Tactical Audit Planning: A Survey and Classification of Mathematical Programming Models

Audit scheduling – determining the audit timetable of a firm by assigning auditors to tasks over a planning horizon – is a crucial yet complex planning activity. Audit information is vital to guarantee operational efficiency and ensure the conformity of firm practices with the legal panorama. Nevertheless, audit departments are expensive, hence frequently under-dimensioned. Depending on the size of a firm and how constrained resources are, even finding a feasible audit schedule can be challenging. This paper reviews and systematizes mathematical programming models for tactical audit scheduling. Research directions are devised, considering the gaps that the systematization allows to reveal. Findings suggest that modelling and solving problems from real organizations and accounting for travel times and auditor eligibility, for a given audit activity, are the most appropriate directions for researchers to channel their efforts. Author


Introduction
Auditing is an ancillary yet fundamental activity. It consists of having an independent party inspect a given aspect of an organization and evaluating its compliance with established guidelines, norms, and regulations. Especially in large organizations, internal audits are valuable to ensure control systems are working according to specifications, as senior management is frequently unaware of the shop floor, and misreporting can happen. However, planning the audits of a large organization is an exceptionally complex task. It comprises determining the audit necessities in each of the business units, proposing a feasible schedule and assigning resources (i.e., teams of auditors) to each auditing activity. Moreover, within each business unit, an audit can cover different aspects of each given function, its timing must comply with firm policy, and can require the competences of specific teams. Notwithstanding, the plan must also be feasible under the tight budget and personnel constraints imposed on this overhead function (Paterson 2015). Audit scheduling possibilities scale exponentially with the size a firm. While mathematical programming methods can quickly solve small instances, the general form of the problem is shown to be NP-hard (Brucker and Knust 2005). That is, the problem cannot be solved deterministically in polynomial time. Consequently, manual methods provide unreliable solutions with no quality guarantee and waste valuable worker time. Moreover, large instances of this problem are extremely challenging for computational methods to solve optimally. A better strategy is to combine the speed and available time of computers with the ingenious assignment and scheduling strategies that managers can devise (Dodin, Elimam, and Rolland 1998). This implies the computerization of heuristics experts use, the application of meta-heuristics to the problem, or even the conception of decomposition strategies for the audit scheduling mathematical programming models. This paper extensively reviews and classifies mathematical programming models and solution methods for planning audits. It extends previous work (Mohamed 2015) by reviewing models introduced in the last five years and providing a classification framework for researchers to quickly and unambiguously identify the model used in each paper. Additionally, this survey establishes directions for future research regarding the topic and how audit planning research can be placed in a broader review to gain exposure from researchers from related fields. Therefore, the purpose of this paper is twofold: to establish a path that eases new research into audit planning and to direct the efforts of researchers to the directions which, from the viewpoint of this work, would most benefit the topic. The structure of this paper is as follows. After this introduction, a brief description of the search methodology is presented. To provide the reader with context, Section 2 introduces the practical aspects of audits: the motivation of firms to audit their accounts and processes, the usual types of audits and tasks involved. Section 3 contains the literature review and classification of audit planning models. The section is introduced with a short description of the search procedure used for this review. Finally, Section 4 amasses the conclusions of this work and provides directions for future research.

Search methodology
The review presented in this paper intends to systematize work done on planning audits. To enable this, the scope of this review is restricted to the assignment and scheduling decisions and the type of approach mathematical programming models.
The search for papers containing these models was conducted in Scopus utilizing Formula 1, which returned a mass of 267 documents. By manually analyzing the relevance of the title and keywords, the results were narrowed to 34 papers of potential interest. Then, by promptly analyzing the contents and structure of the papers, the body of relevant literature was again reduced to thirteen papers. The excluded papers either did not tackle both assignment and scheduling decisions or did not use mathematical programming approaches. Lastly, four papers of interest (Bailey, Boe, and Schnack 1974;Salewski and Bartsch 1994;Vairaktarakis 2003;Çanakoğlu and Muter 2020) were found by checking the references of these thirteen papers and the authors that cited them.

