Corporate Governance

Question 1

What is the primary duty of the board of directors?

Answer 1

To monitor management behavior.

Question 2

What is the responsibility of the Nominating or Corporate Governance Committee of the board of directors?

Answer 2

Oversees the board

Responsible for hiring new CEO

Question 3

What is the responsibility of the audit committee of the board of directors?

Answer 3

The audit committee appoints and oversees the external auditor.

Question 4

What is the duty of the compensation committee of the board of directors?

Answer 4

The compensation committee handles the CEO’s compensation package.

Question 5

What does the NYSE and NASDAQ require of the board of directors?

Answer 5

They require the board to be independent.

Question 6

What is the main goal in an executive compensation package?

Answer 6

The package should ensure that the goals of management should match those of the shareholders.

Question 7

How can an executive compensation package ensure that goals of management align with those of shareholders?

Answer 7

Executive compensation should create an incentive for management to govern in a shareholder-friendly way that doesn’t sacrifice the long-term success of the enterprise for short-term gain.

Question 8

Which influences help mold the direction that management takes?

Answer 8

They range from internal (Board of Directors- Audit Committee- Internal Control) to external (Creditors- SEC- IRS)

These influences should not be tainted by undue influence from management or have financial ties to management such as compensation-related duties

Question 9

What is shirking?

Answer 9

When management doesn’t act in the best interest of shareholders.

It can be alleviated by tying compensation to stock performance or company profit.

Question 10

What requirements are imposed on a public company under Sarbanes-Oxley?

Answer 10

Management must submit a report on the effectiveness of Internal Control in the 10K.

Management must disclose significant Internal Control deficiencies.

CEO/CFO must certify that the financial statements comply with securities laws and fairly present the financial condition of the company.

Question 11

What characteristics are promoted by the COSO framework on Internal Control?

Answer 11

Reliable financial reporting

Effective and efficient operations

Compliance

Question 12

What are the elements of the control environment?

Answer 12

Integrity & Ethics
Competence
The Board of Directors & Audit Committee
Management’s Operating Style
Organizational Structure
Authority & Roles of Responsibilities
HR Policies

Question 13

What are control activities?

Answer 13

A component of Internal Control that includes actions being taken to promote the control environment.

Question 14

What are the basic elements of Internal Control?

Answer 14

Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring

Question 15

What is the significance of the Information and Communication aspect of Internal Control?

Answer 15

Management must have access to relevant and timely information to make good decisions.

Question 16

How does Monitoring affect Internal Control?

Answer 16

Internal Control activities must be constantly monitored and evaluated for effectiveness.

Question 17

What activities does the COSO framework for enterprise risk management include?

Answer 17

Identifies Risk Factors
Promotes Risk Response Decisions
Compares Management Risk vs. Shareholder Goals
Aids in evaluating opportunities
Promotes Quicker Capital movement

Does NOT eliminate all risk

Question 18

What are possible responses to risk under the COSO framework for enterprise risk management?

Answer 18

Avoid or Reduce

Share or Accept”

Question 19

What are the EIGHT COMPONENTS OF COSO ERM FRAMEWORK

Answer 19

Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
There are eight components of COSO's ERM framework:

1. Internal environment. The people in a business and the environment in which they operate are the foundation for all other ERM components.
2. Objective setting. Management must put into place a process to formulate objectives in order to help the company assess and respond to risks.
3. Event identification. Certain events can affect the company’s ability to implement its strategy and achieve its objectives. Management must identify these events and determine whether they represent risks or opportunities.
4. Risk assessment. Identified risks are evaluated to determine how they affect the company’s ability to achieve its objectives and how to manage them. Both qualitative and quantitative methods are used to assess risks.
5. Risk response. Management can choose to avoid, reduce, share, or accept risks after careful analysis.
6. Control activities. To ensure that management’s risk responses are effectively carried out, policies and procedures should be implemented.
7. Information and communication. Information about ERM components needs to be communicated through all levels of the company and with external parties.
8. Monitoring. ERM processes must be monitored, deficiencies reported to management, and modifications performed when required.

Question 20

Sarbanes Oxley definition of an audit committee financial expert

Answer 20

The Sarbanes-Oxley Act of 2002 explains that a financial expert must have experience with

  internal accounting controls, 
  an understanding of generally accepted accounting standards, 

and experience with the preparation or auditing of financial statements of generally comparable issuers.

Question 21

Change Control Process 5 steps

Answer 21

The change control process should never be released without testing. The procedures for a well-defined change control process would include the following:

1. Change control board approves the change and assigns a project manager.
2. Project manager makes sure all paperwork has been received and approved.
3. Project manager sets up schedules for all personnel involved.
4. The projects are completed.
5. Changes are tested and approved before release.

Question 22

Which of the following is most useful when risk is being prioritized?

