A Proposed Conceptual Framework for Assurance
James E. Rebele
Rauch Business Center
621 Taylor Street
Lehigh University
Bethlehem, PA 18015
(610) 758-3682
A Proposed Conceptual Framework for Assurance
Abstract
Financial-statement auditors are facing widespread criticism as a consequence of Enron’s recent collapse and prior documented frauds involving companies such as Waste Management and Cendant. The profession must respond to this crisis of confidence, not only to restore credibility in the audit function, but to also maintain the credibility of financial reporting and U. S. capital markets. Recent responses to this crisis of confidence in auditing have included strengthening independence standards, plans to enhance the audit risk model, and moves by several firms to separate their audit and consulting practices.
Except for work on the audit risk model, the profession’s response has, so far, not included any discussion of how a theory or conceptual framework for auditing might improve audit effectiveness. This paper proposes a conceptual framework for assurance that includes basic concepts of criteria, materiality, risk, control, evidence, professional skepticism, objectivity, and independence. Each concept is explained and relationships among concepts are identified. The paper also discusses how a conceptual framework could benefit audit standard setting and practice, research, and education.
A PROPOSED CONCEPTUAL FRAMEWORK FOR ASSURANCE
Financial-statement auditors are under siege from regulators, investors, and the Federal government. Enron's recent collapse, past financial reporting frauds at companies such as Waste Management, Sunbeam, and Cendant, as well as widespread earnings management have all damaged auditors' credibility. Past actions taken by the profession have apparently been ineffective or inadequate in responding to criticism of auditors' performance. New approaches are therefore needed to improve auditors' effectiveness in detecting material financial-statement misstatements and to regain credibility lost due to recent financial scandals. Failure to effectively respond to the significant challenges currently facing the auditing profession will further erode both the value of audits and the quality of financial reporting.
Financial-statement audits must be performed in accordance with generally accepted auditing standards (GAAS). Changes to GAAS have historically been made in reaction to challenges and changes in the audit practice environment. For example, past criticism from regulators that auditors were not doing enough to uncover fraud resulted in the issuance of SAS No. 82, Consideration of Fraud in a Financial Statement Audit. Questions about auditor independence led to establishing the Independence Standards Board, which issued a conceptual framework for independence and new standards to strengthen auditor independence. Part of the profession's response to the current crisis of confidence involves strengthening existing auditing standards and auditors' compliance with standards. For example, in response to recommendations from the Panel on Audit Effectiveness, the Auditing Standards Board (ASB) is considering expanding the audit risk model to include business risk.
Unlike
financial accounting standard setting and practice, which are guided by concept
statements, audit standard setting and practice have been influenced very little
by basic theoretical concepts. This is probably because a basic theory that is
consistent with today’s audit environment has not been identified, although
such a theory surely exists.1
Mautz and Sharaf's The Philosophy
of Auditing, issued in 1961 and A
Statement of Basic Auditing Concepts, issued in 1973 are the only
significant theoretical works on assurance done in the past 40 years. Neither of these theoretical works appears
to have recently influenced either audit standard setting or practice.
Can basic theory help guide audit standard
setting and practice? If so, what
should this basic theory be and how can it help guide standard setting and
practice? This paper examines these
questions by (1) presenting a case for why a basic conceptual framework for
assurance is needed and (2) proposing a structure for this conceptual
framework. These objectives are
explored in the next two sections of the manuscript. The final section of the paper identifies implications of the
conceptual framework for standard setting, practice, research, and
education.
WHY A CONCEPTUAL FRAMEWORK FOR ASSURANCE IS NEEDED
This
section presents several reasons why a basic theory or conceptual foundation
for assurance is needed. Included are
discussions of why existing theory is insufficient for the new assurance
environment and how basic theory can help address challenges facing all types
of assurance services.
The
Insufficiency of Existing Theory
The most
scholarly theoretical work in auditing is Mautz and Sharaf's Philosophy of Auditing issued by the
American Accounting Association in 1961.
Mautz and Sharaf's monograph provided an outline for a theory of
auditing and identified the basic auditing concepts as being evidence, due
audit care, fair presentation, independence, and ethical conduct. The other major theoretical work, A Statement of Basic Auditing Concepts
(ASOBAC) has a more practical focus.
This monograph characterized financial-statement auditing as consisting
of investigative and reporting processes.
Most of the discussion in ASOBAC is devoted to the investigative
process, including planning the audit and collecting and evaluating evidence.
Robertson (1984) defended Mautz and Sharaf's theoretical work as being
sufficiently general to serve as a framework for auditing research and practice
developments. In Robertson's opinion
(page 66), "Research directed a creating a wholly new theory of auditing
might be interesting, but would add very little to the Mautz and Sharaf
structure." Support for Mautz and
Sharaf’s work as a sufficient general theory of auditing may have been
appropriate in the mid-1980's, but is such support still appropriate
today? Or, is there is need to update
existing assurance theory to be more relevant to current practice and to guide
future standard setting, practice, research, and education?
