KnowledgeLeader provides best practice articles, tools, guides and other resources on entity-level controls. This page contains some examples of the many resources and tools on entity-level controls that are available for download. The tools are provided in downloadable versions, so they can be customized for use in your organization.
A
Internal Control Structure Validation Questionnaire
This questionnaire focuses on the implementation of a cost-effective approach for validating the operating effectiveness of ICFR that includes all primary sources of evidence, supporting management’s assertion in the annual internal control report.
Assessing Risks and Internal Controls Guide
This presentation was developed to help with training process owners to assess risks and take responsibility for managing internal controls.
B
Business Self-Assessment Methodology
Business Self-Assessment is Protiviti's dynamic self-assessment approach that leverages organizational knowledge to improve business performance at the entity or process level. Utilizing risk as its foundation, BSA uniquely integrates the assessment of strategic objectives, risks, controls and process-improvement opportunities.
C
Control Environment Audit Work Program
This audit work program focuses on the control environment component of the COSO Framework.
Controls Monitoring Work Program
This sample work program provides steps to perform a quarterly assessment of management’s monitoring of company-level controls.
COSO 2013 Internal Control–Integrated Framework Executive Summary
COSO's 2013 Internal Control–Integrated Framework (Framework) is expected to help organizations design and implement internal control in light of many changes in business and operating environments since the issuance of the original Framework, broaden the application of internal control in addressing operations and reporting objectives, and clarify the requirements for determining what constitutes effective internal control. This executive summary provides an overview of the updated Framework.
COSO 2013: What Have We Learned?
United States in their efforts to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). As background, the U.S. Securities and Exchange Commission (SEC) requires companies to use a “suitable framework” as a basis for evaluating the effectiveness of internal control over financial reporting (ICFR), as required by Section 404. The COSO Framework meets the SEC’s criteria for suitability. No doubt Section 404 compliance is important, as it relates to maintaining effective ICFR. However, as important as the lessons learned in this critical area are, there are other important lessons that should be of interest to boards as directors consider the relevance of internal control to their risk oversight endeavors.
E
Enterprise Risk Management Education and Awareness Guide
The presentation focuses on enterprise risk management (ERM) and how to begin educating an organization on this concept.
Entity-Level Control Environment Questionnaire
This questionnaire template provides a number of COSO elements and the related control objectives for entity-level controls. Within the questionnaire, you can document whether the control exists, whether it was designed properly, related test procedures, and management's action plan for deficiencies.
Entity-Level Controls Information and Communication Questionnaire
Information and communication is the component of internal control that ensures that pertinent information is identified, captured, and communicated in a form and timeframe that enables people to carry out their job responsibilities. This Excel-based template provides a number of COSO elements and their related control objectives for entity-level controls.
Entity-Level Controls Monitoring Questionnaire
Monitoring is a process that assesses the quality of the entity's internal control performance over time. This Excel-based template provides a number of COSO elements and the related control objectives for entity-level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.
Entity-Level Controls Risk Assessment Questionnaire
Risk assessment is the component of the entity’s internal control that involves identifying and analyzing risks internally and externally. Risk assessment is relevant to achieving business objectives as well as objectives related to the preparation of reliable financial statements. This Excel-based template provides a number of COSO elements and the related control objectives for entity-level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management’s action plan for deficiencies. The Entity-Wide Objectives and Manage Change sections have been updated in this questionnaire.
Entity-Level Controls Fraud Questionnaire
Fraud prevention is essential to set the right tone for an effective internal control framework. This Excel-based template links the COSO components to a number of control objectives for entity-level fraud controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies.
Entity-Level Controls Audit Work Program
This sample audit work program evaluates the entity-level controls in an organization, specifically focusing on the control environment, risk assessment, information and communication, control activities, and monitoring.
Entity-Level Controls Memo
This memo outlines a process for reviewing entity-level controls.
Entity-Level Documentation Request Checklist
The COSO Internal Control - Integrated Framework requires that risks and controls be assessed at both the entity level and the process level. Entity-level controls address the “tone at the top” and include items such as ethics programs, investigation protocols and IT infrastructure controls. Adequate evidence of the entity-level controls should be accumulated to support management’s assertions. One of the ways to gather such evidence is to review the corporate documentation showing that these entity-level controls are in place. This checklist provides a template in which to track the availability and status of such entity-level control documentation.
