D&O Compass/ISS – Trends in Director Skill Sets – Starting to Include culture/HR, CSR or ESG . . . Non-Financial Skills

I found the following interesting from D&O Compass, as reported by Institutional Shareholder Services, Inc. – perhaps desired director skill sets are including or starting to include culture or HR, corporate social responsibility or ESG, and other non-financial skills and backgrounds.

But I am a bit curious about one of the comments: “. . . there is an ongoing director-level shift away from ‘traditional’ skills such as financial expertise, audit expertise, and CEO experience.” I would argue, however, that financial expertise, audit expertise, and CEO experience also can relate and be pertinent to culture or HR, corporate social responsibility, and ESG.

In fact, as you might know from my other posts and materials, it is not uncommon for the audit committee to be delegated initial risk management oversight (although in my view overall oversight of risk management remains as a board responsibility), and it has been my view that culture, corporate social responsibility and ESG, including governance, offer potential opportunities for internal audit and external audit to provide new and enhanced value-added services that could be helpful to management including executive management, the board, and audit or risk committees, and that those services could also benefit the organization as a whole and the shareholders. Please excuse the less-than-fantastic quality of the D&O Compass materials, as that was the best that could be done. Best to you, David Tate, Esq., San Francisco/California.

———————————————

Remember, every case and situation is different. It is important to obtain and evaluate all of the evidence that is available, and to apply that evidence to the applicable standards and laws. You do need to consult with an attorney and other professionals about your particular situation. This post is not a solicitation for legal or other services inside of or outside of California, and, of course, this post only is a summary of information that changes from time to time, and does not apply to any particular situation or to your specific situation. So . . . you cannot rely on this post for your situation or as legal or other professional advice or representation.

Thank you for reading this website. I ask that you also pass it along to other people who would be interested as it is through collaboration that great things and success occur more quickly.

Best to you, David Tate, Esq. (and inactive California CPA) – practicing in California only.

I am also the new Chair of the Business Law Section of the Bar Association of San Francisco.

Blogs: Trust, estate/probate, power of attorney, conservatorship, elder and dependent adult abuse, nursing home and care, disability, discrimination, personal injury, responsibilities and rights, and other related litigation, and contentious administrations http://californiaestatetrust.com; Business, D&O, board, director, audit committee, shareholder, founder, owner, and investor litigation, governance, responsibilities and rights, compliance, investigations, and risk management  http://auditcommitteeupdate.com

The following are copies of the tables of contents of three of the more formal materials that I have written over the years about accounting/auditing, audit committees, and related legal topics – Accounting and Its Legal Implications was my first formal effort, which resulted in a published book that had more of an accounting and auditing focus; Chapter 5A, Audit Committee Functions and Responsibilities, for the California Continuing Education of the Bar has a more legal focus; and the most recent Tate’s Excellent Audit Committee Guide (February 2017) also has a more legal focus:

Accounting and Its Legal Implications

Chapter 5A, Audit Committee Functions and Responsibilities, CEB Advising and Defending Corporate Directors and Officers

Tate’s Excellent Audit Committee Guide

The following are other summary materials that you might find useful:

OVERVIEW OF A RISK MANAGEMENT PROCESS THAT YOU CAN USE 03162018

Audit Committee 5 Lines of Success, Diligence, and Defense - David Tate, Esq, 05052018

COSO Enterprise Risk Management Framework ERM Components and Principles

From a prior blog post which you can find at https://wp.me/p75iWX-dk if the below scan is too difficult to read:

* * * * *

 

MITSloan online tool to measure and compare company cultures – you should be aware – comments and screenshot FYI

This came to my attention – MITSloan online tool to measure and compare company cultures. I have previously written about culture, which, for example, is also an element of the COSO ERM framework, and was considerably in the news in 2018, including at the board level. But as I noted: will culture continue to be in the news, and will executive management and boards really take active interest? Culture also is, or could be a component of ESG.

