SOX requires that executive officers of public companies confirm that a clearly understood internal control environment exists at the senior levels of the overall enterprise as well as the operating units and that the internal control environment is enforced and effective. The objectives of this entity-level assessment are to confirm the existence of internal controls (e.g., policies, business practices, people, methodologies, etc.) and query senior finance executives for their individual impression of specific attributes that define key internal controls.
The expectation is that senior management and the SOX project manager agree on the current assessment of entity-level controls and agree (or reassess) the extent of field work necessary for SOX Phase I. This sample audit report presents findings from an entity-level risk assessment review.