A. Low- and high-probability exposures

B. Low- and high-degree loss exposures

C. Expected value

D. Uncontrollable risks

Answer 22

EXPECTED VALUE IS THE ANSWER
Expected value is the sum of the outcomes (payoff) of each event multiplied by the probability of each event occurring. It combines the likelihood of each outcome with the payoff of that outcome, and so is a way of prioritizing alternatives while considering risk. None of the other answer choices consider both the likelihood and payoff of each alternative course of action.

Expected value is the mean or average value of a random variable over an infinite number of outcomes. It is calculated by weighting the value of each possible outcome by its probability and summing over all values.

Question 23

Explain COSO - “Control Environment”

Answer 23

According to AU-C 315.A78, the control environment is as follows: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

Question 24

Integrated Test Facility

Answer 24

An integrated test facility allows an auditor to introduce test data (simulated files) into an actual processing run to test the processing of that data. This provides evidence about operating effectiveness of the software.

“Controlled reprocessing” is incorrect because reprocessing the same data again with the same software provides no new information. “Input validation” is incorrect because input validation is a control that improves the accuracy of data entry, but does not provide information about control effectiveness. “Program code checking” is incorrect because manual program code checking in a complex system is a difficult task, sometimes impossible, which is more efficiently done by using test data in an integrated test facility.

A company may process most of its business transactions through an electronic data processing (EDP) system. In such case, the controls over the processing must be adequate to safeguard assets and provide reliability in the output produced. One of the methods of testing the controls over the processing is with an integrated test facility.

In an integrated test facility, test data is developed and integrated into the live processing of actual data resulting from business transactions. By assessing the results of the test data at the same time this data is processed with actual data, the auditor can help ensure that the data processed was reliable.

Question 25

Control Environment

Answer 25

The control environment created by management sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

To foster an organizational culture based on integrity and ethical values, management should encourage and reward honesty; actively teach and practice integrity; establish policies that clearly and explicitly describe honest and dishonest behaviors, especially for uncertain (i.e., gray areas) or unclear issues such as conflicts of interest and accepting gifts; thoroughly investigate all dishonest acts; promptly dismiss and/or prosecute employees found guilty of dishonesty; and require employees to report any incidents of dishonest, illegal, or unethical acts and discipline employees who knowingly fail to report violations.

Establishing an effective tone at the top is not related to adherence to fiscal budgets and goals.

According to AU-C 315.A78, the control environment is as follows: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

Question 26

Explain the Directors’ duty to the Corporation

Answer 26

The board of directors is the governing body of a corporation, elected by and accountable to the shareholders in a business. and has a Duty of Loyalty Duty of loyalty is a fiduciary obligation to place the interest of the corporation above personal interests.

The Board of Directors should maintain an attitude of independence from top management in order to help with the checks and balances on the actions taken by the CEO and CFO. The Board is usually organized into committees to accomplish:

a. setting up compensation for board members and corporate officers.
b. establish and communicate a code of conduct.
c. reviewing significant management decisions.
d. designing and enforcing effective internal control procedures.
e. managing internal and external audits.

Question 27

Risk Assessment

Answer 27

Risk assessment is a systematic process of evaluating the potential risks that are involved in an audit or attestation engagement.

Risk assessment is one of the five components of internal control and the second level of the COSO pyramid depicting the structure of internal control. It is the identification and analysis of the risks that an entity faces in achieving its objectives and the determination of how those risks will be managed. All entities face risks from both internal and external sources. To be able to perform a risk assessment, the entity must have established its objectives.

Question 28

Two types of I/C Risk

Answer 28

There are two types of risk. Inherent risk is the risk that exists before management takes any steps to control the likelihood or impact of a risk. Residual risk is the risk that remains after management reacts to the risk, such as by implementing internal controls.

An internal control risk assessment has six steps and is performed as follows.

Identify threats. Companies face the following types of threats:

a. Strategic (doing the wrong things)
b. Operating (doing the right things, but in the wrong way)
c. Financial (financial resources are lost, wasted, or stolen; inappropriate liabilities are incurred)
d. Information (incorrect input data, faulty or irrelevant stored information, an unreliable system, incorrect or misleading reports)

Question 29

What is “Estimate” Risk and Exposure?

Answer 29

Estimate risk, which is a measure of how likely an error is to occur. Errors are more likely than fraud.

Estimate exposure, which is a measure of the magnitude of an error. For example, there is a small risk of an earthquake, but the exposure is enormous if it destroys the information system.

Question 30

Change Identification

Answer 30

To “identify and address changes” is part of change identification even on an ongoing basis.

Question 31

Written Policy and Procedure Magazine should contain;

Answer 31

a written policy and procedures manual that:

(1) explains proper business practices.
(2) documents how transactions and errors are to be processed and handled.
(3) contains the chart of accounts.
(4) contains example copies of forms and documents.
(5) can be used to train new and existing employees.