Context and Scope
Audits are a necessary expense for firms. They counteract the loss of control resulting from the size and design complexity of organizations, and fills creditors with confidence in them since processes they are ensured processes are being executed according to the established by senior management (Abdel-Khalik 1993). Audits can be qualified according to the aspect being examined. Accounting audits ensure the veracity of financial and economic statements, with its forensic counterparts investigating the possibility of fraud. Quality audits verify if the organization is operating in accordance with its established quality system processes. Compliance audits check if a firm carries out its activities according to governmental regulations (e.g., General Data Protection Regulation in Europe or the Sarbanes-Oxley Act in the United States). Management audits assess if the managing teams can apply the strategies established by upper management and are working in accordance with the interests of the shareholders of the firm. Finally, strategic audits verify if the current position of the firm is adequate with its strategy. Audits can be performed by internal or external teams and can focus on a department or business unit or a whole organization (Gabinete de Avaliação e Auditoria Camões 2014). This panoply of audits needs to be planned and scheduled according to the available resources and competences needed in each type of audit. Figure 1 schematizes the main audit planning decisions by level. This paper focuses on the scheduling and assignment decisions of the planning problem, on the tactical level. As the figure shows, there are several other decisions in this problem. A prerequisite for this problem to be formulated is that the activities that compose an audit task of each type (Kagermann et al. 2008) have been determined. Regarding the frequency of audits, on the strategic level, a common methodology is to use a risk-based criterium to identify the types of audits and business units more advantageous to allocate audits to (Koutoupis and Tsamis 2009). The workforce should then be sized according to the risk an organization is willing to tolerate and its budget. Assuming the tasks per type of audit have been determined, the strategic question of determining the time between audits of each type, to which much work has been devoted to (Morey and Dittman 1986;Knechel and Benson 1991;Carey and Guest 2000;Rossi et al. 2010;Boritz and Broca 1986). Nevertheless, this survey overlooks papers tackling this decision. Moreover, Schneider and Nurre (2019) introduce an interesting audit-themed vehicle routing problem. Notwithstanding, it diverges from the purpose of this survey. Additionally, we exclude from the survey audit scheduling work which uses the program evaluation and review and critical path (PERT and CPM) methods. Work such as that of Burgber (1964), who introduces PERT to auditing, and of Elmaghraby and Kamburowski (1992), who develop the different types of dependencies between tasks, are not contemplated. However, work using PERT methods, including both scheduling and assignment decisions, is analyzed.

Mathematical Programming in Audit Scheduling
This section contains the review and classification of the mathematical programming models for audit assignment and scheduling. A summary exposition of the gaps in the research, allowing research directions to be derived, follows. Summers (1972) was first in applying mathematical programming to audit scheduling. With the objective of maximizing a payoff function, the author introduces a linear program to allocate limited staff hours to audit tasks. The program imposes lower and upper bounds on the hours a staffman can work, and on the duration of each audit activity. Besides billings, the objective function also evaluates the experience that auditors get from performing a task. Nevertheless, the author suggests that maximizing payoff can be myopic, losing sight of service quality. Bailey, Boe, and Schnack (1974) approach this gap by applying goal programming to the problem. As minimization objectives, the authors propose the length of the project (makespan), overtime, the time per audit engagement, and the mismatch between auditor and client. For maximization, they propose billings and audit-staff utilization. The auditors test the program for different rankings of the goals and show how this prioritization can be adapted to according to the objectives of the firm. Several other authors tackle the payoff-maximizing resource-constrained audit scheduling problem. Hemaida (1997) proposes a version of the problem where the payoff that an audit activity generates is the unconformity risk it covers. In this paper, he presents an instance of an application to a local hospital. Perron (2010) tackles the payoff-maximizing problem with teamwork. Audit teams must cover all skills needed for a job, and jobs are exclusive to teams. The model includes an application-based constraint impeding an auditor from engaging in two sequential audit activities separated by idle time if these activities are far away from his home.

