I was recently working to prepare the audit plan for a client and it got me thinking about risk appetite and is it really used in the right light. External Auditors have always used the concept of materiality as their responsibility is to give a true and fair view of the financials, this concept also allows them to not audit everything in the company and limit the resources needed.
When a company uses risk appetite they are also applying the materiality concept to say where the that risk and control resources will be deployed. What this means is that in areas where the potential of a loss is well below the risk appetite not much focus is needed by the risk and internal fuctions. This also means that if you are a crook you could slowly make money by stealing from the company as long as it is below the materiality limit.
I cant imagine applying a similar concept to my personal finances or money, I will not let anybody take me for even a Rupee more than what’s due and if I can someone taking advantage of me for a few rupees I will always be on guard next time dealing with that person or may not deal with that person again.
So I asked is it okay for big or small companies to lose x% or their revenue as it is below the materiality limit or within acceptable risk appetite? I guess someone would get up and say there is a cost to control and what is the point of saving 100 Rupees by spending 1000 Rupees. Well thats right and thats what should be looked at when evaluating a control break down and not materiality.