An effective organization of consequence, whether public or private, attempts to strike a balance between its mission (usually but not always profit) and its responsibilities to employees, the community, the government (laws and regulations), and society at large. This is accomplished through “corporate governance,” or what was once known as “business ethics.”
Most experts believe that to be truly effective, corporate governance must start at the top with a set of policies called entity-level controls.
What Are Entity-Level Controls?
From the standpoint of risk, audit and accounting professionals, entity-level controls are directed at the highest echelons of an organization.
Entity-level controls are policies, rules, procedures and standards of behavior that apply to members of the board of directors, senior company officers, top management, and rank-and-file employees. It’s a well-established fact that the behavior of upper management tends to “set the tone” for the subsequent behavior of everyone else down an organization's chain of command. This is why entity-level controls are often called “tone at the top controls.”
Direct and Indirect Controls
Entity-level control procedures fall into two categories: direct and indirect. Direct entity-level controls are those that exist to prevent purposeful or inadvertent material misstatements on financial statements, in legal proceedings or through press releases, and in interviews or marketing material. Indirect entity-level controls are broader in scope and pertain to things like internal communication, employee interaction and other aspects of business that affect the overall atmosphere of a company.
A proper approach to corporate governance will incorporate both direct and indirect controls into the entity-level control risk management process.
Examples of common entity-level controls will include the following:
- Mission statement
- Statement of values
- Code of ethics
- Code of conduct
- Audit (testing) and audit reporting requirements
- Employee handbook or rulebook
- Training manuals
- Internal complaint procedure
- Continuing education requirements
- Employee review process
Why Are Entity-Level Controls Important?
The most important intangible benefit of maintaining a robust entity-level control regime is that it sets standards of ethics, good behavior and sound business habits that are enforced from the top down.
A solid set of sound policies and sensible procedures that are applied equitably to everyone from the chairman of the board of directors down to a newly hired intern demonstrates to the entire organization (as well as the outside world) that misbehavior — especially fraudulent and unfair practice — is not tolerated or taken lightly. This is an important internal safeguard against the loss of valuable goodwill through reputational risk.
There are, of course, important tangible benefits as well. Some of them contribute directly to the bottom line. Some (but not all) are as follows.
- Errors are avoided.
  - Stringent controls are proven to cut down on incidental (accidental) errors. This is especially important in financial and regulatory reporting.
  - Errors due to malfeasance, criminal activity or poor work habits can also be limited by a diligently implemented entity-level control risk management process.
- Risk is mitigated.
  - Entity-level control risk assessment is a fundamental aspect of auditing, accounting and risk systems. A solid risk assessment means better risk management.
- Human resources is managed.
  - Good entity-level controls are personnel driven.
  - The clear definition of roles and responsibilities in written and inspected controls can facilitate effective personnel management.
- Overall efficiency is increased.
  - Clear and well-communicated controls save both time and money and will result in a more efficient business.
COSO: The Entity-Level Control Gold Standard
James Treadway Jr. and the Committee of Sponsoring Organizations (COSO) did the accounting and business world a great service in 1992 when they created the integrated principles known as the "COSO Framework." Many companies consider the COSO Framework the gold standard for guidance in establishing and implementing internal controls to avoid and control risk. As you may know, the framework emphasizes entity-level controls as a critical step in establishing transparency and setting an operational tone.
Even businesses that don’t adhere precisely to the framework and every aspect of the famous “COSO Cube” must acknowledge the critical nature of its five components:
- Control environment
- Risk assessment and management
- Control activities
- Information and communication
- Monitoring (auditing and testing)
Neglect of any of the five elements can end up being a costly mistake made even more painful because it can so easily be avoided.
The Value of a Comprehensive, High-Quality Questionnaire/Checklist
It should be no secret that a comprehensive controls checklist is itself a critical internal control. In fact, a good questionnaire-based checklist ought to be first on any list for any category of controls. A questionnaire serves to start you off right and keep you on track throughout the design and implementation of a control strategy.
The value of a top-quality, well-designed questionnaire is that it helps establish a systematic routine of accuracy and avoids costly oversights and duplication of effort.
Put simply, the consistent use of accounting checklists, templates and questionnaires is an audit and accounting best practice that shouldn’t be ignored or avoided.
The KnowledgeLeader Entity-Level Control Environment Questionnaire
Our Entity-Level Control Environment Questionnaire is designed to harmonize perfectly with the COSO Framework while not requiring strict adherence to every aspect of the COSO Cube. Many COSO elements are provided, but the tool is 100% customizable to the needs of the professionals who are using it.
Our questionnaire covers more than 65 critical entity-level controls. It gives the COSO attributes that are addressed by the control and then asks more than a dozen questions about each. Although it includes almost 850 questions, each control and the associated questions can be addressed (or ignored) independently, even as they work seamlessly with the whole document.
Our subscribers have full access to this valuable tool and use it to meet three primary objectives that create a beneficial control environment.
- Adequate, Effective Policies
Codes of conduct, rule books and other written standards that document acceptable business practices and help avoid conflict.
Officers, directors, employees, partners and associates are all made aware of what is expected of them, what’s acceptable, and what is not.
As has been much discussed in this article, the “tone at the top” shapes the business environment all the way down.
We encourage you to visit our Entity-Level Control topic area to learn more about the related content we have to offer.