Jurnal Audit1 PDF

Internal Control Weaknesses
and Client Risk Management

RANDAL ELDER*
YAN ZHANG**
JIAN ZHOU***
NAN ZHOU****
We study auditors’ client risk management in the first year of the Sar-
banes-Act Oxley (SOX) 404 implementation, and find that a pecking
order exists among auditors’ strategies to manage control risk resulting
from internal control weaknesses. We first examine the relation between
internal control weaknesses and audit fees, modified opinions, and audi-
tor resignations, respectively, and establish that these are viable strat-
egies to manage control risk on a stand-alone basis. We also find that
changes in audit fees and changes in modified opinions are positively
associated with changes in reported internal control weaknesses. When
we investigate these strategies simultaneously, descriptive evidence sug-
gests that a pecking order exists among auditors’ client risk manage-
ment strategies. Ordered logit analyses further confirm that, as clients’
control risk increases, auditors are likely to respond in the order of
audit fee adjustments, modified opinions, and auditor resignations. Our
comprehensive evidence suggests that auditors use an array of ordered
strategies to manage client-related control risk.
Keywords: Internal Control Weaknesses, Client Risk Management, Audit Fee

and Audit Opinion, Auditor Resignation
*Syracuse University
**SUNY-Binghamton
***SUNY-Binghamton and Nanyang Technological University
****HKUST and SUNY-Binghamton
We thank Jean Bedard, Ayesha Dey, Denise Dickins, Weili Ge, Karla Johnstone, Mark Kohl-
beck, Ryan LaFond, Clive Lennox, and especially an anonymous reviewer for detailed and insightful
suggestions that have significantly improved the paper. We also thank workshop participants at the
2006 HKUST Summer Symposium on Accounting Research, the 2006 Annual Conference on Finan-
cial Economics and Accounting at Georgia State University, the 2007 American Accounting Associa-
tion (AAA) Annual Meeting, the 2007 AAA Auditing Midyear Meeting, the 2007 International
Conference on Accounting and Finance at Xiamen University, the 2008 JAAF/KPMG Foundation
Conference, Hofstra University, SUNY–Binghamton, SUNY–Buffalo, Syracuse University, and
Zhejiang University for helpful comments.
543
544 JOURNAL OF ACCOUNTING, AUDITING & FINANCE
1. Introduction
The Sarbanes-Oxley Act (SOX) of 2002 has changed the regulatory land-
scape for the accounting profession, especially for auditors of public companies.
The Public Company Accounting Oversight Board (PCAOB) was created to
directly monitor auditors’ work. In addition, conflicts of interest are prohibited
and civil and criminal liabilities are imposed for any violations. Consequently,
SOX has substantially increased legal liability for accountants. Before SOX,
auditors would typically face liability only after a client collapsed, but now they
face significant legal consequences for any violations of SOX provisions. For
example, a failure in PCAOB inspection could result in suspension or termina-
tion of an auditor’s registration status, without which the auditor is prohibited
from performing audits of public companies. In an extreme case, an accountant
could be sentenced to twenty years for willfully destroying or altering documents
(Wegman [2005]).
In this paper, we study how auditors manage control risk resulting from in-
ternal control weaknesses. Since auditors now assume greater risk when perform-
ing audits of public companies in this post-SOX era, such focus on client risk
management has added significance for public accounting firms. Specifically, cli-
ent-related risk can be classified into audit risk and client business risk. State-
ment on Auditing Standards (SAS) No. 107 (AICPA [2006]) decomposes audit
risk into three components: inherent risk, control risk, and detection risk.1 In
decisions related to client risk management, auditors should focus on inherent
risk and control risk, because these two components equal the likelihood of error
in clients’ accounts before the auditors’ testing (Elder and Allen [2003]).
Information on a client’s control risk was not publicly available on a large
scale before the enactment of SOX.2 This has dramatically changed, however,
because SOX has two sections specifically focusing on internal control disclo-
sures. Effective for all public firms for their fiscal years ending on or after Au-
gust 29, 2002, Section 302 (SOX 302) requires a firm’s management to disclose
significant internal control deficiencies when they certify quarterly or annual fi-
nancial statements. Section 404 (SOX 404) has two provisions: Section 404(a)
requires management to provide an assessment of internal control, and Section
404(b) requires auditors to provide an opinion on management’s assessment.3 An
accelerated filer must comply with SOX 404 for its first fiscal year ending on or
1. SAS No. 107 (AICPA [2006]) also defines combined inherent risk and control risk as the
risk of significant misstatement in the financial statements. SAS No. 107 replaced SAS No. 47
(AICPA [1983]), which first defined the audit risk model and its components.
2. Before SOX, firms were required only to disclose internal control problems in 8-Ks when
they changed auditors. SAS No. 60 required that the auditor communicate internal control deficien-
cies to the client’s audit committee. However, these communications were not generally publicly
available (Krishnan [2005]).
3. PCAOB Auditing Standard No. 2 required the auditor to issue an opinion on management’s
assessment, and a separate opinion on the effectiveness of internal control. PCAOB Auditing Stand-
ard No. 5 eliminated the opinion on management’s assessment.
INTERNAL CONTROL WEAKNESSES AND CLIENT RISK MANAGEMENT 545
after November 15, 2004; a nonaccelerated filer must comply with SOX 404(a)
for its first fiscal year ending on or after December 15, 2007, and SOX 404(b)
for its first fiscal year ending on or after December 15, 2009.4
One integral part of our analyses is to assess how auditors adjust their audit
fees in response to changes in their assessments of control risk. We thus focus
on the first year of SOX 404 implementation, an external shock forcing internal
control disclosures. This setting enables us to obtain a large number of firms that
are newly identified with internal control weaknesses under SOX 404, enhancing
the power of our test.5 Since firms will adapt to this new internal control report-
ing regime after the first year, the number of firms with changes in internal con-
trol opinions are expected to be small in subsequent years.
Specifically, we name the first year of SOX 404 implementation as the 404
period, restricting it to fiscal years ending between November 15, 2004, and No-
vember 14, 2005, to be consistent with SOX 404. We define the 302 period simi-
larly and restrict it to fiscal years ending between November 15, 2003, and
November 14, 2004. We find that auditors use an array of strategies to manage
client-related risk in the 404 period. Interestingly, a pecking order exists among
auditors’ strategies to manage control risk resulting from internal control weak-
nesses. As the level of control risk increases, auditors respond by adjusting audit
fees, issuing modified opinions, and resigning from clients.
We first examine the relation between internal control weaknesses and audit
fees, modified opinions, and auditor resignations, respectively. We find that firms
with internal control weaknesses are charged higher audit fees. When we separate
internal control weaknesses into company-level weaknesses and account-specific
weaknesses, we find that the audit fee premium for company-level weaknesses is
significantly higher than that for account-specific weaknesses. Compared with
account-specific weaknesses, company-level weaknesses are more extensive and
pervasive and thus more difficult to address in the audit. Moreover, we find that
firms with internal control weaknesses are more likely to be flagged with a modi-
fied opinion. Finally, we find that auditor resignations are more likely for firms
with internal control weaknesses. Based on these findings, we conclude that audit
fee adjustments, modified opinions, and auditor resignations are viable strategies to
manage control risk on a stand-alone basis.
We also test whether changes in audit fees and changes in modified opinions
are associated with changes in reported internal control weaknesses. During the
transition from the 302 period to the 404 period, firms newly identified with in-
ternal control weaknesses under SOX 404 are charged with greater audit fee
increases. They also are more likely to have their audit opinions changed from
4. Generally, accelerated filers are public firms with an equity market capitalization of more
than $75 million.
5. We find that 14.7 percent of our sample firms report internal control weaknesses in the first
year of SOX 404 implementation, whereas only 4.5 percent of our sample firms report such weak-
nesses in the year before SOX 404 implementation.
unqualified opinions to modified opinions and less likely to have their audit
opinions changed from modified opinions to unqualified opinions.
When we investigate these strategies simultaneously, descriptive evidence
suggests that a pecking order exists among auditors’ client risk management
strategies. The ordered logit analyses further confirm that, as the clients’ control
risk increases, auditors are likely to respond in the order of audit fee adjustments,
modified opinions, and auditor resignations. Our combined evidence suggests that
auditors use an array of ordered strategies to manage client-related control risk.
Our paper is related to the growing literature on internal control problems.
One strand of the literature focuses on the determinants of internal control prob-
lems. Krishnan (2005) finds that audit committee independence and financial ex-
pertise are associated with internal control problems before the enactment of
SOX, and Zhang, Zhou, and Zhou (2007) find that audit committee financial ex-
pertise is related to internal control weaknesses after the enactment of SOX. Ge
and McVay (2005) and Doyle, Ge, and McVay (2007a) find that internal control
weaknesses are more likely for firms that are smaller, less profitable, more com-
plex, growing rapidly, or undergoing restructuring. Ashbaugh-Skaife, Collins,
and Kinney (2007) find that firms with more complex operations, recent changes
in organization structure, more accounting risk exposure, and less investment in
internal control systems are more likely to disclose internal control deficiencies.
The other strand of the literature focuses on the consequences of internal
control problems. Doyle, Ge, and McVay (2007b) and Ashbaugh-Skaife, Collins,
Kinney, and LaFond (2008) find that firms with internal control problems tend to
have lower accruals quality. Ogneva, Subramanyam, and Raghunandan (2007)
and Ashbaugh-Skaife, Collins, Kinney, and LaFond (2009) show that internal
control deficiencies are positively related to firm risk and cost of equity capital.
Our finding that internal control weaknesses are an important determinant of
auditors’ client risk management strategies adds to the latter strand of literature.
Our paper is also related to research papers that study either the relation
between internal control problems and audit fees or the relation between internal
control problems and auditor turnover. Using internal client evaluation data from a
public accounting firm, Bedard and Johnstone (2004) examine audit risk factors in
three studies of auditors’ client risk management strategies before the enactment of
SOX. Specifically, Johnstone and Bedard (2003) study client acceptance, Johnstone
and Bedard (2004) study client dismissal, and Bedard and Johnstone (2004) study
planned audit hours and billing rates. Using internal control disclosures required
under SOX, several contemporaneous papers look at some aspects of the issues we
examine. Raghunandan and Rama (2006), Hogan and Wilkins (2008), and Hoitash,
Hoitash, and Bedard (2008) find that audit fees are associated with internal control
weaknesses; Hertz (2006) and Ettredge, Heintz, Li, and Scholz (2006) find that
auditor resignation is associated with internal control weaknesses.6
6. Ashbaugh-Skaife, Collins, and Kinney (2007) find that auditor resignations are associated
with internal control deficiencies before the enactment of SOX 404.
Unlike research that examines either audit fees or auditor turnover on a

