Corporate Governance

Question 1

What is the primary duty of the board of directors?

Answer 1

To monitor management behavior.

Question 2

What is the responsibility of the Nominating or Corporate Governance Committee of the board of directors?

Answer 2

Oversees the board

Responsible for hiring new CEO

Question 3

What is the responsibility of the audit committee of the board of directors?

Answer 3

The audit committee appoints and oversees the external auditor.

Question 4

What is the duty of the compensation committee of the board of directors?

Answer 4

The compensation committee handles the CEO’s compensation package.

Question 5

What does the NYSE and NASDAQ require of the board of directors?

Answer 5

They require the board to be independent.

Question 6

What is the main goal in an executive compensation package?

Answer 6

The package should ensure that the goals of management should match those of the shareholders.

Question 7

How can an executive compensation package ensure that goals of management align with those of shareholders?

Answer 7

Executive compensation should create an incentive for management to govern in a shareholder-friendly way that doesn’t sacrifice the long-term success of the enterprise for short-term gain.

Question 8

Which influences help mold the direction that management takes?

Answer 8

They range from internal (Board of Directors- Audit Committee- Internal Control) to external (Creditors- SEC- IRS)

These influences should not be tainted by undue influence from management or have financial ties to management such as compensation-related duties

Question 9

What is shirking?

Answer 9

When management doesn’t act in the best interest of shareholders.

It can be alleviated by tying compensation to stock performance or company profit.

Question 10

What requirements are imposed on a public company under Sarbanes-Oxley?

Answer 10

Management must submit a report on the effectiveness of Internal Control in the 10K.

Management must disclose significant Internal Control deficiencies.

CEO/CFO must certify that the financial statements comply with securities laws and fairly present the financial condition of the company.

Question 11

What characteristics are promoted by the COSO framework on Internal Control?

Answer 11

Reliable financial reporting

Effective and efficient operations

Compliance

Question 12

What are the elements of the control environment?

Answer 12

Integrity & Ethics
Competence
The Board of Directors & Audit Committee
Management's Operating Style
Organizational Structure
Authority & Roles of Responsibilities
HR Policies

Question 13

What are control activities?

Answer 13

A component of Internal Control that includes actions being taken to promote the control environment.

Question 14

What are the basic elements of Internal Control?

Answer 14

Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring

Question 15

What is the significance of the Information and Communication aspect of Internal Control?

Answer 15

Management must have access to relevant and timely information to make good decisions.

Question 16

How does Monitoring affect Internal Control?

Answer 16

Internal Control activities must be constantly monitored and evaluated for effectiveness.

Question 17

What activities does the COSO framework for enterprise risk management include?

Answer 17

Identifies Risk Factors
Promotes Risk Response Decisions
Compares Management Risk vs. Shareholder Goals
Aids in evaluating opportunities
Promotes Quicker Capital movement

Does NOT eliminate all risk

Question 18

What are possible responses to risk under the COSO framework for enterprise risk management?

Answer 18

Avoid or Reduce

Share or Accept

Question 19

Define the “SOX Clawback provision”.

Answer 19

This provision allows firms to reclaim incentive and bonus payments to officers that turn out to have been made based on wrongdoing by those officers.

Question 20

What does the acronym SOX mean?

Answer 20

Sarbanes-Oxley Act.

Question 21

List prohibitions observed by corporate insiders and outside auditors.

Answer 21

They must observe the following prohibitions:
fraudulent influence;
coercion;
manipulation;
and misleading.

Question 22

Pro forma financial statements must be reconciled with what?

Answer 22

They must also include comparable GAAP numbers.

Question 23

Describe the three levels of the corporate pyramid.

Answer 23

Bottom: shareholders (vote for directors);
Middle: directors (select officers and set broad policies);
Top: officers (run firm day-to-day).

Question 24

Under the Sarbanes-Oxley Act of 2002, what are the requirements and responsibilities of Audit Committees?

Answer 24

All directors must be independent;

New role: select, compensate, fire outside auditor; set up whistleblower procedures.

Question 25

Define “internal control.”

Answer 25

A process, effected by the entity’s Board of Directors, management, and other personnel, that is designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

Question 26

Define “feed-forward controls.”

Answer 26

A process in which future results are projected based on current and past information and, if the future results are undesirable, the inputs to the system are changed to avoid the projected outcome. Many inventory ordering systems are essentially feed-forward controls: the system projects product sales over the relevant time period, identifies the current inventory level, and orders inventory sufficient to fulfill the sales demand.

Question 27

Define “corrective controls.”

Answer 27

Paired with detective controls, they attempt to reverse the effects of the error or irregularity which has been detected. Examples of corrective controls include maintenance of backup files, disaster recovery plans, and insurance.

Question 28

Define “detective controls.”

Answer 28

“After the fact” controls designed to detect an error after it has occurred (though preferably before the erroneous information is used to update the database or appears in reports). Examples of detective controls include data entry edits (field checks, limit tests) and reconciliation of batch control totals.

Question 29

Define “preventive controls.”

Answer 29

“Before the fact” controls designed to stop an error or irregularity from occurring. Examples of preventive controls include locks on building and doors, password protected access to files, and segregation of duties.

Question 30

Define “application controls.”

Answer 30

Controls over specific data input, data processing, and data output activities. Designed to ensure the accuracy, completeness, and validity of transaction processing. As such, application controls have a relatively narrow focus on those accounting applications that are involved with data entry, update, and reporting.

Question 31

Define “general controls.”

Answer 31

Controls over the environment as a whole. Apply to all functions, not just specific accounting applications. General controls help ensure that data integrity is maintained.

Question 32

Define “feedback controls.”

Answer 32

A procedure in which the results of a process are evaluated and, if the results are undesirable, the process is adjusted to correct the results; most detective controls are also feedback controls.

Question 33

Define “risk assessment” (according to the COSO internal control framework).

Answer 33

One of five components of internal control. The process of identifying, analyzing and managing the risks related to achieving the organization’s objectives.

Question 34

Define “control activities” (according to the COSO internal control and ERM frameworks).

Answer 34

One of five components of internal control. Relates to the policies and procedures that ensure that organizational actions address key risks related to the achievement of management’s objectives.

Question 35

Define “control environment” (according to the COSO internal control framework).

Answer 35

One of five components of internal control. Encompasses management’s philosophy towards controls, organizational structure, system of authority and responsibility, personnel practices, and policies and procedures. The core or foundation of any system of internal control.

Question 36

Define “monitoring” (according to the COSO internal control framework).

Answer 36

One of five components of internal control. This component ensures the ongoing reliability of information and control processes by monitoring and testing the control system.

Question 37

Define “information and communications” (according to the COSO internal control framework).

Answer 37

One of five components of internal control. Enable an organization’s personnel to identify, process, and exchange the information needed to manage and control operations.

Question 38

Define competence in the context of designing internal control.

Answer 38

A commitment to attract, develop, and retain highly qualified individuals consistent with achieving organizational objectives. Includes establishing policies, assessing competencies, and planning for turnover and succession.

Question 39

Define organizational policies.

Answer 39

The organization’s control activities that establish stakeholder expectations regarding conduct and operations.

Question 40

Define inbound communications.

Answer 40

Communications with outsiders to the organization, including customers, suppliers, external auditors, regulators, financial analysts and others.

Question 41

Define accountability in the context of designing internal control.

Answer 41

Holding individuals accountable for their internal control responsibilities.

Question 42

Define risk assessment precision.

Answer 42

Whether, and the extent to which, risk can be quantified.

Question 43

Define risk assessment materiality.

Answer 43

The determination of how large of a risk poses a threat to objectives.

Question 44

Define “objective setting” (according to the COSO ERM model).

Answer 44

A company must establish objectives at four levels (strategic, operational, reporting, and compliance).

Question 45

Define “risk response” (according ot the COSE ERM model).

Answer 45

Management’s response to risk. Depends on management’s risk appetite. May include risk avoidance, reduction, sharing, or acceptance.

Question 46

Define “reporting objectives” (according to the COSO ERM model).

Answer 46

One of four organizational objectives. Information system goals related to the accuracy, completeness, timeliness, and reliability of internal and external reporting.

Question 47

Define “event identification” (according to the COSO ERM model).

Answer 47

Identifying events that might affect—either positively or negatively—the organization’s ability to meet its objectives.

Question 48

Define “operations objectives” (according to the COSO ERM model).

Answer 48

One of four organizational objectives. Goals concerned with day-to-day operating activities (i.e. sales activities, warehousing, manufacturing, etc.).

Question 49

Define “strategic objectives” (according to the COSO ERM model).

Answer 49

One of four organizational objectives. High-level goals that support the organization’s overall mission.

Question 50

Define “compliance objectives” (according to the COSO ERM model).

Answer 50

One of four organizational objectives. These are designed to ensure that the organization meets legal and regulatory requirements.

