Entity Level Controls: Five Issues Caused by Weak or Non-Existent Controls in Place

By Nicole Fitzgerald on June 23, 2020
Nicole Fitzgerald

Risk Advisory Services Consultant | Freed Maxick


Entity Level Controls (ELCs) are “controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved.” Some examples of these controls are a code of ethics, risk management policies and procedures, fraud prevention and detection programs, human resources policies and procedures, management’s control deficiency escalation process, and variance analyses. Organizations that have weak or no entity level controls in place can experience many problems. The following five risks are associated with weak or non-existent entity level controls.

1.) Entity Level Controls Risk #1: Management Override of Controls

Management is the primary source of the design, implementation, and maintenance of entity level controls, and therefore management may have the ability to override these controls. If a member of the management team has the opportunity, incentive, and/or pressure to override these controls and commit fraud, it is a risk that is not easily overcome. Those charged with governance, such as shareholders, the Board of Directors, and the Audit Committee, need to take an active approach in evaluating any possible scenarios in which fraud can occur and in mitigating these risks. If the risk of management override is identified, additional steps can be taken to control it.

2.) Entity Level Controls Risk #2: Limited Segregation of Duties

The segregation of duties in any organization is one of the most important aspects of preventing fraud or error. One individual should not be responsible for the authorization, recording, and handling of transactions. Some organizations with a limited number of personnel may have difficulty implementing a segregation of duties. If this issue occurs, compensating controls, such as oversight, supervision, and monitoring by management or those charged with governance, need to be implemented in order to ensure objectives are being met.

3.) Entity Level Controls Risk #3: Over-reliance on Detective Controls vs. Preventative Controls

Detective controls identify when something is wrong, but preventative controls stop a problem before it occurs. Effective entity level controls implement both preventative and detective controls. Some preventative controls include ongoing and updated training on policies and procedures, user names and passwords limited to specific personnel and systems, requiring multiple signatures on disbursements, and conducting a review and approval of purchase requests prior to purchase.

4.) Entity Level Controls Risk #4: Informal vs. Formal Controls

Entity level controls tend to be less formal than activity level controls and are normally carried out by one or two key individuals, such as the owner or manager. Regardless of whether these controls are formal or informal, they need to be actively monitored to ensure they are being performed.

5.) Entity Level Controls Risk #5: Poor Tone at the Top

Tone at the top refers to the ethical atmosphere that is created in the workplace by the organization's leadership. The tone that is set at the management level of an organization has a trickle-down effect on the employees. If the tone set by managers supports ethics and integrity, employees will be more inclined to uphold those same values. However, if upper management appears unconcerned with ethics and focuses solely on the bottom line, employees will be more prone to commit fraud because they feel that ethics are not a focus or priority within the organization. Employees pay close attention to the behavior and actions of their superiors, and they follow their lead.

