Entity Level Controls – as outlined in other areas of this web-site, Entity Level Controls (ELC) pertain to the “tone at the top”. They include Corporate Governance Policies – (Code of conduct and ethics, communication and disclosure policy, Insider Trading, Whistle Blowing), Frequency and robustness of operating reviews, Overall attitude towards internal controls and Risk Assessment processes, Commitment of leadership towards investment in financial reporting systems and skilled personnel.
ELC’s took on a heightened level of importance in the U.S. when the PCAOB released Auditing Standard #5 on May 24, 2007 wherein the U.S. has rescinded the requirement of external auditors to provide a separate audit and opinion on a company’s assessment of its internal controls (the original requirement was part of SOX Section 404). To clarify the distinction – the audit and opinion of internal controls has always been done simultaneously with the audit and opinion of the financial statements, but previously with AS # 2, the auditor was also required to express an opinion on management’s assessment process. This is no longer required. Therefore, AS # 5 puts the onus and focus squarely on management to ensure that internal controls are designed and operating effectively. (The U.S. regulations are relevant to Canada insofar as many companies operate in both Canada and the US, and furthermore Canadians benefit from the experience of the US).
Companies should consider the effectiveness of their ELC’s in mitigating financial reporting risk. As an example, suppose there is a robust monthly management review process between divisions and corporate, which includes a thorough explanation of variances and operating results. This ELC control should be included as part of the overall internal controls that exist to control the division’s financial statement close process and the financial notes (disclosure) process, and therefore could possibly reduce the need for divisional testing.
This also aligns with a “top down risk based approach” wherein the SOX process begins with a risk assessment and review of the consolidated financial statements, and then looks at the ELC’s in place as the first “line of defence”.
It should be noted that ELC’s have always been part of the Internal Control Framework, but have now become that much more important. This provides companies with the opportunity to become more efficient in the design of internal controls, but at the same time requires that companies have in place the requisite level of oversight by senior management.