Source: www.knowledgeleader.com

Table of Contents
ENTITY-LEVEL CONTROLS AUDIT WORK PROGRAM: SAMPLE 1 ..... 3
ENTITY-LEVEL CONTROLS AUDIT WORK PROGRAM: SAMPLE 2 ..... 22
APPENDIX: ENTITY-LEVEL DOCUMENTATION REQUEST CHECKLIST ..... 30

ENTITY-LEVEL CONTROLS AUDIT WORK PROGRAM: SAMPLE 1

PROJECT TEAM (LIST MEMBERS)

Project Phase Date Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

AUDIT OBJECTIVES
The objective of this audit work program is to evaluate the entity-level controls in an organization. The work
program specifically focuses on entity-level topics such as:
• Control Environment
− Integrity and ethical values
− Management commitment to competence
− An effective board of directors
− Management's philosophy and operating style
− Organizational structure
− Assignment of authority and responsibility
− Organization around the human resources department
• Risk Assessment
− Entity-level objectives
− Process-level objectives
− Risk identification and analysis
− Managing change
• Information and Communication
− Quality of information
− Effectiveness of communication
• Control Activities
− Process controls
• Monitoring
− Ongoing monitoring activities
− Evaluation of internal control system
− Reporting deficiencies

Time Project Work Step Initial Index

I. Control

The code of business conduct and ethical practices exists within all Company
XYZ locations and is distributed to all employees and is available on the
company’s public internet site.

Inspection Test

Obtain the code of conduct and verify that the code:
• Is approved by the board of directors
• Is available on the intranet
• Addresses specific areas mentioned in controls
• Offers guidance on actions to take if an employee encounters improper behavior

II. Control

Integrity and ethics training takes place as part of regular events.

Inspection Test

• Inspect the training materials from the (Insert Year) ethics and compliance
training events.
• Ensure that the curriculum includes appropriate attention to integrity and
ethical values.
• Verify that attendance is maintained and monitored.

III. Control

The code of business conduct has been distributed and acknowledgment cards are signed by each employee and are kept on file.

Inspection Test

• Select a sample of employees.
• Obtain the employee's signed code of business conduct and ethical practices acknowledgment card.

IV. Control

Disciplinary action for departures from the code is enforced as explained in the code. Consequences of failure to follow the code are also covered in ethics training courses.

Inspection Test

• Obtain the code of conduct.
• Verify that the code contains consequences for deviations from the code.
• Interview X employees.

• Verify that the employees are aware of actual or potential disciplinary actions that have been or may be taken in response to deviations from the code.

V. Control

Policies and procedures for the handling of ethics complaints exist and are
enforced. The company has established procedures for the confidential,
anonymous submission of concerns by employees about questionable
accounting or auditing matters. A process exists for thoroughly investigating
complaints, including determining which complaints will be investigated by
management and which complaints will be investigated by the audit
committee or its advisors.

Inspection Test

• Obtain the policy on handling accounting- and audit-related complaints and verify that it contains procedures for the collection and handling of ethics complaints.
• Obtain the latest report from System X and verify that all calls have been assigned to individuals or departments for investigation and have been handled in a timely manner.
• Select a call from the System X list. Verify that documentation supports the outcome of the investigation.
• Select a sample of employees. Ask about what they would do if an employee reported an ethical complaint to them. Verify that they know the correct procedure for reporting the complaint upward, to the legal department, or to call/write or use the web to report the complaint.

VI. Control

Senior management consists of several functional areas. Formal job descriptions exist for key positions within the organization. Management has analyzed the tasks comprising particular jobs, considering such factors as the extent to which individuals must exercise judgment and the extent of related supervision. Job descriptions convey the essentials of the position: general responsibilities, skills, experience and preferred educational background required. They are used to ensure that competent, qualified people are hired to fill positions at Company XYZ.

Inspection Test

• Select a sample of employees hired in the last year.
• Verify that a detailed job description exists for the employee's title.
• Verify that a copy of the employee's job description is filed in their personnel file.

VII. Control

Accounting and financial personnel knowledge is sufficient to keep pace with the growth and complexity of the business. Management demonstrates a commitment to providing sufficient accounting and financial personnel to keep pace with the growth and/or complexity of the business. Departmental staffing is appropriate (particularly with regard to knowledge and experience of management and supervisory levels within the accounting, information systems and financial reporting areas).

Inspection Test

• Review organization charts for accounting personnel.
• Verify that there have been no long-term vacancies or that tasks from vacancies have been re-assigned to other staff.
• Review entity-level survey results for responses on whether there is an adequate amount of staff.

VIII. Control

Senior management consists of several functional areas. The board of directors and the nominating and corporate governance committee are responsible for assessing the effectiveness of management.

Inspection Test

• Obtain organization charts.
• Verify that the senior members of all departments report to appropriate C-level employees.

IX. Control

The company risk assessment is presented to the board of directors. The board of directors and/or the audit committee oversees and monitors the risk assessment process and takes action to address the significant risks identified.

Inspection Test

• Obtain the board of directors or audit committee minutes.
• Verify that the risk assessment results or another discussion of organizational risks occurred at the board of directors or audit committee meetings.

X. Control

The audit committee charter contains the authorities and responsibilities of the audit committee and outlines duties, responsibilities, resources and authority. The audit committee charter includes oversight responsibility for understanding how management identifies, monitors and controls business risks.

