The conference room fell silent. It was 2017, and I was sitting across from the board of a $300 million manufacturing company. Their external auditor had just identified a material weakness in their internal controls—the kind that makes stock prices drop and careers end.
"But we have controls everywhere," the CFO protested, gesturing at thick binders of policies. "We spent millions implementing them!"
The auditor's response was simple: "You have controls. But you have no idea if they're actually working."
That's when I learned the hard truth: controls without monitoring are just expensive theater.
After fifteen years of helping organizations build and maintain effective control environments, I've seen this pattern repeat itself across industries. Companies invest heavily in control design and implementation, then assume everything will just... work. It's like installing a sophisticated alarm system in your house and never checking if the sensors are functioning.
The COSO Internal Control Framework addresses this through its fifth component: Monitoring Activities. And if you're serious about internal controls—whether for SOX compliance, operational efficiency, or enterprise risk management—understanding monitoring activities isn't optional. It's survival.
What COSO Monitoring Activities Actually Mean (And Why Most People Get It Wrong)
Let me clear up a common misconception right away. When most people hear "monitoring," they think about their IT team watching dashboards or security teams reviewing logs. That's part of it, but COSO monitoring is much broader and, frankly, more important.
"Monitoring activities in COSO aren't about catching bad guys. They're about ensuring your entire control system is functioning as designed, day after day, month after month."
According to COSO, monitoring activities are the processes used to assess the quality of internal control performance over time. This involves two distinct approaches:
Ongoing Evaluations - Built into business processes, occurring in real-time
Separate Evaluations - Periodic assessments conducted outside of normal operations
Think of it this way: Ongoing evaluations are like your car's dashboard warning lights that alert you to problems as you drive. Separate evaluations are like taking your car to a mechanic for a comprehensive inspection. You need both.
The Two-Pillar Approach: A Framework That Actually Works
Let me share a story that illustrates why both types of monitoring matter.
In 2019, I consulted with a financial services firm that had what they thought was a robust control environment. They conducted quarterly internal audits (separate evaluations) and felt confident in their controls.
Then we discovered something disturbing: their accounts payable system had been approving duplicate invoices for seven months. The control was supposed to flag duplicates automatically. It had failed in a system update, and nobody noticed because their separate evaluations only happened quarterly.
The cost? $2.3 million in duplicate payments, most of which they never recovered.
Had they implemented ongoing monitoring—automated alerts when duplicate payments occurred—they would have caught the issue within days, not months.
Here's how these two approaches work together:
Monitoring Type | Frequency | Detection Speed | Coverage | Cost | Best For |
|---|---|---|---|---|---|
Ongoing Evaluations | Continuous/Real-time | Immediate to Daily | Specific, high-risk areas | Lower per control | High-volume, repeatable processes |
Separate Evaluations | Periodic (Monthly/Quarterly/Annual) | Delayed (after review cycle) | Comprehensive, all controls | Higher per review | Complex controls, judgment-based processes |
Ongoing Evaluations: Your First Line of Defense
I've always told clients: if you can automate the monitoring, you should automate the monitoring.
Ongoing evaluations are built into your regular business processes. They happen automatically, continuously, and don't require special projects or dedicated resources to execute.
Here's what this looks like in practice:
Example 1: Automated System Controls
A retail client implemented automated monitoring for their pricing controls. Every time a price override occurred (sales reps could discount up to 15%), the system:
Logged the transaction
Verified the discount was within policy limits
Flagged exceptions for immediate manager review
Generated weekly trend reports
This ongoing evaluation caught a rogue employee who was systematically offering 14.9% discounts to friends and family—right at the threshold where most managers wouldn't look twice. The automated trending spotted the pattern in three weeks.
Example 2: Management Reviews Built Into Workflow
At a healthcare organization I worked with, department managers reviewed all expenses over $5,000 before payment. But here's the key: this wasn't a special review process. It was built into their approval workflow in the ERP system. The manager couldn't approve invoices without seeing transaction details, vendor information, and budget impact.
