BEC 2 - Corporate Governance, Internal Control, & Enterprise Risk Management Flashcards

Question

What are main results of SOX?

Answer 1

- top management must individually certify the accuracy of financial information - penalties for fraudulent financial activity are much more severe - Increased the independence of the outside auditors - increased the oversight role of boards of directors - creation of PCAOB

Answer 2

- Made up of INDEPENDENT Directors - establish compensation policies for directors and executives - ensure their policies are consistent with mission stmt and objectives - There are SEC, NYSE, NASDAQ specific requirements

Answer 3

Director in the Audit Committee with: - Understanding of GAAP and Financial Statements - Experience preparing or auditing comparable F/S - Experience applying F/S or Audit Knowledge to the accounting for estimates, accruals, and reserves - Experience with INTERNAL AUDIT CONTROLS - Understanding of the Audit Committee Functions

Answer 4

- developing a compensation approach or philosophy - Establish CEO/Exec. compensation - use outside experts (as appropriate) - receive and evaluate proposals regarding exec. Responsibilities put forth by the shareholders

Answer 5

1. Say on Pay ( shareholders vote on compensation and golden parachute) 2. Independence - higher standard for members and advisors (enhanced disclosure use of compensation consultant s and possible conflicts of interest) 3. Disclosure - exec. Compensation and entity financial performance & CEO$$$ vs. Median Employee$ 4. Clawbacks - restatement of F/S resulting in compensation recoupment (regardless of fault)

Answer 6

Salary & Prerequisites (perks)

Answer 7

1. Bonuses (easy to manipulated, based on accounting profit) 2. Shared Based Compensation

Answer 8

Part of Executive Incentive Compensation - Stock Options (Buy @ Fixed Price) - Share Appreciation Rights (Cash Payments for Increases in Stock Price) - Restricted Shares (Shares that may not be traded/sold for a specific period of time) - Performance Shares (shares issued if specific objectives are met)

Answer 9

- May Focus on the Short Term | - If Stock Price is too low that the option will never be "in the money", incentive is gone

Answer 10

- May Focus on the Short Term | - If Stock Price is too low, all incentive will be lost

Answer 11

- Officer does not have to pay for the shares | - incentive to increase the stock price (at least during restriction period)

Answer 12

- focuses on mgmt meeting of specific performance objective | - potentially very effective

Answer 13

- Internal auditors reporting directly to the Auditing Committee (not required) -

Answer 14

- Required by NYSE for listed companies - provides mgmt and the Audit Comm. With ongoing assessments of the company's RISK MANAGEMENT PROCESS and SYSTEM OF INTERNAL CONTROL

Answer 15

- Reports to the Audit Committee (required for NYSE Listed companies) - Responsible for the internal audit function

Answer 16

Developed by Institute of of Internal Auditors (IIA) 1. Definition of Internal Auditing 2. Code of Ethics 3. International Standards of the Professional Practice of Internal Auditing (ISPPIA)

Answer 17

1st Component of the IPPF - independent, objective ASSURANCE, and CONSULTING activity design to ADD VALUE & IMPROVE and org's operations - helps achieve objectives via systematic, disciplined approach to evaluate and improve the effectiveness of RISK MGMT, CONTROL, and GOVERNMENT processes

Answer 18

2nd Component of IPPF (principles & rules) 1. Integrity - honesty, law-abiding (to best knowledge), ethical 2. Objectivity - no impairment activities, disclose all material relevant facts known 3. Confidentiality - prudence and not using info for personal gain 4. Competency - qualified, in accordance with ISSPIA, improving proficiency, quality of svc

Answer 19

3rd Component of IPPF 1. Attributable Standards (4 Categories) 2. Performance Standards (7 Categories)

Answer 20

Part of ISPPIA (3rd Competent of IPPF) 1. Purpose, Authority & Responsibility (PAR) - definition, code, and standards 2. Independence and Objectivity (includes direct iteration with the BoD) 3. Proficiency and Due Professional Care 4. Quality Assurance & Improvement Program - internal&external assessments, reporting, use of "conformance with ISPPIA", disclosure of nonconformance

