Which of the following components of COSOs ERM Framework addresses an entitys integrity and ethical values?

What are the three COSO ERM (Enterprise Risk Management) frme work that cites esveral trends will continue to have effect on an ERM?

Adapting to the ___ of data
Leveraging ___ __ and automation
Managing the cost of ____ ___
Building stronger ____

Proliferation (internal & external data sources to be structured in new ways)
Art intelligence
Risk Managemnet
Organizations

The updated COSO Enterprise Risk Management (ERM) framework’s Executive Summary lists the following benefits that can be achieved when entities integrate ERM throughout the organization:

Increased range of ____
Improved identifications and managment of ___ entiy-wide
Increased ___ outcomes and reduce ___ surprises
Improve ___ deployment
Enhanced ____ resilience
Reduce ___ Variability

opportunities
risk
positive, negative
resource
enterprise

COSO issued an update to the enterprise risk management (ERM) framework in 2017, Enterprise Risk Management—Integrating with Strategy and Performance, which addresses the evolution of ERM and the need for entities to what?

improve their approach to managing risk to meet the demands of an evolving business environment.

Definition: The Committee of Sponsoring Organizations of the Treadway Committee (COSO) issued the Enterprise Risk Management—Integrated Framework in 2004, and defined enterprise risk management (ERM) as follows:

“Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its ____, to provide reasonable assurance regarding the achievement of entity x____.”

risk appetit, risk appetite

Enterprise risk management (ERM) components help the entity achieve its objectives. These interrelated components need to be both present and functioning effectively (i.e., no material weaknesses) in order to have an effective ERM system. ERM consists of eight components: (CRIMER.IO)

THIS IS THE FRAMEWORK OF ERM

Control Activities
Risk Assessment
Internal Environment
Monitoring
Event Identification
Risk Response

Information & Communication
Objective Setting

These are the 8 components of Enterprise Risk Management (ERM)...what are they

Control Activities
Risk Assessment
Internal Environment
Monitoring
Event Identification
Risk Response

Information & Communication
Objective Setting

Control activties- Management risk response are effectively carried out. Polices are implemented

Risk Assessment - Identified risks are evaluated
Internal Environment - Tone at top
Monitoring -Processes monitored - deficiencies reported
Event ID - Identify positive & negative events to detremine risks/opportunities

Risk Response - Avoid, reduce, share, or accept risks
Information & Communication - Info about ERM components need to be communicated to mgmt

Objective Setting - Mgmt places processes to formulate objectives to help company assess/respond to risks

The revised COSO Enterprise Risk Management (ERM) framework is designed to assist boards of directors in fulfilling their risk oversight role, which includes the following:

____,, ___, __with management
Approving management ___and remuneration
Participating in __ and __relations

Reviewing, challenging, and concurring
incentives
investor and stakeholder

The internal auditor who works in ERM sets the risk appetite of the organization

False - this is generally done by the board of directors and/or executive management.

Internal auditors do coordinate ERM activities across the organization, evaluate the risk management process, and give assurance that the risks of the organization are correctly evaluated.

COSO ERM Framework takes a risk base or control base appraoch?

ERM assists ___in effectively dealing with uncertainty and its related risk and opportunity, thus building stakeholder value in the entity.

The ____, is charged with the responsibility of finding a balance between growth and profit while using resources in an efficient and effective manner.

ERM helps ensure that ___ and ___laws and regulations are met, and assists in protecting the entity's reputation.

Risk Based

management

chief executive officer

reporting and compliance

. The objective of the ERM framework is to achieve all the goals of the control framework and help the organization to:

attain reasonable assurance that company objectives and goals are ___,

continuously assess risks and identify the appropriate action to take and the resources to allocate to ___

achieve its ____targets, and

avoid adverse ___and damage to the entity's reputation.

achieved and problems and surprises are minimized

overcome or mitigate risk,

financial and performance

publicity

COSO ERM Framework consists of 5 interrelated components -- what are they?
(GRIPS) - COSO grips ERM

Governance/Culture
Review/Revision
Information/Reporting
Performance
Strategy/Objective Setting

COSO ERM - GRIPS...What are they (Defintion)

Governance/Culture
Review/Revision
Information/Reporting
Performance
Strategy/Objective Setting

Gov - Sets Tone & upholds ethical values/behaviors

Review - Review performance and analyze ERM component functions

Information - Sharing info from all sources across org
Performance - Risks need to be identified and assesed.

Strategy - ERM & Objective setting works together to establish a risk appetite/objectives

COSO ERM - GRIPS Have principles dedicated to each.

