BEC CPA Exam Review Course

BEC CPA Exam Review Course Complete 2

Yeah. Hi, welcome to Bisk CPA Review online learning. My name is Jennifer Louis, and I'm going to be walking you through CPA Exam corporate governance. A few tips before we start one tip is to make sure that you have your viewers guide with you so that you can follow along as we discuss the topics. It's important for you to use it as an outline, but to make sure that you keep your own notes of things that you hear that strike a chord with you and things that you want to make sure that you remember.

You want to treat this course, like you're taking a live BEC CPA Review course, which means at the end, you want to make sure that after you've listened to the video and you've gone through and taken your notes, that you take a few moments to go through and review the outline and the notes that you took prior to moving on to the next topic.

The first thing that we're going to talk about is to go through an overview about what corporate governance is now. Corporate governance is going to be the manner in which an entity is managed and governed. Now, who is involved in this process, it's going to vary from entity to entity. Sometimes it's just management.

Other times it's management and other personnel that are appropriate to assist management within the organization. And it also may include those charged with governance, which may include the board of directors. Not all entities have boards of directors. Some of them will just have an executive managed committee management committee or a owner of the business that helps govern the organization.

But the ultimate goal is to make sure that there is some. Person or persons that operate to the benefit of the organization to make sure that they're running the operations effectively and efficiently, that there is controls over reliable financial reporting, that there is controls over governing the organization as far as compliance with laws and regulations and contracts and grant agreements.

And then they also need to make sure that there's somebody that is involved in overseeing the strategic direction of the organization. When you think about things from an audit perspective, mostly the auditors are concerned about internal controls over financial reporting and internal controls over financial reporting are a process that's effected by the company's board of directors management and other personnel.

So as you talked about who governance is, governance could be something that includes all three of those different components or elements of corporate governance. Internal controls over financial reporting are designed to provide reasonable assurance regarding the reliability of the financial statements.

Since we're dealing with financial statements, that's why generally auditors are interested in internal controls over financial reporting, because they're wanting to make sure that there's reasonable assurance, that the financial statements that they're giving opinions on are reliable. Those charged with governance is a unique term that has emerged in recent years.

And those chargers governance was a term that's a little bit broader than the board of directors. It encompasses the board of directors and an audit committee that you typically might see in some organizations where they have the nature, size, or complexity that really needs there to be a formal governance structure.

Other organizations, smaller organizations might just have an executive management committee that might be the person or persons that are charged with governance. So when we talk about those charter governance, it's really any appropriate body. That's responsible for overseeing the strategic direction of the organization and the obligations that are related to accountability, including financial reporting.

They may or may not. Include the responsibility for improve approving the entities, financial statements. As I mentioned, governance, when we talk about those charged with governance is going to vary from entity to entity, and it's going to be influenced by the size and the ownership characteristics.

Some members of those charge of governance may or may not have management responses disabilities. The members of governance may or may not be an owner manager. But they could include those. If it's a smaller entity, say if there is only a sole business owner with no other ownership in the organization, then they're generally going to be that owner manager may be the only person that's charged with governance.

Whereas a larger organization that might be publicly traded would have a formal board of directors and a formal audit committee. But it doesn't matter if you're a sole trustee of an organization or whether or not there's a complete board, every organization, regardless of its nature, size and complexity is going to have a person or persons that's responsible for guns running that entity management.

Or those that are responsible for achieving the objectives of the entity. And they're the ones that have direct responsibility and authority to establish the policies and make decisions. About financial statements and financial reporting objectives. So they're the ones that will actually design and implement and maintain internal controls over financial reporting.

And then those charged with governance would be the ones that would oversee management to make sure that they're comfortable with what is being designed and implemented as it relates to financial reporting. So those charged with governance oversees management. And then management may oversee other personnel in the organization that are responsible for actually carrying out those financial reporting directors like processing payroll and recording acquisitions that would show up in in property plant and equipment.

And so everything would have a hierarchy within the organization with those charged with governance or the board of directors sitting at the top of the organizational structure. So boards of directors may be the formal representation of those charged with governance. And often when you hear that there's a board of directors, it's a group of people that are elected or appointed to oversee the activities of a company or an organization.

Other terms that you might hear related to boards of directors are going to be things like a board of trustees or a board of governors or a board of managers. Or it even could be referred to as an executive board. Okay. Any of those terms are very, some are very similar in nature in referring to the elected or the appointed people that are assigned with the responsibility to jointly oversee the activities of the organization.

Now, what those activities specifically are, will depend a little bit as well. It all depends on what the powers are. The duties of the responsibilities are that are. Delegated to this group by an authority outside of itself. So when we talk about that, we mean that there would be perhaps corporate bylaws that would have been established for a publicly traded company.

That would say here's what the board of directors is supposed to do. And it would outline those responsibilities within the corporate bylaws. So typically as we're looking at the number of board members and how they are chosen and what their specific responsibilities are, it may include how many times a year that they're expected to meet and what types of reports that they generate as a result of these meetings.

Those are all going to be governed by the bylaws. As far as legal responsibilities for the board of directors, that's going to depend with the nature of the entity. So is it a publicly traded organization? Is it a not-for-profit organization? Is it a college or a university? Each different type of entity will have some rules that it has to follow.

That's convert on it by oftentimes. Regulatory or legal type things that they have to follow and then each jurisdiction. So each different state than an organization and operates in. We'll also generally have some legal responsibilities for. The board of directors when there is a formal board of directors.

So often when we're thinking about responsibilities, if you have a board of directors, that's more of a formalized governance structure. There often are bylaws that are the corporate bylaws, or there might be laws or regulations within the state that the organization operates in that gives responsibilities and accountability to the board of directors.

But remember not every organization needs to have a formal board. So depending on the nature of the organization, it might be that those charge of governance, isn't a formal board of directors. It's just a management team, or it's just an owner of the business. There still will be responsibilities for that person or persons, but there's, it's going to be less formalized and it's not necessarily going to be something that's governed by laws or regulations outside of the entity itself.

So the more than an entity has public accountability. Be it because it's a publicly traded organization or because they receive money through grants or they're for a not-for-profit organization or it's a college or university that also gets grant funding and operates perhaps within the confines of state rules, those types of organizations or.

Often going to have those boards of directors that are going to be appointed or they're going to be voted on by a larger membership for them to represent and act on behalf of the entity as a whole. So some organizations are required to have boards of directors. And that's one of the things you have to make sure that you're aware of with publicly traded organizations that are regulated by the sec and are governed by the Sarbanes Oxley act.

Those types of entities are required by statutory and regulatory bodies to have a board of directors. A lot of times, these public companies, when they have this board of directors, the board of directors is representing the, all the shareholders of the organization, but they don't necessarily have power directly in order for them to make change.

It's more of that. Everybody in the full audit there shit's shareholders would have responsibility for submitting and getting a vote, but oftentimes they have a proxy vote. And so they send in for major changes. They send in what they believe their proxy votes should be on a particular issue.

And then the board in essence, they'll often does have voting memberships. And a lot of times the board will have a voting block. They will have so many voting shares. That a lot of times the boards for large public companies have what they call de facto power, which means while they don't have direct power and authority, they have defacto power because their voting block is so large that sometimes it's difficult to overcome decisions that they desire to make.

Even if you had other shareholders sending in their proxy votes, as it relates to specific issues, small private companies. On the other hand, generally have. A lot of times, it's the same people that are involved in managing and running the business. That also may be the ones that are sitting on these boards and it, or it might be the ones that are assigned with these governance responsibilities.

And so sometimes there's no real division of power between the two. Oftentimes it's the management of the company that often sits on the board of directors. So a lot of times for these smaller private companies that don't have this outside regulatory requirement to have a board of directors still has a governance structure that is similar to a board, but they often will use the term, those charged with governance, as opposed to establishing a formal board of directors.

So on behalf of this education online, I'd like to thank you for listening to this section around just a general governance oversight responsibility section on understanding the definitions. And what I'd like you to ask you to do is to go back and read the notes that you took and look at the outline and make sure that you're comfortable with the foundational definitions of some of these areas that we discussed before you move on to the next section.

Hi, welcome back to the corporate governance section of online learning. I'm Jennifer Louis. And we're going to talk a little bit more about the specific qualities, duties and responsibilities of the board of directors. If it's been a while before, since you looked at the first section that dealt with definitions of what a board of directors is, I'd like you to go back and revisit that really briefly.

Just look through the outline. Refresh yourself and remind yourself about what the definitions are for the different terminologies that you're going to be hearing as we go through this section and then come back and pick up this section. So the qualities necessary for a board of directors is to make sure that they have what's necessary to oversee the organization.

And particularly as we're thinking about from an audit perspective, it's the financial reporting expertise that becomes very critical. We want to make sure that they have somebody within the. Governance structure that has an in-depth knowledge of how a business operates and make sure that they understand what generally accepted accounting principles are and understand the differences between some of the alternatives that you may be able to select, because we want them to have enough of an expertise to oversee the financial reporting mechanisms of the organization.

We also want to make sure that they have some of those soft skills that are important. And when I talk about soft skills, I'm talking about things like integrity and commitment and a sense of due care to carry out their responsibilities in a way that they're keeping in mind their obligations to the entity and the shareholders whose interests they're supposed to be keeping in the forefront.

So we want to make sure that they are. Using their authority for proper purpose and that they're acting in honesty and good faith when they're making some of these key decisions and authorizing certain things to be carried out. We also want to make sure that they are aware of where there might be some conflicts of interest and that they properly identify and consider those in how it is that they can carry out their duties with responsibility.

So for example, if they have access to in entities, assets, or access to information, they shouldn't be using that access for their own personal benefit or profit without the informed consent of the entity. They shouldn't conflict with compete with the organization by setting up a situation where perhaps they're acting as a director for a competing company with the organization that they also are acting as a board of directors on.

That's very similar in nature. They want to make sure that they don't set up a business that competes directly with the company that they're sitting on the board of directors of, they shouldn't enter into transactions with the company where it could create some sort of conflict and it could even be conflict and appearance because if somebody were to engage in a transaction with a company, say that they were looking to purchase something, then from the organization, there's a natural interest.

From the personal standpoint to want to get the best you can out of the transaction. And then from the responsibility of the person from the board of directors perspective, they have a duty to the company to try and get the most as possible for the company itself out of the transaction. So you can see that there would be some conflict there.

Do I look out for my self-interest or do I look out for the company? Self-interest and part of your responsibilities of being on a board of directors is to make sure that you're looking out for the best interests of the company and that you're looking out for the best interest of the stakeholders or the shareholders and that you're ensuring that you're maintaining a level of divide to ensure that you're not stepping over the boundaries of perhaps.

