An Internal Auditor Recommended Taking More Risk

Norman Marks, CRMA, CPA, is an evangelist for better-run business, focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. The views expressed in this blog are his personal views and may not represent those of The IIA.


Something like 20 years ago, during my first years as the CAE of a major oil refining company, one of my staff (I only hired audit managers at that time and she was the most senior of the three) was working on an audit of Treasury.

The Treasurer was a senior member of the Finance team, highly respected by company leadership. So it was important that we make a good impression in this first audit of his area. At the same time, he was a gruff curmudgeon (he reminded me of the late, great Alastair Sim as Scrooge in “A Christmas Carol”) that scowled every time I saw him — and other executives told me that he shared that disposition with everybody except the CFO.

So, I set the auditor, Laura Morton (now Nathlich), two tasks: the first was to perform an audit and provide an objective assessment of whether the Treasury function was meeting the needs of the corporation; the second was to get the Treasurer (Craig) to smile!

Laura exceeded my expectations (something she went on to do regularly).

As I had expected, Craig’s area was in very good shape. It reflected his personality as a disciplined, careful individual that had a deep understanding of the business and its needs.

But, Laura identified one issue that only deepened Craig’s frown.

She pointed out that the company’s investment policy limited overnight investment of cash to the safest of all investments, which had the lowest of all rates of return. While this was the policy that had been approved by the board, the level of risk being taken (clearly a very conservative one) was inconsistent with the general attitude of the company to taking risk!

The company was a significant “player” in the commodity derivatives market, not only to hedge the price it would pay for its raw materials (crude oil) and the price it would obtain for its refined products (gasoline, diesel, jet fuel, and so on), but it also had a truly speculative position.

So it was taking millions of dollars of risk in the commodities market but unwilling to take any risk in its overnight investments?

Laura recommended that the investment policy be reconsidered. That was a wise move. Only management can decide how much risk it is willing to take, but we (as the independent and objective internal audit team) can challenge them when appropriate.

Craig reluctantly agreed that Laura had a point — not on technical controls philosophy but on business grounds. He discussed it with the CFO and they agreed to change the policy.

I met with Craig and Laura to review the final report before it went to the audit committee. He gave Laura a reluctant smile and acknowledged that it was a professional audit.

Do your audit customers smile?

What do you think of an auditor that recommends taking more risk?

I welcome your comments.

Posted on Mar 22, 2014 by Norman Marks


  1.  Hi Norman,

    That was an excellent narrative of an audit engagement where everybody was happy - the auditee and the auditor. The auditor recommended taking more risks and the auditee agreed because it helped the auditee (the head of treasury) reflect on better investment strategies.

    I am reminded of an audit of a leading investment bank in the Middle East in 2010 when I was reviewing the fund management strategy and policy of the treasury and found that there were huge cash holdings and the Head of Treasury proudly claimed that "Cash is King" and would not risk losing the money by investing in funds/markets which were going through the effects of the Global Financial Meltdown (Financial Crisis post 2008). In the exit meeting, it was discussed that funds can be invested instead of keeping the capital idle which would not benefit the banks and its stakeholders. The head of treasury disagreed and the report was presented to the Audit Committee.

    The Audit Committee discussed the issue of idle cash at length and made some interesting observations in line with their oversight function:

    1. The Investment Policy should be adhered to and any exceptions to the policy should be brought to the attention of the senior management and the board.

    2. A board level committee should be formed to explore investment opportunities and the board should be involved in the investment strategy (given the unusual circumstances which the economy was facing due to the global financial meltdown).

    3. The internal audit should review the action taken every 3 months and present a report to the Audit Committee.

    Thus, it was a great experience where auditor's view of adherence to the policy mandate was upheld by the Audit Committee and which was in the interest of the larger good of the stakeholders. 

  1. It was completely appropriate in this situation for the auditor to recommend taking more risk. After all, risk management (not IA's responsibility) is about balancing risks & rewards. This auditor definitely added value to her organization with her astute recommendation. It was also gratifying to read that management changed their policy on investments as a result of the auditor's recommendation.

  1. Great article. When an audit can convince management to focus on going outside of its comfort zone, and that actually happens, it is a win-win. 

  1. Excellent story with a lesson for auditors if we are to remain relevant.  Too many auditors spend their time ticking and tying without making an impact on the organization.  Auditors should be challenging themselves and people in operations to streamline processes for efficiency and improve profits.

  1. This is an article which re-emphasizes the changing role of today's internal auditors. The 19th century auditors were very happy if managements took decisions on investment based on lowest risk possible. In fact, internal auditors used to send out negative comments if managements decided otherwise - i.e. to invest in higher risk areas. Internal auditors today and in the future will look at investment decisions from a business view point not from a conservative viewpoint of doing business with least risks.

  1. I do not think she recommended that the organization take on more risk. Rather, she recommended that the objectives of the business unit should be in line with the overall objectives of the organization. A couple of questions come to mind: 1) Did she examine the risk appetite of the business unit itself? 2) Was the organization purposely asking this business unit to take on less risk in order to diversify its risk takings?


  1.  SBP, we can disagree on whether the organization took on more risk by investing in lower grade (and therefore riskier) products.

    On your questions, 1) in those days we didn't use risk management language, just the language of the business. She talked to the Treasurer (Corporate officer) about the level of risk he was willing to take on overnight investments and then compared that to the overall risk attitude of the organization. They appeared out of sync so the matter was raised to senior management (CFO) for resolution. 2) This was the corporate Treasury function.
