The business risk audit – A longitudinal case study of an audit engagement

So

Ae

S

aBuAbstract

This study examines the impact of the Business Risk Audit (BRA), a development in audit methodology imple-mented in the late 1990s, on actual audit practice and on practitioners. Evidence is presented through a longitudinal casestudy developed from a set of actual audit Wles over a Wve year period spanning the implementation of the BRA,together with interviews with audit team members. The study contributes to our understanding of the nature of theaudit techniques underlying the BRA and the diYculties experienced in implementing them within the existing organiza-tional structures. In addition, the study illuminates the potentially conXicting roles of audit methodology in its organiza-tional context, both in mediating the complex relationship between the administrators and practitioners in the largeaccounting Wrms and as the knowledge management structure used to support delivery of the audit product. 2006 Elsevier Ltd. All rights reserved.

Introduction

The introduction of audit approaches that placegreater emphasis on the business risks in the orga-nization whose Wnancial statements are beingaudited, generally termed the Business Risk Audit(BRA), has been documented as a major innova-tion in audit methodology in the second half of the

1997; Lemon, Tatum, & Turley, 2000). This inno-vation has been associated with changes in thescope of the planning and risk assessment pro-cesses and in the related evidence gathering proce-dures used by auditors. Proponents of the BRAsuggest that this approach has the potential toenhance audit eVectiveness, arguing that an in-depth understanding of a business, its environmentAccounting, Organizations and

The business risk audit of an audit

Emer Curtis a,,a Department of Accountancy and Finance, N

b Accounting and Finance Group, Manchester 0361-3682/$ - see front matter 2006 Elsevier Ltd. All rights reservedoi:10.1016/j.aos.2006.09.004

1990s (Eilifsen, Knechel, & Wallage, 2001; Higson,

* Corresponding author. Tel.: +353 91 493138.E-mail address: [email protected] (E. Curtis).ciety 32 (2007) 439461

www.elsevier.com/locate/aos

longitudinal case studyngagement

tuart Turley b

tional University of Ireland, Galway, Irelandsiness School, University of Manchester, UKd.

and the business processes through which value iscreated is the best way in which an auditor will beable to recognize management fraud and businessfailure risks. Critics have suggested that the BRAwas intended to redeWne auditing as consulting and

ni440 E. Curtis, S. Turley / Accounting, Orga

to facilitate identiWcation of opportunities for pro-viding value added services to clients, with theintention of improving the status and proWtabilityof the auditor.

Much of the literature describing and comment-ing on the BRA implicitly assumes that BRA asdeveloped has been implemented uncontroversiallyby the audit Wrms. However, Power (1997, p. 8) hasdrawn attention to the fact that the programmes,ideas and concepts which shape the developmentof audit practice are at best loosely coupled to thetasks and routines performed in their name. Rad-cliVe (1999) established a similar point when inves-tigating the nature of the technologies used toenact eYciency auditing. This study was motivatedby a desire to understand how the BRA translatedinto changes in auditing techniques implementedby practicing auditors and the diYculties encoun-tered in operationalising the BRA in context, andthus to examine the relationship between a pro-gramme for change in the introduction of the BRAand the set of practices which it describes.

This paper reports the results of a case study onthe implementation of the BRA on an auditengagement. The case is based on the audit workpapers for a client of a large accounting Wrm overthe period 19962000, supplemented by interviewswith members of the audit team and reference tothe documented methodology of the audit Wrm. Acase study approach was chosen because it allowedfor an in-depth review of the nature and extent ofplanning work and evidence gathering procedures.The longitudinal aspect of the study was importantas it provided an insight into changes from the pre-vious methodology and how changes were embed-ded in the audit process. Interviews with membersof the audit team allowed investigation of barriersto implementation in the organizational context. Acase study approach to investigation of the auditprocess is also consistent with calls that have beenmade for more research evidence from real auditassignments about the methods that Wrms actuallyuse, and more recently for evidence on the practi-cal diVerences between the application of the oldermethodologies and BRA (Bedard, Mock, &Wright, 1999; Gwilliam, 1987; Power, 2003; Rob-son, Humphrey, Khalifa, & Jones, forthcoming;

Turley & Cooper, 1991).zations and Society 32 (2007) 439461

In addition to contributing descriptive evidenceabout the manner in which the concepts underly-ing the BRA were operationalised, the studyexplains why this methodology was perceived asmore judgemental and ambiguous by audit staV.The case highlights diYculties experienced inachieving a lasting move to an audit focused onbusiness risks and high level controls. It also dem-onstrates reluctance by auditors to reduce levels ofsubstantive testing, particularly in relation to sig-niWcant judgements and estimates, and identiWesdiscomfort at practitioner level with the lack oflinkage between audit work done on businessrisks and an opinion given on the Wnancial state-ments. The wider relevance of these diYculties isillustrated by related changes to successive ver-sions of the global methodology of this Wrm.

A major innovation in practice such as the BRAcan be considered from a number of perspectives.Its introduction may be seen as part of a WrmseVorts to create an audit product that is credible inthe market place. Here the administrative elementsof the Wrm, and more generally the auditing profes-sion, are concerned with conceptualizing and rep-resenting audit activity in a way that enhances itslegitimacy with clients and society. New methodo-logy may also reXect administrators views regar-ding a better audit, both as a structure for guidingand controlling the eVectiveness of the work eVortof staV and as a means of adapting the businessmodel associated with auditing. However, from theperspective of the practicing auditor, the legiti-macy of the audit process on an individual engage-ment is something diVerent. The practitioner maybe concerned that the process not only meets Wrmdetermined standards on methodology, but alsoactually provides a body of evidence that the prac-titioner believes to be valid as a basis for signingthe audit opinion and as a defensible record of theaudit process. The tension between what method-ology seeks to authorize and promote in evidencecollection procedures and what practitionersregard as appropriate for their opinion can creatediVerences between the oYcial approach andwhat is actually done. This study is about the prac-tical implementation of the BRA in an actual caseand as such the primary focus of analysis is on

whether and how that tension between methodo-

niE. Curtis, S. Turley / Accounting, Orga

logy and practitioners views of what constitutes alegitimate evidence process was evident in theimplementation of the new BRA methodology.

The study concludes that while the BRA wasdeveloped by the administrative sections of thelarge Wrms to address the concerns related to thestatus, eVectiveness and proWtability of auditingwithin those Wrms, inadequate consideration wasgiven to practitioners needs for what theyregarded as a legitimate audit which they couldpersonally be called upon to defend. As a result,the implementation of the BRA was not associatedwith the change in the overall pattern of evidencecollection that was intended. The study also raisesquestions about the ability of the BRA to induceaudit teams to generate additional revenuethrough providing added value for the client. Thisis partly a question of whether a hierarchicallyorganized audit team has the skills, Xexibility andtime to generate value, but it is also a function ofthe clients willingness and ability to pay for it.

The remainder of the paper is set out as follows.The next two sections discuss theoretical perspec-tives on audit methodology and review prior litera-ture on the development and implementation ofthe BRA. A description of the research methodsand the case context follows. The Wndings andanalysis are then divided into three sections, con-sidering in turn: changing the focus of the audit tobusiness risk and the impact on the identiWcationof risks; changes in the nature of the audit workactually performed and the diYculties of imple-menting change; and the impact of the BRA oncost and revenues. Finally, the implications andconclusions that can be drawn from the study forour understanding of the role of methodologies inaudit practice are considered.

Theoretical perspectives on audit methodology

Prior literature presents a number of diVerentperspectives on audit methodology. The primaryperspective, adopted by much of what is generallyreferred to as mainstream audit research (Gendron& Bedard, 2001) views auditing as technical prac-tice. Much of this literature, in particular the audit

judgement and decision making literature (JDM),zations and Society 32 (2007) 439461 441

adopts a rationalist paradigm from cognitive psy-chology, which is based on the idea that humans,or even societies, follow identiWable rules (Wester-dahl, 2004). Such research sees auditor judgementas a practice conducted by individuals who mustrespond eYciently to cues in the auditee environ-ment and make decisions accordingly (Power,1995, p. 318). This perspective has been criticizedfor ignoring the social context in which decisionsare made, where judgements are not simply theprocedural outcomes of the application of a set ofaudit techniques (Kirkham, 1992). Pentland (1993)argues that there is good reason to expect that noamount of rationalistic analysis will ever produce asuYcient explanation of auditor judgement (p.619) due to the insuYciency of rule following as anexplanation of social order. The literature whichconsiders audit methodology in its social and insti-tutional context recognizes at least four diVerent,and potentially conXicting, roles for audit metho-dology: the production of legitimacy for the pro-fession as a whole; the production of a legitimateset of work papers on an individual audit; a systemfor controlling and directing the work of the prac-titioners by administrative elements of the largeWrms; and encoding knowledge into the organiza-tional structure to assist in the achievement of theorganizational proWtability. Each of these perspec-tives is discussed below.

