Entity-level controls are high-level controls designed and implemented by the management and endorsed by the board of directors of the organization. Entity-level controls protect the whole organization and are pervasive as compared to internal controls designed for any specific department or function such as finance, marketing, manufacturing, sales, research and development.
What Is The Entity-Level Controls?
Entity-level controls serve as the overriding controls and aim to oversee those policies and directives set by management about the whole organization that are implemented and enforced at all levels by the employees and staff. Entity-level controls being the higher level of controls impact broader processes and audience.
An organization’s corporate culture and values are developed and maintained through the application of entity-level controls. The entity-level controls impact how employees and staff perform their duties and responsibilities.
The development and implementation of entity-level controls is a key component in the overall internal control system of any organization. Entity-level controls help to set the overall tone at the top for the organization and provide a strong basis for lower-level activity controls. All five components of internal controls – control environment, risk assessment, control activities, communication and information, and monitoring – are effectively implemented if the entity-level controls are strong and appropriately implemented.
Examples Of Entity-level Controls
Let’s discuss some common examples and best practices of entity-level controls.
Code of Conduct
Organizations define and document the companies code of conduct for the management and employees. Such code of conduct includes ethical principles and behaviors, which are expected from every employee of the organization. Code of conduct is disseminated to the employees for their review and agreement. Usually, a code of conduct is circulated by the human resource department at the start of each financial year. Employees are required to read, understand and comply with the principles laid down in the code of conduct.
The board members and senior management of the organization govern the business and operations. The board of directors sets the direction of the organization and senior management implements such direction to achieve business goals and objectives. The board reviews the performance of management periodically and issues necessary directions to the management to support it in the process of achieving targets and objectives.
The board reviews the performance every quarter by going over the company’s financial statements, significant internal audit issues, significant compliance breaches, and loss incidents that occurred during a period. Management provides such information to the board members periodically.
Conflict of Interest Statement
Developing a conflict of interest statement is an entity-level control, and its compliance is the implementation of such a statement. The board members and management are required to disclose their potential conflicts on an annual basis. The human resource department of the organization circulates such statements to the board and management for disclosure purposes. All the board members and management team members are required to respond to such a conflict-of-interest statement.
Having a whistleblower policy is an entity-level control where employees are encouraged to report suspicious transactions and activities to senior management without fear of losing their job. Whistle-blower policies give confidence to the employees that they can report any unwanted or unethical practices to higher authorities within the organization.
Internal Audit Function
Establishing a dedicated internal audit function is a part of the implementation of entity-level controls in the organization.
The internal audit function is headed by a chief internal auditor who reports directly to the board. Internal auditors are independent of management activities and have a direct reporting line to those charged with governance. Hiring and setting benefits for the chief internal auditor are made by the board audit committee members.
Information Technology (IT)
The use of information technology to run and automate the business processes is another element of entity-level control. The use of IT enables generating and sharing periodic operating reports to the board and management. The use of IT is:
- To implement security measures for managing the risks related to IT networks, network services, business applications, and databases;
- To ensure that IT premises and information assets are being accessed, managed, and processed by users and external parties in a controlled environment; and
- To ensure that all IT users, suppliers, and vendors are aware of their information security responsibilities.
As part of entity-level controls, the management develops and implements processes where all the employees are accountable for their wrong acts being performed within the organization. The disciplinary action plan is developed by the management to respond to the wrongful acts of the employees or staff. Such a disciplinary action plan is implemented through the human resource department of the organization.
Competent and Experienced Employees and Staff
An organization hires competent and experienced professionals to perform business and operations activities. The hiring of experienced and competent employees and staff is an example of the implementation of entity-level control. Hiring such employees and staff results in the effective and efficient running of the business affairs.
Assessing Entity-Level Controls
When a company considers outsourcing operations to a service organization, such as payroll and benefits processing or IT hosting and managed services, an assessment of the entity-level controls, as well as the operations processing controls, is part of the decision-making process.
Once engaged, the company analyzes the service organization’s controls in relation to their own operations and controls, considers the impact on internal company operations, and modifies their control structure as needed. This is done to ensure that the proper overall level of control is achieved and that any processes and controls required for the proper operation of the outsourced activities are in place.
Entity-level controls must exist and be implemented in order for an organization to function properly. They lay the groundwork for how the organization operates on a daily basis (employees and processes), as well as how the organization is perceived and interacts with external stakeholders. Entity-level controls are also an important component of an audit because they assess the overall tone at the top of the organization being audited and serve as the foundation for lower-level operational controls. To provide an overall strong control environment, all five components – control environment, risk assessment, monitoring, communication & information, and control activities – must be implemented.