Module 40: Corporate Governance, Internal Control, and Enterprise Risk Management Flashcards

1
Q

Corporate Governance

A

Includes the policies, procedures, and mechanisms that are established to control management; it is designed to compensate for the agency problem

2
Q

Agency Problem

A

Professional managers may not manage in the best interest of the entity; rather, they manage in their own best interest. This is because shareholders are separated from the operations (management) of the firm (the principals).

3
Q

Internal Control (updated definition)

A

A process, effected by the entity’s BofD, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance

4
Q

COSO Internal Control Framework

A

CRIME

  1. Control Activities
  2. Risk Assessment
  3. Information and Communication
  4. Monitoring
  5. Control Environment
5
Q

COSO Enterprise Risk Management

A
  1. Control Activities
  2. Risk Assessment
  3. Information and Communication
  4. Monitoring
  5. Internal Environment
  6. Objective Setting
  7. Event Identification
  8. Risk Response

All components work together to allow an organization to identify risk to achieving the organization’s objectives and appropriately manage those risks.

6
Q

Enterprise Risk Management

A

A process, effected by an entity’s BofD, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the organization, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of organizational objectives

7
Q

Articles of Incorporation

A

The document filed with the secretary of state to obtain a certificate of incorporation, which includes:

  1. proposed name of the corporation and initial address
  2. purpose of the corporation
  3. the powers of the corporation
  4. the name of the registered agent of the corporation
  5. name and address of each incorporator
  6. number of authorized shares of stock and types of stock

Can be amended by BofD vote

8
Q

Audit Committee

A

The (independent) committee of the BofD that oversees the accounting and financial reporting processes of the company and oversees the audits of financial statements of the company. The Sarbanes-Oxley Act (and the NYSE and NASDAQ) requires all members to be independent.

Duties: appointment, compensation, and oversight of external auditors; resolution of any disagreements between management and the external auditor

9
Q

Black Swan Analysis

A

Evaluating the occurrence of events that had negative effects and were unanticipated or viewed as highly unlikely

10
Q

Board of Directors

A

The body charged with running the corporation on behalf of the shareholders and other stakeholders. It is responsible for providing strategic direction and guidance about the establishment of the key business objectives of the corporation

11
Q

Business Judgment Rule

A

A case law-derived concept that provides that a corporate director may not be held liable for errors in judgment providing the director acted with good faith, loyalty, and due care.

However, directors may be held personally liable for approving and paying illegal dividends. Also they are responsible for their own torts (wrongful acts) even if they are acting on behalf of the corporation

12
Q

Compensation Committee

A

The committee of the BofD that reviews and approves executive compensation, makes recommendations to the board regarding incentive-based compensation, and attempts to align incentives with shareholder objectives and risk appetite.

13
Q

The Dodd-Frank Act (2010)

A

Requires all members of the compensation committee to be independent and provides that in setting compensation, the members may request the company to engage compensation advisors that are independent of management.

Shareholders must be allowed a non-binding vote on executive compensation at least every 3 years, and a vote every 6 years as to whether the vote on compensation should be held more often

Requires non-binding vote by shareholders on “golden parachutes” to be provided to executives as a result of major transactions

14
Q

Corporate Bylaws

A

Set forth how the directors and/or officers are selected, how meetings are conducted, the types and duties of officers, and the required meetings. Should also prescribe the process for bylaw amendment. All officers and directors should have a copy

15
Q

Duty of Loyalty

A

A concept that provides that directors and officers must put the interest of the corporation before their personal interest. Accordingly, if a director is approached with a business opportunity that would be of interest to and benefit the corporation, he must first offer the opportunity to the corporation before pursuing it on his own behalf.

16
Q

Evaluator

A

An individual that monitors internal control within an organization

17
Q

Executive Perquisites

A

Executive benefits other than compensation, such as retirement, use of corporate assets, golden parachutes, and corporate loans

18
Q

Inherent Risk

A

The risk to the organization if management does nothing to alter its likelihood or impact

19
Q

Residual Risk

A

The risk of the event after considering management’s response

20
Q

Risk Appetite

A

The amount of risk an organization is willing to accept to achieve its objective

21
Q

Risk Assessment

A

Analyzing the potential (likelihood and impact) effects of a risk

22
Q

Risk Tolerance

A

The acceptable variation with respect to achieving a particular objective

23
Q

Self-Serving Activities

A

Put management before the shareholder by shirking, taking too little or too much risk, or consuming excessive perks

24
Q

Self-serving activities are eliminated by…

A

Corporate governance, which involves developing an appropriate legal structure, and establishing appropriate incentives (forms of compensation) and monitoring devices to prevent this inappropriate activity

25
Q

Shareholders

A

Provide the basic capital of the corporation and elect the board of directors. Shareholders are major stakeholders of the corporation, but stakeholders also include employees, customers, suppliers, government regulators, and society.

