Chapter 2: Corporate Governance
What are some key control activities?
-Performance reviews -IT Controls -Segregation of duties
What's the difference between an outside and inside director?
An outside director has no affiliation to the company besides being a board member. An inside director may be an employee or have some executive function (i.e CEO)
What is "Enterprise Risk Management"?
Helps entities deal with the unpredictability of the business environment
Under the SEC, what does the division of enforcement do?
Investigate security law violations
What is COSO's Internal Control Framework? (ACE)
It stands for U.S. is Internal Control - Integrated Framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Objective: -Reporting objective: Accuracy -Compliance with laws and regulations -Reporting objectives: Effective and efficient operations
Is most fraud found by external or internal auditors?
Most fraud is found by internal auditors/ personnel. This is why it's important to have a Fraud Risk Management Program
In 2012, what did the Jump Start Our Business Act do?
Purpose was to make small business have easier access to the capital markets. It also: 1) Private companies don't need audits of internal controls 2) Exempt from some rules around executive compensation disclosure and other registration 3) Raises the limit of exemptions 4) Prohibits crowdfunding 5) Community banks can have more shareholders
Under the SEC, what does the Chief Accountant do?
Responsible for transparency and relevancy of financial reporting
What are the bylaws of a company?
These are the internal rules
What's the most common way the board will monitor management?
Through the use of internal auditors
Monitoring is what sequence of activities?
1) Control baseline: develop an understanding for how it works 2) Change identification: Evaluate and identify changes to I/C 3) Change management: Determine when a change of I/C is needed 4) Control revalidation/update: Develop a new baseline understanding
What is the external auditor required to communicate to the audit committee?
1) Critical accounting policies 2) Alternative treatments acceptable under GAAP 3) Any additional communication to management
What is COSO's Enterprise Risk Management Framework?
COSO's Enterprise Risk Management (ERM) framework consists of 5 components and 20 related principles. Under the Performance component, Principle 13 defines two types of risk faced by an entity: 1) Inherent risk: risk to the entity in the absence of controls (ie, the natural level of risk) 2) Residual risk: risk to the entity that remains after controls are enacted (eg, collusion) Inherent risk exists whenever an entity chooses to participate in an activity; inherent risk can be reduced but not eliminated by using appropriate controls and safeguards. Residual risk is the risk that remains after controls and safeguards are employed. Residual risk can be shared/transferred; for example, an entity can purchase insurance to "share" the cost/risk of theft.
What are the basic elements of the change control process? This can be from external business changes or internal changes (i.e IT environment).
Change control should be developed to guard against potential adverse effects of change. 1) Change requests: when is change needed or desired 2) Change analysis: Evaluating the change 3) Change decisions: Deciding on the change 4) Planning and implementing the change: Developing a plan 5) Monitoring and tracking the change: how do we monitor the change
What is the definition of internal auditing and code of ethics of IAA?
Definition: "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and government processes." Code of ethics: 1) Integrity 2) Objectivity 3) Confidentiality 4) Competency
What's the difference between inherent and residual risk
Inherent: The risk present if management takes no action Residual: The risk present after management has taken action.
What are some internal and external triggering events of ERM?
Internal: Infrastructure, IT, Personnel External: Economy, natural environment, Politics, and other social factors
What is the Institute of Internal Auditors?
This is an organization to help achieve: 1) Definition of internal auditing 2) code of ethics 3) International standards
What is an "Evaluator" of internal controls and what characteristics should they possess?
This is someone who monitors controls within an organization. They should be competent and objective
How does the Board get its authority?
Through the Articles of Incorporation and by laws
Under the SEC, what does the division of corporate finance do?
To provide interpretive guidance in regard to the Securities Act of 1933, the Securities and Exchange Act of 1934, the Trust Indenture Act of 1939, and the Sarbanes-Oxley Act of 2002. It also, however, reviews filings made under the 1933 Act to evaluate compliance with disclosure and accounting requirements.
Who is more likely to misstate the financials and who is more likely to steal assets?
Upper management is more likely to misstate the financials and lower personnel are more likely to steal assets
Do public companies need to have an internal audit function?
Yes
Must the company disclose whether the chair is also the CEO of a company?
Yes- and this is because of Dodd-Frank
When management has their report on internal control, what are some of the key elements?
-Acknowledgement of responsibility -Management's assessment of ICFR -Identification of framework -Indication that the auditor has issued an attestation report
With a good internal control structure, incompatible duties should be kept separate. Can you name ARCCs?
-Authorization -Recording -Custody of resources -Comparison and reconciliations
What are the typical duties of a board member?
-Be loyal -Have due care - Have due diligence -Engage in strategic planning -Securing available financial resources -Must be a fiduciary to the Company
What are some of the typical shortcomings to a strong I/C environment?
-Can't identify schemes -Bad follow up -Inadequate consideration of fraud/collusion -Limited involvement by personnel (BOD, internal auditors, audit committee etc...) -Lack appropriate monitoring by the audit committee
Under Risk Assessment, what are some of the relevant external and internal factors?
