Unit 13 Internal Controls- Corporate Governance

13.1 Corporate Governance and Regulations Related to Internal Control
Shareholders (Owners) establish the Article of Incorporation, a copy of which is given to the Securities and Exchange Commission (SEC).
Article of Incorporation includes:

• Company Name
• Number of Shares
• Shareholder’s rights
• BOD
• General Assembly
• Dividends
• Dissolution

The shareholders elect the BOD. If the BOD has 10 members, the majority of the members must be independent members (they have no shares or personal relations in the firm), which could be 6 members. The rest of the board members must be general members (who manage the firm), which could be 4 members.
The BOD establishes the Strategic Objectives, Values, Code of Ethics, and Performance
Accountabilities. DIRECTION (BOD)
The BOD appoints the Executive Managers (officers) CEO, CFO, COO, CPO, etc.
The BOD establishes the Bylaws and Policies to ensure that executive management is doing what is right. DIRECTION (BOD)
The firm must have Risk Management and Internal Control designed by the executive
management with the coordination of BOD.
The problem that arises is that the executive management may not pursue the correct objectives of the shareholders; this is called the Theory of Agency.
Fiduciary Duty (trust) is imposed on the executive management to ensure that they are running
the firm correctly. AUDITING (BOD)

The BOD appoints a Risk Committee and Audit Committee for monitoring and auditing the
actual performance.
The Audit Committee appoints an external auditor who reports back to the BOD.
The Audit Committee appoints an internal auditor whose job is to ensure that there is a system in the firm (corporate governance), that the risk management duty is performed, and that the internal control measures are in place.
The Government Regulators also audit the performance of the business and are considered a part of the corporate governance.
The General Assembly is the meeting where the shareholders confront the executive management; it is considered an audit tool over the management.
This system is called Corporate Governance. The reason it exists is to protect the shareholders' rights and to protect suppliers, employees, customers and society as a whole.

1. Corporate Governance

Governance- is the combination of people, policies, procedures and processes (including internal control) that help ensure that an entity effectively and efficiently directs its activities towards meeting the objectives and interests of its stakeholders.
Stakeholders are people or entities who are affected by the governance activities of the entity. They include shareholders, employees, suppliers, customers and the entire society.
Governance applies to the entire range of organizational activities, from the top down.
Corporate Governance can be internal or external:
➢ Internal- article of incorporation, corporate charters, bylaws, board of directors and
internal audit functions
➢ External- laws, regulations and external auditors
A corporation is a legal entity created under the authority of a state statute (Government
Regulators) to carry out the purpose permitted by that statute and the Article of Incorporation
(1st Governance Document)
Incorporation may be in any state. Article of Incorporation must be filed with the secretary of
state or another designated official.
The corporation is treated as a legal person with rights and obligations separate from those of its owners and managers.
Corporations are governed by shareholders (owners), who elect the board of directors and approve fundamental changes in the corporate structure (General Assembly).
Directors establish the corporate policies, adopt bylaws, and elect or appoint the officers (executive management) who carry out the policies in the day-to-day management of the organization (Theory of Agency >> Oversight and Internal Control).
Article of Incorporation includes (1st Governance Document):
✓ Corporation Name
✓ Number of authorized shares of stock
✓ Address of the organization
Bylaws govern the internal structure and operation of the corporation (2nd Governance Document); this is considered direction from the board of directors.

2. Corporate Governance Components
Governance has 2 major components:
1) Direction- determines the business model, overall objectives, approach to risk taking
(including risk appetite) and limits of organizational conduct

2) Oversight- the component with which internal audit is mainly concerned. It is also the component to which risk management and control activities are most likely to be applied.

3. Board of Directors
The board is the source of overall direction and the ultimate responsibility for oversight.
The board elects the company’s management and determines the expectations from the
management in terms of integrity and ethics.
The board has the authority in key decisions and plays the role of top-level strategic objective-setting and strategic planning.
The board has the responsibility to identify stakeholders, whether directly involved in the business (employees, customers, suppliers), indirectly involved (investors), or having influence over the business (regulators and competitors).
The board shall meet periodically (quarterly) to review and discuss the performance of
management. The board has to assess the performance of the management towards the
achievement of the strategic objectives.
The board is held accountable to shareholders and other stakeholders.
Since the board is responsible for assessing performance, it is important for the majority of the board to be independent of the company. An independent director has no material financial interest or personal ties in the company. So, an independent director is not an officer or employee of the company and thus is not active in the day-to-day activities.

4. Executive Management
Executive management reports and is accountable to the Board of Directors and must be completely separate from it.
They perform the day-to-day governance functions and operational activities.
They perform risk management practices (what the risks are, who will own the risks, how they will be managed).
Executive Management is responsible for designing and implementing the internal control
system.

5. Risk Committee
This committee is responsible for supporting the executive management in managing the
company risks. Its responsibilities include:
✓ Identifying risks
✓ Connecting risks to risk management and processes
✓ Delegating to risk owners

6. Audit Committee
Audit committee has the responsibility to oversee the audit activities and internal control system.
It should have a charter (agreement) describing duties and responsibilities. The audit committee
reports to the board of directors and shareholders directly.
Each member of the audit committee must be independent of the board of directors. The audit committee must have at least one member who is a financial expert. An independent director is not affiliated with the issuer and receives no extra compensation from it (other than for the main service on the board).
The audit committee must also review the financial statements prepared by management. The results must be reviewed with the executive management and the external auditor. Finally, the audit committee must also review the annual report submitted to the government regulators.
This committee must review the assessment of the effectiveness of risk management, control and governance processes made either by an external or an internal auditor. It must follow up and monitor the implementation of recommendations proposed by the internal and external auditors, and evaluate the executive management's performance and compensation.
The internal auditor appoints and meets regularly with the Chief Audit Executive (CAE), and also approves the internal audit activity and its planned activities.

7. External Auditor
The appointment and compensation of the external auditor are determined by the audit committee, and the external auditor reports to them. The external auditor shall review and audit the company's financial performance and provide a report with the results to the shareholders.
There are 4 Audit Approaches:
1) Substantive Procedures Approach (bottom-up)
Also called the vouching approach OR direct verification approach. This method is applied by testing large volumes of transactions and account balances without any particular focus on a specific area of the financial statements. This method is not risk based and views all controls equally.

2) Balance Sheet Approach
This method is focused on the balance sheet accounts, with only limited procedures being carried out on income statement or profit and loss accounts.

3) System Based Approach
This method requires the auditor to assess the effectiveness of the internal control system and then direct substantive procedures primarily to those areas where it is considered that system objectives will not be met. Reduced testing is appropriate for accounts that are likely to meet system objectives.

4) Risk Based Approach (top-down)
Audit procedures are directed towards areas where the financial statements might have been misstated (either by error or omission), based on the auditor's assessment, as a consequence of the risks faced by the business.

Audit Reports

1) Unqualified Opinion / Unmodified Opinion
Also called a clean opinion, this is an audit report issued when the auditor determines that the financial statements are free of any misrepresentations. An unqualified opinion indicates that the statements have been maintained in accordance with GAAP. This is the best type of report a business can receive.

2) Qualified Opinion
Issued in situations where the financial statements have not been maintained in accordance with GAAP, but no misrepresentations have been identified. The writing of a qualified opinion is similar to the unqualified opinion; however, it includes an additional paragraph that highlights the reason the report is not unqualified.
➢ The auditor has obtained sufficient and appropriate evidence, and the misstatements are material, but not pervasive (widespread).
➢ The auditor has not obtained sufficient and appropriate evidence, and the possible effects of undetected misstatements are material, but not pervasive (widespread).

3) Adverse Opinion
This is the worst type of financial report a business can receive. It indicates that the firm's financial statements do not conform to GAAP. The auditor has obtained sufficient evidence, but the misstatements are material and pervasive (widespread).

4) Disclaimer of Opinion
In some cases, the auditor is unable to complete an accurate audit report. This may occur, for example, when appropriate financial records are absent. It is issued when the scope of the audit is not sufficient to permit the formation of an opinion or when the auditor is not independent. The possible effects of undetected misstatements are material and pervasive (widespread).

8. Foreign Corrupt Practices Act (FCPA)
The FCPA was established in 1977 during the Watergate Investigation. This system is designed to prevent secret payments of corporate funds as bribes to government officials, politicians and foreign countries.
The FCPA contains 3 basic provisions:
1) Anti-Bribery
2) Internal Control System
3) Code of Ethics/Conduct
For each criminal violation of the FCPA, an individual can be fined up to $100,000 or imprisoned for 5 years, or both.
A corporation may be assessed a fine of up to $2,000,000 for violating the FCPA.

Provision 1: Anti-Bribery
This provision applies to any firm in the USA, whether domestic or foreign: issuers (listed companies) both US and foreign, all US companies (with or without an overseas business) and any foreign companies working in the US.

Provision 2: Internal Control System
Books and Records- issuers (listed companies) are required to make and keep books, records and accounts that properly reflect transactions and the disposition of assets.
Internal Control- all public companies (issuers = listed companies) registered under the 1934 Act must devise and maintain a sufficient system of accounting control.

Provision 3: Code of Ethics / Conduct
A written code of ethics is a necessity; it might include an explanation of the FCPA and its penalties. This code should be communicated, and compliance with it monitored by the internal auditor. A firm may require written representations from employees that they have read and understood the provisions of the code.

9. Sarbanes Oxley Act (SOX)
The Sarbanes Oxley Act (SOX) of 2002 was a response to numerous financial reporting scandals
involving large public companies. The act contains provisions that impose new responsibilities
on public companies and their auditors. The act applies to issuers of publicly traded securities
subject to federal securities laws.
Sections in the Sarbanes Oxley Act (SOX) include:
Section 201: Non-Audit Services
Section 202: Independency of the Audit Committee, Financial Expert and selection of Auditor
Section 203: Audit Partner Rotation
Section 302: Corporate Responsibility for Financial Reports
Section 404: Management Assessment of Internal Controls and External Auditor's Report

Section 201: Non-Audit Services
The registered public accounting firm (external auditor) may perform the following services for the issuer (listed companies):
1) Audit Services
2) Tax Services (only if approved in advance by the audit committee)

The registered public accounting firm (external auditor) MUST NOT perform the following non-audit services for the issuer (listed companies):
1) Bookkeeping or accounting records
2) Financial information system design and implementation
3) Appraisal or valuation services (e.g. valuation of inventory)
4) Actuarial services (e.g. valuation of insurance)
5) Internal audit services
6) Management functions or human resources
7) Broker or dealer, investment advisor
8) Legal services and expert services

Section 202: Independence of the Audit Committee, Financial Expert and Selection of Auditor
Each member of the audit committee must be an independent member of the issuer's board of directors.
The audit committee should have at least one member who is a financial expert.
An independent director is not affiliated (linked) with the issuer and receives no compensation from it (other than for the service on the board).
The audit committee must be directly responsible for appointing, compensating and overseeing
the working of the public accounting firm employed by the issuer.
The audit firm must report directly to the audit committee, not to the executive management.

Section 203: Audit Partner Rotation
The act requires that the lead auditor and the reviewing partner must be rotated off the audit, so that the same individual is not supervising a client's audit for an extended period of time.
The lead audit partner cannot perform audit services for more than 5 consecutive fiscal years of the audit client.

Section 302: Corporate Responsibility for Financial Reports

Section 404: Management Assessment of Internal Controls and External Auditor's Report
The Sarbanes Oxley Act (SOX) requires:
✓ Periodic statutory financial reports to include certain certifications.
✓ Management to be responsible for establishing and documenting internal control procedures.

The annual report prepared by the executive management must contain a report on the company's internal control over financial reporting:
✓ A statement of management's responsibility for internal control
✓ Management's assessment of the effectiveness of internal control as of the end of the fiscal year
✓ Identification of the framework used to evaluate the effectiveness of internal control (e.g. COSO)
✓ A statement about whether significant changes in controls were made after their evaluation, including any corrective actions.

The external auditor should issue 2 reports:
1) Opinion on the financial statements
2) Opinion on management's assessment of the internal control. The auditor's report must also describe any material weakness in internal control.
The evaluation is not to be the subject of a separate engagement but is done in conjunction with the audit of the financial statements.

10. Public Company Accounting Oversight Board (PCAOB)
Standard No. 5 is principle-based. It is designed to increase the likelihood that material weaknesses in internal control will be found before they result in a misstatement of a company's financial statements, and at the same time to eliminate unnecessary procedures.
The final standard also focuses the auditor on the procedures necessary to perform a high-quality audit tailored to the company's facts and circumstances. The new standard is more risk-based and scalable, which is better in meeting the needs of investors and public companies.

11. Fraud VS Error

Fraud- any intentional act or omission designed to deceive others, resulting in the victim suffering a loss or the perpetrator (criminal) achieving a gain, or both.

Error- an act involving an unintentional deviation from truth or accuracy.

Fraud Schemes
1) Misappropriation of Assets- committed mainly by employees and results in theft, embezzlement or defalcation. This is mainly an internal problem.

2) Fraudulent Financial Statements- committed mainly by management to deceive through the financial statements. This is mainly an external problem and it is the focus of the external auditor and regulatory bodies.

13.2 Risk and Internal Control
1. Risk Management
Every organization faces risks that are unforeseen obstacles to the pursuit of its objectives. Risks
can be internal or external.

Risk Management is an ongoing process of designing and operating internal controls that
mitigate the risks identified in the organization’s assessment.

The risk management process includes:
1) Risk Identification
2) Risk Assessment
3) Risk Prioritization
4) Risk Response
5) Risk Monitoring

1) Risk Identification
It is the process where management identifies the risks facing the organization, without excluding any risks, and classifies them.

2) Risk Assessment
Risk can be quantified as a combination of two factors:
➢ Severity of consequence (impact)
➢ Likelihood of occurrence (probability)
The expected value of a loss due to a risk exposure can then be stated numerically as the product of the two factors.

3) Risk Prioritization
The assessed risks are then prioritized to formulate appropriate responses. The board of directors appoints an Enterprise Risk Management (ERM) Committee to review the risks identified and their assessment.

4) Risk Response
This is the most crucial step. The risk response is considered an internal control (solution). Risk
responses include:
a. Risk Sharing/Transferring
b. Risk Mitigation
c. Risk Exploiting (investing)
d. Risk Acceptance
e. Risk Avoidance

All systems of internal control involve tradeoffs between costs and benefits (Risk Mitigation).

5) Risk Monitoring
The board of directors, risk committee and audit committee must follow up with the management to review the effectiveness of the risk responses.
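As an added worked example (not part of these notes), the five steps above applied in Python to a small constructed risk register: expected loss = impact × likelihood (Step 2), ranking by expected loss (Step 3), a response rule that applies the cost/benefit trade-off and the five responses listed on the page (Step 4), and the residual exposure that monitoring compares against the risk appetite (Step 5). The register values, the risk appetite, the catastrophic threshold and the decision rules are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    impact: float         # severity of consequence, in currency units (constructed)
    likelihood: float     # probability of occurrence in the period, 0..1
    upside: bool = False  # an opportunity the firm may choose to exploit (invest in)

    def expected_loss(self) -> float:
        """Step 2, Risk Assessment: expected value = impact x likelihood.
        For an opportunity (upside=True) the same product is the expected gain."""
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"likelihood must be a probability: {self.likelihood!r}")
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Control:
    """A candidate internal control, the 'solution' chosen in Step 4 (assumed shape)."""
    cost: float       # cost of operating the control for the period
    reduction: float  # fraction of expected loss the control removes, 0..1


def prioritize(register):
    """Step 3, Risk Prioritization: highest expected value first."""
    return sorted(register, key=lambda r: r.expected_loss(), reverse=True)


def choose_response(risk, appetite, control=None, catastrophic=None):
    """Step 4, Risk Response. Decision rules are assumptions for illustration:
    opportunities are exploited; losses within the risk appetite are accepted;
    a control is adopted (mitigate) only when its benefit exceeds its cost, the
    cost/benefit trade-off the notes mention; otherwise a catastrophic exposure
    is avoided and anything else is transferred (e.g. insured)."""
    if risk.upside:
        return "exploit"
    el = risk.expected_loss()
    if el <= appetite:
        return "accept"
    if control is not None and el * control.reduction > control.cost:
        return "mitigate"
    if catastrophic is not None and risk.impact >= catastrophic:
        return "avoid"
    return "transfer"


def residual_exposure(risk, response, control=None):
    """Step 5, Risk Monitoring: the expected loss left after the response,
    which the board and committees compare against the appetite over time."""
    el = risk.expected_loss()
    if response in ("avoid", "transfer", "exploit"):
        return 0.0
    if response == "mitigate":
        return el * (1.0 - control.reduction)
    return el  # accepted as is


# Constructed register for a small firm (sample values, not from the notes).
REGISTER = [
    Risk("warehouse fire", impact=2_000_000, likelihood=0.01),
    Risk("payroll data entry error", impact=5_000, likelihood=0.30),
    Risk("key supplier insolvency", impact=400_000, likelihood=0.10),
    Risk("new export market", impact=250_000, likelihood=0.40, upside=True),
]
APPETITE = 10_000          # expected loss the board is willing to carry (assumed)
CATASTROPHIC = 1_000_000   # impact above which the firm avoids rather than insures (assumed)
CONTROLS = {               # candidate controls, keyed by risk name (assumed)
    "key supplier insolvency": Control(cost=12_000, reduction=0.6),
    "payroll data entry error": Control(cost=500, reduction=0.9),
}


def run_process(register=REGISTER):
    """Steps 1-5 over the register; returns (name, expected loss, response, residual) rows."""
    rows = []
    for r in prioritize(register):  # Step 1 is the register itself
        c = CONTROLS.get(r.name)
        resp = choose_response(r, APPETITE, c, CATASTROPHIC)
        rows.append((r.name, r.expected_loss(), resp, residual_exposure(r, resp, c)))
    return rows


if __name__ == "__main__":
    for name, el, resp, residual in run_process():
        print(f"{name:26s} EL={el:>10,.0f}  response={resp:9s} residual={residual:,.0f}")
```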

2. Audit Risks
Audit Risk- is the risk that an auditor may express the wrong opinion on financial statements that are misstated in material amounts.
Inherent Risk (IR) – is the susceptibility of financial statements to being materially misstated when there are no internal controls. It is the probability that an error OR irregularity (fraud) will occur.
IR also covers the susceptibility of one of the company's objectives to risk arising from the nature of the product/inventory (e.g. gold).

Control Risk (CR) – is the likelihood that misstatements exceeding the acceptable level will not be prevented OR detected by the firm's internal controls. It is the probability of control failure.
CR is the risk that the controls put in place will fail to prevent an obstacle from hindering the achievement of the objective.

Detection Risk (DR) – also known as planned detection risk, is the measure of the risk that audit evidence will fail to detect misstatements exceeding an acceptable audit risk. It is the risk that the auditor is willing to take that an error OR fraud goes undetected by audit procedures.
DR is the risk that an obstacle to an objective will not be detected before the loss has actually occurred.

Audit Risk = Inherent Risk × Control Risk × Detection Risk

3. Objectives of Internal Control
An organization establishes a system of internal control to help it manage many of the risks it
faces.
One of the main components of corporate governance is Internal Control. Internal controls are used in the business to help face the risks that restrict the firm from achieving its objectives. They are designed and implemented by the executive management and supervised by the internal and external auditors.
Internal control is mentioned in the Sarbanes Oxley Act (SOX). The CEO and CFO must sign a statement indicating that the internal control system is being implemented. The external auditor must assess the internal control system and express his opinion on it.
The Foreign Corrupt Practices Act (FCPA) stated that there should be an internal control system and that the executive management is responsible for maintaining it.

The board of directors set the strategic objectives (long term) which are then converted to
operational objectives (short term) and then passed along to the executive management.

There are 3 main objectives:
1) Operational- this relates to the entity achieving its mission: improve performance, productivity, quality, innovation, customer satisfaction, efficiency and effectiveness, and safeguard assets; eliminate waste, inefficiency, spoilage and bad decisions.

2) Reporting- this relates to decision making; stakeholders must have reliable, timely and transparent financial statements: accurate, reliable, timely and transparent information, and prevention of fraud, internal and external.

3) Compliance- the laws, rules and regulations that are set for the firm.

An internal control system is more likely to provide reasonable assurance (80%) of achieving operational, reporting and compliance objectives.
The cost of the internal control system must not exceed the benefits to be attained.
The overall impact of the control procedures should not hinder (delay) operational efficiency.
Internal control, even if properly designed and implemented, will not eliminate the probability of fraud reoccurring, but it may prevent and detect it.

4. Roles and Responsibilities
There are several parties involved in internal control; they include:
1) Board of Directors
The entity's commitment and ethical values are reflected in the selection of the CEO and other officers. The board should oversee the internal control designed and implemented by the executive management. In order for internal control to be effective, the board should be objective, have knowledge of the firm's industry and be willing to ask relevant questions about management decisions.

To allow the board of directors to supervise the executive management, the board must have sub-committees, which include:
• Audit Committee
• Risk Committee
• Compensation Committee
• Finance Committee
• Nomination/Governance Committee

2) Executive/Senior Management
Senior management is responsible for establishing and maintaining the organization's system of internal control. The CEO also establishes the tone at the top and must be a role model. Firms reflect the ethical values and control of the CEO.

3) Other Entity Personnel
Employees have a role to play in internal control and are expected to perform the appropriate control activities. All employees should understand that they are expected to inform higher managers in the organization of poor controls or issues in the system.

4) Internal Auditors
The internal auditor also evaluates the adequacy and effectiveness of the internal control response to risks in the entity's oversight, operations and information systems.

5) External Auditors
According to SOX and PCAOB standards, the external auditor should issue 2 reports: a report with the opinion on the financial statements and another on management's assessment of the internal control. The auditor must also describe any material weaknesses in the internal control system. The evaluation must be in conjunction (combination) with the audit of the financial statements.

6) Legislators and Regulators
Congress passed the FCPA and SOX, both of which set legal requirements regarding internal control.

7) Other Parties
Customers, suppliers, financial analysts and the media can also highlight gaps in the internal control system.

5. COSO Framework
COSO Internal Control is an integrated framework that is widely accepted as the standard for the design and operation of internal control systems.
The COSO framework assumptions for internal control are:
➢ The intended aim is to achieve 3 classes of objectives (Operational, Reporting and Compliance)
➢ It is an ongoing process
➢ It is effected by people at all organizational levels (e.g. board, management and all employees)
➢ It is able to provide reasonable assurance (80%), but not absolute assurance, that objectives will be achieved
➢ It is adaptable to the entity's structure (manufacturing and services)

In order to implement COSO, there are 5 components:
1) Control Activities
2) Risk Assessment
3) Information and Communication
4) Monitoring
5) Control Environment

1) Control Environment
The control environment reflects the attitude and actions of the board and management regarding
the significance of internal control within the organization.
The control environment is a set of standards, processes, and structures (set by the board and management) that reflects the system of internal control.
There are 5 principles:
➢ Integrity and Ethical Values- there must be a tone at the top (management leadership, role model, openness, and honesty). This involves establishing a code of conduct/ethics, evaluating the performance of individuals and teams, and correcting deviations in a timely and consistent manner.

➢ Board Oversight- establish and provide oversight responsibility over the internal control designed by management, by means of a board charter, periodic meetings, and internal and external reports. Operate independently and make decisions objectively.

➢ Organizational Structure and Authorities- have an appropriate organizational structure and reporting lines. The firm must also assign and limit responsibilities (e.g. delegation of authorities).

➢ Commitment to Competence- develop and implement policies and procedures. The board and management must evaluate competence and address deviations. The organization must also attract, develop, and retain people of integrity. Employees must also have ongoing training and mentoring. Senior managers and the board should plan and prepare for succession.

➢ Accountability of Individuals- enforce accountability through structures, authorities, and responsibilities. Establish performance measures, rewards, and incentives.

2) Risk Assessment
The risk assessment process is the basis for determining how the risks should be managed. The company's objectives should be clear in order to identify and assess the risks relating to them. Management must focus carefully on the risks at all levels of the entity and take the necessary actions to manage them.
Management should also consider the risk of fraud (opportunity, pressure and rationalization). A good internal control system is more likely to prevent fraud by a single employee but not by a group of employees in collusion. The next step is to respond to the risk by one of the following:
a. Risk Sharing/Transferring
b. Risk Mitigation
c. Risk Exploiting (investing)
d. Risk Acceptance
e. Risk Avoidance

3) Control Activities
These policies and procedures help ensure that management directives and objectives are carried out. The internal control system must be applied at various levels of the entity and stages of the processes. Control activities may be preventive, detective, or based on segregation of duties.

4) Information and Communication
The organization must use relevant, quality, and timely information to support the functioning of the internal control system. The organization communicates internally about objectives and responsibilities, and externally about matters that affect the functioning of internal control.

5) Monitoring Activities
Monitoring is a process of assessing the quality of internal control performance over time to
ensure that controls continue to meet the needs of the organization.
The organization selects, develops, and performs ongoing and separate evaluations to determine
whether the components of internal controls are present and functioning.
The organization evaluates, communicates, and controls deficiencies in a timely manner.

6. Public Company Accounting Oversight Board (PCAOB)
The PCAOB is a non-profit organization created after the Sarbanes Oxley Act (SOX) to oversee the audits of public companies and protect the interests of investors.
The PCAOB issued its Auditing Standard No. 5, which requires the external auditor to express an opinion on the financial statements and on the internal control system.

7. Flowcharting
Flowcharting- is the representation of a process using pictorial symbols and is useful in understanding, evaluating, and documenting internal control and system developments.
Flowcharts provide a visual of the various steps of a process from beginning to end. They assist with identifying strengths and weaknesses in the internal control.

Vertical flowcharts present successive steps in top-to-bottom format.

Horizontal flowcharts (system flowcharts) represent areas, departments OR functions as vertical columns.
