KnowledgeLeader provides best practice articles, tools, guides and other resources on entity-level controls. This page contains some examples of the many resources and tools on entity-level controls that are available for download. The tools are provided in downloadable versions, so they can be customized for use in your organization.
2016 Sarbanes-Oxley Compliance Survey
Protiviti’s annual Sarbanes-Oxley compliance survey looks deeply into several areas, including costs, hours and control environments of a broad spectrum of organizations.
A Cost-Effective Approach to Validating Performance of the Internal Control Structure—Questionnaire
This questionnaire focuses on implementing a cost-effective approach for validating the operating effectiveness of internal control over financial reporting (ICFR), drawing on all primary sources of evidence that support management's assertion in the annual internal control report.
Adopting the 2013 COSO Framework: Fiscal 2015 Update
This article outlines findings regarding adopting COSO 2013 and suggests that it’s just a matter of time before all companies use the revised framework in conjunction with their annual evaluations.
AICPA Issues Audit Risk Alert on Revenue Recognition, With More Guidance to Come
In this article, Protiviti’s Charles Soranno summarizes the Audit Risk Alert on Revenue Recognition recently issued by the AICPA.
Assessing Risks and Internal Controls Guide
This presentation was developed to help train process owners to assess risks and take responsibility for managing internal controls.
Audit Committee Charter Review Checklist
This checklist addresses a variety of topics and acts that often fall within the Audit Committee's responsibilities. It provides a broad framework and a set of activities the Audit Committee can undertake to achieve appropriate oversight. This document is intended only as a sample guide to understanding and reviewing the current charter.
Business Self-Assessment Methodology
Business Self-Assessment is Protiviti's dynamic self-assessment approach that leverages organizational knowledge to improve business performance at the entity or process level. Utilizing risk as its foundation, BSA uniquely integrates the assessment of strategic objectives, risks, controls and process-improvement opportunities.
Control Environment Audit Work Program
This audit work program focuses on the control environment component of the COSO Framework.
Control Self-Assessment Questionnaire: COSO
Self-assessment is a recognized best practice that has been applied to risks and controls for many years. This questionnaire can be used to assess an organization’s use of the COSO framework.
Controls Monitoring Work Program
This sample work program provides steps to perform a quarterly assessment of management’s monitoring of company-level controls.
COSO 2013 Internal Control–Integrated Framework Executive Summary
COSO's 2013 Internal Control–Integrated Framework (Framework) is expected to help organizations design and implement internal control in light of many changes in business and operating environments since the issuance of the original Framework, broaden the application of internal control in addressing operations and reporting objectives, and clarify the requirements for determining what constitutes effective internal control. This executive summary provides an overview of the updated Framework.
COSO 2013: What Have We Learned?
United States in their efforts to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). As background, the U.S. Securities and Exchange Commission (SEC) requires companies to use a "suitable framework" as a basis for evaluating the effectiveness of internal control over financial reporting (ICFR), as required by Section 404. The COSO Framework meets the SEC's criteria for suitability. No doubt Section 404 compliance is important, as it relates to maintaining effective ICFR. However, as important as the lessons learned in this critical area are, there are other important lessons that should be of interest to boards as directors consider the relevance of internal control to their risk oversight endeavors.
Enterprise Risk Management Education and Awareness Presentation - Guide
The presentation focuses on enterprise risk management (ERM) and how to begin educating an organization on this concept.
Entity Level Internal Audit Methodology
The entity-level business process audit methodology focuses on understanding and analyzing the business. This understanding is primarily used to identify the target processes and risks during the audit planning process. Tools are provided to help with each phase of the process.
Entity Level Controls - Control Environment Questionnaire
The control environment provides an atmosphere in which people conduct their activities and carry out their control responsibilities. It is the foundation for all other components of internal control, providing discipline and structure. This Excel-based template provides a number of COSO elements and the related control objectives for entity-level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management's action plan for deficiencies.
