Mark R. Simmons
Joined: Nov 2003
Thursday October 25, 2012 12:05 PM
I think it's inappropriate to tell management what they "should" do when dealing with risk mitigation. My reasoning is below.
COSO ERM defines avoidance, reduction, sharing, and acceptance as potential risk responses. The appropriate response depends on the organization’s risk appetite and business objectives.
A grocery store chain, for example, may decide that the likelihood and impact of adverse reactions from long-time customers and community leaders outweigh any revenues gained from selling alcoholic beverages. To avoid those risks, it decides not to sell alcohol.
Or, suppose a company opens a facility in an area prone to natural disasters. To reduce risk, it may decide to back up crucial data at a distant off-site location.
Establishing a joint venture to develop a new personal technology product is an example of sharing risk. For instance, a company might choose to focus on providing technological expertise, while allowing another firm to take responsibility for product-marketing efforts.
Conversely, an organization may decide that the likelihood and impact of an identified risk it faces is acceptable. For example, a manufacturing firm might conclude that relying heavily on one rail carrier to deliver its raw materials and finished products is an acceptable risk because of the carrier’s overall financial health and its long-term status as a low-cost provider.
Whether the organization chooses to reduce, share, avoid, or accept risk, the COSO approach involves responding to risks strategically, rather than reacting to unanticipated circumstances.
(June 2006 Internal Auditor, p 25)
For Discussion: Is It Inappropriate to Use “Should” in Audit Reports?
Internal Auditors must consider risk in planning and carrying out the engagement. However, risk identification, analysis, and mitigation response are primarily management’s decision and responsibility.
In my opinion:
Internal auditors exceed their role and authority by including in audit reports what management “should do” in response to a reportable condition. A professionally written internal audit report recognizes that management has the sole authority and responsibility to establish the entity’s risk tolerance appetite and either avoid, reduce, share, or accept the risks associated with conditions reported by the internal auditor.
It is inappropriate for the internal auditor to tell management what “should” be done. Current best practice for a professionally written internal audit report calls for discussion of the business risk, the root cause of the risk exposure, and options that management could consider to address the risk exposure. For example, “management could avoid the risk by…”; “management could reduce the risk by …”; “management could share the risk by…”.
Stating the risk, the root cause(s) - not the symptoms - and possible options management could pursue gives depth to the solution and challenges the status quo. By providing options for management’s consideration and response, the decision and accountability are placed where they belong – with management. If the internal auditor believes management’s solution to a mission-critical risk is insufficient based on established risk tolerance criteria, the auditor has the option of so stating in the report, or more appropriately, raising the matter to a higher level for resolution before issuing a final report.
What do you think?
Edited: Friday October 26, 2012 at 4:41 PM by Mark R. Simmons