
AGENCY-LEVEL CONTROLS CHECKLIST

Agency: ____________    Prepared: ____________    Date: ____________

Audit Period: ____________    Reviewed: ____________    Date: ____________

Internal Control Component | Yes | No | N/A | Remarks
Control Environment

Integrity, ethical values, and behavior of key executives

A.1. The agency has a code of conduct or equivalent policy that is communicated and monitored.
A.2. The agency's culture emphasizes the importance of integrity and ethical behavior. Senior management holds itself to the highest standards and leads by example.
A.3. The agency's communications reinforce a consistent message regarding policies and culture.
A.4. Agency management takes appropriate action in response to departures from approved policies and procedures or the code of conduct.
A.5. There are appropriate policies for such matters as conflicts of interest and security practices, and they are adequately communicated throughout the agency.
A.6. Agency management maintains, monitors, and appropriately responds to a fraud hotline.
A.7. The agency has a whistleblower policy and a related whistleblower or ethics hotline, which are appropriately communicated throughout the agency and include procedures for handling complaints and for accepting confidential submissions of concerns about questionable transactions.
A.8. Agency management's control consciousness and operating style are _________.
A.9. Agency management gives appropriate attention to internal control, including information technology controls.
A.10. Agency management corrects identified internal control deficiencies in a timely manner.
A.11. Agency management tends to be conservative with respect to selecting accounting principles and determining accounting estimates.
A.12. Agency management consults with us on significant matters relating to accounting and financial reporting issues.

Agency management's commitment to competence

A.13. Agency personnel have the competence and training needed to deal with the nature and complexity of the agency's operations.
A.14. Agency management has other processes in place for handling complaints about agency operational issues.

Participation in governance and oversight by those charged with governance
A.15. Those charged with governance provide effective oversight of the agency's operations.
A.16. There is an open line of communication between those charged with governance and COA auditors, and the nature and frequency of communication is appropriate given the size and complexity of the agency.
A.17. Those charged with governance have sufficient knowledge, experience, and time to perform their role effectively.
A.18. Those charged with governance are appropriately independent of agency management given the size and complexity of the agency.

The organizational structure and assignment of authority and responsibility

A.19. The agency's organizational structure is appropriate given the nature, size, and complexity of the agency.
A.20. Agency management communicates so that personnel understand the agency's objectives, their role in relation to these objectives, and how they are held accountable for achieving these objectives.
A.21. There are appropriate methods for establishing authority, responsibility, and lines of reporting.
A.22. There are written job descriptions, reference manuals, and other communications to inform personnel of their duties.

Human resource policies and practices

A.23. The agency has adequate standards and procedures for hiring, training, motivating, evaluating, promoting, compensating, transferring, or terminating personnel.
A.24. Job performance is periodically evaluated and reviewed with each employee.

Risk Assessment

B.1. Agency objectives are established, communicated, and monitored. Key elements of the agency's strategic plan are communicated throughout the agency so all employees have a basic understanding of the agency's overall strategy.
B.2. A process is in place to periodically review and update agency-wide strategic plans. The strategic plan is reviewed and approved by the agency's board of directors.
B.3. The agency-wide strategic plan includes IT, or there is a separate IT strategic plan that addresses the technology needs of the agency to effectively and efficiently meet its strategic plan.
B.4. There is an adequate mechanism for identifying agency risks, including those resulting from:
  - Entering new markets or lines of business
  - Offering new products and services
  - Privacy and data protection compliance requirements
  - Other changes in the operations, economic, and regulatory environment
B.5. The internal audit (or another group within the company) performs a periodic (at least annual) risk assessment. Senior management reviews the risk assessment and considers actions to mitigate the significant risks identified.
B.6. Management considers how much risk it is willing to accept when setting strategic direction or entering new markets, and strives to maintain risk within those levels.
B.7. The board of directors and/or the audit committee oversees and monitors the risk assessment process and takes action to address the significant risks identified.
B.8. There are groups or individuals who are responsible for anticipating or identifying changes with possible significant effects on the agency. Processes are in place to inform appropriate levels of management about such changes.
B.9. Budgets/forecasts are updated during the year to reflect changing conditions.
B.10. Periodic reviews are performed, or other processes are in place, to, among other things, anticipate and identify routine events or activities that may affect the agency's ability to achieve its objectives, and to address them.
B.11. Management reports to the board of directors and/or the audit committee on changes that may have a significant effect on the agency.
B.12. The board of directors and/or the audit committee review and approve significant changes in the agency's accounting practices.
B.13. There are processes to ensure the accounting department is made aware of changes in the operating environment so it can review the changes and determine what effect, if any, they may have on the agency's accounting practices.
B.14. There are channels of communication between the accounting department and the individual(s) in charge of monitoring regulatory rules, so the accounting department is aware of regulatory changes that could affect the agency's accounting practices.

Information and Communication

Information

C.1. The agency is able to prepare accurate and timely financial reports, including interim reports.
C.2. The board of directors and management receive sufficient and timely information to allow them to fulfill their responsibilities.
C.3. Management's objectives in terms of budget, profit, and other financial and operating goals are defined and measurable. Actual results are measured against these objectives.
C.4. There is a high level of user satisfaction with information systems processing, including reliability and timeliness of reports.
C.5. There is a sufficient level of coordination between the accounting and information systems processing functions/departments.
C.6. There are appropriate policies for developing and modifying accounting systems and controls (including changes to and use of computer programs and/or data files).
C.7. Management's efforts to develop or revise information systems (including accounting systems) are responsive to its strategic plans.
C.8. There are significant applications or transactions that are executed/processed by service organizations. Management has documented the relevant controls at the service organization, the company, or both that mitigate the risk of errors. There are policies for periodic monitoring of controls, either at the service organization or the company, and for taking appropriate action to mitigate potential new risks.
C.9. The board of directors or audit committee is involved in monitoring information systems projects and resource priorities.
C.10. The IT organization chart clearly reflects areas of responsibility and lines of reporting and communication.
C.11. There are defined responsibilities for individuals responsible for implementing, documenting, testing, and approving changes to computer programs that are purchased or developed by information systems personnel or users.
C.12. Systems conversions are well controlled (e.g., completed pursuant to written procedures or plans).
C.13. Financial management ensures and monitors user involvement in the development of programs, including the design of internal control checks and balances.
C.14. There is a high degree of cooperation and interaction between users and the IT department (e.g., procedures to ensure ongoing monitoring by the IT department of user satisfaction with IT processing, and policies for the development, modification, and use of programs and data files).
C.15. Application programs and data files are backed up regularly.
C.16. There is a current disaster recovery plan for the significant components of the IT infrastructure.
C.17. There is a business continuity plan that incorporates the disaster recovery plan and end-user department needs for timely recovery of critical functions, systems, processes, and data.
C.18. The disaster recovery and business continuity plans are tested periodically (at least annually).
C.19. The disaster recovery and business continuity plans are updated for changing conditions.

Communication

C.20. Lines of authority and responsibility (including lines of reporting) within the company are clearly defined and communicated.
C.21. There are written job descriptions and reference manuals that describe the duties of personnel.
C.22. Policies and procedures are established for, and communicated to, personnel at decentralized locations (including regional operations).
C.23. There is training/orientation for new employees, or for employees starting a new position, to discuss the nature and scope of their duties and responsibilities. Such training/orientation includes a discussion of the specific internal controls they are responsible for.
C.24. There is a process for employees to communicate improprieties. The process is well communicated throughout the agency and allows anonymity for individuals who report possible improprieties. There is a process for reporting improprieties, and the actions taken to address them, to senior management, the board of directors, or the audit committee.
C.25. All reported potential improprieties are reviewed, investigated, and resolved in a timely manner.
C.26. Employees believe they have adequate information to complete their job responsibilities.
C.27. There is a process to quickly disseminate critical information throughout the agency when necessary.
C.28. There is a process for tracking communications from customers, vendors, regulators, and other external parties.
C.29. Ownership is assigned to a member of management to help ensure that the agency responds appropriately, promptly, and accurately to communications from customers, vendors, regulators, and other external parties.