Now apparently, and coming soon I suspect, proposals for different ways to measure culture. One or possibly two standards that are widely accepted would be helpful. Too many possible standards are not helpful, except to argue that there is no recognized standard. Business leaders, executive management, HR, directors, audit and risk committees, internal and outside auditors, in-house counsel, etc., should take note and be aware.

Regarding internal and outside audit, I have thought for a long time that they could (if they wanted to) become involved in auditing, or in auditing certain aspects or components of or processes relating to culture, governance, risk management, fraud risk, etc. I could argue that the value of internal audit and of outside audit are being passed by others who are taking the lead.

And if you are on a board, or on an audit or risk committee, where you are significantly reliant on other people to report to you, might this type of information be helpful to you in your oversight capacity? I have no explicit knowledge about how MITSloan goes about measuring and comparing company cultures, and I don’t know whether I would consider the criteria and processes that they use to be reliable and helpful; however, might it be interesting to search to see if your company is listed and evaluated? Dave Tate, Esq., San Francisco/California


A Few Comments About Going Concern Uncertainties, CAMs, Etc.

I don’t hear or see much in the news about disclosures about an entity’s going concern, but I have a feeling that this is going to become a bigger issue for certain public companies, their boards and audit committees, and their auditors. Evaluating going concern is a complicated topic – thus, in this post I am highlighting one aspect, but an important aspect. See, FASB ASU No. 2014-15, and subsequent materials relating thereto. I suspect that most people would conclude that evaluating a potential issue relating to going concern involves, or depending on the circumstances could involve, especially challenging, subjective, or complex auditor judgment – thus, potentially raising critical audit matters or CAMs. Click on the following link  https://wp.me/p75iWX-fr for a prior summary post about CAMs. I digress here for one comment: in regard to CAMs, one might ask, for example, “When are the circumstances of an auditor’s judgment simply ‘challenging’ v. ‘especially challenging’”?

Going concern can generally be defined as an evaluation of the entity’s expected ability to continue as an ongoing viable going concern business entity within one year after the date that its financial statements are issued (or within one year after the date that the financial statements are available to be issued, when applicable). Thus, for example, obviously for some business entities it can become a question of liquidity or liquid assets v. rate of cash burn. For the purpose of this post, I am looking at this issue only from an accounting/auditing viewpoint. Many other issues can arise, such as, for example, possible shareholder, investor, and creditor rights, and possible officer, director, and shareholder or majority shareholder liability relating thereto.

Now to the single point of this post, ASU No. 2014-15 provides that when evaluating conditions and events as to whether there is substantial doubt about an entity’s ability to continue as a going concern, the “initial” evaluation does not take into consideration the potential effect of management’s plans that have not been fully implemented as of the date that the financial statements are issued (for example, the initial evaluation might not take into consideration plans to raise capital, borrow money, restructure debt, or dispose of an asset, that have been approved but that have not been fully implemented as of the date that the financial statements are issued). Again, I digress for one comment: in the above discussion, consider, for example, how to evaluate when a matter is “approved” v. “fully implemented.”

Importantly, I note, however, that later in the going concern evaluation process, mitigating factors should be taken into consideration including, for example, the probability that management’s plans will be effectively implemented within one year after the date that the financial statements are issued, and the probability that management’s plans, when implemented, will mitigate the relevant conditions or events that raise substantial doubt about the entity’s ability to continue as a going concern within one year after the date that the financial statements are issued. Thus, in the evaluation process there is a timing aspect to considering possible mitigating factors: first they are not considered, but subsequently they are considered including their probability of implementation and success. Obviously, the going concern evaluation can be or can become complicated.

With the development of CAMs, I am sensing that issues such as these will be discussed more in public and investor view.

Onward.


Forwarding a post by Eugene Fram – Nonprofit & Business Directors Must Be Vigilant – Board Liability Costs Could be $2.2 Million!

