Entity Control Risk Matrix
- The agency does not provide guidance for disciplinary actions, when appropriate

Management's Commitment to Competence
- Personnel do not possess and maintain the level of competence that allows them to accomplish their assigned duties
- Personnel do not understand the importance of developing and implementing good internal control
- Management has not identified appropriate knowledge and skills needed for various
- Management does not provide needed training
- Management does not provide candid and constructive counseling
- Management does not provide performance appraisals

Management Philosophy & Operating Style
- Management takes too much risk
- Management has not adopted performance-based management
- Management has a dismissive attitude toward information systems
- Management has a dismissive attitude toward accounting functions
- Management has a dismissive attitude toward personnel functions
- Management has a dismissive attitude toward monitoring functions and activities
- Management has a dismissive attitude toward audits and evaluations
- Management does not have a good relationship with Congress
- Management does not have a good relationship with central oversight agencies such as OMB
- Management does not have a good relationship with the OIG

Organizational Structure
- The agency's organizational structure does not provide a framework for planning, directing, and controlling operations to achieve agency objectives
- The agency's organizational structure does not define key areas of authority and
- The agency's organizational structure does not establish appropriate lines of reporting

Assignment of Authority & Responsibility
- The agency does not have procedures in place to delegate authority and responsibility
- The agency does not have documented procedures in place to delegate authority and

Reviews by Management at the Functional or Activity Level
- Management does not compare actual performance to planned or expected results and analyze significant differences
- The agency has not established, and/or does not regularly review, performance measures and indicators

Segregation of Duties
- The agency has not properly segregated key duties and responsibilities
- Employees are authorizing and executing transactions and other significant events outside the scope of their authority

Access Restrictions to and Accountability for Resources and
- Documentation is not readily available for examination

Physical Control Over Vulnerable Assets
- Information systems lack general controls
- Information systems lack application controls
- Management does not provide adequate training for the personnel to ensure job
- Management does not provide adequate incentives for the personnel to ensure job
- Management does not continually assess personnel skills
- Management does not provide qualified and continuous supervision of internal control
- Management does not retain valuable personnel
- Management does not plan for personnel replacement

Controls over Information Processing
- Data entry edit checks are not conducted
- Transactions are not accounted for using numerical sequences
- Access to data, files, and programs is not controlled

Establishment and Review of Performance Measures and Indicators
- Analysis cannot be conducted due to inconsistent or nonexistent performance indicators

Proper Execution of Transactions and Events
- Personnel are unclear about levels of authority
- Personnel enter into contracts or agreements that are beyond their scope of authority

Accurate and Timely Recording of Transactions and Events
- Transactions are not entered in a timely manner

Information Systems - General Controls
- The agency does not have a corporate information systems architecture
- The agency is developing information systems outside of the corporate architecture

Information Systems - Application Controls
- The agency does not have disaster recovery plans in place
- Management has not recently revisited the sufficiency of disaster recovery plans

Information & Communication
An agency must have relevant, reliable, and timely communications relating to internal and external events in order to properly run and control its operations. Information is needed throughout the agency to achieve all of its objectives.

Internal relevant, reliable, and timely communications
- Information does not generally flow down, across, and up the agency
- Management does not have access to operational and/or financial data
- Pertinent operational and/or financial information is not identified, captured, and distributed in a form and time frame that permits employees to perform their duties efficiently

External relevant, reliable, and timely communications
- There is a lack of adequate means of communicating with, and obtaining information from, external stakeholders that may have a significant impact on the agency achieving its goals

Identify Risks and Risk Factors, Internal and External
- Management has not comprehensively identified risks at the Agency level

Risk Analysis and Actions
- Management does not assess risk significance
- Management does not assess the likelihood of risk occurrence
- Management does not assess what actions should be taken to mitigate risks
- Management does not manage risk
- Management does not have mechanisms in place to identify and deal with risks that are unique to the operating environment of the Government

Monitoring
Internal control monitoring assesses the quality of performance over time and ensures that the findings of audits and other reviews are promptly resolved.

Regular Management and Supervisory Activities
- Ongoing monitoring does not occur in the course of normal operations
- Monitoring efforts do not include regular management and supervisory activities
- Monitoring efforts do not include comparisons, reconciliations, and other actions that people take in performing their duties
- Deficiencies found during ongoing monitoring are not communicated to the individual responsible for the function
- Deficiencies found during ongoing monitoring are not communicated to at least one level of management above the individual responsible for the function
- Serious matters found during ongoing monitoring are not reported to top management

Separate Evaluations of Controls
- There are no separate evaluations of internal control effectiveness
- Separate evaluations of controls do not focus directly on their effectiveness at a specific time
- Deficiencies found during separate evaluations are not communicated to the individual responsible for the function
- Deficiencies found during separate evaluations are not communicated to at least one level of management above the individual responsible for the function
- Serious matters found during separate evaluations are not reported to top

Policies and Procedures for Audit Findings
- Policies and procedures have not been established for ensuring that findings of audits and other reviews are promptly resolved

Review and Evaluate Findings
- Management does not promptly evaluate findings from audits and other reviews

Develop Action Plan in Response to Findings
- Management does not determine the proper actions in response to findings and recommendations from audits and other reviews

Complete Findings Action Plan
- Management does not complete, within established timeframes, all actions that correct or otherwise resolve the matters brought to management's attention
- This is a listing of possible Entity Control risks. It is not necessarily all-inclusive of every possible risk that may impact an Entity Control area or sub-category.
- The term "agency" in this context means not only the organization as a whole, but also distinct sub-components of the organization.
- This information was derived from Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, November 1999). It is recommended that these Standards be reviewed for more detailed information on Entity Controls.