Checklist to Measure the Maturity of Internal Control Processes According to the COSO Framework
[Please answer each question based on the current status of the components of internal control processes.]
[Use a scale of (1 - 5) where:]
[1 = Non-existent]
[2 = Very weak]
[3 = Average]
[4 = Advanced]
[5 = Fully mature]
[Part One: Control Environment (20 Questions - 28.5%)]
No. Question Maturity Level (1-5)
1 Does the organization have a clear internal control charter approved by the board of directors?
2 Is there a documented ethical framework that includes organizational values and policies?
3 Are integrity and transparency reinforced as core values within the organization?
4 Do the board of directors and the audit committee have a clear understanding of their role in internal control?
5 Is the performance of the audit committee regularly evaluated?
6 Is there strong commitment from senior management to support and implement internal control policies?
7 Are the roles and responsibilities of all employees clarified regarding internal control?
8 Is there a clear separation of conflicting responsibilities within operational processes?
9 Are employees provided with periodic training on internal control and professional ethics?
10 Is there a clear policy for protecting whistleblowers and ensuring no retaliation against them?
11 Are disciplinary actions applied to those who violate internal control policies?
12 Is the internal control environment evaluated by independent external parties?
13 Is there a commitment to applying international standards for internal control (e.g., COSO and IIA)?
14 Does the organization have a clear policy for managing conflicts of interest?
15 Are employee behaviors monitored and evaluated to ensure compliance with ethical standards?
16 Is there a system to monitor changes in regulatory requirements and ensure compliance?
17 Are risks of fraud and misconduct regularly assessed?
18 Is there a clear policy for granting authorities and powers within the organization?
19 Is an independent periodic audit conducted on the effectiveness of control measures?
20 Does the organization foster a culture of accountability by following up on corrective actions?
[Part Two: Risk Assessment (15 Questions - 21.5%)]
No. Question Maturity Level (1-5)
21 Does the organization have a formal framework for assessing operational and financial risks?
22 Is the risk assessment updated periodically based on internal and external changes?
23 Are all departments involved in identifying and analyzing risks?
24 Are risks classified based on their impact and likelihood of occurrence?
25 Is there a clear strategy for addressing critical risks?
26 Are stress tests and scenarios applied to understand the potential impacts of risks?
27 Are future trends and changes that may affect the organization analyzed?
28 Are risks associated with external parties (suppliers, partners) assessed?
29 Is there a mechanism to identify new risks and deal with them proactively?
30 Are data analysis tools and artificial intelligence used in risk assessment?
31 Are there policies and procedures for managing cybersecurity risks?
32 Is risk assessment integrated into the strategic decision-making process?
33 Is there a system to monitor financial risks and assess their impact on liquidity and profitability?
34 Are key performance indicators (KPIs) applied to measure the effectiveness of risk management?
35 Is there coordination between internal risk management and internal audit?
[Part Three: Control Activities (15 Questions - 21.5%)]
No. Question Maturity Level (1-5)
36 Are preventive controls implemented to detect errors and deviations before they occur?
37 Are all processes and policies formally documented?
38 Are there mechanisms to check employees' compliance with operational procedures?
39 Are periodic audits conducted to verify the effectiveness of internal controls?
40 Is there a system to ensure the accuracy of financial and operational reports?
41 Are technological systems used to monitor compliance with control policies?
42 Are periodic audits conducted to protect sensitive data and information?
43 Is there a review and approval process for critical financial transactions?
44 Are duties segregated to prevent fraud and errors?
45 Are surprise audits conducted on sensitive processes?
46 Is there a robust system for reviewing and controlling expenses and expenditures?
47 Are the causes of operational problems analyzed and corrective actions taken?
48 Is there a periodic review of the efficiency of cybersecurity controls?
49 Is compliance data analyzed to detect abnormal patterns?
50 Are weaknesses in the control system continuously identified and corrected?
[Part Four: Information and Communication (10 Questions - 14%)]
No. Question Maturity Level (1-5)
51 Are accurate and comprehensive reports on the effectiveness of controls provided to senior management?
52 Are open communication channels available for reporting internal control issues?
53 Is it ensured that the information circulated within the organization is reliable and accurate?
54 Are modern technologies used to analyze data and improve reporting?
55 Is there a clear policy for disclosing risks and controls to regulatory bodies?
56 Are employees trained on best practices in documenting information?
57 Is there an automated system for exchanging information between departments?
58 Is the effectiveness of communication between different departments measured?
59 Is there integration between risk reports and financial and operational reports?
60 Is the risk reporting process improved based on lessons learned?
[Part Five: Monitoring and Evaluation (10 Questions - 14%)]
No. Question Maturity Level (1-5)
61 Are periodic reviews conducted on the effectiveness of internal controls?
62 Is there a dedicated team to assess compliance and risk control?
63 Is the performance of internal controls measured using key performance indicators?
64 Are corrective action plans implemented when weaknesses are identified?
65 Is there a mechanism to assess the actual impact of control measures?
66 Is the implementation of corrective actions monitored and their effectiveness evaluated?
67 Is the board of directors involved in reviewing the results of internal audits?
68 Are control processes improved based on evaluation results?
69 Is the organization's performance compared to industry benchmarks?
70 Is there a framework for continuously updating control policies?