Step 5 – Monitoring Activities: The Continuous Pulse of Internal Control

Executive summary

If information and communication form the nervous system of an organization, monitoring activities are its pulse check. They test whether the internal control system is alive, effective, and responsive under real-world conditions. Monitoring does not simply ask whether policies exist—it provides continuous feedback on whether those policies are working, whether controls adapt to change, and whether weaknesses are being addressed before they spread. Without this constant pulse, organizations may convince themselves that their systems are strong, while in reality those controls are quietly eroding in the background.

Within the COSO Internal Control – Integrated Framework, monitoring activities are the essential safeguard that prevents complacency. They consist of two complementary dimensions: ongoing evaluations embedded into daily operations, and separate, independent assessments performed by internal audit, compliance, or external parties. Ongoing evaluations deliver real-time assurance, while independent reviews bring objectivity and fresh perspective. Together, these mechanisms ensure that deficiencies are not only detected but also corrected and escalated to decision-makers in time.

The lesson is clear: monitoring activities transform internal control from a static framework into a living system. They provide the assurance that the nervous system is functioning, that governance is responsive, and that risks are addressed before they become crises.

Where are we?

At its core, the COSO Internal Control Framework identifies five integrated components:

  1. Control Environment – The foundation; it sets the tone at the top, defines integrity, ethical values, and governance structures.

  2. Risk Assessment – The identification and analysis of risks to achieving objectives, forming the basis for control activities.

  3. Control Activities – The specific actions, policies, and procedures that mitigate identified risks.

  4. Information & Communication – The nervous system that ensures relevant information flows across the organization and to stakeholders.

  5. Monitoring Activities – Ongoing and separate evaluations to ensure controls remain effective over time.

These five components function as an integrated system. Weakness in one undermines the others.

Why Monitoring Matters

Controls are not static. They degrade with organizational growth, system changes, and evolving risks. Monitoring answers the question: Are our controls still working as designed?

COSO emphasizes two dimensions:

  1. Ongoing evaluations embedded in operations, such as supervisory reviews and automated dashboards.

  2. Separate evaluations conducted periodically by internal audit, compliance, or external parties.

Both dimensions are necessary. Ongoing monitoring provides real-time assurance; separate evaluations offer independent perspective.


International Case Lessons

Equifax Data Breach (United States, 2017)

Equifax failed to patch known vulnerabilities in critical systems. Monitoring of IT controls was inadequate, leading to a breach that exposed data of 147 million consumers. Ongoing evaluations were too weak, and separate evaluations failed to highlight urgency.

Deutsche Bank (Germany, multiple years)

Regulators repeatedly fined Deutsche Bank for inadequate anti–money laundering (AML) monitoring. Despite systems on paper, ongoing evaluations were ineffective, and internal audit struggled to enforce timely remediation.

Satyam Computer Services (India, 2009)

The “Enron of India” revealed billions in fictitious assets. Monitoring by both internal audit and board-level committees failed to challenge management’s representations, proving that separate evaluations are meaningless if independence is compromised.

Eskom (South Africa, 2020s)

The state-owned utility suffered from rolling blackouts due to mismanagement and corruption. Oversight committees received reports, but monitoring mechanisms were not enforced. A culture of neglect turned signals into noise.

Vale Dam Disaster (Brazil, 2019)

Despite risk assessments highlighting weaknesses in dam safety, monitoring mechanisms failed to escalate concerns effectively. External inspections were treated as formalities rather than active feedback, leading to catastrophic failure.

These cases demonstrate that monitoring is not about producing reports; it is about acting on them.


Characteristics of Effective Monitoring

  1. Independence
    Monitoring must be objective. When the same people who design controls assess them, blind spots grow.

  2. Timeliness
    Feedback must be delivered quickly. When reports are delayed, remediation comes too late.

  3. Escalation
    Monitoring without escalation is meaningless. Issues must reach the right level of management or the board.

  4. Integration with Technology
    Modern monitoring uses data analytics, continuous auditing, and AI-based anomaly detection.

  5. Culture of Accountability
    Even perfect systems fail if findings are ignored. Leadership must enforce remediation.


Best Practices: Keeping the Pulse Strong

  • Embed Ongoing Monitoring
    Supervisors, automated alerts, and key performance indicators should continuously track the effectiveness of controls.
    Prevents: gradual control erosion going unnoticed.

  • Conduct Independent Evaluations
    Internal audit and third parties should periodically review controls with fresh perspective.
    Prevents: complacency and self-assessment bias.

  • Ensure Escalation Protocols
    Significant deficiencies must be reported directly to the board or audit committee.
    Prevents: management override or suppression of bad news.

  • Use Technology
    Leverage continuous auditing, data analytics, and AI to identify anomalies in real time.
    Prevents: reliance on outdated manual sampling that misses systemic issues.

  • Track Remediation
    Findings must lead to corrective action, documented and verified.
    Prevents: repeating issues and regulatory penalties.

Read the internal control documents at COSO.org. Also interesting, from a different perspective, is the University of California San Diego's Best Practices in Internal Controls.


Challenges in Monitoring

  1. Resource Constraints – Internal audit often lacks staff or funding.

  2. Management Override – Findings are ignored or downplayed.

  3. Global Complexity – Monitoring across multiple jurisdictions is inconsistent.

  4. False Assurance – Reports exist, but no one challenges their validity.


Conclusion

Monitoring activities are the continuous pulse of internal control. They provide assurance that the nervous system is alive and functioning. Failures at Equifax, Satyam, and Vale show that when monitoring weakens, the consequences are severe—data breaches, financial collapse, or environmental disaster.

Organizations that invest in both ongoing and independent evaluations, supported by technology and enforced by governance, create resilience. Monitoring ensures that weaknesses are not only detected but corrected, preserving trust and long-term value.

This completes the five components of the COSO Internal Control – Integrated Framework. Together—control environment, risk assessment, control activities, information & communication, and monitoring activities—they form an integrated system of governance and assurance.