26
Q

Rights of Shareholders

A
  1. annual meetings are required by bylaws
  2. voting rights for articles of incorporation amendments or fundamental changes (mergers/ liquidations)
  3. last to receive their capital during liquidation
  4. right to receive dividends if declared by the BofD
  5. right to subscribe to stock issues so that their ownership is not diluted, as set forth in the Articles of Incorporation (preemptive right = allowed to purchase shares before the general public)
  6. right to inspect books and records in good faith and for a proper purpose
  7. right to sue on behalf of the corporation if officers and directors do not, for reasons such as director violation of fiduciary duty, illegal declaration of dividends, or fraud by an officer

Shareholders have no right to manage the corporation unless they are also officers or directors (CEO CFO)

27
Q

Derivative Legal Suit

A

Shareholders sue on behalf of the corporation if officers and directors do not, for reasons such as director violation of fiduciary duty, illegal declaration of dividends, or fraud by an officer

28
Q

Preferred Shareholders

A

Generally have no voting rights but they have preference as to dividends and receipt of capital upon liquidation of the company

29
Q

Common Shareholders

A

In many cases have cumulative voting rights in the election of directors allowing them to cast one vote for each director of the corporation for each share of stock they own

30
Q

Directors (of the Board)

A

Are fiduciaries of the corporation; elected by the common shareholders and have no individual power to bind the corporation. The power is collective (decisions made by majority vote).

Must exercise ordinary care and due diligence in performing their duties, and act in a manner that they believe is in the best interest of the corporation. They must disclose any conflicts of interest.

31
Q

Examples of BofD Duties

A
  1. determining the mission of the corporation
  2. selection and removal of the CEO
  3. amending the bylaws, unless this is a responsibility of the shareholders
  4. determining management compensation
  5. decisions regarding the declaration and payment of dividends
  6. decisions regarding major acquisitions and capital structure
  7. advising management
  8. providing governance oversight, with the assistance of internal and external auditors
  9. ensuring accurate financial reporting by the corporation
  10. risk management
32
Q

Officers

A

Operate the company based on the authority delegated to them by the board of directors; agents of the corporation that can bind the corporation within the scope of their authority; responsible for the fair presentation of financial reports (including f/s)

SOX requires the CFO and CEO to certify the financial statements

SOX generally prohibits personal loans to officers or directors of a public company; exceptions are made for loans “in the ordinary course of business”

Have a fiduciary duty to the corporation and are liable for their own torts

The corporation is not bound by the acts of an officer acting beyond their scope.

33
Q

Forms of Executive Compensation

A

Used in an attempt to align management’s behavior with the objectives of the shareholders, i.e. management decisions with the long-term goals of shareholders (long-term stock price)

  1. base salary and bonuses
  2. stock options
  3. stock grants
  4. executive perquisites (perks)
34
Q

Executive Base Salary and Bonuses

A

This system compensates managers based on performance (measured by accounting profit). Risky, because this can provide an incentive for managers to cook the books for short-term gain

35
Q

Stock Options

A

This system compensates managers with an incentive to manage the corporation to increase the stock price, which is consistent with the goal of shareholders

Disadvantage: managers may have an incentive to increase stock price in the short-term at the expense of long-term value.

Often, time stipulations, such as 3 years or more, are placed on exercising the options

36
Q

Stock Grants

A

Involve issuing shares of stock as part of management’s compensation. Two types:

  1. restricted stock- cannot be sold by the manager for a specific period of time, usually 10 years
  2. performance shares- issuance of stock if certain level of performance is met.
37
Q

Executive Perquisites

A

Retirement benefits, use of corporate assets, golden parachutes, and corporate loans

38
Q

The best forms of executive compensation

A

A combination of fixed compensation and incentive compensation that is related to long-term stock price.

Bonuses are effective if they are based on a composite of performance measures in addition to net profit, such as the amount of research and development expenditures, the corporation’s market share, the number of new products developed, and/ or the percentage of stock held by institutional investors (pension plan) (who intend to hold the stock for the long-term)
***These are referred to as balanced scorecards

39
Q

Monitoring Devices

A

Monitor management behavior

Internal: board of directors and internal auditors
External: external auditors, analysts, credit agencies, attorneys, the SEC and the IRS

40
Q

Board Oversight

A

For effective governance oversight, board members must be competent and a majority should be independent (not part of management and does not receive benefit other than the compensation of being a board member)

