Data Audit: Its Place in Auditing

Stephen E. Loeb and Adil E. Shamoo

1. BRIEF REVIEW OF THE HISTORY OF AUDITING

Evidence indicates that the concept of auditing has existed since ancient times. Mcmickle and Elrod present an interesting brief description of the historical development of auditing. They point out that "many ancient, civilizations developed various audit-type procedures." Brown traces auditing to ancient Egypt, Greece, and Rome. Further he notes the use of audits in 14th and 15th century England. Modern public accounting, however, seems to have developed as a consequence of the business expansion of the 19th century (Mcmickle and Elrod). In the 19th century public accountants were mainly concerned with fraud and audits were structured accordingly Mcmickle and Elrod, notes that "the first audits in America were patterned after the British general audit the most important duty of the auditor was to detect fraud". Chatfield) indicates that early U.S. auditing was viewed "mainly as verification of book keeping detail." In more recent years the focus of audits by public accountants has moved away from fraud to that of consideration as to whether the financial statements of an entity are presented fairly. Mcmickle and Elrod note that at about the beginning of the 20thn century a new occupation internal auditing came into existence. However, they note that internal auditing really began to develop in "the late thirties and the early forties." Government auditing was probably one of the earliest types of auditing. In the United States the establishment of the General Accounting Office in 1920 was of major importance to the progress of government auditing .

2. VARIOUS KINDS OF AUDITING AND AUDITORS

In the previous section several kinds of auditing and auditors that exist today were mentioned. Many basic auditing textbooks cover the distinctions between various kinds of auditing and auditors. Since many readers of this journal are not likely trained in auditing or accounting, a brief description of both in an early issue seems appropriate. Consequently, in this section the various kinds of auditing and auditors that exist in the United States are discussed. A consideration of auditing and auditors in other nations is beyond the scope of this current paper. However, a discussion of auditing on an international level and the possible international development of data auditing is an appropriate topic for future research and discussion of Auditing Financial Auditing. Financial auditing in the United States is normally thought of as being performed by public accounting firms. In performing this function the public accountant evaluates the financial statements of an entity and then in a report states whether or not these financial statements as presented are fair. The results of such financial audits can be used both within and outside the audited entity. In the United States the public accounting firms are generally Certified Public Accounting (CPA) firms. However, since individual CPAs are certified and licensed by each state or territory, the privilege of practicing public accountancy is determined by the laws in the state or territory. In fact, in some jurisdictions it is not necessary to be a CPA to practice public accounting, thus allowing certain non CPAs (depending on the

jurisdiction) to perform independent audits. Financial auditing in the United States can also be performed by auditors other than public accountants. Any auditor evaluating financial data is in essence performing a financial audit. Thus, for example, a government auditor can conduct a financial audit. However, in general in the United States, independent financial audits for use of third parties are performed by a public accounting firm. "Operational audits, also known as performance, management, or value-added audits, evaluate the economy (cost), efficiency, and effectiveness of an organization's operations. Compliance auditing involves an auditor looking to see if an entity complies "with certain rules or procedures set forth by either [that entity] or a third party." For example an auditor can determine if a entity is complying "with fair-hiring practices in connection with a contract for the federal government." Attestation Engagements. In 1986 the American Institute of Certified Public Accountants (AICPA) issued a Statement on Standards for Attestation Engagements (AICPA, 1986) in which the AICPA gives "guidance and [establishes] a broad framework for a variety of attest services" (AICPA, 1986, p. 2). With this statement the AICPA formally recognized the role of the CPA in public accounting giving "assurance on representations other than historical financial statements and in forms other than the positive opinion." Examples of these types of activities are: "reports on descriptions of systems of internal accounting control; on descriptions of computer software; on compliance with statutory, regulatory, and contractual requirements; on investment performance statistics, and on the accuracy of college textbooks. Thus, the AICPA has legitimized a new type of audit service. In the United States, independent external auditors practice in public accounting firms. These firms are independent contractors that perform financial audits for client entities. However, while performing independent external audits they are, in essence, representing the interests of societyespecially third party users of financial statements. In addition to financial audits S. E. Loeb and A . E. Shamoo provide other types of auditing services such as compliance audits, operational audits, and attestation services for clients. Many entities have internal auditors working as employees. These are individuals who work for an organization and carry out various auditing functions for the organization. Many public and private corporations have internal auditors as do government units and agencies in the United States at the federal, state, and local levels. Internal audits can provide a variety of services for their employer including financial, compliance, and operational audits. In addition to internal auditors, some government agencies have full time auditors who actually audit outside entities or the general public. An example of such an auditor would be an Internal Revenue Service auditor who audits the tax returns of individuals as well as other entities. This "outside" auditing can be viewed as a form of external government auditing.

