AUDIT ANALYTICS AUDIT
ESSAY 6: MANAGING RISK AND THE AUDIT PROCESS

objectively quantifiable and verifiable, it would be an unsatisfactory indicator.

Second, a KRI must be relevant, meaning that changes in the measure must result in corresponding alterations in the probability of target risk event emergence. For instance, employee turnover rate might be considered as a proxy for risk of having material errors in the financial statements. While this seems a reasonable assumption, if the measure is not found to be highly predictive of the risk event, then it would not be a useful KRI in this context.

Beyond being measurable and relevant, KRIs should also be non-redundant, easy to monitor, and auditable (Scandizzo 2005). To meet the first of these criteria, if two or more KRIs are highly correlated, then only one of the metrics is needed. Presumably, the retained KRI would be that which provides the greatest benefit in terms of risk monitoring and assessment quality. In fulfilling the second criterion, each KRI should be relatively easy and cost-effective to measure and report. To meet the final requirement, complete documentation of all indicators and corresponding data sources used for measurement should be consistently maintained. Table 6-1 provides some theoretical KRIs and associated applications so as to facilitate initial thinking about risk measure development.

Table 6-1: Subset of Potential Key Risk Indicators

Key Risk Indicator                                        To monitor risk of problems relative to:
--------------------------------------------------------  ----------------------------------------------------------
Segregation of duty violations                            Internal control failures and misappropriation of assets
Percent of uncollected sales                              Estimation quality and manipulative earnings management
Customer financial health                                 Cash flows, collections, and debt covenants
Customer complaints                                       Sales and customer base; product, labor, and process quality
Accounting employee turnover                              Error, fraud, and earnings management
Password reset requests                                   Control failure, fraud, data integrity or loss
Ratio of book value to fair value for depreciable assets  Estimation quality, errors, and manipulative earnings management
Customer attrition                                        Revenues and debt obligations
Research and development spending                         Innovation, vision, organizational health, and management
Tone of media coverage                                    Corporate governance; management policies and practices
Phishing incidents                                        Controls, external fraud, and data compromise
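
The relevance and non-redundancy criteria above can be screened mechanically. The following is an added example, not part of the original essay: it assumes Pearson correlation with a risk-event series as the measure of relevance, and the thresholds, function names and monthly figures are all constructed for illustration.

```python
from math import sqrt

def pearson(x, y):
    """Pearson correlation of two equal-length series (0.0 if either is constant)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / sqrt(sxx * syy) if sxx and syy else 0.0

def select_kris(series, events, min_relevance=0.5, max_redundancy=0.9):
    """Return (kept names, {dropped name: reason}). Thresholds are assumptions."""
    relevance = {k: abs(pearson(v, events)) for k, v in series.items()}
    kept, dropped = [], {}
    # Most relevant first, so the survivor of a correlated pair is the better predictor.
    for name in sorted(series, key=relevance.get, reverse=True):
        if relevance[name] < min_relevance:
            dropped[name] = "not relevant"
            continue
        twin = next((k for k in kept
                     if abs(pearson(series[name], series[k])) > max_redundancy), None)
        if twin is not None:
            dropped[name] = "redundant with " + twin
        else:
            kept.append(name)
    return kept, dropped

# Constructed sample data: eight monthly observations per indicator.
EVENTS = [0, 1, 0, 2, 1, 3, 2, 4]  # constructed count of target risk events
KRIS = {
    "Phishing incidents":             [2, 4, 3, 7, 5, 9, 8, 12],
    "Password reset requests":        [20, 45, 25, 70, 60, 85, 90, 115],
    "Segregation of duty violations": [1, 0, 0, 3, 0, 2, 4, 3],
    "Accounting employee turnover":   [3, 1, 4, 1, 5, 2, 2, 3],
}

if __name__ == "__main__":
    kept, dropped = select_kris(KRIS, EVENTS)
    print("kept:", kept)
    for name, reason in dropped.items():
        print("dropped:", name, "-", reason)
```

On this constructed data, password reset requests track phishing incidents so closely that only the more predictive of the two is retained, and accounting employee turnover is dropped for failing the relevance test.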