Below I have provided a link to a blog post by Eugene Fram. Eugene writes good materials for nonprofits. There have been rumblings for some time now about the possibility that a couple of states might start more actively overseeing nonprofits and their operations. And a few of the big players in the nonprofit community have suggested that more robust nonprofit governance might be beneficial. I ask that you click on the link below to Eugene’s post – although state action is unusual, the example situations that Eugene describes are less unusual. I am also updating my materials for nonprofit audit committees, which I will post soon.

Here is the link to Eugene’s post:  https://non-profit-management-dr-fram.com/2019/01/27/nonprofit-business-directors-must-be-vigilant-board-liability-costs-could-be-2-2-million-3/


Corporate, Business, Or Entity Culture – The Board’s Role And Knowledge About – From State Street

The following is a link to a January 2019, letter from State Street emphasizing and focusing on the business’s culture and how it adds value. The letter pertains to corporate culture because of the business in which State Street operates – but what we are really talking about is business or entity culture which includes public companies, private businesses, nonprofits, and governmental organizations and entities.

The letter is short and lacks detailed discussion about culture; however, I found interesting the attachment to the letter with possible questions that might be asked of the board members about the state of the business’s culture and the director’s knowledge thereof. I would assume that the majority of directors could not answer those questions with detail.

I also found it interesting that the letter differentiates culture from values, and instead focuses on culture’s impact on value. However, I would say that the business’s values drive and impact the business’s culture.

As culture has become a board topic (and apparently it might be here to stay), I would like to see additional, more specific discussions about how to evaluate and grade, and improve upon the organization or entity’s culture.

This definitely is a topic for the full board, but as it also falls into the category of risk management or ERM, this might also be on the plate of the risk management committee, if there is one, or on the plate of the audit committee to which risk management is often delegated (but let me also add, in my view, risk management is a topic for the entire board – if risk management is delegated to a committee, that committee should, nevertheless, report on risk management to the full board, for the full board’s consideration).

Here is the link to the State Street letter – be sure to read the attachment https://www.ssga.com/investment-topics/environmental-social-governance/2019/01/2019%20Proxy%20Letter-Aligning%20Corporate%20Culture%20with%20Long-Term%20Strategy.pdf


The following are a few additional materials for your consideration.

Tate’s Excellent Audit Committee Guide (02172017) – posted here, and being updated

Below I have provided a link to Tate’s Excellent Audit Committee Guide, which I last fully updated February 17, 2017. Since that time developments relating to various of the discussion topics have been posted to this blog. I am starting the process of fully updating the Guide. To be sure there have been changes and developments since February 17, 2017; however, I believe that you will still find the Guide useful.

Click on the following link to the February 17, 2017, Guide Tate’s Excellent Audit Committee Guide 02172017 with Appendix A-2

The following is a screenshot of the Guide’s cover:

Elon Musk / Tesla – purported SEC settlement, but corporate governance and board member judicial independence questions also remain

To say the least, it must have been a stressful couple of months for Tesla board members – how do you get your undisputed CEO leader and visionary to control himself, to take care of his mental and physical health, stop doing stupid or ill-advised things and making stupid or ill-advised public communications, and stop causing self-inflicted wounds? Or, at this point, how much do you need Mr. Musk to be the CEO of Tesla – can’t some other person take the helm – someone who is better qualified to build cars, and who also is an electric/battery power visionary? And where was the board in all of this? Well . . . we don’t know because they were silent to the public.  

You might have heard the news that the SEC filed suit against Mr. Musk last week as a result of an ill-advised and possibly unlawful public comment that he made. Yesterday (Saturday) I read two articles about possible settlement or actual settlement with the SEC. The following earlier-in-the-day article represents that Mr. Musk had rejected a settlement offer made by the SEC.  But please be aware that I never simply accept a news or other article as being correct – the article might be correct, or some of it might be correct, or none of it might be correct, you can be reasonably certain that the article is not entirely complete, and I also watch for the adjectives used and the opinions and conclusions reached as opposed to facts and whether or not those facts are supported with objective, credible evidence and sources. Thus, although I am using articles below, I am not representing or suggesting that they are correct or entirely correct. 

