The "Fluffiness" of Entity Level Controls
Internal controls are pretty black and white generally, which is why compliance testing can be oh-so-satisfying: It’s either operating or it’s not. It either passes or it fails. There is either evidence, or there isn’t. We got all kinds of tried and true sampling methodologies, and hey, if that’s not enough, we can even test the whole darn population sometimes.
But when it comes to entity level controls and corporate governance, things get soft and fluffy (but not cuddly) fast. Sure, some of them are still pretty straightforward (existence of an annual budget creation process!). But then we start to get into fostering the corporate mission, upholding the code of conduct, keeping fair promotion practices, and it’s like trying to stuff a cloud into a box.