1 - Internal Control Frameworks Flashcards
COSO issued the “Internal Control - Integrated Framework” to assist organizations in doing what?
develop comprehensive assessments of IC effectiveness
This framework is also often referred to as “the framework”
How does the principles-based approach support an effective system of internal control under the COSO framework?
An EFFECTIVE system of IC requires the use of judgment in determining the sufficiency of controls, applying the proper controls, and assessing the effectiveness of the system of controls.
The principles-based approach of the COSO framework emphasizes the importance of MGT JUDGMENT
MS: One framework for controls does not fit all companies because every company is different (i.e. in size, its business, process, etc), and as such mgt must use judgment
Define “internal control”
a process that is designed and implemented by an organization’s management, board of directors, and other employees to provide REASONABLE ASSURANCE that the organization will achieve its OPERATING, REPORTING, and COMPLIANCE objectives
What are the three objectives of internal control? (ORC)
- effective & efficient Operations
- Reporting (financial and nonfinancial)
- Compliance with laws & regulations
What does the “COSO Cube” comprise?
ORC - 3 main objectives
CRIME - 5 I/C components
Organizational structure (entity, division, operating unit, function)
Describe the Operations objective
relates to the effectiveness and efficiency of an entity’s operations.
Want to ensure the assets of the org. are adequately safeguarded against potential losses
Describe the Reporting objective
pertains to the RELIABILITY, TIMELINESS, and TRANSPARENCY of an entity’s external & internal financial AND nonfinancial reporting, as established by regulators, recognized standard setters, or the entity’s own policies
Describe the Compliance objective
established to ensure the entity is adhering to all applicable laws and regulations
What are the five components of internal control? (“CRIME”)
- Control environment
- Risk assessment
- Information & communication
- Monitoring activities
- Existing control activities
What is needed in order to achieve the 3 objectives of I/C?
ALL 5 components (CRIME) and the relevant principles (17 in total) must be both PRESENT & FUNCTIONING, and the components must operate together in an integrated manner
Describe Control Environment
Tone at the top - ethics
includes the processes, structures, and standards that provide the foundation for an entity to establish a system of I/C.
What are the principles related to Control Environment?
“EBOCA”
- Commitment to ETHICS & Integrity — establish standards/code of conduct
- Board Independence & Oversight — independent and knowledgeable
- Organizational Structure — reporting lines, authority, and responsibilities are all appropriate
- Commitment to Competence — there is a commitment to attract, develop, and retain competent employees
- Accountability — establish performance measures, incentives, and rewards without excessive pressure
Describe Risk Assessment
an entity’s identification and analysis of risk to the achievement of its objectives
What principles are related to Risk Assessment
Make an entity “SAFR”
- Specify objectives — clearly enough that risks to achieving those objectives can be identified and assessed
- Identify and ASSESS Changes — the org identifies and assesses changes that could significantly affect I/C, such as changes in the external environment, business model, or leadership
- Consider potential for FRAUD — assess the fraud triangle (incentive/pressure, opportunity, rationalization)
- Identify and analyze RISKS — determine how risks should be managed (Enterprise Risk Management)
Describe the Information & Communication component
these systems support the identification, capture, and exchange of information (b/t internal and external parties) in a timely and useful manner.
List the principles included in Information and Communication
“OIE”
- Obtain and use information — obtains or generates and uses RELEVANT, HIGH QUALITY information to support functioning of IC
- Internally communicate information – information necessary to support functioning of I/C is communicated in a flow of information up, down, and across the organization
- Communicate with external parties — two-way external communication channels using a variety of methods and channels (e.g., CPA firm or consultants)
Describe Monitoring Activities
process of assessing the quality of I/C performance over time by assessing the design and operation of controls on a timely basis and taking the necessary corrective actions
What principles relate to Monitoring Activities
“SOD”
- SO = Ongoing and/or Separate Evaluations — on whether the components of I/C are present and functioning (the frequency of testing is dictated by RISK)
- Communication of Deficiencies — report deficiencies in a timely manner to those responsible for corrective action and make sure corrective action is taken
Describe Existing Control Activities
the controls set forth by an entity’s policies and procedures to ensure that management’s directives to mitigate risks are carried out
Control activities may be detective or preventive
Segregation of duties is usually a big one
What principles relate to Existing Control Activities
“CAT PP”
- Select and develop CONTROL ACTIVITIES
- Select and develop TECHNOLOGY controls
- Deployment of POLICIES & PROCEDURES
Define present and functioning
present - included in the design and implementation of the I/C
functioning - operating as designed in the I/C system
What specific requirements must I/C meet in order to be considered an EFFECTIVE SYSTEM?
Senior mgt and the board must have reasonable assurance that the entity:
- achieves effective and efficient operations
- complies with all applicable rules, regulations, laws, etc.
- prepares reports that are in conformity with the entitiy’s reporting objectives and standards.
What results when there is an ineffective I/C
= greater risk that ORC is not achieved
GAAS uses the terms “material weakness” and “Significant deficiency”
COSO uses the term “major deficiency”
Describe a “major deficiency” and what results if one exists
represents a material I/C deficiency that significantly reduces the likelihood that an organization can achieve its objectives
if identified, the entity may NOT conclude that it has met the requirements for an effective I/C system under the COSO framework
List some inherent I/C limitations
- human failure
- faulty or biased judgment
- external events
- collusion
- mgt override
- suitability of entity objectives
What does applying the internal control framework comprise?
- manage application
- evaluate effectiveness
- deficiency assertions
How will mgt use the COSO framework to document its IC assessment
“COPS”
Follow these steps, each supported by the one below it:
- Overall assessment (supported by…)
- Component evaluations (supported by…)
- Principle evaluations (which serve as the source for isolating and defining internal control deficiencies)
- Summary of IC deficiencies (if any)
What are the common risks normally identified using the COSO framework
material omission
fraud
mgt override of controls
illegal acts
What is the underlying premise of ERM
the underlying premise of ERM is that every entity exists to provide value for stakeholders and that all entities face risk in the pursuit of value for their stakeholders.
value = increased stock price and/or dividends paid
Define “risk” according to COSO
Risk is the possibility that events will occur and affect the achievement of strategy and business objectives
How is value developed
“CPER”
creation
preservation
erosion (don’t want this)
realization
Describe value creation
your benefit has to exceed your resource costs
ROIC > Cost of Capital
+NPV
need to create a profit
resources consumed = people, financial capital, technology, process, and brand; the benefits produced must outweigh these costs
Describe value preservation
want to have SUSTAINABLE operating profit (not a one time deal, ongoing)
Describe value erosion
we don’t want the value of the business to go down (i.e when cost > benefit)
stock price goes down
ROIC < cost/hurdle rate
-NPV
Describe value realization
when benefits are received by stakeholders either monetary or nonmonetary in form
Dividends or stock price/capital gain
Customer satisfaction
Describe mission
represents the CORE PURPOSE of the entity. Represents the WHY the company exists and what it hopes to accomplish
Describe vision
represents the aspirations of the entity and WHAT it hopes to achieve over time
Describe core values
represent an organization’s beliefs and ideals about what is good or bad
the HOW the org plans to achieve goals (ethics, culture, core values)
What elements are included in Enterprise Risk Management?
“CCPIS”
Culture
Capabilities (competitive advantage)
Practices
Integration with strategy setting and performance
Describe culture as it relates to ERM
represents COLLECTIVE THINKING of the people within an org.
Culture plays an important role in SHAPING DECISIONS regarding risk
correlates with core values
Describe capabilities as it relates to ERM
Competitive advantage
produces value for an entity
exploitation of competitive advantage and adaptation to change are skill sets embedded within ERM
Describe practices as it relates to ERM
continually applied at all levels of the entity (not just the board or officers, the entire entity)
Describe integration with strategy setting and performance as it relates to ERM
Why do you exist? Ie what is your mission?
