Fiscal Management

Internal Control Tools for Audit Committees

This tool gives audit committees basic information about internal control, its effective use in the organization, and the requirements of management with respect to the system of internal control over financial reporting. The toolkit is useful for not-for-profit grantees to understand the basics of internal control. The primary responsibility of the audit committee with respect to internal control is the system of internal control over financial reporting.

The following is an excerpt from AICPA Audit Committee Toolkit.

Instructions for Using This Tool. This tool is created around the five interrelated components of an internal control structure. Within each component is a series of questions that the audit committee should focus on to assure itself that controls are in place and functioning. These questions should be discussed in an open forum with the individuals who have a basis for responding to the questions. The audit committee should ask for detailed answers and examples from the management team, including key members of the financial management team, internal auditors, and independent auditors to assure itself that the system is operating as management represents. Evaluation of the internal control structure is not a one-time, but rather a continuous, event for the audit committee. The audit committee should always have its eyes and ears open for potential weaknesses in internal control and should continuously probe the responsible parties regarding the operation of the system. These questions are written in a manner such that a "no" response indicates a weakness that must be addressed.

Integrity and Ethical Values

  • Does the organization have a comprehensive code of conduct, and/or other policies addressing acceptable business practice, conflicts of interest, and expected standards of ethical and moral behavior?    
  • Is the code distributed to all employees? Are all employees required to annually acknowledge that they have read, understood, and complied with the code? Does management demonstrate through actions its own commitment to the code of conduct? 
  • Are dealings with clients and other constituents, customers, suppliers, employees, and other parties based on honesty and fair business practices?
  • Does management take appropriate action in response to violations of the code of conduct? Is management explicitly prohibited from overriding established controls? 
  • What controls are in place to provide reasonable assurance that controls are not overridden by management? Are deviations from this policy investigated and documented? 
  • Are violations (if any) and the results of investigations brought to the attention of the audit committee? Is the organization proactive in reducing fraud opportunities by (1) identifying and measuring fraud risks, (2) taking steps to mitigate identified risks, (3) identifying a position within the organization to own the fraud prevention program, and (4) implementing and monitoring appropriate preventative and detective internal controls and other deterrent measures? Does the company use an anonymous ethics and fraud hotline and, if so, are procedures in place to investigate and report results to the audit committee? (See also the tool Sample Whistleblower Tracking Report, in this toolkit.) 

Commitment to Competence

  • Are the level of competence and the requisite knowledge and skills defined for each job in the accounting and internal audit organizations?
  • Does management make an effort to determine whether the accounting and internal audit organizations have adequate knowledge and skills to do their jobs?

Board of Directors or Audit Committee

  • Are the audit committee's responsibilities defined in a charter? If so, is the charter updated annually and approved by the board of directors? 
  • Are audit committee members independent of the company and of management? 
  • Do audit committee members have the knowledge, industry experience, and financial expertise to serve effectively in their role? 
  • Are a sufficient number of meetings held, and are the meetings of sufficient length and depth to cover the agenda and provide healthy discussion of issues? 
  • Does the audit committee constructively challenge management's planned decisions, particularly in the area of financial reporting, and probe the evaluation of past results?
  • Are regular meetings held between the audit committee and the CFO, the CAE (internal audit), other key members of the financial management and reporting team, and the independent auditors? Are executive sessions conducted on a regular basis?
  • Does the audit committee approve internal audits of the annual audit plan? Does the audit committee receive key information from management in sufficient time in advance of meetings to prepare for discussions at the meetings? 
  • Does a process exist for informing audit committee members about significant issues on a timely basis and in a manner conducive to the audit committee having a full understanding of the issues and their implications?
  • Is the audit committee informed about personnel turnover in key functions including the audit team (both internal and the independent auditors), senior executives, and key personnel in the financial accounting and reporting teams? 
  • Are unusual employee turnover situations observed for patterns or other indicators of problems? 

