Strong internal controls will produce 3 main benefits
Lower external audit costs, reliable information for use in decision making, better control over assets of the company
What is corporate governance?
All the means by which the businesses are directed and controlled. Corporate governance is the joint responsibility of the board of directors and management. Directors are elected by shareholders to represent interests of the shareholders. Corporate governance spells out rules and procedures to be followed in making decisions for the corporation.
Agency problem
Conflict of interest between owners of the corporation (shareholders, principals) and the managers of the corporation (stakeholders, agents). Managers are concerned with what will benefit them individually rather than the company, shareholders are concerned with seeing the equity value of the company rise.
How is corporate governance related to risk assessment, risk management, and internal control?
They all rely on each other, directors and management are responsible for implementing strategy, in that they must consider risk. In order to consider risk, they must have a proper risk assessment system in place. In order to have an effective risk management system, they must have effective internal controls.
Principles of good governance
Board purpose, board responsibilities, interaction, independence, expertise and integrity, leadership, committees, meetings and information, internal audit, compensation, disclosure, proxy access, evaluation.
Board purpose
Board of directors should understand that they need to protect the interests of shareholders first, but also consider interests of other external and internal stakeholders
Board responsibilities
Monitor CEO and other executives, overseeing company's strategy, monitor internal control systems. Directors should employ healthy skepticism
Interaction
Needs effective communication among the board, management, external auditor, internal auditor, and legal counsel
Independence
Vast majority of directors should be independent, meaning they don't have any past or present personal ties to the corporation.
Expertise and Integrity
Directors should possess relevant business, industry, company, and governance expertise.
Leadership
Roles of board chair and CEO should be separate. If they are not, company should appoint an independent director.
Committees
Audit, compensation and governance committees of the board should have charters that explain how the committees are organized and operated.
Meetings and information
Board and its committees should meet frequently for extended periods of time
Internal Audit
All public companies should maintain a full audit team that reports directly to the audit committee on the board of directors. Companies should provide internal audit reports to necessary stakeholders.
Compensation
Compensation committee and board should carefully consider compensation amount for executives and directors.
Disclosure
Proxy statements should reflect board activity and transactions within a timely manner.
Proxy access
Board should have a process for shareholders to nominate director candidates.
Evaluation
Board should have procedures in place to evaluate CEO, full board, and individual directors on an annual basis.
Company formation
In the US, individual states make laws around corporate governance, US companies are formed under state statutes within a specific state. If they want to do business in other states, they have to get a license from that state to do business. People who sign the charter are the incorporators. A corporation is usually recognized as a legal entity as soon as articles of incorporation are filed or when certificate of incorporation is issued by state.
Details included in the charter
Name of the corporation, length of corporation's life (usually forever), purpose and nature of business, authorized number of shares to be issued, provisions for amending the articles of incorporation, preemptive rights, names and addresses of incorporators, names and addresses of board members, name and address of corporation's registered agent.
After articles of incorporation are filed, following steps are carried out
Incorporators elect directors if not specified in articles, incorporators resign, directors meet to complete organizational structure
Details in bylaws
Requirements for annual meetings of shareholders, what shareholders' meetings will discuss, methods of calling shareholders' meetings, term length and number of directors, specifics on board meetings, how people are elected to board of directors, how shares are issued and represented and transferred, specifics on dividends, how bylaws can be amended
Board of directors initial meeting topics
Establish bylaws, elect officers, establish corporate bank account, ratify any contracts needed before incorporation, approve form of certificate for stock, accept or reject stock subscriptions, comply with requirements for doing business in other states, adopt a corporate seal, consider any other business as necessary for carrying on business purpose of corporation.
Amending articles of incorporation
EX: Increasing number of authorized shares of common stock. Must be something that could have been included in the original articles of incorporation, must be approved by majority of voting shares. Amendments are only effective after issuance of certificate of amendment.
Responsibilities of board of directors
Select CEO and other managers, determines expectations for managers, evaluate key decisions and top level strategic plan, be involved in internal controls, ensure corporation is in compliance with laws, need to be familiar with company's activities, should investigate any issues they consider important, board members need to be independent of the company
Audit committee
Committee established by board of directors for the purpose of overseeing accounting and financial reporting and audits of the financial statements of the issuer. If no such committee exists, the team will evaluate entire board of directors
Requirements for Audit Committee and Audit Committee members
Has to consist of at least 3 members, all members must be independent, meaning they cannot be employed by the company in any capacity, 5 year period where former employees cannot join audit committee, one member must be a financial expert, all members must be financially literate.
