BEC - COSO & Corp Governance

Question 1

Control Environment - Integrity and Ethical Values

Answer 1

Most important principle - the organization demonstrates a commitment to INTEGRITY AND ETHICAL VALUES. “Tone at the top”.

Question 2

Control Environment - Board of Directors

Answer 2

The BoD demonstrates independence of management, and oversees development and monitoring of internal control.

Question 3

Control environment - Competence

Answer 3

The organization demonstrates commitment to attract, develops, and retain competent (high quality) individuals.

Question 4

Control environment - Accountability

Answer 4

The organization holds individuals accountable for their internal control responsibilities.

– do not want to put too much pressure on individuals or else it will work against the organization.

Question 5

Risk Assessment - Objectives

Answer 5

Organization objectives have sufficient clarity to enable the identification and assessment of risks that threaten achievement of objectives including consideration of:

• Precision of risk tolerance levels (quantify risk? Range?)
• Materiality in relation to risk assessment.

Question 6

Risk Assessment - Assessment

Answer 6

The organization identifies risks to achievement of objectives and analyzes risks to guide risk management strategy

Question 7

Risk Assessment - Fraud

Answer 7

The organization considers potential fraud in assessing risks to achieve objectives.

Question 8

Risk Assessment - Change Management

Answer 8

The organize identifies and assesses changes in external environment, business model and organizational leadership that could impact system of internal control.

Question 9

Control Activities - Risk Reduction

Answer 9

Control activities reduce the risks to the achievement of objectives to acceptable levels.

Question 10

Control Activities - Technology Controls

Answer 10

The organization selects and implements general controls over technology which support the achievement of its objectives.

Question 11

Control Activities - Policies

Answer 11

The organization’s control activities inform policies that establish stakeholder expectations. Established procedures ensure that implementation of these policies.

Question 12

Information and Communication - Quality

Answer 12

Relevant, high-quality information supports internal control processes including organizational processes that identify information required to support internal control processes, capture internal and external sources of data & transform data into information.

Question 13

Information and Communication - Internal

Answer 13

Internal Communication supports internal control processes.

Can either support or hinder internal controls.

Question 14

Information and Communication - External

Answer 14

Communication with outsiders supports internal control processes.

Question 15

Monitoring - Both ongoing and Periodic

Answer 15

Monitoring evaluates internal control including benchmarking and providing feedback.

Question 16

Monitoring - Address Deficiencies

Answer 16

Parties charged with taking corrective action, including senior management and the BoDs, receive timely communication of internal control deficiencies.

Question 17

Control Environment - Management

Answer 17

Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities to achieve objectives.

Question 18

Internal control is the responsibility of

Answer 18

Management (not the auditors)

Question 19

What is internal control?

Answer 19

a PROCESS designed to provide REASONABLE (cost-effective) assurance. (Not absolute assurance)

Question 20

Who is responsible for Internal Control?

Answer 20

Management, the BoD and other personnel

Question 21

What are the goals (the why) of internal control?

Answer 21

Regarding achievement of objectives related to:

• Effectiveness and efficiency of operations
• Reliable financial reporting
• Compliance with laws and regulations

Question 22

Control deficiency

Answer 22

Least serious of the three types. Shortcomings that reduces likelihood of entity achieving its objectives. Management must assess the severity of deficiency

Question 23

Significant deficiency

Answer 23

More serious than a control deficiency but less severe than a material weakness.

Question 24

Material weakness

Answer 24

Creates a reasonable possibility of a material misstatement of the entity’s financial statements.

Question 25

Prevent control

Answer 25

Before controls. Ex:locks on building.

Question 26

Detective controls

Answer 26

Detect errors after occurrence ex: reconcile accounting records to physical assets

*also have preventive benefits

Question 27

Corrective controls

Answer 27

Reverse effects of error.

Ex: maintenance of backup files

Question 28

General control (holistic)

Answer 28

Apply broadly to most computerized functions. IT functions.

Ex: backup file systems, background checks of personnel.
Ex: security features (not specific), data transmission errors, restricting access to computer center

Question 29

Application controls

Answer 29

Focus on applications (actual data input)

Ex: data checks (dates, dollar amounts)

Question 30

Feedback control

Answer 30

Evaluate and respond to the results of a process

Question 31

Feed-forward controls

Answer 31

Project future results and alter inputs in response

Ex: inventory ordering system

Question 32

Contingency planning relates primarily to which two control procedures (categories)?

Answer 32

Detective and corrective procedures

Question 33

Board of Directors responsibilities relating to internal control

Answer 33

Oversight of KEY internal control activities and enterprise wide risk management.

Create expectations about integrity and ethical values, transparency.

Accountable for performance of internal control responsibilities.

Have competency and Communication

Must be objective, capable and inquisitive

Have open and unrestricted communication channels

Question 34

Managements responsibility to internal control

Answer 34

Set the “tone at the top” they are the “first line of defense” in IC

Accountable to the BoD for internal control

Oversight and control over controls and risks

Compensation often based on achieving objectives.

