In risk-based auditing, data-driven analyses are often used to automatically detect process deficiencies. This introduces a challenge: the number of deficiencies is too large to inspect manually. Current approaches addressing this challenge neglect integrating the risk dimension or rely on auditors to manually integrate it. This study aims to increase the effectiveness of such data-driven analysis approaches by including the risk dimension when presenting process deficiencies for further inspection. We investigate how the deficiency type and the affected control activity are associated with perceived risk. We run a discrete choice experiment with 58 auditors interpreting deficiencies that occur in a procure-to-pay or an order-to-cash process and find that (1) deficiencies of type “missing” or deficiencies related to asset-decrementing activities are perceived as the riskiest, (2) the control activity contributes 75 percent of the risk perception, and (3) external and internal auditors share a similar risk perception.

This content is only available via PDF.