Corp. Governance, COSO, ERM Chapter 1 Flashcards
What is the primary duty (role) of the board of directors?
To monitor management behavior.
What is the responsibility of the Nominating or Corporate Governance Committee of the board of directors?
Oversees the board Responsible for hiring new CEO
What is the responsibility of the audit committee of the board of directors?
The audit committee appoints and oversees the external auditor.
What is the duty of the compensation committee of the board of directors?
The compensation committee handles the CEO’s compensation package.
What does the NYSE and NASDAQ require of the board of directors?
They require the board to be independent.
How can an executive compensation package ensure that goals of management align with those of shareholders?
Executive compensation should create an incentive for management to govern in a shareholder-friendly way that doesn’t sacrifice the long-term success of the enterprise for short-term gain.
What is shirking?
When management doesn’t act in the best interest of shareholders. It can be alleviated by tying compensation to stock performance or company profit.
What is the main goal in an executive compensation package?
The package should ensure that the goals of management should match those of the shareholders.
Which influences help mold the direction that management takes?
They range from internal (Board of Directors- Audit Committee- Internal Control) to external (Creditors- SEC- IRS) These influences should not be tainted by undue influence from management or have financial ties to management such as compensation-related duties
What is the primary role of the board of directors?
The primary role is to safeguard the company’s asset and to ultimately maximize shareholder return.
What are some of the duties of the directors?
Election, removal and supervision of the officers (Directors generally review the conduct of the officers, and may remove and officer with or without cause); adoption, amendment, and repeal of bylaws; setting management compensation ; and initiating fundamental changes to the corporation’s structure.
Who has the sole discretion to declare dividends?
The board of directors. Distributions may be in the form of cash, property, or the corporation’s own shares. Shareholders have no power to compel a distribution.
Who are the Officers?
Are individual agents of the corporation who ordinarily manage its day-to-day operations and may bind the corporation to contracts made on its behalf. Officers may serve as directors. Officers may also be shareholders. Although not required, they may be. As part of their compensation, sr. mgmt may receive stock option to potentially purchase shares of the company’s CS.
What is “the business judgment rule”
The board must always act in the best interest of the company. However, directors are not insurers of the corporation’s success. A director will not be liable to the corporation for acts performed or decisions made in good faith, if conducted in a manner that the director believes to be in the best interest of the corp. and with the care an ordinarily prudent person in like position (called business judgment rule). Thus, directors will only be liable to the corporation for negligent acts or omissions (i.e. failure to obtain fire insurance, hiring a convict embezzler as treasurer)
What is “the right to rely”?
A director is entitled to rely on information , opinions, reports, or statements (FS), if provided by officers, employees, legal counsel, accountant.
Who would be liable for unlawful distributions?
Directors may be held liable for authorizing a distribution in violation of law, such as when : 1) Corporation would not be able to pay its debts as they become due in the regular course of business; or 2) Corporation’s total assets would be less than its total liabilities.
What is Indemnification in a Corporation?
Corporations are allowed to indemnify directors an officers for expenses of any lawsuit brought against them in their corporate capacity. (Except in a shareholder derivative suit.)
What are the limitations on director’s liability?
➢ Financial benefits received when not entitled
➢ Intentional harm inflicted on corporation or the shareholders
➢ Unlawful distributions authorized by director
➢ Intentional violation of criminal law
➢ Breaches of the duty of loyalty
Who is responsible for the selection and removal of officers?
officers are selected by the directors and may be removed by the directors with or without cause.
What is the officer authority?
Authority to enter into contracts and act on behalf of the corporation in the ordinary course of business (quorum).
➢ Actual – oral/written instruction
➢ Apparent – “tittle” CEO/CFO
What is “the corporate opportunity doctrine”?
if a director is presented with a business opportunity that is of interest to his company, the duty of loyalty prohibits the director from taking the opportunity for himself.
What is Sarbanes-Oxley Act of 2002?
The SOX Act of 2002 was enacted in response to corporate scandals that largely centered on the quality of corporate financial disclosure and highlighted the inadequate oversight of management, auditors and the Board of Directors. The Act has had a profound effect on the financial reporting requirements of public companies. There are numerous provisions for expanded disclosures. Key provisions of the act related to those disclosures are described in Title III and Title IV.
What the Title III of SOX relates to?
Corporate responsibility - it relates to the establishment of an audit committee and the representations made by key corporate officers, typically CEO and CFO. The establishment of an audit committee addresses the problems related to inadequate board oversight.
What topics pertaining to financial reporting the Title III of SOX includes?
