-
So
Ae
S
aBuAbstract
This study examines the impact of the Business Risk Audit (BRA),
a development in audit methodology imple-mented in the late 1990s,
on actual audit practice and on practitioners. Evidence is
presented through a longitudinal casestudy developed from a set of
actual audit Wles over a Wve year period spanning the
implementation of the BRA,together with interviews with audit team
members. The study contributes to our understanding of the nature
of theaudit techniques underlying the BRA and the diYculties
experienced in implementing them within the existing
organiza-tional structures. In addition, the study illuminates the
potentially conXicting roles of audit methodology in its
organiza-tional context, both in mediating the complex relationship
between the administrators and practitioners in the largeaccounting
Wrms and as the knowledge management structure used to support
delivery of the audit product. 2006 Elsevier Ltd. All rights
reserved.
Introduction
The introduction of audit approaches that placegreater emphasis
on the business risks in the orga-nization whose Wnancial
statements are beingaudited, generally termed the Business Risk
Audit(BRA), has been documented as a major innova-tion in audit
methodology in the second half of the
1997; Lemon, Tatum, & Turley, 2000). This inno-vation has
been associated with changes in thescope of the planning and risk
assessment pro-cesses and in the related evidence gathering
proce-dures used by auditors. Proponents of the BRAsuggest that
this approach has the potential toenhance audit eVectiveness,
arguing that an in-depth understanding of a business, its
environmentAccounting, Organizations and
The business risk audit of an audit
Emer Curtis a,,a Department of Accountancy and Finance, N
b Accounting and Finance Group, Manchester 0361-3682/$ - see
front matter 2006 Elsevier Ltd. All rights
reservedoi:10.1016/j.aos.2006.09.004
1990s (Eilifsen, Knechel, & Wallage, 2001; Higson,
* Corresponding author. Tel.: +353 91 493138.E-mail address:
[email protected] (E. Curtis).ciety 32 (2007) 439461
www.elsevier.com/locate/aos
longitudinal case studyngagement
tuart Turley b
tional University of Ireland, Galway, Irelandsiness School,
University of Manchester, UKd.
and the business processes through which value iscreated is the
best way in which an auditor will beable to recognize management
fraud and businessfailure risks. Critics have suggested that the
BRAwas intended to redeWne auditing as consulting and
-
ni440 E. Curtis, S. Turley / Accounting, Orga
to facilitate identiWcation of opportunities for pro-viding
value added services to clients, with theintention of improving the
status and proWtabilityof the auditor.
Much of the literature describing and comment-ing on the BRA
implicitly assumes that BRA asdeveloped has been implemented
uncontroversiallyby the audit Wrms. However, Power (1997, p. 8)
hasdrawn attention to the fact that the programmes,ideas and
concepts which shape the developmentof audit practice are at best
loosely coupled to thetasks and routines performed in their name.
Rad-cliVe (1999) established a similar point when inves-tigating
the nature of the technologies used toenact eYciency auditing. This
study was motivatedby a desire to understand how the BRA
translatedinto changes in auditing techniques implementedby
practicing auditors and the diYculties encoun-tered in
operationalising the BRA in context, andthus to examine the
relationship between a pro-gramme for change in the introduction of
the BRAand the set of practices which it describes.
This paper reports the results of a case study onthe
implementation of the BRA on an auditengagement. The case is based
on the audit workpapers for a client of a large accounting Wrm
overthe period 19962000, supplemented by interviewswith members of
the audit team and reference tothe documented methodology of the
audit Wrm. Acase study approach was chosen because it allowedfor an
in-depth review of the nature and extent ofplanning work and
evidence gathering procedures.The longitudinal aspect of the study
was importantas it provided an insight into changes from the
pre-vious methodology and how changes were embed-ded in the audit
process. Interviews with membersof the audit team allowed
investigation of barriersto implementation in the organizational
context. Acase study approach to investigation of the auditprocess
is also consistent with calls that have beenmade for more research
evidence from real auditassignments about the methods that Wrms
actuallyuse, and more recently for evidence on the practi-cal
diVerences between the application of the oldermethodologies and
BRA (Bedard, Mock, &Wright, 1999; Gwilliam, 1987; Power, 2003;
Rob-son, Humphrey, Khalifa, & Jones, forthcoming;
Turley & Cooper, 1991).zations and Society 32 (2007)
439461
In addition to contributing descriptive evidenceabout the manner
in which the concepts underly-ing the BRA were operationalised, the
studyexplains why this methodology was perceived asmore judgemental
and ambiguous by audit staV.The case highlights diYculties
experienced inachieving a lasting move to an audit focused
onbusiness risks and high level controls. It also dem-onstrates
reluctance by auditors to reduce levels ofsubstantive testing,
particularly in relation to sig-niWcant judgements and estimates,
and identiWesdiscomfort at practitioner level with the lack
oflinkage between audit work done on businessrisks and an opinion
given on the Wnancial state-ments. The wider relevance of these
diYculties isillustrated by related changes to successive ver-sions
of the global methodology of this Wrm.
A major innovation in practice such as the BRAcan be considered
from a number of perspectives.Its introduction may be seen as part
of a WrmseVorts to create an audit product that is credible inthe
market place. Here the administrative elementsof the Wrm, and more
generally the auditing profes-sion, are concerned with
conceptualizing and rep-resenting audit activity in a way that
enhances itslegitimacy with clients and society. New methodo-logy
may also reXect administrators views regar-ding a better audit,
both as a structure for guidingand controlling the eVectiveness of
the work eVortof staV and as a means of adapting the businessmodel
associated with auditing. However, from theperspective of the
practicing auditor, the legiti-macy of the audit process on an
individual engage-ment is something diVerent. The practitioner
maybe concerned that the process not only meets Wrmdetermined
standards on methodology, but alsoactually provides a body of
evidence that the prac-titioner believes to be valid as a basis for
signingthe audit opinion and as a defensible record of theaudit
process. The tension between what method-ology seeks to authorize
and promote in evidencecollection procedures and what
practitionersregard as appropriate for their opinion can
creatediVerences between the oYcial approach andwhat is actually
done. This study is about the prac-tical implementation of the BRA
in an actual caseand as such the primary focus of analysis is
on
whether and how that tension between methodo-
-
niE. Curtis, S. Turley / Accounting, Orga
logy and practitioners views of what constitutes alegitimate
evidence process was evident in theimplementation of the new BRA
methodology.
The study concludes that while the BRA wasdeveloped by the
administrative sections of thelarge Wrms to address the concerns
related to thestatus, eVectiveness and proWtability of
auditingwithin those Wrms, inadequate consideration wasgiven to
practitioners needs for what theyregarded as a legitimate audit
which they couldpersonally be called upon to defend. As a
result,the implementation of the BRA was not associatedwith the
change in the overall pattern of evidencecollection that was
intended. The study also raisesquestions about the ability of the
BRA to induceaudit teams to generate additional revenuethrough
providing added value for the client. Thisis partly a question of
whether a hierarchicallyorganized audit team has the skills,
Xexibility andtime to generate value, but it is also a function
ofthe clients willingness and ability to pay for it.
The remainder of the paper is set out as follows.The next two
sections discuss theoretical perspec-tives on audit methodology and
review prior litera-ture on the development and implementation
ofthe BRA. A description of the research methodsand the case
context follows. The Wndings andanalysis are then divided into
three sections, con-sidering in turn: changing the focus of the
audit tobusiness risk and the impact on the identiWcationof risks;
changes in the nature of the audit workactually performed and the
diYculties of imple-menting change; and the impact of the BRA
oncost and revenues. Finally, the implications andconclusions that
can be drawn from the study forour understanding of the role of
methodologies inaudit practice are considered.
Theoretical perspectives on audit methodology
Prior literature presents a number of diVerentperspectives on
audit methodology. The primaryperspective, adopted by much of what
is generallyreferred to as mainstream audit research (Gendron&
Bedard, 2001) views auditing as technical prac-tice. Much of this
literature, in particular the audit
judgement and decision making literature (JDM),zations and
Society 32 (2007) 439461 441
adopts a rationalist paradigm from cognitive psy-chology, which
is based on the idea that humans,or even societies, follow
identiWable rules (Wester-dahl, 2004). Such research sees auditor
judgementas a practice conducted by individuals who mustrespond
eYciently to cues in the auditee environ-ment and make decisions
accordingly (Power,1995, p. 318). This perspective has been
criticizedfor ignoring the social context in which decisionsare
made, where judgements are not simply theprocedural outcomes of the
application of a set ofaudit techniques (Kirkham, 1992). Pentland
(1993)argues that there is good reason to expect that noamount of
rationalistic analysis will ever produce asuYcient explanation of
auditor judgement (p.619) due to the insuYciency of rule following
as anexplanation of social order. The literature whichconsiders
audit methodology in its social and insti-tutional context
recognizes at least four diVerent,and potentially conXicting, roles
for audit metho-dology: the production of legitimacy for the
pro-fession as a whole; the production of a legitimateset of work
papers on an individual audit; a systemfor controlling and
directing the work of the prac-titioners by administrative elements
of the largeWrms; and encoding knowledge into the organiza-tional
structure to assist in the achievement of theorganizational
proWtability. Each of these perspec-tives is discussed below.
Legitimacy of the profession
At the level of the profession, the ideas inform-ing audit
methodologies are reXected in auditingstandards which
simultaneously provide a sourceof legitimacy for the approaches
applied by theaudit Wrms and a body of knowledge to justify
theclaims of professional expertise. Consistent withthe norms and
values of western market econo-mies, the profession has an interest
in representingauditing as a rational, objective science. A
numberof authors (Carpenter & Dirsmith, 1993;
Dirsmith,Covaleski, & McAllister, 1985; Dirsmith, Heian,
&Covaleski, 1997; Power, 1992, 1995, 2003) havelinked audit
methodologies to the representationof the auditor as a rational
expert. Power (1992,p. 59) suggests that the rise of a discourse
in
audit sampling had much to do with attempts to
-
ni442 E. Curtis, S. Turley / Accounting, Orga
legitimate, rationalise, reinterpret and improvepractices that
were already in place and in doingso, aligned the auditing
profession with reveredvalues of rationality and science. Carpenter
andDirsmith (1993) view the discourse on statisticalsampling as
modifying and regenerating the pro-fessions abstract system of
knowledge (Abbott,1988).
Similarly Power (1995) has argued that in spiteof the
theoretically questionable and operation-ally ambiguous status of
the audit risk model, ithas endured because it replaces statistical
samplingin providing an abstract foundation for audits, itfunctions
to rationalize a reorganization of auditwork and a reduction of
detailed testing, and itprovides a respected vocabulary through
whichoperational decisions can be justiWed (p. 331).
Legitimacy at the level of audit practice
It is in the domain of actual practice that formalaudit
methodologies are translated or transformedinto audit procedures by
individual practitionerscoping with such everyday exigencies as
clientpressures and the cost of performing audits (Car-penter &
Dirsmith, 1993, p. 45). The potential forreview of the audit work
papers by the courts orpeer reviewers translates on an individual
auditinto a need for the production of a set work paperswhich are a
culturally legitimate, formal, defend-able record of the audit
process (Power, 2003).Thus audit methodology is seen to play a
signiW-cant role in the production of a legitimate set ofaudit work
papers. Dirsmith et al. (1985, p. 57)suggest that the production of
work papers is asanitizing process, where audit evidence can
beviewed as a symbol for legitimizing a neitherwholly rationalized
nor rationalizable audit pro-cess. In lamenting the trend toward
more struc-tured audit methodologies, it has also been arguedthat
this need to maintain legitimacy is a majorobstacle to a
judgemental, organic audit:
It may well be that the litigious, control-directed,
sociopolitical environment of theauditing profession is intolerant
of theorganic audit perhaps the profession has
presented a formal image of itself that is notzations and
Society 32 (2007) 439461
reXective of its own variety or loosely cou-pled nature.
(Dirsmith & McAllister, 1982, p.227).
This suggests that audit work papers must con-form to
institutionalized prescriptions of whatauditors do, in order to
portray a rational func-tional image of the audit (Dirsmith et al.,
1985).Thus if society expects that auditors conWrmreceivables then
this must be done regardless ofeYciency or eVectiveness
considerations.
Audit methodology and the control of practitioners
The large accounting Wrms, or more accurately,professional
service Wrms, are so big that the litera-ture has recognized the
separation of the adminis-trative structure of these Wrms from
thepractitioners (Carpenter, Dirsmith, & Gupta, 1994)and the
potential for conXict and power strugglebetween the two (Freidson,
1986). The acknowl-edgment of the separate roles of the
administratorsand practitioners is important in considering
auditmethodology because methodology is generallydeveloped by the
administrative element but isimplemented by the practitioners.
Prior literaturesuggests that these two groups have diVerent
inter-ests, power bases and concepts of a legitimate pro-cess,
which results in signiWcant scope for tensionand controversy over
methodology.
Administrators have primary control over rulesand resources in
these organizations, allowingthem to formulate the procedural and
substantiverules addressed to the way professional work is tobe
performed and to establish the basis for con-trolling and
evaluating the work of practitioners(Freidson, 1986, p. 215).
Carpenter et al. (1994)attribute the trend towards structured
auditapproaches in part to eVorts by administrators tocontrol local
practitioner judgement:
Administrators, preoccupied with the politicaland economic
forces their organizations face,focus on formulating procedural and
substan-tive rules that control the way in which theprofessional
work is performedThey servenot primarily the client or even the
profes-sional practitioner, but their own organiza-
tion, and it is from this organization that they
-
niE. Curtis, S. Turley / Accounting, Orga
derive their power and authority. Thus,administrators seek to
encode expertise intothe formal structure of the organizations
byway of its rule systems (Carpenter et al., 1994,p. 373374).
Audit methodology and the business model
The literature also suggests that administratorsuse audit
methodologies to inXuence the manner inwhich their organizations
generate proWts. Giventhe concern with proWtability in a
competitive mar-ket for audit service, where audit fees and
marginshave been under pressure since the 1980s, adminis-trators
have used audit methodology in brandingand marketing their services
to existing and poten-tial audit clients (Jeppesen, 1998). Morris
andEmpson (1998) suggest that the large audit Wrmshave codiWed
organizational knowledge in theform of highly structured audit
methodologies,which allows them to use inexperienced staV toapply
this codiWed knowledge, thereby facilitatinga hierarchical
organization structure, to achieveabove average proWts. There are
also suggestionsthat audit methodologies can facilitate the
expan-sion of low value-added audit services into the pro-vision of
more lucrative consulting services bydirecting audit work and the
attention of auditstaV towards opportunities to provide value
addedservices in the course of, or as a result of, the
audit(Barrett, Cooper, & Jamal, 2005).
Thus prior literature illustrates that audit meth-odologies
serve diVerent roles at diVerent levels inthe institutional
environment. The recognition ofthese diVerent roles suggests that
there is consider-able scope for tension and controversy when
thereis an innovation in a methodology such as BRA,which is
developed by administrative elements ofthe Wrms but implemented by
individual practitio-ners.
Administrators, by virtue of their position in theinstitutional
environment, are more generally con-cerned with issues such as the
jurisdiction andpower of the profession, and the inXuence of
theirown Wrm within that environment. They have aninterest in the
role of audit methodology in theproduction of legitimacy at the
level of the profes-
sion. Practitioners on the other hand derive theirzations and
Society 32 (2007) 439461 443
power and status within the Wrm primarily fromtheir client base
(Freidson, 1986), and have the ulti-mate power to decide on the
nature and extent ofaudit procedures actually performed on an
individ-ual audit. Importantly, on the individual
auditpractitioners are more concerned, not with thelegitimacy of
the Wrms methodology or of the pro-fession, but with the conduct of
what they regardas a legitimate audit process, for which they
takepersonal responsibility. Both the Wrm and the indi-vidual
auditors within it have a common interestthat the process captured
in the Wrms methodo-logy should produce a legitimate audit Wle.
How-ever, in the context of a speciWc audit thepractitioner may
divert from or add to strict appli-cation of methodology in order
to satisfy his/herown perceptions of a legitimate evidence
process.
While administrators may attempt to use auditmethodologies to
organize the manner in which theWrm produces proWts, and control
and direct workperformed by practitioners, the literature
recognizesthat idiosyncratic, local and intuitive judgementsby
seasoned practitioners are diYcult to managefrom the centre of the
Wrm (Power, 2003, p. 381).
Practitioners must also apply the variousrules and guidelines,
and in so doing trans-form them as inXuenced by their own
judge-ment and the day-to-day exigencies of speciWcclient service
work. Importantly, practitionersemploy the overly formalized rules
prescribedby administrators inconsistently and infor-mally
(Carpenter et al., 1994, p. 373374).
A number of Weld studies of auditing illustratethis point.
Fischers (1996) study of innovation inaudit technologies suggests
that the administra-tors eVorts to change highly institutionalized
auditpractices will not succeed unless practitioners canbe
convinced of the validity and suYciency of theevidence produced by
the new technologies. Resis-tance of practitioners to the
imposition of highlystructured client acceptance tools and
methodolo-gies has been reported by Dirsmith and Haskins(1991) and
Carpenter et al. (1994). Examining theimposition by administrators
of a system of man-agement by objectives, Dirsmith et al. (1997)
andCovaleski et al. (1998) illustrate how this system
was appropriated by the practitioners to advance
-
ni444 E. Curtis, S. Turley / Accounting, Orga
the interests of their own protgs. Study of diY-cult client
acceptance decisions in large CanadianWrms suggest that in spite of
highly formalized pol-icies put in place by administrators, the
decisionprocesses of practitioners remain largely Xexibleand
organic (Gendron, 2001). More recently, Bar-rett et al. (2005)
report variations in the manner inwhich local oYces implement both
inter-oYceinstructions and global audit methodologies. How-ever,
prior Weld studies do suggest that administra-tive elements of
audit Wrms are successful ininXuencing the logics of action
(Gendron, 2002)or world theories (Dirsmith & Haskins,
1991)adopted by the practitioners. In other words, thestructures
put in place by administrators, whetheraudit methodologies,
performance measures or cli-ent acceptance tools, inXuence decision
processesby providing auditors with an interpretativescheme and a
vocabulary that they frequently referto when making decisions
(Gendron, 2002, p.661). Overall this literature suggests that
whileadministrators can potentially use audit methodo-logies to
inXuence practitioner actions on audits,the ultimate decision as to
the nature and extent ofaudit testing remains with the
practitioners.
The business risk audits: an ambitious programme of change
The introduction of BRA in the second half ofthe 1990s has been
reported as a major innovationin audit methodology (Eilifsen et
al., 2001; Higson,1997; Lemon et al., 2000). Higson (1997, p.