What are the principles for GOV & Review

GOV
1. Establish Board risk oversight
2. Establish operating structure
3. Define Culture
4. Commitment to Core Values
5. Attract/retain capable individuals

REVIEW
Assess Substantial Change
Review Risk/Performance
Pursue Improvement

COSO ERM - GRIPS Have principles dedicated to each.

List Information, Strategy/Objectives, & Performance(PAIID)

INFO
Leverage Info Systems
Communicate Risk Info
Report Risk/Performance

PERFORMANCE (PAIID)
Identify risk
Assess risk
Prioritize risk
Implemnet Risk Response
Develop Portfolio View

STRATEGY
Analyze Biz context
Define Risk Appetite
Evaluate Alt. Strategies
Formulate(create) Biz Objectives

_____ is the process used by organizations to manage risk and seize opportunities to achieve the goals of the organization. It provides a framework for risk management, determines response strategy, and monitors the progress

Enterprise risk management (ERM

ompany management, including the risk officer and financial executives, are responsible for establishing the ____ and implementing ____procedures

internal control system, monitoring

The COSO ERM (Enterprise Risk Management) framework is designed to help an entity's management achieve its objectives, grouped into four overlapping categories: (ROCS)

Reporting - reliable reporting
Operations - resources used effectively
Compliance -Compliance w/ laws/reg
Strategic - High lvl goals support entity's mission

OBJECTIVE OF COSO ERM
The COSO ERM (Enterprise Risk Management) framework is designed to help an entity's management achieve its objectives, grouped into four overlapping categories: (ROCS). Define Them

Reporting
Operations
Compliance
Strategic

Reporting - reliable reporting
Operations - resources used effectively
Compliance -Compliance w/ laws/reg
Strategic - High lvl goals support entity's mission

The return on an individual stock, or a portfolio of stocks, should equal its ___

cost of capital.

You want to have it equal at least the cost of what you put in. You dont want anything less b/c you'll be negative

According to COSO, the position or internal entity that is best suited, as part of the enterprise risk management process, to devise and execute risk procedures for a particular department is the internal auditor.

False - it should be a manager within the department

"A manager with the department" is the correct answer choice because a manager within the department has the most detailed knowledge of risks in that department.

Enterprise risk management (ERM) components help the entity achieve its objectives. These interrelated components need to be both present and functioning effectively (i.e., no material weaknesses) in order to have an effective ERM system. ERM consists of eight components.

For Risk Response, What are the 4 principles

Risk Avoidance
Risk Reduction
Risk Sharing
Risk Acceptance

What are the definitons

Risk Avoidance
Risk Reduction
Risk Sharing
Risk Acceptance

Risk Avoidance - not to engage
Risk Reduction - mitigating control to offset risk
Risk Sharing - share risk w/ another org. Can create a Joint Venture this way

Risk Acceptance - assume all risk b/c its acceptable

Each of the following is a limitation of enterprise risk management (ERM), except: T/F

ERM deals with risk, which relates to the future and is inherently uncertain.

ERM operates at different levels with respect to different objectives.

ERM can provide absolute assurance with respect to objective categories.

ERM is as effective as the people responsible for its functioning.

True
True
False - Reasonable Assurance, not absolute
True

The Sarbanes-Oxley Act of 2002, Section 302, requires that CEOs and CFOs of a corporation include certifications that:

Signing Officers ___ the reports
Signing officers are evaluating the internal controls within ___ days and reporting their findings
all __in internal controls are being reported.

negative impacts on internal controls are being reported and corrected. T/F

Stating the financials do not contain untrue statements or material misstatements.

the financial statements present fairly the financial condition of the company.

review
90 days
deficiencies
True
True
True

For the Sarbanes Oxley act of 2002,

The officers are permitted to reincorporate the activities of a company to attempt to avoid these requirements. T/F

They are also not permitted to move the activities outside of the United States to attempt to avoid these requirements. T/F

Senior staff is responsible for the specific internal control functions employed in the various areas. T/F

Without properly implemented internal controls, members of management have the ability to __ necessary controls, enabling potential dishonest dealings or recording of transactions.

False - They are NOT permitted

True

True

override

Who is required to make special certification statements regarding the establishment of internal control systems on Form 10-K?

Both the principal executive officer and the principal financial officer

The purpose of the ___ is for the company to analyze the internal controls currently in place and to assess the effectiveness of those controls to avoid material misstatement in the firm's financial reporting.

A top-down risk assessment (TDRA) is done in order for a company to be in compliance with ___

TDRA (Top Down Risk Assessment)

SOX 404.

