Inherent Risk and Residual Risk
Inherent risk is the level of risk assuming no internal controls, while residual risk is the level of risk after considering the impact of internal controls. For example, the risk of 'over/ understatement of revenue' without considering any internal controls indicates inherent risk. The above risk when considered with internal controls in place (say, monthly reconciliation of revenue and follow up, correction of discrepancies, etc.) indicate residual risk.
The objective of internal controls is to reduce the inherent risk and keep the residual risk within the organization's risk appetite. The gap between the inherent risk and residual risk shows the strength of the control and is known as the control score.
No comments:
Post a Comment