KPIs for Fraud Prevention and Detection
Auditors and accountants rely on analytics in monitoring functions, risk assessments and substantive procedures in the audit function and in operational support. Key performance indicators (KPIs) are measures of the components that drive a business’ value. As such, when considering financial-reporting risk, they identify areas that may be subject to manipulation as management is under pressure to meet performance expectations. Accordingly, obtaining an understanding of the KPIs relevant to a business is an integral part of the annual audit and the ongoing risk management function.
Standardizing KPI Presentation
KPIs and other financial measures not calculated through generally accepted accounting principles (non-GAAP measures) are often relied upon by investors and stakeholders to analyze company performance through the lens of management. The inclusion and presentation of these metrics are subject to management discretion; they can typically be found in the Management Discussion and Analysis (MD&A) section of the financial statements. While the MD&A section is not audited, it is typically reviewed by auditors to ensure there are no inconsistencies with or contradictions of the information contained in the audited financial statements. It is management’s responsibility to consider the materiality of the inclusion or exclusion of the metric to financial statement users.
Issues arise due to a lack of standardization in the presentation of KPIs. For example, if two companies present KPIs with the same or similar titles that are derived from different calculations, it may not be appropriate to compare the two measures. In response to this concern, the Securities and Exchange Commission (SEC) released guidance in 2020 that provides a framework for disclosures that should accompany these metrics. The guidance calls for a clear definition of the metric and how it is calculated, a statement indicating the reasons why the metric provides useful information to investors, and a statement indicating how management uses the metric in managing or monitoring the performance of the business.
Pressure, as an element of the fraud triangle, arises from internal and external sources and, for publicly traded companies, is often linked to company performance. Management and employee compensation are often tied to KPIs. Similarly, credit rating agencies and analysts rely on certain financial indicators when evaluating companies. Pressure arises from management’s impetus to produce favorable results.
The Public Company Accounting Oversight Board (PCAOB) AS 2110 requires auditors to identify and assess the risk of material misstatement in the financials by obtaining an understanding of the company and its environment. This risk assessment helps the auditor design appropriate risk responses within the audit plan. During this process, AS 2110 mandates that auditors develop an understanding of the company’s strategies and business objectives, including the measures used by external parties or for reporting purposes.
The Accounting Standards Board (ASB) AU-C 315 also calls for auditors to understand the entity and its environment when identifying and assessing the risk of material misstatement in the financials. Specifically, AU-C 315 calls for consideration of key financial ratios and performance indicators, employee performance measures and incentive compensation policies. Auditors should practice professional skepticism when considering areas within the financial statements where they may reasonably expect material misstatement.
Auditors must also understand the internal controls in place to protect the component areas comprising the relevant KPIs. Inquiries of management or the audit committee will shed light on the entity’s approach to risk management, including the design and implementation of internal controls. Where inherent risk and control risk are assessed as high, meaning there is a high probability that internal controls would fail to detect material misstatement from error or fraud, detection risk should be set low to bring overall audit risk down to an acceptable level.
An understanding of relevant KPIs can be developed through discussions with management and by understanding the entity and the industry. KPIs tend to measure components of a business that drive value, which requires a personalized approach in the development of the audit plan.
While not all KPIs are equally important for all companies, certain KPIs, such as return on assets or return on equity, are common and may be considered for most audit clients. It is important to remember that business entities are dynamic. KPIs of interest to an organization, its management and its stakeholders are subject to change. Accountants and auditors must evaluate these changes each year to ensure audit efforts are allocated appropriately.
This article appeared in the Summer 2022 issue of New Jersey CPA magazine.