Entity Level Controls
Entity-level, or “tone-at-the-top,” controls define an organization’s corporate culture. They establish guidelines for an organization’s governance, financial analysis and integrity, and adherence to applicable laws and professional standards. They set forth an organization’s values and, through policies and procedures, clarify the desired behavior of the organization’s employees, management team, and board members.
Entity-level controls are sometimes categorized as “soft” controls because they relate to feelings, opinions, and other non-quantifiable human characteristics. However, in this case, soft means powerful. Entity-level controls establish the foundation from which all other controls emanate because they address the behavior and attitudes of the most powerful people within the organization – the executive team and Board of Directors.
Accountability from Executives and Directors
No matter what they think or believe, executives always set the tone of the company. Entity-level controls help to ensure that tone is an appropriate one, and in the best interest of the company and its shareholders. Several of these controls are designed to increase the C-suite’s accountability to the company’s Board of Directors. Others are designed to ensure the Board of Directors – both individually and as a group – maintains the level of independence so critical to a healthy company.
Governance of the Organization
These entity-level controls ensure an organization’s executives and Board of Directors identify, agree upon, and document guiding principles (or organizational values) and the desired behavior of employees to support those principles. They define consistent, standardized policies and procedures for all people in the organization, related to how employees are hired, trained, or terminated; how the board governs the executive management team; and how board independence and financial accountability are maintained. These controls also dictate how employee feedback is accepted and incorporated, such as through surveys, feedback review policies, and whistleblower policies.
Examples of documentation and activities that support these controls include:
• Mission, vision, or values statement
• Code of Ethics
• Employee handbook
• Board of Directors Policies and Procedures
• New hire and termination checklist
• Performance review policies
Financial Analysis and Integrity
Entity-level controls in this area will determine how often the organization compares budgeted vs. actual costs; when
Examples of documentation and activities that support these controls include:
• Finance department policies and procedures
• Attestations
• Executive Compensation or Bonus Structure
Adherence to Applicable Laws and Legislation
Controls in this area help an organization meet its compliance requirements. For example, an organization should have a control requiring legal counsel to update management on changing legislation; a control discussing who within the organization takes responsibility for compliance; and a control around the procedures required for a review of internal controls over financial reporting.
Examples of documentation and activities that relate to these controls include:
• Whistleblower policies and hotline
• Annual review of internal controls over financial reporting
• Compliance training
• Existence of an internal audit department that reports to audit committee
Monitor for Effectiveness
Entity-level controls relate to “soft” issues like trust, competence, integrity, and ethics. But that doesn’t mean these controls cannot be monitored and measured for effectiveness.
For example, if your company requires that a code of conduct be distributed to every new employee, be sure to collect an acknowledgement or attestation form that confirms each new employee has received and understands the code of conduct policies. Quarterly, test a sample of these attestation forms to ensure the policy is being followed. You can follow a similar approach with controls around new-hire training, performance reviews, and Board independence surveys.
Controls around executive compensation, such as one ensuring that corporate goals and objectives are not tied so closely to financial metrics that they present a fraud risk, can be tested by reviewing aggregate compensation totals, including salaries, stock, bonuses, and other perks.
Tone at the Top Matters to Business Performance
Entity-level controls, like other internal controls over financial reporting, have procedural aspects designed to help determine their effectiveness. The outputs of the procedures, after being reviewed and tested for adherence to the control concepts, provide the basis for mitigating business risks. This overall system of risk identification and control adaptation ensures a company can achieve its strategic business objectives while acting within the ethical, legal, and regulatory boundaries established for its industry and organization type.
The best