Module 40: Corporate Governance, Internal Control, and Enterprise Risk Management Flashcards Preview


Flashcards in Module 40: Corporate Governance, Internal Control, and Enterprise Risk Management Deck (164):

Corporate Governance

Includes the policies, procedures, and mechanisms established to control management; it is designed to mitigate the agency problem.


Agency Problem

Professional managers may not manage in the best interest of the entity; rather, they may manage in their own best interest. This arises because the shareholders (the principals) are separated from the operation (management) of the firm, which is carried out by their agents.


Internal Control (updated definition)

A process, effected by the entity's BofD, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.


COSO Internal Control Framework

1. Control Activities
2. Risk Assessment
3. Information and Communication
4. Monitoring
5. Control Environment


COSO Enterprise Risk Management

1. Control Activities
2. Risk Assessment
3. Information and Communication
4. Monitoring
5. Internal Environment
6. Objective Setting
7. Event Identification
8. Risk Response

All components work together to allow an organization to identify risk to achieving the organization's objectives and appropriately manage those risks.


Enterprise Risk Management

A process, effected by an entity's BofD, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the organization and to manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of organizational objectives.


Articles of Incorporation

The document filed with the secretary of state to obtain a certificate of incorporation, which includes:
1. proposed name of the corporation and initial address
2. purpose of the corporation
3. the powers of the corporation
4. the name of the registered agent of the corporation
5. name and address of each incorporator
6. number of authorized shares of stock and types of stock

Generally amended by a BofD resolution that is then submitted to the shareholders for approval (shareholders have voting rights on amendments to the articles; see Rights of Shareholders).


Audit Committee

The (independent) committee of the BofD that oversees the accounting and financial reporting processes of the company and oversees the audits of financial statements of the company. The Sarbanes-Oxley Act (and the NYSE and NASDAQ) requires all members to be independent.

Duties: appointment, compensation, and oversight of the external auditors; resolution of any disagreements between management and the external auditor.


Black Swan Analysis

Evaluating the occurrence of events that had negative effects and were unanticipated or viewed as highly unlikely


Board of Directors

The body charged with running the corporation on behalf of the shareholders and other stakeholders. It is responsible for providing strategic direction and guidance about the establishment of the key business objectives of the corporation


Business Judgment Rule

A case law-derived concept that provides that a corporate director may not be held liable for errors in judgment, provided the director acted with good faith, loyalty, and due care.

However, directors may be held personally liable for approving and paying illegal dividends. Also they are responsible for their own torts (wrongful acts) even if they are acting on behalf of the corporation


Compensation Committee

The committee of the BofD that reviews and approves executive compensation, makes recommendations to the board regarding incentive-based compensation, and attempts to align incentives with shareholder objectives and risk appetite.


The Dodd-Frank Act (2010)

Requires all members of the compensation committee to be independent and provides that in setting compensation, the members may request the company to engage compensation advisors that are independent of management.

Shareholders must be allowed a non-binding vote on executive compensation at least every 3 years, and a vote every 6 years as to whether the vote on compensation should be held more often

Requires non-binding vote by shareholders on "golden parachutes" to be provided to executives as a result of major transactions


Corporate Bylaws

Set forth how the directors and/or officers are selected, how meetings are conducted, the types and duties of officers, and the required meetings. Should also prescribe the process for bylaw amendment. All officers and directors should have a copy.


Duty of Loyalty

A concept that provides that directors and officers must put the interest of the corporation before their personal interest. Accordingly, if a director is approached with a business opportunity that would be of interest to and benefit the corporation, he must first offer the opportunity to the corporation before pursuing it on his own behalf.



An individual that monitors internal control within an organization


Executive Perquisites

Executive benefits other than compensation, such as retirement, use of corporate assets, golden parachutes, and corporate loans


Inherent Risk

The risk to the organization if management does nothing to alter its likelihood or impact


Residual Risk

The risk of the event after considering management's response


Risk Appetite

The amount of risk an organization is willing to accept to achieve its objective


Risk Assessment

Analyzing the potential effects of a risk (its likelihood and impact)


Risk Tolerance

The acceptable variation with respect to achieving a particular objective


Self-Serving Activities

Put management's interests before the shareholders' by shirking, taking too little or too much risk, or consuming excessive perks


Self-serving activities are mitigated by...

Corporate governance, which involves developing an appropriate legal structure and establishing appropriate incentives (forms of compensation) and monitoring devices to deter this inappropriate activity



Shareholders

Provide the basic capital of the corporation and elect the board of directors. Shareholders are the major stakeholders of the corporation, but other stakeholders include employees, customers, suppliers, government regulators, and society.


Rights of Shareholders

1. annual meetings are required by bylaws
2. voting rights for articles of incorporation amendments or fundamental changes (mergers/ liquidations)
3. last to receive their capital during liquidation
4. right to receive dividends if declared by the BofD
5. right to subscribe to new stock issues so that their ownership is not diluted, as set forth in the Articles of Incorporation (preemptive right = allowed to purchase shares before the general public)
6. right to inspect books and records in good faith and for a proper purpose
7. right to sue on behalf of the corporation if officers and directors do not, for reasons such as a director's violation of fiduciary duty, illegal declaration of dividends, or fraud by an officer

Shareholders have no right to manage the corporation unless they are also officers or directors (e.g., CEO, CFO)


Derivative Legal Suit

Shareholders sue on behalf of the corporation if officers and directors do not, for reasons such as a director's violation of fiduciary duty, illegal declaration of dividends, or fraud by an officer


Preferred Shareholders

Generally have no voting rights but they have preference as to dividends and receipt of capital upon liquidation of the company


Common Shareholders

In many cases have cumulative voting rights in the election of directors: each shareholder receives a number of votes equal to the shares owned multiplied by the number of directors being elected, and may cast all of them for a single candidate or spread them among candidates. This gives minority shareholders a better chance of electing at least one director.


Directors (of the Board)

Are fiduciaries of the corporation; elected by the common shareholders and have no individual power to bind the corporation. The power is collective (decisions made by majority vote).

Must exercise ordinary care and due diligence in performing their duties, and act in a manner that they believe is in the best interest of the corporation. They must disclose any conflicts of interest.


Examples of BofD Duties

1. determining the mission of the corporation
2. selection and removal of the CEO
3. amending the bylaws, unless this is a responsibility of the shareholders
4. determining management compensation
5. decisions regarding the declaration and payment of dividends
6. decisions regarding major acquisitions and capital structure
7. advising management
8. providing governance oversight, with the assistance of internal and external auditors
9. ensuring accurate financial reporting by the corporation
10. risk management



Officers

Operate the company based on the authority delegated to them by the board of directors; each is an agent of the corporation who can bind the corporation within the scope of his or her authority; responsible for fair presentation of financial reports (including the f/s)

SOX requires the CEO and CFO to certify the financial statements

SOX generally prohibits personal loans to officers or directors of a public company; exceptions are made for loans "in the ordinary course of business"

Have a fiduciary duty to the corporation and are liable for their own torts

The corporation is not bound by the acts of an officer acting beyond their scope.


Forms of Executive Compensation

Used in an attempt to align management's behavior with the objectives of the shareholders, i.e., to tie management decisions to the long-term goals of shareholders (long-term stock price)
1. base salary and bonuses
2. stock options
3. stock grants
4. executive perquisites (perks)


Executive Base Salary and Bonuses

This system compensates managers based on performance (measured by accounting profit). Risky because it can give managers an incentive to cook the books for short-term gain.


Stock Options

This system compensates managers with an incentive to manage the corporation to increase the stock price, which is consistent with the goal of shareholders

Disadvantage: managers may have an incentive to increase stock price in the short-term at the expense of long-term value.

Often, time restrictions (e.g., a vesting period of three years or more) are placed on exercising the options to reduce this incentive.


Stock Grants

Involve issuing shares of stock as part of management's compensation. Two types:
1. restricted stock- cannot be sold by the manager for a specific period of time, usually 10 years
2. performance shares- issuance of stock if certain level of performance is met.


Executive Perquisites

Retirement benefits, use of corporate assets, golden parachutes, and corporate loans


The best forms of executive compensation

a combination of fixed compensation and incentive compensation that is related to long-term stock price.

Bonuses are effective if they are based on a composite of performance measures in addition to net profit, such as the amount of research and development expenditures, the corporation's market share, the number of new products developed, and/or the percentage of stock held by institutional investors (e.g., pension plans) who intend to hold the stock for the long term.
Such composites of measures are referred to as balanced scorecards.


Monitoring Devices

Monitor management behavior

Internal: board of directors and internal auditors
External: external auditors, analysts, credit agencies, attorneys, the SEC and the IRS


Board Oversight

For effective governance oversight, board members must be competent and a majority should be independent (not part of management and does not receive benefit other than the compensation of being a board member)


Inside Directors

Officers, employees or stockholders who are on the board of directors


Wall Street Reform and Consumer Protection (Dodd-Frank) Act of 2010

Requires public corporations to disclose why the chairman of the board is, or is not, also the CEO


Board Committees for Effective Governance

1. the nominating/ corporate governance committee
2. the compensation committee
3. the audit committee


The Nominating/ Corporate Governance Committee

1. oversees board organization, including committee assignments
2. determines director qualifications and training
3. develops corporate governance principles
4. oversees CEO succession


Members of the Audit Committee Should...

At least one member should be a "financial expert"; if the audit committee does not have a financial expert, the company must disclose why.

Financial Expert (a judgment call made by the Board), someone who has:
1. an understanding of GAAP and financial statements
2. experience in preparing, auditing, analyzing, or evaluating financial statements of the breadth and complexity expected to be encountered by the company
3. an understanding of internal controls and procedures for financial reporting
4. an understanding of audit committee functions

These may be obtained from: education and experience as a principal financial officer, public accountant, controller, or equivalent; experience supervising an individual in one of the previously mentioned positions; experience overseeing or assessing the performance of companies or public accountants with respect to preparing, auditing, or evaluating financial statements; or other relevant experience.


Whistleblowers and Audit Committee

The audit committee should establish procedures for the receipt, retention, and treatment of complaints by employees, including confidential, anonymous submissions


Dodd-Frank Act and Whistleblowers

Dodd-Frank provides for civil actions by whistleblowers who are retaliated against by the company; SOX prohibits retaliation.

Dodd-Frank goes further than SOX in protecting whistleblowers.


Section 302 of the SOX act

Requires the CEO and CFO to certify that they:
1. have reviewed the quarterly and annual financial reports filed with the SEC and believe they are fairly stated and contain no material misstatements
2. are responsible for establishing and maintaining internal control
3. have evaluated the effectiveness of IC and believe the controls are effective, as indicated in management's report on IC
4. have reported to the auditors and the audit committee all significant deficiencies in IC, and are not aware of any post-evaluation changes that could significantly affect IC


NYSE & NASDAQ Rules Related to Corporate Governance and Director Independence

Require listed corporations to:
1. have a majority of independent directors on their board
2. make determination of independence of members and provide info to investors about the determination
3. identify certain relationships that automatically preclude a member from being independent
4. have non-management directors meet at a regularly scheduled executive sessions
5. adopt and make publicly available a code of conduct applicable to all directors, officers, and employees, and disclose any waivers of the code for directors or executive officers
6. have an independent audit committee.


NYSE & NASDAQ rules that make a director not independent

1. if a director has been an employee of the corporation or an affiliate in the last 5 years (3 for NASDAQ)
2. if a family member of a director has been an officer of the corporation or affiliate in the last 5 years (3 for NASDAQ)
3. if director was a former partner or employee of the corporation's external auditor in the last 5 years (3 for NASDAQ)
4. if a director or a family member in the last 3 years received more than $120,000 (in 12 month period) in payments from the corporation other than for director compensation
5. if a director is an executive of another entity that receives significant amounts of revenues from the corporation (vendor or supplier to the corp)


Internal Auditors

Perform audits of the risk management activities, internal controls, and other governance processes of the corporation (referred to as assurance services). Results should be communicated to the audit committee and the board.

The NYSE requires its listed companies to maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company's risk management processes and system of IC.


Institute of Internal Auditors (IIA)

professional organization of internal auditors.

Issues International Standards for the Professional Practice of Internal Auditing and a Code of Ethics for internal auditors.

Administers the Certified Internal Auditor program (CIA). Multipart exam that requires two years of internal audit experience (or its equivalent) and it demonstrates that the individual is competent to perform internal audits


International Standards for the Professional Practice of Internal Auditing

Include rules and interpretations for assurance services and consulting services.

Broken down into:
1. attribute standards- related to the characteristics of the internal audit activity
2. performance standards- describe the nature of internal audit activities and the quality criteria against which they are evaluated
3. implementation standards- expand upon the attribute and performance standards


Internal Audit Assurance Services

Involve providing an independent assessment of governance, risk management or control processes of an organization.