Legitimacy of the profession

At the level of the profession, the ideas inform-ing audit methodologies are reXected in auditingstandards which simultaneously provide a sourceof legitimacy for the approaches applied by theaudit Wrms and a body of knowledge to justify theclaims of professional expertise. Consistent withthe norms and values of western market econo-mies, the profession has an interest in representingauditing as a rational, objective science. A numberof authors (Carpenter & Dirsmith, 1993; Dirsmith,Covaleski, & McAllister, 1985; Dirsmith, Heian, &Covaleski, 1997; Power, 1992, 1995, 2003) havelinked audit methodologies to the representationof the auditor as a rational expert. Power (1992,p. 59) suggests that the rise of a discourse in

audit sampling had much to do with attempts to


legitimate, rationalise, reinterpret and improvepractices that were already in place and in doingso, aligned the auditing profession with reveredvalues of rationality and science. Carpenter andDirsmith (1993) view the discourse on statisticalsampling as modifying and regenerating the pro-fessions abstract system of knowledge (Abbott,1988).

Similarly Power (1995) has argued that in spiteof the theoretically questionable and operation-ally ambiguous status of the audit risk model, ithas endured because it replaces statistical samplingin providing an abstract foundation for audits, itfunctions to rationalize a reorganization of auditwork and a reduction of detailed testing, and itprovides a respected vocabulary through whichoperational decisions can be justiWed (p. 331).

Legitimacy at the level of audit practice

It is in the domain of actual practice that formalaudit methodologies are translated or transformedinto audit procedures by individual practitionerscoping with such everyday exigencies as clientpressures and the cost of performing audits (Car-penter & Dirsmith, 1993, p. 45). The potential forreview of the audit work papers by the courts orpeer reviewers translates on an individual auditinto a need for the production of a set work paperswhich are a culturally legitimate, formal, defend-able record of the audit process (Power, 2003).Thus audit methodology is seen to play a signiW-cant role in the production of a legitimate set ofaudit work papers. Dirsmith et al. (1985, p. 57)suggest that the production of work papers is asanitizing process, where audit evidence can beviewed as a symbol for legitimizing a neitherwholly rationalized nor rationalizable audit pro-cess. In lamenting the trend toward more struc-tured audit methodologies, it has also been arguedthat this need to maintain legitimacy is a majorobstacle to a judgemental, organic audit:

It may well be that the litigious, control-directed, sociopolitical environment of theauditing profession is intolerant of theorganic audit perhaps the profession has

presented a formal image of itself that is notzations and Society 32 (2007) 439461

reXective of its own variety or loosely cou-pled nature. (Dirsmith & McAllister, 1982, p.227).

This suggests that audit work papers must con-form to institutionalized prescriptions of whatauditors do, in order to portray a rational func-tional image of the audit (Dirsmith et al., 1985).Thus if society expects that auditors conWrmreceivables then this must be done regardless ofeYciency or eVectiveness considerations.

Audit methodology and the control of practitioners

The large accounting Wrms, or more accurately,professional service Wrms, are so big that the litera-ture has recognized the separation of the adminis-trative structure of these Wrms from thepractitioners (Carpenter, Dirsmith, & Gupta, 1994)and the potential for conXict and power strugglebetween the two (Freidson, 1986). The acknowl-edgment of the separate roles of the administratorsand practitioners is important in considering auditmethodology because methodology is generallydeveloped by the administrative element but isimplemented by the practitioners. Prior literaturesuggests that these two groups have diVerent inter-ests, power bases and concepts of a legitimate pro-cess, which results in signiWcant scope for tensionand controversy over methodology.

Administrators have primary control over rulesand resources in these organizations, allowingthem to formulate the procedural and substantiverules addressed to the way professional work is tobe performed and to establish the basis for con-trolling and evaluating the work of practitioners(Freidson, 1986, p. 215). Carpenter et al. (1994)attribute the trend towards structured auditapproaches in part to eVorts by administrators tocontrol local practitioner judgement:

Administrators, preoccupied with the politicaland economic forces their organizations face,focus on formulating procedural and substan-tive rules that control the way in which theprofessional work is performedThey servenot primarily the client or even the profes-sional practitioner, but their own organiza-

tion, and it is from this organization that they


derive their power and authority. Thus,administrators seek to encode expertise intothe formal structure of the organizations byway of its rule systems (Carpenter et al., 1994,p. 373374).

Audit methodology and the business model

The literature also suggests that administratorsuse audit methodologies to inXuence the manner inwhich their organizations generate proWts. Giventhe concern with proWtability in a competitive mar-ket for audit service, where audit fees and marginshave been under pressure since the 1980s, adminis-trators have used audit methodology in brandingand marketing their services to existing and poten-tial audit clients (Jeppesen, 1998). Morris andEmpson (1998) suggest that the large audit Wrmshave codiWed organizational knowledge in theform of highly structured audit methodologies,which allows them to use inexperienced staV toapply this codiWed knowledge, thereby facilitatinga hierarchical organization structure, to achieveabove average proWts. There are also suggestionsthat audit methodologies can facilitate the expan-sion of low value-added audit services into the pro-vision of more lucrative consulting services bydirecting audit work and the attention of auditstaV towards opportunities to provide value addedservices in the course of, or as a result of, the audit(Barrett, Cooper, & Jamal, 2005).

Thus prior literature illustrates that audit meth-odologies serve diVerent roles at diVerent levels inthe institutional environment. The recognition ofthese diVerent roles suggests that there is consider-able scope for tension and controversy when thereis an innovation in a methodology such as BRA,which is developed by administrative elements ofthe Wrms but implemented by individual practitio-ners.

Administrators, by virtue of their position in theinstitutional environment, are more generally con-cerned with issues such as the jurisdiction andpower of the profession, and the inXuence of theirown Wrm within that environment. They have aninterest in the role of audit methodology in theproduction of legitimacy at the level of the profes-

sion. Practitioners on the other hand derive theirzations and Society 32 (2007) 439461 443

power and status within the Wrm primarily fromtheir client base (Freidson, 1986), and have the ulti-mate power to decide on the nature and extent ofaudit procedures actually performed on an individ-ual audit. Importantly, on the individual auditpractitioners are more concerned, not with thelegitimacy of the Wrms methodology or of the pro-fession, but with the conduct of what they regardas a legitimate audit process, for which they takepersonal responsibility. Both the Wrm and the indi-vidual auditors within it have a common interestthat the process captured in the Wrms methodo-logy should produce a legitimate audit Wle. How-ever, in the context of a speciWc audit thepractitioner may divert from or add to strict appli-cation of methodology in order to satisfy his/herown perceptions of a legitimate evidence process.

While administrators may attempt to use auditmethodologies to organize the manner in which theWrm produces proWts, and control and direct workperformed by practitioners, the literature recognizesthat idiosyncratic, local and intuitive judgementsby seasoned practitioners are diYcult to managefrom the centre of the Wrm (Power, 2003, p. 381).

Practitioners must also apply the variousrules and guidelines, and in so doing trans-form them as inXuenced by their own judge-ment and the day-to-day exigencies of speciWcclient service work. Importantly, practitionersemploy the overly formalized rules prescribedby administrators inconsistently and infor-mally (Carpenter et al., 1994, p. 373374).

A number of Weld studies of auditing illustratethis point. Fischers (1996) study of innovation inaudit technologies suggests that the administra-tors eVorts to change highly institutionalized auditpractices will not succeed unless practitioners canbe convinced of the validity and suYciency of theevidence produced by the new technologies. Resis-tance of practitioners to the imposition of highlystructured client acceptance tools and methodolo-gies has been reported by Dirsmith and Haskins(1991) and Carpenter et al. (1994). Examining theimposition by administrators of a system of man-agement by objectives, Dirsmith et al. (1997) andCovaleski et al. (1998) illustrate how this system

was appropriated by the practitioners to advance


the interests of their own protgs. Study of diY-cult client acceptance decisions in large CanadianWrms suggest that in spite of highly formalized pol-icies put in place by administrators, the decisionprocesses of practitioners remain largely Xexibleand organic (Gendron, 2001). More recently, Bar-rett et al. (2005) report variations in the manner inwhich local oYces implement both inter-oYceinstructions and global audit methodologies. How-ever, prior Weld studies do suggest that administra-tive elements of audit Wrms are successful ininXuencing the logics of action (Gendron, 2002)or world theories (Dirsmith & Haskins, 1991)adopted by the practitioners. In other words, thestructures put in place by administrators, whetheraudit methodologies, performance measures or cli-ent acceptance tools, inXuence decision processesby providing auditors with an interpretativescheme and a vocabulary that they frequently referto when making decisions (Gendron, 2002, p.661). Overall this literature suggests that whileadministrators can potentially use audit methodo-logies to inXuence practitioner actions on audits,the ultimate decision as to the nature and extent ofaudit testing remains with the practitioners.

