Deck 7: Risk Management and Internal Control

Identify at least four questions that managers charged with risk management responsibility should be able to answer.

Answers will vary, however, key personnel responsible for managing risk (such as senior management, CEO, CFO, COO) should be able to answer questions like these:
(1) How do you identify risks that need to be addressed?
(2) How do you assess and prioritize the significance of risks?
(3) What information and reports do you use to monitor important risks? Who produces the information? How reliable and timely is the information?
(4) How do you decide what action to take in response to an identified risk?
(5) When are superiors or personnel from other areas involved in responding to a risk?
(6) How responsive are others to risks you identify?
(7) Are resources adequate (time, budget, qualified personnel) for effectively responding to risks on a timely basis?

Describe two potential problems the auditor may encounter when examining performance indicators.

a. Auditors must rely on the organization to provide appropriate data. Therefore, the auditor is limited to the data maintained by the client and useful measures might not always be available. A lack of appropriate performance indicators provides an indication that management of a process may not be effective.
b. Auditors must have assurance that the underlying performance measurement data are reliable. If data are unreliable, the auditor will find performance data a poor source of analytical evidence.

Why is identifying the appropriate person to question an important part of the auditor's evaluation of management control?

Managers in different departments will be responsible for different aspects of managing risk. In addition to interviewing the senior manager ultimately responsible for managing risk, the auditor should discuss controls with each manager who is closest to the risk in each particular process. These process owners are responsible for managing a process within the organization. Often, the appropriate persons to interview are outside the accounting and finance area and may be in such diverse functions as research and development, personnel, or manufacturing. By talking to multiple managers about the same risks, and obtaining supporting documentation whenever possible, the auditor can develop a relatively complete picture of the quality of management controls. In general, the auditor directs inquiries to those likely to possess the pertinent knowledge and those in a position to lose the most should their assertions prove false.

Consider a retail chain, such as Wal-Mart, that hires a large number of unskilled employees, many of whom are relatively young. Accordingly, there is a high turnover rate at most restaurants. Considering the many challenges of a young, transient, unskilled workforce, describe examples for each of the types of control activities likely to be in place for employees in Wal-Mart stores.

Describe the importance to organizational internal control of the control environment or "tone at the top"

Why is the evaluation of risk assessment critical to the auditor's understanding of risk? What should the auditor consider and why?

Describe the auditor's use of performance indicators to assess whether process risks are an immediate threat.

What conditions can limit the effectiveness of management controls?

Define management controls and describe what they should accomplish with respect to the other components of internal control.

In a data processing environment, what duties should be handled separately?

Describe the current trend of linking information systems across organizations and how it changes the way that auditors think about documents and organizational boundaries.

Explain the importance of the concept of segregation of duties and give examples of common problems with segregation of duties.

Describe three types of application controls in which an auditor is particularly interested.

U.S. coal companies are under a higher level of scrutiny because of injuries and deaths associated with mine operations in recent years. Coal companies encounter major process risks associated the extraction of coal from the ground. For each of the risks listed, identify controls for each process risk and possible performance measures that might signal control effectiveness or the level of residual risk.

Define internal control and its purpose, and describe the auditor's responsibility with respect to internal control.

Compare and contrast general controls and application controls.

Performance indicators are important for assessing whether any identified process risks are currently a significant problem. Problems may arise because risks are not effectively controlled or controls are not operating effectively. For each of the following process risks associated with an automotive manufacturer, like DaimlerChrysler, provide examples of measures that can be used as performance indicators.

The text describes management controls that may be relevant for the audit including: Top-level reviews, direct activity management, performance indicators and bench-marking, and independent evaluation. Describe examples of each of these for an automotive manufacturer.

Why must the auditor obtain evidence to support the conclusion that controls are effective, even if management controls appear to be effective? How is this done?

What are the indications of an effective control environment?