The Interaction between Internal Control Assessment and Substantive Testing in Audits for Fraud*

THE INTERACTION BETWEEN INTERNAL CONTROLASSESSMENT AND SUBSTANTIVE TESTING IN AUDITS

FOR FRAUD

Reed Smith

Sam Tiras

Stan Vichitlekarn

University of Oregon

Draft: October, 1997

Helpful comments were provided by Neil Fargher, Ray King, Steve Matsunaga, DaleMorse, Terry O’Keefe, Evelyn Patterson, and workshop participants at the University ofOregon.

THE INTERACTION BETWEEN INTERNAL CONTROLASSESSMENT AND SUBSTANTIVE TESTING IN AUDITS

FOR FRAUD

Abstract

We examine, from the auditor’s perspective, the interaction between internal control

evaluations and substantive testing in a model of fraud detection. The purpose of our study

is to examine a two-stage model of the auditor/manager interaction in which the auditor

assesses the “likelihood” or possibility of fraud in the first stage and conducts substantive

tests in a second stage. We compare this two-stage model to a model in which the auditor

is restricted to substantive testing only, in order to assess the incremental costs and benefits

of performing internal control evaluations. We find that the two models yield the same

equilibrium probability of fraud detection, but that the two-stage model achieves this level

of detection at a lower cost to the auditor.

- 1 -

THE INTERACTION BETWEEN INTERNAL CONTROLASSESSMENT AND SUBSTANTIVE TESTING IN AUDITS FOR FRAUD

1 Introduction

The Auditing Standards Board of the AICPA has recently issued Statement on

Auditing Standards (SAS) 82, which was intended to clarify the external auditor’s

responsibility for the detection of fraud in financial statements and to provide guidance to

CPAs in this endeavor. At the same time, Senator Ron Wyden introduced the Private

Securities Litigation Reform Act of 1995, which requires that external auditors attempt to

detect illegal acts that would affect the financial statements. These two developments

indicate a growing trend towards increasing the auditor’s responsibility for detecting fraud.

This heightened responsibility for fraud detection amplifies the importance of the

auditor’s evaluation of the system of internal control in the early stages of an audit. The

quality of the internal control system not only indicates exposures to particular frauds, but

also provides insight into management’s overall attitude towards protection against

fraudulent activity.

We examine, from the auditor’s perspective, the interaction between internal control

evaluations and substantive testing in a model of fraud detection.1 In particular, we analyze

a game-theoretic interaction between an external auditor and management of the client firm

in a model in which the strength of controls is related to the propensity of the manager to

commit fraud. In addition, the (dishonest) manager chooses whether or not to commit

fraud. The auditor chooses the amount of audit work to perform in the assessment of

internal control and, depending upon the results of this assessment, the amount of

substantive testing to perform in an attempt to discover fraud.

1 This paper defines fraud in a manner consistent with Statement on Auditing Standards (SAS) number 82.Fraud is an intentional employee action which benefits the employee but is detrimental to the firm. Fraud,in our context, could be defalcation covered up by misreporting or simply misreporting for its own sake.We do not, however, consider report conditional auditing as in Newman, Rhoades, and Smith [1996].

- 2 -

The purpose of our study is to introduce a two-stage model of the auditor/manager

interaction in which the auditor exerts costly effort in an attempt to assess the “likelihood”

or possibility of fraud in the first stage and conducts substantive tests in a second stage.

We compare this two-stage model to a benchmark model in which the auditor is restricted

to substantive testing only, in order to assess how the equilibrium strategies and outcomes

are affected by the availability of costly internal control evaluation. In addition, we provide

some descriptive predictions about how various characteristics in the audit environment

affect the allocation of audit work across the two stages and how these characteristics affect

the manager’s fraud decision.

We find that the likelihood that fraud is perpetrated and the ex ante likelihood that it

is detected in equilibrium is not affected by whether or not internal control evaluations are

performed. However, we find that when these evaluations are performed, the equilibrium

cost of auditing is lower. This cost savings diminishes, however, as the ex ante

probability of a fraud-prone manager increases. In particular, as this probability increases,

(equilibrium) system assessment effort in the first-stage of the audit decreases because

substantive testing converges to the level of substantive testing in the benchmark game. In

other words, substantive testing will not be as responsive to the results of internal control

evaluations.

In addition , we find that as the effectiveness of substantive testing procedures

increases, the relative benefits of system assessment decrease and substantive testing again

converges to the level of substantive testing in the benchmark game. Audit firms that have

invested in an audit technology that increases the effectiveness of substantive testing are

expected to rely more heavily on substantive testing than on internal control reviews. The

potential cost savings to these firms from shifting audit resources to system evaluations are

minimal or non-existent. This result casts doubt on whether SAS 82 achieves the purpose

of increasing audit effectiveness by forcing these types of firms to allocate more audit

resources to system evaluation. We find that the probability of undetected fraud is not

- 3 -

affected by whether the auditor allocates resources to system evaluation. Only the audit

costs are affected.

Much of the previous literature in strategic auditing has focused on situations in

which the auditor makes a single decision. Newman and Noel [1989] and Shibano [1990]

both focus on the auditor’s accept/reject decision given a fixed sample of audit data.

Patterson [1993] extends these studies by considering the auditor’s accept/reject decision

after a sample size decision. Our model differs from these studies in two fundamental

ways. First, we model the audit as a discovery problem, where these papers model an

acceptance audit. Second, examine a two-stage audit interaction in which the auditor makes

effort decisions at the different stages.

This paper can be viewed as a first attempt at modeling the two-stage audit detection

problem addressed by SAS 82 in which the first stage involves system evaluation and the

second stage involves fraud detection. Few papers in strategic auditing have examined

allocations of audit work across time. Three papers which have addressed these issues are:

Caplan [1997], Park [1994], and Finn and Penno [1996]. Caplan [1997] examines a

multi-stage audit setting in which the manager has a two-stage decision, but the audit work

is essentially a one-stage problem. Park [1994] examines an audit allocation problem in

which the manager decides how much to steal in each of two periods and the auditor

decides how much auditing to perform in each of the two periods. Finn and Penno [1996]

examine the issue of commitment in a stop-and-go audit environment. Their paper focuses

on when to stop auditing, if no fraud has been discovered.

Our paper complements the Caplan [1997] paper in that we examine a two-stage

audit in which the first stage is system related. In other words, unlike Finn and Penno

[1996] and Park [1994], detection of fraud cannot occur in the first stage. Caplan’s [1997]

focus is on the manager’s first-stage decision (system choice), while we simplify that

choice and focus on the auditor’s first-stage decision (system evaluation).

- 4 -

The remainder of this paper is organized as follows: In section 2 we present and

discuss the simple benchmark model; in section 3, we present the details of our two-stage

model, in section 4 we describe our analysis, and in section 5 we discuss our results and

identify limitations of our study.

2 Benchmark model

As a benchmark, we begin with a restricted interaction between a manager, who

may wish to perpetrate a fraud, and an auditor who wishes to detect fraud. Managers are

of two types, dishonest managers, which arise with probability θ ; and honest managers,

which arise with probability 1 −θ( ) . Honest and dishonest managers are defined according

to their reward from successfully (i.e. without detection) perpetrating a fraud. Honest

managers obtain no benefit for fraud; whereas dishonest managers obtain a benefit of F.

In the benchmark model, the auditor cannot assess whether the manager is honest

or dishonest, and will choose a level of substantive testing (audit effort), denoted e > 0

based upon his knowledge of θ .2 If the manager chooses to commit fraud, the auditor will

detect the fraud with probability, d[e]. We assume that d[e] has the property:

d' e[ ] = τ 1 − d e[ ]( ) where τ > 0 is an audit effectiveness parameter. The effectiveness of

the audit increases with increases with τ.3, 4 The manager of type t ∈ g,b{ } will commit

fraud (as a mixed strategy) with probability αt ∈ 0,1[ ] .

2 In the next section, we will add a strategy in which the auditor can exert effort e

c to possibly learn

whether the manager is honest or dishonest.3 This property is consistent with sampling under both the Poisson (see Newman, Park, and Smith [1997])and the Binomial distributions. In addition, sampling under the Hypergeometric distribution also satisfiesthe condition approximately (in the case of the Hypergeometric, τ is also a function of e). Note that thiscondition has implications for higher order derivatives as well. For example:

d" e[ ] = τ 1− d e[ ]( ) −d' e[ ]( ) = −τ 21 − d e[ ]( ) .

4 τ can be thought of as an inverse to the unit cost of auditing. For example, if detection were given by:d x[ ] = 1− Exp −x{ }( ) , and each unit of effort costs τ , we could define e = 1 τ( )x and rewrite the

detection probability in terms of e: d e[ ] = 1 − Exp −τ e{ }( ) where each unit costs 1 and the total cost is e.

Note that for this detection probability: d' e[ ] = τ Exp −τ e{ } = τ 1 − d e[ ]( ) .

- 5 -

The benefit to the dishonest manager of committing fraud and getting away with it

(not being detected) is F. The honest manager has a benefit of 0 for this outcome. The

penalty to both type of managers for detected fraud is PD . As a result, honest managers (as

a weakly dominant strategy) will never choose to commit fraud.

The auditor incurs audit costs of e to determine whether fraud has been committed.5

If the auditor fails to detect existing fraud, he suffers a penalty, D, which would include

legal damages, reputation loss, and governmental sanctions. This cost is avoided if the

auditor detects fraud. These payoffs are shown in the game tree below:

***************************Insert Figure 1 about here

***************************

The solution to this game is straight forward. The manager’s choice of αb* must

make the auditor’s equilibrium choice of e* optimizing and the auditor’s choice of e* must

make the manager’s choice of αb* optimizing. The auditor’s expected payoff is computed

as:

−θ αbD 1 − d e[ ]( )− e . (1)

The first-order condition for this payoff is:

−1 + θ αb Dτ 1 − d e[ ]( ) = 0 , (2)

and the second-order condition is:

−θα b Dτ2 1− d e[ ]( ) < 0. (3)

The dishonest manager’s payoff is:

αb F 1 − d e[ ]( ) − PD d e[ ]( ). (4)

Since the manager has mixed-strategy over a binary choice, the following condition must

hold in any completely mixed-strategy:

5 Without loss of generality, the unit cost of auditing is normalized to 1.

- 6 -

F 1 − d e[ ]( ) = PD d e[ ]. (5)

We characterize the equilibrium strategies to the benchmark game in proposition 1.

Proposition 1. The dishonest manager, in equilibrium, will commit fraud with

probability, 6

αb* =

F + PD

DτθPD

. (6)

The auditor, in equilibrium, will choose e such that:

d e*[ ] =F

F + PD . (7)

The proof follows directly from (2) and (5).

Comparative static analysis shows many similarities between this equilibrium and

the equilibria in Newman and Noel [1989] and Shibano [1990]. Before we describe our

comparative statics, however, we will compute the ex ante probability of undetected

fraud (UF): pr UF[ ] =θα b* 1− d e*[ ]( ) =

PD F + PD( )θDτθPD F + PD( ) =

1

Dτ.

Using direct partial differentiation of (6) and (7), we obtain the following

comparative statics in Table 1.

6 In addition, it is necessary that F + P

D≤ P

DτθD so that αb

* <1 . If this inequality does not hold, then

Proposition 1 does not describe equilibrium. This possibility is considered in section 4.5.

- 7 -

∂∂D

∂∂F

∂∂PD

∂∂τ

(7)∂

∂θ

Probability a dishonest managerwill commit fraud, αb

* - + - - -

Newman and Noel and Shibano - + - NA NA

Patterson - + - - NA

Probability a fraud will be detected,d e*[ ]

0 + - 0 0

Newman and Noel and Shibano 0 + - NA NA

Patterson + + - + NA

Probability of undetected fraud,pr UF[ ]

- 0 0 - 0

Newman and Noel and Shibano - +/- +/- NA NA

Patterson - +/- +/- +/- NA

Table 18

Comparative statics in the benchmark game(with comparisons to literature)

The comparative statics from our study (for the auditor’s strategy, d e*[ ] and the

manager’s fraud strategy, αb* ) are similar to the results of Newman and Noel [1989] and

Shibano [1990] (to the extent that the problems can be compared), even though we look at

a different type of audit decision. On the other hand, Patterson [1993] finds that detection

7 To compare τ between our study and Patterson, we interpret τ as an inverse of unit cost of auditing.

- 8 -

risk is increasing in (what we refer to as) D. The difference between our study and the

Patterson study results from our focus on fraud discovery and her focus on acceptance

auditing. We do not consider type I errors and, as a result, increased effort always serves

to improve the auditor’s expected reporting decision. Patterson does consider the costs of

type I errors and the auditor, in her model, balances the costs of type I and type II reporting

errors in choosing the optimal effort and cutoff values.

An interesting result of our model relates to the equilibrium probability of

undetected fraud. In our model, this probability is 1

Dτ which depends only on D and τ .

The equilibrium probability of detecting a fraud if it occurs (the auditor’s strategy) in (7)

and the equilibrium probability that a fraud occurs (θ times the manager’s strategy) in (6)

partially cancel so that the resulting probability that fraud is undetected is a constant. The

nature of the payoffs in the each of the other three studies does not allow them to specify a

closed form for the probability of undetected error. But their comparative statics are

consistent with ours in that the probability of undetected fraud is decreasing in the auditor’s

expected costs for undetected fraud and may be increasing or decreasing in the manager’s

gross payoff for undetected fraud (which we refer to as F). We find that this comparative

static is 0, which is (of course) neither increasing or decreasing.

We now extend our benchmark model by allowing the auditor to allocate effort in a

first stage to (possibly) discover the manager’s propensity to commit fraud.

3 Two-stage model

We extend the benchmark interaction in section 2 to a two-stage interaction by

adding a strategy for the auditor. The auditor can assess the likelihood that the manager is

dishonest by exerting effort in a first stage. As a result of this effort, the auditor either

learns that the manager is dishonest (and prone to fraud) or learns nothing (a null signal).

8 The letters NA in a cell imply that a comparison cannot be made between the papers because the otherauthors did not examine this comparative static.

- 9 -

We describe the sequence of events in the two-stage model in section 3.1. The payoffs to

the auditor and manager are derived in section 3.2, and the equilibrium concept is defined

in section 3.3.

3.1 Sequence of events

In the first stage of our model, the manager’s type is determined (honest (g) or

dishonest (b)). The dishonest manager is assumed to always have a weak system in order

to allow fraud to be perpetrated;9 the honest manager always chooses a strong system.10

The auditor attempts to determine whether the system of internal control is strong or weak

by exerting effort, e c > 0. We assume that the probability that the auditor will mistakenly

identify a strong system of internal control as weak is zero and the probability that the

auditor will identify a weak system of internal control as being weak is h e c[ ]. h e c[ ] is

assumed increasing-concave over the range [0,1), and h[0]=0.

