CPA review BEC Module 40 Corporate Governance, Internal Control, and Enterprise Management.

Presentation transcript:

CPA review BEC Module 40 Corporate Governance, Internal Control, and Enterprise Management

2 Uniform CPA Examination Passing Rates
Section | Third quarter | Fourth quarter | Cumulative
AUD | 47.41% | 42.06% | 46.35%
BEC | 57.90% | 51.95% | 55.46%
FAR | 51.14% | 45.96% | 47.60%
REG | 52.21% | 44.49% | 49.41%

3 BEC Passing Rates

4 CPA Exam Pass Rate 2014 vs Prior Years

5 Test Tips
- Flash cards, especially for Information Technology
- Work multiple choice again and again and again
- Brush up on your writing skills
- Tackle the different topics one by one

6 What Does the BEC Exam Cover?
- 16-20% Corporate Governance
- 16-20% Economics
- 19-23% Finance
- 15-19% Information Systems and Communications
- 10-14% Strategic Planning
- 12-16% Operations Management

7 Writing Tip
Dear [Name here]:
Intro: I am writing to you today to [advise/consult/inform/other verb] you [on or about] [topic here].
Paragraph 1: Talk about pros of the topic
Paragraph 2: Talk about cons of the topic
Paragraph 3: Summarize effect
Closing: Thank you for taking the time to read my advice/consultation on [topic]. I hope that you will take these thoughts into consideration when...
Sincerely,
Your Name Here

8 Corporate Governance
- Agency problem: the owners of a business (principals) need means to ensure that those whom they appoint to run the business (agents) do so in a way that matches with shareholders’ needs
- Agency problem has been broadened out into the concept of corporate governance

9 Corporate Governance Regimes
- Governance regimes are heavily influenced by the institutional environment
- Stakeholder model (Continental Europe) versus shareholder model (Anglo-Saxon environment) of corporate governance
- Tendency towards convergence on the issue of effectiveness and accountability of corporate boards

10 Board of Directors
- Regular meetings
- Active participation
- Freedom to include items in agenda
- Sufficient notice for board meetings
- Access to advice and services of company secretary and independent professional advice
- Full record of board/committee minutes, available for inspection
- Independent non-executive directors should be present at board meetings to discuss matters involving conflict of interest
- Abstain from voting if conflict of interest exists
- Insurance coverage for legal action against directors

11 Board Composition
- Balance of skills and experiences
- Balanced composition of executive and non-executive directors
- Non-executive directors should be of sufficient calibre
- Independent non-executive directors should be expressly identified
- List of directors updated and their respective role and function identified

12 Responsibilities of Directors
- Keep abreast of the responsibilities as a director
- Exercise duties of care, skill, integrity and diligence expected
- Ensure proper understanding of the operation, business and the regulatory requirement
- Contribute sufficient time and resources to serve the corporate
- Attend AGMs to share the views of shareholders

13 Chairman and CEO
- Segregation of the management of the board and the day-to-day management of the corporate’s business
- Balance of power at board level to avoid concentration of power in a single individual
- Separation of Chairman and CEO
- Division of responsibilities between Chairman and CEO clearly laid down in writing

14 Independent Directors
- Independent directors are non-executive directors who attend board meetings on a regular basis and monitor corporate behaviour
- A (unitary) board should include a significant portion of independent directors
- In a dual-board system, the supervisory board exercises oversight over what executive directors in the management board are doing

15 Remuneration of Directors and Senior Management
- Transparency of directors’ remuneration policy
- Remuneration should be sufficient but not excessive
- No director should be involved in deciding his/her own remuneration

16 Audit Independence
- The value of an audit depends partly upon the technical skills of the auditor and partly upon his independence and ethical qualities
- Independence issues:
  o Restrictions on the type of non-audit services that an auditor is allowed to provide to audit clients
  o Employment of former audit firm employees by the audit client
  o Periodic audit partner rotation
  o Limits to the audit appointment

17 Audit Committee
- Independence is an essential quality for audit committee members
- The audit committee should provide a quasi-independent forum where those concerned with checking the effectiveness and quality of the company’s accounting and control should be able to meet and discuss with shareholder representatives (independent directors) and raise issues of concern

18 Audit Committee Roles
- Oversee the financial reporting process
- Monitor the effectiveness of the system of internal control (and possibly of the enterprise risk management system)
- Act as an intermediary between the board of directors and the external auditors (and possibly internal auditors as well)

19 Reporting on Internal Control
- An effective system of internal control is seen as crucial for good governance
- Reporting on the effectiveness of internal control as a governance requirement
- COSO Framework is considered to offer an established set of control criteria to assess the effectiveness of internal control
- US Sarbanes-Oxley Act of 2002

20 US Sarbanes-Oxley Act
Important aspects of SOX include:
- Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession
- New rules for auditors
- New rules for audit committees
- New rules for management
- New internal control requirements

21 US Sarbanes-Oxley Act
- Each annual report filed with the SEC has to include an internal control report
  o Management’s responsibility for establishing adequate internal control over financial reporting
  o Management’s assessment of its effectiveness
- The independent auditors must attest to and report on the assessments made by company management

22 Control Frameworks
COSO’s internal control framework
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
- The American Accounting Association
- The AICPA
- The Institute of Internal Auditors
- The Institute of Management Accountants
- The Financial Executives Institute

23 Control Frameworks
In 1992, COSO issued the Internal Control Integrated Framework:
- Defines internal controls.
- Provides guidance for evaluating and enhancing internal control systems.
- Widely accepted as the authority on internal controls.
- Incorporated into policies, rules, and regulations used to control business activities.

