Internal Audit Checklist – Entity Level Controls (ELC)

Columns per entry: Process | Risk Description | Control | Test Performed | Sample Size | Frequency

Process: Ethics and Code of Conduct
Risk Description: Management does not demonstrate character, integrity and ethical values.
Control:
- The company has Codes of Conduct that provide guidance for ethical behavior for all officers, directors and employees, partners and consultants, as well as suppliers. The codes include guidelines to promote integrity, sound business practices, and legal compliance.
- The codes are reviewed and modified as needed.
- Codes of Conduct are available on the company website.
- Annually, all employees are asked to sign a Certification Form indicating that they have received, read, understood, and agree to abide by the Code of Conduct. Annually, partners and consultants are required to provide acknowledgement that they have received and have been in compliance with the relevant policies.
- The requirement to share the Code of Conduct with key and direct suppliers is documented in the Supplier Qualifications Procedures.
- The Compliance team tracks the completion of employee training against the active employee headcount. The Compliance team also reviews the list of employees who have not completed the training and conducts timely follow-ups.
Test Performed:
Control evidence required: Signed Code of Conduct Declaration.
Define the criteria for evaluating compliance with the Code of Conduct. These criteria may include:
1. Clarity and accessibility of the Code of Conduct.
2. Effectiveness of communication channels used to disseminate the Code of Conduct.
3. Employee awareness and understanding of the Code of Conduct.
4. Reporting mechanisms for potential violations or concerns, and actions taken in response to reported violations.
Sample Size: 100%
Frequency: Event driven

Process: Corporate Governance Guidelines
Risk Description: The constitutions of the Board and other committees are not in line with the Companies Act/Regulator requirements.
Control:
- The Board and other committees under the Board are formed/modified in line with the relevant statute requirements like Companies Act, IRDA requirements, RBI requirements etc. (as applicable to the relevant entity).
Test Performed:
Control evidence required: Corporate Governance Guidelines.
1. Ensure that there is a written Corporate Governance Guideline specifying details such as Board Independence, Committees, Qualification and expertise, executive compensation, board evaluation etc.
2. Ensure that the board and other committees as required by the statutes are formed and the roles and responsibilities are clearly laid down.
Sample Size: 100%
Frequency: Yearly

Process: Board Oversight
Risk Description: Board does not clearly define authority to be exercised at Board level and authority delegated to other Directors.
Control:
- Board powers are clearly defined.
- Board powers are derived from the Companies Act, Memorandum of Association (MoA) & Articles of Association (AoA).
- Also, for Directors appointed during the year, a Board Resolution has been passed to define the general powers of a Director.
- Board meetings have been held once every quarter and attendance records have been maintained.
Test Performed:
Control evidence required: Board composition, Corporate Governance Guidelines, Board Minutes, MoA & AoA of the Company.
1. Assess the effectiveness of the board of directors in providing oversight and governance to ensure that the organization's strategic objectives are met, risks are managed appropriately, and compliance with laws and regulations is maintained.
2. Review the Board Structure, Composition, Board meeting minutes, oversight (strategic, compliance, financial, risk).
3. Assess the effectiveness of board committees (e.g. Audit committee, Governance committee) in fulfilling their respective oversight responsibilities.
4. Verify that board members act independently; compare the board's practices against industry best practices and corporate governance guidelines.
Sample Size: 100%
Frequency: Ongoing

Process: Board Oversight
Risk Description: Board does not have a mechanism to review Internal Control over Financial Reporting (ICFR) adequacy and performance.
Control:
- The Board of Directors reviews the performance of the company and adequacy of internal controls through regular interactions with the CFO.
- Monthly reporting is done by the Senior Manager to the CFO, who in turn reports to the BOD.
- Minutes of Board Meetings where the Internal Audit reports are reviewed and adopted by the Board.
- There is an established process of monthly reporting on operations, performance and financial reporting.
- Monthly MIS prepared by the Senior Manager Finance is reviewed by the CFO and Chairman & Managing Director.
Test Performed:
Control evidence required: Board Minutes, MIS for the month, ICFR.
1. Ensure that there is a strong control environment that promotes ethical behavior and a commitment to internal controls.
2. Ensure that minutes of meetings are reviewed and adopted by the Board. Verify if monthly MIS is prepared and reviewed by the management.
Sample Size: 100%
Frequency: Monthly

Process: Risk and Control Matrix
Risk Description: Financial Reporting and related application and information systems are not reliable.
Control:
- On an annual basis, management performs a review of controls and processes including identification of risks and relevant financial statement assertions.
- The final version of the controls and process narratives and any changes made during the year are reviewed by the control/process owners to ensure they are accurate.
- The risk and control matrix is maintained in the company's control management system.
Test Performed:
Control evidence required: Risk and Control Matrix.
1. Check whether all significant risks related to each process or activity are identified and included in the risk control matrix.
2. Ensure that there is a clear and concise mapping of each risk to the corresponding control activities designed to mitigate or manage that risk.
3. Verify that control procedures and protocols are adequately documented for each control activity.
Sample Size: 100%
Frequency: Quarterly

