Plan to update this analysis annually so that it responds to changes in the business. Along the way you may even need to reconsider the bases used to assess the entity: if location was a logical base for the initial assessment, product line may be a more logical and cost-effective base in future years. Don't get stuck in a rut. COSO has included in the risk assessment component a new principle that management should update its risk assessments for changes in the business environment (Principle 9).
Consider Risks, Not Just Quantitative Measures
I mentioned risk several times in discussing what to include in and what to exclude from your documentation project. As you can see by now, I am skittish about excluding accounts and processes because they are judged to be low risk: once an item is outside the scope of your procedures, you may not discover until it is far too late that the item, account, or process is in fact not low risk. There are many examples of low-risk areas becoming major problems. Fraud tends to migrate to the weakest links in the chain of controls. As Walter Matthau noted in the movie The Fortune Cookie, “Every time you build a better mousetrap, the mice get smarter.”
No businessperson or auditor in their right mind starts out deliberately taking chances that a risky area will allow a material misstatement to occur that will cause the financial statements to be misstated. As skilled and as experienced as many managers and auditors are, the auditors of public entities, and the businesses they audit, have many painful reminders of the consequences of making bad judgments regarding risks. The reminders are in terms of income loss and reputation effects, and they stretch back over decades.
Nevertheless, risk judgments are made, and in order for audits and entity projects to be economical, they will continue to be. But very few financial statement elements are inherently and by their nature always low risk in all circumstances. Generalizing from experiences with other businesses or from other audit engagements gives a distorted view of risk, because the only risk that counts is the one specific to the entity and engagement right here and now. The presumably low risk assessment of the cash account did nothing to protect the shareholders and auditors of Parmalat, an Italian dairy company, from financial ruin when it was discovered that the auditors had been served a bogus confirmation of a Bank of America account of over $3 billion. This led to the discovery that a significant portion ($13 billion) of the reported entity was bogus, and had been growing for years.
Go ahead, name some low-risk areas. Auditors generally pick fixed assets as a low inherent risk area for many businesses. Well, that was not the way it worked out at WorldCom, where major reclassifications of expenses were charged to fixed assets, and doing so inflated reported income. In the previous decade the capitalization of garbage (literally) led to litigation and fines for the management and auditors of Waste Management. The poster child for audit skepticism and fixed assets risk was ZZZZ Best, a Wall Street darling start-up with interests in building restoration projects and all kinds of growth potential. In reality, the company was building files of fraudulent documents and misleading its auditors into thinking that it had interests in various buildings and fixed assets, when it did not.
Barings Bank and Orange County, CA, were stung some years ago when financial instrument and currency trading that had been profitable in the past went sour; what had been profitable ventures for the entities wound up creating huge losses and financial exposures that produced financial disaster, well beyond the mere loss of income from these operations. Care needs to be taken to understand what risks various types of transactions and activities can expose the entity to; do not just look at the revenue, assets, or income they produce in a “normal” year. Different thinking is required when derivative financial instruments are assessed.
It is hard to think of an inherently safe area in the financial statements and processes that does not deserve some level of consideration or scrutiny every once in a while. Consequently, it is helpful to rotate the emphasis and the areas in which management monitors and auditors audit. The nature, timing, and extent of monitoring and testing procedures should be varied such that the unpredictability of the oversight and the audit process helps ensure that those tempted to take risks and misstate or misappropriate realize that they are really taking a risk. All too often, management oversight and monitoring and the audit procedures applied become predictable and thus create an easy target for the fraudster.
Inherent and Control Risk
Following up further on the risk discussion, a point that is difficult to communicate is that companies and auditors find it hard to separate in their minds the underlying components of inherent risk and control risk (two distinct risks identified in the audit literature) when making risk assessments. This sometimes leads to risk assessments that are low because effective controls are assumed to be present; but unless the design and operation of those controls have been examined, the basis for the low-risk assessment may not be valid. For example, in common conversation, the cash account may be considered low risk, but why? Is it not a sensitive asset and a frequent target of fraudsters? The answer may lie partly in the fact that the account is usually reconciled to the bank statement (a control), and extensive controls are in place over expenditures and over depositing cash receipts. If the reconciliation and other controls were not being performed, or were improperly performed, would the low-risk assessment still be valid? Probably not. Therefore, one of the complexities in risk assessment is to identify the basis for the low-risk assessment and ensure that an otherwise high-risk area is not given a pass in the scoping because of reliance on the effectiveness of controls, when identifying such areas is the very purpose of the risk assessment in the first place. At the scoping stage, the most relevant focus for the risk assessment is the inherent risk of the account and transaction stream.
Overstatement and Understatement
The risks of overstatement and understatement regarding internal controls over financial reporting are commonly misunderstood. Many auditors working in public company environments easily recognize the risk of an overstatement of income. However, in a private entity, minimization of taxes might motivate owners to want to understate accounting income to the extent it impacts tax liabilities. The assertion of occurrence often associated with income overstatement sometimes needs to take a backseat to the assertion of completeness.
Let's say you base your scoping of procedures on the recorded amounts of sales at various locations. If the sales at the Binghamton, NY, location are being systematically skimmed, then that location will seem to be less important for both controls assessment and monitoring – just the opposite of what should happen at that location. This sort of internal theft can be difficult to detect, which illustrates a common limitation of monitoring (or auditing) based on reported numbers (analytical procedures) that might not be accurate: it is harder to detect errors in amounts that never enter the journals and accounts than it is to detect errors in amounts that are actually recorded. Suppose your entity is a church; do you have a record of how much loose cash is generally collected at a weekly service? Do you have statistics that relate the loose plate collections to the attendance? Is the amount recorded in the books what was put in the plate, or just the amount that was deposited in the bank account? How do you know? Is there opportunity for a disconnect to arise here?
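The scoping blind spot described above can be made concrete. The following is an added example, not from the book: a small Python script with constructed figures for four hypothetical locations, one of which (Binghamton) is being skimmed. Quantitative scoping by recorded sales drops the skimmed location, while a completeness check that compares each location's recorded sales with an independent activity driver (tickets sold, headcount, or, for the church case, attendance) flags it. The location names, amounts, volumes, the 80% coverage target and the 15% tolerance are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Location:
    name: str
    recorded_sales: float  # what actually reached the journals
    volume: int            # independent activity driver: tickets, headcount, attendance


# Constructed sample data (hypothetical). Binghamton is being skimmed: cash is
# diverted before it is recorded, so its journals understate its true activity.
LOCATIONS = [
    Location("Albany", 1_600_000, 64_000),
    Location("Syracuse", 1_300_000, 50_000),
    Location("Binghamton", 450_000, 28_000),
    Location("Utica", 250_000, 10_400),
]


def scope_by_recorded_amount(locations, coverage=0.80):
    """Quantitative scoping: take the largest locations by recorded sales until the
    selected set covers `coverage` of the recorded total. A skimmed location looks
    small in the books and therefore tends to drop out of scope."""
    total = sum(loc.recorded_sales for loc in locations)
    selected, covered = [], 0.0
    for loc in sorted(locations, key=lambda l: l.recorded_sales, reverse=True):
        if covered / total >= coverage:
            break
        selected.append(loc.name)
        covered += loc.recorded_sales
    return selected


def completeness_exceptions(locations, tolerance=0.15):
    """Analytical check aimed at the completeness assertion: each location's recorded
    sales are compared with what its activity volume implies at the population's
    median sales-per-unit rate. Returns {name: shortfall fraction} for locations
    recording materially less than expected. The median is used so that a minority
    of skimmed locations does not drag the benchmark down with them."""
    rates = [loc.recorded_sales / loc.volume for loc in locations]
    benchmark_rate = median(rates)
    exceptions = {}
    for loc in locations:
        expected = loc.volume * benchmark_rate
        shortfall = (expected - loc.recorded_sales) / expected
        if shortfall > tolerance:
            exceptions[loc.name] = round(shortfall, 3)
    return exceptions


def scope_with_completeness(locations, coverage=0.80, tolerance=0.15):
    """Combined scope: the amount-based selection plus any location whose recorded
    figures are suspiciously low for its volume."""
    names = set(scope_by_recorded_amount(locations, coverage))
    names.update(completeness_exceptions(locations, tolerance))
    return sorted(names)


if __name__ == "__main__":
    print("Amount-based scope:     ", scope_by_recorded_amount(LOCATIONS))
    print("Completeness exceptions:", completeness_exceptions(LOCATIONS))
    print("Combined scope:         ", scope_with_completeness(LOCATIONS))
```

With these figures the amount-based scope keeps only Albany and Syracuse; Binghamton records roughly a third less than its volume implies and is picked up only by the completeness check. Two caveats follow from the book's point: the benchmark must come from outside the books being tested (attendance counts, ticket logs, prior-period or external rates), and a population-derived benchmark such as the median is only meaningful when the locations are genuinely comparable and most of them are honest.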
A product line or location may appear to be poorly performing because someone has figured out a scheme to skim revenues from the organization. Restaurant license revenues of a municipality may be less than they should be because poor controls over the identification of licensed restaurants are keeping all restaurants from being properly identified in the database. For example, a standing database of licensed facilities should be updated when new licenses are issued or when businesses close, but in some organizations the two files are not related or reconciled. Unfortunately, businesses, governments, and auditors do not have a sterling track record of identifying all these businesses and financial reporting risks up front.
The lack of a consistent, reliable method for making such assessments may be part of the