The business risk audits: an ambitious programme of change

The introduction of BRA in the second half ofthe 1990s has been reported as a major innovationin audit methodology (Eilifsen et al., 2001; Higson,1997; Lemon et al., 2000). Higson (1997, p. 213)presents one of the earliest papers heralding theBRA. He suggests that as a result of the pressuresfaced by auditors from many quarters, they havebeen reassessing what the audit is trying to achieveand this has resulted in an extensive questioning ofhow it should be done. Knechel (forthcoming)suggests that BRA resulted from a culmination ofpressures on auditors in the form of fee and costpressure and the questioning of conventional wis-dom in audit practice, in particular questioning ofthe beneWts of structured audit approaches.

The BRA was intended to widen the focus ofthe auditor, from audit risk, deWned with reference

to Wnancial statement error, to business risk, deW-zations and Society 32 (2007) 439461

ned as the risk that an entity will fail to meet itsobjectives (Eilifsen et al., 2001; Higson, 1997;Lemon et al., 2000). The proponents of the BRAargue that business risk ultimately translates intorisk of Wnancial statement error and, therefore,that an approach which focuses on understandinga business, its environment and business processesprovides the best means by which an auditor willrecognize risks associated with management fraudand business failure (Erickson, Mayhew, & Felix,2000). Thus:

Wrms had concluded that perceived audit fail-ures result not from the ineVectiveness ofprocedures in detecting misstatements butbecause of diYculties, for example in recog-nizing going concern problems or identifyingfraud, arising from other aspects of the busi-ness context (Lemon et al., 2000, p. 12).

It was also argued that in the modern auditenvironment, where the Wnancial accounting sys-tems are generally very good, extensive testing ofdetails, in the absence of a good understanding ofbusiness risk, is at best ineYcient and at worstineVective. This view is consistent with the views ofcritics of structured audit approaches, who havelong argued that an in-depth understanding of thebusiness underpins a thoughtful, Xexible and judg-emental audit.

The change in approach envisaged by the BRAwas to be achieved in two ways: Wrst by changingthe focus of the audit from Wnancial statement riskto business risk; and second by changing thenature of audit testing from large volume tests ofdetails to the testing of high level monitoring orsupervisory controls, supported by high precisionanalytical work (Higson, 1997; Knechel, 2001,forthcoming; Lemon et al., 2000). The approachencourages the auditors to view the client in termsof key business processes, and risks and controlswithin those processes, as opposed to a frameworkbased on Wnancial statement balances and transac-tion streams. The rationale for this approach sug-gests that if the auditor can identify the sources ofbusiness risk and ensure that the client has appro-priate systems to monitor and manage that risk,there is little value in extensive substantive testing.

It has also been suggested that obtaining such an


insight on the business provides auditors with abetter basis for generating useful feedback for theclient. This added value contribution of BRAhas been reported both from views held by practi-tioners within Wrms (Higson, 1997) and from themany references to adding value on the large Wrmswebsites around the time of the implementation ofthe BRA (Jeppesen, 1998).

Some authors have questioned whether themotivation for the introduction of BRA wasrelated to the delivery of more or better audit assur-ance or the pursuit of self-interested proWtabilityand status for the auditors themselves. During theperiod from 1980 to the mid 1990s, the market foraudit services was characterized by increasing com-petition and fee pressure. This environment led tothe development of highly structured methodolo-gies, designed to minimize costs and maximize theleveraging of audit work to inexperienced staV. Theconsequent commoditization of the audit resultedin the progressive diversiWcation of audit Wrms intomore proWtable consulting services. The growthand proWtability of these consulting services in thebooming economies of the mid 1990s contributedto an undermining of the status of audit practitio-ners in the large professional service Wrms (Robsonet al., forthcoming).

Given this context, Robson et al. (forthcoming)argue that the BRA sought to improve the statusof the auditor, both within the large accountingWrms, and externally with clients and potentialrecruits, by aligning the auditor with the higherstatus function of management consulting. Thisperspective is supported by evidence of the strate-gies designed to sell the BRA both inside the Wrmsto the practitioners, and outside to clients, regula-tors and academics (Bell, Marrs, Solomon, & Tho-mas, 1997; Jeppesen, 1998; Winograd, Gerson, &Berlin, 2000).

Jeppesen (1998) argues that changing the focusof the audit from Wnancial statements to the busi-ness resulted in the audit being redeWned in orderto justify the delivery of proWtable managementconsulting services with the consequent erosion ofauditor independence. In fact, Power (2003) hassuggested that the BRA approaches were drivenmore by revenue than by cost considerations, given

the potential of added value to the client to gener-zations and Society 32 (2007) 439461 445

ate revenue either through better recoveries onaudit fees or through the cross selling of other ser-vices. In the context of the booming economicenvironment of the 1990s, revenue generation mayhave presented a more lucrative and less painfuloption than seeking further eYciencies in the audit.At the same time, litigation posed a far greaterthreat to the economic survival of the large auditWrms than price competition, as borne out by thefate of Andersen. Some Wrms believed that theBRA would beneWt their own management ofengagement risk (Lemon et al., 2000). The widelyreported introduction by the large accountingWrms in the early 1990s of procedures to assessengagement risk is symptomatic of the Wrms con-cern with audit eVectiveness. It is well establishedthat auditors are primarily exposed to litigationrisk in the case of business fraud or business fail-ure. Assuming that fraud and failure risks could beappropriately identiWed by the BRA, anticipatedreductions in substantive procedures were unlikelyto result in increased exposure to litigation. To theextent that the BRA was to be underpinned bystringent engagement risk management procedureswithin the audit Wrms (Higson, 1997; Lemon et al.,2000), clients with high levels of business risk andpoor control environments, which are unsuitablefor this audit approach, would also be excludedfrom the client base.

From programme to technology: transforming the BRA in practice

As a response to the contextual pressures dis-cussed above, the introduction of the BRA can beseen as relevant to a number of the theoreticalinterpretations of the role of methodology outlinedin the previous section, such as maintaining thelegitimacy of the professional activity of auditingand changing the business model for audit. If theBRA was intended to improve the proWtability andstatus of the auditor through delivery of a diVerentproduct to the client, with a reduced litigation riskfor the auditor, then it represented an ambitiousprogramme for change. Re-branding a tired auditproduct by updating the language and the image ofthe audit will neither insulate the auditor against

litigation nor deliver added value to the client.

446 E. Curtis, S. Turley / Accounting, Orga

While managing the image of audit practice maynot require change in practice, an impact on proWt-ability and litigation risk does. Therefore, toachieve their objectives Wrm administrators neededto induce real change in audit techniques. How-ever, earlier discussion of the potential tensionsbetween diVerent roles played by audit methodol-ogy draws attention to fact that practical imple-mentation of the new methodology requirednegotiation with practitioners. A programmedesigned to change audit methodology in order toimprove the status, proWtability and legitimacy ofaudit practice is not necessarily consistent with theproduction of a culturally legitimate audit Wle. Thisrepresented an ambitious programme for two rea-sons. First, in the institutional environment theBRA faced a battle for credibility amid signiWcantskepticism from regulators and academics (Curtis& Turley, 2005). Second, beneath that issue lay aseparate battle at the level of audit practice: totransform the BRA into practical changes inhighly institutionalized audit techniques, in a cli-mate of practitioner resistance to control byadministrators (Covaleski, Dirsmith, Heian, &Samuel, 1998). It is this battle that is essentially thesubject of this study.

The transformation of an innovation in auditmethodology into implemented practice cannot beassumed as unproblematic. Power (1997), drawingon Rose and Millers (1992) distinction betweenprogrammes and technologies, suggests that theprogrammes, or ideas and concepts which shapethe mission of audit practice, may be only looselycoupled to the procedures performed in their name(p. 8). This distinction is useful in clarifying the ten-sions between diVerent roles played by audit meth-odology in the production of diVerent types oflegitimacy. In particular, practitioners perceptionsregarding what is a legitimate, visible and defensi-ble evidence process may help to explain how suchloose coupling can arise. This study was, therefore,motivated by a desire to understand how the BRAresulted in changes (if any) in auditing evidencetechniques employed by practicing auditors(Power, 2003; RadcliVe, 1999).

To understand the translation between pro-gramme and practice, it is not suYcient to lookzations and Society 32 (2007) 439461

simply at oYcial descriptions of the techniques putforward by the Wrms or to count the number ofinvoices vouched under diVerent methodologies.The implementation of auditing techniques cannotbe considered in isolation from the auditsperformed and the organizational context in whichthe methodology is implemented. To provide directevidence on implementation and changes inpractice, the remainder of this paper analyses acase study of an actual audit engagement, con-structed from the audit work papers over a Wveyear period during which the BRA was introduced,together with interviews with members of the auditteam.

Research methods

Preparation for conduct of the case study beganwith a preliminary meeting in one of the oYces ofthe accounting Wrm that was the subject of thisstudy, to review the guidance materials provided toaudit staV, have discussion with the partner (here-after P1) responsible for implementing the newmethodology, and review a set of client Wles with asenior (hereafter S1) to explain how the BRA hadbeen operationalised. A second preliminary meet-ing in a second oYce comprised discussion with apartner (hereafter P2) involved in the developmentof the methodology on a worldwide basis, furtherreview of the detailed staV guidance and a discus-sion of implementation issues. It became apparentat this meeting that the methodology had evolvedthrough a number of versions and it was thereforeconsidered that a longitudinal perspective wouldprovide the best insight into the manner in whichthe BRA had been implemented.

