LINKAGES BETWEEN AUDITORS' RISK ASSESSMENTS IN A RISK-BASED AUDIT

Natalia Kotchetova
Assistant Professor
School of Accountancy
University of Waterloo
nkotchet@uwaterloo.ca
Thomas M. Kozloski
Assistant Professor
School of Business & Economics
Wilfrid Laurier University
tkozloski@wlu.ca
William F. Messier, Jr.
Deloitte & Touche LLP Professor
School of Accountancy
Georgia State University
and
Department of Accounting, Auditing and Law
Norwegian School of Economics and Business Administration
bmessier@gsu.edu

August 2006

The authors would like to thank participants at the 2004 New England Behavioral Accounting
Research Symposium, the 2005 American and Canadian Accounting Associations' Annual
Meetings, the EARNet Symposium 2005, and workshops at Georgia State University and the
University of Waterloo. Special thanks to Stan Biggs, Larry Brown, Christine Earley, Craig
Emby, Lynn Hannan, Sue McCracken, Drew Newman, Ed O'Donnell, Luc Quadackers, Ira
Solomon, Scott Vandervelde, and Alan Webb for their helpful comments.

Abstract
This paper examines auditors' assessment of strategic business risks and their linkage of those
risks to the risk of misstatement in the financial statements. More specifically, we examine the
linkage between (1) auditors' identification of business risks and their assessments of the risk of
material misstatement at the entity level; (2) their performance of business process analysis and
related process-level risk assessments; and (3) their assessments of the risk of material
misstatement at account level. These linkages are required during a risk-based audit, and we test
six hypotheses related to them. Our results show that auditors document a greater number of
specific business risks threatening the client entity when residual strategic risk is high; also, the
more business risks are identified by the auditors, the more financial statement implications are
identified; and the higher the assessment of client business risk by auditors the higher the
assessment of the entity level risk of material misstatement. At the level of a business process,
we find that performing a formal business process analysis affects the auditors' business process
risk assessments. Specifically, the business process risk assessments of auditors who perform a
business process analysis do not differ across core and supporting processes, while the auditors
who do not perform a business process analysis assess risk for the core process higher than for
the supporting process. With respect to the auditors' assessments of the risk of material
misstatement at the financial statement account level, these assessments are directly related to the
auditors' assessments of the risk of material misstatement at the entity level. When auditors
assess the risk of material misstatement in the accounts and transactions affected by the business
process, their judgments are influenced by their process-level business risk assessments and not
by their assessments of the entity-level client business risk or by residual strategic risk.
Cumulatively, these results indicate that auditors follow the sequential belief updating structure
of the audit risk assessment workflow as prescribed by recently promulgated audit risk standards
(AICPA 2006; IAASB 2004a).

Key words: Business risks, Risk-based audits, Business Processes


Availability of Data: The data are available from the first author upon request.

I. INTRODUCTION
This paper examines the linkages that underlie the risk-based audit approach outlined in
the recently issued risk assessment auditing standards and adopted by the major public
accounting firms. 1 More specifically, we examine the linkages between the auditors'
identification of business risks and their assessments of the risk of material misstatement at the
entity level, their performance of business process analysis and related process-level risk
assessments, and their final assessments of the risk of material misstatement at the account level.
We believe this is the first study to examine the linkages of auditors' risk assessments throughout
the planning process of a risk-based audit. Because previous auditing standards and related firm
methodologies have been criticized for not being sufficiently rigorous and explicit regarding
these linkages (e.g., Bell et al. 1997; Jeppessen 1998; Weil 2004), the findings of this study have
important implications for regulators, academics, the accounting profession, and public
accounting firms.
Since the late 1990s, public accounting firms have been implementing audit approaches
generically referred to as risk-based auditing. 2 In November 2005, the Auditing Standards
Board (ASB) passed a suite of eight Statements on Auditing Standards (SASs) that dramatically
modified the guidance on the conduct of a financial statement audit (AICPA 2006). The
issuance of these standards represents the most significant change to auditing standards and audit
practice since the passage of the expectation gap standards in 1988 (AICPA 1993). There is an
emerging body of research investigating various aspects of risk-based auditing (Ballou et al.
2004; Choy and King 2005; Kotchetova and Messier 2006; O'Donnell and Schultz 2005;
Salterio, Knechel, Kotchetova 2006), but these studies have not examined the links between the
series of risk assessments made by the auditor at various decision levels (entity, business process,
and account) throughout a risk-based audit. The study of these linkages is important because if
auditors cannot properly relate the identification of business risks to an assessment of what can
go wrong at the account level then audit quality will be affected.

1 Bell et al. (2005) provide a detailed and comprehensive overview of the changes made to KPMG's audit
methodology as a result of the changes in auditing standards.
2 Risk-based auditing is described more fully in the next section. This approach to a financial statement audit is also
referred to as a strategic systems audit (Bell et al. 1997; Bell et al. 2002) or a business risk audit (Lemon et al.
2000).

In this paper, we test a number of hypotheses related to the identification of business risks
and their linkage to related risk assessments at the entity, business process, and account levels.
In general terms, we examine the following questions: How does the level of residual strategic
risk 3 (RSR) affect the number of business risks identified by the auditors? How does the number
of business risks identified affect the auditors' assessment of risk of material misstatement
(RMM) and related financial statement implications? How does the performance of a business
process analysis 4 affect the auditors' assessments of RMM? Do auditors' risk assessments vary
depending upon whether the business process is a core (e.g., product delivery) or supporting
(e.g., human resources) process? Do auditors' entity level assessments of RSR and client
business risk (CBR) relate to their account level RMM assessments?
Our results show a number of important findings related to the linkages between auditors'
risk assessments in a risk-based audit. First, the auditors documented a greater number of
specific business risks when residual strategic risk was high. Second, the greater the number of
business risks identified by the auditors, the greater the number of financial statement
implications identified. Third, the business process level risk assessments of auditors who
performed a business process analysis are not associated with RSR, but instead are associated
with their entity level client business risk (CBR) assessments; and this result holds across both
types of business processes (core and supporting). Fourth, the auditors' assessments of RMM at
the financial statement account level are directly related to the auditors' assessments of the risk
of material misstatement at the entity level. Finally, when auditors assess RMM at the account
level, their judgments are influenced by their process-level business risk assessments and not by
their assessments of the entity-level CBR, or by RSR. Taken together, our results show that
auditors are properly linking the identification of business risks with an assessment of what can
go wrong in the related financial statement accounts as prescribed by recent audit risk standards
(AICPA 2006; IAASB 2004a).

3 Residual strategic risk is the risk that remains after the entity has implemented control activities to monitor and
control the effects of the identified business risks.
4 A business process analysis is a formal assessment of a business process, including documentation of its key
objectives, key risks, major classes of transaction/accounts affected by these risks, and compensating controls. In
our study, participants either performed or did not perform a formal business process analysis.

This paper proceeds as follows. In Section II, we provide background and an overview
of risk-based auditing. Section III presents our theory and hypotheses. Section IV discusses the
methodology. Section V presents our results, and Section VI summarizes our conclusions and
implications.
II. RISK-BASED AUDITING
Background
As a result of numerous frauds in the 1990s, the Securities and Exchange Commission
(SEC) asked the Public Oversight Board (POB) to evaluate the way audits were being conducted.
In response, the POB appointed the Panel on Audit Effectiveness, which issued its report in
August 2000 (POB 2000). The report included a number of recommendations to the ASB; the
most important being a need to increase the rigor and specificity of auditing standards.
Concurrently, a Joint Working Group (JWG) composed of standard setters and academics from

Canada, the United Kingdom, and the United States was formed to research the recent
developments in the audit methodologies of the largest accounting firms. In May 2000, the JWG
published the results of its research (Lemon et al. 2000). Both the Panel and the JWG concluded
that auditing standards needed to be enhanced in order to improve audit effectiveness.
The ASB and International Auditing and Assurance Standards Board (IAASB) undertook
a joint project to respond to the Panel's and JWG's recommendations. The two bodies formed
the Joint Risk Assessments Task Force in October 2001 to develop a common set of auditing
standards. However, with the passage of the Sarbanes-Oxley Act in 2002, the Public Company
Accounting Oversight Board (PCAOB) assumed the role of issuing auditing standards for
registered companies in the U.S. in May 2003, and the ASB suspended work on its set of risk
assessment standards. In October 2003, the IAASB completed the international phase of the risk
assessment project and issued three International Standards on Auditing (ISAs). 5 After the ASB
was reorganized in early 2004, its Risk Assessments Task Force revised the original exposure
drafts of the risk assessment standards. In November 2005, the ASB approved eight SASs, three
of which map closely to the international standards: SAS No. 106, Audit Evidence, SAS No. 109,
Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement,
and SAS No. 110, The Auditor's Procedures in Response to Assessed Risks and Evaluating the
Audit Evidence Obtained (AICPA 2006).
Standard setters believe that the introduction of this risk assessment process as the central
framework for auditing will improve the quality and effectiveness of audits, and result in a
substantial change in audit practice (Bell et al. 2005). The ASB has stated that the standards will
enhance auditors' application of the audit risk model in practice by requiring (1) a more in-depth
understanding of the entity and its environment, including its internal control, to identify the
risks of material misstatement in the financial statements and what the entity is doing to mitigate
them, (2) a more rigorous assessment of the risks of material misstatement of the financial
statements based on that understanding, and (3) an improved linkage between the assessed risks
and the nature, timing, and extent of audit procedures performed in response to those risks
(AICPA 2006, p. iii). While the current study provides some limited evidence on the first two
points, its main focus is on the linkage of the auditors' business risk assessments to the risk of
material misstatement at the entity and account levels.

