E.1. Corporate Governance and Internal Control Framework Flashcards

Understand corporate governance structures, board roles, audit committees, and internal control components. (72 cards)

1
Q

What is the purpose of internal controls?

A

To assist the organization in achieving its objectives.

2
Q

What are the benefits of a strong internal control system?

A
  • Lower external audit costs
  • Better control over the assets of the company
  • Reliable information for use in decision-making
3
Q

What is corporate governance?

A

It includes all the means by which businesses are directed and controlled, including rules, regulations, processes, customs, policies, procedures, institutions, and laws.

4
Q

Who is primarily responsible for corporate governance?

A

Corporate governance is the joint responsibility of the organization’s board of directors and management. However, the board of directors is the primary direct stakeholder influencing corporate governance.

5
Q

What is the agency problem in corporate governance?

A

The agency problem arises from the fact that the owners of the corporation (shareholders) and the managers (agents) are different people with potentially conflicting priorities.

6
Q

Why is corporate governance important?

A

Good corporate governance is vital for the health and well-being of a country’s economy and helps prevent corporate downfalls like those of Enron and WorldCom.

7
Q

How is corporate governance related to risk management and internal control?

A

Governance, risk management, and internal control rely on each other to ensure effective business strategies and risk management processes.

8
Q

What is the primary role of internal audit in governance?

A

Assessing internal controls over financial reporting, operations effectiveness, and compliance with laws and regulations.

9
Q

What is required to form a corporation in the U.S.?

A

Application for a charter must be made to the proper authorities of a state, and articles of incorporation must be filed.

10
Q

What information is detailed in a corporation’s charter?

A
  • The name of the corporation
  • The length of the corporation’s life
  • Its purpose and nature of business
  • Authorized number of shares of capital stock
  • Provisions for amending the articles
  • Preemptive rights
  • Names and addresses of incorporators and initial board of directors
  • Name and address of the registered agent
11
Q

What are the initial steps a corporation must take after receiving a certificate of incorporation?

A
  • Incorporators elect directors if not named in the articles
  • Incorporators resign
  • Directors meet to complete the organizational structure

These steps are crucial for establishing the governance and operational framework of the corporation.

12
Q

What is the purpose of corporate bylaws?

A

Corporate bylaws specify internal management rules, including meeting requirements, quorum specifications, director elections, officer elections, officer responsibilities, share representation, payment of dividends, and how the bylaws can be amended.

Bylaws must conform to state laws and the articles of incorporation.

13
Q

What are the responsibilities of the board of directors?

A
  • Selecting and overseeing management
  • Setting corporate strategy and direction
  • Overseeing the internal control activities of the company
  • Ensuring compliance with laws and regulations
  • Board members should investigate any issues they consider important.

The board represents the shareholders and provides governance, guidance, and oversight.

14
Q

What is the role of the audit committee?

A

Overseeing accounting and financial reporting processes and audits of financial statements.

The audit committee is crucial for ensuring the integrity of financial reporting and compliance with regulations.

15
Q

What are the requirements for audit committee members?

A
  • At least three members
  • All members must be independent
  • At least one financial expert
  • All members must be financially literate

Independence means no material relationship with the company, and financial literacy is a listing requirement of stock exchanges.

16
Q

What responsibilities does the audit committee have regarding management fraud?

A

The audit committee is specifically responsible for addressing the risk of fraud by management override of internal control over financial reporting. Actions the audit committee can take include:

  • Maintaining skepticism
  • Understanding the business
  • Brainstorming to identify fraud risks and prioritizing them
  • Cultivating a whistleblower program

Oversight by the Board of Directors and the audit committee is the only deterrent to management fraud.

17
Q

What authority does the audit committee have under Rule 10A 3(b)(5) of the Securities Exchange Act?

A

Authority to engage independent counsel and other advisers, and to determine appropriate funding for the registered public accounting firm employed and any advisors employed by the committee.

18
Q

What is the significance of the board of directors having independent members?

A

Board members are responsible for questioning and scrutinizing management’s activities. Therefore, it is important for the board members to be independent of the company, meaning not active in the day-to-day management of the company.

Boards of companies that are listed on secondary securities markets must consist of a majority of independent directors, a requirement instituted by the Sarbanes-Oxley Act that applies to stock exchanges and the requirements they make of listed companies.

19
Q

What is the role of the audit committee in relation to external auditors?

A
  1. Selecting and nominating the external auditor
  2. Approving audit fees
  3. Supervising the external auditor
  4. Overseeing auditor qualifications and independence
  5. Discussing with the auditors matters required under generally accepted auditing standards, and reviewing the audit scope, plan, and results
20
Q

True or False:

A majority of the members of the audit committee must be independent.

A

False

All members of the audit committee must be independent per Section 10A 3(b)(3) of the Securities Exchange Act of 1934 (15 U.S.C. 78f), as amended.

21
Q

What are the requirements for members of the audit committee with respect to financial literacy for companies listed on stock exchanges?

