Risk and Control Self Assessment Questionnaire Form by koh14466

VIEWS: 244 PAGES: 9

Risk and Control Self Assessment Questionnaire Form document sample

More Info
									                                                                                                   Audit Committee – February 27 2006
                                                                                                                    Item 10 – Annex 1
                      2005/06 Risk and Internal Control Assessment Questionnaire



Instructions.

 Your response to this questionnaire will be used to provide the Chief Executive assurance for his Statement on Internal Control
 for 2005/6. The questionnaire is designed to evaluate key components of internal control and will do so for key activities within the
 Agency. It will identify areas where the Agency needs to focus its control efforts and will provide a valuable benchmark against
 which the Agency can measure its success in achieving improvements.

 On completion of the questionnaire you are asked to sign a statement to confirm the following processes have been achieved for
 your area of responsibility

    •    Principal obligations and organisational objectives have been established
    •    Principal risks to achievement of objectives have been identified
    •    Key controls have been identified and evaluated to manage risks
    •    There are mechanisms in place to obtain assurances on the effectiveness of key controls

You are asked to complete the questionnaire at Part A and consider each statement and either agree or disagree with it.

If you agree with a statement, you should have evidence in support of this.

Examples of evidence that may support your statements include:

            •   Strategy/ Mission Statements                  •    Risk Registers
            •   Codes of Conduct;                             •    Independent Review/Evaluation Reports
            •   Service Plans;                                •    Procedure Manuals
            •   Job Descriptions;

If you disagree with a statement, you should address this weakness on the action plan for improvement, which is attached at
Part C.

If you agree with a statement but cannot provide evidence to support this, you are advised to indicate this in the comment box.

On Completion of the questionnaire, you need to evaluate your responses for each section and consider whether they impact on
your overall assurance of the system of internal control. The Statement of Internal Control at Part B should then be completed and
signed to confirm that your answers, to the best of your knowledge, give an accurate representation of internal controls for you
areas of responsibility.

Your signed questionnaire and statement will be a primary source of evidence for the evaluation of current standards of internal
control. If this document is not fully completed, signed and submitted on time the Chief Executive will not be able to take assurance
on the effectiveness of internal controls in your area.

If you have any queries about completing this questionnaire please contact Phil Davies (Head of Governance) on ext 555
(phildavies@eeda.org.uk).




                                                                                           Confidential – Data for Internal Use Only
                                                                  8-3
                                                   2005/06 Risk and Internal Control Questionnaire
                                                                                                                                           Part A

1. The Control Environment for Establishment of Principal Obligations and Organisational Objectives

The control environment has a direct influence on the way the EEDA’s activities are structured, objectives established, mandatory and
discretionary requirements met and risks assessed. It also influences control activities, information & communication systems and monitoring
activities. An effectively controlled RDA establishes policies and procedures, including a written code of conduct, which fosters shared values
and teamwork in pursuit of the Agency’s objectives

The control environment is assessed based on the following factors:

      A.     Integrity and ethical values;
      B.     Commitment to competence;
      C.     Organisational structure;
      D.     Scheme of delegation;
      E.     Human resource policies and practices
      F.     Information and communication


A      INTEGRITY AND ETHICAL VALUES
       Integrity and ethical values are essential elements of the control environment, effecting the design, administration and monitoring of other
       internal control components.

No     Detail                                                                      Agree     Disagree       Comments
A1.    The Agency’s Code of Conduct
       • Is comprehensive, relevant and address matters of significance
         to you.
       • Breaches in the Code are addressed and resolved consistently,
         timely and equitably.
       • The existence of the Code and the consequences of its breach
         are an effective deterrent to unethical behaviour.
       • Your employees fully and clearly understand what behaviour is
         acceptable and unacceptable under the Agency’s Code of
         Conduct and know what to do when they encounter improper
         behaviour
A2.    Conflicts of Interests policy and expected ethical standards
       • Are comprehensive, relevant and address matters of
         significance to you.
       • The importance of integrity and ethical behaviour is frequently
         and clearly communicated during staff meetings and one-to-one
         discussions.
       • A commitment to integrity and ethical behaviour is demonstrated
         by example in all day-to-day activities.
       • Employees are generally encouraged to do the right thing when
         faced with pressures to cut corners with regard to policies and
         procedures.