41
Q

Inside Directors

A

Officers, employees or stockholders who are on the board of directors

42
Q

Wall Street Reform and Consumer Protection (Dodd-Frank) Act of 2010

A

Requires public corporations to disclose why or why not the chairman of the board is also the CEO

43
Q

Board Committees for Effective Governance

A
  1. the nominating/ corporate governance committee
  2. the compensation committee
  3. the audit committee
44
Q

The Nominating/ Corporate Governance Committee

A
  1. oversees board organization, including committee assignments
  2. determines director qualifications and training
  3. develops corporate governance principles
  4. oversees CEO succession
45
Q

Members of the Audit Committee Should…

A

One member should be a “financial expert”, and if the audit committee does not have a financial expert it must disclose why

Financial Expert (a judgement call made by Board):

  1. understanding of GAAP and financial statements
  2. experience in preparing, auditing, analyzing, or evaluating financial statements of the breadth and complexity expected to be encountered with the company
  3. understanding of internal controls and procedures for financial reporting
  4. understanding of audit committee functions

Obtained from: education and experience as a principal financial officer, PA, controller, or equivalent; experience supervising an individual in one of the previously mentioned positions; experience overseeing or assessing the performance of companies or public accountants with respect to preparing, auditing, or evaluating financial statements; other relevant experience

46
Q

Whistleblowers and Audit Committee

A

The audit committee should establish rules for the receipt and treatment of complaints by employees

47
Q

Dodd-Frank Act and Whistleblowers

A

Dodd-Frank provides for civil actions by whistleblowers who are retaliated against by the company; SOX prohibits retaliation

** goes farther than SOX for whistleblowers

48
Q

Section 302 of the SOX act

A

Requires certification that the CEO and CFO:

  1. have reviewed the quarterly and annual financial reports filed with the SEC and they believe they are fairly stated and contain no material misstatements
  2. are responsible for establishing and maintaining internal control
  3. have executed IC and believe controls are effective as indicated in management’s report on IC
  4. have reported to the auditors and the audit committee all significant deficiencies in IC, and are not aware of any post-evaluation changes that could significantly affect IC
49
Q

NYSE & NASDAQ Rules Related to Corporate Governance and Director Independence

A

Require listed corporations to:

  1. have a majority of independent directors on their board
  2. make determination of independence of members and provide info to investors about the determination
  3. identify certain relationships that automatically preclude a member from being independent
  4. have non-management directors meet at regularly scheduled executive sessions
  5. adopt and make publicly available a code of conduct applicable to all directors, officers, and employees, and disclose any waivers of the code for directors or executive officers
  6. have an independent audit committee.
50
Q

NYSE & NASDAQ rules that make a director not independent

A
  1. if a director has been an employee of the corporation or an affiliate in the last 5 years (3 for NASDAQ)
  2. if a family member of a director has been an officer of the corporation or affiliate in the last 5 years (3 for NASDAQ)
  3. if director was a former partner or employee of the corporation’s external auditor in the last 5 years (3 for NASDAQ)
  4. if a director or a family member in the last 3 years received more than $120,000 (in 12 month period) in payments from the corporation other than for director compensation
  5. if a director is an executive of another entity that receives significant amounts of revenues from the corporation (vendor or supplier to the corp)
51
Q

Internal Auditors

A

Perform audits of the risk management activities, internal controls, and other governance processes for the corporation (referred to as assurance services). Results should be communicated to audit committee and board.

NYSE requires its listed companies to maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company’s RM processes and system of IC

52
Q

Institute of Internal Auditors (IIA)

A

Professional organization of internal auditors.

Issues International Standards for the Professional Practice of Internal Auditing and a Code of Ethics for internal auditors.

Administers the Certified Internal Auditor (CIA) program: a multipart exam that requires two years of internal audit experience (or its equivalent) and demonstrates that the individual is competent to perform internal audits

53
Q

International Standards for the Professional Practice of Internal Auditing

A

Include rules and interpretations for assurance services and consulting services.

Broken down into:

  1. attribute standards- related to the characteristics of the internal audit activity
  2. performance standards- related to the quality control of internal audit activities
  3. implementation standards- expand upon the attribute and performance standards
54
Q

Internal Audit Assurance Services

A

Involve providing an independent assessment of governance, risk management or control processes of an organization.

Examples: assurance about financial presentation, compliance, performance, and security system

55
Q

Internal Audit Consulting Services

A

Involve advisory related services to improve an organization’s governance, risk management or control processes.

Examples: training, advising, and facilitating

56
Q

Aspects of International Standards for the Professional Practice of Internal Auditing that relate particularly to corporate governance include:

A
  1. the purpose, authority, and responsibility of the internal audit activity should be formally defined in the internal audit charter. This should recognize the need to adhere to the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing. These also apply to individual internal auditors and internal audit activities
  2. internal audit activity must be independent and IA must be objective in performing their work; must have impartial, unbiased attitude and avoid conflicts of interest
  3. engagement must be performed with proficiency (knowledge, skill, and competencies needed) and due professional care
  4. IA’s must enhance their knowledge and skills with continuing professional development, and the chief audit executive must develop and maintain a quality assurance and improvement program
  5. Internal audit activity must evaluate the effectiveness and contribute to the improvement of the corporation’s risk management processes and assist the management in maintaining effective controls by evaluating their effectiveness and efficiency and promoting continuous improvement; chief audit executive should communicate the results of the quality assurance and improvement program to senior management and the board
  6. the chief audit executive must establish risk-based plans to determine audit priorities, which includes effectively employing resources and establishing p&p’s
  7. the chief audit executive should share information and coordinate work with other internal auditors and external auditors
  8. chief audit executive should periodically report to senior executives and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan
  9. internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishments of its objectives
  10. internal audit activity must evaluate the effectiveness of and contribute to the improvement of the risk management process
  11. internal audit activity must assist the org in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement
  12. audit engagements should be adequately planned, including appropriate identification of objectives and scope. audit work programs should be developed and audit work should be adequately supervised
  13. chief audit executive must establish and maintain a system to monitor the disposition of audit results communicated to management; (i.e. track findings and follow up)
57
Q

Internal Auditor Independence

A

Achieved by organizational independence, which means auditors cannot be influenced by the management of the functional areas that they audit.

Chief audit executive should ideally report (functionally) to the audit committee and administratively to the CEO.

Functional reporting examples: board approvals of the internal audit charter, budget and resource plan; risk based audit plan; remuneration of the chief audit executive; and decisions regarding appointment and discharge of the chief audit executive.

If independence is impaired, details must be disclosed to appropriate parties

58
Q

IA Quality Assurance and Improvement Programs Should Include…

A
  1. internal assessments that include ongoing monitoring of performance and periodic self-assessment or review by other qualified individuals within the organization
  2. external assessments at least once every 5 years by qualified independent assessors
  3. chief audit executive should communicate the results of the quality assurance and improvement program to senior management and the board
59
Q

Governance Process Objectives (that IA must assess)

A
  1. promoting appropriate ethics and values within the organization
  2. ensuring effective organizational performance management and accountability
  3. communicating risk and control information to appropriate areas of the org
  4. coordinating activities of and communicating information among the board, external and internal auditors, and management
60
Q

External Auditor Responsibility

A

Performing an audit of the corporation’s financial statements and internal control in accordance with the standards of the PCAOB

61
Q

Major corporate governance monitoring device for a corporation

A

external auditor

62
Q

Section 404 SOX

A

Requires that management acknowledge its responsibility for establishing adequate internal control over financial reporting and provide an assessment in the annual report of the effectiveness of internal control

63
Q

Section 404 SOX for accelerated filers

A

(Large public corporations) Requires that external auditors attest to management’s report on internal control as part of the audit of the financial statements

64
Q

Accelerated Filers (Large Public Corporations)

A

If public float is:

Large accelerated filer = greater than or equal to $700m

Accelerated filer = greater than or equal to $75m

65
Q

Public Float

A

Amount of o/s shares in public investors’ hands, as opposed to those held by directors, officers, etc.

66
Q

External Auditor Communication

A

Required (by SOX) to communicate information that will help the committee perform its oversight function (i.e. engagement letter info):

  1. consultation with other accountants
  2. significant disagreements with management
  3. written management representations
  4. material misstatements (corrected or not)

67
Q

Section 802 SOX

A

Prohibits a person from knowingly destroying, mutilating, altering, falsifying, or concealing records or documents to impede or influence the investigation of any department or agency of the United States

Penalty is a fine, imprisonment for not more than 20 years, or both

68
Q

Investment banks and security analysts

A

Investment bankers help corporations issue equity and debt offerings

They represent an external monitoring device because they must evaluate the company prior to becoming involved in selling the securities (buy, hold, sell)

69
Q

Creditors act as…

A

An external monitoring device

Debt agreements with covenants must be complied with; creditors monitor compliance

Limitation: they usually use information provided by management, but they often engage external auditors

70
Q

Credit Rating Agencies

A

Rate the creditworthiness of corporate bonds and are external monitoring devices, much like security analysts

Limitation: they may improperly set the initial rating and are slow to downgrade ratings once corporations are in financial difficulty

The Dodd-Frank Act helps prevent conflicts of interest and improve transparency

71
Q

SEC Responsibility

A

Protecting investors; maintaining fair, orderly, and efficient markets; and facilitating capital formation by enforcing US securities laws

