7.3 Corporate Governance, Internal Control & Responsibility

Key Takeaways

  • Corporate governance assigns oversight to the board of directors, with the audit committee (independent members) overseeing financial reporting and auditors.
  • The COSO Internal Control–Integrated Framework has five components: control environment, risk assessment, control activities, information & communication, and monitoring.
  • SOX Section 302 requires CEO/CFO certification of reports; Section 404 requires management to assess and report on internal control over financial reporting (ICFR).
  • Segregation of duties separates authorization, recordkeeping, and custody of assets to prevent one person from committing and concealing fraud.
  • Corporate social responsibility and sustainability reporting extend accountability to environmental, social, and governance (ESG) stakeholders.
Last updated: June 2026

Corporate Governance

Corporate governance is the system of structures and processes by which a company is directed and controlled, balancing the interests of shareholders, management, and other stakeholders. It addresses the agency problem: managers (agents) may act in their own interest rather than the owners' (principals').

Key Players

  • Board of directors — elected by shareholders to oversee management, set strategy, and hire/monitor the CEO. A majority of independent (outside) directors strengthens objectivity.
  • Audit committee — a subcommittee of independent board members that oversees financial reporting, internal control, and the relationship with the external and internal auditors. Under SOX, at least one member should be a financial expert.
  • Management — runs operations and is responsible for designing and maintaining internal control.

Good governance also relies on aligned incentives (compensation tied to long-term value, not short-term earnings), transparency to shareholders, and accountability mechanisms such as say-on-pay votes and clawback provisions. Weak governance — a CEO who also chairs the board, a passive audit committee, or directors lacking independence — is itself a fraud red flag the exam may describe.

The COSO Internal Control–Integrated Framework

Internal control is defined by the Committee of Sponsoring Organizations (COSO) as a process providing reasonable assurance over three objectives: operations (effectiveness/efficiency), reporting (reliable reporting), and compliance (laws and regulations). The framework specifies five components — memorize them in order:

  1. Control environment — the "tone at the top": integrity, ethical values, board oversight, and accountability. It is the foundation for all other components.
  2. Risk assessment — identifying and analyzing risks to the objectives, including the risk of fraud.
  3. Control activities — the policies and procedures (approvals, reconciliations, segregation of duties) that mitigate risk.
  4. Information & communication — capturing and sharing relevant information internally and externally.
  5. Monitoring — ongoing and separate evaluations to confirm controls operate as intended.

A common memory device is "CRIME": Control environment, Risk assessment, Information & communication, Monitoring, and control activities (supplying the E) — but the cleanest approach is to recall the foundation (control environment) first and monitoring last. The 2013 update added 17 principles mapped to the five components, and clarified that all components and relevant principles must be present and functioning for a system of internal control to be deemed effective.

Component                   | Core idea
Control environment         | Tone at the top; foundation
Risk assessment             | Identify and analyze threats
Control activities          | Approvals, reconciliations, SoD
Information & communication | Relevant, timely data flow
Monitoring                  | Evaluate that controls work

Internal control provides only reasonable assurance, not absolute — collusion and management override remain inherent limitations.

Note the related but separate COSO ERM framework (Enterprise Risk Management), tested in the Risk Management domain. ERM is broader: it links risk to strategy and performance across the whole entity, while the Internal Control framework focuses on the three control objectives. Do not confuse the five internal-control components above with the ERM components; an MCQ may list ERM elements (such as governance and culture, or strategy and objective-setting) as distractors for an internal-control question.

Sarbanes-Oxley (SOX)

The Sarbanes-Oxley Act of 2002 was the U.S. response to Enron and WorldCom. Two sections are heavily tested.

  • Section 302 — the CEO and CFO must personally certify each quarterly and annual report: that they reviewed it, that it contains no material misstatements, and that they are responsible for disclosure controls.
  • Section 404 — management must assess and report on the effectiveness of internal control over financial reporting (ICFR), and the external auditor of a large filer must attest to it.

Other provisions: SOX created the PCAOB to oversee auditors, restricted non-audit services auditors may provide, and imposed criminal penalties. Distinguish 302 (certify the report) from 404 (assess ICFR) — a frequent MCQ swap.

Two more sections appear on exams. Section 906 attaches criminal penalties to a knowingly false certification (fines and prison). Section 301 requires the audit committee to be independent and to establish procedures for handling complaints, including anonymous whistleblower submissions. SOX applies to U.S. public companies; private firms are not bound but often adopt its controls voluntarily as best practice and to prepare for an eventual IPO.

Segregation of Duties and Social Responsibility

Segregation of Duties (SoD)

A core control activity: no single person should control more than one of authorization, recordkeeping, and custody of assets (sometimes a fourth, reconciliation, is separated too). Splitting these prevents one employee from both committing and concealing fraud. Where staffing is too small to separate duties, compensating controls such as management review are used.

Corporate Social Responsibility and Sustainability

Corporate social responsibility (CSR) extends accountability beyond shareholders to society and the environment, often framed as the triple bottom line: people, planet, profit. Sustainability / ESG reporting discloses environmental, social, and governance performance using frameworks such as GRI, SASB, or the ISSB/TCFD climate standards.

Management accountants increasingly prepare and assure these reports, applying the same credibility and disclosure standards they apply to financial data. Reliable, decision-useful sustainability data is now a governance and investor-relations priority, not a public-relations afterthought.

Test Your Knowledge

Under the Sarbanes-Oxley Act, which section specifically requires management to assess and report on the effectiveness of internal control over financial reporting (ICFR)?

Test Your Knowledge

Which is the foundational component of the COSO Internal Control–Integrated Framework, setting the tone at the top for all other components?