Examples: assurance about financial presentation, compliance, performance, and security system


Internal Audit Consulting Services

Involve advisory related services to improve an organization's governance, risk management or control processes.

Examples: training, advising, and facilitating


Aspects of International Standards for the Professional Practice of Internal Auditing that relate particularly to corporate governance include:

1. the purpose, authority, and responsibility of the internal audit activity should be formally defined in the internal audit charter. This should recognize the need to adhere to the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing. Also, apply to individual internal auditors and internal audit activities

2. internal audit activity must be independent and IA must be objective in performing their work; must have impartial, unbiased attitude and avoid conflicts of interest

3. engagement must be performed with proficiency (knowledge, skill, and competencies needed) and due professional care

4. IA's must enhance their knowledge and skills with continuing professional development, and the chief audit executive must develop and maintain a quality assurance and improvement program

5. the chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board

6. the chief audit executive must establish risk-based plans to determine audit priorities, which includes effectively employing resources and establishing policies and procedures

7. the chief audit executive should share information and coordinate work with other internal auditors and external auditors

8. the chief audit executive should periodically report to senior executives and the board on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan

9. the internal audit activity must assess, and make appropriate recommendations for improving, the governance process in accomplishing its objectives

10. the internal audit activity must evaluate the effectiveness of, and contribute to the improvement of, the risk management process

11. internal audit activity must assist the org in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement

12. audit engagements should be adequately planned, including appropriate identification of objectives and scope. audit work programs should be developed and audit work should be adequately supervised

13. chief audit executive must establish and maintain a system to monitor the disposition of audit results communicated to management; (i.e. track findings and follow up)


Internal Auditor Independence

Achieved by organizational independence, which means auditors cannot be influenced by the management of the functional areas that they audit.

Chief audit executive should ideally report (functionally) to the audit committee and administratively to the CEO.

Functional reporting examples: board approvals of the internal audit charter, budget and resource plan; risk based audit plan; remuneration of the chief audit executive; and decisions regarding appointment and discharge of the chief audit executive.

If independence is impaired, details must be disclosed to appropriate parties


IA Quality Assurance and Improvement Programs Should Include...

1. internal assessments that include ongoing monitoring of performance and periodic self-assessment or review by other qualified individuals within the organization
2. external assessments at least once every 5 years by qualified independent assessors
3. chief audit executive should communicate the results of the quality assurance and improvement program to senior management and the board


Governance Process Objectives (that IA must assess)

1. promoting appropriate ethics and values within the organization
2. ensuring effective organizational performance management and accountability
3. communicating risk and control information to appropriate areas of the org
4. coordinating activities of and communicating information among the board, external and internal auditors, and management


External Auditor Responsibility

performing an audit of the corporation's financial statements and internal control in accordance with standards of the PCAOB


Major corporate governance monitoring device for a corporation

external auditor


Section 404 SOX

requires that management acknowledge its responsibility for establishing adequate internal control over financial reporting and provide an assessment in the annual report of the effectiveness of internal control


Section 404 SOX for accelerated filers

(large public corporations) requires that external auditors attest to management's report on internal control as part of the audit of the financial statements


Accelerated Filers (Large Public Corporations)

Classified by public float:
Large accelerated filer = public float of $700 million or more

Accelerated filer = public float of $75 million or more (but less than $700 million)


Public Float

the portion of outstanding shares held by public investors, as opposed to shares held by directors, officers, and other affiliates


External Auditor Communication

required (by SOX) to communicate to the audit committee information that will help the committee perform its oversight function, e.g.:
- consultation with other accountants
- significant disagreements with management
- written management representations
- material misstatements (corrected or not)


Section 802 SOX

Prohibits a person from knowingly destroying, mutilating, altering, falsifying, or concealing records or documents to impede or influence an investigation by any department or agency of the United States

penalty is a fine or imprisonment for not more than 20 years or both


Investment banks and securities analysts

Investment bankers help corporations issue equity and debt offerings and must evaluate the company before becoming involved in selling its securities.

Securities analysts evaluate the company and issue recommendations (buy, hold, sell).

Both therefore act as external monitoring devices.


Creditors act as...

an external monitoring device

debt agreements with covenants must be complied with; creditors monitor compliance

limitation is that they usually rely on information provided by management, although they often require audited financial statements


Credit Rating Agencies

rate the credit worthiness of corporate bonds and are external monitoring devices, much like security analysts

limitation is that they may improperly set initial rating and are slow to downgrade ratings once corps have financial difficulty

Dodd Frank Act helps prevent conflicts of interest and improve transparency


SEC Responsibility

protecting investors; maintaining fair, orderly, and efficient markets; and facilitating capital formation by enforcing US securities laws


SEC consists of

5 presidentially appointed commissioners


SEC divisions and offices related to corporate governance

1. Division of Corporation Finance
2. Division of Enforcement
3. The Office of the Chief Accountant


Division of Corporation Finance

reviews documents of publicly held companies that are filed with the SEC; checks whether they are meeting disclosure requirements and seeks to improve the quality of disclosures


Division of Enforcement

assists the SEC in executing its law enforcement function by recommending the commencement of investigations of securities law violations, recommending which cases to take to court, and prosecuting these cases on behalf of the Commission


The Office of the Chief Accountant

advises the Commission on accounting and auditing matters, oversees the development of accounting principles, and approves the auditing rules put forward by the PCAOB (the SEC must approve the PCAOB's rules)


Provisions of SOX that improved SEC as external monitoring device

1. the CEO and CFO must certify the accuracy and truthfulness of periodic financial reports filed with the SEC (criminally and civilly liable for an incorrect certification)

2. public companies must disclose whether they have established a code of ethics for senior financial officers

3. any person who knowingly perpetrates or attempts a scheme to defraud any other person by misrepresenting or making false claims in connection with the purchase or sale of securities can be fined or imprisoned for up to 25 years, or both


Dodd- Frank awards

will award whistleblowers for providing info about violations of securities laws that result in aggregate monetary sanctions in excess of $1 million


Whistleblower is eligible to receive

10%-30% of monetary sanction (if greater than $1 m) if info is derived from independent knowledge or analysis of the whistleblower and not known to the government from any other source


Individuals generally excluded from receiving monetary sanctions from whistleblower act are...

1. officers, directors, trustees, or partners of an entity, when those individuals learned of information about the misconduct from another person or in connection with the company's process for identifying potential illegal conduct

2. employees whose main function involves compliance or internal audit, or individuals hired to investigate possible violations of law

3. employees of public accounting firms performing an engagement required by the securities laws

Exception: these individuals may still receive an award if it appears that the company is attempting to act in a way that would harm investors or inhibit an investigation, or if 120 days have passed since they reported the violation internally.


Where to report a securities violation

Whistleblowers are encouraged to report information through the company's normal internal corporate governance channels; doing so may increase the amount of the award.


Can sue company for retaliation against whistleblowers

provision by SOX and strengthened by Dodd-Frank


Jumpstart Our Business Startups Act (JOBS Act)

Exempts "emerging growth companies" for a maximum of 5 years from the date of their initial public offering from certain requirements that apply to larger public companies, including:
1. certain disclosure requirements
2. requirement for an integrated audit of internal control
3. requirements regarding shareholder votes on executive compensation


Corporate Takeovers

act as a corporate governance device; if management is performing poorly, the corp may be subject to takeover by a firm that believes it can more efficiently utilize the corps resources (provides an incentive)


Poison Pill Defense

defense to corporate takeovers; gives existing shareholders (other than the acquirer) the option to purchase additional shares at a discount, diluting the acquirer's stake and making the takeover more expensive


Internal Control Objectives

1. Operations Objectives
2. Reporting Objectives
3. Compliance Objectives


Operations Objectives (IC)

the organization achieves effective and efficient operations. Where significant external events can be predicted, their potential effects are mitigated; where they cannot be mitigated, the organization understands the extent to which operations can still be managed. Also includes safeguarding of assets.


