Risk/Control Frameworks in Auditing: Application & Examples

Instructor: Deborah Schell

Deborah teaches college Accounting and has a master's degree in Educational Technology.

Risk and control frameworks help an organization achieve its objectives and ensure it is operating efficiently and effectively. Let's examine how control frameworks can be used by a government entity.

Role of Frameworks

Risk/control frameworks help an organization assess its risks and ensure it has internal controls in place to manage them. Internal controls are processes, policies and procedures put in place by management to ensure the organization achieves its objectives effectively and efficiently, financial reporting is accurate and reliable, and the organization complies with laws and regulations.

Let's examine how these frameworks could be used by the City of Funsville.

Establish an Internal Control Environment

The main purpose of internal controls is to reduce the risk of errors and fraud. Since governments use public money to fund projects, they are accountable to taxpayers and must ensure that public funds are spent wisely. Establishing and maintaining an internal control environment is a critical step in demonstrating this accountability.

Since management is responsible for the control environment, the organizational structure should be reviewed to ensure responsibility has been appropriately assigned. For example, let's assume that a review of the organizational structure at the City of Funsville revealed that there is a mayor, Ms. Joy, a nine-person council and a chief administrative officer (CAO), Ms. Glee. Neither the mayor nor the CAO can implement major changes without the approval of a majority of the members of council.

Complete a Risk Assessment

The next step in the risk/control framework is completing a risk assessment to determine the internal and external risks that the entity faces as it attempts to achieve its objectives. A risk assessment involves identifying and analyzing risks to determine the likelihood of their occurrence and the impact they are likely to have on the organization.

Once the risks have been identified, management must develop a response to each one. For example, management may decide to accept the risk, meaning that no further action needs to be taken. It could decide to avoid the risk by not participating in a process. It could take steps to reduce the risk, or it could decide to share some of the risk.

Returning to the City of Funsville, let's assume a review of the city's community centers revealed there was a high probability for a citizen to injure themselves on the walkways during winter storms because there aren't enough city employees to clear the paths immediately. In this situation, the city could decide to accept the risk and possibly get sued if someone injures themselves, avoid the risk by closing the community centers on poor weather days, reduce the risk by hiring additional staff to clear the walkways at an increased cost or share the risk by obtaining insurance in the event that it gets sued by someone who is injured in a fall.

Design Control Activities

Once risks have been assessed, management must design control activities to respond to these risks. Two of the most important control activities in a government relate to segregation of duties and documentation.

Segregation of duties involves ensuring that no one individual has so much accountability for a process that a fraud could occur. This is especially important in a government setting where money is obtained from the public. For example, let's assume that the City of Funsville has a purchasing policy stating that the manager who approves contracts cannot approve payment for the contract. This control would prevent the manager from purchasing items for himself personally and then submitting the invoice to the city for payment.

There should also be appropriate documentation to provide evidence that a transaction took place and to demonstrate compliance with laws and regulations. Documentation can also prove that a transaction was properly authorized, recorded, processed and reported. For example, the City of Funsville would need to demonstrate that checks for payments were signed according to the limits in its check signing authority document. It would also need to provide documentation of its annual budget process because the taxpayers of the city would have an interest in knowing how their tax dollars are being spent.