- Public Company Audit Committee Corporate
- Responsibility for Financial Reports
- Improper Influence on Conduct of Audits
- Forfeiture of Certain Bonuses and Profits
What requirements are imposed on a public company under Sarbanes-Oxley Title III - Corporate Responsibility?
Management must submit a report on the effectiveness of Internal Control in the 10K.
Management must disclose significant Internal Control deficiencies.
CEO/CFO must certify that the financial statements comply with securities laws and fairly present the financial condition of the company.
The SOX Act defines the responsibilities of the audit committee of an issuer as including:
1) Appointment of the auditor
2) Compensation of the auditor
3) Oversight of the auditor
- Resolve disagreements between management and the auditor.
- The accounting firm reports directly to the audit committee.
The SOX Act defines the criteria for the independence of audit committee members for issuers as including the following characteristics:
- Each member of the audit committee shall be a member of the BOD of the issuer, but shall be otherwise independent.
- Audit committee members may no accept any consulting, advisory or other compensation or fees from the issuer other than pursuant to their roles on the board.
- A unit committee members may not be an affiliated person (a person who can influence financial decisions) of the issuer.
The SOX Act assigns the following c_orporate responsability for financial reports_ for issuers:
The CEO and CFO must certify the following for annual and quarterly reports:
- The officers have read the report
- The report does not include untrue statements
- The FS are fairly stated.
- The signing officers make assertions regarding their responsibilities for IC
- The signing officers have disclosed IC weakness and instances of fraud to the auditors and AC.
- The status of changes to IC subsequent to the date of their evaluation.
The SOX Act assigns the following corporate responsibilities regarding internal controls that must accompany financial reports:
CEO and CFO must certify the following for annual and quarterly reports:
➢ The officers are responsible for establishing and maintaining IC
➢ IC have been designed to ensure material info has been made available
➢ IC have been evaluated for effectiveness as of a date within 90 days prior to the report
➢ Report includes their conclusions as to the effectiveness of IC based upon their evaluation.
The CEO and CFO signing the report assert must also represent whether there have been any significant changes to IC.
The SOX Act assigns the following corporate responsibilities regarding the required disclosures to the auditors and audit committee by officers:
CEO and CFO by signing report assert that they have made the following disclosures to the audit committee:
➢ All significant deficiencies in the design or operation of IC that might adversely affect the financial statements.
➢ Any fraud, regardless of materiality that involves any management or any other employee with a significant role in IC.
The SOX act specifically prohibits i_mproper influence on the conduct f audits_ defined as follows:
No officer or director, or any person acting under the direction thereof, may take any action that would fraudulently influence, coerce, mislead, or manipulate the auditor in a manner that would make the FS materially misleading.
The SOX act imposes certain financial penalties on offers who are responsible for material misstatements resulting from their misconduct. Penalties include:
If issuer is required to prepare accounting restatement due to material noncompliance under the securities laws, the CEO and CFO may be required to reimburse the issuer for:
➢ Bonuses or incentive-based or equity-based compensation
➢ Gains on sale of securities during the 12-month period
What are the key issuers SOX addresses?
• Corporate Responsibility - Title III • Enhanced financial disclosures - Title IV • Fraud - Title VIII
Title IV of the SOX act, “Enhanced Financial Disclosures”, includes the following topics:
- Disclosures in periodic reports (material adjustments, off-BS transactions - op. leases. contingent obligations. relationships w/unconsolidated subs)
- Enhanced Conflict of Interest Provisions (personal loans - except ordinary business)
- Disclosures of Transactions involving Management and Principal Stockholders > 10% (statement filed @ registration, when achieve 10%, and when ownership is changed)
- Management Assessment of IC (assessment of IC, statement that mgmt is responsible for establishing and maintaing adequate control structure and procedures, and assessment of effectiveness, auditor must attest - audit)
- Exemption (certain investment companies)
- Code of Ethics for Sr financial officers (if no code, must state why not. Code must promote honest, ethical conduct, FACT -full fair accurate and timely disclosures, in FS. Compliance w/ laws and regs)
- Disclosure of Audit Committee Financial Expert (must disclose the existence, if none why not? - mix of experience and knowledge, understanding of GAAP)
- Enhanced Review of Periodic Disclosures By Issuers (on form 10K - protection of investors - material restatements, significant volatility in stock prices, largest market capitalization, disparities in price-to-earnings ratio, significant affect material sector of the economy)
- Real Time Issuer Disclosures
The SOX act requires certain d_isclosures in periodic reports_:
Disclosures in periodic reports – intended to ensure application of GAAP and transparence to the reader. Enhanced disclosures include:
a. All material correcting adjustments identified by the auditor should be reflected in the FS.
