
Corporate Governance

- Is a system by which organizations are directed and controlled.


- Is a set of relationships between a company’s directors, its shareholders, and
other stakeholders. It provides the structure through which the objectives of the
company are set, and the means of achieving those objectives and monitoring
performance are determined.
MANAGEMENT VS GOVERNANCE
Management
 Concerned with running the day to day business operations of a company.
 Concerned with making business decisions.
Governance
 Concerned with leading the company, and monitoring and controlling the
decisions of management to ensure that the business meets its objectives.
 Concerned with monitoring and controlling decisions, as well as providing
leadership and direction.

The separation of ownership and control creates problems for good corporate
governance, because the directors of a company might be able to run the company in a
way that is not in the best interests of the shareholders, but the shareholders might not
be able to prevent the directors from doing this, because the directors have most of the
powers to control what the company does.

CORPORATE GOVERNANCE ISSUES

The role and responsibilities of the board of directors

The BOD should:

- Understand its responsibilities
- Fulfill its responsibilities. The board of directors should not be dominated by one chairman and the CEO. The BOD should have different skills employed. High standards of financial reporting should be upheld. An external auditor is a person external to the company who is employed to give an opinion on the financial statements (FS) of a company.
- Provide suitable leadership to the company

Governance should, therefore, clearly establish the responsibilities of the BOD and ensure these are carried out properly.

The composition and balance of the board of directors

The board should not be dominated by a powerful chief executive and/or chairman.

The board should have a suitable balance, and consist of individuals with a range of backgrounds and experience.

Financial reporting, narrative reporting and auditing:


The board should be:

 properly accountable to its shareholders, and

 should be open and transparent with investors generally


High standards of financial reporting (and narrative reporting) and external
auditing must be upheld.
Directors’ Remuneration:
To encourage their commitment to achieving the objectives of their company, they
should be given suitable incentives.

Linking remuneration to performance is considered essential for successful corporate governance.

Risk Management and Internal Control

The directors should ensure that


 their company operates within acceptable levels of risk, and
 that through a system of internal control, the resources of the company are
properly used and its assets are protected
Shareholders’ rights:
Encourage the involvement of shareholders through:

 more dialogue with the directors

 greater use of shareholder powers


CONCEPTS OF GOOD GOVERNANCE:

These concepts should be evident in the relationship between the shareholders and board of directors:

 fairness
 Openness/Transparency
 Independence
 Honesty and Integrity
 Responsibility and Accountability
 Reputation
 Judgment

THE CORPORATE GOVERNANCE TRIANGLE


Shareholders provide capital to management. Management provides transparent
reporting to shareholders. Management provides regular reporting and update to board
of directors. Board of directors provide guidance and supervision. Board of directors
represent and report to shareholders. Shareholders elect and dismiss board of directors.
Company:

 Management
o Chief executive officer
o Chief financial officer
o Chief operating officer
o Chief marketing officer and others
 Shareholders
 Board of directors
o Chairman
o Managing director
o Executive directors - directors that have decision-making or managing roles, like executive committee members
o Non-executive directors - some companies appoint these kinds of directors to add independence, without decision-making or managing roles.
In a publicly listed entity where there are many different shareholders, a knowledge gap exists between the owners and management.
How do you understand “knowledge gap” in this context?
What do you think can be done to address this knowledge gap?
You can rely on audited financial statements.

INTERNAL STAKEHOLDERS
 Shareholders- concerned with their assets
 Directors- have influence and power to hire senior management
 Senior Management
 Other Employees
EXTERNAL STAKEHOLDERS

 Regulators

 Government

 Suppliers

 Customers

 General Public or Special Interest Groups

 Stock Exchanges

 Auditors

 Investors

AGENCY THEORY IN CORPORATE GOVERNANCE


Agency theory: there is a principal (the shareholders) who has an agent (senior managers, the BOD) to manage its assets. The principal might have different interests from the agent.
Agency conflicts are differences in the interests of a company’s owners and managers.
- Moral hazard - managers may receive incentives that push them to take unethical actions.
- Effort level - a manager who is also an owner may put in more effort than a manager per se.
- Earnings retention - managers aim to reinvest earnings, whereas owners want their dividends.
- Risk aversion - managers may be risk averse while shareholders are risk takers. The higher the risk, the higher the returns. This may not be true of other companies.
- Time - owners may be long-term oriented while managers may be short-term oriented.
How to solve the issues that arise out of agency theory?
- The SEC gives out rules and regulations.
- There are also auditors hired by the company.
- There are also board committees.

Agency costs
 Monitoring costs- cost of measuring, observing and controlling the behavior of
management. Some costs are imposed by law (annual accounts, annual audit) and
some arise from compliance with codes of corporate governance.
 Bonding costs- costs of arrangements that help to align the interests of the
shareholders and managers (ex: strategic planning)
 Residual loss- losses occur for the owners, such as the losses arising from a
lower share price, because the managers take decisions and actions that are not in
the best interests of the shareholders. Monitoring costs and bonding costs will not
prevent some residual loss from occurring.
CHAIRMAN OF THE BOARD VS CHIEF EXECUTIVE OFFICER

CEO
- Executive officer. Full-time employee.
- Reporting lines: All executive managers report directly or indirectly to the CEO.
- Main responsibilities:
o Head of the management team.
o To draft proposed plans, budgets and strategies for board approval.
o To implement decisions of the board.

Chairman
- Part-time. Usually independent.
- No executive responsibilities.
- Reporting lines: Only the company secretary and the CEO report to the chairman directly, on matters relating to the board. The chairman reports to the company’s shareholders, as leader of the board.
- Main responsibilities:
o Leader of the board, with responsibility for its effectiveness.
o To make sure that the board fulfills its role successfully.
o To ensure that all directors contribute to the work of the board.

BOARD COMMITTEES

- A board committee is a committee set up by the board, and consisting of selected directors, which is given responsibility for monitoring a particular aspect of the company’s affairs for which the board has reserved the power of decision-making.

Can board committees make decisions?

No. They only report back to the board and make recommendations.

The number of and the type of board committee created will depend on the company.
The common committees are:
- Remuneration committee
- Audit committee- this emphasizes the audit function of the company. They are in
charge of hiring, appointing and looking for external auditors.
- Nominations committee – in charge of elections
- Risk management committee or Internal Control and Compliance Committee
Internal Controls
- A process, effected by an entity’s board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of
objectives in the following categories: (COSO DEFINITION)

 Effectiveness & efficiency of operations


 Reliability of financial reporting
 Compliance with applicable laws & regulations

The process designed and effected by those charged with governance, management, and
other personnel to provide reasonable assurance about the achievement of the entity’s
objective with regard to reliability of financial reporting, effectiveness, and efficiency of
operations and compliance with applicable laws and regulations. (PSA 315 DEFINITION)
Four essential concepts

 Internal control is a process


INTERNAL CONTROL is not an end in itself. Instead, it is the means of achieving
the entity’s objectives.
 Internal control is effected by those charged with governance,
management, and other personnel.
It is accomplished by people at every level of organization, including the
management, those charged with governance, and entity’s staff personnel. It is
the responsibility of the management to establish a control environment and
maintain policies and procedures to assist in achieving the entity’s objectives.
Those charged with governance, ensure the integrity of accounting and
financial reporting systems through oversight of management. Staff personnel
should also perform their respective functions in order to accomplish the objectives
of the entity.
 Internal control can be expected to provide reasonable assurance of
achieving the entity’s objectives.
It cannot provide absolute assurance that the entity’s objective will be
achieved because of the inherent limitations that may affect the internal
control effectiveness.

 Limitations:
Cost – benefit concerns. Cost of the internal control should not
exceed its benefits.
Directed at routine transactions. Most of internal controls are
directed toward routine transactions rather than non-routine
transactions.
Human error- due to carelessness, distractions, mistakes
Possibility of collusion (through employees)
Possibility of control override (management)
Inadequacy of procedures due to changes

 Internal control is designed to help achieve the entity’s objectives.

 Categories of the objectives:

Effectiveness and efficiency of operations

Compliance with laws and regulations

Reliability of financial reporting

Auditing of financial statements

Auditor is concerned only with those policies and procedures within the accounting
and internal control systems that are relevant to the financial statement
assertions. Therefore, the objective that is most relevant to the audit is the financial
reporting objective.

Operational and compliance objectives may be relevant to the audit only if they
relate to data that the auditor evaluates to determine the reliability of some financial
statement assertions. Examples: production statistics, controls pertaining to
detecting non-compliance with laws and regulations that may have a direct and
material effect on the financial statements.

Control categories according to business objectives:

 Operational controls
Operational controls are controls that help to reduce operational risks, or identify
failures in operational systems when these occur. The nature of operational risks
varies between companies, because their operations differ widely.
In general terms, operational risks are risks of failures in operations due to
factors such as human error, a failure in processes, a failure in systems, and so on.
 Compliance controls
Compliance controls are concerned with making sure that an entity complies with
all the requirements of relevant legislation and regulations. When regulations are
specific, compliance controls often involve detailed procedures for checking that
every regulation has been properly complied with, and that there is documentary
evidence that the checks have been made. This is often called a box-ticking
approach to compliance.
 A box-ticking approach to compliance control is more usually
associated with a rules-based approach to regulation rather
than a principles-based approach.
Financial controls have been explained as internal accounting controls that are sufficient to provide reasonable assurance that:
- transactions are made only in accordance with the general or specific authorization of management
- transactions are recorded so that financial statements can be prepared in accordance with accounting standards and generally-accepted accounting principles
- transactions are recorded so that assets can be accounted for
- access to assets is only allowed in accordance with the general or specific authorisation of management
- the accounting records for assets are compared with actual assets at reasonable intervals of time, and appropriate action is taken whenever there are found to be differences.

