The separation of ownership and control creates problems for good corporate
governance, because the directors of a company might be able to run the company in a
way that is not in the best interests of the shareholders, but the shareholders might not
be able to prevent the directors from doing this, because the directors have most of the
powers to control what the company does.
chairman and the CEO. BOD should have different skills employed.
company
The board should not be dominated by a powerful chief executive and/or chairman
The board should have a suitable balance, and consist of individuals with a
Fairness
Openness/Transparency
Independence
Honesty and Integrity
Responsibility and Accountability
Reputation
Judgment
Management
o Chief executive officer
o Chief financial officer
o Chief operating officer
o Chief marketing officer and others
Shareholders
Board of directors
o Chairman
o Managing director
o Executive directors- directors that have decision-making or
managing roles, like executive committee members
o Non-executive directors- some companies appoint this kind of
director to add independence, without decision-making or managing
roles.
In a publicly listed entity where there are many different shareholders, a
knowledge gap exists between the owners and management.
How do you understand “knowledge gap” in this context?
What do you think can be done to address this knowledge gap?
You can rely on audited financial statements.
INTERNAL STAKEHOLDERS
Shareholders- concerned with their assets
Directors- have influence and power to hire senior management
Senior Management
Other Employees
EXTERNAL STAKEHOLDERS
Regulators
Government
Suppliers
Customers
Stock Exchanges
Auditors
Investors
Agency costs
Monitoring costs- cost of measuring, observing and controlling the behavior of
management. Some costs are imposed by law (annual accounts, annual audit) and
some arise from compliance with codes of corporate governance.
Bonding costs- costs of arrangements that help to align the interests of the
shareholders and managers (ex: strategic planning)
Residual loss- losses occur for the owners, such as the losses arising from a
lower share price, because the managers take decisions and actions that are not in
the best interests of the shareholders. Monitoring costs and bonding costs will not
prevent some residual loss from occurring.
CHAIRMAN OF THE BOARD VS CHIEF EXECUTIVE OFFICER
CEO
Executive officer. Full-time employee.
Reporting lines: All executive managers report directly or indirectly to the CEO.
Main responsibilities: Head of the management team. To draft proposed plans, budgets and strategies for board approval. To implement decisions of the board.
Chairman
Part-time. Usually independent. No executive responsibilities.
Reporting lines: Only the company secretary and the CEO report to the chairman directly, on matters relating to the board. The chairman reports to the company’s shareholders, as leader of the board.
Main responsibilities: Leader of the board, with responsibility for its effectiveness. To make sure that the board fulfills its role successfully. To ensure that all directors contribute to the work of the board.
BOARD COMMITTEES
The number of and the type of board committee created will depend on the company.
The common committees are:
- Remuneration committee
- Audit committee- this emphasizes the audit function of the company. They are in
charge of hiring, appointing and looking for external auditors.
- Nominations committee – in charge of elections
- Risk management committee or Internal Control and Compliance Committee
Internal Controls
- A process, effected by an entity’s board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of
objectives in the following categories: (COSO DEFINITION)
The process designed and effected by those charged with governance, management, and
other personnel to provide reasonable assurance about the achievement of the entity’s
objective with regard to reliability of financial reporting, effectiveness, and efficiency of
operations and compliance with applicable laws and regulations. (PSA 315 DEFINITION)
Four essential concepts
Limitations:
Cost – benefit concerns. Cost of the internal control should not
exceed its benefits.
Directed at routine transactions. Most internal controls are
directed toward routine transactions rather than non-routine
transactions.
Human error- due to carelessness, distractions, mistakes
Possibility of collusion (through employees)
Possibility of control override (management)
Inadequacy of procedures due to changes
The auditor is concerned only with those policies and procedures within the accounting
and internal control systems that are relevant to the financial statement
assertions. Therefore, the objective that is most relevant to the audit is the financial
reporting objective.
Operational and compliance objectives may be relevant to the audit only if they
relate to data that auditor evaluates to determine the reliability of some financial
statement assertions. Examples: production statistics, controls pertaining to
detecting non-compliance with laws and regulations that may have a direct and
material effect on the financial statements.
