
Discussion of “Internal Control Weaknesses and Client Risk Management”


Randal Elder, Yan Zhang, Jian Zhou, and Nan Zhou (2009) study auditors’ strategies to manage client risk resulting from internal control weaknesses in the first year of the Sarbanes-Oxley Act (SOX) 404 implementation. They first examine the relation between internal control weaknesses and audit fees, modified opinions, and auditor resignations, respectively, and establish that these are viable strategies to manage control risk on a stand-alone basis. They also document that a pecking order exists among auditors’ client control risk management strategies: as control risk increases, auditors are likely to respond in the order of audit fee adjustments, modified opinions, and auditor resignations. The authors’ idea to look at a portfolio of decisions is an important step in the research in this area, and this approach can be generalized to similar studies. However, certain aspects of the hypothesis development and research design limit the authors’ ability to adequately address their primary research objective.

1. Introduction

Randal Elder, Yan Zhang, Jian Zhou, and Nan Zhou (henceforth, EZZZ) address a question that is timely and important to accounting researchers, practitioners, and regulators, particularly in the post-Sarbanes-Oxley Act (SOX) era: how do auditors manage their client risk? EZZZ study how auditors manage control risk resulting from internal control weaknesses. The authors first examine the relation between internal control weaknesses and audit fees, modified opinions, and auditor resignations, respectively. EZZZ document that firms with internal control weaknesses are charged higher audit fees, and that the fees are higher for the more severe company-level weaknesses than for the less severe account-specific weaknesses. EZZZ also find that firms with internal control weaknesses are more likely to be flagged with modified opinions and more likely to have auditor resignations. These results are consistent with the evidence in the literature on the relation between client-related risks and audit fees, modified opinions, and auditor resignations.

The more interesting analysis in the paper is the authors’ examination of the above methods from the point of view of a portfolio of client management strategies. EZZZ infer from their findings that as client control risk increases, auditors are likely to respond in the order of audit fee adjustments, modified opinions, and auditor resignations. EZZZ conclude that auditors use an array of ordered strategies to manage client control risk. This pecking-order analysis relates to the general literature on audit firm portfolio management. EZZZ provide an important step in understanding how audit firms manage their client portfolios in terms of adapting to client control risk.

However, I have some reservations about their hypotheses regarding the ordering of these strategies, and about the validity of the inferences from the results. In the remainder of this document, I discuss these issues with a focus on the pecking-order analysis, given that this forms the primary contribution of this paper. I conclude by providing some directions for future research on this topic.

*University of Chicago Booth School of Business

2. The Client Risk Assessment Process

2.1 Pecking-Order Hypothesis

The authors hypothesize that as the level of control risk increases, auditors respond in the order of (1) audit fee adjustments, (2) modified opinions, and (3) auditor resignations. What remains to be established is whether this ordering adequately reflects the stages in the client risk assessment process followed in practice. Based on prior research as well as conversations with a few auditors, a simplistic process of a typical audit firm’s client acceptance or retention policy is outlined below (Bedard and Johnstone [2004]).

An audit firm’s emerging client portfolio will be based on an evaluation of potential clients, continuing clients, and discontinued clients. At the beginning of a period or client portfolio management process, the audit firm assesses (or reassesses) the audit risk and client business risk of a potential (or continuing) client to determine whether to engage or continue a client (Stage 1). The auditor evaluates both the client-related risks and the resources available to the audit firm to conduct a thorough investigation of the client. If the client does not meet the acceptable standards in terms of the related risks, or if the audit firm’s resources are insufficient to audit this client, the auditor does not submit a bid with a fee proposal to the new client (or resigns from the existing client). If the client meets the standard, then the auditor submits a fee proposal to the client (Stage 2). If the client does not accept the proposal, then as before the auditor is not hired by the new client or resigns from an existing client. If the client accepts the proposal, then in the next stage the auditor is hired (Stage 3). During this period, the auditor performs the audit and reports the results and opinion to the client. If the opinion is favorable, then it is published in the client’s reports. If the opinion is unfavorable, the client may still publish the opinion and retain the auditor, or the client may disagree with the opinion, which could result in either the auditor resigning from the client firm or the client firm firing the auditor. Figure 1 graphically depicts the various stages in the portfolio management process.

Applying the above stages to the context of the paper, the auditor can resign in Stage 1 of the client assessment process if the client control risk is greater than the level acceptable to the audit firm. The audit firm may also resign (or not engage a new client) in Stage 2 when the client does not accept an engagement fee that is consistent with the associated risks. The auditor also may resign in the final stage when the client and auditor disagree on the opinion. In other words, the auditor resignation can occur even before a modified opinion or fee adjustment.

With respect to fee adjustments and modified opinions, the fee adjustment takes place at the stage at which the audit firm has evaluated the risks and decided on an appropriate engagement fee. The opinion is arrived at at the end of the period, after the auditor has performed the audit. In other words, once the audit firm engages a client, the audit fee and the subsequent opinion are consistent with the level of control risk. Firms with higher levels of control risk are likely to have higher audit fees as well as modified opinions, or, if the firm remediates the internal control problem, the opinion may be unqualified as well. The argument for why the ordering between these decisions is necessarily increasing in the control risk is not well communicated in the paper. Overall, these points imply that there likely is more to the client management process than the pecking-order theory suggested by the authors.

FIGURE 1 Auditor Client Portfolio Management Decision


2.2 Variation in Risk Assessment Criteria

EZZZ posit that internal control disclosures serve as a means of reassessing client control risk. A crucial factor the authors ignore in this context is how this assessment of risk differs across audit firms of different sizes. It is important to consider audit firm size while examining the client risk assessment, as firms of different sizes are likely to have different cost structures and different risk tolerance criteria. Prior research documents that large audit firms have a common view of risk in the client engagement decision (Raghunandan and Rama [1999]). Small audit firms also have been documented to be more likely to resign for cost reasons; for instance, increased oversight and liability insurance costs are primary reasons for resignations. Given that audit firms of different sizes have different resources, it is plausible that the risk tolerance criteria of these firms will differ and be reflected in the client management strategies.¹

Next, EZZZ contend that in decisions related to client risk management, auditors should focus on inherent risk and control risk, because these two components equal the likelihood of error in clients’ accounts before the auditors’ testing.² However, the audit firm is likely to consider not only the level of risk it is willing to take on in its portfolio, but also the resources it has available to conduct a thorough investigation of a client of a certain risk level. In other words, detection risk is likely to factor into the audit firm’s client management strategy as well. Given that detection risk is likely to be highly correlated with auditor quality or size, this provides another reason to consider audit firm size while developing client risk management hypotheses.

Finally, the risk assessment criteria for new and existing clients also may be different, and audit firms are likely to process these two subgroups differently. For instance, prior studies document that audit firms do not simply reject all high-risk clients; decisions are made based on the emerging portfolio of new and existing clients (see Simunic and Stein [1990]; Francis and Reynolds [2002], among others). In cases with existing clients, prior studies have argued that audit firms prefer to resign rather than attempt to risk-adjust pricing with a client with increased risks. It is suggested to be more rational behavior for the incumbent auditor to resign from the client and provide an opportunity for a different audit firm, with different characteristics and less knowledge of the client, to perform the engagement (Krishnan and Krishnan [1997]; Bockus and Gigler [1998]). Therefore, the strategies adopted for managing client control risk are likely to differ across new and existing clients.

  • 1. There is evidence of a trend toward risk avoidance by audit firms over time, which is likely to be heightened in the period after the scandals and SOX (Jones and Raghunandan [1998]). On the other hand, some research documents large firms’ willingness to accept consistent or increasing amounts of risk over time (Francis and Reynolds [2002]).

  • 2. Inherent risk is the risk that a material misstatement may occur in the client’s financial statements in the absence of internal control procedures. Control risk is the risk that a material misstatement in the client’s financial statements will not be detected and corrected by the client’s internal control procedures.



3. Some Empirical Issues

3.1 Measurement of Client Risk

Given the authors’ objective, one of the key requirements that need to be met in the empirical design is to capture the severity of client control risk. The authors measure the presence of at least one internal control problem using a dummy variable (ICW). To measure the severity of the internal control problem, they further classify these weaknesses as company-level weaknesses (when the weaknesses are related to “ineffective control environment” or “management override” or to at least three account-specific problems, ICWCOMP) or account-specific weaknesses (weaknesses related to fewer than three account-specific weaknesses, ICWACCT). Although I understand the logic behind this argument, it would be informative to know what accounts are considered under these account-specific weaknesses. Some accounts are extremely complex and can be considered to have more pervasive weaknesses (e.g., hedge accounting). In that case, the authors may be classifying a potentially severe control weakness in the less severe category. Also, it is not clear from the document how many of these are “material weaknesses” and “significant deficiencies” as classified by SOX. This classification is likely to be a better indication of severity.

The authors measure inherent risk of a client firm using discretionary accruals. Accruals can reflect business practices in a given economy. Variables like business complexity, firm size, growth, and governance structure (particularly audit committee characteristics) are likely to better reflect the probability of material misstatements. For client business risks, the authors use the measures leverage, return on assets, whether the firm makes a loss in the current year, and the Altman Z-Score, which is a measure of financial distress. It would be interesting to see how these characteristics are correlated with internal control weaknesses. This would indicate whether the ICW, ICWCOMP, and ICWACCT dummies are measuring “control risk” or certain other firm characteristics of the clients that the audit firms are not equipped or willing to include in their portfolio.

