Table of Contents
ENTITY-LEVEL CONTROLS AUDIT WORK PROGRAM: SAMPLE 1
ENTITY-LEVEL CONTROLS AUDIT WORK PROGRAM: SAMPLE 2
APPENDIX: ENTITY-LEVEL DOCUMENTATION REQUEST CHECKLIST
Source: www.knowledgeleader.com
ENTITY-LEVEL CONTROLS AUDIT WORK PROGRAM:
SAMPLE 1
Planning
Fieldwork
AUDIT OBJECTIVES
The objective of this audit work program is to evaluate the entity-level controls in an organization. The work
program specifically focuses on entity-level topics such as:
• Control Environment
− Integrity and ethical values
− Management commitment to competence
− An effective board of directors
− Management's philosophy and operating style
− Organizational structure
− Assignment of authority and responsibility
− Organization around the human resources department
• Risk Assessment
− Entity-level objectives
− Process-level objectives
− Risk identification and analysis
− Managing change
• Information and Communication
− Quality of information
− Effectiveness of communication
• Control Activities
− Process controls
• Monitoring
− Ongoing monitoring activities
− Evaluation of internal control system
− Reporting deficiencies
Time Project Work Step Initial Index
I. Control
The code of business conduct and ethical practices exists at all Company
XYZ locations, is distributed to all employees, and is available on the
company's public internet site.
Inspection Test
II. Control
Inspection Test
• Inspect the training materials from the (Insert Year) ethics and compliance
training events.
• Ensure that the curriculum includes appropriate attention to integrity and
ethical values.
• Verify that attendance is maintained and monitored.
III. Control
Inspection Test
IV. Control
Inspection Test
V. Control
Policies and procedures for the handling of ethics complaints exist and are
enforced. The company has established procedures for the confidential,
anonymous submission of concerns by employees about questionable
accounting or auditing matters. A process exists for thoroughly investigating
complaints, including determining which complaints will be investigated by
management and which complaints will be investigated by the audit
committee or its advisors.
Inspection Test
VI. Control
Inspection Test
VII. Control
Inspection Test
VIII. Control
Inspection Test
IX. Control
Inspection Test
X. Control
Inspection Test
XI. Control
Inspection Test
XII. Control
Inspection Test
XIII. Control
Inspection Test
XIV. Control
Inspection Test
XV. Control
The audit committee has at least one financial expert as required by SEC
rules and the audit committee charter.
Inspection Test
XVI. Control
The audit committee meets regularly with external and internal auditors. The
board of directors and audit committee review significant accounting changes
quarterly at meetings with management and the external auditors.
Inspection Test
XVII. Control
The audit committee queries both management and the external auditors
regarding knowledge of any fraud. When allegations of fraud are made, the
audit committee is involved in the investigation.
Inspection Test
XVIII. Control
Inspection Test
XIX. Control
Inspection Test
XX. Control
Inspection Test
XXI. Control
Inspection Test
XXII. Control
Inspection Test
XXIII. Control
Financial personnel are reviewed and trained to keep pace with the growth and
complexity of the business. Finance managers attend an annual conference,
which covers new policies, initiatives and accounting guidance. Training and
performance goals are discussed as part of the new performance
management system for key employees. Key employees are evaluated
annually in the performance management system.
Inspection Test
XXIV. Control
Inspection Test
XXV. Control
Executives are held to the same code of conduct as all employees and are
required to acknowledge their understanding of the code.
Inspection Test
XXVI. Control
Inspection Test
XXVII. Control
Inspection Test
XXVIII. Control
Inspection Test
XXIX. Control
An ethics hotline is established and employees are aware it exists and know
how to use it. A hotline is designed for the confidential submission of
accounting and ethical concerns. Methods for reporting ethical concerns
have been established, as allowed by law. All employees have the following
methods available to them: directly reporting to the supervisor, a letter to the
audit committee or general counsel, and anonymous reporting via internet or
phone. When reports are received, they are handled according to the audit
committee policy on the handling of accounting and audit-related complaints.
Inspection Test
• Verify that an ethics hotline has been established for the confidential
submission of ethical complaints.
• Verify that the various methods of accessing the hotline (web, phone, in
writing) have been communicated to employees.
XXX. Control
Inspection Test
XXXI. Control
Inspection Test
XXXII. Control
A background check is run for all employees before they are hired.
Background checks can include criminal record checks, reference checks,
visa verification, employment or education verification, or a combination
of these.
Inspection Test
prior to employment.
XXXIII. Control
Inspection Test
XXXIV. Control
The mission statement and quality policy statement are clearly stated on the
corporate homepage of the Company XYZ website.
Inspection Test
XXXV. Control
Inspection Test
XXXVI. Control
Inspection Test
XXXVII. Control
Inspection Test
XXXVIII. Control
Processes to identify changes in GAAP and regulatory issues exist and are
utilized.
Inspection Test
• Obtain Section 404 testing and verify that there is a process in place to
identify GAAP and regulatory changes and communicate those changes.
• Document any other methods for communicating accounting guidance
(e.g., training, conference calls, etc.) throughout the company.
XXXIX. Control
Inspection Test
XL. Control
Inspection Test
XLI. Control
Inspection Test
XLII. Control
Inspection Test
XLIII. Control
Inspection Test
• Obtain the results of the entity-level survey and verify that employees
report an acceptable level of coordination between the IT and accounting
departments.
• Obtain IT steering committee agendas and verify that accounting is
represented.
• Obtain organization charts and verify that individuals are identified in the
accounting department who consult with IT.
XLIV. Control
Inspection Test
XLV. Control
Any changes made to the IT system are authorized and in line with the
business objectives. A system change control policy is in place.
Inspection Test
XLVI. Control
Disclosure matrix details all activities completed for the 10-K and the person
responsible for each activity.
Inspection Test
XLVII. Control
Inspection Test
XLVIII. Control
Inspection Test
XLIX. Control
Inspection Test
• Obtain the internal audit charter and verify that the IA director reports
functionally to the audit committee.
• Obtain organization charts and verify that the internal audit department is
independent of the activities it audits.
L. Control
Inspection Test
• Obtain the internal audit plan of audits for (Insert Time Period).
• Obtain reports issued from those audits.
• Verify that the reports contain action items and management responses.
LI. Control
Inspection Test
LII. Control
Inspection Test
LIII. Control
The internal audit department has a plan of audits and also conducts special
audits when issues arise.
Inspection Test
LIV. Control
Inspection Test
LV. Control
Inspection Test
LVI. Control
Inspection Test
LVII. Control
Officer and key manager meetings are held quarterly. Topics covered include
updates from all functional leaders, business developments and initiatives,
financials, and business updates from the various divisions.
Inspection Test
LVIII. Control
Inspection Test
LIX. Control
Inspection Test
LX. Control
Inspection Test
LXI. Control
Inspection Test
LXII. Control
Inspection Test
LXIII. Control
Inspection Test
LXIV. Control
Inspection Test
LXV. Control
Inspection Test
LXVI. Control
The board of directors adopted the code of conduct in (Insert Year) and has
signed acknowledgments.
Inspection Test
LXVII. Control
Inspection Test
ENTITY-LEVEL CONTROLS AUDIT WORK PROGRAM:
SAMPLE 2
PURPOSE
The (Company) SOX 404 project has primarily been focused on process-level controls. However, part of the SOX
404 assessment and testing involves an evaluation of the entity-level controls that have a pervasive effect on the
organization. Entity-level controls are grouped into five components: control environment, risk assessment,
information and communication, control activities and monitoring activities. We conducted an initial survey related
to overall entity-level controls during the fall of (Insert Year) and no significant issues were noted. We will need to
evidence these controls and test how they are operating during (Insert Year).
In connection with the entity-level controls, the PCAOB indicated that specific attention should be placed on a
company’s anti-fraud program and controls. The guidance that is likely to be used here by the public accounting
firms is SAS 99.
The auditors will likely evaluate controls specifically intended to address the risks of fraud that have a likelihood of
having a material effect on the financial statements. Part of management’s responsibility when designing a
company’s internal controls over financial reporting is to design and implement programs and controls to prevent,
deter and detect fraud. After identifying significant accounts, relevant assertions and significant processes, the
auditor will likely evaluate the points at which errors or fraud could occur.
The internal auditor's guidance, "Evaluating Internal Controls," indicates that the above areas are a logical place
to begin the review. As a result, we need to get this work completed no later than [Insert Date], [Insert Year].
Control Environment
There are seven subcomponents of the control environment:
• Integrity and ethical values
• Commitment to competence and development of people
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resources policies and procedures
• Participation by those charged with governance
When evaluating the control environment, we will also address anti-fraud programs and the effectiveness of the
audit committee. Anti-fraud programs and controls are related to the prevention, deterrence and detection of
fraud. During an assessment of internal controls over financial reporting, the focus of management’s assessment
should include those programs and controls that are intended to mitigate the risk of fraudulent actions that could
have an impact on financial reporting.
The key elements of an anti-fraud program, which we will be evaluating in the entity-level control environment,
include:
• A culture of honesty and ethics committed to doing the right things as well as doing things right
• Evaluation of fraud risks and implementation of appropriate controls to mitigate these risks
• Development of an appropriate oversight process
When evaluating the effectiveness of an audit committee, the following should be considered:
• Independence of committee members
• Defined roles and responsibilities
• Level of involvement with internal/external auditor and management
• Compliance
• Financial expertise
Examples of items we will be testing (mostly through inspection and observation) include:
• Board of directors minutes
• HR policies and procedures, including job descriptions
• Employee files and listings
• Employee turnover statistics
• Reports and organizational charts
Workplan Questions
General Policies:
• Review the policies for annual approval by the ethics advisory panel and BOD.
• Confirm that management has a process to confirm that employees are aware of the code of ethics (i.e.,
employee signature, training, availability for review, etc.).
• Verify that the code of ethics applies to the entire company, including geographic locations (international and
domestic).
• Request evidence that management performs alternative procedures (e.g., test user controls, test controls at
service organizations or request the service organization auditor to perform agreed-upon procedures) to
address the internal controls performed by the service organization supporting the relevant information
processing objectives.
HR Policies:
• Review reported incidents of conflict-of-interest situations and how they were resolved.
• Review signatures of employees signing off on areas related to personal investments, affiliations, business
gifts and confidential information. Identify how the company ensures that there is no conflict of interest in these
areas (i.e., review periodic written reports).
• Review resolution of incidents of reported conflict-of-interest areas.
• Review approval by CEO and general counsel of advisory board participants. Review the backgrounds of
board members and identify if they have financial expertise.
• Review the action hotline reports. Call the hotline X-XXX-XXX-XXXX and ensure that someone answers and
takes appropriate steps to document complaints. Obtain evidence that the personnel who investigate the reports
take appropriate actions.
• Identify the process for investigating complaints, including determining which complaints will be investigated by
management and which complaints will be investigated by the audit committee and/or its advisors.
• If policy changes are required, identify how they are created and communicated to employees and supervisors.
• Review the process for reviewing employee expenses. Sample reports for supervisor approval. If there are
exceptions, what evidence is documented for the reason?
• Review the records from which loans have been made and ensure that they fit within the stated exceptions.
(This policy is from 1982. Does it need to be updated, if nothing else, the date?)
• Verify if the vice president of finance and administration has approved the books and records of the company.
Review any questionable entries and the steps that were made to verify evidence for the entry. (This policy is
from 1982. Does it need to be updated, if nothing else, the date?)
• Verify if the treasurer (and vice presidents of finance) have approved all bank accounts of the company. (This
policy is from 1982. Halfway through the policy, the date changes to 1996. It should be updated to reflect one
current date for the entire policy.)
• Review the internal audit plan and ensure that it includes an assessment of risk for both the annual audit plan
as well as individual audits. Ensure that the assessment addresses fraud risk at companywide, business-unit
and significant account levels.
• Verify if the annual audit plan has been approved by the audit committee. (This policy is from 1982, 1989 and
1990. Does it need to be updated, if nothing else, the date?)
• Ensure that audit committee members have the financial expertise to allow them the knowledge to make sound
decisions for the company.
• Ensure that personnel are aware of internal control policies that promote operational efficiency, safeguard
assets and ensure the reliability of financial information. Review transactions to ensure that they have been
authorized and properly recorded. (This policy is from 1982. Does it need to be updated, if nothing else, the
date?)
• Ensure that key management personnel, to whom significant responsibility has been delegated in these areas,
have the necessary skills and experience.
• Review minutes from meetings.
• Do they do background checks – and do we need to review controls?
• Do we cover the review of nonroutine transactions by the audit committee/management?
• Call the action hotline and see how the representative handles situations. Ensure that the hotline is working
and is available.
• Review the code of business conduct and a sample of signoffs from employees stating their understanding.
• Review the ethics and compliance organizational structure chart and ensure that it’s current.
• Review the prohibiting insider trading policy and a sample of signoffs showing employee understanding.
• Review the prohibiting insider trading policy and identify how possible violations are handled.
• Review annual certification of the policy prohibiting insider trading for appropriate signatures.
• Review the securities trading policy request form for appropriate signatures.
• Determine how accessible all the business conduct policies are to employees.
• Determine what is done with the employee internal survey. Determine what actions are taken for items with a
high unfavorable percentage.
• Ask if the policy covers FERC rules around a regulated pipeline. Interview personnel to ensure that they are
familiar with, understand and comply with the regulation.
Corporate Governance:
• Ensure that directors are independent.
• Ensure that directors meet the board membership criteria.
• Ensure that each of the board committees, including the audit committee, compensation committee, executive
committee, finance committee, and nominating and governance committee, have knowledgeable personnel on
board and are aware of roles and responsibilities.
• Review the audit committee charter.
• Review the compensation committee charter.
• Review the executive committee charter.
• Review the finance committee charter.
• Review the nominating and governance committee charter.
• Review the code of ethics for senior officer signature pages.
• Ensure that the company complies with NYSE listing standards.
• Ensure that the by-laws of the company are met.
Risk Assessment
The subcomponents for the risk assessment include:
• Business Risk Assessment
• Inherent Risks
• Fraud Risks
After reviewing the results of the (Insert Year) entity-level control survey, we will perform an updated (Insert Year)
entity-level control survey. This will include:
• Updating questions as appropriate
• Ensuring that the survey system is ready to go
• Selecting employees to be surveyed
• Selecting periods to conduct surveys
• Updating letters for Person X to send
• Executing surveys
• Reviewing survey results
We will also conduct an overall fraud risk assessment, which will include:
• Identifying and documenting the most likely scenarios that the company might face related to the four likely
areas of fraud noted above (The internal auditor has some examples and templates to help get this process
started.)
• Identifying the controls in place at an entity- and process-level that help mitigate the potential for fraud
• Identifying any potential gaps in controls that need remediation
This process will likely involve interviews with the controllers and BU presidents.
Examples of items we will be testing (mostly through inspection and observation) include:
• Company goals/objectives and associated risks
• Reports submitted to and reviewed by the BOD and audit committee
• Risk assessments
• Committee minutes
Workplan Questions:
• Review the internal audit plan and ensure that it includes an assessment of risk for both the annual audit plan
as well as individual audits. Ensure that the assessment addresses fraud risk at the companywide, business-
unit and significant account levels.
• Identify documented fraud risk assessment policies and procedures (including management-identified potential
schemes and scenarios).
• Ensure that the board of directors and audit committee members have the financial expertise to allow them the
knowledge to make sound decisions for the company.
• Anti-fraud questions (We will need to interview management to discuss scenarios):
− Interview senior-level management (controller and chief operating officer for each BU).
− Discuss likely scenarios for fraud.
− Identify scenarios and link scenarios to controls.
− Identify common scenarios for potential financial statement fraud.
− Identify key controls and if they are currently being tested.
Information and Communication
Examples of items we will be testing (mostly through inspection and observation) include:
• A financial reporting procedures manual
• Accounting policies and procedures
• Organizational charts and structures
• Company policies and procedures related to the distribution of information (verbal and electronic)
Workplan Questions:
• Review the company investment policy as it relates to its objectives, portfolio strategies, constraints,
investment vehicles, safekeeping, maturities and exceptions clause. (There is no date on this policy.)
• Review the operational intercompany policy.
• Review a sample of affiliate billing disputes and ensure that they are resolved timely and that adjustments are
documented.
• Review affiliate operational transactions and ensure that contracts are executed.
• Anti-Trust Compliance Manual (Insert Date): Identify how the anti-trust policy is distributed, how updates are
communicated, etc.
Control Activities
The most common control activities performed include:
• Top-level reviews
• Direct functional or activity management
• Information processing
• Safeguarding of assets/physical controls
• Performance indicators
• Segregation of duties
Examples of items we will be testing (mostly through inspection and observation) include:
• Organizational charts and structures indicating lines of reporting as it relates to financial reporting
• Identified deficiencies, their impacts and resolutions
• Policies and procedures for how information is processed (BPO impacts this)
• Policies, procedures and job responsibilities to ensure segregation of duties
Workplan Questions:
• Ensure that approvals by the board, CEO, senior vice president, officers, directors, and managers are within
predetermined limits for financing commitments, commercial and operating commitments, purchase
requisitions and purchase orders, disbursements, tax payments, settlements and claims, and asset
write-downs or the establishment of reserves.
• Review the below questions for the U.S. and Europe authority limitations policy.
• Identify how the head of the relevant business unit notifies the CRO of individuals authorized to trade and
originate transactions on behalf of the company.
• Identify how violations are handled and how questions are documented related to the legality of a transaction.
• Review employee signoff of the policy, including signoffs by the risk management committee, risk control, chief
risk officer, legislative risk/contract management and credit risk management.
• Ensure that only commodities authorized to trade are being traded. (Testing vs. Entity-Level).
• Identify if/when limits were exceeded and whether the proper personnel were notified, including the CEO, CFO, CAO,
senior vice president of the company and CFO of the company.
• Ensure that the appropriate level of management has approved transactions within the preset authority term
limits.
• Review signatures of the anti-trust compliance manual acknowledgment form.
• Review segregation of duties matrices that are being produced and the process to maintain them.
• Discuss physical security with the company security group - both assets and buildings.
• Determine what type of performance indicators top management receives and what actions are taken.
Monitoring
The following are subcomponents for monitoring:
• Ongoing monitoring
• Separate evaluations/periodic monitoring
• Reporting deficiencies
Examples of items we will be testing (mostly through inspection and observation) include:
• Internal audit reports and work papers
• Self-assessments
Workplan Questions:
• Review internal audit reports and work papers.
• Review self-assessments and the resolution of any issues.
• Determine whether internal or external auditor recommendations are acted upon.
• Obtain evidence of whether external consulting assessments are performed and the results are acted upon.
APPENDIX: ENTITY-LEVEL DOCUMENTATION REQUEST CHECKLIST
No.  Document Name            Source  Received  Notes
1    Code of Conduct
3    By-Laws
4    Proxy Statement
6    Management Letters
9    Passed Adjustments
10   Business Plans
15   Anti-Fraud Programs
25   Organizational Chart
26   Subsidiary Structure
28   Accounting Procedures
35   Hiring Policies
36   Job Descriptions
39   Training Programs
46   Strategic IT Plan
47   IT Organization Chart