• Role of Management in Internal Control Evaluation:
Responsibility for Risk Identification: Management has the primary responsibility for designing,
implementing, and maintaining an effective system of internal controls. As part of this process,
management identifies the risks related to fraud, waste, and abuse that could impact financial
reporting or operational efficiency.
Mitigating Risks: Once risks are identified, management is responsible for mitigating them by
developing appropriate policies, procedures, and controls.
• Role of the Auditor in Internal Control Evaluation:
Assessing Control Effectiveness: Auditors are not responsible for designing or implementing controls;
rather, their role is to evaluate whether the controls put in place by management are effective. They
do this through testing, observation, and other audit procedures.
Fraud Risk Assessment: As part of their duties under Generally Accepted Government Auditing
Standards (GAGAS), auditors must assess the risk of material misstatement due to fraud and evaluate
how management’s controls address those risks.
• Why Other Options Are Incorrect:
B. Auditors do not identify risks—this is management's job. Auditors evaluate and assess the
controls already in place.
C. Determining risk tolerance is a governance and management responsibility, not the joint
responsibility of auditors and management.
D. Management mitigates risks, but auditors don’t monitor compliance with controls—they test and
evaluate the controls as part of their audit procedures.
• Reference and Documents:
GAGAS (Yellow Book) by GAO: Emphasizes management’s responsibility for risk identification and
the auditor’s responsibility for assessing control effectiveness.
COSO Internal Control Framework (2013): Highlights management’s responsibility for risk
assessment and control design, while auditors provide independent assurance.