Risk assessment system

Upload: eva-pae-o

Post on 01-Jun-2018


  • 8/9/2019 Risk Assesment System


    The development of audit detection risk assessment system: Using the fuzzy theory and audit risk model

    She-I Chang a,*, Chih-Fong Tsai a, Dong-Her Shih b, Chia-Ling Hwang a

    a Department of Accounting and Information Technology, National Chung Cheng University, Taiwan
    b Department of Information Management, National Yunlin University of Science and Technology, Taiwan

    Abstract

    The result of audit designation is significantly influenced by the audit evidence collected when planning the audit, and the amount of audit evidence depends on the degree of detection risk. Therefore, when the assessment factors of detection risk are more objective and correct, audit costs and the risk of audit failure can be reduced. Thus, the aim of this paper is to design an audit detection risk assessment system that can assess detection risk more precisely than the traditional determination method of detection risk, in order to increase the audit quality and reduce the possibility of audit failure. First of all, the grounded theory is used to reorganize 53 factors affecting detection risk mentioned in the literature, and the Delphi method is then employed to screen the 43 critical risk factors agreed upon by empirical audit experts. In addition, using the fuzzy theory and audit risk model to calculate the degree of detection risk allows the audit staff to further determine the amount of audit evidence collected, set up initial audit strategies and construct the audit detection risk assessment system. Finally, we considered a case study to evaluate the system in terms of its feasibility and validity. © 2007 Elsevier Ltd. All rights reserved.

    Keywords: Detection risk; Grounded theory; Fuzzy theory; Audit risk model

    Expert Systems with Applications 35 (2008) 1053–1067. Available online at www.sciencedirect.com; www.elsevier.com/locate/eswa

    doi:10.1016/j.eswa.2007.08.057

    0957-4174/$ - see front matter © 2007 Elsevier Ltd. All rights reserved.

    * Corresponding author. Tel.: +886 05 2720411x34510. E-mail address: [email protected] (S.-I. Chang).

    1. Introduction

    Many accounting and law experts thought that the main reason for the lawsuits encountered by accounting firms was that the policymakers using financial statements misunderstood the relation between business failure and audit failure (Arens, Elder, & Beasley, 2005). Because of the external economic environment or the corporate situation (for example, the industry is in depression and the manager’s capacity, integrity, and capital are insufficient), the enterprises could not pay off the debts or satisfy the investors’ expectation. This situation is called business failure. The most serious business failure refers to bankruptcy. When audit staff cannot practice the audit work according to the acknowledged audit criteria and submit wrong audit opinions (for instance, the audit staff do not pay professional attention and do not collect sufficient evidence), it becomes audit failure. Khurana and Raman (2004) also indicated that audit failure does not necessarily lead to business failure; however, after business failure, the investors and creditors of the enterprises would pay attention to the existence of the audit failure. For every audit case, the audit staff carried the audit risk and the possibility of submitting wrong opinions. Even though the audit staff has paid professional attention and presented a proper audit opinion, which did not lead to audit failure, they might still face the risk of lawsuits because of the business failure of the auditee. Therefore, the auditors should understand more about the industry and the enterprise of the auditees when receiving audit authorization and planning the audit; they should also use and plan the audit work in order to upgrade the audit quality and further reduce the risk of lawsuits (Arens et al., 2005; Krishnan & Krishnan, 1997).

    When planning the audit work, the auditors decide the degree of detection risk of the plans and the expected amount of audit evidence to collect through their understanding of the target enterprise and industries and assessment of the auditees’ operational risk, execution of analytical process, seriousness of assessment and acceptable audit risk, and the degrees of inherent risk and control risk (Audit Bulletin No. 24, 1993). Therefore, the determination of detection risk would not only influence the progress of audit strategies, but also significantly influence the results of the audit.

    When evaluating the detection risk, the auditors should be more precise and careful. When the auditors are determining uncertain affairs such as risks, they tend to use linguistic terms such as “low”, “medium” and “high”, instead of sequential numbers. However, for the determination of detection risk, it was difficult to reflect the influences of audit risk, inherent risk, and control risk on detection risk only by using the terms low, medium and high. Therefore, the final determination of the audit result was according to the ultimate judgment of the auditors (Mock, Wright, & Srivastava, 1998). However, many studies have been suspicious of the auditors’ professional judgmental capability to distinguish audit evidence and proper responses, and they indicated that the audit staff’s professional judgment was profoundly affected by training, experience, and the capabilities dealing with time and complicated issues (Bedard & Graham, 2002; Helliar, Lyon, Monroe, Ng, & Woodliff, 1996; Khurana & Raman, 2004; Krishnan & Krishnan, 1997; Low, 2004; Turner, Mock, & Srivastava, 2002a; Wustemann, 2004).

    The result of audit designation is significantly influenced by the audit evidence collected when planning the audit; the amount of audit evidence depends on the degree of detection risk. Therefore, when the assessment factors of detection risk are more objective and correct, audit costs and the risk of audit failure can be reduced. At present, the risky environment faced by the auditors is further filled with risks such as asymmetric information and complicated and flexible selection of accounting methods, which might confuse the audit key points for the audit staff. Thus, corruption cases were exposed one after another and the investors attributed the business failure to the audit failure. If the auditors still subjectively judge the influences of audit risk, inherent risk and control risk on detection risk, it might lead to errors in establishing the audit strategy and further increase the risk of audit failure. Therefore, the research question in this research was: compared with the traditional determination of detection risk, is there a more precise detection risk assessment model that can upgrade audit quality and reduce the possibility of audit failure? In order to find out the critical risk factors influencing detection risk, as identified by academia and empirical circles, this research provided the auditors with a base to assess the risks and established a more objective method to decide the detection risk, eliminating the disadvantage of depending only on the auditors’ subjective judgment.

    This paper is organized as follows. Section 2 reviews related literature including audit risk and the fuzzy theory. Section 3 presents the research methodology of this paper. Section 4 describes the development of the audit detection risk assessment system. Section 5 provides a case study to evaluate the system. Conclusions and future research are given in Section 6.

    2. Literature review

    Taiwan Audit Criteria Bulletin No. 24 (1993) indicated that the collection of audit evidence depended on the degree of detection risk. When the auditors planned the audit work, through their understanding of the enterprise and industry of the auditees, assessment of operational risk of auditees, execution of analytical process, seriousness of assessment and acceptable audit risk, and the degrees of inherent risk and control risk, they further determined the degree of detection risk of the plans. Thus, this section will examine the definition and influence factors of the audit risk and the audit risk model, and explore the methodology used to construct the audit detection risk assessment system: the fuzzy theory.

    2.1. Definitions of audit risk and audit risk model

    AICPA (1983) defined audit risk as consisting of inherent risk, control risk, and detection risk. Inherent risk means the possibility of serious misstatement in the financial statements under the condition that there is no internal control. Wustemann (2004) pointed out that the factors influencing inherent risk included (1) asset flow; (2) the assessment method established according to accounting assumption; (3) general economic situation; and (4) technical development. Control risk means the risk that the internal control of the auditee could not immediately prevent or detect serious errors. Bedard and Graham (2002) also indicated that the following factors would influence the assessment of control risk: (1) the organizations and staff of the accounting department of the auditees; (2) the internal conditions of the auditees, which were beneficial for detecting or preventing fraudulence; (3) safety of the EDP system; and (4) management information for detecting corporate activities. Detection risk means the risk that the audit personnel’s tests could not detect the serious misstatement in the financial statements. Audit Criteria Bulletin No. 24 (1993) indicated that the factors affecting detection risk assessment are (1) selecting an improper audit process; (2) errors in execution; (3) misunderstanding the audit results; (4) the adoption of random inspection.

    Audit planning should include eight steps: the preparation before accepting audit authorization, understanding the clients’ enterprises and industries, assessing the operational risk of the clients, execution of initial analytical process, setting significant standard, assessing acceptable audit risk and inherent risk, understanding internal control and evaluating control risk, collecting information to assess fraudulence risk and developing overall audit plan and audit formula (Arens et al., 2005). Arens et al. (2005) further indicated that the factors influencing audit risk include (1) significant standard; (2) auditees’ operational risk; (3) the degree of external users’ trust in the financial statements; (4) the possibility of the auditees’ financial difficulties after submitting the audit report; (5) audit staff’s assessment of the integrity of the managerial level. AICPA (1983) believed that the following factors influence the assessment of audit risk: (1) the scale and complexity of auditees; (2) audit personnel’s understanding of the audit business; (3) audit staff were influenced by the knowledge of corporate operation.

    Audit personnel’s assessment of audit risk would affect the design of the following audit strategies. At the initial stage of audit planning, improper audit risk assessment would lead to wrong resource distribution and inefficient or ineffective audit results (Helliar et al., 1996; Khurana & Raman, 2004; Krishnan & Krishnan, 1997; Low, 2004). At present, the common basic audit risk assessment methods include (Arens et al., 2005; Cushing, Graham, Palmrose, Roussey, & Solomon, 1995; Low, 2004; Messier & Austen, 2000; Taylor, 2000; Wustemann, 2004): risk factor analysis; fuzzy combined assessment; internal control assessment; analytical audit; audit risk model; qualitative risk assessment; and risk rate assessment (footnote 1). AICPA’s (1983) audit risk model provided the major conceptual framework of the audit process, which described that when the audit personnel plan the audit work, according to their understanding of the auditees’ business, they should professionally judge and set up the audit risk level, which could affect the submission of proper audit opinions for the financial statements, consider the remaining sum of each subject or various exchange factors and related internal control, and assess the degrees of inherent risk and control risk. According to the study of Arens et al. (2005), the factors influencing the accountants’ professional judgment include the audit work environment, audit personnel’s characteristics, audit evidence, decision-making process and quality characteristics determined. Therefore, the audit personnel should follow the audit risk limit accepted, the remaining sum of each subject or different exchanges, inherent risk and control risk to set up the acceptable detection risk limit for establishing the audit process.

    The audit risk model is expressed as $AR = IR \times CR \times DR$. In other words, audit risk refers to the risk that the auditees’ financial statements could not reveal misstatement or fraudulence after their internal control activities and audit personnel’s detection. In the audit risk model, the items of ($IR \times CR$) are sometimes called “auditee risk” or “occurrence risk”, since these two risks mean the risk that before the audit, the misstatement has already existed in the financial statement (Khurana & Raman, 2004; Low, 2004). The audit personnel could not control these two risks; however, they must assess their levels in order to determine the scale of audit test in the regulated audit risk level (Messier & Austen, 2000). Taiwan Audit Criteria Bulletin No. 24 (1993) also allowed the audit personnel to individually or collectively consider inherent risk and control risk. The determination of detection risk on audit risk model is expressed as $DR = \frac{AR}{IR \times CR}$.

    The criteria also indicated that when the audit personnel plan the audit work, they should initially judge the acceptable audit risk and significance standard in order to acquire sufficient and proper audit evidence. AICPA (1983) also defined significance as the degree of influence that when certain information was neglected, in error or unexposed, it might not be beneficial for the resource distribution policy making of the financial statement users. When the audit personnel distribute the overall significant level to the remaining sum of each account or exchange, it is called tolerable misstatement. In the audit risk model, we realize that there is a positive relation between detection risk and audit risk; however, it has reverse relations with inherent risk and control risk (Arens et al., 2005; Low, 2004). When the audit personnel decide the remaining sum of certain subject or the process property, time, and scale of exchange patterns, the lower the significant level is, the higher the degree of audit personnel’s acceptable audit risk. On the contrary, the higher the remaining sum of the subject or significant level of exchange pattern is, the higher the degree of audit personnel’s acceptable audit risk. Therefore, there is a reverse relation between audit risk and significance and there is also a reverse relation between detection risk and significant level (Arens et al., 2005; Martinov & Roebuck, 1998). The audit evidence refers to the data collected by the audit personnel upon their professional judgment in order to render opinions with respect to the propriety of financial statements. The sufficiency and propriety of audit evidence determine the amount and reliability of the evidence acquired. There is also a reverse relation between audit evidence and audit risk (Arens et al., 2005; Khurana & Raman, 2004; Low, 2004). Fig. 1 describes the relation among the risks of audit risk model, significant level, and audit evidence.

    [Figure: diagram linking audit risk, inherent risk, control risk, significant level, detection risk and audit evidence, with each link labelled “Positive” or “Reverse”.]

    Fig. 1. Relations among the risk composition in audit risk model, significant level and audit evidence.

    1 Risk rate = the occurrence frequency of the risk × the average loss of the risk.


     2.2. The fuzzy theory

    Zadeh (1965) proposed the fuzzy theory and introduced the concept of membership function in order to deal with the difference of linguistic variable. He thought that there was a certain degree of fuzziness in terms of people’s thoughts, inference and perception. Its aim is to solve the data of uncertainty or fuzziness in the environment.

    The fuzzy theory has had a considerable theoretical base for studying uncertain and subjective issues. The theory was later widely applied to fields such as AI, control engineering, expert systems, managerial science, business studies, multi-principle decision making and risk assessment, etc. (Akhter, Hobbs, & Maamar, 2005; Lee & Park, 1997; Mujumdar & Sasikumar, 2002; Ross, Sorensen, Savage, & Carson, 1990; Tanaka & Sugeno, 1992; Toshiro, 1994).

    Thus, the theoretical framework of this paper is to apply the fuzzy theory to construct the assessment of audit risk. The content related to the fuzzy theory is as follows:

     2.2.1. Fuzzy set

    Fuzzy set means the set signifying things with specific properties and unclear boundaries. The fuzzy sets theory aims to solve the uncertainty or fuzzy data in realistic environment. The definition of fuzzy set is as follows (Arens et al., 2005; Lee & Park, 1997; Mujumdar & Sasikumar, 2002).

    $U$ is treated as discourse target and is called universe of discourse (or universal set); the target in each universe of discourse is called element (or member) and is represented by $x$; the fuzzy subset $A$ on $U$ means that for any $x \in U$, there is a real number designated. $\mu_{\tilde{A}}(x) \in [0, 1]$ is the degree of membership of $x$ on $A$. $\mu_{\tilde{A}}(x) : U \to [0, 1]$ is called the membership function of $A$. When the universe of number of $A$ is $\{0, 1\}$, $\mu_{\tilde{A}}(x)$ becomes the characteristic function of an ordinary subset and $A$ becomes an ordinary subset.

    The height of the fuzzy set means the maximum degree of membership, which is represented by $\mathrm{hgt}\,A$. $A$ is the fuzzy set of normalization and it means the fuzzy set in which there is at least one element of degree of membership referring to 1. The height of $A$ is $\mathrm{hgt}\,A = 1$.

     2.2.2. Membership function

    Membership function is also called degree of membership, which means the compatible or real degrees between the element and set. In other words, membership function means the degree that one element belonged to a certain set. That is to say, when the element has higher degree of membership, it means the degree of the set is higher. We treat $U$ as a universe of discourse and call $\tilde{A}$ one fuzzy subset of $U$ and designate one number $\mu_{\tilde{A}}(x) \in [0, 1]$ for each $x \in U$ to show the degree of membership of $x$ for $\tilde{A}$, which is the degree of membership of $U$. $\mu_{\tilde{A}}(x)$ is called the membership function of $\tilde{A}$. We can be sure that the fuzzy subset $\tilde{A}$ of $U$ corresponds to a certain number $\mu_{\tilde{A}}(x) \in [0, 1]$ for each $x \in U$. Fig. 2 shows the curve diagram of the membership function $\mu_{\tilde{A}}(x)$.

     2.2.3. Fuzzy numbers

    In the assessment process of different projects, the satisfaction with different properties in the project is usually placed in a certain scale. If we signify it with a clear and precise number, it is less likely to reflect the reality. Therefore, in fuzzy multi-principle assessment, fuzzy numbers tend to be used to show the degree of satisfaction (Arens et al., 2005; Wustemann, 2004). Fuzzy numbers were proposed by Dubois and Prade (1980), who indicated that fuzzy numbers refer to the fuzzy set on the real line $R$ and their membership function was $\mu_{\tilde{A}}(x) : R \to [0, 1]$, which has the following characteristics:

    • $\mu_{\tilde{A}}(x)$ is piecewise continuous;

    • $\mu_{\tilde{A}}(x)$ is convex fuzzy subset.

    • $\mu_{\tilde{A}}(x)$ is normality of a fuzzy subset. In other words, there is a real number $x_0$, which results in $\mu_{\tilde{A}}(x_0) = 1$.

    3. The research method

    First of all, we used the grounded theory (Glaser, 1992) to reorganize and analyze the factors influencing detection risk in the past literature and allocated them into three dimensions (audit risk, inherent risk, and control risk) according to the audit risk model. In order to increase the contribution of the research to audit cases, this research then adopted the Delphi method (Linstone & Turoff, 1975) to distribute expert questionnaires to the experts in empirical audit circles. The distribution targets included the audit staff in accounting firms and the internal audit personnel of ordinary enterprises. The researcher expected to find out the critical factors influencing audit risk, inherent risk, and control risk identified by the experts in real audit cases through the distribution of the expert questionnaires.

    Audit is a process of collecting evidence, reducing uncertainty and showing audit opinions. Thus, in order to understand the possible risks when auditing, the audit staff must have access to the risks caused by uncertainty in the information (Arens et al., 2005; Friedlob & Schleifer, 1999; Lee & Park, 1997; Wustemann, 2004). Since the fuzzy theory could retain a certain degree of fuzziness in terms of people’s thoughts, inference and perception; describe the advantages, disadvantages, and situations of things through fuzzy logic and concept; and deal with subjective assessment through objective and scientific methods, it

    Fig. 2. $\mu_{\tilde{A}}(x)$ curve diagram of membership function.


    Table 1 (continued)

    | Category | Category | Risk factors | Description |
    |---|---|---|---|
    | | Control activity | 43. Re-examination of executive results of operational activities | Do target enterprises re-examine the executive results of operational activities such as planning, budget, internal control performance. |
    | | | 44. Control of data dealing | Do target enterprises set up related policy process manual for data dealing as the base for the employees? |
    | | | 45. Substantial control of accounting records and assets | Do target enterprises ensure accounting records and the safety of corporate assets and carry out the control? |
    | | | 46. Authorization of transaction | Do target enterprises set up efficient transaction authorization process? |
    | | | 47. Professional capacity division of transaction | Do target enterprises carry out transaction professional capacity division such as managing money instead of the account. |
    | | | 48. Professional capacity division of financial report employees | Do target enterprises efficiently separate the financial report employees’ professional capacity such as financial manager, EDP staff, accounting staff and internal auditor. |
    | | | 49. Delivery and communication process of accounting information related to financial report | The delivery and communication process of accounting information system includes the occurrence of transaction and accounting record used, supporting information, dealing report of accounting subject and editing of finance |
    | | Supervision | 50. Installation and responsibility division of internal audit department | Do target enterprises install internal audit department and efficiently carry out the internal audit functions. |
    | | | 51. Process used by internal audit to prevent, detect and correct errors | Prevention, detection, error correction and fraudulence process set up by the target enterprises and the executive results |
    | | | 52. Independent confirmation process toward the corporate operational performance | Target enterprises’ independent confirmation process of corporate operational performance such as inventory management |


    As to the control risk aspect, according to COSO (1996), the researcher divided the risk factors influencing control risk into “control environment”, “risk assessment”, “control activity”, “information and communication”, and “supervision”. “Control environment” means the framework for creating the disciplines and internal control of the target enterprises. Thus, the risk factors such as the employees’ integrity, morality and abilities, managerial level’s managerial philosophy, risk orientation and power, and duty division of target enterprises were classified into “control environment”. “Risk assessment” was the method with which target enterprises identified the impossibility of their goal accomplishment. Thus, the factors such as risk assessment of new accounting criteria announced, risk assessment responding to the changes of external environment, and risk assessment of safety of EDP system were classified as “risk assessment”. “Control activity” means the target enterprises ensured that the members in the organization actually executed the policy and process ordered by the managerial level. Thus, internal controls such as control of data dealing, actual control of accounting records and assets, authorization of transaction, and professional capacity division of transaction were classified as “control activity”. “Information and communication” was the process in which target enterprises and accounting information related to financial reports delivered and communicated. Since the risk factors of “information and communication” were rarely mentioned in the past literature, this research includes “information and communication” in the core category of “control activity” and named the risk factors of the former as “the process of delivery and communication of accounting information related to the financial report”. “Supervision” was the process in which the target enterprises assessed the executive results of internal control. Thus, the risk factors of installation and duty division of internal audit department, the process the internal audit used to prevent/detect/correct the errors and the independent confirmation process on the corporate operational performance were classified under “supervision”.

    4.2. Using the Delphi method to screen the critical audit detection risk factors

    The purpose of using the Delphi method was to supplement the insufficiency of literature, and we expected to reorganize more complete questions through the experts’ and scholars’ discussion. Therefore, this research built the research model based on the Grounded Theory into the questionnaires and used e-mail to send the interview questionnaires. Before distributing the questionnaires, we pretested them with three experts having experience in academic study and audit cases to confirm the design of the questionnaire and the categorization of the questions. After being assured that there was no error in the details of the questionnaire, we sent out the questionnaires. Before distributing the questionnaires, the research had the agreements of the experts interviewed after completely describing the research purposes and questionnaire progress to the experts. Through two rounds of questionnaire distribution, the researcher investigated the critical risk factors influencing the detection risk determination of target enterprises thought by internal and external audit staff. The experts in this research included 30 internal and external audit staff (15 internal audit staff and 15 external audit staff). Since the staff in charge of assessing the risk of target enterprises in the accounting firm was the audit manager, the external audit targets of questionnaire interview in this research referred to the staff with the level above managers in the accounting firm. As to internal audit, since the public companies were regulated by the Financial Supervisory Commission, they must submit internal control project annually. Therefore, we treated the internal staff of public companies as the targets.

    In the first round, the questionnaire included 53 risk factors influencing detection risk assessment reorganized by the Grounded Theory and it was divided into three aspects: “audit risk”, “inherent risk” and “control risk”. The researcher thus designed semi-open questionnaires. The first-round questionnaires listed 53 factors and asked the experts about the degree of importance of each question. In addition, a blank column was left for the experts to add other critical factors or opinions (such as the propriety of categorization). In the first round, there were 30 questionnaires distributed and 25 experts responded. The return rate was 83%. This questionnaire was based on a five-point Likert scale and combined the opinions of 25 experts to calculate the average, maximum, minimum, mode (plural number), and standard deviation of each item. The purpose of calculating the averages is to understand the average degree of the experts in terms of the importance of each question. The calculation of maximum, minimum, and standard deviation is to see the degree of difference of each expert’s opinion. The mode is calculated to understand most of the experts’ views on the degree of importance of each question. The calculation of Quartile Deviation is for the degree of consistency of each expert for each question.

    In the first round of using the Delphi method, the results of the questionnaires show that the averages of the questions were all more than 3. Thus, we cannot delete the less important questions. Therefore, after adding the experts’ other opinions, the Delphi questionnaires were redesigned for the second round. Among the 53 items, the averages of “managerial level has the incentives to operate the profits” and “many errors in account receivable of the previous audit” were the highest (4.72). Maximum was 5 and minimum was 4. It showed that the experts all believed that the degree of importance of these two items was extremely high.

    Each audit detection risk factor analysis and the average result comparison in expert questionnaires of the first and second rounds are shown in Fig. 4.

    As shown in Fig. 4, the questionnaires in the first and second rounds have reached a certain degree of consistency. Through the t-test scale of independent samples, only three risk factors are significant (t is less than 0.05), which are auditors’ understanding toward target business, HR policy, and installation and responsibility division of audit department in internal target enterprises. It shows that there are differences among the audit experts with regard to the importance degree of three risk factors. It might be that there were too few internal auditors (six people) who replied to the questionnaires during the second round.

    Since a risk factor with an average of more than 4 means the experts all thought that the risk factor was “important”, we should retain all of the risk factors with averages more than 4. As to the risk factors with averages less than 3.5, since their modes (plural numbers) were 3 and minimum was 1 or 2, and for each factor, there were about 60% of experts selecting less than 3, it shows that most of the experts thought that the risk factor is not important for the assessment of detection risk. Thus, we could eliminate them. For the risk factors with averages between 3.75 and 3.5, although their modes are mostly 4 and the minimum is 2, there are about 40% of experts selecting less than 3, which shows that the risk factor is not important for the assessment of detection risk. Thus, we eliminate these factors. For the risk factors with averages between 4 and 3.75, the modes are mostly 4 and the minimum is 2 or 3. However, there are only about 20% of experts choosing less than 3. Therefore, we retain the risk factors with averages between 4 and 3.75.

    Fig. 4. Each audit detection risk factor analysis and comparison in expert questionnaires of the first and second rounds.

    Fig. 5. Critical factors influencing detection risk assessment.

    As a result, 43 critical factors which influence audit detection risk assessment are retained, which are shown in Fig. 5.

    4.3. Construction of the audit detection risk assessment system

    To construct the audit detection risk assessment system, all of the steps of the fuzzy theory described in Section 2.2 are applied. That is, to define linguistic variable, use fuzzy assessment number to integrate the fuzzy numbers of each risk, use audit risk model to calculate the fuzzy value of DR, and infer the linguistic approximate value of DR by Euclidean distance. All of the risk factors involved in this mechanism were based on three major dimensions (audit risk, inherent risk, and control risk), eight subcategories (auditor base, auditee base, financial statement level, account the remaining sum level, control environment, risk assessment, control activity, and supervision) and 43 risk factors were reorganized, designed and screened in the last section.

    In order to avoid auditors' misunderstanding and error calculation of the fuzzy theory when assessing the risks, we designed five levels to assess the risk in the system. That is, the respondents assess the “possibility” of each risk factor in the target enterprises and the “significance” of the influence of the possible risk on financial statement. The “possibility” and “significance” of the risk factors were divided into five levels: “extremely possible”, “possible”, “ordinary”, “impossible”, “extremely impossible”, and “very high”, “high”, “medium”, “low” and “very low” (see Fig. 6).

    After all the respondents finish the assessment of target enterprises detection risk, we can look at the fuzzy calculation results. This system sequentially lists the risk degrees of the risk factors. The top of the picture also describes the calculation of detection risk of target enterprises and one simple conclusion to elaborate the risk degree of target enterprises in terms of three major dimensions (audit risk, inherent risk, and control risk), as well as the acceptable detection risk degree of accounting firms authorized by the target enterprises calculated by this system. In addition, in order to allow the assessors to understand the interaction among the risks, we move the arrow to the location of each risk degree and the picture will show the triangular fuzzy number of the risk factor to serve as the reference of the related personnel in the authorized accounting firms when they plan audit strategies.

    5. System evaluation

    The case company is a manufacturing plant established in 1954 and turned into a limited company in 1969 and the stock became public in November, 1994. By 1998, its capital volume has reached 3 billion NT dollars. There were about 1200 employees and it was the largest door lock manufacturing plant in Taiwan exclusively managing the manufacturing and sales of various door locks, such as cylinder lock. Besides promoting its own brand, it also dealt with OEM manufacturing for clients in the USA, Australia, and Japan. Since the case company valued the upgrading of product R&D and had over 120 patent techniques, it has established long-term and stable relations with the clients and suppliers under the continuous expansion of operational scale and it had world-class R&D capacity and top producing scale in Asia.

    Fig. 6. Assessment interface of detection risk assessment system.

    This paper used the interviews on the related personnel in the case company to collect the related data, such as the respondents' views on the possibility of each risk factor of case company and asked the case company to provide the list of internal and external auditors helping the operation of the system. With regard to internal auditors in the case company, there were only two employees (chief auditor and audit administrator). Thus, for internal auditors, there were only two respondents; in terms of external auditors, there were four respondents including the chief, deputy manager, and two accountants of the accounting firm in charge of auditing the case company. Among others, the deputy manager was the staff assessing the risks of the authorized cases.

    The related data of the case industry and the basic information of the case company were acquired mainly through interviews with the internal auditors in the case company. Through two times of the interviews, the industry background information of the case, introduction of the case company, significant historical records, organizational framework, operational situations, and future development plans were gathered. We also recorded the interview process in order to understand the risk assessment model on the operation of the case company and the interaction between internal and external auditors. Besides the interview on the internal auditors of the case company, we also performed two interviews with the related external auditors in the accounting firms of the case company in order to understand the accounting firm's detection risk assessment of the case company and its interaction with the internal auditors. The interview outline of internal and external auditors in the case company is shown in Table 2.

    Subsequently, the respondents were further asked to use the system to manage the detection risk of the assessment case company. The operational results of the system are as follows.

    First of all, the respondents' assessment on the possibility and significance of each risk factor is reorganized and the answers of possibility and significance of each risk factor are then calculated. Next, the efficient fuzzy weighted average method is used to calculate the triangular fuzzy numbers of each risk factor and infer the linguistic degree of each risk factor of different levels by modified Euclidean distance. The triangular fuzzy numbers of audit risk, inherent risk and control risk are obtained as follows: (0.06197917, 0.19626437, 0.46949405), (0.00787602, 0.16353811, 0.42576058) and (0.00151910, 0.16236867, 0.42049180).

    The audit risk model is then applied to the triangular fuzzy numbers of audit risk, inherent risk, and control risk calculated above to further acquire the triangular fuzzy numbers of detection risk as (0.00132989, 0.28471029, 8649.64130453). Finally, we used modified Euclidean distance to infer and found out that the accounting firm's acceptable detection risk linguistic degree toward the case company was “high”.
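The steps listed in Section 4.3 and the calculation just described can be followed end to end in the added Python example below, which is not the authors' system. The five-level triangular scale and the answers are constructed; the fuzzy weighted average is computed by trying every split point rather than by Lee and Park's efficient algorithm, and plain Euclidean distance stands in for the paper's modified distance.

```python
from math import sqrt

# Assumed five-level scale as triangular fuzzy numbers (l, m, u); the paper's
# own membership functions are not shown on this page.
TFN = [(0.0, 0.1, 0.3), (0.1, 0.3, 0.5), (0.3, 0.5, 0.7),
       (0.5, 0.7, 0.9), (0.7, 0.9, 1.0)]
POSSIBILITY = ["extremely impossible", "impossible", "ordinary",
               "possible", "extremely possible"]
SIGNIFICANCE = ["very low", "low", "medium", "high", "very high"]

# Constructed answers: (possibility, significance) per risk factor.
AUDIT = [("impossible", "high"), ("extremely impossible", "medium")]
INHERENT = [("possible", "high"), ("ordinary", "very high")]
CONTROL = [("possible", "medium"), ("extremely possible", "high")]


def _extreme(xs, w_lo, w_hi, pick):
    """Exact min or max of sum(w*x)/sum(w) with each w_i in [w_lo_i, w_hi_i].

    With ratings sorted, the optimum gives one bound to the first k weights
    and the other bound to the rest, so every split point k is tried.
    """
    order = sorted(range(len(xs)), key=lambda i: xs[i])
    first, rest = (w_hi, w_lo) if pick is min else (w_lo, w_hi)
    candidates = []
    for k in range(len(xs) + 1):
        w = {i: first[i] if pos < k else rest[i] for pos, i in enumerate(order)}
        total = sum(w.values())
        if total > 0:  # skip a weighting in which every weight is zero
            candidates.append(sum(w[i] * xs[i] for i in w) / total)
    return pick(candidates)


def weighted_average(answers):
    """Fuzzy weighted average: possibility ratings weighted by significance."""
    x = [TFN[POSSIBILITY.index(p)] for p, _ in answers]
    w = [TFN[SIGNIFICANCE.index(s)] for _, s in answers]
    w_lo, w_mid, w_hi = ([t[j] for t in w] for j in range(3))
    low = _extreme([t[0] for t in x], w_lo, w_hi, min)
    high = _extreme([t[2] for t in x], w_lo, w_hi, max)
    mid = sum(a * t[1] for a, t in zip(w_mid, x)) / sum(w_mid)
    return (low, mid, high)


def detection_risk(ar, ir, cr):
    """Audit risk model AR = IR x CR x DR, solved for DR on (l, m, u)."""
    if ir[0] * cr[0] <= 0:
        raise ZeroDivisionError("IR x CR reaches zero, DR is unbounded")
    return (ar[0] / (ir[2] * cr[2]), ar[1] / (ir[1] * cr[1]),
            ar[2] / (ir[0] * cr[0]))


def nearest_term(t):
    """Level whose triangle is closest to t in plain Euclidean distance."""
    def dist(i):
        return sqrt(sum((p - q) ** 2 for p, q in zip(t, TFN[i])))
    return SIGNIFICANCE[min(range(len(TFN)), key=dist)]


def assess(audit, inherent, control):
    """Return the DR triangle and its linguistic level for three answer sets."""
    ar, ir, cr = (weighted_average(a) for a in (audit, inherent, control))
    dr = detection_risk(ar, ir, cr)
    return dr, nearest_term(dr)


if __name__ == "__main__":
    print(assess(AUDIT, INHERENT, CONTROL))
```

With these constructed inputs the upper end of DR exceeds 1, because it is the upper bound of AR divided by the product of the lower bounds of IR and CR.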

    After gathering the acceptable detection risk degree of the case company, we further interviewed the audit managers in charge of the authorized accounting firms managing the detection risk assessment of the case company and the audit personnel in charge of assessing internal control activity of the case company. Through the descriptions of internal and external staff on each risk assessment of the company, they can confirm the validity of the assessment system as well as the feasibility and practicability of the assessment system. As shown in Table 3, the empirical result of the detection risk assessment system on the case company significantly and generally complies with current risk situations of the case company and the detection risk assessment system is actually feasible and useful.

    Table 2. Interview outline of internal and external auditors in case company

    Interview outline of internal auditors

    1. How does your company assess the risk of the firm at usual? Do you assess the misstatement risk of the financial statement?
    2. What is the work content of your audit department?
    3. What is the internal control of your company?
    4. How was the interaction between your company and accounting firms in the past?
    5. What are the risk degrees of the following risks in your company?
       (1) Auditor base
       (2) Auditee base
       (3) Financial statement level
       (4) Account remaining sum level
       (5) Control environment
       (6) Risk assessment
       (7) Control activity
       (8) Supervision

    Interview outline of external auditors

    1. How do you assess the auditees' detection risk at usual?
    2. What is your detection risk assessment degree to the case company?
    3. What are the risk degrees of the following risks in your company?
       (1) Auditor base
       (2) Auditee base
       (3) Financial statement level
       (4) Account the remaining sum level
       (5) Control environment
       (6) Risk assessment
       (7) Control activity
       (8) Supervision
    4. What is your opinion about the detection risk assessment system proposed by this research?
    5. What is your opinion about the difference between the assessment results of the detection risk assessment system proposed by this research and your original assessment results?


    Table 3. Reorganization of interview results of cases

    Aspect: Audit risk. Empirical result: Low

    External audit:
    • Auditors' understanding toward target enterprises
    • Auditors have professional capacities
    • Managerial level has good integrity
    • Shareholders of the bank depend on financial statement
    • Low risk to have financial crisis again

    Internal audit:
    • External audit is professional
    • Having long-term relation and understanding the company
    • Managerial level has good reputation
    • Being public again; thus, the investors value financial statement
    • Low possibility of financial crisis again

    Support of literatures:
    • Low (2004) and Beaulieu (2001) thought that for the auditors' understanding toward target enterprises, the better the professional capacity was, the lower the risk was
    • Turner et al. (2002a) believed that
    • The better the managers' integrity was, the lower the risk was
    • Arens et al. (2005) thought that when the users trusted the financial statement, the risk would be higher
    • Messier and Austen (2000) indicated that the financial crisis occurred after submitting the audit report which increased the audit risk

    Conclusions: According to the interview results of internal and external auditors and the support of related literatures and the assessment system result constructed by this research, we realize that the risk degree of audit risk in the case company is low

    Aspect: Inherent risk. Empirical result: Low

    External audit:
    • Rare changes of managerial level and accounting personnel
    • Managerial level has incentives to operate profits
    • Case company adjust the suggested affairs
    • The risk that account receivable or inventory account remaining sum have serious error is low

    Internal audit:
    • Low leave rate of managerial level and accounting personnel
    • There is no policy facilitating the managers to manage the profits
    • Accounting personnel respect the opinions of accounting firms

    Support of literatures:
    • Davutyan and Kavut (2005) thought that the higher the leave rate of the managers and accounting personnel was, the higher the risk was
    • Church et al. (2001) thought that when the managers had more incentives to operate the profits, the corporate risk would be higher
    • Taylor (2000) thought that the errors of account receivable and inventory would increase the risk

    Conclusions: According to the interview results of internal and external auditors and the support of related literatures and the assessment system result constructed by this research, we realize that the risk degree of inherent risk in the case company is low

    Aspect: Control risk. Empirical result: Low

    External audit:
    • Employees and, accounting personnel's integrity
    • Simple operational style of the managers
    • Regular risk assessment
    • Control activity is effective and actually practiced
    • Complete functions of audit department

    Internal audit:
    • Employees' integrity
    • Managerial level does not pursue risk
    • Regularly having risk control in internal and external environments
    • Valuing internal control and actually practicing it
    • Regular proposing internal control plan

    Support of literatures:
    • Bedard and Graham (2002) indicated that the more integrity the accounting personnel had, the lower the risk was
    • Johnstone (2000) indicated that the simpler the manager's operational risk was, the lower the risk was
    • COSO (1996) believed that regular risk assessment and control activity could reduce the risk
    • Davutyan and Kavut (2005) believed that the more complete the internal audit function is the lower the risk is

    Conclusions: According to the interview results of internal and external auditors and the support of related literatures and the assessment system result constructed by this research, we realize that the risk degree of control risk in the case company is low


    6. Conclusion

    The new audit bulletin criteria involved the application expected to strengthen the audit risk model and increase audit quality. However, the audit risk model was regarded as the theoretically ideal concept model. Since it was difficult to quantify the risk factors and we could not completely use precise numbers or terms to express their meanings, they were criticized as having low practical value. The assessment system constructed in this paper uses the fuzzy theory to help auditors in rendering professional judgment when facing fuzzy incidents and increasing the preciseness of risk assessment. It also allows the audit risk model to be more practical. At present, most of the risk management adopted by large-scale accounting companies, accounting firms and registered accountant business refers to risk rate risk assessment. The advantage is that the risk safety indicator is based on plenty of experience accumulation and statistical calculation, which considers the scientific technique standard, social and economic situations, legal factors and human psychological factors at the time, which are the least risk rate generally accepted.

    This paper reorganizes 43 critical risk factors influencing detection risk assessment identified by academia and audit empirical circles and allocates the above critical risk factors into three dimensions and eight categories according to the categorization of the related literatures. We believe that it can function as the reference for future researchers when they study the risk identification of audit planning. In addition, the fuzzy theory is a type of research method considerably suitable for being applied to aspects with a high degree of subjectivity, such as audit. However, it is rarely used by audit scholars. Regarding the construction of the system, it is an encouragement for the future scholars in the accounting audit domain to consider the fuzzy theory.

    References

    American Institute of Certified Public Accountants (AICPA): SAS 47 (1983) and AU 312 (1984), Audit Risk and Materiality in Conducting an Audit.

    Akhter, F., Hobbs, D., & Maamar, Z. (2005). A fuzzy logic-based system for assessing the level of business-to-consumer (B2C) trust in electronic commerce. Expert Systems with Applications, 28(4), 623–628.

    Arens, A. A., Elder, R. J., & Beaslsy, M. S. (2005). Auditing and assurance services: An integrated approach (10th ed.). Upper Saddle River, New Jersey: Prentice Hall.

    Beattie, V., Fearnley, S., & Brandt, R. (2002). Auditor independence and audit risk in the UK: A Reconceptualisation, Presented at The American accounting association professionalism and ethics symposium, August.

    Beaulieu, P. R. (2001). The effects of judgments of new clients' integrity upon risk judgments, audit evidence, and fees. Auditing, 20(2), 85–99.

    Bedard, J. C., & Graham, L. E. (2002). The effects of decision aid orientation on risk factor identification and audit test planning. Auditing, 21(2), 39–56.

    Behn, B. K., Kaplan, S. E., & Krumwiede, K. R. (2001). Further evidence on the auditor's going-concern report: The influence of management plans. Auditing, 20(1), 13–28.

    Committee of Sponsoring Organizations of the Treadway Commission (COSO) (1996). Internal Control Issues in Derivatives Usage, AICPA.

    Cushing, B. E., Graham, Jr, L. E., Palmrose, Z.-V., Roussey, R. S., & Solomon, I. (1995). Risk orientation. In T. B. Bell & A. M. Wright (Eds.), Auditing practice, research, and education: A productive collaboration (pp. 11–54). New York, NY: AICPA.

    Davutyan, N., & Kavut, L. (2005). An application of data envelopment analysis to the evaluation of audit risk: a reinterpretation. Abacus, 41(3), 290–306.

    Dubois, D., & Prade, H. (1980). Fuzzy sets and systems. New York: Academic Press.

    Friedlob, G. T., & Schleifer, L. L. F. (1999). Fuzzy logic: Application for audit risk and uncertainty. Managerial Auditing Journal, 14(3), 12–13.

    Glaser, B. G. (1992). Basics of grounded theory analysis: Emergence vs forcing, Mill Valley.

    Haskins, E. H., & Dirsmith, M. W. (1993). Control and inherent risk assessments in client engagements: An examination of their interdependencies. Journal of Accounting and Public Policy, 14, 63–83.

    Helliar, C., Lyon, B., Monroe, G. S., Ng, J., & Woodliff, D. R. (1996). UK auditors' perceptions of inherent risk. British Accounting Review, 28(1), 45–72.

    Johnstone, K. M. (2000). Client-acceptance decisions: Simultaneous effects of client business risk, audit risk, auditor business risk, and risk adaptation. Auditing, 19(1), 1–25.

    Khurana, I. K., & Raman, K. K. (2004). Litigation risk and the financial reporting credibility of big 4 versus non-big 4 audits: Evidence from Anglo-American countries. The Accounting Review, 79(2), 473–495.

    Krishnan, J., & Krishnan, J. (1997). Litigation risk and auditor resignations. The Accounting Review, 72(4), 539–560.

    Lee, D. H., & Park, D. (1997). An efficient algorithm for fuzzy weighted average. Fuzzy Sets and Systems, 87, 39–45.

    Linstone, H. A., & Turoff, M. (1975). The Delphi method: Techniques and applications. Addison Wesley.

    Low, K. Y. (2004). The effects of industry specialization on audit risk assessments and audit-planning decisions. The Accounting Review, 79(1), 201–219.

    Table 3 (continued)

    Aspect: Acceptable detection risk. Empirical result: High

    External audit:
    • Determine the detection risk degree at usual by the work backup of the past years
    • Assessment result of this system is close to the original assessment result of the audit manager

    Internal audit:
    • Audit deputy manager usually does not go to the auditee company
    • The assessment result of this system is close to current situation of the company

    Conclusions: Although the detection risk assessment acquired by this research is consistent with the assessment results of internal and external auditors, there is the difference between the internal audit of audit deputy manager who assesses detection risk at usual and audit chief who audits in the case company most frequently. Thus, there is significant error to only allow audit deputy manager to subjectively judge and determine the detection risk
