Entity-level controls help ensure that management directives are carried out across the entire organization. Regulations like Sarbanes-Oxley and standards from the IIA and ICAI provide requirements for entity-level controls. Some key entity-level controls include tone at the top set by senior management, whistleblower policies, training programs, performance monitoring, access management in IT systems, and risk management processes. Internal auditors should evaluate the design and effectiveness of entity-level controls, which form an important part of the overall internal control framework.
Entity-Level Controls are internal controls that help ensure that management directives pertaining to the entire entity are carried out. They are the second level of a top-down approach to understanding the risks of an organization. Generally, entity refers to the entire company.
1.2 Regulations Related To Entity Level Controls
1.2.1 Sarbanes-Oxley Act of 2002
Auditing Standard No. 5 issued by PCAOB states that
The auditor must test entity-level controls that are important to the auditor's conclusion about whether the company has effective internal control over financial reporting. Depending on the auditor's evaluation of the effectiveness of the entity-level controls, the auditor can increase or decrease the amount of testing that they will perform.
1.2.2 Reference From the IIA (Institute of Internal Auditors) Standards:
1. Std 1220.A1: The internal auditor should exercise due professional care by considering the:
a. Extent of work needed to achieve the engagement's objectives.
b. Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
c. Adequacy and effectiveness of risk management, control, and governance processes.
d. Probability of significant errors, irregularities, or noncompliance.
e. Cost of assurance in relation to potential benefits.
2. Std 2130: The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
a. Promoting appropriate ethics and values within the organization.
b. Ensuring effective organizational performance management and accountability.
c. Effectively communicating risk and control information to appropriate areas of the organization.
d. Effectively coordinating the activities of, and communicating information among, the board, external and internal auditors, and management.
3. Std 2130.A1: The internal audit activity should evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs and activities.
4. Std 2130.C1: Consulting engagement objectives should be consistent with the overall values and goals of the organization.
1.2.3 Reference from the Standard on Internal Audit by ICAI:
SIA 2: Basic Principles Governing Internal Audit:
Internal control and risk management systems:
15. While the management is responsible for establishment and maintenance of appropriate internal control and risk management systems, the role of the internal auditor is to suggest improvements to those systems. For this purpose, the internal auditor should:
(i) Obtain an understanding of the risk management and internal control framework established and implemented by the management.
(ii) Perform steps for assessing the adequacy of the framework developed in relation to the organisational set up and structure.
(iii) Review the adequacy of the framework.
(iv) Perform risk based audits on the basis of the risk assessment process. The internal auditor may, however, also undertake work involving identification of risks, as well as recommend the design of controls, or identify gaps in existing controls, to address those risks.
1.3 Significance of Entity Level Controls
Having considered such important references to Entity Level Controls in the internal auditing standards, the significance of ELCs has to be set at the top of audit planning. As a matter of fact, one can consider the following levels of internal controls in the entity's organizational hierarchy.
One significant advantage of considering ELCs in any audit is that the ELCs sit at the top of both the IT and the business controls. An ELC review therefore allows the auditor to comment on both the business and the IT controls.
One generally understood aspect is that entity level controls are the controls set by management at the top via its philosophy, attitude and tone. However, these are not always expressed only as a generalized business environment: specific documents, policies or set procedures can be established for many ELCs. This makes the testing of ELCs more objective for the auditor, rather than only commenting on the management environment.
Nevertheless, ELC testing often involves comments on top management, an audit of the auditing process itself, and other sensitive areas. In such cases an internal auditor must stick to the prescribed scope, understand the reporting and auditing lines, and still come up with fruitful audit points in order to add real value.
1.4 Examples of Common Entity-Level Controls
A quick reference to the major entity level controls that are significant in an organization can be derived from the following chart:
(Ref: Study on Entity Level Controls, Ernst & Young, 2008)
Further, based on various studies and references, the following is a summary listing of controls classified as Entity Level Controls. Each of these is a very important aspect of the internal control environment of the organisation. Considering them will lead the internal auditor to add value on the important aspects of Entity Level Controls and the tone at the top.
SUMMARY LISTING OF THE IMPORTANT ENTITY LEVEL CONTROLS (AREA: CONTROL OBJECTIVE / ACTIVITY):
TONE AT THE TOP: Senior management consciously and willingly sets and maintains an appropriate tone at the top, through effective communication throughout the year and through behavioral example.
REVIEW OF INTERNAL AUDIT FUNCTION: The internal audit function of the company is adequate and commensurate with the size and operations of the company. Its scope, frequency, reporting and response structure are clearly defined and adequate.
WHISTLE-BLOWER POLICY: A whistle-blower hotline policy is in place and is communicated to all employees. Confidentiality and other norms of the policy are adhered to. Proper action is taken by management in all applicable cases.
CODE OF CONDUCT: A code of conduct policy document is clearly set and applies to all employees. Regular updating, proper communication, and necessary action in case of breach are in place for the code of conduct.
HUMAN RESOURCE POLICIES: Human resources policies related to hiring, retirement, leave, work levels, compensation etc. are clearly set, communicated and updated.
PERFORMANCE MONITORING: Realistic targets are set and used in performance measurement (e.g., a well-balanced set of targets covering finance and compliance).
EMPLOYEE TRAINING: A mandatory training plan is in place for accounting personnel, and progress is monitored.
MONITORING THE RESULTS: Controls to monitor the results of operations for the various divisions and branches are in place.
MONITORING SELF ASSESSMENT PROGRAMS: Controls to monitor the control self-assessment programs are adequate and commensurate with the size and operations of the company.
CONTROL OVER IT ENVIRONMENT: The IT environment and organization are monitored on a regular basis for the scope and division of operations. The responsibility and authority of the division heads are clearly defined. All key decisions are properly backed up by authorized documents.
ACCESS MANAGEMENT IN SYSTEM: Access management is defined and implemented consistently with management policy. Proper consideration is given to segregation of duties in that policy.
CHANGE MANAGEMENT: Change management controls are clearly defined, including the authority and responsibility for each change.
SHARED PROCESSING: Controls over centralized processing, including shared service environments, are established, and proper service levels are defined in all cases. Controls exist for monitoring failures against those SLAs.
ACCOUNTING MANUAL: An accounting and control manual has been developed and distributed effectively (e.g., existence and availability of the manual, authorization, and changes discussed and approved).
REVIEW OF ACCOUNTING AND REPORTING STRUCTURE: Senior management periodically reviews an overview of accounting, reporting, and internal control issues. Progress is monitored and reported in management meetings.
AUTHORIZATION TABLE: A bill of authority / authorization table is established. Procurement authorization is delegated by senior management, including availability, periodic update, and authorization of the table.
FINANCIAL REPORTING: Controls over the period-end financial reporting process are specifically structured. Important activities related to provisions, consolidation, key account disclosures and accounting decisions are properly backed up by policies and authorization.
BOOK CLOSURE: Senior management ensures that certain high-risk processes and related significant accounts (e.g., deferred tax, goodwill, corporate borrowings) are only processed and recorded at or via the corporate level, and not at the branch or shared service level.
BUDGETING: A budget process is in place that is related to strategy, quantifies goals, and includes regular reporting reviews.
RISK MANAGEMENT: A proper risk assessment methodology is in place for each level of management.
RISK ASSESSMENT: Risk assessment analytical techniques are in use and implemented at all levels of management.
ADHERENCE TO BOARD DECISIONS: Board-approved policies that address significant business control and risk management practices are adhered to by executive management.
AUDIT COMMITTEE OVERSIGHT: The audit committee exercises appropriate oversight of internal control matters (e.g., open communication with senior financial management).
LEGAL COMPLIANCE RESPONSIBILITIES: The response to the legal environment and to compliance is defined at the top level, including responsibilities, adherence and authorities.
GOING CONCERN STATUS: The going concern status of one or more units / branches is monitored and reviewed constantly.
FRAUD PREVENTION: Fraud prevention / detection controls and analytical procedures are in place and prescribed for the appropriate levels of management.
1.5 Testing of Entity Level Controls in Internal Auditing:
Most of the control descriptions in ELCs focus on management's attitude, philosophy and willingness to implement the control environment. Even if comments on business decisions can be subjective in a few cases, the testing of ELCs need not be subjective at all levels. Intentions always have to be backed by actions, and in the case of ELCs too, management has to show its willingness through action. A control that has been implemented will always leave evidence to prove the fact. Hence testing of ELCs involves review of the existing policies, review of future plans and propositions, and review of the history of management behavior. Below is a list of important evidences / test procedures for some of the major areas of Entity Level Controls. The internal auditor can review these documents, together with compliance on the relevant issues, against either the prescribed policies or best practices.
IMPORTANT EVIDENCES / TESTING DOCUMENTS FOR ELC REVIEW:
Business Code of Conduct Policy Document
Ethics Policy Document
Authorization Matrix / Manual
Board of Directors Minutes of Meetings and Resolutions
Audit Committee Minutes of the Meeting
Accounting Manual including Book Closure Procedures
Fraud Detection and Prevention Policies including penal actions
Implementation details for the Whistle-Blower Policy
IT Strategy document for long & short term business plan
Service Level Agreements and contracts for shared service providers
Executive management compensation policies and related documents
Budgetary Review procedures manual
Risk Management methodology document, etc.
Annexure:
Below is a summary of the audit objectives to be covered in a review of Entity Level Controls. An audit approach based on these objectives can also achieve long lasting results in the value added by internal audit.
Audit Objectives:
I. Control Environment
Integrity and ethical values
Management commitment to competence
An effective Board of Directors
Management's philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Organization around the Human Resources Department
II. Risk Assessment
Entity-level objectives
Process level objectives
Risk identification and analysis
Managing change
III. Information and Communication
Quality of information
Effectiveness of communication
IV. Control Activities
Process controls
V. Monitoring
Ongoing monitoring activities
Evaluation of internal control system
Reporting deficiencies
*********
Researched and prepared by
YOGESH JOSHI MCom, ACA, DISA, CISA, CIA ca.yogeshjoshi@gmail.com