Two important definitions related to the internal control process are those for control precision and control sufficiency. Define Them

Control Precision - alignment between risk & Control activity designed to mitigate the risk.

Control Sufficiency - Grp of controls to achieve a control objective.

In order to be in compliance with SOX 404, a company needs to:

(3)

Document existing controls and list procedures associated w/ financial reporting

Test effectiveness of documented controls

Provide details of any deficiencies in controls

Each financial report that contains financial statements prepared in accordance with GAAP must reflect all material ___that have been identified by the external auditors.

Pro forma financial information cannot contain an untrue statement of a material fact or omit to state a material fact necessary in order to make the pro forma financial information not misleading. T/F

Annual and quarterly financial reports should disclose all material off-balance sheet transactions, arrangements, obligations (including contingent obligations), and other relationships of the issuer with unconsolidated entities or other persons, that may have a material current or future effect on financial condition, Tf

correcting adjustments

True

True

The BOD has a fiduciary duty to act in the best interests of the corporation. As fiduciaries, board members are held to a higher standard of care than would be exercised in discharge of those people's personal affairs. Directors may not put themselves in a position where their interests and duties conflict with the duties that they owe to the company. T/F

Fiduciary duties fall within three categories:

True

Duty of Care -Act in good faith. Belief their decisions is whats best for the entity

Duty of Loyalty - undivided loyalty. Put interests of shareholders above their own

Duty of Due Diligence - Refers to the care a reasonable person should make before entering an agreement/transaction. This is a way to prevent harm.

The financial statements are required to be audited by an independent CPA firm that is certified by the ___to perform audits of corporations under the jurisdiction of the SEC.

The independent auditor is hired by and interacts directly with the board of directors'____

This committee should include independent directors, including stockholders & officers, and should be chaired by someone with significant financial reporting qualifications and experience.

PCAOB

audit committee.

False - (not stockholders or officers)

According to the Sarbanes-Oxley Act of 2002, a chief executive officer or chief financial officer who misrepresents the company's finances may be penalized by being:

fined, but not imprisoned.

imprisoned, but not fined.

removed from the corporate office and fined.

fined and imprisoned.

Fine & imprisoned - can be fined, imprisoned for not more than 20 years, or both.

. Penalties include fines of not more than $1,000,000, imprisonment for not more than 10 years, or both for certification violations;

and fines of not more than $5,000,000, imprisonment for not more than 20 years, or both for willful certification violations.

The Sarbanes-Oxley Act has the authority to remove individuals from corporate office. T/F

False - That is a responsibility of the corporate board of directors or the stockholders.

. Penalties include fines of not more than $1,000,000, imprisonment for not more than 10 years, or both for ___violations;

and fines of not more than $5,000,000, imprisonment for not more than 20 years, or both for ___

certification

willful certification violations.

____oversee the financial reporting process; monitor the choice of accounting policies and principles; monitor the internal control process; appoint, compensate, and oversee the external auditors; and receive communications and audit reports directly from the external auditors.

___ is when individuals who alter, destroy, mutilate, or conceal records, documents, etc., with the intent to impair objectivity or availability of use, or otherwise obstruct, influence, or impede any official proceeding, will be fined, imprisoned for not more than 20 years, or both.

audit committees

Tampering

In any cease-and-desist proceeding, the Securities and Exchange Commission (SEC) can issue an order to prohibit any person who has violated certain security laws, rules, and regulations, from serving as ___

an officer or director of the issuer.

SOX Title XI "Corporate Fraud Accountability" Consists of 3 components

Tampering
Retailiation Against Informations
Prohibiting Persons from serving as officers

A top-down risk assessment (TDRA) is used to identify and assess:
(4)
__

Identify financial reporting items, transaction level controls, & entity level controls

risks related to financial reporting.

internal control procedures to limit the identified risks.

Analyze NTE of evidence

According to the Sarbanes-Oxley Act of 2002, when an issuer's board of directors selects members to be on the company's audit committee, the board of directors must select individuals who:

receive consulting fees, but not advisory fees, from the company.
are members of the company's board of directors.
are employed by the company in a financial management role.
are affiliated persons of the company's subsidiary.

are members of the company's board of directors.

Each member of the audit committee must be a member of the board of directors and must otherwise be independent.

Audit committee members may not accept any consulting, advisory, or other compensation from the issuer or be an affiliated person of the issuer.