Neither
the Mautz and Sharaf monograph nor ASOBAC identify risk or control as basic
auditing concepts. This is not a
criticism of these prior theoretical works because risk and control concepts
were not identified or widely discussed in the 1960's and 1970's. However, risk and control are fundamental
to assurance practice today, and both of these concepts should provide guidance
to assurance standard setting, practice, research, and education.
Much of
the Mautz and Sharaf monograph is a discussion of individual concepts and
explanations for how these concepts relate to financial-statement
auditing. For example, coverage of the
evidence concept identifies financial-statement assertions and the types of
evidence needed to verify these assertions.
Mautz and Sharaf did not, however, include much discussion of the
relationships among the identified concepts nor did they present an underlying
conceptual framework for audit standard-setting or practice. Both identifying concepts and relationships
among these concepts are important for specifying a conceptual framework for
assurance.
Another
reason why existing theory is insufficient for today’s assurance environment
relates to new types of assurance services being developed and offered. The
American Institute of Certified Public Accountants' Special Committee on
Assurance Services, also known as the Elliott Committee, recommended expanding
beyond the traditional financial-statement audit to offer services that improve
the quality of information, or its context, for decision-making (Elliott
1998). This definition of what are
known as assurance services expands on the audit function, while retaining
important concepts and objectives such as independence and improving
information for decision-making.
Financial-statement audits and an expanded assurance service such as
information systems reliability are therefore related, but distinct, types of
engagements. Existing theory therefore
needs to be expanded to encompass new types of assurance services.
Elliott
(1998, 7) expressed the opinion that concepts applied on financial-statement
audits will be transferable to assurance services related to information
reliability, although some reconsideration of basic concepts may be
necessary. This point is illustrated
through the results of a recent study that tested whether concepts underlying
traditional audit services carry over to new types of assurance services. King and Schwartz (1998) examined only one
type of assurance service, but they did find that conservatism, which is
necessary for effectively auditing financial statements, is not as essential
for conducting effective assurance services.
The conceptual foundation for financial-statement auditing and other
assurance services will certainly overlap to a great extent, but King and
Schwartz’s finding indicates that the relative importance of basic concepts may
differ depending on the type of assurance being provided or the type of
information for which assurance is being provided. Different types of assurance services may therefore share the
same conceptual foundation, but how basic concepts are applied across types of
assurance services will likely differ.
Assurance Challenges
Assurance is broadly defined here to include engagements such as
financial-statement audits and attestation services performed by independent
parties and assurance needed by a company’s management. Management needs assurance that, for example,
information systems and data are secure, rights to intellectual property are
protected, and operating objectives are being achieved. Internal auditors often provide assurance
for some of these resources, while management is generally responsible for assuring
that organizational objectives are met and that legal rights to intellectual
property are protected.
Assurance providers of all types face many important challenges,
although the discussion here is restricted to challenges to (1) improve the effectiveness
of financial-statement audits and (2) protect a company’s value-added resources
in today’s information-age economy.
These examples encompass assurance from both internal and external
perspectives, and should provide a sufficient context for demonstrating how
theory can help meet today’s assurance challenges.
Improving Audit Effectiveness:
Current Efforts
Audits
should be planned and performed to provide reasonable assurance that financial
statements being reported on are free of material misstatement or “fairly
presented in accordance with generally accepted accounting principles”. Audit effectiveness refers to the auditor’s
actual performance in uncovering existing material misstatements in a set of
financial statements. Auditors are effective
to the extent that they detect existing material misstatements and ineffective
to the extent that an existing
material misstatement is not detected during an audit. Ineffective audits increase information risk
associated with financial statements, making it more likely that users will
suffer losses as a consequence of relying on materially misstated information.
Information about companies’ financial performance is the life-blood of
securities markets. A credible
financial reporting system is therefore essential for capital markets to
function and for economic activity to be conducted. Financial reporting will be credible and serve its function,
however, only to the extent that the system provides financial information that
is both relevant and reliable. Each of
these characteristics or qualities of information is increasingly being
questioned, although our concern here is with reliability issues.
Earnings
are the most closely watched measure of corporate financial performance, and it
is therefore important that earnings figures accurately report the financial
consequences of a company’s operating or business performance. Earnings quality is compromised, and
information risk increased, when companies manage earnings by stretching the
inherent flexibility in generally accepted accounting principles (GAAP) or when
companies manipulate earnings through reporting that is inconsistent with
GAAP. Concern about widespread earnings
management and recent high-profile cases of earnings manipulation have led to
criticisms of audit effectiveness by the Securities and Exchange Commission,
Congressional committees, the press, and others. Never before have financial-statement auditors faced such
widespread criticism and calls for sweeping changes in regulatory practices and
auditor performance.
