Module 40: Corporate Governance, Internal Control, and Enterprise Risk Management Flashcards
Corporate governance can be divided into 3 categories to control management, which are…
1) Policies
2) Procedures
3) Mechanisms
The 10 major controls over management include…
1) Compensation Systems
2) Boards of directors
3) Major committees
4) External Auditors
5) Internal Auditors
6) Attorneys
7) Regulators
8) Creditors
9) Securities Analysts
10) Internal Control Systems
Internal Control defined by COSO
A process effected by the entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
What are the 5 components of COSO’s internal control?
1) Control Environment
2) Risk Assessment
3) Control Activities
4) Information and Communication
5) Monitoring Activities
What are the 3 limitations to COSO’s internal control?
1) Management can override internal control, and controls that rely on segregation of duties can be circumvented through collusion
2) Internal control can break down due to bad judgment or misunderstanding of duties
3) Internal control cannot be perfect because its cost cannot exceed its benefits.
Enterprise Risk Management (ERM)
A process designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
What are the 8 interrelated components of ERM?
1) Internal Environment
2) Objective Setting
3) Event Identification
4) Risk Assessment
5) Risk Response
6) Control Activities
7) Information and Communication
8) Monitoring
What does effective corporate governance involve?
Developing an appropriate legal structure, establishing appropriate incentives, and monitoring devices to prevent inappropriate activity.
How is a corporation’s legal structure formed?
With the filing of the articles of incorporation with the secretary of state.
What should the articles of incorporation include in order to file it with the Secretary of State?
1) Proposed name
2) Initial address
3) Purpose
4) Powers
5) Name of the registered agent (management)
6) Name and address of each incorporator
7) Number of authorized shares of stock
8) Types of stock
What are the 6 bylaws of a corporation?
1) Bylaws set forth how the directors and/or officers are elected/selected.
2) How meetings are conducted
3) Types and duties of officers
4) Required meetings
5) Prescribe the process for bylaw amendment
6) Each officer/director receives a copy of the bylaws
How are articles of incorporation amended?
By the approval of the shareholders, either majority or 2/3 vote.
Common Shareholder
Provides the basic capital of the corporation and elects the board of directors.
Duties of the Common Shareholder
1) Votes on mergers and liquidations
2) Required to vote at least 1/yr
3) Amendment of articles of incorporation
Rights of the Common Shareholder
1) Last to receive capital in the event of liquidation
2) Receive dividends if declared by the board of directors
3) Subscribe to stock issues so that their ownership is not diluted as set forth in the articles of incorporation
4) Inspect books and records in good faith/proper purpose
5) Have cumulative voting rights
What are the situations in which a common shareholder can sue on behalf of the corporation?
1) Director violation of fiduciary duty
2) Illegal declaration of dividends
3) Fraud by an officer (Derivative Suit)
Rights of Preferred Shareholders
1) Vote only if they are an officer/director
2) Preference to dividends
3) Preference to receipt of capital upon liquidation of the company
Cumulative Voting Rights
In most cases, common shareholders have the right to cast 1 vote for each director for each share of stock they own, allowing minority shareholders an opportunity to elect directors by casting all their votes for one or two directors.
Board of Directors
Runs the corporation on behalf of the shareholders and other stakeholders, responsible for providing strategic direction and guidance about the establishment of the key business objectives.
What are the 10 duties of the Board of directors?
1) Determining the mission of the corp.
2) Selection and removal of the CEO
3) Amending bylaws, unless this is the responsibility of the shareholders
4) Determining management compensation
5) Decisions regarding declaration and payment of dividends
6) Decisions regarding major acquisitions and capital structure
7) Advising management
8) Providing governance oversight, with the assistance of internal/external auditors
9) Ensuring accurate financial reporting
10) Risk Management
Business Judgment Rule
The director may not be held liable for errors in judgment, provided the director acted with good faith, loyalty, and due care.
Duty of Loyalty
The director must put the interest of the corporation before their personal interest.
Officer
Is delegated authority by the board of directors and is responsible for the fair presentation of the corp’s financial reports, including the financial statements. They have a fiduciary duty and are liable for their own torts. SOX prohibits personal loans to officers.
What is the key objective of compensation?
Align management’s decisions and actions with the long-term interest of shareholders.
What are the 2 problems with a Base Salary and Bonuses compensation system?
1) Problematic because accounting profit can be manipulated or managed.
2) Managers may put too much focus on short-term profits instead of focusing on maximizing the long-term wealth of shareholders
Base Salary and Bonuses Compensation System
Managers are compensated based on performance which is typically measured by accounting profit.
Stock Options Compensation System
Encourages managers to manage the corp. to increase the stock price, which is consistent with the goal of shareholders.
What are the 3 problems with a Stock Options Compensation System?
1) Managers may have an incentive to increase the stock price in the short term at the expense of long-term stock value, even by manipulating accounting income to increase the stock price
2) May encourage management to take on risks that are in excess of shareholders’ risk appetite.
3) If the stock price falls substantially, the stock options may be so underwater that they no longer provide an incentive to management.
Stock Grants Compensation System
Involves issuing shares of stock as part of management’s compensation.
