CMA Part 2 SU 1: Ethics, Fraud, and Risk Management
"Members shall act in accordance with ... and shall encourage others within their organizations to adhere to them."
"These principles", namely honesty, fairness, objectivity, and responsibility
3 tools that can be used to identify process controls related to ethical and behavioral issues:
1) Business Process Reengineering 2) Quality management 3) Continual Process Improvement
The 4 specific standards in the IMA's Statement of Ethical Professional Practice are:
1) Competence 2) Confidentiality 3) Integrity 4) Credibility
If organizational policies do not resolve an ethical conflict, consider the following courses of action (3 possibilities):
1) Discuss with your immediate supervisor (if not involved). If not resolved, escalate to the next management level. Do not communicate to external authorities unless there is a clear violation of the law. 2) Clarify the relevant issues through a confidential discussion with an IMA Ethics Counselor or another impartial advisor. 3) Consult your attorney as to legal obligations and rights.
5 types of risk:
1) Hazard risk = insurable risk (e.g. natural disasters) 2) Financial risk (e.g. interest rate risk, FX risk, credit risk) 3) Operational risk = related to everyday operations 4) Strategic risk (e.g. global economic risk, political risk) 5) Business risk = risk that company will have lower than expected profits (or incur a loss)
The 4 overarching principles in the IMA's Statement of Ethical Professional Practice are:
1) Honesty 2) Fairness 3) Objectivity 4) Responsibility
Two methods for monitoring ethical compliance are:
1) Human performance feedback loop: competencies, job descriptions, and objectives should include ethical expectations, and regular employee review systems (completed at least annually) must assess employees against these criteria, with 360 feedback; KPIs must include tracking of employees against ethical training requirements 2) Survey tools: surveys asking employees how well the organization is following the code of ethics can be used to stimulate dialogue and turn the company into a learning and development organization
5 steps in the risk management process:
1) Identify risks with significant impact on operating units 2) Assess risks for probability and potential impact 3) Prioritize risks 4) Formulate risk responses 5) Monitor (done by manager of operating unit and the audit function)
3 major motivators of fraudulent financial reporting include:
1) Motivation related to managers' compensation 2) Meeting debt covenants, budgets, or other goals 3) Meeting or exceeding earnings targets / analysts' forecasts
The 3 characteristics of fraud:
1) Opportunity 2) Rationalization 3) Pressure (motivation)
The 4 kinds of primary controls are:
1) Preventive 2) Detective 3) Corrective 4) Directive
Methods for controlling conflicts of interest include (6 things):
1) Provide a code of conduct provision 2) Require financial disclosure by managers 3) Require prior notification about questionable transactions 4) Prohibit financial ties to suppliers, customers, or distributors 5) Encourage strong ethical behaviors through corporate actions, policies, and public communications 6) Employees should refuse any gift, favor, or hospitality that would influence or appear to influence their actions
The part of the organization responsible for periodic reconciliation of recorded amounts and assets should be...
1) unconnected with the original transaction, or 2) without custody of the assets involved
Define a conflict of interest
A conflict between the personal and official responsibilities of a person in a position of trust, sufficient to affect judgment, independence, or objectivity in conducting the affairs of the business
The question "what does one do in the white spaces?" illustrates an organization's need for...
A defined set of organizational values and code of ethics against which every unanticipated decision must be judged. Failure to have every individual know & understand these values leads to inconsistency and in the worst cases, to unethical or fraudulent behavior.
Definition of rationalization (characteristic of fraud) + examples:
A person's ability to justify actions as consistent with his or her personal code of ethics; examples include thoughts of being underpaid or overworked, feeling that "everyone else is doing it", a belief that rank has its privileges, low self-esteem or morale, revenge, treating theft as a "loan" that will be paid back, and assuming that no one will get hurt
Define an apparent conflict of interest
A situation or relationship that reasonably could appear to other parties to involve a conflict of interest
An ethics helpline is an example of ... which is an important component in maintaining an ethical organization culture.
