Yes, and no. Auditing and monitoring are very similar in their approach to gathering evidence and reporting, so sometimes it is hard to distinguish between the two. So close in fact, that many professionals are confused about which is which.
Add that to wacky stakeholder expectations, and you end up with quite a jumble. Auditors complain that their stakeholders want them to be monitors, and monitors complain that their stakeholders think they should follow auditing standards. Both auditors and monitors tell me, “They just don’t understand what we do!” True, true. So true.
But expecting the stakeholder to magically get a clue is silly. I suggest that you talk through this table with them so you can both decide which you are going to do, auditing or monitoring:
| Questions to ask | Monitor | Auditor |
|---|---|---|
| Standards? | No standards | Follow professional standards |
| Main user? | Work on behalf of management | Work for those in charge of governance, public |
| Scope of work? | Verify most relevant compliance items and controls | Perform formal risk assessment to choose what to audit |
| Motivation? | Compliance driven | Risk driven |
| Responsibilities? | Assess, report, and help make improvements | Assess and report |
| Independence? | Not independent | Independent |
| Contents of the Report? | Report conditions, seldom effects or causes | Report conditions, cause, and effects |
Monitors are a luxurious extra layer
Monitors are an integral part of the control system. I think of monitors as a luxurious extra layer of control that only a few organizations can afford. Kind of like a fur coat on top of your suit. You might be OK with just the suit, but the fur coat will make double sure that you stay warm and make you look rico suave to boot.
Monitoring is one of the seventeen principle components of the COSO model/Green Book.
16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
Monitors work on behalf of management to make sure that the organization is in compliance with laws and regulations and following policies and procedures. Monitors often have a limited span of responsibility (for instance, only one program, like a drug rehab program) and are expected to give assurance about compliance frequently – like every year or every two years.
Monitors go where management tells them to go.
Most monitors also help their clients make improvements when the clients are not in compliance.
Auditors are more like a net
Auditors, on the other hand, are usually not as intimate with the auditees. Auditors function best when they do not stick around to help. Auditors are more like a lovely woven net spread over the entire organization that identifies big fish (risks) and lets the smaller fish (minor issues) go.
Auditors perform a risk assessment and work with the governing body (not management) to decide where to go, because auditors get to choose where they audit, which may or may not satisfy management’s desire to verify that key laws, regulations, policies, and procedures have been complied with.
Yes, auditors also give the organization an extra layer of assurance, but because they have such a wide span of responsibility, they may not look at an area for years and years. Sometimes they skip areas that are important to management entirely because they have more pressing risks to attend to.
Auditing standards are not built for monitors
Although the work that monitors and auditors do is very similar, auditing standards are not a very good fit for monitors, and for that reason, many monitors do not follow auditing standards.
Monitors say things like, “We are following the Yellow Book in spirit.” When I first heard that, I thought that monitors cherry-picked the easy auditing standards and were conveniently blowing off the more complex standards.
But now I understand that not formally adopting auditing standards is an appropriate stance for monitors to take, as the Yellow Book is written for auditors, not monitors.
Monitors have a hard time following the planning standards in the Yellow Book because they often don’t conduct project-specific risk assessments. Monitors are also not independent of the subject matter they audit.
Auditing standards and guidance can help monitors be their best
Although auditing standards and techniques aren’t an exact fit for monitors, monitors can pick up some good ideas from auditing standards and training.
A good number of monitors attend every public class I offer in Austin, and I love having them there. I do explain where their procedures will differ and offer alternatives. But if you know of a public class built just for monitors, please write to me at leita@yellowbook-cpe.com so I can point them to it.
As always, thanks for reading!