Internal control assessment and substantive testing

8/18/2019 Internal control assessment and substantive testing

1/31

The Interaction between Internal Control Assessment

and Substantive Testing in Audits for Fraud*

J. REED SMITH,

State University of New

ork

at Buffalo

SAMU EL L. TIRAS,

State University of New

ork

at Buffalo

SANSAKRIT S. VICHITLEKARN,

University of Oregon

bstract

We examine tbe interaction between internal control assessments and substantive testing in

a model of fraud detection. The purpose of our study is to examine a two-stage m odel of the

aud itor-m ana ger interaction in which the auditor assesses the likeliboo d or possibility of

fraud in tbe first stage and conducts substantive tests in the second stage. We examine the

allocation of audit resources across these two distinct facets of the audit. We find that,

regardless of the auditor's allocation, the probability of undetected fraud remains the same,

but the allocation of some audit resources to internal control assessment may provide cost

savings for the auditor.

Keywords Strategic aud iting; Internal control assessment; Aud its for fraud; Substantive

testing

ondense

La possibility que Ies gestionnaires se rendent coupables de fraude pr^occupe depuis long-

temps les investisseurs. Depuis I'adoption du Statement on Auditing Standards SAS) 53 et

du SAS 55, cette preoccupation est aussi celle des v^rificateurs. Le SAS 53 exige des v^rifi-

cateurs qu'ils planifient leurs missions de verification de fafon ^ foumir une assurance rai-

sonnable que les fraudes seront detect^es et le SAS 55 exige que Ies v6rificateurs ^tudient les

structures de controle interne des entreprises clientes afin de determiner quelles sont les

entreprises les plus vulnerables ^ la fraude. Pour clarifier davantage les responsabilites des

v^rificateurs quant ^ la prevention et a la detection de la fraude, I'American Insittute of

Certified Public Accountants (AICPA) a plus tard adopts le SAS 78, en remplacement du

SAS 55, et le SAS 82, en remplacement du SAS 53. Ensem ble, le SAS 78 et le 5 45 82 servent

de guide aux v^rificateurs en ce qui a trait la meilleure fa?on de r^partir leurs efTorts entre

I'appiication de tests con?us pour d^tecter la fraude (tests de corroboration) et de tests

confus pour ^valuer la probability qu'une fraude puisse etre commise (Evaluation du


2/31

328 Contemporary Accounting Research

Les auteurs examinent I interaction entre rev aluation du contrdle inteme et les tests de

corrobo ration dans un m odele de detection de la fraude. Ils analysent en particulier I inter-

action en deux phases b a s ^ sur la th6orie des jeux entre un v^rificateur extem e et la direc-

tion de l en trep rise clien te. Le v^rificateur lv al ue Tefficacitd du controle dans un p remier

temps et effectue ensuite des tests de corroboration relatifs

k

la fraude dans un second

tem ps. L efficacit^ du eontrole est en relation inverse avec la propension du gestionnaire

h

cotnm ettre une fraude. Si le controle est efficace, le gestionnaire doit redoubler d effort pour

d^jouer le syst^me de controle, ce qui diminue rint6r6t de la fraude. Cependant, le gestion-

naire n a pas

k

d^ployer beaueoup d efforts pour d^jouer un syst^me de contro le deficient,

Une certaine probability est associee

h

I ̂ clairage que peut jeter r eva luation du con trole

inteme sur la d^ficience du systfeme de controle, d^ficience qui rendrait la fraude plus

at trayante pour le gest ionnaire. Sous reserve des resui tats de revaluat ion du controle

interne , le v^rificateur d^cidera d e I ^tend ue d es tests de corrobo ration qu il convien t

d effectuer.

Les auteurs eomparent ce module en deux phases

h

un module de base dans lequel Ie

v^rificateur n effectue que de s tests de corrobo ration. Cette com paraison met en relief la

fa^on dont revaluation du contrdle inteme influe sur les caract^Hstiques des strategies

d ^qu ilibre et les r^sultats du m odule. L analyse permet de prod uire certaines predictions

desc riptives en ce qui a trait S la fa9on d ont les diverses cara cteristiques du contexte de ia

mission influent sur la repartition du travail de verification entre Ies deux phases et k la

maniere dont elles influent sur ia decision des gestionnaires de commettre une fraude.

Les auteurs constatent que Ie volume de travail consacre

k

revaluat ion du controle

inteme n exe rce pas d influence sur la probabiiite d ^qu ilibre q u un e fraude soit com mise

sans etre detectee. D e plus, lorsque ies evaluations du contr61e intem e sont relativement effi-

cientes dans la detection des fraudes potentielles. des economies de coQts peuvent 6tre rea-

lisees par le verificateur grace h i affectation des ressources de verification k revaluation du

eontrole intem e p lutdt qu aux tests de corToboration.

Les auteurs constatent egalement q ue les econom ies de coOts decou lant de I evaluation

du systfeme diminuen t avec les facteurs qui augm entent I efficacite des p rocedes de corro bo-

ration. Si Ies procedes de corroboration sont suffisamment efficaces, Ie verificateur choisira

d affecter la totalite des ressources de verification aux tests de co rroboration.

Les auteurs commencent par une interaction premiere entre un gestionnaire qui se pro-

pose de commettre une fraude et un verificateur qui souhaite detecter la fraude. La probabi-

iite que le systeme de contrSle soit deficient est de ft et la probabiiite qu il soit efficace est

de (1 ~ ). L avantage q u obtient le gestionnaire lorsqu il com met une fraude qui n est pas

detectee est de F. Si Ie systeme de controle est efficace. toutefois, le gestionnaire doit

deploy er beaueoup d efforts (« ) pour le dejouer, ce qui fait que la fraude ne Iui rapportera

que F-Q). Si Ie gestionnaire commet une fraude et que la fraude est deteciee par le verifica-


3/31

Internal Con trol Assessm ent and Substantive Testing in Audits for Fraud 329

supposent que la fonction de detection d(x) rev8t la forme suivante :

d(x)

=

-

Exp{-bx},

oub>0 est un param ^tre. Ce param ^tre repr^sente I'efficacit^ des tests de corrob oration

dans la detection de la fraude.

