COSO Internal Control Complete Self-Assessment Guide

Notice of rights

You are licensed to use the Self-Assessment contents in your presentations and materials for internal use and customers without asking us - we are here to help. All rights reserved for the book itself: this book may not be reproduced or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher.

The information in this book is distributed on an “As Is” basis without warranty.
While every precaution has been taken in the preparation of the book, neither the author nor the publisher shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions contained in this book or by the products described in it.

Trademarks

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations appear as requested by the owner of the trademark. All other product names and services identified throughout this book are used in editorial fashion only and for the benefit of such companies with no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with this book.

Copyright © by The Art of Service
https://theartofservice.com
support@theartofservice.com

About The Art of Service

The Art of Service, Business Process Architects since 2000, is dedicated to helping stakeholders achieve excellence.

Defining, designing, creating, and implementing a process to solve a stakeholder’s challenge or meet an objective is the most valuable role… In EVERY group, company, organization and department.

Unless you’re talking about a one-time, single-use project, there should be a process. Whether that process is managed and implemented by humans, AI, or a combination of the two, it needs to be designed by someone with a complex enough perspective to ask the right questions. Someone capable of asking the right questions, stepping back and saying, ‘What are we really trying to accomplish here?
And is there a different way to look at it?’

With The Art of Service’s Self-Assessments, we empower people who can do just that — whether their title is marketer, entrepreneur, manager, salesperson, consultant, Business Process Manager, executive assistant, IT Manager, CIO etc. — they are the people who rule the future. They are people who watch the process as it happens, and ask the right questions to make the process work better.

Contact us when you need any support with this Self-Assessment and any help with templates, blueprints and examples of standard documents you might need:
https://theartofservice.com
support@theartofservice.com

Included Resources - how to access

Included with your purchase of the book is the COSO Internal Control Self-Assessment Spreadsheet Dashboard which contains all questions and Self-Assessment areas and auto-generates insights, graphs, and project RACI planning - all with examples to get you started right away.

How? Simply send an email to access@theartofservice.com with this book’s title in the subject to get the COSO Internal Control Self Assessment Tool right away.

The auto reply will guide you further; you will then receive the following contents with New and Updated specific criteria:

• The latest quick edition of the book in PDF
• The latest complete edition of the book in PDF, which criteria correspond to the criteria in...
• The Self-Assessment Excel Dashboard, and...
• Example pre-filled Self-Assessment Excel Dashboard to get familiar with results generation
• In-depth specific Checklists covering the topic
• Project management checklists and templates to assist with implementation

INCLUDES LIFETIME SELF ASSESSMENT UPDATES

Every self assessment comes with Lifetime Updates and Lifetime Free Updated Books. Lifetime Updates is an industry-first feature which allows you to receive verified self assessment updates, ensuring you always have the most accurate information at your fingertips.
Purpose of this Self-Assessment

This Self-Assessment has been developed to improve understanding of the requirements and elements of COSO Internal Control, based on best practices and standards in business process architecture, design and quality management. It is designed to allow for a rapid Self-Assessment to determine how closely existing management practices and procedures correspond to the elements of the Self-Assessment.

The criteria of requirements and elements of COSO Internal Control have been rephrased in the format of a Self-Assessment questionnaire, with a seven-criterion scoring system, as explained in this document. In this format, even with limited background knowledge of COSO Internal Control, a manager can quickly review existing operations to determine how they measure up to the standards. This in turn can serve as the starting point of a ‘gap analysis’ to identify management tools or system elements that might usefully be implemented in the organization to help improve overall performance.

How to use the Self-Assessment

On the following pages are a series of questions to identify to what extent your COSO Internal Control initiative is complete in comparison to the requirements set in standards. To facilitate answering the questions, there is a space in front of each question to enter a score on a scale of ‘1’ to ‘5’.

1 Strongly Disagree
2 Disagree
3 Neutral
4 Agree
5 Strongly Agree

Read the question and rate it with the following in front of mind: ‘In my belief, the answer to this question is clearly defined’.
There are two ways in which you can choose to interpret this statement:

1. How aware are you that the answer to the question is clearly defined?
2. For more in-depth analysis, you can choose to gather evidence and confirm the answer to the question. This obviously will take more time; most Self-Assessment users opt for the first way to interpret the question and dig deeper later on based on the outcome of the overall Self-Assessment.

A score of ‘1’ would mean that the answer is not clear at all, where a ‘5’ would mean the answer is crystal clear and defined. Leave empty when the question is not applicable or you don’t want to answer it; you can skip it without affecting your score. Write your score in the space provided.

After you have responded to all the appropriate statements in each section, compute your average score for that section, using the formula provided, and round to the nearest tenth. Then transfer to the corresponding spoke in the COSO Internal Control Scorecard on the second next page of the Self-Assessment.

Your completed COSO Internal Control Scorecard will give you a clear presentation of which COSO Internal Control areas need attention.
COSO Internal Control Scorecard Example

Example of what the finalized Scorecard can look like:

COSO Internal Control Scorecard

Your Scores:

BEGINNING OF THE SELF-ASSESSMENT:

Table of Contents

About The Art of Service
Included Resources - how to access
Purpose of this Self-Assessment
How to use the Self-Assessment
COSO Internal Control Scorecard Example
COSO Internal Control Scorecard
BEGINNING OF THE SELF-ASSESSMENT:
CRITERION #1: RECOGNIZE
CRITERION #2: DEFINE:
CRITERION #3: MEASURE:
CRITERION #4: ANALYZE:
CRITERION #5: IMPROVE:
CRITERION #6: CONTROL:
CRITERION #7: SUSTAIN:
COSO Internal Control and Managing Projects, Criteria for Project Managers:
1.0 Initiating Process Group: COSO Internal Control
1.1 Project Charter: COSO Internal Control
1.2 Stakeholder Register: COSO Internal Control
1.3 Stakeholder Analysis Matrix: COSO Internal Control
2.0 Planning Process Group: COSO Internal Control
2.1 Project Management Plan: COSO Internal Control
2.2 Scope Management Plan: COSO Internal Control
2.3 Requirements Management Plan: COSO Internal Control
2.4 Requirements Documentation: COSO Internal Control
2.5 Requirements Traceability Matrix: COSO Internal Control
2.6 Project Scope Statement: COSO Internal Control
2.7 Assumption and Constraint Log: COSO Internal Control
2.8 Work Breakdown Structure: COSO Internal Control
2.9 WBS Dictionary: COSO Internal Control
2.10 Schedule Management Plan: COSO Internal Control
2.11 Activity List: COSO Internal Control
2.12 Activity Attributes: COSO Internal Control
2.13 Milestone List: COSO Internal Control
2.14 Network Diagram: COSO Internal Control
2.15 Activity Resource Requirements: COSO Internal Control
2.16 Resource Breakdown Structure: COSO Internal Control
2.17 Activity Duration Estimates: COSO Internal Control
2.18 Duration Estimating Worksheet: COSO Internal Control
2.19 Project Schedule: COSO Internal Control
2.20 Cost Management Plan: COSO Internal Control
2.21 Activity Cost Estimates: COSO Internal Control
2.22 Cost Estimating Worksheet: COSO Internal Control
2.23 Cost Baseline: COSO Internal Control
2.24 Quality Management Plan: COSO Internal Control
2.25 Quality Metrics: COSO Internal Control
2.26 Process Improvement Plan: COSO Internal Control
2.27 Responsibility Assignment Matrix: COSO Internal Control
2.28 Roles and Responsibilities: COSO Internal Control
2.29 Human Resource Management Plan: COSO Internal Control
2.30 Communications Management Plan: COSO Internal Control
2.31 Risk Management Plan: COSO Internal Control
2.32 Risk Register: COSO Internal Control
2.33 Probability and Impact Assessment: COSO Internal Control
2.34 Probability and Impact Matrix: COSO Internal Control
2.35 Risk Data Sheet: COSO Internal Control
2.36 Procurement Management Plan: COSO Internal Control
2.37 Source Selection Criteria: COSO Internal Control
2.38 Stakeholder Management Plan: COSO Internal Control
2.39 Change Management Plan: COSO Internal Control
3.0 Executing Process Group: COSO Internal Control
3.1 Team Member Status Report: COSO Internal Control
3.2 Change Request: COSO Internal Control
3.3 Change Log: COSO Internal Control
3.4 Decision Log: COSO Internal Control
3.5 Quality Audit: COSO Internal Control
3.6 Team Directory: COSO Internal Control
3.7 Team Operating Agreement: COSO Internal Control
3.8 Team Performance Assessment: COSO Internal Control
3.9 Team Member Performance Assessment: COSO Internal Control
3.10 Issue Log: COSO Internal Control
4.0 Monitoring and Controlling Process Group: COSO Internal Control
4.1 Project Performance Report: COSO Internal Control
4.2 Variance Analysis: COSO Internal Control
4.3 Earned Value Status: COSO Internal Control
4.4 Risk Audit: COSO Internal Control
4.5 Contractor Status Report: COSO Internal Control
4.6 Formal Acceptance: COSO Internal Control
5.0 Closing Process Group: COSO Internal Control
5.1 Procurement Audit: COSO Internal Control
5.2 Contract Close-Out: COSO Internal Control
5.3 Project or Phase Close-Out: COSO Internal Control
5.4 Lessons Learned: COSO Internal Control
Index

CRITERION #1: RECOGNIZE

INTENT: Be aware of the need for change. Recognize that there is an unfavorable variation, problem or symptom.

In my belief, the answer to this question is clearly defined:

5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree

1. Who else hopes to benefit from it? <--- Score
2. Which controls would prevent disputes over the charges billed by independent contractors? <--- Score
3. Are there any specific expectations or concerns about the COSO Internal Control team, COSO Internal Control itself? <--- Score
4. Are there appropriate disclosures regarding going concern issues? <--- Score
5. What would happen if COSO Internal Control weren’t done? <--- Score
6. What problems are you facing and how do you consider COSO Internal Control will circumvent those obstacles? <--- Score
7. Are all material weaknesses serious problems for a registrant? <--- Score
8. What controls should have prevented actions? <--- Score
9. What information do you need from the other side? <--- Score
10. Are there open BCP issues to be resolved? <--- Score
11. What elements need to be put in place? <--- Score
12. Why do NGOs and CSOs need boards of directors? <--- Score
13. Can its performance be measured and problems detected and corrected? <--- Score
14. What situation(s) led to this COSO Internal Control Self Assessment? <--- Score
15. What are the legitimate needs and interests of key stakeholders from an ESG perspective? <--- Score
16. What could prevent the achievement of the business objectives? <--- Score
17. What are the expected benefits of COSO Internal Control to the stakeholder? <--- Score
18. Has your organization addressed fraud prevention issues? <--- Score
19. How are you going to measure success? <--- Score
20. What skills and attributes do board directors need to work together as a leadership team? <--- Score
21. Which issues private and public keys? <--- Score
22. Are there any issues likely to lead to qualification of the accounts? <--- Score
23. Are audit reports issued promptly? <--- Score
24. Are there any capital management issues? <--- Score
25. What controls are necessary to prevent, deter, and detect fraud? <--- Score
26. Do all internal audit reports need to be reviewed by the external auditor? <--- Score
27. How much are sponsors, customers, partners, stakeholders involved in COSO Internal Control? In other words, what are the risks, if COSO Internal Control does not deliver successfully? <--- Score
28. What issues have been reported/communicated? <--- Score
29. What issues are related to a lack of clarity over roles? <--- Score
30. What are the stakeholder objectives to be achieved with COSO Internal Control? <--- Score
31. What does COSO Internal Control success mean to the stakeholders? <--- Score
32. Does your organization issue receipts for all cash collections? <--- Score
33. As a sponsor, customer or management, how important is it to meet goals, objectives? <--- Score
34. How are the COSO Internal Control’s objectives aligned to the group’s overall stakeholder strategy? <--- Score
35. Can the independent auditor issue a report to management or the audit committee indicating that no significant deficiencies were noted during an audit of internal control over financial reporting? <--- Score
36. Is the misconduct part of a systemic problem? <--- Score
37. Why is the issue relevant to the business? <--- Score

