Entity-level Controls

Internal auditors of U.S. listed companies in the Netherlands have developed a practical framework for Sarbanes-Oxley compliance.

Jaap Gerkes, RA
Senior Manager, Protiviti

Wilbert Jan van der Werf, RA
Senior manager, compliance and accounting, Europe
Applied Biosystems

Heiko van der Wijk, CIA, RA
Manager, Sarbanes-Oxley Office
KLM Royal Dutch Airline

Like their U.S. counterparts, most large U.S. listed companies in the Netherlands are working toward making their internal control framework compliant with the U.S. Sarbanes-Oxley Act of 2002. Since 2003, a group of internal control specialists from large Dutch corporations — including ABN AMRO, Ahold, KLM Royal Dutch Airline, and Shell — have been compiling a framework of compliance best practices. This Sarbanes-Oxley platform was initiated by IIA-Netherlands and offers a network for participants to exchange ideas.

One topic that led to discussions and differences of opinion among participants is entity-level controls. When the discussions began, relevant rule-making bodies had not issued detailed guidance on the topic, other than stressing the importance of these controls. At the same time, external auditors had not published guidance that was practical for use in large companies. As a consequence, the IIA-Netherlands Sarbanes-Oxley platform formed a task force, composed of representatives from four companies, to develop a common standard for entity-level controls. All the participants shared their control documentation, which the task force used as a basis to develop a framework for entity-level controls. The resulting practical framework includes a list of 29 key controls that management and internal auditors can easily use to assess these controls.

THE DUTCH FRAMEWORK

The IIA-Netherlands task force's emphasis on entity-level controls parallels recent guidance from the U.S. Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB). After a May 2005 roundtable with key Sarbanes-Oxley stakeholders, both agencies directed companies to take a top-down, risk-based approach to compliance, with a strong emphasis on entity-level controls rather than transactional controls. The SEC's interpretive guidance for management and the PCAOB's Auditing Standard No. 5 (AS5) each detail a risk-based approach. Although the Dutch framework is based on Auditing Standard No. 2, the predecessor to AS5, it is equally relevant when considering the new guidance documents. The Dutch task force determined that entity-level controls exist on a higher level than transactional controls, set positive conditions and boundaries for transactional controls, and are the internal control infrastructure. AS5 gives the following examples of entity-level controls:

  • Controls within the control environment, including tone at the top, assignment of authority and responsibility, consistent policies and procedures, and companywide programs, such as codes of conduct and fraud prevention, that apply to all locations and business units.
  • Senior management's risk assessment process.
  • Centralized processing and controls, including shared services.
  • Controls to monitor operating results.
  • Controls to monitor other controls, including activities of the internal audit function, audit committee, and self-assessment programs.
  • The organization's period-end financial reporting process.
  • Board-approved policies that address significant business control and risk management practices.

In addition to the new SEC and PCAOB guidance, the task force's framework is based on The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control-Integrated Framework. "Entity-level Control Framework" (below) illustrates the position and focus of entity-level controls within the five components of the COSO internal control framework — control environment, risk assessment, control activities, information and communication, and monitoring. The 29 controls the IIA-Netherlands task force identified for its framework represent a best-practice set of entity-level controls. Individual companies may identify more controls based on their own structure.

Entity-level Control Framework (chart): the position and focus of entity-level controls within the five COSO components, with the control environment as the basis.

Control Environment
The chart at right shows that the basis for entity-level controls is the control environment, which has a pervasive effect on control consciousness and effectiveness within the company. Controls pertaining to the control environment include:

  • A bill of authority/authorization table is established. Procurement authorization should be delegated by senior management, including availability, periodic update, and authorization. Focus: Assignment of Authority.
  • Senior management consciously and willingly sets and maintains an appropriate tone at the top (e.g., communication throughout the year and behavior examples). Focus: Business Ethics.
  • A code of conduct is established and disciplinary actions are taken in cases of violations (e.g., availability, confirmation of compliance, and follow-up of deviations). Focus: Business Ethics.
  • The company conducts a fraud risk assessment, has appropriate anti-fraud programs in place, and reports on fraud occurrences (e.g., availability, authorized, and monitored). Focus: Business Ethics.
  • The human resources department reviews the organizational design and availability of job descriptions (e.g., key financial positions). Focus: Human Resources Policies and Practices.
  • The supervisory board (i.e., independent directors of the nonexecutive board) reviews corporate strategy and approves the annual budget. Focus: Strategic Planning.
  • The audit committee ensures the existence, availability, appropriateness, and communication of the whistleblower procedure (e.g., independent reporting, anonymity, and performance reporting on reported occurrences and their resolutions). Focus: Whistleblower.

