Internal Control Evaluation Questions

8/12/2019 Internal Control Evaluation Questions

http://slidepdf.com/reader/full/internal-control-evaluation-questions 1/27

Message to students:

I’ve let all the questions as they were written on the pieces of paper you’ve handed over tome and I’ve added some extra questions taken from the Internet and my own briefexperience with internal control standards.

I hope that the question-building exercise has been a good opportunity for you to revisitprevious courses such as business management change management business ethics andeven the quality management and performance classes taken so far I’ve seen traces ofconcepts and ideas from these courses in your questions and I’ve also seen lots of signs ofingenuity and creativity. Use these questions wisely in writing your projects and rememberthat if you start with the right questions you will end up somewhere very interesting.

Standard 1 – Ethics and integrity

Definition: The organization provides the necessary conditions such that allemployees are aware of the regulations that govern their behaviour and theprevention and reporting of frauds and irregularities.

Associated documents: code of ethics, integrity code, signed document ofacceptance of integrity standards, organizational newsletters/emails, employeesurveys regarding ethical behaviour, the internal regulations regarding the ethicscommittee, the decisions of the ethics committee, etc.

Questions to ask:

1) Are all employees knowledgeable about the ethical standards in the organization?Who is responsible for this? What proof do we have?2) Is there a code of ethics? Are there guidelines for its application?3) Are the employees given access to ethical trainings or ethical guidance?1. Does the entity have a code of ethics?2. Does the entity have a policy for whistleblowing?3. Does the entity have a policy regarding hiring relatives?4. Does the entity have an ethics committee? Is the ethics committee taking sounddecisions which enforce the entity’s values? 5. Does the entity have a procedure for the employees who want to signal

irregularities? Is this type of behaviour supported by management?from Balto ș Mihaela, Bo școdeal ă Bogdan, B ă nic ă Bogdan, Sasha Belinskii:6. What are some of the newer ethics concerns?7. What is the main activity of the ethics committee?8. How are the members of the commission delegated?9. How do the employees know that they make the right decision?10. Who is responsible for training the employees in regards to ethics?11. How can someone complain about the ethics of a company?



12. Who is responsible for the complaints?13. Who can modify the code?14. Which are the activities performed in order to remind the employees on ethicsconcerns?15. How useful are penalties applied for breaching the ethical codes?

16. Which are the common penalties applied?17. Is following the rules of conduct more important than obeying the law?18. Does a change in politics affect the ethics code?19. Does ethical behaviour affect the level of profit?20. Is the protection of environment included in your ethical code?

from Nae Lauren ț iu, Pătru ț ă Oana Cristina:21. Where is the code of conduct placed and who supervises its implementation?22. Is the Intranet monitored in any way so that fraud, bribery or irregularitiesoccur between the co-workers?23. How is the manager verified if transparency, honesty and conformity with laware well implemented?24. If procedures are subject to change, how long does it take for it to take effect?25. How are employees taxed if they go against regulations?26. Does the manager have the last word when it comes to decision making processin his department?27. In case the department is hiring and there is an imbalance gender-wise, doesthe manager try to balance it out?28. How is overtime treated in company?29. Who does the evaluation of the staff?30. How does the company prevent or punish information leaks?31. If ethics is a big deal, how are you supposed to “tell on” somebody when it could

be a sort of moll or snitch behaviour?Standard 2 – Attributions job positions and work duties

Definition : The organization permanently actualizes and sends its employees:the document regarding the mission of the organization, the internal regulationsand the job description.

Associated documents : job descriptions, internal regulations (regulamentintern de functionare sau regulament de organizare si functionare), job analysisreports, job audit reports, etc.

Questions to ask :

1. Does the entity have a written mission?2. Does the entity have internal regulations?3. Are these documents made available to all employees?4. Do the entity’s employees have access to their job descriptions?



5. Do the employees receive sufficient support from the management to performtheir work duties?

courtesy of Svenja Groll, Laura Gauvrit:6. Do you have a meeting with manager and employees periodically to discusscertain roles in company and plan development? – individual interview

7. Do description vacancies contain every single duty?8. Is the company structure of duties clear to every employee?9. How does company support employees if they achieve goals? – rewards?10. Is there some sort of document to define individual roles in organization?11. Who does the interviews?12. Who sets up job descriptions? Who distributes tasks?13. Who takes decisions about rewarding employees?14. Does every employee know which tasks and duties he especially/individuallyhas?15. Is every employee motivated to achieve goals in company and develop?16. Do the employees really achieve their set goals?

courtesy of the Internet:17. Are the internal regulations complete and updated?18. Is each job description accurate and clearly linked to the job positions withwhich it interacts vertically and horizontally?19. Are there any areas of overlap among job descriptions found in each departmentor in the whole organization?20. How often are job descriptions analysed and updated if necessary?

Standard 3 – Competence and performance

Definition: The manager ensures that all job positions are occupied byqualified personnel, who receive only work duties according to their qualificationsand ensures the proper conditions for the professional development of thepersonnel.

Associated documents: recruitment procedures, recruitment tests, jobrequirements (matrix), employee qualifications, training plan and procedures,history of training sessions, personal development plan, evaluation plan andprocedures, evaluation standards, evaluation results, etc.

Questions to ask:

1. Does each job position have a clear description of responsibilities and requiredqualifications?2. Is the recruitment process done in an organized manner? Does the manager havea job interview questionnaire for each job position?3. Does the entity check each employee’s credentials?



