Checklists & Questionnaires available on KnowledgeLeader

    Sarbanes-Oxley Section 404 Audit Committee

    There is no question that complying with Sarbanes-Oxley Section 404 requires much effort. This seven-page questionnaire includes important questions audit committees should ask throughout the inception of a project and the first year of compliance.


    External Access Risk Questionnaire

    Failure to adequately restrict access to critical business information from outsiders (intruders) may result in unauthorized knowledge and use of confidential information by inappropriate parties. Access risk includes the risk that access to information (data or programs) will be inappropriately granted or refused. This questionnaire describes business risks and management practices for addressing external access.


    Close the Books Performance Measures Questionnaire

    This questionnaire discusses key objectives for closing the books, the outcome measures associated with each objective, and the activity measures that drive each outcome.


    Intellectual Property Risk Questionnaire

    Copyright pirates, brand impersonators, patent flouters, and trade secret thieves have grown in number and skill along with new business opportunities. These, and any other original creative works that have economic value and are protected by law, can be categorized as intellectual property (IP). This questionnaire outlines the core risks related to IP.


    Manage Capital Planning - Performance Measurement Questionnaire

    The purpose of this questionnaire is to standardize key performance measures for improving the capital planning process.


    Customer Service Risk Questionnaire

    Customer service is the way forward for any business wishing to thrive. It includes every aspect of selling and servicing a customer, pre-sale and post-sale, from merchandise questions to credit card security and delivery status to processing refunds, exchanges, and returns. This questionnaire addresses customer service management practices.


    System Design Risk Questionnaire

    In successful systems design, three main components must be considered and managed effectively: quality, timeliness, and cost-effectiveness. This questionnaire deals with the risks and issues regarding this ‘balancing act.’


    Data Integrity Risk Questionnaire

    Data integrity risk encompasses risks associated with the authorization, completeness and accuracy of business transactions as they are entered into, processed, summarized, and reported by the various network-enabled systems. This questionnaire outlines data integrity business risks and practices for dealing with such risks.


    IT Performance Risk Questionnaire

    IT performance is defined as the throughput of business transactions compared to user needs, expectations or requirements. This questionnaire describes business risks related to IT performance and suggested metrics.


    Compliance Risk Questionnaire

    Compliance risk can result in failure to conform with laws and regulations that apply to a business process at the international, country, state and local level. This questionnaire describes regulatory and other business risks related to compliance and includes a list of questions to consider.


    Entity Level Controls - Monitoring Questionnaire

    Monitoring is a process that assesses the quality of the entity's internal control performance over time. This Excel-based template provides a number of COSO elements and the related control objectives for entity level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.


    Sourcing Risk Questionnaire

    Outsourcing takes place when an organization transfers the ownership of a business process to a supplier or vendor. This questionnaire discusses the benefits – and risks – of outsourcing, and shares questions to consider when evaluating business risks.


    Close The Books Questionnaire

    This is a preliminary assessment questionnaire for the close the books process, which can be presented to managers or process owners before conducting an internal audit. It is intended to help the internal audit department understand existing business processes and management's view of the internal control environment.


    Channel Effectiveness Risk Questionnaire

    Channel effectiveness risk is the risk that poorly performing or positioned supply chain and/or distribution channels may threaten a firm’s capacity to effectively and efficiently interact with suppliers, and to access current and potential customers and end users. This questionnaire outlines business risks, recommended practices for channel effectiveness, and questions to consider.


    Segregation of Duties Questionnaire - Accounts Receivable

    This questionnaire addresses segregating duties related to the accounts receivable process.


    Records Management Risk Questionnaire

    Records management is the process of controlling electronic or hard-copy documents over the course of their lifecycle. This questionnaire describes regulatory and business risks related to records management, and includes a list of questions about records management risks.


    Segregation of Duties Questionnaire – Financial Reporting

    This document demonstrates how to properly segregate duties related to the financial reporting process.


    Project Management Risk Questionnaire

    Project management is a decision-making and strategic risk. It is defined as the application of knowledge, skills, tools, and techniques to project activities in order to meet or exceed stakeholder needs and expectations from a project. This document includes questions to consider and performance measurements related to project management risk.


    Entity Level Controls - Information and Communication Questionnaire

    Information and communication is the component of internal control that ensures that pertinent information is identified, captured, and communicated in a form and timeframe that enables people to carry out their job responsibilities. This Excel-based template provides a number of COSO elements and their related control objectives for entity level controls.


    Business Control Deficiency Decision Process Questionnaire

    This questionnaire serves as a guide in determining the severity of deficiencies cited during the internal control testing process. The results of this process are used to determine potential significant deficiencies and material weaknesses.


    Corporate Governance Compliance Questionnaire

    The objective of this questionnaire is to assist the board and management in assessing the organization’s current corporate governance environment.


    Working Capital Management Questionnaire

    There are three fundamental building blocks of effective cash management: working capital optimization, cash flow forecasting and liquidity management. This questionnaire is designed to help organizations assess the strengths and weaknesses of the working capital management process.


    Audit Committee Risk Assessment Survey Questionnaire

    This questionnaire allows the audit committee to document the risks that could significantly influence the organization, and the related financial and operational impact.


    Setting the Audit Committee Agenda - Board of Directors and Management Questionnaire

    Good business leaders are aware that the world is changing – dramatically. This questionnaire has 19 assessment questions for boards of directors and their audit committees to help ensure their organizations are ready to address change. There is also a tab with a 29-question questionnaire for management.


    Business Ethics Questionnaire

    This questionnaire is designed to help risk management professionals determine how well their companies are addressing risks in this area and to bring awareness to ethics programs. It also provides guidelines on how to measure the performance of business ethics processes.


    Audit Committee Responsibilities Questionnaire

    The role of the audit committee has significantly expanded in recent years. This is a sample self-assessment questionnaire for audit committees to use when evaluating the scope of their responsibilities. Topics include: risk management and internal controls; finance and accounting; audit resources and processes; and audit committee performance and operating practices.


    Internal Audit Qualitative Diagnostic Questionnaire

    This questionnaire helps to evaluate an internal audit department against leading practices during the quality assurance review (QAR) process.


    Audit Planning and Scoping Checklist

    This checklist should be used when planning the nature, timing and extent of work on an individual audit assignment. The audit team can use it in connection with a planning and scoping memorandum template to prepare detailed instructions for the work.


    Risk Oversight and Risk Management Questionnaire

    Risk oversight and risk management are a high priority on the agenda of most organizations. The purpose of this questionnaire is to help boards and management think about how they can develop a deeper knowledge of the risk oversight and risk management processes, understanding both the current state and desired future state.


    Managing Corruption Risk – Questionnaire

    Anti-corruption has become a major global initiative. Still, it is naïve to expect that legislators, regulators, international trade organizations and other parties can eradicate customs and behaviors that have evolved over many centuries. This board of directors and management questionnaire focuses on corruption risk, the Foreign Corrupt Practices Act (FCPA) and other key considerations.


    IT Planning Questionnaire

    Technology is permeating virtually every aspect of business today. The purpose of this questionnaire is to help organizations think about how they can develop a deeper knowledge of the IT infrastructure and processes, to understand both the current state and desired future state.


    International Human Resources Audit Checklist

    The checklist outlines key considerations for an international human resources audit.


    System Development Life Cycle Questionnaire

    This document serves as a pre-implementation checklist covering key system development life cycle areas to be considered by the project team.


    System Development Controls Questionnaire

    This questionnaire lists internal controls to consider when reviewing the system development process. The format of the questionnaire allows you to check off whether the control is in place, and to document verification procedures and exceptions.


    Recruitment Process Interview Questionnaire

    This document focuses on the recruitment process and provides questions to consider when developing process documentation.


    Entity Level Controls - Control Environment Questionnaire

    The control environment provides an atmosphere in which people conduct their activities and carry out their control responsibilities. It is the foundation for all other components of internal control, providing discipline and structure. This Excel-based template provides a number of COSO elements and the related control objectives for entity-level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.


    IT Application Security Questionnaire

    The questionnaire is designed for the IT application security process. It addresses topics such as access control mechanisms within the application, how users are identified, application security, password length, password history, new user access, user access change, standard access termination, and non-standard access termination.


    Supply Chain Risk Questionnaire

    The reality of today’s business environment is that the enterprise has no boundaries. Accordingly, the appropriate risk assessment approach applied to operational risks suggests the need for an end-to-end, extended enterprise view of the value chain; looking upstream to supplier relationships as well as downstream to channels. This document offers several questions to consider when evaluating supply chain risk.


    IFRS Conversion Questionnaire

    The cost, effort and length of time required to convert to IFRS depend on several important factors and will vary for each organization. In evaluating these variables, consider the questions posed in this document.


    Positioning the Chief Risk Officer for Success – Questionnaire

    When it is appropriate for a chief risk officer (CRO) or an equivalent senior risk executive to be in place, both the board of directors and management – not to mention the company’s shareholders – have a stake in that executive’s success. Organizations should assess whether the executive, as well as risk management in general, is positioned to be successful in the organization.


    Accounts Payable – Preliminary Controls Assessment Questionnaire

    This is an example of a preliminary assessment questionnaire that can be presented to managers or process owners before conducting an accounts payable audit. It is intended to help the internal audit department understand existing accounts payable business processes and management's view of the internal control environment.


    IT Risk Assessment Survey Questionnaire

    This questionnaire is for conducting an IT risk assessment. It covers topics appropriate for all levels of IT management, including: educate and train users; assess and manage IT risks; and IT strategic planning.


    Business Continuity Compliance Questionnaire

    This questionnaire helps organizations assess the adequacy of their business continuity program.


    Billing, Accounts Receivable, Credit, and Collections – Preliminary Controls Assessment Questionnaire

    This is an example of a preliminary assessment questionnaire that can be presented to managers or process owners before conducting an audit of the billing, accounts receivable, credit, and collections process. It is intended to help the internal audit department understand existing business processes and management's view of the internal control environment.


    Evaluation of Internal Audit Performance – Audit Committee Questionnaire

    This questionnaire allows members of the audit committee to review, critique, and evaluate the internal audit function on an annual/periodic basis.


    Risk Identification Questionnaire

    Companies should make risk an integral part of their business planning and strategic management processes. In doing so, boards need to ask management to articulate clearly the financial and nonfinancial risks that the enterprise is taking with respect to proposed investments and transactions. Risk identification begins with asking the right questions. Example questions are included in this document.


    Board of Directors Personal Liability Risk – Questionnaire

    Now more than ever, as the risk of personal liability rises, independent directors must take every precaution to protect themselves. Following the enactment of the Sarbanes-Oxley Act – and with bankruptcy filings currently at a 50-year high – independent directors are becoming a target for shareholders, management, creditors and regulatory agencies as evidenced by a recent increase in litigation against them. This questionnaire focuses on actions directors should take to reduce the risk of personal liability when an organization is in financial distress.


    IIA Standards Questionnaire

    Given The IIA’s International Standards for the Professional Practice of Internal Auditing effective January 1, 2009, boards of directors and their audit committees evaluate how these changes impact the internal audit function and the organization. These questions focus on topics such as external quality assurance reviews, CAE interaction with the board, and risk management.


    IIA Standards Compliance Checklist

    This checklist, which is derived from The IIA’s International Standards for the Professional Practice of Internal Auditing, can be used to evaluate the extent to which an organization’s internal audit function complies with the Standards.


    Process Map-Flow Chart – Formatting Checklist

    This checklist provides a framework for standardizing the format of process maps/flow charts across the organization.


    Business Continuity - IT Process Questionnaire

    Business continuity management consists of the processes used by organizations to address unplanned service interruptions. This IT questionnaire can help assess an organization’s business continuity planning strategy. It includes questions on tactical alignment, business processes, technology, results management, human capital, stability and reliability. It also focuses on the continuance, recovery, and eventual restoration of critical business functions to their original conditions prior to service interruptions.


    Entity Risks Inherent to Operations – Questionnaire

    Risk oversight is a top-of-mind issue for boards today because of the dramatic failures associated with the financial crisis and the unanswered questions around what directors might have done to thwart it. This document includes some suggested questions that boards of directors may consider, in the context and nature of the entity’s risks inherent in its operations.


    Ten Common Risk Management Failures – Questionnaire

    It is fashionable today to talk about the role of risk management and why risk management fails in any industry. This questionnaire explores 10 common risk management failures and some key indicators that these issues exist within an organization.


    The Financial Reporting Risk Profile: Getting Ahead of the Curve – Questionnaire

    The financial reporting risk profile (FRRP) is a proactive approach to identifying financial reporting issues and managing them to head off financial statement restatements before they occur, thereby enabling management to better focus efforts on more important matters and reduce reputation risk to an acceptable level. This questionnaire focuses on topics board members and management should consider when discussing FRRP.


    The Changing Corporate Governance Landscape and Its Implications – Questionnaire

    Corporate governance requirements established by The Sarbanes-Oxley Act have permanently mandated executive certification of public reports for all registrants. In this environment, companies are feeling greater pressures to take further actions. This questionnaire focuses on what boards and management should do as they work to improve corporate governance.


    Executive Certifications: Same Responsibilities, Higher Stakes – Questionnaire

    Executive management has always been responsible for the quality and fairness of public reporting. However, under The Sarbanes-Oxley Act of 2002, the risks are higher and the consequences of failure more significant. This questionnaire addresses executive certification requirements.


    Inventory Management – Internal Control Evaluation Questionnaire

    The questionnaire focuses on evaluating internal controls over the inventory process. It discusses topics such as: analytical procedures, purchasing, safeguarding physical inventory, and distribution.


    Enterprise-Level, Process and Technology Issues for Audit Committees – Questionnaire

    Without question, we live in a vastly different world than just one year ago and the environment remains dynamic and challenging. This questionnaire provides ideas for boards and their audit committees to consider during times of change. These ideas focus on enterprise-level, process and technology issues.


    Technology Risks and Controls: What You Need to Know – Questionnaire

    Disclosure and internal controls seem to be commanding the headlines these days, with particular emphasis on complying with Sections 302 and 404 of The Sarbanes-Oxley Act (SOX). This document poses questions to help determine where controls over information technology (IT) fit into the picture; why is IT important; and why management and executives should care.


    Staying Focused on Core Business Issues Amid Corporate Governance Compliance – Questionnaire

    Companies address a myriad of new corporate governance requirements established by U.S. Congress, the exchanges and regulators. While meeting these requirements, it is equally imperative to address the core business and profitability issues facing the organization, particularly in today’s increasingly demanding global marketplace. This document addresses questions focused on balancing corporate governance and business operational demands.


    Section 404 Compliance: Lessons Learned – Questionnaire

    Organizations now have years of experience complying with the Sarbanes-Oxley Section 404. Because of this, it is a good time to reflect on lessons learned. This questionnaire focuses on how to improve the compliance process, such as deploying a top-down approach and implementing a risk-based approach.


    Building Upon Section 404 Compliance – Questionnaire

    In recent years, compliance with Sections 302 and 404 of The Sarbanes-Oxley Act of 2002 (SOX) has commanded the attention of CEOs and CFOs. Many organizations have progressed beyond the first year of SOX compliance to ongoing annual compliance. This questionnaire addresses how organizations can make SOX compliance a sustainable process.


    The Expanded Responsibilities of the Audit Committee – Questionnaire

    When the SEC adopted rules mandated by the Sarbanes-Oxley Act of 2002, it, among other things, expanded and formalized the responsibilities of audit committees. The major exchanges also weighed in, defining expectations for audit committees. This document suggests key questions to help the audit committee function effectively.




    The Code of Conduct – Laying a Cornerstone for Effective Governance – Questionnaire

    If there is one constant for success in a rapidly changing global marketplace, it is the immutable bedrock of an unwavering commitment to ethical and responsible business behavior. This document discusses important questions for boards and management to consider when designing and implementing an effective code of ethics.



    Supply Chain Process Appraisal Questionnaire

    This document assists with the sales planning and forecasting process by listing various questions for process owners. Questions include: Is there a documented sales planning/forecasting process supported by related policies? Is the company business plan used to drive the sales plan and forecast, and are these plans routinely compared for consistency? And, are the sales planning/forecasting process accountabilities defined in conjunction with a calendar of activities, events, meetings, and so on?


    Creating Transparency into Your Largest Risk Exposures – Questionnaire

    An organization may have executives or employees willing to take risky bets or engage in activities that may not be in the enterprise’s best interests. This questionnaire focuses on improving transparency into an entity’s most significant risk exposures, with the objective of minimizing the risk of unwanted surprises.


    Credit Rating Analysis of Enterprise Risk Management at Nonfinancial Companies: Are You Ready? Questionnaire

    S&P continues its initiative to assess quality of enterprise risk management (ERM) at all companies it reviews. The rating agency appears to be tying its historical sensitivity to significant and volatile unexpected losses to the rated entity’s ability to understand such volatility and prudently manage these risks through the application of ERM. This document includes questions management and board members should consider on this topic.


    Knowing What You Don’t Know – Questionnaire

    If the financial crisis has but a single lesson, it is this: what we don’t know can be more important than what we do know. This raises the ultimate rhetorical question, “Do we know what we don’t know?” The reality of today’s environment is that management and the board can never be certain that they know everything they need to know. This questionnaire suggests eight questions for executives and directors to help manage uncertainty.


    The Enterprise Risk Assessment Process – Questionnaire

    Never has there been a greater need for transparency into the nature and magnitude of risks undertaken in executing the corporate strategy. An effective risk assessment process lays the foundation for management to respond to questions confidently as the business environment remains in a constant state of flux. This questionnaire addresses key issues that boards should consider as they evaluate their confidence in the organization’s enterprise risk assessment process.


    Establishing an Effective Complaint and Confidential, Anonymous Reporting Process – Questionnaire

    This questionnaire focuses on issues that audit committees and management should consider as they collaborate to comply with the SEC’s rules pursuant to Section 301 of the Sarbanes-Oxley Act of 2002. Section 301 focuses on establishing an effective complaint and confidential, anonymous reporting process. These requirements are important because the SEC’s rules direct the national securities associations to prohibit the listing of any security of a company that is not compliant with them.