These areas describe the top-level governance structure of an organization and the tone at the top as well as roles and responsibilities regarding the effectiveness of the control environment.

Risk Assessment
Risk assessment describes the way management identifies, summarizes, and controls the organization's key risks. The following areas describe how risk assessment is organized and formalized in an organization:

  • Management assesses the likelihood and impact of risks (e.g., analyze, plan, and perform the assessment; check and act on the risk). Focus: Risk Management.
  • Meetings with the board, operating group control, legal, and information technology (IT) are held to discuss the legal implications and impact of new business on financial reporting and IT. Focus: Risk Management.

These controls acknowledge that effective risk assessments — including assessments of financial reporting risk — reduce the risk that material misstatements in the organization's financial statements go unaddressed.

Control Activities
Based on the risk assessment, the organization implements control activities to ensure that management's objectives are met. These controls include:

  • Senior management ensures that certain high-risk processes and related significant accounts (e.g., deferred tax, goodwill and other intangibles, and investments in subsidiaries) are only processed and recorded at or via the corporate level. Focus: Accounting and Reporting.
  • Realistic targets are set and used in performance measurement (e.g., a well-balanced set of financial and compliance targets). Focus: Human Resources Policies and Practices.
  • Human resources policies are available (e.g., adequacy of hiring, retention, and promotion processes). Focus: Human Resources Policies and Practices.
  • A budget process is in place that is related to strategy, quantifies goals, and includes regular reporting reviews. Focus: Business Planning and Performance.
  • The design of bonus plans ensures that there are no incentives that could lead to inappropriate financial reporting. Appropriate incentives for executive personnel should be based on financial and nonfinancial goals and on the long-term development of the organization. Focus: Human Resources Policies and Practices.

The importance of internal controls over financial reporting cannot be overestimated. Many accounting scandals in recent years were caused by the negative effects of remuneration structures for senior management, which strongly emphasized target-setting and bonuses. Also, the IIA-Netherlands task force noted that material weaknesses discovered in recent years often were caused by the way in which management dealt with complicated accounting areas.

Information and Communication
Information and communication are crucial in implementing entity-level controls. Top-down information streams help ensure that management's strategic decisions lead to appropriate action on the operating level, while bottom-up information gives management insight on how its strategies are being dealt with on the operating level and provides information executives can use for risk assessments. Controls related to information and communication include:

  • An accounting and control manual has been developed and distributed effectively (e.g., existence and availability of the manual, authorization, and changes discussed and approved). Focus: Accounting and Reporting.
  • Senior management monitors the outcome of the periodic process (e.g., accounting standards, code of conduct, control standards, and sign-off structure) regarding letters of representation or in-control statements issued by divisions, business units, or operating companies. Focus: Compliance/Internal Control Function.

Although manuals play an essential part in regulating and organizing the top-down and bottom-up information streams, management's role is crucial in the overall process of gathering and spreading the information. Moreover, in companies with a highly centralized IT infrastructure, the information and communication component should include centralized IT general controls.

Monitoring
Another important aspect of entity-level controls is monitoring — the procedures a company uses to ensure that controls throughout the organization work according to plan. Monitoring-related controls include:

  • A mandatory training plan is in place for accounting personnel, and progress is monitored. Focus: Accounting and Reporting.
  • Senior management periodically reviews an overview of accounting, reporting, and internal control issues. Progress is monitored and reported in management meetings. Focus: Accounting and Reporting.
  • Top management oversees litigation and communication with financial regulators. Focus: Business Ethics.
  • The management team periodically holds divisional/operating company review meetings. The meetings discuss the consistency of corporate and divisional objectives and compare actual divisional/business unit/operating company results to budget. Focus: Business Planning and Performance.
  • The audit committee conducts a self-assessment of its performance (e.g., against charter, relationship/performance of internal and external auditors, and activities and competencies of committee members). Focus: Corporate Governance.
  • The audit committee exercises appropriate oversight of internal control matters (e.g., open communication with senior financial management). Focus: Corporate Governance.
  • The audit committee ensures that open communication with internal and external auditors is established and maintained (e.g., approves audit plan, actively participates in meetings, holds private meetings). Focus: Corporate Governance.
  • A pre-employment screening procedure is in place, including implementation instructions and definition of functions that require screening. Focus: Human Resources Policies and Practices.
  • Agreement is reached on future system development and ongoing IT projects (e.g., IT strategic plan is aligned to the business plan for development of information systems). Focus: Information Management.
  • An independent reporting line has been established from internal auditing to the audit committee. Focus: Internal Auditing.
  • Internal auditing reports periodically to the audit committee on performance (e.g., staffing, progress of the audit plan, the effectiveness of internal auditing, and approval of the internal audit charter). Focus: Internal Auditing.
  • The status of identified control issues (e.g., number, nature, remediation, and progress) is monitored through control remediation progress reporting. Focus: Compliance/Internal Control Function.
  • Executive directors ensure that a disclosure meeting is held quarterly with finance, legal, and management to discuss the details of financial results (e.g., profit and loss account, balance sheet, cash flow statement, and other disclosures). Focus: Accounting and Reporting.

