Corporate Governance Flashcards

Flashcards in Corporate Governance Deck (53):

Who has the right and responsibility to manage a corporation?

Its board of directors (BD)


How many directors on the board should be independent?

At least two, if possible


What other names can the board of directors be called?

(1) executive board
(2) board of managers
(3) board of trustees
(4) board of governors


What is an audit committee?

An independent committee of board members that oversees the company's financial reporting process, including internal auditing and interaction with any external auditors


What must an audit committee include?

At least one financial expert


What must all members of an audit committee be?

Independent of the corporation -- not accepting compensatory fees for advisory, consulting, or other positions


How are officers in a corporation related to directors?

Officers are appointed by the BD, and the same people can be officers and directors


What is a disclosure committee?

A committee that may optionally be formed in order to cover various disclosure issues in financial reporting
-e.g. timeliness, materiality, reporting info to management


Who is responsible for evaluating the operating effectiveness of internal controls over financial reporting (ICFR)?

Management, NOT the external auditor

The point is that the auditor should not audit his own work, but should audit management's representations concerning internal controls


What are the general purposes of the Sarbanes-Oxley (SOX) Act?

(1) regulating auditors of public companies
(2) establishing sound corporate governance
(3) enhancing corporate reporting and disclosure
(4) strengthening enforcement for various laws and regulations


What does Section 302 of SOX require?

A company's CEO and CFO must certify (1) accuracy, (2) reliability, and (3) completeness for financial statements, in addition to (4) reliability of internal controls


Under Section 302 of SOX, what are the CEO and CFO sometimes called?

The signing officers


Under Section 302 of SOX, are the CEO and CFO required to ensure their presented financial info's conformity with GAAP?

Yes, but the requirements to which they must conform extend beyond GAAP as well -- the overall goal is to fully inform investors


What does Section 404 of SOX require?

A company's management must oversee internal control over financial reporting (ICFR)


Under Section 404 of SOX, what is management required to do regarding ICFR?

(1) prepare an annual report on ICFR
(2) prepare a statement of responsibility for ICFR
(3) conform to an acceptable framework for ICFR (e.g. COSO)
(4) prepare a statement of conclusion for ICFR's operating effectiveness
(5) disclose any material weaknesses in ICFR


Besides management's duties, what else does Section 404 of SOX require?

The external auditor must attest to and report on management's assessment of ICFR

Generally done when evaluating the annual and quarterly reports


What does SOX require for companies' disclosure controls?

Companies must maintain and evaluate controls governing info that is disclosed in various required reports

In particular, controls related to nonfinancial info (outside the financial statements) must be more clearly laid out


When a company is evaluating its disclosure controls, what are the typical things it checks for?

(1) whether the right people are involved
(2) whether key risk areas are addressed
(3) possible weaknesses
(4) whether voiced concerns have been addressed


Under SOX, what is the penalty for signing officers if they falsely certify the financial statements?

Up to $1 million and/or 10 years in prison

If willful, up to $5 million and/or 20 years in prison


Which companies do not need to comply with SOX?

Nonpublic and nonprofit companies

They can voluntarily adopt SOX standards to have a recognized level of internal control quality


What are different objectives for internal control?

(1) financial reporting
(2) operational effectiveness or efficiency
(3) regulatory compliance

Compliance with SOX deals with (1)


What are inherent limitations to internal control?

Internal control is intended to provide "reasonable assurance" and thus always involves risk, such as miscalculations, conspiracy, and management override


Who is responsible for a company's internal control?



What is the most commonly adopted framework for internal control?

Committee of Sponsoring Organizations' (COSO) Integrated Framework


What are the five key elements of the COSO framework?

(1) control environment
(2) risk assessment
(3) information and communication
(4) control activities
(5) monitoring


Under the COSO framework, what is the control environment?

The overall foundation for the other components of internal control, involving how people act, think, and are aware of internal control. Includes:
-organizational structure
-HR policies
-management's philosophy
-communication of company ethics


Under the COSO framework, what is risk assessment?

The company's identification of its own risks (particularly as related to financial statements), determining how to manage them


Under the COSO framework, what are information and communication?

All processes and duties related to the keeping and transferring of info

Includes considerations for the flow of info from management "downward" and from lower levels "upward"


Under the COSO framework, what are control activities?

