Internal Control Audit and Compliance. Graham Lynford
Inherent and Control Risk
Following up on the risk discussion, one concept that is difficult to communicate is that companies and auditors often struggle to separate in their minds the underlying components of inherent risk and control risk (two distinct risks identified in the audit literature) when making risk assessments. This sometimes leads to risk assessments that are low because of the assumed presence of effective controls; but unless the design and operation of those controls have been examined, the basis of the low-risk assessment may not be valid. For example, in common conversation, the cash account may be considered low risk, but why? Is it not a sensitive asset and a frequent target of fraudsters? The answer may lie partly in the fact that the account is usually reconciled to the bank statement (a control), and extensive controls are in place over expenditures and over depositing cash receipts. If the reconciliation and other controls were not being performed or were improperly performed, would the low-risk assessment still be valid? Probably not. Therefore, one of the complexities in risk assessment is to identify the basis for the low-risk assessment and ensure that an otherwise high-risk area is not being given a pass in the scoping because of reliance on the effectiveness of controls, which would defeat the very purpose of identifying the risks in the first place. At the scoping stage, the most relevant focus for the risk assessment is the inherent risk of the account and transactions stream.
Overstatement and Understatement
The risks of overstatement and understatement regarding internal controls over financial reporting are commonly misunderstood. Many auditors working in public company environments easily recognize the risk of an overstatement of income. However, in a private entity, minimization of taxes might motivate owners to want to understate accounting income to the extent it impacts tax liabilities. The assertion of occurrence often associated with income overstatement sometimes needs to take a backseat to the assertion of completeness.
Let's say you base your scoping of procedures on the recorded amounts of sales at various locations. If the sales at the Binghamton, NY, location are being systematically skimmed, then that location will seem to be less important for both controls assessment and monitoring – just the opposite of what should happen at that location. This sort of internal theft can be difficult to detect, which points out a common limitation of monitoring (or auditing) based on reported numbers (analytical procedures) that might not be accurate: It is harder to detect errors in amounts that never enter the journals and accounts than it is to detect errors in amounts that are actually recorded. Suppose your entity is a church; do you have a record of how much loose cash is generally collected at a weekly service? Do you have statistics that relate the loose plate collections to the attendance? Is the amount recorded in the books what was put in the plate, or just the amount that was deposited in the bank account? How do you know? Is there opportunity for a disconnect to arise here?
A product line or location may appear to be poorly performing because someone has figured out a scheme to skim revenues from the organization. Restaurant license revenues of a municipality may be less than they should be because poor controls over the identification of licensed restaurants are keeping all restaurants from being properly identified in the database. For example, a standing database of licensed facilities should be updated when new licenses are issued or when businesses close, but in some organizations the two files are not related or reconciled. Unfortunately, businesses, governments, and auditors do not have a sterling track record of identifying all these businesses and financial reporting risks up front.
The lack of a consistent, reliable method for making such assessments may be part of the problem. In my view, when entities scope out locations, accounts, and business processes up front, before a careful analysis and some evidence that the area is truly low risk, they are just asking for trouble. To do the job right, I suggest first obtaining some evidence that all is well and that all the exposures have been considered, before concluding that the process is indeed low risk.
Additional Scoping Considerations
As you right-size the scope of your project, you will need to make sure you have considered the factors that contribute to the overall breadth and depth of the project. Those matters may be affected by one or more of these issues:
• Operations in multiple locations
• Internal controls that reside with third parties, such as service organizations (SOs)
• Recent internal audit and consulting projects
• Work performed by others
• Other technical scoping issues
Multiple Locations
Your evaluation of internal control should initially consider all the company's locations or business units. This does not mean that management is required to replicate its evaluation process at each location. Rather, you should make risk-based judgments about which locations should be scoped into the analysis and the nature, timing, and extent of procedures to be applied. To help you make those judgments, you may want to consider three types of risks:
1. Risks subject to centralized controls. Some companies may manage multiple locations or business units by using standard control procedures, the same software, and centralized controls. For example, consider the ABC Co., which owns and operates shopping malls. The company has developed its own information technology system, which stores and manages tenant leases and performs the basic accounting functions. The centralized processing and controls may adequately address many of the risks associated with ABC's financial reporting. In that case, it may be sufficient for management to consider the shared controls and processes as one system, barring reasons that might contribute to differences (e.g., differences in staffing quality or a local culture of questionable ethics).
2. Specific risks at individual locations or business units. In some cases, a risk may be related only to an individual location or business and therefore may not be adequately addressed by the common controls. For example, suppose that ABC acquired a very significant new mall during the year, and as of year-end it had not yet transitioned the new mall over to its central processing system. Or suppose that one of the malls was in a location that had a unique operating environment (e.g., the management and systems and policies were markedly different from other parts of the country).
In those situations, management will want to consider the controls related to those location- or business unit–specific risks.
3. Low-risk locations or business units. Some of the controls that operate at an individual location or business unit may be related to risks that are relatively low, based on experience and prior testing. In addition, the relative size of some locations in terms of assets, liabilities, and contribution of profit may be very small, and the locations pose no specific risks of the kind sometimes identified when they are engaged in specific risk activities, such as currency trading or investing in derivative financial instruments. In those situations, management may determine that evidence about the operation of those controls gained through self-assessment and ongoing monitoring activities, when combined with the evidence derived from centralized controls, may be sufficient. However, recall the warning raised earlier regarding understated balances providing a false comfort about the insignificance of the account, balance, or location.
When making risk-based judgments about multiple locations or business units, keep in mind that the three types of risks and controls