Entity-level controls: internal auditors of U.S. listed companies in the Netherlands have developed a practical framework for Sarbanes-Oxley compliance.


LIKE THEIR U.S. COUNTERPARTS, most large U.S. listed companies in the Netherlands are working toward making their internal control framework compliant with the U.S. Sarbanes-Oxley Act of 2002. Since 2003, a group of internal control specialists from large Dutch corporations--including ABN AMRO, Ahold, KLM Royal Dutch Airline, and Shell--have been compiling a framework of compliance best practices. This Sarbanes-Oxley platform was initiated by IIA-Netherlands and offers a network for participants to exchange ideas.

One topic that led to discussions and differences of opinion among participants is entity-level controls. When the discussions began, relevant rule-making bodies had not issued detailed guidance on the topic, other than stressing the importance of these controls. At the same time, external auditors had not published guidance that was practical for use in large companies. As a consequence, the IIA-Netherlands Sarbanes-Oxley platform formed a task force, composed of representatives from four companies, to develop a common standard for entity-level controls. All the participants shared their control documentation, which the task force used as a basis to develop a framework for entity-level controls. The resulting practical framework includes a list of 29 key controls that management and internal auditors can easily use to assess these controls.

THE DUTCH FRAMEWORK

The IIA-Netherlands task force's emphasis on entity-level controls parallels recent guidance from the U.S. Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB). After a May 2005 round-table with key Sarbanes-Oxley stakeholders, both agencies directed companies to take a top-down, risk-based approach to compliance, with a strong emphasis on entity-level controls rather than transactional controls. The SEC's interpretive guidance for management and the PCAOB's Auditing Standard No. 5 (AS5) each detail a risk-based approach. Although the Dutch framework is based on Auditing Standard No. 2, the predecessor to AS5, it is equally relevant when considering the new guidance documents. The Dutch task force determined that entity-level controls exist on a higher level than transactional controls, set positive conditions and boundaries for transactional controls, and are the internal control infrastructure. AS5 gives the following examples of entity-level controls:

* Controls within the control environment, including tone at the top, assignment of authority and responsibility, consistent policies and procedures, and companywide programs, such as codes of conduct and fraud prevention, that apply to all locations and business units.

* Senior management's risk assessment process.

* Centralized processing and controls, including shared services.

* Controls to monitor operating results.

* Controls to monitor other controls, including activities of the internal audit function, audit committee, and self-assessment programs.

* The organization's period-end financial reporting process.

* Board-approved policies that address significant business control and risk management practices.

In addition to the new SEC and PCAOB guidance, the task force's framework is based on The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control-Integrated Framework. "Entity-level Control Framework" on page 53 illustrates the position and focus of entity-level controls within the five components of the COSO internal control framework--control environment, risk assessment, control activities, information and communication, and monitoring. The 29 controls the IIA-Netherlands task force identified for its framework represent a best-practice set of entity-level controls. Individual companies may identify more controls based on their own structure.

CONTROL ENVIRONMENT The chart on page 53 shows that the basis for entity-level controls is the control environment, which has a pervasive effect on control consciousness and effectiveness within the company. Controls pertaining to the control environment include:

* A bill of authority/authorization table is established. Procurement authorization should be delegated by senior management, including availability, periodic update, and authorization. Focus: Assignment of Authority.

* Senior management consciously and willingly sets and maintains an appropriate tone at the top (e.g., communication throughout the year and behavior examples). Focus: Business Ethics.

* A code of conduct is established and disciplinary actions are taken in cases of violations (e.g., availability, confirmation of compliance, and follow-up of deviations). Focus: Business Ethics.

* The company conducts a fraud risk assessment, has appropriate anti-fraud programs in place, and reports on fraud occurrences (e.g., availability, authorized, and monitored). Focus: Business Ethics.

* The human resources department reviews the organizational design and availability of job descriptions (e.g., key financial positions). Focus: Human Resources Policies and Practices.

* The supervisory board (i.e., independent directors of the nonexecutive board) reviews corporate strategy and approves the annual budget. Focus: Strategic Planning.

* The audit committee ensures the existence, availability, appropriateness, and communication of the whistleblower procedure (e.g., independent reporting, anonymity, and performance reporting on reported occurrences and their resolutions). Focus: Whistleblower.

These areas describe the top-level governance structure of an organization and the tone at the top as well as roles and responsibilities regarding the effectiveness of the control environment.

RISK ASSESSMENT Risk assessment describes the way management identifies, summarizes, and controls the organization's key risks. The following areas describe how risk assessment is organized and formalized in an organization:

* Management assesses the likelihood and impact of risks (e.g., analyze, plan, and perform the assessment; check and act on the risk). Focus: Risk Management.