In
response to criticism of audit performance, the Panel on Audit Effectiveness
(Panel) was established to study the current audit model and to make
recommendations for improving the effectiveness of financial-statement
audits. The Panel identified the audit
risk model as being the conceptual foundation for audits of financial
statements and concluded that the basic model underpinning financial-statement
audits remains generally appropriate, although in need of some enhancing and
updating (Panel 2000, 13). The themes
driving the Panel’s recommendations for improving audit effectiveness are that
(1) definitive auditing standards form the starting point for promoting quality
audits and (2) audit firms need comprehensive and vigorous methodologies based on the standards (emphasis added)
to drive the behavior of their auditors to a higher plane (Panel 2000, 5).
Do more
definitive standards form the starting
point for promoting quality audits and will audit methodologies based on
these more definitive standards improve audit effectiveness? Or might the Panel’s recommended approach
actually make auditors more ineffective in uncovering financial-statement
misstatements? These questions should
be addressed through empirical research, but there are several reasons,
identified below, why the Panel’s recommended approach to establishing
standards that guide practice may not achieve the desired result of improving
audit effectiveness.
One
potentially harmful consequence of specific standards, or standards of any
type, is that a compliance mentality will be adopted by the party charged with
meeting the standard. This party could
be an individual auditor complying with GAAS or a firm that stresses compliance
with standards as part of its quality control program. Complying with standards is a necessary, but
not sufficient, condition for effective auditing. More specific and definitive auditing standards risk making
compliance the goal instead of a means for achieving the more important goal of
conducting effective audits. Effective
auditing requires an investigative mentality, or professional skepticism, which
is a very different mindset from a compliance mentality.
The
Panel on Audit Effectiveness recognized the importance of professional
skepticism to effective auditing. Page
15 of the Panel’s Report states that, “The concept of professional skepticism
should be taught effectively and the role of auditors in the detection, and
implicitly in the deterrence, of fraud reinforced.” The Panel implicitly recognized the importance of an
investigative mentality through its recommendation that standards create a
“forensic-type fieldwork phase” on all audits (Panel 2000, 5). The Panel has, however, sent conflicting
messages by calling for more specific standards and audit methodologies based
on these more specific standards while at the same time calling for increased
emphasis on professional skepticism and forensic-type auditing.
That is, claiming that compliance with more specific
standards will improve audit effectiveness and calling for more forensic
(investigative) auditing seem to be incompatible behaviors that few auditors
will likely be able to resolve.
Assurance standards should and will always guide practice, and the Panel
on Audit Effectiveness' recommendation to develop more specific standards that
guide practice is not, by itself, wrong.
However, both standards and practice should be grounded in fundamental
assurance concepts, and plans to do this are not apparent in the Panel’s
recommendations or in the Auditing Standards Board’s (ASB) response to these
recommendations.
The next
section presents an argument for why the profession should first establish a conceptual framework for assurance, a framework
that includes basic assurance concepts and relationships among these
concepts. The conceptual framework for
assurance would then serve as the foundation for developing assurance
standards, including generally accepted auditing standards. Firms’ audit methodologies would then be
based on both standards and a conceptual framework that underlies the
standards.
Concepts as the
Foundation for Assurance Standards: To understand why and how assurance standard
setting and practice could benefit from a conceptual framework, we can look to
reasons why the Financial Accounting Standards Board (FASB) established a
conceptual framework for financial accounting and reporting. As noted in the introduction to Concept
Statement 1, Objectives of Financial
Reporting by Business Enterprises, the objectives and concepts identified
and described in the FASB's conceptual framework "Set forth fundamentals on which financial
accounting and reporting standards will
be based."(emphasis added) (FASB 2000, 4). Financial accounting’s conceptual framework therefore directly
impacts and benefits standard setting and indirectly impacts and benefits
accounting practice, which is where standards are applied.
The
financial accounting conceptual framework also identifies and defines concepts
that can be used as tools for resolving accounting and reporting questions
(Foster and Johnson 2001). The FASB's
concept statements can help solve complex accounting problems by (Storey and
Storey 1998, 86):
·
Providing
a set of common premises as a basis for discussion.
·
Providing
precise terminology.
·
Helping
to ask the right questions.
·
Limiting
areas of judgment and discretion and excluding from consideration potential
solutions that are in conflict with it.
·
Imposing
intellectual discipline on what traditionally has been a subjective and ad hoc
reasoning process.
Accounting for leases is one complex problem currently facing financial
accounting standard setters and practitioners.
Recent discussion of this controversial issue suggests using the FASB's
conceptual framework to choose between alternative accounting treatments for
leases (Monson 2001) and recommends that whatever approach the FASB takes be
consistent with the concept statements (AAA 2001). The conceptual framework for financial accounting is therefore
perceived and used as an important source of guidance for setting standards
that affect accounting practice.
Financial statement auditing does not have an underlying conceptual
framework, other than the audit risk model, that can guide standard setting and
practice.