b. All material off-balance sheet transactions should be disclosed:
- Operating leases
- Contingent obligations – lawsuits
- Relations with unconsolidated subs – related parties
c. Conformance of pro-forma FS to the following requirements:
- No untrue statements
- No omitted material info
- Reconciled with GAAP basis FS d. Use of special purpose entities (SPE’s)
The SOX act requires certain conflict-of-interest provisions. Those provisions include:
Issuers are generally prohibited from making personal loans to directors or officers, except if the consumer credit loans are made in the ordinary course of business and no special preferential treatment is given.
The SOX act includes provisions for disclosure of transactions involving management and principal stockholders. Those provisions include:
a. Disclosure (filling a statement) for persons who generally have direct or indirect ownership of more than 10% of any class of most any equity security.
b. Statements are filed at the following items:
>> At the time of registration
>> When the person achieves 10% ownership
>> If there has been a change in ownership
The SOX act includes provisions for management assessment of IC. Those provisions include a report showing:
Management Assessment of IC – Section 404. Each annual report is required to contain a report that includes:
a. A statement that management is responsible for establishing and maintaining an adequate IC structure and procedures for reporting.
b. An assessment, as of the end of the most recent fiscal year of the effectiveness of the IC structure and procedures for financial reporting.
c. The auditor must attest to management’s assessment of IC.
The SOX act includes provision for audit committee disclosures. Those disclosures include:
At least one member of the audit committee should be a financial expert on the committee. Financial reports should disclose the existence of the financial expert or the reasons for the lack of an expert.
For purposes of service on the audit committee, what qualifies an individual for classification as a financial expert?
a. Qualification through education, past experience.
b. Knowledge of the financial expert should include:
>> Understanding of GAAP
>> Experience in the preparation of FS for comparable issuers
>> Application of GAAP
>> Experience with IC
>> Understanding of audit committee functions
The SOX act includes provision for Enhanced Review of Periodic Disclosures by Issuers. Those disclosures include:
The SEC is required to review disclosures made by issuers, including those in Form 10-K, on regular and systematic basis for the protection of investors. When scheduling review, the SEC should consider the following:
- Issuers that have issued material restatements
- Issuers that experience significant volatility in their stock prices.
- Issuers with largest market capitalization – material to market
- Emerging companies with disparities in price-to-earnings ratios
- Issuers whose operations significantly affect any material sector of the economy (large banks/insurance co).
Title VIII of the SOX act considers what topics?
Title VIII Corporate and Criminal Fraud Accountability considers the following topics:
- Criminal penalties for altering documents
- Statute of limitations for securities fraud
- Whitlesblower protection
- Criminal penalties for securities fraud
What are the criminal penalties for altering docs?
a. Individuals who alter, destroy, conceal, cover up, or make false entry in any record, document; or impede or obstruct an investigation – up to 20 years
b. Audit of issuers should retain audit and review work papers for a period of 7 years. Failure results in fine, imprisonment for no more than 10 years.
What is statute of limitation for securities fraud?
No later than the earlier of 2 after the discovery of facts, or 5 years after violation.
What are the for provisions for whistle-blower protection under Title VIII - Corporate and Criminal Fraud Accountability?
An employee, who lawful provides evidence of fraud may not be discharged, demoted, suspended, threatened, harassed, or in any way discriminated against for providing such info. Compensatory damages may include:
- Reinstatement with same seniority
- Back pay with interest
- Compensation for any special damages
What are the criminal penalties for securities fraud under Title VIII - Corporate and Criminal Fraud Accountability
Execution, attempt of execution of securities fraud will result in fines and/or imprisonment for no more than 25 years
Title IX of the SOX act considers what topics?
Title IX - White-Collar Crime Penalty Enhancements considers the following topics:
- Attempt and Conspiracy
- Amendment to Sentencing Guidelines Related to Certain While-Collar Offences
- Failure of Corporate Officers to Certify Financial Reports
What are the provisions for Attempt and Conspiracy under Title IX - White-Collar Crime Penalty Enhancements?
An individual who attempts (conspires) to commit any white-collar will be subject to the penalties as pre-determine by the US Sentencing Commission. This includes mail fraud, wire fraud, and violations of the Employee Retirement Income Security Act (ERISA).
