12. Internal Controls / Corporate Governance Flashcards

1
Q

Corporate Governance and Legal Aspects of Internal Control

A
  • Corporate governance is the system by which corporations are controlled and directed
  • Governance by definition is a combination of people, policies, procedures and processes that help ensure that an entity effectively and efficiently achieves its objectives
  • Corporate governance can be either Internal or External
  • The organizational culture:
    1) Sets values, objectives and strategies
    2) Defines rules and behaviors
    3) Measures performance
    4) Specifies accountability
  • Governance applies to ALL organizations
  • Governance, then Risk Management, then IC
  • A corporation is a legal entity created under the authority of state statute to carry out the purposes permitted by the statute and the articles of incorporation
  • Corporations are governed by Shareholders, who elect the BOD and approve fundamental changes in corporate structure
  • Articles of Incorporation must be filed with the secretary of state or another designated official and contain:
    1) Corporation name
    2) Corporation street address
    3) Number of authorized shares of stock
    4) Name and address of each incorporator
    5) Name of the registered agent
  • Bylaws govern the internal structure of the corporation. They are adopted by the BOD
  • Governance has 2 major components:
    1) Strategic direction
    2) Oversight
  • Strategic direction determines:
    1) The business model
    2) Overall objectives
    3) The approach to risk taking
    4) The limits of organizational conduct
  • Oversight is the governance component with which INTERNAL AUDITING is MOST CONCERNED
  • Oversight elements:
    1) Risk management activities performed by senior management
    2) Internal and external assurance activities
  • The board is the source of overall direction and authority to management. It also has ULTIMATE RESPONSIBILITY FOR OVERSIGHT
  • Senior management is responsible for overseeing the establishment and implementation of IC
  • Directors, officers and employees are fiduciaries with regard to the corporation
  • A director breaches his duty if his action, prompted by confidential information, results in abuse of a corporate opportunity
  • Management performs day-to-day governance functions and determines:
    1) What specific risks are to be managed
    2) Who will be the risk owner
    3) How risk will be managed
  • Risk Owner functions:
    1) Evaluate the adequacy of the design of the risk management activity
    2) Determine whether the risk management activity is operating as designed
    3) Establish monitoring activity
    4) Ensure information is reported
  • Risk committee functions:
    1) Identify risks
    2) Connect them to the risk management process
    3) Delegate them to risk owners
    4) Consider whether delegated risks are within the company's tolerance level
  • Governance expectations, including tolerance level, MUST be PERIODICALLY reevaluated by the BOD and SENIOR MANAGEMENT
  • The Foreign Corrupt Practices Act (FCPA), enacted in 1977, is designed to prevent payments to foreign officials. Foreign clerical or ministerial employees are NOT foreign officials
  • ALL companies having a certificate of registration in the US are subject to this act
  • FCPA consists of 2 provisions:
    1) Anti-Bribery - applies to ALL domestic corporations engaged in interstate commerce
    2) Maintaining accounting records and IC - applies to companies registered under the 1937 act (public). The accounting records MUST be in accordance with GAAP and the company must maintain accountability for assets
  • Access to assets is permitted ONLY in accordance with management's general or specific authorization
  • FCPA covers 4 dimensions:
    1) Anti-Bribery
    2) IC system
    3) Transparency of accounting records
    4) Code of ethics
  • Types of penalties for not complying with FCPA:
    1) Individuals - 100K or imprisonment of 5 years or BOTH
    2) Corporation - 2M. Fines imposed on individuals may not be paid directly by an employer
  • The Sarbanes-Oxley Act of 2002 created the PCAOB, which applies to audits of issuers
  • Oversight of the work of the internal and external auditors, including coordination with the internal audit activity, is the responsibility of the BOD
  • The audit committee supports appropriate monitoring and organizing of the recommendations made by the internal auditor and protects his independence
