BEC 1 - Corporate Governance and Internal Control

Question 1

A public company audit committee must have at least one “financial expert” and they must have all of the following:

Answer 1

(a) an understanding of GAAP and financial statements; (b) experience in preparing or auditing F/S; (c) experience with internal auditing controls; and (d) an understanding of audit committee functions

Question 2

Under SOX, it is a crime to punish a public company whistleblower who provides truthful information relating to

Answer 2

any federal offense

Question 3

Under the SOX retaliation cause of action, it is a crime to punish a public company whistleblower who provides truthful information relating to

Answer 3

federal securities law violations only

Question 4

Under Dodd-Frank, if the SEC determines to impose penalties above $1 million, what percentage would be within the range of mandatory rewards?

Answer 4

Between 10-30% of sanctions imposed.

Question 5

Public companies must adopt a code of ethics for:

Answer 5

senior financial officers.

CFOs, comptrollers, principal accounting officers, and others performing similar functions.

Question 6

T/F: Detective controls are more costly than preventive and corrective controls.

Answer 6

True
Detective controls have to be continually performed to be effective, whereas, preventive controls are pretty much set once they have been put into place.

Question 7

T/F: Application controls are controls over the computing environment as a whole.

Answer 7

False.
General controls are controls over the environment as a whole helping to ensure that data integrity is maintained.

Application controls are controls over specific data input, data processing and data output activities ensuring the accuracy, completeness, and validity of transaction processing. Narrowly focused on those accounting applications that are involved with data entry, updates, and reporting.

Question 8

Preventive controls attempt to stop an error or irregularity before it occurs. They are typically “passive.” Meaning, once they are in place, they simply need to be activated to be effective. Examples include:

Answer 8

Locks on buildings and doors, use of username and password to gain access to computer resources, and building segregation of duties into the organizational structure.

Question 9

Detective controls attempt to detect an error after it has occurred. They are typically “active” as they must be continually performed in order to be effective. Examples include:

Answer 9

Data entry edits (checks for missing data, values that are too large or too small), reconciliation of accounting records to physical assets (bank recs, inventory counts), and tests of transactions to determine whether they comply with management’s policies and procedures (audits).

Note they can take on preventive characteristics. Surveillance cameras

Question 10

Corrective controls are always paired with detective controls. They attempt to reverse the effects of the observed error or irregularity. Examples include:

Answer 10

Maintenance of backup files, disaster recovery plans, and insurance.

Question 11

The COSO “cube” model for internal control contains 5 fundamental components, which are:

Answer 11

C - Control activities
R - Risk assessment
I - Information and communication
M - Monitoring
E - Control environment

Question 12

Which of the 5 fundamental components of the COSO “cube” model is described as:
* Management’s philosophy toward controls, organizational structure, system of authority and responsibility, personnel practices, policies, and procedures. This component is the core or foundation of any system of internal control.

Answer 12

Control Environment

Question 13

Which of the 5 fundamental components of the COSO “cube” model is described as:
* The process of identifying, analyzing, and managing the risks involved in achieving the organization’s objectives. This topic is covered in greater depth in the “Risk Management Policies and Procedures” lesson.

Answer 13

Risk assessment

Question 14

Which of the 5 fundamental components of the COSO “cube” model is described as:
* The information and communication systems that enable an organization’s people to identify, process, and exchange the information needed to manage and control operations.

Answer 14

Information and communication

Question 15

Which of the 5 fundamental components of the COSO “cube” model is described as:
* In order to ensure the ongoing reliability of information, it is necessary to monitor and test the system and its data.

Answer 15

Monitoring

Question 16

Which of the 5 fundamental components of the COSO “cube” model is described as:
* The policies and procedures that ensure that actions are taken to address the risks related to the achievement of management’s objectives.

Answer 16

Control Activities

Question 17

T/F: The COSO model was developed to help guide efforts to articulate and improve accounting controls.

Answer 17

True.

Question 18

T/F: A sustainability report is primarily an external, nonfinancial report.

Answer 18

True

Question 19

In the COSO "cube" model, each of the following is a control objective except
	A.  Compliance.
	B.  Monitoring.
	C.  Operations.
	D.  Reporting.

Answer 19

B. Monitoring is correct because it is not a control objective in the COSO model.

Question 20

T/F: Management should establish oversight of outsourcing service providers.

Answer 20

True

Question 21

Under COSO Internal Control Principles, what are the 5 principals of control under control environment?

Answer 21

1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence of management, and oversees the development and monitoring of internal control
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities to achieve objectives, including integrating organizational structures and services including outsourced service providers.
4. Competence – The organization demonstrates a commitment to attract, develop, and retain competent individuals consistent with achieving organizational objectives.
5. Accountability – The organization holds individuals accountable for their internal control responsibilities

Question 22

Under COSO Internal Control Principles, what are the 4 objectives under risk assessment?

Answer 22

1. Objectives – The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks that threaten the achievement of objectives.
2. Assessment – The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risk should be managed.
3. Fraud – The organization considers the potential for fraud in assessing risks to the achievement of objectives.
4. Change management – The organization identifies and assesses changes in the external environment, business model and organizational leadership that could impact the system of internal control.

Question 23

Under COSO Internal Control Principles, what are the 3 principals of control under control activities?

