Self-Assessment Checklist

Unit management throughout the University is responsible to establish internal controls to keep their unit on course toward its financial goals, to help it achieve its mission, to minimize surprises and risks, and to allow the organization to successfully deal with change. Internal controls are defined as activities undertaken to increase the likelihood of achieving management objectives in three areas:

  • Efficiency and effectiveness of operations
  • Reliability of financial reporting
  • Compliance with laws and regulations

Some internal controls are established at the institutional level; others are established by unit management. To achieve success, unit management needs to (1) be knowledgeable about, and support, institutional controls, and (2) implement practical and effective internal controls specific to the particular unit.

The following checklist is provided to facilitate a self-assessment of internal controls by management of individual departments. It is intended to address general aspects of internal controls, and does not include specific controls applicable to individual units.

Organization of the checklist is consistent with the five interrelated components of internal control defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

We encourage department heads and other unit management to use this self-assessment checklist to evaluate internal controls in their areas of responsibility. Management should also add to the checklist other controls that apply specifically their units.

Internal Audit would be pleased to consult on methods to improve your internal controls.

Section 1 – Control Environment

1 - Integrity and Ethical Values

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

1.1 Acceptable business practices. Unit management (faculty and supervisory staff) understand the University's policies covering matters such as legitimate use of University resources. Policies are poorly understood.  
1.2 Codes of conduct. Unit management understand the University's policies governing relationships with sponsors, suppliers, creditors, regulators, the community, and the public at large. Policies are poorly understood.  
1.3 Conflicts of interests. Unit management understand the University's policies regarding potential conflicts of interest. Policies are poorly understood.  
1.4 Integrity. Unit management sets a good example and regularly communicates high expectations regarding integrity and ethical values. Management does not set a good example and/or does not communicate high expectations regarding integrity and ethical values.  

 

2 – Commitment to Competence

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

2.1 Job descriptions.

Responsibilities are clearly defined in writing and communicated as appropriate.

Responsibilities are poorly defined or poorly communicated.  
2.2 Knowledge and Skills.

Unit management (faculty and supervisory staff) understand the knowledge and skills required to accomplish tasks.

Management does not adequately consider knowledge and skill requirements.  
2.3 Employee competence. Unit management is aware of competency levels, and is involved in training and increased supervision when competency is low. Management is not adequately aware of competency levels, or does not actively address problems.  

 

3 – Management's Philosophy and Operating Style

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

3.1 Communication with Faculty, College and University Unit management insists on full and open disclosure of financial or business issues with appropriate faculty, college and University personnel. Management is secretive and reluctant to conduct business or deal with issues in an open manner.  
3.2 Laws and regulations. There is active concern and effort to ensure compliance with the letter and intent of laws and regulations. Management is willing to risk the consequences of noncompliance.  
3.3 Getting the job done. Management is concerned with and exerts effort to get the job done right the first time. Management is willing to get the job done without adequate regard to quality.  
3.4 Exceptions to policy. Exceptions to policy are infrequent. When they occur they must be approved and well documented. Exceptions to policy are the norm and are rarely documented.  
3.5 Approach to financial accountability. Management's approach shows concern and appreciation for accurate and timely reporting. Budgeting and other financial estimates are generally conservative. Financial accountability is given low priority.  
3.6 Emphasis on meeting budget and other financial and operating goals. Realistic budgets are established and results are actively monitored. Corrective action is taken as necessary. The unit learns from, and does not repeat, mistakes. Management either shows little concern (climate of laxness), or makes unreasonable demands (climate of fear).  
3.7 Approach to decision making. Decision-making processes are deliberate and consistent. Decisions are made after careful consideration of relevant facts. Policies and procedures are in place to ensure appropriate levels of management are involved. Decision making is nearly always informal. Management makes arbitrary decisions with inadequate discussion and analysis of the facts.  

4 – Organizational Structure

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

4.1 Complexity of the organizational structure. Complexity of the structure is commensurate with the organization. Lines of reporting are clear and documentation is up-to-date. Lines of responsibility are unclear or unnecessarily complicated for the size and activities of the entity.  
4.2 Organization charts. Documentation exists and is up to date. Documentation does not exist or is out-of-date. The documented structure does not correspond with actual responsibilities.  
4.3 Size of the management group. Size is commensurate with the complexity of the unit and its growth. Size is not appropriate (e.g., too many levels, too dispersed, or too "thin").  
4.4 Stability of the management group. Low turnover.

High turnover.

 

5 – Assignment of Authority and Responsibility

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

5.1 Delegation of authority and assignment of responsibility for operating and financial functions. Delegation of authority and assignment of responsibility is clearly defined. Individuals are held accountable for results. Decisions are dominated by one or a few individuals. Roles and responsibilities of middle management are unclear.  
5.2 Authority limits. Authority limits are clearly defined in writing and communicated as appropriate. Policies and procedures covering authority limits are informal or poorly communicated.  
5.3 Delegated signature authority. Appropriate limits have been placed on each delegation of signature authority. Management reviews and updates signature records as turnover occurs. Signature authority is delegated without adequate consideration. Delegated authority is not in line with employee knowledge, training, or competence.  
5.4 Knowledge and experience. Key personnel are knowledgeable and experienced. Management does not delegate authority to inexperienced individuals. Key personnel are inexperienced. Management delegates authority without regard to knowledge and experience.  
5.5 Resources. Management provides the resources needed for employees to carry out their duties. Management does not provide necessary resources.  

6 – Human Resource Policies and Practices

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

6.1 Selection of personnel. A careful hiring process is in place. The Human Resources Department is involved in identifying potential employees based on job requirements. The hiring process is informal, and sometimes proceeds without adequate involvement by higher-level supervisors.  
6.2 Training. On-the-job and other training programs have defined objectives. They are effective and important. Training programs are inconsistent, ineffective, or are given low priority.  
6.3 Supervision policies. Personnel are adequately supervised. They have a regular resource for resolving problems. Regular supervision does not exist or is ineffective. Employees are frustrated and feel they 'have nowhere to go' with issues.  
6.4 Inappropriate behavior.

Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status.

Reprimands are not timely, direct, or are not consistently applied (climate of favoritism).  
6.5 Evaluation of personnel. An organized evaluation process exists. The evaluation process is ad hoc and inconsistent. Performance issues are not formally addressed.  
6.6 Methods to compensate personnel. Compensation decisions are based on a formal process with meaningful involvement of more than one level of management. The effect of performance evaluations on compensation decisions is defined and communicated. Compensation decisions are ad hoc, inconsistent, or inadequately reviewed by management.  
6.7 Staffing of critical functions. Critical functions are adequately staffed, with reasonable workloads. There is inadequate staffing and frequent periods of overwork and "organizational stress."  
6.8 Turnover. Particularly turnover in financially responsible positions. Low turnover. Management understands root causes of turnover.

High turnover. Management does not understand root causes.

 

Section 2 – Risk Assessment

7 – Organizational Goals and Objectives

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

7.1 Unit-wide objectives. A formal unit-wide mission or value statement is established and communicated throughout the unit. A unit-wide mission or value statement does not exist.  
7.2 Critical success factors. Factors that are critical to achievement of unit-wide objectives are identified. Resources are appropriately allocated between critical success factors and objectives of lesser importance. Success factors are not identified or prioritized.  
7.3 Activity-level objectives. Realistic objectives are established for all key activities including operations, financial reporting and compliance considerations. Activity-level objectives do not exist.  
7.4 Measurement of objectives. Unit-wide and activity level objectives include measurement criteria and are periodically evaluated. Performance regarding objectives is not measured. Targets are not set.  
7.5 Employee involvement. Employees at all levels are represented in establishing the objectives. Management dictates objectives without adequate employee involvement.  
7.6 Long and short-range planning. Long and short-range plans are developed and are written. Changes in direction are made only after sufficient study is performed. No organized planning process exists. There are frequent shifts in direction or emphasis.  
7.7 Budgeting system. Detailed budgets are developed by area of responsibility following prescribed procedures and realistic expectations. Plans and budgets support achievement of unit-wide action steps. Budgets do not exist or are "backed into" depending on desired outcome.  
7.8 Strategic planning for information systems. Planning for future needs is done well in advance of expected needs and considers various scenarios. The information system lags significantly behind the needs of the business.  

8 – Risk Identification and Prioritization

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

8.1 Identification and consideration of external risk factors. A process exists to identify and consider the implications of external risk factors (economic changes, changing sponsor, student and community needs or expectations, new or changed legislation or regulations, technological developments, etc.) on unit-wide objectives and plans. Potential or actual external risk factors are not effectively identified or evaluated.  
8.2 Identification and consideration of internal risk factors. A process exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on unit-wide objectives and plans. Potential or actual internal risk factors are not effectively identified or evaluated.  
8.3 Prioritization of risks. The likelihood of occurrence and potential impact (monetary and otherwise) have been evaluated. Risks have been categorized as tolerable or requiring action. Risks have not been prioritized.  
8.4 Approach to studying risks. In-depth, cost / benefit studies are performed before committing significant unit resources. Risks are accepted with little or no study.  
8.5 Process for monitoring risks. A risk management program is in place to monitor and help mitigate exposures. Exposure is dealt with on a case by case basis. Regular efforts or programs to manage risks do not exist.  
8.6 Consultation with external advisors. External advisors are consulted as needed to supplement internal expertise. Internal expertise regarding risk and control issues is inadequate. Assistance is never sought from outside sources.  

