Read the book Internal Control Audit and Compliance - Graham Lynford - Page 21

Chapter 2
Setting the Scope of Your Documentation Project
Identifying the Core
Consider Risks, Not Just Quantitative Measures


I mentioned risk several times in conjunction with what to include in and what to exclude from your documentation project. As you can see by now, I am skittish about excluding accounts and processes because they are judged to be low risk, since if you exclude an item from the scope of your procedures, you may not identify until it is way too late that the item, account, or process is in fact not low risk. There are lots of examples of low-risk areas becoming major problems. Fraud has a tendency to migrate to the weakest links in the chain of controls. As Walter Matthau noted in the movie The Fortune Cookie, “Every time you build a better mousetrap, the mice get smarter.”

No businessperson or auditor in their right mind starts out deliberately taking chances that a risky area will allow a material misstatement to occur that will cause the financial statements to be misstated. As skilled and as experienced as many managers and auditors are, the auditors of public entities, and the businesses they audit, have many painful reminders of the consequences of making bad judgments regarding risks. The reminders are in terms of income loss and reputation effects, and they stretch back over decades.

Nevertheless, risk judgments are made, and in order for audits and entity projects to be economical, they will continue to be. But very few financial statement elements are inherently and by their nature always low risk in all circumstances. Generalizing from experiences with other businesses or from other audit engagements gives a distorted view of risk, because the only risk that counts is the one specific to the entity and engagement right here and now. The probable low assessment of risk in the cash account did nothing to protect the shareholders and auditors of Parmalat, an Italian dairy company, from financial ruin when it was discovered that the auditors were served a bogus confirmation of a Bank of America account of over $3 billion. This led to the discovery that a significant portion ($13 billion) of the reported entity was bogus, and had been growing for years.

Go ahead, name some low-risk areas. Auditors generally pick fixed assets as a low inherent risk area for many businesses. Well, that was not the way it worked out at WorldCom, where major reclassifications of expenses were charged to fixed assets and doing so inflated reported income. In the previous decade the capitalization of garbage (literally) led to litigation and fines for the management and auditors of Waste Management. The poster child for audit skepticism and fixed assets risk was ZZZBest, a Wall Street darling start-up with interests in building restoration projects and all kinds of growth potential. In reality, the company was building files of fraudulent documents and misleading its auditors into thinking that it had interests in various buildings and fixed assets, when it did not.

Barings Bank and Orange County, CA, were stung some years ago when financial instruments and currency trading that in the past had been profitable went sour and what had been profitable ventures for the entities wound up creating huge losses and financial exposures that generated financial disaster, well beyond just the loss of income from these operations. Care needs to be taken to understand what risks various types of transactions and activities can expose the entity to; do not just look at the measure of revenue, asset, or income measurement in a “normal” year. Different thinking is required when derivative financial instruments are assessed.

It is hard to think of an inherently safe area in the financial statements and processes that does not deserve some level of consideration or scrutiny every once in a while. Consequently, it is helpful to rotate the emphasis and the areas in which management monitors and auditors audit. The nature, timing, and extent of monitoring and testing procedures should be varied such that the unpredictability of the oversight and the audit process helps ensure that those tempted to take risks and misstate or misappropriate realize that they are really taking a risk. All too often, management oversight and monitoring and the audit procedures applied become predictable and thus create an easy target for the fraudster.