What are 2 common types of stock grants?
1) Restricted Stock
2) Performance Shares
Restricted Stock
Stock that cannot be sold by the manager for a specific period of time, usually 10yrs.
Why is a restricted stock grant compensation system effective?
It encourages managers to undertake operations that increase the long-term value of the corp’s stock price.
Performance Shares
Issuance of stock to management if certain levels of performance are met. If stock increases, compensation increases.
Executive Perquisites (Perks) Compensation System
Retirement benefits, use of corporate assets, golden parachutes, corporate loans, etc.
What is the best form of compensation?
A combination of fixed compensation and incentive compensation that is related to long-term stock price.
What is a balanced scorecard?
A performance system based on a composite of performance measures in addition to net profit, such as the amount of research and development expenditures, the corp’s market share, the number of new products developed, and/or the percentage of stock held by institutional investors.
What are the 12 monitoring devices that monitor management?
1) Board Oversight
2) NYSE/NASDAQ
3) Internal Auditors
4) External Auditors
5) Investment banks
6) Securities Analysts
7) Creditors
8) Credit Rating Agencies
9) Attorneys
10) SEC
11) IRS
12) Corporate Takeovers
Board Oversight as a Monitoring Device
Ensures that board members are competent and that the majority is independent. The board should also have a set of governance guidelines that are revised/reviewed annually.
Inside Directors
Officers, employees or major stockholders who are on the board of directors.
What does Dodd-Frank require public corporations to disclose with regard to the board of directors?
To disclose why or why not the chairman of the board is also the CEO.
What is the actual name of Dodd-Frank?
Wall Street Reform and Consumer Protection Act of 2010
What are the 3 committees of an effective corporate governance?
1) Nominating/Corp. Governance committee
2) Audit committee
3) Compensation committee
What are the 4 duties of the nominating/Corp. Governance committee?
1) Oversees board organization and committee assignments
2) Determines director qualifications and training
3) Develops corp. governance principles
4) Oversees the CEO succession
How does SOX define the audit committee?
A committee established by and amongst the board of directors of an issuer for the purpose of overseeing the accounting and financial reporting processes of the issuer; and audits of the financial statements of the issuer.
What are the 6 characteristics of an audit committee?
1) Responsible for the appointment, compensation and oversight of the corp’s external auditor.
2) The committee is mandated by SOX, NYSE, and NASDAQ.
3) At least one member must be a financial expert and the name of this expert must be disclosed. If there is no financial expert, an explanation must be provided.
4) External auditors must report directly to the audit committee
5) Internal auditors should have direct access to the audit committee.
6) Should establish procedures for the receipt and treatment of complaints regarding accounting/auditing matters. (Whistle-blowers).
What are the 4 attributes a financial expert should have?
1) An understanding of GAAP and financial statements
2) Experience in preparing, auditing, analyzing, or evaluating financial statements of the complexity and breadth expected to be encountered at the corp.
3) An understanding of internal controls and procedures for financial reporting.
4) An understanding of audit committee functions.
With relation to the audit committee, what 4 certifications does SOX, section 302, require of CFOs and CEOs?
1) Reviewed the quarterly and annual financial reports filed with the SEC and believe they are fairly stated and contain no material misstatements.
2) Responsible for establishing and maintaining internal controls designed to assure that relevant info. is made known to them.
3) Evaluated internal controls and believe controls are effective as indicated in management’s report on internal control.
4) Certify that they have reported to the auditors and the audit committee all significant deficiencies in internal control, and are not aware of any postevaluation changes that could significantly affect controls.
What are 3 duties of the compensation committee?
1) Reviews and approves CEO compensation based on meeting performance goals.
2) Makes recommendations to the board with respect to incentive and equity-based compensation plans.
3) Attempts to align incentives with shareholder objectives and risk appetite.
With regard to the compensation committee, what are 3 requirements per Dodd-Frank?
1) All members of the committee of public companies must be independent.
2) Shareholders must be allowed a nonbinding vote on executive compensation at least every 3yrs.
3) Shareholders must be allowed a nonbinding vote on whether the vote on compensation should be held more often at least every 6yrs.
4) Requires nonbinding vote by shareholders on “golden parachutes” to be provided to executives as a result of major transactions.
As a monitoring device, what are the 6 requirements per the New York Stock Exchange (NYSE)?
1) Majority of independent directors on the board.
2) Make a determination of independence of members and provide info. to investors about the determination.
3) Identify certain relationships that automatically preclude a board member from being independent.
4) Have non-management directors meet at regularly scheduled executive sessions
5) Adopt a comprehensive code of conduct and distribute it to ALL employees/Board members/Officers. The code must be acknowledged periodically by all employees and must be reinforced with training sessions.
6) Have independent audit committees
7) Nominating/Corp. Governance and compensation decisions must be made by independent committees.
As a monitoring device, what are the 6 requirements per the NASDAQ?
1) Majority of independent directors on the board.
2) Make a determination of independence of members and provide info. to investors about the determination.
3) Identify certain relationships that automatically preclude a board member from being independent.
