COSO and ERM framework

Question 1

3 areas SOX addresses

Answer 1

1. C-orporate responsibility
2. E-nhanced Financial Disclosures
3. F-raud

Question 2

What is the primary roles of the audit committee?

Answer 2

1. Report-Auditor reports directly to the audit committee

2. Resolving disputes

Question 3

Assertions made by CEO CFO signing F/S’s

Answer 3

4. R-esponsibility assumed for controls
                               -
6. C-hanges significant
7.  R-eviewed Report
3. O-missions- none
2. U-ntrue statements none
5. D-isclosures to auditor's and audit committee
3. S-tandingF/S fairly represent financial of company

Question 4

Enhanced Financial Disclosures

Answer 4

1. R-eports(Periodic)-disclosures
2. C-onflict of interest provisions-Disclosures
3. T-ransactions involving Management and principal Stocholders Disclosures
4. I-nternal Control assessment by management
5. I-nvestment Companies are exempt
6. C-ode of Ethics for Senior Officers disclosure
7. A-udit Committee Financial Expert disclosure
8. S-EC enhanced review of periodic disclosures by issuer

Question 5

Code of ethics standards promote?

Answer 5

1. Honest and Ethical conduct
2. Full, Fair, Accurate, and timely disclosures(periodic F/S)
3. Compliance with laws, rules, and regulations

Question 6

Knowledge of the Financial Expert should include

Answer 6

1. UNDERSTANDING of audit committee functions
   -
2. P-reparation experience or auditing of F/S for comparable issuers
3. U-nderstanding of GAAP
4. G-AAP application
5. E-xperience with Internal Controls

Question 7

What is COSO?

Answer 7

COSO (Treadway Commission) : an independent private sector initiative, was initially established in the mid-1980s to study the factors that lead to fraudulent financial reporting. The private “ Sponsoring organizations” include the 5 major financial associations in the US.

Question 8

What is the COSO Framework?

Answer 8

Widely regarded as an appropriate and comprehensive basis to document the assessment of IC over financial reporting.

Question 9

What is the definition of IC?

Answer 9

Process-effected by those charged with governance, management, and other personnel-designed to provide reasonable assurance about the achievement of the entity’s objectives. Objectives represent what an entity strives to achieve.

Question 10

3 categories of an entities objectives

Answer 10

1. R-eliability of financial reporting
2. E-ffectiveness and efficiency of operations
3. C-ompliance with applicable laws and regulations

Question 11

5 Components of COSO

Answer 11

1. C-ontrol environment
2. R-isk Assessment
3. I-nformation and Communication Systems
4. M-onitoring
5. E-xisting Control Activities

Question 12

Control Environment definition

Answer 12

The overall tone of the organization

Question 13

Risk Assessment definition

Answer 13

Management’s identification of risk

Question 14

Information and Communication Systems definition

Answer 14

A means of recording transactions and communicating responsibilities

Question 15

Monitoring Definition

Answer 15

Assessment of internal control performance over time

Question 16

Existing Control Activities definition

Answer 16

Control policies and procedures

Question 17

Control Environment 7 principles

Answer 17

1. P-hilosophy and operating style of management
2. H-uman Resources
3. R- eporting Competencies(Financial)
4. A-uthority and Responsibility
5. S- tructure of the organization
6. E-thical values and integrity
7. D-irectors(Board)

Question 18

Philosophy and operating style of management definition

Answer 18

The shared belief and attitudes of management that impact the entire organization are defined by the risk management philosophy

Question 19

Human resources attributes

Answer 19

The commitment to hiring the most qualified people will influence the internal environment. Minimum educational and experience requirements, background checks, and the like demonstrate the commitment and promote individual and corporate accountability.

Question 20

Reporting Competencies attributes(Risk Appetite)

Answer 20

The amount of risk an organization will accept in the pursuit of value is defined by risk appetite. Factors heavily into balancing strategy with return

Question 21

A-uthority and Responsibility attributes

Answer 21

The degree to which individuals are given appropriate authority to handle their responsibilities and the degree to which they are held accountable influences the internal environment

Question 22

Structure of the organization

Answer 22

The organizational structure should support the entity’s enterprise risk management system

Question 23

Directors(Board) attributes

Answer 23

The degree of involvement and appropriate oversight provided by the board of directors establishes an organization-wide tone that recognizes authority and accountability

Question 24

Risk assessment attributes

Answer 24

1. GAAP accordance
2. Financial Reporting Objectives
3. F/S reporting risks
4. Fraud Risk

Question 25

Information and Communication attributes

Answer 25

Definition: Identify, capture, process, and distribute information supporting the accomplishment of financial reporting objectives. Attributes 1. Financial Reporting:Current, accurate, timely 2. IC Information: IC designed to capture compliance data and trigger responses where appropriate 3. Internal Communication: communication with personnel and outside the normal chain of command 4. External Communication: Open communication with everyone involved with the organization

Question 26

Monitoring Attributes

Answer 26

Definition: Provides an assessment of the performance of the system of IC over time. Attributes: 1. Ongoing/Separate Evaluations and Reporting Evaluations (Scope and frequency of evaluations varies based on the significance of the risk b being controlled 2. Metrics, Self-assessments, Computer network testing, internal auditing, 3. Reporting deficiencies in IC report to appropriate leadership in a timely manner