Monitoring

D.1. The agency has an effective internal audit function.
D.2. The internal audit function is independent of the activities it audits and is prohibited from having operating responsibilities.
D.3. The internal audit function adheres to professional standards (e.g., International Standards for the Professional Practice of Internal Auditing).
D.4. The scope of internal audit activities is appropriate given the nature, size, and structure of the agency.
D.5. The internal audit department develops an annual plan that considers risk in determining the allocation of resources.
D.6. The results of internal audit activities are reported to senior management and COA auditors.

Other monitoring activities

D.7. Periodic evaluations of internal control are reported to agency management and those charged with governance.
D.8. Personnel, in carrying out their regular duties, obtain evidence as to whether the system of internal control continues to function.
D.9. Policies and procedures are in place to ensure that corrective action is taken in a timely manner when control exceptions occur.
D.10. Agency management takes adequate and timely action to correct deficiencies reported by the internal audit function or the independent auditors.
D.11. Internal audit or another department performs periodic reviews of internal control.
D.12. Agency management or those charged with governance review communications from external parties that highlight areas of internal control in need of improvement.

Control Activities

E.1. Are accounting and closing practices followed consistently at interim dates (e.g., quarterly, monthly) throughout the year?
E.2. Is there appropriate involvement by management in reviewing significant accounting estimates and support for significant unusual transactions and nonstandard journal entries?
E.3. Is there timely and appropriate documentation for transactions?
E.4. Does the agency review its policies and procedures periodically to determine if they continue to be appropriate for the agency's activities?
E.5. Do members of management have ownership of the policies and procedures? Does that ownership include ensuring the policies and procedures are appropriate for the agency's activities?
E.6. Is there a budgetary system?
E.7. Does management review key performance indicators (e.g., budget, profit, financial goals, operating goals) regularly (e.g., monthly, quarterly) and identify significant variances? Does management then investigate the significant variances, and is appropriate corrective action taken?
E.8. Are variances in planned performance communicated and discussed with the board of directors and/or audit committee at least quarterly?
E.9. Are financial statements submitted to operating management? Are they accompanied by analytical comments?
E.10. Is there appropriate segregation of incompatible activities (e.g., separation of accounting for and access to assets; IT operations function separate from systems and programming; database administration function separate from application programming and systems programming)? Are organizational charts reviewed to ensure proper segregation of duties exists?
E.11. Are appropriate approvals from management required before an individual is granted access to specific applications and databases?
E.12. Are IT personnel prohibited from having incompatible responsibilities or duties in user departments?
E.13. Are there processes to periodically (e.g., quarterly, semi-annually) review system privileges and access controls to the different applications and databases within the IT infrastructure to determine if they are appropriate?
E.14. Has management established procedures to periodically reconcile physical assets (e.g., cash, receivables, inventories, property and equipment) with related accounting records?
E.15. Are physical inventories/cycle counts taken on a periodic basis and the perpetual inventory system adjusted accordingly? Are significant or recurring adjustments investigated to determine the reason for the adjustment, and are appropriate actions taken to address the reasons for the adjustments?
E.16. Has management established procedures to prevent unauthorized access to, or destruction of, documents, records (including computer programs and data files), and assets?
E.17. Is data processing access to non-data processing assets restricted (e.g., blank checks)?
E.18. Are access security software, operating system software, and application software used to control both centralized and decentralized access to:
  - Data
  - Functional capabilities of programs (e.g., execute, update, modify parameters, read only)?
E.19. Is physical security over information technology assets (both IT department and users) reasonable given the nature of the agency's operations?
E.20. Is critical computer data backed up daily and stored off-site?
E.21. Are controls in place over dial-up access to the agency's computer resources (e.g., firewalls; centralized directories to store and manage user identities and resource privileges; automated policy-based request, approval, and fulfillment processes for enterprise access)?
E.22. Is there a dedicated security officer function that monitors IT processing activities, and are there periodic reports to the board of directors and/or audit committee on the current state of IT security at the agency?
E.23. Are there systems to monitor and respond to potential interruptions in agency operations due to incidents stemming from malicious intrusions, and to update security protocols to prevent them? Are security violations and other incidents automatically logged and reviewed?
E.24. Does the agency conduct periodic reviews/audits of IT security? If yes, are the results of the review/audit reported to the board of directors and/or audit committee?