I found the first, earlier-in-the-day article interesting because of its discussion about the terms (presumably only some of the terms) of settlement purportedly offered by the SEC, and more interesting for the purported reasons why the settlement offer was rejected. The reasons for rejection, for example, do not include whether or not acceptance of the settlement would be in the best interests of Tesla and its stockholders. The reasons suggest that the settlement was rejected based on reasons personal to Mr. Musk, the reasons suggest a desire to maintain and not lose board control, and the reasons suggest a lack of board member involvement in whether or not the settlement should be accepted, and a lack of board member active diligent governance, oversight, and independence. Of course, obviously there are additional facts about which we are not aware.

In terms of board member independence, I am talking about possible lack of judicial independence, not independence as defined by stock exchange or similar rules, or whether or not the board member is an officer of Tesla. Board member judicial independence is an evolving and increasingly important attribute and evaluation – for example, does the board member truly diligently and prudently evaluate the issues at hand in the best interests of the stockholders and the company, and make decisions that are independent of the director’s self interests and independent of the director’s relationships with the executive officers and with the other directors. As you might be aware, judicial independence, for example, also takes into consideration business, financial, social, family, and friend interactions, relationships, and influences or pressures.

The following is the earlier-in-the-day article representing that settlement with the SEC was rejected and at least some of the purported reasons for the possible rejection – see a picture from the earlier-in-the-day first article below or  Click Here For Article

Musk reportedly doesn't settle with SEC

A later-in-the-day article then represented that settlement with the SEC had been accepted, and at least some of the purported terms of the settlement. I would view acceptance of the purported settlement as a good decision in the right direction for Tesla and its stockholders, and also for Mr. Musk. I will be interested in hearing who the two new directors will be, the process for and who nominates/selects the new directors and what Mr. Musk’s involvement will be in that process, and who the independent directors will be and whether they will be and are judicially independent as they should be judicially independent after taking into consideration the matters, issues and people over which they will have specific oversight and responsibility. See a picture from the later-in-the-day second article below or Click Here For Article

Musk reportedly settles with the SEC

Best to you, David Tate, Esq. (and inactive California CPA), Royse Law Firm, Menlo Park, California office, with offices in northern and southern California.  My blogs: trust, estate, elder abuse and conservatorship litigation http://californiaestatetrust.com, D&O, boards, audit committees, governance, etc. http://auditcommitteeupdate.com, workplace http://workplacelawreport.com


Disclaimer. This post is not a solicitation for legal or other services inside or outside of California, and also does not provide legal or other professional advice to you or to anyone else, or about a specific situation – remember that laws are always changing – and also remember and be aware that you need to consult with an appropriate lawyer or other professional about your situation. This post also is not intended to and does not apply to any particular situation or person, nor does it provide and is not intended to provide any opinion or any other comments that in any manner state, suggest or imply that anyone or any entity has done anything unlawful, wrong or wrongful – instead, each situation must be fully evaluated with all of the evidence, whereas this post only includes summary comments about information that may or may not be accurate and that most likely will change over time.

Discussions About The New COSO ERM Framework And Related Topics

By: David Tate, Esq., Royse Law Firm, Northern and Southern California (Silicon Valley/Menlo Park Office) http://rroyselaw.com/

I have pasted below four links in which the authors discuss enterprise risk management (ERM) and risk management, the new COSO ERM framework, and some aspects of internal audit.

I appreciate what the authors are discussing; however, my preference would have been to have more defined tasks or requirements in the new COSO ERM framework (I use the word “requirements” broadly because generally there is no mandated risk management framework that must be followed, although for some industries and businesses there are some risk management requirements that are mandated by law and which must be followed).

It is clear that whatever risk management framework or process a business uses will remain largely discretionary based on the business judgment of management and the board, and that in fact might be better for possible liability purposes; however, it is my belief that people and businesses usually will implement policies or processes or procedures (other than, for example, for how to design, develop and manufacture a product or service that they provide) if they are required to follow or adopt certain specific requirements by law, statute, regulation, or rule, or perhaps as required by the expectations of the community or stakeholders. That having been said, we are where we are on this. And it is now also generally accepted (and in some instances mandated) that a business will adopt and implement risk management, the board will oversee risk management, sometimes audit committees and/or risk committees are required to be involved in or oversee risk management, and in some businesses the board will delegate risk management oversight to a committee of the board, to the extent that risk oversight can be delegated (I would maintain that the board still must oversee risk management with the help of the committee and that the board cannot delegate its overall responsibility to oversee risk management).

In my view, the components and principles outlined in the new COSO ERM framework are essentially only broad in nature, which allows for each business to decide how to design and implement, etc., enterprise risk management based on the business judgment of management and the board of that particular business, in light of the business’ mission, core values, business objectives, strategies, and views and evaluations of related risks.

Let me also say this, I do appreciate that the first of the five core components in the new COSO ERM framework is Governance and Culture, and that the fifth of the five components is Information, Communication, and Reporting which also includes principle 19 (Communicates Risk Information) and principle 20 (Reports on Risk, Culture, and Performance). I believe that including governance, culture, communication and reporting (if they are adopted – remember, no specific framework is mandated) will help to move ERM and risk management to a more visible position. And, it is my belief, based on recent business, nonprofit, and governmental entity shortcomings and failures, that governance, culture, communication and reporting need to be moved more front and center. In fact, COSO listed governance and culture as the first of the five core components because governance and culture can be central to the entirety of the entity’s ERM.

The following are the links to the four enterprise risk management, etc., discussions that I mentioned at the beginning of this post, and below those links I have copied and pasted from my September 7, 2017, post in which I discussed the new COSO ERM framework and which you can also read at http://wp.me/p75iWX-aQ 

The following are the links to the four additional discussions:

https://wordpress.com/read/feeds/254243/posts/1619082863

https://iaonline.theiia.org/2017/Pages/COSO-ERM-Getting-Risk-Management-Right.aspx

https://normanmarks.wordpress.com/2017/09/29/should-you-adopt-the-updated-coso-erm-framework-my-assessment/

https://www.protiviti.com/US-en/insights/bulletin-vol6-issue8?utm_medium=social&utm_source=ProSocial

COSO ERM Framework – Enterprise Risk Management – Integrating with Strategy and Performance (five components, and twenty principles)

I.  Governance and Culture Component:

Supporting Principles:

  1. Exercises Board Risk Oversight
  2. Establishes Operating Structures
  3. Defines Desired Culture
  4. Demonstrates Commitment to Core Values
  5. Attracts, Develops, and Retains Capable Individuals

II.  Strategy and Objective-Setting Component:

  1. Analyzes Business Context
  2. Defines Risk Appetite
  3. Evaluates Alternative Strategies
  4. Formulates Business Objectives

III.  Performance Component:

  1. Identifies Risk
  2. Assesses Severity of Risk
  3. Prioritizes Risks
  4. Implements Risk Responses
  5. Develops Portfolio View

IV.  Review and Revision Component:

  1. Assesses Substantial Change
  2. Reviews Risk and Performance
  3. Pursues Improvement in Enterprise Risk Management

V.  Information, Communication, and Reporting Component:

  1. Leverages Information and Technology
  2. Communicates Risk Information
  3. Reports on Risk, Culture, and Performance

Enterprise Risk Management (ERM) and internal controls work together and should complement each other. The following is the broad outline of the COSO 2013 Internal Control Framework.

Sarbanes-Oxley section 404 requires public company management and its external auditors to attest to the design and operating effectiveness of a company’s internal control over external financial reporting. Internal controls should also be designed and implemented for private company, nonprofit and governmental entities.

COSO 2013 Internal Control Framework – 5 Components, and 17 Principles

1.  Control Environment Component:

Mandatory Principles

  1. Demonstrate commitment to integrity and ethical values.
  2. Board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  3. Management establishes, with board oversight, structures and reporting lines and appropriate authorities and responsibilities in the pursuit of objectives.
  4. Demonstrate commitment to attract, develop and retain competent individuals in alignment with objectives.
  5. Hold individuals accountable for their internal control responsibilities in the pursuit of objectives.

