1
Corporate Auditing Risk Assessment in Brazilian Context: A Multi-Criteria Approach
1. Introduction
Until the advent of escalated litigations against auditors notably that of Arthur Anderson
& Co, the century independent audit firm in the year 2003, auditors have always had a peace
of mind, working according to the generally accepted accounting principles and auditing
standards with little or no concerns about auditing risks. The big 4 firms in their auditing
methodologies stipulates the risk review, but most second-tier firms do not see it as sine qua
non or a cogent factor for a successful engagement management. Especially in the mentioned
case, even though SEC permits non-consolidation of organizations for specific purposes, if
the auditors had diligently evaluated the auditing risks it would not have gone through this
embarrassing situation that led to the dismantling of a solid global firm. Notwithstanding,
what is unacceptable to the accounting practitioners and the entire world, taking the image
Arthur Anderson had, is the destruction of the audit working papers where all surrounding
audit proofs have been evidenced, this is the stoke that break the horses back, evidently
culminating to its folding up. In a brief by the Chairman of Arthur Anderson – Brazil at the
Faculty of Economics, Administration and Accounting – University of São Paulo the case of
the operation that was not consolidated was as follows: In 1999 Enron decided to do away
with one of its Energy generating plants in Cuiaba in Brazil but could not find buyers.
Therefore, decided to constitute an investment company – LJM whose board of directors was
chaired by Andrew with the objective to buy the energy company with a bid to artificially
generate cash to escrow the Enron losses. There was an immediate agreement signed to
repurchase the plant after two years; a time space that is enough to conceal the Enron losses.
The question is, was this transaction known to the auditors? If so, it added and abetted.
2
Therefore, this apparent public mistrust regarding the case of Enron, Worldcom to
mention just a few, brought to the business environment a great reflection about the
client/auditor relationship. Thus, the studies of Craswell, Stokes & Laughton (2002) which
nvestigated whether the fee dependence within the audit firms offices jeopardizes auditor
independence, that reached a conclusion that the level of auditor fee dependence does not
affect auditor propensity to issue unqualified audit opinions and otherwise mentioning that the
finding remains robust for a number of tests, raises an eye brow.
2. Fundamentals of Audit Risk
Risk preferences play a central role in the economic theory of the firm, optimal
contracting, and virtually all managerial accounting topics that involve human behaviour and
decision making Cooper & Selto (1993).
The auditor’s assessment of risk for material misstatement in an engagement is of
fundamental importance in giving a right sizing professional services. This is for the fact that
with the outbreak of a diversified business environment and owing to the development of
specific business problems attributable to untraditional business environments, no one is
sufficiently backed with information to support a mention of generalized type of risk that
could arise, Imoniana (2000). As cited in the panel on Audit Effectiveness Report - POB
(2000) apud Shelton & Whittington & Landsittel (2001) the risk assessment and response
process called for by SAS No. 82 falls short in effectively deterring fraud or significantly
increasing the likelihood that the auditor will detect material fraud, largely because it fails to
direct auditing procedures specifically toward fraud detection. This is not different as related
to the risk of misrepresentation. Thus, it is wise to suggest to the auditors to use the portfolio
administration approach to manage risks in auditing, Stein (1991).
3
Therefore, as a result of an increased concern about audit risk, it would be wise to
reflect on the definitions given be the professional and standards proposing bodies. Thus,
according to AICPA SAS-47 (1996) auditing risk is the risk that the auditor for lack of
knowledge, could misstate while adequately modifying his opinion in a financial statement,
which is materially incorrect. And in the same line, IFAC says it signifies a risk that the
auditor would opine improperly when the financial statements contains relevant
misstatements.
2.1 Materiality
It is barely impossible to discuss risk in auditing without mentioning the concepts of
materiality. As the name may imply, what is material or relevant to the professional eyes of
the auditor? And what is significant when it comes to the terms of monetary values relating to
accounting transaction or class of account being treated? According to AICPA (1996) the
concepts of materiality agrees that certain errors, individually or in group are important for a
fair presentation of the financial statement in accordance with the generally accepted
accounting principles, while other errors are not important. Having materiality in mind
therefore, be it defined for a group of accounts or individual accounting balances, transactions
should be tested so as to mitigate the risk of misstatement.
2.2 Risk assessment methodologies
Risk evaluation methodologies or techniques could be designed for various segments to
suit the complexities of business environments and also to match the scope of work of the
auditor. They are such as: General corporate integrated risks approach, Internal auditing risk
approach, Computer environment risks, Electronic Commerce risks. All these approaches
4
adopt a top-down style of assessment, beginning from the planning, going through the
execution, monitoring, until the reporting and follow-up stages.
Thus, considering the framework adapted from the University of Victoria internal audit
approach (UVIC, 2004), one would observe that the approach presents the views of enterprise
risk management used by best practice firms world-wide. The framework determines the
following key points in the process of risk assessment:
a) Establish the Context (scope, objectives and costs of risk assessment) based on:
Strategic Context, Organizational Context, Management Context, Develop Risk
Evaluation Criteria, Define the Structure, considering: Process, Policy, Staff,
Technology Management Information and Service Assessment;
b) Risk Identification: What can happen, How and why it can happen, Tools and
techniques;
c) Risk Analysis: Determine Existing Controls, Consequences and Likelihood, Types
of Analysis: Qualitative, Semi-quantitative, Quantitative, Estimate Level of Risk;
d) Risk Evaluation (quantification of the threats): Low, Medium, High;
e) Risk Treatment: Avoidance, Reduce Likelihood, Reduce Consequences, Transfer,
Accept/Retain;
f) Monitor and Review: Monitor risks, the effectiveness of the risk treatment plan,
strategies and the management system controlling implementation, Ongoing review
is essential to ensure relevancy;
g) Communication and Consultation: Develop a communication plan for both internal
and external stakeholders, Address both risks and the process to manage it.
5
2.3 Risk evaluation model in the internal auditing
An apparent internal control risk is measured in audit process to enhance the definition
of control procedures to be tested to mitigate such risks and also determine the extension of
substantive tests to be executed in posterior phases of the audit. Risks of which accounting
transactions are exposed could be internal or external. The probability of its occurrence is
expected to be measured so that one could expedite action, be it high, medium, low or
insignificant. The types of exposures as categorized by the Institute of Internal Auditors (IIA,
1992) were used as the basis for determining the general risk for the accounting information
systems. The exposure types are:

Erroneous record keeping – The recording of financial transactions that are contrary
to established accounting policies. The errors may involve the time of recognition
and, value. Transactions may also be registered in an incorrect and inexact form and
incorrect classification.

Unacceptable accounting – The establishment or implementation of accounting
policies which are not generally accepted or are inappropriate for the circumstances
and lack of compliance with accounting standards

Business interruptions - Prolonged business disruptions that could lead to a
discontinuity of business operations, temporary suspension of operations to a
permanent termination of the enterprise.

Erroneous management decisions – may arise due to misleading information,
decision taken based on incorrect or incomplete management reports resulting to
error of judgment;

Fraud and Embezzlement – direct misappropriation of funds, deliberately
misinforming management or investors, concealing of information for self interest,
manipulation of figures or misrepresentation;
6

Statutory sanctions – Any penalties which may be brought by judicial or regulatory
authorities who have jurisdiction over an organization’s operations. Litigations
(employees or fiscal contingencies) arising from lack of compliance of guiding
regulations;

Excessive costs – Any expense of the business which could be readily avoided,
unnecessary increase in cost or expenditures; the loss of revenues to which the
organization is fairly entitled.

Loss or destruction of assets – The unintentional loss of or claims to physical assets,
monies or information assets.

Competitive disadvantage – The inability of an organization to effectively remain
abreast of the demands of the marketplace or to respond effectively to competitive
challenges such as technological advancements to create a competitive edge.
Thus if we suppose that the risk of which an accounting system say account payable is
exposed is low, as a result no much audit concern is paid to it but as a need to document our
findings it has to be proved, based on the IIA model, it will read as follows:
Table 1 – Risk Measurement in Accounts Payable System.
Risk Exposure
Erroneous record keeping
Unacceptable accounting
Business interruptions
Erroneous management decisions
Fraud and embezzlement
Statutory sanctions
Excessive costs
Loss and destruction of assets
Competitive Disadvantage
Low
1
0.3
1
0.3
1
0.3
1
0.3
1
0.3
1
0.3
1
0.3
1
0.3
1
0.3
Medium
3
0.5
3
0.5
3
0.5
3
0.5
3
0.5
3
0.5
3
0.5
3
0.5
3
0.5
Source: Adapted from IIA (1992)
High
5
0.8
5
0.8
5
0.8
5
0.8
5
0.8
5
0.8
5
0.8
5
0.8
5
0.8
Weight
1
Score
0.3
1
0.3
5
1.5
5
1.5
3
0.9
3
0.9
3
0.9
3
0.9
5
1.5
Total
9.3
7
Therefore, in the above stated table when the scores are summed up, it reaches 9.3,
which is considered low. In other circumstances the scores on the table could sum 46.5 and
124, which could be considered to be medium and high respectively.
2.4 Risk evaluation model in the computer environment auditing
The risk evaluation in the computer environment according to NIST (2004) which
describes basic principles for the control and management of risks, emphasizes that it is
imperative the identification of vulnerabilities and the group or threats of which information is
prone or the vulnerability of systems that has potential threats which could be perpetrated. In
addition to this, the model proposed by Carnegie Mellon University entitled OCTAVE
(Operationally Critical Threat, Asset and Vulnerability Evaluation) recommends that in a
computer environment, three key phases of risk evaluation should be taken into consideration:

Construction of the existing profiles based on identified information assets which
entails figuring all material and human resources in the organization that supports
information technology, with this, one is able to identify how fragile an so
vulnerable the organization at large is;

Identification of the vulnerability of the environment concerning infra-structure,
thus, key components of the infra-structure are identified and their fragility is
measured;

Establishes the strategies and the security policies. Once identified the probability of
threats that enables the quantification of risks, decision is then driven towards
implementation of measures that would mitigate such risks. In summarizing the
NIST approach therefore, in table 2 – Probability of the Occurrence of Risks, shows
the likelihood of the risks mentioned in their methodology so far.
8
Table 2 – Probability of the Occurrence of Risks.
Level of occurrence of the
Probability
High
Medium
Low
Description of the Degree of Threat
The origin of the threat is highly motivated and is sufficiently probable, the existing
controls to protect the vulnerability could be ineffective
The origin of the threat is significantly motivated and is sufficiently probable, the
existing controls to mitigate the risk could moderately prevent its perpetration
The origin of the threat is immaterial and is sufficiently proved to be low and the
existing controls prevent it from being violated.
Source: Adapted from NIST (2004)
3. Proposed View of the Corporate Auditing Risk Structure
The figure 1 shows a methodology proposed in this study to evaluate auditing risks. In
decomposing the structure in a higher level therefore, we have: Service Risk and Auditing
Risk. The service risk is subdivided into: ethical risk, moral risk and the risk of loss of
earning. Auditing risk is subdivided into: inherent risk, internal control risk and the risk of
detection.
Figure 1 – Corporate Auditing Risk Model Structure.
Corporate
Auditing
Risk
Service
Risk
Ethical
Risk
Moral
Risk
Auditing
Risk
Loss of
Earning
Risk
Inherent
Risk
Source: Elaborated by Authors
Internal
Control
Risk
Detection
Risk
9
3.1 Service risk
Otherwise known as the engagement risk, deals with the acceptance of the service by the
auditors. What to consider when proposals are being drafted and submitted to an intending
client. According to DTTI Audit System2 (1995:26) engagement risk, as it relates to an audit
engagement, is the risk that:

The firm may be exposed to adverse consequences as a result of its association with
a client (e.g. negative publicity or litigation).

The financial statement as a whole may be subject to material errors or to
misunderstanding by users as a result of factors that may be:

Pervasive to the audit engagement and financial statements;

Specific to a significant account balance and related potential error(s).
a) Ethical Risk (Professional Image Destruction) – Apparent professional dishonesty
that the auditor portrays as he is forced to commit arts prohibited to his profession
while observing the laws and regulations of the practice as he succumbs to the
management persuasion gives rise to intentional omissions and material
misstatement that results to a breach of trust of the users of the financial statements
and/or accounting information systems.
b) Moral Risk (Social Distrust) – Organizations culture of social responsibility which
the auditor perceives as he measures the lack of family and school guidance, free
wheeling capitalism and the rate at which the client takes advantage of primitive
local laws.
c) Loss of Earning Risk (Fee Dependence) – The auditors’ apparent measure of fee
dependence and effects on independence as it impacts on the effectiveness of the
audit.
10
3.2 Auditing risk
Deals with what to look, after the service has been accepted and auditing activities are
planned to guard against the possibilities of wrong opinions when audit activities might have
been concluded.
a) Inherent Risk (Susceptibility of Accounting Balance) – Susceptibility of Accounting
Balance - According do AUS-402 “inherent risk means the susceptibility of an
account balance or class of transactions to misstatement that could be material,
individually or when aggregated with misstatements in other balances or classes,
assuming there were no related internal controls”. Thus, it is common to assess
inherent risk when developing the audit plan and also during the development of the
audit programs and its implementation. During the development of audit planning,
the auditor assesses inherent risk at the financial statement level and when preparing
the audit programs the auditor respectively assesses the material account balances
and classes of transactions at the assertion level.
As the assessment of this risk entails a little of subjectivity it is wise for the auditor
to use a professional judgment to evaluate the factors surrounding it, they are such as
the following, adopted by the best practices of global accounting firms:

Management Integrity – how trustworthy and transparent is the management;

Management Experience – is the management changed very often? If not so,
how many years of experience has the management in preparation of financial
statements?