B          COMMITMENT TO COMPETENCE
           The competence levels for all jobs within the Agency are assessed and employees in post have the requisite knowledge and skills to
           enable them to do a good job.

No         Detail                                                                  Agree     Disagree       Comments
B3.        All jobs within your area of responsibility are adequately defined in
           terms of the knowledge and skills needed to perform them.

B4.        Employees within your area of responsibility are properly trained
           and are capable of performing their jobs and their individual
           performance targets focus on both the long-term and short-term
           and address a broad spectrum of criteria (e.g. quality, productivity,
           leadership, teamwork and self-development.


                                                                                                     Confidential – Data for Internal Use Only
                                                                            8-4
                                              2005/06 Risk and Internal Control Questionnaire
                                                                                                                                           Part A
C      ORGANISATIONAL STRUCTURE
       The EEDA’s organisational structure provides the framework within which its activities for achieving organisational-wide objectives and
       mandatory and discretionary obligations are planned, executed, controlled and monitored.
No     Detail                                                              Agree           Disagree      Comments
C5.    The organisational structure in your function
       • Facilitates the flow of information both up and down within
           your function and across to other functions.
       • Provides adequate supervisory and managerial oversight.
C6.    Managers and process owners in your function
       • Periodically evaluates the organisational structure relevant to
           their function in light of changes in the scope, nature, or
           extent of your operations.
C7.    • Employees do not work excessive overtime and do not fulfil
           the responsibilities of more than one employee.

D      DEVOLVED RESPONSIBILITY
       This component includes the assignment of authority and responsibility for operating activities as well as establishing reporting
       relationships and authorisation protocols.
No     Detail                                                               Agree         Disagree        Comments
D8.    Management designates who is responsible for committing your
       function to financial or contractual obligations through a formal
       delegation of authority.
D9.    Delegation within you area defines and ensures
        • Limits for certain types of transactions are clearly
            communicated and understood by employees within your
            function.
        • Job descriptions for your function’s personnel include specific
            references to control related responsibilities.
        • Employees within your function are appropriately empowered.

E      HUMAN RESOURCE POLICIES AND PROCEDURES
       Human resource practices send messages to employees regarding expected levels of integrity, ethical behaviour and competence. Such
       practices relate to hiring, orientation, training, evaluating, counselling, promoting, compensating and remedial actions.
No     Detail                                                                      Agree        Disagree    Comments
E10.   Existing personnel policies and procedures facilitate recruiting and
       developing competent and trustworthy personnel necessary to
       achieve EEDA’s objectives.
E11.   Does your function ensure
        • New employees are made aware of their responsibilities and
            management’s expectations.
        • Performance appraisals adequately address internal control
            responsibilities and set forth criteria for integrity and ethical
            behaviour.
        • Supervisory personnel meet periodically with employees and
            discuss opportunities for improvement.


F      INFORMATION AND COMMUNICATION QUALITY OF INFORMATION

       Pertinent information must be identified, captured and communicated in a form and time frame that enables people to carry out their
       responsibilities. Effective communication must also occur in a broader sense, flowing down, across, and up the organisation. All
       personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must
       understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a
       means of communicating significant information upstream. There also needs to be effective communication with external parties such as
       customers, suppliers, regulators and other stakeholders.
       Information is needed at all levels of the organisation to operate effectively and move towards achievement of the business objectives.
       Information is identified, captured, processed and reported by information systems. To be effective, information gathering mechanisms
       must not only identify and capture needed financial and non-financial information; they must also process and report it in a time frame
       and way that is useful in controlling the EEDA’s activities.

No     Detail                                                                        Agree       Disagree     Comments
                                                                                                    Confidential – Data for Internal Use Only
                                                                       8-5
                                              2005/06 Risk and Internal Control Questionnaire
                                                                                                                                   Part A
F12.   Adequate information gathering mechanisms are in place
       • To capture and process data so that transactions can be conducted
           in an orderly and efficient manner.
       • For identifying emerging information needs
       • To generate reports that are adequate and contain sufficient and
           meaningful information.