SPAMSOAP

Some years ago, a guideline of the UK Auditing Practices Board identified eight categories of internal (financial) controls, which can be remembered by the mnemonic SPAMSOAP.
 SEGREGATION OF DUTIES- Where possible, duties should be divided between
two or more people
 Physical Controls - These are measures to protect assets against theft, loss or
physical damage
 Authorization & approval controls- These are controls over spending decisions and
decisions to enter into transactions
 Management controls- Controls applied by management. Example is the system of
budgeting.
 Supervision- Controls can be applied by supervising the work done by employees
 Organization Controls - There should be lines of reporting from junior to
senior staff
 Arithmetical & accounting controls- Examples are control total checks and
bank reconciliation checks
 Personnel controls- There should be controls over the selection and training of
employees
Types of Controls
In general, controls can be classified into:

- Directive – designed to encourage or cause a desirable outcome to be achieved
 Broad in nature
 Can also be classified as preventive
Examples:

 Job descriptions

 Policies and procedures

 Trainings

 Laws and regulations

 Meetings

 Preventive – keep errors or irregularities from occurring


 More cost effective than detective controls

Examples:

 Segregation of duties

 Authorization / approval matrix

 Locking your office to prevent theft

 Detective – search for and identify errors after they have occurred
- More expensive than preventive controls but still essential to measure the
effectiveness of preventive controls
Examples:

 Reviews and comparisons

 Periodic physical inventory counts

 Supervisory reviews

 Exception reports

 Reconciling monthly account statements

 Corrective – designed to prevent recurrence of errors


 Used when improper outcomes occur and are detected
 Usually the last recourse, but can be costly

Examples:

 Disciplinary actions
 Filing suits in court

 Full restoration of a system backup files after evidence is found that data
have been improperly altered
 Compliance controls
 Financial controls

Internal Control System


- Means all the policies and procedures (internal controls) adopted by the
management of an entity to assist in achieving management’s objective of
ensuring, as far as practicable, the orderly and efficient conduct of its business,
including adherence to management policies, the safeguarding of assets, the
prevention and detection of fraud and error, the accuracy and completeness of the
accounting records, and the timely preparation of reliable financial information.

Components of Internal Control:

 Control Environment
 Risk Assessment
 Information and Communication Systems
 Control activities
 Monitoring

CONTROL ENVIRONMENT

- Management’s and board of directors’ attitude, awareness, and actions regarding internal control
- Includes governance and management functions
- Captures importance of control in management’s operating style
- “Tone at the top”, influencing the control consciousness of its people
- Foundation for effective internal control, providing discipline and structure

Factors reflected in the control environment include:


 Communication and enforcement of integrity and ethical values
Management should establish ethical standards that discourage
employees from engaging in dishonest, unethical, or illegal acts that
could materially affect the financial statements.
 Commitment to competence
The entity should consider the level of competence required for each
task and translate it to requisite knowledge and skills.
 Management philosophy and operating style
The auditor should assess the management attitude towards financial
reporting and their emphasis on meeting projected profit goals because
these will significantly influence the risk of material misstatements in
the financial statements.
 Active participation of those charged with governance
The entity must have an audit committee which will be responsible for
overseeing the financial reporting policies and practices of the entity.
 Personnel policies and procedures
The entity must implement appropriate policies for hiring, training,
evaluating, promoting and compensating entity’s personnel because
the competence of the entity’s employees will bear directly on the
effectiveness of the entity’s internal control.
 Assignment of responsibility and authority
 Organizational structure
It provides a framework for planning, directing and controlling the
entity’s operations. Appropriate methods of assigning responsibility
must be implemented to avoid incompatible functions and to minimize
the possibility of errors because of too much work load assigned to an
employee.

 Risk assessment

Risk assessment is the process used by companies to identify and assess the risks that
the company faces, and changes in those risks.

Entity’s business objectives cannot be achieved without some risks.

The risk assessment process involves prioritising the risks, and (if possible) putting a
quantitative measurement to them.

Business risk – the risk that the entity’s business objectives will not be attained as a result
of internal and external factors such as:

 Technological developments
 Changes in operating environment
 New personnel
 New or revamped information systems
 Rapid growth
 New business models, products, or activities
 Corporate restructurings
 Expanded foreign operations
 New accounting pronouncements
 Changes in customer demands
 Economic changes
Business risks are very crucial to every organization. For audit purposes, the auditor is
concerned only with those risks that are relevant to the preparation of reliable financial
statements.

A manufacturing company might categorise its operational risks as: selling and
markets, delivery, production, and purchasing and resources. Most of these risk
categories involve more than one function or department within the company.
Selling and markets is an aspect of operations that affects not just the marketing
department, but also research and development, quality control and customer
services, and so on.
Information and communication systems

Within a system of internal control, there must be a system for reporting to management information about risks, the effectiveness of controls, failures in control and the success of action to remove weaknesses in controls and reduce risks. The information provided needs to be timely, relevant and reliable.

 Financial reporting system


Consists of the procedures and records established to initiate,
record, process, and report entity transactions and to maintain
accountability for the related assets, liabilities, and equity.
CLASSIFY, MEASURE, SUMMARIZE, DISCLOSE

An information system encompasses methods and reports that:

 Identify and record all valid transactions


 Describe on a timely basis the transactions in sufficient detail to permit
proper classification of transactions for financial reporting
 Measure the value of transactions in a manner that permits recording their
proper monetary value in the financial statements
 Determine the time period in which transactions occurred to permit
recording of transactions in the proper accounting period
 Present properly the transactions and related disclosures in their financial
statements

Communication
- Involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.
Open communication channels help ensure that exceptions are reported and acted on.
Can be made electronically, orally, and through the actions of management.
CONTROL ACTIVITIES

- Are the policies and procedures that help ensure that management directives are carried out.
- Performance Reviews
These control activities include reviews and analyses of actual performance versus budgets, forecasts, and prior period performance; relating different sets of data to one another, together with analyses of the relationships and investigative and corrective actions.
- Information Processing
When computer processing is used in significant accounting applications, internal control procedures can be classified into two types: general and application controls.
- Proper authorization of transactions and activities
- Segregation of duties
- Adequate documents and records
- Safeguards over access to assets
- Independent checks on performance
- Physical Controls
These activities encompass the physical security of assets, including adequate safeguards such as secured facilities over access to assets and records; authorization for access to computer programs and data files; and periodic counting and comparison with amounts shown on control records.
 Segregation of Duties
Assigning different people with responsibilities of:
 Management (authorization)
 Custody (transaction execution)
 Accounting (recording transactions)
 Monitoring (independent checks on performance)
CATEGORIES OF CONTROL ACTIVITIES:
Preventive controls
 Intended to prevent misstatement
Detective controls

 Detect misstatements that have occurred


General Controls
 Control activities that prevent or detect irregularities for all accounting systems
 Policies and procedures that relate to many applications and support the
functioning or application controls by helping to ensure the continued proper
operation of information systems.
 Examples: Controls over data center and network operations; system software
acquisition, change, and maintenance; access security; application system
acquisition, development, maintenance
Application Controls
 Controls that pertain to the processing of certain types of transaction.
 Controls that apply to the processing of individual applications. These
controls help ensure that transactions occurred, are authorized, and are
completely and accurately recorded and processed.
 Examples: Checking the arithmetical accuracy of records, maintaining and
reviewing accounts and trial balances, automated controls such as edit
checks of input data and numerical sequence checks, and manual follow up
of exception reports.
Authorization
All transactions should be authorized by responsible personnel acting within the scope of their prescribed authority and responsibility.
- Specific authorization: required for each transaction; typically for unusual transactions
- General authorization: policies and procedures for typical transactions
SEGREGATION OF DUTIES
 Optimum segregation of duties exists when collusion is necessary to circumvent
controls

Separate functions for:

- Custody (transaction execution)
- Authorization (management)
- Recording (accounting)
- Monitoring (independent checks on performance)
Design, Use Documents & Records

Evidence of executed transactions


 Represent an audit trail

Impact efficiency
 Designed for multiple use

 Pre numbered consecutively

 Easy to complete
Access To Assets & Records
Access limited to authorized personnel by:
 Locks for physical protection
 Limits on employee access online

 Codes to authorize access


Monitoring
 Process of assessing the quality of internal control performance over time.
 Involves assessing the design and operation of controls on a timely basis.
 Ongoing monitoring activities
 For recurring activities
 Include regular management and supervisory activities such as
preparation of monthly bank reconciliation.
 Separate monitoring or evaluations
o Self-assessment performed by managers over the controls in
their areas of responsibility
o Independent checks performed by outsiders such as internal or
independent auditors.
o Monitoring activities that are performed on a non-routine basis
such as functions performed by internal auditors.
Internal control for small businesses

Internal control systems in small businesses tend to be weak compared to the internal
control systems of the larger entities. These weaknesses, however, can be compensated if
the owner/manager actively participates in the operation of the business.

It is not the responsibility of the auditor to establish and maintain an entity’s accounting and
internal control systems. This is the responsibility of the entity’s management.

Nevertheless, the auditors should give adequate consideration to these controls because the
quality of the entity’s internal control systems can have a significant impact on audit.

Consideration of the entity’s internal control systems involves the following steps:

1. Obtain understanding of the internal control

The auditor should obtain sufficient understanding of the components of the internal control relevant to the audit.
Obtaining understanding of the internal control involves the following steps:
 Evaluating the design of the control- involves considering whether the
control, individually or in combination with other controls, is capable of
effectively preventing, detecting and correcting material misstatements.
 Determining whether it has been implemented- implementation of a
control means that control exists and the controls have been placed
into operation. This is accomplished by performing a walk-through test.

Walk-through test - involves tracing one or two transactions through the entire accounting
system, from their initial recording at source to their final destinations. It also confirms the
auditor’s understanding of how the accounting systems and control procedures function.

An initial understanding of the design of the entity’s internal control systems is ordinarily obtained by:

- Making inquiries of appropriate individuals
- Inspecting documents and records
- Observing the entity’s activities and operations

Auditor is NOT REQUIRED to obtain knowledge about the operating effectiveness of the
internal control when obtaining an understanding of the entity’s internal control system.

The auditor uses the understanding of internal control to:

- Identify types of potential misstatements that can occur
- Consider factors that affect the risk of material misstatements
- Design the nature, timing, and extent of audit procedures to be performed
2. Documenting the auditor’s understanding of internal control
The documentation need not be in any particular form. The extent of
documentation may vary depending on the size and complexity of the entity and the
nature of the internal control systems. Some commonly used forms of documentation:
 Narrative description of internal control
 Flowchart- diagrams the flow of transactions and documents
 Internal control questionnaire

3. Assessment of control risk

The auditor should make a preliminary assessment of control risk, at the assertion
level, for each material account balance. It may be at a high level (100%) or less
than high level.
When the auditor’s knowledge of the entity’s internal control indicates that internal
controls related to a particular assertion are not effective, the auditor may simply
assess control risk at a HIGH LEVEL. Hence, no tests of control need to be performed and
the auditor will rely primarily on substantive tests.
If the auditor believes that control is reliable, the auditor should determine whether it
is efficient to obtain the evidence to justify an assessment of control risk at a lower
level.
If the auditor concludes that it is more efficient to rely on the entity’s internal control
systems, the auditor would plan to assess control risk at less than high level
 Identify specific internal control policies that are likely to prevent,
detect or correct misstatements relevant to financial statement
assertions
 Perform test of control to determine effectiveness

4. Performing tests of control


Before the auditor can rely on how effective internal control procedures may be, the
auditor must test these controls to obtain evidence that they are working as effectively
as the preliminary assessment suggests.
Tests of control are performed to obtain evidence about the effectiveness of the:
 Design of the accounting and internal control systems
 Operation of the internal controls

The auditor will only test the operating effectiveness of controls that are likely to detect or
prevent material misstatements. The auditor will only test those controls that he or she plans
to rely upon.

The auditor must obtain audit evidence through test of control to support any assessment of
control risk at less than high level. The lower the assessment of control risk, the more
support that the auditor should obtain. The greater the reliance of internal control, the more
extensive the tests.
Nature of tests of control

- Inquiry - consists of searching for the appropriate information about the effectiveness of internal control from knowledgeable persons inside and outside the entity
- Observation - looking at the process performed by others
- Inspection - examination of documents and records to provide reliability
- Reperformance - repeating the activity performed by the client to determine whether the results were obtained.

There is a significant overlap between the procedures used to obtain understanding and the
tests of control.

Obtaining understanding of the entity’s internal control and assessing control risks are
OFTEN DONE simultaneously.

Timing of test of control

Usually, auditors perform test of control during an interim visit in advance of period end.
They cannot rely on these results without considering the need to obtain further evidence
relating to the remainder of the period.

In determining whether or not to test the remaining period, the following factors are considered:

- Result of the interim test
- The length of the remaining period
- Whether changes have occurred in accounting and internal control systems during the remaining period

Extent of tests of control

- Auditors cannot possibly examine all transactions related to certain control procedures. The auditor should determine the size of the sample sufficient to support the assessed level of control risk.

Using the results of tests of control

- Auditors should evaluate whether the internal controls are designed and operating as intended. The result of this evaluation is called the assessed level of control risk. The auditor uses this to determine the acceptable level of detection risk.
- There is an inverse relationship between detection risk and the combined assessed level of inherent and control risks.
- If the combined level of inherent and control risk is high, the detection risk is low.
- In this regard, the auditor may consider modifying:
o Nature of substantive tests, from less effective to more effective procedures
o Timing of substantive tests, by performing them at year-end rather than at interim
o The extent of substantive tests, from smaller to larger sample size.

Operating effectiveness vs Implementation

Testing the operating effectiveness of controls is different from obtaining audit evidence that
controls have been implemented. When obtaining audit evidence of implementation by
performing risk assessment procedures, the auditor determines that the relevant controls
exist and the entity is using them. When performing tests of operating effectiveness of
controls, the auditor obtains audit evidence that controls operate effectively. This includes
obtaining audit evidence about how controls were applied at relevant times during the period
under audit, the consistency with which they were applied, and by whom or by what means
they were applied.