5 The standards were ISA 315, Understanding the Entity and Its Environment and Assessing the Risks of Material
Misstatement, ISA 330, The Auditor's Procedures in Response to Assessed Risks, and ISA 500, Audit Evidence
(IAASB 2005).

An Overview of the Risk Assessment Process
As outlined in the new auditing standards (AICPA 2006), the risk assessment process 6
includes the following steps. The first step requires the auditor to obtain an understanding of the
entity and its environment, including the components of internal control, by performing risk
assessment procedures (AICPA 2006, SAS No. 109). 7 Based on this understanding of the entity
and its environment, the auditor identifies business risks that may result in material
misstatements in the financial statements. Such business risks result from significant conditions,
events, circumstances, actions, or inactions that could adversely affect the entity's ability to
achieve its objectives and execute its strategies, or through the setting of inappropriate objectives
and strategies (AICPA 2006, SAS No. 109 29).
The second step requires the auditor to use the information from the risk assessment
procedures to assess RMM at the financial statement and assertion levels. Part of this RMM
assessment is an evaluation of how the entity responds to those business risks and a requirement
to obtain evidence that those responses have been implemented. In evaluating the entity's
internal control components, one of the main focus points is an evaluation of the entity's risk
assessment process - the process used by the entity's management to identify and respond to
risks that may prevent the achievement of the entity's objectives. If the entity's response to the
identified risk is adequate, RMM can be reduced. However, if the auditor identifies risks that the
entity's risk assessment process has failed to identify or control (RSR), the auditor should
consider why the process failed and increase the RMM. 8

6 For a detailed discussion of the auditor's risk assessment process, see Messier et al. (2006, Chapter 3).
7 Risk assessment procedures include inquiries of management and others within the entity, analytical procedures,
and observation and inspection for the purpose of obtaining an understanding of the entity and its environment and
to assess the risks of material misstatement at the financial statement and assertion levels (AICPA 2006, SAS No.
109 6). Bell et al. (2005) take a broader view and suggest that all audit procedures (i.e., tests of controls and
substantive procedures) are risk assessment procedures because of the dynamic nature of the audit process.

The third step requires the auditor to determine what audit work needs to be completed to
address the RMM identified at the financial statement level, and then to design and perform audit
procedures whose nature, timing, and extent are linked to the assessed RMM at the relevant
assertion level (AICPA 2006, SAS No. 110). 9 In other words, the auditor must link the RMM
at the financial statement level to what can go wrong in the related financial statement
account(s). The final step involves evaluating the evidence obtained from the risk assessment
procedures, tests of controls, and substantive testing (AICPA 2006, SAS No. 106). The output
from this last step is the auditor's opinion on the financial statements.

8 In the SASs, these risks are referred to as significant risks which are defined as identified risks that, in the
auditor's judgment, require special audit consideration (AICPA 2006, SAS No. 109 110).
9 While the SASs use the term assertion level, the assertions being tested relate to classes of transaction, financial
statement accounts, or disclosures. For example, the auditor may have determined through the understanding of the
entity and its environment that the entity's products are facing stiff competition. As a result, the auditor should be
concerned with the valuation assertion (AICPA 2006b). However, in this example, the RMM at the assertion level
resides in the inventory account. Throughout the paper, we use the term RMM at the account level.

Documentation of audit work has also been an important issue for standard setters. Both
the ASB and PCAOB have recently issued standards (AICPA 2005; PCAOB 2004), which
significantly increase requirements for auditors to document their work. In addition, the new risk
assessment standards (AICPA 2006, SAS Nos. 109 and 110) have very specific requirements for
documenting the risk assessment process that were not present in prior auditing standards. In
particular, the auditor should document the following:

• Key elements of the understanding of the entity and its environment, including each of
  the components of internal control; the sources of information from which the
  understanding was obtained; and the risk assessment procedures used.
• The assessment of the risks of material misstatement both at the financial statement level
  and at the relevant assertion level, and the basis for the assessment.
• The risks identified and related controls evaluated.
• The overall responses to address the assessed risks of misstatement at the financial
  statement level.
• The nature, timing, and extent of the further audit procedures.
• The linkage of those procedures with the assessed risks at the relevant assertion level.
• The results of the audit procedures (AICPA 2006, SAS Nos. 109 and 110).

The documentation requirements should result in auditors conducting formal business process
analyses that may have a positive effect on the auditors' risk assessments. 10
Figure 1 presents how we operationalized the audit risk assessment process and how it
relates to our experimental materials (described later). In summary, the entity-level strategic
analysis is linked to specific business processes which in turn are linked to the related financial
statement accounts.
[Insert Figure 1]
III. THEORY AND HYPOTHESES DEVELOPMENT
We develop our hypotheses by following the risk assessment process discussed in the
prior section and outlined in Figure 1. 11

10 It is also possible that documentation requirements can have negative effects when risk assessments are performed
in a free-flowing narrative form; such negative effects do not occur, however, when risk assessments are numeric, as
in our study (see Piercey 2006).
11 Acronyms used throughout this section are described in Figure 1.

Strategic Analysis
Auditing standards require that the auditor assess the risk of material misstatement at the
financial statement (entity) level (RMM-E) by understanding the entity and its environment,
including internal control (AICPA 2006, SAS No. 109 102). In meeting this requirement, the
auditor uses the information gathered by performing risk assessment procedures to identify
business risks that may affect the entity. A major component of internal control that the auditor
should examine is the entity's risk assessment process. This process involves management's
identification, analysis, and management of strategic risks relevant to the preparation of financial
statements. The auditor must address any significant strategic risks not controlled or mitigated
by the entity's risk assessment process. The new auditing standards (AICPA 2006, SAS No. 109)
presume that an auditor should anchor on RSR, and that this should lead to the identification of
more business risks and result in a higher assessment of entity-level client business risk
(CBR-E). This leads to the following hypothesis:
H1: The number of business risks (NBR-E) identified by the auditors and the auditors'
assessment of client business risk at the entity level (CBR-E) are greater when
residual strategic risk (RSR) is high than when RSR is low.
Auditing standards also require that, based on identified business risks, the auditor
determine what could go wrong at the related financial statement level. This leads to the
following hypothesis:
H2: The greater the NBR-E identified and the higher the auditors' assessments of CBR-E,
the higher the level of risk of material misstatement at the entity level (RMM-E)
and the greater the number of financial statement implications (NFSI) identified.
Performing a Formal Business Process Analysis 12
As we have previously described, the risk assessment process requires the auditor to
evaluate evidence about the entity's business risks and then subsequently use that evidence to
make risk assessments at the account level. In order to assess the effects of business risks at the
account level, the auditor examines the entity's controls over business processes that monitor the
initiation, authorization, processing, and recording of transactions that affect the financial
statement accounts. We hypothesize that performing a formal business process analysis will have
a positive effect on the auditors' risk assessments and their linkage to potential misstatements in
the related financial statement accounts because such a formal analysis requires the auditor to
specifically consider all the relevant issues/risks related to the process.

12 Our treatment condition that requires performing a formal business process analysis includes documentation of the
results of such analysis.