F13.   Effective communication is in place so that
       • Employee’s roles and responsibilities regarding internal control and
            risk assessment are communicated clearly and effectively by
            management and these roles and responsibilities are uniformly
            understood.
       • Management clearly communicates responsibilities and expectations
            for your function and everyone in your function uniformly
            understands them.
       • Information is communicated effectively both up and down within
            your function and across to other functions.

F14.   A clear communication channel has been established to
       • Report suspected improprieties.
       • Provide feedback to persons who report suspected impropriety
       • Ensure persons are immune from reprisals

F15.   Realistic mechanisms are in place for
       • Employees to provide recommendations for improvement.
       • Employee suggestions to be acknowledged by providing incentives
           or other meaningful recognition.

F16.   Third Parties
       • Management is receptive to comments by internal and external
            auditors and other review agencies regarding control deficiencies or
            suggestions for improvement. Appropriate actions are taken and
            documented.
       • Outside parties understand the Agency’s ethical and behavioural
            standards and expectations regarding dealings with EEDA.




                                                                                                Confidential – Data for Internal Use Only
                                                                     8-6
                                              2005/06 Risk and Internal Control Questionnaire
                                                                                                                                          Part A

2. Identification of Principal Risks to Achievement of Objectives.

Risks affect EEDA’s ability to maintain financial strength, positive public image and maintain the overall quality of its services and people.
Management must determine how much risk is to be prudently accepted and strive to maintain risk within these levels. Objective setting is a
precondition to risk assessment. There must first be objectives before management can identify risks to their achievement and take necessary
actions to manage the risks. Objective setting, then, is a key part of the management process. While not an internal control component, it is a
prerequisite to and an enabler of internal control.
The process of identifying and analysing risk is an on-going process and is a critical component of an effective internal control system.
Management must focus carefully on risks at all levels of the Agency and take necessary actions to manage them. Risks should be identified
and assessed at both EEDA-wide and an operational level. The risk assessment component of an effective internal control system is
evaluated based upon the following factors:
     A. EEDA-wide Objectives;
     B. Operational-level Objectives;
     C. Managing Change

A      EEDA-WIDE OBJECTIVES
       EEDA’s Corporate Plan represents its objectives. Assessments of EEDA’s strengths and weaknesses, and opportunities and threats,
       will lead to an overall strategy. EEDA-wide objectives should be linked and integrated with more specific objectives established for
       various activities. By setting objectives at both corporate and operational levels, EEDA can identify critical success factors. These are
       the key things that must go right if goals are to be attained. Objective setting enables management to identify measurement criteria for
       performance, with focus on critical success factors.
No     Detail                                                                   Agree         Disagree     Comments
A1.    EEDA’s RES, Corporate plan and Business plan have been
       established and clearly communicated.
A2     Adequate mechanisms are in place to identify and assess barriers
       to achieving objectives
A3.    Mechanisms are in existence to;
       • enable management to periodically assess whether EEDA
         objectives have been achieved.
       • Key performance indicators and measurement criteria for
         achieving EEDA objectives have been communicated and are
         uniformly understood.

B      OPERATIONAL-LEVEL OBJECTIVES
       EEDA-wide objectives must be broken down into operational-level objectives, consistent with the overall strategy and linked to activities
       throughout the Agency. Operational-level objectives need to be clear and readily understood by the people taking actions and
       responsibility for their achievement and they must be measurable.
No     Detail                                                               Agree         Disagree     Comments
B4.    Mechanisms are in existence to ensure.
       • Objectives for your function’s processes clearly linked to and
            support EEDA-wide strategies and objectives
       • EEDA-wide strategies and objectives are clearly understood
            by employees responsible for achieving results.
       • Specific criteria set to measure whether objectives for your
            function’s processes have been achieved
       • Resources are generally sufficient to achieve objectives for
            processes in your function and, if not, plans are in place to
            acquire needed resources.
       • Employees in your function participate in establishing
            objectives for processes and ultimately own results for which
            they are responsible.
B5     Adequate mechanisms are in place to identify and assess barriers
       to achieving objectives for processes in your function
B6     The process used to analyse risks in your function is clearly
       understood and includes estimating the significance of risks,
       assessing the likelihood of their occurring and determining steps
       to mitigate them.



