The fifth and final Objective is Monitoring Activities. As with all other components of the COSO Cube, Monitoring Activities is part of an interrelated whole and cannot be taken singularly. For the CCO or compliance practitioner, Monitoring Activities has been growing in importance over the past few years and will continue to do so in the future, as is reinforced in the COSO 2013 Internal Controls Framework.
The Monitoring Activities objective consists of two principles: 1) the organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning; and 2) the organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the Board of Directors, as appropriate.
Principle 16: Ongoing evaluation.
Principle 17: Evaluation and communication of deficiencies.
Discussion. Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running properly. Both ongoing monitoring and auditing are tools the CCO and compliance practitioner should use in support of this objective.
The most important item to note is that all the controls need to be sustainable. You cannot just build one-off controls and not have a process in place to help you monitor all the controls that you need to cover. Controls cannot just be one-and-done. Many companies are going to find that their initial approach to all of this is one-and-done.
There must also be a mechanism in place for communicating which controls do not work or can readily be overridden. From there, you must be able to remediate your controls. This will align with the compliance professional’s requirement to prevent, detect and remediate going forward.
Three key takeaways:
- Monitoring Activities is interrelated with all other Principles and cannot be taken singularly.
- Monitoring Activities helps to ensure that all controls are present and functioning.
- Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running properly.