• Blog

Thinking Like an Auditor

  • A Lesson on the Nature of Control

    July 8, 2016 | By Toby DeRoche MBA, CIA, CCSA, CRMA, CICA

    On July 4th, a day when all service professionals are on vacation, my refrigerator stopped working. My wife and I ran to a store to buy a mini fridge and crammed all of the food for a family of four into an appliance meant for a dorm room. As soon as we were done, we looked at each other, covered in sweat from all of the activity, and we realize the air conditioning is not working at all. Unfortunately we live in Florida, and it is just a little hotter than the inside of a volcano in July.

    Once we done crying and laughing, and after a few drinks (it was July 4th after all), we asked ourselves what we could have done differently. My wife and I are both auditors, so we tend to think in terms of risk and control.

    I know just how goofy this sounds, but the conversation went to the four categories of control activities, and how we had applied these to our home. With both the refrigerator and the air conditioner, our process was the same.

    • Avoid – Well, you can’t entirely avoid a broken appliance, but they are getting a little older. Both are probably about 10 years old, so replacing these sooner might have avoided this situation.
    • Reduce – We take care of the appliances, and everything is clean and well maintained. From my perspective, we’ve done our part to reduce the risk of breakage.
    • Share – I have a home warranty, so I have shared the financial aspect of the breakage. The warranty doesn’t do anything to get a repair done at the last minute on a holiday.
    • Accept – Nope. I’m not going to simply accept the full risk of a broken appliance, that’s why I do my best to keep up with regular maintenance.

    Eventually the repairs were completed, and because we did share the risk through a warranty, the bill wasn’t too big. We lost some food in the broken fridge, and we had a bigger July 4th grill out than previously planned. With no air conditioning in a Florida summer, we had a really hot house while waiting for repair. In the end, I was reminded of a fact that is hard for most auditors, myself included…we can never fully control every risk. Our goal is to mitigate the risk to an acceptable level. What I learned from this experience is that the level of risk I am willing to accept on paper is much different from when it actually happens. Waiting a day or two for a repair to occur sounds okay, but the reality of trying to sleep when it’s 90o inside for even one night is a different story.

    The lesson from my experience is this: when assessing the adequacy of controls, consider what the residual risk looks like to the people who actually have to live with the consequences.

  • View Demo
    Contact Us
    Request More Information