Entity-level controls

From Wikipedia, the free encyclopedia

Entity-level controls are internal controls that help ensure that management directives pertaining to the entire entity are carried out. They are the second level of a top-down approach to understanding the risks of an organization. Generally, entity refers to the entire company.

Regulation surrounding entity-level controls[edit]

Sarbanes-Oxley Act of 2002[edit]

As a result of several accounting and auditing scandals, Congress passed the Sarbanes-Oxley Act of 2002. Section 404 of the act requires company management to assess and report on the effectiveness of the company's internal control over financial reporting. It also requires the company's independent auditor to attest to management's disclosures regarding the effectiveness of that internal control. The act also created the Public Company Accounting Oversight Board (PCAOB).[1]

PCAOB Auditing Standard 2201[edit]

The Public Company Accounting Oversight Board (PCAOB) became the primary regulator of audits of publicly traded companies.[2] In 2007 the PCAOB adopted Auditing Standard No. 5, which superseded Auditing Standard No. 2; when the PCAOB renumbered its standards in 2015 it became AS 2201.[3] The standard sets the requirements for performing an audit of internal control over financial reporting that is integrated with an audit of the financial statements.

The auditor must test entity-level controls that are important to the auditor's conclusion about whether the company has effective internal control over financial reporting. Depending on the auditor's evaluation of the effectiveness of the entity-level controls, the auditor can increase or decrease the amount of testing that they will perform.

Entity-level controls vary greatly in nature and precision. Their effect on the audit plan varies according to how precise they are.

Indirect 
Some entity-level controls have an indirect effect on the likelihood of preventing or detecting a misstatement on a timely basis; they do not relate directly to risks at the financial statement assertion level. Audit effect: they influence which controls are selected for testing and the nature, timing, and extent of the procedures performed.
Monitoring 
Some entity-level controls monitor the effectiveness of other controls and may be designed to identify breakdowns in lower-level controls. By themselves they are not precise enough to address the assessed risk at the relevant assertion level. Audit effect: if they operate effectively, testing of the other controls can be reduced.
Precise 
Some entity-level controls are precise enough to prevent or detect misstatements on a timely basis. Audit effect: if such a control sufficiently addresses the risk, additional tests of controls relating to that risk are not necessary.

Common entity-level controls[edit]

  • Controls related to the control environment
  • Controls over management override
  • The company's risk assessment process
  • Centralized processing and controls, including shared service environments
  • Controls to monitor results of operations
  • Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs
  • Controls over the period-end financial reporting process
  • Policies that address significant business control and risk management practices
  • Internal audit
  • Whistle-blower hotline
  • Code of conduct
  • IT environment and organizations
  • Self-assessment
  • Shared services
  • Disclosure committee
  • Board oversight of senior management
  • Policies & procedures manual
  • Variance analysis reporting
  • Remediation mechanism
  • Management triggers embedded within IT systems
  • Internal communication and performance reporting
  • Tone setting
  • Board/audit committee reporting
  • External communication
  • Segregation of duties
  • Accounts reconciliations
  • System balancing and exception reporting
  • Change management
  • Risk assessment methodology
  • Risk assessment analytical techniques
  • Governance
  • Assignment of authority and responsibility
  • Hiring and retention practices
  • Fraud prevention/detection controls and analytical procedures

Evaluating entity-level controls[edit]

Auditor's evaluation[edit]

Entity-level controls, along with all other internal controls, should be evaluated by independent auditors according to SAS 109 (AU section 314), issued by the AICPA; its content now sits in AU-C section 315 of the AICPA's clarified standards. SAS 109 stipulates that "auditors should obtain an understanding of the five components of internal control sufficient to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures."[4]

The information gathered from obtaining an understanding of the five components of internal control should be used to do the following:

  • Identify types of potential misstatements
  • Consider factors that affect the risks of material misstatement
  • Design tests of controls, when applicable, and substantive procedures

Entity-level controls are generally included in the testing.

COSO internal control-integrated framework[edit]

The aforementioned five components of internal control refer to the five parts of the COSO framework.[5] The framework gives auditors a way to evaluate the controls of an entity.

The five components are:

  • Control environment
  • Risk assessment
  • Information and communication
  • Control activities
  • Monitoring

Entity-level controls often fit into one or more of the five COSO components.

COSO Components Background Checks Audit Committee Internal Audit Shared Services
Control Environment X X
Risk Assessment X X X
Information & Communication X X X X
Monitoring X X

Management's evaluation[edit]

There are four basic steps that management can use to evaluate entity-level controls:[citation needed]

Identify risks 
Use a top-down approach to identify and categorize risk.
Identify entity-level controls and link to risks 
Examine current entity-level controls to determine what controls have been placed into operation. Also, identify important entity-level controls that may be missing in the current framework. Then link the entity-level controls best suited to address the identified risks.
Evaluate the design and operating effectiveness of entity-level controls 
Determine how effectively each entity-level control addresses the identified risks by considering, among other things: the sensitivity of the control; the competency of the reviewer; the frequency and consistency of the control's operation; whether the control is reliable and repeatable; and whether appropriate review and follow-up action is taking place.
Leverage entity-level controls as appropriate to mitigate risks 
By leveraging strong entity-level controls, management will be able to develop a more effective and efficient controls evaluation strategy.

Definitions of selected entity-level controls organized into the COSO framework[edit]

[citation needed]

Control environment[edit]

[citation needed]

Code of Conduct 
The norms to which the organization voluntarily agrees to comply. For example, the company's code of conduct might include a policy for prohibiting employees from accepting gifts from vendors.
Governance 
A mechanism for monitoring how the resources of an organization are being put to efficient use by management, with an emphasis on transparency and accountability.
Assignment of Authority and Responsibility 
The term "authority" refers to the right to perform the organization's activities. The term "responsibility" refers to the obligation to perform assigned activities. It is important for the achievement of control objectives that authorities and responsibilities be consistent with the goals of its business activities and assigned to appropriate personnel.
Hiring and Retention Practices 
Hiring and retaining skilled resources is critical to an organization's success. Policies and procedures around job definition, recruitment, training, performance appraisal, employee retention programs, and management of employee exits are important components of managing human resources.
Fraud Prevention/Detection Controls and Analytical Procedures 
This refers to the anti-fraud controls and procedures used by management to prevent, detect and mitigate fraud. Examples might include segregation of duties, setting up an ethics hot line and periodic job rotation.

Risk assessment[edit]

[citation needed]

Risk Assessment Methodology 
A systematic approach to identify, assess and prioritize risks.
Risk Assessment Analytical Techniques 
Analytical techniques, if used appropriately, can serve as a tool in the risk assessment process. Because risk ratings are partly a matter of perception, analytical techniques reduce subjectivity to some extent by collating and presenting data in a systematic manner for assessing the potential impact and likelihood of each risk.

Information and communication[edit]

Internal Communication and Performance Reporting 
This refers to the lines of communication that run through an organization's structure, both top-down and bottom-up, including peer communication. Performance reporting is part of internal communication, and usually involves a two-way process of setting expectations and monitoring performance against agreed-upon expectations.
Tone Setting 
Tone setting refers to the various components of the "tone at the top" that are the building blocks of the character of an organization. Having set the right tone, it is equally important to have open channels of communication so that those within and outside the organization understand and act upon it. Examples of such components of tone include the code of ethics and corporate governance practices.
Board/Audit Committee Reporting 
Board members, including independent directors, assume fiduciary responsibilities which require them to have access to accurate and relevant information. While most countries have enacted laws regarding formal reporting to the Board of Directors and the Audit Committee of the Board, these usually constitute baseline procedures and requirements. Companies are free to adopt more stringent measures regarding Board/Audit Committee Reporting, such as holding more frequent formal Audit Committee Meetings than required by law.
External Communication 
This refers to the communication to the shareholders, stock market, customers, regulators, vendors, and other entities outside the company's formal boundaries. The annual report is an example of external communication around the company performance, financial statements, vision, goals and targets.


Monitoring[edit]

[citation needed]

Ongoing Monitoring Activities 
Periodic review of process and controls using relevant management reporting tools. For example, these would include monthly review of aging of accounts receivable to determine the extent of reserves required for doubtful debts.
Independent Assessment Mechanism 
Use of external specialists or professionals to review and assess internal controls. For example, this might include the use of external tax professionals to review the controls around tax positions developed by the in-house tax team.
Variance Analysis Reporting 
Comparison and reporting of actual performance against pre-determined benchmarks, if used appropriately, can serve as an early-warning mechanism. For example, a steady lengthening of the debtor collection period (the average time taken to collect receivables) might indicate growing collection-related problems.
Remediation Mechanism 
This refers to a systematic approach to resolving identified internal control issues. While an issue could be identified by either an internal or an external monitoring mechanism, the remediation mechanism is usually management-owned.
Management Triggers Embedded Within IT Systems 
Most enterprise applications can be configured with business rules that prevent a transaction, require pre-approval, or alert relevant management personnel when a preset threshold is breached. For example, a sales application could deploy a control preventing sales transactions that would take a customer above its specified credit limit.
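The credit-limit trigger just described, written out as an added example in Python (not code from this page or from any product it mentions): a tiered control that blocks an order whose exposure would exceed the customer's credit limit, holds large orders until a second person pre-approves them, and otherwise posts the order, raising an alert once most of the limit is used. It also enforces the segregation-of-duties rule listed under fraud prevention, since a requester who can approve their own order defeats the pre-approval tier, and it writes every decision to an append-only audit record so that the control's operation can later be tested. The customer, the orders and the thresholds (alert at 80% utilisation, pre-approval at 25,000) are constructed for illustration and are not taken from any real credit policy.

```python
"""Tiered management trigger for a sales order: block, require approval, alert, or allow."""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum
from typing import List, Optional


class Action(Enum):
    ALLOW = "allow"                        # posts without intervention
    ALERT = "alert"                        # posts, but management is notified
    REQUIRE_APPROVAL = "require_approval"  # held until a second person approves
    BLOCK = "block"                        # rejected outright


@dataclass(frozen=True)
class Customer:
    customer_id: str
    credit_limit: Decimal
    open_balance: Decimal   # receivables already outstanding


@dataclass(frozen=True)
class SalesOrder:
    order_id: str
    customer_id: str
    amount: Decimal
    requested_by: str
    approved_by: Optional[str] = None


@dataclass(frozen=True)
class Decision:
    action: Action
    reason: str


# Hypothetical policy thresholds; real values come from management's credit policy.
ALERT_UTILISATION = Decimal("0.80")    # alert once exposure passes 80% of the limit
APPROVAL_THRESHOLD = Decimal("25000")  # single orders at or above this need pre-approval


def evaluate_order(order: SalesOrder, customer: Customer, audit_log: List[dict]) -> Decision:
    """Apply the control to one order and record the outcome in the audit trail.

    Tiers are ordered by severity; only the most severe applicable outcome is returned.
    """
    if order.customer_id != customer.customer_id:
        raise ValueError("order and customer records do not match")
    exposure = customer.open_balance + order.amount

    if exposure > customer.credit_limit:
        # Preventive control: the system refuses to post the transaction.
        decision = Decision(Action.BLOCK,
                            f"exposure {exposure} exceeds credit limit {customer.credit_limit}")
    elif order.amount >= APPROVAL_THRESHOLD:
        if order.approved_by is None:
            decision = Decision(Action.REQUIRE_APPROVAL,
                                f"amount {order.amount} is at or above {APPROVAL_THRESHOLD}")
        elif order.approved_by == order.requested_by:
            # Segregation of duties: the requester may not approve their own order.
            decision = Decision(Action.BLOCK, "self-approval violates segregation of duties")
        else:
            decision = Decision(Action.ALLOW, f"pre-approved by {order.approved_by}")
    elif exposure > customer.credit_limit * ALERT_UTILISATION:
        # Detective control: the order posts, but management is told the limit is nearly used.
        decision = Decision(Action.ALERT,
                            f"exposure {exposure} is above {ALERT_UTILISATION} of the limit")
    else:
        decision = Decision(Action.ALLOW, "within credit limit")

    # Append-only audit trail: the evidence that the control operated, and how.
    audit_log.append({
        "order_id": order.order_id,
        "customer_id": order.customer_id,
        "amount": str(order.amount),
        "exposure": str(exposure),
        "requested_by": order.requested_by,
        "approved_by": order.approved_by,
        "action": decision.action.value,
        "reason": decision.reason,
    })
    return decision


def run_constructed_sample() -> List[dict]:
    """Constructed sample data (not from any real ledger) exercising every tier.

    Each order is evaluated against the same opening position; a real system would
    update the open balance as orders post.
    """
    acme = Customer("C-100", credit_limit=Decimal("100000"), open_balance=Decimal("70000"))
    log: List[dict] = []
    orders = [
        SalesOrder("SO-1", "C-100", Decimal("5000"), "alice"),            # allow: 75% used
        SalesOrder("SO-2", "C-100", Decimal("15000"), "alice"),           # alert: 85% used
        SalesOrder("SO-3", "C-100", Decimal("26000"), "alice"),           # needs pre-approval
        SalesOrder("SO-4", "C-100", Decimal("26000"), "alice", "alice"),  # block: self-approval
        SalesOrder("SO-5", "C-100", Decimal("26000"), "alice", "bob"),    # allow: approved
        SalesOrder("SO-6", "C-100", Decimal("40000"), "alice", "bob"),    # block: over limit
    ]
    for order in orders:
        evaluate_order(order, acme, log)
    return log


if __name__ == "__main__":
    for entry in run_constructed_sample():
        print(entry["order_id"], entry["action"], "-", entry["reason"])
```

An auditor testing this control would sample the audit records rather than the order table: each entry names the requester, the approver, the computed exposure and the outcome, which is exactly what is needed to show that the threshold was applied and that no order was self-approved.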


Entity-level controls have a pervasive influence throughout an organization. If they are weak, inadequate, or nonexistent, they can give rise to material weaknesses in internal control over financial reporting and to material misstatements in the company's financial statements. A material weakness results in an adverse opinion on internal control, and an uncorrected material misstatement in a qualified or adverse opinion on the financial statements. Material misstatements are expensive to fix, and an adverse or qualified opinion often leads to a drop in the stock price of a publicly traded company.


  • Reduction of the likelihood of a negative risk event by establishing and reinforcing the infrastructure that sets the control consciousness of the organization
  • A broad risk coverage over financial reporting and operations. For companies conducting evaluations of internal controls, the presence of effective entity-level controls can contribute to a more effective and efficient evaluation strategy
  • Generation of efficiencies in other business and operational processes
  • Reinforcement for all stakeholders of the importance of internal controls to the success of the business
  • Better understanding of how identified risks are mitigated, and redirect evaluation and other resources toward priority risk areas
  • Increased effectiveness and efficiency of management's risk assessment and controls evaluation

References[edit]

  1. ^ "Sarbanes-Oxley Act of 2002" (PDF). Retrieved 2009-04-21.
  2. ^ "SEC Description of the PCAOB". Retrieved 2009-04-21.
  3. ^ "Auditing Standard No. 5". Retrieved 2016-05-05.
  4. ^ "AU 314 / SAS 109" (PDF). Archived from the original (PDF) on December 3, 2008. Retrieved 2009-04-21.
  5. ^ "COSO Internal Control-Integrated Framework". Archived from the original on 2009-02-28. Retrieved 2009-04-21.
