Content uploaded by Rajendra P. Srivastava
Author content
All content in this area was uploaded by Rajendra P. Srivastava on Mar 30, 2017
Content may be subject to copyright.
1
Accepted for publication in Journal of Emerging Technology in Accounting (JETA),
forthcoming, 2017
Fraud Risk Assessment Using the Fraud Risk Model as a
Decision Aid
Theodore J. Mock
Distinguished Professor of Auditing & Assurance
University of California, Riverside, and
Honorary Professor, The University of Maastricht
900 University Avenue.
Riverside, Ca. 92521
Operator: 951.827.1012
Email: tmock@marshall.usc.edu
Rajendra P. Srivastava
EY Professor of Accounting and Information Systems
The University of Kansas
1300 Sunnyside Drive, Lawrence, KS 66045, USA
Phone: (785) 864-7590, Fax: (785) 864-5328
Email: rsrivastava@ku.edu,
and
Arnold Wright
Emeritus Professor
College of Business Administration
Northeastern University
360 Huntington Avenue, Boston, MA 02115, USA
Phone no: 617-373-7351; Fax: 617-373-8814
Email: a.wright@neu.edu
February 11, 2017
Fraud Risk Assessment Using the Fraud Risk Model as a
Decision Aid
ABSTRACT
This study investigates the efficacy of using a technology based on an elaboration of the
traditional fraud risk model to assess the risk of fraud and subsequently plan the audit. The fraud
risk model used is based on Srivastava, Mock and Turner (SMT) (2007, 2009) and explicitly
assesses the presence of fraud triangle factors and the need for forensic tests to aid in the
assessment of fraud detection risk and audit planning. Previous studies that examine fraud risk
decomposition simply advise subjects to assess fraud risks separately without an analytical
model.
We examine the effectiveness of the approach using an experiment involving 76 experienced
auditors where specific fraud risks are present or absent. As expected, the results indicate that the
model significantly enhances auditors’ sensitivity to differences in the level of fraud risks. That
is the auditors using the fraud risk model appropriately assessed low fraud risk as low and high
fraud risk as high, whereas the auditors using the traditional Audit Risk Model approach assessed
fraud risk at essentially the same level under either risk condition. The experiment also
investigated effects on audit program planning decisions. Contrary to expectations but consistent
with prior research, the risk decomposition technology tested did not result in auditors providing
more effective fraud detection procedures.
In all, the results suggest that although the tested risk decomposition technology can enhance risk
assessments and recognition of the need for additional forensic tests, auditors continue to have
difficulties in responding to fraud risks, perhaps because they lack the requisite fraud experience
and training.
Key Words: Fraud Risk Assessment Technology, Audit Program Planning, Fraud Risk Triangle,
Fraud Detection Risk Algorithm
2
Fraud Risk Assessment using Decomposed Audit Risk
Model: Use of Fraud Risk Model as Decision Aid
I. INTRODUCTION
Auditing standards (AICPA, SAS 99 2002, IAASB, 215 2009) require auditors on every
engagement to assess fraud risk, conduct a limited set of forensic audit tests, and respond to
elevated fraud risk by, for instance, conducting forensic tests or extending procedures.1 Despite
these responsibilities, there have been continued concerns about auditors’ abilities to detect
fraud, with relatively few frauds uncovered by external auditors (Dyck et al. 2010; KPMG 2009;
PCAOB 2007; Wilks and Zimbelman 2004; Public Oversight Board 2000). Thus, there appears
to be a performance expectation gap.
One of the likely important reasons for this gap is that auditors appear to have difficulties
in identifying fraud effective program planning strategies (nature and extent of tests) when
needed, as reported in a number of empirical studies (e.g., et al. 2015; Hammersley et al. 2011;
Mock and Turner 2005; and Asare et al. 2004). This difficulty may be due to two factors: (1)
auditors’ risk assessments fail to recognize conditions that warrant additional forensic tests;
and/or (2) auditors do not have sufficient training or knowledge to identify fraud risks. Since
auditors rarely, if ever, encounter material financial statement fraud, it is difficult for them to
develop refined knowledge structures of risk factors and relevant tests relating to fraud (Johnson
et al. 1993; Bonner 1990)
The purpose of the current study is to address this issue by examining the efficacy of a
decision tool that both disaggregates risks and also provides an algorithm that directs auditors to
the need for forensic tests. In particular, we test the efficacy of an analytical model derived
3
directly from auditing standards (AICPA SAS 99 2006). In contrast, previous studies that
examine fraud risk decomposition (e.g., Zimbelman 1997) simply advise subjects to assess fraud
risks separately without an analytical model. In this manner, we provide evidence of the relative
attribution of impaired risk assessments and/or lack of knowledge for auditors’ difficulties in
designing fraud effective program planning strategies. Specifically, we disaggregate the risk
assessment model into two components. The first is the traditional audit risk model (ARM),2
(SAS 107, AICPA 2006). The second is a fraud risk assessment model, FR = RI x RA x RO x
RSP, developed by Srivastava, Mock and Turner (2007, 2009) based on the risk factors
contained in the fraud triangle as espoused by SAS 99 (AICPA 2002). In the model, fraud risk
(FR) represents the risk that management fraud in the financial statements will go undetected by
the auditor, RI represents the risk that incentives to commit fraud are present after considering
the impact of safeguards in place, RA represents the risk that an attitude to commit fraud is
present after considering the impact of safeguards in place, RO represents the risk that
opportunities are present after considering the impact of safeguards in place, and RSP represents
the risk that special procedures (forensic and other) fail to detect fraud.
In a fraud setting this further decomposition is hypothesized to aid auditors in identifying
and assessing fraud, since decomposition is expected to lead auditors to search for additional
cues and focus on individual fraud risk factors related to incentives, opportunities and attitude.
Thus, this study corroborates and extends prior research on the value of decomposition of risks
(Zimbelman 1997; Wilks and Zimbelman 2004; Favere-Marchesi 2013) to enhance auditors’
fraud risk assessments and response.
Second, we investigate the value of a computational decision aid for auditors to
determine the risk that fraud tests will fail to detect a material management fraud (RSP) and
4
thereby highlight the need for forensic tests. Although, as noted, prior research has found that
auditors have difficulties in fraud program planning (Hammersley 2011), prior studies do not
provide a technology to compute the level of additional forensic testing necessary to achieve the
desired level of fraud detection risk.
We examine these issues using an experimental case where fraud risks (cues) are present
or absent (high fraud risk versus low fraud risk) and auditors arrive at a fraud risk assessment
using the traditional audit risk model (henceforth referred to as ARM) or the decomposed fraud
risk assessment model (henceforth referred to as decomposition). For auditors using the
decomposition model, a computational decision aid technology is also provided. Seventy-six
experienced auditors from a Big 4 firm participated in the experiment.
We find, as hypothesized, that decomposition significantly enhances auditors’ sensitivity
to differences in the level of fraud risks. We also find that in the high risk setting the
decomposition treatment does not result in a greater number of fraud effective tests, suggesting
the problem is not accurate recognition of the need for such tests but rather lack of auditor
training, and effective technologies to aid in designing tests.
Further, in the high risk setting decomposition did not lead to the planning of more
budgeted hours (extent of testing) than the ARM condition. Lastly, auditors were more likely to
consult with forensic experts in the high risk, decomposition condition than in the other
conditions. Since there is evidence that forensic experts are better able to identify effective tests
than financial auditors (Boritz et al. 2011; Verwey 2014), this difference may compensate for the
inability of the audit team to plan additional effective tests.3
The remainder of the paper is divided into four sections. The next section provides a
review of relevant literature and development of the hypotheses. The following two sections
5
contain an overview of the method and presentation of the results. The final section is devoted to
a discussion of the major findings and their implications for practice and future research.
II. RELEVANT LITERATURE AND HYPOTHESES
Several researchers have questioned the efficacy of the Audit Risk Model (ARM) for
fraud risk assessment and detection. Zimbelman (1997) and Shibano (1990) argue that the ARM
fails to explicitly distinguish between unintentional and intentional misstatements and, as such,
does not properly guide the auditor in considering relevant risks and planning tests. Drawing
upon the psychology literature, Zimbelman (1997) hypothesizes that decomposition of fraud risk
contained in inherent risks (intentional and unintentional misstatements) will aid in guiding the
auditor to access subsets of knowledge relating to fraud and to search for relevant cues in a
particular client setting. The identification of fraud cues will then lead to direct assessment of
fraud risk and, in turn, lead to adaptive planning judgments to respond to assessed fraud risk.
Zimbelman (1997) tests these hypotheses in an experiment where fraud risk (low vs. high) and
risk assessment approach (holistic vs. decomposition) are manipulated. He finds, as
hypothesized, that the decomposition group spent more time reading fraud cues, were more
accurate in fraud risk assessments, and planned more hours in the fraud setting than the holistic
group. However, while auditors planned more audit hours, they did not adjust the nature of
testing in response to fraud risk given a set of ten standard audit tests.4 This “more of the same
tests” strategy is unlikely to detect fraud, since standard audit tests are often not designed to
uncover intentional misstatements.
