
AGENCY-LEVEL CONTROLS CHECKLIST

Agency:
Audit Period:

Prepared:   Date:
Reviewed:   Date:
Approved:   Date:

I. ALCC Probing Questions

Internal Control Component Yes No NA Remarks


Control Environment

Integrity, ethical values, and behavior of key executives

A.1. The agency has a code of conduct or equivalent policy that is communicated and monitored.

A.2. The agency’s culture emphasizes the importance of integrity and ethical behavior. Senior management holds itself to the highest standards and leads by example.

A.3. The agency’s communications reinforce a consistent message regarding policies and culture.

A.4. Agency management takes appropriate action in response to departures from approved policies and procedures or the code of conduct.

A.5. There are appropriate policies for such matters as conflicts of interest and security practices, and these are adequately communicated throughout the agency.

A.6. Agency management maintains, monitors and appropriately responds to a fraud hotline.

A.7. The agency has a whistleblower policy and a related whistleblower or ethics hotline, which are appropriately communicated throughout the agency and include procedures for handling complaints and for accepting confidential submissions of concerns about questionable transactions.

A.8. Agency management’s control consciousness and operating style are _ .

A.9. Agency management gives appropriate attention to internal control, including information technology controls.

A.10. Agency management corrects identified internal control deficiencies in a timely manner.

A.11. Agency management tends to be conservative with respect to selecting accounting principles and determining accounting estimates.

A.12. Agency management consults with us on significant matters relating to accounting and financial reporting issues.

Initial Assessment: Effective / Ineffective
Reason:

Agency management’s commitment to competence

A.13. Agency personnel have the competence and training needed to deal with the nature and complexity of the agency’s operations.

A.14. Agency management has other processes in place for handling complaints about agency operational issues.

Initial Assessment: Effective / Ineffective
Reason:

Participation in governance and oversight by those charged with governance

A.15. Those charged with governance provide effective oversight of the agency’s operations.

A.16. There is an open line of communication among those charged with governance and COA auditors, and the nature and frequency of communication is appropriate given the size and complexity of the agency.

A.17. Those charged with governance have sufficient knowledge, experience and time to perform their role effectively.

A.18. Those charged with governance are appropriately independent of agency management given the size and complexity of the agency.

Initial Assessment: Effective / Ineffective
Reason:

The organizational structure and assignment of authority and responsibility

A.19. The agency’s organizational structure is appropriate given the nature, size and complexity of the agency.

A.20. Agency management engages in communications so that members of personnel understand the agency’s objectives, their role in relation to these objectives, and how they are held accountable for the achievement of these objectives.

A.21. There are appropriate methods for establishing authority, responsibility and lines of reporting.

A.22. There are written job descriptions, reference manuals and other communications to inform personnel of their duties.

Initial Assessment: Effective / Ineffective
Reason:

Human resource policies and practices

A.23. The agency has adequate standards and procedures for hiring, training, motivating, evaluating, promoting, compensating, transferring, or terminating personnel.

A.24. Job performance is periodically evaluated and reviewed with each employee.

Initial Assessment: Effective / Ineffective
Reason:

Risk Assessment

B.1. Agency objectives are established, communicated, and monitored. Key elements of the agency’s strategic plan are communicated throughout the agency so all employees have a basic understanding of the agency’s overall strategy.

B.2. A process is in place to periodically review and update agency-wide strategic plans. The strategic plan is reviewed and approved by the agency’s board of directors.

B.3. The agency-wide strategic plan includes IT, or there is a separate IT strategic plan that addresses the technology needs of the agency to effectively and efficiently meet its strategic plan.

B.4. There is an adequate mechanism for identifying agency risks, including those resulting from:
— Entering new markets or lines of business
— Offering new products and services
— Privacy and data protection compliance requirements
— Other changes in the operations, economic, and regulatory environment

B.5. The internal audit (or another group within the company) performs a periodic (at least annual) risk assessment. Senior management reviews the risk assessment and considers actions to mitigate the significant risks identified.

B.6. Management considers how much risk it is willing to accept when setting strategic direction or entering new markets, and strives to maintain risk within those levels.

B.7. The board of directors and/or the audit committee oversees and monitors the risk assessment process and takes action to address the significant risks identified.

B.8. There are groups or individuals who are responsible for anticipating or identifying changes with possible significant effects on the agency. Processes are in place to inform appropriate levels of management about changes with possible significant effects on the agency.