stand-alone basis, our paper views audit fees, audit opinions, and auditor resigna-
tions as a portfolio of strategies at the disposal of auditors in managing client-
related risk, and establishes that a pecking order exists among these risk manage-
ment strategies. This pecking order evidence is new to the literature. In addition,
we document the relation between audit opinions and internal control weak-
nesses, a result absent in the aforementioned papers.
The rest of the paper is organized as follows. Section 2 discusses the back-
ground and proposes the hypotheses. Section 3 explains the data and describes
the sample selection procedures. Section 4 presents the empirical results. Section 5
concludes the paper.
2. Background and Hypotheses

2.1 Disclosure on Internal Control
SOX emphasizes internal control, which is defined as ‘‘a process, effected
by an entity’s board of directors, management and other personnel, designed to
provide reasonable assurance regarding the achievement of objectives,’’ accord-
ing to the COSO framework.7 Under Securities and Exchange Commission
(SEC) Release No. 33-8124 (August 29, 2002), SOX 302 requires management
to disclose significant deficiencies in internal control when they certify quarterly
or annual financial statements. Specifically, the signing officers, responsible for
internal control, have evaluated these internal controls within the previous ninety
days and have reported the following in their findings: (1) a list of all significant
deficiencies in internal controls and information on any fraud that involves
employees who are involved with internal control activities; (2) any significant
changes in internal controls or related factors subsequent to their evaluation that
could have a significant impact on internal controls.8
Under SEC Release No. 33-8238 (June 5, 2003), Section 404(a) requires
management to provide an assessment of internal control, and Section 404(b)
requires auditors to provide an opinion on management’s assessment. Specifi-
cally, issuers are required to disclose information concerning the scope and ade-
quacy of the internal control structure and procedures for financial reporting in
7. COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission,
which undertook an extensive study of internal control to establish a common definition that would
serve the needs of companies, independent public accountants, legislators, and regulatory agencies,
and to provide a broad framework of criteria against which companies could evaluate the effective-
ness of their internal control systems. COSO published its Internal Control—Integrated Framework in
1992.
8. The actual implementation of SOX 302 is somewhat different from the original rules stated
here. Ashbaugh-Skaife, Collins, and Kinney (2007) argue that the reporting of internal control prob-
lems under SOX 302 is voluntary, whereas Doyle, Ge, and McVay (2007a) rely on the requirement
that managers must publicly disclose changes in internal control to conclude that most material weak-
nesses are disclosed under SOX 302.
their annual reports. This statement shall also include an assessment of the effec-
tiveness of such internal controls and procedures. The registered auditing firm
shall, in the same report, attest to and report on the effectiveness of the internal
control structure and procedures for financial reporting. While an accelerated
filer must comply with SOX 404 for its first fiscal year ending on or after
November 15, 2004, under SEC Release No. 33-8392 (February 24, 2004), a
nonaccelerated filer must comply with SOX 404(a)—management’s assessment
requirement—for its first fiscal year ending on or after December 15, 2007,
under SEC Release No. 33-8760 (December 5, 2006), and SOX 404(b)—the
auditor’s attestation requirement—for its first fiscal year ending on or after
December 15, 2009, under SEC Release No. 33-8934 (June 26, 2008).9
2.2 Client-Related Risk

Client-related risk can be classified into audit risk and client business risk.
Audit risk is the risk that the auditor will fail to draw attention to a material mis-
statement, deficiency, abuse, or other unacceptable matter in an audit, and thus
issue an incorrect audit opinion, whereas client business risk is ‘‘the risk that the
client’s economic condition will deteriorate in either the short term or long term’’
(Johnstone [2000]).
SAS No. 107 (AICPA [2006]) decomposes audit risk into three components:
inherent risk, control risk, and detection risk. Inherent risk is the perceived level of
risk that a material misstatement may occur in a client’s financial statements in
the absence of internal control procedures. Control risk is the perceived level of
risk that a material misstatement in the client’s financial statements will not be
detected and corrected by management’s internal control procedures. Detection
risk is the perceived level of risk that a material misstatement in the client’s finan-
cial statements will not be detected by the auditor. Because inherent risk and con-
trol risk equal the likelihood of error in clients’ accounts before the auditors’
testing (Elder and Allen [2003]), we focus on these two components of audit risk,
as they are most relevant to auditors’ client risk management decisions.
9. In SEC Release No. 33-8238 (June 5, 2003), an "accelerated filer," defined in the original
Exchange Act Rule 12b-2, referred to a U.S. company that has equity market capitalization more than
$75 million and has filed an annual report with the SEC. According to SEC Release No. 33-8618
(September 22, 2005), before December 1, 2005, "accelerated filer" status did not directly affect a
foreign private issuer filing its annual reports on Form 20-F or 40-F, even though the definition of
"accelerated filer" did not expressly exclude foreign private issuers by its terms. After December 1,
2005, a foreign private issuer meeting the accelerated filer definition, and filing its annual report on
Form 20-F or Form 40-F, became subject to the internal control reporting requirements under SOX.
SEC Release No. 33-8644 (December 21, 2005) amended the Exchange Act Rule 12b-2 definition of
an "accelerated filer" to create a new category of accelerated filer, the "large accelerated filer," for
issuers with equity market value of $700 million or more, and redefined the term "accelerated filer"
to include an issuer with equity market value of $75 million or more, but less than $700 million. A
complete list of SOX 404 compliance dates for various types of firms is summarized in a table on
page 10 of SEC Release No. 33-8934 (June 26, 2008).
2.3 Conceptual Framework

Johnstone and Bedard (2003) propose a conceptual model of client acceptance.
An auditor evaluates a client’s audit risk and business risk and the associated audit
fee from the engagement.10 When the risk or return is at an acceptable level, the
auditor prices audit risk and client business risk into the audit fee; when the risk
or return is at an unacceptable level, the auditor abandons the high-risk client.
We extend the Johnstone and Bedard (2003) model and propose a framework
of client risk management. In this framework, we consider three client risk manage-
ment strategies: (1) audit fee adjustments, (2) modified opinions, and (3) auditor
resignations. Strategies (1) and (3) are taken from Johnstone and Bedard (2003),
and strategy (2) is taken from Krishnan and Krishnan (1996) and Blacconiere and
DeFond (1997), who find that auditors are more likely to issue modified opinions
or going-concern opinions for firms with higher litigation risk or bankruptcy risk.
We further propose that a pecking order exists among an auditor’s responses to cli-
ent-related risk. When the risk is low, the auditor responds by increasing the audit
fee; when the risk is intermediate, the auditor responds by issuing a modified opin-
ion; when the risk is high, the auditor responds by resigning from the client.
2.4 Hypothesis Development

