BEC - Corporate Governance Flashcards

1
Q

Internal control

A

Internal Control is a process - effected by the entity’s BoD, mgmt, and other personnel - designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  1. Effectiveness and efficiency of operations
  2. Reliability of financial and nonfinancial reporting
  3. Compliance w/applicable laws and regulations
2
Q

General objectives of internal control

A
  1. Safeguard assets of the firm
  2. Promote efficiency of the firm’s operations
  3. Measure compliance w/mgmt’s prescribed policies and procedures
  4. Ensure accuracy and reliability of accounting records and info:
    1. ID and record all valid transactions
    2. Provide timely info in appropriate detail to permit proper classification and financial reporting
    3. Accurately measure the financial value of transactions
    4. Accurately record transactions in the time period in which they occurred
3
Q

The COSO (Committee of Sponsoring Organizations) “Cube” model has 3 dimensions w/respect to internal control

A
  1. What is internal control (i.e. fundamental components)
  2. Why we have internal control (goals and objectives)
  3. Where we have internal control
4
Q

What is Internal Control? (5 components)

A
  1. Control - mgmt’s philosophy toward controls, organizational structure, system of authority -> this component is the core of any system of internal control
  2. Risk assessment - the process of IDing, analysing, and managing the risks involved in achieving the organization’s objectives
  3. Information and communication - the info and communication systems that enable an organization’s ppl to ID, process, and exchange the info needed to manage and control operations
  4. Monitoring - to ensure the ongoing reliability of info, it’s necessary to monitor and test the system and its data
  5. Control activities - the policies and procedures that ensure that actions are taken to address the risks related to the achievement of mgmt’s objectives
5
Q

Why Do We Have Internal Control? (3 components)

A
  1. Operations - The effective and efficient use of an organization’s resources in pursuit of its core mission
  2. Reporting - Preparing and disseminating timely and reliable info, including financial and nonfinancial info, internal and external reports
  3. Compliance - complying w/applicable laws and regulations
6
Q

Control Environment (5 principles)

A
  1. Commitment to integrity and ethical values
  2. BoD demonstrates independence of management, and oversees the development and monitoring of internal control
  3. Mgmt establishes organizational structures, reporting lines, and appropriate authorities
  4. Competence - the organization will commit to attracting and retaining competent individuals
  5. Accountability - The organization holds individuals accountable for their internal control responsibilities
7
Q

Risk assessment (4 principles)

A
  1. Objectives - The organization specifies objectives w/sufficient clarity to enable the ID and assessment of risks that threaten the achievement of objectives
  2. Assessment - Basically risk assessment
  3. Fraud - the organization considers the potential for fraud in assessing risks to the achievement of objectives
  4. Change management - The organization IDs and assesses changes in the external environment and new leadership
8
Q

Control Activities (3 principles)

A
  1. Risk reduction - Organization control activities reduce the risks to the achievement of objectives to an acceptable level
  2. Technology controls - The organization selects and implements general controls over technology, which support the achievement of its objectives
  3. Policies - The organization deploys control activities through policies and procedures that establish stakeholder expectations
9
Q

Information and Communication (3 principles)

A
  1. Quality - Relevant, high quality info supports internal control processes
  2. Internal - internal communication supports internal control processes
  3. External - communication w/outsiders supports internal control processes
10
Q

Monitoring Activities (2 principles)

A
  1. Ongoing and periodic - ongoing and separate evaluations to evaluate the functionality of the internal controls
  2. Address deficiencies
11
Q

Management’s philosophy and operating style is a factor of…

A

the control environment

12
Q

What is Enterprise Risk Management (ERM)?

A

ERM is the culture, capabilities, and practices by which organizations manage risk to create, preserve, and realize value (performance)

13
Q

A major aspect of an enterprise risk management system is the alignment of management risk taking with shareholder risk appetite.

A
14
Q

According to COSO, control systems fail for all of the following reasons except:

A

They are properly designed and implemented but mgmt overrides them making them ineffective

15
Q

COSO defines risk as neutral (neither positive nor negative)

A
16
Q

ERM isn’t the same as internal control. ERM includes a broader mandate than internal control, in that ERM considers risk appetite and strategy as central concerns

A
17
Q

Why is ERM important?

A
  • Expanding opportunities (or identifying new opportunities)
  • IDing and managing entity-wide risk
  • Increasing positive and reducing negative outcomes
  • Reducing performance variability
  • Better deploying assets (and HR)
  • Increasing enterprise resilience
18
Q

ERM begins w/an entity’s mission, vision, values, and strategy

A
19
Q

3 risks exist in strategy selection and implementation

A
  1. Misalignment - Does our strategy align w/our mission, vision, and core values?
  2. Implications - Do we understand the risk implications of our chosen strategy?
  3. Risks to Success - Will we be successful? Will we achieve the goals specified in our strategy?
20
Q

5 components of the ERM framework are

A
  1. Governance and Culture
  2. Strategy and Objective-setting
  3. Performance
  4. Review and revision
  5. Information, Communication, and Reporting
21
Q

The BoD provides oversight of the strategy and is primarily responsible for risk oversight; management is responsible for day-to-day management of risk

A
22
Q

The BoD must be independent of management

A
23
Q

Governance is the identification and allocation of roles, authorities, and responsibilities among stakeholders, including identifying the organization’s risk culture.

A
24
Q

Tolerance is tactical (operational) and should be measurable and measured.

In contrast, risk appetite may be stated quantitatively or qualitatively

A
25
Q

A risk-aware organization identifies triggers that will prompt a reassessment of risk severity

A
26
Q

Risk response categories

A
  1. Risk acceptance - No action is taken to change the severity of the risk (appropriate when risk is already w/in company’s risk appetite)
  2. Risk avoidance - Act to remove the risk (i.e. ceasing a product line, declining to expand)
  3. Risk pursuit - Accept increased risk to achieve improved performance
  4. Risk reduction - Act to reduce severity of the risk
  5. Risk sharing - Reduce the severity of the risk by transferring or sharing a portion of it (i.e. insurance, hedging, outsourcing, joint ventures etc.)
27
Q

An enterprise risk management system does not seek to eliminate all risks.

Risks are avoided, reduced, shifted, or accepted based on the risk appetite of the organization.

A
28
Q

Reviewing the strategy and business objectives will be helpful to understanding why the risk profile differed from expected.

A
29
Q

Risk appetite applies to the development of strategy, tolerance applies in the implementation of strategy, and key risk indicators apply at any level of business

A
30
Q

Processes and controls help an entity create and maintain reliable data

A
31
Q

Data management architecture refers to the fundamental design of the technology and related data.

A
32
Q
A