Answer 21

4th Category of the Attributable Standards in ISPPIA - Internal and External Assessments - reporting on the quality assurance and improvement program - use of "conforms with the ISPPIA" - disclosure of non-conformance

Answer 22

Part of ISPPIA (3rd Component of ISPPIA) 1. Managing the Internal Audit Activating - coordination/planning/communication etc, and reporting to Senior mgmt & BoD 2. Nature of Work - governance, risk mgmt, and control 3. Engagement Planning - Planing Considerations & Engagement objectives, scope, resource alloc, work program 4. Performing the Engagement - ID info, Analysis, Eval, Documenting info, Engagement Supervision 5. Communicating Results - criteria, quality,errors/omissions, Use of "conformance...", engagement disclosure of non-conformance, disseminate results , and overall opinions 6. Monitoring Progress 7. Communicating the Acceptance of Risks

Answer 23

1. Compensation Policies - fixed and incentive | 2. Monitoring - Internal and external auditing, I-Banks, securities analyst, Creditors/Agencies, Attorneys, SEC, IRS

Answer 24

Very Strict Rules: - prohibition against performance of many NON-AUDIT services - any non-attest services by the auditor must be PREAPPROVED by the Audit Comm. - Audit Partner ROTATION - Pub. Acctg Firm must be REGISTERED with PCAOB

Answer 25

Must communicate: - critical acctg policies and practices being used - Alternative treatments (GAAP approved) that have been discussed with mgmt (implication and preference) - any add'l written communication with mgmt (including any mgmt letter or schedule of unadjusted differences)

Answer 26

External Auditor examines internal control and attests to "Management Assessment of Internal Controls" in Annual Report (10-K)

Answer 27

- included in each annual 10-K report, indicating: 1. Mgmt's responsibility for establishing/maintaining adequate controls 2. Assessing the effectiveness of controls as of the end of the most recent fiscal period

Answer 28

Both may be imprisoned AND fined | - Ranges from $1 million + 10 years to $5 million + 20 years

Answer 29

- Generally Accepted Auditing Standards | - requires the external to communicate with those charged with governance regarding certain matters

Answer 30

- auditor's responsibility to form/express an opinion, but it does NOT relieve GOVERNANCE with any responsibilities - planned scope and timing of the audit - auditor's views about QUALITATIVE aspects of the entity's accounting practices ( estimates, why/why not approp. methods & if Governance is informed about the processes used, issues, findings, uncorrected misstates)

Answer 31

- entity's accounting practices (policies, estimates, accruals, disclosures) - why a practice is NOT appropriate under those circumstance - determines if Governance is informed - auditors conclusions about their reasonableness - difficulties, disagreements with management and other finding/issues - uncorrected MISTAKES and effects and effect of uncorrected misSTATES from prior periods

Answer 32

- Material corrected mistakes brought to mgmt's attention - significant finding or issues discussed with mgmt - auditor's views on matters that were subject of mgmt consultation with other accountants - written representations requested by the auditor

Answer 33

- Division of Corporate Finance - Division of Enforcement - Office of the Chief Accountant

Answer 34

- investigate possible securities law violations - recommends when the SEC should take action in a Federal Court OR before and Administrative Judge OR Negotiate settlement

Answer 35

- interpretive guidance to Acts | - reviews filings made under the 1933 Act to evaluate compliance with disclosure and accounting requirements

Answer 36

- transparency and relevancy of financial reporting - improving professional performance of auditors of pub. companies - ensuring the fair representation and credibility of F/S - establish/enforce accounting/auditing policy - 3 Major Groups: Accounting, Professional Practice, and International Affairs

Answer 37

1. Accounting 2. Professional Practice 3. International Affairs

Answer 38

- scrutiny of tax filings (Shareholders actions: can replace members or file class action lawsuits) - scrutiny of potential for corporate takeover (ineffective management)

Answer 39

- Jumpstart Our Business Startups - main purpose to encourage small biz (more jobs) - Extended period of complying with SOX provisions - Exempt from laws requiring shareholder vote on EXEC COMPENSATION - NOT required to have internal audits control (SOX Section 404)

Answer 40

- examine design & operating effectiveness of internal control over financial reporting (ICFR) - opinion on its effectiveness in preventing or detecting material misstatements - "integrated" - auditor relies much MORE ON INTERNAL CONTROL & less on substantiative procedures - COSO "Internal Control - Integrated Framework" is most commonly used framework