24 Control Frameworks
COSO’s internal control model has five crucial components:
- Control environment
- Control activities
- Risk assessment
- Information and communication
- Monitoring

25 Control Frameworks
Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process.
Result: Enterprise Risk Management Integrated Framework (ERM)
- An enhanced corporate governance document.
- Expands on elements of preceding framework.
- Provides a focus on the broader subject of enterprise risk management.

26 Enterprise Risk Management - Definition
“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO, Enterprise Risk Management – Integrated Framework

27 Enterprise Risk Management
- COSO sees internal control as a subset of risk management
- Other risk management devices include transferring risk to third parties, risk-sharing, contingency planning and consciously excluding activities deemed too risky
- Risk disclosure requirements may empower shareholders to use disclosures to bring companies to adopt more elaborate risk management standards

28 Control Frameworks
Basic principles behind ERM:
- Companies are formed to create value for owners.
- Management must decide how much uncertainty they will accept.
- Uncertainty can result in:
  o Risk
  o Opportunity

29 Control Frameworks
These issues led to COSO’s development of the ERM framework.
- Takes a risk-based, rather than controls-based, approach to the organization.
- Oriented toward future and constant change.
- Incorporates rather than replaces COSO’s internal control framework and contains three additional elements:
  o Setting objectives.
  o Identifying positive and negative events that may affect the company’s ability to implement strategy and achieve objectives.
  o Developing a response to assessed risk.

30 Control Frameworks
Columns at the top represent the four types of objectives that management must meet to achieve company goals.
- Strategic objectives
- Operations objectives
- Reporting objectives
- Compliance objectives

31 Control Frameworks
Columns on the right represent the company’s units:
- Entire company
- Division
- Business unit
- Subsidiary

32 Internal Environment
- The most critical component of the ERM and the internal control framework.
- Is the foundation on which the other seven components rest.
- Influences how organizations:
  o Establish strategies and objectives
  o Structure business activities
  o Identify, assess, and respond to risk
- A deficient internal control environment often results in risk management and control breakdowns.

33 Objective Setting Objective setting is the second ERM component. It must precede many of the other six components. For example, you must set objectives before you can define events that affect your ability to achieve objectives

34 Event Identification
Events are:
- Incidents or occurrences that emanate from internal or external sources.
- That affect implementation of strategy or achievement of objectives.
- Impact can be positive, negative, or both.
- Events can range from obvious to obscure.
- Effects can range from inconsequential to highly significant.

35 Risk Assessment and Risk Response
The fourth and fifth components of COSO’s ERM model are risk assessment and risk response.
COSO indicates there are two types of risk:
- Inherent risk
- Residual risk

36 Risk Assessment and Risk Response
The benefits of an internal control procedure must exceed its costs.
Benefits can be hard to quantify, but include:
- Increased sales and productivity
- Reduced losses
- Better integration with customers and suppliers
- Increased customer loyalty
- Competitive advantages
- Lower insurance premiums
Flowchart shown on this and the following slides:
1. Identify the events or threats that confront the company
2. Estimate the likelihood or probability of each event occurring
3. Estimate the impact of potential loss from each threat
4. Identify set of controls to guard against threat
5. Estimate costs and benefits from instituting controls
6. Is it cost-beneficial to protect system?
   Yes: Reduce risk by implementing set of controls to guard against threat
   No: Avoid, share, or accept risk

37 Risk Assessment and Risk Response
Costs are usually easier to measure than benefits.
Primary cost is personnel, including:
- Time to perform control procedures
- Costs of hiring additional employees to effectively segregate duties
- Costs of programming controls into a system

38 Risk Assessment and Risk Response
Other costs of a poor control system include:
- Lost sales
- Lower productivity
- Drop in stock price if security problems arise
- Shareholder or regulator lawsuits
- Fines and penalties imposed by governmental agencies

39 Risk Assessment and Risk Response
The expected loss related to a risk is measured as:
Expected loss = impact x likelihood
The value of a control procedure is the difference between:
- Expected loss with control procedure
- Expected loss without it

40 Risk Assessment and Risk Response
- Risks that are not reduced must be accepted, shared, or avoided.
- If the risk is within the company’s risk tolerance, they will typically accept the risk.
- A reduce or share response is used to bring residual risk into an acceptable risk tolerance range.
- An avoid response is typically only used when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.

41 Control Activities The sixth component of COSO’s ERM model. Control activities are policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and their risk responses are carried out.

42 Information and Communication
The seventh component of COSO’s ERM model.
The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization.
So accountants must understand how:
- Transactions are initiated
- Data are captured in or converted to machine-readable form
- Computer files are accessed and updated
- Data are processed
- Information is reported to internal and external parties

43 Monitoring
Key methods of monitoring performance include:
- Perform ERM evaluation
- Implement effective supervision
- Use responsibility accounting
- Monitor system activities
- Track purchased software
- Conduct periodic audits
- Employ a computer security officer, a Chief Compliance Officer, and computer consultants
- Engage forensic specialists
- Install fraud detection software
- Implement a fraud hotline