4. Is there a job performance evaluation policy which explains the criteria forevaluation of each job?5. Are all job positions occupied by qualified personnel? Is there any training policyin the organization?

courtesy of Louet Adeline:

6. Does the manager discuss the performance review?7. Does there exist a specific standard of evaluation?8. Which are the steps of evaluation of competence?9. Based on what qualities the performance will be evaluated?10. Which criteria are analysed on the software test?11. What are the required qualifications?12. Who is in charge of performing the evaluation?13. About what kind of experiences are we talking?14. Are the university studies enough for attending at this job if the person hasnecessary experience?15. What kind of recruitment does the manager use for an interview?16. What are the criteria for the manager in order to find the better employee for akind of job?17. What qualification should the future employee have for a job?18. How should the future employee process to have a good qualification, moreprecisely, knowledge, abilities and experience?

courtesy of Balto ș Mihaela, Bo școdeală Bogdan, Bă nica Bogdan, SashaBelinskii:19. Do the employees have constant trainings in order to improve themselves?20. Do the employees have on the job or off the job training?21. Do all the employees know their responsibilities?

22. How are the employees supervised?23. How many levels of supervisors does the entity have?24. How does the manager support the employees to perform their duties?25. Who can fire the employees besides the manager?26. If the employees are doing more than necessary are they rewarded?27. Which is the maximum overtime an employee can work before it affectsefficiency?28. How does the manager plan the strategy for the employees?29. Is the manager aware of the responsibilities of the employees?30. How is the organizational culture implemented for the new employees?

courtesy of Dianu Cătălina Simona, Cercelaru Mădălina, DiaconescuMichael Adrian, Folea Andrei, Cîrlig Daria:31. Is there a way to find out how incompetent are the employees in an effectivecompany?32. Is there an independent oversight to support the findings of the company?33. Is there a standardised way to ensure that employees who share the same job,share the same competence level?34. It is the experience important to ensure competence in the work place?



35. How does the company evaluate the competence of its employees?36. Is there a way to ensure that employees who have certain competences are givesthe appropriate position?37. Is there a way to verify that favouritism isn ’t practices when checking forcompetences?

Standard 4 – Sensitive job positions

Definition : The public entity identifies the job positions considered sensitiveand establishes an adequate politics for rotating the employees who have takenthese positions.

Associated documents : list of sensitive positions, procedure toevaluate/establish sensitive positions, list of persons employed in sensitivepositions, rotation plan, etc.

Questions to ask :

1. Does the entity have a list of all sensitive job positions?2. What are the criteria based on which the entity decides that a job positions issensitive?3. Does the entity have plans to rotate the employees in sensitive positions onceevery 3-5 years?4. Does it have mechanisms which ensure that these job rotations do not affect theactivity of the entity?5. Does the entity have a list of employee’s names on sensitive job positions?

courtesy of Br ă tulescu Miruna, Burghelea Octavia, Ani ț a Diana, CristianBordea, Alexandru Sava:6. What are the negative effects of job rotation?7. On which criteria is the plan for job rotation formulated?8. What are the skills needed for sensitive job positions?9. What are the opinions of the employees regarding rotation?10. What are the risks that a company faces when it adopts the job rotationprocedure?11. In which department is it the most difficult to adapt after rotation?12. Which department is the most accessible to adapt?13. Does job rotation affect the performance of the company? If yes, in what way?14. Does the rotation apply to management?

courtesy of Nicolae Ciprian, Nitu Alexandru, P ătrănoiu Radu :15. Does the list reflect the risk within the relation between the sensitive jobs andthe objectives of the company?16. Who is responsible for implementing the standard?17. Do you have a mechanism in place in order to prevent the effects of personnelrotation?



18. Who is supervising the employees’ r otation?19. Do you have a policy for the sensitive job positions?20. Is the policy efficient in the company?21. What actions do you think should be taken in order to improve the policy?22. Do you have any criteria for the recruitment of the personnel for the sensitive

position?23. What are the actions taken by the management when an employee in a sensitiveposition resigns?24. Who is responsible for recruitment on a sensitive position?25. What timeframe does an employee on a sensitive position have?26. Do you think having a sensitive job position policy is a competitive advantage?Why?

courtesy of XX:27. Who is responsible for detecting such jobs?28. How often do you conduct an analysis for such jobs?29. how many people handle the process?30. How often do you rotate the employees?31. On what grounds do you rotate the employees?32. Does the rotation modify the payment of that employee?33. Is the policy applicable to all sensitive job positions?34. To what extent do you let the personnel handle classified information aboutemployees?35. How often are employees informed about the modifications in the company?36. How are the employees trained to handle these rotations?37. Is the CEO involved in the rotation process?38. Can an employee be fired during a rotation cycle?

39. How many times can an employee handle the same job?40. Is a rotation procedure costly?41. Is a rotation procedure affecting the clients in any way?42. Is the human resources department involved in the rotation procedure?43. Are employees satisfied by the rotation procedure?

Standard 5 – Delegation

Definition : The manager establishes, in writing, the limits of the competencesand responsibilities which he/she is delegating.

Associated documents : procedure for delegation of authority, delegation ofauthority agreement, etc.

Questions to ask :

1. Is there a policy concerning the delegation of authority in the entity?2. Are there documents which have to be signed by all parties involved?



