Concede or Deny: Do Management Persuasion Tactics Affect Auditor Evaluation of Internal Control Deviations?

Christopher J. Wolfe CPA, DBA

Mays Business School

Texas A&M University

4353 TAMU

College Station, TX 77845

(979) 845-0964

Email: cwolfe@mays.tamu.edu

Elaine Mauldin CPA, PhD

College of Business

331 Cornell Hall

University of Missouri – Columbia

Columbia, MO 65211

(573) 884-0933

Email: mauldin@missouri.edu

Michelle Chandler Diaz CPA, PhD

Department of Accounting

E.J. Ourso College of Business

Louisiana State University

Baton Rouge, LA 70803

(225) 578-6216

Email: michelle@lsu.edu

January, 2008

We sincerely thank the participating firm for providing participants and expert insights into the audit process. We thank Duane Brandon, Jere Francis, Lisa Gaynor, Rich Houston, Bill Kinney, Lisa Koonce, Mary Lea McAnally, Ed O’Donnell, and workshop participants at Louisiana State University, University of Missouri-Columbia, University of South Carolina, Texas A&M University, and the 2007 AAA Auditing Section Midyear Conference for their thoughtful comments. Christopher Wolfe and Michelle Diaz gratefully acknowledge the Mays Business School for providing financial support while completing this research.

Abstract: In an internal control audit, the potential for negative outcomes provides management the incentive to persuade auditors that control deviations are not significant deficiencies. The subjectivity in evaluating control deviations provides a means for persuasion tactics to work. This paper reports an experiment with 106 senior-level auditors who evaluated control deviations after exposure to management's persuasion tactics. Consistent with our theoretical model, management concession, compared to denial, resulted in higher perceived explanation adequacy, lower perceived management fault, and lower assessed control deficiency for information technology (IT) security breaches but not for manual application control breakdowns. Divergent from professional guidance, our results indicate that management inquiry can be used to reduce professional skepticism.

Key Words: internal control deficiency, audit judgment, management explanation, security breach

Data Availability: Contact the authors

I. INTRODUCTION

We study when and how management persuasion tactics reduce auditors’ judgments about observed internal control deviations. By requiring auditors to opine on the effectiveness of a client’s internal controls over financial reporting, the Sarbanes-Oxley Act of 2002 (SOX) creates a new pressure point for management. Reports of material weaknesses in internal controls can indirectly affect a firm’s cost of equity capital (Ogneva et al. 2007) and chief financial officers are often replaced within six months after these reports (Banham 2006). This new regulatory environment provides a strong incentive for managers to attempt to persuade auditors that observed internal control deviations are not deficiencies. Moreover, auditor judgments are subjective because observed deviations can indicate control system deficiencies or only the inherent limitations of internal controls (PCAOB 2007 ¶ 48). This study investigates the ability of management’s persuasion tactics to exploit this subjectivity in a SOX 404 audit.

We study two types of persuasion tactics, concessions and denials. Psychology research indicates that concessions and denials have different costs and benefits and are differentially effective dependent on when they are used (Kim et al. 2004; Kim et al. 2006; Tata 2002). Anecdotal evidence also suggests that management commonly uses these tactics to attempt to influence auditor assessment of control deficiency.[1] Although each persuasion tactic constitutes a self-serving management assessment that auditors should ignore (PCAOB 2007 ¶ 4, 80), we expect that concessions can be comparatively effective dependent on relative costs and benefits.

A concession’s benefit is to increase trust by accepting responsibility, while its cost is admitting connection to a failure event. A denial’s benefit is disassociation from a failure event, while its cost is lack of acceptance of responsibility or intent to change (Kim et al. 2004). We examine the effects of concession and denial in IT security breaches and manual application control breakdowns, because these contexts are theorized to produce comparatively different cost-benefit weightings.[2] We expect that psychological perceptions of technology failure elicited by an IT security breach will dilute negative judgments of human failure (Hackenbrack 1992) thereby reducing the cost of concession and allowing concession’s benefits to exceed its costs. Because the element of human failure stands alone for manual application control breakdowns, we expect the costs and benefits of concession to offset one another. We expect that denial’s cost is higher than its benefits in both contexts because management’s unwillingness to accept responsibility for an internal control breakdown is a clear violation of Auditing Standard Number 5 (AS 5, PCAOB 2007 ¶ 75).

One hundred six senior-level auditors from a Big 4 public accounting firm evaluated internal control deviations in case studies that included vignette conversations between the audit senior and management. We manipulated management’s persuasion tactic (concession or denial) and the control deviation context (IT security breaches or manual application control breakdowns).[3] For IT security breaches, we find that auditors judge management’s explanation more adequate, management less at fault, and the control deficiency less significant when management concedes an inconsequential deficiency than when management denies any deficiency at all. As expected, we observe no differences in auditor judgment between concessions and denials for manual application control deviations.

We also report path analyses to provide evidence that auditors’ judgment processes are consistent with our underlying theoretical model (shown in Figure 1). For IT security breach deviations, we find that management concession, as compared to denial, heightened perceived explanation adequacy; higher explanation adequacy reduced perceived management fault; and lower management fault reduced control deficiency judgments. While concessions and denials had no differential effect on manual application controls, we find all other path model relations substantially identical between manual application and IT security breach control deviations. The perceived adequacy of management’s explanation produced a robust effect on auditor judgment that can, in some contexts, be exploited by management’s persuasion tactics.

[Insert Figure 1 about here]

AS 5 indicates that auditor tests of control include inquiry of management (PCAOB 2007 ¶ 50), but it also requires that auditors exercise professional skepticism (PCAOB 2007 ¶ 4) and form an independent opinion (PCAOB 2007 ¶ 85). We observe a lack of independence in auditor judgment when management persuasion tactics manipulate perceived explanation adequacy. Our results represent a source of inconsistent judgment and reduced professional skepticism that should be addressed in auditor training. Our study also informs regulators as to the strong, independent effect that explanation adequacy can have on auditor judgment of control deficiency that is not acknowledged in AS 5 or other standards. Finally, our results extend prior research on internal control evaluation as part of the audit risk model to that of an opinion on internal control and add to the theory underlying the audit explanation literature by indicating when and how persuasion tactics and perceptions of explanation adequacy affect auditor judgment.

The remainder of the paper is organized as follows. The next section provides background and develops hypotheses. Then, the experimental methods are described and the results are presented. We conclude with a discussion of our study’s implications and limitations.

II. BACKGROUND AND HYPOTHESES

AS 5 delineates standards for the audit of internal controls and requires two types of tests of control: design effectiveness and operating effectiveness (PCAOB 2007 ¶ 42-45). Tests of design effectiveness determine if controls could effectively prevent or detect errors. Tests of operating effectiveness follow tests of design effectiveness because only properly designed controls need be tested to assure proper operation. We focus on the auditor’s evaluation of internal control deviations in tests of operating effectiveness.