Add up total points for this section: _____ = Total points for this section
Divided by: ______ (number of statements answered) = ______ Average score for this section
Transfer your score to the COSO Internal Control Index at the beginning of the Self-Assessment.
CRITERION #2: DEFINE: INTENT: Formulate the stakeholder problem. Define the problem, needs and objectives. In my belief, the answer to this question is clearly defined: 5 Strongly Agree 4 Agree 3 Neutral 2 Disagree 1 Strongly Disagree 1. What are the rough order estimates on cost savings/opportunities that COSO Internal Control brings? <--- Score 2. Has the improvement team collected the ‘voice of the customer’ (obtained feedback – qualitative and quantitative)? <--- Score 3. Which organization defines the policy on internal audit? <--- Score 4. Is a quarterly assessment required and, if so, when? <--- Score 5. Is the team sponsored by a champion or stakeholder leader? <--- Score 6. How does your organization define a control deficiency? <--- Score 7. Has/have the customer(s) been identified? <--- Score 8. Is there benefit in a generally recognized framework to help define what good looks like? <--- Score 9. What are the Roles and Responsibilities for each team member and its leadership? Where is this documented? <--- Score 10. What is the scope of the program? <--- Score 11. How does management define a large portion for purposes of determining multilocation coverage? <--- Score 12. Has the COSO Internal Control work been fairly and/or equitably divided and delegated among team members who are qualified and capable to perform the work? Has everyone contributed? <--- Score 13. Is there a completed SIPOC representation, describing the Suppliers, Inputs, Process, Outputs, and Customers? <--- Score 14. Is the team equipped with available and reliable resources? <--- Score 15. How will variation in the actual durations of each activity be dealt with to ensure that the expected COSO Internal Control results are met? <--- Score 16. How does your organization define a significant deficiency in internal control? <--- Score 17. How did coso obtain input from stakeholders in determining the scope and nature of changes to the original framework? <--- Score 18. 
If substitutes have been appointed, have they been briefed on the COSO Internal Control goals and received regular communications as to the progress to date? <--- Score 19. Have material controls been defined for the business? <--- Score 20. What are sox 404 ongoing requirements? <--- Score 21. Are there any constraints known that bear on the ability to perform COSO Internal Control work? How is the team addressing them? <--- Score 22. What should be the requirements for an entry level internal audit position? <--- Score 23. Are different versions of process maps needed to account for the different types of inputs? <--- Score 24. What is the scope of the compliance framework? <--- Score 25. What are the dynamics of the communication plan? <--- Score 26. Is the COSO Internal Control scope manageable? <--- Score 27. How often do you revise your scope? <--- Score 28. What is your organizational scope of internal audit? <--- Score 29. Are customers identified and high impact areas defined? <--- Score 30. Is the team adequately staffed with the desired cross-functionality? If not, what additional resources are available to the team? <--- Score 31. What customer feedback methods were used to solicit their input? <--- Score 32. Does the detailed design comply with the objectives of the general requirements definition? <--- Score 33. Has your organization defined its primary reason for existence? <--- Score 34. Is the audit fee commensurate with the scope of the audit? <--- Score 35. How will the COSO Internal Control team and the group measure complete success of COSO Internal Control? <--- Score 36. How was the ‘as is’ process map developed, reviewed, verified and validated? <--- Score 37. Is COSO Internal Control currently on schedule according to the plan? <--- Score 38. What are the compelling stakeholder reasons for embarking on COSO Internal Control? <--- Score 39. What would be the goal or target for a COSO Internal Control’s improvement team? <--- Score 40. 
How does your organization define short, medium and long term? <--- Score 41. Is there a COSO Internal Control management charter, including stakeholder case, problem and goal statements, scope, milestones, roles and responsibilities, communication plan? <--- Score 42. What are your automation and system integration requirements? <--- Score 43. Is there a critical path to deliver COSO Internal Control results? <--- Score 44. What do your organizations mission and vision require from an ESG perspective? <--- Score 45. Is there a completed, verified, and validated high-level ‘as is’ (not ‘should be’ or ‘could be’) stakeholder process map? <--- Score 46. Is there regularly 100% attendance at the team meetings? If not, have appointed substitutes attended to preserve cross-functionality and full representation? <--- Score 47. Is data collected and displayed to better understand customer(s) critical needs and requirements. <--- Score 48. How is internal control over financial reporting defined? <--- Score 49. Have the customer needs been translated into specific, measurable requirements? How? <--- Score 50. Are your operating, reporting and compliance objectives clearly defined? <--- Score 51. Did management restrict or limit the scope of the audit in any way? <--- Score 52. When is/was the COSO Internal Control start date? <--- Score 53. Has a project plan, Gantt chart, or similar been developed/completed? <--- Score 54. Is COSO Internal Control linked to key stakeholder goals and objectives? <--- Score 55. How do you keep key subject matter experts in the loop? <--- Score 56. Has a high-level ‘as is’ process map been completed, verified and validated? <--- Score 57. Will team members perform COSO Internal Control work when assigned and in a timely fashion? <--- Score 58. How does your organization define a material weakness in internal control? <--- Score 59. How does the COSO Internal Control manager ensure against scope creep? <--- Score 60. 
What is required if your organization already has an internal audit function? <--- Score 61. What critical content must be communicated – who, what, when, where, and how? <--- Score 62. Do the problem and goal statements meet the SMART criteria (specific, measurable, attainable, relevant, and time-bound)? <--- Score 63. What should be the scope of your internal control? <--- Score 64. What are the ESG-related regulations, requirements or obligations in your organizations markets? <--- Score 65. Is the current ‘as is’ process being followed? If not, what are the discrepancies? <--- Score 66. What are the boundaries of the scope? What is in bounds and what is not? What is the start point? What is the stop point? <--- Score 67. Has a team charter been developed and communicated? <--- Score 68. What knowledge or experience is required? <--- Score 69. Are there different segments of customers? <--- Score 70. Do internal auditors have to comply with any professional ethics requirements? <--- Score 71. Are internal auditors required to be certified? <--- Score 72. Is full participation by members in regularly held team meetings guaranteed? <--- Score 73. Has the direction changed at all during the course of COSO Internal Control? If so, when did it change and why? <--- Score 74. How is independence defined differently for internal auditors and external auditors? <--- Score 75. How does the ESG context link to value creation for the business more broadly? <--- Score 76. How is the team tracking and documenting its work? <--- Score 77. How did the COSO Internal Control manager receive input to the development of a COSO Internal Control improvement plan and the estimated completion dates/times of each activity? <--- Score 78. Are customer(s) identified and segmented according to their different needs and requirements? <--- Score 79. Are improvement team members fully trained on COSO Internal Control? <--- Score 80. 
Has everyone on the team, including the team leaders, been properly trained? <--- Score 81. Who are the COSO Internal Control improvement team members, including Management Leads and Coaches? <--- Score 82. Are team charters developed? <--- Score 83. What is the scope of an antifraud program and controls? <--- Score 84. Has anyone else (internal or external to the group) attempted to solve this problem or a similar one before? If so, what knowledge can be leveraged from these previous efforts? <--- Score 85. Does system meet the design specifications in the requirements definition? <--- Score 86. What specifically is the problem? Where does it occur? When does it occur? What is its extent? <--- Score 87. What role and scope has management and the audit committee established for its internal audit function? <--- Score 88. Are there laws or regulations, which define coherent principles, systems and functioning of internal audit? <--- Score 89. What constraints exist that might impact the team? <--- Score 90. Is the improvement team aware of the different versions of a process: what they think it is vs. what it actually is vs. what it should be vs. what it could be? <--- Score 91. Have internal audit functions been required previously? <--- Score 92. What is included in the scope for each indicator/metric? <--- Score 93. Is the team formed and are team leaders (Coaches and Management Leads) assigned? <--- Score 94. How often are the team meetings? <--- Score 95. What key stakeholder process output measure(s) does COSO Internal Control leverage and how? <--- Score 96. Are stakeholder processes mapped? <--- Score 97. When is the estimated completion date? <--- Score 98. When are meeting minutes sent out? Who is on the distribution list? <--- Score 99. Does the team have regular meetings? <--- Score 100. How can evidence be gathered to determine if controls work? <--- Score 101. 
Is a fully trained team formed, supported, and committed to work on the COSO Internal Control improvements? <--- Score 102. Will team members regularly document their COSO Internal Control work? <--- Score Add up total points for this section: _____ = Total points for this section Divided by: ______ (number of statements answered) = ______ Average score for this section Transfer your score to the COSO Internal Control Index at the beginning of the Self-Assessment. CRITERION #3: MEASURE: INTENT: Gather the correct data. Measure the current performance and evolution of the situation. In my belief, the answer to this question is clearly defined: 5 Strongly Agree 4 Agree 3 Neutral 2 Disagree 1 Strongly Disagree 1. Do you review the initial budgets and identify areas of possible cost reductions? <--- Score 2. What has been the major impact of internal control breaches on service delivery? <--- Score 3. Are the risks related, that one risk may cause another to occur? <--- Score 4. Is your organizations culture promoting employee behaviors that are consistent with priorities? <--- Score 5. Is data collected on key measures that were identified? <--- Score 6. What charts has the team used to display the components of variation in the process? <--- Score 7. What are the key reasons that cause failures of success implementation of innovation? <--- Score 8. Is your organizational chart up to date? <--- Score 9. What is the root cause of the risk? <--- Score 10. What impact would a conclusion that the internal controls are ineffective have on your organization? <--- Score 11. Are there specific performance measures for internal auditing? <--- Score 12. Does the charter outline the reporting lines of the internal audit department? <--- Score 13. Is a solid data collection plan established that includes measurement systems analysis? <--- Score 14. Is key measure data collection planned and executed, process variation displayed and communicated and performance baselined? 
<--- Score 15. What is the significance of the risk in terms of cost to the enterprise? <--- Score 16. Is there a Performance Baseline? <--- Score 17. Does the board charter capture governance of ESG-related risks? <--- Score 18. What data was collected (past, present, future/ongoing)? <--- Score 19. Has management undertaken a fraud risk analysis, including the risk of fraud in financial reporting? <--- Score 20. When was the charter last reviewed and updated? <--- Score 21. Do the benefits of 404 exceed the cost? <--- Score 22. Do you know what your priority risks are? <--- Score 23. Does the rule require a written internal audit charter? <--- Score 24. Have you found any ‘ground fruit’ or ‘low-hanging fruit’ for immediate remedies to the gap in performance? <--- Score 25. Does the lack of strong business strategies cause IT projects to fail? <--- Score 26. Is data collection planned and executed? <--- Score 27. Are high impact defects defined and identified in the stakeholder process? <--- Score 28. What key measures identified indicate the performance of the stakeholder process? <--- Score 29. How does a shared-service center impact the assessment of internal control? <--- Score 30. Does there exist a risk management charter? <--- Score 31. What is the significance of the risk, in terms of cost to your organization? <--- Score 32. How does the staff estimate consultant project costs? <--- Score 33. What is the impact of a centralized versus decentralized organization? <--- Score 34. Is long term and short term variability accounted for? <--- Score 35. Does there exist an internal control charter? <--- Score 36. What is the likelihood of occurrence and potential impact of risks? <--- Score 37. What criteria does your organization use to prioritize risks? <--- Score 38. Is metadata available to perform analysis prior to using the data? <--- Score 39. How does your organization assess materiality when prioritizing financial reporting elements? <--- Score 40. 
Are the likelihood and impact of the individual risks a part of the evaluation? <--- Score
41. Is risk a priority consideration whenever business processes are improved? <--- Score
42. Is the internal audit charter and/or mandate appropriate? <--- Score
43. Which business decisions may be impacted by the risk? <--- Score
44. How will financial reform impact your organization? <--- Score
45. What can be done to fix the root cause of a problem and improve processes? <--- Score
46. How is the business value from IT controls frameworks measured? <--- Score
47. Has the function met the terms of its written charter? <--- Score
48. What particular quality tools did the team find helpful in establishing measurements? <--- Score
49. Are key measures identified and agreed upon? <--- Score
50. Does internal audit add value, and is that value measured? <--- Score
51. How does management identify and prioritize IT risks? <--- Score
52. Was a data collection plan established? <--- Score
53. Is allocation of gross pay, including any costing analysis, correct? <--- Score
54. Are the audit committee's responsibilities defined in a charter? <--- Score
55. Who participated in the data collection for measurements? <--- Score
56. Does internal control relate to data analysis? <--- Score
57. What are the key input variables? What are the key process variables? What are the key output variables? <--- Score
58. What has the team done to assure the stability and accuracy of the measurement process? <--- Score
59. Does internal control relate to the analysis of the control environment? <--- Score
60. Is process variation displayed/communicated? <--- Score
61. Are process variation components displayed/communicated using suitable charts, graphs, plots? <--- Score
62. How large is the gap between current performance and the customer-specified (goal) performance? <--- Score
63. What may have caused the internal control breaches? <--- Score
64.
How does a risk impact your organization's ability to achieve its strategy and business objectives? <--- Score
65. What are the agreed upon definitions of the high impact areas, defect(s), unit(s), and opportunities that will figure into the process capability metrics? <--- Score
66. What is the best case cost estimate if it is necessary to incur the risk? <--- Score
67. Should management broaden the focus on compliance to managing business risk? <--- Score

Add up total points for this section: _____ = Total points for this section
Divided by: ______ (number of statements answered) = ______ Average score for this section
Transfer your score to the COSO Internal Control Index at the beginning of the Self-Assessment.

CRITERION #4: ANALYZE:

INTENT: Analyze causes, assumptions and hypotheses.

In my belief, the answer to this question is clearly defined:
5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree

1. Does risk management allow anticipating new opportunities? <--- Score
2. Does internal control relate to the development of control processes? <--- Score
3. What quality tools were used to get through the analyze phase? <--- Score
4. How are process owners engaged going forward? <--- Score
5. How will the COSO Internal Control data be analyzed? <--- Score
6. Are internal controls reviewed for potential fraud and corruption opportunities? <--- Score
7. Is your profiling process an integral part of organizational process? <--- Score
8. Are there policies, procedures and effective processes for hiring, compensating, promoting, training and terminating employees? <--- Score
9. What is the process for addressing environmental considerations? <--- Score
10. Is the performance gap determined? <--- Score
11. What are distributed database systems? <--- Score
12. Are there separate entities that include just IT operations or processes? <--- Score
13. Are losses documented, analyzed, and remedial processes developed to prevent future losses? <--- Score
14.
Does the enterprise restrict business data and applications to organization-controlled devices? <--- Score
15. Is data used in making accounting estimates reliable? <--- Score
16. Were any designed experiments used to generate additional insight into the data analysis? <--- Score
17. Are there constraints in deploying process owners/internal audit? <--- Score
18. Does the data apply to the defined scope of the risk? <--- Score
19. What are the common mistakes and pitfalls during the risk assessment process? <--- Score
20. Are gaps between current performance and the goal performance identified? <--- Score
21. What are the most promising growth opportunities ahead? <--- Score
22. Are processes in place to assure IT systems processes? <--- Score
23. Does the ERM process connect ESG to risk management? <--- Score
24. Does COSO Internal Control systematically track and analyze outcomes for accountability and quality improvement? <--- Score
25. Is there confidence in data quality? <--- Score
26. Have requirements been defined for primary business processes dependent on IT? <--- Score
27. How does the system capture data and update the master file? <--- Score
28. Does the process owner continuously anticipate, identify and react to routine events and changing circumstances and conditions that could affect the achievement of process objectives? <--- Score
29. Have you a clear understanding of critical finance and operational systems, including data storage? <--- Score
30. Is management's self-assessment process adequately managed, formalized and tested by internal audit? <--- Score
31. What are the key assumptions in the model or data? <--- Score
32. What processes should be in place with respect to periodic review and approval of access to critical and/or sensitive transactions and data? <--- Score
33. What processes should be in place with respect to establishing proper security and segregation of duties? <--- Score
34.
Are data and process analysis, root cause analysis and quantifying the gap/opportunity in place? <--- Score
35. Did any value-added analysis or ‘lean thinking’ take place to identify some of the gaps shown on the ‘as is’ process map? <--- Score
36. What are the revised rough estimates of the financial savings/opportunity for COSO Internal Control improvements? <--- Score
37. Did any additional data need to be collected? <--- Score
38. Have changes been properly/adequately analyzed for effect? <--- Score
39. What were the crucial ‘moments of truth’ on the process map? <--- Score
40. Does internal control relate to data reporting? <--- Score
41. Was a cause-and-effect diagram used to explore the different types of causes (or sources of variation)? <--- Score
42. Where does an entity-controls review end and a process-controls review begin? <--- Score
43. What should the format of the data be? <--- Score
44. How do you identify and analyze stakeholders and their interests? <--- Score
45. How efficient is it for a local medium-size organization to comply with post-filing processes? <--- Score
46. What are the ESG-related strengths, weaknesses, opportunities and threats? <--- Score
47. Does there exist an internal evaluation of the risk management process? <--- Score
48. How might your organization view the framework in the context of the Sarbanes-Oxley 404 compliance process? <--- Score
49. What is the cost of poor quality as supported by the team’s analysis? <--- Score
50. Does internal control relate to data collection? <--- Score
51. Have the types of risks that may impact COSO Internal Control been identified and analyzed? <--- Score
52. What steps in the process create value? <--- Score
53. What are the inputs to the process? <--- Score
54. What are the risks inherent in the processes chosen to implement the strategies? <--- Score
55. Do staff have the necessary skills to collect, analyze, and report data? <--- Score
56.
How is the process or activity-level assessment conducted? <--- Score
57. Is there a defined process to notify the board when risk limits have been exceeded? <--- Score
58. Is it clear why individuals are responsible for collecting data? <--- Score
59. Who should participate during the risk assessment process? <--- Score
60. Which of your controls do you consider to be relevant to your audit, by process and by function? <--- Score
61. Does an effective implementation process support the code? <--- Score
62. How was the detailed process map generated, verified, and validated? <--- Score
63. How stringent is the governance process for innovations? <--- Score
64. Does there exist an external evaluation of the risk management process? <--- Score
65. Does the auditor have an internal process to measure client satisfaction? <--- Score
66. Are approved corporate receiving systems used for the receiving process? <--- Score
67. What are the evaluation criteria of the resulting configuration of controls and processes? <--- Score
68. How will the external auditor view IT controls during the attestation process? <--- Score
69. What are the key controls at your organization and process levels? <--- Score
70. Why are input controls more important than processing and output controls? <--- Score
71. Is there a process in place to provide for regular and automatic updates of the BCP? <--- Score
72. How can data lead to better corporate governance? <--- Score
73. What are the roles and responsibilities of the application and data owners in relation to the IT organization? <--- Score
74. Were there any improvement opportunities identified from the process analysis? <--- Score
75. Which stakeholder characteristics are analyzed? <--- Score
76. How do you know the process results are reliable? <--- Score
77. What did the team gain from developing a sub-process map? <--- Score
78. What primary or secondary data is available as an input to the measurement tool? <--- Score
79.
Are upcoming labor negotiations considered in the process? <--- Score
80. Is management using control system output? <--- Score
81. Is there a process in place to identify and utilize toll credits? <--- Score
82. How do you apply your scoping regarding entities and processes? <--- Score
83. Is your data / information / knowledge reliable, relevant and timely? <--- Score
84. How and when should the audit committee be involved in management's evaluation process and in the independent public accountant's attestation process? <--- Score
85. Have the opportunities for improvement and the related steps been identified? <--- Score
86. What does the data say about the performance of the stakeholder process? <--- Score
87. What tools were used to generate the list of possible causes? <--- Score
88. What kind of work can management expect of your organization's independent public accountant during the attestation process? <--- Score
89. Is the data quality assured and consolidated? <--- Score
90. Who are the application and data owners? <--- Score
91. Has there been due process in preparing the accounts and annual report and is that process robust? <--- Score
92. Is the COSO Internal Control process severely broken such that a re-design is necessary? <--- Score
93. Are the data reasonable under the circumstances? <--- Score
94. Is the information collected and processed? <--- Score
95. Have any additional benefits been identified that will result from closing all or most of the gaps? <--- Score
96. Do you have a process for tracking control deficiencies through evaluation and remediation? <--- Score
97. Have the problem and goal statements been updated to reflect the additional knowledge gained from the analyze phase? <--- Score
98. How many internal controls have similar companies implemented for transaction processes? <--- Score
99. What were the financial benefits resulting from any ‘ground fruit or low-hanging fruit’ (quick fixes)? <--- Score
100.
Have all non-recommended alternatives been analyzed in sufficient detail? <--- Score
101. Have you identified the steps in the data collection process that may pose a risk to data quality? <--- Score
102. What steps does your innovation process follow? <--- Score
103. Are suitable processes in place to ensure accurate financial records are kept? <--- Score
104. Was a detailed process map created to amplify critical steps of the ‘as is’ stakeholder process? <--- Score
105. How is the program linked to other compliance processes and performance management systems? <--- Score
106. Where does an entity-level controls review end and a process controls review begin? <--- Score
107. Are all the data there that should be? <--- Score
108. Who or what supporting area provides the inputs to the process? <--- Score
109. What tools were used to narrow the list of possible causes? <--- Score
110. Who is the owner of the process? <--- Score
111. How often is key sustainability data collected? <--- Score
112. What are your key COSO Internal Control indicators that you will measure, analyze and track? <--- Score
113. When and how should the independent public accountant be involved during management's annual assessment process? <--- Score
114. What is the process used to set up vendor accounts? <--- Score
115. Are pertinent alerts monitored, analyzed and distributed to appropriate personnel? <--- Score
116. How are the artefacts and the design processes grounded by the knowledge base? <--- Score
117. What conclusions were drawn from the team’s data collection and analysis? How did the team reach these conclusions? <--- Score
118. Are internal audit procedures subject to effective process review by external auditors? <--- Score
119. Were Pareto charts (or similar) used to portray the ‘heavy hitters’ (or key sources of variation)? <--- Score
120. What processes are used for assessing risks? <--- Score
121.
Do you need support for all or selected policy areas, IT controls and transaction processes? <--- Score
122. Is the gap/opportunity displayed and communicated in financial terms? <--- Score
123. Can internal controls be designed independently outside the risk management process? <--- Score
124. Is system processing complete, valid, accurate, timely, and authorized? <--- Score
125. Do risk and sustainability have operationally and strategically integrated processes? <--- Score
126. Does your organization systematically track and analyze outcomes related to accountability and quality improvement? <--- Score
127. What value does the process create or what outputs are produced? <--- Score
128. Have operating processes put financial resources at undue risk? <--- Score
129. Have the concerns of stakeholders to help identify and define potential barriers been obtained and analyzed? <--- Score

Add up total points for this section: _____ = Total points for this section
Divided by: ______ (number of statements answered) = ______ Average score for this section
Transfer your score to the COSO Internal Control Index at the beginning of the Self-Assessment.

CRITERION #5: IMPROVE:

INTENT: Develop a practical solution. Innovate, establish and test the solution, and measure the results.