Responsibilities of audit committee
Select and nominate external auditor, have an audit committee charter which addresses oversight of integrity of company's financial statements, listed company's compliance with legal and regulatory requirements, independent auditor's qualifications and independence, performance of listed company's internal audit function. Blue ribbon committee report recommends audit committees to measure company's internal controls and monitor them.
NYSE requirements for audit committees
Review annual and quarterly financial statements and uncover issues requiring attention, review with independent auditor on any problems including access to information, disagreements with management, audit committee sets clear hiring policies for employees or former employees of independent auditors.
How managers can perpetrate fraud
Record fictitious revenue, change timing of recognition, establish reversing transactions to smooth results, aggressive capitalization, structure significant or unusual transactions, not segregating an unusual gain, reporting financing or investment cash flows as operating cash flows on cash flow statement, use of inherent flexibility in accounting policies to construe results
Actions audit committees can take
Maintain appropriate level of skepticism, strengthen knowledge of business, brainstorm fraud risks then prioritize them, cultivate a whistleblower program, assess financial reporting culture, develop a broad information and feedback network
Responsibilities of CEO
Increase profitability, monitor company performance, improve stock price, spend time in strategic planning.
Who cares about internal controls
Investors, external auditors, legislative and regulatory bodies, customers
What is an internal control
Process carried out by company's board of directors, management, and other personnel that is designed to provide reasonable assurance that company's objectives related to operations, reporting, and compliance will be achieved.
Fundamental concepts of internal controls
- Helps company achieve objectives
- Is an ongoing process
- Is accomplished by people
- Can provide reasonable assurance only, not absolute assurance
- Must be flexible and adaptable
Operating objectives
Include operational and financial performance goals and safeguarding assets against loss.
Reporting objectives
Emphasize reliability and timeliness of external and internal financial and non-financial reporting.
Compliance objectives
Objectives to help the company comply with all applicable laws and regulations
Who is responsible for internal control?
- Board of directors is responsible for oversight
- CEO is ultimately responsible
- Senior managers delegate responsibility for establishment of specific internal control policies and procedures
- Financial officers and their staffs are central to the exercise of control
- Internal auditors play a monitoring role
- All employees produce information used in internal controls
- External parties can provide information that is useful to effective internal control
Components of internal control
control environment, risk assessment, control activities, information and communication, monitoring
Control environment
The overall attitude of management and employees about the importance of controls. Management should demonstrate a commitment to integrity and ethical values, board of directors demonstrates independence from management and exercises oversight, management establishes structure, reporting lines, and appropriate authorities and responsibilities to enable the corporation to pursue its objectives, organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives, organization holds individuals accountable for their internal control responsibilities
Risk assessment: 3 different types of risk
Inherent/residual risk - Natural risk that occurs assuming no controls are in place.
Control risk - Risk that an internal control will not detect an issue
Detection risk - Risk that a material misstatement in an account balance or transactions could result in a material weakness for the company
Principles relating to risk assessment
- Company's objectives must be specified clearly enough so that risks to those objectives can be assessed
- Organization should identify risks to achievement of its objectives and analyze them
- Consider potential for fraud
- Organization identifies and assesses changes that could impact organization's system of internal control
Risk identification
Entity level risks arise from internal and external factors
Transaction level risks occur at subsidiary, division, or operating units level
Risk analysis
Once the likelihood and estimated impact of risks have been assessed, one of the following actions is taken depending on the situation
- Acceptance - No action is taken
- Avoidance - Exit the activity or activities that give rise to the risk
- Reduction - Action is taken to reduce likelihood of the risk
- Sharing - Reducing the risk likelihood by transferring a portion of risk through purchasing insurance or forming joint venture
Control Activities
Actions taken to limit risks and achieve organizational activities, these can be preventive or detective.
