BEC 2 - Corporate Governance, Internal Control, & Enterprise Risk Management Flashcards
What is role of Corporate Governance?
to make sure that certain objectives are met while the stakeholders' needs and concerns are being addressed
What is the Board of Directors responsible for?
- Strategic Planning
- Selection/Oversight of management (compensation & monitoring)
- Dividend Policy
- Treasury Stock
- Budget Approvals
Traits about the Principles of Corporate Governance
- Developed by the Organization for Economic Cooperation & Development (OECD)
- 6 Key Areas (ES-ES-DB)
- Effective Corporate Governance Framework
- Shareholder Rights and Ownership Functions
- Equitable Treatment of Shareholders
- Stakeholders Role in Corporate Governance
- Disclosure & Transparency
- Board Responsibilities
Traits about the 1992 Cadbury Report
Relates to Corporate Governance
- Voluntary Code
- Companies listed on the London Stock Exchange are required to comply or explain the extent of compliance (why or why not)
- Clear Division of responsibility at the top OR strong independent element on the Board
- Majority of Board should be outside Directors
- Board Compensation should be determined by non-exec. directors
- Board should select at Least 3 Non-Executive Directors on the Audit Committee
ES-ES-DB?
6 Key Areas of The OECD Principles of Corporate Governance
- Effective Corporate Governance Framework
- Shareholder Rights and Ownership Functions
- Equitable Treatment of Shareholders
- Stakeholders Role in Corporate Governance
- Disclosure & Transparency
- Board Responsibilities
What is Effective Corporate Governance Framework?
1st Key Area of OECD Principles of Corporate Governance
- should promote transparent and efficient markets
- be consistent with the rule of law
- clearly articulate the division of responsibilities among different supervisory, regulatory, and enforcement agencies
What is Shareholder Rights and ownership functions?
2nd Key Area of OECD Principles of Corporate Governance
- protect and facilitate the exercise of shareholders rights
What is Equitable Treatment of Shareholders?
3rd Key Area of OECD Principles of Corporate Governance
- all shareholders should have the opportunity to obtain redress for violation of their rights
What are the Stakeholders Role in Corporate Governance?
4th Key Area of OECD Principles of Corporate Governance
- recognize the rights of STAKEholders established by law or through mutual agreements
- cooperation b/w corporations and STAKEholders for overall wealth
What is Disclosure and Transparency?
5th Key Area of OECD Principles of Corporate Governance
- timely and accurate disclosure is made on all material matters regarding the corporation
- Includes: Financial Performance, Situation, Ownership, and Governance of the company
What are the Board Responsibilities?
6th Key Area of OECD Principles of Corporate Governance
- strategic guidance
- effective monitoring
- board’s accountability to the company and shareholders
Where does the Board get their authority and responsibilities from?
The Bylaws (internal rules of the Company), which become the corporate charter when approved with the Articles of Incorporation. Includes:
- Min and Max # of Directors
- Selection and compensation
- How often they should meet
- nature of the responsibilities
What are typical Duties of the Board of Directors?
- Fiduciary Duty & in Best Interest of the company
- Determine/Revise the mission and amend bylaws
- Strategic Planning & development of broad objectives and policies
- Selection and oversight of the CEO
- Securing the availability of Financial Resources
- Budget Approval
- Approval of Major Operating & Financial Proposals
- Accounting to STAKEholders (reliable financial info is reported)
- Advise to mgmt and determine mgmt compensation
- Dividend Policy
- Reacquiring Treasury Stock
NYSE and NASDAQ listed company requirements related to the Board of Directors
- Majority of Directors are required to be Independent
- Info must be provided to investors regarding Director Independence
- Non-Mgmt Directors are required to meet on a REGULARLY SCHEDULED basis
- Directors must adopt and publish a code of conduct applicable to ALL PARTIES within an entity disclosing any waivers to directors or officers
- maintain an INDEPENDENT Audit Committee
- Must ID any relationships that automatically indicate a director that IS NOT INDEPENDENT
A Director is NOT independent if:
- Recent employee/affiliate of the entity OR former partner/employee of the external auditor
- OR a Family Member or the Director received more than $120,000 from the corp (excluding director fees) for any 12-month period within the last 3 YEARS
- OR a Family Member was a recent officer of the entity (5 Years NYSE, 3 Years NASDAQ)
- OR the Director is an executive of another entity that receives significant amounts of REVENUE from the entity
Business Judgement Rule
Director or Manager has protection against liability (LOSSES) when fulfilling fiduciary duty… Fraud is usually the only reason the courts will go to trial
What do the Articles of Incorporation Include?
