Entity-Level Assessment Report


9 Nov 2013


<Date>

Source: Protiviti KnowledgeLeader http://www.knowledgeleader.com/


Background

The SEC has recommended the use of the COSO Framework for management’s assessment of internal controls over financial reporting, as required by Section 404 of the Sarbanes-Oxley Act of 2002. The COSO Framework uses the following three dimensions that provide management with criteria by which to evaluate internal controls.

Objectives

Internal controls are designed to provide reasonable assurance that the following objectives are achieved:

- Effectiveness and efficiency of operations
- Compliance with laws and regulations
- Reliability of financial reporting

For purposes of management’s assessment of internal controls over financial reporting as required by Section 404, only the “reliability of financial reporting” objective is relevant.


Levels

Internal controls must be evaluated at two levels:

- Entity level
- Process level

Components

Internal controls are evaluated in five components:

- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

Executive Summary

Control Environment: Sets the tone of an organization and serves as a foundation for all other components.

Risk Assessment: Identifies and analyzes risks to achieving objectives.

Control Activities: Encompass policies, practices and procedures, which ensure management’s directives are carried out.

Information and Communication: Captures relevant information to use as a basis for decision making. Also effectively communicates roles and responsibilities for maintaining internal controls.

Monitoring: Provides the ongoing assessment of internal control quality.


Purpose

The purpose of this report is to document management’s assessment of internal controls over each of the five components at the entity level. The entity level is the level of the organization where pervasive controls and an overall control structure are defined. This may occur at a company-wide level, at each business unit (in a decentralized environment), or a combination of both. The process level is the level at which key business process activities take place, including processes that result in financial statement elements and other financial information, such as the accounts payable process or hotel revenue process.

The procedures used to evaluate Company X’s (referred to as “company”) effectiveness of internal controls at the entity level are as follows:

- Conduct an entity-level survey of top management to assess their views on the entity-level controls (see Exhibit III)
- Review documentation of entity-level controls as they exist (for instance, review the current code of conduct, audit committee charter, and similar documentation for each COSO component)
- Review entity-level information technology controls (to come)
- Assess control effectiveness at the entity level and make recommendations for improvement as appropriate
- Consider the impact on process-level controls
This document first reports the results of the entity-level survey in total and then documents the work performed to assess the effectiveness of each COSO component at the entity level, including assessment of the survey results and review of supporting documentation. In each component, we also document the impact on process-level controls and any recommendations for improvement.

Scope

In order to facilitate management’s assessment of the entity-level controls, a survey was sent to X executive and senior management individuals (all SVPs and above) at the corporate and business unit levels (see Exhibit I for a listing of executives included in the survey). This survey contained X points of focus written as definitive statements. Each individual was asked to rate their agreement with the statements on a scale of 1 to 5, with 5 meaning “strongly agree” and 1 meaning “strongly disagree.” In addition to the scale rating, individuals were given the ability to provide written comments for each definitive statement.

The graphic on the following page shows the overall survey results.

Executive Summary


This scorecard is based on the COSO Framework developed by the Treadway Commission in 1992. The COSO Framework defines internal control, describes its components, and provides criteria against which control systems can be evaluated.

Respondents rated their agreement with definitive statements on a scale of 1-5. This scale was translated to be: Effective; Inadequate; Area of further analysis/potential improvement.

Entity-Level Survey Results Scorecard

(Per-item ratings appear only in the scorecard graphic; the points of focus it lists are reproduced below.)

