SOC 1 SSAE 18 states that management's monitoring activities may provide evidence regarding the design and operating effectiveness of controls, thus allowing management of the service organization to use "monitoring" as a key element in supporting management's assertion.
What is the "monitoring" concept?
"Monitoring" is a process whereby the effectiveness of internal controls is assessed by activities that are generally built into the daily operational activities of service organizations, along with separate evaluations, if necessary. Monitoring activities can vary widely, spanning a number of different processes and procedures, such as the following:
- Evaluating one's daily operational activities.
- Utilizing internal audit personnel or other similar personnel who are performing a wide range of procedures throughout various departments of a service organization.
- Automated system checks and balances, such as batch processing, reconciliations, quality assurance checks, and system error checks.
- Correspondence with any third-party entities.
- Any additional processes, procedures, and safeguards as necessary.
The Essentials to Performing "Monitoring" Activities for SOC 1 SSAE 18 Compliance
Most service organizations successfully undertake monitoring activities via a combination of ongoing daily operational activities, along with separate evaluations. The phrase "separate evaluations" can essentially mean any number of activities outside of a service organization's ongoing daily operational activities.
Common examples of "separate evaluations" may include surprise audits by third-party entities, such as clients or government regulatory agencies, due-diligence audits or reports conducted by prospective clients, or even one-time or random internal evaluations as needed. In short, there seems to be a wide variety of activities that could fall under the phrase "separate evaluations" for the purposes of SOC 1 SSAE 18.
Additionally, the concept of monitoring for purposes of SOC 1 SSAE 18 includes assessing the effectiveness of one's control environment and taking the necessary action to correct and remediate any weaknesses or deficiencies found. Monitoring is not a static, one-time event, but a constant effort by everyone in the organization to assess and improve its system of internal controls.
Are you Monitoring your Controls for SOC 1 SSAE 18?
To put the concept of monitoring into better perspective, ask yourself what monitoring activities your organization initiates and how these activities may provide evidence in ultimately supporting your (i.e., management's) assertion, which is a key deliverable for SOC 1 SSAE 18 reporting.
Lastly, the Committee of Sponsoring Organizations (COSO) defines "monitoring" as follows:
“Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties…”