Reporting Objectives (IC)

org prepares internal and external financial and nonfinancial reports in conformity with applicable laws, rules, regulations, standards, and internal policies


Compliance Objectives (IC)

org complies with applicable laws, rules, and regulations


Control Environment (IC)

the set of standards, processes, and structures that provide the basis for carrying out IC across the org

foundation for other components of IC

Comprises:
1. integrity and ethical values
2. parameters enabling the board to carry out its oversight responsibilities
3. org structure and assignment of authority and responsibility
4. process for attracting, developing, and retaining competent individuals
5. rigor around performance measures, incentives, and rewards to drive accountability for performance


Principles relating to the control environment

1. the organization demonstrates a commitment to integrity and ethical values
2. the BofD demonstrates independence from management and exercises oversight of the development and performance of IC
3. management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
4. the org demonstrates commitment to attract, develop and retain competent individuals in alignment with objectives
5. the org holds individuals accountable for their IC responsibilities in the pursuit of objectives


Demonstrate commitment to integrity and ethical values

communication and enforcement of integrity and ethical values

management should establish a tone at the top of the org through directives, actions, and behavior that encourages appropriate behavior

do this with standards (code) of conduct, official policies, directives, and by example

individuals should be evaluated for adherence and deviations should be addressed


exercise oversight responsibility

board must collectively possess appropriate expertise and have sufficient members that are independent from management


establish structure, authority, and responsibility

with board oversight

structured along various dimensions such as product or service, legal entity, or geographic market

orgs delegate authority and responsibility to enable management and other personnel to make decisions according to management's directives

delegating authority increases risk, which means management should establish appropriate limitations of authority


demonstrate commitment to competence

commitment to competence is supported by human resource management processes for attracting, developing, and retaining the right fit of management, other personnel, and outsourced service providers

succession planning and contingency planning for assignment of IC responsibilities is also very important


enforce accountability

Board should hold CEO responsible for establishing system of IC to achieve objectives

accountability should be supported by appropriate performance measures, incentives and rewards

must be cognizant of the effects of undue pressure, which may cause individuals to circumvent processes or engage in fraudulent activities


Risk Assessment (IC)

Risk: the possibility that an event will occur and adversely affect the achievement of objectives in the areas of operations, reporting or compliance

Risk Assessment: process for identifying, analyzing, and responding to risks


Risk Assessment Principles (IC)

1. org specifies objectives with significant clarity to enable the identification and assessment of risks relating to objectives

2. org identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed

3. org considers the potential for fraud in assessing risks to the achievement of objectives

4. org identifies and assesses changes that could significantly impact the system of IC

5. management must decide how much risk may be prudently accepted, strive to maintain risk within these levels, and understand how much tolerance it has for exceeding targeted risk levels


After risks have been identified (IC)...

a risk analysis is performed, which involves estimating the likelihood of the risk occurring and estimating its impact

management then determines which risks require response

response can include acceptance, avoidance, reduction, or sharing


Control Activities (IC)

policies and procedures that help ensure that management directives are carried out

Authorization and Approvals
Physical Controls
Controls over standing data
Supervisory Controls


Control Activity Principles (IC)

RIPS (reviews, information processing, physical controls, segregation of duties)

1. org selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels

2. org selects and develops general control activities over technology to support the achievement of objectives

3. org deploys control activities through policies that establish what is expected and in procedures that put policies into action


General Controls Over Technology

control activities that support the reliability of two or more types of transactions or processes

Controls over:
1. technology infrastructure which are designed to ensure the completeness, accuracy, and availability of technology processing
2. access to technology to restrict access to authorized users
3. the acquisition, development, and maintenance of technology and its infrastructure


Transaction Controls

designed to ensure that particular transactions (e.g., payroll) are accurate, complete, and authorized

Further segregated into:
1. input controls
2. processing controls
3. output controls


Information and Communication Principles (IC)

1. org obtains or generates and uses relevant, quality information to support the functioning of IC
2. org internally communicates info, including objectives and responsibility for internal control, necessary to support the functioning of IC
3. org communicates with external parties regarding matters affecting the functions of IC


Information and Communication (IC)

Management must design an effective information system, considering the requirements of users, that reliably captures internal and external sources of data, processes the data into information and maintains quality throughout processing


Quality of information (within information and communication of IC)

quality is essential and depends on whether info is accessible, correct, current, protected, retained, sufficient, timely, valid, and verifiable


Information and communication to be effective

information must be communicated through appropriate methods to management, other personnel and BofD

example: anonymous whistleblower hotline should be established to ensure that employees and other parties can report inappropriate activity

processes and channels must be established to facilitate communication to appropriate external parties such as regulators, owners, financial analysts, and customers


