Module 40: Corporate Governance, Internal Control, and Enterprise Risk Management Flashcards
Corporate Governance
Includes the policies, procedures and mechanisms that are established to control management; it is designed to compensate for the agency problem
Agency Problem
Professional managers may not manage in the best interest of the entity; rather, they manage in their own best interest. This arises because the shareholders (the principals) are separated from the operations (management) of the firm.
Internal Control (updated definition)
A process, effected by the entity’s BofD, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance
COSO Internal Control Framework
CRIME
- Control Activities
- Risk Assessment
- Information and Communication
- Monitoring
- Control Environment
COSO Enterprise Risk Management
- Control Activities
- Risk Assessment
- Information and Communication
- Monitoring
- Internal Environment
- Objective Setting
- Event Identification
- Risk Response
All components work together to allow an organization to identify risk to achieving the organization’s objectives and appropriately manage those risks.
Enterprise Risk Management
A process, effected by an entity’s BofD, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the organization, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of organizational objectives
Articles of Incorporation
The document filed with the secretary of state to obtain a certificate of incorporation, which includes:
- proposed name of the corporation and initial address
- purpose of the corporation
- the powers of the corporation
- the name of the registered agent of the corporation
- name and address of each incorporator
- number of authorized shares of stock and types of stock
Can be amended by BofD vote
Audit Committee
The (independent) committee of the BofD that oversees the accounting and financial reporting processes of the company and oversees the audits of financial statements of the company. The Sarbanes-Oxley Act (and the NYSE and NASDAQ) requires all members to be independent.
Duties: appointment, compensation and oversight of external auditors; resolution of any disagreements between management and the external auditor
Black Swan Analysis
Evaluating the occurrence of events that had negative effects and were unanticipated or viewed as highly unlikely
Board of Directors
The body charged with running the corporation on behalf of the shareholders and other stakeholders. It is responsible for providing strategic direction and guidance about the establishment of the key business objectives of the corporation
Business Judgment Rule
A case law-derived concept that provides that a corporate director may not be held liable for errors in judgment provided the director acted with good faith, loyalty, and due care.
However, directors may be held personally liable for approving and paying illegal dividends. Also they are responsible for their own torts (wrongful acts) even if they are acting on behalf of the corporation
Compensation Committee
The committee of the BofD that reviews and approves executive compensation, makes recommendations to the board regarding incentive-based compensation, and attempts to align incentives with shareholder objectives and risk appetite.
The Dodd-Frank Act (2010)
Requires all members of the compensation committee to be independent and provides that in setting compensation, the members may request the company to engage compensation advisors that are independent of management.
Shareholders must be allowed a non-binding vote on executive compensation at least every 3 years, and a vote every 6 years as to whether the vote on compensation should be held more often
Requires non-binding vote by shareholders on “golden parachutes” to be provided to executives as a result of major transactions
Corporate Bylaws
Set forth how the directors and/or officers are selected, how meetings are conducted, the types and duties of officers, and the required meetings. Should also prescribe the process for bylaw amendment. All officers and directors should have a copy
Duty of Loyalty
A concept that provides that directors and officers must put the interest of the corporation before their personal interest. Accordingly, if a director is approached with a business opportunity that would be of interest to and benefit the corporation, he must first offer the opportunity to the corporation before pursuing it on his own behalf.
Evaluator
An individual who monitors internal control within an organization
Executive Perquisites
Executive benefits other than compensation, such as retirement, use of corporate assets, golden parachutes, and corporate loans
Inherent Risk
The risk to the organization if management does nothing to alter its likelihood or impact
Residual Risk
The risk of the event after considering management’s response
Risk Appetite
The amount of risk an organization is willing to accept to achieve its objective
Risk Assessment
Analyzing the potential (likelihood and impact) effects of a risk
Risk Tolerance
The acceptable variation with respect to achieving a particular objective
Self-Serving Activities
Put management before the shareholder by shirking, taking too little or too much risk, or consuming excessive perks
Self-serving activities are eliminated by…
Corporate governance, which involves developing an appropriate legal structure, and establishing appropriate incentives (forms of compensation) and monitoring devices to prevent this inappropriate activity
Shareholders
Provide the basic capital of the corporation and elect the board of directors. Shareholders are the major stakeholders of the corporation, but stakeholders also include employees, customers, suppliers, government regulators, and society.
Rights of Shareholders
- annual meetings are required by bylaws
- voting rights for articles of incorporation amendments or fundamental changes (mergers/ liquidations)
- last to receive their capital during liquidation
- right to receive dividends if declared by the BofD
- right to subscribe to stock issues so that their ownership is not diluted, as set forth in the Articles of Incorporation (preemptive right: allowed to purchase shares before the general public)
- right to inspect books and records in good faith and for a proper purpose
- right to sue on behalf of the corporation if officers and directors do not, for reasons such as director violation of fiduciary duty, illegal declaration of dividends, or fraud by an officer
Shareholders have no right to manage the corporation unless they are also officers or directors (CEO CFO)
Derivative Legal Suit
Shareholders sue on behalf of the corporation if officers and directors do not, for reasons such as director violation of fiduciary duty, illegal declaration of dividends, or fraud by an officer
Preferred Shareholders
Generally have no voting rights but they have preference as to dividends and receipt of capital upon liquidation of the company
Common Shareholders
In many cases have cumulative voting rights in the election of directors allowing them to cast one vote for each director of the corporation for each share of stock they own
Directors (of the Board)
Are fiduciaries of the corporation; elected by the common shareholders and have no individual power to bind the corporation. The power is collective (decisions made by majority vote).
Must exercise ordinary care and due diligence in performing their duties, and act in a manner that they believe is in the best interest of the corporation. They must disclose any conflicts of interest.
Examples of BofD Duties
- determining the mission of the corporation
- selection and removal of the CEO
- amending the bylaws, unless this is a responsibility of the shareholders
- determining management compensation
- decisions regarding the declaration and payment of dividends
- decisions regarding major acquisitions and capital structure
- advising management
- providing governance oversight, with the assistance of internal and external auditors
- ensuring accurate financial reporting by the corporation
- risk management
Officers
Operate the company based on the authority delegated to them by the board of directors; agents of the corporation who can bind the corporation within the scope of their authority; responsible for fair presentation of financial reports (including f/s)
SOX requires the CFO and CEO to certify the financial statements
SOX generally prohibits personal loans to officers or directors of a public company; exceptions are made for loans “in the ordinary course of business”
Have a fiduciary duty to the corporation and are liable for their own torts
The corporation is not bound by the acts of an officer acting beyond their scope.
Forms of Executive Compensation
Used in an attempt to align management’s behavior with the objectives of the shareholders, i.e. management decisions with the long-term goals of shareholders (long-term stock price)
- base salary and bonuses
- stock options
- stock grants
- executive perquisites (perks)
Executive Base Salary and Bonuses
This system compensates managers based on performance (measured by accounting profit). Risky because this can provide an incentive for managers to cook the books for short-term gain
Stock Options
This system compensates managers with an incentive to manage the corporation to increase the stock price, which is consistent with the goal of shareholders
Disadvantage: managers may have an incentive to increase stock price in the short-term at the expense of long-term value.
Frequently, time restrictions, such as 3 years or more, are placed on exercising the options
Stock Grants
Involve issuing shares of stock as part of management’s compensation. Two types:
- restricted stock: cannot be sold by the manager for a specific period of time, usually 10 years
- performance shares: issuance of stock if a certain level of performance is met
Executive Perquisites
Retirement benefits, use of corporate assets, golden parachutes, and corporate loans
The best forms of executive compensation
a combination of fixed compensation and incentive compensation that is related to long-term stock price.
Bonuses are effective if they are based on a composite of performance measures in addition to net profit, such as the amount of research and development expenditures, the corporation’s market share, the number of new products developed, and/ or the percentage of stock held by institutional investors (pension plan) (who intend to hold the stock for the long-term)
***These are referred to as balanced scorecards
Monitoring Devices
Monitor management behavior
Internal: board of directors and internal auditors
External: external auditors, analysts, credit agencies, attorneys, the SEC and the IRS
Board Oversight
For effective governance oversight, board members must be competent and a majority should be independent (not part of management and does not receive benefit other than the compensation of being a board member)
Inside Directors
Officers, employees or stockholders who are on the board of directors
Wall Street Reform and Consumer Protection (Dodd-Frank) Act of 2010
Requires public corporations to disclose whether the chairman of the board is also the CEO, and why or why not
Board Committees for Effective Governance
- the nominating/ corporate governance committee
- the compensation committee
- the audit committee
The Nominating/ Corporate Governance Committee
- oversees board organization, including committee assignments
- determines director qualifications and training
- develops corporate governance principles
- oversees CEO succession
Members of the Audit Committee Should…
At least one member should be a “financial expert”; if the audit committee does not have a financial expert, the company must disclose why
Financial Expert (a judgement call made by Board):
- understanding of GAAP and financial statements
- experience in preparing, auditing, analyzing, or evaluating financial statements of the breadth and complexity expected to be encountered with the company
- understanding of internal controls and procedures for financial reporting
- understanding of audit committee functions
Obtain these from: education and experience as a principal financial officer, PA, controller, or equivalent; experience supervising an individual in one of the previously mentioned positions; experience overseeing or assessing the performance of companies or public accountants with respect to preparing, auditing or evaluating financial statements; other relevant experience
Whistleblowers and Audit Committee
The audit committee should establish rules for the receipt and treatment of complaints by employees
Dodd-Frank Act and Whistleblowers
Dodd-Frank provides for civil actions by whistleblowers who are retaliated against by the company; SOX prohibits retaliation
** goes farther than SOX for whistleblowers
Section 302 of the SOX act
Requires certification that the CEO and CFO:
- have reviewed the quarterly and annual financial reports filed with the SEC and they believe they are fairly stated and contain no material misstatements
- are responsible for establishing and maintaining internal control
- have evaluated IC and believe the controls are effective, as indicated in management’s report on IC
- have reported to the auditors and the audit committee all significant deficiencies in IC, and are not aware of any post-evaluation changes that could significantly affect IC
NYSE & NASDAQ Rules Related to Corporate Governance and Director Independence
Require listed corporations to:
- have a majority of independent directors on their board
- make determination of independence of members and provide info to investors about the determination
- identify certain relationships that automatically preclude a member from being independent
- have non-management directors meet at regularly scheduled executive sessions
- adopt and make publicly available a code of conduct applicable to all directors, officers, and employees, and disclose any waivers of the code for directors or executive officers
- have an independent audit committee.
NYSE & NASDAQ rules that make a director not independent
- if a director has been an employee of the corporation or an affiliate in the last 5 years (3 for NASDAQ)
- if a family member of a director has been an officer of the corporation or affiliate in the last 5 years (3 for NASDAQ)
- if director was a former partner or employee of the corporation’s external auditor in the last 5 years (3 for NASDAQ)
- if a director or a family member in the last 3 years received more than $120,000 (in 12 month period) in payments from the corporation other than for director compensation
- if a director is an executive of another entity that receives significant amounts of revenues from the corporation (vendor or supplier to the corp)
Internal Auditors
Perform audits of the risk management activities, internal controls, and other governance processes for the corporation (referred to as assurance services). Results should be communicated to audit committee and board.
The NYSE requires its listed companies to maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company’s risk management (RM) processes and system of IC
Institute of Internal Auditors (IIA)
Professional organization of internal auditors.
Issues International Standards for the Professional Practice of Internal Auditing and a Code of Ethics for internal auditors.
Administers the Certified Internal Auditor (CIA) program, a multipart exam that requires two years of internal audit experience (or its equivalent) and demonstrates that the individual is competent to perform internal audits
International Standards for the Professional Practice of Internal Auditing
Include rules and interpretations for assurance services and consulting services.
Broken down into:
- attribute standards- related to the characteristics of the internal audit activity
- performance standards- related to the quality control of internal audit activities
- implementation standards- expand upon the attribute and performance standards
Internal Audit Assurance Services
Involve providing an independent assessment of governance, risk management or control processes of an organization.
Examples: assurance about financial presentation, compliance, performance, and security systems
Internal Audit Consulting Services
Involve advisory related services to improve an organization’s governance, risk management or control processes.
Examples: training, advising, and facilitating
Aspects of International Standards for the Professional Practice of Internal Auditing that relate particularly to corporate governance include:
- the purpose, authority, and responsibility of the internal audit activity should be formally defined in the internal audit charter. This should recognize the need to adhere to the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing. These also apply to individual internal auditors and internal audit activities
- internal audit activity must be independent and IA must be objective in performing their work; must have impartial, unbiased attitude and avoid conflicts of interest
- engagement must be performed with proficiency (knowledge, skill, and competencies needed) and due professional care
- IA’s must enhance their knowledge and skills with continuing professional development, and the chief audit executive must develop and maintain a quality assurance and improvement program
- Internal audit activity must evaluate the effectiveness and contribute to the improvement of the corporation’s risk management processes and assist the management in maintaining effective controls by evaluating their effectiveness and efficiency and promoting continuous improvement; chief audit executive should communicate the results of the quality assurance and improvement program to senior management and the board
- the chief audit executive must establish risk-based plans to determine audit priorities, which includes effectively employing resources and establishing policies and procedures (p&p’s)
- the chief audit executive should share information and coordinate work with other internal auditors and external auditors
- chief audit executive should periodically report to senior executives and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan
- internal audit activity must assess and make appropriate recommendations for improving the governance process in the accomplishment of its objectives
- internal audit activity must evaluate the effectiveness of and contribute to the improvement of the risk management process
- internal audit activity must assist the org in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement
- audit engagements should be adequately planned, including appropriate identification of objectives and scope. Audit work programs should be developed and audit work should be adequately supervised
- chief audit executive must establish and maintain a system to monitor the disposition of audit results communicated to management; (i.e. track findings and follow up)
Internal Auditor Independence
Achieved by organizational independence, which means auditors cannot be influenced by the management of the functional areas that they audit.
Chief audit executive should ideally report (functionally) to the audit committee and administratively to the CEO.
Functional reporting examples: board approvals of the internal audit charter, budget and resource plan; risk based audit plan; remuneration of the chief audit executive; and decisions regarding appointment and discharge of the chief audit executive.
If independence is impaired, details must be disclosed to appropriate parties
IA Quality Assurance and Improvement Programs Should Include…
- internal assessments that include ongoing monitoring of performance and periodic self-assessment or review by other qualified individuals within the organization
- external assessments at least once every 5 years by qualified independent assessors
- chief audit executive should communicate the results of the quality assurance and improvement program to senior management and the board
Governance Process Objectives (that IA must assess)
- promoting appropriate ethics and values within the organization
- ensuring effective organizational performance management and accountability
- communicating risk and control information to appropriate areas of the org
- coordinating activities of and communicating information among the board, external and internal auditors, and management
External Auditor Responsibility
Performing an audit of the corporation’s financial statements and internal control in accordance with standards of the PCAOB
Major corporate governance monitoring device for a corporation
The external auditor
Section 404 SOX
Requires that management acknowledge its responsibility for establishing adequate internal control over financial reporting and provide an assessment in the annual report of the effectiveness of internal control
Section 404 SOX for accelerated filers
For large public corporations, requires that external auditors attest to management’s report on internal control as part of the audit of the financial statements
Accelerated Filers (Large Public Corporations)
If public float is:
- Large accelerated filer: greater than or equal to $700m
- Accelerated filer: greater than or equal to $75m
Public Float
The amount of outstanding (o/s) shares in public investors’ hands, as opposed to those held by directors, officers, etc.
External Auditor Communication
Required (by SOX) to communicate information that will help the committee perform its oversight function (i.e. engagement letter info):
- consultation with other accountants
- significant disagreements with management
- written management representations
- material misstatements (corrected or not)
Section 802 SOX
Prohibits a person from knowingly destroying, mutilating, altering, falsifying or concealing records or documents to impede or influence the investigation of any department or agency of the United States
The penalty is a fine, imprisonment for not more than 20 years, or both
Investment banks and security analysts
Investment bankers help corporations issue equity and debt offerings
They represent an external monitoring device because they must evaluate the company prior to becoming involved in selling the securities (buy, hold, sell)
Creditors act as…
An external monitoring device
Debt agreements with covenants must be complied with; creditors monitor compliance
The limitation is that they usually use info provided by management, but they often engage external auditors
Credit Rating Agencies
Rate the creditworthiness of corporate bonds and are external monitoring devices, much like security analysts
The limitation is that they may improperly set the initial rating and are slow to downgrade ratings once corporations have financial difficulty
The Dodd-Frank Act helps prevent conflicts of interest and improve transparency
SEC Responsibility
Protecting investors; maintaining fair, orderly, and efficient markets; and facilitating capital formation by enforcing US securities laws
SEC consists of
5 presidentially appointed commissioners
SEC divisions and offices related to corporate governance
- Division of Corporate Finance
- Division of Enforcement
- The Office of the Chief Accountant
Division of Corporate Finance
Reviews documents of publicly held companies that are filed with the SEC; checks to see if they are meeting disclosure requirements and seeks to improve the quality of disclosures
Division of Enforcement
Assists the SEC in executing its law enforcement function by recommending the commencement of investigations of securities law violations, recommending which cases to take to court, and prosecuting these cases on behalf of the Commission
The Office of the Chief Accountant
Advises the Commission on accounting and auditing, oversees the development of accounting principles, and approves the auditing rules put forward by the PCAOB (must approve the PCAOB’s rules)
Provisions of SOX that improved SEC as external monitoring device
- CEO and CFO must certify the accuracy and truthfulness of periodic financial reports filed with the SEC (criminally and civilly liable for an incorrect certification)
- public companies must disclose whether they have established a code of ethics for senior financial officers
- any person who knowingly perpetrates or attempts a scheme to defraud any other person by misrepresenting or making false claims in connection with the purchase or sale of securities can be fined or imprisoned for up to 25 years, or both
Dodd-Frank awards
Will award whistleblowers for providing info about violations of securities laws that result in aggregate monetary sanctions in excess of $1 million
Whistleblower is eligible to receive
10%-30% of the monetary sanction (if greater than $1 million) if the info is derived from the independent knowledge or analysis of the whistleblower and not known to the government from any other source
Individuals generally excluded from receiving monetary sanctions from whistleblower act are…
- officers, directors, trustees, or partners of an entity, when those individuals learned of information about the misconduct from another person or in connection with the company’s process for identifying potential illegal conduct
- employees whose main function involves compliance or internal audit, or individuals hired to investigate possible violations of law
- employees of public accounting firms performing an engagement required by the securities laws
* Exception: if it appears that the company is attempting to behave in a way that would harm investors or inhibit an investigation, or 120 days have passed since they notified the company of a violation
Where to report a securities violation
Whistleblowers are encouraged to report information through the normal internal corporate governance system of the company by an indication that doing so may increase the amount of the award
Can sue company for retaliation against whistleblowers
A provision of SOX, strengthened by Dodd-Frank
Jumpstart Our Business Startup Act (JOBS)
Exempts “emerging growth companies” for a maximum of 5 years from the date of their initial public offering from certain requirements that apply to larger public companies, including:
- certain disclosure requirements
- requirement for an integrated audit of internal control
- requirements regarding shareholder votes on executive compensation
Corporate Takeovers
Act as a corporate governance device; if management is performing poorly, the corporation may be subject to takeover by a firm that believes it can more efficiently utilize the corporation’s resources (this provides an incentive to manage well)
Poison Pill Defense
A defense to corporate takeovers; an option for shareholders to purchase additional shares at a discount
Internal Control Objectives
- Operations Objectives
- Reporting Objectives
- Compliance Objectives
Operations Objectives (IC)
The organization achieves effective and efficient operations when significant external events can be predicted and their potential effects mitigated, or when the organization understands the extent to which operations can be managed when the effects of significant events cannot be mitigated; also includes safeguarding of assets
Reporting Objectives (IC)
The org prepares internal and external financial and nonfinancial reports in conformity with applicable laws, rules, regulations, standards, and internal policies
Compliance Objectives (IC)
The org complies with applicable laws, rules, and regulations
Control Environment (IC)
The set of standards, processes, and structures that provide the basis for carrying out IC across the org
The foundation for the other components of IC
Comprises:
- integrity and ethical values
- parameters enabling the board to carry out its oversight responsibilities
- org structure and assignment of authority and responsibility
- process for attracting, developing, and retaining competent individuals
- rigor around performance measures, incentives, and rewards to drive accountability for performance
Principles relating to the control environment
- the organization demonstrates a commitment to integrity and ethical values
- the BofD demonstrates independence from management and exercises oversight of the development and performance of IC
- management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
- the org demonstrates commitment to attract, develop and retain competent individuals in alignment with objectives
- the org holds individuals accountable for their IC responsibilities in the pursuit of objectives
Demonstrate commitment to integrity and ethical values
Communication and enforcement of integrity and ethical values
Management should establish a tone at the top of the org through directives, actions, and behavior that encourages appropriate behavior
Do this with standards (code) of conduct, official policies, directives, and by example
Individuals should be evaluated for adherence and deviations should be addressed
Exercise oversight responsibility
The board must collectively possess appropriate expertise and have sufficient members that are independent from management
Establish structure, authority and responsibility
With board oversight
Structured along various dimensions such as product or service, legal entity, or geographic market
Orgs delegate authority and responsibility to enable management and other personnel to make decisions according to management’s directives
Delegating authority increases risk, which means management should establish appropriate limitations of authority
Demonstrate commitment to competence
Commitment to competence is supported by human resource management processes for attracting, developing, and retaining the right fit of management, other personnel, and outsourced service providers
Succession planning and contingency planning for the assignment of IC responsibilities are also very important
Enforce accountability
The board should hold the CEO responsible for establishing a system of IC to achieve objectives
Accountability should be supported by appropriate performance measures, incentives and rewards
Must be cognizant of the effects of undue pressure, which may cause individuals to circumvent processes or engage in fraudulent activities
Risk Assessment (IC)
Risk: the possibility that an event will occur and adversely affect the achievement of objectives in the areas of operations, reporting or compliance
Risk Assessment: process for identifying, analyzing, and responding to risks
Risk Assessment Principles (IC)
- org specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
- org identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
- org considers the potential for fraud in assessing risks to the achievement of objectives
- org identifies and assesses changes that could significantly impact the system of IC
- management must decide how much risk may be prudently accepted, strive to maintain risk within these levels, and understand how much tolerance it has for exceeding targeted risk levels
After risks have been identified (IC)…
A risk analysis is performed, which involves estimating the likelihood of the risk occurring and its impact
Management then determines which risks require a response
The response can include acceptance, avoidance, reduction, or sharing
Control Activities (IC)
Policies and procedures that help ensure that management directives are carried out
- Authorization and Approvals
- Verifications
- Physical Controls
- Controls over standing data
- Reconciliations
- Supervisory Controls
Control Activity Principles (IC)
RIPS (reviews, information processing, physical controls, segregation of duties)
- org selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
- org selects and develops general control activities over technology to support the achievement of objectives
- org deploys control activities through policies that establish what is expected and in procedures that put policies into action
General Controls Over Technology
control activities that support the reliability of two or more types of transactions or processes
Controls over:
- technology infrastructure which are designed to ensure the completeness, accuracy, and availability of technology processing
- access to technology to restrict access to authorized users
- the acquisition, development, and maintenance of technology and its infrastructure
Transaction Controls
designed to ensure that particular transactions (e.g. payroll) are accurate, complete, and authorized
Further segregated into:
- input controls
- processing controls
- output controls
Information and Communication Principles (IC)
- org obtains or generates and uses relevant, quality information to support the functioning of IC
- org internally communicates info, including objectives and responsibility for internal control, necessary to support the functioning of IC
- org communicates with external parties regarding matters affecting the functions of IC
Information and Communication (IC)
Management must design an effective information system, considering the requirements of users, that reliably captures internal and external sources of data, processes the data into information and maintains quality throughout processing
Quality of information (within information and communication of IC)
quality is essential and depends on whether info is accessible, correct, current, protected, retained, sufficient, timely, valid, and verifiable
Information and communication to be effective
information must be communicated through appropriate methods to management, other personnel and BofD
example: anonymous whistleblower hotline should be established to ensure that employees and other parties can report inappropriate activity
processes and channels must be established to facilitate communication to appropriate external parties such as regulators, owners, financial analysts, and customers
Monitoring (IC)
monitoring activities assess whether each of the five IC components are present and functioning
may be achieved by ongoing activities or separate evaluations
Ongoing monitoring activities
regularly performed supervisory and management activities, such as continuous monitoring of customer complaints or reviewing the reasonableness of management reports
Separate evaluations
monitoring activities that are performed on a nonroutine basis, such as periodic audits by internal auditors
Monitoring Principles (IC)
- org selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of IC are present and functioning
- org evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the BofD, as appropriate. *** this is not an ongoing monitoring activity
Evaluators
Individuals that monitor controls within an organization
Characteristics of Evaluators
should be competent and objective in the particular circumstances
competence is evaluators knowledge of IC and related processes, including how controls should operate and what constitutes a deficiency
objectivity refers to whether that person can evaluate the controls without concern about possible consequences of discovering deficiencies
Internal control systems can fail because
- they are not designed or implemented properly
- they are properly designed and implemented, but changes in the environment have occurred, making the controls ineffective
- they are properly designed and implemented, but the way they operate has changed, making the controls ineffective
Control Baseline
establishing a starting point that includes a supported understanding of the existing internal control system; serves as a starting point for monitoring IC
understanding allows orgs to design ongoing and separate monitoring procedures
Change Identification
Identifying through monitoring changes in internal control that are necessary because changes in the operating environment have taken place, such as changes in regulations or changes in the economic environment
Change Management
evaluating the design and implementation of the changes, and establishing a new baseline
effective change management process enables management to control:
- change requests
- change analyses
- change decisions
- change planning, implementation, and tracking
*effects of changes should be considered; changes should be authorized, communicated, documented, and thoroughly tested before being implemented
Control revalidation/ update
periodically revalidating control operation when no known changes have occurred
Monitoring Sequence of Activities
- control baseline
- change identification
- change management
- control revalidation/ update
The effectiveness and efficiency of monitoring can be enhanced by
linking it to the results of the risk assessment component of internal control
this allows evaluators to focus monitoring attention on controls that address meaningful risks (aka key controls)
Key control characteristics (meaningful risks)
- their failure could materially affect the area’s objectives, and other controls would not be expected to detect the failure on a timely basis; and
- their operation might prevent or detect other control failures before they had an opportunity to become material to the organization’s objectives
*evaluator should determine what constitutes sufficient suitable evidence to determine this
direct evidence
evidence obtained from observing the control and reperforming it
indirect evidence
evidence that identifies anomalies that may signal control change or failure
e.g. evidence derived from operating statistics, key risk indicators (forward-looking metrics that serve to identify problems), performance indicators, comparative industry data
ongoing monitoring vs separate monitoring
ongoing is better because it can offer the first opportunity to identify and correct control deficiencies
communication of deficiencies discovered via monitoring
should be reported to appropriate internal and external individuals so corrective action can be taken
track corrective action
to determine if action is taken on a timely basis
classifications of internal controls
have been developed to help the evaluation process
- preventive controls, detective controls, and corrective controls
- feedback and feed-forward controls
feedback controls
evaluate the results of a process and adjust the process if the results indicate the process is not operating effectively
feed-forward controls
project results into the future and make changes to alter their projected results
limitations of internal control
reasonable but not absolute assurance because of:
- human judgment in decision making
- human errors and mistakes
- circumvention by collusion
- management override of internal control
- cost constraints (cost should not exceed benefits)
- custom, culture, and the corporate governance system may inhibit fraud, but they are not absolute deterrents
Section 404 of SOX requires management to provide a report on effectiveness of the IC system, which includes…
- a statement of management's responsibility for establishing and maintaining adequate IC over f/r for the corporation
- a statement identifying the framework used by management to conduct the required assessment of the effectiveness of IC (e.g. COSO)
- an assessment of the effectiveness of IC as of the end of the company's most recent fiscal year, including an explicit statement as to whether the IC over f/r is effective. Material weaknesses should be disclosed
- if applicable, a statement that the corporation's registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the IC (reminder: external auditors of accelerated filers must attest to and report on the effectiveness of IC)
Benefits of ERM
- helps align risk appetite of the organization with its strategy
- enhances risk response decisions, reduces operational surprises and losses
- identifies and manages cross-enterprise risks
- provides integrated responses to multiple risks
- helps the organization seize opportunities, and
- improves the deployment of capital
Risk Management process involves…
- identifying risks
- assessing risks
- prioritizing risks
- determining risk responses
- and monitoring risks
Internal Environment (ERM)
basis for all other components of ERM, provides discipline and structure
encompasses tone of the organization, and sets the basis for how risk is viewed and addressed by an organization; including risk management philosophy and risk appetite, and integrity and ethical values
Objective Setting (ERM)
ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the mission and are consistent with risk appetite
strategic objectives
high-level goals aligned with the organization's mission
these objectives are linked and integrated with specific objectives established for various activities
ERM objective categories (3)
besides the strategic objectives above, the related objectives are divided into three categories:
- operations objectives
- reporting objectives
- compliance objectives
Event Identification Techniques (ERM)
- event inventories
- internal analysis
- escalation or threshold triggers
- facilitated workshops or interviews
- process flow analysis
- leading event indicators
- loss event data methodologies
Event
an incident that occurs or might occur that affects the implementation of strategy or the achievement of objectives
may be negative (risks) or positive (opportunities) or both
event inventories
developing a detailed listing of potential events
internal analysis
this may be done at regular staff meetings; it may involve using information from other stakeholders such as customers, suppliers, etc.
escalation or threshold triggers
management predetermines limits that cause an event to be further assessed
facilitated workshops or interviews
involves soliciting info about events from management and staff
example: a facilitator may lead a discussion of events that might affect achieving an organization's objectives
process flow analysis
involves breaking processes down into inputs, tasks, responsibilities, and outputs to identify events that might adversely affect the process
leading event indicators
involves monitoring data correlated to events, to identify when the event is likely to occur
loss event data methodologies
repositories of past events that resulted in loss, management can identify event trends and the root causes of events
black swan analysis
evaluating the occurrence of events that had negative effects and were unanticipated or viewed as highly unlikely
Risk Assessment (ERM)
risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed (should assess inherent and residual risk for an event)
inherent risk
risk to the org if management does nothing to alter its likelihood or impact
residual risk
risk of the event after considering management’s response
qualitative techniques in risk assessment (ERM)
used to assess risk when risks do not lend themselves to quantification or when sufficient reliable data is not available to use a quantitative model
probabilistic or non-probabilistic models are used to…
quantify risk
probabilistic models
associate a range of events and the resulting impact with the likelihood of those events based on certain assumptions
example: value at risk, cash flow at risk, earnings at risk, and development of credit and operational loss distributions
non-probabilistic models
use subjective assumptions in estimating the impact of events without quantifying an associated likelihood
examples: sensitivity measures, stress tests, and scenario analysis
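Added example, not from the flashcards, showing the distinction between the two model types above on one constructed exposure: the probabilistic side (parametric value at risk from a normal assumption, and the same figure estimated by Monte Carlo) attaches a confidence level to the loss; the non-probabilistic side (a sensitivity measure and a stress test) assumes a move and reports the loss with no likelihood attached. The position size, return parameters, and scenario shocks are made up for illustration.

```python
"""Probabilistic vs non-probabilistic risk quantification on one position.
Constructed figures; not taken from any real portfolio or assessment."""
import random
from statistics import NormalDist


def parametric_var(position: float, mu: float, sigma: float,
                   confidence: float = 0.95) -> float:
    """Probabilistic: loss not exceeded with probability `confidence`,
    assuming daily returns are normal with mean mu and st.dev. sigma."""
    worst_return = NormalDist(mu, sigma).inv_cdf(1.0 - confidence)  # e.g. 5th percentile
    return -worst_return * position


def monte_carlo_var(position: float, mu: float, sigma: float,
                    confidence: float = 0.95, trials: int = 20_000,
                    seed: int = 7) -> float:
    """Probabilistic: the same quantity estimated by simulating daily returns
    and reading the loss at the chosen percentile of the simulated outcomes."""
    rng = random.Random(seed)
    losses = sorted(-rng.gauss(mu, sigma) * position for _ in range(trials))
    return losses[round(confidence * trials)]


def sensitivity(position: float, move: float = 0.01) -> float:
    """Non-probabilistic: loss for a fixed adverse move (default 1%),
    with no statement about how likely that move is."""
    return position * move


def stress_test(position: float, shocks: dict) -> dict:
    """Non-probabilistic: loss under each named scenario; the scenarios are
    chosen by management, not sampled from a distribution."""
    return {name: position * abs(shock) for name, shock in shocks.items()}


# Constructed inputs (assumptions, not data from the page).
POSITION = 1_000_000.0            # market value of the exposure
MU, SIGMA = 0.0, 0.02             # mean and st.dev. of daily return
SCENARIOS = {"severe market crash": -0.20, "one-day flash crash": -0.09}


def summary() -> dict:
    return {
        "parametric_var_95": parametric_var(POSITION, MU, SIGMA),
        "monte_carlo_var_95": monte_carlo_var(POSITION, MU, SIGMA),
        "sensitivity_1pct": sensitivity(POSITION),
        "stress": stress_test(POSITION, SCENARIOS),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:20s} {value}")
```

The two VaR figures should agree closely (the Monte Carlo estimate converges on the closed-form value as trials grow), while the stress figure can be many times larger and says nothing about probability; that gap is exactly why the two model families are used together rather than interchangeably.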
Risk Response (ERM)
management selects risk responses that are consistent with the risk appetite of the organization including:
- Avoidance
- Reduction
- Sharing
- Acceptance (retention)
Avoidance (risk response)
this response involves exiting the activity that gives rise to the risk
Reduction (risk response)
involves taking action to reduce risk likelihood or impact, or both.
example: might involve managing the risk or adding additional controls to processes
Sharing (risk response)
Involves reducing risk likelihood or impact by transferring or sharing a portion of the risk. Techniques include:
- insurance
- hedging
- outsourcing
Acceptance (retention) risk response
no action is taken because the risk is consistent with the risk appetite of the org
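Added example, not from the flashcards, that ties the Risk Assessment (ERM) cards on inherent and residual risk to the four responses above: each risk in a small constructed register carries a likelihood and an impact, responses adjust those (avoidance removes the event, reduction scales likelihood or impact, sharing scales the retained impact, acceptance changes nothing), and the residual expected loss is compared with a risk appetite expressed as a per-risk expected-loss threshold. The register entries, factors, and appetite figure are made up for illustration.

```python
"""Inherent vs residual risk over a constructed risk register, with the
four ERM risk responses modelled as adjustments to likelihood and impact."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Response:
    kind: str                       # "avoidance" | "reduction" | "sharing" | "acceptance"
    likelihood_factor: float = 1.0  # multiplier on likelihood (reduction)
    impact_factor: float = 1.0      # multiplier on retained impact (reduction, sharing)


@dataclass
class Risk:
    name: str
    likelihood: float               # probability the event occurs in the period (0..1)
    impact: float                   # loss if it occurs, in currency units
    responses: List[Response] = field(default_factory=list)


def inherent_risk(risk: Risk) -> float:
    """Expected loss if management does nothing to alter likelihood or impact."""
    return risk.likelihood * risk.impact


def residual_risk(risk: Risk) -> float:
    """Expected loss after every selected response has been applied."""
    likelihood, impact = risk.likelihood, risk.impact
    for r in risk.responses:
        if r.kind == "avoidance":
            return 0.0              # exiting the activity removes the event entirely
        if r.kind == "acceptance":
            continue                # retained as-is; nothing changes
        if r.kind not in ("reduction", "sharing"):
            raise ValueError(f"unknown response: {r.kind!r}")
        likelihood *= r.likelihood_factor
        impact *= r.impact_factor
    return likelihood * impact


def assess(register: List[Risk], appetite: float) -> List[Tuple[str, float, float, bool]]:
    """(name, inherent, residual, within_appetite) per risk, highest inherent first."""
    rows = []
    for risk in sorted(register, key=inherent_risk, reverse=True):
        residual = residual_risk(risk)
        rows.append((risk.name, inherent_risk(risk), residual, residual <= appetite))
    return rows


def exceeding_appetite(register: List[Risk], appetite: float) -> List[str]:
    """Names of risks whose residual expected loss is still above appetite."""
    return [name for name, _, _, ok in assess(register, appetite) if not ok]


# Constructed register; every figure is illustrative, not from a real assessment.
REGISTER = [
    Risk("ransomware on file servers", 0.30, 2_000_000, [
        Response("reduction", likelihood_factor=0.5),   # patching and MFA halve likelihood
        Response("sharing", impact_factor=0.25),        # cyber insurance; 25% retained
    ]),
    Risk("legacy FTP service exposed", 0.60, 400_000, [Response("avoidance")]),
    Risk("third-party payment processor failure", 0.05, 3_000_000),   # no response yet
    Risk("payroll batch job outage", 0.10, 50_000, [Response("acceptance")]),
]
RISK_APPETITE = 100_000   # assumed: maximum expected loss per risk the board tolerates


if __name__ == "__main__":
    for name, inh, res, ok in assess(REGISTER, RISK_APPETITE):
        status = "ok" if ok else "EXCEEDS appetite"
        print(f"{name:42s} inherent={inh:>10,.0f} residual={res:>10,.0f}  {status}")
```

Ordering the output by inherent risk is what lets monitoring focus on key controls: the ransomware entry has the largest inherent exposure, yet its residual figure is within appetite only because two responses are assumed to operate, so those are the controls whose failure would matter most and the ones whose evidence an evaluator should be gathering first.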
Control Activities (ERM)
policies and procedures should be established and implemented to help ensure the risk responses are carried out effectively
Information and Communication (ERM)
Information is needed at all levels of the org to identify, assess and respond to risks
Communication should effectively convey the importance and relevance of effective ERM, the orgs objectives, the orgs risk appetite and risk tolerances, a common risk language and the roles and responsibilities of personnel in effecting and supporting the components of ERM
Monitoring (ERM)
the entire ERM process should be monitored to make needed modifications
monitoring is accomplished by ongoing management activities, and separate evaluations, such as those performed by independent auditors
3 Limitations of ERM
- risk relates to the future which is uncertain
- ERM provides info about risks of achieving objectives but it cannot provide even reasonable assurance that objectives will be achieved (you can’t say that the co will even be functioning in a year)
- ERM cannot provide absolute assurance with respect to any of the objective categories
Specific limitations with respect to ERM not providing absolute assurance of any objective category include:
- ERM is subject to the limitations of human judgment with regard to risk likelihood and impact
- a well-designed ERM can break down
- collusion
- management override