In my belief, the answer to this question is clearly defined:
5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree

1. Are the risk management and internal control systems appropriate for your organization's business model? <--- Score
2. What ESG-related risks are necessary and acceptable for achieving strategic ambitions? <--- Score
3. What should the role of internal audit be in evaluating your organization's use of outsourced services? <--- Score
4. What other control activities could enhance the business unit's risk management? <--- Score
5. What are the practical ways to embed a risk aware and control optimized culture in companies? <--- Score
6.
How much experience do you have in supply chain risk management? <--- Score
7. Which departments regularly receive risk management information? <--- Score
8. What are the compliance risks facing your business operations? <--- Score
9. What is the appropriate method to assess risk severity? <--- Score
10. Has your organization appropriately considered all of the risks that could materially affect its objectives? <--- Score
11. Is there a common risk management language / terminology across your organization? <--- Score
12. Who is responsible for identifying, assessing and responding to risk? <--- Score
13. What is the role of the audit committee in evaluating the role of the external auditor? <--- Score
14. Is the risk identification related to the objectives? <--- Score
15. Is the board receiving regular reports about ESG-related risks? <--- Score
16. How is the risk management framework linked to your organization's overall assurance framework? <--- Score
17. Do there exist risk management objectives? <--- Score
18. Why would the strategy for implementing the different frameworks change for the different risks? <--- Score
19. What are your critical risks to the execution of the business model and strategy? <--- Score
20. What alternative risk responses are available to manage risk? <--- Score
21. What is risk appetite and how is it different from risk thresholds, tolerances or limits? <--- Score
22. How does management evaluate your organization's internal control with respect to unconsolidated investments accounted for under the equity method? <--- Score
23. Why was the COSO Enterprise Risk Management Integrated Framework created? <--- Score
24. What about internal audit's role in providing insight on emerging risks? <--- Score
25. Is a formal risk assessment required? <--- Score
26. Are any of the self-assessed key controls addressing higher risk areas from a financial reporting standpoint? <--- Score
27.
What is the primary purpose of the risk management oversight structure? <--- Score
28. Will implementation of the COSO Enterprise Risk Management Integrated Framework prevent fraud? <--- Score
29. Does the new technology increase risks that may hinder the accomplishment of objectives? <--- Score
30. What are the more common ways in which your organization's appetite for risk can be articulated? <--- Score
31. Why should companies evaluate the need to rebalance internal audit functions? <--- Score
32. Is your organization required to design and implement responses for every quality risk that has been identified? <--- Score
33. How is the board apprised of significant risk matters? <--- Score
34. What constitutes a change in internal control over financial reporting and how is materiality considered for purposes of evaluating the effects of changes? <--- Score
35. Do any peers experience similar weaknesses or face similar risks from ESG challenges? <--- Score
36. How does your organization determine the right amount of risk for the value it is trying to create for stakeholders, and how should it communicate its risk policy to stakeholders? <--- Score
37. Does risk management, as currently implemented in your organization, identify internal risks? <--- Score
38. What are the risks inherent in your business strategies and objectives? <--- Score
39. How do current investments, operations and commitments compare to your organization's risk appetite? <--- Score
40. Which are the risks where assurance will be provided based on audit work from previous years? <--- Score
41. How is an audit of internal control over financial reporting risk-based? <--- Score
42. What steps does management take to build risk management capabilities? <--- Score
43. What is the business case for addressing the risk? <--- Score
44. Should an internal audit function consider information technology risks? <--- Score
45.
What should the certifying officers do when evaluating disclosure controls and procedures on a quarterly basis? <--- Score
46. Are risk owners clearly identified? <--- Score
47. What is the COSO Enterprise Risk Management Integrated Framework? <--- Score
48. Has the board appropriately challenged the evaluation? <--- Score
49. What is the role of the CFO and others in the financial management organization in enterprise risk management? <--- Score
50. How do your performance management and incentive systems link up to your risk management practices? <--- Score
51. Is there only one introduction that could guarantee real implementation of risk management? <--- Score
52. How does your organization identify, quantify and manage risks, given its appetite for risk? <--- Score
53. Have control requirements been established for IT information and related IT risks? <--- Score
54. Are evaluation activities appropriately organized and resourced to meet purposes? <--- Score
55. Do you take a risk-based approach to compliance? <--- Score
56. Do you have to hire more IT resources to mitigate risks related to segregation of duties issues? <--- Score
57. What is the appropriate level of depth when assessing risk? <--- Score
58. Do you gather and evaluate enough information to support your control conclusions? <--- Score
59. What are the common pitfalls that should be avoided in the management of risks? <--- Score
60. What is the relationship between risk assessment and risk management? <--- Score
61. Do your organization's mission, vision and core values address ESG-related risks? <--- Score
62. What information is at risk by storage on a public cloud? <--- Score
63. Is the function assisting your organization in identifying and addressing the most significant risks? <--- Score
64. How do you evaluate the organization's systems and routines? <--- Score
65. What limitations of existing enterprise risk management models prompted creation of a new framework? <--- Score
66.
How will the risk response make it easier or more difficult to meet organization objectives? <--- Score
67. What ESG-related risks should your organization avoid? <--- Score
68. Is risk management applied to all organizational objectives? <--- Score
69. How is accountability for managing risk determined? <--- Score
70. Are risk management activities / responsibilities included in job descriptions? <--- Score
71. Has a financial risk assessment been undertaken? <--- Score
72. Does management take undue business risks to achieve objectives? <--- Score
73. Are security and segregation of duty risks mitigated by system access controls? <--- Score
74. How is your risk strategy linked to your business strategy? <--- Score
75. How is internal audit able to assess and provide assurance on risks to strategic objectives? <--- Score
76. Has your organization defined its risk appetite including consideration of ESG-related risks? <--- Score
77. How long does it take senior and IT management to make major IT decisions? <--- Score
78. Should an internal audit function coordinate its efforts with your organization's chief risk officer? <--- Score
79. Does your organization conduct additional evaluation procedures implemented solely to meet regulatory or other requirements? <--- Score
80. Does there exist a risk inventory? <--- Score
81. Do there exist clear norms with respect to the different aspects of risk management? <--- Score
82. What is the probability of the risk occurring? <--- Score
83. Does risk management, as currently implemented in your organization, provide a risk hierarchy? <--- Score
84. Is the risk assessment adequate? <--- Score
85. Why should your organization assess risk? <--- Score
86. What are competitors and peers doing to identify, manage and disclose ESG-related risks? <--- Score
87. What alternative responses are available to manage risk? <--- Score
88. How well aligned is the overall distribution of risks you are undertaking with your risk appetite? <--- Score
89. What are the unique computing risks and challenges that the business is likely to encounter? <--- Score
90. How do you evaluate the effectiveness of internal control? <--- Score
91. How can effective and efficient risk based auditing reviews be ensured? <--- Score
92. How does management consider your organization-level issues around IT risks and controls? <--- Score
93. What is a portfolio view of risks and how is it practically applied? <--- Score
94. Are control activities specifically designed to mitigate the identified risks? <--- Score
95. What is the contribution of ESG-related risks to the overall organization exposure? <--- Score
96. Is it the accumulation of too much risk? <--- Score
97. What is the relationship between risk assessment and performance assessment? <--- Score
98. Are IT auditors available to consider risks and related controls associated with operating systems? <--- Score
99. Does your organization assess the risks associated with significant changes? <--- Score
100. Who decides the capabilities needed to manage a given risk? <--- Score
101. What is the risk of incorrectly reporting an indicator? <--- Score
102. Does there exist a common risk management approach applicable to the whole organization? <--- Score
103. How do you identify risks in your organization? <--- Score
104. Is there an overall approach to IT risk and control consideration that should be followed? <--- Score
105. What levels of ESG-related risks are acceptable? <--- Score
106. What is a relevant, reliable, and representative indication of the risk needing measurement? <--- Score
107. What level of effort does the risk assessment seem to indicate? <--- Score
108. Is your risk management policy clearly articulated and communicated to your organization? <--- Score
109. What is an effective way for your organization to conduct a risk assessment? <--- Score
110. What factors does your organization consider in assessing the quality risks? <--- Score
111.
Does a comprehensive risk profile exist for your organization? <--- Score
112. How might the framework assist organizations in structuring entities to best manage exposure to risk? <--- Score
113. Does management use indicators and thresholds to review the effectiveness of responses for ESG-related risks? <--- Score
114. Do you have a risk policy and is it publicly available on your website? <--- Score
115. What is the board's role in risk oversight? <--- Score
116. How can ERM help risk management and sustainability practitioners navigate ESG-related risks? <--- Score
117. Is appropriate ownership of risk in place? <--- Score
118. Did personnel get training on risk management? <--- Score
119. Have risk management considerations been incorporated into performance goals? <--- Score
120. Is the risk common across the overall enterprise or unique to one business group? <--- Score
121. Has your organization formally designated an individual to serve as chief risk officer or equivalent? <--- Score
122. What steps does management take to enhance risk management capabilities? <--- Score
123. Have financing-related risks been appropriately identified and disclosed? <--- Score
124. Does management have clear strategies for dealing with the significant risks identified? <--- Score
125. Will the objectives be met based on the control activities in place over risks? <--- Score
126. How is your organizational risk management culture generated, and is it appropriate? <--- Score
127. Is risk being managed as you intended? <--- Score
128. How should the audit committee evaluate the effectiveness of internal audit? <--- Score
129. How long did it take you to go through each risk, from start to finish? <--- Score
130. What needs to be known to better manage risks? <--- Score
131. What are the risks to brand and reputation inherent in the way your organization executes its strategies? <--- Score
132. Does the antifraud program consider the identified fraud risks? <--- Score

Add up total points for this section: _____ = Total points for this section
Divided by: ______ (number of statements answered) = ______ Average score for this section
Transfer your score to the COSO Internal Control Index at the beginning of the Self-Assessment.

CRITERION #6: CONTROL:

INTENT: Implement the practical solution. Maintain the performance and correct possible complications.

In my belief, the answer to this question is clearly defined:
5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree

1. Does your organization act on recommendations from internal audit and monitor the changes made? <--- Score
2. How does internal control regulation affect financial reporting? <--- Score
3. Which services are regularly affected by internal control breaches? <--- Score
4. What are the application-level control considerations? <--- Score
5. Does there exist a common internal control approach applicable to the whole organization? <--- Score
6. Is there a standard definition for internal controls? <--- Score
7. Does the appropriate control exist? <--- Score
8. Why do you have internal control? <--- Score
9. How should management address deficiencies and gaps in IT controls? <--- Score
10. Does your organization have a process to monitor estimated costs? <--- Score
11. Which component is the foundation of all other components in the internal control structure? <--- Score
12. Do all purchase orders comply with authorized payment and delivery expectation standard terms? <--- Score
13. How do you spread knowledge about internal control in your organization? <--- Score
14. Does the internal audit scrutinize the internal control system? <--- Score
15. Are there procedures for employees and management to report internal control weaknesses? <--- Score
16. Do the judgements reflect your organization's strategies? <--- Score
17. Is regular reporting and monitoring in place in the public organization on its exposure to fraud? <--- Score
18.
What is a material weakness in internal control over financial reporting? <--- Score
19. Do there exist clear norms with respect to the different aspects of internal control? <--- Score
20. Who monitors compliance with internal control policies and procedures? <--- Score
21. Are entity-level controls the same thing as entity-wide controls? <--- Score
22. How does your organization incorporate risk assessment into its internal control plan? <--- Score
23. Are your organization's internal controls fit for purpose? <--- Score
24. What standards are available in theory for internal control? <--- Score
25. Which processes are monitored and reported? <--- Score
26. How does internal control relate to information security? <--- Score
27. What external regulations apply to the soft controls within your organization? <--- Score
28. Who should be responsible for internal control? <--- Score
29. Are internal controls consistently applied? <--- Score
30. What are some application control considerations for the order-to-cash cycle? <--- Score
31. Is project specific data used to develop the plan? <--- Score
32. How can application of the Framework contribute to efficiency in the design, implementation, and conduct of internal control? <--- Score
33. Can the external auditor use the work of the internal audit function and others for purposes of performing an audit of internal control over financial reporting? <--- Score
34. Will controls achieve desired objectives? <--- Score
35. What is management's responsibility for changes in internal controls that could affect the adequacy of internal controls after the date of management's assessment? <--- Score
36. Has your organization formally defined and standardized a process for identifying risk? <--- Score
37. How do you rate the occurrence of internal control breaches in your organization? <--- Score
38. Is the model for monitoring presented in paragraph 19 a complete and accurate outline of the monitoring process? <--- Score
39.
What are the types of internal controls? <--- Score
40. How should an internal control plan be prepared? <--- Score
41. Which ESG-related risks should be reflected in the strategy? <--- Score
42. How do you report on internal control? <--- Score
43. How would management know if your organization-level controls provide a strong control environment? <--- Score
44. Does the audit committee approve internal audit's annual audit plan? <--- Score
45. Does the system of internal control provide indicators of things going wrong? <--- Score
46. How are pervasive IT controls considered? <--- Score
47. Does your organization have controls over access to IT systems? <--- Score
48. Should any additional specific control be included? <--- Score
49. How is service delivery affected by the internal control systems? <--- Score
50. What internal control design assistance can the independent public accountant provide without impairing independence? <--- Score
51. Are agreed procedures in place for monitoring progress with the implementation of recommendations? <--- Score
52. What are some application control considerations for the procure-to-pay cycle? <--- Score
53. Are everyone's control-related responsibilities clearly articulated and carried out? <--- Score
54. Are the objectives and principles of internal control communicated throughout your organization? <--- Score
55. Why should departments be concerned about internal control? <--- Score
56. What is the concept of internal control? <--- Score
57. What standards and guidance does the internal audit function follow? <--- Score
58. What are the demographics of companies reporting control deficiencies? <--- Score
59. How does monitoring benefit the governance process? <--- Score
60. How do others monitor operational effectiveness of internal controls in practice? <--- Score
61. How do you relate your internal control system to service delivery? <--- Score
62.
What other factors are used to adjust the primary basis to determine the estimated prices for the project? <--- Score
63. How does your organization incorporate communications into its internal control plan? <--- Score
64. How does your organization incorporate control activities into its internal control plan? <--- Score
65. How long does it take to complete Internal Control? <--- Score
66. What is continuous monitoring and how does it strengthen the internal audit process? <--- Score
67. Is an internal audit function used as part of your organization's monitoring program? <--- Score
68. Is internal control related to the objectives? <--- Score
69. Are the internal control arrangements subject to review? <--- Score
70. Do you have a good mixture of manual and systematic controls? <--- Score
71. Why should you complete Internal Control? <--- Score
72. How do you get assurance over the effectiveness of your IT controls? <--- Score
73. Does the charter outline the standards under which internal audit will operate? <--- Score
74. What is the purpose of reporting and monitoring the data? <--- Score
75. What difference does it make if management has weak entity-level controls? <--- Score
76. Should disclosure of conditions on internal control be necessary? <--- Score
77. Is your system of internal control sufficiently robust and tailored to the size and nature of your organization? <--- Score
78. Are soft controls better than hard controls? <--- Score
79. What should boards be assessing the effectiveness of controls against? <--- Score
80. Who has responsibility for internal control? <--- Score
81. Do you monitor and require approvals for all capital expenditures? <--- Score
82. How do the components of internal control interact and affect each other? <--- Score
83. When planning the project, what key scoping decisions should be evaluated, and what criteria should management consider when making decisions? <--- Score
84. What are the key concepts of Internal Control?
<--- Score
85. Does the monitoring system include attributes? <--- Score
86. How are management's reporting, control and compliance responsibilities integrated? <--- Score
87. Are you adopting a controls reliance or a substantive approach in your audit? <--- Score
88. What are registrant-level controls? <--- Score
89. Which specific controls and procedures are expected to be in place? <--- Score
90. What level of assurance must management attain when reaching a conclusion on the design and operating effectiveness of internal controls? <--- Score
91. What control activities are performed in your organization? <--- Score
92. Are there any unrecorded adjustments resulting from the audit? <--- Score
93. Are continual process improvements jointly developed and monitored? <--- Score
94. What exactly are project controls? <--- Score
95. Are there systems in place for measuring and monitoring risks? <--- Score
96. What types of controls are general IT controls? <--- Score
97. Is the data collected in accordance with a time-tested or industry standard? <--- Score
98. Is your organization monitoring controls at a cost, effort or organizational level that is inconsistent with the amount of risk the controls mitigate? <--- Score
99. Is the increase in control matched by a corresponding increase in quality? <--- Score
100. Which internal control model is used? <--- Score
101. How does your organization incorporate its control environment into its internal control plan? <--- Score
102. How do your entity-level controls map to each of the principles? <--- Score
103. How do audits fit into the internal control structure? <--- Score
104. Is internal auditing responsive to risk assessment and monitoring internal control? <--- Score
105. How integrated are your IT controls into your overarching internal control framework? <--- Score
106. Are your controls keeping pace with your business? <--- Score
107. Do internal control objectives exist? <--- Score
108.
How does management know how effective internal control is? <--- Score
109. How are entity-level controls validated? <--- Score
110. What were the major issues for your organization during the year and are they reflected in the reports? <--- Score
111. Does your organization have an adequate system of internal controls? <--- Score
112. How does your organization decrease its reliance on spreadsheets? <--- Score
113. How does your organization incorporate monitoring into its internal control plan? <--- Score
114. How do the internal controls at your organization affect your financial audit? <--- Score
115. What difference does it make if management has strong entity-level IT-related controls? <--- Score
116. Does internal control relate to the existing information system? <--- Score
117. Has it kept pace with your organization's activities and information and control systems? <--- Score
118. Are the controls performed correctly? <--- Score
119. Who should be involved in Internal Controls? <--- Score
120. Are controls operating as intended? <--- Score
121. Is the risk register an appropriate reflection of the risks facing your organization? <--- Score
122. How frequently should monitoring activities be undertaken? <--- Score
123. What is a continuous assurance auditing and monitoring system? <--- Score
124. What is the Internal Controls Integrated Framework? <--- Score
125. Has proper consideration been given to application controls and security? <--- Score
126. Has your organization responded to technological advancement in internal controls? <--- Score
127. Is your organization utilizing COSO's Internal Control Integrated Framework? <--- Score
128. Are there any prerequisites for enrolling in Internal Control? <--- Score
129. Is internal control applied within all activities and departments? <--- Score
130. Are there established standards to control the use of the technique? <--- Score
131. Does a permanent risk monitoring system exist?
<--- Score

Add up total points for this section:
_____ = Total points for this section
Divided by: ______ (number of statements answered) =
______ Average score for this section

Transfer your score to the COSO Internal Control Index at the beginning of the Self-Assessment.

CRITERION #7: SUSTAIN:

INTENT: Retain the benefits.

