
You’re not alone if you ever cracked open COSO or the GAO’s Green Book and thought, “Okay, just tell me where the monitoring controls are already.” Auditors and program managers everywhere have flipped through the pages hoping for a tidy list like:
- Monthly reconciliation
- Quarterly review
- Annual audit
And yet… nothing. No list or menu. No appendix titled “Monitoring Controls for People Who Just Want the Answer.”
This is not an accident. This is by design.
Monitoring controls are the choose-your-own-adventure of internal control, and the COSO model and its twin, the Green Book, very intentionally refuse to play tour guide.
The cycle of creating controls
Monitoring controls are not created first. In fact, they are designed and implemented after you establish your base controls.
The usual sequence of designing controls goes like this:
1. Assess risk
Ask if something bad might happen. Fraud. Errors. Chaos. Some dude slipping through airport security with 20 ounces of shampoo.
2. Apply control activities
You respond to that risk with segregation of duties, access restrictions, screening, performance measurement, etc. The Green Book has a nice list of control activities in Table 1 on page 63.
3. Communicate
You might add in some information and communication controls to make sure the security team is communicating about control effectiveness. Also, add some control environment controls to set the tone.
4. Strengthen the environment
Set standards and exemplify good behaviors. Ensure leaders walk the talk and hold folks accountable. A control system is only as strong as the culture surrounding it and culture starts at the top.
5. Then, because you aren’t sure the base controls are working… monitoring
You pause, look around, and ask:
- “Is the scary thing we dread happening?”
- “Are the TSA agents still following screening protocols?”
- “Did anyone quietly turn the control off because it is so silly and burdensome?” (X-rays of stinky shoes, anyone?)
Monitoring is the layer asking whether your carefully designed controls are still alive, awake, and doing their chores.
Why COSO & GAO won’t provide a list
Auditors love lists. They feel safe and auditable. Lists fit nicely into binders and Excel spreadsheets.
Monitoring controls refuse to cooperate.
Here’s why: monitoring controls depend entirely on what you monitor.
For instance, your base control makes sure the same TSA agent who checks IDs isn’t also screening the content of carry-on bags. Here a monitoring control could be asking a supervisor to review agent assignments and duties daily to ensure separation.
The COSO literature and the GAO’s Green Book cannot give you a universal list of monitoring controls because they do not know your:
- Risks
- Control activities
- Technology
- Information and communication controls
- Control environment controls
- People
Monitoring is not “more controls”
Another common misunderstanding: monitoring is not about piling on extra controls like toppings on a pizza.
Monitoring is about checking whether the controls you already designed work as intended.
Back to airport security. Metal detectors, badge access, and screening procedures are control activities. Monitoring is watching whether those procedures actually catch anything meaningful, and whether the base controls are still aligned with current risks.
For instance, if the risk is criminals accessing the airplanes, you would monitor employee badges. Maybe a supervisor could match the list of those who possess a badge against the list of current authorized employees. The frequency of this reconciliation of the two lists would depend on the turnover rate of badges. Frequent turnover could consequently warrant a weekly review.
But if your risk is dangerous cargo (20 ounces of shampoo (!) or guns), you would monitor bag checks. For example, you could have a covert tester (or their proxy) periodically run prohibited items through the checkpoint to see whether the contraband is caught. The covert tester then logs the results of this test and reports them to management so any flaws in the process can be addressed immediately.
Ongoing vs. Separate evaluations
COSO and the GAO do give us two types of monitoring, but again, no convenient checklist of monitoring controls like they created for the control activity component:
1. Ongoing monitoring is baked into daily operations. Reconciliations (my favorite control ever!). Supervisory reviews. Dashboards. Exception reports. The quiet hum of controls doing their thing day in and day out. The weekly reconciliation of badge data would fit into this category.
2. Separate evaluations are more episodic and best done by someone who is independent of the control structure. Internal audits. Peer reviews. Management reviews. Someone objective coming in later and asking uncomfortable but necessary questions. The covert testing of bag checks would fit in this category.
Bottom line? Monitoring controls must be customized
Monitoring controls are not universal because risk is not universal. No two entities will have the same risks and related controls. So, sorry, seeker of easy answers. No checklist exists for you to pull from.