Based upon his observations in the first stage of the model, the auditor will choose

a level of substantive testing (audit effort) in the second stage. The auditor’s choice, if he

does not find weaknesses in the control system, will be denoted e0> 0; his choice, if he

does observe weaknesses in the control system, will be denoted ew > 0. As in the

9 This assumption regarding the incentives of dishonest managers to choose weak systems of controlappears consistent with some notable audit failures. In particular, the control systems at PharMor and ZZZBest were notoriously poor and allowed management free hand in committing fraud. We admit, however,that there are several alternative choices for modeling at this point. For example, we could allow manager achoice of system quality. In this case, dishonest managers would be attempting to fool auditors intobelieving that they are honest by choosing “high quality” systems. Such a choice would necessarily makefraud more difficult or more costly. Since we are focusing on the structure of the auditor’s problem, wesimplify the problem by assuming that the auditor learns the manager’s “propensity” for fraud if a weaksystem is discovered. Caplan [1997] provides an interesting alternative to this model in which the audit isstrategically fixed (stochastic) and the manager’s system choice is a focus of the model.10 There are many reasons that honest managers would prefer strong systems. In particular, honestmanagers might believe that long-run cost savings can be obtained by choosing strong systems. Anotherreason that honest managers (at any given level of the organization) would be inclined to choose strongsystems is that it would also reduce the risk of fraud or delfalcation committed by their subordinates, butwhich they might be held accountable for.

- 10 -

benchmark model, if the manager chooses to commit fraud, the auditor will detect the fraud

with probability, d e[ ], where e is either e0 or ew .11

The dishonest manager knows that the auditor will identify him as dishonest with

probability h e c[ ].12 We will denote the (mixed-strategy) probability that the manager

commits fraud as αt ∈ 0,1[ ] , where t ∈ g,b{ } is the manager’s type. The sequence of

events is depicted in the timeline below:


***************************

3.2 Payoffs

The payoffs to the honest and dishonest managers are identical to those in the

benchmark game. Dishonest managers obtain a benefit of F for undetected fraud; honest

managers obtain a benefit of 0 for undetected fraud; and both manager types incur a cost

(penalty) of PD if they are detected committing fraud.

The auditor incurs audit costs of e c in attempting to determine if the internal control

system is weak. If the system is found to be weak, the auditor then incurs audit costs of

ew to determine whether fraud has been committed. If the system is not found to be weak,

the auditor incurs audit costs of e0 to determine whether fraud has been committed. The

existence of a strong or weak system does not affect the probability, d[e], of detecting

fraud. Again, if the auditor fails to detect existing fraud, he suffers a penalty, D, which is

avoided if the auditor detects fraud. These payoffs are shown in the game tree below:


***************************

11 We assume that d[e] is identical to the detection probability in the benchmark game and has all of thesame characteristics.12 The model of detection in this paper (for internal control and fraud detection) assumes that the auditorcannot find evidence of a “weak” system when it is strong or evidence of “fraud” when no fraud exists.

- 11 -

3.3 Nature of equilibrium

Equilibrium will be a 4-tuple of strategies: αb ,e c,e w ,e 0{ }.13 These strategies are

identified below:

αb : The (mixed-strategy) probability that the dishonest type of manager will commitfraud.

e c : The effort that the auditor supplies to determining whether the firm has a strong orweak system of internal controls.

ew : The effort that the auditor supplies to detecting fraud if he has found that the firmhas a weak system of internal controls.

e0 : The effort that the auditor supplies to detecting fraud if he has not found that thefirm has a weak system of internal controls. Note that this does not imply that hehas concluded that the controls are strong.

Equilibrium requires that each of these strategies be played in accordance with

Bayes’ Rule and that each strategy be a Nash best-reply to the other player’s strategy. In

addition, we require that all choices be sequentially rational.

4 Analysis of the two-stage model

In this section, we characterize the equilibria to our two-stage model, describe how

these equilibria are affected by changes in the parameters, and compare these equilibria to

those of the benchmark game. In section 4.1, we describe the payoff functions of the

auditor and dishonest manager, and describe the first-order conditions for the game. In

section 4.2, we characterize the equilibrium strategies to the game and in section 4.3, we

examine the interactions between parameters and equilibrium choices (comparative statics).

We compare this model to the benchmark model in section 4.4. We examine the

robustness of our equilibrium in section 4.5 and provide a numerical example in section

4.6.

13 We will ignore the strategy of the honest manager since committing fraud is weakly dominated.

- 12 -

4.1 Auditor and manager payoff functions

We begin this section by constructing the dishonest manager’s payoff as a function

of αb . The auditor will discover that the system is weak with probability, h e c[ ]. In this

case, the manager’s expected payoff is: αb F 1 − d ew[ ]( ) − PD d ew[ ]( ) . With probability

1 − h e c[ ]( ) , the auditor will not identify the system as weak (even though it is). In this

case, the manager’s expected payoff is: αb F 1 − d e0[ ]( ) − PD d e0[ ]( ) . Since the manager

does not know whether the auditor does or does not identify the system’s type, the

dishonest manager’s expected payoff is:

h e c[ ] αb F 1 − d ew[ ]( ) − PD d ew[ ]( )( ) + 1 − h e c[ ]( )αb F 1 − d e0[ ]( ) − PD d e0[ ]( )( ) . (8)

The auditor makes two choices. In the first period, he chooses e c which

determines the probability h e c[ ] that he will identify a weak system of internal control. In

the second period, the auditor will choose ew if he has identified the system as weak and

e0 if he has not. These choices drive the probability that the auditor will discover fraud if it

exists. Suppose the auditor has discovered that the manager has chosen a weak system of

internal control. Then the auditor’s conditional payoff function can be written:

− D 1 − d ew[ ]( )αb − ew − e c . (9)

If the auditor does not discover that the manager has chosen a weak system of internal

control, his conditional payoff can be written:

−α bD 1 − d e0[ ]( ) 1− h ec[ ]( )θ1 − h e c[ ]( )θ+ 1 − θ( ) − e0 − e c. (10)

We denote the ex ante probability that the auditor will find that the system of

internal control is weak as pweake = h ec[ ]θ. The auditor’s overall expected payoff can be

- 13 -

computed as pweake multiplied by the expression in (9) and (1- pweak

e ) multiplied by the

expression in (10):

−e c − h e c[ ]θ D 1 − d ew[ ]( )α b + ew( ) − 1− h e c[ ]θ( ) e0 +1 − h e c[ ]( )θD1 − d e0[ ]( )

1− h e c[ ]( )θ+ 1−θ( )

. (11)

The auditor’s payoff in (11) can be simplified:

−e c − ew θ h ec[ ] − e0 1−θ h e c[ ]( ) −θαb D h e c[ ] 1 − d ew[ ]( ) + 1− h ec[ ]( ) 1 − d e0[ ]( )( ). (12)

Using the payoffs in (8) and (12), we can describe first-order conditions for the

game. The dishonest manager’s choice is the probability of fraud, αb . The auditor

chooses his first stage effort, e c ; his effort if he learns that the control system is weak, ew ;

and his effort if he does not learn that the control system is weak (it may not be), e0 .

The manager’s first-order condition is:

F − F + PD( ) d e0[ ] 1− h e c[ ]( ) + d ew[ ]h e c[ ]( ) = 0 . (13)

If the auditor observes that the system of controls is weak (with probability θ h ec[ ] ), his

payoff is:

−e c* − ew − Dαb 1− d ew[ ]( ) , (14)

where e c* is a constant (at this point in the game). This yields the following first-order

condition:

1 − Dαbd' ew[ ] = 1− Dα bτ 1 − d ew[ ]( ) = 0 . (15)

The second-order condition for the auditor (in this information set) is:

−Dαbτ 1 − d ew[ ]( ) < 0. (16)

As a result, if the auditor finds himself in this information set, the choice of ew which

satisfies the first-order condition in (15) will be an optimum.

If the auditor does not observe that the system of controls is weak (which occurs

with probability 1 −θ h e c[ ]( )), his payoff is:

- 14 -

−Dθ 1− d e0[ ]( ) 1 − h ec

*[ ]( )αb

1 − h e c*[ ]θ − e c

* − e0 .14 (17)

The auditor’s first-order condition (in this information set) is:15

Dθ 1 −d e0[ ]( )τ 1− h ec*[ ]( )αb − 1− h ec

*[ ]θ( ) = 0 . (18)

The second-order condition for the auditor (in this information set) is:

−Dθτ2 1 − d e0[ ]( ) 1− h ec[ ]( )α b

1− θh e c[ ]( ) < 0 . (19)

Similar to the case in which the auditor observes that the system of controls is weak, if the

auditor finds himself in this information set in which he does not observe that the controls

are weak, his choice of e0 which satisfies the first-order condition in (18) will be an

optimum.

4.2 Equilibrium strategies

In this section, we characterize the equilibrium strategies of the manager (αb* ) and

the auditor (e c* , ew

* , and e0* ). Proposition 2 describes the strategies of the players in the

second-stage of the game. Proposition 3 characterizes the auditor’s choice of e c* in the first

stage of the game.

Combining (13), (15), and (18), we can obtain characterizations of αb* , e0

* , and ew*

as functions of e c* . These characterizations are described in Proposition 2.

Proposition 2. The dishonest manager, in equilibrium, will commit fraud with

probability,

αb* =

F + PD

DτθPD

(the same as in the benchmark model). 16 (20)

14 Again, the auditor would have already committed resources of e

c

* to the first-stage of the audit at this

point.15 Note we are using the assumption that: d' e[ ] = τ 1 − d e[ ]( ) here.16 Again, it is necessary that F + P

D≤ P

DτθD so that α

b

* < 1.

- 15 -

The auditor, in equilibrium, will choose ew to satisfy:

d ew*[ ] =

F + PD 1 −θ( )F + PD

, (21)

and e0 to satisfy:

d e0*[ ] =

F − h e c*[ ] F + PD 1 −θ( )( )

1 − h ec*[ ]( ) F + PD( )

. (22)

The proof follows immediately from the first-order conditions in (13), (15), and (18) given

that the second-order conditions in (16) and (19) are satisfied for all parameter choices.

In this model, the strategy of the dishonest manager is driven by the auditor’s

conditional payoff in the information set in which he observes weak controls. In other

words, αb must satisfy the auditor’s first-order condition in (15). This yields a value:

αb = Dτ 1− d ew[ ]( )( )− 1

. For the auditor’s equilibrium choice of d ew*[ ] , the manager will

choose αb to satisfy the auditor’s first-order condition in (15). To find the auditor’s

choices of e c* , ew

* , and e0* , we must substitute (15) into (13) and (18) and solve

simultaneously for d ew[ ] and d e0[ ] . We will then substitute back the value of d ew*[ ] in

(21) into αb = Dτ 1− d ew[ ]( )( )− 1

to obtain the value of αb* in (20).

Notice that the expression for d ew[ ] in (21) does not depend upon h e c[ ], but that

the expression for d e0[ ] in (22) does. This is because if the auditor has observed weak

controls, he knows that the manager is dishonest and has a desire to commit fraud. As a

result, he conditions his effort only on the equilibrium probability that the dishonest

manager will commit fraud.

As an immediate corollary of Proposition 2, we can compare the equilibrium

magnitudes of audit (detection) effort in the two information sets. This result is described

in Corollary 1.

- 16 -

Corollary 1. Equilibrium audit effort in the information set in which the auditor has

observed that the system of controls is weak (ew* ) is always greater than the equilibrium

audit effort in the information set in which the auditor has not observed weak controls.

The proof is obtained by comparing the magnitudes of (21) and (22).

The next segment of our analysis will focus on the characterization of audit effort in

the first stage of the game, e c . The manager’s strategy (whether honest or dishonest) is

completely characterized as is the auditor’s strategy in the second stage of the game. We

now incorporate these choices into the auditor’s first-stage problem. The auditor’s

expected payoff in the first stage is given by (12). Taking the first-order condition of this

expected payoff with respect to the first-stage choice of e c , we obtain:

−1 + θh' e c[ ] e0 − ew + Dαb d ew[ ] − d e0[ ]( )( ) = 0 . (23)

Using our equilibrium conditions from proposition 2, we can obtain a characterization of

h' e c*[ ] in terms of h e c

*[ ] , e0* , ew

* , and the parameters. This characterization is described in

proposition 3.

Proposition 3. Suppose that (23) induces a feasible choice of e c* for which

h e c*[ ] ∈ 0,1( ) and:17

h'' ec*[ ] ≤ −

1 −θ( )2 τ2 1 − h e c*[ ]( )

1−θh e c*[ ]( ) 1 −θ 1− τ 1 − h e c

*[ ]( ) e0* − ew

*( )( )( )3 . (24)

Then, the auditor’s equilibrium strategy in the first stage of the game is given by:

h' e c*[ ] =

τ 1 − h e c*[ ]( )

1 −θ 1 −τ 1 − h e c*[ ]( ) e0

* − ew*( )( ) . (25)

(proof in appendix)

17 A feasible solution to (16) is a solution to the equation for which e

c

* is a feasible value. Since e

c

*

depends upon ew

* and e

0

*, it is possible that no such solution exists.

- 17 -

Notice that h' e c*[ ] in (25) is a function of e0

* . Recall also that the auditor’s

equilibrium choice of e0 in (22) was a function of h e c[ ]. This co-dependence of e c* and

e0* , combined with a detection technology in which d' e[ ] = τ 1− d e[ ]( ) , will make closed-

form solutions impossible, even if we specified a detection probability. This fact will be

obvious in section 4.6 where we employ numerical techniques to solve a parameterized

example. The problem is not that a solution does not exist, though. The problem is that

the expression in (25) will be intractable in closed form. As a result, we will focus on

characterizing the solution as much as possible using comparative static analysis and

numerical analysis.

We now turn to our comparative static analysis of the game. Section 4.3 will

describe how changes in parameters (for interior equilibria) affect the equilibrium choices

of the dishonest manager and the auditor. Section 4.4 will compare the equilibria in the

benchmark game with those of the two stage game. We will discuss situations in which an

interior equilibrium does not exist in section 4.5.

4.3 Comparative Static Analysis

We now consider how changes in F, PD , D, τ, and θ affect the equilibrium

choices: e c* , e0

* , ew* , and αb

* , by applying the Implicit Function Theorem to the system of

first-order conditions identified in Proposition 2 and Corollary 1.18 Using this approach,

we obtain the comparative static results described in Table 2.19

18 For a detailed description of this approach, see Chiang [1989] pages 210 - 212.19 The proof of these results is in the appendix.

- 18 -

∂∂ D

∂∂ F

∂∂ PD

∂∂τ

20 ∂∂θ

Audit effort in system evaluation, e c*

0 0 0 — —

Probability of fraud detection when aweak system is observed, d ew

*[ ] 0 + — 0 —

Probability of detection when noweaknesses are observed, d e0

*[ ] 0 + — + +

Difference between e0* and ew

*

ew* − e0

*( )0 — + — —

Probability a dishonest manager willcommit fraud, αb

* — + — — —

Table 2Comparative statics for the two-stage game

20 The derivatives of e

w

* and e

0

* are the same as the derivatives of d e

w

*[ ] and d e0

*[ ], except for ∂ew

*/ ∂τ

and ∂e0

*/ ∂τ . We focus on the derivatives of the “detection probability” rather than “effort” in order to

demonstrate that the probabilities converge on d e*[ ] from the benchmark model. It is straight forward

that if ∂ d ew

*[ ] / ∂τ =0 (as shown in the table), then ∂ew

*/ ∂τ must be negative. What is not as clear is

that ∂e0

*/ ∂τ can be negative, too. This is because an increase in the effectiveness parameter (or,

equivalently, a decrease in the unit cost) allows “more” auditing to be done (in terms of probability) ata lower level of effort. This is illustrated in the numerical example of section 4.6.

