
Section 1:

Corporate Governance

Governance - combination of people, policies, procedures & internal control that ensure an entity effectively & efficiently meets the objectives of its stakeholders
Stakeholders - person or entity affected by activities of the entity: shareholders, employees, suppliers, customers, govt. regulators
External corp. govern. mechanism - Securities Act of 1933 & Securities Exchange Act of 1934
Internal corp. govern. mechanism - corporate charters & bylaws & internal audit functions
Articles of incorporation - corp formed under laws of state of incorporation
  a. Filed with secretary of state
  b. Include: corp name, number of shares of stock, address, name of registered agent, name & address of each incorporator
  c. Also contain: purpose & powers of corp & internal mgmt
Bylaws - rules for a corp; highest level of governance
  a. Authority of officers & directors
  b. Selection of officers & directors
  c. Lengths of their terms
  d. Compensation
  e. How the decision to issue new stock is made
Shareholders
  a. Common - contributed basic capital for corp to carry on its business
  b. Preferred - contractual right to receive dividends and liquidation distributions ahead of common; not always granted voting rights
  c. Act only at a meeting
  d. Required to hold an annual meeting
  e. Acts performed at annual meeting:
    a. Amending articles of incorporation
    b. Voting on matters requiring general vote
    c. Electing/removing directors
Shareholder Suits - serve a governance function
  a. Shareholder may sue a corp:
    a. To preclude acts beyond its powers
    b. Recover improper dividends
    c. Remedy for mgmt breach of duty
    d. Rights created by statute, articles, bylaws or common law; clawback - injured parties recover misused funds
    e. Sue directly on their own behalf, either individually or as members of a class

  b. Shareholder Derivative Suit - recover for wrongs done to the corp; for the benefit of the corp; recovery belongs to corp, not shareholder
  c. Shareholder agreement - shareholders can change by unanimous agreement provisions for corp govern:
    a. Eliminate the board or restrict its powers
    b. Determine officers & directors
    c. Set voting requirements for directors & shareholders
Board of Directors - oversight role & make/approve all major corp decisions
Duties:
  a. selection/removal of officers
  b. capital structure decisions
  c. adding, amending, repealing bylaws
  d. changes: mergers, acquisitions
  e. declare & distribute dividends
  f. mgmt compensation
  g. audit activities: audit committee
  h. evaluating & managing risk: risk committee
Fiduciary Duty - directors/officers: act in best interest, loyal, due diligence in carrying out responsibilities, disclose conflicts of interest
  a. controlling or majority shareholders owe similar duties
  b. conflicting interest transaction - personal loan by corp to director/officer; acceptable if
    a. fair to corp
    b. approved by directors who do not have a conflict of interest
    c. SOX prohibits personal loans to director/officer of public companies
Business Judgment Rule - protects a director/officer from personal liability for honest mistakes of judgment if
  a. acted in good faith
  b. not motivated by fraud, conflict of interest or illegality
  c. not grossly negligent
    a. to avoid personal liability, directors/officers must:
      i. make informed decisions
      ii. be free from conflict of interest
      iii. have a rational basis to support their position
      iv. director entitled to rely on information provided by an officer if reasonably believes officer has competence in relevant area
Officers - executive mgmt; responsible for day-to-day operations
CEO - directly selected by & reports to board of directors; selects CFO & CIO
Internal Audit Function - crucial governance structure
Internal Auditing - helps org accomplish its objectives by a systematic, disciplined approach to evaluate & improve effectiveness of risk mgmt, control & govern

Two types of work performed:
  a. Assurance services - internal audit function provides an assessment of govern, risk mgmt, control
  b. Consulting services - advisory in nature; add value & improve govern, risk mgmt, control
Two qualities:
  a. Independence - organizational quality; internal audit function should report directly to audit committee w/administrative reporting to CEO
  b. Objectivity - personal quality; internal auditors must have impartial, unbiased judgment
Aspects of Corp Govern:
  a. trusteeship - custodianship of corp assets; positive outcomes
  b. empowerment & control - decision-making; checks & balances
  c. good corp citizenship - integrity & ethical values; tone at the top
  d. transparency of public disclosures - higher cost of capital
SEC - enforces securities laws
PCAOB - regulates public accounting firms
Financial Reporting
  a. publicly held corp annual report to shareholders must contain audited financial statements
  b. board of directors - responsible for hiring, compensation, overseeing work of independent auditor
  c. Audit Committee - large corp.; subset of board of directors that performs those functions
    a. Address complaints for accting & auditing matters
    b. Receive reports - accting policies & practices, material alternative treatment within GAAP, ramifications of use of alternative disclosures and treatments preferred by external auditors
  d. SOX - imposes responsibilities on publicly held corp & auditors
    a. Each member of audit committee has to be independent of board of directors & 1 has to be a financial expert
    b. Independent director - not affiliated with & receives no compensation from board of directors
    c. Audit committee responsible for appointing, compensating, & overseeing work
    d. Firm must report directly to audit committee
    e. Firm must be registered with PCAOB
      i. PCAOB - private-sector body; regulates accounting profession
        1. Establishes auditing standards
        2. Inspects & investigates accounting firms
        3. Enforces compliance w/rules, standards, act, securities laws
  e. Public accounting firm - cannot perform consulting, legal & internal auditing services for audit client; can perform tax planning & other nonaudit services if preapproved by audit committee
  f. Mgmt responsible for financial statements
    a. Independent auditor's standard report - sentence stating financial statements are responsibility of mgmt, not auditors


    b. Auditor's responsibility - express an opinion that financial statements are fairly presented in all material respects
    c. Auditor does not answer to corp officers
    d. Auditor reports to audit committee
  g. Section 302 of SOX
    a. Requires CEO & CFO to certify each report filed w/SEC that financial statements fairly present in all material respects the financial condition & results of operations
      i. Knowingly & intentionally violating this will result in forfeiture of
        1. Bonus/incentive-based compensation received previous 12 months
        2. Profits received from sale of stock previous 12 months
  h. Section 802 of SOX
    a. Criminal penalties for destruction or falsification of documents - fined or imprisoned no more than 20 yrs

INTERNAL CONTROL
COSO Framework - Internal Control-Integrated Framework; design & operation of internal control systems
Internal Control - process effected by board of directors, mgmt & other personnel to provide reasonable assurance of mgmt's objectives:
  a. Effectiveness & efficiency of operations - doing the right thing & doing things right; pursuit of org objectives; entity's mission
  b. Reliability of financial reporting - investors/creditors must have access to reliable financial reports; mgmt's assertions for fair presentation of financial statements: occurrence, completeness, accuracy, cutoff
  c. Compliance w/laws & regulations - conduct activities & take actions in accordance w/laws & regulations; subject to laws at local, state & federal levels
  d. Benefits of internal controls must always exceed costs of implementing them
  e. Objective in one category can overlap/support objective in another
  f. As conditions change, objectives must be altered to adapt to changes
  g. Reasonable assurance of objectives is the goal
Components of Internal Control - five interrelated components
  1. Control Environment - sets the tone of an organization & foundation for all other components of internal control; discipline & structure
  2. Risk Assessment - identification & analysis of risks to achievement of objectives; how risks should be managed
  3. Control Activities - policies & procedures that ensure mgmt directives are carried out
  4. Information & Communication - information must be identified, captured & communicated
  5. Monitoring - assesses the quality of system's performance over time


The Control Environment - 7 areas
  1. Human resource policies & procedures - integrity & ethical behavior; ongoing training
  2. Integrity & ethical values - policies & corporate culture
  3. Organizational Structure - determined by size & mission
  4. Commitment to Competence - internal control strengthened when mgmt specifies competencies required for jobs & ensures employees have knowledge & skills

  5. Management's Philosophy & operating style - sets the day-to-day tone; entity's attitude toward risk & degree of control
  6. Board of directors or Audit committee - willing & able to question mgmt's actions; board of directors: 1 outside director; audit committee: all outside directors
  7. Assignment of authority & Responsibility
Risk Assessment - risks & the need to manage organizational change
Risks - mgmt must focus on risks at all levels; addressed thru process of identification & analysis
  a. Risk Identification - how risks are identified is less important than the requirement that all risks be considered
    a. External risk factors - technological changes, changes in customer wants/expectations
    b. Internal risk factors - interruptions in automated systems, quality of personnel hired
  b. Risk Analysis - formal/informal
    a. Estimating impact of event
    b. Assessing event's likelihood
    c. Considering means to manage risk
    d. Inverse relationship b/w risk and its likelihood
Managing Change - internal controls must be adapted to changing entity
Examples:
  i. Changed operating environment
  ii. New personnel
  iii. New/revamped information systems
  iv. Rapid growth
  v. New technology
  vi. New lines, products, activities
  vii. Corporate restructurings
  viii. Foreign operations
Control Activities - preventive/detective, manual/automated
Examples:
  a. top-level reviews - actual vs. budget
  b. direct functional or activity mgmt - day-to-day interaction of mgrs w/line personnel
  c. information processing
  d. physical controls
  e. performance indicators - daily cash balance
  f. segregation of duties