Control Environment
- Integrity and Ethical Values
- Commitment to Competence
- Attention and Direction of Board of Directors and Audit Committee
- Management’s Philosophy and Operating Style
- Organizational Structure
- Assignment of Authority and Responsibility
- Human Resources Policies and Procedures

Risk Assessment
- Company-wide Objectives
- Process-level Objectives
- Risk Identification and Analysis
- Managing Change

Control Activities
- Policies and Procedures
- Information System Controls
- Regulatory Monitoring

Information and Communication
- Quality of Information
- Effectiveness of Communication

Monitoring
- On-going Monitoring
- Separate Evaluations
- Reporting Deficiencies

The following pages describe entity-level controls by the five COSO components and include the component definition, a description of the control environment for that component, the survey results, a discussion of the supporting evidence reviewed, management’s assessment and recommendations (as appropriate), and any open items.

Entity-Level Assessment Detailed Results


Control Environment

Definition

The control environment sets the tone of an organization and influences the control consciousness of its employees. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's personnel; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its personnel; and the attention and direction provided by the board of directors.

Company’s Control Environment

The overall control environment at company is established by the company’s management team. Company has an independent and financially literate audit committee of the board of directors that is responsible for oversight of the company’s control structure and environment. The audit committee meets on a periodic basis, including in executive sessions, with the company’s financial management, external auditors and internal audit department in order to conduct its financial reporting and internal control oversight responsibilities. The audit committee’s roles and responsibilities are outlined in their charter. Company management has also formed a disclosure committee, which is primarily tasked with oversight of the company’s entire disclosure process. Company’s internal audit department has been chartered to monitor the effectiveness of the system of internal controls that provides reasonable assurance as to the reliability of financial results, the safeguarding of company assets, the operational efficiency of the company’s business processes, and the company’s effectiveness of complying with applicable laws and regulations.

The company has a code of conduct that is available to all employees through the company’s policies and procedures. A code of conduct questionnaire is distributed annually to all directors of the company and above, as well as all owned and managed hotel general managers and directors of finance. Additionally, an ethics hotline has been established, which allows employees to anonymously report questionable accounting activities, including internal accounting controls and inappropriate workplace matters. These calls are logged by the legal department, which appropriately follows up on all calls and discusses them with the audit committee chair, as required by the company’s corresponding policy and procedures.

Additional means of communicating the company’s internal control objectives include various policies and procedures, internal control questionnaires, the company’s Intranet, and periodic management and department meetings. Included in the company’s policies and procedures are extensive human resource guidelines encompassing hiring, background checks, training, mentoring, formally evaluating performance, and terminating employees.

The company also maintains detailed job descriptions, which highlight employees’ specific responsibilities, knowledge and skill requirements.


Control Environment

Survey Results


- Rated overall as the most effective component at company with a composite survey score of 4.6
- Integrity and ethical values are viewed highly, along with management’s philosophy and the organizational structure
- HR policies were viewed as adequate, but respondents were concerned regarding the lack of emphasis on career planning and training programs designed to develop skills for career advancement
- Respondents were concerned about the consistency of performance evaluations among individual departments
- Respondents indicated that processes have not been formalized relating to risks arising from environmental factors and internal sources

Supporting Evidence


- Code of conduct procedures, including annual questionnaires sent to senior management
- Human resource policies and procedures, including training programs, performance evaluations, job descriptions, ethics hotline, employee retention procedures and vendor relationships
- Organizational charts
- Audit committee charter
- Standard practice instructions (SPIs)

Management’s Assessment and Recommendations

Overall rating for this component is ________. Recommendations include:

- Ensure the code of conduct meets the standards of the New York Stock Exchange (NYSE), including distribution externally and internally
- The results of the annual code of conduct circulation should be reported to the audit committee

Open Items



- The audit committee charter is being revised to conform to NYSE standards. Other relevant company charters (compensation, etc.) are also being revised to ensure compliance with NYSE standards
- The results of the annual code of conduct questionnaire will be reported to the audit committee


Risk Assessment

Definition

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives, which are linked at different levels and internally consistent. Risk assessment includes the identification and analysis of relevant risks to achievement of the objectives and the formation of a basis for determining how the risks should be managed. Because economic, industry, regulatory and operational conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

