Company X Sarbanes-Oxley Project FY 2017 Analysis of Internal Control at The Entity Level
The Sarbanes-Oxley Act of 2002 (the Act) makes reporting on internal controls mandatory for SEC registrants.
Section 404 of the Act directs the SEC to adopt rules requiring annual reports of public companies to include an
assessment, as of the end of the fiscal year, of the effectiveness of internal controls and procedures for financial
reporting. While the Company's independent auditors review and assess management's internal controls, they
are not required to report on management's assessment of the effectiveness of internal controls.
A logical place to begin any comprehensive evaluation of internal controls is at the top: entity-level controls that
may have a pervasive effect on the organization. This includes a consideration of factors in each of the five
components of internal control that can have a pervasive effect on the risk of errors or fraud. These five interrelated
components are:
Control Environment
Risk Assessment
Information and Communication
Control Activities
Monitoring
Documenting and evaluating internal control at the entity level does not by itself provide a complete perspective of
internal control of an entity. However, it is an important starting point because the assessment of entity-level
controls, particularly when weaknesses are identified, can have a significant effect on the overall assessment of
the effectiveness of internal controls and procedures for financial reporting.
To evaluate internal control at the entity level, we have listed in this document numerous points to consider for each
of the five components of internal control. These points are not all-inclusive, and not all the points listed here will
apply to every company. Internal and external factors unique to a particular entity may result in companies
developing unique control mechanisms, and these unique factors and control mechanisms may give rise to
additional points to consider. While a "no" response to an individual point does not necessarily mean that the entire
component of internal control at the entity level is ineffective, a "no" response (particularly when there are several
"no" responses) should heighten awareness of potential weaknesses in internal control and indicate areas where
management should focus attention.
Control Environment
The control environment reflects the tone set by top management and the overall attitude, awareness and actions of the board of directors, management, owners, and others concerning the importance of
internal control and the emphasis placed on control in the company's policies, procedures, methods, and organizational structure. It is the foundation for all other components of internal control, providing
discipline and structure.
Does the board of directors show concern for integrity and ethical values? Is there a code of conduct and/or ethics policy and has it been adequately communicated? [Yes / No / -]
Is management's commitment to integrity and ethical behavior communicated effectively throughout the company, both in words and deeds? Does management lead by example? [Yes / No / -]
Are those in top management hired from outside made familiar with the importance of high ethics and controls? [Yes / No / -]
Does the audit committee have a charter outlining its duties and responsibilities? Does the audit committee have adequate resources and authority to discharge its responsibilities? [Yes / No / -]
Organizational structure and assignment of authority and responsibility
Is the organizational structure appropriate for the size, operating activities, and locations of the company? [Yes / No / -]
Are there screening procedures for job applicants, particularly for employees with access to assets susceptible to misappropriation? [Yes / No / -]
Are policies and procedures clear and are they issued, updated, and revised on a timely basis? Are they effectively communicated to personnel at decentralized and/or foreign locations? [Yes / No / -]
Risk Assessment
Risk assessment is the entity's identification and analysis of relevant risks (both internal and external) to the achievement of its objectives, forming a basis for determining how the risks should be managed.
Does internal audit (or another group within the company) perform a periodic (at least annual) risk assessment? If yes, does senior management review the risk assessment and consider actions to mitigate the significant risks identified? [Yes / No / -]
Information
Information systems provide management with necessary
reports on the entity's performance relative to established
objectives, including relevant external and internal information,
and information is provided to the right people in sufficient
detail and on time to enable them to carry out their
responsibilities efficiently and effectively.
Are the disaster recovery and business continuity plans tested periodically (at least annually)? [Yes / No / -]
Are there written job descriptions and reference manuals that describe the duties of personnel? [Yes / No / -]
Control Activities
Control activities are the policies and procedures that help ensure that management's directives are carried out.
Does the entity review its policies and procedures periodically to determine if they continue to be appropriate for the company's activities? [Yes / No / -]
Monitoring
Monitoring is a process that assesses the quality of internal control performance over time.
Has there been a recent quality assurance review of the internal audit function by an external party such as the company's independent auditors? [Yes / No]
Does the internal audit department develop an annual plan that considers risk in determining the allocation of resources? [Yes / No]