4) Have non-management directors meet at regularly scheduled executive sessions
5) Adopt a comprehensive code of conduct and distribute it to ALL employees/Board members/Officers. The code must be acknowledged periodically by all employees and must be reinforced with training sessions.
6) Have independent audit committees
7) Nominating/Corp. Governance and compensation decisions must be made by a majority of independent directors.
What are the 5 determinants for not being independent per the NYSE?
1) If they have been an employee of the corp. or an affiliate in the last 5yrs.
2) If a family member has been an officer of the corporation or affiliate in the last 5yrs.
3) If they were a former partner/employee of the corp’s external auditor in the last 5yrs.
4) If they/family member in the last 3yrs received more than $120,000, for a 12mo period, in payments from the corp. other than for director compensation.
5) If they are an executive of another entity that receives significant amounts of revenue from the corp.
What are the 5 determinants for not being independent per the NASDAQ?
1) If they have been an employee of the corp. or an affiliate in the last 3yrs.
2) If a family member has been an officer of the corporation or affiliate in the last 3yrs.
3) If they were a former partner/employee of the corp’s external auditor in the last 3yrs.
4) If they/family member in the last 3yrs received more than $120,000, for a 12mo period, in payments from the corp. other than for director compensation.
5) If they are an executive of another entity that receives significant amounts of revenue from the corp.
Internal auditors
Perform audits of the risk management activities, internal control, and other governance processes for the corp. (aka Assurance services).
Required by the NYSE for listed companies.
What are the two main types of services provided by internal auditors?
1) Assurance Services
2) Consulting Services
What do internal audit assurance services involve?
Providing an independent assessment of governance, risk management or control processes of an organization.
What do internal audit consulting services involve?
Advisory-related services to improve an organization’s governance, risk management or control processes.
Internal audit performance standards
Relate to the quality of the internal audit activities.
Internal audit implementation standards
Relate to the attribute and performance standards.
Per the International Standards for the Professional Practice of Internal Auditors, what are 3 aspects of the internal audit charter?
1) Formally defining the purpose, authority, and responsibility of the internal audit activity.
2) The charter should recognize the need to adhere to the Code of Ethics and International Standards for the Professional Practice of Internal Auditors.
3) Standards apply to individual internal auditors and internal audit activities.
Per the International Standards for the Professional Practice of Internal Auditors, what are 4 aspects of the independence and objectivity?
1) Auditors can’t be influenced by the management of the functional areas that they audit.
2) The chief audit executive should report functionally to the audit committee and administratively to the CEO.
3) Functional reporting such as approval of the internal audit charter, budget or resource plan, risk-based audit plan, etc.
4) Individual internal auditors must have an impartial, unbiased attitude and avoid conflicts of interest.
Per the International Standards for the Professional Practice of Internal Auditors, what are 4 aspects regarding the performance of internal audits?
1) Must be performed with proficiency and due professional care.
2) Auditors must possess the knowledge, skills, and competencies needed to perform their individual responsibilities.
3) Sufficient knowledge of key IT risks, control, and audit techniques.
4) Sufficient knowledge to evaluate fraud risk
To enhance the internal auditor’s knowledge and skills with continuing education, the chief audit executive should develop what two quality assurance and improvement programs?
1) Internal assessments that include ongoing monitoring of performance and periodic reviews through self-assessment or review by other qualified individuals w/in the organization.
2) External assessments at least once every 5yrs by qualified independent assessors.
**The chief audit executive should communicate the results of the quality assurance and improvement program to senior management and the board.
Per the International Standards for the Professional Practice of Internal Auditors, what are 4 aspects specifically related to the chief audit executive?
1) Must establish risk-based plans to determine audit priorities, must effectively deploy internal audit resources to achieve the plan, and establish effective policies and procedures to guide audit activities.
2) Should share info. and coordinate work with other internal auditors and external auditors.
3) Should periodically report to senior executives and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. This must include significant risk exposures and control issues, including fraud risk and governance issues.
4) Must establish and maintain a system to monitor the disposition of audit results communicated to management.
Per the International Standards for the Professional Practice of Internal Auditors, what are 4 aspects specifically related to the internal audit activity?
1) Must evaluate the effectiveness and contribute to the improvement of the corp’s risk management processes.
2) Must assess and make appropriate recommendations for improving the governance process in accomplishing its objectives.
3) Must evaluate the effectiveness and contribute to the improvement of risk management process
4) Must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
Per the International Standards for the Professional Practice of Internal Auditors, what are 4 objectives specifically related to the internal audit activity’s role in improving the governance process in accomplishing its objectives?
1) Promoting appropriate ethics and values within the organization
2) Ensuring effective organizational performance management and accountability.
3) Communicating risk and control information to appropriate areas of the organization.
4) Coordinating the activities of and communicating info. among the board, external and internal auditors, and management.
Per the International Standards for the Professional Practice of Internal Auditors, what are 7 guidelines specifically related to the audit engagements?
1) Should be adequately planned
2) Appropriate identification of objectives and scope.
3) Work programs should be developed
4) Audit work should be adequately supervised
5) Should be assigned adequate resources
6) Sufficient info. should be collected and analyzed to achieve the audit objective
7) Results should be effectively communicated
External Auditor
Responsible for performing an audit of the corp’s financial statements and internal control in accordance with standards of the Public Company Accounting Oversight Board (PCAOB)
Per SOX, section 404, external auditors are responsible for what?
