Internal Control Assessment and Substantive Testing

The Interaction between Internal Control Assessment
and Substantive Testing in Audits for Fraud*

J. REED SMITH, State University of New York at Buffalo
SAMUEL L. TIRAS, State University of New York at Buffalo
SANSAKRIT S. VICHITLEKARN, University of Oregon
Abstract
We examine tbe interaction between internal control assessments and substantive testing in
a model of fraud detection. The purpose of our study is to examine a two-stage model of the
auditor-manager interaction in which the auditor assesses the "likelibood" or possibility of
fraud in tbe first stage and conducts substantive tests in the second stage. We examine the
allocation of audit resources across these two distinct facets of the audit. We find that,
regardless of the auditor's allocation, the probability of undetected fraud remains the same,
but the allocation of some audit resources to internal control assessment may provide cost
savings for the auditor.
Keywords
Strategic auditing; Internal control assessment; Audits for fraud; Substantive

testing
Condense
La possibility que Ies gestionnaires se rendent coupables de fraude prôccupe depuis longtemps les investisseurs. Depuis I'adoption du Statement on Auditing Standards (SAS) 53 et
du SAS 55, cette preoccupation est aussi celle des v^rificateurs. Le SAS 53 exige des v^rificateurs qu'ils planifient leurs missions de verification de fafon ^ foumir une assurance raisonnable que les fraudes seront detectês et le SAS 55 exige que Ies v6rificateurs ^tudient les
structures de controle interne des entreprises clientes afin de determiner quelles sont les
entreprises les plus vulnerables ^ la fraude. Pour clarifier davantage les responsabilites des
v^rificateurs quant ^ la prevention et a la detection de la fraude, I'American Insittute of
Certified Public Accountants (AICPA) a plus tard adopts le SAS 78, en remplacement du
SAS 55, et le SAS 82, en remplacement du SAS 53. Ensemble, le SAS 78 et le 5*45 82 servent
de guide aux v^rificateurs en ce qui a trait & la meilleure fa?on de r^partir leurs efTorts entre
I'appiication de tests con?us pour d^tecter la fraude (tests de corroboration) et de tests
confus pour ^valuer la probability qu'une fraude puisse etre commise (Evaluation du
syst^me de controle interne).
Accepted by Rick Antle. Helpful comments were provided by Neil Fargher. Ray King, Steve Matsunaga. Dale Morse. Paul Newman, Evelyn Patterson, Mike Stein, and workshop panicipants at
the University of Oregon, Louisiana State University, Miami University, and SUNY at Buffalo.
We especially thank Rick Antle (the Associate Editor) and two anonymous reviewers for their
insights and suggestions.
Contemporary Accounting Research Vol. 17 No. 2 (Summer 20(X)) pp. 327-56 CAAA
328
Contemporary Accounting Research
Les auteurs examinent I'interaction entre revaluation du contrdle inteme et les tests de
corroboration dans un modele de detection de la fraude. Ils analysent en particulier I'interaction en deux phases b a s ^ sur la th6orie des jeux entre un v^rificateur exteme et la direction de l'entreprise cliente. Le v^rificateur lvalue Tefficacitd du controle dans un premier
temps et effectue ensuite des tests de corroboration relatifs k la fraude dans un second
temps. L'efficacit^ du eontrole est en relation inverse avec la propension du gestionnaire h
cotnmettre une fraude. Si le controle est efficace, le gestionnaire doit redoubler d'effort pour
d^jouer le syst^me de controle, ce qui diminue rint6r6t de la fraude. Cependant, le gestionnaire n'a pas k d^ployer beaueoup d'efforts pour d^jouer un syst^me de controle deficient,
Une certaine probability est associee h I'^clairage que peut jeter revaluation du controle
inteme sur la d^ficience du systfeme de controle, d^ficience qui rendrait la fraude plus
attrayante pour le gestionnaire. Sous reserve des resuitats de revaluation du controle
interne, le v^rificateur d^cidera de I'^tendue des tests de corroboration qu'il convient
d'effectuer.
Les auteurs eomparent ce module en deux phases h un module de base dans lequel Ie
v^rificateur n'effectue que des tests de corroboration. Cette comparaison met en relief la
faôn dont revaluation du contrdle inteme influe sur les caract^Hstiques des strategies
d'^quilibre et les r^sultats du module. L'analyse permet de produire certaines predictions
descriptives en ce qui a trait S la fa9on dont les diverses caracteristiques du contexte de ia
mission influent sur la repartition du travail de verification entre Ies deux phases et k la
maniere dont elles influent sur ia decision des gestionnaires de commettre une fraude.
Les auteurs constatent que Ie volume de travail consacre k revaluation du controle
inteme n'exerce pas d'influence sur la probabiiite d'^quilibre qu'une fraude soit commise
sans etre detectee. De plus, lorsque ies evaluations du contr61e inteme sont relativement efficientes dans la detection des fraudes potentielles. des economies de coQts peuvent 6tre realisees par le verificateur grace h i'affectation des ressources de verification k revaluation du
eontrole inteme plutdt qu'aux tests de corToboration.
Les auteurs constatent egalement que les economies de coOts decoulant de I'evaluation
du systfeme diminuent avec les facteurs qui augmentent I'efficacite des procedes de corroboration. Si Ies procedes de corroboration sont suffisamment efficaces, Ie verificateur choisira
d'affecter la totalite des ressources de verification aux tests de corroboration.
Les auteurs commencent par une interaction premiere entre un gestionnaire qui se propose de commettre une fraude et un verificateur qui souhaite detecter la fraude. La probabiiite que le systeme de contrSle soit deficient est de ft et la probabiiite qu'il soit efficace est
de (1 ~ $). L'avantage qu'obtient le gestionnaire lorsqu'il commet une fraude qui n'est pas
detectee est de F. Si Ie systeme de controle est efficace. toutefois, le gestionnaire doit
deployer beaueoup d'efforts () pour le dejouer, ce qui fait que la fraude ne Iui rapportera
que F-Q). Si Ie gestionnaire commet une fraude et que la fraude est deteciee par le verificateur, le gestionnaire encourt des penalites PQ, notamment des amendes, la perte de son
emploi ou la prison. La probabiiite que le gestionnaire qui fait face h un systdme de type
( e {w, s} commette une fraude dans un contexte de strategie mixte est de a, e [0, 1].
Dans ce module de base, Ie verificateur ne peut evaluer si le systdme est efficace ou
deficient. II determine retendue des tests de corroboration {intensite du travail de verification), denotee JC > 0, en fonction de la connaissance de ft Si Ie gestionnaire choisit de commettre la fraude, la probabiiite que le verificateur Ia detecte est de d(x). Les auteurs
Internal Control Assessment and Substantive Testing in Audits for Fraud
329
supposent que la fonction de detection d(x) rev8t la forme suivante : d(x) = 1 - Exp{-bx},
oub>0 est un param^tre. Ce param^tre repr^sente I'efficacit^ des tests de corroboration
dans la detection de la fraude.
Le v6rificateur engage des coQts de verification de ex pour determiner si une fraude a
^te commise. o^ c represente le cout unitaire de la verification. Si le v^rificateur ne parvient
pas k detecter une fraude qui a ^t^ commise, il encourt une p^nalit^ D, notamment des dommages. une atteinte k sa reputation et des sanctions gouvemementales. Le v^rificateur peut
^viter ces couts s'il d^tecte la fraude.
Les auteurs d6rivent les strategies d'equilibre suivantes pour le modele de base. Si le
gestionnaire observe la d^ficience du syst6me de contrdle, la probability d'equilibre qu'il
choisira de commettre la fraude est la suivante : a^ =
c(E + F )
^
; si le gestionnaire observe
bD&Fn
I'efficacite du systfeme de controle. il ne commettra pas la fraude. Le verificateur, k V6qu\libre, choisira x'= -Ln -
. Cet equilibre est semblable k celui observe dans
d'autres travaux relatifs k la verification strategique,