Using
objectives and concepts to provide direction and structure to reporting
standards and practice enhances the credibility of financial accounting (Foster
and Johnson 2001). Basing assurance standards and practice on a set of
fundamental concepts could similarly enhance the credibility of assurance
services, which is especially important at this time when the credibility of
financial-statement auditing is being questioned by regulators, financial-statement
users, company management, and, perhaps, by auditors themselves.
Safeguarding Intellectual Capital Resources
Some of a firm’s intellectual capital,
for example, copyrights and patents, is reported in its financial statements as
intangible assets. Other intellectual
capital, for example, knowledge and experience of managers, has value to the
firm, but such value is not quantified and reported in the financial
statements. For intellectual capital
that is quantified and reported on a company’s balance sheet, the
financial-statement value can differ dramatically from the revenue-producing
value that the resource has to the firm.
A familiar example would be patents held by pharmaceutical firms, which
have low financial-statement value as compared with revenue-generating value.
Independent auditors provide reasonable
assurance that the value reported on the balance sheet for intangible assets is
not materially misstated and that it is fairly presented in accordance with
GAAP. Management has primary
responsibility for assuring that the
financial-statement value for an intangible asset is accurate, but management
must also assure that the potential revenue-generating value of the intangible
asset is safeguarded.
Napster’s infringement of music
copyrights illustrates the distinction between the auditor’s and management’s
assurance focus. A recording company's
independent auditor is primarily
concerned with providing reasonable assurance that the dollar amount for
copyrights reported on the company's balance sheet is not materially
misstated. Management is responsible
for ensuring that the recorded amount for copyrights is fairly presented,
although management’s primary concern is assuring that the revenue-generating
potential of copyrighted recordings is protected. The music industry did not sue to shut down Napster because
financial-statement amounts were misstated.
They sued to protect the value of copyrighted music to individual
recording companies and to the industry as a whole.
A
conceptual framework for assurance must be broad enough to encompass different
types of assurance needs and situations.
For example, different needs for assurance on different types of assets
or information to benefit different groups must fit within the conceptual
framework. Related to the above
example, a conceptual framework should be broad enough to encompass assurance
responsibilities of independent auditors for record companies as well as
assurance needs of record company management and the overall recording
industry. The proposed conceptual framework for assurance presented in the next
section therefore encompasses traditional assurance services, including
financial-statement audits and attestation engagements, and assurance needs of organizations,
including safeguarding of all value-producing resources or assets, information
and information systems, data, and reputation.
The model also encompasses expanded assurance responsibilities that
would result from future developments in business reporting.
CONCEPTUAL FRAMEWORK FOR ASSURANCE
The proposed conceptual framework for assurance is shown below in Figure 1. Identified in the framework are the major resources for which assurance is needed and the basic assurance concepts, including criteria (materiality), risk, control, evidence (professional skepticism), and objectivity (independence). Relationships among the concepts and between the concepts and resources requiring assurance are also specified in the proposed conceptual framework for assurance model. Each model component and relationships among components are briefly described in the following sections.
Insert Figure 1 here
Assurance
Needs
The first
model component identifies assets or resources for which assurance is generally
needed. Each identified item in this
component of the model impacts a company's financial performance and is
therefore of interest to external decision-makers, auditors, and company
management.
Information can include financial information reported by an entity to
regulatory agencies and other external parties, non-financial performance and
strategic information, intellectual property, information systems, and
data. Intellectual property, which is
also known as intellectual capital or knowledge, is the primary source of value
for products such as software, pharmaceuticals, recordings, and
publications. Some intellectual
property rights are captured on balance sheets as intangible assets, but much
of the knowledge assets that drive financial performance for today's companies
are not formally measured and reported.
Whether reported or not, assurance that rights to intellectual property
are safeguarded is needed to protect a company's operations and financial
performance.
Advances
in information technology have dramatically increased companies’ reliance on
computerized information systems to conduct operations and to gather and report
performance information both internally and externally. Maintaining operations and reliably
reporting performance information require assurance that, for example,
information system controls function effectively and databases are kept
secure. Primary responsibility for
providing such assurance may rest with a company’s internal auditors, although
external auditors must understand and rely on controls in a client’s
information system. Assurance on
information system reliability and database security is therefore important to
both internal and external parties.
Assets
include tangible resources such as inventory and property, financial resources
such as cash, receivables, and investments, and intangible resources such as
copyrights, trademarks, and patents.
There is some overlap between intangible assets and intellectual
property, with the former including only those assets measured and reported on
the balance sheet and the latter including intellectual capital not captured
and reported by the information system.
The primary determinant of a firm's financial performance is often its reputation or brand image. Firms with strong brand reputations generate higher unit volume sales and can command premium prices and profit margins. Firms whose reputation for quality or reliability has been compromised suffer lost unit sales and lower revenue and profit margins, both causing poorer financial performance. Firestone and Ford provide a vivid example of how significantly financial performance can be adversely affected when a company's brand reputation is compromised. Enron’s recent collapse not only destroyed that company but also damaged Arthur Andersen's reputation for quality auditing, threatening not only a loss of clients and revenue, but possibly the survival of the firm as an independent entity (Weber et al. 2001).
