APPENDIX J: AUDIT BACKGROUND

Audit Defined – The Lima Declaration of Guidelines on Auditing Precepts

In 1998, the original Lima Declaration of Guidelines on Auditing Precepts was reviewed by the International Organization of Supreme Audit Institutions (INTOSAI) and found to be still relevant and well accepted (International Organization of Supreme Audit Institutions 2004). The guidelines contain “timeless and essential values” that have remained topical for over twenty years (Fiedler 1998). The revised guidelines state the purpose of audit:

Audit is not an end in itself but an indispensable part of a regulatory system whose aim is to reveal deviations from accepted standards and violations of the principles of legality, efficiency, effectiveness and economy of financial management early enough to make it possible to take corrective action in individual cases, to make those accountable accept responsibility, to obtain compensation, or to take steps to prevent – or at least render more difficult – such breaches. (International Organization of Supreme Audit Institutions 1998, p.2 and International Federation of Accountants 2001, p.70)

Performance audit covers specific financial operations and the full range of government activity – including organisational and administrative systems (Ibid., p.3).

Propensity to Rationalise – The Hidden Variable

As early as 1953, three factors were identified with the occurrence of fraud: motive, perceived opportunity, and a propensity to rationalise (Cressey 1953). These three factors have been accepted as being present in modern management fraud as: “Situational pressure”; “Perceived opportunity”; and “Rationalization to act” (Association of Certified Fraud Examiners 1999, pp.4-7):

According to Cressey (1950), the propensity to rationalise is a moral weakness and a hidden variable.
Though hidden, auditors do make an assessment of this hidden variable when assessing the integrity of management (American Institute of Certified Public Accountants 1996, 2002). (Watson 2004, p.3)

The Statement on Auditing Standards (SAS) No.82 refers only to ‘situational pressure’ and ‘perceived opportunity’ but still “requires that auditors make an assessment of the likelihood of management fraud” (Apostolou, Hassell, Webber & Summers 2001, p.3). The third element “rationalization to act” was captured in a later release of SAS No.99. Apostolou, Hassell and Webber (2000, p.182) note that rationalisation to act is:

• “Related to the fraud perpetrator’s ability to reason that the fraud is either temporary or somehow beneficial to the company”; and
• “Captures the perpetrator’s ethical attitude towards committing fraud”.

Future research into the relationships between these three factors is suggested: “Finally, the role of personal rationalisation or ethical attitude of the fraudulent act should be investigated, especially when considered in concert with motivation and opportunity” (Ibid., p.189).

Based on their research surveys of thirty-five forensic experts Apostolou et al. (2000, p.190) list the key ‘opportunity risk’ factors as:

• Management’s failure to display appropriate attitude about internal control;
• High turnover of senior management; and
• Strained management/auditor relationships.

Forensic Expert Classification of Management Fraud Risk Factors

Apostolou et al. (2001) found that management characteristics and influence over the control environment category were judged as the most important of the 25 risk factors identified in the SAS No.82. This was supported by other research – e.g. Heiman-Hoffman, Morgan and Patton (1996) who surveyed 130 ‘Big 6’ (USA) auditors for commonly cited management fraud warning signs and found that the top ten warning signs can be classified as “management characteristics”. Apostolou et al.
(2001, p.4) note that earlier SAS No.65 and Statement on International Auditing Standards (SIAS) No.3 and No.5 call for greater cooperation and “coordination of internal and external audit efforts” to assist in the “prevention and early detection of management fraud”.

Ramos (2002) predicts a new expanded arena of procedures to detect fraud with the wider adoption of the SAS No.99 and a summary of Chapter 2 (American Institute of Certified Public Accountants 2003)¹ of the guide advises auditors to include:

• An overall approach that includes scepticism which closely aligns with the precautionary principle promoted by sustainability – “The auditor must set aside past relationships and not assume that all clients are honest. The new standard provides suggestions on how auditors can learn how to adopt a more critical, skeptical mind-set on their engagements, particularly during audit planning and the evaluation of audit evidence” (Ibid., pp.1-2);
• Brainstorming to set up the audit program and set the tone at the top for the engagement – ensuring that group communications are maintained and support a “culture for engagement”, “questioning mind” and a “proper degree of professional skepticism” (Ibid., p.2);
• The possible need to “educate” management about the characteristics of fraud (Ibid., p.4);
• Seeing fraud risk factors as an “event or condition that tracks the three conditions of the fraud risk triangle” (Ibid., pp.5-6); and
• Using “open-ended” questioning to develop personalized/localised fraud risk factor awareness (Ibid., p.6).

¹ Page references given here to the online American Institute of Certified Public Accountants summary article refer to the printed version from the web site, and so may vary depending on printer options used.