Question 32

Ways High-level corporate executives should make individual departments or individuals responsible for specific business objectives or processes and then hole them accountable. They can do the following:

Answer 32

Enforces Accountability.. High-level corporate executives should make individual departments or individuals responsible for specific business objectives or processes and then hold them accountable. They can do this with:

a. formal job descriptions.
b. a formal code of conduct that covers ethical behavior standards, conflicts of interest, acceptable business practices, and regulatory requirements.
c. a written policy and procedures manual that:
(1) explains proper business practices.
(2) documents how transactions and errors are to be processed and handled.
(3) contains the chart of accounts.
(4) contains example copies of forms and documents.
(5) can be used to train new and existing employees.
d. employee training programs.
e. operating plans, schedules, and budgets.

Question 33

According to COSO, which of the following is a compliance objective?

A.
To maintain adequate staffing to keep overtime expense within budget

B.
To maintain a safe level of carbon dioxide emissions during production

C.
To maintain material price variances within published guidelines

Incorrect D.
To maintain accounting principles that conform to GAAP

Answer 33

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the internal control structure provides reasonable assurance that business objectives are achieved in three areas: operations, financial reporting, and compliance with applicable laws and regulations, which fits the answer choice “to maintain a safe level of carbon dioxide emissions during production.” OSHA regulations requiring a safe workplace cover the maintenance of a safe level of emissions to protect workers. The other answer choices refer to the COSO objectives of operating effectiveness/efficiency and financial statement reliability.

Question 34

ERM objectives.

Answer 34

It expands on the elements of the internal control integrated framework and is much more comprehensive. The objective is to achieve all the goals of the control framework and help the organization to:

a. attain reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized,
b. continuously assess risks and identify the appropriate action to take and the resources to allocate to overcome or mitigate risk,
c. achieve its financial and performance targets, and
d. avoid adverse publicity and damage to the entity’s reputation.

Question 35

Eight Components of Coso and definitions

Answer 35

There are eight components of COSO’s ERM framework:

1. Internal environment. The people in a business and the environment in which they operate are the foundation for all other ERM components.
2. Objective setting. Management must put into place a process to formulate objectives in order to help the company assess and respond to risks.
3. Event identification. Certain events can affect the company’s ability to implement its strategy and achieve its objectives. Management must identify these events and determine whether they represent risks or opportunities.
4. Risk assessment. Identified risks are evaluated to determine how they affect the company’s ability to achieve its objectives and how to manage them. Both qualitative and quantitative methods are used to assess risks.
5. Risk response. Management can choose to avoid, reduce, share, or accept risks after careful analysis.
6. Control activities. To ensure that management’s risk responses are effectively carried out, policies and procedures should be implemented.
7. Information and communication. Information about ERM components needs to be communicated through all levels of the company and with external parties.
8. Monitoring. ERM processes must be monitored, deficiencies reported to management, and modifications performed when required.

Question 36

IA International Standards for the Professional Practice of Internal Auditing 2130

Answer 36

Internal auditors are required by the International Standards for the Professional Practice of Internal Auditing (set forth by the IIA, Institute of Internal Auditors) to assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. Internal auditors do not act as management by implementing control activities. In fact, they are prohibited from doing so and must remain independent. Internal auditors cannot assess operations for which they have been responsible.

They can evaluate internal control effectiveness
They can evaluate internal control efficiency
They can promote continuous improvement
They CANNOT implement internal controls.

Question 37

According to COSO, the four categories of entity objectives in the enterprise risk management framework include each of the following, except:

A.
effective and efficient use of the entity’s resources.

B.
compliance with applicable laws and regulations.

C.
implementation of internal controls.

Incorrect D.
reliability of reporting.

Answer 37

The four categories of entity objectives in the enterprise risk management framework are:

strategic (high-level goals, aligned with and supporting the entity’s mission),
operations (effective and efficient use of its resources),
reporting (reliability of reporting), and
compliance (compliance with applicable laws and regulations).

The actual implementation of internal controls is not one of the entity objectives.

Question 38

Which component of Coso Internal Control is designed to ensure that IC continues to operate effectively?

Answer 38

“Monitoring”of controls assesses the quality of internal control performance over time, including assessing the design and operation of controls on a timely basis and taking necessary corrective actions.

Question 39

Purpose of organizational structure and why is it important?

Answer 39

To define lines of authority, Organizational structures help no one unless they are well-defined. The structure helps define lines of authority, so an organization does not have too many people in management. This structure creates working relationships between the various employees in the organization.

Question 40

What is Controlled Reprocessing

Answer 40

uses same data again with the same software provides no new information.

Question 41

What is Input Validation?

Answer 41

Input validation is a control that improves the accuracy of data entry, but does not provide information about control effectiveness.

Question 42

Role of Internal Auditor includes

Answer 42

Giving assurance that the risks of the organization are properly evaluated.

Evaluating the risk-management process.

Coordinating ERM activities.

In large organization the IA will report directly to BOD.