3. Are there proper rules in regards to the responsibilities which can be delegatedand the employees to which these can be delegated to?

courtesy of Br ă tulescu Miruna, Burghelea Octavia, Ani ț a Diana, CristianBordea, Alexandru Sava:4. Does the employee have the necessary knowledge for his/her delegated task?

5. How do the employees find out about the delegation?6. Is there a special training for the delegated employee?7. Is the employee presented with the risks of this delegation?8. Does the manager have a list with the potential employees for the delegation?9. How does the manager choose the employees to be delegated?10. Do delegated employees have certain benefits?

courtesy of Mois ă Laura :11. What is the criteria based on which one delegated the tasks?12. Does the task division always match the job description?13. Is there any sort of written agreement regarding delegation?14. Who is in charge of task division? Is it the manager in yourcompany/organization?15. Why is the decision making authority delegation essential in yourcompany/organization?16. What are the main steps taken when delegating?17. What is the strategy?18. When is the redelegation needed?19. Was there any case when delegation was not effective when it came to legalmatter?20. Is there anything to improve when it comes to your delegation policy?21. Which are the sources of authority in your organization?

22. Is there any document mentioning how to establish delegating authority?23. Is the delegation directive applicable to all your departments and activities? Ifnot, which are the exceptions?24. How often, statistically speaking, do you use program delegation?25. Is it stipulated anywhere that the personal delegation of authority is to beexercised by one and only one individual?26. What are the main responsibilities of the assistant secretary?27. What qualification should the principal officers have?28. What is the difference between position delegation and personal delegation?29. Is there, if any, communication at any level between the delegator and thedelegate?30. Whom should the delegated person report to and when?31. Is this approach effective on the long term?

courtesy of Manea Stephanie, Iorganda Cristina, Alexandra Iancu, AndraIliescu:32. When the manager is out of office, do you delegate responsibilities?33. What are the criteria used for choosing the delegate?34. Do you have only one or more delegates?



35. Do you monitor the delegates’ activities? 36. How did the delegates manage in the past?courtesy of XX:37. Are all employees allowed to delegate within the company?38. What are the responsibilities of the delegated person?

39. On what grounds can the person delegated be changed for another one?40. Is there a selection process for delegating a person?41. What is the process of delegation consisting of?42. What are benefits of being delegated?43. Is the salary of the delegated person influenced in any way?44. Can the delegated person delegate someone to do the job as well?45. Is there any system to centralise the delegations?46. What happens when the person delegated is unavailable?47. Is there a policy concerning what one can and cannot delegate?48. Are there any penalties for the delegated person is it fails to complete the tasks?49. Are there any penalties for the person who delegates?50. Can one person delegate more than one employees for the same job?51.What are the requirements of the delegated person?52. When does a delegation end? Is there a deadline?53. Is there a communication scheme between the delegators and the delegatedperson?54. Is there any formal of internal control for delegation?

Standard 6 - Organizational structure

Definition: The public entity defines its own organizational structure, the

competences, responsibilities, duties and obligations to report for each structuralcomponent and informs its employees in writing.

Associated documents: organizational chart, organizational structure auditreports, mission statement and strategy, etc.

Questions to ask:

1. Does the entity have an organizational chart including all personnel?2. Is the organizational structure appropriate for the size and complexity of theentity? Are there any frictions between departments/employees?3. Are the lines of authority and responsibility clearly defined?

courtesy of Edouard Bianco, Bernieke Roetert, Mură ri ț a Radu-Ionu ț :4. What does the competence refer to when involving a job position?5. How do they carry their plans?6. Does the organizational chart show all the responsibilities associated with the jobposition?7. How does the organizational chart look like?



46. Who says how involved the CEO must be?47. In which situation do you have to change the organizational structure?48. How do you implement the changes?49. Clear chain of command/line of authority?

courtesy of Cordo ș Anto nia, Decu Cristina Loredana, Dră ghici Claudia,

Enache Lumini ț a, Du ț u Tiberiu, Azutigah Faustina:50. Does the company have a job description for every post?51. Who is responsible for each department in the company?52. What kind of company it is? (private or public)53. What kind of structure does the company have? (horizontal or vertical)54. What is the area of activity of the company?55. Who is responsible of writing the job description?56. How many employees does the company have?57. Does the company have a board of directors?58. Is the decision making process a centralized one or decentralized?59. How many jobs are available in the company at this moment?60. Is it a fast growing company or a slow one?61. What is the minimum level of education needed?62. Do they accept internship positions?63. Does the company have an organizational structure?64. Are the responsibilities for each employeees well defined?65. Do they offer training for emplooyees?66. Who is responsible of defining new positions?67. Who is responsible for with the evaluations of the employees/68. Do the employees report to the line manager or the general director?

CATEGORY TWO: Standards regarding performance and riskmanagement

Standard 7 – Objectives

Definition: The public entity has to establish its defining objectives, related tothe purposes of the entity, as well as the complementary objectives, related toinformation viability, conformity to law, internal regulations and policies and tocommunicate the objectives to all its employees and interested parties.

Associated documents: strategic plans, procedure for strategic planning,webistes and booklets used to communicate objectives to employees, etc.

Questions to ask:

1. Does the entity have clear strategic objectives?2. Are these objectives translated into operations objectives for each department?



3. Are these objectives SMART?4. Are the objectives of the entity related to the entity’s mission? 5. Are the entity’s objectives communicated to all employees?

from Negru Dan, Garayev Javid, Merlu șcă Ionu ț :6. What the public entity has to establish?

7. What the public entity has to relate?8. How many general requirements are stipulated in standard 7?9. The general objectives and the mission of public entity are having the sameagreement?10. How should the objectives be?11. What mission do you have?12. What responsibilities have the chief of production department?13. What actions is having the manager of the company?14. How many departments do you have in the company?15. How many departments in your company are sufficient in order to implementyour objectives?16. In order to implement your strategic plan, how should you train youremployees?

from Butucea Daniela:17. Are the company’s objectives legal? 18. Are the objectives respecting the internal regulations and policies?19. Can these objectives be achieved with the existing resources?20. Can these objectives satisfy the needs of the employees and customers?21. Are the entity’s objectives understood be every employee and interested party? 22. Are these objectives relevant for the stakeholders of the company?23. Does every employee know his/her specific objective in the company? Is it in

accordance with the entity’s ones? 24. Have all departments established their objectives in accordance with th e entity’spurposes?25. Are all the employees qualified enough to reach these objectives?26. Can these objectives be accomplished in due time?27. Are the entity’s objectives clearly detailed and verified so that they are theaccurate ones?28. Are the activities of the entity covering its all defined objectives?29. Are these objectives realistic or can they be achieved with the existing funds?30. Does the entity revise often its initial objectives?31. Are the results for each activity of each department in accordance with theentity’s objectives?

Standard 8 - Planning

Definition : The public entity draws up plans which put in agreement theactivities required to attain its objectives with the maximum amount of resources,so that the risks to not realize the objectives are minimum.



Associated documents : strategic plans, operational plans for each

division/department, employee personal development plans, procedure regardingplanning activities, etc.

Questions to ask:

1. Did the management establish strategic and operational plans to achieve theorganization’s goals? 2. Do these plans clearly describe objectives to be achieved, the methods to be used,how resources are organized and the timeline for completion?3. Do these plans include financial budgets?4. Are these plans communicated to personnel responsible for implementing them?5. Are the plans converted into specific tasks that are assigned to specificemployees?

courtesy of Pătr a șcu Anca:6. Are there any risks not to realize the objectives?7. Who draws up the plans?8. How are the objectives attained?9. What does planning refer to?10. What are the factors that influence the degree of detailing the structuring of theplanning process?11. What are the types of plans?12. What do plans depend on when establishing their types?13. What is specific for the multiannual plan?14. What type of process is planning?

15. Are there any requirements in case a change in the plan intervenes?16. How should the allocation of resources be made?17. What do factors like the size of the public entity and the decisional structurehave the most influence on, in the planning process?18. Is there any correlation between the number of resources used and the risksregarding the realization of the objectives?19. What should we have in mind when allocation resources?20. What do plans put in agreement in order to have minimum risks in realizing theobjectives?21. What is the correlation between planning and management?22. When should the plan be updated?

courtesy of Bulm ă u Veronica:23. What degree of flexibility do your plans have?24. Is the entire managerial team involved in the planning?25. When and how are operational plans established?26. Do these plans include specific objectives for each department of the company?27. How do you submit for approval these plans?



28. For how many years (what period of time) do you establish your multiannualplans?29. Is the evaluation of the extent to which the plans have been respected andachieved corresponding with the closing of the financial year?30. When assessing the conformance with the plans, how do you penalize not

respected plans and how do you reward performance?31. Do you have a periodical checking of how plans are put in place?32. Do you provide guidance and do you take corrective actions to ensure therealization of the plans?33. Do you maintain a culture of or Do you conduct your activities resorting toDeming’s cycle: PDCA (Plan -Do-Check-Act)?34. How often are you willing to revise your planning in order to update it to newinternal needs or what’s happening in the external environment? 35. Are you conducting on an annual basis SWOT analysis and analyzing Porter’sfive forces model in order to adapt your plans for the following period?36. Is your annual plan a detailing or a more complete version of the general andbroader objectives comprised in the multiannual plans?37. In what proportion are generally your plans actually realized? Are you satisfiedwith the degree of completion of the initial plans?

courtesy of Ionu ț Rus and Elena Gu șanu:38. Describe the entire process of planning in your company?39. Planning involves the creation of a plan. Who comes up with that plan?40. What is planning?41. What’s the hardest part of planning? 42. Who identifies the company’s goals, needs, wants? 43. What type of plan does the company want to implement? Annual

plans/multiannual plans.44. What are the measures for multiannual plan in order to achieve the goals?45. Who formulates the alternatives if the plan is not working?46. Who evaluates the alternatives if the plan is not working?47. Who is responsible for the failure of the plan?48. Do they have information regarding financial resources?49. Do you reconsider your plan during the implementation process?40. Who participates in the planning process?

Standard 9 - Coordination

Definition : In order to achieve its objectives, the decisions and actions of thestructural components of the public entity have to be coordinates to ensureconvergence and coherence.

Associated documents : meeting briefs or minutes, organisational structure,procedures regarding consultative decision making,



Questions to ask :

1. Does the entity involve all departments/divisions when setting strategicobjectives?2. Does top management organize regular meetings with head of departments?

