Corporate Governance, Internal Control & Enterprise Risk Management Flashcards
audit committee
are members of board of directors
independent
inherent limitations
COCO
collusion (2 or more people conspire to circumvent control)
override by mgmt
cost/benefit restraint
obsolescence
Dodd-Frank Act (Wall Street Reform and Consumer Protection Act of 2010)
Dodd-Frank was passed to promote financial stability in the U.S.
improve accountability and transparency of financial systems
end "too big to fail" and end bailouts (GM, Citigroup, Chrysler)
protect consumers from abusive financial services practices
The Enterprise Risk Management–Integrating with Strategy and Performance Framework
risk-based approach designed to help management evaluate the interrelated impacts of decisions and deal with multiple risks.
It is separate from and additional to the COSO internal control framework and is a process effected by an entity’s board of directors, management, and other personnel
Codes of conduct
- must be comprehensive,
- must be periodically acknowledged by employees,
- must communicate what constitutes both proper and improper behavior,
- must provide courses of action in the event of improper behavior
Consumer Financial Protection Bureau (CFPB)
budget is financed by the Federal Reserve
housed within the Fed but operates independently
oversees most federal consumer financial protection issues (fair lending from credit cards, mortgage)
who is required to register with the SEC
hedge funds with over $150 million in assets
private equity funds with over $150 million in assets
exempt from registering with the SEC
family offices
venture capital firms
CPA that destroys documents to impede an investigation can be
fined and/or imprisoned for not more than 20 years
primary factor in measuring risk exposure is
expected value
risks are prioritized in terms of their likelihood of occurrence and their expected impact on the company. The expected value of the risk is considered important because it will be compared to the expected values of risks associated with alternative decisions in order to determine risk priority.
order of monitoring of internal control
- control baseline: understanding of how IC was designed and implemented
- identify the need to make changes
- manage the changes
- revalidate or update the baseline
Revised Model Business Corporation Act requires articles of incorporation to contain a corporation’s name and the nature and purpose of a corporation’s business
corporate name,
number of authorized shares,
name and address for the registered agent
name and address of each incorporator
nature and purpose of a corporation’s business
internal control
CRIME
Control activities, Risk assessment, Information and communication, Monitoring, control Environment
control activities
- selects and develops control activities
- selects and develops general control over technology
- deploys through policies and procedures
risk assessment
- specifies suitable objectives
- identifies and analyzes risk
- assesses fraud risk
- ID and analyzes significant change
information and communication
- use relevant information
- communicates internally
- communicates externally
monitoring
- conducts ongoing and or separate evaluations
- evaluates and communicates deficiencies
ensures that internal control continues to operate effectively by evaluating its effectiveness on an ongoing basis, using separate evaluations, or both to identify when it is not
control environment
- demonstrates commitment to integrity and ethical values
- exercise oversight responsibilities
- est. structure, authority and responsibilities
- demonstrate commitment to competence
- enforces accountability
control environment
CHOPPER
C-ommitment to competence
H-uman resource policies and practices
O-rganizational structure
P-articipation of those charged w governance
P-hilosophy of management and management's operating style
E-thical values and integrity
R-esponsibility assignment
control activities
PIPS
performance reviews (actual v. budget, financial to nonfinancial)
information processing
physical control
segregation of duties (ARCC)
ARCC
authorization
record
custody
comparison (reconciliation)
The 3 principles associated with the control activities component of internal control
- Selection and development of control activities contribute to reducing risks to the achievement of the entity’s objectives
- general controls over technology are developed to support the achievement of the entity’s objectives
- policies identify expectations and procedures convert policies into actions.
Objectives may be divided into three categories,
(1) operations objectives,
(2) reporting objectives, or
(3) compliance objectives.
insolvent
liabilities exceed assets
audit committee financial expert should have knowledge of
GAAP, financial statements, and have experience with internal accounting controls
how to dissolve a corp
Revised Model Business Corporation Act requires a recommendation from the board of directors and subsequent approval of a majority of voting shareholders to voluntarily dissolve a corporation
who must make special certification statements regarding the establishment of internal control systems on Form 10-K
Both the principal executive officer and the principal financial officer
Control activities
are the actions established by policies and procedures that help ensure that management’s directives are carried out
Monitoring activities
are processes the entity uses to determine if all components of internal control are in place and are functioning as intended
Information and communication
refer to the processes by which management obtains or generates and uses information and how it is disseminated through the entity
Risk assessment
refers to an entity’s recognition of the fact that events may occur that pose risks to the achievement of the entity’s objectives and the process that is established to identify and evaluate those risks.
greatest impact on management’s ability to make effective decisions
relevance
Relevance implies that the information is accurate, timely and useful for decision-making purposes.
Exception orientation
is the reporting of unusual items or events
inherent risk vs. residual risk
Inherent risk exists because one engages in an activity; it may be mitigated with various safeguards.