2.  Risk Assessment Component:

Mandatory Principles

  1. Specify objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  2. Identify risks to the achievement of its objectives across the entity and analyze risks as a basis for determining how the risks should be managed.
  3. Consider the potential for fraud in assessing risks to the achievement of objectives.
  4. Identify and assess changes that could significantly impact the system of internal control.

3.  Control Activities Component:

Mandatory Principles

  1. Select and develop control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  2. Select and develop general control activities over technology to support the achievement of objectives.
  3. Deploy control activities through policies that establish what is expected and procedures that put policies into action.

4.  Information & Communication Component:

Mandatory Principles

  1. Obtain or generate and use relevant, quality information to support the functioning of internal control.
  2. Internally communicate information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  3. Communicate with external parties regarding matters affecting the functioning of internal control.

5.  Monitoring Activities Component:

Mandatory Principles

  1. Select, develop and perform ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
  2. Evaluate and communicate internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

The Business Judgment Rule

The business judgment rule also is relevant on these topics (from Tate’s Excellent Audit Committee Guide). The business judgment rule provides a director with a defense to personal liability, holding that as a general principle of law, a director, including a director who serves as a member of a board committee, who satisfies the business judgment rule has satisfied his or her duties. Thus, the business judgment rule provides one standard of care, although other standards may very well also apply to specific tasks and responsibilities. The business judgment rule provides a very good overall approach for directors and audit committee members to follow, although the rule itself is lacking in specific detail. In some states the business judgment rule is codified by statute while in other states the rule is established by case law (see, e.g., Cal. Corp. Code §309 for California corporations, Del. Gen. Corp. Law §141 for Delaware corporations, in addition to relevant case law). The rule also applies to directors as board committee members.

The Business Judgment Rule

In summary, as a general principle the business judgment rule provides that a director should undertake his or her duties:

-In good faith, with honesty and without self-dealing, conflict or improper personal benefit;

-In a manner that the director reasonably believes to be in the best interests of the corporation and its shareholders; and

-With the care, including reasonable inquiry, that an ordinarily prudent person in a like position with like expertise would use under similar circumstances. The rule itself doesn’t require a particular level of expertise, knowledge or understanding; however, as you might be aware, public company audit committee members do have such a requirement, and you can at least argue that, depending on the facts and circumstances, a board or committee member should have or should obtain a certain unspecified level of knowledge or understanding to be sufficiently prepared to ask questions, evaluate information provided, and make decisions.

Reliance Upon Other People Under the Business Judgment Rule

In the course and scope of performing his or her duties, a director must necessarily obtain information from and rely upon other people. An independent director is not involved in the day-to-day operations of the business. The director provides an oversight function. Pursuant to the business judgment rule, a director is entitled to rely on information, opinions, reports or statements, including financial statements and other financial data, prepared or presented by any of the following:

-Officers or employees of the corporation whom the director reasonably believes to be reliable and competent in the relevant matters;

-Legal counsel, independent accountants or other persons as to matters that the director reasonably believes are within the person’s professional or expert competence; or

-A committee of the board on which the director does not serve, as to matters within that committee’s designated authority, so long as the director acts in good faith, after reasonable inquiry as warranted by the circumstances, and without knowledge that would cause reliance to be unwarranted.

David Tate, Esq., Royse Law Firm, California (Silicon Valley/Menlo Park office), with additional offices in San Francisco, Los Angeles and Orange County, http://rroyselaw.com/

* * * * *

New COSO ERM Framework – Enterprise Risk Management – Integrating with Strategy and Performance; COSO 2013 Internal Control Framework; the Business Judgment Rule

You may have heard or seen that the new COSO ERM Framework is out as of a day or two ago – Enterprise Risk Management – Integrating with Strategy and Performance. This is a project that COSO announced on October 21, 2014, so it has been a long time in the works. The original (first) framework was issued in 2004. Below I have provided the bare bones outline for the new ERM Framework, in addition to the bare bones outline for the COSO 2013 Internal Control Framework, and a summary of the business judgment rule. Why did I provide all three? Because for boards and audit committees, and for business entities and their executive officers, and sometimes for the employees also, all three are, or should be, tied together.

