LR-301f · Module 1
Control Health Monitoring
A control that is documented but not operating is worse than a missing control — it creates false confidence. Control health monitoring verifies that every control in the compliance matrix is operating as designed, producing evidence, and meeting its performance criteria. The monitoring runs continuously, not on a schedule. A control that fails on Tuesday should produce an alert on Tuesday, not a finding in next quarter's internal audit.
- Operating Status: For each control, define a health check that verifies the control is active. The quarterly risk assessment control is healthy if a report was produced within the last 90 days. The human oversight control is healthy if review records exist for the current period. Health checks run automatically and produce a green/amber/red status.
- Evidence Currency: For each control, verify that the associated evidence artifact is current — within the required timeframe. A healthy control that produces stale evidence is a compliance gap waiting for an auditor. Evidence currency checks run daily and alert the control owner when evidence approaches its expiration.
- Performance Metrics: For controls with quantitative criteria — response times, testing frequencies, review coverage rates — monitor the actual performance against the required thresholds. A bias testing control that requires quarterly testing but has been performing semi-annually is technically non-compliant. Performance monitoring catches the drift before the audit does.

[RISK]: Controls that operate below their required performance threshold are partially non-compliant even if they produce evidence.
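The three checks above combined into one small monitor, as an added example that is not part of the course material. The control names, cadences, evidence dates and the 14-day amber window are constructed assumptions; note how the bias-testing control shows green on operating status yet is flagged because its observed cadence is below the required one.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Control:
    control_id: str
    required_interval_days: int   # required cadence, e.g. 90 for quarterly
    evidence_dates: list          # dates on which the evidence artifact was produced
    amber_lead_days: int = 14     # warn the owner this long before evidence expires (assumed)

def operating_status(ctl: Control, today: date) -> str:
    """Green/amber/red derived from the age of the most recent evidence artifact."""
    if not ctl.evidence_dates:
        return "red"                       # documented control that has never produced evidence
    age = (today - max(ctl.evidence_dates)).days
    if age > ctl.required_interval_days:
        return "red"                       # evidence is stale: control is not operating
    if age > ctl.required_interval_days - ctl.amber_lead_days:
        return "amber"                     # evidence approaching expiry: alert the control owner
    return "green"

def performance_check(ctl: Control, today: date, lookback_days: int = 365) -> dict:
    """Observed run count versus the count the required cadence implies over the lookback window."""
    window_start = today - timedelta(days=lookback_days)
    actual = sum(1 for d in ctl.evidence_dates if window_start < d <= today)
    required = lookback_days // ctl.required_interval_days
    return {"required": required, "actual": actual, "compliant": actual >= required}

def health_report(controls, today: date) -> dict:
    """One record per control. A control needs attention when its status is not green
    or when it runs below its required cadence even though it is producing evidence."""
    report = {}
    for c in controls:
        status = operating_status(c, today)
        perf = performance_check(c, today)
        report[c.control_id] = {"status": status, "performance": perf,
                                "attention": status != "green" or not perf["compliant"]}
    return report

# Constructed sample data: hypothetical controls and dates, not taken from any real matrix
TODAY = date(2024, 6, 30)
CONTROLS = [
    Control("quarterly-risk-assessment", 90, [date(2023, 8, 15), date(2023, 11, 15), date(2024, 2, 15), date(2024, 5, 1)]),
    Control("human-oversight-review", 90, [date(2023, 7, 10), date(2023, 10, 8), date(2024, 1, 6), date(2024, 4, 6)]),
    Control("bias-testing", 90, [date(2023, 12, 15), date(2024, 6, 15)]),   # quarterly required, semi-annual in practice
    Control("model-change-review", 30, []),                                 # documented but never operated
]

if __name__ == "__main__":
    for cid, rec in health_report(CONTROLS, TODAY).items():
        p = rec["performance"]
        print(f"{cid:28} {rec['status']:6} {p['actual']}/{p['required']} runs"
              f"{'  <- needs attention' if rec['attention'] else ''}")
```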