That's ongoing monitoring. It happens as part of regular business operations, not as an additional step.
Example 3: Real-Time Dashboard Monitoring
A logistics company implemented real-time monitoring dashboards for their warehouse operations. Supervisors could see:
Inventory variances (updated every 4 hours)
Unusual transaction patterns (flagged immediately)
Access control violations (alerted within seconds)
Missing required documentation (highlighted daily)
One supervisor noticed that inventory variances spiked every Thursday afternoon. Investigation revealed that a temporary worker was systematically stealing high-value items. The pattern was caught in two weeks instead of the quarterly cycle their old separate evaluations followed.
"The best controls are the ones that tell you about problems before your auditors do."
Separate Evaluations: The Deep Dive You Can't Skip
Now, here's where many organizations make a critical mistake. They implement ongoing monitoring and think they're done. They're not.
Separate evaluations serve different purposes:
They assess whether ongoing monitoring itself is working
They evaluate controls that can't be effectively monitored in real-time
They provide independent verification of control effectiveness
They identify systemic issues that individual transactions might not reveal
I learned this lesson painfully in 2016 while working with a pharmaceutical company. They had excellent ongoing monitoring for their financial controls—automated reconciliations, exception reports, management reviews. Everything looked good.
Then during an annual separate evaluation, we discovered that while all the controls were executing properly, they weren't testing the right things. Their bank reconciliation controls were catching data entry errors, but they'd missed a fundamental flaw in how they classified certain transactions. The ongoing monitoring was working perfectly... at monitoring the wrong things.
It took a separate evaluation—where we stepped back and assessed the overall control design—to catch the issue.
Here's how effective separate evaluations work:
Evaluation Type | Typical Frequency | Who Performs | Focus Areas | Deliverable |
|---|---|---|---|---|
Self-Assessment | Quarterly | Process owners | Control execution, basic effectiveness | Control attestation, exception log |
Management Review | Semi-annual | Senior management | Trends, patterns, strategic alignment | Management report, remediation plans |
Internal Audit | Annual or risk-based | Internal audit team | Independent verification, control design | Audit report, findings, recommendations |
External Audit | Annual | External auditors | Compliance, material misstatement risk | Audit opinion, management letter |
Building an Effective Separate Evaluation Program
Let me walk you through how I've helped organizations build evaluation programs that actually work.
Step 1: Risk-Based Prioritization
Not all controls need the same level of evaluation. I worked with a technology company that was trying to evaluate 847 controls annually. Their internal audit team was drowning.
We implemented a risk-based approach:
Risk Level | Controls | Evaluation Frequency | Evaluation Depth |
|---|---|---|---|
Critical | 45 controls | Quarterly | Comprehensive testing (30+ samples) |
High | 156 controls | Semi-annually | Thorough testing (15-20 samples) |
Medium | 389 controls | Annually | Standard testing (5-10 samples) |
Low | 257 controls | Every 2 years | Limited testing (1-5 samples) |
This reduced their evaluation workload by 60% while actually improving their control assurance for high-risk areas.
Step 2: Defining Clear Testing Procedures
Here's something I see organizations struggle with constantly: vague evaluation procedures.
"Review and verify proper authorization" sounds reasonable until someone has to actually do it. What does "proper" mean? How many samples? What documentation?
Compare that to this:
Control: All purchase orders over $10,000 require CFO approval before processing.
Testing Procedure:
Select 25 purchase orders over $10,000 from the period
For each PO, verify:
Date of CFO approval precedes processing date
Approval signature matches authorized signature card
Approval authority was valid at time of transaction
No post-dating or backdating of approvals
Document any exceptions with business justification
Calculate exception rate and compare to 5% threshold
That's testable. That's specific. That's how you get consistent results.
Step 3: Documentation That Actually Helps
I've reviewed thousands of monitoring work papers. Most are garbage—checkbox exercises that provide no real assurance.
