AUDIT ANALYTICS AUDIT

More documents

Recommendations

Info

ESSAY 6: MANAGING RISK AND THE AUDIT PROCESS potential risks. For example, in the airline industry, a possible black swan might be the sudden and prolonged unavailability of jet fuel arising from shipment sabotage and hijacking as well as ongoing civil unrest. Obviously, this set of circumstances could have devastating ramifications and, therefore, should be contemplated to the extent feasible. For each risk identified, a key risk indicator (KRI) or a set of KRIs is constructed along with an associated benchmark or collection of benchmarks so that effective monitoring of the risk profile can be performed in a systematic and continuous manner. As KRI measures (or combinations of them) are found to be indicative of emerging problems, vulnerable business process areas and associated accounts and transactions are identified, the audit plan is updated, and a revised set of audit procedures and tests is compiled for execution. In addition, the process facilitates revisions to enterprise risk management procedures. To complete the CRMA framework, a method for maintaining the set of KRIs is developed whereby new measures are added, existing metrics are refined, and stale KRIs are deleted as risk profile modifications dictate. Specific considerations in implementing and using CRMA are explored in the next section. CRMA—MORE DETAILED CONSIDERATIONS Initial construction of the risk profile will be a prerequisite to creation of a functional CRMA program. In seeking preliminary guidance and direction, one might initially consult with the Committee of Sponsoring Organizations (COSO) 2013 Internal Control Integrated Framework. For an established entity, it will also be beneficial to refer to existing documentation, such as the most recently formulated risk assessment, risk profile information, or organizational quarterly and annual reports, and subsequently revise the risk profile as warranted. In achieving this, the CEB Risk Management Leadership Council (2013) recommends working closely with all identified risk owners and subject matter experts. The finalized risk profile will become instrumental in developing a comprehensive set of KRIs for use in monitoring and assessment routines. Risk Identification and Analysis Scandizzo (2005) outlines a system for managing operational risk and indicates that mapping is a critical component of the risk identification and management process. Generally speaking, mapping involves decomposing and examining a given business process by activity to identify all pertinent risk drivers (that is, people, processes, systems, and external dependencies) and associated risk factors. A useful question to 133
AUDIT ANALYTICS AND CONTINUOUS AUDIT:LOOKING TOWARD THE FUTURE ask of each activity during this phase is "What can go wrong?" because this will enhance discovery of relevant task characteristics such as how an activity can fail, how much risk exists, and the probability of occurrence and impact of potential risk exposure. Once all risks are identified and a profile is constructed, efforts gravitate toward the formulation and implementation of a meaningful set of KRIs able to productively monitor the risk environment. KRI Development and Implementation Key risk indicators are "metrics used by an organization to provide an early signal of increasing risk exposures in various areas of the enterprise" (CEB 2013). Each KRI should be a root cause identifier or a leading indicator of risk, such that a proactive response can be made in addressing detected problems. However, achieving this in practice is a non-trivial task. In a recent ERM function survey, 56 percent of respondents indicated the greatest difficulty in KRI development is establishing metrics that are leading indicators of risk (CEB 2013). Therefore, serious attention must be devoted to KRI construction. For example, if the inability to settle current liabilities is an identified risk, several potential KRIs might be envisioned, but many would be suboptimal. The current ratio might initially be suggested as a potential KRI in this situation, but at the point when this measure is indicative of a problem, it could be too late to prevent occurrence of the underlying risk event. Conversely, customer financial health trend information is a leading and more suitable KRI. In this case, if significant financial deterioration in the customer base is detected, then more effective corrective measures could be enacted to avoid having insufficient liquidity in clearing current liabilities as they mature. Moon (2014a) argues each KRI must possess two fundamental characteristics. First, it has to be measurable, but need not be purely objective. A KRI can be relatively subjective provided it is independently quantifiable and verifiable (Scandizzo 2005). For instance, information arising via text mining and sentiment analysis of news feeds and other electronic media could be synthesized in generating an effective KRI. In an application of this approach, relevant textual information is regularly analyzed, and variables such as information source quality, frequency and timing of news, and severity level of content are all determined and aggregated in computing an entity’s reputation risk score (RepRisk 2014). On the other hand, for the identified risk of manipulative earnings management, one might view tone-at-the-top as a potential KRI. The underlying rationale might be that this variable is highly correlated with organizational culture as well as the propensity for unethical behavior. However, evaluating tone-at-the-top would prove extremely challenging from the standpoint of measurability, and if the proposed KRI is not 134
Page 1 and 2:
AUDIT ANALYTICS and CONTINUOUS AUDI
Page 3 and 4:
Notice to Readers Audit Analytics a
Page 6 and 7:
TABLE OF CONTENTS Preface Acknowled
Page 8 and 9:
CONTENTS 3 Evolution of Auditing: F
Page 10:
CONTENTS B Page Implementing Contin
Page 13 and 14:
AUDIT ANALYTICS AND CONTINUOUS AUDI
Page 16 and 17:
AUTHOR BIOGRAPHIES Abdullah Alawadh
Page 18 and 19:
AUTHOR BIOGRAPHIES He is a passiona
Page 20 and 21:
AUTHOR BIOGRAPHIES AICPA Assurance
Page 22 and 23:
AUTHOR BIOGRAPHIES management. Prio
Page 24 and 25:
AUTHOR BIOGRAPHIES Trevor R. Stewar
Page 26:
PART I Essays 1
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108: AUDIT ANALYTICS AND CONTINUOUS AUDI
Page 112 and 113: ESSAY 4 Reimagining Auditing in a W
Page 114 and 115: ESSAY 4: REIMAGINING AUDITING IN A
Page 128: ESSAY 4: REIMAGINING AUDITING IN A
Page 157: AUDIT ANALYTICS AND CONTINUOUS AUDI
Page 170: PART II Case Studies 145
Page 182 and 183: CASE STUDY B Implementing Continuou
Page 184 and 185: CASE STUDY B: IMPLEMENTING CONTINUO
Page 192: CASE STUDY B: IMPLEMENTING CONTINUO
Page 200 and 201: CASE STUDY D Implementing Continuou
Page 202 and 203: CASE STUDY D: IMPLEMENTING CONTINUO
Page 208 and 209:
CASE STUDY D: IMPLEMENTING CONTINUO
Page 210:
AICPA Assurance Services Executive
show all

AUDIT ANALYTICS AUDIT

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?