Puis, les auteurs analysent l'interaction selon un modeie k deux phases, grace k Tajout
d'une strategie de la part du verificateur. Ce demier peut ^valuer la probabilite que le systdme
de contrdle soit deficient en effectuant un certain volume de travail dans un premier temps.
En consequence de ces efforts, le verificateur constate soit que le systeme de controle est
deficient (et qu'une fraude peut facilement etre commise), soit qu'il ne Test pas (signal nul).
La nature du syst^me est detemiinee a la premiere phase et observee k titre pHv^ par le
gestionnaire. Si le syst&me de controle est deficient, le gestionnaire sait que la probability
que le verificateur decele la deficience du controle est de h{e^), et la probabilite qu'il commette la fraude est de a^. Si le syst^me de contrdle est efficace, la probabilite que le gestionnaire commette la fraude es de a^.
Le verificateur tente de determiner si le systeme de contr6le inteme est efficace ou deficient
en deployant un effort e^. > 0. Les auteurs supposent que la probabilite que le verificateur
juge par erreur qu'un syst^me de controle inteme efficace est deficient est de zero, et que la
probabilite que le verificateur juge qu'un systeme de controle inteme deficient est deficient
est de h(e^.). une valeur k croissance concave dans l'intervalle [0, 1], et h(0) = 0.
A partir de ses observations k la premiere phase du modele, le verificateur determine
retendue des tests de corroboration (intensite du travail de verification) k la seconde phase.
Le choix du verificateur est denote XQ > 0. si ce dernier ne dec6Ie pas de deficience du systeme de conu-ole, et x-^ > 0, s'il decile une deficience du systeme de controle. Comme dans
le modele de base, si le gestionnaire choisit de commettre une fraude. la probabilite que le
verificateur detecte la fraude est de d(x), oti x represente soit XQ, soit x^,,..
Contrairement au module de base, le modele k deux phases fait intervenir trois equilibres
differents. Premi^rement, sifeou ^ sont grands, ou si c est petit, alors f' = 0 et les strategies
d'equilibre sont identiques k celles du module de base. Pour ces equilibres, le gestionnaire
ne commettra jamais de fraude si le syst^me de controle est efficace (ttj' = 0). D'autre part,
si i) et c ne sont pas trop grands et si c n'est pas trop petit, le verificateur choisira e* > 0.
Pour ces equilibres, le gestionnaire choisira a* = 0 pour Ies valeurs plus eievês de OJ et 0 <
* * pour les valeurs de a plus faibles.
330
Pour les cas dans lesquels h'(0) < - ^ . , , . , e' = 0k I'dquilibre. et le

c(( I tfj+ WLnl tf})
module est assimilable au module de base. Si le v6rificateur cboisit e* = 0, alors hie*) = 0
et le v6rificateur ne d^couvrira aucunemeni que le systfeme est deficient. II s'agit Ik de
l'exacte situation du module de base. Une autre faôn d'exprimer la chose serait la suivante ;
le v6rificateur choisit entre la verification en une seule pbase et la verification en deux phases,
en fonction de l'importance relative de b'(0) et - . . . . . Une caractdristique
c((l w) + vLn[oj)
importante de cette condition est qu'elle depend uniquement des param^tres b. c et 8, et de
la pente de bCe^.) au seuil de 0. Elle ne depend ni de !a strategic de l'entreprise v6rifi6e, ni de
celle du verificateur k la seconde phase.
Pour toutes les missions de verification, la probability prdvue d'une fraude non
c
c
est de T-T- et le coQt privu de Tficbec de la verification est de 7 Si h (0) >
oD
0
, la strategie de verification qui reduit Ie coflt au minimum consiste k
cboisir e' > 0. Si h'(0) < -r-.^-,
, , , , la strategie de verification qui reduit Ie coQt
c( (1 tf)+ e Ln [tj\)
au minimum consiste k choisir e* = 0. En d'autres mots, la probabilite qu'une fraude ne soit