Research in psychology (Hastie et al. 1984; Hastie and Park 1986) suggests that judgment
accuracy tends to be higher if individuals utilize an on-line strategy versus a memory-based
strategy. An individual using an on-line strategy tends to build a memory structure during
encoding, whereas an individual using a memory-based strategy forms judgments based on
recall from memory (Haberstroh and Betsch 2002). As a result, the preprocessing of information
(or evidence) should aid in an individual's utilization of an on-line judgment strategy (Hastie and
Park 1986; Haberstroh and Betsch 2002; Hammond et al. 1987). Research in social cognition
and marketing supports the supposition that preprocessing of information aids an on-line
strategy (Feldman and Lynch 1988; Friedman et al. 1985; Hastie and Park 1986; Kardes 1986;
Lynch et al. 1988; Rao and Monroe 1988). For example, numerous studies in marketing have
demonstrated that initial product judgments or prior product evaluations affect subsequent
choices and judgments about product qualities (e.g., Kardes 1986; Lynch et al. 1988; Rao and
Monroe 1988). More specifically, this research shows that consumers' initial evaluations of
products influenced their subsequent overall product quality judgments; whereas factual,
descriptive information influenced discrete (performance, dependability) memory-based
judgments.
In an auditing context, individuals who perform a formal business process analysis are
more likely to use an on-line processing strategy for making risk assessments while those who do
not perform a business process analysis will likely rely on a memory-based strategy. This should
occur because a formal business process analysis results in the auditor preprocessing evidence
that will be used to make risk assessments whereas an auditor who does not perform the business
process analysis will only have memory-based evidence available to make the risk assessments.
Thus, auditors performing such an analysis should form their business process risk assessments
based on a combination of case information and RSR, and information encoded during the
formal analysis of the business process. Auditors who do not explicitly perform a formal
business process analysis will base their business process risk assessments on a memory-based
structure resulting from only the case information and RSR. 13
While the auditors who perform a formal business process analysis will have the same
case information and RSR in memory as the auditors who do not perform a business process
analysis, we expect the auditors who perform a business process analysis to rely primarily on
the information developed from the analysis of the business process to make their business
process risk assessment. This leads to the following hypotheses:
H3: When auditors perform a formal business process analysis of the client's business
processes (core and supporting) they use the business process level information that
is developed during the analysis and their own assessments of entity-level client
business risk (CBR-E) to make process-level business risk assessments (BPR-C and
BPR-S). Auditors who do not perform a formal business process analysis of the
client's business processes will rely on the RSR that was communicated to them as
a part of the case information to make their process-level business risk assessments.

13 Inferences from research on judgment accuracy using on-line versus memory-based strategies (e.g., Haberstroh
and Betsch 2002) would suggest that auditors who explicitly perform a formal analysis of a business process will
generate more accurate judgments of process-level risks than those who directly proceed from evidence inputs about
RSR to process descriptions and associated risk judgments. However, we do not have benchmarks for business
process risks judgments for our experimental case; hence, we are limited as to what we can conclude with respect to
accuracy.

Types of Business Processes


The fourth hypothesis examines whether auditors' business process assessments differ
when analyzing a core (or critical) process versus a supporting business process, and if this result
varies depending on whether the auditors performed a formal business process analysis.
Auditors who explicitly perform a business analysis of both processes are more likely to become
aware of process-level specific risks existing in both the core and supporting processes.
Conversely, auditors who do not perform a formal business process analysis are likely to focus
on entity level information inputs that relate to the entity's core business processes. Unless the
entity level analysis identifies specific risks that have direct implications for the supporting
business process, auditors who do not perform the business process analysis are likely to focus
on the core process. This likely occurs because their entity level analysis will focus on the more
significant business risks that may result in material misstatements in the core business process
(Ballou et al. 2004; O'Donnell and Schultz 2005). Thus, the auditors' assessments of client
business process level risk should be higher for the core business process versus the supporting
business process. This discussion predicts an interaction between BPA and ToP and leads to the
following hypotheses:
H4: The process level business risk assessments (BPR-C and BPR-S) of auditors who
perform a formal analysis of the entity's business processes will not differ across
the core and supporting processes. Auditors who do not perform a formal analysis
of the entity's business processes will have higher process level business risk
assessments for the core process (BPR-C) than the supporting process (BPR-S).
Linking the Risk of Material Misstatement at the Financial Statement Account Level to the
Entity Level Assessment
The time period and intervening judgment tasks between the entity level analysis (i.e., the
initial evaluation of evidence about RSR and the judgment of the CBR-E) and final business
process level judgments should reduce their association. If the most recent judgments in the
risk-based approach are available in memory, we expect the auditors' assessments of the risk of
material misstatement for the accounts affected by the business process (RMM-C and RMM-S)
to be primarily based on their assessments of business process-level risks (BPR-C and BPR-S)
rather than RSR at the entity-level. However, we expect that neither type of the process nor
performance of a business process analysis should directly affect the auditors' assessments of the
risk of material misstatement in the process-specific accounts. Thus, we hypothesize:
H5: The auditors' assessments of the risk of material misstatement at the financial
statement account level (RMM-C and RMM-S) are directly related to the auditors'
assessments of the risk of material misstatement at the entity level (RMM-E).
H6: When auditors assess the risk of material misstatement at the financial statement
account level (RMM-C and RMM-S), their judgments are influenced by the
process-level assessments of business risks (BPR-C and BPR-S), and not by their
assessments of the entity-level client business risk (CBR-E) or by residual strategic
risk (RSR).
IV. METHODOLOGY
Research Design
The experimental design is a 2 (Residual Strategic Risk) x 2 (Business Process Analysis)
x 2 (Type of Process) mixed factorial. The first two factors are manipulated between-subjects,
while the third factor is manipulated within-subjects. 14 We also use two measured variables to
examine our hypotheses: the auditors' entity-level assessments of the client business risk
(CBR-E) and risk of material misstatement at the entity level (RMM-E).
The Residual Strategic Risk (RSR) factor was manipulated at two levels: high versus
low. In the high risk condition, the participants read the results of the client's strategic analysis
that ended with the following statement: "The outgoing senior auditor was concerned that
National Foods' strategy did not adequately address the threats and opportunities in the
company's external environment." The participants were also presented with key financial ratios
that were unfavorable. The ratios indicated a decline in sales and gross profit accompanied by an
increase in interest expense and operating income (6.2%). 15 In the low risk condition, the
participants read the results of the strategic analysis that ended with the following statement:
"The outgoing senior auditor concluded that National Foods' strategy adequately addressed the
threats and opportunities in the company's external environment." The participants also viewed
key financial ratios that were favorable - an increase in sales, gross profit, operating income, and
a small increase in net income (2.6%).

14 We also manipulate order of the two business processes thereby introducing a third between-subjects factor in our
design. When included in our analyses, order was not a statistically significant factor (p-value=.845 or greater).

The Business Process Analysis (BPA) factor was manipulated at two levels: an
explicit request to perform and document the analyses of the entity's business processes versus
no explicit request. 16 In the explicit request condition, the participants were asked to
document the key objectives of the process, its key activities and associated risks, significant
classes of transactions, and assess two risks: (1) the risk that the overall objectives of the process
are not being achieved, and (2) the risk of material misstatement for the classes of transactions
and account balances affected by the process. In the condition where the analysis of the entity's
business process was not explicitly requested, the auditors were asked to respond to the two risk
assessments only (see section "Case Materials" below).
The Type of Process (ToP) factor also had two levels: a core (or critical) business
process and a supporting business process. The core business process was operationalized as the
product/service delivery process while the supporting business process was operationalized as
the human resource management process. The classification of the processes into core versus
supporting was based on the source case developed by Greenwood and Salterio (2002) (see next
section). The case materials clearly labeled the two processes as core or supporting.

15 We included a larger increase in operating income in the high risk condition than the low risk condition to indicate
that there was an increased risk of material misstatement. With a decrease in sales and gross profit and an increase
in interest income, there should be an expectation of a decline in operating income.
16 It is possible that participants in the no explicit request condition performed a business process analysis but did
not document it in our case materials. If the participants did perform such an analysis, it would work against finding
significant results.

Case Materials
The case used in this study was a hypothetical grocery retailer, National Foods, located in
the Southeastern United States. The profile of the client was based on the Loblaws case
developed by Greenwood and Salterio (2002). 17 The case materials contained three parts. Part 1
included the strategic analysis of National Foods, including background on the entity, its external
environment and related risks, Porter's five-forces framework for the food distribution industry,
information on the bargaining power of suppliers and buyers, threat of new entrants, competition,
and a summary of key risks. It presented National Foods' strategies, objectives, and an
entity-level business model. Lastly, the materials contained an audited balance sheet and income
statement for two years and three years, respectively. Each of these statements was also
converted to common size financial statements. After this information, all participants were
asked:
(1) "Based on your review of the information about National Foods, Inc., what are the key
business risks faced by National Foods, Inc.? How many of these risks affect National
Foods' financial statements? What areas of National Foods' financial statements should
be subject to special audit focus?" The case provided a place for the participants to list (1)
key business risks and (2) potential effects on the financial statements and areas of audit
focus. The number of key business risks was used to develop the NBR-E variable while
the potential effects were used to develop the NFSI variable.
(2) To assess the business risk for National Foods, Inc. at the entity level on a 7 point scale (1
= very low risk, 5 = moderate risk, 9 = very high risk). This represents the auditors'
assessment of client business risk at the entity level (CBR-E).
(3) To assess the risk of material misstatement for National Foods, Inc., at the entity level (1
= very low risk, 5 = moderate risk, 9 = very high risk). This represents the auditors'
assessment of the risk of material misstatement at the entity level (RMM-E).