We develop our hypotheses around our conceptual framework. We first
focus on individual strategies, and try to establish that they are viable strategies
to manage risk on a stand-alone basis. We then consider the strategies simultane-
ously and try to establish whether a pecking order exists among these strategies.
The extant literature on client risk management largely focuses on client
business risk and related legal liability risk. The relation between audit fees and
client business risk is well-documented. For example, Hill, Ramsay, and Simon
(1994) find that client business risk is positively related to audit fees in the sav-
ings and loan industry from 1983 to 1988. Bell, Landsman, and Shackelford
(2001) find that high business risk increases the number of audit hours, but not
the fee per hour. Seetharaman, Gul, and Lynn (2002) find that U.K. auditors
charge higher fees for their services when their clients access U.S. capital mar-
kets, but not when they access non-U.S. capital markets, suggesting that audit
fees reflect differences in litigation risk across different liability regimes.
Recently, Ashbaugh-Skaife, Collins, Kinney, and LaFond (2009) find that
firms with internal control deficiencies have higher idiosyncratic risk. The higher
the idiosyncratic risk, the more likely a firm will experience a large drop in stock
price, which typically triggers shareholder class-action lawsuits. This suggests
10. In addition to audit risk and client business risk, Johnstone and Bedard (2003) also discuss
auditor business risk, which is defined as "the risk that the auditor firm will suffer loss resulting from
the engagement," and measure it with a dummy variable, which is equal to one if a client is a public
company, and zero if a client is a private company. We do not consider auditor business risk in our
study because our sample includes only public companies, although we note that whether a company
is public is not the only source of auditor business risk.
that firms with internal control weaknesses have additional exposure to litigation
risk, and are more likely to inflict damages to their auditors’ reputation. Because
auditor reputation is used as important collateral to ensure high-quality audits
(DeAngelo [1981]), auditors have incentives to either increase the audit fee to
take this idiosyncratic risk into account or withdraw from such clients, if the
increase in audit fee cannot justify the increase in risk.
Although audit risk factors are found to be more important in audit firm portfolio
management decisions than are financial risk factors (Johnstone and Bedard [2004]),
few studies on client risk management examine audit risk factors, because proxies
for such variables were not publicly available. Using internal client evaluation data
from a public accounting firm, Johnstone and Bedard (2003, 2004) and Bedard and
Johnstone (2004) examine audit risk factors when they study auditors’ client risk
management strategies. In particular, Bedard and Johnstone (2004) find that planned
audit personnel hours and planned hourly billing rates are higher for firms with weak
internal controls. Because the product of planned audit personnel hours and planned
hourly billing rates is equal to the total audit fee, we have the following hypothesis:
H1a: Audit fees are higher for firms with internal control weaknesses than
for firms without such weaknesses.
Although audit fees increased substantially for all accelerated filers because
of SOX 404 compliance, firms with internal control weaknesses are expected to
experience greater audit fee increases, because auditors must conduct more test-
ing and spend more resources to manage the control risk to acceptable levels for
these firms. Thus, we propose the following hypothesis.
H1b: Audit fee increases are greater for firms newly identified with internal
control weaknesses in the 404 period.
We are afforded with a unique opportunity to test Hypothesis 1b, because of
our focus on the first year of SOX 404 implementation. As a self-reporting sys-
tem by management, SOX 302 does not require supporting documentation or in-
dependent examination. In contrast, SOX 404 requires both documentation and
independent auditor examination. Because auditors need to perform independent
testing of internal controls under SOX 404, we expect that audit fees under the
SOX 404 regime will be greater than audit fees under the SOX 302 regime.
Because firms are subject to outside scrutiny from independent auditors under
SOX 404, we expect that more firms will be identified with internal control
weaknesses as they transition from the SOX 302 regime to the SOX 404 regime.
For these firms who are newly identified with internal control weaknesses, we
expect them to experience a greater increase in audit fees, because of the extra
risk and additional testing related to internal control weaknesses.
In addition to charging higher audit fees to firms with internal control weak-
nesses, auditors can also manage clients’ internal control risk by exercising more
caution and issuing modified opinions to such firms. Following Bradshaw,
Richardson, and Sloan (2001), we define a modified audit opinion as an indicator
variable that takes a value of zero for a standard unqualified opinion and a value
of one for any other modified opinion, including qualified, adverse, or unquali-
fied with explanatory language.11 Krishnan and Krishnan (1996) find that audi-
tors are more likely to issue modified opinions for firms with higher litigation
risk, and Blacconiere and DeFond (1997) find that auditors render going-concern
reports to the savings and loans that are most likely to fail ex ante. Moreover,
Francis and Krishnan (1999), Bartov, Gul, and Tsui (2000), and Bradshaw,
Richardson, and Sloan (2001) find that modified audit opinions are influenced by
earnings management, although Butler, Leone, and Willenborg (2004) argue that
the documented relation between modified opinions and abnormal accruals in
these papers rests only with companies with going-concern opinions or under fi-
nancial distress. Since these findings indicate that audit opinions are sensitive to
various sources of risk, we propose the following hypothesis:
H2a: Auditors are more likely to issue modified opinions for firms with inter-
nal control weaknesses than for firms without such weaknesses.
Cash-strapped start-up firms may always receive a going-concern opinion.
To remove these firms constantly flagged with a modified opinion, we will per-
form an analysis for the following hypothesis:12
H2b: Changes in modified audit opinions are positively associated with
changes in reported internal control weaknesses.
Risk reduction is often the reason for auditor resignation.13 Krishnan and
Krishnan (1997) find that litigation risk motivates auditors to resign from their
clients. Shu (2000) finds that auditor resignation is positively related to increased
client legal exposure. Johnstone and Bedard (2003) find that client acceptance like-
lihood is reduced in the presence of audit risk, client business risk, and auditor busi-
ness risk; Johnstone and Bedard (2004) find that riskier clients are dropped from an
audit firm’s client portfolio and newly accepted clients are less risky than the audi-
tor’s continuing clients. Therefore, we have the following hypothesis:
H3: Auditors are more likely to resign from firms with internal control weak-
nesses than from firms without such weaknesses.
If Hypotheses 1–3 are confirmed, we will be able to establish that audit fee
adjustments, modified opinions, and auditor resignations are viable strategies to man-
age control risk on a stand-alone basis. We are interested in learning whether a peck-
ing order exists among an auditor’s responses to client-related risk. Following our
11. Compustat has six codes for the audit opinion: 0 ¼ unaudited, 1 ¼ unqualified, 2 ¼ qualified
opinion, 3 ¼ no opinion, 4 ¼ unqualified with explanatory language, and 5 ¼ adverse. We did not
identify any firm with an audit opinion code of zero in our sample.
12. We thank an anonymous referee for this suggestion.
13. We focus only on auditor resignation, since auditor dismissal is initiated by a client and
hence not a tool for an auditor to reduce risk. Our results on auditor resignation are robust when we
control for auditor dismissal in our multinomial logit analyses in Table 7.
conceptual framework, we hypothesize that the severity of the auditor response is

increasing in control risk. Specifically, we have the following hypothesis:
H4: As the level of control risk increases, auditors respond in the order of (1)
audit fee adjustments, (2) modified opinions, and (3) auditor resignations.
SOX offers us a unique opportunity to study auditors’ client risk manage-
ment strategies using public information and to test these hypotheses, because
the internal control disclosures provide us with a standardized and objective
measure of control risk, a key component of audit risk. In our study of auditors’
client risk management strategies, we focus on this newly available public infor-
mation on internal control. Our proxy measures for firm control risk include an
internal control weakness indicator variable and the type of internal control
weaknesses.
3. Sample and Methodology

3.1 Sample Selection
We retrieve SOX 404 internal control disclosures, audit fees, and auditor
changes from AuditAnalytics, the Altman Z-Scores from Research Insight, and
the rest of the variables from Compustat. The Audit SOX 404 Internal Controls
data set provided by AuditAnalytics covers all SEC registrants who have filed
SOX 404 reports on internal controls in electronic filings since November 2004.
The data have been principally extracted from the following form types: 10-K,
10-K/A, 20-F, and 40-F.
Table 1 describes the sample selection procedures. The sample firms consist
of those with SOX 404 reports on internal controls and other necessary variables
for our 404 period with fiscal years ending between November 15, 2004, and
November 14, 2005.14 Between November 1, 2004, and December 31, 2005,
3,737 firm SEC filings on internal control appeared in AuditAnalytics.15 After
excluding 200 firms not in Compustat,16 we exclude 103 foreign firms, 65
subsidiaries, and 149 mutual funds, trusts, and Real Estate Investment Trusts.
We further exclude firms without audit-related information in AuditAnalytics and
other necessary information in Compustat for fiscal years ending between No-
vember 15, 2004, and November 14, 2005. Specifically, we exclude three firms
with missing SOX 404 internal control disclosures, four firms with missing audit
14. We require that the internal control variables and other variables pertain to fiscal years end-
ing from November 15, 2004, to November 14, 2005. Since no fiscal year is related to the auditor
change variable, we classify an auditor change into the 404 period if the announcement was made
between November 15, 2004, and November 14, 2005.
15. We exclude six duplicate observations.
16. AuditAnalytics only provides ticker symbols for sample firms. We retrieve the CUSIP infor-
mation for our sample firms from Compustat. We first merge our initial sample with Compustat by
the ticker symbol, and hand-adjust any incorrect matches. We then manually search through Compu-
stat to locate the CUSIP information for firms without ticker symbols or firms that cannot be
matched to Compustat by the ticker symbol.
TABLE 1
Sample Selection Criteria
Sample Characteristics Number of Firms
Total firms with internal control disclosures in AuditAnalytics 3,737

November 1, 2004, to December 31, 2005
Excluding firms not in Compustat (200)
Excluding foreign firms (103)
Excluding subsidiaries (65)
Excluding mutual funds, trusts, and REITs (149)
Excluding firms with no SOX 404 internal control disclosure (3)
Excluding firms with missing information on audit fees (4)
Excluding firms with missing information necessary for computing (42)
leverage, sales growth, or return-on-assets
Excluding firms with missing audit opinion (380)
Excluding firms with missing Z-Scores (274)
Excluding firms with missing information necessary for (167)
computing discretionary accruals
Final sample firms 2,350
Note: REIT ¼ real estate investment trust; SOX ¼ Sarbanes-Oxley Act.