A whistleblowing framework (a confidential way for employees to report possible violations and receive advice on ethical aspects of challenging decisions)
The FCPA contains two sets of provisions:
Accounting (books & records, and internal control) and anti-bribery
Operational risk can be managed with...
Adequate internal controls, BPR, and continuity planning
What resource does the IMA provide for members who wish to discuss ethical conflicts?
An ethics hotline, 800-245-1383.
Segregation of duties requires separation of which functions?
1) Authority to execute transactions 2) Recording the transaction 3) Custody of the asset 4) Periodic reconciliation
The 3 responsibilities falling under the standard of credibility are:
Mnemonic: C I D (Communicate, Influential info, Disclose deficiencies). 1) Communicate information fairly and objectively. 2) Disclose all relevant information that could reasonably be expected to influence an intended user's understanding. 3) Disclose delays or deficiencies in information, timeliness, processing, or internal controls in conformance with policy or applicable law.
2 kinds of secondary controls are:
1) Compensatory (mitigative): reduce risk when primary controls are ineffective 2) Complementary: work with other controls to reduce risk to an acceptable level
Benefits of ERM include:
1) Consideration of risk appetite and strategy 2) Risk response decisions 3) Reduction of operational surprises and losses 4) Effective, integrated responses to interrelated risks 5) Response to opportunities 6) Better capital allocation
Requiring full financial disclosure by all managers is a method of...
Controlling conflicts of interest
The organization has a responsibility to foster a sense of ethics in its employees, which can be accomplished by...
Developing a code of conduct and ethical behavior
Those subject to the FCPA's anti-bribery provisions include:
Domestic concerns (whether or not doing business overseas and whether or not registered with the SEC); issuers (whether US or foreign) that have a class of securities on a US stock exchange or are required to file reports with the SEC; and any person (incl. foreign nationals and foreign non-issuing companies) acting corruptly while in the US
The four responsibilities falling under the standard of competence are:
Mnemonic: E C D L (Expertise, Compliance, Decision support, Limitations). 1) Maintain an appropriate level of professional expertise by continually developing knowledge and skills 2) Perform professional duties in accordance with relevant laws, regulations, and technical standards 3) Provide decision support information and recommendations that are accurate, clear, concise, and timely 4) Recognize and communicate professional limitations or other constraints that would preclude responsible judgment or successful performance of an activity
Misappropriation of assets is most often committed by...
Employees, through theft, embezzlement, or defalcation
An altered document is often evidence of fraud. Alteration can occur in various ways, such as...
Erasure or forgery
Employee training is important to maintaining an ethical organizational culture. Ethics training should focus on...
Ethical concepts, the organization's code, and compliance
T/F: A comprehensive framework of corporate ethical behavior is a result of an effective system of control.
False. A thorough, integrated system for ethical behavior is a prerequisite for an effective system of internal control.
T/F: There is no risk of fraud if none of the three characteristics are present.
False. Additionally, characteristics may be present but hidden (e.g. financial pressure on an employee is not noticed by an auditor because no bill collectors are harassing them at the office)
T/F: Corrupt payments are prohibited if the person making them knew that some or all of them would be used to influence a gov't official.
False. Corrupt payments are prohibited if the person should have known, or did in fact know, that they would be used for this purpose.
T/F: ERM should provide reasonable assurance that operating objectives are being met.
False. ERM should provide assurance of achieving reporting and compliance objectives, which are within the entity's control. Operating objectives are influenced by external factors - ERM should provide assurance that mgmt receives timely information about whether those objectives are being achieved
T/F: Individuals in violation of the FCPA are subject to fines.
False. Individuals in violation of the FCPA are subject to fines and imprisonment. A corporation may also be assessed a fine. A corporation may not directly or indirectly pay a fine assessed upon an individual.
T/F: Ethical behavior should be understood as compliance with the law.
False. Many of the corporate scandals of the early 21st century arose from a failure to distinguish between what would be seen as reasonable and what would fall under some interpretation of compliance with the law.
T/F: The IMA Statement requires members to avoid actual conflicts of interest.
False. Members are required to mitigate actual, and avoid apparent, conflicts of interest
T/F: Quantification of risk is required for a sound risk management structure.
False. Precise numeric quantification of risk is not necessarily required. Qualitative tools are crucial.
T/F: Under the FCPA, "grease" payments to facilitate paperwork processing, securing a license, receiving utility service, etc., are included in the umbrella of corrupt payments.
False. The FCPA allows these facilitation payments to allow US firms to fairly compete in foreign countries where these payments are routine.
T/F: A code of conduct should state that employees are to disclose all conflicts of interest.
False. The code should say that employees are to refrain from engaging in any activity that would prejudice their ability to carry out their duties ethically.
T/F: When faced with ethical issues, the first thing you should do is discuss the issue with your immediate superior.
False. The first thing you should do is follow your organization's established policies.
T/F: Storing petty cash in a locked safe is an example of a directive control.
False. This is a preventive control. A directive control could be a policy and procedure manual.
Limitations of ERM include:
1) Faulty human judgment 2) Cost-benefit considerations 3) Simple errors 4) Collusion 5) Mgmt override of ERM decisions
Human capital is a critical asset because...
Humans innovate, cut costs, bring knowledge to the workplace, share knowledge with others, and develop relationships with suppliers, customers, and others
ERM is a process applied in strategy setting and across the enterprise, designed to...
Identify events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance that objectives will be met
When there is an ethical conflict, when is it appropriate to contact levels above your immediate supervisor?
If no satisfactory resolution is reached through discussions with the immediate supervisor, and with the supervisor's knowledge (assuming they are not involved)
Organizations face particular challenges while operating internationally because of the melting pot of personal values within societies and organizations. To avoid unpredictable results and weak internal control, organizations should...
Make an effort to clearly define expectations and provide support and encouragement for complying with them
When volatility increases, risk... When time increases, risk...
Increases in both cases
A person who wants to sell an asset 1 year from now has a (long / short) position. To protect against loss, the owner can enter into a (long / short) hedge.
Long position: benefits from the increasing value of the asset. Short hedge: protects against the falling value of the asset.
Examples of operational risks:
Loss from inadequate or failed processes, people, and systems in any of the following: 1) HR (inadequate training or hiring) 2) Poor internal controls 3) Product failure (lawsuits, customer ill will) 4) Environmental damage 5) Business continuity 6) Legal & compliance risk (making the company subject to civil or criminal penalties)
The 3 responsibilities falling under the standard of integrity are:
Mnemonic: M/C/A P D (Mitigate/Communicate/Advise, Prejudice, Discredit). 1) Mitigate actual conflicts of interest. Regularly communicate with business associates to avoid apparent conflicts. Advise all parties of potential conflicts. 2) Refrain from engaging in conduct that would prejudice carrying out duties ethically. 3) Abstain from engaging in or supporting any activity that might discredit the profession.
Fraudulent financial reporting is most often committed by...
Management, to deceive financial statement users
Red flags & risk factors of misappropriation of assets:
Missing documentation; large amounts of cash on hand; high-value, small-sized assets; unexplained budget variances; failure of certain employees to take vacations; unusual write-offs of receivables; failure to follow up on past-due receivables; shortages in delivered or received goods; poor supervision; products or services purchased in excess of needs; payroll checks with a second endorsement; employees on payroll who didn't sign up for benefits; undocumented petty cash expenditures; common addresses on payables, refunds, or payments; addresses or phone numbers of employees that match suppliers or others; complaints by customers
In addition to accounting and anti-bribery provisions, the FCPA also has requirements regarding...
Money laundering and terrorist financing.
The 3 responsibilities falling under the standard of confidentiality are:
Mnemonic: N I/M A (Non-disclosure, Inform/Monitor, Advantage). 1) Keep information confidential except when disclosure is authorized or legally required. 2) Inform all relevant parties regarding the appropriate use of confidential information. Monitor subordinates' activities to ensure compliance. 3) Refrain from using confidential information for unethical or illegal advantage.
