Why this section of the file matters
On most mid-tier engagements, the monitoring of controls section is a tick-box exercise. The team writes "management reviews monthly management accounts" and moves on. But this section exists for a reason: if the entity doesn't monitor whether its controls are working, the risk of undetected breakdowns goes up, and that should change how you scope your substantive work.
ISA 315.21(e) requires the auditor to obtain an understanding of the entity's monitoring activities on every engagement. This isn't about documenting what the entity says it does. It's about evaluating whether the entity would actually notice if a control stopped working.
What the standard requires
ISA 315.A127 describes two forms of monitoring. Ongoing monitoring is built into routine operations: daily supervisory reviews, management review of exception reports, and reconciliation processes that flag anomalies in real time. Separate evaluations are periodic assessments performed outside the normal course of operations, such as internal audit (IA) reviews or external compliance reviews.
The scale and formality of monitoring varies with the entity. ISA 315.A131 acknowledges that smaller entities may not have a formal IA function or documented monitoring procedures. This doesn't mean monitoring is absent. The owner-manager who personally reviews bank reconciliations every week is performing monitoring, even if it isn't labelled as such.
ISA 315.A134 requires the auditor to consider whether the entity's monitoring provides information relevant to the risk assessment. If the entity has identified control deficiencies through its own monitoring, those findings are directly relevant to the auditor's assessment of risks of material misstatement (RoMM).
Key Points
- ISA 315.21(e) applies on every engagement, even where no formal monitoring process exists.
- Monitoring takes two forms: ongoing monitoring (routine) and separate evaluations (periodic).
- Absence of monitoring is itself audit-relevant and must be documented and linked to the risk assessment.
- Entity monitoring results are an input to the auditor's risk assessment, not a substitute for testing under ISA 330.
What actually happens on engagements
At firms like ours, on smaller engagements, teams frequently write "not applicable" for the monitoring component and move on. I've reviewed files where the SALY wording has been carried forward for three years without anyone checking whether it's still accurate. The absence of monitoring is itself an audit-relevant fact. If the entity has no process for identifying whether its controls are working, the risk that controls have broken down without detection increases. That risk should feed into the overall risk assessment and may affect the nature and extent of substantive procedures.
Where teams do document monitoring, they often fail to evaluate its quality. Recording that the entity has an IA function isn't enough. The auditor needs to consider the scope of IA's work, the competence of the team performing it, whether findings are reported to those charged with governance (TCWG), and whether corrective action is taken. An IA function that identifies issues but has no authority to enforce remediation provides limited assurance.
Here's the uncomfortable part: on a surprising number of engagements, the entity's own monitoring has already flagged exactly the control weaknesses the auditor should be worried about. ISA 315.A134 requires considering whether monitoring provides useful information for the risk assessment. If the entity's IA identified a control weakness in revenue recognition six months ago and management hasn't addressed it, that finding is directly relevant to how the auditor assesses the RoMM in revenue. The file should show this link explicitly, not bury it in a generic controls narrative.
Key standard references
- ISA 315.21(e) requires understanding of the entity's monitoring activities.
- ISA 315.A127 defines what monitoring of controls means.
- ISA 315.A134 requires considering whether monitoring provides risk-relevant information.
- ISA 315.A135 permits using monitoring results in the risk assessment.
Frequently asked questions
Must the auditor understand monitoring even when no formal process exists?
Yes. ISA 315.21(e) applies on every engagement. The absence of monitoring is itself an audit-relevant fact that should be documented and linked to the risk assessment.
Can the auditor use the entity's monitoring results as audit evidence?
ISA 315.A135 permits using monitoring results in the risk assessment, but this does not replace the auditor's own testing under ISA 330 when planning to rely on controls. Entity monitoring is an input, not a substitute.