Le v6rificateur engage des coQts de verification de

ex

pour determiner si une fraude a

^te comm ise. o^

c

represente le cout unitaire de la verification. Si le v^rificateur ne parvient

pas k detecter une fraude qui a ^t^ commise, il encourt une p^nalit^ D, notamm ent des dom-

mages. une atteinte k sa reputation et des sanctions gouvemementales. Le v^rificateur peut

^viter ces couts s'il d^tecte la fraude.

Les auteurs d6rivent les strategies d'equilibre suivantes pour le modele de base. Si le

gestionnaire observe la d^ficience du syst6me de contrdle, la probability d'equilibre qu'il

c(E F )

choisira de comm ettre la fraude est la suivante

:

a^

=

^ ; si le gestionnaire observe

bD Fn

I'efficacite du systfeme de controle. il ne commettra pas la fraude. Le verificateur, k V6qu\-

l ibre, choisira

x'=

-Ln — - — . Cet equi l ibre es t semblable

k

celui observe dans

d'autres travaux relatifs k la verification strategique,

Puis,

les auteurs analysent l'interaction selon un modeie

k

deux phases, grace

k ajout

d'une strategie de la part du verificateur. Ce demier peut ^valuer la probabilite que le systdme

de contrdle soit deficient en effectuant un certain vo lume de travail dans un prem ier temp s.

En consequence de ces efforts, le verificateur constate soit que le systeme de controle est

deficient (et qu 'un e fraude peut facilement etre comm ise), soit qu'il ne Test pas (signal nul).

La nature du syst^me est detemiinee a la premiere phase et observee k titre pHv^ par le

gestion naire. Si le syst me de controle est deficient, le gestionnaire sait que la probability

que le verificateur decele la deficience du controle est de h{e^), et la probabilite qu'il com-

mette la fraude est de a^. Si le syst^me de contrdle est efficace, la probabilite que le gestion-

naire com mette la fraude es de a^.

Le verificateur tente de determ iner si le systeme de contr6le inteme est efficace ou deficient

en deployant un effort e^ > 0. Les auteurs supposent que la probabilite que le verificateur

jug e par erreur qu'u n syst^me de controle inteme efficace est deficient est de zero, et que la

probabilite que le verificateur juge qu'un systeme de controle inteme deficient est deficient

est de h(e^.). une valeur

k

croissance concave dans l'interva lle [0, 1], et h(0) = 0.

A partir de ses observations k la premiere phase du modele, le verificateur determine

re ten du e des tests de corroboration (intensite du travail de verification) k la seconde phase.

Le choix du verificateur est denote

XQ >

0. si ce dernier ne dec6Ie pas de deficience du sys-

teme de conu-ole, et x- ̂> 0, s'il decile une deficience du systeme de controle. Comme dans

le modele de base, si le gestionnaire choisit de commettre une fraude. la probabilite que le

verificateur detecte la fraude est de

d(x),

oti

x

represente soit

X Q,

soit

x^,,..

Contrairement au module de base, le modele k deux phases fait intervenir trois equilibres


4/31

330 Contem porary Accounting Research

Pour les cas dans lesquels h'(0) < - — — ^ — . , , „ . , e = 0k I'dq uilib re. et le

c((

I — t j

+

WLnl tf})

module est a ssimilable au module de base. Si le v6rificateur cbo isit

e*

0, alors

hie*

) = 0

et le v6rificateur ne d^couvrira aucunemeni que le systfeme est deficient. II

s agit

Ik de

l'exacte situation du module de base. Une autre fa^on d 'exprim er la chose serait la suivante ;

le v6rificateur choisit entre la verification en une seule pbase et la verification en deux phases,

en fonction de l'importance relative de b'(0) et — — — —

.„.. . Une caractdristique

c ( ( l

w

+ v L n [ o j )

importante de cette condition est qu'elle depend uniquement des param^tres b. c et 8, et de

la pente de

bCê .

au seuil de 0. Elle ne depend ni de a strategic de l'entreprise v6rifi6e, ni de

celle du verificateur k la seconde phase.

Pour toutes les missions de verification, la probability prdvue d'une fraude non

c c

est de

T-T-

et le coQt privu de Tficbec de la verification est de 7

•

Si h (0) >

oD 0

, la strategie de verification qui reduit Ie coflt au minimum consiste k

cboisir e > 0. Si h'(0)


5/31

Internal Con trol Assessm ent and Substantive Testing in Audits for Fraud 331

performs substantive tests for fraud in the second stage. The strength of controls is

inversely related to the propensity of a manager to commit fraud. If controls are

strong, a manager must exert costly effort to override the system of controls, which

diminishes the attractiveness of committing fraud. Costly effort is not required,

however, for the manager to override the controls of weak systems. With some

probability, the internal control assessment will reveal whether the system of con-

trols is weak, ind icating that it is more desirable for the manager to comm it fraud.

Depending on the outcome of the assessment of internal control, the auditor will

decide how much substantive testing to perform.

We compare this two-stage model to a benchmark model in which the auditor

pertbrms only substantive testing. This comparison highlights how internal control

assessment affects the characteristics of the equilibrium strategies and outcomes of

the model. The analysis yields some descriptive predictions about how various

characteristics in the audit environment affect the distribution of audit work across

the two stages and how these characteristics affect the manager's fraud decision.

We find that the equilibrium probability that fraud is committed and is not

detected is unaffected by the amount of effort allocated to assessing internal con-

trols.

In addition, when internal control assessm ents are relatively efficient at iden-

tifying the potential for fraud, cost savings for the auditor can be achieved by

allocating audit resources away from substantive testing and toward internal con-

trol assessment.

We also find that the cost savings from system assessment decrease in factors

that increase the effectiveness of substantive testing procedures . If substantive test-

ing procedures are sufficiently effective, the auditor will choose to allocate ail of

the audit resources to substantive testing.