Establishing adequate internal control over financial reporting and providing an assessment in the annual report of the effectiveness of internal control.
** Large public corps. (accelerated filers) are required to attest to management’s report on internal control as part of the audit of the financial statements.
What are 9 matters that the external auditor can communicate to the audit committee to help with the oversight function?
1) Auditor responsibility to form and express an opinion
2) An audit does not relieve management or the audit committee of their responsibilities for governance
3) Planned scope and timing of the audit
4) Significant audit findings
5) Material corrected misstatements
6) Significant issues discussed with management
7) Auditor’s views about significant matters on which management consulted with other accountants
8) Written representation the auditor is requesting
9) Significant deficiencies and material weaknesses in internal control
What are 5 findings that make it a significant finding in the external audit process?
1) Auditor views of qualitative aspects of significant accounting practices
2) Significant difficulties encountered during the audit
3) Disagreements with management
4) Other findings or issues which the auditor believes are significant or relevant
5) Uncorrected misstatements other than those that are trivial.
Regarding external auditors, what does SOX, section 802, prohibit?
Knowingly destroying, mutilating, or concealing records or documents to impede or influence the investigation of any department or agency of the US.
**Penalty of up to 20yrs in prison and/or a fine.
Investment Banks as a Monitoring Device
Help issue equity and debt offerings, as well as evaluate the company prior to becoming involved in selling the securities.
Securities Analysts as a Monitoring Device
Analyze companies to attempt to develop recommendations to buy, hold, or sell a particular corp’s stock. They use financial and nonfinancial info., including info. about corporate management to make their recommendations.
What is a potential issue with using a securities analyst as a monitoring device and how is it being controlled?
Potential conflicts of interest.
The SEC is attempting to control these conflicts by requiring analysts to certify that their compensation will not be impacted by their recommendations.
Creditors as a Monitoring Device
Debt agreements contain covenants (requirements) that must be complied with to prevent the creditor from taking actions such as accelerating payment terms.
What is one limitation with using a creditor as a monitoring device and how is it being controlled?
They monitor largely based on info. provided by management.
Creditors often engage external auditors to perform procedures to provide assurance about the corp’s compliance with certain covenants of the loan agreements.
Credit Rating Agencies as a Monitoring Device
Rate the creditworthiness of corporate bonds and analyze companies to attempt to develop recommendations to buy, hold, or sell a particular corp’s bonds. They use financial and nonfinancial info., including info. about corporate management to make their recommendations.
What is one limitation of using a credit rating agency as a monitoring device?
They may improperly set the initial rating and are slow to downgrade the rating once the corp gets in financial difficulty.
Attorneys as a Monitoring Device
Review security filings and provide management advice on legal matters.
The Securities and Exchange Commission (SEC) as a Monitoring Device
Responsible for protecting investors; maintaining fair, orderly, and efficient markets; and facilitating capital formation. The activities of the SEC act as an important monitoring device for corp. governance.
What are the 3 divisions/offices of the SEC?
1) Division of Corporate Finance
2) Division of Enforcement
3) Office of the Chief Accountant
What is the purpose of the SEC’s Division of Corporate Finance?
Reviews documents of publicly held companies that are filed with the SEC. Through the review process, the Division checks to see if companies are meeting disclosure requirements and seeks to improve the quality of the disclosures by companies.
What is the purpose of the SEC’s Division of Enforcement?
Assists the SEC in executing its law enforcement function by recommending the commencement of investigations of securities law violations, recommending which cases to take to court, and prosecuting these cases on behalf of the SEC.
What is the purpose of the SEC’s Office of the Chief Accountant?
Advises the SEC on accounting and auditing, oversees the development of accounting principles, and approves the auditing rules put forward by the PCAOB.
What 6 provisions of SOX improved the SEC’s power as an external monitoring device?
1) SOX, section 906, the CFO and CEO are required to certify the accuracy and truthfulness of periodic financial reports filed with the SEC. 10-20yrs imprisonment/fined up to $5m.
2) SOX requires public companies to disclose in their filing whether they have established a code of ethics for senior financial officers
3) SOX - Anyone who knowingly perpetrates or attempts a scheme to defraud any other person by misrepresenting or making false claims in connection with the purchase or sale of securities can be fined and/or imprisoned up to 25yrs.
4) SOX - Destruction, mutilation, alteration, concealment, or falsification of documentation with the intent to obstruct or influence an ongoing investigation, or one being considered for investigation, is subject to 20yrs in prison and/or a fine.
5) SOX prohibits any acts of retaliation against employees who alert the government to possible violations of securities laws (Whistle-blowers). Up to 10yrs in prison and/or fine.
What are the 5 Dodd-Frank related rules regarding whistle-blowers?
1) They are eligible to receive 10-30% of the monetary sanction if the info. is derived from independent knowledge or analysis of the whistle-blower and not known to the government from any other source.
2) Tips can be submitted anonymously (through an attorney), with the whistle-blower only being identified to the SEC after determination that an award will be given (can be in excess of $1m - paid by the SEC).