Controls can be outsourced but they remain managements responsibility

Question 35

Support (business-enabling) functions on IC

Answer 35

“Second line of defense”

Ex: legal, compliance, finance, HR, IT

Help mgmt respond, communicate, and educate others regarding risks

Most likely to have responsibility for determining system access.

Question 36

Internal auditors regarding IC

Answer 36

“Third line of defense”

Independent of functions

Question 37

All employees regarding IC

Answer 37

Communication problems related to operations, code of conduct, and other policy violations or illegal actions

Question 38

What is the BoD

Answer 38

Individuals elected as representatives of the stockholders.

Question 39

Why monitor controls?

Answer 39

Entropy: over time, controls deteriorate.

Technology improvements

Changing in management techniques

People quit, take vacations

Question 40

Benefits of monitoring internal control

Answer 40

More timely, accurate and reliable information, F/Ss, etc.

Question 41

Who evaluates controls? And what are the two primary attributes?

Answer 41

Evaluators

Competence and objectivity

Question 42

Competence (in regards to an evaluator)

Answer 42

Evaluator’s knowledge of controls and related processes, including their operation and what constitutes a control deficiency.

Question 43

Board monitoring

Answer 43

Monitoring by board or Its committees

Ex: evaluating managements monitoring process and assessment of risk of management override of controls

Question 44

Self-Assessment

*“self” is the unit or function

Answer 44

Assessment may be. H personnel who operate the control or peer or supervisory review within the same unit as control.

Question 45

Self-review

*“self” is an individual

Answer 45

Least objective type of self-assessment.

Review of one’s own work.

Question 46

Order of review objectivity (from least to most)

Answer 46

Self, peer, supervisor, impartial

Question 47

Control Objectives

Answer 47

Specific targets against which the effectiveness of IC is evaluated. Typically state the risk that they should manage or mitigate.

Ex: allow a certain number of failures in a production process but over a particular number of failures it is considered a failure of control.

Question 48

Compensating controls

Answer 48

Accomplish the same objective as another control and can “compensate” for deficiencies in that control.

Question 49

Key controls

Answer 49

Most important to assessing IC system’s ability to manage or mitigate meaningful risks. (Critical risks)

Ex: having controls in place to make sure no fictitious transactions take place or fake vendors are set up. Can lead to fraud, misstatements.

Question 50

Key performance indicators

Answer 50

Metrics that assess critical success factors (things that have already happened)

Help measure progress towards goals and objectives.

Question 51

Direct information

Answer 51

Must link directly to a judgement regarding the effective operation of control

Highly persuasive

Ex: video footage of someone stealing

Question 52

Indirect information

Answer 52

Relevant to assessing whether controls are operating and underlying risk is mitigated.

No explicit evidence of operating effectively

Ex: analytical measures

Question 53

Persuasiveness of information

Answer 53

Degree to which information supports relevant conclusions

Question 54

Relevant information

Answer 54

Helps in assessing the operation of the underlying controls or control component

Question 55

Reliable information

Answer 55

Accurate, verifiable and from an objective source

Question 56

Sufficient information

Answer 56

Obtains when evaluators have gathered enough to form a reasonable conclusion

To be sufficient, evidence must be suitable

Question 57

Timely information

Answer 57

Produced and used in a time frame that makes it possible to prevent or detect control deficiencies before they become material to an organization.

Question 58

Verifiable information (verifiability)

Answer 58

Can be established, confirmed or substantiated as true or accurate

Question 59

Key risk indicators

Answer 59

Forward-looking metrics

Identify critical potential problems

Enabling timely action

Question 60

Reviewing process includes:

Answer 60

Reviews of flow charts, and, risk and control documentation

Question 61

Benchmarking assessments

Answer 61

Comparing organizational controls and processes with best practices in comparable functions.

Question 62

Questionnaires

Answer 62

Assess the extent to which controls are operating as stipulated.

Question 63

Focus groups and interviews

Answer 63

Identify concerns and surprises related to changes in the system of internal control

Question 64

COSO Model: Step 1 of the control monitoring process

Answer 64

Establish a foundation

• Tone at the top (ethical values, mora principles)
• Organizational structure
• Baseline understanding of internal control effectiveness

Question 65

COSO Model: Step 2 of the control monitoring process

Answer 65

Design and execute

• Prioritize risks (determine severity of identified deficiencies)
• Identify controls
• Identify persuasive information about controls
• Implement monitoring procedures

Question 66

COSO Model: Step 3 of the control monitoring process

Answer 66

Assess and report

• Prioritize finding
• Report results to the appropriate level
• Follow up on corrective action

Question 67

Four-Stage process called the “monitoring-for-change-continuum”

Answer 67

1. Establish Control Baseline
   Begin with area where controls are well understood. Provides baseline for enhanced monitoring.
2. Change Identification
   Identify changes in control operations, design, or related risks.
3. Control Revalidation
   Periodically revalidate that controls remain effective (continuously)
4. Change Management
   When changes occur, verify that controls remain effective. Establishes a new control Baseline for the modified controls.

Question 68

Effective Change Control Processes

Answer 68

Internal control processes must anticipate and promptly react to changes.

Control change management must consider cost vs. benefit.

