Corporate Governance (18%)

Question 1

Providing user documentation, maintaining fire suppression equipment in the File Library, and using usernames and passwords to control access to the system are all examples of what type of Control?

Answer 1

General Controls

Question 2

Definition of Feedback Controls

Answer 2

A procedure in which the results of a process are evaluated and, if the results are undesirable, the process is adjusted to correct the results; most detective controls are also feedback controls.

Question 3

Detective Controls

Answer 3

After the fact control designed to detect an error after it has occurred. Examples of detective controls include data entry edits (field checks, limit tests) and reconciliation of batch control totals.

Question 4

Application Controls

Answer 4

Controls over specific data input, data processing, and data output activities. Designed to ensure the accuracy, completeness, and validity of transaction processing. As such, application controls have a relatively narrow focus on those accounting applications that are involved with data entry, update, and reporting.

Question 5

Corrective Controls

Answer 5

Paired with detective controls, they attempt to reverse the effects of the error or irregularity which has been detected. Examples of corrective controls include maintenance of backup files, disaster recovery plans, and insurance.

Question 6

Sarbanes Oxley of 2002, the CEO and CFO may be penalized for misrepresenting the company’s finances by being?

Answer 6

Fined and Imprisoned

Question 7

17 Components of Internal Control - Risk Assessment Section

Answer 7

1. Organizational Objectives
2. Assessment
3. Fraud
4. Change Management

Question 8

TRUE OR FALSE - SOX stated that one member of the Audit Committee must be a “financial expert.”

Answer 8

FALSE The Sarbanes-Oxley Act provides that at least one member should be a “financial expert.” The names of the financial experts must be disclosed. If the firm does not have a financial expert, it must provide an explanation.

Question 9

Which of the following committees of the board of directors generally has the responsibility of overseeing CEO succession?

Answer 9

The nominating/corporate governance committee

Question 10

Control Environment as a Component of Internal Control has 5 principals

Answer 10

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. It may be viewed as the foundation for the other components of internal control.

1. Ethics at the top of organization
2. Independent Management
3. Management establishes oversight
4. Competent talent in organization
5. Accountability

Question 11

Director’s Duty of Loyalty

Answer 11

The directors’ duty of loyalty means that they must put the interest of the corporation before their personal interest. Assume a director is approached with a business opportunity that would be of interest to and benefit the corporation. However, the director is also interested in the opportunity. The director must first offer the opportunity to the corporation before pursuing it on his or her own behalf.

Question 12

Auditing Standards divide internal control into five interrelated components (elements) as follows:

Answer 12

1. Control Environment,
2. Risk Assessment,
3. Control Activities,
4. Information and Communication, and
5. Monitoring.

Question 13

ERM - Risk Response

Answer 13

1. Avoidance - exiting activity to avoid risk
2. Reduction - taking steps to reduce risk likelihood or impact
3. Sharing - transfers risk via insurance, hedging or outsourcing
4. Acceptance - no action taken

Question 14

Three Objectives of Internal Control (ROC)

Answer 14

1. Reliability of reporting (financial statements)
2. Efficiency and effectiveness of operations (significant events, safeguarding assets)
3. Compliance with applicable laws and regulations.

Question 15

Internal Control Components of COSO & ERM

Answer 15

ERM has 8 Components (5 of which are same as COSO Components of IC)

1. Internal Environment (COSO)
2. Strategic Objective Setting
3. Event Identification
4. Risk Assessment (COSO)
5. Risk Response - ERM’s main focus for corporations
6. Control Activities (COSO)
7. Information and Communication (COSO)
8. Monitoring (COSO)

Question 16

SOX Act of 2002 did three things:

Answer 16

1. SOX directed public company audit committees to install procedures for ensuring that whistleblowers’ complaints are properly directed.
2. SOX provided a civil damages action for public company whistleblowers who suffer retaliation for providing information in an investigation or participating as a witness or otherwise in a proceeding involving federal securities law violations.
3. SOX made it a crime punishable by fine and/or imprisonment of not more than 10 years to retaliate against an informant who provided truthful information relating to the commission of any federal offense to a law enforcement officer (not just federal securities law violations).

Question 17

Dodd-Frank created an entirely new anti-retaliation provision that whistleblowers are likely to use instead of the SOX provision (even as amended), because:

Answer 17

1. Whistleblowers may sue directly in federal district court without going through the Department of Labor complaint process.
2. Whistleblowers may recover two times the amount of back pay owed with interest and attorneys’ fees if they establish that they are victims of retaliation.
3. The SOL is much longer - whistleblowers must file within three years of when they knew, or should have known, they had the right to sue and within six years of the violation.
4. Note that the SEC can also sue to punish such retaliation.

