Providing user documentation, maintaining fire suppression equipment in the File Library, and using usernames and passwords to control access to the system are all examples of what type of Control?
Definition of Feedback Controls
A procedure in which the results of a process are evaluated and, if the results are undesirable, the process is adjusted to correct the results; most detective controls are also feedback controls.
After the fact control designed to detect an error after it has occurred. Examples of detective controls include data entry edits (field checks, limit tests) and reconciliation of batch control totals.
Controls over specific data input, data processing, and data output activities. Designed to ensure the accuracy, completeness, and validity of transaction processing. As such, application controls have a relatively narrow focus on those accounting applications that are involved with data entry, update, and reporting.
Paired with detective controls, they attempt to reverse the effects of the error or irregularity which has been detected. Examples of corrective controls include maintenance of backup files, disaster recovery plans, and insurance.
Sarbanes Oxley of 2002, the CEO and CFO may be penalized for misrepresenting the company's finances by being?
Fined and Imprisoned
17 Components of Internal Control - Risk Assessment Section
- Organizational Objectives
- Change Management
TRUE OR FALSE - SOX stated that one member of the Audit Committee must be a "financial expert."
FALSE The Sarbanes-Oxley Act provides that at least one member should be a “financial expert.” The names of the financial experts must be disclosed. If the firm does not have a financial expert, it must provide an explanation.
Which of the following committees of the board of directors generally has the responsibility of overseeing CEO succession?
The nominating/corporate governance committee
Control Environment as a Component of Internal Control has 5 principals
The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. It may be viewed as the foundation for the other components of internal control.
- Ethics at the top of organization
- Independent Management
- Management establishes oversight
- Competent talent in organization
Director's Duty of Loyalty
The directors' duty of loyalty means that they must put the interest of the corporation before their personal interest. Assume a director is approached with a business opportunity that would be of interest to and benefit the corporation. However, the director is also interested in the opportunity. The director must first offer the opportunity to the corporation before pursuing it on his or her own behalf.
Auditing Standards divide internal control into five interrelated components (elements) as follows:
- Control Environment,
- Risk Assessment,
- Control Activities,
- Information and Communication, and
ERM - Risk Response
- Avoidance - exiting activity to avoid risk
- Reduction - taking steps to reduce risk likelihood or impact
- Sharing - transfers risk via insurance, hedging or outsourcing
- Acceptance - no action taken
Three Objectives of Internal Control (ROC)
- Reliability of reporting (financial statements)
- Efficiency and effectiveness of operations (significant events, safeguarding assets)
Compliance with applicable laws and regulations.
Internal Control Components of COSO & ERM
ERM has 8 Components (5 of which are same as COSO Components of IC)
- Internal Environment (COSO)
- Strategic Objective Setting
- Event Identification
- Risk Assessment (COSO)
- Risk Response - ERM's main focus for corporations
- Control Activities (COSO)
- Information and Communication (COSO)
- Monitoring (COSO)
SOX Act of 2002 did three things:
- SOX directed public company audit committees to install procedures for ensuring that whistleblowers' complaints are properly directed.
- SOX provided a civil damages action for public company whistleblowers who suffer retaliation for providing information in an investigation or participating as a witness or otherwise in a proceeding involving federal securities law violations.
- SOX made it a crime punishable by fine and/or imprisonment of not more than 10 years to retaliate against an informant who provided truthful information relating to the commission of any federal offense to a law enforcement officer (not just federal securities law violations).
Dodd-Frank created an entirely new anti-retaliation provision that whistleblowers are likely to use instead of the SOX provision (even as amended), because:
- Whistleblowers may sue directly in federal district court without going through the Department of Labor complaint process.
- Whistleblowers may recover two times the amount of back pay owed with interest and attorneys' fees if they establish that they are victims of retaliation.
- The SOL is much longer - whistleblowers must file within three years of when they knew, or should have known, they had the right to sue and within six years of the violation.
- Note that the SEC can also sue to punish such retaliation.
If an accountant learns such "original information" (i.e. whistleblower related) while acting as an internal auditor, or while working for a public accounting firm performing a mandated audit, he or she is disqualified from receiving a bounty?
Yes. Auditors are already duty-bound to report such information and as such they are viewed as not needing the incentive of a bounty to fulfill their obligation.
However, there are a few exceptions where the auditor could claim a bounty.
COSO Model Pyramid Structure
COSO ERM Model Cube
Attribute Standards - Internal Audit Charter
"The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval."
Attribute Standards - Organizational Independence
- "The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.
- The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity."
Attribute Standards - Quality Assurance and Improvement Program
- "The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity."
- "The quality assurance and improvement program must include both internal and external assessments."
Requirements of the Quality Assurance and Improvement Program - Internal Assessments
"Internal assessments must include:
- Ongoing monitoring of the performance of the internal audit activity; and
- Periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices."
A related Interpretation states, "Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the International Professional Practices Framework."
Requirements of the Quality Assurance and Improvement Program - External Assessments
"External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board:
- The need for more frequent external assessments; and
- The qualifications and independence of the external reviewer or review team, including any potential conflict of interest."
High Level Attribute Standards
- Purpose, Authority, and Responsibility (Standard 1000)
- Independence and Objectivity (Standard 1100)
- Proficiency and Due Care (Standard 1200)
- Quality Assurance & Improvement Program (Standard 1300)
High Level Performance Standards
- Managing the Internal Audit Activity (Standard 2000)
- Nature of Work (Standard 2100)
- Engagement Planning (Standard 2200)
- Performing the Engagement (Standard 2300)
- Communicating Results (Standard 2400)
- Monitoring Progress (Standard 2500)
- Resolution of Senior Management's Acceptance of Risks (Standard 2600)
Performance Standards: Managing the Internal Audit Activity - Planning
The chief audit executive should consider the entity's risk management framework, including established risk appetites set by management.
Performance Standards: Nature of Work - Risk Management
Determining that the risk management processes are effective is a judgment as to whether
- the organization's mission and objectives are aligned;
- significant risks are identified/assessed;
- risk responses are appropriate relative to risk appetites; and
- relevant risk information is captured and communicated in a timely manner.
Performance Standards - Resolution of Senior Management's Acceptance of Risks
"When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution."
The Dodd-Frank Act of 2010 established a requirement that:
- All members of the compensation committee of the board of directors be independent.
- All members of the audit committee of the board of directors be independent.
- All members of the corporate governance committee of the board of directors be independent.
- All members of the board of directors be independent.
All members of the compensation committee of the board of directors be independent.
All members of the compensation committee of the board of directors be independent.
The SEC is responsible for protecting investors; maintaining fair, orderly, and efficient markets; and facilitating capital formation. In achieving these responsibilities, the SEC enforces the U.S. securities laws.
- Division of Corporate Finance - reviews public filings.
- Division of Enforcement - law enforcement
- Office of Chief Accountant - accounting and auditing advisor for SEC
Dodd-Frank's Corporate Responsibility Provisions (other than whistleblowing (see separate card))
Say on Pay and Say on Golden Parachutes: Section 951 of the Dodd-Frank Act requires public companies to provide their shareholders with a periodic non-binding “advisory” vote to approve the compensation of its executives.
Independence for Compensation Committies and Compensation Consultants/Advisors: requires the SEC to direct the stock exchanges to adopt independence standards for public companies’ compensation committees considering certain factors established by the SEC.
Pay for Performance and Pay Equity Disclosures: Section 953 requires public companies to make disclosures regarding the relationship between a company’s executive compensation and its financial performance. Public companies must also disclose the ratio between a company’s CEO’s total compensation and the median total compensation for all other company employees.
Clawback Compensation: equires the SEC to direct the stock exchanges to require listed companies to develop and implement compensation claw-back policies enabling the recovery of incentive-based compensation from current or former executive officers following a restatement of financial results.
Hedging Disclosure: The SEC is required to issue rules requiring public companies to disclose whether employees and directors are permitted to hedge against any decrease in the value of the a public company’s stock.
Proxy Access: SEC required to issue rules permitting public company shareholders to nominate directors using the company’s proxy solicitation materials.
Dodd-Frank's Corporate Responsibility Provisions - Whistleblowing
Section 922 created a significant financial incentive for whistleblowers that voluntarily provide “original information” to the SEC that leads to the recovery of more than US$1 million in monetary sanctions from the violation of the federal securities laws. The provision impacts both public and private companies as there are a number of ways in which a private company can violate the federal securities laws (e.g., seeking investors). In addition to the financial incentives for whistleblowers, Section 922 creates a private right of action for whistleblowers who suffer retaliation which prohibits employers from discharging, demoting, suspending, threatening, harassing or otherwise discriminating against a whistleblower because of any lawful act or report by the whistleblower. In May 2011, the SEC adopted rules to establish a whistleblower program, and such rules are now effective.
SOX and Dodd-Frank - application to public and private companies?
NO...SOX only applies to publicly traded organizations. However, there is one exception where the whistleblower provision of Dodd-Frank does apply in certain circumstances to private companies.
Risk Assessment as a Component of Internal Control has 4 principals
Strategic Objectives (to acknowledge, identify and strategy development)
Fraud must be considered as a risk
- Change Management
Control Activities as a Component of Internal Control has 3 principals
Risk Reduction (integrate controls with risk strategy and assessment)
The exam may ask if Risk Reduction is part of the Risk Assessment component and it is NOT.
Information & Communication as a Component of Internal Control has 3 principals
- Quality information
- Internal (whistleblower)
Monitoring as a Component of Internal Control has 2 principals
- Must be ongoing and periodic (benchmarking)
- Must address control deficiencies
COSO ERM Objectives and Purpose
COSO ERM provides common language with regard to RISK and is effected by an organization's management.
- Strategic Objective
- Operations Objective
- Reporting Objective
- Compliance Objective
International Internal Auditing Standards
Attribute Standards focus on the implementation of the internal audit, characteristics of the individuals performing the audit and internal audit activities.
Performance Standards focus on high level management of the internal audit and creates measurement criteria.
Control Framework showing relationships amongst the control types
- Preventative - before the fact, passive controls
- Detective - after the fact, active controls, second line of defense
- Corrective - if error then action to correct, often paired with detective controls
Controls also fall under the umbrella of being either General Controls or Application Controls.
- General Controls are often preventative controls over the design and operation of the Computer System.
- Applications Controls deal with data input/output and processing and are often detective controls.
Financial Expert on the Audit Committee
The Sarbanes-Oxley Act provides that at least one member should (but doesn't have to) be a “financial expert.” The names of the financial experts must be disclosed. If the firm does not have a financial expert, it must provide an explanation. A financial expert is one that possesses all of the following attributes:
- An understanding of generally accepted accounting principles and financial statements
- Experience in preparing, auditing, analyzing, or evaluating financial statements of the breadth and complexity expected to be encountered with the company
- An understanding of internal controls and procedures for financial reporting
- An understanding of audit committee functions
What would a whistleblower's reward be for providing original information to the SEC that led to imposed penalties of $2,000,000?
Answer is in the range of 10-30% of the sanctions imposed. i.e. $200,000 - $600,000