Answer 41

A process (affected by the BoD, mgmt, & Other personnel) designed to provide REASONABLE ASSURANCE regarding the achievement of OBJECTIVES relating to OPERATIONS, REPORTING, & COMPLIANCE

Answer 42

- the effectiveness & efficiency of operation - incorporate achievement of financial performance goals - safeguarding of assets - Part of COSO IC-Integrated Framework

Answer 43

- reliability, timeliness, & transparency of financial/non-financial reporting for both internal and EXTERNAL uses - Part of COSO IC-Integrated Framework

Answer 44

- complying with applicable laws and regulation | - Part of COSO IC-Integrated Framework

Answer 45

Committee of Sponsoring Organizations Treadway Commission

Answer 46

CRIME 5. Control activities 2. Risk Assessment 3. Information and Communication 4. Monitoring 1. control Environment

Answer 47

- combination of standards, processes, and structures that enable internal control to be effective - influences the control conscience of peoples - foundation of internal control - 5 Principles ( Integrity/Ethics, Governance Independence, Hierarchy & Structure, Competent Individuals, &Accountability) - CHOPPER

Answer 48

CHOPPER C - Commitment to Competence (4) H - Human Resource Policies & Procedures (4 & 5) O - Organizational Structure (planning,directing,controlling ops) P - Philosophy and operating style of Mgmt (1) P - Participation of BoD or Audit Comm. (2 - CG Independence) E - Ethical and Integrity Values (1) R - Responsibility and Authority Assignment (3)

Answer 49

the Control Environment - tone @ top - unethical managers lead to unethical employees (lead by example) - leadership - timely and consistent identification of response to deviations from standards

Answer 50

- Part of COSO Integrated Framework (Internal ControL) - recognition of events that pose risks to achieving objectives - process that is established to ID and Evaluate those risks

Answer 51

Accept: No Preventative Action Avoid: change the objective or discontinue activity Share: joint venture, insurance, or hedging Reduce: i.e. establish control activities, train staff for new tech

Answer 52

4 Principles 1. Objectives are clear to allow for ID/Eval (op objectives vs internal reporting objectives) 2. Risks ID and Analysis (Internal & External, speed/length, likelihood, & Responses) 3. Fraud Possibility (nature, types, characteristics, incentives, pressures, opportunities, attitudes) 4. Impact of Changes (external environment, business model, or leadership)

Answer 53

ID, Analysis, and Management of Risks (Risk Response) relevant to preparation of F/S - recording, processing, summarizing, estimating, and reporting

Answer 54

- Changes in the environment (competition) - New Personnel - New or Revamped Info Systems - Rapid Growth - New Tech - New Lines of business, products , activities - Corporate Restructurings - Foreign Operations - Accounting Pronouncements

Answer 55

- actions established by policies & procedures that help ensure that mgmt's directives are carried out - 3 Principles 1. Selection & Development of CA's to reduce risks (Risk Assessment Integration) 2. General Controls over Technology 3. POLICIES identify expectations (responsibility/accountability/tasks in timely manner) & PROCEDURES convert policies into actions (& reassessment of CAs)

Answer 56

``` PIPS P - Performance Reviews: actual vs budget, financial vs non financial I - Information Processing (IT) P- Physical Controls S - Segregation of Duties (ARCC) ```

Answer 57

Types of Control Activities P - Performance Reviews: actual vs budget, financial vs non financial I - Information Processing (IT) P- Physical Controls S - Segregation of Duties (ARCC) - reduce ability to perpetuate & conceal errors/irregularities

Answer 58

``` Segregation of Duties A - Authorizing of Transactions R - Recording transactions (posting) C - Custody of Assets C - Comparisons (reports) ```

Answer 59

- processes mgmt obtains/generates and uses information - how the info is disseminated throughout the entity & to appropriate business relationships - to make effective decisions from timely,reliable, & relevant info - 3 Principles (Relevant & Quality Info supports function, Internal Communication, & External Communication)

