Advanced Auditing Final Exam-Group Questions


Entity Level Controls and Corporate Governance

What are entity level control and corporate governance?


“Entity-level, or “tone-at-the-top,” controls define an organization’s corporate culture. They
establish guidelines for an organization’s governance, financial analysis and integrity, and
adherence to applicable laws and professional standards. They set forth an organization’s
values and, through policies and procedures, clarify the desired behavior of the organization’s
employees, management team, and board members.”
3 Aspects of Entity Level Controls:
- Corporate Governance: General policies and procedures that set the tone of the organization
- Financial Application: Governs the responsibilities of departments and the BoD in terms of
reviewing the financial statements
- Law & Legislative Application: Overall compliance with government regulators and other
legal entities

Corporate Governance:

He suggested that we should be able to compare and contrast them. Note: Corporate
Governance is an Entity Level Control, so you will have to mention that in your answer. I would
also look at how to audit both ELCs and corporate governance, as well as some risks that may
be associated with poor Entity Level Controls/Corporate Governance.

Regulation and Monitoring


Compare and contrast different forms of regulation (self-regulation like Canada vs government
regulation like in US) - included in this would be the reasons why Canada has tended to stay
self-regulated
Combination of self-regulation and government regulation works best
Self-Regulation: This type of regulation is done by the profession itself. The authority to
regulate the profession is delegated by the government to professional organizations. This
means that professional trade associations are the ones who come up with standards for
auditors to follow. Monitoring is done using systems of practice inspections, and sanctions are
imposed by these bodies when auditors fail to follow the standards.

->authorship: experts in subject matter
->fast reactions
->public and business interests come into conflict
->reduced competition
->internal conflicts
->less powers
->industry bears the costs
->lower costs

Government Regulation: This type of regulation is seen as more rigorous and is used when
self-regulation would not be strict enough. In this case, politicians are the ones who regulate and
monitor the profession. This often happens after scandals in the auditing industry, when
politicians feel the need to get involved to protect the public.

->authorship: elected officials and politicians
->slow reactions
->public and political interests come into conflict
->reduced competition
->more power
->taxpayers bear the costs
->high costs
Auditing in Canada: Canada uses a more self-regulatory system. CPA Canada, a not-for-profit
corporation, supports the auditing profession by funding, staffing, and providing other
resources to support an independent standard-setting process by the AASB and AASOC. The
Canadian Public Accountability Board is the Canadian equivalent of the United States’ PCAOB.
CPAB oversees the auditing work provided by national accounting firms.

Auditing in Canada is a very self-regulated profession. There are many benefits to this,
including a better understanding by regulators of the technical profession and better
responsiveness to changes in the industry. However, the disadvantages are also numerous and
include less power for regulators and less incentive to discipline your peers. Why have the auditing
industry and Canadian society determined that the benefits outweigh the disadvantages?

Public Sector Audits

a) what are the differences between a performance audit and a financial audit?
The main points for performance audits: they’re different every year unlike financial audits,
assurance is based on set criteria instead of management assertions, and subject matter is
different as it can be for government entities/projects.

b) what are the differences between a special examination audit and a financial audit? The
differences with special examinations: the scope is different (whole entity for special exams, limited
for financial), and the auditor’s goals are different (a financial audit checks the financial
statements, whereas a special exam asks three auditor questions: 1. Are assets safeguarded?
2. Are financial, physical, and human resources used efficiently? 3. Are operations run
efficiently?).

Enterprise Risk Management


Describe how the field of ERM was developed reactively:
ERM was initially introduced as a reaction to the confidence crisis that was occurring in the
market as a result of the Enron and WorldCom scandals. After Sarbanes-Oxley passed in
2002, COSO created the original ERM framework in 2014. This framework provided guidance to
companies on how to more effectively manage the risks they faced.
The field of ERM was further developed in 2009 when the SEC issued a new rule requiring that
public companies provide users of their financial information with increased disclosures
surrounding the issue of risk oversight. More specifically, there were disclosure requirements
on risks being faced, executive compensation and corporate governance.
How is ERM relevant to the audit profession?
Enterprise risk management is an important component of audit on both an internal and
external basis.
From an internal perspective, auditors need to be providing assurance that the company’s ERM
is mitigating both operational risks as well as the risk of misrepresenting the company’s
financial position.
From an external perspective, determining the effectiveness of a company’s control
environment is one of the key elements in planning an audit and determining overall audit risk.
As the auditor’s role evolves from simply evaluating financial statements to include more
relevant and useful information for investors, the importance of completely understanding the
ERM system of a company is magnified.

ERM Definition: Enterprise risk management is a process, effected by an entity’s board of
directors, management and other personnel, applied in strategy setting and across the
enterprise, designed to identify potential events that may affect the entity, and manage risk to
be within its risk appetite, to provide reasonable assurance regarding the achievement of entity
objectives.

ERMs involve 3 main qualities:
1. Integrated: ERM must span all lines of business.
2. Comprehensive: ERM must include all types of risks.
3. Strategic: ERM must be aligned with overall business strategy.

Types of Risk

ERM involves all types of risks. These different risks can be classified into the following
framework:

Strategic Risk: strategy, political, economic, regulatory, and global market conditions, as well
as reputational and brand risk.

Operational Risk: related to human resources, channel effectiveness, customer satisfaction,
health and safety, product/service failure, capacity, efficiency, and change interaction.

Financial Risk: includes market, liquidity, and credit risk and often relates to volatility of
currency, interest rates, and commodities.

Hazard Risk: includes risks that are insurable, including natural disaster, terrorism, and other
insurable liabilities.

Benefits of ERM

Reduced impact/likelihood of risks – When risks materialize, organizations with an ERM are
able to mitigate their effects as they occur. An ERM can also help identify potential risks in
the future by providing early warnings.

Lower earnings and capital volatility – An ERM can help create a system for stable earnings.
This creates increased assurance by being able to quantify risks and to retrieve risk
information in a timely and accurate manner. This in turn will increase shareholder confidence.

Improved credit ratings – With the presence of an ERM, the confidence of third parties in the
entity’s risk assessment increases. Third parties such as banks are more likely to approve
loans if earnings are higher, performance is improved, and the entity is less prone to risk. All
of these improve the credit rating.

Regulatory compliance – An ERM system helps ensure companies meet the regulatory
requirements. Although some organizations believe that their current systems are able to meet
the requirements, an ERM will reduce the risk of failing any regulations.

Business objectives and senior responsibilities – An ERM will raise the importance of risk at
senior levels such as the board of directors. An ERM can also provide the organization with a
better cost management tool, better economic conditions, and an increase in leverage.

Limitations of ERM

Lack of resources – Certain companies may not have the financial flexibility to implement or
properly manage an effective ERM. What managers can do is use an approach where they
efficiently allocate resources to other aspects of the business with more value or where risk is
more probable.

Lack of perceived value – As stated above, many organizations do not see the benefit of
implementing an ERM. Too much value is placed on legal and regulatory compliance, but these
instances only reveal costs rather than benefits. Organizations believe that their current risk
systems are adequate in foreseeing risk.

Red tape perception – Much like perceived value issues, workers tend to have a negative view
of inspections and legal documents meant to mitigate risk. To remove these barriers, managers
can change the organizational culture to adjust the attitude towards this behavior and open
lines of communication.

Competing priorities – In the study by the ERM Initiative, they state that 51% of barriers to ERM
implementation are caused by the interference of other priorities. In instances like Enron and
WorldCom, the perceived competing priority was their status as industry leaders. Companies
tend to focus on growth and sales without realising environmental risks. Managers can reduce
these effects by acquiring analytical data to maximize their growth efforts.

Lack of senior ERM leadership – Much like the previous issues, leadership problems can be
resolved by opening lines of communication to risk managers. There are a lot of biases present
in organizational culture. This affects decisions where risk is evident, and decisions can be
made where risk is ignored.