pas detectee n'est pas influencee par la decision du verificateur d'affecter ou non des ressources de verification k revaluation du controle. Seuls les coQts de la verification pour Ie
verificateur sont influences par ce choix.
1. Introduction
The possibility that managers may commit fraud has long been a concem of corporate investors. This concern was passed on to the auditor with the passage of the
American Institute of Certified Public Accountants' (AICPA's) Statement on Audit-
ing Standards (SAS) No. 53 and SAS No. 55. SAS No. 53 required auditors to
design their audits to provide reasonable assurance that fraud would be detected,
and 5-45 No. 55 required auditors to analyze the intemal conlrol structures of their
clients to identify firms where fraud would most likely be perpetrated. To further
clarify the auditors' responsibilities in preventing and detecting fraud, the AICPA
later passed SAS No. 78, which superseded SAS No. 55, and SAS No. 82, which
superseded SAS No. 53. Together. SAS No. 78 and SAS No. 82 provide auditors
with guidance on how to best allocate their efforts between performing tests
designed to evaluate the likelihood that fraud could be committed (assessing the
system of intemal control) and performing tests designed to detect fraud (substantive testing).
We examine the interaction between intemal control assessments and substantive testing in a model of fraud detection. In particular, we analyze a two-stage
game-theoretic interaction between an extemal auditor and the management of a
client firm. The auditor assesses the strength of controls in the first stage and then
331
performs substantive tests for fraud in the second stage. The strength of controls is
inversely related to the propensity of a manager to commit fraud. If controls are
strong, a manager must exert costly effort to override the system of controls, which
diminishes the attractiveness of committing fraud. Costly effort is not required,
however, for the manager to override the controls of weak systems. With some
probability, the internal control assessment will reveal whether the system of controls is weak, indicating that it is more desirable for the manager to commit fraud.
Depending on the outcome of the assessment of internal control, the auditor will
decide how much substantive testing to perform.
We compare this two-stage model to a benchmark model in which the auditor
pertbrms only substantive testing. This comparison highlights how internal control
assessment affects the characteristics of the equilibrium strategies and outcomes of
the model. The analysis yields some descriptive predictions about how various
characteristics in the audit environment affect the distribution of audit work across
the two stages and how these characteristics affect the manager's fraud decision.
We find that the equilibrium probability that fraud is committed and is not
detected is unaffected by the amount of effort allocated to assessing internal controls. In addition, when internal control assessments are relatively efficient at identifying the potential for fraud, cost savings for the auditor can be achieved by
allocating audit resources away from substantive testing and toward internal control assessment.
We also find that the cost savings from system assessment decrease in factors
that increase the effectiveness of substantive testing procedures. If substantive testing procedures are sufficiently effective, the auditor will choose to allocate ail of
the audit resources to substantive testing.
The strategic auditing literature began with Fellingham and Newman 1985,
who examined the interaction between a client who chooses low or high effort that
translates directly into material error or no material error. The auditor can choose
to extend tests and discover the material error or not, and subsequently must
choose to qualify or not qualify the audit report. The audit technology in the
authors' paper is perfect, so their study focuses on the trade-off between information acquisition and the audit report. Following their study, several studies consider
the auditor-manager interaction assuming an imperfect audit technology. Newman
and Noe! (1989) and Shibano (1990) both focus on the auditor's accept/reject decision given a fixed sample of audit data. Patterson (1993) extends these studies by
considering the auditor's accept/reject decision after a sample size decision. Our
model differs from these studies in two fundamental ways. First, we model the
audit as a discovery problem with imperfect auditing, whereas Fellingham and
Newman, Newman and Noel, Shibano. and Patterson model an acceptance problem.
This difference changes the labeling and interpretation of many of the decisions
but does not really change the economic trade-offs involved. More importantly, we
examine a two-stage audit interaction in which the auditor makes two distinct
effort decisions at the different stages that provide different audit benefits.
The first stage of our audit detection problem involves system assessment, and
the second stage involves fraud detection. Few papers in strategic auditing have
332
examined allocations of audit work across time. Exceptions are Caplan 1999, Finn
and Penno 1996, and Matsumura and Tucker 1992. Caplan examines a multistage
audit setting in which the manager has a two-stage decision, but the audit work is
essentially a one-stage problem. Finn and Penno examine the issue of commitment
in a stop-and-go audit environment. Their paper focuses on when to stop auditing
if no fraud has been discovered. Matsumura and Tucker examine a two-stage audit
that is structurally similar to ours. The auditor chooses high or low compliance
testing, which then provides information about the probability of fraud. Based on
this information, the auditor then decides whether to exert high or low effort in
substantive tests. Matsumura and Tucker consider only a single type of audit client
(dishonest), and their information structure is much simpler. The first-stage effort
provides information about the likelihood that fraud actually was committed.
Our paper complements Matsumura and Tucker and Caplan in that we examine a two-stage audit in which the first stage is system-related. Unlike Finn and
Penno, detection of fraud cannot occur in the first stage. Caplan's focus is on the
manager's first-stage decision (system choice), while we simplify that choice and
focus on the auditor's first-stage decision (system assessment). Unlike Matsumura
and Tucker, the auditor in our model cannot obtain information about the probability that fraud actually was committed in the first stage. Rather, the first-stage effort
only provides information about the manager's type.
This paper also relates to research into tax compliance auditing. Both Sansing
(1993) and Rhoades (1997) examine two-stage models in which the auditor, which
is a tax authority in their papers, gathers information about the likelihood that
fraud will be committed in the first stage and then performs substantive testing in a
second stage. Sansing examines how the taxing authority should respond to information it has gathered and how the taxing authority's strategy would affect the
equilibrium likelihood of an aggressive taxpayer strategy. Sansing then computes
how much information the taxing authority should optimally gather, which is analogous to the system-assessment stage in our model.
While Sansing does examine a two-stage audit in which the first stage relates
to information acquisition, contextual differences between a tax audit and a financial statement audit induce important modeling distinctions. First, the second stage
of Sansing's model, which corresponds to the level of substantive testing in our
model, is a binary choice: audit the tax retum or not. This modeling choice is strategically descriptive for tax audits. On the other hand, this modeling choice is not
descriptive of financial statement audits. Public accountants must do some auditing
of each client. As a result, we model substantive testing as a continuous choice. Tn
addition, our model allows us to explicitly examine the allocation of audit resources
to system assessment and substantive testing.
Rhoades (!997) also models the tax audit problem as a two-stage audit. In the
first stage, the better-informed taxpayer reports income, and the tax authority
chooses to audit. The tax authority chooses to accept or reject the report subsequent to the findings of the imperfect audit in the second stage. Rhoades includes
costs for correcting type I errors. Like Sansing, Rhoades models the tax audit and
the subsequent accept/reject decisions as binary choices.
Ititemal Control Assessment and Substantive Testing in Audits for Fraud
333
Both Sansing and Rhoades show results that are analogous to our finding that
undetected fraud is not affected hy the assessment of internal control. For example,
tax revenues in Sansing's paper do not depend on the precision of the tax authority's information. An investment by the tax authority in more precise information
must be aimed at reducing cost rather than on generating increased revenue. Generating revenue in the tax models is analogous to detecting fraud in our study.
Unlike Matsumura and Tucker 1992, Sansing 1993, and Rhoades 1997, we
focus on the continuous allocation of audit resources to two distinct types of audit
task: system assessment and substantive testing. Both of these tasks relate to detection, but only substantive testing can actually detect fraud.
The remainder of this paper is organized as follows: in section 2 we present
and discuss a simple benchmark model, in section 3 we describe our two-stage
model, in section 4 we describe our analysis, and in section 5 we discuss our
results and identify the limitations of our study.
2. Benchmark model
We begin with a restricted interaction between a manager who wishes to perpetrate
a fraud and an auditor who wishes to detect fraud.' Tbe system of controls is either
weak, with probability 0, or strong, with probability (1 - 9). The benefit to the
manager of successfully committing fraud is F. If the system of controls is strong,
however, the manager must exert costly effort (oji) to override the controls, and the
net payoff to successfully committing fraud is only F - 6). If the manager commits
fraud and the fraud is detected by the auditor, the manager incurs a penalty, Pp,
which could iticlude fines, loss of employment, or jail. The manager with system
type t {w. s} will commit fraud as a mixed strategy with probability a, e [0, 1].
In the benchmark model, the auditor cannot assess whether the system is
strong or weak.^ The auditor chooses a level of substantive testing (audit effort),
denoted x>0, based on knowledge of 6. If the manager chooses to commit fraud,
the auditor will detect the fraud with probability d(x). We assume that the detection
function, d(x), has the functional form d(x) = 1 - EKp{~bx}, where /? > 0 is a
parameter.3 This parameter represents the effectiveness of substantive testing at
identifying fraud.**
The auditor incurs audit costs of ex to determine whether fraud has been committed, where c is the unit cost of auditing. If the auditor fails to detect fraud when
it has been perpetrated, he suffers a penalty, D, which includes legal damages, reputation loss, and governmental sanctions. This cost is avoided if the auditor detects
fraud. These payoffs are shown in the game tree in Figure I.
The solution to this game is straightforward. The managers' choices of a^ and
0^ must make the auditor's equilibrium choice of x optimizing, and the auditor's
choice of X must make the managers' choices of Oj and Oy^, optimizing. The auditor's
expected payoff is
(1 - e)a,)D Exp{-bx} - ex
The first-order condition for this payoff is
(1).
.
334
Contemporaiy Accounting Research
Figure 1 Benchmark model

Nature
Manager
Auditor
{Manager's payoff. Auditor's payof!}
{F(l - d(.)) - Fodix), -ZXI - dix)) - ex]
{F(\ -
- (Ut -ZHl - d{x)) - cx\
{0,-cx}
,. + (1 - e)a
- c=0
(2).
and the second-order condition is

(3).
The manager's payoff, if the system is weak, is
(4),
and the manager's payoff, if the system is strong, is
(5).
For the remainder of our analysis we make the technical assumption that
< bDOPp, which implies that a^ < 1 and a* = O.s
We characterize the equilibrium strategies to the benchmark game in Proposition I.
1. If the manager observes a weak system of control, the equilibrium probability that she will choose to commit fraud is
PROPOSITION
Intemal Control Assessment and Substantive Testing in Audits for Fraud
bD9P D
335
(6).
If the manager observes a strong system of control, she will not commit fraud.
: =0
il).
The auditor, in equilibrium, will choose x:
(8).
D
PROOF.
The proof follows directly from equations 2,4. and 5.
Tbe comparative statics from our study for the auditor's strategy, x' and the
manager's fraud strategy, a*,, are similar to those of Newman and Noel 1989 and
Sbibano 1990, even though we look at a different type of audit decision. For example, the equilibrium choice of x* is not affected by changes in the auditor's exposure to audit failures, D. On the other hand, Patterson (1993) finds that detection
risk may be increasing in what we refer to as D. The difference between our study
and Patterson's results from the fact that Patterson considers the balancing of two
distinct strategic choices: sample size and acceptance. We do not consider type I
errors and, as a result, increased effort always serves to improve the auditor's
expected reporting decision. Patterson does consider the costs of type I errors and
the auditor, in her model, balances the costs of type I and type II reporting errors in
choosing the optimal effort and cutoff values.
We can examine the equilibrium probability of undetected fraud. Ex ante,
the probability of undetected fraud (UF) is Pr(C/F) = dcc1(l - d(_x*)) =
bDBP
(FP\
~ M 5 '^^^ auditor's first-order condition in equation 2 can be
1
stated in terms of d(j:): a* =
. Tbe (I - d(x)) and 6 terms then
bD0il-d(x))
cancel. As a result, the equilibrium probability that fraud is undetected is a constant. The comparative statics in the other three studies are consistent with ours in
that the probability of undetected fraud is decreasing in the auditor's expected
costs for undetected fraud. They find, however, that the probability of undetected
fraud may be increasing or decreasing in the manager's gross payoff for undetected fraud, which we refer to as F. We find that this comparative static is zero.
Since F appears only in the auditor'sfirst-ordercondition through d(x), and since the
(I - d(x)) terms cancel, F does not affect the probability of undetected fraud.
The economic rationale underlying the results in Newman and Noel 1989,
Shibano 1990, and Patterson 1993 is similar to that in our benchmark model. The
336
auditor's decision is determined hy the manager's payoff, and the manager's decision is determined by the auditor's payoff. In all four papers, the manager plays a
mixed strategy over two discrete choices. As a result, the auditor's choice of audit
effort (sample size, materiality thresholds, etc.) will either make the manager
strictly prefer one choice over the other or will make the manager indifferent. The
equilibrium in each of these papers requires that the auditor's choice make the
manager indifferent between choosing fraud and choosing no fraud.* As a result,
the trade-off of the manager's expected payoff if he commits fraud relative to the
payoff if he does not commit fraud dictates how much audit effort the auditor
chooses in equilibrium.' In a similar manner, it is the auditor's trade-offs between
failing to detect fraud and exerting costly effort that drive the manager's mixedstrategy choice of a^ .^ As the auditor's penalty for not detecting fraud increases,
the auditor's own choice is not affected, but the manager decreases the likelihood
of committing fraud.
3. Two-stage model
We extend the interaction in section 2 to two stages by adding a strategy for the
auditor. The auditor can assess the likelihood that the control system is weak by
exerting effort in a first stage. As a result of this effort, the auditor either teams that
the control system is weak (and fraud can be easily perpetrated) or does not (a null
signal). In this section, we describe the sequence of events in the two-stage model.
We then derive the payoffs to the auditor and the manager and define the equilibrium concept.
Sequence of events
The system type, strong (s) or weak (w), is determined in the first stage and is
observed privately by the manager. The weak system requires no effort in order for
the manager to perpetrate fraud. The strong system imposes costs offt)on the manager if she wishes to override the system and perpetrate a fraud. The manager with
a weak system of controls knows that the auditor will discover the control weakness with probability h(e^.), and she conunits fraud with probability cc^^. The manager with a strong system of controls commits fraud with prohabiiity a,.
The auditor attempts to determine whether the system of internal control is
strong or weak by exerting effort, e^. > 0. We assume that the probability that the
auditor will mistakenly identify a strong system of internal control as weak is zero,
and the probability that the auditor will identify a weak system of internal control
as weak is h(ec), which is assumed increasing-concave over the range [0, I), and
h(0) = 0.9
Based on his observations in the first stage of the model, the auditor will
choose a level of substantive testing (audit effort) in the second stage. The auditor's
choice, if he does not find weaknesses in the control system, is denoted ô ^ 0; his
choice, if he finds weaknesses in the control system, is denoted x^^, > 0. As in the
benchmark model, if the manager chooses to commit fraud, the auditor will detect
the fraud with probability d(j:), where jc is either .o
is depicted in the timeline in Figure 2.
337
Figure 2 Timeline: TVo-siage model
Nature delermines Manager observes

system type
system type and
(strong, weak).
chooses whether
to commit fraud.
Auditor chooses
system evaluation
efToit
Auditor Icams (or

does not leam)
that system is
weak if it is.
Auditor (based on Auditor discovers

results of inlemai fraud if it occurred
control evaluation) probabilistically,
chooses substatUive
testing.
Payoffs
The payoffs to the managers who face strong and weak systems are identical to
those in the benchmark game. Managers who face a weak system of control obtain
a benefit of F for undetected fraud, managers who must override a strong system of
controls in order to perpetrate a fraud obtain a net benefit of F - co for undetected
fraud, and the manager incurs a cost (penalty) of Pp if she is detected committing
fraud.
The auditor incurs audit costs of e^ in attempting to determine whether the
internal control system is weak. If the system is found to be weak, the auditor
incurs audit costs of cx^^, to determine whether fraud has been committed. If the
system is not found to be weak, the auditor incurs audit costs of CXQ to determine
whether fraud has been committed. The existence of a strong or a weak system
does not affect the probability, d(jc), of detecting fraud. Again, if the auditor fails to
detect fraud when it has been perpetrated, he suffers a penalty, D, which is avoided
if the auditor detects fraud. The information structure and payoffs are shown in the
game tree in Figure 3.
The auditor will identify a weak system as weak with probability h(e^), and
choose a level of substantive testing, x^^., that induces a detection probability <^{x^^,).
With probability 1 - hie^.), the auditor will not identify the weak system as weak
and will choose a level of substantive testing, JCQ, that induces detection probability
d(j:o). The probability that fraud is detected if the system is weak is h(e^)d(.x^^,) +
(1 - h(e(.))d(j:o)- Therefore, if the control system is weak, the expected payoff to
the manager of committing fraud is
+ (1 - h(e,))(l -
(9).
If the system of controls is strong, the auditor will never identify the system as
weak and will always choose XQ. If the control system is strong, therefore, the
expected payoff to the manager is
(10).
338
f
^
a.
Iu
as
S
6
u
f/
2 /
339
If the auditor identifies the control system as weak, then he chooses x^. knowing that the probability that the manager committed fraud is o;,,. The expected payoff to the auditor in this information set is
If the auditor does not identify the control system as weak, then he computes
the probability that the system is weak using Bayes's rule:
~
.
(1 h(^^))0+ (1 0)
The manager in this situation committed fraud with probability oCy^, and with probability --^ the manager faced a strong system of controls and
chose to commit fraud with probability a^. The auditor's assessment of the probability that the manager committed fraud if the system is not found to be weak is
(12).
If the auditor does not identify the control system as weak, then his conditional
expected payoff is
In the first stage, the auditor chooses e^., which induces the probability hie^.)
that a weak system will be identified as weak. The auditor's expected payoff at this
decision point is
Cl
.)
(14).
In the next section, we will formalize the equilibrium concept for our analysis.
Nature of equilibrium
Equilibrium will be a quintuple of strategies,
, identified as follows:
= the (mixed-strategy) probability that the manager facing a weak system of

