Flashcards in Corporate Governance Deck (53):
Who has the right and responsibility to manage a corporation?
Its board of directors (BD)
How many directors on the board should be independent?
At least two, if possible
What other names can the board of directors be called?
(1) executive board
(2) board of managers
(3) board of trustees
(4) board of governors
What is an audit committee?
An independent committee of board members that oversees the company's financial reporting process, including internal auditing and interaction with any external auditors
What must an audit committee include?
At least one financial expert
What must all members of an audit committee be?
Independent of the corporation -- not accepting compensatory fees for advisory, consulting, or other positions
How are officers in a corporation related to directors?
Officers are appointed by the BD, and the same people can be officers and directors
What is a disclosure committee?
A committee that may optionally be formed in order to cover various disclosure issues in financial reporting
-e.g. timeliness, materiality, reporting info to management
Who is responsible for evaluating the operating effectiveness of internal controls over financial reporting (ICFR)?
Management, NOT the external auditor
The point is that the auditor should not audit his own work, but should audit management's representations concerning internal controls
What are the general purposes of the Sarbanes-Oxley (SOX) Act?
(1) regulating auditors of public companies
(2) establishing sound corporate governance
(3) enhancing corporate reporting and disclosure
(4) strengthening enforcement for various laws and regulations
What does Section 302 of SOX require?
A company's CEO and CFO must certify (1) accuracy, (2) reliability, and (3) completeness for financial statements, in addition to (4) reliability of internal controls
Under Section 302 of SOX, what are the CEO and CFO sometimes called?
The signing officers
Under Section 302 of SOX, are the CEO and CFO required to ensure their presented financial info's conformity with GAAP?
Yes, but the requirements to which they must conform extend beyond GAAP as well -- the overall goal is to fully inform investors
What does Section 404 of SOX require?
A company's management must oversee internal control over financial reporting (ICFR)
Under Section 404 of SOX, what is management required to do regarding ICFR?
(1) prepare an annual report on ICFR
(2) prepare a statement of responsibility for ICFR
(3) conform to an acceptable framework for ICFR (e.g. COSO)
(4) prepare a statement of conclusion for ICFR's operating effectiveness
(5) disclose any material weaknesses in ICFR
Besides management's duties, what else does Section 404 of SOX require?
The external auditor must attest to and report on management's assessment of ICFR
Generally done when evaluating the annual and quarterly reports
What does SOX require for companies' disclosure controls?
Companies must maintain and evaluate controls governing info that is disclosed in various required reports
In particular, controls related to nonfinancial info (outside the financial statements) must be more clearly laid out
When a company is evaluating its disclosure controls, what are the typical things it checks for?
(1) whether the right people are involved
(2) whether key risk areas are addressed
(3) possible weaknesses
(4) whether voiced concerns have been addressed
Under SOX, what is the penalty for signing officers if they falsely certify the financial statements?
Up to $1 million and/or 10 years in prison
If willful, up to $5 million and/or 20 years in prison
Which companies do not need to comply with SOX?
Nonpublic and nonprofit companies
They can voluntarily adopt SOX standards to have a recognized level of internal control quality
What are different objectives for internal control?
(1) financial reporting
(2) operational effectiveness or efficiency
(3) regulatory compliance
Compliance with SOX deals with (1)
What are inherent limitations to internal control?
Internal control is intended to provide "reasonable assurance" and thus always involves risk, such as miscalculations, conspiracy, and management override
Who is responsible for a company's internal control?
What is the most commonly adopted framework for internal control?
Committee of Sponsoring Organizations' (COSO) Integrated Framework
What are the five key elements of the COSO framework?
(1) control environment
(2) risk assessment
(3) information and communication
(4) control activities
(5) monitoring
Under the COSO framework, what is the control environment?
The overall foundation for the other components of internal control, involving how people act, think, and are aware of internal control. Includes:
-communication of company ethics
Under the COSO framework, what is risk assessment?
The company's identification of its own risks (particularly as related to financial statements), determining how to manage them
Under the COSO framework, what are information and communication?
All processes and duties related to the keeping and transferring of info
Includes considerations for the flow of info from management "downward" and from lower levels "upward"
Under the COSO framework, what are control activities?
Policies and procedures providing reasonable assurance that management decisions are carried out. Include:
-segregation of duties
-information processing (general controls and application controls)
Under the COSO framework, what is monitoring?
Keeping track of internal control quality over time, and correcting mistakes as needed -- important due to internal controls' natural tendency to deteriorate over time
Monitoring is management's responsibility
What is a control deficiency?
When a control, either in design or in operation, would not prevent or detect a misstatement on a timely basis
Not necessarily evidenced by some particular control failure, since controls are not expected to be 100% effective
What are two different kinds of control deficiency?
(1) design deficiency -- in what it is intended to do, regardless of how well it does it
(2) operating deficiency -- in how well it fulfills what it's designed to do
What are two different degrees of control deficiency?
(1) significant deficiency and (2) material weakness
Material weaknesses lead to the reasonable possibility of material misstatement in the financials; significant deficiencies are less bad but still deserve attention
Can a deficiency be determined to be a material weakness purely quantitatively?
Generally, no -- other qualitative factors should always be taken into consideration
The degree of deficiency is ultimately a matter of professional judgment
What are the International Standards for the Professional Practice of Internal Auditing?
Standards set by the Institute of Internal Auditors (IIA) to be used by internal auditors in whatever environment they work in
In the context of internal auditing, these are just called the "Standards"
What is the general structure of the Standards?
It ultimately includes two types of standards: (1) attribute standards and (2) performance standards, both of which are applicable to all internal auditing
In the Standards, what is the difference between attribute standards and performance standards?
Attribute = pertain to the company's or the internal auditor's attributes (e.g. independence)
Performance = pertain to the performance of the actual internal auditing services themselves
What is an internal audit charter?
A formal document defining the internal audit activity's purpose, rights, and duties within the organization
What are four attributes required among internal auditors?
(1) independence - no conflicts of interest
(2) objectivity - mentally unbiased, assumed responsibility
(3) proficiency - requisite skills
(4) due professional care - care of a reasonably prudent professional in the circumstances
(1) and (2) must be held both in fact and in appearance
As an attribute standard, what must internal auditors continue to maintain?
Continuing professional education - continuously improving their knowledge of the profession
What is required of internal auditors when reporting on their corporation's quality assurance?
The chief audit executive is required to report on quality assurance and improvement programs to the board and to senior management
What is a disclosure of nonconformance?
Any nonconformity with the Standards, code of ethics, or other professional auditing standards, if it affects the internal audit, must be communicated to the board and to senior management
According to the performance standards for an internal audit, what is the chief audit executive responsible for?
(1) managing the internal audit
(2) determining the audit's priority given the risks of unaudited activity and other business goals
(3) managing resources needed for the audit
(4) establishing policies and procedures for the audit
(5) reporting to the board and to senior management
According to the performance standards for an internal audit, what are some objectives of the internal audit?
(1) improving corporate governance
(2) managing risk
(3) improving internal controls
What is enterprise risk management (ERM)?
Developing a risk strategy for a company, considering its "risk appetite," resources, and other factors
ERM is relevant to corporate governance mostly insofar as it addresses the risk of material misstatement on the financials
What are four different ways to manage risk?
(1) risk avoidance
(2) risk reduction
(3) risk sharing
(4) risk acceptance
What are the three components of the ERM framework?
(1) establishing company objectives
(2) identifying factors, internal and external, that might hinder or prevent the attainment of those objectives
(3) choosing a risk management strategy
What sort of approach does the SEC recommend in monitoring the effectiveness of controls?
A "top-down" approach: starting at company-level controls, then finding controls related to more subsidiary processes or accounts, and so on
What are the benefits of having effective company-level controls?
More time-intensive testing on smaller levels is not necessary -- external auditors are not permitted to rely solely on company-level control evaluations, though their workload on lower levels can still be reduced by good company-level controls
What is a very important practice when testing controls?
Sampling -- varies based on population size, previous experience with the control, nature of the control, etc.
When management assesses internal controls for itself, including sampling, who is responsible for the nature, extent, and timing of control testing?
The auditor is responsible only for his sampling procedures; management cannot unduly rely on the auditor's decisions to support their own assessment of control effectiveness
What is the change control process?
A formal process that ensures required changes to ICFR have actually been made