This page, Appendix B: Requirements of the Internal Control Plan Checklist in the Comptroller of the Commonwealth’s Internal Control Guide, is offered by the Office of the State Auditor.

Appendix B: Requirements of the Internal Control Plan Checklist in the Comptroller of the Commonwealth’s Internal Control Guide

An overview of the items that are required in an Internal Control Plan.

Overview

An internal control plan should have a statement of awareness and compliance with Chapter 647 guidelines in addition to the eight ERM components.

A. Statement of Compliance with Chapter 647

B. Evidence of ERM Components—does it include all principles related to each Component?

  1. Internal Environment—Leadership demonstrates a commitment to integrity, ethical values and competence
    a. Tone at the Top, Mission Statement, Ethical Expectations, Standards and Adherence to Conduct
    b. Department Head statement of support of the Internal Control Plan
    c. Is the ICP readily available, distributed and communicated throughout the organization?
  2. Objective Setting—measurable targets or purpose of the organization’s efforts
    a. Goals and Objectives are defined, and aligned to the Mission Statement
  3. Event Identification—occurrences that could prohibit the accomplishment of objectives
    a. Have risks that may impede the achievement of each objective been identified?
    b. Are risks linked to objectives?
  4. Risk Assessment—Impact and likelihood of occurrence for each potential risk identified.
    a. Assessment of risks is performed in determining how risks should be managed
    b. Potential for Fraud is considered in assessing risks

    A risk assessment can be a significant undertaking and result in a large volume of information. For purposes of the ICP, the Risk Assessment component need only be a short summary of how and when the assessment was conducted. The summary should include who was involved, the programs and activities considered, how risks were rated (what scale/methodology was used and whether it was applied consistently throughout the process), and how they were prioritized and by whom. The existence and location of the risk assessment documentation should be referenced here.
  5. Risk Response—how the organization will respond to an event
    a. Are responses appropriate for significance of risks?
    b. Necessary changes and management of risks is determined in order to achieve objectives
  6. Control Activities—mitigation steps that are linked to risk events
    a. Policies and procedures
    b. Preventive and Detective controls
    c. Segregation of duties
    d. Are control activities linked to risks?

    Goals, objectives, risk events and control activities should be linked as follows:
    1. Goal #1
      a. Objective #1 for Goal #1
        i. Risk #1 for Objective #1 for Goal #1
          a. Internal Control #1 for Risk #1 for Objective #1 for Goal #1
          b. Internal Control #2 for Risk #1 for Objective #1 for Goal #1
        ii. Risk #2 for Objective #1 for Goal #1
          a. Internal Control #1 for Risk #2 for Objective #1 for Goal #1
          b. Internal Control #2 for Risk #2 for Objective #1 for Goal #1
  7. Information and Communication—internal and external
    a. Information—quality information is generated for and/or from both external and internal sources
    b. Communication—internal communication is disseminated throughout the organization, and information to external parties is appropriately communicated
  8. Monitoring—each component is evaluated to keep the Internal Control Plan up to date
    a. Ongoing and separate evaluations are used to ascertain whether each of the components of ERM is present and functioning.

Date published: January 14, 2019
