COSO Principle 16 – Performs Ongoing and/or Separate Evaluations

Monitoring must go beyond just having information and dashboards available; availability alone is not a control. For monitoring to qualify as a control (i.e., one that can stand up to independent review/audit), there must be evidence that the monitoring was performed, including conclusions that “all is well” or actions taken in response to issues. Done effectively, monitoring controls can qualify as “key” controls for SOX and replace lower-level controls, thereby reducing the amount of time spent on SOX compliance. This does not mean that the lower-level controls can be discontinued, only that a monitoring control can effectively ensure multiple controls are executed and reviewed, and these monitoring controls (many fewer) are the ones in scope for the SOX compliance audit.
