Enterprise-level controls are the only mechanism available to management to provide assurance that appropriate control systems and procedures are in place at all levels of the company.
Management can typically obtain assurance regarding items that are critical only in conjunction with other enterprise-level items by assessing, documenting, and testing enterprise-level controls, and possibly also by using other evidence (self-assessments, internal audits, control monitoring, etc.) obtained at those items.
Therefore, assessing enterprise-level controls is an important component of a Section 404 project. As a practical guideline, management is advised to first test and evaluate the effectiveness of the design of enterprise-level controls, as the results of such testing will influence the nature, scope, and timing of additional procedures at the test items.
For companies with multiple business units, it is critical that enterprise-level controls are generally effective. When such controls do not exist or are ineffective, improving company-level controls should be a priority. The presence of a large number of deficiencies in company-level controls may require several months to resolve. Inadequate company-level controls may also indicate that the overall control environment is ineffective.
Company-level controls must be reviewed at key locations. Therefore, management’s assessment of company-level controls will influence the nature, timing, and extent of the control review at key business units.
Management should determine at what level of the organization company-wide controls operate (corporate, segment, business unit, or lower). Although management develops and issues accounting policies at the corporate level, management should conduct testing at key locations to confirm that the policies are being applied appropriately. Company-level controls extend to internal control components and the fraud prevention program.