Management's Philosophy and Operating Style

  • Is the accounting function viewed as a team of competent professionals bringing information, order, and controls to decision-making? 
  • Is the selection of accounting principles made in the long-term best interest of the organization (as opposed to short-term maximization of income)? 
  • Are assets, including intellectual assets, protected from unauthorized access and use? 
  • Do managers respond appropriately to unfavorable signals and reports? 
  • Are estimates and budgets reasonable and achievable? 

Organizational Structure

  • Is the organizational structure within the accounting function and the internal audit function appropriate for the size of the organization? 
  • Are key managers in the accounting and internal audit functions given adequate definition of their responsibilities? 
  • Do sufficient numbers of employees exist, particularly at the management levels in the accounting and internal audit functions, to allow those individuals to effectively carry out their responsibilities? 

Assignment of Authority and Responsibility

  • Is the authority delegated appropriate for the responsibilities assigned?
  • Are job descriptions in place for management and supervisory personnel in the accounting and internal audit functions?
  • Do senior managers get involved as needed to provide direction, address issues, correct problems, and/or implement improvements?

Human Resources Policies and Practices

  • Are policies and procedures in place for hiring, training, promoting, and compensating employees in the accounting and internal audit functions?
  • Do employees understand that sub-standard performance will result in remedial action? Is remedial or corrective action taken in response to departures from approved policies?
  • Do employees understand the performance criteria necessary for promotions and salary increases?

Risk Assessment

  • Does the organization consider risks from external sources such as creditor demands, economic conditions, regulation, or labor relations?
  • Does the organization consider risks from internal sources such as key employees (retention and succession planning), financing and the availability of funding for key programs, competitive compensation and benefits, information systems security, and backup systems?
  • Is the risk of a misstatement of the financial statements considered, and are steps taken to mitigate that risk?
  • If applicable, are the risks associated with foreign/off-shore operations considered, including their impact on the financial reporting process?

Control Activities

  • Does the organization have a process in place to ensure that controls as described in its policy and procedures manuals are applied as they are meant to be applied?
  • Do the policy and procedures manuals document all important policies and procedures? Are these policies and procedures reviewed and updated on a regular basis? If so, by whom?
  • Do supervisory personnel review the functioning of controls? If so, how is that review conducted and what happens to the results?
  • Is appropriate and timely follow-up action taken on exceptions?

Information and Communication

  • Is a process in place to collect information from external sources, such as industry, economic, and regulatory information, that could have an impact on the organization and/or the financial reporting process? 
  • Are milestones to achieve financial reporting objectives monitored to ensure that timing deadlines are met? Is necessary operational and financial information communicated to the right people in the organization on a timely basis and in a format that facilitates its use, including new or changed policies and procedures?
  • Is a process in place to respond to new information needs in the organization on a timely basis? Is there a process in place to collect and document errors or complaints to analyze, determine cause, and eliminate a problem from recurring in future? 
  • Is a process established and communicated to officers, employees, and others, about how to communicate suspected instances of wrongdoing by the company or employees of the company? 
  • Further, does a process exist to ensure that anyone making such a report is protected from retaliation for making such a report?


  • Do officers and employees understand their obligation to communicate observed weaknesses in design or compliance with the internal control structure of the organization to the appropriate supervisory or management personnel? 
  • Are interactions with external stakeholders periodically evaluated to determine if they are indicative of a weakness in the internal controls structure? (For example, consider the frequency of complaints about incorrect invoices, statements, and acknowledgments) 
  • Is there follow up on recommendations from the internal and external auditors for improvements to the internal control system?
  • Are personnel required to sign off, indicating their performance of critical control activities such as performing reconciliations?
  • Does the internal audit team have the right number of competent and experienced staff? Do they have access to the board of directors and audit committee?
  • Is the reporting structure in place to ensure their objectivity and independence? 
  • Is the work of the internal audit team appropriate to the organization's needs, and prioritized with the audit committee's direction?