The audit committee should contain at least one ___

financial expert ---------If an issuer does not have an audit committee financial expert, that issuer must disclose the reason why the role is not filled

Financial expertise includes an understanding of generally accepted accounting principles and financial statements, experience in the preparation or auditing of financial statements of generally comparable issuers, experience with internal accounting controls, and understanding of audit committee functions.

The Sarbanes-Oxley Act requires financial issuers to publish what kind of information?

The immaterial condition of the company
Internal control performance relative to industry best practice benchmarks
Only positive impacts on internal controls
The scope and capabilities of the internal control structure

The scope and capabilities of the internal control structure

Issuers must include the scope and capabilities of the internal control system and include procedures for financial reporting in their annual reports.

The Sarbanes-Oxley Act changed the way financial reports are treated. What section of the act requires the CEO to review the financial statements?

302

Section 302 of the Sarbanes-Oxley Act requires that CEOs and CFOs certify the accuracy of the financial statements and the reliability of internal controls prior to the statements being signed.

The treasurer makes disbursements by check and reconciles the monthly bank statements to accounting records. Which of the following best describes the control impact of this arrangement?

Internal control will be enhanced since these are duties that the treasurer should perform.

The treasurer will be in a position to make and conceal unauthorized payments.

The treasurer will be able to make unauthorized adjustments to the cash account.

Controls will be enhanced because the treasurer will have two opportunities to discover inappropriate disbursements.

The treasurer will be in a position to make and conceal unauthorized payments.

Having the treasurer in a position to make and conceal unauthorized payments is an example of inadequate segregation of functions. The functions of disbursing funds and reconciling the related cash account should be assigned to different personnel.

The Enterprise Risk Management—Integrated Framework of the Committee of Sponsoring Organizations (COSO) is best defined as a:

process that takes a control-based approach to an organization.

process effected by an entity’s board of directors, management, and other personnel.

process that replaces the COSO internal control framework.

serial process in which one component affects only the next component.

process effected by an entity’s board of directors, management, and other personnel.

"A process effected by an entity’s board of directors, management, and other personnel" is correct because the board of directors has overall responsibility for managing enterprise risk and can delegate parts of the process to entity personnel.

COSO issued an update to the ERM (enterprise risk management) framework in 2017, Enterprise Risk Management—Integrating with Strategy and Performance. The revised ERM framework is designed to assist boards of directors (BOD) in fulfilling their risk oversight role, which includes all of the following except:

reviewing, challenging, and concurring with management on various topics.

approving management incentives and remuneration.

participating in investor and stakeholder relations.

improving resource deployment.

improving resource deployment.

___:, management plans, organizes, leads, and controls the organization's activities in order to minimize risks and cut back on costs.

enterprise risk management

Risk response. Management can choose to avoid, reduce, share, or accept risks after careful analysis.

Risk avoidance. Choosing not to engage in an activity

Risk reduction. Implementing some compensating or mitigating control to offset the risk of an activity

Risk sharing. Sharing the risk with another organization such as establishing a joint venture
R
isk acceptance. Assuming all of the risk because it is deemed acceptable

Avoid
ReductionS

Share

Accept

A financial institution looking to assess its investment portfolio's exposure to price changes most likely would use which of the following techniques?

Market value at risk analysis

Cash flow at risk analysis

Back testing analysis

Earnings at risk analysis

Market value at risk analysis

COSO issued an update to the 2004 ERM framework in 2017, Enterprise Risk Management—Integrating with Strategy and Performance. Which of the following is not one of the five interrelated components of the framework?

Governance and culture

Strategy and objective-setting

Performance

Monitoring

Monitoring

Monitoring is from the original 2004 ERM (enterprise risk management) framework. The 2017 ERM framework itself consists of five interrelated components (which are supported by a set of 20 principles). The components are governance and culture; strategy and objective-setting; performance; review and revision; and information, communication, and reporting

COSO’s 2017 updated ERM framework, Enterprise Risk Management—Integrating with Strategy and Performance, includes several trends that should be monitored by entities. Which of the following is not one of those trends?

Expand customer service to include texts and chatbots

Adapt to the proliferation of data

Manage the cost of risk management

Leverage artificial intelligence and automation

Expand customer service to include texts and chatbots

COSO issued an update to the ERM (enterprise risk management) framework in 2017, Enterprise Risk Management—Integrating with Strategy and Performance. The updated framework focuses on the importance of considering risk in both the strategy-setting process and in driving performance. Which of the following in not addressed by the update?

Achieve its financial and performance target

Accommodate expectations for governance and oversight

Expand reporting for greater stakeholder transparency

Recognize the globalization of markets and the need to apply a common approach across geographies

Achieve its financial and performance target

The 2004 ERM (enterprise risk management) framework lists a number of components, one of which is event identification. Which of the following is not used by managers for event identification?