Question 51

What is meant by “the tone at the top?”

Answer 51

The extent to which top management is ethical and pro-active in establishing an ethical and moral tone and culture. Consider a counter-example: Kenneth Lay urged Enron employees to buy more Enron stock at the same time that he was selling millions of dollars in Enron stock options (called a “pump and dump” scheme).

Question 52

Define “cross-enterprise risk.”

Answer 52

A risk that occurs in multiple units in an organization. For example, a security breach that allowed unauthorized access to a system could occur at multiple sites or units within an organization. Hence, it is a “cross-enterprise” risk.

Question 53

According to COSO, what four critical accounting activities should be segregated?

Answer 53

1. Authorizing, 2. recording, 3. safeguarding, 4. reconciling, oversight and auditing.

Question 54

Define “risk appetite.”

Answer 54

According to COSO, the amount of risk exposure, or potential adverse impact from an event, that an organization chooses to accept or retain, as opposed to sharing, avoiding, reducing or eliminating the risk.

Question 55

Define “enterprise risk management.”

Answer 55

According to COSO, the methods and processes used by organizations to identify and manage the events and circumstances that influence the organization’s ability of achieve its objectives.

Question 56

Define “self-assessment.”

Answer 56

Either the person responsible for a control, or that person’s peer or supervisor, assesses control effectiveness.

Question 57

Define “competence” in relation to a control evaluator.

Answer 57

Competence refers to the evaluator’s knowledge of the controls and related processes, including how controls should operate and what constitutes a control deficiency.

Question 58

Define “compensating controls.”

Answer 58

Controls that accomplish the same objective as another control and will “compensate” for deficiencies in the first control.

Question 59

Define “timely information.”

Answer 59

Information is produced and used in a time frame that makes it possible to prevent or detect control deficiencies before they become material.

Question 60

Define “key controls.”

Answer 60

Controls that are most important to monitor in order to support a conclusion about the internal control system’s ability to manage or mitigate meaningful risks.

Question 61

Define “evaluator.”

Answer 61

An individual who monitors internal control. Must have skills, knowledge, and authority sufficient to understand risks and identify the controls needed to manage those risks. Two most important attributes are competence and objectivity.

Question 62

Define “self-review.”

Answer 62

Person responsible for a control (but not that person’s peer or supervisor) assesses control effectiveness. The least objective type of “self assessment.”

Question 63

Define “objective or objectivity.”

Answer 63

The measure of the extent of factors that might influence a person to report inaccurate or incomplete information about risks or controls.

Question 64

Define “accuracy.”

Answer 64

The degree to which information can reasonably be expected to be free from error and/or to communicate results that reflect reality.

Question 65

Define “suitable information.”

Answer 65

Must be relevant (i.e., fit for its intended purpose), reliable (i.e., accurate, verifiable and from an objective source), and timely (i.e., produced and used in an appropriate time frame).

Question 66

How does monitoring benefit corporate governance?

Answer 66

Monitoring is the core, underlying control component in the COSO ERM model. Controls degrade over time, technologies change, and people forget or get lazy. Because of this, monitoring is essential to maintaining strong internal control and effective risk management.

Question 67

Define “verifiable or verifiability.”

Answer 67

Can be established, confirmed or substantiated as true or accurate.

Question 68

Define “reliable information.”

Answer 68

Information must be accurate (see “Accuracy”), verifiable (see “Verifiable”) and from an objective source (see “Objective”).

Question 69

Define “control objectives.”

Answer 69

These provide specific targets for evaluating the effectiveness of internal control. Typically stated in terms that describe the nature of the risk to be managed or mitigated.

Question 70

Define “relevant information.”

Answer 70

Information is meaningful to assessing a risk, control, or control component.

Question 71

Define “persuasiveness of information or persuasive information.”

Answer 71

The degree to which the information provides support for conclusions. Derived from its suitability (i.e., its relevance, reliability, and timeliness) and its sufficiency.

Question 72

Define “key performance indicators.”

Answer 72

Metrics that reflect critical success factors. They help organizations measure progress towards critical goals and objectives.

Question 73

Define “key risk indicators.”

Answer 73

Forward-looking metrics that identify critical potential problems, thus enabling an organization to take timely action, if necessary.

Question 74

Name the three activities that comprise assessing and reporting on control monitoring.

Answer 74

Prioritize findings, report results as appropriate, follow up to implement corrective actions.

Question 75

Define “control baseline.”