In my belief, the answer to this question is clearly defined:

5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree

1. What are operators struggling with to meet consumer and business demand? <--- Score
2. Who are the key stakeholders for the COSO Internal Control evaluation? <--- Score
3. Has management articulated the critical policies and estimates? <--- Score
4. Does a special department exist? <--- Score
5. What are the expected COSO Internal Control results? <--- Score
6. Does your organization have an audit committee? <--- Score
7. Who should make the COSO Internal Control decisions? <--- Score
8. What is the appropriate level of rigor to apply to an assessment? <--- Score
9. Do you have access to current enterprise policies and procedures? <--- Score
10. Does the market value financial expertise on audit committees of boards of directors? <--- Score
11. Who owns what data? <--- Score
12. Whom do you really need or want to serve? <--- Score
13. Where are ESG challenges creating broad threats to future business value? <--- Score
14. What is a worst-case scenario for losses? <--- Score
15. Does management have the right priorities among projects? <--- Score
16. How are duties segregated in your organization? <--- Score
17. What is the external auditor's deadline going to be? <--- Score
18. Who are the COSO Internal Control decision-makers? <--- Score
19. Do you have an adequately resourced internal audit function? <--- Score
20. Does internal audit have appropriate authority to undertake its responsibilities? <--- Score
21. Have you determined who is responsible for the metrics? <--- Score
22.
How are you delivering value to your organization? <--- Score
23. How many locations and units must management perform testing on to achieve appropriate coverage? <--- Score
24. Are fully independent audit committees really necessary? <--- Score
25. How pervasive is business fraud? <--- Score
26. Are board members knowledgeable about the content and operation of the compliance and ethics program? <--- Score
27. Is there an established change management process? <--- Score
28. Are the persons responsible for any misconduct still with your organization? <--- Score
29. How is the activity-level assessment conducted? <--- Score
30. What risks do you need to manage? <--- Score
31. How will the data be checked for quality? <--- Score
32. Does your organization encourage regular staff meetings? <--- Score
33. Does the chief audit executive provide vision and leadership for the activities of auditing? <--- Score
34. How can risk management be tied procedurally to process elements? <--- Score
35. Where and how is IT managed at a high level within your organization? <--- Score
36. Can management rely on the statutory audit work performed by the external auditor for significant subsidiaries or joint ventures? <--- Score
37. Do the various units of your organization do it? <--- Score
38. Who needs budgets? <--- Score
39. How often is the program reviewed? <--- Score
40. Do the viable solutions scale to future needs? <--- Score
41. How were the experts' works received by professional peers? <--- Score
42. What is the ratio of performance auditing to financial auditing? <--- Score
43. What gets examined? <--- Score
44. What are the overall responsibilities assumed by the officer or committee? <--- Score
45. What is your plan to assess your security risks? <--- Score
46. What is COSO Internal Control risk? <--- Score
47. How is your organization-level assessment conducted? <--- Score
48. What are the key trends in wireless? <--- Score
49.
How are the internal audit units structured? <--- Score
50. Is the audit committee content that it has the appropriate skills mix? <--- Score
51. Have any earlier audit recommendations been incorporated into the detailed design? <--- Score
52. What COSO Internal Control coordination do you need? <--- Score
53. Does internal audit have appropriate resources, including skills, to deliver its objectives? <--- Score
54. Are members of the internal audit function technically competent and proficient? <--- Score
55. Is the COSO Internal Control solution sustainable? <--- Score
56. Does the internal audit staff have proper training and experience? <--- Score
57. Are all aspects of your organization included? <--- Score
58. Has the relevant information been derived from the full, audited financial statements? <--- Score
59. Is the COSO Internal Control risk managed? <--- Score
60. Can employees in your organization participate in internal audits? <--- Score
61. Would you develop a COSO Internal Control Communication Strategy? <--- Score
62. Is internal audit responsive to changes in the business? <--- Score
63. How should an internal audit function be staffed? <--- Score
64. Does the rule apply to companies with public debt? <--- Score
65. How do you build the right business case? <--- Score
66. Is the effectiveness of the compliance framework assessed? <--- Score
67. Are audit committee members independent of your organization and of management? <--- Score
68. How does the audit trail differ in an automated accounting system compared to a manual one? <--- Score
69. Do the policies encompass the whole group or are there local policies for each unit? <--- Score
70. Have you considered the significance of individual metrics to your business model? <--- Score
71. How has management satisfied itself regarding the value of assets and impairments? <--- Score
72. Have you ever participated in any enterprise-sponsored ethics training? <--- Score
73.
Does your department communicate effectively, internally and externally? <--- Score
74. Is a satisfactory record maintained of overtime worked within your organization? <--- Score
75. What resources or support might you need? <--- Score
76. Who pays the cost? <--- Score
77. Are the most efficient solutions problem-specific? <--- Score
78. What are the performance and scale of the COSO Internal Control tools? <--- Score
79. What are the COSO Internal Control security risks? <--- Score
80. How does your organization evaluate strategic COSO Internal Control success? <--- Score
81. What are the deliverables when the COSO ERM framework is implemented? <--- Score
82. How does the business make its money? <--- Score
83. Are you familiar with the code of business conduct? <--- Score
84. How do your organization's policies compare with industry norms? <--- Score
85. Are there specific things your organization should accomplish the first year? <--- Score
86. Are the key business and technology risks being managed? <--- Score
87. Who should resolve the COSO Internal Control issues? <--- Score
88. Where is the cost? <--- Score
89. What training program does the internal audit department have? <--- Score
90. What assurance is there about the quality of Internal Audit work? <--- Score
91. What are hidden COSO Internal Control quality costs? <--- Score
92. Is risk periodically assessed? <--- Score
93. Does management carry out your organization's mission, vision, core values and strategy? <--- Score
94. Are all critical materials subject to inspection? <--- Score
95. How are COSO Internal Control risks managed? <--- Score
96. How much capital does your organization have? <--- Score
97. Will you achieve your business objectives? <--- Score
98. Is the misconduct symptomatic of the way your organization does business? <--- Score
99. Does your organization have procedures in place to take advantage of vendor discounts? <--- Score
100.
Do the audit team members give confidence that you will receive a quality audit? <--- Score
101. How can management utilize internal audit most effectively? <--- Score
102. Which is a substantive audit test? <--- Score
103. What is an audit committee's role with respect to an internal audit function? <--- Score
104. Has management resisted significant areas of disclosure? <--- Score
105. What processes related to COSO Internal Control does your organization outsource? <--- Score
106. What relationship will internal audit have with other assurance providers? <--- Score
107. What are the COSO Internal Control resources needed? <--- Score
108. What should internal audit report to the audit committee? <--- Score
109. Is the internal audit function adding value? <--- Score
110. Does your organization use its independent public accountant's software and/or methodology to support management's assessment? <--- Score
111. How does self-assessment work going forward? <--- Score
112. What are the COSO Internal Control investment costs? <--- Score
113. Does the assessment appear honest and complete? <--- Score
114. Are there industry groups for internal auditors? <--- Score
115. Is management comfortable that the accounting policies are appropriate under the circumstances? <--- Score
116. Has your organization stabilized the work program to ensure the timely and systematic completion of projects? <--- Score
117. Are the risks fully understood, reasonable and manageable? <--- Score
118. What is your organization's view with respect to preserving the appearance of objectivity? <--- Score
119. How many people should be on the board? <--- Score
120. Who else is engaged with and knowledgeable about the business? <--- Score
121. Are audit findings reviewed, as appropriate, with management before release of final audit reports? <--- Score
122. Has the audit committee met with the auditor on a regular basis without management present? <--- Score
123.
How does it differentiate itself in the marketplace? <--- Score
124. Is your organization in line with peers? <--- Score
125. Why is this needed? <--- Score
126. Should a privately held organization implement provisions of Sarbanes-Oxley? <--- Score
127. Is management's approval necessary in order to open your organization account? <--- Score
128. What is a system of checks-and-balances? <--- Score
129. Is your non-financial performance revealing the true value of your business to investors? <--- Score
130. Is there adequate skilled manpower to execute activities in time? <--- Score
131. Does senior management actively support the anti-fraud program efforts? <--- Score
132. What additional tools are available to support the assessment? <--- Score
133. What is the timeline your organization will follow? <--- Score
134. Are procedures in place to handle cash forecasts? <--- Score
135. Are organization accounts and persons who sign checks authorized by the governing body? <--- Score
136. Is the supplier's quality level adequate? <--- Score
137. What were the criteria for evaluating a COSO Internal Control pilot? <--- Score
138. Can you integrate quality management and risk management? <--- Score
139. Is there a strict change management process? <--- Score
140. Has your internal audit function undergone a quality assessment or peer review recently? <--- Score
141. What steps does management take to set the foundation? <--- Score
142. How will the change process be managed? <--- Score
143. Which organizations are audited by internal audit? <--- Score
144. What significant changes took place during the year in the markets in which your organization operates? <--- Score
145. Why do you have IT in organizations? <--- Score
146. When should a process be art not science? <--- Score
147. Is there any other COSO Internal Control solution? <--- Score
148. Do you need to do a usability evaluation? <--- Score
149. Are there previous tests available for review? <--- Score
150.
Does the public organization's management delegate authority? <--- Score
151. How easy is it to update the included frameworks in the DSS? <--- Score
152. How is the audit committee organized? <--- Score
153. What creative shifts do you need to take? <--- Score
154. Is your organization also preparing concise reports? <--- Score
155. What are the societal expectations with respect to your organization's behaviour? <--- Score
156. Do you have a mandate to audit the final beneficiary? <--- Score
157. Do you have an issue in getting priority? <--- Score
158. How does your organization ensure that the information is reliable? <--- Score
159. Do internal audit staff have sufficient technical knowledge to perform duties? <--- Score
160. How does your function compare to that of other companies in your industry? <--- Score
161. What is the legal authority of the audit committee? <--- Score
162. Is there a formal training program in place for your organization? <--- Score
163. Does the supreme audit organization perform financial audits, compliance audits and performance audits? <--- Score
164. Do program objectives flow from and link to your organization-wide goals and objectives? <--- Score
165. What role and responsibility do internal auditors have for fraud? <--- Score
166. Are you missing COSO Internal Control opportunities? <--- Score
167. Do all material receipts go through regular receiving operations? <--- Score
168. Are the integrated frameworks effective and efficient in achieving the anticipated goals? <--- Score
169. What are the requirements for audit information? <--- Score
170. How will corresponding data be collected? <--- Score
171. How efficient is the DSS in terms of the utilised time/resource and the obtained outcomes? <--- Score
172. How can a good working environment be re-established? <--- Score
173. Is there any way to speed up the process? <--- Score
174. Why do employees lie, cheat, and steal on the job? <--- Score
175.
Are the matters raised key areas for your organization? <--- Score
176. Why do IT projects often fail to serve organizational goals? <--- Score
177. What COSO Internal Control events should you attend? <--- Score
178. What are your organization's mission, vision, core values, strategy and business objectives? <--- Score
179. Is valuation at the request of and for owners? <--- Score
180. What can be found in your organization's by-laws? <--- Score
181. Is the work to date meeting requirements? <--- Score
182. Is the approved corporate purchasing system used for all material purchases? <--- Score
183. How, when and by whom will the system be backed up? <--- Score
184. Who audits the accounts and/or performance of the external auditor? <--- Score
185. Does your organization periodically provide statements of account balances to customers? <--- Score
186. What is the value chain of your organization? <--- Score
187. What industry does your organization belong to? <--- Score
188. Does the rule affect other stock exchanges and private companies? <--- Score
189. How do you start an internal audit function? <--- Score
190. What is the total gained value, from the organization's perspective? <--- Score
191. What COSO Internal Control data will be collected? <--- Score
192. Does the enterprise have an audit committee? <--- Score
193. Does the contribution of internal auditors have a positive and pervasive value? <--- Score
194. Are departmental operating procedures current and adequate? <--- Score
195. Is the internal audit department efficient and effective in performing its responsibilities? <--- Score
196. Do your organization's policies provide adequate provisions for employee training? <--- Score
197. What does the business unit want to accomplish? <--- Score
198. What are the client's issues and concerns? <--- Score
199. Is it needed? <--- Score
200. Who manages supplier risk management in your organization? <--- Score
201.
Do you have the optimal project management team structure? <--- Score
202. What is the role of the board and the CEO? <--- Score
203. What is the level of expenditure and effort of similarly sized companies in your industry? <--- Score
204. Where does that entry-level hire go from here? <--- Score
205. What should the audit committee look for in the criteria? <--- Score
206. What are the advantages of the emerging payment system? <--- Score
207. Are your information systems reliable and free from external attacks? <--- Score
208. Do you apply it in your organization? <--- Score
209. What was wrong and which are the objectives of the new system? <--- Score
210. Has your organization capitalised any expenses? <--- Score
211. What are the affordable COSO Internal Control risks? <--- Score
212. What is the root cause(s) of the problem? <--- Score
213. Are established procedures being complied with? <--- Score
214. How are training requirements identified? <--- Score
215. Who will facilitate the team and process? <--- Score
216. What are the roles and responsibilities of business unit and divisional management? <--- Score
217. What should you look for in an internal audit report? <--- Score
218. Does the audit committee or the board have its own legal and financial consultants and advisors? <--- Score
219. How can audit committee members add value? <--- Score
220. What should boards be doing now? <--- Score
221. What are the characteristics of a balanced board? <--- Score
222. Who is reviewing internal audit? <--- Score
223. What are predictive COSO Internal Control analytics? <--- Score
224. Is your ERM working as intended? <--- Score
225. What are the procedures for making profit and cash flow projections? <--- Score
226. Does your organization have a comprehensive policy on password protection? <--- Score
227. Has internal audit ever undergone an external assessment? <--- Score
228. What do employees need in the short term? <--- Score
229.
What are your most complex activities? <--- Score
230. Does a code of professional ethics for internal auditors exist in your country? <--- Score
231. Does the system of quality management cover all engagements performed by your organization? <--- Score
232. Do you feel the published rules and procedures are trivial or out of date? <--- Score
233. How does the framework help your organization? <--- Score
234. What mechanisms are in place to ensure the assurances are reliable? <--- Score
235. What level of error are you willing to accept in the population? <--- Score
236. What level of effectiveness would management normally expect in any significant business activity? <--- Score
237. Does the tone from your organization's leaders convey expectations on ESG? <--- Score
238. What will you do to enhance your leverage? <--- Score
239. Do vendor agreements bring new compliance risk? <--- Score
240. What are the objectives of your audit? <--- Score
241. How is internal audit work actually performed? <--- Score
242. Are risk management tasks balanced centrally and locally? <--- Score
243. What are your business objectives and strategies? <--- Score
244. Should you have a conversation about the application of COSO or a similar framework? <--- Score
245. What are the implications of falling equity values on your organization's position? <--- Score
246. Is the management commentary consistent with the financial statements? <--- Score
247. What is your function within your organization? <--- Score
248. Is the audit committee content that it is avoiding any conflict of interest? <--- Score
249. How well is your organization designed to adapt to change? <--- Score
250. What is the mix of resources in internal audit? <--- Score
251. What is internal audit's role with respect to SOA compliance? <--- Score
252. Has management considered other options? <--- Score
253. What are the incentives in your organization? <--- Score
254. Are activities efficient and effective? <--- Score
255.
Do the assurances draw out material weaknesses or losses, which should be addressed? <--- Score
256. What are the costs? <--- Score
257. What are the strategic priorities for this year? <--- Score
258. Are you responding as an individual or organization? <--- Score
259. Are accounting policies appropriate and compliant with the reporting framework? <--- Score
260. How does the enterprise manage the performance of IT? <--- Score
261. Is it merely an advising committee? <--- Score
262. How does segregation of duties differ in an automated accounting system compared to a manual one? <--- Score
263. Are all requirements met? <--- Score
264. What is your organization's view with respect to preserving objectivity? <--- Score
265. How has the framework been enhanced? <--- Score
266. Which laws and regulations does your organization comply with? <--- Score
267. What COSO Internal Control data should be managed? <--- Score
268. Where do you need to exercise leadership? <--- Score
269. Do you understand your management processes today? <--- Score
270. What alternative accounting policies have been applied by peer-group companies? <--- Score
271. What types of IT audit skills should be included in an internal audit department? <--- Score
272. How does your organization innovate? <--- Score
273. Are policies and procedures in place to avoid understatement of expenditures? <--- Score
274. Are organization accounts reconciled monthly? <--- Score
275. What information is retained/captured and in what way? <--- Score
276. Is sufficient detail included in the audit reports? <--- Score
277. What roles does internal audit play in ERM implementation? <--- Score
278. How do you deal with COSO Internal Control risk? <--- Score
279. What types of operator procedures or instructions are used? <--- Score
280. Did you miss any major COSO Internal Control issues? <--- Score
281. What types of data do your COSO Internal Control indicators require? <--- Score
282.
Are the companies chosen for comparison in the same market/field/area/country? <--- Score
283. What does internal audit expect to get out of the session? <--- Score
284. Do you have organizational privacy requirements? <--- Score
285. What personal qualities, knowledge and skills should internal auditors possess? <--- Score
286. Which issues are too important to ignore? <--- Score
287. Will business be separated into separate units? <--- Score
288. Is the quality assurance team identified? <--- Score
289. How can you better manage risk? <--- Score
290. Is the audit committee content that it has sufficient time to give proper consideration to its business? <--- Score
291. What are the COSO Internal Control design outputs? <--- Score
292. Can the supreme audit organization contract out to other entities? <--- Score
293. How many people should be on a board? <--- Score
294. Which is the least desirable option for completing future audit engagements? <--- Score
295. What is the COSO Internal Control business impact? <--- Score
296. What should the role of internal audit be in connection with your organization's compliance efforts? <--- Score
297. Is the code consistent with other corporate functional and business unit policies and procedures? <--- Score
298. What is the role of the audit committee? <--- Score
299. How are sampling methodologies applied? <--- Score
300. What is the external auditor's deadline going to be next year? <--- Score
301. What needs to stay? <--- Score
302. Is COSO Internal Control documentation maintained? <--- Score
303. What are the main skills of internal auditors? <--- Score
304. What are unexpected ways your organization can apply its strengths to ESG challenges? <--- Score
305. What are the main skills of the employees? <--- Score
306. Why does it contribute to the business objective? <--- Score
307. How did management select and apply critical accounting policies, judgements and estimates? <--- Score
308.
What systems/processes must you excel at? <--- Score
309. Which audit roles are played by the internal auditor? <--- Score
310. What are the concrete COSO Internal Control results? <--- Score
311. Does your organization have written mission, philosophy or code of conduct statements? <--- Score
312. Does management take appropriate remedial action in response to departures from approved policies and procedures? <--- Score
313. How long to keep data and how to manage retention costs? <--- Score
314. How will the COSO Internal Control data be captured? <--- Score
315. What information do you rely on to achieve your objectives? <--- Score
316. Have any of your requests for information been denied? <--- Score
317. Which needs are not included or involved? <--- Score
