Monitoring Activities

Written By Parker Skaats

This is our final post in our series of five, providing a comprehensive overview of the five components of internal control as specified in the Green Book. If you are interested in the other components of internal control, please check out, control environment, risk assessment, control activities, and information & communication.

Understanding Monitoring Activities

Monitoring Activities

Monitoring activities encompass various processes conducted by an organization to assess the quality of its performance over time. These activities are designed to detect and address failures in control measures, ensuring that the organization continues to achieve its objectives efficiently and effectively. Monitoring can be conducted through ongoing activities or separate evaluations, and it is vital for prompting necessary adjustments in the control environment and other areas of internal controls.

The Two Principles of Monitoring Activities

Principle #16: Establish and operate monitoring activities to monitor the internal control system and evaluate the results

  • Management establishes a baseline to monitor the internal control system. The baseline is the current state of the internal control system compared against management’s design of the internal control system. The baseline represents the difference between the criteria of the design of the internal control system and condition of the internal control system at a specific point in time. In other words, the baseline consists of issues and deficiencies identified in an entity’s internal control system.

  • Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring is built into the entity’s operations, performed continually, and responsive to change.

  • Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. Management uses this evaluation to determine the effectiveness of the internal control system. Differences between the results of monitoring activities and the previously established baseline may indicate internal control issues, including undocumented changes in the internal control system or potential internal control deficiencies

Principle #17: Remediate identified internal control deficiencies on a timely basis

  • Personnel report internal control issues through established reporting lines to the appropriate internal and external parties on a timely basis to enable the entity to promptly evaluate those issues.

  • Personnel may identify internal control issues while performing their assigned internal control responsibilities. Personnel communicate these issues internally to the person in the key role responsible for the internal control or associated process and, when appropriate, to at least one level of management above that individual.

  • Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis.

  • Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. These corrective actions include resolution of audit findings.

Evaluating Monitoring Activities during Performance Audits

When auditors assess monitoring activities during performance audits, they focus on how effectively an organization conducts both ongoing and separate evaluations of its internal controls. Auditors examine whether these monitoring activities are appropriately scaled to the organization’s risk profile and whether they provide management with timely information to initiate corrective actions. This includes reviewing how findings from monitoring activities are communicated to relevant stakeholders and how swiftly and effectively management responds to these findings.

Auditors also evaluate the tools and techniques used for monitoring to determine their adequacy in providing a continuous assurance that the organization’s controls are functioning as intended. This may involve assessing the integration of monitoring mechanisms into IT systems, the frequency of performance reviews, and the thoroughness of compliance checks.

Conclusion

Effective monitoring is crucial for the sustainability of an organization’s internal controls. By ensuring that monitoring activities are robust, organizations can adapt more dynamically to changes and improve their control processes continuously. By understanding and improving monitoring activities, organizations enhance their ability to achieve objectives and maintain compliance, thereby strengthening their governance frameworks and operational resilience.

This final post concludes our series on the GAO Green Book and its components of internal control. We hope you have found these insights valuable and enjoyed learning about the crucial elements that contribute to effective internal governance. If you would like to learn more about the COSO Framework, the Green Book, and how to assess internal controls in performance audits, please feel free to check out our upcoming course Assessing Controls in Performance Audits.

Parker Skaats
Previous

2024 Yellow Book Update: Quality Management System
Next

Information & Communication Component of Internal Control