The strategic auditing literature began with Fellingham and Newman 1985,

who examined the interaction between a client who chooses low or high effort that

translates directly into material e rror or no m aterial error. The auditor can choose

to extend tests and discover the material error or not, and subsequently must

choose to qualify or not qualify the audit report. The audit technology in the

authors' paper is perfect, so their study focuses on the trade-off between informa-

tion acquisition and the audit report. Following their study, several studies consider

the auditor-manager interaction assuming an imperfect audit technology. Newman

and Noe (1989) and Shibano (1990) both focus on the auditor's accept/reject deci-

sion given a fixed sample of audit data. Patterson (1993) extends these studies by

considering the auditor's accept/reject decision after a sample size decision. Our

model differs from these studies in two fundamental wa ys. First, we model

th

audit as a discovery problem with imperfect auditing, whereas Fellingham and

Newman, Newman and Noel, Shibano. and Patterson model an acceptance problem.


6/31


examined allocations of audit work across time. Excep tions are Caplan 1999, Finn

and Penno 1996, and Matsumura and Tucker 1992. Caplan examines a multistage

audit setting in which the manager has a two-stage decision, but the audit work is

essentially a one-stage problem. Finn and Penno examine the issue of commitment

in a stop-and-go audit environment. Their paper focuses on when to stop auditing

if no fraud has been discovered. M atsumura and Tucker examine a tw o-stage audit

that is structurally similar to ours. The auditor chooses high or low compliance

testing, which then provides information about the probability of fraud. Based on

this information, the auditor then decides whether to exert high or low effort in

substantive tests. Matsumura and Tucker consider only a single type of audit client

(dishonest), and their information structure is much simpler. The first-stage effort

provides information about the likelihood that fraud actually was committed.

Our paper complements Matsumura and Tucker and Caplan in that we exam-

ine a two-stage audit in which the first stage is system-related. Unlike Finn and

Penno, detection of fraud cannot occur in the first stage. Caplan's focus is on the

manager's first-stage decision (system choice), while we simplify that choice and

focus on the auditor's first-stage decision (system assessment). Unlike Matsumura

and Tucker, the auditor in our model cannot obtain information about the probabil-

ity that fraud actually was com mitted in the first stage. Rather, the first-stage effort

only provides information about the manager's type.

This paper also relates to research into tax compliance auditing. Both Sansing

(1993) and Rhoades (1997) examine two-stage models in which the auditor, which

is a tax authority in their papers, gathers information about the likelihood that

fraud will be committed in the first stage and then performs substantive testing in a

second stage. Sansing examines how the taxing authority should respond to infor-

mation it has gathered and how the taxing authority's strategy would affect the

equilibrium likelihood of an aggressive taxpayer strategy. Sansing then computes

how much information the taxing authority should optimally gather, which is anal-

ogous to the system-assessment stage in our model.

While Sansing does examine a two-stage audit in which the first stage relates

to information acquisition, contextual differences between a tax audit and a finan-

cial statement audit induce important modeling distinctions. First, the second stage

of Sansing's model, which corresponds to the level of substantive testing in our

model, is a binary choice: audit the tax retum or not. This modeling choice is stra-

tegically descriptive for tax audits. On the other hand, this modeling choice is not

descriptive of financial statement audits. Public accountants must do some auditing

of each client. As a result, we model substantive testing as a continuous choice. Tn

addition, our model allows us to explicitly examine the allocation of audit resources


7/31

Ititemal Control Assessment and Substantive Testing in Audits for Fraud 333

Both Sansing and Rhoades show results that are analogous to our finding that

undetected fraud is not affected hy the assessm ent of internal control. For example,

tax revenues in San sing s paper do not depend on the precision of the tax author-

ity s information. An investment by the tax authority in more prec ise information

must be aimed at reducing cost rather than on generating increased revenue. Gen-

erating revenue in the tax models is analogous to detecting fraud in our study.

Unlike Matsumura and Tucker 1992, Sansing 1993, and Rhoades 1997, we

focus on the continuous allocation of audit resources to two distinct types of audit

task: system assessment and substantive testing. Both of these tasks relate to detec-

tion, but only substantive testing can actually detect fraud.

The remainder of this paper is organized as follows: in section 2 we present

and discuss a simple benchmark model, in section 3 we describe our two-stage

model, in section 4 we describe our analysis, and in section 5 we discuss our

results and identify the limitations of our study.

2 Benchmark model

We begin with a restricted interaction between a manager who wishes to perpetrate

a fraud and an auditor who wishes to detect fraud. Tbe system of controls is either

weak, with probability 0, or strong, with probability (1 - 9). The benefit to the

manager of successfully committing fraud is F If the system of controls is strong,

however, the manager must exert costly effort

oji)

to override the controls, and the

net payoff to successfully com mitting fraud is only F - 6). If the manager com mits

fraud and the fraud is detected by the auditor, the manager incurs a penalty, Pp,

which could iticlude fines, loss of employment, or jail. The manager with system

type

t

€ {w.

s}

will commit fraud as a mixed strategy with probability

a, e

[0, 1].

In the benchmark model, the auditor cannot assess whether the system is

strong or weak.^ The auditor chooses a level of substantive testing (audit effort),

denoted x>0, based on knowledge of 6 If the manager chooses to commit fraud,

the auditor will detect the fraud with probability d x). We assume that the detection

function,

d x),

has the functional form

d x) =

1 -

EKp{~bx},

wh ere /? > 0 is a

parameter.3 This parameter represents the effectiveness of substantive testing at

identifying fraud.**

The auditor incurs audit costs of

ex

to determine w hether fraud has been com-

mitted, where c is the unit cost of auditing. If the auditor fails to detect fraud when

it has been perpetrated, he suffers a penalty, D , which includes legal dam ages, rep-

utation loss, and governmental sanctions. This cost is avoided if the auditor detects

fraud. These payoffs are shown in the game tree in Figure I.

The solution to this game is straightforward. The m anag ers choices of a^ and

0 ^ must make the auditor s equilibrium choice of x optimizing, and the aud itor s


8/31

334 C on t em po ra i y A ccoun t i ng R esea rch

Fig ure 1 Benchmark model

Nature Manager Auditor {M anager's payoff. Auditor's payof }

{F(l - d(.«)) -

Fodix),

-ZXI -

dix)) - ex]

{F \ -

{0,-cx}

-

Ut

-ZHl - d{x -

cx\

1

-

e a

-

= 0

and the second-order condition is

The manager's payoff if the system is weak, is

2).

3).