Effective documentation answers three questions:
What was tested? (Specific control, sample size, period)
What did we find? (Results, exceptions, patterns)
What does it mean? (Conclusion about control effectiveness)
Here's a template I've used successfully:
Control ID: AP-007
Control Description: Three-way match (PO, receipt, invoice) required for all payments
Evaluation Period: Q3 2024
Sample Size: 40 transactions (randomly selected from 1,247 total)
Testing Performed: Verified existence of PO, receiving document, and invoice
Results:
- 37 samples: Complete documentation, proper matching
- 2 samples: Minor timing differences (within 3-day window)
- 1 sample: Missing receiving document (Exception #2024-Q3-001)
Exception Details: Invoice #45789 processed without receiving confirmation
Root Cause: Receiving clerk on leave, backup process not followed
Management Response: Additional training scheduled, backup procedures clarified
Conclusion: Control operating effectively with minor improvement needed
Risk Level: Low
Follow-up Required: Verify training completion by 10/31/2024
This tells a story. It provides assurance. It documents issues and resolutions. It's useful.
The Integration Challenge: Making Monitoring Work Together
Here's where things get interesting. The real power of COSO monitoring comes from integrating ongoing and separate evaluations into a coherent system.
I worked with a healthcare system in 2021 that had this figured out beautifully. Here's their approach:
Ongoing Monitoring Layer:
Real-time system controls (automated, continuous)
Daily exception reports (reviewed by supervisors)
Weekly KPI dashboards (reviewed by managers)
Monthly trend analysis (reviewed by directors)
Separate Evaluation Layer:
Quarterly self-assessments (by process owners)
Semi-annual management reviews (by VPs)
Annual internal audits (risk-based sample)
External audit (annual, focused on financial controls)
But here's the key: the separate evaluations included reviewing the ongoing monitoring activities themselves.
Their internal audit didn't just test controls. They tested:
Was the automated monitoring functioning correctly?
Were exception reports being reviewed?
Were managers taking action on KPI variances?
Was the monitoring itself designed appropriately?
This meta-monitoring caught issues that neither layer alone would have found.
For example, they discovered that an automated control was flagging exceptions correctly, but the exception report was going to an email distribution list that included an employee who'd left the company six months earlier. Nobody else on the list was reviewing the exceptions because they assumed someone else was handling it.
The control was working. The monitoring was working. But the monitoring of the monitoring wasn't working.
"Effective monitoring isn't just about watching your controls. It's about watching your watchers, and watching them watching."
Common Pitfalls I've Seen Organizations Make
Let me share the mistakes I see repeatedly, so you can avoid them:
Pitfall 1: Monitoring Without Action
A financial institution I consulted with had beautiful exception reports. Detailed, timely, comprehensive. They printed them every day and filed them.
That was it. They monitored, but never acted on what they found.
I discovered this when investigating why a particular control kept failing. "Oh, we know about that," the controller said. "It's been on our exception report for six months."
Lesson: Monitoring without remediation is just documentation of failure. Every exception should trigger:
Investigation of root cause
Determination of impact
Corrective action plan
Follow-up verification
Pitfall 2: Over-Reliance on Technology
Automated monitoring is powerful, but it's not infallible.
A retail client had automated inventory monitoring that should have flagged unusual variances. It failed to catch a sophisticated theft scheme because the thieves understood the monitoring logic and stayed just below the thresholds.
Human judgment in separate evaluations caught the pattern. The automated system was looking at individual transactions. The auditor looked at patterns over time.
Lesson: Technology enables monitoring at scale, but human insight catches what algorithms miss.
Pitfall 3: Checking Boxes Instead of Seeking Truth
I've seen too many organizations where monitoring becomes a compliance exercise rather than a search for truth.
Process owners conduct self-assessments and rate everything as "effective" because that's easier than documenting problems. Internal auditors plan their testing to avoid sensitive areas because dealing with findings is politically uncomfortable.
This is monitoring theater—the appearance of oversight without the substance.
Real monitoring asks: "Is this control actually working? If not, why not? What do we need to fix?"
