One of the primary ways an organization responds to risks is by implementing internal control policies and procedures to help prevent or deter a risk from occurring, or to help detect that a risk has begun to occur, prompting the need for further action. Many organizations design and implement a particular type of subjective, judgment-based internal control that is referred to as management review controls (or “MRCs”). MRCs generally involve some form of management-level review of aggregate data or estimates, performed by knowledgeable personnel to detect potential risk events at an appropriate level of precision.
Examples of MRCs might include management-level “budget-to-actual” performance evaluations whereby executives compare budgeted amounts or activities to actual results, period-over-period comparisons of activities (e.g., shipments made or customers served) to identify unexpected or outlier conditions that might suggest the presence of a risk event, or management’s review of a reserve estimate for uncollectible accounts receivable. Key elements of effective MRCs are that they (1) are heavily influenced by the seasoned judgments of the executives who perform them, (2) rely on the completeness and accuracy of the underlying information used in the execution of the control, and (3) depend on the precision of the MRC in being able to detect an underlying risk condition.
Mark Beasley, KPMG Professor of Accounting and Director of the Enterprise Risk Management Initiative in the Poole College of Management at NC State University, is the co-author (along with John Fogarty and Doug Prawitt) of a thought paper, Perspectives on Management Review Controls: Challenges and Solutions, recently released by the Center for Audit Quality. This thought paper provides information and insight on issues surrounding the design, implementation, execution, and documentation of MRCs.
While the paper focuses on MRCs designed to prevent, deter, or detect risks of material misstatements in financial statements, the overarching findings and insights can be easily translated to MRCs related to all other types of risks, including those related to operations and compliance. The paper identifies a number of insights that management teams can consider as they seek to improve the operating effectiveness of MRCs as internal controls.