  • The act requires each member of the audit committee to be INDEPENDENT from the BOD and management. This means not being affiliated with, or receiving compensation from, the issuer other than as a member
  • The audit committee must have at least 3 fully independent members and 1 independent financial expert selected by the BOD, who should be rotated at the BOD's discretion
  • The audit committee must be directly responsible for:
    1) Appointing, compensating and overseeing the work of the independent auditor. The independent auditor must report DIRECTLY to the audit COMMITTEE
    2) Selecting and dismissing the CAE
  • The audit committee must establish procedures for:
    1) The receipt, retention and treatment of complaints received regarding accounting, internal control and auditing matters
    2) The confidential submission of employee concerns regarding questionable accounting or auditing matters
  • To avoid conflict between the CEO and the audit committee, the CAE requests the board to establish a policy covering the internal audit activity's relations with the audit committee
  • Sarbanes-Oxley SECTION 201 prohibits nonaudit services, except for tax services if preapproved by the audit committee
  • Sarbanes-Oxley SECTION 203 - Rotation of audit partner. The audit firm must rotate the audit lead, reviewer and coordinator every 5 years
  • Sarbanes-Oxley SECTION 204 - Auditor report to the audit committee, which includes the items below. The audit committee DOESN'T APPROVE THE CHOICE OF ACCOUNTING POLICY
    1) All critical accounting policies and practices used
    2) All alternative treatments of financial information within GAAP
    3) Other material WRITTEN communication with management
  • Sarbanes-Oxley SECTION 302 - Corporate responsibility for financial reports. The SEC shall require, for each company filing periodic reports under the 1934 act, that the CEO and CFO certify that:
    1) The signing officers reviewed the report
    2) The report DOESN'T contain any untrue statement or omission of fact
    3) FS are presented fairly in all aspects
    4) Management is responsible for IC and has evaluated the effectiveness of IC as of a date WITHIN 90 DAYS PRIOR to the report date
    5) The signing officers have disclosed to the auditor, the audit committee and the BOD ALL significant deficiencies in the design or operation of IC and any FRAUD, whether MATERIAL or NOT
    6) The signing officers indicate in the report whether significant changes were made in IC subsequent to the date of evaluation
  • Sarbanes-Oxley SECTION 404 - Management's responsibility to establish and document IC procedures and include the items below in the annual report. It DOESN'T REQUIRE MANAGEMENT TO ASSURE THE EFFECTIVENESS AS OF YEAR END
    1) Management's responsibility for IC
    2) Management's assessment of the effectiveness of IC
    3) Framework used to assess the effectiveness of IC
    4) A statement about whether significant changes in controls were made after their evaluation
    5) A statement that the EXTERNAL auditor has issued an attestation report on management's assessment. Two opinions, one on IC and one on FS - the EXTERNAL auditor's evaluation of IC is NOT subject to a separate engagement; it must be IN CONJUNCTION with the audit of FS
  • Sarbanes-Oxley SECTION 407 - Financial expert: a person who, through education and experience as a public accountant, auditor or controller, has the following:
    1) Understands GAAP
    2) Experience in preparation of audited FS
    3) Experience with internal accounting controls
    4) Understanding of audit committee functions
  • Fraud differs from errors because it is INTENTIONAL - IC are designed to PREVENT FRAUD. Because of the concealment aspect of fraudulent activity, such as collusion and falsification of documents, controls CAN'T give absolute assurance that material fraud will be PREVENTED or DETECTED.
  • The concept of internal controls providing "reasonable assurance" recognizes that control procedures should not have an adverse effect on efficiency or profitability.
  • 4 types of audit approaches:
    1) Substantive approach (vouching or direct verification approach) - Tests a large volume of transactions without focus on specific areas of the FS
    2) Balance sheet approach - Focuses on BS accounts with only LIMITED procedures on the IS
    3) Systems approach - Assesses the effectiveness of IC and focuses on areas where it is considered that system objectives will not be met
    4) Risk-based approach (business risk approach) - Directed toward areas of the FS that may contain misstatement. This approach requires the auditor to identify the key day-to-day tasks
2
Q