Entity Level Controls - Information and Communication Questionnaire
Information and communication is the component of internal control that ensures pertinent information is identified, captured, and communicated in a form and timeframe that enables people to carry out their job responsibilities. This Excel-based template provides a number of COSO elements and their related control objectives for entity-level controls.
Entity Level Controls - Monitoring Questionnaire
Monitoring is a process that assesses the quality of the entity's internal control performance over time. This Excel-based template provides a number of COSO elements and the related control objectives for entity-level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management's action plan for deficiencies.
Entity Level Controls - Risk Assessment Questionnaire
Risk assessment is the component of the entity's internal control that involves identifying and analyzing risks internally and externally. Risk assessment is relevant to achieving business objectives as well as objectives related to the preparation of reliable financial statements. This Excel-based template provides a number of COSO elements and the related control objectives for entity-level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management's action plan for deficiencies. The Entity-Wide Objectives and Manage Change sections have been updated in this questionnaire.
Entity-Level Assessment Report
The purpose of this report is to document management’s assessment of the COSO internal control components – control environment, risk assessment, control activities, information and communication, and monitoring – at the entity level.
Entity-Level Controls – Fraud Questionnaire
Fraud prevention is essential to set the right tone for an effective internal control framework. This Excel-based template links the COSO components to a number of control objectives for entity-level fraud controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management's action plan for deficiencies.
Entity-Level Controls Audit Work Program
This sample audit work program evaluates the entity-level controls in an organization, specifically focusing on the control environment, risk assessment, information and communication, control activities, and monitoring.
Entity-Level Controls Memo
This memo outlines a process for reviewing entity-level controls.
Entity-Level Documentation Request Checklist
The COSO Internal Control - Integrated Framework requires that risks and controls be assessed at both the entity level and the process level. Entity-level controls address the “tone at the top” and include items such as ethics programs, investigation protocols and IT infrastructure controls. Adequate evidence of the entity-level controls should be accumulated to support management’s assertions. One of the ways to gather such evidence is to review the corporate documentation that supports that these entity-level controls are in place. This checklist provides a template in which to track the availability and status of such entity-level control documentation.
Entity-Level Fraud Risk Assessment Process Report
This sample report provides an overview of the process one company undertook to satisfy the requirements of evaluating fraud risks that pertain to internal control over financial reporting.
Entity-Level Questionnaire Results Report
This report provides an analysis of a company’s entity-level controls under the COSO framework. Key sections include control environment, risk assessment, control activities, information and communication, and monitoring.
Entity-Level Risk Assessment Audit Report
This sample audit report presents findings from an entity-level risk assessment review.
Entity-Level, IT, and Business Process Controls Questionnaires
Entity-level controls are the foundation for internal control, providing discipline and structure to the organization. IT general controls have a pervasive effect on the reliability, integrity and availability of processing and relevant data. Business process controls provide structure to generate revenue, account for costs incurred, and ultimately report on the financial state of the organization. These Excel-based templates let you document items such as whether these controls exist; whether they are designed properly; related test procedures; and management's action plan for deficiencies. These questionnaires are intended to help you comply with corporate governance requirements.
Guide to the Sarbanes-Oxley Act FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to the Sarbanes-Oxley Act FAQ, which contains suggestions for Sarbanes-Oxley compliance matters, including effectively segregating incompatible duties, efficiently testing application security, and utilizing automated application controls to reduce the burden of manual procedures.
Guide to the Sarbanes-Oxley Act
As organizations complete their second year of Sarbanes-Oxley Act (SOX) compliance, executives and audit committees are expecting more value at lower cost. Fulfilling these expectations will require a shift from simply repeating the same SOX project each year to a sustainable, cost-effective compliance process that is embedded into business as usual. For many companies, significant opportunities to improve the efficiency and effectiveness of their SOX compliance efforts reside at the application level. The questions answered in this booklet have arisen in our discussions with clients and others in the marketplace who frequently deal with SOX compliance matters and are focused on improving internal control over their critical business applications.