controls will commit fraud.
340
a^
= the (mixed-strategy) probability that the manager facing a strong system

of controls will commit fraud.
e^
= the effort that the auditor supplies to determine whether the firm has a
weak system of intemal controls.
x^.
= the effort that the auditor supplies to detect fraud if he has found that the
firm has a weak system of intemal controls.
XQ
= the effort that the auditor supplies to detect fraud if he has not found that
the firm has a weak system of intemal controls.
Equilibrium requires that each of these strategies be a Nash best-reply to the

other player's strategy and that the auditor's beliefs are updated in accordance with
Bayes's rule. In addition, we require that all choices be sequentially rational.
4. Analysis of the two-stage model
In this section we describe equilibrium in the two-stage model and how intemal
control assessment affects tbe nature of the auditor-manager interaction. Unlike
the benchmark model, three distinct equilibria arise in the two-stage model. First,
if either /J or 0 is large, or if c is small, then e* =0 and tbe equilibrium strategies
are identical to those in the benchmark model." For these equilibria, the manager
will never commit fraud if the system of controls is strong (a* = 0). On the other
hand, if b and c are not too large and c is not too small, then the auditor will choose
* > 0. For these equilibria, the manager will choose oc* =0 for larger values of O)
and 0< a* < 0^ for smaller values of co.
We begin our analysis by describing the first-order conditions (FOCs) induced
by the second-stage payoffs in equations 9, 10, 11, and 13. For this analysis,
we will assume that the auditor's first-stage equilibrium choice of e* is greater
than zero. If the manager faces a weak system of control, then she will choose
0^ e (0,1) if and only if
(15).
If the manager faces a strong system of control, then she will choose aê (0,1) if
and only if
(16).
If the auditor discovers that the system is weak, then equation 11 implies that x*^
must satisfy
(17).
341
In addition, since Xy^, is a continuous choice, the following second-order condition

must be satisfied:'^
-bxJ < 0
(18).
If the auditor does not discover that the system is weak, he will update his beliefs
about the likelihood that it is in fact weak and choose XQ to satisfy
- c = 0 (19).
The second-order condition for XQ is
cc.. +
a l<0(20).
For any equilibrium in which both a* e (0,1) and a^, e (0,1), the second-stage
equilibrium choices of x^, jcj, a^, and a* will be determined by the simultaneous solution of the FOCs in equations 15, 16, 17, and 19.
Ciearly, if co is greater than or equal to F, the cost of overriding a strong system
of control in order to commit fraud is not beneficial to the manager, so she would
never commit fraud under a strong system of controls. This condition is sufficient
but not necessary to deter fraud. Whenever (o>
p, the manager will
also choose a*. If (O exceeds this ratio, it is impossible for equations 15, 16, 17.
and 19 to be solved simultaneously so that a* > 0. In any of these cases, a* = 0.
As a result, the FOC in equation 19 will reduce to
(21),
and the equilibrium choices of x^,, XQ, and a^, will be determined by the simultaneous solution of the FOCs in equations 15. 17. and 21. '^ We characterize the strategies in the second stage of the two-stage game (for situations in which e* > 0) in
Proposition 2.
2. Suppose that e* > 0. There are two possible sets of equilibrium strategies in the second stage of the game.
PROPOSITION
Case 1:
F,
342
. :
[ "
\he following strategies represent equilibrium choices by the auditor and

the manager in the second stage:
(22).
(23),
(24),
a:. =
and
a: =
(25).
bD(\ -
Case 2: If a>> Min F,
, then the following strategies
represent equilibrium choices by the auditor and the manager in the

second stage:
epD
(26),
(27),
a!. =
bDOP.
(28).
and
=0
PROOF.
The proof follows directly frtjm equations 15 through 21.
(29).
343
Suppose that axF. The expression for a* in equation 25 is positive if and only
if h(ep(fl)+ (I - 0)Po) - ft)> 0, which is true if and only if fi)<
. For
these cases, a strong system of controls is better than a weak system but is not
sufficiently strong to deter managers from committing fraud altogether. If ft) >
, on the other hand, the manager will not commit fraud with any
(i-M^;))
positive probability (i.e., c^^ =0).
We now describe the auditor's equilibrium choice of e* in the first stage of the
game. In Proposition 2, the second-stage strategies for the auditor and the manager
are characterized assuming that e* > 0. We now characterize the auditor's firststage choice.
The auditor's payoff in the first stage was characterized in equation 14. This
payoff induces the following FOC with regard to e^.:
=0
(30).
Substituting the FOC in equation 17. we find

h'()
(31)
for any e* > 0. *' * The second-order condition for e^. is

Q
(32).
Again, substituting in the FOC in equation 17, equation 32 reduces to

"
<
(33).
which is satisfied for all x^ and XQ. Equation 31 and the equilibrium values of x*
and x'^ in equations 26 and 27 imply that e* > e^ whenever'^
- 1+
Ln
Evaluating equation 34 at e^ = 0, we obtain
(34).
344
This result provides the basis for Proposition 3.

3. //h'(0) > - - ^ - , . . . then c* > 0 in equilibrium
c(( I u) + aLn[a|)
and the auditor's equilibrium choice ofe^ satisfies equation 31. Conversely,
PROPOSITION
PROOF: See appendix.
For cases in which h'(0) < - . ,
,-^,. , ^* = 0 in equilibrium and
c(( 1 (7) + t7Ln[t7j)
the game reverts to the benchmark model. If the auditor chooses e* = 0, then
h(c*) = 0 and the auditor will never discover that the system is weak. This is precisely the situation in the benchmark model. Another way of saying this is that the
auditor will choose between one-stage auditing and two-stage auditing based on
the relative magnitudes of h'(0) and r^- . An important characc(\\ u) + aLn[&J)
teristic of this condition is that it depends only on the parameters b, c, and 6, and
the slope of \\ie^) at 0. It does not depend on either the auditee's strategy or the auditor's strategy in the second stage of the game.
The next section will discuss the characteristics of equilibrium in the twostage model and provide the results of our comparative static analysis.
Equilibrium characteristics of the two-stage model
For situations in which a* = 0. the expression for .r*, in equation 26 depends only
on the exogenous parameters. The expression for JCQ in equation 27 depends on the
parameters and the auditor's first-stage choice of h(e*). Conversely, for equilibria
in which a* > 0, x*^ in equation 22 depends in part on h(e*). but x^ in equation
23 does not. The reason for this differenee, which will also induce differences in
the comparative statics, is that the auditor's choice of Jt,^ and XQ is driven by the
manager's payoff. In case 1 of Proposition 2, the auditor's strategy must keep both
types of managers (those with strong controls and those with weak controls) indifferent between committing fraud and not committing fraud. The manager with
strong controls knows that in the second stage she is facing the auditor's strategy
JCQ (since the auditor's test of controls produces no false positives). Therefore, the
auditor's first-stage strategy has no effect on the expected payoff to the manager
with strong conuôls, and h(e*) cannot enter into this manager's indifference condition (see equation 16). Hence, the "strong" manager's payoffs determine x^, and
345
the auditor chooses e^. and x^^ to make the "weak" manager indifferent between
fraud and no fraud. The expected payoff to the weak manager is decreasing in both
e^. (since x"^ > XQ) and Xy^. Therefore, in satisfying this manager's indifference
condition, there is a trade-off between e^ and jc^,., and the value of J:^^ that satisfies
the weak manager's indifference condition depends on b(e*).
The reasoning for case 2 of Proposition 2 is different. In this case, the manager
will not commit fraud if tbe controls are strong. As a result, the auditor's strategy
only needs to make managers with weak systems indifferent between fraud and no
fraud. The auditor's choice of x^ in equation 26 does not involve any Bayesian
updating; the auditor's choice of XQ, on the other hand, does involve Bayesian
updating since it is no longer determined by equation 16. Therefore, h(e*) appears
in the expression for XQ but not for x^ in case 2 of Proposition 2.
Before providing the results of the comparative static analysis, we characterize the relative magnitudes of jc* , JtJ, e*, and a^^ for the cases in which a* = 0
and a* > 0. In equation 26 x^^ is always greater than x^, in equation 22, and XQ in
equation 27 is always less than ;cj in equation 23. These facts imply that xJ, - XQ
is greater for situations in which a* =0 than for situations in which a* > 0. Since
the right-hand side of equation 31 is decreasing in x^ - XQ, h(e*) must be less for
situations in whicb a* =0 than it is for situations in which Cf! > 0. As a result, e*
S
(OMe)
(l-h))
must be greater for situations in which a* = 0 a) >
situations in which a* > 0
ft)<
Pp than it is for
P^ . Finally, a^ in equation 28 is
(l-h(<))
greater than in equation 24 and, in fact, the ex ante probability that fraud is committed, Pr(Fraud) = Oa^, + (1 - 0) a*, is also greater for situations in which a* = 0
than it is for situations in which a* > 0.
Table I provides the comparative statics for the two-stage model for situations
in which e* >0.'^
Several of these comparative statics differ for situations in which ct* > 0 and
de
^g*
for those in which a* = 0. For example, TT-Z > 0 whenever a* > 0, and i < 0
"^ de
'
de
for situations in whieh a* = 0. The reason for this sign change is that when a*^ > 0,
the sign of -:r is determined by the sign of =;=7 :^=; , whereas when a* = 0,
the sign is determined by the sign of ^=:=;~ a* > 0, the FOC in equation 16 becomes integral to determining the auditor's allocation to Xy^, and XQ. AS a result, the allocation of audit resources to the first stage.
346
TABLE 1
Comparative static results for the two-stage game
Changes in
K
For
changes
e
PD
D
b
+
0
0
-
+
0
0
0
0
X*
X0
in
c
F
<
*^
-
+
0
Ind.
ind.
+
0
0
0
0
+
0
-
^*
+
+
0
ind.
0
0
ind.
0
+
+
0
ind.
+
ind.
ind.
0
0
+
0
+
+
0
ind.
+
+
ind.
ind.
, will be affected in equilibrium. The change in sign for T^ is due to the change
au
in the interaction between e* and XQ in the two equilibria. For a* = 0, XQ is a
function of h(e') and 9 times h(e*). For a* > 0, neither 6 nor h(e*) affects the
equilibrium value of XQ , since it is determined by equation 16 alone. This is the
same reason that both -=r^ and ^; change sign. If a* > 0, x* is a function of
ac
dc
^
^
h(e*), but XQ is not. If tt^ < 0, x^ is not a function of h(e*). but XQ is. The shift
in sign for these comparative statics points to the shift in the structure of the interaction for larger values of (o and smaller values of a.
Comparison of the benchmark model and the two-stage model
In this section, we compare the benchmark model with the two-stage model and
identify differences and similarities in the strategies and outcomes across the two
models. Proposition 3 demonstrates that the auditor will choose e* >0 if and only
if equation 35 is satisfied. For these situations, equilibrium will be characterized by
the auditor's choice of e' in equation 31 and second-stage choices in case 1 or
case 2 of Proposition 2, depending on the magnitude of co. If equation 35 is not satisfied and e* = 0, then h(e*) = 0 and the interaction is identical to that in the
benchmark model. Recall that for these cases, the ex ante probability of undetected
c
c
error was ^ ^ , which implies that the expected cost of an audit failure is 7 . If
bD
b
equation 35 is satisfied and (0>
tected error is
<)
P ^ . the ex ante probability of unde-
))
347
bb
and the expected cost of an audit failure is again - . Finally, if equation 35 is satisfied
b
)
and ft><
/*p, then the ex ante probability of undetected error is again
))
- d(jt;)) a* = ^
(37).
Hence, the ex ante probability of undetected fraud and the expected cost of audit
failure do not depend on whether the auditor performs only substantive testing or
whether he allocates resources to internal control evaluation.
If h'(0) > r, the auditor's cost of auditing is strictly less if
he allocates audit resources to internal control evaluation, since he could always
choose e^ = 0 and play the benchmark game. But ^ - 0 is not optimizing when
' ""'
. We conclude, therefore, that the auditor is obtaining
cost savings in achieving the expected cost of audit failures, 7 , by allocating audit
b
resources to internal control evaluation. This result is stated without proof as Corollary I.
COROLLARY
1. For all audits, the expected probability of undetectedfraudis
and the expected cost of audit failures is r.ff h'(0) > TT- ,
the cost-minimizing audit strategy for the auditor is to allocate effort of
e* >Oas determined by equation 31, and x*^ and jcj are characterized
in Proposition 2. If h'(0) <
, the cost-minimizing
audit strategy is to choose t* = 0 and to choose substantive testing

according to equation 8.
To understand better how the benchmark and the two-stage models relate, we
will compare the equilibrium values of d(A:*), d(jcj[,), and d(.Tj). By observation,
we see that d(jfj|,) > d(.t*) but that the difference is decreasing in ft Using a similar
348
comparison, we observe that dix*) > d(jcj) and. since -^
> 0. this difference is
also decreasing in ft As a result, we conclude that d(x*,) > d{x*) > d(jcj) and that
d(x*) is a weighted average of d(jcp and d(.tj). As 9 increases. d(A:*) and d( JTJ)
converge to d(x*) from above and below, respectively. Also, as 9 increases, e*
decreases. When decreases to the point that equation 35 no longer holds, c* = 0
and the two models are identical.
The last characteristic of the game that we investigate is the ex ante probability that fraud is committed and detected. This analysis will hinge critically
on whether h'(0) > ^r-r^r- and, if this condition is met. whether o) >
c({l u) + crLnl u\)
(l-ft)h(<)
Pp. If e* = 0, then the ex ante probability of fraud is computed as
where a*^ is given by equation 6. If ^ ' > 0 and a* = 0, then a* is given by equation 28, which is the same as equation 6. Hence, equation 38 is still the ex ante
probability of fraud. Finally, if e* and a* are both greater than zero, then cC^ is
given by equation 24 and a* is given by equation 25. For these cases, the ex ante
probability of fraud will be
(39).
Pp)(h(el){(0+ Pp)- 6))

The expression in equation 39 is strictly less than that in equation 38 for all
(l-e)h(e*)
Q}<
Pp. This result implies that if e* and a* are both greater than
(i-h(e;))
zero, one-stage auditing is not only cost-ineffieient but also induces a greater probability of fraud. The probability of undetected fraud, however, is not affected by
the choice.
Next, we consider the ex ante probability of fraud detection. If the system is
f
weak, the probîiity fraud is detected as = under each of the three scenarios.
F+Pp
If the system of controls is strong, the probability of detecting fraud (if committed)
is d(;c;!;) = ^~^
if both e* > 0 and a* > 0.
F + Pp
'^
349
5. Discussion
This paper provides a simple model of the auditor's allocation problem, in which
the auditor can choose to spend scarce audit resources on internal control assessment. Internal control assessments help the auditor determine whether the manager's control system is weak, and a weak system of internal controls leads to a
greater potential for managers to commit fraud. We find that the probability of
undetected fraud is invariant to whether the auditor does or does not spend
resources on internal control assessment, but internal control assessments can provide a cost savings to the auditor.
The auditor will always choose to perform internal control assessments unless
substantive testing procedures are very cost-effective at identifying fraud or the
proportion of weak systems in the population is relatively high. As the cost effectiveness of substantive testing increases and the proportion of weak systems
increases, the relative benefit of performing internal control assessments decreases
to the point where the auditor should choose to perform only substantive testing.
Our theory argues that as audit effectiveness decreases the relative importance
of internal control assessment increases. The influence that a particular audit situation
faced by practitioners may have on audit effectiveness, and hence on the auditor's
allocation of effort to internal control assessment, is an empirical question. An
example of such an audit situation that could be tested is how much effort the auditor
exerts to distinguish errors from fraud. A second example that relates to audit
effectiveness may be the type of testing that must be employed. Some procedures
(such as negative confirmations) may be less informative than other audit procedures (such as positive confirmations). Still another example that may affect audit
effectiveness is the difficulty in obtaining substantive test data (such as inventory
observations), a typical problem in decentralized organizations. The infiuence of
these issues and others on the auditor's allocation problem can be empirically
tested within the scope of our theory.
Our finding that the benefit of internal control assessments decreases as the ex
ante probability that the system is weak increases may appear counterintuitive, but
it follows directly from Bayes's rule. The information content of learning that
internal controls are weak does not substantially update the auditor's expectations
regarding fraud, and thus does not substantially reduce the required level of substantive testing.
A limitation of our study is that we do not allow the manager to select the
information system quality. While we believe that allowing system quality to vary
could alter the results, we expect that many results would be similar since it is the
manager's payoffs that drive many of the auditor's decisions. In addition, future
research may be able to identify how noisy information about system quality,
rather than a fully revealing signal, would affect the auditor's effort level in fraud
detection.
350
Appendix
Proof of Proposition 3
If equation 35 is satisfied, then the e* that solves equation 31 is optimizing unless
the equilibrium solution to the benchmark game provides a lower total expected
cost to the auditor. If the equilibrium solution to the benchmark game provides a
lower cost, then the auditor could choose e* =0 and effectively choose the benchmark game. The manager could infer that the auditor's optimal choice was e* =0
and would choose a^, and a* accordingly. The only way that this situation might
arise is if the manager's best-reply was discontinuous at <* = 0.
. For these cases, the man-
Suppose first that O) > Min F,
ager's strategy in equation 28 is the same as her strategy in equation 6 for all e^. As
D , then e* > 0 if and
a result, we conclude that if Q>> Min F,

onlyifh'(0)>
Suppose next that fl)< Min
D . For these cases, the man-
ager's strategies in equations 24 and 25 do not converge to tbe strategies in equations 6 and 7 at e^. = 0. a^^ in equation 24 is zero, and a* in equation 25 is negative
if e* = 0. For these situations, therefore, we must compare the auditor's equilibrium payoff under the benchmark with the auditor's equilibrium payoff in Proposition 2. If the equilibrium payoff to the auditor is higher under the benchmark
solution, the auditor will choose e* = 0. The equilibrium payoff to the auditor, if
he chooses e* - 0, is
(40).
The equilibrium payoff to the auditor, if ftj < Min
'^P.
and he
chooses the e* that satisfies equation 31, is computed as
(41).
351
Note that the expected cost of an audit failure is the same, - r , in both expressions.
If f (, = 0, the cost of substantive testing is
ex = 7 Ln
b
F+P,
(42).
If e^, > 0, the expected cost of substantive testing is

F+P,
(43).
D
The cost in equation 42 is greater than the cost in equation 43 whenever

F + PD
Ln
CD+P D
Smce we are considering situations in which ox
F+P D
(44).
, we observe that
F+P D
'"(O+P D
(45).
Equation 45 implies that
Ln
'F+P, D
D
F+P.
+ (1 -
(46).
Since the Ln[ ] operator is concave,
Ln
E + P,
(1 -
F+P D
Q)+PD
(47),
which implies that equation 44 holds. We conclude therefore that there exists some
value of e^. such that the auditor's payoff in equation 41 (evaluated at that e,. rather
352
than at e*) is strictly greater than the auditor's payoff in equation 40. But the optimizing choice of e^ (e*) will make equation 41 the highest over all e^. > 0. Hence,
equation 41 must be strictly greater than equation 40 in equilibrium.
Proof of comparative statics

Q , which implies that a* = 0. The compara-
Suppose first that (0>
tive statics for jc*. and a^, are obtained directly from partial differentiation of
equations 26 and 28. The comparative statics for e* and xJ are obtained by
applying the implicit function theorem over the system of equations. We begin hy
building a vector of first-order conditions. We will simplify the process by substituting the first-order condition for;c^ in equation 17 into the FOCs in equations 15,
21, and 30. We define the vector FOC
, where equation 17
=\^,^>
has been substituted into each of these partials. We then construct a Jacobian
matrix of partials of these conditions as follows:
d'A
dFOC[l] dFOC[\] dFOC[\]

J=
dFOC[2] dFOC[2] dFOC[2]

de.c
dx.
""w
(48)
"-Ô
dF0C[3] dF0C[3]
de.
dx.
The implicit function theorem implies that the partials of e*

respect to a parameter, X, are given by
C^, and XQ with
dFOC{2]
Aj
Defining Aj as the adjoint matrix of 7, J"' is computed as r-jr . If we know the sign
of the determinant of J, therefore, we can compute the signs of the partials with
respect to a parameter A by computing
AJ.
dFOC[l]
dF0C[2]
dX
-T-
353
5<
To demonstrate that the sign of |y| > 0, we shall compute 3-7^ using direct paitial
a9
differentiation of equation 26 and by using the implicit function theorem.
-J *
Using the implicit function theorem, we obtain an expression for -^ that
ou
depends on \J\. From direct partial differentiation of equation 26. we know that
^<
-I
aO
bu
vector is as follows:
r dFOC[l] 3FQC[21 dFOC[3rf _ f I c
Smce. after subsUtutmg,
, the sign of
(50).
Aj[2, 2] is computed as
-c
(51).
where V = Exp{fe;co}(-I + Exp{b{x
> 0.
|yi>Oifandoiily if
- XQ)} - b(x^ -XQ))>0
(52).
Equation 52 is positive if and only if equation 51 is positive. We know, however, that

