3.2. Entity-Level Controls

3.2.1. APPLYING THE TOP-DOWN, RISK-BASED APPROACH

When determining which entity-level controls should be evaluated, it will help to consider whether the control has a direct or an indirect effect on the financial statements.

For example, corporate culture—the tone at the top—is an entity-level control that spans the entire organization. Management's attitude toward financial reporting will affect the way in which other controls operate. If management conveys the message that financial reporting is a necessary evil and that internal control does not matter, then the operating effectiveness of controls will erode. Chapter 2 described internal control as people driven, and if the people performing control procedures are told (implicitly or explicitly) that those control procedures are not that important, they won't perform them very diligently.

Culture is important because it enables the performance of other internal control procedures, but culture does not have a direct impact on the financial statements. By itself, management's high integrity and ethical values cannot prevent or detect misstatements with any degree of reliability.

The monitoring component of internal control also is an entity-level control. Suppose that management regularly reviews key performance indicators and investigates any anomalies. That monitoring procedure may operate at a level of precision that would allow management to detect a material error in the financial statements. ...

Get How to Comply With Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.