What are the provisions for Amendment to Sentencing Guidelines Related to Certain White-Collar Offences under Title IX - White-Collar Crime Penalty Enhancements?
a. The US sentencing commission will review and amend, as needed, the Federal Sentencing Guidelines. In the event the Sentencing Commission determines a growing trend of a particular offence, it will review to determine if any modification is necessary.
b. The Sentencing Commission will review any additional aggravating or mitigating circumstances for a particular offense that could justify an exception to the existing sentencing ranges.
What are the provisions for Failure of Corporate Officers to Certify Financial Reports under Title IX - White-Collar Crime Penalty Enhancements?
a. Any issuer periodic report filed with SEC must be accompanied by:
- Written statement that the report fully complies with the Securities Exchange Act of 1934.
- Written statement that the info contained fairly presents, in all material respects the financial condition and operating results of the issuer.
- Written statements above must be signed by the CEO and CFO (or equivalent) (who bears responsibility)
b. Any party that certifies the financial report and/or its content knowing that it does not satisfy all the requirements shall be fined or be imprisoned. Specifically, a party who:
- Knowing – fine $1,000,000 and/or jail no more than 10 years.
- Willfully - $5,000,000 and/or jail for no more than 20 years.
Title XI of SOX considers what topics?
Title XI - Corporate Fraud Accountability considers
- Tampering with Record or Impeding an Official Proceeding
- Temporary Freeze Authority for the SEC
- Authority of the SEC to Prohibity Persons Form Serving as Officers or Directors
- Retaliation Agains Informants
What are the provisions fo Tampering with Record or Impeding an Official Proceeding under Title XI - Corporate Fraud Accountability
Any individual who alters, destroys, or conceals a document (record) with the intent to modify the document and its integrity or the availability of the document in an official proceeding shall be fined and/or subject to not more than a 20year prision term.
What are the provisions for Temporary Freeze Authority for the SEC under Title XI - Corporate Fraud Accountability
If the SEC determines it is likely that the Issuer will be required to make penalty payments, the SEC may petition a federal district court to require the issuer to escrow the ayments in an interest-bearing account for 45 days.
What are the provisions for Authority of the SEC to Prohibit Persons From Serving as Officers or Directors under Title XI - Corporate Fraud Accountability
For any cease-and-desist proceedings, the SEC may issue an order to conditionally or unconditionally prohibit an individual from serving as an officer or director of the Issuer for a stipulated period or permanently, if that individual violated securities rules and regulations and the SEC determines that this individual is unfit to continue to serve as a officer or director of the issuer.
What are the provisions for Retaliation Against Informants under Title XI - Corporate Fraud Accountability
Any individual who knowingly takes any harmful action against another person with the intent to retaliate for that person providing truthfull information to the SEC regading a possible federal offense shall be fined and/or imprisioned for not more than 10 years.
What is COSO?
The Committee on Sponsoring Organizations (COSO), an independent private sector initiative, was established in the mid 1980s to study the factors that lead to fraudulent financial reporting. The COSO is sometimes referred to as the Treadway Commission after its original Chairman, James Treadway, Jr., an executive in the private sector. The private “sponsoring organizations” included the 5 major financial professional associations in the US:
- The AAA – American Accounting Association,
- AICPA – American Institute of Certified Public Accountants,
- FEI – Financial Executives Institute,
- IIA – Institute of Internal Auditors, and
- IMA – Institute of Management Accountants
What is the COSO framework?
In 1992, the COSO issued Internal Control – Integrated Framework (Framework) to assist organizations in developing comprehensive assessments of internal control effectiveness. – Best practices –
Fundamental concepts have evolved into 17 principles that have been categorized within the 5 major internal control components (CRIME). The COSO’s framework is widely regarded as an appropriate and comprehensive basis to document the assessment of internal controls over financial reporting.
The framework is used by company management and its board of directors to obtain an initial understanding of what constitutes an effective system of IC and to provide insight as to when IC are being properly applied. It also provides confidence to external stakeholders that an organization has a system of IC in place that is conducive to achieving its objective.
How is the COSO apllication to Management and Board?
The framework assists an entity’s managmeent and BoD in the follwoin areas:
- Effectively applying IC within the overall organization
- Determining the requirements of an effective system of IC
- Allowing judgment and flexibility
- Identifying and analyzing risks
- Eliminating redundant, ineffective, or inefficient controls.
- Extending IC application beyond an organization’s financial reporting (efficient & effective operation compliance w/ laws)
How is the COSO apllication to Stakeholders?