&
What’s your vision? strategy?
Describe risk appetite
represents the types and amounts of risk, on a broad level, that an organization is willing to accept in pursuit of value
it’s a range rather than a specific limit and provides guidance encouraging a firm to pursue or not pursue certain endeavors
expressed first in mission and vision
varies between products, business units, or over time
what is the relationship of value and risk appetite
directly related
Greater the risk, greater the expected return
What is the application of ERM intended to do?
provide management with a REASONABLE EXPECTATION of success
Define risk inventory
all risk that could impact an entity
could be societal, economic, demographic, or legal risk etc
Define reasonable expectation as it relates to ERM
the amount of risk to achieving strategy and business objectives that is appropriate for an entity, recognizing that no one can predict risk with precision
Define risk profile
a composite view of the risk assumed at a PARTICULAR level of the entity or aspect of the business (product line, geographic area, customer) to consider the TYPES, SEVERITY, & INTERDEPENDENCE of risk
describe portfolio view
entity wide risks
more of a holistic view
are we diversified
at the parents as opposed to the product level
Define organizational sustainability
the ability of an entity to withstand the impact of a large-scale event
e.g., a financial crisis
What are the components of ERM
5 components
“GO PRO”
- Governance and culture (similar to control environment, tone at the top)
- Strategy and Objective-setting (mission/vision, define your risk appetite)
- Performance (evaluate, id and respond to risk using ARTS)
- Review and Revision
- Information, communication, and Reporting (ongoing)
What are the principles of ERM
20!
See pg 20 in the book. Have to write it to remember it. Not worth making flashcards for but you HAVE to review it
What are Risk Responses as it relates to ERM
ARTS
Avoid (high frequency & high severity risks)
Reduce (high frequency & low severity) - hedge/derivatives/security alarms
Transfer/Share (High severity and low frequency) - buy insurance
Self-insure/Accept (Low frequency and low severity) - you chose to be in that industry
What are the three main components of the Sarbanes Oxley Act of 2002?
Corporate Responsibility
Enhanced Disclosures
Fraud accountability (criminal penalties and whistleblower protection)
Who does Sarbanes Oxley affect
the financial reporting of PUBLIC companies
Who is typically included in “Corporate Responsibility”?
Audit Committee
and
CEO/CFO representations
Who does the auditor of an engagement report to?
the audit committee
What are the responsibilities of the audit committee?
it is directly responsible for the appointment, compensation, and oversight of the work of the public accounting firm employed by the public company
also responsible for resolving disputes between the auditor and management
are to be members of the issuer’s board of directors BUT are otherwise completely INDEPENDENT (they may not accept compensation from the issuer for consulting/advisory services)
Must establish procedures to receive and handle complaints regarding accounting, internal control, or auditing matters (whistleblower hotlines)
What representations must the CEO and/or CFO sign regarding annual and quarterly reports?
- they have reviewed the report
- the report does not contain untrue statements or omit material information
- the F/S fairly present in all material respects the financial condition and results of operations of the issuer
- **CEO and CFO sign off that THEY are responsible for internal controls (I/C DESIGN, EVALUATION of effectiveness, and their CONCLUSIONS as to the EFFECTIVENESS of I/C based on that evaluation)
- **CEO and CFO sign off that they made disclosures to the issuer’s auditors and audit committee regarding (1) all significant deficiencies (SD) and material weaknesses (MW) in the design or operation of I/C that might adversely affect the F/S and (2) ANY fraud, regardless of materiality, that involves management or any other employee with a significant role in I/C
- **CEO and CFO must also disclose any significant changes to internal controls
What does “improper influence on the conduct of audits” relate to?
