Corporate Governance

Question 1

Who has the right and responsibility to manage a corporation?

Answer 1

Its board of directors (BD)

Question 2

How many directors on the board should be independent?

Answer 2

At least two, if possible

Question 3

What other names can the board of directors be called?

Answer 3

(1) executive board
(2) board of managers
(3) board of trustees
(4) board of governors

Question 4

What is an audit committee?

Answer 4

An independent committee of board members that oversees the company’s financial reporting process, including internal auditing and interaction with any external auditors

Question 5

What must an audit committee include?

Answer 5

At least one financial expert

Question 6

What must all members of an audit committee be?

Answer 6

Independent of the corporation – not accepting compensatory fees for advisory, consulting, or other positions

Question 7

How are officers in a corporation related to directors?

Answer 7

Officers are appointed by the BD, and the same people can be officers and directors

Question 8

What is a disclosure committee?

Answer 8

A committee that may optionally be formed in order to cover various disclosure issues in financial reporting
-e.g. timeliness, materiality, reporting info to management

Question 9

Who is responsible for evaluating the operating effectiveness of internal controls over financial reporting (ICFR)?

Answer 9

Management, NOT the external auditor

The point is that the auditor should not audit his own work, but should audit management’s representations concerning internal controls

Question 10

What are the general purposes of the Sarbanes-Oxley (SOX) Act?

Answer 10

(1) regulating auditors of public companies
(2) establishing sound corporate governance
(3) enhancing corporate reporting and disclosure
(4) strengthening enforcement for various laws and regulations

Question 11

What does Section 302 of SOX require?

Answer 11

A company’s CEO and CFO must certify (1) accuracy, (2) reliability, and (3) completeness for financial statements, in addition to (4) reliability of internal controls

Question 12

Under Section 302 of SOX, what are the CEO and CFO sometimes called?

Answer 12

The signing officers

Question 13

Under Section 302 of SOX, are the CEO and CFO required to ensure their presented financial info’s conformity with GAAP?

Answer 13

Yes, but the requirements to which they must conform extend beyond GAAP as well – the overall goal is to fully inform investors

Question 14

What does Section 404 of SOX require?

Answer 14

A company’s management must oversee internal control over financial reporting (ICFR)

Question 15

Under Section 404 of SOX, what is management required to do regarding ICFR?

Answer 15

(1) prepare an annual report on ICFR
(2) prepare a statement of responsibility for ICFR
(3) conform to an acceptable framework for ICFR (e.g. COSO)
(4) prepare a statement of conclusion for ICFR’s operating effectiveness
(5) disclose any material weaknesses in ICFR

Question 16

Besides management’s duties, what else does Section 404 of SOX require?

Answer 16

The external auditor must attest to and report on management’s assessment of ICFR

Generally done when evaluating the annual and quarterly reports

Question 17

What does SOX require for companies’ disclosure controls?

Answer 17

Companies must maintain and evaluate controls governing info that is disclosed in various required reports

In particular, controls related to nonfinancial info (outside the financial statements) must be more clearly laid out

Question 18

When a company is evaluating its disclosure controls, what are the typical things it checks for?

Answer 18

(1) whether the right people are involved
(2) whether key risk areas are addressed
(3) possible weaknesses
(4) whether voiced concerns have been addressed

Question 19

Under SOX, what is the penalty for signing officers if they falsely certify the financial statements?

Answer 19

Up to $1 million and/or 10 years in prison

If willful, up to $5 million and/or 20 years in prison

Question 20

Which companies do not need to comply with SOX?

Answer 20

Nonpublic and nonprofit companies

They can voluntarily adopt SOX standards to have a recognized level of internal control quality

Question 21

What are different objectives for internal control?

Answer 21

(1) financial reporting
(2) operational effectiveness or efficiency
(3) regulatory compliance

Compliance with SOX deals with (1)

Question 22

What are inherent limitations to internal control?

Answer 22

Internal control is intended to provide “reasonable assurance” and thus always involves risk, such as miscalculations, conspiracy, and management override

Question 23

Who is responsible for a company’s internal control?

Answer 23

Management

Question 24

What is the most commonly adopted framework for internal control?

Answer 24

Committee Of Sponsoring Organizations’ (COSO) Integrated Framework

Question 25

What are the five key elements of the COSO framework?

Answer 25

(1) control environment
(2) risk assessment
(3) information and communication
(4) control activities
(5) monitoring

Question 26

Under the COSO framework, what is the control environment?

Answer 26

The overall foundation for the other components of internal control, involving how people act, think, and are aware of internal control. Includes:

• organizational structure
• HR policies
• management’s philosophy
• communication of company ethics

Question 27

Under the COSO framework, what is risk assessment?

Answer 27

The company’s identification of its own risks (particularly as related to financial statements), determining how to manage them

Question 28

Under the COSO framework, what are information and communication?

Answer 28

All processes and duties related to the keeping and transferring of info

Includes considerations for the flow of info from management “downward” and from lower levels “upward”

Question 29

Under the COSO framework, what are control activities?

