When internal auditors assess the adequacy of controls, we should consider whether the level of risk to the organization is at an “acceptable level” (see IIA International Standard 2201). When that level of risk is “unacceptable” in the opinion of the auditor, there is an obligation to “discuss the matter with senior management” and the matter will be included in the formal audit report (quotes are from Standard 2600).
That is what the International Standards for the Professional Practice of Internal Auditing say, and it makes sense because we should be helping the management team manage risks so they are at desired levels. If risks are higher than desired, there is an obvious threat to the organization. If risks are too low, there may be inefficiencies that can be removed to improve financial and operational performance.
The traditional auditor has never seen a risk he didn’t want to reduce. But is this the right approach?
Let’s take a situation I had when chief audit executive of Tosco. We had about 6,000 convenience stores (branded Circle K, BP, 76), where employee/customer theft was always an issue. There was an audit of a group of stores, where we found that there had been several thefts and employees discharged. Physical inventories were being performed by the (independent) store auditors every 3-4 weeks, a high frequency as the stores were rated high risk. The division manager also visited at least once a month. But still, inventory losses (called shrink) approximated 0.92 percent of sales.
The first reaction of the traditional auditor is to call for improved controls, perhaps through additional cameras (and monitoring) in the store, more frequent store audit visits, etc. But, industry experience is that once shrink drops below about 1 percent, additional controls cost more than the reduction in shrink. The company (in fact, the industry) had a risk tolerance of 1 percent. So, the intelligent auditor sees that management is on top of the situation, that risks are at “acceptable levels” and moves on.
But, and this is the big but, what does the auditor do if management has not established its risk tolerance? I have heard one thought leader say that this is an issue that should be included in the audit report. My thinking is that this is an opportunity for a discussion about the value of risk management.
We have historically been advocates for internal control. Now is the time for us to be advocates for risk management. When we perform an audit and management does not employ risk management practices in designing their processes and in decision-making, we have an advocacy opportunity.
If there is to be an audit report finding, in most cases it should be delivered to somebody at a corporate level rather than at a local level. I would like to think we can collect some of these local situations, understand how risk management would add value to local operations, and build the case for a discussion first with senior management and then with the board.
Now, we still have a challenge in that we have a control issue and management has not defined its risk tolerance. Do we go ahead and publish, or do we substitute our own judgment for that of management? Well, I think the answer is that we try to work with management to agree on whether the current level of risk is above or below acceptable levels. Yes, that means using our judgment collectively with management to establish the threshold.
Are we set if management has defined risk tolerances? No, because the risk tolerance can be inappropriate for the business. For example, perhaps it was set a year ago and the business conditions have changed. We need to use our judgment and assess whether management’s risk tolerances are reasonable.
Let’s bottom-line this. World-class auditors, in my opinion, should assess the condition of internal controls against the standard of providing reasonable assurance that risks are managed at (approximately) risk tolerances. We should no longer:
Report the issue and let management reply as to whether they accept the risk.
- Ignore situations where management has not established risk tolerances.
- Accept, without question, management’s setting of risk tolerances.
- Miss the opportunity to be an advocate for risk management, especially an appropriate risk culture.
Do you agree?