Answer 60

1. Relevant, quality info obtained/generated (sources, costs, info systems) 2. Internal Communication of Objectives & Responsibilities (nature & timing, open & proper communication). 3. External Communication (provide/obtain relevant & timely info)

Answer 61

- processes the entity uses to determine if all components & principles of internal control are in place & functioning in manner intended - 2 Principles 1. Evaluations - Separate periodic and/or on-going basis 2. Internal Control deficiencies are communicated for Corrective Action (timely)

Answer 62

Monitoring Activities should be done by Competent and Objective individuals 1. On-going Basis: (customer complaints) 2. Separate Periodic Basis: (audits)

Answer 63

1. Controls are not designed or implemented properly 2. Environment Changes 3. Operation has changed

Answer 64

The Internal Audit Staff, who reports to Board of Directors

Answer 65

1. Control Baseline - understanding of how IC was designed/implemented 2. Change ID - evals (ongoing/separate) to ID and address/initiate changes 3. Change Mgmt - when changes are needed ad they types likely to be effective 4. Control Revalidation/Update - new baseline understanding of the revised system

Answer 66

1st step in Monitoring sequence of activities | - development of an understanding of how the system of Internal Control was designed and implemented

Answer 67

COCCO C - Collusion O - Override by Management C - Competence: mistakes/errors, poor human judgement C - Cost/Benefits Constraints O - Obsolesces: Changes to operations or size

Answer 68

the limitations of COSO's Internal Control - Integrated Framework C - Collusion O - Override by Management C - Competence: mistakes/errors, poor human judgement C - Cost/Benefits Constraints O - Obsolesces: Changes to operations or size

Answer 69

a systematic process should be applied that will: 1. Provide assurance of all transaction/activities 2. Consider associated Risks 3. Be more conducive to effective controls

Answer 70

- developed around those repetitive transactions that affect the entity on a regular basis - IE: cash receipts & disbursements, purchases, payroll, sales

Answer 71

- Initiation (of transaction) - Authorization (before committing resources) - Execution (procedures and forms to complete) - Verification (safeguards against fraud and errors)

Answer 72

- Forms for proper completion - Info is given to ALL and ONLY appropriate parties - Segregation of Incompatible Duties (ARCCS)

Answer 73

to make certain change does NOT have any adverse effects

Answer 74

RAD-PM 1. Change Requests (ID) 2. Change Analysis (Evaluate the justification & cost/benefit) 3. Change Decisions (Decide on change based on analysis) 4. Planning & Implementing (planning, effects of change, & training) 5. Monitoring/Tracking Change (properly executed & has intended effects)

Answer 75

The Basic Change Control Process Components 1. Change Requests (ID) 2. Change Analysis (Evaluate the justification & cost/benefit) 3. Change Decisions (Decide on change based on analysis) 4. Planning & Implementing (planning, effects of change, & training) 5. Monitoring/Tracking Change (properly executed & has intended effects)

Answer 76

- acknowledgement of responsibility - assessment of ICFR as of most recent period - ID of framework used to eval ICFR - indication that the Auditor has issued attestation on mgmt's assessment

Answer 77

- Auditor is Independent - indication of mgmt's responsibility and assessment of effectiveness - ID Mgmt's report on ICFR - Indication that auditor's responsibility is an OPINION - Definition of ICFR - Stmt of Accordance with PCAOB (reasonable assurance) - Stmt describing what the audit consists of (understanding, assessing, eval, other necessary as appropriate) - Stmt of reasonable basis for the opinion - Limitation of Internal Control - Auditor's Opinion on effectiveness of most recent period - Signature of the Firm - City & State of report issuance

Answer 78

find balance between minimizing/managing RISK & maximizing return on OPPORTUNITIES toward objectives (stakeholders) - think "MITIGATE RISK & EXPLOIT OPPORTUNITIES"

Answer 79

- process (affected by BoD, Mgmt, and other personnel) applied in a STRATEGY setting and across the enterprise designed to ID potential events and MANAGE RISK within appetite to provide REASONABLE ASSURANCE for achievement of objectives - CRIME + 3

Answer 80

- Align Risk & Appetite - Enhance Risk Response Decisions - Reduce Operational Surprise and Losses - ID & Manage Multiple/Cross-Enterprise Risk (integration risks = "one solution may create more problems") - Seizing Opportunities - Improve Capital Deployment (financial & human for protection against risks)

