M1.1 Monitor Controls, Policies & Procedures

AboutMission & StructureFounders & Leadership CouncilAdvisory BoardSteering CommitteeMedia Partners/AffiliatesManagement TeamContact Us / FeedbackTechnology CouncilStandards & GuidelinesFrameworkProcess FoundationRisk Area DomainsExposure DraftsTechnology / XMLResourcesGRC illustrated seriesTopics & GroupsCase StudiesGRC360 MagazineExposure DraftsGRC SourceBlogsGRC 360° - Driving Principled Performance™GRC TechnologyOCEG Technology BlogBenchmarking SeriesAudit & EvaluationMeasurement & Metrics GuideUpcoming EventsWebinar SeriesMember to Member NetworkNews & AnnouncementsJob Postingswhy join?How Can OCEG Help Me?Benefits Overview:: Governance:: Risk Management:: Audit:: Compliance:: Ethics & culture:: Technologyjoin / upgrade now

Measurement + Benchmarking

Events + Networking

why join?

You are here :: home > knowledge network > FND-OCEG Foundation "Red Book" v1 > P-Process > D-Detect, Monitor & Evaluate > M-Ongoing Monitoring > M1-Control Assurance & Audit > M1.1 Monitor Controls, Policies & Procedures

M1.1 MONITOR CONTROLS, POLICIES & PROCEDURES

Conduct real-time, ongoing monitoring of the program to ensure that it is operating within defined tolerances.

Ongoing monitoring activities are generally performed as part of the recurring operational activity of the entity. They are distinguished from preventative and control activities in that they involve a level of analysis, review and focus on relationships and inconsistencies of underlying processes. For example, the routine tracking of students who took training and how that compares with the plan would be considered a control activity. The weekly review of how many students completed training and comparing that information with the certificates that were granted would be considered a monitoring activity.

Where appropriate, monitoring activities should be conducted in whole or in part by personnel who are not involved in conducting the day-to-day activity under evaluation. This may include supervisors or peer personnel who have a tangential relationship to the activities under evaluation.

Typical monitoring techniques include:
> reconciliation
> cross-referencing
> monitoring and analyzing logs

Standards & Guidance

M1.1.S01

Ensure that the organization's compliance and ethics program is followed, including monitoring and auditing to detect criminal or unacceptable conduct.

Compliance Programs, Codes of Conduct, Whistleblowers and Hotlines (2004)

M1.1.S02

Ensure that the organization's compliance and ethics program assessment is coordinated with other assessments conducted by the organization.

E2.2.S02

Ensure that the compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct

Core Practices

M1.1.101

Define the assessment process(es) used to assure compliance

M1.1.102

For each control, define ongoing monitoring activities that ensure that the program is operating within defined tolerances

M1.1.103

Define procedures and accountability for exceptions

M1.1.104

Define thresholds for immediately remediating the system or escalating the incident of noncompliance to a more sophisticated investigation, resolution and remediation

Additional Practices

M1.1.201

For each monitoring activity, consider using technology to automate monitoring

GUIDELINE DETAILS

Actions:	Download
Legend:	Source / Reference Resource Domain Supplement