318. Who is involved in the management review process? <--- Score
319. What is the purpose of the information system operations review? <--- Score
320. Should internal auditors play a role in your Sarbanes-Oxley activities? <--- Score
321. Which COSO Internal Control data should be retained? <--- Score
322. What actions does your organization take to establish a culture that promotes a commitment to quality? <--- Score
323. What experience does the auditor have in your industry? <--- Score
324. Which subsidiaries will you audit? <--- Score
325. What are the processes for audit reporting and management? <--- Score
326. Why the need? <--- Score
327. How is the artefact introduced into the application environment and how is it field tested? <--- Score
328. Who are the COSO Internal Control decision makers? <--- Score
329. Where is training needed? <--- Score
330. What are the key components of the new framework? <--- Score
331. Are accounting policies disclosed for all significant items or transactions? <--- Score
332. What assumptions are made about the solution and approach? <--- Score
333. How should management communicate the project effort to your organization? <--- Score
334.
What is the nature of the work environment? <--- Score
335. Is internal audit invited to become involved in all major projects that your organization sets up? <--- Score
336. Is the internal audit department objective? <--- Score
337. Does the BCP include key vendor and emergency supply contacts? <--- Score
338. Are events managed to resolution? <--- Score
339. What is the mandate of the audit committee? <--- Score
340. Where do the COSO Internal Control decisions reside? <--- Score
341. What types of internal audit consulting should be considered? <--- Score
342. Does the supreme audit organization have a jurisdictional status? <--- Score
343. What are the roles and responsibilities of support unit management? <--- Score
344. Why are systems increasingly popular? <--- Score
345. Can existing employees become internal auditors? <--- Score
346. Is there an appropriate anti-fraud policy in place and are losses suitably recorded? <--- Score
347. How many ICFR employees are involved? <--- Score
348. Should another high-level official, such as your organization's chief financial officer, also sign the report? <--- Score
349. Have you determined who is responsible for reporting to the group level? <--- Score
350. Does a formal compliance policy and framework exist? <--- Score
351. What COSO Internal Control capabilities do you need? <--- Score
352. Are COSO Internal Control vulnerabilities categorized and prioritized? <--- Score
353. How are resources allocated to internal audit units? <--- Score
354. Which most seriously compromises the independence of the internal audit activity? <--- Score
355. What is the ratio of performance audit to financial audit? <--- Score
356. What users will be impacted? <--- Score
357. How do you manage COSO Internal Control risk? <--- Score
358. Who are your organization's principal advisers? <--- Score
359. Are the responses consistent with the audit committee's knowledge of your organization? <--- Score
360.
Does the problem have ethical dimensions? <--- Score 361. What is relevant financial experience likely to include? <--- Score 362. Are there any significant or unusual amounts due from officers or employees? <--- Score 363. Will business continue as single going concern? <--- Score 364. Is system operational and usable as specified in commitments and agreements? <--- Score 365. How is the internal audit profession regulated? <--- Score 366. How much data can be collected in the given timeframe? <--- Score 367. Does the executive committee seek observations, recommendations, and opinions from auditing? <--- Score 368. Are all material purchases authorized through formal, approved purchase orders? <--- Score 369. Are there regulatory / compliance issues? <--- Score 370. What is the problem and/or vulnerability? <--- Score 371. Are procedures documented for managing COSO Internal Control risks? <--- Score 372. What COSO Internal Control standards are applicable? <--- Score 373. How do you identify subcontractor relationships? <--- Score 374. What criteria will you use to assess your COSO Internal Control risks? <--- Score 375. What goals should be employed to best build and structure the IT department? <--- Score 376. How much should your organization spend on internal audit? <--- Score 377. Is confidential information protected consistent with your organizations commitments and agreements? <--- Score 378. What independent validation and compliance functions are there? <--- Score 379. What involvement did management have? <--- Score 380. How many trainings, in total, are needed? <--- Score 381. What are components and principles? <--- Score 382. How is information communicated between different levels of your organization? <--- Score 383. Does senior management actively support the antifraud program efforts? <--- Score 384. Who needs to know? <--- Score 385. Does your organization operate in all your offshore and overseas locations? <--- Score 386. 
What is the extent or complexity of the COSO Internal Control problem? <--- Score 387. Why do material and frequently recurring frauds succeed? <--- Score 388. Have been addressed by management? <--- Score 389. Is the audit committee seen as important internally as well as externally? <--- Score 390. How effective is your cyber security system? <--- Score 391. How does materiality apply in an audit? <--- Score 392. Are there any internal audit procedures? <--- Score 393. Why is wireless technology considered a key for future networks? <--- Score 394. Do you use your external auditors to perform internal audit work? <--- Score 395. Is there an internal audit function present within your organization? <--- Score Add up total points for this section: _____ = Total points for this section Divided by: ______ (number of statements answered) = ______ Average score for this section Transfer your score to the COSO Internal Control Index at the beginning of the Self-Assessment. COSO Internal Control and Managing Projects, Criteria for Project Managers: 1.0 Initiating Process Group: COSO Internal Control 1. How well did the chosen processes fit the needs of the COSO Internal Control project? 2. How can you make your needs known? 3. Contingency planning. if a risk event occurs, what will you do? 4. What are the constraints? 5. What are the required resources? 6. What communication items need improvement? 7. How well did the chosen processes produce the expected results? 8. Were sponsors and decision makers available when needed outside regularly scheduled meetings? 9. Specific - is the objective clear in terms of what, how, when, and where the situation will be changed? 10. Did you use a contractor or vendor? 11. Although the COSO Internal Control project manager does not directly manage procurement and contracting activities, who does manage procurement and contracting activities in your organization then if not the PM? 12. What business situation is being addressed? 13. 
When are the deliverables to be generated in each phase? 14. If the risk event occurs, what will you do? 15. What is the stake of others in your COSO Internal Control project? 16. How is each deliverable reviewed, verified, and validated? 17. How will it affect me? 18. Were decisions made in a timely manner? 19. What are the short and long term implications? 20. What will be the pressing issues of tomorrow? 1.1 Project Charter: COSO Internal Control 21. Why do you need to manage scope? 22. Does the COSO Internal Control project need to consider any special capacity or capability issues? 23. What goes into your COSO Internal Control project Charter? 24. Are you building in-house ? 25. Why do you manage integration? 26. Assumptions: what factors, for planning purposes, are you considering to be true? 27. How will you learn more about the process or system you are trying to improve? 28. Why the improvements? 29. What is the most common tool for helping define the detail? 30. Who is the COSO Internal Control project Manager? 31. When? 32. What is the justification? 33. Customer benefits: what customer requirements does this COSO Internal Control project address? 34. Environmental stewardship and sustainability considerations: what is the process that will be used to ensure compliance with the environmental stewardship policy? 35. Name and describe the elements that deal with providing the detail? 36. COSO Internal Control project deliverables: what is the COSO Internal Control project going to produce? 37. What are the known stakeholder requirements? 38. Review the general mission What system will be affected by the improvement efforts? 39. Why Outsource? 40. What metrics could you look at? 1.2 Stakeholder Register: COSO Internal Control 41. How should employers make voices heard? 42. What opportunities exist to provide communications? 43. How big is the gap? 44. What & Why? 45. How will reports be created? 46. Who are the stakeholders? 47. 
Who wants to talk about Security? 48. Is your organization ready for change? 49. How much influence do they have on the COSO Internal Control project? 50. What is the power of the stakeholder? 51. Who is managing stakeholder engagement? 52. What are the major COSO Internal Control project milestones requiring communications or providing communications opportunities? 1.3 Stakeholder Analysis Matrix: COSO Internal Control 53. What coalitions might build around the issues being tackled? 54. How can you counter negative efforts? 55. What are the key services, contractual arrangements, or other relationships between stakeholder groups? 56. What is relationship with the COSO Internal Control project? 57. Organizational Applicability? 58. Technology development and innovation? 59. What resources might the stakeholder bring to the COSO Internal Control project? 60. Who are potential allies and opponents? 61. Inoculations or payment to receive them? 62. Who will be responsible for managing the outcome? 63. Is changing technology threatening your organizations position? 64. Effects on core activities, distraction? 65. Who is most dependent on the resources at stake? 66. Who has not been involved up to now and should have been? 67. Why do you need to manage COSO Internal Control project Risk? 68. It developments? 69. Reliability of data, plan predictability? 70. Who will be affected by the work? 71. How to measure the achievement of the Immediate Objective? 72. New markets, vertical, horizontal? 2.0 Planning Process Group: COSO Internal Control 73. What do they need to know about the COSO Internal Control project? 74. Are work methodologies, financial instruments, etc. shared among departments, organizations and COSO Internal Control projects? 75. How do you integrate COSO Internal Control project Planning with the Iterative/Evolutionary SDLC? 76. 
Have more efficient (sensitive) and appropriate measures been adopted to respond to the political and socio-cultural problems identified? 77. If a task is partitionable, is this a sufficient condition to reduce the COSO Internal Control project duration? 78. Is the COSO Internal Control project supported by national and/or local organizations? 79. Have operating capacities been created and/or reinforced in partners? 80. Will the products created live up to the necessary quality? 81. How will users learn how to use the deliverables? 82. How are the principles of aid effectiveness (ownership, alignment, management for development results and mutual responsibility) being applied in the COSO Internal Control project? 83. How will you do it? 84. What will you do? 85. In what way has the COSO Internal Control project come up with innovative measures for problem-solving? 86. What type of estimation method are you using? 87. Why do it COSO Internal Control projects fail? 88. Are you just doing busywork to pass the time? 89. How can you tell when you are done? 90. What input will you be required to provide the COSO Internal Control project team? 91. Why is it important to determine activity sequencing on COSO Internal Control projects? 2.1 Project Management Plan: COSO Internal Control 92. Has the selected plan been formulated using cost effectiveness and incremental analysis techniques? 93. When is the COSO Internal Control project management plan created? 94. What are the deliverables? 95. Why Change? 96. Are there any scope changes proposed for a previously authorized COSO Internal Control project? 97. What are the assumptions? 98. Are there any client staffing expectations? 99. Does the implementation plan have an appropriate division of responsibilities? 100. What did not work so well? 101. Are the existing and future without-plan conditions reasonable and appropriate? 102. 
Are there any windfall benefits that would accrue to the COSO Internal Control project sponsor or other parties? 103. Is there an incremental analysis/cost effectiveness analysis of proposed mitigation features based on an approved method and using an accepted model? 104. What is the business need? 105. Are alternatives safe, functional, constructible, economical, reasonable and sustainable? 106. Are comparable cost estimates used for comparing, screening and selecting alternative plans, and has a reasonable cost estimate been developed for the recommended plan? 107. Is the budget realistic? 108. What are the training needs? 2.2 Scope Management Plan: COSO Internal Control 109. Are all payments made according to the contract(s)? 110. Is there an issues management plan in place? 111. Are risk triggers captured? 112. Are the appropriate IT resources adequate to meet planned commitments? 113. Is PERT / critical path or equivalent methodology being used? 114. What are the risks that could significantly affect the budget of the COSO Internal Control project? 115. Time estimation – how much time will be needed? 116. Has a resource management plan been created? 117. Are you doing what you have set out to do? 118. Are written status reports provided on a designated frequent basis? 119. What happens if scope changes? 120. Are there checklists created to determine if all quality processes are followed? 121. What does the critical path really mean? 122. Are the people assigned to the COSO Internal Control project sufficiently qualified? 123. Does all COSO Internal Control project documentation reside in a common repository for easy access? 124. Has a provision been made to reassess COSO Internal Control project risks at various COSO Internal Control project stages? 125. Do you document disagreements and work towards resolutions? 126. Are software metrics formally captured, analyzed and used as a basis for other COSO Internal Control project estimates? 127. 
Are risk oriented checklists used during risk identification? 128. Is there a set of procedures defining the scope, procedures, and deliverables defining quality control? 2.3 Requirements Management Plan: COSO Internal Control 129. What is the earliest finish date for this COSO Internal Control project if it is scheduled to start on ...? 130. Did you avoid subjective, flowery or non-specific statements? 131. How often will the reporting occur? 132. Who will perform the analysis? 133. What are you counting on? 134. What performance metrics will be used? 135. Subject to change control? 136. Does the COSO Internal Control project have a Change Control process? 137. Describe the process for rejecting the COSO Internal Control project requirements. Who has the authority to reject COSO Internal Control project requirements? 138. How will requirements be managed? 139. Will you use tracing to help understand the impact of a change in requirements? 140. Do you have an agreed upon process for alerting the COSO Internal Control project Manager if a request for change in requirements leads to a product scope change? 141. Are all the stakeholders ready for the transition into the user community? 142. Could inaccurate or incomplete requirements in this COSO Internal Control project create a serious risk for the business? 143. How knowledgeable is the primary Stakeholder(s) in the proposed application area? 144. In case of software development; Should you have a test for each code module? 145. How knowledgeable is the team in the proposed application area? 146. What went wrong? 147. Is any organizational data being used or stored? 148. Who is responsible for monitoring and tracking the COSO Internal Control project requirements? 2.4 Requirements Documentation: COSO Internal Control 149. Who is involved? 150. Can the requirement be changed without a large impact on other requirements? 151. Where do system and software requirements come from, what are sources? 152. 
What images does it conjure? 153. What variations exist for a process? 154. How much does requirements engineering cost? 155. What is the risk associated with the technology? 156. What are the acceptance criteria? 157. How does the proposed COSO Internal Control project contribute to the overall objectives of your organization? 158. Who provides requirements? 159. Who is interacting with the system? 160. What are current process problems? 161. What is a show stopper in the requirements? 162. Completeness. are all functions required by the customer included? 163. What marketing channels do you want to use: e-mail, letter or sms? 164. Is the requirement realistically testable? 165. Can the requirements be checked? 166. How does what is being described meet the business need? 167. Does the system provide the functions which best support the customers needs? 168. If applicable; are there issues linked with the fact that this is an offshore COSO Internal Control project? 2.5 Requirements Traceability Matrix: COSO Internal Control 169. Why use a WBS? 170. How will it affect the stakeholders personally in career? 171. Is there a requirements traceability process in place? 172. What percentage of COSO Internal Control projects are producing traceability matrices between requirements and other work products? 173. How small is small enough? 174. What are the chronologies, contingencies, consequences, criteria? 175. Do you have a clear understanding of all subcontracts in place? 176. What is the WBS? 177. Why do you manage scope? 178. Will you use a Requirements Traceability Matrix? 179. Describe the process for approving requirements so they can be added to the traceability matrix and COSO Internal Control project work can be performed. Will the COSO Internal Control project requirements become approved in writing? 180. How do you manage scope? 2.6 Project Scope Statement: COSO Internal Control 181. 
Will the qa related information be reported regularly as part of the status reporting mechanisms? 182. Have the reports to be produced, distributed, and filed been defined? 183. Will all COSO Internal Control project issues be unconditionally tracked through the issue resolution process? 184. What should you drop in order to add something new? 185. Are the meetings set up to have assigned note takers that will add action/issues to the issue list? 186. Is an issue management process documented and filed? 187. Has the COSO Internal Control project scope statement been reviewed as part of the baseline process? 188. Is the plan for COSO Internal Control project resources adequate? 189. If there is an independent oversight contractor, have they signed off on the COSO Internal Control project Plan? 190. Once its defined, what is the stability of the COSO Internal Control project scope? 191. Will there be a Change Control Process in place? 192. Are the input requirements from the team members clearly documented and communicated? 193. Will the risk documents be filed? 194. Is there a Quality Assurance Plan documented and filed? 195. Has a method and process for requirement tracking been developed? 196. How often will scope changes be reviewed? 197. Were key COSO Internal Control project stakeholders brought into the COSO Internal Control project Plan? 198. Will the risk status be reported to management on a regular and frequent basis? 199. Is the plan under configuration management? 200. Is there a process (test plans, inspections, reviews) defined for verifying outputs for each task? 2.7 Assumption and Constraint Log: COSO Internal Control 201. Do documented requirements exist for all critical components and areas, including technical, business, interfaces, performance, security and conversion requirements? 202. Is the definition of the COSO Internal Control project scope clear; what needs to be accomplished? 203. 
Are funding and staffing resource estimates sufficiently detailed and documented for use in planning and tracking the COSO Internal Control project? 204. Would known impacts serve as impediments? 205. Are there ways to reduce the time it takes to get something approved? 206. What worked well? 207. Do you know what your customers expectations are regarding this process? 208. Are best practices and metrics employed to identify issues, progress, performance, etc.? 209. Is the amount of effort justified by the anticipated value of forming a new process? 210. Are there cosmetic errors that hinder readability and comprehension? 211. Are there unnecessary steps that are creating bottlenecks and/or causing people to wait? 212. Are there processes in place to ensure that all the terms and code concepts have been documented consistently? 213. Have COSO Internal Control project management standards and procedures been established and documented? 214. If it is out of compliance, should the process be amended or should the Plan be amended? 215. Contradictory information between document sections? 216. What if failure during recovery? 217. Does the system design reflect the requirements? 218. Does the plan conform to standards? 219. Has the approach and development strategy of the COSO Internal Control project been defined, documented and accepted by the appropriate stakeholders? 220. Have you eliminated all duplicative tasks or manual efforts, where appropriate? 2.8 Work Breakdown Structure: COSO Internal Control 221. Is the work breakdown structure (wbs) defined and is the scope of the COSO Internal Control project clear with assigned deliverable owners? 222. What is the probability that the COSO Internal Control project duration will exceed xx weeks? 223. Is it a change in scope? 224. When would you develop a Work Breakdown Structure? 225. Is it still viable? 226. Who has to do it? 227. Where does it take place? 228. Do you need another level? 229. How big is a work-package? 
230. When does it have to be done? 231. How will you and your COSO Internal Control project team define the COSO Internal Control projects scope and work breakdown structure? 232. How much detail? 233. Why is it useful? 234. How far down? 235. Can you make it? 236. When do you stop? 2.9 WBS Dictionary: COSO Internal Control 237. Are direct or indirect cost adjustments being accomplished according to accounting procedures acceptable to us? 238. Are records maintained to show how undistributed budgets are controlled? 239. Cwbs elements to be subcontracted, with identification of subcontractors? 240. Are records maintained to show full accountability for all material purchased for the contract, including the residual inventory? 241. Are current work performance indicators and goals relatable to original goals as modified by contractual changes, replanning, and reprogramming actions? 242. Do the lines of authority for incurring indirect costs correspond to the lines of responsibility for management control of the same components of costs? 243. Are all elements of indirect expense identified to overhead cost budgets of COSO Internal Control projections? 244. Are the variances between budgeted and actual indirect costs identified and analyzed at the level of assigned responsibility for control (indirect pool, department, etc.)? 245. What size should a work package be? 246. Are the bases and rates for allocating costs from each indirect pool to commercial work consistent with the already stated used to allocate corresponding costs to Government contracts? 247. Is the anticipated (firm and potential) business base COSO Internal Control projected in a rational, consistent manner? 248. Are overhead cost budgets (or COSO Internal Control projections) established on a facility-wide basis at least annually for the life of the contract? 249. Does the contractors system provide for determination of price variance by comparing planned Vs actual commitments? 250. 