3. GENERIC NATURE OF AUDITING

What Is an Audit? The American Accounting Association Committee on Basic Auditing Concepts defined auditing as: "a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users." This definition has been used by many auditing textbooks in discussing the nature of auditing. Consequently, it seems appropriate to consider this definition as a standard and therefore to

consider it in the development of a definition of data auditing. The COBAC felt that their definition covered a "financial audit, management audit, operational audit, performance audit, and compliance audit." Further, the COBAC pointed to the following key phrases in their definition. "Systematic process" "objectively obtaining and evaluating evidence" "assertions about economic actions and events" The COBAC indicates that an audit involves "planning" to help accomplish "a set of audit objectives auditing is based, in part at least, on the discipline and philosophy of scientific method. The COBAC notes that "all audits center on the process of obtaining and evaluating evidence. Indicates that "the link between economic activity and events and assertions about the activities and events is an accounting (information) system and the accounting process."

Auditing Is Not Accounting

Some auditing textbooks take great care to point out that auditing is not accounting. Since this is an interdisciplinary journal, we think is of value to discuss this issue. In their seminal monograph Mautz and Sharaf point out that "it is quite incorrect to consider auditing to be a subdivision of accounting." These authors note that "auditing is concerned with accounting but it is not a part of accounting, auditing has its principal roots, not in accounting which it reviews, but in logic on which it leans heavily for ideas and methods. Mautz and Sharaf go on to state that "insofar as the use of evidence is concerned, law and auditing are thus applications of logic to certain real situations; they are applied logic just as engineering may be said to be applied mathematics." Thus, auditing can occur totally independent of accounting. 4. EXISTING DEFINITIONS OF DATA AUDITING In the mid-1970 Glick concerned with the accuracy of research, suggested the establishment of an independent occupation in the private sector to conduct audits. According to Glick these audits would be performed on certain organizations, not on individuals. Glick uses the term "scientific audits" which he later suggests is a "review mechanism which evaluates the overall research climate in which investigations are carried out. Broad defines "Quality Assurance" as "an auditing process which oversees every aspect of a study from its first conception to the final report being issued." Noel appears to be the first to use the term "data audit which is the title of the paper. Further, in the first sentence of the paper Noel states "data auditing is the key to Good Laboratory Practice. Also, Noel indicates that auditing has two facets accuracy of recording in the production of raw data and the final report and "accuracy of scientific interpretation". Segal use the term "Data Audit Program" in discussing one aspect of the Food and Drug Administration's (FDA) "Bioresearch Monitoring Program." They indicate that this program [involves] inspections of clinical investigators. These inspections are limited in scope and are conducted by FDA field force. Huff (1986) uses the term "data audit" . However, his definition is of the term "audit" which he defines as "a methodical examination and review of a situation or condition concluding with a detailed report of findings. Shamoo and Annau (1987)state "the procedures for data auditing will have to be non-obtrusive so that scientists can carry out their work "

5. WHAT IS THE NATURE OF DATA AUDITING?

We offer the following as a possible definition of data auditing: The systematic process by which objective evidence is obtained and evaluated as to assertions about research data and their value to determine the degree of correspondence between those assertions and established or predetermined criteria which can then be communicated to interested parties. In formulating this definition, we have drawn heavily on existing literature especially the wording of the COBAC (1972) definition of auditing. A comparison of the two definitions the )COBAC 1972 definition of auditing and our definition of data auditing) will show that many of the words, phrases, and meanings are the same or almost the same. The key factors in our suggested definition of data auditing are: Data Auditing Should involve a "Systematic Process." "Systematic Process" is the same wording as is in the COBAC definition of auditing. It is also similar to Huff's (1986) comment that auditing is a "methodical examination and review." As with any audit, data auditing should involve careful planning to meet particular goals and objectives. Further, as with all audits, data audits should have a specific methodology. Data Auditing Should Involve Objective Evidence Obtained and Evaluated. The wording in this aspect of our definition is based on the COBAC definition of auditing. To be able to evaluate assertions about research data and the data's value, the data auditor will have to collect and evaluate evidence. The research data under consideration can be in any number of forms or formats (i.e., derived data, manipulated data, tables, figures, conclusions, and so on). Determine Degree of Correspondence Between the Assertions About the Research Data and the Value of the Data and Established or Predetermined Criteria. Again, the wording in this aspect of our definition is based on the COBAC definition of auditing. The data auditor's analysis should objectively ascertain if the research claims reasonably correspond to established or predetermined criteria. A data auditor should be able to conclude whether the research conclusions are justified by the data. As noted earlier, Noel (1979) mentions that the "accuracy of scientific interpretation" is an aspect of "auditing". The data auditor should use established criteria as a standard. If, however, established criteria have yet to be agreed upon, then the data auditor should use predetermined criteria set by the researcher who has used this predetermined criteria in forming interpretations and/or conclusions about data. Additionally, if conclusions based on the same data differ between research groups, the data auditor should attempt to verify whether the data are internally consistent, without taking a position on the interpretation of the data (and the researchers' predetermined criteria if such criteria were used). In the phrase "research data and the value of the data" we include research methods, research procedures, the data gathered, and the analysis of the data, and the conclusions drawn from the analysis of the data. This broad interpretation is based in part and consistent with Noel's (1979) definition of "data." Communicating the Data Auditor's Conclusions to Interested Parties. Again, the wording in this aspect of our definition is based on the COBAC definition. Also, Huff (1986) indicates that an audit should end "with a detailed report of findings." Further, as noted earlier, "Quality Assurance" should include "the final report being issued" (Broad 1979) For the data audit to be of value, the data auditor should communicate his or her findings to interested parties.

