Corporate Governance Flashcards
What is the primary duty of the board of directors?
To monitor management behavior.
What is the responsibility of the Nominating or Corporate Governance Committee of the board of directors?
Oversees the board
Responsible for hiring new CEO
What is the responsibility of the audit committee of the board of directors?
The audit committee appoints and oversees the external auditor.
What is the duty of the compensation committee of the board of directors?
The compensation committee handles the CEO’s compensation package.
What do the NYSE and NASDAQ require of the board of directors?
They require the board to be independent.
What is the main goal in an executive compensation package?
The package should ensure that the goals of management match those of the shareholders.
How can an executive compensation package ensure that goals of management align with those of shareholders?
Executive compensation should create an incentive for management to govern in a shareholder-friendly way that doesn’t sacrifice the long-term success of the enterprise for short-term gain.
Which influences help mold the direction that management takes?
They range from internal (Board of Directors, Audit Committee, Internal Control) to external (Creditors, SEC, IRS).
These influences should not be tainted by undue influence from management, nor have financial ties to management such as compensation-related duties.
What is shirking?
When management doesn’t act in the best interest of shareholders.
It can be alleviated by tying compensation to stock performance or company profit.
What requirements are imposed on a public company under Sarbanes-Oxley?
Management must submit a report on the effectiveness of Internal Control in the 10-K.
Management must disclose significant Internal Control deficiencies.
CEO/CFO must certify that the financial statements comply with securities laws and fairly present the financial condition of the company.
What characteristics are promoted by the COSO framework on Internal Control?
Reliable financial reporting
Effective and efficient operations
Compliance
What are the elements of the control environment?
Integrity & Ethics
Competence
The Board of Directors & Audit Committee
Management's Operating Style
Organizational Structure
Authority & Roles of Responsibilities
HR Policies
What are control activities?
A component of Internal Control that includes actions being taken to promote the control environment.
What are the basic elements of Internal Control?
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
What is the significance of the Information and Communication aspect of Internal Control?
Management must have access to relevant and timely information to make good decisions.
How does Monitoring affect Internal Control?
Internal Control activities must be constantly monitored and evaluated for effectiveness.
What activities does the COSO framework for enterprise risk management include?
Identifies Risk Factors
Promotes Risk Response Decisions
Compares Management Risk vs. Shareholder Goals
Aids in evaluating opportunities
Promotes Quicker Capital movement
Does NOT eliminate all risk
What are possible responses to risk under the COSO framework for enterprise risk management?
Avoid or Reduce
Share or Accept
Risk Management
Risk Management is the internal audit activity that evaluates the effectiveness and contributes to the improvement of management processes.
Methods laid down for internal controls are:
The methods laid down for internal controls are:
Risk assessment
Monitoring of controls
Control Testing
The chief executive officer and the chief financial officer generally meet with … to determine the effectiveness of identification and communication of important information relative to financial disclosures
Including …
The chief executive officer and the chief financial officer generally meet with many people to determine the effectiveness of identification and communication of important information relative to financial disclosures, including independent auditors and legal counsel.
The signing officers must certify that they
The signing officers must certify that they have reviewed all required reports and, based on their knowledge, all reports are materially accurate, with no false statements or misleading omissions, and the financial information is presented fairly, including the financial statements, footnotes, and management’s discussion and analysis.
The COSO definition of ERM
The COSO definition of enterprise risk management is: “A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Different kinds of risks
Risk reduction is the implementation of some compensating or mitigating control to offset the risk of an activity.
Risk avoidance is choosing not to engage in an activity.
Risk sharing is sharing the risk with another entity.
Risk acceptance is retaining a risk because it is deemed appropriate.
Risk Assessment
Risk assessment is the dynamic and iterative process for identification, analysis, and management of risks. Risks include external and internal factors such as changes in operating environment, new personnel, new or revamped information systems, rapid growth, new technology, new business models / products / activities, corporate restructurings, foreign operations, new accounting pronouncements, changes in economic conditions etc. A risk assessment component addresses the need to respond in an organized manner to significant changes resulting from international exposure, acquisitions or executive transitions.
The Sarbanes-Oxley Act is intended to strengthen
There is no way to ensure the enforcement of relevant laws and regulations. The Sarbanes-Oxley Act is intended to strengthen the enforcement of relevant laws and regulations, regulate the auditors of public companies, enhance corporate reporting and disclosure, and clarify sound corporate governance.