Residual risk is the risk that remains after safeguards are employed
if one takes action to reduce risk,
then the portion reduced is no longer a residual risk
if there's no safeguard to reduce risk
then inherent risk equals residual risk
Publicly-traded companies have to disclose purchases of conflict minerals that ultimately came from the Democratic Republic of Congo
If they are substantial users of conflict minerals
Title XV of Dodd-Frank Act - miscellaneous provisions
4 categories of entity objectives in the enterprise risk management (ERM) framework are:
- strategic, referring to high-level goals, supporting and aligned with the entity’s mission
- operations, referring to efficient and effective use of the entity’s resources
- reporting, referring to reliable reporting
- compliance, which refers to compliance with applicable laws and regulations.
An effective FRMP
- initiates a visible and rigorous fraud governance process,
- entails a thorough periodic fraud risk assessment, and
- responds quickly to fraud allegations.
bylaws
establish a corporation’s internal rules and procedures for corporate governance. Bylaws take effect after the corporation is created (through articles of incorporation) and generally have a larger impact on day-to-day operations.
The Volcker rule
- is named after a Federal Reserve chairman first appointed by Jimmy Carter.
- limits banking entities’ ability to engage in proprietary trading
- limits banking entities’ ownership of hedge funds and private equity funds
The COSO framework outlines four responses to risk:
- risk avoidance (not doing the activity at all to avoid the risk)
- risk sharing (buy insurance to share the risk)
- risk acceptance (taking no action and accepting the risk)
- risk reduction (doing something to reduce the risk)
SIFI
- they are systemically-important financial institutions
- required to engage in additional disclosures and risk-management practices (living wills and stress tests)
- identified by the Financial Stability Oversight Council (FSOC)
- The reference value for SIFIs is $50 billion
Title IX of Dodd-Frank Act
Title IX of the Dodd-Frank Act authorizes stockholders to vote to approve executive compensation every 3 years and to vote every 6 years to determine if voting to approve compensation every 3 years is frequent enough. It also authorizes them to vote to disapprove a “golden parachute” arrangement, although the vote is not binding
clawback provision of Dodd-Frank Act
requires executives to return some compensation if their companies undergo accounting restatements due to either unintentional mistakes or fraud
BOD
responsible for appointing the external auditor and has the authority to terminate the firm as well
can declare dividends.
Directors are appointed by the stockholders, who would also have the authority to remove a director.
a CFO or CEO who misrepresents the company’s finances may be penalized by being
imprisoned and fined
The penalties could range from $1 million and 10 years to $5 million and 20 years in prison
whistleblower bounty program
can get a monetary incentive for whistleblowing
receive 10-30% of proceeds over $1 million
TARP
troubled asset relief program
ACFE
association of certified fraud examiners
who usually uncovers fraud?
40% by whistleblowers and tips
15% by management and internal auditors
4% by external auditors
audit committee’s role includes to
(1) consider the risk of management override of controls;
(2) monitor fraud risks throughout the entity (using internal auditor or other personnel);
(3) meet privately with appropriate individuals (e.g., internal auditor, external auditors);
(4) consider reputation risk when reviewing work of management, internal auditors, and external auditors;
(5) remain cognizant of the external auditor’s responsibilities pertaining to fraud; and
(6) seek counsel when responding to allegations of fraud.
fraud losses
estimated 5% of revenue
$140k; duration of 18 months
highest impact on small entity
fraud risk management program (FRMP)
- establish governance policies
- conduct comprehensive risk assessment
- plan and execute preventative and detective control processes
- perform timely and confidential investigations
- monitor and assess the program periodically, on an ongoing basis, or both; report results and improve the processes
parties who manage fraud risk
- those charged w governance (audit committee)
- BOD
- management (CEO, CFO, COO)
- internal auditors
- employees
business processes
- initiation
- authorization
- execution
- verification
enterprise risk management (ERM)
updated in 2017 and renamed Enterprise Risk Management - Integrating with Strategy and Performance
to strategically identify events that may affect the entity and to manage those risks in accordance with the entity’s risk appetite, to provide reasonable assurance of achieving the entity’s objectives
ERM framework has 5 components (COPe RR)
COPe RR
Culture and governance
Objective setting and strategy
Performance
Review and revision
Reporting, information, and communication
Culture and governance
- exercise board risk oversight
- est. operating structures
- define desired culture
- demonstrate commitment to core values
- attracts, develops, and retains capable individuals
Objective setting and strategy
- analyze business context
- define risk appetite
- evaluates alternative strategies
- formulates business objectives
performance
- ID risk
- assess severities of risk
- prioritizes risk
- implements risk response
- develop portfolio view
review and revision
- assess substantial change
- reviews risk and performance
- pursues improvement in ERM
reporting, information and communication
- leverage information systems
- communicate risk information
- reports on risk, culture, and performance
inherent limitations of ERM
- future can't be predicted with certainty
- some events are beyond management's control; the entity may not be able to pursue all objectives to the extent desired
- no system or process, no matter how well designed, will always accomplish what it's intended to accomplish (no absolute assurance)
ERM provides reasonable assurance, not absolute, because
- decisions made depend on human judgement, which is not perfect
- systems can suffer breakdowns due to changes in personnel, technology, or failure
- collusion (segregation of duties ignored)
- cost vs. benefits
- management override