4),

5).

and the manager's payoff if the system is strong, is


9/31

Intemal Control Assessment and Substantive Testing in Audits for Fraud 335

bD9P

6).

D

If the manager observes a strong system of control, she will not commit

fraud.

«: =0 il).

The auditor, in equilibrium, will choose x:

8).

PROOF.

The proof follows directly from equations 2,4. and 5.

•

Tbe comparative statics from our study for the auditor s strategy, x and the

manager s fraud strategy, a*,, are similar to those of Newman and Noel 1989 and

Sbibano 1990, even though we look at a different type of audit decision. For exam-

ple,

the equilibrium choice of x* is not affected by changes in the auditor s expo-

sure to audit failures, D. On the other hand, Patterson (1993) finds that detection

risk may be increasing in what we refer to as D. The difference between our study

and Patterson s results from the fact that Patterson considers the balancing of two

distinct strategic choices: sample size and acceptance. We do not consider type I

errors and, as a result, increased effort always serves to improve the auditor s

expected reporting decision. Patterson does consider the costs of type I errors and

the auditor, in her model, balances the costs of type I and type II reporting errors in

choosing the optimal effort and cutoff values.

We can examine the equilibrium probability of undetected fraud. Ex ante,

the probability of undetected fraud

(UF)

is Pr(C/F) =

dcc1(l

-

d(_x*)) =

bDBP (FP\

M 5

•

^^^

auditor s first-order condition in equation 2 can be

stated in terms of d(j:):

a =

1

Tbe (I

-

d(x)) and

6

terms then

bD0il-d(x))

cancel. As a result, the equilibrium probability that fraud is undetected is a con-

stant. The comparative statics in the other three studies are consistent with ours in

that the probability of undetected fraud is decreasing in the auditor s expected

costs for undetected fraud. They find, however, that the probability of undetected


10/31


auditor s decision is determined hy the m anager s

payoff,

and the m anager s deci-

sion is determined by the auditor s

payoff.

In all four papers, the manager plays a

mixed strategy over two discrete choices. As a result, the auditor s choice of audit

effort (sample size, materiality thresholds, etc.) will either make the manager

strictly prefer one choice over the other or will make the manager indifferent. The

equilibrium in each of these papers requ ires that the audito r s ch oice m ake the

manager indifferent between choosing fraud and choosing no fraud.* As a result,

the trade-off of the m ana ger s expected payoff if he com mits fraud relative to the

payoff if he does not commit fraud dictates how much audit effort the auditor

chooses in equilib rium . In a similar m anner, it is the audito r s trade-offs between

failing to detect fraud and exerting costly effort that drive the manage r s mixed-

strategy choice of a^

^

As the au ditor s penalty for not detecting fraud increases,

the auditor s own cho ice is not affected, but the manager decreases the likelihood

of committing fraud.

3 . Two stage model

We extend the interaction in section 2 to two stages by adding a strategy for the

auditor. The auditor can assess the likelihood that the control system is weak by

exerting effort in a first stage. As a result of

this

effort, the auditor either teams that

the control system is weak (and fraud can be easily perpetrated) or does not (a null

signal).

In this section, we desc ribe the sequence of events in the two-stage model.

We then derive the payoffs to the auditor and the manager and define the equilib-

rium concept.

Sequence of events

The system type, strong s) or weak w), is determined in the first stage and is

observed privately by the manager. The weak system requires no effort in order for

the manager to perpetrate fraud. The strong system imposes costs of

ft

on the man-

ager if she wishes to override the system and perpetrate a fraud. The manager with

a weak system of controls knows that the auditor will discover the control weak-

ness with probability

h e^.),

and she conunits fraud with probability

cc^^.

The ma

ager with a strong system of controls comm its fraud with prohabiiity a ,.

The auditor attempts to determine whether the system of internal control is

strong or weak by exerting effort,

e^ >

0. We assume that the probability that th

auditor will mistakenly identify a strong system of internal control as weak is zero,

and the probability that the auditor will identify a weak system of internal control

as weak is h(ec), which is assumed increasing-concave over the range [0, I), and

h(0) = 0.9


11/31

Internal Control Assessment and Substantive Testing in Aud its for Fraud 337

Fi gu re 2 Timeline: TVo-siage model

Nature delermines Manager observes Auditor Icams or Aud itor based on Auditor discovers

system type system type and does not leam)

strong, weak ). chooses whether that system is

to com mit fraud. weak if it is.

Auditor chooses

system evaluation

efToit

results of inlem ai fraud if it occurred

control evaluation) proba bilistically,

chooses substatUive

testing.

yoffs

The payoffs to the managers who face strong and weak systems are identical to

those in the benchmark ga me . M anagers w ho face a w eak system of control obtain

a benefit of F for undetected fraud, m anagers who must override a strong system of

controls in order to perpetrate a fraud obtain a net benefit of F - co for undetected

fraud, and the manager incurs a cost penalty) of Pp if she is detected c om mitting

fraud.

The auditor incurs audit costs of e^ in attempting to determine whether the

internal control system is weak. If the system is found to be weak, the auditor

incurs audit costs of cx^^, to determine whether fraud has been committed. If the

system is not found to be weak, the auditor incurs audit costs of

C XQ

to determine

whether fraud has been committed. The existence of a strong or a weak system

does not affect the probability, d jc), of detecting fraud. Again, if the auditor fails to

detect fraud when it has been perpetrated, he suffers a penalty, D, which is avoided

if the auditor detects fraud. The information structure and payoffs are shown in the

game tree in Figure 3.

The auditor will identify a weak system as weak with probability h e^), and

choose a level of substantive testing, x^^., that induces a detection probability


12/31


f

^

f

d

a

I

u

as

S

2

c

f 2

2

1


13/31

Internal Control Assessment and Substantive Testing in Audits for Fraud 339

If the auditor identifies the control system as weak, then he chooses x^. know-

ing that the probab ility that the manager com mitted fraud is o;,,. The expected pay-

off to the auditor in this information set is

If the auditor does not identify the control system as weak, then he computes

the probability that the system is weak using Bayes s rule: — ~ .

