Читать книгу Internal Control Audit and Compliance - Graham Lynford - Страница 22

Following up on the risk discussion further, a concept that is difficult to communicate is that companies and auditors find it difficult to separate in their minds the underlying components of inherent risk and control risk (two distinctive risks identified in the audit literature) when making risk assessments. This sometimes leads to risk assessments that are low because of the assumed presence of effective controls, but without examining the design and operation of those controls, the basis of the low-risk assessment may not be valid. For example, in common conversation, the cash account may be considered low risk, but why? Is it not a sensitive asset and a frequent target of fraudsters? The answer may lie partly in the fact that the account is usually reconciled to the bank statement (a control), and extensive controls are in place over expenditures and over depositing cash receipts. If the reconciliation and other controls were not being performed or were improperly performed, would the low-risk assessment still be valid? Probably not. Therefore, one of the complexities in risk assessment is to identify the basis for the low-risk assessment and ensure that an otherwise high-risk area is not being given a pass in the scoping because of reliance on controls effectiveness, the very purpose of identifying the risks in the first place. At the scoping stage, the most relevant focus for the risk assessment is the inherent risk of the account and transactions stream.