Significant entity-level control objectives are, as the name suggests, important. Any review of internal controls must take them all into account; in some cases they will be the only ones reviewed.
The starting point for any evaluation of internal controls is the COSO framework. The framework makes it clear that some controls are more important than others.
Entity-level control objectives are those that have a pervasive effect on how controls are designed and implemented. Processes to recruit senior finance management would be a good example.
A lower level of control is the activity level. In COSO, the distinction between entity-level and activity-level controls is based on the pervasiveness and business process involved.
Prior to fully reviewing internal controls, we need to establish what defines a significant control. Items to consider are:
Key Business Activities What are the business's most important activities and processes? Value-chain related activities essential to success should be considered significant.
Industry characteristics Corporations do not operate in a vacuum. Business activities have to be seen in the context of the industry in which the entity does business. Reviewing the financial health and practices of the industry will give guidance for individual accounts.
Not only entity level controls can be significant. Activity-level controls can be significant as well. The foreign currency transaction earlier is likely to be considered activity level.
(An aside is how looking at the industry would have affected a review of WorldCom, some of whose very doubtful accounting practices were an accepted part of the telecommunications industry.)
Significant risks Internal controls need to be viewed in the context of an overall risk management strategy. In terms of Sarbanes-Oxley and risk, significant controls are those that help the entity mitigate significant financial reporting risks.
Financial Reporting Considerations Sarbanes-Oxley, and especially section 404, is all about giving assurance about the accuracy of financial reporting. Consequently, we should have a good grounding in the financial statements, balances and transaction classes. The entity's financial reporting process and critical accounting policies have to be understood as well.
Mandated Significant Controls Controls that are mentioned in the internal auditing standard from the Public Company Accounting Oversight Board as worthy of evaluation should also be considered significant for review purposes.
Note that what counts as a significant control is not a one-size-fits-all consideration. Every entity has to be looked at objectively in the context of its circumstances.
For example, Company A has extensive operations in the US, Europe and Asia. As part of the financial reporting process, earnings and costs have to be converted from local currency to dollars. Internal controls over currency conversion should be considered significant in this case.
Company B has no customers, suppliers or personnel outside the US. Foreign currency transactions amount to $150 over 5 years. For the company, internal controls over FOREX are not significant.
Some control objectives are presumed to be significant. This assertion is drawn from the auditing standard from the PCAOB.
In a future article we shall revisit each one in depth.
Corporate Culture Values, norms and shared beliefs all go to make up culture. Behavior is driven by these components.
COSO found that the effectiveness of an entity's internal control cannot rise above its ethical values. Consequently "ethical values are essential elements of internal control, because they affect the design, administration, and monitoring of other control components."
Personnel policies Personnel controls are generally grouped into three categories.
*Understanding and Awareness of an individual's responsibility to internal controls.
*Appropriate organizational structure.
*Provide the necessary resources.
General computer controls A useful guide to computer controls is the Control Objectives for Information and related Technology (COBIT) from the IT Governance Institute. COBIT splits general computer control objectives into 4 domains.
*Planning and organization
*Acquisition and implementation
*Delivery and support
*Monitoring
For many organisations, IT is so pervasive and essential that reviewing IT controls should be undertaken as a sub-review.
Alignment between entity objectives and control structures Internal controls are not designed and operated for the sake of executives' health. Instead they are implemented because of a need to meet business objectives.
To be effective, controls have to be aligned with stated business objectives.
For alignment to occur, there first has to be linkage between the company's strategies and its objectives.
Risk Identification Risk assessment is one of five elements of internal control identified by COSO. Risk identification is the first stage of that element. The risks can be internal or external.
A failure to identify risk has horrendous consequences. Thus risk identification is usually regarded as significant.
Top level financial reporting This refers not to routine systematic transaction processing. Instead it deals with financial reporting "events". They are usually a) performed at a senior level and b) centralized. Examples include recognition of an asset impairment loss or posting of general ledger adjustments.
System-wide monitoring Monitoring is another element of internal control according to COSO. The introduction of the Sarbanes-Oxley Act and section 404 has increased the need for it.
Executives and auditors now have to attest to the effectiveness of internal controls every quarter. This implicitly means that the entity has to be aware of the effectiveness of internal controls on an ongoing basis.
Without an effective monitoring system, entities might have to conduct all their test work close to the report date.