    Ethics Audit Checklist

    This checklist contains a set of questions that can be used when performing an ethics audit. Topics include: policies and procedures, communication, training, change management, violations, penalties and enforcement.


    Enterprise Risk Management: Practical Implementation Advice – Questionnaire

    Many executives have no idea what the value proposition of enterprise risk management (ERM) is. Some executives and directors may even consider ERM a fad or “flavor of the month,” and are just humoring the dialogue wishing it would go away. What leaves many cold on the subject of ERM is the inability to quickly grasp what it is. This document poses practice questions focused on implementing ERM.


    Protecting Enterprise Value Through Your Anti-Fraud Program – Questionnaire

    A company’s anti-fraud program is an integral part of its corporate governance process and is fundamental to protecting tangible and intangible enterprise value and preserving the reliability of public reporting. This document focuses on key questions for board members and management when evaluating the anti-fraud program.


    Conducting Enterprise Risk Assessments That Make a Difference – Questionnaire

    An important contribution of risk management is to help executives and their boards make better choices during the strategy-setting process. Boards and management need an effective enterprise risk assessment (ERA) process to effectively discharge their responsibilities, especially in today’s rapidly changing environment. This questionnaire focuses on the vital steps in executing an effective ERA, and why integrating these assessments with strategy-setting is important.


    IFRS or Country-Specific GAAP: Who’s on First? – Questionnaire

    There are many practical issues surrounding the possible future use of IFRS by U.S. public companies or by entities in other countries using a different version of GAAP not conformed to IFRS. This questionnaire considers these issues and the ramifications of transitioning from country-specific GAAP to IFRS.


    Electronic Discovery: An Academic Exercise or Your Next Crisis? – Questionnaire

    Electronic discovery (or e-discovery) refers to the process by which relevant electronically stored information is produced as evidence when an organization faces legal or regulatory action. This document poses questions for the board and management to reduce the costs, burden and time associated with e-discovery.


    Managing Outsourcing and Offshoring Risk – Questionnaire

    As companies focus on managing their operations in a difficult economic environment, they seek to become leaner and more focused, efficient and effective. This document focuses on questions for board members and management to consider when managing risks related to outsourcing or offshoring business activities.


    Public Company Readiness: Getting Ready for Prime Time – Before the Market Does – Questionnaire

    When preparing for an initial public offering (IPO), it is vital to pay close attention to the underlying business and IT processes, policies and internal controls. This questionnaire focuses on certain aspects of the IPO preparation process and specific areas management should address – common financial reporting challenges, the close process, Sarbanes-Oxley compliance and IT infrastructure.


    Making Internal Audit a Value-Adding Contributor to Economic Recovery – Questionnaire

    Organizations are looking to internal audit to provide assurances that existing and emerging risks are identified, monitored and managed so that they can move forward with confidence in executing their business model. These questions explore how internal audit can contribute to organizations as they recover from the crisis and what management and boards should expect from audit going forward.


    A Cost Effective Approach to Validating Performance of the Internal Control Structure – Questionnaire

    How will your company transition its Section 404 compliance activity from an ad hoc, high-cost project to an ongoing, cost-effective process? This questionnaire focuses on implementing a cost-effective approach to validating the operating effectiveness of ICFR. These questions address management’s assessment process, not the external audit of ICFR.


    Deriving Value Out of the Section 404 Compliance Process – Questionnaire

    No one is arguing with the oft-stated assertion that the first-year cost of complying with Section 404 is sky high. Evidence makes it clear that the administrative burden of compliance is significant enough for most companies to warrant a review of strategies and tactics for maximizing value-add from the compliance process. While the SOX-stated purpose of protecting investors by improving the reliability of public reporting is an important goal, both executive management and directors are asking tough questions. This document provides a sampling of these questions.


    Revenue Recognition Questionnaire

    The purpose of this questionnaire is to document the revenue recognition review completed by the finance department. It evaluates whether persuasive evidence exists to support revenue recognition, the delivery method scheduled, and that established collection procedures exist.


    Audit Committee Charter Review Checklist

    This checklist addresses a variety of topics and acts that often fall within the Audit Committee’s responsibilities. It provides a broad framework and a set of activities that can be undertaken by the Audit Committee to achieve appropriate oversight. This document is intended to only be used as a sample guide to understanding and reviewing the current charter.


    Human Resources Internal Control Questionnaire

    This questionnaire is to be utilized as a checklist of the basic controls for Sections 302 and 404 of the Sarbanes-Oxley Act. This document focuses on the Human Resources function and its associated internal control structure.


    Segregation of Duties in Significant Cash Receipts Applications Questionnaire

    This form has been designed to highlight potentially conflicting duties performed by one individual which could impact the effectiveness of controls over a cash receipts application.


    COSO ERM Diagnostic Questionnaire

    The tool can be used in assessing the effectiveness of a company’s ERM process. This tool is organized by the eight components of the COSO ERM Framework and users are prompted to assess senior management’s effectiveness in performing the key elements of the eight components and whether or not the activities are integrated into a continuous process.


    Segregation of Duties in Significant Cash Disbursement Applications Questionnaire

    The following document outlines a set of steps to be followed when reviewing segregation of duties in significant cash disbursement applications.


    Global Privacy Analysis Application Questionnaire - System Information Garnering

    This questionnaire helps determine whether new technologies, information systems and initiatives or proposed programs and policies meet basic privacy requirements. The purpose of such an initiative is to provide documented assurance that privacy issues have been appropriately identified, adequately addressed or communicated to more senior management for further direction.


    Disclosure Committee Questionnaire

    The purpose of this questionnaire is to ensure that all necessary quarterly financial reporting disclosures are addressed, and any changes to these disclosures are explained by management.


    IT Process Questionnaire – Change Management

    The purpose of this IT process questionnaire is to ensure that all changes to IT resources and infrastructure configurations are carried out in a planned and authorized manner. It involves distinct processes both for managing change requests and also for deploying those changes throughout the enterprise.


    Data Conversion Compliance Questionnaire

    This questionnaire provides an outline for reviewing documentation associated with a data conversion. Sections of the questionnaire include template review observations, documentation review observations, compliance recommendations, and compliance rating.


    IT General Controls Questionnaire

    IT general controls are critical and central to business processes. This Excel-based template provides a number of COBIT areas and the related control objectives for each IT general control. You can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies. This questionnaire has been updated with areas defined in COBIT 4.1.


    Reporting and Wrap-Up – Project Checklist

    The purpose of this checklist is to assist a project team in ensuring that the administrative elements of wrapping-up an audit project are completed in accordance with company requirements. This checklist covers topics such as holding a closing meeting, drafting the report, and obtaining sign-off on the audit report.


    Audit Planning – Project Checklist

    The purpose of this checklist is to assist a project team in ensuring that the administrative elements of an audit project are completed in accordance with company requirements. This checklist covers topics such as scope of project, setting project expectations with auditee, and determining which audit tools to use on the project.


    Audit Fieldwork – Project Checklist

    The purpose of this checklist is to assist a project team in completing the administrative elements of a project in accordance with company requirements. This checklist covers topics such as workpaper requirements, communication protocol, and scheduling the closing meeting.


    IT General Controls Scoping Questionnaire

    This questionnaire has been designed to facilitate an assessment of existing controls to determine if they align with the IT Governance Institute (ITGI) control objectives. This questionnaire will allow the reviewer to determine which control objectives and illustrative controls are in-scope, and document which control objectives and illustrative controls are currently addressed with existing controls.


    Healthcare Industry IT Risk Assessment Questionnaire

    The purpose of this tool is to help a healthcare company perform an IT risk assessment. The risk assessment worksheets document IT components, IT processes and IT projects, and provide business process definitions. The assessment also allows the user to configure options, and rank all identified risks automatically.


    Sales Order Entry Questionnaire

    The purpose of this questionnaire is to document a review of the sales order entry process. This process focuses on evidence of an arrangement, delivery, price and fees, international requirements, and collections.


    Finance Process Improvement Project Plan - Accounts Payable

    This sample spreadsheet is used to track details associated with financial process effectiveness for the accounts payable process. Data tracked in this spreadsheet includes activities, effort by level (measured in hours), and milestones.


    IT Due Diligence Checklist

    This checklist focuses on what risks or controls a small company must assess in order to address its IT due diligence practices. Topics covered in this document include: IT management, personnel, and contractors as well as many more.


    Finance Process Improvement Project Plan - General Accounting Questionnaire

    This is a sample spreadsheet used to track details associated with improving the general accounting process. Data tracked in this spreadsheet includes activities, effort by level (measured in hours), and milestones.


    SOX Process Walkthrough Questionnaire

    The purpose of this template is to provide guidance to business units in the performance of walkthroughs associated with Sarbanes-Oxley Act compliance requirements. It may also be used by management in other matters related to the evaluation of internal controls over financial reporting.


    Financial Close Process Questionnaire - Manual Journal Entries in the Consolidations System

    This questionnaire focuses on the financial close process, specifically manual journal entries in the consolidation system. This document includes a process description, key risks, expected key controls, and key questions to ask during this process review.


    Financial Close Process Questionnaire - Eliminate Intercompany Transactions and Consolidate Financial Data

    This questionnaire focuses on the financial close process, specifically elimination of intercompany transactions and consolidating financial data. This document includes: a process description, key risks, expected key controls, and key questions to ask during this process review.