A recent study by Nagar and Rajan (2001) found that both financial and non-financial quality measures are leading indicators of future sales. This result again confirms the importance of quality (reputation) to financial performance and supports plans to include quality measures in the business-reporting model (Nagar and Rajan 2001, 496). A future need to attest to assertions about quality was recognized by Elliott (1994a, 121). Both the empirical result and Elliott's observation support including brand or company reputation in the conceptual framework for assurance.
Criteria (Materiality)
Providing assurance is not possible without first identifying criteria
which assurance can be measured against and a materiality threshold. For example, generally accepted accounting
principles (GAAP) are the criteria for financial-statement audits and
materiality is generally defined as being a misstatement that could affect
financial statement users’ decisions.
Auditors therefore provide reasonable assurance that financial
statements are fairly presented in accordance with GAAP, which are the criteria
for identifying materially misstated financial statements.
Security
breaches and system failures would be among the criteria for providing
assurance on information system reliability.
Criteria for assets would relate to security from theft or improper use,
while criteria for brand or company reputation might be the public reporting of
any negative information about the company or quality ratings issued by
independent agencies such as J. D. Powers or Consumer Reports.
Products
whose value is derived principally from intellectual property require legal
protection of rights to benefits derived from ownership of such property
(Murray 2001). Criteria for providing
assurance on intellectual property would therefore come from relevant
copyright, patent, and antitrust laws or regulations. Similarly, criteria for engagements whose objective is
compliance, such as environmental audits or debt covenant compliance, would be
derived from applicable laws or agreements.
Risks
The term
risk implies some expectation of future loss or other undesirable outcome. For example, investment risk, information
risk, accident risk, and the risk of illness all indicate the possibility of
some negative consequence or outcome.
In the assurance context, risk refers to the possibility that financial
statements will be materially misstated, information systems will fail or be
broken into, assets will be stolen, data will be lost or stolen, intellectual
property rights will be breached, or reputation will be damaged.
These
examples indicate how risk is a general concept that is applicable to different
situations or events. The basic risk
concept therefore takes on meaning only when applied within some context or to
some event or outcome. Audit risk is
therefore the application of the general risk concept to a situation where an
auditor issues an unqualified opinion on materially misstated financial
statements. Similarly, business risk is
the application of the basic risk concept to a situation where external or
internal conditions prevent an entity from achieving its business
objectives. Much as revenue
recognition and matching are basic financial accounting concepts that are
applied to different types of earnings processes, risk is a general concept
that is applicable to different assurance contexts.
Controls:
Control
implies some attempt to exercise restraint over someone or something or to
influence the direction that some object might take. For example, we control the speed of our car by applying the
brake or easing off the gas pedal, while traffic flows are controlled using
signals and directional arrows and signs.
In an assurance context, control refers to a company's financial
reporting (internal) controls, access or programmed controls to protect
information systems, security systems to protect tangible assets, backup
procedures to protect data, and management monitoring and responsiveness to
safeguard a company’s reputation.
As with risk,
control is a general concept that becomes meaningful when applied within a
specific context. Within the assurance
context, internal control refers to a process designed and implemented to
provide reasonable assurance that operations are effective and efficient,
financial reporting information is reliable, and relevant laws and regulations
are complied with. More generally,
controls to protect against unreliable information in the financial reporting
system include a company’s internal control system, generally accepted
accounting principles, and independent audits.
Evidence (professional skepticism)
Evidence
includes any information gathered as part of an assurance engagement, including, for example, the criteria by
which assurance is being measured, the nature of risks and consequences of
risks being realized (e.g., types of misstatements that could occur), and the
nature and effectiveness of controls.
Characteristics that make evidence persuasive, including relevance,
reliability, timeliness, and sufficiency are well established in the standards,
although perhaps not well enough implemented in practice as criticism of
auditor effectiveness suggests.
Of particular importance to effective assurance are the multidirectional relationships among the risk, control, and evidence concepts. These multidimensional relationships reflect the need to conduct an assurance engagement with an attitude of professional skepticism. Professional skepticism is included as part of the evidence concept because of the importance that auditors adopt a skeptical attitude when gathering and evaluating evidence. Perhaps most important to exhibiting an appropriate level of professional skepticism is the need for auditors to adapt audit programs whenever new evidence is inconsistent with prior evidence or previously-established expectations. For example, a professionally skeptical auditor would extend substantive testing when new evidence is inconsistent with a reduced level of control risk.
Objectivity/Independence
Auditor independence has probably received more attention in recent years than has any other factor impacting audit effectiveness. Prompted by findings that independence rules were being violated by individual auditors and firms and by continuing criticism that consulting revenues are clouding auditors’ independent judgments and ability to stand up to clients, the profession responded by establishing the Independence Standards Board (ISB). The ISB issued a conceptual framework for independence and specific rules designed to strengthen auditor independence.