72
Q

SEC consists of

A

5 presidentially appointed commissioners

73
Q

SEC divisions and offices related to corporate governance

A
  1. Division of Corporate Finance
  2. Division of Enforcement
  3. The Office of the Chief Accountant
74
Q

Division of Corporate Finance

A

Reviews documents of publicly held companies that are filed with the SEC; checks to see if they are meeting disclosure requirements and seeks to improve the quality of disclosures

75
Q

Division of Enforcement

A

Assists the SEC in executing its law enforcement function by recommending the commencement of investigations of securities law violations, recommending which cases to take to court, and prosecuting these cases on behalf of the Commission

76
Q

The Office of the Chief Accountant

A

Advises the Commission on accounting and auditing, oversees the development of accounting principles, and approves the auditing rules put forward by the PCAOB (must approve the PCAOB’s rules)

77
Q

Provisions of SOX that improved SEC as external monitoring device

A
  1. CEO and CFO must certify the accuracy of the truthfulness of periodic financial reports filed with SEC (criminally and civilly liable if incorrect certification)
  2. public companies must disclose whether they have established a code of ethics for senior financial officers
  3. any person who knowingly perpetrates or attempts a scheme to defraud any other person by misrepresenting or making false claims in connection with the purchase or sale of securities can be fined or imprisoned for up to 25 years, or both
78
Q

Dodd-Frank awards

A

Will award whistleblowers for providing information about violations of securities laws that result in aggregate monetary sanctions in excess of $1 million

79
Q

Whistleblower is eligible to receive

A

10%–30% of the monetary sanction (if greater than $1m) if the information is derived from the independent knowledge or analysis of the whistleblower and not known to the government from any other source

80
Q

Individuals generally excluded from receiving monetary sanctions from whistleblower act are…

A
  1. officers, directors, trustees, or partners of an entity, when those individuals learned of information about the misconduct from another person or in connection with the company’s process for identifying potential illegal conduct
  2. employees whose main function involves compliance or internal audit, or individuals hired to investigate possible violations of law
  3. employees of public accounting firms performing an engagement required by the securities laws
    * Exception: if it appears that the company is attempting to behave in a way that would harm investors or inhibit an investigation, or 120 days have passed since they notified the company of a violation
81
Q

Where to report a securities violation

A

Whistleblowers are encouraged to report information through the normal internal corporate governance system of the company, by an indication that doing so may increase the amount of the award

82
Q

Can sue company for retaliation against whistleblowers

A

Provision by SOX, strengthened by Dodd-Frank

83
Q

Jumpstart Our Business Startup Act (JOBS)

A

Excepted “emerging growth companies”, for a maximum of 5 years from the date of their initial public offering, from certain requirements that apply to larger public companies, including:

  1. certain disclosure requirements
  2. requirement for an integrated audit of internal control
  3. requirements regarding shareholder votes on executive compensation
84
Q

Corporate Takeovers

A

Act as a corporate governance device; if management is performing poorly, the corporation may be subject to takeover by a firm that believes it can more efficiently utilize the corporation’s resources (provides an incentive)

85
Q

Poison Pill Defense

A

defense to corporate takeovers; option for shareholders to purchase additional shares at a discount

86
Q

Internal Control Objectives

A
  1. Operations Objectives
  2. Reporting Objectives
  3. Compliance Objectives
87
Q

Operations Objectives (IC)

A

the organization achieves effective and efficient operations when significant external events can be predicted and their potential effects mitigated, or the organization understands the extent to which operations can be managed when the effects of significant events cannot be mitigated; also includes safeguarding of assets

88
Q

Reporting Objectives (IC)

A

org prepares internal and external financial and nonfinancial reports in conformity with applicable laws, rules, regulations, standards, and internal policies

89
Q

Compliance Objectives (IC)

A

org complies with applicable laws, rules, and regulations

90
Q

Control Environment (IC)

A

the set of standards, processes, and structures that provide the basis for carrying out IC across the org

foundation for other components of IC

Comprises:

  1. integrity and ethical values
  2. parameters enabling the board to carry out its oversight responsibilities
  3. org structure and assignment of authority and responsibility
  4. process for attracting, developing, and retaining competent individuals
  5. rigor around performance measures, incentives, and rewards to drive accountability for performance
91
Q

Principles relating to the control environment

A
  1. the organization demonstrates a commitment to integrity and ethical values
  2. the BofD demonstrates independence from management and exercises oversight of the development and performance of IC
  3. management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
  4. the org demonstrates commitment to attract, develop and retain competent individuals in alignment with objectives
  5. the org holds individuals accountable for their IC responsibilities in the pursuit of objectives
92
Q

Demonstrate commitment to integrity and ethical values

A

communication and enforcement of integrity and ethical values

management should establish a tone at the top of the org through directives, actions, and behavior that encourages appropriate behavior

do this with standards (code) of conduct, official policies, directives, and by example

individuals should be evaluated for adherence and deviations should be addressed

93
Q

exercise oversight responsibility

A

board must collectively possess appropriate expertise and have sufficient members that are independent from management

94
Q

establish structure authority and responsibility

A

with board oversight

structured along various dimensions such as product or service, legal entity, or geographic market

orgs delegate authority and responsibility to enable management and other personnel to make decisions according to management’s directives

delegating authority increases risk, which means management should establish appropriate limitations of authority

95
Q

demonstrate commitment to competence

A

commitment to competence is supported by human resource management processes for attracting, developing, and retaining the right fit of management, other personnel, and outsourced service providers

succession planning and contingency planning for assignment of IC responsibilities is also very important

96
Q

enforce accountability

A

Board should hold CEO responsible for establishing system of IC to achieve objectives

accountability should be supported by appropriate performance measures, incentives and rewards

must be cognizant of the effects of undue pressure, which may cause individuals to circumvent processes or engage in fraudulent activities

97
Q

Risk Assessment (IC)

A

Risk: the possibility that an event will occur and adversely affect the achievement of objectives in the areas of operations, reporting or compliance

Risk Assessment: process for identifying, analyzing, and responding to risks

98
Q

Risk Assessment Principles (IC)

A
  1. org specifies objectives with significant clarity to enable the identification and assessment of risks relating to objectives
  2. org identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
  3. org considers the potential for fraud in assessing risks to the achievement of objectives
  4. org identifies and assesses changes that could significantly impact the system of IC
  5. management must decide how much risk may be prudently accepted, strive to maintain risk within these levels, and understand how much tolerance it has for exceeding targeted risk levels
99
Q

After risks have been identified (IC)…

A

a risk analysis is performed, which involves estimating the likelihood of the risk occurring and its impact

management then determines which risks require response

response can include acceptance, avoidance, reduction, or sharing

100
Q

Control Activities (IC)

A

policies and procedures that help ensure that management directives are carried out

Authorization and Approvals
Verifications
Physical Controls
Controls over standing data
Reconciliations
Supervisory Controls
101
Q

Control Activity Principles (IC)

A

RIPS (reviews, information processing, physical controls, segregation of duties)

  1. org selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
  2. org selects and develops general control activities over technology to support the achievement of objectives
  3. org deploys control activities through policies that establish what is expected and in procedures that put policies into action
102
Q

General Controls Over Technology

A

control activities that support the reliability of two or more types of transactions or processes

Controls over:

  1. technology infrastructure which are designed to ensure the completeness, accuracy, and availability of technology processing
  2. access to technology to restrict access to authorized users
  3. the acquisition, development, and maintenance of technology and its infrastructure
103
Q

Transaction Controls

A

designed to ensure that particular transactions (i.e. payroll) are accurate, complete, and authorized

Further segregated into:

  1. input controls
  2. processing controls
  3. output controls
104
Q

Information and Communication Principles (IC)

A
  1. org obtains or generates and uses relevant, quality information to support the functioning of IC
  2. org internally communicates info, including objectives and responsibility for internal control, necessary to support the functioning of IC
  3. org communicates with external parties regarding matters affecting the functions of IC
105
Q

Information and Communication (IC)

A

Management must design an effective information system, considering the requirements of users, that reliably captures internal and external sources of data, processes the data into information and maintains quality throughout processing

106
Q

Quality of information (within information and communication of IC)

A

quality is essential and depends on whether info is accessible, correct, current, protected, retained, sufficient, timely, valid, and verifiable

107
Q

Information and communication to be effective

A

information must be communicated through appropriate methods to management, other personnel and BofD

example: anonymous whistleblower hotline should be established to ensure that employees and other parties can report inappropriate activity

processes and channels must be established to facilitate communication to appropriate external parties such as regulators, owners, financial analysts, and customers

108
Q

Monitoring (IC)

A

monitoring activities assess whether each of the five IC components are present and functioning

may be achieved by ongoing activities or separate evaluations

109
Q

Ongoing monitoring activities

A

regularly performed supervisory and management activities, such as continuous monitoring of customer complaints or reviewing the reasonableness of management reports

110
Q

Separate evaluations

A

monitoring activities that are performed on a nonroutine basis, such as periodic audits by internal auditors

111
Q

Monitoring Principles (IC)