    Financial Close Process Questionnaire - Consolidations System Chart of Accounts Maintenance

    This questionnaire focuses on the financial close process, specifically consolidation system chart of accounts maintenance. This document includes: a process description, key risks, expected key controls, and key questions to ask during this process review.


    Data Center General Controls Questionnaire: Continuity of Operations

    This is the final section of a thirteen part mainframe data center general controls questionnaire. The questionnaire covers data center continuity of operations.


    Fixed Assets Process Controls Questionnaire

    Fixed assets are important to a company because of their relative permanence in the company’s operations and their use in operating activities. This Excel-based template provides a number of business activities and related control objectives for each activity. This questionnaire has been updated with the following: involvement of the purchasing department, presence of a corporate depreciation policy, and monthly financial close procedures.


    Data Center General Controls Questionnaire: Telecommunications

    This is the twelfth section of a thirteen part mainframe data center general controls questionnaire. The questionnaire covers the management of telecommunications resources.


    Data Center General Controls Questionnaire: Hardware and Software Inventory Management

    This is the eleventh section of a thirteen part mainframe data center general controls questionnaire. This section covers systems hardware and software inventory management.


    Data Center General Controls Questionnaire: Database Administration

    This is the tenth section of a thirteen part mainframe data center general controls questionnaire. This section covers systems database administration.


    Data Center General Controls Questionnaire: Vendor Support

    This is the ninth section of a thirteen part mainframe data center general controls questionnaire. This section covers systems vendor support.


    Data Center General Controls Questionnaire: Systems Software Support

    This is the eighth section of a thirteen part mainframe data center general controls questionnaire. This section covers systems software support.


    Generate Financial Statements and Disclosures - Financial Close Process Questionnaire

    This questionnaire focuses on the financial close process, specifically generating financial statements and related disclosures. This document includes: a process description, key risks, expected key controls, and key questions to ask during this process review.


    Data Center General Controls Questionnaire: Application Systems Development and Maintenance

    This is the seventh section of a thirteen part mainframe data center general controls questionnaire. This section covers security administration.


    Data Center General Controls Questionnaire: Security Administration

    This is the sixth section of a thirteen part mainframe data center general controls questionnaire. This section covers security administration.


    Financial Close Process Questionnaire - Analyze Financial Results

    This questionnaire focuses on the financial close process, specifically reviewing and analyzing consolidated financial information and business segment information. This document includes: a process description, key risks, expected key controls, and key questions to ask during this process review.


    Upload Data from General Ledger to the Consolidations System - Questionnaire

    This questionnaire focuses on the financial close process, specifically when data is uploaded from the general ledger (G/L) to the consolidations system. This document includes: a process description, key risks, expected key controls, and key questions to ask during this process review.


    Data Center General Controls Questionnaire: Program, Data File, and Transaction Security

    This is the fifth section of a thirteen part mainframe data center general controls questionnaire. This section covers program, data file and transaction security.


    Data Center General Controls Questionnaire: Environmental Controls

    This is the fourth section of a thirteen part mainframe data center general controls questionnaire. This section covers environmental controls.


    E-Commerce Questionnaire

    This is a multi-section questionnaire that can be used, for example, during an internal audit of an E-Commerce organization.


    Data Center General Controls Questionnaire: Physical Security

    This is the third section of a thirteen part mainframe data center general controls questionnaire. This section covers physical security.


    Data Center General Controls Questionnaire: Computer Operations

    This is the second section of a thirteen part mainframe data center general controls questionnaire. This section covers Computer Operations.


    Data Center General Controls Questionnaire: Organization and Management

    This is the first section of a thirteen part mainframe data center general controls questionnaire. This section covers Organization and Management.


    Entity Level Controls - Risk Assessment Questionnaire

    Risk assessment is the component of the entity’s internal control that involves identifying and analyzing risks internally and externally. Risk assessment is relevant to achieving business objectives as well as objectives related to the preparation of reliable financial statements. This Excel-based template provides a number of COSO elements and the related control objectives for entity level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management’s action plan for deficiencies. The Entity-Wide Objectives and Manage Change sections have been updated in this questionnaire.


    Fixed Assets – Preliminary Controls Assessment Questionnaire

    This is an example of a preliminary assessment questionnaire that can be presented to managers or process owners before conducting a fixed asset audit. It is intended to help the internal audit department understand existing business processes involving fixed assets and management's view of the internal control environment. This document has been updated with items such as: fixed asset system change management, capital expense policy, and periodic review of depreciation expense.


    Service Level Agreement Controls Interview Questionnaire - IT

    The purpose of this interview questionnaire is to assess the IT processes associated with a Service Level Agreement (SLA). The questionnaire addresses topics such as identifying critical systems, applications, and services; change services; and continuity planning.


    Monthly Financial Close Process Checklist

    The purpose of this checklist is to document the activities performed as part of the monthly financial close process at a company. For each step covered in this checklist, users are encouraged to document the responsible person, date due, and whether the task has been completed and reviewed. This tool has been updated with additional general financial close procedures and steps related to recording fixed assets.


    Employee Termination Checklist

    This checklist outlines steps to follow when an employee stops working for a company. These steps should be modified to reflect each organization’s employee termination process.


    Employee New Hire Checklist

    This checklist outlines steps to follow when a new employee starts working with a company. These steps should be modified to reflect each organization’s new hire orientation process.


    Employee Expense Reimbursement Process Review Checklist

    Internal Audit can use this checklist when reviewing whether the employee expense reimbursement process is conducted according to the company’s Travel & Expense Policy. Deviations from the established policy could result in unauthorized reimbursements and/or additional costs for the company. Updates made to this checklist include steps to gain an understanding of the current reimbursement policy and process.


    Due Diligence Checklist – Example 2

    The purpose of this document is to provide a list of items to consider when performing due diligence on a potential acquisition. This checklist is intended to be a list of financial items to consider during this process. This list should be customized to fit the nature of the acquisition process.


    Oracle Baseline Security Checklist

    This checklist contains detailed steps to undertake to check the security of systems using Oracle, from checking and installing the latest patches, to ensuring privileges are restricted and access is correctly controlled.


    Linux Audit Checklist

    This checklist is to be used to audit a Linux environment. It attempts to provide a generic set of controls to consider when auditing a Linux environment, and does not account for the differences between the different Linux distributions on the market (e.g. Red Hat, Caldera, Mandrake, etc.).


    Sun Solaris Security Checklist

    This checklist contains detailed steps to undertake to check the security of systems running the Sun Solaris operating system, from checking and installing the latest patches, to ensuring all permissions are correct and system accounts are protected.


    Process Integration Checklist

    The purpose of this checklist is to facilitate the merging of company subsidiary divisions and their duplicate processes. Included are guidelines for this facilitation process and topics to address during scheduled meetings.


    Red Hat Linux Security Checklist

    This checklist contains detailed steps to undertake to check the security of systems running the Red Hat Linux operating system, from checking and installing the latest patches, to ensuring all permissions are correct and system accounts are protected.


    IBM AIX Security Checklist

    This IBM AIX security access control checklist includes detailed information on ways to reduce the security exposure so that the specified expected result is obtained.


    Service Level Agreement Controls Interview Questionnaire – IT Help Desk

    The purpose of this interview questionnaire is to assess the IT Help Desk process associated with a Service Level Agreement (SLA). The questionnaire addresses topics such as documentation of IT calls, follow-up communication with end users, and meeting end user needs.


    Entity-Level, IT, and Business Process Controls Questionnaires

    Entity-level controls are the foundation for internal control, providing discipline and structure to the organization. IT general controls have a pervasive effect on the reliability, integrity and availability of processing and relevant data. Business process controls provide structure to generate revenue, account for costs incurred, and ultimately report on the financial state of the organization. These Excel-based templates provide you the opportunity to document items such as whether these controls exist; whether they are designed properly; related test procedures; and management action plan for deficiencies. These questionnaires are intended to help you comply with corporate governance requirements.


    Acquisition Closing Checklist

    The purpose of this checklist is to document the activities performed as part of the acquisitions/new business development process by a company. The steps covered in this checklist focus on pre-acquisition activities, performing due diligence, post acquisition activities, and management approval.


    ITIL/COBIT Problem Management Checklist

    This is the second of two checklists that can be used to ensure that all non-standard operational events (incidents, errors and problems) are identified, recorded, analyzed and resolved through the use of a suitable problem management system. COBIT Delivery Standard 10 – Manage Problems and Incidents, identifies objectives for managing problems and incidents. The specific objectives listed in this checklist can be mapped onto relevant IT Infrastructure Library (ITIL) activities. The second checklist deals with problem management.


    Entity-Level Controls – Fraud Questionnaire

    Fraud prevention is essential to set the right tone for an effective internal control framework. This Excel-based template links the COSO components to a number of control objectives for entity-level fraud controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies.


    ITIL/COBIT Incident Management Checklist

    This is the first of two checklists that can be used to ensure that all non-standard operational events (incidents, errors and problems) are identified, recorded, analyzed and resolved through the use of a suitable problem management system. COBIT Delivery Standard 10 – Manage Problems and Incidents, identifies objectives for managing problems and incidents. The specific objectives listed in this checklist can be mapped onto relevant IT Infrastructure Library (ITIL) activities. The first checklist deals with incident management.


