BEC 1 - Corporate Governance and Internal Control Flashcards Preview


Flashcards in BEC 1 - Corporate Governance and Internal Control Deck (39):
1

A public company audit committee must have at least one "financial expert," who must have all of the following:

(a) an understanding of GAAP and financial statements; (b) experience in preparing or auditing F/S; (c) experience with internal auditing controls; and (d) an understanding of audit committee functions

2

Under SOX, it is a crime to punish a public company whistleblower who provides truthful information relating to

any federal offense

3

Under the SOX retaliation cause of action, it is a crime to punish a public company whistleblower who provides truthful information relating to

federal securities law violations only

4

Under Dodd-Frank, if the SEC determines to impose penalties above $1 million, what percentage would be within the range of mandatory rewards?

Between 10-30% of sanctions imposed.

5

Public companies must adopt a code of ethics for:

senior financial officers.
CFOs, comptrollers, principal accounting officers, and others performing similar functions.

6

T/F: Detective controls are more costly than preventive and corrective controls.

True
Detective controls have to be continually performed to be effective, whereas preventive controls are largely set once they have been put into place.

7

T/F: Application controls are controls over the computing environment as a whole.

False.
General controls are controls over the environment as a whole helping to ensure that data integrity is maintained.

Application controls are controls over specific data input, data processing and data output activities ensuring the accuracy, completeness, and validity of transaction processing. Narrowly focused on those accounting applications that are involved with data entry, updates, and reporting.

8

Preventive controls attempt to stop an error or irregularity before it occurs. They are typically "passive," meaning that once they are in place, they simply need to be activated to be effective. Examples include:

Locks on buildings and doors, use of username and password to gain access to computer resources, and building segregation of duties into the organizational structure.

9

Detective controls attempt to detect an error after it has occurred. They are typically "active" as they must be continually performed in order to be effective. Examples include:

Data entry edits (checks for missing data, values that are too large or too small), reconciliation of accounting records to physical assets (bank recs, inventory counts), and tests of transactions to determine whether they comply with management's policies and procedures (audits).

Note that they can take on preventive characteristics (e.g., surveillance cameras).

10

Corrective controls are always paired with detective controls. They attempt to reverse the effects of the observed error or irregularity. Examples include:

Maintenance of backup files, disaster recovery plans, and insurance.

11

The COSO "cube" model for internal control contains 5 fundamental components, which are:

C - Control activities
R - Risk assessment
I - Information and communication
M - Monitoring
E - Control environment

12

Which of the 5 fundamental components of the COSO "cube" model is described as:
* Management's philosophy toward controls, organizational structure, system of authority and responsibility, personnel practices, policies, and procedures. This component is the core or foundation of any system of internal control.

Control Environment

13

Which of the 5 fundamental components of the COSO "cube" model is described as:
* The process of identifying, analyzing, and managing the risks involved in achieving the organization's objectives. This topic is covered in greater depth in the "Risk Management Policies and Procedures" lesson.

Risk assessment

14

Which of the 5 fundamental components of the COSO "cube" model is described as:
* The information and communication systems that enable an organization's people to identify, process, and exchange the information needed to manage and control operations.

Information and communication

15

Which of the 5 fundamental components of the COSO "cube" model is described as:
* In order to ensure the ongoing reliability of information, it is necessary to monitor and test the system and its data.

Monitoring

16

Which of the 5 fundamental components of the COSO "cube" model is described as:
* The policies and procedures that ensure that actions are taken to address the risks related to the achievement of management's objectives.

Control Activities

17

T/F: The COSO model was developed to help guide efforts to articulate and improve accounting controls.

True.

18

T/F: A sustainability report is primarily an external, nonfinancial report.

True

19

In the COSO "cube" model, each of the following is a control objective except
A. Compliance.
B. Monitoring.
C. Operations.
D. Reporting.

B. Monitoring is correct because it is not a control objective in the COSO model.

20

T/F: Management should establish oversight of outsourcing service providers.

True

21

Under COSO Internal Control Principles, what are the 5 principles of control under control environment?

1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence of management, and oversees the development and monitoring of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities to achieve objectives, including integrating organizational structures and services including outsourced service providers.
4. Competence -- The organization demonstrates a commitment to attract, develop, and retain competent individuals consistent with achieving organizational objectives.
5. Accountability -- The organization holds individuals accountable for their internal control responsibilities.

22

Under COSO Internal Control Principles, what are the 4 objectives under risk assessment?

1. Objectives -- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks that threaten the achievement of objectives.
2. Assessment -- The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risk should be managed.
3. Fraud -- The organization considers the potential for fraud in assessing risks to the achievement of objectives.
4. Change management -- The organization identifies and assesses changes in the external environment, business model and organizational leadership that could impact the system of internal control.

23

Under COSO Internal Control Principles, what are the 3 principles of control under control activities?

1. Risk reduction -- Organizational control activities mitigate (i.e., reduce) the risks to the achievement of objectives to acceptable levels.
2. Technology controls -- The organization selects and implements general controls over technology which support the achievement of its objectives.
3. Policies -- The organization's control activities inform policies that establish stakeholder expectations. Established procedures ensure the implementation of these policies.

