Internal Control Factors
Updated 7/15/96
Management establishes internal controls to keep the organization
on course toward its financial goals, to help it achieve its mission,
to minimize surprises and risks, and to allow the organization to rapidly
deal with changes. The Committee of Sponsoring Organizations of the
Treadway Commission (commonly referred to as COSO) defined controls
as follows:
Activities undertaken by management to increase the likelihood of
achieving management objectives in the following areas:
- Efficiency and effectiveness of operations
- Reliability of financial reporting
- Compliance with laws and regulations
While management is ultimately responsible for the system of internal
control, virtually all employees have some role in controlling the organization.
Some controls are established at the organization level, others are
established by management of the local unit. To facilitate management's
analysis of internal control in its own unit we provide the following
list of internal control factors. This list is patterned after a control
environment worksheet initially prepared by KPMG Peat Marwick. Examples
which indicate stronger controls as well as those indicating weaker
controls are provided for each factor. The list is organized in sections
reflecting the five interrelated components of internal control defined
by COSO:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Management is encouraged to use this list of internal control factors
to determine their unit's internal control health. A lower rating for
a factor indicates a strong environment with minimal risk, whereas a
higher rating indicates a weaker environment and higher risk. Rate each
factor between 1 (strong) and 5 (weak).
Internal Audit would be pleased to consult on methods to improve your
environment.
SUMMARY OF INTERNAL CONTROL FACTORS
The Internal Control Factor list is organized as follows:
Control Environment
- Integrity and Ethical Values
- Commitment to Competence
- Management's Philosophy and Operating Style
- Organizational Structure
- Assignment of Authority and Responsibility
- Human Resource Policies and Practices
Risk Assessment
- Goals and Objectives
- Risks
- Managing Change
Control Activities
- Policies and Procedures
- Controls
- Controls over Information Systems
Information and Communication
- Access to Information
- Communication
Monitoring
- Management Supervision
- Outside Sources
- Response Mechanisms
- Self-Assessment Mechanisms
SECTION 1 - CONTROL ENVIRONMENT

1 - Integrity and Ethical Values

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1a-Acceptable business practices. | Unit members understand the University's policies covering matters such as illegal acts or questionable payments. | Policies are poorly understood. | | | | | |
| 1b-Codes of conduct. (Guide Memo 15) | Unit members understand the University's policies governing relationships with sponsors, suppliers, creditors, regulators, the community, and the public at large. | Policies are poorly understood. | | | | | |
| 1c-Conflicts of interests (Research Policy Handbook 4.1 and Guide Memo 15.2) | Unit members understand the University's policies regarding potential conflicts of interest (e.g., outside business investments and interests and employment of relatives of employees). | Policies are poorly understood. | | | | | |
| 1d-Integrity. | Unit management communicates high expectations regarding integrity and ethical values. Management sets a good example. | Management sets neither an example nor expectations regarding integrity and ethical values. | | | | | |

2 - Commitment to Competence

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2a-Job descriptions. | Responsibilities are clearly defined in writing and communicated as appropriate. | Responsibilities are poorly defined or poorly communicated. | | | | | |
| 2b-Knowledge and Skills. | Management understands the knowledge and skills required to accomplish tasks. | Management has not considered knowledge and skill requirements. | | | | | |
| 2c-Employee competency. | Management is aware of employees' competency levels. Management is involved in training and increased supervision when competency is low. | Management has not considered the competency of the employees. | | | | | |

3 - Management's Philosophy and Operating Style

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 3a-Communication to Faculty, School and University. | Management insists on full disclosures. | Management is secretive and reluctant to make full disclosures. | | | | | |
| 3b-Laws and regulations. | There is a concern for compliance with the letter and intent. | Management is willing to risk noncompliance penalties. | | | | | |
| 3c-Getting the job done. | Management is concerned with doing the job right the first time. | Management is willing to get the job done without regard to quality. | | | | | |
| 3d-Exceptions to policy. | Exceptions to policy are infrequent. When they occur they must be approved and well documented. | Exceptions to policy are the norm. | | | | | |
| 3e-Approach to financial reporting. | The approach shows a concern and appreciation for accurate and timely reporting. Financial reporting estimates are conservative. | Financial reporting is given low priority. | | | | | |
| 3f-Emphasis on meeting budget and other financial and operating goals. | Results are actively monitored and followed up. Corrective action is taken as necessary. We learn from our mistakes. | Management is unwilling to accept results other than those projected or planned, therefore there is fear of failure. | | | | | |
| 3g-Approach to decision making. | Process is both formal and consistent. Decisions are based on logic after careful consideration of relevant facts. Procedures and policies are in place to ensure the appropriate level of management is involved in decisions. | Decision making is not formal. Management makes decisions with little study and analysis of the facts. | | | | | |