3) Employees, customers, suppliers are all eligible
4) Encouraged to report the info. through the normal internal corporate governance system of the company by an indication that doing so may increase the amount of the award.
5) SOX includes provisions to discourage retaliation against whistle-blowers which were strengthened by Dodd-Frank.
What are 3 categories of individuals that are excluded from whistle-blower eligibility and reward?
1) Officers, directors, trustees, or partners of an entity, when those individuals learned of info. about the misconduct from another person or in connection with the company’s processes for identifying potential illegal conduct.
2) Employees whose main job functions involve compliance or internal audit, or person who are employed by a firm hired to perform audit or compliance functions or to investigate possible violations of the law.
3) Employees of public accounting firms performing an engagement required by the securities laws.
For those excluded from whistle-blower eligibility, under which 2 circumstances may they become eligible?
1) If it appears that the company is attempting to behave in a way that would harm investors or inhibit an investigation
2) 120 days have passed since they notified the company of the violation.
What is the Jumpstart Our Business Startups Act (JOBS)?
Exempts “emerging growth companies” for a max of 5yrs from the date of their initial public offering from certain requirements that apply to large public companies.
What 3 requirements are emerging growth companies exempt from, while large public companies are not?
1) Certain disclosure requirements
2) The requirement for an integrated audit of internal control
3) The requirements regarding shareholder votes on executive compensation
The Internal Revenue Service (IRS) as a Monitoring Device
Requires certain accounting info. on the corp’s income tax return, audits the corp’s tax returns, and enforces penalties for filing false tax returns.
Corporate Takeovers as a Monitoring Device
If management is performing poorly, the corp. may be subject to takeover by a firm that believes it can more effectively utilize the corp’s resources.
Poison Pill
A strategy used to prevent corporate takeover. Triggers an option for the shareholders to purchase additional shares at a discount if someone attempts to acquire a controlling interest in the corp.
**Controversial because they inhibit an active market for corp. control.
Internal Control - Integrated Framework developed by COSO
The most commonly used framework in the US.
A process, effected by the entity’s board of directors, management, and other personnel designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.
What are the 3 main objectives of Internal Control?
1) Operations
2) Reporting
3) Compliance
Internal Control Operations Objective
The organization achieves effective and efficient operations when significant external events can be predicted and their potential effects mitigated, or the organization understands the extent to which operations can be managed when the effect of significant events cannot be mitigated. This category of objectives includes safeguarding assets.
Internal Control Reporting Objective
The organization prepares internal and external financial and nonfinancial reports in conformity with applicable laws, rules, regulations, standards, and internal policies.
Internal Control Compliance Objective
The organization complies with applicable laws, rules, and regulations.
What are the 5 components of internal control under the COSO framework?
1) Control Environment
2) Risk Assessment
3) Control Activities
4) Information and Communication
5) Monitoring Activities
Per COSO Framework, Control Environment
The set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
Per COSO Framework, Risk Assessment
The possibility that an event will occur and adversely affect the achievement of objectives in the area of operations, reporting, or compliance.
Per COSO Framework, Control Activities
Policies and procedures that help ensure that management directives are carried out.
Per COSO Framework, Information and Communication
Supports all components of the framework. Considering the requirements of the users, the information system captures internal and external sources of data, processes the data into info., and maintains quality throughout processing.
Per COSO Framework, Monitoring
Assesses whether each of the five components of the framework is present and functioning; may be achieved by performing ongoing activities or by separate evaluations.
What are the 5 principles of the COSO framework control environment component?
1) Demonstrate commitment to integrity and ethical values
2) Exercise oversight responsibility
3) Establish structure, authority, and responsibility
4) Demonstrate commitment to competence
5) Enforce accountability
What are the 4 principles of the COSO framework risk assessment component?
1) Specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
2) Identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
3) Considers the potential for fraud in assessing risks to the achievement of objectives
4) Identifies and assesses changes that could significantly impact the system of internal control
What are the 3 principles of the COSO framework control activities component?
1) Selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
2) Selects and develops general control activities over technology to support the achievement of objectives
3) Deploys control activities through policies that establish what is expected and in procedures that put policies into action
What are the 3 principles of the COSO framework Information and communication component?
1) Obtains or generates and uses relevant, quality info. to support the functioning of internal control.
2) Internally communicates info., including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
3) Communicates with external parties regarding matters affecting the functioning of internal control.
What are the 2 principles of the COSO framework monitoring component?
1) Selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
2) Evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
What are 6 types of control activities that mitigate risk per the COSO framework?
1) Authorizations and approvals - Review of the validity of transactions
2) Verifications - Comparison of 2+ items with each other or with policy
3) Physical controls - Restriction of access to physical assets or performing periodic inventories
4) Controls over standing data - Accuracy, completeness and validity of data used in transaction processing; e.g. a price master file used to record sales transactions.
5) Reconciliations - Comparison of 2+ data elements to identify any differences
6) Supervisory controls - High level controls to ensure other control activities are operating
What are 2 types of control activities application controls per the COSO framework?
