How to Monitor Internal Controls

Monitoring helps determine whether internal controls are adequately designed, properly executed and effective at any given point in time.

What to Look For

Internal control is adequately designed and properly executed if all five internal control components of the University-adopted Committee of Sponsoring Organizations (COSO) methodology (Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring) are present and functioning as designed. 

Internal control is effective if management and interested stakeholders have reasonable assurance that:

  • They understand the extent to which operations objectives are being achieved.
  • Published financial statements are being prepared reliably.
  • There is compliance with applicable laws and regulations.

Purpose of Monitoring

Just as control activities help to ensure that risk management actions are carried out, monitoring helps to ensure that control activities and other planned actions to effect internal control are carried out properly and in a timely manner, and that the end result is effective internal control. 

Ongoing monitoring activities evaluate and improve the design, execution and effectiveness of internal control. Separate evaluations, on the other hand, such as self-assessments (done by department employees) and internal audits, are periodic evaluations of internal control components resulting in a formal report on internal control.

Role of Management

Management's role in the internal control system is critical to its effectiveness. Managers, like auditors, don't have to look at every single piece of information to determine that the controls are functioning and should focus their monitoring activities in high-risk areas. Spot-checking transactions or basic sampling techniques can provide a reasonable level of confidence that the controls are functioning as intended.