The framework provides value to external stakeholders and other parties that interact with the organization by providng:
- Greater understanding of what constitutes an effective system of IC
- Greater confidence that management will be able to eliminate ineffective, redundant, or inefficient controls.
- Greater confidence that the Board has effective oversight of the Organization’s IC
- Improved confidence that the organization will achieve objectives and will be able to identify, analyze, and respond to risks affecting the organization.
What characteristics are promoted by the COSO framework on internal control?
There are 3 categories of objectives within the framework:
- Operations Objectives - Effective and efficient operations
- Reporting Objectives - Reliable financial reporting
- Compliance Objectives - established to to ensure adherence to all applicable laws and regulations.
What is the COSO cube?
The COSO cube exemplify the direct relationship between an entity’s 3 objectives (ORC)
- Operations
- Reporting
- Compliance,
its 5 integrated IC components (CRIME),
- Control Environment
- Risk Assessment
- Information and Communication
- Monitoring
- (Existing) Control Activities
and the organization structure of the entity.
- Entity Level
- Division
- Operating Unit
- Function
What id the definition of IC - Internal Control?
Internal control is a process that is designed and implemented by an organization’s management, BoD, and other employee to provide reasonable assurance that it will achieve its compliance operating, and reporting objectives.
What are the 5 integrated components of internal control?
- Control Environment
- Risk Assessment
- Information and Communication
- Monitoring
- Existing Control Activities
What is the Control Environment component of internal control and its 5 related principles?
The control environment includes the processes, structures, and standards that provide the foundation for an entity to establish as system of internal control. “Tone at the top” approach.
The elements are: EBOCA
Commitment to Ethics & Integrity
Board Independence and Oversight
Organizational Structure
Commitment to Competence
Accountability
What is the Risk Assessment component of Internal Control and its 4 related principles?
Risk Assessment is an entity’s identification and analysis of risks to the achievement of its objectives. The 4 principles are SICI
- Specify Objectives – Organization creates objectives that allow for identification and assessment of the risks related to those objectives
- Identify and Analyze Risks – identify and analyze risks across the entity in order to determine how risks should be managed
- Consider Potential for Fraud - in assessing risks
- Identify and Assess Changes – that could significantly impact the system.
What is the Information and Communication component of internal control and its 3 related principles?
It supports the identification, capture, and exchange of information in a timely and useful manner. 3 principles relate to information and communication that are: “FACT” (Fair, Accurate, Complete, Timely)
- Obtain and Use Information – The organization uses relevant, high-quality information that supports the functioning of IC.
- Internally Communicate Information – internal audit, audit committee, management.The organization internally communicates information necessary to support the functioning of IC, including relevant objectives.
- Communicate with External Parties – CPA firm. The organization communicates with external parties regarding matters that affect the functioning of IC.
Internal control information is needed to facilitate the function of control components and is identified, captured, used and distributed in a timely manner that enables personnel to fulfill their responsibilities. Reporting that triggers prompt exception resolution, root cause analysis, and control updates illustrate this principle.
What is the Monitoring component of internal control and its 2 related principles?
Is the process of assessing the quality of IC performance over time by assessing the design and operation of controls on a timely basis and taking corrective actions.
- Ongoing and/or Separate Evaluations – Frequency of testing is dictated by risk. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of IC are present and functioning.
- Communication of Deficiencies – Report and correct deficiencies. The organization evaluates and communicates IC deficiencies in a timely manner to parties responsible for taking corrective action.
Internal Control activities must be constantly monitored and evaluated for effectiveness.
What is the (Existing) Control Activities componente of Internal Control and its 3 related principles
Are set forth by an entity’s policies and procedures to ensure that the directives initiated by management to mitigate risks are performed. Control Activities may be detective or preventative in nature and may include automated and manual activities (e.g. approvals, reconciliations, verifications). Segregation of duties is usually part of the control activities developed by the organization, and when not practical, management should develop alternative controls.
- Select and Develop Control Activities - The Organization selects and develops control activities that contribute to the mitigation of risks to acceptable levels.
- Select and Develop Technology Controls – “IT”. The Organization selects and develops general control activities over technology to support the achievement of objectives.
- Deployment of Policies and Procedures - The Organization deploys c_ontrol activities through policies that establish what is expected and procedures that put policies into action_.
A component of internal control that includes actions being taken to promote the control environment.
What are the specific requirements for an effective Internal Control?
To be considered an effective system of IC, Sr. management and the board must have reasonable assurance that the entity:
- Achieves effect and efficient operations when:
- External threats unlikely to have significant impact on achievement of objectives; or
- The Organization can reasonably predict or mitigate the impact of external events to acceptable level.