Inspection Test

• Obtain the audit committee charter.
• Verify that the charter contains the committee's authority and responsibilities, including oversight responsibility for understanding how management identifies, monitors and controls business risks.

XI. Control

The audit committee is an informed, vigilant and effective overseer of the financial reporting process and the company's internal controls. The audit committee is responsible for overseeing:
• The integrity of the financial statements
• The company's compliance with legal regulations
• The independence, qualifications and performance of the independent auditors
• The performance of the internal audit function
The audit committee meets regularly, often in the presence of the auditors. The audit committee is responsible for appointing external auditors, per the audit committee charter.

Inspection Test

• Obtain the audit committee meeting minutes.
• Verify that the committee meets regularly and includes minutes regarding:
− The integrity of the financial statements
− The company's compliance with legal regulations
− The independence, qualifications and performance of the external auditors
− The performance of the internal audit function

XII. Control

The board of directors and associated committees meet regularly with management, as reflected in board minutes. Management discusses all changes that may have a significant effect on the company at the board of directors and audit committee meetings.

Inspection Test

• Obtain the board and committee minutes for the year.
• Verify that there is regular communication with management regarding strategic initiatives and any changes or updates to the company's operations.

XIII. Control

The board of directors performs a self-evaluation annually, as instructed in the corporate governance guidelines. The results of the self-evaluation are documented in board minutes.

Inspection Test

• Obtain the corporate governance guidelines and listing of board of directors members from the corporate governance website and proxy.
• Verify that the board of directors is granted authority and responsibility by the corporate governance guidelines.
• Verify that the makeup (e.g., number, background and expertise) of the board of directors and associated committees is in line with the guidelines.

XIV. Control

The board of directors is granted authority and responsibility by the corporate governance guidelines. The makeup (e.g., number, background and expertise) of the board of directors and associated committees is appropriate given the size of the company.

Inspection Test

• Obtain the corporate governance guidelines and listing of board of director members from the corporate governance website and proxy.
• Verify that the board of directors is granted authority and responsibility by the corporate governance guidelines.
• Verify that the makeup (e.g., number, background and expertise) of the board of directors and associated committees is in line with the guidelines.

XV. Control

The audit committee has at least one financial expert as required by SEC
rules and the audit committee charter.

Inspection Test

• Obtain the latest proxy statement.
• Verify that at least one member of the audit committee is qualified as a financial expert.

XVI. Control

The audit committee meets regularly with external and internal auditors. The
board of directors and audit committee review significant accounting changes
quarterly at meetings with management and the external auditors.

Inspection Test

• Obtain board of directors and audit committee minutes.
• Verify that the external and internal auditors meet with the audit committee.

XVII. Control

The audit committee queries both management and the external auditors
regarding knowledge of any fraud. When allegations of fraud are made, the
audit committee is involved in the investigation.

Inspection Test

• Obtain audit committee minutes.
• Verify that fraud and/or hotline calls are discussed.

XVIII. Control

A cross-functional (operational and financial) executive management team holds weekly meetings and is involved in decisions on significant transactions.

Inspection Test

• Obtain evidence (e.g., agendas, meeting requests and observations) that the executive committee meets regularly.

XIX. Control

Employees establish goals, are evaluated on their performance and are compensated accordingly through a bonus. Incentive bonuses are considered an appropriate percentage of total compensation and would not foster unethical behavior. Incentives are not heavily dependent upon short-term financial results. The human resources department develops an incentive compensation plan that applies to the entire company. The plan is reviewed by the board of directors.

Inspection Test

• Obtain the incentive compensation plan, including salary grades and bonus percentages.
• Verify that the plan is reasonable and does not contain excessive compensation or compensation based heavily on actions fostering unethical behavior.
• Obtain the spreadsheet used to calculate bonuses.
• Select a sample of X employees and verify that the bonus calculation and amount align with the policy.
• Verify that the individual performance portion of the calculation is supported by a signed evaluation by the employee's supervisor.

XX. Control

Management reviews financial results for variances in the budget. Budgets/forecasts are updated throughout the year to reflect changing conditions. A monthly reporting package sent to corporate and regional management contains variance analysis. Forecasts are provided by the locations to regional and corporate management monthly or weekly.

Inspection Test

• Obtain the results of Section 404 testing.
• Verify that the monthly reporting package sent to corporate and regional management contains variance analysis and is reviewed by management.

XXI. Control

Management corrects identified control deficiencies and follows up on recommendations from external auditors on internal control and policies and procedures in a timely manner. Management corrects identified internal control deficiencies on a timely basis and follows up on a timely and appropriate basis on recommendations from external auditors on internal controls and policies and procedures of the company. Control deficiency responses are tracked in the SOX database. Internal audit reports also contain management responses. Management tracks reported deficiencies and action plans using the SOX database. The (Insert Position) follows up with process owners to ensure that remedial action is taken.

Inspection Test

• Review reports from the SOX database.
• Inspect the SOX database to ensure that deficiencies noted are responded to by management with action plans and corrected in a timely manner.

XXII. Control

Management has developed an internal control steering committee (ICSC) to assist in overseeing the system of internal controls. The ICSC meets with the external auditors and SOX project team leadership on a bimonthly basis to discuss the status of the Section 404 project and other issues related to internal control. Finance managers regularly report the status of remediation of control deficiencies to the director of Sarbanes-Oxley. This group reports to the audit committee as requested. Internal control is also stressed in the ethics and compliance training. In addition, the monthly certification process requires certifiers to attest to the status of the control environment.

Inspection Test

• Obtain documentation of ICSC meetings when internal control is the focus of the meetings.
• Verify that meetings are held regularly.
• Obtain evidence that internal control is a subject of the ethics and compliance training or other training.

XXIII. Control

Financial personnel are reviewed and trained to keep pace with the growth and complexity of the business. Finance managers attend an annual conference, which covers new policies, initiatives and accounting guidance. Training and performance goals are discussed as part of the new performance management system for key employees. Key employees are evaluated annually in the performance management system.

Inspection Test

• Obtain evidence that finance managers are trained on new policies, initiatives and accounting rules.

XXIV. Control

A disclosure committee has been established by management to determine what should be disclosed in the financial statements. This committee meets prior to the release of each quarter's financial statements.

Inspection Test

• Obtain an agenda or other documentation from X meetings of the disclosure committee.

XXV. Control

Executives are held to the same code of conduct as all employees and are
required to acknowledge their understanding of the code.

Inspection Test

• Obtain the signed code of conduct acknowledgment from all officers.

XXVI. Control

The organizational structure is not overly complex and is appropriate given the size, operations and locations of the company. Lines of authority and responsibility are indicated on the organizational charts maintained by the assistant to HR.

Inspection Test

• Obtain organization charts for the company.
• Verify that the company structure is not overly complex and that reporting relationships are established.

XXVII. Control

The delegation of authority policy addresses authorization and approval of transactions.

Inspection Test

• Obtain the delegation of authority policy.
• Verify that the policy has been communicated to employees.

XXVIII. Control

Lines of reporting are established to provide open communication. Reporting relationships are outlined on the organization charts. Finance managers attend weekly conference calls with their division management to discuss a variety of topics.

Inspection Test

• Obtain organization charts and verify that reporting relationships are clearly established.
• Verify that conference calls are conducted regularly between division and country finance managers.

XXIX. Control

An ethics hotline is established and employees are aware it exists and know
how to use it. A hotline is designed for the confidential submission of
accounting and ethical concerns. Methods for reporting ethical concerns
have been established, as allowed by law. All employees have the following
methods available to them: directly reporting to the supervisor, a letter to the
audit committee or general counsel, and anonymous reporting via internet or
phone. When reports are received, they are handled according to the audit
committee policy on the handling of accounting and audit-related complaints.

Inspection Test

• Verify that an ethics hotline has been established for the confidential
submission of ethical complaints.
• Verify that the various methods of accessing the hotline (web, phone, in
writing) have been communicated to employees.

XXX. Control

When a key employee leaves the company, responsibilities, including control ownership, are transferred to a replacement. Company XYZ implemented a succession planning process for executive-level employees.

Inspection Test

• Select a sample of employees.
• Obtain the succession planning book for each position and verify that individuals have been identified in each book.

XXXI. Control

Financial reporting responsibility for each company is specified.

Inspection Test

• Obtain a list of all companies from the financial reporting system.
• Obtain a list of certifiers and verify that all companies have a certifier.

XXXII. Control

A background check is run for all employees before they are hired.
Background checks can include criminal background checks, reference
checks, approval of visa, employment or education check, or a combination
of these.

Inspection Test

• Obtain a sample of employees hired in the last year.
• Obtain evidence that a background check of the employee was conducted prior to employment.

XXXIII. Control

Job performance is evaluated periodically with each employee, and goals and objectives are reviewed. Job performance is evaluated periodically and reviewed at least annually with each employee. Annual goals and objectives are reviewed and established in connection with annual performance reviews.

Inspection Test

• Select a sample of employees.
• Verify that each employee has a completed current evaluation with goals, evaluation of competencies and supervisor signoff.

XXXIV. Control

The mission statement and quality policy statement are clearly stated on the corporate homepage of the Company XYZ website.

Inspection Test

• Obtain the mission statement or other document stating the company's objectives.

XXXV. Control

A business plan exists and is updated annually. A business plan is created during budgeting meetings between regional and location finance and operations management.

Inspection Test

• Obtain the business plan.
• Verify that a budget is created for each location.

XXXVI. Control

An entitywide risk assessment is performed periodically.

Inspection Test

• Obtain the latest risk assessment.
• Verify that the assessment includes likelihood, potential impact and an action plan to mitigate the risk.
• Verify that the assessment is reviewed by senior management.

XXXVII. Control

Monthly certifications and reporting occur.

Inspection Test

• Obtain testing for monthly certifications and verify that monthly certifications are submitted.
• Obtain the form and verify that certifications cover various types of risks and identify related-party transactions.

XXXVIII. Control

Processes to identify changes in GAAP and regulatory issues exist and are
utilized.

Inspection Test

• Obtain Section 404 testing and verify that there is a process in place to
identify GAAP and regulatory changes and communicate those changes.
• Document any other methods for communicating accounting guidance
(e.g., training, conference calls, etc.) throughout the company.

XXXIX. Control

Corporate policies are issued or updated regularly.

Inspection Test

• Obtain new policies issued or updated in the current year.
• Verify that authority is granted for determining which policies to issue and then drafting and issuing those policies.

XL. Control

A record retention policy exists and is communicated throughout the organization.

Inspection Test

• Obtain the record retention policy.
• Obtain evidence that document categorization and disposal occur regularly, as stated in the policy.

XLI. Control

An IT strategic plan exists and is regularly monitored by the IT department.

Inspection Test

• Obtain the IT strategic plan.
• Verify that the plan covers at least X years and is monitored.

XLII. Control

IT systems provide timely and reliable reports.

Inspection Test

• Obtain the standard reporting package from the financial reporting system.
• Obtain the results of the entity-level survey and verify that employees have an acceptable level of satisfaction with the IT system.

XLIII. Control

Coordination exists between the IT and accounting departments.

Inspection Test

• Obtain the results of the entity-level survey and verify that employees
have an acceptable level of coordination between the IT and accounting
departments.
• Obtain IT steering committee agendas and verify that accounting is
represented.
• Obtain organization charts and verify that individuals are identified in the
accounting department who consult with IT.

XLIV. Control

Policy development and accounting system modification exist. The process change control policy has been issued. A policy committee exists to issue and revise policies.

Inspection Test

• Obtain the process change control policy.
• Verify that there is a process in place for reviewing and approving changes to processes prior to implementation.

XLV. Control

Any changes made to the IT system are authorized and in line with the
business objectives. A system change control policy is in place.

Inspection Test

• Obtain the system change control policy.
• Verify that procedures exist for initiating, testing and approving changes to systems.

XLVI. Control

The disclosure matrix details all activities completed for the 10-K and the person responsible for each activity.

Inspection Test

• Obtain the disclosures matrix.
• Verify that responsibility and procedures for all aspects of financial reporting are assigned and carried out.

XLVII. Control

Litigation is monitored centrally by the corporate legal department. Any litigation from vendors, tenants and other external parties is monitored.

Inspection Test

• Obtain Section 404 testing and verify that litigation is monitored.

XLVIII. Control

Critical information is disseminated through corporate email and posted for employees who do not have access to email.

Inspection Test

• Obtain a sample of the company's internal communication policy.
• Review announcements made on the company's internal website.
• Obtain other communications that exist (e.g., conference calls and letters from the CEO).
• Verify that important information is communicated regularly to employees.
• Verify that communication channels are acceptable for employees to receive the information.

XLIX. Control

The internal audit function is independent of the activities it audits. The internal audit charter states that the internal audit director reports functionally to the chairman of the audit committee and administratively to the CFO.

Inspection Test

• Obtain the internal audit charter and verify that the IA director reports
functionally to the audit committee.
• Obtain organization charts and verify that the internal audit department is
independent of the activities it audits.

L. Control

Internal audit issues reports based on its audits to management. Internal audit reports also contain management responses.

Inspection Test

• Obtain the internal audit plan of audits for (Insert Time Period).
• Obtain reports issued from those audits.
• Verify that the reports contain action items and management responses.

LI. Control

The internal audit charter outlines accountability, independence, responsibility and authority for internal audit.

Inspection Test

• Obtain the internal audit charter.
• Verify that it outlines accountability, independence, responsibility and authority for the internal audit department.

LII. Control

The internal audit department performs a periodic risk assessment. Audits are planned around the risks identified in the risk assessment.

Inspection Test

• Obtain the recent internal audit risk assessment.
• Verify that planned audits address the high-risk areas.

LIII. Control

The internal audit department has a plan of audits and also conducts special
audits when issues arise.

Inspection Test

• Obtain the internal audit outline of planned audits.
• Verify that audits are conducted as planned.

LIV. Control

FCPA and anti-bribery policies exist and are enforced.

Inspection Test

• Obtain a list of agents from the legal department.
• Verify that all marketing agents have been vetted by Company XYZ by obtaining the marketing memo stating the business purpose for using the agent, due diligence questionnaire, results of background check and an executed agency agreement (contract).
− Verify transactional due diligence.
− Verify completion of the agent certification.

LV. Control

Authority and responsibility for maintaining compliance with anti-bribery laws are established.

Inspection Test

• Obtain the anti-bribery and Foreign Corrupt Practices Act compliance program policy.
• Verify that the program contains details of the company's efforts to comply with anti-bribery laws, establishes authority for ensuring compliance and establishes consequences for failure to comply.

LVI. Control

Employees are evaluated on adherence to ethics and integrity. These are core competencies on which employees are evaluated regularly.

Inspection Test

• Obtain standard performance evaluation forms.
• Verify that ethics and integrity are a competency on which employees are evaluated.

LVII. Control

Officer and key manager meetings are held quarterly. Topics covered include
updates from all functional leaders, business developments and initiatives,
financials, and business updates from the various divisions.

Inspection Test

• Obtain evidence of quarterly officer and key manager meetings.

LVIII. Control

The board of directors reviews long-term strategic and business plans. The corporate governance guidelines direct the board of directors to review the company's long-term strategic and business plans. The business plan is created annually at budget meetings and is presented to the board of directors.

Inspection Test

• Obtain board of directors and related committee meeting minutes.
• Verify that the board of directors reviews the company's long-term strategic and business plans.

LIX. Control

A compensation committee of the board of directors has been established to:
• Review and approve executive compensation.
• Administer and make recommendations on incentive and equity compensation plans.
• Produce an executive compensation report as required by the SEC.

Inspection Test

• Obtain the compensation committee charter.
• Verify that the charter grants the committee authority to:
− Review and approve executive compensation.
− Administer and make recommendations on incentive and equity compensation plans.
− Produce an executive compensation report as required by the SEC.
• Verify that the compensation committee performs the duties listed above.

LX. Control

The board of directors adopted corporate governance guidelines to assist it in executing its responsibilities under law and NYSE regulations.

Inspection Test

• Obtain the corporate governance guidelines.
• Verify that the guidelines cover board qualifications, director responsibilities, functioning of the board and board committees.

LXI. Control

An entity-level survey is conducted annually, focusing on the control environment, risk assessment, information and communication, and monitoring areas of COSO. The survey is conducted anonymously to employees at all levels and from locations worldwide. Management reviews the results and produces a report.

Inspection Test

• Obtain the results of the latest entity-level survey.
• Verify that the survey covers all COSO components.
• Verify that the results of the survey are communicated to senior management.

LXII. Control

The anti-bribery compliance program (ACP) establishes an FCPA steering committee that is responsible for administering and enforcing the ACP. Agents acting on behalf of Company XYZ are vetted by the FCPA steering committee. In addition to approving agents, the FCPA committee addresses other issues raised.

Inspection Test

• Obtain FCPA steering committee minutes.
• Verify that meetings are conducted quarterly related to the company's compliance with the FCPA and other anti-bribery laws.

LXIII. Control

Management has established an internal control steering committee to monitor and report on the company's system of internal control.

Inspection Test

• Select a sample of X ICSC meetings.
• Obtain minutes/agenda from the meetings.
• Verify that control deficiencies are discussed.

LXIV. Control

The board of directors established a nominating and corporate governance
committee to:
• Identify potential board of directors members.
• Recommend candidates to fill board of directors vacancies.
• Recommend committee assignments.
• Monitor the performance of the board of directors, individual directors and
senior management.
• Review board of directors' compensation.
• Develop corporate governance policies and procedures.
• Meet several times per year.

Inspection Test

• Obtain the minutes of the nominating and corporate governance
committee.
• Verify that the committee addresses the responsibilities listed in its
charter.

LXV. Control

A SOX project management office (SOX PMO) has been established to
direct and monitor Section 404 compliance. The SOX PMO is responsible for
maintaining documentation, testing and reporting on the system of internal
control.

Inspection Test

• Obtain documentation showing the planning of Section 404 compliance
efforts.
• Verify that management is monitoring the design and operating
effectiveness of controls and managing remediation.

LXVI. Control

The board of directors adopted the code of conduct in (Insert Year) and has
signed acknowledgments.

Inspection Test

• Obtain the signed code acknowledgments from all current board of
directors members.

LXVII. Control

The legal department maintains a list of all approved marketing/operations
agents. Corporate accounting performs a quarterly analysis of accruals and
payments made to agents. The accountant requests roll-forward statements
from each base containing current accruals and cash payments. The
accountant creates a schedule of accruals and payments made to agents
and reconciles the list of agents to the approved list of agents. If there are
any that do not reconcile, the legal department is contacted to resolve the
discrepancy. The accountant then sends the schedule to the CAO, corporate
controller and legal department.

Inspection Test

• Obtain a quarterly roll-forward schedule of agency fees paid.


• Verify that accounting prepares a schedule of agency accruals and fees
paid.
• Verify that agents paid are reconciled to the approved list provided by the
legal department.

ENTITY-LEVEL CONTROLS AUDIT WORK PROGRAM:
SAMPLE 2

PURPOSE
The (Company) SOX 404 project has primarily been focused on process-level controls. However, part of the SOX
404 assessment and testing involves an evaluation of the entity-level controls that have a pervasive effect on the
organization. Entity-level controls are grouped into five components: control environment, risk assessment,
information and communication, control activities and monitoring activities. We conducted an initial survey related
to overall entity-level controls during the fall of (Insert Year) and no significant issues were noted. We will need to
evidence these controls and test how they are operating during (Insert Year).

In connection with the entity-level controls, the PCAOB indicated that specific attention should be placed on a
company’s anti-fraud program and controls. The guidance that is likely to be used here by the public accounting
firms is SAS 99.

The auditors will likely evaluate controls specifically intended to address the risks of fraud that have a likelihood of
having a material effect on the financial statements. Part of management’s responsibility when designing a
company’s internal controls over financial reporting is to design and implement programs and controls to prevent,
deter and detect fraud. After identifying significant accounts, relevant assertions and significant processes, the
auditor will likely evaluate the points at which errors or fraud could occur.

Management’s documentation should include two things related to fraud:

• Sufficient information about the flow of transactions to identify the points at which material misstatements due
to error or fraud could occur
• Identification of the controls implemented to prevent or detect fraud and address these potential
misstatements, including who performs the controls and the related segregation of duties (The majority of
these should have already been tested as part of our process-level control testing.)

The internal auditor’s guidance, “Evaluating Internal Controls,” indicates that the above areas are a logical place
to begin the review. As a result, we need to get this work completed no later than [Insert Date], [Insert Year].

ENTITY-LEVEL CONTROL WORK PLAN

The tone at the top is one of the most crucial elements of entity-level controls. These controls establish the overall
framework and guidelines within which the process-level controls operate. It is very difficult for process controls to
be considered effective if entity-level controls are not in place and functioning properly. There are five interrelated
components to consider:

Control Environment
There are seven subcomponents of the control environment:
• Integrity and ethical values
• Commitment to competence and development of people
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resources policies and procedures
• Participation by those charged with governance

When evaluating the control environment, we will also address anti-fraud programs and the effectiveness of the
audit committee. Anti-fraud programs and controls are related to the prevention, deterrence and detection of
fraud. During an assessment of internal controls over financial reporting, the focus of management’s assessment
should include those programs and controls that are intended to mitigate the risk of fraudulent actions that could
have an impact on financial reporting.

For example, fraud might include:

• Fraudulent Financial Reporting: Inappropriate earnings management or “cooking the books” (e.g., improper
revenue recognition, intentional overstatement of assets or understatement of liabilities, etc.)
• Misappropriation of Assets: Embezzlement and theft
• Expenditures and Liabilities Incurred for Improper or Illegal Purposes: Bribery and influence payments
that can result in reputation loss
• Fraudulently Obtained Revenue and Assets and/or Avoidance of Costs and Expenses: Scams and tax
fraud that can result in reputation loss

The key elements of an anti-fraud program, which we will be evaluating in the entity-level control environment,
include:
• A culture of honesty and ethics committed to doing the right things as well as doing things right
• Evaluation of fraud risks and implementation of appropriate controls to mitigate these risks
• Development of an appropriate oversight process

When evaluating the effectiveness of an audit committee, the following should be considered:
• Independence of committee members
• Defined roles and responsibilities
• Level of involvement with internal/external auditor and management
• Compliance
• Financial expertise

Examples of items we will be testing (mostly through inspection and observation) include:
• Board of directors minutes
• HR policies and procedures, including job descriptions
• Employee files and listings
• Employee turnover statistics
• Reports and organizational charts

Workplan Questions
General Policies:
• Review the policies for annual approval by the ethics advisory panel and BOD.
• Confirm that management has a process to confirm that employees are aware of the code of ethics (i.e.,
employee signature, training, availability for review, etc.).
• Verify that the code of ethics applies to the entire company, including geographic locations (international and
domestic).
• Request evidence that management performs alternative procedures (e.g., test user controls, test controls at
service organizations or request the service organization auditor to perform agreed-upon procedures) to
address the internal controls performed by the service organization supporting the relevant information
processing objectives.

HR Policies:
• Review reported incidents of conflict-of-interest situations and how they were resolved.
• Review signatures of employees signing off on areas related to personal investments, affiliations, business
gifts and confidential information. Identify how the company ensures that there is no conflict of interest in these
areas (i.e., review periodic written reports).
• Review resolution of incidents of reported conflict-of-interest areas.
• Review approval by CEO and general counsel of advisory board participants. Review the backgrounds of
board members and identify if they have financial expertise.
• Review the action hotline reports. Call the hotline X-XXX-XXX-XXXX and ensure that someone answers and
takes appropriate steps to document complaints. Obtain evidence that personnel who investigate the reports take
appropriate actions.
• Identify the process for investigating complaints, including determining which complaints will be investigated by
management and which complaints will be investigated by the audit committee and/or its advisors.
• If policy changes are required, identify how they are created and communicated to employees and supervisors.
• Review the process for reviewing employee expenses. Sample reports for supervisor approval. If there are
exceptions, what evidence is documented for the reason?
• Review the records from which loans have been made and ensure that they fit within the stated exceptions.
(This policy is from 1982. Does it need to be updated, if nothing else, the date?)
• Verify if the vice president of finance and administration has approved the books and records of the company.
Review any questionable entries and the steps that were made to verify evidence for the entry. (This policy is
from 1982. Does it need to be updated, if nothing else, the date?)
• Verify if the treasurer (and vice presidents of finance) have approved all bank accounts of the company. (This
policy is from 1982. Halfway through the policy, the date changes to 1996. It should be updated to reflect one
current date for the entire policy.)
• Review the internal audit plan and ensure that it includes an assessment of risk for both the annual audit plan
as well as individual audits. Ensure that the assessment addresses fraud risk at companywide, business-unit
and significant account levels.
• Verify if the annual audit plan has been approved by the audit committee. (This policy is from 1982, 1989 and
1990. Does it need to be updated, if nothing else, the date?)
• Ensure that audit committee members have the financial expertise to allow them the knowledge to make sound
decisions for the company.
• Ensure that personnel are aware of internal control policies that promote operational efficiency, safeguard
assets and ensure the reliability of financial information. Review transactions to ensure that they have been
authorized and properly recorded. (This policy is from 1982. Does it need to be updated, if nothing else, the
date?)
• Ensure that key management personnel, to whom significant responsibility has been delegated in these areas,
have the necessary skills and experience.
• Review minutes from meetings.
• Do they do background checks – and do we need to review controls?
• Do we cover the review of nonroutine transactions by the audit committee/management?

Business Conduct Policies:

• Identify how the core values and beliefs are distributed to personnel, how are they updated and who creates
them (CEO signature).
• Identify how supervisors, management, VPs and the business ethics resources center document and handle
reported concerns.

• Call the action hotline and see how the representative handles situations. Ensure that the hotline is working
and is available.
• Review the code of business conduct and a sample of signoffs from employees stating their understanding.
• Review the ethics and compliance organizational structure chart and ensure that it’s current.
• Review the prohibiting insider trading policy and a sample of signoffs showing employee understanding.
• Review the prohibiting insider trading policy and identify how possible violations are handled.
• Review annual certification of the policy prohibiting insider trading for appropriate signatures.
• Review the securities trading policy request form for appropriate signatures.
• Determine how accessible all the business conduct policies are to employees.
• Determine what is done with the employee internal survey. Determine what actions are taken for items with a
high unfavorable percentage.
• Ask if the policy covers FERC rules around a regulated pipeline. Interview personnel to ensure that they are
familiar, understand and comply with the regulation.

Corporate Governance:
• Ensure that directors are independent.
• Ensure that directors meet the board membership criteria.
• Ensure that each of the board committees, including the audit committee, compensation committee, executive
committee, finance committee, and nominating and governance committee, have knowledgeable personnel on
board and are aware of roles and responsibilities.
• Review the audit committee charter.
• Review the compensation committee charter.
• Review the executive committee charter.
• Review the finance committee charter.
• Review the nominating and governance committee charter.
• Review the code of ethics for senior officer signature pages.
• Ensure that the company complies with NYSE standards.
• Ensure that the by-laws of the company are met.

Risk Assessment
The subcomponents for the risk assessment include:
• Business Risk Assessment
• Inherent Risks
• Fraud Risks

After reviewing the results of the (Insert Year) entity-level control survey, we will perform an updated (Insert Year)
entity-level control survey. This will include:
• Updating questions as appropriate
• Ensuring that the survey system is ready to go
• Selecting employees to be surveyed
• Selecting periods to conduct surveys
• Updating letters for Person X to send
• Executing surveys

• Reviewing survey results

We will also conduct an overall fraud risk assessment, which will include:
• Identifying and documenting the most likely scenarios that the company might face related to the four likely
areas of fraud noted above (The internal auditor has some examples and templates to help get this process
started.)
• Identifying the controls in place at an entity- and process-level that help mitigate the potential for fraud
• Identifying any potential gaps in controls that need remediation
This process will likely involve interviews with the controllers and BU presidents.

Examples of items we will be testing (mostly through inspection and observation) include:
• Company goals/objectives and associated risks
• Reports submitted to and reviewed by the BOD and audit committee
• Risk assessments
• Committee minutes

Workplan Questions:
• Review the internal audit plan and ensure that it includes an assessment of risk for both the annual audit plan
as well as individual audits. Ensure that the assessment addresses fraud risk at the companywide, business-
unit and significant account levels.
• Identify documented fraud risk assessment policies and procedures (including management-identified potential
schemes and scenarios).
• Ensure that the board of directors and audit committee members have the financial expertise to allow them the
knowledge to make sound decisions for the company.
• Anti-fraud questions (We will need to interview management to discuss scenarios):
− Interview senior-level management (controller and chief operating officer for each BU).
− Discuss likely scenarios for fraud.
− Identify scenarios and link scenarios to controls.
− Identify common scenarios for potential financial statement fraud.
− Identify key controls and if they are currently being tested.

Information and Communication

The following methods should be considered:
• Accounting systems
• Policy manuals
• Management’s reports
• Newsletters
• Accounting policy updates
• Technical updates
• Staff meetings
• Training

Examples of items we will be testing (mostly through inspection and observation) include:
• A financial reporting procedures manual

• Accounting policies and procedures
• Organizational charts and structures
• Company policies and procedures related to the distribution of information (verbal and electronic)

Workplan Questions:
• Review the company investment policy as it relates to its objectives, portfolio strategies, constraints,
investment vehicles, safekeeping, maturities and exceptions clause. (There is no date on this policy.)
• Review the operational intercompany policy.
• Review a sample of affiliate billing disputes and ensure that they are resolved timely and that adjustments are
documented.
• Review affiliate operational transactions and ensure that contracts are executed.
• Anti-Trust Compliance Manual (Insert Date): Identify how the anti-trust policy is distributed, how updates are
communicated, etc.

Business Conduct Policies:

• FERC Compliance Plan: Review the background of the FERC compliance officer.
• FERC Compliance Plan and Standards of Conduct Compliance Policy: Review the background of the
internal audit director and chief compliance officer.
• Access Control Policy: Review employee signoffs of the policy.
• IT Asset Procurement Policy: Review the business reason and approved procurement requests for devices
covered by the policy.
• Reporting Lost or Stolen IT Assets Policy: Review management’s responsibilities to report lost or stolen
company-owned IT assets to asset management.
• Inventory Control Agent Installation Policy: Ensure that inventory control agents/tags are located on
company-owned assets and that employees are aware not to remove these agents.
• Acceptable Use Policy: Review employee signoff of the policy.
• Password Policy: Review employee signoff of the policy and perform a “walk-through” of work areas to
ensure that passwords are not in view (i.e., posted to a PC, etc.). (Password standards are tested through IT
testing.)
• Enterprise Records Retention Policy: Review the records management program and the records retention
policy and take a sample by which to test if records are properly stored.
• Review retention schedules for proper levels of management approval.
• Review the approval of enterprise records for imaging records.
• Review document destruction records for the records manager, legal department and other approvers to be
listed.
• Cover updates in accounting standards/rules.
• Review newsletter and general employee communication.
• Review the frequency of staffing meetings/town halls etc.
• Review training/technical updates (e.g., from FERC or industry groups).
• Review training for anti-fraud.

Control Activities
The most common control activities performed include:
• Top-level reviews

• Direct functional or activity management
• Information processing
• Safeguarding of assets/physical controls
• Performance indicators
• Segregation of duties

Examples of items we will be testing (mostly through inspection and observation) include:
• Organizational charts and structures indicating lines of reporting as it relates to financial reporting
• Identified deficiencies, their impacts and resolutions
• Policies and procedures for how information is processed (BPO impacts this)
• Policies, procedures and job responsibilities to ensure segregation of duties

Workplan Questions:
• Ensure that approvals by the board, CEO, senior vice president, officers, directors, and managers are within
predetermined limits for financing commitments, commercial and operating commitments, purchase
requisitions and purchase orders, disbursements, tax payments, settlements and claims, and write-down
assets or setup reserves.
• Review the below questions for the U.S. and Europe authority limitations policy.
• Identify how the head of the relevant business unit notifies the CRO of individuals authorized to trade and
originate transactions on behalf of the company.
• Identify how violations are handled and how questions are documented related to the legality of a transaction.
• Review employee signoff of the policy, including signoffs by the risk management committee, risk control, chief
risk officer, legislative risk/contract management and credit risk management.
• Ensure that only commodities authorized to trade are being traded. (Testing vs. Entity-Level).
• Identify if/when limits were exceeded and if the proper personnel were notified, including the CEO, CFO, CAO,
senior vice president of the company and CFO of the company.
• Ensure that the appropriate level of management has approved transactions within the preset authority term
limits.
• Review signatures of the anti-trust compliance manual acknowledgment form.
• Review segregation of duties matrices that are being produced and the process to maintain them.
• Discuss physical security with the company security group - both assets and buildings.
• Determine what type of performance indicators top management receives and what actions are taken.

Monitoring
The following are subcomponents for monitoring:
• Ongoing monitoring
• Separate evaluations/periodic monitoring
• Reporting deficiencies

Examples of items we will be testing (mostly through inspection and observation) include:
• Internal audit reports and work papers
• Self-assessments

Workplan Questions:
• Review internal audit reports and work papers.
• Review self-assessments and the resolution of any issues.
• Determine whether internal or external auditor recommendations are acted upon.
• Obtain evidence of whether external consulting assessments are performed and the results are acted upon.

To effectively test each of the five areas, we will:

• Discuss the approach with the internal auditor.
• Gather evidence of key policies, hotlines, procedures and other documents as necessary that set the
framework for the entity-level controls. This will likely involve corporate, legal, HR, internal audit, ethics, tax
and other select corporatewide functions of the company.
• Obtain evidence that these controls are functioning:
− This may involve some interviews with senior executives and audit committee members over their review
and approval of various items throughout the year.
− Document processes, key controls and test results in a manner consistent with the current SOX
documentation approach.
• (We’re not performing the survey.) Inventory the elements of the anti-fraud program currently in place and
under development.
• Either test the identified controls or link to the test of key controls already being conducted.
• Perform remediation in any areas where compensating controls are not sufficient.
• Discuss results with the PMO, steering committee and internal auditor.

APPENDIX: ENTITY-LEVEL DOCUMENTATION REQUEST CHECKLIST

No. Document Name Source Received Notes

1 Code of Conduct

2 Code of Conduct Acknowledgements

3 By-Laws

4 Proxy Statement

5 SEC Comment Letters

6 Management Letters

7 Corporate Governance Policies

8 Bios of Committee Members

9 Passed Adjustments

10 Business Plans

11 Management Operating Reports

12 2004 Corporate Budget

13 2004 Risk Assessment

14 Anti-Fraud Risk Assessment

15 Anti-Fraud Programs

16 Audit Committee Charter

17 Audit Committee Meeting Minutes

18 Audit Committee Agenda/Schedule

19 Internal Audit Charter

20 Internal Audit Job Descriptions

21 Internal Audit Organizational Chart

22 Internal Audit Training Program

23 2004 Internal Audit Plan

24 Other Committee Charters

25 Organizational Chart

26 Subsidiary Structure

27 Significant Relationship Monitoring

28 Accounting Procedures

29 Corporate Purchasing Policies

30 Purchasing Chart of Authority

31 Expenditure Chart of Authority

32 Vendor Relationship Guidelines

33 New-Employee Orientation Materials

34 Human Resources Policies

35 Hiring Policies

36 Job Descriptions

37 Background Check Procedures

38 Employee Discipline Policies

39 Training Programs

40 Employee Evaluation Policies

41 Incentive Compensation Plans

42 Employee Retention Procedures

43 Ethics Hotline Procedures/Analysis

44 Mission and Value Statements

45 Critical System List

46 Strategic IT Plan

47 IT Organization Chart

48 Report Change Request Monitoring

49 Financial Systems Monitoring