3.2 Selection Bias

Another important concern in this analysis is that of potential selection bias. Prior research has shown that several characteristics related to a firm’s inherent risk are associated with internal control weaknesses, and these characteristics are associated with such audit decisions as fees and modified opinions (for instance, Bell, Landsman, and Shackelford [2001]; Ge and McVay [2005]; Doyle, Ge, and McVay [2007]). The current research design does not eliminate the likelihood of self-selection, which makes it difficult to interpret the coefficients. This becomes more of a concern given the likelihood of a shift in risk tolerance standards, and the possible aversion of audit firms toward certain types of clients.


3.3 Governance Controls

An important result in the literature is the effect of corporate governance mechanisms on auditors’ decisions. Auditors are more likely to resign from engagements for which they perceive that the probability of hidden audit risk is high (Krishnan and Krishnan [1997]; Bockus and Gigler [1998]). Building on this literature, Lee, Mande, and Ortman (2004) provide direct evidence on the association between auditor resignation and audit committee and board characteristics. Audit committees and boards perform a variety of tasks, including appointing the external auditors, overseeing management reporting practices, and improving firms’ internal control systems. As a result, when firms have these effective corporate governance mechanisms in place, auditors perceive that the probability of hidden audit risk is lower and, thus, they are less likely to resign. The authors do not consider client firms’ corporate governance environments, but incorporating these in the research design would increase the credibility of the results, particularly given that governance mechanisms are likely to be significantly related to audit firms’ client management decisions.

4. Conclusion

Notwithstanding the issues discussed above, the EZZZ paper studies an interesting and timely research question. The idea to examine a portfolio of decisions that audit firms make with respect to client acceptance or retention is commendable. In particular, the evidence documented by EZZZ raises a number of ideas for further analysis. One extension of this analysis is to examine how the client risk management strategies of auditors have changed in the current regulatory environment, whether the change reflects risk avoidance, and whether such avoidance methods violate public interest. Another avenue is the examination of the role of competition among the big audit firms in affecting client acceptance decisions in the current regulatory environment. A useful exercise is to model the joint decision framework between auditors’ client acceptances and clients’ decisions on selecting auditors. Finally, one can investigate the implications of post-SOX audit realignments and audit firm portfolio characteristics for audit quality and, consequently, for standard-setting.


References

Bedard, J. C., and K. M. Johnstone. 2004. “Audit Firm Portfolio Management Decisions.” Journal of Accounting Research 42 (4): 659–690.

Bell, T. B., W. R. Landsman, and D. A. Shackelford. 2001. “Auditors’ Perceived Business Risk and Audit Fees: Analysis and Evidence.” Journal of Accounting Research 39 (1): 35–43.

Bockus, K., and F. Gigler. 1998. “A Theory of Auditor Resignation.” Journal of Accounting Research 36: 191–208.

Doyle, J., W. Ge, and S. McVay. 2007. “Determinants of Weakness in Internal Control over Financial Reporting.” Journal of Accounting and Economics 44 (1–2): 193–223.

Elder, R., Y. Zhang, J. Zhou, and N. Zhou. 2009. “Internal Control Weaknesses and Client Risk Management.” Journal of Accounting, Auditing, and Finance, forthcoming.

Francis, J. R., and J. K. Reynolds. 2002. “Do Large Accounting Firms Screen Out Risky Audit Clients.” Working paper, University of Missouri.

Ge, W., and S. McVay. 2005. “The Disclosure of Material Weaknesses in Internal Control after the Sarbanes-Oxley Act.” Accounting Horizons 19 (3): 137–158.

Jones, F. L., and K. Raghunandan. 1998. “Client Risk and Recent Changes in the Market for Audit Services.” Journal of Accounting and Public Policy 17: 169–81.

Krishnan, J., and J. Krishnan. 1997. “Litigation Risks and Auditor Resignations.” The Accounting Review 72: 539–560.

Lee, H. Y., V. Mande, and R. Ortman. 2004. “The Effect of Audit Committee and Board of Director Independence on Auditor Resignation.” Auditing: A Journal of Practice & Theory 23 (2):

Raghunandan, K., and D. Rama. 1999. “Auditor Resignations and the Market for Audit Services.” Auditing: A Journal of Practice and Theory 18: 124–134.

Simunic, D. A., and M. T. Stein. 1990. “Audit Risk in a Client Portfolio Context.” Contemporary Accounting Research 6: 329–40.

Copyright of Journal of Accounting, Auditing & Finance is the property of Greenwood Publishing and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.