A

Stock exchanges require all members of a listed company’s audit committee to be financially literate, and one member must be a financial expert.

The Nasdaq defines “financial literacy” as the ability to read and understand financial statements.

The SEC defines “financial expert” as someone who knows GAAP and can apply it; who has experience preparing, auditing, analyzing, or evaluating financial statements; who understands internal control over financial reporting; and who understands the audit committee’s functions.

22
Q

What is the purpose of policies and procedures in a corporation?

A

To assure that management’s instructions are carried out and to limit risks to achieving organizational objectives.

Policies establish expectations, while procedures put these policies into action.

23
Q

What are the responsibilities of a CEO in a corporation?

A
  • Growing the company
  • Increasing profitability
  • Monitoring company performance
  • Improving market price of stock
  • Strategic decision-making
  • Setting company culture and “tone at the top”
  • Public relations and media appearances

The CEO’s responsibilities can vary based on the size of the company and the authority delegated by the board of directors.

24
Q

Who elects the members of the board of directors?

A

Shareholders

Usually with each share of stock allowed one vote.

25
What is the definition of internal control according to the COSO publication, *Internal Control – Integrated Framework*?
It is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
26
What are the three categories of objectives that internal control applies to?
  1. Operations objectives
  2. Reporting objectives
  3. Compliance objectives
27
True or False: Once an internal control system has been set up, it can continue to function indefinitely.
False

Internal control is an ongoing process. It is not something that can be done once and be completed. It consists of ongoing tasks and activities to maintain the system.
28
True or False: If done properly, internal control procedures can guarantee that the company's objectives will be achieved.
False

Internal control procedures can provide **reasonable assurance** only--not a guarantee--that the company's objectives will be achieved in the areas of operations, reporting, and compliance.
29
What is internal control risk?
The risk that the design or operation of an entity’s internal control system will not prevent or detect a threat to the company’s achievement of its objectives relating to operations, reporting, and compliance.
30
Can internal control risk be eliminated?
No

Internal control risk exists even in the best control system because an internal control system cannot provide a guarantee that an organization will achieve its objectives.
31
Can internal control risk be managed?
Yes

Managing internal control risk involves designing, implementing, and maintaining a system of internal controls that can provide reasonable assurance that the organization’s objectives in the areas of operations, reporting, and compliance will be achieved.
32
What does maintaining an internal control system involve?
It requires that management evaluate the controls regularly and update them to respond to changes in the business and in its systems and procedures.
33
Where does the responsibility for overseeing the internal control system lie?
The board of directors is responsible for overseeing the internal control system.

The board’s oversight responsibilities include providing advice and direction to management, constructively challenging management, approving policies and major transactions, and monitoring management’s activities.
34
Who is ultimately responsible for the internal control system in a company?
The CEO

The CEO is ultimately responsible for the internal control system and the "tone at the top."
35
What are the five components of internal control according to the COSO framework, *Internal Control – Integrated Framework* (2013)?
  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring Activities
36
What is the role of internal auditors in a company's internal control system?
They evaluate the effectiveness of the internal controls established by management and contribute to their ongoing effectiveness, but they do not have responsibility for establishing or maintaining the control system.
37
What is the importance of the control environment in internal control?
It provides the organization’s ethical values. It includes the standards, processes, and structures that provide the foundation for carrying out internal control.

The board of directors and senior management are responsible for establishing the “tone at the top,” including expected standards of conduct that apply to all employees. Management is responsible for reinforcing the expectations at all levels of the organization.
38
What is the significance of the "tone at the top" in internal control?
The "tone at the top" refers to the overall ethical climate that originates at the top of the organization with the board of directors, the audit committee of the board, and the CEO that influences the entire organization's culture and the effectiveness of internal controls.
39
Who is directly responsible for developing and implementing an organization's internal control system?
The Chief Executive Officer and senior management.

The board of directors provides oversight, but the direct responsibility lies with the CEO and senior management.
40
What is the role of the organizational structure in achieving a company's objectives?
It provides the framework for planning, executing, controlling, and monitoring activities to achieve objectives.
41
What does delegation of authority entail in an organization?
It involves giving up centralized control of some business decisions, allowing them to be made at lower levels by those closest to day-to-day operations.
42
Why is it important for a company to attract, develop, and retain competent employees?
To ensure tasks are accomplished in accordance with the company's objectives and plans.
43
What should be included in a thorough background check when hiring new employees?
  • Confirmation of work histories
  • Confirmation of education
  • Checking references

Any embellishment or undisclosed history should be a red flag.
44
What is the responsibility of the board of directors regarding the CEO's competence?
The board of directors should evaluate the competence of the CEO.
45
What is the role of management in risk assessment?
Responsible for the assessment of risk within the control environment.
46
Define: Inherent risk
The susceptibility to a material misstatement in an account balance or class of transactions that exists naturally, assuming no controls are in place.
47
What is control risk?
The risk that an internal control will not prevent or detect in a timely manner a material misstatement in an account balance or class of transactions.
48
What is detection risk?
The risk that a material misstatement in an account balance or class of transactions that could result in a material weakness for the company will not be detected.
49
What is the first step in management's process of assessing risks to the achievement of the company's objectives?
Objective setting

