Earlier this week, I discussed the topic of the risky risk officer. What is the ideal risk attitude to have in a risk practitioner?
Today, I want to shift to the risk attitude of the internal auditor.
Do we want an internal auditor that is so risk averse they won’t spend $5 on a lottery ticket with a 10% chance of winning $100,000?
Nor do we want an internal auditor who enjoys running across a busy street for the thrill.
Consider the internal auditor who does this:
An audit identifies a weakness in internal control because invoices from telephone companies are only reviewed for validity if they exceed $100.
The auditor writes this up as a “finding”, rates the risk as medium because there is a possibility that crooks could create a large number of fictitious invoices under the threshold (and this has happened in the past) and the loss would then be significant.
The draft report is sent to management for a response. Management has two options:
- Go along with the auditor and promise to change the threshold to $50, even though they believe the additional cost is not justified by the risk; or
- Disagree with the auditor and create a problem for senior management, who does not want to appear obstructive in front of the audit committee and top management.
Here’s a second example, this time one that occurred to me when I was a vice president in IT.
An audit of information security resulted in an audit report with multiple ‘findings’ rated as high. They related to the ongoing implementation of security software (ACF2) and tasks that had not yet been completed.
In each case, the auditor recommended that the issue be corrected promptly.
Every one of the so-called findings was on the project task list that my information security team handed the auditor at the start of the audit.
When challenged, the auditor agreed that we had known about each issue and that they were already scheduled for action.
The auditor also agreed, and this is telling, that if he were the project lead he would not change what we were doing! He agreed with our priorities and that we had scheduled actions in the correct sequence, did not have the resources to accelerate the work (and adding resources mid-project was of doubtful value), and so on.
Read more: https://bit.ly/3Hg23bP