3. Do head of departments organize regular meetings with their departmentmembers to explain department goals and allocate tasks?4. Are the entity’s goals clearly communicated to each employee so that they knowexactly how they are contributing to reaching the goals?

courtesy of Abdi Abdel Rahman, Mustafa Zurfat, Arsenescu Vlad, AssoumBassam:5. How does the top management know that the employees have information aboutthe various tasks?6. How can a specialized structure help the management coordinate activities?7. Should the employees bear in mind the consequences of their actions on theentire public entity?8. What are the consequences if the employee fails to understand the activities ofthe entire public entity?9. Does efficient coordination require pre-consultation inside and between thestructures of the public entity?10. How does the pre-consultation help the public entity in order to have efficientcoordination?

courtesy of Că lin Ioana Cristina, Catargiu Oana Mihaela, Ciubotaru Adrian,Cioacă Alexandru, Federovici Adrian:11. Are the tasks within the company coherent?12. Are they comprehensible?

13. Are they comprehensive?14. Are managers responsible for team failures?15. Do all the departments have the same strategic objectives?16. Do they have regular meetings at the level of heads of departments?17. Do employees beside managemenet have meetings?18. Is the communication between departments effective?19. Is the communication between heads of departments and subordinates effective?20. Does the company have an internal magazine?21. Does the magazine help them maintain their coordination to obtain thecompany’s objectives? 22. Does the company have an intranet?23. Are responsibilities communicated through the intranet?24. Does the intranet improve the allocation of resources throughtout the company?

Standard 10 – Monitoring performance



Definition : The public entity ensures the monitoring of performance for eachpolicy and activity using relevant quantitative and qualitative indicators, includingthose referring to economy, efficiency and effectiveness.

Associated documents : performance/activity reports, financial reports, HR

reports, reporting procedures, etc.

Questions to ask :

1. Does management receive regular reports on the activities of the entity?3. What type of reports is management receiving?2. Who is responsible for the compilation of these reports?4. Does the management have a clear evaluation policy for the reports?

courtesy of Abdi Abdel Rahman, Mustafa Zurfat, Arsenescu Vlad, AssoumBassam:5. What tools for monitoring are used?6. What indicators should we look for?7. How strict should policies be according to the type/size of the company?8. What should the management receive from the activities of the public entity?9. What happens when the management rarely received reports?10. How does the management evaluate the performance of the entity?11. What types of corrective measures are applied?12. From who or what department do we receive reports?13. How do objectives of a company influence monitoring?14. How do employees access information?

courtesy of the Internet:

15. Is progress toward goal achievement periodically assessed?16. Does this periodic assessment include comparison of actual financial data tobudgets and explanation of variances?17. Is this assessment based on reliable and objective measurements?18. Is this assessment done timely and at a frequency that allows timelyadjustments?19. Are the results of the progress assessment shared with personnel responsible foraction?20. Are the responsible personnel requested to take action to modify the goals oradjust the plan and processes?21. Does management follow up to ensure that the appropriate action was taken?

courtesy of Călin Ioana Cristina, Catargiu Oana Mihaela, Ciubotaru Adrian,Cioacă Alexandru, Federovici Adrian: 22. Are there regular evaluation of performance?23. Does the company have annual reports issued?24. Does the complexity of taskes affect the monitoring process?25. Are the annual reports public?26. Are they using financial indicators to monitor performance?



27. What kind of financial indicators do they use?28. Does the company have an internal audit?29. After analysing the reports, does the company take corrective measures?30. Does the company measure employees’ p erformance by how fast and efficientcomplete their task?

31. Is the audit committee independent from the company’s management?

Standard 11 – Risk management

Definition: The public entity systematically analyses, at least once a year, therisks of its activities, elaborates the corresponding plans in order to limit thepossible consequences of these risks and names the responsible employees for therealization of those plans.

Associated documents : risk register, risk assessment policies, risk alertdocument,

Questions to ask:

1. Does the entity have a risk register?2. How often is the risk register evaluated and changed?3. Who is responsible for risk identification?4. Are all risks treated in a proper manner?

courtesy of Abdi Abdel Rahman, Mustafa Zurfat, Arsenescu Vlad, AssoumBassam:

5. How many levels of risk are there?6. Who has the obligation to create and maintain a system of international andmanagerial control?7. What are the obligations of the manager?8. How can we evaluate risk?

courtesy of the Internet:9) Are there qualitative and quantitative methods properly used to identify risksand determine risk rankings on a scheduled and periodic basis?10) How is risk identified, ranked, analysed and mitigated and communicated toappropriate staff?11) Is risk identification and discussion a subject of senior level managementmeetings?12) Does risk identification take place as a part of short-term and long-termforecasting and strategic planning?13) Are risks identified at the employee and mid-management level brought to theattention of senior-level managers?



14) Are the risks posed by external factors taken into consideration? (E.g.legislation changes, new regulations, technological advancements, business,political and economic changes, major suppliers and contractors)15) Are the risks posed by internal factors taken into consideration? (E.g.downsizing, business process reengineering or redesign of operating processes,

disruption of information systems processing, availability of backup systems, lack ofqualification of personnel, heavy reliance on contractors or other related parties toperform critical operations, unusual employee access to vulnerable assets, inabilityto provide succession planning and retain key personnel, inadequacy ofcompensation)16) Are past failures taken into consideration?17) Are there criteria for determining low, medium and high risks?18) Are all the appropriate levels of management and employees involved in the riskanalysis?19) Are there decisions on how to best manage or mitigate the risks and whatspecific actions should be taken?