                                                                                                    Confidential – Data for Internal Use Only
                                                                      8-7
                                              2005/06 Risk and Internal Control Questionnaire
                                                                                                                                          Part A
C      MANAGING CHANGE
       As EEDA’s activities evolve, the internal control system requires change because an effective system under one set of conditions will not
       necessarily be effective under another. Mechanisms to manage change should be forward-looking, so EEDA can anticipate and plan for
       significant changes. Fundamental to risk assessment is a process to identify changed conditions and take actions as necessary. Early
       warning systems should be in place to identify conditions signalling new risks.
No     Detail                                                                 Agree      Disagree       Comments
C7.    Formal and/or informal mechanisms exist that anticipate, identify,
       and respond to routine events or activities that could have an
       impact upon achieving EEDA-wide or process-level objectives.
C8.    Mechanisms exist to incorporate changes to the EEDA wide and
       operational objectives.

3. Identifying and Evaluating Key Controls to Manage Principal Risks

Control activities are policies and procedures used to ensure objectives are met. Control activities vary depending upon the nature of the risk
mitigated and are carried out to ensure that the risks are minimised to an acceptable level. The control activities component of an effective
system of internal control is evaluated based upon the following factors:
     A. Policies and Procedures;
     B. Control Activities in Place.

A      POLICIES AND PROCEDURES
       Control activities usually involve two elements: a policy establishing what should be done and procedures to effect the policy.
       Regardless of whether a policy is written, it must be implemented conscientiously and consistently. A procedure will not be useful if
       performed mechanically without a continuing focus on conditions to which the policy is directed.
No     Detail                                                                    Agree      Disagree     Comments
A1.    Appropriate policies and procedures
       • Have been developed and implemented for each of your
            function’s major processes.
       • Identify how processes are to be performed and monitored and
            who is responsible for carrying them out.
       • Reviewed and monitored to address any exceptions to your
            function’s policies and procedures.

B      CONTROL ACTIVITIES IN PLACE
       Control activities are a significant part of the process by which EEDA strives to achieve its objectives. Control activities serve as
       mechanisms for managing and mitigating risk, thereby enabling the achievement of objectives. Control is built directly into processes
       and always relates back to the risk it was designed to mitigate.
No     Detail                                                                     Agree      Disagree       Comments
B2.    Control activities described in policy and procedure manuals are
       • Actually applied the way they are intended to be applied and
             relate clearly to identified risks.
       • Periodically review by supervisory personnel to assess the
             functioning and overall effectiveness of controls
B3.    Responsibilities in your function have been assigned so that
       • Individuals are precluded from processing data transactions in
             their entirety or from maintaining records for transactions in
             which the individual participated.
       • Individuals from your function have appropriate responsibility for
             control over assets and data and the processing of transactions.
       • Effective routine procedures verify the accuracy of data when it
             is entered, processed, generated, distributed or transferred
B4.    Effective contingency plans have been developed and documented
       for your function to deal with service interruptions if they occur and
       this is supported by periodic tests of contingency and disaster
       recovery plans take place to make sure they are current, operational
       and effective




                                                                                                   Confidential – Data for Internal Use Only
                                                                      8-8
                                              2005/06 Risk and Internal Control Questionnaire
                                                                                                                                          Part A
4. Obtaining Assurance on Effectiveness of Key Controls

Internal Control Systems need to be monitored – a process that assesses the quality of the system’s performance over time. This is
accomplished through on-going monitoring activities, separate evaluations or a combination of the two. Internal control deficiencies should be
reported to management, with serious matters reported to senior management. The monitoring component of an effective system of
internal control is evaluated based upon the following factors:
     A. On-going Monitoring;
     B. Separate Evaluations (Audits or other Independent Reviews);
     C. Significant Control Issues.