17 We thank the authors and KPMG for permission to use the case.

Part 2 of the case contained information on two of National Foods' business processes.
The two types of processes were introduced to the participants using the following information:
You will notice that the core business processes for the company include the following:
Brand and Image Delivery, Product and Service Delivery, and Customer Service
Delivery. The resource management (non-core, or supporting) processes consist of
Human Resource Management, Property Management, Regulatory Management,
Financial/Treasury Management, and Information Management. Your manager has asked
you (BPA condition = to perform a detailed analysis of; No BPA condition = to
review) one core process (Product and Service Delivery), and one supporting process
(Human Resource Management).
The case materials for the product/service delivery process also included information on:
category management, supplier selection, logistics and distribution, stock management, and price
management. Similarly, the case materials for the human resource management process included
information on functions such as human resource policy, compliance with labor regulations;
employee recruitment, hiring, training, and development; performance reviews, mentoring, and
counseling; and union contract and grievance procedures. After each process, the participants in
the BPA condition were asked:
(1) "Based on the description of the Product/Service Delivery (Human Resource
Management) process at National Foods, Inc. and information in Part 1, please indicate
the extent to which you agree that the following items represent the key objectives of this
process." This was followed by a list of 9 objectives for each process (1 = disagree to 7 =
agree).
(2) "In your opinion, what are the key activities and associated risks of National Foods'
Product/Service Delivery (Human Resource Management) process? Please list at least
one key activity and related risk for each sub-process. You may refer to the process
description if necessary."
(3) "Please indicate the significant classes of transactions or accounts affected by the
National Foods' Product/Service Delivery (Human Resource Management) process." The
classes of transactions were categorized as routine, non-routine, and estimates.
(4) "Based on your review of information about National Foods, Inc., and your analysis in
Parts 2a and 2b, please make an assessment of the overall risk that the objectives of the
Product/Service Delivery Process (Human Resource Management) at National Foods are
not achieved" (1 = very low risk, 5 = moderate risk, 9 = very high risk). This represents
the auditors' assessment of the business process risk for each process (BPR-C = core
business process or BPR-S = supporting business process).
(5) "Based on your review of information about National Foods, Inc., and other analyses you
performed in Parts 2a and 2b, please assess the risk of material misstatement for the
classes of transactions/accounts affected by the National Foods' Product/Service
Delivery (Human Resource Management) Process" (1 = very low risk, 5 = moderate risk,
9 = very high risk). This represents the auditors' assessment of the risk of material
misstatement for the accounts/transactions in each process (RMM-C = core business
process or RMM-S = supporting business process).

The completion of questions (1)-(3) represents the way we requested the auditors to perform and
document the analyses of both processes. The participants in the condition that did not require a
formal business process analysis only answered questions (4) and (5).
The third part of the materials requested the participants to provide demographic
information, task specific information, and responses about the case materials. Figure 1 provides
a graphical representation of the points where each variable was assessed.
Experimental Procedures and Participants
The experiment was administered at training sessions of the Big 4 accounting firms 18
held in the United States and in Norway. 19 One hundred thirty-four fully completed, usable
responses were obtained from audit seniors. On average, the participants had 45 months (3.75
years) of auditing experience (27 engagements, regardless of size). Their audit planning
experience, on average, was 16 engagements. The most frequently reported areas of
specialization included: financial services, insurance, and real estate (38%), manufacturing
(14%), energy, oil and mining (12%), information technology, software, and communications
(12%), followed by transportation and shipping (11%), and communications (6%). The
remaining 7% of participants specialized in other services, such as healthcare, higher education,
not-for-profit entities, travel agencies, and international trade. In summary, none of the
participants planned most of their engagements in the industry of the client depicted in the
experimental case, grocery retail. Therefore, collectively, our sample can be viewed as a
generalist auditor with respect to the experimental case, corresponding to the type of auditors
who tend to work on such engagements in practice. 20

18 Firm affiliation is not a statistically significant factor in our analyses.
19 Country is not statistically significant in any of the analyses. For Norwegian participants, we include only
responses where self-rated knowledge of English was 5 or above on a 7-point scale anchored at 1 = "very poor
knowledge of English" and 7 = "very good knowledge of English."

Task-Specific Experience
Participants reported a high level of familiarity with the risk analysis task. All of the
participants had performed analyses of client business processes during previous audit
engagements. When asked about the methods used to perform an analysis of a business process,
the most often mentioned methods included the following: interview, discussions, inquiry of
client (40%); research about the client company and its processes (18%); research regarding the
business environment, industry risks, and competitors (13%); review of the process-level
controls (13%); review of the previous year's files and analyses (9%); flowcharting, process or
cycle mapping (7%); and consultations with other members of the audit team (7%). 21 Thus, the
auditors in this study were familiar with the approach provided in our experimental materials.
The auditors also indicated that they document the results of the strategic analysis using
the following means: databases (13%), memos (10%), controls section of the working papers
(7%), flowcharts (6%), summary in the files (2%), and diagrams (1%). When asked what is
being documented in the course of business process analysis, the items cited were: narratives or
process descriptions (9%); issues and risks (9%); conclusions and explanations (7%), areas tested
(4%), people interviewed and management responses (4%), and expectations (3%).
20 Our information regarding generalist auditors' work on grocery clients was confirmed with authors of the
experimental case who in turn consulted with several Big 4 partners.
21 The sum of percentages for the methods used to analyze client business processes exceeds 100% because some of
the participants reported more than one method. Other methods that were mentioned less often included review of
the business process strategy analysis conducted by the client; logical inference; analysis of the correlation between
business risk, transaction types, and audit risk; analysis of key routines and transactions; and following the
manager's guidance.

Finally, participants were asked to indicate whether they perform business process
analysis and document its results on a typical engagement using a 7-point scale, where 1
corresponded to "never," and 7 corresponded to "always." The mean response was 4.68 for
performance of business process analysis and 4.97 for documentation. Thus, it appears that
auditors typically perform analyses of business processes on their audit engagements.
Auditors indicated that case materials and instructions were understandable (mean
response of 5.32 on a 7-point scale where 1 was "not at all understandable" and 7 was "very
understandable") and realistic (mean response of 5.81 on a 7-point scale where 1 was "not at all
realistic" and 7 was "very realistic"). The average self-reported time to complete the
experimental task was approximately 43 minutes. 22
IV. RESULTS
Manipulation Check
We had originally planned on using the auditors' assessment of CBR-E as a manipulation
check on RSR since one would expect that the more residual risk, the higher the assessment of
the client's business risk. Unfortunately, CBR-E did not vary across the two levels of RSR. 23
In an attempt to get a measure of the two levels of RSR, we partially re-administered the
experiment to 86 participants in a graduate auditing class in Canada. These participants have,
on average, 16 months of audit experience, and become senior associates immediately
following completion of the class. The participants were presented with background information
about the client, National Foods, Inc., and results of strategic analysis, as in Part 1 of the instrument
used in the main experiment, and were asked to provide their assessment of RSR on a 9-point
scale, anchored at 1 = "very low risk" and 9 = "very high risk." Next, they were provided with
a description of two business processes, as in Part 2 of the main experiment, and were asked to
classify these processes as core or supporting to the client's operations. Finally, participants
provided demographic information.

22 When we analyzed time in relation to BPA and RSR factors, neither was statistically significant (p=.579 for BPA
and p=.068 for RSR).
23 See the ANOVA results reported for H1.

Analysis of participants' RSR assessments indicated that they perceived the difference
between the "low" and "high" conditions as intended: the mean assessment of RSR was 5.14 in
the "low" condition, and 6.64 in the "high" condition; these assessments were statistically significantly
different (F=27.901, p=.000). In addition, 98% of participants correctly classified the Product and
Service Delivery process as core, and 63% classified the Human Resources Management process as
supporting to the client's operations. Therefore, we obtained ex-post comfort in our
manipulations of RSR and ToP. 24

24 Given the obvious nature of the manipulation for the business process analysis, no manipulation checks for the
variable BPA were carried out.

