Entity Level Controls 2354

  • AS 5 points out that management and external auditors should place more reliance on entity level controls. However, I am having trouble identifying more than two. I am referring to controls that have a direct impact on a specific financial statement risk and not the indirect controls such as an ethics policy. Has anyone identified any entity-level controls and how are you benefiting from them in your 404 work?

  • Here is my take on this - I think sometimes it is a matter of semantics. We have classified our controls into these buckets -
    Entity-level (policies, general corporate tone of mgmt)
    Company-level common controls (account reconciliations, JEs, SOD, system access, period close analytics) which are tested on a combined basis over all processes
    Process-specific controls (specific reviews of judgmental reserves, spreadsheets, etc)
    I also have not found any of our ELCs that provide FS assertion coverage. We do rely on the company-level controls to cover FS assurance at a high level.

  • Thanks for your comments. I was hoping you could provide specifics on how you have linked the CLC account reconciliations to your processes to allow you to eliminate key controls and/or reduce testing around process-specific controls. I am interested in balance sheet reconciliation and review controls as a company-level control but am concerned with the result of ‘failing’ the control. Balance sheet reconciliations are such an important control, what if you find exceptions in testing? Do you fail the entire control? How does that impact other exceptions that you feel are not a significant deficiency due to the compensating control ‘balance sheet reconcilations are performed, etc?’
    Your comments are appreciated.

  • There is some judgment required when looking at test exceptions as to whether or not to fail a control. When we look at reconciliations, we review to ensure that they include preparer and review signatures and dates work performed, tie back to supporting information (gl, subledger, excel control file, bank statement, etc.), schedule foots, outstanding items aged and cleared timely. If there is a lack of signatures or dates, we do not fail the control as we can generally determine that they were prepared / reviewed. Other exceptions may cause us to increase our sample size to help in our judgment as to operating effectively or deficient.
    If this control fails, then other controls that failed which rely on reconciliations would also fail.
    In general, we rely on (from top to bottom) -
    Period/quarter reviews (very detailed)
    Access Controls
    Account Reconciliations
    Account-specific controls for validity of supporting balances (generally the manually-calculated support such as lease reserves, AFDA, OAL, etc.)

  • Here is a link to a decent article on assessing entity-level controls.
    www dot journalofaccountancy.com/Issues/2005/Jun/AssessingCompanyLevelControls

  • ^ Thanks Kymike for sharing the link above - EXCELLENT resource

Log in to reply