Independence has been described as the cornerstone of auditing, and certainly independence is what gives the auditor’s opinion on financial statements most of its credibility. Independence is therefore a fundamental assurance concept. But is independence valued for its own sake or because independence makes it more likely that the individual(s) providing assurance will be as objective (unbiased) as possible when collecting and evaluating evidence and when expressing an opinion? Auditors are required to be independent so that they will be objective when fulfilling their professional responsibilities, so objectivity is the goal of independence.
The
concepts of objectivity and independence are not, for lack of a better word,
independent, but they are sufficiently distinct to require separate
identification in the proposed conceptual framework. Objectivity is identified as the primary concept because it is
the reason independence is required.
That is, independence without objectivity would be unacceptable, while
objectivity without independence, while not desirable, should at least lead to
an acceptable result.
Audit Risk Model
The multi-directional relationships among risk, control, and evidence
in the conceptual framework encompass the basic risk model for
financial-statement audits. Earlier in the paper, we asked whether
the audit risk model is basic theory or the application of basic theory to the
specific context of a financial-statement audit. The audit risk model is
theoretical, but as the conceptual framework model shows it is not the basic theory for assurance.2 Instead, the audit risk model is the
application of basic assurance concepts to the context of a financial-statement
audit. Inherent risk is therefore the
application of the basic risk concept to the possibility that financial
statements are misstated, while control risk is the application of the basic
control concept to the situation where internal controls operate to prevent
and/or detect financial statement misstatements. Similarly, the evidence concept applied to the audit risk model
refers to substantive tests conducted in response to assessed levels of
inherent risk and control risk.
Substantive tests, in turn, affect another risk application, detection
risk.
An
alternative way to demonstrate how the audit risk model is the application of
basic assurance concepts and not the basic assurance theory is to show how the
basic concepts are applicable beyond financial-statement audits. As previously discussed, intellectual
capital and brand reputation are important resources driving firm financial
performance and neither resource is currently quantified and reported in a
firm’s financial statements. Yet both
resources are at risk of theft, loss, or damage, any of which will negatively
impact the firm’s financial performance.
Controls are therefore needed to safeguard a firm’s intellectual capital
and brand reputation. Internal auditors
and management would generally be responsible for gathering evidence to, for
example, monitor the nature of risks to intellectual capital and brand
reputation and to adapt controls to changing risks. The context differs from
the financial-statement-auditing, but the basic assurance concepts remain
relevant and applicable to intellectual capital and brand reputation
resources.
Audits
conducted by most firms consider risks at the entity level in addition to risks
of misstatement at the financial-statement assertion level. Specifically, most firms begin an audit by
considering an entity’s business risks and the potential that such risks could
lead to materially misstated financial statements. Because firms’ audit approaches already consider business risk,
the ASB is likely to conclude that auditing standards should require
consideration of business risk (Pany and Whittington 2001).3 This change would then require auditors to
determine and corroborate management’s actions to control these risks, design
tests of controls and substantive tests to assess the impact of business risks
on financial statements, and to conduct tests that specifically address
identified risks (Pany and Whittington 2001, 403). Note that these changes would be in addition to audit planning
and execution requirements of the existing audit risk model.
These
potential changes to auditing standards are consistent with the proposed
conceptual framework for assurance. The
framework, in fact, allows for including business risks, relevant controls, and
related audit tests as part of an expanded audit approach. Firms’ current audit approaches that
include business risk and the ASB’s consideration of changes to the audit risk
model are both encompassed within the conceptual framework. Moreover, the framework can be a useful
guide for developing and implementing a new audit approach.
IMPLICATIONS OF A CONCEPTUAL FRAMEWORK FOR
STANDARD SETTING, PRACTICE, RESEARCH, AND EDUCATION
This
section identifies implications of establishing a conceptual framework for
assurance on standard setting and practice, research, and education. The implications are not dependent on the
specific conceptual framework presented in this paper, and are instead derived
from the need to establish a conceptual framework for assurance.
Implications for Standard Setting
and Practice
Audit standard setting in the United States has generally been reactionary rather than proactive. New standards have been issued and existing standards modified in reaction to criticism of auditors' performance, mostly from the Securities Exchange Commission following reports of auditors’ apparent ineffectiveness at detecting fraud or curbing widespread earnings management. For example, the Auditing Standards Board’s current work to enhance the audit risk model was undertaken in reaction to a recommendation from the Panel on Audit Effectiveness, a group created in response to criticism of auditor effectiveness.
Much as the Financial Accounting Standards Board is the primary beneficiary of the financial accounting concept statements, the Auditing Standards Board would be the principal beneficiary of a conceptual framework for assurance. A conceptual framework would provide a foundation for developing new assurance standards and modifying existing standards. New standards will always be required to deal with problems in the assurance environment, but a conceptual framework for assurance could help the ASB proactively develop standards and to develop standards that are internally consistent.