Question 27

Existing Control Activities attributes

Answer 27

Definition: Generally represent the policies and procedures used to implement IC Attributes: 1. Designed to mitigate risk 2. Selection and development 3. policies and procedures 4. IT

Question 28

ERM Definition

Answer 28

Enterprise Risk Management assists organizations in developing a comprehensive response to risk management. Intent of ERM is to allow management to effectively deal with uncertainty, evaluate risk acceptance, and build value. Value is maximized when strategy balances risks and returns as well as efficiency and effectiveness in accomplishing objectives

Question 29

ERM has the following themes

Answer 29

1. Aligning Risk Appetite and Strategy 2. Enhancing Risk Response Decisions 3. Reducing Operational Surprises and Losses 4. Identifying and Managing Multiple and Cross-Enterprise risks 5. Seizing Opportunities 6. Improving Deployment of Capital

Question 30

ERM defines enterprise objectives in 4 categories(S-etting Objectives in ERM)

Answer 30

1. S-trategic 2. O-perations 3. R-eporting 4. C-ompliance

Question 31

ERM Components in order

Answer 31

1. I-nternal environment 2. S-etting objectives 3. E-vent objectives 4. A- ssessment of risk 5. R-isk response 6. A-ctivities(Control) 7. I-nformation and Communication 8. M- onitoring

Question 32

ERM- Internal Environment elements

Answer 32

1. P-hilosophy of risk management 2. H-uman resources standards 3. R-isk appetite and response 4. A-uthority and responsibility 5. S-tructure(organizational) 6. E-thical values(Integrity) 7. D-irectors 8. C-ommitment to competence

Question 33

E-thical values and integrity definition

Answer 33

Adoption and demonstration of high ethical values by leadership will shape the internal environment

Question 34

C-ommiment to Competence

Answer 34

Management's specification of required competency levels for each job function establishes the organization-wide expectation of individual and thus corporate competence.

Question 35

S-trategic objectives defined

Answer 35

The broad, mission-driven objectives of an organization are its strategic objectives. Remain the same year after year while the related objectives and the selected objectives are more dynamic

Question 36

O-perations objectives defined

Answer 36

Includes efficiency, effectiveness, and profitability objectives that are subject to management discretion or style.

Question 37

R-eporting Objectives Defined

Answer 37

External and Internal objectives associated with timeliness and accuracy are associated with both financial and non-financial data

Question 38

C-ompliance objectives defined

Answer 38

Includes adherence to the laws, rules, and regulations associated with operations, including tax and financial reporting compliance, workplace safety, environment regulations, and other laws.

Question 39

E-vent Identification defined

Answer 39

Events both negative(Risks) and positive(opportunities) should be identified. An internal or external occurrence that impacts strategy or the achievement of objectives. Categories include SWOT Techniques 1. Event Inventories 2. Internal Analysis 3. Escalation or Threshold triggers

Question 40

A-ssessment of Risk

Answer 40

Risks are analyzed in relation to their likelihood and their severity and the anticipated risks that continue even after management has taken action. Supported by Inherent and residual risks, likelihood of impact, data sources, and event relationships.

Question 41

Inherent risks

Answer 41

The risk to an organization that exists if management takes NO action to change the likelihood or impact of an adverse event.

Question 42

Residual Risks

Answer 42

The risk to an organization that exists AFTER management takes action to mitigate the adverse impact of the event.

Question 43

Data Sources

Answer 43

Generally drawn from past experiences with similar events.

Question 44

Benchmarking

Answer 44

Use of common data from organizations with similar characteristics.

Question 45

Probabilistic Models

Answer 45

Use of a range of events and impacts WITH likelihood estimated using assumptions.

Question 46

Non-probabilistic Models

Answer 46

Use of subjective assumptions to estimate event impact WITHOUT estimating likelihood

Question 47

R-isk Response

Answer 47

Management's response to risk must align with the organization's overall risk appetite. Supported by the following key elements of risk avoidance, risk reduction, risk sharing, risk acceptance.

Question 48

Risk Avoidance

Answer 48

Management may elect to avoid or terminate risk.

Question 49

Risk Reduction

Answer 49

Management may elect to reduce or mitigate risk.

Question 50

Risk Sharing

Answer 50

Management may reduce risk by transferring risk

Question 51

Risk Acceptance

Answer 51

The company may take no action

Question 52

A-ctivities control(E in CRIME)

Answer 52

The policies and procedures used to effect management's response to risk.

Question 53

I-nformation and Communication(I in CRIME)

Answer 53

Includes the identification, capture, and communication of information throughout the organization in an effective manner.

Question 54

M-onitoring(M in CRIME)

Answer 54

Used to manage risk

Question 55

Ongoing Monitoring activities

Answer 55

Operating or functional support managers provide ongoing monitoring activity to verify the effective operation of controls.

Question 56

Separate evaluations

Answer 56

A fresh look at the effectiveness of IC can be highly valuable. Internal audit staff or Ad Hoc can conduct the evaluation.

Question 57

Change Control Process

Answer 57

Consider the manner in which management monitors and authorizes changes to a variety of IT matters including software application programs, system software, database administration, networks and security, and job scheduling.

Question 58

Total Production Ratios(TPR)

Answer 58

The value of all output relative to the value of all input.