Fake monitoring asks: "What do I need to document to satisfy the auditors?"
The difference in outcomes is profound.
Pitfall 4: Static Monitoring in a Dynamic Environment
Controls that were adequate last year might not be adequate today. Monitoring programs need to evolve.
A technology company I worked with had monitoring procedures designed in 2015. By 2020, their business had changed dramatically:
Transaction volume increased 10x
They'd moved to cloud infrastructure
They'd acquired three companies
They'd expanded internationally
But their monitoring program? Still testing 25 samples quarterly, just like in 2015.
Their risk profile had changed completely, but their monitoring hadn't adapted.
Lesson: Review your monitoring program at least annually. Ask:
Have our risks changed?
Are we monitoring the right things?
Is our sample size still appropriate?
Do we have the right skills and tools?
Building a Monitoring Program: A Practical Roadmap
Based on my experience with over 40 organizations, here's a roadmap that actually works:
Phase 1: Assessment (Weeks 1-4)
Activity | Deliverable | Owner |
|---|---|---|
Document existing controls | Control matrix | Process owners |
Identify current monitoring activities | Monitoring inventory | Internal audit |
Assess gaps and risks | Risk assessment | Risk management |
Benchmark against peers | Comparison report | External consultant |
Phase 2: Design (Weeks 5-8)
Activity | Deliverable | Owner |
|---|---|---|
Design ongoing monitoring | Automated controls, reports | IT + Process owners |
Plan separate evaluations | Audit plan, schedule | Internal audit |
Define testing procedures | Test scripts | Internal audit + Process owners |
Establish reporting structure | Reporting templates | Management |
Phase 3: Implementation (Weeks 9-16)
Activity | Deliverable | Owner |
|---|---|---|
Configure automated monitoring | Live monitoring tools | IT |
Train process owners | Training completion | HR + Internal audit |
Execute pilot evaluations | Pilot results | Internal audit |
Refine based on feedback | Updated procedures | Internal audit |
Phase 4: Operation (Ongoing)
Activity | Frequency | Owner |
|---|---|---|
Execute ongoing monitoring | Continuous | Process owners |
Review exception reports | Daily/Weekly | Management |
Conduct separate evaluations | Per schedule | Internal audit |
Report to audit committee | Quarterly | CAE |
Update monitoring program | Annually | Internal audit + Management |
Technology Enablement: Tools That Make Monitoring Possible
Let me be blunt: you cannot effectively monitor a complex organization without technology. The scale and speed of modern business make manual monitoring impossible.
Here's what I've seen work:
For Ongoing Monitoring:
Tool Category | Use Case | Example Solutions | Typical ROI |
|---|---|---|---|
GRC Platforms | Control documentation, workflow, testing | SAP GRC, Oracle GRC, ServiceNow | 12-18 months |
SIEM Solutions | Real-time security monitoring | Splunk, IBM QRadar, LogRhythm | 6-12 months |
Business Intelligence | KPI dashboards, trend analysis | Tableau, Power BI, Qlik | 3-6 months |
ERP Built-in Controls | Transaction-level monitoring | SAP, Oracle, NetSuite | Immediate (if licensed) |
Process Mining | Automated process discovery | Celonis, UiPath, Signavio | 12-24 months |
For Separate Evaluations:
Tool Category | Use Case | Example Solutions | Typical ROI |
|---|---|---|---|
Audit Management | Planning, execution, tracking | AuditBoard, Workiva, Galvanize | 8-12 months |
Data Analytics | Automated testing, population analysis | ACL, IDEA, Alteryx | 6-9 months |
Document Management | Evidence collection, work papers | SharePoint, Box, Confluence | 3-6 months |
Collaboration Tools | Issue tracking, communication | Jira, Monday.com, Asana | Immediate |
A Real Implementation Story
Let me share how one company brought this together successfully.
In 2020, I worked with a $500M distribution company implementing their monitoring program. Here's what they did:
Technology Stack:
ServiceNow GRC for control documentation and workflow
Power BI for real-time monitoring dashboards
AuditBoard for separate evaluation management
Alteryx for data analytics and automated testing
Ongoing Monitoring:
127 automated controls in ERP system
43 daily exception reports
18 weekly KPI dashboards
6 monthly management reports
Separate Evaluations:
Quarterly self-assessments (187 key controls)
Semi-annual management reviews (47 high-risk areas)
Annual internal audits (risk-based plan)
External audit (SOX-required testing)
Results after 18 months:
73% reduction in control failures
54% reduction in audit findings
89% reduction in time spent on compliance documentation
$2.1M in avoided losses from caught control failures
The CFO told me: "We spent $380,000 implementing this program. We've saved that much three times over, plus we actually sleep at night now."
Practical Tips from the Trenches
After fifteen years of implementing monitoring programs, here are the lessons that actually matter:
1. Start Small, Scale Smart
Don't try to monitor everything at once. I've seen organizations paralyze themselves with ambition.
Start with your highest-risk areas—usually:
Financial reporting controls
Access to sensitive data
High-value transactions
Regulatory compliance areas
Get those working well, learn from the experience, then expand.
2. Make It Easy for Process Owners
Process owners have day jobs. If monitoring feels like extra work, it won't get done consistently.
Build monitoring into existing processes. Use tools people already know. Automate everything possible.
One client integrated control attestations into their quarterly business reviews. Managers were already preparing those reviews—adding control attestation was a natural extension, not an additional burden.
3. Calibrate Your Thresholds
I see organizations set monitoring thresholds that generate either:
Too many alerts (everything's an exception, alert fatigue sets in)
Too few alerts (significant issues slip through)
You need to calibrate based on your actual operations.
A logistics company set their inventory variance threshold at 1%. They got 200 alerts per day. Nobody could keep up.
We analyzed their data and found that normal operations produced 0.5-2% variance. Variances over 3% almost always indicated real problems.
We reset the threshold to 3%. Alerts dropped to 5-10 per day, and the hit rate on actual issues went from 15% to 87%.
4. Train Your Team (Really Train Them)
I cannot emphasize this enough: monitoring is a skill that requires training.
Process owners need to understand:
Why monitoring matters
What they're looking for
How to document effectively
What to do when they find issues
Internal auditors need specialized training in:
Risk assessment
Sampling methodologies
Testing techniques
Root cause analysis
Don't assume people know this. The quality of your monitoring is directly proportional to the skills of your team.
5. Create Feedback Loops
Monitoring should improve your controls, not just report on them.
Establish regular forums where:
Monitoring results are discussed
Patterns and trends are analyzed
Control improvements are proposed
Lessons learned are shared
A healthcare client holds monthly "Control Effectiveness Reviews" where process owners, internal audit, and senior management review monitoring results and make real-time decisions about control improvements.
This turns monitoring from a backward-looking compliance exercise into a forward-looking improvement engine.
"The goal of monitoring isn't to catch failures. It's to eliminate them."
Measuring Monitoring Effectiveness
How do you know if your monitoring program is working? Here are metrics I track:
Metric | Target | Red Flag |
|---|---|---|
Control failure rate | <2% of tested controls | >5% |
Time to detect issues | <30 days for critical controls | >90 days |
Exception resolution rate | >95% within SLA | <80% |
Audit finding trend | Decreasing year-over-year | Increasing |
Management action item age | <60 days average | >120 days |
Monitoring coverage | >90% of key controls | <70% |
Process owner satisfaction | >4.0/5.0 | <3.0/5.0 |
But here's the ultimate measure: Do you find your own problems before auditors find them?
If your separate evaluations consistently identify issues that surprise management, that's good—you're finding problems before they become crises.
If your external auditors consistently find issues you didn't know about, that's bad—your monitoring isn't working.
The Human Element: Culture and Monitoring
Here's something most compliance guides won't tell you: monitoring only works if people care.
