On July 4th, a day when all service professionals are on vacation, my refrigerator stopped working. My wife and I ran to a store to buy a mini fridge and crammed all of the food for a family of four into an appliance meant for a dorm room. As soon as we were done, we looked at each other, covered in sweat from all of the activity, and we realized the air conditioning was not working at all. Unfortunately, we live in Florida, and it is just a little hotter than the inside of a volcano in July.
Once we were done crying and laughing, and after a few drinks (it was July 4th after all), we asked ourselves what we could have done differently. My wife and I are both auditors, so we tend to think in terms of risk and control.
I know just how goofy this sounds, but the conversation went to the four categories of control activities, and how we had applied these to our home. With both the refrigerator and the air conditioner, our process was the same.
Eventually the repairs were completed, and because we did share the risk through a warranty, the bill wasn’t too big. We lost some food in the broken fridge, and we had a bigger July 4th grill out than previously planned. With no air conditioning in a Florida summer, we had a really hot house while waiting for repair. In the end, I was reminded of a fact that is hard for most auditors, myself included…we can never fully control every risk. Our goal is to mitigate the risk to an acceptable level. What I learned from this experience is that the level of risk I am willing to accept on paper is much different from when it actually happens. Waiting a day or two for a repair to occur sounds okay, but the reality of trying to sleep when it’s 90° inside for even one night is a different story.
The lesson from my experience is this: when assessing the adequacy of controls, consider what the residual risk looks like to the people who actually have to live with the consequences.
Toby is a Certified Internal Auditor (CIA) who holds an MBA with an Internal Audit specialization from Louisiana State University. He is also certified in Control Self-Assessment (CCSA), Risk Management Assurance (CRMA), Internal Control (CICA), and Fraud Examination (CFE). His professional background includes identification and documentation of weaknesses that result in heightened business risk, while recommending solutions to such situations. Toby began his career in internal audit with Macy's Inc. He then worked as an implementation and training consultant for Wolters Kluwer. As a Senior Market Development Consultant at Wolters Kluwer, Toby works with organizations that are looking for software solutions to their audit, risk and compliance needs.
Throughout his career, Toby has assisted numerous internal audit departments in creating, performing, and supervising financial, operational, and compliance audits to evaluate control frameworks, financial systems and operating procedures.