(1 h(^^) )0+ (1 0)

The manager in this situation committed fraud with probability oCy^, and w ith prob-

ability —— — —--^— —— — the manager faced a strong system of contro ls and

chose to commit fraud with probability a^. The auditor s assessment of the proba-

bility that the manager committed fraud if the system is not found to be weak is

(12).

If the auditor does not identify the control system as weak, then his conditional

expected payoff is

In the first stage, the auditor chooses

e^.

which induces the probability hie^.

that a weak system will be identified as weak . The aud itor s expected payoff at this

decision point is

Cl

.

14 .

In the next section, we will formalize the equilibrium concept for our analysis.


14/31


a^ =

the (mixed-strategy) probability that the manager facing a strong system

of controls will commit fraud.

e^ =

the effort that the auditor supplies to determ ine w hether the firm has a

weak system of intemal controls.

x^. =

the effort that the auditor supplies to detect fraud if he has found that the

firm has a weak system of intemal controls.

XQ = the effort that the auditor supp lies to detect fraud if he has not found that

the firm has a weak system of intemal controls.

Equilibrium requires that each of these strategies be a Nash best-reply to the

other player's strategy and that the auditor's beliefs are updated in accordance with

Bay es's rule. In addition, w e require that all choices be sequentially rational.

4. Analysis of the two stage model

In this section we describe equilibrium in the two-stage model and how intemal

control assessment affects tbe nature of the auditor-manager interaction. Unlike

the benchmark mo del, three distinct equilibria arise in the two-stage m odel. First,

if either /J or 0 is large, or if

c

is small, then

e =0

and tbe equilibrium strategies

are identical to those in the benchmark m od el . For these equilibria, the manager

will never com mit fraud if the system of controls is strong (a * = 0). On the other

hand, if

b

and

c

are not too large and

c

is not too small, then the auditor will choose

€*

> 0. For these equilibria, the manager will choose oc =0 for larger values of O

and 0< a < 0^ for sm aller values of

co.

We begin our analysis by describing the first-order conditions (FOCs) induced

by the seco nd-s tage payoffs in equa tion s 9, 10, 11 , and 13. For this analy sis,

we will assume that the auditor's first-stage equilibrium choice of

e

is greater

than zero. If the manager faces a weak system of control, then she will choose

0 ^ e (0,1) if and only if

0 (15).

If the manager faces a strong system of control, then she will choose a^e (0,1) if

and only if


15/31


In addition, since Xy^, is a continuous c hoice, the following second-order condition

must be satisfied: ̂

-bxJ

the manager will

also choose a*. If

(O

exceeds this ratio, it is imp ossible for equations 15, 16, 17.

and 19 to be solved simultaneously so that a* > 0. In any of these cases, a* = 0.

As a result, the FOC in equation 19 will reduce to

(21),

and the equilibrium choices of x^,, XQ, and a^, will be determined by the simulta-

neous solution of the FOCs in equations 15. 17. and 21.

^

We characterize the strat-

egies in the second stage of the two-stage game (for situations in which

e*

0)

in

Proposition 2.


16/31

342 Contemporary Accounting Research » . : [

\he following strategies represent equilibrium choices by the auditor and

the manager in the second stage:

22 .

23 ,

a:. =

24 ,

and

a: =

bD \ -

25 .

Case 2: If a>> Min F,

, then the following strategies

represent equilibrium choices by the auditor and the manager in the

second stage:

D

(26),

27 ,

a . =

(28).


17/31


Suppose that

axF.

The expression for a* in equation 25 is positive if and only

if h(ep(fl)+ (I - 0)Po) - ft)> 0, which is true if and only if fi)< — . For

these cases, a strong system of controls is better than a weak system but is not

sufficiently strong to deter managers from committing fraud altogether. If ft) >

, on the other hand, the manager will not commit fraud with any

( i - M ^ ; ) )

positive probability (i.e., c^^ =0).

We now describe the auditor's equilibrium choice of e* in the first stage of the

g me In Proposition 2, the second-stage strategies for the auditor and the manager

are characterized assuming that e* > 0. We now characterize the auditor's first-

stage choice.

The auditor's payoff in the first stage was characterized in equation 14. This

payoff induces the following FOC with regard to ê .:

=

Substituting the FOC in equation 17. we find

h ' ( )

30 .

(31)

for any e* > 0 '** The second-order condition for e^ is

Q

(32).

Again, substituting in the FOC in equation 17, equation 32 reduces to

<

0 (33).

which is satisfied for all x^ and XQ Equation 31 and the equilibrium values of x*

and

x ^

in equations 26 and 27 imply that e* >

e^

whenever'^


18/31


This result provides the basis for P roposition 3 .

P RO P O S I T I O N 3 . / / h ' (0 ) > — - - — ^ — - , . „ . . then c* > 0 in equilibrium

c((

I — u) +

a L n [ a | )

and the auditor s equilibrium choice ofe^ satisfies equation 31. Conversely

PROOF: See

appendix.

F or cases in which h '(0) < - — — — — . , ,-^,. , ^* = 0 in equilibrium and

c

—

7) + t7Ln[t7j) *

the gam e reverts to the benchm ark m odel. If the auditor choos es e* = 0, then

h(c*) = 0 and the auditor will never discover that the system is weak. This is pre-

cisely the situation in the benchmark model. Ano ther way of saying this is that the

auditor will choose between one-stage auditing and two-stage auditing based on

the relative magnitudes of h'(0) and

—————

—

—

r . An important c harac-

c(\\ — u) +

aLn[&J)

teristic of this condition is that it depends only on the parameters b, c, and 6, and

the slope of

\\ie^

at 0. It does not depend on either the aud itee's strategy or the audi-

tor's strategy in the second stage of the game.

The next section will discuss the characteristics of equilibrium in the two-

stage m odel and provide the results of our comparative static analysis.

Equilibrium characteristics of the two-stage model

For situations in which a* = 0. the expression for .r*, in equation 26 depends only

on the exogenous param eters. The expression for

JCQ

in equation 27 depends on the

parameters and the auditor's first-stage choice of h(e*). Conversely, for equilibria

in which a* > 0, x*^ in equation 22 depends in part on h(e*). but x^ in equation

23 does not. The reason for this differenee, which will also induce differences in

the comparative statics, is that the auditor's choice of

Jt ̂

and

XQ

is driven by the

manager's

payoff.

