Appendix J

APPENDIX J: AUDIT BACKGROUND
Audit Defined – The Lima Declaration of Guidelines on Auditing Precepts
In 1998, the original Lima Declaration of Guidelines on Auditing Precepts was reviewed by the International
Organization of Supreme Audit Institutions (INTOSAI) and found to be still relevant and well accepted
(International Organization of Supreme Audit Institutions 2004).
The guidelines contain “timeless and essential values” that have remained topical for over twenty
years (Fiedler 1998). The revised guidelines state the purpose of audit:
Audit is not an end in itself but an indispensable part of a regulatory system whose aim is to reveal
deviations from accepted standards and violations of the principles of legality, efficiency, effectiveness
and economy of financial management early enough to make it possible to take corrective action in
individual cases, to make those accountable accept responsibility, to obtain compensation, or to take
steps to prevent – or at least render more difficult – such breaches. (International Organization of
Supreme Audit Institutions 1998, p.2 and International Federation of Accountants 2001, p.70)
Performance audit covers specific financial operations and the full range of government activity –
including organisational and administrative systems (Ibid., p.3).
Propensity to Rationalise – The Hidden Variable
As early as 1953, three factors were identified with the occurrence of fraud: motive, perceived
opportunity, and a propensity to rationalise (Cressey 1953). These three factors have been accepted as
being present in modern management fraud as: “Situational pressure”; “Perceived opportunity”; and
“Rationalization to act” (Association of Certified Fraud Examiners 1999, pp.4-7):
According to Cressey (1950), the propensity to rationalise is a moral weakness and a hidden variable.
Though hidden, auditors do make an assessment of this hidden variable when assessing the integrity
of management (American Institute of Certified Public Accountants 1996, 2002). (Watson 2004, p.3)
The Statement on Auditing Standards (SAS) No.82 refers only to ‘situational pressure’ and
‘perceived opportunity’ but still “requires that auditors make an assessment of the likelihood of
management fraud” (Apostolou, Hassell, Webber & Summers 2001, p.3). The third element
“rationalization to act” was captured in a later release of SAS No.99. Apostolou, Hassell and Webber
(2000, p.182) note that rationalisation to act is: “Related to the fraud perpetrator’s ability to reason that
the fraud is either temporary or somehow beneficial to the company”; and “Captures the perpetrator’s
ethical attitude towards committing fraud”.
Future research into the relationships between these three factors is suggested: “Finally, the role of
personal rationalisation or ethical attitude of the fraudulent act should be investigated, especially when
considered in concert with motivation and opportunity” (Ibid., p.189).
Based on their research surveys of thirty-five forensic experts, Apostolou et al. (2000, p.190) list the key
‘opportunity risk’ factors as:

Management’s failure to display appropriate attitude about internal control;

High turnover of senior management; and

Strained management/auditor relationships.
Forensic Expert Classification of Management Fraud Risk Factors
Apostolou et al. (2001) found that management characteristics and influence over the control
environment category were judged as the most important of the 25 risk factors identified in the SAS
No.82. This was supported by other research – e.g. Heiman-Hoffman, Morgan and Patton (1996) who
surveyed 130 ‘Big 6’ (USA) auditors for commonly cited management fraud warning signs and found
that the top ten warning signs can be classified as “management characteristics”. Apostolou et al.
(2001, p.4) note that earlier SAS No.65 and Statement on International Auditing Standards (SIAS) No.3
and No.5 call for greater cooperation and “coordination of internal and external audit efforts” to assist in
the “prevention and early detection of management fraud”. Ramos (2002) predicts a new expanded
arena of procedures to detect fraud with the wider adoption of SAS No.99, and a summary of
Chapter 2 (American Institute of Certified Public Accountants 2003) 1 of the guide advises auditors to
include:

An overall approach that includes scepticism which closely aligns with the precautionary
principle promoted by sustainability – “The auditor must set aside past relationships and not
assume that all clients are honest. The new standard provides suggestions on how auditors
can learn how to adopt a more critical, skeptical mind-set on their engagements, particularly
during audit planning and the evaluation of audit evidence” (Ibid., pp.1-2);

Brainstorming to set up the audit program and set the tone at the top for the engagement –
ensuring that group communications are maintained and support a “culture for engagement”,
“questioning mind” and a “proper degree of professional skepticism” (Ibid., p.2);

The possible need to “educate” management about the characteristics of fraud (Ibid., p.4);

Seeing fraud risk factors as an “event or condition that tracks the three conditions of the fraud
risk triangle” (Ibid., pp.5-6); and

Using “open-ended” questioning to develop personalized/localised fraud risk factor awareness
(Ibid., p.6).

