In this article, I explain why entity-level controls are important and how to audit them.
Activity-level controls, those such as segregation of duties, get all the love. But what about entity-level controls? It seems to me they don’t receive the attention they deserve.
The fountainhead of internal controls is the Committee of Sponsoring Organizations (COSO). Auditors recognize the COSO control components when they see:
- Control environment
- Risk assessment
- Information and communication
- Monitoring
- Control activities
Controls that address financial-statement-level risks are known as entity-level controls. For example, a poor control environment can pervasively affect financial statements. And controls that address risks at the assertion level, such as control activities, are known as activity-level controls.
Auditing standards require consideration of these five components in all audits. While auditors are more familiar with the fifth element, control activities, the others are important as well. Auditors review the design and implementation of controls of each component, not just control activities. In other words, auditors consider entity-level and activity-level controls. Or at least, they should.
The five components, when designed and working correctly, result in materially correct financial statements. In large businesses, the five components are often more clearly defined. Smaller entities, however, tend to blend the five, and they are less distinct. Regardless, the entity-level and activity-level controls are important in all companies, nonprofits, and governments.
The first element is control environment, what many refer to as the tone at the top. In examining this component, you learn about those charged with governance and management. Are they committed to financial statements without material misstatements? Do these leaders receive internal control reports? If the entity has internal auditors, how often do they meet with the board? If there are no internal auditors, how receptive is the board to annual audit communications regarding internal controls?
The control environment component is more subjective than the other four. Therefore, testing for appropriate design and implementation is more challenging. So, what should you look for? What documents should you review?
Some companies have a code of conduct. If they do, review it, and see if company personnel are familiar with it. Is the code a part of the company’s DNA or just a document for the filing cabinet?
In all entities, see if the board members and management actively govern. Read the minutes to understand the board’s participation level. Review the reports provided to them. See how often they receive these and whether they understand them.
Segregation of duties, an activity-level control, may be lacking, especially in smaller organizations. A compensating control is the board or owner’s review of financial statements. Additionally, in entities with budgets, the board might receive budget-to-actual reports. Moreover, the board might review a list of disbursements.
How often does the board or the owners meet? If monthly, great. If once a year, not so good.
Is there a conflict-of-interest statement and does the company abide by it? Do board members and management disclose their potential conflicts annually?
Does the entity have a whistle-blower policy? Can employees anonymously report suspicious activity? Who receives the whistle-blower reports? Who follows up on them and how often? How does the company respond to theft?
If the company has internal auditors, do they report directly to the board or to management? Internal auditors should have a direct line to those charged with governance. Additionally, internal auditors should be hired and fired by the board, not management. Internal auditors monitor the actions of management. That’s why they should report directly to the board.
Are appropriate resources given to the information technology (IT) personnel? Does IT provide periodic operating reports to the board and management? Do they have sufficient education and knowledge? What is IT doing to protect the information system? Is IT accountable to leadership? Are they transparent about their activities?
And what about management personnel? Are they accountable to the board? In some organizations, the chief executive officer (CEO) runs the company with little accountability. That is not desirable in larger entities, but it is quite common and maybe necessary in smaller ones. In a smaller business, the CEO and the owner might be one and the same.
After reviewing factors such as those mentioned above, consider that honesty is the key to control environment. And honesty is not what the leadership says, but what they do. So ask yourself, “Do they walk the talk?”
Even though the control environment is more subjective than the other four components, you still need to review the design and implementation of controls. You can only do so with controls, not personal characteristics. You can’t review the CEO’s ethics, for example, but you can read the code of conduct. You can’t review the CFO’s transparency, but you can examine a whistle-blower program. You can’t review the board chair’s intelligence, but you can inspect the monthly financial statements as provided to the board. Look for controls, not just subjective characteristics. Asking, “Are your board members ethical?” is not enough.
But what if there are no control environment documents such as a code of conduct? In smaller entities, this is possible, but most organizations do provide financial reports to those in charge. If there are no controls, consider the impact on the risk of material misstatement. Also, consider whether compensating controls exist in the other four components of the internal control system.
Now, let’s look at risk assessment.
Here again, examine the design and implementation of the risk assessment component. Smaller companies might present a challenge here: they often have no formal risk assessment process. An informal process, however, does not mean that controls are lacking.
A small business owner’s risk assessment process might include financial statements reviews. Why? Her knowledge of the business enables her to detect—at least some—misstatements. Moreover, the owner considers the competency of her accountants. She knows that smart accountants lead to good numbers. Additionally, she hires outside IT professionals to maintain the information system, or she uses cloud-based software such as QuickBooks. Why? Because IT is part of a healthy accounting system. As you can see, small business risk assessment can be informal, but still effective.
In larger companies, risk assessment is more robust. The board and management periodically meet to focus on risk assessment. And internal auditors test the accounting system and provide reports to leadership. It’s easier to review risk assessment design and implementation in such an environment.