Company’s Risk Assessment Process

Company’s executive leadership has established and communicated the company’s mission, strategy and overall business objectives with oversight from the board of directors. Like the control environment, risk assessment at company occurs at both the company-wide level and the business-unit level. At the company-wide level, the following major risk assessment activities take place:

- Corporate finance, information systems, risk management and loss control regularly monitor the external environment, including competitor analysis and financial reporting requirements, for changes and risks
- Corporate legal is responsible for monitoring regulatory requirements and issues, handling claims, and other legal actions
- Internal audit identifies key business and compliance risks on an annual basis
- The corporate privacy and IT security offices assess privacy and IT security risks
- Budgets are established annually for both operations and capital expenditures and are updated during the year to reflect changing conditions


Management’s Assessment and Recommendations

Overall rating for this component is ________. No recommendations were noted at this time.

Risk Assessment

Survey Results


- Composite survey score of 4.4
- Company-wide objectives are generally understood by management personnel at the business-unit level
- Risk identification is consistently performed, although the process is not formalized, but rather handled on an ad-hoc basis
- Measurement criteria and key performance indicators used to evaluate achievement of company-wide objectives are not always completely understood or consistently applied

Supporting Evidence

Supporting evidence used for the Risk Assessment component included the company’s strategic plan, internal audit plan and legal department policies and procedures.

Open Items

None


Control Activities

Definition

Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

Company’s Control Activities

The company has a system of internal controls that is documented through the corporate policies, business practices, and procedures and relates to the risks inherent to the business. Each business unit has some level of policies and procedures with corresponding monitoring devices to ensure compliance (e.g. actual versus budget, balanced scorecard, area controllers, etc.).

Survey Results


- Composite survey score of 4.3
- Some policies and procedures may need to be reviewed and updated
- Information systems passwords can be enhanced (e.g. many team members have the same password, like “company” or “user”)

Supporting Evidence

Supporting evidence for the control activities assessment includes policies and procedures and other monitoring mechanisms.

Management’s Assessment and Recommendations

Overall rating for this component is ________.

Open Items


- Document current company practices into formal policies and update where need be
- Formalize the IT password policy and enforce compliance


Information and Communication

Definition

Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports containing operational, financial and compliance-related information, making it possible to run and control the business. Effective communication also must occur in a broader sense, flowing vertically and horizontally within the organization. Top management must clearly communicate to all personnel that control responsibilities must be taken very seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.

Information and Communication Process

Company information includes daily, monthly, and quarterly financial and operational information at the business unit and consolidated levels and company results against established objectives. This information is communicated in a secure manner to relevant parties. Company communicates specific job roles, responsibilities and goals through annual review meetings. Company-wide customer information is housed in a central database and is accessible by authorized employees. Cross-functional communication of risks or control issues is fostered through regular management meetings.

Development of or revisions to systems are based on an IT strategic plan, which is linked to the company’s overall strategy.

Survey Results


- Composite survey score of 4.4
- The need for accurate and timely information is understood by management and the IT department
- Respondents indicated that communication channels exist between lower levels and management, although there may be a need to better encourage this flow of information

Supporting Evidence

Supporting evidence for the information and communication assessment includes an IT strategic plan and budget, a mature and stable PeopleSoft system, a corresponding disaster recovery plan, and user acceptance testing regarding system changes.


Information and Communication

Management’s Assessment and Recommendations

Overall rating for this component is ________. Information systems recommendations will be documented as part of the IT assessment.