B.9. Budgets/forecasts are updated during the year to reflect changing conditions.

B.10. Periodic reviews are performed or other processes are in place to, among other things, anticipate and identify routine events or activities that may affect the agency’s ability to achieve its objectives, and to address them.

B.11. Management reports to the board of directors and/or the audit committee on changes that may have a significant effect on the agency.

B.12. The board of directors and/or the audit committee review and approve significant changes in the agency’s accounting practices.

B.13. There are processes to ensure the accounting department is made aware of changes in the operating environment so they can review the changes and determine what effect, if any, the change may have on the agency’s accounting practices.

B.14. There are channels of communication between the accounting department and/or the individual(s) in charge of monitoring regulatory rules so the accounting department is aware of regulatory changes that could affect the agency’s accounting practices.

Initial Assessment: Effective / Ineffective
Reason:

Information and Communication

Information

C.1. The agency is able to prepare accurate and timely financial reports, including interim reports.

C.2. The board of directors and management receive sufficient and timely information to allow them to fulfill their responsibilities.

C.3. Management’s objectives in terms of budget, profit, and other financial and operating goals are defined and measurable. Actual results are measured against these objectives.

C.4. There is a high level of user satisfaction with information systems processing, including reliability and timeliness of reports.

C.5. There is a sufficient level of coordination between the accounting and information systems processing functions/departments.

C.6. There are appropriate policies for developing and modifying accounting systems and controls (including changes to and use of computer programs and/or data files).

C.7. Management’s efforts to develop or revise information systems (including accounting systems) are responsive to its strategic plans.

C.8. There are significant applications or transactions that are executed/processed by service organizations. Management has documented the relevant controls at the service organization, the company, or both that mitigate the risk of errors. There are policies for periodic monitoring of controls either at the service organization or the company and for taking appropriate action to mitigate potential new risks.

C.9. The board of directors or audit committee is involved in monitoring information systems projects and resource priorities.

C.10. The IT organization chart clearly reflects areas of responsibility and lines of reporting and communication.

C.11. There are defined responsibilities for individuals responsible for implementing, documenting, testing and approving changes to computer programs that are purchased or developed by information systems personnel or users.

C.12. Systems conversions are well controlled (e.g., completed pursuant to written procedures or plans).

C.13. Financial management ensures and monitors user involvement in the development of programs, including the design of internal control checks and balances.

C.14. There is a high degree of cooperation and interaction between users and the IT department (e.g., procedures to ensure ongoing monitoring by the IT department of user satisfaction with IT processing, and policies for the development, modification, and use of programs and data files).

C.15. Application programs and data files are backed up regularly.

C.16. There is a current disaster recovery plan for the significant components of the IT infrastructure.

C.17. There is a business continuity plan that incorporates the disaster recovery plan and end-user department needs for timely recovery of critical functions, systems, processes and data.

C.18. The disaster recovery and business continuity plans are tested periodically (at least annually).

C.19. The disaster recovery and business continuity plans are updated for changing conditions.

Initial Assessment: Effective / Ineffective
Reason:

Communication

C.20. Lines of authority and responsibility (including lines of reporting) within the company are clearly defined and communicated.

C.21. There are written job descriptions and reference manuals that describe the duties of personnel.

C.22. Policies and procedures are established for and communicated to personnel at decentralized locations (including regional operations).

C.23. There is a training/orientation for new employees, or for employees when starting a new position, to discuss the nature and scope of their duties and responsibilities. Such training/orientation includes a discussion of the specific internal controls they are responsible for.

C.24. There is a process for employees to communicate improprieties. The process is well communicated throughout the agency. The process allows for anonymity for individuals who report possible improprieties. There is a process for reporting improprieties, and the actions taken to address them, to senior management, the board of directors, or the audit committee.

C.25. All reported potential improprieties are reviewed, investigated, and resolved in a timely manner.

C.26. Employees believe they have adequate information to complete their job responsibilities.

C.27. There is a process to quickly disseminate critical information throughout the agency when necessary.

C.28. There is a process for tracking communications from customers, vendors, regulators, and other external parties.

C.29. Ownership is assigned to a member of management to help ensure that the agency responds appropriately, promptly, and accurately to communications from customers, vendors, regulators, and other external parties.

Initial Assessment: Effective / Ineffective
Reason:

Monitoring

Internal Audit function

D.1. The agency has an effective internal audit function.

D.2. The internal audit function is independent of the activities it audits and is prohibited from having operating responsibilities.