In case of Proposition 2, the aud itor's strategy must keep both


19/31

Intemal Con trol Assessment and Substantive Testing in Audits for Fraud 345

the auditor chooses e^. and

x^^

to make the "wea k" m anager indifferent between

fraud and no fraud. The expected payoff to the weak manager is decreasing in both

e^. (since x ^ >

X Q )

and X y ^ . Therefore, in satisfying this manager's indifference

condition, there is a trade-off between

e^

and

jc ,̂.,

and the value of

J:̂ ^

that satisfies

the weak m anager's indifference condition depends on b(e *).

The reasoning for case 2 of Proposition 2 is different. In this case, the m anager

will not commit fraud if tbe controls are strong. As a result, the auditor's strategy

only needs to make managers with weak systems indifferent between fraud and no

fraud. The auditor's choice of x ̂ in equation 26 does not involve any Bayesian

updating; the auditor's choice of

X Q ,

on the other hand, does involve Bayesian

updating since it is no longer determined by equation 16. Therefore,

h(e*)

appears

in the expression for

X Q

but not for x ̂ in case 2 of Proposition 2.

Before providing the results of the comparative static analysis, we character-

ize the relative magnitudes of

jc*

, JtJ,

e*,

and

a^^

for the cases in which a* = 0

and a* > 0. In equation 26

x^^

is always greater than x^ , in equation 22, and

X Q

in

equation 27 is always less than ;cj in equation 2 3. These facts imply that xJ , -

X Q

is greater for situations in which

a* =0

than for situations in which a* > 0. Since

the right-hand side of equation 31 is decreasing in

x^ - X Q ,

h(e*) must be less for

situations in whicb a* =0 than it is for situations in which Cf > 0. As a result, e*

J S C

( (OMe) \

must be greater for situations in which a* = 0

a) >

Pp

than it is for

I

l-h«))

)

situations in which a* > 0 ft)<

—P^ .

Finally, a ^ in equation 28 is

I l-h 0.

Table I provides the comparative statics for the two-stage model for situations

in which

e*

> 0 . ' ^

Several of these comparative statics differ for situations in which ct* > 0 and

de ^g*

for those in which a* = 0. For example,

TT-Z

> 0 whenever a* > 0, and

i

<

0

^ de ' de

for situations in whieh a* =

0.

The reason for this sign change is that when

a ^

> 0,

the sign of -:r— is determined by the sign of =;—=7— :^—=;—

,

whereas when a* = 0,


20/31


TABLE

1

Comparative static results

for the

two-stage game

For

changes

in

e

c

F

P

D

b

+

0

-

0

-

•

—

+

0

0

0

-

0

< •

-

+

-

0

Ind.

ind.

-

0

+

-

0

-

0

Changes

in

X

^

0

0

+

-

0

-

-

0

+

-

0

ind.

0

X*

0

ind.

0

+

•

•

+

-

0

0

0

+

0

«^

-

ind.

+

-

-

ind.

ind.

-

+

+

-

-

-

0

ind.

+

+

ind.

-

-

ind.

£„, will be affected in equilibrium. The change in sign for —̂ is due to the change

au

in the interaction between e* and XQ in the two equilibria. For a* = 0, XQ is a

function of h(e ) and 9 times h e*). For a* > 0, neither 6 nor h(e*) affects the

equilibrium value of XQ , since it is determined by equation 16 alone. This is the

same reason that both

-=r^

and ;̂— change sign. If a* > 0,

x*

is a function of

ac dc ^ ^

h e*), but XQ is not. If tt^ < 0,

x^

is not a function of h(e*). but XQ is. The shift

in sign for these comparative statics points to the shift in the structure of the inter-

action for larger values of (o and smaller values of a.

Comparison of the benchmark model and the two-stage model

In this section, we compare the benchmark model with the two-stage model and

identify differences and similarities in the strategies and outcomes across the two

models. Proposition 3 demonstrates that the auditor will choose e* >0 if and only

if equation 35 is satisfied. For these situations, equilibrium will be characterized by

the auditor s choice of e in equation 31 and second-stage choices in case 1 or

case 2 of Proposition 2, depending on the magnitude of

co.

If equation 35 is not sat-

isfied and e* = 0, then h(e*) = 0 and the interaction is identical to that in the


21/31


D D

and the expected cost of

an

audit failure is again - . Finally, if equation 35 is satisfied

b

and ft><

)

/ * p , then the ex ante probability of undetected error is again

-

d(jt;))

a *

= ^ (37).

Hence, the ex ante probability of undetected fraud and the expected cost of audit

failure do not depend on whether the auditor performs only substantive testing or

whether he allocates resources to internal control evaluation.

If h'(0) > ———————r——, the auditor's cost of auditing is strictly less if

he allocates audit resources to internal control evaluation, since he could always

choose e^ = 0 and play the benchmark game. But £̂ - 0 is not optimizing when

' . We conclude, therefore, that the auditor is obtaining

cost savings in achieving the expected cost of audit failures, 7 , by allocating audit

b

resources to internal control evaluation. This result is stated without proof as Cor-

ollary I.

COROLLARY 1. For

a ll

audits,

th e

expected probability of undetected

raud

s ~

and the

expected

cost of audit failures is r.ff

h'(0) > — — —

—

—

—

— T — T - ,

the cost-minimizing audit strategy for the auditor is to allocate effort of

e >Oas determined by equation 31, and x ̂ and jcj are characterized

b

in

Proposition 2. If h (0)

<

,

the

cost minimizing


22/31

348 Con temporary Accoun ting Research

comparison, we observe that

dix*)

> d(jcj) and. since

-^

> 0. this difference i

also decreasing in ft A s a result, we conclude that d(x*,) > d{x*)

>

d(jcj) and that

d(x*) is a weighted average of d(jcp and d(.tj). As

9

inc reases. d(A:*) and d

JTJ )

converge to d(x*) from above and below, respectively. Also, as 9 increases, e*

decreases. When ©decreases to the point that equation 35 no longer holds, c* = 0

and the two models are identical.