First establishing a conceptual framework and then developing standards from that framework is the approach taken recently by the Independence Standards Board. It is curious, and somewhat illogical, that we now have a conceptual framework for independence but we do not yet have a conceptual framework for assurance. If a conceptual framework was considered necessary for developing new independence standards, then shouldn’t a conceptual framework be necessary for developing new assurance standards? If a conceptual framework underlies financial accounting standards, then shouldn’t a conceptual framework underlie standards for auditing financial statements?
A conceptual framework would provide a common language to use in setting standards and in resolving complex problems facing the assurance profession. Agreement on basic concepts would allow debate to focus on problems and challenges facing the assurance profession while minimizing disagreement over basic theoretical issues. For example, a conceptual framework could provide a common set of concepts and terminology for discussions aimed at enhancing the audit risk model and improving audit effectiveness. A conceptual framework could also be potentially useful in identifying potential problems, thereby allowing standard setters and practitioners to proactively respond rather than responding reactively.
Implications for Research
The primary research implications of the conceptual framework are that it would help organize extant assurance research and assist researchers in identifying important, unexamined research questions relevant to all types of assurance services. Pany and Whittington (2001) identified promising areas of research derived from the Panel on Audit Effectiveness’ recommendations to the ASB. These recommended research topics fit within the conceptual framework for assurance, but the framework can also be useful in identifying important research topics that are not derived from the Panel’s recommendations. The conceptual framework would therefore supplement Pany and Whittington (2001) as an important source of research topics that could assist assurance standard setters and practitioners.
Implications for Education
Education is interpreted here as including both university-level education and continuing professional education. Accounting education has historically been very procedural in nature, focusing mostly on standards and rules with relatively little attention to basic theoretical concepts and the application of those concepts. Financial accounting courses cover the basic concept statements, although the focus of these courses, as reflected in the textbooks, is having students learn generally accepted accounting rules or standards. Similarly, students in tax classes are taught the Internal Revenue Code and students in auditing classes learn the Statements on Auditing Standards.
Despite repeated calls for change, accounting education remains largely procedures-oriented with relatively little attention to theory. Change has been difficult, in part, because of the procedural nature of most accounting textbooks. As noted by current American Accounting Association President, Joel Demski (2001), current accounting textbooks suffer from a perceived need to list every rule published by the FASB and from a lack of foundations. Demski’s observations are especially relevant to assurance education, which does not have an identified, agreed-upon conceptual foundation that could be taught to accounting students.
A review of current auditing/assurance texts will confirm that a basic conceptual framework for assurance is not being taught to our students. In fact, textbooks show little agreement on underlying concepts, with each book identifying a unique set of “basic concepts”. The concept sets included in most current auditing/assurance texts are also incomplete, since almost no current text identifies control as a basic assurance concept.
A conceptual framework for assurance will not magically improve assurance education, but it would bring agreement to the basic assurance concepts and relationships among these concepts. A conceptual framework would provide a context for helping students understand the nature of assurance and can help them apply these basic concepts to different situations within a specific type of engagement and to different types of assurance engagements. For example, a conceptual framework for assurance would be applicable to different types of clients for which financial-statement audits are being conducted and to assurance engagements other than financial-statement audits, including attestation engagements, new assurance services being developed by the profession, and business advisory services. Ultimately, a conceptual framework could offset a tendency to conduct audits with a compliance mentality and, relatedly, promote higher levels of professional skepticism. Both effects would improve auditor effectiveness.
CONCLUSION
The objectives of this paper were to establish why a conceptual framework for assurance is needed and to present a proposed conceptual framework model that identifies primary assurance concepts and relationships among concepts. The conceptual framework presented in this paper is only a starting point for developing a conceptual framework for assurance. Additional work is needed to challenge the sufficiency of the proposed framework and to more fully describe the identified concepts and relationships among concepts. Future work on the conceptual framework for assurance should involve assurance practitioners, academicians, regulators, and financial-statement user groups.
Using objectives and concepts to provide
direction and structure to reporting standards and practice enhances the
credibility of financial accounting (Foster and Johnson 2001). Basing assurance
standards and practice on a set of fundamental concepts could similarly enhance
the credibility of assurance services.
This is especially important at this time when auditors must rebuild,
and not just protect, the profession's credibility. Failure to regain credibility will continue to erode the value of
financial-statement audits and threaten opportunities to develop and offer new
assurance services that build on the profession's reputation for integrity and
competence.
Recommendations made by the Panel on
Audit Effectiveness are significantly affecting the ASB’s current agenda and
will likely shape its agenda for the next several years (Pany and Whittington
2001). The ASB must respond in the
short-term to the Panel’s recommendations by changing standards in a way that
will improve audit effectiveness in practice.