Monitoring (IC)

monitoring activities assess whether each of the five IC components are present and functioning

may be achieved by ongoing activities or separate evaluations


Ongoing monitoring activities

regularly performed supervisory and management activities, such as continuous monitoring of customer complaints or reviewing the reasonableness of management reports


Separate evaluations

monitoring activities that are performed on a nonroutine basis, such as periodic audits by internal auditors


Monitoring Principles (IC)

1. org selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of IC are present and functioning

2. org evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the BofD, as appropriate. *** this is not an ongoing monitoring activity



Individuals that monitor controls within an organization


Characteristics of Evaluators

should be competent and objective in the particular circumstances

competence is the evaluator's knowledge of IC and related processes, including how controls should operate and what constitutes a deficiency

objectivity refers to whether that person can evaluate the controls without concern about possible consequences of discovering deficiencies


Internal control systems can fail because

1. they are not designed or implemented properly
2. they are properly designed and implemented, but changes in the environment have occurred making the controls ineffective
3. they are properly designed and implemented, but the way they operate has changed making the controls ineffective


Control Baseline

establishing a starting point that includes a supported understanding of the existing internal control system; serves as a starting point for monitoring IC

understanding allows orgs to design ongoing and separate monitoring procedures


Change Identification

Identifying through monitoring changes in internal control that are necessary because changes in the operating environment have taken place, such as changes in regulations or changes in the economic environment


Change Management

evaluating the design and implementation of the changes, and establishing a new baseline

effective change management process enables management to control:
1. change requests
2. change analyses
3. change decisions
4. change planning, implementation, and tracking

*effects of changes should be considered; changes should be authorized, communicated, documented, and thoroughly tested before being implemented


Control revalidation/ update

periodically revalidating control operation when no known changes have occurred


Monitoring Sequence of Activities

1. control baseline
2. change identification
3. change management
4. control revalidation/ update


The effectiveness and efficiency of monitoring can be enhanced by

linking it to the results of the risk assessment component of internal control

this allows evaluators to focus monitoring attention on controls that address meaningful risks (aka key controls)


Key control characteristics (meaningful risks)

1. their failure could materially affect the area's objectives, and other controls would not be expected to detect the failure on a timely basis; and
2. their operation might prevent or detect other control failures before they had an opportunity to become material to the organization's objectives

*evaluator should determine what constitutes sufficient suitable evidence to determine this


direct evidence

evidence obtained from observing the control and reperforming it


indirect evidence

evidence that identifies anomalies that may signal control change or failure

e.g. evidence derived from operating statistics, key risk indicators (forward-looking metrics that serve to identify problems), performance indicators, comparative industry data


ongoing monitoring vs separate monitoring

ongoing is better because it can offer the first opportunity to identify and correct control deficiencies


communication of deficiencies discovered via monitoring

should be reported to appropriate internal and external individuals so corrective action can be taken


track corrective action

to determine if action is taken on a timely basis


classifications of internal controls

have been developed to help the evaluation process

1. preventive controls, detective controls, and corrective controls

2. feedback and feed-forward controls


feedback controls

evaluate the results of a process and adjust the process if the results indicate the process is not operating effectively


feed-forward controls

project results into the future and make changes to alter their projected results


limitations of internal control

reasonable but not absolute assurance because of:

1. human judgment in decision making
2. human errors and mistakes
3. circumvention by collusion
4. management override of internal control
5. cost constraints (cost should not exceed benefits)
6. custom, culture, and the corporate governance system may inhibit fraud, but they are not absolute deterrents


Section 404 of SOX requires management to provide a report on effectiveness of the IC system, which includes...

1. a statement of management's responsibility for establishing and maintaining adequate IC over f/r for the corp
2. a statement identifying the framework used by management to conduct the required assessment of the effectiveness of IC (e.g. COSO)
3. an assessment of the effectiveness of IC as of the end of the company's most recent fiscal year, including an explicit statement as to whether the IC over f/r is effective. Material weaknesses should be disclosed
4. if applicable, a statement that the corp's registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the IC (reminder: external auditors of accelerated filers must attest to and report on the effectiveness of IC)


Benefits of ERM

1. helps align risk appetite of the organization with its strategy
2. enhances risk response decisions, reduces operational surprises and losses
3. identifies and manages cross-enterprise risks
4. provides integrated responses to multiple risks
5. helps the organization seize opportunities, and
6. improves the deployment of capital


Risk Management process involves...

1. identifying risks
2. assessing risks
3. prioritizing risks
4. determining risk responses
5. and monitoring risks


Internal Environment (ERM)

basis for all other components of ERM, provides discipline and structure

encompasses tone of the organization, and sets the basis for how risk is viewed and addressed by an organization; including risk management philosophy and risk appetite, and integrity and ethical values


Objective Setting (ERM)

ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the mission and are consistent with risk appetite


strategic objectives

high-level goals aligned with the organization's mission

these objectives are linked and integrated with specific objectives established for various activities


ERM objective categories (3)

divided into three categories:

1. operations objectives
2. reporting objectives
3. compliance objectives


Event Identification Techniques (ERM)

1. event inventories
2. internal analysis
3. escalation or threshold triggers
4. facilitated workshops or interviews
5. process flow analysis
6. leading event indicators
7. loss event data methodologies


Event (ERM)

an incident that occurs or might occur that affects implementation of strategy or achievement of objectives

may be negative (risks) or positive (opportunities) or both


event inventories

developing a detailed listing of potential events


internal analysis

this may be done at regular staff meetings; it may involve using info from other stakeholders such as customers, suppliers, etc.


escalation or threshold triggers

management predetermines limits that cause an event to be further assessed


facilitated workshops or interviews

involves soliciting info about events from management and staff

example: a facilitator may lead a discussion of events that might affect achieving an organization's objectives


process flow analysis

involves breaking processes down into inputs, tasks, responsibilities, and outputs to identify events that might adversely affect the process


leading event indicators

involves monitoring data correlated to events, to identify when the event is likely to occur


loss event data methodologies

using repositories of past events that resulted in loss, management can identify event trends and the root causes of events


black swan analysis

evaluating the occurrence of events that had negative effects and were unanticipated or viewed as highly unlikely


Risk Assessment (ERM)

risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed (should assess inherent and residual risk for an event)


inherent risk

risk to the org if management does nothing to alter its likelihood or impact


residual risk

risk of the event after considering management's response


qualitative techniques in risk assessment (ERM)

used to assess risk when risks do not lend themselves to quantification or when sufficient reliable data is not available to use a quantitative model


probabilistic or non-probabilistic models are used to...

quantify risk


probabilistic models

associate a range of events and the resulting impact with the likelihood of those events based on certain assumptions

example: value at risk, cash flow at risk, earnings at risk, and development of credit and operational loss distributions


non-probabilistic models

use subjective assumptions in estimating the impact of events without quantifying an associated likelihood

examples: sensitivity measures, stress tests, and scenario analysis


Risk Response (ERM)

management selects risk responses that are consistent with the risk appetite of the organization including:
1. Avoidance
2. Reduction
3. Sharing
4. Acceptance (retention)


Avoidance (risk response)

this response involves exiting the activity that gives rise to the risk


Reduction (risk response)

involves taking action to reduce risk likelihood or impact, or both.

example: might involve managing the risk or adding additional controls to processes


Sharing (risk response)

Involves reducing risk likelihood or impact by transferring or sharing a portion of the risk. Techniques include:
1. insurance
2. hedging
3. outsourcing


Acceptance (retention) risk response

no action is taken because the risk is consistent with the risk appetite of the org


Control Activities (ERM)

policies and procedures should be established and implemented to help ensure the risk responses are carried out effectively


Information and Communication (ERM)

Information is needed at all levels of the org to identify, assess and respond to risks

Communication should effectively convey the importance and relevance of effective ERM, the org's objectives, the org's risk appetite and risk tolerances, a common risk language, and the roles and responsibilities of personnel in effecting and supporting the components of ERM


Monitoring (ERM)

the entire ERM process should be monitored to make needed modifications

monitoring is accomplished by ongoing management activities, and separate evaluations, such as those performed by independent auditors


3 Limitations of ERM

1. risk relates to the future which is uncertain
2. ERM provides info about risks of achieving objectives but it cannot provide even reasonable assurance that objectives will be achieved (you can't say that the co will even be functioning in a year)
3. ERM cannot provide absolute assurance with respect to any of the objective categories


Specific limitations with respect to ERM not providing absolute assurance of any objective categories include:

1. ERM is subject to human judgment with regard to risk and impact
2. a well-designed ERM can break down
3. collusion
4. management override