to obtain reasonable assurance of the operating effectiveness of the service organization’s internal controls over the assigned process. Monitoring activities related to service organizations may include the use of work performed by external parties, such as service auditors, and reviewed by management.

Evaluation of Results

16.09 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. Management uses this evaluation to determine the effectiveness of the internal control system. Differences between the results of monitoring activities and the previously established baseline may indicate internal control issues, including undocumented changes in the internal control system or potential internal control deficiencies.

16.10 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment. External parties can also help management identify issues in the internal control system. For example, complaints from the general public and regulator comments may indicate areas in the internal control system that need improvement. Management considers whether current controls address the identified issues and modifies controls if necessary.



Principle 17 - Evaluate Issues and Remediate Deficiencies

17.01 Management should remediate identified internal control deficiencies on a timely basis.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

  • Reporting of Issues

  • Evaluation of Issues

  • Corrective Actions

Reporting of Issues

17.02 Personnel report internal control issues through established reporting lines to the appropriate internal and external parties on a timely basis to enable the entity to promptly evaluate those issues.

17.03 Personnel may identify internal control issues while performing their assigned internal control responsibilities. Personnel communicate these issues internally to the person in the key role responsible for the internal control or associated process and, when appropriate, to at least one level of management above that individual. Depending on the nature of the issues, personnel may consider reporting certain issues to the oversight body. Such issues may include

  • issues that cut across the organizational structure or extend outside the entity to service organizations, contractors, or suppliers and
  • issues that may not be remediated because of the interests of management, such as sensitive information regarding fraud or other illegal acts.

17.04 Depending on the entity’s regulatory or compliance requirements, the entity may also be required to report issues externally to appropriate external parties, such as the legislators, regulators, and standard-setting bodies that establish laws, rules, regulations, and standards to which the entity is subject.

Evaluation of Issues

17.05 Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. Management evaluates issues identified through monitoring activities or reported by personnel to determine whether any of the issues rise to the level of an internal control deficiency. Internal control deficiencies require further evaluation and remediation by management. An internal control deficiency can be in the design, implementation, or operating effectiveness of the internal control and its related process. Management determines from the type of internal control deficiency the appropriate corrective actions to remediate the internal control deficiency on a timely basis. Management assigns responsibility and delegates authority to remediate the internal control deficiency.

Corrective Actions

17.06 Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. These corrective actions include resolution of audit findings. Depending on the nature of the deficiency, either the oversight body or management oversees the prompt remediation of deficiencies by communicating the corrective actions to the appropriate level of the organizational structure and delegating authority for completing corrective actions to appropriate personnel. The audit resolution process begins when audit or other review results are reported to management, and is completed only after action has been taken that (1) corrects identified deficiencies, (2) produces improvements, or (3) demonstrates that the findings and recommendations do not warrant management action. Management, with oversight from the oversight body, monitors the status of remediation efforts so that they are completed on a timely basis.