A Guide for Management
Overview
Benefits of entity-level controls
Nature of entity-level controls
Types of entity-level controls, control objectives, and control examples
An approach for evaluating entity-level controls
Questions and answers
Reasons for This Presentation
Assists in fulfilling your responsibilities for financial reporting
Emphasizes the importance of entity-level controls and how they mitigate financial statement risks
Explains how entity-level controls differ from other controls
Illustrates the benefits of strong entity-level controls
Reasons for This Presentation
Provides an approach for assessing the adequacy of your entity-level controls
Benefits of Focusing on Entity-level Controls
Pervasive effect on other controls
Serve as a foundation
Cost-effective to implement and operate
May serve as key controls to prevent, detect, and correct errors or fraud
Internal Control – An Overview
Process employed by the company to provide reasonable assurance of achieving financial reporting objectives
Consists of five interrelated components
To be effective, all components should be in place
Applies to all companies—both small and large
Helps prevent, or detect and correct, misstatements resulting from risks
Five Components of Internal Control
Which of the Components are Entity-Level Controls?
Control Environment
Risk Assessment
Information and Communication
Monitoring
Control Activities
Entity-Level Controls
Control Activities
Not Entity-Level Controls, But What Are They?
Make up the majority of controls at most entities
Apply to the processing of transactions
Designed to achieve specific control objectives
Often the focus of management, accounting personnel, and auditors
Control Activities Are Critical, But ….
Why “Entity-Level?”
Impact is pervasive
Not associated with specific accounts, transactions, or disclosures
Often carried out by management
Why “Entity-Level?”
Pervasiveness
Control Activities
Entity-level Controls: Control Objectives
Control Environment Objectives
Those charged with governance are actively involved and have influence over financial reporting
Management demonstrates character, integrity, and ethical values
Management’s philosophy and operating style are consistent with a sound control environment
The organizational structure is appropriate to support effective financial reporting
Human resource policies and procedures promote integrity, ethical behavior, and competence
Authority and responsibility are appropriately assigned
The organization is committed to competence
Control Environment
Control examples:
Those charged with governance provide input and oversight to the financial statements
Management is ethical in its business dealings
Management demonstrates a sincere interest in achieving effective internal control and correcting deficiencies
How risks are addressed:
Mitigates risk of fraudulent financial reporting through objective oversight
Demonstrates management’s commitment to ethical actions
Ensures that internal controls are a priority and resources are allocated to their proper design and implementation
Control Environment
Control examples:
Lines of authority and responsibility are clearly defined
Employee recruitment and retention practices are guided by principles of integrity and the necessary competencies associated with the positions
Job descriptions and other forms of communication inform personnel of their duties
Job performance and competence are periodically evaluated
How risks are addressed:
Ensures that the organizational structure includes appropriate levels of review and segregation of duties
Promotes the hiring and retention of employees with integrity and ensures that they understand their roles
Identifies employees with inadequate performance or job skills for corrective action
Risk Assessment Objectives
Financial reporting objectives are established, documented, and communicated
Accounting principles are properly applied
Practices are established for identifying risks
When assessing risks, the entire organization and extended relationships are considered
Mechanisms are implemented to anticipate, identify, and react to changes
Risks are properly evaluated and mitigated
An appropriate fraud risk assessment and monitoring process exists
Risk Assessment
Control examples:
The accounting department has a process to identify and apply changes in GAAP
Processes exist to identify changes in the business that affect the processing or recording of transactions
Budgets or forecasts are updated to reflect changes in activities
How risks are addressed:
Ensures that all significant transactions and events are captured, accounted for, and reported in conformity with GAAP
Ensures that changes in the business are monitored, communicated, and analyzed for proper financial reporting
Identifies the likelihood and impact of changes on the entity’s financial results
Risk Assessment
Control examples:
Plans are developed to mitigate significant identified risks, including designing and implementing appropriate controls
Fraud risk assessment is an integral part of the risk identification process
Fraud risk assessment considers incentives and pressures, attitudes and rationalizations, and opportunities to commit fraud
How risks are addressed:
Ensures that actions are taken to mitigate risk by designing and implementing appropriate controls
Considers fraud risk separately to ensure appropriate controls
Assesses areas that have a higher inherent risk of fraud to consider how fraud might occur or how controls might be overridden
Information and Communication Objectives
Information is identified, captured, used, and distributed at all levels of the entity
Information for the functioning of internal control is identified, captured, used, and distributed to allow personnel to carry out their internal control responsibilities
Communication exists between management and those charged with governance to enable role fulfillment
All personnel receive a clear message that internal control responsibilities are to be taken seriously
There is effective upstream communication
Information
Control examples:
Policies and procedures exist for capturing financial data completely, accurately, and on a timely basis
Financial personnel meet with line management to discuss operating results
Deadlines exist for period-end reporting which include appropriate reviews
How risks are addressed:
Ensures the completeness, accuracy, and timeliness of data that affects the accounting records
Provides reliability of information and results through review of appropriate details and discussion with operating personnel
Reinforces the timely processing, reporting, and review of information and results through adherence to deadlines
Communication
Control examples:
There are timely communications between management and those charged with governance
Employees receive adequate information to complete their jobs
Upstream communication is encouraged to improve performance and enhance internal control
All reported improprieties are reviewed and investigated
How risks are addressed:
Enhances reliability through timely feedback
Prevents errors by ensuring personnel have a clear understanding of policies, procedures, and expectations regarding job responsibilities
Minimizes improprieties by motivating employees to use upstream communication knowing their comments will be taken seriously
Monitoring Objective
Management monitors controls over financial reporting through:
Ongoing monitoring
Independent evaluations
Remediation of identified deficiencies
Monitoring
Control examples:
Ongoing monitoring is built into operations throughout the entity and includes a definition of what constitutes a deviation
Ongoing monitoring provides feedback on controls as well as processes
Reports from external sources such as external auditors and regulators are considered for their internal control implications, and timely corrective actions are identified and taken
How risks are addressed:
Enables personnel throughout the organization to identify when a control has failed
Identifies control deficiencies that might allow errors or fraud to occur and go undetected as well as inefficient or ineffective processing routines
Provides an objective viewpoint to help identify better ways of doing things
Monitoring
Control examples:
Findings of deficiencies are reported to the appropriate person who can take corrective action and if applicable, one level of management above
Deficiencies are communicated regularly and as necessary to management and those charged with governance
How risks are addressed:
Ensures that follow-up will occur when deficiencies are identified
Deters fraud through involvement of multiple levels of management
Ensures that top level management is aware of deficiencies so appropriate resources can be allocated to taking corrective action
Steps for Assessing Entity-Level Controls
Tools for Making the Assessment
Supporting tools can help with your assessment:
Complete (or update) a narrative describing your entity-level controls using “Understanding the Design and Implementation of Internal Control”
Supplement the documentation by completing the related “Entity-level Control Form”
Conclusion
Evaluate all entity-level components—even at small entities
Scale your controls to the size of the entity
Consider how entity-level controls interact with each other and with key control activities
Consider how entity-level controls help mitigate risks of errors or fraud
Questions?