Entity-level controls
Entity-Level Controls are internal controls that help ensure that management directives pertaining to the entire entity are carried out. They are the second level of a top-down approach to understanding the risks of an organization. Generally, entity refers to the entire company.
Regulation Surrounding Entity-Level Controls
Sarbanes-Oxley Act of 2002
As a result of several accounting and auditing scandals, congress passed the Sarbanes-Oxley Act of 2002. Section 404 of the act requires company management to assess and report on the effectiveness of the company's internal control. It also requires the company's independent auditor to attest to management's disclosures regarding the effectiveness of internal control. The act also created the Public Company Accounting Oversight Board (PCAOB).[1]
PCAOB
This body became the primary regulator of audits of publicly traded companies.[2] In June 2007, the PCAOB adopted Auditing Standard No. 5 (AS5). This standard contains the standards over performing an audit of internal control over financial reporting that is integrated with an audit of financial statements.
Auditing Standard No. 5
The auditor must test entity-level controls that are important to the auditor's conclusion about whether the company has effective internal control over financial reporting. Depending on the auditor's evaluation of the effectiveness of the entity-level controls, the auditor can increase or decrease the amount of testing that they will perform.[3]
Entity-level controls vary greatly in nature and precision. Their affect on the audit plan varies according to how precise they are.
Type |
Description |
Audit Effect |
Indirect |
Some entity-level controls have an indirect effect on the chances of detecting or preventing a misstatement on a timely basis. They do not directly relate to risks at the financial statement assertion level. |
Affect control selection, and the nature, timing, and extent of the procedures performed. |
Monitoring |
Some entity-level controls monitor the effectiveness of other controls. They could be designed to identify breakdowns of lower level controls. These controls are not precise enough by themselves to specifically address the assessed risk at the relevant assertion level. |
Reduce the testing of other controls if operating effectively. |
Precise |
Some entity-level controls are precise enough to prevent or detect misstatements on a timely basis. |
If the control sufficiently addresses the risk, then additional tests of controls relating to that risk are not necessary |
Common Entity-Level Controls
- Controls related to the control environment
- Controls over management override
- The company's risk assessment process
- Centralized processing and controls, including shared service environments
- Controls to monitor results of operations
- Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs
- Controls over the period-end financial reporting process
- Policies that address significant business control and risk management practices
- Internal audit
- Whistle-blower hotline
- Code of conduct
- IT environment and organizations
- Self-assessment
- Shared services
- Disclosure committee
- Oversight by the Board of Senior Management
- Policies & procedures manual
- Variance analysis reporting
|
- Remediation mechanism
- Management triggers embedded within IT systems
- Internal communication and performance reporting
- Tone setting
- Board/audit committee reporting
- External communication
- Segregation of duties
- Accounts reconciliations
- System balancing and exception reporting
- Change management
- Risk assessment methodology
- Risk assessment analytical techniques
- Governance
- Assignment of authority and responsibility
- Hiring and retention practices
- Fraud prevention/detection controls and analytical procedures
|
Evaluating Entity-Level Controls
Auditor's Evaluation
Entity-level controls, along with all other internal controls should be evaluated by independent auditors according to SAS 109 (AU 314) issued by the AICPA. SAS 109 stipulates that "auditors should obtain an understanding of the five components of internal control sufficient to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures."[4]
The information gathered from obtaining an understanding of the five components of internal control should be used to do the following:
- Identify types of potential misstatements
- Consider factors that affect the risks of material misstatement
- Design tests of controls, when applicable, and substantive procedures
Entity-level controls are generally included in the testing.
COSO Internal Control-Integrated Framework
The aforementioned five components of internal control refer to the five parts of the COSO framework.[5] The framework gives auditors a way to evaluate the controls of an entity.
The five components are:
- Control environment
- Risk assessment
- Information and communication
- Control activities
- Monitoring
Entity-level controls often fit into one or more of the five COSO components.
Example
COSO Components |
Background Checks |
Audit Committee |
Internal Audit |
Shared Services |
Control Environment |
X |
X |
|
|
Risk Assessment |
X |
X |
X |
|
Information & Communication |
X |
X |
X |
X |
Monitoring |
|
X |
X |
|
Note: All entity-level controls are control activities. The table illustrates how they relate to the other four components.
Management's Evaluation
There are four basic steps that management can use to evaluate entity-level controls:
- Identify risks
- Use a top-down approach to identify and categorize risk.
- Identify entity-level controls and link to risks
- Examine current entity-level controls to determine what controls have been placed into operation. Also, identify important entity-level controls that may be missing in the current framework. Then link the entity-level controls best suited to address the identified risks.
- Evaluate the design and operating effectiveness of entity-level controls
- Determine how effectively each entity-level control addresses identified risks by considering, among other things: sensitivity; competency of the reviewer, frequency and consistency of the control's operation; whether the control is reliable and repeatable; and whether appropriate review and follow-up action is taking place.
- Leverage entity-level controls as appropriate to mitigate risks
- By leveraging strong entity-level controls, management will be able to develop a more effective and efficient controls evaluation strategy.
Definitions of Selected Entity-Level Controls Organized Into the COSO Framework
Control Environment
- Code of Conduct
- The norms to which the organization voluntarily agrees to comply. For example, the company's code of conduct might include a policy for prohibiting employees from accepting gifts from vendors.
- Governance
- A mechanism for monitoring how the resources of an organization are being put to an efficient use by management, with an emphasis on transparency and accountability
- Assignment of Authority and Responsibility
- The term "authority" refers to the right to perform the organization's activities. The term "responsibility" refers to the obligation to perform assigned activities. It is important for the achievement of control objectives that authorities and responsibilities be consistent with the goals of its business activities and assigned to appropriate personnel.
