Internal Control & Risk Assessment Resources

These resources are intended to help an agency understand its risks and identify controls to minimize those risks. Agencies may use the sample checklists and questionnaires as a start in their internal risk assessments and/or internal control evaluations and modify them as necessary. The agency internal control officer should approve any questionnaires or checklists prior to usage.

We invite and welcome agencies that have developed alternative checklists or questionnaires to share these with other agencies on this resource site. Especially needed are checklists that reflect updated controls applicable to new technologies such as electronic receipts or disbursements.

1. SAS 112 Communicating Internal Control Related Matters Identified in an Audit - Q & A (PDF)
   
   
2. Internal Control Publications
   
   
   • NASACT (National Association of State Auditors, Comptrollers, and Treasurers) Internal Control Guidebook. This could be used for general information or as the starting point for an agency’s internal control policy. If you use the Guidebook, read it in conjunction with SAAM Chapter 20 to be sure your agency policy is consistent with the requirements of SAAM.
   • NCOSC (North Carolina Office of State Controller) Internal Controls Questionnaire. This is a self-assessment internal control questionnaire that could be used as a starting point and customized to an agency’s needs.
   • State of Massachusetts Internal Control Guide.
   • COSO web site. COSO offers various internal control publications. Some are available to download free; others may be purchased.
   • GAO (United States Governmental Accountability Office), Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1, November 1999. This is good summary information on the 5 components of internal control, especially control activities.
   • GAO Governmentwide Purchase Cards: Actions Needed to Strengthen Internal Controls to Reduce Fraudulent, Improper, and Abusive Purchases, GAO-08-333, March 2008.
   • GAO Internal Control Management and Evaluation Tool, GAO-01-1008G, August 2001. This includes major and subsidiary considerations for each of the 5 internal control components to use in assessing internal control.
   • CobiT (Control Objectives for Information and Related Technology) website. You can download the CobiT summary and framework from here. Be sure to read and comply with the copyright language.
3. Small and Attractive Capital Assets Risk Assessment Guidelines (Word)
   
   
4. Sample Checklists and Questionnaires
   
   
• Sample Risk Assessment Questionnaires - General Risk Assessment
• Sample Self-Assessment Questions
• Self Risk Assessment Questionnaire - Sample 1
• Self Risk Assessment Questionnaire - Sample 2
• Self Risk Assessment Questionnaire - Sample 3
• Sample Internal Control Checklists for all Funds - Fixed Assets
• Sample Internal Control Checklists - General
• Sample Internal Control Checklists - Additional Checklists for Proprietary Funds
• Sample Internal Control Activities - Activities for all funds
• Sample Internal Control Activities - Sales
• Sample Internal Audit Programs - Programs for all Funds
• Sample Internal Audit Programs - Additional Programs for Proprietary Funds
5. Flow Chart of Internal Control Concepts (PDF)

Last modified: May 11, 2009
E-mail: OFM.Accounting@ofm.wa.gov