Assessing Company-Level Controls

Another hurdle on the road to compliance.

THE ASSESSMENT OF COMPANY-LEVEL CONTROLS is a critical part of complying with section 404 of Sarbanes-Oxley. The PCAOB says public companies must assess the design and operating effectiveness of these controls in addition to examining detailed process- and transactional-level control activities.

COMPANY-LEVEL CONTROLS ARE THOSE THAT PERMEATE an organization and have a significant impact on how it achieves its financial reporting and disclosure objectives. These controls are exemplified by the control environment itself including the tone at the top, corporate codes of conduct and policies and procedures.

CPAs CAN FOLLOW SIX STEPS TO HELP ENTITIES comply with company-level control requirements. These steps are defining the project plan and key milestones, building a structure to assess the controls, obtaining input on the design of company-level controls, documenting and assessing the controls, testing their effectiveness, and engaging in gap remediation and continuous improvement.

THESE STEPS ARE REQUIRED OF PUBLIC COMPANIES, but private companies and not-for-profit organizations also can benefit by looking at the process as a best practice that leads to stronger governance and better financial results.

J. STEPHEN McNALLY, CPA, is director of finance of Campbell USA, a division of Campbell Soup Co. in Camden, N.J. His e-mail address is . This article is based on one the author wrote for the winter 2005 issue of the Pennsylvania CPA Journal.

What are company-level controls? How do CPAs go about evaluating their effectiveness? As the compliance deadline for section 404 of the Sarbanes-Oxley Act approaches for some companies, many have yet to face a critical hurdle: the assessment of their company-level controls. The Public Company Accounting Oversight Board says public companies must assess the design and operating effectiveness of company-level controls in addition to examining detailed control activities at the process and transactional levels.

This article provides a six-step process CPAs can use to meet this critical aspect of section 404 compliance. The steps are based in part on the author’s experiences as director of finance for Campbell Soup Co. Although only public companies subject to section 404 are required to formally assess company-level controls, nonpublic companies and other types of organizations may wish to do similar evaluations as a best practice.

[Chart: A Role to Play. In what areas of Sarbanes-Oxley compliance work was internal audit involved during 2004? Source: PricewaterhouseCoopers LLP, 2004 survey of 441 companies.]

Company-level controls permeate an organization and have a significant impact on how it achieves its financial reporting and disclosure objectives. One example is the control environment itself, which includes the tone at the top, the corporate code of conduct, policies and procedures, the assignment of authority and responsibility, management’s risk assessment processes, fraud-prevention efforts and other company-wide programs that apply to all locations and business units. Company-level controls also monitor the results of operations and the functionality of other controls, including self-assessment programs and internal audit reviews. Oversight activities by senior management, the audit committee and the board also demonstrate these controls.

Section 404 says senior management at public companies must

State its responsibility for establishing and maintaining adequate internal control over financial reporting and disclosure.

Assess the effectiveness of the company’s internal controls for the current fiscal year.

Identify the framework used to make this evaluation.

To comply, many companies have adopted the COSO internal control framework and its five components—control environment, risk assessment, control activities, information and communication, and monitoring.

The PCAOB says public companies must give adequate consideration to all five components, including detailed control activities at the process and transactional level as well as the other COSO components known collectively as company-level controls. In Auditing Standard no. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, the PCAOB says the external auditor should evaluate whether management’s documentation includes all five components of internal control over financial reporting when determining whether it provides reasonable support for management’s overall assessment.

Auditors should test and evaluate the design effectiveness of company-level controls first and adjust their approach for evaluating the other aspects of internal control over financial reporting accordingly. CPAs should consider ineffective company-level controls a deficiency that might affect the scope of work performed in an audit, particularly when a company has multiple locations or business units.

As part of the internal process of ensuring compliance with the company-level control aspects of section 404, CPAs can recommend companies follow six steps. In general the steps include defining key milestones, building an assessment structure for company-level controls, documenting control design, testing control effectiveness and engaging in gap remediation and continuous improvement efforts.

