COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
Management includes a balance of ongoing and separate evaluations
Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations
The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations
Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated
Ongoing evaluations are built into the business processes and adjust to changing conditions.
Adjusts Scope and Frequency: Management varies the scope and frequency of separate evaluations depending on risk.
Separate evaluations are performed periodically to provide objective feedback
Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments.