6.1. OVERALL OBJECTIVE OF TESTING ENTITY-LEVEL CONTROLS

The testing of internal control is required to support management's assertion about its effectiveness. The independent auditors will rely, in part, on this test work to reach their conclusions about management's assertion. To be effective, management's tests should have:

  • Clearly stated objectives

  • A design that is appropriate to achieve those objectives

  • A scope that is appropriate given the level of risk related to the control. (See Chapter 1 for a further discussion of the risk-based, top-down approach.)

6.1.1. Relationship between Entity-Level and Application-Level Controls

As described in Chapter 2, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework describes controls as existing at two different levels: the general, entity-wide level and the specific, application level. In order to plan and perform tests of entity-level controls, it is important to remember how these controls are fundamentally different from activity-level controls. Consider the next analogy.

Suppose that the citizens of Anytown wish to build a new school. The objective of building the new school is to educate the children of the community. In order to achieve that objective, certain elements must be in place: Good teachers must be hired; books, computers, and other resources must be acquired; and so on. All of these elements will have a direct effect on the quality of the children's education. At the end of his or her ...

Get How to Comply With Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.