Audit of NPO:
1. List and describe 3 examples of risks specific to NPOs.
2. What are the most common fraud risks for NPOs and what internal controls can mitigate
these risks?

(Can find solutions from risk/end of fraud risk and internal control sections of our report)

Internal auditing
1) Explain the importance of independence for internal auditors (IA).
2) What are three differences and/or similarities of IA and external auditing (EA)?
1) Explain the importance of independence for internal auditors (IA).
- IA’s main goal/duty is to the organization, therefore it has to be independent from the
management that runs the org.
- The Toshiba case illustrates many failures of independence mechanisms, which include
conflict of interest, improper reporting relationships, subordinated judgement, and
overall threats to objectivity.
  - CFO playing a role as 1) a perpetrator of fraud, 2) the chief audit executive
  (CAE) responsible for internal auditing, 3) part of the audit committee.
    - CAE should report to a level in the org that ensures independence of the IA
    function – it can be the CFO for some firms, but not for Toshiba.
  - Individual auditors noticing irregularities were too afraid to question the CFO.
- IA can’t assume management’s role: IA recommends/follows up, management
implements.
- Proper independence = proper IA function = proper corporate governance
(mechanism to ensure implementation of the governance structure).

2) What are three differences and/or similarities of IA and external auditing (EA)?
Several points to choose from:
- IA is both an assurance and advisory provider, but its main role is assurance (assuring
operations perform as intended before they can advise on improvements of these
operations). EA of public companies is restricted from providing non-audit services to
audit clients (SOX).
- IA evaluates whether the organization is operating as intended and provides
recommendations for improvements. EA is generally limited to providing
assurance on the fairness of the financial statements.
- IAs are responsible for evaluating fraud risk, and therefore have a responsibility to
identify weaknesses in the organization's internal controls and provide
recommendations to improve anti-fraud control mechanisms. EAs must consider
the risk of material misstatements due to fraud in the financial statements, but are
not responsible for improving the organization's internal controls to mitigate fraud
risk.
- EA and IA use the same type of analytics on the same information and have a plan,
examine, report phase.
- IA does not have a preliminary stage. EA has this stage to evaluate the client business
and acceptance/continuance (usage of analytics). IA can’t decline to perform
assurance on its own organization. Both contact management to assess the current
condition of operations.
- Planning phase: examine which parts of the company may have weaknesses or
contribute to major portions of the operations. These significant areas would
require testing.
- Testing: auditors will either choose substantive testing if they think the controls are good
enough, or control testing because the financials will be bad if controls are bad. There is no
point in substantive testing if everything is going to be incorrect.
- Reporting: IA recommendations vs EA reasonable assurance of no misstatements. EA
specifically highlights management’s responsibilities (e.g. for implementing controls).
Different goals but similar process; it depends on scope and what EA have agreed to do in their
engagement letter.

Insurance Company Audits


For Audit of an Insurance Company, we came up with 3 questions:
1. What are the key accounts and relevant assertions for an insurance company?
Statement of Financial Position:
Reserves (Liabilities):
Assertions:
1. Completeness: account includes all appropriate significant adjustment expenses to
accurately reflect the risks
2. Valuation: unpaid claims must be discounted with appropriate rates and actuarial
practices

Unearned Premiums (Liabilities):
Assertions: Existence:

Investments:
Assertions:
1. Valuation: investments are being properly accounted for at fair value
2. Existence: the investments recorded do in fact exist

Cash:
Assertions:
1. Existence: company’s cash balance exists and they have proper access to the funds
2. Ownership: over “proper obligations to pay out all the liabilities and expenses”
(Smieliauskas and Bewley, pg.162)
3. Cutoff: cash is being recorded in the proper period

Income Statement:
Net Earned Premium:
Assertions:
1. Existence: standard with a revenue account for any company
2. Ownership: increasingly important as IFRS 17 is implemented because insurance
companies must defer the contractual service margin (CSM)

Claims:
Assertions:
1. Existence:
2. Completeness:

Commissions:
Assertions:
1. Existence: the commissions payable and paid are to actual intermediaries and agents for
selling policies so as to not overstate the account