4 - Organizational Structure

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 4a-Complexity of the organizational structure. | The complexity of the structure is commensurate with the organization. Lines of reporting are clear and documentation is up-to-date. | The organizational structure is "muddled" or unnecessarily complex for the size and activities of the entity. | | | | | |
| 4b-Organization charts. | Documentation exists and is up to date. | Documentation does not exist or is out-of-date. | | | | | |
| 4c-Size of the management group. | Size is commensurate with the complexity of the unit and its growth. | Size is not appropriate (e.g., too many levels, too dispersed, or too "thin"). | | | | | |
| 4d-Stability of the management group. | Turnover is low. | Turnover is high. | | | | | |

5 - Assignment of Authority and Responsibility

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 5a-Delegation of authority and assignment of responsibility for operational and financial | Delegation of authority and assignment of responsibility is clearly defined. Individuals are held accountable for results. | Decisions are dominated by one or a few individuals. Roles and responsibilities of middle management are unclear. | | | | | |
| 5b-Authority limits. | Authority limits are clearly defined in writing and communicated as appropriate. | Policies and procedures covering authority limits are informal or poorly communicated. | | | | | |
| 5c-Delegated signature authority. | Appropriate limits have been placed on each delegation of signature authority. Management periodically reviews the on-line list of all approvers to ensure it is appropriate and up to date. | Signature authority is delegated without adequate consideration. The unit never reviews the on-line list of designated approvers for its accounts. | | | | | |
| 5d-Knowledge and experience. | Key personnel are knowledgeable and experienced. Management does not delegate authority to inexperienced individuals. | Key personnel are inexperienced. Management delegates authority without regard to knowledge and experience. | | | | | |
| 5e-Resources. | Management provides the resources needed for employees to carry out their duties. | Management does not provide necessary resources. | | | | | |

6 - Human Resource Policies and Practices

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 6a-Selection of personnel. | A formal hiring process is in place. The personnel department is involved in identifying potential employees based on job requirements. | Formal hiring process does not exist. | | | | | |
| 6b-Training. | On-the-job and other training programs have defined objectives. They are effective and important. | Training programs are inconsistent, ineffective, or of low priority. | | | | | |
| 6c-Supervision policies. | Personnel are adequately supervised. They have a regular resource for resolving problems. | Regular supervision does not exist or is ineffective. | | | | | |
| 6d-Inappropriate behavior. | Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status. | Inappropriate behavior of certain individuals is ignored. Reprimands are neither timely nor direct. | | | | | |
| 6e-Evaluation of personnel. | An organized evaluation process exists. | Evaluation process is ad hoc and inconsistent; actual performance has little consequence. | | | | | |
| 6f-Methods to compensate personnel. | A formal compensation process exists. Its relationship to the performance evaluation process is defined and communicated. | Compensation adjustments are ad hoc and inconsistent. | | | | | |
| 6g-Staffing of critical functions. | Critical functions are adequately staffed such that workloads are reasonable and acceptable. | There is inadequate staffing and frequent periods of overwork and "organizational stress." | | | | | |
| 6h-Turnover. Particularly turnover in financially responsible positions. | Low levels of turnover. Management understands the root cause of turnover. | High levels of turnover. Management does not understand the root cause of turnover. | | | | | |
SECTION 2 - RISK ASSESSMENT

