
CPE for Government Auditors

Chapter 13: Monitoring

Once there were parking lots
Now it’s a peaceful oasis
You’ve got it, you’ve got it

This was a Pizza Hut
Now it’s all covered with daisies
You got it, you got it

I miss the honky tonks,
Dairy Queens, and 7-Elevens
You got it, you got it

And as things fell apart
Nobody paid much attention
You got it, you got it

I dream of cherry pies,
Candy bars, and chocolate chip cookies
You got it, you got it

We used to microwave
Now we just eat nuts and berries
You got it, you got it

This was a discount store,
Now it’s turned into a cornfield
You’ve got it, you’ve got it

Don’t leave me stranded here
I can’t get used to this lifestyle

The Talking Heads: Nothing But Flowers

Atrophy – gradual decline in effectiveness or vigor due to underuse or neglect.

You can’t just “Set it and forget it” 

I love to multitask when doing household chores.  I feel very satisfied when the dishwasher and the clothes washer are running at the same time.  My satisfaction rises even more when I can get my oldest daughter to vacuum simultaneously while I tidy up the living areas.  If I can also have a sauce simmering on the stove while my youngest practices piano, I achieve domestic nirvana!

My drive to be working on several tasks at once has driven me to buy silly products. I used to use ‘Scrubbing Bubbles’ until I realized I was paying a lot of money for nothing.  It is a great idea to spray the shower and then walk away to let those little bubbles eat away the soap scum.  Nice theory, too bad it doesn’t work.

Remember the ads for Ronco Chicken Rotisserie? “Set it and forget it!”  What a great marketing spin.  I almost bought one of those.  I love to start something and then walk away from it and do something else.  This is why my husband does most of the cooking.  My repeated, unintentional ventures into Cajun style cooking – where everything is “blackened” – were getting old.

I wish we could just set our kids and work colleagues on the right path once.  I wish they would keep on the path and never wander off.  I wish people wouldn’t forget or rebel against what they were supposed to do.  But wishing ain’t gettin’!

This component of the COSO model reminds us that we can’t just set things up and forget them.  We can’t walk away from our cooking, our kids or our work processes and hope for the best. Our controls and processes have to be monitored or chaos (and burnt toast) eventually rules.

As a wise counselor once told me, life is like riding a boat headed down a winding river.  Just as you get the boat going straight, the river bends and you have to paddle, paddle, paddle to keep from hitting the shore.  And sometimes you overcorrect and end up hitting the opposite shore, and you have to moderate and change your pace.  You can’t just get on the river and hope to get to the end without any corrections. You are going to have to work really hard to keep you on the narrow path that is the middle of the river.

Design is worthless without implementation

Have you ever used the ‘set it and forget it’ method with a process or a control?  Have you ever designed a process or a control then walked away because you have other things to do? Too bad that doesn’t work.

If you asked an athletic department staff person why she stopped going out for three bids on major purchases, she might say, “That was a lot of work.  No one ever checked to see if I was doing it, and I got tired of keeping all those records.  When I need to buy something, I don’t want to slow down to fill out all that paperwork!”

Here we have someone who doesn’t understand the importance of the control.  She reasons that it is too time consuming to go through the mandated steps when the result is always the same anyway.   She has a solid, logical justification for blowing off a well-designed control.

This is why we have to monitor controls.  We can’t just ask the staff person to do her job once and assume she is always going to do what we asked.

Monitoring has two layers

Some monitoring is contemporary and ongoing and some is occasional.  Which monitoring method you use depends on your control objective and the resources you have to dedicate to monitoring controls.  Monitoring is viewed by some as a luxury that their organization can’t afford and, therefore, is one of the least frequently implemented components of the COSO model/Green Book.

The Green Book describes these two types of monitoring as ongoing monitoring and separate evaluations.

16.04 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring is built into the entity’s operations, performed continually, and responsive to change. Separate evaluations are used periodically and may provide feedback on the effectiveness of ongoing monitoring. 

Ongoing monitoring includes reconciliations

Matching information to corresponding information from a different source is one of the best ways to make sure the information is correct.  Sometimes matching is called a reconciliation; sometimes it is called a comparison.  For instance, you might reconcile the general ledger record of purchases by the coach to the credit card statement, you might match the expense reports submitted by the coach to the credit card transactions or the general ledger, or you might match or compare the expense report to receipts.

16.05 Management performs ongoing monitoring of the design and operating effectiveness of the internal control system as part of the normal course of operations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. Ongoing monitoring may include automated tools, which can increase objectivity and efficiency by electronically compiling evaluations of controls and transactions. 

Separate Evaluations

Separate evaluations are performed occasionally, not contemporarily.  Separate evaluations are best performed by someone who does not have responsibility for any of the processes or controls. It would be great if the monitor is truly independent of the subject matter and if this monitor would not suffer any negative consequences for telling the truth. For instance, the fine arts department could do a periodic review of the purchases made by the athletic department.  The arts department might actually enjoy monitoring and telling the truth about the athletic department!  A formal audit can also serve as a separate evaluation.

16.06 Management uses separate evaluations to monitor the design and operating effectiveness of the internal control system at a specific time or of a specific function or process. The scope and frequency of separate evaluations depend primarily on the assessment of risks, effectiveness of ongoing monitoring, and rate of change within the entity and its environment. Separate evaluations may take the form of self-assessments, which include cross operating unit or cross functional evaluations.

16.07 Separate evaluations also include audits and other evaluations that may involve the review of control design and direct testing of internal control. These audits and other evaluations may be mandated by law and are performed by internal auditors, external auditors, the inspectors general, and other external reviewers. Separate evaluations provide greater objectivity when performed by reviewers who do not have responsibility for the activities being evaluated. 

Auditors beware!

Notice that auditors are not mentioned in the Green Book when discussing one of the types of monitoring – ongoing monitoring. There is a reason for that!  Auditors have to be careful NOT to get involved in the day-to-day management of programs and activities because they will compromise their auditor independence.  If an auditor helps manage a program, they will not be able to objectively evaluate the program.

The Institute of Internal Auditors encourages auditors to use a technology called ‘continuous monitoring’ to help catch errors and control breakdowns.  Continuous monitoring scans transactions continually and creates reports of outlying or unusual transactions.  Once the unusual transactions are identified, management or the auditor can follow up and resolve the outlying or unusual transactions.

The GAO is not a fan of auditors implementing continuous monitoring on behalf of management.  The GAO is much stricter about auditor independence than the Institute of Internal Auditors and expressly prohibits auditors from being involved in continuous monitoring in its Government Auditing Standards (Yellow Book).  In the GAO’s view, monitoring is the duty of management not the auditor, and when the auditor performs continuous monitoring, the auditor’s independence is impaired.

The last sentence of the following excerpt from the GAO’s Yellow Book is as firm an admonishment as the GAO can muster!

YB 2011 3.54 Accepting responsibility for designing, implementing or maintaining internal control includes accepting responsibility for designing, implementing, or maintaining monitoring procedures. Monitoring involves the use of either ongoing monitoring procedures or separate evaluations to gather and analyze persuasive information supporting conclusions about the effectiveness of the internal control system. Ongoing monitoring procedures performed on behalf of management are built into the routine, recurring operating activities of an organization. Therefore, the management participation threat created if an auditor performs or supervises ongoing monitoring procedures is so significant that no safeguards could reduce the threat to an acceptable level. 

Monitoring asks that you don’t assume, you verify

The monitoring component encourages managers not to assume that controls are working as they were designed, but instead, to put extra controls in place to ensure that controls are working as they were designed.  If you set it and forget it, a significant error or fraud can occur and go undetected because the controls you thought were in place were not actually in place.   Or you could end up wedged against the bank of the river holding a can of Scrubbing Bubbles and a piece of Cajun toast.  Neither of these is a desirable situation!

Another Layer to the Green Book

When I was younger, I was often unpleasantly surprised to find out that responsibilities have layers.  I thought I had gone through the final step… but no!  Instead I realized there was another step, another layer of complexity that needed to be embraced.  And then I found another layer and another layer.