Operational controls
Operational controls are controls that help to reduce operational risks, or identify
failures in operational systems when these occur. The nature of operational risks
varies between companies, because their operations differ widely.
In general terms, operational risks are risks of failures in operations due to
factors such as human error, a failure in processes, a failure in systems, and so on.
Compliance controls
Compliance controls are concerned with making sure that an entity complies with
all the requirements of relevant legislation and regulations. When regulations are
specific, compliance controls often involve detailed procedures for checking that
every regulation has been properly complied with, and that there is documentary
evidence that the checks have been made. This is often called a box-ticking
approach to compliance.
A box-ticking approach to compliance control is more usually
associated with a rules-based approach to regulation rather
than a principles-based approach.
Financial controls have been explained as internal accounting controls that are
sufficient to provide reasonable assurance that:
transactions are made only in accordance with the general or
specific authorization of management
transactions are recorded so that financial statements can be
prepared in accordance with accounting standards and
generally-accepted accounting principles
transactions are recorded so that assets can be accounted for
access to assets is only allowed in accordance with the
general or specific authorisation of management
the accounting records for assets are compared with actual
assets at reasonable intervals of time, and appropriate action
is taken whenever there are found to be differences.
SPAMSOAP
Job descriptions
Trainings
Meetings
Examples:
Segregation of duties
Detective – search for and identify errors after they have occurred
- More expensive than preventive controls but still essential to measure the
effectiveness of preventive controls
Examples:
Supervisory reviews
Exception reports
Examples:
Disciplinary actions
Filing suits in court
Full restoration of a system from backup files after evidence is found that data
have been improperly altered
Compliance controls
Financial controls
Control Environment
Risk Assessment
Information and Communication Systems
Control activities
Monitoring
CONTROL ENVIRONMENT
Risk assessment
Risk assessment is the process used by companies to identify and assess the risks that
the company faces, and changes in those risks.
The risk assessment process involves prioritising the risks, and (if possible) putting a
quantitative measurement to them.
Business risk – the risk that the entity’s business objectives will not be attained as a result
of internal and external factors such as:
Technological developments
Changes in operating environment
New personnel
New or revamped information systems
Rapid growth
New business models, products, or activities
Corporate restructurings
Expanded foreign operations
New accounting pronouncements
Changes in customer demands
Economic changes
Business risks are very crucial to every organization. For audit purposes, the auditor is
concerned only with those risks that are relevant to the preparation of reliable financial
statements.
A manufacturing company might categorise its operational risks as: selling and
markets, delivery, production, and purchasing and resources. Most of these risk
categories involve more than one function or department within the company.
Selling and markets is an aspect of operations that affects not just the marketing
department, but also research and development, quality control and customer
services, and so on.
Information and communication systems
Communication
Involves providing an understanding of individual roles and
responsibilities pertaining to internal control over financial reporting.
Open communication channels help ensure that exceptions are reported
and acted on.
Can be made electronically, orally, and through the actions of
management.
CONTROL ACTIVITIES
- Are the policies and procedures that help ensure that management directives
are carried out.
Performance Reviews
This control activity includes reviews and analyses of actual performance
versus budgets, forecasts, and prior period performance; relating different
sets of data to one another, together with analyses of the relationships and
investigative and corrective actions.
Information Processing
When computer processing is used in significant accounting applications,
internal control procedures can be classified into two types: general and
application controls.
Proper authorization of transactions and activities
Segregation of duties
Adequate documents and records
Safeguards over access to assets
Independent checks on performance
Physical Controls
These activities encompass the physical security of assets including
adequate safeguards such as secured facilities over access to assets and
records; authorization for access to computer programs and data files, and
periodic counting and comparison with amounts shown on control records.
Segregation of Duties
Assigning different people with responsibilities of:
Management (authorization)
Custody (transaction execution)
Accounting (recording transactions)
Monitoring (independent checks on performance)
CATEGORIES OF CONTROL ACTIVITIES:
Preventive controls
Intended to prevent misstatement
Detective controls
Authorization (management)
Recording (accounting)
Monitoring (independent checks on performance)
Design, Use Documents & Records
Impact efficiency
Designed for multiple use
Easy to complete
Access To Assets & Records
Access limited to authorized personnel by:
Locks for physical protection
Limits on employee access online
Internal control systems in small businesses tend to be weak compared to the internal
control systems of the larger entities. These weaknesses, however, can be compensated if
the owner/manager actively participates in the operation of the business.
It is not the responsibility of the auditor to establish and maintain an entity’s accounting and
internal control systems. This is the responsibility of the entity’s management.
Nevertheless, the auditors should give adequate consideration to these controls because the
quality of the entity’s internal control systems can have a significant impact on audit.
Consideration of the entity’s internal control systems involves the following steps:
Walk-through test- involves tracing one or two transactions through the entire accounting
systems, from their initial recording at source to their final destinations. It also confirms the
auditor’s understanding of how the accounting systems and control procedures function.
An initial understanding of the design of the entity’s internal control systems is ordinarily
obtained by:
The auditor is NOT REQUIRED to obtain knowledge about the operating effectiveness of the
internal control when obtaining an understanding of the entity’s internal control system.
The auditor should make a preliminary assessment of control risk, at the assertion
level, for each material account balance. It may be at a high level (100%) or less
than high level.
When the auditor’s knowledge of the entity’s internal control indicates that internal
controls related to a particular assertion are not effective, the auditor may simply
assess control risk at a HIGH LEVEL. Hence, no tests of control need to be performed and
the auditor will rely primarily on substantive tests.
If the auditor believes that control is reliable, the auditor should determine whether it
is efficient to obtain the evidence to justify an assessment of control risk at a lower
level.
If the auditor concludes that it is more efficient to rely on the entity’s internal control
systems, the auditor would plan to assess control risk at less than high level.
Identify specific internal control policies that are likely to prevent,
detect or correct misstatements relevant to financial statement
assertions
Perform test of control to determine effectiveness
The auditor will only test the operating effectiveness of controls that are likely to detect or
prevent material misstatements. The auditor will only test those controls that he or she plans
to rely upon.
The auditor must obtain audit evidence through test of control to support any assessment of
control risk at less than high level. The lower the assessment of control risk, the more
support that the auditor should obtain. The greater the reliance on internal control, the more
extensive the tests.
Nature of tests of control
There is a significant overlap between the procedures used to obtain understanding and the
tests of control.
Obtaining understanding of the entity’s internal control and assessing control risks are
OFTEN DONE simultaneously.
Usually, auditors perform tests of control during an interim visit in advance of period end.
They cannot rely on these results without considering the need to obtain further evidence
relating to the remainder of the period.
In determining whether or not to test the remaining period, factors are considered:
Testing the operating effectiveness of controls is different from obtaining audit evidence that
controls have been implemented. When obtaining audit evidence of implementation by
performing risk assessment procedures, the auditor determines that the relevant controls
exist and the entity is using them. When performing tests of operating effectiveness of
controls, the auditor obtains audit evidence that controls operate effectively. This includes
obtaining audit evidence about how controls were applied at relevant times during the period
under audit, the consistency with which they were applied, and by whom or by what means
they were applied.
True
False
Question 2
The board should be properly accountable to its shareholders, and should be open and
transparent with investors generally.
True
False
Question 3
Difficulty in achieving staff collusion is inversely related to the number of persons involved.
True
False
Question 4
Physical access restrictions can be applied to buildings and warehouses.
True
False
Question 5
Preventive controls are more cost effective as compared to detective controls.
True
False
Question 6
The Chairman heads the executive management team of an entity.
True
False
Question 7
Corporate governance is concerned with running the business operations of a company.
True
False
Question 8
The audit committee should request special investigations from the internal audit department
only.
True
False
Question 9
Physical access restrictions can be applied to buildings and warehouses.
True
False
Question 10
Segregation of duties can be forgone if the organization involved is a small one as long as
compensating controls are in place.
True
False
Question 11
In the agency concept, the owners of an organization act as the principal whereas the
directors act as the agent.
True
False
Question 12
Since external auditors are parties outside an organization, the external audit process cannot
be reviewed by the audit committee.
True
False
Question 13
The control framework needs to be in place to promote the right control environment.
True
False
Question 14
To emphasize independence, the board may comprise non-executive directors.
True
False
Question 15
A principle of good corporate governance is that a substantial number of the directors of a
company should be independent.
True
False
Question 16
When talking about agency conflicts, management seems to be more of a risk-taker as
compared to the shareholders of an entity.
True
False
Question 17
Monitoring is done to ensure that controls continue in operation.
True
False
Question 18
Internal auditors are duty bound to ensure that the control processes are carefully
implemented.
True
False
Question 19
Recording and custody functions should not be given to one person.
True
False
Question 20
The main driver for corporate governance is based on the agency concept.
True
False
Question 21
The control environment is the foundation for effective internal control, providing discipline
and structure.
True
False
Question 22
In terms of time horizon, shareholders tend to be more concerned with the short term financial
prospects than long term ones.
True
False
Question 23
According to the agency model, corporate bodies are overseen by directors who are
appointed by the senior management.
True
False
Question 24
The governance function is the primary responsibility of the internal audit activity.
True
False
Question 25
The internal audit activity and the audit committee are one and the same body.
True
False
Question 26
Lenders and regulators are considered internal stakeholders of an entity.
True
False
Question 27
The board should be composed of non-executive directors only so as to represent the
interests of the shareholders in a professional and responsible manner.
True
False
Question 28
Communication systems involve providing an understanding of individual roles and
responsibilities pertaining to internal control over financial reporting.
True
False
Question 29
The senior management formulates a corporate strategy to achieve set objectives.
True
False
Question 30
Seminars, trainings and orientations for employees are examples of a corrective control.
True
False
Question 31
Preparation of bank reconciliation statements is an example of a detective control.
True
False
Question 32
The audit committee can have an involvement in the appointment of internal auditors.
True
False
Question 33
The organization should employ a process for identifying, assessing and managing risk.
True
False
Question 34
Costs of monitoring pertain to costs that might be incurred to provide incentives to managers
to act in the best interests of the shareholders.
True
False
Question 35
Monitoring controls pertain to the “tone at the top” of an entity.
True
False
Question 36
The nominations committee makes recommendations to the board when a vacancy on the
board has to be filled.
True
False
Question 37
Operational controls are concerned with making sure that an entity complies with all the
requirements of relevant legislation and regulations.
True
False
Question 38
Internal controls are there to mitigate unacceptable levels of risk.
True
False
Question 39
Customers and suppliers of a company are considered part of the stakeholders group.
True
False
Question 40
Risk Assessment includes a range of actions as diverse as approvals, authorizations,
verifications, reconciliations, etc.
True
False
In a small company that employs an inadequate number of employees to permit proper division of
responsibilities, effective internal control can be strengthened by
Direct participation by the owner of the business in the record keeping activities of the business.
Delegation of full clear-cut responsibility to each employee for the functions assigned to each.
Question 2
The requirement that purchases be made from suppliers on an approved vendor list is an example of a
Monitoring control
Detective control
Corrective control
Preventive control
Question 3
Which of the following is a directive control?
Question 4
A well-designed system of internal control that is functioning effectively is most likely to detect an
irregularity arising from
Management fraud.
Question 5
What is the primary purpose of effective internal control in an organization?
Question 6
Checking odd balances in the documents and in the financial statement accounts is an example of what
type of control?
Corrective
Directive
Detective
Preventive
Question 7
According to the COSO report, the correct sequence is
Question 8
Which of the following is not typically one of management’s concerns in designing an effective internal
control structure?
Question 9
Which of the following components of internal control would encompass the routine controls over
business processes and transactions?
Risk assessment
Control activities
Question 11
Proper segregation of functional responsibilities in an effective structure of internal control calls for
separation of the functions of
Question 12
This pertains to the cost of measuring, observing and controlling the behavior of management.
Training cost
Monitoring cost
Residual loss
Bonding cost
Question 13
I. The governance function is the primary responsibility of the internal audit activity.
II. The organization should employ a process for identifying, assessing and managing risk.
True; True
True; False
False; True
False; False
Question 14
Proper segregation of duties reduces the opportunities in which a person could both
Question 15
Which of the following is not considered an external stakeholder?
Auditors
Regulators
Shareholders
Lenders
Question 16
Corporate directors, management, external auditors and internal auditors all play important roles in
creating a proper control environment. Top management is primarily responsible for
Reviewing the reliability and integrity of financial information and the means used to collect and
report such information.
Question 17
The board of directors should (choose the incorrect one):
Question 18
An act of two or more employees to misstate records is called
Defalcation
Felony
Malfeasance
Collusion
Question 19
The primary responsibility for establishing and maintaining internal controls rests with the
external auditors.
management.
internal auditors.
Question 20
Giving limited computer access to employees is an example of what type of control?
Question 21
This COSO component includes a range of actions as diverse as approvals, authorizations, verifications,
reconciliations, etc.
Control environment
Control activities
Risk assessment
Monitoring
Question 22
This committee is tasked to monitor financial reporting.
Audit committee
Risk committee
Nominations committee
Remuneration committee
Question 23
This is a concept of good governance that means directors are able to make judgments and give
opinions that are in the best interests of the company, without bias or pre-conceived ideas.
Fairness
Independence
Question 24
The concept of control should be viewed as
Inhibiting a person.
Limiting an operation.
Accomplishing an objective.
Blocking a process.
Question 25
A manager has an interest in receiving benefits from his or her position as a manager. This is a scenario
of the agency conflict under:
Effort level
Earnings retention
Moral hazard
Risk aversion
Question 26
The following relates to internal control. Which of the following is incorrect?
The internal control system is confined to those matters which relate directly to the functions of
the accounting system.
Internal control system refers to all the policies and procedures adopted by the management of
an entity to assist in achieving management’s objectives.
A strong environment does not, by itself, ensure the effectiveness of the internal control system.
In the audit of financial statements in accordance with GAAP, the external auditor is only
concerned with those policies and procedures within the accounting and internal control system
that are relevant to the financial statements.
Question 27
An adequate system of internal control is most likely to detect an irregularity perpetrated by a
Single employee
Single manager
Question 28
Corporate governance is concerned with
The relative roles, rights, and accountability of such stakeholder groups as owners, board
members, managers, employees, and others.
Question 29
Which of the following is not one of the differences between a CEO and a Chairman of the Board?
Only the secretary and the CEO report directly to the Chairman, while all executive managers
report directly to the CEO.
The CEO is the head of the executive team, while the Chairman is the leader of the board.
The Chairman implements the decisions of the board, while the CEO proposes plans, budgets and
strategies.
Question 30
Corporate management has a role in the maintenance of internal control. In fact, management
sometimes is a control. Which of the following involves managerial functions as a control device?
Supervision of employees.
Internal auditing.
Question 31
Which of the following is not a proper role of corporate board of directors?
Guidance.
Governance.
Guarantor.
Guardian.
Question 32
The purpose of control is to
Question 33
Internal control structure objectives are to be accomplished with reasonable assurance. The concept of
reasonable assurance recognizes that
Judgmentally selected samples cannot meet the criteria for statistical validity.
The control procedure should not have a significant adverse effect on efficiency or profitability.
Question 34
Which of the following is not a component in the COSO framework for internal control?
Segregation of duties
Risk assessment
Control environment
Monitoring
Question 35
Internal control is a function of management, and effective control is based upon the concept of charge
and discharge of responsibility and duty. Which of the following is one of the overriding principles of
internal control?
Responsibility for the accounting duties must be done by the audit committee of the company.
Responsibility for accounting activities and duties must be assigned only to employees who are
bonded.
Question 36
Which of the following best identifies the reason that effective corporate governance is important?
Question 37
According to the COSO report, which of the following is the most important component of internal
control?
Risk assessment.
Control activities.
Control environment.
Monitoring.
Question 38
This type of control ensures that there is clear direction and drive towards achieving the stated
objectives.
Directive
Detective
Preventive
Corrective
Question 39
All of the following are primary objectives of the overall management process except:
Compliance with laws, regulations, ethical and business norms and contracts.
Question 40
The major issue embedded in the structure of modern corporations that has contributed to the
corporate governance problem has been