Auditing Entity-Level Controls is the process of evaluating a company’s overall control environment, which includes the policies, procedures, and processes that are used to support financial reporting. The purpose of auditing entity-level controls is to provide assurance that the company has a strong control environment and that it is effectively mitigating risks to financial reporting.
The auditor assesses the design and operating effectiveness of the entity-level controls and documents the audit evidence in the audit working papers. The auditor may also identify any control deficiencies and make recommendations for improvement. Finally, the auditor communicates the results to management and provides assurance that the company has a strong control environment.
The following steps are typically involved in auditing entity-level controls:
- Understanding the company’s control environment
- Evaluating the design of entity-level controls
- Assessing the operating effectiveness of entity-level controls
- Documenting the audit evidence
- Communicating the results to management.
1. Understanding the company’s control environment
Understanding the company’s control environment is the first step in auditing entity-level controls. This involves obtaining an understanding of the company’s policies, procedures, and processes that support financial reporting. The following activities are typically involved in understanding the company’s control environment:
- Reviewing company policies and procedures
- Understanding the company’s business processes
- Assessing the company’s risk management practices
- Evaluating the company’s governance structure
- Understanding the company’s culture and values
- Evaluating the company’s compliance with laws and regulations.
2. Evaluating the design of entity-level controls
Evaluating the design of entity-level controls is the second step in auditing entity-level controls. This involves evaluating the company’s policies, procedures, and processes that support financial reporting to determine if they are appropriately designed to mitigate risks to financial reporting. The following activities are typically involved in evaluating the design of entity-level controls:
- Evaluating the appropriateness of control objectives
- Assessing the design of entity-level controls
- Determining if entity-level controls are comprehensive
- Evaluating the alignment of entity-level controls with the company’s business processes
- Determining if entity-level controls are efficient and effective.
3. Assessing the operating effectiveness of entity-level controls
Assessing the operating effectiveness of entity-level controls is the third step in auditing entity-level controls. This involves evaluating the actual performance of the entity-level controls to determine if they are operating effectively in practice. The following activities are typically involved in assessing the operating effectiveness of entity-level controls:
- Testing entity-level controls
- Evaluating the results of control testing
- Assessing the reliability of the evidence
- Determining the impact of any control deficiencies
- Documenting the audit evidence.
4. Documenting the audit evidence
Documenting the audit evidence is an important aspect of any audit, including an audit of entity-level controls. This involves recording the evidence obtained during the audit in the audit working papers, including the evidence obtained while testing and evaluating the operating effectiveness of entity-level controls. The following activities are typically involved in documenting the audit evidence:
- Recording the evidence in the audit working papers
- Maintaining the audit evidence in a manner that supports the auditor’s conclusions
- Ensuring the audit evidence is complete and accurate
- Storing the audit evidence in a secure and accessible manner
- Keeping the audit evidence for a sufficient period of time.
5. Communicating the results to management
Communicating the results to management is an important aspect of any audit, including an audit of entity-level controls. This involves conveying the results of the audit, including any issues or deficiencies identified, to the company’s management. The following activities are typically involved in communicating the results to management:
- Presenting the audit results to management
- Discussing any issues or deficiencies identified during the audit
- Providing recommendations for improving internal controls
- Obtaining management’s response to the audit findings
- Documenting the communication of audit results.
Check List for Entity Level Controls
- Review the overall IT organization structure.
- Review the IT strategic planning process and its alignment with business strategies.
- Determine whether technology and application strategies and roadmaps exist, and evaluate processes for long-range technical planning.
- Review performance indicators and measurements for IT.
- Review the IT organization’s process for approving and prioritizing new projects.
- Evaluate standards for governing the execution of IT projects and for ensuring the quality of products developed or acquired by the IT organization.
- Ensure that IT security policies exist and provide adequate requirements for the security of the environment.
- Review and evaluate risk-assessment processes in place for the IT organization.
- Review and evaluate policies and processes for assigning ownership of company data, classifying the data, protecting the data in accordance with its classification, and defining the data’s life cycle.
- Ensure that effective processes exist for complying with applicable laws and regulations that affect IT and for maintaining awareness of changes in the regulatory environment.
- Review and evaluate processes for ensuring that end users of the IT environment have the ability to report problems, are appropriately involved in IT decisions, and are satisfied with the services provided by IT.
- Review and evaluate processes for managing third-party services, ensuring that their roles and responsibilities are clearly defined and monitoring their performance.
- Review and evaluate processes for controlling nonemployee logical access.
- Review and evaluate processes for ensuring that the company is in compliance with applicable software licenses.
- Review and evaluate controls over remote access into the company’s network (such as dial-up, VPN, and dedicated external connections).
- Ensure that hiring and termination procedures are clear and comprehensive.
- Review and evaluate policies and procedures for controlling the procurement and movement of hardware.
- Ensure that system configurations are controlled with change management to avoid unnecessary system outages.
- Ensure that media transportation, storage, reuse, and disposal are addressed adequately by company-wide policies and procedures.
- Verify that capacity monitoring and planning are addressed adequately by company policies and procedures.
- Based on the structure of your company’s IT organization and processes, identify and audit other entity-level IT processes.