Auditors are required to evaluate all observed control deviations to determine whether they indicate deficiencies in internal control (PCAOB 2007 ¶ 62). Deficiencies that are classified as material weaknesses directly result in an adverse audit opinion. However, lesser control deficiencies can accumulate to become a material weakness (PCAOB 2007 ¶ 65) and auditors must report all significant deficiencies to the audit committee. Significant deficiencies are defined as those that are less than material but important enough to merit attention by management (PCAOB 2007 ¶ 80, A11). We focus on auditors’ evaluation of significant deficiencies because significant deficiencies are important in their own right, can be a critical component of a material weakness, and are more commonly encountered than material weaknesses.[4]

Auditor evaluation of the significance of deficiencies is complex and subjective (Boury and Spruce 2005; Heuberger and Nepf 2005) and uncertainty surrounds the signal that an identified control deviation sends regarding the effectiveness of internal controls. AS 5 (PCAOB 2007 ¶ 48) states: “…because effective internal control over financial reporting cannot, and does not, provide absolute assurance…an individual control does not necessarily have to operate without any deviation to be considered effective.” Determining whether an observed control deviation is diagnostic of a systematic breakdown or an underlying limitation of internal controls is a key auditor judgment, and it is not a bright-line judgment.

As in the financial statement audit, management inquiry is a commonly used input in the evaluation of control deviations (PCAOB 2007 ¶ 50). However, management inquiry in a SOX environment represents a new, higher tension auditor-client interaction. Prior to SOX, auditors evaluated internal controls to plan their financial statement audit procedures and could usually audit around control problems by increasing the scope of their substantive test work (Ashton 1974; Libby et al. 1985). Now, the evaluation of internal control must stand on its own. In this new environment managers have greater reason to exploit the subjective process of evaluating internal control to avoid an adverse opinion or negative communications with the audit committee. Consequently, auditors are more often placed in a position of separating management persuasion tactics from factual information when making inquiry of management about observed control deviations. Professional guidance requires auditors to use professional skepticism when performing management inquiry and to ultimately form their own, independent assessment (PCAOB 2007 ¶ 4).

Management’s Persuasion Tactics – Concessions and Denials

We study concessions and denials because they are at opposing ends of the theoretical spectrum of persuasion tactics and because anecdotal evidence suggests that management uses concessions and denials when explaining control deviations. The psychology literature on explanations indicates that concessions and denials each have benefits and costs and that the relative weighting of these benefits and costs determines the effectiveness of the persuasion tactic (Kim et al. 2004, 2006). Further, this literature finds that the relative weighting of benefits and costs depends on the nature of failure events (Kim et al. 2004, 2006; Shaw et al. 2003). We study IT security breaches and manual application control deviations because they are common types of control deviations (Scarborough and Taylor 2007) with different contextual features that we expect will lead to differences in the relative effectiveness of concessions and denials.

The benefit of a concession is that it increases perception of the acceptance of responsibility and trust (Bottom et al. 2002; Kim et al. 2004; Ohbuchi et al. 1989; Schwartz et al. 1978). We expect that this benefit will accrue to both IT security breaches and manual application controls. The cost of a concession is that it acknowledges the event and accepts responsibility, confirming that the failure event could have been prevented (Kim et al. 2004). The cost of concessions should be high for internal control deviations where a crucial judgment is whether or not management could have prevented the deviation. However, we expect that the cost of concession will be minimized for IT security breaches relative to manual application control breakdowns.

IT controls consist of a combination of technological and manual elements (AICPA 2006). For example, IT security controls include programmed access controls (technological) and employee choice and protection of passwords (manual/human). The technological element of an IT control is highly reliable when properly designed, implemented, and protected from improper change (Jackson 2007). It is the manual/human element of properly designed and implemented IT controls that can fail and create operating effectiveness deviations (Jackson 2007; Gansler and Lucyshyn 2005). In an IT security breach, perpetrated against a properly designed and implemented system, the technology element is irrelevant information because the root cause of the breach is human failure, just as it is in a manual application control failure. However, Hackenbrack (1992) finds that irrelevant information dilutes auditors’ decisions by distracting them from the diagnostic evidence. In a similar manner, we expect the irrelevant technology element in an IT security breach will distract the auditor from confirming management’s responsibility for the human failure event and thus allow management concession to reap the benefit of increasing trust while minimizing the cost of confirming responsibility.

Our expectation that technology will distract the auditor from critically assessing human failure is based on two psychological responses to technology. First, technology is an impersonal element and Bies et al. (1988) find that impersonal elements surrounding a failure event have the ability to shift focus away from the event’s human elements. Nissenbaum (1994, 77) specifically indicates that inanimate computer systems allow human action to be distanced from failure events in that, “having found one explanation for an error or injury, the further role and responsibility of human agents may be underestimated.” Second, technology failure is perceived to be more normative than human failure. Gansler and Lucyshyn (2005) argue that people accept risk as inevitable or normal in technology, and Naquin and Kurtzberg (2004) argue and find that a basic psychological response to technology is that computer failure is considered less discretionary than human failure.[5]

In sum, we expect a concession for an IT security breach will be an effective persuasion tactic because it will accrue the benefits of a concession and, at the same time, minimize a concession’s costs. In contrast, the failure of manual application controls stands alone as undiluted human failure. We expect a concession for a manual application control deviation will not be effective because the concession confirms direct connection to a singularly human failure event such that the costs of concession will offset the benefits.

We do not expect a denial to be an effective management persuasion tactic for either an IT security breach or a manual application control breakdown. Unlike social failure events where denial is a credible strategy (Kim et al. 2004), denial of an internal control failure event sends a strong signal that is at odds with management’s basic statutory requirement of “accepting responsibility.” AS 5 indicates that management must accept responsibility for the effectiveness of the company’s internal control over financial reporting (PCAOB 2007 ¶ 75). Therefore, we expect that denial produces a very high cost which negates all potential benefits irrespective of the control deviation’s context.

Hypotheses – Impact of Persuasion Tactics on Auditors’ Judgments

Figure 1 illustrates the theoretical chain through which we expect concession and denial to influence auditor judgment. Dependent on control deviation context, we first predict that management concession, compared to denial, heightens auditor perception of the explanation’s adequacy. Prior research finds that an explanation’s perceived adequacy, as opposed to the explanation’s claim in-and-of itself, is the primary factor in determining explanation effectiveness (Bies et al. 1988; Shapiro et al. 1994; Hareli 2005). Thus, persuasion tactics must first increase explanation adequacy before they effectively change subsequent judgments (Barton and Mercer 2005; Bies and Shapiro 1987).

Heightened perceptions of explanation adequacy are then expected to mitigate management’s attribution for the internal control deviation because higher perceived explanation adequacy increases the explanation’s ability to mitigate the assignment of blame and accountability for the failure event (Shaw et al. 2003). According to fairness theory, individuals assess accountability for an event by comparing what happened to what might have happened, generating counterfactual thoughts of what could have been done and what should have been done. The more adequate an explanation for a failure event, the more the explanation’s recipient will see the failure event as the only feasible option, which will deactivate “could have” and “should have” counterfactuals (Folger and Cropanzano 2001). Therefore, as shown in Figure 1, we expect that higher auditor perception of explanation adequacy will directly reduce perceived management attribution for the control deviation in terms of blaming management for what could have and should have been done to prevent the deviation.

Finally, lower management attribution for the deviation is predicted to lower judgment of the control deficiency resulting from the deviation. In the context of an internal control audit, auditor perception of what management could have and should have done to prevent the deviation is critical, because as options for the prevention of a control deviation are perceived as less feasible, the control deviation will be considered more a limitation of the control system and less a control deficiency.

As shown in Figure 1, we hypothesize the direct effect of concession and denial on perceived explanation adequacy and the indirect effects of concession and denial on management attribution and control deficiency judgment.[6] We predict that concessions, as compared to denials, in an explanation for an IT security breach will produce: (1) higher perceived adequacy of management’s explanation; (2) lower perceived management attribution; and (3) lower judgment of control deficiency. For manual application control deviations, we expect no differences in auditor perceptions or judgments between concessions and denials. Accordingly, we offer the following hypotheses.

H1: For IT security breaches, perceived explanation adequacy will be higher for management concessions than denials.

H2: For IT security breaches, perceived management attribution will be lower for management concessions than denials.

H3: For IT security breaches, judged control deficiency will be lower for management concessions than denials.

III. RESEARCH METHODS AND PARTICIPANTS

Experimental Task and Materials

We conducted an experiment where audit seniors read a case and then assessed two internal control deviations. Materials consisted of background information about a manufacturing company, summary financial statements, a narrative description of the revenue transaction processing cycle, information concerning auditor identified control deviations, and a conversational vignette between an auditor and a client manager. All deviations were designed such that they could have potentially contributed to a more than inconsequential misstatement of the financial statements and the root cause was employee failure to follow procedures. In the IT security breach condition, one deviation involved a password policy violation resulting in placement of false sales orders from a stolen laptop (IT-1). The other involved a system breach where an employee wrongly provided access to an intruder who stole customer procurement card information (IT-2). In the manual application controls condition, one deviation involved inappropriate credit-approval overrides (Manual-1) and the other involved unrecorded discounts on sales (Manual-2).[7] Each participant analyzed either the two IT or the two manual control deviations to ensure that our findings were not driven by idiosyncrasies in a particular form of control deviation.

The conversational vignette took place between the audit senior and the client’s controller. In the vignette, the controller explained the control deviations. In the concession (denial) condition, the controller concedes (denies) that there was an operating effectiveness breakdown with respect to each control deviation. Importantly, in neither the concession nor the denial treatment did the controller offer to make any changes to internal control procedures, and in each treatment, the controller indicated that management is very concerned with maintaining strong internal controls and that “nothing has occurred that caused a material misstatement of profits,” strongly implying that the internal control deviations should not be considered deficiencies. See Appendix A for an excerpt of the experimental materials.

We randomly assigned participants to one of the two internal control deviation context conditions and one of the two persuasion tactics conditions. Within treatment cells, we counterbalanced the order of the two internal control deviation cases. Experimental administrators read a script introducing the experiment to the participants, and they distributed envelopes containing an information sheet, general instructions, background questions, and experimental task materials. Administrators also monitored completion of the task and collected the instruments. The experiment was completed in a one-hour period.

Variables

Dependent variables adhered to our hypotheses and were measured on 11-point scales. Perceived explanation adequacy assessments were anchored on “not adequate” and “very adequate.” Control deficiency judgment assessments were anchored on “no deficiency” and “significant deficiency.” Following Shaw et al. (2003), we measured management attribution as a function of assessed blame and perceived feasible options. Management blame assessments were anchored on “no blame” and “all blame.” Management could have done more to prevent the [control deviation] and management should have enacted other controls or procedures were anchored on “no” and “yes.”[8] Construct validity checks provide support for our use of the management attribution construct. Management blame, “could have done”, and “should have done” produced confirmatory factor analysis loadings of 0.733, 0.861, and 0.670; each loading was statistically significant (p < .01); and internal consistency reliability was 0.80. In terms of discriminant validity, we found that when the management attribution construct was paired with any other dependent, independent, or control variable in an unconstrained structural equation model (SEM) it produced a significantly better fit than an identical SEM model that constrained the path to unity (p < .01 for all comparisons) (Andersen and Gerbing 1988).[9]

Independent variables adhered to our experimental design and were coded as dichotomous variables: type of deviation (IT security breach versus manual application control breakdown), type of persuasion tactic (concession versus denial) and control deviation case (first deviation versus second deviation). Control variables for each internal control deviation followed professional guidance in AS 5 regarding the determination of control deficiency. We captured perceptions of the likelihood and potential magnitude of the misstatement as well as the efficacy of compensating controls for each deviation. The likelihood of misstatement scale ranged from “remote” to “probable,” the magnitude of misstatement scale ranged from “inconsequential” to “material,” and the scale measuring the influence of compensating controls ranged from “negatively influenced” to “positively influenced.”[10]

Participants

Senior auditors from a Big-4 firm attending a national training session acted as participants. Four participants were dropped due to incomplete responses so our final sample consisted of 106 auditors. Table 1 Panel A presents a profile of the participants’ experiential backgrounds. As shown, the auditors in our study had an average of about three years of experience; most had been trained on SOX 404 and AS 2 (89.62%); and most had been involved in SOX 404 audits (86.79%).[11] Table 1 Panel B presents the auditors’ appraisal of the control deviations. The auditors indicated that they understood the control deviations in the experimental materials, rating average understandability between 8.68 and 9.46 on an 11-point scale for each internal control deviation. Further, each control deviation was perceived as having financial statement implications with average financial statement risk rated between 7.93 and 8.78 on an 11-point scale for each control deviation. In sum, the audit seniors who participated in our study appear to have had sufficient background to analyze the control deviations that they were given, and they considered the deviations a threat to the integrity of the financial statements. Based on Chi-square and ANOVA testing, we find that the experience and control deviations assessment metrics were not significantly different (p > .10) across treatment conditions with the exception of months of audit experience (p = .02).[12] Each of the experience and control deviations assessments was included as a covariate in each of the multivariate data analyses presented. None were statistically significant or had a substantive effect on the reported results.

[Place Table 1 about here.]

Experimental Checks

To ensure that the internal control deviations and dialogue were realistic and representative of practice, experimental materials were reviewed by two audit managers (from a Big 4 firm not providing participants), a former Big 4 audit partner, the controller of a publicly traded firm, and they were pilot tested on audit seniors from several different firms. The final versions of the experimental materials were reviewed by a partner and manager from the firm that provided participants to ensure that terminology was consistent with firm terminology and to ensure that the experimental task was appropriate for the firms’ audit seniors. While these reviewers noted that final determination of internal control deficiencies is made at a higher level than senior auditor, they also indicated that control issues are first analyzed by the engagement senior and they consider these initial assessments of internal control deviations to be vital to the audit.

Manipulation checks were included to verify that participants read and understood the treatments. One question asked when the control deviation was discovered and was anchored by “while testing revenue cycle application controls” and “while testing information technology general controls.” The mean responses of participants in the manual application control deviation treatment were 3.07 and 2.50 for the two internal control deviations. The mean responses of participants in the IT security breach treatment were 8.59 and 8.85 for the two internal control deviations. All differences between the treatments were statistically significant (p 0.97, root mean square error of approximation (RMSEA) < .074, and the standardized root mean square residual (SRMR) < 0.046 (Kline 2005).

[Insert Figure 2 about here]

Considering first the model for IT security breaches (Figure 2 Panel A), we find that as theorized concession/denial persuasion tactics only influence control deficiency judgments indirectly. We observe two statistically significant indirect paths leading from persuasion tactic type to the control deficiency judgment: 1) concession/denial => explanation adequacy => management attribution => control deficiency (t = 3.608, p < .01); and 2) concession/denial => explanation adequacy => management attribution => magnitude of misstatement => control deficiency (t = 1.978, p = .056). We find that explanation adequacy fully mediates the effect of concession/denial persuasion tactics on management attribution. This finding validates the theory that the perceived adequacy of reasoning is the key determinant of explanation effectiveness, not the claim itself (Bies and Shapiro 1987). We also find that management attribution fully mediates the effect of the perceived adequacy of management’s explanation on auditor judgments of control deficiency. This finding indicates that auditors use the adequacy of management’s explanation to evaluate the tradeoff between management fault and inherent control limitations, but it is the level of fault attributed to management that influences deficiency judgments.

