INSTRUCTIONS FOR USING THIS TOOL: This tool is created around the five interrelated components of an internal control structure. Within each component is a series of questions that the audit committee should focus on to assure itself that controls are in place and functioning. These questions should be discussed in an open forum with the individuals who have a basis for responding to the questions. The audit committee should ask for detailed answers and examples from the management team, including key members of the financial management team, internal auditors, and independent auditors to assure itself that the system is operating as management represents. Evaluation of the internal control structure is not a one-time, but rather a continuous, event for the audit committee—the audit committee should always have its eyes and ears open for potential weaknesses in internal control and should continuously probe the responsible parties regarding the operation of the system. These questions are written in a manner such that a “no response” indicates a weakness that must be addressed.
Control Environment - Tone at the Top
Yes | No | Not Sure | Comments
Integrity and Ethical Values
1. Does the organization have a comprehensive
code of conduct, and/or other policies addressing
acceptable business practice, conflicts of interest,
and expected standards of ethical and moral behavior?
2. Is the code distributed to all employees?
3. Are all employees required to annually acknowledge
that they have read, understood, and complied
with the code?
4. Does management demonstrate through actions
its own commitment to the code of conduct?
5. Are dealings with clients and other constituents,
customers, suppliers, employees, and other parties
based on honesty and fair business practices?
6. Does management take appropriate action in
response to violations of the code of conduct?
7. Is management explicitly prohibited from
overriding established controls? What controls
are in place to provide reasonable assurance that
controls are not overridden by management? Are
deviations from this policy investigated and documented?
Are violations (if any) and the results of investigations
brought to the attention of the audit committee?
8. Is the organization proactive in reducing
fraud opportunities by (1) identifying and measuring
fraud risks, (2) taking steps to mitigate identified
risks, (3) identifying a position within the organization
to “own” the fraud prevention program,
and (4) implementing and monitoring appropriate
preventative and detective internal controls and
other deterrent measures?
9. Does the company use an anonymous ethics
and fraud hotline and, if so, are procedures in
place to investigate and report results to the
audit committee? (See also the tool “Sample
Whistleblower Tracking Report,” in this
toolkit.)
Commitment to Competence
1. Are the level of competence and the requisite
knowledge and skills defined for each job in the
accounting and internal audit organizations?
2. Does management make an effort to determine
whether the accounting and internal audit organizations
have adequate knowledge and skills to do their
jobs?
Board of Directors and/or Audit Committee
1. Are the audit committee’s responsibilities
defined in a charter? If so, is the charter updated
annually and approved by the board of directors?
(See also the tool “Audit Committee Charter
Matrix,” in this toolkit.)
2. Are audit committee members independent of
the company and of management? Do audit committee
members have the knowledge, industry experience,
and financial expertise to serve effectively in
their role?
3. Are a sufficient number of meetings held,
and are the meetings of sufficient length and
depth to cover the agenda and provide healthy
discussion of issues?
4. Does the audit committee constructively challenge
management’s planned decisions, particularly
in the area of financial reporting, and probe
the evaluation of past results?
5. Are regular meetings held between the audit
committee and the CFO, the CAE (internal audit),
other key members of the financial management
and reporting team, and the independent auditors?
Are executive sessions conducted on a regular
basis? (See also the tool “Conducting an
Audit Committee Executive Session: Guidelines
and Questions,” in this toolkit.)
6. Does the audit committee approve internal
audit’s annual audit plan?
7. Does the audit committee receive key information
from management in sufficient time in advance
of meetings to prepare for discussions at the
meetings?
8. Does a process exist for informing audit
committee members about significant issues on
a timely basis and in a manner conducive to the
audit committee having a full understanding of
the issues and their implications? (See also the
tool “Issues Report from Management,”
in this toolkit.)
9. Is the audit committee informed about personnel
turnover in key functions including the audit
team (both internal and the independent auditors),
senior executives, and key personnel in the financial
accounting and reporting teams? Are unusual employee
turnover situations observed for patterns or other
indicators of problems?
Management’s Philosophy and Operating Style
1. Is the accounting function viewed as a team
of competent professionals bringing information,
order, and controls to decision-making?
2. Is the selection of accounting principles
made in the long-term best interest of the organization
(as opposed to short-term maximization of income)?