Descriptive Statistics
Table 1 presents descriptive statistics for all measured and dependent variables. Table 2
(Panel A) shows the correlations between all variables. NBR-E and CBR-E do not appear to
correlate significantly with RSR (p>.05 for both variables), casting doubt on the prediction in H1.
However, there is a positive, significant correlation between NBR-E and NFSI (p=.000 in Table
2, Panels A and B; p=.032 in Panel C). Also, we observe a positive, significant correlation
between RMM-E and CBR-E (p=.001 in Table 2, Panel A; p=.063 in Panel B, and p=.016 in
Panel C). Therefore, this provides preliminary support for H2. BPR-C and BPR-S are correlated
with the independent variable BPA (p<.01 for both processes, Table 2, Panel A). This provides
preliminary support for H3. The process-level business risk assessments (BPR-S, BPR-C) are
correlated with the auditors' assessment of the client business risk (CBR-E) (p<.01 for both
processes). Panels B and C (Table 2) show that correlations between CBR-E and process-level
business risk assessments (BPR-C, BPR-S) are significant at both levels of the business process
analysis factor: p≤.05 for corr(CBR-E; BPR-C) and corr(CBR-E; BPR-S) at BPA=0 (Panel B,
Table 2) and BPA=1 (Panel C, Table 2). This provides partial support for H3 because we also
observe that none of the process-level business risk assessments are significantly correlated with
the independent variable RSR. Specifically, Panel B (Table 2) indicates that in the absence of
performing a business process analysis, process-level business risk assessments are not
statistically significantly correlated with residual strategic risks (p=.549 for corr(RSR; BPR-C);
p=.175 for corr(RSR; BPR-S)). Finally, significant correlations between process-level
assessments of business risk (BPR-S, BPR-C) and risk of material misstatement at the entity
level (RMM-E) (p<.05) and at the process level (RMM-S, RMM-C) (p<.01, p<.01, respectively)
suggest support for H5 and H6.
[Insert Tables 1 and 2]
Strategic Analysis and the Assessment of the Risk of Material Misstatement at the Entity Level
The output from performing strategic analysis is the identification of the entity-level
business risks. H1 predicts that the number of business risks (NBR-E) identified by the auditors
and the auditors' assessment of client business risk at the entity level (CBR-E) will be greater
when residual strategic risk (RSR) is high than when residual strategic risk is low. We test this
hypothesis by running a MANOVA (not tabulated) with RSR as the independent variable and
NBR-E and CBR-E as the dependent variables. The results show that RSR is not significant
(F=1.54, p=.217). However, individual ANOVAs (not tabulated) indicate that RSR is significant
for NBR-E (F=2.98, p=.043, one-tailed) but not significant for CBR-E (F=.16, p=.343). This
result provides partial support for H1, indicating that auditors documented a greater number of
specific business risks threatening the client entity when residual strategic risk was high.

Once the business risks have been identified, the auditor assesses the risk of material
misstatement and what can go wrong in the financial statements. H2 tests whether the
identification of a greater number of business risks (NBR-E) and higher assessments of client
business risk at the entity level (CBR-E) result in a higher assessment of the risk of material
misstatement at the financial statement level (RMM-E) and in the identification of a greater
number of financial statement implications (NFSI). We ran a MANOVA with RSR, CBR-E and
NBR-E as independent variables, and RMM-E and NFSI as dependent variables. Table 3 (Panel
A) presents the result. The MANOVA shows that RSR is not significant (F=.95, p=.389) while
CBR-E (F=5.50, p=.005) and NBR-E (F=12.44, p=.000) are significant. Panel B presents the
individual ANOVAs. Using RMM-E as the dependent variable, Panel B shows that CBR-E is
significant (F=10.45, p=.002) while RSR (F=1.20, p=.275) and NBR-E (F=1.37, p=.243) are not
significant. The ANOVA with NFSI as the dependent variable indicates that NBR-E is
significant (F=23.14, p=.000) while RSR (F=.80, p=.373) and CBR-E (F=.43, p=.530) were not
significant. Generally, these results support H2 but suggest that the linkage is more specific than
we hypothesized.
[Insert Table 3]
To examine these findings further, we ran two regressions. First, we regressed NFSI on
NBR-E and CBR-E. 25 Panel C shows that NBR-E is significant (t=4.73, p<.001) and CBR-E is
insignificant (t=.62, p=.531). Second, we regressed RMM-E on NBR-E and CBR-E. Panel D
shows that CBR-E is significant (t=3.27, p=.001) and NBR-E is not significant (t=1.35, p=.180).
Thus, we find that the greater the number of business risks identified (NBR-E), the greater the
number of financial statement implications (NFSI) identified by the auditors. We also find that
the higher the auditors' assessment of client business risk (CBR-E), the higher the auditors'
assessment of RMM-E. Therefore, we conclude overall support for H2.

25 We use regression, as opposed to ANOVAs, because all variables in this analysis are continuous (i.e., measured).
Also, in using regression we can rely on the sign of the significant coefficients, which is essential for testing our
hypothesis 2.

The Effect of Performing a Business Process Analysis
Table 4 presents the repeated measures ANCOVA used to test H3. The results show that
the BPA variable is highly significant (p=.002). 26 In the core business process, the auditors'
business process risk assessments were higher in the condition where the auditors performed a
business process analysis (5.42) than in the condition where they did not (4.60). In the
supporting business process, we find a similar result (4.26 v. 3.53). This provides overall
support that performing a formal business process analysis affects the auditors' business process
risk assessments.

26 We ran the ANOVA with the other covariates (NBR-E, RMM-E, and NFSI) and their interactions with RSR,
BPA, and ToP. None of them are significant at conventional levels. The ToP*RSR interaction term was significant
in Table 4 (p=.044). Simple effects tests show that ToP is significant (p=.031) when RSR is high but not significant
(p=.629) when RSR is low.

[Insert Table 4]
To test the predictions for H3, we split the sample by the two levels of BPA and analyze
the sub-samples separately. Table 5 presents the results of these analyses. In each analysis, RSR
is a between-subject factor, CBR-E is a covariate, and ToP is a within-subject factor. H3
predicts that the auditors who perform a business process analysis will not rely on RSR and
that their assessments of business risks for both processes will be associated with their own
entity-level client business risk assessment (CBR-E). As shown in Panel A, RSR is not
significant (p=.106) and CBR-E is significant (p<.001). Thus, as predicted, the auditors'
business process level risk assessments were not associated with residual strategic risk but were
associated with their entity level client business risk assessment. This result holds across both
business processes. Therefore, our predictions for performing a business process analysis are
supported.
[Insert Table 5]
H3 also predicts that auditors who do not perform a business process analysis will rely on
the RSR to develop their process-level business risk assessments. As shown in Panel B, the RSR
variable is not significant (p=.452). Thus, our prediction that the auditors' business process level
risk assessments would be associated with RSR for those auditors who did not perform a formal
business process analysis was not supported. However, consistent with the results for the
auditors who performed a formal business process analysis, their business process-level risk
assessments were associated with their entity-level client business risk assessment (CBR-E;
p=.004). The significance of CBR-E in both conditions suggests that the auditors used their CBR-E
judgments in their assessment of BPR regardless of whether the auditors performed a BPA or
not. We interpret this finding as an indication that auditors utilize primarily an "on-line" strategy;
i.e., they rely on a series of their own diagnostic judgments throughout the risk assessment
process, as opposed to applying a memory-based judgment that would imply plain transfer of
information about residual strategic risk to the process level judgments.
H4 predicts an interaction effect (ToP * BPA): the process level business risk
assessments (BPR-C and BPR-S) of auditors who perform a formal analysis of the entity's
business processes will not differ across the core and supporting processes while the auditors
who do not perform a formal analysis of the entity's business processes will have higher process
level business risk assessments for the core process than the supporting process. Table 4 shows
that the ToP * BPA interaction is not significant (p=.406).

To investigate this result further, we examine the analyses reported in Table 5 where the
dataset is split by whether a formal business process analysis was, or was not, performed. Panel
A of Table 5 shows that ToP is not significant (p=.679). Specifically, when BPA=1, the mean
BPR-S assessment is 4.26, while the mean BPR-C is 5.42, and they do not appear to be statistically
significantly different. Thus, these auditors' business process risk assessments do not differ
across core and supporting processes. Panel B of Table 5 shows a significant main effect for ToP
(p=.029, one tailed). 27 The means for the main effect of ToP show that the auditors' BPR
assessments were higher in the core process compared to the supporting process (4.60 v. 3.53).
Therefore, while the overall analysis did not support the predicted interaction effect, the results
of the individual ANCOVAs do. We interpret these results to support H4 and to suggest that a
formal, documented analysis of a business process potentially overcomes the auditors' tendency
to look for problems in the core business process while overlooking the supporting process (see
Ballou et al. 2004, O'Donnell and Schultz 2005).
Assessment of Risk of Material Misstatement at the Process Level
The last two hypotheses are tested in a repeated measures ANCOVA that includes all of
the previous independent variables and covariates, with RMM-C and RMM-S as the dependent
variables. Table 6 presents the results.
[Insert Table 6]
H5 predicts that the auditors' assessments of the risk of material misstatement at the
financial statement account level (RMM-C and RMM-S) are directly related to the auditors'
assessments of the risk of material misstatement at the entity level (RMM-E). As Table 6 shows,
RMM-E is significant (F=11.76, p=.001). The ToP*RMM-E interaction term was also significant
(F=5.36, p=.022). Simple effects tests show that RMM-E is significant for the critical process
(p=.000) but not for the supporting process (p=.368). We interpret this result to indicate that
auditors incorporate their entity-level RMM assessments more readily in account-level
assessments for the core, but not for the supporting process. Thus, H5 is supported.

