What is Risk?
We all know the answer to this intuitively. Your mother, like mine, probably formed your first understanding of risk, with statements such as "Don't run with scissors. You'll put your eye out!" or "Put your coat on before you go outside. You'll catch your death of cold!" She was concerned about risk to your health and well-being. As we grew, risk became applicable to other areas of life. "You break it, you bought it," reads the sign in the store. "This was an accident that did not have to happen!" says your Dad after your first fender bender from driving too fast or too carelessly. Now, risky behavior is costing someone money, possibly you. As we get older and life becomes more complex, so does risk and all of its implications. When it comes to risk in business, most of us think of property risk. A fire burns through a classroom, a flood takes out the computer room, or a company car is wrecked or stolen. These are events that could occur and effect operations. The standard remedy for such risks is insurance. The state of Louisiana has an entire department called the Office of Risk Management whose stated focus is "... to develop, direct, achieve and administer a cost effective comprehensive risk management program ... in order to preserve and protect the assets of the State of Louisiana." (La. ORM Website).
How Do Auditors View Risk?
But what do internal auditors mean when they speak of risk? When used by internal auditors, risk takes on a far broader meaning. Risk is defined by the Institute of Internal Auditors (IIA) as "the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood." Would that include the events listed above? Absolutely. But so much more. What if inadequate employee training results in erroneous data being recorded in the college's information systems? What if poor cash management controls at a college result in several months of unreconciled bank statements? Is that risk? What if poor controls over access to academic reporting software resulted in fraudulent changes to student grades? What if a college chancellor or board member made the front page of the local newspaper or the 10 O'clock News for an incident that had nothing to do with the college or their service on the Board? Are these risks insurable? Are these covered by ORM? What if these events have not actually happened but could happen because of the weak or non-existent controls. The vast majority of us never poked our eyes out from running with scissors either, but it could have happened. And if it did, the effect on our lives or on our business could be devastating? When internal auditors plan their work, they must make an assessment of institutional risk, including all risks, not just property risks. Preferably, the institution itself should have an ERM, Enterprise Risk Management program, which takes an institution-wide view of the risks faced by the entity. These would include the physical risks previously mentioned as well as financial risks, fraud risks, academic risks, environmental risks and other areas of risk including an area increasingly getting the attention of board members and senior management, reputational risks. In addition to using their estimation of enterprise-wide risk for planning their overall work plan, internal auditors must also take risk into account when developing the specific tasks performed in a project. For example, perhaps a project was selected because of the appearance of weak cash controls. In deciding what tasks to perform, the auditor must determine first if controls even exist. If they do not exist at all, there is significant risk that the data may be erroneous. A large number of records may need to be reviewed to come to a conclusion about the validity of the attribute being tested or the balance being confirmed. If controls exist but are thought to be weak, the auditor will need to test a sample of records in order to gauge the risk of errors in the entire record population. Based on the results of that sample, the auditor may conclude that even though the controls are weak, they appear to be working. Or the auditor may decide, due to errors identified in the sample records reviewed, to enlarge the selected sample of records and then come to a conclusion regarding the record population as a whole. The goal is to gather sufficient evidence from the review of records to conclude whether the perceived risk is sufficient to impact the achievement of management's objectives and to report such to management with appropriate recommendations.
What to Do if Internal Audit Identifies Risk at Your College?
When Internal Audit cites your college for weak controls, it is not because we are looking for that "˜gotcha' moment. Weak controls adversely impact the college's ability to reach its goals and Internal Audit wants you to reach your goals. We will discuss with you the risk that we have identified and will work with you to develop appropriate remedial measures. The best remedial measure is to implement a control that will avoid the risk altogether. Some risks cannot be completely avoided. In those cases, a control that identifies the risk event when it occurs and minimizes its impact is the next best thing.
Don't Wait
You do not have to wait for Internal Audit to identify risk at your college. College leaders should become knowledgeable about risks that exist in their areas of responsibility. If you become aware of risks, invite Internal Audit to come and help you make an assessment and work with you to identify appropriate controls. Our mothers had some other sage advice as we were growing up. "An ounce of prevention is worth a pound of cure!" It still applies.