“After utilizing toolkits from The Art of Service, I was able to identify threats
within my organization to which I was completely unaware. Using my team’s
knowledge as a competitive advantage, we now have superior systems that save
time and energy.”
“As a new Chief Technology Officer, I was feeling unprepared and inadequate to
be successful in my role. I ordered an IT toolkit Sunday night and was prepared
Monday morning to shed light on areas of improvement within my organization.
I no longer felt overwhelmed and intimidated, I was excited to share what I had
learned.”
“I used the questionnaires to interview members of my team. I never knew how
many insights we could produce collectively with our internal knowledge.”
“I usually work until at least 8pm on weeknights. The Art of Service
questionnaire saved me so much time and worry that Thursday night I attended
my son’s soccer game without sacrificing my professional obligations.”
“After purchasing The Art of Service toolkit, I was able to identify areas where
my company was not in compliance that could have put my job at risk. I looked
like a hero when I proactively educated my team on the risks and presented a
solid solution.”
“I spent months shopping for an external consultant before realizing that The Art
of Service would allow my team to consult themselves! Not only did we save
time not catching a consultant up to speed, we were able to keep our company
information and industry secrets confidential.”
“Every day there are new regulations and processes in my industry. The Art of
Service toolkit has kept me ahead by using AI technology to constantly update
the toolkits and address emerging needs.”
“I customized The Art of Service toolkit to focus specifically on the
concerns of my role and industry. I didn’t have to waste time with a
generic self-help book that wasn’t tailored to my exact situation.”
“Many of our competitors have asked us about our secret sauce. When I tell
them it’s the knowledge we have in-house, they never believe me. Little do they
know The Art of Service toolkits are working behind the scenes.”
“One of my friends hired a consultant who used the knowledge gained working
with his company to advise their competitor. Talk about a
competitive disadvantage! The Art of Service allowed us to keep our knowledge
from walking out the door along with a huge portion of our budget in consulting
fees.”
“Honestly, I didn’t know what I didn’t know. Before purchasing
The Art of Service, I didn’t realize how many areas of my business needed to be
refreshed and improved. I am so relieved The Art of Service was there to
highlight our blind spots.”
“Before The Art of Service, I waited eagerly for consulting company reports to
come out each month. These reports kept us up to speed but provided little value
because they put our competitors on the same
playing field. With The Art of Service, we have uncovered unique insights to
drive our business forward.”
“Instead of investing extensive resources into an external consultant, we can
spend more of our budget towards pursuing our company goals and objectives…
while also spending a little more on corporate holiday parties.”
“The risk of our competitors getting ahead has been mitigated because The Art
of Service has provided us with a 360-degree view of threats within our
organization before they even arise.”
COSO Internal Control
Complete Self-Assessment Guide
Notice of rights
You are licensed to use the Self-Assessment contents in your presentations
and materials for internal use and customers without asking us - we are
here to help.
All rights reserved for the book itself: this book may not be reproduced or
transmitted in any form by any means, electronic, mechanical, photocopying,
recording, or otherwise, without the prior written permission of the publisher.
The information in this book is distributed on an “As Is” basis without warranty.
While every precaution has been taken in the preparation of the book, neither the
author nor the publisher shall have any liability to any person or entity with
respect to any loss or damage caused or alleged to be caused directly or
indirectly by the instructions contained in this book or by the products described
in it.
Trademarks
Many of the designations used by manufacturers and sellers to distinguish their
products are claimed as trademarks. Where those designations appear in this
book, and the publisher was aware of a trademark claim, the designations appear
as requested by the owner of the trademark. All other product names and
services identified throughout this book are used in editorial fashion only and for
the benefit of such companies with no intention of infringement of the
trademark. No such use, or the use of any trade name, is intended to convey
endorsement or other affiliation with this book.
Copyright © by The Art of Service
https://theartofservice.com
support@theartofservice.com
About The Art of Service
The Art of Service, Business Process Architects since 2000, is dedicated to
helping stakeholders achieve excellence.
Defining, designing, creating, and implementing a process to solve a
stakeholder’s challenge or meet an objective is the most valuable role… in
EVERY group, company, organization and department.
Unless you’re talking a one-time, single-use project, there should be a process.
Whether that process is managed and implemented by humans, AI, or a
combination of the two, it needs to be designed by someone with a complex
enough perspective to ask the right questions.
Someone capable of asking the right questions, stepping back and saying, ‘What are
we really trying to accomplish here? And is there a different way to look at it?’
With The Art of Service’s Self-Assessments, we empower people who can do
just that — whether their title is marketer, entrepreneur, manager, salesperson,
consultant, Business Process Manager, executive assistant, IT Manager, CIO,
etc. — they are the people who rule the future. They are people who watch the
process as it happens, and ask the right questions to make the process work
better.
Contact us when you need any support with this Self-Assessment and any
help with templates, blue-prints and examples of standard documents you
might need:
https://theartofservice.com
support@theartofservice.com
Included Resources - how to access
Included with your purchase of the book is the COSO Internal Control Self-Assessment Spreadsheet Dashboard, which contains all questions and Self-Assessment areas and auto-generates insights, graphs, and project RACI
planning - all with examples to get you started right away.
How? Simply send an email to
access@theartofservice.com
with this book’s title in the subject to get the COSO Internal Control Self
Assessment Tool right away.
The auto reply will guide you further, you will then receive the following
contents with New and Updated specific criteria:
• The latest quick edition of the book in PDF
• The latest complete edition of the book in PDF, which criteria correspond to the
criteria in...
• The Self-Assessment Excel Dashboard, and...
• Example pre-filled Self-Assessment Excel Dashboard to get familiar with
results generation
• In-depth specific Checklists covering the topic
• Project management checklists and templates to assist with implementation
INCLUDES LIFETIME SELF ASSESSMENT UPDATES
Every self assessment comes with Lifetime Updates and Lifetime Free Updated
Books. Lifetime Updates is an industry-first feature which allows you to receive
verified self assessment updates, ensuring you always have the most accurate
information at your fingertips.
Get it now - you will be glad you did - do it now, before you forget.
Send an email to access@theartofservice.com with this book’s title in the subject
to get the COSO Internal Control Self Assessment Tool right away.
Purpose of this Self-Assessment
This Self-Assessment has been developed to improve understanding of the
requirements and elements of COSO Internal Control, based on best practices
and standards in business process architecture, design and quality management.
It is designed to allow for a rapid Self-Assessment to determine how closely
existing management practices and procedures correspond to the elements of the
Self-Assessment.
The criteria of requirements and elements of COSO Internal Control have been
rephrased in the format of a Self-Assessment questionnaire, with a seven-criterion scoring system, as explained in this document.
In this format, even with limited background knowledge of COSO Internal
Control, a manager can quickly review existing operations to determine how
they measure up to the standards. This in turn can serve as the starting point of a
‘gap analysis’ to identify management tools or system elements that might
usefully be implemented in the organization to help improve overall
performance.
How to use the Self-Assessment
On the following pages are a series of questions to identify to what extent your
COSO Internal Control initiative is complete in comparison to the requirements
set in standards.
To facilitate answering the questions, there is a space in front of each question to
enter a score on a scale of ‘1’ to ‘5’.
1 Strongly Disagree
2 Disagree
3 Neutral
4 Agree
5 Strongly Agree
Read the question and rate it with the following in front of mind:
‘In my belief,
the answer to this question is clearly defined’.
There are two ways in which you can choose to interpret this statement:
1. How aware are you that the answer to the question is clearly defined?
2. For more in-depth analysis, you can choose to gather evidence and confirm the
answer to the question. This obviously takes more time; most Self-Assessment users opt for the first way to interpret the question and dig deeper
later on based on the outcome of the overall Self-Assessment.
A score of ‘1’ would mean that the answer is not clear at all, where a ‘5’ would
mean the answer is crystal clear and defined. Leave empty when the question is
not applicable or you don’t want to answer it; you can skip it without affecting
your score. Write your score in the space provided.
After you have responded to all the appropriate statements in each section,
compute your average score for that section, using the formula provided, and
round to the nearest tenth. Then transfer it to the corresponding spoke in the COSO
Internal Control Scorecard on the page after next in the Self-Assessment.
Your completed COSO Internal Control Scorecard will give you a clear
presentation of which COSO Internal Control areas need attention.
COSO Internal Control
Scorecard Example
Example of how the finalized Scorecard can look:
COSO Internal Control
Scorecard
Your Scores:
BEGINNING OF THE
SELF-ASSESSMENT:
Table of Contents
About The Art of Service ... 9
Included Resources - how to access ... 9
Purpose of this Self-Assessment ... 11
How to use the Self-Assessment ... 12
COSO Internal Control Scorecard Example ... 14
COSO Internal Control Scorecard ... 15
BEGINNING OF THE SELF-ASSESSMENT: ... 16
CRITERION #1: RECOGNIZE ... 17
CRITERION #2: DEFINE: ... 23
CRITERION #3: MEASURE: ... 36
CRITERION #4: ANALYZE: ... 45
CRITERION #5: IMPROVE: ... 61
CRITERION #6: CONTROL: ... 78
CRITERION #7: SUSTAIN: ... 94
COSO Internal Control and Managing Projects, Criteria for Project Managers: ... 137
1.0 Initiating Process Group: COSO Internal Control ... 138
1.1 Project Charter: COSO Internal Control ... 140
1.2 Stakeholder Register: COSO Internal Control ... 142
1.3 Stakeholder Analysis Matrix: COSO Internal Control ... 143
2.0 Planning Process Group: COSO Internal Control ... 145
2.1 Project Management Plan: COSO Internal Control ... 147
2.2 Scope Management Plan: COSO Internal Control ... 149
2.3 Requirements Management Plan: COSO Internal Control ... 151
2.4 Requirements Documentation: COSO Internal Control ... 153
2.5 Requirements Traceability Matrix: COSO Internal Control ... 155
2.6 Project Scope Statement: COSO Internal Control ... 157
2.7 Assumption and Constraint Log: COSO Internal Control ... 159
2.8 Work Breakdown Structure: COSO Internal Control ... 161
2.9 WBS Dictionary: COSO Internal Control ... 163
2.10 Schedule Management Plan: COSO Internal Control ... 166
2.11 Activity List: COSO Internal Control ... 168
2.12 Activity Attributes: COSO Internal Control ... 170
2.13 Milestone List: COSO Internal Control ... 172
2.14 Network Diagram: COSO Internal Control ... 174
2.15 Activity Resource Requirements: COSO Internal Control ... 176
2.16 Resource Breakdown Structure: COSO Internal Control ... 177
2.17 Activity Duration Estimates: COSO Internal Control ... 179
2.18 Duration Estimating Worksheet: COSO Internal Control ... 181
2.19 Project Schedule: COSO Internal Control ... 183
2.20 Cost Management Plan: COSO Internal Control ... 185
2.21 Activity Cost Estimates: COSO Internal Control ... 187
2.22 Cost Estimating Worksheet: COSO Internal Control ... 189
2.23 Cost Baseline: COSO Internal Control ... 191
2.24 Quality Management Plan: COSO Internal Control ... 193
2.25 Quality Metrics: COSO Internal Control ... 195
2.26 Process Improvement Plan: COSO Internal Control ... 197
2.27 Responsibility Assignment Matrix: COSO Internal Control ... 199
2.28 Roles and Responsibilities: COSO Internal Control ... 201
2.29 Human Resource Management Plan: COSO Internal Control ... 203
2.30 Communications Management Plan: COSO Internal Control ... 205
2.31 Risk Management Plan: COSO Internal Control ... 207
2.32 Risk Register: COSO Internal Control ... 209
2.33 Probability and Impact Assessment: COSO Internal Control ... 211
2.34 Probability and Impact Matrix: COSO Internal Control ... 213
2.35 Risk Data Sheet: COSO Internal Control ... 215
2.36 Procurement Management Plan: COSO Internal Control ... 217
2.37 Source Selection Criteria: COSO Internal Control ... 219
2.38 Stakeholder Management Plan: COSO Internal Control ... 221
2.39 Change Management Plan: COSO Internal Control ... 222
3.0 Executing Process Group: COSO Internal Control ... 224
3.1 Team Member Status Report: COSO Internal Control ... 226
3.2 Change Request: COSO Internal Control ... 228
3.3 Change Log: COSO Internal Control ... 230
3.4 Decision Log: COSO Internal Control ... 232
3.5 Quality Audit: COSO Internal Control ... 234
3.6 Team Directory: COSO Internal Control ... 237
3.7 Team Operating Agreement: COSO Internal Control ... 239
3.8 Team Performance Assessment: COSO Internal Control ... 241
3.9 Team Member Performance Assessment: COSO Internal Control ... 243
3.10 Issue Log: COSO Internal Control ... 245
4.0 Monitoring and Controlling Process Group: COSO Internal Control ... 247
4.1 Project Performance Report: COSO Internal Control ... 249
4.2 Variance Analysis: COSO Internal Control ... 251
4.3 Earned Value Status: COSO Internal Control ... 253
4.4 Risk Audit: COSO Internal Control ... 255
4.5 Contractor Status Report: COSO Internal Control ... 257
4.6 Formal Acceptance: COSO Internal Control ... 259
5.0 Closing Process Group: COSO Internal Control ... 261
5.1 Procurement Audit: COSO Internal Control ... 263
5.2 Contract Close-Out: COSO Internal Control ... 266
5.3 Project or Phase Close-Out: COSO Internal Control ... 268
5.4 Lessons Learned: COSO Internal Control ... 270
Index ... 272
CRITERION #1: RECOGNIZE
INTENT: Be aware of the need for change. Recognize that there is an
unfavorable variation, problem or symptom.
In my belief, the answer to this question is clearly defined:
5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree
1. Who else hopes to benefit from it?
<--- Score
2. Which controls would prevent disputes over the charges billed by
independent contractors?
<--- Score
3. Are there any specific expectations or concerns about the COSO Internal
Control team, COSO Internal Control itself?
<--- Score
4. Are there appropriate disclosures regarding going concern issues?
<--- Score
5. What would happen if COSO Internal Control weren’t done?
<--- Score
6. What problems are you facing and how do you consider COSO Internal
Control will circumvent those obstacles?
<--- Score
7. Are all material weaknesses serious problems for a registrant?
<--- Score
8. What controls should have prevented actions?
<--- Score
9. What information do you need from the other side?
<--- Score
10. Are there open BCP issues to be resolved?
<--- Score
11. What elements need to be put in place?
<--- Score
12. Why do NGOs and CSOs need boards of directors?
<--- Score
13. Can its performance be measured and problems detected and corrected?
<--- Score
14. What situation(s) led to this COSO Internal Control Self Assessment?
<--- Score
15. What are the legitimate needs and interests of key stakeholders from an
ESG perspective?
<--- Score
16. What could prevent the achievement of the business objectives?
<--- Score
17. What are the expected benefits of COSO Internal Control to the stakeholder?
<--- Score
18. Has your organization addressed fraud prevention issues?
<--- Score
19. How are you going to measure success?
<--- Score
20. What skills and attributes do board directors need to work together as a
leadership team?
<--- Score
21. Who issues private and public keys?
<--- Score
22. Are there any issues likely to lead to qualification of the accounts?
<--- Score
23. Are audit reports issued promptly?
<--- Score
24. Are there any capital management issues?
<--- Score
25. What controls are necessary to prevent, deter, and detect fraud?
<--- Score
26. Do all internal audit reports need to be reviewed by the external
auditor?
<--- Score
27. How much are sponsors, customers, partners, stakeholders involved in
COSO Internal Control? In other words, what are the risks, if COSO Internal
Control does not deliver successfully?
<--- Score
28. What issues have been reported/communicated?
<--- Score
29. What issues are related to a lack of clarity over roles?
<--- Score
30. What are the stakeholder objectives to be achieved with COSO Internal
Control?
<--- Score
31. What does COSO Internal Control success mean to the stakeholders?
<--- Score
32. Does your organization issue receipts for all cash collections?
<--- Score
33. As a sponsor, customer or management, how important is it to meet goals,
objectives?
<--- Score
34. How are the COSO Internal Control’s objectives aligned to the group’s
overall stakeholder strategy?
<--- Score
35. Can the independent auditor issue a report to management or the audit
committee indicating that no significant deficiencies were noted during an
audit of internal control over financial reporting?
<--- Score
36. Is the misconduct part of a systemic problem?
<--- Score
37. Why is the issue relevant to the business?
<--- Score
Add up total points for this section: _____ = Total points for this section
Divided by: ______ (number of statements answered) = ______ Average score
for this section
Transfer your score to the COSO Internal Control Index at the beginning of the
Self-Assessment.
CRITERION #2: DEFINE:
INTENT: Formulate the stakeholder problem. Define the problem, needs and
objectives.
In my belief, the answer to this question is clearly defined:
5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree
1. What are the rough order estimates on cost savings/opportunities that COSO
Internal Control brings?
<--- Score
2. Has the improvement team collected the ‘voice of the customer’ (obtained
feedback – qualitative and quantitative)?
<--- Score
3. Which organization defines the policy on internal audit?
<--- Score
4. Is a quarterly assessment required and, if so, when?
<--- Score
5. Is the team sponsored by a champion or stakeholder leader?
<--- Score
6. How does your organization define a control deficiency?
<--- Score
7. Has/have the customer(s) been identified?
<--- Score
8. Is there benefit in a generally recognized framework to help define what
good looks like?
<--- Score
9. What are the Roles and Responsibilities for each team member and its
leadership? Where is this documented?
<--- Score
10. What is the scope of the program?
<--- Score
11. How does management define a large portion for purposes of
determining multilocation coverage?
<--- Score
12. Has the COSO Internal Control work been fairly and/or equitably divided
and delegated among team members who are qualified and capable to perform
the work? Has everyone contributed?
<--- Score
13. Is there a completed SIPOC representation, describing the Suppliers, Inputs,
Process, Outputs, and Customers?
<--- Score
14. Is the team equipped with available and reliable resources?
<--- Score
15. How will variation in the actual durations of each activity be dealt with to
ensure that the expected COSO Internal Control results are met?
<--- Score
16. How does your organization define a significant deficiency in internal
control?
<--- Score
17. How did COSO obtain input from stakeholders in determining the scope
and nature of changes to the original framework?
<--- Score
18. If substitutes have been appointed, have they been briefed on the COSO
Internal Control goals and received regular communications as to the progress to
date?
<--- Score
19. Have material controls been defined for the business?
<--- Score
20. What are the SOX 404 ongoing requirements?
<--- Score
21. Are there any constraints known that bear on the ability to perform COSO
Internal Control work? How is the team addressing them?
<--- Score
22. What should be the requirements for an entry level internal audit
position?
<--- Score
23. Are different versions of process maps needed to account for the different
types of inputs?
<--- Score
24. What is the scope of the compliance framework?
<--- Score
25. What are the dynamics of the communication plan?
<--- Score
26. Is the COSO Internal Control scope manageable?
<--- Score
27. How often do you revise your scope?
<--- Score
28. What is your organizational scope of internal audit?
<--- Score
29. Are customers identified and high impact areas defined?
<--- Score
30. Is the team adequately staffed with the desired cross-functionality? If not,
what additional resources are available to the team?
<--- Score
31. What customer feedback methods were used to solicit their input?
<--- Score
32. Does the detailed design comply with the objectives of the general
requirements definition?
<--- Score
33. Has your organization defined its primary reason for existence?
<--- Score
34. Is the audit fee commensurate with the scope of the audit?
<--- Score
35. How will the COSO Internal Control team and the group measure complete
success of COSO Internal Control?
<--- Score
36. How was the ‘as is’ process map developed, reviewed, verified and
validated?
<--- Score
37. Is COSO Internal Control currently on schedule according to the plan?
<--- Score
38. What are the compelling stakeholder reasons for embarking on COSO
Internal Control?
<--- Score
39. What would be the goal or target for a COSO Internal Control’s
improvement team?
<--- Score
40. How does your organization define short, medium and long term?
<--- Score
41. Is there a COSO Internal Control management charter, including stakeholder
case, problem and goal statements, scope, milestones, roles and responsibilities,
communication plan?
<--- Score
42. What are your automation and system integration requirements?
<--- Score
43. Is there a critical path to deliver COSO Internal Control results?
<--- Score
44. What do your organization’s mission and vision require from an ESG
perspective?
<--- Score
45. Is there a completed, verified, and validated high-level ‘as is’ (not ‘should be’
or ‘could be’) stakeholder process map?
<--- Score
46. Is there regularly 100% attendance at the team meetings? If not, have
appointed substitutes attended to preserve cross-functionality and full
representation?
<--- Score
47. Is data collected and displayed to better understand customer(s) critical needs
and requirements?
<--- Score
48. How is internal control over financial reporting defined?
<--- Score
49. Have the customer needs been translated into specific, measurable
requirements? How?
<--- Score
50. Are your operating, reporting and compliance objectives clearly
defined?
<--- Score
51. Did management restrict or limit the scope of the audit in any way?
<--- Score
52. When is/was the COSO Internal Control start date?
<--- Score
53. Has a project plan, Gantt chart, or similar been developed/completed?
<--- Score
54. Is COSO Internal Control linked to key stakeholder goals and objectives?
<--- Score
55. How do you keep key subject matter experts in the loop?
<--- Score
56. Has a high-level ‘as is’ process map been completed, verified and validated?
<--- Score
57. Will team members perform COSO Internal Control work when assigned and
in a timely fashion?
<--- Score
58. How does your organization define a material weakness in internal
control?
<--- Score
59. How does the COSO Internal Control manager ensure against scope creep?
<--- Score
60. What is required if your organization already has an internal audit
function?
<--- Score
61. What critical content must be communicated – who, what, when, where, and
how?
<--- Score
62. Do the problem and goal statements meet the SMART criteria (specific,
measurable, attainable, relevant, and time-bound)?
<--- Score
63. What should be the scope of your internal control?
<--- Score
64. What are the ESG-related regulations, requirements or obligations in
your organization’s markets?
<--- Score
65. Is the current ‘as is’ process being followed? If not, what are the
discrepancies?
<--- Score
66. What are the boundaries of the scope? What is in bounds and what is not?
What is the start point? What is the stop point?
<--- Score
67. Has a team charter been developed and communicated?
<--- Score
68. What knowledge or experience is required?
<--- Score
69. Are there different segments of customers?
<--- Score
70. Do internal auditors have to comply with any professional ethics
requirements?
<--- Score
71. Are internal auditors required to be certified?
<--- Score
72. Is full participation by members in regularly held team meetings guaranteed?
<--- Score
73. Has the direction changed at all during the course of COSO Internal Control?
If so, when did it change and why?
<--- Score
74. How is independence defined differently for internal auditors and
external auditors?
<--- Score
75. How does the ESG context link to value creation for the business more
broadly?
<--- Score
76. How is the team tracking and documenting its work?
<--- Score
77. How did the COSO Internal Control manager receive input to the
development of a COSO Internal Control improvement plan and the estimated
completion dates/times of each activity?
<--- Score
78. Are customer(s) identified and segmented according to their different needs
and requirements?
<--- Score
79. Are improvement team members fully trained on COSO Internal Control?
<--- Score
80. Has everyone on the team, including the team leaders, been properly trained?
<--- Score
81. Who are the COSO Internal Control improvement team members, including
Management Leads and Coaches?
<--- Score
82. Are team charters developed?
<--- Score
83. What is the scope of an antifraud program and controls?
<--- Score
84. Has anyone else (internal or external to the group) attempted to solve this
problem or a similar one before? If so, what knowledge can be leveraged from
these previous efforts?
<--- Score
85. Does the system meet the design specifications in the requirements
definition?
<--- Score
86. What specifically is the problem? Where does it occur? When does it occur?
What is its extent?
<--- Score
87. What role and scope has management and the audit committee
established for its internal audit function?
<--- Score
88. Are there laws or regulations, which define coherent principles, systems
and functioning of internal audit?
<--- Score
89. What constraints exist that might impact the team?
<--- Score
90. Is the improvement team aware of the different versions of a process: what
they think it is vs. what it actually is vs. what it should be vs. what it could be?
<--- Score
91. Have internal audit functions been required previously?
<--- Score
92. What is included in the scope for each indicator/metric?
<--- Score
93. Is the team formed and are team leaders (Coaches and Management Leads)
assigned?
<--- Score
94. How often are the team meetings?
<--- Score
95. What key stakeholder process output measure(s) does COSO Internal
Control leverage and how?
<--- Score
96. Are stakeholder processes mapped?
<--- Score
97. When is the estimated completion date?
<--- Score
98. When are meeting minutes sent out? Who is on the distribution list?
<--- Score
99. Does the team have regular meetings?
<--- Score
100. How can evidence be gathered to determine if controls work?
<--- Score
101. Is a fully trained team formed, supported, and committed to work on the
COSO Internal Control improvements?
<--- Score
102. Will team members regularly document their COSO Internal Control work?
<--- Score
Add up total points for this section: _____ = Total points for this section
Divided by: ______ (number of statements answered) = ______ Average score
for this section
Transfer your score to the COSO Internal Control Index at the beginning of the
Self-Assessment.
CRITERION #3: MEASURE:
INTENT: Gather the correct data. Measure the current performance and
evolution of the situation.
In my belief, the answer to this question is clearly defined:
5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree
1. Do you review the initial budgets and identify areas of possible cost
reductions?
<--- Score
2. What has been the major impact of internal control breaches on service
delivery?
<--- Score
3. Are the risks related, such that one risk may cause another to occur?
<--- Score
4. Is your organization’s culture promoting employee behaviors that are
consistent with priorities?
<--- Score
5. Is data collected on key measures that were identified?
<--- Score
6. What charts has the team used to display the components of variation in the
process?
<--- Score
7. What are the key reasons that cause failures in the successful implementation of
innovation?
<--- Score
8. Is your organizational chart up to date?
<--- Score
9. What is the root cause of the risk?
<--- Score
10. What impact would a conclusion that the internal controls are
ineffective have on your organization?
<--- Score
11. Are there specific performance measures for internal auditing?
<--- Score
12. Does the charter outline the reporting lines of the internal audit
department?
<--- Score
13. Is a solid data collection plan established that includes measurement systems
analysis?
<--- Score
14. Is key measure data collection planned and executed, process variation
displayed and communicated and performance baselined?
<--- Score
15. What is the significance of the risk in terms of cost to the enterprise?
<--- Score
16. Is there a Performance Baseline?
<--- Score
17. Does the board charter capture governance of ESG-related risks?
<--- Score
18. What data was collected (past, present, future/ongoing)?
<--- Score
19. Has management undertaken a fraud risk analysis, including the risk of
fraud in financial reporting?
<--- Score
20. When was the charter last reviewed and updated?
<--- Score
21. Do the benefits of 404 exceed the cost?
<--- Score
22. Do you know what your priority risks are?
<--- Score
23. Does the rule require a written internal audit charter?
<--- Score
24. Have you found any ‘ground fruit’ or ‘low-hanging fruit’ for immediate
remedies to the gap in performance?
<--- Score
25. Does the lack of strong business strategies cause IT projects to fail?
<--- Score
26. Is data collection planned and executed?
<--- Score
27. Are high impact defects defined and identified in the stakeholder process?
<--- Score
28. What key measures identified indicate the performance of the stakeholder
process?
<--- Score
29. How does a shared-service center impact the assessment of internal
control?
<--- Score
30. Does there exist a risk management charter?
<--- Score
31. What is the significance of the risk, in terms of cost to your
organization?
<--- Score
32. How does the staff estimate consultant project costs?
<--- Score
33. What is the impact of a centralized versus decentralized organization?
<--- Score
34. Is long term and short term variability accounted for?
<--- Score
35. Does there exist an internal control charter?
<--- Score
36. What is the likelihood of occurrence and potential impact of risks?
<--- Score
37. What criteria does your organization use to prioritize risks?
<--- Score
38. Is metadata available to perform analysis prior to using the data?
<--- Score
39. How does your organization assess materiality when prioritizing
financial reporting elements?
<--- Score
40. Is the likelihood and impact of the individual risks a part of the
evaluation?
<--- Score
41. Is risk a priority consideration whenever business processes are
improved?
<--- Score
42. Is the internal audit charter and/or mandate appropriate?
<--- Score
43. Which business decisions may be impacted by the risk?
<--- Score
44. How will financial reform impact your organization?
<--- Score
45. What can be done to fix the root cause of a problem and improve
processes?
<--- Score
46. How is the business value from IT controls frameworks measured?
<--- Score
47. Has the function met the terms of its written charter?
<--- Score
48. What particular quality tools did the team find helpful in establishing
measurements?
<--- Score
49. Are key measures identified and agreed upon?
<--- Score
50. Does internal audit add value, and is that value measured?
<--- Score
51. How does management identify and prioritize IT risks?
<--- Score
52. Was a data collection plan established?
<--- Score
53. Is the allocation of gross pay, including any costing analysis, correct?
<--- Score
54. Are the audit committee's responsibilities defined in a charter?
<--- Score
55. Who participated in the data collection for measurements?
<--- Score
56. Does internal control relate to data analysis?
<--- Score
57. What are the key input variables? What are the key process variables? What
are the key output variables?
<--- Score
58. What has the team done to assure the stability and accuracy of the
measurement process?
<--- Score
59. Does internal control relate to the analysis of the control environment?
<--- Score
60. Is Process Variation Displayed/Communicated?
<--- Score
61. Are process variation components displayed/communicated using suitable
charts, graphs, plots?
<--- Score
62. How large is the gap between current performance and the customer-specified (goal) performance?
<--- Score
63. What may have caused the internal control breaches?
<--- Score
64. How does a risk impact your organization's ability to achieve its strategy
and business objectives?
<--- Score
65. What are the agreed upon definitions of the high impact areas, defect(s),
unit(s), and opportunities that will figure into the process capability metrics?
<--- Score
66. What is the best case cost estimate if it is necessary to incur the risk?
<--- Score
67. Should management broaden the focus on compliance to managing
business risk?
<--- Score
Add up total points for this section: _____ = Total points for this section
Divided by: ______ (number of statements answered) = ______ Average score
for this section
Transfer your score to the COSO Internal Control Index at the beginning of the
Self-Assessment.
CRITERION #4: ANALYZE:
INTENT: Analyze causes, assumptions and hypotheses.
In my belief, the answer to this question is clearly defined:
5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree
1. Does risk management allow anticipating new opportunities?
<--- Score
2. Does internal control relate to the development of control processes?
<--- Score
3. What quality tools were used to get through the analyze phase?
<--- Score
4. How are process owners engaged going forward?
<--- Score
5. How will the COSO Internal Control data be analyzed?
<--- Score
6. Are internal controls reviewed for potential fraud, corruption
opportunities?
<--- Score
7. Is your profiling process an integral part of organizational process?
<--- Score
8. Are there policies, procedures and effective processes for hiring,
compensating, promoting, training and terminating employees?
<--- Score
9. What is the process for addressing environmental considerations?
<--- Score
10. Is the performance gap determined?
<--- Score
11. What are distributed database systems?
<--- Score
12. Are there separate entities that include just IT operations or processes?
<--- Score
13. Are losses documented, analyzed, and remedial processes developed to
prevent future losses?
<--- Score
14. Does the enterprise restrict business data and applications to
organization controlled devices?
<--- Score
15. Is data used in making accounting estimates reliable?
<--- Score
16. Were any designed experiments used to generate additional insight into the
data analysis?
<--- Score
17. Are there constraints in deploying process owners/internal audit?
<--- Score
18. Does the data apply to the defined scope of the risk?
<--- Score
19. What are the common mistakes and pitfalls during the risk assessment
process?
<--- Score
20. Are gaps between current performance and the goal performance identified?
<--- Score
21. What are the most promising growth opportunities ahead?
<--- Score
22. Are processes in place to assure IT systems processes?
<--- Score
23. Does the ERM process connect ESG to risk management?
<--- Score
24. Does COSO Internal Control systematically track and analyze outcomes
for accountability and quality improvement?
<--- Score
25. Is there confidence in data quality?
<--- Score
26. Have requirements been defined for primary business processes
dependent on IT?
<--- Score
27. How does the system capture data and update the master file?
<--- Score
28. Does the process owner continuously anticipate, identify and react to
routine events and changing circumstances and conditions that could affect
the achievement of process objectives?
<--- Score
29. Have you a clear understanding of critical finance and operational
systems, including data storage?
<--- Score
30. Is management's self-assessment process adequately managed,
formalized and tested by internal audit?
<--- Score
31. What are the key assumptions in the model or data?
<--- Score
32. What processes should be in place with respect to periodic review and
approval of access to critical and/or sensitive transactions and data?
<--- Score
33. What processes should be in place with respect to establishing proper
security and segregation of duties?
<--- Score
34. Is data and process analysis, root cause analysis and quantifying the
gap/opportunity in place?
<--- Score
35. Did any value-added analysis or ‘lean thinking’ take place to identify some
of the gaps shown on the ‘as is’ process map?
<--- Score
36. What are the revised rough estimates of the financial savings/opportunity for
COSO Internal Control improvements?
<--- Score
37. Did any additional data need to be collected?
<--- Score
38. Have changes been properly/adequately analyzed for effect?
<--- Score
39. What were the crucial ‘moments of truth’ on the process map?
<--- Score
40. Does internal control relate to data reporting?
<--- Score
41. Was a cause-and-effect diagram used to explore the different types of causes
(or sources of variation)?
<--- Score
42. Where does an entity-controls review end and a process-controls review
begin?
<--- Score
43. What should the format of the data be?
<--- Score
44. How do you identify and analyze stakeholders and their interests?
<--- Score
45. How efficient is it for a local medium-size organization to comply with
post-filing processes?
<--- Score
46. What are the ESG-related strengths, weaknesses, opportunities and
threats?
<--- Score
47. Does there exist an internal evaluation of the risk management process?
<--- Score
48. How might your organization view the framework in the context of the
Sarbanes-Oxley 404 compliance process?
<--- Score
49. What is the cost of poor quality as supported by the team’s analysis?
<--- Score
50. Does internal control relate to data collection?
<--- Score
51. Have the types of risks that may impact COSO Internal Control been
identified and analyzed?
<--- Score
52. What steps in the process create value?
<--- Score
53. What are the inputs to the process?
<--- Score
54. What are the risks inherent in the processes chosen to implement the
strategies?
<--- Score
55. Do staff have the necessary skills to collect, analyze, and report data?
<--- Score
56. How is the processor activity-level assessment conducted?
<--- Score
57. Is there a defined process to notify the board when risk limits have been
exceeded?
<--- Score
58. Is it clear why individuals are responsible for collecting data?
<--- Score
59. Who should participate during the risk assessment process?
<--- Score
60. Which of your controls do you consider to be relevant to your audit, by
process and by function?
<--- Score
61. Does an effective implementation process support the code?
<--- Score
62. How was the detailed process map generated, verified, and validated?
<--- Score
63. How stringent is the governance process for innovations?
<--- Score
64. Does there exist an external evaluation of the risk management process?
<--- Score
65. Does the auditor have an internal process to measure client satisfaction?
<--- Score
66. Are approved corporate receiving systems used for the receiving
process?
<--- Score
67. What are the evaluation criteria of the resulting configuration of
controls and processes?
<--- Score
68. How will the external auditor view IT controls during the attestation
process?
<--- Score
69. What are the key controls at your organization and process levels?
<--- Score
70. Why are input controls more important than processing and output
controls?
<--- Score
71. Is there a process in place to provide for regular and automatic updates
of the BCP?
<--- Score
72. How can data lead to better corporate governance?
<--- Score
73. What are the roles and responsibilities of the application and data
owners in relation to the IT organization?
<--- Score
74. Were there any improvement opportunities identified from the process
analysis?
<--- Score
75. Which stakeholder characteristics are analyzed?
<--- Score
76. How do you know the process results are reliable?
<--- Score
77. What did the team gain from developing a sub-process map?
<--- Score
78. What primary or secondary data is available as an input to the
measurement tool?
<--- Score
79. Are upcoming labor negotiations considered in the process?
<--- Score
80. Is management using control system output?
<--- Score
81. Is there a process in place to identify and utilize toll credits?
<--- Score
82. How do you apply your scoping regarding entities and processes?
<--- Score
83. Is your data / information / knowledge reliable, relevant and timely?
<--- Score
84. How and when should the audit committee be involved in management's
evaluation process and in the independent public accountant's attestation
process?
<--- Score
85. Have the opportunities for improvement and the related steps been
identified?
<--- Score
86. What does the data say about the performance of the stakeholder process?
<--- Score
87. What tools were used to generate the list of possible causes?
<--- Score
88. What kind of work can management expect of your organization's
independent public accountant during the attestation process?
<--- Score
89. Is the data quality assured and consolidated?
<--- Score
90. Who are the application and data owners?
<--- Score
91. Has there been due process in preparing the accounts and annual report
and is that process robust?
<--- Score
92. Is the COSO Internal Control process severely broken such that a re-design
is necessary?
<--- Score
93. Are the data reasonable under the circumstances?
<--- Score
94. Is the information collected and processed?
<--- Score
95. Have any additional benefits been identified that will result from closing all
or most of the gaps?
<--- Score
96. Do you have a process for tracking control deficiencies through
evaluation and remediation?
<--- Score
97. Have the problem and goal statements been updated to reflect the additional
knowledge gained from the analyze phase?
<--- Score
98. How many internal controls have similar companies implemented for
transaction processes?
<--- Score
99. What were the financial benefits resulting from any ‘ground fruit or low-hanging fruit’ (quick fixes)?
<--- Score
100. Have all non-recommended alternatives been analyzed in sufficient
detail?
<--- Score
101. Have you identified the steps in the data collection process that may
pose a risk to data quality?
<--- Score
102. What steps does your innovation process follow?
<--- Score
103. Are suitable processes in place to ensure accurate financial records are
kept?
<--- Score
104. Was a detailed process map created to amplify critical steps of the ‘as is’
stakeholder process?
<--- Score
105. How is the program linked to other compliance processes and
performance management systems?
<--- Score
106. Where does an entity-level controls review end and a process controls
review begin?
<--- Score
107. Are all the data there that should be?
<--- Score
108. Who or what supporting area provides the inputs to the process?
<--- Score
109. What tools were used to narrow the list of possible causes?
<--- Score
110. Who is the owner of the process?
<--- Score
111. How often is key sustainability data collected?
<--- Score
112. What are your key COSO Internal Control indicators that you will
measure, analyze and track?
<--- Score
113. When and how should the independent public accountant be involved
during management's annual assessment process?