Pressures Influencing on the Management – unusual pressures on management to
misstate the financial statement;

Nature of Business Entity – Geographical location, complexity of capital
projects, constant technological renewal projects; and
11

Market Indexes – Those that influences on the investment and usually affects the
country risk, such as:

Unstable economic policies;

Unstable political structure;

Disloyal competitiveness.
b) Internal Control Risk (Effectiveness and Management Skills) – The internal control
risk depends on the effectiveness and the management skills. It is the risk that the
existing internals controls could not detect an error equal or above those tolerable for
the accounting data being tested. In other words, internal control risk is the risk that
internal controls are not effective to prevent or detect material errors in a timely
manner Imoniana (2001). In agreement with these definitions above, certain
questions are worth asking:

Has the management implemented internal controls effective to prevent:
Constant operational losses, Financial distress and Business continuity or goingconcern problems?

Are the employees duly sensitized about the needs of controls?

Are the functions duly segregated to track responsibility; who accounts for what?

Does the management demonstrate the spirit of compromise with the business
objectives?

Does the organization structure permit the implementation of good controls?

What are the punitive measures for transgression?

How are the internal and external factors monitored?
c) Detection Risk (Imminent Proofs of Misstatement) - What is the risk that the auditor
would not be able to detect adequate proofs about misstatements and be lured to
giving opinion about financial statement that is materially incorrect? AUS – 402
12
states that the level of detection risk related specially to the auditor’s substantive
procedures. The auditor’s control risk assessment, together with the inherent risk
assessment, influences the nature timing and extent of substantive procedures to be
performed to reduce detection risk. Thus, one could crave the indulgence to ask the
following questions:

What is behind the concealment of relevant information by the management?

Would a false representation mean a beach of confidence?

Would the engagement hours be sufficient for the timing of substantive
procedures?

Would the 95% confidence level be attained using a larger sample size?
4. Evaluation Model for the Corporate Auditing Risk Structure
4.1 Quantitative formulation of the risk structure
The major characteristic of the corporate auditing risk structure presented in figure 1 is
that the variables are eminently qualitative. These types of variables require specific
treatments and the multicriteria methods of decision analysis makes this feasible.
Therefore, initiating the modeling by quantitative formalization of the relationships
between the variables in the problems structure, we revive the concept that the corporate audit
risk is a sum of service risk and auditing risk:
car  sr j  ar j
(1)
where: car is the corporate auditing risk, sr is the service risk group and ar is the auditing risk
group.
13
Thus, as a perception of risk by auditors or evaluators is subjective, there is a need to
stipulate a level of importance which each group of risk portrays in the assessment process,
which could be formulated by attributing relative importance:
car  w j sr j  w j ar j
2
for
w
j
(2)
 1 , and wj is the relative importance (weight) of the referenced group.
j 1
The service risk group sr is a function of the criteria values of ethical risk er, moral risk
mr, loss of earning risk ler, and relative weights wji of each risk criteria, such as:
sr j  wij v k (er )  wij v k (mr)  wij v k (ler )
(3)
that can assume the aggregate form:
m
sr j   wij v k (rc ij )
(4)
i
m
for
w
j 1
j
i
 1 and 0 <wji <1, where rcji is the risk criteria of the risk group j.
The auditing risk arj calculus depends on the service risk group sr score, as follow:
0
ar   j
j
j
wi vk (ir )  wi vk (icr )  wi vk (dr )
j
if sr j  rp *
if sr j  rp *
(5)
where ir is the inherente risk, icr is the internal control risk, dr is the detection risk, relative
weights wji of each risk criteria and rp is the threshold of risk perception, arbitrarily defined
from a risk attribute scale (it will be defined more ahead) in accordance with preferences and
values of the decision maker, that can assume the aggregate form:
0

m
ar j   w j v (rc j )
 i k i

 i
if
sr j  rp *
if
sr j  rp *
(6)
14
4.2 Definition of relative importance of risk group wj and risk criteria wji
The estimation of weights or relative importance of risk groups and risk criteria is
formulated through the Analytic Hierarchy Process (AHP), as in Saaty (1990, 1991). The
process is initialized with parity comparison between the risk group and the risk criteria,
according to the relative importance judgment scale of values shown in table 3.
Table 3 – Relative importance judgement scale.
Ratings of Absolute
Importance
a to b = 1
a to b =3
a to b = 5
a to b = 7
a to b = 9
a to b = 2,4,6,8
Reciprocals
Explanation
Two activities contribute equally to the objective and are of the highest importance.
Experience and judgement moderately favor a over b.
Experience and judgement strongly favor a over b.
a is strongly favored over b and its dominance is demonstrated in practice.
The evidence favoring a over b is the highest possible.
When compromise is needed.
If activity a has one of the above numbers assigned to it when compared with
activity b, then b has the reciprocal value when compared to a.
Source: Adapted from Saaty (1990, 1991)
The results observed from the comparison done by the specialists’ involved in decision
process are presented below in the form of:
1
a
A   21
 ...

 a n1
... a1n 
... a 2 n 
... ... 

... 1 
a12
1
...
an2
and the elements judgement matrix A must satisfy the conditions:
a) a ij   ;
b) a ji 
1

;
c) a ii  1.
where a represents a parity comparison between the factors and sub-factor and  refers to the
relative importance judgement scale value.
The resolution of matrix A is done through the calculation of auto-vector vi:
 n

vi    a ij 
 j 1 
1
n
(7)
15
whose normalization through (2) results into proprietary auto-vetor wi, which expresses the
relative importance scale (weights) of each one of the factors and sub-factors. Afterwards, the
integrity of the judgement is tested, calculated for inconsistence index, aimed to identify
judgement deviations which violates the principle of transitivity, as in Lane & Verdini, 1989.
wi 
vi
(8)
n

i 1
vi
4.3 Definition of value function of risk criteria v(rcji)
The function value of risk criteria is established through cardinal values attributed to
standard risk situations previously defined by the auditor. For each of the criterion of the
group of service and auditing risk are associated five standard situations that assumes the
attributes of irrelevant risk, low, moderate, significant and very significant. These risk
attributes, which are linguistic variables, have their cardinal parts established in key discrete
points with the intervals between 0 and 1, when the values near to 1 represents circumstances
with higher risks, and the values close to zero refers to the circumstances with less risk.
In
tables 4 and 5 below are shown standard situations of the risk criteria, which were defined for
the study with their respective value functions and the risk attributes.
16
Table 4 – Standard Circumstances of Risk Criteria rcji – Service Risk Group.
Risk Criteria
rcji
Ethical Risk
Standard Circumstances
1.
2.
3.
4.
5.
Moral Risk
1.
2.
Value
Risk Attribute
Function v(rcji)
Auditors involvement in statutory sanctions as a
1,00
Very Significant
result of decision-taking based on financial
statement that is misunderstanding to users
Securities & Exchange Commission canceling of
0,75
Significant
auditors licenses found dishonest
Perception of loss of professional independence
0,50
Moderate
Thorough pre-engagement risk assessment
0,25
Low
Non acceptance of engagements that could bring
0
Irrelevant
negative publicity
Absolute perception of abuse of primitive local laws
1,00
Very Significant
Little or no concerns about the effects of free
0,75
Significant
wheeling capitalism
Lack of social responsibilities
0,50
Moderate
Undefined organizational culture
0,25
Low
Sensitized about free wheeling capitalism
0
Irrelevant
Fee dependence on a client
1,00
Very Significant
3.
4.
5.
Loss of Earning 1.
Risk
2. Bargains of the auditors with the management
3. Non-concentration of earnings on doubtful
engagements
4. Contract of the auditors by the board of directors
5. Diversification of clients
0,75
0,50
Significant
Moderate
0,25
0
Low
Irrelevant
Source: Elaborated by Authors
Table 5 – Standard Circumstances of Risk Criteria rcji – Auditing Risk Group.
Risk Criteria
rcji
Inherent Risk
Standard Circumstances
1.
2.
3.
4.
5.
Value
Risk Attribute
Function v(rcji)
Doubtful management integrity
1,00
Very Significant
Nature of business entity & constant technological
0,75
Significant
renewal projects
Unusual pressures influencing on the management
0,50
Moderate
Management turnover rate
0,25
Low
Adjustable business plans to suite modifying social,
0
Irrelevant
economical and political scenarios
Implementation of ineffective management skills
1,00
Very Significant
Internal Control 1.
Risk
2. Lack of control consciousness
3. Unstructured conducive business and control
environment
4. Flexible punitive measures for transgression of
internal controls
5. Management up and doing to enhance compliance
Detection Risk
1. Concealment of imminent proofs of misstatement of
the financial statement
2. Obstacles that influences the nature timing and
extent of substantive procedures
3. Competences for Design & Implementation of
substantive and analytical procedures to track
unusual transactions
4. Review of audit methodologies by the firms to
mitigate this risk
5. Certification of a representation letter to guide
against faulty audit approaches
Source: Elaborated by Authors
0,75
0,50
Significant
Moderate
0,25
Low
0
1,00
Irrelevant
Very Significant
0,75
Significant
0,50
Moderate
0,25
Low
0
Irrelevant
17
4.4 Definition of risk levels of corporate auditing risk
The final result of equation (2) is a value stated between 0 and 1, whose risk levels, that
is, numerical intervals and risk attributes are shown in table 6 below.
Table 6 – Risk Attributes of Corporate Auditing Risk (car).
Risk Level
Irrelevant
Low
Moderate
Significant
Very Significant
Numeric Interval
0  car  0,25
0,25  car  0,50
0,50  car  0,75
0,75  car  1,00
car = 1,00
Source: Elaborated by Authors
Risk Attribute
A
B
C
D
E
4.4 Simulation and results
Apart from a broad literature review, we obtained audit manual sections and practice
aids pertaining to audit risk assessment from two of the Big four firms. After reviewing this
material, we conducted interviews with one of the national office partners each in charge of
audit engagements and this assured the representation of the big four group audit approaches.
To developing this study therefore, the following additional methodological steps were
stipulated to make the simulation:
a) Definition of relative importance of risk groups wj and risk criteria wji;
b) Definition of threshold of risk perception rp*;
c) Definition of value functions v(rcji);
d) Final evaluation and association with risk attributes scale.
Steps a e b were standardized to enhance the assessment of audit engagements. Thus,
standard information should be constantly reviewed because of the periodical mutation of
business environment, internal or external to the organization and value references of the
decision taker. And steps c should be developed for every specific audit engagement.
18
Upon application of the methodology, a group of audit partners were stimulated to fill
three judgment questionnaires, according to AHP method (see item 4.2), whose results are
Risk Group
relative importance ratio of the risk and criteria groups as presented in figures 2 and 4.
Audit Risk
0,167
Service Risk
0,833
-
0,200 0,400 0,600 0,800 1,000
Relative Importance Ratio (wj)
Figure 2 – Relative Importance Ratios of Risk Groups (wj).
Service Risk Group Risk Criteria
Source: Elaborated by Authors
Loss of Earning Risk
0,105
Moral Risk
0,258
Ethical Risk
0,637
-
0,200 0,400 0,600 0,800
Relative Importance Ratio (wji)
Figure 3 – Relative Importance Ratios of Criteria Risk of Service Risk Group (wji).
Source: Elaborated by Authors
Audit Risk Group Risk Criteria
19
Detection Risk
0,236
Internal Control Risk
0,082
Inherent Risk
0,682
-
0,200 0,400 0,600 0,800
Relative Importance Ratio (wji)
Figure 4 – Relative Importance Ratios of Criteria Risk of Audit Risk Group (wji).
Source: Elaborated by Authors
In sequence, the group defined as a threshold of risk perception for acceptance of audit
services, the following risk attribute:

Ethical Risk: Tolerable risk attribute = Moderate;

Moral Risk: Tolerable risk attribute = Low;

Loss of Earning Risk: Tolerable risk attribute = Low.
The global valuation of the tolerable circumstances of risk through the application of
equation (4), shows that the audit partners would only accept audit services with a low service
risk, this being a position taken on a conservative stand point (see figure 5).
Consequently, for this study, audit proposals that conjugates significant and very
significant ethical risk; moderate, significant and very significant moral risk; moderate,
significant and very significant loss of earning risks; would be automatically refused.
20
Figure 5 – Attribute of Service Risk and Threshold of Risk Perception.
Risk Criteria
Standard Circumstances
j
rc i
Ethical Risk
w i=
j
0,637
j
3
v i=
Moral Risk
w i=
j
0,258
j
4
v i=
Loss of
Earning Risk
j
0,105
w i=
j
4
v i=
j
w=
0,833
Risk Level
Irrelevant
Low
Moderate
Significant
Very
Significant
Value Function
Risk Attribute
j
1. Auditors involvement in statutory sanctions as a result
of decision-taking based on financial statement that is
misunderstanding to users
2. Securities & Exchange Commission canceling of
auditors licenses found dishonest
3. Perception of loss of professional independence
v(rc i )
1,00
Very Significant
0,75
Significant
0,50
Moderate
4. Thorough pre-engagement risk assessment
5. Non acceptance of engagements that could bring
negative publicity
1. Absolute perception of abuse of primitive local laws
0,25
0,00
Low
Irrelevant
1,00
Very Significant
2. Little or no concerns about the effects of free wheeling
capitalism
3. Lack of social responsibilities
0,75
Significant
0,50
Moderate
4.
5.
1.
Undefined organizational culture
Sensitized about free wheeling capitalism
Fee dependence on a client
0,25
0,00
1,00
Low
Irrelevant
Very Significant
2.
Bargains of the auditors with the management
0,75
Significant
0,50
Moderate
0,25
Low
3. Non-concentration of earnings on doubtful
engagements
4. Contract of the auditors by the board of directors
5.
Diversification of clients
Numeric Interval
0<= car <0,25
0,25<= car <0,50
0,50<= car <0,75
0,75<= car <1,00
car = 1,00
0,00
Irrelevant
Risk Attribute Value Function
0,00
A
0,25
B
0,50
C
0,75
D
E
1,00
Level of Service Risk (SR) =
0,409
Low
Source: Elaborated by Authors
Finally, we assessed audit proposals with the following attributes:

Ethical Risk: Risk attribute = Low;

Moral Risk: Risk attribute = Low;

Loss of Earning Risk: Risk attribute = Irrelevant.
The attributes of the service risk resulted into a classification of an irrelevant risk, which
signals the acceptance of the service (see figure 6).
21
Figure 6 – Attribute of Service Risk of Purpose.
Risk Criteria
Standard Circumstances
j
rc i
Ethical Risk
wji=
0,637
j
4
v i=
Moral Risk
w i=
j
0,258
vji=
4
Loss of
Earning Risk
j
0,105
w i=
j
5
v i=
j
0,833
w=
Value Function
Risk Attribute
j
1. Auditors involvement in statutory sanctions as a result
of decision-taking based on financial statement that is
misunderstanding to users
2. Securities & Exchange Commission canceling of
auditors licenses found dishonest
3. Perception of loss of professional independence
v(rc i )
1,00
Very Significant
0,75
Significant
0,50
Moderate
4. Thorough pre-engagement risk assessment
5. Non acceptance of engagements that could bring
negative publicity
1. Absolute perception of abuse of primitive local laws
0,25
0,00
Low
Irrelevant
1,00
Very Significant
2. Little or no concerns about the effects of free wheeling
capitalism
3. Lack of social responsibilities
0,75
Significant
0,50
Moderate
4.
5.
1.
Undefined organizational culture
Sensitized about free wheeling capitalism
Fee dependence on a client
0,25
0,00
1,00
Low
Irrelevant
Very Significant
2.
Bargains of the auditors with the management
0,75
Significant
0,50
Moderate
0,25
0,00
Low
Irrelevant
0,224
Irrelevant
3. Non-concentration of earnings on doubtful
engagements
4. Contract of the auditors by the board of directors
5. Diversification of clients
Level of Service Risk (SR) =
Source: Elaborated by Authors
Upon application (6), we verify that the level of irrelevant service risk motivates the
same level of audit (see figure 7), with the following attributes of risk criteria:

Inherent Risk: Risk attribute = Irrelevant;

Internal Control Risk: Risk attribute = Moderate;

