Are We Measuring Risk Without a Yardstick?
IT Audit Leader
For the past 30 years the audit profession has evolved its risk consciousness, and all professionals embed some type of risk assessment into their periodic audit cycles. These audit risk models tend to apply broad labels such as high, medium, and low risk to various classifications of assets, resources, or programs. Some models attempt to be data-driven by building up from very granular entity information while others are based on qualitative, long-term views of inherent risk.
Internal auditors have been seriously missing the mark in these efforts because few of us treat these tools as actual models that attempt to predict a given outcome. Do we back-test the risk model each year against audit results, financial performance, or any other yardstick?
Credit models such as consumer credit reports became useful through continuous improvement against the yardstick of loan losses. The Dow Jones Industrial Average is a simple model of economic health. But what does an audit risk model measure?
What is the yardstick to judge how well our audit risk model is predicting? One of my colleagues had a meeting last year with auditors from other large firms, and they found they couldn’t even agree on the definition of risk. This subject reminds me of a recent 60 Minutes television segment about the lack of true scientific evidence behind most forensic science.
I’m interested in a conversation as to what evidence we have that these risk models are working and how we can evolve into more evidence-based models.
Posted on Jul 10, 2012 by Tim