I have received numerous questions regarding test Entity Level Control testing procedures. I hope this blog is helpful to everyone.
Entity Level Controls – as outlined in other areas of this web-site, Entity Level Controls (ELC) pertain to the “tone at the top” in a company – Corporate Governance Policies – (Code of conduct and ethics, communication and disclosure policy, Insider Trading, Whistle Blowing), Frequency and robustness of operating reviews, Overall attitude towards internal controls and Risk Assessment processes, Commitment of leadership towards investment in financial reporting systems and skilled personnel.
Now, what are the test procedures for ELC’s? Remember that with the top down risk based approach, and Auditing Standard#5, ELC’s are now that much more important. Based on experience with client testing and discussions with various companies, my suggestions for ELC’s test procedures are as follows:
• Which policies does the company have in place?
• Are the policies comprehensive – in other words, do they include code of ethics and conduct and other relevant policies?
• Are the policies made available on the company web-site?
• Are employees properly advised of the policies annually, and is there evidence of training and acknowledgement by employees maintained in company files?
• Has the company performed a top-down risk assessment of the financial statements and identified the significant and material processes and transactions?
• Are there regularly scheduled monthly operating reviews, and are the results documented with operating issues identified and follow up on?
• Are there explanations for any significant operating variances?
• Are there minutes and documentation to support the reviews?
Personnel assessment and systems investment:
• Does the company require skilled, qualified and experienced personnel in key positions? Are professional accounting designations required for senior finance roles?
• Does the company maintain ongoing training and certifications?
• Are the financial and operating systems adequate to support the transaction volume and complexity of the business operations?
Tone from the Top:
• This is a subjective analysis on the emphasis and seriousness that senior management displays towards internal controls and compliance. This can be quite easy to determine based on the results of the tests mentioned above, but can also be supported by reviewing the following:
o Has the company implemented the appropriate Internal Control Framework such as COSO? The Canadian Securities Administrators will require this as part of the proposed MI 52-109 requirements effective December 15, 2008? For further information on COSO, click here.
o Organizational structure and reporting lines – does the company have the requisite amount of independence in the audit, finance and other functional areas as evidenced by the organizational chart?
o Board of Director Audit Committee membership and meeting minutes.
o Do the CEO and President participate in the follow through and implementation of internal control reviews, gaps and remediation? Is this documented?
Although every organization will be unique and must be reviewed on a case by case basis, these ELC test procedures will likely ensure that companies have adequate ELC’s in place. One of the key components of this is – if there are ELC deficiencies, does the company have a process in place to ensure that senior level executives are accountable? This will fall back on the independence of the audit committee.
Please don’t hesitate to contact Edelkoort Smethurst Schein CPA’s LLP if you have any questions or comments.