Houston et al. (1999) posit that the ARM focuses on risks at the account, assertion, or
cycle level, i.e., inherent risk and control risk. If so, the ARM would be descriptive of auditors’
risk assessments and program planning judgments in response to the risk of errors. However, the
6
ARM does not explicitly address higher level, engagement risks such as poor client financial
condition that are independent of the risk of errors (Stice 1991) and are sometimes indicators of
intentional misstatements. Engagement and audit firm business risk encompasses a broad range
of risk factors and include potential losses to the auditor such as loss of reputation or litigation
costs should an opinion be questioned by others in a court of law. While ARM as applied to an
account or assertion does not explicitly consider higher level risks, more recent auditing
standards recognize the importance of considering such risks in the risk assessment and planning
stages (e.g., PCAOB AS 8 2010; IAASB IAS 315 2003).
Houston et al. (1999) hypothesize that auditors’ assessments of business risk will be more
closely associated with auditors’ risk assessments and planning judgments than the ARM in a
situation of elevated fraud risk. In an experimental study they find support for their expectations
with a fee premium only present for the fraud setting.
In a review of the fraud detection literature, Hammersley (2011) notes that a number of
studies reaffirm auditors’ difficulties in designing fraud effective tests. In a study by Asare et al.
(2013) forensic auditors also indicate that in their investigations of fraud cases auditors often fail
to sufficiently modify the standard audit program. However, Hammersley et al. (2011) find that
auditors who identify the fraud scheme used by management are able to plan more diagnostic
tests. Thus, it appears that precise fraud risk assessment is necessary, i.e., pinpointing the nature
of the potential fraud scheme versus a global risk assessment.
In response to concerns by regulators and others (e.g., AICPA 2002 and Shelton,
Whittington, and Landsittel 2001) that auditors tend to overly focus on management attitude (i.e.,
management integrity) and fail to fully consider fraud opportunities and incentives, Wilks and
Zimbelman (2004) examine the impact of further decomposition in auditors risk assessments to
7
consider all three elements of the fraud triangle. They find that decomposition increases auditors’
sensitivity to opportunities and incentives when cues suggest a low risk of fraud but surprisingly
not when they indicate a high risk.5
Favere-Marchesi (2013) extends the experiment conducted by Wilks and Zimbelman
(2004) where he asks experienced audit managers to either categorize fraud risk cues into the
three components of the fraud triangle or provide decomposed risk assessments for these
components. Management attitude is held constant at low risk whereas incentive and opportunity
risks are manipulated at high or low levels. The results indicate that decomposition is
significantly more effective than categorization in sensitizing auditors’ assessments of
opportunity, incentive, and overall fraud risks and also leads them to assess a higher need to
revise audit plans and to increase the extent of audit testing when risks are high. However,
Favere-Marchesi (2013) focuses on overall engagement risks and, thus, does not examine
whether or not decomposition enhances auditors’ planning of effective tests to detect a particular
fraud. Importantly, the current study addresses this issue, since detection of a fraud requires the
performance of diagnostic tests.
Fraud&Risk&Assessment&Model&
Importantly, previous studies (Zimbelman 1997; Wilks and Zimbelman 2004; and
Favere-Marchesi 2013) that examine the efficacy of fraud risk decomposition, as discussed
above, do not provide an overriding analytical model for fraud planning. Srivastava et al (2009)
develop a comprehensive, decomposed fraud risk assessment model derived directly from
auditing standards. This model specifically incorporates the assessment of fraud risk by
disaggregating fraud risk into the three fraud risk factors identified in the fraud triangle (SAS 99
AICPA 2002) as well as the risk that the auditor’s forensic procedures will fail to detect fraud.
8
The model also formally incorporates positive (i.e., suggesting low fraud risk), negative (i.e.,
suggesting high fraud risk), and mixed items of evidence pertaining to the three fraud risk factors
and the interrelationship among the three fraud risk factors.
A somewhat more simplified, two step, version of the Srivastava et al (2009, hereafter
referred as SMT) risk assessment model involves first assessing acceptable audit risk (AAR) and
then fraud risk (FR). The simplification involves assuming there are no mixed items of evidence
and is expressed as follows (SAS 107, para 24 and footnote 12 in para 26, 2006). :
AAR = RMM x DR = IR x CR x APR x TD (1)6
Where RMM= risk of material misstatement
DR= detection risk
IR= inherent risk
CR= control risk
APR=substantive analytical procedures risk
TD=test of details risk
Also, FR = RI x RA x RO x RSP, which can be rewritten as:
FR = RiMM x RSP. (2)
Here RiMM stands for the risk of intentional material misstatements due to management
fraud, similar to RMM which represents the risk of material misstatement due to errors and
irregularities. In this formulation, fraud risk (FR) is the risk that fraud will go undetected when 1)
there is a non-zero risk of incentives (RI) to commit fraud, risk that opportunity (RO) to commit
fraud exists, and risk of attitude (RA) to commit fraud, and 2) there is also a non-zero risk that
the auditor’s special (forensic) procedures (RSP) will fail to detect fraud. Equation (2) represents
the fraud risk assessment model separate from the traditional audit risk model depicted in
Equation (1) which determines the risk of material misstatements due to errors and irregularities.
9
The current study provides empirical evidence to examine the efficacy of the SMT model in
enhancing fraud risk assessment and program planning.
Fraud Risk Assessments
Following the theory advanced by Zimbelman (1997), we expect that the additional
decomposition of fraud risk assessments should further assist auditors to access knowledge
structures relevant to fraud. For instance, they may search for fraud “incentive” cues such as
management compensation that is heavily tied to achieving accounting targets and for cues
related to opportunities to commit fraud such as weak internal controls or the choice of
accounting methods that are complex or require significant judgment. This further decomposition
is expected to lead auditors to search for relevant fraud cues contained within each of the fraud
triangle elements. The identification of additional fraud risks, when present, is then expected to
lead to greater sensitivity to fraud risks than the more holistic ARM approach. Further, Raiffa
(1968) suggests that the process of decomposing a multi-faceted decision into component
decisions, separately considering each component, and then recombining the components to
arrive at the global decision improves judgment accuracy.
Our focus is on fraud risk sensitivity or the ability to be able to accurately distinguish
between different levels of fraud risk, i.e., assess higher fraud risk in a high FR situation and
lower fraud risk under a low FR situation. Sensitivity would, thus, make the audit planning
process more efficient and effective. The discussion above leads to the following expectations as
reflected in our first hypothesis:
H1: Auditors in the decomposition condition will exhibit significantly greater sensitivity in
fraud risk assessments between high and low fraud risk conditions than those in the
ARM condition.
Fraud Effective Tests
10
We also examine the extent to which auditors plan fraud effective tests. As noted,
Zimbelman (1997) hypothesized that decomposition of inherent risks would lead to a change in
the planned nature of tests to detect potential fraud. His findings do not support this hypothesis.
However, auditors in his study are presented a prescribed set of standardized tests and could not
delete or add other tests. This setting does not provide the opportunity, as in practice, to be able
to fully adjust the nature of testing. Further, the level of decomposition of fraud risks may not
have been sufficient to focus the auditor on the need for effective fraud tests.
In the current study we provide auditors with two prompts that may be beneficial in
leading to the design of fraud effective tests: (1) a further decomposition of fraud risks; and (2)
within the decomposition condition, a computational algorithm that is expected to facilitate them
in signaling the need for forensic tests. Together these prompts should both enhance the auditor’s
ability to identify relevant fraud risks and highlight the need for forensic tests.
However, as discussed previously, the lack of an effect between higher fraud risk
assessments and more effective tests found in prior studies (e.g., Zimbelman 1997; Asare and
Wright 2004) may be due to either auditors’ lack of awareness of the need for specially designed
forensic tests and/or auditors’ lack of knowledge to design such tests. The former problem is
hypothesized to be alleviated by the decomposition of fraud risks and providing explicit
awareness of RSP (the risk that auditor’s special (forensic) procedures will fail to detect fraud).
However, lack of knowledge cannot be mitigated by these decision aids, which do not identify
specific effective tests to detect the fraud. Thus, given conflicting expectations, our next
hypothesis is stated in null form:
H2: In a high fraud risk setting the number of effective fraud procedures included in the
auditors’ planned audit program is not expected to differ significantly for the
decomposition condition compared with the ARM condition.
11
Extent of Testing
In line with “risk-adjusted auditing” (AICPA, SAS 107 2006), elevated fraud risk
assessments and the SMT algorithm are posited to impact the planned extent of testing, i.e.,
budgeted hours. When fraud risks are low there is no reason to expect differences in planned
extent between the decomposition and ARM condition, since low risks do not warrant expanding
testing beyond a normal audit setting. However, when fraud risks are high, decomposition and
the algorithm are anticipated to lead to a greater sensitivity in fraud risk assessments (H1), which
in turn is expected to lead to a greater extent of testing for the decomposition condition than the
ARM condition.