    User Relationship With IT Management: Equipment Acquisition Procedure Assessment Questionnaire

    An improperly established relationship between IT and users poses the risk that users may lack guidance on acquiring information processing tools. The objective of the questionnaire is to determine whether adequate procedures are in place for acquiring hardware and software.


    User Relationship With IT Management: User Group Assessment Questionnaire

    An improperly established relationship between IT and users poses the risk of ineffective organizational infrastructure. The existence and effectiveness of a user group will determine the level of risk within an organization. This questionnaire helps assess the effectiveness of a user group.


    User Relationship With IT Management: User Computing Standards Assessment Questionnaire

    An improperly established relationship between IT and users poses the risk that there may be inadequate user computing standards. Users may experience unnecessarily long learning curves because user computing standards and procedures are not adequately enforced. The objective of this questionnaire is to define adequate control procedures and to determine whether those procedures are in place.


    User Relationship With IT Management: User Security Procedure Assessment Questionnaire

    An improperly established relationship between IT and users poses the risk that there may be inadequate user security procedures. The objective of the questionnaire is to define adequate control procedures and to determine whether those procedures are in place.


    User Relationship With IT Management: Corporate Data Use Assessment Questionnaire

    An improperly established relationship between IT and users poses the risk that users may make ineffective use of corporate data. Users are either unable to access corporate data or that data is not used effectively. The objective of this questionnaire is to define adequate control procedures and to determine whether those procedures are in place.


    User Relationship With IT Management: User Satisfaction Assessment Questionnaire

    An improperly established relationship between IT and users poses the risk that users may be dissatisfied with the central IT function. This questionnaire helps to determine whether users are not getting the type of service desired, and whether communication of this dissatisfaction is inadequate.


    User Relationship With IT Management: User Knowledge Assessment Questionnaire

    An improperly established relationship between IT and users poses the risk that users may have inadequate knowledge of IT systems. Users may require more technical knowledge to use the available technology efficiently, effectively, and economically. The objective of this questionnaire is to assess whether users have the systems knowledge they need to be effective.


    Information Security Risk Assessment Questionnaire, based on ISO/IEC 27002:2005

    This checklist is designed to assist in reviewing and documenting the risk profile of your organization’s information processing activities. The checklist contains ten sections, in accordance with ISO/IEC 27002:2005.


    Medical Clinic Operational Processes Questionnaire

    This sample questionnaire can be used when performing an audit of a medical clinic’s operational processes. It is intended to help an internal audit department complete a baseline compliance review of these activities. Questions focus on topics such as maintenance of patient medical records, patient relations, physician consultation practices, and storage of medical equipment.


    Control Design Effectiveness Review Checklist

    This Excel-based template provides an example of how to review control design effectiveness to ensure the control mitigates the associated risk. You would use this review process sheet to document the reviewer’s comments and associated response. The Excel form also provides guidance in designing controls to address financial reporting assertions.


    Medical Records Documentation Checklist

    This sample checklist can be utilized when performing an audit of medical records documentation. It is intended to help an internal audit department understand the existing documentation process related to medical records. Items of review include the filing system used, document retention, and training materials.


    Information Technology General Controls - Preliminary Controls Assessment Questionnaire

    This is an example of a preliminary assessment questionnaire that can be presented to managers or process owners before conducting an information technology general controls (ITGC) audit. It is intended to help the internal audit department understand existing business processes involving ITGC and management's view of the internal control environment.


    Financial Close Process Controls Questionnaire

    The financial close process is important to a company as it is the function directly related to producing company financial results for each period end. This Excel-based template provides a number of business activities and related control objectives for each activity. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.


    Medical Records, Coding, and Billing Processes Compliance Questionnaire

    This sample questionnaire can be utilized when performing an audit of medical records, coding, and billing compliance processes. It is intended to help an internal audit department understand the existing process related to medical records, coding and billing and assess the compliance of these processes. Questions focus on topics such as policies and procedures, records management, and training in billing techniques.


    Detailed Medical Record Review Questionnaire

    This is an example medical record review questionnaire that can be utilized when performing a healthcare audit. It is intended to help an internal audit department understand the existing process related to medical records management and assess the compliance of this process.


    Financial Reporting and General Ledger Control Self Assessment Questionnaire

    This is an example of a self assessment questionnaire that can be presented to managers or process owners before conducting an audit. It is intended to help the Internal Audit department understand existing controls around financial reporting and general ledger processes.



    SOX Testing Review Checklist

    This Excel-based template provides an example of how to review SOX testing documentation. You would use this review process sheet to document the reviewer’s comments and tester’s response. The Excel form allows you to record comments related to the test plan, test execution, and documentation format.


    Budget – Preliminary Controls Assessment Questionnaire

    This is an example of a preliminary assessment questionnaire that can be presented to managers or process owners before conducting an audit of the budget process. It is intended to help the internal audit department understand existing business processes and management's view of the internal control environment.


    General Threat Questionnaire

    This risk assessment questionnaire can be used to identify the failure scenarios, likelihood, and severity of over 100 environmental, man-made, business, and IT risks.


    Enterprise Risk Management Interview Questionnaire

    The ultimate goal of Enterprise Risk Management (ERM) is to evaluate total returns relative to total risks, leading to more informed business decisions. This questionnaire can be used when assessing an organization’s enterprise risk management strategy. It focuses on the internal environment, objective setting, event identification, risk assessment, risk response, control activities, and information and communication.


    Financial Functions Expectations - Example


    Payroll – Preliminary Controls Assessment Questionnaire

    This is an example of a preliminary assessment questionnaire that can be presented to managers or process owners before conducting a payroll audit. It is intended to help the internal audit department understand the existing business processes and management's view of the internal control environment.


    System Implementation Risk Assessment Questionnaire

    This questionnaire helps to assess the risks involved in the implementation of any new or updated software application.


    Control Self-Assessment Questionnaire

    In complying with the Sarbanes-Oxley Act, it is management’s responsibility to design, adhere to and monitor the significant operating and financial controls of the organization. This short self-assessment questionnaire has been designed to obtain management’s input in order to establish a common understanding of the level of control of an organization or department.


    Implementation Review Scoping Checklist

    This checklist assists with the scoping of an application controls review and/or implementation review that covers both pre- and post-implementation procedures. The primary goal is to identify those areas that Internal Audit will focus on during the implementation.


    Tax Compliance Process Internal Control

    The purpose of this questionnaire is to assess the internal controls related to a company’s tax compliance process. This document outlines sample tax compliance controls and assists in identifying if the control is in place.


    IT Application Control Deficiency Decision Process Questionnaire

    This questionnaire serves as a guide in determining the severity of control application deficiencies cited during the SOX control testing process. The results of this process are used to determine potential significant deficiencies/material weaknesses. Topics in this questionnaire assist management in assessing IT application controls.


    IT Infrastructure Control Deficiency Decision Questionnaire

    This questionnaire can be used as a guide to determine the severity of any deficiencies cited during the control testing process. A SOX control deficiency assessment can be completed using this information and other information provided by management in reaching its decision.


    Chief Audit Executive IT Control Checklist

    Chief Audit Executives can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.


    Audit Committee Self-Assessment Checklist

    The self-assessment process is an important exercise for audit committees to complete as they are responsible for important activities such as the quality and integrity of a company’s accounting practices and controls and compliance with legal and regulatory requirements. This is a sample self-assessment checklist for audit committees to use when evaluating their current involvement in a company’s control environment.


    SOX Policy Evaluation Checklist

    Policies are an important part of the internal control over financial reporting evaluation process. This is a sample checklist to use when identifying the availability and status of company policies associated with the financial reporting process. This tool also assists with organizing policies by financial statement, area of significance, and financial statement element.


    Treasury Process Controls Questionnaire

    The treasury process is important to a company because it is the function overseeing the cash flow of the company’s operations and its use related to payments, receipts, and investments. This Excel-based template provides a number of business activities and related control objectives for each activity. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.


    End-of-Audit Feedback Survey Questionnaire

    This questionnaire can be distributed at the end of an internal audit project. It communicates a department’s commitment to providing the highest quality services and helps manage expectations. The feedback can be used to improve service and identify important areas of focus for future internal audit projects.


    Self-Assessment Checklist

    Self-assessments are intended to help the internal audit department understand existing business processes and understand management's view of the internal control environment. This is a sample checklist to follow when issuing self-assessment questionnaires to managers or process owners. Items in the checklist include self-assessment set-up processes, issuing the self-assessment, compiling the results, and reporting to management.


    Payroll Process Controls Questionnaire

    The payroll process is important to a company as it is the key to compensating employees for their contributions to the company’s operations and generation of revenues. This Excel-based template provides a number of business activities and related control objectives for each activity. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.


    Inventory Management Control Questionnaire

    Inventory is an important asset for many companies as it is often a large asset on the company’s financial statements and represents a source of revenue in the near future through sales of the goods. This Excel-based template provides a number of business activities and related control objectives for each activity. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.