The speciWc case to be investigated was chosenin conjunction with P2, who authorized access tothe work papers. In selecting the client, three fac-tors were considered to be important. First, thecase had to be of suYcient size and complexity toensure that the change in methodology would beevident in the work papers. Second, the clientought not to be so complex as to render it overlytime consuming to understand the audit Wles asWeld work for data collection was limited. Third,ni


the clients Wnancial condition ought to be suY-ciently stable to ensure that any changes in thenature and extent of the work were primarilyrelated to the implementation of the BRA ratherthan to changes in the companys condition. A cli-ent operating in the wholesale/distribution indus-try was chosen. This company had been a client forin excess of 10 years and had experienced steadygrowth throughout the Wve-year period of the casestudy. The client also had the advantage of consid-erable continuity within the audit team during thisperiod. A span of Wve years was chosen because theBRA had been Wrst implemented for this client forthe audit of the Wnancial statements for the yearended 31 December 1997. Hence 1996, being theWnal year of the old methodology, was included.The most recent audit completed at the time of theWeldwork was for the year ended 31 December2000.

Collection of evidence took place in the auditWrms oYces. Access was provided to: all of theaudit work papers for the Wve years under review;the Wnal published accounts including Auditorsand Directors Reports; the general correspondenceWle; audit Wrm management accounting recordsshowing audit hours charged to the job number bycategory of staV; and the oYcial methodology guid-ance given to each member of staV of the Wrm.

Three individuals were seniors on this clientover the Wve-year period (referred to hereafter asS2, S3 and S4). All three had since been promotedto manager and were still employed by the Wrm.All were available for interview at the time theWeldwork was undertaken and semi-structuredinterviews were undertaken with S2 and S4. S3,who had been involved in the audit from 1997 to2000 from staV level up to manager level, wasvery interested in the case study and regularlystopped by for casual conversations, to give opin-ions, to help with understanding the work papersand to explain how the methodology had beenapplied. The latest version of the software used tosupport the methodology was also made available.Given the extent of the documentation and thelimited time available, detailed review of the workpapers was restricted to three years 1996, 1998and 2000. The work papers for the interveningzations and Society 32 (2007) 439461 447

years were reviewed and some data was collected,but in less detail.

Notes were taken during the course of eachinterview and a detailed recollection of the inter-view based on the notes was written up immedi-ately afterwards. Copies of some documentation,such as the oYcial guidance on the methodology,and some print-outs from the accounting Wrms jobcosting records, were provided and this documen-tation has been retained as part of the case studydatabase (Yin, 1994).

An interesting feature of the study, which wasnot anticipated at the outset, was the evolution ofthe oYcial BRA methodology over the Wve yearscovered by the case study. During the Wve-yearperiod under review, two updates of the originalversion of the methodology were issued. Copies ofeach of these were obtained to assist in the inter-pretation of the audit work papers. A draft copy ofthe next version which was to be piloted for auditsfor the year ended December 2001 was alsoobtained. While the purpose of this paper is not topresent a detailed analysis of the changes from oneversion to another, it is notable that areas whichcaused controversy in implementing the approachwere related to changes made in the diVerent ver-sions of the global methodology, which demon-strates that continued development of themethodology by the administrators involved inter-action with experience from implementation inpractice.

Following the initial analysis of the data and thepreparation of an early draft of the Wndings, followup interviews were conducted with P2 and S2,where the Wndings were discussed. Both conWrmedthat the Wndings were consistent with their generalexperiences of implementation.

The discussion in subsequent sections attemptsto communicate the Wndings of the study throughanalysis of three main themes. The Wrst section dis-cusses changing the focus of the audit to businessrisk and considers the impact on the identiWcationof risks. The second section analyses changes in thenature of the audit work actually performed, anddiscusses the diYculties of implementing change.The third section considers the impact of the BRAon cost and revenues.

nd

tes w

eta

Rheeyye

aesn

h

sitp

ouTable 1The Wve modules of the audit process dedicated to assessing risks u

1. Evaluation of the clients risk management processThe Wrst module was a tool to support the evaluation of the clienstructured decision aid that evaluated the risk management procsupported by a speciWc section in the Wrms proprietary database

2. Analysis of client business environmentThe second module was designed to analyse the industry and therelevant industry-wide analysis from a proprietary knowledge dabusiness processes.

3. Preliminary analytical review (PAR)The third module was a software tool available to support the PAanalyses performed in the manually produced PAR for each of ta high-level variations analysis and a ratio analysis were performto include high precision variation analyses (e.g., by month and bother management accounting data. This review was updated at

4. Consideration of business risksThe Wrm described the fourth module as a framework for systemthreatening the organization as a whole or speciWc business procfor communication regarding business risks and business risk madatabase, which allowed the audit team to further investigate eac

5. Information XowsThe Wnal module was intended to facilitate the understanding ofprocessing risks. The software included a tool to support the creaof risks and controls within those processes. Industry-speciWc temAlternatively, memos describing procedures, risks and controls cer the BRA

s risk management process. This module was a computer-based,ses at a strategic level in the client organization. It washich included studies, best practices and other resources.

nvironment in which the client operates and was supported bybase. This analysis resulted in the identiWcation of critical

. The audit team did not make use of this tool. However, the three years were compared. In 1996, under the old methodology,

d. After the implementation of the BRA, the PAR was extended product), key performance indicators used by management, andar end.

tically understanding and identifying the types of business risksses within the organization ... it also supports a common languageagement. This tool was also supported by the Wrms proprietaryrisk speciWed and to obtain industry speciWc guidance on that risk.

gniWcant information Xows and identiWcation of informationion and modiWcation of process diagrams and the documentationlates were available within the Wrms database to support this.ld be used to document critical processes.448 E. Curtis, S. Turley / Accounting, Organizations and Society 32 (2007) 439461

Changing the focus to business risk and business processes

This section provides a description of the mannerin which key concepts of the BRA were operationa-lised through changes in the audit methodology. Italso explores the reasons why audit staV reportedthat they found the BRA more judgemental andambiguous than the previous approach.

Changing the focus from Wnancial statements to business risk

The pre-existing methodology applied on the1996 audit used a sequential, word-based, standardaudit planning work programme which led theaudit senior through the planning in a structuredfashion. Risks were identiWed, audit work pro-grammes were developed and work papers wereorganized primarily with reference to individualWnancial statement captions. These structures sup-ported the Wnancial statement focus of the tradi-

tional audit risk model approach of the 1980s andearly 1990s. The BRA envisaged a much broaderunderstanding of the business to support theassessment and analysis of business risks. To facili-tate the acquisition of this understanding and theassessment of risk, the methodology provided Wveseparate computer based modules which aredescribed in Table 1.

In order to change the focus of risk assessmentfrom the Wnancial statements to the business as awhole, two important changes were made to themethodology. First, only one of the planning mod-ules described in Table 1, the preliminary analyticalreview activity, was directly related to the Wnancialstatements, and even there emphasis was placed onkey operational data and on future as well as pastperformance. All of the other modules weredesigned around the business and not the Wnancialstatements. Second, the audit work papers wereorganised around the identiWed risks instead ofWnancial statement captions. Both of these changescould be expected to be signiWcant forces encourag-


ing staV to think about the audit diVerently. Theassessment of risk was supported by all Wve mod-ules and the methodology stressed the interrelatednature of the modules in assessing risk. The soft-ware included a summary Risk Tracker, to docu-ment risks from all Wve modules as soon as theywere identiWed and to drive further audit work.

The seniors generally felt that the software tool-set which supported the Wve planning modules ofthe new approach genuinely helped the audit teamto get a better understanding of the business andindustry. They suggested that it helped the team tothink about business risk and represented a signiW-cant improvement over the checklist approachof the old methodology. However, all of the seniorsfelt that applying the new methodology was amuch more judgemental process. The presence ofsigniWcant elements of structure to support riskanalysis did not remove ambiguity and the needfor judgement. Discussion with P2, S2 and S4 high-lighted signiWcant reasons for this. Under the oldmethodology risk analysis was carried out primar-ily on a Wnancial statement caption by captionbasis, which gave the seniors a Wnite number ofcaptions to consider, whereas under the BRA busi-ness risks were to be identiWed from what P2referred to as a universe of business risks.According to the partners, this created a sense ofinsecurity as to whether all relevant risks had beenidentiWed. Risk assessment was a more ambiguousprocess and demanded more from staV at relativelyjunior levels who were used to dealing with ahighly structured methodology.