Standard 15 –Hypotheses re-evaluations

Questions to ask:

1. Does the entity regularly evaluate the external and internal environment to see ifit matches the hypotheses used when setting the goals?2. Does the entity have regular meetings to discuss changes in the environment anddecide upon necessary measures?

courtesy of Anghel Ioana-Cristina:3. Who has the task of analysing the internal environment?4. Who has the task of analysing the changes in the external environment?5. How were the hypotheses initially established?6. Was there a meeting?7. Who participated in the meetings?8. Who had the greatest input and influence during those meetings?9. When do you decide that it is time to re-evaluate those initial hypotheses?10. Who takes the decision to modify the hypotheses?11. How do you actually make the modifications?12. Who is involved in this process – what people in the company?13. How are the decisions communicated inside the organization?14. Who in the enterprise re-evaluates the objectives?15. Are the objectives changed in accordance with the changes in the hypotheses?16. How often does this enterprise take into consideration to re-evaluate thehypotheses by analysing the changes in the environment?17. How important is in your organization the evaluation of the internal andexternal environment?



18. Did the hypothesis re-evaluation help you so far from a competitive point ofview?19. If the a nswer is “yes”, how did it help your organization? 20. Analysing the internal and external environment and re-evaluating the previoushypotheses occupies an important role in your management style?

CATEGORY THREE: Standards regarding information andcommunication

Standard 12 – Information

Description : The public entity establishes the types of information, thecontent, the frequency, quality, the sources and recipients of the information so thatthe managers and the employees, by receiving and transmitting information, areable to fulfill their duties.

Associated documents : procedures regarding levels of access to information,security, information gathering, documentation of information flows (diagrams),information system audit reports

Questions to ask:

1. Is internally generated information critical to achieving the entity’s objectivesidentified and regularly reported to management?2. Does the entity obtain and report to managers any relevant external informationthat may affect the achievement of its mission, goals and objectives particularlyrelated to legislative or regulatory developments and political or economic changes?3. Do managers receive analytical information that helps them identify specificactions that need to be taken?4. Is information provided at the right level of detail for different levels ofmanagement?5. Is information summarized and presented appropriately and provides pertinentinformation while permitting a closer inspection of details as needed?6. Is information available on a timely basis to allow effective monitoring of events,activities and transactions and to allow prompt reaction?7. Is the information systems management based on a strategic plan for informationsystems that is linked to the entity’s overall strategic plan?8. Is there a mechanism for identifying emerging information needs?9. Are improvements in technology monitored, analyzed, evaluated and introducedto help the entity respond more rapidly and efficiently to those it serves?



10. Does management continually monitor the quality of the information captured,maintained and communicated as measured by such factors as appropriateness ofcontent, timeliness, accuracy and accessibility?11. Is management allocating enough human and financial resources for thedevelopment of the information system?

12. Does each employee have access to the information required to perform his/hercurrent activities?13. Is this information easy to find, complete, easy to understand and updated?14. Is access to information given on a need-to-know basis or is information freelyavailable to all employees?15. Who is responsible for establishing the needs for information of each employee?16. Who gives access to information to each employee?17. Does the entity perform audits on its information system regularly?18. Does the entity monitor information leaks and does it have a procedure tohandle these situations?19. Does the entity regulate the information that reaches the external environment?20. Does it have clear procedures for information protection and externaldissemination?

Standard 13 – Communication

Description : The public entity must develop an efficient system for internaland external communication which ensures a rapid, fluent and precise diffusion ofinformation, so that it arrives complete and in time to its users.

Associated documents : public relations policy, customer relationship policy,internal communication manual/guide, training plans for interpersonalcommunication skills, strategies for team building, communication audit reports,etc.

Questions to ask :

1. Are there any mechanisms to ensure the easy flow of information down, acrossand up the organization?2. Is there communication between functional activities such as betweenprocurement activities and production activities?3. Does the personnel have a means of communicating information upstream withinthe entity through someone other than a direct supervisor and is there a genuinewillingness to listen on the part of management?4. Do employees indicate that informal or separate lines of communications existwhich serve as a “fail -safe” control for normal communications avenues?



5. Does the personnel understand that there will be no reprisals for reportingadverse information, improper conduct, or circumvention of internal controlactivities?6. Does management communicate frequently with internal oversight groups suchas senior management councils and keep them informed of performance, risks,

major initiatives and other significant events?7. Have open and effective communication channels ben established with customers,suppliers, contractors, consultants and other groups that can provide significantinput on quality and design of entity’s products and services? 8. Are all outside pa rties clearly informed of the entity’s ethical standards and dothey understand that improper actions will not be tolerated?9. Is communication from external parties encouraged since it can be a source ofinformation on how well internal control is functioning?10. Are complaints or inquiries from customers welcomed?11. Is management using effective communication methods such as policy andprocedures manuals, management directives, memoranda, bulletin board notices,internet and intranet web pages, videotaped messages, e-mail and speeches?12. Are there special structures created in the organization responsible for handlingcommunication with suppliers, customers, etc.?13. Is the communication with the external environment done in a timely, completeand satisfactory manner?14. Do employees have at their disposal the necessary means to communicate witheach other and upper management so that they achieve their goals efficiently and intime?15. Is the management encouraging communication between the employees workingon the same project? Does the entity have procedures/strategies to improve

communication between its employees?16. Does the entity regularly audit its communication processes and strategies?17. Does the entity have a crisis communication plan?18. Did the entity perform a stakeholder analysis to identify all the relevant partiesthat it has to communicate with?19. Are all the relevant stakeholders covered by the entity’s communication policy? 20. Is the overall communication strategy of the entity congruent with its missionand values?