H3: In a high fraud risk setting budgeted hours will be significantly higher for the
decomposition condition than the holistic condition.
Consultation with Forensic Experts
Finally, a potentially valuable resource for auditors to detect fraud is consultation with
forensic experts to assist in identifying and responding to fraud risks. Asare and Wright (2004)
report that auditors are reluctant to consult with forensic auditors; however, fraud risk
assessments are positively associated with the propensity to consult. With high risks, auditors are
likely to recognize they need the assistance of such experts. If H1 is supported, this would
suggest that in a high fraud risk setting auditors in the decomposition condition are more likely to
recognize the risks and then consult with forensic auditors than those in the ARM condition.
Importantly, if the decomposition condition with the algorithm fails to elicit more fraud
effective tests (H2), then consultation may mitigate the problem by bringing in experts who have
the experience and knowledge to assist the auditor in designing effective tests. Our final
hypothesis examines this issue.
H4: In a high fraud risk setting the likelihood of consulting with a forensic expert is
expected to be significantly greater for the decomposition condition than the ARM
condition.
12
III. METHOD
Experimental Treatments
ARM or Decomposition Conditions
The hypotheses are addressed in a 2 x 2 experiment with the independent variables fraud
risk assessment condition (ARM vs. decomposition) and fraud risk setting (low risk vs. high
risk). In the ARM condition we ask the auditors to make the usual risk assessments called for in
the audit risk model (See Equation 1) along with a separate assessment of fraud risk, as currently
required by SAS 99. Auditors then compute the associated overall audit risk. This treatment
could also be referred to as the “conventional” treatment as it is constructed to implement how
auditors apply Generally Accepted Auditing Standards (GAAS) in assessing the risk of
unintentional and intentional (fraud) risk.
The participating audit firm was consulted to identify the steps needed in applying the
decomposition treatment (Srivastava et al (2007, 2009)) in practice. In this setting participants in
the decomposition condition make all of the same assessments as the ARM condition, except
rather than an overall assessment of fraud risk they separately assess the risk of the presence of
incentives to commit fraud, the risk of the presence of an attitude of management to commit
fraud, and the risk of the presence of opportunities to commit fraud. Auditors then compute the
overall risk of intentional material misstatement (RiMM) due to fraud as the product of these
three risks.
Finally, based on equation (2) (Srivastava et al. 2009), participants in the decomposition
condition also compute the “risk of special procedures” or the risk that fraud tests will fail to
detect a material management fraud as follows:
13
RSP = AFR / (RI x RA x RO) = AFR/RiMM (3)
where AFR is used for to determine the acceptable fraud risk for planning purposes in place of
FR (fraud risk).
Formula (3) computes the required level of RSP to achieve an overall acceptable low
level of fraud risk (AFR), which is stipulated in the case as .05. For instance, assume the
auditor assesses the following risks: RI=.80; RA=.75; and RO=.70. Then RSP would be
computed as 0.119, i.e., RSP = 0.05/(0.80 x 0.75 x 0.70) = 0.119. If RSP is 1.0 or higher, this
indicates that no special forensic procedures are needed. This formula is analogous to
determining DR using the ARM with a unique focus on the need to conduct forensic audit tests.
Of note, the response scales for the decomposition condition (0-1.00) are the same as in
the ARM condition and represent probability assessments of risks. The assessed FR in the
decomposed model is derived from the decomposition model, whereas in the ARM case the
fraud risk is assessed by the auditors without any model, as would be currently done in practice.
While one of the treatments is labeled the “decomposition” condition, it involves more
than just specifically assessing the fraud triangle factors as was done in prior research [e.g.
Favere-Marchesi 2013]. In particular, it includes a computational step that determines the
magnitude of some of the variables [ e.g. ‘Computed Fraud Risk’ (RiMM) based on an
assessment of the fraud triangle variables and ‘Risk of Special Procedures’].
In pilot testing the decomposition condition, it became clear that with so many risk
parameters auditors would need the computation aid embedded in the experiment in order to
accurately determine the target detection risk for the planned forensic audit procedures to be able
to properly test the SMT decomposition framework. Otherwise, this risk would likely have
contained computational, integration errors that could confound the results. Such a
14
computational aid would be easy to develop and use in practice much like, for example, audit
sampling aids that are currently frequently employed by auditors (Whittington and Pany 2014).
The Task
Exhibit 1 provides an overview of the tasks for the decomposition and ARM conditions.
Auditors are provided a realistic case (“Precision Equipment, Inc.”) based on an actual financial
reporting fraud situation that resulted in an SEC AAER action (SEC 1998). The case instrument
is adapted by permission from that developed, pilot tested, and used by Asare and Wright (2004).
In step 1, participants are provided background information about the company’s products,
summary financial information, financial ratios, information about the overall control
environment, and an overview of current product trends in the industry. Planning materiality is
indicated as 3.5% of net income before taxes or $8 million. Finally, participants are provided
information on the revenue cycle (where the audit team plans to rely on the controls regarding
routine transactions) and the company’s marketing strategy. The overall task is to assess risks
and develop program plans (nature and extent of substantive tests) for the revenue cycle.
In step 2, all participants are provided with risk assessment guidance drawn from the
assessment of acceptable audit risk as discussed in SAS 107 (AICPA 2006). Additionally,
participants under the decomposition condition were provided with summary fraud risk
assessments guidance based on SAS 99 and Srivastava et al. (2007).
Step 3 requires the participants to assess various audit risk components for the revenue
cycle. For both the ARM and decomposition conditions auditors assess the following risks: audit
risk with a target AAR of between 5 and 10%, inherent risk, control risk, analytical procedure
risk, and test of details risks. All participants then compute the risk of a material unintentional
misstatement as the product of these risks.
15
Following SAS 99, participants next assess fraud risk with those in the ARM condition
making a direct assessment of fraud risk. In the decomposition condition, RiMM (risk of
intentional material misstatement due to management fraud) is specified to be the product of
separately assessed risks for incentives, attitude, and opportunities to commit fraud. Using the
algorithm decision aid all participants also determine the required level of forensic procedures to
achieve an overall acceptable low level of audit risk (AFR).
In step 4, participants are asked to determine the nature of audit tests in the revenue
cycle. Similar to practice where standard audit programs are widely used, they first begin by
selecting which, if any, of a set of 10 standard tests to conduct. These tests are those used in
Asare et al. (2004), based on a compilation from auditing textbooks. Then auditors are asked to
specify any other procedures they consider necessary.
The final two tasks entail setting budgeted hours for the revenue cycle, in total and by
staff level (staff, senior, manager, and partner), and determining the need to consult with a fraud
risk partner in the firm on a 10 point Likert scale (1=no necessity to consult; 5=moderate
necessity to consult; and 10=high necessity to consult). To provide a benchmark to determine
budget hours, a preliminary budget (total 65 hours), by staff level, is provided based on hours
expended on the prior year’s engagement.
Risk Setting
As indicated, there are two versions of the case: high fraud risk and low fraud risk. The
differences between the two versions are indicated in Exhibit 2. In the high risk condition the
fraud risks from the actual fraud case are present. The fraud is one of the relatively more
common forms of fraudulent financial reporting and entails “channel stuffing” in which
management overstates revenues towards the end of the period to inflate profits. In the high fraud
16
risk condition the case notes that management compensation is heavily tied to stock
performance, management places great importance on achieving financial forecasts, and the
company has met or exceeded sales targets for 12 consecutive quarters (fraud incentives and
attitudes).
The “marketing strategies” describes the plan towards the end of the year to fraudulently
materially increase sales by $22 million and income by $9.2 million (both material amounts).
This strategy was the basis of the actual fraud. Specifically, distributors were given the primary
sales responsibility for analog products, freeing the company to focus its marketing efforts on the
digital market. Distributors were provided various incentives to buy products, including very
large credit limits, access to large retail accounts and key customers previously serviced directly
by the company, profit sharing opportunities, favorable financing terms, and warehousing and
storage. About 70 percent of the distributors signed immediately, with the rest undecided.
Follow-up communications with the undecided distributors proved successful with only 4 not
signing by year-end. Essentially, distributors could agree to “purchase” the products with little
cash payment and a right of return. Subsequently, a highly significant proportion of these
transactions eventually failed to materialize into actual sales, and, thus, revenues and net income
were materially overstated at year-end.
In the low fraud risk setting management is compensated primarily through a base salary
(90%) with no indicated financial pressures to achieve earnings targets. Further, the marketing
strategy was not material (increasing income by $1.1 million) and entailed only the shifting of
responsibilities between distributors and direct company sales.