Monitoring
Approval of high-dollar transactions by supervisors is authorizing, not monitoring. Monitoring includes evaluation processes and initiating corrective actions. Follow-up on complaints, periodic analysis of variances, and comparisons of information from diverse sources all are monitoring activities.
Which of the following would least likely be a limitation existing in a sound system of internal controls over financial reporting?
Incompatible Duties
A system can be designed with no one employee performing incompatible duties. However, collusion, management override, or errors in judgment cannot be eliminated entirely, even from a sound system of internal control.
Validating Company Level controls
Validating company-level controls generally includes periodic discussions with key management, reviewing company-wide policies, and reviewing company planning and budgeting reports. Application controls are not company-level controls; they are unlikely to be tested to validate company-level controls.
ERM Framework
Principles-based approach that can be applied across global markets and provides greater risk and performance transparency.
A major emphasis in the 2017 framework is risk, performance measurement, and transparency as related to global markets, given the current landscape of the world economy.
It’s a principles-based framework for boards and management in entities of all sizes. COSO’s Internal Control framework provides a control-based approach to an organization.
The ERM framework does not replace the COSO internal control framework, and it is not a subjective approach to profit-sharing; rather, it is an approach to risk management.
Primary Control
Primary controls are activities that are critical to mitigation of risk and the ultimate achievement of one or more financial reporting assertions for each significant account balance.
Secondary Control
Secondary controls are activities that contribute to the mitigation of risk and the ultimate achievement of one or more financial reporting assertions, but are not considered as important as primary controls.
A Significant Deficiency
A significant deficiency is a deficiency, or combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness.
Internal Control Deficiency
A deficiency in internal controls is significant if it could adversely affect the company’s financial reporting process and the critical processes that feed data and information to the financial reporting process.
Under SEC rules, external auditors are permitted to assist management in the evaluation of internal controls by
Under SEC rules, external auditors may prepare or gather information, as long as the client management directs the process, including deciding which controls to document. Management is ultimately responsible for documenting internal controls and must be actively involved in the process. Restructuring the controls or deciding on which suggestions to implement would impair the auditor’s independence.
According to COSO, a primary purpose of monitoring internal control is to verify that the internal control system remains adequate to address changes in
Risks
According to COSO, a primary purpose of monitoring internal control is to verify that the internal control system remains adequate to address changes in risk. An organization achieves its objectives through effective monitoring of internal control. One of the primary objectives of monitoring is to evaluate
(1) whether management reconsiders the design of controls when risks change, and
(2) whether controls that have been designed to reduce risks to an acceptable level continue to operate effectively.
Audit Committee Responsibilities
The audit committee
1) oversees the financial reporting process,
2) monitors the choice of accounting policies and principles, and is
3) responsible for the appointment, compensation, and oversight of the external auditors.
The external auditors plan and approve their audit plan.
Corporate Governance includes
Corporate governance is the framework of rules and practices which ensures accountability, fairness, and appropriate disclosure in a corporation’s relationship with all its stakeholders. This framework consists of explicit and implicit contracts with owners, creditors, customers, employees, government, and the community.
Which of the following activities is least relevant to internal control over financial reporting?
While important, employee development is least relevant of these items to internal control. The segregation of duties is a control activity relevant to internal control over financial reporting. Duties are segregated by their relationship to recordkeeping (information processing), custody of assets (physical controls) and authorization.
The chief executive officer and chief financial officer must certify that they have done all of the following except
Disclosed all changes in internal control over financial reporting in the certification report
The chief executive officer (CEO) and chief financial officer (CFO) need to disclose changes that have a material effect on internal control over financial reporting (ICOFR). Changes in internal control that have an immaterial effect need not be disclosed. The CEO and CFO must certify that they have verified that properly designed disclosure controls and procedures have been implemented to ensure awareness of material information. The CEO and CFO must certify that they have verified that properly designed ICOFR was implemented. The CEO and CFO must certify that they have evaluated the effectiveness of the disclosure controls and procedures and presented their conclusions.
Executive Directors
Managers who are also directors are often called executive directors.
Which of the following statements is correct regarding the requirements of the Sarbanes-Oxley Act of 2002 for an issuer’s board of directors?