However, a longer-term approach for improving assurance standard setting
and practice, an approach that includes a conceptual foundation for assurance,
is also needed. The ASB should
therefore not miss the opportunity provided by the current crisis of confidence
to at least begin work on a conceptual framework that will not only enhance the
effectiveness of financial statements audits, but which will also provide
guidance for all types of assurance services.
Footnotes
1.
The
audit risk model is often presented as the basic theoretical or conceptual
foundation for financial-statement auditing.
Although theoretical, the audit risk model is more the application of
basic assurance theory to the context of a financial-statement audit than it is
basic assurance theory.
2.
It
might be argued that the audit risk model is the conceptual framework for
financial
statement audits, although
the assurance concepts criteria, materiality, and objectivity
(independence) are not
explicitly specified in the model. At
best, the audit risk
model should therefore be
considered a partial conceptual framework for financial
statement audits.
3.
Business
risk refers to the possibility that an entity will not meet its objectives or
goals. Affecting business risk are
economic factors, industry conditions, and firm-specific decisions related to
strategy and business activities.
Management cannot dictate conditions in the entity’s external business
environment, but instead must develop and implement high-level, entity-wide
controls to manage the negative impact that such conditions will have on the
entity’s operations and financial performance.
Although business risk is not included in the current risk model
underlying financial-statement audits, business risk and related management
controls are encompassed in the broader conceptual framework for assurance.
Bibliography
American
Accounting Association Financial Accounting Standards Committee. 2001.
Evaluation of the Lease Accounting
Proposed in G4+1 Special Report. Accounting
Horizons, Vol. 15, No. 3 (September), pp. 289-298
American
Institute of Certified Public Accountants. 1997. Considering Fraud in a
Financial Statement Audit: Practical Guidance for Applying SAS
No. 82.
AICPA:
New York.
AICPA
Special Committee on Financial Reporting. 1994. Improving Business
Reporting-A Customer Focus. American Institute of Certified Public
Accountants. New York.
Bell,
T. B., F. O. Marrs, I. Solomon, and H. Thomas. 1997. Auditing Organizations
Through a Strategic-Systems Lens: The KPMG Business Measurement Process,
New York: KPMG Peat Marwick LLP.
Committee
on Basic Auditing Concepts. 1973. A Statement of Basic Auditing Concepts.
Studies in Accounting Research No. 6.
American Accounting Association. Sarasota.
Demski,
J. S. 2001. President’s Message. Accounting Education News. American
Accounting Association. Fall 2001.
Sarasota, FL.
Elliott,
R. K. 1998. Assurance Services and the
Audit Heritage. Auditing: A Journal of
Practice & Theory. Vol. 17 Supplement. Pages 1-8.
Elliott,
R. K. 1994a. Confronting the Future: Choices for the Attest Function. Accounting
Horizons. Vol. 8, No. 3. Pages 106-124.
Elliott,
R. K. 1994b. The Future of Audits. Journal of Accountancy. September 1994.
pp. 74-80.
Foster,
J. M. and L. T. Johnson. 2001. Why Does the FASB Have a Conceptual
Framework? Understanding the Issues. August, FASB;
Norwalk, Connecticut.
King,
R. R. and R. Schwartz. 1998. Planning Assurance Services. Auditing:
A Journal of
Practice & Theory. Vol 17 Supplement. Pages 9-36.
Mautz,
R. K. and H. Sharaf. 1961. The Philosophy
of Auditing. American Accounting
Association, Sarasota, FL.
Monson,
D. W. 2001. The Conceptual Framework
and Accounting for Leases.
Accounting Horizons. Vol. 15, No. 3 (September), pp. 275-288
Murray,
A. 2001. Intellectual Property: The Old
Rules Don't Apply. The Wall Street
Journal, August 23, 2001, page A1.
Nagar,
V. and M. V. Rajan. 2001. The Revenue Implications of Financial and Operating
Measures of Product Quality. The Accounting Review. October 2001. Pp.
495-513.
Panel
on Audit Effectiveness. 2000. Report and
Recommendations. Stamford, CT: Public
Oversight Board.
Pany,
K. J. and O. R. Whittington. 2001. Research Implications of the Auditing
Standards
Board’s Current Agenda. Accounting Horizons. Vol. 15, No. 4, pp.
401-411.
Robertson,
J. C. 1984. A Defense of Extant
Auditing Theory. Auditing: A Journal of
Practice & Theory. Vol. 3, No. 2, Spring. Pages 57-67.
Storey
R. K. and S. Storey. 1998. The Framework
of Financial Accounting Concepts and
Standards. Financial Accounting
Standards Board; Norwalk, Connecticut.
Weber,
J., D. Little, D. Henry, and L. Lavalle. Arthur Andersen, How Bad Will it Get?
Business
Week, December 24, 2001, pages 30-32.
(Professional
Skepticism) Criteria (Materiality)
Evidence
Risks
Controls
Conceptual Framework for Assurance