Manipulation Checks
17
Two questions were asked to determine whether the client risk setting manipulation was
successful: assess the overall level of risk of a material misstatement (inherent risk x control risk)
for the revenue cycle; and assess the level of fraud risk for the revenue cycle. The response scale
for both questions was a 7 point Likert scale: 1=low risk; 4=medium risk; and 7=high risk. As
expected, the mean responses for the first question were significantly higher (t=40.032; p<.001;
one tailed) for the high risk setting (4.16) than for the low risk setting (3.00). Similarly, the mean
response to the second question was significantly higher (t=2.239; p=.014; one-tailed) for the
high risk setting (4.19) than for the low risk setting (3.50). These results indicate participants
encoded the risk manipulations as intended.7
Participants
Participants were 72 audit seniors and four managers from a Big 4 firm who were
identified by a contact person and voluntarily completed the case via the mail.8 The method of
administration (i.e., the mail) was stipulated by the participating firm. Auditors were randomly
assigned to one of the four between-subject experimental conditions. Since our contact person
did not tabulate the number of cases distributed, we are unable to compute the response rate.
Participants were informed they were not to discuss their responses with others, since the study is
looking for individual judgments.
Table 1 provides demographic data on the sample. The number of participants in each
experimental condition ranged from 18-20. As indicated, participants were predominately
seniors (94.5%) and had sufficient general domain experience (mean 3.72 years of auditing
experience).
The task, as discussed earlier, entails initial risk assessment and program planning, which
is the predominant responsibility of audit seniors. Participants possessed the requisite task
18
specific experience in dealing with revenue recognition, which is the type of fraud present in the
high risk version of the experimental case (mean 4.20 on a scale of 1-7 regarding experience on
revenue recognition issues where 1=no prior experience, 4=deal with on a number of occasions,
and 7=deal with this very often). Statistical tests indicated no significant differences (p< .10) in
the demographic variables between the experimental conditions, suggesting successful
randomization of assignment.9
IV. RESULTS
Table 2, panel A presents the ANOVA results examining auditors fraud risk assessments
(H1). There is a significant main effect for risk approach (p=.003, one tailed). The significant
main effect and the means for the experimental conditions are reported in Table 2, panel B along
with simple effect comparison tests in panel C.
The mean fraud risk assessments indicate no significant difference between the high
(mean .297) and low risk (mean .314) conditions for auditors using the ARM risk approach,
suggesting a lack of sensitivity to fraud risks (t=0.259; p=.797). In contrast, for the
decomposition approach the fraud risk assessments are significantly (t=1.788; p=.041 one tailed)
higher in the high risk condition (mean .232) than in the low risk condition (mean 0.104),
supporting H1. Thus, the decomposition approach improved auditors’ accuracy in discriminating
between the low and fraud risk settings, thus, potentially promoting audit effectiveness and
efficiency.
H2 is presented in null form given alternative expectations regarding the impact of the
decomposition condition on the planning of effective fraud tests, i.e., greater awareness of the
need for fraud tests versus insufficient knowledge of effective tests. We use the benchmark set of
13 tests that Asare and Wright (2004) employed as identified by the SEC in its accounting
19
enforcement release on the case. None of these tests were included in the standard audit program
provided to participants, since they do not represent common audit tests.
Two independent individuals coded participants’ responses of additional audit tests
participants planned to perform beyond the standard audit program. The coders had eight and
two years of auditing experience respectively and were blind to the hypotheses of the study and
the experimental condition of participants. The overall level of coding agreement was 82%,
indicating high inter-coder reliability. Coding differences were jointly discussed and reconciled.
If an agreement could not be reached, unresolved differences were then reconciled by one of the
authors.
Table 3 reports the ANOVA results (panel A) with the final reconciled audit tests and the
means for the experimental conditions (panel B). The ANOVA findings do not indicate any
significant main effects nor interactions. In particular, simple effect comparison tests in panel C
show the number of effective tests in the high risk setting do not significantly differ for the
decomposition condition and the ARM condition (cell B versus D), failing to find evidence
rejecting the null H2. Notably, relatively few fraud effective tests were identified (overall mean
.31), corroborating prior research (Asare and Wright 2004). The decomposition approach
coupled with the decision aid to compute the desired risk of special forensic procedures, thus, did
not significantly enhance auditors’ planning of forensic tests.
As will be discussed in the final section, this result may be because of lack of auditor
training and proficiency in designing forensic tests. We also performed an analysis for the
number of standard audit tests selected (maximum of eight). We do not provide an hypothesis for
the effect of the experimental manipulations on the choice of standard tests, since, as discussed,
these tests are not considered to be effective in detecting the fraud. This task was included to
20
provide task realism, since in practice auditors are routinely provided standard audit programs as
a decision aid for program planning. Analyses (untabulated) indicated a mean of about 6.6
standard tests selected for testing out of eight provided in the standard program. There was also a
marginally significant effect for fraud risk setting (p=.095) where auditors planned more
standard tests when fraud risk is high than low. This result corroborates prior research in which
auditors in response to elevated fraud risk “do more of the same tests” (Hammersley et al. 2011,
Asare and Wright 2004).
Table 4 reports the findings of the ANOVA analyses (panel A), means for each
experimental condition (panel B), and simple effects comparison tests (panel C) regarding total
budgeted hours (H3).10 The ANOVA results show a significant main effect for fraud risk. As
anticipated, auditors planned more hours in the high risk setting than the low risk setting.
However, there is no significant interaction between fraud risk and risk approach. In particular,
panel C does not show significantly more budgeted hours in the high risk setting for the
decomposition condition than the ARM condition (cell B versus D). Although the earlier results
indicated the risk approach led to greater sensitivity in assessments of fraud risk, this did not
translate into differences in planned hours in the high vs. low risk settings, and, thus, H3 is not
supported.
Table 5 presents the results regarding H4 on the desire to consult a forensic expert. The
ANOVA findings (Panel A) show a significant main effect for fraud risk (F=13.792; p<.001)
with auditors more likely to consult in the high risk setting than the low risk setting. The
interaction is also significant (p=.048; one-tailed). Providing support for H4, the means in panel
B and the simple effect comparison tests in panel C show, as expected, that the greatest
propensity to seek the counsel of forensic experts is in the high risk, decomposition condition.
21
Additional Analysis
As noted, in the decomposition condition we asked auditors to separately assess the
elements of the fraud triangle: the risk of the presence of incentives to commit fraud (RI); the
risk of the presence of an attitude of management to commit fraud (RA); and the risk of the
presence of opportunities to commit fraud (RO). We compared these assessments for the low risk
setting to the high risk setting to explore which element(s) of the fraud triangle were driving the
higher fraud risks found in testing H1. There are no a priori expectations of which of these risks
would vary, since assessments are likely linked to the specific cues in our experimental case.
Untabulated t-tests indicate that there is a significant difference in the mean assessments of RI
(t=4.461; p=.0001) between the high and low risk settings (.750 and .445 respectively).
However, there are no significant differences for RA and RO. This result suggests auditors are
using the bonus plans evidence correctly in assessing the risk of incentives by management to
commit fraud in the high risk setting.
V. CONCLUSIONS
There are significant expectations by users that auditors will detect material financial
statement fraud during an engagement. An essential element in accomplishing this objective is
proper fraud risk assessment and appropriate program planning regarding the nature and extent
of fraud effective tests. Often standard audit tests will not be effective in uncovering fraud and
tests must, thus, be tailored to the fraud risks present. Further, forensic specialist auditors may be
called in to assist. Prior research (Zimbelman 1997; Favere-Marchesi 2013) has demonstrated
that decomposition of fraud risks enhances auditors’ attention to fraud cues, resulting in more
accurate fraud risk assessments and additional extent of testing.
22
The current study extends that research by examining the impact of further risk
decomposition on auditor fraud planning judgments. Specifically, we hypothesize that
decomposing fraud risk into the elements of the fraud triangle (risk of incentives, opportunities,
and rationalization) and identifying the required level of detection risk of forensic tests needed to
control audit risk will improve fraud program planning decisions. The results of our experiment
indicate that auditors in the decomposition condition exhibit greater sensitivity in fraud risk
assessments in differentiating between a low fraud and a high fraud risk setting. However, this
enhancement in risk assessments is not found to translate to differences in planned hours or more
fraud effective tests. Rather, auditors in the high risk condition select a greater number of
standard audit tests (“do more of the same”), even though these tests may be ineffective in
detecting the fraud. Importantly, though, decomposition was found to result in a greater
propensity to seek forensic experts in the high fraud risk setting, potentially compensating for the
findings suggesting deficiencies in auditors’ planning of fraud effective tests and extent of
testing.
The findings have a number of implications for audit practice and future research. Of
greatest concern is that the increased sensitivity in fraud risk assessments prompted by
decomposition did not then result in enhanced subsequent audit decisions as to the nature and
extent of tests. Rather, consistent with prior research (Zimbelman 1997, Asare and Wright 2004,
Hammersley et al. 2011), auditors in a high fraud risk setting planned to perform a greater
number of standard audit tests. These results raise the central question of why improved risk
assessments did not lead to improved auditor program planning decisions.
