Key entity-level controls
|COSO Component||Entity-level Controls|
|Information & Communication||
- Audit procedure for information technology general control
- Determining whether the managements hold a positive attitude and approach toward integrity and ethics.
- Determining whether policies exists to define acceptable IT practices, conflict of interest, and or other expected standards of ethical behavior within the organization.
- Determining whether management take proper precaution and disciplinary action in circumstances where dishonor the policies.
- Determining whether practitioners and management receive complete necessary training to efficiently perform their duties.
- Determining whether the integrity code of conduct is being applied throughout daily operations.
- Determining whether the role of each employee is well defined, documented, and understood by all parties in the organization.
- Determining whether all procedures are properly documented by designated employee and the documentation is securely managed with restricted access.
- Determining whether there are processes in place to monitor the integrity and the ethical value within the department.
- Audit procedures and evidence that indicate operating effectiveness
- Audit procedures to determine operational efficiency
- Determining whether the tasks and goals are performed and achieved. It implies that the controls are operating efficiently when management and employees meet the expectations associated with their responsibilities.
- Evaluating the commitment of the management and employees when executing the internal controls set as higher level commitments from management and employees lead to higher level operating efficiency.
- Determining whether management is promoting and trying to enforce the internal controls in the organization.
- Observing the efficiency and effectiveness of communication between management and employees. It indicates that the controls are operating efficiently when management and employees keep an open and transparent communication channel.
- Observing the attitude of both management and employees towards integrity and ethics in the internal controls.
- Evidence that indicate operating effectiveness
The operation should be considered effective when management holds a positive tone throughout the organization and the communication between management and employees is effective and transparent. Having an ethics and integrity program that is honored by both management and employees is another indicator for effective operation.
- SHR Corporation’s entity-level controls are mostly soft in nature and therefore, can impact the corporation’s employees in terms of how they approach issues. Such entity-level controls do operate across the organization to mitigate risks that threaten the company while provide assurance that the objectives of the organization would be achieved. In addition, the entity-level controls have both internal and external effect. For instance, such control would impact on the effectiveness at transaction and processing level which could minimize the risks that would prevent the company from achieving its objectives.
Weakness in SHR Corporation’s entity-level controls include incidents where management is not dedicated to train and mentor employees. Lacking communication between management and employees could impact the operating effectiveness greatly. Another weakness would be when less reliance is placed on control activities that are performed by employees who require highly judgmental or complex tasks. In order to amend the listed weaknesses, management should be assessing the quality of the internal control performance across the organization. Monitoring activities are necessary and SHR should also acquire independent evaluation by internal auditors to minimize risks.
- Management and employees’ behavior could be affected by the entity-level controls that are carried out across the entire organization. Based on the risks that the organization is currently facing, the entity-level controls would require managements to assess and report on the effectiveness of the internal control of the organization. The independent internal auditors should confirm and evaluate such reports concerning the effectiveness of the corporation’s internal control.
- Management and employees’ behavior at business processing level could be positively impacted since entity-level controls could improve their accountability. Having an effective entity-level controls would help both management and employees comply with organization’s policies and code of conducts. Because entity-level controls provide assurance to the board and management that the established procedures and policies are performed throughout the organization’s operation.
- When auditing controls over the company’s purchases and accounts payable, SHR’s entity-level controls could affect professional skepticism since effective controls could minimize potential risks and misappropriation. Meanwhile, the entity-level controls would facilitate the assessment of process-level risks that could affect the operation of the organization. In addition, process-level controls could assist when conducting direct testes of transactions in order to ensure the financial statements are accurately presented.