Focusing too much on yourself and your own profit as opposed to your responsibility for the company. So what's very important is sometimes there might be some transactions that are entered into as a board member with a company. And it's not that is. Never allowable what's important is to make sure that those, all of those types of transactions are done with the informed consent of the company and that management of the company that this board member is sitting on the board of directors up, that they ratify those transactions and make sure that they're fully disclosed and they may even need to be disclosed in the footnotes to the financial statements.

So the other financial statement users would know where there is a transaction, where there is a related party interest. When we talk about being objective and that's one of the things that's very important for a board to have board members on it, where there is a sense of objectivity is to try and build a critical mass of independent directors.

And when you see that term, what they're generally referring to is that there's at least two members that have a sense of independence. If possible, this is more important for a public company than it is for a non-public company, but for a public company, you want to make sure that there's a critical mass of preferably at least two independent objectives that can be objective in the advice and the counsel that they provide to the organization and that they can appropriately monitor and oversee what senior management of the company's doing.

So if they're independent, that means that they can perhaps have a greater sense of professional skepticism regarding what management's telling 'em. And some of the judgments that are put into play as far as some of the decisions that management is making that they would like. The board to ratify.

So if they're adopting a significant accounting policy, or if they're going to go out and spend a large sum of money to make a capital acquisition of some amount of, by some big piece of equipment or to change the types of investments that they might invest in, and they want to start spending money on acquiring some higher risk, higher yield type investment securities.

Those are all types of things that typically, if you have a board of directors that they would be involved in that decision-making process, if it's something that's significant to the organization. And so the more that you have some. Independence and objectivity in who comprises the board of directors, the better that they're going to be able to maintain that appropriate level of skepticism.

And they're not going to feel intimidated about asking probing and challenging questions of management. So we want to make sure that is considered that as much as we can have somebody that's. Financially literate, sitting on a board of directors, but also that they have a sense of independence and objectivity.

It's not that every board member has to have those qualities, but you want to make sure that you have at least one, preferably two people that have those qualities. And you also want to make sure that the entity has a process to periodically evaluate whether or not the directors continue to be independent because things change over time.

A board member that joined a board initially might have changed the affiliations or might've changed who they engage in business with. And that change. May have may actually influence their ability to maintain independence. So somebody that is independence when they first join a board, things may happen where over the course of time, they no longer are considered independent.

And so it may be that they are asked to they might be removed from that board, or they might just restructure the board to add additional members that help fulfill the criteria being financially literate and independent. So general responsibilities of whether you have a formal board of directors, or even if you just have those charged with governance.

So if you remember an earlier section, we talked about how some organizations don't have formal boards, they have a person or persons that might be the owner manager, or it might be an executive management committee. Somebody that is just really just charged with governance. And all organizations, regardless of their nature, size and complexity should have those charged with governance.

Whereas only larger, more complex entities are going to have a formal board and a formal audit committee. So the responsibilities of a governance structure for small companies, big companies, publicly traded companies, not for profits. Doesn't really matter. Their responsibilities are to objectively review management, significant judgments, and to help.

Management identify and evaluate any sort of unusual activity that might be occurring with transactions or events that might impact financial reporting. So they're going to interact with the auditors, whether it's internal auditors or external auditors to really get a sense around what's the overall quality of the entities controls over financial reporting and to make suggestions, if they think that there needs to be improvements, it could be improvements in management and who is involved in.

Management, it might be improvements in how a system of internal controls is structured. They might make suggestions around hiring additional people so that they can improve segregation of duties. So governance. So the ones that are supposed to be a little bit removed from the organization, to the extent that they can look at the broader view and the broader perspective to say, what is it that we really need to accomplish in order to ensure that we have.

Reliable financial reporting, effective and efficient operations and compliance with laws and regulations. So we want to make sure that they are alert to where there might be management override. So if they're interested in all these things and they're separate from management, then. They want to make sure that they're overseeing management and making sure that management is not trying to manipulate the financial statements by short circuiting, a system of internal control.

So if there's lack of segregation of duties, it might be easier for management to go in and book fraudulent revenue transactions, for example. Governance and those charter governance by overseeing management's judgements and looking at the financial reports on a periodic basis, they're going to be looking for those types of situations where there might be signals or red flags that something like that might be occurring.

So they're going to look at performance reports like budget to actual analysis, or looking at gross profit margins or looking at trend analysis from period to period. And they're going to try and look for indicators or red flags of where something might be going on that significant or unusual. And then they'll follow up and ask questions to management to make sure that they're comfortable, that everything's being handled in an appropriate and aboveboard manner.

They also might be involved in making decisions around how to structure incentive compensation arrangements, which could include compensation of senior management of an organization. They will Often also, if there isn't audit, that's done of the organization, they will review the audit plan and the services that are being provided by the auditor.

And often they're the ones that will actually engage the external auditor. So they will interview the different firms that might be applying to be the external auditor for the company. And they're the ones that will establish the compensation arrangements with the external auditor and meet with the extra Lauder periodically throughout the process.

To ensure that everything's being handled correctly. They're also want to periodic basis going to do a periodic self assessment of their own performance. So not just looking at what management's doing, what the auditors are doing, but how good of a job are they doing in fulfilling their oversight role of looking at the strategic direction of the company and ensuring that they're focusing on effective and efficient operations.

Reliable financial reporting. And compliance with laws and regulations. And so those three elements are very important for those charge of governance to periodically look at and make sure that they're doing the right things at the right time. And they're going to make sure that management is making changes as necessary.

Particularly if, for example, a new accounting standard comes out and this new accounting standard needs to be adopted by the company. Those charged with governance will. Be informed enough to know that there's a new standard coming out and they will ask management. W what did you decide to do? How did you decide to implement it?

Management would relate what their decisions were and then those charged with governance would listen to what management said, and they would feel comfortable that the approach that was being taken by management seemed to be an appropriate way to handle the situation. So thanks for listening to this topic on qualities of a board of directors and some of the things that you want to make sure that the individual members are keeping attuned to as they carry out their responsible.

Hi, welcome back to the corporate governance section of our online learning. We're going to talk next about audit committees. Now, back when I was in public accounting, I worked for a large public accounting firm and we used to have to meet with the audit committees frequently about the financial statement audits.

And I also was the financial operational internal audit director for a very large not-for-profit in Washington, DC. And I also had the responsibility as the internal audit person to meet with the audit committee. So the audit committee has a very important role and function and their job is to actively oversee the entities, accounting and financial reporting policies and practices.

So the larger board, the board of directors would be responsible for many different objectives, including. Compliance with laws and regulations effective and efficient operations and reliable financial reporting. The audit committee really just takes one of those three objectives and focuses in on it more precisely.

So they assist the larger board with fulfilling their fiduciary responsibilities. So there needs to be a process where the audit committee is informed of significant judgments and issues that effect accounting and financial reporting so that they can deal with those issues on a timely basis. And often it's the internal audit group or the external audit group that would be involved in that process to come in and have those conversations with the audit committee.

In addition to the audit committee meeting with the senior management of the organization. So the audit committee needs to understand how it is that management actually identifies monitors and controls financial reporting risks that would affect the organization. So how do they make sure that the financial statements are complete and that all the assets exist and that accounts receivable is properly valued.

They're going to go through and think about what are the major things that could be wrong or misrepresented within the financial statements. And then their job is to know what is this particular organization's greatest risks and how can we make sure that management is appropriately managing those risks?

So there's going to be a direct line of communication. That's going to be necessary in order for them to do that. And it's going to involve talking directly with management, but it also is going to involve a direct line of communication with internal and external auditors to discuss. Those types of relevant matters.

Now you'll notice I said direct line of communication. So what that means is that periodically the audit committee is going to meet with the internal and external auditors without management around. So that they're. If they want to say something that they don't feel comfortable saying in front of management directly, they have an opportunity to have these Eyeful offline conversations with the audit committee in order for them to make sure that they can discuss the reasonableness of the financial reporting process and significant comments and recommendations they might have as a result of doing audit type services.

And just being able to give that feedback in an open and free environment. The audit committee beyond just overseeing management is also responsible for overseeing. The auditor activities, whether it's an internal audit activity or whether it's an external audit activity, they have responsibility.

Understand what is it that these internal and external auditors are doing. And they're supposed to also, particularly with the external auditors to challenge whether or not there's any independence issues that might exist with who they have doing their financial statement audit, because that's one of the things that's important about a financial statement audit is that the external auditors.

Really should have no impediments for them to be able to. Judge and evaluate whether or not the financial statements are materially misstated. And so it's very important for them to be independent and objective. And over the course of time, for example, there might be a familiarity threat where the auditor has been the organization's auditor for 10 years.

And so the audit committee might make a judgment to say maybe we should go out for bid to see if we should hire a different. CPA firm to come in and do our financial statement audit in order to try and mitigate the risk of this familiarity threat that the auditor's might be presuming that things are being done above board because they have such great relationships with management and the people that they're dealing with on a day-to-day basis as it relates to the financial statement.

Got it. So they do have a responsibility of making sure they're comfortable with the. Auditor external auditor relationship with the firm, as well as overseeing what internal audit is doing and the results of their services. And then also monitoring it overseeing management. There also might be circumstances where there needs to be some interaction with outside regulators.

Say the sec might have a question about the financial reports and. The audit committee would often be involved in those interactions along with management, just to make sure that they're comfortable, that what's being represented to these outside third parties in this compliance type arena is something that they're comfortable with because they're going to look at things from the viewpoint of preserving and protecting the best interest of the company.

Whereas management is probably going to be looking to preserve and protect their own best interests. So they may. Skew things. Management may skew things and dealing with outside regulators to try and preserve their job, to not make it look like they did anything wrong. So they may be coming from a more defensive posture.

Whereas the audit committee being on an oversight role could be the one that would be more of the mediator between the two and try and make sure that conversations are such, that they can objectively look at both viewpoints and try and big bring such issues to resolution. So they do have the authority to engage and replace and determine external auditors.

When they're hiring them, they have influence over making recommendations to compensation and performance evaluations for management. And they also have the authority to have influence over the internal audit department as well. So the audit committees purely have they, they clearly have a lot of influence over the organization, as it relates directly to ensuring reliable financial reporting.

The Sarbanes Oxley act is the act that came out and it's that it's applicable to organizations that are regulated by the sec. So if you're a publicly traded organization or an issuer as they're called, they have to follow the Sarbanes-Oxley at the Sarbanes. Oxley act actually has a requirement that publicly traded entities have a audit committee.

Now the audit committees are a subset. Of the board of directors. So usually it's the people that are sit on the audit committee, also sit on the full board of directors. And as they're looking at, who's sitting on the audit committee, the Sarbanes Oxley act says that more than half of the audit committee should be outside directors or they should be independent directors.

So that means that they can't be executive directors, meaning that they can't be a member of management and they can't be. Inside directors, meaning that they have a vested financial interest or other sort of conflict with the entity itself, they have to be truly outside directors that are independent and won.

At least one of these outside directors has to be financially literate. Now they don't give specific definitions around what financially literate means, but what they do is provide a list of here are some things that might make somebody. Qualified to be financially literate. And it includes things like their experience and their education and whether or not they've ever sat on a board before.

There's a whole laundry list of things that could qualify somebody to be financially literate, but it's important to have at least one outside director that qualifies as being financially literate on the audit committee of a publicly traded organization that follows the Sarbanes-Oxley act. In addition, Remember, at least half of the of the members of an audit committee of a publicly traded organization should be independent or outside directors.

The other thing that the Sarbanes-Oxley does as it relates to the audit committee is it says that the internal auditors are required to report directly to the audit committee. Now, generally, if there is an internal audit department, they do have a direct line of communication with the audit committee because that's.

Kind of the whole point of having an audit committee is to have that means that independence and objectivity it's optional for private companies to do that. It's just a best practice that they do. Whereas if it's a publicly traded organization, their internal auditors are required by law to have that direct line of reporting.

So by law, if you're a publicly traded organization, there has to be a direct line of. Reporting for internal audit, a direct line of reporting for external auditors. And there has to be at least one outside director that's financially literate or determined to be a financial expert. And remember that financial expert determination can be made up of a lot of different factors.

It could be because they've had prior experience as a controller of a large organization, or they previously were in public accounting or they. Actually have been involved in preparing audited financial statements in the past, it could be that they were an internal auditor for another organization. The goal was to make sure that they have enough understanding and experience formally or informally, to be able to understand financial statements, generally accepted accounting principles, to be able to make judgment calls around the sufficiency and appropriateness of key decisions like selecting.

Alternatives that might be available within generally accepted accounting principles and they want to understand controls. And what does it mean to have a good sound system of controls over reliable financial reporting? So they need to be able to understand preparing financial statements, reading financial statements, the controls.

Over generating financial statements, and then they also need to understand what it means to be a member of the audit committee. So what are our duties and our responsibilities and why is it that we have to take these jobs so seriously? So in looking at. With an audit committee and trying to decide who should sit on the audit committee?

It's very important that the board ensure that they have somebody that is sitting on that committee, that they feel comfortable has those skill sets necessary. So they're going to make sure that they do independent reference checks and that they look at the relationships that individual might have.

So do they have any conflicts of interests or any other types of. Related party relationships that might impair their ability to really be considered an outside director, as opposed to an inside director. Sometimes companies use independent search firms to help find individuals to sit on the audit committee and that might be appropriate for a much larger publicly traded type organization.

In all cases, you should know enough about the individuals to feel confident about their financial literacy, their commitment. Their ability to be able to perform their responsibilities with due diligence and appropriate amount of professional skepticism. In some cases, the audit committee might be required to actually certify that they've complied with independence and ethics rules that the organization has established an often.

If there are these certifications are updated periodically often once a year to make sure that somebody that. Sitting on the audit committee as circumstances change that they're, that they are able to identify where there might be some emerging issues with independence and ethics that might require them to change their relationship.

Perhaps they could no longer be on the audit committee or perhaps they can no longer be on the full board if the conflict of interest is large enough, but it's definitely something that needs to be periodically evaluated. So we've gone through and talked about the. Composition of the audit committee itself.

And so now would be a good time to go back and revisit the earlier sections that talk about what's the definitions of those charged with governance. What's the definition of a board? How is the board and audit committee differ? And what types of responsibilities is the audit committee have that the full board does not have.

Hi, welcome back to our corporate governance section on our online learning. And now we're going to talk about internal control over financial reporting. My name is Jennifer Louis and I used to work in public accounting. And it's one of those things that you really need to ensure that you have a firm understanding around what does it mean to have internal controls over financial reporting?

A lot of times when you're in private accounting and you're working directly with. Companies in their accounting departments. You certainly, you get a sense around controls over financial reporting. But companies from a broader perspective are also concerned about controls over operational effectiveness and efficiency and controls over compliance with laws and regulations.

Whereas from an audit perspective you're more directly related to internal controls just specifically over financial reporting. Now there might be some overlap. There might be where a control that helps you ensure that you're running your business. Also helps you ensure that you have accurate and timely and consistent financial statements.

So there can be where there's multiple objectives, but the primary objective that you're going to be focused on is to ensure that the financial statements are reasonably stated. And so when we talk about controls and we think about it from the context of financial reporting, we're looking at an integrated system of checks and balances that work together to reduce the risk.

That your financial statements are materially misstated. So you want to reduce the risk that there is a problem to an acceptably low level. Now who's involved in that responsibility where it's going to be management other personnel, and then those charged with governance, which could be the board of directors.

So when we talk about the board of directors in this segment, I'm automatically bringing in situations where maybe there's not a board of directors, but there's just an executive management committee or other group that's considered the governance structure of the organization. What's important to think about is when we talk about internal controls over financial reporting, that if it involves multiple parties, it's not just the people that are processing the transactions or management that is authorizing, approving those transactions.

But it's also the governance structure, which may be the board of directors that's overseeing management and what they're doing as well. It's an integrated process that involves lots of different people and lots of different activities. All of it designed to provide reasonable assurance regarding the reliability of financial statements.

Now, one of the most widespread methods that's used to design and evaluate. The strength of the system of internal controls over financial reporting is what's called the COSO internal control integrated framework. Now Kozo stands for the committee, a sponsoring organization. So they're a group that put together this gold standard of internal controls.

And this gold standard is called the integrated framework and the integrated framework. Operates as a mechanism to show what are the most important components of a well-designed and effectively functioning system of internal controls that does not have material weaknesses in its system. You notice I emphasized that there's not material weaknesses.

If system of internal controls over financial reporting is never going to be perfect. You're never going to be able to design the perfect system. There's always going to be limitations that will exist because of the fact that there's people involved. And so there can be collusion. There could be override.

There could just be errors in judgment. It could be that somebody just wrote down the wrong number. So there's lots of things that could happen. It may be intentional or unintentional, but there's things that could go wrong in any system. Of internal controls. And so the goal is to design your system in such a way that it is reducing risk, that you're going to have material fraud or material error.

And so the people that are involved in this process are responsible for overseeing to make sure that the design of the system is set up in such a way that airs a chance and a pretty good chance that we're going to be able to identify all of those instances. If you're talking about the COSO integrated framework, there's basically five key components that we're going to discuss that are critical to satisfying that objective.

When we talk about the different components, we're assuming that each of those different components are all going to function together in. Managing the risk that there's material misstatement in these financial statements, not all of the five different components are going to operate identically. Some of the components will be stronger than other components as you look at the different organizations.

And so what I mean by that is that not every organization is going to have a system of internal controls. That's designed exactly the same way. Depending on the nature and the size and the complexity of the organization, how many people they have that are involved in accounting, how many different types of locations they have, how many different products and services they offer, all of those things are going to come into play in designing a system of internal controls over financial reporting, to be able to manage risk it's appropriate to that organization.

Now not one component is so one single component out of the different components is not going to be in and of itself sufficient to make up for just totally ignoring another component. But what it can do is that it can mitigate risk. So the strength of one component could make up for some deficiencies in another component.

That we're going to talk about, and we go through the different components, but they're all going to operate together in an integrated way to all limit the effect of things. So the five different components that are in the COSO integrated framework starts with the foundational component of that framework, which is called the control environment.

The control environment is the first of the five components and it's the face of the whole. System of the integrated framework in that it sets the control consciousness of the organization. It's the foundation for the other four components of the COSO internal control, integrated framework. It's things like management's integrity and ethical values and how the organization is structured and how they hire people.

What types of training they provide to people. It's all the things that just set that foundational base. And set the tone of the organization around the fact that internal controls matter and ensuring reliable financial statements matters. The second component of the internal control integrated framework relates to risk assessment.

Now risk assessment is how does the company identify and evaluate and analyze the internal and external risks that could impact. The entities ability to create reliable financial statements. This is going to include how they record and process and summarize and report all the individual financial data transactions that go through a system of controls.

But it also is going to include things like how they accumulate all those individual transactions and get them into the set of financial statements. So how they present. Financial information, this set of financial statements, what types of disclosures are there in the set of financial statements and what the risk assessment component does is that somebody within the organization is responsible for looking at the financial statements and saying what could go wrong in this set of financial statements.

That actually might be something of concern to the users of the financial statements. So whatever the users of the financial statements care the most about those are the things that if there were to be a problem, it would be a much bigger deal. So when we talk about identifying and evaluating risk, we're talking about identifying, evaluating the areas where if there were to be something wrong, it would make a difference to the users and they may end up making a different economic choice.

So once they've identified all those things, then somebody needs to go through and decide how are we going to manage these risks? So the risk assessment is not just the identification of risk, the evaluation of how significant is that risk, but also trying to decide how are we going to manage that risk?

The third component of the COSO integrated framework has to do with information and communication. So as we are setting the foundational basis, Of the COSO integrated framework with our control environment. And as we go through and identify and evaluate and analyze risk within our financial statements, we also need to share important information.

So the information and communication component, which is the third component of the COSO integrated framework is the method of sharing knowledge and data throughout the organization. So it's not just making sure that pertinent information is identified and captured and communicated through some sort of formal accounting system or formal record keeping system.

But also that they're just communicating informal things that occur. So if I am making a change in my department, for example, that might influence the data and information that. Another department's getting that. I share that information across the organization that I communicate with my external auditors in my legal counsel that I.

Communicate downwards in the organization so that people at the upper levels of the organization let people at the lower level of the organization know what's critical and important for them to do their jobs appropriately. And people at the lower end of the organization have to communicate upwards to let upper management and those charged with governance know where they think there might be flaws in the system or where they're confused about what they're supposed to be doing, or they think that there might be some sort of fraud that might be perpetrated.

Communication has to flow up down, across, inside, outside. It has to flow in a free and robust manner throughout the entity in order to make sure that people have the information to make good decisions and to do their jobs well. And then remember this component also includes the actual information systems.

That produce the reports that can create contain the operational financial and compliance related information. That's critical to people to be able to do their jobs. It also deals with the fact of just making sure that everybody, once again, is getting clear messaging from top management about. The seriousness of fulfilling their roles and responsibilities, particularly internal control responsibilities in a thoughtful and diligent manner.

People need to understand how their jobs Interrail interrelate with other people's jobs and how, what they do on a daily basis actually ultimately influences what ends up in the financial statements. So we need to make sure that if people are confused about what they're doing or why they're doing it, or how to do it, as it relates to financial reporting, that there is a mechanism in place that management and those charged with governance could be alert to that and know that there might be some confusion or some misunderstanding, and then their job and responsibility is to make sure that there's clear messaging out there to correct that issue.

So we've talked about three of the five. Components of the COSO integrated framework. So far, we've talked about the foundational control environment that just sets the tone of the organization around financial reporting. We've talked about assessing risk to figure out what might go wrong and how, and what is it that we need to manage and control.

That might be the bigger issues. We talked about information and communication that makes sure that everybody has the data and the information and the knowledge to do their jobs well. And then the fourth component is going to be control activities. And so the control activities are traditionally what people think about as being.

Internal controls. It's the actual policies and procedures that make sure that management directives are carried out. And so what that means is those are the actual actions that are occurring in processing payroll or Paying your bills or getting deposits in the bank. It's the activities that include the processing and recording and the authorization and approving and the reconciliations and all of those things that occur on a day to day routine basis throughout the organization at all levels and at all functions to get the transactions and events into the systems that actually create the financial statements themselves.

So the control activities are the specific policies and procedures that help ensure a management directors are carried out. And those include things like approvals, authorizations, verifications, reconciliations, matching of documents, anything that is an activity that would help ensure that the data and information that's getting into the system that ultimately is going to create the financial statements is handled properly.

The fifth and last component of the COSO integrated framework that we're going to talk about is called monitoring. And what monitoring is that it is the mechanism that management uses and that governance uses to ensure that internal controls is operating as intended over a period of time. So over the course of time, they want to make sure that all the controls and the systems that they've set up are happening as intended.

If there's changing circumstances we have a new employee that joins the organization. Monitoring is going to make sure that changeover from the old employee to the new employee happens appropriately. And that the new employee seems to have a grasp on the roles and responsibilities that they're supposed to be fulfilling as it relates to internal controls over financial reporting.

So monitoring could be done. What you might hear two different things. There's ongoing monitoring. And then there's separate evaluations. Ongoing monitoring is things that management and governance does just in the course of doing their jobs on a day-to-day basis. So every day they might review a report that shows.

How many sales were generated during the course of the day. If they see where there's an anomaly, where sales are have are significantly higher than anticipated or significantly lower than anticipated, they're going to go and investigate to say, okay, what's happening? Is it because we're having a great day with our sales?

Or is there something perhaps that is a glitch within the system? So they try to identify through monitoring where there might be a problem. And they're going to investigate it and they may conclude that. No, it really isn't a problem. It's something that we anticipated and expected and should be occurring, or they may identify that there is a problem with the control activities and the other internal controls related to financial reporting to be remediated.

Now you're going to hear this term. Remediated remediate is just a fancy word for fixed. So monitoring is going to identify where there might need to be corrective action taken of deficiencies in the system of internal controls over financial reporting, and they could identify deficiencies in how trust transactions are processed and recorded in the system.

Or they also might identify deficiencies in the control consciousness of the organization, or it could be deficiencies in assessing risk, or it could be deficiencies in information and communication. So monitoring really monitors the other four components of the COSO integrated framework to make sure that things are happening as intended over the course of time.

So when we talk about over the course of time, we're talking about there, these perhaps the need to have these separate evaluations. So periodically they may go through and have internal audit go in and do a. A project to go and look at a specific area like cash management, to make sure that things are happening as intended specific to cash management.

There may be a control self-assessment program that every department head goes through once a quarter or once a year. So separate of that  would be something that's very targeted and specific to a specific area. Of emphasis and it might be your higher risk areas that are more open to there being problems or issues.

And then ongoing monitoring is the monitoring. That's just done on a daily routine basis. As the, as everybody just goes through their regular roles and responsibilities, where they're constantly alert to where there might be issues. And if they do uncover an issue that they investigate it and determine what corrective action within the system needs to be.

Remediated or fixed to ensure that issue isn't perpetuated and that it doesn't continue because the longer you let control deficiencies continue the greater likelihood that you're going to end up with a material misstatement because individual transactions might aggregate up to be problems over the course of time.

That might be a material misstatement. If you give it time enough for it to perpetuate. So understanding the COSO integrated framework and just the core elements and how they fit together is important for corporate governance because corporate governance is going to play a role in monitoring, and they're going to play a role in setting the control.

Consciousness of the organization with the control environment, and they're going to play a role in making sure that risk is assessed appropriately and that communications are free flowing and robust. So they're going to look at all these different elements and from an oversight, big picture perspective, they're going to make sure that all these different elements are properly designed and that they're looked at as an integrated system of controls that all work together to try and manage financial reporting risk.

Yeah. Hi, I'm Jennifer Louis and welcome back to our corporate governance online module. Today, we're going to talk about enterprise risk management and. Enterprise risk management or erm, is a principle that's very similar in a lot of ways to the COSO internal control integrated framework. If you remember, we talked about that in an earlier module about the COSO integrated framework that had five components of.

Control environment, risk assessment, information and communication monitoring, and control activities. The enterprise risk management framework is also something that is based on COSO principles, Kozol being the committee of sponsoring organizations. And what it does is it takes that original COSO integrated framework and looks at it in a little bit of a, in a more broad context.

And the foundational principle of it is that. Every entity exists to provide value for its stakeholders. So what management's challenges is to figure out how much uncertainty or risk are we willing to accept in order to grow stakeholder value, enterprise risk management enables management to effectively deal with the uncertainty that's associated with.

Opportunity. Because every time you try to take advantage of opportunity, there's always a risk that the opportunity might not play out. So you want to figure out where's that delicate balance between accepting risk in order to take advantage of opportunities and create value, but not going to the extreme to the detriment of the organization.

So in going through this enterprise risk management process, It also helps ensure effective financial reporting, compliance with laws and regulations and operational effectiveness and efficiency. So there's other objectives that roll out of the enterprise risk management framework, enterprise risk management, or erm, if you would, to the actual definition is that it's a process.

That's affected by the entities board of directors management and other personnel. So you can tell that part of the definition is very similar to the Kozel internal control, integrated framework definition, which is also a process that is affected by management and other personnel and an entities board of directors.

What's different about this is that it is applied in a. Strategic way. So the COSO framework or the integrated framework for internal controls thinks about operational process improvement, ensuring reliable financial statements and compliance with laws and regulations, where the erm, framework adds an additional objective of ensuring that you're able to fulfill the strategic.

Directions are the strategic objectives of the company as well. So what they do in the erm framework is they look at what are the things that could go wrong that may affect the entities ability to meet any of those risks. And then how do I manage that risk to be within the entities appetite and to assure that we can achieve those objectives, whether it's financial reporting, operational effectiveness and efficiency compliance, or the ability to fulfill strategic goals and objectives.

Key terms that you will hear as real as it relates to the enterprise risk management or erm, framework is these concepts around strategy aligning your risk appetite and your risk strategy. So your risk appetite is where you try to assess how much risk or uncertainty am I willing to take on. And then my risk strategy is going to be, how do I respond to that risk?

What it does is it helps. Design it helps creating a rigorous process of identifying your risk, selecting among different alternative risk responses to create a strategy for dealing with that risk. And the different risk responses are either going to be risk avoidance. Or I just choose not to engage in that activity to reduce my risk, or what's often it's risk reduction is the second option, which is I can try and put in some compensating or mitigating controls and activities to try and manage the risk.

I can do risk sharing where I try and share the risks with other organizations. For example, I might get involved in a joint venture as opposed to taking all the risk on myself. Or I might choose to do risk assessment at Rick's acceptance, which is where I just choose to to go ahead and assume the risk, because I think that the risk isn't going to be significant enough for me to have to try and deal with it.

So for responses that you might have to risk underneath the enterprise risk management framework are risk avoidance, risk reduction, risk sharing, and risk acceptance. The goal of each of those different responses or combinations responses is going to be to try and make sure that you are reducing any surprises.

And you want to try to make sure that as you identify potential events and trying to figure out how you're going to respond to those different events, that you do that in a robust manner in order for you to reduce surprises that might have. An outcome such as a unexpected cost or a loss. This might involve you looking at risk from a very large perspective, like how to manage risk across an enterprise that has multiple locations that might operate on an international basis.

And so part of it might be Going through and trying to look at risk at a big picture perspective, not just at the individual component perspective and trying to figure out how all those risks interrelate together and how to prioritize, how you're going to respond to risks, looking at things on an enterprise wide level.

The goal of all this is to help you seize opportunities where I have an opportunity where I think my risk appetite is such that I should take advantage of that opportunity and try to have a positive outcome. So I'm going to deploy my capital or delegate my resources to the areas where I think that there's this great opportunity for me to seize.

Chances in order for me to build shareholder value. So remember that all comes back to the very beginning when we talked about, erm, is that the ultimate goal is to take on risk. With the goal of building shareholder value, but I need to do that in a way that makes sense that I go through and I make conscious decisions around how can I provide reasonable assurance to the organization that I am actually moving towards my objectives of reliable financial statements, strategic objectives, operational objectives, compliance.

I'm moving towards all these objectives. In a way where we are accepting risk, but not doing it to the extent where there could be a detriment or a loss to the organization, because we've overextended ourselves with our risk appetite. Each of those different categories of risk, of strategic, operational reporting and compliance, all could overlap.

Just like we talked about with the COSO internal control integrated framework, you might have activities that crossover those different objectives. It's something that helps me be in compliance with the law regulation also might help me run my business better. So you might see where there's overlap between the four objectives, but you have to make sure.

That, during this process of using the enterprise risk management process, that you're looking at each of those different objectives and trying to thoughtfully deal with each of those different components. Now, how do you do that? If you remember, the COSO integrated framework had five components of internal controls, it had the control environment, risk assessment, information and communication monitoring, and control activities.

The enterprise risk management has. Eight components. Now, some of the components are very similar to what you heard in the COSO integrated framework, starting with the control environment. Erm, has a concept around that the internal environment has to encompass the tone of the entity and sets the consciousness around how risk is viewed and addressed.

And what's the general philosophy around the organization's risk appetite. And. What's management's integrity and ethical values. So it's all those things that are very similar to that foundational basis of the COSO integrated framework, which is the control environment. Here's where it's a little different.

The COSO integrated framework has something called a risk assessment component. Whereas the erm framework actually takes that risk assessment component and it breaks it apart into three separate components. The first component is to. Establish what your objectives are. So you need to know what are the things that we're trying to accomplish with financial reporting and strategy and operations and compliance.

So that is a whole separate component of the framework. The second thing that you're going to do in that. In that risk assessment thing, a part of the component is to identify the internal and external events that might keep you from achieving those objectives. And then the next step is to say, how is it that I'm going to perhaps decide how I'm going to manage these risks?

So that includes looking at the likelihood and magnitude of these things that could go wrong. How likely is it that they would happen and what would be the magnitude if they did, and to go through the process of segregating out your lower level risks from your higher level risks. Whereas the risk assessment component of the COSO integrated framework that we talked about in a previous module has just risk assessment.

The erm, framework has objective setting for your risk has identifying internal and external events that could occur that could keep you from meeting those objectives. And. Has a risk assessment component that involves looking at the likelihood and magnitude of risks and deciding how it is that those risks should be managed appropriately.

Then you're going to go through and set up the response itself. So you're going to go through and say, once I've looked at. The D the likelihood and magnitude of risk, and I've tried to put them into different buckets. Then I'm going to go through and say, how should I respond to these risks? And remember, there was four different risks responses.

You could avoid the risk. You could share the risk, you could manage the risk or you could decide to manage the risk appropriately with some compensating or mitigating controls. So with your risk response, you're going to subside how it is that I'm going to deal with that risk, looking at my risk appetite, or how much risk I'm willing to tolerate.

And then I'm going to design control activities that will appropriately manage that risk. So the control activities are the policies and the procedures that are established and implemented to help ensure that your responses, that management's decided on how to respond to these risks are effectively carried out.

This is where things are going to start looking a little bit more similar to the COSO integrated framework, because there is an information and communication component where it talks about identifying and capturing and communicating information in a form and timeframe that enables people to carry out their job responsibilities.

And then there also needs to be a monitoring component that makes sure that things are happening as intended. So the erm, framework has eight different components to it. And so take the time now to go back to the outline and go back and revisit those eight different components of the enterprise risk management framework and think to yourself where there is some similarities to the COSO integrated framework and where there's some differences.

Hi, I'm Jennifer Louis. And I'm going to be talking to you about the control environment as it relates to corporate governance. The control environment is the tone of the organization that influences the control consciousness of its people. So it's the foundation for all other aspects of internal control.

Okay. That's why it's so important for it to be a critical part of any corporate governance. It provides the discipline and the structure for people to do the right things at the right time. So it is important for a governing body, but be it a. Board of directors or a it executive management team or management or other appropriate people embody it within the organization.

It's it is important for them to make sure that they are focusing on the tone at the top and the messages that are being sent throughout the organization related to the control consciousness and the importance of reliable financial reporting. So how exactly do they go about doing that? There's a few key ways that governance can play an important role in this.

And one of them is to make sure that there's an emphasis on integrity, ethical values and competence. And this is going to be most important for top managers of the organizations, because they do set that. Tone at the top, they articulate the values that have to be developed and understood throughout the organization.

And they set the standard for conduct.  If the employees of the organization see management operating in a way that demonstrates integrity and ethical values, they're going to be more apt to perform in that same manner. Should they have the, should the need arise for them to make some value judgments or some choices?

So it's important as it relates to integrity, ethical values and competence, that there are processes in place to monitor adherence to any principles that might be out there related to those foundational principles. And these monitoring processes should identify any deviations from sound, integrity, and ethics so that they can be responded to in a timely manner.

It's important to make sure that entity peop personnel are informed of any ethical violations that are identify and that they're informed of any actions that were taken to remediate or fix the problems. One of the biggest decisions of something like fraud is that it's the fear of getting caught.

And so if. You don't publicize the fact that the organization is alert to where there might be violations of integrity or ethical principles, then people aren't aware. That it is something that they need to place an emphasis on. So deviations need to be identified and communicated to appropriate people in a timely manner.

Corrective action needs to be taken. And we want to make sure that there's a constant messaging out there around the importance of integrity, ethics and competence. The other critical element of the controlled environment is management's philosophy and operating style. The philosophy and operating style of management directly influences the attitudes that others in the organization are going to have around accounting principles, estimates, presentation, and disclosure, and other similar type tasks that are a part of generating financial statements, the philosophy and operating style that management has establishes.

And. Helps articulate what it is. That's important about the financial reporting objective. So if management is. Absolutely focused on making sure that the financial statements are fairly presented, that they're consistently presented that they're completely presented. Then if they emphasize those types of things, as part of their financial reporting objectives, that tone of the organization, that tone is going to travel down through the organization.

And it's going to start establishing a role of internal control over financial reporting within the. Organization as a whole. So you need to make sure that with the management philosophy and operating style, that they emphasize the importance of minimizing risks, that financial statements are misstated.

So all of their interactions with others throughout the organization, as well as interactions with those outside of the organization and the tone and the attitude that they take around accounting principles and estimates are critical in establishing this. Core foundational principle around having the right control consciousness.

So beyond making sure that integrity and ethical values and competence are something that's emphasized that management's philosophy and operating style is something that sets the right tone of the organization. Another component of the control environment is how is it that management assigns authority and responsibility within the organization?

There has to be clearly defined responsibilities at appropriate levels in the organization to facilitate effective internal control, which includes. Where are the limitations of things that I'm not allowed to do? So not just one of my authorized to do, but what am I not authorized to do so that it's clear, particularly with things like segregation of duties that they're not stepping over those boundaries.

So position descriptions, job descriptions. They need to be set to the degree that it reinforces who's responsible for what, within the organization. This is going to include what management's responsible for and what those charged with governance are responsible for. If it's a board of directors, the owner, the an executive management team, whoever the governing body is, they need to know what they're accountable for as well.

And then those charter governance also need to make sure that they're reviewing managements. Job descriptions and levels of assigned at the wordy so that they can strengthen and improve those as necessary. So there is a hierarchy. That is important as it relates to designing the foundational control environment, which includes management, looking at the job descriptions and roles and responsibilities of people at the operational level within the organization.

And then those chargers governance looking at management's job descriptions and responsibilities and authorizations as well to make sure that everybody is doing something that's appropriate within the confines of their job. So there's always going to be a balance. That's an out there that's necessary to look at what does it need we need to do to get the job done.

And then what is it that we need to do in order to maintain adequate internal controls? And sometimes particularly in. Smaller organizations that becomes a little bit more difficult because they have fewer people. And so sometimes the, there is an inability to have proper segregation of duties because they just don't have enough people to enable that to happen.

And so sometimes there becomes, it becomes even more important for management and those charger governance to look at how job responsibilities are assigned to make sure that they've mitigated that risk as much as they possibly can. This gets into the next component of the control environment is around organizing and developing its people and entity needs to make sure that they have a proper lines of financial reporting established such that there is appropriate lines of communication and oversight.

So what different business units. How were they described within an organization chart? And how does responsibilities line up as far as who oversees, what business unit and who is ultimately responsible for managing the organization? Including, okay. Overseeing reliable financial reporting.

So there needs to be some sort of formalized organization structure. Now, when I say formalized organization structure, it could be an organization chart that's created, but in smaller, less complex entities that don't have that many people. They may not need an org chart, but what really becomes more critical if they don't have a formal org chart is to have job descriptions so that it leaves everybody knows who is responsible for what?

Within. The financial reporting system itself, and there needs to be some identification around what core competencies do I need these individuals to have so that we can make sure that the organization is employing or otherwise retaining individuals who possess the require competence related to financial reporting.

We want to make sure that everybody has the skill sets in order to do the job adequately. Those charged with governance. Are they. Form a critical role in establishing a control environment. That's conducive to ensuring reliable financial reporting because they're the ones that are going to monitor management and they're particularly going to monitor any risks of management override.

Of internal control. And so it's important that governance has at least one or more members that have some financial reporting expertise that has a greater opportunity for them to be able to oversee the effective of internal controls over financial reporting and the financial statement, preparation process.

They need to be able to oversee the relationship with they make with internal and external auditors and interact with regulatory auditors as deemed. , it's important, even if they don't have a formal board that there'd be some person or persons that are charged with governance or overseeing the strategic direction of the company, including the reliability of financial reports in order to make sure that there isn't that risk of management override.

Human resources is another important element of the control environment and human resources is the policies and procedures that are designed and implemented to facilitate effective internal control, because they're looking for ways to demonstrate a commitment to. Competence integrity and sound ethical behavior.

So it's going to be the training that is put into place, but it's also going to be how it is that we go about recruiting and hiring key people in these key financial reporting positions and making sure that we hire the right people. That have the greatest potential of being successful in their jobs, but that you're also providing tools and training for them to continue to perform those financial reporting roles on a recurring basis.

There needs to be performance evaluation and compensation practices like raises and bonuses should reflect the importance of achieving. Financial reporting objectives. So compensation plans should not be excessively tied to short-term results because then there's going to be this motivation maybe for people to overstate earnings.

In order to, for example, if their bonuses is tied to net income or to revenue growth, then there might be a short term motivation for them to misstate those things in order to get the bonus. And then later they may need, they might not be able to keep up the fraud scheme any longer and ultimately things will catch up with them.

And then you could have a misstatement in the financial statements that's going to result from that. So the control environment. As part of corporate governance is important because it does establish the tone and the foundational principles that are critical to establishing a sound control consciousness around internal controls over financial reporting.

Yeah.

Hi, I'm Jennifer Louis and we're going to talk a little bit more about financial reporting oversight and how that's a critical part of corporate governance. Financial reporting oversight has a lot of important elements to it, including making sure that an entity does properly understand what are the financial reporting risks to our organization.

So the organization needs to have a risk identification process. That includes consideration of all the operational processes that impact the financial statement, accounts and disclosures, risk identification, and assessment considers things like. Are my entities personnel competent enough and dedicated enough to support our ability to meet these financial reporting objectives and does my information, technology, infrastructure and processes support in entities ability to meet financial reporting objectives.

And is the organization has it designed its operations in a way where there are appropriate mechanisms for management to. Deal with risks. So as risk changes and evolves, is there a mechanism in place for them to identify those changing circumstances, such that they can modify the it infrastructure, the processes, the training of its people and other relevant matters in order for them to respond to these risks?

So risk identification is important to make sure that they're looking at all the factors that could create a risk that the financial statements might not be correct. This is going to include both internal and external factors, things that the organization can control and things that the organization can't control.

So when we talk about internal factors, it's things like. The it systems that are put in place that, that are running and generating and capturing the data that's being put into the financial statements. It's going to be the number of people that you decide to hire in the accounting department.

Those are all things that are directly in the control of the entity itself. But there's also going to be external factors that might create risk of misstatement in the financial statements, changes in the economy, changes in interest rates, changes in regulations that organizations have to comply with.

Those are things are outside of the organization's control, but yet they still create circumstances that need to be managed to ensure that financial statements are properly stated. So from a financial reporting risk standpoint, that's why it's so critical for governance being management. Those charged with governance, the board and other appropriate personnel that they're all looking for, identifying these things that could go wrong and then analyzing them through a process that goes through and says, how likely is it that this will have an impact on my financial statements?

That even if it does impact my financial statements, to what degree or magnitude would it likely occur and then D and then. What they can do is use that information to decide what risks need to be managed, what risks need to have some controls in place to keep it from being a big deal. So this risk assessment process requires an initial evaluation.

And analysis of risk, but it also requires management to periodically reassess their conclusions to look for things that have changed that might ultimately need some changes to be made to the internal controls over financial reporting themselves. So financial reporting risks are the risks that something could go wrong.

In the financial reporting information. So financial reporting information is all of the information that is pertinent to the financial statements themselves. So it's all the information that's identified, captured and used at all levels in order to put together your set of financial statements. So it's the actual data that's undermined the financial statements and the financial reporting.

System makes sure that it's captured completely and accurately and timely. It makes sure that all transactions and events are put through some sort of mechanism. Of capturing that data. So things that are routine and in the ordinary course of business, as well as things that are non routine in nature, say a related party transaction or something that happens through journal entry.

Only it doesn't get processed through the system itself. These are all things that you need to make sure that. All transactions events have some means whether they're something that's through the formal processing system or outside of the routine processing system, to make sure that they're everything that needs to be included in the financial statements is included.

This includes things like estimates. So if we have to make an adjusting journal entry to change the allowance for doubtful accounts, then that estimate needs to make sure that gets recorded into the system. It includes looking at. Any operating information that is used to develop accounting and financial reporting information.

Like it could be your cash management and looking at your collections of amounts that were on bills that you sent out to your customers. There's an overlapping degree there. There's an overlap. In the fact that yes, I need to make sure that what is still receivable that has not been collected yet is shown as an accounts receivable my books.

But we also want to know what customers are paying their bills on a timely basis for us to be able to manage cash flow and decide what customers we really should be looking to sell more products or services to. So when we talk about financial information, financial reporting information, it is sometimes things that directly.

Influence the financial statements. And then it also may include things that are indirectly a part of the financial statements. There needs to be policies that are established for reliable financial reporting. And these policies should be communicated throughout the organization to make sure that management's directives are properly being carried out.

People need to know what it is that they should be doing and when they should be doing it so that they are comfortable, that they're properly fulfilling management's directives and their objectives that they established with financial reporting. Part of this is going to be the control activities that are built into the day-to-day processes and that are out there.

How do I collect cash on a daily basis and get it in the bank? How do I pay my payroll? How often do I pay it? How do I pay my vendors? How do I book sales? How do I show that inventory has been relieved after shipments  are made of a particular product. All of those things of whatever happens on a day to day.

Business level, there is going to be an impact on the financial reporting system as well, to get those transactions and events captured into the financial reporting system. So people need to know what their responsibility is and their accountability is for those policies and procedures and management as the one that needs to establish those policies and procedures.

So there is something for people to follow. And it needs to include the timeliness of it. Not just that I want somebody to perform bank recs, but how often do I want an individual to perform bank reconciliations? Do I want them to do it monthly? Do I want them to do it weekly? How often is my expectation for the performance of those procedures?

Other important aspects around policies and procedures for financial reporting is that senior management needs to be involved in the development of these policies and procedures. And as the importance of those policies and procedures. Increases the level of oversight and approval of those policies and procedures needs to increase.

So if I have a board of directors, for example, they're going to be involved in approving any significant accounting policies and procedures that might be material to the financial statements as a whole. So there needs to be somebody that is establishing the policies and procedures, and then somebody else that's reviewing and approving it.

Now who is that? Somebody else it's generally going to be those charged with governance, whoever that is for an organization, there also needs to be a mechanism to make sure that financial policies and procedures are periodically reviewed for their continued relevance and to make sure that they are adapted for changing conditions and circumstances.

So just to review for financial reporting oversight, we want to make sure that the organization is aware of what the financial reporting risks are. We want to make sure that they're aware of how financial reporting information is generated, and captured within the system. And we want to make sure that there's appropriate policies and procedures that are in existence to ensure reliability of the financial reporting process as a whole.

Yeah.

Hi, I'm Jennifer Louis. And we're going to talk a little bit about the purpose and benefits of monitoring and control effectiveness. As it relates to corporate governance. The primary purpose of monitoring is to provide comfort on whether controls continue to operate effectively over the course of time.

That concept is critical to governance because you're looking at whether or not there isn't any deterioration of controls, because if you're not monitoring those controls, then they tend to deteriorate over the course of time, which could lead to misstatement in the financial statements. And so governance be it management and the board of directors and executive management teams and other appropriate parties.

They are the ones that need to set the standard to say that we are looking over each other's shoulder to ensure that we're all doing the right things in the right way in a timely manner. So monitoring as a foundational premise is the gathering of all the important information that needs to be accumulated in order for.

Appropriate people to make that evaluation of wound, whether or not controls are continuing to operate effectively over the course of time, monitoring should include all the important elements of internal control. Which generally is going to be the components of the COSO integrated framework that you've heard me talk about multiple times.

Now, if you've been watching all these different segments, and if you remember the five important components are the control and bias, the risk assessment, the information and communication, the country control activities themselves, and then monitoring. So monitoring is the fifth component of the COSO.

Internal control, integrated framework that monitors the other remaining four components of a well-designed and operating effectively effectively operating system of controls. So it looks at the relative strength of all those other components and evaluates whether or not there's any deficiencies in the system that need to be fixed.

Now, monitoring can happen through manual processes or automated processes. So a manual. Monitoring example would be if somebody physically takes a check package that was written and looks at the supporting check package and decides whether or not it was properly categorized, whether it was properly authorized, whether it was put into the right reporting period for the right amount, somebody going through and maybe taking a sample of those check disbursements and making sure that everything was treated properly.

You also could have an automated monitoring mechanism over cash disbursements. And that could be that perhaps the system automatically rejects any checks that are written over a certain dollar amount, or maybe it matches, checks up with the vendor invoice file that shows all of. Vendor invoices that have been approved for payment.

And so it check can't be cut for the vendor unless it's in this authorized vendor listing. So there's ways that, that systems can be used automated systems that can be used to help mitigate the risk that there's something going wrong with the day-to-day processing and what it might be even is to generate these exception reports that could be.

Something that's listed, for example, run me a list of all disbursements that were authorized and processed after hours. And so somebody could go take that exception listing and look to see whether or not it appears as if these are valid transactions. This concept of monitoring has two folds to it. One of them is that it looks at.

Where there might be actual errors in the system or where somebody might be overriding controls or perpetrating fraud, but it also looks at the effectiveness of the system because it identifies any internal control breakdowns, which may reduce efficiency and the system as a whole. So part of monitoring is to make sure that the entity is producing accurate and reliable information to be used in decision-making, including.

Creating accurate and timely financial statements that are used by outside third parties, perhaps, but it also is identifying and correcting internal control problems on a timely basis. So it's looking at. At how things are processed over the course of time, not just a set period of time, but over the course of time.

And so you want to make sure that monitoring is done periodically, not just once a year, that there should be monitoring that is built into to some degree ongoing monitoring that happens on a routine daily basis. Because you don't want issues and problems with things like controls or misstatements, net financial statements to linger out there for too long of a period of time, because they could aggregate up to be something that's material as time passes.

Ultimately the goal of monitoring that would be a benefit to an organization is to be more proactive in identifying deficiencies in internal controls, over financial reporting, and to identify any misstatements so that they can be dealt with on a timely basis. So what are some important foundational elements of monitoring?

Those elements are going to include a proper tone at the top. Regarding the importance of monitoring. So those that are most directly involved in monitoring management, senior management. The board or others that might be part of governance to make sure that they're taking the process seriously, that they are communicating with people at lower levels of the organization.

If they do find deficiencies to let them know that we found a deficiency, here's how we're going to fix it. And to put people on alert that they need to make sure that they're doing there. Their jobs and their responsibilities appropriately. Otherwise somebody's going to notice, and they're going to take action.

So an effective organization structure that assigns these monitoring roles to people with appropriate capabilities, objectivity and authority is important. So not just assigning roles and responsibilities and how to process individual transactions and events throughout a financial reporting system.

But also who's going to be monitoring what, within that process, all the way up to what is. Those charged with governance or the board of directors going to monitor in their role and responsibility, another critical element beyond setting the right tone and having an appropriate organization structure that assigns roles and responsibilities to those that are going to be doing monitoring is to make sure that those doing the monitoring have a baseline in order for them to monitor against.

They have to know what is the starting point that I'm dealing with or what is the. Desired baseline that we want to operate against to compare to. So what do I compare against what are we doing now compared to what we should be achieving and being able to identify the differences that might exist in that point in time.

So they want to make sure that they're using persuasive information about key controls that. Might address some of these meaningful risks that are out there with the financial reporting objectives. So you want to make sure that those doing the monitoring have a means of identifying and knowing what it is that they're looking for as far as risks that could be out there.

And they also want to make sure that they know what are the controls that we're using to monitor or manage those risks. To keep them from being something that is considered to be material. So they need to know what the relative severity of any problems are. And what are the points in time where I need to remediate or fix those problems.

There's some points in time where there could be a deficiency or a problem in the system that's identified, but we can let it go for a little while before we have to deal with it because it's really more of a less consequential. Issue so I can let less consequential things build up over the course of time before I have to deal with them, as opposed to I come across an issue in my monitoring, that's a major, big deal, and I need to fix it right away because it's going to have an immediate impact on my financial statements.

So those doing the monitoring need to have the capability to be able to differentiate the varying levels of severity of the problems and issues that they come across and be able to prioritize their responses to those problems and issues for timely action and follow up as necessary who gets. The information about any identified deficiencies is going to be those that are at an appropriate level to fix the problem, as well as one level up from that should be aware that there is a potential issue here for the longterm.

And so what that might mean is that what that might mean is that a monitoring might happen at a level closer to the identified deficiency for a period of time until. Everybody gets comfortable that the problem has been fixed and then maybe monitoring could be loosened up a little bit and performed at a less periodic level until because they're comfortable that the system is working as intended again.

Okay. So when we talk about with monitoring, it's important for those charter, that responsibility, to know what their responsibilities are, to know who's all involved in the monitoring process to be able to understand financial reporting risks and to be able to understand materiality so that as they're going through and they're identifying deficiencies and potential problems, they can go through the process of evaluating what needs to be done.

And when, so that they can allocate resources appropriately and communicate issues appropriately throughout the organization, to make sure that the most important things aren't being dealt with first and that other issues that may have been encountered are being dealt with on a future basis.

Hi, I'm Jennifer Louis. And we're going to talk about practical applications of monitoring concepts. If you need to go back and refresh on what monitoring is, go back to the internal controls over financial reporting section, and read a little bit about monitoring and how it fits into the. Internal controls of our financial reporting framework.

And then also look at the sections that dealt with the benefits of monitoring. So the monitoring is something that's critical to ensuring that there's reliable financial statements that are generated from a system. And there's different types of monitoring that could occur. One of them is to have internal audit or other appropriate parties.

Go and periodically evaluate and test the operating effectiveness of controls that are in the internal control and are in the financial reporting process. So a periodic evaluation or a separate test of controls is something that's called a separate evaluation. There also could be ongoing monitoring and ongoing monitoring as the continuous monitoring of information that's built into a system.

And so this can be something that's done on an automated basis, or it could be something that's done on a manual basis. So on a manual basis, for example, there might be some operating reports or some performance metrics that are generated from the system that tells us. The tells management or other appropriate parties about the financial information that's being generated.

And they can look at that financial information and they can look to see if there's anything that looks odd or funny or what you might hear called an anomaly. So if there's an anomaly, it's that, there's something that's not expected. There's something that is unusual. And so if there's a trend, let's say if I'm looking at my.

Expenses from last period to this period. And all of a sudden there's certain expense areas that really jumped up significantly from the prior period that might be an anomaly or something that's unusual that could be integrate indicative of a control failure, or it could be that we just spent more money and that increase in expenses is actually something that's valid.

It also could be that perhaps there's items that are miscategorize, that something's getting charged to a particular expense line item that doesn't really belong there, or it could be that things that. Should be recorded in the next period or being recognized too early, or it could be that somebody stealing from the company and they're trying to cover it up.

And so they're hiding the other side of the entry into expenses. So monitoring is going to include looking at these re these reports that are generated with financial information. And they're going to look to see whether there might be things that are significant or unusual, or those. Anomalies in order for them to identify possible issues.

And then the job of the people that are doing the monitoring then is to actually follow up on those issues and ask the questions to see, is it truly a problem or not? If it does end up being a problem, then they need to correct the problem. Make sure that the amounts end up being correct in the financial statements, but then they also need to correct.

The system to make sure that this whatever deficiency, what in a system that existed that allowed this misstatement or this error to occur that, that gets fixed as well. So the ultimate goal of monitoring is to make sure that the numbers are right in the financial statements at the end of the day.

And the presentation is appropriate and the disclosures are appropriate. But also that the system that's generating all this information is also a strong, accurate, reliable system. Part of the monitoring could be through. Supervisor review that occurs in the course of business. So for example, looking at reconciliations, if somebody is preparing a bank reconciliation, and then somebody else is reviewing the bank reconciliation, The person reviewing the bank, reconciliation is looking at it from the perspective of was the bank rec done.

And does it tick and tie and agree, but they're also looking for things like, are there any unusual reconciling items that might indicate that there is an error in the financial statements or an index or an internal control failure? They're going to look at. Was the reconciliation able to perform timely.

If it wasn't able to be done timely, then maybe there's a system problem that needs to be fixed. Or perhaps there are unusual transactions or events that need to be further analyzed and addressed. So the rec the review of the reconciliations is a control activity over the financial statement amount of cash, but it also is a monitoring control over the processing of cash and the management of cash and looking at it from a systems perspective as well.

So self-assessment needs to be done. By management, if they're the ones that are performing some of these controls. So if management is the one in a smaller organization that is preparing the bank reconciliation, who should be reviewing the bank reconciliation to look for the appropriateness of financial reporting and looking to see if there's any red flags or indicators of deficiencies in the system.

Those charged with governance are the ones that might be the appropriate party to look at bank reconciliations. In that situation, if management is preparing the bank rec, then an executive management committee or the owner of the business, or a board of directors needs to be the one that's reviewing the bank reconciliation, there always should be some sort of oversight function.

To set the right tone in the organization around the importance of generating reliable financial statements. Monitoring is also going to include things that is, that is built into the interactions that those charged with governance has with internal and external auditors. So internal and external auditors are going to bring potential issues to the table around things that they think may be areas of concern.

That needs to be looked at in more detail or possibly could end up in material misstatement down the road. So internal and external auditors are supposed to throw up the red flag to say, Hey, I think there potentially could be an issue. And then. Management is the one that's responsible for taking the corrective action and making the changes in the system to make sure that problem does not continue or end up being something that is a much larger deal that could end up in a misstatement of the financial statements, or maybe even having to restate financial statements for the information that's already been generated.

So how do we prioritize monitoring? It's going to depend on risk. And so somebody has to make the decision around. As problems are identified. Let's say that maybe we find a transaction that is miscategorized or we find a disbursement that was made too soon, or we find a cash receipt that was coded to the wrong customer.

As we find these problems, somebody has to make a judgment call to say How big of a problem is this, what's the likelihood and the magnitude of this issue. And is this something that we need to fix now today? Or is this something that could wait a period of time before we end up fixing it? They have to look at the inherent risk associated with issues that are identified through monitoring.

So they have to look and see what's the nature of the problem. What is the. Complexity of the problem, how much subjectivity is involved with this particular area? They have to look at how many processes could be impacted by this problem.  How much could it perhaps trickle out throughout the organization?

So there needs to be an instance where somebody is able to prioritize. Ha, not just the monitoring efforts, but prioritizing the response that is necessary for any problems that are identified. Having said that there also is an inherent risk that things may change and that controls may not. Modify or adapt appropriately to deal with these changing circumstances.

So in an earlier section, we talked about the need to have a control baseline. So the control baseline is giving the, those that are doing monitoring a starting point that. So for them to be able to compare against, to say, okay, what is the ideal situation that I should be looking for? And now, where do I have variances from that situation that I need to perhaps investigate and resolve?

It's important to make sure that those doing monitoring realize that the control baseline may need to change because it's circumstances change as the business grows as our. Products and services evolve as the economy changes. There's things that change that require the baseline to change, because what might be reasonable and expected in one month might not be what's reasonable accepted in the next month.

For example, with the downturn in the economy, it might not be expected that revenues should be consistent with the prior period. You actually might expect a decline in those revenues. So the control baseline of what you're looking for to identify those significant and unusual events or anomalies might be, if it is the same as last year, I want to know what's going on.

So it's important to make sure that. That those doing monitoring are aware of changing circumstances and they're aware of changing risks and they're aware of where numbers are expected to change and should change and where controls might need to be modified in order for them to best address the risk.

So using a change management process might be one means of verifying that. Any necessary changes to controls are being appropriately made and that a new control baseline is actually create it when appropriate. Yeah. And then finally somebody needs to periodically con reconfirm that changed controls the new baseline that things that evolved, that we made changes to our systems, that those are.

Operating from that point forward at an appropriate level. So there may, so there needs to be monitoring of the new set of controls or the new processes or systems. Okay. A couple areas to emphasize that. I think we've talked about several times now throughout the corporate governance modules, but I know it's an important concept that is likely going to be addressed in the BEC CPA Exam is the concept between there's a difference between ongoing monitoring and separate evaluations.

Ongoing monitoring is the monitoring that's done in the ordinary course of operation. So these are the things that are going to potentially happen daily, weekly, monthly, quarterly. So depending on the frequency of the operation of control, there's going to be different levels of monitoring of that control.

So if I have a daily control, I have to make an assessment of how often do I need to monitor the daily control is happening. If I have a. Weekly something that happens weekly, or how often do I need to monitor that weekly control? So the extent of operation of the control that's being monitored plays into determining the timing of monitoring the control to make sure that it's happening as intended.

So a lot of times these things are built into the regular. Processes the regular management and supervisory activities. So if I know that I want to do monthly bank reconciliations, I know I want to do quarterly budget to actual analysis. Those are things that are going to be built into the normal policies and procedures.

And they're going to be set at a timeframe where it's. Real time enough to be able to identify potential internal control issues before they aggregate to be a material issue, because that's the goal of monitoring to keep problems from building up to end up being a material misstatement in the financial statements, separate evaluations are going to be things that happen at a point in time.

It might be that. Separate evaluations might occur once every other year. It could be dependent on an internal audit and what internal audit establishes as what it is that they want to look at. It might be that it's the same thing that we do on a ongoing basis, but we do it less periodically with a very specific focus.

Let me explain what I mean by that. If I do. Monthly budget to actual analysis just through the course of business. And it might be that the controller does that maybe every quarter, the board of directors looks at the results of the budget to actual analysis and they do their own investigation of things that might look significant or unusual.

So it might be that it's the same thing. We're doing budgets, actual analysis. It's just that it's done at one level. On an ongoing basis and it's done at a higher level at a basis that happens less often throughout the process. So monitoring is important to make sure that you're building it into a good sound system of governance.

And it needs to make sure that everybody's thinking about as they're designing, monitoring as part of governance, that there's an identification of all the people that are involved in monitoring. What are the different procedures that we're doing? What are the things that we're doing that are part of ongoing monitoring and what are the things that are part of separate evaluations that might be done by internal audit or through control self-assessment or through using outside resources or using the board of directors or a higher level of management?

Hi, I'm Jennifer Louis, and we're going to discuss the importance of making sure that you're using quality information in the monitoring process. That's a part of corporate governance. So corporate governance and monitoring requires information that's generated from the system in order for them to perform the analysis of whether or not things are operating as intended.

And so it's important for that information to be persuasive. And when we talk about persuasive information, it's the degree to which the information provides support for the conclusions that. They're coming too. And so when we talk about persuasive information, it really is going to be contingent on two key aspects.

One of them is that the information is suitable and the other is that it's sufficient. Now suitability has three components to it. It has to be relevant. It has to be reliable and it has to be timely in order for it to be suitable. So relevant information, provide something that's actually meaningful about the operation of the underlying controls or the control component itself.

And so it's fit for its intended purpose. Or there actually is relevance to what it is that we're accumulating to monitoring the next aspect, being reliability. Reliable information means that it is not only accurate, but that it's also verifiable and comes from an objective source that is suitable to generate the information.

And then the final part of having information that is suitable is that it also needs to be timely. So suitable information is relevant, it's reliable and it's timely. And timely information is produced and used in an appropriate timeframe to make it possible, to prevent or detect control weaknesses before they become significant.

And that's an important concept about. The T the suitability of financial information, it's emphasizes that we need to do it in a timely manner that will prevent or detect and correct control weaknesses before they become significant. So it's not that we have to prevent or detect every single misstatement it's that we have to prevent or detect problems before they aggregate up to be significant.

So that means that there could be inconsequential deficiencies in our internal control system that we could let lapse for a period of time and that they won't aggregate to be significant until a month out a quarter out, even a whole year out. And so the relativity of monitoring is going to depend on how timely do I need the information to be.

And my. Assessment of that around the time of information is going to depend on how quickly could my problems add up to be aggregated, to be something that's significant. So ways of information is going to be both suitable and sufficient. Suitable information is relevant, reliable, and timely, and sufficient information means that I've gathered.

I've gathered it in enough quantity in order for me to form a reasonable conclusion. Both suitability and sufficiency are really a matter of a judgment. That's going to be based on the relative risk of what it is that's being monitored and the relative importance of the control. The other decision that has to be made around information that's used in monitoring is whether or not the information needs to be gathered directly, or can it be gathered indirectly direct information is obtained.

Directly it's obtained through observing controls in their actual operation, like observing somebody, opening up the mail and accumulating the cash and checks for deposit. It could be repo re-performing the control. So that's a direct information. So to re-perform a. Bank reconciliation, for example, to make sure that you're comfortable with the process and that you're comfortable with the information that's being accumulated within the reconciliation itself.

You also can do some other direct testing of controls, like going through and pulling a sample of cash disbursements and looking at the supporting check package and making sure that it's coded to the right account and in the right period. And it pu it appeared to have all the proper sign-offs that were required in order for the disbursement to be made.

Each of those are examples of monitoring where monitoring is being performed with direct information and direct information tends to be pretty persuasive information because it provides an unobstructed view of the operation of that control. So direct information is something that is probably most appropriate for monitoring controls that have the greatest level of importance to them.

Indirect information is going to be less persuasive than direct information because it's indirect. It doesn't tell the evaluator explicitly what the underlying controls that the underlying controls are operating effectively, but it gives you some indicator as to whether or not things are going a skew or something.

Doesn't quite make sense. So a lot of times these the monitoring that's done with indirect information is using reports. And analyses that are summarizations of individual transactions that are generated from the system, like looking at operating statistics, looking at my accounts, receivable aging, or my AR has percentage of sales or looking at my gross profit margin trends are looking at my expenses compared to last period of this period.

Those are all things that it's an aggregation of data and information that is probably done on in a. In a manner that might be weekly, monthly, quarterly, annually, it's often done in, on a basis that's less periodic than my direct information. So it's important that even if we're using indirect information that we think about how timely we need that information to be, should I be monitoring budget to actual.

Once a week, once a month, once a quarter, what would be appropriate for me to look for those anomalies? And remember we said, anomalies are the things that look odd that are significant or unusual, and that we're looking at those anomalies to be able to address them in a timely manner that would allow me to prevent or detect and correct any problems before they aggregate too, these significant.

So whether I'm using. Direct information or indirect information. It's important to think about the timing of those monitoring controls and looking to see, what is it that needs to be there in order for this information that's being used to be persuasive information for me to be able to conclude that the systems and the processes and the controls are operating as intended.

Which in effect means that I could have a better sense of comfort that my financial statements that are being produced are reliable when you're looking at it indirect information. It's important to realize that the absence of any anomalies does not mean that the underlying controls are operating effectively.

It just means that they could be that the Controls are failing, but yet the data information that's being produced isn't reflecting an anomaly for some reason. So the absence of thing of things looking significant, unusual does not mean the underlying controls are operating effectively.

Whereas direct testing generally is going to give you better information about the operating effectiveness of controls. So in order for monitoring to be something that is useful, In a governance type environment. It does need to be based on information that is, has a sense of high quality to it and is appropriate to the monitoring that's being performed.

So when we talk about persuasive information, we have to remember it. Persuasive information needs to be both suitable and sufficient. Suitable means that it's relevant, reliable, and timely. And the information that's being used can either be direct information, meaning that I'm actually observing the controls or re performing them or getting them through some other direct means, or they could be indirect information that evolves from the processes in which the underlying control actually resides like budget to an actual analysis or looking at a trend.

Reports or other types of key performance metrics, but whether it's direct information or indirect information, it still needs to be suitable and sufficient. So the concepts of relevant, reliable, timely, and sufficient to the extent that I need to have it, they, those concepts still hold true. Whether it's direct or indirect information.

Hi, I'm Jennifer Louis. And we're going to talk about the change control process as it relates to corporate governance. Now change control process is basically. The formal process that's used to ensure that any necessary changes to internal controls over financial reporting are that are identified through the monitoring process are done in a coordinated and controlled manner.

So when we talk about governance and we, when we've been talking a lot about the importance of establishing the right tone of the organization about, about Generating reliable financial statements and the importance of internal controls over financial reporting and identifying financial reporting risks and designing procedures to manage those risks and making sure that we're monitoring to ensure that things are happening as intended.

All of that is meant to look for where there is a need for change, either things aren't happening as intended. And so we need to reinforce that with individuals to tell them you need to do this. Role and responsibility and activities that were assigned to you. And perhaps they're not doing them and they're not doing them appropriately, perhaps they're not doing them timely.

Perhaps they're not doing them as well, Boston thoughtfully. So where is it that we need to modify existing controls? But also, where is it that we need to perhaps add control activities to the process that the, to the internal controls over financial reporting that we need to modify and change them because of changes that have been happening with internal external factors, like changes in the scope of our business or changes in the ability for our customers to pay their bills or changes in interest rates on our variable rate debt, which is.

Having us pay more every month on our debt, which leaves us less money to reinvest in the business. So all of those types of things, we also need to take into account with change control, to ensure that necessary changes are made when they're needed and where changes to existing things are done as well.

So what's new and what needs to just be tweaked or clarified or enhanced? So identification and communication of these changes needs to be done in a timely manner to those parties, responsible for taking corrective action. And that's going to include management and those charged with governance when it's appropriate, it needs to meet.

You need to make sure as we're thinking about what needs to change, that it's going to come from information from lots of sources. It could come directly from. Internal sources through our monitoring of how things are done in our business. But it also could come from external sources, perhaps external auditors bring to management's attention that there's a deficiency in the processing of.

Cash receipts, or maybe it comes from a regulator that has identified where there might be a flaw in how certain transactions or events are being treated within the internal control system. So deficiencies can be identified either from internal or external sources and all deficiencies that are identified need to be considered.

Okay. For what's their implications on our financial reports so that we can prioritize and take timely corrective action to fix the problems that we've identified. And then once we've made corrections to the system, we need to make sure that the corrected systems. Are designed and are operating effectively a well, so there needs to be ongoing sense of monitoring just because we monitor it and make corrections to systems at one point in time.

Does it mean that we can now ignore that? We need to make sure that we're constantly and continuously looking for improvements to the process to strengthen our internal controls over financial reporting. So there's different tools that can be used to help us in this process. And there are some formalized process manage management tools that are out there that could be purchased and installed in a information technology type environment.

And they might make mom tree more efficient and something that's more sustainable for the long-term, particularly if we have to replicate the monitoring activities over a period of time, maybe every month or every quarter. So the automation could help us not only identify problems, but it also could help the organization assess and prioritize risks by assigning some sort of key that would help me.

Okay. Is this something that is of a low priority? Is this something that's at a moderate priority or is this something that needs to be fixed and corrected right away? So it helps us identify risks. Assess risk. And then also look for the controls that are linked to the problems that we found. So if I found that something got coded, a vendor payment got coded to the wrong expense line item, it went to telephone instead of rent.

Then what I would need to do is to say what controls failed that enabled that to happen? And. How can I, and who do I need to communicate those problems to so that we can appropriately fix the system. So these process management tools are the things that provide the structure to consistently keep track of our monitoring efforts, to link them to the specific controls that need to be fixed and to follow up on that process by communicating to the appropriate people, what needs to be fixed as well as to follow up on controls that have supposedly been remediated to make sure that they really have been fixed too.

To the degree that we wanted them to be. So it's a repository for all of these pieces of information and it allows us to document our thought process and our rationale and our thinking around the change control process. Yes, it helps us roll up information. So if I have lots of deficiencies that were identified related to.

My cash receipts processing. I might've had five different deficiencies that I identified in my internal control process that needed to be fixed and governance might want to roll all the deficiencies up and to think, to look at cash receipts as a whole, as opposed to maybe just. Opening the mail or depositing the cash in the bank or relieving the receivable from the system.

So you could look at things at a very finite level, or you can look at things at a very aggregated level. And these process management tools allow governance to look at the items that were identified at varying levels throughout the organization and throughout the process. So the goal ultimately is to try and make the process simple too, to figure out a way where there can be a dashboard of metrics that will focus time and effort into fixing the problems that carry the highest degree of severity.

And risk to the financial reports themselves and to make sure that they get fixed first and then trying to roll out any remaining resources to fix the problems that are of the next level severity. And then the next level of severity and moving that through the process and keeping track of as things get fixed, to remove them from  the dashboard of metrics.

Management and other personnel, obviously you're going to be capturing this information and doing the initial input into some sort of process management tool. But those charged with governance, people that are at the board of directors level or executive management team level, they also need to be involved in the process because they need to hold management accountable for.

Aggregating this information and taking corrective action and following through, if management says that they're going to make some sort of corrective fixed by the end of the month, then somebody needs to hold them accountable for following through with that action step in that plan. And so those charter governance.

Plays that role in monitoring senior management to make sure that they're doing what they've committed to and that they are properly remediating identify control deficiencies in a timely manner to prevent or detect and correct misstatements. Those charts of governance are the ones that are best positioned to objectively.

Look to see whether or not management has implemented effective monitoring procedures and taken corrective necessary action, because hopefully they don't have a direct vested interest in it. They're not the ones that are the doers, so they can be the ones that are the overseers. So this may involve.

Those charge of governance, having to do some inquiry of management and to get updates from them. But it also is going to include the conversations that they have with internal audit, external audit. If there's a specialist that's brought in to correct a particular problem or issue, they should be involved in having robust and open dialogue with all appropriate parties that might.

Give some red flag signals around the quality of the job that management's doing in managing the process of enacting change. As it's been deemed appropriate, this should include. Looking at necessary changes that because of problems that were identified, that could be leading to fraud or to error. So remembering that management could have an intent to deceive and they could even be intentionally deceiving, those charged with governance.

And so particularly when there's a deficiency that relates to a potential fraud risk that needs to be. Given a higher level of priority of looking to see what needs to be done. And so they may need to actually physically do some direct testing. So remember, in another module, we talked about the persuasiveness of information, and so those charter governance may need to get some direct information about whether or not there could be some potential fraud problems going on as opposed to relying on indirectly information.

Ultimately, as we look at governance and we've looked through the whole process of different elements of governments, we've talked about, who is. The parties that are involved with governance, we've talked about the important qualities of governance, not just the board of directors, but the audit committee, if it's appropriate of an executive management team, if that's who the governance structure is.

And then all the different elements of what it is that governance is doing the importance of them being involved in all the different elements of the COSO integrated framework, that includes the components of the control environment and risk assessment. And. Control activities and monitoring and information and communication.

And also thinking about the objectives of these systems of internal controls, how, yes, we're really heavily focused on the reliability of financial information because that teams to be the thing that carries the greatest risk in an organization. But also we need to think about operational effectiveness and efficiency and compliance with laws and regulations and.

Particularly, if we're thinking about the enterprise risk management framework, that we're thinking about strategic objectives as well, and emphasizing the points in those components of the COSO framework, that really requires governance to be most heavily involved with establishing the control environment.

With ensuring proper information and communication with assessing risk appropriately and then monitoring to make sure that things are happening as intended. So there's a critical role for governance throughout the process of financial reporting to ensure that they're generating accurate, complete, timely, and reliable financial information where the risk of material misstatement has been reduced to a relatively low level.

Hopefully you've learned a lot as we've gone through talking about the corporate governance section, I encourage you to go back and look at. The outlines that were associated with the viewer's guide to look at any notes that you took and to reevaluate, if there's any areas where you need to go back and revisit, because it doesn't look as familiar or to you as you thought you would remember things the first time through, because sometimes these segments are done.

All at once. And sometimes they're broken into multiple days, so go back and revisit and make sure that there's nothing that you want to review. And I encourage you to continue to study and to take this process in a way that, that you're. It's it gets a career choice in a way, is that you're moving forward and you're treating this process as a job to ensure that you're setting yourself up for success in passing the BEC CPA Exam.

So I wish you all the best of luck and here for all of us here at Bisk CPA Review, online learning, we really hope that you pass that exam.