BEC - COSO & Corp Governance Flashcards

1
Q

Control Environment - Integrity and Ethical Values

A

Most important principle - the organization demonstrates a commitment to INTEGRITY AND ETHICAL VALUES. “Tone at the top”.

2
Q

Control Environment - Board of Directors

A

The BoD demonstrates independence of management, and oversees development and monitoring of internal control.

3
Q

Control environment - Competence

A

The organization demonstrates commitment to attract, develop, and retain competent (high quality) individuals.

4
Q

Control environment - Accountability

A

The organization holds individuals accountable for their internal control responsibilities.

– do not want to put too much pressure on individuals or else it will work against the organization.

5
Q

Risk Assessment - Objectives

A

Organization objectives have sufficient clarity to enable the identification and assessment of risks that threaten achievement of objectives including consideration of:

  • Precision of risk tolerance levels (quantify risk? Range?)
  • Materiality in relation to risk assessment.
6
Q

Risk Assessment - Assessment

A

The organization identifies risks to achievement of objectives and analyzes risks to guide risk management strategy

7
Q

Risk Assessment - Fraud

A

The organization considers potential fraud in assessing risks to achieve objectives.

8
Q

Risk Assessment - Change Management

A

The organization identifies and assesses changes in the external environment, business model, and organizational leadership that could impact the system of internal control.

9
Q

Control Activities - Risk Reduction

A

Control activities reduce the risks to the achievement of objectives to acceptable levels.

10
Q

Control Activities - Technology Controls

A

The organization selects and implements general controls over technology which support the achievement of its objectives.

11
Q

Control Activities - Policies

A

The organization’s control activities inform policies that establish stakeholder expectations. Established procedures ensure the implementation of these policies.

12
Q

Information and Communication - Quality

A

Relevant, high-quality information supports internal control processes including organizational processes that identify information required to support internal control processes, capture internal and external sources of data & transform data into information.

13
Q

Information and Communication - Internal

A

Internal Communication supports internal control processes.

Can either support or hinder internal controls.

14
Q

Information and Communication - External

A

Communication with outsiders supports internal control processes.

15
Q

Monitoring - Both ongoing and Periodic

A

Monitoring evaluates internal control including benchmarking and providing feedback.

16
Q

Monitoring - Address Deficiencies

A

Parties charged with taking corrective action, including senior management and the BoDs, receive timely communication of internal control deficiencies.

17
Q

Control Environment - Management

A

Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities to achieve objectives.

18
Q

Internal control is the responsibility of

A

Management (not the auditors)

19
Q

What is internal control?

A

a PROCESS designed to provide REASONABLE (cost-effective) assurance. (Not absolute assurance)

20
Q

Who is responsible for Internal Control?

A

Management, the BoD and other personnel

21
Q

What are the goals (the why) of internal control?

A

Regarding achievement of objectives related to:

  • Effectiveness and efficiency of operations
  • Reliable financial reporting
  • Compliance with laws and regulations
22
Q

Control deficiency

A

Least serious of the three types. Shortcomings that reduce the likelihood of the entity achieving its objectives. Management must assess the severity of the deficiency.

23
Q

Significant deficiency

A

More serious than a control deficiency but less severe than a material weakness.

24
Q

Material weakness

A

Creates a reasonable possibility of a material misstatement of the entity’s financial statements.

25
Q

Preventive control

A

Before-the-fact controls. Ex: locks on buildings.

26
Q

Detective controls

A

Detect errors after occurrence. Ex: reconcile accounting records to physical assets.

*also have preventive benefits

27
Q

Corrective controls

A

Reverse effects of error.

Ex: maintenance of backup files

28
Q

General control (holistic)

A

Apply broadly to most computerized functions. IT functions.

Ex: backup file systems, background checks of personnel.
Ex: security features (not specific), data transmission errors, restricting access to computer center

29
Q

Application controls

A

Focus on applications (actual data input)

Ex: data checks (dates, dollar amounts)

30
Q

Feedback control

A

Evaluate and respond to the results of a process

31
Q

Feed-forward controls

A

Project future results and alter inputs in response

Ex: inventory ordering system

32
Q

Contingency planning relates primarily to which two control procedures (categories)?

A

Detective and corrective procedures

33
Q

Board of Directors responsibilities relating to internal control

A

Oversight of KEY internal control activities and enterprise wide risk management.

Create expectations about integrity and ethical values, transparency.

Accountable for performance of internal control responsibilities.

Have competency and communication

Must be objective, capable and inquisitive

Have open and unrestricted communication channels

34
Q

Management’s responsibility for internal control

A

Set the “tone at the top”; they are the “first line of defense” in IC

Accountable to the BoD for internal control

Oversight and control over controls and risks

Compensation often based on achieving objectives.