    Revenue Process Control Questionnaire

    Revenue process controls are important to financial reporting because this process measures the accomplishments of the operating activities of a company. This Excel-based template provides a number of business activities and related control objectives for each activity. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.


    Expenditure Process Control Questionnaire

    Expenditure process controls are important to financial reporting as this process focuses on costs companies incur while delivering goods, rendering services, or other activities that are central to the company’s operations. This Excel-based template provides a number of business activities and related control objectives for each activity. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.


    Internal Audit Client Satisfaction Questionnaire

    This questionnaire is intended to be sent to relevant departments upon completion of work performed by internal audit. This tool contains a sample email providing instruction on completing the questionnaire. The questionnaire contains drop-down menus with pre-populated answers to assist in the questionnaire reporting process.


    Hazard Assessment Checklist

    This checklist is to be used when conducting periodic hazard assessments. If any deficiencies are found, the corrections should be recorded using the Corrective Action Report following the checklist.


    Entity Level Documentation Request Checklist

    The COSO Internal Control - Integrated Framework requires that risks and controls be assessed at both the entity level and the process level. Entity level controls address the “tone at the top” and include items such as ethics programs, investigation protocols, and IT infrastructure controls. Adequate evidence of the entity level controls should be accumulated to support management’s assertions. One of the ways to gather such evidence is to review the corporate documentation that supports that these entity level controls are in place. This checklist provides a template in which to track the availability and status of such entity level control documentation.


    Closing Out Year One: SOX Best Practice Checklist

    This checklist provides a list of SOX considerations for companies gearing up SOX efforts in 2005 and those continuing their second year of compliance. The checklist offers advice on topics such as project management, project details, and committees. Using this type of checklist will facilitate moving SOX compliance efforts towards best practice.


    Audit Work Paper Quality Review Checklist

    This checklist provides guidance on how to prepare audit work papers to ensure quality and clarity. The checklist identifies organizational tasks, required information, and formatting that should be complete prior to submitting audit work papers for review. Using this type of checklist will facilitate the review process performed by superiors or management.


    Tax Process: Objectives and Control Checklist

    This self-assessment checklist is intended to be used as a preliminary checklist before an audit. It gives the auditee an opportunity to inform internal audit about controls and processes they employ, and it also gives the auditee ideas about other controls and processes that may be appropriate.


    Documentation - 404 Readiness Checklist

    This checklist can be used to evaluate the adequacy of Section 404 process documentation prior to submitting it to the external auditor for review and prior to creating testing plans.


    Test Documentation Validation Checklist

    This checklist provides guidance on how to track documentation related to tests of controls. It focuses on examples of documentation needed to complete tests of controls, a template to record the completeness and accuracy of the documentation received, and areas to track missing required documentation and sampling requests made to the client.


    General IT Controls Review: Password Questionnaire

    Consider the best practice items in this questionnaire when assessing your user password standards.


    Update Testing - Control Self Assessment Questionnaire

    This questionnaire has been designed to facilitate an assessment of whether the controls within a business unit are currently operating effectively. To meet the guidelines of Section 404 requiring management attestation as of a company’s fiscal year-end, this questionnaire is used to identify any changes that have occurred or are planned prior to year-end. Questions in this tool focus on verifying that process documentation is complete and accurate, all key internal controls and key information systems have been identified, and all areas within a business unit that are relevant to Sarbanes-Oxley have been identified.


    Sarbanes-Oxley Walkthrough Checklist

    The purpose of this checklist is to provide guidance to help a process owner prepare for a process walkthrough. It also includes post-walkthrough questions to help the process owner document any questions or issues raised.


    General IT Controls Review: Disaster Recovery Questionnaire

    This questionnaire helps you assess disaster recovery preparation by comparing your plans to best practices.


    IT Security Remediation – Self-Assessment Questionnaire

    This high-level self-assessment questionnaire is intended to be used to assist with Sarbanes-Oxley Act control remediation efforts. It provides the auditee with an opportunity to inform internal audit about controls and processes they employ, and it also gives the auditee ideas about other controls and processes that may be appropriate.


    Sourcing Root Causes Questionnaire

    Sourcing the root causes of performance gaps and business risks is vital to business process improvement and establishes the basis for other performance assessment activities. This guide provides several questions that can serve as a starting point for sourcing the root causes of problems or risks.


    Purchasing and Inventory Management Questionnaire

    This is an example of a preliminary assessment questionnaire that can be presented to managers or process owners before conducting an audit of Purchasing and Inventory Management. It is intended to help the internal audit department understand existing business processes and management's view of the internal control environment.


    Cash Disbursement Questionnaire

    This is an example of a preliminary assessment questionnaire that can be presented to managers or process owners before conducting a cash disbursement audit. It is intended to help the internal audit department understand existing business processes and management's view of the internal control environment.


    Process Flow Map


    Segregation of Duties Questionnaires

    A fundamental element of internal control is the segregation of certain key duties. Adequate segregation of duties reduces the likelihood that errors (intentional or unintentional) will remain undetected by providing for separate processing by different individuals at various stages of a transaction and for independent reviews of the work performed. The following segregation of duties questionnaires are available: Treasury, Revenue, Purchasing and Accounts Payable, Payroll, Fixed Assets, Expenditure, Inventory, and Hotel Revenue.


    Segregation of Duties Questionnaire - Hotel Revenue

    A fundamental element of internal control is the segregation of certain key duties, in order to ensure that no-one is in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. This questionnaire can be used to determine the adequacy of segregation of duties among those responsible for revenue in a hotel or similar establishment.


    Segregation of Duties Questionnaire - Inventory

    A fundamental element of internal control is the segregation of certain key duties, in order to ensure that no-one is in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. This questionnaire can be used to determine the adequacy of segregation of duties among those responsible for inventory.


    Segregation of Duties Questionnaire - Fixed Assets

    A fundamental element of internal control is the segregation of certain key duties, in order to ensure that no-one is in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. This questionnaire can be used to determine the adequacy of segregation of duties among those responsible for fixed assets.


    Segregation of Duties Questionnaire - Expenditure

    A fundamental element of internal control is the segregation of certain key duties, in order to ensure that no-one is in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. This questionnaire can be used to determine the adequacy of segregation of duties among those responsible for expenditure.


    Segregation of Duties Questionnaire - Purchasing and AP

    A fundamental element of internal control is the segregation of certain key duties. This helps ensure that no-one is in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. This questionnaire can be used to determine the adequacy of segregation of duties in the purchasing and accounts payable process.


    Segregation of Duties Questionnaire - Treasury

    A fundamental element of internal control is the segregation of certain key duties. This helps to ensure that no-one is in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. This questionnaire can be used to determine the adequacy of segregation of duties among those responsible for treasury functions.


    Segregation of Duties Questionnaire - Payroll

    A fundamental element of internal control is the segregation of certain key duties. This helps ensure that no-one is in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. This questionnaire can be used to determine the adequacy of segregation of duties within the payroll process.


    Segregation of Duties Questionnaire - Revenue

    A fundamental element of internal control is the segregation of certain key duties, in order to ensure that no-one is in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. This questionnaire can be used to determine the adequacy of segregation of duties among those responsible for revenue.


    Payroll Best Business Practices Checklist

    This checklist contains a set of questions that can be used to determine the extent to which various best business practices are being followed in the area of payroll. The answers to these questions will help to determine areas for improvement.


    Month-End Close: Best Business Practice Checklist

    This checklist contains a set of questions that can be used to determine the extent to which various best business practices are being followed when performing a month-end close. The answers to these questions will help to determine areas for improvement.


    Cash Receipts/ Collections Best Business Practice Checklist

    This checklist contains a set of questions that can be used to determine the extent to which various best business practices are being followed in the areas of Collections and Cash Applications. The answers to these questions will help to determine areas for improvement.


    AML Audit Checklist

    The USA PATRIOT Act requires that all financial institutions maintain an anti-money laundering (AML) program that is tested by independent auditors. This audit checklist is intended to assist financial institutions in preparing for the independent tests of their AML programs. It identifies areas that are generally within the audit scope, and lists the types of information that the auditors will likely request.


    Billing Best Business Practice Checklist

    This checklist contains a set of questions that can be used to determine the extent to which various best business practices are being followed in the area of billing. The answers to these questions will help to determine areas for improvement.


    Accounts Payable Best Business Practice Checklist

    This checklist contains a set of questions that can be used to determine the extent to which various best business practices are being followed in the area of accounts payable. The answers to these questions will help to determine areas for improvement.


    Internal Audit Department Best Practice Evaluation Worksheet

    This evaluation worksheet for internal audit departments provides a checklist of best practice suggestions for five components of an internal audit function: roles & structure, people, process, technology, and knowledge.


    Quarterly Disclosure Controls Assessment Questionnaire

    The purpose of this questionnaire is to facilitate the quarterly assessment of controls surrounding the financial reporting process. This questionnaire can be provided to managers or process owners to support efforts to identify any changes in controls, and to help meet the requirements set out by the SEC.


    Financial Disclosure Communication Questionnaire

    This questionnaire is designed to facilitate communication of items that should be considered for disclosure in SEC filings. It does not include all possible disclosure items, but does include some examples of primary types of items that should be considered.