Although it is often difficult to categorize controls under the five elements of the COSO framework, monitoring may be the most critical area for Sarbanes-Oxley Section 404 compliance. In its interpretive guidance for management, the SEC notes that management's day-to-day interaction with the company's control structure will help executives assess the effectiveness of internal control over financial reporting. This ongoing interaction, whether formalized or not, can be regarded as monitoring.

CONTROL TESTING

Testing of the entity-level controls described in the IIA-Netherlands framework is characterized by the fact that, in many cases, the control description focuses on the existence of formal documentation, such as authorized policies, meeting agendas and minutes, and reports on performance. Testing is always the responsibility of management, as Sarbanes-Oxley Section 404 requires management to assess the effectiveness of internal controls. To a large extent, the test work programs will focus on the documentation already identified in the control descriptions, the implementation of relevant policies, and the actual operation of the policies and procedures. The examples that follow illustrate the documentation and evidence required for control testing.

1. Accounting and Control Manual
Evidence and documentation: Testers should ensure that the accounting and control manual is available — including a communication plan — and the manual should be approved by senior management. Comments of internal and external auditors should be documented, including follow-up. Updates of the manual should be documented as well. Moreover, testers should ensure that the manual has appropriate change procedures.

Testing considerations: The tests should verify whether reviews of the accounting and control manual are performed regularly and documented to ensure timely updates are made to reflect changes in applicable generally accepted accounting principles and company structure. They should also verify that senior management has approved such changes before release and distribution. Finally, they should verify that applicable finance staff have access to the most recent version of the manual.

2. Code of Conduct
Evidence and documentation: Testers should ensure that an authorized code of conduct is made publicly available (e.g., on the company's intranet) and that compliance with the code is confirmed annually. Appropriate management should conduct an annual evaluation of deviations from the code (e.g., letter of representation, ethics committee). There should also be periodic reporting on deviations from the code, as well as remediation and an action plan.

Testing considerations: Testing should verify, based on interviews with employees at various levels of the company, whether they are aware of the code of conduct and whether senior management frequently addresses the code in communications and e-mail. Control tests should verify annual confirmation of the code by new employees for a sample of employees and check whether the current version of the code is published on the intranet. They should also verify the existence of formal reporting procedures regarding violations of the code. In addition, they should examine the minutes of meetings that deal with the violations to verify whether all reported violations are discussed, disciplinary actions are defined, and follow-up actions are initiated.

3. Supervisory Board's Self-assessment
Evidence and documentation: Testers should ensure the existence of a supervisory board charter, including a description of the profiles and competencies of independent directors on the board. They should also ensure that the board has scheduled a self-assessment. A questionnaire or other tool should be used to ensure that the self-assessment is conducted in a structured way and addresses all relevant matters. Self-assessment results should be formally documented and agreed on by the supervisory board.

Testing considerations: Testing should verify whether written evidence of self-assessments exists (e.g., agenda, minutes, and summarized questionnaire) and whether the self-assessment is guided by the questionnaire and conclusions are established. Testing should verify that all members of the supervisory board participate in the self-evaluation. Moreover, testing should verify that meeting agendas and minutes and follow-up actions, if applicable, are formally identified and results of previous actions are evaluated.

GOING FORWARD

With the new set of compliance rules and regulations in mind, the need for a practical set of entity-level controls has only increased. Because Dutch companies continue to wrestle with the complexity of compliance, the IIA-Netherlands' Sarbanes-Oxley platform group has proven to be a valuable initiative. By sharing information and best practices, the group has provided all participants with a practical framework, rather than theoretical concepts, which has helped companies implement a solid set of entity-level controls.

Ronald R. Bouman, RA, with ICC Consultancy BV, contributed to this article.

To comment on this article, e-mail the authors at heiko.vanderwijk@theiia.org.


Entity Level
I need to know the entity-level process.
Posted By: JOSE LOPEZ
2009-09-10 9:27 AM