Regardless of the entity size, companies normally use disclosure checklists to prepare their financial statements. Such checklists lower the risk of incomplete or omitted disclosures.
Does the company present consolidated financial statements? Then consolidating controls, such as a second-person review, are necessary. Improper consolidating procedures can easily result in material misstatements. Therefore, risk assessment should encompass the consolidation process.
Most importantly, company personnel should think about how the financial statements might contain material misstatements in light of the existing controls, accounting personnel, and business dynamics. So, has anyone considered how errors or fraud might occur? And is the risk assessment process documented? If yes, then the auditor should review it. If no, then the auditor should consider the company’s informal processes and whether they decrease the risk of material misstatements.
The risk assessment works best when monitoring reports are also used.
Monitoring provides feedback on the effectiveness of the financial reporting process. Error and fraud can occur even when a company has a great internal control structure. Not only should monitoring information be provided to the leadership of the organization, but companies should generate monitoring reports at lower levels. After all, you want to detect problems as soon as possible.
As we said in the risk assessment section above, larger companies often have internal auditors. And those auditors provide reports to the board and management about financial reporting, whether it is occurring properly or not. Such reporting during the year lessens the probability that the external auditors will detect material misstatements after year-end.
But even if an organization has no internal auditors, monitoring can still occur. The CFO can review monthly accounting reports. The payroll supervisor can compare the current compensation reports with earlier ones. The board can review budget-to-actual reports. The owner can compare production statistics with monthly financial statements.
Vetting the design and implementation of monitoring is usually much easier than reviewing the control environment or risk assessment. Why? Well, either accounting reports are generated and reviewed by company personnel or they are not.
If the monitoring reports enable the organization to detect and correct material misstatements, then this component is properly designed. And companies that generate and review monitoring reports have implemented the control.
Creating monitoring reports is a part of another entity-level control: information and communication.
Information and Communication
How does the entity communicate its internal controls? How does a company inform its employees about its financial reporting process? Do training manuals exist? Are the internal controls mapped in a flowchart? What reports are provided to the board and management, or to an owner of the company? Are dashboards used?
Most smaller entities communicate the internal control structure verbally. A new person is hired and the supervisor explains what is to be done. And oftentimes the supervisor knows what to do because the same was done for him on the day he was hired. Similar to control environment and risk assessment, the information and communication component is not always clearly defined in a smaller organization. Larger entities often have formal internal control or accounting manuals; the policies are in black and white. But written internal control communications don’t always mean material misstatements are less likely. Personnel may still not understand their internal control responsibilities. The bottom line is whether the control structure is properly communicated. That can be done verbally or in writing.
When internal controls are communicated verbally, the auditor needs to inquire of employees to see how they learned about the accounting system and related internal controls. Then observe the daily operations to see if the controls are performed properly.
When the internal controls are communicated in writing, the auditor should review the guidance. And, again, observe the organization’s personnel to see if they understand the accounting system and controls.
Monthly financial statements and reporting statistics are vital to managing an organization and to ensuring the appropriateness of the information. Additionally, many entities use dashboards to see key information. Why? Well, you can’t steer a ship without knowing where it is.
Regarding information and communication, you want to know if the accounting handbooks, internal control reports, and financial reports lessen the probability of material misstatement. Does everyone know their internal control responsibilities? Are reports provided in a timely manner? If there is a breakdown in the controls, is that information communicated to those that can mend the weakness?
When you think of information and communication, think of Captain Kirk at the helm of his spaceship. The screen before him and the people around him kept him informed. Because he knew what was going on at all times, he was able to protect his friends and his ship. The same is true in a business, a nonprofit, or a government. Clear communications keep the financial statements in good order.
My purpose in writing this chapter is to remind you of the importance of entity-level controls. Give them a little love and respect. Pay attention to them. In some ways, they are more important than activity-level controls. After all, if the board and management aren’t honest, what good are activity-level controls? And even if the leaders are honest, risk assessment is necessary to detect breakdowns in the control structure. Monitoring, as a sister to risk assessment, will help the company see control weaknesses. And finally, information and communication makes everyone aware of their responsibilities and of internal control weaknesses.
In a perfectly designed internal control system, each component complements and supports the other, making the risk of material misstatement less likely. Lower risk means less substantive work for the auditor, and higher risk means more.
Risk Assessment Summary
If you detect control weaknesses while examining the entity-level controls, consider how they affect your risk assessment. Bring those weaknesses into your risk assessment summary along with any others you detect in your other risk assessment work (e.g., walkthroughs, planning analytics).
Once all risks are brought together, you can develop your responses. Make sure you link your risks to the planned procedures. Otherwise, your peer reviewer may throw a red flag.
Here's an article regarding responses titled Tests of Details: Substantive Procedures.