Integrity and Ethical Values
1. Does the management set the “tone at the top” by demonstrating a commitment to integrity and ethics through both its words and deeds?
2. Have appropriate entity policies regarding acceptable business practices, conflicts of interest, and codes of conduct been established and adequately communicated?
3. Have incentives and temptations that might lead to unethical behaviour been reduced or eliminated?

Board of directors and audit committee
1. Are there regular meetings of the board and are minutes prepared on a timely basis?
2. Do board members have sufficient knowledge, experience and time to serve effectively?
3. Is there an audit committee composed of outside directors?

Management’s philosophy and operating style
1. Are business risks carefully considered and adequately monitored?
2. Is management’s selection of accounting principles and development of accounting estimates consistent with objective and fair reporting?
3. Has management demonstrated a willingness to adjust the financial statements for material misstatements?

Human resource policies and practices
1. Do existing personnel policies and procedures result in the recruitment or development of competent and trustworthy people needed to support an effective internal control structure?
2. Do personnel understand the duties and procedures applicable to the job?
3. Is the turnover of personnel in key positions at an acceptable level?

INTERNAL CONTROL QUESTIONNAIRE
ORGANISATIONAL CONTROLS
QUESTION YES, NO, N/A Comments
Organisational controls
1. Are the following duties segregated within the computer department:
   - Systems design?
   - Computer programming?
   - Computer operations?
   - Data entry?
   - Custody of systems documentation, programs and files?
   - Data control?
2. Are the following duties performed only outside the computer department:
   - Initiation and authorisation of transactions?
   - Authorisation of changes in systems, programs and master files?
   - Preparation of source documents?
   - Correction of errors in source documents?
   - Custody of assets?

Systems development and maintenance controls
1. Is there adequate participation by users and internal auditors in new systems development?
2. Is proper authorisation, testing and documentation required for system and program changes?
3. Is access to systems software restricted to authorised personnel?
4. Are there adequate controls over data files (both master and transaction files) during conversion to prevent unauthorised changes?

Access controls
1. Is access to computer facilities restricted to authorised personnel?
2. Is access to data files and programs restricted to authorised personnel?
3. Are computer processing activities reviewed by management?

Other controls
1. Is there a disaster contingency plan to ensure continuity of operations?
2. Is there off-site storage of back-up files and programs?
3. Are sufficient generations of programs, master files and transaction files maintained to facilitate recovery and reconstruction of computer processing?
4. Are there adequate safeguards against fire, water damage, power failure, power fluctuations, theft etc?