No officer or director may take any action to fraudulently influence, coerce, manipulate, or mislead the auditor for the purpose of rendering the F/S materially misleading
in other words, they must cooperate with the auditor
If an issuer is required to prepare an accounting restatement due to material noncompliance with any financial reporting requirement, what happens?
the CEO and CFO may be required to reimburse the issuer for:
- bonuses or incentive-based or equity-based compensation received during the 12-month period following the filing of the noncompliant financial statements
- gains on sales of the issuer’s securities during that same 12-month period
What are “enhanced financial disclosures” otherwise known as
Title IV
What are the enhanced financial disclosures for Periodic reports (quarterly or annually)
- all material correcting adjustments identified by the auditor
- all material OFF-BALANCE SHEET transactions (operating leases, contingent obligations, relationships with unconsolidated subsidiaries (equity method))
What are the enhanced financial disclosures for conflicts of interest
issuers are generally prohibited from making personal loans to directors or executive officers
- exceptions apply for consumer credit extended in the ordinary course of business on market terms (e.g., a bank’s home loans)
Describe the enhanced financial disclosure for transactions involving management and principal stockholders
related parties!!
disclosures are required for directors, officers, and persons who directly or indirectly own more than 10% of the company’s equity securities
Describe Section 404
Each annual report is required to contain an internal control report that includes:
- a statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting
- an assessment, as of the end of the issuer’s most recent fiscal year, of the effectiveness of the I/C structure and procedures for financial reporting
What should be included in the code of conduct/ethics? (be familiar!)
- honest and ethical conduct (including handling of conflicts of interest)
- full, fair, accurate, and timely disclosures in periodic financial reports (FACT)
- compliance with laws, rules, and regulations
Describe the disclosure of audit committee financial expert
at least one member of the audit committee should be a financial expert. The issuer’s financial reports must disclose the EXISTENCE of a financial expert on the committee OR the reasons why the committee does not have one (e.g., the expert just died)
What knowledge must the “financial expert(s)” on the audit committee have?
- understanding of GAAP
- experience in the preparation or auditing of financial statements for comparable issuers
- application of GAAP
- experience with I/C
- understanding of audit committee functions
this experience allows them to help resolve disputes between management and the auditor
What are the responsibilities of the SEC as it relates to disclosures?
SEC is required to review disclosures made by ISSUERS, including those in Form 10-K, on a regular and systematic basis for the protection of investors
How frequently should the SEC schedule reviews?
SEC should consider
- has the issuer historically had material restatements
- has the issuer experienced significant volatility in its stock price compared to other issuers
- issuers with large market cap
- issuers whose operations significantly affect any material sector of the economy (“too big to fail”) - big insurance co’s/banks etc.
- emerging companies with disparities in P/E ratios
What happens when individuals alter, destroy, conceal, cover up, or falsify records with the intent to impede, obstruct, or influence an investigation?
They will be fined, imprisoned for not more than 20 years, or both
How long should auditors of issuers retain audit and review workpapers?
seven years from the end of the fiscal period in which the audit or review was conducted
failure to do so will result in a fine, imprisonment for not more than 10 years, or both
What is the statute of limitations for securities fraud?
no later than the EARLIER OF 2 years after the discovery of the facts constituting the violation or 5 years after the violation
2+5
Describe whistle-blower protection
a whistleblower who lawfully provides evidence of fraud may NOT be discharged, demoted, suspended, threatened, harassed, or in any other manner discriminated against for providing such information.
If the above occurs, the employee may be awarded compensatory damages including:
- reinstatement with the same seniority status they would have had
- back pay with interest
- compensation for any special damages (e.g., litigation costs, expert witness fees, reasonable attorney fees)
Any issuer F/S filed with the SEC must be accompanied by what?
- a WRITTEN statement that the periodic report fully complies with the Securities Exchange Act of 1934
- a WRITTEN statement that the info contained in the report FAIRLY presents, in all material respects, the financial condition and operating results of the issuer
- the WRITTEN statements above must be signed by the CEO and CFO
If someone certifies a periodic financial report KNOWING that it does not satisfy all the requirements, what are the repercussions?
he or she will be fined and/or imprisoned. Specifically, a party who:
- certifies & knows it doesn’t comply = up to $1M fine and/or imprisonment for not more than 10 years
- WILLFULLY certifies & knows it doesn’t comply (fraud, intentional) = up to $5M fine and/or imprisonment for not more than 20 years
What relationship does risk and return have?
directly related
What are risk and return a function of?
