James E. Rebele
Rauch Business Center
621 Taylor Street
Bethlehem, PA 18015
Financial-statement auditors are facing widespread criticism as a consequence of Enron’s recent collapse and prior documented frauds involving companies such as Waste Management and Cendant. The profession must respond to this crisis of confidence, not only to restore credibility in the audit function, but also to maintain the credibility of financial reporting and U.S. capital markets. Recent responses to this crisis of confidence in auditing have included strengthening independence standards, plans to enhance the audit risk model, and moves by several firms to separate their audit and consulting practices.
Except for work on the audit risk model, the profession’s response has, so far, not included any discussion of how a theory or conceptual framework for auditing might improve audit effectiveness. This paper proposes a conceptual framework for assurance that includes basic concepts of criteria, materiality, risk, control, evidence, professional skepticism, objectivity, and independence. Each concept is explained and relationships among concepts are identified. The paper also discusses how a conceptual framework could benefit audit standard setting and practice, research, and education.
Financial-statement auditors are under siege from regulators, investors, and the Federal government. Enron's recent collapse, past financial reporting frauds at companies such as Waste Management, Sunbeam, and Cendant, as well as widespread earnings management have all damaged auditors' credibility. Past actions taken by the profession have apparently been ineffective or inadequate in responding to criticism of auditors' performance. New approaches are therefore needed to improve auditors' effectiveness in detecting material financial-statement misstatements and to regain credibility lost due to recent financial scandals. Failure to effectively respond to the significant challenges currently facing the auditing profession will further erode both the value of audits and the quality of financial reporting.
Financial-statement audits must be performed in accordance with generally accepted auditing standards (GAAS). Changes to GAAS have historically been made in reaction to challenges and changes in the audit practice environment. For example, past criticism from regulators that auditors were not doing enough to uncover fraud resulted in the issuance of SAS No. 82, Consideration of Fraud in a Financial Statement Audit. Questions about auditor independence led to establishing the Independence Standards Board, which issued a conceptual framework for independence and new standards to strengthen auditor independence. Part of the profession's response to the current crisis of confidence involves strengthening existing auditing standards and auditors' compliance with standards. For example, in response to recommendations from the Panel on Audit Effectiveness, the Auditing Standards Board (ASB) is considering expanding the audit risk model to include business risk.
Unlike financial accounting standard setting and practice, which are guided by concept statements, audit standard setting and practice have been influenced very little by basic theoretical concepts. This is probably because a basic theory that is consistent with today’s audit environment has not been identified, although such a theory surely exists.1 Mautz and Sharaf's The Philosophy of Auditing, issued in 1961, and A Statement of Basic Auditing Concepts, issued in 1973, are the only significant theoretical works on assurance done in the past 40 years. Neither of these theoretical works appears to have recently influenced either audit standard setting or practice.
Can basic theory help guide audit standard setting and practice? If so, what should this basic theory be and how can it help guide standard setting and practice? This paper examines these questions by (1) presenting a case for why a basic conceptual framework for assurance is needed and (2) proposing a structure for this conceptual framework. These objectives are explored in the next two sections of the manuscript. The final section of the paper identifies implications of the conceptual framework for standard setting, practice, research, and education.
This section presents several reasons why a basic theory or conceptual foundation for assurance is needed. Included are discussions of why existing theory is insufficient for the new assurance environment and how basic theory can help address challenges facing all types of assurance services.
The Insufficiency of Existing Theory
The most scholarly theoretical work in auditing is Mautz and Sharaf's Philosophy of Auditing issued by the American Accounting Association in 1961. Mautz and Sharaf's monograph provided an outline for a theory of auditing and identified the basic auditing concepts as being evidence, due audit care, fair presentation, independence, and ethical conduct. The other major theoretical work, A Statement of Basic Auditing Concepts (ASOBAC) has a more practical focus. This monograph characterized financial-statement auditing as consisting of investigative and reporting processes. Most of the discussion in ASOBAC is devoted to the investigative process, including planning the audit and collecting and evaluating evidence.
Robertson (1984) defended Mautz and Sharaf's theoretical work as being sufficiently general to serve as a framework for auditing research and practice developments. In Robertson's opinion (page 66), "Research directed at creating a wholly new theory of auditing might be interesting, but would add very little to the Mautz and Sharaf structure." Support for Mautz and Sharaf’s work as a sufficient general theory of auditing may have been appropriate in the mid-1980's, but is such support still appropriate today? Or is there a need to update existing assurance theory to be more relevant to current practice and to guide future standard setting, practice, research, and education?
Neither the Mautz and Sharaf monograph nor ASOBAC identifies risk or control as basic auditing concepts. This is not a criticism of these prior theoretical works because risk and control concepts were not identified or widely discussed in the 1960's and 1970's. However, risk and control are fundamental to assurance practice today, and both of these concepts should provide guidance to assurance standard setting, practice, research, and education.
Much of the Mautz and Sharaf monograph is a discussion of individual concepts and explanations for how these concepts relate to financial-statement auditing. For example, coverage of the evidence concept identifies financial-statement assertions and the types of evidence needed to verify these assertions. Mautz and Sharaf did not, however, include much discussion of the relationships among the identified concepts nor did they present an underlying conceptual framework for audit standard-setting or practice. Both identifying concepts and relationships among these concepts are important for specifying a conceptual framework for assurance.
Another reason why existing theory is insufficient for today’s assurance environment relates to new types of assurance services being developed and offered. The American Institute of Certified Public Accountants' Special Committee on Assurance Services, also known as the Elliott Committee, recommended expanding beyond the traditional financial-statement audit to offer services that improve the quality of information, or its context, for decision-making (Elliott 1998). This definition of what are known as assurance services expands on the audit function, while retaining important concepts and objectives such as independence and improving information for decision-making. Financial-statement audits and an expanded assurance service such as information systems reliability are therefore related, but distinct, types of engagements. Existing theory therefore needs to be expanded to encompass new types of assurance services.
Elliott (1998, 7) expressed the opinion that concepts applied on financial-statement audits will be transferable to assurance services related to information reliability, although some reconsideration of basic concepts may be necessary. This point is illustrated through the results of a recent study that tested whether concepts underlying traditional audit services carry over to new types of assurance services. King and Schwartz (1998) examined only one type of assurance service, but they did find that conservatism, which is necessary for effectively auditing financial statements, is not as essential for conducting effective assurance services. The conceptual foundation for financial-statement auditing and other assurance services will certainly overlap to a great extent, but King and Schwartz’s finding indicates that the relative importance of basic concepts may differ depending on the type of assurance being provided or the type of information for which assurance is being provided. Different types of assurance services may therefore share the same conceptual foundation, but how basic concepts are applied across types of assurance services will likely differ.
Assurance is broadly defined here to include engagements such as financial-statement audits and attestation services performed by independent parties and assurance needed by a company’s management. Management needs assurance that, for example, information systems and data are secure, rights to intellectual property are protected, and operating objectives are being achieved. Internal auditors often provide assurance for some of these resources, while management is generally responsible for assuring that organizational objectives are met and that legal rights to intellectual property are protected.
Assurance providers of all types face many important challenges, although the discussion here is restricted to challenges to (1) improve the effectiveness of financial-statement audits and (2) protect a company’s value-added resources in today’s information-age economy. These examples encompass assurance from both internal and external perspectives, and should provide a sufficient context for demonstrating how theory can help meet today’s assurance challenges.
Audits should be planned and performed to provide reasonable assurance that financial statements being reported on are free of material misstatement or “fairly presented in accordance with generally accepted accounting principles”. Audit effectiveness refers to the auditor’s actual performance in uncovering existing material misstatements in a set of financial statements. Auditors are effective to the extent that they detect existing material misstatements and ineffective to the extent that an existing material misstatement is not detected during an audit. Ineffective audits increase information risk associated with financial statements, making it more likely that users will suffer losses as a consequence of relying on materially misstated information.
Information about companies’ financial performance is the life-blood of securities markets. A credible financial reporting system is therefore essential for capital markets to function and for economic activity to be conducted. Financial reporting will be credible and serve its function, however, only to the extent that the system provides financial information that is both relevant and reliable. Each of these characteristics or qualities of information is increasingly being questioned, although our concern here is with reliability issues.
Earnings are the most closely watched measure of corporate financial performance, and it is therefore important that earnings figures accurately report the financial consequences of a company’s operating or business performance. Earnings quality is compromised, and information risk increased, when companies manage earnings by stretching the inherent flexibility in generally accepted accounting principles (GAAP) or when companies manipulate earnings through reporting that is inconsistent with GAAP. Concern about widespread earnings management and recent high-profile cases of earnings manipulation have led to criticisms of audit effectiveness by the Securities and Exchange Commission, Congressional committees, the press, and others. Never before have financial-statement auditors faced such widespread criticism and calls for sweeping changes in regulatory practices and auditor performance.
In response to criticism of audit performance, the Panel on Audit Effectiveness (Panel) was established to study the current audit model and to make recommendations for improving the effectiveness of financial-statement audits. The Panel identified the audit risk model as being the conceptual foundation for audits of financial statements and concluded that the basic model underpinning financial-statement audits remains generally appropriate, although in need of some enhancing and updating (Panel 2000, 13). The themes driving the Panel’s recommendations for improving audit effectiveness are that (1) definitive auditing standards form the starting point for promoting quality audits and (2) audit firms need comprehensive and vigorous methodologies based on the standards (emphasis added) to drive the behavior of their auditors to a higher plane (Panel 2000, 5).
Do more definitive standards form the starting point for promoting quality audits and will audit methodologies based on these more definitive standards improve audit effectiveness? Or might the Panel’s recommended approach actually make auditors more ineffective in uncovering financial-statement misstatements? These questions should be addressed through empirical research, but there are several reasons, identified below, why the Panel’s recommended approach to establishing standards that guide practice may not achieve the desired result of improving audit effectiveness.
One potentially harmful consequence of specific standards, or standards of any type, is that a compliance mentality will be adopted by the party charged with meeting the standard. This party could be an individual auditor complying with GAAS or a firm that stresses compliance with standards as part of its quality control program. Complying with standards is a necessary, but not sufficient, condition for effective auditing. More specific and definitive auditing standards risk making compliance the goal instead of a means for achieving the more important goal of conducting effective audits. Effective auditing requires an investigative mentality, or professional skepticism, which is a very different mindset from a compliance mentality.
The Panel on Audit Effectiveness recognized the importance of professional skepticism to effective auditing. Page 15 of the Panel’s Report states that, “The concept of professional skepticism should be taught effectively and the role of auditors in the detection, and implicitly in the deterrence, of fraud reinforced.” The Panel implicitly recognized the importance of an investigative mentality through its recommendation that standards create a “forensic-type fieldwork phase” on all audits (Panel 2000, 5). The Panel has, however, sent conflicting messages by calling for more specific standards and audit methodologies based on these more specific standards while at the same time calling for increased emphasis on professional skepticism and forensic-type auditing. That is, claiming that compliance with more specific standards will improve audit effectiveness and calling for more forensic (investigative) auditing seem to be incompatible behaviors that few auditors will likely be able to resolve.
Assurance standards should and will always guide practice, and the Panel on Audit Effectiveness' recommendation to develop more specific standards that guide practice is not, by itself, wrong. However, both standards and practice should be grounded in fundamental assurance concepts, and plans to do this are not apparent in the Panel’s recommendations or in the Auditing Standards Board’s (ASB) response to these recommendations.
The next section presents an argument for why the profession should first establish a conceptual framework for assurance, a framework that includes basic assurance concepts and relationships among these concepts. The conceptual framework for assurance would then serve as the foundation for developing assurance standards, including generally accepted auditing standards. Firms’ audit methodologies would then be based on both standards and a conceptual framework that underlies the standards.
Concepts as the Foundation for Assurance Standards
To understand why and how assurance standard setting and practice could benefit from a conceptual framework, we can look to reasons why the Financial Accounting Standards Board (FASB) established a conceptual framework for financial accounting and reporting. As noted in the introduction to Concept Statement 1, Objectives of Financial Reporting by Business Enterprises, the objectives and concepts identified and described in the FASB's conceptual framework "Set forth fundamentals on which financial accounting and reporting standards will be based." (emphasis added) (FASB 2000, 4). Financial accounting’s conceptual framework therefore directly impacts and benefits standard setting and indirectly impacts and benefits accounting practice, which is where standards are applied.
The financial accounting conceptual framework also identifies and defines concepts that can be used as tools for resolving accounting and reporting questions (Foster and Johnson 2001). The FASB's concept statements can help solve complex accounting problems by (Storey and Storey 1998, 86):
· Providing a set of common premises as a basis for discussion.
· Providing precise terminology.
· Helping to ask the right questions.
· Limiting areas of judgment and discretion and excluding from consideration potential solutions that are in conflict with it.
· Imposing intellectual discipline on what traditionally has been a subjective and ad hoc reasoning process.
Accounting for leases is one complex problem currently facing financial accounting standard setters and practitioners. Recent discussion of this controversial issue suggests using the FASB's conceptual framework to choose between alternative accounting treatments for leases (Monson 2001) and recommends that whatever approach the FASB takes be consistent with the concept statements (AAA 2001). The conceptual framework for financial accounting is therefore perceived and used as an important source of guidance for setting standards that affect accounting practice. Financial statement auditing does not have an underlying conceptual framework, other than the audit risk model, that can guide standard setting and practice.
Using objectives and concepts to provide direction and structure to reporting standards and practice enhances the credibility of financial accounting (Foster and Johnson 2001). Basing assurance standards and practice on a set of fundamental concepts could similarly enhance the credibility of assurance services, which is especially important at this time when the credibility of financial-statement auditing is being questioned by regulators, financial-statement users, company management, and, perhaps, by auditors themselves.
Safeguarding Intellectual Capital Resources
Some of a firm’s intellectual capital, for example, copyrights and patents, is reported in its financial statements as intangible assets. Other intellectual capital, for example, knowledge and experience of managers, has value to the firm, but such value is not quantified and reported in the financial statements. For intellectual capital that is quantified and reported on a company’s balance sheet, the financial-statement value can differ dramatically from the revenue-producing value that the resource has to the firm. A familiar example would be patents held by pharmaceutical firms, which have low financial-statement value as compared with revenue-generating value.
Independent auditors provide reasonable assurance that the value reported on the balance sheet for intangible assets is not materially misstated and that it is fairly presented in accordance with GAAP. Management has primary responsibility for assuring that the financial-statement value for an intangible asset is accurate, but management must also assure that the potential revenue-generating value of the intangible asset is safeguarded.
Napster’s infringement of music copyrights illustrates the distinction between the auditor’s and management’s assurance focus. A recording company's independent auditor is primarily concerned with providing reasonable assurance that the dollar amount for copyrights reported on the company's balance sheet is not materially misstated. Management is responsible for ensuring that the recorded amount for copyrights is fairly presented, although management’s primary concern is assuring that the revenue-generating potential of copyrighted recordings is protected. The music industry did not sue to shut down Napster because financial-statement amounts were misstated. They sued to protect the value of copyrighted music to individual recording companies and to the industry as a whole.
A conceptual framework for assurance must be broad enough to encompass different types of assurance needs and situations. For example, different needs for assurance on different types of assets or information to benefit different groups must fit within the conceptual framework. Related to the above example, a conceptual framework should be broad enough to encompass assurance responsibilities of independent auditors for record companies as well as assurance needs of record company management and the overall recording industry. The proposed conceptual framework for assurance presented in the next section therefore encompasses traditional assurance services, including financial-statement audits and attestation engagements, and assurance needs of organizations, including safeguarding of all value-producing resources or assets, information and information systems, data, and reputation. The model also encompasses expanded assurance responsibilities that would result from future developments in business reporting.
CONCEPTUAL FRAMEWORK FOR ASSURANCE
The proposed conceptual framework for assurance is shown below in Figure 1. Identified in the framework are the major resources for which assurance is needed and the basic assurance concepts, including criteria (materiality), risk, control, evidence (professional skepticism), and objectivity (independence). Relationships among the concepts and between the concepts and resources requiring assurance are also specified in the proposed conceptual framework for assurance model. Each model component and relationships among components are briefly described in the following sections.
Insert Figure 1 here
The first model component identifies assets or resources for which assurance is generally needed. Each identified item in this component of the model impacts a company's financial performance and is therefore of interest to external decision-makers, auditors, and company management.
Information can include financial information reported by an entity to regulatory agencies and other external parties, non-financial performance and strategic information, intellectual property, information systems, and data. Intellectual property, which is also known as intellectual capital or knowledge, is the primary source of value for products such as software, pharmaceuticals, recordings, and publications. Some intellectual property rights are captured on balance sheets as intangible assets, but much of the knowledge assets that drive financial performance for today's companies are not formally measured and reported. Whether reported or not, assurance that rights to intellectual property are safeguarded is needed to protect a company's operations and financial performance.
Advances in information technology have dramatically increased companies’ reliance on computerized information systems to conduct operations and to gather and report performance information both internally and externally. Maintaining operations and reliably reporting performance information require assurance that, for example, information system controls function effectively and databases are kept secure. Primary responsibility for providing such assurance may rest with a company’s internal auditors, although external auditors must understand and rely on controls in a client’s information system. Assurance on information system reliability and database security is therefore important to both internal and external parties.
Assets include tangible resources such as inventory and property, financial resources such as cash, receivables, and investments, and intangible resources such as copyrights, trademarks, and patents. There is some overlap between intangible assets and intellectual property, with the former including only those assets measured and reported on the balance sheet and the latter including intellectual capital not captured and reported by the information system.
The primary determinant of a firm's financial performance is often its reputation or brand image. Firms with strong brand reputations generate higher unit volume sales and can command premium prices and profit margins. Firms whose reputation for quality or reliability has been compromised suffer lost unit sales and lower revenue and profit margins, both causing poorer financial performance. Firestone and Ford provide a vivid example of how significantly financial performance can be adversely affected when a company's brand reputation is compromised. Enron’s recent collapse not only destroyed that company but also damaged Arthur Andersen's reputation for quality auditing, threatening not only a loss of clients and revenue, but possibly the survival of the firm as an independent entity (Weber et al. 2001).
A recent study by Nagar and Rajan (2001) found that both financial and non-financial quality measures are leading indicators of future sales. This result again confirms the importance of quality (reputation) to financial performance and supports plans to include quality measures in the business-reporting model (Nagar and Rajan 2001, 496). A future need to attest to assertions about quality was recognized by Elliott (1994a, 121). Both the empirical result and Elliott's observation support including brand or company reputation in the conceptual framework for assurance.
Providing assurance is not possible without first identifying criteria against which assurance can be measured and a materiality threshold. For example, generally accepted accounting principles (GAAP) are the criteria for financial-statement audits and materiality is generally defined as being a misstatement that could affect financial statement users’ decisions. Auditors therefore provide reasonable assurance that financial statements are fairly presented in accordance with GAAP, which are the criteria for identifying materially misstated financial statements.
Security breaches and system failures would be among the criteria for providing assurance on information system reliability. Criteria for assets would relate to security from theft or improper use, while criteria for brand or company reputation might be the public reporting of any negative information about the company or quality ratings issued by independent agencies such as J.D. Power or Consumer Reports.
Products whose value is derived principally from intellectual property require legal protection of rights to benefits derived from ownership of such property (Murray 2001). Criteria for providing assurance on intellectual property would therefore come from relevant copyright, patent, and antitrust laws or regulations. Similarly, criteria for engagements whose objective is compliance, such as environmental audits or debt covenant compliance, would be derived from applicable laws or agreements.
The term risk implies some expectation of future loss or other undesirable outcome. For example, investment risk, information risk, accident risk, and the risk of illness all indicate the possibility of some negative consequence or outcome. In the assurance context, risk refers to the possibility that financial statements will be materially misstated, information systems will fail or be broken into, assets will be stolen, data will be lost or stolen, intellectual property rights will be breached, or reputation will be damaged.
These examples indicate how risk is a general concept that is applicable to different situations or events. The basic risk concept therefore takes on meaning only when applied within some context or to some event or outcome. Audit risk is therefore the application of the general risk concept to a situation where an auditor issues an unqualified opinion on materially misstated financial statements. Similarly, business risk is the application of the basic risk concept to a situation where external or internal conditions prevent an entity from achieving its business objectives. Much as revenue recognition and matching are basic financial accounting concepts that are applied to different types of earnings processes, risk is a general concept that is applicable to different assurance contexts.
Control implies some attempt to exercise restraint over someone or something or to influence the direction that some object might take. For example, we control the speed of our car by applying the brake or easing off the gas pedal, while traffic flows are controlled using signals and directional arrows and signs. In an assurance context, control refers to a company's financial reporting (internal) controls, access or programmed controls to protect information systems, security systems to protect tangible assets, backup procedures to protect data, and management monitoring and responsiveness to safeguard a company’s reputation.
As with risk, control is a general concept that becomes meaningful when applied within a specific context. Within the assurance context, internal control refers to a process designed and implemented to provide reasonable assurance that operations are effective and efficient, financial reporting information is reliable, and relevant laws and regulations are complied with. More generally, controls to protect against unreliable information in the financial reporting system include a company’s internal control system, generally accepted accounting principles, and independent audits.
Evidence (professional skepticism)
Evidence includes any information gathered as part of an assurance engagement, including, for example, the criteria by which assurance is being measured, the nature of risks and consequences of risks being realized (e.g., types of misstatements that could occur), and the nature and effectiveness of controls. Characteristics that make evidence persuasive, including relevance, reliability, timeliness, and sufficiency are well established in the standards, although perhaps not well enough implemented in practice as criticism of auditor effectiveness suggests.
Of particular importance to effective assurance are the multidirectional relationships among the risk, control, and evidence concepts. These multidimensional relationships reflect the need to conduct an assurance engagement with an attitude of professional skepticism. Professional skepticism is included as part of the evidence concept because of the importance that auditors adopt a skeptical attitude when gathering and evaluating evidence. Perhaps most important to exhibiting an appropriate level of professional skepticism is the need for auditors to adapt audit programs whenever new evidence is inconsistent with prior evidence or previously-established expectations. For example, a professionally skeptical auditor would extend substantive testing when new evidence is inconsistent with a reduced level of control risk.
Auditor independence has probably received more attention in recent years than has any other factor impacting audit effectiveness. Prompted by findings that independence rules were being violated by individual auditors and firms and by continuing criticism that consulting revenues are clouding auditors’ independent judgments and ability to stand up to clients, the profession responded by establishing the Independence Standards Board (ISB). The ISB issued a conceptual framework for independence and specific rules designed to strengthen auditor independence.
Independence has been described as the cornerstone of auditing, and certainly independence is what gives the auditor’s opinion on financial statements most of its credibility. Independence is therefore a fundamental assurance concept. But is independence valued for its own sake or because independence makes it more likely that the individual(s) providing assurance will be as objective (unbiased) as possible when collecting and evaluating evidence and when expressing an opinion? Auditors are required to be independent so that they will be objective when fulfilling their professional responsibilities, so objectivity is the goal of independence.
The concepts of objectivity and independence are not, for lack of a better word, independent, but they are sufficiently distinct to require separate identification in the proposed conceptual framework. Objectivity is identified as the primary concept because it is the reason independence is required. That is, independence without objectivity would be unacceptable, while objectivity without independence, while not desirable, should at least lead to an acceptable result.
The multi-directional relationships among risk, control, and evidence in the conceptual framework encompass the basic risk model for financial-statement audits. Earlier in the paper, we asked whether the audit risk model is basic theory or the application of basic theory to the specific context of a financial-statement audit. The audit risk model is theoretical, but, as the conceptual framework model shows, it is not the basic theory for assurance.[2] Instead, the audit risk model is the application of basic assurance concepts to the context of a financial-statement audit. Inherent risk is therefore the application of the basic risk concept to the possibility that financial statements are misstated, while control risk is the application of the basic control concept to the situation where internal controls operate to prevent and/or detect financial statement misstatements. Similarly, the evidence concept applied to the audit risk model refers to substantive tests conducted in response to assessed levels of inherent risk and control risk. Substantive tests, in turn, affect another risk application, detection risk.
An alternative way to demonstrate how the audit risk model is the application of basic assurance concepts and not the basic assurance theory is to show how the basic concepts are applicable beyond financial-statement audits. As previously discussed, intellectual capital and brand reputation are important resources driving firm financial performance and neither resource is currently quantified and reported in a firm’s financial statements. Yet both resources are at risk of theft, loss, or damage, any of which will negatively impact the firm’s financial performance. Controls are therefore needed to safeguard a firm’s intellectual capital and brand reputation. Internal auditors and management would generally be responsible for gathering evidence to, for example, monitor the nature of risks to intellectual capital and brand reputation and to adapt controls to changing risks. The context differs from financial-statement auditing, but the basic assurance concepts remain relevant and applicable to intellectual capital and brand reputation resources.
Audits conducted by most firms consider risks at the entity level in addition to risks of misstatement at the financial-statement assertion level. Specifically, most firms begin an audit by considering an entity’s business risks and the potential that such risks could lead to materially misstated financial statements. Because firms’ audit approaches already consider business risk, the ASB is likely to conclude that auditing standards should require consideration of business risk (Pany and Whittington 2001).[3] This change would then require auditors to determine and corroborate management’s actions to control these risks, design tests of controls and substantive tests to assess the impact of business risks on financial statements, and conduct tests that specifically address identified risks (Pany and Whittington 2001, 403). Note that these changes would be in addition to audit planning and execution requirements of the existing audit risk model.
These potential changes to auditing standards are consistent with the proposed conceptual framework for assurance. The framework, in fact, allows for including business risks, relevant controls, and related audit tests as part of an expanded audit approach. Firms’ current audit approaches that include business risk and the ASB’s consideration of changes to the audit risk model are both encompassed within the conceptual framework. Moreover, the framework can be a useful guide for developing and implementing a new audit approach.
This section identifies implications of establishing a conceptual framework for assurance on standard setting and practice, research, and education. The implications are not dependent on the specific conceptual framework presented in this paper, and are instead derived from the need to establish a conceptual framework for assurance.
Audit standard setting in the United States has generally been reactive rather than proactive. New standards have been issued and existing standards modified in reaction to criticism of auditors' performance, mostly from the Securities and Exchange Commission following reports of auditors’ apparent ineffectiveness at detecting fraud or curbing widespread earnings management. For example, the Auditing Standards Board’s current work to enhance the audit risk model was undertaken in reaction to a recommendation from the Panel on Audit Effectiveness, a group created in response to criticism of auditor effectiveness.
Much as the Financial Accounting Standards Board is the primary beneficiary of the financial accounting concept statements, the Auditing Standards Board would be the principal beneficiary of a conceptual framework for assurance. A conceptual framework would provide a foundation for developing new assurance standards and modifying existing standards. New standards will always be required to deal with problems in the assurance environment, but a conceptual framework for assurance could help the ASB develop standards proactively and develop standards that are internally consistent.
First establishing a conceptual framework and then developing standards from that framework is the approach taken recently by the Independence Standards Board. It is curious, and somewhat illogical, that we now have a conceptual framework for independence but we do not yet have a conceptual framework for assurance. If a conceptual framework was considered necessary for developing new independence standards, then shouldn’t a conceptual framework be necessary for developing new assurance standards? If a conceptual framework underlies financial accounting standards, then shouldn’t a conceptual framework underlie standards for auditing financial statements?
A conceptual framework would provide a common language to use in setting standards and in resolving complex problems facing the assurance profession. Agreement on basic concepts would allow debate to focus on problems and challenges facing the assurance profession while minimizing disagreement over basic theoretical issues. For example, a conceptual framework could provide a common set of concepts and terminology for discussions aimed at enhancing the audit risk model and improving audit effectiveness. A conceptual framework could also be useful in identifying potential problems, thereby allowing standard setters and practitioners to respond proactively rather than reactively.
Implications for Research
The primary research implications of the conceptual framework are that it would help organize extant assurance research and assist researchers in identifying important, unexamined research questions relevant to all types of assurance services. Pany and Whittington (2001) identified promising areas of research derived from the Panel on Audit Effectiveness’ recommendations to the ASB. These recommended research topics fit within the conceptual framework for assurance, but the framework can also be useful in identifying important research topics that are not derived from the Panel’s recommendations. The conceptual framework would therefore supplement Pany and Whittington (2001) as an important source of research topics that could assist assurance standard setters and practitioners.
Implications for Education
Education is interpreted here as including both university-level education and continuing professional education. Accounting education has historically been very procedural in nature, focusing mostly on standards and rules with relatively little attention to basic theoretical concepts and the application of those concepts. Financial accounting courses cover the basic concept statements, although the focus of these courses, as reflected in the textbooks, is having students learn generally accepted accounting rules or standards. Similarly, students in tax classes are taught the Internal Revenue Code and students in auditing classes learn the Statements on Auditing Standards.
Despite repeated calls for change, accounting education remains largely procedures-oriented with relatively little attention to theory. Change has been difficult, in part, because of the procedural nature of most accounting textbooks. As noted by current American Accounting Association President, Joel Demski (2001), current accounting textbooks suffer from a perceived need to list every rule published by the FASB and from a lack of foundations. Demski’s observations are especially relevant to assurance education, which does not have an identified, agreed-upon conceptual foundation that could be taught to accounting students.
A review of current auditing/assurance texts will confirm that a basic conceptual framework for assurance is not being taught to our students. In fact, textbooks show little agreement on underlying concepts, with each book identifying a unique set of “basic concepts”. The concept sets included in most current auditing/assurance texts are also incomplete, since almost no current text identifies control as a basic assurance concept.
A conceptual framework for assurance will not magically improve assurance education, but it would bring agreement to the basic assurance concepts and relationships among these concepts. A conceptual framework would provide a context for helping students understand the nature of assurance and can help them apply these basic concepts to different situations within a specific type of engagement and to different types of assurance engagements. For example, a conceptual framework for assurance would be applicable to different types of clients for which financial-statement audits are being conducted and to assurance engagements other than financial-statement audits, including attestation engagements, new assurance services being developed by the profession, and business advisory services. Ultimately, a conceptual framework could offset a tendency to conduct audits with a compliance mentality and, relatedly, promote higher levels of professional skepticism. Both effects would improve auditor effectiveness.
The objectives of this paper were to establish why a conceptual framework for assurance is needed and to present a proposed conceptual framework model that identifies primary assurance concepts and relationships among concepts. The conceptual framework presented in this paper is only a starting point for developing a conceptual framework for assurance. Additional work is needed to challenge the sufficiency of the proposed framework and to more fully describe the identified concepts and relationships among concepts. Future work on the conceptual framework for assurance should involve assurance practitioners, academicians, regulators, and financial-statement user groups.
Using objectives and concepts to provide direction and structure to reporting standards and practice enhances the credibility of financial accounting (Foster and Johnson 2001). Basing assurance standards and practice on a set of fundamental concepts could similarly enhance the credibility of assurance services. This is especially important at this time when auditors must rebuild, and not just protect, the profession's credibility. Failure to regain credibility will continue to erode the value of financial-statement audits and threaten opportunities to develop and offer new assurance services that build on the profession's reputation for integrity and competence.
Recommendations made by the Panel on Audit Effectiveness are significantly affecting the ASB’s current agenda and will likely shape its agenda for the next several years (Pany and Whittington 2001). The ASB must respond in the short term to the Panel’s recommendations by changing standards in a way that will improve audit effectiveness in practice. However, a longer-term approach for improving assurance standard setting and practice, an approach that includes a conceptual foundation for assurance, is also needed. The ASB should therefore not miss the opportunity provided by the current crisis of confidence to at least begin work on a conceptual framework that will not only enhance the effectiveness of financial-statement audits, but will also provide guidance for all types of assurance services.
1. The audit risk model is often presented as the basic theoretical or conceptual foundation for financial-statement auditing. Although theoretical, the audit risk model is more the application of basic assurance theory to the context of a financial-statement audit than it is basic assurance theory.
2. It might be argued that the audit risk model is the conceptual framework for financial-statement audits, although the assurance concepts criteria, materiality, and objectivity (independence) are not explicitly specified in the model. At best, the audit risk model should therefore be considered a partial conceptual framework for financial
3. Business risk refers to the possibility that an entity will not meet its objectives or goals. Affecting business risk are economic factors, industry conditions, and firm-specific decisions related to strategy and business activities. Management cannot dictate conditions in the entity’s external business environment, but instead must develop and implement high-level, entity-wide controls to manage the negative impact that such conditions will have on the entity’s operations and financial performance. Although business risk is not included in the current risk model underlying financial-statement audits, business risk and related management controls are encompassed in the broader conceptual framework for assurance.
American Accounting Association Financial Accounting Standards Committee. 2001. Evaluation of the Lease Accounting Proposed in G4+1 Special Report. Accounting Horizons. Vol. 15, No. 3 (September), pp. 289-298.
American Institute of Certified Public Accountants. 1997. Considering Fraud in a Financial Statement Audit: Practical Guidance for Applying SAS No. 82. AICPA:
AICPA Special Committee on Financial Reporting. 1994. Improving Business Reporting-A Customer Focus. American Institute of Certified Public Accountants. New York.
Bell, T. B., F. O. Marrs, I. Solomon, and H. Thomas. 1997. Auditing Organizations Through a Strategic-Systems Lens: The KPMG Business Measurement Process. New York: KPMG Peat Marwick LLP.
Committee on Basic Auditing Concepts. 1973. A Statement of Basic Auditing Concepts. Studies in Accounting Research No. 6. American Accounting Association. Sarasota.
Demski, J. S. 2001. President’s Message. Accounting Education News. American Accounting Association. Fall 2001. Sarasota, FL.
Elliott, R. K. 1998. Assurance Services and the Audit Heritage. Auditing: A Journal of Practice & Theory. Vol. 17 Supplement, pp. 1-8.
Elliott, R. K. 1994a. Confronting the Future: Choices for the Attest Function. Accounting Horizons. Vol. 8, No. 3, pp. 106-124.
Elliott, R. K. 1994b. The Future of Audits. Journal of Accountancy. September 1994.
Foster, J. M. and L. T. Johnson. 2001. Why Does the FASB Have a Conceptual Framework? Understanding the Issues. August, FASB; Norwalk, Connecticut.
King, R. R. and R. Schwartz. 1998. Planning Assurance Services. Auditing: A Journal of Practice & Theory. Vol. 17 Supplement, pp. 9-36.
Mautz, R. K. and H. Sharaf. 1961. The Philosophy of Auditing. American Accounting Association, Sarasota, FL.
Monson, D. W. 2001. The Conceptual Framework and Accounting for Leases. Accounting Horizons. Vol. 15, No. 3 (September), pp. 275-288.
Murray, A. 2001. Intellectual Property: The Old Rules Don't Apply. The Wall Street Journal, August 23, 2001, p. A1.
Nagar, V. and M. V. Rajan. 2001. The Revenue Implications of Financial and Operating Measures of Product Quality. The Accounting Review. October 2001, pp. 495-513.
Panel on Audit Effectiveness. 2000. Report and Recommendations. Stamford, CT: Public
Pany, K. J. and O. R. Whittington. 2001. Research Implications of the Auditing Standards Board’s Current Agenda. Accounting Horizons. Vol. 15, No. 4, pp. 401-411.
Robertson, J. C. 1984. A Defense of Extant Auditing Theory. Auditing: A Journal of Practice & Theory. Vol. 3, No. 2 (Spring), pp. 57-67.
Storey, R. K. and S. Storey. 1998. The Framework of Financial Accounting Concepts and Standards. Financial Accounting Standards Board; Norwalk, Connecticut.
Weber, J., D. Little, D. Henry, and L. Lavalle. 2001. Arthur Andersen, How Bad Will it Get? Business Week, December 24, 2001, pp. 30-32.
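[Figure: conceptual framework model for assurance; surviving box labels: "Evidence (Professional Skepticism)", "Criteria (Materiality)"]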