New approach to entity-wide controls assessment adds value
 
By Tom Andreesen, Mike Head, Paul Sobel, and Kurt Reding
 
Web AuditNet


  

On April 25, 2007, at the Super Strategies Audit Best Practices Conference sponsored by the MIS Training Institute, Mike Head (TD Ameritrade Managing Director of Corporate Audit), Kurt Reding (Professor at Friends University), Paul Sobel (Mirant Corporation Vice President of Internal Audit) and Tom Andreesen (Protiviti Managing Director) hosted a double session on evaluating entity-wide controls. This article highlights their perspective on this value-added approach to assessing internal control.

 

The concept of entity-wide controls has been around since the Committee of Sponsoring Organizations of the Treadway Commission (COSO) introduced its Internal Control Framework in 1992. Yet there continues to be confusion over the definition of entity-wide controls, as well as over how to evaluate and test these controls. Clearing up this confusion will help management and internal audit functions evaluate internal controls more efficiently, allowing the organizations they serve to establish a more robust and reliable control framework.

 

Before the enactment of the Sarbanes-Oxley Act (SOX) in 2002, few organizations conducted comprehensive evaluations of their entity-wide controls. Since the enactment of SOX, the Securities and Exchange Commission (SEC) and Public Company Accounting Oversight Board (PCAOB) have required public companies to perform entity-wide control evaluations.

 

Unfortunately, neither the SEC nor the PCAOB has provided much “how-to” guidance for this evaluation process. Even after COSO’s latest round of guidance, issued in 2006 for smaller publicly held companies, the SEC and PCAOB produced more of a conceptual framework, with the SEC focused on management and the PCAOB focused on auditors. It appears that the goal of the SEC and PCAOB is to reduce the strain of SOX compliance on organizations. To assist with this effort, their emphasis now is on a top-down, risk-based approach to assessing controls, recognizing that if there are serious breakdowns in entity-wide controls, those breakdowns could be fatal to an organization.

 

Organizations that are exempted from SOX compliance also can benefit from adopting the COSO Framework and strong entity-wide controls.

 

Linking controls to specific risks

 

To leverage a top-down approach and reduce the need for testing controls at the process and transaction levels, there must be a methodology (framework) to link entity-wide controls to specific control objectives and risks at the process and transaction level.

 

If an organization can link entity-wide controls to “key” process- and transaction-level controls and perform effective testing of the entity-wide controls, management, as well as auditors, should be able to place more reliance on the entity-wide controls. This will not only make SOX compliance more efficient; it will also help improve operations and make annual audit planning more effective.


 

To date, most organizations have used a checklist approach to evaluating entity-wide controls. However, this approach fails to link entity-wide controls to lower-level process- and transaction-level control evaluations. As a result, most organizations have not yet realized the full benefits of effective entity-wide controls.

 

Part of the problem may be in defining and understanding entity-wide controls. The SEC uses the term “entity-level controls.” The PCAOB refers to “company-level controls.” To complicate matters even further, COSO recently introduced the term “entity-wide controls,” which is a departure from its previous use of the term “entity-level controls.”

 

COSO’s first use of “entity-wide” appeared in its guidance for smaller publicly held companies on evaluating internal controls over financial reporting (released in June 2006). There has been no explanation for the shift in terms. This raises the question: Is COSO thinking of something different from before, or is the Committee simply applying a new name to a prior concept?

 

In this new guidance, COSO defines entity-wide to mean “Controls that occur at the entity level of a company and have a pervasive influence across the organization. Entity-wide controls may exist in any of the five components of internal control.” This is a critical point because entity-wide controls have historically been associated only with the control environment component of internal control. Yet COSO has clearly stated that the other four components (risk assessment, control activities, information and communication, and monitoring) may also involve entity-wide controls.

 

Defining entity-wide controls

 

We would like to suggest the following definition of entity-wide controls:

 

“Controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved.”

 

Examples include: code of ethics; risk management policies and procedures; fraud prevention and detection programs; human resources policies and procedures; management’s control deficiency escalation process; IT general controls; and controls over the period-end financial reporting process.

 

Even with strong (effective) entity-wide controls in place, an organization still must have effective process, transaction and application controls. The organization must also evaluate and test these lower-level controls to validate that they are adequately designed, operating effectively and supporting the achievement of business objectives. Many controls that are considered less critical from a SOX compliance standpoint (non-ICFR controls, i.e., controls outside internal control over financial reporting) are still very important to supporting the business model. From an internal control certification point of view (SOX compliance), an organization may not have to test and opine on these non-ICFR controls, but management should still evaluate them for effectiveness.

 

We believe entity-wide controls can be categorized into two main classifications: entity-level and business unit-level. Another way to look at these two classifications might be to characterize them as “indirect” and “direct” entity-wide controls, with direct controls being those entity-wide controls that can be readily linked to process- and transaction-level controls.

 

A good definition of entity-level controls is “Entity-wide controls implemented by the board and senior management to (1) establish the control culture and expectations of the organization and (2) prescribe guidance that pervasively affects the organization’s overall system of internal controls.”

 

Examples of (1) include: audit committee oversight of internal controls; top management’s attitude toward financial reporting; and the board and top management’s risk appetite.