  a. Once risks are identified, control activities designed to address risks are put in place & personnel trained
  b. Well-designed controls serve as tools
  c. General Controls - affect all computer systems; the environment within which application controls function
    a. data center operations controls - controls over centralized hardware: mainframes/servers
    b. systems software controls - controls over installation & upgrade to operating system, database mgmt system, security software & utility programs
    c. access security controls - controls over physical access (contact w/hardware) & logical access (view/change programs or data)
    d. application system development & maintenance controls - controls over procurement of new computer applications
  d. Application Controls - specific to a given computer application, e.g. payroll processing
    a. completeness & accuracy of transaction processing, authorization & validity
    b. controls applied over input, processing, & output of an application
Information & Communication
Information - financial (inventory valuation) or nonfinancial (market demographics)
  a. strategic & integrated systems
  b. information quality - appropriate, timely, current, accurate & accessible
Communication
  a. Internal - role each employee has to play communicated in policies & detailed procedures; feedback from lower to upper levels
  b. External - customers & suppliers; bribes & kickbacks are not condoned
  c. Means of communication - policy & procedure manuals, one-on-one interaction b/w mgmt & staff
Monitoring - done continually & thru separate evaluations
  a. Ongoing monitoring activities - control-oriented: reconciliation, customer complaints about billing, reports of internal & external auditors, training seminars
  b. Separate evaluations - risk determines scope & frequency; control self-assessment; internal audit function performs a thorough review
Inherent Limitations of Internal Control - provides only reasonable assurance of entity's objectives
Types of limitations:
  a. Human judgment is faulty - errors or mistakes
  b. Controls can break down - employee misunderstanding, carelessness, fatigue
  c. Mgmt override of internal control - fraudulently achieve revenue projections or hide liabilities
  d. Collusion - manual or automated controls can be circumvented
  e. Costs of control must not exceed benefits derived
Internal Control Reporting
Section 404 of SOX - internal control for issuers
  a. Mgmt must establish & document system of internal controls
  b. Mgmt must include in annual report a report on internal control over financial reporting
    a. Statement that internal control is mgmt's responsibility

    b. Mgmt's assessment of effectiveness of internal control
    c. Identification of framework used (COSO Framework)
    d. Disclosure of material weaknesses
    e. Statement that changes in controls were made after evaluation
    f. Statement that external auditor issued an attestation report on mgmt's assessment
  c. Requires independent auditor to express an opinion on client's system of internal control
Section 406(c) of SOX - requires issuer to disclose whether it has adopted a code of ethics for senior financial officers & if not, the reason
Foreign Corrupt Practices Act of 1977 - all issuers must devise & maintain a system of internal accounting control, regardless of whether they have foreign operations; may not offer/authorize corrupt payments to any foreign official, foreign political party or candidate for political office in a foreign country
Responsible Parties
Mgmt - CEO establishes tone at the top
Board of Directors - integrity & ethical values reflected in board's selection of CEO & senior VP positions
  a. Objective judgment
  b. Knowledge of organization's industry
  c. Willing to ask questions about mgmt's decisions
  d. Subcommittees of board: audit committee, compensation committee, finance committee, risk committee
Internal Auditors - consulting & advisory role
  a. Perform systematic reviews
  b. Not responsible for selecting & executing controls
External Parties
External Auditors - PCAOB made it a legal requirement to examine & report on internal control
Legislators & regulators - Foreign Corrupt Practices Act & SOX; legal requirements for internal control
Parties interacting w/entity - financial analysts, bond rating agencies & news media

ENTERPRISE RISK MANAGEMENT (ERM)


COSO Risk Mgmt Framework - purpose is to provide a basis for coordinating & integrating all of the entity's risk mgmt activities
ERM - objectives of entity & establishing means for evaluating effectiveness
Process effected by entity's board of directors, mgmt & other personnel, applied in strategy setting & across the enterprise, designed to identify events that affect the entity & manage risk to be w/in its risk appetite, to provide reasonable assurance regarding achievement of entity objectives
Risk - possibility that an event will occur & affect achievement of objectives
Risk mgmt - identifying events that affect the entity & managing risk to be within the entity's risk appetite; provides reasonable assurance

