MONITORING IS A process carried out by the entity that assesses and ensures the quality of internal control performance over time. It is an entity responsibility to monitor controls implementation and effectiveness, and that role cannot be assumed by the independent auditor, even when the independent auditor is charged with evaluating and testing controls as a basis for an opinion on internal controls effectiveness or if auditor tests controls to reduce other audit tests as part of the audit strategy. Monitoring involves assessing the design and operation of controls on a timely and periodic basis and taking necessary corrective actions. Monitoring may be done on both an ongoing, routine basis and as part of a separate evaluation. A basic principle of effective auditing applies to monitoring: A highly predictable process will not yield reliable results over time.

As mentioned previously, in 2009, COSO published a report specifically directed at monitoring, describing what it is and is not and some examples of how to design and assess monitoring effectiveness. In the initial implementation of this concept, it became apparent that a broad number of companies and auditors had differing views on this component. One particularly difficult issue was the extent to which monitoring could provide fully adequate compensating control over transaction controls that were determined to be ineffective. Powerful detection capabilities were sometimes being ascribed to ...