27 The ToP*RSR interaction was significant (p=.046). Simple effects tests of the ToP*RSR interaction indicate
process level business risk assessments are marginally sensitive to RSR in the supporting process (p=.087, 2-tailed),
but not for the core process (p=.633, 2-tailed).

H6 predicts that when auditors assess the risk of material misstatement in the accounts
and transactions affected by the business process their judgments will be influenced by their
process-level business risk assessments (BPR-C and BPR-S) and not by their assessments of the
entity-level client business risk (CBR-E), or by residual strategic risk (RSR). Table 6 shows that
the covariates measuring process-level business risks for both processes (BPR-C: p<.001;
BPR-S: p<.001) are significant while CBR-E (p=.963) and RSR (p=.907) are not significant. These
results provide support for H6 and indicate that auditors follow the sequential belief updating
structure of the audit risk assessment workflow as prescribed by a series of recent audit risk
standards (AICPA 2006; IAASB 2004a; CICA 2005).
V. CONCLUDING COMMENTS
Conclusions and Implications
This paper examines whether and how the information about residual strategic risk and
entity-level client business risk assessments influence process-level risk assessments. Our results
show the following. First, we find that the requirement to perform a business process analysis
leads to different business process risk assessments. Second, our results indicate that auditors
appear to link the information about the client's residual strategic risk to the process-level
business risk assessments only for the supporting process, and only when they are not requested
to perform and document their process-level analyses. However, when participants are asked to
perform an analysis of a business process, their process-level risk assessments show a significant
association with their earlier assessments of entity-level client business risk, but not with
evidence inputs about residual strategic risk. Taken together, these findings suggest that auditors
tend to rely upon their own assessments of client-level business risk in making process-level
assessments, rather than upon conclusions about residual strategic risk communicated to them in
a strategic analysis summary. Our findings lend credence to the standard-setters' and accounting
firms' objective of connecting global (entity-level) and process-level risk assessments by means
of explicitly requiring auditors to perform and document work performed, including analyses of
the client's business processes (AICPA 2005; PCAOB 2004, A8-A10). Our result showing that
process-level assessments of risk of material misstatement are influenced mostly by assessments
of business risks at the same level, as well as entity-level risk of material misstatement, further
corroborates such connectivity in auditors' judgments.
We find that the requirement to perform an analysis of a business process is associated
with auditors' process-level risk assessments; and that auditors' process-level business risk
assessments are not associated with the type of the process (core versus supporting) in the
presence of the requirement to perform an analysis of the entity's business processes. Taken
together, these findings provide support for the business risk audit approach. They further
suggest that concerns that auditors who perform and document process analysis may overlook
risks embedded in the support process while focusing solely on the core process may be
unwarranted when auditors perform a formal business process analysis (Ballou et al. 2004).
Limitations and Future Research
This study is subject to limitations typically associated with experimental work that uses
audit professionals as participants. In addition, our experimental manipulation of business
process analysis was generic, and not tailored specifically to any of the participants' firms'
methodologies. Also, we examine risk assessments made by auditors individually, thereby
ignoring the highly interactive nature of audit team discussions that are likely to surround such
tasks in practice. Finally, due to the nature of the experimental task, auditors participating in the
experiment did not have an option of obtaining additional information beyond what was
provided in the materials, and thus they may have based their risk assessments on what they
would normally consider incomplete information.
Future studies may investigate whether business risk audit approaches also provide for
connectivity between the multiple-level (entity, process, and assertion) risk judgments and
auditors' choices regarding the nature, timing, and extent of audit procedures. Results of our
study suggest that structuring an experiment whereby risk assessment, process analysis, and
planning judgments are set as a series of on-line judgment tasks may be an appropriate way of
testing such connectivity.


REFERENCES
American Institute of Certified Public Accountants. 1993. The Expectation Gap Standards:
Progress, Implementation Issues, Research Opportunities. New York, NY: AICPA.
__________. 2005. Audit Documentation. New York, NY: AICPA.
__________. 2006. Statements on Auditing Standards Nos. 104-111. (March) New York, NY:
AICPA.
Ballou, B., Earley, C. E., and J. Rich. 2004. The impact of strategic positioning information on
auditor judgments about business process performance. Auditing: A Journal of Practice &
Theory 23(2): 71-88.
Bell, T., Marrs, F., Solomon, I., and H. Thomas. 1997. Auditing Organizations through a
Strategic Systems Lens: The KPMG Business Measurement Process. KPMG Peat Marwick
LLP.
__________, M.E. Peecher, and I. Solomon. 2002. The Strategic-Systems Approach to Auditing.
In Cases in Strategic-Systems Auditing. Bell, T.B., and I. Solomon (Eds.). KPMG LLP.
__________. 2005. The 21st Century Public Company Audit: Conceptual Elements of KPMG's
Global Audit Methodology. KPMG LLP.
CICA. 2005. CICA Assurance Handbook Section 5141 Understanding the Entity and Its
Environment and Assessing the Risks of Material Misstatement. Available at
http://www.cica.ca/index.cfm/ci_id/7966/la_id/1.htm.
Carlston, D. E. 1980. The recall and the use of traits and events in social inference processes.
Journal of Experimental Social Psychology 16 (July): 303-328.
Choy, A. K., and R. R. King. 2005. An experimental investigation of approaches to audit decision
making: An evaluation using systems-mediated mental models. Contemporary Accounting
Research 22(2): 311-350.
Coupey, E., O. Bodur, and D. Brinberg. 1998. Pre-decision processes in consumer choice: Effects
of prior knowledge on aspects of decision structuring. Advances in Consumer Research
25:226-232.
Feldman, J. M., and J. G. Lynch, Jr. 1988. Self-generated validity and other effects of
measurement on belief, attitude, intention, and behavior. Journal of Applied Psychology
73(3): 421-435.
Friedman, L., Howell, W.C., and C. R. Jensen. 1985. Diagnostic judgment as a function of the
preprocessing of evidence. Human Factors 27(6): 665-673.


Greenwood, R., and S. Salterio. 2002. Loblaw Companies Ltd. In Cases in Strategic-Systems
Auditing. Eds., Bell, T. B., and I. Solomon. U.S.A.: KPMG LLP.
Haberstroh, S., and T. Betsch. 2002. Chapter 13: Online strategies versus memory-based
strategies in frequency estimations. In Sedlmeier, P., and T. Betsch (Eds.), Etc.
Frequency Processing and Cognition. New York, NY: Oxford University Press, Inc.
Hammond, K., Hamm, R.M., Grassia, J., and T. Pearson. 1987. Direct comparison of the efficacy
of intuitive and analytical cognition in expert judgment. IEEE Transactions on Systems,
Man, and Cybernetics 17(5): 753-770.
Hastie, R., and B. Park. 1986. The relationship between memory and judgment depends on
whether the judgment task is memory-based or on-line. Psychological Review 93(3): 258-268.
Hastie, R., B. Park, and R. Weber. 1984. Social memory. In Handbook of Applied Cognition.
Wyer, R. S., Jr., and T. K. Srull (Eds.). Lawrence Erlbaum Associates: Hillsdale, NJ.
IAASB. 2005. Handbook of International Auditing, Assurance, and Ethics Pronouncements.
International Federation of Accountants: New York.
Jeppesen, K.K. 1998. Reinventing auditing, redefining consulting and independence. The
European Accounting Review 7(3): 517-539.
Kardes, F. R. 1986. Effects of initial product judgments on subsequent memory-based judgments.
Journal of Consumer Research 13(1): 1-11.
Kotchetova, N., and W.F. Messier, Jr. 2006. Strategic analysis and auditors' risk assessment.
Working paper. University of Waterloo.
Lemon, W. M., K.W. Tatum, and W. S. Turley. 2000. Developments in the Audit Methodologies
of Large Accounting Firms. UK: ABG Professional Information.
Loken, B., and R. Hoverstad. 1985. Relationships between information recall and subsequent
attitudes: Some exploratory findings. Journal of Consumer Research 12(2): 155-168.
Lynch, J. G., Jr., H. Marmorstein, and M. F. Weigold. Choices from sets including remembered
brands: Use of recalled attributes and prior overall evaluations. Journal of Consumer
Research 15(2): 169-184.
Messier, W.F., Jr., Glover, S. M., and D. F. Prawitt. 2006. Auditing and Assurance Services: A
Systematic Approach. 4th Ed. McGraw-Hill/Irwin: New York, NY.
Nisbett, R., and L. Ross. 1980. Human Inference: Strategies and Shortcomings of Social
Judgment. Prentice Hall: Englewood Cliffs, NJ.


