Entity-level controls are the policies and procedures that drive actions and behaviors throughout an organization. These controls originate from the highest levels and are commonly referred to as “tone at the top” controls.

These controls must be clearly stated and properly communicated; failing to do so can result in a material weakness finding during an audit. Material weaknesses can cost companies more than their reputation: Credit Suisse and Mattel have both recently disclosed material weaknesses that led to fines and lower stock prices.

What Are Entity-Level Controls?

Entity-level controls shape an organization’s culture and values, because they govern how management directives about organizational operations are implemented and enforced.

While these controls focus directly on financial statement reporting, they also take into account indirect activities (hiring, training, ethics reporting, IT governance) that can lead to a misstatement or an incorrect disclosure.

Entity-level controls are typically things such as codes of conduct, employee guidelines, and mission statements, as well as internal audit and compliance guidelines.

Entity-Level Controls Risk Management Standards

As an important part of an organization’s risk management framework, each control must contribute to the systematic approach to assessing risk.

When designing a control and determining whether it is a direct or an indirect entity-level control, consider how it supports each of the key components defined by the COSO framework.

First released in 1992 and updated in 2013, the COSO Internal Control – Integrated Framework was designed to provide reasonable assurance that an organization operates ethically, with transparency, and in accordance with established standards and regulations.

There are five components to the COSO framework:

Control environment – The foundation for the other four components: the standards, structures, and ethical values set by the board and senior management that determine how seriously internal control is taken and ensure that business processes adhere to regulatory and compliance requirements.

Risk assessment and management – This component recognizes that risk is an inherent part of doing business and therefore requires organizations to adopt a risk management plan and perform ongoing risk assessments to identify, evaluate, and reduce risks.

Control activities – The policies and procedures put in place to ensure that management directives are carried out and that business processes do not introduce new risks, such as activities that prevent and detect errors (for example, approvals, reconciliations, and segregation of duties).

Information and communication – This fourth component requires that the internal controls program provide appropriate, timely, and relevant information and communication to all stakeholders, both inside and outside the organization.

Monitoring – The last COSO component requires ongoing evaluation of whether the internal control system is present and operating as intended, typically through regular internal and/or external audits, with results and deficiencies reported to the board of directors or executive committee.

Entity-Level Controls Risk Management Procedures

With the COSO framework as a guide, there are several risk management procedures to consider implementing right now:

Control environment

  • Establish governance oversight to monitor activities and ensure supervision.
  • Draft and publish a formal code of ethics and conduct.
  • Define clear roles and responsibilities to align with business objectives.

Risk assessment and management

  • Conduct a thorough risk assessment to identify internal and external risks to the organization.
  • Create or evaluate risk mitigation activities, tailored to risks that have been identified.
  • Continuously monitor internal and external changes (e.g., a new procedure or external regulation).

Control activities

  • Establish policies and procedures for functions and activities within finance, IT, and other critical areas to ensure the organization meets its objectives.
  • Document who performs each activity that is critical to the organization, to reduce error and risk.
  • Deploy fraud prevention measures to mitigate risk.

Information and communication

  • Provide ways for employees to communicate deficiencies in controls as well as compliance and regulatory concerns.
  • Provide accurate and timely updates on financial performance, as well as impactful governance and compliance activities.
  • Conduct training for all employees on the role they play in managing risk, as well as controls that apply to their workflow.

Monitoring

  • Perform audits regularly to evaluate control effectiveness and to identify deficiencies.
  • Require each department or function within the organization to self-assess the controls that pertain to its workflow.
  • Establish a process to remediate all deficiencies through corrective action or process improvement.

Entity-Level Controls Risk Management Templates

There are several templates that all organizations should consider using to help them identify, design, and assess the effectiveness of their entity-level controls program.

Entity-level controls risk assessment questionnaire

This questionnaire lists several COSO elements and their related objectives as they pertain to entity-level controls. The questionnaire allows you to document whether each control exists, the control’s COSO attribute, the testing procedures, and the management action plan for any deficiencies.

Entity-level controls audit work program

This entity-level controls risk management tool details the steps that any organization can take right now to perform an entity-level controls audit. Some of the steps include:

  • Verifying that there are steps in place to handle ethics complaints.
  • Ensuring that job descriptions are in personnel files by reviewing a sample of employees’ files.
  • Reviewing organizational charts for accounting personnel to verify that there have been no long-term vacancies.

Entity-level controls assessment report

This template can be used to document management’s assessment of entity-level controls via the five COSO components. The report should detail the effectiveness of the controls and make any recommendations to improve as appropriate. Any significant issues should be reported to senior leadership via this report.

Entity-Level Controls Risk Management Best Practices

To strengthen and improve your organization’s entity-level controls program, consider the following best practices:

Focus on continuous improvement, not pass or fail.

Too often, audit programs focus solely on issues and deficiencies. Once an assessment is completed, take the opportunity to consider how you can make your organization better as you implement the audit findings. Ask yourself a few questions:

  1. How can we mature our risk management program?
  2. Where can we strengthen our policies and procedures?
  3. How can we best let all employees know their role in managing organizational risk?

Assess your organization’s maturity.

Entity-level controls are a gauge of an organization’s maturity. Take some time, perhaps annually, to ask yourself several questions:

  1. Are our risk management practices appropriate given the level of risk to the organization right now?
  2. Given our standing in the industry, is our risk management program comparable to those of our peers?
  3. Are the entity-level controls we have in place reasonable and practical?

Because the entity-level controls program is a living, ongoing program, taking a step back to review it will only make it stronger.

Learn more about entity-level controls risk management by exploring the related resources on KnowledgeLeader.