- Understand the extent to which operations are managed effectively and efficiently when:
- External events may have significant effect on achievement of objectives; or
- The O can reasonably predict or mitigate the impact of external events to acceptable level.
- Complies with all applicable rues regulation, external standards, and laws.
- Prepare reports that in conformity with entity’s reporting objectives and all applicable standards, rules, and regulations.
What are the general requirements for an effective Internal Control?
An effective system of IC provides reasonable assurance that the entity’s objectives will be achieved. An effective system of IC requires:
- All 5 (CRIME) components and 17 principles that are relevant to be both present and functioning.
- Present – it means the components and principles are included in the design and implementation of IC system.
- Functioning – demonstrates that the components and principles are currently operating as designed in the IC system
- All 5 (CRIME) components operate together as an integrated system, in order to reduce, to an acceptable level, the risk that the
When is an Internal Control considered Ineffective?
A major deficiency represents a material IC deficiency or combination of deficiencies that significantly reduces the likelihood that an organization can achieve its objectives.
When major deficiency is identified the entity may not conclude that it has met the requirements for an effective IC under COSO.
How can diferentiate the COSO framework vs. the Audit framework?
COSO useful for identifying and evaluating an entity’s internal control in an audit context, an external auditor focuses on how a given control prevents or detects an correct material misstatements in financial reporting
Auditing standards have 3 categories of IC deficiencies that may be identified: a (control) deficiency, significant deficiency, and material weakness.
What are the IC framework limitations?
- Human error
- Faulty or biased judgment in decision making
- Suitability of entity’s objectives
- Events beyond entity’s control
- Collusion
- Management override
What is ERM- Enterprise Risk Management?
According to COSO, “Risk is he possibility that an event will occur and adversely affect the achievement of objectives.”
In 2004, the COSO issued ERM – Integrated Framework to assist organizations in developing a comprehensive response to risk management.
ERM is designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
How does COSO defines ERM?
A process effected by an entity’s BoD, management and other personnel, applied in strategy settin and accross the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to privide reasonable assurance regarding the achievement of entity objectives.
What activities does the COSO framework for enterprise risk management include?
Identifies Risk Factors Promotes Risk Response Decisions Compares Management Risk vs. Shareholder Goals Aids in evaluating opportunities Promotes Quicker Capital movement Does NOT eliminate all risk
The ERM framework encompasses the following themes:
- Aligning Risk Appetite and Strategy – The O set strategy and objectives on willingness to bear risk
- Enhancing Risk Response Decisions – ERM can be used to evaluate how the O will respond to risk and how to improve the effectiveness of risk decision making
- Reducing Operational Surprises and Losses.
- Identifying and managing multiple and cross-enterprise risks
- Seizing opportunities – better capitalize on opportunities
- Improving deployment of capital
What are the 4 categories in which ERM defines enterprise objectives?
SORC
Strategic – high level goals designed to achieve the mission. Establishing objectives that will support the mission and vision of an organization generally involve supporting the mission with s trategic objectives, supported by strategies and related objectives.
Operations – Achievement of objectives through the effective and efficient use of resources. A document including a commitment to conduct focus groups with customers and suppliers to determine the responsiveness of the company to the needs of various parties is most likely related to a operation objective.
Reporting – Achievement of reliable and consistent reporting. A document including a commitment to develop a uniform chart of accounts for all divisions of he conglomerate is most likely related to a reporting objective.
Compliance – Ensuring compliance with laws and regulations. A document including a commitment to establish an ethics hotline and assign an officer to conduct ethics training and monitor reports through the hotline is a commitment that would most likely be a related to a compliance objective.
What are the components of ERM?
IS EAR AIM
Internal Environment CRIME
Setting Objectives SORC
Event Identification CRIME
Assissment of risk CRIME
Risk response CRIME
Control Activities (existing) CRIME
Information and Communication CRIME
Monitoring CRIME
Which are the 8 key elements of the Internal Environment of ERM?
Similar to the Control Environment of IC framework. Internal environment – tone @ the top “EBOCA” HR E. Commitment to Ethical values and integrity – Adoption and demonstration of high ethical values by management will shape the internal environment
B. Board oversight – The appropriate oversight provided by the BOD establishes an organization-wide tone that recognizes their authority and promotes accountability of management
O. Organization structure
C. Commitment to Competence
A. Accountability
+ RHR
R. Risk managment philosophy (aggressive or conservative) – shared beliefs and attitudes of management that impact the entire organization.