Literature review
To solve this problem, the authors provide multiple decomposition strategies consisting of separating team formation from assigning tasks. Rai et al. (2013) approach the problem of maximizing risk coverage with auditor-task exclusivity and the requirement of completing all jobs above a certain level of risk. The authors use this model in a real case of auditing autoparts suppliers before the launch of a new vehicle.
There is significant work aiming to minimize the duration of a project composed by audit tasks under the resource capacity constraints. Vairaktarakis (2003) approaches the problem with imposed precedence between tasks, exclusivity, and task eligibility. The latter implies only a subset of the auditors has the necessary skills for some of the tasks. The authors develop strong lower-bounds for the problem and propose a variety of heuristics. The model Yildirim, Angün, and Öncan (2019) use includes exclusivity and precedence relations between tasks along with tailor-made constraints for assigning a specific auditor to a given task. Çanakoğlu and Muter (2020) tackle the problem with teamwork, where an auditor can only be assigned to a team, a team to a job, and the resources of that team must be enough to fulfil that job. The auditors propose several heuristics to solve this problem, among which a tabu search procedure performed best. The model is then applied to the real case of a Turkish financial institution.
Three main studies are focus on audit expenses. Drexl (1991) tackles audit scheduling with the objective of minimizing costs, task precedence, and the requirement that all activities must be completed. The authors propose heuristics for the problem and develop a procedure to calculate strong lower bounds instances of the model. Salewski and Bartsch (1994) approach the expense-minimizing problem with sequence-dependent setups between audits engagements, which can be used to account for travel. These setups result in different cost incurrences and require different time-lags according to the order activities are scheduled. The authors compare the performance of genetic algorithms with greedy randomized procedures to find that the former outperforms the latter. Chang (2002) studies solution methods for both the problems of minimizing makespan and audit expenses. The author proposes to rank tasks according to their priorities (based on the critical path method) and assigning the most efficient or cheapest auditors to critical tasks, according to the objective of the problem. Chan and Dodin (1986) propose a program which minimizes auditor-client mismatch and tardiness costs, the most prevalent objective in audit scheduling. Besides delimiting bounds on auditor hours, their model imposes precedence between the tasks and exclusivity constraints. Dodin and Huang Chan (1991) study three variations of this model. One minimizing the mismatch, another minimizing tardiness and the one from his previous study which accounts for both objectives. The authors apply the models to the case of a local accounting firm. Elimam (1997, 1998) have originally introduced sequence-dependent setups to the audit scheduling literature. Given the complexity that this feature adds to the model, Dodin, Elimam, and Rolland (1998) propose a tabu search solution procedure for it. Chan, Lam, and Cheng (1998) tackle the problem with travel, imposing a one travel limit per task and including the out-of-town expenses of each auditor in the objective. The authors apply their approach to a medium-size international accounting firm. Finally, Brucker and Schumacher (1999) without featuring travel, introduce job release times and time-windows for auditor availability.