Items to be Covered as Part of the IT Assessment as Appropriate


- Business Continuity
- Physical and Logical Security
- Data Center Operations
- Change Control
- Asset Management
- Problem Management
- Project Funding
- Project Management
- Resource Planning
- Strategic Planning
- System Development
- Vendor Management


Monitoring

Definition

Internal control systems need to be monitored. Monitoring is a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management activities, supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

Company’s Monitoring Activities

Monitoring activities occur primarily at four different levels within the organization:

- Board of Directors: Monitors the organization’s performance against the strategic plan
- Management: Monitors code of conduct and actual results versus plan through annual questionnaire, compliance with directives, and responsiveness to internal audit
- Process Owners: Monitor the control within their areas through reconciliations, checklists and self-reviews
- Internal Audit: Monitors compliance with the company’s policies and procedures and reports the results of their reviews to the audit committee

Survey Results


- Composite survey score of 4.5
- The importance of internal control is understood by most employees and all levels of management
- Most respondents were aware of the internal audit function and internal control activities
- Some respondents indicated that the process for capturing and reporting internal control deficiencies on a timely basis could be better defined and communicated

Supporting Evidence

Supporting evidence for the monitoring assessment includes management monitoring reports and the audit committee-approved internal audit plan. Other evidence of monitoring will be gathered during the process review, including on-going monitoring activities.

Management’s Assessment and Recommendations

Overall rating for this component is ________. Recommendations include:


Increased organizational knowledge of internal control monitoring mechanisms

Entity-Level Assessment: Exhibit I


Sarbanes-Oxley Entity-Level Controls Assessment

Survey Participant:

Title:

Date:

Background

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control.

The COSO model defines internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in a number of areas, including the reliability of financial reporting.”

COSO defines the following five components, which work to support the achievement of an entity’s mission, strategies, and related business objectives:

- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

In an effective internal control system, these COSO components work to establish the foundation for sound internal control. The following survey has been designed to evaluate the Company’s system of internal control within the context of the five COSO components described above. The survey will assist in identifying areas where the Company, business unit, or function needs to focus control efforts. The survey will also assist in determining the scope for documentation and testing work done at the business unit or function level and will provide a valuable benchmark against which the company can measure its success in achieving improvements.


Instructions

Each section of this survey is preceded by an explanation of its COSO component. The survey is composed of several definitive statements that relate to that component. Please indicate your opinion, based on your knowledge, experience and beliefs, towards each statement made on a scale of 1 to 5 (with 1 meaning you strongly disagree with the statement and 5 meaning you strongly agree with the statement). An example is presented below:

Statement: Employees new to your department are made aware of their responsibilities and management’s expectations.

Strongly Agree: New employees in your department are given a formal orientation and new employee training. The training is supplemented by reference material and both are sufficiently tailored to your department’s activities. On-the-job training continues as needed, and appropriate reference materials, such as job descriptions and duties, policies and procedures manuals, etc. are in place. Employees are educated early about the performance evaluation process and the areas on which they will be rated.

Strongly Disagree: New employee training does not take place. New employees are given little or no guidance regarding management’s expectations on how they will be rated and on-the-job training is not provided. Reference materials either do not exist or are not accessible to new employees.

If you do not have knowledge about a specific statement or believe the question does not apply to you, please mark “N/A.”

Space has been provided at the end of each section for any written comments you would like to make.

PLEASE RETURN THE COMPLETED SURVEY TO <NAME> IN <NAME OF THE OFFICE> NO LATER THAN <MONTH DATE, YEAR>. Any questions or concerns with respect to this survey should also be addressed to…


Control Environment

The control environment is influenced by a company’s history and culture and sets the tone of the organization, influencing the control consciousness of its personnel. It is the foundation for all other components of internal control and has a pervasive influence on the more detailed elements of internal control, including detailed control activities and how controls are monitored. Effectively controlled companies strive to have competent people, instill a company-wide attitude of integrity and control consciousness, and set a positive “tone at the top.” They establish policies and procedures (including a written code of conduct), which foster shared values and teamwork in pursuit of the company’s objectives. The control environment is evaluated based on the following factors:

- Integrity and Ethical Values
- Commitment to Competence
- Board of Directors/Audit Committee
- Management’s Philosophy and Operating Style
- Organizational Structure
- Assignment of Authority and Responsibility
- Human Resource Policies and Procedures

Integrity and Ethical Values


Strongly Agree 5 | 4 | 3 | 2 | 1 Strongly Disagree | N/A

1. There is a code of conduct and/or ethics policy that stipulates acceptable business practices, conflicts of interest, and standards of ethical behavior. The code of conduct is adequate to assist you in making ethical business decisions and has been effectively communicated.

