#21 | Part 5 – Entity-level Controls in Demystifying SOX 404 – Auditing Standards 5
In this blog, you will learn more about identifying entity-level controls or ELCs as part of Auditing Standards No. 5. We discussed entity-level controls in part 4, but we’ll talk about them here in more detail. So if you want to learn more about SOX 404 requirements, then read on.
To go back to the first 4 parts of this blog series, you can view them here.
Part 1 – Integrated Audit Planning
Part 2 – Fraud Risk
Part 3 – Work of Others and Materiality
Part 4 – Top-Down Approach
Part 5 will cover the following sections:
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
Define Entity-Level Controls
As defined in part 4, entity-level controls are controls that are pervasive throughout the organization across sales, finance, and operations. In paragraphs 22 and 23 of AS5, PCAOB explains that it is important to evaluate the ELCs when deciding the timing and the extent of the testing you do.
It also describes how entity-level controls vary in nature and precision. There are those that are important, but they do not give you direct correlations to help you detect errors or figure out if the financial statements are misstated.
An example is having a regular communication from the CFO/CEO that talks about our values like the following: “We will have high integrity. We will act transparently. We will act with respect. We will treat each other nicely. We will not pressure each other or do illegal and immoral acts.”
- Is this important? Yes, having this policy is important and great for setting the tone for the organization.
- Does it directly affect the financial statements? No, because it is something general and cannot prove anything to you.
Still in paragraph 23, the highlighted bullet below explains that some entity-level controls are designed at a level of detail or granularity such that they do relate to your financial statements and your relevant assertions. If you find this type of entity-level control and you test it, you may not need to test additional controls.
An example of this control: on a quarterly basis, the CFO, with the executive team, reviews the budget-to-actuals, budget-to-forecast, and forecast-to-actual for changes within 2% to see the business operating results. To make this ELC sufficient, it has to be detailed enough that the CFO would be able to spot it if the cash balance were off or if a large transaction were classified incorrectly in the P&L.
Paragraph 24 shows a list of what entity-level controls include. One of these is controls over management override.
Management override happens when there is involvement of senior management in performing controls and in the final reporting process during period-end. Concern about management override applies to all companies.
An example of this is when the CFO comes in and says, “I want you to do this,” and everybody does exactly what he/she wants without questioning it.
The note under this bullet says that when you’re assessing controls around overrides, it doesn’t matter if you’re a large company or small company. But for smaller companies, it may be particularly important because there is increased involvement from top management, so the controls are going to be different from those at larger companies.
Here, detailed oversight by an audit committee may focus enough on the financial results to ensure that management doesn’t override certain decisions.
Going back to the list, you can see here the coverage of ELCs like looking at the risk assessment process, monitoring the operating results, checking controls over the period-end financial close process, and having policies and procedures in place for significant procedures.
This is found in paragraph 25 of AS5. As part of evaluating the control environment, the following should be assessed by the auditor:
- Whether management’s philosophy and operating style promote effective internal control over financial reporting
- Whether sound integrity and ethical values, particularly of top management, are developed and understood
- Whether the board or audit committee understands and exercises oversight responsibility over financial reporting and internal control
Some guide questions to use are as follows: Is the board independent? Do they meet regularly? Do they have regular agendas? Do they have evidence documented in minutes? Who will be participating?
Period-end Financial Reporting
Paragraph 26 of AS5 says the auditor must evaluate the period-end financial reporting process. When it comes to regulations, the following interpretations should be remembered:
- When it says “should,” it means “nice to do.”
- When the rule says “must,” it means it is required.
In this evaluation, the period-end financial reporting process includes the following:
- Procedures used to enter transaction totals into the general ledger
- Procedures related to the selection and application of accounting policies
  - An example where this can be critical is revenue recognition. The policy and how the company decides to adopt it are very important because that is how you treat all the transactions going forward.
- Procedures used to initiate, authorize, record, and process journal entries in the GL
  - Journal entries are where the risk of override often arises. The risk of fraud increases when people are recording, initiating, and approving journal entries by themselves. One key control companies use is to have separate people prepare and approve journal entries.
- Procedures used to record recurring and non-recurring adjustments to the annual and quarterly financial statements
  - The root causes of Enron, WorldCom and Tyco were all around journal entries. The journal entries that don’t happen regularly are more prone to errors because people can slip things in or forget to record them.
- Procedures for preparing annual and quarterly financial statements and related disclosures
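The journal-entry points above (separate preparer and approver, extra attention to non-recurring entries) can be tested against a GL export. The following is an added example, not part of the original post or of AS5; the field names, the sample entries and the five-day period-end window are assumptions made for illustration.

```python
from datetime import date

# Constructed sample journal entries (not real data); field names are assumptions.
SAMPLE_ENTRIES = [
    {"id": "JE-1001", "preparer": "akhan", "approver": "mlee",
     "recurring": True, "posted": date(2024, 3, 15)},
    {"id": "JE-1002", "preparer": "jsmith", "approver": "JSmith ",
     "recurring": False, "posted": date(2024, 3, 31)},
    {"id": "JE-1003", "preparer": "akhan", "approver": None,
     "recurring": True, "posted": date(2024, 3, 20)},
    {"id": "JE-1004", "preparer": "mlee", "approver": "akhan",
     "recurring": False, "posted": date(2024, 3, 30)},
]


def _norm(user):
    """Normalize a user ID so 'JSmith ' and 'jsmith' compare as the same person."""
    return (user or "").strip().lower()


def review_journal_entries(entries, period_end, window_days=5):
    """Return {entry id: [reasons]} for entries that need follow-up.

    NO_APPROVER: nobody approved the entry.
    SELF_APPROVED: preparer and approver are the same person.
    NONRECURRING_NEAR_PERIOD_END: non-recurring entry posted within
        window_days before (or on) period end; the window is an assumption.
    """
    findings = {}
    for je in entries:
        reasons = []
        preparer, approver = _norm(je["preparer"]), _norm(je["approver"])
        if not approver:
            reasons.append("NO_APPROVER")
        elif approver == preparer:
            reasons.append("SELF_APPROVED")
        days_to_close = (period_end - je["posted"]).days
        if not je["recurring"] and 0 <= days_to_close <= window_days:
            reasons.append("NONRECURRING_NEAR_PERIOD_END")
        if reasons:
            findings[je["id"]] = reasons
    return findings


if __name__ == "__main__":
    for je_id, why in review_journal_entries(SAMPLE_ENTRIES, date(2024, 3, 31)).items():
        print(je_id, ", ".join(why))
```

The user-ID normalization matters in practice: exports often carry the same person with different casing or trailing spaces, and a plain string comparison would miss the self-approval on JE-1002.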
In paragraph 27 of AS5, it says that we also focus on the IT involvement as part of the evaluation. That is why when you see SOX, there is always discussion of IT general controls. One of the things to look out for is the impact of systems.
Nowadays, all companies use multiple systems. Systems basically either process the transactions or they route the transaction. If the system data is incomplete or inaccurate, it will impact the company across the board.
Another thing to highlight here is the consolidation, where you can mess with earnings or change results. For instance, you might include certain entities, exclude others, or change the exchange rates that you use for consolidation or elimination.
This is the end of part 5 of the Auditing Standards No. 5. The next part of this series is about Identifying Significant Accounts and Disclosures.