1) General controls over technology
2) Transaction (application) controls
Per COSO Framework, Control Activity General Controls Over Technology
Support the reliability of 2+ types of transactions or processes; encompasses control activities 1) over technology infrastructure, which are designed to ensure the completeness, accuracy, and availability of technology processing, 2) over access to technology, to restrict access to authorized users, 3) over acquisition, development, and maintenance of technology and its infrastructure.
Per COSO Framework, Control Activity Transaction (Application) Controls
Designed to ensure that particular transactions are accurate, complete, and valid (authorized), and are segregated into 1) input controls to ensure that data are input accurately and completely and transactions are valid, 2) processing controls to ensure that data is processed accurately, 3) Output controls over the distribution of and accuracy of output.
Per COSO framework, control environment component, what 3 standards can be implemented to demonstrate commitment to integrity and ethical values?
1) Management should establish a tone at the top of the organization through directives, actions, and behavior that encourages appropriate behavior.
2) These should be communicated through a code/standard of conduct, official policies, directives and by example.
3) Individuals should be evaluated for adherence to standards and deviations should be addressed in a timely manner
Per COSO framework, control environment component, what can management do to exercise oversight responsibility?
Establish appropriate oversight of management and the system of internal control by collectively possessing appropriate expertise and having sufficient members that are independent from management.
Per COSO framework, control environment component, what 3 standards can be implemented to establish structure, authority and responsibility?
1) Management should establish with board oversight, structures, reporting lines, and appropriate authorities and responsibilities.
2) Relationships with outsourced service providers may also affect the organization's structure.
3) Delegating authority increases risk. Therefore, management should establish appropriate limitations to authority.
Per COSO framework, control environment component, what 3 standards can be implemented to demonstrate commitment to competence?
1) Management adopts policies and practices that reflect expectations of stakeholders, and provide the foundation for defining competence needed within an organization, and the basis for executing and evaluating performance.
2) Commitment to competence is supported by human resource management processes for attracting, developing, and retaining the right fit of management, other personnel, and outsourced service providers.
3) Succession planning for key managers as well as contingency plans for assignment of internal control responsibilities are also important.
Per COSO framework, control environment component, what 3 standards can be implemented to enforce accountability?
1) The board of directors should hold the CEO responsible for establishing the requisite system of internal control to support the achievement of organizational objectives.
2) Accountability for internal control should be established at all levels and supported by appropriate performance measures, incentives, and rewards.
3) The board and senior management should be cognizant of the effects that undue pressure can have on behavior as it may cause individuals to circumvent processes or engage in fraudulent activities.
What are 4 risk responses per the COSO framework risk assessment component?
1) Acceptance
2) Avoidance
3) Reduction
4) Sharing
What does segregation of duties entail per the COSO framework control activities component?
Dividing the responsibility of recording, authorizing, approving transactions, and handling the related asset.
Per COSO framework, information and communication component, what 4 standards can be implemented to be an effective information/communication system?
1) Quality of info. depends on whether it is accessible, correct, current, protected, retained, sufficient, timely, valid, and verifiable.
2) To be effective, info. must be communicated through the appropriate methods to management, other personnel, and board of directors.
3) Processes and channels must be established to facilitate communication to parties such as regulators, owners, financial analysts, and customers.
4) Processes and channels should also provide appropriate communication from external parties such as customers, suppliers, auditors, and regulators to management and the board.
Per COSO framework, monitoring component, what are 2 characteristics of internal control evaluators?
1) Competent - knowledge of internal control and related processes, including how controls should operate and what constitutes deficiency.
2) Objective - Can evaluate the controls without concern about possible consequences of discovering deficiencies.
Per COSO framework, monitoring component, what are 3 reasons why internal control systems fail?
1) They are not designed or implemented properly
2) They are properly designed and implemented, but changes in the environment have occurred, making the control ineffective.
3) They are properly designed and implemented but the way they operate has changed making the control ineffective.
Per COSO Framework, Monitoring Component, Monitoring-for-Change Control Continuum
The sequence of these activities:
1) Control baseline
2) Change identification
3) Change management
4) Control revalidation/update
Per COSO Framework, Monitoring Component, Monitoring-for-Change Control Continuum, Control Baseline
Establishing a starting point that includes a supported understanding of the existing internal control system
Per COSO Framework, Monitoring Component, Monitoring-for-Change Control Continuum, Change Identification
Identifying, through monitoring, changes in internal control that are necessary because changes in the operating environment have taken place, such as changes in regulations or changes in the economic environment.
Per COSO Framework, Monitoring Component, Monitoring-for-Change Control Continuum, Change Management
Evaluating the design and implementation of the changes and establishing a new baseline.
Per COSO framework, monitoring component, monitoring-for-change control continuum, what does an effective change management process enable management to control?
1) Change requests
2) Change analyses
3) Change decisions
4) Change planning, implementation, and tracking
Per COSO framework, monitoring component, monitoring-for-change control continuum, change management, what standards need to be implemented with regard to change planning, implementation, and tracking?
1) It is important that the change management process considers the effects on other areas of the organization and incorporates them into the analysis, planning, and implementation phases of the change.
2) A system of documentation should be established to ensure that changes are authorized, communicated, and documented.
