The Auditor as Judge of Acceptable Risk Levels and Advocate for Risk Management

When internal auditors assess the adequacy of controls, we should consider whether the level of risk to the organization is at an “acceptable level” (see IIA International Standard 2201). When that level of risk is “unacceptable” in the opinion of the auditor, there is an obligation to “discuss the matter with senior management” and the matter will be included in the formal audit report (quotes are from Standard 2600).

That is what the International Standards for the Professional Practice of Internal Auditing say, and it makes sense because we should be helping the management team manage risks so they are at desired levels. If risks are higher than desired, there is an obvious threat to the organization. If risks are too low, there may be inefficiencies that can be removed to improve financial and operational performance.

The traditional auditor has never seen a risk he didn’t want to reduce. But is this the right approach?

Let’s take a situation I had when chief audit executive of Tosco. We had about 6,000 convenience stores (branded Circle K, BP, 76), where employee/customer theft was always an issue. There was an audit of a group of stores, where we found that there had been several thefts and employees discharged. Physical inventories were being performed by the (independent) store auditors every 3-4 weeks, a high frequency, as the stores were rated high risk. The division manager also visited at least once a month. But still, inventory losses (called shrink) approximated 0.92 percent of sales.

The first reaction of the traditional auditor is to call for improved controls, perhaps through additional cameras (and monitoring) in the store, more frequent store audit visits, etc. But industry experience is that once shrink drops below about 1 percent, additional controls cost more than the reduction in shrink. The company (in fact, the industry) had a risk tolerance of 1 percent. So the intelligent auditor sees that management is on top of the situation, that risks are at “acceptable levels,” and moves on.

But, and this is the big but, what does the auditor do if management has not established its risk tolerance? I have heard one thought leader say that this is an issue that should be included in the audit report. My thinking is that this is an opportunity for a discussion about the value of risk management.

We have historically been advocates for internal control. Now is the time for us to be advocates for risk management. When we perform an audit and management does not employ risk management practices in designing their processes and in decision-making, we have an advocacy opportunity.

If there is to be an audit report finding, in most cases it should be delivered to somebody at a corporate level rather than at a local level. I would like to think we can collect some of these local situations, understand how risk management would add value to local operations, and build the case for a discussion first with senior management and then with the board.

Now, we still have a challenge in that we have a control issue and management has not defined its risk tolerance. Do we go ahead and publish, or do we substitute our own judgment for that of management? Well, I think the answer is that we try to work with management to agree on whether the current level of risk is above or below acceptable levels. Yes, that means using our judgment collectively with management to establish the threshold.

Are we set if management has defined risk tolerances? No, because the risk tolerance can be inappropriate for the business. For example, perhaps it was set a year ago and the business conditions have changed. We need to use our judgment and assess whether management’s risk tolerances are reasonable.

Let’s bottom-line this. World-class auditors, in my opinion, should assess the condition of internal controls against the standard of providing reasonable assurance that risks are managed at (approximately) risk tolerances. We should no longer:

  • Report the issue and let management reply as to whether they accept the risk.
  • Ignore situations where management has not established risk tolerances.
  • Accept, without question, management’s setting of risk tolerances.
  • Miss the opportunity to be an advocate for risk management, especially an appropriate risk culture.

Do you agree?

Posted on Oct 29, 2009 by Norman Marks


  1. Without a doubt, if there ever were a time when individuals at any level of the organization need more guidance that includes a good solid understanding of the controls and the risks or, in other words, they have done some 'critical thinking' associated with risk management, that time is now.  Who better to deliver that message?  I can't think of anyone better than the people who are dedicated to the profession, understand the bigger picture, and even more importantly, have some history of what does and does not work!  It is almost second nature.  It has to go further though because the third-party must be brought into discussions with the business as all the cards must be on the table to make the best decision.

    Every organization is unique.  Their leadership knows this fact, but have they thought about risk taking in their own terms and tolerances or are they satisfied with looking at what another organization has done to address risks?  Are they even looking at the risks?-- may be a better question for some.  Awareness and guidance is needed.  That seems obvious.  Who to involve in the risk management process becomes a question of trust and how it is delivered.

  1. I think you have a good point here. Getting an independent opinion about the risks and thresholds is an important audit result. And audit should definitively make it transparent (and also make transparent if there is no risk threshold at all). However, let me challenge your thought about audit being involved in setting the risk tolerances:

    1) If audit is involved in setting the risk tolerance levels, how can audit uphold its independence? In particular, if audit agrees on a tolerance level, how will audit defend future findings against the risk tolerance they agreed upon before (other than changed environment)?

    2) What is a good risk tolerance level? How can audit identify the "correct" one? Can they override the shareholders (who have the final say in risk tolerance)? Does audit know the shareholders' risk attitudes, or even those of all stakeholders?

    3) Since risk tolerance is a key ingredient of a company's strategy, should audit assess the strategy? What is the wrong strategy? Who judges the underlying assumptions?

  1. Great discussion. 

    My personal view is that internal auditors should ensure that there is consensus agreement on the current residual risk status up to and including the board for significant residual risk situations.

    I don't believe that it is audit's job to decide on risk appetite, but it is audit's job to ensure that significant residual risk situations are known by senior management and the board and there is agreement on acceptability.

    In a perfect utopia world the business unit would have done their own risk self-assessment and communicated the current residual risk status upward through the organization for review and audit would confirm that the information being communicated was reliable and reasonably complete.  Enterprise risk management software can be used to set how many levels above the reporting level must review residual risk status and confirm their review in the system. 

    Since we don't live in a utopia world, many organizations don't have robust risk self-assessment systems, so internal audit must use their audits to identify and elevate significant residual risk acceptance decisions. I don't believe it is internal audit's job to decide what is or isn't acceptable, but they can elevate situations they think might be outside the risk tolerance of senior management and/or the board.

  1. Risk-based security and security risk assessments are the emperor's new clothes. Risk calculation is far too complex and affected by too many unknowns to be valid. Nobody has ever reported on tests of the validity of risk assessments. Evaluation of controls is best done by asset and vulnerability analysis, benchmarking against other similar organizations' practices, immediate obvious needs, standards, experts' advice, generally accepted practices, tradition, and the current literature. I call this diligence-based security.

  1. Oliver asks: "If audit is involved in setting the risk tolerance levels, how can audit uphold its independence? In particular, if audit agrees on a tolerance level, how will audit defend future findings against the risk tolerance they agreed upon before (other than changed environment)?"

    My opinion is that we are assessing and providing an opinion on controls and processes all the time. That means we are involved in determining whether, in our opinion, they are adequate.

    I see no difference in assessing whether we think management's risk tolerances or risk appetite are appropriate.

  1. Tim, surely it is our job to compare residual risk levels against risk tolerance, not only to determine whether the risk strategy of acceptance is appropriate but also whether other risk strategies (e.g., remediation) are appropriate?

    You have commented previously on IA reporting residual risk levels. I would prefer to report excessive risk above risk tolerance.

  1. Donn, I know you prefer a due-diligence approach rather than risk assessment (for reasons you have previously explained).

    If we translate the concept of risk tolerance to due diligence, we are asking the auditor to assess whether management's assessment of the appropriate level of security is appropriate and adequate. Do you agree that the auditor should review and assess management's position?

  1. Norman's opinion is: "that we are assessing and providing an opinion on controls and processes all the time. That means we are involved in determining whether, in our opinion, they are adequate."

    I agree. Are the controls appropriate or adequate for the job they are doing? This is what is being assessed. What residual risk remains, and is it "acceptable" risk?

    Example:  Who can "accept" the risk?