I will be commenting about and outlining the ERM Framework in detail in later posts (after I have had time to evaluate the detailed materials, and discuss them with colleagues). For now, all I can give you is the outline below. I do note – and I’m not being negative about this – that I have some concern that the five concepts and twenty principles, with the detail added, might be a lot for some small and mid-sized business entities, nonprofits and governmental entities to handle. But it is what it is. And as you may know, although it is now recognized that boards are responsible for oversight of risk management, many audit committees are responsible for risk management oversight pursuant to statute, regulation, or exchange requirements, and a typical audit committee charter lists oversight of risk management as an area of responsibility, generally there is no legally required or mandated risk management framework or process, although some industries (such as banks, for example) are heavily regulated for risk management purposes. It is possible that the new COSO ERM Framework will become the accepted framework to follow, although other frameworks do exist.

COSO (the Committee of Sponsoring Organizations of the Treadway Commission) is a private sector initiative, jointly sponsored and funded by the American Accounting Association, American Institute of Certified Public Accountants, Financial Executives International, Institute of Management Accountants, and The Institute of Internal Auditors.

The new COSO ERM Framework is organized into five interrelated primary or core components, which are supported by a set of twenty principles. The following is a broad outline of the five components and twenty principles. And as I stated above, in later posts I will be adding considerable detail. Below I have also provided an outline for the COSO 2013 Internal Control Framework, and a discussion about the business judgment rule.

Thanks for reading. David Tate, Esq., Royse Law Firm, Menlo Park office, with offices in the San Francisco Bay Area and Los Angeles

 

COSO ERM Framework – Enterprise Risk Management – Integrating with Strategy and Performance (five components, and twenty principles)

I.  Governance and Culture Component:

Supporting Principles:

  1. Exercises Board Risk Oversight
  2. Establishes Operating Structures
  3. Defines Desired Culture
  4. Demonstrates Commitment to Core Values
  5. Attracts, Develops, and Retains Capable Individuals

II.  Strategy and Objective-Setting Component:

  1. Analyzes Business Context
  2. Defines Risk Appetite
  3. Evaluates Alternative Strategies
  4. Formulates Business Objectives

III.  Performance Component:

  1. Identifies Risk
  2. Assesses Severity of Risk
  3. Prioritizes Risks
  4. Implements Risk Responses
  5. Develops Portfolio View

IV.  Review and Revision Component:

  1. Assesses Substantial Change
  2. Reviews Risk and Performance
  3. Pursues Improvement in Enterprise Risk Management

V.  Information, Communication, and Reporting Component:

  1. Leverages Information and Technology
  2. Communicates Risk Information
  3. Reports on Risk, Culture, and Performance

 

Enterprise Risk Management (ERM) and internal controls work together and should complement each other. The following is the broad outline of the COSO 2013 Internal Control Framework.

Sarbanes-Oxley section 404 requires public company management and its external auditors to attest to the design and operating effectiveness of a company’s internal control over external financial reporting. Internal controls should also be designed and implemented for private company, nonprofit and governmental entities.

COSO 2013 Internal Control Framework – 5 Components, and 17 Principles

1.  Control Environment Component:

Mandatory Principles

  1. Demonstrate commitment to integrity and ethical values.
  2. Board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  3. Management establishes, with board oversight, structures and reporting lines and appropriate authorities and responsibilities in the pursuit of objectives.
  4. Demonstrate commitment to attract, develop and retain competent individuals in alignment with objectives.
  5. Hold individuals accountable for their internal control responsibilities in the pursuit of objectives.

