Entity-Level vs. Activity-Level Controls--We have to know the difference!
Entity-Level (Key) Controls:
Key controls for small entities are those elements of the five components of internal control that have a pervasive effect upon the accomplishment of management’s control objectives. These controls may be informal and ordinarily carried out by one or a few persons such as an owner/manager. The design and operation of these key controls can prevent material misstatements due to error or fraud from occurring and going undetected. Successful operation of key controls, subjected to auditors’ tests of controls, may reduce control risk to a moderate or even low level. An assessed lower level of control risk can result in reductions of more expensive tests of balances evidence, even on small audits!
Components of key controls for both large and small entities are:
• Management’s integrity and ethical values.
• Management’s commitment to doing things right.
• Management’s ways of doing things.
• The involvement of persons charged with governance.
• The delegation of authority and responsibility.
• Personnel policies and procedures.
The COSO Report states that control activities are the policies and procedures established to help ensure that management directives are carried out. The key controls described above are primary to accomplishing this objective. Absent the design of key controls, or when key controls are designed but not operating, activity-level controls may be necessary to prevent misstatements from occurring and going undetected.
Activity-level controls may be applied through features in an accounting software system, by personnel while performing accounting procedures, or by the design of documents or data. Knowledge of these controls should be part of the auditor’s risk assessment procedures (although in small entities there often aren't many activity-level controls). The degree to which these controls may be regarded as substantive evidence by an auditor depends on the extent to which tests of controls may be performed.
As part of my Small Audit Handbook, which will be published in 2010, I've developed a Small Audit Internal Control Questionnaire which distinguishes between key and activity-level controls by financial statement classification. A beta copy of this SAICQ is available as a gift to my readers by signing up for the free email news on our website, www.cpafirmsupport.com, before the end of 2009.