- Name, Address, and Purpose of The Company
- Registering Agent (“attorney”)
- Name & Address of each incorporator
- # of shares AUTHORIZED
- Types of Stock
What Committees are required for Publicly Held Companies?
NAC
- Nominating Committee
- Auditing Committee
- Compensation Committee
What does the Nominating Committee do?
- Responsible for overall corporate Governance
- Determine director suitability for service on the BoD
- Developing and Suggesting Corp. Gov. Principles and policies
- Oversee CEO Succession
- Enhance quality of board nominees
- Ensure integrity in nominating process
What is the Wall Street Reform and Consumer Protection Act?
- “Dodd-Frank”
- requires disclosure about whether or not the chair of the BoD is also the CEO
- Must also explain why or why not they are the same individual
What is “Dodd-Frank”?
- Wall Street Reform and Consumer Protection Act
- requires disclosure about whether or not the chair of the BoD is also the CEO
- Must also explain why or why not they are the same individual
What is the Audit Committee?
- Required Committee in the Board of Directors
- Must be composed of INDEPENDENT Directors
- At least 1 member must be a FINANCIAL EXPERT (if there is not, must explain why not)
- Oversee the Financial Reporting process (reliable and timely to stakeholders)
- Select the External Auditor (det. compensation and oversee)
- Receive internal and external audit results
- Internal Control Responsibilities
Who does the External Auditor Report to?
- Report directly to the Audit Committee
What are the Audit Committee’s Internal Control responsibilities?
- oversee the establishment of appropriate controls
- Prevention and detection of fraud programs
- maintain code of ethics
- establish procedures for dealing with complaints about accounting, internal control, or audit matters
- facilitate a process for employees to anonymously and confidentially express accounting concerns (WHISTLEBLOWERS)
What are main results of SOX?
- top management must individually certify the accuracy of financial information
- penalties for fraudulent financial activity are much more severe
- Increased the independence of the outside auditors
- increased the oversight role of boards of directors
- creation of PCAOB
What are the traits/responsibilities of a Compensation Committee?
- Made up of INDEPENDENT Directors
- establish compensation policies for directors and executives
- ensure their policies are consistent with mission stmt and objectives
- There are SEC, NYSE, NASDAQ specific requirements
What is a Financial Expert?
Director in the Audit Committee with:
- Understanding of GAAP and Financial Statements
- Experience preparing or auditing comparable F/S
- Experience applying F/S or Audit Knowledge to the accounting for estimates, accruals, and reserves
- Experience with INTERNAL AUDIT CONTROLS
- Understanding of the Audit Committee Functions
What are the SEC, NYSE and NASDAQ requirements for the Compensation committee?
- developing a compensation approach or philosophy
- Establish CEO/Exec. compensation
- use outside experts (as appropriate)
- receive and evaluate proposals regarding exec. Responsibilities put forth by the shareholders
Dodd Frank Act provisions that relate to the Compensation Committee
- Say on Pay ( shareholders vote on compensation and golden parachute)
- Independence - higher standard for members and advisors (enhanced disclosure of the use of compensation consultants and possible conflicts of interest)
- Disclosure - exec. Compensation and entity financial performance & CEO$$$ vs. Median Employee$
- Clawbacks - restatement of F/S resulting in compensation recoupment (regardless of fault)
Officer Fixed Compensation Usually consists of
Salary & Perquisites (perks)
Incentive Compensation
- Bonuses (easy to manipulate, based on accounting profit)
- Share-Based Compensation
Share-Based Compensation
Part of Executive Incentive Compensation
- Stock Options (Buy @ Fixed Price)
- Share Appreciation Rights (Cash Payments for Increases in Stock Price)
- Restricted Shares (Shares that may not be traded/sold for a specific period of time)
- Performance Shares (shares issued if specific objectives are met)
Stock Options and Officer Incentive Compensation
- May Focus on the Short Term
- If the stock price is so low that the option will never be “in the money”, the incentive is gone
Share Appreciation Rights and Officer Incentive Compensation
- May Focus on the Short Term
- If Stock Price is too low, all incentive will be lost
Restricted Shares and Officer Incentive Compensation
- Officer does not have to pay for the shares
- incentive to increase the stock price (at least during restriction period)
Performance Shares and Officer Incentive Compensation
- focuses on mgmt meeting of specific performance objective
- potentially very effective
What is one of the most common and effective ways to monitor Management?