According to the Sarbanes-Oxley Act of 2002, the board of directors must have an audit committee entirely composed of members who are independent of management influence. Only the Audit Committee and Compensation Committee should be independent. As per SOX Title III, Section 301, an independent audit committee is responsible for the appointment, compensation, and oversight of any audit work performed by the audit firm.
The four categories of entity objectives in the ERM framework are:
The four categories of entity objectives in the ERM framework are:
Strategic – High-level goals aligned with and supporting the entity’s mission
Operations – Effective and efficient use of the entity’s resources
Reporting – Reliability of reporting
Compliance – Compliance with applicable laws and regulations
Implementation of internal controls is part of the internal control framework and process.
Within the COSO Internal Control—Integrated Framework, which of the following principles is designed to ensure that internal controls continue to operate effectively?
Monitoring is a process that evaluates the quality of internal control performance over time by ensuring that internal controls continue to operate effectively as designed.
Control environment, risk assessment and information and communication are intended to ensure that internal controls are implemented correctly.
Fiduciary duties
Fiduciary duties of directors can be broadly classified into two categories: the duty of care and the duty of loyalty. Duty of care implies making informed decisions by participating actively in the decision-making process. Duty of loyalty implies acting in the best interest of the corporation and its stockholders by setting aside personal interests in favor of those of the corporation and its shareholders.
Control Activities, Risk Assessment, Information & Communication, Monitoring, Control Environment
Control activities are those policies and procedures established to provide reasonable assurance that management decisions are executed, including providing for the physical security of assets.
Risk assessment is an entity’s identification, analysis, and management of risks relevant to the preparation of financial statements.
Information and communication refers to the identification, retention, and transfer of information in a timely manner enabling personnel to execute their responsibilities.
Monitoring is a process that evaluates the quality of internal control performance over time by ensuring that internal controls continue to operate effectively as designed.
The control environment establishes the overall attitude, awareness, and actions concerning the importance and emphasis of internal control in the entity.
Primary Controls, Secondary Controls, Material Weakness, Significant Deficiency, Deficiency
Primary controls are activities that are critical to mitigation of risk and the ultimate achievement of one or more financial reporting assertions for each significant account balance.
Secondary controls are activities that contribute to the mitigation of risk and the ultimate achievement of one or more financial reporting assertions, but are not considered as important as primary controls.
A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis by employees in the normal course of performing their assigned functions.
A significant deficiency is a deficiency, or combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness.
A deficiency in internal controls is significant if it could adversely affect the company’s financial reporting process and the critical processes that feed data and information to the financial reporting process.
Which group is best suited to oversee the change control process?
The audit committee oversees the change control process because it can hold management accountable for taking the appropriate action and implementing the change. As an independent party, the audit committee is best suited for this oversight role.
Validating company-level controls generally includes the following steps except
Reviewing company planning and budgeting reports
Application controls are not company-level controls; they are unlikely to be tested to validate company-level controls. Validating company-level controls generally includes periodic discussions with key management, reviewing company-wide policies, and reviewing company planning and budgeting reports.
4 ways to deal with risks
There are four ways an entity can deal with risk. First is risk sharing, such as through joint ventures. Second is risk acceptance, which is accepting the project or activity as is, with the belief that current levels of risk are manageable and acceptable. Third is risk avoidance, where an entity declines to proceed with the project. Fourth is risk reduction, where an entity takes certain actions in order to reduce the level of risk. Relocating production facilities is an example of reducing the risk of local raw material shortages. Risk acceptance typically results in no change from the status quo. Risk sharing typically involves another entity.
Internal Control is designed to
Internal control is a process designed to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
ERM comprises
Enterprise risk management encompasses:
Aligning risk appetite and strategy – Management’s consideration of the entity’s risk appetite in evaluating alternative strategies, setting related objectives, and developing means and mechanisms to manage related risks.
Enhancing risk response decisions – To decide amongst risk avoidance, reduction, sharing, and acceptance.
Reducing operational surprises and losses
Identifying and managing multiple and cross-enterprise risks
Seizing opportunities – Capitalize on available opportunities.
Improving deployment of capital – Effective and optimal capital allocation and use.
An entity’s strategy for dealing with the risk at hand is to develop a risk appetite rather than simply to decrease risk, since the premium for bearing risk is higher returns.