6. PLACE OF DATA AUDITING IN THE AUDITING DISCIPLINE

We think that the data auditing is defined above falls within the auditing discipline. There are many similarities between the two definitions-the COBAC definition and the data auditing definition. A key difference is the COBAC definition is concerned with "assertions about economic actions and events" and "the degree of correspondence between those assertions and established criteria," while the data audit definition does not mention "economic actions and events". Instead, the data audit definition focuses on "assertions about research data and their value" and "the degree of correspondence between those assertions and established or predetermined criteria." Notwithstanding this difference, we believe that data auditing falls within the auditing discipline. The difference seems to be related to the matter evaluated, not the audit process or approach. Data auditing has similarities to financial, compliance, and operational auditing. Furthermore, the public accounting profession now has a place for the data audit. More specifically, data auditing would fall within the concept of an attestation engagement. The AICPAs Statement on Standards for Attestation Engagements (1986) probably establishes overall standards and authority for the public accounting profession to engage in data auditing. Should public accounting firms elect to engage in data auditing, the individuals involved would need education/training in research. Furthermore, COBAC (1972) discussed possibilities for expanding auditing. The Committee took a position that any "extension of the audit function must possess the following attributes: 1. The subject matter must be susceptible to the deduction of evidential assertions. Such assertions must be both quantifiable and verifiable. 2. An information system must be present to record the actions, event, or results. 3. Consensus must exist on the established criteria against which the information prepared from the subject matter can be evaluated." (COBAC, 1972) Research data seem to possess the potential to meet these three criteria. In general, research data are both "quantifiable and verifiable." Further, research can be recorded on various media and can be part of various kinds of information systems. Finally, in research most measurement is often performed with established procedures and standards. However, as noted earlier, in evaluating data, interpretations and conclusions may be a function of a researcher's predetermined criteria.

External v. Internal Data Auditors

Data auditing can be performed by internal data auditors, independent external data auditors (from the private sector), government data auditors, or all three. "Quality assurance [units] as required by Food and Drug Administration (FDA) regulations for "nonclinical laboratory studies" (FDA,1978) seem to be internal data auditing groups. In addition, Segal et al. (1985) in discussing one aspect of FDAs "Bioresearch Monitoring Program" describe FDA performing a form of external government auditing. In independent financial auditing, the work of internal auditors may be used by the independent external auditor to supplement and enhance the latter's work. Ultimately for third parties to find a data audit useful, the audit probably would have

to be under the principal control of some type of external data auditor. The relationship of an internal data auditor to an external data auditor is a subject for future papers.

Public Accountant v. Data Auditors

Finally, consideration should be given to whether independent data auditing should be performed by public accounting firms, should be the province of an independent occupation of data auditors, or should be performed by both. As mentioned earlier, data auditing is in essence an attestation engagement and can be performed by a public accounting firm. Whether the accountancy laws in the various jurisdictions can be interpreted as limiting the field to public accounting firms is a legal question open to further research and discussion. Certainly, an occupation of data auditors is worth considering. Or alternatively, data auditing could be performed by both public accounting firms and a new profession of data auditors. As noted earlier, Glick (1975, 1976) suggested the establishment of an independent occupation in the private sector to conduct such audits.

7. DISCUSSION AND CONCLUSIONS

In this paper we briefly reviewed the history of auditing and the various kinds of auditing and auditors that presently exist. We noted that while these matters are discussed elsewhere, the interdisciplinary nature of data auditing justifies their review in an early issue of this journal. Next, we discussed the generic nature of auditing, reviewed existing definitions of data auditing, and defined the concept of data auditing in terms of the existing auditing literature. We concluded that data auditing is a type of auditing. As such, data auditing could be performed by independent external auditors, internal auditors, government auditors, or all three. Further, independent data auditing in the private sector could be performed by public accounting firms, an independent occupation of data auditors, government auditors, or all three. Data auditing is a new concept in auditing and as a result opens a new set of opportunities and a new set of challenges and issues.