Something like 20 years ago, during my first years as the CAE of a major oil refining company, one of my staff (I only hired audit managers at that time and she was the most senior of the three) was working on an audit of Treasury.
The Treasurer was a senior member of the Finance team, highly respected by company leadership. So it was important that we make a good impression in this first audit of his area. At the same time, he was a gruff curmudgeon (he reminded me of the late, great Alastair Sim as Scrooge in "A Christmas Carol") that scowled every time I saw him — and other executives told me that he shared that disposition with everybody except the CFO.
So, I set the auditor, Laura Morton (now Nathlich), two tasks: the first was to perform an audit and provide an objective assessment of whether the Treasury function was meeting the needs of the corporation; the second was to get the Treasurer (Craig) to smile!
Laura exceeded my expectations (something she went on to do regularly).
As I had expected, Craig's area was in very good shape. It reflected his personality as a disciplined, careful individual that had a deep understanding of the business and its needs.
But, Laura identified one issue that only deepened Craig's frown.
She pointed out that the company's investment policy limited overnight investment of cash to the safest of all investments, which had the lowest of all rates of return. While this was the policy that had been approved by the board, the level of risk being taken (clearly a very conservative one) was inconsistent with the general attitude of the company to taking risk!
The company was a significant "player" in the commodity derivatives market, not only to hedge the price it would pay for its raw materials (crude oil) and the price it would obtain for its refined products (gasoline, diesel, jet fuel, and so on), but it also had a truly speculative position.
So it was taking millions of dollars of risk in the commodities market but unwilling to take any risk in its overnight investments?
Laura recommended that the investment policy be reconsidered. That was a wise move. Only management can decide how much risk it is willing to take, but we (as the independent and objective internal audit team) can challenge them when appropriate.
Craig reluctantly agreed that Laura had a point — not on technical controls philosophy but on business grounds. He discussed it with the CFO and they agreed to change the policy.
I met with Craig and Laura to review the final report before it went to the audit committee. He gave Laura a reluctant smile and acknowledged that it was a professional audit.
Do your audit customers smile?
What do you think of an auditor that recommends taking more risk?
I welcome your comments.