Literature systematization
As explored in Section 2, audits come in all shapes and sizes and, as the review in the previous subsection suggests, mathematical programming models for audit scheduling too. By objective, audit scheduling mathematical programming models can be divided into four main groups. The first group is relative to payoff maximization and includes models with the objective of maximizing the expected returns from performing a set of tasks, activities, or engagements. These general returns can assume the form of billings, premiums given by the presence of specific auditors, the experience that auditors acquire, the overall price of the audit engagement or even the risk that the audit covers. The second group of models attempts to minimize the duration of the in which the audit engagements are performed or makespan. The third group minimizes audit expenses under the constraint that all activities must be performed. These expenses are respective to the pay of the selected auditors and to other expenditures they engage in, necessary to the task. The fourth group of models minimizes the auditor-client mismatch and tardiness costs. Fitting into all of these four groups, the work of Bailey, Boe, and Schnack (1974) applies goal programming to an array of objectives. Table 1 summarizes the literature review and systematizes papers by the objective of their model. The interpretation of the payoff, mismatch, tardiness, and expenses columns is straightforward. The utilization column asks if the model attempts to maximize the usage of available auditor time. Setup is relative to the minimization of the costs of changing between activities, such as travel. Lastly, the audit time column shows the models that attempt to minimize the average time per audit. Audit scheduling models may also be classified by the features they can account for, as in Table 2. The requirements activities have can differ between types of audits and firms. Nevertheless, by making use of constraints, most of the real-world implications of audit planning can be incorporated into mathematical programming models. The inclusion of capacity and utilization constraints is ubiquitous in audit scheduling, either by imposing limits on the time auditors work or just by the number of auditors being finite. Given the nature of the objective, some models need to require the completion of specific jobs explicitly. It is also relevant to consider the duration of the audit engagement, either for budgeting or because it can be limited by the availability of human resources in the client firm or department. Besides resource capacity, exclusivity (one resource, one task) and task precedence are the most recurrent features that models include. Given that capacity constraints are transversal to all models of this survey, this column is omitted. The interpretation of the completion, duration, exclusivity, and precedence columns is straightforward. The travel column states that a model includes sequence-dependent setups after each activity. The windows column shows if the model includes time-windows in auditor availability. The column entitled eligibility is relative to models that require specific auditors, or teams of auditors, given their skills and competences, to perform a given task. Lastly, the teamwork column is relative to models which consider teams of auditors, comprised of elements with potentially different skillsets, are assigned to tasks, rather than individuals. Elimam (1997, 1998 Table 1: Summary of audit assignment and scheduling models used in each paper and classification by objective function (Y means objective is considered) Elimam (1997, 1998

Research gaps
Systematizing the literature enables the identification of several trends in audit scheduling research. Models considering risk-based payoff functions apply them to practical cases (Hemaida 1997;Rai et al. 2013). Models minimizing makespan tend to be similar to job-shop scheduling models. Task precedence is not considered in these models. Moreover, recent models consider auditor eligibility for a task, given its skillset, and the possibility of assigning teams of auditors to tasks. Furthermore, some gaps are made evident. Models featuring teamwork never consider the duration constraints or the capacity of audit clients. Eligibility and payoff maximization have not been considered together in papers with examples of practical application. Travel has been neglected in recent papers, and there is no model intersecting travel with eligibility or teamwork. Time-windows were only considered for a mismatch and tardiness minimization problem with exclusivity and precedence constraints. Finally, there was a single paper making use of goal programming to conciliate the number of potential objectives of the plan.

Conclusions
In this paper, the author reviewed mathematical programming models for audit scheduling. This survey may prove useful for researchers entering this topic and others who wish to update their knowledge of this topic with the developments made in the last five years. It is particularly interesting for researchers that tackled other scheduling problems to make the transition to audit scheduling. Therefore, relating this research to job-shop scheduling and resource-constrained project scheduling appears as the next step in increasing the exposure of this problem. The narrow scope of this survey allows for the research on these models to be systematized. This is valuable since it allows researchers, and even practitioners, to immediately perceive if the tactical audit scheduling problem they are facing is already modelled and has been tackled before. Moreover, it enables the swift identification of research gaps. From the observed gaps, five research directions were derived which seem the most promising. Firstly, real cases and the inclusion of their context-specific constraints will never lose relevance. Guaranteeing that the developed models see practical application is a must for any stream to attract researchers and funding. Secondly, the use of goal programming (Bailey, Boe, and Schnack 1974) can be an effective way of aligning the objectives of the models and senior management. Given current practices, an expense minimization objective subjugated by a risk coverage one seems to be a sensible unexplored approach. Thirdly, given the difficulty of solving the large audit scheduling problems of real companies, the structure of these problems needs to be looked at to devise decomposition strategies, and the application other metaheuristics besides, tabu search, should be tested. Fourthly, the auditorclient compatibility seems to be highly valued in audit planning approaches. It would be interesting to conceive models which account for the possibility that a relationship which is too good can result in bribing and misreporting. Lastly, models which feature eligibility, travel times and teamwork are a must in the current operational panorama, composed of international organizations and specialized workers.