* Meetings with the board, operating group control, legal, and information technology (IT) are held to discuss the legal implications and impact of new business on financial reporting and IT. Focus: Risk Management.

These controls acknowledge that effective risk assessments--including assessments of financial reporting risk--reduce the risk that material misstatements in the organization's financial statements go unaddressed.

CONTROL ACTIVITIES Based on the risk assessment, the organization implements control activities to ensure that management's objectives are met. These controls include:

* Senior management ensures that certain high-risk processes and related significant accounts (e.g., deferred tax, goodwill and other intangibles, and investments in subsidiaries) are only processed and recorded at or via the corporate level. Focus: Accounting and Reporting.

* Realistic targets are set and used in performance measurement (e.g., a well-balanced set of targets (finance, compliance)). Focus: Human Resources Policies and Practices.

* Human resources policies are available (e.g., adequacy of hiring, retention, and promotion processes). Focus: Human Resources Policies and Practices.

* A budget process is in place that is related to strategy, quantifies goals, and includes regular reporting reviews. Focus: Business Planning and Performance.

* The design of bonus plans ensures that there are no incentives that could lead to inappropriate financial reporting. Appropriate incentives for executive personnel should be based on financial and nonfinancial goals and on the long-term development of the organization. Focus: Human Resources Policies and Practices.

The importance of internal controls over financial reporting cannot be overstated. Many accounting scandals in recent years were caused by the negative effects of remuneration structures for senior management, which strongly emphasized target-setting and bonuses. Also, the IIA-Netherlands task force noted that material weaknesses discovered in recent years often were caused by the way in which management dealt with complicated accounting areas.

INFORMATION AND COMMUNICATION Information and communication are crucial in implementing entity-level controls. Top-down information streams help ensure that management's strategic decisions lead to appropriate action on the operating level, while bottom-up information gives management insight on how its strategies are being dealt with on the operating level and provides information executives can use for risk assessments. Controls related to information and communication include:

* An accounting and control manual has been developed and distributed effectively (e.g., existence and availability of the manual, authorization, and changes discussed and approved). Focus: Accounting and Reporting.

* Senior management monitors the outcome of the periodic process (e.g., accounting standards, code of conduct, control standards, and sign-off structure) regarding letters of representation or in-control statements issued by divisions, business units, or operating companies. Focus: Compliance/Internal Control Function.

Although manuals play an essential part in regulating and organizing the top-down and bottom-up information streams, management's role is crucial in the overall process of gathering and spreading the information. Moreover, in companies with a highly centralized IT infrastructure, the information and communication component should include centralized IT general controls.

MONITORING Another important aspect of entity-level controls is monitoring--the procedures a company uses to ensure that controls throughout the organization work according to plan. Monitoring-related controls include:

* A mandatory training plan is in place for accounting personnel, and progress is monitored. Focus: Accounting and Reporting.

* Senior management periodically reviews an overview of accounting, reporting, and internal control issues. Progress is monitored and reported in management meetings. Focus: Accounting and Reporting.

* Top management oversees litigation and communication with financial regulators. Focus: Business Ethics.

* The management team periodically holds divisional/operating company review meetings. The meetings discuss the consistency of corporate and divisional objectives and compare actual divisional/business unit/operating company results to budget. Focus: Business Planning and Performance.

* The audit committee conducts a self-assessment of its performance (e.g., against charter, relationship/performance of internal and external auditors, and activities and competencies of committee members). Focus: Corporate Governance.

* The audit committee exercises appropriate oversight of internal control matters (e.g., open communication with senior financial management). Focus: Corporate Governance.

* The audit committee ensures that open communication with internal and external auditors is established and maintained (e.g., approves audit plan, actively participates in meetings, holds private meetings). Focus: Corporate Governance.

* A pre-employment screening procedure is in place, including implementation instructions and definition of functions that require screening. Focus: Human Resources Policies and Practices.

* Agreement is reached on future system development and ongoing IT projects (e.g., IT strategic plan is aligned to the business plan for development of information systems). Focus: Information Management.

* An independent reporting line has been established from internal auditing to the audit committee. Focus: Internal Auditing.

* Internal auditing reports periodically to the audit committee on performance (e.g., staffing, progress of the audit plan, the effectiveness of internal auditing, and approval of the internal audit charter). Focus: Internal Auditing.

* The status of identified control issues (e.g., number, nature, remediation, and progress) is monitored through control remediation progress reporting. Focus: Compliance/Internal Control Function.

* Executive directors ensure that a disclosure meeting is held quarterly with finance, legal, and management to discuss the details of financial results (e.g., profit and loss account, balance sheet, cash flow statement, and other disclosures). Focus: Accounting and Reporting.

Although it is often difficult to categorize controls under the five elements of the COSO framework, monitoring may be the most critical area for Sarbanes-Oxley Section 404 compliance. In its interpretive guidance for management, the SEC notes that management's day-to-day interaction with the company's control structure will help executives assess the effectiveness of internal control over financial reporting. This ongoing interaction, whether formalized or not, can be regarded as monitoring.

CONTROL TESTING

Testing of entity-level controls described in the IIA-Netherlands' framework is characterized by the fact that in many cases the control description is focused on the existence of formal documentation, such as authorized policies, meeting agendas and minutes, and reports on performance. Testing is always the responsibility of management, as Sarbanes-Oxley Section 404 requires management to assess the effectiveness of internal controls. To a large extent, the test work programs will focus on the documentation already identified in the control descriptions, the implementation of relevant policies, and the actual operation of the policies and procedures. The examples that follow illustrate the documentation and evidence required for control testing.

1. ACCOUNTING AND CONTROL MANUAL

Evidence and documentation: Testers should ensure that the accounting and control manual is available--including a communication plan--and the manual should be approved by senior management. Comments of internal and external auditors should be documented, including follow-up. Updates of the manual should be documented as well. Moreover, testers should ensure that the manual has appropriate change procedures.

Testing considerations: The tests should verify whether reviews of the accounting and control manual are performed regularly and documented to ensure timely updates are made to reflect changes in applicable generally accepted accounting principles and company structure. They should also verify that senior management has approved such changes before release and distribution. Finally, they should verify that applicable finance staff have access to the most recent version of the manual.

2. CODE OF CONDUCT

Evidence and documentation: Testers should ensure that an authorized code of conduct is made publicly available (e.g., on the company's intranet) and that compliance with the code is confirmed annually. Appropriate management should conduct an annual evaluation of deviations from the code (e.g., letter of representation, ethics committee). There should also be periodic reporting on deviations from the code, as well as remediation and an action plan.

Testing considerations: Testing should verify, based on interviews with employees at various levels of the company, whether they are aware of the code of conduct and whether senior management frequently addresses the code in communications and e-mail. Control tests should verify annual confirmation of the code by new employees for a sample of employees and check whether the current version of the code is published on the intranet. They should also verify the existence of formal reporting procedures regarding violations of the code. In addition, they should examine the minutes of meetings that deal with the violations to verify whether all reported violations are discussed, disciplinary actions are defined, and follow-up actions are initiated.

3. SUPERVISORY BOARD'S SELF-ASSESSMENT

Evidence and documentation: Testers should ensure the existence of a supervisory board charter, including a description of the profiles and competencies of independent directors on the board. They should also ensure that the board has scheduled a self-assessment. A questionnaire or other tool should be used to ensure that the self-assessment is conducted in a structured way and addresses all relevant matters. Self-assessment results should be formally documented and agreed on by the supervisory board.

Testing considerations: Testing should verify whether written evidence of self-assessments exists (e.g., agenda, minutes, and summarized questionnaire) and whether the self-assessment is guided by the questionnaire and conclusions are established.

GOING FORWARD

With the new set of compliance rules and regulations in mind, the need for a practical set of entity-level controls has only increased. Because Dutch companies continue to wrestle with the complexity of compliance, the IIA-Netherlands' Sarbanes-Oxley platform group has proven to be a valuable initiative. By sharing information and best practices, the group has provided all participants with a practical framework, rather than theoretical concepts, which has helped companies implement a solid set of entity-level controls.

RONALD R. BOUMAN, RA, with ICC Consultancy BV, contributed to this article.

To comment on this article, e-mail the authors at heiko.vanderwijk@theiia.org.

JAAP GERKES, RA

SENIOR MANAGER

PROTIVITI

WILBERT JAN VAN DER WERF, RA

SENIOR MANAGER, COMPLIANCE AND ACCOUNTING, EUROPE

APPLIED BIOSYSTEMS

HEIKO VAN DER WIJK, CIA, RA

MANAGER, SARBANES-OXLEY OFFICE

KLM ROYAL DUTCH AIRLINE

RELATED ARTICLE: Entity-level Control Framework

The company hierarchy includes supervisory board, audit committee, executive board, group management, business unit/operating company/subsidiary management, and process owners.

[ILLUSTRATION OMITTED]
COPYRIGHT 2007 Institute of Internal Auditors, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2007 Gale, Cengage Learning. All rights reserved.

Article Details
Author:Gerkes, Jaap; Van Der Werf, Wilbert Jan; Van Der Wijk, Heiko
Publication:Internal Auditor
Geographic Code:4EUNE
Date:Oct 1, 2007
Words:2449