3. Are assets, including intellectual assets,
protected from unauthorized access and use?
4. Do managers respond appropriately to unfavorable
signals and reports?
5. Are estimates and budgets reasonable and
achievable?
Organizational Structure
1. Is the organizational structure within the
accounting function and the internal audit function
appropriate for the size of the organization?
2. Are key managers in the accounting and internal
audit functions given adequate definition of their
responsibilities?
3. Do sufficient numbers of employees exist,
particularly at the management levels in the accounting
and internal audit functions, to allow those individuals
to effectively carry out their responsibilities?
Assignment of Authority and Responsibility
1. Is the authority delegated appropriate for
the responsibilities assigned?
2. Are job descriptions in place for management
and supervisory personnel in the accounting and
internal audit functions?
3. Do senior managers get involved as needed
to provide direction, address issues, correct
problems, and/or implement improvements?
Human Resources Policies and Practices
1. Are policies and procedures in place for
hiring, training, promoting, and compensating
employees in the accounting and internal audit
functions?
2. Do employees understand that sub-standard
performance will result in remedial action?
3. Is remedial or corrective action taken in
response to departures from approved policies?
4. Do employees understand the performance criteria
necessary for promotions and salary increases?
Risk Assessment
1. Does the organization consider risks from
external sources such as creditor demands, economic
conditions, regulation, or labor relations?
2. Does the organization consider risks from
internal sources such as key employees (retention
and succession planning), financing and the availability
of funding for key programs, competitive compensation
and benefits, information systems security, and
backup systems?
3. Is the risk of a misstatement of the financial
statements considered, and are steps taken to
mitigate that risk?
4. If applicable, are the risks associated with
foreign/off-shore operations considered, including
their impact on the financial reporting process?
Control Activities
1. Does the organization have a process in place
to ensure that controls as described in its policy
and procedures manuals are applied as they are
meant to be applied? Do the policy and procedures
manuals document all important policies and procedures?
Are these policies and procedures reviewed and
updated on a regular basis? If so, by whom?
2. Do supervisory personnel review the functioning
of controls? If so, how is that review conducted
and what happens to the results? Is appropriate
and timely follow-up action taken on exceptions?
Information and Communication
1. Is a process in place to collect information
from external sources, such as industry, economic,
and regulatory information, that could have an
impact on the organization and/or the financial
reporting process?
2. Are milestones to achieve financial reporting
objectives monitored to ensure that timing deadlines
are met?
3. Is necessary operational and financial information
communicated to the right people in the organization
on a timely basis and in a format that facilitates
its use, including new or changed policies and
procedures?
4. Is a process in place to respond to new information
needs in the organization on a timely basis?
5. Is there a process in place to collect and
document errors or complaints in order to analyze them,
determine their cause, and prevent a problem from recurring
in the future?
6. Is a process established and communicated
to officers, employees, and others, about how
to communicate suspected instances of wrongdoing
by the organization or employees of the organization?
Further, does a process exist to ensure that anyone
making such a report is protected from retaliation
for making one? (See also the tool entitled “Sample
Whistleblower Tracking Report,” in this
toolkit.)
Monitoring
1. Do officers and employees understand their
obligation to communicate observed weaknesses
in design or compliance with the internal control
structure of the organization to the appropriate
supervisory or management personnel?
2. Are interactions with external stakeholders
periodically evaluated to determine if they are
indicative of a weakness in the internal controls
structure? (For example, consider the frequency
of complaints about incorrect invoices, statements,
and acknowledgments.)
3. Is there follow-up on recommendations from
the internal and external auditors for improvements
to the internal control system?
4. Are personnel required to sign off, indicating
their performance of critical control activities
such as performing reconciliations?
5. Does the internal audit team have the right
number of competent and experienced staff? Do
they have access to the board of directors and
audit committee? Is the reporting structure in
place to ensure their objectivity and independence?
Is the work of the internal audit team appropriate
to the organization’s needs, and prioritized
with the audit committee’s direction?
The Audit Committee Toolkit was reproduced with permission of AICPA, Inc. from the AICPA Audit Committee Toolkit,
Copyright 2005 by the American Institute of Certified Public Accountants, Inc., New York, NY. www.aicpa.org