Identifying Company-Level Controls  
SEC & PCAOB > PCAOB > Auditing Standard No. 2 > Identifying Company Level Controls

PCAOB Release 2004-001
March 9, 2004
Page A30 Standard

52. Identifying Company-Level Controls. Controls that exist at the company-level often have a pervasive impact on controls at the process, transaction, or application level. For that reason, as a practical consideration, it may be appropriate for the auditor to test and evaluate the design effectiveness of company-level controls first, because the results of that work might affect the way the auditor evaluates the other aspects of internal control over financial reporting.

53. Company-level controls are controls such as the following:

Controls within the control environment, including tone at the top, the assignment of authority and responsibility, consistent policies and procedures, and company-wide programs, such as codes of conduct and fraud prevention, that apply to all locations and business units (See paragraphs 113 through 115 for further discussion);
Management's risk assessment process;
Centralized processing and controls, including shared service environments;
Controls to monitor results of operations;
Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs;
The period-end financial reporting process; and
Board-approved policies that address significant business control and risk management practices.

Note: The controls listed above are not intended to be a complete list of company-level controls nor is a company required to have all the controls in the list to support its assessment of effective company-level controls. However, ineffective company-level controls are a deficiency that will affect the scope of work performed, particularly when a company has multiple locations or business units, as described in Appendix B.

54. Testing company-level controls alone is not sufficient for the purpose of expressing an opinion on the effectiveness of a company's internal control over financial reporting.