Managing Risk: The Role of Auditing and Assurance
1. Good corporate governance will lead a company to achieve its objectives. This
occurs by identifying and taking advantage of opportunities and identifying and
managing risks. COSO’s 2004 ERM – Integrated Framework provides a basis
for managing a company’s strategic, operating, reporting and compliance risks.
The strength of an organization’s internal environment is driven by strong
corporate governance, and effective monitoring processes should include board
involvement, for example.
2. The five elements of COSO’s Internal Control Framework over Financial
Reporting are: control environment, risk assessment, control activities,
information and communication, and monitoring, which are defined below.
a. Control environment: The general environment in which internal control
will operate including the attitudes and competence of management and
employees of the organization.
b. Risk assessment: The activities the organization performs to identify,
assess, and prioritize risks. A breakdown in identifying or prioritizing risk
will probably have a negative impact on the performance of the
c. Control activities: The activities the organization performs to reduce the
effect of risk on its performance. The range of possible control activities
in any organization is extremely broad and depends on the nature of the
environment and risks that are of concern.
d. Information and communications: The production and distribution of
information necessary for effective internal control.
e. Monitoring: The oversight of internal control to determine if it is effective.
Though small, a community bank can still have a policy on ethical behavior which
is conveyed by the leadership and bought into by the employees. COSO’s ERM
framework should be applied to manage risks. Control activities should be
particularly tight to safeguard the cash and recording of cash transactions; cash is
susceptible to theft – it is highly liquid, easily convertible, transportable, and
untraceable. Management needs information on deposits, withdrawals, bank
charges, loan activity etc. on a regular basis. Bank expenses should be compared
with budgeted expenses on a periodic basis. Monitoring should be performed by
the Board, the management on hand at the bank, and any internal, external, state
or federal bank auditors.
3. Monitoring and auditing are overlapping concepts but are also different concepts.
Monitoring, as restrictively defined by COSO, reflects an oversight over internal
controls. Of course, COSO defines internal control broadly including financial
reporting, operations, and compliance. Auditing is also much broader than
financial statement auditing, including compliance, operational, financial,
environmental, fraud, and IT audits. The primary difference in the terms is that
audits typically involve a more detailed investigation and scrutiny than is
suggested by the term monitoring. Financial statement audits have traditionally
focused on attesting to the financial statements with the evaluation of internal
controls being an optional subobjective of that goal. Since Sarbanes-Oxley, this is
only true for private companies.
4. Strategies are implemented to achieve an organization’s objectives. Similarly,
internal controls also serve to achieve the organization’s objectives. A strategy
might involve a totally new path such as opening a new chain of stores in
Southeastern US to take advantage of an opportunity. Internal controls are
typically instituted to maintain and improve existing systems to deal with risks.
5. The control environment is a critical part of any audit concerned with
management fraud. The attitudes and values of upper management and its ability
to effectively convey those values to employees and get them to buy into them
greatly influence internal control. Also, the ability to hire, motivate and retain
competent, trustworthy employees can have a pervasive effect on the
organization’s internal controls and financial reporting system.
6. The auditor’s report on the financial statements uses the International Reporting
Standards adopted by the European Union for evaluation. The opinion was signed
by PricewaterhouseCoopers LLC. The Corporate Responsibility Report used
AA1000 assurance standard as the criteria for evaluation and was signed by five
individuals from presumably independent organizations. The reviewers of the
responsibility report indicated that they inquired with management in obtaining
evidence about the report. An audit would entail the gathering of much more
extensive and reliable evidence to support management’s assertions in the
financial statements. Previously, Shell’s CRR report was verified by both
PricewaterhouseCoopers and KPMG, but they moved to an external committee
presumably because of the perceived expertise and credibility of the experts
relative to the public accounting firms.
7. The audit failures which are highly publicized typically involve management
fraud. Recognition of this led the profession to begin assessing the control
environment. This requires that the auditor formally consider the nature of the
CEO and upper management. Prior to the promulgation of SAS 55 in 1987,
reviews of internal control did not formally consider the possibility that the CEO,
who in those times basically appointed the external auditor, could be a fraudster.
Assessing the control environment requires an evaluation of the nature of upper
management and the corporate culture. What are the attitudes and values of
management? Has the leadership developed policies on ethical behavior,
disseminated that policy and gotten employees to buy into them? Do Human
Resources have appropriate policies to hire, motivate and retain competent,
trustworthy employees? Is management’s style autocratic, decision making
centralized and/or powerful incentives distributed based on the achievement of
accounting numbers? Or is the style more hands-off, which could entail another
set of risks?
Screening new clients is essential to obtaining a client portfolio with the preferred
8. In the traditional audit, auditors were required to understand and evaluate internal
controls but were not required to test or report on them. Internal control testing
was utilized for the audit to substitute for substantive testing when the controls
were judged to be effective. The integrated audit requires that management’s
assertions about the effectiveness of the internal control system be tested,
evaluated, and reported upon. Should the auditors find that the controls are
effective, they are still able to use tests of controls to justify reduced substantive
testing as under traditional audit approaches.
9. In phase one of the integrated audit, the auditor must devise a plan to obtain
sufficient competent evidence to support an opinion on both the financial
statements and management’s assertions about the effectiveness of internal
control over financial reporting. In phase two, the auditor collects the necessary
evidence to corroborate management’s assertions in the financial statements and
its report on internal control effectiveness. The planning phase has become more
significant through time, but it is the evidence gathering phase that is the most
expensive and labor intensive.
10. Internal control, as defined by COSO, includes controls over financial reporting,
operations, and compliance. The ERM framework also assesses a firm’s strategic
risks which are not encompassed in its internal control framework. In other
words, the internal controls under COSO’s 1992 framework are a subset of
controls as described under the 2004 ERM framework.
1. a. Critical business risks of an Internet dating service include the following:
New entrants to the market and fierce competition
Unauthorized access to the database
Lack of fit between clients
Insufficient advertising to cover database maintenance costs
Liability for personal harm caused to a client on a date from the database
Negative public perception of industry
Misrepresentation by clients in database
b. Controls to mitigate risks:
Managers with integrity
Secure access–password protected, firewalls, etc.
Public relations business process
Competitor database maintained
Research and development business process
Targeted marketing to increase probability of client fit
Private security investigations of client information
Assurance service to attest to representations contained in database
Paid chaperones to escort clients on first dates
Regulations impacting industry practices
Information technology consulting to improve database
Advertisers encouraging use of website
2. a. financial statements
b. reliability of information and control systems
c. compliance with laws, regulations, and contractual obligations
d. compliance with laws, regulations, and contractual obligations
e. financial statements or reliability of information and control systems
f. effectiveness and efficiency of operations
g. effectiveness and efficiency of operations
h. compliance with laws, regulations, and contractual obligations
i. relevance and context of business risk management process
j. relevance and context of business risk management process
3. Strategic risk: a competitor with a well-established brand name opens
shop across the street
Operations risk: Major clients are in an industry that is experiencing a
major downturn and business failures.
Reporting risk: The firm’s attorney is 49% sure that it will prevail in a
lawsuit. However, because the loss is not probable, the liability is not
Compliance Risk: The managing partner learns that the engagement
partner for Enron, David Dinkins, has just shredded all documents relevant
to the investigation.
4. The answer given will depend on the risk identified. What follows is an
example of a hypothetical risk. Suppose they are concerned that they will
lose customers due to problems with shipping.
Risk Identification: Shipping risk (e.g., shipping too slow, shipping costs
too high, damage in shipment, goods stolen in shipment, insurance
Management Response: Provide a forced response interface requiring
customers to indicate the mode of shipment desired. Allow them to enter
their zip code to precisely determine the shipping cost to them. Make
insurance on the jewelry shipment mandatory. Jewelry cases must have
structural integrity and packing material must be adequate.
Information Reliability: Have credit card information verified with a
credit service or require that they use a third-party service (e.g., PayPal).
Performance Results: Obtain feedback from customers on the quality of
the shipment and the cost of handling
Reaction by management: If carriers are unreliable, which delays shipment,
results in damage and returns, or are not competitive cost-wise, then
management should consider other alternatives.
5. a. IBM
Mission Statement: At IBM, we strive to lead in the creation,
development, and manufacture of the industry’s
most advanced information technologies, including
computer systems, software, networking systems,
storage devices, and microelectronics. We translate
these advanced technologies into value for our
customers through our professional solutions and
business services worldwide.
Business Objectives: Be recognized as market leader in creating and
selling information technology.
Provide expert solutions for information technology
issues to customers.
Strategic Risk: Remaining a leader in the competitive information
technology industry is uncertain.
If the technology is not cutting edge, demand for its
solutions will fall. Customer relationships must be
Significance of Risk: IBM’s position is well entrenched, which is why it
was sued for antitrust in the 70s and 80s. Still, there
is always a low risk that they will miss a turn in the
road, as with the PC.
The solutions proposed might become outdated or
the means for communicating these solutions may
not be as effective as a competitor.
b. YUM Brands (Pizza Hut/Taco Bell/KFC)
Mission Statement: Put a YUM on people’s faces around the
world…that special eating experience that makes
you smile and creates lifelong customers. Food you
crave. Comeback value. Customer-focused teams.
Business Objectives: Satisfy customer needs for food that is craved.
Create loyal customers.
Strategic Risks: Customer tastes may change
Customers may become more fickle with a wider
range of competitors.
Significance of Risk: Medium risk. Research studies warning about the
risks of salt could affect all these brands.
Medium risk. The range of restaurants and cuisines
poses an ongoing risk for a restaurant with a static
Mission Statement: Improve the quality of people’s lives through the
timely introduction of technological innovations.
Business Objectives: We will be a leading solutions provider in the areas
of healthcare, lifestyle and enabling technology
We will stay abreast of the latest technologies
Strategic Risks: Healthcare, lifestyle and enabling technologies may
wane in their importance
Significance of Risk: Low. Healthcare, lifestyle and enabling
technologies should remain in demand as the
Medium. Technological innovations will always be
in demand but it is not clear that Philips will be the
d. Procter & Gamble
Mission Statement: We will provide products of superior quality and
value that improve the lives of the world’s
consumers. As a result, consumers will reward us
with leadership sales and profit growth, allowing
our people, our shareholders, and the communities
in which we live and work to prosper.
Business Objectives: Be the market share leader for consumer products
offered by the company.
Maximize shareholder value.
Strategic Risks: Saturation of market
Risk a product might harm people
Significance of Risks: Low. The global market place is far from saturated.
Low. Most of P&G’s products are relatively safe
and time tested. New consumers in different
countries might have a different experience
e. The Walt Disney Company
Mission Statement: Disney’s overriding objective is to create
shareholder value by continuing to be the world’s
premier entertainment company from a creative,
strategic, and financial standpoint.
Business Objectives: Be perceived as the most creative entertainment
Maximize shareholder value through financial
performance and intangibles.
Strategic Risks: New competitors, new technology
Taste for existing products might change.
Significance of Risks: Medium. The number of competitors in children’s
movies and theme parks is growing.
Low. Bambi is not MTV but its appeal cuts across
6. a. McDonald’s
Avoidance: McDonald’s does not sell roast beef products (like
Hardee’s), possibly because they do not have a process for
incorporating the necessary equipment to efficiently serve
Insurance: McDonald’s likely carries liability insurance policies
regarding lawsuits stemming from spoiled food served to
customers. Several years ago, Burger King suffered losses
when a supplier delivered meat tainted with E. coli to
Reduction: McDonald’s has strict operating policies for its franchises
to help ensure that the product tastes the same in all of its
locations. Specific equipment must be purchased by
franchisees and preparation procedures must occur
according to a formal plan.
Acceptance: McDonald’s issues franchises instead of owning
restaurants. An inherent risk of franchising is placing
control of operations in the hands of franchisees all over the
world. Should franchises not follow established policies,
the trademark can be negatively impacted from associated
Insurance: Nike more than likely carries significant liability insurance
related to the production and sale of its sporting equipment.
Should an athlete be seriously injured while wearing the
company’s shoes or using its equipment, the possibility
exists that injured parties will involve the company in a
Reduction: Nike has been involved in a scandal involving the
production of its products in underdeveloped countries,
where employees are often young and paid an extremely
low wage. Rather than discontinue production in these
countries, Nike has chosen to implement a series of
controls and policies aimed at improving the working
conditions and preventing any further problems in the
future. The company has even invited its key alliance
athlete, Michael Jordan, to become involved in the
monitoring process. Jordan has thus far chosen not to be
involved in this situation because of other commitments.
Acceptance: Nike elevated the trend of creating alliances with athletes to
wear and promote its products. Knowing that many of
these 18- to 25-year-old millionaires are prone to engage in
unlawful and questionable acts, Nike has accepted the
associated risks by continuing to increase the number of
athletes with which the company has contracts.
Occasionally, athletes cross the line of acceptability,
however, (Atlanta Falcons safety Eugene Robinson’s
solicitation of a prostitute the week prior to the Super Bowl
comes to mind) and Nike is forced to terminate its
relationship with the athlete involved.
Avoidance: Nike has entered most sports-related product and apparel
markets over the years; however, they have yet to enter the
recreation provider market. The company has opened Nike
Town outlets to sell its merchandise, but has yet to open
venues to participate in sporting events using Nike-
produced equipment and promoted using Nike-affiliated
athletes. The recreational industry is risky, with the
exception perhaps of golf courses.
c. The Home Depot
Acceptance: The Home Depot is a retailer that realizes a significant
portion of its profitability from the economies of scale
created by selling goods in a warehouse format, essentially
making each location a distribution center. Therefore, The
Home Depot needs to ensure that a high volume of
consumers shop at its location. Thus far, the company has
avoided building stores in locations that would require a
significant commute by customers, choosing only to build
in densely populated areas.
