
Internal Control Survey Template

Use this internal control self-assessment (ICSA) survey to spot where controls break (design, execution, or evidence) by process and location -- then turn the gaps into a prioritized fix list. Before you send, pick your scope (processes + locations), then tag respondents by role (owner / performer / approver). Customize fast: keep the core People/Process/Technology/Governance blocks, add one process module, and remove anything out of scope (SOX/ICFR vs operational).

10 questions. Completion time: 7 min. Rating: 4.6. Uses: 3.9k+.

Internal control policies and procedures are clearly communicated to all employees.
  Scale: 1 (Strongly disagree) to 5 (Strongly agree)

I understand my role and responsibilities in the company's internal control processes.
  Scale: 1 (Strongly disagree) to 5 (Strongly agree)

There are effective monitoring mechanisms to ensure compliance with internal control procedures.
  Scale: 1 (Strongly disagree) to 5 (Strongly agree)

I receive adequate training on internal control policies and procedures.
  Scale: 1 (Strongly disagree) to 5 (Strongly agree)

Management takes prompt corrective action when control deficiencies are identified.
  Scale: 1 (Strongly disagree) to 5 (Strongly agree)

How often do you perform internal control activities relevant to your role?
  Options: Daily / Weekly / Monthly / Quarterly / Rarely or never

What improvements would you suggest to strengthen our internal control system?

Please share any additional comments or concerns regarding internal controls.

Please select your department.
  Options: Finance / Operations / IT / Human Resources / Sales / Marketing / Other

How long have you been with the company?
  Options: Less than 1 year / 1-3 years / 4-6 years / 7-10 years / More than 10 years


When to Run This Internal Control Survey

Pre-testing SOX/ICFR readiness pulse (input, not assurance)

Example timing window (adjust to your testing calendar and risk): Send this about 2-4 weeks before walkthroughs and testing. Ask owners, performers, and approvers where evidence breaks down (missing, late, unclear). Use results to focus your testing plan and coaching, not to conclude control effectiveness. For common ICSA use cases, see Arizona's internal control self-assessment surveys guidance.

Post-incident or near-miss review

Example window (adjust for severity and close cycle): Run it within about 10 business days after a late reconciliation, override pattern, policy exception spike, or close delay. Separate questions by role so you can pinpoint where the chain broke: design (owner), execution (performer), or challenge/monitoring (approver).

After a major change (ERP, shared services, re-org)

Example stabilization window (adjust to go-live complexity): Send it about 30-60 days after go-live or org changes. Confirm responsibilities, access, and monitoring still work as intended. Tag respondents by location and process so you can spot site-by-site drift.

Next action: Pick one trigger above, then move to the question blocks and remove anything outside your scope.

Internal Control Survey Questions (with a Process-by-Process Customization Map)

Build your survey from four blocks so non-auditors answer consistently: People (clarity/training), Process (steps/evidence), Technology (access/tools), and Governance (review/escalation). Keep most items on a 5-point agree/disagree scale or a simple frequency scale. Use Likert scale questions for clear, trendable scoring, and save open comments for root cause hints.

  • Keep: An internal starter set of ~8-12 core questions that apply to every process (ownership, evidence, review, escalation). Adjust after your first baseline run.
  • Add: One process module (AP, payroll, revenue, close/reporting, vendor master, IT access/change) with ~3-6 targeted items. Calibrate length to respondent burden.
  • Remove: Any question that would ask for sensitive data. Ask for evidence type (report name, timestamp, approver), not transaction details.

Write questions in plain language, avoid leading wording, and keep response options consistent. A practical checklist for survey quality is in AAPOR's best practices for survey research.

"I know who owns this control and who performs each step."

Why it matters: Control gaps start with unclear ownership. You cannot fix evidence or timing if roles are fuzzy.

When to use: Include in every run. Segment by owner vs performer vs approver to spot responsibility drift.

Question type: Likert. Segment by: role, process, location

"I have been trained on what evidence to keep (what, where, and how long)."

Why it matters: Teams can do the work but still fail on evidence standards. This item separates execution from documentation.

When to use: Use when you see rework during testing or frequent follow-ups for support.

Question type: Likert. Segment by: role, tenure, location

"This control is performed on time (by the due date or cadence)."

Why it matters: Late controls create blind spots. Timeliness problems usually point to workload, handoffs, or unclear triggers.

When to use: Use in close/reporting, reconciliations, and monitoring controls. Pair with a frequency scale if timing varies.

Question type: Frequency. Segment by: process, location, period (month/quarter)

"If the control cannot be completed as designed, we log an exception and document the disposition."

Why it matters: Unlogged exceptions hide control breakdowns. Logging and disposition protects you when conditions change.

When to use: Include when you have manual controls, shared services handoffs, or frequent policy exceptions.

Question type: Likert. Segment by: process, site, vendor/customer type

"Approvals (or reviews) consistently challenge unusual items, not just completeness."

Why it matters: A check-the-box review does not reduce risk. You want review precision -- what gets checked and why.

When to use: Use for management review controls, journal entry review, and reconciliation review.

Question type: Likert. Segment by: approver level, process, location

"System access supports segregation of duties (no one person can create and approve the same item)."

Why it matters: Bad access design can bypass good process steps. This question flags SoD risk without asking for usernames or roles.

When to use: Use for AP, payroll, vendor master, and any process with creation + approval steps.

Question type: Likert. Segment by: system, process, location

"Reports used as evidence are complete and accurate (and we can show how we know)."

Why it matters: IT-dependent reports fail when teams cannot show report logic, parameters, or access controls.

When to use: Add for any control that relies on an ERP query, BI report, or system-generated exception list.

Question type: Likert. Segment by: system, report type, role

"I know the escalation path when I see a control issue (who to tell and how fast)."

Why it matters: A control that cannot be escalated becomes a silent failure. Escalation clarity supports fast containment.

When to use: Include in every run. Compare performers vs approvers to see where issues get stuck.

Question type: Likert. Segment by: role, location, shift

"What is the biggest barrier to performing this control on time (handoff, workload, system, unclear instructions, other)?"

Why it matters: You need a fixable root cause, not a low score. This prompt gives you a short list of obstacles to triage.

When to use: Use after each low-scoring section or only for high-risk processes to limit burden.

Question type: Open comment. Segment by: process, location, role

| Process | Typical control themes to cover | SOX/ICFR scope -- keep/add/remove | Operational scope -- keep/add/remove |
|---|---|---|---|
| AP | 3-way match, approvals, vendor changes, SoD, payment runs, exception handling | Keep: approvals, SoD, evidence quality. Add: IT-dependent report reliability. Remove: cycle-time opinion items. | Keep: timeliness, handoffs, exception log. Add: rework drivers. Remove: deep ICFR-only evidence wording. |
| AR / revenue | price/term authorization, credit approvals, revenue recognition triggers, adjustments, monitoring | Keep: authorization, review precision, evidence standards. Add: override controls. Remove: tooling wishlist. | Keep: handoffs, exception handling. Add: dispute workflow clarity. Remove: audit-trail phrasing if out of scope. |
| Payroll | new hire/term changes, rate changes, time approval, SoD, reconciliations | Keep: approvals, SoD, reconciliation evidence. Add: access/change controls. Remove: efficiency-only prompts. | Keep: timing, backup coverage. Add: escalation and corrections. Remove: ICFR jargon. |
| Close / reporting | account reconciliations, journal entry review, variance analysis, cutoffs, monitoring | Keep: review precision, evidence quality, timeliness. Add: report completeness/accuracy. Remove: general satisfaction. | Keep: bottlenecks and handoffs. Add: standardization opportunities. Remove: SOX-only documentation checks if not needed. |
| Vendor master | vendor setup/change approvals, validations, SoD, monitoring for duplicates/fraud | Keep: approvals, SoD, monitoring. Add: override/exception controls. Remove: throughput questions. | Keep: training/clarity. Add: handoff clarity and queues. Remove: detailed ICFR evidence phrasing. |
| IT access / change | user provisioning, privileged access, change approvals, emergency changes, monitoring | Keep: access SoD, review evidence, report reliance. Add: monitoring cadence. Remove: business process-only items. | Keep: clarity and escalation. Add: incident handoffs. Remove: finance-specific control steps. |

Next action: Start with 1-2 in-scope processes (internal starter guidance; adjust for capacity), keep the core block, then add the matching process module before you send.

Who to Survey and How to Deploy (Owners vs Performers vs Approvers)

Build your respondent list by process and location, then split it into three role groups. Start with the people closest to the work because they can name the real breakpoints. Use sampling rules of thumb: cover every in-scope site and include at least an internal starter minimum of ~2-3 people per role per process when possible (adjust based on process size and staffing).

  • Control owners (design/ownership): They define the control, evidence, and acceptance criteria.
  • Control performers (execution): They run the control step-by-step and generate evidence.
  • Approvers/reviewers (monitoring/challenge): They review, question, and document the disposition of exceptions.

Anonymous vs attributed: pick a hybrid

Use attributed answers when you need follow-up on specific steps, evidence types, or ownership. Use anonymous answers for barriers (workload, pressure to override, unclear instructions) because fear changes what people report. Keep a short anonymous module at the end and label it clearly.

Reduce response bias by separating improvement feedback from performance management. Tell respondents exactly how you will use results: to fix process and training, not to score individuals. Keep wording neutral and avoid "gotcha" questions.

  • Tag respondents: Add fields for process, location, and role (owner/performer/approver) so you can segment results.
  • Schedule reminders: Send 2 reminders (example cadence: day 3 and day 7; adjust to your survey length and close calendar). Set a firm cutoff date.
  • Use role-based routing: Show owners a few design questions, performers the execution/evidence questions, and approvers the review/challenge questions.

Next action: Create three audience lists (owners, performers, approvers), then send a small pilot (for example, ~5-10 respondents; adjust as needed) and fix confusing wording.

Results Guide: Score Control Health and Triage Remediation (Risk-Based)

  1. Convert answers to a 0-100 section score

    Use a simple, consistent mapping (internal starter model): Strongly disagree = 0, Disagree = 25, Neutral = 50, Agree = 75, Strongly agree = 100. Average items within each block (People/Process/Technology/Governance) and compute an overall process score. If you use frequency scales, map them to 0-100 in the same spirit and keep the mapping unchanged over time.

  2. Assign Red/Amber/Green (RAG) thresholds

    Set cutoffs you can defend and trend, then calibrate after your first baseline and to your risk appetite. Internal starter thresholds (adjust as needed): Red < 60, Amber = 60-79, Green = 80+. Keep the same cutoffs across cycles so the trend is meaningful.

  3. Segment to find the root cause pattern

    Break results by process, site, and role. Watch for splits: if owners score "design is clear" high but performers score "evidence is clear" low, your fix is training and work instructions.

  4. Triage Reds using likelihood x impact

    Rank fixes with a simple scale that your stakeholders will actually use (example: 1-5 likelihood and 1-5 impact), then multiply (1-25). Use the same risk thinking described in ISO 31000 risk management guidelines, but keep the math simple so process owners can apply it.

    • Likelihood: How often does this control break?
    • Impact: What happens if it breaks (misstatement, fraud risk, compliance breach, major delay)?

  5. Build an action register and a one-page synthesis

    Write every prioritized issue into a small action register: issue, root cause, control step affected, owner, due date, and validation approach. End your readout with a SWOT-style summary: Strengths to institutionalize, Weaknesses to remediate, Opportunities to automate/standardize, Threats (fraud, turnover, system changes).

    You now have a scored view by process/site/role and a fix list with owners and dates.
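
The scoring steps above, worked through in Python as an added example (not part of the original template or any vendor tool). The response rows, issue list, and function names are constructed for illustration, and the overall process score is assumed to be the unweighted mean of its block scores.

```python
from collections import defaultdict
from statistics import mean

# Starter mapping and cutoffs from the results guide above.
LIKERT_TO_SCORE = {1: 0, 2: 25, 3: 50, 4: 75, 5: 100}

def rag(score):
    """Red < 60, Amber 60-79, Green 80+."""
    if score < 60:
        return "Red"
    return "Amber" if score < 80 else "Green"

def block_scores(responses, segment_keys=("process",)):
    """Mean 0-100 score per (segment, block); segment is a tuple of field values."""
    buckets = defaultdict(list)
    for r in responses:
        segment = tuple(r[k] for k in segment_keys)
        buckets[(segment, r["block"])].append(LIKERT_TO_SCORE[r["answer"]])
    return {key: mean(vals) for key, vals in buckets.items()}

def process_scores(responses):
    """Overall score per process. Assumption: unweighted mean of its block scores."""
    per_process = defaultdict(list)
    for ((process,), _block), score in block_scores(responses).items():
        per_process[process].append(score)
    return {p: mean(scores) for p, scores in per_process.items()}

def triage(issues):
    """Rank issues by likelihood x impact (1-5 each, product 1-25), highest first."""
    return sorted(issues, key=lambda i: i["likelihood"] * i["impact"], reverse=True)

# Constructed sample data: (process, role, block, answer on the 1-5 scale).
FIELDS = ("process", "role", "block", "answer")
RESPONSES = [dict(zip(FIELDS, row)) for row in [
    ("AP", "owner", "Process", 5), ("AP", "owner", "Process", 4),
    ("AP", "performer", "Process", 2), ("AP", "performer", "Process", 2),
    ("AP", "approver", "Governance", 3), ("AP", "approver", "Governance", 4),
    ("AP", "performer", "Technology", 2), ("AP", "owner", "People", 4),
    ("Payroll", "performer", "Process", 5), ("Payroll", "owner", "People", 4),
    ("Payroll", "approver", "Governance", 5),
]]
# Constructed Red findings with stakeholder-assigned likelihood and impact.
RED_ISSUES = [
    {"issue": "Evidence standard unclear to performers", "likelihood": 4, "impact": 3},
    {"issue": "Access allows create and approve", "likelihood": 2, "impact": 5},
    {"issue": "Exceptions not logged", "likelihood": 3, "impact": 5},
]

if __name__ == "__main__":
    for process, score in process_scores(RESPONSES).items():
        print(f"{process}: {score:.1f} {rag(score)}")
    by_role = block_scores(RESPONSES, ("process", "role"))
    for (segment, block), score in sorted(by_role.items()):
        print(segment, block, f"{score:.1f}", rag(score))
    for item in triage(RED_ISSUES):
        print(item["likelihood"] * item["impact"], item["issue"])
```

In the sample data the AP Process block is Green for owners and Red for performers, which is the owner/performer split that step 3 says points to training and work instructions.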

Next action: Score --> segment --> triage, then assign owners for the top 5 items (internal starter count; adjust to capacity) before you socialize the findings.

Benchmarks and Follow-Up Actions to Close the Loop

Track a few internal targets quarter-over-quarter so you can prove improvement. Keep definitions stable across cycles and report your completion rate the same way each time (AAPOR explains consistent outcome reporting in Standard Definitions for survey outcome rates).

Important: The numeric targets and windows below are internal starter targets/examples to help you launch a measurement program. Set your baseline first, then calibrate thresholds and timelines to your close calendar, process complexity, and risk appetite.

| Metric to track | Example internal starter target (adjust after baseline) | How to measure from survey + follow-up |
|---|---|---|
| % controls with clearly stated evidence requirements | >= 90% in Green processes (starter target) | Use the evidence-clarity question + spot-check a small sample (for example, ~5-10) of evidence types (no sensitive data). |
| % reconciliations completed by due date | >= 95% in close/reporting (starter target) | Pair the timeliness question with a count of late items by period (month/quarter). |
| % key controls with a documented backup performer | >= 85% (starter target) | Add one yes/no item per process module, then verify backups exist in SOPs or role coverage notes. |
| % respondents who know escalation paths | >= 90% (starter target) | Use the escalation question; if low, update the "who to tell" job aid and re-run in ~30-60 days (example window; adjust). |
| % exceptions logged with documented disposition | >= 80% (starter target, then push higher) | Use the exception logging question, then request a small sample (for example, ~5 recent) exception log entries for completeness checks. |

| Score band | Do this next (within a defined window) | Who to involve | Artifacts to request (avoid sensitive data) |
|---|---|---|---|
| Red (< 60) | Run a small set of targeted interviews (for example, ~2-3 per role) within ~7 days (example window; adjust). Add a short-term containment check within ~72 hours (example; adjust). | Owner, performers, approver/reviewer, internal audit or compliance | Evidence examples (report name + timestamp), approval screenshot description, exception log entries (redacted) |
| Amber (60-79) | Pick the top 1-2 drivers, update SOPs, and add a targeted training note. Re-check in ~60-90 days (example window; adjust). | Owner, lead performer, approver | Updated work instruction, review checklist, training completion roster (no personal performance notes) |
| Green (80+) | Standardize what works and monitor drift. Sample-check quarterly or after change (starter cadence; adjust). | Owner and process excellence/finance ops | Control description, evidence standard, escalation path job aid |

  • Re-survey cadence: Starter guidance: quarterly for high-risk or high-change processes; semiannual for important stable processes; annual for a broad baseline (adjust based on risk and resourcing).
  • Communication plan: Send a 1-page summary to process owners, a theme-level rollup to leadership, and a short list of remediation commitments for audit committee inputs where applicable.
  • Close the loop on culture drivers: If low scores point to fear of escalation or weak policy knowledge, run a follow-on compliance survey template to measure speak-up and training gaps.

Next action: Pick 5 metrics, set your internal targets, and schedule the next survey date before you start remediation.

Frequently Asked Questions

Does an internal control survey prove SOX/ICFR compliance or replace testing?

No. Your survey gives you directional input, not audit assurance. Use it to surface design, evidence, and execution gaps early, then focus walkthroughs and testing where risk and low scores overlap. For formal ICFR audit expectations, align your work with PCAOB AS 2201 on ICFR audits.

Should responses be anonymous or attributed?

Use anonymous responses when you want honest reporting on barriers (pressure, workload, unclear instructions) because fear changes answers. Use attributed responses when you need direct follow-up on a specific control step, evidence type, or ownership handoff. A practical hybrid is best: keep most items attributed, then add a short anonymous module for obstacles and improvement ideas.

How do I tailor this survey for SOX/ICFR vs operational controls?

Keep the same core blocks (People/Process/Technology/Governance), then swap the process modules. For SOX/ICFR, keep evidence quality, review precision, segregation of duties, and IT-dependent report questions. For operational controls, add handoffs, exception handling, and monitoring cadence, and remove ICFR-only wording that does not change day-to-day behavior.

How often should we run an internal control health survey?

Set cadence by risk and change. Starter guidance is quarterly for high-risk or high-change processes, semiannual for stable but important processes, and annual for an enterprise baseline (adjust based on resourcing and your close calendar). Re-run after major system/process changes and again after remediation to verify the fix stuck.

What scoring approach works best for prioritizing fixes?

Score sections to 0-100, then assign Red/Amber/Green thresholds you will keep over time. Use internal starter cutoffs (then calibrate after your baseline), and triage the Reds using likelihood x impact (a simple 1-5 x 1-5 works well). Segment results by process, location, and role before you launch remediation so you fix the real root cause.

What should we do immediately when scores are red for a process?

Use a rapid-response playbook with timelines calibrated to severity. As an example, you can confirm the theme with a few targeted interviews, request examples of evidence types (not sensitive data), and pinpoint the failing step (design vs execution vs documentation) within ~72 hours, then assign an owner and set a short-term containment action while you build the long-term fix and validation.
