Entity Level Controls and Testing



  • Has anyone here moved to a more top down approach in year two - relying more on entity level controls and testing them thoroughly? My company is planning for year 2, and we would love to be able to do this, but the idea seems so abstract. We haven’t gotten any good examples of this kind of reliance and testing yet. Any thoughts?



  • Based on my experience, I just recently received the request for data for the external auditors' testing and it does not seem top level at all. The data requested is more like a substantive financial review of the BS accounts. Too few requests for controls evidence.
    That is what is happening, despite the recommendation of the SEC.
    :x :x
    bye



  • It is discouraging that so many audit engagements are misapplying Audit Standard 2. From my experience, many engagements are spending excessive amounts of time testing the design and operating effectiveness of every control over every assertion of every account balance. It appears as if this trend will continue at least into Year 2, despite the SEC and PCAOB comments directing auditors to take a risk-based approach to testing for the effectiveness of internal controls over financial reporting.
    Auditors should be focusing on ‘significant’ controls over ‘material’ (considering both qualitative and quantitative factors) account balances. Auditor refusal to practice in such a manner increased the costs of compliance to levels approximately five times the aggressive estimates.
    We can only hope that auditors change their testing strategies, sooner rather than later, so that the benefits from Sox, which are significant, can be realized without the talks of the costs stealing the spotlight.
    Companies receiving an unqualified opinion in Year 1 on their internal controls over financial reporting, do, in my opinion, have significant opportunities to save money moving to Year 2. AS2 requires that management evaluate ‘the operating effectiveness of controls based on procedures sufficient to assess their operating effectiveness.’ Given that all controls were working as of the end of Year 1, management should be able to rely on effective monitoring controls (as described in COSO’s Internal Control - Integrated Framework) to assess the operating effectiveness of the controls at the end of Year 2.
    This would greatly reduce the amount of testing required on process and application level controls. Management would, however, need to document and test thoroughly any new, or changed, processes put in place during Year 2. Testing the monitoring controls, given they are effective, should be sufficient evidence that the controls are still working.
    But until auditors, and management alike, are able to see the forest for the trees, we will continue in a cycle of excessive costs and resulting complaints from the companies who need to be in compliance.



  • A couple of comments to add:

    1. As far as I can see our auditors have taken a materiality based approach to determining which accounts and processes that they look at. Occasionally they’ve gotten off track but we’ve generally managed to bring them back in line. The key to this though is having someone who has sufficient knowledge and experience to talk their language.
    2. I’m not convinced that auditee companies actually need to do anything on entity-level controls. There is an auditor requirement to assess them resulting from PCAOB AS2 - but this doesn’t apply to the companies themselves. I also find it hard to make the linkage between meeting your financial statement assertions based on having a good internal audit department rather than looking at process level controls.
    3. Similarly using monitoring controls seems to me something that sounds good in theory but less effective in practice. Consider the hypothetical situation where you have reviewed/carried out your monitoring controls to give you assurance over the process level controls - yet your auditors test the process level controls (because they have to) and find them to be ineffective. And that is after assuming that your company actually has effective monitoring controls - I have seen very few in practice.


  • The key to this though is having someone who has sufficient knowledge and experience to talk their language.
    This is a really good point. In IT environments, this is the No. 1 problem.



  • You’re not joking about IT. The regular financial/business processes are bad enough, but I don’t know which has the bigger communication gap: IT auditors and IT departments, or IT auditors and financial auditors.



  • In my argument for the use of monitoring control, I am assuming that controls at the application level have been found to be effective by management and the external auditors in year 1 and that there have been no changes to the company’s control processes. If found effective in prior years and no process changes have been made, I believe reliance can be gained from monitoring controls. The external auditors can test all of the controls they already tested (in prior years) and they should not find any exceptions.
    Dennis, you bring up a great point - monitoring controls are rarely effective and implementing this strategy in practice would be difficult. Given the litigation-happy business environment, I doubt management or external auditors would be comfortable relying solely on monitoring controls. It is just a possibility for cost savings as we progress through years of SOX implementation.



  • Ernst and Young have come up with Efficient Testing Strategies for 2006. One of the pivotal recommendations by them is to leverage entity-level controls sufficiently. Therefore, ELC has a reflection on scope of process controls.



  • Ernst and Young have come up with Efficient Testing Strategies for 2006. One of the pivotal recommendations by them is to leverage entity-level controls sufficiently. Therefore, ELC has a reflection on scope of process controls.
    Have they published anything on this yet? I have seen a lot of ‘theoretical’ talk about reliance on ELC to reduce the scope of testing, but have not yet seen any practical real-world examples.



  • Unfortunately, it is still a theory. But, I am planning to evolve a top down approach for 2006 for my company.
    I can give an example here:
    We check for segregation of duties (SOD) conflicts by completing the SOD Matrix evolved by Ernst and Young. This is part of our Entity Level Control.
    I would keep the forum posted on more examples.

