
ENTITY LEVEL CONTROLS IN INTERNAL AUDITING

1.1 Entity-Level Controls - What are they?



Wikipedia defines Entity-Level Controls as follows:

Entity-Level Controls are internal controls that help ensure that management directives
pertaining to the entire entity are carried out. They are the second level of a top-down
approach to understanding the risks of an organization. Generally, "entity" refers to the entire
company.


1.2 Regulations Related To Entity Level Controls

1.2.1 Sarbanes-Oxley Act of 2002

Auditing Standard No. 5 issued by the PCAOB states that:

The auditor must test entity-level controls that are important to the auditor's conclusion about
whether the company has effective internal control over financial reporting. Depending on the
auditor's evaluation of the effectiveness of the entity-level controls, the auditor can increase or
decrease the amount of testing that they will perform.

1.2.2 Reference From the IIA (Institute of Internal Auditors) Standards:

1. Std 1220.A1:
The internal auditor should exercise due professional care by considering the:
a. Extent of work needed to achieve the engagement's objectives.
b. Relative complexity, materiality, or significance of matters to which assurance
procedures are applied.
c. Adequacy and effectiveness of risk management, control, and governance
processes.
d. Probability of significant errors, irregularities, or noncompliance.
e. Cost of assurance in relation to potential benefits.

2. Std 2130:
The internal audit activity should assess and make appropriate recommendations for
improving the governance process in its accomplishment of the following objectives:


a. Promoting appropriate ethics and values within the organization.
b. Ensuring effective organizational performance management and accountability.
c. Effectively communicating risk and control information to appropriate areas of the
organization.
d. Effectively coordinating the activities of and communicating information among the
board, external and internal auditors and management.

3. Std 2130.A1:
The internal audit activity should evaluate the design, implementation, and
effectiveness of the organization's ethics-related objectives, programs and activities.

4. Std 2130.C1:
Consulting engagement objectives should be consistent with the overall values and
goals of the organization.


1.2.3 Reference from the Standard on Internal Audit by ICAI:

SIA 2: Basic Principles Governing Internal Audit:

Internal control and risk management systems:

15. While the management is responsible for establishment and maintenance of appropriate
internal control and risk management systems, the role of the internal auditor is to suggest
improvements to those systems. For this purpose, the internal auditor should:

(i) Obtain an understanding of the risk management and internal control framework established
and implemented by the management.

(ii) Perform steps for assessing the adequacy of the framework developed in relation to the
organisational set up and structure.

(iii) Review the adequacy of the framework.

(iv) Perform risk based audits on the basis of the risk assessment process.

The internal auditor may, however, also undertake work involving the identification of risks, as well as
recommending the design of controls, or identifying gaps in existing controls, to address those risks.




1.3 Significance of Entity Level Controls
Given the prominence of Entity Level Controls in the internal auditing standards cited above,
the significance of ELCs has to be established at the very top of audit planning. In fact,
one can consider the following levels of internal controls in the entity's organizational
hierarchy.



One significant advantage of considering ELCs in any audit is that ELCs sit above both the
IT and the business controls, which allows the auditor to comment on both the business and
the IT controls.

It is generally understood that entity level controls are set by management at the top
through its philosophy, attitude and tone. However, these need not always take the form of
a generalized business environment: specific documents, policies or set procedures can be
established for many ELCs. This makes the auditor's testing of ELCs more objective, rather
than merely commenting on the management environment.

Nevertheless, ELC testing often involves comments on top management, the audit of the
auditing process itself and other sensitive areas. In such cases an internal auditor must
stick to the prescribed scope, understand the reporting and auditing lines, and still come
up with fruitful audit points in order to add real value.




1.4 Examples of Common Entity-Level Controls

A quick reference to the major entity level controls that are significant in an organization can be
derived from the following chart:

(Ref: Study on Entity Level Controls, Ernst & Young, 2008)

Further, based on various studies and references, the following is a summary listing of
controls classified as Entity Level Controls.

Each of these is a very important aspect of the internal control environment of the
organisation. Considering them will lead the internal auditor to add value on the important
aspects of Entity Level Controls and the tone at the top.



SUMMARY LISTING OF THE IMPORTANT ENTITY LEVEL CONTROLS:

AREA: CONTROL OBJECTIVE / ACTIVITY

TONE AT THE TOP: Senior management consciously and willingly sets and maintains an
appropriate tone at the top through effective communication throughout the year and by
example of behavior.

REVIEW OF INTERNAL AUDIT FUNCTION: The internal audit function of the company is adequate
and commensurate with the size and operations of the company. Its scope, frequency,
reporting and response structure are clearly defined and adequate.

WHISTLE-BLOWER POLICY: A whistle-blower hotline policy is in place for the company and is
communicated to all employees. Confidentiality and other norms of the policy are adhered
to. Proper action is taken by management in all applicable cases.

CODE OF CONDUCT: A code of conduct policy document is clearly set and applies to all
employees. Regular updating, proper communication, and necessary action in case of breach
are in place for the code of conduct.

HUMAN RESOURCE POLICIES: Human resources policies related to hiring, retirement, leave,
work levels, compensation etc. are clearly set, communicated and updated.

PERFORMANCE MONITORING: Realistic targets are set and used in performance measurement
(e.g., a well-balanced set of targets covering finance and compliance).