- Internal auditors reporting directly to the Auditing Committee (not required)
What is the Internal Audit Function?
- Required by NYSE for listed companies
- provides mgmt and the Audit Comm. with ongoing assessments of the company’s RISK MANAGEMENT PROCESS and SYSTEM OF INTERNAL CONTROL
What is a Chief Auditing Executive?
- Reports to the Audit Committee (required for NYSE Listed companies)
- Responsible for the internal audit function
What are the Components of the International Professional Practices Framework?
Developed by the Institute of Internal Auditors (IIA)
- Definition of Internal Auditing
- Code of Ethics
- International Standards for the Professional Practice of Internal Auditing (ISPPIA)
What is the Definition of Internal Auditing
1st Component of the IPPF
- independent, objective ASSURANCE and CONSULTING activity designed to ADD VALUE & IMPROVE an org’s operations
- helps achieve objectives via a systematic, disciplined approach to evaluate and improve the effectiveness of RISK MGMT, CONTROL, and GOVERNANCE processes
What are the Code of Ethics (Internal Auditing)?
2nd Component of IPPF (principles & rules)
- Integrity - honesty, law-abiding (to best knowledge), ethical
- Objectivity - no impairment activities, disclose all material relevant facts known
- Confidentiality - prudence and not using info for personal gain
- Competency - qualified, in accordance with ISPPIA, improving proficiency, quality of svc
What are the International Standards for the Professional Practice of Internal Auditing (ISPPIA)?
3rd Component of IPPF
- Attribute Standards (4 Categories)
- Performance Standards (7 Categories)
What are the Attribute Standards?
Part of ISPPIA (3rd Component of IPPF)
- Purpose, Authority & Responsibility (PAR) - definition, code, and standards
- Independence and Objectivity (includes direct interaction with the BoD)
- Proficiency and Due Professional Care
- Quality Assurance & Improvement Program - internal&external assessments, reporting, use of “conformance with ISPPIA”, disclosure of nonconformance
What is the Quality Assurance and Improvement Program
4th Category of the Attribute Standards in ISPPIA
- Internal and External Assessments
- reporting on the quality assurance and improvement program
- use of “conforms with the ISPPIA”
- disclosure of non-conformance
What are the Performance Standards?
Part of ISPPIA (3rd Component of IPPF)
- Managing the Internal Audit Activity - coordination/planning/communication etc., and reporting to Senior mgmt & BoD
- Nature of Work - governance, risk mgmt, and control
- Engagement Planning - Planning Considerations & Engagement objectives, scope, resource alloc, work program
- Performing the Engagement - ID info, Analysis, Eval, Documenting info, Engagement Supervision
- Communicating Results - criteria, quality, errors/omissions, use of “conformance…”, engagement disclosure of non-conformance, disseminate results, and overall opinions
- Monitoring Progress
- Communicating the Acceptance of Risks
How does the Board of Directors meet its responsibility of management oversight?
1. Compensation Policies - fixed and incentive
2. Monitoring - Internal and external auditing, I-Banks, securities analysts, Creditors/Agencies, Attorneys, SEC, IRS
SOX & the independence of external auditors
Very Strict Rules:
- prohibition against performance of many NON-AUDIT services
- any non-attest services by the auditor must be PREAPPROVED by the Audit Comm.
- Audit Partner ROTATION
- Pub. Acctg Firm must be REGISTERED with PCAOB
External Auditor and Audit Committee
Must communicate:
- critical acctg policies and practices being used
- Alternative treatments (GAAP approved) that have been discussed with mgmt (implication and preference)
- any add’l written communication with mgmt (including any mgmt letter or schedule of unadjusted differences)
External Auditor and Internal Control
External Auditor examines internal control and attests to “Management Assessment of Internal Controls” in Annual Report (10-K)
Management Assessment of Internal Controls
- included in each annual 10-K report, indicating:
1. Mgmt’s responsibility for establishing/maintaining adequate controls
2. Assessing the effectiveness of controls as of the end of the most recent fiscal period
Under SOX, if the CEO or CFO misrepresents financial information…
Both may be imprisoned AND fined
- Ranges from $1 million + 10 years to $5 million + 20 years
What is GAAS?