Guide to the Sarbanes-Oxley Act: IT Risks and Controls (Second Edition)
Section 404 of the Sarbanes-Oxley Act (SOX) mandates that all publicly traded companies establish internal controls over financial reporting and maintain those controls to ensure they remain effective, with the purpose of reducing corporate fraud. The priority goals of Section 404 align with management's existing responsibilities when undertaking an IT conversion or implementation project. In this booklet, we provide guidance to Section 404 compliance project teams on the consideration of information technology (IT) risks and controls at both the entity and activity levels within an organization. We also explore how application-control assessments are integrated with the assessment of business-process controls, and address documentation, testing and remediation matters.
Guide to the Sarbanes-Oxley Act: IT Risks and Controls FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to the Sarbanes-Oxley Act: IT Risks and Controls FAQ, which is the definitive resource guide on IT risks and control issues related to compliance with SOX Section 404.
Information and Communication Audit Work Program
The purpose of this audit work program is to assess, at a high level, and validate key controls in place for the information and communication component of the COSO Framework. Inadequate or ineffective controls in this area may give rise to financial and operational risks.
Internal Audit Staffing and Audit Plan Report
This report addresses current internal audit staffing levels and audit plan progress.
Internal Control Audit Instructions Memo
This memo documents instructions for reviewing and testing a company's internal control environment.
Internal Control Issues Log
This sample serves as a template to use when documenting internal control issues and associated remediation plans. It provides an outline of information to use in this tracking process including: process, nature of issue, observation, control description, and action plan.
Internal Controls Sustainability Training Guide
This training presentation focuses on building a sustainable internal control process. This type of process focuses on developing and executing a communication plan, monitoring the business and rule changes, and analyzing for continuous improvement opportunities.
IT General Controls Questionnaire
IT general controls are critical and central to business processes. This Excel-based template provides a number of COBIT areas and the related control objectives for each IT general control. You can document items such as whether the control exists; whether it was designed properly; related test procedures; and management's action plan for deficiencies. This questionnaire has been updated with the areas defined in COBIT 4.1.
Monitoring Audit Work Program: Sample 2
The objective of this audit work program is to evaluate the operating effectiveness of the monitoring component of COSO. It specifically focuses on the attributes of ongoing monitoring, separate evaluations and reporting deficiencies.
Monitoring Controls (Entity-Level) Audit Work Program
The purpose of this audit work program is to evaluate the operating effectiveness of the monitoring component of COSO, as it relates to the attributes of ongoing monitoring, separate evaluations and reporting deficiencies. Each section of this work program focuses on a specific attribute and the documentation that evidences the operating effectiveness of entity-level controls. After each attribute, the work program details the steps for evaluating each entity-level control.
Nominating and Governance Committee Charter: Sample 4
This charter outlines the purpose, authority and responsibilities of the nominating and governance committee and describes its membership and administrative procedures.
Process and Activity-Level Controls Assessment Guide
The document summarizes the steps needed to assess controls at the process or activity-level. The steps include selecting priority elements, understanding the processes, sourcing risks, documenting key controls, assessing control design, validating control operation and reporting.
Protiviti's Sarbanes-Oxley Section 404 Compliance Initiatives Methodology
Protiviti has developed a phased approach to the execution of Sarbanes-Oxley Section 404 compliance. The approach is facilitated by project management, knowledge sharing, communication and continuous improvement. It applies the COSO Internal Control – Integrated Framework by taking both an entity-level and a process-level view of the business. This document provides a high level overview of Protiviti’s approach.
Reducing the Risk of Rogue Trading
“Tone at the top” is vital to managing the use of financial derivatives, as dysfunctional behavior can undermine established policies and controls, creating organizational “blind spots” that can lead to inappropriate risk-taking. Effective internal control design, including segregation of authorization, execution and settlement activities, is the first line of defense against unauthorized trading or speculation. Significant losses are a stark example of what can happen when the trading of financial derivatives goes awry. This issue of Board Perspectives: Risk Oversight focuses on tone at the top and effective internal controls, and provides seven important questions for boards and senior executives to consider about an organization's use of financial instruments.
Risk Assessment Audit Work Program
This sample audit work program assesses and validates key controls in place for the risk assessment component of the COSO framework.