Process: Risk Assessment Process
Risk Description: The Company does not carry out the risk assessment.
Control:
- On a quarterly basis, the Chief Risk Officer (CRO) reports to the Risk committee about the results of the risk assessment. The assessment includes Business risk, Solvency Position, Asset Liability Management, Industry position, etc.
Test Performed:
Control evidence required: Quarterly Risk review presentation.
1. Ensure that the risk assessment process is well-defined and aligned with the organization's goals.
2. Check whether relevant stakeholders, including management, department heads, and subject matter experts are involved in the risk assessment process.
Sample Size: 100%
Frequency: Quarterly

Process: Whistle Blower Mechanism
Risk Description: The complaints received through Whistle blower policies are not enquired into/resolved.
Control:
- The Management monitors/reviews the complaints received through the whistle blower policy.
- The Ombudsman appointed enquires into/investigates the complaints received and suitable action is taken if found guilty.
- On a quarterly basis, the report is provided to the Managing Director & Company secretary and the same is reviewed and placed with the Board.
Test Performed:
Control evidence required: List of whistle blower
Define the criteria for evaluating the effectiveness and efficiency of the whistleblower mechanism, including:
1. User access: The mechanism should be accessible to all relevant stakeholders.
2. Anonymity: Whistle-blowers should be able to report without fear of identification.
3. Confidentiality: The mechanism should safeguard the confidentiality of the reporter and the information provided.
4. Acknowledgment and follow-up: The system should acknowledge receipt of the report and allow for follow-up communication.
5. Timeliness: Reports should be processed promptly.
6. Resolution: The mechanism should facilitate appropriate investigations and resolution of reported issues.
Sample Size: 100%
Frequency: Quarterly

Process: Organizational Structure
Risk Description: Roles and Responsibilities not clearly defined.
Control:
- The company maintains an organizational structure with requisite positions supported by job descriptions that explain skill levels and responsibilities.
- An organizational chart is in place and maintained up to date to communicate lines of reporting.
- The company has set in place a succession plan (prepared by the HR Department) that identifies critical business operations and positions (designation with Managers & above level) and a backup plan is ensured to avoid impact on normal business operations.
Test Performed:
1. Check whether reporting lines are well-defined and clearly communicated throughout the organization and roles, responsibilities, and job descriptions are clearly outlined for each position within the organization.
2. Review whether the succession plan for critical business operations and positions is clearly laid down and maintained.
Sample Size: 100%
Frequency: Yearly

Process: Authorization Matrix
Risk Description: Roles, responsibilities, authorization and approval levels not clearly defined.
Control:
- Departmental policies and Management Guidelines outline responsibilities, authorization, and approval levels for transactions.
Test Performed:
1. Role Definition: Verify that each role or position in the authority matrix has a clear and well-defined scope of responsibilities.
2. Responsibility Assignment: Ensure that each task or activity in the organization is assigned to at least one responsible party in the authority matrix.
3. Accountabilities: Check that each task or activity has a single person or role designated as "Accountable" for its successful completion.
4. Role Mapping: Validate that each individual's name or role listed in the authority matrix matches their actual position and responsibilities in the organization.
5. Approval Process: If there is an approval process defined in the authority matrix, verify that the steps and criteria for approval are clear and adhered to.
6. Delegation and Escalation: Assess whether the authority matrix includes provisions for delegation of responsibilities and escalation procedures for unresolved issues.
Sample Size: 100%
Frequency: Yearly

Process: Segregation of Duties (SOD)
Risk Description: Duties and responsibilities are not appropriately assigned/segregated.
Control:
- Segregation of duties (SOD) controls are implemented throughout the sites where ERP has been implemented.
- SOD deficiencies are monitored, and management identifies compensating controls that are present and functioning to mitigate SOD risks.
Test Performed:
1. Ensure that there is a well-documented policy and procedures manual regarding segregation of duties.
2. Check whether there exists a mechanism to address conflicts identified during the transaction flow analysis.
3. Check whether the SOD controls are reviewed and tested as part of internal and external audits.
Sample Size: 100%
Frequency: Yearly

Process: Strategic Plan
Risk Description: Strategic plans and objectives are not clearly defined.
Control:
- Management periodically reviews entity-wide strategic plans and objectives. The Board of Directors approves the entity-wide strategic plans and objectives.
Test Performed:
Control evidence required: Approved Strategic plans and objectives.
Ensure that the strategic plan includes a clear and compelling vision statement that defines the organization's long-term aspirations and is aligned with the core values of the organization.
Sample Size: 100%
Frequency: Yearly

Process: Budget vs Actuals
Risk Description: The budget estimates are not prepared/set for the business teams. The Senior Management does not review the business operations on a timely basis.
Control:
- Management establishes business plans and budgets as well as measures results against plans quarterly.
- Analyses are independently reviewed for appropriate assumptions and methodology.
- Significant unusual relationships, variances, and exceptions are identified, investigated, and justified.
Test Performed:
Control evidence required: Approved Budget and actuals.
1. Ensure that the budget is accurate, reflecting realistic estimates of revenues and expenses and aligned with the organization's strategic objectives and operational plans.
2. Check whether the assumptions and methodologies used in preparing the budget are clearly documented and communicated.
3. Verify whether the budget incorporates contingency plans to address unexpected events or changes in the business environment.
4. Check whether unusual variances and exceptions are identified and justified.
Sample Size: 100%
Frequency: Yearly

Process: Financial Reporting
Risk Description: Regulatory noncompliance and financial misstatements if suitable accounting principles, policies or rules are not followed.
Control:
- Management specifies financial reporting rules and standards which are consistent with accounting principles suitable and appropriate for the entity.
- Reviews by/consultations with the Statutory Auditors as required by the regulation (annual review) or as considered necessary by the management are done.
- Internal audit coverage extends to compliance review.
- Accounting policies and principles followed are stated in the 'Notes to accounts' in the financial statements.
- Circulars/emails issued for closure of financial transactions are shared. Internal audit is done by professional firms and Internal Audit Reports identify the issues observed. Annual review is done by Statutory Auditors.
Test Performed:
1. Ensure that all employees and relevant stakeholders are aware of the organization's policies and procedures.
2. Verify whether there is a process to monitor and assess compliance with policies regularly.
3. Check whether internal controls are in place to detect and prevent non-compliance with policies.
Sample Size: 100%
Frequency: As and when

Process: Review of Related Party Transactions
Risk Description: Absence of an appropriate mechanism of related party transactions identification can lead to regulatory non-compliance and/or financial misstatements.
Control:
- Various compliances under different statutes in relation to transactions with a related party (transfer pricing related compliance and return filing) are verified.
- Audit Committee and Board approval are taken for related party transactions.
Test Performed:
1. Ensure that all related parties, including individuals, entities, and key management personnel, are identified and appropriately disclosed.
2. Check whether related party transactions have been assessed for materiality and material transactions are adequately disclosed.
3. Check whether audit committee approval and board approval are obtained for related party transactions.
Sample Size: 100%
Frequency: As and when

Process: Internal Audit
Risk Description: A robust system of monitoring through periodic internal audits or control Self Assessments has not been established.
Control:
- The Internal Audit function is led by and staffed with qualified, competent personnel with appropriate professional credentials and designations.
- For purposes of independence, Internal Audit reports functionally to the Audit Committee of the BOD and administratively to the CEO.
- Internal Audit completes an annual risk assessment and audit plan and provides periodic updates of its activities to executive management and the Audit Committee.
Test Performed:
1. Ensure that audit objectives are aligned with the organization's goals and risks.
2. Verify whether the scope of internal audit is adequately defined and documented.
3. Ensure that the internal audit function is independent and free from undue influence or conflicts of interest.
4. Check whether the auditor possesses the necessary skills, knowledge, and qualifications to perform their duties effectively.
Sample Size: 100%
Frequency: Ongoing

Process: Information technology controls
Risk Description: Company infrastructure and IT systems being used for fraudulent activities, thereby affecting the reputation and increasing the legal risks attached.
Control:
- IT policies and practices are properly documented and communicated to achieve consistency across business units.
- Policies are communicated to users via the Company Intranet and policy updates are approved annually by management. Adequate measures are taken to protect sensitive information and data privacy.
Test Performed:
1. Ensure that IT policies cover all relevant areas, such as information security, data privacy, IT governance, IT asset management, acceptable use, and disaster recovery.
2. Verify if the IT policies are in alignment with the organization's overall business objectives and risk appetite.
3. Check whether the IT policies are in compliance with relevant laws, regulations, and industry standards applicable to the organization's operations.
Sample Size: 100%
Frequency: Quarterly

Process: Information & Communication - External Communication
Risk Description: In the absence of clear communication channels for external parties, employee/management malpractices may not come to light, and may have a reputation risk with respect to third parties.
Control:
- There are properly identified communication channels (email ids) for third parties under the grievance mechanism.
Test Performed:
Control evidence required: Dedicated email id created to register complaints; details available on company website.
1. Ensure that email ids are created specifically for addressing third party grievances.
2. Verify whether the email id is made available on the company website.
3. Ensure that ethical considerations are prioritized in all external communication efforts.
4. Verify whether key personnel are trained to handle crisis communication effectively.
Sample Size: 100%
Frequency: As and when

Process: Information & Communication - Management Oversight
Risk Description: Risk events, exceptional and unusual events remain unreported to the management and hence the risk management framework is not duly enhanced.
Control:
- Formal communication process established for escalating disruption to operations, occurrence of risk events and any material exceptional event.
- Periodic MIS / Dash Boards, highlighting all exceptions.
- Board meetings and management reviews discuss unusual events.
- Monthly MIS prepared by the Senior Manager - Finance department is reviewed and approved by the CFO, Chairman & Managing Director.
Test Performed:
Control evidence required: Procedure on Communication Protocol, MIS.
1. Ensure that a formal communication process is established for escalating disruption to operations.
2. Verify whether there is an established communication protocol for different types of information (e.g., financial, operational, strategic).
3. Ensure that the monthly MIS is reviewed and approved by the Senior management.
Sample Size: 100%
Frequency: Monthly
