A Guide for Management

Overview Benefits of entity-level controls Nature of entity-level controls Types of entity-level controls, control

objectives, and control examples

An approach for evaluating entity-level controls

Questions and answers

Reasons for This Presentation

Assists in fulfilling your responsibilities for financial reporting

Emphasizes the importance of entity-level controls and how they mitigate financial statement risks

Explains how entity-level controls differ from other controls

Illustrates the benefits of strong entity-level controls

Reasons for This PresentationProvides an approach for assessing the

adequacy of your entity-level controls

Benefits of Focusing on Entity-level ControlsPervasive effect on other controlsServe as a foundationCost-effective to implement and operateMay serve as key controls to prevent, detect,

and correct errors or fraud

Internal Control – An OverviewProcess employed by the company to provide

reasonable assurance of achieving financial reporting objectives

Consists of five interrelated componentsTo be effective, all components should be in

placeApplies to all companies—both small and largeHelps prevent, or detect and correct,

misstatements resulting from risks

Five Components of Internal Control

Which of the Components are Entity-Level Controls?Control EnvironmentRisk Assessment Information and CommunicationMonitoring Control Activities

Entity-Level Controls

Control ActivitiesNot Entity-Level Controls, But What Are They?

Make up the majority of controls at most entities

Apply to the processing of transactionsDesigned to achieve specific control

objectivesOften the focus of management, accounting

personnel, and auditors

Control Activities Are Critical, But ….

Why “Entity-Level?”Impact is pervasiveNot associated with specific accounts,

transactions, or disclosuresOften carried out by management

Why “Entity-Level?”Pervasiveness

ControlActivities

Entity-level Controls─Control Objectives

Control Environment ObjectivesThose charged with governance are actively

involved and have influence over financial reportingManagement demonstrates character, integrity, and

ethical valuesManagement’s philosophy and operating style are

consistent with a sound control environmentThe organizational structure is appropriate to

support effective financial reportingHuman resource policies and procedures promote

integrity, ethical behavior, and competenceAuthority and responsibility are appropriately

assignedThe organization is committed to competence

Control Environment

Control examples How risks are addressed

Those charged with governance provide input and oversight to the financial statements

Management is ethical in its business dealings

Management demonstrates a sincere interest in achieving effective internal control and correcting deficiencies

Mitigates risk of fraudulent financial reporting through objective oversight

Demonstrates management’s commitment to ethical actions

Ensures that internal controls are a priority and resources are allocated to their proper design and implementation

Control Environment

Control examples How risks are addressed

Lines of authority and responsibility are clearly defined

Employee recruitment and retention practices are guided by principles of integrity and the necessary competencies associated with the positions

Job descriptions and other forms of communication inform personnel of their duties

Job performance and competence are periodically evaluated

Ensures that the organizational structure includes appropriate levels of review and segregation of duties

Promotes the hiring and retention of employees with integrity and ensures that they understand their roles

Identifies employees with inadequate performance or job skills for corrective action

Risk Assessment ObjectivesFinancial reporting objectives are established,

documented, and communicated Accounting principles are properly appliedPractices are established for identifying risks When assessing risks, the entire organization and

extended relationships are considered Mechanisms are implemented to anticipate,

identify, and react to changes Risks are properly evaluated and mitigatedAn appropriate fraud risk assessment and

monitoring process exists

Risk Assessment

Control examples How risks are addressed

The accounting department has a process to identify and apply changes in GAAP

Processes exist to identify changes in the business that affect the processing or recording of transactions

Budgets or forecasts are updated to reflect changes in activities

Ensures that all significant transactions and events are captured, accounted for, and reported in conformity with GAAP

Ensures that changes in the business are monitored, communicated, and analyzed for proper financial reporting

Identifies the likelihood and impact of changes on the entity’s financial results

Risk Assessment

Control examples How risks are addressed Plans are developed to

mitigate significant identified risks, including designing and implementing appropriate controls

Fraud risk assessment is an integral part of the risk identification process

Fraud risk assessment considers incentives and pressures, attitudes and rationalizations, and opportunities to commit fraud

Ensures that actions are taken to mitigate risk by designing and implementing appropriate controls

Considers fraud risk separately to ensure appropriate controls

Assesses areas that have a higher inherent risk of fraud to consider how fraud might occur or how controls might be overridden

Information and Communication Objectives

Information is identified, captured, used, and distributed at all levels of the entity

Information for the functioning of internal control is identified, captured, used, and distributed to allow personnel to carry out their internal control responsibilities

Communication exists between management and those charged with governance to enable role fulfillment

All personnel receive a clear message that internal control responsibilities are to be taken seriously

There is effective upstream communication

Information

Control examples How risks are addressed

Policies and procedures exist for capturing financial data completely, accurately, and on a timely basis

Financial personnel meet with line management to discuss operating results

Deadlines exist for period-end reporting which include appropriate reviews

Ensures the completeness, accuracy, and timeliness of data that affects the accounting records

Provides reliability of information and results through review of appropriate details and discussion with operating personnel

Reinforces the timely processing, reporting, and review of information and results through adherence to deadlines

Communication

Control examples How risks are addressed There are timely

communications between management and those charged with governance

Employees receive adequate information to complete their jobs

Upstream communication is encouraged to improve performance and enhance internal control

All reported improprieties are reviewed and investigated

Enhances reliability through timely feedback

Prevents errors by ensuring personnel have a clear understanding of policies, procedures, and expectations regarding job responsibilities

Minimizes improprieties by motivating employees to use upstream communication knowing their comments will be taken seriously

Monitoring ObjectiveManagement monitors controls over financial

reporting through:Ongoing monitoring Independent evaluationsRemediation of identified deficiencies

Monitoring

Control examples How risks are addressed Ongoing monitoring is built

into operations throughout the entity and includes a definition of what constitutes a deviation

Ongoing monitoring provides feedback on controls as well as processes

Reports from external sources such as external auditors and regulators are considered for their internal control implications, and timely corrective actions are identified and taken

Enables personnel throughout the organization to identify when a control has failed

Identifies control deficiencies that might allow errors or fraud to occur and go undetected as well as inefficient or ineffective processing routines

Provides an objective viewpoint to help identify better ways of doing things

Monitoring

Control examples How risks are addressed

Findings of deficiencies are reported to the appropriate person who can take corrective action and if applicable, one level of management above

Deficiencies are communicated regularly and as necessary to management and those charged with governance

Ensures that follow-up will occur when deficiencies are identified

Deters fraud through involvement of multiple levels of management

Ensures that top level management is aware of deficiencies so appropriate resources can be allocated to taking corrective action

Steps for Assessing Entity-Level Controls

Tools for Making the Assessment

Supporting tools can help with your assessment:

Complete (or update) a narrative describing your entity-level controls using “Understanding the Design and Implementation of Internal Control”

Supplement the documentation by completing the related “Entity-level Control Form”

ConclusionEvaluate all entity-level components— even

at small entitiesScale your controls to the size of the entityConsider how entity-level controls interact

with each other and with key control activities

Consider how entity-level controls help mitigate risks of errors or fraud

Questions?