In this short blog posting, we have shared a risk management white paper on Key Risk Indicators and when an auditor should act given a specific KRI position.
From time to time, customers reach out to us with Q&A requirements for a specific problem they are facing. While we always oblige, sometimes we also share our response more broadly with the risk management and audit community at large. Today is one of those days.
I hope my email finds you well. We have a debate with our internal audit team about the risk rating for a specific audit observation. Can they raise the rating by time, based on its ageing period?
I mean, if we don't take action on a finding rated as low risk, can they raise its rating in the next audit assignment if they find that the same observation occurs?
Knowing when to act is an important aspect of a strong audit framework. Actually, I would go further and say that auditors should know:
» What indicators they should be monitoring and why
» When KRI signal data warrants a response
» The proportionate response required given an indicator(s) position
Given all of this, should auditors be raising a risk rating because of time and time alone, that is, because an indicator has become stale over time and consequently suspicious?
That all depends on whether a change in an indicator, or its staying as it is, is potentially significant to the business unit in question. I don't believe there is a direct answer to this question, except to say that auditors themselves must know when a specific observation is significant and what should be required; this is what seems to be lacking in this case.
Key Risk indicator White Paper | Causal Capital [LINK]
So with all of this in mind, we have written a small white paper [LINK] that lays out what needs to be in place for a comprehensive Key Risk Indicator Audit Alert System.