As mentioned earlier, entity-level controls are controls that are pervasive across an organization. In other words, they are the areas that you can audit once and feel confident that you have covered the topic for the whole company. This chapter covers the areas that the auditor generally should expect to see centralized. If the topics covered in this chapter are not centralized, or at least centrally coordinated, at your company, it should raise questions about their overall effectiveness. Most of these topics set the "tone at the top" for the IT organization and provide overall governance of the IT environment. If they are not centralized and/or standardized, the auditor should question whether the overall IT environment can be well controlled.
The problem is that there is no set definition of what is and is not an entity-level control; it will vary by company, depending on how the IT environment is defined. An area that is an entity-level process at one company will not necessarily be an entity-level process at another. However, there's really no mystery to it: it all comes down to what's centralized and pervasive at your company. If a critical IT process is centralized at your company, it is a good candidate for being covered in an entity-level controls review.
For example, in Chapter 4 we cover the topic of auditing data centers and disaster-recovery plans (DRPs). In that chapter we discuss auditing areas such as physical security, environmental controls, and system monitoring. Many companies have multiple decentralized data centers, meaning that these controls are not centralized for those companies. However, many other companies have one data center and one set of processes for executing the areas just mentioned. In those companies, physical security, environmental controls, and system monitoring would qualify as entity-level controls because they are centralized and pervasive. We do not cover those areas in this chapter, though, because they are covered in Chapter 4. The point is that auditors must use judgment and knowledge of the company to determine what is and is not an entity-level control.
However, as mentioned earlier, the topics mentioned in this chapter generally should be centralized to a large degree because they provide for the core principles of IT governance. If these areas have been decentralized with no central coordination, the auditor should dig deep before signing off as to their effectiveness.
Put another way, the areas covered in this chapter should be considered the minimum for an entity-level controls review. Other areas (such as data center operations) might be added based on the environment at your company.
Strong IT entity-level controls form a foundation for the IT control environment within a company. They demonstrate that IT management is taking internal controls, risk management, and governance seriously. A strong overall control environment and attitude coming from the top tends to trickle down throughout the organization and lead to strong controls over decentralized processes and functions. Conversely, weak entity-level controls increase the likelihood that controls will be weak throughout the organization because upper management has not demonstrated and communicated to the organization that internal controls are valued. This generally leads to inconsistency at the lower levels because the personalities and values of lower-level managers will be the sole determining factors in how seriously internal controls are taken within the organization.
It is critical for upper management to communicate and set the tone that internal controls, risk management, and governance are valued and will be rewarded. Without this message, departments are more likely to focus on cutting costs, managing their budgets, and meeting their schedules, with no consideration given to internal controls.