Question 18

If an accountant learns such “original information” (i.e. whistleblower related) while acting as an internal auditor, or while working for a public accounting firm performing a mandated audit, he or she is disqualified from receiving a bounty?

Answer 18

Yes. Auditors are already duty-bound to report such information and as such they are viewed as not needing the incentive of a bounty to fulfill their obligation.

However, there are a few exceptions where the auditor could claim a bounty.

Question 19

COSO Cube

Answer 19

Question 20

COSO Model Pyramid Structure

Answer 20

Question 21

COSO ERM Model Cube

Answer 21

Question 22

Attribute Standards - Internal Audit Charter

Answer 22

“The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.”

Question 23

Attribute Standards - Organizational Independence

Answer 23

• “The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.
• The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.”

Question 24

Attribute Standards - Quality Assurance and Improvement Program

Answer 24

• “The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.”
• “The quality assurance and improvement program must include both internal and external assessments.”

Question 25

Attribute Standards:

Requirements of the Quality Assurance and Improvement Program - Internal Assessments

Answer 25

“Internal assessments must include:

• Ongoing monitoring of the performance of the internal audit activity; and
• Periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices.”

A related Interpretation states, “Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the International Professional Practices Framework.”

Question 26

Attribute Standards:

Requirements of the Quality Assurance and Improvement Program - External Assessments

Answer 26

“External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board:

• The need for more frequent external assessments; and
• The qualifications and independence of the external reviewer or review team, including any potential conflict of interest.”

Question 27

High Level Attribute Standards

Answer 27

• Purpose, Authority, and Responsibility (Standard 1000)
• Independence and Objectivity (Standard 1100)
• Proficiency and Due Care (Standard 1200)
• Quality Assurance & Improvement Program (Standard 1300)

Question 28

High Level Performance Standards

Answer 28

• Managing the Internal Audit Activity (Standard 2000)
• Nature of Work (Standard 2100)
• Engagement Planning (Standard 2200)
• Performing the Engagement (Standard 2300)
• Communicating Results (Standard 2400)
• Monitoring Progress (Standard 2500)
• Resolution of Senior Management’s Acceptance of Risks (Standard 2600)

Question 29

Performance Standards: Managing the Internal Audit Activity - Planning

Answer 29

The chief audit executive should consider the entity’s risk management framework, including established risk appetites set by management.

Question 30

Performance Standards: Nature of Work - Risk Management

Answer 30

Determining that the risk management processes are effective is a judgment as to whether

1. the organization’s mission and objectives are aligned;
2. significant risks are identified/assessed;
3. risk responses are appropriate relative to risk appetites; and
4. relevant risk information is captured and communicated in a timely manner.

Question 31

Performance Standards - Resolution of Senior Management’s Acceptance of Risks

Answer 31

“When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution.”

Question 32

The Dodd-Frank Act of 2010 established a requirement that:

• All members of the compensation committee of the board of directors be independent.
• All members of the audit committee of the board of directors be independent.
• All members of the corporate governance committee of the board of directors be independent.
• All members of the board of directors be independent.

Answer 32

• All members of the compensation committee of the board of directors be independent.

Question 33

SEC

Answer 33

The SEC is responsible for protecting investors; maintaining fair, orderly, and efficient markets; and facilitating capital formation. In achieving these responsibilities, the SEC enforces the U.S. securities laws.

• Division of Corporate Finance - reviews public filings.
• Division of Enforcement - law enforcement
• Office of Chief Accountant - accounting and auditing advisor for SEC

Question 34

Dodd-Frank’s Corporate Responsibility Provisions (other than whistleblowing (see separate card))

Answer 34

Say on Pay and Say on Golden Parachutes: Section 951 of the Dodd-Frank Act requires public companies to provide their shareholders with a periodic non-binding “advisory” vote to approve the compensation of its executives.

Independence for Compensation Committies and Compensation Consultants/Advisors: requires the SEC to direct the stock exchanges to adopt independence standards for public companies’ compensation committees considering certain factors established by the SEC.

Pay for Performance and Pay Equity Disclosures: Section 953 requires public companies to make disclosures regarding the relationship between a company’s executive compensation and its financial performance. Public companies must also disclose the ratio between a company’s CEO’s total compensation and the median total compensation for all other company employees.

Clawback Compensation: equires the SEC to direct the stock exchanges to require listed companies to develop and implement compensation claw-back policies enabling the recovery of incentive-based compensation from current or former executive officers following a restatement of financial results.