    If $1 M in software (to automate a manual process) is going to reduce the risk of $300 M in data being stolen and used to fund illegal activities, an individual cannot disregard the fact that if their level of authority is $10 M (inadequate) then others must be involved in making the decision. (A simple example for the sake of discussion.) Now add in the fact that the probability of the data being stolen is "high" for this organization. An auditor or a security professional should be able to help explain this to decision makers.

    For example: Is a manual means of control vs. the software automation a "strong" or a "weak" control? "Manual" in the current times is a very "weak" control. It would not be recommended to reduce the risk in this example by those who know it is "inadequate" given the risk and the probability of the breach occurring.

    Some decision makers are not clear on the strength or weakness of a given control. The control is only viewed as a "control that can close a gap" without regard to the risk or the adequacy of the control and the organization's tolerance of the risk the said control is intended to reduce. Adequacy of the control is as important as having the appropriate level of authority to accept risk.

  1. Excellent article. And, I agree 100% with the premise.

    In the past there was less emphasis on Risk Management, and auditors, as you point out, were focused on controls. Thanks to the regulatory changes of the last 6 to 10 years, Risk Management has surfaced as a major compliance requirement in operations, finance and IT management. And, auditors need to step up to the plate.

    As we all know, the current financial crisis will likely yield a new crop of compliance requirements that will put ever more reliance on Risk Management.

  1. Good dialogue.

    At the end of the day our IA perspectives on risk and control do help shape organizational risk tolerance levels. I am in agreement with Norman that we cannot just report residual risk and think our job is done. We all know there are cases of CAEs who have walked away from their job when they felt management has accepted excessive business risk (vs. illegal acts). A key value driver is risk management education. We will need to do more of this going forward.

  1. Norman states: "We have historically been advocates for internal control. Now is the time for us to be advocates for risk management. When we perform an audit and management does not employ risk management practices in designing their processes and in decision-making, we have an advocacy opportunity." 

    I completely agree. And if we don't move quickly on this we will quickly be irrelevant. Even the U.S. regulators see the value of board involvement in risk management, and are pushing it in several ways (SEC 10-K disclosures; TARP rules; etc.). IA can really help move this forward.

  1. I agree for the most part.

    Implied in this discussion is that Internal Auditors understand the entity’s level of risk tolerance. Judgment is involved in that not all risks are known and everyone uses their own experience and frame of reference in interpreting risks.

    However, if the level of risk tolerance has not been established or effectively communicated and understood by those in the entity responsible for taking/managing risks, then there is an opportunity to report a design or effectiveness exception on risk management. Hopefully, this would take place in an assessment of ERM by Internal Auditing.

    In the context of a specific audit in which risk taking is determined to be “unacceptable”, the issue should be reported from the viewpoint that the auditor (who has an understanding of the entity’s level of risk tolerance) is of the opinion that the risk is either not defined by the entity’s level of risk tolerance or is not in line with it. Management would either agree or disagree and there could be appropriate dialogue or an opportunity to escalate the matter to an appropriate level within the organization.

    There is a “materiality” factor that should be considered in evaluating whether management is OK in accepting a risk, but this should not be made by the auditor (in my opinion) but by a risk oversight group or the CRO, as determined by the entity.

  1. The situation requires sufficient discussions with management to understand it and assess; however, if in the auditor's judgement the risk should have been avoided due to its impact on the organization, reporting the issue to the board is imperative. It is not a matter of whether management has or has not established a risk tolerance for its activities. It is impossible to disregard the impact of a control weakness whatever the situation is, and this is auditing irrespective of whether we call it a review of the risk management approach or else.

    It is always the auditor's responsibility to assess and report results, notwithstanding that management may try to persuade the auditor and overexplain the business objectives of their decisions, but the auditor should be extremely alert and exercise his professional judgement.

  1. Norman,

    A couple of thoughts:

    You state "we should be helping the management team manage risks". Internal audit should not be helping the management team to manage risks. This is a conflict of interest.

    You state "using our judgement collectively with the management team to establish thresholds" Internal audit should not be establishing thresholds as it is a conflict of interest.