Insurance: Each Home Depot store likely is insured against theft or
damage due to fire or natural disaster. Because of the size
of each store and the number of inventory items at each
store, the financial impact associated with these events
could be material to the operation.
Avoidance: Home Depot avoids this risk by conducting market analysis
to determine where to build. This ensures a high enough
volume to cover costs.
Reduction: The Home Depot reduces the risks associated with
distributing 40,000 to 50,000 different types of products to
each of its 800+ stores by centralizing its purchasing
process and utilizing six sigma to ensure that its inventory
does not result in any stock outs.
7. a. This is a management control as the hiring of competent, trustworthy
employees is an overriding strategic concern. It is most unusual that the
controller is involved with the hiring of internal auditors. Hopefully, this
involvement is limited to offering suggestions to the audit committee.
Since internal auditors evaluate the accounting systems for which the
controller is responsible, they should remain independent of the controller
and not beholden to him or her. In most modern organizations,
professional internal audit functions report directly to the audit committee
or CEO and not to the controller.
b. This is a business process control. This control exhibits both high
diagnosticity and high objectivity because the embedded automated control
should flag any entry over a specified level with a high degree of
reliability. The control should also be objective given the involvement of
both an executive of the organization and the independent auditor.
c. This is a management control. This control has high objectivity because
the risk committee involves corporate executives and (presumably)
outsiders to the company. The control should have high diagnosticity
unless no members of the risk committee have the appropriate skills or
knowledge to effectively assess risk management initiatives.
d. This is a management control. This control could exhibit high objectivity
because the vice president is interested in reviewing the performance of
the plant managers. However, this control could exhibit low diagnosticity
unless the vice president performs follow-up procedures to ensure that
managers truthfully self-reported reasons for variances.
e. This is a management control to monitor a business process. This control
exhibits both high diagnosticity and high objectivity because the
independent intermediary should be an expert at ensuring that the ERP
system is being designed and implemented according to contractual
obligations. Being independent from the ERP provider helps ensure
objectivity. The client should carefully investigate the relationship
between the ERP provider and the consultant, however. Often the
consultant has an alliance with the ERP provider, which can reduce the
objectivity to some degree.
8. The following describes how Amazon.com might conduct the risk management
process for the risk that Barnes & Noble might effectively exploit the competitive
advantage of having retail stores to market its B&N.com business unit.
Risk Assessment: Amazon.com should carefully monitor Barnes & Noble’s
marketing efforts for its B&N.com business units (by visiting
stores, monitoring websites for advertising, and monitoring
its website). Further, Amazon.com should survey book
consumers for recognition of both companies’ websites and
how they learned of the websites (for internet awareness,
Amazon.com can gain access to the number of hits to its
advertisements, but the Company cannot get this information
Response by Management: Amazon.com likely subscribes to the notion that
“the best defense is a strong offense” and intensifies
its own marketing efforts whenever it perceives that
B&N’s marketing efforts are being successful.
Because Amazon does not have retail operations, it
must create alliances with marketing outlets.
Information Reliability: Amazon.com needs to assess the reliability of
information suggesting success or failure of B&N.com to
successfully market its operations at the expense of
Amazon. One way to address this issue is to hire a
professional accounting firm to provide an assurance
service on the reliability of the information systems used
to gather competitor data.
Performance Results: Performance results can materialize on several
dimensions, some of which will directly impact the
financial statements. Marketing expenses should
dramatically increase in periods in which B&N.com has
been identified as successfully influencing consumers
through its on-site marketing efforts. Successful
performance by Amazon.com might be demonstrated
through statistical relationships identified (correlation,
etc.) through consumer feedback (via surveys, hit rates,
etc.) and sales of products identified as preferred by those
Reaction by Management: Management response to risk management
performance results is an important last step in the
risk assessment process (prior to restarting the loop).
Amazon.com’s managers should carefully and
critically evaluate whether the risks of losing
business to B&N.com through marketing efforts at
stores have been effectively mitigated by its response. For
example, success by Amazon might not reflect
mitigation of the in-store risk; rather, it could be
linked to outperforming B&N.com on website
advertising. Perhaps the on-site marketing efforts
will not be realized for a period of time, such as the
following holiday season. Managers need to carefully
re-examine whether performance measures properly
reflect success or failure at mitigating risk.