Corporate Governance, Internal Control and Enterprise Risk

Transcription

1 Corporate Governance, Internal Control and Enterprise Risk Chapter One Black CPA Review Chapter 1

2 Objectives: Objective 1: Understand the elements of corporate governance Objective 2: Understand internal controls Objective 3: Understand Enterprise Risk Management Objective 4: Know the various elements of the International Standards for the Professional Practice of Internal Auditing Black CPA Review Chapter 1

3 Objective 1: Understand the elements of corporate governance A. Corporate governance is the use of compensation, organization, and monitoring devices to help align the actions of an organization s management with the needs of the owners or shareholders. A corporation is formed when the articles of incorporation are filed with the Secretary of State. Within the articles, a set of bylaws are created that dictate executive compensation and organization. a. Executive Compensation Executive compensation is an important tool used to help align management s actions with the needs of the shareholders. It is important to have a good balance of fixed based compensation and incentive based compensation i. Fixed based salary and bonuses A type of compensation where management receives a set amount of money plus bonuses based on performance. 1. Downsides to this type of compensation: a. The factors determining the bonuses may be manipulated by management b. Management may become complacent or shirk their duties because they receive money regardless of the outcome of the company s finances c. Management may take a risky or short- sighted approach to business decisions in order to try and make a larger bonus ii. Stock grants A type of compensation where management receives stock as compensation. 1. There are two types of stock grants you need to know a. Restricted stock This is stock given to management that may not be sold for a predetermined period of time. This type of compensation urges management to take a long- term position on business decisions in order to help grow the corporation s stock over time. b. Performance shares These are stocks given to management for reaching certain predetermined goals. As the company does better, management s compensation increases iii. Stock options A type of compensation where management receives the option to purchase company stock at a set price. This gives management the incentive to drive the stock price up. 1. Downsides to this type of compensation: a. Management may take large risks in order to push the stock price up in the short- term b. If the stock price falls, management may not receive adequate compensation Black CPA Review Page 1-1

4 iv. Executive perks Type of compensation where management receives additional perks such as retirement benefits, use of assets (company car), or other various incentives. b. The best form of compensation is a mix of fixed based compensation and incentive based compensation B. Monitoring devices comprise another part of corporate governance. Both internal and external devices are set up to monitor the behavior of management. a. The board of directors oversees the operation of a corporation for the shareholders. i. The board of directors: 1. Hires and fires the corporate officers 2. Is elected by the shareholders of the corporation 3. Determines salaries for officers and dividend policies ii. The majority of board members should be independent from the company and not considered part of management iii. In order for the board of directors to effectively act as a monitoring device for corporate governance, the following committees should be created: 1. Audit committee This is a committee made up of board members that oversees the hiring, payment, and oversight of external auditors. The members act as a buffer between the company s management and the external auditors. The audit committee helps to handle any problems that arise between the external auditors and company management. a. The Sarbanes- Oxley Act states that at least one member of the audit committee should be a financial expert. If the company does not have a financial expert on the audit committee they must explain why. b. External auditors should report directly to the audit committee c. Internal auditors should have access to the audit committee 2. Compensation committee The compensation committee is in charge of determining management compensation a. The committee determines management s compensation and reviews performance measures to determine incentive compensation b. The committee s goal is to determine an appropriate mix of compensation in an effort to align the management s decision- making with the goals of the shareholders c. Dodd- Frank act requires that all members of the compensation committee be independent of the company. The act also stipulates that the shareholders should have a nonbinding vote every three years to determine executive compensation Black CPA Review Page 1-2