H. Human resources standards(hire, train, evaluate, compensate, promote) – The commitment to hiring the most qualified people will influence the internal environment.
R. Risk Appetite - The amount of risk an organization will accept in the pursuit of value maximization. Risk appetite factors heavily into balancing strategy with return.
Which are the key elements that supports the objective setting in ERM?
Organizations set objectives and then identify the events that may prevent the achievement of those objectives.
- Strategic Objectives
- Related Objectives
- Operations Objectives
- Reporting Objectices
- Compliance Objectives
- Selected Objectives
- Risk Appetite
- Risk Tolerances
What are the key elements of the Event Identification component of the COSO’s ERM Integrated framework?
- Events
- Influencing Factors
- Event Interdependencies
- Event Categories
- Distinguising Risks and Opportunities
What is the element Events in ERM’s Event Identification?
are the core of risk assessment processes. An event is an internal or external occurrence that impacts strategy or the achievement of the objectives. It is the uncertainty of the event along with its potential severity or benefit hat drives the risk assessment and response process.
What is the element _Influencing Factors t_hat supports Event Identification in the ERM framework?
Occurrences can come from anywhere. Events can be external such as economic (recession), natural (storms), and social (changes in society). Events might also be internal such as technology choices, personnel, etc.
What is the element Event Identification Techniques in ERM’s component Event Identification?
Event Identification Techniques – There are many methods used to identify events. Workshops and brainstorming sessions might be useful. Analytics applied to date including trend analysis might be used. Techniques may include:
- Event Inventories – List of potential events common to companies in particular industries.
- Internal Analysis – Analysis performed by internal staff as part of business planning.
- Escalation or Threshold Triggers – Comparison of activity to predefined criteria may trigger identification of events (e.g. variance from standards).
What is the element Event Interdependency in ERM’s component Event Identification?
Event identification considres event interdependencies. ex. Changes in interest rates might impact exchange rates, which could change supplier costs or foreign demand.
What is the element Event Categories in ERM’s component Event Identification?
Events might be categorized in any number of ways to ensure comprehensive consideration of potential events. The can be:
- External
- Economic
- Natural Environment
- Political
- Social
- Technological
- Internal
- Infrastructure (e.g. assets, capital)
- Personnel
- Process
- Technology
What is the element Distinguishing Risks and Opportunities in ERM’s component Event Identification?
They can be Negative or Positive
- Negative events that will prevent achievement of objectives are risks.
- Positive events that promote achievements of objectives are opportunities.
What are the key elements of the Risk Assessment component of COSO’s ERM Integrated Framework?
- Inherent and Residual Risk
- Establishing Likelihood and Impact
- Data Souces
- Assessment Techiques
- Event Relationships
Explain “Inherent and Residual Risk” in the component Risk Assessment.
Inherent and Residual Risks
- Inherent Risk the risk to an organization that exists if management takes no action to change the likelihood or impact of an adverse event.
- Residual Risk is the risk to an organization that exists after management takes action to mitigate the adverse impact of the event.
Explain “Establishing Likelihood and Impact” in the component Risk Assessment.
Likelihood of an event is the probability that an event might occur.
Impact of an event is the consequence of its occurrence. Impact is alternatively referred to as severity or seriousness.
In establishing the likelihood and impact of events, managers should use the same time horizon as strategic plans.
Explain “Data Souces” in the component Risk Assessment.
Data Sources are generally drawn from past experience or similar events.
Explain “Assessment Techiques” in the component Risk Assessment.
Assessment Techniques include empirical and intuitive methods such as:
- Benchmarking – use common date from organizations with similar characteristics
- Probability Models – Statistical data – more objective – historical. Use of a range of events and impacts with the likelihood estimated using assumptions.
- Non-probabilistic Models – Opinion – outcome of lawsuit. Use of subjective assumptions to estimate event impact without estimating likelihood.
Explain “Event Relationship” in the component Risk Assessment.
Managers must determine if individual events correlate or unrelated.
What are the key elements of the Risk Response component of COSO’s ERM Integrated Framework?
Management’s response to risk must align with the organization’s overall risk appetite. Risk Response is suppertod by the following:
- Evaluating Possible Responses
- Seleted Responses
- Portfolio View
What are possible responses to risk under the COSO framework for enterprise risk management?
- Avoid - or terminate - Ex: discontinue an underperforming product.
- Reduce - or mitigate - Ex: invest in techonology to monitor inventory.
- Share - or transfer - Ex: buy insurance to cover potential losses
- Accept - if the Company takes no action.