With respect to the path model for manual application control deviations (Figure 2 Panel B), we find no effect for concession/denial persuasion tactics on perceived explanation adequacy.[16] However, the relation between perceived explanation adequacy, management attribution, and auditor judgment is substantially similar to that in the path model for IT security breaches. From explanation adequacy, we observed three statistically significant indirect paths leading to manual application control deficiency judgments: 1) explanation adequacy => management attribution => control deficiency (t = 2.907, p < .01); 2) explanation adequacy => management attribution => magnitude of misstatement => control deficiency (t = 1.667, p = .099); and 3) explanation adequacy => management attribution => likelihood of misstatement => control deficiency (t = 1.659, p = .100).

Our SEM results offer two important insights. First, auditor perception of the adequacy of management’s explanation directly influences auditor judgment of the fault attributed to management for a control breakdown, and management fault is a significant determinant of internal control deficiency judgments. Additionally, the effect of perceived explanation adequacy on auditor judgment occurs regardless of whether the context is an IT security breach or a manual application control breakdown. This is important, because no provision in professional guidance is made for an auditor’s perception of management’s explanation for a control deviation. Yet our results indicate a strong effect on auditor judgment contingent on how adequate management’s explanation of the potential control deficiency is perceived. This finding indicates that anything management can do to make their explanations appear more adequate will result in audit judgments that are more aligned with management’s agenda, and this is the source of the second important insight provided by the path models. We find that dependent on context, persuasion tactics can influence auditor perceptions of the adequacy of management’s explanations and in the end auditor judgment of control deficiency.

V. DISCUSSION

Explanations are given to persuade others that one’s actions are sensible and appropriate (Keil 2006). Prior research in accounting finds that management makes self-serving explanations in annual reports (Aerts 2005; Barton and Mercer 2005; Bettman and Weitz 1986) and to auditors when defending their position related to earnings management attempts (Nelson et al. 2002). The literature also indicates that auditors are less persuaded by self-serving explanations when management has incentives to manage earnings (Anderson et al. 2004) and that only plausible explanations for unfavorable outcomes persuade analysts (Barton and Mercer 2005). We extend this literature by holding incentives and factual content constant to study the impact of persuasion tactics embedded in management’s explanations to auditors.

In our experiment, 106 audit seniors evaluated internal control exceptions stemming from either IT security breaches or manual application control deviations crossed with either concession or denial persuasion tactics embedded in management’s explanations to the auditor. When management conceded that an IT security breach signaled an inconsequential control problem, auditors assessed explanation adequacy higher, management fault lower, and control deficiency lower than when management denied the existence of any control problem. On the other hand, for manual application control breakdowns, management’s persuasion tactics had no differential effect on auditor assessment of explanation adequacy, management fault, or control deficiency.

This research has limitations. Audit planning materials are rich, but they are necessarily restricted in this study due to limits on access to the experimental participants and potential maturity effects in our experiments. Our experimental cases differed on attributes other than the incidence of an IT security breach or a manual application control breakdown. Analyses of alternative explanations for our results did not contradict our interpretation of persuasion tactic differences between IT security breaches and manual application control breakdowns. However, we cannot rule out the possibility that unobserved correlated variables could offer an alternative explanation for our results. Additionally, our results may not generalize to all types of control deviations. For instance, control deficiencies defined as design deficiencies typically do not involve operational testing, and it is not clear whether management persuasion tactics would influence auditors differently for design versus operational control deficiencies. Future research is needed to address these issues.

Our participants came from one Big 4 firm, and they were all at the senior level. Therefore, our results are specific to audit seniors and potentially specific to the firm that provided the participants. Also, audits usually involve an audit team, and the ability to consult team members can affect audit judgments. In this experiment, we used individual judgments that do not capture dynamic team interactions. However, the initial judgments made and documented by audit seniors have been shown to influence the judgments of reviewing auditors (Ricchiute 1999). Further, the senior auditor participants were experienced in assessing control deviations, and firm partners indicated that they were capable of assessing internal control deviations and that their individual judgments were important to the audit. Our focus on individual judgments is consistent with prior research in audit judgment and decision-making.

SOX requirements have significantly expanded audits of publicly traded firms and thereby created a new environment for the auditor that involves making subjective judgments on the quality of clients’ control systems. The subjective nature of this judgment provides the vehicle for management persuasion tactics to influence auditors. For regulators, our results indicate that auditors can be influenced by management persuasion tactics for certain types of internal control deviations. In addition, we find that the underlying source of that influence, perceived explanation adequacy, exerted a strong effect on auditor judgment regardless of control deviation context. This result is important because it suggests that management inquiry does more than provide auditors with factual evidence, as per professional guidance in AS5. With regard to audit practice, our results indicate that a consistent use of concessions by management is an optimal strategy, because concessions are not perceived negatively by auditors and sometimes they produce auditor judgments that are significantly more favorable to management’s agenda. This represents a potential bias in audit judgment that firms should consider addressing in training.

Finally, we extend the management explanation literature to consider persuasion tactics with a primary purpose of deflecting culpability, as opposed to explanations solely for the purpose of offering causal evidence germane to the audit. We demonstrate that the effectiveness of self-serving management explanations can depend on the type of persuasion tactic used and the context in which it is used. By demonstrating the importance of interaction effects between persuasion tactics and their context, we provide a more complete understanding of the complex relationship between management explanations and auditor judgment.

REFERENCES

Aerts, W. 2005. Picking up the pieces: Impression management in the retrospective attributional framing of accounting outcomes. Accounting Organizations and Society 30(6): 493-517.

American Institute of Certified Public Accountants (AICPA). 2006. Statement on Auditing Standard no. 109. Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. New York: AICPA.

Anderson, J., and D. Gerbing. 1988. Structural equation modeling in practice: A review and recommended two-step approach. Psychological Bulletin 103(3): 411-423.

Anderson, U., K. Kadous, and L. Koonce. 2004. The role of incentives to manage earnings and quantification in auditors' evaluations of management-provided information. Auditing: A Journal of Practice and Theory 23(1): 11-27.

Ashton, R. 1974. An experimental study of internal control judgments. Journal of Accounting Research 12(1): 143-157.

Bagozzi, R., and S. Kimmel. 1995. A comparison of leading theories for the prediction of goal-directed behavior. British Journal of Social Psychology 34: 437-461.

Banham, R. 2006. Party of three: Outside advisors leap in where auditors fear to tread. CFO 22: 56-64.

Barton, J., and M. Mercer. 2005. To blame or not to blame: Analyst's reactions to external explanations for poor financial performance. Journal of Accounting and Economics 39: 509-533.

Bettman, J., and B. Weitz. 1986. Attributions in the board room: Causal reasoning in corporate annual reports. Administrative Sciences Quarterly 28: 165-183.

Bies, R.J. and D.L. Shapiro. 1987. Interactional fairness judgments: The influence of causal accounts. Social Justice Research 1: 199-218.

Bies, R.J., D.L. Shapiro, and L.L. Cummings. 1988. Causal accounts and managing organizational conflict - Is it enough to say it’s not my fault? Communication Research 15: 381-399.

Bottom, W. P., K. Gibson, S. Daniels, and J. K. Murnighan. 2002. When talk is not cheap: Substantive penance and expressions of intent in rebuilding cooperation. Organization Science 13: 497-513.

