SOLUTIONS TO END-OF-CHAPTER PROBLEMS

1-1

SOLUTIONS TO END-OF-CHAPTER PROBLEMS

Chapter 2

Managing Risk: The Role of Auditing and Assurance

Questions

• Good corporate governance will lead a company to achieve its objectives. This

occurs by identifying and taking advantage of opportunities and identifying and managing risks. COSO’s 2004 ERM – Integrated Framework, provides a basis for managing a company’s strategic, operating, reporting and compliance risks.The strength of an organization’s internal environment is driven by strong corporate governance and effective monitoring processes should include board involvement, for example.

• The five elements of COSO’s Internal Control Framework over Financial

Reporting are: control environment, risk assessment, control activities,

information and communication, and monitoring, which are defined below.

a. Control environment: The general environment in which internal control

will operate including the attitudes and competence of management and employees of the organization.

b. Risk assessment: The activities the organization performs to identify,

assess, and prioritize risks. A breakdown in identifying or prioritizing risk will probably have a negative impact on the performance of the organization.

c. Control activities: The activities the organization performs to reduce the

effect of risk on its performance. The range of possible control activities in any organization is extremely broad and depends on the nature of the environment and risks that are of concern.

d. Information and communications: The production and distribution of

information necessary for effective internal control.

• Monitoring: The oversight of internal control to determine if it is effective.

Though small a community bank can still have a policy on ethical behavior which is conveyed by the leadership and bought into by the employees. COSO’s ERM framework should be applied to manage risks. Control activities should be particularly tight to safeguard the cash and recording of cash transactions.; cash is susceptible to theft - it is highly liquid, easily convertible, transportable, and Auditing Assurance and Risk 3rd Edition Knechel Solutions Manual Visit TestBankDeal.com to get complete for all chapters

1-2 untraceable. Management needs information on deposits, withdrawals, bank charges, loan activity etc. on a regular basis. Bank expenses should be compared with budgeted expenses on a periodic basis. Monitoring should be performed by the Board, the management on hand at the bank, and any internal, external, state or federal bank auditors.

• Monitoring and auditing are overlapping concepts but are also different concepts.

Monitoring as restrictively defined by COSO, reflects an oversight over internal controls. Of course, COSO defines internal control broadly including financial reporting, operations, and compliance. Auditing is also much broader than financial statement auditing including compliance, operational, financial, environmental, fraud, and IT audits. The primary difference in the terms is that audits typically involve a more detailed investigation and scrutiny than is suggested by the term monitoring. Financial statement audits have traditionally focused on attesting to the financial statements with the evaluation of internal controls being an optional subobjective of that goal. Since Sarbanes Oxley, this is only true for private companies.

• Strategies are implemented to achieve an organization’s objectives. Similarly,

internal controls also serve to achieve the organization’s objectives A strategy might involve a totally new path such as opening a new chain of stores in Southeastern US to take advantage of an opportunity. Internal controls are typically instituted to maintain and improve existing systems to deal with risks.

• The Control environment is a critical part of any audit concerned with

management fraud. The attitudes and values of upper management and its ability to effectively convey those values to employees and get them to buy into them greatly influences internal control. Also, the ability to hire, motivate and retain competent, trustworthy employees can have a pervasive effect on the organization’s internal controls and financial reporting system.

• The auditor’s report on the financial statements uses the International Reporting

Standards adopted by the European Union for evaluation. The opinion was signed by PricewaterhouseCoopers LLC. The Corporate Responsibility Report used AA1000 assurance standard as the criteria for evaluation and was signed by five individuals from presumably independent organizations. The reviewers of the responsibility report indicated that they inquired with management in obtaining evidence about the report. An audit would entail the gathering of much more extensive and reliable evidence to support management’s assertions in the financial statements. Previously, Shell’s CRR report was verified by both PricewaterhouseCoopers and KPMG, but they moved to an external committee presumably because of the perceived expertise and credibility of the experts relative to the public accounting firms.

• The audit failures which are highly publicized typically involve management

fraud. Recognition of this led the profession to begin assessing the control

1-3 environment. This requires that the auditor formally consider the nature of the CEO and upper management. Prior to the promulgation of SAS 55 in 1987, reviews of internal control did not formally consider the possibility that the CEO, who in those times basically appointed the external auditor, could be a fraudster.Assessing the control environment requires an evaluation of the nature of upper management and the corporate culture. What are the attitudes and values of management? Has the leadership developed policies on ethical behavior, disseminated that policy and gotten employees to buy into them? Do Human Resources have appropriate policies to hire, motivate and retain competent, trustworthy employees. Is management’s style autocratic, decision making centralized and/or powerful incentives distributed based on the achievement of accounting numbers? Or is the style more hands-off, which could entail another set of risks?

Screening new clients is essential to obtaining a client portfolio with the preferred risk profile.

• In the traditional audit, auditors were required to understand and evaluate internal

controls but were not required to test or report on them. Internal control testing was utilized for the audit to substitute for substantive testing when the controls were judged to be effective. The integrated audit requires that management’s assertions about the effectiveness of the internal control system be tested, evaluated, and reported upon. Should the auditors find that the controls are effective, they are still able to use tests of controls to justify reduced substantive testing as under traditional audit approaches.

• In phase one of the integrated audit, the auditor must devise a plan to obtain

sufficient competent evidence to support an opinion on both the financial statements and management’s assertions about the effectiveness of internal control over financial reporting. In phase two, the auditor collects the necessary evidence to corroborate management’s assertions in the financial statements and its report on internal control effectiveness. The planning phase has become more significant through time, but it is the evidence gathering phase that is the most expensive and labor intensive.

• Internal control as defined by COSO, includes controls over financial reporting,

operations, and compliance. The ERM framework also assesses a firm’s strategic risks which are not encompassed in its internal control framework. In other words, the internal controls under COSO’s 1992 framework are a subset of controls as described under the 2004 ERM framework.

Problems

• Critical business risks of an Internet dating service include the following:

New entrants to the market and fierce competition

1-4 Unauthorized access to the database Lack of fit between clients Insufficient advertising to cover database maintenance costs Liability for personal harm caused to a client on a date from the database Negative public perception of industry Misrepresentation by clients in database

b. Controls to mitigate risks:

Internal Controls:

Managers with integrity Well-controlled database Secure access--password protected, firewalls, etc.Public relations business process Competitor database maintained Research and development business process Targeted marketing to increase probability of client fit

External Controls:

Private security investigations of client information Assurance service to attest to representations contained in database Paid chaperones to escort clients on first dates Regulations impacting industry practices Information technology consulting to improve database Advertisers encouraging use of website

• financial statements

• reliability of information and control systems

• compliance with laws, regulations, and contractual obligations

• compliance with laws, regulations, and contractual obligations

• financial statements or reliability of information and control systems

• effectiveness and efficiency of operations

• effectiveness and efficiency of operations

• compliance with laws, regulations, and contractual obligations

• relevance and context of business risk management process

• relevance and context of business risk management process