Corporate Rights, Responsibilities, & Authority Flashcards

1
Q

Describe the three levels of the corporate pyramid.

A

Bottom: shareholders (elect the directors); Middle: directors (select the officers and set broad policy); Top: officers (run the firm day-to-day).

2
Q

Pro forma financial statements must be reconciled with what?

A

They must be reconciled with the corresponding GAAP figures: any pro forma presentation must include the comparable GAAP numbers and a reconciliation of the two.

3
Q

What does the acronym SOX mean?

A

Sarbanes-Oxley Act.

4
Q

Under the Sarbanes-Oxley Act of 2002, what are the requirements and responsibilities of Audit Committees?

A

All audit committee members must be independent directors; new role: select, compensate, oversee, and if necessary dismiss the outside auditor; establish whistleblower procedures for receiving and handling complaints about accounting and auditing matters.

5
Q

List prohibitions observed by corporate insiders and outside auditors.

A

Officers, directors, and anyone acting under their direction may not fraudulently influence, coerce, manipulate, or mislead the outside auditor in the course of the audit (SOX Section 303).

6
Q

Define the “SOX Clawback provision”.

A

This provision (SOX Section 304) requires the CEO and CFO to reimburse the firm for bonuses, incentive-based compensation, and profits from stock sales received in the 12 months following a financial statement that is later restated because of misconduct.

7
Q

Define “preventive controls”.

A

“Before the fact” controls designed to stop an error or irregularity from occurring. Examples of preventive controls include locks on buildings and doors, password-protected access to files, and segregation of duties.

8
Q

Define “feedback controls”.

A

A procedure in which the results of a process are evaluated and, if the results are undesirable, the process is adjusted to correct the results; most detective controls are also feedback controls.

9
Q

Define “general controls”.

A

Controls over the environment as a whole. Apply to all functions, not just specific accounting applications. General controls help ensure that data integrity is maintained.

10
Q

Define “corrective controls”.

A

Paired with detective controls, they attempt to reverse the effects of the error or irregularity which has been detected. Examples of corrective controls include maintenance of backup files, disaster recovery plans, and insurance.

11
Q

Define “detective controls”.

A

“After the fact” controls designed to detect an error after it has occurred (though preferably before the erroneous information is used to update the database or appears in reports). Examples of detective controls include data entry edits (field checks, limit tests) and reconciliation of batch control totals.

12
Q

Define “feed-forward controls”.

A

A process in which future results are projected based on current and past information and, if the future results are undesirable, the inputs to the system are changed to avoid the projected outcome. Many inventory ordering systems are essentially feed-forward controls: the system projects product sales over the relevant time period, identifies the current inventory level, and orders inventory sufficient to fulfill the sales demand.

13
Q

Define “internal control”.

A

A process, effected by the entity’s Board of Directors, management, and other personnel, that is designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

14
Q

Define “application controls”.

A

Controls over specific data input, data processing, and data output activities. Designed to ensure the accuracy, completeness, and validity of transaction processing. As such, application controls have a relatively narrow focus on those accounting applications that are involved with data entry, update, and reporting.
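The detective and application controls described in the preceding cards (field checks, limit tests, and reconciliation of batch control totals) are concrete enough to show in code. The following is an added example, not part of the flashcard set: it validates a constructed batch of payroll records with a field check and a limit test, then reconciles the batch against control totals the submitter prepared independently, so an error is caught before anything is posted to the master file. The record layout, the 80-hour limit, and the sample batches are assumptions made for the illustration.

```python
"""Added example: detective application controls over a constructed payroll batch.

Input edits (field check, limit test) run per record; a batch control total
reconciliation then runs over the whole batch. Nothing is posted unless all pass.
"""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PayRecord:
    employee_id: str   # field check: exactly six decimal digits (assumed layout)
    hours: Decimal     # limit test: 0 <= hours <= MAX_HOURS per pay period
    rate: Decimal      # hourly rate, must be positive


@dataclass(frozen=True)
class ControlTotals:
    record_count: int     # how many records the submitter says are in the batch
    hash_total: int       # sum of employee_id values; meaningless as a number, but
                          # detects a substituted or dropped employee
    hours_total: Decimal  # amount total over the hours field


MAX_HOURS = Decimal("80")  # assumed limit for one pay period


def field_check(rec: PayRecord) -> list[str]:
    """Field check: employee_id must be numeric and six characters long."""
    if rec.employee_id.isdigit() and len(rec.employee_id) == 6:
        return []
    return [f"{rec.employee_id}: employee_id fails field check"]


def limit_test(rec: PayRecord) -> list[str]:
    """Limit test: hours must lie in [0, MAX_HOURS]; rate must be positive."""
    errs = []
    if not (Decimal(0) <= rec.hours <= MAX_HOURS):
        errs.append(f"{rec.employee_id}: hours {rec.hours} outside 0..{MAX_HOURS}")
    if rec.rate <= 0:
        errs.append(f"{rec.employee_id}: rate {rec.rate} must be positive")
    return errs


def compute_totals(records: list[PayRecord]) -> ControlTotals:
    """Recompute control totals from the records actually received."""
    return ControlTotals(
        record_count=len(records),
        hash_total=sum(int(r.employee_id) for r in records if r.employee_id.isdigit()),
        hours_total=sum((r.hours for r in records), Decimal(0)),
    )


def reconcile_batch(records: list[PayRecord], submitted: ControlTotals) -> list[str]:
    """Batch control total reconciliation: recomputed totals must equal submitted ones."""
    actual = compute_totals(records)
    errs = []
    if actual.record_count != submitted.record_count:
        errs.append(f"record count {actual.record_count} != control {submitted.record_count}")
    if actual.hash_total != submitted.hash_total:
        errs.append(f"hash total {actual.hash_total} != control {submitted.hash_total}")
    if actual.hours_total != submitted.hours_total:
        errs.append(f"hours total {actual.hours_total} != control {submitted.hours_total}")
    return errs


def validate_batch(records: list[PayRecord], submitted: ControlTotals) -> tuple[bool, list[str]]:
    """Run every input edit and the batch reconciliation; return (accepted, errors)."""
    errs: list[str] = []
    for rec in records:
        errs += field_check(rec)
        errs += limit_test(rec)
    errs += reconcile_batch(records, submitted)
    return (not errs, errs)


# Constructed sample batch of three records, as keyed by the data-entry clerk.
GOOD_BATCH = [
    PayRecord("100234", Decimal("40"), Decimal("25.00")),
    PayRecord("100235", Decimal("38.5"), Decimal("31.50")),
    PayRecord("100236", Decimal("42"), Decimal("19.75")),
]
# Control totals prepared independently from the source documents.
GOOD_TOTALS = ControlTotals(record_count=3, hash_total=300705, hours_total=Decimal("120.5"))

# Same batch with two keying errors (hours 400 for 40; letter O for zero in an id)
# and one record dropped; the control totals still describe the original batch.
BAD_BATCH = [
    PayRecord("100234", Decimal("400"), Decimal("25.00")),
    PayRecord("1OO235", Decimal("38.5"), Decimal("31.50")),
]

if __name__ == "__main__":
    for name, batch in (("good", GOOD_BATCH), ("bad", BAD_BATCH)):
        ok, errs = validate_batch(batch, GOOD_TOTALS)
        print(name, "accepted" if ok else "rejected", errs)
```

The hash total is the control that catches the substituted employee id: neither the record count nor the hours total would change if a valid id were replaced by another valid id, but the sum of ids would.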

15
Q

Define “compliance objectives” (as outlined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management - Integrated Framework).

A

Goals designed to ensure that the organization meets all legal and regulatory requirements. Compliance objectives are one of four organizational objectives, according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management - Integrated Framework.

16
Q

Define “control activities” (as outlined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework).

A

One of five components of internal control, according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model. This component relates to the policies and procedures that ensure that actions are taken to address the risks related to the achievement of management’s objectives.

17
Q

Define “operations objectives” (as outlined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management - Integrated Framework).

A

Goals that deal with the day-to-day operating activities of the organization (e.g., sales, warehousing, manufacturing). Operations objectives are one of four organizational objectives, according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management - Integrated Framework.

18
Q

Define “risk assessment” (as outlined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework).

A

One of five components of internal control, according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model. Risk assessment is a process of identifying, analyzing and managing the risks in achieving the organization’s objectives.

19
Q

Define “risk response” (as identified in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management model).

A

Management’s response to risk, which depends on management’s appetite for risk: identified risks may be avoided, reduced, shared, or accepted. Risk response is one of the three components that the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management model adds to the five components of the COSO internal control framework (eight components in total).

20
Q

Define “reporting objectives” (as outlined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management -Integrated Framework).

A

Information system goals related to the accuracy, completeness, timeliness, and reliability of internal and external reporting. Reporting objectives are one of four organizational objectives, according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management - Integrated Framework.

21
Q

Define “objective setting” (as identified in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management model).

A

The component that ensures the company establishes objectives in each of the four specified categories (strategic, operations, reporting, and compliance) before management identifies the events that might affect their achievement. Objective setting is one of the three components that the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management model adds to the five components of the COSO internal control framework.

22
Q

Define “information and communications” (as outlined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework).

A

One of five components of internal control, according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model. This component involves the information and communication systems that enable an organization’s personnel to identify, process, and exchange the information needed to manage and control operations.

23
Q

Define “event identification” (as identified in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management model).

A

The identification of internal and external events that might affect, either positively or negatively, the organization’s ability to meet its objectives; events with a negative impact are risks, those with a positive impact are opportunities. Event identification is one of the three components that the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management model adds to the five components of the COSO internal control framework.

24
Q

Define “monitoring” (as outlined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework).

A

One of five components of internal control, according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model. This component assesses the quality of the internal control system over time, through ongoing monitoring and separate evaluations that test the system and its data, so that deficiencies are identified and reported.

25
Q

Define “control environment”

A

One of five components of internal control, according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model. This component encompasses management’s philosophy towards controls, organizational structure, system of authority and responsibility, personnel practices, and policies and procedures. It is the core or foundation of any system of internal control.

26
Q

Define “strategic objectives” (as outlined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management - Integrated Framework).

A

High-level goals that support the overall mission of the organization. Strategic objectives are one of four organizational objectives, according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management - Integrated Framework.

27
Q

Define competence in the context of designing internal control.

A

A commitment to attract, develop, and retain competent individuals consistent with achieving organizational objectives.

28
Q

Define accountability in the context of designing internal control.

A

Holding individuals accountable for their internal control responsibilities.

29
Q

Define inbound communications.

A

Communications from parties outside the organization, including customers, suppliers, external auditors, regulators, financial analysts and others.

30
Q

Define risk assessment precision.

A

Whether, and the extent to which, risk can be quantified.

31
Q

Define risk assessment materiality.

A

The determination of how large a risk must be before it poses a threat to objectives.

32
Q

Define organizational policies.

A

The organization’s control activities that establish stakeholder expectations regarding conduct and operations.

33
Q

Define “reliable information”.

A

Information must be accurate (see “Accuracy”), verifiable (see “Verifiable”) and from an objective source (see “Objective”).

34
Q

Define “accuracy”

A

The degree to which information can reasonably be expected to be free from error and/or to communicate results that reflect reality.

35
Q

Define “key performance indicators”.

A

Metrics that reflect critical success factors. They help organizations measure progress towards goals and objectives.

36
Q

Define “compensating controls”.

A

Controls that accomplish the same objective as another control and that can be expected to “compensate” for deficiencies in the first control.

37
Q

Define “key risk indicators”.

A

Forward-looking metrics that seek to identify potential problems, thus enabling an organization to take timely action, if necessary.

38
Q

Define “timely information”.

A

Information is produced and used in a time frame that makes it possible to prevent or detect control deficiencies before they become material.

39
Q

Define “objective or objectivity”.

A

The measure of the extent of factors that might influence a person to report inaccurate or incomplete information about risks or controls.

40
Q

Define “evaluator”.

A

An individual who monitors internal control. Must have skills, knowledge, and authority sufficient to understand risks and identify the controls needed to manage those risks. Two most important attributes are competence and objectivity.

41
Q

Define “sufficient information”.

A

Enough information to form a reasonable conclusion.

42
Q

Define “suitable information”.

A

Must be relevant (i.e., fit for its intended purpose), reliable (i.e., accurate, verifiable and from an objective source), and timely (i.e., produced and used in an appropriate time frame).

43
Q

Define “board monitoring”.

A

Execution of monitoring procedures by the board of directors or its committees. Includes oversight of management’s performance in relation to all of the COSO components, including evaluating management’s own monitoring process and assessing the risk that management may override controls.

44
Q

Define “indirect information”.

A

Relevant, but secondary, information for assessing whether a risk is mitigated by a control.

45
Q

Define “verifiable or verifiability”.

A

Can be established, confirmed or substantiated as true or accurate.

46
Q

Define “self-review”.

A

Person responsible for a control (but not that person’s peer or supervisor) assesses control effectiveness. The least objective type of “self assessment.”

47
Q

Define “relevant information”.

A

Information is meaningful to assessing a risk, control, or control component.

48
Q

Define “direct information”.

A

Directly substantiates the operation of controls and is obtained by observing controls in operation, reperforming them, or otherwise directly evaluating their operation.

49
Q

Define “key controls”.

A

Controls that are most important to monitor in order to support a conclusion about the internal control system’s ability to manage or mitigate meaningful risks.

50
Q

Define “self-assessment”.

A

Person responsible for a control, or that person’s peer or supervisor, assesses control effectiveness.

51
Q

Define “control objectives”.

A

They provide specific targets for evaluating the effectiveness of internal control. Typically stated in terms that describe the nature of the risk that should be managed or mitigated.

52
Q

Define “competence”.

A

Competence refers to the evaluator’s knowledge of the controls and related processes, including how controls should operate and what constitutes a control deficiency.

53
Q

Define “persuasiveness of information or persuasive information”.

A

The degree to which the information provides support for conclusions. Derived from its suitability (i.e., its relevance, reliability, and timeliness) and its sufficiency.

54
Q

Define “control baseline”.

A

A control assessment in which sufficient, persuasive information supports a reasonable conclusion about control effectiveness, either across the entire organization or in a given area. An appropriate starting point for effective control monitoring.

55
Q

Define “ongoing monitoring”.

A

Activities to monitor the effectiveness of internal control in the ordinary course of operations.

56
Q

Define “control environment”.

A

Sets the tone of an organization by influencing the control consciousness of its people. The foundation for all other components of internal control.

57
Q

Describe information and communication.

A

The “nerve-center function” of an internal control system. Pertinent information - internal and external - must be identified, captured, and communicated in a form and time frame that enable personnel to carry out their responsibilities.

58
Q

Define “control activities”.

A

Policies and procedures that help ensure that management directives are carried out. May include approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

59
Q

Define “deficiency or internal control deficiency”.

A

A condition requiring attention. May represent a perceived, potential or real shortcoming, or an opportunity to strengthen the internal control system to provide a greater likelihood of achieving an entity’s objectives.

60
Q

Define “enterprise risk management”.

A

Methods and processes used by organizations to identify and manage events and circumstances that may impact the ability of that entity to achieve its objectives.

61
Q

What activities should be considered regarding segregation of critical accounting duties?

A

Consider five critical activities related to internal control, which should be separated to lessen fraud risk: (1) authorizing events; (2) executing events; (3) recording events; (4) safeguarding resources and assets; and (5) reconciling, oversight, and auditing (e.g., Board of Directors’ review, internal and external audits, and reconciling system logs with known system activity).
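Segregation of duties is enforceable in software, and so is the reconciliation of system logs against recorded activity that the card lists as the oversight step. The following is an added example, not part of the flashcard set: a small purchase workflow in which authorizing, executing, and recording must be done by different principals in a required order, every action is written to an activity log before it takes effect, and an auditor reconciles the ledger against that log. The user names, the role assignments (including one user who holds two roles, as in a small firm), and the transactions are constructed for the illustration; safeguarding of assets is not modelled.

```python
"""Added example: segregation of duties on a purchase transaction, with log
reconciliation as the oversight control. Roles, users and transactions are
constructed; none of this is from the flashcards."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Duty(Enum):
    AUTHORIZE = "authorize"
    EXECUTE = "execute"
    RECORD = "record"


class ControlViolation(Exception):
    """An action that would breach segregation of duties or required sequencing."""


# Constructed assignments. A user may hold several roles, so role-based permission
# alone is not enough: segregation has to be checked per transaction as well.
ROLES_OF: dict[str, set[str]] = {
    "alice": {"manager"},
    "bob": {"buyer"},
    "carol": {"bookkeeper"},
    "eve": {"auditor"},
    "frank": {"manager", "buyer"},
}
DUTIES_OF_ROLE: dict[str, set[Duty]] = {
    "manager": {Duty.AUTHORIZE},
    "buyer": {Duty.EXECUTE},
    "bookkeeper": {Duty.RECORD},
    "auditor": set(),  # oversight only: may reconcile, never act on a transaction
}
# Required ordering: nothing is executed unauthorized, nothing recorded unexecuted.
REQUIRED_PRIOR: dict[Duty, Duty] = {Duty.EXECUTE: Duty.AUTHORIZE, Duty.RECORD: Duty.EXECUTE}


@dataclass
class Transaction:
    tx_id: str
    amount: int
    performed_by: dict[Duty, str] = field(default_factory=dict)  # duty -> user


class ControlledSystem:
    def __init__(self) -> None:
        self.activity_log: list[tuple[str, Duty, str]] = []  # appended before any effect
        self.ledger: dict[str, int] = {}                      # written only via RECORD

    def perform(self, user: str, duty: Duty, tx: Transaction) -> None:
        allowed = set().union(*(DUTIES_OF_ROLE[r] for r in ROLES_OF.get(user, set())))
        if duty not in allowed:
            raise PermissionError(f"{user} holds no role permitted to {duty.value}")
        if user in tx.performed_by.values():
            raise ControlViolation(f"{user} already acted on {tx.tx_id}; duties must be segregated")
        prior = REQUIRED_PRIOR.get(duty)
        if prior is not None and prior not in tx.performed_by:
            raise ControlViolation(f"{tx.tx_id}: cannot {duty.value} before {prior.value}")
        self.activity_log.append((tx.tx_id, duty, user))
        tx.performed_by[duty] = user
        if duty is Duty.RECORD:
            self.ledger[tx.tx_id] = tx.amount

    def reconcile(self, user: str) -> dict[str, list[str]]:
        """Oversight: compare what the ledger says with what the activity log shows."""
        if "auditor" not in ROLES_OF.get(user, set()):
            raise PermissionError(f"{user} is not an auditor")
        executed = {t for t, d, _ in self.activity_log if d is Duty.EXECUTE}
        recorded = {t for t, d, _ in self.activity_log if d is Duty.RECORD}
        return {
            "executed_not_recorded": sorted(executed - recorded),   # unrecorded purchases
            "ledger_without_log": sorted(set(self.ledger) - recorded),  # entries that bypassed controls
        }


def run_scenario() -> dict:
    """Constructed scenario: one clean transaction, three rejected actions, one override."""
    s = ControlledSystem()
    violations: list[str] = []
    po1 = Transaction("PO-1", 1200)
    s.perform("alice", Duty.AUTHORIZE, po1)
    s.perform("bob", Duty.EXECUTE, po1)
    s.perform("carol", Duty.RECORD, po1)          # three different people: accepted
    po2 = Transaction("PO-2", 50)
    s.perform("frank", Duty.AUTHORIZE, po2)
    attempts = [
        ("frank", Duty.EXECUTE, po2),             # same person twice on one transaction
        ("bob", Duty.RECORD, po1),                # buyer has no RECORD permission
        ("carol", Duty.RECORD, Transaction("PO-3", 9)),  # never authorized or executed
    ]
    for user, duty, tx in attempts:
        try:
            s.perform(user, duty, tx)
        except (PermissionError, ControlViolation) as exc:
            violations.append(type(exc).__name__)
    s.ledger["PO-9"] = 999   # management override: ledger written outside the controlled path
    return {"ledger": dict(s.ledger), "violations": violations, "report": s.reconcile("eve")}


if __name__ == "__main__":
    print(run_scenario())
```

The preventive check (`perform`) stops the ordinary cases, but it cannot see a write that bypasses it; that is what the reconciliation exists for, and why the activity log is written before the ledger rather than after.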

62
Q

Define “risk appetite”.

A

The amount of risk exposure, or potential adverse impact from an event, that an organization chooses to accept or retain, as opposed to sharing, avoiding, reducing or eliminating it.

63
Q

Define “cross-enterprise risk”.

A

A term primarily used by the ERP company SAP. A risk that occurs in multiple units in an organization. For example, the risk of a security breach that allowed unauthorized access to a system could occur at multiple sites or units within an organization.

64
Q

What is meant by “the tone at the top?”

A

The extent to which top management is ethical and is pro-active in establishing the organization’s ethical tone and culture. Consider a counter-example: Kenneth Lay urged Enron employees to buy more Enron stock at the same time that he was selling millions of dollars in Enron stock options (called a “pump and dump” scheme).

65
Q

List the four principles of the Institute of Internal Auditors’ (IIA) Code of Ethics (Framework for the 12 Rules of Conduct).

A

1. Integrity; 2. Objectivity; 3. Confidentiality; 4. Competency.

66
Q

What is the Institute of Internal Auditors’ (IIA) definition of internal auditing?

A

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.

67
Q

List the three elements that constitute “Mandatory” Guidance in the Institute of Internal Auditors’ (IIA) International Professional Practices Framework.

A

1. Definition of Internal Auditing; 2. Code of Ethics; 3. International Standards.

68
Q

List the three elements that constitute “Strongly Recommended” Guidance in the Institute of Internal Auditors’ (IIA) International Professional Practices Framework.

A

1. Position papers; 2. Practice advisories; 3. Practice guides.

69
Q

Define implementation standards.

A

These standards differentiate the requirements specifically applicable to “assurance” activities and “consulting” activities within the Attribute Standards and the Performance Standards.

70
Q

What is the distinction between “Assurance” and “Consulting” activities in internal auditing?

A

Assurance involves three parties (the process owner; the user; and the internal auditor), whereas consulting only involves two parties (the client and the internal auditor).

71
Q

What is the purpose of “Interpretations” of the International Standards?

A

Interpretations clarify the terms/concepts within the Attribute and Performance Standards (Interpretations are an integral part of the International Standards).

72
Q

List the two basic categories of standards that comprise the International Standards for the Professional Practice of Internal Auditing.

A

1. Attribute Standards; 2. Performance Standards.

73
Q

What are attribute standards?

A

These standards involve the characteristics (“attributes”) of organizations and of the individuals performing internal audit services.

74
Q

Define “Quality Assurance and Improvement Program (Standard 1300)”.

A

“The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.”

75
Q

List the four primary themes of Attribute Standards.

A

1. Purpose, Authority, and Responsibility; 2. Independence and Objectivity; 3. Proficiency and Due Professional Care; 4. Quality Assurance and Improvement Program.

76
Q

Define “Independence and Objectivity (Standard 1100)”.

A

“The internal audit activity must be independent, and internal auditors must be objective in performing their work.”

77
Q

Define “Proficiency and Due Professional Care (Standard 1200)”.

A

“Engagements must be performed with proficiency and due professional care.”

78
Q

Define “Purpose, Authority, and Responsibility (Standard 1000)”.

A

“The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.”

79
Q

Define “Nature of Work (Standard 2100)”.

A

“The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes, using a systematic and disciplined approach.”

80
Q

Define “Performing the Engagement (Standard 2300)”.

A

“Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives.”

81
Q

Define the “Resolution of Senior Management’s Acceptance of Risks (Standard 2600)”.

A

“When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution.”

82
Q

Define “Managing the Internal Audit Activity (Standard 2000)”

A

“The chief audit executive must effectively manage the internal audit activity to ensure that it adds value to the organization.”

83
Q

Define the “Monitoring Progress (Standard 2500)”.

A

“The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.”

84
Q

List the seven primary themes of Performance Standards.

A

(1) Managing the Internal Audit Activity; (2) Nature of Work; (3) Engagement Planning; (4) Performing the Engagement; (5) Communicating Results; (6) Monitoring Progress; and (7) Resolution of Senior Management’s Acceptance of Risks.

85
Q

Define “Engagement Planning (Standard 2200)”.

A

“Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations.”

86
Q

Define “Communicating Results (Standard 2400)”.

A

“Internal auditors must communicate the results of engagements.”