There was also evidence that, despite the Wvemodules to guide the identiWcation of business risk,the seniors actually identiWed the risks in diVerentways. This did not reXect the integrated approachconceived by the methodology. In 1998, it is clearthat S3 relied heavily on the framework for consid-eration of business risks (the third module describedin Table 1) in identifying the risks for further auditconsideration. The risks identiWed on the risktracker in the work papers were comprised entirelyof risks identiWed when completing this module, andthe language used to describe those risks was alsotaken directly from this module. In 2000 S4 did notuse any links to the risk summary throughout the

Wve modules, but approached the risk summary as azations and Society 32 (2007) 439461 449

blank sheet of paper after completing the Wve riskassessment modules. S4 explained that this waswhere the thinking would start and would havereference to the Wnancial statements and prior yearwork papers when considering risks. This resulted indiVerent categorization of risks on the risk trackerby the three diVerent seniors (S2, S3 and S4) whoprepared the risk summaries. They also used diVer-ent terminology to describe similar risks. For exam-ple, S3 classiWed the risk associated with thewarranty provision under the heading product orservice failure whereas S4 classiWed this risk underthe heading judgements and estimates, whichencompassed other estimation risks. The sense ofinsecurity created by the potential for variation inthe risks identiWed, and consequently in the natureand extent of the audit work, seemed to create aneed for a mechanism to ensure the completeness ofthe audit risks identiWed. As a result of these diYcul-ties, the global methodology was amended torequire an initial risk assessment by partners.Subsequent business risk analysis by the audit teamwas aimed at validating this initial risk assessmentand identifying other risks. The initial risk assess-ment was seen as having a role to put boundaries onthe scope of the risks to be addressed by audit staV,who otherwise could potentially get lost in the uni-verse of business risk.

The lack of a risk tracker prepared on a compa-rable basis in 1996, and the diVerent terminologyand categorization of risks in 1998 and 2000, madeit problematic to prepare a sensible comparison ofrisks identiWed across each of the years 1996, 1998and 2000. Nonetheless, there are some noteworthycomments that can be made regarding the identiW-cation of risks after the implementation of theBRA. Risks which were directly related to Wnancialstatement captions were largely the same bothbefore and after implementation. The only signiW-cant diVerence was that the risks were speciWedmore precisely, as opposed to denoting the relatedaccount captions as risky (e.g. risk of credit defaultas opposed to the debtors caption being consideredrisky as a whole). Similarly, after the implementa-tion of the BRA, speciWc aspects of the informa-tion system were identiWed as risks. However, therewas little change in the audit approach to informa-

tion systems.


Two business risks unrelated to the Wnancialstatement captions were identiWed after the imple-mentation of the BRA which had not previouslybeen identiWed as risks. Authority and limit (risk ofunauthorized transactions) was classiWed as a mod-erate risk in both 1998 and 2000. Capacity (moder-ate risk) was classiWed both as an opportunity toimprove the clients business and as a business riskin 1998, whereas it was considered only an opportu-nity to add value in 2000. The inclusion of previ-ously unidentiWed risks on the risk tracker suggeststhat seniors were taking a broader view of the busi-ness. However, the identiWcation and summariza-tion of risks is not important for its own sake, ratherit is important because it potentially drives diVer-ences in the nature and extent of audit work done.This is examined in a later section of the paper onchanges in the nature and extent of audit work.

Removing the distinction between planning and audit work

In common with most methodologies utilizingthe audit risk model, the previous methodology ofthis Wrm had a very clear distinction between auditplanning and evidence collection. At the end of theplanning, the audit approach had been decided onand work programmes were agreed. Field workcomprised the completion of the work set out bythe work programme. Under the BRA there wasno clear distinction between planning and Weld-work. A signiWcant part of the risk assessment pro-cess involved the analysis of critical businessprocesses in order to identify risks and related con-trols. Unlike Wnancial statement balances, riskscannot be substantiated; logically they can only beaudited by auditing the controls over such risks.The BRA implemented by this Wrm required thatcontrols over risks were identiWed, evaluated andtested. Where controls over a risk were found to beeVective, the risk was considered reduced to anacceptable level. In this case no further auditwork was to be performed unless speciWcallyrequired to comply with GAAS. Where there werecontrol deWciencies, and hence residual audit risk,additional audit work of a substantive nature wasrequired in respect of Wnancial statement balances

potentially impacted by the risks. Thus the BRA aszations and Society 32 (2007) 439461

implemented by this Wrm envisaged a largely con-trols-based approach to the audit. This representeda substantial shift in emphasis from the audit riskmodel approach, where it was possible to performa wholly substantive audit if this was considered tobe more eYcient than testing controls.

Under the previous approach, work pro-grammes for compliance and substantive workwere developed from standard schedules of audittests. These work programmes, which were an out-put of the audit planning process, eVectively putboundaries on the audit for the audit staV. Underthe BRA the audit approach developed as theaudit progressed from a prima facie stance thatcontrols testing would be used where possible. Themethodology was set out as a process whereby thequestion was constantly asked Have we addressedthis risk? Thus, the evidence programme devel-oped as the audit progressed, requiring continualjudgements on the part of the senior. Audit staVperceived the BRA process as a more Xexible andunstructured process.

The BRA was intended to focus auditors atten-tion on business risk by weakening the linkbetween the risk assessment process and the Wnan-cial statements, and audit work was to be driven byidentiWed risks rather than Wnancial statement cap-tions. However, the changes in the nature andboundaries of audit work created potential con-Xicts with practitioners existing conceptions ofwhat was good practice and necessary to delivera legitimate audit process. It was clear that in prac-tice the seniors found that determining the mix ofaudit work was a much more ambiguous, and con-sequently diYcult, task when the boundaries pro-vided by standard work programmes and Wnancialstatement captions were removed.

Changing the nature of the audit work

This section examines the actual changes in thenature and extent of audit work after the imple-mentation of the BRA and explores the diYcultiesexperienced in achieving the changes in audit test-ing envisaged by the BRA.

As the working papers were organized around

identiWed risks rather than account captions, pre-

ni

s p

ntonE. Curtis, S. Turley / Accounting, Orga

Table 2Analysis of controls testing after implementation of the BRA

a There was no reference to the evaluation or testing of controlstatement that they were relied on. The provision was tested by the

Risks identiWed on risk summaries

1998

Controlsdesignevaluated

Controlstested

Controlsrelied on

Additiosubstanwork d

Obsolescencea S, P, Mb S, P, M Yes YesCredit default S, P, M S, P, M Yes YesTax and related parties No No No YesValuation of Wnancial

instrumentsS, P, M No No Yes

Foreign currencytranslation

S, P, M No No Yes

Performance incentives S No No YesWarranty provision S No No YesAuthority and limit S, P, M S, P, M Yes No

Information systemsintegrity andinfrastructure

S, P, M S, P, M Yes No

Access S, P, M S, P, M Yes NoCapacity S, P, M S, P, M Yes Noas predictive testing (see notes to Table 3).zations and Society 32 (2007) 439461 451

in relation to the obsolescence provision in 2000, and no speciWcerformance of a CAAT on the computation of the provision. This

2000

alive

e?

Controlsevaluated

Controlstested

Controlsrelied on

Additionalsubstantivework done?

No No No YesNo No No YesNo No No YesNo No No Yes

No No No Yes

No No No YesNo No No YesAccording to S4 it was felt this was adequatelyaddressed in previous years and decision was takento do no further workAccording to S4, Wrm specialists did full assessmentof the clients information system in 1999, whichwas updated in 2000N/A N/A N/A N/AN/A N/A N/A N/Aparing a comparison of the nature and extent ofwork done by account caption over the three yearsexamined was not straightforward. In order tostudy whether the logic of the new methodologywas followed in practice, Table 2 summarizes thenature of the audit work in respect of each riskidentiWed on the risk trackers in 1998 and 2000,focusing particularly on the nature of controls test-ing. This table follows the intended format of theWles after implementation of the BRA. Table 3 onthe other hand summarizes audit work done byWnancial statement account caption for 1996, 1998and 2000, analyzed into four categories: tests ofcontrols, tests of detail, low precision analytics andhigh precision analytics.1 The signiWcant features

of both tables and the extent to which the nature oftesting changed after implementation of the BRAare considered in the following discussion.

The guidance issued to staV was explicit aboutthe objective of decreasing the amount of substan-tive testing to be performed:

The assessment of client risk controls alsoprovides a basis for transitioning from lim-ited to extensive reliance on client risk con-trol processes and developing value addedinsights on improving client risk controlprocesses Our previous emphasis on sub-stantive tests as the primary or only methodof managing residual audit risk will decreasesigniWcantly.