24

Under COSO Internal Control Principles, what are the 3 principles of control under information and communication?

1. Quality -- Relevant, high-quality information supports the internal control processes.
2. Internal -- Internal communication supports internal control processes.
3. External -- Communication with outsiders supports internal control processes.

25

Under COSO Internal Control Principles, what are the 2 principles of control under monitoring?

1. Ongoing and periodic -- Ongoing and separate evaluations evaluate internal control functioning.
2. Address deficiencies -- Parties responsible for taking corrective action, including senior management and the board of directors, receive timely communication of internal control deficiencies.

26

Why manage risk? Four elements on the horizontal, representing the objectives of managing enterprise risk:

strategic, operations, reporting, and compliance
a. Strategic objectives -- High-level goals that support the overall mission of the organization
b. Operations objectives -- Goals that deal with the day-to-day operating activities of the organization (sales activities, warehousing, manufacturing, etc.)
c. Reporting objectives -- Information system goals related to the accuracy, completeness, timeliness, and reliability of internal and external reporting
d. Compliance objectives -- Goals designed to ensure that the organization meets all legal and regulatory requirements

27

What will we manage? Eight control components

Internal (control) environment, Objective Setting, Event identification, Risk assessment, Risk response, Control Activities, Information & Communication, Monitoring

28

Where will we manage risk? Four organizational levels, indicated in the third dimension (depth)

Subsidiary, Business Unit, Division, Entity-Level

Risks and objectives differ depending on the specified organizational level

29

According to COSO ERM, the goals of risk management include:

1. Aligning risk appetite and strategy -- Assessing and documenting the organization's risk appetite improves the match between desired and chosen risk. It also permits the development of mechanisms to manage risks.
2. Improving risk responses -- Enterprise risk management permits better choices from among alternative risk responses (risk avoidance, reduction, sharing, and acceptance).
3. Reducing operational surprises and losses -- Risk identification and management enhances the capacity to identify potential events and establish responses, reducing surprises and associated costs or losses.
4. Identifying and managing multiple and cross-enterprise risks -- Every enterprise faces risks across the organization; enterprise risk management facilitates effective responses to the interrelated impacts, as well as integrated responses to multiple related risks.
5. Seizing opportunities -- By considering a full range of potential events, management can better identify and proactively act on opportunities.
6. Improving capital deployment -- Risk information allows management to better assess capital needs and improve capital allocation.

30

What is the expected value of a loss when analyzing and decomposing risk?

It is the likelihood of the loss, multiplied by the amount of a loss, should one occur.

31

Segregation of Duties (SoD) - Consider four critical activities related to internal control, which should be separated to lessen fraud risk:

1. Authorizing events -- e.g., approving customer credit, authorizing payment of an invoice, approving shipping to a customer;
2. Recording events -- e.g., completing source documents, such as a customer invoice or bill of lading, posting events into the general ledger;
3. Safeguarding resources related to events (custody) -- e.g., maintaining the cash in a bank vault or the inventory in a store;
4. Reconciling, overseeing and auditing -- e.g., board of directors' review, internal and external audits, and reconciling system logs with known system activity.

32

According to COSO, what are the two primary attributes of effective evaluators?

Competence and objectivity are the two main attributes of effective evaluators that are identified by COSO.

33

According to COSO, the use of ongoing and separate evaluations to identify and address changes in internal control effectiveness can best be accomplished in which of the following stages of the monitoring-for-change continuum?

Change Identification is the monitoring for change process that would include ongoing and separate evaluations intended to identify and address changes in internal control effectiveness.

34

In a large public corporation, evaluating internal control procedures should be the responsibility of
A. Accounting management staff who report to the CFO.
B. Internal audit staff who report to the board of directors.
C. Operations management staff who report to the chief operations officer.
D. Security management staff who report to the chief facilities officer.

B. The key to recognizing the correctness of this answer is that the question asks who should engage in "evaluating" internal control procedures (not design or implement control procedures). Among the offered choices, an independent internal audit staff, i.e., who report to the board of directors or an audit committee, but not the CFO, are best qualified to monitor and evaluate internal control procedures.

35

According to COSO, the use of ongoing and separate evaluations to establish a new baseline after changes have been made can best be accomplished in which of the following stages of the monitoring-for-change continuum?

The change management stage involves evaluating the design and implementation of changes and establishing a new baseline.

36

List the four activities that comprise the design and execution of control monitoring.

Prioritize risks, identify controls, identify persuasive information about controls, implement monitoring procedures.

37

What is a condition requiring attention that may represent a perceived, potential, or real shortcoming, or an opportunity to strengthen the system to increase the likelihood of achieving objectives?

An internal control deficiency

38

Name the three activities that comprise assessing and reporting on control monitoring.

Prioritize findings, report results as appropriate, follow up to implement corrective actions.

39

What are the three elements of establishing a foundation for control?

The tone at the top, organizational structure, baseline understanding of control effectiveness.