1. Entity Level Controls - General Tone from the top Risk appetite Organizational environment/atmosphere Usually soft in nature –Soft control: influence how people think/act, but do not directly result in evidence of risk mitigation (e.g. ethical climate, active BOD/Audit Committee, employee handbook, etc.)

2. Entity Level Control - Defined Per Institute of Internal Auditors Research Foundation: “Control activities that operate pervasively across and throughout the organization to mitigate risk threatening the organization as a whole and to provide assurance that organizational objectives are achieved.”

3. Entity Level Controls - Overview Mitigate risks that exist at company-wide level –Both internally and externally Pervasive effect –Impact how effective control activities at the process and transaction levels can operate Work in unison with process/transaction controls against risks that threaten the achievement of strategic and business objectives

4. Entity Level Controls – Specific examples  Code of ethics  Risk management policies/procedures  Fraud prevention/detection program  HR Hiring policies/procedures  Management control deficiency process  Variance analysis  IT general controls

5. Entity Level Controls - example Weakness: Management not committed to attracting, training and developing competent employees Impact: Less reliance can be placed on control activities performed by employees requiring complex or highly judgmental tasks

6. SHR Corporation Case – Entity Level Controls Question: 1.What are strengths of ELC over SHR’s ethics program? 2.Where there any ELC weaknesses in SHR’s ethics program?  If weakness, recommendation to strengthen? 3.Overall conclusion?

7. ELC Strengths:

8. ELC weaknesses: Recommendations:

9. What do you think about SHR’s overall ELC?