SAS No. 99 changed the emphasis from earlier standards to specifically focus on assessment as a synthesis of identified risks – i.e.
“the assembling of a complex whole from originally separate parts” through a process that links the stages of risk identification and audit response (Ibid., p.6). The auditor is directed to “look for patterns in the identified fraud risks” and note that with the “three elements of the fraud risk triangle; the risk of material misstatement due to fraud generally is greater when all three are present” (Ibid., p.6). A diagram of the fraud risk triangle is provided in Figure J1 below.

Figure J1. The Fraud Risk Triangle
Source: Ramos (2003) as cited in American Institute of Certified Public Accountants (2003, p.1)

Figure J2 below indicates the increasing focus on synthesis in audit test design.

Figure J2. The Role of Synthesis in Audit Test Design
The following illustration maps the audit process from risk identification to audit test design. “Synthesis” is the element that links the two ends of the process. Eliminate risk synthesis from the process step, and the chain is broken—there is no link to risk identification. Once that link between risk identification and audit test design is eliminated, it is not surprising that the design of audit tests is not effective in helping auditors identify risks.
Source: Ramos (2003) as cited in American Institute of Certified Public Accountants (2003, pp.6-7)

Enron Case Study

The Smartest Guys in the Room (McLean & Elkind 2003) indicates that the “slippery slope” normally begins with a series of small steps (rather than one big one): “each one of which makes it easier to take the next step” and this “getting away with small indiscretions” without adverse consequences leads down the path of “slippery slope logic” (McCallum 2004, p.2).
From the Enron case study a number of personal traits at the top may include: “lack of courage”; “pride”, “ego and arrogance”; “cocksureness”; “haughty attitude”; “good intentions justifying improper behaviour”; “getting ‘too cute’ with the practices, rules and traditions of running a good company”; and being “smarter about bending the rules than knowing where it was taking them” (Ibid., pp.3-4). McLean & Elkind (2003) produced a “414-page testament to the ‘Tone at top’ theory of organisational culture and behaviour”:

Tone at The Top: What organisations are like at their core is determined by the example set at the top. Everyone watches and takes their cues from the people who run the place. If the most senior people are wise, honest, straightforward, hard-working, grounded, and respectful, then those qualities will permeate the entire organization. If instead, they are blindly ambitious, arrogant, greedy, self-absorbed, delusional and disrespectful, then that is what the organisation will become. (McCallum 2004, p.4)

Proposed antidotes include “philosophy” and “humour” (e.g. in the “guise of a personality such as James Thurber”) to expose an “abundance of unsubstantiated assertions and strongly held opinions, and equivalent absence of thoughtful questions and rigorous analysis” (Ibid., p.4).

The Control Environment

The tone of an organisation and the way it operates is set by a number of interrelated elements: “control environment”; “risk assessment”; “control activities”; “information and communication”; “monitoring” (Committee of Sponsoring Organizations of the Treadway Commission 1994).² Specifically the effective control environment:

. . . sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors. (Ibid., p.2)

The control environment’s tone is “influenced by an entity's history and culture” and the attitudes of senior management, and in summary:

• “. . . defines the tone of an organization and the way it operates” establishing a “foundation for all other components of internal control, providing both discipline and structure”;
• When effective, “set a positive ‘tone at the top,’ hire and retain competent people, and foster integrity and control consciousness”;
• “. . . is influenced by an entity's history and culture, and conversely, it influences the control consciousness of its people”;
• “. . . include[s] the integrity, ethical values, and competence of the people in the organization”;
• May be seen in the “. . . actions and attitudes of the owner or CEO rather than in formal documents and written procedures”; and
• Each of the five components (listed above) are “. . . linked to and interrelates with the others, not in a linear or serial fashion, but as a multidirectional, iterative process” (Steinberg & Tanki 1993).

² Internal Control - Integrated Framework (Coopers & Lybrand, 1992) was issued by the Committee of Sponsoring Organizations of the Treadway Commission in 1992 and was prepared in conjunction with the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors, the American Accounting Association, the Institute of Management Accountants and the Financial Executives. In 1994, it was expanded to address additional controls pertaining to the safeguarding of assets.

Soft Controls

A management philosophy based on ethics and integrity has been described as the “soft controls” – the “intangible, difficult to verify, essential controls necessary to run any organisation” – and when absent there is a higher risk that more traditional controls “may be overridden” (Hubbard, Roth & Espersen 2002). Soft control information can be gathered by “structured interviews”, “self-assessment workshops” or “self-assessment questionnaires” (Ibid., 2002). Internal audit may have to accept management’s lack of acceptance of soft controls for internal control but: “to the extent that they [audit] do not evaluate soft controls, they are not in compliance with ‘The IIA’s Standards for the Professional Practice of Internal Auditing’, which require that auditors evaluate risk management and governance” (Hubbard et al. 2002). (original emphasis)