O'Donnell, E., and J. Schultz. 2005. The halo effect in business risk audits: Can strategic
assessment bias auditor judgment about accounting details? The Accounting Review 80(3):
921-939.
Piercey, M. D. 2006. Somewhat possible or substantial doubt? Documentation requirements,
persuasion tactics, and verbal (vs. numerical) audit risk assessment. Working paper.
University of Illinois at Urbana-Champaign.
Public Oversight Board - Panel on Audit Effectiveness. 2000. The Panel on Audit Effectiveness:
Report and Recommendations. POB: Stamford, CT.
Public Company Accounting Oversight Board. 2004. Auditing Standard No. 3 - Audit
Documentation. PCAOB: Washington, DC.
Rao, A. R., and K. B. Monroe. 1988. The moderating effect of prior knowledge on cue utilization
on product evaluations. Journal of Consumer Research 15(2): 253-264.
Salterio, S.E., W. R. Knechel, and N. Kotchetova. 2006. Performance measurement systems and
strategic analysis extensiveness: Auditors' usage of balanced scorecards and performance
benchmarks. Working paper. Queen's University.
Weil, J. 2004. Behind the wave of corporate fraud: A Change in how auditors work. Wall Street
Journal (March 25): A1, A14.
Wiggins, M., and D. O'Hare. 2003. Weatherwise: Evaluations of cue-based training approach for
the recognition of deteriorating weather conditions during flight. Human Factors 45(2):
337-345.


Figure 1
A Graphical Representation of the Case Materials and the Elicitation of Measured and
Dependent Variables

[Flowchart. Steps are listed in order; the variable manipulated or elicited at each step is shown in brackets.]

Entity Level
1. Perform Entity-Level Strategic Analysis (Part 1) [RSR (high/low)]
2. Identify and Assess Entity Level Risks [CBR-E, NBR-E]
3. Identify Financial Statement Implications of Business Risks [NFSI]
4. Assess Risk of Material Misstatement at the Entity Level [RMM-E]

Process Level
5. Perform (or do not perform) Business Process-Level Analysis (Part 2a) [BPA (yes/no)]
6. Assess Business Process Level Risks for a Critical and a Supporting Process [BPR-C, BPR-S]
7. Analyze Related Financial Statement Accounts (Part 2b)
8. Assess Risk of Material Misstatement at the Financial Statement Account Level [RMM-C, RMM-S]

Relationship to Experimental Materials (see text for a more detailed description):

Part 1: Participants were presented with information about the entity that was used for understanding the entity and
its environment. One independent variable, residual strategic risk (RSR), was manipulated between-subjects at two
levels (high and low) at this point in the experiment. The participants then listed the business risks identified
(NBR-E) and the financial statement implications (NFSI) and assessed CBR-E and RMM-E.
Part 2a: Participants were required to perform (or not perform) a formal business process analysis on two business
processes (core and supporting). The requirement to perform or not perform a formal business process analysis was
the second between-subjects independent variable (BPA). The two business processes represent the within-subjects
independent variable: type of process (ToP). The participants then assessed BPR-C and BPR-S.
Part 2b: Participants were then asked, based on the previous information, to assess the risk of material misstatement
for the classes of transactions/accounts affected by each process. This resulted in the RMM-C and RMM-S
assessments.

Measured and Dependent Variables:
CBR-E = The auditor's assessment of client business risk at the entity level.
NBR-E = Number of business risks at the entity level documented by the participants.
NFSI = Number of financial statement implications identified based on documented business risks.
RMM-E = The auditor's assessment of the risk of material misstatement at the entity level.
BPR-C = The auditor's assessment of business process risk for the core process (product/service delivery).
BPR-S = The auditor's assessment of business process risk for the supporting process (human resource
management).
RMM-C = The auditor's assessment of the risk of material misstatement for the classes of transactions/accounts
affected by the core process (product/service delivery).
RMM-S = The auditor's assessment of the risk of material misstatement for the classes of transactions/accounts
affected by the supporting process (human resource management).


Table 1
Descriptive Statistics
Panel A: Number of business risks identified (NBR-E)

RSR       BPA: no explicit request   BPA: explicit request   Marginal Means
Low       3.58 (1.500), n=38         3.83 (1.200), n=35      3.70 (1.361), n=73
High      3.63 (1.012), n=19         4.31 (1.370), n=42      4.10 (1.300), n=61
Total     n=57                       n=77                    n=134

Panel B: Client business risk at the entity level (CBR-E)

RSR       BPA: no explicit request   BPA: explicit request   Marginal Means
Low       5.50 (1.247), n=38         5.60 (1.479), n=35      5.55 (1.354), n=73
High      5.26 (1.098), n=19         5.81 (1.254), n=42      5.64 (1.225), n=61
Total     5.42 (1.194), n=57         5.71 (1.356), n=77      5.59 (1.293), n=134

Panel C: Number of Financial Statement Implications Identified (NFSI)

RSR       BPA: no explicit request   BPA: explicit request   Marginal Means
Low       3.16 (2.034), n=38         3.23 (1.395), n=35      3.19 (1.745), n=73
High      2.74 (1.558), n=19         3.33 (1.843), n=42      3.15 (1.769), n=61
Total     3.02 (1.885), n=57         3.29 (1.645), n=77      3.17 (1.749), n=134

Panel D: Risk of material misstatement at the entity level (RMM-E)

RSR       BPA: no explicit request   BPA: explicit request   Marginal Means
Low       4.79 (1.379), n=38         5.29 (1.405), n=35      5.03 (1.404), n=73
High      5.11 (1.329), n=19         5.43 (1.016), n=42      5.33 (1.121), n=61
Total     4.89 (1.359), n=57         5.36 (1.202), n=77      5.16 (1.287), n=134

Panel E: Business process risk for core process (BPR-C)

RSR       BPA: no explicit request   BPA: explicit request   Marginal Means
Low       4.68 (1.646), n=38         5.63 (1.610), n=35      5.14 (1.686), n=73
High      4.42 (1.346), n=19         5.24 (1.206), n=42      4.98 (1.297), n=61
Total     4.60 (1.545), n=57         5.42 (1.408), n=77      5.07 (1.518), n=134

Panel F: Risk of material misstatement for the core process (RMM-C)

RSR       BPA: no explicit request   BPA: explicit request   Marginal Means
Low       4.61 (1.717), n=38         5.49 (1.502), n=35      5.03 (1.666), n=73
High      4.58 (1.346), n=19         5.07 (1.237), n=42      4.92 (1.282), n=61
Total     4.60 (1.591), n=57         5.26 (1.371), n=77      4.98 (1.499), n=134


Panel G: Business process risk for the supporting process (BPR-S)

RSR       BPA: no explicit request   BPA: explicit request   Marginal Means
Low       3.32 (1.416), n=38         4.37 (1.308), n=35      3.82 (1.456), n=73
High      3.95 (2.013), n=19         4.17 (1.080), n=42      4.10 (1.422), n=61
Total     3.53 (1.649), n=57         4.26 (1.185), n=77      3.95 (1.442), n=134

Panel H: Risk of material misstatement for the supporting process (RMM-S)

RSR       BPA: no explicit request   BPA: explicit request   Marginal Means
Low       3.66 (1.744), n=38         4.06 (1.434), n=35      3.85 (1.604), n=73
High      4.16 (1.604), n=19         4.05 (1.464), n=42      4.08 (1.498), n=61
Total     3.82 (1.602), n=57         4.05 (1.441), n=77      3.96 (1.555), n=134
_________________________________________
Description of Independent and Dependent Variables:
RSR = Residual Strategic Risk - between-subjects independent variable. Coded as 0 if "low", 1 if "high".
BPA = Business Process Analysis - between-subjects independent variable. Coded as 0 if participants did not
perform a business process analysis; coded as 1 if they did perform a business process analysis.
NBR-E = Number of business risks at the entity level documented by the participants.
CBR-E = Client business risk at the entity level - an assessment of the risk from 1 (very low) to 9 (very high).
NFSI = Number of financial statement implications identified based on documented business risks.
RMM-E = Risk of material misstatement at the entity level - an assessment of the risk from 1 (very low) to 9 (very
high).
BPR-S = Business process risk for the supporting process (human resources) - an assessment of the risk from 1
(very low) to 9 (very high).
RMM-S = Risk of material misstatement for the supporting process (human resources) - an assessment of the risk
from 1 (very low) to 9 (very high).
BPR-C = Business process risk for core process (product and service delivery) - an assessment of the risk from 1
(very low) to 9 (very high).
RMM-C = Risk of material misstatement for the core process (product and service delivery) - an assessment of the
risk from 1 (very low) to 9 (very high).
ToP = Type of Process - within-subjects independent variable. Coded as 1 if the business process is
supporting in nature (human resources), coded as 2 if the business process is core in nature (product and service
delivery).