5. Documenting the assessed level of control risk

If control risk is assessed at a high level, the auditor should document his
conclusion that control risk is at a high level.
If control risk is assessed at less than a high level, the auditor should document his
conclusion that control risk is less than high and the basis for that assessment.
This basis is the results of the tests of control. Hence, the auditor cannot assess
control risk at less than a high level without performing tests of control.

 Communication and internal control weaknesses

The auditor may become aware of the weaknesses of the systems. The
auditor is required to report to the appropriate level of management
material weaknesses in the design or operation of the accounting and
internal control systems, which have come to the auditor’s attention.

Oral communications could also be made provided these are
adequately documented in the audit working papers.

Auditors are not required to search for or identify internal control
weaknesses.
Auditors must communicate these weaknesses to the client when they
come to their attention during the course of the audit.
These should be documented in a formal management letter.

Question 1
An internal control framework provides a road map regarding the control environment.

True
False
Question 2
The board should be properly accountable to its shareholders, and should be open and
transparent with investors generally.

True
False
Question 3
Difficulty in achieving staff collusion is inversely related to the number of persons involved.

True
False
Question 4
Physical access restrictions can be applied to buildings and warehouses.

True
False
Question 5
Preventive controls are more cost effective as compared to detective controls.

True
False
Question 6
The Chairman heads the executive management team of an entity.

True
False
Question 7
Corporate governance is concerned with running the business operations of a company.

True
False
Question 8
The audit committee should request special investigations from the internal audit department
only.

True
False
Question 9
Physical access restrictions can be applied to buildings and warehouses.

True
False
Question 10
Segregation of duties can be foregone if the organization involved is a small one as long as
compensating controls are in place.

True
False
Question 11
In the agency concept, the owners of an organization act as the principal whereas the
directors act as the agent.

True
False
Question 12
Since external auditors are parties outside an organization, the external audit process cannot
be reviewed by the audit committee.

True

False
Question 13
The control framework needs to be in place to promote the right control environment.

True
False
Question 14
To emphasize independence, the board may comprise non-executive directors.
True
False
Question 15
A principle of good corporate governance is that a substantial number of the directors of a
company should be independent.

True
False
Question 16
When talking about agency conflicts, management seems to be more of a risk-taker as
compared to the shareholders of an entity.

True
False
Question 17
Monitoring is done to ensure that controls continue in operation.

True
False
Question 18
Internal auditors are duty bound to ensure that the control processes are carefully
implemented.

True

False
Question 19
Recording and custody functions should not be given to one person.

True
False
Question 20
The main driver for corporate governance is based on the agency concept.

True
False
Question 21
The control environment is the foundation for effective internal control, providing discipline
and structure.

True
False
Question 22
In terms of time horizon, shareholders tend to be more concerned with the short-term financial
prospects than the long-term ones.

True
False
Question 23
According to the agency model, corporate bodies are overseen by directors who are
appointed by the senior management.

True

False
Question 24
The governance function is the primary responsibility of the internal audit activity.

True

False
Question 25
The internal audit activity and the audit committee are one and the same body.

True

False
Question 26
Lenders and regulators are considered internal stakeholders of an entity.

True
False
Question 27
The board should be composed of non-executive directors only so as to represent the
interests of the shareholders in a professional and responsible manner.
True

False
Question 28
Communication systems involve providing an understanding of individual roles and
responsibilities pertaining to internal control over financial reporting.

True
False
Question 29
The senior management formulates a corporate strategy to achieve set objectives.

True

False
Question 30
Seminars, trainings and orientations for employees are examples of a corrective control.

True
False
Question 31
Preparation of bank reconciliation statements is an example of a detective control.

True
False
Question 32
The audit committee can have an involvement in the appointment of internal auditors.

True
False
Question 33
The organization should employ a process for identifying, assessing and managing risk.

True
False
Question 34
Costs of monitoring pertain to costs that might be incurred to provide incentives to managers
to act in the best interests of the shareholders.
True
False
Question 35
Monitoring controls pertain to the “tone at the top” of an entity.

True
False
Question 36
The nominations committee makes recommendations to the board when a vacancy on the
board has to be filled.

True
False
Question 37
Operational controls are concerned with making sure that an entity complies with all the
requirements of relevant legislation and regulations.

True
False
Question 38
Internal controls are there to mitigate unacceptable levels of risk.

True

False
Question 39
Customers and suppliers of a company are considered part of the stakeholders group.

True
False
Question 40
Risk Assessment includes a range of actions as diverse as approvals, authorizations,
verifications, reconciliations, etc.

True
False
Question 1
In a small company that employs an inadequate number of employees to permit proper division of
responsibilities, effective internal control can be strengthened by

Direct participation by the owner of the business in the record keeping activities of the business.

Delegation of full clear-cut responsibility to each employee for the functions assigned to each.

Affirm in writing management’s approval of limitation on the scope of the audit.

Employment of temporary personnel to aid in the separation of duties.

Question 2
The requirement that purchases be made from suppliers on an approved vendor list is an example of a

Monitoring control

Detective control

Corrective control

Preventive control

Question 3
Which of the following is a directive control?

Recording every transaction on the day it occurs.


Performing monthly reconciliation of bank statements.

Requiring dual signatures on all disbursements over a specific dollar amount.

Requiring all members of the internal auditing department to be CIAs.

Question 4
A well-designed system of internal control that is functioning effectively is most likely to detect an
irregularity arising from

The fraudulent action of several employees.

Management fraud.

Informal deviations from the official organization chart.

The fraudulent action of an individual employee.

Question 5
What is the primary purpose of effective internal control in an organization?

Obtaining profitability and financial strength.

Achievement of certain organizational goals.

Shareholders’ involvement in the company’s success.

Completion of a successful audit for the entity.

Question 6
Checking odd balances in the documents and in the financial statement accounts is an example of what
type of control?

Corrective

Directive

Detective
Preventive

Question 7
According to the COSO report, the correct sequence is

Objectives, actions, risks.

Actions, objectives, risks.

Risks, objectives, actions.

Objectives, risks, actions.

Question 8
Which of the following is not typically one of management’s concerns in designing an effective internal
control structure?

Efficiency and effectiveness of operations.

Obtaining the best internal control system possible.

Reliability of financial reporting.

Compliance with applicable laws and regulations.

Question 9
Which of the following components of internal control would encompass the routine controls over
business processes and transactions?

Risk assessment

The control environment.

Control activities

Information and communication


Question 10
Inherent limitations in an internal control structure must be considered in evaluating its effectiveness in
preventing or detecting errors and irregularities. Inherent limitations do not include

Incompatible functions performed by the same person.

Misunderstanding of instructions, mistakes of judgment, personal carelessness, distraction or
fatigue.

Collusion among employees

Management override of certain policies and procedures.

Question 11
Proper segregation of functional responsibilities in an effective structure of internal control calls for
separation of the functions of

Authorization, execution and payment

Authorization, recording and custody

Custody, execution and reporting

Authorization, payment and recording

Question 12
This pertains to the cost of measuring, observing and controlling the behavior of management.

Training cost

Monitoring cost

Residual loss

Bonding cost

Question 13
I.  The governance function is the primary responsibility of the internal audit activity.

II.  The organization should employ a process for identifying, assessing and managing risk.

True; True

True; False

False; True

False; False

Question 14
Proper segregation of duties reduces the opportunities in which a person could both

Record cash receipt and record cash disbursements.

Establish internal controls and authorize transactions.

Perpetrate errors and irregularities and conceal them.

Journalize entries and prepare financial statements.

Question 15
Which of the following is not considered an external stakeholder?

Auditors

Regulators

Shareholders

Lenders

Question 16
Corporate directors, management, external auditors and internal auditors all play important roles in
creating a proper control environment.  Top management is primarily responsible for

Establishing a proper environment and specifying an overall internal control structure.


Ensuring that external and internal auditors adequately monitor the control environment.

Reviewing the reliability and integrity of financial information and the means used to collect and
report such information.

Implementing and monitoring controls designed by the board of directors.

Question 17
The board of directors should (choose the incorrect one):

Understand its role and responsibilities.

Provide suitable leadership to the company.

Fulfill its role and responsibilities.

Make business decisions for the company.

Question 18
An act of two or more employees to misstate records is called

Defalcation

Felony

Malfeasance

Collusion

Question 19
The primary responsibility for establishing and maintaining internal controls rests with the

external auditors.

management.
internal auditors.

Securities and Exchange Commission.

Question 20
Giving limited computer access to employees is an example of what type of control?

Corrective and directive

Directive and preventive

Detective and corrective

Preventive and detective

Question 21
This COSO component includes a range of actions as diverse as approvals, authorizations, verifications,
reconciliations, etc.

Control environment

Control activities

Risk assessment

Monitoring

Question 22
This committee is tasked to monitor financial reporting.

Audit committee

Risk committee

Nominations committee
Remuneration committee

Question 23
This is a concept of good governance that means directors are able to make judgments and give
opinions that are in the best interests of the company, without bias or pre-conceived ideas.

Fairness

Honesty and integrity

Openness and transparency

Independence

Question 24
The concept of control should be viewed as

Inhibiting a person.

Limiting an operation.

Accomplishing an objective.

Blocking a process.

Question 25
A manager has an interest in receiving benefits from his or her position as a manager. This is a scenario
of the agency conflict under:

Effort level

Earnings retention

Moral hazard

Risk aversion
Question 26
The following relates to internal control. Which of the following is incorrect?

The internal control system is confined to those matters which relate directly to the functions of
the accounting system.

Internal control system refers to all the policies and procedures adopted by the management of
an entity to assist in achieving management’s objectives.

A strong environment does not, by itself, ensure the effectiveness of the internal control system.

In the audit of financial statements in accordance with GAAP, the external auditor is only
concerned with those policies and procedures within the accounting and internal control system
that are relevant to the financial statements.

Question 27
An adequate system of internal control is most likely to detect an irregularity perpetrated by a

Single employee

Single manager

Group of managers in a collusion

Group of employees in collusion

Question 28
Corporate governance is concerned with

Hostile takeovers becoming the norm.

The trend toward more women on boards of directors.

The legitimacy of charters used in a place.

The relative roles, rights, and accountability of such stakeholder groups as owners, board
members, managers, employees, and others.

Question 29
Which of the following is not one of the differences between a CEO and a Chairman of the Board?

Only the secretary and the CEO report directly to the Chairman, while all executive managers
report directly to the CEO.

The CEO is usually full-time, while the Chairman is usually part-time.

The CEO is the head of the executive team, while the Chairman is the leader of the board.

The Chairman implements the decisions of the board, while the CEO proposes plans, budgets and
strategies.

Question 30
Corporate management has a role in the maintenance of internal control.  In fact, management
sometimes is a control.  Which of the following involves managerial functions as a control device?

Supervision of employees.

Maintenance of a quality control department.

Internal auditing.

Use of a corporate policies manual.

Question 31
Which of the following is not a proper role of corporate board of directors?

Guidance.

Governance.

Guarantor.

Guardian.

Question 32
The purpose of control is to

Determine whether an operation is a cost or profit center.

Control employee behavior.

Determine who is in charge of a department.

Ensure that the goals of a firm are being achieved.

Question 33
Internal control structure objectives are to be accomplished with reasonable assurance. The concept of
reasonable assurance recognizes that

Judgmentally selected samples cannot meet the criteria for statistical validity.

Employee carelessness can weaken an internal control structure.

The control procedure should not have a significant adverse effect on efficiency or profitability.

The auditor’s primary responsibility is the detection of fraud.

Question 34
Which of the following is not a component in the COSO framework for internal control?

Segregation of duties

Risk assessment

Control environment

Monitoring

Question 35
Internal control is a function of management, and effective control is based upon the concept of charge
and discharge of responsibility and duty.  Which of the following is one of the overriding principles of
internal control?

Responsibility for the performance of each duty must be fixed.


Responsibility for accounting and financial duties should be assigned to one responsible officer.

Responsibility for the accounting duties must be done by the audit committee of the company.

Responsibility for accounting activities and duties must be assigned only to employees who are
bonded.

Question 36
Which of the following best identifies the reason that effective corporate governance is important?

The goal of profit maximization.

Lack of oversight by the board of directors.

Excess management compensation.

The separation of ownership from management.

Question 37
According to the COSO report, which of the following is the most important component of internal
control?

Risk assessment.

Control activities.

Control environment.

Monitoring.

Question 38
This type of control ensures that there is clear direction and drive towards achieving the stated
objectives.

Directive
Detective

Preventive

Corrective

Question 39
All of the following are primary objectives of the overall management process except:

Compliance with laws, regulations, ethical and business norms and contracts.

Identification of risk exposures and use of effective strategies to control them.

Improving the effectiveness of risk management, control and governance processes.

Safeguarding of the organization’s assets.

Question 40
The major issue embedded in the structure of modern corporations that has contributed to the
corporate governance problem has been

Excessive executive compensation.

The separation of ownership from control.

Union domination of the proxy machinery.

Early retirement programs, such as the one implemented by IBM.

9. CONFLICTS OF INTEREST BETWEEN..
8. OBTAINING THE BEST
7. CEO AND THE CHAIR ARE SPLIT
12. GENERAL CONTROLS
26. INDEPENDENT PROFESSIONAL SERVICES
11. EFFORT LEVEL
18. IMPLEMENTING CONTROLS
24. WHEN THE RISK EVENT IS UNACCEPTABLE
SECURITY AND EXCHANGE… RESPONSIBLE FOR SUBJECT MATTER INFO
33. BUYING INSURANCE FOR PERSONAL BODILY INJURY
INHERENT LIMITATIONS…INCOMPATIBLE FUNCTIONS

which of the following is true? ongoing monitoring includes independent checks on
performance DONE BY INTERNAL OR EXTERNAL AUDITORS WHILE SEPARATE
MONITORING INCLUDES IDENTIFYING DEVIATIONS FROM RECURRING ACTIVITIES
ON SEPARATE DEPARTMENTS : general controls

THE PRACTITIONER WILL REDUCE…
