The Impact of Electronic Data Interchange Information Technology on External Auditors James Ricks jricks@semo.edu Department of Management and Marketing Eleanor Henry ehenry@semo.edu Department of Accounting and MIS Dana Schwieger dschwieger@semo.edu Department of Accounting and MIS Aahmed Almosen MBA Program Southeast Missouri State University Cape Girardeau, MO 63701, USA Abstract In this paper, the authors propose the application of a paradigm for auditing services derived from relational constructs used in the maturing paradigm of services marketing and third party logistics efficiency concepts. Concerns regarding quality and cost efficiency have spurred a growing focus on services marketing. Thus, the time has come for extending this paradigm further to auditing services using EDI. The establishment of Electronic Data Interchange (EDI) with Automatic Data Collection (ADC) linkages between firms offers significant potential for the transformation of relationships with considerable benefits and responsibilities for all participants. The growing importance and ubiquitousness of ADC and EDI is considered as well as the need for additional cost efficiencies in business. It is proposed that unique, efficient auditing services using EDI and ADC will render those services of increased value and indispensable to the client, thus resulting in greater client retention and customer satisfaction rates for auditing firms which can prove particularly vital to small auditing firms. Keywords: EDI, ADC, auditing, auditing controls 1. INTRODUCTION Advancements in technology are changing the way that business is conducted. Organizations are often forced to accept and adapt to technological changes or fall to the wayside and be left behind. Government and industry regulations spur the movement toward the increased embedding of technologies; however that, in turn, forces businesses to adapt their standard methods for handling functional processes. One such area that is adjusting to the infiltration of technology into its standard business operations is the auditing process. In this article, the authors examine a relational paradigm, adapted from marketing research, for the auditing process by briefly providing a background on Electronic Data Interchange (EDI), reviewing the literature for Electronic Data Interchange / Automatic Data Collection (EDI and ADC) and examining the audit process in sections 2 and 3. In sections 4, 5 and 6, the authors discuss technology auditing issues and data transmission security. In section 7, the authors use constructs applied to marketing of services and third party logistics efficiency concepts to develop propositions, for consideration and further study of the offering of auditing services. 2. EDI AND ADC Automatic Data Collection (ADC) is defined as the collection of data by a firm without human input or with minimal effort. Scanning devices used to read product bar codes and meters normally collect the raw data. EDI, the main focus of the paper, is defined as the electronic exchange of business transactions between companies from one computer to another using an accepted standard format without human intervention (Jenkins, 1994). Changing business relationships profoundly, the objective of EDI was to obtain time and cost efficiencies through the direct exchange of data between clients (Sawabini, 2001). In the past, EDI was sometimes mistaken for other communication methods, such as electronic mail, general access to the Internet (Larson & Kulchitsky, 2000) or derivatives such as “Rip-and-Read” (Lauer, 2000). When EDI is errantly confused with other communication methods, its full potential cannot be realized (Quinn, 1991). For the exchange to be considered truly EDI, the process must go from one system to the other with no or minimal manual intervention. Over the past 20 years, the growth of EDI has been significant. In 2006, an empirical study was conducted of industrial marketing practitioners, researchers, and faculty. Over 1,400 individuals responded to the survey. In that study, the binding of client and customers together using EDI and ADC (Figure 3) was supported in a marketing and Information Technology empirical study (Ricks & Schwieger, 2006). It was estimated that over one half of all interorganizational business documents was transmitted between corporations by way of electronic data interchange. While a number of organizations have considered some of the EDI controls intrusive on trading partners, some organizations are transitioning to XML based data transmission to overcome those deficiencies Kaliontzoglou & Boutsi, 2006). Thus, organizations are being increasingly forced to realign their goals and make decisions with their business partners in mind (Kopczak & Johnson, 2003). Allowing clients and customers access to electronic data makes each firm more dependent upon the other and more committed to them and their mutual success. The concepts of EDI, ADC, XML and such areas of linkage relate well with the most current business thinking. However, the data linkages provided by EDI can enable organizations to reduce their costs while improving their response to customer demands. The speed at which data is electronically exchanged is much faster than the traditional paper-based method and systems can be programmed for numerous operations and business applications such as auditing. Peter Drucker (1988) discussed how new practices of management would need to evolve for the facilitation of information flow. Drucker noted that new practices could doom, or greatly alter, traditional hierarchical command and control of organizations. Whatever the level of change resulting from trends in electronic data linkages, it would continue to be a factor in future organizational thinking. Organizations were predicted to experience three changes from information technology linkages, they included: (1) flatness, (2) empowerment and (3) outsourcing (Meyer & Power, 1989; Rockart & Short, 1989; Savage, 1990). Drucker asked in 2004, “What is the most important impact of information technology on business? Information technology forces you to organize your processes more logically. The computer can handle only things to which the answer is ‘yes’ or ‘no’. It cannot handle ‘maybe’. It's not the computerization that's important then; it's the discipline you have to bring to your processes. You have to do your thinking before you computerize it or else the computer simply goes on strike.” How a firm handles computerizing services could be vital to efficiency. Flatness may lead to more demands for economical auditing services. Likewise, outsourcing could lead to higher demand for high technology auditing services and more specialization. With the emerging technologies being implemented by a vast majority of businesses in a variety of industries, auditing has no choice but to follow and adapt to new auditing strategies. Thus, more cost effective auditing objectives can be achieved. In a paperless business environment, the old image of an auditor with a bunch of papers and pencils is being erased not only in big auditing firms, but also in small individual auditing offices around the country and the world. With a lack of paper evidence to support processes, legal issues must also be considered in this new construct. 3. AUDITING The second stream of literature focuses upon legislative considerations in the field of auditing and the changes brought about from the application of EDI. With the decreasing paper trail resulting from electronic data exchange, there are practical considerations that must be made to abide by regulatory compliance requirements. 3.1 Legislative Considerations Internal control in information technology has become a major focus of government and industry regulations. The Sarbanes-Oxley Act of 2002 and the AICPA Statement on Auditing Standards (SAS) No. 94 (2001) both focus on internal control with the objective of providing reliable financial information. 3.1.1 Sarbanes-Oxley Act Section 404 of the Sarbanes-Oxley Act requires CEOs and CFOs to certify internal controls in their companies. Specifically, they must acknowledge their responsibilities for maintaining controls and procedures that pertain to financial reporting. They must also conclude and report on the effectiveness of internal controls and procedures for the firm’s annual report to the board of directors and shareholders. Finally, the external auditor must attest to the assertions made by management regarding internal control in the organization (Green, 2002). To protect auditor independence from management, Section 203 of the Act requires that the lead audit partner and audit review partner be rotated every five years on all public audits. The International Federation of Accountants (IFAC) has a similar rule specifying auditor rotation after no more than seven years (Doupnik & Perera, 2009). At the international level, the Public Interest Oversight Board, the Professional Oversight Board, and the International Organization of Securities Commissions (IOSCO) are examples of regulatory oversight similar to the PCAOB in the US. Regulatory scrutiny exists on the international scene as well as in the US with respect to the Big Four international auditing firms (Doupnik & Perera, 2009). Expectations are, first, that the Big Four will protect their international auditing markets. Second, more rules and regulations will be written and followed as a shield against litigation. Third, the audit function will continue to evolve in the direction of a partnership among the audit committee, internal auditors, and external auditors (Doupnik & Perera, 2009). 3.1.2 AICPA Statement on Auditing Standards (SAS) No. 94 SAS No. 94 requires auditors to consider information technology as part of the overall internal control process and provides guidance to the auditor in assessing internal control risk when a significant amount of financial information is processed in complex IT systems. Auditing through the computer techniques, such as test data, parallel simulation, or embedded audit modules should be used to test controls when firms have sophisticated IT systems. For auditors with little IT experience, the test data system is recommended (Cerullo & Cerullo, 2003). Other research studies have explored auditors’ reluctance to use sophisticated computer assisted audit techniques (Curtis & Payne 2008; Debreceny et al. 2005). The weakness in auditor training, experience, or background can be aided with IT expertise, either within the audit firm or within the client firm. Many audit firms employ IT trained staff to assist with audits for the purpose of external reporting. IT personnel within a client firm may occupy a position as internal auditor or assist with audits for the benefit of the auditor. Such assistance can provide a necessary interface to make full use of sophisticated computer assisted audit techniques above the level of test data. 4. AN OVERVIEW OF EDI INFORMATION TECHNOLOGY AUDITING ISSUES The use of EDI can generate numerous benefits to the company. Such benefits include cost saving in areas like paper and postage, labor, inventory, and shipping. Using EDI can also improve customer service and enhance internal processing as well as assist the company in gaining a competitive advantage. Auditing EDI is part of the information technology auditing group’s responsibilities. This group’s responsibility is to provide support to the general audit side on computer related aspects of their work by providing sufficient audit coverage of the organization’s information technology system. Both general audit and computer audit works should complement each other in providing adequate audit coverage for the whole organization. Before implementing an EDI system into business process operations, it is important for an organization to consider the auditor role in the implementation process. As it is true for any fiscally-oriented software development and implementation project, an auditor should be a part of the EDI development team. This is extremely important when addressing the internal control aspects during the development and implementation of EDI. 4.1 Information Technology Audit Mission Generally, the information technology audit mission would be to review, appraise, and report on: 1. Soundness, adequacy and application of the Information Systems operational standards; 2. Soundness, adequacy, and application of systems development standards; 3. The extent of compliance with corporate standards; 4. Security of the corporate IS investment; 5. Completeness and accuracy of computer-processed information; 6. Whether optimum use is being made of all computing resources; and 7. Soundness of application systems developed (Cascarino, 2007). In carrying out this mission, auditors generally conduct their audit in an information technology environment in two ways: auditing around the computer and auditing through the computer. 4.2 Auditing Around the Computer In auditing around the computer, auditors typically obtain an understanding of internal control and then perform tests of control, substantive tests of transactions, and account balance verification procedures in the same manner as if the accounting system were entirely manual. The auditor remains responsible for gaining an understanding of general and application computer controls because such knowledge is useful in identifying risks that may affect the financial statements. Figure 1- Auditing Around the Computer However, the auditor does not typically perform tests of computer controls. In other words, the auditor is not using computer controls to reduce assessed control risk. Instead, the auditor uses non-IT controls to support reduced control risk assessment. Figure 1 depicts the idea of auditing around the computer. 4.3 Auditing Through the Computer With the expanding use of IT and its implications, internal controls are often embedded in such a way that is visible only in electronic format. Therefore, traditional source documents such as purchase orders, shipping orders, invoices, and accounting documents can be found in electronic forms only. As a result, the auditor must change the approach from the auditing around the computer approach to auditing through the computer. Figure 2 depicts the idea of auditing through the computer. The appendix also contains examples that highlight the differences between auditing around the computer and auditing through the computer. Figure 2 - Auditing Through the Computer This study is recommending that when auditing in an EDI business environment, the auditors will be more effective using the auditing through the computer approach rather than the auditing around the computer approach. In particular, a method called Embedded Audit Module Approach is recommended. Under the auditing through the computer approach, there are two categories of testing strategies other than the embedded audit module approach which are the test data approach and the parallel simulation approach. For the purpose of this study, we will discuss only the approach that the auditor will likely use in an EDI environment, the Embedded Audit Module Approach. 5. EMBEDDED AUDIT MODULE APPROACH The embedded audit module approach is a programmed routine incorporated into an application program that is designed to achieve an audit function such as calculation or activity logging. More specifically, this approach uses an audit hook as an exit point in an application program. The exit point allows the auditor to subsequently add an audit module or any particular instructions by activating the hook to transfer control to an audit module (Whittington & Delaney, 2006-2007). There are several audit tools available from organizations such as ACL, BPS, Pentana, and AuditNet. The reason that the embedded audit module is the best approach for auditing in an EDI environment is the fact that it allows the auditor to monitor audit data on a continuous basis. The main downside of this module is that it requires the auditor to be involved during the system design phase. It is possible, however, that this module can be implemented after the system has been set up. There are many issues of which auditors should be aware in an EDI environment. Thus, they should plan and conduct their audits accordingly. The following section discusses three of the main issues that auditors will most likely encounter in almost any EDI business environment: (1) absence of audit trail, (2) absence of authorization, and (3) validation of payment. 5.1 Absence of Audit Trail Before widespread acceptance of computer technologies in the auditing practice, auditors were dependent entirely on paper audit trails. Every transaction had to have a paper document supporting and authorizing each transaction. When organizations started using computers in their daily business operations, auditors, as a consequence, had to conduct their audits on a printed audit trail from the system. Their concern about auditing in an electronic oriented business environment was overcome by the fact that all transactions could be saved and reviewed whenever they were needed. With the implementation of EDI, another concern arose. Source documents that supported transactions, in fact, did not exist or might be available for only a limited time. For example, purchasing orders were received from customers in electronic unreadable format from a central network repository. To address this issue from an auditing point of view, it is important to note that data entry is normally accomplished in one of three ways: 1. Source documents are batched, and then entered via direct entry terminals; 2. Source documents are entered as received; and 3. Transactions are entered directly without preparation of source documents (Hansen & Hill, 1989). In the first case, the batch number can serve as a batch reference. Thus, the auditor can trace these references to ensure the competency of any transaction. The second and third cases can be handled by off the shelf programmed routines. The programmed routine assigns electronic documents to batches and then numbers these documents automatically. The software generates a substitute for a source document. Surrogate documents typically indicate the person preparing or authorizing the transactions (Hansen & Hill, 1989). 5.2 Absence of Authorization One of the most important factors that auditors look for when auditing any internal control is the appropriate authorization for every transaction. Obviously, every transaction cannot be audited but instead, the internal control would be audited to estimate the possibility of initiating unauthorized transactions on that system. However, with the use of EDI and ADC, a transaction can be initiated electronically with no human intervention. In other words, a transaction can be initiated electronically based upon the occurrence of a particular event. For example, based upon the receipt of a purchase order along with customer’s credit satisfaction, an invoice may be generated and a shipping order may electronically be sent to the shipping department without any human authorization. These control problems can be mitigated, to some extent, by implementing the following procedures or similar procedures. All the purchase orders that require managerial authorization are held in a file created for this purpose. Access to this file (or files) must be restricted via levels of password controls. Encryption can be used to prevent data or password pirating. Computerized checks and balance programs can issue a first alert in detecting fraudulent activity (Hansen & Hill, 1989). It is important for the auditor to know how these controls are functioning in order to appropriately conduct his or her audit in a sound manner. 5.3 Validation of Payment The standard procedure that is followed by auditors in a paper-based system is to match vendor invoices with the purchase orders and the receiving documents. By doing so, the auditor can verify that the goods were actually ordered and received, and that the invoice accurately charges for only those goods received. In the EDI system, however, there are no documents that the auditor can match in order to verify the validation of payments. This issue is entirely dependent on the appropriate programming of the validation procedure. If the procedures are properly programmed, the programmed control routine verifies whether or not the amounts on the relevant electronic documents match the amounts being processed. If the two amounts do not match, an error message will be displayed. If the two amounts do match, a code is automatically applied to indicate the validation procedures have been completed (Hansen & Hill, 1989). Validation of payment is one of several audit procedures integrated in packaged computer assisted audit techniques (CAATS) used by auditors. While there are other factors that auditors should be aware of, the preceding three issues are to be considered the most important effects of EDI from an auditing standpoint. There are several threats that must be addressed and considered by auditors when auditing an EDI environment. These threats include, but are not limited to (Cascarino, 2007): 1. Manipulation of input by an authorized user; 2. An outsider accessing messages in transit and amending them; 3. Message adulteration resulting in an overstatement of transaction; 4. The loss of the transaction; and 5. Duplication of the transaction. 6. AUTHENTICATION AND ENCRYPTION When auditing an EDI environment, the auditors will likely encounter two methods of controlling securities. These methods include authentication and encryption. 