213)presents one of the earliest papers heralding theBRA. He
suggests that as a result of the pressuresfaced by auditors from
many quarters, they havebeen reassessing what the audit is trying
to achieveand this has resulted in an extensive questioning ofhow
it should be done. Knechel (forthcoming)suggests that BRA resulted
from a culmination ofpressures on auditors in the form of fee and
costpressure and the questioning of conventional wis-dom in audit
practice, in particular questioning ofthe beneWts of structured
audit approaches.
The BRA was intended to widen the focus ofthe auditor, from
audit risk, deWned with reference
to Wnancial statement error, to business risk, deW-zations and
Society 32 (2007) 439461
ned as the risk that an entity will fail to meet itsobjectives
(Eilifsen et al., 2001; Higson, 1997;Lemon et al., 2000). The
proponents of the BRAargue that business risk ultimately translates
intorisk of Wnancial statement error and, therefore,that an
approach which focuses on understandinga business, its environment
and business processesprovides the best means by which an auditor
willrecognize risks associated with management fraudand business
failure (Erickson, Mayhew, & Felix,2000). Thus:
Wrms had concluded that perceived audit fail-ures result not
from the ineVectiveness ofprocedures in detecting misstatements
butbecause of diYculties, for example in recog-nizing going concern
problems or identifyingfraud, arising from other aspects of the
busi-ness context (Lemon et al., 2000, p. 12).
It was also argued that in the modern auditenvironment, where
the Wnancial accounting sys-tems are generally very good, extensive
testing ofdetails, in the absence of a good understanding
ofbusiness risk, is at best ineYcient and at worstineVective. This
view is consistent with the views ofcritics of structured audit
approaches, who havelong argued that an in-depth understanding of
thebusiness underpins a thoughtful, Xexible and judg-emental
audit.
The change in approach envisaged by the BRAwas to be achieved in
two ways: Wrst by changingthe focus of the audit from Wnancial
statement riskto business risk; and second by changing thenature of
audit testing from large volume tests ofdetails to the testing of
high level monitoring orsupervisory controls, supported by high
precisionanalytical work (Higson, 1997; Knechel, 2001,forthcoming;
Lemon et al., 2000). The approachencourages the auditors to view
the client in termsof key business processes, and risks and
controlswithin those processes, as opposed to a frameworkbased on
Wnancial statement balances and transac-tion streams. The rationale
for this approach sug-gests that if the auditor can identify the
sources ofbusiness risk and ensure that the client has appro-priate
systems to monitor and manage that risk,there is little value in
extensive substantive testing.
It has also been suggested that obtaining such an
-
niE. Curtis, S. Turley / Accounting, Orga
insight on the business provides auditors with abetter basis for
generating useful feedback for theclient. This added value
contribution of BRAhas been reported both from views held by
practi-tioners within Wrms (Higson, 1997) and from themany
references to adding value on the large Wrmswebsites around the
time of the implementation ofthe BRA (Jeppesen, 1998).
Some authors have questioned whether themotivation for the
introduction of BRA wasrelated to the delivery of more or better
audit assur-ance or the pursuit of self-interested proWtabilityand
status for the auditors themselves. During theperiod from 1980 to
the mid 1990s, the market foraudit services was characterized by
increasing com-petition and fee pressure. This environment led
tothe development of highly structured methodolo-gies, designed to
minimize costs and maximize theleveraging of audit work to
inexperienced staV. Theconsequent commoditization of the audit
resultedin the progressive diversiWcation of audit Wrms intomore
proWtable consulting services. The growthand proWtability of these
consulting services in thebooming economies of the mid 1990s
contributedto an undermining of the status of audit practitio-ners
in the large professional service Wrms (Robsonet al.,
forthcoming).
Given this context, Robson et al. (forthcoming)argue that the
BRA sought to improve the statusof the auditor, both within the
large accountingWrms, and externally with clients and
potentialrecruits, by aligning the auditor with the higherstatus
function of management consulting. Thisperspective is supported by
evidence of the strate-gies designed to sell the BRA both inside
the Wrmsto the practitioners, and outside to clients, regula-tors
and academics (Bell, Marrs, Solomon, & Tho-mas, 1997; Jeppesen,
1998; Winograd, Gerson, &Berlin, 2000).
Jeppesen (1998) argues that changing the focusof the audit from
Wnancial statements to the busi-ness resulted in the audit being
redeWned in orderto justify the delivery of proWtable
managementconsulting services with the consequent erosion ofauditor
independence. In fact, Power (2003) hassuggested that the BRA
approaches were drivenmore by revenue than by cost considerations,
given
the potential of added value to the client to gener-zations and
Society 32 (2007) 439461 445
ate revenue either through better recoveries onaudit fees or
through the cross selling of other ser-vices. In the context of the
booming economicenvironment of the 1990s, revenue generation
mayhave presented a more lucrative and less painfuloption than
seeking further eYciencies in the audit.At the same time,
litigation posed a far greaterthreat to the economic survival of
the large auditWrms than price competition, as borne out by thefate
of Andersen. Some Wrms believed that theBRA would beneWt their own
management ofengagement risk (Lemon et al., 2000). The
widelyreported introduction by the large accountingWrms in the
early 1990s of procedures to assessengagement risk is symptomatic
of the Wrms con-cern with audit eVectiveness. It is well
establishedthat auditors are primarily exposed to litigationrisk in
the case of business fraud or business fail-ure. Assuming that
fraud and failure risks could beappropriately identiWed by the BRA,
anticipatedreductions in substantive procedures were unlikelyto
result in increased exposure to litigation. To theextent that the
BRA was to be underpinned bystringent engagement risk management
procedureswithin the audit Wrms (Higson, 1997; Lemon et al.,2000),
clients with high levels of business risk andpoor control
environments, which are unsuitablefor this audit approach, would
also be excludedfrom the client base.
From programme to technology: transforming the BRA in
practice
As a response to the contextual pressures dis-cussed above, the
introduction of the BRA can beseen as relevant to a number of the
theoreticalinterpretations of the role of methodology outlinedin
the previous section, such as maintaining thelegitimacy of the
professional activity of auditingand changing the business model
for audit. If theBRA was intended to improve the proWtability
andstatus of the auditor through delivery of a diVerentproduct to
the client, with a reduced litigation riskfor the auditor, then it
represented an ambitiousprogramme for change. Re-branding a tired
auditproduct by updating the language and the image ofthe audit
will neither insulate the auditor against
litigation nor deliver added value to the client.
-
446 E. Curtis, S. Turley / Accounting, Orga
While managing the image of audit practice maynot require change
in practice, an impact on proWt-ability and litigation risk does.
Therefore, toachieve their objectives Wrm administrators neededto
induce real change in audit techniques. How-ever, earlier
discussion of the potential tensionsbetween diVerent roles played
by audit methodol-ogy draws attention to fact that practical
imple-mentation of the new methodology requirednegotiation with
practitioners. A programmedesigned to change audit methodology in
order toimprove the status, proWtability and legitimacy ofaudit
practice is not necessarily consistent with theproduction of a
culturally legitimate audit Wle. Thisrepresented an ambitious
programme for two rea-sons. First, in the institutional environment
theBRA faced a battle for credibility amid signiWcantskepticism
from regulators and academics (Curtis& Turley, 2005). Second,
beneath that issue lay aseparate battle at the level of audit
practice: totransform the BRA into practical changes inhighly
institutionalized audit techniques, in a cli-mate of practitioner
resistance to control byadministrators (Covaleski, Dirsmith, Heian,
&Samuel, 1998). It is this battle that is essentially
thesubject of this study.
The transformation of an innovation in auditmethodology into
implemented practice cannot beassumed as unproblematic. Power
(1997), drawingon Rose and Millers (1992) distinction
betweenprogrammes and technologies, suggests that theprogrammes, or
ideas and concepts which shapethe mission of audit practice, may be
only looselycoupled to the procedures performed in their name(p.
8). This distinction is useful in clarifying the ten-sions between
diVerent roles played by audit meth-odology in the production of
diVerent types oflegitimacy. In particular, practitioners
perceptionsregarding what is a legitimate, visible and defensi-ble
evidence process may help to explain how suchloose coupling can
arise. This study was, therefore,motivated by a desire to
understand how the BRAresulted in changes (if any) in auditing
evidencetechniques employed by practicing auditors(Power, 2003;
RadcliVe, 1999).
To understand the translation between pro-gramme and practice,
it is not suYcient to lookzations and Society 32 (2007) 439461
simply at oYcial descriptions of the techniques putforward by
the Wrms or to count the number ofinvoices vouched under diVerent
methodologies.The implementation of auditing techniques cannotbe
considered in isolation from the auditsperformed and the
organizational context in whichthe methodology is implemented. To
provide directevidence on implementation and changes inpractice,
the remainder of this paper analyses acase study of an actual audit
engagement, con-structed from the audit work papers over a Wveyear
period during which the BRA was introduced,together with interviews
with members of the auditteam.
Research methods
Preparation for conduct of the case study beganwith a
preliminary meeting in one of the oYces ofthe accounting Wrm that
was the subject of thisstudy, to review the guidance materials
provided toaudit staV, have discussion with the partner (here-after
P1) responsible for implementing the newmethodology, and review a
set of client Wles with asenior (hereafter S1) to explain how the
BRA hadbeen operationalised. A second preliminary meet-ing in a
second oYce comprised discussion with apartner (hereafter P2)
involved in the developmentof the methodology on a worldwide basis,
furtherreview of the detailed staV guidance and a discus-sion of
implementation issues. It became apparentat this meeting that the
methodology had evolvedthrough a number of versions and it was
thereforeconsidered that a longitudinal perspective wouldprovide
the best insight into the manner in whichthe BRA had been
implemented.
