The Past and Future of Reasonable Assurance
By Dan L. Goldwasser
NOVEMBER 2005, SPECIAL ISSUE

The accounting profession has long contended that an audit
conducted in accordance with generally accepted auditing standards
(GAAS) provides “reasonable assurance” (as opposed
to “absolute” assurance) that the subject financial
statements are free of material misstatements. Although the
profession has steadfastly contended that its audit reports
are worthy of reliance, only recently has it tried to clarify
what “reasonable assurance” means.

To be sure, the term “reasonable assurance” leaves
much to the imagination. That in itself poses a problem
for the profession, which, since the mid-1980s, has striven
to close what it has called the “expectation gap”—the
gap between the level of assurance that financial statement
readers expect of an audit report and the level of assurance
that an audit report actually provides. To this end, the
accounting profession rewrote its auditing standards to
provide more-explicit guidance and has, together with accounting
regulators, stepped up its oversight and disciplinary measures.

These efforts did not, however, eradicate financial fraud, and
the public outrage in response to such massive frauds as
Enron, WorldCom, Adelphia, Cendant, Livent, and Waste Management
led to the enactment of the Sarbanes-Oxley Act of 2002 (SOA)
and the formation of the Public Company Accounting Oversight
Board (PCAOB). In an effort to restore public confidence
in the audit process, SOA section 404 requires public companies
to document their internal controls and requires their CEOs
and CFOs to certify as to the effectiveness of those controls.
In addition, SOA requires that each public company’s
auditors also attest to the effectiveness of those controls.

The PCAOB’s Standard

To effectuate the requirements of SOA, the PCAOB adopted Auditing
Standard (AS) 2, setting forth rules for the preparation
and issuance of such attestation reports on internal controls.
In AS 2, the PCAOB specified that the procedures that auditors
use in performing these engagements must provide “reasonable
(i.e., a high level of) assurance” that the client’s
system of internal controls is adequate. Thus, the PCAOB
equated “reasonable assurance” with “a
high level of assurance” at least in the context of
a section 404 attestation engagement. This suggests that
the assurance conveyed in a standard audit report should
also be of a high level.

This issue was first confronted by the International Auditing
and Assurance Standards Board (IAASB), which proposed adding
the phrase “a high level of assurance” to the
standard audit report. After considerable debate, however,
the IAASB eliminated this language, which elicited a firestorm
of criticism not only as to the appropriate level of assurance
to be conveyed by a financial statement audit report, but
also as to the processes of the IAASB in formulating its
auditing standards. The issue is now being considered by
the AICPA’s Auditing Standards Board (ASB), which
establishes auditing standards for nonpublic company audits.
On April 28, 2005, the ASB proposed an amendment to AU section
230 (defining “due professional care” in the
performance of work) that would equate “reasonable
assurance” with “a high level of assurance.”

The following arguments have been advanced in support of adopting
the PCAOB’s language:
- Auditors should appreciate the high level of assurance
  that the public expects a financial statement audit should
  provide.
- An audit conducted in accordance with ASB standards should
  provide no less assurance than an audit performed under
  PCAOB standards for public company audits.
- Audits must be planned and conducted to reduce the risk
  of a material misstatement to a low level. Accordingly,
  they should provide a “high level of assurance.”

Each argument, however, has serious flaws.

Motivating Auditors

It is important for auditors to realize that the public continues
to expect a low rate of audit failures and that they must
plan and perform their audit procedures in a manner that
will minimize the risk of an undetected material misstatement.
To date, the profession has sought to accomplish this by
providing further guidance as to the audit procedures that
must be performed, as well as the matters that should be
considered. In addition, audit standards now require that
all such matters be recorded in the auditor’s workpapers,
in order to create a discipline that ensures that the required
procedures have been properly performed. Enhanced annual
internal inspections and triennial peer reviews further
compel an enhancement in audit quality. It is therefore
difficult to comprehend how a call for a “high level
of assurance” will actually improve audit quality.

Certainly, auditors would like to eliminate all material misstatements
from their reports, if only to avoid civil litigation, not
to mention the disciplinary proceedings that are likely
in the wake of a disclosure of an audit failure. Auditors
that issue erroneous audit reports routinely face disciplinary
proceedings by the SEC, their state board of accountancy,
and the AICPA. Such proceedings are costly and time-consuming,
and can greatly damage a professional career. Therefore,
characterizing reasonable assurance as a high level of assurance
is unlikely to have any material impact on audit quality,
especially given that an audit failure is effectively a
career-ending event.