I've seen technically perfect monitoring programs fail because the organizational culture treated them as bureaucratic overhead. And I've seen imperfect programs succeed because leadership genuinely wanted to know if things were working.
The difference comes down to three cultural elements:
1. Tone at the Top
When I worked with a manufacturing company in 2022, the CEO opened every quarterly business review by discussing monitoring results. Not sales. Not profits. Control effectiveness.
That sent a message: "This matters."
Within six months, every department head was proactively discussing monitoring results and control improvements. The culture shifted from compliance-driven to performance-driven.
2. Accountability Without Fear
Monitoring should reveal problems, not create scapegoats.
I've seen organizations where finding a control failure meant career risk for the process owner. The result? People stopped reporting issues accurately.
Effective organizations treat control failures as learning opportunities. The question isn't "Who screwed up?" It's "What broke, and how do we fix it?"
3. Continuous Improvement Mindset
The best organizations view monitoring results as inputs for improvement, not judgments on performance.
A financial services client I worked with has a monthly "Control Optimization" meeting where they review monitoring data and ask:
Which controls are generating the most exceptions?
Are those real issues or design problems?
Can we automate manual controls?
Should we add monitoring to unmonitored areas?
This mindset transforms monitoring from a compliance burden into a competitive advantage.
Looking Ahead: The Future of Monitoring
Based on what I'm seeing in leading organizations, here's where monitoring is heading:
Continuous Control Monitoring (CCM)
We're moving from periodic sampling to continuous population testing. Technology makes it possible to test 100% of transactions, not just samples.
I'm working with a client implementing CCM for their accounts payable process. Instead of testing 25 transactions quarterly, they're testing all 15,000 transactions continuously. The system flags exceptions in real-time.
The shift is profound: from "Did our sample indicate effectiveness?" to "We know with certainty that all transactions met requirements."
Artificial Intelligence and Machine Learning
AI is transforming monitoring from rule-based to pattern-based.
Traditional monitoring: "Flag any invoice over $10,000 without three approvals."
AI-enhanced monitoring: "Flag any invoice that deviates from historical patterns for that vendor, amount, timing, or approver—even if it technically meets policy requirements."
I've seen AI monitoring catch fraud schemes that would have passed traditional controls because they understood what "normal" looked like and could spot anomalies that rule-based systems missed.
Integrated Risk and Control Monitoring
Organizations are breaking down silos between compliance, risk management, and operational monitoring.
Instead of separate programs for:
SOX controls
Operational KPIs
Risk indicators
Cybersecurity monitoring
Quality metrics
Leading organizations are building unified monitoring platforms that provide holistic visibility into organizational performance and risk.
Final Thoughts: Making Monitoring Matter
Let me bring this full circle to that board meeting in 2017.
That manufacturing company—the one with controls but no monitoring—made the decision to invest in a comprehensive monitoring program. It wasn't easy. It took 18 months, cost over $500,000, and required significant changes to how they operated.
Three years later, their external auditor noted that they had "significantly strengthened their control environment and demonstrated consistent control effectiveness."
But more importantly, the CFO told me: "We run the business differently now. We don't guess if things are working—we know. We don't find out about problems from auditors—we find them ourselves. And we fix them before they become crises."
That's what effective monitoring delivers: confidence, clarity, and control.
Your Action Plan
If you're building or improving a monitoring program, here's where to start:
This Week:
Inventory your current monitoring activities
Identify your highest-risk processes
Assess gaps in current monitoring coverage
This Month:
Design monitoring approach for top 5 risk areas
Define clear testing procedures and thresholds
Identify quick wins (automated reports, system controls)
This Quarter:
Implement pilot monitoring for high-risk areas
Train process owners and evaluators
Execute first round of separate evaluations
Refine based on lessons learned
This Year:
Scale monitoring to all key controls
Implement technology enablement
Establish regular reporting and review cycles
Measure and optimize effectiveness
The journey isn't easy, but it's essential. Because in today's complex business environment, controls without monitoring are just hopes without evidence.
And hope is not a strategy.