• Company Name
• Number of Shares
• Shareholder’s rights
• BOD
• General Assembly
• Dividends
• Dissolution
The shareholders elect the BOD, which has, say, 10 members. The majority of the members must be
independent members (holding no shares in the firm and having no personal relations with it), for example 6 members.
The rest of the members are executive members (who manage the firm), for example 4 members.
The BOD establishes the Strategic Objectives, Values, Code of Ethics, and Performance
Accountabilities. DIRECTION (BOD)
The BOD appoints the Executive Managers (officers): CEO, CFO, COO, CPO, etc.
The BOD establishes the Bylaws and Policies to ensure that executive management is doing what is
right. DIRECTION (BOD)
The firm must have Risk Management and Internal Control, designed by executive
management in coordination with the BOD.
The problem that arises is that executive management may not pursue the objectives of the
shareholders; this is the agency problem described by Agency Theory.
A Fiduciary Duty (a duty of trust) is imposed on executive management to ensure that they run
the firm in the shareholders' interest. AUDITING (BOD)
The BOD appoints a Risk Committee and Audit Committee for monitoring and auditing the
actual performance.
The Audit Committee appoints the external auditor, who reports back to the BOD.
The Audit Committee appoints an internal auditor whose job is to ensure that the firm has a
governance system (corporate governance), that the risk management duty is carried out, and that the
internal control measures are in place.
Government regulators also audit the performance of the business and are considered part
of corporate governance.
The General Assembly is the meeting where the shareholders confront executive management;
it is considered an audit tool over management.
This system is called Corporate Governance. It exists to protect the shareholders'
rights and to protect suppliers, employees, customers and society as a whole.
1. Corporate Governance
2. Corporate Governance Components
Governance has 2 major components:
1) Direction- determines the business model, overall objectives, approach to risk taking
(including risk appetite) and limits of organizational conduct
2) Oversight- the component with which internal audit is mainly concerned. It is also the
component to which risk management and control activities are most likely to be applied.
3. Board of Directors
The board is the source of overall direction and the ultimate responsibility for oversight.
The board appoints the company's management and determines what it expects from
management in terms of integrity and ethics.
The board has authority over the key decisions and plays a role in top-level strategic objective-
setting and strategic planning.
The board has the responsibility to identify stakeholders, whether directly involved in the business
(employees, customers, suppliers), indirectly involved (investors), or having influence over the
business (regulators and competitors).
The board shall meet periodically (quarterly) to review and discuss the performance of
management. The board has to assess the performance of the management towards the
achievement of the strategic objectives.
The board is accountable to shareholders and other stakeholders.
Since the board is responsible for assessing performance, it is important for the majority of the board
to be independent of the company. An independent director has no material financial interest or
personal ties in the company. So, an independent director is not an officer or employee of the
company and thus is not active in its day-to-day activities.
4. Executive Management
Executive management reports and is accountable to the Board of Directors and must be
completely separate from it.
They perform the day-to-day governance functions and operational activities.
They perform the risk management practices (what the risks are, who will own each risk, how it will
be managed).
Executive Management is responsible for designing and implementing the internal control
system.
5. Risk Committee
This committee is responsible for supporting executive management in managing the
company's risks. Its responsibilities include:
✓ Identifying risks
✓ Connecting risks to risk management and processes
✓ Delegating to risk owners
6. Audit Committee
The audit committee has the responsibility to oversee the audit activities and the internal control system.
It should have a charter (agreement) describing its duties and responsibilities. The audit committee
reports directly to the board of directors and the shareholders.
Each member of the audit committee must be an independent member of the board of directors. The audit
committee must have at least one member who is a financial expert. An independent director is
not affiliated with the issuer and receives no compensation from it other than for service on the board.
The audit committee must also review the financial statements prepared by management. The
results must be reviewed with executive management and the external auditor. Finally, the
audit committee must also review the annual report submitted to the government regulators.
This committee must review the assessment of the effectiveness of risk management, control and
governance processes performed by the external or internal auditor; follow up and monitor the
implementation of the recommendations proposed by the internal and external auditors; and evaluate
executive management's performance and compensation.
The audit committee appoints and meets regularly with the Chief Audit Executive (CAE), and
approves the internal audit activity's charter and its plans.
7. External Auditor
The audit committee determines the external auditor's appointment and compensation, and the
external auditor reports to it. The external auditor reviews and audits the company's financial
statements and provides a report to the shareholders with the results.
There are 4 Audit Approaches:
1) Substantive Procedures Approach (bottom-up)
Also called the vouching approach or the direct verification approach. This method is
applied by testing large volumes of transactions and account balances without any
particular focus on a specific area of the financial statements. This method is not risk-
based and treats all controls equally.
Audit Reports
2) Qualified Opinion
Issued where the financial statements contain a departure from GAAP (or the auditor could not
obtain sufficient evidence) whose effect is material but not pervasive. The qualified
opinion is written like the unqualified opinion, but it includes an additional
paragraph that explains why the opinion is not unqualified.
3) Adverse Opinion
This is the worst type of audit report a business can receive. It indicates that
the firm's financial statements do not conform to GAAP. The auditor has obtained
sufficient evidence, and the misstatements are material and pervasive (widespread).
4) Disclaimer of Opinion
In some cases, the auditor is unable to complete an accurate audit. This may
occur, for example, when appropriate financial records are absent. It is issued when the
scope of the audit is not sufficient to permit the formation of an opinion, or when the
auditor is not independent, and the possible effects of undetected misstatements could be
material and pervasive (widespread).
8. Foreign Corrupt Practices Act (FCPA)
The FCPA was enacted in 1977 in the aftermath of the Watergate investigation. It is designed
to prevent secret payments of corporate funds as bribes to foreign government officials, politicians
and political parties.
The FCPA contains 3 basic provisions:
1) Anti-Bribery
2) Books and Records (accurate accounting records)
3) Internal Control System
The penalties for an individual for each criminal violation of the FCPA are a fine of up to
$100,000, imprisonment for up to 5 years, or both.
A corporation may be fined up to $2,000,000 per violation of the FCPA.
Provision 1: Anti-Bribery
This provision applies to any firm operating in the USA, whether domestic or foreign: to issuers
(listed companies), both US and foreign; to all US companies, whether or not they have overseas
business; and to any foreign company or person acting within the US.
9. Sarbanes Oxley Act (SOX)
The Sarbanes-Oxley Act (SOX) of 2002 was a response to numerous financial reporting scandals
involving large public companies. The act contains provisions that impose new responsibilities
on public companies and their auditors. The act applies to issuers of publicly traded securities
subject to federal securities laws.
Sections of the Sarbanes-Oxley Act (SOX) include:
Section 201: Non-Audit Services
Section 202: Independence of the Audit Committee, Financial Expert and Selection of Auditor
Section 203: Audit Partner Rotation
Section 302: Corporate Responsibility for Financial Reports
Section 404: Management Assessment of Internal Controls and External Auditor's Report
Section 202: Independence of the Audit Committee, Financial Expert and Selection of
Auditor
Each member of the audit committee must be an independent member of the issuer's board of
directors.
The audit committee should have at least one member who is a financial expert.
An independent director is not affiliated (linked) with the issuer and receives no compensation
from it other than for service on the board.
The audit committee must be directly responsible for appointing, compensating and overseeing
the work of the public accounting firm employed by the issuer.
The audit firm must report directly to the audit committee, not to executive management.
Section 404: Management Assessment of Internal Controls and External Auditor's Report
The annual report prepared by executive management must contain a report on the
company's internal control over financial reporting:
✓ A statement of management's responsibility for internal control
✓ Management's assessment of the effectiveness of internal control as of the end of the fiscal
year
✓ Identification of the framework used to evaluate the effectiveness of internal control (e.g.
COSO)
✓ A statement about whether significant changes in controls were made after their
evaluation, including any corrective actions.
The external auditor should issue 2 reports:
1) An opinion on the financial statements
2) An opinion on management's assessment of internal control. The auditor's report
must also describe any material weakness in internal control.
This evaluation is not the subject of a separate engagement but is performed in conjunction
with the audit of the financial statements.
Fraud Schemes
1) Misappropriation of Assets- committed mainly by employees and results in theft,
embezzlement or defalcation. This is mainly an internal problem.
13.2 Risk and Internal Control
1. Risk Management
Every organization faces risks: events that could obstruct the pursuit of its objectives. Risks
can be internal or external.
Risk Management is an ongoing process of identifying risks and of designing and operating internal
controls that mitigate the risks identified in the organization's assessment.
1) Risk Identification
This is the process in which management identifies all the risks facing the organization, without
excluding any, and classifies them.
2) Risk Assessment
Risk can be quantified as a combination of two factors,
➢ Severity of consequence (impact)
➢ Likelihood of occurrence (probability)
The expected value of a loss due to a risk exposure can then be stated numerically as the product
of the two factors: expected loss = impact x probability.
3) Risk Prioritization
The assessed risks are then prioritized to formulate an appropriate response. The board of directors
appoints an Enterprise Risk Management (ERM) Committee to review the risks identified and their
assessment.
4) Risk Response
This is the most crucial step. The risk response is considered an internal control (solution). Risk
responses include:
a. Risk Sharing/Transferring
b. Risk Mitigation
c. Risk Exploiting (investing)
d. Risk Acceptance
e. Risk Avoidance
All systems of internal control involve a trade-off between cost and benefit, which is what drives the choice of risk mitigation.
5) Risk Monitoring
The board of directors, the risk committee and the audit committee must follow up with management
to review the effectiveness of the risk responses.
2. Audit Risks
Audit Risk- is the risk that the auditor expresses an inappropriate opinion on financial
statements that are materially misstated.
Inherent Risk (IR) – is the susceptibility of the financial statements to material
misstatement in the absence of internal controls. It is the probability that an error
or an irregularity (fraud) will occur.
IR is also the susceptibility of one of the company's objectives to an obstacle arising
from the nature of the product/inventory (e.g. gold, a high-value and easily misappropriated item).
Detection Risk (DR) – also known as planned detection risk, is the risk that the audit
evidence will fail to detect misstatements exceeding the acceptable level of audit risk. It is the risk
the auditor is willing to accept that an error or fraud goes undetected by the audit procedures.
DR is also the risk that an obstacle to an objective will not be detected before the loss has actually
occurred.
3. Objectives of Internal Control
An organization establishes a system of internal control to help it manage many of the risks it
faces.
One of the main components of corporate governance is Internal Control. Internal control is
used in the business to address the risks that prevent the firm from achieving its objectives.
It is designed and implemented by executive management and evaluated by the internal and
external auditors.
Internal control is addressed in the Sarbanes-Oxley Act (SOX): the CEO and CFO must certify that
the internal control system is implemented (Section 302), and the external auditor must assess
the internal control system and give an opinion on it (Section 404).
The Foreign Corrupt Practices Act (FCPA) states that there must be an internal control system
and that executive management is responsible for maintaining it.
1) Operations- the board of directors sets the strategic objectives (long term), which are then
converted into operational objectives (short term) and passed along to executive management.
2) Reporting- this relates to decision making: stakeholders must have reliable, timely
and transparent financial statements.
Accurate, reliable, timely and transparent information, internal and external, also helps prevent fraud.
3) Compliance- with the laws, rules and regulations that apply to the firm.
An internal control system can provide only reasonable assurance (80%), not absolute assurance, of
achieving the operational, reporting and compliance objectives.
The cost of the internal control system must not exceed the benefits to be attained.
The overall impact of the control procedures should not hinder (delay) operational efficiency.
Internal control, even if properly designed and implemented, will not eliminate the
possibility of fraud, but it may prevent and detect it.
1) Board of Directors
To allow the board of directors to supervise executive management, the board must
have sub-committees, including:
• Audit Committee
• Risk Committee
• Compensation Committee
• Finance Committee
• Nomination/Governance Committee
2) Executive/Senior Management
Senior management is responsible for establishing and maintaining the organization's
system of internal control. The CEO also sets the tone at the top and must be a role
model. Firms reflect the ethical values and control attitude of the CEO.
4) Internal Auditors
The internal auditor also evaluates the adequacy and effectiveness of the internal control responses
to risks in the entity's oversight, operations and information systems.
5) External Auditors
According to SOX and the PCAOB standards, the external auditor must
issue 2 reports: one giving an opinion on the financial statements and the other on
management's assessment of internal control. The auditor must also describe any
material weaknesses in the internal control system. The evaluation must be performed in
conjunction (combination) with the audit of the financial statements.
6) Legislators and Regulators
Congress passed the FCPA and SOX, both of which set legal requirements regarding
internal control.
7) Other Parties
Customers, suppliers, financial analysts and the media can also highlight gaps in the
internal control system.
5. COSO Framework
COSO's Internal Control – Integrated Framework is widely accepted as the standard for the
design and operation of internal control systems.
The COSO framework's assumptions about internal control are:
➢ Its intended aim is to achieve 3 classes of objectives (Operational, Reporting and
Compliance)
➢ It is an ongoing process
➢ It is effected by people at all organizational levels (e.g. the board, management and all
employees)
➢ It is able to provide reasonable assurance (80%), but not absolute assurance, that objectives
will be achieved
➢ It is adaptable to the entity's structure (manufacturing and services)
1) Control Environment
The control environment reflects the attitude and actions of the board and management regarding
the significance of internal control within the organization.
The control environment is a set of standards, processes, and structure (by the board and
management) that reflects the system of internal control.
There are 5 principles:
➢ Integrity and Ethical Values- there must be a tone at the top (management leadership,
role modelling, openness and honesty). Establish a code of conduct/ethics. Evaluate the
performance of individuals and teams. Correct deviations in a timely and consistent
manner.
➢ Board Oversight- establish and exercise oversight responsibility over the internal control
designed by management, through a board charter, periodic meetings, and internal and external
reports. Operate independently and make decisions objectively.
➢ Organizational Structure and Authorities- have an appropriate organizational structure
and reporting line. The firm must also assign and limit responsibilities (Ex- delegation of
authorities)
2) Risk Assessments
The risk assessment process is the basis for determining how the risks should be managed.
The company's objectives should be clear so that the risks relating to them can be identified and assessed.
Management must focus carefully on the risks at all levels of the entity and take the necessary
actions to manage them.
Management should also consider the risk of fraud (the fraud triangle: opportunity, pressure and
rationalization). A good internal control system is likely to prevent fraud by a single employee but not
by a group of employees acting in collusion. The next step is to respond to the risk in one of the following ways:
a. Risk Sharing/Transferring
b. Risk Mitigation
c. Risk Exploiting (investing)
d. Risk Acceptance
e. Risk Avoidance
3) Control Activities
These are the policies and procedures that help ensure that management's directives and objectives are carried
out. They must be applied at the various levels of the entity and stages of its
processes. They may be preventive or detective, and include segregation of duties.
4) Information and Communication
The organization must use relevant, quality and timely information to support the functioning of the
internal control system. The organization communicates internally about objectives and
responsibilities. The organization communicates externally about matters that affect the
functioning of internal control.
5) Monitoring Activities
Monitoring is a process of assessing the quality of internal control performance over time to
ensure that controls continue to meet the needs of the organization.
The organization selects, develops, and performs ongoing and separate evaluations to determine
whether the components of internal controls are present and functioning.
The organization evaluates and communicates control deficiencies, and corrects them, in a timely manner.
7. Flowcharting
Flowcharting- is the representation of a process using pictorial symbols, and is useful in
understanding, evaluating and documenting internal control and system developments.
Flowcharts provide a visual of the various steps of a process from beginning to end. They assist
in identifying strengths and weaknesses in internal control.