Some folks think of auditors as insurance agents or soothsayers. Where one may see opportunities waiting in the wings, they are more likely to discern dangers lurking behind sharp corners. But this is where the similarity ends. Insurance agents transfer risk from the insured to the insurer in exchange for an annual premium. Soothsayers embrace risk, albeit with fatalistic fervor. Auditors, on the other hand, assist management in mitigating risk.
This chapter is about risks, but rather than focusing on the risks that controls can help us mitigate, as covered in Chapter 3: Objectives, we will cover control risks: the ways in which IT controls can fail to handle the very risks they have been designed to mitigate.