 

Examples of (2) include: code of ethics and compliance policies; organization-level risk assessment; IT policies; and monitoring business units’ performance.

 

Business unit-level controls would be those entity-wide controls executed by business unit management to mitigate risks threatening the business unit and to provide assurance that business unit objectives are achieved. These controls are generally consistent among business units but may vary in their execution from one business unit to another.

 

Examples of business unit-level controls include: monthly analyses of budget-versus-actual results; IT general controls; the controls over the period-end closing and financial reporting process; and business unit-level risk committees and activities.

 

Process-level controls are not entity-wide controls. Process owners implement these controls to mitigate the risks threatening a specific process and provide assurance that process objectives are achieved. Process-level controls are generally consistent across processes but may vary in their execution from one process to another.

 

Examples of process-level controls include: reconciliations of key accounts; physical verifications of assets (e.g., inventory counts); processing of employee performance evaluations; process-level risk assessments; and monitoring/oversight of specific transactions.

 

Transaction-level controls also do not operate entity-wide. These controls mitigate the risks threatening the execution of individual transactions and provide assurance that transaction objectives are achieved. Transaction-level controls are generally consistent among different types of transactions but may vary in their execution from one transaction type to another.

 

Examples of transaction-level controls include: authorizations, documentation (e.g., source documents), segregation of duties, and IT application controls (input, processing, and output).

 

Look beyond the descriptors

 

Do not get too hung up on the descriptors we have chosen. The point of these definitions is to recognize that entity-wide controls should exist at all levels of an organization. It is important to identify those controls that are directly tied to key business activities and significant processes. Whether the goal is accurate financial reporting, compliance with laws and regulations, or operational efficiency, an organization needs to tie entity-wide controls to those process- and transaction-level controls essential to its business. This starts with assessing the design and operating effectiveness of entity-wide controls and subsequently linking them to key process- and transaction-level controls.

 

To create a logical framework and see how these different levels of controls work together on a consistent basis, we suggest starting with an entity-level controls assessment. Entity-level controls can be thought of as “gatekeeping” controls. If these entity-level controls are unreliable, an organization may not be able to rely on any other controls. Assuming the entity-level controls assessment allows you to pass through that gate, you can then begin assessing the next level of entity-wide controls (again, we refer to those as business unit-level controls).

 

Keep in mind that this is a suggested approach. There will always be a need for judgment within each organization. However, we believe if all appropriate entity-level controls appear to be in place and operating effectively, the business unit-level controls assessment can then take place and proceed as follows:

 

  • Scenario: Several business unit-level controls exist. Perform moderate testing of process-level controls and limited testing of transaction-level controls.
  • Scenario: A few business unit-level controls exist. Perform moderate testing of process-level controls and moderate testing of transaction-level controls.
  • Scenario: No business unit-level controls exist. Perform extensive testing of process-level controls and moderate testing of transaction-level controls.

 

However, if entity-level control gaps exist but are not pervasive or significant, you might need to adjust the business unit-level controls assessment and continue testing controls as described above. Remember, if these gaps are pervasive or significant, or both, this could be a fatal situation. Material weaknesses could result, making reliance on any controls risky at best.

 

‘Soft’ versus ‘hard’ controls

 

Control testing approaches vary depending on what is being tested. “Soft” controls, those tending to reflect the organization’s culture, are by their nature generally more difficult for management and auditors to assess than “hard” process controls. Inquiries and surveys, while useful, are not sufficient for testing soft controls. Results must be corroborated, and a body of evidence should support conclusions.

 

Internal auditors also need a more sophisticated level of expertise to effectively assess entity-wide controls. They must have a top-down perspective, able to see the forest as well as the trees. They need the experience to sense when things are not right, and the credibility and fortitude to stand up to senior managers when necessary.

 

Forward thinking is a critical skill as well. Entity-wide control evaluations should precede the annual risk assessment and audit planning process. This usually means they should be performed in the last quarter of the preceding year. Better yet, do not think in calendar terms; think in terms of a planning cycle. Consider the entity-wide controls assessment as a key springboard to decisions made in the annual planning process. This is not in conflict with the common SOX testing approach in which entity-wide controls are evaluated and tested in the first half of the year. If the entity-wide evaluation is performed, say, in the fourth quarter to support audit planning for the following year, it can serve as a “roll-forward” evaluation for the current year as well as a preliminary evaluation for the upcoming year. Appropriate testing embedded in the annual audit plan can also support the annual control evaluation.

 

The bottom line is apparent. If organizations have robust and effective entity-wide controls and use a top-down, risk-based internal control assessment approach, they should be able to reduce their reliance on process- and transaction-level controls and on mitigating and compensating controls. This, in turn, will reduce the resources needed to test such controls, resulting in greater efficiency and potentially lower costs to the organization.


Article from Protiviti KnowledgeLeader – www.knowledgleader.com.

 

KnowledgeLeader is a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk, and add value. Free 30-day trials available.

 

 

Protiviti is a leading provider of truly independent internal audit and business and technology risk consulting services. We help clients identify, measure and manage operational and technology-related risks they face within their industries and throughout their systems and processes. And we offer a full spectrum of audit services, technologies and skills for business risk management and the continual transformation of internal audit functions.

 

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.