7 - Goals and Objectives

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 7a-Unit-wide objectives. | Formal unit-wide mission or value statement established and communicated throughout the unit. | Unit-wide mission or value statement is nonexistent. | | | | | |
| 7b-Critical success factors. | Factors that are critical to achievement of unit-wide objectives are identified. Resources are appropriately allocated between critical success factors and objectives of lesser importance. | Factors are not prioritized or not identified. | | | | | |
| 7c-Activity-level objectives. | Realistic objectives are established for all key activities including operations, financial reporting and compliance considerations. | Activity-level objectives are nonexistent. | | | | | |
| 7d-Measurement of objectives. | Unit-wide and activity level objectives include measurement criteria and are periodically evaluated. | Objectives are not measured. Targets are not set. | | | | | |
| 7e-Employee involvement. | Employees of all levels are represented in establishing the objectives. | Management dictates the objectives. | | | | | |
| 7f-Long and short-range planning functions. | Long and short-range plans are developed and are generally formal. Changes in direction are made only after sufficient study is performed. | No organized planning process exists. There are frequent shifts in direction or emphasis. | | | | | |
| 7g-Budgeting system. | Detailed budgets are developed by area of responsibility following prescribed procedures and realistic expectations. Plans and budgets support achievement of unit-wide action steps. | Budgets are nonexistent or are "backed into" depending on desired outcome. | | | | | |
| 7h-Strategic planning for information systems. | Planning for future needs is done well in advance of expected needs and considers various scenarios. | The information system lags significantly behind the needs of the business. | | | | | |

8 - Risks

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 8a-Identification and consideration of external risk factors. | A process exists to identify and consider the implications of external risk factors (e.g., economic changes, changing sponsor, student and community needs or expectations, new or changed legislation or regulations, technological developments and natural catastrophes) concurrent with establishing unit-wide objectives and plans. | Potential or actual external risk factors are not identified or evaluated effectively. | | | | | |
| 8b-Identification and consideration of internal risk factors. | A process exists to identify and consider the implications of internal risk factors (e.g., new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs and unit morale) concurrent with establishing unit-wide objectives and plans. | Potential or actual internal risk factors are not identified or evaluated effectively. | | | | | |
| 8c-Prioritization of risks. | The likelihood of occurrence and potential monetary impact (or publicity risk) have been evaluated. Risks have been categorized as tolerable or requiring action. | Risks have not been prioritized. | | | | | |
| 8d-Approach to studying risks. | In-depth, cost benefit studies are performed before committing the unit. | Risks are accepted with little or no study. | | | | | |
| 8e-Process for monitoring risks. | A risk management program is in place to monitor and minimize exposures. | Exposure is dealt with on a case by case basis. Policies or programs to manage risks do not exist. | | | | | |
| 8f-Attitude toward consultation with external advisors. | External advisors are consulted as needed to supplement internal expertise. | There are no external advisors. | | | | | |
| 8g-Attitude toward Internal Audit. | Internal Audit's assistance is requested whenever internal control issues are surfaced. | Internal Audit is never consulted. | | | | | |

9 - Managing Change

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 9a-Commitment to change. | Management fosters assessment of change and is open to input on requirements. | Management fosters status quo, even when changes are necessary to meet the functional requirements of the business. | | | | | |
| 9b-Support of change. | Management is willing to commit resources to make change happen. | Management offers no resources to facilitate change. | | | | | |
| 9c-Routine change. | Mechanisms exist to identify, prioritize, and react to routine events (i.e., turnover) that affect achievement of unit-wide objectives or action steps. | Procedures are not present or are ineffective. | | | | | |
| 9d-Economic change. | Mechanisms exist to identify and react to economic changes. | Procedures are not present or are ineffective. | | | | | |
| 9e-Regulatory change. | Mechanisms exist to identify and react to regulatory changes (e.g., maintain membership in industry associations that monitor laws and regulations, participate in University forums such as Research Administrators Brown Bag or School of Medicine Administrators Round Table). | Procedures are not present or are ineffective. | | | | | |
| 9f-Technological change. | Mechanisms exist to identify and react to technological changes and changes in the functional requirements of the unit. | Procedures are not present or are ineffective. | | | | | |
SECTION 3 - CONTROL ACTIVITIES

10 - Policies and Procedures

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 10a-Access to University policies and procedures. | Unit staff have available up to date University policy and procedures in hard copy (printed) form or on-line (through Portfolio), and know how to use them. | University policy and procedure manuals are not available. | | | | | |
| 10b-Unit policies and procedures. | The unit has documented its own policies and procedures. They are well understood by unit staff. | Unit policies and procedures do not exist. | | | | | |