- Generally Accepted Auditing Standards
- requires the external auditor to communicate with those charged with governance regarding certain matters
What Matters must the External Auditor communicate with those charged with Governance?
- auditor’s responsibility to form/express an opinion, but it does NOT relieve GOVERNANCE of any responsibilities
- planned scope and timing of the audit
- auditor’s views about QUALITATIVE aspects of the entity’s accounting practices (estimates, why/why not approp. methods & if Governance is informed about the processes used, issues, findings, uncorrected misstatements)
What are the Qualitative Accounting Aspects of an External Auditor views?
- entity’s accounting practices (policies, estimates, accruals, disclosures)
- why a practice is NOT appropriate under those circumstance
- determines if Governance is informed
- auditors conclusions about their reasonableness
- difficulties, disagreements with management and other finding/issues
- uncorrected MISSTATEMENTS and their effects, and the effect of uncorrected misstatements from prior periods
When those charged with Governance are independent from mgmt, what additional matters must the external auditor communicate?
- Material corrected misstatements brought to mgmt’s attention
- significant finding or issues discussed with mgmt
- auditor’s views on matters that were subject of mgmt consultation with other accountants
- written representations requested by the auditor
What are the SEC components relevant to monitoring management?
- Division of Corporate Finance
- Division of Enforcement
- Office of the Chief Accountant
SEC Division of Enforcement
- investigate possible securities law violations
- recommends when the SEC should take action in a Federal Court OR before an Administrative Judge OR negotiate a settlement
SEC Division of Corporate Finance
- interpretive guidance to Acts
- reviews filings made under the 1933 Act to evaluate compliance with disclosure and accounting requirements
SEC Office of the Chief Accountant
- transparency and relevancy of financial reporting
- improving professional performance of auditors of pub. companies
- ensuring the fair representation and credibility of F/S
- establish/enforce accounting/auditing policy
- 3 Major Groups: Accounting, Professional Practice, and International Affairs
3 Major Groups of the SEC Office of the Chief Accountant
- Accounting
- Professional Practice
- International Affairs
IRS and Monitoring Management
- scrutiny of tax filings (Shareholder actions: can replace members or file class action lawsuits)
- scrutiny of potential for corporate takeover (ineffective management)
JOBS Act of 2012 and Monitoring Management
- Jumpstart Our Business Startups
- main purpose to encourage small biz (more jobs)
- Extended period of complying with SOX provisions
- Exempt from laws requiring shareholder vote on EXEC COMPENSATION
- NOT required to have an audit of internal control (SOX Section 404)
PCAOB AS 5 Integrated Audit
- examine design & operating effectiveness of internal control over financial reporting (ICFR)
- opinion on its effectiveness in preventing or detecting material misstatements
- “integrated” - auditor relies much MORE ON INTERNAL CONTROL & less on substantive procedures
- COSO “Internal Control - Integrated Framework” is most commonly used framework
Internal Control (described by COSO)
A process (affected by the BoD, mgmt, & Other personnel) designed to provide REASONABLE ASSURANCE regarding the achievement of OBJECTIVES relating to OPERATIONS, REPORTING, & COMPLIANCE
Operating Objectives
- the effectiveness & efficiency of operation
- incorporate achievement of financial performance goals
- safeguarding of assets
- Part of COSO IC-Integrated Framework
Reporting Objectives
- reliability, timeliness, & transparency of financial/non-financial reporting for both internal and EXTERNAL uses
- Part of COSO IC-Integrated Framework
Compliance Objectives
- complying with applicable laws and regulation
- Part of COSO IC-Integrated Framework
COSO
Committee of Sponsoring Organizations of the Treadway Commission
What are the components of COSO’s Internal Control - Integrated Framework?
CRIME
- Control activities
- Risk Assessment
- Information and Communication
- Monitoring
- control Environment
Control Environment
- combination of standards, processes, and structures that enable internal control to be effective
- influences the control consciousness of its people
- foundation of internal control
- 5 Principles ( Integrity/Ethics, Governance Independence, Hierarchy & Structure, Competent Individuals, &Accountability) - CHOPPER
What factors are included in the control environment?
CHOPPER
C - Commitment to Competence (4)
H - Human Resource Policies & Procedures (4 & 5)
O - Organizational Structure (planning,directing,controlling ops)
P - Philosophy and operating style of Mgmt (1)
P - Participation of BoD or Audit Comm. (2 - CG Independence)
E - Ethical and Integrity Values (1)
R - Responsibility and Authority Assignment (3)
What is most significant internal control as indicated by COSO?
the Control Environment
- tone @ top
- unethical managers lead to unethical employees (lead by example)
- leadership
- timely and consistent identification of response to deviations from standards
What is Risk Assessment (COSO)?
- Part of COSO Integrated Framework (Internal Control)
- recognition of events that pose risks to achieving objectives
- process that is established to ID and Evaluate those risks
Risk responses
Accept: No Preventative Action
Avoid: change the objective or discontinue activity
Share: joint venture, insurance, or hedging
Reduce: e.g. establish control activities, train staff for new tech
What are the Principles for Risk Assessment?
4 Principles
- Objectives are clear to allow for ID/Eval (op objectives vs internal reporting objectives)
- Risks ID and Analysis (Internal & External, speed/length, likelihood, & Responses)
- Fraud Possibility (nature, types, characteristics, incentives, pressures, opportunities, attitudes)
- Impact of Changes (external environment, business model, or leadership)
Risk Assessment for Financial reporting Purposes?
ID, Analysis, and Management of Risks (Risk Response) relevant to preparation of F/S
- recording, processing, summarizing, estimating, and reporting
Internal & External Risk Factors relevant to financial reporting
- Changes in the environment (competition)
- New Personnel
- New or Revamped Info Systems
- Rapid Growth
- New Tech
- New Lines of business, products , activities
- Corporate Restructurings
- Foreign Operations
- Accounting Pronouncements
What is Control Activities?
- actions established by policies & procedures that help ensure that mgmt’s directives are carried out
- 3 Principles
1. Selection & Development of CA’s to reduce risks (Risk Assessment Integration)
2. General Controls over Technology
3. POLICIES identify expectations (responsibility/accountability/tasks in timely manner) & PROCEDURES convert policies into actions (& reassessment of CAs)
Types of Control Activities
PIPS
- P - Performance Reviews: actual vs budget, financial vs non financial
- I - Information Processing (IT)
- P - Physical Controls
- S - Segregation of Duties (ARCC)
PIPS
Types of Control Activities
P - Performance Reviews: actual vs budget, financial vs non financial
I - Information Processing (IT)
P- Physical Controls
S - Segregation of Duties (ARCC) - reduce ability to perpetuate & conceal errors/irregularities
ARCC
Segregation of Duties
- A - Authorizing of Transactions
- R - Recording transactions (posting)
- C - Custody of Assets
- C - Comparisons (reports)
Information and Communication
- processes mgmt obtains/generates and uses information
- how the info is disseminated throughout the entity & to appropriate business relationships
- to make effective decisions from timely,reliable, & relevant info
- 3 Principles (Relevant & Quality Info supports function, Internal Communication, & External Communication)
Principles of Information and Communication
- Relevant, quality info obtained/generated (sources, costs, info systems)
- Internal Communication of Objectives & Responsibilities (nature & timing, open & proper communication).
- External Communication (provide/obtain relevant & timely info)
Monitoring Activities
- processes the entity uses to determine if all components & principles of internal control are in place & functioning in manner intended
- 2 Principles
1. Evaluations - Separate periodic and/or on-going basis
2. Internal Control deficiencies are communicated for Corrective Action (timely)
How do you assess the quality of Internal Control Performance?
Monitoring Activities should be done by Competent and Objective individuals
- On-going Basis: (customer complaints)
- Separate Periodic Basis: (audits)
Why do Internal Control systems fail?
- Controls are not designed or implemented properly
- Environment Changes
- Operation has changed
Who should evaluate Internal Control?
The Internal Audit Staff, who reports to Board of Directors
What are the Monitoring sequence of Activities?
