Entity-level control

An entity-level control is a control that helps to ensure that management directives pertaining to the entire entity are carried out. Entity-level controls operate above the process-level and transaction-level controls of individual business cycles, and are examined early in a top-down assessment of an organization's risks. Generally, entity refers to the entire company.

Regulation surrounding entity-level controls

Sarbanes-Oxley Act of 2002

As a result of several accounting and auditing scandals, Congress passed the Sarbanes-Oxley Act of 2002. Section 404 of the act requires company management to assess and report on the effectiveness of the company's internal control over financial reporting. It also requires the company's independent auditor to attest to management's disclosures regarding the effectiveness of internal control. The act also created the Public Company Accounting Oversight Board (PCAOB). [1]

PCAOB Auditing Standard 2201

The Public Company Accounting Oversight Board (PCAOB) became the primary regulator of audits of publicly traded companies. [2] In June 2007, the PCAOB adopted Auditing Standard No. 5, which was later renumbered AS 2201 when the PCAOB reorganized its standards. [3] This standard sets out the requirements for an audit of internal control over financial reporting that is integrated with an audit of the financial statements.

The auditor must test entity-level controls that are important to the auditor's conclusion about whether the company has effective internal control over financial reporting. Depending on the auditor's evaluation of the effectiveness of the entity-level controls, the auditor can increase or decrease the amount of testing that they will perform.

Entity-level controls vary greatly in nature and precision. Their effect on the audit plan varies according to how precise they are.

Indirect
Some entity-level controls have an indirect effect on the likelihood of preventing or detecting a misstatement on a timely basis; they do not directly relate to risks at the financial statement assertion level. Audit effect: they affect control selection and the nature, timing, and extent of the procedures performed.
Monitoring
Some entity-level controls monitor the effectiveness of other controls and may be designed to identify breakdowns of lower-level controls. These controls are not precise enough by themselves to specifically address the assessed risk at the relevant assertion level. Audit effect: if operating effectively, they reduce the testing of the other controls they monitor.
Precise
Some entity-level controls are precise enough to prevent or detect misstatements on a timely basis. Audit effect: if the control sufficiently addresses the risk, additional tests of controls relating to that risk are not necessary.

Common entity-level controls

  • Controls related to the control environment
  • Controls over management override
  • The company's risk assessment process
  • Centralized processing and controls, including shared service environments
  • Controls to monitor results of operations
  • Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs
  • Controls over the period-end financial reporting process
  • Policies that address significant business control and risk management practices
  • Internal audit
  • Whistle-blower hotline
  • Code of conduct
  • IT environment and organizations
  • Self-assessment
  • Shared services
  • Disclosure committee
  • Oversight of senior management by the board
  • Policies & procedures manual
  • Variance analysis reporting
  • Remediation mechanism
  • Management triggers embedded within IT systems
  • Internal communication and performance reporting
  • Tone setting
  • Board/audit committee reporting
  • External communication
  • Segregation of duties
  • Accounts reconciliations
  • System balancing and exception reporting
  • Change management
  • Risk assessment methodology
  • Risk assessment analytical techniques
  • Governance
  • Assignment of authority and responsibility
  • Hiring and retention practices
  • Fraud prevention/detection controls and analytical procedures

Evaluating entity-level controls

Auditor's evaluation

Entity-level controls, along with all other internal controls, should be evaluated by independent auditors according to SAS 109 (AU 314), issued by the AICPA. SAS 109 stipulates that "auditors should obtain an understanding of the five components of internal control sufficient to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures." [4]

The understanding gained of the five components of internal control is used to assess the risk of material misstatement and to design the nature, timing, and extent of further audit procedures. Entity-level controls are generally included in the testing.

COSO internal control-integrated framework

The aforementioned five components of internal control refer to the five parts of the COSO framework. [5] The framework gives auditors a way to evaluate the controls of an entity.

The five components are:

  1. Control environment
  2. Risk assessment
  3. Information and communication
  4. Control activities
  5. Monitoring

Entity-level controls often fit into one or more of the five COSO components.

Example: four entity-level controls and the COSO components to which they relate

Control Environment: Background Checks, Audit Committee
Risk Assessment: Audit Committee, Internal Audit, Shared Services
Information & Communication: Background Checks, Audit Committee, Internal Audit, Shared Services
Monitoring: Audit Committee, Internal Audit

Management's evaluation

There are four basic steps that management can use to evaluate entity-level controls:

Identify risks
Use a top-down approach to identify and categorize risk.
Identify entity-level controls and link to risks
Examine current entity-level controls to determine what controls have been placed into operation. Also, identify important entity-level controls that may be missing in the current framework. Then link the entity-level controls best suited to address the identified risks.
Evaluate the design and operating effectiveness of entity-level controls
Determine how effectively each entity-level control addresses the identified risks by considering, among other things: the sensitivity of the control; the competency of the reviewer; the frequency and consistency of the control's operation; whether the control is reliable and repeatable; and whether appropriate review and follow-up action is taking place.
Leverage entity-level controls as appropriate to mitigate risks
By leveraging strong entity-level controls, management will be able to develop a more effective and efficient controls evaluation strategy.

Definitions of selected entity-level controls organized into the COSO framework

Control environment

Code of Conduct
The norms to which the organization voluntarily agrees to comply. For example, the company's code of conduct might include a policy for prohibiting employees from accepting gifts from vendors.
Governance
A mechanism for monitoring how the resources of an organization are being put to efficient use by management, with an emphasis on transparency and accountability.
Assignment of Authority and Responsibility
The term "authority" refers to the right to perform the organization's activities. The term "responsibility" refers to the obligation to perform assigned activities. For control objectives to be achieved, authorities and responsibilities must be consistent with the goals of the organization's business activities and assigned to appropriate personnel.
Hiring and Retention Practices
Hiring and retaining skilled resources is critical to an organization's success. Policies and procedures around job definition, recruitment, training, performance appraisal, employee retention programs, and management of employee exits are important components of managing human resources.
Fraud Prevention/Detection Controls and Analytical Procedures
This refers to the anti-fraud controls and procedures used by management to prevent, detect and mitigate fraud. Examples might include segregation of duties, setting up an ethics hot line and periodic job rotation.

Risk assessment

Risk Assessment Methodology
A systematic approach to identify, assess and prioritize risks.
Risk Assessment Analytical Techniques
Analytical techniques, if used appropriately, can serve as a tool in the risk assessment process. Since risk is partly a matter of perception, analytical techniques help remove subjectivity to a certain extent, by collating and presenting data in a systematic manner for assessment of the potential impact and likelihood of occurrence of risks.

Information and communication

Internal Communication and Performance Reporting
This refers to the lines of communication that run through an organization's structure, both top-down and bottom-up, including peer communication. Performance reporting is part of internal communication, and usually involves a two-way process of setting expectations and monitoring performance against agreed-upon expectations.
Tone Setting
Tone setting refers to the various components of the "tone at the top" that are the building blocks of the character of an organization. Having set the right tone, it is equally important to have open channels of communication so that those within and outside the organization understand and act upon it. Examples of such components of tone include the code of ethics and corporate governance practices.
Board/Audit Committee Reporting
Board members, including independent directors, assume fiduciary responsibilities which require them to have access to accurate and relevant information. While most countries have enacted laws regarding formal reporting to the board of directors and the Audit Committee of the Board, these usually constitute baseline procedures and requirements. Companies are free to adopt more stringent measures regarding Board/Audit Committee Reporting, such as holding more frequent formal Audit Committee Meetings than required by law.
External Communication
This refers to the communication to the shareholders, stock market, customers, regulators, vendors, and other entities outside the company's formal boundaries. The annual report is an example of external communication around the company performance, financial statements, vision, goals and targets.

Monitoring

Ongoing Monitoring Activities
Periodic review of process and controls using relevant management reporting tools. For example, these would include monthly review of aging of accounts receivable to determine the extent of reserves required for doubtful debts.
Independent Assessment Mechanism
Use of external specialists or professionals to review and assess internal controls. For example, this might include the use of external tax professionals to review the controls around tax positions developed by the in-house tax team.
Variance Analysis Reporting
Comparison and reporting of actual performance against pre-determined benchmarks, if used appropriately, can serve as an early-warning mechanism. For example, a steady increase in days sales outstanding (slowing debtor turnover) might indicate growing collection-related problems.
Remediation Mechanism
This refers to a systematic approach to resolving identified internal control issues. While an issue could be identified by either an internal or an external monitoring mechanism, the remediation mechanism is usually management-owned.
Management Triggers Embedded Within IT Systems
Most enterprise applications configure business rules in a manner as to prevent, require pre-approval, or alert relevant management personnel in the event that certain pre-set thresholds are not observed. For example, a sales application could deploy a control preventing sales transactions above the specified credit limit of a customer.
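The threshold behaviour described above, as an added example that is not code from the original article: a Python model of an order-entry trigger with all three responses the passage names (post automatically, hold for pre-approval, block), together with the alert that goes to management and an audit trail of every decision. The customer, its credit limit, the 10% tolerance band and the user names are constructed assumptions. The approval step also enforces the segregation-of-duties control from the list of common entity-level controls: the person who raised the order cannot approve it.

```python
"""Tiered credit-limit trigger embedded in an order-entry path.

Added illustration, not code from the original article: it models the
prevent / require-pre-approval / alert behaviour of an embedded management
trigger.  Customer, credit limit, 10% tolerance band and user names are
constructed assumptions for the example.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class Outcome(Enum):
    ALLOW = "allow"                    # within the credit limit: order posts automatically
    NEEDS_APPROVAL = "needs_approval"  # over the limit but inside tolerance: held for pre-approval
    BLOCK = "block"                    # over the tolerance ceiling: rejected outright


@dataclass
class Customer:
    name: str
    credit_limit: Decimal
    outstanding: Decimal          # open receivables already posted (constructed value)


@dataclass
class Decision:
    outcome: Outcome
    amount: Decimal
    exposure: Decimal             # outstanding balance plus this order
    reason: str
    posted: bool = False          # True once the order has actually been booked


@dataclass
class CreditControl:
    tolerance: Decimal = Decimal("0.10")             # assumed 10% pre-approval band above the limit
    alerts: list = field(default_factory=list)       # messages an alerting hook would send to management
    audit_log: list = field(default_factory=list)    # every decision and approval attempt, for later review

    def evaluate(self, customer: Customer, amount: Decimal, requester: str) -> Decision:
        """Apply the three-tier rule to one order and record the result."""
        exposure = customer.outstanding + amount
        ceiling = customer.credit_limit * (1 + self.tolerance)
        if exposure <= customer.credit_limit:
            d = Decision(Outcome.ALLOW, amount, exposure, "within credit limit", posted=True)
            customer.outstanding = exposure                       # posts immediately
        elif exposure <= ceiling:
            over = exposure - customer.credit_limit
            d = Decision(Outcome.NEEDS_APPROVAL, amount, exposure, f"exceeds limit by {over}; held")
            self.alerts.append(f"PRE-APPROVAL NEEDED: {customer.name} order {amount} by {requester}")
        else:
            d = Decision(Outcome.BLOCK, amount, exposure, f"exceeds tolerance ceiling {ceiling}")
            self.alerts.append(f"BLOCKED: {customer.name} order {amount} by {requester}")
        self.audit_log.append(("order", customer.name, requester, str(amount), d.outcome.value, d.reason))
        return d

    def approve(self, customer: Customer, d: Decision, requester: str, approver: str) -> bool:
        """Post a held order only if a different person approves it (segregation of duties)."""
        if d.outcome is not Outcome.NEEDS_APPROVAL or d.posted:
            ok, reason = False, "only unposted held orders can be approved"
        elif approver == requester:
            ok, reason = False, "self-approval refused (segregation of duties)"
        else:
            ok, reason = True, "approved and posted"
            d.posted = True
            customer.outstanding += d.amount
        self.audit_log.append(("approval", customer.name, approver, str(d.amount), "ok" if ok else "refused", reason))
        return ok


def run_demo():
    """Walk one constructed customer through all three tiers and the approval check."""
    ctrl = CreditControl()
    acme = Customer("Acme Ltd", credit_limit=Decimal("10000"), outstanding=Decimal("7000"))
    d1 = ctrl.evaluate(acme, Decimal("2500"), requester="alice")   # 7000+2500 = 9500 <= 10000: allow, posts
    d2 = ctrl.evaluate(acme, Decimal("1000"), requester="alice")   # 9500+1000 = 10500 <= 11000: hold
    d3 = ctrl.evaluate(acme, Decimal("3000"), requester="alice")   # 9500+3000 = 12500 > 11000: block
    self_ok = ctrl.approve(acme, d2, requester="alice", approver="alice")  # refused: same person
    mgr_ok = ctrl.approve(acme, d2, requester="alice", approver="bob")     # posted, balance becomes 10500
    outcomes = [d.outcome.value for d in (d1, d2, d3)]
    return outcomes, self_ok, mgr_ok, acme.outstanding, len(ctrl.alerts), ctrl.audit_log


if __name__ == "__main__":
    for entry in run_demo()[-1]:
        print(entry)
```

The audit log is what an auditor testing this control would sample: it records the blocked and held orders as well as the refused self-approval, so the trigger's operation can be evidenced rather than merely asserted.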

Importance

Entity-level controls have a pervasive influence throughout an organization. If they are weak, inadequate, or nonexistent, they can give rise to material weaknesses in internal control over financial reporting and to material misstatements in the company's financial statements. A material weakness results in an adverse opinion on internal control, and an uncorrected material misstatement in a qualified or adverse opinion on the financial statements. Material misstatements are expensive to fix, and an adverse or qualified opinion typically depresses the stock price of a publicly traded company.

Related Research Articles

Sarbanes–Oxley Act (2002 U.S. law regarding corporate accounting)

The Sarbanes–Oxley Act of 2002 is a United States federal law that mandates certain practices in financial record keeping and reporting for corporations. The act, also known as the "Public Company Accounting Reform and Investor Protection Act" and "Corporate and Auditing Accountability, Responsibility, and Transparency Act" and more commonly called Sarbanes–Oxley, SOX or Sarbox, contains eleven sections that place requirements on all U.S. public company boards of directors and management and public accounting firms. A number of provisions of the Act also apply to privately held companies, such as the prohibition on willful destruction of evidence to impede a federal investigation.

Audit (systematic and independent examination of books, accounts, documents and vouchers of an organization)

An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon." Auditing also attempts to ensure that the books of accounts are properly maintained by the concern as required by law. Auditors consider the propositions before them, obtain evidence, roll forward prior year working papers, and evaluate the propositions in their auditing report.

Financial audit (type of audit)

A financial audit is conducted to provide an opinion whether "financial statements" are stated in accordance with specified criteria. Normally, the criteria are international accounting standards, although auditors may conduct audits of financial statements prepared using the cash basis or some other basis of accounting appropriate for the organization. In providing an opinion whether financial statements are fairly stated in accordance with accounting standards, the auditor gathers evidence to determine whether the statements contain material errors or other misstatements.

An audit committee is a committee of an organisation's board of directors which is responsible for oversight of the financial reporting process, selection of the independent auditor, and receipt of audit results both internal and external.

Auditor's report (type of written document)

An auditor's report is a formal opinion, or disclaimer thereof, issued by either an internal auditor or an independent external auditor as a result of an internal or external audit, as an assurance service in order for the user to make decisions based on the results of the audit.

Statement on Auditing Standards No. 99: Consideration of Fraud in a Financial Statement Audit, commonly abbreviated as SAS 99, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in October 2002. The original exposure draft was distributed in February 2002. The corresponding PCAOB standard is AS 2401.

Information technology controls are specific activities performed by persons or systems to ensure that computer systems operate in a way that minimises risk. They are a subset of an organisation's internal control. IT control objectives typically relate to assuring the confidentiality, integrity, and availability of data and the overall management of the IT function. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC includes controls over the hardware, system software, operational processes, access to programs and data, program development and program changes. IT application controls refer to controls to ensure the integrity of the information processed by the IT environment. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.

The chief risk officer (CRO), chief risk management officer (CRMO), or chief risk and compliance officer (CRCO) of a firm or corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and The Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach. The CRO is responsible for assessing and mitigating significant competitive, regulatory, and technological threats to a firm's capital and earnings. The CRO roles and responsibilities vary depending on the size of the organization and industry. The CRO works to ensure that the firm is compliant with government regulations, such as Sarbanes–Oxley, and reviews factors that could negatively affect investments. Typically, the CRO is responsible for the firm's risk management operations, including managing, identifying, evaluating, reporting and overseeing the firm's risks externally and internally to the organization and works diligently with senior management such as chief executive officer and chief financial officer.

External auditor (person who audits an entity's financial statements and is independent of that entity)

An external auditor performs an audit, in accordance with specific laws or rules, of the financial statements of a company, government entity, other legal entity, or organization, and is independent of the entity being audited. Users of these entities' financial information, such as investors, government agencies, and the general public, rely on the external auditor to present an unbiased and independent audit report.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. In 1992, COSO published the Internal Control – Integrated Framework, commonly used by businesses in the United States to design, implement, and conduct systems of internal control over financial reporting and assessing their effectiveness.

Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives, assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring process. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

<span class="mw-page-title-main">Internal audit</span> Independent, objective assurance and consulting activity

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal auditing might achieve this goal by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.

Internal control, as defined by accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.

SOX 404 top–down risk assessment

In financial auditing of public companies in the United States, SOX 404 top–down risk assessment (TDRA) is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002. Under SOX 404, management must test its internal controls; a TDRA is used to determine the scope of such testing. It is also used by the external auditor to issue a formal opinion on the company's internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.

Fraud deterrence has gained public recognition and spotlight since the 2002 inception of the Sarbanes-Oxley Act. Of the many reforms enacted through Sarbanes-Oxley, one major goal was to regain public confidence in the reliability of financial markets in the wake of corporate scandals such as Enron, WorldCom and Waste Management. Section 404 of Sarbanes Oxley mandated that public companies have an independent Audit of internal controls over financial reporting. In essence, the intent of the U.S. Congress in passing the Sarbanes Oxley Act was attempting to proactively deter financial misrepresentation (Fraud) in order to ensure more accurate financial reporting to increase investor confidence. This same concept is applied in the discussion of fraud deterrence.

The chief audit executive (CAE), director of audit, director of internal audit, auditor general, or controller general is a high-level independent corporate executive with overall responsibility for internal audit.

Control self-assessment (technique to assess process effectiveness)

Control self-assessment is a technique developed in 1987 that is used by a range of organisations including corporations, charities and government departments, to assess the effectiveness of their risk management and control processes.

Certified Sarbanes-Oxley Professional (CSOXP) is a credential awarded by the governance, risk & compliance group. The CSOXP credential communicates that certified professionals have the knowledge listed below:

Risk assurance is often associated with accounting practices and is a growing industry in which internal processes are developed to create a "checks and balances" system. These checks predominantly identify differences between risk appetite and actual risk. Business risk refers to factors that can affect the company, both internally and externally. There are various types of business risk: strategic, compliance, financial and operational. Risk assurance aims to mitigate any of these areas. As such, companies can analyse the industry in advance to scout for potential risks, or, if a risk has already materialised, managers can analyse the problem in an attempt to mitigate its effects.

Statement on Standards for Attestation Engagements no. 18 is an attestation standard produced and published by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board. Though it states that it could be applied to almost any subject matter, its focus is reporting on the quality of financial reporting. It pays particular attention to internal control, extending into the controls over information systems involved in financial reporting. It is intended for use by Certified Public Accountants performing attestation engagements (the preparation of a written opinion about a subject) and by the client organizations preparing the reports that are the subject of the attestation engagement. It prescribes three levels of service: examination, review, and agreed-upon procedures. It also prescribes two types of reports: Type 1, which includes an assessment of internal control design, and Type 2, which additionally includes an assessment of the operating effectiveness of controls. Published April 2016, SSAE 18 and all previous standards it supersedes are represented in section AT-C of the AICPA Professional Standards, with most sections becoming effective on May 1, 2017.

References

  1. "Sarbanes-Oxley Act of 2002" (PDF). Retrieved 2009-04-21. (Link no longer available.)
  2. "SEC Description of the PCAOB". Archived from the original on 2009-04-09. Retrieved 2009-04-21.
  3. "Auditing Standard No. 5" (PCAOB; now AS 2201). Archived from the original on 2019-04-02. Retrieved 2016-05-05.
  4. "AU 314 / SAS 109" (PDF). Archived from the original on 2008-12-03. Retrieved 2009-04-21.
  5. "COSO Internal Control-Integrated Framework". Archived from the original on 2009-02-28. Retrieved 2009-04-21.