Monitoring Internal Controls and IT
My congratulations to ISACA on their draft guidance on “Monitoring Internal Controls and IT.” As they explain, “This draft publication expands on the 2009 COSO Guidance on Monitoring of Internal Controls – and brings specific emphasis and clarity to the monitoring of application and IT general controls, discussing the use of automation (tools) for increased efficiency and effectiveness of the organizational monitoring processes.”
I strongly recommend that everybody interested in continuous auditing or monitoring, or IT auditing and controls in general, have a look at the document. It is well written and has a number of important points.
You can obtain the document, as well as instructions on how to provide comments, at www.isaca.org/itmonitoring.
These are the comments I made, and I welcome your thoughts:
I would like to congratulate the team for a great product. I have four broad areas where I believe more can be done:
1. Emphasize the importance of risk monitoring, as well as control monitoring
An effective controls monitoring program, developed to address the impact of IT on business risks, depends on the continuous monitoring of business risks and changes in controls. Without this, there is a danger that the program will address last year’s risks instead of those existing and emerging today. Risks change rapidly, both in nature and extent. A continuous controls monitoring program has to be sufficiently flexible to (a) understand when change is needed, and (b) effect the necessary change quickly.
2. Clarify and expand the notion of direct vs. indirect evidence that controls are operating as intended
I am very encouraged that the paper picks up on the point that monitoring activity and transactions may provide a strong indicator that controls have failed by identifying exceptions – but does not, in general, provide strong evidence that controls are operating as intended when no exceptions are found. However, you have to know this to find it in the text, because the paper does not explicitly state this to be a fact and explain why. The discussion should be expanded to make the point crystal clear: too many believe that monitoring transactions and activities is control monitoring, and it is not.
3. The nature, frequency, and extent of monitoring should be designed with risk in mind
Continuous monitoring is not necessarily strictly continuous. The nature and frequency of monitoring should be sufficient to provide reasonable assurance that the controls continue to operate as intended. Continuous monitoring can also be after-the-fact, as it is generally a detective control. The level of risk, and the frequency of operation of the controls, should be considered in designing the monitoring program. The higher the risk, the more frequent and closer the level of monitoring should be. The cost of monitoring should be commensurate with the risk of the controls failing.
4. Monitoring through day-to-day management
As explained in COSO ICF, supervision and management are forms of control monitoring. I believe this can and should be addressed more prominently in the guide.
I have attached a paper I wrote on this topic. Please feel free to use any part of the materials, and I am available if you have any questions on the attached or the above.