2. What risks apply specifically to the key accounts for an insurance company?
Risks in Insurance Companies:
Inherent Risk: is higher in companies that involve many transactions that are complex and
require a high degree of judgement (Investopedia, n.d.). Some common inherent risk factors
that an insurance company faces are as follows:
1. Use of actuarial estimates: uncertainty regarding the accuracy of estimates made.
2. Complex business relationships: longstanding and complicated relationships with
multiple parties increase complexity of operations especially if the company holds
control of another company that may be involved with entities that have SPEs, etc.
3. Reliance on outsourcing: opens insurance company up to risks such as underwriting,
fraud committed against the insurer, or even negative publicity due to relationships (e.g.
the Wells Fargo fraud scheme covered in class)
4. Climate change: changing climate has increased the frequency and severity of extreme
weather and natural disaster
5. Emerging technologies: the changing nature of transportation, advancement in medical
technologies, cyber security risks, the sharing economy and the connectivity of
technology and internet affect how the industry operates and the type of insurance
policyholders require
6. Economic challenges: any indications of a recession can be harmful to insurance
companies as much of their profit relies on investments and derivatives
(The Co-Operators, pg. 6)

Control Risk: is increased when there is an absence or greater expectation that controls related
to specific functions of the entity will fail (Accounting Simplified, n.d.). Some common control
risk factors with corresponding internal control mechanisms are as follows:
1. Risk assessment (life insurance): a poorly done calculation in determining whether or
not to insure an individual and at what premium, risks insurance company high costs
and losses.
Internal controls: ensure that the insurance application is designed to allow for accurate
assessment and is properly filled out, assess the risk of accumulation by observing if any
other contracts in the company cover the same party, assess that the medical
questionnaire and supplemental examinations constitute effective protection against
adverse selection.
2. Claims provisions (non-life insurance): only an estimation therefore misestimation is
always possible, distorting the picture of the company’s financial position. The issues of
control particularly involve underfunding, which distorts the balance sheet; mispricing,
which is concealed by miscalculation of costs; mismanagement of claims; and fraud or
the unjustified payment of real or fictitious claims.
Internal controls: measurement by internal auditors regarding quality of claims
management and the appropriateness of the amounts of provisions held. Internal audit
of claims both verifies the amounts at a given date (legally correct, sufficient and
adequate amounts) and verifies the procedures and methods of assessment (legally
correct, reasonable and properly implemented).
3. Safeguarding of investments: investments are subject to the variety of financial risks
(market, price, liquidity, currency, credit/issuer, systemic, legal, counterparty, fraud). An
insurance company’s investments back its commitments to policyholders, therefore
must be monitored and managed with care.
Internal controls: the supervisory authority checks that insurers have in place adequate
internal controls to ensure asset management complies with laws and regulations; the
Board ensures the investments are in accordance with the insurance company’s
investment strategy, evaluates the risk protection mechanisms, segregation of duties,
proper valuation on the balance sheet, etc.
4. Asset-liability management: subject to funding risk on traditional contracts which
includes reinvestment risk (risk that the rate of return on future investments will be
lower than the rates guaranteed in the insurance contracts), and liquidation risk (risk
that the company will be forced to transfer depreciated liabilities without
reimbursement).
Internal controls: an asset-liability committee (or investment committee) is the decision
making body and should identify risks specific to the insurance company, define the
objectives of the company, and create the financial strategy that includes acceptable
types of investments. Compliance with this strategy can be monitored by the committee at
several levels, by management, internal auditors, etc.
5. Derivative instruments: subject to a large variety of the financial risks of investments, as
well as derivative risk. Requires supervision, monitoring of positions, and strict internal
control because they are subject to the fluid nature of derivatives, in which transactions
may be made very rapidly based on verbal orders and in volumes that are sometimes
considerable, making them quite hard to track.
Internal controls: insurers have in effect risk management systems that cover the risks
from derivative activities
6. Computer systems:
a. Error risk: use of complex computer processes involves repetitive operations
which could result even in a minor error being repeated throughout the system
causing material misstatement
b. Risk of malicious intent or fraud: user-friendliness of software (unlike traditional
accounting tools) allows any malicious person to make an erroneous entry
c. Risk of negligence: too much confidence can be placed in the operators of
technological resources but the greater the sophistication of the hardware being
used, the greater the need for strict control
d. The risk of chance mishaps: can include the crashing of a software program or an
accidental interruption by encoding that exceeds a file’s capacity
Internal controls: monitor the reliability of hardware, data entered on computers, data
processing, data protection, and description of processes. Moreover, to prevent
destruction of hardware and data, and possibly to repair them, internal control
processes should follow a number of elementary rules with regard to security
mechanisms (locks, passwords) and the safeguarding of files and programs
7. The use of intermediaries: opens up the insurance company to a variety of risks such as
underwriting risk, in which the intermediary may accept a poor risk or even commit the
insurer beyond its limits, risk of fraud through the sale of fictitious policies or the
payment of undeserved benefits, risk of embezzlement of funds received from
policyholders or insurers, and financial risk relating to late remittance of funds collected
Internal controls: control the integrity of intermediaries, segregate duties between
intermediaries and departments that are in charge of pricing and issuing policies,
monitor the position of intermediaries regularly on basis of balance sheet ratios and
conduct regular internal audits ensuring intermediary does not pay out undeserved
benefits, is remitting all premiums to the company, and isn’t committing the company
beyond the authorized ceiling.
8. Outsourcing: subjects the company to risks like using intermediaries and can also
undermine the interests of policyholders (e.g. if, for a reason outside of the insurers, the
outsourced company fails to provide required services to policyholder)
Internal controls: guidelines prepared by the Board are clearly described in the
outsourcing contract and complied with by the provider; the company’s resources for
analyzing risks associated with outsourcing are adequate and effective; alternate
solutions exist if operational problems should arise in respect of service providers; and
the insurance company is empowered to terminate the outsourcing contract at any time
if difficulties arise that are harmful to its reputation, business policy, or financial
situation
(Bellando, pg. 17-27)