Step One: Define project plan and key milestones. The first compliance step CPAs should take involves planning—outlining the project (including key activities and timelines) and identifying critical milestones. This helps assess the resources needed to complete the company-level controls effort in a timely manner and gauge the team’s progress compared to expectations.

In this instance the key activities in the project plan may represent overlapping tasks to be performed in parallel rather than in sequence. For example, management typically needs to determine the existence and nature of a process- or transactional-level control before collecting evidence to test its effectiveness. However, when it comes to company-level controls, evidence collection may occur at any point during the overall compliance effort. Some evidence (codes of conduct, corporate policies, organization charts and the like) may facilitate the building of a customized assessment structure or provide insight into the design of the organization’s company-level controls and also represent evidence to support the effectiveness of these controls. For instance, when we reviewed the charter for Campbell’s audit committee, it provided insight into the oversight activities this committee performed, in addition to offering evidence that such a document existed.

Step Two: Build an assessment structure for company-level controls. To methodically evaluate these controls, companies need a formal structure within the context of the overall internal control framework adopted by management. To build this structure, CPAs should first review appropriate authoritative literature—including COSO’s Internal Control—Integrated Framework, PCAOB Auditing Standard no. 2 and Sarbanes-Oxley itself—and solicit the input of the company’s external auditors and any consultants providing subject matter expertise on the company’s overall section 404 compliance efforts. CPAs also should talk to peers at other companies, attend seminars on company-level controls compliance and use other available tools (for example, KPMG’s Web site).

A customized assessment structure likely will consist of 20 to 30 objectives across the four COSO components that relate specifically to company-level controls (excluding the control activities component). Because these objectives represent management’s control expectations for complying with section 404 company-level controls, management will need to formally assess the design and operating effectiveness of each. If management can determine it meets each objective based on these assessments, it can conclude that the organization’s company-level controls are adequate overall. (See the box below for an example of company-level control objectives.)

To facilitate management’s assessment, CPAs should support each company-level control objective with underlying guidance, or points of focus, representing key considerations in examining each objective. For example, one of Campbell’s objectives related to the COSO control environment component concerned whether management, through its attitudes and actions, demonstrated character, integrity and ethical values. This objective was supported by several points of focus: Management sets the appropriate “tone at the top”; maintains codes of conduct and other policies regarding acceptable behavior; follows ethical guidelines in dealing with employees, suppliers, customers and others; removes or reduces temptations that might cause staff to engage in unethical acts; and responds in a timely and appropriate manner to violations of the company’s code of conduct. When making their overall assessment of a given objective, CPAs should carefully consider each point of focus and the implications of any best-practice controls that seem to be missing.

Step Three: Obtain input on the design of company-level controls. Gaining insight into the design of company-level controls is sometimes more challenging than assessing detailed process- or transactional-level control activities. Company-wide controls often are not readily apparent; management gave them little consideration in the past, so nobody perceived them as formal controls, which makes them harder to identify. To solve this problem CPAs can leverage section 404 and other documentation already created to assess the organization’s internal control activities. For example, section 404 documentation covering the safeguarding of cash, inventory and fixed assets can support the company-level control objective that management’s philosophy and operating style are consistent with a sound control environment.

CPAs also can review corporate, accounting and human resources policies; employee standards of conduct; organization charts; internal communications; board of director materials and other existing documentation, as well as interview appropriate subject-matter experts. Representatives from the corporate controlling, internal audit, IT, legal and HR functions can provide insight into high-level oversight and other company-level controls performed at, or dictated by management at, the corporate level. Business unit experts can help CPAs understand how such controls are implemented at the local level, for example clarifying how the local team translates the entity-wide strategies and objectives into its plans and activities. Finally, senior executives can discuss how they set the tone at the top, provide oversight, assign accountability, perform risk assessment and in other ways directly influence the organization’s company-level controls.