Dual Auditing Standards

Just as troubling is the lack of a definition of what constitutes
“a high level of assurance.” Some might characterize
it as being somewhat greater than the “more likely
than not” threshold required for tax opinions, while
others might characterize it as being only slightly below
a guarantee, or absolute assurance. Faced with such latitude,
it is difficult to understand how this term would do anything
but confuse auditors. At the same time, this shift in auditing
standards could also have a detrimental effect on financial
statement users, who may be prompted to forgo other means
of reducing their financial risks (such as better internal
controls or more-diversified investment portfolios), in
the belief that an audit report can effectively eliminate
the possibility of a financial fraud.

While it is clearly desirable that an audit in accordance with
the ASB’s auditing standards deliver the same degree
of assurance that audits in accordance with the PCAOB standards
provide—if only to avoid public confusion—there
are basic differences between public company audits and
audits of “nonissuers” (i.e., entities not subject
to SEC financial statement requirements). For example, all
public companies are required to maintain an effective set
of internal controls, which must be documented and tested
by the auditor; nonissuers have no corresponding requirement.
Therefore, one might expect public company audits to have
a greater chance of detecting material misstatements. Indeed,
the ASB has recognized in its discussions of AT 501 (its
standard for attestation reports on internal controls) that
an audit performed in conjunction with an internal-control
attestation will provide a higher level of assurance than
a stand-alone audit.

It is also worth noting that the intended use of financial
statements can affect the level of testing for the auditor
to employ. Public companies’ financial statements
are likely to be relied upon by a broad group of investors,
who may have invested hundreds of millions of dollars. This
alone would seem to call for a higher level of assurance.
Furthermore, although the PCAOB as an interim step adopted
the ASB auditing standards as of April 2003, it clearly
intends to adopt its own auditing standards. It is therefore
likely that over the course of time the two sets of auditing
standards will diverge in material respects. We can also
expect some divergence in the level of assurance that the
two classes of audits will provide.

In this author’s opinion, the argument that the two sets
of standards should provide the same level of assurance
is largely a political one; namely, that the profession
should not appear to be promulgating standards that provide
a lower level of assurance than those promulgated by public
regulators. Stated differently, the promulgation of lower
standards might make the profession appear more interested
in protecting itself than in protecting the public. Although
this would be an undesirable result, to mislead the public
into believing that it is receiving more assurance than
the profession is able to deliver would be far worse. This
would clearly not be in the public interest, because it
might deter financial-statement users from taking other
measures to protect their financial interests. This is the
argument that drug regulators use to prohibit the sale of
otherwise harmless products that purport to cure a variety
of human maladies.

Assessing the Audit Process

This raises the question of the level of assurance that can be
reasonably provided by a financial statement audit. Under
GAAS, an audit firm is required to assess the risks that
the client’s financial statements contain a material
misstatement and then to design its audit procedures (i.e.,
analytical procedures and tests of details) so as to reduce
the possibility of an undetected material misstatement “to
an appropriately low level.” Compliance with this
mandate should logically yield a high level of assurance;
however, risk-based auditing, although a useful concept,
is far from an exact science. It is doubtful that auditors
can actually quantify audit risks, much less eliminate them.

In theory, overall audit risk (AR) is the product of three
factors: the inherent risk (IR), that the client’s
financial statements will be misstated; the control risks
(CR), that the client’s internal controls will not
deter or detect material misstatements; and detection risks
(DR), the risk that any remaining material misstatements
will not be detected by audit procedures. Thus, audit risks
can be reduced to the following equation:

AR = IR x CR x DR

Because auditing procedures consist of analytical procedures and
tests of details, the above equation can be rewritten as
follows, where APR is the risk of nondetection by analytical
procedures and TDR is the risk of nondetection by tests
of details:

AR = IR x CR x APR x TDR

The auditing standards envision that auditors will use this
formula to design their audit procedures by assigning a
low level, perhaps 5%, to AR. The audit risk formula then
becomes:

IR x CR x APR x TDR = 5%

Using this formula to plan its audit procedures, the audit firm
must first determine the values of IR and CR. The audit
literature explains that the inherent risk of a material
misstatement is influenced by the extent to which—
- assets can be objectively measured;
- accounts are determined through complex calculations;
- assets are subject to pilferage;
- assets may be diminished through obsolescence;
- the company is subjected to litigation risk or regulatory
  restrictions; and
- the business is affected by interest-rate fluctuations.

