BEC


The Enterprise Risk Management—Integrated Framework of the Committee of Sponsoring Organizations (COSO) is best defined as a:

"A process effected by an entity's board of directors, management, and other personnel" is correct because the board of directors has overall responsibility for managing enterprise risk and can delegate parts of the process to entity personnel. "A serial process in which one component affects only the next component" is incorrect because the components are interrelated, not sequential. "A process that takes a control-based approach to an organization" is incorrect because the framework is much more than the resulting internal controls. "A process that replaces the COSO Internal Control Framework" is incorrect because the process is the framework; it does not replace it.

Each of the following statements is correct regarding the existence and implementation of codes of conduct:

"Employees understand what behavior is acceptable or unacceptable and know what to do if they encounter improper behavior." A code of conduct is only effective if employees understand the limits on behavior contained in the code and are able to take appropriate action when improper behavior is encountered. "The codes of conduct are comprehensive, addressing conflicts of interest, illegal or other improper payments, anticompetitive guidelines, and insider trading." A code of conduct that omitted any of these topics would be incomplete and unable to meet its objectives. "The codes of conduct are periodically acknowledged by all employees." It is important that employees periodically review the code of conduct and acknowledge agreement to its ethical restrictions.

The three objectives of internal controls are

(1) effective use of the organization's resources through operations; (2) reporting reliable information; and (3) compliance (following all laws and regulations). Internal controls are designed to provide reasonable (but not absolute) assurance that objectives are achieved and that compliance with laws and regulations is obtained. Control objectives related to financial reporting, operational efficiency, and law and regulation compliance include validity, timely recording/processing, recording accuracy, supportability, reasonableness, adequate representation of rights/obligations, funding, and appropriateness.

What were the 2017 ERM objective updates?

The 2017 updated framework focuses on the importance of considering risk both in the strategy-setting process and in driving performance. The 2017 framework's objectives include expanding reporting to address expectations for greater stakeholder transparency; enhancing alignment between performance and enterprise risk management; and accommodating evolving technologies and the proliferation of data and analytics.

Whose job is it to maintain transparency?

Although expanding reporting to address expectations for greater stakeholder transparency is one of the topics addressed in the 2017 Enterprise Risk Management (ERM) framework, it is management's responsibility to improve transparency, not the BOD's responsibility.

According to COSO, which of the following components addresses the need to respond in an organized manner to significant changes resulting from international exposure, acquisitions, or executive transitions?

An entity's risk assessment process for financial reporting purposes is its identification, analysis, and management of risks relevant to the preparation of financial statements that are fairly presented in conformity with GAAP. Risk assessment identifies and analyzes significant change. The organization should identify changes that could affect the current control system, such as changes in the external environment, changes in the business model, and changes in leadership.

risk assessment

Assessing fraud risk

According to COSO, the presence of a written code of conduct provides for a control environment that can:

COSO's ERM framework is designed to help an entity attain reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized; continuously assess risks and identify the appropriate action to take and the resources to allocate to overcome or mitigate risk; and encourage teamwork in the pursuit of achieving its financial and performance targets.

It is part of Title IX, "White Collar Crime Penalty Enhancements."

Certification violations result in a criminal punishment for corporate officers who fail to certify corporate financial reports filed with the Securities and Exchange Commission (SEC).

Under COSO, which of the following principles falls under control activities?

Deploys through policies and procedures. The control activities component relates to policies and procedures needed to make sure that control objectives are effectively carried out. Control activity examples include selecting and developing control activities and general controls over technology, and then deploying those controls through policies and procedures. Assessing fraud risk is part of risk assessment. Enforcing accountability and demonstrating a commitment to competence are both part of the control environment component.

Cost-effective and efficient control activities should be developed throughout all levels and functions of an organization. Control activities can be grouped into a number of categories. Which of the following is not a reasonable control activity category?

Having an employee handbook is not considered a control activity. Control activity examples include the following:
Segregation of duties: Dividing the duties of authorization, custody, and record keeping among multiple individuals
Authorization: Review of appropriate transactions by designated individuals for approval
Review and verification: Review of transactions for accuracy and completeness
Information processing controls: Use of hash totals, sequential documents (checks, invoices, etc.), and limited access to particular files
Retention of records: Retention of transaction records for an appropriate period of time
Reconciliation: A periodic comparison of source documents, such as bank statements, with data recorded in the financial records
Physical security of assets: Use of locks, security guards, alarm systems, and cameras
Education, training, and monitoring
IT security: Use of passwords, firewalls, access logs, etc.
Top-level reviews: Periodic reviews of progress toward stated goals by upper management

Internal control activities are only designed to provide reasonable assurance related to the achievement of the stated objectives. Limitations related to the control process include the following:

Limitations on staff size
Cost versus benefit of implementation and monitoring
Breakdowns in communication, training, and technology
Employee collusion
Management override

According to COSO, an executive's deliberate misrepresentation to a banker who is considering whether to make a loan to an enterprise is an example of which of the following internal control limitations?

Management override

COSO issued an update to the 2004 ERM framework in 2017, Enterprise Risk Management—Integrating with Strategy and Performance. Which of the following is not one of the five interrelated components of the framework?

Monitoring is from the original 2004 ERM (enterprise risk management) framework.

According to COSO, a primary purpose of monitoring internal control is to verify that the internal control system remains adequate to address changes in:

Monitoring of controls is a process designed to assess the quality of internal control performance over time, verifying that the internal control system remains adequate to address changes in risk. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. The COSO Enterprise Risk Management (ERM) framework assists management in effectively dealing with uncertainty and its related risk and opportunity, thus building stakeholder value in the entity.

The internal audit function must determine whether risk management processes are effective. This judgment results from the internal auditor's assessment of all of the following except:

Relevant risk information is captured and communicated in a timely manner across the organization (not only to the board of directors), enabling staff, management, and the board to carry out their responsibilities.

According to the Sarbanes-Oxley Act of 2002, when an issuer's board of directors selects members to be on the company's audit committee, the board of directors must select individuals who:

The audit committee is directly responsible for the appointment, compensation, and oversight of the work of any registered public accounting firm (firm) employed by that public company (issuer). The board of directors must have an audit committee entirely composed of members who are independent from management influence. Each member of the audit committee must be a member of the board of directors and must otherwise be independent. Audit committee members may not accept any consulting, advisory, or other compensation from the issuer or be an affiliated person of the issuer.

Under COSO, which of the following principles falls under control activities?

The control activities component relates to policies and procedures needed to make sure that control objectives are effectively carried out. Control activity examples include selecting and developing control activities and general controls over technology, and then deploying those controls through policies and procedures. Enforcing accountability and demonstrating a commitment to competence are both part of the control environment component.

Under COSO, which of the following is considered a principle of the control environment?

The control environment forms the foundation of a business, consisting of its people and the environment in which the entity operates. Of the answers listed, only "exercise oversight responsibility" is considered part of the control environment. Assessing fraud risk is part of risk assessment, communicating externally is part of the information and communication component, and evaluating and communicating deficiencies is part of monitoring.

COSO's 2017 updated ERM framework—Integrating with Strategy and Performance, consists of five interrelated components. What are they?

The five components are: 1. Strategy and Objective-Setting; 2. Governance and Culture; 3. Performance; 4. Review and Revision; and 5. Information, Communication, and Reporting.

The purpose of the TDRA (top-down risk assessment) is for the company to analyze the internal controls currently in place and to assess the effectiveness of those controls so as to avoid material misstatement in the company's financial reporting. As part of that assessment process, which of the following items would be done?

The purpose of the TDRA is for the company to analyze the internal controls currently in place and to assess the effectiveness of those controls to avoid material misstatement in the firm's financial reporting. The focus of the assessment of internal controls will deal with significant (material) accounts. The TDRA will focus on the identification and analysis of pertinent risks related to the achievement of the company's objectives. The higher levels are examined first in the assessment process. Based upon the identification and analysis of risks and the associated internal control to mitigate those risks, management needs to conclude whether the danger of an internal control failure is low, medium, or high. This step is taken after the internal controls in place have been assessed.

COSO issued an update to the 2004 ERM framework in 2017, Enterprise Risk Management—Integrating with Strategy and Performance. What are the components of Review and Revision?

The review and revision component is based upon the idea that by reviewing entity performance, an organization can consider how well the ERM components are functioning over time and as conditions change, and what revisions are needed. This component includes the following principles: assess substantial change, review risk and performance, and pursue improvement in ERM.

Pursuant to the Sarbanes-Oxley Act of 2002, an accountant who destroys documents to impede an investigation by a U.S. agency can be:

Title VIII of the Sarbanes-Oxley Act addresses the criminal penalties associated with manipulating, destroying, or altering financial records or otherwise impeding an investigation. Individuals who knowingly alter, destroy, mutilate, or conceal any record or document with the intent to impede, obstruct, or influence the investigation can be fined, imprisoned for not more than 20 years, or both.

The Sarbanes-Oxley Act (SOX) was enacted to enhance the transparency of a company and hold its officers more accountable. What is part of SOX Title XI, "Corporate Fraud Accountability"?

Title XI includes clauses for tampering: individuals who alter, destroy, mutilate, or conceal records, documents, etc., with the intent to impair objectivity or availability of use, or otherwise obstruct, influence, or impede any official proceeding, will be fined, imprisoned for not more than 20 years, or both; prohibiting persons from serving as officers/directors (in any cease-and-desist proceeding, the SEC can issue an order to prohibit any person who has violated certain security laws, rules, and regulations, from serving as an officer or director of the issuer); and retaliation against informants.

In relation to the internal control process, control sufficiency is:

Two important definitions related to the internal control process are control precision and control sufficiency: Control precision is the alignment between a risk and the control activity designed to mitigate that risk. In other words, a control activity that has a direct influence on the achievement of a stated objective is considered to be more precise than one that only has an indirect influence. Control sufficiency is a group of controls with a variety of degrees of precision necessary to achieve a control objective. For example, there would potentially be a number of control activities such as segregation of duties, reconciliation of bank statements, and daily deposits of receipts in order to protect all incoming receivable payments from theft or fraud.

Under Sarbanes-Oxley Act of 2002 (SOX) section 404, a company must develop documentation of existing internal controls and procedures associated with:

associated with financial reporting, test the effectiveness of those controls and procedures, and provide details on any deficiencies in the controls and/or documentation

The Sarbanes-Oxley Act of 2002 (SOX) section 404 requires that all publicly traded firms establish internal controls related to financial reporting. Per SOX, a company needs to do all of the following:

develop documentation of existing internal controls and procedures associated with financial reporting, test the effectiveness of those controls and procedures, and provide details on any deficiencies in the controls and/or documentation.

The four categories of entity objectives in the enterprise risk management framework are:

strategic (high-level goals, aligned with and supporting the entity's mission), operations (effective and efficient use of its resources), reporting (reliability of reporting), and compliance (compliance with applicable laws and regulations). The actual implementation of internal controls is not one of the entity objectives.