The sample firms consist of those with internal control information and other necessary variables for
fiscal years ending between November 15, 2004, and November 14, 2005. We begin with 3,737 firms that
have internal control disclosures in AuditAnalytics from November 1, 2004, to December 31, 2005. We
exclude firms not in Compustat, foreign firms, subsidiaries, and mutual funds, trusts, and REITS. We further
exclude firms without audit related information and other necessary information for fiscal years ending
between November 15, 2004, and November 14, 2005. Data in parentheses indicate the number of firms
removed from the full set to obtain the final sample of 2,350 firms.
fee information, forty-two firms with missing information necessary for computing
leverage, sales growth, or return-on-assets, 380 firms with missing audit opinions,
274 firms with missing Z-Scores, and 167 firms with missing information necessary
for computing discretionary accruals. Our final sample consists of 2,350 firms.
3.2 Methodology
Following our conceptual framework and hypotheses, we model an auditor’s
response to risk as a function of control risk, inherent risk, client business risk,
and a set of control variables. When we study auditors’ strategies on a stand-
alone basis in the first part of our analyses, the auditor’s response takes the form
of audit fee, audit fee change, audit opinion, audit opinion change, and auditor
resignation. When we study auditors’ strategies on a combined-basis in the sec-
ond part of our analyses, the auditor’s response draws from a portfolio of strat-
egies in the order of audit fee adjustment, modified opinion, and auditor
resignation, depending on the risk level.
Control risk is the perceived level of risk that a material misstatement in a

client’s financial statements will not be detected and corrected by the manage-
ment’s internal control procedures. We use two measures of internal control
weaknesses to capture this concept. The first is an internal control weakness
dummy variable (ICW), which is equal to one if a firm is identified with at least
one internal control weakness, and the second is a pair of dummy variables cap-
turing account-specific weaknesses (ICWACCT) and company-level weaknesses
(ICWCOMP), respectively. Specifically, we follow the classification scheme in
Doyle, Ge, and McVay ([2007b], 1148–1149 and 1167) to code weaknesses into
these two mutually exclusive categories. ICWCOMP, the dummy variable for
company-level weaknesses, is equal to one if the firm has either weaknesses
related to ‘‘ineffective control environment’’ or ‘‘management override’’ in the
disclosure or weaknesses related to at least three account-specific problems;
ICWACCT, the dummy variable for account-specific weaknesses, is equal to one
if the firm has weaknesses related to less than three account-specific problems.17
Based on this construction, company-level weaknesses represent more extensive
or pervasive offenses, and account-specific weaknesses represent less extensive
or pervasive offenses. In other words, company-level weaknesses are more severe
and pose more audit difficulties.
We control for inherent risk, a component of audit risk. Following previous
literature such as Xie, Davidson, and DaDalt (2003), we use discretionary
accruals to measure financial reporting quality, and hence inherent risk. Specifi-
cally, we follow Hogan and Wilkins (2008) and adopt absolute discretionary
accruals (|DTACC|). We further control for client business risk. Because client
business risk is ‘‘the risk that the client’s economic condition will deteriorate in
either the short term or long term’’ (Johnstone [2000]), we control for leverage
(LEV), return on assets (ROA), loss (LOSS) (Johnstone and Bedard [2003, 2004];
Francis, Reichelt, and Wang [2005]), and the Altman Z-Score (ZSCORE) (Reyn-
olds and Francis [2001]; Ashbaugh-Skaife, Collins, and Kinney [2007]). LEV is
the ratio of total debts to total assets, ROA is income before extraordinary items
divided by average total assets, LOSS is an indicator variable that is equal to
one if there is a loss in the current year, and ZSCORE is used to measure finan-
cial distress, with a lower Z-Score indicating greater distress risk (Altman
[1968]).
4. Empirical Results
4.1 Univariate Analyses
Table 2 provides the variable means and medians for all firms (the full sam-
ple), ICW firms, and non-ICW firms, respectively. In addition, it also provides
17. AuditAnalytics lists the number of internal control weaknesses and summarizes the nature
of these different weaknesses.
TABLE 2
Comparison between Firms with Internal Control Weaknesses
and Firms without Internal Control Weaknesses
Full Sample ICW Non-ICW ICW vs. Non-ICW

Mean Mean Mean Mean Diff
Variables (Median) (Median) (Median) (Median Diff)
ICW 0.147 1.00 0.00 1.00***

(0.00) (1.00) (0.00) (1.00)***
ICWACCT 0.106 0.719 0.00 (0.72)***
(0.00) (1.00) (0.00) (1.00)***
ICWCOMP 0.041 0.281 0.00 0.28***
(0.00) (0.00) (0.00) (0.00)***
AUDFEE 2,300,156 2,346,934 2,292,107 54,827
(1,201,365) (1,295,730) (1,188,400) (107,330)
AUDFEECG$ 1,122,797 1,185,018 1,112,307 72,711
(648,000) (758,655) (635,676) (122,979)*
AUDFEECG 1.435 1.893 1.358 0.535***
(1.192) (1.564) (1.159) (0.405)***
NONAUDFEE 658,903 469,056 691,570 222,514***
(216,813) (182,580) (222,060) (39,480)***
TOTFEE 2,959,059 2,815,990 2,983,677 167,687
(1,452,747) (1,498,725) (1,445,000) (53,725)
OPINION 0.32 0.46 0.29 0.17***
(0.00) (0.00) (0.00) (0.00)***
OPINIONCG 0.271 0.121 0.296 0.175***
(0.00) (0.00) (0.00) (0.00)
AUDCHG 0.081 0.168 0.066 0.10***
(0.00) (0.00) (0.00) (0.00)***
DISMISSAL 0.059 0.081 0.055 0.026*
(0.00) (0.00) (0.00) (0.00)*
RESIGN 0.022 0.087 0.011 0.08***
(0.00) (0.00) (0.00) (0.00)***
|DTACC| 0.06 0.08 0.06 0.02***
(0.04) (0.05) (0.04) (0.01)***
LEV 0.20 0.20 0.20 0.00
(0.16) (0.13) (0.17) (0.04)
ROA 0.004 0.04 0.01 0.05***
(0.04) (0.01) (0.05) (0.04)***
LOSS 0.26 0.43 0.23 0.20***
(0.00) (0.00) (0.00) (0.00)***
TA 3,314 1,478 3,630 2,152***
(580) (340) (646) (306)***
SALEGR 0.23 0.19 0.24 0.05
(0.12) (0.10) (0.13) (0.03)***
BUS 2.22 2.24 2.21 0.03
(1.00) (1.00) (1.00) (0.00)
BIG4 0.93 0.86 0.94 0.08***
(1.00) (1.00) (1.00) (0.00)***
ZSCORE 5.27 3.33 5.73 2.40***
(3.61) (2.87) (3.78) (0.91)***
N 2,350 345 2,005
*
and *** denote two-tailed significance at the 10 and 1 percent levels, respectively.
Note: This table provides mean and median comparisons between firms with internal control weak-
nesses (ICW firms) and firms without internal control weaknesses (non-ICW firms). Since we need audit
fee and audit opinion information for both the 302 period and the 404 period, the sample size for
AUDFEECG$, AUDFEECG, and OPINIONCG is 2,225, including 321 for the ICW group and 1,904 for
the non-ICW group. We use the two-sample t-test to test the differences in mean and the Wilcoxon rank
sum test to test the differences in median. All variable definitions are in Appendix A.
the mean and median comparisons of the variables for ICW firms and non-ICW
firms. Internal control weaknesses are disclosed by 14.7 percent of sample firms,
including 10.6 percent with account-specific weaknesses and 4.1 percent with
company-level weaknesses. In addition, 32 percent of sample firms have modi-
fied audit opinions and 2.2 percent have auditor resignations. The change in
modified audit opinion is a decrease of 27.1 percent from the 302 period to the
404 period.18 The mean (median) audit fee is $2,300,156 ($1,201,365), and the
mean (median) audit fee change from the 302 period to the 404 period is
$1,122,797 ($648,000) or 143.5 percent (119.2%).19 The mean (median) firm size
measured by total assets is $3,314 ($580) million.
The implementation of SOX 404 leads to a substantial increase in the audit
fee. For example, Advanced Micro Devices Inc. disclosed the following in its
2005 proxy statement.
Audit fees of Ernst & Young LLP during the 2004 and 2003 fiscal years
were associated with the annual audit of our consolidated financial state-
ments, statutory audits required internationally, reviews of our quarterly
reports filed with the Securities and Exchange Commission and fees related
to other regulatory filings. In addition, in 2004, audit fees included those
fees related to Ernst & Young LLP’s audit of the effectiveness of the Com-
pany’s internal control pursuant to Section 404 of the Sarbanes-Oxley Act.
Audit fees for 2004 were $10.4 million, $7 million of which were Sarbanes-
Oxley Act Section 404 fees. Audit fees for 2003 were $2.6 million.
The SOX 404 fee is $7 million for Advanced Micro Devices, resulting in a
300 percent increase in the audit fee. Without the SOX 404 fee, the audit fee
would have been $3.4 million, representing a more modest increase of 31 percent
over that in 2003.
The mean (median) audit fee for ICW firms is higher than that for non-ICW
firms. The difference becomes significant after we control for size in our multi-
ple regression analysis in Table 3. The mean (median) audit fee increase for
ICW firms is 189.3 percent (156.4%), whereas the mean (median) audit fee
increase for non-ICW firms is 135.8 percent (115.9%). The differences for both
mean and median between these two groups are significant at the 1 percent level.
18. Since this number is unusually large, we double-check the audit opinion information from
Compustat. For entire Compustat, the percentages of firms with modified opinions are 53.4 percent
and 37.4 percent for fiscal years 2003 and 2004, respectively. When we restrict to accelerated filers
in Compustat, the percentages are 55.8 percent and 33.8 percent for fiscal years 2003 and 2004,
respectively. Different from the fiscal years 2003 and 2004 in Compustat, the 302 period and the 404
period in our paper are defined as fiscal years ending between November 15, 2003, and November
14, 2004 and between November 15, 2004, and November 14, 2005, respectively. The percentages of
firms with modified opinions are 59.5 percent and 32.4 percent for the 302 period and the 404 pe-
riod, respectively.
19. The mean (median) nonaudit fee change from the 302 period to the 404 period is
$143,822 ($21,000). This results from the SOX provisions that limit an auditor’s ability to pro-
vide nonaudit services to its audit clients.
TABLE 3
Regression Analyses of the Relation between Natural Logarithms
of Audit Fees and Internal Control Weaknesses
Variable Model 1 Model 2
Intercept 10.42 10.41

(138.82)*** (139.07)***
ICW 0.33
(9.54)***
ICWACCT 0.27
(7.17)***
ICWCOMP 0.50
(7.50)***
|DTACC| 0.15 0.14
(1.03) (1.00)
LEV 0.17 0.16
(2.76)*** (2.63)***
ROA 0.28 0.27
(4.40)*** (4.15)***
LOSS 0.10 0.09
(2.87)*** (2.83)***
ZSCORE 0.004 0.004
(3.11)*** (3.03)***
LOG(TA) 0.49 0.49
(56.62)*** (56.53)***
SALEGR 0.02 0.02
(1.20) (1.29)
LOG(BUS) 0.13 0.13
(6.95)*** (6.90)***
BIG4 0.39 0.40
(7.23)*** (7.48)***
Adjusted R2 69.22% 69.35%
N 2,350 2,350
***
denotes two-tailed significance at the 1 percent level.
Note: This table presents the regression results for the natural logarithm of audit fee (LOG(AUDFEE))
and audit risk variables, client business variables, and control variables. The White (1980) heteroskedasticity-
consistent t-statistics are reported in parentheses. In our regression models, we use dummy variables to control
for industries (computers, retail, pharmaceutical products, electronic equipment, and business services) with
more than 5 percent of the total sample observations, but do not report the coefficients on these industry
dummies for brevity. The industry classification follows Fama and French (1997). All variable definitions are
in Appendix A.
Modified opinions were received by 46 percent of the ICW firms and 29 percent
of the non-ICW firms.20 The difference between these two groups is significant
at the 1 percent level, implying that auditors are more likely to flag ICW firms
with modified opinions. Auditors resigned from 8.7 percent of the ICW firms,
compared with 1.1 percent of the non-ICW firms. The difference between these
two groups is significant at the 1 percent level, suggesting that ICW is related to
auditor resignation. For example, Airspan Networks had material weaknesses21
and disclosed that it received the resignation from Ernst & Young in its 8-K filed
on August 29, 2005.
On August 23, 2005, Ernst & Young LLP (‘‘Ernst & Young’’), which serves
as the independent registered public accounting firm for Airspan Networks,
Inc. (the ‘‘Company’’), notified the Company that Ernst & Young will resign
as the Company’s independent registered public accounting firm upon com-
pletion of its interim review of the Company’s financial statements to be
included in the Company’s Quarterly Report on Form 10-Q for the three
months ending October 2, 2005. Ernst & Young did not seek the Company’s
consent to its resignation. Therefore, Ernst & Young’s decision to resign was
not recommended or approved by the Company’s Board of Directors or Audit
Committee. . . . The report of Ernst & Young on the effectiveness of the Com-
pany’s internal control over financial reporting as of December 31, 2004
expressed an unqualified opinion on management’s assessment and an adverse
opinion on the effectiveness of internal control over financial reporting.
We analyze the relation between auditor resignation and internal control
weaknesses more rigorously in Table 7 (see Section 4.4).
ICW firms tend to have significantly higher absolute discretionary accruals,
poorer performance, higher distress risk, and smaller total assets. They also are
significantly more likely to incur a loss and use non-Big 4 auditors. Our univari-
ate results on ROA, LOSS, and firm size are consistent with those in Ge and
McVay (2005) and Doyle, Ge, and McVay (2007a), as they find that internal
control weaknesses are more likely for firms that are smaller and less profitable.
4.2 Audit Fees and Internal Control Weaknesses

4.2.1 Audit Fee
We use an Ordinary Least Squares (OLS) model to test the relation between
the natural logarithm of audit fee and internal control weaknesses in Table 3.
20. We searched through SEC filings and could not find an example that directly links the
modified opinion to internal control quality.
21. In the same 8-K, Airspan Network stated that ‘‘the Company had a material weakness in its
internal control pertaining to the review and evaluation of the accounting treatment required for com-
plex and non-standard Stockholders’ equity transactions. In addition, . . ., the Company reported a ma-
terial weakness in its internal control relating to revenue recognition accounting and disclosure of
sales contracts with extended payment terms.’’
Specifically, we model audit fee (AUDFEE) as a function of audit risk (control

risk and inherent risk), client business risk, and a set of control variables. Eq. (1)
presents the specifications for Model 1 in Table 3 that uses an ICW dummy. All
variable definitions are in Appendix A. For firm i in year t,
We expect the coefficient on ICW to be positive, because a firm with weak inter-
nal controls has a greater amount of risk and thus requires more testing from its audi-
tor (Arens, Elder, and Beasley [2006]). For example, for any significant account or
any phase of financial operations in which controls are weak, the auditors need to
expand the nature and extent of their tests of the account balances. Moreover, part of
the audit fee is the SOX 404 fee, which certainly will be higher when a weakness
exists. Because auditors expend more resources for firms with internal control weak-
nesses, they need to charge higher audit fees to cover their additional costs.
We control for other sources of client-related risk. We use the absolute value
of discretionary accruals (|DTACC|) to measure financial reporting quality and thus
proxy for the firm’s inherent risk. We expect that the audit fee is positively related
to absolute discretionary accruals, as auditors will charge higher audit fees for firms
with poor financial reporting quality. We use leverage (LEV), return on assets
(ROA), loss (LOSS), and Z-Score (ZSCORE) to capture client business risk. Con-
sistent with Francis, Reichelt, and Wang (2005), we expect firms with high lever-
age (LEV), losses (LOSS), and poor performance (ROA) to pay higher audit fees.
We also expect that low Z-Score firms to pay higher audit fees.
We further control for other variables related to the audit fee variable. We
expect that audit fees will be higher for large clients and thus control for size,
measured as the natural logarithm of total assets (TA). Because prior studies show
that the former Big 8 firms are able to charge a premium for their perceived high-
quality services (e.g., Francis [1984]; Francis and Stokes [1986]; Palmrose
[1986]), we introduce a Big 4 dummy variable (BIG4), indicating whether a firm
is audited by a Big 4 auditor. Following Francis, Reichelt, and Wang (2005), we
control for the natural logarithm of the number of business segments (BUS), as
audit fees will be higher for clients with complex operations. Audit fees may also
be related to sales growth (SALEGR), which is equal to the change in sales divided
by the sales in the previous year. On the one hand, firms with strong sales growth
are expected to pay higher fees, because demand is greater for audit work. On the
other hand, firms with strong sales growth are expected to pay lower fees, because
these firms are performing well and pose less risk for auditors. Therefore, the
expected sign for the coefficient on sales growth is ambiguous.
Finally, following Johnstone and Bedard (2003) and Francis, Reichelt, and
Wang (2005), we control for industry effects based on the Fama and French
(1997) forty-eight-industry classification. We set the cutoff points at 5 percent of

total observations and introduce the industry dummies for computers, retail, phar-
maceutical products, electronic equipment, and business services to our regres-
sion models in Tables 3–7 and 10. The coefficients on these dummy variables
are not reported in Tables 3–7 and 10 for brevity.22
Consistent with Hypothesis 1a, we find that audit fees are significantly
higher for ICW firms at the 1 percent level.23 Bedard and Johnstone (2004) find
that planned audit personnel hours and planned hourly billing rates are signifi-
cantly higher for firms with weak internal controls. Since the product of planned
audit personnel hours and planned hourly billing rates is equal to the total audit
fee, our results are consistent with those in Bedard and Johnstone (2004). For cli-
ent risk variables, audit fees are significantly smaller for high ROA firms, and
greater for firms with losses and high distress risk. However, the coefficients on
LEV are negative, contrary to our expectation. For control variables, audit fees
are significantly higher for large firms, firms with a large number of business
segments, and Big 4 clients.
We replace ICW with ICWACCT and ICWCOMP in Model 2, and find that
the coefficients on ICWACCT and ICWCOMP are significantly positive at the 1
percent level. The coefficient on ICWCOMP is significantly larger than that on
ICWACCT, suggesting that auditors charge greater audit fees for company-level
weaknesses, the more severe type of offenses, than for account-specific weak-
nesses, the less severe type of offenses. We discuss the significance of the differ-
ence in the following paragraphs.
To measure the economic significance of our results, we follow prior litera-
ture (e.g., Lyon and Maher [2005]) and estimate an audit fee premium associated
with an ICW indicator variable to be (ea 1), where a is the coefficient on the
ICW indicator variable. Because the coefficient on the ICW indicator variable is
0.33 in Model 1, the audit fee premium for ICW firms over non-ICW firms is
39.1 percent. The premium’s magnitude appears to be in line with the findings in
prior studies. For example, Seetharaman, Gul, and Lynn (2002) find that the
audit fee premium for U.K. companies listed on U.S. stock exchanges is 20 per-
cent; Lyon and Maher (2005) find that the audit fee premium for firms that
reported payments of bribes is 43 percent.
We use the coefficients on ICWACCT and ICWCOMP from Model 2, and
find that the audit fee premium for account-specific weaknesses is 31 percent,
and that for company-level weaknesses is 64.9 percent. By testing the difference
between the coefficients on ICWACCT and on ICWCOMP in Model 2 (Greene
[2000], 284), we find that the audit fee premium for company-level weaknesses
is significantly higher than that for account-specific weaknesses at the 1 percent
22. We later report in the robustness check section that our results are similar to those reported
in Tables 3–7 and 10 if we exclude these industry dummy variables from our regression models.
23. In unreported tests, we do not find any relation between nonaudit fees and ICWs, suggest-
ing that an ICW, a measure of control risk, is priced only into the audit fee.
level. Our result is consistent with the finding in Doyle, Ge, and McVay (2007b)
that accruals quality is affected by company-level weaknesses rather than by
account-specific weaknesses. Consequently, auditors charge greater audit fees for
company-level weaknesses to compensate for the risk associated with poor
accruals quality.
4.2.2 Change in Audit Fees

In this section, we study how auditors adjust their audit fees in response to
the changes in their risk assessments. We use an OLS model to test the rela-
tion between change in audit fees and change in reported internal control
weaknesses in Table 4. Specifically, we model the audit fee change as a func-
tion of changes in audit risk (control risk and inherent risk), change in client
business risk, and change in a set of control variables in Eq. (2). For firm i in
year t,
ICWCG used in Model 1 is a variable representing the change in reported inter-

nal control weaknesses from the 302 period to the 404 period. Because the Audit
SOX 404 Internal Controls data set by AuditAnalytics contains only SOX 404 inter-
nal control disclosures, we use the internal control data set compiled by Doyle, Ge,
and McVay (2007b) for the 302 period.24 The dependent variable is the audit fee
change (AUDFEECG), the difference in audit fee between the 302 period and the
404 period divided by the audit fee for the 302 period. We define other independent
variables used in Table 4 in a similar fashion and provide the details in Appendix A.
The sample size for Tables 4 and 6 is 2,225, because we need audit and financial in-
formation for both the 302 period and the 404 period. From our sample of 2,350
firms, we first exclude forty-two firms with missing audit and financial information
in the 302 period. We then exclude one outlier (Tetra Technologies Inc. with a lever-
age change of 7,286), based on the standard SAS procedure in our regression
24. Data are available at either Weili Ge’s website at Washington or Sarah McVay’s website at
Utah. For the 302 period, we start with the Doyle, Ge, and McVay (2007b) data set, and make sure
that the internal control disclosures are for fiscal years or fiscal quarters ending between November
15, 2003, and November 14, 2004, by searching through the SEC filings. If an observation is from
an 8-K, we require that the 8-K filing date is between November 15, 2003, and November 14, 2004.
We then read through the excerpts of internal control disclosures in their dataset and, in many instan-
ces, the original disclosures in 10-K, 10-Q, or 8-K to code the number of weaknesses and the types
of weaknesses.
TABLE 4
Regression Analyses of the Relation between Changes in Audit Fees and
Changes in Reported Internal Control Weaknesses
Intercept 1.30 1.31

(41.25)*** (41.37)***
ICWCG 0.48
(5.53)***
ICWACCTCG 0.33
(3.91)***
ICWCOMPCG 0.90
(4.82)***
|DTACC|CG 0.00 0.00
(0.79) (0.70)
LEVCG 0.001 0.001
(0.84) (0.77)
ROACG 0.00 0.00
(0.10) (0.05)
LOSSCG 0.20 0.19
(3.37)*** (3.25)***
ZSCORECG 0.004 0.004
(1.43) (1.20)
TACG 0.32 0.32
(3.89)*** (3.89)***
SALEGRCG 0.00 0.00
(1.62) (1.52)
BUSCG 0.07 0.06
(1.43) (1.16)
Adjusted R2 4.78% 5.65%
N 2,225 2,225
***
Note: This table presents the regression results for the change in audit fees (AUDFEECG) and changes
in audit risk variables, client business variables, and control variables. The White (1980) heteroskedasticity-
consistent t-statistics are reported in parentheses. In our regression models, we control for industry dum-
mies, but do not report the coefficients on these industry dummies for brevity. See Table 3 for more details.
The sample size for Table 4 is 2,225 because we need audit and financial information for both the 302 period
and the 404 period. From our sample of 2,350 firms, we first exclude 42 firms with missing audit and finan-
cial information in the 302 period. We then exclude one outlier (Tetra Technologies Inc. with a leverage
change of 7,286) based on the standard SAS procedure in our regression analyses. We finally exclude 80
firms with zero leverage and two firms with zero sales growth in the 302 period because we cannot calculate
changes for these variables. All variable definitions are in Appendix A.
analyses. We finally exclude eighty firms with zero leverage and two firms with zero
sales growth in the 302 period, because we cannot calculate changes for these varia-
bles.
Confirming Hypothesis 1b, we find that audit fee increases are greater for firms
newly identified with internal control weaknesses in the 404 period.25 The coefficient
on ICWCG in Model 1 is significantly positive at the 1 percent level. Because audi-
tors need to perform independent testing of internal controls under SOX 404, audit
fees in the 404 period ($2.3 million on average) are significantly higher than those in
the 302 period ($1.2 million on average). Because firms are subject to outside scru-
tiny from independent auditors under SOX 404, significantly more firms are identi-
fied with an ICW in the 404 period (14.7%) than those in the 302 period (4.5%).
During the transition from the SOX 302 regime to the SOX 404 regime, we find that
firms newly identified with an ICW experience a greater increase in audit fees,
because of the ICW-related risk and additional testing. For other variables, the coeffi-
cients on LOSSCG and TACG are significantly positive. LOSSCG is a change in the
LOSS indicator variable, and TACG is the change in total assets divided by the total
assets in the 302 period. Our results thus suggest that firms will experience an audit
fee increase if they turn from a profit situation in the 302 period to a loss situation in
the 404 period, or if they grow in size from the 302 period to the 404 period.26
We replace ICWCG with similarly defined ICWACCTCG and ICWCOMPCG
in Model 2, and find that results are similar to those reported for Model 1. The
coefficient on ICWCOMPCG is larger than that on ICWACCTCG, indicating that
the audit fee increase is greater for firms newly identified with company-level
weaknesses than for those newly identified with account-level weaknesses.
Again, a larger increase in audit fees is used to compensate for the exposure to a
greater level of risk.
4.3 Modified Audit Opinions and Internal Control Weaknesses

4.3.1 Modified Audit Opinion
We use a logit model to test the relation between modified audit opinions and
internal control weaknesses in Table 5. Specifically, we model modified audit opin-
ions as a function of audit risk (control risk and inherent risk), client business risk,
and a set of control variables. Eq. (3) presents the specifications for Model using an
ICW dummy variable. The modified audit opinion variable (OPINION) is equal to
25. We have forty-six sample firms that are identified with internal control weaknesses in the
302 period and with no such weaknesses in the 404 period. The interpretation would be reversed for
these firms.
26. Our results in Table 4 remain unchanged when we add four dummy variables to capture the
different types of auditor changes among the Big 4 and non-Big 4 auditors. These four dummy varia-
bles represent auditor changes from a Big 4 to another Big 4, a Big 4 to a non-Big 4, a non-Big 4 to
a Big 4, and a non-Big 4 to another non-Big 4.
one if the firm’s audit opinion code is between two and five, and zero otherwise.
All other variable definitions are in Appendix A. For firm i in year t,
TABLE 5
Logit Analyses of the Relation between Modified Audit Opinions
and Internal Control Weaknesses
Intercept 3.20 3.19

(100.97)*** (99.97)***
ICW 0.98
(52.31)***
ICWACCT 1.01
(44.78)***
ICWCOMP 0.88
(13.26)***
|DTACC| 0.04 0.04
(0.00) (0.00)
LEV 0.47 0.47
(3.45)* (3.32)*
ROA 0.001 0.008
(0.00) (0.00)
LOSS 0.11 0.12
(0.58) (0.59)
ZSCORE 0.06 0.06
(22.15)*** (22.36)***
LOG (TA) 0.37 0.37
(110.95)*** (111.01)***
SALEGR 0.12 0.12
(1.16) (1.12)
BIG4 0.03 0.02
(0.02) (0.01)
Pseudo R2 13.38% 13.39%
N 2,350 2,350
*
Note: This table presents the logit regression results for modified audit opinion (OPINION) and audit
risk variables, client business variables, and control variables. The w2 statistics are reported in the parenthe-
ses. In our regression models, we control for industry dummies, but do not report the coefficients on these
industry dummies for brevity. See Table 3 for more details. All variable definitions are in Appendix A.
Since auditors are more likely to issue modified opinions for firms with
high litigation risk (Krishnan and Krishnan [1996]) or render going-concern
opinions for firms with bankruptcy risk, we hypothesize that ICW firms are
more likely to be flagged with modified audit opinions than non-ICW firms.
We control for absolute discretionary accruals (|DTACC|), a proxy for inherent
risk. While Francis and Krishnan (1999), Bartov, Gul, and Tsui (2000), and
Bradshaw, Richardson, and Sloan (2001) suggest that modified audit opinions
are influenced by earnings management, Butler, Leone, and Willenborg (2004)
find that the documented relation between modified opinions and abnormal
accruals in these studies rests only with firms with going-concern opinions.
We further control for leverage (LEV), return on assets (ROA), loss (LOSS),
and Z-Score (ZSCORE) to capture the impact of client business risk. We expect
that firms with high leverage, losses, and low Z-Scores are more likely to
receive modified opinions, whereas firms with high return on assets are less
likely to receive modified opinions. Finally, we control for size (LOG(TA)) and
sales growth (SALEGR).
Consistent with Hypothesis 2a, we find that ICW firms are significantly
more likely to be flagged with modified audit opinions than non-ICW firms. The
marginal effect indicates that an ICW firm has a 21.9 percent increase in the
likelihood of receiving a modified opinion. The coefficient on absolute discre-
tionary accruals is insignificant. This is consistent with Butler, Leone, and Wil-
lenborg (2004) who find that modified opinions are not influenced by
discretionary accruals for firms without going-concern opinions, because the
supermajority of our sample firms does not have going-concern opinions accord-
ing to AuditAnalytics. In addition, high leverage firms and high distress risk, as
well as large firms, are more likely to be flagged with modified opinions.
We replace ICW with ICWACCT and ICWCOMP in Model 2 and find simi-
lar results. Interestingly, the coefficient on ICWCOMP is smaller than that on
ICWACCT. The marginal effects indicate that a firm with account-specific weak-
nesses has a 22.9 percent increase in the likelihood of receiving a modified opin-
ion and that a firm with company-level weaknesses has a 20 percent increase in
the likelihood of receiving such an opinion. Given that modified opinions tend to
be based on account-related issues, auditors likely do not have the latitude to
provide modified opinions for larger issues, such as ‘‘tone at the top.’’27 Thus,
auditors are more likely to issue modified opinions to firms with the less severe
account-specific weaknesses, suggesting that auditors use the modified opinion
strategy when they are exposed to a lower level of risk.28
27. We thank an anonymous referee for this insight.

28. Table 7 finds that auditors are more likely to tender their resignations to firms with the
more severe company-level weaknesses. Table 9 presents further evidence that auditors tend to use
different strategies to manage different levels of control risk.
4.3.2 Change in Modified Audit Opinions

In this section, we study how auditors adjust their audit opinions in response
to the changes in their risk assessments. We use an ordered logit model to test
the relation between changes in modified audit opinions and changes in reported
internal control weaknesses in Table 6. Specifically, we model audit opinion
changes as a function of changes in audit risk (control risk and inherent risk),
TABLE 6
Ordered Logit Analyses of the Relation between Changes in Modified Audit
Opinions and Changes in Reported Internal Control Weaknesses
ICWCG 0.70
(30.22)***
ICWACCTCG 0.74
(27.14)***
ICWCOMPCG 0.59
(8.11)***
|DTACC|CG 0.00 0.00
(0.00) (0.00)
LEVCG 0.00 0.00
(0.00) (0.00)
ROACG 0.001 0.001
(0.88) (0.89)
LOSSCG 0.07 0.07
(0.39) (0.42)
ZSCORECG 0.003 0.003
(0.32) (0.32)
TACG 0.09 0.09
(0.79) (0.79)
SALEGRCG 0.00 0.00
(0.01) (0.01)
BIG4CG 0.48 0.49
(2.47) (2.51)
Pseudo R2 1.86% 1.88%
N 2,225 2,225
***
Note: This table presents the ordered logit regression results for the change in modified audit opinions
(OPINIONCG) and changes in audit risk variables, client business variables, and control variables. The w2
statistics are reported in the parentheses. In our regression models, we control for industry dummies, but do
not report the coefficients on these industry dummies for brevity. See Table 3 for more details. The sample
size for this table is the same as that for Table 4. All variable definitions are in Appendix A.
change in client business risk, and change in a set of control variables in Eq. (4).
For firm i in year t,
The dependent variable OPINIONCG represents the change in modified audit

opinions from the 302 period to the 404 period, and can take a value of 1, 0, and
1. A value of 1 for OPINIONCG implies that the firm receives a modified opinion
in the 302 period, and an unqualified opinion in the 404 period; vice versa for a
value of one. When OPINIONCG takes a value of zero, it means that there is no
change in modified opinion from the 302 period to the 404 period. Other variables
are similar to those used in Table 4 and defined in Appendix A. The sample size
for Table 6 is 2,225, the same as that used for Table 4, because we again need audit
and financial information for both the 302 period and the 404 period.
Given the ordinal nature of the dependent variable OPINIONCG, we use or-
dered logit model for our analyses and find confirming evidence for Hypothesis 2b.
The coefficient on ICW is positively significant at the 1 percent level, suggesting
that changes in modified audit opinions are related to changes in reported internal
control weaknesses. We further calculate the marginal effects for the ICW variable.
A firm newly identified with internal control weaknesses in the 404 period has a 3
percent increase in the likelihood of having its audit opinion changed from an
unqualified opinion in the 302 period to a modified opinion in the 404 period, and a
15.0 percent decrease in the likelihood of having its audit opinion changed from a
modified opinion in the 302 period to an unqualified opinion in the 404 period. The
coefficients on other change variables are not significant.
We replace ICWCG with ICWACCTCG and ICWCOMPCG in Model 2, and
find results similar to those reported for Model 1. While both variables are signifi-
cant at the 1 percent level, the coefficient on ICWACCTCG is larger than that on
ICWCOMPCG. We again calculate the marginal effects. A firm with newly identi-
fied account-specific weaknesses has a 3.2 percent increase in the likelihood of
having its audit opinion changed from an unqualified opinion in the 302 period to a
modified opinion in the 404 period, whereas a firm with newly identified company-
level weaknesses has a 2.5 percent increase in such likelihood. Moreover, a firm
with newly identified account-specific weaknesses has a 15.9 percent decrease in
the likelihood of having its audit opinion changed from a modified opinion in the
302 period to an unqualified opinion in the 404 period, whereas a firm with newly
identified company-level weaknesses has a 12.7 percent decrease in such likeli-
hood. When there are changes in internal control weaknesses, auditors are more
likely to change their audit opinions for firms with the less severe account-specific
weaknesses, because modified opinions tend to be based on account-related issues.
Consistent with our findings in Table 5, our results again suggest that auditors use
the modified opinion strategy when they are exposed to a lower level of risk.
4.4 Auditor Resignations and Internal Control Weaknesses

We study the relation between auditor resignations and internal control weak-
nesses in Table 7. Since auditor turnover can be initiated by either the auditor or the
client, we control for auditor dismissal, and perform a multinomial logit regression
TABLE 7
Multinomial Logit Analyses of the Relation between Auditor Resignations,
Auditor Dismissals, and Internal Control Weaknesses
Model 1 Model 2
Variable RESIGNATION DISMISSAL RESIGNATION DISMISSAL
Intercept 4.47 6.13 3.92 6.05

(2.38) (12.22)*** (1.86) (11.84)***
ICW 1.97 0.36
(38.73)*** (2.34)
ICWACCT 1.44 0.27
(13.85)*** (1.02)
ICWCOMP 2.76 0.59
(50.34)*** (2.35)
|DTACC| 3.32 0.68 3.25 0.69
(10.05)*** (0.30) (9.17)*** (0.30)
LEV 1.08 0.12 1.18 0.14
(4.48)** (0.08) (5.14)** (0.10)
ROA 1.04 0.44 1.21 0.45
(2.82)* (0.55) (3.68)* (0.57)
LOSS 0.57 0.18 0.56 0.18
(2.37) (0.45) (2.27) (0.46)
ZSCORE 0.00 0.00 0.01 0.00
(0.30) (0.12) (0.46) (0.11)
LOG(AUDFEE) 0.13 0.40 0.06 0.40
(0.23) (6.59)*** (0.05) (6.29)**
LOG(TA) 0.45 0.33 0.38 0.33
(6.18)*** (10.10)*** (4.39)** (9.80)***
SALEGR 0.05 0.23 0.01 0.23
(0.19) (0.91) (0.00) (0.93)
Pseudo R2 7.38% 8.04%
N 2,350 2,350
* **
, , and *** denote two-tailed significance at the 10, 5, and 1 percent levels, respectively.
Note: This table presents the multinomial logit regression results between auditor resignations
(RESIGNATION), auditor dismissals (DISMISSAL), and internal control weaknesses. We use firms without
auditor changes as our reference group, and obtain separate coefficient estimates for RESIGNATION and
DISMISSAL. The w2 statistics are reported in the parentheses. In our regression models, we control for indus-
try dummies, but do not report the coefficients on these industry dummies for brevity. See Table 3 for more
details. All variable definitions are in Appendix A.
analysis that permits separate coefficient estimates for auditor dismissal and auditor
resignation by using firms without auditor changes as the reference group.
Johnstone and Bedard (2004) identify audit risk and client business risk as
determinants of audit firm portfolio management decisions. We are particularly
interested in the internal control aspect of audit risk. Since ICW firms are likely to
have greater audit risk than non-ICW firms, we expect that audit firms are more
likely to stop serving ICW firms, because of risk avoidance. We control for other
sources of client-related risk and include absolute discretionary accruals
(|DTACC|). Again, auditors are more likely to resign from clients with large abso-
lute discretionary accruals to avoid risk. We use leverage (LEV), return on assets
(ROA), loss (LOSS), and Z-Score (ZSCORE) to capture client business risk. Con-
sistent with the argument for DTACC, auditors are more likely to resign from cli-
ents with high leverage, losses, and low Z-Scores. We expect that auditors are less
likely to shy away from high ROA firms (Johnstone and Bedard [2004]).
Following Johnstone and Bedard (2004), we include the natural logarithm of
audit fee as a control variable in our logit model. Audit firms are less likely to
resign from clients if audit fees are large. Following Landsman, Nelson, and
Rountree (2009), we include two other control variables. We control for the natu-
ral logarithm of size (TA) and predict that auditor resignations are less likely for
large firms, because DeAngelo (1981) argues that large clients incur higher costs
of auditor changes. We also control for sales growth (SALEGR) because high-
growth clients may face higher litigation risk (Stice [1991]). However, we do not
provide a directional prediction on this variable.
Model 1 presents the results from the multinomial logit regressions using the
ICW dummy variable. The choice variables are auditor resignation, auditor dismissal,
and continuous auditor appointment. Auditor resignation (RESIGNATION) is one if a
firm’s auditor resigned from the firm, and auditor dismissal (DISMISSAL) is one if a
firm dismissed its auditor.29 We find that auditor resignations are significantly more
likely for ICW firms, confirming Hypothesis 3. The marginal effect indicates that an
ICW firm has a 4.2 percent increase in the likelihood of auditor resignation. Our
result for auditor resignation is consistent with that in Bedard and Johnstone (2004),
as they find that clients with control risk are more likely to be classified in the audi-
tor’s discontinued client portfolio. In addition, we find that auditor resignations are
significantly more likely for firms with large absolute discretionary accruals, con-
firming our prediction. This is consistent with DeFond and Subramanyam (1998),
who find that discretionary accruals are significant in the last year of an auditor
change. We also find that auditor resignations are significantly less likely for large
firms and more likely for loss firms. While the coefficient on audit fee is not signifi-
cant, the coefficient on ROA is positive, contrary to our expectation.
29. We also use auditor dismissal as a control variable. Our results on auditor dismissal are
consistent with the prior literature on audit opinion shopping (Chow & Rice [1982]; Smith [1986]).
When we run logit regressions using auditor resignation as the only choice variable, our results on
auditor resignation are similar to those reported in Table 7.
We replace ICW with ICWACCT and ICWCOMP in Model 2, and find that
the coefficients on ICWACCT and ICWCOMP are significantly positive at the 1
percent level. In particular, the coefficient on ICWCOMP is larger than that on
ICWACCT. The marginal effects indicate that a firm with account-specific weak-
nesses has a 2.6 percent increase in the likelihood of auditor resignation and a
firm with company-level weaknesses has an 11 percent increase in the likelihood
of auditor resignation. Auditor resignations are more likely for firms with the
more severe company-level weaknesses, suggesting that auditors use the resigna-
tion strategy when they are exposed to a higher level of risk.
4.5 Pecking-Order Analyses