<--- Score
114. What is the process used to set up vendor accounts?
<--- Score
115. Are pertinent alerts monitored, analyzed and distributed to
appropriate personnel?
<--- Score
116. How are the artefacts and the design processes grounded by the
knowledge base?
<--- Score
117. What conclusions were drawn from the team’s data collection and analysis?
How did the team reach these conclusions?
<--- Score
118. Are internal audit procedures subject to effective process review by
external auditors?
<--- Score
119. Were Pareto charts (or similar) used to portray the ‘heavy hitters’ (or key
sources of variation)?
<--- Score
120. What processes are used for assessing risks?
<--- Score
121. Do you need support for all or selected policy areas, IT controls and
transaction processes?
<--- Score
122. Is the gap/opportunity displayed and communicated in financial terms?
<--- Score
123. Can internal controls be designed independently outside the risk
management process?
<--- Score
124. Is system processing complete, valid, accurate, timely, and authorized?
<--- Score
125. Do risk and sustainability have operationally and strategically
integrated processes?
<--- Score
126. Does your organization systematically track and analyze outcomes
for accountability and quality improvement?
<--- Score
127. What value does the process create or what outputs are produced?
<--- Score
128. Have operating processes put financial resources at undue risk?
<--- Score
129. Have the concerns of stakeholders been obtained and analyzed to help
identify and define potential barriers?
<--- Score
Add up total points for this section: _____ = Total points for this section
Divided by: ______ (number of statements answered) = ______ Average score
for this section
Transfer your score to the COSO Internal Control Index at the beginning of the
Self-Assessment.
CRITERION #5: IMPROVE:
INTENT: Develop a practical solution. Innovate, establish and test the solution
and measure the results.
In my belief, the answer to this question is clearly defined:
5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree
1. Are the risk management and internal control systems appropriate for
your organization's business model?
<--- Score
2. What ESG-related risks are necessary and acceptable for achieving
strategic ambitions?
<--- Score
3. What should the role of internal audit be in evaluating your organization's
use of outsourced services?
<--- Score
4. What other control activities could enhance the business unit's risk
management?
<--- Score
5. What are the practical ways to embed a risk-aware and control-optimized
culture in companies?
<--- Score
6. How much experience do you have in supply chain risk management?
<--- Score
7. Which departments regularly receive risk management information?
<--- Score
8. What are the compliance risks facing your business operations?
<--- Score
9. What is the appropriate method to assess risk severity?
<--- Score
10. Has your organization appropriately considered all of the risks that
could materially affect its objectives?
<--- Score
11. Is there a common risk management language / terminology across your
organization?
<--- Score
12. Who is responsible for identifying, assessing and responding to risk?
<--- Score
13. What is the role of the audit committee in evaluating the role of the
external auditor?
<--- Score
14. Is the risk identification related to the objectives?
<--- Score
15. Is the board receiving regular reports about ESG-related risks?
<--- Score
16. How is the risk management framework linked to your organization's
overall assurance framework?
<--- Score
17. Do risk management objectives exist?
<--- Score
18. Why would the strategy for implementing the different frameworks
change for the different risks?
<--- Score
19. What are your critical risks to the execution of the business model and
strategy?
<--- Score
20. What alternative risk responses are available to manage risk?
<--- Score
21. What is risk appetite and how is it different from risk thresholds,
tolerances or limits?
<--- Score
22. How does management evaluate your organization's internal control
with respect to unconsolidated investments accounted for under the equity
method?
<--- Score
23. Why was the COSO Enterprise Risk Management Integrated
Framework created?
<--- Score
24. What about internal audit's role in providing insight on emerging risks?
<--- Score
25. Is a formal risk assessment required?
<--- Score
26. Are any of the self-assessed key controls addressing higher risk areas
from a financial reporting standpoint?
<--- Score
27. What is the primary purpose of the risk management oversight
structure?
<--- Score
28. Will implementation of the COSO Enterprise Risk Management
Integrated Framework prevent fraud?
<--- Score
29. Does the new technology increase risks that may hinder the
accomplishment of objectives?
<--- Score
30. What are the more common ways in which your organization's appetite
for risk can be articulated?
<--- Score
31. Why should companies evaluate the need to rebalance internal audit
functions?
<--- Score
32. Is your organization required to design and implement responses for
every quality risk that has been identified?
<--- Score
33. How is the board apprised of significant risk matters?
<--- Score
34. What constitutes a change in internal control over financial reporting
and how is materiality considered for purposes of evaluating the effects of
changes?
<--- Score
35. Do any peers experience similar weaknesses or face similar risks from
ESG challenges?
<--- Score
36. How does your organization determine the right amount of risk for the
value it is trying to create for stakeholders, and how should it communicate
its risk policy to stakeholders?
<--- Score
37. Does risk management, as currently implemented in your organization,
identify internal risks?
<--- Score
38. What are the risks inherent in your business strategies and objectives?
<--- Score
39. How do current investments, operations and commitments compare to
your organization's risk appetite?
<--- Score
40. Which are the risks where assurance will be provided based on audit
work from previous years?
<--- Score
41. How is an audit of internal control over financial reporting risk-based?
<--- Score
42. What steps does management take to build risk management
capabilities?
<--- Score
43. What is the business case for addressing the risk?
<--- Score
44. Should an internal audit function consider information technology
risks?
<--- Score
45. What should the certifying officers do when evaluating disclosure
controls and procedures on a quarterly basis?
<--- Score
46. Are risk owners clearly identified?
<--- Score
47. What is the COSO Enterprise Risk Management Integrated
Framework?
<--- Score
48. Has the board appropriately challenged the evaluation?
<--- Score
49. What is the role of the CFO and others in the financial management
organization in enterprise risk management?
<--- Score
50. How do your performance management and incentive systems link up to
your risk management practices?
<--- Score
51. Is there only one introduction that could guarantee real implementation
of risk management?
<--- Score
52. How does your organization identify, quantify and manage risks, given
its appetite for risk?
<--- Score
53. Have control requirements been established for IT information and
related IT risks?
<--- Score
54. Are evaluation activities appropriately organized and resourced to meet
purposes?
<--- Score
55. Do you take a risk-based approach to compliance?
<--- Score
56. Do you have to hire more IT resources to mitigate risks related to
segregation of duties issues?
<--- Score
57. What is the appropriate level of depth when assessing risk?
<--- Score
58. Do you gather and evaluate enough information to support your control
conclusions?
<--- Score
59. What are the common pitfalls that should be avoided in the management
of risks?
<--- Score
60. What is the relationship between risk assessment and risk management?
<--- Score
61. Do your organization's mission, vision and core values address ESG-related risks?
<--- Score
62. What information is at risk by storage on a public cloud?
<--- Score
63. Is the function assisting your organization in identifying and addressing
the most significant risks?
<--- Score
64. How do you evaluate organizations' systems and routines?
<--- Score
65. What limitations of existing enterprise risk management models
prompted creation of a new framework?
<--- Score
66. How will the risk response make it easier or more difficult to meet
organization objectives?
<--- Score
67. What ESG-related risks should your organization avoid?
<--- Score
68. Is risk management applied to all organizational objectives?
<--- Score
69. How is accountability for managing risk determined?
<--- Score
70. Are risk management activities / responsibilities included in job
descriptions?
<--- Score
71. Has a financial risk assessment been undertaken?
<--- Score
72. Does management take undue business risks to achieve objectives?
<--- Score
73. Are security and segregation-of-duties risks mitigated by system access
controls?
<--- Score
74. How is your risk strategy linked to your business strategy?
<--- Score
75. How is internal audit able to assess and provide assurance on risks to
strategic objectives?
<--- Score
76. Has your organization defined its risk appetite including consideration
of ESG-related risks?
<--- Score
77. How long does it take senior and IT management to make major IT
decisions?
<--- Score
78. Should an internal audit function coordinate its efforts with your
organization's chief risk officer?
<--- Score
79. Does your organization conduct additional evaluation procedures
implemented solely to meet regulatory or other requirements?
<--- Score
80. Does there exist a risk inventory?
<--- Score
81. Do there exist clear norms with respect to the different aspects of risk
management?
<--- Score
82. What is the probability of the risk occurring?
<--- Score
83. Does risk management, as currently implemented in your organization,
provide a risk hierarchy?
<--- Score
84. Is the risk assessment adequate?
<--- Score
85. Why should your organization assess risk?
<--- Score
86. What are competitors and peers doing to identify, manage and disclose
ESG-related risks?
<--- Score
87. What alternative responses are available to manage risk?
<--- Score
88. How well aligned is the overall distribution of risks you are undertaking
with your risk appetite?
<--- Score
89. What are the unique computing risks and challenges that the business is
likely to encounter?
<--- Score
90. How do you evaluate the effectiveness of internal control?
<--- Score
91. How can effective and efficient risk based auditing reviews be ensured?
<--- Score
92. How does management consider your organization-level issues around
IT risks and controls?
<--- Score
93. What is a portfolio view of risks and how is it practically applied?
<--- Score
94. Are control activities specifically designed to mitigate the identified
risks?
<--- Score
95. What is the contribution of ESG-related risks to the overall organization
exposure?
<--- Score
96. Is it the accumulation of too much risk?
<--- Score
97. What is the relationship between risk assessment and performance
assessment?
<--- Score
98. Are IT auditors available to consider risks and related controls associated
with operating systems?
<--- Score
99. Does your organization assess the risks associated with significant
changes?
<--- Score
100. Who decides the capabilities needed to manage a given risk?
<--- Score
101. What is the risk of incorrectly reporting an indicator?
<--- Score
102. Does there exist a common risk management approach applicable to
the whole organization?
<--- Score
103. How do you identify risks in your organization?
<--- Score
104. Is there an overall approach to IT risk and control consideration that
should be followed?
<--- Score
105. What levels of ESG-related risks are acceptable?
<--- Score
106. What is a relevant, reliable, and representative indication of the risk
needing measurement?
<--- Score
107. What level of effort does the risk assessment seem to indicate?
<--- Score
108. Is your risk management policy clearly articulated and communicated
to your organization?
<--- Score
109. What is an effective way for your organization to conduct a risk
assessment?
<--- Score
110. What factors does your organization consider in assessing the quality
risks?
<--- Score
111. Does a comprehensive risk profile exist for your organization?
<--- Score
112. How might the framework assist organizations in structuring entities to
best manage exposure to risk?
<--- Score
113. Does management use indicators and thresholds to review the
effectiveness of responses for ESG-related risks?
<--- Score
114. Do you have a risk policy and is it publicly available on your website?
<--- Score
115. What is the board's role in risk oversight?
<--- Score
116. How can ERM help risk management and sustainability practitioners
navigate ESG-related risks?
<--- Score
117. Is appropriate ownership of risk in place?
<--- Score
118. Did personnel get training on risk management?
<--- Score
119. Have risk management considerations been incorporated into
performance goals?
<--- Score
120. Is the risk common across the overall enterprise or unique to one
business group?
<--- Score
121. Has your organization formally designated an individual to serve as
chief risk officer or equivalent?
<--- Score
122. What steps does management take to enhance risk management
capabilities?
<--- Score
123. Have financing-related risks been appropriately identified and
disclosed?
<--- Score
124. Does management have clear strategies for dealing with the significant
risks identified?
<--- Score
125. Will the objectives be met based on the control activities in place over
risks?
<--- Score
126. How is your organizational risk management culture generated, and is
it appropriate?
<--- Score
127. Is risk being managed as you intended?
<--- Score
128. How should the audit committee evaluate the effectiveness of internal
audit?
<--- Score
129. How long did it take you to go through each risk, from start to finish?
<--- Score
130. What needs to be known to better manage risks?
<--- Score
131. What are the risks to brand and reputation inherent in the way your
organization executes its strategies?
<--- Score
132. Does the antifraud program consider the identified fraud risks?
<--- Score
Add up total points for this section: _____ = Total points for this section
Divided by: ______ (number of statements answered) = ______ Average score
for this section
Transfer your score to the COSO Internal Control Index at the beginning of the
Self-Assessment.
CRITERION #6: CONTROL:
INTENT: Implement the practical solution. Maintain the performance and
correct possible complications.
In my belief, the answer to this question is clearly defined:
5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree
1. Does your organization act on recommendations from internal audit and
monitor the changes made?
<--- Score
2. How does internal control regulation affect financial reporting?
<--- Score
3. Which services are regularly affected by internal control breaches?
<--- Score
4. What are the application-level control considerations?
<--- Score
5. Does there exist a common internal control approach applicable to the
whole organization?
<--- Score
6. Is there a standard definition for internal controls?
<--- Score
7. Does the appropriate control exist?
<--- Score
8. Why do you have internal control?
<--- Score
9. How should management address deficiencies and gaps in IT controls?
<--- Score
10. Does your organization have a process to monitor estimated costs?
<--- Score
11. Which component is the foundation of all other components in the
internal control structure?
<--- Score
12. Do all purchase orders comply with authorized payment and delivery
expectation standard terms?
<--- Score
13. How do you spread knowledge about internal control in your
organization?
<--- Score
14. Does the internal audit scrutinize the internal control system?
<--- Score
15. Are there procedures for employees and management to report internal
control weaknesses?
<--- Score
16. Do the judgements reflect your organization's strategies?
<--- Score
17. Is regular reporting and monitoring in place in the public organization
on its exposure to fraud?
<--- Score
18. What is a material weakness in internal control over financial
reporting?
<--- Score
19. Do there exist clear norms with respect to the different aspects of
internal control?
<--- Score
20. Who monitors compliance with internal control policies and
procedures?
<--- Score
21. Are entity-level controls the same thing as entity-wide controls?
<--- Score
22. How does your organization incorporate risk assessment into its internal
control plan?
<--- Score
23. Are your organization's internal controls fit for purpose?
<--- Score
24. What standards are available in theory for internal control?
<--- Score
25. Which processes are monitored and reported?
<--- Score
26. How does internal control relate to information security?
<--- Score
27. What external regulations apply to the soft controls within your
organization?
<--- Score
28. Who should be responsible for internal control?
<--- Score
29. Are internal controls consistently applied?
<--- Score
30. What are some application control considerations for the order-to-cash
cycle?
<--- Score
31. Is project specific data used to develop the plan?
<--- Score
32. How can application of the Framework contribute to efficiency in the
design, implementation, and conduct of internal control?
<--- Score
33. Can the external auditor use the work of the internal audit function and
others for purposes of performing an audit of internal control over financial
reporting?
<--- Score
34. Will controls achieve desired objectives?
<--- Score
35. What is management's responsibility for changes in internal controls that
could affect the adequacy of internal controls after the date of management's
assessment?
<--- Score
36. Has your organization formally defined and standardized a process for
identifying risk?
<--- Score
37. How do you rate the occurrence of internal control breaches in your
organization?
<--- Score
38. Is the model for monitoring presented in paragraph 19 a complete and
accurate outline of the monitoring process?
<--- Score
39. What are the types of internal controls?
<--- Score
40. How should an internal control plan be prepared?
<--- Score
41. Which ESG-related risks should be reflected in the strategy?
<--- Score
42. How do you report on internal control?
<--- Score
43. How would management know if your organization-level controls
provide a strong control environment?
<--- Score
44. Does the audit committee approve internal audit's annual audit plan?
<--- Score
45. Does the system of internal control provide indicators of things going
wrong?
<--- Score
46. How are pervasive IT controls considered?
<--- Score
47. Does your organization have controls over access to IT systems?
<--- Score
48. Should any additional specific control be included?
<--- Score
49. How is service delivery affected by the internal control systems?
<--- Score
50. What internal control design assistance can the independent public
accountant provide without impairing independence?
<--- Score
51. Are agreed procedures in place for monitoring progress with the
implementation of recommendations?
<--- Score
52. What are some application control considerations for the procure-to-pay
cycle?
<--- Score
53. Are everyone's control-related responsibilities clearly articulated and
carried out?
<--- Score
54. Are the objectives and principles of internal control communicated
throughout your organization?
<--- Score
55. Why should departments be concerned about internal control?
<--- Score
56. What is the concept of internal control?
<--- Score
57. What standards and guidance does the internal audit function follow?
<--- Score
58. What are the demographics of companies reporting control deficiencies?
<--- Score
59. How does monitoring benefit the governance process?
<--- Score
60. How do others monitor operational effectiveness of internal controls in
practice?
<--- Score
61. How do you relate your internal control system to service delivery?
<--- Score
62. What other factors are used to adjust the primary basis to determine the
estimated prices for the project?
<--- Score
63. How does your organization incorporate communications into its
internal control plan?
<--- Score
64. How does your organization incorporate control activities into its
internal control plan?
<--- Score
65. How long does it take to complete Internal Control?
<--- Score
66. What is continuous monitoring and how does it strengthen the internal
audit process?
<--- Score
67. Is an internal audit function used as part of your organization's
monitoring program?
<--- Score
68. Is internal control related to the objectives?
<--- Score
69. Are the internal control arrangements subject to review?
<--- Score
70. Do you have a good mixture of manual and systematic controls?
<--- Score
71. Why should you complete Internal Control?
<--- Score
72. How do you get assurance over the effectiveness of your IT controls?
<--- Score
73. Does the charter outline the standards under which internal audit will
operate?
<--- Score
74. What is the purpose of reporting and monitoring the data?
<--- Score
75. What difference does it make if management has weak entity-level
controls?
<--- Score
76. Should disclosure of conditions on internal control be necessary?
<--- Score
77. Is your system of internal control sufficiently robust and tailored to the
size and nature of your organization?
<--- Score
78. Are soft controls better than hard controls?
<--- Score
79. What should boards be assessing the effectiveness of controls against?
<--- Score
80. Who has responsibility for internal control?
<--- Score
81. Do you monitor and require approvals for all capital expenditures?
<--- Score
82. How do the components of internal control interact and affect each
other?
<--- Score
83. When planning the project, what key scoping decisions should be
evaluated, and what criteria should management consider when making
decisions?
<--- Score
84. What are the key concepts of Internal Control?
<--- Score
85. Does the monitoring system include attributes?
<--- Score
86. How are management's reporting, control and compliance
responsibilities integrated?
<--- Score
87. Are you adopting a controls reliance or a substantive approach in your
audit?
<--- Score
88. What are registrant level controls?
<--- Score
89. Which specific controls and procedures are expected to be in place?
<--- Score
90. What level of assurance must management attain when reaching a
conclusion on the design and operating effectiveness of internal controls?
<--- Score
91. What control activities are performed in your organization?
<--- Score
92. Are there any unrecorded adjustments resulting from the audit?
<--- Score
93. Are continual process improvements jointly developed and monitored?
<--- Score
94. What exactly are project controls?
<--- Score
95. Are there systems in place for measuring and monitoring risks?
<--- Score
96. What types of controls are general IT controls?
<--- Score
97. Is the data collected in accordance with a time-tested or industry
standard?
<--- Score
98. Is your organization monitoring controls at a cost, effort or
organizational level that is inconsistent with the amount of risk the controls
mitigate?
<--- Score
99. Is the increase in control matched by a corresponding increase in
quality?
<--- Score
100. Which internal control model is used?
<--- Score
101. How does your organization incorporate its control environment into
its internal control plan?
<--- Score
102. How do your entity-level controls map to each of the principles?
<--- Score
103. How do audits fit into the internal control structure?
<--- Score
104. Is internal auditing responsive to risk assessment and monitoring
internal control?
<--- Score
105. How integrated are your IT controls into your overarching internal
control framework?
<--- Score
106. Are your controls keeping pace with your business?
<--- Score
107. Do internal control objectives exist?
<--- Score
108. How does management know how effective internal control is?
<--- Score
109. How are entity-level controls validated?
<--- Score
110. What were the major issues for your organization during the year and
are reflected in the reports?
<--- Score
111. Does your organization have an adequate system of internal controls?
<--- Score
112. How does your organization decrease its reliance on spreadsheets?
<--- Score
113. How does your organization incorporate monitoring into its internal
control plan?
<--- Score
114. How do the internal controls at your organization affect your financial
audit?
<--- Score
115. What difference does it make if management has strong entity-level
IT-related controls?
<--- Score
116. Does internal control relate to the existing information system?
<--- Score
117. Has it kept pace with your organization's activities and information and
control systems?
<--- Score
118. Are the controls performed correctly?
<--- Score
119. Who should be involved in Internal Controls?
<--- Score
120. Are controls operating as intended?
<--- Score
121. Is the risk register an appropriate reflection of the risks facing your
organization?
<--- Score
122. How frequently should monitoring activities be undertaken?
<--- Score
123. What is a continuous assurance auditing and monitoring system?
<--- Score
124. What is the Internal Controls Integrated Framework?
<--- Score
125. Has proper consideration been given to application controls and
security?
<--- Score
126. Has your organization responded to technological advancement in
internal controls?
<--- Score
127. Is your organization utilizing COSO's Internal Control Integrated
Framework?
<--- Score
128. Are there any prerequisites for enrolling in Internal Control?
<--- Score
129. Is internal control applied within all activities and departments?
<--- Score
130. Are there established standards to control the use of the technique?
<--- Score
131. Does there exist a permanent risk monitoring system?
<--- Score
Add up total points for this section: _____ = Total points for this section
Divided by: ______ (number of statements answered) = ______ Average score
for this section
Transfer your score to the COSO Internal Control Index at the beginning of the
Self-Assessment.
CRITERION #7: SUSTAIN:
INTENT: Retain the benefits.
In my belief, the answer to this question is clearly defined:
5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree
1. What are operators struggling with to meet consumer and business
demand?
<--- Score
2. Who are the key stakeholders for the COSO Internal Control evaluation?
<--- Score
3. Has management articulated the critical policies and estimates?
<--- Score
4. Does a special department exist?
<--- Score
5. What are the expected COSO Internal Control results?
<--- Score
6. Does your organization have an audit committee?
<--- Score
7. Who should make the COSO Internal Control decisions?
<--- Score
8. What is the appropriate level of rigor to apply to an assessment?
<--- Score
9. Do you have access to current enterprise policies and procedures?
<--- Score
10. Does the market value financial expertise on audit committees of boards
of directors?
<--- Score
11. Who owns what data?
<--- Score
12. Whom do you really need or want to serve?
<--- Score
13. Where are ESG challenges creating broad threats to future business
value?
<--- Score
14. What is a worst-case scenario for losses?
<--- Score
15. Does management have the right priorities among projects?
<--- Score
16. How are duties segregated in your organization?
<--- Score
17. What is the external auditor's deadline going to be?
<--- Score
18. Who are the COSO Internal Control decision-makers?
<--- Score
19. Do you have an adequately resourced internal audit function?
<--- Score
20. Does internal audit have appropriate authority to undertake its
responsibilities?
<--- Score
21. Have you determined who is responsible for the metrics?
<--- Score
22. How are you delivering value to your organization?
<--- Score
23. How many locations and units must management perform testing on to
achieve appropriate coverage?
<--- Score
24. Are fully independent audit committees really necessary?
<--- Score
25. How pervasive is business fraud?
<--- Score
26. Are board members knowledgeable about the content and operation of
the compliance and ethics program?
<--- Score
27. Is there an established change management process?
<--- Score
28. Are the persons responsible for any misconduct still with your
organization?
<--- Score
29. How is the activity-level assessment conducted?
<--- Score
30. What risks do you need to manage?
<--- Score
31. How will the data be checked for quality?
<--- Score
32. Does your organization encourage regular staff meetings?
<--- Score
33. Does the chief audit executive provide vision and leadership for the
activities of auditing?
<--- Score
34. How can risk management be tied procedurally to process elements?
<--- Score
35. Where and how is IT managed at a high level within your organization?
<--- Score
36. Can management rely on the statutory audit work performed by the
external auditor for significant subsidiaries or joint ventures?
<--- Score
37. Do the various units of your organization do it?
<--- Score
38. Who needs budgets?
<--- Score
39. How often is the program reviewed?
<--- Score
40. Do the viable solutions scale to future needs?
<--- Score
41. How were the experts' works received by professional peers?
<--- Score
42. What is the ratio of performance auditing to financial auditing?
<--- Score
43. What gets examined?
<--- Score
44. What are the overall responsibilities assumed by the officer or
committee?
<--- Score
45. What is your plan to assess your security risks?
<--- Score
46. What is COSO Internal Control risk?
<--- Score
47. How is your organization-level assessment conducted?
<--- Score
48. What are the key trends in wireless?
<--- Score
49. How are the internal audit units structured?
<--- Score
50. Is the audit committee content that it has the appropriate skills mix?
<--- Score
51. Have any earlier audit recommendations been incorporated into the
detailed design?
<--- Score
52. What COSO Internal Control coordination do you need?
<--- Score
53. Does internal audit have appropriate resources, including skills, to
deliver its objectives?
<--- Score
54. Are members of the internal audit function technically competent and
proficient?
<--- Score
55. Is the COSO Internal Control solution sustainable?
<--- Score
56. Does the internal audit staff have proper training and experience?
<--- Score
57. Are all aspects of your organization included?
<--- Score
58. Has the relevant information been derived from the full, audited
financial statements?
<--- Score
59. Is the COSO Internal Control risk managed?
<--- Score
60. Can employees in your organization participate in internal audits?
<--- Score
61. Would you develop a COSO Internal Control Communication Strategy?
<--- Score
62. Is internal audit responsive to changes in the business?
<--- Score
63. How should an internal audit function be staffed?
<--- Score
64. Does the rule apply to companies with public debt?
<--- Score
65. How do you build the right business case?
<--- Score
66. Is the effectiveness of the compliance framework assessed?
<--- Score
67. Are audit committee members independent of your organization and of
management?
<--- Score
68. How does the audit trail differ in an automated accounting system
compared to a manual one?
<--- Score
69. Do the policies encompass the whole group or are there local policies for
each unit?
<--- Score
70. Have you considered the significance of individual metrics to your
business model?
<--- Score
71. How has management satisfied itself regarding the value of assets and
impairments?
<--- Score
72. Have you ever participated in any enterprise-sponsored ethics training?
<--- Score
73. Does your department communicate effectively--internally and
externally?
<--- Score
74. Is a satisfactory record maintained of overtime worked within your
organization?
<--- Score
75. What resources or support might you need?
<--- Score
76. Who pays the cost?
<--- Score
77. Are the most efficient solutions problem-specific?
<--- Score
78. What are the performance and scale of the COSO Internal Control
tools?
<--- Score
79. What are the COSO Internal Control security risks?
<--- Score
80. How does your organization evaluate strategic COSO Internal Control
success?
<--- Score
81. What are the deliverables when the COSO ERM framework is
implemented?
<--- Score
82. How does the business make its money?
<--- Score
83. Are you familiar with the code of business conduct?
<--- Score
84. How do your organization's policies compare with industry norms?
<--- Score
85. Are there specific things your organization should accomplish the first
year?
<--- Score
86. Are the key business and technology risks being managed?
<--- Score
87. Who should resolve the COSO Internal Control issues?
<--- Score
88. Where is the cost?
<--- Score
89. What training program does the internal audit department have?
<--- Score
90. What assurance is there about the quality of Internal Audit work?
<--- Score
91. What are hidden COSO Internal Control quality costs?
<--- Score
92. Is risk periodically assessed?
<--- Score
93. Does management carry out your organization's mission, vision, core
values and strategy?
<--- Score
94. Are all critical materials subject to inspection?
<--- Score
95. How are COSO Internal Control risks managed?
<--- Score
96. How much capital does your organization have?
<--- Score
97. Will you achieve your business objectives?
<--- Score
98. Is the misconduct symptomatic of the way your organization does
business?
<--- Score
99. Does your organization have procedures in place to take advantage of
vendor discounts?
<--- Score
100. Do the audit team members give confidence that you will receive a
quality audit?
<--- Score
101. How can management utilize internal audit most effectively?
<--- Score
102. Which is a substantive audit test?
<--- Score
103. What is an audit committee's role with respect to an internal audit
function?
<--- Score
104. Has management resisted significant areas of disclosure?
<--- Score
105. What COSO Internal Control-related processes does your
organization outsource?
<--- Score
106. What relationship will internal audit have with other assurance
providers?
<--- Score
107. What are the COSO Internal Control resources needed?
<--- Score
108. What should internal audit report to the audit committee?
<--- Score
109. Is the internal audit function adding value?
<--- Score
110. Does your organization use its independent public accountant's software
and/or methodology to support management's assessment?
<--- Score
111. How does self-assessment work going forward?
<--- Score
112. What are the COSO Internal Control investment costs?
<--- Score
113. Does the assessment appear honest and complete?
<--- Score
114. Are there industry groups for internal auditors?
<--- Score
115. Is management comfortable that the accounting policies are
appropriate under the circumstances?
<--- Score
116. Has your organization stabilized the work program to ensure the timely
and systematic completion of projects?
<--- Score
117. Are the risks fully understood, reasonable and manageable?
<--- Score
118. What is your organization's view with respect to preserving the
appearance of objectivity?
<--- Score
119. How many people should be on the board?
<--- Score
120. Who else is engaged with and knowledgeable about the business?
<--- Score
121. Are audit findings reviewed, as appropriate, with management before
release of final audit reports?
<--- Score
122. Has the audit committee met with the auditor on a regular basis
without management present?
<--- Score
123. How does it differentiate itself in the marketplace?
<--- Score
124. Is your organization in line with peers?
<--- Score
125. Why is this needed?
<--- Score
126. Should a privately held organization implement provisions of
Sarbanes-Oxley?
<--- Score
127. Is management's approval necessary in order to open an organization
account?
<--- Score
128. What is a system of checks-and-balances?
<--- Score
129. Is your non-financial performance revealing the true value of your
business to investors?
<--- Score
130. Is there adequate skilled manpower to execute activities in time?
<--- Score
131. Does senior management actively support the anti-fraud program
efforts?
<--- Score
132. What additional tools are available to support the assessment?
<--- Score
133. What is the timeline your organization will follow?
<--- Score
134. Are procedures in place to handle cash forecasts?
<--- Score
135. Are organization accounts and persons who sign checks authorized by
the governing body?
<--- Score
136. Is the supplier's quality level adequate?
<--- Score
137. What were the criteria for evaluating a COSO Internal Control pilot?
<--- Score
138. Can you integrate quality management and risk management?
<--- Score
139. Is there a strict change management process?
<--- Score
140. Has your internal audit function undergone a quality assessment or
peer review recently?
<--- Score
141. What steps does management take to set the foundation?
<--- Score
142. How will the change process be managed?
<--- Score
143. Which organizations are audited by internal audit?
<--- Score
144. What significant changes took place during the year in the markets in
which your organization operates?
<--- Score
145. Why do you have IT in organizations?
<--- Score
146. When should a process be art not science?
<--- Score
147. Is there any other COSO Internal Control solution?
<--- Score
148. Do you need to do a usability evaluation?
<--- Score
149. Are there previous tests available for review?
<--- Score
150. Does the public organizations management delegate authority?
<--- Score
151. How easy is it to update the included frameworks in the DSS?
<--- Score
152. How is the audit committee organized?
<--- Score
153. What creative shifts do you need to take?
<--- Score
154. Is your organization also preparing concise reports?
<--- Score
155. What are the societal expectations with respect to your organization's
behaviour?
<--- Score
156. Do you have a mandate to audit the final beneficiary?
<--- Score
157. Do you have an issue in getting priority?
<--- Score
158. How does your organization ensure that the information is reliable?
<--- Score
159. Do internal audit staff have sufficient technical knowledge to perform
duties?
<--- Score
160. How does your function compare to that of other companies in your
industry?
<--- Score
161. What is the legal authority of the audit committee?
<--- Score
162. Is there a formal training program in place for your organization?
<--- Score
163. Does the supreme audit organization perform financial audits,
compliance audits and performance audits?
<--- Score
164. Do program objectives flow from and link to your organization-wide
goals and objectives?
<--- Score
165. What role and responsibility do internal auditors have for fraud?
<--- Score
166. Are you missing COSO Internal Control opportunities?
<--- Score
167. Do all material receipts go through regular receiving operations?
<--- Score
168. Are the integrated frameworks effective and efficient in achieving the
anticipated goals?
<--- Score
169. What are the requirements for audit information?
<--- Score
170. How will corresponding data be collected?
<--- Score
171. How efficient is the DSS in terms of the time and resources used and the
outcomes obtained?
<--- Score
172. How can a good working environment be re-established?
<--- Score
173. Is there any way to speed up the process?
<--- Score
174. Why do employees lie, cheat, and steal on the job?
<--- Score
175. Are the matters raised key areas for your organization?
<--- Score
176. Why do IT projects often fail to serve organizational goals?
<--- Score
177. What COSO Internal Control events should you attend?
<--- Score
178. What are your organization's mission, vision, core values, strategy and
business objectives?
<--- Score
179. Is valuation at request of and for owners?
<--- Score
180. What can be found in your organization's by-laws?
<--- Score
181. Is the work to date meeting requirements?
<--- Score
182. Is the approved corporate purchasing system used for all material
purchases?
<--- Score
183. How, when and by whom will the system be backed up?
<--- Score
184. Who audits the accounts and / or performance of the external auditor?
<--- Score
185. Does your organization periodically provide statements of account
balances to customers?
<--- Score
186. What is the value chain of your organization?
<--- Score
187. What industry does your organization belong to?
<--- Score
188. Does the rule affect other stock exchanges and private companies?
<--- Score
189. How do you start an internal audit function?
<--- Score
190. What is the total gained value, from the organization's perspective?
<--- Score
191. What COSO Internal Control data will be collected?
<--- Score
192. Does the enterprise have an audit committee?
<--- Score
193. Does the contribution of internal auditors have a positive and pervasive
value?
<--- Score
194. Are departmental operating procedures current and adequate?
<--- Score
195. Is the internal audit department efficient and effective in performing
its responsibilities?
<--- Score
196. Do your organization's policies provide adequate provisions for
employee training?
<--- Score
197. What does the business unit want to accomplish?
<--- Score
198. What are the client's issues and concerns?
<--- Score
199. Is it needed?
<--- Score
200. Who manages supplier risk management in your organization?
<--- Score
201. Do you have the optimal project management team structure?
<--- Score
202. What is the role of the board and the CEO?
<--- Score
203. What is the level of expenditure and effort of similarly sized companies
in your industry?
<--- Score
204. Where does that entry level hire go from here?
<--- Score
205. What should the audit committee look for in the criteria?
<--- Score
206. What are the advantages of the emerging payment system?
<--- Score
207. Are your information systems reliable and free from external attacks?
<--- Score
208. Do you apply it in your organization?
<--- Score
209. What was wrong and which are the objectives of the new system?
<--- Score
210. Has your organization capitalised any expenses?
<--- Score
211. What are the affordable COSO Internal Control risks?
<--- Score
212. What is the root cause(s) of the problem?
<--- Score
213. Are established procedures being complied with?
<--- Score
214. How are training requirements identified?
<--- Score
215. Who will facilitate the team and process?
<--- Score
216. What are the roles and responsibilities of business unit and divisional
management?
<--- Score
217. What should you look for in an internal audit report?
<--- Score
218. Does the audit committee or the board have its own legal and financial
consultants and advisors?
<--- Score
219. How can audit committee members add value?
<--- Score
220. What should boards be doing now?
<--- Score
221. What are the characteristics of a balanced board?
<--- Score
222. Who is reviewing internal audit?
<--- Score
223. What are predictive COSO Internal Control analytics?
<--- Score
224. Is your ERM working as intended?
<--- Score
225. What are the procedures for making profit and cash flow projections?
<--- Score
226. Does your organization have a comprehensive policy on password
protection?
<--- Score
227. Has internal audit ever undergone an external assessment?
<--- Score
228. What do employees need in the short term?
<--- Score
229. What are your most complex activities?
<--- Score
230. Does a code of professional ethics for internal auditors exist in your
country?
<--- Score
231. Does the system of quality management cover all engagements
performed by your organization?
<--- Score
232. Do you feel the published rules and procedures are trivial or out of
date?
<--- Score
233. How does the framework help your organization?
<--- Score
234. What mechanisms are in place to ensure the assurances are reliable?
<--- Score
235. What level of error are you willing to accept in the population?
<--- Score
236. What level of effectiveness would management normally expect in any
significant business activity?
<--- Score
237. Does the tone from your organization's leaders convey expectations on
ESG?
<--- Score
238. What will you do to enhance your leverage?
<--- Score
239. Do vendor agreements bring new compliance risk?
<--- Score
240. What are the objectives of your audit?
<--- Score
241. How is internal audit work actually performed?
<--- Score
242. Are risk management tasks balanced centrally and locally?
<--- Score
243. What are your business objectives and strategies?
<--- Score
244. Should you have a conversation about the application of COSO or a
similar framework?
<--- Score
245. What are the implications of falling equity values on your
organization's position?
<--- Score
246. Is the management commentary consistent with the financial
statements?
<--- Score
247. What is your function within your organization?
<--- Score
248. Is the audit committee content that it is avoiding any conflict of
interest?
<--- Score
249. How well is your organization designed to adapt to change?
<--- Score
250. What is the mix of resources in internal audit?
<--- Score
251. What is internal audit's role with respect to SOA compliance?
<--- Score
252. Has management considered other options?
<--- Score
253. What are the incentives in your organization?
<--- Score
254. Are activities efficient and effective?
<--- Score
255. Do the assurances draw out material weaknesses or losses, which
should be addressed?
<--- Score
256. What are the costs?
<--- Score
257. What are the strategic priorities for this year?
<--- Score
258. Are you responding as an individual or organization?
<--- Score
259. Are accounting policies appropriate and compliant with the reporting
framework?
<--- Score
260. How does the enterprise manage the performance of IT?
<--- Score
261. Is it merely an advising committee?
<--- Score
262. How does segregation of duties differ in an automated accounting
system compared to a manual one?
<--- Score
263. Are all requirements met?
<--- Score
264. What is your organization's view with respect to preserving objectivity?
<--- Score
265. How has the framework been enhanced?
<--- Score
266. Which laws and regulations does your organization comply with?
<--- Score
267. What COSO Internal Control data should be managed?
<--- Score
268. Where do you need to exercise leadership?
<--- Score
269. Do you understand your management processes today?
<--- Score
270. What alternative accounting policies have been applied by peer-group
companies?
<--- Score
271. What types of IT audit skills should be included in an internal audit
department?
<--- Score
272. How does your organization innovate?
<--- Score
273. Are policies and procedures in place to avoid understatement of
expenditures?