Fraud Risk: can emanate from internal and external factors. Insurance contracts provide both
the insured and insurer with the opportunity of exploitation. The severity of the fraud can
range from just a slight exaggeration to deliberately causing loss of assets (EY, 2011).

Three categories of fraud in insurance companies are:
1. Policyholder and claims fraud: a fraud against insurer by policyholder and/or other
parties in the purchase and/or execution of an insurance product
2. Intermediary fraud: a fraud by intermediaries against insurer and/or policyholders
3. Internal fraud: a fraud against insurer by employee on his/her own volition or in
collusion with parties that are internal or external to insurer
(EY, 2011, pg. 3)
Common fraud techniques affecting insurance companies include:
1. Commission rebating: where a portion of the premium or commission on the premium
is returned to the insured to place business with a specific insurer (Rebating, n.d.)
2. Fake documentation: where documents, typically medical bills, are forged to profit the
fraudster
3. Collusion between parties: two parties collude to profit from a fraud committed against
an insurance company, an example being a hospital and a patient colluding by the
patient signing for a treatment that is more expensive than the required one and both
profiting from the claim
4. Misselling: a practice where a product or service is deliberately misrepresented or the customer
is misled about its suitability through tactics such as omission of key information,
misleading advice, or sale of an unsuitable product based on the customer’s expressed needs
and preferences
3. What is an actuary's main role in an insurance company? How does this contribute to
inherent risk in an audit?
The main job of the actuary in an audit is to confirm the reasonableness of the actuarially
determined reserves of an insurance company. The auditor’s actuaries conduct
reasonability tests and review the calculations that support the reported amounts on a
company’s financial statements (Frese, R., & Bloemer, T., 2017). Like all other auditors,
actuaries must remain independent as per GAAS, and there can be inherent conflicts when
offering consulting services to a company for which they also offer accounting or audit
services.

Environmental audit:
1. What is environmental auditing?
2. What are the differences between environmental audits and financial audits?