1 Page references given here to the online American Institute of Certified Public Accountants summary article refer
to the printed version from the web site, and so may vary depending on printer options used.
SAS No. 99 changed the emphasis from earlier standards to specifically focus on assessment as a
synthesis of identified risks – i.e. “the assembling of a complex whole from originally separate parts”
through a process that links the stages of risk identification and audit response (Ibid., p.6).
The auditor is directed to “look for patterns in the identified fraud risks” and note that with the “three
elements of the fraud risk triangle; the risk of material misstatement due to fraud generally is greater
when all three are present” (Ibid., p.6). A diagram of the fraud risk triangle is provided in Figure J1
below.
Figure J1. The Fraud Risk Triangle
Source: Ramos (2003) as cited in American Institute of Certified Public Accountants (2003, p.1)
Figure J2 below indicates the increasing focus on synthesis in audit test design.
Figure J2. The Role of Synthesis in Audit Test Design
The following illustration maps the audit process from risk identification to audit test design.
“Synthesis” is the element that links the two ends of the process.
Eliminate risk synthesis from the process step, and the chain is broken—there is no link to risk
identification.
Once that link between risk identification and audit test design is eliminated, it is not surprising
that the design of audit tests is not effective in helping auditors identify risks.
Source: Ramos (2003) as cited in American Institute of Certified Public Accountants (2003, pp.6-7)
Enron Case Study
The Smartest Guys in the Room (McLean & Elkind 2003) indicates that the “slippery slope” normally
begins with a series of small steps (rather than one big one): “each one of which makes it easier to take
the next step” and this “getting away with small indiscretions” without adverse consequences leads
down the path of “slippery slope logic” (McCallum 2004, p.2). From the Enron case study, personal
traits at the top may include: “lack of courage”; “pride”, “ego and arrogance”; “cocksureness”;
“haughty attitude”; “good intentions justifying improper behaviour”; “getting ‘too cute’ with the practices,
rules and traditions of running a good company”; and being “smarter about bending the rules than
knowing where it was taking them” (Ibid., pp.3-4). McLean & Elkind (2003) produced a “414-page
testament to the ‘Tone at top’ theory of organisational culture and behaviour”:
Tone at The Top: What organisations are like at their core is determined by the example set at the top.
Everyone watches and takes their cues from the people who run the place. If the most senior people
are wise, honest, straightforward, hard-working, grounded, and respectful, then those qualities will
permeate the entire organization. If instead, they are blindly ambitious, arrogant, greedy, self-absorbed,
delusional and disrespectful, then that is what the organisation will become. (McCallum
2004, p.4)
Proposed antidotes include “philosophy” and “humour” (e.g. in the “guise of a personality such as
James Thurber”) to expose an “abundance of unsubstantiated assertions and strongly held opinions,
and equivalent absence of thoughtful questions and rigorous analysis” (Ibid., p.4).
The Control Environment
The tone of an organisation and the way it operates is set by a number of interrelated elements: “control
environment”; “risk assessment”; “control activities”; “information and communication”; “monitoring”
(Committee of Sponsoring Organizations of the Treadway Commission 1994).2 Specifically the effective
control environment:
. . . sets the tone of an organization, influencing the control consciousness of its people. It is the
foundation for all other components of internal control, providing discipline and structure. Control
environment factors include the integrity, ethical values and competence of the entity's people;
management's philosophy and operating style; the way management assigns authority and
responsibility, and organizes and develops its people; and the attention and direction provided by the
board of directors. (Ibid., p.2)
2 Internal Control - Integrated Framework (Coopers & Lybrand, 1992) was issued by the Committee of Sponsoring
Organizations of the Treadway Commission in 1992 and was prepared in conjunction with the American Institute
of Certified Public Accountants (AICPA), the Institute of Internal Auditors, the American Accounting Association,
the Institute of Management Accountants and the Financial Executives. In 1994, it was expanded to address
additional controls pertaining to the safeguarding of assets.

The control environment’s tone is “influenced by an entity's history and culture” and the attitudes of
senior management, and in summary:

“. . . defines the tone of an organization and the way it operates” establishing a “foundation for
all other components of internal control, providing both discipline and structure”;

When effective, “set a positive ‘tone at the top,’ hire and retain competent people, and foster
integrity and control consciousness”;

“. . . is influenced by an entity's history and culture, and conversely, it influences the control
consciousness of its people”;

“. . . include[s] the integrity, ethical values, and competence of the people in the organization”;

May be seen in the “. . . actions and attitudes of the owner or CEO rather than in formal
documents and written procedures”; and

Each of the five components (listed above) are “. . . linked to and interrelates with the others,
not in a linear or serial fashion, but as a multidirectional, iterative process” (Steinberg & Tanki
1993).
Soft Controls
A management philosophy based on ethics and integrity has been described as the “soft controls” – the
“intangible, difficult to verify, essential controls necessary to run any organisation” – and when absent
there is a higher risk that more traditional controls “may be overridden” (Hubbard, Roth & Espersen
2002).
Soft control information can be gathered by “structured interviews”, “self-assessment workshops” or
“self-assessment questionnaires” (Ibid., 2002). Internal audit may have to accept management’s lack of
acceptance of soft controls for internal control but: “to the extent that they [audit] do not evaluate soft
controls, they are not in compliance with ‘The IIA’s Standards for the Professional Practice of Internal
Auditing’, which require that auditors evaluate risk management and governance” (Hubbard et al. 2002).
(original emphasis)