9 – Managing Change

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

9.1 Commitment to change. Management promotes continuous improvement and solicits input and feedback on the implications of significant change. Management promotes the status quo, even when changes are needed to meet important business needs.  
9.2 Support of change. Management is willing to commit resources to achieve positive change. Management offers no resources to facilitate change.  
9.3 Routine change. Mechanisms exist to identify, prioritize, and react to routine events (i.e., turnover) that affect achievement of unit-wide objectives or action steps. Procedures are not present or are ineffective.  
9.4 Economic change. Mechanisms exist to identify and react to economic changes. Procedures are not present or are ineffective.  
9.5 Regulatory change. Mechanisms exist to identify and react to regulatory changes (maintain membership in associations that monitor laws and regulations, participate in University forums, etc.). Procedures are not present or are ineffective.  
9.6 Technological change. Mechanisms exist to identify and react to technological changes and changes in the functional requirements of the unit. Procedures are not present or are ineffective.  

Section 3 – Control Activities

10 – Written Policies and Procedures

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

10.1 Access to University policies and procedures. Unit staff have available up to date University policy and procedures and know how to use them. University policy and procedures are not available or are rarely used.  
10.2 Unit policies and procedures. The unit has documented its own policies and procedures. They are well understood by unit staff. Unit policies and procedures do not exist.  

11 – Control Procedures

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

11.1 Senior management (University or College) reviews. Senior management monitors the unit's performance against objectives and budget. Senior management does not monitor unit performance.  
11.2 Top level (unit-wide) objective performance reviews by unit management. Reviews are made of actual performance compared to objectives and previous periods for all major initiatives. Management analyzes and follows up as needed. Analyses are not performed or management does not follow up on significant deviations.  
11.3 Top level (unit-wide) financial performance reviews by unit management. Reviews are made of actual performance versus budgets, forecasts, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed. Analyses are not performed or management does not follow up on significant deviations.  
11.4 Direct functional or activity management by unit management. Performance reviews are made of specific functions or activities, focusing on compliance, financial or operational issues. No performance reviews occur.  
11.5 Performance indicators. Unexpected operating results or unusual trends are investigated. Operating results and trends are not monitored.  
11.6 Accounting statements and key reconciliations. Accounting statements and key reconciliations are completed timely. Management performs a diligent review and signifies approval by signature and date. Reconciliations are not performed timely or regularly. Management does not carefully review or formally approve statements or reconciliations.  
11.7 Sponsored project account management. Sponsored project accounts are reviewed and reconciled. PIs certify the expenditures timely. Unit management monitors the portfolio of sponsored accounts for compliance and fiscal responsibility. Sponsored project accounts are not monitored; reconciliations and certifications are not timely.  
11.8 Use of restricted funds (gifts). Restrictions on use are well documented, and are understood by employees who administer the funds. Usage is monitored by management, accounts are reconciled. Restrictions are not clearly documented. Restricted fund accounts are not monitored; usage may not match restrictions.  
11.9 Information processing. Controls exist to monitor the accuracy and completeness of information as well as authorization of transactions. No information processing controls are in place.  
11.10 Physical controls. Equipment, supplies, inventory, cash and other assets are physically secured and periodically counted and compared to the amounts shown on control records. Equipment, supplies, inventory, cash and other assets are not protected. Control records do not exist or are not up to date.  
11.11 Training and guidance for asset custodians. Adequate guidance and training are provided to personnel responsible for cash or similar assets. No training or guidance is provided.  
11.12 Separation of duties. Financial duties are divided among different people (responsibilities for authorizing transactions, recording them and handling the asset are separated). No significant separation of financial duties among different employees.  
11.13 Record retention. Unit employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed. Unit employees do not understand which records they are responsible for maintaining. The filing system is inadequate.  
11.14 Disaster response plan. A disaster response and recovery plan has been developed and is understood by key personnel. No disaster response or recovery plan exists.  

12 – Controls over Information Systems

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

12.1 Local information systems and LANs. System operations are documented; software is appropriately acquired and maintained; access to the system, programs and data is controlled; the system is maintained in a secure environment; applications are appropriately developed and maintained. Inadequate controls over local information systems or LANs.  
12.2 Application controls. The unit controls its computer applications by diligent and timely response to edit lists, rejected transactions and other control and balancing reports. Controls ensure a high level of data integrity including completeness, accuracy, and validity of all information in the system. Application controls are not used.  
12.3 Back Up. Key data and programs on LANs or desktop computers are appropriately backed up and maintained. Off-site storage is adequate considering possible risks of loss. No formal back up procedures exist. Management has not informed staff of back up requirements.  

Section 4 – Information and Communication

13 – Access to Information

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

13.1 Relevant external information. Unit members receive relevant information regarding legislation, regulatory developments, economic changes or other external factors that affect the unit. Relevant information is not available.  
13.2 Management reporting system. An executive information system exists. Information and reports are provided timely. Report detail is appropriate for the level of management. Data is summarized to facilitate decision making. A formal reporting system does not exist. Reports are not timely or are not at appropriate levels of detail.  
13.3 Management of information security. Information is evaluated and classified based on level of integrity, confidentiality and availability. Individuals with access to information are trained to understand their responsibilities related to the information. Information used by the unit has not been evaluated and classified. Employees are not trained with respect to information security.  

14 – Communication Patterns

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

14.1 Trust. Management promotes and fosters trust between employees, supervisors and other units. Interactions among faculty, staff and/or with other units is characterized by low levels of trust.  
14.2 Policy enforcement and discipline. Employees who violate an important policy are disciplined. Management's communications and actions are consistent with policies. Violations, while not condoned officially, are often overlooked. Management's actions are inconsistent with official policies.  
14.3 Recommendations for improvement. Employees are encouraged to provide recommendations for improvement. Ideas are recognized and rewarded. Employees' ideas are not welcomed.  
14.4 Formal communications. Formal methods are used to communicate unit policies and procedures (e.g., manuals, training programs, written codes of conduct, and acceptable business practices). To the extent that they exist, policies are buried in unused manuals and documents.  
14.5 External communications. Standards and expectations are communicated to key outside groups or individuals (e.g., vendors, consultants, donors, sponsors, subcontractors, sub-recipients). No external communication of standards and expectations.  
14.6 Informal communications. Employees are kept informed of important matters (downward communication) and are able to communicate problems to persons with authority (upward communication). There is effective functional coordination within the unit (lateral communication). Most information is received by the "grapevine."  
14.7 Communication with evaluators. Information is openly shared with outside evaluators. Information is kept secret from outside evaluators.  

Section 5 – Monitoring

15 – Management Supervision

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

15.1 Effectiveness of key control activities. Management routinely spot-checks transactions, records and reconciliations to ensure expectations are met. Management never performs spot-checks.  
15.2 Management supervision of accounting function. Accounting policies are defined and adopted after appropriate consideration. Policies are effectively communicated (in writing). Policies are ad hoc or poorly communicated.  
15.3 Management supervision of new systems development. Policies are defined for developing new systems or changes to existing systems (cost/benefit analysis, team composition, user specifications, documentation, acceptance testing, and user approval). Policies and procedures are ad hoc, poorly communicated, or ineffective.  
15.4 Budget analysis. Budgets are compared to actual results and deviations are followed up on a timely basis. Adequate consideration is given to commitments. An analysis of actual versus budgeted results is not performed, or management does not follow up on deviations.  

16 – Outside Sources

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

16.1 Industry and professional associations. Data is used to compare the unit's performance with peers or industry standards. Comparative data is not regularly monitored.  
16.2 Regulatory authorities. Reports from regulatory bodies are considered for their internal control implications. Response is limited to what is necessary to "get by" the regulators.  
16.3 Sponsors, students, suppliers, creditors, and other third parties. Root causes of inquiries or complaints are investigated and considered for internal control implications. Inquiries or complaints are dealt with case-by-case, with little or no follow-up.  
16.4 External auditors. Information provided by external auditors about control-related matters are considered and acted on at high levels. Findings are referred to lower levels or are explained away.  

17 – Response Mechanisms

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

17.1 Management follow-up of violations of policies. Timely corrective action is taken. Follow-up is sporadic.  
17.2 External or internal audit findings. Findings are considered and immediately acted upon at appropriate levels. Consideration of findings is delegated to lower levels or is given low priority.  
17.3 Changes in conditions (e.g., economic, regulatory, technological, or competitive). Changes are anticipated and routinely integrated into ongoing long- and short-range planning. Responses are reactive rather than proactive.  

18 – Self-Assessment Mechanisms

Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment

Strong-Weak

1 2 3 4 5

18.1 Monitoring of control environment. Management periodically assesses employee attitudes, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. Assessment processes do not exist.  
18.2 Evaluation of risk assessment process. Management periodically evaluates the effectiveness of its risk assessment process. Assessment processes do not exist.  
18.3 Assessment of design and effectiveness of internal controls. Internal controls are subject to a formal and continuous internal assessment process. Assessment processes do not exist.  
18.4 Evaluation of information and communication systems. Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems. Management questions information on management reports that appears unusual or inconsistent. Assessment processes do not exist.