Table 2
Correlations

Panel A: Full sample (N = 134)

        RSR           BPA           NBR-E         CBR-E         NFSI          RMM-E         BPR-S         RMM-S         BPR-C
NBR-E   .149 (.086)   .183 (.035)   1
CBR-E   .035 (.685)   .113 (.195)   .028 (.750)   1
NFSI    -.013 (.885)  .076 (.382)   .383 (.000)   .061 (.482)   1
RMM-E   .117 (.179)   .181 (.037)   .120 (.167)   .276 (.001)   .014 (.872)   1
BPR-S   .096 (.271)   .252 (.003)   .067 (.445)   .339 (.000)   .021 (.806)   .236 (.006)   1
RMM-S   .075 (.391)   .073 (.405)   .055 (.528)   .279 (.001)   .008 (.924)   .214 (.013)   .636 (.000)   1
BPR-C   -.051 (.562)  .268 (.002)   .163 (.061)   .351 (.000)   .013 (.885)   .241 (.005)   .448 (.000)   .237 (.006)   1
RMM-C   -.036 (.676)  .220 (.011)   .185 (.032)   .240 (.005)   .030 (.730)   .423 (.000)   .354 (.000)   .287 (.001)   .708 (.000)

Panel B: Sub-sample where BPA=0 (N = 57)

        RSR           NBR-E         CBR-E         NFSI          RMM-E         BPR-S         RMM-S         BPR-C
NBR-E   .019 (.891)   1
CBR-E   -.094 (.485)  .074 (.584)   1
NFSI    -.106 (.432)  .530 (.000)   .274 (.039)   1
RMM-E   .111 (.413)   .015 (.909)   .248 (.063)   -.041 (.761)  1
BPR-S   .182 (.175)   .065 (.630)   .366 (.005)   .141 (.297)   .137 (.310)   1
RMM-S   .140 (.300)   .148 (.273)   .388 (.003)   .118 (.383)   .185 (.168)   .657 (.000)   1
BPR-C   -.081 (.549)  .221 (.099)   .258 (.053)   .162 (.229)   .115 (.392)   .414 (.001)   .197 (.143)   1
RMM-C   -.008 (.954)  .206 (.124)   .166 (.217)   .133 (.322)   .286 (.031)   .219 (.102)   .283 (.033)   .637 (.000)

Panel C: Sub-sample where BPA=1 (N = 77)

        RSR           NBR-E         CBR-E         NFSI          RMM-E         BPR-S         RMM-S         BPR-C
NBR-E   .184 (.109)   1
CBR-E   .077 (.503)   -.037 (.749)  1
NFSI    .032 (.783)   .244 (.032)   -.110 (.339)  1
RMM-E   .060 (.607)   .154 (.180)   .274 (.016)   .040 (.730)   1
BPR-S   -.087 (.454)  -.024 (.837)  .301 (.008)   -.160 (.165)  .274 (.016)   1
RMM-S   -.003 (.977)  -.051 (.657)  .190 (.099)   -.112 (.333)  .224 (.050)   .624 (.000)   1
BPR-C   -.139 (.228)  .036 (.754)   .394 (.000)   -.166 (.150)  .283 (.013)   .407 (.000)   .255 (.025)   1
RMM-C   -.151 (.188)  .104 (.368)   .267 (.019)   -.103 (.371)  .509 (.000)   .436 (.000)   .273 (.016)   .741 (.000)

________________________________________
Note: Values in cells are correlations (two-tailed p-values).
Refer to table 1 for a description of the independent and dependent variables.

Table 3
Multivariate Analysis of Covariance and Regressions

Panel A: Multivariate Tests

Effect                  Value    F         df       p-value
RSR (Wilks' Lambda)     .985     .951      2.000    .389
CBR-E (Wilks' Lambda)   .921     5.502     2.000    .005
NBR-E (Wilks' Lambda)   .838     12.438    2.000    .000

Panel B: Tests of Between-Subjects Effects

Source             Dependent Variable   SS         df     F         p-value
Corrected Model    RMM-E                21.374     3      4.654     .004
                   NFSI                 62.880     3      7.917     .000
RSR                RMM-E                1.840      1      1.202     .275
                   NFSI                 2.111      1      .798      .373
CBR-E              RMM-E                15.994     1      10.448    .002
                   NFSI                 1.139      1      .430      .530
NBR-E              RMM-E                2.105      1      1.375     .243
                   NFSI                 61.261     1      23.140    .000
Error              RMM-E                199.014    130
                   NFSI                 344.173    130

Panel C: Regression
Dependent Variable: Number of Financial Statement Implications of Identified Business Risks
(NFSI)

Model         SS         df     MS        F         p-value
Regression    60.768     2      30.384    11.494    .000
Residual      346.284    131    2.643
Total         407.052    133

Model       Standardized Coefficients   t        p-value
Constant                                1.167    .245
NBR-E       .382                        4.734    .000
CBR-E       .051                        .628     .531

Panel D: Regression
Dependent Variable: Risk of Material Misstatement at the Entity Level (RMM-E)

Model         SS         df     MS        F         p-value
Regression    19.534     2      9.767     6.370     .002
Residual      200.855    131    1.533
Total         220.388    133

Model       Standardized Coefficients   t        p-value
Constant                                5.752    .000
NBR-E       .113                        1.348    .180
CBR-E       .273                        3.266    .001

_____________________________
Refer to table 1 for a description of the independent and dependent variables.

Table 4
Repeated Measures Analysis of Covariance
Dependent Variables: Business Process-level Assessments of Business Risk (BPR-S, BPR-C)

Source             SS         df     F         p-value

Between-Subjects Effects:
Intercept          76.109     1      31.040    .000
RSR                .162       1      .066      .798
BPA                24.382     1      9.944     .002
RSR * BPA          6.392      1      2.607     .109
CBR-E              61.969     1      25.273    .000
Error              187.106    129

Within-Subjects Effects:
ToP                2.842      1      2.358     .127
ToP * RSR          4.439      1      3.684     .044
ToP * BPA          1.000      1      .694      .406
ToP * RSR * BPA    1.848      1      1.534     .218
ToP * CBR-E        .053       1      .044      .834
Error(ToP)         155.472    129

________________________________________
Refer to table 1 for a description of the independent and dependent variables.

Table 5
Analysis of Covariance by BPA
Dependent Variables: Business Process-level Assessment of Business Risk (BPR-S, BPR-C)

Panel A: Business Process Requirement (BPA = 1)

Source             SS         df     F         p-value

Between-Subjects Effects:
Intercept          66.790     1      34.391    .000
RSR                5.202      1      2.678     .106
CBR-E              33.345     1      17.170    .000
Error              82.777     74

Within-Subjects Effects:
ToP                .175       1      .173      .679
ToP * RSR          .449       1      .443      .508
ToP * CBR-E        1.611      1      1.590     .211
Error (ToP)        75.122     74

Panel B: No Business Process Requirement (BPA = 0)

Source             SS         df     F         p-value

Between-Subjects Effects:
Intercept          16.365     1      5.141     .027
RSR                2.056      1      .646      .425
CBR-E              29.333     1      9.216     .004
Error              171.877    54

Within-Subjects Effects:
ToP                5.364      1      3.757     .057
ToP * RSR          5.590      1      3.915     .046
ToP * CBR-E        1.692      1      1.185     .281
Error (ToP)        77.098     54

_____________________________________
Refer to table 1 for a description of the independent and dependent variables.

Table 6
Repeated Measures Analysis of Covariance for Process-level Assessment of
Risk of Material Misstatement
Dependent Variables: Risk of Material Misstatement for each Business Process (RMM-S, RMM-C)

Source             SS         df     F         p-value

Between-Subjects Effects:
Intercept          2.170      1      1.514     .221
RSR                .020       1      .014      .907
BPA                1.283      1      .895      .346
RSR * BPA          .088       1      .061      .805
Covariates:
CBR-E              .003       1      .002      .963
RMM-E              16.886     1      11.762    .001
BPR-S              50.584     1      35.276    .000
BPR-C              35.626     1      24.845    .000
Error              180.680    126

Within-Subjects Effects:
ToP                .111       1      .107      .744
ToP * RSR          .301       1      .289      .592
ToP * BPA          1.258      1      1.210     .273
ToP * RSR * BPA    .213       1      .205      .652
ToP * CBR-E        2.500      1      2.405     .123
ToP * RMM-E        5.577      1      5.365     .022
ToP * BPR-S        45.878     1      44.139    .000
ToP * BPR-C        55.610     1      53.501    .000
Error(ToP)         130.967    126

________________________________________
Refer to table 1 for a description of the independent and dependent variables.