Answer 81

S + ORC (ORC is from COSO's Integrated Framework) 1. Strategic (high-level goals from mission stmt) 2. Operations (use of resources for efficiency/productivity at each level) 3. Reporting (reliable and timely for DIVISION progress towards objectives) 4. Compliance (laws, regulations, & INTERNAL company policy)

Answer 82

- CRIME + 3 (Objective Setting, Event ID, Risk Response) - designed to incorporate internal controls 1. Internal Environment (formal & informal) 2. Objective Setting 3. Event Identification (opportunities vs threats) 4. Risk Assessment 5. Risk Response 6. Control Activities 7. Information and Communication 8. Monitoring

Answer 83

- establish unifying theme for the entity & direct actions and decisions

Answer 84

- Strategic sets the direction | - Operation/Reporting/Compliance Objectives provide the mechanisms for meeting those objectives

Answer 85

- Part of COSO's ERM (CRIME + 3) - the ID and monitoring of sources of information that pertain to areas of risk for the entity - Resources are limited therefore find which are critical to achieving objectives - 7 Techniques for event ID - Internal & External Factors

Answer 86

1. Event Inventories (list) 2. Internal Analysis (routine discussion) 3. Escalation/Threshold TRIGGERS (benchmark for alerts) 4. Facilitated Workshops or Interviews (learning) 5. Process Flow Analysis (all components) 6. Leading Event Indicators (ID indicative data) 7. Loss Event Data Methodologies (causes/trends)

Answer 87

- evaluate extent of potential effects (likelihood, degree) - 3 Broad Approaches (not mutually exclusive & apply to all levels) 1. B/S Approach (essential assets, theft/damage, intellectual property) 2. Process Approach (performance, allocation, use, timely, correctly--- PRODUCT QUALITY) 3. Event ID Approach (Event ID + Competition Standpoint 5 Forces)

Answer 88

Entity must seek to ID any event hat may affect any of these 5 Forces: 1. Customers (demand) 2. Suppliers (availability: financial, human, physical) 3. Competitors (advantages, innovations) 4. Potential Entrants into the Market (Change in Cost of Entry & Competition) 5. Substitutes (attention of customers & suppliers)

Answer 89

risk if NO ACTION is taken (ERM)

Answer 90

remaining amount of risk if action is taken (ERM)

Answer 91

3 ERM approaches: 1. Benchmarking (expected vs common) 2. Probabilistic Models (QUANTITATIVE: expected values) 3. Non-Probabilistic Models (QUALITATIVE: subjective assumptions)

Answer 92

- no action - when entity believe inherent risk is at an acceptable level - Cost of Action > Reduction in Risk

Answer 93

- when the entity cannot find a COST EFFICIENT manner of sharing risk

Answer 94

direct normal activities: - ARCC - Access - Policies/Procedures - Direct Supervision of employees (oversight) - Employee performance analysis (oversight)

Answer 95

preparing an organizational chart & up-to-date set of job descriptions - if combined with a favorable internal environment (E), enables every member to understand their position & potential contribution

Answer 96

1. Top Level Reviews 2. Direct Function or Activity Management 3. Information Processing Controls 4. Physical Controls 5. Performance Indicators 6. Segregating of Duties

Answer 97

- Category identified in ERM Control Activities - comparisons of actual performance vs. budget/forecasts/benchmarks - tracking of major initiatives (IE Product development, cost reduction)

Answer 98

- Category identified in ERM Control Activities | - managers review performance reports that the entity may be monitoring as part of event ID processes

Answer 99

- Verify transaction is authorized | - used to assure accuracy & completeness of information on the F/S

Answer 100

- Category identified in ERM Control Activities - physical security of assets (2 Categories) 1. Assets (physical counts) 2. Documents that control the assets (i.e.documents of title)

Answer 101

- Category identified in ERM Control Activities - analyzing data - ID expected results/trends - INVESTIGATE unexpected results/conditions and inconsistent behavior

Answer 102

- may enhance success but does not ensure it - future cannot be predicted - some events are beyond mgmt's control - No absolute assurance (only reasonable assurance) - COCCO