-Changes in operating environment (competition) -New Personnel -New or different IT environment -New technology -Corporate restructuring -Foreign operations -Accounting pronouncements
What are some of the key principles of the Cadburry code for corporate governance?
-Division of responsibility -Board members should be outside directors -Non-executive board members should set board compensation
What are some key requirements of board members?
-Majority of the directors must be independent -Nonmanagement directors are required to meet regularly -Entity must maintain an independent audit committee -Entity must identify non-independent relationships
What are the key internal control procedures? (PIPS)
-Performance reviews -Information processing -Physical controls -Segragation of duties
What are the limitations of internal controls?
-Poor human judgement -Collusion -Management override These may result in fraud or error within an organization
What are some key benefits of the enterprise risk management framework, that was developed by COSO?
-Promotes identification -Reduce costs of negative surprises -Prioritizes and maximizes the allocation of resources -Enhances entity resilience
What are the primary responsibilities of a board of directors in a publicly held company?
-Set compensation -Monitor management to ensure it is achieving objectives
What should the auditor's report include on ICFR?
-State the independence -State the auditor's responsibility -Define ICFR -State it was in accordance with PCAOB standards -Reasonable, not absolute, assurance and opinion -Signature of the audit firm/partner
What are some compensating controls for small entities?
-Strong tone at the top -Independent management -Random selection of transactions -Effective an annonymous whistle blower program
When risks exist, what are some alternative responses to the risks present?
1) Accept the risks and take no action 2) Share the risk: By entering into some 3rd party agreement 3) Reduce: through some type of internal or external change 4) Avoidance: if risk cannot be taken to an acceptable level 5) Mitigate the risk: Such as investing in education
What are the roles of the key parties: 1) Audit Committee 2) BOD 3) Management 4) Internal auditors 5) Employees
1) Audit Committee -Meet with internal and external auditors and monitor the control risks -Help management establish good internal controls -Should be independent -Act with due care and loyalty -May not accept consulting or advisory roles for the company 2) BOD: -Maintain good oversight -Hire outside experts as needed 3) Management: -Design, implement, and monitor I/C activity -Enforce the code of ethics 4) Internal Auditors: -Report to those charged with governance -Evaluate the design and operating effectiveness of the controls 5) Employees: -Have awareness and report incidents of abuse -Contribute to a strong control environment
when identifying potentially adverse effects on the entity, what are the 3 different key approaches?
1) Balance sheet approach: Which resources on the balance sheet are at risk? 2) Process approach: How is our process for doing business at risk? (i.e purchasing supplies) 3) Event identification approach: identify how the entity is at risk in these key areas: 1) Customers 2) Suppliers 3) Competitors 4) Potential new entrants 5) Substitutes
When assessing the severity of risks, how can the entity quantify their risk assessment? What is the most useful way to prioritize risk?
1) Benchmarking: 2) Models (probability): Expected values 3) Non-probability models: subjective assumptions The most useful way to prioritize risk is to assign an expected value to it/them.
What are the key factors of the Control Environment? (CHOPPER)
1) Commitment to Competence 2) Human resource and policies procedures 3) Organization structure 4) Philosophy and operating style 5) Participation from the board and audit committee 6) Ethical and integrity values 7) Responsibility and Authority Assignment
COSO has 17 principles (CRIME) can you name them?
1) Control Environment -Tone must come from the Top Management -Integrity -Competence -Accountability 2) Risk Assessment -Assess fraud risk -Analyze risk 3) Control Activities -Do control activities exist? -Does it have policies and procedures in place? -Policies must identify expectation -Controls over technology -Controls in place reduce risk and meet entity objectives 4) Information and Communication -Is the information relevant -Is the information communicated to outside and inside parties? 5) Monitoring -Perform ongoing evaluations -Evaluate deficiencies
The Organization for Economic Co-Operation and Development (OECD) developed the OECD principles, what are they?
1) Effective Corporate Governance Framework - "The corporate governance framework should promote transparent and efficient markets, be consistent with the rule of law and clearly articulate the division of responsibilities among different supervisory, regulatory and enforcement agencies." 2) Shareholder Rights and Ownership Functions - "The corporate governance framework should protect and facilitate the exercise of shareholders' rights." 3) Equitable Treatment of Shareholders - "The corporate governance framework should ensure the equitable treatment of all shareholders, including minority and foreign shareholders. All shareholders should have the opportunity to obtain effective redress for violation of their rights." 4) Stakeholders' Role in Corporate Governance - "The corporate governance framework should recognize the rights of stakeholders established by law or through mutual agreements and encourage either active co-operation between corporations and stakeholders in creating wealth, jobs, and the sustainability of financially sound enterprises." 5) Disclosure and Transparency - "The corporate governance framework should ensure that timely and accurate disclosure is made on all material matters regarding the corporation, including the financial situation, performance, ownership, and governance of the company." 6) Board Responsibilities - "The corporate governance framework should ensure the strategic guidance of the company, effective monitoring of management by the board, and the board's accountability to the company and the shareholders."
What are some various forms of incentive compensation?
1) End of year bonus 2) Stock options: Can buy stock at a fixed price for a fixed set of time 3) Stock appreciation rights: Only difference b/t Stock Options is that is pays the holder cash for increases in the stock price 4) Restricted shares: Can't sell the shares for a period of time 5) Performance shares: Given if performance objectives are met
What are some events that may trigger enterprise risk management?
1) Event inventories 2) Internal analysis 3) Escalation or threshold triggers 4) Facilitated workshops or interviews
What are the 5 components of COSO's new ERM framework?
1) Governance and culture -Set a strong tone from the top down. Must permeate down or otherwise it is not valuable 2) Strategy and objective setting -Analyze, define risk, and evaluate strategy 3) Performance -Identify, assess, and prioritize risks -Implement responses 4) Review and revision -Assess change -Review performance -Puruse improvements 5) Information, communication, and reporting -Leverage information systems -Communicate risks -Report on risks
Core systems (sales, cash, payroll, purchases) should have key processes, what are they?
1) Initiation: When is the transaction initiated 2) Authorization: When will the entity commit resources 3) Execution: How does the entity meet its performance obligation 4) Verification: How do we know errors are not made?
What are some other ways management is monitored?
1) Investment banks and securities analysts 2) Creditors and credit agencies 3) Attorneys
What are ISPPIA's International Standards for the Professional Practice of Internal Auditing performance standards?
1) Managerial and internal audity activity 2) Nature of work 3) Engagement planning 4) Performing the engagement 5) Communicating results 6) Monitoring progress 7) Communicating the acceptance of risks
What does a well designed mission statement encompass?
1) Moral or ethical position 2) Strategic influence for the entity's operations 3) Description of the entity's products 4) Expectation for growth and profitability
What are ISPPIA's International Standards for the Professional Practice of Internal Auditing attribute standards?
1) Purpose, authority, responsibility 2) Independence and objectivity 3) Proficiency and due professional care 4) Quality assurance and improvement
When the entity evaluates alternative strategies, what are the 3 types of risks COSO wants management to consider?
1) Risk to a chosen strategy: (i.e the performance of that strategy) 2) Risks that the strategy will not align with the mission, vision, and strategy of the entity 3) Risk of, or from, the strategy
What are the four significant provisions that relate to Compensation Committee
1) Say-on-Pay - Stockholders are required to be allowed to determine, by vote, if they approve of the compensation of executive officers; whether the vote on compensation should occur every 1, 2, or 3 years; and, in the event of a merger, whether or not they approve any compensation related to a "Golden Parachute." The votes on executive compensation and "Golden Parachute" compensation are not, however, binding on the board of directors. 2) Independence - Committee members and advisers are required to adhere to a higher standard in determining whether they are sufficiently independent to serve on, or advice to, the compensation committee. The bill also calls for enhanced disclosure regarding the use of compensation consultants and any conflicts of interest. 3) Disclosure - The bill requires enhanced disclosure relating executive compensation to the entity's financial performance. Disclosure includes the relationship of the median employee compensation, excluding that of the CEO, to the total annual compensation of the CEO. 4) Claw backs - The bill requires an entity that is required to restate its financial statements to establish policies for the recoupment of compensation (SOX Title III).
An audit committee must have one financial expert. What does it mean to be considered a financial expert?
1) understanding of GAAP and financial statements 2) Experience auditing or preparing F/S 3) Experience with internal accounting controls Note: The financial expert does not need to be a CPA
What is the business judgement rule?
A board of directors (BOD) is elected by and answers to an entity's shareholders. The business judgment rule was established as a result of case law and requires a director to fulfill a fiduciary duty to the entity. Directors must act in good faith, be loyal to the entity, and exercise due care and diligence in all their board functions. A director's fiduciary duty requires that the director not put personal interest above the corporation's interest. In other words, for a contract between a corporation and one or more of its directors to be valid, a director may not engage in self-dealing unless -abstaining from voting on the issue, and -informing the other directors of the conflict of interest before the other directors cast votes on the issue.
What are the five steps in a fraud risk management program? Why is the fraud risk management program important?
A good fraud risk management program (FRMP) is a likely way for a business to detect fraud from its management. More so than an external audit. Note: A forensic examiner is only hired after fraud has been detected. 1) Establish policies 2) Conduct an assessment 3) Plan for preventive and detective processes 4) Perform timely investigations 5) Monitor and assess the program A FRMP will not eliminate fraud
What are the key principles of Enterprise Risk Management?
The COSO Enterprise Risk Management (ERM) Framework addresses risk assessment under the Performance category. Here the entity determines its risk appetite, aligns it with its strategy, and assesses risk. Risk assessment identifies risks that may prevent achievement of an entity's objectives. Once identified, risks are prioritized and risk responses are developed. Expected value assigns probabilities to identified risks and combines the likelihood and amount of all the risks into a single value. Valuing the total potential impact of risk events helps management evaluate the interrelated impacts of decisions and deal with multiple risks (ie, risk portfolio).