11 - Controls

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 11a-Senior management (University or School) reviews. | Senior management monitors the unit's performance against objectives and budget. | Senior management does not monitor unit performance. | | | | | |
| 11b-Top level (unit-wide) objective performance reviews by unit management. | Reviews are made of actual performance objectives and performance in prior periods for all major initiatives. Management analyzes and follows up as needed. | Analyses are not performed or management does not follow up on deviations. | | | | | |
| 11c-Top level (unit-wide) financial performance reviews by unit management. | Reviews are made of actual performance versus budgets, forecasts, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed. | Analyses are not performed or management does not follow up on deviations. | | | | | |
| 11d-Direct functional or activity management by unit management. | Performance reviews are made of specific functions or activities, focusing on compliance, financial or operational issues. | No performance reviews occur. | | | | | |
| 11e-Performance indicators. | Unexpected operating results or unusual trends are investigated. | Operating results and trends are not monitored. | | | | | |
| 11f-Key reconciliations. | Accounts are reconciled on a timely basis. Other data is reconciled as needed. | Reconciliations are not routinely performed. | | | | | |
| 11g-Sponsored project account management. (Guide Memo 36) | Sponsored project accounts are reviewed and reconciled. PIs certify the expenditures timely. Management monitors the portfolio of sponsored accounts for compliance and fiscal responsibility. | Sponsored project accounts are not monitored; reconciliations and certifications are not timely. | | | | | |
| 11h-Restricted fund (e.g., gifts) use. | Restrictions on use are well understood. Usage is monitored by management, accounts are reconciled. | Restricted fund accounts are not monitored; usage may not match restrictions. | | | | | |
| 11i-Information processing. | Controls monitor the accuracy and completeness of information as well as authorization of transactions. | No information processing controls are in place. | | | | | |
| 11j-Physical controls. | Equipment, supplies, inventory, cash and other assets are physically secured and periodically counted and compared to the amounts shown on control records (e.g., EIS or CAMS). | Equipment, supplies, inventory, cash and other assets are not protected. Control records such as EIS or CAMS are not up to date. | | | | | |
| 11k-Training and guidance for asset custodians. | Adequate training and guidance are provided for personnel responsible for cash or similar assets. | No training or guidance is provided. | | | | | |
| 11l-Segregation of duties. | Duties are divided among different people (e.g., responsibilities for authorizing transactions, recording them and handling the asset are separated). | Inappropriate duties are combined. | | | | | |
| 11m-Record retention. | Unit employees understand which records they are responsible for maintaining and the required retention period. Records are appropriately filed. | Unit employees do not understand which records they are responsible for maintaining. The filing system is inadequate. | | | | | |
| 11n-Disaster response plan. | A disaster response plan, ensuring business continuity, has been developed and is understood by key personnel. | No disaster response plan exists. | | | | | |

12 - Controls over Information Systems

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 12a-Local information systems and LANs. | System operations are documented; software is appropriately acquired and maintained; access to the system, programs and data is controlled; the system is maintained in a secure environment; applications are appropriately developed and maintained. | Unit has no controls over its local information systems or LANs. | | | | | |
| 12b-Application controls. | Unit controls its computer applications by diligent and timely response to edit lists, rejected transactions and other control and balancing reports. Controls ensure a high level of data integrity including completeness, accuracy, and validity of all information in the system. | Application controls are not used. | | | | | |
| 12c-Back Up. | Key data and programs on LANs or desktop computers are appropriately backed up and maintained. Off-site storage is adequate considering possible risks of loss. | No formal back up procedures exist. Management has not informed staff of back up requirements. | | | | | |
SECTION 4 - INFORMATION AND COMMUNICATION

13 - Access to Information

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 13a-Relevant external information. | Unit members receive relevant information regarding legislation, regulatory developments, economic changes or other external factors which affect the unit. | Relevant information is not available. | | | | | |
| 13b-Management reporting system. | An executive information system exists. Information and reports are provided on a timely basis. Detail of reports is appropriate for the level of management. Data is summarized to facilitate decision making. | A formal reporting system does not exist. Reports are not timely or are not at appropriate levels of detail. | | | | | |
| 13c-Management of information security. | Information is evaluated and classified based on level of integrity, confidentiality and availability. All individuals with access to information are trained to understand their responsibilities related to the information. | Information used by the unit has not been evaluated and classified. Employees are not trained with respect to information security. | | | | | |