Both market conditions AND the risk preferences
What are the basic risk preference behaviors
Risk-indifferent behavior
Risk-averse behavior
Risk-seeking behavior
Describe risk-indifferent behavior
you’re the exception if this is your behavior.
an attitude toward risk in which an increase in the level of risk does not result in an increase in management’s required rate of return
(the required return is the same regardless of the level of risk)
Describe risk-averse behavior
the general rule
most people exhibit this behavior
an attitude toward risk in which an increase in the level of risk results in an increase in management’s required rate of return
Describe risk-seeking behavior
exception - VERY unusual, very rare
an attitude toward risk in which an increase in the level of risk results in a DECREASE in management’s required rate of return
Interest rate risk
aka “Yield Risk”
As the interest rate increases, the value of fixed income goes down (inverse relationship)
Fluctuations in the value of the instrument in response to changes in interest rates (ex: I have a bond that pays a fixed rate. If interest rates go up, other people can get bonds that pay out higher rates. As such, the value of my bond will go down)
Market/Systematic/Nondiversifiable Risk
fluctuations in value as a result of operating within an economy
Unavoidable
Ex: war, inflation, international incident, political events
Unsystematic/firm-specific/diversifiable risk
nonmarket
represents the portion of a firm’s or industry’s risk that is associated with random causes and can be eliminated through DIVERSIFICATION
Attributed to firm-specific/industry-specific events
Ex: strikes, lawsuits, regulatory actions, or the loss of a key account
Credit risk
affects borrowers (the cost of borrowing)
Includes a company’s inability to secure financing OR secure favorable credit terms as a result of poor credit ratings.
Relationships:
As credit risk goes up, the cost of borrowing goes up.
If your credit rating goes down, you’re a greater credit risk and your cost of borrowing goes up
If you have a poor credit rating, lenders will demand a higher interest rate (collateral may also be required)
Default risk
affects lenders
the possibility that debtors may not repay the principal or interest as it becomes due on a timely basis
historically, US treasury securities have the lowest default risk (i.e. risk free rate = tbill)
Liquidity risk
affects lenders (investors)
lenders/investors are exposed to liquidity risk when they desire to sell their security but cannot do so in a timely manner OR when material PRICE CONCESSIONS have to be made to do so
Ex: “not publicly traded” items, real estate
Price risk
affects investors
the exposure that investors have to a decline in the value of their individual securities or portfolios
price risk is diversifiable (can be diversified away)
Stated rate general characteristics
given
aka nominal rate
always quoted on an annual basis and before any compounding
Effective interest rate characteristics
periodic rate - interest can be paid annually (1 period), semiannually (2), quarterly (4), etc.
the more frequent the compounding, the higher the effective annual rate for the same stated rate
Compute the effective interest rate
effective rate per period = interest paid per period / net proceeds of the loan
interest paid per period = (principal × stated rate) / # periods per year
net proceeds = principal less any fees or discount withheld, so fees raise the effective rate above the stated rate
Define Maturity Risk Premium (MRP)
risk increases with the term to maturity
longer the term to maturity = the higher the required rate of return
the longer the maturity = more risk because you have greater exposure to interest rate risk over time
Define Purchasing Power Risk or Inflation Premium
added to the real risk-free rate to arrive at the nominal risk-free rate
the compensation investors require to bear the risk that price levels will change and affect asset values
Describe liquidity risk premium
the risk an investment security cannot be sold on a short notice without making significant price concessions
describe default risk premium
risk that the issuer of the security will fail to pay interest and/or principal due on a timely basis
What can diversification help with?
unsystematic (firm-specific) risk
What is considered nondiversifiable risks?
