Entity Level Controls - General

1. Entity Level Controls - General • Tone from the top • Risk appetite • Organizational environment/atmosphere • Usually soft in nature • Soft control: influence how people think/act, but do not directly result in evidence of risk mitigation (e.g. ethical climate, active BOD/Audit Committee, employee handbook, etc.)

2. Entity Level Control - Defined • Per Institute of Internal Auditors Research Foundation: “Control activities that operate pervasively across and throughout the organization to mitigate risk threatening the organization as a whole and to provide assurance that organizational objectives are achieved.”

3. Entity Level Controls - Overview Mitigate risks that exist at company-wide level Both internally and externally Pervasive effect Impact how effective control activities at the process and transaction levels can operate Work in unison with process/transaction controls against risks that threaten the achievement of strategic and business objectives

4. Entity Level Controls – Specific examples Code of ethics Risk management policies/procedures Fraud prevention/detection program HR Hiring policies/procedures Management control deficiency process Variance analysis IT general controls

5. Entity Level Controls - example Weakness: Management not committed to attracting, training and developing competent employees Impact: Less reliance can be placed on control activities performed by employees requiring complex or highly judgmental tasks

6. SHR Corporation Case – Entity Level Controls Question: What are strengths of ELC over SHR’s ethics program? Where there any ELC weaknesses in SHR’s ethics program? If weakness, recommendation to strengthen? Overall conclusion?

7. ELC Strengths:

8. ELC weaknesses: Recommendations:

9. What do you think about SHR’s overall ELC?