In this episode of THE SAMPLE, Leita Hart-Fanta, CPA discusses the connection of Risk and Choice and what to do with an inherent risk once identified.
Welcome to The Sample, a quick discussion of auditing concepts and terms that will help you do your work. Conducting an audit in accordance with auditing standards is no small feat and I want to support you. We’ll be referring to the GAO, IIA and AICPA literature to bolster our conversations. Let’s get started.
In this episode, we discuss what to do with an inherent risk once you’ve identified it. So you’ve filtered the risks for magnitude and likelihood, and now it’s time to tell management about it. Because where there’s a risk, there must be a choice. The key here is that you, the auditor, are not responsible for that risk. Your job is to point out the risk. It’s management’s job to decide what to do with it. As one of my friends tells me all the time, “Not my circus, not my monkey.” So when I’m going, “Oh, I can’t believe this guy.”
He’s like, “Hey. Not your circus, not your monkey.” And your job as an auditor is just to point out the risk, and then management has four choices to make. One, they can accept the risk and go, “Well, thanks for telling us, but we’re going to keep doing what we’re doing.” Maybe they don’t have the time, the resources, the will, the concern that you have. And again, not your circus, not your monkey. You just have to go, “Okay. I did my job. I told you.” They could avoid the risk. They instead could go, “Wow. I had no idea that that could happen, and we’re not going to do that anymore. Thanks for telling us. We’re not going to do that activity any longer.” Or they can say, “Well, we still want to do this thing, but we probably should take some action to mitigate the risk.” So here, they could put controls in place to mitigate the risk.
And this is where you can help them because we’re experts in internal control. Or this last choice, a little bit tricky in that they say, “Oh, wow. We should probably do something about that, should have more controls in place, but we don’t have the resources internally to do that or the will. So let’s subcontract that out. Well, let’s find a partner who will share the risk with us.” Now, the tricky part of this is that even though you’re sharing the activity and the risk and the controls with someone else, that doesn’t mean you get to wash your hands at us.
So that doesn’t mean management gets to just say, “Done. Don’t have to worry about it.” They still have to make sure that that partner, that subcontractor is doing their job. So your job, again, point out the issues, point out the risks, but then once you’ve done that, remember that it’s not your monkey, not your circus. It’s their choice to make what to do with that risk.
That wraps it up for another episode of The Sample. True to the nature of a sample, we didn’t talk about everything, so you’ve probably got questions. Write to me firstname.lastname@example.org and I’ll do my best to fill in the blanks. Thanks for playing.
For More Info: