Earlier this week, I discussed the topic of the risky risk officer. What is the ideal risk attitude to have in a risk practitioner?
Today, I want to shift to the risk attitude of the internal auditor.
Do we want an internal auditor that is so risk averse they won’t spend $5 on a lottery ticket with a 10% chance of winning $100,000?
No.
Nor do we want an internal auditor who enjoys running across a busy street for the thrill.
Consider the internal auditor who does this:
An audit identifies a weakness in internal control because invoices from telephone companies are only reviewed for validity if they exceed $100.
The auditor writes this up as a “finding”, rates the risk as medium because there is a possibility that crooks could create a large number of fictitious invoices under the threshold (and this has happened in the past) and the loss would then be significant.
The draft report is sent to management for a response. Management has two options:
- Go along with the auditor and promise to change the threshold to $50, even though they believe the additional cost is not justified by the risk; or
- Disagree with the auditor and create a problem for senior management, who does not want to appear obstructive in front of the audit committee and top management.
Here’s a second example, this time one…