market, systematic risk
How to mitigate interest rate risk
can mitigate by investing in floating-rate debt securities (i.e., rather than invest in fixed income, invest in variable-rate securities)
can mitigate by investing in derivatives (e.g., forwards or interest rate swaps)
- interest rate swaps --> if you think rates are going to go up (and hence your fixed-income holdings will be worth less), you want to enter into an agreement where you pay a fixed rate (ex: 8%) and the other party pays you a variable rate (ex: LIBOR + 1%)
how to mitigate market risk
very difficult because it’s inherent in the market and economy
aka systematic risk
it is nondiversifiable
investing in derivatives where you could profit when the market declines (and hence offset your losses) - SHORTS
how to mitigate unsystematic risk
minimized through diversification
-want to invest in assets that are either uncorrelated or inversely correlated
how to mitigate credit risk
how to reduce the cost of borrowing (from the borrowing/debtor’s perspective)
how do I mitigate the risk that my credit rating goes down and I can’t get favorable loans?
ratio analysis (i.e. a high current ratio results in a higher credit rating) - want to improve your credit ratings. A high credit means you’re very credit worthy and will get loans at a lower interest rate.
how to mitigate default risk
from the lender/creditor perspective
an entity may choose to lend only to borrowers with low risk of default
another option, adjust the interest rate charged to better reflect the risk of each borrower (a riskier borrower will have to pay a higher interest rate on the loan you give them)
how to mitigate liquidity risk
mitigate by allocating a greater percentage of capital to investments that trade on ACTIVE MARKETS (invest more in stocks and bonds rather than real estate, which is not publicly traded)
how to mitigate price risk
mitigate through…
diversification
short selling or derivatives (hedging, put options - you buy the right to sell at a certain price)
Why does exchange rate risk exist
exists because the relationship between domestic and foreign currencies may be volatile
What are the factors that influence exchange rates
trade factors and financial factors
Describe the “Trade Factor” relative to inflation rates
relative to inflation rates
when domestic inflation exceeds foreign inflation, holders of domestic currency are motivated to purchase foreign currency to maintain the PURCHASING POWER of their money (ex: my USD 1 can buy me more in another country. I’m going to that country for vacation).
the increase in demand for foreign currency forces the value of the foreign currency to rise in relation to domestic currency
Describe the “trade factor” relative to income levels
as income increases in one country relative to another, exchange rates change as a result of increased demand for foreign currencies in the country in which income is increasing
Describe trade factor - government controls
as opposed to freely fluctuating equilibrium
various trade and exchange barriers that artificially suppress the natural forces of supply and demand affect exchange rates.
ex: tariffs on imported goods would have the effect of discouraging the purchase of those imported goods thereby reducing the demand for that currency
Describe financial factors - relative interest rates and capital flows
interest rates create demand for currencies by motivating either domestic or foreign investments.
currency with the higher interest rate attracts investments thus there is greater demand for the currency, and the value of the currency goes up
What are the trade related factors as it relates to impacts on exchange rates
relative inflation rates
relative income levels
government controls (trade restrictions)
What are the financial factors as it relates to impacts on exchange rates
relative interest rates
capital flow
Define “Transaction Exposure”
Gain/Loss
the potential that an org could suffer an economic loss or gain upon settlement of an INDIVIDUAL TRANSACTION as a result of exchange rate changes
Define “Economic Exposure”
the potential that the PRESENT VALUE of an organization’s cash flows could increase or decrease as a result of changes in exchange rates
In terms of changes in foreign currency, what specifically does present value and G/L relate to
PV - Economic exposure
G/L - Transaction exposure
Define “Translation Exposure”
the risk that assets, liabilities, equity, or income of a CONSOLIDATED organization that includes foreign subsidiaries will change as a result of changes in exchange rates
What affects translation exposure?
the degree of foreign involvement (more = more risk)
Locations of foreign investments (the more volatile the exchange rate = the higher the translation risk)