The comparative statics for ew* and αb

* can be obtained directly from the equilibrium

conditions in (20) and (21). The comparative statics for e0* and e c

* require that we apply

the Implicit Function Theorem to the system of equations.

This analysis provides some noteworthy results. Consider the comparative statics

for ew* . The auditor’s effort in detecting fraud, given that he knows that he is dealing with

a dishonest manager is driven by the manager’s incentives for fraud (F and PD ) in the

intuitive direction. It is a bit surprising, though, that the auditor’s effort is a decreasing

function of the ex ante likelihood that the manager is dishonest. This is especially

- 19 -

surprising since the parameter, θ , does not appear in either of the first order conditions

(13) or (15). This implies that the influence of θ on ew* and αb

* must derive as a second-

order effect from the changes of θ on e0* and the effect of e0

* on ew* . Notice that θ does

appear in the first-order condition in (18) for the auditor if he has not observed any

weaknesses in internal control. And recalling the relationship between αb* and d ew

*[ ] , this

equation also contains an expression for d ew*[ ] . Hence (18) will cause d e0

*[ ] to be

responsive to changes in θ and will also, in turn, cause ew* and αb

* to respond to changes

in θ . The lack of responsiveness of ew* to changes in D and τ result primarily from the

fact that the manager’s first-order condition in (13) does not depend upon these parameters.

Unlike comparative statics for ew* and αb

* , which can be obtained directly from the

equilibrium expressions in (20) and (21), the comparative statics for e0* are a bit more

complicated. As an example, note that τ does not appear in the expression for d e0*[ ] in

(22). But, (from Table 2), dd e0

*[ ]d τ

> 0 . The impact of τ on d e0*[ ] must derive from the

impact of τ on e c* and the impact of e c

* on e0* . We derive these comparative statics by

applying Cramer’s rule and the Implicit Function Theorem. Consider dd e0

*[ ]d τ

as an

example. This derivative will be the third element of the vector product:

∂∂τ

∂A

∂e c

,∂A

∂e0

,∂M

∂α b

• J−1 where J is the matrix of second order partials.

∂∂τ

∂A

∂e c

,∂A

∂e0

,∂M

∂α b

• J−1 can be rewritten:

θ d ew*[ ]− d e0

*[ ]( )h' e c*[ ]

τ2 1 − d ew*[ ]( ) , 0, 0

, which implies

that we are only concerned with the first column of J−1 . So a single element of J−1 will

- 20 -

determine the sign of dd e0

*[ ]d τ

, but this element involves derivatives with respect to ew , e0 ,

αb , and e c . The details of the computation are given in the appendix. The surprising

result that increases in audit technology increase the auditor’s choice of detection

probability when a weak system is not detected is attributable to the fact that increases in τ

induce decreases in e c* which then cause d e0

*[ ] to increase. This result demonstrates our

argument that audits in which substantive testing procedures are effective will correspond

to a decreased focus on internal control evaluation, since d ew*[ ] and d e0

*[ ] will be

converging on the benchmark detection probability, d e*[ ] .

Finally, consider the difference between ew* and e0

* . Our comparative statics show

that this difference is decreasing in F,τ , and θ and is increasing in PD . The results for τ

and θ can be obtained simply by examining the comparative static results for ew* and e0

* .

And since ∂e c

*

∂F=

∂e c*

∂PD

= 0 , the results for F and PD can be obtained by computing d ew*[ ] -

d e0*[ ] using (21) and (22).21

The nextsection constrasts the solutions of section 4 to the solutions to the

benchmark game in section 2 to explicitly demonstrate the benefits from internal control

evaluations.

4.4 Comparison of the benchmark model and the two-stage model

In the benchmark model, the equilibrium audit effort required that the equilibrium

probability that a fraud would be detected, if it exists, is given by: d e*[ ] =F

F + PD

. In the

two-stage model, we can obtain an expression for the equilibrium that a fraud would be

detected by computing: h e c*[ ]d ew

*[ ]+ 1 − h e c*[ ]( )d e0

*[ ], where h e c*[ ] is characterized by

21 Since the derivatives of e

c

* are zero, only the direct effects are important in evaluating this difference.

- 21 -

(25), d ew*[ ] is characterized by (22) and d e0

*[ ] is characterized by (23). Computing this

value, we find that for the two-stage model, the probability of detecting a fraud if it exists

is still F

F + PD

. Hence, the equilibrium probability of detection is the same for both

models. In addition, we note that the manager’s fraud strategies in (6) and (20) are

identical. Note, however, that in the two-stage model, the auditor could trivially choose the

benchmark model by choosing e c =0 (which implies by assumption that h e c[ ] = 0). As a

result, we conclude that the two-stage model at least weakly dominates the benchmark

model, since the auditor would only choose e c* > 0 if it would decrease his ex ante

expected total costs. This result is important because it demonstrates that the potential

benefits to internal control assessment lie in audit cost decreases, not in more (ex ante)

effective audits.

We formalize this result in corollary 2.

Corollary 2: Suppose the conditions in proposition 2 are satisfied and that e c* > 0. The

ex ante cost of auditing using a two-stage audit, e c* +θ h ec

*[ ]ew* + 1 −θ h e c

*[ ]( )e0* is less

than the cost of auditing using a benchmark audit, e* .

Corollary 2 will be illustrated with our numerical example in section 4.6.

To understand better how the benchmark and two-stage models relate, we will

compare the equilibrium values of d e[ ], d ew[ ], and d e0[ ] . By observation, we see that

d ew*[ ] > d e*[ ] , but that the difference is decreasing in θ . Using a similar comparison, we

observe that d e*[ ] > d e0*[ ] and, since

∂e0*

∂θ> 0 , this difference is also decreasing in θ . As

a result we conclude d ew*[ ] > d e*[ ] > d e0

*[ ] and that d e*[ ] is a weighted average of d ew*[ ]

and d e0*[ ] (weighted by h e c

*[ ] and 1 − h e c*[ ]( ) respectively). As θ increases, d ew

*[ ] and

- 22 -

d e0*[ ] converge to d e*[ ] from above and below respectively. Also, as θ increases, the

value of e c* decreases. At some point the value of e c

* = 0 and the two models are identical.

Since we know that the equilibrium probability of detection is F

F + PD

for both the

benchmark and the two-stage games, we can compute the expected probability of

undetected theft. This is given by probability of a dishonest manager, θ , multiplied by the

probability that the dishonest manager will commit fraud (recall that it is the same under

both the one and two-stage games): αb =F + PD

D τθ PD

, multiplied by the probability of not

detecting the fraud: 1 −F

F + PD

=PD

F + PD

. Multiplying these values we obtain the

probability (ex ante) that an audit failure will occur, 1

D τ. Hence, the occurrence of audit

failures is decreasing in D (the auditor’s penalty) and in the effectiveness parameter, τ . It

is important to note, though that this decrease in audit failures does not result from

increased effort on the part of the auditor; rather it results from a decreased likelihood that

the dishonest manager will commit fraud.

Section 4.5 will address situations in which the solutions to (22), (23), and (25) are

infeasible.

4.5 Robustness

Since (25) characterizes e c* as a function of ew

* and e0* , and the functions h e c[ ] and

h' e c[ ] , it is quite possible that no feasible algebraic solution exists. While there does

always exist a solution to equation (25) over the domain of the real numbers, there is no

guarantee that the solution will yield a positive number.22 If the solution is not positive,

then the auditor will choose e c*=0; which implies that h=0. As noted above, this situation

22 This issue is much more likely to arise than a situation in which (17) does not hold. Note if (17) doesnot hold, then the solution is a minimum rather than a maximum - which is unlikely.

