The document contains an internal control checklist with 47 questions assessing various components of internal control such as control environment, risk assessment, and control activities. The checklist probes topics like management's commitment to integrity, risk identification processes, segregation of duties, information security controls, and procedures for reporting improprieties.
Internal Control Checklist
Annex B
INTERNAL CONTROL CHECKLIST
I. ICC Probing Questions
Internal Control Component    Yes    No    Remarks

A. Control Environment

1. Do the top management and other Officials support integrity and ethical values?
2. Do the top management and other Officials lead the commitment to integrity and ethical values by example in their day-to-day activities and demonstrate through their directives, actions and behavior the importance of integrity and ethical values?
3. Are the Code of Conduct and/or Ethics policy, as well as other policies regarding acceptable practices, conflicts of interest, etc., comprehensive, and have they been clearly and adequately communicated throughout the agency?
4. Does the top management strictly prohibit circumvention of established policies and procedures, except where specific guidance has been provided? Does it also demonstrate commitment to this principle and take appropriate disciplinary action in response to violations of established policies and procedures?
5. Do the top management and other Officials act to remove or reduce incentives or temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts?
6. Does the top management give appropriate attention to internal controls, including regularly educating and communicating the importance of internal controls to its employees?
7. Does the top management show willingness to consult with the internal control reviewers or the external auditor on significant matters relating to internal control and accounting issues?
8. Do the agency’s oversight bodies give adequate consideration to understanding management's processes for monitoring risks affecting the agency?
9. Is the overall agency structure appropriate and does it facilitate the flow of information both up and down within each function, as well as across other functions? Is the structure reviewed and modified to accommodate changes in operating conditions, as necessary?
10. Are there appropriate policies for such matters as creating new Offices/Divisions/Units, reviewing potential conflicts of interest, approving transactions and implementing security practices, and are they adequately communicated throughout the agency?
11. Is there adequate supervision and monitoring of decentralized operations (including accounting and information systems personnel and services)?
12. Do the top management and other Officials demonstrate commitment to provide sufficient training to audit, information technology, technical and administrative personnel to keep pace with the growth and complexity of the agency’s operations?
13. Do the agency’s personnel have the competence and training necessary for their assigned level of responsibility and the nature and complexity of their assigned responsibilities?
14. Are there standards and procedures for hiring, training, motivating, evaluating, promoting, compensating, transferring, and terminating personnel that are applicable to all functional areas (e.g., auditing, accounting, information systems, administration, etc.)?
15. Are there screening procedures for job applicants, particularly for employees with access to assets susceptible to misappropriation?
16. Are human resources policies and procedures (i.e., written job description, Personnel Handbook/Manual) clear, and are they issued and updated on a timely basis?
17. Are Human Resource policies and procedures effectively communicated to personnel?
18. Do the top management and other Officials set realistic (i.e., not unduly aggressive) operational targets and expectations for operating personnel?
19. Is job performance periodically evaluated and reviewed with each employee by supervisory personnel?

B. Risk Assessment

20. Has the agency established and clearly communicated its mission, operating strategy, and objectives?
21. Is a process in place to periodically review and update the agency-wide strategic plans? Are these plans reviewed and approved by the top management?
22. Are feedback mechanisms in place and do they enable the agency officials to periodically assess whether agency-wide objectives have been achieved?
23. Are objectives established for agency processes? Are they clearly linked to the audit clients’ strategies and their overall objectives in support? Are the objectives clearly understood by employees responsible for achieving the results?
24. Are there adequate mechanisms in place for identifying agency risks and barriers to achieving its objectives, including those resulting from:
    - Entering new program/projects or lines of operation;
    - Taking on new policies;
    - Offering new services;
    - Complying with privacy and data protection compliance requirements;
    - Adapting to other changes in the political, social, economic and regulatory environment in terms of auditing and reporting, etc.?
25. Does the top management consider how much risk it is willing to accept when setting strategic direction and does it strive to maintain risks within those levels?
26. Do the top management and other Officials oversee and monitor the risk assessment process? Do they take action to address the significant risks identified?
27. Do the top management and other Officials prepare risk assessment of agency operations to consider risk related to fraudulent activity and how the operations could be impacted?
28. Does the assessment of fraud risk consider the opportunities for unauthorized acquisition, use or disposal of assets, altering the reporting records or committing other inappropriate acts?
29. Are periodic reviews performed or are other processes in place to anticipate, identify, and communicate to the appropriate levels of agency’s management events or activities that may affect the agency's ability to achieve their objectives, as well as avenues to address these changes?
30. Do other Officials report to the top management on the changes in both the external and internal environment that may have a significant effect on the agency?