T he last characteristic of the gam e that we investigate is the ex ante prob a-

bility that fraud is com mitted and detected. T his analysis w ill hinge critically

on whether h'(0) >

— —

—^r-—

—

— r^r- and, if this condition is met. whether o >

c({l

—

u) + crLnl u\)

( l - f t ) h ( < )

Pp . If e* = 0, then the ex ante probability of fraud is computed as

where

a*^

is given by equation 6. If ^ ' > 0 and a* = 0, then a* is given by equa

tion 28, which is the same as equation 6. Hence, equation 38 is still the ex ante

probability of fraud. Finally, if e* and a* are both greater than zero, then cC ̂ i

given by equation 24 and a* is given by equation 25 . For these cases, the ex ante

probability of fraud will be

(39).

Pp)(h(el){(0+ Pp)- 6

T he expression in equation 39 is strictly less than that in equation 38 for all

l-e)h e*)

Q}< Pp. T his result implies that if e* and a* are both greater than

i-h e;

zero, one-stage auditing is not only cost-ineffieient but also induces a greater prob-

ability of fraud. T he probab ility of undetected fraud, how ever, is not affected by


23/31

Internal Control Assessment and Substantive Testing in Aud its for Fraud 349

5 . Discussion

This paper provides a simple m odel of the au ditor s allocation problem , in w hich

the auditor can choose to spend scarce audit resources on internal control assess-

ment. Internal control assessments help the auditor determine whether the man-

age r s control system is weak, and a w eak system of internal controls leads to a

greater potential for managers to commit fraud. We find that the probability of

undetected fraud is invariant to whether the auditor does or does not spend

resources on internal control assessmen t, but internal control assessments can p ro-

vide a cost savings to the auditor.

The auditor will always choose to perform internal control assessments un less

substantive testing procedures are very cost-effective at identifying fraud or the

proportion of weak systems in the population is relatively high. As the cost effec-

tiveness of substantive testing increases and the proportion of weak systems

increases, the relative benefit of performing internal control assessments decreases

to the point where the auditor should choose to perform only substantive testing.

Our theory argues that as audit effectiveness decreases the relative importance

of internal control assessment increases. The influence that a particular audit situation

faced by practitioners m ay have on audit effectiveness, and hence on the auditor s

allocation of effort to internal control assessment, is an empirical question. An

example of such an audit situation that could be tested is how much effort the auditor

exerts to distinguish errors from fraud. A second example that relates to audit

effectiveness may be the type of testing that must be employed. S ome procedures

(such as negative confirmations) may be less informative than other audit proce-

dures (such as positive confirmations). Still another example that may affect audit

effectiveness is the difficulty in obtaining substantive test data (such as inventory

observations), a typical problem in decentralized organizations. The infiuence of

these issues and others on the aud itor s allocation p roblem can be emp irically

tested within the scope of our theory.

Our finding that the benefit of internal control assessments decreases as the ex

ante probability that the system is weak increases m ay appear counterintuitive, but

it follows directly from B aye s s rule. The inform ation con tent of learning that

internal controls are weak does not substantially update the auditor s expectations

regarding fraud, and thus does not substantially reduce the required level of sub-

stantive testing.

A limitation of our study is that we do not allow the manager to select the

information system quality. While we believe that allowing system quality to vary

could alter the results, we expect that many results would be similar since it is the

m anage r s payoffs that drive many of the audito r s decis ions . In addition, future


24/31


ppen ix F

Proof of Proposition 3

If equation 35 is satisfied, then the

e*

that solves equation 31 is optimizing unless

the equilibrium solution to the benchmark game provides a lower total expected

cost to the auditor. If the equilibrium solution to the benchmark game provides a

lower cost, then the auditor could choose e* =0 and effectively choose the bench-

mark gam e. The manager could infer that the aud itor s optimal choice was e* =0

and would choose a^, and a* accordingly. The only way that this situation might

arise is if the ma nag er s best-reply was discontinuous at

Min

F

. For these cases, the man-

ager s strategy in equation 28 is the same as her strategy in equation 6 for all e^ As

a result, we conclude that if Q>> Min

onlyifh (0)>

F,

, then e* > 0 if and

Suppose next that fl)< Min

. For these cases, the man-

ager s strategies in equations 24 and 25 do not converge to tbe strategies in equa-

tions 6 and 7 at

ê

= 0 a^^ in equa tion 24 is zero , and a* in equation 25 is negative

if

e* =

0. For these situations, therefore, we must compare the auditor s equilib-

rium payoff under the benchmark with the auditor s equilibrium payoff in Proposi-

tion 2. If the equilibrium payoff to the auditor is higher under the benchmark

solution, the auditor will choose e* = 0. The equilibrium payoff to the auditor, if

he chooses

e* -

0, is

40 .


25/31

Internal Control Assessm ent and Substantive Testing in Audits for Fraud 351

Note that the expected cost of an audit failure is the same, - r , in both exp ressions.

If f

,

= 0, the cost of substantive testing is

ex

= Ln

b

F+P,

D

42).

If ê , > 0, the expected cost of substantive testing is

F+P,

D

43).

The cost in equation 42 is greater than the cost in equation 43 w henever

Ln

D

D

F P

D

CD+P

D

44).

Smce w e are considering situations in which ox

, we observe that

F+P

D

F+P

D

(O+P

D

(45).

Equation 45 implies that

F+P,

Ln

D

D

+ 1 -

F+P.

(46).

Since the Ln[ ] operator is concave,

Ln

E P,


26/31


than at e*) is strictly greater than the audi tor's payoff in equation 40 . But the opti-

mizing choice of

e

e*) will make equation 41 the highest over all

e^.