    It is the responsibility of the board to establish the risk tolerances and appetite and to the extent this has been identified by the auditors, I imagine in conducting a review of the risk management system- this should be included in the audit report as it is a serious issue. Naturally there will be extensive discussion on this subject. It would be quite helpful for the auditors to identify why the risk tolerances have not been established as I think that most certainly a training opportunity for the Board will be determined.

    On your statement to "report the issue and let management reply as to whether they accept the risk"- this sounds good once it is the appropriate level of management and the results as well have been communicated to the audit committee for ratifications.

    On your statement to "accept, without question, management's setting of risk tolerances", this sounds good once these tolerances are agreed at the board level. Risk tolerances are owned by the board and not by management.

  1. Arnold, may I suggest that if it is acceptable for internal audit to help management have effective internal controls (through assessment and recommendations for improvement), it is similarly acceptable for internal audit to help management manage risk (by assessing and making recommendations for improving their risk management processes).

  1. Norman,

    I think that this revised wording is appropriate. I was reacting to what seemed to be those responsibilities that were crossing over the line on the "fan" that we have come to embrace. So to the extent that we assess and make recommendations for improving risk management processes, this does in the end analysis "help management manage risk".

  1. Interesting discussion!

    I think Norman has pointed out an important area. It is now an established fact that the present day global economic crisis was the result of a slackened risk management process. It is high time that we, internal auditors, adopt a proactive role in risk management without compromising objectivity and independence. We should be more magnanimous in our approach while making recommendations on the risk management process. Internal auditors sometimes avoid making recommendations that could add value to the company for fear of exceeding their roles.

    However, IIA’s definition of internal auditing also contains “consulting” activity. The CAEs should market their expertise on risk assessment to the Board for performing consulting assignments on risk management. Internal audit may provide, in such an assignment, proper advice on risk appetite and risk tolerance, after properly following IIA’s regulations on independence and objectivity.

  1. Dear Norman:

    An outstanding topic and view. We face this so much in audit and more notably in organizations that are decentralized. In our planning phases we try to extract what Senior Management's and process management's view of Impact and Likelihood are with respect to risk for the overall process. This helps us keep in mind what management's tolerable and in some cases (when we ask) expected residual risk will be. It provides a baseline for us to assess the different risk categories and risks and related control assessments to subjectively roll up an assessment of residual risk to compare to management's. Hence, while preserving our independence we can provide management and the Audit Committee with an objective perspective on how things actually are and THEY can determine if this is within their tolerable level or not.

    I have found in my travels that employing even a simple ERM type framework is often not done (as many studies have suggested). As a result, if you speak with 20 managers you get 20 different perspectives of both what risk means and what is tolerable. The true risk to the company as a result may be individuals or department leaders unintentionally accepting a greater level of risk than what Senior Management may want. In a one-off situation it may have little impact to the business; but collectively misapplied it can increase the likelihood element of risk to a point to have a material impact on overall residual risk (i.e., exceeding tolerable).

  1. I would want to add a practical scenario where the auditor identifies risk based on, say, an IT standard and Management accepts the finding but cannot commit to the reduction of the identified risk and accepts to maintain the status quo notwithstanding the Auditor's professional opinion.

    What is the audit's next step?

    Does highlighting that management's assumption of risk still violates a standard constitute a closure? Can the audit force management to accept and mitigate?

  1. Jazinda, the auditor should identify risk not in terms of a standard, but in terms of how it could affect the business. Just because there is a theoretical risk doesn't mean action should be taken. For example, every time you breathe you are taking a risk, but you won't stop breathing! A determination has to be made as to whether the risk should be accepted or not. The auditor may have an opinion, but it remains a management decision.

    If the auditor listens to management explain why the risk is acceptable and then disagrees, the auditor should escalate to more senior management. If necessary, because the risk is significant, the auditor will take it to the board. See the IIA Standards on this topic.

    I hope that helps.
