The Sarbanes Oxley Act :: View topic - Entity Level Controls
Entity Level Controls

 
loverofsoxgal
Soxer
Joined: Oct 25, 2007
Posts: 15
Location: Arkansas

Posted: Tue Mar 25, 2008 4:02 pm    Post subject: Entity Level Controls

AS 5 points out that management and external auditors should place more reliance on entity level controls. However, I am having trouble identifying more than two! I am referring to controls that have a direct impact on a specific financial statement risk and not the indirect controls such as an ethics policy. Has anyone identified any entity-level controls and how are you benefiting from them in your 404 work?
kymike
SoxGuru
Joined: Jun 02, 2004
Posts: 636
Location: USA

Posted: Tue Mar 25, 2008 4:44 pm

Here is my take on this - I think sometimes it is a matter of semantics. We have classified our controls into these buckets -

Entity-level (policies, general corporate tone of mgmt)
Company-level common controls (account reconciliations, JEs, SOD, system access, period close analytics) which are tested on a combined basis over all processes
Process-specific controls (specific reviews of judgmental reserves, spreadsheets, etc)
ITCG

I also have not found any of our ELCs that provide FS assertion coverage. We do rely on the company-level controls to cover FS assurance at a high level.
loverofsoxgal
Soxer
Joined: Oct 25, 2007
Posts: 15
Location: Arkansas

Posted: Mon Mar 31, 2008 1:32 pm

Thanks for your comments. I was hoping you could provide specifics on how you have linked the CLC account reconciliations to your processes to allow you to eliminate key controls and/or reduce testing around process-specific controls. I am interested in balance sheet reconciliation and review controls as a company-level control but am concerned with the result of "failing" the control. Balance sheet reconciliations are such an important control, what if you find exceptions in testing? Do you fail the entire control? How does that impact other exceptions that you feel are not a significant deficiency due to the compensating control "balance sheet reconciliations are performed, etc?"

Your comments are appreciated.
kymike
SoxGuru
Joined: Jun 02, 2004
Posts: 636
Location: USA

Posted: Mon Mar 31, 2008 5:18 pm

There is some judgment required when looking at test exceptions as to whether or not to fail a control. When we look at reconciliations, we review to ensure that they include preparer and review signatures and dates work performed, tie back to supporting information (gl, subledger, excel control file, bank statement, etc.), schedule foots, outstanding items aged and cleared timely. If there is a lack of signatures or dates, we do not fail the control as we can generally determine that they were prepared / reviewed. Other exceptions may cause us to increase our sample size to help in our judgment as to operating effectively or deficient.

If this control fails, then other controls that failed which rely on reconciliations would also fail.

In general, we rely on (from top to bottom) -

Period/quarter reviews (very detailed)
SOD
Access Controls
Account Reconciliations
Account-specific controls for validity of supporting balances (generally the manually-calculated support such as lease reserves, AFDA, OAL, etc.)
kymike
SoxGuru
Joined: Jun 02, 2004
Posts: 636
Location: USA

Posted: Fri Feb 11, 2011 3:25 pm

Here is a link to a decent article on assessing entity-level controls.

www dot journalofaccountancy.com/Issues/2005/Jun/AssessingCompanyLevelControls
harrywaldron
SoxGuru
Joined: Jan 12, 2006
Posts: 849
Location: Roanoke, Virginia

Posted: Tue Feb 22, 2011 9:39 am

^ Thanks Kymike for sharing the link above - EXCELLENT resource
All times are GMT - 6 Hours