Checklist for Evaluating Internal Controls

Checklist for Evaluating Internal Controls

        Evaluating internal controls is an auditor’s responsibility for two reasons, one to follow the guidelines and structures of SOX Act and two to evaluate the control risk of the company. (Louwers, Ramsay, Sinason & Strawser, 2007). Internal controls should start with management and work down to employees. Making sure all procedures start from the top and are followed and distributed out to employees to follow.

Company-level controls:                                                                                          Yes  No  N/A

• Is the internal structure of the company set up in a way where        

management override would be accomplished with minimal

effort?

• Does management conduct thorough risk assessments at periodic

intervals, and are the risk assessments documented and used for

application in the internal control environment?

• Is there a code of conduct? Has it been received by every manager

and employee?

• Does the IT system limit access to programs, data, and other

applications on an as needed basis?

• Do all employees have a copy of the policies and procedures

manuals? Have all employees indicated that they understood

the information and directives in these manuals?

• Has the tone-setting at the top been established?
• Is there proper segregation of duties within the organization?
• Are internal communication processes of adequate quality?
• Are employees being trained properly at their position in the

company?

• Are background checks being done on all new employees?
• Are references being called for those who are in high positions?
• Is management involved in hiring or training?
• Are friends or family being hired over those who are more

experienced?

• Are passwords changed every quarter?
• Are login information for each employee only give them access

to what they need to do their job? Do employees have access to

information that are is not for their need to know?

• Are logins terminated with those employees fired as a reasonable

time frame?

• Are work from home employees monitored? Are there procedures

in place to monitor and report back the work done at this time?

“People are the key component of an entity’s internal control. A company may have policy manuals, forms, computer-controlled information and accounting, and other features of control, but people make the system work” (Louwers, Ramsay, Sinason & Strawser, 2007).

Significant processes:

Inventory:                                                                                                                Yes   No   N/A

• Are inventory records maintained and subsequently audited by an

internal auditor on a regular basis?

• Are physical inventory counts documented at least once per year?
• What system is in place to track inventory? Is it being monitored

and checked daily by an employee that gets signed off by a supervisor

or higher management?

Accounts Payable:

• Is there proper segregation of duties in the A/P cycle?
• Is there different employees taking in checks and then applying

payments?

• Are vendor lists randomly verified to validate all new vendors as

actual vendors?

• Are the main vendor’s account balances verified against the

vendor’s balances from their own records?

• Are all new accounts verified? Who can set up the accounts?
• Are checks that come in at a high value being monitored and

recorded for accuracy?

• Are reports going to management of invalid account numbers,

invalid customers, non-sufficient funds, bounced checks, and

misapplied payments?

• Does management have reports being worked and followed?

Payroll:

• Are employee addresses and bank account numbers checked

through accounting software at periodic intervals, to determine that

there are no two employees with the same bank account number?

• Are time cards secured and delivered to the payroll department

under a proper segregation of duties?

• Are new employee entries verified and approved by management?
• Who can set up new employee accounts?
• Does the system alert repeat bank accounts?
• Are reports issued from HR to show number of new employees

that compare to new employees entered into the system?

Accounts Receivable:                                                                                             Yes  No  N/A