    Procurement and AP: Segregation of Duties Questionnaire

    This is a segregation of duties overview, matrix, and questionnaire for the procurement and accounts payable process. It will assist internal auditors in identifying individuals who may be performing incompatible duties that could lead to a circumvention of internal controls.


    Handheld Devices Checklists

    These checklists help ensure handheld devices are correctly configured and used, and provide assistance in performing audits of environments containing handheld devices.


    General IT Controls Questionnaire

    This questionnaire assists with the collection of information regarding the control environment of all aspects of an IT department.


    SOA and NYSE Listing Standards: Compliance Checklist

    This compliance checklist provides a summary of the Sarbanes-Oxley Act requirements, final and proposed SEC rules, and the corporate governance standards proposed by the New York Stock Exchange. It includes a disclosure-only checklist, which identifies new and proposed SEC disclosure requirements.


    E-Business Risks: Settlement – Questionnaire for Audit Committees

    Settlement risk is the risk that either the buyer or seller, or both, cannot fulfill their obligations in a transaction. This questionnaire can be used to help assess settlement risks in ebusiness.


    E-Business Risks: Transaction Authority - Questionnaire for Audit Committees

    Transaction authenticity risk is the risk of failure to authenticate a party’s identity, to ensure transactions and contractual agreements are legal and enforceable. This questionnaire can be used to help assess transaction authority risks in ebusiness.


    Internal Controls Questionnaire – General Control Structure

    This questionnaire is designed to help the auditee address the status of their compliance with the company's general control structure, and with specific process level controls.


    E-Business Risks: Financial Instrument – Questionnaire for Audit Committees

    Financial Instrument risk is the risk of not attaining successful trades due to the properties of the financial instruments used. This questionnaire can be used to help assess currency risks in ebusiness.


    E-Business Risks: Currency – Questionnaire for Audit Committees

    Currency risk is the risk that business operations or the value of an investment will be affected by changes in exchange rates. This questionnaire can be used to help assess currency risks in ebusiness.


    E-Business Risks: Organizational Alignment – Questionnaire for Audit Committees

    Organizational alignment can be defined as systematic coordination and alignment of three interrelated driving forces – organizational strategy, organizational culture, and organizational infrastructure – to contribute as efficiently and effectively as possible to meeting organizational goals and objectives. This questionnaire can be used to help assess organizational alignment risks in ebusiness.


    IT Organization Self Assessment Questionnaire

    This high-level self assessment questionnaire can be used by an auditee prior to a review of the IT organization.


    Office Relocation: IT Checklist

    This checklist can be used by IT and telecom personnel when planning an office relocation. It gives the planner an opportunity to inform internal audit about controls and processes employed to minimize the risk of a move, and also suggests other controls and processes that may be appropriate.


    IT Data Management Self Assessment Questionnaire

    This high-level self assessment questionnaire can be used by an auditee prior to a review of IT data management.


    E-Business Risks: Fraud – Questionnaire for Audit Committees

    Fraud is the intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right. There are numerous frauds within the business world and many have transitioned into the Internet community. This questionnaire can be used to help assess the risk of fraud in ebusiness.


    IT Operations Management Self Assessment Questionnaire

    This high-level self assessment questionnaire can be used by an auditee prior to a review of IT operations management.


    Security Management Self Assessment Questionnaire

    The prime function of this high-level self-assessment questionnaire is to provide an overall check on controls prior to a review of security management.


    E-Business Risks: Human Resources Recruiting – Questionnaire for Audit Committees

    In recruiting, companies must become as concerned with selling themselves to potential employees as they are with selling their products and services to consumers. This questionnaire can be used to help assess online human resources recruiting risks in ebusiness.


    Business Continuity Management SA Questionnaire

    This is a high-level self-assessment questionnaire for use in a review of business continuity management.


    IT Application Management Self Assessment Questionnaire

    This high-level self assessment questionnaire can be used by an auditee prior to a review of IT application management.


    E-Business Risks: External Access – Questionnaire for Audit Committees

    Failure to adequately restrict access to critical business information from outsiders (intruders) may result in unauthorized knowledge and use of confidential information by inappropriate parties. This questionnaire can be used to help assess external access risks in ebusiness.


    E-Business Risks: Intellectual Property – Questionnaire for Audit Committees

    Copyright pirates, brand impersonators, patent flouters, and trade secret thieves have grown in number and skill along with new business opportunities on the Internet. These and any other original creative works that are protected by law can be categorized as Intellectual Property (IP). This questionnaire can be used to help assess IP risks in ebusiness.


    E-Business Risks: Customer Service – Questionnaire for Audit Committees

    Customer Relationship Management is rapidly becoming a requirement in order to remain competitive. Customer Service is an essential but often overlooked aspect of online business. This questionnaire can be used to help assess customer service risks in ebusiness.


    IT Asset Management Self Assessment Questionnaire

    This high-level self assessment questionnaire can be used by an auditee prior to a review of IT Asset Management. It gives the auditee an opportunity to inform internal audit about controls and processes they employ, and also gives the auditee ideas about other controls and processes that may be appropriate.


    Business Risk Management Questionnaire

    This questionnaire can help you analyze your risk management processes.


    Business Impact Analysis: DR Plan Checklist

    This checklist allows a Disaster Recovery Plan to be rated. Being able to recover critical systems is important to every organization, but to be successful, an enterprise must establish a method to rank applications and systems and to recover them in a timely manner.


    Supply Chain Sell Phase Questionnaire

    Supply chain activities are made up of five main phases: plan, source, make, deliver, and sell. This questionnaire helps to analyze many attributes of the "sell" phase in a company's total supply chain, and to identify improvement opportunities based on the answers.


    Physical Security Questionnaire

    The security of the equipment and the buildings used by an organization is as important as the security of a specific platform. This questionnaire is the starting point for a physical security assessment.


    Banking Controls: Management Control Structure Evaluation Questionnaire

    This guide is designed to assist management in analyzing the effectiveness of a company's management control structure (MCS) over financial reporting. It consists of a guide to the four main components of the MCS and how they work together, and checklists that can be used to evaluate the effectiveness of those components.


    E-Business Risks: Privacy and Data Protection – Questionnaire for Audit Committees

    This questionnaire can be used to help assess privacy and data protection risks in ebusiness.


    E-Business Risks: Internal Security – Questionnaire for Audit Committees

    Internal security, as it relates to ebusiness, is the task associated with minimizing the risk of loss of information and system resources, corruption of data, disruption of access to the data, and unauthorized disclosure of information. This questionnaire can be used to help assess internal security risks in ebusiness.


    E-Business: Availability – Questionnaire for Audit Committees

    Availability risk is the risk that the people, processes and technology that support critical business functions will not be available for business operations. This questionnaire can be used to help assess availability risk in ebusiness.


    Internal Audit Corporate Risk Checklist

    A risk checklist should be reviewed and completed each year as part of the internal audit planning process. This example covers business, financial, operational, and information services risks, and can help internal audit departments to focus their audit work where it can be most beneficial.


    Pre-Audit Self Assessment Questionnaire: Sample 1

    This questionnaire is used in or before an audit kick-off meeting to elicit input from the auditee(s) and to help better focus the audit work. The questionnaire covers areas such as policies and procedures, reporting requirements, and control issues.


    SAS 70 Control Objectives: Sample Checklist

    This checklist can help an organization prepare for a SAS 70. It is also useful for any organization that wants to review controls over organization and administration, computer operation, application development and maintenance, physical security, logical security, system software maintenance and implementation, and telecommunications and networks.


    Data Output Controls Questionnaire

    Data output controls are used to ensure the integrity of output, and the correct and timely distribution of output produced. This questionnaire helps auditors evaluate the adequacy of output controls to ensure that data processing results are reliable, output control totals are accurate, and reports are distributed in a timely manner.


    Pre-Audit Self Assessment Questionnaire: Sample 3

    Prior to a review, the internal audit department can use this questionnaire to help the auditee address compliance with company control requirements, to let the auditee bring up any issues that need to be known, and to help the auditors gain important pre-audit knowledge.


    Audit Report Writing: Quality Review Checklist

    This checklist will assist auditors in reviewing a completed audit report. It outlines each section of the report and provides lists of items that should be included to produce a quality report.


    Technical Safeguards Questionnaire

    Technical safeguards enforce the security policies and procedures throughout the network infrastructure. This self-assessment questionnaire is the starting point for a technical safeguards assessment.


    IT Organizational Suitability Questionnaire

    Security policies can be rendered useless if the organization does not support the information technology security program. This questionnaire rates the organizational suitability.


    Security Policy Self Assessment Questionnaire

    A security policy is the basis of any security effort, and provides a framework with which to assess the rest of the organization. This self assessment questionnaire is, therefore, the starting point for a Security Assessment.


    Telecommunications Security Assessment Questionnaire

    Enterprises must take precautions to protect their information when being transmitted via various telecom processes. This questionnaire is the starting point for a telecom security assessment.


    Bank Controls: Information Systems Evaluation Questionnaire

    This guide can help bank management and internal auditors to analyze the effectiveness of the internal control structure over financial reporting as it relates to information systems.


    Baseline Controls Assessment (Healthcare) Questionnaire

    This sample workbook can be used by the internal audit department of a healthcare provider to assess the baseline controls at a target company.