Changes in the nature of the overhead requirements? 251. Budgets assigned to major functional organizations? 252. Are overhead costs budgets established on a basis consistent with anticipated direct business base? 253. Are data elements (BCWS, BCWP, and ACWP) progressively summarized from the detail level to the contract level through the CWBS? 254. Appropriate work authorization documents which subdivide the contractual effort and responsibilities, within functional organizations? 255. Are the rates for allocating costs from each indirect cost pool to contracts updated as necessary to ensure a realistic monthly allocation of indirect costs without significant year-end adjustments? 256. Can the contractor substantiate work package and planning package budgets? 2.10 Schedule Management Plan: COSO Internal Control 257. Have activity relationships and interdependencies within tasks been adequately identified? 258. Are COSO Internal Control project team members involved in detailed estimating and scheduling? 259. Is funded schedule margin reasonable and logically distributed? 260. Were the budget estimates reasonable? 261. Who is responsible for estimating the activity durations? 262. Are procurement deliverables arriving on time and to specification? 263. Which status reports are received per the COSO Internal Control project Plan? 264. Does the COSO Internal Control project have a formal COSO Internal Control project Charter? 265. Have all unresolved risks been documented? 266. Are any non-compliance issues that exist due to your organizations practices communicated to your organization? 267. Are software metrics formally captured, analyzed and used as a basis for other COSO Internal Control project estimates? 268. Is the ims used by all levels of management for COSO Internal Control project implementation and control? 269. Is there an excessive and invalid use of task constraints and relationships of leads/lags? 270. Quality assurance overheads? 271. 
Timeline and milestones? 272. Were COSO Internal Control project team members involved in the development of activity & task decomposition? 273. Are right task and resource calendars used in the IMS? 274. Have COSO Internal Control project management standards and procedures been identified / established and documented? 275. Has a COSO Internal Control project Communications Plan been developed? 2.11 Activity List: COSO Internal Control 276. How detailed should a COSO Internal Control project get? 277. Who will perform the work? 278. Is infrastructure setup part of your COSO Internal Control project? 279. The WBS is developed as part of a joint planning session, and how do you know that you have done this right? 280. What is your organization's history in doing similar activities? 281. Are the required resources available or need to be acquired? 282. How do you determine the late start (LS) for each activity? 283. Should you include sub-activities? 284. Can you determine the activity that must finish, before this activity can start? 285. When will the work be performed? 286. What is the LF and LS for each activity? 287. How should ongoing costs be monitored to try to keep the COSO Internal Control project within budget? 288. For other activities, how much delay can be tolerated? 289. How can the COSO Internal Control project be displayed graphically to better visualize the activities? 290. Is there anything planned that does not need to be here? 291. What went well? 292. How difficult will it be to do specific activities on this COSO Internal Control project? 293. What are the critical bottleneck activities? 294. In what sequence? 295. How will it be performed? 2.12 Activity Attributes: COSO Internal Control 296. Which method produces the more accurate cost assignment? 297. How many days do you need to complete the work scope with a limit of X number of resources? 298. Do you feel very comfortable with your prediction? 299. 
Were there other ways you could have organized the data to achieve similar results? 300. Have you identified the Activity Leveling Priority code value on each activity? 301. Resource is assigned to? 302. What conclusions/generalizations can you draw from this? 303. How do you manage time? 304. How much activity detail is required? 305. Activity: what is In the Bag? 306. Activity: fair or not fair? 307. Activity: what is Missing? 308. Does your organization of the data change its meaning? 309. How else could the items be grouped? 310. Can more resources be added? 311. What is the general pattern here? 312. Where else does it apply? 2.13 Milestone List: COSO Internal Control 313. What is the market for your technology, product or service? 314. Gaps in capabilities? 315. Level of the Innovation? 316. Loss of key staff? 317. Describe the industry you are in and the market growth opportunities. What is the market for your technology, product or service? 318. Do you foresee any technical risks or developmental challenges? 319. New USPs? 320. Political effects? 321. Legislative effects? 322. When will the COSO Internal Control project be complete? 323. Usps (unique selling points)? 324. Sustaining internal capabilities? 325. What background experience, skills, and strengths does the team bring to your organization? 326. How will the milestone be verified? 327. How late can the activity start? 328. Sustainable financial backing? 2.14 Network Diagram: COSO Internal Control 329. Can you calculate the confidence level? 330. What are the Major Administrative Issues? 331. What are the Key Success Factors? 332. Where do you schedule uncertainty time? 333. Are the gantt chart and/or network diagram updated periodically and used to assess the overall COSO Internal Control project timetable? 334. What job or jobs follow it? 335. What to do and When? 336. If a current contract exists, can you provide the vendor name, contract start, and contract expiration date? 337. 
What activities must follow this activity? 338. Which type of network diagram allows you to depict four types of dependencies? 339. What job or jobs could run concurrently? 340. Will crashing x weeks return more in benefits than it costs? 341. What controls the start and finish of a job? 342. What activity must be completed immediately before this activity can start? 343. Exercise: what is the probability that the COSO Internal Control project duration will exceed xx weeks? 344. Review the logical flow of the network diagram. Take a look at which activities you have first and then sequence the activities. Do they make sense? 345. How difficult will it be to do specific activities on this COSO Internal Control project? 346. Are the required resources available? 2.15 Activity Resource Requirements: COSO Internal Control 347. Other support in specific areas? 348. Time for overtime? 349. Do you use tools like decomposition and rolling-wave planning to produce the activity list and other outputs? 350. When does monitoring begin? 351. Why do you do that? 352. How many signatures do you require on a check and does this match what is in your policy and procedures? 353. What are constraints that you might find during the Human Resource Planning process? 354. How do you handle petty cash? 355. What is the Work Plan Standard? 356. Which logical relationship does the PDM use most often? 357. Are there unresolved issues that need to be addressed? 358. Anything else? 2.16 Resource Breakdown Structure: COSO Internal Control 359. Who delivers the information? 360. How should the information be delivered? 361. Changes based on input from stakeholders? 362. Who is allowed to perform which functions? 363. Why time management? 364. What defines a successful COSO Internal Control project? 365. The list could probably go on, but, the thing that you would most like to know is, How long & How much? 366. When do they need the information? 367. What can you do to improve productivity? 368. 
Why do you do it? 369. Is predictive resource analysis being done? 370. How can this help you with team building? 371. What is the primary purpose of the human resource plan? 372. What is COSO Internal Control project communication management? 373. Who will use the system? 374. Which resource planning tool provides information on resource responsibility and accountability? 2.17 Activity Duration Estimates: COSO Internal Control 375. Are COSO Internal Control project costs tracked in the general ledger? 376. Does a process exist to determine which risk events to accept and which events to disregard? 377. Calculate the expected duration for an activity that has a most likely time of 3, a pessimistic time of 10, and an optimistic time of 2? 378. What do you think about the WBSs for them? 379. How does a COSO Internal Control project life cycle differ from a product life cycle? 380. Do COSO Internal Control project team members work in the same physical location to enhance team performance? 381. Will additional funds be needed for hardware or software? 382. Does a process exist to determine the potential loss or gain if risk events occur? 383. How can software assist in COSO Internal Control project communications? 384. Which is a benefit of an analogous COSO Internal Control project estimate? 385. How have experts such as Deming, Juran, Crosby, and Taguchi affected the quality movement and today's use of Six Sigma? 386. What are the ways to create and distribute COSO Internal Control project performance information? 387. Are team building activities completed to improve team performance? 388. Does the software appear easy to learn? 389. Is the COSO Internal Control project performing better or worse than planned? 390. What steps did your organization take to earn this prestigious quality award? 391. Under corresponding circumstances what would be the best thing to do? 392. 
How do functionality, system outputs, performance, reliability, and maintainability requirements affect quality planning? 393. Mass, power, cost ... why not time? 2.18 Duration Estimating Worksheet: COSO Internal Control 394. What is cost and COSO Internal Control project cost management? 395. What info is needed? 396. What utility impacts are there? 397. Why estimate costs? 398. How can the COSO Internal Control project be displayed graphically to better visualize the activities? 399. What went right? 400. Small or large COSO Internal Control project? 401. Value pocket identification & quantification what are value pockets? 402. What is an Average COSO Internal Control project? 403. Can the COSO Internal Control project be constructed as planned? 404. Science = process: remember the scientific method? 405. Is a construction detail attached (to aid in explanation)? 406. What questions do you have? 407. What is the total time required to complete the COSO Internal Control project if no delays occur? 408. When do the individual activities need to start and finish? 409. Do any colleagues have experience with your organization and/or RFPs? 410. Is this operation cost effective? 411. When does your organization expect to be able to complete it? 2.19 Project Schedule: COSO Internal Control 412. Is the structure for tracking the COSO Internal Control project schedule well defined and assigned to a specific individual? 413. What is COSO Internal Control project management? 414. Meet requirements? 415. What is the most mis-scheduled part of process? 416. What is the purpose of a COSO Internal Control project schedule? 417. Does the condition or event threaten the COSO Internal Control projects objectives in any ways? 418. What is the difference? 419. Have all COSO Internal Control project delays been adequately accounted for, communicated to all stakeholders and adjustments made in overall COSO Internal Control project schedule? 420. Are all remaining durations correct? 
421. What is risk management? 422. Is COSO Internal Control project work proceeding in accordance with the original COSO Internal Control project schedule? 423. Is there a Schedule Management Plan that establishes the criteria and activities for developing, monitoring and controlling the COSO Internal Control project schedule? 424. Why is this particularly bad? 425. Are the original COSO Internal Control project schedule and budget realistic? 426. Eliminate unnecessary activities. Are there activities that came from a template or previous COSO Internal Control project that are not applicable on this phase of this COSO Internal Control project? 427. Are there activities that came from a template or previous COSO Internal Control project that are not applicable on this phase of this COSO Internal Control project? 428. How closely did the initial COSO Internal Control project Schedule compare with the actual schedule? 429. Was the COSO Internal Control project schedule reviewed by all stakeholders and formally accepted? 430. How do you use schedules? 2.20 Cost Management Plan: COSO Internal Control 431. Is COSO Internal Control project work proceeding in accordance with the original COSO Internal Control project schedule? 432. Are multiple estimation methods being employed? 433. Does the COSO Internal Control project have a Statement of Work? 434. Personnel with expertise? 435. Similar COSO Internal Control projects? 436. Have external dependencies been captured in the schedule? 437. Are the schedule estimates reasonable given the COSO Internal Control project? 438. Scope of work – What is the scope of work for each of the planned contracts? 439. Have stakeholder accountabilities & responsibilities been clearly defined? 440. Has the business need been clearly defined? 441. Is there an approved case? 442. Are assumptions being identified, recorded, analyzed, qualified and closed? 443. 
Are the COSO Internal Control project team members located locally to the users/stakeholders? 444. Does the business case include how the COSO Internal Control project aligns with your organizations strategic goals & objectives? 445. Are quality inspections and review activities listed in the COSO Internal Control project schedule(s)? 446. Were COSO Internal Control project team members involved in detailed estimating and scheduling? 447. Are trade-offs between accepting the risk and mitigating the risk identified? 448. Do all stakeholders know how to access this repository and where to find the COSO Internal Control project documentation? 449. Are milestone deliverables effectively tracked and compared to COSO Internal Control project plan? 2.21 Activity Cost Estimates: COSO Internal Control 450. Did the consultant work with local staff to develop local capacity? 451. Based on your COSO Internal Control project communication management plan, what worked well? 452. How many activities should you have? 453. Were the tasks or work products prepared by the consultant useful? 454. How quickly can the task be done with the skills available? 455. Can you delete activities or make them inactive? 456. What procedures are put in place regarding bidding and cost comparisons, if any? 457. How Award? 458. In which phase of the acquisition process cycle does source qualifications reside? 459. What is a COSO Internal Control project Management Plan? 460. What makes a good activity description? 461. How do you change activities? 462. Can you change your activities? 463. What were things that you need to improve? 464. Measurable - are the targets measurable? 465. What defines a successful COSO Internal Control project? 466. Were you satisfied with the work? 467. What is the last item a COSO Internal Control project manager must do to finalize COSO Internal Control project close-out? 468. Were the costs or charges reasonable? 
2.22 Cost Estimating Worksheet: COSO Internal Control 469. What additional COSO Internal Control project(s) could be initiated as a result of this COSO Internal Control project? 470. What can be included? 471. Does the COSO Internal Control project provide innovative ways for stakeholders to overcome obstacles or deliver better outcomes? 472. What is the estimated labor cost today based upon this information? 473. Identify the timeframe necessary to monitor progress and collect data to determine how the selected measure has changed? 474. What happens to any remaining funds not used? 475. Is it feasible to establish a control group arrangement? 476. Is the COSO Internal Control project responsive to community need? 477. Ask: are others positioned to know, are others credible, and will others cooperate? 478. Can a trend be established from historical performance data on the selected measure and are the criteria for using trend analysis or forecasting methods met? 479. Who is best positioned to know and assist in identifying corresponding factors? 480. What is the purpose of estimating? 481. What will others want? 482. What costs are to be estimated? 483. Will the COSO Internal Control project collaborate with the local community and leverage resources? 484. How will the results be shared and to whom? 2.23 Cost Baseline: COSO Internal Control 485. Has the COSO Internal Control project documentation been archived or otherwise disposed as described in the COSO Internal Control project communication plan? 486. What is the consequence? 487. Is the requested change request a result of changes in other COSO Internal Control project(s)? 488. Has the COSO Internal Control project (or COSO Internal Control project phase) been evaluated against each objective established in the product description and Integrated COSO Internal Control project Plan? 489. Does a process exist for establishing a cost baseline to measure COSO Internal Control project performance? 490. 
What strengths do you have? 491. How long are you willing to wait before you find out we're late? 492. Has operations management formally accepted responsibility for operating and maintaining the product(s) or service(s) delivered by the COSO Internal Control project? 493. Escalation criteria met? 494. How likely is it to go wrong? 495. What is your organization's history in doing similar tasks? 496. Has the actual cost of the COSO Internal Control project (or COSO Internal Control project phase) been tallied and compared to the approved budget? 497. If you sold 10x widgets on a day, what would the effect on profits be? 498. On time? 499. Is there anything unique in this COSO Internal Control project's scope statement that will affect resources? 500. What does a good WBS NOT look like? 501. Does it impact schedule, cost, quality? 502. How accurate do cost estimates need to be? 503. Are procedures defined by which the cost baseline may be changed? 504. What weaknesses do you have? 2.24 Quality Management Plan: COSO Internal Control 505. How does your organization determine the requirements and product/service features important to customers? 506. Is the process working, and people are not executing in compliance of the process? 507. Can the requirements be traced to the appropriate components of the solution, as well as test scripts? 508. Who is responsible for writing the qapp? 509. How are people conducting sampling trained? 510. Are qmps good forever? 511. How do you prioritize? 512. Show/provide copy of procedures for taking field notes? 513. Diagrams and tables to account for complex concepts and increase overall readability? 514. What are your organization's current levels and trends for the already stated measures related to customer satisfaction/ dissatisfaction and product/service performance? 515. Is it necessary? 516. How do you manage quality? 517. How does your organization recruit, hire, and retain new employees? 518. How are calibration records kept? 519. 
What are you trying to accomplish? 520. What would you gain if you spent time working to improve this process? 521. How does your organization use comparative data and information to improve organizational performance? 522. Do trained quality assurance auditors conduct the audits as defined in the Quality Management Plan and scheduled by the COSO Internal Control project manager? 2.25 Quality Metrics: COSO Internal Control 523. The metrics–what is being considered? 524. Was material distributed on time? 525. How is it being measured? 526. Is material complete (and does it meet the standards)? 527. Is there a set of procedures to capture, analyze and act on quality metrics? 528. How do you calculate corresponding metrics? 529. Have alternatives been defined in the event that failure occurs? 530. Which are the right metrics to use? 531. What is the timeline to meet your goal? 532. When is the security analysis testing complete? 533. What documentation is required? 534. How do you know if everyone is trying to improve the right things? 535. What method of measurement do you use? 536. Are quality metrics defined? 537. How are requirements conflicts resolved? 538. Was the overall quality better or worse than previous products? 539. What approved evidence based screening tools can be used? 540. Is there alignment within your organization on definitions? 541. Is a risk containment plan in place? 542. Which report did you use to create the data you are submitting? 2.26 Process Improvement Plan: COSO Internal Control 543. Are you following the quality standards? 544. Are you making progress on the improvement framework? 545. Are you making progress on your improvement plan? 546. What personnel are the coaches for your initiative? 547. Who should prepare the process improvement action plan? 548. Why do you want to achieve the goal? 549. What personnel are the champions for the initiative? 550. Does explicit definition of the measures exist? 551. 
Management commitment at all levels? 552. How do you measure? 553. Are there forms and procedures to collect and record the data? 554. Where do you want to be? 555. If a process improvement framework is being used, which elements will help the problems and goals listed? 556. What lessons have you learned so far? 557. Has a process guide to collect the data been developed? 558. What makes people good SPI coaches? 559. Where do you focus? 560. Modeling current processes is great, and will you ever see a return on that investment? 561. Purpose of goal: the motive is determined by asking, why do you want to achieve this goal? 2.27 Responsibility Assignment Matrix: COSO Internal Control 562. Not any Rs, As, or Cs: if an identified role is only informed, should others be eliminated from the matrix? 563. Are control accounts opened and closed based on the start and completion of work contained therein? 564. Are work packages assigned to performing organizations? 565. Are overhead cost budgets established for each organization which has authority to incur overhead costs? 566. Are significant decision points, constraints, and interfaces identified as key milestones? 567. Detailed schedules which support control account and work package start and completion dates/events? 568. Competencies and craftsmanship – what competencies are necessary and what level? 569. What happens when others get pulled for higher priority COSO Internal Control projects? 570. Are records maintained to show how management reserves are used? 571. Do you need to convince people that it's well worth the time and effort? 572. Are detailed work packages planned as far in advance as practicable? 573. Availability – will the group or the person be available within the necessary time interval? 574. Is work progressively subdivided into detailed work packages as requirements are defined? 575. Does the contractor's system identify work accomplishment against the schedule plan? 576. 