D.3. The internal audit function adheres to professional standards (e.g., International Standards for the Professional Practice of Internal Auditing).

D.4. The scope of internal audit activities is appropriate given the nature, size and structure of the agency.

D.5. The internal audit department develops an annual plan that considers risk in determining the allocation of resources.

D.6. The results of the internal audit activities are reported to senior management and COA auditors.

Initial Assessment: Effective / Ineffective
Reason:

Other monitoring activities

D.7. Periodic evaluations of internal control are reported to agency management and those charged with governance.

D.8. Personnel, in carrying out their regular duties, obtain evidence as to whether the system of internal control continues to function.

D.9. Policies and procedures are in place to ensure that corrective action is taken in a timely manner when control exceptions occur.

D.10. Agency management takes adequate and timely actions to correct deficiencies reported by the internal audit function or the independent auditors.

D.11. Internal audit or another department performs periodic reviews of internal control.

D.12. Agency management or those charged with governance review communications from external parties that highlight areas of internal control in need of improvement.

Initial Assessment: Effective / Ineffective
Reason:

Control Activities
E.1. Are accounting and closing practices followed consistently at interim dates (e.g., quarterly, monthly) throughout the year?

E.2. Is there appropriate involvement by management in reviewing significant accounting estimates and support for significant unusual transactions and non-standard journal entries?

E.3. Is there timely and appropriate documentation for transactions?

E.4. Does the agency review its policies and procedures periodically to determine if they continue to be appropriate for the agency’s activities?

E.5. Do members of management have ownership of the policies and procedures? Does the ownership include ensuring the policies and procedures are appropriate for the agency’s activities?

E.6. Is there a budgetary system?

E.7. Does management review key performance indicators (e.g., budget, profit, financial goals, operating goals) regularly (e.g., monthly, quarterly) and identify significant variances? Does management then investigate the significant variances, and is appropriate corrective action taken?

E.8. Are variances in planned performance communicated and discussed with the board of directors and/or audit committee at least quarterly?

E.9. Are financial statements submitted to operating management? Are they accompanied by analytical comments?

E.10. Is there an appropriate segregation of incompatible activities (e.g., separation of accounting for and access to assets; IT operations function separate from systems and programming; database administration function separate from application programming and systems programming)? Are organizational charts reviewed to ensure proper segregation of duties exists?

E.11. Are appropriate approvals from management required prior to allowing an individual access to specific applications and databases?

E.12. Are IT personnel prohibited from having incompatible responsibilities or duties in user departments?

E.13. Are there processes to periodically (e.g., quarterly, semi-annually) review system privileges and access controls to the different applications and databases within the IT infrastructure to determine if system privileges and access controls are appropriate?

E.14. Has management established procedures to periodically reconcile physical assets (e.g., cash, receivables, inventories, property and equipment) with related accounting records?

E.15. Are physical inventories/cycle counts taken on a periodic basis and the perpetual inventory system adjusted accordingly? Are significant or recurring adjustments investigated to determine the reason for the adjustment, and are appropriate actions taken to address the reasons for the adjustments?

E.16. Has management established procedures to prevent unauthorized access to, or destruction of, documents, records (including computer programs and data files), and assets?

E.17. Is data processing access to non-data processing assets restricted (e.g., blank checks)?

E.18. Are access security software, operating systems software, and application software used to control both centralized and decentralized access to:
— Data
— Functional capabilities of programs (e.g., execute, update, modify parameters, read only)?

E.19. Is physical security over information technology assets (both IT department and users) reasonable given the nature of the agency’s operations?

E.20. Is critical computer data backed up daily and stored off-site?

E.21. Are controls in place over dial-up access to the agency’s computer resources (e.g., firewalls; centralized directories to store and manage user identities and resource privileges; automated policy-based request, approval, and fulfillment process for enterprise access)?

E.22. Is there a dedicated security officer function that monitors IT processing activities, and are there periodic reports to the board of directors and/or audit committee on the current state of IT security at the agency?

E.23. Are there systems to monitor and respond to potential interruptions in agency operations due to incidents stemming from malicious intrusions, and to update security protocols to prevent them? Are security violations and other incidents automatically logged and reviewed?

E.24. Does the agency conduct periodic reviews/audits of IT security? If yes, are the results of the review/audit reported to the board of directors and/or audit committee?

Initial Assessment: Effective / Ineffective
Reason:

II. ALCC Summary

Observations Recommendations AOM Ref.
