Entity-Level Control Questionnaire

Assurance and Advisory Business Services

Evaluating Internal Controls: Considerations for Evaluating Internal Control at the Entity Level

To Our Clients and Other Friends

The Sarbanes-Oxley Act of 2002 (the Act) makes reporting on internal controls mandatory for SEC registrants and their independent auditors. Section 404 of the Act directs the SEC to adopt rules requiring annual reports of public companies to include an assessment, as of the end of the fiscal year, of the effectiveness of internal controls and procedures for financial reporting. Section 404 also requires the company’s independent auditors to attest to and report on management’s assessment. The SEC issued its proposed rules in late October 2002. The SEC rule proposal, if adopted, would apply to companies whose fiscal years end on or after September 15, 2003. Therefore, companies should be getting ready now for the comprehensive documentation and evaluation of internal control that will be needed to support management’s assessment and the auditors’ attestation report. Our publication, Preparing for Internal Control Reporting—A Guide for Management’s Assessment under Section 404 of the Sarbanes-Oxley Act (the Guide) (Ernst & Young SCORE Retrieval File No. EE0677), provides a methodology and framework for completing the evaluation.

The methodology outlined in the Guide includes five phases:

• Understand the Definition of Internal Control

• Organize a Project Team to Conduct the Evaluation

• Evaluate Internal Control at the Entity Level

• Understand and Evaluate Internal Control at the Process, Transaction, or Application Level

• Evaluate Overall Effectiveness, Identify Matters for Improvement, and Establish Monitoring System

Additional guidance on the first two phases of the methodology is provided in the Guide. We will be providing more information about the detailed documentation and evaluation—the last two phases—in future publications. This document is a tool to assist management in performing the third phase: evaluating internal control at the entity level.

A logical place to begin any comprehensive evaluation of internal controls is at the top—entity-level controls that might have a pervasive effect on the organization. This includes a consideration of factors in each of the five components of internal control that can have a pervasive effect on the risk of errors or fraud. These five interrelated components are:

• Control Environment

• Risk Assessment

• Information and Communication

• Control Activities

• Monitoring

Documenting and evaluating internal control at the entity level does not by itself provide a complete perspective of internal control of an entity. However, it is an important starting point because the assessment of entity-level controls—particularly when weaknesses are identified—can have a significant effect on the overall assessment of the effectiveness of internal controls and procedures for financial reporting.

To help management evaluate internal control at the entity level, we have provided in this document numerous points to consider for each of the five components of internal control. These points are not all-inclusive, and not all the points listed herein will apply to every company. Internal and external factors unique to a particular entity may result in companies developing unique control mechanisms, and these unique factors and control mechanisms may give rise to additional points to consider. While a “no” response to an individual point does not necessarily mean that the entire component of internal control at the entity level is ineffective, a “no” response (particularly when there are several “no” responses) should heighten awareness to potential weaknesses in internal control and indicate areas where management should focus attention.

Management of many companies will prepare a single evaluation of the organization’s internal control at the entity level. In other situations, such as larger companies with multiple locations or lines of business that operate on a decentralized basis, it may be appropriate to perform a separate evaluation of the entity-level controls for the individual locations or business lines and use the results in making an overall assessment at the entity level.

Ernst & Young has developed the Guide and this supplemental publication based on our extensive knowledge of and experience with evaluating internal controls over financial reporting. These publications cannot consider all possible questions related to an assessment of a company’s internal control, but they provide a useful methodology and framework to assist management in its evaluation. We would be pleased to discuss the evaluation of internal control in your company. We also have the knowledge and experience to assist you in documenting internal controls.

An electronic copy of this document is available to clients, free of charge, on Ernst & Young Online. To obtain a private password to Ernst & Young Online, or to simply request an electronic copy of this document, contact your Ernst & Young engagement team or local Ernst & Young representative.

Control Environment

The control environment reflects the tone set by top management and the overall attitude, awareness and actions of the board of directors, management, owners, and others concerning the importance of internal control and the emphasis placed on control in the company’s policies, procedures, methods, and organizational structure. It is the foundation for all other components of internal control, providing discipline and structure.

Points to Consider / Responses/Comments

Integrity, ethical values, and behavior of key executives

• Does the board of directors show concern for integrity and ethical values? Is there a code of conduct and/or ethics policy and has it been adequately communicated?

• Is management’s commitment to integrity and ethical behavior communicated effectively throughout the company, both in words and deeds? Does management lead by example?

• Are those in top management hired from outside made familiar with the importance of high ethics and controls?

• Does management act to remove or reduce incentives or temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts?

• Do rewards, such as bonuses and stock ownership, foster an appropriate ethical tone (i.e., not given to those who meet objectives but, in the process, circumvent established policies, procedures, or controls)?

• Does management take appropriate disciplinary action in response to departures from approved policies and procedures or violations of the code of conduct?

Management’s control consciousness and operating style

• Is the management structure appropriate (i.e., not dominated by one or a few individuals) and is there effective oversight by the board of directors or audit committee?

• Does management’s financial reporting philosophy, including its attitude toward the development of estimates, tend to be conservative? Are biases that may affect significant accounting estimates and other judgments minimized?

Responses/Comments (one per point above): ❏ Yes ❏ No Comments:

• Is there a mechanism in place to regularly educate and communicate to management and employees the importance of internal controls, and to raise their level of understanding of controls?

• Does management give appropriate attention to internal control, including the effects of information systems processing?

• Does management correct identified internal control deficiencies on a timely basis?

• Are management incentives balanced (i.e., the portion of management compensation derived from bonuses, stock options, or other incentives does not promote an excessive level of interest in maintaining or increasing the entity’s stock price or earnings trend)?

• Does management set realistic (i.e., not unduly aggressive) financial targets and expectations for operating personnel?

Management’s commitment to competence

• Do personnel appear to have the competence and training necessary for their assigned level of responsibility or the nature and complexity of the entity’s business?

• Does management possess broad functional experience (i.e., management comes from several functional areas rather than from just a few, such as production and sales)?

• Is departmental staffing appropriate (particularly with regard to knowledge and experience of management and supervisory levels within the accounting, information systems, and financial reporting areas)?

• Does management show a willingness to consult with the auditors on and address significant matters relating to internal control and accounting issues?

• Does management demonstrate a commitment to provide sufficient accounting and financial personnel to keep pace with the growth and/or complexity of the business?

Responses/Comments (one per point above): ❏ Yes ❏ No Comments:

Board of directors’ and/or audit committee participation in governance and oversight

• Is the makeup of the board of directors, including the number of directors and their background and expertise, appropriate given the nature of the company? Has the independence of outside board members been adequately reviewed, including affiliations and relationships and transactions with the company?

• Is the board of directors and audit committee independent from management, such that necessary, and often probing, questions are raised?

• Does the board of directors and/or audit committee give adequate consideration to understanding management’s processes for monitoring business risks affecting the organization?

• Does the audit committee represent an informed, vigilant, and effective overseer of the financial reporting process and the company’s internal control, including information systems processing and related computer controls?

• Does the audit committee include at least one “financial expert”?

• Does the audit committee adequately maintain a direct line of communication with the entity’s external and internal auditors?

• Does the audit committee have a charter outlining its duties and responsibilities? Does the audit committee have adequate resources and authority to discharge its responsibilities?

Organizational structure and assignment of authority and responsibility

• Is the organizational structure adequate for the size, operating activities, and locations of the company?

• Is the overall organizational structure appropriate (i.e., not overly complex and not involving numerous or unusual legal entities, managerial lines of authority, or contractual agreements without apparent business purpose)?

Responses/Comments (one per point above): ❏ Yes ❏ No Comments:

• Is there an appropriate structure for assigning ownership of data, including who is authorized to initiate and/or change transactions? Is ownership assigned for each application and database within the IT infrastructure?

• Are there appropriate policies for such matters as accepting new business, conflicts of interest, and security practices? Are they adequately communicated throughout the organization?

• Are there adequate policies and procedures for authorization and approval of transactions at the appropriate level?

• Is assignment of responsibilities clear, including responsibilities for information system processing and program development?

• Does management review and make modifications to the organizational structure of the company in light of changed conditions?

• Is there adequate supervision and monitoring of decentralized operations (including accounting personnel and information systems)?

• Is there an appropriate segregation of incompatible activities (i.e., separation of accounting for and access to assets)?

Human resource policies and practices

• Are there standards and procedures for hiring, training, motivating, evaluating, promoting, compensating, transferring, and terminating personnel that are applicable to all functional areas (e.g., accounting, marketing, information systems)?

• Are there screening procedures for job applicants, particularly for employees with access to assets susceptible to misappropriation?

• Are policies and procedures clear and are they issued, updated, and revised on a timely basis? Are they effectively communicated to personnel at decentralized and/or foreign locations?

• Are there written job descriptions, reference manuals or other forms of communication to inform personnel of their duties?

• Is job performance periodically evaluated and reviewed with each employee?

Responses/Comments (one per point above): ❏ Yes ❏ No Comments:


Evaluation of Control Environment: ❏ Effective ❏ Ineffective

Summarize the reasons supporting the evaluation, unless obvious:

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

Risk Assessment

Risk assessment is the entity’s identification and analysis of relevant risks (both internal and external) to the achievement of its objectives, forming a basis for determining how the risks should be managed.

Points to Consider / Responses/Comments

Entity-level objectives, including how they are supported by strategic plans and complemented on a process/application level, have been established and communicated. A risk assessment process, including estimating the significance of risks, assessing the likelihood of their occurrence, and determining needed actions, has been established.

• Are business objectives established, communicated, and monitored? Are the key elements of the entity’s strategic plan communicated throughout the entity so all employees have a basic understanding of the company’s overall strategy? Do the entity’s strategic plan and its business objectives complement each other?

• Is a process in place to periodically review and update entity-wide strategic plans? Is the strategic plan reviewed and approved by the entity’s board of directors?

• Does the entity-wide strategic plan include IT or is there a separate IT strategic plan that addresses the technology needs of the entity to effectively and efficiently meet its strategic plan?

• Is there an adequate mechanism for identifying business risks, including those resulting from:

  — Entering new markets or lines of business?

  — Offering new products and services?

  — Privacy and data protection compliance requirements?

  — Other changes in the business, economic, and regulatory environment?

Responses/Comments (one per point above): ❏ Yes ❏ No Comments:

• Does internal audit (or another group within the company) perform a periodic (at least annual) risk assessment? If yes, does senior management review the risk assessment and consider actions to mitigate the significant risks identified?

• Does management consider how much risk it is willing to accept when setting strategic direction or entering new markets, and does it strive to maintain risk within those levels?

• Does the board of directors and/or the audit committee oversee and monitor the risk assessment process and take action to address the significant risks identified?

Mechanisms are in place to anticipate, identify, and react to changes that may have a dramatic and pervasive effect on the entity (e.g., asset/liability management committee in a financial institution, commodities trading risk management group in a manufacturing entity) or that may affect achievement of entity or process/application-level objectives.

• Are acquisitions and divestitures of significant businesses and assets well controlled (e.g., finalized after the completion of due diligence procedures, reviewed by an appropriate level of management)?

• Are there groups or individuals who are responsible for anticipating or identifying changes with possible significant effects on the entity? Are there processes in place to inform appropriate levels of management about changes with possible significant effects on the entity?

• Are budgets/forecasts updated during the year to reflect changing conditions?

• Are periodic reviews performed or other processes in place to, among other things, anticipate and identify routine events or activities that may affect the entity’s ability to achieve its objectives and address them?

• Does management report to the board of directors and/or the audit committee on changes that may have a significant effect on the entity?

Responses/Comments (one per point above): ❏ Yes ❏ No Comments:

The accounting department has established processes to (1) identify significant changes in generally accepted accounting principles (GAAP) promulgated by relevant authoritative bodies, (2) notify the accounting department of changes in the entity’s business practices that may affect the method or the process of recording transactions, and (3) identify significant changes in internal control or the operating environment, including changes as a result of new or changing regulations.

• Does the accounting department have a process in place to identify and address changes in GAAP, as well as for approving changes in accounting made to address such changes?

• Does management work with the company’s independent auditors or other third party experts to determine if they are addressing complex changes in GAAP appropriately?

• Does the board of directors and/or the audit committee review and approve significant changes in the entity’s accounting practices?

• Are there processes to ensure the accounting department is made aware of changes in the operating environment so they can review the changes and determine what, if any, effect the change may have on the entity’s accounting practices?

• Are there channels of communication between the accounting department and/or individual(s) in charge of monitoring regulatory rules so the accounting department is aware of regulatory changes that could affect the entity’s accounting practices?

• Are there processes to ensure the accounting department (and board of directors and/or audit committee) is aware of significant transactions with related parties so they can determine whether such transactions are appropriately accounted for and disclosed?

Responses/Comments (one per point above): ❏ Yes ❏ No Comments:


Evaluation of Risk Assessment: ❏ Effective ❏ Ineffective

Summarize the reasons supporting the evaluation, unless obvious:

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

Information and Communication

Information and communication systems support the identification, capture, and exchange of information in a form and time frame that enable management and other appropriate personnel to carry out their responsibilities.

Points to Consider / Responses/Comments

Information

Information systems provide management with necessary reports on the entity’s performance relative to established objectives, including relevant external and internal information, and information is provided to the right people in sufficient detail and on time to enable them to carry out their responsibilities efficiently and effectively.

• Is the entity able to prepare accurate and timely financial reports, including interim reports?

• Does the board of directors and management receive sufficient and timely information to allow them to fulfill their responsibilities?

• Are management’s objectives in terms of budget, profit, and other financial and operating goals defined and measurable? Are actual results measured against these objectives?

• Is there a high level of user satisfaction with information systems processing, including reliability and timeliness of reports?

• Is there a sufficient level of coordination between the accounting and information systems processing functions/departments?

Information systems are developed or revised based on a strategic plan that is interrelated with the entity’s overall business strategy, and is responsive to achieving the entity-level and process/application-level objectives.

• Are there appropriate policies for developing and modifying accounting systems and controls (including changes to and use of computer programs and/or data files)?

Responses/Comments (one per point above): ❏ Yes ❏ No Comments:

• Are management’s efforts to develop or revise information systems (including accounting systems) responsive to its strategic plans?

• Are there significant applications or transactions that are executed/processed by service organizations? If yes, has management documented the relevant controls at the service organization, the company, or both that mitigate the risk of errors? Are there policies for periodic monitoring of controls either at the service organization or the company and taking appropriate action to mitigate potential new risks?

Management commits the appropriate human and financial resources to develop the necessary information systems, and ensures and monitors users’ involvement in the development (including revisions) and testing of programs.

• Is the board of directors or audit committee involved in monitoring information systems projects and resource priorities?

• Does the IT organization chart clearly reflect areas of responsibility and lines of reporting and communication?

• Are there defined responsibilities for individuals responsible for implementing, documenting, testing and approving changes to computer programs that are purchased or developed by information systems personnel or users?

• Are systems conversions well controlled (e.g., completed pursuant to written procedures or plans)?

• Does financial management ensure and monitor user involvement in the development of programs, including the design of internal control checks and balances?

• Is there a high degree of cooperation and interaction between users and the IT department (e.g., procedures to ensure ongoing monitoring by the IT department of user satisfaction with IT processing and policies for the development, modification, and use of programs and data files)?

Management has established a business continuity/disaster recovery plan for all primary data centers.

• Are application programs and data files backed up regularly?

• Is there a current disaster recovery plan for the significant components of the IT infrastructure?

Responses/Comments (one per point above): ❏ Yes ❏ No Comments:

• Is there a business continuity plan that incorporates the disaster recovery plan and end-user department needs for timely recovery of critical business functions, systems, processes and data?

• Are the disaster recovery and business continuity plans tested periodically (at least annually)?

• Are the disaster recovery and business continuity plans updated for changing conditions?

Communication

Management communicates employees’ duties and control responsibilities in an effective manner, and has established communication channels for people to report suspected improprieties.

• Are the lines of authority and responsibility (including lines of reporting) within the company clearly defined and communicated?

• Are there written job descriptions and reference manuals that describe the duties of personnel?

• Are policies and procedures established for and communicated to personnel at decentralized locations (including foreign operations)?

• Is there training/orientation for new employees, or employees when starting a new position, to discuss the nature and scope of their duties and responsibilities? Does such training/orientation include a discussion of specific internal controls they are responsible for?

• Is there a process for employees to communicate improprieties? Is the process well communicated throughout the entity? Does the process allow for anonymity for individuals who report possible improprieties? Is there a process for reporting improprieties, and actions taken to address them, to senior management, the board of directors, or the audit committee?

• Are all reported potential improprieties reviewed, investigated, and resolved in a timely manner?

Responses/Comments (one per point above): ❏ Yes ❏ No Comments:

There is adequate communication across the organization to enable people to discharge their responsibilities effectively, and management takes timely and appropriate follow-up action on communications received from customers, vendors, regulators, or other external parties.

• Do employees believe they have adequate information to complete their job responsibilities?

• Is there a process to quickly disseminate critical information throughout the entity when necessary?

• Is there a process for tracking communications from customers, vendors, regulators, and other external parties?

• Is ownership assigned to a member of management to help ensure the entity responds appropriately, timely, and accurately to communications from customers, vendors, regulators, and other external parties?

Responses/Comments (one per point above): ❏ Yes ❏ No Comments:

Evaluation of Information and Communication: ❏ Effective ❏ Ineffective

Summarize the reasons supporting the evaluation, unless obvious:

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

Control Activities

Control activities are the policies and procedures that help ensure that management’s directives are carried out.

Points to Consider / Responses/Comments

Necessary policies and procedures exist with respect to each of the entity’s activities, and controls called for by policy are being applied.

• Are accounting and closing practices followed consistently at interim dates (e.g., quarterly, monthly) throughout the year?

• Is there appropriate involvement by management in reviewing significant accounting estimates and support for significant unusual transactions and non-standard journal entries?

• Is there timely and appropriate documentation for transactions?

• Does the entity review its policies and procedures periodically to determine if they continue to be appropriate for the company’s activities?

• Do members of management have ownership of the policies and procedures? Does the ownership include ensuring the policies and procedures are appropriate for the company’s activities?

Management has clear objectives in terms of budget, profit, and other financial and operating goals, and these objectives are clearly written, communicated throughout the entity, and are actively monitored. Planning and reporting systems are in place to identify variances from planned performance and communicate such variances to the appropriate level of management. The appropriate level of management investigates variances and takes appropriate and timely corrective actions.

• Is there a budgetary system?

• Does management review key performance indicators (e.g., budget, profit, financial goals, operating goals) regularly (e.g., monthly, quarterly) and identify significant variances? Does management then investigate the significant variances and is appropriate corrective action taken?

Responses/Comments (one per point above): ❏ Yes ❏ No Comments:

Page 19: Entity-Level Control Questionnaire

15

• Are variances in planned performance communicated and discussed with the board of directors and/or audit committee at least quarterly?    ❏ Yes ❏ No Comments:

• Are financial statements submitted to operating management? Are they accompanied by analytical comments?    ❏ Yes ❏ No Comments:

Duties are logically divided or segregated (whether manually or through appropriate set-up of information technology (IT) applications) among different people to reduce the risk of fraud or inappropriate actions.

• Is there an appropriate segregation of incompatible activities (e.g., separation of accounting for and access to assets, IT operations function separate from systems and programming, database administration function separate from application programming and systems programming)? Are organizational charts reviewed to ensure proper segregation of duties exists?    ❏ Yes ❏ No Comments:

• Are appropriate approvals from management required prior to allowing an individual access to specific applications and databases?    ❏ Yes ❏ No Comments:

• Are IT personnel prohibited from having incompatible responsibilities or duties in user departments?    ❏ Yes ❏ No Comments:

• Are there processes to periodically (e.g., quarterly, semi-annually) review system privileges and access controls to the different applications and databases within the IT infrastructure to determine if system privileges and access controls are appropriate?    ❏ Yes ❏ No Comments:
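The segregation-of-duties and periodic access-review points above are usually evidenced by a recurring comparison of an entitlement export against the incompatible-role pairs the questionnaire names and against the approval register. The script below is an added illustration of such a review and is not part of the Ernst & Young questionnaire or methodology; the role names, the CSV entitlement export, and the approval register are all constructed sample data for this example.

```python
"""Periodic segregation-of-duties (SoD) and access-review check.

Added illustration, not part of the questionnaire: it takes a constructed
entitlement export (user -> roles), a constructed approval register
(user, role -> approver), and the incompatible-role pairs the questionnaire
gives as examples, and returns the findings a reviewer would work from.
"""

# Incompatible role pairs drawn from the questionnaire's examples.
# The role labels themselves are assumed names for this example.
SOD_CONFLICTS = [
    ("asset_accounting", "asset_custody"),        # accounting for vs. access to assets
    ("it_operations", "systems_programming"),     # IT operations vs. systems programming
    ("it_operations", "application_programming"), # IT operations vs. application programming
    ("database_admin", "application_programming"),
    ("database_admin", "systems_programming"),
]

# Constructed sample entitlement export: one line per user, roles comma-separated.
ENTITLEMENTS = """\
user,roles
alice,asset_accounting
bob,asset_accounting,asset_custody
carol,database_admin
dave,database_admin,application_programming
erin,it_operations
"""

# Constructed sample approval register: (user, role) pairs with the recorded approver.
APPROVALS = {
    ("alice", "asset_accounting"): "cfo",
    ("bob", "asset_accounting"): "cfo",
    ("bob", "asset_custody"): "cfo",
    ("carol", "database_admin"): "cio",
    ("dave", "database_admin"): "cio",
    # dave's application_programming role has no recorded approval
    ("erin", "it_operations"): "cio",
}


def parse_entitlements(text):
    """Parse the export into {user: set(roles)}; the header row is skipped."""
    users = {}
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        user, *roles = [field.strip() for field in line.split(",")]
        users[user] = {r for r in roles if r}
    return users


def sod_conflicts(users, conflicts=SOD_CONFLICTS):
    """Return sorted (user, role_a, role_b) for each incompatible pair a user holds."""
    findings = []
    for user, roles in users.items():
        for role_a, role_b in conflicts:
            if role_a in roles and role_b in roles:
                findings.append((user, role_a, role_b))
    return sorted(findings)


def unapproved_access(users, approvals=APPROVALS):
    """Return sorted (user, role) pairs with no recorded management approval."""
    return sorted(
        (user, role)
        for user, roles in users.items()
        for role in roles
        if (user, role) not in approvals
    )


def access_review(text, approvals=APPROVALS, conflicts=SOD_CONFLICTS):
    """Run both checks over one export; the result is the review's worklist."""
    users = parse_entitlements(text)
    return {
        "sod_conflicts": sod_conflicts(users, conflicts),
        "unapproved": unapproved_access(users, approvals),
    }


if __name__ == "__main__":
    report = access_review(ENTITLEMENTS)
    for user, role_a, role_b in report["sod_conflicts"]:
        print(f"SoD conflict: {user} holds both {role_a} and {role_b}")
    for user, role in report["unapproved"]:
        print(f"No approval on record: {user} -> {role}")
```

On the sample data the review flags bob (accounting for and custody of assets) and dave (database administration and application programming) as segregation conflicts, and dave's application_programming role as lacking a recorded approval. Retaining each run's output, with the disposition of every finding, is the evidence that the periodic review the questionnaire asks about actually operates.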

Periodic comparisons are made of amounts recorded in the accounting system with physical assets. Adequate safeguards are in place to prevent unauthorized access to or destruction of documents, records, and assets.

• Has management established procedures to periodically reconcile physical assets (e.g., cash, receivables, inventories, property and equipment) with related accounting records?    ❏ Yes ❏ No Comments:

• Are physical inventories/cycle counts taken on a periodic basis and the perpetual inventory system adjusted accordingly? Are significant or recurring adjustments investigated to determine the reason for the adjustment, and are appropriate actions taken to address the reasons for the adjustments?    ❏ Yes ❏ No Comments:

• Has management established procedures to prevent unauthorized access to, or destruction of, documents, records (including computer programs and data files), and assets?    ❏ Yes ❏ No Comments:

• Is data processing access to non-data processing assets restricted (e.g., blank checks)?    ❏ Yes ❏ No Comments:

Policies for controlling access to programs and data files have been established. Access security software, operating system software, and/or application software is used to control access to data and programs. An information security function is in place and is responsible for monitoring compliance with information security policies and procedures.

• Are access security software, operating system software, and application software used to control both centralized and decentralized access to:

  — Data?    ❏ Yes ❏ No Comments:

  — Functional capabilities of programs (e.g., execute, update, modify parameters, read only)?    ❏ Yes ❏ No Comments:

• Is physical security over information technology assets (both IT department and users) reasonable given the nature of the company’s business?    ❏ Yes ❏ No Comments:

• Is critical computer data backed up daily and stored off-site?    ❏ Yes ❏ No Comments:

• Are controls in place over dial-up access to the company’s computer resources (e.g., firewalls; centralized directories to store and manage user identities and resource privileges; automated policy-based request, approval, and fulfillment process for enterprise access)?    ❏ Yes ❏ No Comments:

• Is there a dedicated security officer function that monitors IT processing activities, and are there periodic reports to the board of directors and/or audit committee on the current state of IT security at the company?    ❏ Yes ❏ No Comments:

• Are there systems to monitor and respond to potential business interruptions due to incidents stemming from malicious intrusions, and to update security protocols to prevent them? Are security violations and other incidents automatically logged and reviewed?    ❏ Yes ❏ No Comments:

• Does the company conduct periodic reviews/audits of IT security? If yes, are the results of the review/audit reported to the board of directors and/or audit committee?    ❏ Yes ❏ No Comments:

Evaluation of Control Activities: ❏ Effective ❏ Ineffective

Summarize the reasons supporting the evaluation, unless obvious:

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

MONITORING

Monitoring is a process that assesses the quality of internal control performance over time.

Periodic evaluations of internal control are made and personnel, in carrying out their regular duties, obtain evidence as to whether the system of internal control continues to function.

• Do procedures require that management review control processes to ensure that the controls are being applied as expected?    ❏ Yes ❏ No Comments:

• Are procedures in place to monitor when controls are overridden and to determine if the override was appropriate?    ❏ Yes ❏ No Comments:

• Are policies/procedures in place to assure that corrective action is taken on a timely basis when control exceptions occur?    ❏ Yes ❏ No Comments:

Management (1) implements internal control recommendations made by internal and independent auditors, (2) corrects known deficiencies on a timely basis, and (3) responds appropriately to reports and recommendations from regulators.

• Does management take adequate and timely actions to correct deficiencies reported by the internal audit function?    ❏ Yes ❏ No Comments:

• Does management respond timely and appropriately to the findings and recommendations of the independent auditors regarding internal control and policies and procedures of the Company?    ❏ Yes ❏ No Comments:

• Does the company receive findings and recommendations from regulators? If yes, does it adequately and timely address the findings?    ❏ Yes ❏ No Comments:

• Are there other quasi-audit functions (e.g., credit review in a financial institution or risk management in an insurance company) that report to management and affect the overall control environment?    ❏ Yes ❏ No Comments:

There is an internal audit function that management uses to assist in its monitoring activities.

• Is the level of staffing, training, and specialized skills adequate given the environment (e.g., use of experienced, trained information systems auditors in complex and highly automated environments)?    ❏ Yes ❏ No Comments:

• Is the internal audit function independent (in terms of authority and reporting relationships) of the activities it audits?    ❏ Yes ❏ No Comments:

• Are internal auditors prohibited from having operating responsibilities that conflict with their monitoring role?    ❏ Yes ❏ No Comments:

• Do internal auditors have direct access to the board of directors or audit committee?    ❏ Yes ❏ No Comments:

• Does the internal audit function adhere to professional standards, such as those issued by the Institute of Internal Auditors?    ❏ Yes ❏ No Comments:

• Has there been a recent quality assurance review of the internal audit function by an external party such as the company’s independent auditors?    ❏ Yes ❏ No Comments:

• Is the scope of internal audit activities (e.g., balance between financial and operational audits, coverage and rotation of decentralized operations) appropriate given the nature, size and structure of the company?    ❏ Yes ❏ No Comments:

• Is the scope of planned internal audit activities reviewed in advance with:

  — Senior management?    ❏ Yes ❏ No Comments:

  — Board of directors or audit committee?    ❏ Yes ❏ No Comments:

  — Independent auditors?    ❏ Yes ❏ No Comments:

• Does the internal audit department develop an annual plan that considers risk in determining the allocation of resources?    ❏ Yes ❏ No Comments:

• Do the internal auditors have the authority to examine any aspect of the entity’s operations?    ❏ Yes ❏ No Comments:

• Are the results of the internal audit activities reported to:

  — Senior management?    ❏ Yes ❏ No Comments:

  — Board of directors or audit committee?    ❏ Yes ❏ No Comments:

  — Independent auditors?    ❏ Yes ❏ No Comments:

Evaluation of Monitoring: ❏ Effective ❏ Ineffective

Summarize the reasons supporting the evaluation, unless obvious:

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

Overall Evaluation of Internal Control at the Entity Level: ❏ Effective ❏ Ineffective

Based on factors documented in the previous sections and any additional factors (documented below or in a separate memorandum), conclude on the overall effectiveness of internal control at the entity level (providing a basis for management’s conclusion, if not obvious).

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________


© 2003 Ernst & Young LLP. All Rights Reserved.

Ernst & Young is a registered trademark.

SCORE Retrieval File No. EE0687

www.ey.com

ERNST & YOUNG LLP