Sometime back, I had discussed how company level controls work here and here. Today, I am discussing the first type of company level controls i.e. indirect company level controls. Just a reminder though, company level controls can be bifurcated into -

- Indirect Company Level Controls; and
- Direct Company Level Controls

Indirect company level controls normally have an indirect relationship with the control activities. At a process or transaction level, auditors get limited comfort from effective indirect company level controls. By limited comfort I mean that testing efforts may be reduced based on indirect CLC's. However indirect company level controls do not provide evidence of operating effectiveness of key controls. Indirect company level controls work in tandem with the softer COSO components. Examples of indirect company level controls may include, management style and philosophy, control environment, control culture, policies defined by management, top management's approach to control, fraud risk management by top management etc.

More on Internal Controls

Continous Auditing of Controls
How to Evaluate Internal Control Exceptions?
Role of Process Owners in SOX Compliance
Cost Estimates for Sarbanes Oxley Compliance