Table 2 highlights diYculties in achieving a last-ing move to an audit designed to address risks andrelated controls. In 1998, while the audit team didfollow the logic of evaluating and testing controlsover risks envisaged by the BRA, substantive test-ing on material accounts remained very stable

1 Low precision analytics refers to relatively simple analyticalreview work, such as reviewing for unusual items and year onyear comparisons of numbers. High precision analytics may in-volve a greater degree of detail, for example looking at monthlyWgures and distributions and analysing sub-populations, andwork that involves more deWned analytical expectations, such

has been interpreted as a substantive test, although such tests can provide evidence of the operation of controls.b S D speciWc controls; P D pervasive controls; M D monitoring controls.throughout the period covered by the study. In the

452 E. Curtis, S. Turley / Accounting, Orga zations and Society 32 (2007) 439461ni

Table 3Summary analysis of the nature and extent of audit work in each of the three years examined in detail

This schedule does not purport to represent all of the audit work that was performed on this audit. Other areas of audit work such asrelated parties, going concern, fraud risk assessment, commitments and contingencies, subsequent events etc. were completed but arenot included in the summary presented here.

a Materiality: The summary of work done includes a materiality weighting for each account, where 0 represents aggregate balanceswhich are less than materiality, 1 represents balances which are between 1 and 4 times materiality, 2 represents balances which arebetween 5 and 10 times materiality and 3 represents balances with are in excess of 10 times materiality. In the case where captions fellinto more than one category over the three years, the range of materiality is given. This helps to illustrate the stability of the balancesheet relationships over the period of the case study.

Captions Materiala 1996 1998 2000

CTb TDc LPAd HPAe CT TD LPA HPA CT TD LPA HPA

Fixed assetsTangible assets 1 2 Y Y Y YIntangible assets 0 2 Y Y Y YFinancial assets 23 2 Y 2 Y 2 Y

Current assetsStock 3 3 Y Y 3 Y 1 Y

provision 3 Y Y 3 Y CAATf CAAT YDue from aYliates 01 2 Y 2 Y 2 YTrade debtors 3 2 Y Y 2 Y Y 2 Y Y

provision 3 Y Y Y 3 Y 3 Y YOther current assets 1 Y Y YCurrent asset investments 3 3 Y 3 Y 3 YBank and cash 13 3 Y 3 Y 3 Y

Current liabilitiesBank overdrafts 3 3 Y 3 Y 3 YTrade creditors 1 Y Y YDue to aYliates 3 2 Y 2 Y 2 YOther short term

creditors/accruals3 3 Y Y 3 Y 3 Y Y

ProvisionsPension 0 2 Y 2 Y 2 YWarranty provision 1 3 Y Y 3 Y Y 3 Y YDeferred income 2 3 Y 3 Y 3 Y

Shareholders equityand reserves

3 1 Y 1 Y 1 Y

ProWt and lossTurnover 3 Y Y Y Y Y YCost of sales 3 Y Y Y Y Y YGross proWt Y Y Y Y Y Y YG&A 3 2 Y Y 1 Y 1 YSelling expenses 3 2 Y 2 Y 2 YOther income 2 Y Y Y 1 YInterest expense 1 Y Y Y YExchange loss 1 2 Y 2 Y 2 YTaxes 1 3 3 3

Business risksAccess and information

systems integrityY Y

Authority and limit Y NCapacity riskg Y

ni

tet o (mar

igsistE. Curtis, S. Turley / Accounting, Orga

case of credit default risk and obsolescence risk,which relate to material judgemental balances inthe accounts, even though controls were tested andthe work papers explicitly stated that they wererelied on, traditional substantive work was alsoperformed. This represented testing levels in excessof that required by the methodology. Table 2 alsoshows that in 2000 controls were assessed asineVective for all of the risks identiWed on the risktracker, with all of the risks being addressed by tra-ditional substantive work on the account captionsrelated to the identiWed risks. This resulted in anaudit approach which was very similar to theapproach in 1996 under the pre-existing methodol-ogy. Table 3, which summarizes the work done byaccount caption, tells a similar story. This tableillustrates that the only year in which a signiWcantamount of controls testing took place was 1998,and even then there was very limited reduction insubstantive testing. The only change in tests ofdetails was a reduction in the extent of substantivetesting on tangible assets and general and adminis-trative expenses.

Table 3 (continued)b CT: Tests of control. This table indicates whether controls were

the extent of the control testing in each area. The nature and extenc TD: Tests of details. A relative weighting of 1 (limited work) 2

given to the extent of tests of details. These weightings are necessauthors experience of auditing practice.

d LPA: Low precision analytics. Under the LPA column, the desperformed. Examples of LPA include year on year variations analy

e HPA: High precision analytics. Procedures such as predictive teuct analyses, are considered to be HPA.

f See Footnote a to Table 2.g Not classiWed as a business risk in 2000.nied by limited reduction in substantive testing andzations and Society 32 (2007) 439461 453

followed by what appeared from the Wles to be areturn to a more traditional substantive approachby the fourth year after implementation. Three sig-niWcant issues which appeared to contribute to thispattern of behavior are discussed below.

Problems with linkage

From the earliest discussion with seniors andpartners in this study, it became apparent thatthere were problems linking the evidence collectedin relation to the risks and related controls withWnancial statement amounts. Although it may begenerally accepted that business risk is related toaudit risk, it seemed that practitioners wereuncomfortable with the inference involved in con-cluding on the veracity of Wnancial statementsbased on evidence supporting the existence of con-trols over business risks. S2 noted that this prob-lem did not just relate to staV, but that managersand in some cases partners were uncomfortableabout linkage. S1 commented that it was commonfor line managers to request a senior to prepare a

sted in a particular area; however, it does not attempt to quantifyf control testing is further analyzed in Table 2.oderate amount of work) or 3 (signiWcant amount of work) was

ily subjective as no objective measure is available, but reXect the

nation Y indicates where simple analytical review work has beens or review for unusual items.ing or detailed variations analysis, such as by-month or by-prod-The BRA also envisaged greater reliance onhigh precision analytics. Table 1, which describesthe risk assessment modules, notes an increase inthe use of high precision analytics for the prelimi-nary analytical review and this analysis wasupdated at the Wnal audit. Other than this, Table 3shows little evidence of signiWcant substitution ofhigh precision analytics for other forms of substan-tive testing.

Interviews with the seniors and partnersattempted to probe the reasons why initial eVortsto move towards controls testing were accompa-

summary of work done by account caption, inorder to bridge this gap. This problem may reXecta more generic problem of linkage between auditwork done and an opinion expressed on Wnancialstatements, which was exacerbated by changing thefocus from Wnancial statement risk to business risk.This issue is taken up in the implications section ofthe paper.

This question of linkage was discussed withboth partners. P2, who was involved in the develop-ment of the methodology, explained that there wasa controversy at an international level between

those who considered that focusing on the Wnancial


statements at an early stage in the audit had thepotential to distract the audit team from a businessrisk perspective and those who felt that restructur-ing the audit, including the audit work papers,entirely around business risk led to a concern thatall Wnancial statement risk was not addressed. Thisdebate was eVectively resolved in favour of tighterlinkage between risks and Wnancial statements andthe requirement for the audit team to produce alinkage schedule, cross referencing the Wnancialstatement captions to work done in addressingbusiness risks, was introduced for audits for yearsending 31 December 2000.

Evidence related to high level controls

A second issue in the implementation of theBRA was the suYciency of evidence available tosupport the operation of high level controls. Thelogic of the BRA approach suggests that if theauditor can identify the sources of business riskand ensure that the client has appropriate systemsto monitor and manage that risk, there is littlevalue in extensive detailed testing. The BRA envis-aged a change in the balance of audit testing fromlarge volumes of low-level transaction controls tohigh-level monitoring or supervisory controls. Thiswas to be achieved by classiWcation of controls asspeciWc, pervasive or monitoring. The audit teamwas required to evaluate the design of all threetypes of controls in relation to identiWed risks, butonly pervasive and monitoring controls (i.e. high-level controls) were to be tested and if they werefound to be operating eVectively reliance wasplaced on these controls. SpeciWc risk controls,which are typically transaction level controls, wereonly to be tested where pervasive or monitoringcontrols were considered ineVective.

Auditors had diYculties obtaining what theyconsidered to be suYcient evidence for the opera-tion of high level controls, and therefore realizingthe intended payoV from the anticipated reductionin testing large samples of transaction level con-trols. Table 3 highlights the fact that, despite theclear hierarchy in the type of control to be testedaccording to the oYcial methodology, in everyinstance where staV explicitly relied on controls in

1998, all three types of control were tested. Thiszations and Society 32 (2007) 439461

represented controls testing levels in excess of thatrequired by the methodology and is likely to havecontributed to the substantial increase in audithours (discussed in the next section). It wouldappear that audit staV were reluctant not toemploy established procedures that they regardedas good practice to give the audit an adequate evi-dence base.

Discussion with the seniors about the reasonsfor testing all three types of controls suggested thatthey were uncomfortable with the suYciency of theevidence provided by high-level controls alone.They questioned the sensitivity of those types ofcontrols to identify and correct misstatements,especially in the case of signiWcant judgements andestimates, such as a bad debts provision. The diY-culty of Wnding evidence to support the operationof high-level controls was noted by S1, citing thetendency of audit staV to document work done onhigh level-controls with comments such as TheWnancial controller stated that he reviewed.This senior commented that staV often had to besent to seek further documentary or corroborativeevidence that reviews had taken place. Even withsuch additional procedures, auditors remaineduncomfortable with this soft type of evidence.The evidence available to support the existenceand operation of high level controls fell short ofthe practitioners perceptions regarding what con-stitutes suYcient appropriate evidence. Concernswith the ability of high level controls to identifymaterial Wnancial statement misstatement werealso echoed by standard setters involved in draft-ing the IAASBs auditing standards in response tothe development of the BRA (Curtis & Turley,2005).