EMPLOYEE TRAINING: A mandatory training plan is in place for accounting personnel, and
progress is monitored.

MONITORING THE RESULTS: Controls to monitor the results of operations of the various
divisions and branches are in place.

MONITORING SELF ASSESSMENT PROGRAMS: Controls to monitor other control self-assessment
programs are adequate and commensurate with the size and operations of the company.

CONTROL OVER IT ENVIRONMENT: The IT environment and IT organization are monitored on a
regular basis with respect to the scope and division of operations. The responsibility and
authority of the division heads are clearly defined. All key decisions are properly backed
by authorized documents.

ACCESS MANAGEMENT IN SYSTEM: Access management is defined and implemented consistently
with management policy. Proper consideration is given to segregation of duties in that
policy.

CHANGE MANAGEMENT: Change management controls are clearly defined, including the authority
and responsibility for each change.

SHARED PROCESSING: Controls over centralized processing, including shared service
environments, are established and proper service levels are defined in all cases. Controls
exist for monitoring failures against such SLAs.

ACCOUNTING MANUAL: An accounting and control manual has been developed and distributed
effectively (e.g., existence and availability of the manual, authorization, and changes
discussed and approved).

REVIEW OF ACCOUNTING AND REPORTING STRUCTURE: Senior management periodically reviews an
overview of accounting, reporting, and internal control issues. Progress is monitored and
reported in management meetings.

AUTHORIZATION TABLE: A bill of authority / authorization table is established. Procurement
authorization is delegated by senior management, including availability, periodic update,
and authorization of the table.

FINANCIAL REPORTING: Controls over the period-end financial reporting process are
specifically structured. Important activities related to provisions, consolidation, key
account disclosures and accounting decisions are properly backed by policies and
authorization.

BOOK CLOSURE: Senior management ensures that certain high-risk processes and related
significant accounts, such as deferred tax, goodwill and corporate borrowings, are
processed and recorded only at or via the corporate level, and not at the branch or shared
service level.

BUDGETING: A budget process is in place that is linked to strategy, quantifies goals, and
includes regular reporting reviews.

RISK MANAGEMENT: A proper risk assessment methodology is in place for each level of
management.

RISK ASSESSMENT: Risk assessment analytical techniques are in use and implemented at all
levels of management.

ADHERENCE TO BOARD DECISIONS: Board-approved policies that address significant business
control and risk management practices are adhered to by executive management.

AUDIT COMMITTEE OVERSIGHT: The audit committee exercises appropriate oversight of internal
control matters (e.g., open communication with senior financial management).

LEGAL COMPLIANCE RESPONSIBILITIES: The response to the legal environment and compliance is
defined at the top level, including responsibilities, adherence and authorities.

GOING CONCERN STATUS: The going concern status of one or more units / branches is
monitored and reviewed constantly.

FRAUD PREVENTION: Fraud prevention/detection controls and analytical procedures are in
place and prescribed for the appropriate levels of management.




1.5 Testing of Entity Level Controls in Internal Auditing:

Most of the control descriptions in ELCs focus on management's attitude, philosophy and
willingness to implement the control environment. Even if comments on business decisions
can be subjective in a few cases, the testing of ELCs need not be subjective at all levels.

Intentions always have to be backed by actions, and in the case of ELCs too, management
has to show its willingness through action. A control that has been implemented will always
leave evidence to prove the fact.

Hence testing of ELCs involves review of the existing policies, review of future plans and
propositions, as well as review of the history of management behavior.

Below is a list of important evidences / test procedures for some of the major areas of
Entity Level Controls. The internal auditor can review these documents together with
compliance on these issues, against either the prescribed policies or best practices.

IMPORTANT EVIDENCES / TESTING DOCUMENTS FOR ELC REVIEW:

Business Code of Conduct Policy Document
Ethics Policy Document
Authorization Matrix / Manual
Board of Directors Minutes of Meetings and Resolutions
Audit Committee Minutes of Meetings
Accounting Manual including Book Closure Procedures
Fraud Detection and Prevention Policies including penal actions
Implementation details for the Whistle-Blower Policy
IT Strategy document for long- and short-term business plans
Service Level Agreements and contracts for shared service providers
Executive management compensation policies and related documents
Budgetary Review procedures manual
Risk Management methodology document, etc.






Annexure:

Below is a summary of the audit objectives to be covered in Entity Level Controls. An audit
approach based on these objectives can also achieve long-lasting results in the value added
by internal audit.

Audit Objectives:

I. Control Environment
   Integrity and ethical values
   Management commitment to competence
   An effective Board of Directors
   Management's philosophy and operating style
   Organizational structure
   Assignment of authority and responsibility
   Organization around the Human Resources Department

II. Risk Assessment
   Entity-level objectives
   Process-level objectives
   Risk identification and analysis
   Managing change

III. Information and Communication
   Quality of information
   Effectiveness of communication

IV. Control Activities
   Process controls

V. Monitoring
   Ongoing monitoring activities
   Evaluation of the internal control system
   Reporting deficiencies


*********


Researched and prepared by

YOGESH JOSHI
MCom, ACA, DISA, CISA, CIA
ca.yogeshjoshi@gmail.com