Are the actual costs used for variance analysis reconcilable with data from the accounting system? 577. What do you need to implement earned value management? 2.28 Roles and Responsibilities: COSO Internal Control 578. Implementation of actions: Who are the responsible units? 579. Attainable / achievable: the goal is attainable; can you actually accomplish the goal? 580. Once the responsibilities are defined for the COSO Internal Control project, have the deliverables, roles and responsibilities been clearly communicated to every participant? 581. What areas of supervision are challenging for you? 582. Does your vision/mission support a culture of quality data? 583. Was the expectation clearly communicated? 584. Are governance roles and responsibilities documented? 585. Be specific; avoid generalities. Thank you and great work alone are insufficient. What exactly do you appreciate and why? 586. Do the values and practices inherent in the culture of your organization foster or hinder the process? 587. Influence: what areas of organizational decision making are you able to influence when you do not have authority to make the final decision? 588. What is working well? 589. Is there a training program in place for stakeholders covering expectations, roles and responsibilities and any addition knowledge others need to be good stakeholders? 590. How well did the COSO Internal Control project Team understand the expectations of specific roles and responsibilities? 591. What are your major roles and responsibilities in the area of performance measurement and assessment? 592. To decide whether to use a quality measurement, ask how will you know when it is achieved? 593. Are COSO Internal Control project team roles and responsibilities identified and documented? 594. Do you take the time to clearly define roles and responsibilities on COSO Internal Control project tasks? 595. Required skills, knowledge, experience? 596. 
What is working well within your organizations performance management system? 2.29 Human Resource Management Plan: COSO Internal Control 597. What did you have to assume to be true to complete the charter? 598. What skills, knowledge and experiences are required? 599. Are target dates established for each milestone deliverable? 600. COSO Internal Control project definition & scope? 601. Were COSO Internal Control project team members involved in detailed estimating and scheduling? 602. Are corrective actions and variances reported? 603. Is the structure for tracking the COSO Internal Control project schedule well defined and assigned to a specific individual? 604. Are all vendor contracts closed out? 605. Are the COSO Internal Control project team members located locally to the users/stakeholders? 606. Is there a Quality Management Plan? 607. Are the quality tools and methods identified in the Quality Plan appropriate to the COSO Internal Control project? 608. Are people motivated to meet the current and future challenges? 609. Does all COSO Internal Control project documentation reside in a common repository for easy access? 610. Are meeting minutes captured and sent out after the meeting? 611. Have reserves been created to address risks? 612. Does the COSO Internal Control project have a formal COSO Internal Control project Charter? 613. How are you going to ensure that you have a well motivated workforce? 2.30 Communications Management Plan: COSO Internal Control 614. Who will use or be affected by the result of a COSO Internal Control project? 615. Are stakeholders internal or external? 616. Who to learn from? 617. Are you constantly rushing from meeting to meeting? 618. In your work, how much time is spent on stakeholder identification? 619. What are the interrelationships? 620. Are the stakeholders getting the information others need, are others consulted, are concerns addressed? 621. 
How will the person responsible for executing the communication item be notified? 622. Are others needed? 623. How much time does it take to do it? 624. What data is going to be required? 625. Who have you worked with in past, similar initiatives? 626. Why do you manage communications? 627. What is the stakeholders level of authority? 628. What approaches do you use? 629. Why is stakeholder engagement important? 630. Who needs to know and how much? 631. What help do you and your team need from the stakeholder? 632. Are there potential barriers between the team and the stakeholder? 633. Who is involved as you identify stakeholders? 2.31 Risk Management Plan: COSO Internal Control 634. How is risk response planning performed? 635. How can the process be made more effective or less cumbersome (process improvements)? 636. Degree of confidence in estimated size estimate? 637. Monitoring -what factors can you track that will enable you to determine if the risk is becoming more or less likely? 638. For software; does the software interface with new or unproven hardware or unproven vendor products? 639. Number of users of the product? 640. Is the number of people on the COSO Internal Control project team adequate to do the job? 641. Prioritized components/features? 642. Risk documentation: what reporting formats and processes will be used for risk management activities? 643. What are the chances the event will occur? 644. Management -what contingency plans do you have if the risk becomes a reality? 645. Why do you need to manage COSO Internal Control project Risk? 646. How will the COSO Internal Control project know if your organizations risk response actions were effective? 647. Is the customer willing to establish rapid communication links with the developer? 648. Are tools for analysis and design available? 649. Does the customer have a solid idea of what is required? 650. What things are likely to change? 651. What risks are necessary to achieve success? 652. 
How much risk can you tolerate? 653. How is the audit profession changing? 2.32 Risk Register: COSO Internal Control 654. How could corresponding Risk affect the COSO Internal Control project in terms of cost and schedule? 655. Who needs to know about this? 656. What would the impact to the COSO Internal Control project objectives be should the risk arise? 657. Are there any gaps in the evidence? 658. What are the major risks facing the COSO Internal Control project? 659. When will it happen? 660. How is a Community Risk Register created? 661. What should you do now? 662. What is the reason for current performance gaps and do the risks and opportunities identified previously account for this? 663. What has changed since the last period? 664. What may happen or not go according to plan? 665. Preventative actions - planned actions to reduce the likelihood a risk will occur and/or reduce the seriousness should it occur. What should you do now? 666. People risk -are people with appropriate skills available to help complete the COSO Internal Control project? 667. What should the audit role be in establishing a risk management process? 668. What is the probability and impact of the risk occurring? 669. Recovery actions - planned actions taken once a risk has occurred to allow you to move on. What should you do after? 670. How well are risks controlled? 671. How often will the Risk Management Plan and Risk Register be formally reviewed, and by whom? 672. Are your objectives at risk? 2.33 Probability and Impact Assessment: COSO Internal Control 673. Is security a central objective? 674. What will be the likely political environment during the life of the COSO Internal Control project? 675. Who should be notified of the occurrence of each of the risk indicators? 676. Are the facilities, expertise, resources, and management know-how available to handle the situation? 677. Which of corresponding risk factors can be avoided altogether? 678. 
What is the probability of the risk occurring? 679. Can the COSO Internal Control project proceed without assuming the risk? 680. What are the current demands of the customer? 681. Are the software tools integrated with each other? 682. What are the current requirements of the customer? 683. Are the risk data complete? 684. How will economic events and trends likely affect the COSO Internal Control project? 685. Is the process supported by tools? 686. Are end-users enthusiastically committed to the COSO Internal Control project and the system/product to be built? 687. What is the risk appetite? 688. Do you have a mechanism for managing change? 689. Is the technology to be built new to your organization? 690. What are the preparations required for facing difficulties? 691. Do you have a consistent repeatable process that is actually used? 2.34 Probability and Impact Matrix: COSO Internal Control 692. What needs to be DONE? 693. Which phase of the COSO Internal Control project do you take part in? 694. Is there any sign of biased ranking? 695. What are the risks involved in appointing external agencies to manage the COSO Internal Control project? 696. Are you working on the right risks? 697. What should be the level of difficulty in handling the technology? 698. What can you do about it? 699. What things might go wrong? 700. How can you understand and diagnose risks and identify sources? 701. What action would you take to the identified risks in the COSO Internal Control project? 702. What would be the effect of slippage? 703. Sensitivity analysis -which risks will have the most impact on the COSO Internal Control project? 704. How is the COSO Internal Control project going to be managed? 705. What are the chances the risk events will occur? 706. Are COSO Internal Control project requirements stable? 707. How are risks and risk management perceived in the COSO Internal Control project? 708. Do end-users have realistic expectations? 
2.35 Risk Data Sheet: COSO Internal Control 709. What is the likelihood of it happening? 710. What do people affected think about the need for, and practicality of preventive measures? 711. Has the most cost-effective solution been chosen? 712. What do you know? 713. Is the data sufficiently specified in terms of the type of failure being analyzed, and its frequency or probability? 714. What is the chance that it will happen? 715. What are you weak at and therefore need to do better? 716. Whom do you serve (customers)? 717. Has a sensitivity analysis been carried out? 718. How do you handle product safely? 719. Who has a vested interest in how you perform as your organization (our stakeholders)? 720. Type of risk identified? 721. What is the environment within which you operate (social trends, economic, community values, broad based participation, national directions etc.)? 722. What are you trying to achieve (Objectives)? 723. If it happens, what are the consequences? 724. What will be the consequences if it happens? 725. Potential for recurrence? 726. What are you here for (Mission)? 727. How reliable is the data source? 2.36 Procurement Management Plan: COSO Internal Control 728. Has a sponsor been identified? 729. Are COSO Internal Control project team roles and responsibilities identified and documented? 730. Is documentation created for communication with the suppliers and Vendors? 731. Has a COSO Internal Control project Communications Plan been developed? 732. Why is procurement planning important? 733. What areas are overlooked on this COSO Internal Control project? 734. Are estimating assumptions and constraints captured? 735. Has the schedule been baselined? 736. Has the COSO Internal Control project scope been baselined? 737. Is a stakeholder management plan in place that covers topics? 738. How will multiple providers be managed? 739. Does the COSO Internal Control project have a Statement of Work? 740. 
Are the COSO Internal Control project plans updated on a frequent basis? 741. Is there a formal set of procedures supporting Issues Management? 742. What is a COSO Internal Control project Management Plan? 743. Do COSO Internal Control project teams & team members report on status / activities / progress? 744. Are the budget estimates reasonable? 2.37 Source Selection Criteria: COSO Internal Control 745. Does your documentation identify why the team concurs or differs with reported performance from past performance report (CPARs, questionnaire responses, etc.)? 746. What does a sample rating scale look like? 747. How can business terms and conditions be improved to yield more effective price competition? 748. What information is to be provided and when should it be provided? 749. When is it appropriate to conduct a preproposal conference? 750. What is the basis of an estimate and what assumptions were made? 751. What management structure does your organization consider as optimal for performing the contract? 752. What should clarifications include? 753. How should comments received in response to a RFP be handled? 754. How long will it take for the purchase cost to be the same as the lease cost? 755. What benefits are accrued from issuing a DRFP in advance of issuing a final RFP? 756. In order of importance, which evaluation criteria are the most critical to the determination of your overall rating? 757. What information may not be provided? 758. How do you ensure an integrated assessment of proposals? 759. What can not be disclosed? 760. Does an evaluation need to include the identification of strengths and weaknesses? 761. What should be the contracting officers strategy? 762. Is a cost realism analysis used? 763. Who is on the Source Selection Advisory Committee? 2.38 Stakeholder Management Plan: COSO Internal Control 764. Why is it important to reduce deliverables to a smallest component? 765. Are staff skills known and available for each task? 766. 
Is the schedule updated on a periodic basis? 767. Is there an on-going process in place to monitor COSO Internal Control project risks? 768. Which risks pose the highest threat? 769. Which impacts could serve as impediments? 770. What are reporting requirements? 771. Have process improvement efforts been completed before requirements efforts begin? 772. Are adequate resources provided for the quality assurance function? 773. What process was used to identify risks to the COSO Internal Control projects success? 774. Have all team members been part of identifying risks? 775. After observing execution of process, is it in compliance with the documented Plan? 2.39 Change Management Plan: COSO Internal Control 776. Clearly articulate the overall business benefits of the COSO Internal Control project -why are you doing this now? 777. Different application of an existing process? 778. How much COSO Internal Control project management is needed? 779. How will the stakeholders share information and transfer knowledge? 780. Has the training co-ordinator been provided with the training details and put in place the necessary arrangements? 781. What work practices will be affected? 782. What type of materials/channels will be available to leverage? 783. Which relationships will change? 784. What are the major changes to processes? 785. Will the readiness criteria be met prior to the training roll out? 786. When does it make sense to customize? 787. What are the responsibilities assigned to each role? 788. How frequently should you repeat the message? 789. How badly can information be misinterpreted? 790. What is the most cynical response it can receive? 791. Why is it important? 792. What can you do to minimise misinterpretation and negative perceptions? 793. What is the worst thing that can happen if you communicate information? 794. Is it the same for each of the business units? 3.0 Executing Process Group: COSO Internal Control 795. 
Will new hardware or software be required for servers or client machines? 796. How can your organization use a weighted decision matrix to evaluate proposals as part of source selection? 797. Is it under budget or over budget? 798. Is the COSO Internal Control project performing better or worse than planned? 799. Who will provide training? 800. How can software assist in COSO Internal Control project communications? 801. If action is called for, what form should it take? 802. When do you share the scorecard with managers? 803. How do you measure difficulty? 804. What factors are contributing to progress or delay in the achievement of products and results? 805. What were things that you did very well and want to do the same again on the next COSO Internal Control project? 806. How will you avoid scope creep? 807. Why do you need a good WBS to use COSO Internal Control project management software? 808. What are the critical steps involved with strategy mapping? 809. Do the partners have sufficient financial capacity to keep up the benefits produced by the programme? 810. What are the main types of goods and services being outsourced? 811. After how many days will the lease cost be the same as the purchase cost for the equipment? 3.1 Team Member Status Report: COSO Internal Control 812. How can you make it practical? 813. How much risk is involved? 814. What specific interest groups do you have in place? 815. Does your organization have the means (staff, money, contract, etc.) to produce or to acquire the product, good, or service? 816. Are the attitudes of staff regarding COSO Internal Control project work improving? 817. Why is it to be done? 818. How is it to be done? 819. How will resource planning be done? 820. Do you have an Enterprise COSO Internal Control project Management Office (EPMO)? 821. Are the products of your organization's COSO Internal Control projects meeting customers' objectives? 822. Will the staff do training or is that done by a third party? 823. 
Does every department have to have a COSO Internal Control project Manager on staff? 824. Is there evidence that staff is taking a more professional approach toward management of your organizations COSO Internal Control projects? 825. What is to be done? 826. The problem with Reward & Recognition Programs is that the truly deserving people all too often get left out. How can you make it practical? 827. When a teams productivity and success depend on collaboration and the efficient flow of information, what generally fails them? 828. Does the product, good, or service already exist within your organization? 829. Are your organizations COSO Internal Control projects more successful over time? 830. How does this product, good, or service meet the needs of the COSO Internal Control project and your organization as a whole? 3.2 Change Request: COSO Internal Control 831. Who is communicating the change? 832. How do team members communicate with each other? 833. How to get changes (code) out in a timely manner? 834. What can be filed? 835. Who is responsible to authorize changes? 836. When to submit a change request? 837. Since there are no change requests in your COSO Internal Control project at this point, what must you have before you begin? 838. How can changes be graded? 839. Screen shots or attachments included in a Change Request? 840. Change request coordination ? 841. Are there requirements attributes that can discriminate between high and low reliability? 842. Have scm procedures for noting the change, recording it, and reporting it been followed? 843. Has a formal technical review been conducted to assess technical correctness? 844. What are the requirements for urgent changes? 845. Are you implementing itil processes? 846. How many times must the change be modified or presented to the change control board before it is approved? 847. Has your address changed? 848. What should be regulated in a change control operating instruction? 849. 
How fast will change requests be approved? 3.3 Change Log: COSO Internal Control 850. Is the change request within COSO Internal Control project scope? 851. Is the requested change request a result of changes in other COSO Internal Control project(s)? 852. Will the COSO Internal Control project fail if the change request is not executed? 853. Is the change request open, closed or pending? 854. Should a more thorough impact analysis be conducted? 855. Is the submitted change a new change or a modification of a previously approved change? 856. Who initiated the change request? 857. When was the request approved? 858. How does this change affect scope? 859. When was the request submitted? 860. How does this relate to the standards developed for specific business processes? 861. Is the change backward compatible without limitations? 862. Does the suggested change request represent a desired enhancement to the products functionality? 863. How does this change affect the timeline of the schedule? 864. Does the suggested change request seem to represent a necessary enhancement to the product? 865. Is this a mandatory replacement? 866. Do the described changes impact on the integrity or security of the system? 867. Where do changes come from? 3.4 Decision Log: COSO Internal Control 868. What is the average size of your matters in an applicable measurement? 869. Does anything need to be adjusted? 870. Is your opponent open to a non-traditional workflow, or will it likely challenge anything you do? 871. What is your overall strategy for quality control / quality assurance procedures? 872. Do strategies and tactics aimed at less than full control reduce the costs of management or simply shift the cost burden? 873. It becomes critical to track and periodically revisit both operational effectiveness; Are you noticing all that you need to, and are you interpreting what you see effectively? 874. 
Behaviors; what are guidelines that the team has identified that will assist them with getting the most out of team meetings? 875. At what point in time does loss become unacceptable? 876. Is everything working as expected? 877. Linked to original objective? 878. What makes you different or better than other companies selling the same thing? 879. How effective is maintaining the log at facilitating organizational learning? 880. What alternatives/risks were considered? 881. How do you know when you are achieving it? 882. Meeting purpose; why does this team meet? 883. What was the rationale for the decision? 884. How consolidated and comprehensive a story can you tell by capturing currently available incident data in a central location and through a log of key decisions during an incident? 885. Decision-making process; how will the team make decisions? 886. How do you define success? 887. How does an increasing emphasis on cost containment influence the strategies and tactics used? 3.5 Quality Audit: COSO Internal Control 888. Is the report's overall tone appropriate? 889. What has changed/improved as a result of the review processes? 890. Have the risks associated with the intentions been identified, analyzed and appropriate responses developed? 891. What are you trying to do? 892. How does your organization know that its security arrangements are appropriately effective and constructive? 893. How does your organization know that its relationships with industry and employers are appropriately effective and constructive? 894. How does your organization know that its Mission, Vision and Values Statements are appropriate and effectively guiding your organization? 895. Are goals well supported with strategies, operational plans, manuals and training? 896. It is inappropriate to seek information about the Audit Panel's preliminary views including questions like why do you ask that? 897.
