A New Approach to Evaluate Audit Risk Model by Fuzzy Expert Systems - Evidences from Iran

A New Approach to Evaluate Audit Risk Model by Fuzzy Expert Systems - Evidences from Iran Dr. Zohreh Hajiha Department of Accounting Islamic Azad University Science and Research Branch Tehran Iran Tel: +989121396870 Fax: 0098 021 44817170 Email: Z_hajiha@yahoo.com Dr. Fraydoon Rahnama Roodposhti Associate Professor of Accounting Faculty of Economics and Management Islamic Azad University Science and Research Branch Tehran Iran Email: Rahnama@iau.ir Dr. Saeed Askary** Assistant Professor of Accounting College of Business Administration Abu Dhabi University Abu Dhabi United Arab Emirates Tel: +971 2 5015746 Fax: +971 2 5860184 Email: saeed.askary@adu.ac.ae **Corresponding Author 1

Abstract The main aim of Risk Based Audit is to correctly assess auditee risks. Performing this assessment by auditor can directly influence on effectiveness of audit. The assessment process of risks as a basic framework can improve total quality and effectiveness of audit which results in decreasing the risk of audit failure. Therefore, this research within framework of fuzzy theory, deals with redesigning Audit Risk Model suggested by auditing standards by using audit experts' opinion. In applying fuzzy logic, we used from triangular membership functions and in order for de-fuzzying we employed Center of Gravity method. In order for fuzzy inference we used from Mamdami method. Modeling algorithm is based on three fuzzy inference engines including audit, inherent and control risks' engines. For audit, inherent and control risks, 25, 25 and 181 if-then fuzzy rules was written respectively that were certified by Iranian experts. Then the Fuzzy model of this research was executed in a tile company in the year 2009 and also we compared the results of the research model with real auditee risks. Results indicate that the assessments of the research model has complete compatibility with real auditee risks, meanwhile in traditional auditors assessments of risks there was some contradictions in some cases with real results. Hence, the research model has applicability for auditee risks' assessment more appropriate in real audit works. Key Words: Fuzzy Logic, Audit Risk Model, Audit Risk, Inherent Risk, Control Risk, Auditee Risks. Abbreviations: ARM, Audit Based Model; RBA, Risk Based Audit; AR, Audit Risk; IR, Inherent Risk; CR, Control Risk; DR, Detection Risk; FIS, Fuzzy Inference System; FARM, Fuzzy Audit Based Model. JEL classification: M42, C6. 2

Introduction Human intelligence has different aspects including innovation, common feeling, judgment, creativity, reasoning and inference. Since people have different levels of these aspects they have different level of intellectual abilities ranking from low to high. However even people with high level of intelligence; they are not free from zero-level mistake. Human memory is weak and processing information in brain is not performed fast. On this basis, artificial intelligence (AI) was raised as well as genetic algorithm (GA) and fuzzy inference systems (FIS) are among these systems. Fuzzy systems uses fuzzy set and are suitable mathematical modeling for ambiguity conditions such as those professional judgments in audit risks assessment. Audit risk assessment obviously influences on nature, timing and extent of audit procedures (Colbert 1996; Bedard et al. 1999; Blay et al. 2008; Chang et al. 2007). According to Austen et al. (2000) and Khorwatt (2008), the auditor main aim in every financial statement audit engagement is a proper assessment of detection risk (DR). Bell et al (2005) expressed that assessment of audit risks can directly influence on effectiveness of audit procedures and proper assessing process of these risks and as a basic framework in which can improve audit quality and total effectiveness of audit procedure. Based on findings of Helliar et al. (1996), Khurana and Raman (2004), Kerishnan and Kerishnan(1997) and Law(2008) in almost every stage of audit planning, unsuitable assessment of audit risks may result in wrong and inefficient distribution of resources and eventually inefficient audit results. Therefore, audit risk assessment should be more objective and correct to have 3

less audit costs and risk of audit failure. Audit quality through having lesser audit risk has an contrary direction with audit failure (Beasely 2001). Weligh (2004) also emphasized that inappropriate audit planning can be one reason of audit failure in which related to erroneous in inherent risk assessment.. Immonia (2007) suggested that in spite of diverse commercial environment and its developing problems, nobody has enough information for support and defending from the judgment about risk assessment. In addition, Austen et al. (2000) believe that regardless to this point that this judgment should be performed with good integrity; the auditors may mistakenly provide wrong judgment. Even risks that are objectively identified can have some impacts on auditor judgment. Mock et al. (1998) supposed that some complicated qualitative factors have influence on risk and auditors cannot simultaneously control the reactions of these elements on his or her final judgment. Some of the studies have observed capacity of professional judgment of auditors with ambiguity. Auditor professional judgment is mainly a function of the number of years of training and valuable experiences. Also judgmental issues may differ from auditor to auditor which is modified by personality characters, psychological and social issues (Bedard and Graham 2002; Helliar et al. 1996; Khurana and Raman 2004; Krishnan and Krishnan 1997; Low 2004; Turner et al. 2002; Wustemann 2005). To conclude, auditor judgment is a complex issue and cannot be easily formulated in a simple hypothesis. Due to complexity of judgment and ambiguity element in assessing audit 4

risks, this research aim to design a new Audit Risk Model (ARM) that deals with properly assessment of audit risks. In order to do so, this research uses fuzzy logic which is a mathematical logic for considering under uncertain conditions. We also examined the research model in a real company in Iran and compared its usefulness with traditional risks' assessment of the company auditors. The rest of this paper is organized as follows. Section 2 describes theoretical framework of the study by review current literature. Section 3 derives research methodology. Section 4 introduces elements of the Fuzzy Audit Risk Model (FARM). Section 5 applies the case of our study. Finally the study summarizes concludes and discusses on the results. Theoretical Framework Fuzzy theory is used in mathematical modeling of audit risk in this paper. Fuzzy set consists of groups that do not have certain borders for membership. In fuzzy theory, the concepts of yes or no have replaced with concepts that are either true or false. Zimmermann (1991) mentioned to use from ambiguous words like somehow high or low (verbal terms) instead of crisp numbers. Also instead of complicated formulas, in fuzzy theory we use from experience of human in form of if-then Rules. Fuzzy theory has this fundamental characteristic that makes judgment under condition of uncertain (like condition of judgment about auditee risks) and use from verbal terms (including low, medium and high risk) that expert persons usually use them for their judgments. Bezdek (1993) provided a comparison between crisp and fuzzy sets (cited in Ross, 2004). Crisp sets of real objects are equivalent to, and described by, a 5

unique membership function. But there is no set-theoretic equivalent of real objects corresponding to χ A. Fuzzy sets are always functions, which map a universe of objects, say X, onto the unit interval [0,1]; that is, the fuzzy set H is the function μ H that carries X into [0, 1]. Hence, every function that map X onto [0, 1] is a fuzzy set. But a set becomes fuzzy set when, and only when, it matches some intuitively plausible semantic description of imprecise properties of the objects in X. The membership function embodies the mathematical representation of membership in a set, is a set symbol with a tilde underscore, say A, where the functional mapping is given by: μa(x) [0, 1] (1) The symbol μ A(x) is the degree of membership of element x in fuzzy set A. Therefore, μ A(x) is a value on the unit interval that measures the degree to which element x belongs to fuzzy set A; equivalently, μ A(x) = degree to which x A. However, Zimmermann (1991) has stated that fuzzy theory is extension of sets classic theory. In classic theory of sets an element is either member or not member in set. In fact membership of elements follows from {0,1} or binary pattern. Calculation of Memberships Different types of memberships can be drawn in accordance to desired application. However, one of membership functions that has high application is triangular membership function. Hence, we employed triangular fuzzy numbers of linguistic variables of auditee risks components. According to Siler and 6

Buckley (2005) if triangular fuzzy numbers start rising from zero at x =a, reach a maximum of 1 at x = b and decline to zero at x = c, then the membership function m(x) of a triangular fuzzy number is given by: Triangular Fuzzy Number (TFN) is a continuous fuzzy set. Generally TFN is shown as triple (a,c,b). (2) Audit Risk Model Auditing standards stipulates that risk assessment based on ARM shall be performed in each financial statements audit engagement (SAS 47; ISA 200 and 315). Blay et al (2008) believe that ARM in audit standards is regarded as normative model for helping external auditors in the process of judgment in relation to assessing auditee risks and preparing an effective audit plan. A general pattern of ARM is as following: Audit Risk(AR) = Inherent Risk(IR)* Control Risk(CR)* Detection Risk(DR) (3) In Iranian Auditing Standard No.20 (2007) titled Aim and General Principles of Financial Statements Audit", inherent risk (IR) is defined as vulnerability of a claim against misstatement that can be important either individually or with a combination of other misstatements by this assumption that there is no internal control over it. Control risk (CR) related to those 7

misstatements that can be important either individually or with combination of other misstatements that internal controls of client is not able to prevent discover or amend those misstatements. Detection risk (DR) means auditor will not be able to discover misstatement in financial statements that can be important either individually or with the combination of other misstatements (article 27). Finally, audit risk (AR) means when auditor submits unsuitable opinion in relation to those material misstatements of financial statements (article 19). Law (2008) believes that although ARM assumes that all three risks are interrelated to each other but IR and CR are associated with the client accounting and internal control system, meanwhile DR is auditor risk. Level of substantive tests that are applied by auditors is a function of assessing level of CR and IR. Based on Sarbanes-Oxley Act of 2002, the client management is responsible for designing and implementing an effective and efficient internal control system that the system reliability affect CR. Daniel (1998) and Strawser (1990) believe that ARM is not compatible with real judgments of auditors. Pany and Whittington (2001), Blokdijk (2004) and Yardley (1989) also suggest that ARM is regarded as model based on probabilities and a complicated model for being understood. Dusenbury et al. (2000) stated that ARM is a complicated model and sometimes seems to be a contradictory issue. Therefore it seems that the method that auditors really applied for risk assessment should be more integrated and produces a sensible result. Some researchers have gone beyond this issue and believe that a more completed model is necessary for rapidly changing of the audit market particularly after case of the recent corporate collapses and 8

issuance of the SOX Act. Research Methodology The research method is modeling and from view point of aim it is regarded as applied research. By using fuzzy sets theory, we has attempted to create a new ARM. Advantages of this model is that it has security index from experience risk experts and statistical models. Making Fuzzy Membership In order to make fuzzy membership we used from Triangular Functions (Siler and Buckley 2005). The reason of using Triangular Fuzzy numbers is that they are simple and common. Also another reason for selecting this method is compatibility of fuzzy numbers with division of some variables under study. Fuzzy Inference We used Mamdani s implication operation for fuzzy inference and obtaining the membership function values of fuzzy, which has been referred to as correlationminimum. Mamdani fuzzy inference systems is the first inference methodology, in which inputs and outputs are represented by fuzzy relational equations in canonical rule-based form (Mamdani 1977). Equation 4 presents Mamdani s implication. This operation is valid for all values of x X and y Y (Ross 2004). (4) 9

Elements for Fuzzy Audit Risk Model In this research in accordance to classification of Beattie et al. (2002), AR is classified into two basics that include "audit base" and "auditor base". Auditor base means risks that are created as a result of inability of auditor for detecting material fraud in financial statements. Therefore, risk factors which may result in error judgment of auditors are from auditor base. Audit base means degree of influence when auditor will submit incorrect audit report to financial statements users. We also used from the classification of Hilliar et al. (1996) for affecting factors on IR which divided them into two classes including "financial statement level" and "account remaining sum level". Financial statement level means a risk in which it is possible that overall financial statements of an auditee may have important error or fraud. Account remaining sum level means risk factors in which particular accounts of an auditee will have material misstatement. From aspect of CR in accordance to COSO (1996) the effecting factors on CR in this research include "control environment", "risk assessment", "control activity" and "supervision". Control environment indicates the framework which makes the disciplines and internal control of the auditee. Risk assessment is the way with which enterprises identify the impossibility of their goal accomplishment. Control activity stands for the fact that the personnel in the organization actually applied the policy and process determined by the managerial level, and finally supervision is the process in which the enterprises assessed the executive results of internal control. Control environment indicates the framework which makes the disciplines and internal control of the auditee. Therefore based on subsidiary classes of auditee risks that are used in this 10

research, the Fuzzy Audit Risk Model (FARM) of this research is indicted in Figure 1: [Put Figure 1 Here] Fuzzy Modeling for Audit Risk Elements Modeling algorithm has three inference engines for AR, IR and CR. In order to achieve each of these three models, we applied the following steps which are respectively prepared for three inference engines of AR, IR and CR: First Step: Dividing Variables of System Audit and Inherent Risk Engines We divided inputs and output of audit and inherent risks to the sub classes as we mentioned in previous section and then we determined the grades of these risks based on verbal variables in 5 levels as very low, low, medium, high and very high. Control Risk Inference Engine Whereas there are 4 input variables of CR inference engine, if like aforesaid engines there will be 5 verbal variables for them (from very high to very low) the number of fuzzy inference rules will be 625 rules that to write them is very difficult. Therefore, for CR engine we used three verbal variables for each of the input variables (low, medium and high) but for output variables of CR engine due to homogeneity of verbal levels of CR, with AR and IR, we employed five verbal variables. 11

Second Step: Fuzzing of Verbal Variables Audit and Inherent Risk Engines In this stage the verbal input and output variables are respectively converted into fuzzy numbers. We used 5 choice spectrums with same distance for variables. Range of AR based on experts' opinion is minimum 5% and maximum 15%. Experts have mentioned that reason of certifying minimum 5% is low rate of audit fees in Iran. Also whereas in Iranian Audit Procedure some minimum levels are specified for IR, CR and AR cannot be zero. Since fuzzy risk model is practical and follows from Iranian Audit Procedure and due to this fact that suggested levels of the amount of IR for some accounts including fixed assets, payables and cash is in Iranian Audit Procedure is 50% to 100%, also financial statement level and remaining sum levels in accordance to this procedure is 50% to 100% (Iranian Audit Procedure 2000: 12-15), therefore domain of IR (universe set) at this research is 0.5 to 1, also these ranges have been certified by audit experts. Control Risk Inference Engine Level of CR that is achieved from fuzzy system in accordance to minimum CR that is suggested from Iranian Audit Procedure is 30% to 100% but level of input variables are 0% to 100%. Third Step: Converting Achieved Information from First and Second Steps into Inference Rules (Inference Engine) Audit and Inherent Risk Engines For inputs of AR inference engine, in order to perform inference we needed to 12

write 25 rules. Fuzzy inference rules were first written by researchers, and then these rules were submitted to selected Iranian risk' experts to adjust the rules. In the final fuzzy model we used from adjusted rules upon comment of experts. For IR engine we took the same direction as AR engine. In addition, in Iranian Audit Procedure, importance level of remaining sum level is more than financial statement level. Hence, in order to write fuzzy rules besides comment of experts we assigned more important weight on remaining sum level variable. The number of rules at this stage is also 25. The Figure 2 indicates inference rules' surface for AR and IR engines (after being adjusted by experts). Figure 2 and 3 shows inference surface rules for AR and IR engines [Put Figure 2 Here] [Put Figure 3 Here] Control Risk Inference Engine According to the verbal levels of inputs of CR, we made 81 inference rules. For CR engine we also took the same direction as AR and IR engine. The Figure 4 indicates inference rules' surface for CR engine (after being adjusted by experts). Whereas there are more than two inputs for this engine, only three-dimensional plots can indicate two inputs and one output at the same time, so we have presented one plot as sample (rules of control environment & control activity). [Put Figure 4 Here] By using ARM that is suggested by professional audit standards, Detection Risk 13

(DR) can be calculated as: (5) We employed Center of Gravity method to de-fuzzy. This procedure is the most prevalent and physically appealing of all the de-fuzzy methods (Sugeno 1985; Lee 1990, cited in Ross 2004). In this method, the sum of multiplication of membership degree of each member in a fuzzy set will be divided into sum of numbers equivalent to each member in accordance to following equation: Therefore AR, IR and CR can be offered qualitatively and quantitatively by FARM in this research. (6) Case Study & Numerical Example In order to examine effectiveness and efficiency of the research model, a case study from applying FARM in a real audit environment will be offered. A manufacturing company was studied. This company manufactures tile and ceramic which is limited company was gone under independent audit for fiscal year ended to March 20, 2009 by Shahedan Trustworthy Audit Firm. The auditee was established in 1984 and its net assets has reached 3.4 million dollars. Its total assets are about 16 million dollars at the end of the audit year. This is the third fiscal year that Shahedan firm audits the company. The audit report included unqualified opinion. Members of audit team included 14

one audit manager, one supervisor and two senior auditors. We used the interviews from the related personnel in the case company to collect the related data, about DR assessment by auditors (based on their audit and traditional ARM) and the related data to assess auditee risks by FARM of this research. In order to assess DR of case auditee by FARM, we took following stages: First Stage: Assessing Affecting Factors on AR engine Influential factors on audit risk based on two categories of auditor and client base were submitted to audit manager. These two categories were assessed by audit manager as 50% and 25%, respectively. The output of AR inference engine is level of audit AR after de-fuzzy reached to 9.94% quantitatively and medium qualitatively. Second Stage: Assessing Affecting Factors on IR engine Affecting factors on inherent risk based on two categories of financial statement level and account remaining sum level was submitted to audit manager. Then the risks degrees of these two categories were assessed by audit manager as 50% and 50% respectively (very low and very low). The output of this inference engine is level of IR that after de-fuzzy was 54% quantitatively and very low qualitatively. Third Stage: Assessing Affecting Factors on CR engine Affecting factors on control risk based on four categories of control environment, risk assessment, control activity and supervision were submitted to audit manager. Then the risks of these four categories were assessed by audit manager as 60%, 25%, 25% and 60 % respectively (medium, low, low and medium). The 15

output of this inference engine is the level of CR that after de-fuzzing was 55% quantitatively and low qualitatively. Hence, Material Misstatement Risk (MMR) is simply calculated as following: MMR= IR * CR = 54% * 55% = 29.7% DR of the client in the year 2009 was calculated as: 9.94 DR = = 29.7 33.47 Therefore, through FARM system, DR was assessed as 33.47% quantitatively or low qualitatively for overall client. However, Shahedan audit firm assessed AR, IR and CR of the client as 5%, 28% and 73 % respectively (very low, very low and high). There is significant differences among all of the three assessed risks by FARM and by the manager trough traditional ARM. In the final section of this research, to clarify that which of these assessed risks are more closer to real risks of the client (calculated by fuzzy model or by audit manager), we used from a checklist that are completed via interview with members of audit team or related personnel of the client. This checklist was prepared based on related literature. Table 1 indicates a summary of the results of this interview based on the checklist factors. Second column shows the studies support each affecting factor on risks that we investigated on the client and third column presents the risk assessment based on the literature backgrounds. [Put Table 1 Here] 16

Conclusion & Discussion Risk Based Approach (RBA) is a modern auditing approach that one of its main aims is to perform proper risk assessment in order to ensure from process of audit which affect directly on audit planning, strategies and opinion. Appropriate risk assessment finally results in abating audit failure. In order to this, ARM is a normative model to assess client risks under RBA. However, professional standards do not offer any unique method to assess risks under ARM. Hence, in this process the approach can be used from considerable mathematical methods. One of these methods is fuzzy logic that can be applied in uncertain conditions and uses from verbal terms instead of exact numbers, so that it will be more compatible with realities of client risk assessment by experts. Therefore, in this research, fuzzy set conceders as a mathematical modeling framework to re design ARM. Therefore, within the fuzzy logic framework, FARM in a case of Iranian company, was assessed by its audit manager. Results of this study indicate that in the client, outputs of fuzzy inference system for AR after defuzzification is 9.94%(medium), for IR is 54%(very low) and for CR is 55%(medium). These results are compatible with results of studying real risks that we achieved them through the checklist, while traditional assessments by auditors were not compatible with real risks. Therefore it can be concluded that the FARM can appropriately calculate AR, IR and CR and as a result, DR. DR of client was 33.47% as a number or low from qualitative point of view for overall audit project. In a summary, upon comparing the received results from audit manager and results of research model and also results of independent assessment of risks from the checklist we can conclude that results of our 17

research model are completely compatible with real risk assessment of client, meanwhile the assessed risks by auditor in some cases have considerable difference with real risks of the client. Therefore, designed Fuzzy ARM in this research was successful for assessing client risk. Limitations of Research There are number of limitations in this study. First, some limitations for selecting and participating audit experts for writing fuzzy rules exists especially during working seasons of audits, persuading the best experts for attending at research and handling several meetings was difficult task. Second, due to limitations of fuzzy model, the assessment of risks in this research was performed for overall audit project (it was used from deductive methodology instead of comparative methodology for risk assessment) while in some studies the risk assessment is studied for each account balance of client. Third, number of inference rules for inputs of CR engine with five verbal variables became very high (more than 600), thus for CR engine only three variables were employed. Submitting more than 600 rules to experts and taking their opinion was impossible. We used from triangular functions, while we can use bell shape functions. Suggestions of Research Using from results of this research for flexible audit planning with different levels of risk assessment or different levels of floating risk that assists different scenarios of audit program based on different amounts of risk. In future research, we can use in other cases of professional judgment from fuzzy logic. Considerable fields include levels of materiality in an audit, level of probable 18

assets and liabilities based on Iranian accounting standards. In this research it is used from triangular fuzzy numbers, also it can be used from bell shape numbers as basics for other research that will result in more proper results. Using from neural networks for reconstruction of ARM or using genetic algorithm as a complementary tool for fuzzy systems are recommended. Designing learning machine for improving fuzzy model which will result in changing comment of experts or adding new topics to learner machines from human behavior Reference American Institute of Certified Public Accountants (AICPA): SAS 47(1993), Audit Risk and Materiality in Conducting an Audit. Arens, A.A., Elder, R.J., & Beaslsy, M.S., (2005). Auditing and Assurance Services: An Integrated Approach, 10th ed.,upper Saddle River, New Jersey: Prentice Hall. Austen, L. A., Eilifsen, A. & Messier, W. F., (2000). THE RELATIONSHIP OF RISK ASSESSMENTS AND INFORMATION TECHNOLOGY TO DETECTED MISSTATEMENTS, http://ssrn.com. Accessed 25 May 2009. Beasley, M.S., Carcello, J.V. and Hermanson, D.R., (2001). Top 10 audit deficiencies, Journal of Accountancy, (April),191(4),63 66. Beattie, V., Fearnley, S., Brandt, R., (2002). Auditor independence and audit risk in the UK: a Reconceptualisation, Presented at the American Accounting Association Professionalism and Ethics Symposium, August. Beaulieu, P.R., (2001). The effects of judgments of new clients integrity upon risk judgments, audit evidence, and fees, Auditing, 20(2), 85-99. Bedard, J.C., & Graham, L.E., (2002). The effects of decision aid orientation on risk factor identification and audit test planning, Auditing, 21(2), 39-56. Bedard, J., Mock, T., & Wright, A.,(1999). Evidential Planning in Auditing: A review of the Empirical Research, Journal of Accounting Literature, 18. Behn, B.K., Kaplan, S.E., Krumwiede, K.R., (2001). Further evidence on the auditor s going-concern report: the influence of management plans, Auditing, 20(1), 13-28. Bell, T. B., Peecher, M. E., & Solomon, I., (2005). The 21st century public company audit: Conceptual elements of KPMG s global audit methodology, KPMG, LLP. 19

Blay, A., Kizirian, T., & S., Dwight, ( 2008). Evidential Effort And Risk Assessment In Auditing, Journal of Business & Economics Research, 6, 39-59. Blokdijk, J., (2004). Tests of control in the audit risk model: effective? Efficient?, International Journal of Auditing, 8,185-94. Bloomfield, R., (1995). Strategic dependence and inherent risk assessments, Accounting Review, Vol., No. 1,71 90. Chang, S.I., C.F., Tsai, & D.H., Shih, (2007). The Development of Audit Detection Risk Assessment System: Using the Fuzzy Theory and Audit Risk Model, Expert Systems with Applications, Doi: 10.1016/j.eswa.2007.08.057. Colbert, J. L., (1996). International and US standards - audit risk and materiality, Managerial Auditing Journal, 11 ( 8), 31 35. Committee of Sponsoring Organizations of the Tread way Commission (COSO),(1996). Internal Control Issues in Derivatives Usage, AICPA. Daniel, S.S., (1988). Some empirical evidence about the assessment of audit risk in practice, Auditing: A Journal of Practice and Theory, (spring), 7(2),174 18. Dusenbury, R.B., Reimers, J.L., Wheeler, S.W., (2000). The audit risk model: an empirical test for conditional dependencies among assessed component risks, Auditing: A Journal of Practice and Theory, (Fall).19( 2),105 117. Haskins, M.E, & Dirsmith, MW., (1999). Control and Inherent Risk Assessments in Client Engagements: An Examination of Their Interdependencies. Journal of Accounting and Public Policy. 14, 63-83. Helliar, C., Lyon, B., Monroe, G.S., Ng., J., & Woodliff, D.R., (1996).UK auditors perceptions of inherent risk, British Accounting Review, 28(1),45-72. Imoniana, JO, Gartner, IR., (2009). Towards a Multi-Criteria Approach to Corporate Auditing Risk Assessment in Brazilian Context, http://ssrn.com/abstract=1095950, Accessed 25 May 2009. International Federation of Accountants. (IFAC), (2006). International standards on auditing, ISA No. 200, Objective and General Principles, www.ifac.org, Accessed 25 May 2009 International Federation of Accountants. (IFAC), International standards on auditing, ISA No. 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement,(2006). www.ifac.org, Accessed 25 May 2009. Iranian Association of Certified Public Accountants(IACPA), (2007). Auditing Standard Setting Committee, Iranian Auditing Revised Standards, section 20,31-5 and 33, Tehran, Iran. Iranian Audit Organization, (2000). Iranian Audit Procedure, Tehran, Iran. 20

Johnstone, K.M., (2000). Client-acceptance decisions: simultaneous effects of client business risk, audit risk, auditor business risk, and risk adaptation, Auditing, 19(1),1-25. Khorwatt, E., (2008). Audit Risk Assessment the Professional Balancing Act Monthly Electronic Bulletin of ASCA, www.ascasociety.org. Accessed 25 May 2009. Khurana, I.K., & Raman, K.K., (2004). Litigation risk and the financial reporting credibility of big 4 versus non-big 4 audits: evidence from Anglo-American countries, The Accounting Review, 79(2),473-495. Krishnan, J., & Krishnan, J.,(1997). Litigation risk and auditor resignations The Accounting Review, 72(4),539-560. Law, P., (2008). Auditors perceptions of reasonable assurance in audit work and the effectiveness of the audit risk model, Asian Review of Accounting, 16(2), 160-178. Low, KY., (2004). The effects of industry specialization on audit risk assessments and audit-planning decisions. Accounting. Review, 79(1), 201-219. Mamdani, EH., (1997). Application of fuzzy logic to approximate reasoning using linguistic systems, 26, 1182-1191. Messier, W.F., Jr.,(2000). Auditing & Assurance Services: A Systematic Approach, Second Edition. NewYork: Irwin McGraw-Hill. Mock, TJ., Wright, A., Srivastava, RP., (1998). Audit Program Planning Using a Belief Function Framework. University of Kansas Audit Research Symposium. Newnam D.P., Paterson E., Smith R. (2001), The influence of potentially fraudulent reports on audit risk assessment and planning, The Accounting Review, 76(1), 59-80. Pany, K., Whittington, R., ( 2001). Research implications of the auditing standard board s current agenda, Accounting Horizon, 15 ( 4), 401-411. Ross, TJ., (2004). Fuzzy Logic With Engineering Application. Second Edition. John Wiley & Sons Ltd. Shailer, G., Wade, M., Willett, R., Yap, K.L., (1998).Inherent risk and indicative factors: senior auditors perceptions, Managerial Auditing Journal, 13(8), 455-464. Siler, W, Buckley, JJ., (2005). Fuzzy Expert Systems and Fuzzy Reasoning, John Willey & Sons. Inc. Strawser, R., (1990). Human information processing and the consistency of the audit risk modern Accounting Business Research, 21, 67-75. Taylor, M.H., (2000). The effects of industry specialization on auditors inherent risk assessments and confidence judgments, Contemporary Accounting Research, 17(4), 693-712. 21

Turner, JL., Mock, TJ., Srivastava, RP., (2002). A Conceptual Framework and Case Studies on Audit Planning and Evaluation Given the Potential for Fraud, Proceeding s of the 2002 Deloitte & Touche University of Kansas Symposium on Auditing Problems. Wielligh, SPJ von., (2004). High inherent risk elements in financial statements of listed South African long-term insurers, Meditari Accountancy Research, Vol. 12, No. 1, 195 217. Wüstemann, J., (2005). Evaluation and Response to Risk in International Accounting and Audit Systems: Framework and German Experiences. [forthcoming J. Corp. Law], http://ssrn.com/abstract=550722, Accessed 25 May 2009. Yardley, JA., (1989). Explaining the conditional nature of the audit risk mode. Journal of Accounting. Education. 7(1), 107-114. Zimmermann, H.S., (1991).Fuzzy set theory and its application, zed, Boston, Kluwer academic publicities. 22

Auditee Base Auditor Base 1. Audit Risk Inference Engine Audit Risk (AR) First Stage: Specifying Audit Risk (Specifying the level of Acceptable Audit Risk(AR) Calculating Level of Audit Risk by using Inference Engine after defuzzifiying Comparison of calculated Audit Risk with suggested domain of Risk by Iranian Audit Procedure for different companies Financial Statements Level Account Remaining 2. Sum Level 3. 4. Inherent Risk Inference Engine Inherent Risk (IR) Second Stage: Specifying Material Misstatement Risk (MMR) Control Environment Material Misstatement Risk (MMR) Control Activity 5. Risk Assessment Supervision Control Risk Inference Engine Control Risk (CR) 6. Comparing suggested minimum for Control Risk of by Iranian Audit Procedure (30%) with calculated Risk after defuzzifiying 23 Third Stage: Calculating Detection Risk (DR) Figure 1. Fuzzy Audit Risk Model (FARM) of the research

Figure 2. AR engine Figure 3. IR engine Fig.2 inference rules' surface for AR and IR engines Figure 4. Inference rules' surface for CR engine 24

