In this article, I explain why entity-level controls are important and how to audit them.
Activity-level controls, such as segregation of duties, get all the love. But what about entity-level controls? It seems to me they don’t receive the attention they deserve.
The fountainhead of internal controls is the Committee of Sponsoring Organizations (COSO). Auditors recognize the five COSO control components when they see:
- Control environment
- Risk assessment
- Monitoring
- Information and communication
- Control activities
Controls that address financial-statement-level risks are known as entity-level controls. For example, a poor control environment can pervasively affect the financial statements. Controls that address risks at the assertion level, such as control activities, are known as activity-level controls.
Auditing standards require consideration of these five components in all audits. While auditors are more familiar with the fifth element, control activities, the others are important as well. Auditors review the design and implementation of controls of each component, not just control activities. In other words, auditors consider entity-level and activity-level controls. Or at least, they should.
The five components, when designed and working correctly, result in materially correct financial statements. In large businesses, the five components are often more clearly defined. Smaller entities, however, tend to blend the five, and they are less distinct. Regardless, the entity-level and activity-level controls are important in all companies, nonprofits, and governments.
1. Control Environment
The first element is control environment, what many refer to as the tone at the top. In examining this component, you learn about those charged with governance and management. Are they committed to financial statements without material misstatements? Do these leaders receive internal control reports? If the entity has internal auditors, how often do they meet with the board? If there are no internal auditors, how receptive is the board to annual audit communications regarding internal controls?
The control environment component is more subjective than the other four. Therefore, testing for appropriate design and implementation is more challenging. So, what should you look for? What documents should you review?
Code of Conduct
Some companies have a code of conduct. If they do, review it, and see if company personnel are familiar with it. Is the code a part of the company’s DNA or just a document for the filing cabinet?
In all entities, see if the board members and management actively govern. Read the minutes to understand the board’s participation level. Review the reports provided to them. See how often they receive these and whether they understand them.
Segregation of duties, an activity-level control, may be lacking, especially in smaller organizations. A compensating control is the board or owner’s review of financial statements. Additionally, in entities with budgets, the board might receive budget-to-actual reports. Moreover, the board might review a list of disbursements.
How often does the board or the owners meet? If monthly, great. If once a year, not so good.
Conflict of Interest Statement
Is there a conflict-of-interest statement and does the company abide by it? Do board members and management disclose their potential conflicts annually?
Does the entity have a whistle-blower policy? Can employees anonymously report suspicious activity? Who receives the whistle-blower reports? Who follows up on them and how often? How does the company respond to theft?
If the company has internal auditors, do they report directly to the board or to management? Internal auditors should have a direct line to those charged with governance. Additionally, internal auditors should be hired and fired by the board, not management. Internal auditors monitor the actions of management. That’s why they should report directly to the board.
Are appropriate resources given to the information technology (IT) personnel? Does IT provide periodic operating reports to the board and management? Do they have sufficient education and knowledge? What is IT doing to protect the information system? Is IT accountable to leadership? Are they transparent about their activities?
And what about management personnel? Are they accountable to the board? In some organizations, the chief executive officer (CEO) runs the company with little accountability. Not desirable in larger entities, but quite common and maybe necessary in smaller ones. The CEO and an owner might be one and the same in a smaller business.
After reviewing factors such as those mentioned above, consider that honesty is the key to control environment. And honesty is not what the leadership says, but what they do. So ask yourself, “Do they walk the talk?”
Even though the control environment is more subjective than the other four components, you still need to review the design and implementation of controls. You can only do so with controls, not personal characteristics. You can’t review the CEO’s ethics, for example, but you can read the code of conduct. You can’t review the CFO’s transparency, but you can examine a whistle-blower program. You can’t review the board chair’s intelligence, but you can inspect the monthly financial statements provided to the board. Look for controls, not just subjective characteristics. Asking, “Are your board members ethical?” is not enough.
But what if there are no control environment documents such as a code of conduct? In smaller entities, this is possible, but most organizations do provide financial reports to those in charge. If there are no controls, consider the impact on the risk of material misstatement. Also, consider whether compensating controls exist in the other four components of the internal control system.
Now, let’s look at the risk assessment.
2. Risk Assessment
Here again, examine the design and implementation of the risk assessment component. Smaller companies can present a challenge here: they often have no formal risk assessment process. An informal process, however, does not mean that controls are lacking.
Small Company Risk Assessment
A small business owner’s risk assessment process might include financial statement reviews. Why? Her knowledge of the business enables her to detect at least some misstatements. Moreover, the owner considers the competency of her accountants. She knows that smart accountants lead to good numbers. Additionally, she hires outside IT professionals to maintain the information system, or she uses cloud-based software such as QuickBooks. Why? Because IT is part of a healthy accounting system. As you can see, small business risk assessment can be informal but still effective.
Large Company Risk Assessment
In larger companies, risk assessment is more robust. The board and management periodically meet to focus on risk assessment. And internal auditors test the accounting system and provide reports to leadership. It’s easier to review risk assessment design and implementation in such an environment.
Financial Statement Risk Assessment
Regardless of the entity size, companies normally use disclosure checklists to prepare their financial statements. Such checklists lower the risk of incomplete or omitted disclosures.
Does the company present consolidated financial statements? Then consolidating controls, such as a second-person review, are necessary. Improper consolidating procedures can easily result in material misstatements. Therefore, risk assessment should encompass the consolidation process.
Most importantly, company personnel should think about how the financial statements might contain material misstatements in light of the existing controls, accounting personnel, and business dynamics. So, has anyone considered how errors or fraud might occur? And is the risk assessment process documented? If yes, then the auditor should review it. If no, then the auditor should consider the company’s informal processes and whether they decrease the risk of material misstatements.
The risk assessment works best when monitoring reports are also used.
3. Monitoring
Monitoring provides feedback on the effectiveness of the financial reporting process. Error and fraud can occur even when a company has a great internal control structure. Not only should monitoring information be provided to the leadership of the organization, but companies should generate monitoring reports at lower levels. After all, you want to detect problems as soon as possible.
As we said in the risk assessment section above, larger companies often have internal auditors. And those auditors provide reports to the board and management about financial reporting, whether it is occurring properly or not. Such reporting during the year lessens the probability that the external auditors will detect material misstatements after year-end.
But even if an organization has no internal auditors, monitoring can still occur. The CFO can review monthly accounting reports. The payroll supervisor can compare the current compensation reports with earlier ones. The board can review budget-to-actual reports. The owner can compare production statistics with monthly financial statements.
Vetting the design and implementation of monitoring is usually much easier than reviewing the control environment or risk assessment. Why? Well, either accounting reports are generated and reviewed by company personnel or they are not.
If the monitoring reports enable the organization to detect and correct material misstatements, then this component is properly designed. And companies that generate and review monitoring reports have implemented the control.
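As an added illustration (not code from the original article), here is what two of the monitoring reports described above look like when reduced to code: a period-over-period payroll register comparison and a budget-to-actual variance check, run over constructed sample data. The thresholds and exception codes are assumptions chosen for the example.

```python
"""Period-over-period monitoring checks of the kind described above.

Two detective checks a payroll supervisor, CFO or board might run:
  1. compare the current payroll register with the prior one and flag
     new payees, dropped payees, large pay changes, changed bank
     accounts and bank accounts shared by more than one employee;
  2. compare budget to actual by account and flag large variances.
All input below is constructed sample data, not real records.
"""
from collections import defaultdict

# Constructed prior-period and current-period payroll registers.
PRIOR_PAYROLL = [
    {"emp_id": "E100", "name": "A. Adams", "bank": "1111", "gross": 4000.00},
    {"emp_id": "E101", "name": "B. Baker", "bank": "2222", "gross": 5200.00},
    {"emp_id": "E102", "name": "C. Chen",  "bank": "3333", "gross": 3100.00},
    {"emp_id": "E103", "name": "D. Diaz",  "bank": "4444", "gross": 6000.00},
]
CURRENT_PAYROLL = [
    {"emp_id": "E100", "name": "A. Adams", "bank": "1111", "gross": 4000.00},
    {"emp_id": "E101", "name": "B. Baker", "bank": "2222", "gross": 7800.00},  # +50% pay
    {"emp_id": "E102", "name": "C. Chen",  "bank": "9999", "gross": 3100.00},  # bank changed
    {"emp_id": "E104", "name": "E. Evans", "bank": "9999", "gross": 2900.00},  # new, shares bank
]
# Constructed year-to-date budget and actual figures by account.
BUDGET = {"Supplies": 12000.0, "Travel": 8000.0, "Consulting": 20000.0}
ACTUAL = {"Supplies": 12400.0, "Travel": 11500.0, "Consulting": 19000.0}


def compare_payroll(prior, current, pay_change_pct=0.10):
    """Return (code, who, detail) exceptions between two payroll registers."""
    prior_by_id = {r["emp_id"]: r for r in prior}
    current_by_id = {r["emp_id"]: r for r in current}
    exceptions = []
    for emp_id, cur in current_by_id.items():
        old = prior_by_id.get(emp_id)
        if old is None:
            exceptions.append(("NEW_PAYEE", emp_id, cur["name"]))
            continue
        if cur["bank"] != old["bank"]:
            exceptions.append(("BANK_CHANGE", emp_id, f"{old['bank']}->{cur['bank']}"))
        if old["gross"] > 0:
            change = (cur["gross"] - old["gross"]) / old["gross"]
            if abs(change) > pay_change_pct:
                exceptions.append(("PAY_CHANGE", emp_id, f"{change:+.0%}"))
    for emp_id in prior_by_id.keys() - current_by_id.keys():
        exceptions.append(("REMOVED_PAYEE", emp_id, prior_by_id[emp_id]["name"]))
    # Two employees paid into one account is a classic ghost-employee indicator.
    by_bank = defaultdict(list)
    for r in current:
        by_bank[r["bank"]].append(r["emp_id"])
    for bank, ids in by_bank.items():
        if len(ids) > 1:
            exceptions.append(("SHARED_BANK", ",".join(sorted(ids)), bank))
    return exceptions


def budget_to_actual(budget, actual, pct_threshold=0.10, abs_threshold=1000.0):
    """Flag accounts whose variance exceeds both a percentage and an absolute floor."""
    flagged = []
    for account in sorted(set(budget) | set(actual)):
        b, a = budget.get(account, 0.0), actual.get(account, 0.0)
        variance = a - b
        pct = variance / b if b else float("inf")
        if abs(variance) >= abs_threshold and abs(pct) >= pct_threshold:
            flagged.append((account, round(variance, 2), pct))
    return flagged


def monitoring_report(prior, current, budget, actual):
    """Render both checks as the kind of exception report a reviewer would read."""
    lines = ["== Payroll exceptions =="]
    for code, who, detail in compare_payroll(prior, current):
        lines.append(f"{code:<14}{who:<12}{detail}")
    lines.append("== Budget-to-actual variances ==")
    for account, variance, pct in budget_to_actual(budget, actual):
        lines.append(f"{account:<14}{variance:>10.2f}  {pct:+.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(monitoring_report(PRIOR_PAYROLL, CURRENT_PAYROLL, BUDGET, ACTUAL))
```

The report is only a control if someone with authority actually reads it and follows up on each exception, which is the implementation question the section above asks.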
Creating monitoring reports is a part of another entity-level control: information and communication.
4. Information and Communication
How does the entity communicate its internal controls? How does a company inform its employees about its financial reporting process? Do training manuals exist? Are the internal controls mapped in a flowchart? What reports are provided to the board and management, or to an owner of the company? Are dashboards used?
Most smaller entities communicate the internal control structure verbally. A new person is hired and the supervisor explains what is to be done. And oftentimes the supervisor knows what to do because the same was done for him on the day he was hired. Similar to control environment and risk assessment, the information and communication component is not always clearly defined in a smaller organization.
Larger entities often have formal internal control or accounting manuals; the policies are in black and white. But written internal control communications don’t always mean material misstatements are less likely. Personnel may still not understand their internal control responsibilities. The bottom line is whether the control structure is properly communicated. That can be done verbally or in writing.
Verbal and Written Communications
When internal controls are communicated verbally, the auditor needs to inquire of employees to see how they learned about the accounting system and related internal controls. Then observe the daily operations to see if the controls are performed properly.
When the internal controls are communicated in writing, the auditor should review the guidance. And, again, observe the organization’s personnel to see if they understand the accounting system and controls.
Monthly financial statements and reporting statistics are vital to managing an organization and to ensuring the appropriateness of the information. Additionally, many entities use dashboards to see key information. Why? Well, you can’t steer a ship without knowing where it is.
Regarding information and communication, you want to know if the accounting handbooks, internal control reports, and financial reports lessen the probability of material misstatement. Does everyone know their internal control responsibilities? Are reports provided in a timely manner? If there is a breakdown in the controls, is that information communicated to those who can mend the weakness?
When you think of information and communication, think of Captain Kirk at the helm of his spaceship. The screen before him and the people around him kept him informed. Because he knew what was going on at all times, he was able to protect his friends and his ship. The same is true in a business, a nonprofit, or a government. Clear communications keep the financial statements in good order.
My purpose in writing this post is to remind you of the importance of entity-level controls. Give them a little love and respect. Pay attention to them. In some ways, they are more important than activity-level controls. After all, if the board and management aren’t honest, what good are activity-level controls? And even if the leaders are honest, risk assessment is necessary to detect breakdowns in the control structure. Monitoring, as a sister to risk assessment, will help the company see control weaknesses. And finally, information and communication makes everyone aware of their responsibilities and of internal control weaknesses.
In a perfectly designed internal control system, each component complements and supports the other, making the risk of material misstatement less likely. Lower risk means less substantive work for the auditor, and higher risk means more.
Auditor’s Risk Assessment Summary
If you detect control weaknesses while examining the entity-level controls, consider how they affect your risk assessment. Bring those weaknesses into your risk assessment summary along with any others you detect in your other risk assessment work (e.g., walkthroughs, planning analytics).
Once all risks are brought together, you can develop your responses. Make sure you link your risks to the planned procedures. Otherwise, your peer reviewer may throw a red flag.
Here’s an article regarding responses titled Tests of Details: Substantive Procedures.