The speciWc case to be investigated was chosenin conjunction
with P2, who authorized access tothe work papers. In selecting the
client, three fac-tors were considered to be important. First,
thecase had to be of suYcient size and complexity toensure that the
change in methodology would beevident in the work papers. Second,
the clientought not to be so complex as to render it overlytime
consuming to understand the audit Wles asWeld work for data
collection was limited. Third,ni
-
niE. Curtis, S. Turley / Accounting, Orga
the clients Wnancial condition ought to be suY-ciently stable to
ensure that any changes in thenature and extent of the work were
primarilyrelated to the implementation of the BRA ratherthan to
changes in the companys condition. A cli-ent operating in the
wholesale/distribution indus-try was chosen. This company had been
a client forin excess of 10 years and had experienced steadygrowth
throughout the Wve-year period of the casestudy. The client also
had the advantage of consid-erable continuity within the audit team
during thisperiod. A span of Wve years was chosen because theBRA
had been Wrst implemented for this client forthe audit of the
Wnancial statements for the yearended 31 December 1997. Hence 1996,
being theWnal year of the old methodology, was included.The most
recent audit completed at the time of theWeldwork was for the year
ended 31 December2000.
Collection of evidence took place in the auditWrms oYces. Access
was provided to: all of theaudit work papers for the Wve years
under review;the Wnal published accounts including Auditorsand
Directors Reports; the general correspondenceWle; audit Wrm
management accounting recordsshowing audit hours charged to the job
number bycategory of staV; and the oYcial methodology guid-ance
given to each member of staV of the Wrm.
Three individuals were seniors on this clientover the Wve-year
period (referred to hereafter asS2, S3 and S4). All three had since
been promotedto manager and were still employed by the Wrm.All were
available for interview at the time theWeldwork was undertaken and
semi-structuredinterviews were undertaken with S2 and S4. S3,who
had been involved in the audit from 1997 to2000 from staV level up
to manager level, wasvery interested in the case study and
regularlystopped by for casual conversations, to give opin-ions, to
help with understanding the work papersand to explain how the
methodology had beenapplied. The latest version of the software
used tosupport the methodology was also made available.Given the
extent of the documentation and thelimited time available, detailed
review of the workpapers was restricted to three years 1996,
1998and 2000. The work papers for the interveningzations and
Society 32 (2007) 439461 447
years were reviewed and some data was collected,but in less
detail.
Notes were taken during the course of eachinterview and a
detailed recollection of the inter-view based on the notes was
written up immedi-ately afterwards. Copies of some
documentation,such as the oYcial guidance on the methodology,and
some print-outs from the accounting Wrms jobcosting records, were
provided and this documen-tation has been retained as part of the
case studydatabase (Yin, 1994).
An interesting feature of the study, which wasnot anticipated at
the outset, was the evolution ofthe oYcial BRA methodology over the
Wve yearscovered by the case study. During the Wve-yearperiod under
review, two updates of the originalversion of the methodology were
issued. Copies ofeach of these were obtained to assist in the
inter-pretation of the audit work papers. A draft copy ofthe next
version which was to be piloted for auditsfor the year ended
December 2001 was alsoobtained. While the purpose of this paper is
not topresent a detailed analysis of the changes from oneversion to
another, it is notable that areas whichcaused controversy in
implementing the approachwere related to changes made in the
diVerent ver-sions of the global methodology, which demon-strates
that continued development of themethodology by the administrators
involved inter-action with experience from implementation
inpractice.
Following the initial analysis of the data and thepreparation of
an early draft of the Wndings, followup interviews were conducted
with P2 and S2,where the Wndings were discussed. Both conWrmedthat
the Wndings were consistent with their generalexperiences of
implementation.
The discussion in subsequent sections attemptsto communicate the
Wndings of the study throughanalysis of three main themes. The Wrst
section dis-cusses changing the focus of the audit to businessrisk
and considers the impact on the identiWcationof risks. The second
section analyses changes in thenature of the audit work actually
performed, anddiscusses the diYculties of implementing change.The
third section considers the impact of the BRAon cost and
revenues.
-
nd
tes w
eta
Rheeyye
aesn
h
sitp
ouTable 1The Wve modules of the audit process dedicated to
assessing risks u
1. Evaluation of the clients risk management processThe Wrst
module was a tool to support the evaluation of the clienstructured
decision aid that evaluated the risk management procsupported by a
speciWc section in the Wrms proprietary database
2. Analysis of client business environmentThe second module was
designed to analyse the industry and therelevant industry-wide
analysis from a proprietary knowledge dabusiness processes.
3. Preliminary analytical review (PAR)The third module was a
software tool available to support the PAanalyses performed in the
manually produced PAR for each of ta high-level variations analysis
and a ratio analysis were performto include high precision
variation analyses (e.g., by month and bother management accounting
data. This review was updated at
4. Consideration of business risksThe Wrm described the fourth
module as a framework for systemthreatening the organization as a
whole or speciWc business procfor communication regarding business
risks and business risk madatabase, which allowed the audit team to
further investigate eac
5. Information XowsThe Wnal module was intended to facilitate
the understanding ofprocessing risks. The software included a tool
to support the creaof risks and controls within those processes.
Industry-speciWc temAlternatively, memos describing procedures,
risks and controls cer the BRA
s risk management process. This module was a computer-based,ses
at a strategic level in the client organization. It washich
included studies, best practices and other resources.
nvironment in which the client operates and was supported
bybase. This analysis resulted in the identiWcation of critical
. The audit team did not make use of this tool. However, the
three years were compared. In 1996, under the old methodology,
d. After the implementation of the BRA, the PAR was extended
product), key performance indicators used by management, andar
end.
tically understanding and identifying the types of business
risksses within the organization ... it also supports a common
languageagement. This tool was also supported by the Wrms
proprietaryrisk speciWed and to obtain industry speciWc guidance on
that risk.
gniWcant information Xows and identiWcation of informationion
and modiWcation of process diagrams and the documentationlates were
available within the Wrms database to support this.ld be used to
document critical processes.448 E. Curtis, S. Turley / Accounting,
Organizations and Society 32 (2007) 439461
Changing the focus to business risk and business processes
This section provides a description of the mannerin which key
concepts of the BRA were operationa-lised through changes in the
audit methodology. Italso explores the reasons why audit staV
reportedthat they found the BRA more judgemental andambiguous than
the previous approach.
Changing the focus from Wnancial statements to business risk
The pre-existing methodology applied on the1996 audit used a
sequential, word-based, standardaudit planning work programme which
led theaudit senior through the planning in a structuredfashion.
Risks were identiWed, audit work pro-grammes were developed and
work papers wereorganized primarily with reference to
individualWnancial statement captions. These structures sup-ported
the Wnancial statement focus of the tradi-
tional audit risk model approach of the 1980s andearly 1990s.
The BRA envisaged a much broaderunderstanding of the business to
support theassessment and analysis of business risks. To
facili-tate the acquisition of this understanding and theassessment
of risk, the methodology provided Wveseparate computer based
modules which aredescribed in Table 1.
In order to change the focus of risk assessmentfrom the Wnancial
statements to the business as awhole, two important changes were
made to themethodology. First, only one of the planning mod-ules
described in Table 1, the preliminary analyticalreview activity,
was directly related to the Wnancialstatements, and even there
emphasis was placed onkey operational data and on future as well as
pastperformance. All of the other modules weredesigned around the
business and not the Wnancialstatements. Second, the audit work
papers wereorganised around the identiWed risks instead ofWnancial
statement captions. Both of these changescould be expected to be
signiWcant forces encourag-
-
niE. Curtis, S. Turley / Accounting, Orga
ing staV to think about the audit diVerently. Theassessment of
risk was supported by all Wve mod-ules and the methodology stressed
the interrelatednature of the modules in assessing risk. The
soft-ware included a summary Risk Tracker, to docu-ment risks from
all Wve modules as soon as theywere identiWed and to drive further
audit work.
The seniors generally felt that the software tool-set which
supported the Wve planning modules ofthe new approach genuinely
helped the audit teamto get a better understanding of the business
andindustry. They suggested that it helped the team tothink about
business risk and represented a signiW-cant improvement over the
checklist approachof the old methodology. However, all of the
seniorsfelt that applying the new methodology was amuch more
judgemental process. The presence ofsigniWcant elements of
structure to support riskanalysis did not remove ambiguity and the
needfor judgement. Discussion with P2, S2 and S4 high-lighted
signiWcant reasons for this. Under the oldmethodology risk analysis
was carried out primar-ily on a Wnancial statement caption by
captionbasis, which gave the seniors a Wnite number ofcaptions to
consider, whereas under the BRA busi-ness risks were to be
identiWed from what P2referred to as a universe of business
risks.According to the partners, this created a sense ofinsecurity
as to whether all relevant risks had beenidentiWed. Risk assessment
was a more ambiguousprocess and demanded more from staV at
relativelyjunior levels who were used to dealing with ahighly
structured methodology.