C. Control Activities

31. Are appropriate policies and procedures developed, documented and implemented for each of the agency’s critical processes?
32. Does appropriate agency management level have ownership of the policies and procedures? Do the process owners review the policies and procedures periodically to determine if they continue to be appropriate for their own activities?
33. Is there an appropriate segregation of incompatible activities within span of control?
34. Is the physical security over the agency IT assets reasonable given the nature of its operations?
35. Are policies and procedures clearly communicated to personnel to ensure that they are applied consistently and conscientiously?
36. Are job roles, responsibilities, and related system/access privileges periodically reviewed for proper segregation of duties?
37. Do the top management and other Officials receive relevant, sufficient and timely information to allow them to fulfill their responsibilities?
38. Has the agency management documented the relevant controls that mitigate the risk of errors in information systems?
39. Does the agency's information system generate information that is of sufficient quality to support the effective operation of controls? Has management developed and implemented controls related to: completeness and accuracy of data; capture of data at the necessary frequency; providing information when needed; protection of sensitive data; retention of data complying with (relevant) audit and regulatory needs?
40. Is there a current agency continuity plan and disaster recovery plan for the significant components of critical functions and processes, including IT infrastructure, network components, operating system components, databases, applications and data files? Are these plans tested at least annually and updated for changing conditions?
41. Are application programs and data files backed up regularly?
42. Is there a process to quickly disseminate critical information throughout the agency when necessary?
43. Are policies and guidance generated and used throughout the agency adequate, and do they contain sufficient and meaningful information so that its officials and employees can measure actual results against their objectives?
44. Are agency employees' roles and responsibilities communicated clearly and effectively (i.e., through written job description, reference manuals) by top management? Are these roles and responsibilities uniformly understood?
45. Are all reported agency employees’ potential improprieties reviewed, investigated, and resolved in a timely manner? Is the top management notified of improprieties and the actions taken to address them?
46. Is there an Ethics Hotline or any process which provides employees with an anonymous and confidential channel through which they can report, among other things, complaints related to overall operations, accounting, internal controls over financial reporting, or auditing matters?
47. Is the availability of the Ethics Hotline well communicated throughout the agency? Are the procedures in place to appropriately handle the receipt and retention of any issue raised? Does management treat all issues raised with serious concern for confidentiality, integrity, and ultimate resolution?
48. Is the Agency able to prepare accurate and timely financial reports (or operations reports), including interim reports?
49. Are external stakeholders satisfied with the agency’s systems for transaction and information processing, including the reliability and timeliness of reports it produces?
50. Is there a process for tracking communications to the public, vendors/suppliers, regulators, and other external parties? Is ownership assigned to members of the agency management to help ensure that it responds appropriately, promptly, and accurately to these communications?

E. Monitoring

51. Do the top management and/or other Officials review the agency’s operational process controls to ensure that the controls are being applied as expected?
52. Are agency procedures in place to monitor when its operating controls are overridden and to determine if the override was appropriate?
53. Do the internal control reviewers have the authority to examine any aspect of the agency's operations?
54. Are agency policies and procedures in place to ensure that corrective action is taken on a timely basis when control gaps or exceptions occur?
55. Do the top management and/or other Officials take adequate and timely action to correct its internal control deficiencies reported by the Internal Audit Office, audited agency external auditor and/or other parties (e.g., consultants)?