- Organization selects and develops control activities that contribute to reducing acceptable levels of risk
- Organization selects and develops general control activities over technology
- Organization develops policies that establish what is expected and procedures that put policies into action
Preventive controls
Segregation of duties, job rotation, enforced vacations, training and competence of personnel, employee screening practices, physical control over assets, requirements for authorization, requirements for approval
Detective controls
Reconciliations, internal audits, physical inventory counts, variance analysis, random cash counts, supervisory review of accounting work, management review of account write-offs, exception reporting to identify unusual items
Principles related to Information and communication
- Organization should obtain or generate and use relevant, quality information
- Organization should internally communicate information
- Organization should communicate with external parties
Monitoring Activities
- Organization selects, develops, and performs ongoing evaluations, separate evaluations, or some combination of both
- Organization evaluates and communicates internal control deficiencies in a timely manner
What is an effective internal control?
It provides reasonable assurance regarding achievements of organizational objectives and reduces risk to achieving those objectives. It requires each of the 5 components to be present and functioning. Together, the 5 components facilitate effective and efficient operation, ensure timely, relevant, and reliable internal and external reporting, and help ensure compliance with applicable laws and regulations.
Duties to segregate
Authorizing a transaction, recording the transaction, keeping physical custody of the related asset, periodic reconciliation of physical asset to recorded amount of asset. In a question about an effective or ineffective internal control, 4 different people should be doing these tasks
Transaction control objectives
- Authorization
- Completeness
- Accuracy
- Validity
- Physical safeguards and security
- Error handling
- Segregation of duties
Types of transaction control activities
- Authorizations and approvals
- Verifications
- Physical controls
- Controls over standing data
- Reconciliations
- Supervisory controls
Physical controls
2 subsets - controls that restrict access to records and documents, controls that restrict access to assets (cash, inventory,
EX: Checks should be stored in a locked area and only limited personnel should have access, POs should be prenumbered and access to them restricted, corporate credit cards should be kept in a locked cabinet
Physical protection of assets requires
- Segregation of duties
- Physical protection and controlled access to records and documents
- Physical restriction of assets such as cash and inventory
- Effective supervision and independent checks and verification
Example of segregation of duties: Inventory purchases and control
Authorization - Done by purchasing manager who approves POs
Record keeping - Done by receiving department
Custody - Warehouse personnel control physical access
Reconciliation - Inventory control personnel perform physical inventory counts. Accounting department reconciles physical inventory to records, adjusts inventory as needed, prepares JE to adjust inventory. The 3 tasks done by the accounting department should be 3 different people in accounting
Example of segregation of duties: Accounts Payable
Authorization - AP manager approves payments
Record keeping - AP personnel print checks for suppliers
Custody - Treasury has custody of signature stamp for checks
Reconciliation - Accounting department reconciles vendor AP records to AP subledger
Example of segregation of duties: Credit Sales
Authorization - Sales manager approves sales
Record keeping - Billing department invoices customers and AR records receivables and write offs for delinquent accounts
Custody - Warehouse personnel have custody of inventory
Reconciliation - Accounting department reconciles AR journal to AR on general ledger
Example of segregation of duties: Cash Collections
Authorization - AR manager approves transactions to record customer payments
Record keeping - AR personnel record customer payments
Custody - Cashier receives cash payments. Two cashiers should receive payments, create a listing of receipts, and prepare bank deposits
Reconciliation - Accounting department reconciles cash against general ledger
Example of segregation of duties: Payroll Processing
Authorization - HR approves new employees to be added to payroll, payroll department manager approves payments before they are made
Record keeping - 3 different payroll people will add new employees to payroll records, make changes to employee information, print the payroll checks or prepare direct deposits
Custody - Treasurer's office supervises transmission of funds
Reconciliation - Accounting department reconciles payroll system to general ledger
Examples of potential failures from inadequate segregation of duties
- If person who has custody of cash also has authority to authorize receivable write offs
- If person who controls physical access to inventory also performs inventory counts
- If person who approves POs also records receipts of fixed assets and performs inventory counts on fixed assets
- If person who prepares bank deposit also reconciles checking account
Physical protection - restricted access to assets
- Inventory should be kept in a physically locked area
- Requisitions for inventory should be approved by authorized personnel
- Inventory area should be monitored by proper authority
- Security camera and alarms can be used to monitor area
- Regular physical inventories should be taken
- Cash should be stored in a safe until deposited
Effective supervision and independent checks and verification examples
- Comparison of independent sets of records - comparing between bank statement and bank balance, comparing physical count of inventory to records
- Invoices should be prepared based on verified orders
- Process of receiving inventory should be verified to make sure that inventory clerk is physically counting items received
Physical protection - controlled access to records and documents
- Checks should be stored in a locked area
- POs should be prenumbered and access to them restricted
- Corporate credit cards should be kept in a locked cabinet and access controlled
- Password access should be controlled by only letting employee see information that is relevant to their job
Foreign Corrupt Practices Act
Law announced in 1977 and amended in 1998, made in response to questionable payments made by large companies. There are 2 main provisions, anti-bribery and accounting. Applies to company as a whole
Accounting provisions of FCPA
- Books and records provision - Issuers of securities must make and keep books, records, and accounts which reflect transactions and dispositions of the issuer
- Internal Controls Provision - Requires issuers to maintain a system of internal controls that provides reasonable assurances that transactions are accurate, access to assets is limited, and reconciliations are done regularly
SOX and Corporate Reporting Controls
Applies to publicly held US companies, Non-US companies that are public and operate in the US, some provisions may apply to private companies. Created in response to numerous financial frauds and audit failures.
Title III: Corporate Responsibility Section 302
Each 10Q and 10K must be certified by CEO or officers, certification says that
- The officer has reviewed the report
- Based on the signer, the report does not contain any material misstatements
- Financial statements are presented accurately
- Officers are responsible for internal controls, have designed internal controls so as to ensure material information is caught, have evaluated effectiveness of internal controls, have presented conclusions in their report
- Officers have disclosed all significant deficiencies and any fraud regardless of materiality.
- Officers state whether or not there were significant changes to internal controls in prior period.
SOX Title 4 Section 404 Assessment of Internal Controls
Each 10K must
- State responsibility of management for establishing and maintaining adequate internal controls
- Contain an assessment of the internal controls over financial reporting by management and auditor
Above assessment must contain
- Statement of management's responsibility for maintaining adequate internal control over financial reporting
- Statement identifying framework used by management to evaluate effectiveness of internal control over financial reporting
- Management's assessment of effectiveness of internal control over financial reporting as of end of most recent fiscal year
- Statement that the auditor has reviewed the effectiveness of the internal control based on management's assessment
- Management is required to evaluate every quarter any change in the internal control over financial reporting.
It is important to use a top down, not bottom up approach
SOX Section 407
- Disclosure of audit committee financial expert
- If there is one expert, must state whether they are independent and their name, if more than one expert, no need to do this
- Requires they have an understanding of GAAP principles
- Experience in preparing, auditing, or supervision of financial statements of comparable companies
- Experience in internal accounting controls and financial reporting
- Understanding of audit committee functions
Monitoring internal control over financial reporting according to COSO
Monitoring should be a combination of 2 things
- Ongoing evaluations use software to perform evaluation automatically. Software generates an alert whenever it detects an irregularity such as an incorrect price on a PO
- Separate evaluations may also be done by management periodically, EX: Internal audit or external audit.
4 tests to test adequacy of internal controls - Top Down approach
Inquire - Involves asking management or staff how they are doing this process (least reliable method as people can lie)
Observation - Watching control procedures being performed (reliability also limited as employees know they are being watched)
Inspection - Examination of documents related to control procedures (Usually provides better reliability than inquiry and observation, but there is still risk that sample is not representative)
Re-performance - Individual re-performs the control manually to ensure automated process is working correctly (most reliable but takes time so usually just a small sample is done)
Classifying deficiencies
Control deficiency - Internal control does not allow employee to prevent or detect misstatements on a timely basis
Significant deficiency - A control or multiple control deficiencies that have significant magnitude but have not yet had a material impact on financial reporting
Material weakness - Combination of deficiencies that make it evident there is a material misstatement of company's annual or interim financial statements and will not be prevented or detected on a timely basis.
Anti bribery provisions of FCPA
Illegal to offer or authorize corrupt payments to any foreign official, foreign party chief, or official. A corrupt payment is one that intends for the user to misuse their power.
Management is required to maintain records and books and accounts that represent transactions properly
Title 1 of SOX
Established PCAOB to oversee auditing of public companies
- Board contains 5 members appointed by SEC; members are financially literate, and 2 members must be CPAs
Responsibilities
- Registering accounting firms that audit public companies, establishing standards related to preparation of audit reports, conducting inspections of public accounting firms, enforcing compliance
Section 201 of SOX
Prohibits audit firms from providing a wide array of non-audit services to audit clients. The act prohibits bookkeeping, financial information systems design and implementation, appraisal or valuation services, actuarial services, internal audit services, management functions, HR services, legal services, any other services PCAOB deems necessary.
Section 203 of SOX
Lead audit partner and review partner must rotate off of client after 5 years, must remain off for 5 years. Other audit partners must rotate off after 7 years and remain off for 2 years. Specialty partners (tax and valuation) don't have to rotate off.
Section 204 of SOX
Auditor must report to audit committee:
- Critical accounting policies to be used
- Alternative treatments within GAAP that were discussed
- Other material written communication between audit firm and client company audit committee
2 accounting organizations oversee external audit process
- American Institute of CPAs through the Auditing Standards Board audits private companies
- Public Company Accounting Oversight Board performs audits for publicly traded companies
SOX Title 1
Established PCAOB as an independent, non governmental board that operates under the supervision of the SEC. Public accounting firms must be registered with the PCAOB in order to prepare or issue audit reports.
Responsibilities of PCAOB
- Registering public accounting firms that audit companies
- Establishing auditing, quality control, ethics, and other standards related to audit reports. Note: this is different from setting accounting standards
- Conduct annual inspections of public accounting firms that serve >100 companies and every 3 years for accounting firms that serve <100 companies. PCAOB writes a report and provides to SEC and state authorities
- Enforcing compliance with SOX, rules of board, professional standards
- Conduct investigations and disciplinary proceedings for violations of SOX, rules of board, professional standards
- Management of operations and staff of PCAOB
Independent external auditors
Qualified CPAs who are not affiliated with the company being audited. External auditor will present an opinion letter that is included in the 10k that states
- Opinion on if the financial statements are presented fairly and accurately
- Opinion on the effectiveness of the internal control over financial reporting.
Independent auditor has no responsibility to give an opinion to the company on the operation of the business.
Financial statement opinion of auditor - 4 categories
- Unqualified (PCAOB) or unmodified (ASB)
- Qualified (PCAOB) or modified (ASB)
- Adverse
- Disclaimer
Unqualified or unmodified opinion
Means that the financial results are "clean" and presented fairly
Qualified or modified opinion
Contains an exception meaning that the financial statements do not fully represent the financial position of the company. This exception is usually not big enough to cause the financial statements as a whole to be misleading
Adverse Opinion
Issued when exceptions are material enough where the financial statements do not present the financial position, results from operations, and cash flows of the company. These are seldom issued because companies change their accounting when the auditor brings the problem to their attention
Disclaimer
Used when the auditor has not been able to gather information on the financial statements to express an opinion
Critical audit matter
Any matter that was communicated or required to be communicated to the audit committee, relating to accounts or disclosures material to the financial statements, and involving especially challenging, subjective, or complex auditor judgment.
For each critical audit matter, the auditor must
- Identify critical audit matter
- Describe concerns that led to determination of critical audit matter
- Describe how critical audit matter was addressed in the audit
- Refer to the relevant accounts or disclosures that talk about critical audit matter
Going concern opinion
The accompanying consolidated financial statements have been prepared assuming the Company will continue as a going concern, but there is substantial doubt about its ability to continue as a going concern.
SOX Title 4 Section 404 C
Provides that section 404 does not apply to "non accelerated filers." These filers are not required to have their independent auditors express an opinion over their internal control over financial reporting
Non-accelerated filers
Public company with public float of less than $75 million. Must file its 10K with the SEC within 90 days after the end of its fiscal year and 10Q 45 days after each quarter.
Accelerated filer
Public float between $75 and $700 million, has followed the Exchange Act for at least 12 months, has filed one 10K with the SEC and has revenues of $100 million or more. Must file 10K 75 days after fiscal year and 40 days for quarter
Large, accelerated filer
Has public float of $700 million or more, filed at least one annual report with SEC, and has revenues of >100M. Filing deadlines are 60 days for 10K and 40 days for 10Q
Review performed by independent auditor
Involves high level inquiries and analytical procedures, the objective of which is an expression of an opinion regarding the financial statements
Negative assurance
A statement indicating that, as a result of performing certain procedures, nothing came to the accountant's attention indicating that the subject matter in question did not meet a specified standard.
Compilation
Formatted financial statements presenting the assertions of management without going through a formal checking process. It provides no assurance whatsoever regarding the accuracy of the financial statements.
Objectives for an information system
- Promoting effectiveness and efficiency of operations
- Maintain reliability of financial reporting
- Assuring compliance
- Safeguarding assets
5 interrelated components of internal control
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring