SUMMARY
Properly understanding the economic role of auditing standards is an important step toward improving both audit effectiveness and efficiency. In this essay, I observe that auditing standards are most important when an auditor may have an incentive to under-audit. While this conclusion may not come as a surprise, the conditions under which standards may, or may not, have a desirable effect on audit quality are less obvious. More specifically, I present a number of observations about what standards can do: Standards can (1) compensate for the lack of observability of the audit outcome by focusing on the audit process; (2) partially mitigate the information advantage possessed by the auditor as a professional expert that might motivate the auditor to under-audit; (3) counterbalance the diversity of demand across multiple stakeholders that might drive the audit to the lowest common denominator and create a market based on adverse selection; and (4) provide a benchmark that facilitates the calibration of an auditor's legal liability in the event of a substandard audit. However, I also present a number of observations about what standards should not try to do: Standards should not (1) discourage the use of judgment by auditors; (2) limit the potential demand for economically valuable alternative levels of assurance; (3) lead to excessive procedural routine or standardization in the conduct of the audit; and (4) be set based on an enforcement agenda. In the end, standards overreach may undermine the economic value of the audit to many stakeholders and lead to fee pressure for audit firms. Hopefully, these insights can inform future debates about the level and types of standards that are appropriate for the auditing profession.
DO AUDITING STANDARDS MATTER?
Generally accepted auditing standards, if they adequately fulfill their function, provide the practicing accountant … a means of evaluating … whether he is satisfying his professional responsibilities.
The auditing profession is awash in standards. Standards dictate how audit firms should structure their practice; how to hire, train, and reward their professional staff; what services to offer and clients to accept; how to conduct engagements; and how, and to whom, they are obligated to report. Various professional and regulatory bodies have established ethical standards, independence standards, quality control standards, and audit performance and reporting standards. Whether issued by the American Institute of CPAs (AICPA), the Public Company Accounting Oversight Board (PCAOB), the International Auditing and Assurance Standards Board (IAASB), or various national bodies, all standards have the effect of dictating, coordinating, and/or constraining professional auditors' activities and behavior. We generally presume that all of these standards improve the quality of financial reporting. While many will take this perspective as an article of faith, it is still worthwhile to ask: Do auditing standards matter? The purpose of this essay is to provide some insights into that question based on an interpretation of existing theoretical and empirical research in auditing.
In his seminal paper, Dye (1993) analyzes the effect of auditing standards on audit quality. His analysis shows that, when an auditor's personal “wealth,” which is at risk in the event of litigation, is known to potential litigants, auditors who intend to comply with standards prefer tougher (higher) standards.1 Willekens and Simunic (2007) extend Dye's work by considering the vagueness or ambiguity (i.e., flexibility) of standards. They show that vague standards can increase an auditor's effort up to a point, but that overly vague standards eventually will yield lower levels of auditor effort. Finally, Ye et al. (2009) observe that auditors prefer vague standards when the toughness of the standards is perceived by auditors as less than optimal. While these findings are of conceptual interest, the fundamental question remains: Do auditing standards matter? A related question also follows: Why do auditing standards matter?
ACCOUNTING STANDARDS VERSUS AUDITING STANDARDS
First, consider the potential differences between accounting and auditing and how those differences might influence the nature of standards. A critical distinction is that “accounting standards” define how to consistently measure and report an outcome across different companies, while “auditing standards” define a process to verify the outcome. This process may vary from audit to audit (Kanodia and Mukherji 1994; Causholli et al. 2013). Removing choice variation from the measurement and reporting of an outcome makes sense: two sets of similar facts should yield similar reported outcomes. However, the benefit of removing choice variation from a process is much less obvious: when auditing, there may be different ways to verify an outcome. Further, limits on a process may prevent innovation. Using mountain climbing as an analogy, outcome (accounting) standards indicate where the climbers wish to go (i.e., which mountain to climb), while process (auditing) standards pertain to the best way to get there (i.e., the path up the mountain). Different climbers may take different routes depending on their personal attitudes toward risk, their personal skills and experience, the technology and equipment they have available, and the time frame for completing the climb. Ultimately, the goal is the same—get to the top. Similarly, auditors differ in their attitudes toward audit risk, level of experience and expertise, audit methodologies, and deadline pressures. However, the goal is the same—get the “right” answer concerning reasonable assurance for the fair presentation of the financial report in accordance with applicable reporting standards.
At a minimum, auditing standards can serve the purpose of preventing auditors from taking a particularly dangerous path. Auditors, like mountain climbers, have no interest in falling off a cliff. An audit that has little chance of uncovering misstatements in the financial statements is undesirable. Consequently, to the extent to which auditing standards provide guidance on paths that are unlikely to achieve an auditor's goal, they can be useful to the profession. On the other hand, “one path fits all” would not be an appropriate rule to impose on expert mountain climbers and is probably no more appropriate for expert auditors. In the end, when the focus is on a process, getting to the appropriate destination is much more important than the route used to get there. Consequently, while restricting decision choice may be appropriate for accounting and reporting, it is less obviously a good thing for the audit process.2 Within the constraints of the process view of auditing, we now examine how standards might be beneficial for the auditing profession.
EFFORT VERSUS ASSURANCE
There has been a great deal of commentary and research on defining audit quality.3 A critical element of much of the theoretical work on auditing standards is the assumption that “audit quality” can be represented by a probabilistic outcome as embedded in the audit risk model (i.e., the likelihood that an auditor issues the correct audit opinion). In this essay, I equate audit quality to the level of residual risk that a material misstatement goes undetected or uncorrected after the conduct of an audit, which is consistent with the traditional view of audit quality that exists in the audit literature (e.g., DeAngelo 1981). However, with the introduction of PCAOB inspections in the U.S., the consideration of audit quality has shifted from a focus on whether an auditor has issued an appropriate audit opinion to a focus on whether the auditor has completed an “acceptable” audit process. The firms that audit public companies are routinely criticized by the PCAOB for “failures” (i.e., audit deficiencies) in their audit process or documentation even though they are rarely accused of outright errors (i.e., issuing an incorrect opinion on a materially misstated financial report).
Dye (1993) defines audit quality as the probability that an auditor identifies and reports correctly on a firm's investment activity when performance has been poor. This stylized approach is consistent with the classic DeAngelo (1981) definition of audit quality: “The market-assessed joint probability that a given auditor will both (1) discover a breach in the client's accounting system and (2) report the breach.” While this approach has some intuitive appeal, it suffers from at least two mundane limitations. First, the actual level of assurance on an audit engagement is not observable (Francis 2004; Barton 2005; Knechel et al. 2009). The probability that an auditor fails to discover an existing misstatement cannot be known to the client, public, or auditor either before or after the conduct of an audit.4 Second, these definitions are not consistent with the professional representation of audit risk because they imply that it is desirable to drive audit risk to zero. However, existing audit standards recognize that audit risk can never be zero, nor is it the expectation that audits should be planned with that objective in mind.5
A bigger issue arises when one realizes that the level of assurance (an outcome) is not the same as audit effort (a process). In general, auditing standards do not dictate the appropriate level of assurance for an audit (i.e., standards do not dictate that residual audit risk should be 5 percent or 1 percent).6 Further, the assurance or risk level is idiosyncratic to an engagement (i.e., every audit will be conducted to achieve a slightly different level of assurance, albeit generally “high”). What standards do dictate are some constraints on how to go about obtaining a given level of assurance. While treating effort and assurance as equivalent can be expedient for economic modeling, it creates gaps in our conceptual understanding of auditing. If we define α as the level of assurance obtained on an audit—implying that 1 − α is the residual probability that a material misstatement is undetected by the auditor—then we can also consider α (or 1 − α) to be the unobservable outcome of the audit. As noted above, auditing standards define process rather than outcome. Consequently, we need a separate construct to reflect the audit process in order to discuss the role of standards.
A commonly used measure of the audit process is audit effort, so I denote Q as the auditor's effort on an engagement (typically measured in hours). Q is a direct function of the audit process and reflects the amount of work that an auditor has performed (e.g., procedures, testing, and evidence obtained).7 As noted, effort (Q) is not the same as assurance (α).8 However, the link between Q and α is important if one wishes to examine why standards matter. While it is reasonable to presume that α increases with more work (higher levels of Q), the nature of that relationship is unobservable. Further, as the “expert” in the audit process, the auditor may have an informational advantage in understanding this link, making it difficult for clients to question whether the audit is being conducted appropriately. In the end, the client can partially observe Q, either through direct observation of the audit team, or as a result of audit firm billings, but the client cannot know how effort links to the outcome of the audit (α).
SOME NECESSARY CONDITIONS FOR STANDARDS
There are at least three necessary conditions for auditing standards to be relevant to the actual conduct of an audit. First, it is critical to keep in mind that α is unobservable in discussing the role of auditing standards. In an economic sense, this observation precludes the client and auditor from simply contracting on α as if it is some kind of casino game where everyone knows the risk they are facing. If α were observable, the client could simply purchase the desired level of assurance (which is not strictly defined under the standards), bypassing the actual level of effort to be exerted (which is linked to standards).9
A second observation is that any penalty function imposed on the auditor for “poor” professional work must have a significant element of uncertainty. Typically, we think of litigation risk when we consider the loss that an auditor might incur for completing an audit that may be deemed to be substandard if prosecuted in a court of law, although regulatory penalties (e.g., fines, practice restrictions) also are relevant. In law, a liability regime can range from strict to non-existent. Regulations (standards) without enforcement (no penalties) have little chance to influence auditor behavior, so standards may not be relevant under an extremely lenient legal regime. More interestingly, standards also may be irrelevant at the opposite extreme. Consider a strict liability regime where the auditor would be held liable if the outcome of an audit was ex post determined to be incorrect.10 This assessment would focus strictly on the underlying true state of the financial statements (materially misstated or not), determined after the conduct of an audit, and would not be conditional on either Q (because effort would be irrelevant) or α (because the ex ante assessment would be superseded by the actual outcome). Consequently, standards would be irrelevant because Q would not affect an auditor's loss under a strict liability regime. Therefore, standards only matter under a negligence-based (uncertain) regime because an auditor's liability could then be based on the conduct of the audit compared to professional standards.11
A third condition is that the relationship between Q and α must be unknowable and uncertain to the client. If this is not the case, then the auditor and client can simply contract on Q as a substitute for the desired level of α. Whether the level of audit effort implied by the audit contract complies with auditing standards then depends on the level of assurance that the client has demanded and the effort level needed to provide that assurance. One implication of not having this condition is that clients might contract for less effort than the standards would require in order to obtain a lower level of assurance than that implied by the standards.12 On the other hand, inspections that focus solely on Q may actually lead to unacceptable levels of α as auditors naturally respond to the pressing incentives imposed by process-oriented inspections that focus on effort, which is disconnected from the achieved outcome of the process.
THE ROLE OF DEMAND FOR ASSURANCE
An implicit assumption in many audit research papers is that auditors perform a standards-compliant audit, and the level of audit quality is reflected in the identity of the audit firm (Simunic 1980). This perspective suggests that the level of auditor effort that produces an audit that complies with standards can be determined with relative certainty by the auditor ex ante, and by others ex post. It also implicitly assumes a specific level of assurance (α) that cannot be observed. This view effectively treats the audit process as an experience good in economic theory (Klein and Leffler 1981). I will refer to the effort level that produces a standards-compliant audit as Q*.13 If all clients are assumed to purchase a standards-compliant audit, then the role of demand in the market for audit services is minimized because demand is conditional on Q* and a client either purchases that level of audit, or none.14 Is this realistic? An extension of the previous discussion of effort and assurance would highlight that demand is a function of α, even though it is unobservable. That is, clients may be willing to pay more for the perception of assurance that is potentially higher than the defined level of Q*.15 For example, in an environment in which the audit committee controls the contract with the auditor, the committee may be willing to acquire higher levels of assurance in order to protect their personal reputations from being besmirched by accounting fraud (Knechel et al. 2008). Given that the audit fee is paid by the company itself (i.e., its shareholders), the extra cost of higher assurance will not be proportionally borne by the individual members of the audit committee, which could lead to an escalating demand for assurance on the part of the audit committee (Knechel and Willekens 2006; Hay et al. 2008).16
In most settings, multiple stakeholders are interested in the audit's outcome. Management, shareholders, board members, bankers, suppliers, customers, and employees all have their own interest in the auditor's report. In this diverse environment, the nature of audit demand may be fluid, shifting with the influence of different stakeholders. Who hires the auditor? Who pays the auditor? Who determines audit scope?17 What is the audit committee's role? Depending on the bargaining rights of the various stakeholders, an auditor may be faced with conflicting demands. An audit may assist a supplier or employee who obtains some assurance concerning information on which they rely to evaluate whether the company will be able to pay its bills, but shareholders and lenders may perceive a high level of assurance as indispensible for making investment decisions.18 Depending on how the audit is negotiated, and by whom, the resulting level of audit effort may not efficiently balance competing interests. Auditing standards may help avoid too little auditing, which may expose some stakeholders to a level of risk (1 − α) greater than they would choose, while other stakeholders may bear the cost of excess auditing.
When considering demand, there are potentially two boundary conditions relevant to determining α (and Q) for a specific engagement. At the upper limit is the intrinsic value of the audit to the client (e.g., V). The value of V is conditional on the effort expended by the auditor and the unobserved level of assurance achieved.19 The maximum value that a client receives from the audit relates to the extent to which financial reporting risks are reduced, and the resulting reductions in the cost of capital, and the value of permissions to float capital in a public market. In general, V implies the existence of an upper bound on Q and α. More importantly, in a high demand environment, audit standards may have limited relevance to the audit contract because the effort level implied by V could exceed the effort level implied by the standards.20
At the other extreme is the auditor's minimum acceptable fee.21 This fee would reflect the minimum level of effort (call it Q′) that an auditor is willing to expend given the target level of assurance (α), the liability regime, and the cost of an auditor's effort level. However, the auditor's minimum fee could be a function of Q*, so a number of possibilities can arise:
Case 1—An auditor's perception of minimum effort equals the effort required for compliance.22 This situation may occur if the penalty for not providing a standards-compliant audit is severe enough that Q* becomes a de facto minimum level of effort. This is generally assumed to be the case in the U.S. litigation system, but may be less true in countries with low investor protection regimes.
Case 2—The compliance effort is below what an auditor considers to be a minimally acceptable effort level.23 In this case, standards may not matter because they define a level of audit effort below the minimum that an auditor is willing to provide, possibly because of reputational concerns. Many commentators in the past (i.e., pre-PCAOB) have argued that audit practices at the large international firms generally exceeded (and led) standard setting. In general, an auditor may not participate in a market in which potential clients are only willing to pay for a standards-compliant audit that has less quality than what the auditor believes is acceptable.24
Case 3—The compliance effort is above what an auditor considers to be a minimally acceptable level of effort.25 This case is potentially the most interesting because it suggests that an auditor may be willing to offer a less than standards-compliant level of effort if demanded by the client.
What the auditor might do in Case 3 depends on the intrinsic value of the audit and the penalty function imposed on the auditor. If the value of a less-than-compliant audit exceeds a compliant audit, the auditor can decide to either offer a standards-compliant audit (Q*), with a commensurate higher fee, or to conduct an audit that is not standards-compliant (Q < Q*).26 A major reason that standards exist is to avoid the latter case by driving non-compliant audits from the audit market. More intriguing is the possibility that Case 3 results in a level of audit effort that is not necessarily desired by either the client or the auditor (i.e., referred to as allocative inefficiency in economics). In such a situation, the client would then have to choose between (1) obtaining more assurance than is economically justified, or (2) contracting for an alternative type of engagement (e.g., a review or agreed-upon procedures engagement).
Two illustrations of potential inefficiencies come to mind in unregulated assurance markets. In the 1990s, the audit profession developed an assurance service called WebTrust to verify that online retailers were legitimate and followed certain desirable business practices (e.g., protection of customer information and privacy). The logic for the service was that internet retailing could be risky to consumers, and websites would like to assure their potential customers that it was safe to deal with their website. The service designed by the AICPA and CICA was relatively expensive and needed to be renewed quarterly. Very few electronic retailers purchased the service, and customers and websites came to rely on less costly web certifications (e.g., Better Business Bureau, TRUSTe, VeriSign) and the protection built into most credit cards (e.g., fraud limits). In this case, the level of audit effort built into a WebTrust engagement greatly exceeded the intrinsic value of the service to potential clients, with many turning to less expensive competitors that could provide lower levels of assurance than an auditor was allowed to offer.27
Another example of potential inefficiency might be the initial implementation of Section 404 of the Sarbanes-Oxley Act of 2002 (SOX), which required an auditor to examine a client's system of internal control over financial reporting in accordance with PCAOB standards. SEC registrants in the U.S. had no alternative but to purchase a compliant audit of internal control, so, they were forced to acquire the high level of assurance incorporated into Auditing Standard No. 2 (PCAOB 2004), and the somewhat lower level implied by Auditing Standard No. 5 (PCAOB 2007). While the net costs and benefits of the control reporting requirements have been debated, there is a general attitude that the requirements were very costly, at least as they were initially implemented by most auditors. One frequently voiced concern is that auditors interpreted the requirements as dictating a level of effort (Q*) that is much higher than was intended (Levine 2009).28 Other countries (e.g., The Netherlands) have adopted less stringent requirements, which presumably better match the perceived intrinsic value of limited assurance.29 This example highlights the intriguing possibility that, under the right conditions, an auditor may have an incentive to consistently impose a level of assurance on a client that is not economically justified.
INFORMATION ASYMMETRY, AUDIT EFFORT, AND COMPLIANCE WITH AUDITING STANDARDS
Having argued how the effort level implied by a standards-compliant (Q*) audit could affect audit demand, another question arises as to potential information asymmetry concerning Q*. If a client is in the position to determine the level of Q*, the role of the auditor, as a professional expert, potentially is diminished. In this case, the client can simply dictate an effort level of Q*.30 For the auditor to have control over determining the amount of effort needed in an engagement, the level of effort to be standards compliant must be uncertain to the client. That is, the auditor, as a professional expert, diagnoses the amount of audit effort needed in an engagement (Q or Q*, conditional on an implicit level of assurance) and also conducts the audit by providing that level of effort. This creates information asymmetry between the auditor and the client that can significantly influence the behavior of the auditor.
The circumstances described in the prior paragraph parallel that of a “credence good” as defined in economic theory (Dulleck and Kerschbamer 2006). A credence good (service) exhibits three important attributes: (1) the seller of the service is the person best positioned to recommend the extent of service needed, (2) the client has limited ability to assess how much of the service that is needed, and (3) the outcome of the service is either unobservable or can only be observed at significant cost.31 An audit would seem to fit these conditions (Causholli and Knechel 2012; Causholli et al. 2013): the outcome of the audit, in terms of residual risk, is unobservable (as discussed earlier) and the auditor has the professional expertise required to assess an individual client's risk and “recommend” the amount of audit effort (Q) that is needed.
As a result of this informational advantage, an auditor may have an incentive to act strategically to his/her own advantage and at a potential cost to the client. Specifically, an auditor may find it profitable in some (but not all) cases to:
Under-audit: Provide less audit effort than the client needs (Causholli et al. 2013).
Over-audit: Provide more audit effort than the client needs (Causholli 2009).
Overcharge: Bill for audit effort not actually performed.32
Ultimately, only the auditor can determine how many hours of work actually are needed for an engagement to satisfy professional standards (Q*) and achieve the appropriate level of assurance (α) given client conditions. Consequently, all of the above strategies could, in theory, occur in an audit setting. Of course, whether auditors are likely to behave in any of these manners depends on their judgment, attitudes as professionals, and personal sense of ethical conduct. There also are many compensating conditions that reduce the potential for strategic behavior by auditors, including a client's self-knowledge of their audit needs (e.g., knowledgeable management, audit committees, internal auditors, accounting staff with audit experience), ex post evaluations (e.g., peer review, PCAOB inspections), or threatened penalties (e.g., litigation). While these mechanisms can be effective, they are costly, satisfying the third condition of a credence good noted above.
