Fuzzy audit risk modeling algorithm

Article history: Received February 3, 2011; Received in revised form April 12, 2011; Accepted 12 April 2011; Available online 15 April 2011

Fuzzy logic has created suitable mathematics for making decisions in uncertain environments, including professional judgments. One such situation is the assessment of auditee risks. During recent years, risk based audit (RBA) has been regarded as one of the main tools to fight against fraud. The main issue in RBA is to determine the overall audit risk an auditor accepts, which impacts the efficiency of an audit. The primary objective of this research is to redesign the audit risk model (ARM) proposed by auditing standards. The proposed model of this paper uses fuzzy inference systems (FIS) based on the judgments of audit experts. The implementation of the proposed fuzzy technique uses triangular fuzzy numbers to express the inputs, and the Mamdani method along with center of gravity is incorporated for defuzzification. The proposed model uses three FISs for audit, inherent and control risks, and there are five levels of linguistic variables for outputs. The FISs include 25, 25 and 81 if-then rules respectively, and officials of Iranian audit experts confirm all the rules. © 2011 Growing Science Ltd. All rights reserved.


Introduction
Risk based audit (RBA) represents a "new generation" of audit approaches which is against fraud (Lemon et al., 2000), and risk assessment is a critical step in RBA. Traditional auditing systems have different disadvantages, such as inefficient allocation of resources for the auditing program (Law, 2008; Helliar et al., 1996; Khurana & Raman, 2004; Krishnan & Krishnan, 1997; Bedard & Graham, 2002; Mock et al., 1998). Auditing standards also require assessing audit risk in each independent audit engagement based on ARM (SAS 47; ISA 200, 315; Iranian audit standard, 2007). Therefore, auditee risk assessment is a very important judgment issue for auditors in an audit. However, even when this judgment is performed in good faith and with integrity, auditors may make some mistakes in their judgment. Theoreticians of decision making have indicated that even experts have problems in assessing risks (Austen et al., 2000). In addition, many studies stated that the auditors' professional judgmental capability is limited, and they indicated that the auditors' professional judgment was affected by training, experience, and the capabilities of dealing with time and complicated issues (Bedard & Graham, 2002; Helliar et al., 1996; Khurana & Raman, 2004; Krishnan & Krishnan, 1997; Low, 2004; Turner et al., 2002; Wustemann, 2004). These studies highlight the fuzzy nature of auditee risk assessment and the qualitative and ambiguous attributes linked to risk assessment through traditional ARM.

1.1 Traditional ARM
ARM is regarded as a normative model for helping auditors in the process of judgment of auditee risks (Blay et al., 2008). (1)
In the model, detection risk, according to SAS No. 47 and Iranian audit standard section 20, is the risk of not detecting a material existing misstatement in an account balance. Inherent risk is defined as the susceptibility of an account balance to errors that could be significant with no regard to the existence of related internal control systems (Aldhizer, 1994). Control risk is defined as the risk of a material misstatement that could occur and cannot be prevented or detected on a timely basis by an enterprise's internal control system procedures (Ibid). There is much evidence indicating that the present ARM proposed by auditing standards is not effective enough. Daniel (1998) and Strawser (1990) believe that ARM is not compatible with real judgments of auditors. Yardley (1989) believes that ARM is a model based on complicated possibilities. Dusenbury et al. (2000) state that the model is nearly complicated and contradictory. Therefore, traditional ARM could not provide appropriate judgments for auditee risk assessment. They also indicate that we should take a new look at ARM and make it more practical in the audit environment. Because of the existence of the judgmental component and the ambiguity in auditee risk assessment, the aim of this research is to create a fuzzy ARM to assess auditee risks in the uncertain environment of an audit. Thus, we state the research problem as follows: given an improper traditional ARM and the importance of auditee risk assessment in an audit, how can we apply the fuzzy theory to redesign the ARM so that it leads to more appropriate assessment? This paper applies fuzzy methodology to answer this question.

Fuzzy theory as a theoretical framework
Our understanding of most human problems and processes is mainly based on imprecise human reasoning (Seyedhoseini et al., 2010). However, the leading theory in quantifying uncertainty in scientific models from the late nineteenth century until the late twentieth century was based on probability theory (Ross, 2004). Many people have criticized the continuous evolution of uncertainty based on probability theory (Black, 1937; Zadeh, 1965). Zadeh's work (1965) had a great influence on the thinking about uncertainty because it challenged not only probability theory as the sole representation of uncertainty, but also the very foundations upon which probability theory was based: classical binary (two-valued) logic (Klir & Yuan, 1995). Zadeh (1965) proposed the fuzzy theory and introduced the concept of membership function in order to deal with the difference of linguistic terms. He indicated that there was a certain degree of fuzziness in terms of people's thoughts, inference and perception. Fuzzy concepts enable assessors to use linguistic terms to assess indicators in natural language expressions, and each linguistic term can be associated with a membership function (Lin & Chen, 2004; Seyedhoseini et al., 2010). Thus, due to the fuzzy nature of auditee risk assessment, the theoretical framework of this paper is to apply the fuzzy theory to redesign ARM.
This paper is organized as follows: Section 2 reviews the research method, including modeling algorithms and fuzzy sets and membership concepts. Section 3 presents the analysis and fuzzy modeling of audit risk components. Section 4 describes model validation, including testing of all inference rules and sensitivity analysis, and finally, Section 5 provides the conclusion and future research.

Modeling algorithm for proposed model
According to traditional ARM, we have three risks: AR, IR and CR. Therefore, we first divided each risk into subcategories, which are used as inputs for the proposed model of this paper. The factors affecting audit risk were categorized by Beattie et al. (2002) as "auditee base" and "auditor base". Auditee base means the degree of influence when auditors present an improper audit opinion to users of financial statements. Auditor base is about all risks that show the inability of auditors to detect major fraud in financial statements (Beattie et al., 2002).
Inherent risk was categorized based on the categorization of Helliar et al. (1996). They divided these factors into "financial statement level" and "account remaining sum level". We use this categorization because professional standards also refer to it to assess the risks of material misstatement (ISA 200/26-7; ISA 315/100; Iranian Audit Procedure, 2007). Financial statement level means the risk of the existence of important errors or frauds in the overall financial statements. In addition, ISA 200 notes: "The auditor considers the risk of material misstatement at the overall financial statement level, which refers to risks of material misstatement that relate pervasively to the financial statements as a whole and potentially affect many assertions". Account remaining sum level can be explained as risk factors by which a certain account of an enterprise may have a major misstatement (Helliar et al., 1996). In addition, professional standards refer to this level: "the auditor also considers the risk of material misstatement at the class of transactions, account balance, and disclosure level because such consideration directly assists in determining the nature, timing, and extent of further audit procedures at the assertion level" (IAS 200/28; ISA 315/100).
According to COSO (1996), the factors affecting control risk in this research are divided into "control environment", "risk assessment", "control activity" and "supervision". Control environment indicates the framework that makes up the disciplines and internal control of the enterprise (Chang et al., 2007). Risk assessment is the way that enterprises identify the impossibility of their goal accomplishment. Control activity stands for the fact that the personnel in the organization actually applied the policy and process determined by the managerial level, and finally supervision is the process in which the enterprises assessed the executive results of internal control (Ibid).
Thus, according to these categorizations, modeling algorithm of the research is presented as Fig. 1.

Fuzzy sets and membership
Bezdek provided a comparison between crisp and fuzzy sets (Bezdek, 1993). Crisp sets of real objects are equivalent to, and described by, a unique membership function. Fuzzy sets are always functions, which map a universe of objects, say X, inside the unit interval [0, 1]; this is the fuzzy set H with the membership function μH that carries X into [0, 1]. Although this statement holds in a formal mathematical sense, many functions that qualify on the basis of this definition cannot be suitable fuzzy sets. The membership function is the mathematical representation of membership in a set defined as follows, where μA(x) is called the membership value of x in A. The symbol μA(x) is the degree of membership of element x in fuzzy set A. Therefore, μA(x) is a value on the unit interval that measures the degree to which element x belongs to fuzzy set A; equivalently, μA(x) = degree to which x ∈ A (Bellman & Zadeh, 1970).
This paper introduces a modified and simple methodology that relies on fuzzy triangular functions and the Mamdani operation. Dubois and Prade (1980) suggested fuzzy numbers that refer to the fuzzy set on the real line R, and their membership function was μA(x): R → [0, 1] with the following properties. Hence, this research used the fuzzy theory and the traditional ARM proposed by professional standards. First, we define the triangular fuzzy numbers of the linguistic variables of the auditee risk components. If triangular fuzzy numbers start rising from zero at x = a, reach a maximum of 1 at x = b, and decline to zero at x = c, then the membership function μ(x) of a triangular fuzzy number is given by (Siler & Buckley, 2005).

Analysis & fuzzy modeling of ARM components
To assist auditors in better assessing the risks, an integrated fuzzy inference system (FIS) is developed, and the proposed FIS is based on the experiences of experts. Fig. 1 demonstrates the details of the proposed model. As we can observe from Fig. 1, the system has three inference engines for audit, inherent and control risks (three FISs). The FIS is a popular computing framework based on the concepts of fuzzy set theory, fuzzy if-then rules and fuzzy reasoning (Seyedhoseini et al., 2010). The theory has been widely applied in various fields such as AI, control engineering, expert systems, etc. (Lee & Park, 1997; Mujumdar & Sasikumar, 2002; Tanaka & Sugeno, 1992; Toshiro, 1994; Mamdani, 1977; Jamshidi et al., 1997). An FIS is also called a fuzzy rule based system, fuzzy expert system, fuzzy model, fuzzy associative memory, fuzzy logic controller or simply a fuzzy system. These systems can construct an input-output mapping based on human knowledge in the form of fuzzy if-then rules with appropriate membership functions. In order to construct each of the three FISs of this research, the following steps are carried out.

First step: definition of linguistic variables

3.1.1. Audit & inherent risks engines
The audit risk engine has two inputs named "auditor base" and "auditee base" and one output, audit risk (AR). The inherent risk inference engine also has two inputs, "financial statement level" and "account remaining sum level", and one output, inherent risk (IR) (see Fig. 1). Degrees of these output and input variables are based on five levels of linguistic terms (very low, low, medium, high and very high). With these 5 levels we will have 25 if-then fuzzy rules based on the human knowledge of audit experts.

Control risk inference engine
Since there are four inputs for this fuzzy inference engine (control environment, control activity, risk assessment and supervision), five levels of linguistic terms, from very low to very high, would give 625 inference rules, which represents an enormous number of combinations. Therefore, for CR, we use three levels of linguistic terms (low, medium and high) for each input variable. However, for the output variable, control risk, as for AR and IR, we use five levels of linguistic variables. Therefore, we will have 81 if-then rules for the CR FIS. One of the common ways to represent human knowledge is to form it into natural language expressions of the type: IF antecedent, THEN consequence. This form is generally referred to as the deductive form, and we employed it in this research.

Audit & inherent risks inference engines
At this stage, linguistic variables associated with inputs and outputs are converted to fuzzy numbers. For fuzzification of variables, we used triangular numbers. A five-level spectrum with equal distances is used for each variable. Fuzzy numbers that are equivalent to the assessment amount of "auditor base" and "auditee base" (as inputs) and "audit risk" (as output of the AR engine) are shown in Fig. 2A to Fig. 2C. In these figures, the X axis indicates the risk degree (zero to 1 or zero to 100) and the Y axis shows the membership degree (fuzzy number) for the related risk. We used experts' opinions for setting fuzzy numbers. Based on the opinion of audit experts, the practical desired domain of AR is 5% to 15%. Audit experts mentioned that the reason for setting a minimum of 5% for AR is the low level of audit fees in Iran.
Besides, in accordance with the Iranian Audit Procedure, some minimum levels are specified for IR and CR, so we cannot specify AR lower than 5%. Fuzzy numbers equivalent to IR, "financial statement level", and "account remaining sum level" (output and inputs of the IR engine) are presented in Fig. 3A to Fig. 3B. One of the objectives of this research is to apply traditional ARM to the Iranian audit environment; hence, we use the amounts of risks proposed in the Iranian Audit Procedure. The suggested level of IR for different accounts, including fixed assets and cash, in this procedure is 50% to 100% (Iranian Audit Procedure, 2000). Similarly, in this research the levels of financial statement level and account remaining sum level, in accordance with the Iranian Audit Procedure, are between 50% and 100%, and the domain of IR (universe set) is specified as 0.5 to 1. The domain of the output of the CR FIS, in accordance with the minimum level proposed by the Iranian Audit Procedure (30%), is from 30% to 100%, but the levels of the inputs are from 0 to 100.

Third step: Fuzzy inference rules
The inference rules for the three FISs of AR, IR and CR are described in the following subsections.

Audit risk inference engine
We used Mamdani's implication operation, also called correlation-minimum, for fuzzy inference and for obtaining the membership function values. Eq. (4) presents Mamdani's implication, where the operation is valid for all values of x ∈ X and y ∈ Y (Ross, 2004).
Although there are several inference techniques developed for fuzzy rule based systems in the literature (Mamdani, 1977), the Mamdani FIS is the first inference methodology in which inputs and outputs are represented by fuzzy relational equations in canonical rule-based form (Mamdani, 1977; Nikkhah & Makui, 2011). We had five linguistic terms (very low, low, average, high, very high) for the two inputs of the AR FIS (auditor base and auditee base). Hence, in order to perform approximate reasoning using natural language if-then rules, we need to write 25 rules. First, we made these rules based on the research literature on factors influencing AR. Then these rules were submitted to selected Iranian audit experts (five persons) for their amendment comments. Managers and partners are in the position of assessing risks in audit cases, so we selected these experts based on their qualifications, academic and professional background, as well as their motivation and interest in risks. Some of them were previously engaged in Iranian auditing standards on risks. The experts were invited to several meetings to share their comments on the fuzzy rules. Finally, in the final integrated fuzzy model, we modified the rules based on the comments of the audit experts. Fig. 5 indicates the fuzzy logic system of AR, which is generated by the 25 rules that account for both inputs (The MathWorks, 2007).

Inherent inference risk engine
We treat the IR engine in the same way as the AR engine. In the Iranian Audit Procedure, the importance degree of "account remaining sum level" is higher than the importance degree of "financial statement level". In order to write the fuzzy rules, we give more weight to the variable of account remaining sum level. In addition, we use the literature and the comments of audit experts. There are 25 rules at this stage (with two inputs and five levels). Fig. 6 shows these rules graphically. We submitted the figures to the experts, and they also confirmed them. Therefore, in the light of what we have collected from the interviews with experts, the engine will work correctly.

Control risk inference engine
In this engine, we have four inputs with three levels of linguistic variables for each input (low, average, high). Therefore, we needed to make 81 if-then rules. Like the previous FISs, these rules are prepared by reviewing academic literature, and they are submitted to experts and adjusted according to their comments. The output of this FIS is the level of CR, which can be qualitative or quantitative after defuzzification. By multiplying the amounts of IR and CR, we can calculate material misstatement risk (MMR) (ISAs; Iranian Audit Standard, section 20, 2007; Iranian Audit Procedure, 2000; Blay et al., 2008):
MMR = IR * CR
Based on the traditional ARM given in Eq. (1), we can simply calculate detection risk (DR). Therefore, we need to get back to a "crisp" value to calculate MMR and DR, through a procedure called "defuzzification". In this research, to defuzzify, we use the center of gravity method. The procedure is the most prevalent and physically appealing of all the defuzzification methods (Sugeno, 1985; Lee, 1990; Ross, 2004). In this method, the sum of multiplication of membership degree of each member in a fuzzy set will be divided into sum of the numbers equivalent to each member, in accordance with the following equation, where Σ denotes the algebraic sum and a is the crisp amount of membership functions (Ross, 2004). Therefore, we can calculate AR, IR and CR as crisp numbers or as qualitative variables (from very low to very high). In other words, we have constructed an expert system automatically replicating the decision process of the experts on auditee risk assessment.

Model validation
One of the most important issues in developing a method is to test the validity of expert systems. In fact, we need to make sure about the knowledge that has been gathered from experts, and we have to make sure of the authenticity and accuracy of the software (Ghasemnejad et al., 2006).
The main validation method at the stage of gathering information from experts is to use previous academic studies and research literature completed and certified by Iranian Auditing Standards. To do that, the rules of the knowledge base were prepared based on literature review and professional standards, and then, to make the model more practical to apply in the Iranian audit environment, we submitted the fuzzy rules of the three FISs to Iranian audit experts from the Audit Organization, a governmental organization that has the obligation to audit financial statements of governmental companies. This organization can also audit public companies listed on the Tehran Stock Exchange (TSE) and any other companies. After studying the inference rules, the audit experts were invited to a meeting to state their viewpoints, and after a discussion based on interviews, we adjusted the final rules. We should also be sure about the authenticity of the software. We implemented the fuzzy ARM system in MATLAB 9.0 software. In order to make sure about the fuzzification of linguistic variables and the entry of if-then rules in the software, we made two separate programs and entered data into them. The inputs of each rule are entered into each program and the outputs are compared. If there are any contradictions between the outputs of the two programs, the characteristics of the related rule are compared with the knowledge base and the contradictions are removed, so that we make sure about the authenticity of the software. We also test the accuracy of the model by transforming a conceptual model into a software program to see whether there is error in the system or not. If this error is within an acceptable domain, the model will be regarded as valid; otherwise, the model must be adjusted. In order to be sure that the model error is in acceptable domain.

Test of all inference rules
This method was separately applied for each FIS. Thus, three groups of tests were employed for the three FISs of AR, IR and CR. The inputs of each inference engine (the IF antecedent of each rule) were separately entered into the expert system related to that inference engine. We compared the calculated output achieved from each rule, after defuzzifying, with the expected output. Expected output means the output that is expected from each rule. This output refers to the second section of the rule (the THEN consequence). Average squares of outputs' errors achieved from this software will be compared with the expected outputs (The MathWorks, 2007). Based on the opinion of audit experts, if this average for the three FISs is lower than 5%, the error will be in the acceptable domain and can be ignored. A summary of the calculations of error testing for each inference engine is shown in Table 1. As can be seen, the error is lower than the amount of error expected by the experts (5%). (For AR, IR and CR this level is about 1%, 0.8% and 1% respectively.) Thus, the accuracy of the inference engines is in the acceptable domain of errors.

Sensitivity analysis
An expert system must be judged on the basis of its ability to infer, from a set of given inputs, the same output the expert(s) would provide, in any situation. Therefore, we have tested the reliability of our three expert systems through a series of simulations, varying the value of one driver at a time while leaving the other fixed.
This test is applied to all three models of AR, IR and CR. For example, for the fuzzy model of AR, we selected the first written rule of this FIS. In this rule, "auditee base" is "very low" and "auditor base" is also "very low", so both inputs are at their lowest levels. We assumed one input as fixed while the level of the other input can increase. By continuously increasing the first input of the AR model (with the other input fixed), the level of the output (amount of AR) was obtained.
Then, we drew a plot where the x axis shows the non-fixed input and the y axis shows the output (AR) (Fig. 7). This figure was offered and explained to the experts, and we asked for their comments on it; the audit experts certified the compatibility of changes in the degree of AR with the changing degree of an input and also certified the total trends of changes. A similar process was repeated for the other input of AR.
As can be seen, AR shows an increasing trend as either input increases while the other input is fixed. The results of these tests certify the authenticity of the rules for the FISs. We repeated conditions similar to those of AR for IR and CR (maintaining one input as fixed and gradually increasing the other input). The figures were also submitted to the experts, and they confirmed that the trends of AR, IR and CR according to the fuzzy expert systems are acceptable and correct in the Iranian professional context, so the model was validated.
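
The following Python code is an added example, not the authors' MATLAB implementation: it builds a Mamdani engine with the equally spaced triangular sets, correlation-minimum clipping and center of gravity defuzzification described in Section 3, computes MMR and DR, and runs the one-input-varied sensitivity sweep described above. The rule bases are constructed placeholders (the experts' rules are not reproduced on this page), the CR value is a constructed crisp input, and DR assumes the standard multiplicative form AR = IR × CR × DR for Eq. (1).

```python
def tri(x, a, b, c):
    """Triangular membership: rises from 0 at a to 1 at b, falls to 0 at c."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)

def partition(lo, hi, n=5):
    """n equally spaced triangular fuzzy numbers (a, b, c) with peaks on [lo, hi]."""
    step = (hi - lo) / (n - 1)
    return [(lo + (i - 1) * step, lo + i * step, lo + (i + 1) * step) for i in range(n)]

def rule_base(weights, n=5):
    """CONSTRUCTED rules (not the experts'): consequent level is the rounded
    weighted mean of the two antecedent levels, 0 = very low ... 4 = very high."""
    w1, w2 = weights
    return {(i, j): int((w1 * i + w2 * j) / (w1 + w2) + 0.5)
            for i in range(n) for j in range(n)}

def mamdani(xs, in_sets, out_sets, rules, lo, hi, samples=1001):
    """Crisp output for crisp inputs: min for AND, clip each consequent at the
    rule's firing strength, aggregate by max, defuzzify by center of gravity."""
    strength = [0.0] * len(out_sets)
    for levels, k in rules.items():
        fire = min(tri(x, *sets[i]) for x, sets, i in zip(xs, in_sets, levels))
        strength[k] = max(strength[k], fire)
    num = den = 0.0
    for s in range(samples):
        y = lo + (hi - lo) * s / (samples - 1)
        mu = max(min(w, tri(y, *out_sets[k])) for k, w in enumerate(strength))
        num += mu * y
        den += mu
    if den == 0.0:
        raise ValueError("no rule fired; inputs lie outside the input universe")
    return num / den

UNIT = partition(0.0, 1.0)            # auditor base / auditee base, 0 to 1
AR_OUT = partition(0.05, 0.15)        # AR domain 5% to 15% (from the page)
AR_RULES = rule_base((1, 1))          # constructed: equal weights
IR_SETS = partition(0.5, 1.0)         # IR inputs and output, 0.5 to 1 (from the page)
IR_RULES = rule_base((1, 2))          # constructed: account level weighted higher

def audit_risk(auditor_base, auditee_base):
    return mamdani((auditor_base, auditee_base), (UNIT, UNIT),
                   AR_OUT, AR_RULES, 0.05, 0.15)

def inherent_risk(fs_level, account_level):
    return mamdani((fs_level, account_level), (IR_SETS, IR_SETS),
                   IR_SETS, IR_RULES, 0.5, 1.0)

def detection_risk(ar, ir, cr):
    """MMR = IR * CR; DR = AR / MMR (assumes AR = IR x CR x DR for Eq. (1))."""
    mmr = ir * cr
    if mmr <= 0.0:
        raise ValueError("MMR must be positive")
    return ar / mmr

def sweep(fixed_auditee=0.0, points=21):
    """Sensitivity analysis: vary auditor base over 0..1 with auditee base fixed."""
    return [audit_risk(i / (points - 1), fixed_auditee) for i in range(points)]

if __name__ == "__main__":
    ar = audit_risk(0.5, 0.5)
    ir = inherent_risk(0.75, 0.75)
    cr = 0.60                         # constructed crisp CR, within 0.3 to 1
    print(f"AR={ar:.4f} IR={ir:.4f} MMR={ir * cr:.4f} DR={detection_risk(ar, ir, cr):.4f}")
    print("AR sweep:", [round(v, 4) for v in sweep(0.0)])
```

Feeding the peak of an edge term ("very low" or "very high") returns a value slightly inside the domain rather than the peak itself, because the centroid of a clipped half-triangle is not at its apex; this is one source of the non-zero errors that the rule-by-rule test measures.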

Conclusion
In this paper, we have presented a new audit risk model for auditing standards. The proposed model of this paper uses fuzzy numbers to gather inputs and outputs and uses the Mamdani method for analyzing the results. The proposed model used three FISs for audit, inherent and control risks, and there were five levels of linguistic variables for outputs. The FISs include 25, 25 and 81 if-then rules respectively, and officials of Iranian audit experts confirm all the rules. The model was applied using some real-world data and the results are validated. As further research, this model can be applied to a real-world case study and the results can be compared with traditional risk assessment techniques.

Fig. 2A. Membership functions for AR
Fig. 2B. Membership functions for auditee base variable
Fig. 2C. Membership functions for auditor base variable
Fig. 3A. Membership functions for IR
Fig. 3B. Membership functions for financial statements variable
Fig. 3C. Membership functions for account remained sum level variable
Fig. 4A. Membership functions for CR
Fig. 4B. Membership functions for control environment
Fig. 4C. Membership functions for risk assessment
Fig. 4D. Membership functions for control activity
Fig. 7(a). Change in audit risk as per auditee base
Fig. 7(b). Change in audit risk as per auditor base

Table 1
A summary of errors of inference engines for AR, IR and CR