Table 1. Results of Interview for Assessing Real Risks of Case Company Real Risk Assessment According to literature and results of the risk assessment AR is at medium level According to literature and results of the risk assessment IR is at very low level Research Literature Law 2004; Beaulieu et al. 2001. Beaulieu et al. 2001, AICPA 1993. Turner et al. 2002. Arens et al. 2005. Behn et al. 2001; Austen and Messier 2000. Johnstone 2000. Austen and Messier 2000; Helliar et al. 1996; Haskins and Dirsmith 1993. Bedard and Graham 2002; Helliar et al. 1996; Colbert 1996. Iranian Audit Procedure 2000. Arens et al. 2005. Arens et al. 2005; Helliar et al. 1996. Colbert 1996; Haskins and Dirsmith 1993; Helliar et al. 1996; Newnam et al.2001. Iranian Audit Procedure 2000. Iranian Audit Procedure 2000. Related Results through interviews Understanding auditors from client goals including general economical status, operational activities, commercial grounds and complete recognition of business model by auditors are at medium level Auditor knowledge and professional techniques is at medium level Honesty and integrity of management in accordance to mutual behavior by auditor in previous audits has been at high level. Personality, professional record, composition and arrangement of members of board of directors in client is at medium level. Diversity and vastness and depending of external users of financial statements is very low. Ambiguity in continuation of activity at client is very low. Technological complexity of products, complexity of capital structure, number and geographical diversion of production and distribution centers are very low. There was no change in important accounting employees and managers in the audit year. There was no continuous change in auditor throughout client life. sensibility of assets for fraud(for example assets with high value and fast transfer like cash) is low Complexity of client is low Level of suitable division of power and duty in client is at medium level Unusual pressures on management for modifying and amending financial statements is low Illegal or unusual or complicated transaction especially at the end of the fiscal year or near to it or irrelevant transactions with client mission is low Level of following up from regulations in client is at medium level Related Risk Audit Risk (AR) Inherent Risk(IR) 25

According to literature and results of the risk assessment CR is at medium level Arens et al. 2005; Helliar et al. 1996; Bedard and Graham 2002; Austen and Messier 2000; Taylor 2000. Austen and Messier 2000; Colbert 1996. Austen and Messier 2000. Austen and Messier 2000. Taylor 2000; Hilliar et al. 1996. Taylor 2000; Hilliar et al. 1996. Iranian Audit Procedure 2000. Iranian Audit Procedure 2000. Beaulieu et al. 2001; Hilliar et al. 1996; Haskins and Dirsmith 1993; AICPA 1993; COSO 1996. Hilliar et al. 1996; Haskins and Dirsmith 1993; AICPA 1993; COSO 1996; Bedard and Graham 2002; Austen and Messier 2000. Austen and Messier 2000; COSO 1996. Haskins and Dirsmith 1993; COSO 1996' Hilliar et al.1996. Austen and Messier 2000; Johnson 2000. Arens et al. 2005 Haskins and Dirsmith 1993; COSO 1996. Austen and Messier 2000; Shailer et al. 1998. Bedard and Graham 2002; Shailer et al. Important errors and frauds that are discovered in previous audit is low Complexity of calculation for inventories and materials at client and diversity of calculation methods is low Problem in relation to a special account or transaction in client or transactions that need extraordinary processing is low Errors for using accounting principles and standards has low effect on financial statements users In previous audit the partial accounting estimations on behalf of manager was not observed. There was low errors in receivable accounts and payments in previous audit There was low errors in inventories and goods in previous audit Judgment for specifying accounts was low Level of training programs for employees and professional loyalty of employees at client was at medium level Level of professional training of accounting employees was at medium level Partnership of board of directors or audit committee at internal control of client was low and company did not have audit committee Tendency of management to risk is high Tendency of management to optimism in financial statements is at medium level Communication of management on the process for preparing financial information is at medium level Division of duties and responsibilities in client is at medium level risk assessment of safety of information system is low Validity risk of accounting system (to control efficiency of system performance) is low Control Risk(CR) 26

1998, Hilliar et al. 1996; Haskins and Dirsmith 1993; COSO 1996. Haskins and Dirsmith 1993; COSO 1996; and Austen and Messier 2000. Austen and Messier 2000; COSO 1996. COSO 1996; Haskins and Dirsmith 2000; Haskins and Dirsmith 1993. COSO 1996; Hilar et al. 1996; Austen and Messier 2000; Haskins and Dirsmith 1993. Haskins and Dirsmith 2000; COSO1996. Iranian Audit Procedure 2000. COSO1996; Austen and Messier 2000; Haskins and Dirsmith 1993; Bedard and Graham2002. Company had budget planning and performance of internal control systems was high Instructions of policy for working with data and information in client for employees are appropriate Controlling basics in accounting and protection of assets are high Classification and separating professional capacity at financial report including financial manager and employees of accounting informational system is proper in client Suitable guardianship for preparing financial information including concluding transaction, registering accounting and preparing accounting report and their edition and amendments were available There is not internal audit department in client Process of independent approval for performance of company including management of inventory Management is medium 27