Standard 14 – Correspondence and archives

Description : The public entity organizes the reception/expedition, registrationand archival of correspondence so that the system is accessible to the manager,employees and interested parties with attributions in these matters.

Associated documents : correspondence policy, correspondence archive(nomenclator arhivistic), archived documents.

Questions to ask :



1. Are all the relevant communication lines properly monitored so that all incomingcorrespondence is acknowledged, registered, and sent to the right personnel forhandling?2. Is all relevant past and current correspondence archived and easily accessible? Is

the entity using an appropriate strategy to ensure that archives are well organizedand easy to use?3. Does the entity have a list and a description of all relevant correspondencedocuments that are to be archived along with the technological means used toarchive them?4. Has the entity defined different categories of correspondence which requiredifferent storage and retention strategies?5. Does the entity have in place clear procedure with respect to the registration ofthe incoming correspondence based on the type of communication channel used?6. Does the entity have in place clear procedure with respect to the transmittal ofoutgoing correspondence based on the type of communication channel used?7. Does the correspondence policy ensure that all the received and transmittedinformation arrives at its destination in a timely and uncompromised manner?8. Does the entity have the necessary technological resources to archive all theimportant correspondence?9. Is each piece of correspondence traceable inside the organization? Does the entityknow for all internal and external correspondence where it was issued, who issuedit, when it was received, who received it, what was its flow through the entity andwhere it ended up?10. Is there a special organizational structure inside the entity responsible forcorrespondence monitoring and archival?

11. Does the entity have a standard formatting for all internal and externalcorrespondence?12. Does the entity have access to all correspondence channels required for propercommunication with internal and external stakeholders (e-mail, fax, postal address,etc.)?

Standard 16 – Signaling irregularities

Description : The employees, notwithstanding the communication they realizein relation to the achievement of their objectives, also have the possibility to signalirregularities based on a distinct procedure, without being victims of an unethical ordiscriminatory behavior.

Associated documents : procedures referring to methods of signallingirregularities, reports regarding irregularities, action plans based on signalledirregularities, etc.

Questions to ask :



1. Is there an established way for employees to signal irregularities to theirsuperiors and upper management?2. Does the information system allow employees to send reports of irregularities toupper management?

3. Does the entity’s management investigate the irregularities signalled by theemployees in a timely and efficient manner?4. Are measures taken so that reported irregularities don’t affect the entity’sactivities?5. Does the entity monitor the type of irregularities that the employees signal and isthis information used as an input for changes in procedures?6. Does the entity have procedures to protect those employees who signalirregularities, especially when it comes to co- workers’ behaviour? 7. Is signalling irregularities an activity encouraged by the management? Doesmanagement clearly ask the employees to signal irregularities on a regular basis?8. Does the management check if the information the employees provide is true anddo they require proofs before starting an official investigation?9. How often do employees signal irregularities?10. What type of irregularities do employees signal most often?11. What employees signal irregularities most often?12. How quickly does the management react to a notification of an irregularity?13. Does the entity treat all irregularities in the same way or are there differentcategories of irregularities which require different reactions on behalf ofmanagement?14. Are all irregularities signalled to the same person or does the entity require adifferent person to be responsible for only one category of irregularities (financial,

operational, control etc.)?

CATEGORY FOUR: Standards regarding control activities

Standard 17 – Procedures

Description : For the activities of the public entity and especially the economicoperations, the public entity elaborates written procedures which are to becommunicated to all the employees.

Associated documents : procedures audit reports, list of procedures performedby the employees,

Questions to ask :

1. Does the entity have a database with the activities performed at allorganizational levels?



2. Is each activity described in a written document available to all interestedparties?3. Is the description of each procedure easy to read, understand and follow?4. Are all procedures regularly audited and updated if changes are necessary?5. Who is responsible for reviewing procedures and submitting improvement plans?

6. Do procedures describe the documents needed to be filed after, during or priorany activity? Does each procedure leave a paper trail?7. Do the procedures the entity has in place cover all the possible situations that theemployee might encounter? Are they complete?8. Are all the employees informed regarding the procedures they need to follow?9. Is there a control mechanism to ensure that each employee follows the relevantprocedures?10. Who designs the procedures and according to what principles and legislation?11. Are employees penalized for not following the required procedural steps?12. Does the entity have knowledge of the critical steps in each procedure and areemployees informed about the consequences of not following the critical steps?13. Do procedures contribute to employees’ efficiency or do they hinder their work?14. Is each procedure described with the proper amount of details so that employeesfind it easy to follow it?15. Is there a mechanism to check if all procedures are coordinated and that theycreate coherent processes?16. Is the employee knowledge of relevant procedures checked regularly?17. Is there a mechanism to rapidly inform employees of procedure changes? Howlong does it take since a procedure is changes till all employees start following it?18. Does each employee receive a manual of procedures?19. Does the entity train its employees with regard to following procedures?

20. Do the entity’s procedures ensure a proper observance of all legal requirementspertaining to the activity of the entity?

Standard 18 – Separation of attributions

Description : The operational and financial elements of each action must beperformed by persons independent from each other, and the functions of initiationand inspection must be separated.

Associated documents : organizational chart, process flow maps,

Questions to ask :

1. Does the entity have in place the necessary organizational structures in order toseparate the operational activities from the financial activities?2. Does the entity separate the operational activities from the control activities?