2. There is an established “tone at the top,” including explicit guidance regarding acceptable behaviors and actions. The board of directors and senior management demonstrate, in words and actions, their concern for integrity and ethical values.

3. Management’s business dealings with all constituents, such as employees, suppliers, customers, investors, creditors, insurers, competitors, auditors, etc., are consistently conducted at high ethical levels, with a clear expectation that others conduct themselves likewise.

4. The “tone at the top” is shared and practiced by executives and management throughout the organization and management at all levels demonstrates a commitment to integrity and ethical behavior by example in their day-to-day activities.

5. Management addresses and resolves violations of behavioral and ethical standards consistently, timely and equitably.

Comments:

A company’s objectives and the way they are achieved are based on preferences, value judgments and management styles. Those preferences and value judgments then translate into standards of behavior, which reflect management’s integrity and its commitment to ethical values. Those behaviors should go beyond mere compliance with the law. Integrity and ethical values are essential elements of the control environment, affecting the design, administration and monitoring of other internal control components.

Control Environment: Integrity and Ethical Values


Strongly Agree 5 | 4 | 3 | 2 | 1 Strongly Disagree | N/A

6. Employees are competent and properly trained to handle their assigned responsibilities/workload and to deal with the inherent risks and complexities of their jobs and the company’s business.

7. Key managers have adequate knowledge and experience to perform their responsibilities.

8. As a group, management possesses broad experience with diverse functional backgrounds, such as accounting, finance, systems, operations, marketing, etc.

Comments:

Management should specify the competence levels for particular jobs and translate those levels into requisite knowledge and skills. The necessary knowledge and skills may in turn depend on an individual’s training and experience. Among the many factors considered in developing knowledge and skill levels are the nature and degree of judgment to be applied to a specific job. There often can be a trade-off between the extent of supervision and the requisite competence level of the individual.

Control Environment: Commitment to Competence


Strongly Agree 5 | 4 | 3 | 2 | 1 Strongly Disagree | N/A

9. The board of directors/audit committee gives adequate consideration to understanding how management identifies, monitors and controls risks affecting the organization.

10. The board constructively challenges management’s planned decisions (e.g. strategic initiatives, major transactions) and probes for explanations of past results.

11. A process exists to inform the board of significant issues in a timely manner.

Comments:

The control environment and “tone at the top” are influenced significantly by the entity’s board of directors and its audit committee. Factors include the board/audit committee’s independence from management, experience and stature of its members, extent of its involvement with and scrutiny of activities, and the appropriateness of its actions.

Control Environment: Board of Directors/Audit Committee


Strongly Agree 5 | 4 | 3 | 2 | 1 Strongly Disagree | N/A

12. Senior management seeks to minimize risk when possible. Transactions that involve higher risk are analyzed and scrutinized more thoroughly.

13. Situations involving pressure to meet unrealistic performance targets do not exist or are properly controlled.

14. Decisions are not significantly influenced by a desire to meet an earnings target, nor does management try to influence operating decisions in order to meet earnings targets.

15. There is a strong emphasis on internal controls being well-designed and operating effectively in all areas of operations.

16. Management views the accounting function as an important element in the overall system of internal control.

17. There are strong ethical attitudes and actions towards financial reporting, including appropriate resolution of disputes over application of accounting treatments.

18. Management’s financial reporting philosophy, including its attitude toward the development of estimates, tends to be conservative.

Comments:

Management’s philosophy and operating style affect the way the company is managed, including the kind of business risk accepted. A company can be characterized by the willingness of management to take risks and the degree of formality in which operations are conducted.