Sarbanes-Oxley 404 Compliance Project Testing Guidelines and Documentation Standards Presentation
An efficient and organized testing strategy is an important part of complying with Sarbanes-Oxley (SOX) Section 404. This presentation serves as a guide to train SOX project teams in testing Section 404 key controls and documenting testing results. It incorporates the importance of independent testing by Internal Audit to lessen the work required by the external auditor.
Sarbanes-Oxley Section 404 Management Testing Plan Policy
This sample policy helps to summarize management’s approach to plan, organize, execute, document and support its assessment of the effectiveness of a company and its subsidiaries’ internal control over financial reporting.
Sarbanes-Oxley Section 404: Compliance Plan – Sample
This sample document establishes a framework and standard policy for compliance with Section 404 of the Sarbanes-Oxley Act.
Sarbanes-Oxley Sustainable Compliance Questionnaire
This questionnaire addresses how organizations can make Sarbanes-Oxley compliance sustainable while improving business processes that impact financial reporting.
Sarbanes-Oxley Testing Strategy Memo
This memo documents a company's high-level testing strategy for Sarbanes-Oxley compliance.
Sarbanes-Oxley Year-End Audit Committee Report
This report to the audit committee focuses on the progress of the Sarbanes-Oxley Section 404 program.
Section 404 Compliance: Planning for Next Year
Year Two of Section 404 compliance for most accelerated filers is shaping up to be a year of incremental improvement. Management has taken a hard look at items such as number of key controls and testing scopes. This issue of The Bulletin focuses on some of the opportunities companies should consider as they plan for Year Three.
Self-Assessment on Internal Controls Report
This report focuses on a self-assessment initiative, evaluating the effectiveness of the design of internal controls for a company’s operations and budget process. It describes the approach, the results, and the recommendations that resulted from the initiative.
Self-Assessment Process: Process Owner Accountability Questionnaire
Self-assessment is a recognized best practice and has been applied to risks and controls for many years. This questionnaire provides a format to evaluate current self-assessment practices and identify areas for improvement.
Six Elements of Infrastructure for Public Company Readiness
The six elements of infrastructure are a useful tool for categorizing issues, understanding where problems are occurring within the organization, and drawing conclusions to form the basis for recommendations. Consider these elements when designing a new process or assessing an existing process. This example focuses on aspects of an initial public offering (IPO).
The Global Privacy and Information Security Landscape FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Global Privacy and Information Security Landscape FAQ, which discusses over 350 key laws and regulations, including the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, the European Union Data Protection Directive, and the Electronic Communications Privacy Act.
The Importance of Integrating Sections 302 and 404
Post-Year One SOX advice often focuses on integrating compliance activities around Sections 302 and 404. This presentation reviews the SOX scope-determination process, resources, and timing of testing. In addition, it discusses the importance of this integration and offers concrete ideas for integrating the compliance process.
The Updated COSO Internal Control Framework FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Updated COSO Internal Control Framework FAQ, which addresses various questions regarding the new 2013 Framework from COSO, including the reasons why it was updated, what has changed, the process for transitioning to its use, and steps companies should take now.
The Updated COSO Internal Control Framework
In May of 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its long-awaited updated Internal Control – Integrated Framework (New Framework). The New Framework is an important development; it facilitates efforts by organizations to develop cost-effective systems of internal control and supports organizations as they adapt to the increasing complexity of a changing business environment. Companies using the 1992 framework should familiarize themselves with the New Framework and companion materials, determine their transition plan, and communicate to the appropriate stakeholders the release of the New Framework and its implications to the organization. In this booklet, we address various questions regarding the New Framework from COSO, including the reasons why it was updated, what has changed, the process for transitioning to its use, and steps companies should take now.
Top 10 Lessons Learned From Implementing COSO 2013
In this issue of The Bulletin, we share 10 lessons learned from successful COSO 2013 implementations, drawn from a variety of sources: working with our clients, information gathered from thousands of attendees at our webinar series, and our annual SOX Compliance Survey.