Focus On Risk Enterprises
In this issue...
Utilizing Limits of Risk
Correction

Upcoming Workshop 

Liz will be presenting "Building the 2012 Risk-Based Audit Team: Road Map to Results" on October 17, 2011 at the MIS Training Institute's Audit Directors' & Managers' Symposium in Scottsdale, AZ. For more information go to www.misti.com

 

 

 

"Risk comes from not knowing what you're doing." - Warren Buffett

 

Host a Public Seminar and receive discounts for your entire team!

Does your office have a conference or training room that can hold up to 20 people? Would you be willing to host a public seminar at your office for Focus On Risk? If so, you can receive a discount off the seminar price for each of your attendees! Contact Liz at Liz@focusonrisknow.com for more information.
  

 

 

 


Focus On Risk Enterprises, LLC is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.learningmarket.org

For more information go to:

www.FocusOnRiskNow.com

 

October Newsletter 2011

Greetings! 

 

OK, I am ready to acknowledge it is officially October...not that you would know by stepping outside my office. Here in Houston, we won't see the type of weather most of the nation considers to be Fall until late November or early December. It is the advertisements for Oktoberfests and Halloween costumes that force me to acknowledge the new season has arrived.

 

In the September newsletter, we covered the importance of getting Governance to verbalize how much risk they are willing to accept, what we refer to as the "limits of risk". In this newsletter, we will show how internal audit can utilize the limits of risk to determine the effectiveness of controls.

   

 Enjoy the season!

- Liz Meyers, CPA, Lead Instructor

 

 

UTILIZING LIMITS OF RISK 

 

Last month's newsletter discussed the importance of internal auditors determining "how much risk" governance is willing to live with, which we refer to as the "limits of risk". Without the governance-approved "limits of risk", internal auditors cannot determine whether controls are adequate. Auditing without them can also perpetuate the belief that auditors do not understand the business and write up every little thing that goes wrong.

 

Once the governance-approved "limits of risk" are obtained, internal auditors must assess whether the limits are excessive or too conservative. Excessive limits indicate too much risk is being taken with the stockholders' assets. If the internal audit team reaches this conclusion, it is imperative that they explain to governance why they consider the limits excessive and resolve the issue.

 

Limits of risk that are too conservative can also have a negative impact on the stockholders. Auditors must recognize that risk taking is critical to business success. They must understand the upside as well as the downside of risk. If the limits of risk are too risk-averse, the organization's success may be impeded in the marketplace. Again, auditors must engage governance on the issue, explain their reasoning for deeming the limits too conservative, and resolve the issue.

 

Two simple examples of excessive and overly conservative limits of risk can be seen in the approval processes for credit terms and credit limits:

  

An excessive limit of risk for credit terms would mean that an organization provides customers with favorable credit terms and credit limits that exceed what the customer's poor credit history would normally warrant. The good side of risk for this decision is increased sales; the bad side of risk is higher accounts receivable write-offs.

 

An overly conservative limit for credit terms and credit limits can be reflected by an organization implementing "cash only" or "pay-upon-receipt" credit terms. The good side of this risk is that the company will have almost no accounts receivable write-offs. The bad side of this risk is that the organization has severely limited who will buy from it.

 

Internal auditors should also assess whether the approved limits of risk are appropriate for the business environment and challenge them if necessary. The audit team must take into consideration any "work around" costs and any costs to correct or rework errors. These costs are often not measured but are necessary for assessing the appropriateness of the limits of risk. For example, does it make sense to reject expense reports that are off by $1.00 (a conservative limit) if the cost to rework it is $5.00? Conversely, does it make sense to approve and process all expense reports whether or not receipts are provided (excessive limits)?

 

Assessing the limits of risk can also help prevent auditors from falling into the trap of spending too much time addressing a risk which is already within the acceptable limits of risk. When reviewing reports used by management to assess risks (i.e., metrics of the errors), the auditor should determine if the metric being measured indicates that risk is moving outside of its limits. This could be an indication that either additional controls are needed or excessive controls should be removed (assuming the limits are still valid). To support their recommendations, auditors should emphasize cost/benefit tradeoffs, e.g., in the expense report example noted above, it will cost $5 to correct a $1 error.

 

Once the audit team has determined that the limits of risk are neither excessive nor too conservative and the risk is maintained within acceptable limits, the team may decide to stop work on that particular risk and move on to another risk area. Of course, the team would need to feel reasonably comfortable that the metrics used to measure the exposure are accurate. The experience of the individual subject matter experts on the team may confirm their accuracy.

 

In Risk Based Integrated Auditing™, our overriding objective is to generate maximum value for minimal cost. If a risk exposure is already within the agreed limits of risk, where is the value for the cost of performing additional audit work? Utilizing the governance-approved limits of risk effectively will take auditors down a path to provide value to the organization and its stockholders.

Correction: 

In our October article, "How Much Risk," an error was made in the last paragraph. It should read as follows:

"By continuing to audit controls without the limits of risk, auditors can perpetuate the auditees' belief that auditors do not understand the business and write up every little thing that goes wrong."

 

We regret if this caused you any confusion.    - Liz


 

Magnifying our Customer's Success by Focusing on Risk