At Campbell, for example, the corporate controller explained how the company established its corporate accounting policies, the interaction between corporate and local finance staff, the competency of financial talent and, most important, the activities performed by Campbell’s disclosure committee. The corporate secretary and vice-president of audit helped us understand risk management, fraud reporting, management’s response to reported improprieties, audit committee and overall board oversight activities, and the development of Campbell’s annual internal audit plan.

Step Four: Document and assess company-level controls. The next step in the compliance process is to formally document and evaluate the design of company-level controls. CPAs should begin by detailing the company’s control activities that support each objective in the assessment structure they built in step two.

To get started with the evaluation process, review the insights you obtained from existing documentation and interviews with functional experts, business unit contacts and senior management. Then examine each point of focus for a given objective, considering the adequacy of existing company-level controls relative to best practices. In other words, assess whether the design of the organization’s current controls is adequate for each objective. Finally, to the extent you identify any gaps in the design of these controls, document and begin implementing appropriate remediation plans as soon as possible.

Step Five: Test the effectiveness of company-level controls. Traditional validation testing is typically used to assess the operating effectiveness of controls at the process and transactional levels; the type and frequency of a control activity drives the extent of testing CPAs perform. But few company-level controls lend themselves to selecting a sample size and then doing this traditional testing. Testing the operating effectiveness of an organization’s company-level controls requires creativity. CPAs must use other techniques—observing disclosure committee meetings, interviewing members of the senior leadership team, reviewing board minutes, obtaining a copy of the organization’s internal communications plan and evidence of its execution, selecting a sample of reported improprieties to assess how management responded or conducting an employee survey.

An organization-wide survey in particular can provide solid evidence about the effectiveness of company-level controls, enabling CPAs to gauge employee awareness of the company’s mission, vision and core strategies; adherence to its code of conduct; and use of its whistleblower hotline. A survey also can provide a benchmark against which to measure improvement in controls over time.


Step Six: Engage in gap remediation and continuous improvement. If you do identify gaps in the design of company-level controls while testing their operating effectiveness, you should initiate remediation efforts as soon as possible. For example, one control objective related to the COSO control environment component involves management demonstrating character, integrity and ethical values through its attitudes and actions. But, if management has not implemented an anonymous whistleblower hotline or established procedures for appropriately handling improprieties reported via the hotline, there likely is a gap in this company-level control. To remedy the problem CPAs should help management take appropriate actions, including setting up a hotline, improving the handling of complaints or establishing a timeline for responding to calls.

In the spirit of improving overall corporate governance, CPAs need to recognize the difference between adequate and best-in-class company-level controls. CPAs should focus on continuous improvement, looking for ways to make the process of assessing company-level controls more efficient and the controls more effective. For example, although an organization’s internal audit team may already use a comprehensive risk-assessment process to support the development of its annual audit plan, it may be able to enhance the process by using a detailed questionnaire on fraud risk factors.

Documenting and assessing company-level controls are key to overall compliance with section 404. More important, CPAs who focus on such controls are likely to find ways to enhance them and ultimately improve the organization’s overall governance. Stronger corporate governance for Campbell Soup and other public companies should translate into stronger business results and increased shareholder value. It could likewise mean greater value for owners of private companies and help nonprofit organizations fulfill their mission. The bottom line: Identifying and assessing company-level controls, performing gap remediation and maintaining a continuous-improvement mindset benefit public companies, private companies, NPOs and other entities alike.

Company-Level Control Objectives
Control Environment
Through its attitudes and actions, management demonstrates character, integrity and ethical values.

Management’s philosophy and operating style are consistent with a sound control environment.

Management assigns authority and responsibility.

Human resource policies and procedures are consistent with and reinforce the control environment.

The audit committee and overall board of directors are actively involved and have significant influence over the organization.

Risk Assessment
Management has established practices for identifying, evaluating and appropriately mitigating risks.

Information and Communication
Management gathers information from and disseminates information to the appropriate people on a timely basis.

Management has established an effective “whistleblower” program as it relates to financial reporting.

Monitoring
Management has established effective ongoing monitoring activities.

Management performs separate evaluations of the organization’s internal control environment to confirm its effectiveness.