The only characteristic of fraud that can be controlled by management is...
Opportunity, which arises from a lack of oversight, inadequate internal controls, or lack of enforcement of internal controls
Which law requires that US companies registered with the SEC have a whistleblowing hotline?
SOX
The board's role with respect to risk management is...
Oversight. The board should determine that risk management processes are in place, adequate, and effective
Definition of corrupt payments:
Payments made for the purpose of inducing the recipient to act or refrain from acting, with the goal of obtaining or retaining business.
Definition of pressure / motivation (characteristic of fraud):
Person's reason or need for committing fraud (either fraudulent financial reporting or misappropriation of assets)
Senior management determines the entity's risk management...
Philosophy
Residual risk vs inherent risk
Residual risk is what remains after any avoidance, sharing, or mitigation strategies; inherent risk arises from the activity itself
5 strategies for risk response:
1) Risk avoidance (end the activity) 2) Risk retention (accept the risk) 3) Risk reduction / mitigation (lower the risk) 4) Risk sharing / transfer (offload some risk to a 3rd party) 5) Risk exploitation (pursue risk for high return)
"Self insurance" is synonymous with which strategy for risk response?
Risk retention
The COSO ERM framework is a cube with rows, slices, and columns, which represent:
Rows: 8 components (e.g. objective setting, risk response, monitoring); slices: 4 categories of objectives; columns: organizational units (e.g. division, BU)
Regarding ethics, the most significant provision of SOX is Section...
Section 406(c) which requires any company issuing securities to disclose if the issuer has a code of ethics for senior financial officers
A person who wants to buy an asset 1 year from now has a (long / short) position. To protect against loss, the owner can enter into a (long / short) hedge.
Short position: benefits from the falling value of the asset. Long hedge: protects against the increasing value of the asset.
SOX defines "code of ethics" as...
Standards reasonably necessary to promote 1) honest and ethical conduct - including handling conflicts of interest, 2) full, fair, accurate, timely, understandable disclosure in periodic reports, 3) compliance with gov't rules and regs
4 categories of objectives:
1) Strategic objectives 2) Operations objectives 3) Reporting objectives 4) Compliance objectives
Who has the ultimate responsibility for ERM?
The CEO
Definition of opportunity (characteristic of fraud):
The ability of a person to perpetrate and conceal fraud
Definition of risk:
The possibility that an event will occur and negatively affect achievement of objectives
Hiring decisions and employee orientation and training should address...
The alignment of individual values and ethics with organizational expectations
When there is an ethical conflict and your immediate supervisor is the CEO, the acceptable reviewing authority would be...
The audit committee, executive committee, board of directors, board of trustees, or owners
A significant risk in very large organizations is that the culture...
The culture that the board and senior mgmt believe to exist in the company is different from the actual culture experienced by employees, clients, and suppliers
In order for a code of ethics to be effective, its application must be demonstrated by...
Those in positions of power and leadership ("setting the tone at the top"). People believe what they see, rather than what they hear in a company "pep talk"
Red flags & risk factors of fraudulent financial reporting:
Too good / too bad to be true; threat of bankruptcy, foreclosure, or hostile takeover; high turnover on the board or in senior mgmt; nonfinancial mgmt's excessive participation in choosing accounting principles or estimates; strained relationship with the auditor; known history of securities law violations; industry or market declines; poor cash flows; significant related-party transactions not in the course of business; highly complex transactions; transactions in tax havens; unrealistic sales or profitability incentives; unusually rapid growth; pressures to meet analysts' expectations
T/F: Corporate bribery and passive bribery are not addressed by the FCPA.
True. Payments to foreign business owners or domestic US officials are not prohibited by the FCPA, and neither is the receipt or acceptance of a bribe.
T/F: The FCPA prohibits the offer of a bribe, even if it is not consummated.
True. The act prohibits payment of anything of value; de minimis gifts and tokens of hospitality are acceptable.