Management Control Reviews

Mini Guide

With the constantly evolving complexity of business operations, regulations and economic environments, companies are increasingly dependent on management’s use of sound professional judgment within Management Review Controls (MRCs). This guide focuses on key elements within MRC design, execution, and related documentation.

Our Professional Judgment Framework identifies six steps within a sound judgment process, which are critical when designing, executing, and evaluating MRCs. These steps may be applied to an MRC as follows:

  1. DEFINE THE MATTER: Define the matter with specific risks, focusing on the nature of potential errors and how they occur.
  2. SPECIFY OBJECTIVES: Specify objectives by identifying the points within the process that could give rise to the specific risk(s) and evaluate whether the control attributes of the MRC sufficiently address each of those points.
  3. IDENTIFY POSSIBILITIES: Identify possibilities by challenging assumptions, ensuring clearly defined actions, including triggers for investigation and prescribed plans for resolution.
  4. GATHER AND ANALYZE INFO: Gather and analyze information that depicts performance of each control attribute. Examine physical evidence of procedures performed, observe actions that occur, and evaluate their sufficiency to meet objectives.
  5. REACH CONCLUSION: Reach a conclusion as to the sufficiency of the control’s ability to prevent or detect specified risks. Has each objective been met appropriately?
  6. REFLECT: Reflect on conclusions reached. Is each of the identified risk(s) sufficiently addressed through the controls after consideration of their design and implementation?

Creating and retaining records of the judgments made throughout each of the steps above, including consideration of evidence in favor of and contrary to the conclusion reached, assists management in supporting the design, implementation, and operating effectiveness of the MRC.

Fundamental Elements of MRCs

Defining Precision

CONSIDERATIONS WHEN EVALUATING THE NATURE OF REVIEW PROCEDURES PERFORMED

Understand and document the objective and mechanics of the MRC.

  • Who are the preparer(s)/reviewer(s) in the control?
  • Do they have the appropriate level of competency and authority to perform this review?
  • What informs their expectations?
  • What information/reports is the control owner using in his or her review? How does the control owner ensure data is complete and accurate?
  • How would the control detect an error?
  • What actions are taken by the control owner(s) to resolve items selected for investigation?
  • What evidence exists to provide assurance that investigation actions have been taken, and resolutions have been reached?

Understand and document the complexities and judgments used in the MRC.

  • How do control owners apply professional skepticism?
  • How do control owners assess and ensure that data used in the control is relevant and complete?
  • How do control owners evaluate and challenge all key assumptions, especially those that do not follow historical trends (e.g. revenue growth is too optimistic)?
  • How do control owners evaluate and consider contradictory evidence?
  • How do control owners use objective evidence to support conclusions reached?
  • What is the level of complexity of supporting details and analysis used in the operation of the control?

INFORMATION USED IN CONTROLS

Key reports, spreadsheets, and queries used in the performance of MRCs.

  • How is data produced?
  • What IT general controls (ITGCs) exist to mitigate risks of data inaccuracy?
  • How does the control owner ensure data is reliable (complete and accurate) at each stage of the MRC?
  • Is the data produced in a modifiable or non-modifiable format?
  • What ensures that data has not been modified as it is passed from preparer to reviewer?
  • When data and reports used are not easily tied to financial statement balances, what methods are used to test the completeness and accuracy of these reports?
  • When there are ineffective IT controls, what changes in procedures have been made to ensure integrity of data used in the control?

MANAGEMENT REVIEW CONTROLS DEFINED

Management Review Controls (MRCs) include reviews of calculations, valuations, development of assumptions, reconciliations, analyses prepared by others (including third parties), or reviews of financial results against budgets and/or prior periods. MRCs can vary in their nature from controls with a simple review element to complex controls with significant judgment, management assumptions, and numerous control activities (we refer to these controls as multi-layered MRCs).

SUFFICIENT EVIDENCE OF REVIEW PROCEDURES

While not comprehensive, the below list includes examples of evidence that may be used to identify control objectives and support the performance of review procedures.

  • Detailed description of control objectives, procedures, and participants
  • Documented criteria for investigation and defined protocol for items that meet the criteria
  • Draft memos depicting comments, questions, edits, and responses
  • Detailed meeting minutes that include documentation of key discussion points and demonstration of the application of the criteria for investigation
  • Screenshots of key system screens, reports, or data used to complete control procedures with descriptions of how each is applied within specific control activities

For questions or assistance, contact us at 717-569-2900.