Boury, P., and C. M. Spruce. 2005. Auditors at the gate: Section 404 of the Sarbanes-Oxley Act and the increased role of auditors in corporate governance. International Journal of Disclosure and Governance 2(1): 27-52.

Folger, R., and R. Cropanzano. 2001. Fairness theory: Justice as accountability. In Advances in Organizational Justice, edited by J. Greenberg and R. Cropanzano. Palo Alto, CA: Stanford Press.

Gansler, J. S., and W. Lucyshyn. 2005. Improving the security of financial management systems: What are we to do? Journal of Accounting and Public Policy 24: 1-9.

Hackenbrack, K. 1992. Implications of seemingly irrelevant audit evidence in audit judgment. Journal of Accounting Research 30(1): 126-136.

Hareli, S. 2005. Accounting for one’s behavior-What really determines its effectiveness? Its type or its content? Journal for the Theory of Social Behaviour 35 (4): 359-372.

Heuberger, J. H., and B. J. Nepf. 2005. Taking control of internal control reporting: Recent PCAOB and SEC guidance. Insights: The Corporate & Securities Law Advisor 19(7): 2-9.

Jackson, R.A. 2007. The human side of risk. Internal Auditor 64 (5): 38-44.

Keil, F.C. 2006. Explanation and understanding. Annual Review of Psychology 57: 227-54.

Kim, P. H., C. D. Cooper, D. L. Ferrin, and K. T. Dirks. 2004. Removing the shadow of suspicion: The effects of apology versus denial for repairing competence- versus integrity-based trust violations. Journal of Applied Psychology 89(1): 104-118.

Kim, P. H., K. T. Dirks, C. D. Cooper, and D. L. Ferrin. 2006. When more blame is better than less: The implications of internal vs. external attributions for the repair of trust after a competence- vs. integrity-based trust violation. Organizational Behavior and Human Decision Processes 99(1): 49-65.

Kline, R. B. 2005. Principles and Practice of Structural Equation Modeling. New York: Guilford Press.

Libby, R., J. Artman, and J. Willingham. 1985. Process susceptibility, control risk, and audit planning. The Accounting Review 60(2): 212-230.

Naquin, C. E., and T. R. Kurtzberg. 2004. Human reactions to technological failure: How accidents rooted in technology vs. human error influence judgments of organizational accountability. Organizational Behavior and Human Decision Processes 93: 129-141.

Nelson, M.W., J.A. Elliott, and R.L. Tarpley. 2002. Evidence from auditors about managers' and auditors' earnings management decisions. The Accounting Review 77 (Supplement): 175-202.

Nissenbaum, H. 1994. Computing and accountability. Communications of the ACM 37 (1): 73-80.

Ogneva, M., K. Subramanyam, and K. Raghunandan. 2007. Internal control weakness and cost of equity: Evidence from SOX section 404 disclosures. The Accounting Review 82(5): 1255-1297.

Ohbuchi, K., M. Kameda, and N. Agarie. 1989. Apology as aggression control: Its role in mediating appraisal of and response to harm. Journal of Personality and Social Psychology 56: 219-227.

Public Company Auditing Oversight Board (PCAOB). 2007. Auditing Standard Number 5 - An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements. Washington D.C.: PCAOB.

Ricchiute, D. N. 1999. The effect of audit seniors' decisions on working paper documentation and on partners' decisions. Accounting Organizations and Society 24: 155-171.

Scarborough, K. and M. Taylor. 2007. Two years and counting. Journal of Accountancy 203 (6): 74-80.

Schwartz, G., T. Kane, J. Joseph, and J.T. Tedeschi. 1978. The effects of remorse on the reactions of a harm-doer. British Journal of Social Psychology 17: 293-297.

Shapiro, D. L., E.H. Buttner, and B. Barry. 1994. Explanations: What factors enhance their perceived adequacy? Organizational Behavior and Human Decision Processes 58: 346-368.

Shaw, J. C., E. Wild, and J.A. Colquitt. 2003. To justify or excuse? A meta-analytic review of the effects of explanations. Journal of Applied Psychology 88(3): 444-458.

Tabachnick, B.G., and L.S. Fidell. 2000. Computer-Assisted Research Design and Analysis. Boston, MA: Allyn and Bacon.

Tata, J. 2002. The influence of accounts on perceived social loafing in work teams. The International Journal of Conflict Management 13 (3): 292-308.

TABLE 1

Profile of Auditors’ Experience and Assessment of Control Deviations

|Panel A: Experience | | |
| |Number |Percent |
|Number of Auditor Participants |106.00 |100.00 |
|Number of Auditor Participants With | | |
|In-Charge Experience |92.00 |86.79 |
|In-Charge Experience SOX 404 Controls Audit |57.00 |53.77 |
|Involvement in SOX 404 Audit |92.00 |86.79 |
|Training on SOX 404 |95.00 |89.62 |
|Training on AS 2 |95.00 |89.62 |
|Auditor Participants Average |Mean |Std. Dev. |
|Months Of Audit Experience |37.62 |19.78 |
|Number of Clients with SOX 404 audits |1.52 |1.03 |
|Number of Clients with systems group interactions |2.16 |1.25 |
|Number of Clients with significant deficiencies |0.90 |0.82 |
|Number of Clients with material weaknesses |0.33 |0.57 |

|Panel B: Assessment of Control Deviations a | | |
| |Mean |Std. Dev. |
|Understood Control Deviation b | | |
|IT-1: Password Policy Violation - Invalid Sales Invoices |9.00 |1.86 |
|IT-2: Wrongly Granting System Access - Stolen Procurement Cards |8.68 |1.73 |
|Manual-1: Unapproved Customer Credit |9.46 |1.59 |
|Manual-2: Unrecorded Sales Discounts |9.13 |1.84 |
|Financial Statement Risk of Control Deviation b | | |
|IT-1: Password Policy Violation - Invalid Sales Invoices |7.93 |2.42 |
|IT-2: Wrongly Granting System Access - Stolen Procurement Cards |8.78 |2.01 |
|Manual-1: Unapproved Customer Credit |8.50 |1.94 |
|Manual-2: Unrecorded Sales Discounts |8.73 |1.44 |

a Each deviation case was designed to be understandable, potentially have contributed to a more than inconsequential misstatement of the financial statements, and have its cause rooted in employee failure to follow procedures. IT-1 and IT-2 represent the IT security breach condition. The first deviation case involved placement of false sales orders using a password obtained from a stolen laptop where the employee had permanently stored their system password providing the mechanism for the deviation. The second deviation case involved a system access violation where the employee had provided access to an intruder who stole customer procurement card information. In the manual application control deviations condition, the first deviation case Manual-1 involved inappropriate credit approval overrides and the second deviation case Manual-2 involved unrecorded discounts on sales. (See Appendix A for an excerpt of the experimental materials that describes the control deviations.)

b Assessments were made on 11-point scales with 11 representing high understandability and high consideration of financial statement risk.

TABLE 2

Auditor Judgment Differences between Concede and Deny Explanations

| |IT Security Breach Control Deviations a |Manual Application Control Deviations |
| |IT-1 |IT-2 |Manual-1 |Manual-2 |
| |Password Policy Violation |Wrongly Granting Access |Unapproved Credit |Unrecorded Discounts |
| |Concede |Deny |t-value |Concede |

|DV = Explanation Adequacy a | |df |F |p b | |df |F |p b |
|Between Subjects | | | | | | | | |
|Concession/Denial | |1 |19.961 |0.000 | |1 |0.008 |0.929 |
|Error | |52 | | | |49 | | |
|Within Subjects | | | | | | | | |
|Case | |1 |2.046 |0.159 | |1 |3.047 |0.087 |
|Case x Concession/Denial | |1 |1.705 |0.197 | |1 |1.349 |0.251 |
|Error(Case) | |52 | | | |49 | | |
|DV = Management Attribution a | | | | | | | | |
|Between Subjects | | | | | | | | |
|Concession/Denial | |1 |3.774 |0.057 | |1 |0.062 |0.805 |
|Error | |52 | | | |49 | | |
|Within Subjects | | | | | | | | |
|Case | |1 |22.373 |0.000 | |1 |0.214 |0.645 |
|Case x Concession/Denial | |1 |0.005 |0.942 | |1 |0.063 |0.803 |
|Error(Case) | |52 | | | |49 | | |
|DV = Significance of Deficiency a | | | | | | | | |
|Between Subjects | | | | | | | | |
|Concession/Denial | |1 |6.499 |0.014 | |1 |0.072 |0.789 |
|Error | |52 | | | |50 | | |
|Within Subjects | | | | | | | | |
|Case | |1 |40.092 |0.000 | |1 |1.073 |0.305 |
|Case x Concession/Denial | |1 |0.197 |0.659 | |1 |0.414 |0.523 |
|Error(Case) | |52 | | | |50 | | |

a All variables are defined in Table 2. Greenhouse-Geisser and Huynh-Feldt adjustment to degrees of freedom for sphericity violations validate the reported repeated measure results (Tabachnick and Fidell 2000).

b p-values are two-tailed.

TABLE 4

Auditor Judgment Differences between IT and Manual Control Deviations

Panel A: Mean (Std. Dev.) of Manual and IT Control Deviation Cases

| |Control Deviation Cases a |
| |IT (1) |IT (2) |Manual (3) |Manual (4) |F-value c |
|Variables b |n = 54 |n = 53/54 |n = 51/52 |n = 51/52 | |
|Explanation Adequacy |5.22 |4.80 |4.04 |3.35 |5.828* |
| |(2.40) |(2.67) |(2.53) |(2.38) | |
|Management Attribution |7.66 |8.86 |9.55 |9.45 |12.103* |
| |(2.25) |(1.88) |(1.63) |(1.34) | |
|Control Deficiency |6.52 |8.63 |8.56 |8.29 |10.823* |
| |(2.60) |(2.29) |(2.03) |(1.87) | |
|Compensating Controls |-0.06 |-1.26 |-1.13 |-0.96 |3.725** |
| |(2.02) |(1.99) |(2.15) |(2.12) | |
|Magnitude of Misstatement |7.48 |8.62 |8.04 |7.73 |2.198*** |
| |(2.96) |(2.40) |(2.06) |(2.15) | |
|Likelihood of Misstatement |7.11 |7.70 |7.88 |8.15 |1.772 |
| |(2.82) |(2.40) |(2.39) |(1.99) | |

Panel B: Mean Differences between IT and Manual Control Deviation Cases

| | |Variables d |
|Control Deviations | |Explanation Adequacy |Management Attribution |Control Deficiency |Compensating Controls |Misstatement Magnitude |
|IT (1) |IT (2) |0.42 |-1.20* |-2.11* |1.20** |-1.14*** |
| |Manual (3) |1.18*** |-1.89* |-2.04* |1.07** |-0.56 |
| |Manual (4) |1.87* |-1.79* |-1.77* |0.90 |-0.25 |
|IT (2) |Manual (3) |0.76 |-0.69 |0.07 |-0.13 |0.58 |
| |Manual (4) |1.45* |-0.59 |0.34 |-0.30 |0.89 |
|Manual (3) |Manual (4) |0.69 |0.10 |0.27 |-0.17 |0.31 |

*, **, *** Denotes significance at the 1%, 5%, 10% levels, respectively. Tests are two-tailed.

a IT-1 refers to the password policy violation case; IT-2 refers to the wrongly granting access case; Manual-3 refers to the unapproved credit case; and Manual-4 refers to the unrecorded discounts case.

b All variables are defined in Table 2. Cell sizes vary due to the three missing responses noted in Table 2.

c A multivariate analysis of variance (MANOVA) indicated statistically significant differences between control deviation cases (Pillai’s Trace = 0.339; p < .01). Individual ANOVA F-values are shown.

d Values shown are mean differences. Bonferroni mean comparisons were used to determine statistical significance. Tukey honestly significant differences produced results identical to the Bonferroni method.

FIGURE 1

Theoretical Model

Auditor Judgments of Internal Control Deviations

[pic]

Boldfaced arrows indicate our theoretical model. Concessions, as compared to denials, are predicted to heighten auditor perceived explanation adequacy for IT security breach control deviations. Heightened explanation adequacy is predicted to decrease the level of fault attributed to management for the control deviation. Decreasing management attribution for a control deviation decreases auditor judgment of control deficiency.

Dashed arrows indicate hypotheses. Both direct and indirect effects originating from persuasion tactics are hypothesized.

H1: For IT security breaches, perceived explanation adequacy will be higher for management concessions than denials.

H2: For IT security breaches, perceived management attribution will be lower for management concessions than denials.

H3: For IT security breaches, judged control deficiency will be lower for management concessions than denials.

FIGURE 2

Structural Equation Models of the Effect of Concession and Denial on Significance of Deficiency Judgments

[pic]

*, **, *** Denote significance at the 1%, 5%, and 10% levels, respectively. Tests are two-tailed. Rectangles indicate measured variables and ovals indicate latent variables.

a Covariances between compensating controls, misstatement magnitude, and misstatement likelihood are modeled but not shown (p < .01; Appendix B). Structural models were estimated based on covariance matrices, and indicate good fit with the comparative fit index (CFI) > .97, root mean square error of approximation (RMSEA) < .074, and the standardized root mean square residual (SRMR) < 0.046 for both models (Kline 2005). Paths in bold indicate significant indirect effects. Statistically significant indirect effects stemming from concession/denial are only found in the path model for IT security breaches: 1) concession/denial => explanation adequacy => management attribution => control deficiency (t = 3.608, p < .01); and 2) concession/denial => explanation adequacy => management attribution => magnitude of misstatement => control deficiency (t = 1.978, p = .056). Statistically significant indirect effects stemming from explanation adequacy are observed in the path model for manual application control deviations: 1) explanation adequacy => management attribution => control deficiency (t = 2.907, p < .01); 2) explanation adequacy => management attribution => magnitude of misstatement => control deficiency (t = 1.667, p = .099); and 3) explanation adequacy => management attribution => likelihood of misstatement => control deficiency (t = 1.659, p = .100).

Appendix A

Experimental Materials: Internal Control Deviations and Conversational Vignette

IT Security Breaches:

Specific Issues determined in testing information technology general controls:

1. A salesperson’s laptop had been stolen. It contained a stored password that allowed a sales order to be downloaded to the system. Several bogus orders had been placed before the password was disabled.

2. Griffin’s system had been breached in November. Indications are that approximately 2000 customer records were stolen from the customer master file. Much of the information lost was harmless. However, some of it would be of value to competitors. Additionally, approximately 500 of the customers had procurement card information on file.

IT Security Breaches Conversational Vignette:

The audit senior on the engagement, John, follows up on these issues with Derrick, the controller of Griffin Inc. The following is the discussion between John and Derrick.[17]

John: Hi Derrick. I scheduled this meeting with you to discuss some findings related to our controls audit. First, I’d like to discuss salesperson access to your sales order system.

Derrick: Sit down, John. I’d be happy to discuss that with you. Our salespeople work primarily from the field. So, we have provided them with laptops and that allows them to create sales orders and electronically file them from the field. Of course, both the laptops and our order entry system are password protected. What else can I tell you?

John: Well, I am familiar with the access controls that you just described; however, when we were performing our tests over information technology general controls, we reviewed password changes and found a cancelled password that we were told was due to a laptop theft. Apparently one of your salespeople lost their laptop and it contained the password for your order entry system?

Derrick: John, I admit that we did have a small breach of controls in access. (John, this was not a control breach. This was an unusual incident due to circumstances beyond our control.) The laptops themselves are password protected, but once that laptop is in the hands of a hacker, the laptop’s password is almost useless. In this particular instance, our salesperson had permanently stored their system password on their laptop. So, once the thief had the laptop, they basically had access to our order entry system. Now, that said, as soon as the laptop was reported stolen, we disabled that password. Additionally, our credit manager reviews sales orders and if the order is to a new customer, he catches it. John, I concede that we had a breach of a system access control, but as I said, our credit manager reviews sales orders. (John, people steal. We have controls that limit the damage from theft, but we cannot stop theft. This is not in our power. This is not a breach of controls.)

John: Did any invalid sales orders get through?

Derrick: Frankly, we did ship a very large order to one of our customers. Although they could have denied it, the order happened to be for product they normally carry so they accepted the order after they reported it. If those amounts hadn’t been paid, that could have affected our results for this year. But, the important point is that the account was paid.

John: OK, let’s get to the next issue. It appears that your main servers were hacked in November. Additionally, we found evidence that the customer master file was breached.

Derrick: Again, John, I have to admit that security was breached. (Again, John, this was not a control breach. This system breach was due to circumstances beyond our control.) It looks like we were socially engineered. Someone began attacking our system. Of course, our firewall picked it up. Then one of our system administrators got a phone call, and the caller said that our system was attacking his system. Our administrator said he didn’t think that was the case and that we were being attacked also. In any event, the two decided that they would work on this problem together, and our administrator gave the caller access to part of our system. Well, the caller was the hacker and he used his access to our system to breach the customer master file. As you know, he got about 500 procurement card numbers. Luckily the liability on those is limited. (John, how do you protect yourself against something like this? Bad guys are constantly trying to break into our system. We cannot control that. One of them just got through this time.) And don’t forget, John, we trained our people against this type of threat.

John: How quickly did you discover the breach?

Derrick: You know, John, that’s the insidious thing. When one of our employees lets a hacker into our system, we don’t have any mechanism to catch them. If we don’t stop them at the gate, it’s trouble. We didn’t know that our system had been breached until the pro-cards started getting charged fraudulently, and it eventually led back to our shop.

John: Is there any possibility of an unrecorded liability here?

Derrick: No, I don’t think so, John. It could have been larger, but we caught it in time. All the cards have been stopped. We’ve paid damages and none of our customers have indicated legal action. I think we are fine.

[pause as John considers the situation]

Derrick: Listen, John, we are very concerned that we maintain strong internal controls. I readily concede that we had a couple of control issues. But, (We do not have issues with our controls. There is nothing wrong with our controls over system security. These issues that you’ve brought up are things that are beyond the control of any normal business or system. And,) with our compensating controls, nothing has occurred that caused a material misstatement of profits.

Manual Application Control Breakdowns:

Specific Issues determined in testing application controls in the revenue cycle:

1. Near the end of the year, the electronic approval by the credit manager was missing for several customer orders that exceeded the credit limit. These orders were still processed without the approval.

2. The analysis of the daily unapplied cash exception reports indicated a number of unreported discounts to customers. Upon further investigation the auditor found that salespeople gave discounts to customers and failed to record them on the customer order. In most instances, adjustments to revenue were made without contacting the salespeople.

Manual Application Control Breakdowns Conversational Vignette:

The audit senior on the engagement, John, follows up on these issues with Derrick, the controller of Griffin Inc. The following is the discussion between John and Derrick. [18]

John: Hi Derrick. I scheduled this meeting with you to discuss some findings related to our controls audit. First, I’d like to discuss the controls over the approval of credit.

Derrick: Sit down, John. I’d be happy to discuss that with you. We have a credit manager who approves all customer credit limits and then approves all orders exceeding the credit limit specifically determined for each customer. When we have a new customer, our credit manager uses a software application that allows him to check credit ratings with three credit rating agencies. Once he has the credit ratings, he assigns a credit limit. He also reviews credit ratings for all customers on a semi-annual basis and adjusts the limits accordingly. For our largest clients, he performs this on a quarterly basis. When orders come in, they are checked against the current available credit limit. If there is not enough available credit, the order is reviewed. If approved, the credit manager uses a special password to approve the order and release it for processing. What else can I tell you?

John: Well, I am familiar with the process that you just described; however, when we were performing our tests over revenue cycle application controls, we found some orders that were missing an approval from the credit manager. It appears that these orders were routed through the system in another way and were filled without credit approval.

Derrick: John, I admit that we did have a small breach of controls in credit approval. (John, this was not a control breach. This was an unusual incident due to circumstances beyond our control.) During September, our credit manager was really sick and had to be out for several weeks. So, we performed a handful of system overrides to release orders for processing. (We have no power over situations like this. The guy was so sick we couldn’t even discuss the situation with him for over a week.)

John: Oh. Who performed the override and did this individual check the available credit?

Derrick: The system override was performed by the Service Specialist Supervisor, Brenda. She was able to check available credit for our existing customers, but she could not access the software to check credit for new customers. We would have liked to take the time to get the access, but we needed to process the orders in a timely manner. It affected only a few new customers and we monitored it closely. John, I concede that we had a breach of this control, but as I said, we monitored it closely. (This was an isolated case based on events that were outside our control. It affected only a few new customers and we did not want to risk losing those customers simply because we couldn’t check their credit in a timely fashion. We had no other alternatives and we monitored it closely. John, this is not a breach of controls.)

John: I guess the next question that I have is whether you know if this has had any impact on your financial statements.

Derrick: Frankly, we did have one new customer that placed a very large order that was approved without a credit check. If those amounts hadn’t been paid, that could have affected our results for this year. But, the important point is that the account was paid.

John: OK, let’s get to the next issue. It appears that customer discounts are not always recorded. Additionally, we found evidence that some unrecorded discounts are excessive.

Derrick: Again, John, I have to admit that sometimes this control has been breached. (Again, John, this was not a control breach. This issue is due to circumstances beyond our control.) Our salespeople are required to record all discounts and our system checks to ensure that discounts are within acceptable limits on all orders. But, the salespeople don’t always do it. (Sometimes, they get busy, forget and don’t record the discount or get approval, but that’s just human error outside our control. We remind them, but John, you know what salespeople are like. They’re not like auditors. They just aren’t as good about paperwork.) However (And), don’t forget, John, I review a gross margin report on a monthly basis to make sure that something like excessive discounts doesn’t get out of hand.

John: Is anyone doing anything else to ensure the accuracy of invoice amounts around quarter ends?

Derrick: No, because I am reviewing gross margin reports which would pick up any material misstatements. I fully recognize that our product line has wide variation in margins, but I think that I have enough experience to know if something is seriously out of whack.

[pause as John considers the situation]

Derrick: Listen, John, we are very concerned that we maintain strong internal controls. I readily concede that we had a couple of control issues. But, (We do not have issues with our controls. There is nothing wrong with our controls over revenue. These issues that you’ve brought up are things that are beyond the control of any normal business or system. And,) with our compensating controls, nothing has occurred that caused a material misstatement of profits.

Appendix B

Pearson Correlations (p-value)

| Variables^a | Concede/Deny | Explanation Adequacy | Management Blame | Could | Should | Compensating Controls | Magnitude of Misstatement | Likelihood of Misstatement | Control Deficiency |
|---|---|---|---|---|---|---|---|---|---|
| Concede/Deny | 1 | | | | | | | | |
| Adequate Explanation | -0.229 (0.001) | 1 | | | | | | | |
| Management Blame | 0.061 (0.380) | -0.146 (0.000) | 1 | | | | | | |
| Management could have done | 0.127 (0.066) | -0.362 (0.000) | 0.631 (0.000) | 1 | | | | | |
| Management should have done | 0.121 (0.079) | -0.575 (0.000) | 0.491 (0.000) | 0.577 (0.000) | 1 | | | | |
| Compensating Controls | -0.114 (0.098) | 0.464 (0.000) | -0.392 (0.000) | -0.273 (0.000) | -0.334 (0.000) | 1 | | | |
| Magnitude of Misstatement | 0.145 (0.035) | -0.346 (0.000) | 0.386 (0.000) | 0.349 (0.000) | 0.383 (0.000) | -.357 (0.000) | 1 | | |
| Likelihood of Misstatement | 0.108 (0.117) | -0.356 (0.000) | 0.422 (0.000) | 0.286 (0.000) | 0.449 (0.000) | -0.196 (0.004) | 0.587 (0.000) | 1 | |
| Significance of Deficiency | 0.131 (0.056) | -0.478 (0.000) | 0.591 (0.000) | 0.461 (0.000) | 0.519 (0.000) | -0.363 (0.000) | 0.544 (0.000) | 0.534 (0.000) | 1 |

Pearson correlation (p-value) shown; n = 210 – 212.

a All variables defined in Table 2. Cell sizes vary due to the three missing responses noted in Table

-----------------------

[1] We informally polled Big 4 auditors and received responses that indicated it was common for clients to take self-serving views of internal control deviations and attempt to persuade the auditor that the deviation is not a deficiency, either by conceding an inconsequential issue or denying the issue. Because a group of lower-level deficiencies can sum to a higher-level internal control deficiency (PCAOB 2007), the auditors we polled indicated that manager concern is not strongly limited by a materiality threshold, and managers tended to challenge all control deviations.

[2] IT security breaches involve inappropriate use of a firm’s information system whereby firm data is changed and/or illicitly used. Most security breaches are caused by employee failure to follow control procedures (Gansler & Lucyshyn 2005). Manual application control breakdowns involve deviations within a particular application (e.g., accounts receivable) and are also based upon employee failure. All control deviations in this research are based upon employee failures. IT security breaches can be classified as application control breakdowns or as pervasive control breakdowns, depending on whether the control is designed to protect a single application or multiple applications.

[3] Following AS 5, all control exceptions had a direct effect on the financial statements.

[4] Our informal poll of auditors provided anecdotal evidence that significant deficiencies are more common than material weaknesses and our descriptive statistics (see Table 1) reveal that auditors in our study were almost three times more likely to encounter a significant deficiency than a material weakness.

[5] Naquin and Kurtzberg (2004) compare errors involving technology (malfunction of computer program leading to a train collision) to human error (same collision caused by conductor error). We extend Naquin and Kurtzberg (2004) by explicitly comparing human error involving technology to human error alone.

[6] Our model predicts a series of mediated effects. While all model effects are tested, we formally hypothesize only the expected effects of the management persuasion tactics.

[7] IT controls contain both automated and manual elements (AICPA 2006). However, control deviations in a properly designed and implemented IT control should result from manual failures as opposed to automated failures. Therefore, all control deviations in our study have their origin in human error, regardless of whether the context is an IT security breach or a manual application control breakdown.

[8] Aside from the structural equation analysis, management attribution is reported and analyzed as the mean of its three underlying 11-point scales; a factor analysis-based management attribution construct produced inferentially identical results.

[9] Internal consistency reliability is calculated as follows: $(\sum \lambda_i)^2 / [(\sum \lambda_i)^2 + \sum (1-\lambda_i^2)]$, where $\lambda_i$ refers to the ith component loading and $(1-\lambda_i^2)$ refers to the ith error variance. This reliability coefficient is similar to Cronbach’s alpha, but weights each factor by its loading, as opposed to assuming equal weights (Bagozzi and Kimmel 1995). (Cronbach’s alpha is calculated at 0.80.) With respect to discriminant validity, constructs were constrained to be equal for each pair of variables, and then were left unconstrained in a comparison model. By setting the constructs equal, the model assumed both variables to be capturing the same construct. If the χ2 value of the unconstrained model is significantly smaller than that of the constrained model, then the variables are demonstrating discriminant validity (Anderson and Gerbing 1988).

[10] The 11-point scale on the compensating controls question ranged from -5 to 5, because it encompassed both negative and positive perceptions. All other questions have scales ranging from 1 to 11.

[11] The experiment was run prior to the implementation of AS 5. Therefore, we solicited demographics on AS 2 training.

[12] Five auditors reported audit experience of 90 to 120 months. If we consider them outliers and drop them from our analyses, months of audit experience is no longer significantly different across treatment conditions (p = .177). Dropping these auditors from our sample and re-running our statistical analyses produced results substantially identical to those reported. They are, therefore, left in the sample.

[13] Repeated measures multivariate analysis of variance (RMANOVA) results support the reported individual repeated measure ANOVAs. For IT control deviations, concession/denial is significant (Pillai’s Trace = 0.283; p < .01) and the interaction of case-by-concession/denial is insignificant (Pillai’s Trace = 0.040; p = .557). For manual control deviations, concession/denial is insignificant (Pillai’s Trace = 0.006; p = .962) and the interaction of case-by-concession/denial is insignificant (Pillai’s Trace = 0.031; p = .688).

[14] As noted in the methods section, the comparison of IT security breach control deviations and manual application control deviations required the comparison of different deviation cases. Therefore, the possibility exists that differences between the IT security breach cases and the manual application control cases are due to underlying differences in the cases, as opposed to cognitive processing differences for IT security breach and manual application control deviations.

[15] This result is validated by the SEM models shown in Figure 2 which include and control for auditor perceptions of plausibility, severity, and management attribution.

[16] We also performed a multi-group SEM analysis that tested simultaneously the IT security breach and manual application control models. The multi-group analysis allowed the testing of differences in individual paths between the IT security breach and manual application control models. The multi-group analysis validated that the path leading from concession/denial persuasion tactics to explanation adequacy differed between the IT security breach and manual application control models (χ2 = 22.553; p < .01).

[17] Italicized text represents the concession manipulation. Italicized text in parentheses represents the denial manipulation.

[18] Italicized text represents the concession manipulation. Italicized text in parentheses represents the denial manipulation.

-----------------------

[Figure labels: Management Persuasion Tactics (Concede or Deny); Management Attribution for the Control Deviation; Perceived Explanation Adequacy; Auditor Control Deficiency Judgment; Context of Control Deviation (IT security breaches or manual application controls breakdown)]

[Figure labels: Concession/Denial^b; Control Deficiency; Misstatement; -2.389*]