The diYculties experienced in replacing sub-stantive procedures with softer evidence on highlevel controls could be interpreted as a problem ofdisplacing highly institutionalized procedures.However, practitioners must personally answer topeer reviewers and the courts for the quality of theaudit performed, which is assessed on the basis ofthe documented audit Wles and not the tacit knowl-edge or comfort level of the practitioner. Even ifthe assessment of business risks and testing of highlevel controls over these risks provides the best

assurance on the veracity of Wnancial statements,


as is claimed by proponents of the BRA, practitio-ners seek to produce a legitimate defensible recordof the audit which conforms to institutional pre-scriptions of what a set of audit Wles should looklike (Dirsmith et al., 1985).

Time and skills required for controls testing

A further issue in the implementation of theBRA related to the time, eVort and skills requiredto document business processes, identify risks andcontrols within those processes, and design testsfor those controls. It was evident from the Wles anddiscussion with the seniors that a substantialamount of time was invested in these activities inthe early years of implementation. Discussion withthe partners about the extent of and commitmentto a risk/controls based audit revealed that bothpartners had some concerns about the audit staVsability to map critical processes, identify risks andrelated controls and devise testing plans for thosecontrols eYciently and eVectively. Both partnersstated that staV required signiWcant training to per-form these functions eYciently. In relation to the2000 audit, both the manager and senior wereasked whether controls were deemed ineVectivepurely on eYciency grounds, or whether the assess-ment reXected a true appraisal of the controls,which was the intended outcome of the BRA audit.The manager suggested that eYciency consider-ations had dominated, although the senior quali-Wed this (in a separate interview) suggesting thatit was felt that suYcient controls work had beendone over the previous few years, so a largely sub-stantive approach was taken in 2000. Despite thesubstantial amount of controls work done over theperiod 199699, the Wles explicitly stated that con-trols were not relied on in 2000. This contrasts withthe partners who expressed the view that goingback to the days of balance sheet bashing (aterm used by S2 to describe a wholly substantiveaudit approach) was seen as undesirable and con-Wrmed the continuing commitment to improvingstaV skills in this area.

There may be more than one explanation forthe diYculties in achieving the changes in thenature of audit testing which were envisaged by the

BRA. It is possible to argue that the reluctance tozations and Society 32 (2007) 439461 455

substitute the testing of high level controls andhigh precision analytics for traditional substantivetesting is a straightforward story of anchoringbehavior by practitioners. However, it may be thatpartners and managers perceive the legitimacy ofthe audit Wle, which they personally must defend,to be tightly bound up with the performance ofsuch institutionalized procedures. This problemappears to have been exacerbated by perceivedlack of linkage between a BRA audit and theWnancial statements. While the rationale underly-ing the BRA conceptualized the audit in a way thatessentially was not deWned by the Wnancial state-ments, this was challenged by the practitionersneed to feel satisWed that the audit had adequatelycovered the Wnancial statement amounts. Anotherobstacle to a lasting move to a controls based auditis that controls testing can be much more expen-sive and require higher skill levels than substantivetesting. The administrators may have underesti-mated the degree of organizational change (such asemploying individuals with more experience ordiVerent skill sets) required to implement the BRA.This may have resulted in diYculties in achievingthe commercial objectives envisaged by the BRA,an issue considered in the next section.

Costs and revenues

This section examines both the impact of BRAimplementation on costs and the outcome in termsof revenue generation. One reason that has beensuggested for the introduction of the BRA wasthat it was intended to increase revenue as opposedto reduce cost.

Discussion with partners at the preliminarymeetings revealed that they anticipated a substan-tial investment during the implementation of theBRA, when documentation of business processesand the related business risk assessment would beperformed for the Wrst time. However, they antici-pated that this would be oVset in part by the imme-diate reduction in the amount of transactioncontrol testing and/or detailed substantive workperformed, and in part on future audits, by theability to roll over much of the business risk assess-

ment from year to year. The partners were explicit

i456 E. Curtis, S. Turley / Accounting, Orga

about the beneWts this approach entailed in termsof audit eVectiveness, reduced risk of litigation andvalue to the client. P2 stressed the intention to de-commoditize the audit, referring to the BRA as aclient value oriented, multi-services sales plat-form. This was intended both to deliver value tothe client as part of the audit process, which shouldallow for better recoveries on audit fees, and toidentify potential opportunities for the delivery ofconsulting services.

Table 4 illustrates the extent of the investment inthe implementation of the BRA on this client. TheWgures reXect the reported hours charged by eachmember of staV to the job number. P2 conWrmedthat all hours incurred on audits during the imple-mentation period of the BRA were to be charged tothe client job number and Table 4 therefore reXectsthe investment in implementation on the client. Theaudit Wrm did not recover the substantial invest-ment made in the implementation period throughincreased fees. The audit fee remained stablethroughout the period of the implementation andas a result signiWcant write-oVs were incurred.Audit hours increased dramatically in 1997, the Wrstyear after implementation, and remained at thatlevel in 1998. According to S3, this was due to thesubstantial amount of time invested in completingthe Wve risk assessment modules of the BRA, inparticular in documenting critical business pro-cesses and identifying the related risks and controls.In addition during this implementation period theaudit team members were also on a learning curvewith the BRA, which dramatically changed theformat and layout of the audit Wles, and with thesoftware used to prepare the Wles.

Table 4Analysis of audit hours by level of staV

a The other category consists primarily of charges in relationto tax personnel and (in 2000) charges in respect of computer

1996%

1997%

1998%

1999%

2000%

Partner/manager 14 18 19 16 20Senior 35 37 37 37 38StaV 48 40 40 40 31Othera 3 5 4 7 11Total 100 100 100 100 100Actual hours 658 969 904 729 663audit personnel for tests conducted in relation to stock.zations and Society 32 (2007) 439461

The other notable feature of this table is the factthat the implementation does show an increase inthe relative amounts of time invested by audit part-ners, managers and seniors, suggesting that theBRA demanded a somewhat diVerent humanresource proWle. The 2000 audit shows an increasein the amount of senior time relative to staV time,though this may have been due to the fact that thissenior had never previously worked on this clientand therefore required additional time to becomefamiliar with the Wles.

The substantial increase in audit hours in theperiod from 1997 to 1999 which were not recov-ered through audit fees must have been unsustain-able. The interview with S2 revealed that in theyears 1996 up to 1998, fee pressure on this job wasconsidered to be average, or less than average. Thismay have been because of the acceptability of costoverruns during the implementation phase. How-ever, the interview with S4 revealed that she felt feepressure was above average for the audit in 2000.Taking Fischers (1996) line of reasoning from hisstudy of the implementation of new audit technol-ogies, this fee pressure should have acted as a cata-lyst for the unlearning of the old methodology andstimulated a response of cutting back on the sub-stantive audit work, particularly given the amountof eVort which had been expended in identifyingand evaluating risks and controls over the previousthree years. However, analysis of audit work donein the previous section suggests that it resulted inreduced reliance on controls, despite the fact thatthe stated methodology was to rely on the controlstesting and to reduce substantive testing whereverpossible. Even four years after implementation ofthe BRA, it appears that practitioners remainedresistant to the implementation of a controls basedapproach. While the previous section suggestedthat this may have been because of lack of skills orconcerns over the legitimacy of the evidenceobtained, this analysis suggests that it is also possi-ble that it was uneconomic to continue with thisaudit approach in the absence of an increase inaudit fees. Concerns have been raised that theBRA was introduced as a means of justifying lessaudit work in the name of producing auditeYciency. The Wndings of this study that the imple-nmentation of the BRA actually increased audit

tttttthe following extract from the documented metho-dology:

[the methodology] was designed so that eachcomponent contributes to our understandingof senior managements business risk man-agement activities. In this manner, the Wnd-ings of our audit not only contribute to theability to opine on the Wnancial statementsbut, importantly, they provide valuedinsights on improvements to the business riskmanagement process and related risk controlprocesses.

Any such opportunities identiWed in the courseof the audit were included in a separate section ofthe risk tracker. Table 5 lists the opportunities foradding client value identiWed in the planning pro-cess on this client, together with a brief summaryof any work performed during the course of theaudit.

It is clear from Table 5 that a considerableamount of time was invested in examining the

Table 5Opportunities identiWed to add client value

1998 Work done

Budget and planning Process documenCustomer satisfaction Process documenCompetitor industry Process documenCapacity Process documenHuman resources Process documen

2000 Work done

Budget and planning No work done

Customer satisfaction No work doneCompetitor industry No work doneCapacity and channel eVectiveness No work doneformed on these matters. It seems likely that nowork was performed because there was noexpected return on this investment, i.e. in the formof revenue generated through non-audit services orbuilding client relationships.

