SUPPORT CENTER
Q&A 4th Qtr 2002

DATE: 12/19/02

QUESTION: Can you define a high, medium and low risk, in regards to assessing control issues? I understand that the level of risk is associated with the business objectives and the risk that the VPs, or above, are willing to accept, but I was hoping to get generic definitions of a high, medium, and low risk.

ANSWER: Sorry, no I cannot. Risk is personal. Everyone views risk differently. There are no generic definitions.

High, Medium and Low are intellectual wastes of time. What is High to one is Low to another. What is important is how much risk, in terms of things going wrong, is the Governance prepared to live with. Only when the limits of risk are understood can we make any kind of determination as to the adequacy of controls. This cannot be made with subjective terms of High, Medium and Low.


DATE: 12/2/02

QUESTION: What do you do if the vice presidents will not admit to taking any risk and continually send the message of a zero errors goal? This is making it difficult for us to implement the Governance, Management and Performance concepts.

ANSWER: I agree that zero errors is an admirable goal. And if the business risk is really high, we should strive towards it. However, the business has scarce resources and not every risk is that high. So any business has to make hard decisions as to where the scarce resources will be allocated. By establishing limits of risk - "how much are we prepared to live with going wrong" - and monitoring errors, etc., against those limits, the business has a means of allocating those scarce resources.

You haven't provided me with a lot of information. I assume that you have explained the Governance - Management - Performance concepts and attempted to manage upwards. If you are still going to be crucified if anything goes wrong, my only suggestion is to quit now while you can do so on your terms. The reality of life is that things will go wrong (risks will jump up and bite you). If you are going to be blamed for it, you are not dealing with people who have a firm grip on reality, or ethics for that matter. Leave now while it suits you. And good luck in your new career.


DATE: 11/26/02

QUESTION: We attended the Risk Based Integrated Auditing™ overview that you presented in Greensboro. We want to proceed with RBIA but we have some unique issues in our company where we will need to make changes to RBIA to make it work. How much of the RBIA process can we change to suit our company structure? What are the risks associated with changing it dramatically?

ANSWER: You can, of course, change whatever you want to. Almost all companies make changes to suit their unique geographical, structural, regulatory and operating environments.

We have spent a lot of time refining the RBIA concepts to provide outstanding value and productivity. If you start bypassing parts of RBIA, you run the risk of reducing the value and productivity that RBIA can deliver.

Because RBIA addresses the really major risks in the business, we have incorporated many safeguards to protect the audit teams from getting themselves into trouble. I would say that the biggest risk in bypassing parts of RBIA is that you run the risk of bypassing the safeguards that we have designed into it. You may not be successful with some of the more contentious audits that you do.

One more thing. There is a lot of information in RBIA. I can provide only an overview in the one day sessions that you attended. I strongly suggest that you attend the full four day session before you proceed. It will provide much more of the details about the concepts and walk you through two very difficult case studies. You will be more informed about the issues that you will encounter in proceeding further with RBIA.


DATE: 10/11/02

QUESTION: Your concepts of Governance require that senior management agree to the amount of risk that they are prepared to take on. What do you do if they will not quantify that risk?

ANSWER: Business is the art of risk taking. Whether they admit it or not, executives take risks, that they are legally accountable for, with the stockholders' assets every day. Refusal to quantify that risk means that it is difficult to know whether you have too many resources in any one area or whether you are performing the right processes. More importantly, it is almost impossible to make any assessment of controls unless you understand the risk involved and how much risk you are prepared to take. You could very well be over controlled and consuming excessive resources and cost.

The only circumstances where we have encountered executives who will not agree to accept a certain, quantified amount of risk is where their auditor (internal or external) practices "gotcha auditing". They may be reluctant to state it for fear of being "written up". Outside of this situation, a rational discussion about the direct connections between the cost of control and the amount of risk the organization is prepared to take on usually accomplishes the objective. If your company has any cost cutting initiatives in place, emphasize that the less risk the company is prepared to take on, the more expensive the controls will be. More risk, less control, less cost.

Whenever we apply this methodology, we have always found over control situations where costs can be saved. While executives may be reluctant to talk about risk, most are very keen to talk about cost savings.


DATE: 10/7/02

QUESTION: Why are you opposed to audit programs? They are taught in every basic audit class and form the basis of all internal auditing that I have ever seen.

ANSWER: I am not opposed to audit programs. In the public accounting world, they make eminent sense. Unlike internal auditing, public accounting is a true profession and can be sued. In such situations, it makes all the sense in the world to have rigorous, standardized audit programs that staff can follow to complete their audits.

Audit programs also work where internal auditors are required by law or mandate from the audit committee to do repetitive, low level compliance with procedures audits in areas where processes are very standardized. If the level of education and intelligence of the internal auditors involved is not very high (lower salaries), it makes sense to use audit programs.

The problem is that the public accounting model and standardized compliance audits are not based around the value equation. When the value equation ("what are we getting for the cost and time incurred") becomes prevalent, the audit program way of doing things results in:

• high cost audits with little or no value to show for it,
• focus on completing the tasks in the audit program, not appraising the risks,
• no focus on value for the cost,
• no one is held accountable for a bad audit since everyone has an excuse ("I did the tasks assigned to me in the audit program").

We firmly believe internal auditors are of such a level of skill and expertise that they are bored out of their brains with audit programs. Internal audit departments have a lot to offer company executives by addressing the huge risks that are threatening the company. The public accounting way of doing audits is not utilizing the skills that most internal auditors have.

When you address the key risks that are involved in the company, there is no audit program available. Can anyone produce an audit program to deal with complex governance issues? Many internal audit departments avoid the complex, difficult risks simply because they don't know how to put them into an audit program way of doing audits.

Risk Based Integrated Auditing™ is designed to generate high value for minimal cost where a very few internal auditors are charged with covering an extensive range of risk issues. In such environments, audit programs make it very difficult to add value.

RBIA™ and PGRM™ Osterio, Inc. All rights reserved worldwide.

Updated: February 2, 2007