Focus On Risk Enterprises
In this issue...
How Much Risk?

Upcoming Workshop

Liz will be presenting "Building the 2012 Risk-Based Audit Team: Road Map to Results" on October 17, 2011 at the MIS Training Institute's Audit Directors' & Managers' Symposium in Scottsdale, AZ.

for more information go to

Host a Public Seminar and receive discounts for your entire team!

Does your office have a conference or training room that can hold up to 20 people? Would you be willing to host a public seminar at your office for Focus On Risk? If so, you can receive a discount off the seminar price for each of your attendees!
Contact Liz at for more information.
"You can measure opportunity with the same yardstick that measures the risk involved. They go together."
 - Earl Nightingale

Focus On Risk Enterprises, LLC is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website:

September Newsletter

I'm in denial right now...I am in denial that September has already come and gone without me getting out the September newsletter.  As you might guess, the controls I had established to get the newsletter out on time failed.  I may need to reassess how much risk I am willing to accept when it comes to getting this newsletter out on time.


Speaking of how much risk I am willing to accept, this newsletter discusses the importance of understanding "how much risk" governance is willing to accept in order to determine the effectiveness of controls. 


It is not always easy to get governance to verbalize "how much risk" but the time and effort to obtain will be more than worth it.



- Liz Meyers, CPA, Lead Instructor


How Much Risk?

To be successful, every business must take some degree of risk. To truly understand whether controls are working effectively to manage these risks, it is important to know how much risk your organization's governance is willing to accept. In Risk Based Integrated Auditing™ (RBIA), we refer to the amount of risk governance is willing to accept as the "limits of risk".



The "limits of risk" establish, in quantitative terms, an inner and an outer boundary for each risk. The limits are arrived at through discussions with the audit customer, other stakeholders, and middle managers.

It is unrealistic to expect consensus among the audit customer, other stakeholders, and middle managers on an exact amount of risk they are prepared to accept. Instead, the "limits of risk" approach strives to reach agreement on a range within which a risk metric (how management measures the risk) can move without requiring further evaluation of the controls.

For each risk, there is usually an inner limit and an outer limit. The inner limit helps you identify over-control; the outer limit helps you identify under-control. If the risk metric starts to move outside the approved "limits of risk", it can be interpreted either that the risk is under-controlled and additional controls are required, or that it is over-controlled and excessive controls should be removed (assuming the limits are still valid).

When determining the amount of risk the organization is willing to accept, do not approach an audit customer, or auditee, with a question along the lines of "what's your limit of risk?" Many people view the acceptance or tolerance of errors or mistakes as an audit "no-no", and they tend to respond to auditors in terms of what they think auditors want to hear. Instead, invest the audit team's time in understanding the current rate of errors and the results of management's efforts to reduce them. The metrics used to measure those error rates are usually a good basis for baselining the "limits of risk".

The "limits of risk" can be further deduced through discussions with executives and middle management, using terms they relate to. These terms will likely vary between levels: executives may talk in terms of the costs associated with correcting errors, while middle management will usually focus on specific metrics related to the units in question, e.g., the number of bills with errors. The audit team will need to summarize all the responses and deduce an inner and an outer limit of risk.

Although middle management provides insights and recommendations as to what they believe the "limits of risk" should be, they do not have the legal authority to take risks with the stockholders' assets. Only governance has the fiduciary authority to take risks with those assets. When middle managers make decisions about how much risk to take with the stockholders' assets without governance approval, they expose the officers and board members of the company to a possible lawsuit. Middle managers are not elected by stockholders; they may have custody of the stockholders' assets, but they do not have a legal fiduciary responsibility for those assets.

The audit customer may be surprised to see the divergence of opinions on the limits of risk expressed by other audit customers and auditees. This may cause them to re-think their initial risk estimates.


Without knowing the governance-approved "limits of risk", internal auditors cannot determine whether controls are adequate. By continuing to audit controls without the limits of risk, auditors perpetuate the auditees' belief that auditors do not understand the business and write up every little thing that goes wrong, something all auditors should want to avoid.
Magnifying our Customer's Success by Focusing On Risk