Controls can be outsourced, but they remain management’s responsibility

35
Q

Support (business-enabling) functions on IC

A

“Second line of defense”

Ex: legal, compliance, finance, HR, IT

Help mgmt respond, communicate, and educate others regarding risks

Most likely to have responsibility for determining system access.

36
Q

Internal auditors regarding IC

A

“Third line of defense”

Independent of functions

37
Q

All employees regarding IC

A

Communicate problems related to operations, code of conduct, and other policy violations or illegal actions

38
Q

What is the BoD

A

Individuals elected as representatives of the stockholders.

39
Q

Why monitor controls?

A

Entropy: over time, controls deteriorate.

Technology improvements

Changes in management techniques

People quit, take vacations

40
Q

Benefits of monitoring internal control

A

More timely, accurate and reliable information, F/Ss, etc.

41
Q

Who evaluates controls? And what are the two primary attributes?

A

Evaluators

Competence and objectivity

42
Q

Competence (in regards to an evaluator)

A

Evaluator’s knowledge of controls and related processes, including their operation and what constitutes a control deficiency.

43
Q

Board monitoring

A

Monitoring by board or Its committees

Ex: evaluating management’s monitoring process and assessing the risk of management override of controls

44
Q

Self-Assessment

*“self” is the unit or function

A

Assessment may be by the personnel who operate the control, or by peer or supervisory review within the same unit as the control.

45
Q

Self-review

*“self” is an individual

A

Least objective type of self-assessment.

Review of one’s own work.

46
Q

Order of review objectivity (from least to most)

A

Self, peer, supervisor, impartial

47
Q

Control Objectives

A

Specific targets against which the effectiveness of IC is evaluated. Typically state the risk that they should manage or mitigate.

Ex: allow a certain number of failures in a production process but over a particular number of failures it is considered a failure of control.

48
Q

Compensating controls

A

Accomplish the same objective as another control and can “compensate” for deficiencies in that control.

49
Q

Key controls

A

Most important to assessing IC system’s ability to manage or mitigate meaningful risks. (Critical risks)

Ex: having controls in place to make sure no fictitious transactions take place or fake vendors are set up. Can lead to fraud, misstatements.

50
Q

Key performance indicators

A

Metrics that assess critical success factors (things that have already happened)

Help measure progress towards goals and objectives.

51
Q

Direct information

A

Must link directly to a judgement regarding the effective operation of control

Highly persuasive

Ex: video footage of someone stealing

52
Q

Indirect information

A

Relevant to assessing whether controls are operating and underlying risk is mitigated.

No explicit evidence of operating effectively

Ex: analytical measures

53
Q

Persuasiveness of information

A

Degree to which information supports relevant conclusions

54
Q

Relevant information

A

Helps in assessing the operation of the underlying controls or control component

55
Q

Reliable information

A

Accurate, verifiable and from an objective source

56
Q

Sufficient information

A

Obtained when evaluators have gathered enough to form a reasonable conclusion

To be sufficient, evidence must be suitable

57
Q

Timely information

A

Produced and used in a time frame that makes it possible to prevent or detect control deficiencies before they become material to an organization.

58
Q

Verifiable information (verifiability)

A

Can be established, confirmed or substantiated as true or accurate

59
Q

Key risk indicators

A

Forward-looking metrics

Identify critical potential problems

Enabling timely action

60
Q

Reviewing process includes:

A

Reviews of flow charts and of risk and control documentation

61
Q

Benchmarking assessments

A

Comparing organizational controls and processes with best practices in comparable functions.

62
Q

Questionnaires

A

Assess the extent to which controls are operating as stipulated.

63
Q

Focus groups and interviews

A

Identify concerns and surprises related to changes in the system of internal control

64
Q

COSO Model: Step 1 of the control monitoring process

A

Establish a foundation

  • Tone at the top (ethical values, moral principles)
  • Organizational structure
  • Baseline understanding of internal control effectiveness
65
Q

COSO Model: Step 2 of the control monitoring process

A

Design and execute

  • Prioritize risks (determine severity of identified deficiencies)
  • Identify controls
  • Identify persuasive information about controls
  • Implement monitoring procedures
66
Q

COSO Model: Step 3 of the control monitoring process

A

Assess and report

  • Prioritize findings
  • Report results to the appropriate level
  • Follow up on corrective action
67
Q

Four-Stage process called the “monitoring-for-change-continuum”

A
  1. Establish Control Baseline
    Begin with area where controls are well understood. Provides baseline for enhanced monitoring.
  2. Change Identification
    Identify changes in control operations, design, or related risks.
  3. Control Revalidation
    Periodically revalidate that controls remain effective (continuously)
  4. Change Management
    When changes occur, verify that controls remain effective. Establishes a new control Baseline for the modified controls.
68
Q

Effective Change Control Processes

A

Internal control processes must anticipate and promptly react to changes.

Control change management must consider cost vs. benefit.

Well-structured documentation

Appropriate procedures (will go in detail later)

69
Q

Change management is part of risk Assessment including consideration of:

A

Changes in operation

Personnel change

Changing technologies and information systems

Rapid, unexpected growth.

70
Q

Define “ongoing monitoring”

A

Activities to monitor the effectiveness of internal control in the ordinary course of operations.

71
Q

What is COSO ERM-integrated framework

A

Defines essential control components. Provides a common language for defining risk management processes. It also guides risk management processes.

Requires a “portfolio” view of risk

72
Q

ERM Defined

A

A process effected by an entity’s BoD, management and other personnel, APPLIED IN STRATEGY SETTING AND ACROSS THE ENTERPRISE, DESIGNED TO IDENTIFY POTENTIAL EVENTS THAT MAY AFFECT THE ENTITY, AND MANAGE RISKS TO BE WITHIN ITS RISK APPETITE, to provide reasonable assurance regarding the achievement of entity objectives.

*CAPS are differences from original COSO

73
Q

COSO ERM control Activities (Components)

A
  1. Internal Environment
  2. Objective Setting
  3. Event Identification
  4. Risk Assessment
  5. Risk Response
  6. Control Activities
  7. Information and Communication
  8. Monitoring
74
Q

COSO ERM FRAMEWORK - 4 Categories of Objectives

A
  1. Strategic
  2. Operations*
  3. Reporting*
  4. Compliance*

*come from the original COSO framework

75
Q

COSO ERM framework - levels of activity

A

Entity (or enterprise)
Division or subsidiary
Business unit processes

(From largest to smallest)

76
Q

Define Risk Appetite

A

Amount of risk an organization accepts in pursuit of its goals

Central to ERM

May state in numbers, words, or ranges

77
Q

COSO ERM - Existing Risk Profile

A

Existing levels and distributions of risk across categories

78
Q

COSO ERM - Risk Capacity

A

The maximum risk that an organization may bear.

79
Q

COSO ERM - Risk Tolerance

A

The amount of allowed variation around specific objectives.

Standard deviation or variance idea.

80
Q

COSO ERM - Attitudes Towards Risk

A

Stakeholders’ objectives and attitudes towards growth and risk.

81
Q

COSO ERM - Define Strategic Objectives

A

One of four organizational objectives (this one is only for ERM - NOT original COSO)

High-level goals that support the organization’s overall mission.

Integrate strategy and ERM

82
Q

COSO ERM - Define Risk Response

A

Management’s response to risk

Depends on management’s risk appetite

May include risk avoidance, reduction, sharing, or acceptance

83
Q

Critical Accounting Functions that should be segregated (4 of them)

A
  1. Authorizing events
    Ex: approving checks, credit authorizations
  2. Recording events
    Ex: inputting something into the accounting system
  3. Safeguarding resources
    Ex: could be physical, or virtual (behind firewalls or restricted access servers)
  4. Reconciling, oversight and auditing
84
Q

Segregation of Duties Software (SoD)

A

Helps identify and resolve conflicts

Ex: if someone is performing a specific function, the software will tell you what they shouldn’t be able to do (COSO)

85
Q

Managing Internal Control Change - Define Change Agents

A

Promote and facilitate change: catalysts; ensure that changes are understood and embraced

86
Q

Limitations of ERM (3 key limitations)

A
  1. Risk - the future is uncertain
  2. Things happen - failure to achieve objectives may occur despite good ERM. ERM operates at multiple levels in an organization.
  3. ERM (and internal control) provides reasonable, not absolute, assurance
87
Q

Corporate Responsibility - Audit Committees

A
  • All members must be independent and at least one must be a “financial expert”.
  • Hire, supervise, compensate, and fire outside auditors.
  • Must set up procedures for handling tips from whistleblowers and preserving confidentiality.
88
Q

Corporate responsibility - CEOs and CFOs must certify:

A
  • that they have reviewed the quarterly and annual reports that their companies must file with the SEC
  • that to their knowledge the reports do not contain any materially untrue statements or half-truths
  • that based on their knowledge the financial information is fairly presented
  • they are responsible for establishing and maintaining their company’s internal financial controls
  • they have designed such control to ensure the relevant material information is made known to them
  • they have recently (within 90 days) evaluated the effectiveness of the internal controls
  • they have presented in the report their conclusions about the controls’ effectiveness
89
Q

CEOs and CFOs must certify to the auditors and audit committee that they have reported on:

A

All significant deficiencies and material weaknesses in the controls

Any fraud, whether or not material, that involves management or other employees playing a significant role in the internal controls

90
Q

Corporate Responsibility - Define Clawbacks

A

If an issuer must materially restate its F/Ss as a result of “misconduct”, which apparently need NOT be intentional, the CEO and CFO shall reimburse the company for bonuses received due to the misstatement and for profits they realized from sale of the company’s stock during that period.

91
Q

According to SOX you must retain workpapers for

A

7 years. But if you keep them for less than 5, it’s a crime.