The Dodd-Frank Wall Street Reform and Consumer Protection Act (commonly referred to as Dodd-Frank) was passed as a response to the Great Recession. It brought about significant changes to financial regulation in the United States, including changes in the financial regulatory environment that affect all federal financial regulatory agencies and almost every part of the nation's financial services industry. Its purpose was to create a sound economic foundation to grow jobs, protect consumers, rein in Wall Street and big bonuses, and prevent another financial crisis.
U.S. Stock Exchange Listing Standards
The major stock exchanges in the United States, the New York Stock Exchange (NYSE) and the National Association of Securities Dealers Automated Quotations (NASDAQ), have promulgated certain standards that must be met by any public company that desires to be listed on those exchanges. These listing standards cover such items as the organization and responsibilities of the board and audit committee, code of business conduct, personal loans to executives, the need for an internal audit function, and stock options.
3-20 INTERNAL AUDITING, ASSURANCE & ADVISORY SERVICES
effectively. It also requires the institution's independent outside auditors to attest to management's assertions regarding the effectiveness of its system of internal controls. Many aspects of this act were later included in the U.S. Sarbanes-Oxley Act of 2002.
U.S. Sarbanes-Oxley Act of 2002
After a series of significant bankruptcies and incidents of fraudulent financial reporting at major U.S. corporations (for example, Enron Corp., Tyco, and WorldCom), legislation was passed in the United States with the overall objectives of creating more accountability over the integrity of financial reporting by chief executive and chief financial officers, and restoring investor confidence in the capital markets. This legislation, the Sarbanes-Oxley Act, contained numerous sections promulgating rules and regulations on many aspects of governance for public companies. The two sections that received the most public awareness and scrutiny were Sections 302 and 404.
• Section 302 requires the chief executive and chief financial officers of public companies to certify each quarter, in connection with the company's quarterly filing of its financial results on Form 10-Q, as to the effectiveness of the disclosure controls and procedures that were in place in connection with preparing that filing.
• Section 404 requires the company to provide assertions, in connection with the annual filing of its financial results on Form 10-K, as to the effectiveness of internal control over financial reporting. This section, in particular, requires most companies to improve the documentation and testing surrounding those internal controls to support the required assertions.
GOVERNANCE 3-21
1. Why are there arrows flowing in both directions between the different elements of governance depicted in exhibit 3-2?
2. What is the OECD's definition of corporate governance?
3. What is the difference between the two areas of governance depicted in exhibit 3-3?
4. What is The IIA's definition of governance? How does this definition relate to the figure in exhibit 3-3?
5. What are the three different types of stakeholders that the board must understand? Give examples of each type.
6. What types of outcomes might a board need to consider to understand stakeholders' expectations?
7. In governance, what are the key responsibilities of:
a. The board of directors?
b. Senior management?
c. Risk owners?
8. What role does the internal audit function play in governance?
9. In addition to the internal audit function, what other internal functions may provide independent assurance to the board or senior management?
10. What are the three lines of defense in the Three Lines of Defense model?
11. What is a combined assurance model? Why do some organizations use such models?
12. What are some key U.S. regulations that have been written in response to adverse business events?
MULTIPLE-CHOICE QUESTIONS
Select the best answer for each of the following questions.
1. Which of the following is not an appropriate governance role for an organization's board of directors?
a. Evaluating and approving strategic objectives.
b. Influencing the organization's risk-taking philosophy.
c. Providing assurance directly to third parties that the organization's governance processes are effective.
d. Establishing broad boundaries of conduct, outside of which the organization should not operate.
2. Which of the following are typically governance responsibilities of senior management?
I. Delegating its tolerance levels to risk managers.
II. Monitoring day-to-day performance of specific risk management activities.
III. Establishing a governance committee of the board.
IV. Ensuring that sufficient information is gathered to support reporting to the board.
a. I and IV.
b. II and III.
c. I, II, and IV.
d. I, II, III, and IV.
3. ABC utility company sells electricity to residential customers and is a member of an industry association that provides guidance to electric utilities, lobbies on behalf of the industry, and facilitates sharing among its members. From ABC's perspective, what type of stakeholder is this industry association?
a. Directly involved in the operation of the company.
b. Interested in the success of the company.
c. Influences the company.
d. Not a stakeholder.
4. Who is responsible for establishing the strategic objectives of an organization?
a. The board of directors.
b. Senior management.
c. Consensus among all levels of management.
d. The board and senior management jointly.
5. Who is ultimately responsible for identifying new or emerging key risk areas that should be covered by the organization's governance process?
a. The board of directors.
b. Senior management.
c. Risk owners.
d. The internal audit function.
6. The internal audit function should not:
a. Assess the organization's governance and risk management processes.
b. Provide advice about how to improve the organization's governance and risk management processes.
c. Oversee the organization's governance and risk management processes.
d. Coordinate its governance and risk management-related activities with those of the independent outside auditor.
7. Which of the following would not be considered a first line of defense in the Three Lines of Defense model?
a. A divisional controller conducts a peer review of compliance with financial control standards.
b. An accounts payable clerk reviews supporting documents before processing an invoice for payment.
c. An accounting supervisor conducts a monthly review to ensure all reconciliations were completed properly.
d. A production line worker inspects finished goods to ensure the company's quality standards are met.
8. Which of the following would be considered a first line of defense in the Three Lines of Defense model?
a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the required payment date.
b. A divisional compliance and ethics officer conducting a review of employee training records to ensure that all marketing and sales staff have completed the required FCPA training.
c. The external audit team observes the counting of inventory on December 31.
d. An internal audit team conducting an engagement to provide assurance on the company's Sarbanes-Oxley compliance with internal controls over financial reporting.
9. Which of the following would be considered a second line of defense in the Three Lines of Defense model?
a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the required payment date.
b. A divisional compliance and ethics officer conducting a review of employee training records to ensure that all marketing and sales staff have completed the required FCPA training.
c. A shift supervisor inspecting a sample of finished goods to ensure quality standards are met.
d. An internal audit team conducting an engagement to provide assurance on the company's Sarbanes-Oxley compliance with internal controls over financial reporting.
10. Companies in industries that are heavily regulated may be subject to audits by the regulator's auditors. While not specifically covered in the Three Lines of Defense model, such auditors would most likely be considered:
a. Part of the first line of defense.
b. Part of the second line of defense.
c. Part of the third line of defense.
d. Not a line of defense.
11. Which of the following is not a role of the internal audit function in best practice governance activities?
a. Support the board in enterprisewide risk assessment.
b. Ensure the timely implementation of audit recommendations.
c. Monitor compliance with the corporate code of conduct.
d. Discuss areas of significant risks.
12. Which of the following statements regarding corporate governance is not correct?
a. Corporate control mechanisms include internal and external mechanisms.
b. The compensation scheme for management is part of the corporate control mechanisms.
c. The dilution of shareholders' wealth resulting from employee stock options or employee stock bonuses is an accounting issue rather than a corporate governance issue.
d. The internal audit function of a company has more responsibility than the board for the company's corporate governance.
13. What types of business events tend to drive new legislation and guidance?
a. Economic downturns.
b. Fraud or other corporate wrongdoing.
c. Elections or other political changes.
d. Economic growth.
14. Which of the following represents the best governance structure?
a. Operating Management: Responsibility for risk; Executive Management: Oversight role; Internal Auditing: Advisory role.
b. Operating Management: Oversight role; Executive Management: Responsibility for risk; Internal Auditing: Advisory role.
c. Operating Management: Responsibility for risk; Executive Management: Advisory role; Internal Auditing: Oversight role.
d. Operating Management: Oversight role; Executive Management: Advisory role; Internal Auditing: Responsibility for risk.