A
  1. org selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of IC are present and functioning
  2. org evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the BofD, as appropriate. *** this is not an ongoing monitoring activity
112
Q

Evaluators

A

Individuals that monitor controls within an organization

113
Q

Characteristics of Evaluators

A

should be competent and objective in the particular circumstances

competence is evaluators knowledge of IC and related processes, including how controls should operate and what constitutes a deficiency

objectivity refers to whether that person can evaluate the controls without concern about possible consequences of discovering deficiencies

114
Q

Internal control systems can fail because

A
  1. they are not designed or implemented properly
  2. they are properly designed and implemented but environment changes have occurred making the controls ineffective
  3. they are properly designed and implemented but the way they operate has changed making controls ineffective
115
Q

Control Baseline

A

establishing a starting point that includes a supported understanding of the existing internal control system; serves as a starting point for monitoring IC

understanding allows orgs to design ongoing and separate monitoring procedures

116
Q

Change Identification

A

Identifying through monitoring changes in internal control that are necessary because changes in the operating environment have taken place, such as changes in regulations or changes in the economic environment

117
Q

Change Management

A

evaluating the design and implementation of the changes, and establishing a new baseline

effective change management process enables management to control:

  1. change requests
  2. change analyses
  3. change decisions
  4. change planning, implementation, and tracking

*effects of changes should be considered; changes should be authorized, communicated, documented, and thoroughly tested before being implemented

118
Q

Control revalidation/ update

A

periodically revalidating control operation when no known changes have occurred

119
Q

Monitoring Sequence of Activities

A
  1. control baseline
  2. change identification
  3. change management
  4. control revalidation/ update
120
Q

The effectiveness and efficiency of monitoring can be enhanced by

A

linking it to the results of the risk assessment component of internal control

this allows evaluators to focus monitoring attention on controls that address meaningful risks (aka key controls)

121
Q

Key control characteristics (meaningful risks)

A
  1. their failure could materially affect the area’s objectives, and other controls would not be expected to detect the failure on a timely basis; and
  2. their operation might prevent or detect other control failures before they had an opportunity to become material to the organization’s objectives

*evaluator should determine what constitutes sufficient suitable evidence to determine this

122
Q

direct evidence

A

evidence obtained from observing the control and reperforming it

123
Q

indirect evidence

A

evidence that identifies anomalies that may signal control change or failure

e.g. evidence derived from operating statistics, key risk indicators (forward-looking metrics that serve to identify problems), performance indicators, comparative industry data

124
Q

ongoing monitoring vs separate monitoring

A

ongoing is better because it can offer the first opportunity to identify and correct control deficiencies

125
Q

communication of deficiencies discovered via monitoring

A

should be reported to appropriate internal and external individuals so corrective action can be taken

126
Q

track corrective action

A

to determine if action is taken on a timely basis

127
Q

classifications of internal controls

A

have been developed to help the evaluation process

  1. preventive controls, detective controls, and corrective controls
  2. feedback and feed-forward controls
128
Q

feedback controls

A

evaluate the results of a process and adjust the process if the results indicate the process is not operating effectively

129
Q

feed-forward controls

A

project results into the future and make changes to alter their projected results

130
Q

limitations of internal control

A

reasonable but not absolute assurance because of:

  1. human judgment in decision making
  2. human errors and mistakes
  3. circumvention by collusion
  4. management override of internal control
  5. cost constraints (cost should not exceed benefits)
  6. custom, culture, and the corporate governance system may inhibit fraud, but they are not absolute deterrents
131
Q

Section 404 of SOX requires management to provide a report on effectiveness of the IC system, which includes…

A
  1. a statement of management's responsibility for establishing and maintaining adequate IC over f/r for the corp
  2. a statement identifying the framework used by management to conduct the required assessment of the effectiveness of IC (e.g. COSO)
  3. an assessment of the effectiveness of IC as of the end of the company’s most recent fiscal year, including an explicit statement as to whether the IC over f/r is effective. Material weaknesses should be disclosed
  4. if applicable, a statement that the corp's registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the IC (reminder: external auditors of accelerated filers must attest to and report on the effectiveness of IC)
132
Q

Benefits of ERM

A
  1. helps align risk appetite of the organization with its strategy
  2. enhances risk response decisions, reduces operational surprises and losses
  3. identifies and manages cross-enterprise risks
  4. provides integrated responses to multiple risks
  5. helps the organization seize opportunities, and
  6. improves the deployment of capital
133
Q

Risk Management process involves…

A
  1. identifying risks
  2. assessing risks
  3. prioritizing risks
  4. determining risk responses
  5. and monitoring risks
134
Q

Internal Environment (ERM)

A

basis for all other components of ERM, provides discipline and structure

encompasses tone of the organization, and sets the basis for how risk is viewed and addressed by an organization; including risk management philosophy and risk appetite, and integrity and ethical values

135
Q

Objective Setting (ERM)

A

ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the mission and are consistent with risk appetite

136
Q

strategic objectives

A

high-level goals aligned with the organization's mission

these objectives are linked and integrated with specific objectives established for various activities

137
Q

ERM objective categories (3)

A

divided into three categories:

  1. operations objectives
  2. reporting objectives
  3. compliance objectives
138
Q

Event Identification Techniques (ERM)

A
  1. event inventories
  2. internal analysis
  3. escalation or threshold triggers
  4. facilitated workshops or interviews
  5. process flow analysis
  6. leading event indicators
  7. loss event data methodologies
139
Q

Event

A

an incident that occurs or might occur that affects implementation of strategy or achievement of objectives

may be negative (risks) or positive (opportunities) or both

140
Q

event inventories

A

developing a detailed listing of potential events

141
Q

internal analysis

A

this may be done at regular staff meetings; it may involve using info from other stakeholders such as customers, suppliers, etc.

142
Q

escalation or threshold triggers

A

management predetermines limits that cause an event to be further assessed

143
Q

facilitated workshops or interviews

A

involves soliciting info about events from management and staff

example: a facilitator may lead a discussion of events that might affect achieving an organization's objectives

144
Q

process flow analysis

A

involves breaking processes down into inputs, tasks, responsibilities, and outputs to identify events that might adversely affect the process

145
Q

leading event indicators

A

involves monitoring data correlated to events, to identify when the event is likely to occur

146
Q

loss event data methodologies

A

using repositories of past events that resulted in loss, management can identify event trends and the root causes of events

147
Q

black swan analysis

A

evaluating the occurrence of events that had negative effects and were unanticipated or viewed as highly unlikely

148
Q

Risk Assessment (ERM)

A

risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed (should assess inherent and residual risk for an event)

149
Q

inherent risk

A

risk to the org if management does nothing to alter its likelihood or impact

150
Q

residual risk

A

risk of the event after considering management’s response

151
Q

qualitative techniques in risk assessment (ERM)

A

used to assess risk when risks do not lend themselves to quantification or when sufficient reliable data is not available to use a quantitative model

152
Q

probabilistic or non-probabilistic models are used to…

A

quantify risk

153
Q

probabilistic models

A

associate a range of events and the resulting impact with the likelihood of those events based on certain assumptions

example: value at risk, cash flow at risk, earnings at risk, and development of credit and operational loss distributions

154
Q

non-probabilistic models

A

use subjective assumptions in estimating the impact of events without quantifying an associated likelihood

examples: sensitivity measures, stress tests, and scenario analysis

155
Q

Risk Response (ERM)

A

management selects risk responses that are consistent with the risk appetite of the organization including:

  1. Avoidance
  2. Reduction
  3. Sharing
  4. Acceptance (retention)
156
Q

Avoidance (risk response)

A

this response involves exiting the activity that gives rise to the risk

157
Q

Reduction (risk response)

A

involves taking action to reduce risk likelihood or impact, or both.

example: might involve managing the risk or adding additional controls to processes

158
Q

Sharing (risk response)

A

Involves reducing risk likelihood or impact by transferring or sharing a portion of the risk. Techniques include:

  1. insurance
  2. hedging
  3. outsourcing
159
Q

Acceptance (retention) risk response

A

no action is taken because the risk is consistent with the risk appetite of the org

160
Q

Control Activities (ERM)

A

policies and procedures should be established and implemented to help ensure the risk responses are carried out effectively

161
Q

Information and Communication (ERM)

A

Information is needed at all levels of the org to identify, assess and respond to risks

Communication should effectively convey the importance and relevance of effective ERM, the org's objectives, the org's risk appetite and risk tolerances, a common risk language, and the roles and responsibilities of personnel in effecting and supporting the components of ERM

162
Q

Monitoring (ERM)

A

the entire ERM process should be monitored to make needed modifications

monitoring is accomplished by ongoing management activities, and separate evaluations, such as those performed by independent auditors

163
Q

3 Limitations of ERM

A
  1. risk relates to the future which is uncertain
  2. ERM provides info about risks of achieving objectives but it cannot provide even reasonable assurance that objectives will be achieved (you can’t say that the co will even be functioning in a year)
  3. ERM cannot provide absolute assurance with respect to any of the objective categories
164
Q

Specific limitations with respect to ERM not providing absolute assurance of any objective categories include:

A
  1. ERM is subject to human judgment with regard to risk and impact
  2. a well-designed ERM can break down
  3. collusion
  4. management override