3) Changes should be thoroughly tested before being implemented.
Per COSO framework, monitoring component, what are the 2 characteristics of key controls (meaningful risks)?
1) Their failure could materially affect the area’s objectives, and other controls would not be expected to detect the failure on a timely basis.
2) Their operation might prevent or detect other control failures before they had an opportunity to become material to the organization’s objectives.
Per COSO framework, monitoring component, what are the 2 types of sufficient suitable evidence?
1) Direct evidence
2) Indirect evidence
Per COSO Framework, Monitoring Component, Direct Evidence
Evidence obtained from observing the control and reperforming it.
Per COSO Framework, Monitoring Component, Indirect Evidence
Evidence that identifies anomalies that may signal control change or failure, such as: Evidence derived from operating statistics, key risk indicators (forward-looking metrics that serve to identify problems), performance indicators (metrics that reflect critical success factors), and comparative industry data.
Is ongoing monitoring or separate monitoring more effective and why?
Ongoing monitoring is best.
It operates continuously and can offer the first opportunity to identify and correct control deficiencies. Technology makes this a more effective and efficient option.
Separate evaluations may be performed by…
Internal auditors, objective evaluators, cross-functional evaluators, or through benchmarking/peer evaluation against comparable organizations.
Self-assessment may be performed if…
It is performed by individuals in the same department and they are suitably supervised.
Preventative Controls
Serve to prevent misstatements from occurring in the first place
Detective Controls
Serve to detect misstatements after they have occurred
Corrective Controls
Serve to correct misstatements after they are detected
Feedback Controls
Evaluate the results of a process and adjust the process if the results indicate the process is not operating effectively
Feed-Forward Controls
Project results into the future and make changes to alter the projected results.
What are 6 limitations of internal control?
1) Human judgment in decision making can be faulty
2) Breakdowns can occur because of human failures such as simple errors or mistakes
3) Controls, whether manual or automated, can be circumvented by collusion
4) Management has the ability to override internal control
5) Cost constraints
6) Custom, culture, and the corp. governance system may inhibit fraud, but they are not absolute deterrents
SOX, section 404, requires a report on the effectiveness of the system includes what 4 statements and/or assessments?
1) A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the corp.
2) A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the corp's internal control over financial reporting
3) An assessment of effectiveness of the corp’s internal control over financial reporting as of the end of the company’s most recent fiscal year, which includes an explicit statement of whether internal control over financial reporting is effective and if there are any material weaknesses.
4) If applicable, a statement that the corp’s registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting.
Per COSO Framework, Enterprise Risk Management (ERM)
Is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
What are 8 risks associated with the sales and collection process?
1) Inaccurate or incomplete sales data and lack of security over sales order info.
2) Sales to customers that are not creditworthy
3) Maintaining too much or too little inventory
4) Inaccurate filing of orders
5) Inaccurate billing of customers
6) Failure to bill for shipment
7) Errors or fraud in processing and depositing cash receipts
8) Accounts may be written off without authorization
What are 8 risks associated with the acquisitions and payment process?
1) Ordering unneeded goods
2) Purchasing goods from unauthorized vendors
3) Receiving goods that are damaged or inferior
4) Receiving goods that were not ordered
5) Payment for goods not received
6) Payment for purchase twice
7) Unauthorized cash payments
8) Loss or theft of assets
Per COSO ERM framework, what are 5 risk management processes?
1) Identifying risks
2) Assessing risks
3) Prioritizing risks
4) Determining risk responses
5) Monitoring risk responses
Per COSO ERM Framework, Negative Impact Events
Represent risks
Per COSO ERM Framework, Positive Impact Events
Represent opportunities or may offset the negative impact
Per COSO, what are the 8 interrelated components of ERM framework?
1) Internal environment
2) Objective setting
3) Event identification
4) Risk assessment
5) Risk response
6) Control activities
7) Information and communication
8) Monitoring
Per COSO ERM Framework, Internal Environment Component
Is the basis of all other components of ERM, providing discipline, structure, organizational tone, integrity, ethical values, and board oversight, and sets the basis for how risk is viewed and addressed by an organization's people, including risk management philosophy and risk appetite.
Per COSO ERM framework, internal environment component, what are the 2 main responsibilities of management?
1) Management sets the ethical tone by action and example, and communicates the tone through codes of conduct and established policies.
2) Management should avoid the use of incentives and temptations to engage in unethical behavior, unless effective controls are established to prevent such behavior.
Per COSO ERM Framework, Internal Environment Component, Risk Appetite
Is the amount of risk an organization is willing to accept to achieve its goals; it reflects the organization's culture and operating style, and is directly related to the organization's strategy.
Per COSO ERM framework, internal environment component, what are the 2 main ways to consider risk appetite?
1) Qualitatively - Low, moderate, high
2) Quantitatively - In percentages
Per COSO ERM Framework, Internal Environment Component, Risk Tolerance
Relates to the organization’s objectives and is the acceptable variation with respect to a particular objective.
Per COSO ERM Framework, Objective Setting Component
Objectives 1) must exist before management can identify potential events affecting their achievement, 2) must support and align with the organization's mission, and 3) must be consistent with risk appetite.