Policies and procedures providing reasonable assurance that management decisions are carried out. Include:
-performance reviews
-physical controls
-segregation of duties
-information processing (general controls and application controls)


Under the COSO framework, what is monitoring?

Keeping track of internal control quality over time, and correcting mistakes as needed -- important due to internal controls' natural tendency to deteriorate over time

Monitoring is management's responsibility


What is a control deficiency?

When a control, either in design or in operation, would not prevent or detect a misstatement on a timely basis

Not necessarily evidenced by some particular control failure, since controls are not expected to be 100% effective


What are two different kinds of control deficiency?

(1) design deficiency -- in what it is intended to do, regardless of how well it does it
(2) operating deficiency -- in how well it fulfills what it's designed to do


What are two different degrees of control deficiency?

(1) significant deficiency and (2) material weakness

Material weaknesses lead to the reasonable possibility of material misstatement in the financials; significant deficiencies are less bad but still deserve attention


Can a deficiency be determined to be a material weakness purely quantitatively?

Generally, no -- other qualitative factors should always be taken into consideration

The degree of deficiency is ultimately a matter of professional judgment


What are the International Standards for the Professional Practice of Internal Auditing?

Standards set by the Institute of Internal Auditors (IIA) to be used by internal auditors in whatever environment they work in

In the context of internal auditing, these are just called the "Standards"


What is the general structure of the Standards?

It ultimately includes two types of standards: (1) attribute standards and (2) performance standards, both of which are applicable to all internal auditing


In the Standards, what is the difference between attribute standards and performance standards?

Attribute = pertain to the company's or the internal auditor's attributes (e.g. independence)

Performance = pertain to the performance of the actual internal auditing services themselves


What is an internal audit charter?

A formal document defining the internal audit activity's purpose, rights, and duties within the organization


What are four attributes required among internal auditors?

(1) independence - no conflicts of interest
(2) objectivity - mentally unbiased, assumed responsibility
(3) proficiency - requisite skills
(4) due professional care - care of a reasonably prudent professional in the circumstances

(1) and (2) must be held both in fact and in appearance


As an attribute standard, what must internal auditors continue to maintain?

Continuing professional education - continuously improving their knowledge of the profession


What is required of internal auditors when reporting on their corporation's quality assurance?

The chief audit executive is required to report on quality assurance and improvement programs to the board and to senior management


What is a disclosure of nonconformance?

Any nonconformity with the Standards, code of ethics, or other professional auditing standards, if it affects the internal audit, must be communicated to the board and to senior management


According to the performance standards for an internal audit, what is the chief audit executive responsible for?

(1) managing the internal audit
(2) determining the audit's priority given the risks of unaudited activity and other business goals
(3) managing resources needed for the audit
(4) establishing policies and procedures for the audit
(5) reporting to the board and to senior management


According to the performance standards for an internal audit, what are some objectives of the internal audit?

(1) improving corporate governance
(2) managing risk
(3) improving internal controls


What is enterprise risk management (ERM)?

Developing a risk strategy for a company, considering its "risk appetite," resources, and other factors

ERM is relevant to corporate governance mostly insofar as it addresses the risk of material misstatement on the financials


What are four different ways to manage risk?

(1) risk avoidance
(2) risk reduction
(3) risk sharing
(4) risk acceptance


What are the three components of the ERM framework?

(1) establishing company objectives
(2) identifying factors, internal and external, that might hinder or prevent the attainment of those objectives
(3) choosing a risk management strategy


What sort of approach does the SEC recommend in monitoring the effectiveness of controls?

A "top-down" approach: starting at company-level controls, then finding controls related to more subsidiary processes or accounts, and so on


What are the benefits of having effective company-level controls?

More time-intensive testing on smaller levels is not necessary -- external auditors are not permitted to rely solely on company-level control evaluations, though their workload on lower levels can still be reduced by good company-level controls


What is a very important practice when testing controls?

Sampling -- varies based on population size, previous experience with control, nature of control, etc.


When management assesses internal controls for itself, including sampling, who is responsible for the nature, extent, and timing of control testing?
The auditor is responsible only for his sampling procedures; management cannot unduly rely on the auditor's decisions to support their own assessment of control effectiveness


What is the change control process?

A formal process which ensures that required changes to ICFR have been done


Who can hold management responsible for properly executing the change control process?

The audit committee