Management tends to focus on residual risk instead of inherent risk. Why do you think this is so? Why should internal auditors consider both inherent risk and residual risk when planning an assurance engagement?
Theoretically, inherent risk is the level of risk to the organization in the absence of any control mechanism or security check. If there are no controls at all, for example no security check at the entrance and no password protection for confidential files, the risk of loss and damage, i.e. inherent risk, will naturally be high. However, management does keep in place reasonable security measures to prevent risks that are avoidable, for example three-layer authentication for confidential files, fingerprint sensors in vaults, cameras in place, backups of important files, etc. Even after taking such measures, there still remains a level of risk whose probability of occurrence is naturally low but not zero. This is called residual risk; for example, an expert hacker hacking the complex password-protected system.
Management tends to focus more on residual risk, as they have the reasonable protection measures in place and try to minimize the probability of residual risk.
However, internal auditors should consider both residual and inherent risk while planning an assurance engagement. When inherent risk is high, say for classified documents of a government organization, an employee database, or medical health records of an insurance company, it calls for a low level of acceptance of residual risk, thus helping in framing the level of assurance practices to be followed. However, when inherent risk is low, say for data available to the public, the appropriate assurance level would be to just check the authenticity of the data available rather than its confidentiality.