<--- Score
274. Are organization accounts reconciled monthly?
<--- Score
275. What information is retained/captured and in what way?
<--- Score
276. Is sufficient detail included in the audit reports?
<--- Score
277. What roles does internal audit play in ERM implementation?
<--- Score
278. How do you deal with COSO Internal Control risk?
<--- Score
279. What types of operator procedures or instructions are used?
<--- Score
280. Did you miss any major COSO Internal Control issues?
<--- Score
281. What types of data do your COSO Internal Control indicators require?
<--- Score
282. Are the companies chosen for comparison in the same
market/field/area/country?
<--- Score
283. What does internal audit expect to get out of the session?
<--- Score
284. Do you have organizational privacy requirements?
<--- Score
285. What personal qualities, knowledge and skills should internal auditors
possess?
<--- Score
286. Which issues are too important to ignore?
<--- Score
287. Will business be separated into separate units?
<--- Score
288. Is the quality assurance team identified?
<--- Score
289. How can you better manage risk?
<--- Score
290. Is the audit committee content that it has sufficient time to give proper
consideration to its business?
<--- Score
291. What are the COSO Internal Control design outputs?
<--- Score
292. Can the supreme audit organization contract out to other entities?
<--- Score
293. How many people should be on a board?
<--- Score
294. Which is the least desirable option for completing future audit
engagements?
<--- Score
295. What is the COSO Internal Control business impact?
<--- Score
296. What should the role of internal audit be in connection with your
organization's compliance efforts?
<--- Score
297. Is the code consistent with other corporate functional and business unit
policies and procedures?
<--- Score
298. What is the role of the audit committee?
<--- Score
299. How are sampling methodologies applied?
<--- Score
300. What is the external auditors deadline going to be next year?
<--- Score
301. What needs to stay?
<--- Score
302. Is COSO Internal Control documentation maintained?
<--- Score
303. What are the main skills of internal auditors?
<--- Score
304. What are unexpected ways your organization can apply its strengths to
ESG challenges?
<--- Score
305. What are the main skills of the employees?
<--- Score
306. Why does it contribute to the business objective?
<--- Score
307. How did management select and apply critical accounting policies,
judgements and estimates?
<--- Score
308. What systems/processes must you excel at?
<--- Score
309. Which audit roles are played by the internal auditor?
<--- Score
310. What are the concrete COSO Internal Control results?
<--- Score
311. Does your organization have written mission, philosophy or code of
conduct statements?
<--- Score
312. Does management take appropriate remedial action in response to
departures from approved policies and procedures?
<--- Score
313. How long to keep data and how to manage retention costs?
<--- Score
314. How will the COSO Internal Control data be captured?
<--- Score
315. What information do you rely on to achieve your objectives?
<--- Score
316. Have any of your requests for information been denied?
<--- Score
317. Which needs are not included or involved?
<--- Score
318. Who is involved in the management review process?
<--- Score
319. What is the purpose of the information system operations review?
<--- Score
320. Should internal auditors play a role in your Sarbanes-Oxley activities?
<--- Score
321. Which COSO Internal Control data should be retained?
<--- Score
322. What actions does your organization take to establish a culture that
promotes a commitment to quality?
<--- Score
323. What experience does the auditor have in your industry?
<--- Score
324. Which subsidiaries will you audit?
<--- Score
325. What are the processes for audit reporting and management?
<--- Score
326. Why the need?
<--- Score
327. How is the artefact introduced into the application environment and
how is it field tested?
<--- Score
328. Who are the COSO Internal Control decision makers?
<--- Score
329. Where is training needed?
<--- Score
330. What are the key components of the new framework?
<--- Score
331. Are accounting policies disclosed for all significant items or
transactions?
<--- Score
332. What assumptions are made about the solution and approach?
<--- Score
333. How should management communicate the project effort to your
organization?
<--- Score
334. What is the nature of the work environment?
<--- Score
335. Is internal audit invited to become involved in all major projects that
your organization sets up?
<--- Score
336. Is the internal audit department objective?
<--- Score
337. Does the BCP include key vendor and emergency supply contacts?
<--- Score
338. Are events managed to resolution?
<--- Score
339. What is the mandate of the audit committee?
<--- Score
340. Where do the COSO Internal Control decisions reside?
<--- Score
341. What types of internal audit consulting should be considered?
<--- Score
342. Does the supreme audit organization have a jurisdictional status?
<--- Score
343. What are the roles and responsibilities of support unit management?
<--- Score
344. Why are systems increasingly popular?
<--- Score
345. Can existing employees become internal auditors?
<--- Score
346. Is there an appropriate anti-fraud policy in place and are losses
suitably recorded?
<--- Score
347. How many ICFR employees are involved?
<--- Score
348. Should another high-level official, such as your organization's chief financial
officer, also sign the report?
<--- Score
349. Have you determined who is responsible for reporting to the group
level?
<--- Score
350. Does a formal compliance policy and framework exist?
<--- Score
351. What COSO Internal Control capabilities do you need?
<--- Score
352. Are COSO Internal Control vulnerabilities categorized and
prioritized?
<--- Score
353. How are resources allocated to internal audit units?
<--- Score
354. Which most seriously compromises the independence of the internal
audit activity?
<--- Score
355. What is the ratio of performance audit to financial audit?
<--- Score
356. What users will be impacted?
<--- Score
357. How do you manage COSO Internal Control risk?
<--- Score
358. Who are your organization's principal advisers?
<--- Score
359. Are the responses consistent with the audit committee's knowledge of
your organization?
<--- Score
360. Does the problem have ethical dimensions?
<--- Score
361. What is relevant financial experience likely to include?
<--- Score
362. Are there any significant or unusual amounts due from officers or
employees?
<--- Score
363. Will the business continue as a single going concern?
<--- Score
364. Is the system operational and usable as specified in commitments and
agreements?
<--- Score
365. How is the internal audit profession regulated?
<--- Score
366. How much data can be collected in the given timeframe?
<--- Score
367. Does the executive committee seek observations, recommendations, and
opinions from auditing?
<--- Score
368. Are all material purchases authorized through formal, approved
purchase orders?
<--- Score
369. Are there regulatory / compliance issues?
<--- Score
370. What is the problem and/or vulnerability?
<--- Score
371. Are procedures documented for managing COSO Internal Control
risks?
<--- Score
372. What COSO Internal Control standards are applicable?
<--- Score
373. How do you identify subcontractor relationships?
<--- Score
374. What criteria will you use to assess your COSO Internal Control risks?
<--- Score
375. What goals should be employed to best build and structure the IT
department?
<--- Score
376. How much should your organization spend on internal audit?
<--- Score
377. Is confidential information protected consistent with your
organization's commitments and agreements?
<--- Score
378. What independent validation and compliance functions are there?
<--- Score
379. What involvement did management have?
<--- Score
380. How many trainings, in total, are needed?
<--- Score
381. What are components and principles?
<--- Score
382. How is information communicated between different levels of your
organization?
<--- Score
383. Does senior management actively support the antifraud program
efforts?
<--- Score
384. Who needs to know?
<--- Score
385. Does your organization operate in all your offshore and overseas
locations?
<--- Score
386. What is the extent or complexity of the COSO Internal Control
problem?
<--- Score
387. Why do material and frequently recurring frauds succeed?
<--- Score
388. Have been addressed by management?
<--- Score
389. Is the audit committee seen as important internally as well as
externally?
<--- Score
390. How effective is your cyber security system?
<--- Score
391. How does materiality apply in an audit?
<--- Score
392. Are there any internal audit procedures?
<--- Score
393. Why is wireless technology considered a key for future networks?
<--- Score
394. Do you use your external auditors to perform internal audit work?
<--- Score
395. Is there an internal audit function present within your organization?
<--- Score
Add up total points for this section: _____ = Total points for this section
Divided by: ______ (number of statements answered) = ______ Average score
for this section
Transfer your score to the COSO Internal Control Index at the beginning of the
Self-Assessment.
COSO Internal Control and Managing Projects, Criteria for Project
Managers:
1.0 Initiating Process Group: COSO Internal Control
1. How well did the chosen processes fit the needs of the COSO Internal Control
project?
2. How can you make your needs known?
3. Contingency planning: if a risk event occurs, what will you do?
4. What are the constraints?
5. What are the required resources?
6. What communication items need improvement?
7. How well did the chosen processes produce the expected results?
8. Were sponsors and decision makers available when needed outside regularly
scheduled meetings?
9. Specific - is the objective clear in terms of what, how, when, and where the
situation will be changed?
10. Did you use a contractor or vendor?
11. Although the COSO Internal Control project manager does not directly
manage procurement and contracting activities, who does manage procurement
and contracting activities in your organization then if not the PM?
12. What business situation is being addressed?
13. When are the deliverables to be generated in each phase?
14. If the risk event occurs, what will you do?
15. What is the stake of others in your COSO Internal Control project?
16. How is each deliverable reviewed, verified, and validated?
17. How will it affect me?
18. Were decisions made in a timely manner?
19. What are the short and long term implications?
20. What will be the pressing issues of tomorrow?
1.1 Project Charter: COSO Internal Control
21. Why do you need to manage scope?
22. Does the COSO Internal Control project need to consider any special
capacity or capability issues?
23. What goes into your COSO Internal Control project Charter?
24. Are you building in-house?
25. Why do you manage integration?
26. Assumptions: what factors, for planning purposes, are you considering to be
true?
27. How will you learn more about the process or system you are trying to
improve?
28. Why the improvements?
29. What is the most common tool for helping define the detail?
30. Who is the COSO Internal Control project Manager?
31. When?
32. What is the justification?
33. Customer benefits: what customer requirements does this COSO Internal
Control project address?
34. Environmental stewardship and sustainability considerations: what is the
process that will be used to ensure compliance with the environmental
stewardship policy?
35. Name and describe the elements that deal with providing the detail?
36. COSO Internal Control project deliverables: what is the COSO Internal
Control project going to produce?
37. What are the known stakeholder requirements?
38. Review the general mission. What system will be affected by the
improvement efforts?
39. Why Outsource?
40. What metrics could you look at?
1.2 Stakeholder Register: COSO Internal Control
41. How should employers make voices heard?
42. What opportunities exist to provide communications?
43. How big is the gap?
44. What & Why?
45. How will reports be created?
46. Who are the stakeholders?
47. Who wants to talk about Security?
48. Is your organization ready for change?
49. How much influence do they have on the COSO Internal Control project?
50. What is the power of the stakeholder?
51. Who is managing stakeholder engagement?
52. What are the major COSO Internal Control project milestones requiring
communications or providing communications opportunities?
1.3 Stakeholder Analysis Matrix: COSO Internal
Control
53. What coalitions might build around the issues being tackled?
54. How can you counter negative efforts?
55. What are the key services, contractual arrangements, or other relationships
between stakeholder groups?
56. What is the relationship with the COSO Internal Control project?
57. Organizational Applicability?
58. Technology development and innovation?
59. What resources might the stakeholder bring to the COSO Internal Control
project?
60. Who are potential allies and opponents?
61. Inoculations or payment to receive them?
62. Who will be responsible for managing the outcome?
63. Is changing technology threatening your organization's position?
64. Effects on core activities, distraction?
65. Who is most dependent on the resources at stake?
66. Who has not been involved up to now and should have been?
67. Why do you need to manage COSO Internal Control project Risk?
68. IT developments?
69. Reliability of data, plan predictability?
70. Who will be affected by the work?
71. How to measure the achievement of the Immediate Objective?
72. New markets, vertical, horizontal?
2.0 Planning Process Group: COSO Internal Control
73. What do they need to know about the COSO Internal Control project?
74. Are work methodologies, financial instruments, etc. shared among
departments, organizations and COSO Internal Control projects?
75. How do you integrate COSO Internal Control project Planning with the
Iterative/Evolutionary SDLC?
76. Have more efficient (sensitive) and appropriate measures been adopted to
respond to the political and socio-cultural problems identified?
77. If a task is partitionable, is this a sufficient condition to reduce the COSO
Internal Control project duration?
78. Is the COSO Internal Control project supported by national and/or local
organizations?
79. Have operating capacities been created and/or reinforced in partners?
80. Will the products created live up to the necessary quality?
81. How will users learn how to use the deliverables?
82. How are the principles of aid effectiveness (ownership, alignment,
management for development results and mutual responsibility) being applied in
the COSO Internal Control project?
83. How will you do it?
84. What will you do?
85. In what way has the COSO Internal Control project come up with innovative
measures for problem-solving?
86. What type of estimation method are you using?
87. Why do IT COSO Internal Control projects fail?
88. Are you just doing busywork to pass the time?
89. How can you tell when you are done?
90. What input will you be required to provide the COSO Internal Control
project team?
91. Why is it important to determine activity sequencing on COSO Internal
Control projects?
2.1 Project Management Plan: COSO Internal
Control
92. Has the selected plan been formulated using cost effectiveness and
incremental analysis techniques?
93. When is the COSO Internal Control project management plan created?
94. What are the deliverables?
95. Why Change?
96. Are there any scope changes proposed for a previously authorized COSO
Internal Control project?
97. What are the assumptions?
98. Are there any client staffing expectations?
99. Does the implementation plan have an appropriate division of
responsibilities?
100. What did not work so well?
101. Are the existing and future without-plan conditions reasonable and
appropriate?
102. Are there any windfall benefits that would accrue to the COSO Internal
Control project sponsor or other parties?
103. Is there an incremental analysis/cost effectiveness analysis of proposed
mitigation features based on an approved method and using an accepted model?
104. What is the business need?
105. Are alternatives safe, functional, constructible, economical, reasonable and
sustainable?
106. Are comparable cost estimates used for comparing, screening and selecting
alternative plans, and has a reasonable cost estimate been developed for the
recommended plan?
107. Is the budget realistic?
108. What are the training needs?
2.2 Scope Management Plan: COSO Internal Control
109. Are all payments made according to the contract(s)?
110. Is there an issues management plan in place?
111. Are risk triggers captured?
112. Are the appropriate IT resources adequate to meet planned commitments?
113. Is PERT / critical path or equivalent methodology being used?
114. What are the risks that could significantly affect the budget of the COSO
Internal Control project?
115. Time estimation – how much time will be needed?
116. Has a resource management plan been created?
117. Are you doing what you have set out to do?
118. Are written status reports provided on a designated frequent basis?
119. What happens if scope changes?
120. Are there checklists created to determine if all quality processes are followed?
121. What does the critical path really mean?
122. Are the people assigned to the COSO Internal Control project sufficiently
qualified?
123. Does all COSO Internal Control project documentation reside in a common
repository for easy access?
124. Has a provision been made to reassess COSO Internal Control project risks
at various COSO Internal Control project stages?
125. Do you document disagreements and work towards resolutions?
126. Are software metrics formally captured, analyzed and used as a basis for
other COSO Internal Control project estimates?
127. Are risk oriented checklists used during risk identification?
128. Is there a set of procedures defining the scope, procedures, and deliverables
defining quality control?
2.3 Requirements Management Plan: COSO Internal
Control
129. What is the earliest finish date for this COSO Internal Control project if it is
scheduled to start on ...?
130. Did you avoid subjective, flowery or non-specific statements?
131. How often will the reporting occur?
132. Who will perform the analysis?
133. What are you counting on?
134. What performance metrics will be used?
135. Subject to change control?
136. Does the COSO Internal Control project have a Change Control process?
137. Describe the process for rejecting the COSO Internal Control project
requirements. Who has the authority to reject COSO Internal Control project
requirements?
138. How will requirements be managed?
139. Will you use tracing to help understand the impact of a change in
requirements?
140. Do you have an agreed upon process for alerting the COSO Internal Control
project Manager if a request for change in requirements leads to a product scope
change?
141. Are all the stakeholders ready for the transition into the user community?
142. Could inaccurate or incomplete requirements in this COSO Internal Control
project create a serious risk for the business?
143. How knowledgeable is the primary Stakeholder(s) in the proposed
application area?
144. In case of software development, should you have a test for each code
module?
145. How knowledgeable is the team in the proposed application area?
146. What went wrong?
147. Is any organizational data being used or stored?
148. Who is responsible for monitoring and tracking the COSO Internal Control
project requirements?
2.4 Requirements Documentation: COSO Internal
Control
149. Who is involved?
150. Can the requirement be changed without a large impact on other
requirements?
151. Where do system and software requirements come from, what are sources?
152. What images does it conjure?
153. What variations exist for a process?
154. How much does requirements engineering cost?
155. What is the risk associated with the technology?
156. What are the acceptance criteria?
157. How does the proposed COSO Internal Control project contribute to the
overall objectives of your organization?
158. Who provides requirements?
159. Who is interacting with the system?
160. What are current process problems?
161. What is a show stopper in the requirements?
162. Completeness. are all functions required by the customer included?
163. What marketing channels do you want to use: e-mail, letter or SMS?
164. Is the requirement realistically testable?
165. Can the requirements be checked?
166. How does what is being described meet the business need?
167. Does the system provide the functions which best support the customers
needs?
168. If applicable, are there issues linked with the fact that this is an offshore
COSO Internal Control project?
2.5 Requirements Traceability Matrix: COSO
Internal Control
169. Why use a WBS?
170. How will it affect the stakeholders personally in career?
171. Is there a requirements traceability process in place?
172. What percentage of COSO Internal Control projects are producing
traceability matrices between requirements and other work products?
173. How small is small enough?
174. What are the chronologies, contingencies, consequences, criteria?
175. Do you have a clear understanding of all subcontracts in place?
176. What is the WBS?
177. Why do you manage scope?
178. Will you use a Requirements Traceability Matrix?
179. Describe the process for approving requirements so they can be added to
the traceability matrix and COSO Internal Control project work can be
performed. Will the COSO Internal Control project requirements become
approved in writing?
180. How do you manage scope?
2.6 Project Scope Statement: COSO Internal Control
181. Will the QA-related information be reported regularly as part of the status
reporting mechanisms?
182. Have the reports to be produced, distributed, and filed been defined?
183. Will all COSO Internal Control project issues be unconditionally tracked
through the issue resolution process?
184. What should you drop in order to add something new?
185. Are the meetings set up to have assigned note takers that will add
action/issues to the issue list?
186. Is an issue management process documented and filed?
187. Has the COSO Internal Control project scope statement been reviewed as
part of the baseline process?
188. Is the plan for COSO Internal Control project resources adequate?
189. If there is an independent oversight contractor, have they signed off on the
COSO Internal Control project Plan?
190. Once it's defined, what is the stability of the COSO Internal Control project
scope?
191. Will there be a Change Control Process in place?
192. Are the input requirements from the team members clearly documented and
communicated?
193. Will the risk documents be filed?
194. Is there a Quality Assurance Plan documented and filed?
195. Has a method and process for requirement tracking been developed?
196. How often will scope changes be reviewed?
197. Were key COSO Internal Control project stakeholders brought into the
COSO Internal Control project Plan?
198. Will the risk status be reported to management on a regular and frequent
basis?
199. Is the plan under configuration management?
200. Is there a process (test plans, inspections, reviews) defined for verifying
outputs for each task?
2.7 Assumption and Constraint Log: COSO Internal
Control
201. Do documented requirements exist for all critical components and areas,
including technical, business, interfaces, performance, security and conversion
requirements?
202. Is the definition of the COSO Internal Control project scope clear; what
needs to be accomplished?
203. Are funding and staffing resource estimates sufficiently detailed and
documented for use in planning and tracking the COSO Internal Control project?
204. Would known impacts serve as impediments?
205. Are there ways to reduce the time it takes to get something approved?
206. What worked well?
207. Do you know what your customers' expectations are regarding this process?
208. Are best practices and metrics employed to identify issues, progress,
performance, etc.?
209. Is the amount of effort justified by the anticipated value of forming a new
process?
210. Are there cosmetic errors that hinder readability and comprehension?
211. Are there unnecessary steps that are creating bottlenecks and/or causing
people to wait?
212. Are there processes in place to ensure that all the terms and code concepts
have been documented consistently?
213. Have COSO Internal Control project management standards and procedures
been established and documented?
214. If it is out of compliance, should the process be amended or should the Plan
be amended?
215. Contradictory information between document sections?
216. What if failure during recovery?
217. Does the system design reflect the requirements?
218. Does the plan conform to standards?
219. Has the approach and development strategy of the COSO Internal Control
project been defined, documented and accepted by the appropriate stakeholders?
220. Have you eliminated all duplicative tasks or manual efforts, where
appropriate?
2.8 Work Breakdown Structure: COSO Internal
Control
221. Is the work breakdown structure (WBS) defined and is the scope of the
COSO Internal Control project clear with assigned deliverable owners?
222. What is the probability that the COSO Internal Control project duration will
exceed xx weeks?
223. Is it a change in scope?
224. When would you develop a Work Breakdown Structure?
225. Is it still viable?
226. Who has to do it?
227. Where does it take place?
228. Do you need another level?
229. How big is a work-package?
230. When does it have to be done?
231. How will you and your COSO Internal Control project team define the
COSO Internal Control project's scope and work breakdown structure?
232. How much detail?
233. Why is it useful?
234. How far down?
235. Can you make it?
236. When do you stop?
2.9 WBS Dictionary: COSO Internal Control
237. Are direct or indirect cost adjustments being accomplished according to
accounting procedures acceptable to us?
238. Are records maintained to show how undistributed budgets are controlled?
239. CWBS elements to be subcontracted, with identification of subcontractors?
240. Are records maintained to show full accountability for all material
purchased for the contract, including the residual inventory?
241. Are current work performance indicators and goals relatable to original
goals as modified by contractual changes, replanning, and reprogramming
actions?
242. Do the lines of authority for incurring indirect costs correspond to the lines
of responsibility for management control of the same components of costs?
243. Are all elements of indirect expense identified to overhead cost budgets of
COSO Internal Control projections?
244. Are the variances between budgeted and actual indirect costs identified and
analyzed at the level of assigned responsibility for control (indirect pool,
department, etc.)?
245. What size should a work package be?
246. Are the bases and rates for allocating costs from each indirect pool to
commercial work consistent with the bases already stated as used to allocate
corresponding costs to Government contracts?
247. Is the anticipated (firm and potential) business base COSO Internal Control
projected in a rational, consistent manner?
248. Are overhead cost budgets (or COSO Internal Control projections)
established on a facility-wide basis at least annually for the life of the contract?
249. Does the contractor's system provide for determination of price variance by
comparing planned vs. actual commitments?
250. Changes in the nature of the overhead requirements?
251. Budgets assigned to major functional organizations?
252. Are overhead costs budgets established on a basis consistent with
anticipated direct business base?
253. Are data elements (BCWS, BCWP, and ACWP) progressively summarized
from the detail level to the contract level through the CWBS?
254. Appropriate work authorization documents which subdivide the contractual
effort and responsibilities, within functional organizations?
255. Are the rates for allocating costs from each indirect cost pool to contracts
updated as necessary to ensure a realistic monthly allocation of indirect costs
without significant year-end adjustments?
256. Can the contractor substantiate work package and planning package
budgets?
2.10 Schedule Management Plan: COSO Internal
Control
257. Have activity relationships and interdependencies within tasks been
adequately identified?
258. Are COSO Internal Control project team members involved in detailed
estimating and scheduling?
259. Is funded schedule margin reasonable and logically distributed?
260. Were the budget estimates reasonable?
261. Who is responsible for estimating the activity durations?
262. Are procurement deliverables arriving on time and to specification?
263. Which status reports are received per the COSO Internal Control project
Plan?
264. Does the COSO Internal Control project have a formal COSO Internal
Control project Charter?
265. Have all unresolved risks been documented?
266. Are any non-compliance issues that exist due to your organization's
practices communicated to your organization?
267. Are software metrics formally captured, analyzed and used as a basis for
other COSO Internal Control project estimates?
268. Is the IMS used by all levels of management for COSO Internal Control
project implementation and control?
269. Is there an excessive and invalid use of task constraints and relationships of
leads/lags?
270. Quality assurance overheads?
271. Timeline and milestones?
272. Were COSO Internal Control project team members involved in the
development of activity & task decomposition?
273. Are right task and resource calendars used in the IMS?
274. Have COSO Internal Control project management standards and procedures
been identified / established and documented?
275. Has a COSO Internal Control project Communications Plan been
developed?
2.11 Activity List: COSO Internal Control
276. How detailed should a COSO Internal Control project get?
277. Who will perform the work?
278. Is infrastructure setup part of your COSO Internal Control project?
279. The WBS is developed as part of a joint planning session. How do you
know that you have done this right?
280. What is your organization's history in doing similar activities?
281. Are the required resources available, or do they need to be acquired?
282. How do you determine the late start (LS) for each activity?
283. Should you include sub-activities?
284. Can you determine the activity that must finish, before this activity can
start?
285. When will the work be performed?
286. What is the LF and LS for each activity?
287. How should ongoing costs be monitored to try to keep the COSO Internal
Control project within budget?
288. For other activities, how much delay can be tolerated?
289. How can the COSO Internal Control project be displayed graphically to
better visualize the activities?
290. Is there anything planned that does not need to be here?
291. What went well?
292. How difficult will it be to do specific activities on this COSO Internal
Control project?
293. What are the critical bottleneck activities?
294. In what sequence?
295. How will it be performed?
2.12 Activity Attributes: COSO Internal Control
296. Which method produces the more accurate cost assignment?
297. How many days do you need to complete the work scope with a limit of X
number of resources?
298. Do you feel very comfortable with your prediction?
299. Were there other ways you could have organized the data to achieve similar
results?
300. Have you identified the Activity Leveling Priority code value on each
activity?
301. Resource is assigned to?
302. What conclusions/generalizations can you draw from this?
303. How do you manage time?
304. How much activity detail is required?
305. Activity: what is In the Bag?
306. Activity: fair or not fair?
307. Activity: what is Missing?
308. Does your organization of the data change its meaning?
309. How else could the items be grouped?
310. Can more resources be added?
311. What is the general pattern here?
312. Where else does it apply?
2.13 Milestone List: COSO Internal Control
313. What is the market for your technology, product or service?
314. Gaps in capabilities?
315. Level of the Innovation?
316. Loss of key staff?
317. Describe the industry you are in and the market growth opportunities. What
is the market for your technology, product or service?
318. Do you foresee any technical risks or developmental challenges?
319. New USPs?
320. Political effects?
321. Legislative effects?
322. When will the COSO Internal Control project be complete?
323. USPs (unique selling points)?
324. Sustaining internal capabilities?
325. What background experience, skills, and strengths does the team bring to
your organization?
326. How will the milestone be verified?
327. How late can the activity start?
328. Sustainable financial backing?
2.14 Network Diagram: COSO Internal Control
329. Can you calculate the confidence level?
330. What are the Major Administrative Issues?
331. What are the Key Success Factors?
332. Where do you schedule uncertainty time?
333. Are the Gantt chart and/or network diagram updated periodically and used
to assess the overall COSO Internal Control project timetable?
334. What job or jobs follow it?
335. What to do and When?
336. If a current contract exists, can you provide the vendor name, contract start,
and contract expiration date?
337. What activities must follow this activity?
338. Which type of network diagram allows you to depict four types of
dependencies?
339. What job or jobs could run concurrently?
340. Will crashing x weeks return more in benefits than it costs?
341. What controls the start and finish of a job?
342. What activity must be completed immediately before this activity can start?
343. Exercise: what is the probability that the COSO Internal Control project
duration will exceed xx weeks?
344. Review the logical flow of the network diagram. Take a look at which
activities you have first and then sequence the activities. Do they make sense?
345. How difficult will it be to do specific activities on this COSO Internal
Control project?
346. Are the required resources available?
2.15 Activity Resource Requirements: COSO Internal
Control
347. Other support in specific areas?
348. Time for overtime?
349. Do you use tools like decomposition and rolling-wave planning to produce
the activity list and other outputs?
350. When does monitoring begin?
351. Why do you do that?
352. How many signatures do you require on a check and does this match what
is in your policy and procedures?
353. What are constraints that you might find during the Human Resource
Planning process?
354. How do you handle petty cash?
355. What is the Work Plan Standard?
356. Which logical relationship does the PDM use most often?
357. Are there unresolved issues that need to be addressed?
358. Anything else?
2.16 Resource Breakdown Structure: COSO Internal
Control
359. Who delivers the information?
360. How should the information be delivered?
361. Changes based on input from stakeholders?
362. Who is allowed to perform which functions?
363. Why time management?
364. What defines a successful COSO Internal Control project?
365. The list could probably go on, but, the thing that you would most like to
know is, How long & How much?
366. When do they need the information?
367. What can you do to improve productivity?
368. Why do you do it?
369. Is predictive resource analysis being done?
370. How can this help you with team building?
371. What is the primary purpose of the human resource plan?
372. What is COSO Internal Control project communication management?
373. Who will use the system?
374. Which resource planning tool provides information on resource
responsibility and accountability?
2.17 Activity Duration Estimates: COSO Internal
Control
375. Are COSO Internal Control project costs tracked in the general ledger?
376. Does a process exist to determine which risk events to accept and which
events to disregard?
377. Calculate the expected duration for an activity that has a most likely time of
3, a pessimistic time of 10, and an optimistic time of 2?
378. What do you think about the WBSs for them?
379. How does a COSO Internal Control project life cycle differ from a product
life cycle?
380. Do COSO Internal Control project team members work in the same
physical location to enhance team performance?
381. Will additional funds be needed for hardware or software?
382. Does a process exist to determine the potential loss or gain if risk events
occur?
383. How can software assist in COSO Internal Control project
communications?
384. Which is a benefit of an analogous COSO Internal Control project
estimate?
385. How have experts such as Deming, Juran, Crosby, and Taguchi affected the
quality movement and today's use of Six Sigma?
386. What are the ways to create and distribute COSO Internal Control project
performance information?
387. Are team building activities completed to improve team performance?
388. Does the software appear easy to learn?
389. Is the COSO Internal Control project performing better or worse than
planned?
390. What steps did your organization take to earn this prestigious quality
award?
391. Under corresponding circumstances what would be the best thing to do?
392. How do functionality, system outputs, performance, reliability, and
maintainability requirements affect quality planning?
393. Mass, power, cost ... why not time?
2.18 Duration Estimating Worksheet: COSO Internal
Control
394. What is cost and COSO Internal Control project cost management?
395. What info is needed?
396. What utility impacts are there?
397. Why estimate costs?
398. How can the COSO Internal Control project be displayed graphically to
better visualize the activities?
399. What went right?
400. Small or large COSO Internal Control project?
401. Value pocket identification & quantification: what are value pockets?
402. What is an Average COSO Internal Control project?
403. Can the COSO Internal Control project be constructed as planned?
404. Science = process: remember the scientific method?
405. Is a construction detail attached (to aid in explanation)?
406. What questions do you have?
407. What is the total time required to complete the COSO Internal Control
project if no delays occur?
408. When do the individual activities need to start and finish?
409. Do any colleagues have experience with your organization and/or RFPs?
410. Is this operation cost effective?
411. When does your organization expect to be able to complete it?
2.19 Project Schedule: COSO Internal Control
412. Is the structure for tracking the COSO Internal Control project schedule
well defined and assigned to a specific individual?
413. What is COSO Internal Control project management?
414. Meet requirements?
415. What is the most mis-scheduled part of the process?
416. What is the purpose of a COSO Internal Control project schedule?
417. Does the condition or event threaten the COSO Internal Control project's
objectives in any way?
418. What is the difference?
419. Have all COSO Internal Control project delays been adequately accounted
for, communicated to all stakeholders and adjustments made in overall COSO
Internal Control project schedule?
420. Are all remaining durations correct?
421. What is risk management?
422. Is COSO Internal Control project work proceeding in accordance with the
original COSO Internal Control project schedule?
423. Is there a Schedule Management Plan that establishes the criteria and
activities for developing, monitoring and controlling the COSO Internal Control
project schedule?
424. Why is this particularly bad?
425. Are the original COSO Internal Control project schedule and budget
realistic?
426. Eliminate unnecessary activities. Are there activities that came from a
template or previous COSO Internal Control project that are not applicable on
this phase of this COSO Internal Control project?
427. Are there activities that came from a template or previous COSO Internal
Control project that are not applicable on this phase of this COSO Internal
Control project?
428. How closely did the initial COSO Internal Control project Schedule
compare with the actual schedule?
429. Was the COSO Internal Control project schedule reviewed by all
stakeholders and formally accepted?
430. How do you use schedules?
2.20 Cost Management Plan: COSO Internal Control
431. Is COSO Internal Control project work proceeding in accordance with the
original COSO Internal Control project schedule?
432. Are multiple estimation methods being employed?
433. Does the COSO Internal Control project have a Statement of Work?
434. Personnel with expertise?
435. Similar COSO Internal Control projects?
436. Have external dependencies been captured in the schedule?
437. Are the schedule estimates reasonable given the COSO Internal Control
project?
438. Scope of work – What is the scope of work for each of the planned
contracts?
439. Have stakeholder accountabilities & responsibilities been clearly defined?
440. Has the business need been clearly defined?
441. Is there an approved case?
442. Are assumptions being identified, recorded, analyzed, qualified and closed?
443. Are the COSO Internal Control project team members located locally to the
users/stakeholders?
444. Does the business case include how the COSO Internal Control project
aligns with your organization's strategic goals & objectives?
445. Are quality inspections and review activities listed in the COSO Internal
Control project schedule(s)?
446. Were COSO Internal Control project team members involved in detailed
estimating and scheduling?
447. Are trade-offs between accepting the risk and mitigating the risk identified?
448. Do all stakeholders know how to access this repository and where to find
the COSO Internal Control project documentation?
449. Are milestone deliverables effectively tracked and compared to COSO
Internal Control project plan?
2.21 Activity Cost Estimates: COSO Internal Control
450. Did the consultant work with local staff to develop local capacity?
451. Based on your COSO Internal Control project communication management
plan, what worked well?
452. How many activities should you have?
453. Were the tasks or work products prepared by the consultant useful?
454. How quickly can the task be done with the skills available?
455. Can you delete activities or make them inactive?
456. What procedures are put in place regarding bidding and cost comparisons,
if any?
457. How Award?
458. In which phase of the acquisition process cycle does source qualifications
reside?
459. What is a COSO Internal Control project Management Plan?
460. What makes a good activity description?
461. How do you change activities?
462. Can you change your activities?
463. What were things that you need to improve?
464. Measurable - are the targets measurable?
465. What defines a successful COSO Internal Control project?
466. Were you satisfied with the work?
467. What is the last item a COSO Internal Control project manager must do to
finalize COSO Internal Control project close-out?
468. Were the costs or charges reasonable?
2.22 Cost Estimating Worksheet: COSO Internal
Control
469. What additional COSO Internal Control project(s) could be initiated as a
result of this COSO Internal Control project?
470. What can be included?
471. Does the COSO Internal Control project provide innovative ways for
stakeholders to overcome obstacles or deliver better outcomes?
472. What is the estimated labor cost today based upon this information?
473. Identify the timeframe necessary to monitor progress and collect data to
determine how the selected measure has changed?
474. What happens to any remaining funds not used?
475. Is it feasible to establish a control group arrangement?
476. Is the COSO Internal Control project responsive to community need?
477. Ask: are others positioned to know, are others credible, and will others
cooperate?
478. Can a trend be established from historical performance data on the selected
measure and are the criteria for using trend analysis or forecasting methods met?
479. Who is best positioned to know and assist in identifying corresponding
factors?
480. What is the purpose of estimating?
481. What will others want?
482. What costs are to be estimated?
483. Will the COSO Internal Control project collaborate with the local
community and leverage resources?
484. How will the results be shared and to whom?
2.23 Cost Baseline: COSO Internal Control
485. Has the COSO Internal Control project documentation been archived or
otherwise disposed as described in the COSO Internal Control project
communication plan?
486. What is the consequence?
487. Is the requested change request a result of changes in other COSO Internal
Control project(s)?
488. Has the COSO Internal Control project (or COSO Internal Control project
phase) been evaluated against each objective established in the product
description and Integrated COSO Internal Control project Plan?
489. Does a process exist for establishing a cost baseline to measure COSO
Internal Control project performance?
490. What strengths do you have?
491. How long are you willing to wait before you find out you're late?
492. Has operations management formally accepted responsibility for operating
and maintaining the product(s) or service(s) delivered by the COSO Internal
Control project?
493. Escalation criteria met?
494. How likely is it to go wrong?
495. What is your organization's history in doing similar tasks?
496. Has the actual cost of the COSO Internal Control project (or COSO Internal
Control project phase) been tallied and compared to the approved budget?
497. If you sold 10x widgets on a day, what would the effect on profits be?
498. On time?
499. Is there anything unique in this COSO Internal Control project's scope
statement that will affect resources?
500. What does a good WBS NOT look like?
501. Does it impact schedule, cost, quality?
502. How accurate do cost estimates need to be?
503. Are procedures defined by which the cost baseline may be changed?
504. What weaknesses do you have?
2.24 Quality Management Plan: COSO Internal
Control
505. How does your organization determine the requirements and
product/service features important to customers?
506. Is the process working, but people are not executing in compliance with the
process?
507. Can the requirements be traced to the appropriate components of the
solution, as well as test scripts?
508. Who is responsible for writing the QAPP?
509. How are people conducting sampling trained?
510. Are QMPs good forever?
511. How do you prioritize?
512. Show/provide copy of procedures for taking field notes?
513. Diagrams and tables to account for complex concepts and increase overall
readability?
514. What are your organization's current levels and trends for the already stated
measures related to customer satisfaction/dissatisfaction and product/service
performance?
515. Is it necessary?
516. How do you manage quality?
517. How does your organization recruit, hire, and retain new employees?
518. How are calibration records kept?
519. What are you trying to accomplish?
520. What would you gain if you spent time working to improve this process?
521. How does your organization use comparative data and information to
improve organizational performance?
522. Do trained quality assurance auditors conduct the audits as defined in the
Quality Management Plan and scheduled by the COSO Internal Control project
manager?
2.25 Quality Metrics: COSO Internal Control
523. The metrics: what is being considered?
524. Was material distributed on time?
525. How is it being measured?
526. Is material complete (and does it meet the standards)?
527. Is there a set of procedures to capture, analyze and act on quality metrics?
528. How do you calculate corresponding metrics?
529. Have alternatives been defined in the event that failure occurs?
530. Which are the right metrics to use?
531. What is the timeline to meet your goal?
532. When is the security analysis testing complete?
533. What documentation is required?
534. How do you know if everyone is trying to improve the right things?
535. What method of measurement do you use?
536. Are quality metrics defined?
537. How are requirements conflicts resolved?
538. Was the overall quality better or worse than previous products?
539. What approved evidence based screening tools can be used?
540. Is there alignment within your organization on definitions?
541. Is a risk containment plan in place?
542. Which report did you use to create the data you are submitting?
2.26 Process Improvement Plan: COSO Internal
Control
543. Are you following the quality standards?
544. Are you making progress on the improvement framework?
545. Are you making progress on your improvement plan?
546. What personnel are the coaches for your initiative?
547. Who should prepare the process improvement action plan?
548. Why do you want to achieve the goal?
549. What personnel are the champions for the initiative?
550. Does explicit definition of the measures exist?
551. Management commitment at all levels?
552. How do you measure?
553. Are there forms and procedures to collect and record the data?
554. Where do you want to be?
555. If a process improvement framework is being used, which elements will
help the problems and goals listed?
556. What lessons have you learned so far?
557. Has a process guide to collect the data been developed?
558. What makes people good SPI coaches?
559. Where do you focus?
560. Modeling current processes is great, and will you ever see a return on that
investment?
561. Purpose of goal: the motive is determined by asking, why do you want to
achieve this goal?
2.27 Responsibility Assignment Matrix: COSO
Internal Control
562. No Rs, As, or Cs: if an identified role is only informed, should others be
eliminated from the matrix?
563. Are control accounts opened and closed based on the start and completion
of work contained therein?
564. Are work packages assigned to performing organizations?
565. Are overhead cost budgets established for each organization which has
authority to incur overhead costs?
566. Are significant decision points, constraints, and interfaces identified as key
milestones?
567. Detailed schedules which support control account and work package start
and completion dates/events?
568. Competencies and craftsmanship – what competencies are necessary and
what level?
569. What happens when others get pulled for higher priority COSO Internal
Control projects?
570. Are records maintained to show how management reserves are used?
571. Do you need to convince people that it's well worth the time and effort?
572. Are detailed work packages planned as far in advance as practicable?
573. Availability – will the group or the person be available within the necessary
time interval?
574. Is work progressively subdivided into detailed work packages as
requirements are defined?
575. Does the contractor's system identify work accomplishment against the
schedule plan?
576. Are the actual costs used for variance analysis reconcilable with data from
the accounting system?
577. What do you need to implement earned value management?
2.28 Roles and Responsibilities: COSO Internal
Control
578. Implementation of actions: Who are the responsible units?
579. Attainable / achievable: the goal is attainable; can you actually accomplish
the goal?
580. Once the responsibilities are defined for the COSO Internal Control project,
have the deliverables, roles and responsibilities been clearly communicated to
every participant?
581. What areas of supervision are challenging for you?
582. Does your vision/mission support a culture of quality data?
583. Was the expectation clearly communicated?
584. Are governance roles and responsibilities documented?
585. Be specific; avoid generalities. Thank you and great work alone are
insufficient. What exactly do you appreciate and why?
586. Do the values and practices inherent in the culture of your organization
foster or hinder the process?
587. Influence: what areas of organizational decision making are you able to
influence when you do not have authority to make the final decision?
588. What is working well?
589. Is there a training program in place for stakeholders covering expectations,
roles and responsibilities and any additional knowledge others need to be good
stakeholders?
590. How well did the COSO Internal Control project Team understand the
expectations of specific roles and responsibilities?
591. What are your major roles and responsibilities in the area of performance
measurement and assessment?
592. To decide whether to use a quality measurement, ask how will you know
when it is achieved?
593. Are COSO Internal Control project team roles and responsibilities
identified and documented?
594. Do you take the time to clearly define roles and responsibilities on COSO
Internal Control project tasks?
595. Required skills, knowledge, experience?
596. What is working well within your organization's performance management
system?
2.29 Human Resource Management Plan: COSO
Internal Control
597. What did you have to assume to be true to complete the charter?
598. What skills, knowledge and experiences are required?
599. Are target dates established for each milestone deliverable?
600. COSO Internal Control project definition & scope?
601. Were COSO Internal Control project team members involved in detailed
estimating and scheduling?
602. Are corrective actions and variances reported?
603. Is the structure for tracking the COSO Internal Control project schedule
well defined and assigned to a specific individual?
604. Are all vendor contracts closed out?
605. Are the COSO Internal Control project team members located locally to the
users/stakeholders?
606. Is there a Quality Management Plan?
607. Are the quality tools and methods identified in the Quality Plan appropriate
to the COSO Internal Control project?
608. Are people motivated to meet the current and future challenges?
609. Does all COSO Internal Control project documentation reside in a common
repository for easy access?
610. Are meeting minutes captured and sent out after the meeting?
611. Have reserves been created to address risks?
612. Does the COSO Internal Control project have a formal COSO Internal
Control project Charter?
613. How are you going to ensure that you have a well motivated workforce?
2.30 Communications Management Plan: COSO
Internal Control
614. Who will use or be affected by the result of a COSO Internal Control
project?
615. Are stakeholders internal or external?
616. Who to learn from?
617. Are you constantly rushing from meeting to meeting?
618. In your work, how much time is spent on stakeholder identification?
619. What are the interrelationships?
620. Are the stakeholders getting the information others need, are others
consulted, are concerns addressed?
621. How will the person responsible for executing the communication item be
notified?
622. Are others needed?
623. How much time does it take to do it?
624. What data is going to be required?
625. Who have you worked with in past, similar initiatives?
626. Why do you manage communications?
627. What is the stakeholder's level of authority?
628. What approaches do you use?
629. Why is stakeholder engagement important?
630. Who needs to know and how much?
631. What help do you and your team need from the stakeholder?
632. Are there potential barriers between the team and the stakeholder?
633. Who is involved as you identify stakeholders?
2.31 Risk Management Plan: COSO Internal Control
634. How is risk response planning performed?
635. How can the process be made more effective or less cumbersome (process
improvements)?
636. Degree of confidence in the size estimate?
637. Monitoring: what factors can you track that will enable you to determine if
the risk is becoming more or less likely?
638. For software: does the software interface with new or unproven hardware or
unproven vendor products?
639. Number of users of the product?
640. Is the number of people on the COSO Internal Control project team
adequate to do the job?
641. Prioritized components/features?
642. Risk documentation: what reporting formats and processes will be used for
risk management activities?
643. What are the chances the event will occur?
644. Management: what contingency plans do you have if the risk becomes a
reality?
645. Why do you need to manage COSO Internal Control project Risk?
646. How will the COSO Internal Control project know if your organization's
risk response actions were effective?
647. Is the customer willing to establish rapid communication links with the
developer?
648. Are tools for analysis and design available?
649. Does the customer have a solid idea of what is required?
650. What things are likely to change?
651. What risks are necessary to achieve success?
652. How much risk can you tolerate?
653. How is the audit profession changing?
2.32 Risk Register: COSO Internal Control
654. How could corresponding Risk affect the COSO Internal Control project in
terms of cost and schedule?
655. Who needs to know about this?
656. What would the impact to the COSO Internal Control project objectives be
should the risk arise?
657. Are there any gaps in the evidence?
658. What are the major risks facing the COSO Internal Control project?
659. When will it happen?
660. How is a Community Risk Register created?
661. What should you do now?
662. What is the reason for current performance gaps and do the risks and
opportunities identified previously account for this?
663. What has changed since the last period?
664. What may happen or not go according to plan?
665. Preventative actions: planned actions to reduce the likelihood a risk will
occur and/or reduce the seriousness should it occur. What should you do now?
666. People risk: are people with appropriate skills available to help complete
the COSO Internal Control project?
667. What should the audit role be in establishing a risk management process?
668. What is the probability and impact of the risk occurring?
669. Recovery actions: planned actions taken once a risk has occurred to allow
you to move on. What should you do after?
670. How well are risks controlled?
671. How often will the Risk Management Plan and Risk Register be formally
reviewed, and by whom?
672. Are your objectives at risk?
2.33 Probability and Impact Assessment: COSO
Internal Control
673. Is security a central objective?
674. What will be the likely political environment during the life of the COSO
Internal Control project?
675. Who should be notified of the occurrence of each of the risk indicators?
676. Are the facilities, expertise, resources, and management know-how
available to handle the situation?
677. Which of corresponding risk factors can be avoided altogether?
678. What is the probability of the risk occurring?
679. Can the COSO Internal Control project proceed without assuming the risk?
680. What are the current demands of the customer?
681. Are the software tools integrated with each other?
682. What are the current requirements of the customer?
683. Are the risk data complete?
684. How will economic events and trends likely affect the COSO Internal
Control project?
685. Is the process supported by tools?
686. Are end-users enthusiastically committed to the COSO Internal Control
project and the system/product to be built?
687. What is the risk appetite?
688. Do you have a mechanism for managing change?
689. Is the technology to be built new to your organization?
690. What are the preparations required for facing difficulties?
691. Do you have a consistent repeatable process that is actually used?
2.34 Probability and Impact Matrix: COSO Internal
Control
692. What needs to be DONE?
693. Which phase of the COSO Internal Control project do you take part in?
694. Is there any sign of biased ranking?
695. What are the risks involved in appointing external agencies to manage the
COSO Internal Control project?
696. Are you working on the right risks?
697. What should be the level of difficulty in handling the technology?
698. What can you do about it?
699. What things might go wrong?
700. How can you understand and diagnose risks and identify sources?
701. What action would you take to the identified risks in the COSO Internal
Control project?
702. What would be the effect of slippage?
703. Sensitivity analysis: which risks will have the most impact on the COSO
Internal Control project?
704. How is the COSO Internal Control project going to be managed?
705. What are the chances the risk events will occur?
706. Are COSO Internal Control project requirements stable?
707. How are risks and risk management perceived in the COSO Internal
Control project?
708. Do end-users have realistic expectations?
2.35 Risk Data Sheet: COSO Internal Control
709. What is the likelihood of it happening?
710. What do people affected think about the need for, and practicality of
preventive measures?
711. Has the most cost-effective solution been chosen?
712. What do you know?
713. Is the data sufficiently specified in terms of the type of failure being
analyzed, and its frequency or probability?
714. What is the chance that it will happen?
715. What are you weak at and therefore need to do better?
716. Whom do you serve (customers)?
717. Has a sensitivity analysis been carried out?
718. How do you handle product safely?
719. Who has a vested interest in how you perform as an organization (your
stakeholders)?
720. Type of risk identified?
721. What is the environment within which you operate (social trends,
economic, community values, broad based participation, national directions
etc.)?
722. What are you trying to achieve (Objectives)?
723. If it happens, what are the consequences?
724. What will be the consequences if it happens?
725. Potential for recurrence?
726. What are you here for (Mission)?
727. How reliable is the data source?
2.36 Procurement Management Plan: COSO Internal
Control
728. Has a sponsor been identified?
729. Are COSO Internal Control project team roles and responsibilities
identified and documented?
730. Is documentation created for communication with the suppliers and
Vendors?
731. Has a COSO Internal Control project Communications Plan been
developed?
732. Why is procurement planning important?
733. What areas are overlooked on this COSO Internal Control project?
734. Are estimating assumptions and constraints captured?
735. Has the schedule been baselined?
736. Has the COSO Internal Control project scope been baselined?
737. Is a stakeholder management plan in place that covers topics?
738. How will multiple providers be managed?
739. Does the COSO Internal Control project have a Statement of Work?
740. Are the COSO Internal Control project plans updated on a frequent basis?
741. Is there a formal set of procedures supporting Issues Management?
742. What is a COSO Internal Control project Management Plan?
743. Do COSO Internal Control project teams & team members report on status /
activities / progress?
744. Are the budget estimates reasonable?
2.37 Source Selection Criteria: COSO Internal
Control
745. Does your documentation identify why the team concurs or differs with
reported performance from past performance report (CPARs, questionnaire
responses, etc.)?
746. What does a sample rating scale look like?
747. How can business terms and conditions be improved to yield more effective
price competition?
748. What information is to be provided and when should it be provided?
749. When is it appropriate to conduct a preproposal conference?
750. What is the basis of an estimate and what assumptions were made?
751. What management structure does your organization consider as optimal for
performing the contract?
752. What should clarifications include?
753. How should comments received in response to an RFP be handled?
754. How long will it take for the purchase cost to be the same as the lease cost?
755. What benefits are accrued from issuing a DRFP in advance of issuing a
final RFP?
756. In order of importance, which evaluation criteria are the most critical to the
determination of your overall rating?
757. What information may not be provided?
758. How do you ensure an integrated assessment of proposals?
759. What can not be disclosed?
760. Does an evaluation need to include the identification of strengths and
weaknesses?
761. What should be the contracting officer's strategy?
762. Is a cost realism analysis used?
763. Who is on the Source Selection Advisory Committee?
2.38 Stakeholder Management Plan: COSO Internal
Control
764. Why is it important to reduce deliverables to their smallest components?
765. Are staff skills known and available for each task?
766. Is the schedule updated on a periodic basis?
767. Is there an on-going process in place to monitor COSO Internal Control
project risks?
768. Which risks pose the highest threat?
769. Which impacts could serve as impediments?
770. What are reporting requirements?
771. Have process improvement efforts been completed before requirements
efforts begin?
772. Are adequate resources provided for the quality assurance function?
773. What process was used to identify risks to the COSO Internal Control
project's success?
774. Have all team members been part of identifying risks?
775. After observing execution of process, is it in compliance with the
documented Plan?
2.39 Change Management Plan: COSO Internal
Control
776. Clearly articulate the overall business benefits of the COSO Internal
Control project: why are you doing this now?
777. Different application of an existing process?
778. How much COSO Internal Control project management is needed?
779. How will the stakeholders share information and transfer knowledge?
780. Has the training co-ordinator been provided with the training details and put
in place the necessary arrangements?
781. What work practices will be affected?
782. What type of materials/channels will be available to leverage?
783. Which relationships will change?
784. What are the major changes to processes?
785. Will the readiness criteria be met prior to the training roll out?
786. When does it make sense to customize?
787. What are the responsibilities assigned to each role?
788. How frequently should you repeat the message?
789. How badly can information be misinterpreted?
790. What is the most cynical response it can receive?
791. Why is it important?
792. What can you do to minimise misinterpretation and negative perceptions?
793. What is the worst thing that can happen if you communicate information?
794. Is it the same for each of the business units?
3.0 Executing Process Group: COSO Internal Control
795. Will new hardware or software be required for servers or client machines?
796. How can your organization use a weighted decision matrix to evaluate
proposals as part of source selection?
797. Is it under budget or over budget?
798. Is the COSO Internal Control project performing better or worse than
planned?
799. Who will provide training?
800. How can software assist in COSO Internal Control project
communications?
801. If action is called for, what form should it take?
802. When do you share the scorecard with managers?
803. How do you measure difficulty?
804. What factors are contributing to progress or delay in the achievement of
products and results?
805. What were things that you did very well and want to do the same again on
the next COSO Internal Control project?
806. How will you avoid scope creep?
807. Why do you need a good WBS to use COSO Internal Control project
management software?
808. What are the critical steps involved with strategy mapping?
809. Do the partners have sufficient financial capacity to keep up the benefits
produced by the programme?
810. What are the main types of goods and services being outsourced?
811. After how many days will the lease cost be the same as the purchase cost
for the equipment?
3.1 Team Member Status Report: COSO Internal Control
812. How can you make it practical?
813. How much risk is involved?
814. What specific interest groups do you have in place?
815. Does your organization have the means (staff, money, contract, etc.) to
produce or to acquire the product, good, or service?
816. Are the attitudes of staff regarding COSO Internal Control project work
improving?
817. Why is it to be done?
818. How is it to be done?
819. How will resource planning be done?
820. Do you have an Enterprise COSO Internal Control project Management
Office (EPMO)?
821. Are the products of your organization's COSO Internal Control projects meeting customers' objectives?
822. Will the staff do training or is that done by a third party?
823. Does every department have to have a COSO Internal Control project
Manager on staff?
824. Is there evidence that staff is taking a more professional approach toward management of your organization's COSO Internal Control projects?
825. What is to be done?
826. The problem with Reward & Recognition Programs is that the truly
deserving people all too often get left out. How can you make it practical?
827. When a team's productivity and success depend on collaboration and the efficient flow of information, what generally fails them?
828. Does the product, good, or service already exist within your organization?
829. Are your organization's COSO Internal Control projects more successful over time?
830. How does this product, good, or service meet the needs of the COSO
Internal Control project and your organization as a whole?
3.2 Change Request: COSO Internal Control
831. Who is communicating the change?
832. How do team members communicate with each other?
833. How to get changes (code) out in a timely manner?
834. What can be filed?
835. Who is responsible to authorize changes?
836. When to submit a change request?
837. Since there are no change requests in your COSO Internal Control project at
this point, what must you have before you begin?
838. How can changes be graded?
839. Screen shots or attachments included in a Change Request?
840. Change request coordination?
841. Are there requirements attributes that can discriminate between high and
low reliability?
842. Have SCM procedures for noting the change, recording it, and reporting it been followed?
843. Has a formal technical review been conducted to assess technical
correctness?
844. What are the requirements for urgent changes?
845. Are you implementing ITIL processes?
846. How many times must the change be modified or presented to the change
control board before it is approved?
847. Has your address changed?
848. What should be regulated in a change control operating instruction?
849. How fast will change requests be approved?
3.3 Change Log: COSO Internal Control
850. Is the change request within COSO Internal Control project scope?
851. Is the requested change request a result of changes in other COSO Internal
Control project(s)?
852. Will the COSO Internal Control project fail if the change request is not
executed?
853. Is the change request open, closed or pending?
854. Should a more thorough impact analysis be conducted?
855. Is the submitted change a new change or a modification of a previously
approved change?
856. Who initiated the change request?
857. When was the request approved?
858. How does this change affect scope?
859. When was the request submitted?
860. How does this relate to the standards developed for specific business
processes?
861. Is the change backward compatible without limitations?
862. Does the suggested change request represent a desired enhancement to the product's functionality?
863. How does this change affect the timeline of the schedule?
864. Does the suggested change request seem to represent a necessary
enhancement to the product?
865. Is this a mandatory replacement?
866. Do the described changes impact on the integrity or security of the system?
867. Where do changes come from?
3.4 Decision Log: COSO Internal Control
868. What is the average size of your matters in an applicable measurement?
869. Does anything need to be adjusted?
870. Is your opponent open to a non-traditional workflow, or will it likely
challenge anything you do?
871. What is your overall strategy for quality control / quality assurance
procedures?
872. Do strategies and tactics aimed at less than full control reduce the costs of
management or simply shift the cost burden?
873. It becomes critical to track and periodically revisit operational effectiveness: are you noticing all that you need to, and are you interpreting what you see effectively?
874. Behaviors: what guidelines has the team identified that will assist it in getting the most out of team meetings?
875. At what point in time does loss become unacceptable?
876. Is everything working as expected?
877. Linked to original objective?
878. What makes you different from or better than other companies selling the same thing?
879. How effective is maintaining the log at facilitating organizational learning?
880. What alternatives/risks were considered?
881. How do you know when you are achieving it?
882. Meeting purpose: why does this team meet?
883. What was the rationale for the decision?
884. How consolidated and comprehensive a story can you tell by capturing
currently available incident data in a central location and through a log of key
decisions during an incident?
885. Decision-making process: how will the team make decisions?
886. How do you define success?
887. How does an increasing emphasis on cost containment influence the
strategies and tactics used?
3.5 Quality Audit: COSO Internal Control
888. Is the report's overall tone appropriate?
889. What has changed/improved as a result of the review processes?
890. Have the risks associated with the intentions been identified, analyzed and
appropriate responses developed?
891. What are you trying to do?
892. How does your organization know that its security arrangements are
appropriately effective and constructive?
893. How does your organization know that its relationships with industry and
employers are appropriately effective and constructive?
894. How does your organization know that its Mission, Vision and Values
Statements are appropriate and effectively guiding your organization?
895. Are goals well supported with strategies, operational plans, manuals and
training?
896. It is inappropriate to seek information about the Audit Panel's preliminary views, including through questions like "why do you ask that?"
897. How does your organization know that its staff have appropriate access to a
fair and effective grievance process?
898. How does your organization know that its range of activities is being reviewed as rigorously and constructively as it could be?
899. Are there appropriate indicators for monitoring the effectiveness and
efficiency of processes?
900. Is the process of self review, learning and improvement endemic throughout
your organization?
901. Are multiple statements on the same issue consistent with each other?
902. How does the organization know that its system for maintaining and
advancing the capabilities of its staff, particularly in relation to the Mission of
the organization, is appropriately effective and constructive?
903. Is there a risk that information provided by management may not always be
reliable?
904. How does your organization know that its support services planning and
management systems are appropriately effective and constructive?
905. How does your organization know that its research funding systems are
appropriately effective and constructive in enabling quality research outcomes?
906. How does your organization know that its quality of teaching is
appropriately effective and constructive?
907. How does your organization know that its system for managing intellectual
property issues is appropriately effective, constructive and fair?
3.6 Team Directory: COSO Internal Control
908. Where will the product be used and/or delivered or built when appropriate?
909. Who will report COSO Internal Control project status to all stakeholders?
910. How do unidentified risks impact the outcome of the COSO Internal
Control project?
911. Process decisions: do job conditions warrant additional actions to collect
job information and document on-site activity?
912. What are you going to deliver or accomplish?
913. Who will write the meeting minutes and distribute?
914. Is construction on schedule?
915. Who are your stakeholders (customers, sponsors, end users, team
members)?
916. What needs to be communicated?
917. Who will talk to the customer?
918. Who should receive information (all stakeholders)?
919. Who is the Sponsor?
920. Who are the Team Members?
921. Process decisions: which organizational elements and which individuals
will be assigned management functions?
922. Process decisions: are there any statutory or regulatory issues relevant to
the timely execution of work?
923. When does information need to be distributed?
924. Where should the information be distributed?
925. Does a COSO Internal Control project team directory list all resources
assigned to the COSO Internal Control project?
926. Do purchase specifications and configurations match requirements?
3.7 Team Operating Agreement: COSO Internal Control
927. How will your group handle planned absences?
928. What are the current caseload numbers in the unit?
929. Communication protocols: how will the team communicate?
930. Do you record meetings for those unable to attend?
931. Do you brief absent members after they view meeting notes or listen to a
recording?
932. How will you resolve conflict efficiently and respectfully?
933. What individual strengths does each team member bring to the group?
934. Do you post meeting notes and the recording (if used) and notify
participants?
935. What is the number of cases currently teamed?
936. Do you determine the meeting length and time of day?
937. Are there differences in access to communication and collaboration
technology based on team member location?
938. Do you listen for voice tone and word choice to understand the meaning
behind words?
939. Do you post any action items, due dates, and responsibilities on the team
website?
940. How will you divide work equitably?
941. Did you draft the meeting agenda?
942. What is culture?
943. Seconds for members to respond?
944. Did you determine the technology methods that best match the messages to
be communicated?
945. What types of accommodations will be formulated and put in place for
sustaining the team?
946. Do you begin with a question to engage everyone?
3.8 Team Performance Assessment: COSO Internal Control
947. Delaying market entry: how long is too long?
948. What are teams?
949. What makes opportunities more or less obvious?
950. To what degree will team members, individually and collectively, commit
time to help themselves and others learn and develop skills?
951. To what degree are staff involved as partners in the improvement process?
952. How do you keep key people outside the group informed about its
accomplishments?
953. To what degree does the team's work approach provide opportunity for members to engage in results-based evaluation?
954. To what degree can all members engage in open and interactive
considerations?
955. To what degree are corresponding categories of skills either actually or
potentially represented across the membership?
956. To what degree does the team's approach to its work allow for modification and improvement over time?
957. To what degree is there a sense that only the team can succeed?
958. How do you recognize and praise members for contributions?
959. What do you think is the most constructive thing that could be done now to
resolve considerations and disputes about method variance?
960. Effects of crew composition on crew performance: Does the whole equal
the sum of its parts?
961. To what degree does the team's work approach provide opportunity for members to engage in open interaction?
962. To what degree are fresh input and perspectives systematically caught and
added (for example, through information and analysis, new members, and senior
sponsors)?
963. How hard do you try to make a good selection?
964. What is method variance?
965. To what degree are the goals realistic?
966. To what degree do members understand and articulate the same purpose
without relying on ambiguous abstractions?
3.9 Team Member Performance Assessment: COSO Internal Control
967. How do you make use of research?
968. What is the role of the Reviewer?
969. Are the draft goals SMART?
970. To what degree do the goals specify concrete team work products?
971. What resources do you need?
972. How was the determination made for which training platforms would be
used (i.e., media selection)?
973. To what degree does the team possess adequate membership to achieve its
ends?
974. What is needed for effective data teams?
975. How is performance assessment used in making future award decisions
including options and extend/compete decisions?
976. How do you currently account for your results in the team's achievement?
977. What innovations (if any) are developed to realize goals?
978. Do the goals support your organization's goals?
979. What entity leads the process, selects a potential restructuring option and
develops the plan?
980. Are the goals SMART?
981. What changes do you need to make to align practices with beliefs?
982. What are best practices in use for the performance measurement system?
983. Is it clear how goals will be accomplished?
984. What is the target group for instruction (e.g., individual and collective or
small team instruction)?
3.10 Issue Log: COSO Internal Control
985. What are the typical contents?
986. How do you reply to this question: "I am new here and managing this major program; how do you suggest I build my network?"
987. What is a Stakeholder?
988. What is the status of the issue?
989. What effort will a change need?
990. Can an impact cause deviation beyond team, stage or COSO Internal
Control project tolerances?
991. Do you feel a register helps?
992. Is access to the Issue Log controlled?
993. Who reported the issue?
994. Are the stakeholders getting the information they need, are they consulted,
are concerns addressed?
995. What are the stakeholders' interrelationships?
996. Which stakeholders are thought leaders, influencers, or early adopters?
997. How is this initiative related to other portfolios, programs, or COSO
Internal Control projects?
998. Why do you manage human resources?
999. Why multiple evaluators?
1000. How were past initiatives successful?
1001. What would have to change?
1002. Who were proponents/opponents?
4.0 Monitoring and Controlling Process Group: COSO Internal Control
1003. User: who wants the information and what are they interested in?
1004. How many potential communications channels exist on the COSO Internal
Control project?
1005. How well did the chosen processes fit the needs of the COSO Internal
Control project?
1006. What resources are necessary?
1007. Where is the Risk in the COSO Internal Control project?
1008. Change, where should you look for problems?
1009. How to ensure validity, quality and consistency?
1010. Are there areas that need improvement?
1011. What input will you be required to provide the COSO Internal Control
project team?
1012. Are the necessary foundations in place to ensure the sustainability of the
results of the programme?
1013. What were things that you did well, and could improve, and how?
1014. What departments are involved in its daily operation?
1015. Use: how will they use the information?
1016. How will staff learn how to use the deliverables?
1017. What areas were overlooked on this COSO Internal Control project?
1018. What is the timeline?
1019. What are the goals of the program?
4.1 Project Performance Report: COSO Internal Control
1020. Next Steps?
1021. To what degree do individual skills and abilities match task demands?
1022. To what degree can the cognitive capacity of individuals accommodate the
flow of information?
1023. To what degree do team members feel that the purpose of the team is
important, if not exciting?
1024. To what degree does the information network provide individuals with the
information they require?
1025. To what degree are sub-teams possible or necessary?
1026. To what degree are the relative importance and priority of the goals clear to all team members?
1027. What is in it for you?
1028. To what degree do members articulate the goals beyond the team
membership?
1029. To what degree does the team's work approach provide opportunity for members to engage in fact-based problem solving?
1030. To what degree can the team measure progress against specific goals?
1031. To what degree can team members vigorously define the team's purpose in considerations with others who are not part of the functioning team?
1032. How is the data used?
1033. To what degree do the relationships of the informal organization motivate task-relevant behavior and facilitate task completion?
1034. What is the degree to which rules govern information exchange between
groups?
1035. To what degree can the team ensure that all members are individually and jointly accountable for the team's purpose, goals, approach, and work products?
1036. To what degree will new and supplemental skills be introduced as the need
is recognized?
4.2 Variance Analysis: COSO Internal Control
1037. Is work properly classified as measured effort, LOE, or apportioned effort
and appropriately separated?
1038. The anticipated business volume?
1039. Is the anticipated (firm and potential) business base projected in a rational, consistent manner?
1040. How do you manage changes in the nature of the overhead requirements?
1041. What costs are avoidable if one or more customers are dropped?
1042. What is the actual cost of work performed?
1043. Who is generally responsible for monitoring and taking action on
variances?
1044. How do you identify and isolate causes of favorable and unfavorable cost
and schedule variances?
1045. Other relevant issues of Variance Analysis: selling price or gross margin?
1046. What business event causes fluctuations?
1047. Are there externalities from having some customers, even if they are
unprofitable in the short run?
1048. What is the total budget for the COSO Internal Control project (including
estimates for authorized and unpriced work)?
1049. How are variances affected by multiple material and labor categories?
1050. What is exceptional?
1051. Is the entire contract planned in time-phased control accounts to the extent
practicable?
4.3 Earned Value Status: COSO Internal Control
1052. If earned value management (EVM) is so good at determining the true status of a COSO Internal Control project and projecting its completion, why is it that hardly anyone uses it in information systems related COSO Internal Control projects?
1053. Where is evidence-based earned value in your organization reported?
1054. Earned value can be used in almost any COSO Internal Control project situation and in almost any COSO Internal Control project environment. It may be used on large COSO Internal Control projects, medium sized COSO Internal Control projects, tiny COSO Internal Control projects (in cut-down form), complex and simple COSO Internal Control projects, and in any market sector. Some people, of course, know all about earned value and have used it for years, but perhaps not as effectively as they could have?
1055. How much is it going to cost by the finish?
1056. Verification is a process of ensuring that the developed system satisfies the stakeholders' agreements and specifications: are you building the product right? What do you verify?
1057. When is it going to finish?
1058. What is the unit of forecast value?
1059. Are you hitting your COSO Internal Control project's targets?
1060. How does this compare with other COSO Internal Control projects?
1061. Where are your problem areas?
1062. Validation is a process of ensuring that the developed system will actually achieve the stakeholders' desired outcomes: are you building the right product? What do you validate?
4.4 Risk Audit: COSO Internal Control
1063. Do you have written and signed agreements/contracts in place for each
paid staff member?
1064. Have you reviewed your constitution within the last twelve months?
1065. Extending the consideration on the halo effect, to what extent are auditors
able to build skepticism in evidence review?
1066. Are there any forms the staff is required to sign?
1067. If applicable, are compilers and code generators available and suitable for the product to be built?
1068. Are procedures developed to respond to foreseeable emergencies and
communicated to all involved?
1069. Is the customer technically sophisticated in the product area?
1070. Will participants be required to sign a legally counselled waiver or risk
disclaimer when entering an event?
1071. Do all coaches/instructors/leaders have appropriate and current
accreditation?
1072. Are you aware of the industry standards that apply to your operations?
1073. Have risks been considered with an insurance broker or provider and
suitable insurance cover been arranged?
1074. Are COSO Internal Control project requirements stable?
1075. What are the risks that could stop you from achieving your KPIs?
1076. Are risk management strategies documented?
1077. How will you maximise opportunities?
1078. Have all involved been advised of any obligations they have to sponsors?
1079. Who is responsible for what?
4.5 Contractor Status Report: COSO Internal Control
1080. What was the overall budget or estimated cost?
1081. What was the final actual cost?
1082. Describe how often regular updates are made to the proposed solution. Are
corresponding regular updates included in the standard maintenance plan?
1083. What was the budget or estimated cost for your organization's services?
1084. What was the actual budget or estimated cost for your organization's services?
1085. What process manages the contracts?
1086. Who can list a COSO Internal Control project as organization experience,
your organization or a previous employee of your organization?
1087. Are there contractual transfer concerns?
1088. If applicable, describe your standard schedule for new software version releases. Are new software version releases included in the standard maintenance plan?
1089. What is the average response time for answering a support call?
1090. What are the minimum and optimal bandwidth requirements for the
proposed solution?
1091. How long have you been using the services?
1092. How is risk transferred?
1093. How does the proposed individual meet each requirement?
4.6 Formal Acceptance: COSO Internal Control
1094. Was the sponsor/customer satisfied?
1095. What is the Acceptance Management Process?
1096. Have all comments been addressed?
1097. Was the COSO Internal Control project work done on time, within budget,
and according to specification?
1098. Do you perform formal acceptance or burn-in tests?
1099. Does it do what the COSO Internal Control project team said it would?
1100. How well did the team follow the methodology?
1101. Was the COSO Internal Control project goal achieved?
1102. What features, practices, and processes proved to be strengths or
weaknesses?
1103. What function(s) does it fill or meet?
1104. What can you do better next time?
1105. Was the client satisfied with the COSO Internal Control project results?
1106. General estimate of the costs and times to complete the COSO Internal
Control project?
1107. Does it do what the client said it would?
1108. Who supplies data?
1109. Do you buy pre-configured systems or build your own configuration?
1110. Was business value realized?
1111. Did the COSO Internal Control project achieve its MOV?
1112. Who would use it?
1113. How does your team plan to obtain formal acceptance on your COSO
Internal Control project?
5.0 Closing Process Group: COSO Internal Control
1114. What is the COSO Internal Control project name and date of completion?
1115. What is an Encumbrance?
1116. Was the schedule met?
1117. What were things that you did very well and want to do the same again on
the next COSO Internal Control project?
1118. Did the COSO Internal Control project team have the right skills?
1119. Will the COSO Internal Control project deliverable(s) replace a current
asset or group of assets?
1120. What areas were overlooked on this COSO Internal Control project?
1121. Is there a clear cause and effect between the activity and the lesson
learned?
1122. How critical is the COSO Internal Control project success to the success of
your organization?
1123. How well defined and documented were the COSO Internal Control
project management processes you chose to use?
1124. Is this a follow-on to a previous COSO Internal Control project?
1125. What level of risk does the proposed budget represent to the COSO
Internal Control project?
1126. Can the lesson learned be replicated?
1127. How will you know you did it?
1128. What was learned?
1129. Were cost budgets met?
1130. What areas does the group agree are the biggest success on the COSO
Internal Control project?
5.1 Procurement Audit: COSO Internal Control
1131. Is the issuance of purchase orders scheduled so that orders are not issued
daily?
1132. Was the expert likely to gain privileged knowledge from his activity which
could be advantageous for him in a subsequent competition?
1133. In a competitive dialogue, were solutions proposed or confidential
information given by a candidate not revealed to others without his/her express
agreement?
1134. Does the manual contain policies relating to all business management
functions?
1135. Does the cash disbursement policy prohibit drawing checks to cash or
bearer?
1136. Is free and fair (international) competition promoted by organizational
policies and legislation, in line with legal, trade organizations and other policies?
1137. Does the department evaluate and benchmark the performance of the
procurement function/ unit against other comparable procurement
functions/units?
1138. Are the official minutes written in a clear and concise manner?
1139. Was the performance description adequate to needs and legal
requirements?
1140. Does your organization maintain a current file of vendors and vendor
catalogues?
1141. Were there no material changes in the contract shortly after award?
1142. Is there no evidence of favouritism towards a particular contractor during
the evaluation and negotiation processes?
1143. Are there procedures for trade-in arrangements?
1144. Are the established budget and timetable (milestones) respected?
1145. Is the routing of copies of purchase order forms defined?
1146. Is it assessed whether well-functioning markets exist for the department's services/tasks?
1147. Was the decision on the award process accurate and adequately
communicated?
1148. If an electronic auction or a dynamic purchasing system was used, did the
tender documents specify details on access to information, electronic equipment
used and connection specifications?
1149. Does the procurement COSO Internal Control project comply with
European Communities regulations and rules?
1150. Are the purchase order forms designed for efficient and simple
completion?
5.2 Contract Close-Out: COSO Internal Control
1151. How/when used?
1152. Have all contract records been included in the COSO Internal Control
project archives?
1153. Parties: Authorized?
1154. Parties: who is involved?
1155. How is the contracting office notified of the automatic contract close-out?
1156. Was the contract sufficiently clear so as not to result in numerous disputes
and misunderstandings?
1157. Was the contract complete without requiring numerous changes and
revisions?
1158. How does it work?
1159. What is capture management?
1160. Has each contract been audited to verify acceptance and delivery?
1161. What happens to the recipient of services?
1162. Change in knowledge?
1163. Are the signers the authorized officials?
1164. Change in attitude or behavior?
1165. Have all acceptance criteria been met prior to final payment to
contractors?
1166. Was the contract type appropriate?
1167. Have all contracts been completed?
1168. Have all contracts been closed?
1169. Change in circumstances?
5.3 Project or Phase Close-Out: COSO Internal Control
1170. What security considerations needed to be addressed during the
procurement life cycle?
1171. In addition to assessing whether the COSO Internal Control project was
successful, it is equally critical to analyze why it was or was not fully successful.
Are you including this?
1172. What was the preferred delivery mechanism?
1173. Is the lesson significant, valid, and applicable?
1174. What is the information level of detail required for each stakeholder?
1175. Did the COSO Internal Control project management methodology work?
1176. Who exerted influence that has positively affected or negatively impacted
the COSO Internal Control project?
1177. Who controlled the resources for the COSO Internal Control project?
1178. What were the desired outcomes?
1179. Who is responsible for award close-out?
1180. Complete yes or no?
1181. What information is each stakeholder group interested in?
1182. Planned completion date?
1183. What are the marketing communication needs for each stakeholder?
1184. What is this stakeholder expecting?
1185. What is a Risk?
1186. How much influence did the stakeholder have over others?
1187. What process was planned for managing issues/risks?
5.4 Lessons Learned: COSO Internal Control
1188. What rewards do the individuals seek?
1189. How well defined were the acceptance criteria for COSO Internal Control
project deliverables?
1190. Was the COSO Internal Control project manager sufficiently experienced,
skilled, trained, supported?
1191. How timely was the training you received in preparation for the use of the
product/service?
1192. Did the delivered product meet the specified requirements and goals of the
COSO Internal Control project?
1193. If issue escalation was required, how effectively were issues resolved?
1194. Were the COSO Internal Control project objectives met (if not, briefly account for what wasn't met)?
1195. What would you change?
1196. Was the change control process properly implemented to manage changes
to cost, scope, schedule, or quality?
1197. What were the major enablers to a quick response?
1198. How useful was your testing?
1199. What mistakes did you successfully avoid making?
1200. How well did the COSO Internal Control project Manager respond to
questions or comments related to the COSO Internal Control project?
1201. What are the performance measures?
1202. Was any formal risk assessment carried out at the start of the COSO
Internal Control project, and was this followed up during the COSO Internal
Control project?
1203. What things mattered the most on this COSO Internal Control project?
1204. What are the needs of the individuals?
1205. How does the budget cycle affect the case?