The company’s objectives must be specified clearly enough so that the risks to those objectives can be assessed.
50
What should the identification of risks to the achievement of the company's objectives include?
  • Entity-level risk
  • Process-level (transaction) risk
  • Risks originating in outsourced service providers, suppliers, and channel partners

Both internal and external risks need to be identified, and the potential for fraud must be considered. The specific risks depend on the company's objectives.
51
What are some potential fraudulent activities that need to be considered as part of identifying risks to the company's achievement of its objectives?
  1. Fraudulent financial reporting
  2. Loss of assets
  3. Corruption
  4. Management fraud by override of controls
  5. Employee fraud - for example if two employees collude
  6. Fraud perpetrated from the outside - such as someone hacking into the computer systems.
52
What kind of remediation is necessary when fraud is detected?
The improper actions must be dealt with. In addition, steps may need to be taken to make changes in the risk assessment process and in other components of the internal control system such as control activities, to prevent future occurrences.
53
What steps are involved in the risk analysis that follows the identification of risks to the achievement of the company's objectives?
  1. Assess the likelihood or frequency of each risk’s occurring;
  2. Estimate the impact of each risk; and
  3. Consider how each risk should be managed by assessing what actions need to be taken.
54
What are the categories of risk responses that may be implemented following risk analysis?
  1. Acceptance - No action is taken
  2. Avoidance - Exiting the activity
  3. Reduction - Action taken to reduce the likelihood or impact of the risk
  4. Sharing - Reduce the risk likelihood or impact by transferring or sharing the risk such as by purchasing insurance

Risk assessment is an internal control function, but the actions taken by management to address the risks are a function of management.
55
What are control activities and what is their purpose?
They are actions established by policies and procedures that help ensure that management’s instructions intended to limit risks to the achievement of the organization’s objectives are carried out.
56
What are preventive controls?
Controls designed to avoid an unintended event such as an error or fraud before it occurs.
57
What are detective controls?
Controls designed to discover an unintended event after it has occurred but before the ultimate objective has occurred.
58
What are technology general controls?
They include controls over the technology infrastructure; security management; technology acquisition; development; and maintenance; restriction of technology access to authorized users to protect the organization’s assets from external threats.
59
What is the importance of segregation of duties in control activities?
Segregation of duties is typically a part of all control activities to prevent errors and fraud.
60
Why should control activities be integrated with risk assessment?
The control activities put into effect the actions needed to carry out risk responses.
61
What should management do if a discrepancy is identified during a reconciliation process?
Investigate the discrepancy, correct any errors, and reflect the correction in the reconciliation.
62
Why should management periodically review and reassess policies and procedures?
To ensure their continued relevance and make necessary revisions.
63
What are the principles related to the Information and Communication component of internal control?
  • Obtain or generate relevant, quality information.
  • Communicate information internally.
  • Communicate with external parties regarding matters affecting the functioning of internal control.
64
What types of information are needed to support internal control responsibilities?
Timely and relevant information, both financial and non-financial, from internal and external sources.
65
What is the role of internal communication in an organization?
To ensure that information, objectives, and responsibilities for internal control are communicated to support its functioning.
66
What forms can internal communication take within an organization?
  • Dashboards
  • Email messages
  • Training
  • One-on-one discussions
  • Written policies and procedures
  • Website postings
  • Social media postings
67
What should an organization communicate with external parties regarding its internal control?
Relevant and timely information affecting the functioning of internal control.
68
What are monitoring activities in an internal control system and what is their purpose?
Monitoring is the process of assessing the quality of the internal control system’s performance over time to determine whether the system is still relevant and still able to address new risks that may have developed. Monitoring ensures that the internal control system continues to operate effectively.

Monitoring also includes revisiting previously identified problems to make sure they have been corrected.
69
How can monitoring be conducted in an organization?
  • Ongoing evaluations built into business processes.
  • Separate evaluations conducted periodically.

If monitoring is done regularly during normal operations, the need for separate evaluations is lessened.
70
What should be done with findings from monitoring activities?
Findings should be evaluated against established criteria and deficiencies communicated to management and the board of directors as appropriate. Remedial action should be taken, and the results of the remedial action should also be monitored to be certain that the situation has been corrected.
71
What is required for an internal control system to be considered effective?
All five components (control environment, risk assessment, control activities, information and communication, and monitoring activities) and relevant principles must be present and functioning together in an integrated manner.
72
What assurance does an effective internal control system provide to senior management and the board of directors?
Reasonable assurance regarding the achievement of objectives, effective and efficient operations, conformity with reporting standards, and compliance with laws and regulations.