Entity Level Controls

  • Hi SOX Colleagues,
    I’m working in The Netherlands as compliancy officer and currently rethinking the Entity Level Control documentation. Somehow I think that we could improve the procedure. Currently we are working with a questionnaire file which addresses all the relevant items, but this is not easily translated into specific control aspects to be tested and documented. A lot of items are linked to existing key controls already, and simply answering the questions is not the same as testing it.
    Can someone help me with best practices or examples of how others are covering this specific element of the control environment?

  • Hi SOX-NL,
    Like all other elements, the control environment has a pervasive impact on internal control. I do use questionnaires to conduct interviews and align COSO requirements to the internal control.
    The questionnaires used as a guide don’t need to be answered one by one, and I usually group them by type.
    As for the level of testing, we consider entity level a manual control with annual frequency, and I need only one example to guarantee operating effectiveness. Other cases, like employee sign-on to the ethics code, I usually test as multiple times a day, and test a sample of 40 employees.

  • Ricardo,
    Thanks for your reply. I tried to group them also but still wasn’t happy with the result.
    I’m currently working on a breakdown structure, meaning we have elements on Corporate Level only [US office] covering all worldwide entities; elements on European HQ in The Netherlands; elements on Line of Business Management; and finally just some going down into the entity level on country level. By doing this I would like to create clear focus points by putting the control elements as high as possible in the organizational structure and only bring them down when it is really needed.
    What do you think of such a breakdown?