One potential explanation is that auditors do not have sufficient experience or training on
how to react to higher fraud risk and detection risk of forensic procedures by designing fraud
23
effective tests. Few auditors have had direct experience with identifying managerial fraud. Will
additional training or decision aids (e.g., identification of potential fraud tests) significantly help
to address this issue? For instance, auditing firms may provide a list of potentially effective fraud
tests to select from if fraud risk is assessed at a high level. Or, is it more cost-ineffective to not
expect financial statement auditors to be proficient in the area of fraud detection and instead
ensure forensic auditors are brought in when fraud risk is high? These questions are important
issues for future research and practice.
There are limitations of this research study that should be considered in interpreting the
findings. First, because the decomposition treatment involves several cognitive and
computational elements not explicit in the ARM condition or in prior research, there is some
uncertainty as to the specific cause of any differences in our results vis-à-vis prior studies.
Secondly, we present auditors with an actual, disguised fraud case, which focuses on a revenue
recognition issue (“channel stuffing”). Since the International Auditing Standard on Fraud (ISA
240, 2009, para 26) indicates there is always a presumption of fraud in revenue recognition, this
context may have focused auditors more on the possibility of fraud than for other accounts,
which may bias us against supporting our hypotheses positing advantages of the decomposition
condition. Thus, we do not have a basis to determine whether or how the findings may vary for
other types of frauds or when there are multiple frauds present.
Further, auditors in our experiment make independent risk assessments and program
planning decisions while in practice these judgments are made in a hierarchical group setting.
(See Libby and Luft (1993), Rich, Solomon, and Trotman (1997), and Nelson and Tan (2005) for
an in depth consideration of the impact of group processes in an audit setting.) Thus, we cannot
determine the effects of decomposition when, for instance, there is the presence of brainstorming
24
or of the review process that could impact collective risk assessments, program planning, or final
engagement decisions. Additionally, we focus on the efficacy of a specific fraud risk assessment
and program planning analytical model. While the model examined is derived from auditing
standards, future experimental research may wish to test other comprehensive models. Finally,
auditors completed the experiment on their own time and were not accountable, whereas on an
engagement the auditor is often under time constraints and is subject to accountability. Future
research may examine the generalizability of our results under these conditions that may affect
auditor motivations. These limitations in scope represent promising additional avenues for future
research.
25
Table 1
Demographic Data (n=71)
Panel A: Categorical Variables
Variable
N
Position: Senior
72 (94.7%)
Manager
4 (5.3%)
CPA
42 (56%)
Panel B: Continuous Variables
Variable
Mean (SD)
Minimum
Maximum
Auditing experience (years)
3.82 (1.36)
1
10
Experience with revenue recognition issues
4.20 (1.37)
2
7
Primary industry specialization (years)
3.13 (1.67)
0
10
Secondary industry specialization (years)
1.04 (1.45)
0
7
Notes:
(1) Decomposition=fraud risk model; ARM=audit risk model with separate fraud risk assessment
(2) Experience with revenue recognition: response scale— 1=No prior experience; 4=Dealt with
on a number of occasions; 7=Dealt with this very often.
26
Table 2
Fraud Risk Assessments (H1)
Panel A: Anova results
Source
Sum of
Squares
df
Mean
Square
F
Sig.
Intercept
4.244
1
4.244
93.841
.000
Risk approach (RA)
.357
1
.357
7.901
.006
Fraud risk (FR)
.058
1
.058
1.292
.259
RA x FR
.100
1
.100
2.216
.141
Error
3.256
72
.045
Total
7.975
76
Note:
Risk approach: ARM vs. decomposition fraud risk assessment
Fraud risk: low risk vs. high risk
Panel B: Descriptive statistics
Mean (SD) [N]
Fraud Risk Condition
Risk Approach
Low Fraud Risk
High Fraud Risk
Total
ARM
[A] .314 (.164) [18]
[B] .297 (.234) [20]
.305 (.202) [38]
Decomposition
[C] .104 (.134) [20]
[D] .232 (.293) [18]
.164 (.262) [38]
Total
.203 (.178) [38]
.266 (.227) [38]
.235 (.225) [76]
Note: Dependent variable— fraud risk assessment 0-1.00 (probability of fraud where 0=no
chance of occurrence and 1.00=100% chance of occurrence.
27
Panel C: Follow-Up Simple Effect Tests
Cell Comparison
Mean Difference
S.E.
t-value
(1) A versus B
0.17
0.07
0.726
(2) A versus C
0.21
0.05
4.477
***
(3) A versus D
0.82
0.79
1.032
(4) B versus C
0.19
0.06
3.254
***
(5) B versus D
0.65
0.09
0.754
(6) C versus D
-0.13
0.07
-1.788*
*** p<0.01, ** p<0.05, * p<0.10
28
Table 3
Number of Fraud Effective Tests
Panel A: ANOVA results
Source
Sum of
Squares
Df
Mean
Square
F
Sig.
Intercept
7.4
1
7.4
15.9
.001
Risk approach (RA)
0.4
1
0.4
0.8
0.399
Fraud risk (FR)
0.0
1
0.0
0.0
0.92
RA x FR
0.5
1
0.5
1.2
.28
Error
34.6
74
0.5
Total
42.9
78
Note:
Risk approach: ARM vs. decomposition fraud risk assessment
Fraud risk: low risk vs. high risk
Panel B: Descriptive statistics
Mean (SD) [N]
Fraud Risk Condition
Risk Approach
Low Fraud Risk
High Fraud Risk
Total
ARM
[A] 0.45 (0.72) [20]
[B] 0.30 (0.92) [20]
0.38 (0.82) [40]
Decomposition
[C] 0.15 (0.37) [20]
[D] 0.33 (0.59) [18]
0.24 (0.49) [36]
Total
0.30 (0.58) [40]
0.32 (0.78) [38]
0.31 (0.68) [78]
Note: Dependent variable— Number of fraud effective tests identified
29
Panel C: Follow-Up Simple Effect Tests
Cell Comparison
Mean Difference
S.E.
t-value
(1) A versus B
0.15
0.26
0.580
(2) A versus C
0.30
0.18
1.671
*
(3) A versus D
0.12
0.22
0.549
(4) B versus C
0.15
0.22
0.675
(5) B versus D
-0.03
0.26
0.131
(6) C versus D
-0.18
0.16
-1.158
*** p<0.01, ** p<0.05, * p<0.10
Table 4
Total Budgeted Hours (H3)
Panel A: Anova results
Source
Sum of
Squares
df
Mean
Square
F
Sig.
Intercept
436,902
1
436,902
1,949
.00
Risk approach (RA)
6.8
1
6.8
0.0
.86
Fraud risk (FR)
2,705
1
2,705
12.019
.00
RA x FR
146.6
1
146.6
0.7
.42
Error
16,207
72
225
Total
455,793
76
Note:
Risk approach: ARM vs. decomposition fraud risk assessment
Fraud risk: low risk vs. high risk
Panel B: Descriptive statistics
Mean (SD) [N]
Fraud Risk Condition
Risk Approach
Low Fraud Risk
High Fraud Risk
Total
ARM
[A] 71.70 (12.43) [20]
[B] 80.88 (16.26) [20]
76.29 (15.02) [40]
Decomposition
[C] 68.32 (17.85) [20]
[D] 83.06 (12.54) [18]
75.28 (17.07) [38]
Total
70.05 (15.20) [40]
81.89 (14.51) [38]
75.81 (15.92) [78]
Note: Dependent variable— Total Budgeted Hours
27
Panel C: Follow-Up Simple Effect Tests
Cell Comparison
Mean Difference
S.E.
t-value
(1) A versus B
-9.19
4.58
2.005**
(2) A versus C
3.38
4.90
0.690
(3) A versus D
-11.36
4.12
-2.760***
(4) B versus C
12.56
5.46
2.299**
(5) B versus D
-2.18
4.84
0.451
(6) C versus D
-14.74
5.20
-2.835***
*** p<0.01, ** p<0.05, * p<0.10
28
Table 5
Consultation With Forensic Expert (H4)
Panel A: ANOVA results
Source
Sum of
Squares
df
Mean
Square
F
Sig.
Intercept
1,469.3
1
1,469.3
454.34
.000
Risk approach (RA)
3.1
1
3.10
0.96
.331
Fraud risk (FR)
44.6
1
44.6
13.79
.000
RA x FR
9.2
1
9.2
2.85
.048
Error
219.9
68
3.2
Total
1,750.5
72
Notes:
(1) Risk approach: ARM vs. decomposition fraud risk assessment
Fraud risk: low risk vs. high risk
(2) Significance levels are one-tailed when the results are consistent with
expectations, otherwise they are two-tailed.
Panel B: Descriptive statistics
Mean (SD) [N]
Fraud Risk Condition
Risk Approach
Low Fraud Risk
High Fraud Risk
Total
ARM
[A] 3.89 (1.50) [20]
[B] 4.75 (1.77) [20]
4.34 (1.69) [40]
Decomposition
[C] 3.59 (0.94) [20]
[D] 5.88 (2.60) [18]
4.74 (2.25) [38]
Total
3.74 (1.25) [40]
5.27 (2.23) [38]
4.53 (1.87) [78]
Note: Dependent variable— consultation with forensic expert 1=no necessity to consult;
5=moderate necessity to consult; 10=high necessity to consult
Panel C: Follow-Up Simple Effect Tests
Cell Comparison
Mean Difference
S.E.
t-value
(1) A versus B
-0.86
0.54
-1.606
(2) A versus C
0.30
0.43
0.706
(3) A versus D
-1.99
0.71
-2.802
***
(4) B versus C
1.16
0.48
2.424
**
(5) B versus D
-1.13
0.72
-1.569
*
(6) C versus D
-2.29
0.67
-3.427
***
*** p<0.01, ** p<0.05, * p<0.10
28
Exhibit 1
Task Analysis/Comparison for Risk Assessment Condition
Task Step
ARM
Fraud Risk Assessment based on SAS 99
Decomposition
:FR Assessment with explicit assessment of fraud triangle
factors and application of the SMT algorithm
Step 1
Case
Introduction
Review introduction/purpose and client
[Precision Equipment] details. Fraud risk
[high/low] varies according to risk treatment
Same
Step 2
Risk Guidance
Review
Review SAS 107 AAR Guidance where:
AAR=IR*CR*APR*TD = RMM*DR.
Review SAS 107 AAR Guidance where:
AAR=IR*CR*APR*TD = RMM*DR.
Review SAS 99 guidance where:
FR = RI*RA* RO*RSP
Step 3
Provide Risk
Assessments
using a scale
from 0.00 to
1.00
3.1 Assess the components of AAR where
AAR is stated to be set at a low level of .05
to .10.
3.2 Calculate the Risk of a Material Error
= IR*CR*APR*TD
3.3 Assess SAS 99 FR
3.1 Same.
3.2 Same.
3.3 - Assess RI, RA, and RO.
- Compute FR assuming RSP = 1.0 [no special procedures
have been performed].
- Assuming your firm plans to achieve a FR < or = 0.05
and using the SMT algorithm, calculate the desired RSP in the
audit program
Step 4
Program
Planning
Specify:
a. Audit Program Plan,
b. Budgeted Hours and
c. Need for consultation of forensic experts
Same
Step 5
Demographics and manipulation check.
Same
Exhibit 2: Details on Risk Treatmentxi
Case Version: Low Risk
Assessment of the Control Environment and Preliminary Judgment of Materiality
Top management is compensated through a base salary (90%), and stock options (10%). The
management team is well respected in the business community and turnover among top
management has been infrequent.
Marketing Strategies
The only change since interim was the implementation of a marketing program in November in
response to distributor incentives granted by key competitors. The marketing program increased
revenue and net income by $10 million and $1.1 million, respectively. Discussions with key
company personnel revealed that Precision Equipment felt it was necessary to take this action in
response to market changes and competitor actions. You have gathered the following
information about the client’s November marketing strategy.
In late 2006, management decided that a reallocation of marketing responsibilities among its
sales channels would offer the best means of meeting its strategic goals. The company’s
products, both analog and digital, had been sold to end-users primarily through two channels:
directly, i.e., through a sales force of employees; and through authorized distributors, who
purchased measurement products from the company for resale to end-users. Management
believed that by giving the distributors greater sales responsibility for the traditional analog
segment of its product line, the company’s direct sales force could devote increased resources
and efforts to the sale of the digital products.
Case Version: High Risk
Assessment of the Control Environment and Preliminary Judgment of Materiality
Top management is compensated through a base salary (50%), an earnings-based bonus plan
(30%) and stock options (20%). As with most public companies in the client’s industry, there is
significant pressure for management to meet analysts’ earnings forecasts. Management places
great importance on achieving or exceeding sales and other financial forecasts. The company has
met or exceeded sales goals for 12 consecutive quarters. The management team is well respected
in the business community and turnover among top management has been infrequent.
30
Marketing Strategies
The only change since interim was the implementation of a marketing program in November in
response to distributor incentives granted by key competitors. The marketing program increased
revenue and net income by $22 million and $9.2 million, respectively. Discussions with key
company personnel revealed that Precision Equipment felt it was necessary to take this action in
response to market changes and competitor actions. You have gathered the following
information about the client’s November marketing strategy.
In late 2006, management decided that a reallocation of marketing responsibilities among its
sales channels would offer the best means of meeting its strategic goals. The company’s
products, both analog and digital, had been sold to end-users primarily through two channels:
directly, i.e., through a sales force of employees; and through authorized distributors, who
purchased measurement products from the company for resale to end-users. Management
believed that by giving the distributors primary sales responsibility for the traditional analog
segment of its product line, the company’s direct sales force could devote increased resources
and efforts to the sale of the digital products.
In November 2006, to further this strategy of shifting analog sales responsibility to distributors,
Precision launched a new marketing program under which distributors were asked to purchase a
minimum amount of analog systems. The minimum amount was based on the inventory of
analog devices (1.8 million units) divided by the pro-rata share of overall distributor sales. To
encourage the distributors to participate, Precision offered to provide end-users with incentives
(discussed below) to buy analog systems from distributors. This incentive would help the
distributors resell the inventory they were purchasing from the promotion. Precision also offered
several incentives, including profit-sharing opportunities, to encourage distributors to participate
in the Program.
To further assist sales by the distributors, the Program would provide them with access to large
retail accounts, hospitals and physicians that had previously been serviced by Precision directly.
Further, under the Program, Precision would permit distributors to share in incremental profits
resulting from expansion of Precision’s share of the market.
Precision devised other initiatives to help boost sales of the analog systems. Primary among
these initiatives was the “Premier Digital” Program, through which retailers, who purchased
analog systems from the distributors, earned frequent-flyer type points that could be used to
obtain discounts on the digital units. This program was becoming more commonplace as the
industry growth slowed down and distributors were being pursued by equipment manufacturers
(see the industry summary).
As part of the promotion program, Precision required that each distributor sign a promissory note
for amounts owed. Under the terms of the promissory note, all amounts owed to Precision,
including the November Program purchases, would have to be satisfied in full by June 2007. The
note also required distributors to make payments on their November Program balances calculated
to coincide with expected product sell-through. In June 2007, the note required distributors to
31
make a “balloon” payment for their outstanding balances, which Precision estimated would be
approximately 70% of the November Program purchases.
On November 13, 2006, Precision held a meeting with its distributors to present them the
Program. The marketing initiative was largely successful with distributors signing up for large
orders of analog systems. About 70 percent of the distributors signed immediately with the rest
being undecided. Follow-ups with the undecided distributors proved successful with only 4 not
signing by year-end.
On December 10, 2006, the controller prepared a summary memorandum requesting credit limit
increases for 11 distributors. The memorandum described the results of the November
promotion, the potential strategic benefits of the Program, the intended reliance upon promissory
notes to secure the distributors credit balances, and the payment history and status of the 11
distributors. Top management approved the requested credit limit increases based upon this
summary memorandum.
Finally, several distributors indicated, during and after the November 13 meeting, that they did
not have sufficient capacity to store additional products in their warehouses. As an
accommodation to these distributors, Precision arranged to hire freight forwarders and
warehouse facilities.
At this point, management was quite pleased with the success of the marketing program; its
continued impact will depend on how competitors respond.
32
Exhibit 3: Case Requirements, Risk Guidance Overview, Detailed instructions and
illustrations of the Risk Assessment Tool
Case Requirements:
Based on the above information, you are now asked to provide a number of risk assessments and
other audit decisions. Please complete these in the order that follows. You may review any of the
prior client information as needed.
Guidance on completing risk assessments
Current practice [firm policies] requires the assessment of various risks to plan the nature and
extent of substantive audit work. Your firm guidance indicates the following risks should be
considered:
The audit risk formula of SAS 107:
AAR = IR x CR x APR x TD = RMM x DR
Where:
AAR= Acceptable audit risk – The risk that the auditor may unknowingly fail to
appropriately modify her or her opinion on financial statements that are materially
misstated
IR = Inherent Risk – The susceptibility of a relevant assertion to a misstatement that could
be material, either individually or when aggregated with other misstatements,
assuming that there are related controls
CR = Control Risk – The risk that a misstatement that could occur in a relevant assertion
and that could be material, either individually or when aggregated with other
misstatements, will not be prevented or detected on a timely basis by the entity’s
internal control.
APR = Analytical Procedure Risk – The risk that the analytical procedures conducted by the
auditor will not detect a misstatement that exists in a relevant assertion that could be
material, either individually or when aggregated with other misstatements
TD = The risk that the test of details conducted by the auditor will not detect a
misstatement that exists in a relevant assertion that could be material, either
individually or when aggregated with other misstatements
And
RMM= the risk of material misstatement which is equal to the product of IR and CR
DR= the detection risk (the product of AP and TD
33
Guidance on Fraud Risk Assessment: Computational Tool Provided
In addition to the above guidance, SAS 99 requires auditors to consider the likelihood of fraud
based on the “fraud risk triangle”. Fraud risk [FR] can be viewed as the product of four risks:
FR = RI x RA x RO x RSP
RI = Risk that incentives are present after considering the impact of safeguards in place
RA = Risk that attitude to commit fraud is present after considering the impact of
safeguards in place
RO = Risk that opportunities are present after considering the impact of safeguards in
place
RSP = Risk that Special (Forensic and Other) Procedures fail to detect fraud. If no special
procedures are performed then set RSP = 1.0. This is similar to detection risk as
applied to detecting fraud.
Assessment of Risks: Based upon the client information provided and the above guidance,
please indicate the following risk assessments using a scale from 0.00 to 1.00, where 0.00
= no chance of occurrence, 0.50 = a 50% chance of occurrence or similar to a coin flip,
and 1.00 = a 100% chance of occurrence. You may use any number in the range 0.00
through 1.00:
1. Acceptable Audit Risk (AAR). Typically acceptable audit risk is set at a low level
between .05 and .10
AAR = _____
2. Inherent Risk (IR)
IR = _____
3. Control Risk (CR).
CR = _____
4. Analytical Procedure Risk (APR).
APR = _____
5. Test of Details Risk (TD).
TD = _____
6. Risk of a Material Error. Using your assessments in questions 2-4, calculate the risk that
client’s revenue account contains an unintentional material misstatement
34
IR x CR x APR x TD = (_____)x(_____) x(_____) x(______) = _______
The following questions deal with assessing the risk of fraud using the fraud risk equation
discussed above.
FR (Fraud risk) = RI x RA x RO x RSP
Based on the information provided to you on the client, please indicate the following risk
assessments using a scale from 0.00 to 1.00, where 0.00 = no chance of occurrence, 0.50 = a 50%
chance of occurrence or similar to a coin flip, and 1.00 = a 100% chance of occurrence. You may
use any number in the range 0.00 through 1.00:
7. Risk of the presence of Incentives to commit fraud (RI). The risk that management has
incentives to commit fraud.
RI = _____
8. Risk of the presence of Attitude to commit fraud (RA). The risk that management has
attitude to commit fraud.
RA = _____
9. Risk of the presence of Opportunities to commit fraud (RO). The risk that management
has opportunities to commit fraud.
RO = _____
10. Risk of Fraud (FR). Compute the fraud risk (FR) using the fraud risk model
(FR = RI x RA x RO x RSP) and your assessed values of RI, RA, and RO, above, with the
assumption that you have not performed any special procedures, i.e., RSP = 1.0. Insert the
values you place above in questions 6-8.
Computed Fraud Risk = RI x RA x RO x RSP = (_____)x(_____) x(_____) x(1.0) = _____
11. Risk of Special Procedures (RSP). Assume that your firm plans to achieve a 0.05 level of
fraud risk (i.e., FR = 0.05) in order to give a clean opinion, using your responses above to
questions 6-8 compute the level of risk desired by the special procedures that will fail to detect
material management fraud.
FR 0.05
RSP = =
RIxRAxRO ( )x( )x( )
=
______
Program Plan for the Revenue Cycle
As noted earlier, your next task is to finalize the audit program for the Revenue cycle. Below, a
preliminary substantive audit program is presented based on last year’s (2005) end-of-year
program and information up to the interim date. The audit partner has asked you to review and
35
update the program based on current year’s circumstance. As in practice, you are free to change
the program plan in any way, including increasing or decreasing the nature and/or extent of tests.
Place a check mark by all procedures you feel are necessary. You are free to add (or delete) as
many additional procedures that you believe are necessary for the firm to achieve its desired
audit risk. However, keep in mind that efficiency is also important to keep the audit at a
reasonable cost. That is, assume that the audit partner will evaluate your program on its
effectiveness (risk reduction) as well as efficiency (cost containment).
After determining the tests to be conducted, you are also asked to plan the “EXTENT” of audit
work (total budgeted hours by staff level). Please update the following program which has been
culled from the September 2006 interim work papers of this client.
36
Guidance on Fraud Risk Assessment: Computational Tool NOT Provided
Guidance on completing risk assessments
Current practice [firm policies] requires the assessment of various risks to plan the nature and
extent of substantive audit work. Your firm, guidance indicates the following risks should be
considered:
The audit risk formula of SAS 107:
AAR = IR x CR x APR x TD = RMM x DR
Where:
AAR= Acceptable audit risk – The risk that the auditor may unknowingly fail to
appropriately modify her or her opinion on financial statements that are materially
misstated
IR = Inherent Risk – The susceptibility of a relevant assertion to a misstatement that could
be material, either individually or when aggregated with other misstatements,
assuming that there are related controls
CR = Control Risk – The risk that a misstatement that could occur in a relevant assertion
and that could be material, either individually or when aggregated with other
misstatements, will not be prevented or detected on a timely basis by the entity’s
internal control.
APR = Analytical Procedure Risk – The risk that the analytical procedures conducted by the
auditor will not detect a misstatement that exists in a relevant assertion that could be
material, either individually or when aggregated with other misstatements
TD = The risk that the test of details conducted by the auditor will not detect a
misstatement that exists in a relevant assertion that could be material, either
individually or when aggregated with other misstatements
And
RMM= the risk of material misstatement which is equal to the product of IR and CR
DR= the detection risk (the product of AP and TD)
Assessment of Risks: Based upon the client information provided and the above guidance,
please indicate the following risk assessments using a scale from 0.00 to 1.00, where 0.00 = no
chance of occurrence, 0.50 = a 50% chance of occurrence or similar to a coin flip, and 1.00 = a
100% chance of occurrence. You may use any number in the range 0.00 through 1.00:
2. Acceptable Audit Risk (AAR). Typically acceptable audit risk is set at a low level
between .05 and .10
AAR = _____
2. Inherent Risk (IR)
IR = _____
3. Control Risk (CR).
CR = _____
4. Analytical Procedure Risk (APR).
APR = _____
5. Test of Details Risk (TD).
TD = _____
6. Risk of a Material Error. Using your assessments in questions 2-4, calculate the risk that
client’s revenue account contains an unintentional material misstatement
IR x CR x APR x TD = (_____)x(_____) x(_____) x(______) = ____________
Finally, as you are aware, SAS 99 also requires the auditor to assess the likelihood that there is a
material fraud present. Please assess this risk.
7. Risk of Fraud (FR).
FR = _____
29
References
American Institute of Certified Public Accountants (AICPA). 2006. Statement on Auditing
Standards No. 107: Audit Risk and Materiality in Conducting an Audit, New York, New
York: AICPA.
American Institute of Certified Public Accountants (AICPA). (2002). Consideration of Fraud in
a Financial Statement Audit. Statement on Auditing Standards (SAS) No. 99, New York,
New York: AICPA.
Asare, S., and A. Wright, A. 2004t The effectiveness of alternative risk assessment and program
planning tools in a fraud setting, Contemporary Accounting Research, Summer, Vol. 21:
325-352.
Asare, S., Wright, A., and M. Zimbelman. (2015), Challenges Affecting Auditors’ Detection of
Financial Statement Fraud: Insights from Fraud Examinations. Journal of Forensic &
Investigative Accounting (July-December): 68-111..
Bonner, S. (1990), ‘Experience effects in auditing: The role of task specific knowledge’, The
Accounting Review, Vol. 65, No. 1, pp. 72-92.
Boritz, E., N. Kochetova-Kozloski and L. Robinson (2011) Are fraud specialists effective at
modifying audit programs in the presence of fraud risk? Working Paper, University of
Waterloo.
Brazel J. F., T. D. Carpenter and J.G Jenkins (2010) Auditors’ Use of Brainstorming in the
Consideration of Fraud: Reports from the Field The Accounting Review Vol. 85, No. 4
pp. 1273–1301.
Dyck, A., Morse, A, & Zingales, L. (2010), ‘Who blows the whistle on corporate fraud?’,
Journal of Finance, Vol. 65, Issue 6, pp. 2213-2253.
Favere-Marchesi, M. (2013) Effects of decomposition and categorization on fraud-risk
assessments. Auditing: A Journal of Practice & Theory, Vol. 32, No. 4, pp. 201-219.
Hammersley, J. (2011), ‘A review and model of auditor judgments in fraud-related planning
tasks’, Auditing: A Journal of Practice & Theory, Vol. 30, No. 4, pp. 101-128.
Hammersley, J, Johnstone, K., & Kadous, K. (2011), ‘How do audit seniors respond to
heightened fraud risk?’ Auditing: A Journal of Practice & Theory, Vol. 30, No. 3, pp.
81-101.
Hoffman, V. and M. Zimbelman (2009) Do Strategic Reasoning and Brainstorming Help Auditors
Change Their Standard Audit Procedures in Response to Fraud Risk? The Accounting Review
(May): 811-829.
Houston, R., Peters, M., & Pratt, J. (1999), ‘The Audit Risk Model, business risk and audit-
planning decisions’, The Accounting Review, Vol. 74, No. 3, pp. 281-298.
30
International Auditing and Assurance Standards Board (IAASB). (2009), International Standard
on Auditing 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of
Financial Statements.
IAASB. 2003. Identifying and assessing the risks of material misstatement through
understanding the entity. International Standards on Auditing 315. New York, NY:
IFAC.
Johnson, P., Grazioli, S., & Jamal, K. (1993), ‘Fraud detection: Intentionality and deception in
cognition’, Accounting, Organizations, and Society, Vol. 18, pp. 467-488.
Libby, R. and J. Luft. (1993). Determinants of judgment performance in accounting setting:
Ability, knowledge, motivation, and environment. Accounting, Organizations and
Society. (July). 18, 5: 425-450.
KPMG. (2009), Fraud Survey 2009, KPMG, Montvale, New Jersey.
Mock, T. J. & Turner, J. L. (2005), ‘Auditor Identification of Fraud Risk Factors and Their
Impact on Audit Programs’, The International Journal of Auditing, Vol. 9, Issue 1, pp.
59-77.
Nelson, M. and Hun‐Tong Tan (2005) Judgment and Decision Making Research in Auditing: A
Task, Person, and Interpersonal Interaction Perspective. AUDITING: A Journal of
Practice & Theory (Supplement) 24, 1: 41-71.
Norman, C., Rose, A., & Rose, J. (2010), ‘Internal audit reporting lines, fraud risk
decomposition, and assessments of fraud risk’, Accounting, Organizations & Society,
Vol. 35, pp. 546–557.
Public Company Accounting Oversight Board (PCAOB). (2007). Observations of Auditors’
Implmentation of PCAOB Standards Relating to Auditors’ Responsibilities with Respect
to Fraud. Release No. 2007-01. January 22, 2007. Washington D.C.: PCAOB.
Public Company Accounting Oversight Board (PCAOB). (2010). AS 8: Audit Risk. Washington
D.C.: PCAOB
Public Oversight Board. (2000). The Panel on Audit Effectiveness. Stamford, CT: Public
Oversight Board.
Raiffa, H. (1968. Decision Analysis: Introductory Lectures on Choices under Uncertainty.
Reading, Mass.: Addison-Wesley.
Rich, J., Solomon, I., and K. Trotman. (1997) Multi-auditor judgment/decision making research:
A decade later. Journal of Accounting Literature. 16: 86-126.
31
Securities and Exchange Commission. (1998). Release no. 987: In the Matter of Bausch & Lomb
Incorporated, Harold O. Johnson, Ermin Ianacone, and Kurt Matsumoto, Respondents.
Commerce Clearing House, Inc.
Shelton, S., Whittington, R. and D. Landsittel. 2001. Auditing firms’ fraud risk assessment
practices. Accounting Horizons (March), pp. 19-33.
Shibano, T. (1990), ‘Assessing audit risk from errors and irregularities’, Journal of Accounting
Research (supplement), Vol. 28, pp. 110-140.
Srivastava, R. P., T. J. Mock, and L. Gao. 2011. The Dempster-Shafer Theory of Belief
Functions for Managing Uncertainties: An Introduction and Fraud Risk Assessment
Illustration. Australian Accounting Review, Vol. 21 (3), pp. 282–291.
Srivastava, R. P., Mock, T. J. & Turner, J. (2007), ‘Analytical Formulas for Risk Assessment for
a Class of Problems where Risk Depends on Three Interrelated Variables’, International
Journal of Approximate Reasoning, Vol. 45, pp. 123–151.
Srivastava, R., Mock, T. J. & Turner, J. L. (2009), ‘Bayesian Fraud Risk Formula for Financial
Statement Audits’, Abacus, Vol. 45, No. 1, pp. 66-87.
Stice, J. (1991), ‘Using financial and market information to identify pre-engagement factors
associated with lawsuits against auditors’, The Accounting Review, Vol. 66, No. 3, pp.
516-533.
Trompeter, G., Carpenter, T., Desai, N., Jones, K. and R. Riley (2013) A Synthesis of fraud-
related research. Auditing: A Journal of Practice & Theory, Vol. 32, No. 1, pp. 287-321.
Verwey, I. (2014). Differences between Public Auditors and Forensic Accountants in their
Ability to Identify Fraud Risks and Plan Effective Procedures to Mitigate Fraud Risks,
PhD dissertation, Nyenrode University, the Netherlands.
Whittington, R. and C. Pany. 2014. Principles of Auditing & Other Assurance Services. 19th
Edition. (Mc-Graw-Hill, Irwin).
Wilks, T. & Zimbelman, M. (2004), ‘Using game theory and strategic reasoning concepts to
prevent and detect fraud’, Accounting Horizons, Vol. 18, pp. 173-184.
Zimbelman, M. (1997), ‘The effects of SAS No. 82 on auditors’ attention to fraud risk factors
and audit planning decisions’, Journal of Accounting Research (supplement), Vol. 35, pp.
75-104.
32
Endnotes
1 The focus of our study is on financial reporting fraud rather than misappropriations. For brevity, we use the term
“fraud” to refer to financial reporting fraud.
2 The Audit Risk Model is expressed as AAR = IR x CR x APR x TD. AAR (audit risk) is the risk that the
auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially
misstated. IR (inherent risk) is the risk of susceptibility of a relevant assertion to a misstatement that could be
material, either individually or when aggregated with other misstatements, assuming that there are no related
controls. CR (control risk) is the risk that a misstatement that could occur in a relevant assertion and that could be
material, either individually or when aggregated with other misstatements, will not be prevented or detected on a
timely basis by the entity’s internal control. APR (analytical procedures risk) is the risk that analytical procedures
will fail to detect a misstatement that exists in a relevant assertion that could be material, either individually or when
aggregated with other misstatements. TD (test of details risk) is the risk that the other procedures conducted by the
auditor will not detect a material misstatement. This model is also expressed as AAR = RMM x DR (SAS 107,
AICPA 2006), where RMM is the risk of material misstatement because of inherent factors and weaknesses in the
accounting control systems.
3 Given auditors’ primary responsibility is to engage in planning activities to detect fraud when present, our focus in
this study is on audit effectiveness. Of note, we also obtain findings regarding audit efficiency. As reported in the
pairwise comparison tests in panel C of Table 2-5 (conditions A versus C), we find some evidence of audit
inefficiency for the ARM condition versus the decomposition in terms of unwarranted higher fraud risk (t=4.48;
p<.01) and planned effective tests (t=1.61; p< .10) in the low fraud risk setting.
4 While the focus of the current study is on the effects of decomposition of risks using an analytical model to aid
auditors’ fraud risk assessments and program planning, there are other approaches that may aid auditors in fraud
detection. For instance, there have been studies on the beneficial effects of fraud brainstorming (Brazel et al. 2010)
and the use of strategic reasoning (Hoffman and Zimbelman 2009). See Trompeter et al. (2013) for a comprehensive
review of the literature on auditor fraud detection.
5 Norman et al. (2010) replicate the study by Wilks and Zimbelman (2004) with internal auditors given their
different responsibilities, incentives, and accountabilities as compared to external auditors. The results indicate that
decomposition led to greater sensitivity of internal auditors to management attitudes for both high and low risk
settings. This finding is consistent with the focus of internal auditors in considering internal controls to address risks
relating to management opportunities and incentives. Thus, the effects of decomposition vary for internal and
external auditors. The focus of the current study is on external auditors.
6 As stated in footnote 12 in paragraph 26 of SAS 107: Risk of material misstatement (RMM) is the product of
inherent risk (IR) and control risk (CR); and detection risk (DR) is the product of test of details risk (TD) and
substantive analytical procedures risk (AP). In our formulation we add ‘R’ to indicate these are both detection risks.
7 We did not design a manipulation check for the risk approach manipulation, since this entails making fewer
(holistic) versus more (decomposition) risk assessments. This was a direct and obvious manipulation.
8 The analyses were rerun excluding the 4 managers, and the results were qualitatively the same. Thus, subsequent
reporting of the results includes all participants.
9 None of the demographic variables are significant covariates in the analyses as well.
10 We also performed separate ANOVA analyses for each level (staff, seniors, managers, and partners), and the
results show the same pattern across levels of a significant main effect for fraud risk (i.e., more hours when risks are
high than low) but no main effect for risk approach (ARM versus decomposition) nor interaction between fraud risk
and risk approach.
xi Copies of the instruments are available from the first author.