Risk and Internal Control

A
  • Risk assessment is the process whereby management identifies organizational vulnerabilities
  • Risk management is the ongoing process of designing and operating internal controls to mitigate the risks identified in the risk assessment
  • Risk may be expressed in Qualitative terms or Quantitative terms such as severity and likelihood
  • The AICPA audit risk model:
    1) Inherent risk (IR) is the susceptibility of one of the company's objectives arising from the nature of the objective. It is the risk that it will be materially misstated assuming no related control strategy is in place
    2) Control risk (CR) is the risk that controls in place will FAIL to prevent an obstacle
    3) Detection risk (DR) is the risk that an obstacle to an objective WON'T be detected before loss has occurred. This risk can be changed at the auditor's discretion
    4) Total risk or Audit risk (TR) is IR + CR + DR. It is the risk that the auditor may fail to modify his opinion on materially misstated information OR may fail to detect a significant error or weakness during the examination
  • Objectives of IC: ORC
    1) Operations - relate to achieving the entity's mission through financial performance, productivity, quality, innovation and customer satisfaction, along with safeguarding of assets
    2) Reporting - (Internal, external), (Financial, nonfinancial)
    3) Compliance with laws and regulations - compliance with internal policies and procedures is an OPERATIONAL matter
  • IC is more likely to provide reasonable assurance of achieving REPORTING AND COMPLIANCE objectives
  • Operational effectiveness may NOT be within the entity's control because it is affected by human judgement and external factors.
  • Senior management is responsible for establishing and maintaining IC
  • The internal audit function has a consulting and advisory role and also evaluates the adequacy and effectiveness of IC
  • The responsibility for maintaining adequate IC is placed on companies, NOT individuals
  • Two main factors have changed the relationship between internal and external auditors:
    1) The increasing professionalism of internal auditors
    2) Evolving economics of external auditing
  • A flowchart is a symbolic representation that is useful for understanding, evaluating and documenting IC. It depicts the system visually and assists in identifying strengths and weaknesses in IC
  • A flowchart DOESN'T show risk and is NOT kept up to date. The normal sequence is from top to bottom, left to right
  • Flowchart symbols: important, review p. 15
  • One of the requirements of the Sarbanes-Oxley act is that the annual FS audit also address the firm's IC
  • A material weakness in IC over financial reporting may exist even when FS are not materially misstated
  • The AICPA defines a material weakness as a deficiency or combination of deficiencies in IC that results in a reasonable possibility that a material misstatement of the FS will not be prevented or timely detected
  • The COSO framework is widely accepted as the standard for the design and operation of IC
  • The IC definition under COSO is a process, effected by the BOD, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance
  • Reasonable assurance means that IC WON'T hinder operational efficiency and cost must NOT exceed benefit
  • Components of IC: CRIME
    1) Control activities
    2) Risk assessment
    3) Information and communications
    4) Monitoring
    5) Control Environment
  • Control Environment - sets standards, processes and structures:
    1) Integrity and ethical values - setting the tone at the top by management, establishing standards for conduct, evaluating performance and taking corrective actions
    2) Oversight by the board
    3) Structure, reporting lines and appropriate authorities and responsibilities
    4) Commitment to attract, develop and retain competent individuals - set policies and practices to reflect expectations of competence; the BOD and management evaluate competence; the organization attracts, develops and retains talent; senior management and the BOD plan and prepare for succession
    5) The organization holds individuals accountable
  • Risk assessment principles:
    1) Identify risk
    2) Assess risk
    3) Prioritize risk
    4) Respond to risk
    5) Monitor risk
  • Risk response types:
    1) Risk sharing / transfer
    2) Risk mitigation
    3) Risk acceptance
    4) Risk avoidance
    5) Risk exploitation - seeks risk
  • Control Activities - These policies and procedures ensure that management directives and risk responses are carried out. Whether automated or manual, they may be preventive or detective
  • Control activities principles:
    1) Select and develop control activities - contribute to the mitigation of risk
    2) General control activities - support achievement of objectives
    3) Deploy control activities through Policies, which establish what is expected, and Procedures, which put policies in place
  • Information and Communications - enable the organization to obtain, generate and use information and communication to maintain accountability and to measure and review performance
  • Information and Communication principles:
    1) Relevant and quality information
    2) Internal communication
    3) External communication
  • Monitoring is a process that assesses the quality of IC performance over time.
  • Monitoring activities principles:
    1) Ongoing or separate evaluations, or both
    2) Evaluate and communicate control deficiencies
3
Q