- Control Baseline - understanding of how IC was designed/implemented
- Change ID - evals (ongoing/separate) to ID and address/initiate changes
- Change Mgmt - when changes are needed and the types likely to be effective
- Control Revalidation/Update - new baseline understanding of the revised system
Control Baseline
1st step in Monitoring sequence of activities
- development of an understanding of how the system of Internal Control was designed and implemented
What are the Limitations of Internal Control?
COCCO
C - Collusion
O - Override by Management
C - Competence: mistakes/errors, poor human judgement
C - Cost/Benefits Constraints
O - Obsolescence: Changes to operations or size
What is COCCO?
the limitations of COSO’s Internal Control - Integrated Framework
C - Collusion
O - Override by Management
C - Competence: mistakes/errors, poor human judgement
C - Cost/Benefits Constraints
O - Obsolescence: Changes to operations or size
What should be included when designing an internal control structure?
a systematic process should be applied that will:
- Provide assurance of all transaction/activities
- Consider associated Risks
- Be more conducive to effective controls
What is the foundation of the internal control structure?
- developed around those repetitive transactions that affect the entity on a regular basis
- e.g. cash receipts & disbursements, purchases, payroll, sales
What should be included in the process for each system?
- Initiation (of transaction)
- Authorization (before committing resources)
- Execution (procedures and forms to complete)
- Verification (safeguards against fraud and errors)
What does a well designed system for a business process include?
- Forms for proper completion
- Info is given to ALL and ONLY appropriate parties
- Segregation of Incompatible Duties (ARCCS)
Why does management need to develop a process for controlling change?
to make certain change does NOT have any adverse effects
What are the basic change control process components?
RAD-PM
- Change Requests (ID)
- Change Analysis (Evaluate the justification & cost/benefit)
- Change Decisions (Decide on change based on analysis)
- Planning & Implementing (planning, effects of change, & training)
- Monitoring/Tracking Change (properly executed & has intended effects)
RAD-PM
The Basic Change Control Process Components
- Change Requests (ID)
- Change Analysis (Evaluate the justification & cost/benefit)
- Change Decisions (Decide on change based on analysis)
- Planning & Implementing (planning, effects of change, & training)
- Monitoring/Tracking Change (properly executed & has intended effects)
What should management’s report on Internal Control Over Financial Reporting include (ICFR)?
- acknowledgement of responsibility
- assessment of ICFR as of most recent period
- ID of framework used to eval ICFR
- indication that the Auditor has issued attestation on mgmt’s assessment
What does the Auditor’s report attesting to mgmt’s assessment include?
- Auditor is Independent
- indication of mgmt’s responsibility and assessment of effectiveness
- ID Mgmt’s report on ICFR
- Indication that auditor’s responsibility is an OPINION
- Definition of ICFR
- Stmt of Accordance with PCAOB (reasonable assurance)
- Stmt describing what the audit consists of (understanding, assessing, eval, other necessary as appropriate)
- Stmt of reasonable basis for the opinion
- Limitation of Internal Control
- Auditor’s Opinion on effectiveness of most recent period
- Signature of the Firm
- City & State of report issuance
What is the Purpose of Enterprise Risk Management?
find balance between minimizing/managing RISK & maximizing return on OPPORTUNITIES toward objectives (stakeholders)
- think “MITIGATE RISK & EXPLOIT OPPORTUNITIES”
Who created a framework for Enterprise Risk Management (ERM)?
COSO
What is COSO’s definition of ERM?
- process (affected by BoD, Mgmt, and other personnel) applied in a STRATEGY setting and across the enterprise designed to ID potential events and MANAGE RISK within appetite to provide REASONABLE ASSURANCE for achievement of objectives
- CRIME + 3
What are the capabilities of ERM?
- Align Risk & Appetite
- Enhance Risk Response Decisions
- Reduce Operational Surprise and Losses
- ID & Manage Multiple/Cross-Enterprise Risk (integration risks = “one solution may create more problems”)
- Seizing Opportunities
- Improve Capital Deployment (financial & human for protection against risks)
What are the areas ERM can assist in meeting objectives?
S + ORC (ORC is from COSO’s Integrated Framework)
- Strategic (high-level goals from mission stmt)
- Operations (use of resources for efficiency/productivity at each level)
- Reporting (reliable and timely for DIVISION progress towards objectives)
- Compliance (laws, regulations, & INTERNAL company policy)
What are the Components of ERM?