Per COSO ERM framework, objective setting component, in broad terms, what is the mission statement?
Is what the organization aspires to achieve.
Per COSO ERM framework, objective setting component, what are the 3 categories of objective setting?
1) Operations - Effectiveness and efficiency of operations
2) Reporting - Reliable reporting of internal/external, financial/nonfinancial info.
3) Compliance - Adherence to laws and regulations
Per COSO ERM framework, objective setting component, what are strategic objectives?
They are high-level goals aligned with the organization’s mission, which are linked and integrated with the specific objectives established for various activities.
Per COSO ERM Framework, Event Identification Component
Potential internal and external events affecting achievement of an organization’s objectives must be identified, distinguishing between risks (negative events) and opportunities (positive events), and may affect implementation of strategy or achievement of objectives.
Per COSO ERM framework, event identification component, what are 5 external events?
1) Economic events
2) Natural environmental events
3) Political events
4) Social events
5) Technological factors
Per COSO ERM framework, event identification component, what are 4 internal events?
1) Organization’s infrastructure
2) Personnel
3) Processes
4) Technology
Per COSO ERM framework, event identification component, what are 7 event identification techniques?
1) Event inventories
2) Internal analysis
3) Escalation or threshold triggers
4) Facilitated workshops
5) Process flow analysis
6) Leading event indicators
7) Loss event data methodologies
Per COSO ERM Framework, Event Identification Component, Event Identification Techniques, Event Inventories
Developing a detailed listing of potential events
Per COSO ERM Framework, Event Identification Component, Event Identification Techniques, Internal Analysis
May be done at staff meetings and involve using info. from other stakeholders.
Per COSO ERM Framework, Event Identification Component, Event Identification Techniques, Escalation or Threshold Triggers
Management predetermines limits that cause an event to be further assessed.
Per COSO ERM Framework, Event Identification Component, Event Identification Techniques, Facilitated Workshops
Involves soliciting info. about events from management and staff.
Per COSO ERM Framework, Event Identification Component, Event Identification Techniques, Process Flow Analysis
Involves breaking processes down into inputs, tasks, responsibilities, and outputs to identify events that might adversely affect the process.
Per COSO ERM Framework, Event Identification Component, Event Identification Techniques, Leading Event Indicators
Involves monitoring data correlated to events, to identify why the event is likely to occur.
Per COSO ERM Framework, Event Identification Component, Event Identification Techniques, Loss Event Data Methodologies
By developing repositories of data on past loss events, management can identify event trends and the root causes of events.
Per COSO ERM Framework, Event Identification Component, Event Identification Techniques, Loss Event Data Methodologies, Black Swan Analysis
Involves evaluating the occurrence of events that had negative effects and were unanticipated or viewed as highly unlikely.
Per COSO ERM Framework, Risk Assessment Component
Risks are analyzed, considering the likelihood and impact (e.g. financial impact), as a basis for determining how they should be managed.
Per COSO ERM framework, risk assessment component, what are 2 techniques to assess risk?
1) Qualitative - High, moderate, low
2) Quantitative - In percentages
Per COSO ERM Framework, Risk Assessment Component, Probabilistic Models
Associate a range of events and the resulting impact with the likelihood of those events based on certain assumptions.
Per COSO ERM Framework, Risk Assessment Component, Nonprobabilistic Models
Use subjective assumptions in estimating the impact of events without quantifying an associated likelihood.
Per COSO ERM framework, risk assessment component, what are 5 probabilistic models?
1) Value at risk
2) Cash flow at risk
3) Earnings at risk
4) Development of credit
5) Operational loss distributions
Per COSO ERM framework, risk assessment component, what are 3 nonprobabilistic models?
1) Sensitivity measures
2) Stress tests
3) Scenario Analysis
Per COSO ERM framework, risk response component, what are 4 responses to risk?
Are consistent with the risk appetite of the organization, and are:
1) Avoidance - Exiting the activity that gives rise to risk
2) Reduction - Taking action to reduce risk
3) Sharing - Transferring or sharing a portion of the risk
4) Acceptance - No action taken, consistent w/the risk appetite.
Per COSO ERM Framework, Control Activities Component
Policies and procedures should be established and implemented to help ensure the risk responses are effectively carried out.
Per COSO ERM Framework, Information and Communication Component
Information - Relevant info. is identified, captured, and communicated to enable people to carry out their responsibilities.
Communication - Convey the importance and relevance of effective ERM, the org's objectives, the org's risk appetite and risk tolerances, a common risk language, and the roles and responsibilities of personnel in effecting and supporting the components of ERM.
Per COSO ERM Framework, Monitoring Component
Ongoing management activities, and separate evaluations, such as those performed by internal auditors.
Per COSO ERM framework, what are 3 limitations to ERM?
1) Future is uncertain
2) Can’t provide reasonable assurance that objectives will be achieved.
3) Can’t provide absolute assurance to objective categories.
Per COSO ERM framework, what are 5 limitations that limit absolute assurance?
1) Limited by human ability and judgment
2) ERM can break down
3) Collusion
4) Cost-benefit constraints
5) Subject to management override