2.  Risk Assessment Component:

Mandatory Principles

  1. Specify objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  2. Identify risks to the achievement of its objectives across the entity and analyze risks as a basis for determining how the risks should be managed.
  3. Consider the potential for fraud in assessing risks to the achievement of objectives.
  4. Identify and assess changes that could significantly impact the system of internal control.

3.  Control Activities Component:

Mandatory Principles

  1. Select and develop control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  2. Select and develop general control activities over technology to support the achievement of objectives.
  3. Deploy control activities through policies that establish what is expected and procedures that put policies into action.

4.  Information & Communication Component:

Mandatory Principles

  1. Obtain or generate and use relevant, quality information to support the functioning of internal control.
  2. Internally communicate information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  3. Communicate with external parties regarding matters affecting the functioning of internal control.

5.  Monitoring Activities Component:

Mandatory Principles

  1. Select, develop and perform ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
  2. Evaluate and communicate internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

 

The Business Judgment Rule

The business judgment rule also is relevant on these topics (from Tate’s Excellent Audit Committee Guide). The business judgment rule provides a director with a defense to personal liability, holding that as a general principle of law, a director, including a director who serves as a member of a board committee, who satisfies the business judgment rule has satisfied his or her duties. Thus, the business judgment rule provides one standard of care, although other standards may very well also apply to specific tasks and responsibilities. The business judgment rule provides a very good overall approach for directors and audit committee members to follow, although the rule itself is lacking in specific detail. In some states the business judgment rule is codified by statute while in other states the rule is established by case law (see, e.g., Cal. Corp. Code §309 for California corporations, Del. Gen. Corp. Law §141 for Delaware corporations, in addition to relevant case law). The rule also applies to directors as board committee members.

The Business Judgment Rule

In summary, as a general principle the business judgment rule provides that a director should undertake his or her duties:

-In good faith, with honesty and without self-dealing, conflict or improper personal benefit;

-In a manner that the director reasonably believes to be in the best interests of the corporation and its shareholders; and

-With the care, including reasonable inquiry, that an ordinarily prudent person in a like position with like expertise would use under similar circumstances. The rule itself doesn’t require a particular level of expertise, knowledge or understanding; however, as you might be aware, public company audit committee members do have such a requirement, and you can at least argue that, depending on the facts and circumstances, a board or committee member should have or should obtain a certain unspecified level of knowledge or understanding to be sufficiently prepared to ask questions, evaluate information provided, and make decisions.

Reliance Upon Other People Under the Business Judgment Rule

In the course and scope of performing his or her duties, a director must necessarily obtain information from and rely upon other people. An independent director is not involved in the day-to-day operations of the business. The director provides an oversight function. Pursuant to the business judgment rule, a director is entitled to rely on information, opinions, reports or statements, including financial statements and other financial data, prepared or presented by any of the following:

-Officers or employees of the corporation whom the director reasonably believes to be reliable and competent in the relevant matters;

-Legal counsel, independent accountants or other persons as to matters that the director reasonably believes are within the person’s professional or expert competence; or

-A committee of the board on which the director does not serve, as to matters within that committee’s designated authority, so long as the director acts in good faith, after reasonable inquiry as warranted by the circumstances, and without knowledge that would cause reliance to be unwarranted.

That’s it for now. Thanks for reading. Much, much more to come on these topics. David Tate, Esq., Royse Law Firm, Menlo Park office, with offices in the San Francisco Bay Area and Los Angeles

* * * * *

Updated Mediation and Dispute Resolution Questionnaire Attached

Greetings all. I have updated my mediation and dispute resolution questionnaire, which is a document that I wrote and use to obtain information that is helpful to facilitate dispute and case settlement. Click on the following link for the pdf, and go ahead and use the questionnaire and pass it to other people as you wish. Thank you. David Tate

Here is the link for the questionnaire: Mediation and Dispute Resolution Questionnaire, David Tate, Esq. 07302017

Here is a link to the Royse Law Firm, PC http://rroyselaw.com/