How does your organization know that its staff have appropriate access to a fair and effective grievance process? 898. How does your organization know that its range of activities are being reviewed as rigorously and constructively as they could be? 899. Are there appropriate indicators for monitoring the effectiveness and efficiency of processes? 900. Is the process of self review, learning and improvement endemic throughout your organization? 901. Are multiple statements on the same issue consistent with each other? 902. How does the organization know that its system for maintaining and advancing the capabilities of its staff, particularly in relation to the Mission of the organization, is appropriately effective and constructive? 903. Is there a risk that information provided by management may not always be reliable? 904. How does your organization know that its support services planning and management systems are appropriately effective and constructive? 905. How does your organization know that its research funding systems are appropriately effective and constructive in enabling quality research outcomes? 906. How does your organization know that its quality of teaching is appropriately effective and constructive? 907. How does your organization know that its system for managing intellectual property issues is appropriately effective, constructive and fair? 3.6 Team Directory: COSO Internal Control 908. Where will the product be used and/or delivered or built when appropriate? 909. Who will report COSO Internal Control project status to all stakeholders? 910. How do unidentified risks impact the outcome of the COSO Internal Control project? 911. Process decisions: do job conditions warrant additional actions to collect job information and document on-site activity? 912. What are you going to deliver or accomplish? 913. Who will write the meeting minutes and distribute? 914. Is construction on schedule? 915. 
Who are your stakeholders (customers, sponsors, end users, team members)? 916. What needs to be communicated? 917. Who will talk to the customer? 918. Who should receive information (all stakeholders)? 919. Who is the Sponsor? 920. Who are the Team Members? 921. Process decisions: which organizational elements and which individuals will be assigned management functions? 922. Process decisions: are there any statutory or regulatory issues relevant to the timely execution of work? 923. When does information need to be distributed? 924. Where should the information be distributed? 925. Does a COSO Internal Control project team directory list all resources assigned to the COSO Internal Control project? 926. Do purchase specifications and configurations match requirements? 3.7 Team Operating Agreement: COSO Internal Control 927. How will your group handle planned absences? 928. What are the current caseload numbers in the unit? 929. Communication protocols: how will the team communicate? 930. Do you record meetings for the already stated unable to attend? 931. Do you brief absent members after they view meeting notes or listen to a recording? 932. How will you resolve conflict efficiently and respectfully? 933. What individual strengths does each team member bring to the group? 934. Do you post meeting notes and the recording (if used) and notify participants? 935. What is the number of cases currently teamed? 936. Do you determine the meeting length and time of day? 937. Are there differences in access to communication and collaboration technology based on team member location? 938. Do you listen for voice tone and word choice to understand the meaning behind words? 939. Do you post any action items, due dates, and responsibilities on the team website? 940. How will you divide work equitably? 941. Did you draft the meeting agenda? 942. What is culture? 943. Seconds for members to respond? 944. 
Did you determine the technology methods that best match the messages to be communicated? 945. What types of accommodations will be formulated and put in place for sustaining the team? 946. Do you begin with a question to engage everyone? 3.8 Team Performance Assessment: COSO Internal Control 947. Delaying market entry: how long is too long? 948. What are teams? 949. What makes opportunities more or less obvious? 950. To what degree will team members, individually and collectively, commit time to help themselves and others learn and develop skills? 951. To what degree are staff involved as partners in the improvement process? 952. How do you keep key people outside the group informed about its accomplishments? 953. To what degree does the team's work approach provide opportunity for members to engage in results-based evaluation? 954. To what degree can all members engage in open and interactive considerations? 955. To what degree are corresponding categories of skills either actually or potentially represented across the membership? 956. To what degree does the team's approach to its work allow for modification and improvement over time? 957. To what degree is there a sense that only the team can succeed? 958. How do you recognize and praise members for contributions? 959. What do you think is the most constructive thing that could be done now to resolve considerations and disputes about method variance? 960. Effects of crew composition on crew performance: Does the whole equal the sum of its parts? 961. To what degree does the team's work approach provide opportunity for members to engage in open interaction? 962. To what degree are fresh input and perspectives systematically caught and added (for example, through information and analysis, new members, and senior sponsors)? 963. How hard do you try to make a good selection? 964. What is method variance? 965. To what degree are the goals realistic? 966.
To what degree do members understand and articulate the same purpose without relying on ambiguous abstractions? 3.9 Team Member Performance Assessment: COSO Internal Control 967. How do you make use of research? 968. What is the role of the Reviewer? 969. Are the draft goals SMART? 970. To what degree do the goals specify concrete team work products? 971. What resources do you need? 972. How was the determination made for which training platforms would be used (i.e., media selection)? 973. To what degree does the team possess adequate membership to achieve its ends? 974. What is needed for effective data teams? 975. How is performance assessment used in making future award decisions including options and extend/compete decisions? 976. How do you currently account for your results in the team's achievement? 977. What innovations (if any) are developed to realize goals? 978. Do the goals support your organization's goals? 979. What entity leads the process, selects a potential restructuring option and develops the plan? 980. Are the goals SMART? 981. What changes do you need to make to align practices with beliefs? 982. What are best practices in use for the performance measurement system? 983. Is it clear how goals will be accomplished? 984. What is the target group for instruction (e.g., individual and collective or small team instruction)? 3.10 Issue Log: COSO Internal Control 985. What are the typical contents? 986. How do you reply to this question; you are new here and managing this major program. How do you suggest you build your network? 987. What is a Stakeholder? 988. What is the status of the issue? 989. What effort will a change need? 990. Can an impact cause deviation beyond team, stage or COSO Internal Control project tolerances? 991. Do you feel a register helps? 992. Is access to the Issue Log controlled? 993. Who reported the issue? 994. Are the stakeholders getting the information they need, are they consulted, are concerns addressed? 995.
What are the stakeholders' interrelationships? 996. Which stakeholders are thought leaders, influencers, or early adopters? 997. How is this initiative related to other portfolios, programs, or COSO Internal Control projects? 998. Why do you manage human resources? 999. Why multiple evaluators? 1000. How were past initiatives successful? 1001. What would have to change? 1002. Who were proponents/opponents? 4.0 Monitoring and Controlling Process Group: COSO Internal Control 1003. User: who wants the information and what are they interested in? 1004. How many potential communications channels exist on the COSO Internal Control project? 1005. How well did the chosen processes fit the needs of the COSO Internal Control project? 1006. What resources are necessary? 1007. Where is the Risk in the COSO Internal Control project? 1008. Change, where should you look for problems? 1009. How to ensure validity, quality and consistency? 1010. Are there areas that need improvement? 1011. What input will you be required to provide the COSO Internal Control project team? 1012. Are the necessary foundations in place to ensure the sustainability of the results of the programme? 1013. What were things that you did well, and could improve, and how? 1014. What departments are involved in its daily operation? 1015. Use: how will they use the information? 1016. How will staff learn how to use the deliverables? 1017. What areas were overlooked on this COSO Internal Control project? 1018. What is the timeline? 1019. What are the goals of the program? 4.1 Project Performance Report: COSO Internal Control 1020. Next Steps? 1021. To what degree do individual skills and abilities match task demands? 1022. To what degree can the cognitive capacity of individuals accommodate the flow of information? 1023. To what degree do team members feel that the purpose of the team is important, if not exciting? 1024.
To what degree does the information network provide individuals with the information they require? 1025. To what degree are sub-teams possible or necessary? 1026. To what degree are the relative importance and priority of the goals clear to all team members? 1027. What is in it for you? 1028. To what degree do members articulate the goals beyond the team membership? 1029. To what degree does the team's work approach provide opportunity for members to engage in fact-based problem solving? 1030. To what degree can the team measure progress against specific goals? 1031. To what degree can team members vigorously define the team's purpose in considerations with others who are not part of the functioning team? 1032. How is the data used? 1033. To what degree do the relationships of the informal organization motivate task-relevant behavior and facilitate task completion? 1034. What is the degree to which rules govern information exchange between groups? 1035. To what degree can the team ensure that all members are individually and jointly accountable for the team's purpose, goals, approach, and work-products? 1036. To what degree will new and supplemental skills be introduced as the need is recognized? 4.2 Variance Analysis: COSO Internal Control 1037. Is work properly classified as measured effort, LOE, or apportioned effort and appropriately separated? 1038. The anticipated business volume? 1039. Is the anticipated (firm and potential) business base COSO Internal Control projected in a rational, consistent manner? 1040. How do you manage changes in the nature of the overhead requirements? 1041. What costs are avoidable if one or more customers are dropped? 1042. What is the actual cost of work performed? 1043. Who is generally responsible for monitoring and taking action on variances? 1044. How do you identify and isolate causes of favorable and unfavorable cost and schedule variances? 1045. Other relevant issues of Variance Analysis - selling price or gross margin? 1046.
What business event causes fluctuations? 1047. Are there externalities from having some customers, even if they are unprofitable in the short run? 1048. What is the total budget for the COSO Internal Control project (including estimates for authorized and unpriced work)? 1049. How are variances affected by multiple material and labor categories? 1050. What is exceptional? 1051. Is the entire contract planned in time-phased control accounts to the extent practicable? 4.3 Earned Value Status: COSO Internal Control 1052. If earned value management (EVM) is so good in determining the true status of a COSO Internal Control project and projecting its completion, why is it that hardly anyone uses it in information systems related COSO Internal Control projects? 1053. Where is evidence-based earned value in your organization reported? 1054. Earned value can be used in almost any COSO Internal Control project situation and in almost any COSO Internal Control project environment. It may be used on large COSO Internal Control projects, medium sized COSO Internal Control projects, tiny COSO Internal Control projects (in cut-down form), complex and simple COSO Internal Control projects and in any market sector. Some people, of course, know all about earned value, they have used it for years - but perhaps not as effectively as they could have? 1055. How much is it going to cost by the finish? 1056. Verification is a process of ensuring that the developed system satisfies the stakeholders' agreements and specifications; Are you building the product right? What do you verify? 1057. When is it going to finish? 1058. What is the unit of forecast value? 1059. Are you hitting your COSO Internal Control projects targets? 1060. How does this compare with other COSO Internal Control projects? 1061. Where are your problem areas? 1062.
Validation is a process of ensuring that the developed system will actually achieve the stakeholders' desired outcomes; Are you building the right product? What do you validate? 4.4 Risk Audit: COSO Internal Control 1063. Do you have written and signed agreements/contracts in place for each paid staff member? 1064. Have you reviewed your constitution within the last twelve months? 1065. Extending the consideration on the halo effect, to what extent are auditors able to build skepticism in evidence review? 1066. Are there any forms the staff is required to sign? 1067. If applicable; are compilers and code generators available and suitable for the product to be built? 1068. Are procedures developed to respond to foreseeable emergencies and communicated to all involved? 1069. Is the customer technically sophisticated in the product area? 1070. Will participants be required to sign a legally counselled waiver or risk disclaimer when entering an event? 1071. Do all coaches/instructors/leaders have appropriate and current accreditation? 1072. Are you aware of the industry standards that apply to your operations? 1073. Have risks been considered with an insurance broker or provider and suitable insurance cover been arranged? 1074. Are COSO Internal Control project requirements stable? 1075. What are the risks that could stop you from achieving your KPIs? 1076. Are risk management strategies documented? 1077. How will you maximise opportunities? 1078. Have all involved been advised of any obligations they have to sponsors? 1079. Who is responsible for what? 4.5 Contractor Status Report: COSO Internal Control 1080. What was the overall budget or estimated cost? 1081. What was the final actual cost? 1082. Describe how often regular updates are made to the proposed solution. Are corresponding regular updates included in the standard maintenance plan? 1083. What was the budget or estimated cost for your organization's services? 1084.
What was the actual budget or estimated cost for your organization's services? 1085. What process manages the contracts? 1086. Who can list a COSO Internal Control project as organization experience, your organization or a previous employee of your organization? 1087. Are there contractual transfer concerns? 1088. If applicable; describe your standard schedule for new software version releases. Are new software version releases included in the standard maintenance plan? 1089. What is the average response time for answering a support call? 1090. What are the minimum and optimal bandwidth requirements for the proposed solution? 1091. How long have you been using the services? 1092. How is risk transferred? 1093. How does the proposed individual meet each requirement? 4.6 Formal Acceptance: COSO Internal Control 1094. Was the sponsor/customer satisfied? 1095. What is the Acceptance Management Process? 1096. Have all comments been addressed? 1097. Was the COSO Internal Control project work done on time, within budget, and according to specification? 1098. Do you perform formal acceptance or burn-in tests? 1099. Does it do what COSO Internal Control project team said it would? 1100. How well did the team follow the methodology? 1101. Was the COSO Internal Control project goal achieved? 1102. What features, practices, and processes proved to be strengths or weaknesses? 1103. What function(s) does it fill or meet? 1104. What can you do better next time? 1105. Was the client satisfied with the COSO Internal Control project results? 1106. General estimate of the costs and times to complete the COSO Internal Control project? 1107. Does it do what client said it would? 1108. Who supplies data? 1109. Do you buy pre-configured systems or build your own configuration? 1110. Was business value realized? 1111. Did the COSO Internal Control project achieve its MOV? 1112. Who would use it? 1113.
How does your team plan to obtain formal acceptance on your COSO Internal Control project? 5.0 Closing Process Group: COSO Internal Control 1114. What is the COSO Internal Control project name and date of completion? 1115. What is an Encumbrance? 1116. Was the schedule met? 1117. What were things that you did very well and want to do the same again on the next COSO Internal Control project? 1118. Did the COSO Internal Control project team have the right skills? 1119. Will the COSO Internal Control project deliverable(s) replace a current asset or group of assets? 1120. What areas were overlooked on this COSO Internal Control project? 1121. Is there a clear cause and effect between the activity and the lesson learned? 1122. How critical is the COSO Internal Control project success to the success of your organization? 1123. How well defined and documented were the COSO Internal Control project management processes you chose to use? 1124. Is this a follow-on to a previous COSO Internal Control project? 1125. What level of risk does the proposed budget represent to the COSO Internal Control project? 1126. Can the lesson learned be replicated? 1127. How will you know you did it? 1128. What was learned? 1129. Were cost budgets met? 1130. What areas does the group agree are the biggest success on the COSO Internal Control project? 5.1 Procurement Audit: COSO Internal Control 1131. Is the issuance of purchase orders scheduled so that orders are not issued daily? 1132. Was the expert likely to gain privileged knowledge from his activity which could be advantageous for him in a subsequent competition? 1133. In a competitive dialogue, were solutions proposed or confidential information given by a candidate not revealed to others without his/her express agreement? 1134. Does the manual contain policies relating to all business management functions? 1135. Does the cash disbursement policy prohibit drawing checks to cash or bearer? 1136. 
Is free and fair (international) competition promoted by organizational policies and legislation, in line with legal, trade organizations and other policies? 1137. Does the department evaluate and benchmark the performance of the procurement function/unit against other comparable procurement functions/units? 1138. Are the official minutes written in a clear and concise manner? 1139. Was the performance description adequate to needs and legal requirements? 1140. Does your organization maintain a current file of vendors and vendor catalogues? 1141. Were there no material changes in the contract shortly after award? 1142. Is there no evidence of favouritism towards a particular contractor during the evaluation and negotiation processes? 1143. Are there procedures for trade-in arrangements? 1144. Are the established budget and timetable (milestones) respected? 1145. Is the routing of copies of purchase order forms defined? 1146. Is it assessed whether well-functioning markets exist for the department's services/tasks? 1147. Was the decision on the award process accurate and adequately communicated? 1148. If an electronic auction or a dynamic purchasing system was used, did the tender documents specify details on access to information, electronic equipment used and connection specifications? 1149. Does the procurement COSO Internal Control project comply with European Communities regulations and rules? 1150. Are the purchase order forms designed for efficient and simple completion? 5.2 Contract Close-Out: COSO Internal Control 1151. How/when used? 1152. Have all contract records been included in the COSO Internal Control project archives? 1153. Parties: Authorized? 1154. Parties: who is involved? 1155. How is the contracting office notified of the automatic contract close-out? 1156. Was the contract sufficiently clear so as not to result in numerous disputes and misunderstandings? 1157. Was the contract complete without requiring numerous changes and revisions? 1158.
How does it work? 1159. What is capture management? 1160. Has each contract been audited to verify acceptance and delivery? 1161. What happens to the recipient of services? 1162. Change in knowledge? 1163. Are the signers the authorized officials? 1164. Change in attitude or behavior? 1165. Have all acceptance criteria been met prior to final payment to contractors? 1166. Was the contract type appropriate? 1167. Have all contracts been completed? 1168. Have all contracts been closed? 1169. Change in circumstances? 5.3 Project or Phase Close-Out: COSO Internal Control 1170. What security considerations needed to be addressed during the procurement life cycle? 1171. In addition to assessing whether the COSO Internal Control project was successful, it is equally critical to analyze why it was or was not fully successful. Are you including this? 1172. What was the preferred delivery mechanism? 1173. Is the lesson significant, valid, and applicable? 1174. What is the information level of detail required for each stakeholder? 1175. Did the COSO Internal Control project management methodology work? 1176. Who exerted influence that has positively affected or negatively impacted the COSO Internal Control project? 1177. Who controlled the resources for the COSO Internal Control project? 1178. What were the desired outcomes? 1179. Who is responsible for award close-out? 1180. Complete yes or no? 1181. What information is each stakeholder group interested in? 1182. Planned completion date? 1183. What are the marketing communication needs for each stakeholder? 1184. What is this stakeholder expecting? 1185. What is a Risk? 1186. How much influence did the stakeholder have over others? 1187. What process was planned for managing issues/risks? 5.4 Lessons Learned: COSO Internal Control 1188. What rewards do the individuals seek? 1189. How well defined were the acceptance criteria for COSO Internal Control project deliverables? 1190. 
Was the COSO Internal Control project manager sufficiently experienced, skilled, trained, supported? 1191. How timely was the training you received in preparation for the use of the product/service? 1192. Did the delivered product meet the specified requirements and goals of the COSO Internal Control project? 1193. If issue escalation was required, how effectively were issues resolved? 1194. Were the COSO Internal Control project objectives met (if not, briefly account for what wasn't met)? 1195. What would you change? 1196. Was the change control process properly implemented to manage changes to cost, scope, schedule, or quality? 1197. What were the major enablers to a quick response? 1198. How useful was your testing? 1199. What mistakes did you successfully avoid making? 1200. How well did the COSO Internal Control project Manager respond to questions or comments related to the COSO Internal Control project? 1201. What are the performance measures? 1202. Was any formal risk assessment carried out at the start of the COSO Internal Control project, and was this followed up during the COSO Internal Control project? 1203. What things mattered the most on this COSO Internal Control project? 1204. What are the needs of the individuals? 1205. How does the budget cycle affect the case?