When considering controls for an organization, it may not be widely known that there is more than one level or type of control. To manage their business operations, organizations will have entity-level, divisional, regulatory, transaction-level, and process-specific controls, to name a few.
Of these controls, entity-level controls are considered to be a crucial part when:
- one company is assessing a subservice organization before conducting critical business interactions with that subservice organization, or
- an external auditor or CPA firm is performing an audit over an entity.
A company’s use of a service organization to perform certain critical operations on behalf of the company includes, as part of the assessment of the service organization, reviewing the service organization’s entity-level controls and overall control structure. This is because the service organization is serving as an arm of the company and represents the company in the operations that it performs. The company must determine if the designed and implemented controls at the service organization represent the appropriate control structure to meet the standards and vision of the company outsourcing its processes.
In terms of an external auditor or CPA firm performing an audit, assessment of a company’s entity-level controls is the first step in determining the makeup of the control structure and operating effectiveness of that control structure for the specific operations covered by the audit.
What is the “Definition” of Entity-Level Controls?
Entity-level controls have a general meaning for the various types of audit engagements and can also be more specific to a type of audit engagement. In general, entity-level controls are controls that are pervasive throughout the organization versus designed for a specific division or operation such as specifically for finance, manufacturing, research & development, etc.
Entity-level controls are the overriding controls for overseeing that management directives pertaining to the organization as a whole are implemented and enforced. They may also be considered as higher-level controls that are more general in nature or impact a broader audience.
These controls define an organization’s corporate culture and values. They also relate to internal values as well as external forces such as laws, regulations, and professional standards. The entity-level controls impact the way in which personnel operate and operational processes are designed and implemented.
Five Components of Entity-Level Controls
There are five components of entity-level controls to be considered. The following lists the five components and examples of items to consider with each component.
1. Control environment
- Is there a board of directors (BOD) and executive management team that provides oversight to the company?
- How does the company demonstrate a commitment to integrity and ethical values?
- Has a company-wide code of conduct been implemented?
- Do actions of the BOD and executive management team enforce the commitment to integrity and ethical values and code of conduct (tone at the top)?
2. Risk assessment
- How has management addressed the components of the company’s control structure in the risk assessment?
- What risk may exist at the entity level?
- For a user organization, what risks to the organization are raised through the usage of a service organization, and how are these risks addressed?
- In general:
  - How does management identify, evaluate, and respond to risks associated with internal and external forces and activities and with the services provided to their customers?
  - Has management addressed risks associated with adherence to laws, regulations, and professional standards?
  - Have matters such as operational, financial, information technology, security, privacy, and fraud been addressed in the risk assessment?
  - Have changes in the internal and external environment that impact the company been addressed in the risk assessment?
3. Monitoring
- How does management monitor that internal controls over the services provided to customers are operating as intended?
- What processes and procedures are in place to address potential control deficiencies when identified?
- How does management monitor communications from external stakeholders (customers, business partners, etc.), and what actions are taken to address these communications?
4. Information and communication
- How do the BOD and management team communicate (verbally and in writing) with their external stakeholders, the board of directors, and internal stakeholders (employees and non-employees)?
- What tone does management set in these communications?
- How are internal stakeholders made aware of the company values, objectives, code of conduct, and individual responsibilities and expectations?
- How available is the BOD and management team to receive communications from internal stakeholders for items such as compliance issues?
5. Control activities
- What activities have been implemented to address the individual risks associated with the achievement of the company’s objectives?
- Are these activities manual or automated controls and business or system processes or a combination of both?
- Can these control activities be audited to evidence that they are operating as designed?
Assessing Entity-Level Controls
For any company considering outsourcing operations to a service organization, such as payroll and benefits processing or IT hosting and managed services, assessment of the entity-level controls along with the operations processing controls is part of the decision-making process when contracting with the service organization. Once engaged, the company analyzes the service organization’s controls in relation to its own operations and controls, considers the impact on internal company operations, and makes any needed modifications to its control structure. This is done so that the proper overall level of control is achieved and the processes and controls needed for the proper functioning of the outsourced activities are in place.
When planning an audit, such as a financial statement audit for a privately held or publicly traded company, a SOC 1, or a SOC 2, the auditor must consider the entity-level controls, as the makeup of these controls forms the foundation on which the audit is built. The perceived status of entity-level controls gained while assessing the five components described above determines the risk levels defined and the audit procedures executed for the specific areas covered by the audit. The auditor must perform risk assessment procedures to obtain an understanding of the impact on the organization and, thus, the impact on the audit procedures to be performed. Once the analysis of entity-level controls and the risk assessment are complete and reliance is determined, the auditor can plan the audit and design the tests of controls based on the scope of the audit.
The existence and implementation of entity-level controls is a key component of any organization. They provide the foundation on which the organization operates on a daily basis (employees and processes) and shape how the organization is perceived by and interacts with external stakeholders. Entity-level controls also serve as a key part of an audit, as they reflect the overall tone at the top for the organization being audited and provide the basis for lower-level operational controls. All five components (control environment, risk assessment, monitoring, information and communication, and control activities) are critical to have implemented in order to provide an overall strong control environment.
If you would like assistance with your upcoming audit engagement or have any questions about the audit process, please feel free to contact us. We welcome the opportunity to discuss each unique service organization’s audit needs. The auditors at Linford & Co are highly experienced in third-party audits, including SOC 1, SOC 2, HITRUST assessments, and more.
Lois started with Linford & Co., LLP in 2020. She began her career in 1990 and has spent her career working in public accounting at Ernst & Young and in the industry focusing on SOC 1 and SOC 2 and other audit activities, ethics & compliance, governance, and privacy. At Linford, Lois specializes in SOC 1 and SOC 2 audits. Lois’ goal is to collaboratively serve her clients to provide a valuable and accurate product that meets the needs of her clients and their customers all while adhering to professional standards.