Well-structured documentation

Appropriate procedures (will go in detail later)

Question 69

Change management is part of risk Assessment including consideration of:

Answer 69

Changes in operation

Personnel change

Changing technologies and information systems

Rapid, unexpected growth.

Question 70

Define “ongoing monitoring”

Answer 70

Activities to monitor the effectiveness of internal control in the ordinary course of operations.

Question 71

What is COSO ERM-integrated framework

Answer 71

Defines essential control components. Finds a common language to define risk management processes. It also guides risk management processes.

Requires a “portfolio” view of risk

Question 72

ERM Defined

Answer 72

A process effected by an entity’s BoD, management and other personnel, APPLIED IN STRATEGY SETTING AND ACROSS THE ENTERPRISE, DESIGNED TO IDENTIFY POTENTIAL RVENTS THAT MAY AFFECT THE ENTITY, AND MANAGE RISKS TO BE WITHIN ITS RISK APPETITE, to provide reasonable assurance regarding the achievement of entity objectives.

*CAPS are differences from original COSO

Question 73

COSO ERM control Activities (Components)

Answer 73

1. Internal Environment
2. Objective Setting
3. Event Identification
4. Risk Assessment
5. Risk Response
6. Control Activities
7. Information and Communication
8. Monitoring

Question 74

COSO ERM FRAMEWORK - 4 Categories of Objectives

Answer 74

1. Strategic
2. Operations*
3. Reporting*
4. Compliance*

*come from the original COSO framework

Question 75

COSO ERM framework - levels of activity

Answer 75

Entity (or enterprise)
Division or subsidiary
Business unit processes

(From largest to smallest)

Question 76

Define Risk Appetite

Answer 76

Amount of risk an organization accepts in pursuit of its goals

Central to ERM

May state in numbers, words, or ranges

Question 77

COSO ERM - Existing Risk Profile

Answer 77

Existing levels and distributions of risk across categories

Question 78

COSO ERM - Risk Capacity

Answer 78

The maximum risk that an organization may bear.

Question 79

COSO ERM - Risk Tolerance

Answer 79

The amount of allowed variation around specific objectives.

Standard deviation or variance idea.

Question 80

COSO ERM - Attitudes Towards Risk

Answer 80

Stakeholders’ objectives and attitudes towards growth and risk.

Question 81

COSO ERM - Define Strategic Objectives

Answer 81

One of four organizational objectives (this one is only for ERM - NOT original COSO)

High-level goals that support the organization’s overall mission.

Integrate strategy and ERM

Question 82

COSO ERM - Define Risk Response

Answer 82

Managements response to risk

Depends on managements’ risk appetite

May include risk avoidance,reduction, sharing, or acceptance

Question 83

Critical Accounting Functions that should be segregated (4 of them)

Answer 83

1. Authorizing events
   Ex: approving checks, credit authorizations
2. Recording events
   Ex: inputting something into the accounting system
3. Safeguarding resources
   Ex: could be physical, or virtual (behind firewalls or restricted access servers)
4. Reconciling, oversight and auditing

Question 84

Segregation of Duties Software (SoD)

Answer 84

Helps identify and resolve conflicts

Ex: will tell you I someone is doing a specific function, the software will tell you what they shouldn’t be able to do (COSO)

Question 85

Managing Internal Control Change - Define Change Agents

Answer 85

Promote and facilitate change: catalysts; ensure that changes are understood and embraced

Question 86

Limitations of ERM (3 key limitations)

Answer 86

1. Risk - the future is uncertain
2. Things happen - failure to achieve objectives may occur despite good ERM operates at multiple levels in an organization.
3. ERM (and internal control) provides reasonable not obsolete assurance

Question 87

Corporate Responsibility - Audit Committees

Answer 87

• All members must be independent and at least one must be a “financial expert”.
• Hire, supervise, compensate, and fire outside auditors.
• Must set up procedures for handling tips from whistleblowers and preserving confidentiality.

Question 88

Corporate responsibility - CEOs and CFOs must certify:

Answer 88

• that they have reviewed the arroyo and annual reports that their companies must file with the SEC
• that to their knowledge the reports do not contain any materially untrue statements or half-truths
• that based on their knowledge the financial information is fairly presented
• they are responsible for establishing and maintaining their company’s internal financial controls
• they have designed such control to ensure the relevant material information is made known to them
• they have recently (within 90 days) evaluated the effectiveness of the Internal controls
• they have presented in the report their conclusions about the controls’ effectiveness

Question 89

CEOs and CFOs must certify to the auditors and audit committee that they have reported on:

Answer 89

All significant deficiencies and material weaknesses in the controls

Any fraud, whether or not material, that involves management or other employees playing a significant role in the internal controls

Question 90

Corporate Responsibility - Define Clawbacks

Answer 90

If an issuer must materially restate its F/Ss as a result of “misconduct”, which apparently need NOT be intentional, the CEO and CFO shall reimburse the company for bonuses received due to the misstatement and for profits they realized from sale of the company’s stock during that period.

Question 91

According to SOX you must retain workpapers for

Answer 91

7 years. But if you keep them for less than 5 it’s a crime