Application of Delphi method for determining the affecting factors upon audit risk model

Article history: Received April 3, 2011; Received in revised form July 26, 2011; Accepted 28 July 2011; Available online 29 July 2011

The assessment of risks in an audit work could directly influence the costs, timing, and strategies as well as audit quality. The purpose of this paper is to identify the critical factors affecting the risks proposed in the Audit Risk Model (ARM) in the audit environment of Iran. In the present research, the Delphi method is employed with a panel of 60 audit partners and managers. The panel consists of two equally divided groups, one from the audit organization, a governmental organization, and the other from private audit firms. We employ two rounds of Delphi, with 58 critical risk factors extracted from auditing literature and Iranian auditing standards and presented to the experts. There are 43 factors categorized as important factors to assess the risks in ARM. The results are considerable in an Iranian audit environment; findings show the most important factors are among the inherent risk factors. Finally, we make a comparison with a similar study in Taiwan. Differences indicate that in professional judgment issues like risk assessment, the consideration of particular culture and environment could help enhance the precision of assessments, especially in assessing control risk factors.

© 2012 Growing Science Ltd. All rights reserved.


Introduction
Recent audit failures emphasize the importance of adequately assessing client risks. The risk assessments affect the nature, timing and extent of audit procedures and the evidence collected (Colbert, 1996; Helliar et al., 1996; Blay et al., 2008; Chang et al., 2007; Iranian Auditing Standard No. 20; Bedard et al., 1999). Therefore, the determination of critical risk factors could help auditors in an audit case. The purpose of this paper is to come up with a consensus list of the most important factors influencing auditee risk assessments. Such a list allegedly aids in reducing the probability of audit failures.
Precise assessment of risks in auditing could influence planning (Bedard & Graham, 2002). Auditors should plan the audit work to enhance the audit quality and further reduce the risk of litigation (Arens et al., 2005; Krishnan & Krishnan, 1997; Bell et al., 2005). Improper risk assessment could also lead to insufficient and ineffective distribution of resources in auditing and, as a result, to inefficient and ineffective audit work (Low, 2008; Helliar et al., 1996; Khorana & Raman, 2004; Krishnan & Krishnan, 1997; Bedard & Graham, 2002). On the other hand, cultural differences among countries could affect the assessment of audit risk, inherent risk and particularly control risk (Chen & Huang, 2007). Hence, for the assessment of detection risk in a country like Iran, the factors affecting risks in the audit environment could be different from those in western countries. Since the 1990s, in response to changes in the business and economic environment, the risk based audit (RBA) has represented a "new generation" of audit approaches (Lemon et al., 2000). The RBA approach broadens many concepts and procedures used in a traditional audit, and it is based on a macro view of the client business, while the traditional approach is based only on a financial statement view (Bell et al., 1997; Bell et al., 2002; Bierstaker & O'Donnell, 2003; Lemon et al., 2000). The central point of the RBA is the determination of the overall audit risk the auditor could accept (Khorwat, 2008; Austen et al., 2000).
Iranian auditing standards also emphasize applying this new approach in audit cases (Iranian auditing standards No. 20, 31-5 and 3, 2007); however, several studies indicate the RBA could not be applied in Iran completely (Khodadad, 1994; Nejat, 1999; Forsati, 2003; Khatiri, 2005). The reason is the problem auditors have in assessing risks. Although authoritative guidance on risk assessments clarifies some audit characteristics that should be considered while assessing risks, it does not clearly indicate the manner in which these factors are to be identified and weighted in the assessment (Blay et al., 2008; SAS 47; Iranian auditing standards No. 20, 31-5, 33). Therefore, risk identification and assessment within the RBA environment is important because auditors have limited ability to perform these tasks (Weil, 2004).
Therefore, the research question in this study is to determine the most important factors, in the audit environment of Iran, which affect audit risk, inherent risk and control risk. To answer the question, we apply the Delphi method. This study is important because the determination of the factors affecting auditing risks could help auditors assess the risks more objectively, which is a central step of RBA. We also compare the research results with a similar study in Taiwan (Chang et al., 2007). The findings indicate that critical factors of inherent risk are the most important factors in Iran, while the factors of audit risk are the most unimportant factors. The comparison between countries also shows that cultural differences could affect auditee risk factors, especially the factors affecting control risk.

Audit Risk Model
The RBA is a shift in thinking about the auditing of an enterprise, but the main idea of risk evaluation in this approach is still the audit risk model (ARM) (Lemon et al., 2000). Blay et al. (2008) believe that the ARM as a conceptual model promotes a risk-focused approach for allocation of audit procedures. This model has become an extremely important element in auditing (Quadackers et al., 1996). Additionally, the ARM, as a normative model in the professional standards, assists auditors in the judgment processes about risk (Blay et al., 2008; Iranian Audit Procedure, 2000). The formulation of the ARM is as follows (Iranian Auditing Procedure, 2000; SAS 47): Based on this formulation, detection risk is:

$$DR = \frac{AR}{IR \times CR} \qquad (2)$$

where DR is detection risk, AR is audit risk, IR is inherent risk and CR is control risk.

In the model, detection risk, according to SAS No. 47 and IACPA, is the risk of not detecting a material misstatement that exists in an account balance. If inherent risk and control risk are considered to be high, then in order to maintain audit risk at an acceptably low level, detailed testing should be extended to lower detection risk (Aldhizer, 1994). According to SAS No. 47 and IACPA, inherent risk is defined as the susceptibility of an account balance to errors that could be significant without regard to the existence of related internal control systems. Control risk is defined as the risk of a material misstatement that could occur and not be prevented or detected on a timely basis by an enterprise's internal control system procedures (Aldhizer, 1994). Finally, audit risk, as defined by SAS No. 47 and IACPA, is the risk that an auditor may unknowingly fail to appropriately modify an opinion on financial statements that are materially misstated. However, it is not possible to reduce this risk to zero. In the model, the inherent risk and control risk components together are sometimes referred to as "auditee risk" (Bedard et al., 1999; Austen et al., 2000; Bedard & Graham, 2002; Messier, 2000; Hajiha, 2011), because they represent the risk of misstatements prior to the audit and the auditor has no direct control over auditee risk (Austen et al., 2000).

Methodology
In this research the factors affecting audit risk were placed in the categories presented by Beattie et al. (2002), which are named "auditee base" and "auditor base". Auditee base means the degree of influence when auditors present an improper audit opinion to users of financial statements. Auditor base covers all risks indicating the inability of auditors to detect major fraud in financial statements (Beattie et al., 2002). Factors affecting inherent risk were based on the categorization of Helliar et al. (1996), which is divided into two categories, namely "financial statement level" and "account remaining sum level". Financial statement level means the risk of the existence of important errors or frauds in the overall financial statements.
Account remaining sum level can be translated as the risk factors under which a certain account of the enterprise may have a major misstatement. According to COSO (1996) and IACPA (2007), the factors affecting control risk in this research are divided into "control environment", "risk assessment", "control activity" and "supervision". Control environment indicates the framework that shapes the disciplines and internal control of the enterprise (Chang et al., 2007). Risk assessment is the way in which enterprises identify the impossibility of their goal accomplishment. Control activity stands for the fact that the personnel in the organization actually apply the policy and process determined by the managerial level, and finally supervision is the process in which the enterprise assesses the executive results of internal control (Ibid).
First, we assigned the identified factors to these subcategories according to the study performed by Chang et al. (2007). Additionally, in each category, we added factors from the guidelines of Iranian auditing standards and the Audit Procedure (issued by the Audit Organization) that were absent from the list, to make the final results more practical for risk assessment in Iran. Table 3 indicates the factors in each category and presents them as F1 to F58. We used them in two rounds of Delphi questionnaires to reach unanimity among Iranian experts upon these factors.

Delphi method
Delphi is a tool for qualitative research. This method is used in macro subjects, especially qualitative matters, like identifying the factors affecting risks in an audit (Sarokhani, 2004). The Delphi is a structured process for predicting and assisting decision making over survey rounds. Gathering information and finally reaching group agreement are its other usages. While most surveys attempt to respond to the question "what is it?", the Delphi tries to answer the question "what could or should it be?" (Powel, 2003). The Delphi method is the most important technique to detect and study subjects which are mixtures of academic bases and social values (Sarokhani, 2004). Therefore, this is an appropriate method to recognize judgment issues like risk assessment.
Delphi could be used to form a group communication, which facilitates thinking about and engaging with complex issues as a whole (Turoff & Linstone, 2002/1975). Although this group judgment comes from different mental viewpoints, it is more trustworthy than individual and personal opinions, and its results are more objective and precise (Massini, 1993). Participants in a new round can compare their personal opinions with those of others in the prior round and may adjust or change them in the next round. Hence, the final results are group judgments and no opinion belongs to a single person (Sarokhani, 2004). That is why we selected this qualitative method for the identification of the factors affecting risks in audit cases.

Research population
The population was audit managers and partners who are all members of the Iranian Association of Certified Public Accountants (IACPA) located in Tehran.

Sampling method
The sampling technique appropriate for qualitative and Delphi research is purposive sampling (Windle, 2004). Hence, in this research, we also employ this technique to select the audit risk experts. Audit managers and partners are divided into two equal groups. The first group consists of the audit managers and senior audit managers who are representatives of the governmental sector and are employed in the Iranian audit organization, a governmental organization that has the obligation to audit financial statements of governmental companies.
This organization can also audit public companies accepted in the Tehran stock exchange (TSE) and any other companies as well. The second group includes audit partners from the Trustworthy audit firms, which are the representatives of the private sector of Iranian auditing. They are ranked according to several measures by the TSE. Public companies must only be audited by these audit firms or the audit organization. The sample is formed of two groups, each containing 30 experts (Delphi panel).
Delphi questionnaires are sent by email or delivered by the researcher in person to the audit managers and partners in two rounds. In each round, the goals and the processes of the research are explained completely to the participants. Before distributing the questionnaires, we perform a pre-test with three experts who have academic and professional experience in assessing detection risk in several audit cases to confirm the details in the questionnaires.

Delphi panel
The validity of information gathered from Delphi is associated with the group that is the most qualified to respond to the questions. Therefore, in the selection of the panel members, not only are the experts important individually, but the qualification, comprehensiveness and context of the experts are important as well. Hence, in order to select participants in the panel, we used the members of IACPA in two groups. In each group, we have 30 experts. Managers and partners are in a position to assess risk in audit cases. We select the members based on their qualifications, academic and professional background, and their motivation and interest in risks. Some of them were engaged in setting auditing standards on risks in the past.

Delphi rounds
The purpose of repeating the rounds is to achieve an acceptable unanimity between the members of the panel (Lantada, 2006; Windle, 2004). We employed two rounds of Delphi in this research. Fig. 1 presents the algorithm of the two rounds of the Delphi research.

Descriptive statistics
The number of experts in the Delphi panel was 60 (30 in each group of auditors), and in the first round 56 experts responded to the questionnaire (93.3%). Table 1 presents frequencies and frequency percentages of the professional positions of the Delphi panel members. Academic degrees of the panel members are 56.9 percent bachelor, 41 percent master and 2 percent Ph.D. Supervisors in the above table had some particular qualifications in assessing risks in the Iranian auditing environment or were in the final years of this position. Some senior supervisors were waiting to receive a higher position at the time of the research. Table 2 presents the Delphi panel's experience in independent audit and as an audit manager or partner. There were three categories of audit managers or partners: 1 to 10 years of experience was categorized as low experience, 11 to 20 years as average experience and 21 to 30 as high experience. The highest number of years of experience in independent audit was 36. In studies using the Delphi method, there are many ways to analyze and manage information (Lanteda et al. 2006; Fry & Bour, 2001). The use of median and mode is more proper, although the mean is also used (Okoly, 2004). Therefore, in this research, we applied mode and frequencies to analyze the results.

[Fig. 1. Algorithm of the two rounds of the Delphi research. Recoverable step labels: the design of the Delphi second round; the application of the second round and analysis of results; record, report and generalization.]

We designed a semi-open questionnaire in the first round, which listed 58 factors in eight categories affecting AR, IR and CR. We requested the Delphi panel to state the degree of influence of each factor on the risks. In addition, we left blank columns in each category for additional factors or other opinions from the experts. The questionnaires were designed on a five-point Likert scale (very low, low, average, high, and very high). We analyzed the frequencies of every factor in the first round. If most responses for a factor were on "average" or lower than average, that factor was classified as an unimportant factor, one which in the audit environment of Iran could not affect detection risk significantly. If the most frequencies were on the "high" or "very high" options, that factor was categorized as an important factor, which could affect detection risk and should be considered in assessing the risk in a real audit case.
In the second round of Delphi, we announced the results of the first round, the point of view of the majority, on the questionnaire. We also presented the responses of each expert in the first round for all factors, separately. Therefore, for every one of the 56 experts there was a particular questionnaire in the second round. The reason for presenting the results of the first round was to give the experts the opportunity to compare the majority's response with their own response for each individual factor. Participants could then change and adjust their primary opinion in order to get closer to the majority's opinion.

Table 3 factors:

The evaluation of the management integrity and honesty according to the past interaction with auditors
F4: Judgment degree of the auditee's presented information and their assessment method
F5: The considerations of audit costs while using the audit strategies and procedures
F6: Auditor's financial relationship with a particular client or particular groups of clients
F7: Auditee's operational risk (the risk that the auditee could not reach the operational goal)
F8: The composition of auditor's clients

Auditee base category
F9: The external users' trust in financial statements and their diversification degree (for instance, the auditee is a public company)
F10: After submitting the audit report, the possibility of financial difficulty or shortage of the auditee

New proposals of panel members in the first round
* The character, professional experience and coordination of leadership board members in the auditee
* Auditor's non-financial relationship with auditee

Risk factors on inherent risk

Financial statement level category
F11: Doubt in going concern of the auditee
F12: The kind of business operation of auditee
F13: Many changes in management levels and senior staff (Is the leave rate or change of top managers higher than that of similar companies during a certain period of time?)
F14: Many changes in important accounting staff (Is the leave rate or change of important accounting staff higher than that of similar companies during a certain period of time?)
F15: Continuous changes of the auditor or employing less well known auditors
F16: The scale of auditee (the number of employees of auditee, sales volume or revenues and assets in comparison to the whole industry)
F17: Knowledge and experience of top and middle management with regard to general skills in accounting and management
F18: Susceptibility of auditee's property, like cash, to fraud
F19: Complexity of auditee (for instance, is the auditee an international enterprise or does it have many related firms or subsidiaries?)
F20: External economic environment of auditee, including policies, laws and competition
F21: Administration manner of auditee (initial authorization or not)
F22: Management level is under pressure to modify the financial statement, for example: the accomplishment of the analysts' estimation forces managers to report more beneficial financial news, or a profit-based bonus or salary policy encourages managers to operate the profits
F23: The existence or condition of irregular or complex transactions, particularly at the end of the financial year, or unusual transactions which are not related to auditee goals
F24: Possibility of auditee's violation of laws (the degree of auditee's compliance with the regulations)
F25: Significant errors or fraudulence in financial statements detected in previous audits
F26: Arguments with the management level over accounting issues in previous audits
F27: Is the auditee a governmental or non-governmental entity? (from the aspects of profitability, taxation and going concern)

Account remaining sum level category
F28: Inventory and raw material calculation complexity of auditee and the variety of calculation methods
F29: Difficulty about a specific account or transaction in auditee, or unusual transactions such as overseas credits, foreign purchases or accounts under the influence of related party transactions
F30: The degree to which wrongly used accounting principles might mislead users of the financial statements, and the degree of changes in accounting principles and policies in auditee
F31: Identifying the biased accounting estimations of the managers in the previous audit
F32: Many errors in receivable and payable accounts found in the previous audit (for instance, increasing receivables by increasing sales)
F33: Many errors in inventory accounts in the previous audit (for instance, errors in prices or number of items)
F34: Top management's integrity, morality and reputation
F35: The content of judgment used in determining account balances

New proposals of panel members in the first round
* Not applying interim audit and timely information not being presented by auditee

Risk factors on control risk

Control environment category
F36: The training of the auditee's employees in integrity, morality and professional capacity
F37: The training of the auditee's accounting staff's professional capacities
F38: The participation and application of the board of directors or audit committee in the internal control of the auditee
F39: Management's operational philosophy and risk tendency (for instance, a tendency to pursue high-profit and high-risk investment)
F40: Management's attitude about too optimistic financial reports
F41: The management emphasis on the precise preparation process of financial information
F42: Appropriateness of organizational structure and chart of auditee
F43: Clear division of power and duty in auditee
F44: Human resource policy of auditee

Risk of validity of accounting system (the performance control of the system)
F51: Re-examination of obtained results of operational activities such as planning, budget, internal control performance
F52: Procedures regulated about data processing and their dealing policies as the base for the employees
F53: Substantial control of accounting records and safety of assets
F54: Efficient professional capacity division of financial reporting employees such as financial manager, accounting information system's staff, and internal auditor (duty division in finance, accounting and auditing)

Supervision category
F55: Proper supervision of the process of accounting information preparation, including the occurrence of transaction and accounting record, supporting information, dealing report of accounting subject and editing and changing
F56: Installation and efficient responsibility of internal audit department in auditee
F57: Process used by internal audit to prevent, detect and correct errors or frauds in auditee
F58: Independent confirmation process toward the auditee operational performance, like inventory management

In the first round, the valid percent for three factors (F18, F22, and F23), which were all categorized as inherent risk factors, was the highest. More than 90% of experts believed their degree of importance was high or very high. In the second round the percent went even higher, to 91%, 98% and 100%, respectively. In Table 3, the unimportant factors have been specified with the color gray. Two factors had the lowest percents (F5 and F8; 78% and 87% on average or lower than average options) and both factors are in the audit risk category. Overall, seventeen factors were placed as unimportant factors. For instance, for the fourth factor (F4), 25 experts evaluated the effect of this factor on risk as "average", while 22 experts believed that its effect was "high"; hence we categorized it as an unimportant factor.
According to the results in the first round, most responses were on the "average" or "high" options. In addition, three new factors were proposed by experts and we added them as new factors to the questionnaire in the second round. Experts were allowed to assess them as well as the prior factors, which were assessed for the second time. These new factors are presented in Table 3, two factors on audit risk and one on inherent risk. According to the results in the second round, all 16 factors could be ranked as unimportant factors again. Furthermore, in this round another factor (F49) ranked as unimportant, while two of the new factors proposed by the experts in the first round were recognized as important factors (more than 50% of responses showed that the importance degree of these factors was either "high" or "very high").

Chang et al. (2007) studied critical factors affecting audit, inherent and control risks through the Delphi method in the Taiwanese auditing environment. They used the mean of responses on a 5-point Likert scale to recognize unimportant factors. The risk factors with a mean of 3.5 and higher were recognized as "important" and risk factors with a mean less than 3.5 were classified as unimportant. Table 4 compares the results (unimportant risk factors) of the two methods, frequency and mean of responses. In two subcategories, "Account remaining sum level" in inherent risk and "Control activity" in control risk, all factors were identified as important in both rounds. It shows that, based on the experts' opinion, these factors are important for the assessment of detection risk in the ARM. Similar to the work performed by Chang et al. (2007), the factors with a mean less than 3.5 were identified as unimportant factors. As Table 6 indicates, for audit risk there are only two unimportant factors which are confirmed by one method but not by the other (F4 and F9), while for inherent risk only one risk factor (F20) is not repeated by both methods. In control risk factors, all factors are common to both methods (except for two, F58 and F49). Overall, of the 17 unimportant factors, 7 are control risk factors. In the study by Chang et al. (2007) in Taiwan, the number of Delphi panel members was 30, in two groups of 15 experts, external and internal auditors. However, in the present study, the number of Delphi panel members is 60, with two equal groups of external auditors from governmental and private firms.
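The frequency rule and the mean rule compared above can classify the same factor differently. The following added example (not code from the paper) applies both to Likert response counts; it assumes the paper's frequency rule means "the modal option decides", and all response counts are constructed except the 25 "average" and 22 "high" votes for F4 quoted in the text.

```python
"""Classify Delphi factors by two rules: modal response vs. mean >= 3.5."""

SCALE = ("very low", "low", "average", "high", "very high")  # scored 1..5
MEAN_CUTOFF = 3.5  # cutoff the page attributes to Chang et al. (2007)


def modal_options(counts):
    """Indices of the most frequent option(s); a tie returns several."""
    top = max(counts)
    return [i for i, c in enumerate(counts) if c == top]


def classify_by_mode(counts):
    """Frequency rule, read as: the modal option decides (assumption).

    A factor is important only if every modal option is 'high' or
    'very high'; a tie that includes 'average' or lower is unimportant.
    """
    important = all(i >= SCALE.index("high") for i in modal_options(counts))
    return "important" if important else "unimportant"


def mean_score(counts):
    """Mean Likert score, with options scored 1 (very low) to 5 (very high)."""
    total = sum(counts)
    if total == 0:
        raise ValueError("no responses recorded for this factor")
    return sum((i + 1) * c for i, c in enumerate(counts)) / total


def classify_by_mean(counts):
    """Mean rule: important when the mean score reaches the cutoff."""
    return "important" if mean_score(counts) >= MEAN_CUTOFF else "unimportant"


def compare(factors):
    """Apply both rules to every factor and flag where they disagree."""
    rows = {}
    for name, counts in factors.items():
        if len(counts) != len(SCALE) or any(c < 0 for c in counts):
            raise ValueError(f"{name}: need five non-negative counts")
        if sum(counts) == 0:
            raise ValueError(f"{name}: no responses recorded")
        by_mode = classify_by_mode(counts)
        by_mean = classify_by_mean(counts)
        rows[name] = {
            "mode": by_mode,
            "mean": by_mean,
            "mean_score": round(mean_score(counts), 2),
            # Share of the panel on the modal option: a rough consensus gauge.
            "modal_share": round(max(counts) / sum(counts), 2),
            "disagree": by_mode != by_mean,
        }
    return rows


# Constructed panels of 56 respondents (the first-round response count).
# Counts are (very low, low, average, high, very high).
SAMPLE = {
    # 25 'average' and 22 'high' are from the text; the other 9 are constructed.
    "F4": (0, 2, 25, 22, 7),
    "strong_consensus": (0, 1, 3, 20, 32),
    # Modal option is 'high', but many low votes pull the mean under 3.5.
    "polarised": (12, 10, 12, 18, 4),
    # 'average' and 'high' tie for the mode.
    "tied_mode": (0, 4, 22, 22, 8),
}

if __name__ == "__main__":
    for factor, row in compare(SAMPLE).items():
        print(factor, row)
```

A factor flagged with `disagree` is one whose classification depends on the statistic chosen, which is the situation the text reports for F4.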

Discussion
The aim of this study was to recognize the critical factors affecting the risks under the ARM required by professional standards. Risk assessment is a central point in audit cases under RBA. The results of this research provide insights into the most important factors which affect auditee risks in the Iranian business environment. However, there are several important factors which could influence judgment issues like risk assessment. Chen and Huang (2008) found that culture affects the assessment of risk in auditing. They compared Taiwan and Singapore auditing and found that the efficiency of control activities is correlated with the risk assessment of auditors. To assess the risk, the control environment of the auditee and its identification are important. Therefore, professional judgments in auditing such as risk assessment could be associated with particular cultures in different countries. The comparison of the differences between the results obtained from different countries could be helpful for assessing the risks more precisely. This comparison could also add value to international auditing and accounting. An independent audit lends credibility to financial statements for users; therefore, applying RBA could enhance the assurance of users and directly influence their decision making.
We also compared the results with a similar study in Taiwan. What is considerable in Table 5 is that factor 6, "Auditor's financial relationship with a particular client or particular groups of clients", was identified as an unimportant factor in both rounds, while the new factor named "Auditor's non-financial relationship with auditee" (proposed by experts) was identified as an important factor in the second round. In addition, F5, the consideration of audit costs while using the audit strategies and procedures, which is among the audit risk factors, was identified as one of the least important factors. It suggests that in the Iranian auditing environment non-financial relationships with the auditee could be even more risky than financial relationships, while this factor does not exist in the Taiwan auditing environment.
In the present study, seven factors (out of 58) are in control risk; however, in Chang et al.'s study five factors (out of 53) are in control risk. This could be related to the more important position of internal auditors in Taiwan in comparison with Iran. Taiwanese internal auditors in public companies are required to report annually to external users (Chang et al., 2007); however, in Iran internal auditors do not have such a duty. Internal auditors should consider the risks related to an auditee when planning in a risk based approach; specific procedures are generally more effective and efficient than a procedures-based approach because the internal auditors focus on areas with relatively more risks (Colbert & Alderman, 1995). However, research shows independent auditors in Iran could not rely on the findings and reports of internal auditors (Nikkhah Azad & Noroozi, 2000; Keramati, 1996).
Hence, this study can indicate the importance of internal auditors in auditing risk assessment.
This paper reorganized 42 critical risk factors influencing detection risk assessment identified by audit experts and allocated the risk factors into three dimensions according to the ARM and eight categories according to the related literature.
Professional judgment issues like risk assessment affect several factors in auditing. These issues could be influenced by the particular culture and environment of countries. The study of the factors affecting risks in the ARM could help apply the RBA approach. Furthermore, auditors could employ the results of the research to identify and assess risks in the Iranian audit environment by increasing the preciseness of risk assessment. This could also help the audit risk model become more practical. To guard against recent audit failures and increased frauds in the current uncertain environment, auditors should consider all risks in auditing.

Conclusion
This paper has identified the critical factors affecting the risks proposed in the ARM in the Iranian audit environment. Our Delphi panel consisted of 60 audit partners and managers. The panel consisted of two equally divided groups, one from the audit organization, a governmental organization, and the other from private audit firms. We employed two rounds of Delphi, with 58 critical risk factors extracted from auditing literature and Iranian auditing standards and presented to the experts. There were 43 factors categorized as important factors to assess the risks in ARM. The results were considerable in an Iranian audit environment; findings show the most important factors were among the inherent risk factors. Finally, we made a comparison with a similar study in Taiwan. Differences have indicated that in professional judgment issues like risk assessment, the consideration of particular culture and environment could help enhance the precision of assessments, especially in assessing control risk factors.

Table 1
Professional position of auditors in Delphi panel

Table 2
The experience of Delphi panel's members

Table 3
Affecting factors upon risks in Audit Risk Model (Are the HR policies, like employment, promotion and examination, clear?)

Table 4
Deleted factors based on the two methods

Table 5
Comparison of results
Table 5 compares unimportant risk factors (in each subcategory) from this study (17 factors out of 58) with Chang et al.'s results (9 factors out of 53). The similar factors in both studies have been highlighted in gray.