- CRIME + 3 (Objective Setting, Event ID, Risk Response)
- designed to incorporate internal controls
1. Internal Environment (formal & informal)
2. Objective Setting
3. Event Identification (opportunities vs threats)
4. Risk Assessment
5. Risk Response
6. Control Activities
7. Information and Communication
8. Monitoring
Strategic Objectives
- establish unifying theme for the entity & direct actions and decisions
Objective Setting
- Strategic sets the direction
- Operation/Reporting/Compliance Objectives provide the mechanisms for meeting those objectives
Event Identification
- Part of COSO’s ERM (CRIME + 3)
- the ID and monitoring of sources of information that pertain to areas of risk for the entity
- Resources are limited therefore find which are critical to achieving objectives
- 7 Techniques for event ID
- Internal & External Factors
ERM’s 7 Techniques for Event Identification
- Event Inventories (list)
- Internal Analysis (routine discussion)
- Escalation/Threshold TRIGGERS (benchmark for alerts)
- Facilitated Workshops or Interviews (learning)
- Process Flow Analysis (all components)
- Leading Event Indicators (ID indicative data)
- Loss Event Data Methodologies (causes/trends)
Risk Assessment (ERM)
- evaluate extent of potential effects (likelihood, degree)
- 3 Broad Approaches (not mutually exclusive & apply to all levels)
1. B/S Approach (essential assets, theft/damage, intellectual property)
2. Process Approach (performance, allocation, use, timely, correctly— PRODUCT QUALITY)
3. Event ID Approach (Event ID + Competition Standpoint 5 Forces)
What are Forces of Competition?
Entity must seek to ID any event that may affect any of these 5 Forces:
- Customers (demand)
- Suppliers (availability: financial, human, physical)
- Competitors (advantages, innovations)
- Potential Entrants into the Market (Change in Cost of Entry & Competition)
- Substitutes (attention of customers & suppliers)
Inherent Risk
risk if NO ACTION is taken (ERM)
Residual Risk
remaining amount of risk if action is taken (ERM)
Reduction in Risk
Inherent Risk - Residual Risk (ERM)
Ways to Quantify Risk
3 ERM approaches:
- Benchmarking (expected vs common)
- Probabilistic Models (QUANTITATIVE: expected values)
- Non-Probabilistic Models (QUALITATIVE: subjective assumptions)
Risk Acceptance
- no action
- when the entity believes inherent risk is at an acceptable level
- Cost of Action > Reduction in Risk
When is it appropriate to “reduce” risk?
- when the entity cannot find a COST EFFICIENT manner of sharing risk
Most Control Activities are designed to…
direct normal activities:
- ARCC
- Access
- Policies/Procedures
- Direct Supervision of employees (oversight)
- Employee performance analysis (oversight)
What is a group of control activities at the highest level?
preparing an organizational chart & up-to-date set of job descriptions
- if combined with a favorable internal environment (E), enables every member to understand their position & potential contribution
Categories of Control Activities Identified in ERM
- Top Level Reviews
- Direct Function or Activity Management
- Information Processing Controls
- Physical Controls
- Performance Indicators
- Segregation of Duties
What are Top Level Reviews?
- Category identified in ERM Control Activities
- comparisons of actual performance vs. budget/forecasts/benchmarks
- tracking of major initiatives (e.g. product development, cost reduction)
What is Direct Function/Activity Management?
- Category identified in ERM Control Activities
- managers review performance reports that the entity may be monitoring as part of event ID processes
What are Information Processing Controls?
- Verify transaction is authorized
- used to assure accuracy & completeness of information on the F/S
What are Physical Controls?
- Category identified in ERM Control Activities
- physical security of assets (2 Categories)
1. Assets (physical counts)
2. Documents that control the assets (e.g. documents of title)
What are Performance Indicators?
- Category identified in ERM Control Activities
- analyzing data
- ID expected results/trends
- INVESTIGATE unexpected results/conditions and inconsistent behavior
Inherent Limitations of ERM
- may enhance success but does not ensure it
- future cannot be predicted
- some events are beyond mgmt’s control
- No absolute assurance (only reasonable assurance)
- COCCO