Page 1
Control Environment
1. Is there a written code of conduct that is communicated to all employees?
2. Are there clear lines of reporting and accountability within the organization?
3. What is the frequency of internal audit reviews?
4. Are there formal processes for addressing control deficiencies?
Risk Assessment
5. Has the organization identified and assessed all relevant business risks?
6. Are there processes in place to monitor changes in the business environment?
7. What is the frequency of the organization's risk assessment activities?
Control Activities
8. Are there written policies and procedures for all key business processes?
9. Are there appropriate segregation of duties for critical functions?
10. What is the organization's approach to physical security and access controls?
Information and Communication
11. Are there effective channels for communicating financial and operational information?
12. Are there mechanisms in place to ensure the reliability of information used in decision-making?
13. What is the organization's process for addressing employee complaints or concerns?
Monitoring
14. Are there ongoing monitoring activities to assess the effectiveness of internal controls?
15. What is the organization's approach to addressing control deficiencies identified through monitoring?
16. Are there independent reviews of the organization's internal control system?