CFE Exam Quiz 62

The OECD Principles of Corporate Governance is regarded as one of the hallmark sources of guidance for corporate governance practices for organizations throughout the world. According to the OECD, the Principles “are intended to help policymakers evaluate and improve the legal, regulatory, and institutional framework for corporate governance intending to supporting economic efficiency, sustainable growth, and financial stability.” Indeed, policy makers in many countries have used these Principles as a basis for legislative and regulatory corporate governance initiatives

It is to be noted that the National Commission on Fraudulent Financial Reporting, more commonly known as the Treadway Commission, was created in the United States in 1985 to describe the duty of the auditor to prevent and detect fraud.
The following four recommendations are given by the Treadway Commission which, along with other measures, were intended to reduce the possibility of fraud in financial reports. These recommendations will be presented to the audit committee of the board of directors.
Mandatory independent audit committee—The board of directors oversees management’s conduct. The Treadway Commission recommended that each board of directors has an audit committee composed of outside directors.
Written charter—The Treadway Commission also suggested that companies develop a written charter setting forth the audit committee’s duties and responsibilities. The board of directors should periodically review, modify, and approve this written charter.
Resources and authority—According to the Treadway Commission, the existence of an audit committee and a written charter is not enough. The committee also must have adequate resources and authority to carry out its responsibilities.
Informed, vigilant, and effective audit committee members—The audit committee should be composed of members who are informed, vigilant, and effective.

The actions of an employee are generally considered in the context and nature of employment if the employee has real authority or apparent authority to participate in such activities. Apparent authority means that a third party may reasonably believe that the employee is entitled to act on the company’s behalf.

The emerging legal principle of conscious avoidance allows the government to prove that the employer was aware of a particular fact that creates liability by demonstrating that the employer knew that the fact existed was highly likely and deliberately avoided confirming the reality. Employers certainly can not pretend not to notice when there is reason to believe criminal behavior.

Management must ensure that adequate internal controls are in place to prevent and detect fraud. Though management may not enforce all controls, the quality of internal control functions is typically distributed among individuals throughout the enterprise, including individual contributors, management, and even the board of directors. Management is also responsible for monitoring and remediating internal controls to ensure that fraud prevention and detection is effectively designed and operated.

The National Commission on Fraudulent Financial Reporting (commonly known as the Treadway Commission) was set up in 1985 to define the auditor’s responsibility to prevent and detect fraud. The Treadway Commission proposed in 1987 that the five professional accounting associations funding the commission work together to guide the internal controls of organizations. The Sponsoring Organizations Committee (COSO) was formed to review the recommendation of the Treadway Commission and COSO released its Internal Control-Integrated System in 1992.

As stated in this description, internal controls should be designed to assist management in achieving the following three categories of objectives one of which is
Objectives of operations relating to the efficiency and effectiveness of operations of the company.

As noted in this definition, internal controls should be designed to assist management in meeting the following three categories of objectives. The one that pertains to the organization’s adherence to the laws and the regulations to which it is subject is the compliance objective.

The Framework defines five interrelated elements of internal control to achieve these objectives: control climate, risk assessment, control operations, information and communication, and monitoring.

The control environment provides the foundation for the internal control system throughout the entire organization. Established by managers and senior managers, it sets an organization’s morale and ethical tone, emphasizing the value of internal controls and expected standards of conduct.
COSO lays out five concepts for designing and implementing an effective control environment:
1. A dedication to honesty and ethical values is displayed by staff at all grades.
2. The board of directors is independent from management and oversees the development and performance of internal control.
3. Management establishes structures, reporting lines, and appropriate authorities and responsibilities with board oversight in pursuing organizational goals.
4. The company is committed to recruiting, developing and retaining competent people by priorities.

Risk is defined as the possibility of an event taking place and adversely affecting the achievement of goals. “Risk assessment involves identifying and assessing the risks faced by the entity in achieving its organizational goals. This method is complex and iterative and forms the basis on which to decide how to handle risks.
According to COSO, risk assessment involves the following principles: 1. The organization sets sufficiently clear objectives to enable the identification and assessment of risks relating to the objectives. 2. The organization identifies risks to the achievement of its objectives across the entity and analyzes these risks as a basis for determining how the risks should be managed. 3. The organization considers the potential for fraud in assessing risks to the achievement of objectives. 4. The organization identifies and assesses changes that could significantly impact the system of internal control.
The company chooses and establishes general innovation management programs to facilitate the achievement of goals is the management for control activities.

Monitoring is the mechanism that measures a monitoring system’s effectiveness over time. This aspect should include both ongoing, automated assessments and periodic separate assessments, the findings of which should be assessed against predefined criteria. The framework principles that support this component are as follows: 1. The company chooses, establishes, and performs ongoing and/or similar evaluations to decide whether the internal control mechanisms are present and functioning. 2. The company assesses and communicates internal control failures to the parties responsible for taking corrective action promptly.

When designing such a program, each organization should consider other factors:
A determination that the program is successful is adversely affected by the failure of an organization to implement or follow industry practices or standards required by any relevant government regulation.
Large organizations are expected to spend more formal operations and more resources than small organizations to meet the requirements. For example, smaller organizations may use available staff to carry out ethics and compliance rather than employing separate staff.
The recurrence of a similar event creates doubt as to whether the organization took reasonable steps to meet the requirements

It is to be noted that the high-level staff shall ensure that the company has an active compliance and ethics program and that ultimate responsibility for the compliance and ethics program is delegated to specific individuals within the organization.

The organization shall take reasonable steps to communicate its standards and procedures and other aspects of the compliance and ethics program to the individuals referred to in subparagraph (b) below by conducting effective training programs and otherwise disseminating information appropriate to the respective roles and responsibilities of such individuals on a regular and practical basis.
The individuals referred to in subpart (a) above are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.

High-level managers are also required to ensure that the organization has an effective program and that the overall responsibility for the program is delegated to specific individuals within this community. High-level personnel are those who have “substantial control over the organization or who have a substantial role in the making of policy within the organization.” Specific examples of high-level personnel include:
I: Directors
II: Executive officers
III: Individuals in charge of major business or functional units of the organization
IV: Individuals with substantial ownership interests in the organization

If a board of directors exists, such as in a public company, the board must be knowledgeable about the content and operation of the compliance program and oversee its implementation.
There are four principal benefits to this practice:
The involvement of the board of directors provides a sense of authority to the compliance program. It identifies the program as a matter of company policy.
The involvement of a board committee provides oversight to the operation of the program by personnel who are not involved in the program’s day-to-day operation.
Efforts to implement an effective compliance program can be documented in the committee’s meeting minutes. This documentation can prove useful if the company ever has to defend its actions and seek mitigation of a criminal fine.
The involvement of those board members who are on the audit committee will help ensure that the board is knowledgeable about the content and operation of the compliance program.

Employees should be trained to understand the ethical standards of the company. They should also be trained to identify and know how to avoid potentially harmful situations. This training should be tailored to the nature of the business of the organization, taking into account its external and internal risks. Training should also include a review of statutes and regulations that are particularly applicable to the organization. Most importantly, it should not be a one-time program. It is insufficient to simply distribute a copy of the company’s compliance policy at the start of an employee’s tenure.

It is to be noted that the organization’s efforts should be documented so that it can prove that it made every effort to enforce compliance. For every allegation of an offense, the company should maintain:
I: An account of the alleged offense
II: A description of the steps taken to investigate the allegation
III: A description of the actions taken by the organization in response to the violation
Additionally, in many jurisdictions, there is also a secondary purpose: to mitigate potential fines for criminal conduct by showing that the organization is dedicated to preventing illegal activity.

Organizations also need to regularly assess the risk of criminal behavior and appropriately adjust their conduct and their enforcement and ethics system. In doing so, the company must determine the following:
The extent and severity of the criminal behavior that could occur
The probability that some criminal behavior will occur due to the nature of the operation of the organization
The prior history of the organization, which might indicate the types of criminal conduct that the company should be trying to prevent

An effective information retention policy requires an organization
(1) to formulate retention policies before a lawsuit or official investigation is foreseen;
(2) to create, update and/or modify policy in compliance with relevant laws and regulations;
(3) to ensure that the policy is fair following the business practices of the company;
(4) to provide a concise explanation of what is to be destroyed in an organization

It is to be noted that it is important to keep in mind which type of information should be retained or destroyed. It is important to remember that every organization is different; thus, an organization may require the retention of documents that are not provided for in this text. All types of documents produced by an organization must be initially accounted for. This includes tangible and electronic documents and is never limited to financial documents. Accounting records, corporate tax records, bank records, employment records, various workplace records (including in-house emails and client correspondence), and legal records must be considered when constructing a DRP for a particular organization.

Finally, to properly execute a DRP, someone with detailed knowledge of the DRP should be in charge of the policy and should ensure that employees understand and follow it as designed. This individual should be a senior-level employee with the power to enforce the policy. A DRP manager is responsible for:
I: Implementing the DRP
II: Ensuring that employees understand and follow the DRP’s purpose
III: Providing oversight on actual retention and destruction of documents
IV: Ensuring proper storage of documents
V: Periodically following up with counsel to ensure proper retention periods are in place

Fraudulent financial reporting may be accomplished by the following:  Manipulation, falsification (including forgery), or alteration of accounting records or supporting documentation from which the financial statements are prepared  Misrepresentation in, or intentional omission from, the financial statements of events, transactions, or other significant information  Intentional misapplication of accounting principles relating to amounts, classification, manner of presentation, or disclosure.

Fraudulent financial reporting often involves overriding controls by management that might otherwise appear to be operating effectively. Management can commit fraud by overriding controls using techniques such as
I: Recording fictitious journal entries, particularly close to the end of an accounting period, to manipulate operating results or achieve other objectives
II: Inappropriately adjusting assumptions and changing judgments used to estimate account balances
III: Omitting, advancing, or delaying recognition in the financial statements of events and transactions that have occurred during the reporting period IV: Concealing, or not disclosing, facts that could affect the amounts recorded in the financial statements

Misappropriation of assets can be accomplished in a variety of ways, including:
Embezzling receipts (for example, misappropriating collections on accounts receivable or diverting receipts in respect of written-off accounts to personal bank accounts)
Stealing physical assets or intellectual property (for example, stealing inventory for personal use or sale, stealing scrap for resale, or colluding with a competitor by disclosing technological data in return for payment)
Causing an entity to pay for goods and services not received (for example, payments to fictitious vendors, kickbacks paid by vendors to the entity’s purchasing agents in return for inflating prices, or payments to fictitious employees)
Using an entity’s assets for personal use (for example, using the entity’s assets as collateral for a personal loan or a loan to a related party)

The risk of failing to detect a material error resulting from fraud is higher than the risk of failing to detect an error resulting from it. This is because fraud may involve sophisticated and carefully organized schemes designed to conceal it, such as falsification, deliberate failure to record transactions, or intentional misrepresentations to the auditor. Such attempts at concealment maybe even more difficult to detect when accompanied by collusion, as collusion may cause the auditor to believe that audit evidence is persuasive when it is, in fact, false.

Confirmation is not one of the risk assessment procedures that the auditor should use to gain an understanding of the entity and its environment, including its internal control.

It should be noted that all options are correctly stated.

It is found that The structure for corporate governance will ensure the company’s strategic strategy, effective management oversight by the board, and transparency to the company and investors by the board.
I: Members of the board must behave in good faith, with due diligence and consideration, and in the best interests of the company and investors, on a fully informed basis.
II: Where decisions of the board may affect different groups of shareholders, the board should treat all shareholders fairly
III: The board should apply high ethical standards. It should take into account the interests of stakeholders.
IV: Monitoring the effectiveness of the company’s governance practices and making changes as needed.