1. Describe ways in which an organization's business model may affect its approach to governance oversight. Provide examples that contrast publicly held companies from privately held companies.
2. Discuss why it is important, from a governance perspective, to have independent outside directors on a board of directors.
3. Given that directors typically do not interface directly with key stakeholders, how might a board of directors obtain an understanding of key stakeholder expectations? How might that process vary among the various stakeholder groups identified in the chapter?
4. In exhibit 3-4, the internal audit function is included in the assurance box. In light of this assurance role, discuss the pros and cons of the chief audit executive (CAE) reporting to the board of directors (or one of its committees) versus the chief financial officer (CFO). Relate your answer to the concepts described in Standard 1100: Independence and Objectivity.
5. IT governance has become a "hot topic" in recent years. Using the governance framework shown in exhibit 3-4, customize each of the components to describe how they might specifically relate to governing IT objectives and risks of an organization.
6. The General Auditor's Office (GAO) of ABC jurisdiction issued a report on the XYZ Electric Cooperative, a large member-owned utility. This report reviewed the work of MNO Consulting. MNO found numerous internal control weaknesses. The GAO concurred with MNO's conclusion and recommendations regarding the overall lack of effective internal controls. In particular, the GAO went on to recommend that the ABC jurisdiction's legislature should require by law that each cooperative:
• Create a board of directors (board) and maintain a separate audit committee.
• Employ an internal auditor who reports to the board.
A reporter for the local newspaper has a couple of questions for you.
a. Typically, what is a governing board's responsibility for internal controls?
b. Why would the GAO want each cooperative board to employ an internal auditor?
7. The CAE of PJS Company is working with senior management and the board to develop a combined assurance model and has asked you for advice. More specifically, he has asked you to respond to the following questions:
a. In a combined assurance model, should the internal audit function postpone assurance engagements in areas of the company for which other assurance providers have already planned assurance activities?
b. What factors might influence the CAE's decision to postpone an assurance engagement?
c. What services might the internal audit function provide in lieu of performing an assurance engagement?
8. Discuss how regulations help to improve governance. Explain how some regulations may have unintended consequences regarding governance.
9. The King Code of Corporate Governance for South Africa is widely considered one of the most progressive governance codes in the world. Search the internet for the latest version (King IV) and find Section 5.4, which focuses on Assurance. Under Principle 15 there is information about internal audit. Choose a recommended practice and discuss how it aligns with The IIA's Standards.
The IIA has different blogs on its website. One of these is a governance blog (https://iaonline.theiia.org/blogs/marks). Find this site on The IIA's website and review the last three postings, as well as the comments related to each. Be prepared to discuss in class your thoughts on each of the three original postings and the related comments.
CASE 2
Visit the website http://www.ecgi.org/codes/all_codes.php, which contains a list of governance codes from around the world. Review the governance regulations for Australia, South Africa, and the United Kingdom. Conduct additional research on the internet to answer the following questions:
A. What events may have been the impetus for each of these countries promulgating these regulations?
B. Describe ways in which these regulations are similar.
C. Describe at least one notable difference between each of these regulations.
D. Which of these regulations do you believe has the most comprehensive governance requirements? Why?
CASE 3
KnowledgeLeader Practice Case:
Multiple Lines of Defense
Background Information
Many organizations have multiple avenues for ensuring that they operate within their risk appetite. Organizations operating in a highly regulated environment in particular have a need to demonstrate that they have mitigated the many risks that threaten them to a reasonable level. To do so, they implement a technique of assurance layering to get the risk mitigation they need or desire.
One common example of this strategy is the Three Lines of Defense model. However, this is not the only model.
Utilize the KnowledgeLeader website and perform the following:
a. Authenticate to the KnowledgeLeader website using your username and password.
b. Perform research and identify alternative model(s) of assurance layering other than the Three Lines of Defense model. Compare and contrast the(se) model(s). How do they differ? How are they similar?
c. Submit a brief write-up indicating the results of your research to your instructor.