UTILIZING LIMITS OF RISK
Last month's newsletter discussed the importance of internal auditors determining "how much risk" governance is willing to live with, which we refer to as the "limits of risk". By auditing without the governance-approved "limits of risk", internal auditors cannot determine whether controls are adequate. This can also perpetuate the belief that auditors do not understand the business and write up every little thing that goes wrong.
Once the governance-approved "limits of risk" are obtained, internal auditors must assess whether the limits are excessive or too conservative. Excessive limits indicate that too much risk is being taken with the stockholders' assets. If the internal audit team reaches this conclusion, it is imperative that they discuss with governance their reasoning as to why the limits are excessive and resolve the issue.
Overly conservative limits of risk can also have a negative impact on the stockholders. Auditors must recognize that risk taking is critical to business success. They must understand the upside as well as the downside of risk. If the limits of risk are too risk averse, the organization's success may be impeded in the marketplace. Again, auditors must engage governance on the issue, explain their reasoning for deeming the limits too conservative, and resolve the issue.
Two simple examples of excessive and overly conservative limits of risk can be seen in the credit terms and credit limits approval processes:
An excessive limit of risk for credit terms would mean that an organization provides customers with favorable credit terms and credit limits that exceed what the customer's poor credit history would normally warrant. The good side of risk for this decision is increased sales; the bad side of risk is higher accounts receivable write-offs.
An overly conservative limit for credit terms and credit limits can be reflected by an organization implementing "cash only" or "pay-upon-receipt" credit terms. The good side of this risk is that the company will have almost no accounts receivable write-offs. The bad side of this risk is that the organization has severely limited who will buy from it.
Internal auditors should also assess whether the approved limits of risk are appropriate for the business environment and challenge them if necessary. The audit team must take into consideration any "work around" costs and the costs to correct or rework errors. These costs are often not measured but are necessary for assessing the appropriateness of the limits of risk. For example, does it make sense to reject expense reports that are off by $1.00 (a conservative limit) if the cost to rework them is $5.00? Conversely, does it make sense to approve and process all expense reports whether or not receipts are provided (an excessive limit)?
Assessing the limits of risk can also help prevent auditors from falling into the trap of spending too much time addressing a risk that is already within the acceptable limits of risk. When reviewing reports used by management to assess risks (i.e., metrics of the errors), the auditor should determine whether the metric being measured indicates that risk is moving outside of its limits. This could be an indication that either additional control(s) are needed or excessive controls should be removed (assuming the limits are still valid). To support their recommendations, auditors should emphasize cost/benefit tradeoffs; e.g., in the expense report example noted above, it will cost $5 to correct a $1 error.
Once the audit team has determined that the limits of risk are not excessive or too conservative and the risk is maintained within acceptable limits, the team may decide to stop work on that particular risk and move on to another risk area. Of course, the team would need to feel reasonably comfortable that the metrics used to measure the exposure are accurate. The experience of the individual subject matter experts on the team may confirm their accuracy.
In Risk Based Integrated Auditing™, our overriding objective is to generate maximum value for minimal cost. If a risk exposure is already within the agreed limits of risk, where is the value for the cost of performing additional audit work? Utilizing the governance-approved limits of risk effectively will take auditors down a path that provides value to the organization and its stockholders.