Auditor–Management Responsibility Boundary (AMURB-v1)
Minimal, decisive test for responsibility clarity when a known risk is not disclosed during an audit cycle
Status: Pre-registered · Boundary test · Publication-grade
Purpose
This protocol tests whether responsibility for risk disclosure remains clear and enforceable at the auditor–management interface when a material risk is known internally but not disclosed during an audit cycle.
The test is designed to surface the earliest point at which responsibility becomes ambiguous—whether due to materiality judgment, reporting norms, contractual language, or informal practice.
1. Scenario Definition
Management becomes aware of a material operational, financial, legal, or compliance risk.
The risk is not disclosed to auditors during the relevant audit cycle, or is only revealed later through external discovery, internal escalation, or regulatory inquiry.
2. Explicit Parties
- Management (risk owners, executives)
- Audit team (internal or external)
- Board of directors and/or audit committee
- External stakeholders or regulators (if triggered)
3. Plausible Dispute Points
- Who determines whether a risk is “material”
- Whether management must disclose risks not explicitly requested
- Whether auditors should have detected the risk independently
- Whether the board or audit committee was adequately informed
- Timing of disclosure versus audit scope and responsibility
4. Protocol
For each real, anonymized, or simulated incident:
- Timeline: Record when the risk was identified, discussed internally, documented, disclosed (or not), and later surfaced.
- Documentation: Collect risk memos, emails, internal meeting notes, audit requests, and post-discovery remediation actions.
- Responsibility Statements: Capture explicit claims of responsibility, exemption, or obligation at each disclosure or non-disclosure point.
5. Pass / Fail — Boundary Closure Logic
Boundary Closed (Pass): A documented, pre-established protocol requires disclosure of such risks. Management followed the protocol or there is an explicit, uncontested breach with clear consequences.
Boundary Disputed (Fail): Responsibility is unclear or contested—management cites non-materiality or lack of request; auditors cite incomplete disclosure; board cites reporting gaps; regulators identify incomplete or misleading audit outcomes.
6. Minimal Output
| Step / Decision | Claimed Responsible Party | Evidence / Documentation | Disputed? |
|---|---|---|---|
| Risk Identified | Management | Risk memo, email | |
| Internal Review | Management / Compliance | Meeting record | |
| Audit Notification | Management / Auditors | Audit log, correspondence | |
| Disclosure to Board | Management / Audit Committee | Board minutes | |
| Remediation / Action | Management / Compliance | Action plan, record |
7. Reporting Statement
“Responsibility for disclosure of [risk] was / was not clearly assignable at all steps. Dispute arose at [boundary]. Protocol improvement is required at [gap].”
8. Implications
If Closed: Clear disclosure protocol, audit trail, and enforcement exist. Publish as a best-practice reference.
If Disputed: Publish the point of ambiguity to drive refinement of disclosure obligations, audit scope language, escalation requirements, or embedded acknowledgment mechanisms.
This document defines a minimal, publication-grade boundary test. No optimization claims, investment implications, or policy mandates are inferred.