Choices Can Secretly Send Audit Risk ‘Off the Scale’
How Routine Business Choices Can Secretly Send Audit Risk ‘Off the Scale’
Looking around the room, you could tell the lecture hall was half full, which is generous by mid-semester standards. The student laptops are open, half-empty coffee cups are everywhere, and the slide on the screen simply states:
“Audit Risk: The Choices You Never Think About.”
The accounting course instructor does not begin with definitions. Instead, she asks a question.
“Who here believes that audit risk comes from big decisions?”
A few hands go up. A few students silently nod.
“Good,” the instructor says. “Except you’re already wrong.”
A ripple of uneasy laughter moves through the room, but the instructor does not smile.
The First Challenge: Small Business, Small Decision, Big Consequences
“Let’s start with a small business example,” the instructor continues. “Family-owned. Thirty employees. Simple stuff.”
A student in the front row raises a hand. “So… cash handling? That’s the risk, right?”
“Sometimes,” the instructor replies. “But not today.”
The instructor describes a local services company that decided—purely for convenience—to let one senior employee manages all the billing, deposits, and customer adjustments. No fraud. No complaints. No missing money. So, no problem?
“But why would anyone do that?” another student asks.
“Because they were busy,” the instructor answers. “And because it worked.”
And for two years, it worked flawlessly. Then the business applied for financing. The audit revealed not theft, but absence: no segregation of duties, no review trail, no evidence that anyone other than one person ever looked at the numbers.
“So, what’s the problem if nothing went wrong?” a student asked from the back.
The instructor pauses.
“Because audit risk is not about what happened. It’s about what can happen without detection.”
The risk rating on that engagement did not creep upward. It spiked.
The Second Challenge: Growth That Outruns Governance
The instructor clicks to the next slide. No bullet points this time. Just one word:
Growth
“Mid-sized company,” she says. “Doubled revenue in eighteen months.”
A student leans forward. “That’s a success story.”
“It is,” the instructor agrees. “Until it isn’t.”
The company adopted a new ERP system mid-year. The training was informal with controls “to be finalized later.” Manual overrides became common during the transition.
A student interrupts. “But ERP systems reduce audit risk, don’t they?”
“On paper,” the instructor says. “In practice, they often delay it.”
By year-end, the audit team found inconsistent revenue recognition driven not by intent, but by different departments using the system differently. Each method was defensible, but together, they were chaotic.
“So, what sent the risk off the scale?” a student asks.
“The assumption that software fixes governance,” the instructor replies. “It doesn’t. It amplifies whatever discipline already exists.”
The Third Challenge: Large Company, Very Small Shortcut
The room quiets a bit as the instructor shifts tone.
“Now let’s talk about a large, publicly accountable organization.”
A student raises a hand. “Don’t they have an internal audit? Committees? Layers of controls?”
“Yes,” the instructor says. “And also, some habits.”
The example is deceptively simple: management decides to rely on spreadsheet-based adjustments outside the core financial system to speed up month-end close. The files are reviewed. Access is limited, and everyone knows who owns them.
“So that’s fine then,” a student says confidently.
“It was,” the instructor replies. “Until three years later.”
By then, the spreadsheets had multiplied. Key assumptions were rolled forward without revalidation. No one could explain why certain adjustments existed—only that they always had.
The audit issue was not accuracy. It was traceability.
“And that’s what escalated risk?” another student asks.
“No,” the instructor says. “What escalated risk was the realization that senior leadership no longer understood their own reporting machinery.”
The Moment of Realization
The instructor closes her laptop.
“Here’s what all of these examples have in common,” she said. “None of the decisions were reckless. None were illegal. All were reasonable in the moment.”
A student inquires quietly. “So when does routine become risky?”
The instructor does not answer immediately. She pauses for a moment thinking about her response.
“It becomes risky when a choice solves today’s problem by borrowing against tomorrow’s controls,” she finally says.
The room falls silent while the message sinks in.
The Lesson Most Businesses Learn Too Late
Audit risk rarely explodes because of a single dramatic failure. It goes off the scale because dozens of small, sensible decisions quietly align in the wrong direction—convenience over documentation, speed over structure, trust over verification.
The instructor gathers their notes.
“Your exam will test definitions,” they say. “Your careers will test judgment.”
As the students pack up, one lingers behind. He asks a question.
“So, what’s the warning sign we should actually watch for?”
The instructor smiles, just slightly.
“When no one can remember why something is done that way—but everyone insists it must stay that way.”
And then it stays that way until your audit risk becomes invisible—right up until it’s exposed. And that how routine business choices can send your audit risk ‘off the scale’.