A      ON-GOING MONITORING
       On-going monitoring procedures are built into the EEDA’s normal recurring operating activities. Monitoring procedures that are an
       inherent part of the Agency are more effective than procedures performed in connection with separate evaluations (audits). EEDA
       should focus on ways to enhance its on-going monitoring activities and, thereby, emphasise “building in” versus “adding on” controls.
No     Detail                                                                              Agree         Disagree        Comments
A1     Management has established performance measures for processes in your
       function and receives periodic reports against those measures.
A2     Personnel responsible for reports in your function are asked to “sign off” on their
       accuracy and integrity and are held accountable if deficiencies are discovered.
A3.    In the event of known control breakdowns or deficiencies, controls that should
       have prevented or detected problems are reassessed and modified as
       appropriate.

B      SEPARATE EVALUATIONS
       The frequency of separate evaluations necessary for management to have reasonable assurance about the effectiveness of the
       internal control system is a matter of judgment. In making that determination, consideration should be given to the following: the nature
       and degree of changes occurring and their associated risk; the competence and experience of the people implementing the controls;
       and the results of on-going monitoring.
No     Detail                                                                                Agree         Disagree       Comments
B4.    Your service ensures that
        • Controls most critical to mitigating high priority risks in your function are
            evaluated with requisite frequency.
        • Evaluations of the entire internal control system are performed when there
            are major strategy changes or operations and methods of processing
            financial information are changed.
        • An appropriate level of documentation is developed by your function to
            facilitate the understanding of how your internal control system works.
B5.    The Governance Team personnel who have the experience and skills necessary
       to understand your function’s operations.
B6.    Relationships with other review agencies have been formalised to ensure that all
       parties are aware of their roles and responsibilities, contacts and agreed services
       provided to and by EEDA

C      SIGNIFICANT CONTROL ISSUES
       Deficiencies in an organisation’s internal control system surface from many sources, including the organisation’s on-going monitoring
       procedures, separate evaluations of the internal control system and external parties. The term “significant control issue” is defined
       broadly as a weakness within an internal control system worthy of attention. A significant control issue, therefore, may represent a
       perceived, potential or real shortcoming, or an opportunity to strengthen the control system to provide a greater likelihood that EEDA’s
       objectives will be achieved.
No     Detail                                                                                 Agree            Disagree        Comments
C7.    Control deficiencies are identified
        • By on going monitoring activities of the Agency, including managerial
            activities and everyday supervision of employees.
        • By separate evaluations of your internal control system.
C8.    Internal control deficiencies that can effect the attainment of the Agency’s
       objectives
        • Are reported to those who can take necessary action (to at least one level of
            management above the person directly responsible).
        • Senior management ensures that follow-up actions are taken in response to
            reported control deficiencies.

                                                                                                   Confidential – Data for Internal Use Only
                                                                      8-9
                                          2005/06 Risk and Internal Control Questionnaire
                                                                                                                               Part B


SUMMARY ASSESSMENT OF INTERNAL CONTROL

Taking into consideration my evaluation of the components of an effective system of internal control in previous sections of this
questionnaire, I can confirm that:


                                                                                                       Agree     Disagree

                1. Principal statutory obligations and organisational objectives have been
                   established


                2. Principal risks to achievement of objectives have been identified


                3. Key controls have been identified and evaluated to manage principal risks


                4. There are mechanisms in place to obtain assurances on effectiveness of key
                   controls


                                                                                 *Indicate as necessary




NAME                                                                TITLE


SIGNATURE (sign in black ink)                                       DATE




Please complete and return the questionnaire, together with the signed statement and the action plan if you have
identified any weaknesses or improvements.




                                                                                            Confidential – Data for Internal Use Only
                                                                8 - 10
                                                               2005/06 Risk and Internal Control Questionnaire
                                                                                                                                                                             Part C

                              ACTION PLAN FOR ADDRESSING INTERNAL CONTROL ISSUES AND CONTINUOUS IMPROVEMENT

REPORT:              PLEASE IDENTIFY YOUR AREA OF RESPONSIBILITY           DATE:                                 REFERENCE:

                Internal Control Issue    Risk to the achievement               Action to be taken                 Responsible Officer            Date of
Questionnaire




                       Identified         of Identified Objectives
 Reference




                                                                                                                                              Implementation




                                                                                                                                 Confidential – Data for Internal Use Only
                                                                                   8 - 11

								
To top