I remember one moment of frustration regarding my ‘dream’ car vividly. When I was 16 I wanted a cool car so I could have more freedom, but first I had to pass the driving test.  Check.  Then I had to learn how to change a tire and add water and oil. Check.  Next, Dad withholds cool car and instead buys me a junky car because he imagined that I would bang up my first car (he was right). Check.

Dad decides I can handle a somewhat cooler car when I am 18.  Sweet!  Check.  Proceed to drive the somewhat cooler car slowly through a notorious speed trap in Houston only to get a ticket for having an expired inspection sticker.  What?  Wait.  What the heck is an inspection sticker? Nobody told me about annual inspections.  How much does that cost?

Well, I don’t want you finishing up this book about internal controls and then gasp, “Inspection stickers!  No one told me about inspection stickers!”  My dad’s response to my complaint was, “What did you think that big square thing with the date on it in the driver’s side window was?”  No good answer for that.

So I want to pause to cover another important layer of the COSO model that you may not have considered yet – although it sits right in the introduction of the Green Book – the requirement that the controls work together in an integrated manner.

Green Book: OV2.04 … The five components of internal control must be effectively designed, implemented, and operating, and operating together in an integrated manner, for an internal control system to be effective. 

Integrate the controls

What does ‘integrate’ mean?  Integrate means that various parts are linked together or coordinated.

Maybe an example will demonstrate what integrated controls look like.  Let’s say that your control objective is to prevent unallowable charges on credit cards issued to the buildings and maintenance folks.

The ideal controls sound like they both help satisfy the control objective AND belong together.  See if you can see how these controls fit together:

Control Environment:  Hire accountants skilled at performing reconciliations
Control Activity: Require buildings and maintenance employees to submit receipts and invoices to support credit card charges
Monitoring: Accountants match receipts to invoices each month and evaluate charges for allowability.
Information and communication: Accounting emails a report detailing unallowable charges and un-reconciled/undocumented charges to the executive team each month

Several people have been very proud to show me their tricked out, ‘dream’ Green Book spreadsheet. One of my favorites was a spreadsheet that listed the 17 principles along the left hand side as row titles.  And then the 12 compliance items for federal programs were listed along the top as column headers.  The controls in place were the contents of the cells.  But I had to inform the proud creator that simply listing a control in a cell wasn’t all that needed to be done; the controls also needed to be integrated.  They were not happy.  Layer, layer, layer.


Just like learning how to take care of a car, the process of creating controls is long and full of little surprises.  Whenever I see the word iterative, I now know what they really mean is you are now embracing the ‘never ending quest for improvement’.  Iterative also means that it will never be perfect, which is hard for some folks to tolerate.  Anybody who has tried to design a control process, document a control process, and implement a control process can attest to it being imperfect and never, ever done.

And the Green Book goes on to say that simply copying other people’s control system probably isn’t going to work either.  Bummer.

Green Book: OV2.13 Internal control is a dynamic, iterative, and integrated process in which components impact the design, implementation, and operating effectiveness of each other. No two entities will have an identical internal control system because of differences in factors such as mission, regulatory environment, strategic plan, entity size, risk tolerance, and information technology, and the judgment needed in responding to these differing factors. 

Where we have been and where we are going

I hope you have been enjoying the book so far.  First we had to learn what the top, side, and front of the cube meant, from a very broad view.  Then we took a deep dive into risk assessment.  Next it is time to mitigate the risks we have identified.  We will endeavor to embrace our responsibilities and avoid unpleasant surprises by layering on controls for the remaining four components of the COSO model: control activities, information and communication, monitoring, and control environment.

If you would like to catch up on what I have written so far about the Green Book, please see these articles/chapters.

Internal controls a la GAO’s Green Book

Chapter 2: Grounding the Green Book in Reality

Chapter 3: The Face of the Cube

Chapter 4: The remaining dimensions of the cube

Chapter 5: Ranking What You Care About: The Risk Assessment Component

Fraud Risk per the GAO’s Green Book

Fraud Risk Factors a.k.a. the Fraud Triangle

Completing the risk assessment

The next chapter should sound very familiar if you have ever worked on controls before.  We will use concepts like ‘segregation of duties’ and ‘authorization.’   We are far from done. Iterate, integrate, iterate, integrate….