Control Environment: Management’s Philosophy and Operating Style


Strongly Agree 5 | 4 | 3 | 2 | 1 Strongly Disagree | N/A

19. Managers and key personnel (process owners) in your function have access to senior management to address significant issues.

20. There is frequent interaction between senior management and operating management.

21. Sufficient numbers of employees exist, particularly in management and supervisory capacities.

Comments:

A company’s organizational structure provides the framework within which activities for achieving company-wide objectives are planned, executed, controlled and monitored. Significant aspects of establishing a relevant organizational structure include defining key areas of authority and responsibility and establishing appropriate lines of reporting.

Control Environment: Organizational Structure


Strongly Agree 5 | 4 | 3 | 2 | 1 Strongly Disagree | N/A

22. There is an appropriate assignment of responsibility and delegation of authority to deal with operating functions and regulatory requirements.

23. There is a proper balance between delegation of authority needed to “get the job done” and the involvement of senior management where needed.

24. There is an appropriate number of people, particularly with respect to data processing and accounting functions, with the requisite skill levels relative to the size of the entity and nature and complexity of activities and systems.

Comments:

This component includes the assignment of authority and responsibility for operating activities and the establishment of repo
rti
ng
relationships and authorization protocols. It is essential that each individual knows that his or her actions interrelate and

co
ntribute to the
achievement of objectives.

Sarbanes
-
Oxley Entity
-
Level Controls Assessment

Control Environment


Assignment of Authority and Responsibility


Control Environment: Human Resource Policies and Procedures

Rating scale: Strongly Agree 5 4 3 2 1 Strongly Disagree; N/A

25. Policies and procedures for hiring, training, promoting and compensating employees are in place and ensure that those employed by the company meet the job criteria and do not have questionable backgrounds.

26. Employees new to your department are made aware of their responsibilities and management’s expectations.

27. Supervisory personnel meet periodically with employees to review job performance and discuss opportunities for improvement.

28. Managers and employees agree with the measures used to monitor their performance.

29. Personnel policies address adherence to appropriate ethical and moral standards.

30. Retention and promotion criteria are understood by all employees.

Comments:

Human resource practices send messages to employees regarding expected levels of integrity, ethical behavior and competence. Such practices relate to hiring, orientation, training, evaluation, counseling, promoting, compensation and remedial actions.


Sarbanes-Oxley Entity-Level Controls Assessment

Risk Assessment

All companies, regardless of size, structure, nature or industry, encounter risks at all levels within their organizations. Management must determine how much risk is to be prudently accepted and strive to maintain risk within these levels. Risk assessments may take place formally or informally, but risks should be identified, prioritized and communicated. The risk assessment component of control is evaluated based upon the following factors:

- Company-Wide Objectives
- Process-Level Objectives
- Risk Identification and Analysis


Risk Assessment: Company-wide Objectives

Rating scale: Strongly Agree 5 4 3 2 1 Strongly Disagree; N/A

31. Management has established and clearly communicated the company’s mission, strategy and business objectives.

32. Key performance indicators and measurement criteria for achieving company-wide objectives have been communicated and are uniformly understood.

33. Business plans and budgets are consistent with company-wide objectives, strategic plans and current conditions.

Comments:

Objectives may be implicit or explicitly stated, such as to continue a past level of performance. At the company level, objectives are often represented by the company’s mission and value statements. Specific objectives flow from the company’s broad strategy. Company-wide objectives are linked and integrated with more specific objectives established for various activities.


Risk Assessment: Process-level Objectives

Rating scale: Strongly Agree 5 4 3 2 1 Strongly Disagree; N/A

34. Resources at the business unit and department level are generally sufficient to achieve objectives for processes in these areas. If not, plans are in place to acquire needed resources.

35. Each business unit and department within each business unit has a budget and is measured on performance measures consistent with company-wide objectives.

