Under Control: Do You Have the Right Entity-Level Controls to Protect Your Organization?

In a highly automated, globally connected world, your organization cannot rely solely on employees — even your most reliable ones — to manage risk. No matter how excellent those employees may be, the sources of fraud, waste, and error are too complex and interconnected to be managed without a reliable system of internal control.

Instituting a set of top-down, organization-wide (usually called “entity-level”) controls, or ELCs, is a best practice for any effectively governed organization, whether it’s a public or private company, government agency, or not-for-profit organization. Public companies are required to institute ELCs as part of meeting the internal control requirements of Sarbanes-Oxley (SOX) Section 404. Other organizations may face similar requirements, such as the Model Audit Rule or the Federal Deposit Insurance Corporation Improvement Act (FDICIA), which are also founded on the premise that management must assess internal control structures and procedures to ensure operating effectiveness. Whether required or not, ELCs can provide a foundation for effective governance over financial statement risk and processes to mitigate those risks. ELCs also set the tone for ethical behavior and business conduct, providing means for holding employees and third parties accountable for their actions.

How Can Internal Controls Help Manage Risks?

Internal controls are policies, procedures, and technical safeguards that protect an organization’s assets by preventing errors and inappropriate actions. These controls fall into three broad categories: detective (to detect errors or irregularities), preventative (to prevent undesirable events from occurring), and corrective (to correct issues and prevent future errors or irregularities).

Controls can be further separated into two levels based on what is being protected. Process-level controls, as the name indicates, are specific to a particular department, role, and process; for example, there is a set of recommended controls over financial reporting, and a different set governing payroll. Entity-level controls, by contrast, are top-down controls designed to function at the highest level and apply to the entire organization. Many ELCs involve policies, codes of conduct, or governance processes such as oversight of executives by a board.

When followed consistently, these internal controls help protect organizations from costly mistakes, fraud, and inaccurate reporting of financial results.

Using the COSO Internal Control Integrated Framework to Develop ELCs

Achieving an effective internal control environment is a key management responsibility for every organization. The COSO Internal Control Integrated Framework has become the authoritative standard across the globe. Implementing COSO is required for public companies that must comply with SOX regulations, and following its guidance is recommended for any organization — public or private, large, or small.

The COSO framework specifically defines an internal control as “a process enacted by an entity’s board of directors, management, and other personnel, and designed to provide reasonable assurance regarding the achievement of objectives, including effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.”

Entity-level controls are internal controls at the highest level, with the broadest applicability. Clear, well-designed ELCs set the “tone at the top” and establish a standard for ethical business practices, accountability, and strong governance. Effective ELCs are applied equitably across the organization, from the C-Suite to interns.

The COSO Framework begins with five components that need to be in place and integrated to ensure strong internal control, and ELCs must be developed for all five. These components provide a foundation for sound internal control through directed leadership, shared values and a culture that emphasizes accountability, all of which are supported through an effective and universally understood set of top-down ELCs.

The five components are further codified into 17 principles, which are the elements that must be in place for an entity’s control structure to be considered effective and supported by 77 detailed “points of focus.” (See the accompanying COSO mapping tool for the full list.) The points of focus provide guidance for assessing whether the components of internal control, especially ELCs, are in place and designed to cover significant areas of risk.

Organizational processes and controls should be mapped against the principles and points of focus, both to identify existing ELCs and to identify potential gaps that may expose the organization to unnecessary or unintended risks. The tool provided with this article is designed to assist you in that mapping process.

These are the five COSO Framework components and their underlying 17 principles:

Control environment

1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk assessment

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to operation, external financial reporting, external non-financial reporting, internal reporting, and compliance objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control activities

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and communication

13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Monitoring activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

As the initial step in developing a system of internal control, management must identify and document the relevant ELCs. Once identified, each control is mapped to the relevant COSO component, principle and point of focus to ensure all aspects of the COSO framework have been considered. This evaluation provides the foundation for evaluating the strength of management participation in establishing a robust control environment.

Performing the Control-Mapping Exercise

When mapping controls, consider the following elements:

• What controls are currently identified?
• Do the controls sufficiently address all principles of the COSO framework?
• What data or resources exist to support the performance of the control?
• Who is responsible for the operation of each control, and is it performed consistently?

Using the first COSO component, “Control Environment,” as an example, let’s look at how to identify controls and map them to the corresponding principles. The Control Environment addresses whether management has established a set of standards, processes and structures that provide the basis for carrying out internal control, including expected standards of conduct. Within this component, the first principle serves to establish whether the organization “demonstrates a commitment to integrity and ethical values.” What process or requirement has your management put in place to demonstrate this commitment? A sample ELC might read as follows:

The organization has issued a Code of Conduct and Ethics that is acknowledged by employees during the new hire process. The Code of Conduct sets forth the standards of business conduct for all employees and agents, including officers and directors. Adherence to organizational policies, including the Code of Conduct, is a condition of employment.

Creating a Code of Conduct and Ethics (and requiring employees to acknowledge receiving it) is an ELC that satisfies Principle 1.

Having identified this control, look further to determine whether it satisfies any other principles by reviewing the points of focus of each principle. Under Principle 5, whether the “organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives” for example, we note point of focus number 17, which states “Management and the Board of Directors establish performance measures, incentives and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives.” Therefore, issuing and enforcing a code of conduct satisfies both Principle 1 and Principle 5. Strong ELCs typically satisfy multiple principles.

Once all identified controls have been mapped to the framework, any principles not satisfied by at least one control represent a control gap for which a new control should be implemented.

It is important to retain evidence that controls are being executed to validate their operation and effectiveness. In relation to the Code of Ethics control, for example, the code should be regularly updated and approved by management or the board of directors. In addition, employee acknowledgment (via signed form, certification, etc.) should be retained to evidence operation of the control and that all employees were provided with the standards consistently.

Finally, who is truly responsible for each control? Executives may “own” a control, at least on paper, but who actually operates the control and does the work? In our example, for instance, the Chief Operating Officer may have nominal responsibility, with in-house counsel responsible for developing the code and the Director of Human Resources responsible for ensuring all employees acknowledge and comply with it. Such division of responsibility should be documented to ensure accountability for the execution of the controls.

Reviewing Your ELCs

It is not enough to set up ELCs once and then assume your organization is protected. Organizations change, people change, organizational structures shift, and the business environment evolves. Therefore, to keep up with these changes, at least once a year someone needs to evaluate whether the internal controls are still in place, still being followed, and still effective.

In addition, if your organization has undergone a major structural change such as a merger, acquisition, or expansion (for example, a new geographic territory, new product line or new service offerings), then you should re-evaluate both the appropriateness and implementation of ELCs.

These are the basic steps to follow when evaluating ELCs:

• Map existing ELCs to the 17 principles of the COSO framework
• Determine whether important ELCs are missing; are there any principles unaddressed by current controls?
• Create new controls to address any identified gaps
• Evaluate each control for design effectiveness
• Test the implementation and performance of each control entity-wide; assess supporting documentation
• Develop a plan to add or improve controls as needed

Although specific ELCs should be customized based on your organization, there are several foundational controls that we would expect to see. Weaver has provided a downloadable tool that maps these expected ELCs to the COSO principles and helps you assess, at a glance, whether you have gaps in your internal control environment.

If you would like professional support with ELCs or any other aspect of SOX compliance, Weaver can help. Contact us with your questions or concerns about your organization’s system of internal controls, internal audits, risk management or SOX compliance.

©2023