- Hiring and Retention Practices
- Hiring and retaining skilled resources is critical to an organization's success. Policies and procedures around job definition, recruitment, training, performance appraisal, employee retention programs, and management of employee exits are important components of managing human resources.
- Fraud Prevention Prevent/Detect Controls and Analytical Procedures
- This refers to the anti-fraud controls and procedures used by management to prevent, detect and mitigate fraud. Examples might include segregation of duties, setting up an ethics hot line and periodic job rotation.
Risk Assessment
- Risk Assessment Methodology
- A systematic approach to identify, assess and prioritize risks.
- Risk Assessment Analytical Techniques
- Analytical techniques, if used appropriately, can serve as a tool in the risk assessment process. Since risk is an outcome of perception, analytical techniques help remove subjectivity, to a certain extent by collation and presentation of data in a systematic manner for assessment of potential impact and likelihood of occurrence or risks.
Information and Communication
- Internal Communication and Performance Reporting
- This refers to the lines of communication that run through an organization's structure, both top-down and bottom-up, including peer communication. Performance reporting is part of internal communication, and usually involves a two-way process of setting expectations and monitoring performance against agreed-upon expectations.
- Tone Setting
- Tone setting refers to various components of the "tone at the top," that are the building blocks of the character of an organization. Having set the right tone, it is equally important to have open channels of communication so that those within and outside the organization understand and act upon it. Examples of such components of tone include code of ethics and corporate governance practices.
- Board/Audit Committee Reporting
- Board members, including independent directors, assume fiduciary responsibilities which require them to have access to accurate and relevant information. While most countries have enacted laws regarding formal reporting to the Board of Directors and the Audit Committee of the Board, these usually constitute baseline procedures and requirements. Companies are free to adopt more stringent measures regarding Board/Audit Committee Reporting, such as holding more frequent formal Audit Committee Meetings than required by law.
- External Communication
- This refers to the communication to the shareholders, stock market, customers, regulators, vendors, and other entities outside the company's formal boundaries. The annual report is an example of external communication around the company performance, financial statements, vision, goals and targets.
Control Activities
- Policies and Procedures
- Policies are the business rules and formalized practices that the organization and its employees need to observe. These policies and procedures are governed by both legal/regulatory requirements, and management philosophy. For example, accounting policies are typically aligned to prevailing accounting standards, whereas credit policy is dependent on management's risk appetite.
- Internal Audit Reviews
- Internal audit serves as a tool for both the Audit Committee and management to deep-dive into identified high risk areas for identification of issues and recommendations on their remediation. Internal audit frequently reports to the Audit Committee, and can be either internally- or externally-staffed.
- Segregation of Duties
- This concept requires an independent review of work performed by an individual, preventing an individual from being able to both start - and complete - a critical transaction. Segregation of duties is a key anti-fraud control.
- Accounts Reconciliations
- Periodic reconciliation of accounts helps identification of errors, omissions and even fraud. For example, a reconciliation of customer accounts could identify payments received, but not applied, to the correct customer account.
- System Balancing and Exception Reporting
- System balancing refers to built-in system checks to verify the integrity of data transferred from another application. Examples include a mechanism for comparing batch totals between an original data source and data transferred into a new application. Exception reporting relates to reporting of exception items to management so that more effective use of management time can be achieved. For example, the Sales Manager could potentially review all sales transactions for a day. But it is more time-efficient if the review and approval process is focused on transactions that are not sold at the list price, or sold above a certain pre-determined percentage of discount.
- Change Management
- This refers to management of changes to processes, people, organizational structure, etc, in a manner as to minimize business disruptions that might otherwise harm overall business performance.
Monitoring
- Ongoing Monitoring Activities
- Periodic review of process and controls using relevant management reporting tools. For example, these would include monthly review of aging of accounts receivable to determine the extent of reserves required for doubtful debts.
- Independent Assessment Mechanism
- Use of external specialists or professionals to review and assess internal controls. For example, this might include the use of external tax professionals to review the controls around tax positions developed by the in-house tax team.
- Variance Analysis Reporting
- Comparison and reporting of actual performance against pre-determined benchmarks, if used appropriately, can serve as an early-warning mechanism. For example, a steady increase in debtor turnover might indicate varying levels of collection-related issues.
- Remediation Mechanism
- This refers to a systematic approach to resolving identified internal control issues. While an issue could be identified by either an internal or an external monitoring mechanism, the remediation mechanism is usually management-owned.
- Management Triggers Embedded Within IT Systems
- Most enterprise applications configure business rules in a manner as to prevent, require pre-approval, or alert relevant management personnel in the event that certain pre-set thresholds are not observed. For example, a sales application could deploy a control preventing sales transactions above the specified credit limit of a customer.
Importance of Entity-Level Controls
Entity-level controls have a pervasive influence throughout an organization. If they are weak, inadequate, or nonexistent, they can produce material weaknesses relating to an audit of internal control and material misstatements in the financial statements of the company. The presence of material misstatements could result in receiving an adverse opinion on internal controls and a qualified opinion on the financial statements. Material misstatements are expensive to fix, and receiving an adverse or qualified opinion generally results in a drop in stock price of a publicly traded company.
Benefits of Entity-Level Controls
- Reduction of the likelihood of a negative risk event by establishing and reinforcing the infrastructure that sets the control consciousness of the organization
- A broad risk coverage over financial reporting and operations. For companies conducting evaluations of internal controls, the presence of effective entity-level controls can contribute to a more effective and efficient evaluation strategy
- Generation of efficiencies in other business and operational processes
- Reinforcement for all stakeholders of the importance of internal controls to the success of the business
- Better understanding of how identified risks are mitigated, and redirect evaluation and other resources toward priority risk areas
- Increased effectiveness and efficiency of management's risk assessment and controls evaluation
References
External links