36. Business unit and department plans, budgets, and activities are established with input from process owners within each business unit and department.

Comments:

More specific objectives flow from the company’s broad strategy. Company-wide objectives must be broken down into process-level objectives, consistent with the overall strategy, and linked to the activities throughout the organization. Process-level objectives need to be clear and readily understood by the people taking actions and responsibility for their achievement, and they must be measurable.


Risk Assessment: Risk Identification and Analysis

The process of identifying and analyzing risk is an ongoing and critical component of an effective internal control system. Management must focus carefully on risks at all levels of the company and take necessary actions to manage them. Risks should be identified and assessed at both a company-wide and a process level.

Rating scale: Strongly Agree 5 4 3 2 1 Strongly Disagree; N/A

37. There are processes in place to identify risks arising from environmental factors (general business environment, new competition, etc.) and to communicate such risks promptly to management.

38. There are processes in place to identify risks arising from internal sources (new computer systems, changes in key personnel, etc.) and to communicate such risks promptly to management.

39. The risk analysis process is thorough and relevant, including estimating the significance of risks, assessing the likelihood of their occurrence, and determining the necessary actions.

40. The risk analysis results are communicated to appropriate members of management and those directly affected by the risk.

Comments:


Sarbanes-Oxley Entity-Level Controls Assessment

Control Activities

Control activities are policies and procedures used to ensure management directives are met. Control activities vary depending upon the nature of the risk mitigated and are carried out to ensure that the risks are minimized to an acceptable level. The control activities component of control is evaluated based on the following factors:

- Policies and Procedures
- Information System Controls


Control Activities: Policies and Procedures

Rating scale: Strongly Agree 5 4 3 2 1 Strongly Disagree; N/A

41. Policies and procedures are in place (whether formally documented or not) for all critical business processes.

42. Policies and procedures are formally documented for all critical business processes.

43. Appropriate and timely actions are taken on exceptions to policies and procedures.

44. Policies and procedures are updated and reviewed on a timely basis.

Comments:

Control activities usually involve two elements: a policy establishing what should be done and procedures to effect the policy. Many times, policies are communicated orally. Unwritten policies can be effective when the policy is a long-standing and well-understood practice and when communication channels involve only limited management layers. Regardless of whether or not a policy is written, it must be implemented conscientiously and consistently. A procedure will not be useful if performed mechanically without a continuing focus on the conditions to which the policy is directed.


Control Activities: Information System Controls

Rating scale: Strongly Agree 5 4 3 2 1 Strongly Disagree; N/A

45. There are provisions for reasonable protection against physical destruction of information systems and financial and other records by fire or other means.

46. There is adequate segregation of responsibilities and restriction of access to information systems.

47. There are adequate controls over processing programs and data files.

48. Online access to computer files is appropriately limited.

49. Effective contingency plans have been developed and documented to deal with service interruptions if they occur.

50. Periodic tests of contingency and disaster plans take place to make sure they are current, operational and effective.

Comments:

Information system controls are of two types: general controls and application system controls. These controls apply to all levels of systems, from the company’s overall network to end-user computing environments.


Sarbanes-Oxley Entity-Level Controls Assessment

Information and Communication

Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities. All personnel must receive a clear message from top management that control responsibilities must be taken seriously, and they must have a means of communicating significant information upstream. There also needs to be effective communication with external parties such as customers, suppliers, regulators and shareholders. The information and communication component of control is evaluated based upon the following factors:

- Quality of Information
- Effectiveness of Communication


Information and Communication: Quality of Information

Rating scale: Strongly Agree 5 4 3 2 1 Strongly Disagree; N/A

51. Management supports the development of necessary information systems as demonstrated by the commitment of appropriate resources.

52. Information is provided to the appropriate people in sufficient detail on time so they can carry out their responsibilities efficiently and effectively.