Calfee and Craswell (1984) find that the application of standards can provide professionals with incentives to either over-comply or under-comply. Further, an auditor's behavior will be idiosyncratic to a specific client. An auditor might find it beneficial to over-audit when a client is complacent about their audit fees (Bedard and Johnstone 2010), while under-auditing another client that is more aggressive about keeping audit fees down (Houston 1999). On the other hand, given that standards apply to all clients, they are a blunt mechanism for coping with auditor behavior that is essentially idiosyncratic to a specific client. In fact, this may create a conundrum for standard setters: The more they try to regulate auditor behavior through standard setting, the more complex the audit becomes, expanding the potential information asymmetry between the auditor and a client, thereby increasing the potential for auditors to behave strategically. To avoid this, standards setters may be motivated to issue more and more detailed and specific standards, leading to the related debate concerning rules versus principles.
AN ECONOMIC ROLE FOR STANDARDS
The extensive discussion leading up to this point of the essay has laid out a number of economic conditions that help justify the existence of auditing standards. At a minimum, these conditions include (1) an unobservable outcome of the audit process (achieved level of assurance), (2) uncertainty surrounding penalties for inappropriate audit work (a negligence regime in law), (3) a fuzzy relationship between audit effort and assurance that is unknown to the client (credence good), and (4) an information advantage to the auditor (incentives). Taken together, these conditions may yield circumstances in which auditors are motivated to act strategically in their own self-interest. In this context, standards can play an important role within the auditing profession.
Leaving aside the issue of fees, the implications for standards are different for idiosyncratic over- or under-auditing.33 Let us first consider the case of over-auditing. There are two conflicting reasons why an auditor's effort might exceed the standards-compliant level (i.e., Q > Q*). First, the client may wish to obtain a higher level of assurance than is implied by standards. In this case, the extra effort expended by the auditor is freely negotiated and, presumably, represents economic value to the client because it also brings a higher level of assurance. Standards should not be a barrier to such an arrangement. On the other hand, apparent over-auditing may arise because an auditor is taking advantage of information asymmetry in the audit process to work (and bill) more hours than are strictly needed. While this situation may result in an incrementally higher level of assurance, the client would not consider the added benefit to be worth the added cost.34 Standards may not be an efficient way to address this potential market imperfection because the auditor's behavior is idiosyncratic to some clients but not others.35 In such cases, it may be more efficient for the client to become better informed about its own assurance needs if it suspects that its auditor is over-auditing. Further, mechanisms exist to partially rectify the information asymmetry between the client and the auditor. For example, internal accounting staff or audit committee members may have worked for the auditor in the past and be familiar with the firm's methodology. Also, repeat audits may provide the client with a great deal of insight into the auditor's processes.36
We now turn our attention to under-auditing, possibly the strongest raison d'être for standards. At a minimum, standards signal that it is inappropriate for an auditor to intentionally under-audit, no matter what the incentives may be. Also, consistent with Mautz (1961), standards provide a partial roadmap for a better audit. In this context, standards provide a complement to auditor education, training, and process improvement. Standards also provide a somewhat fuzzy legal benchmark for what constitutes under-auditing. To the extent to which an auditor fails to comply with auditing standards, he/she may be held liable, after the fact, for any perceived “gap” between actual audit effort and the effort level that would be required to comply with auditing standards (i.e., Q < Q*). Further, the magnitude of any potential auditor liability can be conditional on the size of the performance gap. Thus, conditional on the legal regime, standards can influence the likelihood and extent of under-auditing by providing a basis for auditor liability that is an increasing function of the extent to which Q falls short of Q*.
TWO AUDITS OR NOT TWO AUDITS?
Since the establishment of the PCAOB in 2002, a common notion has developed that the audits of U.S. publicly listed clients are significantly different from other audits; that is, there are now two audit markets in the U.S. Whether this view is valid, depends on how you look at an audit. There are at least two ways to look at this question: (1) through the lens of standards, or (2) through the lens of subject matter. Obviously, the standards applicable to the audits of public registrants are different in some ways from the standards applied to private entities, as evidenced by their authoritative source. Nevertheless, there is no inherent reason why a private sector audit could not use PCAOB standards, nor is there any reason that a public company audit could not comply with both PCAOB and private sector standards (assuming that they were not inherently contradictory). Thus, it is not clear that different standards cause a bifurcation in the audit market. However, what is much clearer is that the subject matter of a PCAOB audit is different from that of other engagements because an auditor is required to provide an opinion on internal control over financial reporting for many registrants. This alone makes a PCAOB audit different. As a result of these two conditions, the effort (and testing) threshold for a standards-compliant audit is likely to be different for the two types of engagements. With the imposition of fee disclosures and inspections, it also is likely that the nature of audits in a market equilibrium will be different for the two markets. Thus, one might expect that audits of public entities will “look” different from audits of private entities.
However, there also are a number of ways in which all audits are similar. All audits follow a basic process of risk assessment, testing, and conclusion that is based on professional judgment. Imposed standards will influence that process, but the idiosyncratic nature of the client will potentially have more effect on the conduct of an individual audit. A private company that enters into complex derivative contracts, or has significant Level 3 assets subject to valuation concerns, involves much the same risks, control concerns, and need for audit procedures as a client that is publicly listed. In short, the audit process used by an auditor is conditional on the unique aspects of the client, as well as the regulatory and standard-setting structure imposed for different types of clients. In a sense, an audit is a singular but flexible service. It is molded to fit the circumstances of the client subject to the constraints of regulation and standards. A question that the profession and standard setters must wrestle with continually is, which aspect is dominant—satisfying the demand for an economically valuable audit that reduces stakeholder information risks, or compliance with a set of standards imposed to assure that all audits meet a minimum level of quality. Ideally, these two conditions occur simultaneously, but it is also possible that an inefficient level of standards may undermine the actual achieved quality of some audits.
STANDARDS OR STANDARDIZATION?
Whether it likes it or not, the auditing profession is more highly regulated than at any time in its history. Standard setting is just one form of external control exerted over audit professionals. This essay started with a quote from Mautz (1961), which suggested that a primary benefit of standards is that they provide a benchmark against which an audit can be evaluated. This view is consistent with the arguments in this essay in that standards can provide a partial constraint on strategic (or negligent) behavior by an auditor. In the current financial reporting environment, setting new standards is an automatic reaction to most perceived problems with audit quality. Problems need solutions, and new standards are a straightforward and visible reaction to a problem. Thus, the profession sees a continually escalating set of more and more detailed standards (i.e., rules). When standard setting is combined with ex post inspection that uses the standards as a de facto “rules checklist” for evaluating the quality of an audit, standardization becomes a natural outgrowth. The PCAOB has acknowledged that enforcement concerns can influence the setting of its standards so as to make inspection easier (Cullinan et al. 2013). However, it is not clear that standardization is fully compatible with the exercise of professional judgment and skepticism needed to conduct high quality audits in a very complex and rapidly evolving business environment.
With this ever-increasing burden, it is important to think about the unintended challenges that are created for the profession. Therein lies one of the greatest potential risks of standards—excessive standards are likely to breed standardization in the audit process. However, the audit process needs to be responsive to the idiosyncratic needs of individual clients. While standards do not automatically reduce this responsiveness, standardization of processes may inhibit auditor judgment and innovation in ways that lead to a one-size-fits-all approach to the audit. Further, standardization may start a self-fulfilling cycle in which some standardization leads to more auditor focus on compliance, and auditor judgment begins to atrophy. We saw a similar phenomenon with the introduction of “structure” to the audit process in the 1980s leading, at the time, to a running debate between the so-called “quantos” and “judgos” (Dirsmith and McAllister 1982; Sullivan 1984; Knechel 2007). Often at the core of such a debate is the idea that “structure” (standardization) will become both desirable and defensible for an audit firm, a bulwark against the challenges of relying on professional judgment in a complex and changing environment. Often lost in such debates is the notion of how audits create value for the ultimate financial statement users. Standardization may build a sense of confidence in the audit process, but does it actually build a better audit?
SUMMARY AND CONCLUSION
The discussion in this essay has arrived at the conclusion that auditing standards are most important when an auditor may have an incentive to under-audit. This conclusion may not come as a surprise. However, along the way, I also have generated a number of observations about what standards can do: Standards can (1) compensate for the lack of observability of the audit outcome by focusing on the audit process; (2) partially mitigate the information advantage possessed by the auditor as a professional expert that might motivate the auditor to under-audit; (3) counterbalance the diversity of demand across multiple stakeholders that might drive the audit to the lowest common denominator and create a market based on adverse selection; and (4) provide a benchmark that facilitates the calibration of an auditor's legal liability in the event of a substandard audit. However, there also are some things that standards should not do: Standards should not (1) discourage the use of judgment by auditors; (2) limit the potential demand for alternative levels of assurance; (3) lead to excessive procedural routine or standardization in the conduct of the audit; or (4) be set based on an enforcement agenda. In the end, standards overreach may undermine the economic value of the audit to many stakeholders and lead to fee pressure for audit firms.
In an ideal world, clients would demand, and auditors would supply, whatever level of assurance was most appropriate for a client's circumstances. In a world in which the intrinsic value of the audit is increasing, clients would be willing to pay fees commensurate with an audit's intrinsic value, and actual audit effort could outpace audit standards in most engagements. On the other hand, if market participants perceive that the value of the audit is dwindling because the risks of the world are becoming too complex for auditors to handle, audits are excessively standardized, or audit professionals do not innovate their core service, standards provide a mechanism to push the profession as a whole to keep pace with environmental forces. For example, the profession recently has been developing standards for the audits of environmental information (Auditing and Attestation Statement of Position 13-1, Attest Engagements on Greenhouse Gas Emissions Information, AICPA 20013) and XBRL reporting in financial statements (Statement of Position 09-1, Performing Agreed-Upon Procedures Engagements That Address the Completeness, Accuracy, or Consistency of XBRL-Tagged Data, AICPA 2009). In the end, subject to some important caveats and limitations, the role of standards is important for keeping the profession relevant, responsive to stakeholder needs, and moving forward the overall quality of the audit process.
REFERENCES
In some countries other than the U.S., partners are required to publicly disclose information about their personal wealth and financial position. For an example involving Sweden, see Knechel et al. (2013b).
In this essay, I focus on standards related to conducting the audit and reporting the results. Broader standards related to professional conduct, independence, and quality control, while relevant to the auditor's behavior, are less important for this essay's thesis. Standards that govern entering the profession (examination and licensing laws) or restrict client acceptance (independence rules) may be more akin to accounting standards in that they define an outcome (who can perform an audit and under what circumstances) rather than a process. Further, this essay is silent on how standards should be written, i.e., the ongoing debate about rules- versus principles-based standards.
See Knechel et al. (2013a) and Francis (2011) for overviews of the audit-quality literature.
Some argue that the quality of an audit can be known after the audit is completed, especially in the case of an audit failure. If the quality of the audit is reflected by the specified probability described in the text, then the observation of an audit failure does not necessarily reveal what the actual chance of such an occurrence would have been, conditional on the audit process, i.e., was reasonable assurance obtained at the time of the audit. An audit failure might indicate that the achieved risk of the audit was less than desired, or could simply indicate that the underlying state of the client was a random draw from the extreme (and unfortunate) tail of the distribution of possible audit outcomes.
A riskless audit is not possible for many reasons, but two important issues relate to the valuation and completeness assertions of the financial statements. Valuation often depends on predictions of the future which, by definition, cannot be known and are subject to potentially large error. Completeness can never be fully tested because it involves a search for the unknown. Add the inherent limitations of sample-based audit methods and it should be clear that zero audit risk is neither feasible nor economically desirable.
The desired assurance/residual risk of an audit may reflect the joint effect of a complex set of factors, including the auditor's appetite toward risk and the client's demand for assurance. More will be mentioned on the latter point later in this essay.
Q also reflects the effort levels of different members of the audit team, categorized by rank or experience (e.g., partners, managers, senior, staff).
Assurance (α) is the complement of residual risk (1 − α). The difference between assurance and effort may partially explain the adverse findings in PCAOB inspections (Q). Different levels of α are likely to imply different audit approaches and effort levels. If inspectors and auditors have different views as to what level of assurance (α) is appropriate for a client, then an inspector is more likely to determine that an audit is inadequate. However, that finding is not necessarily because the auditor failed to comply with standards but, rather, because the auditor did not comply with standards conditional on the inspector's view of α.
This observation assumes that the “client” executing the contract is the shareholder or other primary user of the audited financial report (i.e., the client is not management). Otherwise, it would be debatable whether the appropriate level of assurance was actually being demanded because management and shareholders may have different attitudes about how much auditing is “enough.” Emphasis on the role of the audit committee in selecting and managing the auditor, at least for public registrants, has made this assumption more robust since the passage of SOX.
In theory, although litigation risk for auditors is highest in the U.S. (Wingate 1997), the U.S. does not have strict liability. In most cases, some standard of negligence or gross negligence applies in cases against auditors. One exception that comes closest to strict liability involves cases brought under the SEC Act of 1933 for new security issues. However, even in those cases a negligence standard applies.
Consistent with this view, Willekens et al. (1996) argue that auditing standards are most important when legal standards are unclear. Schwartz (1998) also shows that auditing standards are only credible under a negligence standard of law where a standard of due care is vague.
This possibility is discussed in more detail below as we turn our attention to the role of demand in audit contracting. The issue of exerting less audit effort than required by standards is the crux of many of the concerns expressed about audit quality. The determination of a standards-compliant audit can be extremely complex because the standards require that audit effort be conditional on the riskiness of the client, including the quality of internal control. However, as noted above, effort also is conditional on the desired assurance level, something that is not explicitly defined by the standards. The audit is simply one mechanism for managing risk, and the extent of risk reduction derived from the audit reflects a complex calculus that balances different control mechanisms such as process controls, entity controls, internal auditing, corporate governance, regulatory oversight, and external auditing.
The use of Q and Q* to reflect levels of auditor effort greatly simplifies what is a very complex production function involving auditor decisions about staffing, timing, procedures, use of specialists, and other decisions made during the planning and conduct of the audit. However, for the purposes of this essay, all that is needed is to understand that higher levels of effort (Q) may result in higher levels of assurance (α).
This assumption is embedded in analytical research (e.g., Dye 1993) and is made much more explicitly in research on audit fees, which assumes a competitive market for audit services in order to justify using a production model to estimate the fee level for a client (Simunic 1980). The assumption of a competitive market removes demand from the market dynamic (Hay et al. 2006).
Note that, at this point I am abstracting from potential value that may arise from an audit in ways indirectly related to the overall assurance level (e.g., evaluation of internal systems or operating advice offered in a management letter).
Recent evidence of fee pressure being exerted by audit committees would seem to contradict this observation. Members of audit committees must balance their personal reputation against the desirability of retaining a lucrative board position. If pressured to reduce audit costs by management, an audit committee may try to reduce audit costs so as to maintain their position on the board as balanced against the small chance that they could get caught up in an accounting scandal.
The scope question might seem trivial because it is the auditor's responsibility to plan the engagement. However, there are conditions under which audit scope might be questioned by the audit committee or even management. For example, the European Union has proposed mandatory joint audits in their recent Green Paper (European Commission 2010). However, evidence from at least one country that had a joint audit requirement (Denmark) indicates that the two auditors are often engaged at different times, which means that management may be putting different parts of the audit out for tender each time, resulting in a de facto scoping decision (Holm and Thinggaard 2010).
While an auditor does not attest to a client's survival, reliable profit and accounting information assists a lender or supplier to assess the likelihood of a going concern problem in the future, regardless of whether an auditor issues a modified going concern audit report.
This can be represented in mathematical notation as V(α|Q).
That is, if V(α|Q*) < V(α|Q), then it follows that Q > Q*.
This is referred to as the “reservation wage” in economic contracting models.
Or, Q* = Q′.
Or, Q* < Q′.
This situation raises the intriguing possibility that adverse selection could drive the audit market. That is, only low-quality firms will be willing to contract to provide a standards-compliant audit, while high-quality firms will withdraw from the market because they cannot charge a fee commensurate with their perception of the minimum effort needed for an engagement. This result could occur if the standards are actually set at a low level and clients are only willing to contract for what is represented to be a standards-compliant audit. This market would probably be characterized by apparent lowballing. This condition could also reflect a market in which there are no, or few, returns to reputation, such that there is no incentive for a firm to build and maintain a brand name (see Klein and Leffler [1981] and Mayhew [2001] for more on investments in auditor reputation).
Or, Q* > Q′.
That is, V(α|Q < Q*) > V(α|Q = Q*).
To say that very few websites purchased WebTrust would only hint at the full extent of the failure to penetrate the market. Two years after its introduction, WebTrust seals appeared on about 20 websites, compared to over 2,700 websites displaying the less extensive Better Business Bureau (BBB) Online Reliability certification (New York Society of CPAs 1999). However, it also is interesting to note that a related service, SysTrust, which addressed issues related to business-to-business (B2B) electronic commerce, was much more successful. One possible explanation is that the magnitude of B2B transactions, and the associated risk, justified the cost of those engagements in ways that did not materialize in business-to-consumer markets in which individual transactions are relatively small, albeit numerous.
Whether or not this perspective is valid, there clearly is anecdotal evidence that the fees associated with providing an opinion on the quality of a client's internal control system have been high (U.S. Chamber of Commerce 2006; Nazareth 2007).
The Dutch corporate governance code (Tabaksblat, effective 2004) requires that the management board declare in the annual report that the internal risk management and control systems are adequate and effective, and it shall provide clear substantiation of this. The Dutch corporate governance code is based on the “comply-or-explain” principle, so company management either has to comply with the regulations or explain why they do not comply. In practice, the non-compliance rate has ranged from 18 percent in 2004 to around 50 percent in 2009 (Van de Poel and Vanstraelen 2010).
Ironically, inspections that focus primarily on determining auditor effort (Q*) may have the same effect, removing demand from the relationship between an auditor and a client. One obvious and potential outcome of such a focus is that the audit becomes a compliance-driven exercise with minimal economic value beyond its “licensing” value to a client. Such a development would likely lead to extreme fee pressure on auditors as they shift from a value view of the audit to a compliance view.
The classic example of a credence good (service) is a car repair. Few people can diagnose what is wrong with their car when it begins to “behave” abnormally. Most car owners simply take the vehicle to a mechanic and ask him to deal with the problem. In the vast majority of cases, the car owner simply takes the recommendation of the mechanic at face value and approves the repairs. Typically, there is no attempt to verify the accuracy of either the mechanic's recommendations or the actual repairs performed. Wolinsky (1993) reports a Department of Transportation study that found that 53 percent of auto repairs were unnecessary.
This category of behavior captures a specific form of strategic behavior by an auditor. It does not reflect increased fees associated with increased value delivered via the audit process (e.g., via control testing or advice). Further, auditors often are confronted with situations in which they feel forced to undercharge for services because of competitive pressures. This is often reflected in reduced realization rates (Dopuch et al. 2003). Nevertheless, certain audit-quality threatening behaviors documented in the research literature, such as premature signoff of audit procedures (Margheim and Pany 1986) or failure to perform required audit procedures (Otley and Pierce 1996), may be manifestations of overcharging if the audit fee is conditioned on the completion of such work.
Overcharging by billing for hours not expended likely is a violation of professional ethics and may be better addressed through the Code of Professional Conduct.
This is part of the justification used to increase competition in the profession by removing restrictions on advertising and solicitation by accounting firms (Imhoff 2003; Hay and Knechel 2010).
An interesting irony, given the thesis of this essay, was the PCAOB's attempt to assess audit efficiency as part of its audit inspection process: “In 2006, the Board will focus its inspections of ICFR on whether firms efficiently achieved the objectives of an ICFR audit” (PCAOB 2006). It seems odd that a regulator charged with protecting the market against poor (substandard) audits and unreliable financial reports would be concerned about whether an auditor is doing too much testing. On the other hand, it is not clear that the PCAOB ever did assess audit efficiency so the publicity about its effort may have been directed at parties other than the audit firms.
Of course, there also is a cost to becoming better informed, so a client actually may be willing to accept some over-auditing as a cost-effective solution. Causholli (2009) finds that the economic rent that accrues to an auditor for over-auditing does not occur in the early years of an audit, possibly because the auditor is still learning about the client's risks and systems and may have lowballed the initial fee. Over-auditing appears to be highest in the fourth, fifth, and sixth years, but then decreases as the client becomes more familiar with the auditor's methods.
