Initial Assessment
Control Design- Is it present and adequate?
Control Implementation- Is it functioning?
Explanation/Reason:
C. Control Activities
31. Are appropriate policies and procedures developed,
documented and implemented for each of the agency’s
critical processes?
32. Does appropriate agency management level have
ownership of the policies and procedures? Do the process
owners review the policies and procedures periodically to
determine if they continue to be appropriate for their own
activities?
33. Is there an appropriate segregation of incompatible
activities within span of control?
34. Is the physical security over the agency IT assets reasonable
given the nature of its operations?
35. Are policies and procedures clearly communicated to
personnel to ensure that they are applied consistently and
conscientiously?
Internal Control Component Yes No Remarks
36. Are job roles, responsibilities, and related system/access
privileges periodically reviewed for proper segregation of
duties?
Initial Assessment
Control Design- Is it present and adequate?
Control Implementation- Is it functioning?
Explanation/Reason: Management designed control activities
that will address the identified control objectives.
37. Do the top management and other Officials receive relevant,
sufficient and timely information to allow them to fulfill
their responsibilities?
38. Has the agency management documented the relevant
controls that mitigate the risk of errors in information
systems?
39. Does the agency's information system generate information
that is of sufficient quality to support the effective
operation of controls? Has management developed and
implemented controls related to: completeness and
accuracy of data; capture of data at the necessary
frequency; providing information when needed; protection
of sensitive data; retention of data complying with
(relevant) audit and regulatory needs?
40. Is there a current agency continuity plan and disaster
recovery plan for the significant components of critical
functions and processes, including IT infrastructure,
network components, operating system components,
databases, applications and data files? Are these plans
tested at least annually and updated for changing
conditions?
41. Are application programs and data files backed up
regularly?
42. Is there a process to quickly disseminate critical
information throughout the agency when necessary?
43. Are policies and guidance generated and used throughout
the agency adequate, and do they contain sufficient and meaningful
information so that its officials and employees can measure
actual results against their objectives?
44. Are agency employees' roles and responsibilities
communicated clearly and effectively (i.e., through written
job description, reference manuals) by top management?
Are these roles and responsibilities uniformly understood?
45. Are all reported agency employees’ potential improprieties
reviewed, investigated, and resolved in a timely manner? Is
the top management notified of improprieties and the
actions taken to address them?
46. Is there an Ethics Hotline or any process which provides
employees with an anonymous and confidential channel
through which they can report, among other things,
complaints related to overall operations, accounting,
internal controls over financial reporting, or auditing
matters?
47. Is the availability of the Ethics Hotline well communicated
throughout the agency? Are the procedures in place to
appropriately handle the receipt and retention of any issue
raised? Does management treat all issues raised with
serious concern for confidentiality, integrity, and ultimate
resolution?
48. Is the Agency able to prepare accurate and timely financial
reports (or operations reports), including interim reports?
49. Are external stakeholders satisfied with the agency’s
systems for transaction and information processing,
including the reliability and timeliness of reports it
produces?
50. Is there a process for tracking communications to the
public, vendors/suppliers, regulators, and other external
parties? Is ownership assigned to members of the agency
management to help ensure that it responds appropriately,
promptly, and accurately to these communications?
Initial Assessment
Control Design- Is it present and adequate?
Control Implementation- Is it functioning?
Explanation/Reason:
E. Monitoring
51. Do the top management and/or other Officials review the
agency’s operational process controls to ensure that the
controls are being applied as expected?
52. Are agency procedures in place to monitor when its
operating controls are overridden; and, to determine if the
override was appropriate?
53. Do the internal control reviewers have the authority to
examine any aspect of the agency's operations?
54. Are agency policies and procedures in place to ensure that
corrective action is taken on a timely basis when control
gaps or exceptions occur?
55. Do the top management and/or other Officials take
adequate and timely action to correct its internal control
deficiencies reported by the Internal Audit Office, audited
agency external auditor and/or other parties (e.g.,
consultants)?
Initial Assessment
Control Design- Is it present and adequate?
Control Implementation- Is it functioning?
Explanation/Reason: