Chapter 3: Governance Flashcards

1
Q

Which of the following is not an appropriate governance role for an organization’s board of directors?

a. Evaluating and approving strategic objectives.
b. Influencing the organization’s risk-taking philosophy.
c. Providing assurance directly to third parties that the organization’s governance processes are effective.
d. Establishing broad boundaries of conduct, outside of which the organization should not operate.

A

C is the best answer. It is not appropriate for a board to provide assurance to third parties on the effectiveness of an organization’s governance processes. Only management should provide such assurance directly to third parties.

2
Q

Which of the following are typically governance responsibilities of senior management?

I. Delegating its tolerance levels to risk managers.

II. Monitoring day-to-day performance of specific risk management activities.

III. Establishing a governance committee of the board.

IV. Ensuring that sufficient information is gathered to support reporting to the board.

a. I and IV.
b. II and III.
c. I, II, and IV.
d. I, II, III, and IV.

A

A is the best answer. Both I and IV are senior management responsibilities. Choice II is a responsibility of risk owners and III is a responsibility of the board.

3
Q

ABC utility company sells electricity to residential customers and is a member of an industry association that provides guidance to electric utilities, lobbies on behalf of the industry, and facilitates sharing among its members. From ABC’s perspective, what type of stakeholder is this industry association?

a. Directly involved in the operation of the company.
b. Interested in the success of the company.
c. Influences the company.
d. Not a stakeholder.

A

C is the best answer. An industry association is not directly involved in its members’ business. While an industry association may be interested in seeing all of its members be successful, besides ongoing membership fees the association will not have any other direct interest in the success of the company. However, through its lobbying efforts and guidance, the industry association will affect how the company thinks and acts about its business.

4
Q

Who is responsible for establishing the strategic objectives of an organization?

a. The board of directors.
b. Senior management.
c. Consensus among all levels of management.
d. The board and senior management jointly.

A

B is the best answer. Senior management is responsible for the strategic planning process. While the board is responsible for providing strategic direction and guidance relative to the establishment of key business objectives, including strategic objectives, senior management is ultimately responsible for establishing such objectives.

5
Q

Who is ultimately responsible for identifying new or emerging key risk areas that should be covered by the organization’s governance process?

a. The board of directors.
b. Senior management.
c. Risk owners.
d. The internal audit function.

A

B is the best answer. The board, risk owners, and the internal audit function will all provide input regarding new or emerging risks, but senior management is responsible for identifying relevant risks affecting the organization and ensuring the governance process covers all appropriate risks.

6
Q

The internal audit function should not:

a. Assess the organization’s governance and risk management processes.
b. Provide advice about how to improve the organization’s governance and risk management processes.
c. Oversee the organization’s governance and risk management processes.
d. Coordinate its governance and risk management-related activities with those of the independent outside auditor.

A

C is the best answer. The board and senior management are responsible for overseeing the organization’s governance and risk management processes. The internal auditor is responsible for providing independent and objective assurance and consulting services pertaining to these processes. The internal audit function should coordinate its governance and risk management-related services with the services provided by the independent outside auditor.

7
Q

Which of the following would not be considered a first line of defense in the Three Lines of Defense model?

a. A divisional controller conducts a peer review of compliance with financial control standards.
b. An accounts payable clerk reviews supporting documents before processing an invoice for payment.
c. An accounting supervisor conducts a monthly review to ensure all reconciliations were completed properly.
d. A production line worker inspects finished goods to ensure the company’s quality standards are met.

A

A is the best answer. A divisional controller conducting a peer review of compliance with financial control standards is a second line of defense activity. The control activity is being conducted by someone not directly responsible for compliance with financial control standards. Each of the other answers is a control activity being conducted by an individual involved in the area of the organization in which the control is implemented.

8
Q

Which of the following would be considered a first line of defense in the Three Lines of Defense model?

a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the required payment date.
b. A divisional compliance and ethics officer conducting a review of employee training records to ensure that all marketing and sales staff have completed the required FCPA training.
c. The external audit team observes the counting of inventory on December 31.
d. An internal audit team conducting an engagement to provide assurance on the company’s Sarbanes-Oxley compliance with internal controls over financial reporting.

A

A is the best answer. B is an example of the 2nd line, D is an example of the 3rd line, and C is not specifically covered in the Three Lines of Defense model.

9
Q

Which of the following would be considered a second line of defense in the Three Lines of Defense model?

a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the required payment date.
b. A divisional compliance and ethics officer conducting a review of employee training records to ensure that all marketing and sales staff have completed the required FCPA training.
c. A shift supervisor inspecting a sample of finished goods to ensure quality standards are met.
d. An internal audit team conducting an engagement to provide assurance on the company’s Sarbanes-Oxley compliance with internal controls over financial reporting.

A

B is the best answer. A is an example of the 1st line, D is an example of the 3rd line, and C is not specifically covered in the Three Lines of Defense model.

10
Q

Companies in industries that are heavily regulated may be subject to audits by the regulator’s auditors. While not specifically covered in the Three Lines of Defense model, such auditors would most likely be considered:

a. Part of the first line of defense.
b. Part of the second line of defense.
c. Part of the third line of defense.
d. Not a line of defense.

A

C is the best answer. Some believe the Three Lines of Defense model only relates to assurance activities within the organization. However, the nature of regulatory audits is similar to assurance provided by the internal audit activity as regulators have a similar level of independence and objectivity.

11
Q

Which of the following is not a role of the internal audit function in best practice governance activities?

a. Support the board in enterprisewide risk assessment.
b. Ensure the timely implementation of audit recommendations.
c. Monitor compliance with the corporate code of conduct.
d. Discuss areas of significant risks.

A

A is the best answer. Operating management is responsible for risk management, executive management is responsible for oversight, and internal auditors serve in the capacity of oversight and advisory roles.

12
Q

Which of the following statements regarding corporate governance is not correct?

a. Corporate control mechanisms include internal and external mechanisms.
b. The compensation scheme for management is part of the corporate control mechanisms.
c. The dilution of shareholders’ wealth resulting from employee stock options or employee stock bonuses is an accounting issue rather than a corporate governance issue.
d. The internal audit function of a company has more responsibility than the board for the company’s corporate governance.

A

B is the best answer. It is the role of management to ensure the timely implementation of the audit recommendations. The internal audit function is responsible for the development of a timely procedure to monitor the disposition of the audit recommendations. The internal audit function works with senior management and the audit committee to ensure that audit recommendations receive appropriate attention.

13
Q

What types of business events tend to drive new legislation and guidance?

a. Economic downturns.
b. Fraud or other corporate wrongdoing.
c. Elections or other political changes.
d. Economic growth.

A

D is the best answer. The board is ultimately responsible for the company’s corporate governance, not the internal auditor function.

14
Q

In governance, what are the key responsibilities of the board of directors?

A
  • Establishing a governance committee.
  • Articulating requirements for reporting to the board.
  • Reevaluating governance expectations periodically.
15
Q

In governance, what are the key responsibilities of senior management?

A
  • Ensure that the full scope of direction and authority delegated by the board is properly understood.
  • Identifying the processes and activities within the organization that are an integral part of executing the governance direction provided by the board.
  • Evaluating what other business considerations or factors might create a justification for delegating a lower tolerance level to risk owners than that delegated from the board.
  • Ensuring that sufficient information is gathered from the risk owners to support its reporting requirements to the board.
16
Q

In governance, what are the key responsibilities of risk owners?

A
  • Evaluating whether the risk management activities are designed adequately to manage the related risks within the tolerance levels specified by senior management.
  • Assessing the ongoing capabilities of the organization to execute those risk management activities.
  • Determining whether the risk management activities are currently operating as designed.
  • Conducting day-to-day monitoring activities to identify, in a timely manner, whether anomalies or divergences from expected outcomes have occurred.
  • Ensuring that the information needed by senior management and the board is accurate and readily available, and is provided to senior management on a timely basis.
17
Q

What are the three lines of defense in the Three Lines of Defense model?

A

The three lines of defense in the Three Lines of Defense Model are as follows:
■ The first line of defense represents the internal control activities conducted by individuals and management.
■ The second line of defense represents other assurance activities that are conducted by individuals reporting through different lines of management than those directly responsible for the internal control activities.
■ The third line of defense represents the assurance internal audit functions provide.