What are entity-level controls?

Inspection reports from the PCAOB and FRC consistently flag the same gap: audit files that document process-level controls in detail but treat entity-level controls (ELCs) as a tick-box exercise. The team confirms "yes, a code of ethics exists" and moves on, without evaluating whether anyone enforces it. The result is a file that looks complete on the surface but misses the controls that sit above every transaction cycle.

ISA 315 (Revised 2019) organises the entity's system of internal control into five components. The first four (the control environment per ISA 315.21, the entity's risk assessment process per ISA 315.22, monitoring of controls per ISA 315.23, and the information system per ISA 315.24–25) operate at the entity level, across the organisation rather than within a specific transaction cycle. The fifth component, control activities (ISA 315.26), includes both entity-level policies and process-level controls.

ELCs set the foundation for everything that happens at the process level. ISA 315.A99 states that the control environment provides the context in which control activities operate. Management's commitment to competence and integrity, the governance structure, the assignment of authority and responsibility, and the organisation's approach to hiring and performance evaluation all shape whether process-level controls function as designed.

The auditor evaluates ELCs before assessing process-level controls because the entity-level assessment informs reliance decisions. If the control environment is weak (for example, management has a history of overriding controls or governance oversight is minimal) the auditor needs to consider whether any process-level control can be relied upon, regardless of how well it is designed.

Key Points

  • ELCs operate across the organisation, not within a specific process or transaction cycle.
  • ISA 315.A99 treats the control environment as the foundation for all other control activities.
  • Weak ELCs undermine process-level reliance. A strong three-way match means less if management routinely overrides it.
  • All five components must be evaluated. A file that only covers transaction-level controls is incomplete under ISA 315.26.

Why it matters in practice

The PCAOB's 2023 inspection findings noted that ELC assessments frequently consisted of checklists with yes/no answers and no supporting analysis. Teams confirmed that the entity "has a code of ethics" or "has an audit committee" without evaluating whether those structures function effectively. A code of ethics that sits in the employee handbook but nobody enforces or references in practice does not constitute an effective ELC.

A second common problem: teams evaluate ELCs in isolation without connecting the assessment to the audit approach. If the entity-level assessment identifies a weak control environment (for example, concentration of authority in the owner-manager with limited governance oversight) but the audit plan still relies on process-level controls without addressing this weakness, the file is internally inconsistent. The ELC assessment must flow through to the risk assessment and the planned audit response.

We've seen this on about half the engagements we review: last year's ELC section gets copied forward with no changes, the classic SALY approach. The team updates the date, ticks the same boxes, copies the prior-year conclusion, and moves on. Nobody stops to ask whether the control environment actually changed since last year. It is one of the most frustrating patterns in file review because the fix takes thirty minutes, but the omission undermines the logic of the entire audit plan.

ISA 315.A99 requires the auditor to consider whether the control environment provides a basis for effective control activities. In practice, this means asking whether the people responsible for executing process-level controls have the competence and incentive to do so consistently. If the answer is uncertain, the auditor should consider increasing the extent of substantive procedures rather than relying on controls that may not operate as designed.

Key standard references

  • ISA 315.21–25 sets out the five components of internal control, including the four entity-level components.
  • ISA 315.A99 establishes the control environment as the foundation for effective control activities.
  • ISA 315.26 requires the auditor to evaluate control activities at both the entity level and the process level.
  • ISA 315.A14 discusses how ELCs may operate differently in smaller entities with less formal governance structures.

Frequently asked questions

Can a file that only assesses transaction-level controls pass inspection?

No. ISA 315.26 applies to the entire system of internal control, including entity-level components (control environment, risk assessment process, monitoring, information system). A file covering only three-way matching and bank reconciliations but ignoring entity-level controls is incomplete.

Does a weak control environment mean all process-level controls fail?

Not automatically, but ISA 315.A99 requires the auditor to consider whether the control environment supports effective functioning of control activities. A strong three-way match is worth less if the CEO routinely overrides it for related party transactions.