Perform data mining and analysis

Use comprehensive lists of potential events

Perform an internal analysis

Perform an external analysis

Perform an external analysis

According to COSO, the four categories of entity objectives in the enterprise risk management framework include each of the following, except:

implementation of internal controls.

reliability of reporting.

compliance with applicable laws and regulations.

effective and efficient use of the entity's resources.

implementation of internal controls.

COSO's enterprise risk management framework encompasses each of the following, except:

seizing opportunities.

improving deployment of capital.

enhancing risk response decisions.

decreasing inherent risk appetite.

decreasing inherent risk appetite.

COSO issued an update to the 2004 ERM framework in 2017, Enterprise Risk Management—Integrating with Strategy and Performance, which is designed to assist the board of directors (BOD) in fulfilling their risk oversight role. Which of the following is not one of the BOD’s obligations in terms of ERM?

Revising reporting options to improve stakeholder transparency

Approving management incentives and remuneration

Reviewing and challenging management of proposed strategy and risk appetite

Participating in investor and stakeholder relations

Revising reporting options to improve stakeholder transparency

The Sarbanes-Oxley Act requires financial issuers to publish what kind of information?

Only positive impacts on internal controls

Internal control performance relative to industry best practice benchmarks

The scope and capabilities of the internal control structure

The immaterial condition of the company

The scope and capabilities of the internal control structure

Pursuant to the Sarbanes-Oxley Act of 2002, an accountant who destroys documents to impede an investigation by a U.S. agency can be:

temporarily or permanently limited on the activities, functions, or operations conducted on behalf of a registered public accounting firm.

fined and/or imprisoned not more than 10 years.

suspended or barred from being associated with a registered public accounting firm or be required to end such association.

fined and/or imprisoned not more than 20 years.

fined and/or imprisoned not more than 20 years.

The Sarbanes-Oxley Act of 2002 (SOX) requires that all publicly traded firms establish internal controls related to financial reporting that are documented, tested, and maintained for the purpose of preventing fraud. Per SOX, a company needs to do all of the following except:

develop documentation of existing internal controls and procedures associated with financial reporting.

test the effectiveness of the existing internal controls and procedures.

provide information on deficiencies in the controls and/or documentation of those controls.

include all areas of potential risk to the misstatement of the financial statements in this documentation, testing, and reporting process.

include all areas of potential risk to the misstatement of the financial statements in this documentation, testing, and reporting process.

Regarding the requirements of the Sarbanes-Oxley Act, officers of a company are not permitted to:

keep the organization transparent.

move the activities of the organization outside of the United States to avoid complying with the Sarbanes-Oxley Act.

report material misstatements.

report deficiencies of internal controls.

move the activities of the organization outside of the United States to avoid complying with the Sarbanes-Oxley Act.

In relation to the internal control process, control sufficiency is:

the alignment between a risk and the control activity designed to mitigate that risk.

the testing of the effectiveness of a control procedure.

the group of controls with a variety of degrees of precision necessary to achieve a control objective.

the measurement of the effectiveness of a specific control in alleviating the defined risk.

the group of controls with a variety of degrees of precision necessary to achieve a control objective

A top-down risk assessment (TDRA) is done in order for a company to be compliance with SOX 404. The purpose of a TDRA is to do all of the following except:

identify and assess the risks related to the financial reporting elements.

identify acts of fraud and embezzlement and assess the effect these items have had on company performance.

identify and assess financial reporting elements.

identify and assess the internal control procedures meant to limit the identified risks.

identify acts of fraud and embezzlement and assess the effect these items have had on company performance.

Which of the following statements is correct regarding the requirements of the Sarbanes-Oxley Act of 2002 for an issuer's board of directors?

The majority of members of the board of directors must be independent from management influence.

The board of directors must have an audit committee entirely composed of members who are independent from management influence.

The board of directors must have a compensation committee, a nominating committee, and an audit committee, each of which is entirely composed of independent members.

Each member of the board of directors must be independent from management influence, based on the member's prior and current activities, economic and family relationships, and other factors.

The board of directors must have an audit committee entirely composed of members who are independent from management influence.

According to the Sarbanes-Oxley Act of 2002, when an issuer's board of directors selects members to be on the company's audit committee, the board of directors must select individuals who:

are affiliated persons of the company's subsidiary.

receive consulting fees, but not advisory fees, from the company.

are employed by the company in a financial management role.

are members of the company's board of directors.

are members of the company's board of directors.