5 3. Nominating committee (a.k.a. Corporate Governance Committee) This committee is in charge of determining the qualifications for board members, assigning members to committees, and determining the corporate governance principles. The committee is also in charge of making recommendations for the hiring of management. b. Internal auditors act as internal monitoring devices. The internal auditors perform audits of internal controls, risk management, and accounting processes. They should have access to or report directly to the audit committee. While the internal auditors are employees of the company they should maintain independent as much as possible. c. External auditors are hired by the corporation to audit the financial statements and internal controls of the company in order to ensure that they are in conformity with certain regulations. Because internal auditors are employees of the company and will never be completely independent, it is necessary to hire outside, independent, auditors. External auditors report directly to the audit committee and are considered the most effective external monitoring device. d. Creditors act as an external monitoring devices because many creditors make requirements of a corporation that must be met in order for the corporation to receive loans or credit. The creditors monitor the company to ensure that they are complying with the requirements. e. Credit rating agencies are external monitoring devices. The agencies rate how creditworthy a corporation is and publish those ratings. f. Securities analysts are considered external monitoring devices because they analyze a company s financial and nonfinancial data in order to recommend whether the public should buy or sell the company s stock. g. Attorneys act as external monitoring devices in that they provide legal advice to management as well as review securities filings that are filed with the SEC h. The Securities and Exchange Commission (SEC) is an external monitoring device. The SEC is given the responsibility of making sure that financial markets are fair and orderly and fostering an environment that protects investors. i. The following are divisions of the SEC that help to promote strong corporate governance: 1. Division of Enforcement This division is in charge of recommending which cases the SEC should prosecute. 2. Division of Corporate Finance This division reviews the corporate filings and explores ways to improve corporate disclosures 3. The Office of the Chief Accountant This office within the SEC provides guidance on accounting and auditing principles. This office also approves any auditing rules advised by the PCAOB i. The NASDAQ and the New York Stock Exchange (NYSE) act as external monitoring devices because they have several requirements that must be met in order for a corporation to be listed on the exchange. i. The stock exchanges require listed corporations to: Black CPA Review Page 1-3

6 1. Set up an audit committee within the board of directors 2. Identify any board members that are not independent a. The following impair a director s independence: i. Working as an executive for another company that receives revenue from the corporation ii. Holding a position either as a partner or employee of the external auditor during the last 5 years (3 for the NASDAQ) iii. Working for the corporation in the last 5 years (3 for the NASDAQ) iv. If the director or family of the director receive more than $120,000 in compensation, other than board of director fees, from the company v. If a family member has been an officer in the last 5 years (3 for the NASDAQ) 3. Have regular meetings of the board of directors 4. Ensure that the majority of board members are independent 5. Publish a company code of conduct C. Shareholders a. Shareholder Rights: i) Right to vote 1. Shareholder s have the right to vote on: a. Who is elected to the Board of Directors b. Whether to dissolve the corporation c. Other significant changes to the corporation d. On mergers, acquisitions and consolidations i. The Board must also approve ii. Shareholders must approve by a majority iii. For the shareholders who vote against a merger they have the right to receive the fair value of their stocks (I.E. Their stock is repurchased by the company) ii) Right to inspect the minutes from the Board of Director s meetings iii) Right to request company records if the request is made in good faith (i.e. a shareholder may request the names and addresses of all the other shareholders if they are not sending solicitations) iv) Shareholders have a preemptive right, which is the right to purchase shares of newly issued stock as to keep their interest from being diluted. v) If dividends are declared then the shareholders have a right to collect them b) Shareholders are not agents c) They may transfer interest easily and without approval through the selling and purchasing of stock Black CPA Review Page 1-4

7 i) Example: Mark owns 5 shares of ABC Company s 100 shares for a 5% interest. ABC issues another 100 shares, which would reduce Mark s interest to 2.5% but Mark has a preemptive right to purchase up to 5% of the newly issued stock to keep his interest from being diluted. d) Shareholder Liabilities: i) Limited Liability 1. Limited to the amount the shareholder paid for the stock e) Shareholders may be liable to creditors if: i) Watered Stock is purchased 1. Shareholders would be liable for the difference between price paid for the stock and par value ii) Piercing the corporate veil occurs 1. Piercing the corporate veil occurs when the shareholders co- mingle assets or funds, fraud occurs, or the corporation is undercapitalized from the inception. a. Shareholders who have pierced the corporate veil can be held personally liable f) The majority shareholders owe a fiduciary duty to the minority shareholders Objective 2: Understand internal controls A. Internal control is A process, effected by an entity s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) reliability of financial reporting, (b) effectiveness and efficiency of operations, and (c) compliance with applicable laws and regulations. a. The point to take away from the internal control definition is the objectives of internal control (ROC): i. Reliability of financial reporting ii. Operational efficiency and effectiveness iii. Compliance with applicable laws and regulations B. The Committee of Sponsoring Organizations (COSO) identified 5 components that comprise internal controls. They are: control environment, risk assessment, control activities, information and communication and lastly monitoring. a. Control environment i. The control environment sets the tone for the internal controls of the entire company 1. The control environment includes 7 elements: a. Integrity and ethical values b. Organizational structure c. The clear assignment of authority and responsibility d. Participation by the board of directors and the audit committee Black CPA Review Page 1-5

8 e. The procedures and policies set up by human resources f. Management s commitment to competence g. The operating style and philosophy of management (i.e. Tone at the Top) 2. The following are some of the questions that auditors ask when assessing the control environment a. How competent is the management? b. Does the HR department have appropriate policies and procedures? c. Is management made up of dominant or aggressive individuals? d. Is the audit committee actively involved? b. Risk Assessment/Analysis i. This is the ability of the corporation to identify, analyze, and manage any risks that may cause the financial statements to be misstated or to not be in conformity with GAAP ii. The following are factors that may cause a corporation to have a hard time assessing risk: 1. New personnel 2. New information systems 3. New areas of growth, products or activities 4. New technology 5. Rapid growth c. Control Activities i. Control activities are the activities or policies in place to help prevent and detect risk ii. Specific control activities include: 1. Performance reviews 2. Information processing (these are controls that check the accuracy, completeness and authorization of transactions) 3. Physical controls (these are such things as passwords, hired guards or surveillance equipment) 4. Segregation of Duties This is done in order to prevent one employee from doing more than one of the following: a. Authorization of transactions b. Recording c. Custody of assets i. Examples (These are common examples on the CPA exam): (1) Employees who prepare invoices should not also have the authority to sign checks. (2) Employees who have custody of assets such as petty cash should not also record those assets such as making petty cash journal entries. Black CPA Review Page 1-6

9 d. It is important to know that just because controls are in place doesn t mean they will be effective. i. Control limitations include: 1. Management may override controls 2. Controls may not detect collusion or bad judgment d. Information and Communication i. This is the accounting system set up to record, process, summarize and report transactions. e. Monitoring i. The company must have procedures in place to monitor internal controls to ensure that they are working properly ii. The Committee of Sponsoring Organizations issues the Guidance on Monitoring Internal Control Systems. This guidance states that companies should have an employee to monitor the internal controls. This evaluator should be both competent and objective C. It is important to know the role of the Committee of Sponsoring Organizations (COSO) a. The committee is made up of members from several different organizations with the purpose of researching current internal control concepts and procedures used by business in order to develop a set of standards for internal controls D. The following sections of Sarbanes- Oxley are relevant to internal control: a. Section 302 This section states that it is the responsibility of management to disclose any known significant internal control deficiencies to the auditors and the audit committee b. Section 404 This section requires that management take responsibility for establishing internal controls for financial reporting, and that management must provide a report assessing the effectiveness of the internal controls E. Even the best internal controls still have limitations. They cannot protect the company against: a. Obsolescence The controls are no longer effective due to a changing environment b. Collusion Two or more employees conspire together to avoid the internal controls c. Management override Management has the power to override the internal controls d. Human Judgment Bad judgment on the part of an employee can cause internal controls to be ineffective F. One of the most important internal controls over any business process is the segregation of duties. G. It is important to know that when internal controls are changed in one area, it often changes internal controls in another area. These effects must be considered before any change is made to the control process. Black CPA Review Page 1-7

10 Objective 3: Understand Enterprise Risk Management A. Enterprise Risk Management (ERM) - Enterprise risk management is a process that is affected by an entity s board of directors, management and other personnel, and applied in a strategy setting across the enterprise. It is designed to identify potential events that may affect the entity, to manage risk and keep within its risk appetite, and to provide reasonable assurance regarding the achievement of entity objectives. B. ERM was designed by the COSO with the intention of helping to keep the acceptable level of risk in line with the company s strategy. ERM helps to identify and manage risks, to decrease risk response time, and to reduce potential losses due to risks. C. The COSO has identified 8 components of ERM. They are; internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication and lastly monitoring. a. Internal Environment The internal environment encompasses the tone of an organization (tone at the top). It sets the basis for how risk is viewed and addressed by a company s employees. This includes risk management philosophy, risk appetite, integrity and ethical values, and the environment in which they operate. It is important for management to set the tone for risk management. i. Some components that factor into internal environment include: 1. The organizational structure of the company 2. The use of responsible and effective human resource policies 3. The competency and training of the employees ii. Two components that determine the internal environment are risk appetite and risk tolerance 1. Risk appetite The level of risk a corporation (shareholders, board members, management) is willing to accept to reach its goals. 2. Risk tolerance Specific objectives that are set in order to reach corporate goals. Risk tolerance is the acceptable level of deviation from what the company has set for its goals. For example, if a company sets the objective of having a 70% sales margin and their acceptable level of deviation is 5%, then a sales margin of 65% is acceptable. b. Objective Setting Objectives must exist before management can identify potential events affecting their achievement. Enterprise Risk Management ensures that management has a process in place to set objectives and that the chosen objectives support the entity s mission and are consistent with its risk appetite. i. There are three types of objectives that a company may use: 1. Reporting Objectives Objectives set by the company to generate reliable reporting of both financial and nonfinancial information 2. Operating Objectives Objectives set by the company to increase the effectiveness and efficiency of operations Black CPA Review Page 1-8

11 3. Compliance Objectives Objectives set by the company to follow specific laws and regulations c. Event Identification Internal and external events that affect the achievement of an entity s objectives must be identified. Events can be risks or opportunities and the entity must distinguish between the two. Opportunities are channeled back to management s strategy or objective- setting processes. Risks are negative events that require a response. d. Risk Assessment Risks are analyzed by considering likelihood and impact. Management then determines how the risks should be managed or handled. Management assesses risks on an inherent and a residual basis. i. Inherent Risk The risk that exist when the corporation does nothing to prevent or reduce risk ii. Residual Risk - The risk that remains after management takes action to either prevent or reduce risk e. Risk Response Once a risk is identified, management selects an appropriate risk response i. Avoiding Ignoring the risk altogether; this is usually done by not doing a particular activity or type of business ii. Accepting The company will take no action, but instead accept the risk iii. Reducing The company will take specific actions to help diminish risk, such as implementing internal controls iv. Sharing The company will take actions that enable them to share the risks with another company; this typically involves either outsourcing or purchasing insurance f. Control Activities Policies and procedures are established and implemented to help ensure that the risk responses are effectively carried out. It is important that each activity is well documented, and that the staff is competent in performing the activities. g. Information and Communication Relevant information is identified, captured, and communicated in such a way that enables people to carry out their responsibilities. It is important that a clear chain of communication exists so that information can pass through the organization in a timely manner. h. Monitoring It is important that the Enterprise Risk Management process is monitored and any necessary modifications are made. Monitoring of the ERM is accomplished through ongoing management activities and/or separate evaluations. D. ERM Limitations a. The following are limitations of ERM: i. Identified risk relates to future events, however future events are uncertain. ii. ERM, while identifying the risks of reaching specific objectives, cannot accurately predict if the objectives will actually be reached iii. ERM may be overridden by management iv. ERM procedures may become obsolete v. ERM may fail as a result of collusion between two or more employees Black CPA Review Page 1-9

12 vi. Bad human judgment may cause errors in the ERM system vii. Cost- benefit constraints may cause the ERM system not to be as effective as it could be. Objective 4: Know the various elements of the International Standards for the Professional Practice of Internal Auditing A. The International Standards for Professional Practice of Internal Auditing outlines two types of internal audit services that may be performed. a. Assurance b. Consulting B. The three main sections of the standards are as follows: a. Performance Standards section b. Implementation Standards section c. Attribute Standards section C. The standards require that internal auditors establish a system to monitor the distribution of audit results. Black CPA Review Page 1-10

13 Study Aids Executive Compensation: Fred s Stipend was Seriously Expensive Fixed based salary and bonuses Stock Grants Stock options Executive perks Five components of internal controls: Craig Required his Company to Inform and Monitor Control environment Risk assessment Control activities Information and communication Monitoring Internal and External monitoring devices: Barbara Invited Every Company to Come and See All Supervisory Selections Board of directors internal Internal auditors internal External auditors external Creditors external Eight components of Enterprise Risk Management (ERM): RICO admires ERM Risk assessment Internal environment Control activities Objective setting Credit rating agencies external Securities analyst external Attorneys external SEC external Stock exchanges external Monitoring Information and communication Risk response Event identification Objectives of internal control (ROC): Reliability of financial reporting Operational efficiency and effectiveness Compliance with applicable laws and regulations Black CPA Review Page 1-11

14 Questions Objective 1: Question 1:Why is a well- defined organizational structure important? A. To inspect corporate records B. To elect officers C. To define lines of authority D. To oversee the internal control structure Question 2: Which of the following positions best describes the nature of the board of directors of XYZ Co.'s relationship to the company? A. Agent B. Executive C. Fiduciary D. Representative Question 3: What does the audit committee of the board of directors oversee? A. Formal job descriptions for employees in an organization B. The financial reporting process in an organization C. The responsibilities assigned to employees D. The creation of standards Question 4: Incentive compensation programs should: A. only promote an inspired work environment. B. only maintain an inspired and productive work environment. C. only promote productive work environments. D. promote and maintain an inspired and productive work environment. Objective 2: Question 5: The one component of internal control that sets the tone of an organization, influencing the control consciousness of its people and serving as the foundation for all other components of internal control is: A. the control environment. B. risk assessment. C. control activities. D. information and communication Question 6: Many organizations are critically dependent on information systems to support daily business operations. Consequently, an organization may incur significant loss of revenues or incur significant expenses if a disaster such as a hurricane or power outage causes information systems processing to be delayed or interrupted. A bank, for example, may incur significant penalties as a result of missed payments. Which of the following activities is necessary to determine what would constitute a disaster for an organization? Black CPA Review Page 1-12

15 A. Risk analysis B. File and equipment backup requirements analysis C. Vendor supply agreement analysis D. Contingent facility contract analysis Question 7: Which of the following is not one of the five components of internal control identified in SAS 78 as originally included in the COSO Report? A. Control environment B. Accounting system C. Control activities D. Information and communication Question 8: The manager of a production line has the authority to order and receive replacement parts for all machinery that require periodic maintenance. The manager typically pays for the parts using a corporate credit card (that bills to the company). The internal auditor received an anonymous tip that the manager ordered substantially more parts than were necessary from a family member in the parts supply business. The unneeded parts were never delivered. Instead, the manager processed receiving documents and charged the parts to machinery maintenance accounts. The manager processed payments for the undelivered parts through the company's credit card and those payments were sent to the family- member supplier. After the supplier received the money, it was divided between the manager and the family member. An internal auditor is conducting an audit of the use of corporate credit cards by employees and the supplies ordering process. Which of the following are major audit concerns regarding these issues? I. Segregation of duties is insufficient. II. The purchasing function is impaired. III. Cards may be used for personal benefit. IV. The company is required to make one large payment instead of many small ones A. II and IV only B. III only C. I, II, III, and IV D. I and III only Objective 3: Question 9: Management's attitude toward aggressive financial reporting and its emphasis on meeting projected profit goals most likely would significantly influence an entity's control environment when: A. internal auditors have direct access to the board of directors and the entity's management. B. management is dominated by one individual who is also a shareholder. C. external policies established by parties outside the entity affect its accounting practices. D. the audit committee is active in overseeing the entity's financial reporting policies Question 10: If controls add to the efficiency of operations, management must: Black CPA Review Page 1-13

16 A. implement the controls immediately. B. ask the internal auditor for recommendations. C. weigh the benefit of reducing loss or inefficiency against the cost of the control. D. consider only the cost of the control. Question 11: A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it decided to relocate its production facilities. According to COSO, this decision represents which of the following responses to the risk? A. Risk reduction B. Prospect theory C. Risk sharing D. Risk acceptance Question 12: What does enterprise risk management do for an organization? A. It manages risks and seizes opportunities to achieve the goals of the organization. B. It creates policies and procedures. C. It creates risks to achieve the goals of the organization. D. It creates progress. Black CPA Review Page 1-14

17 Answers Objective 1: Question 1: C Organizational structures help no one unless they are well- defined. The structure helps define lines of authority, so an organization does not have too many people in management. This structure creates working relationships between the various employees in the organization. Question 2: C The board of directors of XYZ Co.'s relationship to the company is a fiduciary relationship. To understand why, you must first define fiduciary. A fiduciary relationship is a legal or ethical relationship of trust between two people, organizations, or other such parties. Question 3: B The audit committee of the board of directors oversees the following: Financial reporting Financial disclosure Compliance with standards Question 4:D Incentive compensation programs should be set up to promote and maintain an inspired and productive work environment. Some people are not comfortable with change, but in a world of quickly changing technology, they must be inspired to move on with that technology. Incentive programs help with this issue. Objective 2: Question 5: A The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Risk assessment is the entity's identification and analysis of relevant risks and the determination of how these risks should be managed. Control activities are the policies and procedures that help ensure that management directives are carried out. Information and communication systems support the identification, capture, and exchange of information. Question 6: A Risk analysis is necessary to determine an organization's definition of a disaster and evaluate the effect of that disaster. System backup analysis, vendor supply agreement analysis, and contingent facility contract analysis are all contingency planning strategies to react to a disaster. Question 7: B Accounting system is not one of the five components of internal control identified in SAS 78. This was one of the elements of internal control identified in SAS 55, but this part of SAS 55 has been superseded by SAS 78 Question 8: D Black CPA Review Page 1-15

18 The segregation of duties is insufficient as there should be another person to process the receiving documents. In the absence of effective monitoring, credit cards could easily be used for personal benefit. Objective 3: Question 9: B The auditor must consider the client's control environment when measuring control risk. One of the factors of the control environment, management philosophy and operating style, presents as an example the situation where management is dominated by only one or a few individuals. This domination directly affects the control environment because it is the only item listed above over which management has significant influence. The other answers (external policies, internal auditors, and the audit committee) all involve a degree of independence from management Question 10: C Managers must weigh the benefit of reducing loss or inefficiency against the cost of the controls. They should not implement controls without first understanding whether any benefits of implementing these controls outweigh the costs. Although management can solicit recommendations from the internal auditor, it is not a requirement. Question 11: A Risk reduction helps to lower costs and correct issues within a corporation. If the manufacturing firm relocates to an area closer to a firm that can provide the raw materials, the firm will reduce the risk of higher costs. Management should always be in the process of identifying risks in order to assess and respond accordingly. Question 12: A Enterprise risk management (ERM) is the process used by organizations to manage risk and seize opportunities to achieve the goals of the organization. It provides a framework for risk management, determines response strategy, and monitors the progress. Black CPA Review Page 1-16