Entity-Level Fraud Risk Assessment Process Report
This sample report provides an overview of the process one company undertook to satisfy the requirements of evaluating fraud risks that pertain to internal control over financial reporting.
Entity-Level Risk Assessment Audit Report
This sample audit report presents findings from an entity-level risk assessment review.
G
Guide to the Sarbanes-Oxley Act
As organizations complete their second year of Sarbanes-Oxley Act (SOX) compliance, executives and audit committees are expecting more value with lower costs. Fulfilling these expectations will require a shift from simply repeating the same SOX project each year to a sustainable, cost-effective compliance process that is embedded into business as usual. For many companies, significant opportunities to improve the efficiency and effectiveness of their SOX compliance efforts reside at the application level. The questions answered in this booklet have arisen in our discussions with clients and others in the marketplace who frequently deal with SOX compliance matters and are focused on improving internal control over their critical business applications.
Guide to the Sarbanes-Oxley Act: IT Risks and Controls (Second Edition)
The Sarbanes-Oxley Act (SOX) Section 404 mandates that all publicly traded companies establish internal controls for financial reporting and maintain those controls to ensure they are effective, with the purpose of reducing corporate fraud. The priority goals of Section 404 align with management’s existing responsibilities when undertaking an IT conversion or implementation project. In this booklet, we provide guidance to Section 404 compliance project teams on the consideration of information technology (IT) risks and controls at both the entity and activity levels within an organization. We also explore how application-control assessments are integrated with the assessment of business-process controls, and address documentation, testing and remediation matters.
I
Information and Communication Audit Work Program
The purpose of this audit work program is to assess, at a high level, and validate key controls in place for the information and communication component of the COSO Framework. Inadequate or ineffective controls in this area may give rise to financial and operational risks.
Internal Audit Staffing and Audit Plan Report
This report addresses current internal audit staffing levels and audit plan progress.
Internal Control Audit Instructions Memo
This memo documents instructions for reviewing and testing a company's internal control environment.
Internal Controls Sustainability Training Guide
This training presentation focuses on building a sustainable internal control process. This type of process focuses on developing and executing a communication plan, monitoring the business and rule changes, and analyzing for continuous improvement opportunities.
IT General Controls Questionnaire
IT general controls are critical and central to business processes. This Excel-based template provides a number of COBIT areas and the related control objectives for each IT general control. You can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies. This questionnaire has been updated with areas defined in COBIT 4.1.
M
Monitoring Entity-Level Controls Audit Work Program
The purpose of this audit work program is to evaluate the operating effectiveness of the monitoring component of COSO, as it relates to the attributes of ongoing monitoring, separate evaluations and reporting deficiencies. Each section of this work program focuses on a specific attribute and the documentation that evidences the operating effectiveness of entity-level controls. After each attribute, the work program details the steps for evaluating each entity-level control.
P
Process and Activity-Level Controls Assessment Guide
The document summarizes the steps needed to assess controls at the process or activity level. The steps include selecting priority elements, understanding the processes, sourcing risks, documenting key controls, assessing control design, validating control operation and reporting.
Protiviti's Sarbanes-Oxley Section 404 Compliance Initiatives Methodology
Protiviti has developed a phased approach to the execution of Sarbanes-Oxley Section 404 compliance. The approach is facilitated by project management, knowledge sharing, communication and continuous improvement. It applies the COSO Internal Control – Integrated Framework by taking both an entity-level and a process-level view of the business. This document provides a high-level overview of Protiviti’s approach.
R
Reducing the Risk of Rogue Trading
“Tone at the top” is vital to managing the use of financial derivatives, as dysfunctional behavior can undermine established policies and controls, creating organizational “blind spots” that can lead to inappropriate risk-taking. Effective internal control design, including segregation of authorization, execution and settlement activities, is the first line of defense against unauthorized trading or speculation. Significant losses are an excellent example of what can happen when the trading of financial derivatives goes awry. This issue of Board Perspectives: Risk Oversight focuses on tone at the top and effective internal controls, and provides seven important questions for boards and senior executives to consider about their organization’s use of financial instruments.
Risk Assessment Audit Work Program
This sample audit work program assesses and validates key controls in place for the risk assessment component of the COSO framework.
S
Sarbanes-Oxley 404 Compliance Project Testing and Documentation Standards Guide
An efficient and organized testing strategy is an important part of complying with Sarbanes-Oxley (SOX) Section 404. This presentation serves as a guide to train SOX project teams in testing Section 404 key controls and documenting testing results. It incorporates the importance of independent testing by internal audit to lessen the work required by the external auditor.
Sarbanes-Oxley Section 404 Management Testing Plan Policy
This sample policy helps to summarize management’s approach to plan, organize, execute, document and support its assessment of the effectiveness of a company and its subsidiaries’ internal control over financial reporting.
Sarbanes-Oxley Section 404 Compliance Guide
This sample document establishes a framework and standard policy for compliance with Section 404 of the Sarbanes-Oxley Act.
Sarbanes-Oxley Sustainable Compliance Questionnaire
This questionnaire addresses how organizations can make Sarbanes-Oxley compliance sustainable while improving business processes that impact financial reporting.
Sarbanes-Oxley Testing Strategy Memo
This memo documents a company's high-level testing strategy for Sarbanes-Oxley compliance.
Sarbanes-Oxley Year-End Audit Committee Report
This report to the audit committee focuses on the progress of the Sarbanes-Oxley Section 404 program.
Section 404 Compliance: Planning for Next Year
Year Two of Section 404 compliance for most accelerated filers is shaping up to be a year of incremental improvement. Management has taken a hard look at items such as number of key controls and testing scopes. This issue of The Bulletin focuses on some of the opportunities companies should consider as they plan for Year Three.
Internal Controls Self-Assessment Report
This report focuses on a self-assessment initiative, evaluating the effectiveness of the design of internal controls for a company’s operations and budget process. It describes the approach, the results, and the recommendations that resulted from the initiative.
Self-Assessment Process Questionnaire: Process Owner Accountability
Self-assessment is a recognized best practice and has been applied to risks and controls for many years. This questionnaire provides a format to evaluate current self-assessment practices and identify areas for improvement.
Six Elements of Infrastructure for Public Company Readiness
The six elements of infrastructure is a useful tool for categorizing issues, understanding where problems are occurring within the organization, and drawing conclusions to form the basis for recommendations. Consider these elements when designing a new process or assessing an existing process. This example focuses on aspects of an initial public offering (IPO).
T
The Importance of Integrating Sections 302 and 404
Post-Year One SOX advice often focuses on integrating compliance activities around Sections 302 and 404. This presentation reviews the SOX scope-determination process, resources, and timing of testing. In addition, it discusses the importance of this integration process and offers concrete ideas for integrating the compliance process.
The Updated COSO Internal Control Framework FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Updated COSO Internal Control Framework FAQ, which addresses various questions regarding the 2013 new Framework from COSO, including the reasons why it was updated, what has changed, the process for transitioning to its use, and steps companies should take now.
The Updated COSO Internal Control Framework
In May of 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its long-awaited updated Internal Control – Integrated Framework (New Framework). The New Framework is an important development; it facilitates efforts by organizations to develop cost-effective systems of internal control and supports organizations as they adapt to the increasing complexity of a changing business environment. Companies using the 1992 framework should familiarize themselves with the New Framework and companion materials, determine their transition plan, and communicate to the appropriate stakeholders the release of the New Framework and its implications to the organization. In this booklet, we address various questions regarding the New Framework from COSO, including the reasons why it was updated, what has changed, the process for transitioning to its use, and steps companies should take now.
Top 10 Lessons Learned From Implementing COSO 2013
In this issue of The Bulletin, we share 10 lessons learned from successful COSO 2013 implementations, drawn from a variety of sources: working with our clients, information gathered from thousands of attendees at our webinar series, and our annual SOX Compliance Survey.