Entity-Level Controls

The Backbone of an Internal Control Framework

Download the Framework

Within the challenging and ever-changing environment surrounding entities, the importance of obtaining a clean audit opinion through the adherence to a strong governance framework, the implementation of effective internal controls, and compliance with evolving regulatory requirements has never been greater. To mitigate an entity’s inherent risks, while providing reasonable assurance that effective internal controls are in place, management needs to adapt by clearly understanding their entity’s environment while incorporating a go-forward strategy to enhance their entity’s operations through entity-level controls (ELCs).

ELCs are internal controls that pervasively impact an entity's environment and operations, which may consist of the following five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring. The entity can demonstrate to internal and external users that their goals and objectives have been met by designing, implementing, and maintaining effective ELCs. All five components are intertwined to create a holistic approach to establish an effective internal control framework and support financial reporting assertions.

Five Components of Internal Control

Component Description1 How Can Management Prepare?
Control Environment The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.

Preparations to Consider: Review, and update as necessary, documents such as the current organizational chart, code of ethics, employee handbook, and HR manuals.

Examples: Oversight committees, standards of conduct, organizational charts, and HR manuals.

Risk Assessment Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.

Preparations to Consider: Perform an internal risk assessment while considering the entity's risk appetite and the risk for both internal and external fraud.

Examples: Forecasting and strategic planning of risks and risk tolerances, and analysis of deficiencies related to operations, non-financial reporting, financial reporting, and compliance.

Control Activities The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity’s information system.

Preparations to Consider: Establish effective control activities to accomplish the entity’s goals and objectives, and establish effective ELCs that set standards for the entity’s activity-level controls.

Examples: System application controls, segregation of duties, and physical inventories.

Information & Communication The quality information management and personnel communicate and use to support the internal control system.

Preparations to Consider: Evaluate how ELCs are communicated and disseminated throughout the entity. Update training manuals as needed and ensure annual trainings are held as necessary to communicate expectations to employees.

Examples: Complete and accurate asset populations, whistleblower policies, ethics hotlines, and quarterly newsletters.

Monitoring Activities management establishes and operates to assess the quality of performance over time and promptly resolves the findings of audits and other reviews.

Preparations to Consider: Define the frequency of management’s review of ELCs.

Examples: Ongoing evaluations of employee performance and timely remediation of both internal (e.g., internal audit reports and audit committee meeting minutes) and external feedback (e.g., general public and regulatory agencies).


GAO, September 2014, Standards for Internal Control in the Federal Government, https://www.gao.gov/assets/gao-14-704g.pdf.

About the Experts

Back to top