equation 51 must be positive since 3 < 0. Hence, | / | > 0.
de
Bx*
Now we proceed to determine the signs of 3 - and -r^ .'
au
69
(53)
Aj[\,
, 2] = bc9(Exp{bxJ(\
- l)h'(e^)) (54).
354
Substituting equations 26. 27, and 31 into equation 54, we find that equation 54 is
positive if and only if
5 + (I - 5 - 0( I - S))hie^) + se h(e^)2 > 0
(55),
where 5= bix^^. - XQ). Clearly 5> 0. We observe that equation 55 is increasing in 5

and is positive at 5 = 0. Hence, equation 55 must be positive, which implies that
dxl
The simplest approach (in this case) to establishing that -j^
dxl
dxl
djc;3e; 3.^5
chain rule, - 7 - = -r- + - ^ . rrr- =
dd
ae a*d0
de
> 0 is to use the
h(<)
> 0. In addition,
bi\ehi*))
de*
dxl
Since 3 ^ < 0, it is straightforward that - j ^ >
O
off
The remainder of the comparative statics in Table 1 are obtained in the same manner.
For situations in which a* = 0, we define the vector, FOC = ^r, -^T^, - 5 - ^
where equations 17 and 19 have been substituted into the FOCs in equations 15,
16, and 30. The remainder of the analysis follows the same logic as before.
Endnotes
1. Without loss of generality, we assume that all managers are identically motivated to
commit fraud. If some managers were inherently honest and would not commit fraud
regardless of the opportunity, it would not qualitatively change any of our results.
2. In section 3, we add a strategy in which the auditor can exert effort e' to possibly leam
whether the system of internal controls is strong or weak.
3. This property is consistent with discovery sampling under the Poisson distribution. In
addition, it approximates discovery sampling under the hypergeometric distribution.
The important feature of our detection function is that it is everywhere increasingconcave. This detection function is also employed in Finley 1994 and Newman, Park,
and Smith 1998.
4. In situations in which there are many errors in the client's ledgers, b would be low
becau.se the auditor would have to identify whether problems brought lo light by
testing relate to errors or irregularities. Other factors that influence the magnitude of b
migbt be the type of sampling that must be employed. For example, negative
confirmations are typically less infonnative than positive confirmations.
355
5. If this condition is violated, then the cost of substantive testing is too high to be a
credible deterrent to fraud.
6. We simplify our discussion by referring to the manager's choice as a choice of fraud or
no fraud, which is how we model the problem. The manager's choices in some of the
other papers are not labeled precisely the same as in ours, but the same general tradeoffs are present. Newman and Noel, for example, allow the manager to choose material
error or no material error rather than fraud or no fraud.
7. The net expected benefit to the dishonest manager who commits fraud is the gross
benefit, F, multiplied by the probability that the fraud goes undetected less the grass
penalty, P^, multiplied by the probability that the fraud is detected.
8. Again, Newman and Noel and Shibano do not consider sampling or effort costs
directly. Rather, they consider the trade-offs between rejecting and accepting a sample.
Still, the same qualitative issues arise.
9. The models of detection in this papter for both assessing internal control and detecting
fraud assume that the auditor cannot find evidence of a "weak" system when it is
strong or evidence of "fraud" when no fraud exists.
10. We assume that dix) is identical to the detection probability in the benchmark game
and has all of the same characteristics.
11. A specific condition for e* > 0 is pravided in Proposition 3.
12. Since the decision is sequential, we can consider this second-order condition in
isoladon.
13. The FOC in equation 16 is no longer relevant since a^ = 0.
14. If e^ = 0, then the first-order condition need not be met.
15. The equilibrium values of J:*, in equation 22 and XQ in equadon 23 are never relevant
for small values of e* and hence are not a concem. A proof is available from the
authors.
16. Several of the comparative statics are indeterminate in sign. The reason for these
indeterminacies is that we have made no specific assumptions regarding the relative
magnitudes of h(e(.), h'{e^), and h''{e^). In cases in which components of a derivative
that have different signs are weighted by these factors, we frequently cannot determine
the overall sign.
17. ^ is the auditor's payoff in equation 14, A/H/ is the manager's payoff in equaUon 9, and
Ms is the manager's payoff in equation 10.
de:
dx'o
18. We demonstrate our approach with -r^ and ^77 for the situation in which a ! = 0.
off
off
[)etails of the remaining comparative statics are available from the authors on request.
de*
19. The approach that we used to esublish that -r^ < 0 could again be used, but this
au
^proach is much simpler.
References
American Institute of Certified Public Accountants (AICPA). 1988. Statement on auditing
standards No. 53: The auditor's responsibility to detect and report errors and
irregularities. New YOTk; AICPA.
356
. 1988. Statement on auditing standards No. 55: Consideration of the internal

control structure in a financial statement audit. New York: AICFA.
. 1995. Statement on auditing standards No. 78: Consideration of the internal
control in a financial statement audit: An amendment to statement on auditing
standards Number 55. New York: AlCPA.
. 1997. Statement on auditing standards No. 82: Consideration of fraud in a
financial statement audit. New York: AICPA,
Caplan, D. 1999. Internal controls and the detection of management fraud. Journal of
Accounting Research 37 (1): 101-18.
Chiang, A. 1984. Fundamental methods of mathematical economics, 3d ed.. New York:
McGraw-Hill.
Fellingham, J., and P, Newman. 1985. Strategic considerations in auditing. Accounting
Review 60 (4): 634-50.
Finley, D. 1994. Game theoretic analysis of discovery sampling for internal fraud control
auditing. Contemporary Accounting Research 11 (1):91-114,
Finn, M., and M. Penno. 1996. Real-time inspection games with varying levels of
conmiitmeni. Working paper, Northwestem University.
Matsumura, E., and R. Tucker. 1992. Fraud detection: A theoretical foundation. AccoHoring
Review 67 (4): 753^82.
Newman. P.. and J. Noel. 1989. Error rates, detection rates, and payoff functions in auditing.
Auditing: A Journal of Practice and Theory 8 (Supplement): 50-66.
Newman, P., J. Park, and R. Smith. 1998. Allocating internal audit resources to minimize
detection risk due to theft. Auditing: A Journal of Practice and Theory 17(1): 69-82.
Patterson, E. 1993, Strategic sample size choice in auditing. Journal of Accounting
Research 3\ (2): 272-93.
Rhoades, S. 1997. Costly false detection errors and taxpayer rights legislation: Implications
for tax compliance, audit policy and revenue collections. Journal of the American
Taxation Association 19 (Supplement): 27-47.
Sansing. R. 1993. Information acquisition in a tax compliance game. Accounting Review
68 (4): 874-84.
Shibano, T. 1990. Assessing audit risk from errors and irregularities. Journal of Accounting
Research 28 (Supplement): 110-47.

Internal Control Assessment and Substantive Testing

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Internal Control Assessment and Substantive Testing

Hochgeladen von

Copyright:

Verfügbare Formate

The Interaction between Internal Control Assessment

and Substantive Testing in Audits for Fraud*

Strategic auditing; Internal control assessment; Audits for fraud; Substantive

Contemporary Accounting Research