    IT Disaster Recovery Plan Assessment Checklist

    This checklist serves as a guide for reviewing a disaster recovery plan. The focus of this review is on information technology continuity, recovery, and restoration.


    Benchmarking Analysis: Enterprise Security

    This questionnaire helps to assess network security at universities. To facilitate the analysis, the questionnaire uses an adaptation of the Carnegie Mellon University Software Engineering Institute’s Process Maturity Model.


    Due Diligence Checklist

    This checklist contains questions to consider in preparation for acquisitions of US businesses.


    Healthcare Management Planning/Risk Assessment Questionnaire

    This questionnaire is intended to be sent to managers throughout an organization with the intention of gaining their opinions on a number of predetermined potential audit areas. Although this example is healthcare-specific, it can be customized and modified for other industries.


    Information Technology Infrastructure Questionnaire

    This questionnaire can be used to gain a high level understanding of an organization's information technology infrastructure.


    Dismissing an Individual with System Privileges: Actions Checklist

    This checklist lists the steps to be taken to ensure the security of critical systems and data after an individual with system privileges has been dismissed.


    Record Retention Questionnaire

    Either premature destruction or loss of records or failure to destroy obsolete records can cause serious problems. This questionnaire helps to assure that records are retained in compliance with any regulatory requirements, and with company policy.


    E-business: Business & IT Strategy Risks Checklist

    This checklist identifies and classifies various types of risks surrounding the practice of ebusiness in the financial services industry - particularly in the UK. It also presents a list of recommended practices surrounding IT for ebusiness.


    Accounts Payable Controls Checklist

    This checklist can be used to determine the existence of accounts payable controls.


    External Auditor Interview Questionnaire

    This questionnaire can be used to conduct interviews with the External Auditor to solicit their views and feedback on a company's Internal Audit function.


    Internal Audit Customer Interview Questionnaire

    This questionnaire can be used to solicit feedback from Internal Audit customers (senior management and others) during a quality assurance review process.


    Notes Receivable Controls Checklist

    This checklist can be used to determine the existence of notes receivable controls.


    Cash Funds Controls Checklist

    This checklist can be used to determine the existence of cash funds controls.


    Questionnaire – Considering Outsourcing/Co-Sourcing of Internal Audit

    The following questions can be used to help decide whether a co-sourcing or outsourcing arrangement would help an organization meet internal audit needs and objectives.


    Inventory and Cost of Sales Controls Checklist

    This checklist can be used to determine the existence of inventory and cost of sales controls.


    International Joint Venture Self Assessment Checklist

    Establishing an International Joint Venture can be a risky undertaking involving significant central management time and resources sometimes considerably beyond that originally anticipated. This checklist identifies just some of the factors that can result in complications.


    Accounting Questionnaire: Property Management

    This questionnaire can be used as a starting point for internal auditors creating a self-assessment form to test accounting controls for property management transactions. More generally, this questionnaire can be used as a template for auditors creating a self-assessment form for any business process or function.


    Management Effectiveness Self Assessment Questionnaire

    A management team that clearly supports and actively creates an environment of quality financial reporting, sound business controls, and ethical behavior is extremely important to audit committee effectiveness. This questionnaire can be used to assess a management team against these ideals.


    Internal Audit Year-End Questionnaire and Sample Results

    This customer satisfaction survey allows management to review, critique, and evaluate the internal audit function on an annual basis. Part 1 is a questionnaire in the form of a Report Card, and Part 2 is a sample of results obtained using the Card.


    Pre-Audit Self-Assessment Questionnaire: Treasury

    This is an example of a preliminary assessment questionnaire which can be presented to managers or process owners prior to conducting an audit.


    Risk Assessment Checklist

    The questions in the checklist can be considered prior to process reviews or operational internal audits. They can be used in facilitated self-assessment sessions, risk assessment workshops or questionnaires, basic auditing work programs, and auditing interviews.


    Meeting Logistics Checklist and Guide

    This checklist and guide helps to identify items that should be considered and provided for when organizing a meeting.


    Billing Controls Questionnaire

    This is an example of a preliminary assessment questionnaire which can be presented to managers or process owners prior to conducting an audit.


    Quarterly Control Assessment Questionnaire

    The purpose of this assessment questionnaire is to monitor the company's internal control structure and processes on a quarterly basis.


    Fixed Assets Questionnaire

    This is an example of a preliminary assessment questionnaire, to be presented to managers or process owners prior to conducting an audit.


    General Controls Questionnaire: Property Management

    This questionnaire can be used as a starting point for creating a self-assessment form to test controls within the property management function.


    Internal Audit Planning Meeting Checklist

    This checklist helps an audit team plan for the first meeting with an auditee for any given project. It prompts the audit team to identify process owners, consider discussion topics, and gather background information in preparation for the meeting.


    Process Control Questionnaire: Managing Patient Financial Services

    This workbook demonstrates one way that an internal auditor can creatively use a simple, graphical questionnaire to gain an understanding of the controls around any business process.


    Order Processing Benchmarking Questionnaire

    This questionnaire can be used to perform a benchmarking survey for order processing. It allows the internal audit department to compare the order processing functions of various divisions within the company, and to assess their effectiveness in comparison with each other.


    Pre-Audit Self Assessment Questionnaire: Sample 2

    This questionnaire should be filled out by an auditee prior to the commencement of any audit work in that department.


    Merger and Acquisition Integration Guide

    The focus of this guide is the Integration phase of a merger or acquisition. The success or failure of this phase will determine whether the merger or acquisition ultimately meets company business goals.


    Marketing and Selling Internal Audit Checklist

    This checklist was created to help internal auditors market and sell their services better, and to increase internal audit value and productivity. The list includes tips for improving customer satisfaction, communicating value, and making internal audit essential to the success of the business.


    Accounts Receivable and Sales Controls Checklist

    This checklist can be used to determine the existence of accounts receivable and sales controls.


    Internal Audit Customer Satisfaction Questionnaire

    This generic customer satisfaction questionnaire can be used to survey internal audit's performance on an audit or review.


    Accrued Liabilities and Other Expenses Controls Checklist

    This checklist can be used to determine the existence of accrued liabilities and other expenses controls.


    Internal Audit Director Interview Questionnaire

    This questionnaire can be used when conducting a quality assurance interview with a Director of Internal Audit.


    Internal Audit Satisfaction Survey: Five Example Questionnaires

    Satisfaction surveys solicit first-hand feedback from auditees on how well the audit team is meeting expectations. Each of these five example survey questionnaires can help the audit team understand and measure their service performance.


    General Controls Checklist

    This checklist identifies good internal controls for general finance-related processes within a company.


    Internal Audit Client Questionnaire

    This questionnaire provides client feedback at the end of an internal audit. The feedback helps the IA group understand how their work is perceived, how effective they have been, and how they can improve their services.


    Payroll Controls Checklist

    This checklist can be used to determine the existence of payroll controls.


    Investments Controls Checklist

    This checklist can be used to determine the existence of investments controls.


    Internal Audit Personnel Interview Questionnaire

    This questionnaire can be used to solicit feedback during interviews with Internal Audit personnel, particularly as part of a Quality Assurance Review process.


    Prepaid Expenses and Deferred Charges Controls Checklist

    This checklist can be used to determine the existence of prepaid expenses and deferred charges controls.


    Shareholders' Equity Controls Checklist

    This checklist can be used to determine the existence of shareholders' equity controls.


    Cash Receipts Controls Checklist

    This checklist can be used to determine the existence of cash receipts controls.


    Individual Audit File Review Checklist

    This checklist is in the form of a template that can be used by a Quality Assurance Review team when reviewing individual audit project work files. Each section of the checklist refers to an Internal Audit Standard.


    Long-Term Liabilities Controls Checklist

    This checklist can be used to determine the existence of long-term liabilities controls.


    Intangibles Controls Checklist

    This checklist can be used to identify the existence of intangibles controls.


    Fixed Assets Controls Checklist

    This checklist can be used to determine the existence of fixed assets controls.


    Internal Audit Customer Questionnaire

    This sample questionnaire consists of an introductory letter and a survey that can be used to solicit feedback about Internal Audit performance - in particular during a Quality Assurance Review (QAR).


    Cash Disbursements Controls Checklist

    This checklist can be used to determine the existence of cash disbursement controls.


    Employee Activity Analysis Questionnaire

    This questionnaire is used to survey the activities employees perform during a "typical" day, and identify what percentage of their time they spend on each activity.


    Facilitated Meetings Checklist

    Facilitated meetings provide a moderated forum for discussions, ideas, and feedback. This checklist helps set up and manage such a meeting.


    Evaluating Process Efficiency: Questions to Consider

    This brief checklist contains a useful set of questions to consider to help pinpoint specific problems and sources of inefficiency. Internal auditors should ask themselves these questions as they evaluate the process under review.


    Activity Based Management (ABM) Pitfalls Checklist

    This checklist identifies thirty common situations to avoid when performing an activity-based management project.


    Internal Audit Productivity Improvement Checklists

    These checklists were created by the MIS Training Institute as guidelines to help internal auditors determine whether they are adding value to their organization, and how they can improve their usefulness and productivity.