There was also evidence that, despite the Wvemodules to guide
the identiWcation of business risk,the seniors actually identiWed
the risks in diVerentways. This did not reXect the integrated
approachconceived by the methodology. In 1998, it is clearthat S3
relied heavily on the framework for consid-eration of business
risks (the third module describedin Table 1) in identifying the
risks for further auditconsideration. The risks identiWed on the
risktracker in the work papers were comprised entirelyof risks
identiWed when completing this module, andthe language used to
describe those risks was alsotaken directly from this module. In
2000 S4 did notuse any links to the risk summary throughout the
Wve modules, but approached the risk summary as azations and
Society 32 (2007) 439461 449
blank sheet of paper after completing the Wve riskassessment
modules. S4 explained that this waswhere the thinking would start
and would havereference to the Wnancial statements and prior
yearwork papers when considering risks. This resulted indiVerent
categorization of risks on the risk trackerby the three diVerent
seniors (S2, S3 and S4) whoprepared the risk summaries. They also
used diVer-ent terminology to describe similar risks. For exam-ple,
S3 classiWed the risk associated with thewarranty provision under
the heading product orservice failure whereas S4 classiWed this
risk underthe heading judgements and estimates, whichencompassed
other estimation risks. The sense ofinsecurity created by the
potential for variation inthe risks identiWed, and consequently in
the natureand extent of the audit work, seemed to create aneed for
a mechanism to ensure the completeness ofthe audit risks identiWed.
As a result of these diYcul-ties, the global methodology was
amended torequire an initial risk assessment by partners.Subsequent
business risk analysis by the audit teamwas aimed at validating
this initial risk assessmentand identifying other risks. The
initial risk assess-ment was seen as having a role to put
boundaries onthe scope of the risks to be addressed by audit
staV,who otherwise could potentially get lost in the uni-verse of
business risk.
The lack of a risk tracker prepared on a compa-rable basis in
1996, and the diVerent terminologyand categorization of risks in
1998 and 2000, madeit problematic to prepare a sensible comparison
ofrisks identiWed across each of the years 1996, 1998and 2000.
Nonetheless, there are some noteworthycomments that can be made
regarding the identiW-cation of risks after the implementation of
theBRA. Risks which were directly related to Wnancialstatement
captions were largely the same bothbefore and after implementation.
The only signiW-cant diVerence was that the risks were speciWedmore
precisely, as opposed to denoting the relatedaccount captions as
risky (e.g. risk of credit defaultas opposed to the debtors caption
being consideredrisky as a whole). Similarly, after the
implementa-tion of the BRA, speciWc aspects of the informa-tion
system were identiWed as risks. However, therewas little change in
the audit approach to informa-
tion systems.
-
ni450 E. Curtis, S. Turley / Accounting, Orga
Two business risks unrelated to the Wnancialstatement captions
were identiWed after the imple-mentation of the BRA which had not
previouslybeen identiWed as risks. Authority and limit (risk
ofunauthorized transactions) was classiWed as a mod-erate risk in
both 1998 and 2000. Capacity (moder-ate risk) was classiWed both as
an opportunity toimprove the clients business and as a business
riskin 1998, whereas it was considered only an opportu-nity to add
value in 2000. The inclusion of previ-ously unidentiWed risks on
the risk tracker suggeststhat seniors were taking a broader view of
the busi-ness. However, the identiWcation and summariza-tion of
risks is not important for its own sake, ratherit is important
because it potentially drives diVer-ences in the nature and extent
of audit work done.This is examined in a later section of the paper
onchanges in the nature and extent of audit work.
Removing the distinction between planning and audit work
In common with most methodologies utilizingthe audit risk model,
the previous methodology ofthis Wrm had a very clear distinction
between auditplanning and evidence collection. At the end of
theplanning, the audit approach had been decided onand work
programmes were agreed. Field workcomprised the completion of the
work set out bythe work programme. Under the BRA there wasno clear
distinction between planning and Weld-work. A signiWcant part of
the risk assessment pro-cess involved the analysis of critical
businessprocesses in order to identify risks and related con-trols.
Unlike Wnancial statement balances, riskscannot be substantiated;
logically they can only beaudited by auditing the controls over
such risks.The BRA implemented by this Wrm required thatcontrols
over risks were identiWed, evaluated andtested. Where controls over
a risk were found to beeVective, the risk was considered reduced to
anacceptable level. In this case no further auditwork was to be
performed unless speciWcallyrequired to comply with GAAS. Where
there werecontrol deWciencies, and hence residual audit
risk,additional audit work of a substantive nature wasrequired in
respect of Wnancial statement balances
potentially impacted by the risks. Thus the BRA aszations and
Society 32 (2007) 439461
implemented by this Wrm envisaged a largely con-trols-based
approach to the audit. This representeda substantial shift in
emphasis from the audit riskmodel approach, where it was possible
to performa wholly substantive audit if this was considered tobe
more eYcient than testing controls.
Under the previous approach, work pro-grammes for compliance and
substantive workwere developed from standard schedules of
audittests. These work programmes, which were an out-put of the
audit planning process, eVectively putboundaries on the audit for
the audit staV. Underthe BRA the audit approach developed as
theaudit progressed from a prima facie stance thatcontrols testing
would be used where possible. Themethodology was set out as a
process whereby thequestion was constantly asked Have we
addressedthis risk? Thus, the evidence programme devel-oped as the
audit progressed, requiring continualjudgements on the part of the
senior. Audit staVperceived the BRA process as a more Xexible
andunstructured process.
The BRA was intended to focus auditors atten-tion on business
risk by weakening the linkbetween the risk assessment process and
the Wnan-cial statements, and audit work was to be driven
byidentiWed risks rather than Wnancial statement cap-tions.
However, the changes in the nature andboundaries of audit work
created potential con-Xicts with practitioners existing conceptions
ofwhat was good practice and necessary to delivera legitimate audit
process. It was clear that in prac-tice the seniors found that
determining the mix ofaudit work was a much more ambiguous, and
con-sequently diYcult, task when the boundaries pro-vided by
standard work programmes and Wnancialstatement captions were
removed.
Changing the nature of the audit work
This section examines the actual changes in thenature and extent
of audit work after the imple-mentation of the BRA and explores the
diYcultiesexperienced in achieving the changes in audit test-ing
envisaged by the BRA.
As the working papers were organized around
identiWed risks rather than account captions, pre-
-
ni
s p
ntonE. Curtis, S. Turley / Accounting, Orga
Table 2Analysis of controls testing after implementation of the
BRA
a There was no reference to the evaluation or testing of
controlstatement that they were relied on. The provision was tested
by the
Risks identiWed on risk summaries
1998
Controlsdesignevaluated
Controlstested
Controlsrelied on
Additiosubstanwork d
Obsolescencea S, P, Mb S, P, M Yes YesCredit default S, P, M S,
P, M Yes YesTax and related parties No No No YesValuation of
Wnancial
instrumentsS, P, M No No Yes
Foreign currencytranslation
S, P, M No No Yes
Performance incentives S No No YesWarranty provision S No No
YesAuthority and limit S, P, M S, P, M Yes No
Information systemsintegrity andinfrastructure
S, P, M S, P, M Yes No
Access S, P, M S, P, M Yes NoCapacity S, P, M S, P, M Yes Noas
predictive testing (see notes to Table 3).zations and Society 32
(2007) 439461 451
in relation to the obsolescence provision in 2000, and no
speciWcerformance of a CAAT on the computation of the provision.
This
2000
alive
e?
Controlsevaluated
Controlstested
Controlsrelied on
Additionalsubstantivework done?
No No No YesNo No No YesNo No No YesNo No No Yes
No No No Yes
No No No YesNo No No YesAccording to S4 it was felt this was
adequatelyaddressed in previous years and decision was takento do
no further workAccording to S4, Wrm specialists did full
assessmentof the clients information system in 1999, whichwas
updated in 2000N/A N/A N/A N/AN/A N/A N/A N/Aparing a comparison of
the nature and extent ofwork done by account caption over the three
yearsexamined was not straightforward. In order tostudy whether the
logic of the new methodologywas followed in practice, Table 2
summarizes thenature of the audit work in respect of each
riskidentiWed on the risk trackers in 1998 and 2000,focusing
particularly on the nature of controls test-ing. This table follows
the intended format of theWles after implementation of the BRA.
Table 3 onthe other hand summarizes audit work done byWnancial
statement account caption for 1996, 1998and 2000, analyzed into
four categories: tests ofcontrols, tests of detail, low precision
analytics andhigh precision analytics.1 The signiWcant features
of both tables and the extent to which the nature oftesting
changed after implementation of the BRAare considered in the
following discussion.
The guidance issued to staV was explicit aboutthe objective of
decreasing the amount of substan-tive testing to be performed:
The assessment of client risk controls alsoprovides a basis for
transitioning from lim-ited to extensive reliance on client risk
con-trol processes and developing value addedinsights on improving
client risk controlprocesses Our previous emphasis on sub-stantive
tests as the primary or only methodof managing residual audit risk
will decreasesigniWcantly.
Table 2 highlights diYculties in achieving a last-ing move to an
audit designed to address risks andrelated controls. In 1998, while
the audit team didfollow the logic of evaluating and testing
controlsover risks envisaged by the BRA, substantive test-ing on
material accounts remained very stable
1 Low precision analytics refers to relatively simple
analyticalreview work, such as reviewing for unusual items and year
onyear comparisons of numbers. High precision analytics may
in-volve a greater degree of detail, for example looking at
monthlyWgures and distributions and analysing sub-populations,
andwork that involves more deWned analytical expectations, such
has been interpreted as a substantive test, although such tests
can provide evidence of the operation of controls.b S D speciWc
controls; P D pervasive controls; M D monitoring
controls.throughout the period covered by the study. In the
-
452 E. Curtis, S. Turley / Accounting, Orga zations and Society
32 (2007) 439461ni
Table 3Summary analysis of the nature and extent of audit work
in each of the three years examined in detail
This schedule does not purport to represent all of the audit
work that was performed on this audit. Other areas of audit work
such asrelated parties, going concern, fraud risk assessment,
commitments and contingencies, subsequent events etc. were
completed but arenot included in the summary presented here.
a Materiality: The summary of work done includes a materiality
weighting for each account, where 0 represents aggregate
balanceswhich are less than materiality, 1 represents balances
which are between 1 and 4 times materiality, 2 represents balances
which arebetween 5 and 10 times materiality and 3 represents
balances with are in excess of 10 times materiality. In the case
where captions fellinto more than one category over the three
years, the range of materiality is given. This helps to illustrate
the stability of the balancesheet relationships over the period of
the case study.
Captions Materiala 1996 1998 2000
CTb TDc LPAd HPAe CT TD LPA HPA CT TD LPA HPA
Fixed assetsTangible assets 1 2 Y Y Y YIntangible assets 0 2 Y Y
Y YFinancial assets 23 2 Y 2 Y 2 Y
Current assetsStock 3 3 Y Y 3 Y 1 Y
provision 3 Y Y 3 Y CAATf CAAT YDue from aYliates 01 2 Y 2 Y 2
YTrade debtors 3 2 Y Y 2 Y Y 2 Y Y
provision 3 Y Y Y 3 Y 3 Y YOther current assets 1 Y Y YCurrent
asset investments 3 3 Y 3 Y 3 YBank and cash 13 3 Y 3 Y 3 Y
Current liabilitiesBank overdrafts 3 3 Y 3 Y 3 YTrade creditors
1 Y Y YDue to aYliates 3 2 Y 2 Y 2 YOther short term
creditors/accruals3 3 Y Y 3 Y 3 Y Y
ProvisionsPension 0 2 Y 2 Y 2 YWarranty provision 1 3 Y Y 3 Y Y
3 Y YDeferred income 2 3 Y 3 Y 3 Y
Shareholders equityand reserves
3 1 Y 1 Y 1 Y
ProWt and lossTurnover 3 Y Y Y Y Y YCost of sales 3 Y Y Y Y Y
YGross proWt Y Y Y Y Y Y YG&A 3 2 Y Y 1 Y 1 YSelling expenses 3
2 Y 2 Y 2 YOther income 2 Y Y Y 1 YInterest expense 1 Y Y Y
YExchange loss 1 2 Y 2 Y 2 YTaxes 1 3 3 3
Business risksAccess and information
systems integrityY Y
Authority and limit Y NCapacity riskg Y
-
ni
tet o (mar
igsistE. Curtis, S. Turley / Accounting, Orga
case of credit default risk and obsolescence risk,which relate
to material judgemental balances inthe accounts, even though
controls were tested andthe work papers explicitly stated that they
wererelied on, traditional substantive work was alsoperformed. This
represented testing levels in excessof that required by the
methodology. Table 2 alsoshows that in 2000 controls were assessed
asineVective for all of the risks identiWed on the risktracker,
with all of the risks being addressed by tra-ditional substantive
work on the account captionsrelated to the identiWed risks. This
resulted in anaudit approach which was very similar to theapproach
in 1996 under the pre-existing methodol-ogy. Table 3, which
summarizes the work done byaccount caption, tells a similar story.
This tableillustrates that the only year in which a
signiWcantamount of controls testing took place was 1998,and even
then there was very limited reduction insubstantive testing. The
only change in tests ofdetails was a reduction in the extent of
substantivetesting on tangible assets and general and
adminis-trative expenses.
Table 3 (continued)b CT: Tests of control. This table indicates
whether controls were
the extent of the control testing in each area. The nature and
extenc TD: Tests of details. A relative weighting of 1 (limited
work) 2
given to the extent of tests of details. These weightings are
necessauthors experience of auditing practice.
d LPA: Low precision analytics. Under the LPA column, the
desperformed. Examples of LPA include year on year variations
analy
e HPA: High precision analytics. Procedures such as predictive
teuct analyses, are considered to be HPA.
f See Footnote a to Table 2.g Not classiWed as a business risk
in 2000.nied by limited reduction in substantive testing andzations
and Society 32 (2007) 439461 453
followed by what appeared from the Wles to be areturn to a more
traditional substantive approachby the fourth year after
implementation. Three sig-niWcant issues which appeared to
contribute to thispattern of behavior are discussed below.
Problems with linkage
From the earliest discussion with seniors andpartners in this
study, it became apparent thatthere were problems linking the
evidence collectedin relation to the risks and related controls
withWnancial statement amounts. Although it may begenerally
accepted that business risk is related toaudit risk, it seemed that
practitioners wereuncomfortable with the inference involved in
con-cluding on the veracity of Wnancial statementsbased on evidence
supporting the existence of con-trols over business risks. S2 noted
that this prob-lem did not just relate to staV, but that
managersand in some cases partners were uncomfortableabout linkage.
S1 commented that it was commonfor line managers to request a
senior to prepare a
sted in a particular area; however, it does not attempt to
quantifyf control testing is further analyzed in Table 2.oderate
amount of work) or 3 (signiWcant amount of work) was
ily subjective as no objective measure is available, but reXect
the
nation Y indicates where simple analytical review work has beens
or review for unusual items.ing or detailed variations analysis,
such as by-month or by-prod-The BRA also envisaged greater reliance
onhigh precision analytics. Table 1, which describesthe risk
assessment modules, notes an increase inthe use of high precision
analytics for the prelimi-nary analytical review and this analysis
wasupdated at the Wnal audit. Other than this, Table 3shows little
evidence of signiWcant substitution ofhigh precision analytics for
other forms of substan-tive testing.
Interviews with the seniors and partnersattempted to probe the
reasons why initial eVortsto move towards controls testing were
accompa-
summary of work done by account caption, inorder to bridge this
gap. This problem may reXecta more generic problem of linkage
between auditwork done and an opinion expressed on
Wnancialstatements, which was exacerbated by changing thefocus from
Wnancial statement risk to business risk.This issue is taken up in
the implications section ofthe paper.
This question of linkage was discussed withboth partners. P2,
who was involved in the develop-ment of the methodology, explained
that there wasa controversy at an international level between
those who considered that focusing on the Wnancial
-
ni454 E. Curtis, S. Turley / Accounting, Orga
statements at an early stage in the audit had thepotential to
distract the audit team from a businessrisk perspective and those
who felt that restructur-ing the audit, including the audit work
papers,entirely around business risk led to a concern thatall
Wnancial statement risk was not addressed. Thisdebate was
eVectively resolved in favour of tighterlinkage between risks and
Wnancial statements andthe requirement for the audit team to
produce alinkage schedule, cross referencing the Wnancialstatement
captions to work done in addressingbusiness risks, was introduced
for audits for yearsending 31 December 2000.
Evidence related to high level controls
A second issue in the implementation of theBRA was the suYciency
of evidence available tosupport the operation of high level
controls. Thelogic of the BRA approach suggests that if theauditor
can identify the sources of business riskand ensure that the client
has appropriate systemsto monitor and manage that risk, there is
littlevalue in extensive detailed testing. The BRA envis-aged a
change in the balance of audit testing fromlarge volumes of
low-level transaction controls tohigh-level monitoring or
supervisory controls. Thiswas to be achieved by classiWcation of
controls asspeciWc, pervasive or monitoring. The audit teamwas
required to evaluate the design of all threetypes of controls in
relation to identiWed risks, butonly pervasive and monitoring
controls (i.e. high-level controls) were to be tested and if they
werefound to be operating eVectively reliance wasplaced on these
controls. SpeciWc risk controls,which are typically transaction
level controls, wereonly to be tested where pervasive or
monitoringcontrols were considered ineVective.
Auditors had diYculties obtaining what theyconsidered to be
suYcient evidence for the opera-tion of high level controls, and
therefore realizingthe intended payoV from the anticipated
reductionin testing large samples of transaction level con-trols.
Table 3 highlights the fact that, despite theclear hierarchy in the
type of control to be testedaccording to the oYcial methodology, in
everyinstance where staV explicitly relied on controls in
1998, all three types of control were tested. Thiszations and
Society 32 (2007) 439461
represented controls testing levels in excess of thatrequired by
the methodology and is likely to havecontributed to the substantial
increase in audithours (discussed in the next section). It
wouldappear that audit staV were reluctant not toemploy established
procedures that they regardedas good practice to give the audit an
adequate evi-dence base.
Discussion with the seniors about the reasonsfor testing all
three types of controls suggested thatthey were uncomfortable with
the suYciency of theevidence provided by high-level controls
alone.They questioned the sensitivity of those types ofcontrols to
identify and correct misstatements,especially in the case of
signiWcant judgements andestimates, such as a bad debts provision.
The diY-culty of Wnding evidence to support the operationof
high-level controls was noted by S1, citing thetendency of audit
staV to document work done onhigh level-controls with comments such
as TheWnancial controller stated that he reviewed.This senior
commented that staV often had to besent to seek further documentary
or corroborativeevidence that reviews had taken place. Even
withsuch additional procedures, auditors remaineduncomfortable with
this soft type of evidence.The evidence available to support the
existenceand operation of high level controls fell short ofthe
practitioners perceptions regarding what con-stitutes suYcient
appropriate evidence. Concernswith the ability of high level
controls to identifymaterial Wnancial statement misstatement
werealso echoed by standard setters involved in draft-ing the
IAASBs auditing standards in response tothe development of the BRA
(Curtis & Turley,2005).
The diYculties experienced in replacing sub-stantive procedures
with softer evidence on highlevel controls could be interpreted as
a problem ofdisplacing highly institutionalized procedures.However,
practitioners must personally answer topeer reviewers and the
courts for the quality of theaudit performed, which is assessed on
the basis ofthe documented audit Wles and not the tacit knowl-edge
or comfort level of the practitioner. Even ifthe assessment of
business risks and testing of highlevel controls over these risks
provides the best
assurance on the veracity of Wnancial statements,
-
niE. Curtis, S. Turley / Accounting, Orga
as is claimed by proponents of the BRA, practitio-ners seek to
produce a legitimate defensible recordof the audit which conforms
to institutional pre-scriptions of what a set of audit Wles should
looklike (Dirsmith et al., 1985).
Time and skills required for controls testing
A further issue in the implementation of theBRA related to the
time, eVort and skills requiredto document business processes,
identify risks andcontrols within those processes, and design
testsfor those controls. It was evident from the Wles anddiscussion
with the seniors that a substantialamount of time was invested in
these activities inthe early years of implementation. Discussion
withthe partners about the extent of and commitmentto a
risk/controls based audit revealed that bothpartners had some
concerns about the audit staVsability to map critical processes,
identify risks andrelated controls and devise testing plans for
thosecontrols eYciently and eVectively. Both partnersstated that
staV required signiWcant training to per-form these functions
eYciently. In relation to the2000 audit, both the manager and
senior wereasked whether controls were deemed ineVectivepurely on
eYciency grounds, or whether the assess-ment reXected a true
appraisal of the controls,which was the intended outcome of the BRA
audit.The manager suggested that eYciency consider-ations had
dominated, although the senior quali-Wed this (in a separate
interview) suggesting thatit was felt that suYcient controls work
had beendone over the previous few years, so a largely sub-stantive
approach was taken in 2000. Despite thesubstantial amount of
controls work done over theperiod 199699, the Wles explicitly
stated that con-trols were not relied on in 2000. This contrasts
withthe partners who expressed the view that goingback to the days
of balance sheet bashing (aterm used by S2 to describe a wholly
substantiveaudit approach) was seen as undesirable and con-Wrmed
the continuing commitment to improvingstaV skills in this area.
There may be more than one explanation forthe diYculties in
achieving the changes in thenature of audit testing which were
envisaged by the
BRA. It is possible to argue that the reluctance tozations and
Society 32 (2007) 439461 455
substitute the testing of high level controls andhigh precision
analytics for traditional substantivetesting is a straightforward
story of anchoringbehavior by practitioners. However, it may be
thatpartners and managers perceive the legitimacy ofthe audit Wle,
which they personally must defend,to be tightly bound up with the
performance ofsuch institutionalized procedures. This
problemappears to have been exacerbated by perceivedlack of linkage
between a BRA audit and theWnancial statements. While the rationale
underly-ing the BRA conceptualized the audit in a way
thatessentially was not deWned by the Wnancial state-ments, this
was challenged by the practitionersneed to feel satisWed that the
audit had adequatelycovered the Wnancial statement amounts.
Anotherobstacle to a lasting move to a controls based auditis that
controls testing can be much more expen-sive and require higher
skill levels than substantivetesting. The administrators may have
underesti-mated the degree of organizational change (such
asemploying individuals with more experience ordiVerent skill sets)
required to implement the BRA.This may have resulted in diYculties
in achievingthe commercial objectives envisaged by the BRA,an issue
considered in the next section.
Costs and revenues
This section examines both the impact of BRAimplementation on
costs and the outcome in termsof revenue generation. One reason
that has beensuggested for the introduction of the BRA wasthat it
was intended to increase revenue as opposedto reduce cost.
Discussion with partners at the preliminarymeetings revealed
that they anticipated a substan-tial investment during the
implementation of theBRA, when documentation of business
processesand the related business risk assessment would beperformed
for the Wrst time. However, they antici-pated that this would be
oVset in part by the imme-diate reduction in the amount of
transactioncontrol testing and/or detailed substantive
workperformed, and in part on future audits, by theability to roll
over much of the business risk assess-
ment from year to year. The partners were explicit
-
i456 E. Curtis, S. Turley / Accounting, Orga
about the beneWts this approach entailed in termsof audit
eVectiveness, reduced risk of litigation andvalue to the client. P2
stressed the intention to de-commoditize the audit, referring to
the BRA as aclient value oriented, multi-services sales plat-form.
This was intended both to deliver value tothe client as part of the
audit process, which shouldallow for better recoveries on audit
fees, and toidentify potential opportunities for the delivery
ofconsulting services.
Table 4 illustrates the extent of the investment inthe
implementation of the BRA on this client. TheWgures reXect the
reported hours charged by eachmember of staV to the job number. P2
conWrmedthat all hours incurred on audits during the
imple-mentation period of the BRA were to be charged tothe client
job number and Table 4 therefore reXectsthe investment in
implementation on the client. Theaudit Wrm did not recover the
substantial invest-ment made in the implementation period
throughincreased fees. The audit fee remained stablethroughout the
period of the implementation andas a result signiWcant write-oVs
were incurred.Audit hours increased dramatically in 1997, the
Wrstyear after implementation, and remained at thatlevel in 1998.
According to S3, this was due to thesubstantial amount of time
invested in completingthe Wve risk assessment modules of the BRA,
inparticular in documenting critical business pro-cesses and
identifying the related risks and controls.In addition during this
implementation period theaudit team members were also on a learning
curvewith the BRA, which dramatically changed theformat and layout
of the audit Wles, and with thesoftware used to prepare the
Wles.
Table 4Analysis of audit hours by level of staV
a The other category consists primarily of charges in relationto
tax personnel and (in 2000) charges in respect of computer
1996%
1997%
1998%
1999%
2000%
Partner/manager 14 18 19 16 20Senior 35 37 37 37 38StaV 48 40 40
40 31Othera 3 5 4 7 11Total 100 100 100 100 100Actual hours 658 969
904 729 663audit personnel for tests conducted in relation to
stock.zations and Society 32 (2007) 439461
The other notable feature of this table is the factthat the
implementation does show an increase inthe relative amounts of time
invested by audit part-ners, managers and seniors, suggesting that
theBRA demanded a somewhat diVerent humanresource proWle. The 2000
audit shows an increasein the amount of senior time relative to
staV time,though this may have been due to the fact that thissenior
had never previously worked on this clientand therefore required
additional time to becomefamiliar with the Wles.
The substantial increase in audit hours in theperiod from 1997
to 1999 which were not recov-ered through audit fees must have been
unsustain-able. The interview with S2 revealed that in theyears
1996 up to 1998, fee pressure on this job wasconsidered to be
average, or less than average. Thismay have been because of the
acceptability of costoverruns during the implementation phase.
How-ever, the interview with S4 revealed that she felt feepressure
was above average for the audit in 2000.Taking Fischers (1996) line
of reasoning from hisstudy of the implementation of new audit
technol-ogies, this fee pressure should have acted as a cata-lyst
for the unlearning of the old methodology andstimulated a response
of cutting back on the sub-stantive audit work, particularly given
the amountof eVort which had been expended in identifyingand
evaluating risks and controls over the previousthree years.
However, analysis of audit work donein the previous section
suggests that it resulted inreduced reliance on controls, despite
the fact thatthe stated methodology was to rely on the
controlstesting and to reduce substantive testing whereverpossible.
Even four years after implementation ofthe BRA, it appears that
practitioners remainedresistant to the implementation of a controls
basedapproach. While the previous section suggestedthat this may
have been because of lack of skills orconcerns over the legitimacy
of the evidenceobtained, this analysis suggests that it is also
possi-ble that it was uneconomic to continue with thisaudit
approach in the absence of an increase inaudit fees. Concerns have
been raised that theBRA was introduced as a means of justifying
lessaudit work in the name of producing auditeYciency. The Wndings
of this study that the imple-nmentation of the BRA actually
increased audit
-
tttttthe following extract from the documented metho-dology:
[the methodology] was designed so that eachcomponent contributes
to our understandingof senior managements business risk man-agement
activities. In this manner, the Wnd-ings of our audit not only
contribute to theability to opine on the Wnancial statementsbut,
importantly, they provide valuedinsights on improvements to the
business riskmanagement process and related risk
controlprocesses.
Any such opportunities identiWed in the courseof the audit were
included in a separate section ofthe risk tracker. Table 5 lists
the opportunities foradding client value identiWed in the planning
pro-cess on this client, together with a brief summaryof any work
performed during the course of theaudit.
It is clear from Table 5 that a considerableamount of time was
invested in examining the
Table 5Opportunities identiWed to add client value
1998 Work done
Budget and planning Process documenCustomer satisfaction Process
documenCompetitor industry Process documenCapacity Process
documenHuman resources Process documen
2000 Work done
Budget and planning No work done
Customer satisfaction No work doneCompetitor industry No work
doneCapacity and channel eVectiveness No work doneformed on these
matters. It seems likely that nowork was performed because there
was noexpected return on this investment, i.e. in the formof
revenue generated through non-audit services orbuilding client
relationships.
The case highlights the fact that although oneargument by which
the administrators sought topersuade the practitioners of the
beneWts of theBRA was that they would provide more value forthe
client, it is at the practitioner level that themethodology must be
translated into client value.This requires not only that the
practitioners actu-ally succeed in creating value for the client
but alsothat the client is willing and able to pay for
it.Anecdotally, four diVerent partners from this Wrmindicated that
clients were generally very happywith the new methodologies, and
that in generalaudit fee recoveries had improved. However, allfour
indicated that signiWcant sales of non-auditservices had not been
achieved.
This evidence raises questions about the com-mercial success of
the BRA in this case. It appears
ed by memo, controls evaluated and limited controls testinged by
memo, no controls evaluateded by memo, no controls evaluateded by
memo, controls evaluated and limited controls testinged by memo, no
controls evaluatedE. Curtis, S. Turley / Accounting, Organizations
and Society 32 (2007) 439461 457
costs is consistent with the work done by Blokdijk,Drieenhuizen,
Simunic, and Stein (2003) whofound that total audit time increased
in Big FiveWrms using business risk audits. This turns atten-tion
to the potential revenue generation capabil-ities of the BRA.
The idea of auditors providing useful advice toclients as a
result of their audit is certainly not new.However, the guidance on
the BRA issued to allaudit staV of this Wrm lists the identiWcation
ofopportunities to improve clients business as one ofthe primary
goals of the BRA, as is evident from
added value opportunities in 1998. It is not possi-ble to
identify the cost of this work as it is not ana-lyzed separately
and was charged to the job as partof the audit. It is interesting
however, that thesematters were not incorporated into a
managementletter. It may be that these matters were
discussedinformally with management, but if so this was
notdocumented in the Wles. Although the same issueswere again
identiWed during the planning processof the 2000 audit, no further
work was performed.In accordance with the Wrm guidance, it was
thepartners decision that no further work be per-
-
ni458 E. Curtis, S. Turley / Accounting, Orga
that implementation was very expensive as antici-pated. This was
exacerbated by problems in con-vincing practitioners to achieve a
payoV byreducing substantive procedures and placing reli-ance on
high level controls and analytical proce-dures. The study
illustrates that there is noguaranteed payoV from a BRA in terms of
eitherfee recovery or generation of additional services.
Discussion and conclusion
The literature reviewed in the early sections ofthis paper
points out how audit methodology maybe developed by the
administrative elements withinthe large accounting Wrms in response
to contex-tual pressures on auditors within those Wrms. Inthis
context, the BRA can be seen as a responseintended to address
commercial concerns aboutdecreasing audit proWtability and to
reduce expo-sure to catastrophic litigation, while improving
thestatus of the auditor by aligning the audit withhigher status
consulting work and the fashionablelanguage of risk management. The
purpose of thisstudy was to examine how the introduction of
theconceptual approach of the BRA translated intochanges in audit
techniques at a practical level. Theanalysis of the case study has
demonstrated thatthe BRA faced considerable diYculties in
achiev-ing the intended degree of change from practitio-ners and
identiWes two, potentially complementary,explanations for this.
Inference, linkage and legitimacy
The evidence of the case study suggests thatpractitioners were
uncomfortable with giving anaudit opinion on the Wnancial
statements based onindirect evidence drawn from analysis
concerningbusiness risks and the operation of high level con-trols.
This relates to the problem of inference inauditing, which is
essentially a generic problem ofmaking the connection between
collecting what isinevitably partial audit evidence and giving
anopinion on the Wnancial statements. Given thatthere is no general
theory of evidence aggregation(Gwilliam, 1987), issuing an audit
opinion inevita-
bly involves a degree of inference. However, thezations and
Society 32 (2007) 439461
case study suggests that some forms of evidenceare seen to
involve less inference than others. Theproblem of linkage between
testing controls overbusiness risks and Wnancial statement account
cap-tions ultimately forced an amendment to the glo-bal methodology
of this Wrm to strengthen thislinkage. This problem may reXect the
conditionthat auditors are generally less comfortable withthe
inference involved in testing and relying oncontrols as opposed to
testing the numbers them-selves. Jeppesen (1998) suggests that the
commontheme in audit history is the gradual substitutionof the
costly substantive auditing procedures.However, the history of
audit methodology doesnot suggest that this trend is uncontested or
con-tinuously in one direction. So-called systemsbased auditing was
favoured in the 1970s as a wayof getting away from substantive
testing and plac-ing reliance on systems of control, but in
imple-mentation practitioners often opted for bothcontrols reliance
and considerable substantive test-ing (Turley & Cooper, 1991).
A similar pattern wasobservable with the implementation of the
auditrisk model in the 1980s. While this model allowedauditors to
rely on evidence from their evaluationof controls, prior research
suggests that controlrisk was often assessed as high (The Panel
onAudit EVectiveness, 2000; Waller, 1993) with theeVect that audit
risk was primarily controlledthrough detailed testing. The case
study suggeststhat the problem of inference in controls testingwas
exacerbated in the case of the BRA, by chang-ing the focus from
Wnancial statement risk to busi-ness risk, which widened the
perceived gapbetween investigation and opinion. In this sense,the
evidence gathered on a BRA audit did not sat-isfy the practitioners
conceptions of an institu-tionally legitimate audit and, thus, the
productionof legitimacy at the level of the individual auditacted
as a constraint on the implementation of theBRA.
This concept of inference clariWes the problemsassociated with
the use of intuition or tacit knowl-edge of a company or industry
and other types ofsoft evidence. Proponents of the BRA claim
thatanalysis of business risks and related controls is thebest way
to produce valuable assurance about the
veracity of Wnancial statements and that an exten-
-
niE. Curtis, S. Turley / Accounting, Orga
sive amount of substantive testing actually pro-duces little
assurance if the business risks are notmanaged. However, the case
study suggests thatrelying on tacit knowledge or soft evidence,
whichinvolves signiWcant levels of inference, is problem-atic, not
because it does not potentially produceassurance, but because it
does not meet practitio-ners conceptions of legitimacy.
This aspect of the evidence from the case studysupports the
conclusions reached by Dirsmith et al.(1985), who recognized that
auditors must producelegitimate audit Wles but exhorted them to
under-take a judgemental audit at the same time. Thecase study
points to the fact that this approachinevitably has consequences
for the cost of anaudit since additional audit work must be
under-taken to support the production of legitimate auditWles. This
introduces the second signiWcant issuewith the BRA which is
suggested by the case study:problems with the business model.
The production of legitimacy and the production of proWts
The case study suggests that the BRA approachwas more expensive
and required higher skill levelsthan relying primarily on
substantive testing,which is generally uncomplicated. The
additionalcost was exacerbated by the lack of reduction
insubstantive testing discussed above. The case alsoillustrates
that there is no guaranteed payoV from aBRA in terms of either fee
recoveries or generationof additional services. Such a payoV will
always bedependent on speciWc circumstances of the clientand the
ability of the audit team to maximize anyrevenue generating
opportunities that exist. Thissuggests some diYculties with the
business modelwhich underpinned the BRA: Wrstly because thecosts of
implementation outweighed the revenuesgenerated; and secondly
because it suggests somemismatch between the BRA and the
organiza-tional structure which implemented it. Morris andEmpson
(1998) point out that the proWtability ofprofessional service Wrms
is dependent on theirability to deploy their knowledge to the
clientsadvantage, at a fee which generates a surplus overemployment
and overhead costs. They suggest that
highly structured audit methodologies facilitatezations and
Society 32 (2007) 439461 459
the delegation of routine audit work (i.e. the pro-duction of
audit Wles) to inexperienced staV toachieve above average proWts.
They also suggestthat delegation of tacit, intuitive and
judgementalwork to inexperienced staV is problematic, as thattype
of knowledge is less susceptible to codiWca-tion. Knechel
(forthcoming) makes a similar pointin suggesting that there is a
bottom up demand foraudit structure from inexperienced staV
withinaudit Wrms. Thus the hierarchical organizationstructure of
the audit Wrm is not necessarily suit-able for a methodology which
was both more judg-emental and ambiguous in its application andmore
demanding in terms of skill levels required ofthe staV. Morris and
Empsons study draws atten-tion to the diVerent structure of a small
consultingWrm, which reXects a greater focus on tacit knowl-edge
which is applied by the consultants to achieveresults in client
speciWc circumstances, representedin a relatively Xat organization
structure and lim-ited leveraging of knowledge. Consistent with
theWndings of the case study, this argument suggeststhat
implementation of the BRA would have bene-Wted from a diVerent
organizational structure, andone that was also better equipped to
provide theconsulting services. Thus the demand for the pro-duction
of legitimacy appears to constrain themanner in which proWts are
produced.
In conclusion, it can be argued that in develop-ing the BRA to
address concerns about the statusand proWtability of the auditors
in large Wrms, theadministrators who developed it did not give
ade-quate consideration to the role of audit methodol-ogy in the
production of legitimacy as understoodby the practitioners. Since
practitioners retain ulti-mate control over the nature and extent
of auditprocedures performed, this resulted in diYculties
inachieving a lasting move to a controls based audit.It also seems
that, in trying to reengineer the busi-ness model, administrators
gave inadequate consid-eration to the organizational structure of
the Wrmsand the manner in which this structure supports
theproduction of legitimacy. The development of theBRA approach may
have represented an ambitiousprogramme of change, but eVecting real
change inpractice requires more than simply training peoplein the
application of new terminology. Similarly, re-
branding of the audit product with clients,
-
ni460 E. Curtis, S. Turley / Accounting, Orga
regulators and academics is not suYcient to changethe