Detection Risk: Risk attribute = Low.
The valuation of the corporate auditing risk through (2) corroborates previous results
while showing the same level of irrelevant risk.
22
Figure 7 – Attribute of Audit Risk and Corporate Audit Risk of Purpose.
Risk Criteria
j
w i=
j
v i=
j
w i=
j
v i=
rc j i
Inherent Risk
0,682
5
Internal
Control Risk
0,082
3
wji=
Detection
Risk
0,236
vji=
4
j
w=
0,167
Standard Circumstances
1. Doubtful management integrity
2. Nature of business entity & constant technological
renewal projects
3. Unusual pressures influencing on the management
Value Function
v(rc j i )
1,00
0,75
Risk Attribute
Very Significant
Significant
0,50
Moderate
4. Management turnover rate
5. Adjustable business plans to suite modifying
social, economical and political scenarios
1. Implementation of ineffective management skills
0,25
0,00
Low
Irrelevant
1,00
Very Significant
2.
0,75
Significant
0,50
Moderate
0,25
Low
0,00
1,00
Irrelevant
Very Significant
0,75
Significant
0,50
Moderate
0,25
Low
0,00
Irrelevant
0,100
0,203
Irrelevant
Irrelevant
Lack of control consciousness
3. Unstructured conducive business and control
environment
4. Flexible punitive measures for transgression of
internal controls
5. Management up and doing to enhance compliance
1. Concealment of imminent proofs of misstatement of
the financial statement
2. Obstacles that influences the nature timing and
extent of substantive procedures
3. Competences for Design & Implementation of
substantive and analytical procedures to track unusual
transactions
4. Review of audit methodologies by the firms to
mitigate this risk
5. Certification of a representation letter to guide
against faulty audit approaches
Level of Audit Risk (SR) =
Level of Corporate Audit Risk (CAR) =
Source: Elaborated by Authors
5. Conclusion
The current study analyzed the existing audit risk assessment models and proposes a
Corporate Global Auditing Risk Model using the Multi-Criteria Approach. The objective
envisaged among other things a reflection on the methods used by the engagement
management to assess risks and a confidence level the auditor would expect.
Thus, since the situations involved in corporate risk assessment pinpoints a major
characteristic of business structure that considers variables which are eminently qualitative
such types of subjective variables require specific treatments and the multicriteria methods of
decision analysis is the more appropriate approach
23
This approach is an initial treatment that is been given to a complex issue – corporate
auditing risks that is more analyzed in audit practices and little papers are presented
academically. Nevertheless, the study abridges the distance between practice and scientific
proofs.
We conclude therefore, that there are innumerous studies which could be developed
relating to this term, especially those which can use refined mathematical treatments for the
aggregation of linguistic variables by adopting tools such as fuzzy sets.
References
ABREMA – Activity Based Risk Evaluation Model of Auditing. Available on
<www.abrema.net/risk-concepts_s.html> accessed on Jan. 30 2004.
AICPA - American Institute of Certified Public Accountants. Professional Standards. SAS no.
47 section 312. New York: 1996.
ALBERTS, Christopher, DOROFEE, Audrey. OCTAVE threat profiles. Pittsburg: Carnegie
Mellon University – SEI/CMU. Available on: <http://www.cert.gov/octave/pubs.html>
accessed on Jan. 30 2004.
ALLEN, Craswell, STOKES, Donald, LAUGHTON, Janet. Auditor independence and fee
dependence. Journal of Accounting & Economics, V. 33, 2002, p. 253-275.
ASBAARF – Auditing Standards Board of the Australian Accounting Research Foundation.
Risk Assessments and Internal Controls. Available on
<http://www.ican.org.np/public_html/auditing/objectives_chap07.html> accessed on Feb. 02
2004.
COOPER, Jean C., SELTO, Frank H. Is risk preference induction a reliable method of
controlling risk preferences? Journal of Management Accounting Research, 10492127,
Fall93, Vol. 5, 1993.
24
DTTI – Deloitte Touche Tohmatsu International. The Audit Approach. Audit System/2. 1995,
p. 26.
GOMES, Luiz F. A. M., GOMES, Carlos F. S., ALMEIDA, Adiel T. Tomada de Decisão
Gerencial. São Paulo: Atlas, 2002.
IFAC - International Federation of Accountants. Professional Code of Ethics. São Paulo:
IBRACON, 1997.
IIA - The Institute of Internal Auditors. Altamont Springs Florida, 1992.
IMONIANA, Joshua Onome. Auditoria – Uma Abordagem Contemporânea. São Paulo:
Associação de Ensino de Itapetininga, 2001.
KPMG. Peat Marwick, Dreyfuss. Manual de Auditoria. São Paulo: KPMG, 2000.
LANE, Eric, VERDINI, William. A Consistency Test for AHP Decision Makers. Decision
Sciences, V. 20, 1989, p. 575-590.
NIST - National Institute of Standards and Technology. An introduction to computer security:
the nist handbook – special publication 800-12. Washington: NIST. Available on:http://cswww.ncst.gov/publications/nistpubs/800-12/ accessed on Jan 30 2004.
RICCHIUTE, David N. Auditing and Assurance Service. 5. ed. Cincinnati: Southwestern,
1998.
RITTENBERG, Larry E., SCHWIEGER, Bradley J. Auditing Concepts a Changing
Environment. 2. ed. Orlando: Dryden Press, 2001.
SAATY, Thomas L. Método de Análise Hierárquica. São Paulo: McGraw-Hill, 1991.
SAATY, Thomas L. How to Make a Decision: The Analytic Hierarchy Process. European
Journal of Operational Research, North Holland, V. 48, 1990, p. 9-26.
SHELTON, S. W., WHITTINGTON, O. R., LANDSITTEL, D. Auditing Firms’ Fraud Risk
Assessment Practices. American Accounting Association – Accounting Horizons: March,
2001.
25
SHIMIZU, Tamio. Decisão nas Organizações. São Paulo: Atlas, 2001.
UVIC - University of Victoria British Columbia, Internal Audit Framework. Available on
http://web.uvic.ca/inta/objectives/function.htm. Accessed on Feb. 12, 2004.