Answer 29

Policies and procedures providing reasonable assurance that management decisions are carried out. Include:

• performance reviews
• physical controls
• segregation of duties
• information processing (general controls and application controls)

Question 30

Under the COSO framework, what is monitoring?

Answer 30

Keeping track of internal control quality over time, and correcting mistakes as needed – important due to internal controls’ natural tendency to deteriorate over time

Monitoring is management’s responsibility

Question 31

What is a control deficiency?

Answer 31

When a control, either in design or in operation, would not prevent or detect a misstatement on a timely basis

Not necessarily evidenced by some particular control failure, since they’re not supposed to be 100% effective

Question 32

What are two different kinds of control deficiency?

Answer 32

(1) design deficiency – in what it is intended to do, regardless of how well it does it
(2) operating deficiency – in how well it fulfills what it’s designed to do

Question 33

What are two different degrees of control deficiency?

Answer 33

(1) significant deficiency and (2) material weakness

Material weaknesses lead to the reasonable possibility of material misstatement in the financials; significant deficiencies are less bad but still deserve attention

Question 34

Can a deficiency be determined to be a material weakness purely quantitatively?

Answer 34

Generally, no – other qualitative factors should always be taken into consideration

The degree of deficiency is ultimately a matter of professional judgment

Question 35

What are the International Standards for the Professional Practice of Internal Auditing?

Answer 35

Standards set by the Institute of Internal Auditors (IIA) to be used by internal auditors in whatever environment they work in

In the context of internal auditing, these are just called the “Standards”

Question 36

What is the general structure of the Standards?

Answer 36

It ultimately includes two types of standards: (1) attribute standards and (2) performance standards, both of which are applicable to all internal auditing

Question 37

In the Standards, what is the difference between attribute standards and performance standards?

Answer 37

Attribute = pertain to the company’s or the internal auditor’s attributes (e.g. independence)

Performance = pertain to the performance of the actual internal auditing services themselves

Question 38

What is an internal audit charter?

Answer 38

A formal document defining the internal audit activity’s purpose, rights, and duties within the organization

Question 39

What are four attributes required among internal auditors?

Answer 39

(1) independence - no conflicts of interest
(2) objectivity - mentally unbiased, assumed responsibility
(3) proficiency - requisite skills
(4) due professional care - care of a reasonably prudent professional in the circumstances

(1) and (2) must be held both in fact and in appearance

Question 40

As an attribute standard, what must internal auditors continue to maintain?

Answer 40

Continuing professional education - continuously improving their knowledge of the profession

Question 41

What is required of internal auditors when reporting on their corporation’s quality assurance?

Answer 41

The chief audit executive is required to report on quality assurance and improvement programs to the board and to senior management

Question 42

What is a disclosure of nonconformance?

Answer 42

Any nonconformity with the Standards, code of ethics, or other professional auditing standards, if it affects the internal audit, must be communicated to the board and to senior management

Question 43

According to the performance standards for an internal audit, what is the chief audit executive responsible for?

Answer 43

(1) managing the internal audit
(2) determining the audit’s priority given the risks of unaudited activity and other business goals
(3) managing resources needed for the audit
(4) establishing policies and procedures for the audit
(5) reporting to the board and to senior management

Question 44

According to the performance standards for an internal audit, what are some objectives of the internal audit?

Answer 44

(1) improving corporate governance
(2) managing risk
(3) improving internal controls

Question 45

What is enterprise risk management (ERM)?

Answer 45

Developing a risk strategy for a company, considering its “risk appetite,” resources, and other factors

ERM is relevant to corporate governance mostly insofar as it addresses the risk of material misstatement on the financials

Question 46

What are four different ways to manage risk?

Answer 46

(1) risk avoidance
(2) risk reduction
(3) risk sharing
(4) risk acceptance

Question 47

What are the three components of the ERM framework?

Answer 47

(1) establishing company objectives
(2) identifying factors, internal and external, that might hinder or prevent the attainment of those objectives
(3) choosing a risk management strategy

Question 48

What sort of approach does the SEC recommend in monitoring the effectiveness of controls?

Answer 48

A “top-down” approach: starting at company-level controls, then finding controls related to more subsidiary processes or accounts, and so on

Question 49

What are the benefits of having effective company-level controls?

Answer 49

More time-intensive testing on smaller levels is not necessary – external auditors are not permitted to rely solely on company-level control evaluations, though their workload on lower levels can still be reduced by good company-level controls

Question 50

What is a very important practice when testing controls?

Answer 50

Sampling – varies based on population size, previous experience with control, nature of control, etc.

Question 51

When management assesses internal controls for itself, including sampling, who is responsible for the nature, extent, and timing of control testing?

Answer 51

Management

The auditor is responsible only for his sampling procedures; management cannot unduly rely on the auditor’s decisions to support their own assessment of control effectiveness

Question 52

What is the change control process?

Answer 52

A formal process which ensures that required changes to ICFR have been done

Question 53

Who can hold management responsible for properly executing the change control process?

Answer 53

The audit committee