What are the key elements of the Control Activities component of COSO’s ERM Integrated Framework?
Control Activities are the policies an procedures used to effect management’s response to risk. The key elements of Control Activities are:
- Integration with Risk Response
- Types of Control Activities
- Policies and Procedures
- Controls over Information Systems
- Entity Specific
Explain “Integration with Risk Response” in ERM’s component Control Activities.
Policies and procedures should mirror the actions anticipated by the risk response and should be anticipated to be effective.
Explain “Types of Control Activities” in ERM’s component Control Activities.
- Top-level Reviews – variance analysis – Review of major initiatives and budget vs. actual performance by senior executive managers.
- Direct Function or Activity Management – Review of performance reports and reconciliations b operating managers to ensure the transaction and other operations are executed as prescribed.
- Information Processing
- Physical Controls – Assets are kept in physically secure locations.
- Performance Indicators – Red Flags – Ratio Analysis – An assigned employee or manager should compare financial or operating results to predetermined standards. Any material variances should be investigated by the assigned employee.
- Segregation of Duties – ARC - There should be adequate segregation of the authorization, record keeping and custodial functions to ensure that no one individual can control a transaction from beginning to end and thereby manipulate results
Explain “Information and Communication” in ERM’s component Control Activities.
Information and Communication includes the identification, capture, and communication of information throughout the Organization in an effective manner.
- Information is needed at all levels of the organization to manage risks.
- Strategic and Integrated Systems
- Integration with Operations
- Depth and Timeliness of Information
- Information quality (Appropriate, Timely, Current, Accurate, Accessible)
- Communication
- Internal
- External
- Means of Communication (e-mail, formal correspondence, social network, etc)
Explain “Monitoring” in ERM’s component Control Activities.
Monitoring should be used to manage risk
- Ongoing Monitoring Activities
- Separate Evaluations
- Reporting Deficiencies
What are the elements of Effectiveness?
Each component of ERM must be present and funcioing. The components are the effectiveness criteria
There can be no material weakness for ERM to be considered effective.
What is the significance of Effective ERM?
Management and BoD have reasonable assurance that:
- They understand the extent to which theentity’s strategic and operating objectives are being achieved.
- Reporting is reliable and applicable laws and regulations are being complied with.
What are the limitations of ERM?
ERM is an outanding tool, but is subject to human judgment. ERM evaluations could be made in error and managers could override controls.
What is change control process?
Change control managment and processes consider the manner in which management monitors and authorizes changes to a variety of information technology matters including software application programs, system software, database administration, network and security, and job scheduling.
How change managment in less complex computer environment is applied?
Less complex operations generally relate to small companies that have implemented prepackaged applications without significant modifications. Although user configurations are possible, they do not impact the function of the applications.
- Selection and Deployment of Systems
- Sr management approves the selection of the system
- Implementation follows the logical steps
- Risk Assessment is performed
- Application controls are considered
- Security requirements are considered
- Data conversion requirement are developed
- Testing is performed
- Implementation is completed
- Post implementation reviews are performed
- Patch Managment process
- Patches are tested prior to implementation
- patches might be tested by 3rd parties
- Only authorized individuals are allowed to move changes into production and the function of manking the change is segregated from the function of putting the change into production.
How change managment in more complex computer environment is applied?
More complex operations may relate to larger companies that involve a wider variety of changes than less complex operations.
- Complex computer evirnments may have the following characteristcs:
- Source code may be developed in house for critical applications
- Prepackaged software may have special customization to meet specific entity requirements
- Change managments control adapt to more sophisticated requirements.
- change that require documentation are defined
- Access and updates to source code are managed with version control systems.
- All significant changes are tested before being released into production
- Back out plans exist for changes that cannot be performed in segregated environments.
- Only authorized individuals are permitted to move changes into production and that function is where possible, segregated from the individual responsible for making change
- Notification, evaluation, and documentation steps are performed by a system manager to resolve emergency change requests.
- Where segregation of duties is not practical, management partitions servers into development, test, and production environments to mimic segregation of duties and reviews the operation of partitioned environments on a periodic basis.
*
What are the 4 stages of the change continuum identified by COSO?
The COSO identifies 4 stages of the change continuum:
- control baseline,
- change identification
- change management
- control validation/update.
Change Identification considers the risk assessment component of internal control and identifies change in process or risk and verifies that the design of underlying controls remains effective. Monitoring through the use of ongoing and separate evaluations should consider the ability to identify and address changes in the change identification stage of the monitoring for change continuum.