Answer 23

1. Risk reduction – Organizational control activities mitigate (i.e., reduce) the risks to the achievement of objectives to acceptable levels.
2. Technology controls – The organization selects and implements general controls over technology which support the achievement of its objectives.
3. Policies – The organization’s control activities inform policies that establish stakeholder expectations. Established procedures ensure the implementation of these policies.

Question 24

Under COSO Internal Control Principles, what are the 3 principals of control under information and communication?

Answer 24

1. Quality – Relevant, high-quality information supports the internal control processes.
2. Internal – Internal communication supports internal control processes.
3. External – Communication with outsiders supports internal control processes.

Question 25

Under COSO Internal Control Principles, what are the 2 principals of control under monitoring?

Answer 25

1. Ongoing and periodic – Ongoing and separate evaluations evaluate internal control functioning.
2. Address deficiencies – Parties responsible for taking corrective action, including senior management and the board of directors, receive timely communication of internal control deficiencies.

Question 26

Why manage risk? Four elements on the horizontal, representing the objectives of managing enterprise risk:

Answer 26

strategic, operations, reporting, and compliance

a. Strategic objectives – High-level goals that support the overall mission of the organization
b. Operations objectives – Goals that deal with the day-to-day operating activities of the organization (sales activities, warehousing, manufacturing, etc.)
c. Reporting objectives – Information system goals related to the accuracy, completeness, timeliness, and reliability of internal and external reporting
d. Compliance objectives – Goals designed to ensure that the organization meets all legal and regulatory requirements

Question 27

What will we manage? Eight control components

Answer 27

Internal (control) environment, Objective Setting, Event identification, Risk assessment, Risk response, Control Activities, Information & Communication, Monitoring

Question 28

Where will we manage risk? Four organizational levels, indicated in the third dimension (depth)

Answer 28

Subsidiary, Business Unit, Division, Entity-Level

Risks and objectives differ depending on the specified organizational level

Question 29

According to COSO ERM, the goals of risk management include:

Answer 29

1. Aligning risk appetite and strategy – Assessing and documenting the organization’s risk appetite improves the match between desired and chosen risk. It also permits the development of mechanisms to manage risks.
2. Improving risk responses – Enterprise risk management permits better choices from among alternative risk responses - risk avoidance, reduction, sharing, and acceptance.
3. Reducing operational surprises and losses – Risk identification and management enhances the capacity to identify potential events and establish responses, reducing surprises and associated costs or losses.
4. Identifying and managing multiple and cross-enterprise risks – Every enterprise faces risks across the organization; enterprise risk management facilitates effective responses to the interrelated impacts, as well as integrated responses to multiple related risks.
5. Seizing opportunities – By considering a full range of potential events, management can better identify and proactively act on opportunities.
6. Improving capital deployment – Risk information allows management to better assess capital needs and improve capital allocation.

Question 30

What is the expected value of a loss when analyzing and decomposing risk?

Answer 30

It is the likelihood of the loss, multiplied by the amount of a loss, should one occur.

Question 31

Segregation of Duties (SoD) - Consider four critical activities related to internal control, which should be separated to lessen fraud risk:

Answer 31

1. Authorizing events – e.g., approving customer credit, authorizing payment of an invoice, approving shipping to a customer;
2. Recording events – e.g., completing source documents, such as a customer invoice or bill of lading, posting events into the general ledger;
3. Safeguarding resources related to events (custody) – e.g., maintaining the cash in a bank vault or the inventory in a store;
4. Reconciling, overseeing and auditing – e.g., board of directors’ review, internal and external audits, and reconciling system logs with known system activity.

Question 32

According to COSO, what are the two primary attributes of effective evaluators?

Answer 32

Competence and objectivity are the two main attributes of effective evaluators that are identified by COSO.

Question 33

According to COSO, the use of ongoing and separate evaluations to identify and address changes in internal control effectiveness can best be accomplished in which of the following stages of the monitoring-for-change continuum?

Answer 33

Change Identification is the monitoring for change process that would include ongoing and separate evaluations intended to identify and address changes in internal control effectiveness.

Question 34

In a large public corporation, evaluating internal control procedures should be the responsibility of
A. Accounting management staff who report to the CFO.
B. Internal audit staff who report to the board of directors.
C. Operations management staff who report to the chief operations officer.
D. Security management staff who report to the chief facilities officer.

Answer 34

B. The key to recognizing the correctness of this answer is that the question asks who should engage in “evaluating” internal control procedures (not design or implement control procedures). Among the offered choices, an independent internal audit staff, i.e., who report to the board of directors or an audit committee, but not the CFO, are best qualified to monitor and evaluate internal control procedures.

Question 35

According to COSO, the use of ongoing and separate evaluations to establish a new baseline after changes have been made can best be accomplished in which of the following stages of the monitoring-for-change continuum?

Answer 35

The change management stage involves evaluating the design and implementation of changes and establishing a new baseline.

Question 36

List the four activities that comprise the design and execution of control monitoring.

Answer 36

Prioritize risks, identify controls, identify persuasive information about controls, implement monitoring procedures.

Question 37

What is a condition requiring attention. May represent a perceived, potential or real shortcoming, or an opportunity to strengthen the system to increase the likelihood of achieving objectives?

Answer 37

An internal control deficiency

Question 38

Name the three activities that comprise assessing and reporting on control monitoring.

Answer 38

Prioritize findings, report results as appropriate, follow up to implement corrective actions.

Question 39

What are the three elements of establishing a foundation for control?

Answer 39

The tone at the top, organizational structure, baseline understanding of control effectiveness.