BEC 1 - Corporate Governance Flashcards
3 objectives of internal control within the COSO framework (ORC)
1) Operations - ensuring the efficiency and effectiveness of operations, and also ensuring assets are safeguarded
2) Reporting - ensuring the reliability, timeliness, and transparency of an entity's internal and external financial and non-financial reporting
3) Compliance - adhering to all laws and regulations
5 components of internal control (CRIME)
1) Control Environment - tone at the top
2) Risk Assessment - risk that financial statements are misstated, operations are inefficient, or laws are broken
3) Information and communication - Fair, Accurate, Complete, Timely
4) Monitoring - Effectiveness of controls and report deficiencies
5) (Existing) Control Activities - Policies and procedures to mitigate risks
Principles related to the Control Environment (EBOCA)
1) commitment to Ethics and integrity
2) Board independence and oversight
3) Organizational structure - establishing reporting lines
4) Commitment to Competence
5) Accountability - establishing performance measures and incentives
Principles related to Risk Assessment (SAFR)
1) Specify objectives
2) identify and Assess changes - in the external environment, business model, leadership, etc.
3) consider potential for Fraud
4) identify and analyze Risks - determine how risks should be managed
Principles related to Information and Communication (OIE)
1) Obtain and use information - use relevant, high quality information
2) Internally communicate information
3) communicate with External parties
Principles related to Monitoring (SO D)
1) Separate and Ongoing evaluations - components of internal control are present and functioning
2) communication of Deficiencies
Principles related to Existing Control Activities (CATP)
1) select and develop Control Activities
2) select and develop Technology controls
3) deployment of Policies and Procedures
General Requirements for an effective system of internal controls
All five components and the 17 principles that are relevant must be both PRESENT and FUNCTIONING
- Present: components and relevant principles are included in the design and implementation of the internal control system
- Functioning (operating effectively): components and relevant principles are currently operating as designed in the internal control system
Specific Requirements for an effective system of internal controls
Must have reasonable assurance that ORC objectives are being achieved
COSO framework guidance on what to DOCUMENT (COPS)
1) Overall assessment
2) Component evaluation
3) Principle evaluation
4) Summary of internal control deficiencies
Common risks identified using the COSO framework
- Material omission or misstatement (unintentional)
- Fraud
- Management override
- Illegal acts: violation of government regulations
Develop value through ERM (CPER)
- value Creation
- value Preservation
- value Erosion
- value Realization
5 components of ERM (GO PRO)
1) Governance and culture
2) strategy and Objective-setting
3) Performance
4) Review and Revision
5) Ongoing information, communication and reporting
Principles related to Governance and Culture (DOVES)
1) defines Desired culture
2) exercises board Oversight
3) demonstrates commitment to core Values
4) attracts, develops and retains capable Employees
5) establishes operating Structure
Principles related to Strategy and Objective Setting
1) evaluates alternative Strategies
2) formulates business Objectives
3) Analyzes business context
4) defines Risk appetite
Principles related to Performance
1) develops portfolio View
2) Assesses severity of risk
3) Prioritizes risk
4) Identifies risk events
5) implements risk Responses (using the ARTS risk responses)
Principles related to Review and Revision
1) assesses Substantial change
2) pursues Improvement in ERM
3) Reviews risk and performance
Principles related to Information, Communication and Reporting (Ongoing)
1) leverages information and Technology
2) communicates risk Information
3) reports on risk, culture and Performance
Risk responses (ARTS)
1) High frequency, High impact: Avoid
2) High frequency, Low impact: Reduce (hedge, derivatives, etc.)
3) Low frequency, High impact: Transfer (insurance)
4) Low frequency, Low impact: Self insure / Accept
Residual Risk vs Inherent Risk
Inherent Risk - the risk present in any scenario where NO ATTEMPTS at mitigation have been made, i.e. no controls or other measures have been applied to reduce the risk from its initial level to a level more acceptable to the organization
Residual Risk - the risk remaining after efforts have been made to reduce the inherent risk.