What Belongs on an Entity-Level Controls Checklist?

Learn to build and assess the foundational controls that set your organization's tone, ensure reporting integrity, and create a strong governance structure.

Entity-level controls are foundational policies that establish an organization’s “tone at the top.” They serve as the bedrock for more detailed, transaction-specific controls and have a pervasive impact across the entire entity. Their purpose is to promote reliable financial reporting, efficient operations, and legal compliance.

Strong entity-level controls are a company’s first defense against fraud and accounting errors, providing the structure to ensure management’s directives are followed. Without this solid foundation, even well-designed controls at the transaction level can be undermined. For public companies, effective entity-level controls are a requirement under the Sarbanes-Oxley Act (SOX), which mandates that management report on the effectiveness of internal controls.

The Five Components of Internal Control

The framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is built on five interrelated components. These provide a structure for designing and assessing entity-level controls to support financial reporting objectives.

Control Environment

The control environment sets the tone of an organization and is the foundation for all other components of internal control. A checklist for this component focuses on the integrity and ethical values demonstrated by leadership. This includes having a formal code of conduct, with documentation showing it has been distributed and acknowledged by employees.

An effective board of directors is independent of management and exercises diligent oversight of financial reporting. Checklist questions would probe whether audit committee members are independent and have the financial expertise to challenge management. Documentation includes charters for the board and its committees, along with meeting minutes that show evidence of oversight activities.

A commitment to competence involves policies for hiring, training, and retaining qualified personnel in key financial roles. The checklist should confirm that job descriptions are clear and that there is a defined assignment of authority documented in an organizational chart.

Risk Assessment

Risk assessment is the process of identifying and analyzing risks that could prevent an organization from achieving its objectives. A checklist for this component would verify that the company has a systematic process for identifying internal and external risks to financial reporting. Documentation for this area includes formal risk assessment reports or similar analyses.

The process should include a fraud risk assessment that considers how and where fraud could occur, such as through management override of controls. The assessment should also analyze the likelihood and potential impact of identified risks, forming a basis for determining how they should be managed.

An organization’s risk assessment must also consider the potential for changes in the business or economic environment. This includes shifts in operations, new personnel, or new information systems. The checklist should ensure a mechanism is in place to identify these changes and adapt the risk assessment accordingly.

Control Activities

Control activities are the policies and procedures that help ensure management’s directives are carried out and that actions are taken to address risks. A checklist for this area would examine controls over the period-end financial reporting process. This includes verifying controls over the application of accounting policies, the process for making significant estimates, and the preparation of financial statement disclosures.

Controls over management override are a specific area of focus. Checklist items address how the organization prevents and detects management’s ability to circumvent controls. This includes scrutinizing non-standard journal entries, reviewing accounting estimates for bias, and understanding the business rationale for significant unusual transactions.

The checklist should also cover policies that address business control and risk management practices. This involves confirming procedures for data security, business continuity, and transaction authorization. Evidence of these activities includes policy manuals and documentation of management review controls, such as sign-offs on account reconciliations.

Information and Communication

Information and communication are the processes of identifying, capturing, and exchanging information in a form and timeframe that enable people to carry out their responsibilities. A checklist for this component assesses the quality of information used to support other controls. It would question whether financial reports provided to management are accurate, timely, and detailed enough to identify potential issues.

Communication involves providing an understanding of individual roles and responsibilities related to internal control. The checklist should verify that these responsibilities are clearly communicated through policy manuals and training programs. This ensures employees know what is expected and understand how their duties fit into the larger control framework.

A key element of communication is a confidential whistleblower policy. The checklist must confirm a clear process for employees to report suspected wrongdoing without fear of retaliation. Documentation includes the policy itself, records of its communication, reports from whistleblower hotlines, and evidence of ethics training programs.

Monitoring Activities

Monitoring is a process that assesses the quality of the internal control system’s performance over time through ongoing activities or separate evaluations. A checklist for this component would examine how management regularly monitors the effectiveness of controls. This can include supervisory activities, such as reviewing account reconciliations or performance reports, that are designed to spot anomalies.

Separate evaluations, such as those performed by an internal audit function, provide a more periodic assessment of control effectiveness. The checklist should confirm the existence and objectivity of an internal audit function that reports directly to the audit committee. Documentation supporting monitoring includes internal audit reports and reports used by management to oversee operations.

The checklist must also address the process for reporting and remediating control deficiencies. There should be a clear protocol for communicating identified weaknesses to the appropriate level of management and the board. Records showing the timely reporting of these deficiencies are necessary evidence.

How to Assess Entity-Level Controls

Assessing entity-level controls is a systematic process to determine if they are designed and operating effectively. The process begins with planning to define the scope and objectives of the assessment. This involves identifying the key controls across the five COSO components that are most important for preventing or detecting material misstatements.

The execution phase relies on three primary methods for gathering evidence. Inquiry involves interviewing key personnel, such as senior management and audit committee members, to understand their processes. Observation means watching processes as they are performed to confirm they operate as described. Inspection is the examination of documents like board minutes, signed code of conduct acknowledgments, and internal audit reports.

The final step is to document the assessment results. For each control on the checklist, the assessor must record the procedures performed and the evidence obtained. This documentation should support a conclusion on whether the control is designed effectively and operating as intended.

Addressing Identified Control Deficiencies

When an assessment identifies a control deficiency, the organization must take structured steps to address it. The first action is to evaluate the severity of the weakness. A deficiency can be classified as a simple deficiency, a significant deficiency, or a material weakness, with the latter being the most severe and requiring public disclosure in annual filings.

After evaluation, management must develop a detailed remediation plan. This plan should define the specific corrective actions, assign responsibility for implementation, and set a clear timeline for completion. For example, if a deficiency was caused by a lack of expertise, the plan might involve hiring new personnel or providing targeted training.

Significant deficiencies and material weaknesses must be reported to senior management and the audit committee. This communication ensures that those charged with governance are aware of the issues and can oversee the remediation process.

The final stage is follow-up and re-testing. The organization must verify that the plan was executed and that the new or modified control is operating effectively. This involves re-testing the control after it has operated for a sufficient period to demonstrate it is working consistently and to conclude that the deficiency has been remediated.