6.1 Authentication Authentication involves the prevention of undetected modification of the message’s content. This may involve some key fields, or it may involve the whole message. Authentication is typically affected by the use of Message Authentication Code (MAC), which is calculated from the readable text-and-devices at the receiving end and compared to the transmitted value. In order for MAC to be effective, the authentication test must confirm that the sent and received tests and code values are identical. They must be transparent to the users and they must be automatically invoked. 6.2 Encryption Encryption offers a form of security based on the idea of keys. Typically, each party has two kinds of keys, a public key and a private key. The public key is distributed to others in a separate transmission. The sender of a message uses the private key, which stays with the sender, to encrypt the message. The receiver uses the public key to decrypt the message. Any encrypted message must be properly processed through the encryption algorithm after the keys are applied. As long as the private key is secure, the encryption scheme should provide a secure transmission. All encryption keys can be cracked, but the longer the key, the harder it will be to crack. 6.2.1 Encryption Keys Within an EDI environment, however, three keys are usually used for encryption; a master key, a key exchange, and the data key. The master key is used to protect the other keys and the cryptograms. The master key is unique to each network node and must be kept confidential within each organization. The key exchange key (KEK) is unique to each link in the network. Its function is to protect data keys during exchange when establishing communication between nodes. The data key or working key is used for both data encryption and message authentication. Once means are in place to ensure secure data transmission and all parties involved are satisfied with the business relationship, the business relationship should be long term. 7. PROPOSITIONS FOR MARKETING OF AUDITING SERVICES THROUGH THE COMPUTER Keeping in mind the technical detail involved in developing systems providing secure and auditable transactions, the authors draw from previous research to apply constructs used in marketing of services and third party logistics efficiency concepts. Some of the propositions developed in 2006 for business in general can be applied to the marketing of auditing services (Ricks & Schwieger, 2006). We also propose that three of these propositions will work as described for the auditing services market. P1 The higher the level of uniqueness of the EDI-Auditing system for a client of auditing services, the higher the exit costs for the client. P2 EDI-Auditing systems will provide consumers with more value for their purchases. The auditing system will become more efficient as EDI expands. As EDI and ADC expand, consumers will demand this level of value and service of all firms. P3 Businesses will be inclined to join with auditing firms who can deliver more computerized custom-made services efficiently, than auditing firms who cannot customize their services. Figure 3 – Interrelationship Model 8. TECHNOLOGY RELATIONSHIPS AND THE AUDITING PROCESS The selection of third party auditors for publicly traded firms is a significant, and hopefully, long term decision. Since changes in such relationships must be reported to the public through published financial statements, any significant change may signify a red flag to investors. Thus, when going through the process of selecting a third party auditor, publicly traded firms must consider elements of all three propositions due to the fact that the relationship is expected to be on-going and long lasting. Companies with international operations, whether publicly traded or not, face a situation similar to that of publicly traded companies. The number of qualified international auditors from which to choose is quite small. Thus, once an auditor is initially selected, the relationship is expected to be on-going. The situation for privately held firms is somewhat different. Although termination of an auditor relationship does not generate the same level of concern demonstrated on the publicly traded plane, the costs can be almost as great. In this type of situation, the three propositions prove more valuable. Propositions 2 and 3 will most likely affect the initial selection of the audit provider. Once a relationship is established, the exit costs, associated with Proposition 1, for the auditing client greatly increase the higher the level of uniqueness of the auditing system, The effect that EDI has upon a third party audit relationship is dependent upon the size and marketplace of the organization. The authors propose these three propositions for further study into the binding relationships that develop between auditors and their EDI clients. Those firms that embrace the emergent trends of the EDI and ADC business environment will be positioned to enjoy the marketing advantages indicated in the above three propositions 8. CONCLUSION In this paper, the authors examine EDI and ADC and its impact on the auditing environment. In the systems development process for creating a system with fiscal implications, it is important to involve the expertise of an auditor early in the development process. Thus, the interrelationship between the auditor and the organization can become strongly bound. Drawing upon work from industrial marketing and the binding of relationships resulting from EDI and ADC, the authors propose three propositions for further study examining the resultant binding that EDI and ADC generate in the organization/auditor relationship. 9. SOURCES Arens, A., R. Elder and M. Beasley (2008) Auditing and Assurance Services: An Integrated Approach. (12th edition) Prentice Hall, Upper Saddle River, NJ. American Institute of Certified Public Accountants (AICPA). (2001) The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit. Statement of Auditing Standards No. 94. New York NY: AICPA. _____. (AICPA). (2003) 2003 Audit Partner Rotation – Issue Brief. Retrieved from October 7, 2009. Cascarino, R. E. (2007) Auditor’s Guide to Information System Auditing. (7th edition) John Wiley and Sons, Hoboken, NJ. Cerullo, M. V. and M. J. Cerullo (2003) Impact of SAS No. 94 on Computer Audit Techniques. Information Systems Control Journal. Vol 1. pp. 53-57. Curtis, M.B., and E.A. Payne. (2008) “An Examination of Contextual Factors and Individual Characteristics Affecting Technology Implementation Decisions in Auditing. International Journal of Accounting Information Systems, Vol. 9 pp. 104-121. Debreceny, R., S.Lee, W. Neo, and J.S. Toh. (2005) Employing Generalized Audit Software in the Financial Services Sector: Challenges and Opportunities. Managerial Auditing Journal Vol. 20, No. 6, pp. 605-619. Doupnik, T. & H. Perera (2009) International accounting. (2nd edition) McGraw-Hill Irwin, Boston, MA. Drucker, P. (1988), “The Coming of the New Organization.” Harvard Business Review, Vol. 66, No. 1, pp. 45-53. Drucker, P. (2004) “Peter Drucker still batting at 94,” Interview with Brent Schlender, January 12, 2004 for Fortune (accessed June 26, 2009). Greene, F. (2002) Compliance with Sarbanes-Oxley and SAS 94: The Critical Role of Application Security in Internal Control. (accessed March 16, 2009). Hansen, J. V. & N.C. Hill (1989) “Control and Audit of Electronic Data Interchange.” MIS Quarterly. Vol.13. No. 4 pp. 403-414. Kaliontzoglou, A., Boutsi, P. and D. Polemi (2006) eInvoke: Secure e-Invoicing based on web services,” Electronic Commerce Research. Vol. 6, No. 3-4, pp. 337-353. Kopczak, L. R. and M. E. Johnson (2003) “The Supply-Chain management Effect.” MIT Sloan Management Review, Vol. 44, No. 3, pp. 27-34. Larson, P.D., Kulchitsky, J.D. (2000), "The use and impact of communication media in purchasing and supply management", Journal of Supply Chain Management, Vol. 36, No.3, pp.29-38. Lauer, T. W. (2000), “Side Effects of Mandatory EDI Order Processing in the Automotive Supply Chain”, Business Process Management Journal, Vol. 6 No. 5, pp. 366- 375. Meyer, C. and D. Power (1989) “Enterprise Disintegration: The Storm Before the Calm”, Commentary, Tample, Barker and Sloane, Lexington, MA. Quinn, F. J. (1991) “Why you Should Know About EDI”, Logistics Management, Vol. 30, No. 7, pp. 45-48. Ricks, J. E. and D. Schwieger (2006) “Development of an electronic data interchange model for channel management,” Journal of Strategic E-Commerce, Vol. 4, No. 1-2, pp. 51-70. Rockart, J. and J. Short (1989), “IT in the 1990s: Managing Organizational Interdependence”, Sloan Management Review, Vol. 30, No. 2, pp. 7-17. Savage, C. (1990), “Fifth Generation Management”. Digital Press, Boston. Sawabini, S. (2001), “EDI and the Internet”, The Journal of Business Strategy, Vol. 22, No.1, pp. 42-43. U.S. House of Representatives, Committee on Financial Services. (2002) Sarbanes-Oxley Act of 2002 (SOX). Public Law No. 107-204. Government Printing Office, Washington D.C. Whittington, O. R. & P. R. Delaney, (2006) “Wiley CPA Examination Review 2006-2007, Vol. 1: Outlines and Study Guides, (33rd Edition) John Wiley and Sons, Hoboken, NJ. Appendix - Examples of Auditing Around and Through the Computer Internal control Auditing Around the Computer Approach Auditing Through the Computer Approach Credit is approved for sales on account Select a sample of sales transactions from the sales journal and obtain the related customer sales order to determine that the credit manager’s initials are present, indicating approval of sales on account. Obtain a copy of the client’s sales application program and related credit limit master file and process a test data sample of sales transactions to determine whether the application software properly rejects those tests sales transactions that exceed the customer’s credit limit amount and accepts all other transactions. Payroll is processed only for individual currently employed. Select a sample of payroll disbursements from the payroll journal and verify by reviewing human resources department files that the payee is currently employed. Create a test data file of valid and invalid employee ID numbers and process that file using a controlled copy of the client’s payroll application program to determine that all invalid employee ID numbers are rejected and that all valid employee ID numbers are accepted Column totals for the cash disbursements journal are subtotaled automatically by the computer. Obtain a printout of the cash disbursements journal and manually foot each column to verify the accuracy of the printed column totals. Obtain an electronic copy of the cash disbursements journal transactions and use generalized audit software to verify the accuracy of the column totals. Source: Arens, A. Elder, R. & Beasley, M. Auditing and Assurance Services, An Integrated Approach (12th edition, 2008)