A risk, in the broadest sense, is anything that may prevent an organization from meeting its goals and objectives. Here, however, we limit the focus to those elements that deal with fraud and its perpetration, prevention and detection. Often, discussions of risk relate to disaster recovery and business continuity planning.

Categories of Risk

Auditors generally recognize three categories of risk: inherent risk, control risk, and detection risk. What auditors refer to as "audit risk" or "residual risk" is a function of the relationship among these categories. In a broad sense, these terms can relate to errors as well as fraud. When dealing with fraud, these categories may apply to the entire array of fraud that may be perpetrated against an entity, including the risks involving a material misstatement of an entity’s financial statements. In the governmental environment, however, the illicit gains of a perpetrator are typically not the product of financial statement fraud. The rare occurances of financial statement fraud in government tend to be but a method of hiding a fraudulent activity such as asset misappropriation.

Inherent Risk

As implied by its name, inherent risk is directly related to the nature of the underlying process, asset or organization to which the risk applies. A process or organizational structure that is very complex, inherently exhibits a higher exposure to risk of misrepresentation or misappropriation than a simple organization. Certain assets, such as cash, are more susceptible to inherent risk than others, like bricks. An increased inherent risk may also arise from the external environment in which an organization operates: a bank is more likely to be robbed than an airport magazine vendor.

In most cases, organizations may have little or no influence over inherent risks.

Control Risk

Control risk is related to the effectiveness of an organization’s internal control structure and the policies and procedures that support that structure. An effective internal control structure reduces control risk; an ineffective internal control structure increases control risk.

Control risk is, to a great extent, the product of an organization’s management and its internal environment, which, in turn, may be influenced by history, goals and ethical standards.

Detection Risk

If and when an error or fraud occurs, detection risk is the measure of how likely and how quickly the event can and will be uncovered. Detection risk is affected by both the internal and the external conditions. Relatively small violations may not readily yield themselves to discovery. Inadequate review of results or reports increases detection risk as does the lack of oversight or regulation. Detection risk may also be increased by the lack of expertise, experience or relevant training of management, staff or auditors.

Tools/Best Practices