14 - Communication

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 14a-Trust. | Trust between employees, supervisors and other units is fostered. | Unit members do not trust each other or other units. | | | | | |
| 14b-Enforcement of policies. | Employees violating an important policy are disciplined. Management's communications and actions are consistent with policies. | Violations, while not condoned officially, are overlooked. Management's actions are inconsistent with official policies. | | | | | |
| 14c-Recommendations for improvement. | Employees are encouraged to provide recommendations for improvement. Their ideas are recognized and rewarded. | Employees' ideas are not welcomed. | | | | | |
| 14d-Formal communications. | Formal methods are used to communicate unit policies and procedures (e.g., manuals, training programs, written codes of conduct, and acceptable business practices). | To the extent that they exist, policies are buried in unused manuals and documents. | | | | | |
| 14e-External communications. | Standards and expectations are communicated to key outside groups or individuals (e.g., vendors, consultants, donors, sponsors, subcontractors, sub-recipients). | External communication of standards and expectations does not occur. | | | | | |
| 14f-Informal communications. | Employees are kept informed of important matters (downward communication) and are able to communicate problems to persons with authority (upward communication). There is effective functional coordination within the unit (lateral communication). | Most information is received by the "grapevine." | | | | | |
| 14g-Communication with internal auditors. | Information is shared freely with internal auditors. | Information is kept secret from internal auditors. | | | | | |
SECTION 5 - MONITORING

15 - Management Supervision

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 15a-Effectiveness of key control activities. | Management routinely spot-checks transactions, records and reconciliations to ensure expectations are met. | Management never performs spot-checks. | | | | | |
| 15b-Management supervision of accounting function. | Accounting policies are defined and adopted after appropriate consideration. Policies are effectively communicated (e.g., through manuals). | Policies are ad hoc or poorly communicated. | | | | | |
| 15c-Management supervision of new systems development. | Policies are defined for development of new systems or changes to systems (e.g., cost/benefit analysis, composition of team, user specifications, documentation, acceptance testing, and user approval). | Policies and procedures are ad hoc, poorly communicated, or ineffective. | | | | | |
| 15d-Budget analysis. | Budgets are compared to actual results and deviations are followed up on a timely basis. Adequate consideration is given to commitments. | An analysis of actual versus budgeted results is not performed, or management does not follow up on deviations. | | | | | |

16 - Outside Sources

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 16a-Industry and professional associations. | Data is used to consider performance and to identify changes and trends. | Data not monitored regularly. | | | | | |
| 16b-Regulatory authorities. | Reports from regulatory bodies are considered for their internal control implications. | Response is limited to what is necessary to "get by" the regulators. | | | | | |
| 16c-Sponsors, students, suppliers, creditors, and other third parties. | Cause of inquiry or complaint is investigated and considered for internal control implications. | Dealt with on a case-by-case basis. Consideration is not given to possible effect on controls. | | | | | |
| 16d-External auditors. | Information provided by external auditors about control-related matters is considered and acted upon at high levels. | Findings delegated to lower levels of the unit or explained away. | | | | | |

17 - Response Mechanisms

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 17a-Management follow-up of violations of policies. | Timely corrective action is taken. | Follow-up is sporadic. | | | | | |
| 17b-External or internal audit findings. | Findings are considered and immediately acted upon at appropriate levels. | Consideration of findings is delegated to lower levels of the unit or given low priority. | | | | | |
| 17c-Changes in conditions (e.g., economic, regulatory, technological, or competitive). | Changes are anticipated and routinely integrated into ongoing long- and short-range planning. | Responses are reactive rather than proactive. | | | | | |

18 - Self-Assessment Mechanisms

| Description of Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment of Factor: 1 (Strong) | 2 | 3 | 4 | 5 (Weak) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 18a-Monitoring of control environment. | Management periodically assesses employee attitudes, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. | Assessment process does not exist. | | | | | |
| 18b-Evaluation of risk assessment process. | Management periodically evaluates the effectiveness of its risk assessment process. | Assessment process does not exist. | | | | | |
| 18c-Assessment of design and effectiveness of internal controls. | Internal controls are subject to a formal and continuous internal assessment process. | Assessment process does not exist. | | | | | |
| 18d-Evaluation of information and communication systems. | Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems. Management questions information on management reports that appears unusual or inconsistent. | Assessment process does not exist. | | | | | |