Entity-level Controls 2250

  • Has anyone considered scaling back on the testing of entity-level controls that offer no direct reduction of financial reporting risk at the assertion level?
    For example, following COSO, we have tested entity-level controls related to HR hiring process (background checks, interview process, compensation target setting), employee performance (annual personnel evaluations, personal bonus goals) employee development (programs offered) and internal communications among others that collectively impact the ‘tone at the top’, but have no direct relationship to financial reporting risks. The latest SEC guidance does not mention these types of controls, but focuses on the entity-level controls (financial reviews, account reconciliations, journal entry controls, system access, etc.) that have a direct impact in reducing financial statement risks of material errors.
    If you have dropped the indirect controls, please reply within this thread and give reasons for dropping those controls along with the name of your auditor, any issues that the auditor had in your new approach and how you worked through that with them.
    While tone at the top is important in a general sense, I cannot see how it has impacted the nature and extent of our controls testing.

  • Hi KyMike:
    We did recently scale back some of the entity-level controls that you described in your post. Specifically, we downgraded several of the hiring and interviewing controls from ‘key’ to ‘non-key’. We employ a third-party testing firm for SOX purposes and they suggested that we run this by our external auditors. Our auditors agreed, but this may have been because we are a non-accelerated filer and Year 1 for us will only require Management Attestation. Next year’s audit might be different. I’d suggest that you run these questions by your externals. The old chinese wall that once separated auditors from filers is now barely opaque. In my recent experience, they have been increasingly open to answering our questions as they come up.
    Best of luck.

  • I am in agreement with you kymike and I have been purusing the scaling back of these controls. I know of another blue chip company with a similar view. The difficulty I am experiencing is pursuading the external auditors to agree which is important as that influences the CFO/CEO in deciding to do less testing.

Log in to reply