The case highlights the fact that although oneargument by which the administrators sought topersuade the practitioners of the beneWts of theBRA was that they would provide more value forthe client, it is at the practitioner level that themethodology must be translated into client value.This requires not only that the practitioners actu-ally succeed in creating value for the client but alsothat the client is willing and able to pay for it.Anecdotally, four diVerent partners from this Wrmindicated that clients were generally very happywith the new methodologies, and that in generalaudit fee recoveries had improved. However, allfour indicated that signiWcant sales of non-auditservices had not been achieved.

This evidence raises questions about the com-mercial success of the BRA in this case. It appears

ed by memo, controls evaluated and limited controls testinged by memo, no controls evaluateded by memo, no controls evaluateded by memo, controls evaluated and limited controls testinged by memo, no controls evaluatedE. Curtis, S. Turley / Accounting, Organizations and Society 32 (2007) 439461 457

costs is consistent with the work done by Blokdijk,Drieenhuizen, Simunic, and Stein (2003) whofound that total audit time increased in Big FiveWrms using business risk audits. This turns atten-tion to the potential revenue generation capabil-ities of the BRA.

The idea of auditors providing useful advice toclients as a result of their audit is certainly not new.However, the guidance on the BRA issued to allaudit staV of this Wrm lists the identiWcation ofopportunities to improve clients business as one ofthe primary goals of the BRA, as is evident from

added value opportunities in 1998. It is not possi-ble to identify the cost of this work as it is not ana-lyzed separately and was charged to the job as partof the audit. It is interesting however, that thesematters were not incorporated into a managementletter. It may be that these matters were discussedinformally with management, but if so this was notdocumented in the Wles. Although the same issueswere again identiWed during the planning processof the 2000 audit, no further work was performed.In accordance with the Wrm guidance, it was thepartners decision that no further work be per-


that implementation was very expensive as antici-pated. This was exacerbated by problems in con-vincing practitioners to achieve a payoV byreducing substantive procedures and placing reli-ance on high level controls and analytical proce-dures. The study illustrates that there is noguaranteed payoV from a BRA in terms of eitherfee recovery or generation of additional services.

Discussion and conclusion

The literature reviewed in the early sections ofthis paper points out how audit methodology maybe developed by the administrative elements withinthe large accounting Wrms in response to contex-tual pressures on auditors within those Wrms. Inthis context, the BRA can be seen as a responseintended to address commercial concerns aboutdecreasing audit proWtability and to reduce expo-sure to catastrophic litigation, while improving thestatus of the auditor by aligning the audit withhigher status consulting work and the fashionablelanguage of risk management. The purpose of thisstudy was to examine how the introduction of theconceptual approach of the BRA translated intochanges in audit techniques at a practical level. Theanalysis of the case study has demonstrated thatthe BRA faced considerable diYculties in achiev-ing the intended degree of change from practitio-ners and identiWes two, potentially complementary,explanations for this.

Inference, linkage and legitimacy

The evidence of the case study suggests thatpractitioners were uncomfortable with giving anaudit opinion on the Wnancial statements based onindirect evidence drawn from analysis concerningbusiness risks and the operation of high level con-trols. This relates to the problem of inference inauditing, which is essentially a generic problem ofmaking the connection between collecting what isinevitably partial audit evidence and giving anopinion on the Wnancial statements. Given thatthere is no general theory of evidence aggregation(Gwilliam, 1987), issuing an audit opinion inevita-

bly involves a degree of inference. However, thezations and Society 32 (2007) 439461

case study suggests that some forms of evidenceare seen to involve less inference than others. Theproblem of linkage between testing controls overbusiness risks and Wnancial statement account cap-tions ultimately forced an amendment to the glo-bal methodology of this Wrm to strengthen thislinkage. This problem may reXect the conditionthat auditors are generally less comfortable withthe inference involved in testing and relying oncontrols as opposed to testing the numbers them-selves. Jeppesen (1998) suggests that the commontheme in audit history is the gradual substitutionof the costly substantive auditing procedures.However, the history of audit methodology doesnot suggest that this trend is uncontested or con-tinuously in one direction. So-called systemsbased auditing was favoured in the 1970s as a wayof getting away from substantive testing and plac-ing reliance on systems of control, but in imple-mentation practitioners often opted for bothcontrols reliance and considerable substantive test-ing (Turley & Cooper, 1991). A similar pattern wasobservable with the implementation of the auditrisk model in the 1980s. While this model allowedauditors to rely on evidence from their evaluationof controls, prior research suggests that controlrisk was often assessed as high (The Panel onAudit EVectiveness, 2000; Waller, 1993) with theeVect that audit risk was primarily controlledthrough detailed testing. The case study suggeststhat the problem of inference in controls testingwas exacerbated in the case of the BRA, by chang-ing the focus from Wnancial statement risk to busi-ness risk, which widened the perceived gapbetween investigation and opinion. In this sense,the evidence gathered on a BRA audit did not sat-isfy the practitioners conceptions of an institu-tionally legitimate audit and, thus, the productionof legitimacy at the level of the individual auditacted as a constraint on the implementation of theBRA.

This concept of inference clariWes the problemsassociated with the use of intuition or tacit knowl-edge of a company or industry and other types ofsoft evidence. Proponents of the BRA claim thatanalysis of business risks and related controls is thebest way to produce valuable assurance about the

veracity of Wnancial statements and that an exten-


sive amount of substantive testing actually pro-duces little assurance if the business risks are notmanaged. However, the case study suggests thatrelying on tacit knowledge or soft evidence, whichinvolves signiWcant levels of inference, is problem-atic, not because it does not potentially produceassurance, but because it does not meet practitio-ners conceptions of legitimacy.

This aspect of the evidence from the case studysupports the conclusions reached by Dirsmith et al.(1985), who recognized that auditors must producelegitimate audit Wles but exhorted them to under-take a judgemental audit at the same time. Thecase study points to the fact that this approachinevitably has consequences for the cost of anaudit since additional audit work must be under-taken to support the production of legitimate auditWles. This introduces the second signiWcant issuewith the BRA which is suggested by the case study:problems with the business model.

The production of legitimacy and the production of proWts

The case study suggests that the BRA approachwas more expensive and required higher skill levelsthan relying primarily on substantive testing,which is generally uncomplicated. The additionalcost was exacerbated by the lack of reduction insubstantive testing discussed above. The case alsoillustrates that there is no guaranteed payoV from aBRA in terms of either fee recoveries or generationof additional services. Such a payoV will always bedependent on speciWc circumstances of the clientand the ability of the audit team to maximize anyrevenue generating opportunities that exist. Thissuggests some diYculties with the business modelwhich underpinned the BRA: Wrstly because thecosts of implementation outweighed the revenuesgenerated; and secondly because it suggests somemismatch between the BRA and the organiza-tional structure which implemented it. Morris andEmpson (1998) point out that the proWtability ofprofessional service Wrms is dependent on theirability to deploy their knowledge to the clientsadvantage, at a fee which generates a surplus overemployment and overhead costs. They suggest that

highly structured audit methodologies facilitatezations and Society 32 (2007) 439461 459

the delegation of routine audit work (i.e. the pro-duction of audit Wles) to inexperienced staV toachieve above average proWts. They also suggestthat delegation of tacit, intuitive and judgementalwork to inexperienced staV is problematic, as thattype of knowledge is less susceptible to codiWca-tion. Knechel (forthcoming) makes a similar pointin suggesting that there is a bottom up demand foraudit structure from inexperienced staV withinaudit Wrms. Thus the hierarchical organizationstructure of the audit Wrm is not necessarily suit-able for a methodology which was both more judg-emental and ambiguous in its application andmore demanding in terms of skill levels required ofthe staV. Morris and Empsons study draws atten-tion to the diVerent structure of a small consultingWrm, which reXects a greater focus on tacit knowl-edge which is applied by the consultants to achieveresults in client speciWc circumstances, representedin a relatively Xat organization structure and lim-ited leveraging of knowledge. Consistent with theWndings of the case study, this argument suggeststhat implementation of the BRA would have bene-Wted from a diVerent organizational structure, andone that was also better equipped to provide theconsulting services. Thus the demand for the pro-duction of legitimacy appears to constrain themanner in which proWts are produced.

In conclusion, it can be argued that in develop-ing the BRA to address concerns about the statusand proWtability of the auditors in large Wrms, theadministrators who developed it did not give ade-quate consideration to the role of audit methodol-ogy in the production of legitimacy as understoodby the practitioners. Since practitioners retain ulti-mate control over the nature and extent of auditprocedures performed, this resulted in diYculties inachieving a lasting move to a controls based audit.It also seems that, in trying to reengineer the busi-ness model, administrators gave inadequate consid-eration to the organizational structure of the Wrmsand the manner in which this structure supports theproduction of legitimacy. The development of theBRA approach may have represented an ambitiousprogramme of change, but eVecting real change inpractice requires more than simply training peoplein the application of new terminology. Similarly, re-

branding of the audit product with clients,


regulators and academics is not suYcient to changethe

Documents

The business risk audit – A longitudinal case study of an audit engagement