Identifying Company-Level Controls   SEC & PCAOB > PCAOB > Auditing Standard No. 2 > Identifying Company Level Controls Source: PCAOB Release 2004-001 March 9, 2004 Page A–30 – Standard 52. Identifying Company-Level Controls. Controls that exist at the company-level often have a pervasive impact on controls at the process, transaction, or application level. For that reason, as a practical consideration, it may be appropriate for the auditor to test and evaluate the design effectiveness of company-level controls first, because the results of that work might affect the way the auditor evaluates the other aspects of internal control over financial reporting. 53. Company-level controls are controls such as the following: • Controls within the control environment, including tone at the top, the assignment of authority and responsibility, consistent policies and procedures, and company-wide programs, such as codes of conduct and fraud prevention, that apply to all locations and business units (See paragraphs 113 through 115 for further discussion); • Management's risk assessment process; • Centralized processing and controls, including shared service environments; • Controls to monitor results of operations; • Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs; • The period-end financial reporting process; and • Board-approved policies that address significant business control and risk management practices. Note: The controls listed above are not intended to be a complete list of company-level controls nor is a company required to have all the controls in the list to support its assessment of effective company-level controls. However, ineffective company-level controls are a deficiency that will affect the scope of work performed, particularly when a company has multiple locations or business units, as described in Appendix B. 54. Testing company-level controls alone is not sufficient for the purpose of expressing an opinion on the effectiveness of a company's internal control over financial reporting.