Responsibilities:
Senior Mgmt
  a. CEO sets tone at the top
  b. CEO has ultimate responsibility for ERM
  c. Ensures that risk mgmt processes are in place & functioning
  d. Determines risk mgmt philosophy
Board of Directors
  a. Have an oversight role
  b. Determine risk mgmt processes are in place, adequate & effective
  c. Majority of board - outside directors
  d. Years of experience either in industry or corp govern
  e. Willing to challenge mgmt's choices
Risk Committee & CRO
  a. Composed of directors that include mgrs
  b. CRO - coordinates entity's risk mgmt activities; member of & reports to risk committee
Internal Auditors
  a. Directed by the board to evaluate effectiveness & contribute to improvement of risk mgmt processes
  b. Determination if risk mgmt processes are effective is a judgment resulting from assessment:
    a. Entity objectives support & align w/mission
    b. Risks identified & assessed
      i. Risk responses selected that align risks & entity's risk appetite
      ii. Risk information captured & communicated in timely manner
ERM Capabilities
  a. ERM allows mgmt to optimize stakeholder value by coping w/uncertainty & the risks & opportunities it presents
  b. ERM helps mgmt to
    a. Reach objectives
    b. Prevent loss of reputation & resources
    c. Report effectively
    d. Comply w/law and regulations
  c. Risk appetite - willingness of senior mgmt to accept risk
    a. Evaluating strategic options
    b. Setting objectives
    c. Developing risk mgmt techniques
  d. Risk response - avoidance, reduction, sharing, acceptance
  e. Reduction of operational surprises & losses
  f. Multiple & cross-enterprise risks
  g. Response to opportunities
  h. Deployment of capital


ERM Events
  a. Events w/negative impact - risks
  b. Events w/positive impact - offset risks or create opportunities
  c. Opportunity - possibility that an event will occur & positively affect achievement of objectives, supporting value creation or preservation
ERM Objectives - overlap but are distinct; different needs
  1. Strategic - align & support entity's mission; affected by external events; entity not in control
  2. Operations - effectiveness & efficiency; affected by external events; entity not in control
  3. Reporting - reliability; w/in entity's control
  4. Compliance - laws & regulations; w/in entity's control
ERM Components - integrated w/mgmt process & influence each other
  1. Internal Environment - risk mgmt philosophy, risk appetite, integrity, ethical values & environment; sets the tone of the entity
  2. Objective Setting - process established & objectives align w/mission & risk appetite
  3. Event Identification - internal & external events; differentiates b/w opportunities & risks
  4. Risk Assessment - likelihood & impact as basis for risk mgmt
    a. Inherent risk - risk arising from an activity itself
    b. Residual risk - what remains after risk responses
  5. Risk Responses - consistent w/risk tolerances & appetite
  6. Control Activities - policies & procedures; ensure effectiveness of risk responses
  7. Information & Communication - identifies, captures, communicates relevant & timely info
  8. Monitoring - ongoing mgmt activities or separate evaluations; full ERM process monitored
Present & functioning effectively - no material weaknesses exist & risk is w/in risk appetite
ERM effective - board of directors & mgmt have reasonable assurance that
  o Reporting is reliable
  o Compliance is achieved
  o They know the extent of achievement of strategic & operations objectives
ERM Limitations
  a. Faulty human judgment
  b. Cost-benefit considerations
  c. Simple errors or mistakes
  d. Collusion
  e. Mgmt override of ERM decisions
Strategies for Risk Response
  a. Risk avoidance - ends the activity from which the risk arises
  b. Risk retention - accepts the risk of an activity
  c. Risk reduction - lowers the level of risk associated with an activity
  d. Risk sharing - transfers some loss potential to another party

  e. Risk exploitation - seeks risk to pursue a high return on investment
Risk Management Process
  1. Identify Risks - performed for entire entity
  2. Assess Risks - probability & potential effect
  3. Prioritize Risks
  4. Formulate Risk Responses
  5. Monitor Risk Responses - those closest to the activities themselves & audit function
Event Identification - consider past events & future possibilities
  1. Event inventories
  2. Internal analysis
  3. Escalation of threshold triggers
  4. Facilitated workshops & interviews
  5. Process flow analysis
  6. Leading event indicators
  7. Loss event data methodologies