Clearly, these and other factors could have a material impact on
the company’s assets and liabilities, and the more
such factors that are applicable, the greater the risk that
the information generated by the accounting system may be
materially incorrect. The problem is that neither the audit
literature nor common sense provides auditors with the means
to quantify the inherent risk of a material misstatement,
even assuming that the accounting system generates 100%
accurate information and that no foul play is present. In
fact, the problem of quantifying inherent audit risk is
so bewildering that auditing standards setters have generally
opted to combine inherent risks with control risks and treat
them as a single factor, usually designated as risk of a
material misstatement (RMM). In essence, they ignore the
inherent risk factor altogether; the audit risk equation
becomes:

RMM x APR x TDR = 5%

This is not altogether illogical, because presumably a company’s
internal controls should be designed to prevent or detect
the very material errors that are likely to be products
of the inherent risks associated with the enterprise. The
auditor is therefore instructed to focus on the effectiveness
of the client’s internal controls. In practice, auditors
complete long internal-control checklists and test a few
dozen controls (assuming they have not immediately concluded
that the client’s internal controls are wholly unreliable).
The problem is that this process reflects only a superficial
understanding of internal controls. This has been revealed
by SOA section 404–related efforts to document public
companies’ internal controls. Even companies with
relatively simple operations have been found to have several
hundred controls which, if defective, could give rise to
a material misstatement; in large complex entities, the
number of critical controls could number in the thousands.
For companies that have not been subjected to the section
404 process, evaluations of internal controls have been
and will continue to be highly superficial, if not altogether
deficient.

For the most part, however, auditors of small businesses simply
assume that the system of internal controls is unreliable
and that the risk of material misstatements is at the maximum
level, compelling them to perform “substantive audits.”
This raises the question of how auditors can design audit
procedures that reduce the risk of a material misstatement
to an appropriate low level. Typically, auditors focus their
efforts on those balance-sheet accounts that have the greatest
contribution to determining the client’s net worth.
While this approach has logic, the question remains as to
how much testing is required to reduce the risk of a material
misstatement to a low level. This problem is complicated
by the fact that most auditors of nonissuers do not employ
statistical sampling techniques. The resulting level of
assurance from their testing is, at best, an inexact estimate.
Moreover, even this more rigorous approach assumes that
the auditors are working with a complete universe of data,
that there are no missing assets or liabilities. If
assets or liabilities are missing from the company’s
records, the auditors’ computations of risk will necessarily
be flawed. Moreover, there is strong reason to suspect that
there may be a residual amount of risk that simply cannot
be eliminated, an element which is not even recognized in
the profession’s audit risk model. Therefore, while
reducing audit risk to a low level is a laudable goal, the
profession has little basis for concluding that it actually
achieves that goal with any regularity.

Making Promises That Can Be Kept

Of course, no one has presented empirical evidence showing
whether a properly performed GAAS audit will deliver a high
level of assurance. Perhaps the only available evidence
is the relatively low percentage of financial statement
restatements each year as compared to the total number of
public companies. Of the roughly 22,000 public companies
registered with the SEC, only 414 filed restatements in
2004, an audit failure rate of less than 2%. The problem
is that no one knows what percentage of audit failures actually
get reported in restated financial statements. Moreover,
it is by no means clear that these figures can be safely
extrapolated to non-issuers. For a profession that prides
itself on reaching conclusions based upon a sound evidentiary
foundation, proclaiming reasonable assurance to be a high
level of assurance is more a leap of faith than adherence
to empirical testing. The profession may be deluding itself
(and the public) that it can deliver audit reports with
a high level of assurance without greatly enhancing the
scope and sophistication of its audit procedures.

Those members of the profession that oppose the proposed references
to “a high level of assurance” also argue that
there is no pressing need to adopt this potentially misleading
language. They argue that the profession should continue
to try to improve audit procedures rather than seek to relieve
public pressure by offering potentially false assurances.
Moreover, they contend that those who press for this change
are simply responding to a public overreaction to recent
financial scandals. The additional financial safeguards
adopted in the post-Enron era are not, however, without
their increased costs. It is not unusual for section 404
procedures to cost several times the costs of an annual
audit; when the public realizes the full extent of these
additional costs, the clamor for more-effective financial
statement audits may well subside.

It is also worth noting that there is a qualitative difference
between the level of assurance that can be attained by testing
the effectiveness of internal controls and the level of
assurance that can be attained by testing a relatively small
sample of account data for material misstatements. This
difference alone calls for a lower level of assurance for
audit reports.

Notwithstanding the great strides the accounting profession has made in
improving audit quality since the adoption of SAS 53, it
is still not in a position to assure the public that a GAAS
audit has a high likelihood of detecting fraud. Such dubious
promises would only lull business owners and boards of directors
into a false sense of security—encouraging them to
give internal controls a low priority while doing little,
if anything, to actually enhance financial statement quality.

Dan L. Goldwasser, Esq., is a partner of Vedder, Price,
Kaufman & Kammholz P.C. in New York City and devotes most
of his practice to advising and defending CPA firms. He currently
serves as a member of the Auditing Standards Board.