0. Hence

equation 41 must be strictly greater than equation 40 in equilibrium . •

Proof of comparative statics

Suppose first that

0>

—

Q

which implies that a* = 0. The comp ara-

tive statics for jc*. and a^, are obtained directly from partial differentiation of

equations 26 and 28. The comparative statics for

e*

and xJ are obtained by

applying the implicit function theorem over the system of equations. We begin hy

building a vector of first-order conditions. We will simplify the process by substi-

tuting the first-order condition for;c^ in equation 17 into the FOCs in equations 15,

21, and 30. We define the vector

FOC

=\^ ^>

,

where equation 17

has been substituted into each of these partials. We then construct a Jacobian

matrix of partials of these conditions as follows:

J

dFOC[l] dFOC[\] dFOC[\]

dFOC[2] dFOC[2] dFOC[2]

de.

dx.

c w

-^O

dF0C[3] dF0C[3]

de. dx.

d A

(48)

The implicit function theorem implies that the partials of e*

respect to a parameter,

X,

are given by

C^,

and

XQ

with

dFOC{2]


27/31

Internal Control Assessm ent and Substantive Testing in Audits for Fraud 353

5 <

To demonstrate that the sign of |y| > 0, we shall compute 3-7^ using direct paitial

a

differentiation of equation 26 and by using the implicit function theorem.

-J *

Using the implicit function theorem, we obtain an expression for -^ that

ou

depends on \J\. From direct partial differentiation of equation 26. we know that

^ < - I

vector is as follows:

O bu

dFOC[l] 3FQC[2 dFOC[3rf _ f I c

Smce. after subsUtutmg,

Aj[2,

2] is compu ted as

- c

where V Exp{fe;co}(-I + Exp{b{x

| y i>Oi fandoi i ly i f

, the sign of

(50).

(51).

0

- XQ)} - b x^ -XQ))>0 (52).

Equation 52 is positive if and only if equation

5

is positive. We know, however, that

equation 51 must be positive since 3 — < 0. Hence, | / | > 0.

de Bx*

Now we proceed to determine the signs of 3 - and -r^ .

au 69


28/31


29/31

Intem al Con trol Assessment and Substantive Testing in Audits for Fraud 355

5. If this cond ition is violated, then the cost of substantive testing is too high to be a

credible deterrent to fraud.

6. We simplify our discussion by referring to the manager's choice as a choice of fraud or

no fraud, which is how we m odel the problem. The m anager's choices in some of the

other papers are not labeled precisely the same as in ours, but the same general trade-

offs are present. Newman and Noel, for example, allow the manager to choose material

error or no material error rather than fraud or no fraud.

7.

The net expected benefit to the dishonest manager w ho comm its fraud is the gross

benefit, F, multiplied by the probability that the fraud goes undetected less the grass

penalty, P^, multiplied by the probability that the fraud is detected.

8. Again, Newman and Noel and Shibano do not consider sampling or effort costs

directly. Rather, they consider the trade-offs between rejecting and accepting a sample.

Still, the same qualitative issues arise.

9. The m odels of detection in this papter for both assessing internal control and detecting

fraud assume that the auditor cannot find evidence of a "wea k" system when it is

strong or evidence of "fraud" when no fraud ex ists.

10. We assume that dix) is identical to the detection probability in the benchmark game

and has all of the same characteristics.

11 . A specific condition for e* > 0 is pravided in Proposition 3 .

12. Since the decision is sequential, we can consider this second-order condition in

isoladon.

13. The FOC in equation 16 is no longer relevant since a^ = 0.

14. If e^ 0, then the first-order condition need not be m et.

15. The equilibrium values of J:*, in equation 22 and XQ in equadon 23 are never relevant

for small values of e* and hence are not a con cem . A proof is available from the

authors.

16. Several of the comparative statics are indeterminate in sign. The reason for these

indeterminacies is that we have made no specific assumptions regarding the relative

magnitudes of

h(e(.), h {e^),

and

h {e^).

In cases in which com ponen ts of a derivative

that have different signs are weighted by these factors, we frequently cannot determine

the overall sign .

17. ^ is the aud itor's payoff in equation 14,

A/H /

is the m anager's payoff in equaUon 9 , and

Ms is the mana ger's payoff in equation 10.

de: dx o

18 . We dem onstrate our approach with -r ^ and ^77 for the situation in which a = 0.

o o

[)etails of the remaining comparative statics are available from the authors on request.

de*

19.

The approach that we used to esu bli sh that - r ^ < 0 could again be used, but this

au


30/31


. 1988.

Statement o n auditing standards No. 55: C onsideration of the internal

control structure in a financial statemen t

audit

New York AICFA.

. 1995.

Statement on auditing standards N o. 78: Consideration of the internal

control in a financial statement

audit:

An amendm ent to statement on au diting

standards Number 55.

New York: AlCPA .

. 1997.

Statement on auditing standards No. 8 2: C onsideration of fraud in a

financial statement audit

New York AICPA,

Caplan, D. 1999. Internal controls and the detection of management fraud.

Journal of

Accounting Research 37 1): 101-18.

Chiang, A. 1984. Fundam ental methods of mathematical econom ics 3d ed .. New York:

McGraw-Hill.

Fellingham, J., and P, Newman. 1985. Strategic considerations in auditing. Accounting

Review 60 4): 634 -50.

Finley, D. 1994. Game theoretic analysis of discovery sam pling for internal fraud control

auditing. Contemporary Accounting Research 11 1):91-1 14,

Finn, M., and M . Penno. 1996. Real-time inspection gam es with varying levels of

conmiitmeni. Working paper, Northwestem University.

Matsumura, E., and R. Tucker. 1992. Fraud detection: A theoretical foundation. AccoHoring

Review 67 4): 753^8 2.

New man . P.. and J. Noel. 1989. Error

rates,

detection rates, and payoff functions in auditing.

Auditing:

A Journal of Practice and Theory

8 Supplement): 50-66.

New man, P., J. Park, and R. Smith. 1998. Allocating internal audit resources to minimize

detection risk due to theft.

Auditing:

A Journal of Practice and Theory 17 1) : 69-82.

Patterson, E. 1993, Strategic sample size choice in auditing. Journal of Acco unting

Research 3\ 2): 27 2-93 .

Rhoades, S. 1997. Costly false detection errors and taxpayer rights legislation: Implications

for tax compliance, audit policy and revenue collections. Journal of the American

x tion

Association 19 Supp lement): 27 -4 7.

Sansing. R. 1993. Information acquisition in a tax compliance gam e.

Accounting Review

68 4): 874-8 4.

Shibano, T. 1990. Assessing audit risk from errors and irregularities. Journal of Accounting

Research 28 Supplem ent): 110-4 7.


31/31

Internal control assessment and substantive testing

Documents

Transcript of Internal control assessment and substantive testing