Internal Auditing

A
  • The internal auditing definition under the IIA is an INDEPENDENT, OBJECTIVE ASSURANCE and CONSULTING ACTIVITY designed to add value and improve an organization's operations. It helps an organization accomplish its objectives and evaluate and improve the effectiveness of Governance, Risk management and Control
  • The IIA provides guidance at both the Organizational and the Individual auditor level
  • CAE reporting lines:
    1) Functionally to the BOD
    2) Administratively to Senior Management, i.e. the CEO
  • A Written Charter defines the Purpose, Authority and Responsibility of the internal audit activity (PAR)
  • The charter establishes the internal audit activity's position within the organization:
    1) Authorizes access to records
    2) Authorizes access to personnel
    3) Authorizes access to physical properties
    4) Defines the scope of internal audit activities
  • The CAE's responsibilities:
    1) Establish policies and procedures to assess the objectivity of individual internal auditors
    2) Ensure that the internal audit activity is able to fulfill its responsibilities
    3) Obtain competent advice and assistance if needed
    4) Establish a structure for reporting results
  • The CAE forms an annual opinion on the adequacy of IC processes. The BOD oversees financial reporting processes
  • The CAE develops the proposed audit plan to provide sufficient evidence to evaluate controls
  • The CAE evaluates the plan's coverage; if the scope of the plan is insufficient to permit expression of an opinion about RISK MANAGEMENT and CONTROL, the CAE informs Senior management and the BOD about gaps in audit coverage
  • Internal auditors obtain an understanding of the design of IC
  • The audit plan should be flexible enough to permit adjustments during the year:
    1) It covers ALL MAJOR operations and functions
    2) The plan considers relevant work performed by others, including management's assessment and work performed by the external auditor
  • Scope of Internal Audit:
    1) Governance
    2) Risk Management
    3) Control
  • The three principal functions of internal auditing within an organization are to aid:
    1) Upper management in the maintenance of the firm's IC
    2) Upper management in improving the efficiency of operations
    3) The external auditor in conducting the audit of the FS
  • Incidents that MUST be reported IMMEDIATELY to upper management and the BOD:
    1) Fraud
    2) Illegal acts
    3) Material weakness in IC
    4) Significant penetration of an information system
  • The internal auditor reports fraud to the BOD and Senior management if it has been established to a REASONABLE CERTAINTY
  • Steps to be followed if the internal auditor suspects wrongdoing:
    1) Inform the appropriate authorities WITHIN the organization
    2) Recommend any necessary investigation
    3) Follow up to see that the internal audit activity's responsibilities have been met
  • Financial auditing includes evaluating and improving the effectiveness of IC over financial reporting and the reliability and integrity of financial reports. Comparing an internally created transaction with an external source will test the effectiveness of accounting and record-keeping controls
  • Safeguarding of assets is a function of FINANCIAL audit
  • Compliance Audit - Compliance with laws and regulations; it is considered an ASSURANCE service. The primary objective is to determine whether controls are functioning as planned
  • Operational Audit (Process Audit) - A process to appraise the EFFICIENCY and ECONOMY of operations and the EFFECTIVENESS in achieving entity objectives
  • Operational audits are performed at all levels: department, division and function. Cost saving is an objective of an operational engagement
  • The report of an operational audit must:
    1) State where problems exist
    2) Emphasize the absence of problems
  • Operational auditing tools: FOQ
    1) Financial analysis
    2) Observation
    3) Questionnaire of employees
  • Operational auditing is a benchmarking activity
  • A privacy engagement addresses the SECURITY of information, NOT accuracy
  • Internal auditor procedures:
    1) Inquiry
    2) Examination of documents
    3) Observation
    4) Reperform procedures
  • Due professional care: the internal auditor must apply the CARE and skill expected of a reasonably competent auditor
  • Due professional care DOESN'T imply infallibility (guaranteed success). Due professional care DOESN'T guarantee that ALL significant risks will be identified
  • To improve efficiency, the internal auditor may rely upon the work of the external auditor if it is coordinated with the internal audit work
  • Internal auditors must consider the use of technology-based audit