Standard 20 – Managing errors/deviations

Description : The public entity ensures that for all the situations where

deviations from the policies or procedures established appear adequate documentsare made, approved at the corresponding level, before the initiation of theoperations.

Standard 21 – Continuing activities

Description: The public entity takes the necessary measures so that itsactivities can continue at any moment, in all circumstances and in all areas, withparticular emphasis in the financial-economic area.

Standard 22 – Control strategies

Description : The public entity must build policies adequate for the controlstrategies and programs conceived in order to achieve its objectives and maintainequilibrium between these strategies.

Standard 23 – Access to resources

Description : The manager establishes, by emitting documents ofauthorization, the persons who have access to material, financial and informational

resources of the public entity and names the persons in charge of the protection andcorrect use of these resources.

Associated documents : documents of authorization,

Questions to ask :

1. Is the access to financial resources strictly monitored and controlled?2. Did the management establish clear rules with respect to the use of financialresources and the way in which they are allocated and spent?3. Is the access to material resources strictly monitored and controlled?4. Does the entity have efficient mechanisms in place to ensure that the employeeswho damage the entity’s properties are identified and properly penalized? 5. Does the entity perform regular audits of its material resources to check fordeterioration or misappropriation of resources?6. Is the access to information resources strictly monitored and controlled?



CATEGORY FIVE: Standards regarding auditing and evaluation

Standard 24 – Control audit and evaluation

Definition: The public entity institutes a function of evaluation of internalcontrol and elaborates policies and programs to perform these activities.

Associated documents : procedure to evaluate internal control, internalcontrol evaluation questionnaire, internal control evaluation policy, internal controlevaluation certification, etc.

Questions to ask:

1. Who is in charge of evaluating the internal control?2. Is there a policy for the evaluation of the internal control activities?3. Is the person in charge of the evaluation of the internal control sending regularreports to upper management?4. Are the irregularities signalled by this person/department taken intoconsideration by upper management?5. What is the procedure for the evaluation of the internal control activities?

courtesy of Nicolae Alina and Meca Ruxandra:6. What actions should be made by the manager?7. Does the public entity have a function of evaluation of internal control?8. Does the public entity elaborate policies?9. Does the public entity have programs to perform activities?

10. Who is responsible for the verification and evaluation of the internal controlsystem?11. What kind of measures should the manager take in case of irregularities?12. What guarantees the contribution of internal controls to achieve the objectives?13. To what is referring the evaluation of the efficiency?14. Is that an option that belongs to the manager?15. Who establishes the evaluation of the effectiveness of the control?16. Who decides the evaluation of the effectiveness has to be established?17. What proof does the public entity have?18. Who establishes the audit control?19. Which are the general requirements of the standard?

courtesy of Br ă tulescu Miruna, Burghelea Octavia, Ani ț a Diana, CristianBordea, Alexandru Sava:20. How many people are in charge of internal control?21. Can the public entity hire an outsourcing company for the internal control?22. How often are activities of internal control performed?23. Does the manager supervise the internal control?24. What corrective measures can be taken to solve irregularities?



25. How do you establish the efficiency of the internal control?26. What are the risks of not implementing an evaluation procedure?

courtesy of Manea Stephanie, Iorganda Cristina, Alexandra Iancu, AndraIliescu:27. Does the manager supervise the internal control team?

28. What measures do you use when you identify the problems?29. How often do you evaluate the well-functioning of the company?30. Do you evaluate each department separately or the entire company at once?31. How do you evaluate the effectiveness of the control?32. Is the evaluation announced or unannounced to employees?33. What evaluation procedures or standards do you have?

Standard 25 – Internal audit

Definition: The public entity sets up or has access to an audit structure withcompetent auditors whose activity is performed usually according to some programsbased on risk evaluation.

Associated documents: internal audit plan, organizational structure, internalaudit reports, etc.

Questions to ask:

1. Does the entity have an internal auditor?2. Is the internal auditor qualified for the position?3. Is there an annual audit plan?

courtesy of Br ă tulescu Miruna, Burghelea Octavia, Ani ț a Diana, CristianBordea, Alexandru Sava:4. How often are the audit reports made?5. Does the company hire an external auditor?6. Does the company have an audit department?7. What happens if the manager cannot implement the changes suggested by theauditors?8. Can the auditor also offer business consultancy?9. How important is the auditor’s opinion to the manager?

courtesy of Mirea Diana, Nan Silvia:10. Should we have an internal audit function?11. What does the internal function do?12. What is the mandate of the internal auditor?13. To whom does the internal auditor report?14. Are the internal auditing activities conducted by in house resources or are theyoutsourced?15. How does the internal audit get and maintain the expertise it needs to conductits assignments?



16. Are the activities of the internal audit in coordination with those of the externalauditors?17. How is the internal audit plan developed?18. What does the internal audit plan not cover?19. What is the relationship of internal audit with an audit committee?

20. How are the internal audit findings reported?21. How managers respond to internal audit findings and recommendations?22. What services does the internal audit provide related to fraud?23. How is the effectiveness of the internal audit assessed?24. Does internal audit have sufficient resources?25. Does the internal audit function get support from the CEO/manager of thecompany?26. Does this organization have adequate controls over its major risks? Are theysatisfying?27. Are there any other matters in your organization wants to bring to the auditcommittee attention?28. Are there other ways in which internal audit and the audit committee cansupport each other?29. Is the audit committee satisfied with the internal audit function?

Internal Control Evaluation Questions

Documents

Transcript of Internal Control Evaluation Questions