- 23 -

is identical to the situation in which the auditor cannot assess the likelihood of fraud by

evaluating the system of controls and must rely on substantive testing exclusively as

represented by our benchmark model.

Note also that if F + PD > D τθ PD , the equilibrium value of αb* is the boundary

value (1). If αb* =1, then the auditor’s problem becomes a straightforward optimization

problem over e c , ew , and e0 . In this case, the auditor’s strategy will depend only upon

the factors directly affecting his payoff: D, θ , and τ .

4.6 Numerical Example

In our numerical example, we will illustrate that the two-stage model yields the

same equilibrium probability of detection at a lower cost than does the benchmark model.

In addition, we will also show that the strategies: d ew*[ ] > d e*[ ] > d e0

*[ ] converge to d e*[ ]as θ gets larger; and at the same time h e c

*[ ] approaches zero. Suppose

d e[ ] = 1− Exp −τ e{ } where τ = 1/4, h e c[ ] = 1−1

1 + ec( ) , F=50, PD = 10 , D = 100, and

θ = 3/10. The computations of e0* , ew

* , and αb* from proposition 2 yield: αb

* =4

5 ,

ew* = 4Ln 20[ ] (approximately 11.98), and e0

* = −4 Ln1

6+

7

60e c

*

. When these values are

substituted into the auditor’s first-order condition for e c (in (25)), we obtain the following

condition: 2 7 + Ln 27[ ] − 3Ln10 + 7e c[ ] + 7e c( ) − 5 1+ ec( )2= 0 . While this equation is

transcendental and does not have a closed form solution, there is an approximate solution at

e c* = .652525 . For this solution, we can compute e0

* (approximately) as: 5.662.

Using these values, we compute d ew*[ ] = 1 − Exp −4Ln 20[ ] 4{ } = .95,

d e*[ ] =F

F + PD

= .8333 , and d e0*[ ] = 1− Exp −5.662/4{ } = .7572 . Also, we note that

- 24 -

h e c*[ ] = 1−

1

1.6525= .3949 . Clearly, d ew

*[ ] > d e*[ ] > d e0*[ ] and, in addition,

d e*[ ] = .8333 = h e c*[ ] d ew

*[ ] + 1 − h e c*[ ]( )d e0

*[ ] = .395*.95 + .605*.7572 = .8333. Hence,

both the probability of detection (ex ante) and the probability fraud is committed by the

dishonest manager are the same under the two different models. The equilibrium cost of

auditing in the two-stage model is given by: e c* +θ h ec

*[ ] ew* + 1−θ h e c

*[ ]( )e0* , which is

computed as .6525+(.3*.395)*11.98+(1-.3*.395)*5.662=7.0634. For the benchmark

model, the cost is: 4 Ln[6] = 7.1670. Clearly, the ex ante cost is greater under the

benchmark model.

Note, however, that the ex post cost might be greater under the two-stage model.

If the manager is dishonest and the auditor learns that he is dishonest (as he hopes to), the

total ex post cost would be .6525+11.98=12.63 which is considerably greater than the ex

post cost under the benchmark model (7.1670).

Finally, we shall examine what happens as θ or τ gets larger. First, suppose that

all other parameters remain the same, except that θ = .38. For this value of θ , the

equilibrium strategies of the auditor are ew* = 11.037, e0

* = 7.119, and e c* = .0195. These

strategies yield equilibrium probabilities: d ew*[ ] = .9366 , d e0

*[ ] = .8313 , and

h e c*[ ] = .0191 . Note that d ew

*[ ] is decreasing towards d e*[ ] = .8333 and d e0*[ ] is

increasing towards the value. And as h e c*[ ] is so small, the weight on d e0

*[ ] is much

higher than the weight on d ew*[ ] . If θ = .385, then the auditor will choose e c

* = 0 and the

problem will simplify to the benchmark problem.

Next, suppose that τ increases from 1/4 to 3/10 (suppose that θ is 3/10). For this

value of τ , the equilibrium strategies of the auditor are ew* = 9.99, e0

* = 5.464, and e c* =

.2352 which yields equilibrium probabilities: d ew*[ ] = .95, d e0

*[ ] = .8059 , and

- 25 -

h ec*[ ] = .1904 . The increase in τ is causing the auditor’s strategies to once again converge

(in terms of probability) towards the benchmark solution. Note that the probabilities

converge, even though each of the auditor’s effort choices actually decreases in absolute

terms.

5 Discussion

This paper provides a simple model of the auditor’s allocation problem, as

discussed in SAS 82, in which the auditor must choose how to allocate scarce audit

resources between internal control evaluations and substantive testing. Internal control

evaluations help the auditor determine if the manager’s control system is weak and a weak

system of internal controls provides the manager an opportunity to commit fraud. We

assume that only managers with a propensity to commit fraud would select a weak system.

We show that in equilibrium, allocating scarce audit resources to evaluations of internal

controls will generally reduce the expected cost of auditing for fraud. The notable

exceptions are when audit technology is extremely effective or when the ex ante likelihood

of a manager being dishonest is extremely high.

When audit technology is extremely effective, the equilibrium probability of

undetected fraud is very low. This in turn lowers the equilibrium probability of a manager,

who is prone to fraud, committing fraud. We show that a highly effective audit technology

would likely result in the auditor allocating less effort to internal control reviews than he

might otherwise. In the extreme, we would expect the auditor to reduce the effort exerted

in reviewing internal controls to zero and only perform substantive testing, regardless of

the manager’s propensity for fraud. These tradeoffs between internal control reviews and

the effectiveness of audit technology are empirically testable. Specifically, we would

expect that in auditing decentralized organizations, where substantive testing is likely more

difficult (and costly), auditors would increase their efforts in evaluating internal controls

over that level of effort exerted when auditing centralized organizations.

- 26 -

When the ex ante likelihood of a manager being dishonest is extremely high, we

show that the cost savings from allocating resources to internal control reviews is

diminished. While this result may appear counterintuitive, it follows directly from Bayes’

Rule. The information content of learning that internal controls are weak does not

substantially update the auditor’s expectations regarding fraud, thus, does not substantially

reduce the required level of substantive testing. This result is also empirically testable.

Specifically, we would expect that auditors would reduce their efforts in evaluating internal

controls and increase substantive testing in industries prone to high levels of fraud.

A limitation of our study is that we do not allow the manager to select the

information system quality. Rather, we assume that evidence of a weak system is fully

revealing. While we believe that allowing system quality to vary could alter our results, we

expect that the implications of the study would be similar. Future research may be able to

identify how noisy information about system quality, rather than a fully revealing signal,

would effect the auditor’s effort level in fraud detection.

- 27 -

References

American Institute of Certified Public Accountants, “Statement on auditing standardsNumber 82 - consideration of fraud in a financial statement audit, 1997.

Caplan, D. “Internal controls and the detection of management fraud,” working paper,Columbia University (1997).

Chiang, A. Fundamental Methods of Mathematical Economics, Third edition,MacGraw-Hill, 1984.

Finn, M. and M. Penno “Real-time inspection games with varying levels of commitment,”working paper, Northwestern University, 1996.

Newman, P. and J. Noel “Error rates, detection rates, and payoff functions in auditing,”Auditing: A Journal of Practice and Theory, pp. 50-66, 1989 (Supplement).

, J. Park and R. Smith “Allocating internal audit resources to minimize detection riskdue to theft,” Auditing: A Journal of Practice and Theory, Forthcoming, 1998.

, S. Rhoades, and R. Smith “Allocating audit resources to detect fraud,” Review ofAccounting Studies, pp. 161-182, 1996.

Park, J. “Strategic audit timing plans,” unpublished dissertation, University of Texas,1995.

Patterson, E. “Strategic sample size choice in auditing,” Journal of Accounting Research,pp. 272-293, 1993.

Shibano, T. “Assessing audit risk from errors and irregularities,” Journal of AccountingResearch pp. 110-147, 1990 (Supplement).

- 28 -

fraud

no fraud

no fraud

dishonestθ

honest1 − θ( )

fraud

αb

αg

e

e

F 1 − d e[ ]( ) − PDd e[ ] , − e − D 1− d e[ ]( )( )

−PDd e[ ] , − e − D 1− d e[ ]( )( )

0,−e( )

0,−e( )

Figure 1Benchmark Model

- 29 -

type

(hon

est,

dish

ones

t)de

term

ined

.th

is in

duce

ssy

stem

cho

ice

audi

tor

choo

ses

syst

emev

alua

tion

effo

rt

audi

tor

lear

ns(o

r do

es

not l

earn

)m

anag

er is

fr

aud-

pron

e (i

f he

is)

audi

tor

(bas

ed o

n re

sults

of

inte

rnal

co

ntro

l eva

luat

ion)

ch

oose

s su

bsta

ntiv

e te

stin

g

man

ager

cho

oses

frau

d or

no

frau

d (w

ithou

t kno

win

g th

e re

sults

of

the

audi

tor's

inte

rnal

co

ntro

l eva

luat

ion

audi

tor

disc

over

sfr

aud

if it

occ

urre

dpr

obab

ilist

ical

ly

Figu

re 2

Tim

elin

eT

wo

-sta

ge m

odel

- 30 -

natu

reau

dito

ras

sess

men

tef

fort

natu

re(c

ontr

olas

sess

men

t)

audi

tor

effo

rtm

anag

er

eC e C

e W e0 e 0

0,−

e0

−e c

()

1

he c[

]

1−

he c

[]

frau

d

no f

raud

frau

d

no f

raud

no f

raud

dish

ones

tθ

F1

−d

e w[]

()−

de w

[]P

D,−

e w−

e c−

D1 −

de w[

](

)(

)

F1

−d

e 0[]

()−

de 0[

]PD,−

e0

−e c

−D

1−d

e 0[

](

)(

)

0,− e

w−

ec

()

hone

st1

−θ

()

frau

d

αb α

b

α g

0,− e

c−

e0

()

− PD

de 0[

],−

D1

−d

e 0[]

()−

ec

−e

0(

)

Figu

re 3

Gam

e T

ree

Tw

o-St

age

Mod

el

- 31 -

Proof of Proposition 1

First, suppose that (21) and (22) define the auditor’s detection strategy.

Substituting (21) and (22) into (8) yields:

−h ec[ ] 1 −θ( )PDα b + h ec[ ] 1 − θ( )PDαb = 0 . (A1)

In other words, for the manager, any choice of αb is optimizing if the auditor is choosing

ew and e0 in accordance with (21) and (22). In particular, αb* in (20) is optimizing, as

long as it satisfies: αb* =

F + PD

Dτθ PD

∈ 0,1[ ] .

Now consider the auditor’s problem. Suppose the auditor observes a weak system

of internal controls and knows that the manager is dishonest. In this case, the auditor must

(conditionally) choose ew to satisfy (15). If the manager is choosing αb* as in (20), the

auditor’s FOC in (15) can be rewritten:

θ PD − F + PD( ) 1 − d ew[ ]( ) = 0 , (A2)

which implies that d ew[ ] is characterized by (21). Using the same approach, we find that

αb* =

F + PD

Dτθ PD

implies that the auditor’s choice of e0* in (22) satisfies the auditor’s FOC. In

addition, since these decisions must be sequentially rational, the second order conditions in

(16) and (19) are sufficient to ensure that these choices are optimal. n

Proof of Proposition 2

Suppose there exists a value, e c > 0, which satisfies (24). We need to show that

this value defines the equilibrium choice of the auditor in the second stage of the game.

Since (24) is the solution to the auditor’s FOC, we must only show that the second order

conditions for an optimum are satisfied.

- 32 -

We begin by constructing the 3X3 Hessian matrix of second-order partials (for the

auditor). Denoting the auditor’s payoff in (12) as A, this matrix is:

H =

∂2A

∂ec2

∂2A

∂e c∂ew

∂2A

∂e c∂e0

∂2A

∂e c∂ew

∂2A

∂ew2

∂2A

∂e0∂ew

∂2A∂e c∂e0

∂2A∂e0∂ew

∂2A∂e0

2

. (A3)

We will also substitute in the equilibrium first-order condition: ∂A

∂e c

= 0 . The first principal

minor is given by the first row/first columne element of H. Substituting ∂A

∂e c

= 0 into

∂2A

∂ec2 = 0 , we obtain:

h'' ec[ ]h' e c[ ] < 0 . The second principal minor is:

∂2A

∂ec2

∂2A

∂ew2 −

∂2A

∂e c∂ew

2

.

Substituting ∂A

∂e c

= 0 into this expression, we obtain: −θ2 d ew[ ] − d e0[ ]( )h e c[ ]h'' e c[ ]1 − d ew[ ]( ) 1+θh' ec[ ] ew − ec( )( ) .

Since ew* > e0

* (see corollary 1), d ew[ ] must be greater in equilibrium than d e0[ ] . Hence,

this expression must be positive. The third and final principal minor is the determinant of

H. Without replicating the cumbersome details (available from the author), we observe

than the third principal minor is negative if and only if (24) is satisfied. n

Proof of the comparative static results:

The comparative static results are obtained by using the Implicit Function Theorem over the

system of equations. We begin by building a vector of first order conditions. We will

simplify the process by ignoring the first order condition in (15) and focusing on the other

three FOCs. We will substitute this condition in afterwards. The vector, FOC, is:

- 33 -

FOC =∂A

∂ec

,∂A

∂e0

,∂M

∂αb

T

. We will then construct a Jacobian matrix of partials of these

conditions as follows:

J =

∂FOC1[ ]∂ec

∂FOC1[ ]∂ew

∂FOC 1[ ]∂e0

∂FOC 2[ ]∂ec

∂FOC 2[ ]∂ew

∂FOC 2[ ]∂e0

∂FOC 3[ ]∂ec

∂FOC 3[ ]∂ew

∂FOC 3[ ]∂e0

=

∂2A

∂ec2

∂2A

∂e c∂ew

∂2A

∂e c∂e0

∂2A

∂ec∂e0

∂2A

∂ew∂e0

∂2A

∂e02

∂2M∂αb∂ec

∂2M∂αb∂ew

∂2M∂αb∂e0

. (A4)

Note the similarities in the elements of (A4) and the Hessian matrix of second order partials

in (A3). The Implicit Function Theorem holds that the partials of e c* , ew

* , and e0* with

respect to a parameter, λ , by computing:

∂e c*

∂λ,∂ew

*

∂λ,∂e0

*

∂λ

T

= J−1 • −∂FOC 1[ ]

∂λ, −

∂FOC 2[ ]∂λ

, −∂FOC 3[ ]

∂λ

T

. Defining A J as the

adjoint matrix of J, J−1 is computed as A J

J. If we know the sign of the determinant of J,

therefore, we can compute the signs of the partials with respect to a parameter λ by

computing: A J • −∂FOC1[ ]

∂λ, −

∂FOC 2[ ]∂λ

, −∂FOC 3[ ]

∂λ

T

. We now compute the sign of

determinant. The determinant of J, evaluated at (20), (21), (22), and (25) is:

τ PD Z1 + Z2( ), where Z1 = −1 −θ( )2 τ2

1−θ +θτ 1− h e0[ ]( ) ew* − e0

*( )( )2 and

Z2 =1−θ h ec

*[ ]( ) −1 + θ− θτ 1 − h ec*[ ]( ) ew

* − e0*( )( )h" e c

*[ ]1 − h ec

*[ ]( ) . This value is strictly positive if

and only if (24) holds as a strict inequality (which we will assume).

We will now proceed with computing the vectors of parameter partials. Denote as

A j i,j[ ] the element of the adjoint matrix and the vector of paritals by

- 34 -

FOCλ = −∂FOC 1[ ]

∂λ, −

∂FOC 2[ ]∂λ

, −∂FOC 3[ ]

∂λ

. Equations (A5) through (A9) compute the

vectors of partials.

FOCθ = −1

θ, −

1

θ, 0

. (A5)

FOCF = 0,0, −1 + d e0*[ ] 1 − h e c

*[ ]( ) + d ew*[ ]h e c

*[ ]{ } . (A6)

FOCPD = 0, 0, d e0*[ ] 1 − h e c

*[ ]( ) + d ew*[ ]h ec

*[ ]{ } . (A7)

FOCD = 0,0,0{ }. (A8)

FOCτ =θ d ew

*[ ]− d e0*[ ]( )h' e c

*[ ]τ2 1 − d ew

*[ ]( ) , 0, 0

.23 (A9)

Now we proceed to determine the signs in table 2.

∂e c*

∂θ= −

1

θ1,1,0[ ]• A j 1,1[ ],A j 1,2[ ],A j 1,3[ ][ ] = −

1

θA j 1,1[ ] + A j 1,2[ ]( )

Using (21), (22), and (25):

A j 1,1[ ] + A j 1,2[ ] =θτ2 τ 1+ θh ec

*[ ]2( ) e0* − ew

*( ) + h ec*[ ]PD −1 +θ − 1+ θ( )τ e0

* − ew*( )( )( )

−1 +θ −θτ 1− h e c*[ ]( ) e0

* − ew*( )( ) .(A10)

Using (25), we know that this must be positive if the numerator is negative. We establish

that it is negative by looking at the sign numerator over the range of τ . The numerator is

negative if τ 1+θ h ec*[ ]2( ) e0

* − ew*( ) + h e c

*[ ]PD −1 +θ − 1 + θ( )τ e0* − ew

*( )( )( ) (A11)

23 For all other comparative statics, the derivatives with respect to e

w

* and e

0

* are the same as for d e

w

*[ ] and

d e0

*[ ] since the value of d[e] does not depend upon anything except τ and e. For this comparative static,

- 35 -

is negative. Suppose τ = 0 . This expression is computed as: −h ec*[ ]PD 1−θ( ) < 0 . Next,

compute the derivative of the expression with regards to τ . This derivative is:

1 − h e c*[ ]( ) 1−θh ec

*[ ]( ) e0* − ew

*( ) < 0 . Hence (A10) must be positive. This implies that

∂e c*

∂θ< 0 .

∂ew*

∂θ= −

1

θAj 2,1[ ] + A j 2,2[ ]( ) . Since A j 1,2[ ] is zero and A j 2,2[ ] =

1

τDet J[ ] ,

A j 2,1[ ] + A j 2,2[ ] = Aj 2,2[ ] > 0 , which implies that ∂ew

*

∂θ< 0 .

∂e0*

∂θ= −

1

θA j 3,1[ ] + A j 3,2[ ]( ) . Computing A j 3,1[ ] + A j 3,2[ ] and substituting in (21) and

(22), we obtain:

1 −θ( )h' e c*[ ] τ 1 − h e c

*[ ]( ) − 1−θ( )h' ec*[ ]( ) −θ 1− h ec

*[ ]( )h ec*[ ]h'' e c

*[ ]Z3 , (A12)

where: Z3 = −1 +θ− θτ 1− h e c*[ ]( ) e0

* − ew*( )( ). Next we rewrite (our strict version of)

constraint (24) as: h'' ec*[ ] = −

A + 1 − θ( )2τ2 1 − h ec*[ ]( )

1 −θh e c*[ ]( ) 1 −θ 1 − τ 1− h ec

*[ ]( ) e0* − ew

*( )( )( )3 (A13)

where A is the positive real number which converts (24) to an equality. Substituting

(A13) and (25) into (A12), we obtain an expression with the numerator:

1 −θ( )θτ2 1− h ec*[ ]( )PD τ e0

* − ew*( ) 1 +θh e c

*[ ]2( ) + h e c*[ ] −1 +θ− 1 + θ( )τ e0

* − ew*( )( )( )

− AθPDh e c*[ ]

. (A14)

however, we are actually computing d d e *[ ]

d τ=

∂ d e[ ]∂ τ e*

+∂ d e*[ ]

∂ e*

∂ e *

∂ τ e*

. As we are actually focused on

d ew

*[ ] and d e0

*[ ] converging to d e*[ ] we are not concerned with this technical issue.

- 36 -

(A14) is shown to be negative in exactly the same way that (A11) was shown to be

negative. The denominator of the expression is:

1 − h e c*[ ]( ) 1−θh ec

*[ ]( ) −1+ θ− θτ 1 − h ec*[ ]( ) e0

* − ew*( )( )2

, which must clearly be positive.

Hence, ∂e0

*

∂θ> 0 .

Next consider the signs of ∂e c

*

∂F,

∂ew*

∂F,

∂e0*

∂F,

∂e c*

∂PD

,∂ew

*

∂PD

, and∂e0

*

∂PD

. Note from (A6) and

(A7) that only the last column of A J is important. In addition, the last element in the vector

(A6) is always negative and the last element in (A7) is always positive since

d e0*[ ] 1 − h e c

*[ ]( ) + d ew*[ ]h ec

*[ ] must be strictly between d e0*[ ] and d ew

*[ ] . As a result, we

conclude:

sign∂e c

*

∂F

= −sign

∂e c*

∂PD

= sign A j 1,3[ ][ ]

sign∂ew

*

∂F

= −sign

∂ew*

∂PD

= sign A j 2,3[ ][ ]

sign∂e0

*

∂F

= −sign

∂e0*

∂PD

= sign A j 3,3[ ][ ]

The sign of A J 1,3[ ] is zero. Using (21), (22), (25) and (A13), the sign of

A J 2,3[ ] = AJ 3,3[ ] = −A

1− h e c*[ ]( ) −1 +θ−θτ 1− h e c

*[ ]( ) e0* − ew

*( )( )2 < 0 . (A15)

As a result, we conclude that:

∂e c*

∂F=

∂e c*

∂PD

= 0 , ∂ew

*

∂F=

∂e0*

∂F> 0 , and

∂ew*

∂PD

=∂e0

*

∂PD

< 0 .

Clearly from (A8), changes in D do not affect the auditor’s choices at all.

- 37 -

Finally, from (A9), we observe that only the first column of the adjoint matrix matters in

determining the signs of ∂e c

*

∂τ,

∂ew*

∂τ, and

∂e0*

∂τ. The first element of FOCτ is clearly

positive. So we conclude that:

sign∂e c

*

∂τ

= sign A j 1,1[ ][ ]

sign∂ew

*

∂τ

= sign A j 2,1[ ][ ]

sign∂e0

*

∂τ

= sign A j 3,1[ ][ ]

Using (21), (22), and (25), A J 1,1[ ] = −τ2 1−θh e c*[ ]( )PD < 0, which implies

∂e c*

∂τ< 0 .

A J 2,1[ ] = 0. And using (21), (22), (24), and (25), we know that

A J 3,1[ ] =1−θ( )τ2PD

1−θ +θτ 1− h e c*[ ]( ) e0

* − ew*( )( ) > 0 . n

The Interaction between Internal Control Assessment and Substantive Testing in Audits for Fraud*

Documents

Transcript of The Interaction between Internal Control Assessment and Substantive Testing in Audits for Fraud*