How Much Risk?
To be successful, every business must take some degree of risk. To truly understand if controls are working effectively to manage these risks, it is important to know how much risk your organization's governance is willing to accept. In Risk Based Integrated Auditing TM (RBIA), we refer to the amount of risk governance is willing to accept as the "limits of risk".
The "limits of risk" establishes, in some quantitative terms, an inner and outer range for each risk. The limits are arrived at by discussions with the audit customer, other stakeholders and middle managers.
It is unrealistic to think it is possible to reach consensus with the audit customer, other stakeholders, and middle managers on an exact amount of how much risk they are prepared to accept. Instead, "limits of risk" strives to reach an agreement on a range within which a risk metric (how management measures the risk) could move without requiring further evaluation of the controls. For each risk, there is usually an inner limit and an outer limit of risk. The inner limit will help you identify over control. The outer limit will help you identify under-control. If the risk metric starts to move outside the approved "limits of risk", it can be interpreted that either the risks are under-controlled requiring additional controls or over-controlled and excessive controls should be removed (assuming the limits are still valid). When determining the amount of risk the organization is willing to accept, do not approach an audit customer, or auditee, with a question along the lines of "what's your limit of risk?" Many people view the acceptance or tolerance of errors or mistakes as an audit "no-no". They tend to respond to auditors in terms of what they think auditors want to hear. Instead invest the audit teams' time by using it to understand the current rate of errors and the results of management's efforts to reduce them. The metrics used to measure the error rates are usually a good basis to baseline the "limits of risk".
The "limits of risk" can be further deduced through talks with executives and middle management using terms they relate to. These terms will likely vary between the various levels. Executives may talk in terms of costs associated with correcting the errors. Middle management will usually focus on specific metrics related to the units in question, e.g., number of bills with errors. The audit team will need to summarize all the responses and deduce an inner and outer limit of risk.
Although middle management provides their insights and recommendations as to what they believe the "limits of risk" should be, they do not have the legal authority to take risks with the stockholder's assets. Only Governance has the fiduciary authority to take risks with the stockholder assets. When middle managers start making decisions about how much risk they are taking with the stockholder 's assets, without governance approval, they are exposing the officers and board members of the company to a possible law suit. Middle managers are not elected by stockholders. They may have custody of the stockholder assets but they do not have a legal fiduciary responsibility for those assets.
The audit customer may be surprised to see the divergence of opinions of the limits of risk expressed by other audit customers and auditees. This may cause them to re-think their initial risk estimates.
Without knowing the governance-approved "limits of risk", internal auditors cannot determine whether controls are adequate. By continuing to audit controls without the limits of risk, auditors can perpetuate the auditees' belief that auditors do not understand the business and write up every little thing that goes wrong. Something all auditors should want to avoid.