53. The company develops or revises its information systems based on a strategic plan for IS linked to the entity’s overall information needs.

54. The amount and nature of information you receive is optimal to allow you to perform your job effectively and efficiently.

Comments:

Information is identified, captured, processed and reported by information systems. Information gathering mechanisms may be computerized, manual, or a combination of the two. They may be formal or informal. Keeping information consistent with needs becomes particularly important when a company operates in a rapidly changing environment. To be effective, information gathering mechanisms must not only identify and capture needed financial and non-financial information; they must also process and report it in a timeframe and way that is useful in controlling the company’s activities.


Information and Communication: Effectiveness of Communication

Rating scale: Strongly Agree 5 4 3 2 1 Strongly Disagree; N/A

55. Adequate communication channels exist to ensure the proper flow of material information from lower levels upward.

56. Communications include the flow of best practices across business units.

57. Management is receptive to employee suggestions of ways to enhance productivity, quality or other similar improvements.

58. Management performs timely and appropriate follow-ups resulting from communications received from customers, vendors, regulators and other external parties.

Comments:

Communication is inherent in information processing. Information must be provided to appropriate personnel so that they can carry out their financial reporting responsibilities. Communication also must take place in a broader sense, dealing with expectations, responsibilities of individuals and groups, and other important matters.


Sarbanes-Oxley Entity-Level Controls Assessment

Monitoring

Internal control systems need to be monitored, a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Internal control deficiencies should be reported upstream, with serious matters reported to senior management and the board. The monitoring component of control is evaluated based on the following factors:

- Ongoing Monitoring
- Separate Evaluations
- Reporting Deficiencies


Monitoring: Ongoing Monitoring

Rating scale: Strongly Agree 5 4 3 2 1 Strongly Disagree; N/A

59. Management periodically performs monitoring functions of internal controls in key areas to ensure that the system of internal control continues to function as needed.

60. The company periodically compares recorded amounts to physical assets (inventory, fixed assets, cash, etc.).

61. The company proactively responds to internal and external audit recommendations and implements recommendations as a means to strengthen internal controls.

Comments:

Ongoing monitoring procedures are built into the company’s normal recurring operating activities. Monitoring procedures, which are an inherent part of the company, are generally more effective than procedures performed in connection with separate evaluations (audits). Since separate evaluations take place after the fact, problems will often be identified more quickly by the ongoing monitoring routines. A company should focus on ways to enhance its ongoing monitoring activities and emphasize “building in” versus “adding on” controls.


Monitoring: Separate Evaluations

Rating scale: Strongly Agree 5 4 3 2 1 Strongly Disagree; N/A

62. The company has an internal audit function that adequately monitors and addresses the company’s risks.

63. Internal audit has personnel who have the experience and skills necessary to understand operations.

64. Internal audits are performed on all the company’s key risks.

Comments:

The frequency of separate evaluations necessary for management to have reasonable assurance about the effectiveness of the internal control system is a matter of management’s judgment. In making that determination, consideration should be given to the following: the nature and degree of changes occurring and their associated risks, the competence and experience of the people implementing the controls, and the results of ongoing monitoring.


Monitoring: Reporting Deficiencies

Rating scale: Strongly Agree 5 4 3 2 1 Strongly Disagree; N/A

65. A process exists for capturing and reporting identified internal control deficiencies on a timely basis.

66. There are appropriate reporting protocols. If employees identify internal control deficiencies, they know to whom to report them.

67. If internal control deficiencies are noted, appropriate follow-up action is taken.

Comments:

Deficiencies in a company’s internal control system surface from many sources, including the company’s ongoing monitoring procedures, separate evaluations of the internal control system and external parties. The term “deficiency” is defined broadly as a condition within an internal control system worthy of attention. A deficiency, therefore, may represent a perceived, potential or real shortcoming, or an opportunity to strengthen the control system to provide a greater likelihood that the company’s objectives will be achieved.