What Is Monitoring of Controls and How Is It Implemented?
Learn how a structured monitoring process assesses internal control performance over time, ensuring they operate effectively and adapt to changing risks.
Monitoring of controls is a structured process organizations use to assess the quality and effectiveness of their internal control systems over time. It is a component of established internal control frameworks, such as the one from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The purpose of monitoring is to provide reasonable assurance that controls are present, functioning as intended, and remain resilient to changing risks.
This process is a continuous cycle of evaluation and improvement that helps an organization determine whether its policies are being followed and whether they are actually mitigating risks. Effective monitoring ensures that any weaknesses or failures in the control system are identified promptly, allowing for timely correction. This proactive approach helps safeguard company assets, ensure the integrity of financial information, and maintain stakeholder confidence.
Monitoring activities are categorized into two main types: ongoing monitoring and separate evaluations. Ongoing monitoring is built into an organization’s recurring operations and is performed in real time. These routine activities include management functions, variance analyses, and reconciliations. For example, a manager’s monthly review of a departmental budget-to-actual expense report is ongoing monitoring that can identify unauthorized or misclassified expenditures.
Separate evaluations are conducted periodically to provide a focused assessment of control effectiveness and can vary in scope and frequency. Common examples include annual internal audits, peer reviews, and control self-assessments. An internal audit of the accounts payable process is a separate evaluation that tests whether vendor invoices are properly approved, matched to receiving documents, and paid accurately.
These approaches can be further distinguished by their method: manual or automated. Manual monitoring involves direct human review, such as a supervisor inspecting a subordinate’s bank reconciliation. This method relies on human judgment and is used for controls that are not easily automated.
Automated monitoring uses technology to continuously check control performance and flag exceptions. An enterprise resource planning (ERP) system can be configured to automatically prevent duplicate invoice payments. Another example is an automated security system that generates an alert whenever a user attempts to access unauthorized parts of the IT network, providing immediate evidence of a potential control breach.
An effective monitoring program uses a risk-based approach to direct resources toward controls that mitigate the most significant threats. It begins with a risk assessment to prioritize financial, operational, and compliance risks. For example, a company might identify the risk of inaccurate financial reporting as high-priority, while the risk of minor office supply theft is deemed low.
Once risks are prioritized, the organization must identify the controls designed to mitigate them. A payroll control might be the requirement for a supervisor to approve all employee timecards before processing. The program would then be designed to test the consistent operation of this approval control.
The organization then determines the appropriate mix of ongoing monitoring and separate evaluations. For a high-volume process like order fulfillment, ongoing automated monitoring that flags shipments without payment might be suitable. For less frequent processes, such as the quarterly calculation of the allowance for doubtful accounts, a separate evaluation by a senior accountant may be more appropriate.
The design phase concludes by establishing the scope and frequency of these activities. The scope defines what will be tested, while the frequency determines how often the test will occur. High-risk areas may require daily or weekly monitoring, whereas lower-risk controls might be evaluated quarterly or annually, with the entire plan documented in a Risk Control Matrix (RCM).
The monitoring process involves gathering and evaluating evidence to determine if controls are functioning as designed. Evidence can be gathered by inspecting documents for signatures, observing employees, reperforming a control like a bank reconciliation, or examining system-generated logs.
To test a control requiring dual authorization for wire transfers over $10,000, a monitor would select a sample of such transfers. They would then gather supporting documentation for each, looking for evidence of two distinct and authorized approvals. This evidence must be sufficient to form a reasonable conclusion about the control’s effectiveness.
After gathering evidence, the monitor evaluates it against the established criteria for the control. The evaluation involves comparing the actual performance documented in the evidence to the expected standard. Any instance where the control did not operate as intended is identified as a control exception.
A deficiency exists when a control is either designed improperly or is not operating effectively. Following the previous example, if the monitor finds several wire transfers over $10,000 that were processed with only one approval, this would represent an operating deficiency. Each deficiency is documented with supporting evidence, an assessment of its potential impact, and its root cause.
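The dual-authorization test described above, implemented as an automated monitoring routine of the kind mentioned earlier (a system that checks control performance and flags exceptions). This is an added example, not code from the original article: the control criteria, the approver list, the $10,000 threshold as applied here, the segregation-of-duties check (an approver may not be the initiator) and every transfer record are constructed for illustration. The script defines the population, compares each item's evidence against the expected standard, records every departure as a control exception, and produces the data a monitoring report would carry.

```python
"""Automated test of a dual-authorization control over wire transfers.

Added example. All names, thresholds and records are constructed
(hypothetical) and do not come from the original article.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Control criteria (assumed for this example).
THRESHOLD = 10_000.00                                        # control applies above this amount
AUTHORIZED_APPROVERS = {"cfo", "treasurer", "controller"}   # constructed approver list
REQUIRED_APPROVALS = 2                                       # "dual" authorization


@dataclass(frozen=True)
class Approval:
    approver: str
    approved_at: datetime


@dataclass(frozen=True)
class WireTransfer:
    transfer_id: str
    amount: float
    initiator: str            # who keyed the payment
    processed_at: datetime    # when the payment was released
    approvals: Tuple[Approval, ...]


def in_scope(transfer: WireTransfer) -> bool:
    """Population for this test: only transfers above the threshold are subject to the control."""
    return transfer.amount > THRESHOLD


def evaluate(transfer: WireTransfer) -> List[str]:
    """Compare the evidence on one transfer with the control's expected standard.

    Returns the list of exception reasons; an empty list means the control
    operated as intended for this item.
    """
    reasons: List[str] = []
    # An approval counts as evidence only if it is from an authorized approver,
    # not from the initiator (assumed segregation-of-duties rule), and was
    # recorded before the payment was processed.
    valid = [a for a in transfer.approvals
             if a.approver in AUTHORIZED_APPROVERS
             and a.approver != transfer.initiator
             and a.approved_at <= transfer.processed_at]
    distinct = {a.approver for a in valid}
    if len(distinct) < REQUIRED_APPROVALS:
        reasons.append(f"only {len(distinct)} distinct authorized approval(s) before processing")
    late = [a.approver for a in transfer.approvals if a.approved_at > transfer.processed_at]
    if late:
        reasons.append("approval recorded after processing: " + ", ".join(late))
    unauthorized = [a.approver for a in transfer.approvals if a.approver not in AUTHORIZED_APPROVERS]
    if unauthorized:
        reasons.append("approval by unauthorized user: " + ", ".join(unauthorized))
    if transfer.initiator in {a.approver for a in transfer.approvals}:
        reasons.append(f"initiator {transfer.initiator} approved own transfer")
    return reasons


def run_monitoring(transfers: List[WireTransfer]) -> Dict:
    """Run the test over the population and return the monitoring report data."""
    population = [t for t in transfers if in_scope(t)]
    findings = []
    for t in population:
        reasons = evaluate(t)
        if reasons:   # each exception is documented with its supporting evidence
            findings.append({
                "transfer_id": t.transfer_id,
                "amount": t.amount,
                "evidence": [(a.approver, a.approved_at.isoformat()) for a in t.approvals],
                "exceptions": reasons,
            })
    return {
        "control": "dual authorization of wire transfers over threshold",
        "population_size": len(population),
        "exception_count": len(findings),
        "exception_rate": len(findings) / len(population) if population else 0.0,
        "findings": findings,
    }


def sample_transfers() -> List[WireTransfer]:
    """Constructed sample population (not real data)."""
    d = datetime
    return [
        WireTransfer("W-001", 15_000.00, "ap_clerk", d(2024, 3, 4, 10, 0),
                     (Approval("cfo", d(2024, 3, 4, 9, 0)), Approval("treasurer", d(2024, 3, 4, 9, 30)))),
        WireTransfer("W-002", 25_000.00, "ap_clerk", d(2024, 3, 5, 10, 0),
                     (Approval("cfo", d(2024, 3, 5, 9, 0)),)),                                   # single approval
        WireTransfer("W-003", 8_000.00, "ap_clerk", d(2024, 3, 6, 10, 0),
                     (Approval("controller", d(2024, 3, 6, 9, 0)),)),                            # below threshold: out of scope
        WireTransfer("W-004", 12_000.00, "ap_clerk", d(2024, 3, 7, 10, 0),
                     (Approval("cfo", d(2024, 3, 7, 9, 0)), Approval("cfo", d(2024, 3, 7, 9, 5)))),   # same approver twice
        WireTransfer("W-005", 30_000.00, "ap_clerk", d(2024, 3, 8, 10, 0),
                     (Approval("treasurer", d(2024, 3, 8, 9, 0)), Approval("controller", d(2024, 3, 8, 11, 0)))),  # second approval too late
        WireTransfer("W-006", 11_000.00, "treasurer", d(2024, 3, 9, 10, 0),
                     (Approval("treasurer", d(2024, 3, 9, 9, 0)), Approval("cfo", d(2024, 3, 9, 9, 30)))),   # initiator self-approved
        WireTransfer("W-007", 20_000.00, "ap_clerk", d(2024, 3, 10, 10, 0),
                     (Approval("controller", d(2024, 3, 10, 9, 0)), Approval("treasurer", d(2024, 3, 10, 9, 30)))),
        WireTransfer("W-008", 22_000.00, "ap_clerk", d(2024, 3, 11, 10, 0),
                     (Approval("cfo", d(2024, 3, 11, 9, 0)), Approval("intern", d(2024, 3, 11, 9, 10)))),    # unauthorized approver
    ]


if __name__ == "__main__":
    report = run_monitoring(sample_transfers())
    print(f"{report['control']}: {report['exception_count']} exception(s) in {report['population_size']} item(s)")
    for f in report["findings"]:
        print(f" {f['transfer_id']} ({f['amount']:,.2f}): " + "; ".join(f["exceptions"]))
```

The exception rate and the individual findings are the raw material for the deficiency assessment; whether the pattern amounts to an operating deficiency, a significant deficiency or a material weakness remains a judgment about impact and root cause, which is why the report keeps the evidence for each item rather than only a count.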
Once deficiencies have been identified, the results must be communicated to the appropriate parties. This is formalized through a monitoring report distributed to individuals responsible for the controls, their managers, and, for significant issues, senior management and the board of directors. The report outlines the review’s scope, the controls tested, and a description of any findings.
The severity of a deficiency is classified to help prioritize remediation. A control deficiency is a flaw in design or operation, while a significant deficiency is important enough to merit the attention of those responsible for oversight. The most serious level, a material weakness, represents a deficiency, or combination of deficiencies, where there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis.
Upon receiving the report, management develops a corrective action plan to remediate the identified weaknesses. This plan assigns responsibility, establishes a timeline, and details the steps that will be taken to fix the problem.
The remediation efforts themselves become subject to future monitoring to ensure they are effective and the original deficiency has been resolved. This continuous loop of monitoring, reporting, and correcting helps an organization maintain a resilient internal control environment.