Internal Controls Design website by Matthew Leitch (tutor, researcher, author, & consultant)

Results of a survey on internal control and risk management recommendations

by Matthew Leitch, 25 August 2004

Survey design
Recommendation types
Public sector versus private sector
Respondent roles
Differences between scenarios
Comments by respondents
Respondent profile
Limitations of the survey
Further information

Thank you

First, thank you to everyone who responded to this survey. It was a long and tough one that needed thought. The payoff is that we have some interesting results with profound implications for many, especially people in internal audit roles.


The results of this research strongly suggest that auditors, risk managers, and others who make recommendations for improving internal control and risk management can benefit from giving more attention to recommendations beyond the usual repertoire of sign-offs, documentation, segregation of duties, and reconciliations. This implies that there could be great value in changes to audit approach and audit training and education.

In this online survey, respondents were asked to consider eight hypothetical reviews of business activities and, for each review, a list of five potential recommendations for improvement. Respondents were asked:

This combination of questions revealed that certain types of recommendation were as likely to be good recommendations as others but were much less likely to be in place already. They were also less likely to be "expected."

Making these types of recommendation requires greater knowledge of risk and uncertainty, but someone who has that knowledge would be able to use it often because the controls in question are rarely in place.

The survey showed no differences between the public and private sectors, except that public sector respondents thought a much wider range of recommendations was expected of them. This finding contrasts with opinions expressed to me by some, who speculated that the public sector was not interested in risk taking or risk management. In fact, the public sector respondents felt they were expected to make more wide-reaching and sophisticated recommendations than did the private sector respondents.

Survey design

The survey form presented respondents with eight imaginary reviews (i.e. the scenarios) in the order shown below:

Name | Scenario description
prod dev | The review looked at the way product ideas are developed and approved in a particular business unit.
confer | The review looked at the way potential conferences were chosen and, in particular, how estimates of likely attendances were made. These are vital to the decision of whether to go ahead or not.
backbill | The review looked at a project that is trying to identify past billing errors and, where possible, raise back charges with customers who have been under-charged.
project | The review looked at a project plan being developed for a large project that is vital to the future of the organisation and expected to last over 2 years.
service | The review looked at plans to improve services to customers by introducing several innovations.
prod mgmt | The review looked at how a set of products have been managed.
oil | The review looked at a business case for exploring a region for oil. The case includes extensive financial projections.
overall | The review looked at the management of risk and uncertainty throughout the organisation.

Each scenario was followed by five potential recommendations for improvement, displayed in a random order that differed for each respondent.

Respondents were asked three questions about each recommendation using the following instructions:

"Imagine that internal auditors or other risk management or internal control specialists have been doing some reviews of activities in an imaginary organisation. Each review found problems and some recommendations are under consideration."

"For each recommendation consider the following:"