Hedging Disclosure: The SEC is required to issue rules requiring public companies to disclose whether employees and directors are permitted to hedge against any decrease in the value of the a public company’s stock.

Proxy Access: SEC required to issue rules permitting public company shareholders to nominate directors using the company’s proxy solicitation materials.

Question 35

Dodd-Frank’s Corporate Responsibility Provisions - Whistleblowing

Answer 35

Section 922 created a significant financial incentive for whistleblowers that voluntarily provide “original information” to the SEC that leads to the recovery of more than US$1 million in monetary sanctions from the violation of the federal securities laws. The provision impacts both public and private companies as there are a number of ways in which a private company can violate the federal securities laws (e.g., seeking investors). In addition to the financial incentives for whistleblowers, Section 922 creates a private right of action for whistleblowers who suffer retaliation which prohibits employers from discharging, demoting, suspending, threatening, harassing or otherwise discriminating against a whistleblower because of any lawful act or report by the whistleblower. In May 2011, the SEC adopted rules to establish a whistleblower program, and such rules are now effective.

Question 36

SOX and Dodd-Frank - application to public and private companies?

Answer 36

NO…SOX only applies to publicly traded organizations. However, there is one exception where the whistleblower provision of Dodd-Frank does apply in certain circumstances to private companies.

Question 37

Risk Assessment as a Component of Internal Control has 4 principals

Answer 37

1. Strategic Objectives (to acknowledge, identify and strategy development)
2. Assessment
3. Fraud must be considered as a risk
4. Change Management

Question 38

Control Activities as a Component of Internal Control has 3 principals

Answer 38

1. Risk Reduction (integrate controls with risk strategy and assessment)
2. Technology Controls
3. Policies

The exam may ask if Risk Reduction is part of the Risk Assessment component and it is NOT.

Question 39

Information & Communication as a Component of Internal Control has 3 principals

Answer 39

1. Quality information
2. Internal (whistleblower)
3. External

Question 40

Monitoring as a Component of Internal Control has 2 principals

Answer 40

1. Must be ongoing and periodic (benchmarking)
2. Must address control deficiencies

Question 41

COSO ERM Objectives and Purpose

SORC Objectives

Answer 41

COSO ERM provides common language with regard to RISK and is effected by an organization’s management.

1. Strategic Objective
2. Operations Objective
3. Reporting Objective
4. Compliance Objective

Question 42

International Internal Auditing Standards

• Attribute
• Performance

Answer 42

Attribute Standards focus on the implementation of the internal audit, characteristics of the individuals performing the audit and internal audit activities.

Performance Standards focus on high level management of the internal audit and creates measurement criteria.

Question 43

Control Framework showing relationships amongst the control types

Answer 43

Remember that:

1. Preventative - before the fact, passive controls
2. Detective - after the fact, active controls, second line of defense
3. Corrective - if error then action to correct, often paired with detective controls

Controls also fall under the umbrella of being either General Controls or Application Controls.

1. General Controls are often preventative controls over the design and operation of the Computer System.
2. Applications Controls deal with data input/output and processing and are often detective controls.

Question 44

Financial Expert on the Audit Committee

Answer 44

The Sarbanes-Oxley Act provides that at least one member should (but doesn’t have to) be a “financial expert.” The names of the financial experts must be disclosed. If the firm does not have a financial expert, it must provide an explanation. A financial expert is one that possesses all of the following attributes:

1. An understanding of generally accepted accounting principles and financial statements
2. Experience in preparing, auditing, analyzing, or evaluating financial statements of the breadth and complexity expected to be encountered with the company
3. An understanding of internal controls and procedures for financial reporting
4. An understanding of audit committee functions

Question 45

What would a whistleblower’s reward be for providing original information to the SEC that led to imposed penalties of $2,000,000?

Answer 45

Answer is in the range of 10-30% of the sanctions imposed. i.e. $200,000 - $600,000

Question 46

Director Independence

Answer 46

• A director is not independent if s/he has been an employee of the corporation or an affiliate in the last 5 years (3 years for NASDAQ).
• A director is not independent if a family member has been an officer of the corporation or affiliate in the last 5 years (3 years for NASDAQ).
• A director is not independent if s/he was a former partner or employee of the corporation’s external auditor in the last 5 years (3 years for NASDAQ).
• A director is not independent if s/he or a family member in the last 3 years received more than $120,000 (for a twelve-month period) in payments from the corporation other than for director compensation.
• A director is not independent if s/he is an executive of another entity that receives significant amounts of revenue from the corporation.