Answer 75

A starting point for control monitoring. A control assessment that provides sufficient, persuasive information to support a conclusion about control effectiveness, either across the entire organization or in a given area.

Question 76

List the four activities that comprise the design and execution of control monitoring.

Answer 76

Prioritize risks, identify controls, identify persuasive information about controls, implement monitoring procedures.

Question 77

Define an internal control deficiency.

Answer 77

A condition requiring attention. May represent a perceived, potential or real shortcoming, or an opportunity to strengthen the system to increase the likelihood of achieving objectives.

Question 78

Define “ongoing monitoring.”

Answer 78

Activities to monitor the effectiveness of internal control in the ordinary course of operations.

Question 79

What are the three elements of establishing a foundation for control?

Answer 79

The tone at the top, organizational structure, baseline understanding of control effectiveness.

Question 80

List the three elements that constitute “Mandatory” Guidance in the Institute of Internal Auditors’ (IIA) International Professional Practices Framework.

Answer 80

Definition of Internal Auditing;
Code of Ethics;
International Standards.

Question 81

What are attribute standards?

Answer 81

These standards involve the characteristics (“attributes”) of organizations and of the individuals performing internal audit services.

Question 82

What is the purpose of “Interpretations” of the International Standards?

Answer 82

Interpretations clarify the terms/concepts within the Attribute and Performance Standards (Interpretations are an integral part of the International Standards).

Question 83

Define implementation standards.

Answer 83

These standards differentiate the requirements specifically applicable to “assurance” activities and “consulting” activities within the Attribute Standards and the Performance Standards.

Question 84

What is the distinction between “Assurance” and “Consulting” activities in internal auditing?

Answer 84

Assurance involves three parties (the process owner; the user; and the internal auditor), whereas consulting only involves two parties (the client and the internal auditor).

Question 85

List the four principles of the Institute of Internal Auditors’ (IIA) Code of Ethics (Framework for the 12 Rules of Conduct).

Answer 85

Integrity;
Objectivity;
Confidentiality;
Competency.

Question 86

What is the Institute of Internal Auditors’ (IIA) definition of internal auditing?

Answer 86

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.

Question 87

List the three elements that constitute “Strongly Recommended” Guidance in the Institute of Internal Auditors’ (IIA) International Professional Practices Framework.

Answer 87

Position papers;
Practice advisories;
Practice guides.

Question 88

List the two basic categories of standards that comprise the International Standards for the Professional Practice of Internal Auditing.

Answer 88

Attribute Standards;

Performance Standards.

Question 89

Define “Quality Assurance and Improvement Program (Standard 1300)”.

Answer 89

“The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.”

Question 90

Define “Proficiency and Due Professional Care (Standard 1200)”.

Answer 90

“Engagements must be performed with proficiency and due professional care.”

Question 91

Define “Purpose, Authority, and Responsibility (Standard 1000)”.

Answer 91

“The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.”

Question 92

Define “Independence and Objectivity (Standard 1100)”.

Answer 92

“The internal audit activity must be independent, and internal auditors must be objective in performing their work.”

Question 93

List the four primary themes of Attribute Standards.

Answer 93

Purpose, Authority, and Responsibility.
Independence and Objectivity.
Proficiency and Due Professional Care.
Quality Assurance and Improvement Program.

Question 94

Define the “Resolution of Senior Management’s Acceptance of Risks (Standard 2600)”.

Answer 94

“When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution.”

Question 95

Define “Communicating Results (Standard 2400)”.

Answer 95

“Internal auditors must communicate the results of engagements.”

Question 96

Define “Nature of Work (Standard 2100)”.

Answer 96

“The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes, using a systematic and disciplined approach.”

Question 97

Define “Managing the Internal Audit Activity (Standard 2000)”.

Answer 97

“The chief audit executive must effectively manage the internal audit activity to ensure that it adds value to the organization.”

Question 98

Define “Engagement Planning (Standard 2200)”.

Answer 98

“Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations.”

Question 99

Define the “Monitoring Progress (Standard 2500)”.

Answer 99

“The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.”

Question 100

Define “Performing the Engagement (Standard 2300)”.

Answer 100

“Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives.”

Question 101

List the seven primary themes of Performance Standards.

Answer 101

(1) Managing the Internal Audit Activity; (2) Nature of Work; (3) Engagement Planning; (4) Performing the Engagement; (5) Communicating Results; (6) Monitoring Progress; and (7) Resolution of Senior Management’s Acceptance of Risks.