4.5.1 Descriptive Analyses
In the previous sections, we established that audit fee adjustments, modified
opinions, and auditor resignations are viable strategies on a stand-alone basis.
We now study these strategies simultaneously. Table 8 presents the Pearson cor-
relations for internal control weakness variables and auditor response strategies.
TABLE 8
Pearson Correlation Table for Internal Control Weakness Variables
and Auditor Response Strategies
ICW ICWACCT ICWCOMP AUDFEECG OPINION RESIGNATION
ICW 1.00 0.83 0.50 0.15 0.12 0.16

(0.00) (0.00) (0.00) (0.00) (0.00)
ICWACCT 1.00 0.07 0.08 0.12 0.02
(0.00) (0.00) (0.00) (0.25)
ICWCOMP 1.00 0.15 0.02 0.24
(0.00) (0.36) (0.00)
AUDFEECG 1.00 0.04 NA
(0.04)
OPINION 1.00 NA
RESIGNATION 1.00
N 2,197
Note: This table presents the Pearson correlations for internal control weakness variables and auditor
response strategies. NA stands for ‘‘not applicable.’’ Since firms that resign from clients no longer assess
audit fees and issue audit opinions, we designate the correlations between RESIGNATION and
AUDFEECG and between RESIGNATION and AUDOPINION as NA. The p-values are presented in the
parentheses. The sample size is 2,197 for Tables 8–10. Since we focus on auditors’ responses to control
risk, we exclude 139 auditor dismissal firms from the full sample of 2,350 firms. We then exclude one firm
with missing audit fee information in the 302 period. We finally exclude thirteen auditor resignation firms
with modified opinions, because these opinions may be issued by their replacement auditors. All variable
definitions are in Appendix A.
The sample size is 2,197 for Tables 8–10. Because we focus on auditors’
responses to control risk, we exclude 139 auditor dismissal firms from the full
sample of 2,350 firms. We then exclude one firm with missing audit fee informa-
tion in the 302 period. Finally, we exclude thirteen auditor resignation firms with
modified opinions, because these opinions may be issued by their replacement
auditors.
ICW is significantly related to increasing audit fees (AUDFEECG), modi-
fied opinions (OPINION), and auditor resignations (RESIGNATION). Interest-
ingly, ICWACCT is significantly correlated with AUDFEECG and OPINION,
but ICWCOMP is significantly correlated to AUDFEECG and RESIGNATION.
While auditors increase audit fees for all types of weaknesses, they tend to use
resignations for the more severe company-level weaknesses and issue modified
opinions for the less severe account-specific weaknesses. These findings suggest
that a pecking order exists among auditors’ risk management strategies.
The correlation between AUDFEECG and OPINION is significantly negative
at the 5 percent level, suggesting that AUDFEECG and OPINION may be substi-
tutes. We also examine the 308 ICW firms from the sample of 2,197 firms used
in Tables 8–10, and classify them into one group with modified opinions and
another group without modified opinions. Out of these 308 ICW firms, the aver-
age audit fee increase for 136 firms with modified opinions is 145 percent and
that for 172 firms without modified opinions is 175 percent. The difference
between the two groups is significant at the 10 percent level. These findings pro-
vide additional evidence that AUDFEECG and OPINION may be substitutes.
Because firms that resign from clients no longer assess audit fees and issue opin-
ions, the correlations between RESIGNATION and AUDFEECG and between
RESIGNATION and OPINION are not applicable.
We follow the preliminary findings in Table 8 and further investigate
whether auditors’ risk management strategies have a pecking order of audit fee
adjustments, modified opinions, and auditor resignations. We first sort our sam-
ple into three mutually exclusive groups: (1) firms with no auditor resignations
and no modified opinions, (2) firms with modified opinion but no auditor resig-
nations, and (3) firms with auditor resignations. We refer to Group 1 as the Fee
Adjustment Group and assign a value of one, Group 2 as the Modified Opinion
Group and assign a value of two, and Group 3 as the Resignation Group and
assign a value of three. Note that three is the most severe response, whereas one
is the least severe response.
Table 9 presents the descriptive evidence by comparing the proportion of in-
ternal control weaknesses, including account-specific weaknesses and company-
level weaknesses, for each strategy group. ICWs are found in 10.2 percent of the
firms in Group 1, 20.1 percent of the firms in Group 2, and 55.3 percent of the
firms in Group 3. There is an increasing trend in the proportion of ICW firms
from Group 1 to Group 3. The difference between Groups 2 and 1 and that
between Groups 3 and 2 are significant at the 1 percent level, suggesting that a
pecking order exists in client risk management strategies. Auditors are likely to
TABLE 9
Proportion of Firms with Internal Control Weaknesses
in Each Auditor Response Group
Difference Difference
Group 1 Group 2 Group 3 between between
Audit Fee Modified Auditor Groups Groups
Variable Adjustment Opinion Resignation 2 and 1 3 and 2
ICW 0.102 0.201 0.553 0.099*** 0.352***

ICWACCT 0.075 0.157 0.158 0.082*** 0.001
ICWCOMP 0.027 0.044 0.395 0.017** 0.351***
N 1,482 677 38
**
Note: This table presents the proportion of firms with internal control weaknesses, including account-
specific weaknesses and company-level weaknesses, for each auditor response group. The rows for
ICWACCT and ICWCOMP are italicized to emphasize that the summation of these two rows is equal to the
ICW row. We use the two-sample t-test to test the differences in mean between Groups 2 and 1 and between
Groups 3 and 2, respectively. The sample size for this table is the same as that for Table 8. All variable defi-
nitions are in Appendix A.
raise audit fees when dealing with a portfolio of clients with low control risk on
average, issue modified opinions when dealing with a portfolio of clients with in-
termediate control risk on average, and tender their resignations when dealing
with a portfolio of clients with high control risk on average.
We further separate ICW into ICWACCT and ICWCOMP. We find 73.5 per-
cent (0.075/0.102) of ICW firms in the Fee Adjustment Group and 78.1 percent
(0.157/0.201) of ICW firms in the Modified Opinion Group have account-
specific weaknesses, whereas 71.4 percent (0.395/0.553) of ICW firms in the
Resignation Group have company-level weaknesses. These findings again suggest
that a pecking order exists in auditors’ client risk management strategies. Audi-
tors tend to increase audit fees and issue modified opinions to manage control
risk resulting from the less severe account-specific weaknesses and use resigna-
tions to manage control risk resulting from the more severe company-level weak-
nesses. This is consistent with our findings in Tables 5 and 7, adding credence to
our results.
4.5.2 Ordered Logit Analyses

Table 10 reports the ordered logit regression. The auditor response as a de-
pendent variable is assigned a value of one for the Fee Adjustment Group, two
for the Modified Opinion Group, and three for the Resignation Group. Model 1
TABLE 10
Ordered Logit Analyses of the Relation between Auditor Responses
and Internal Control Weaknesses
ICW 1.14
(70.06)***
ICWACCT 0.97
(40.52)***
ICWCOMP 1.71
(49.68)***
|DTACC| 1.16 1.16
(3.47)* (3.45)*
LEV 0.50 0.54
(4.01)** (4.71)**
ROA 0.36 0.43
(0.66) (0.91)
LOSS 0.26 0.27
(3.05)* (3.07)*
ZSCORE 0.04 0.04
(13.63)*** (12.42)***
LOG (TA) 0.32 0.32
(86.25)*** (86.22)***
SALEGR 0.04 0.05
(0.24) (0.37)
BIG4 0.11 0.19
(0.28) (0.73)
Pseudo R2 10.15% 10.38%
N 2,197 2,197
* **
, , and *** denote two-tailed significance at the 10, 5, and 1 percent levels, respectively.
Note: This table presents the ordered logit regression results for auditor responses in the order of audit
fee adjustments, modified opinions, and auditor resignations and audit risk variables, client business varia-
bles, and control variables. The w2 statistics are reported in the parentheses. In our regression models, we
control for industry dummies, but do not report the coefficients on these industry dummies for brevity. See
Table 3 for more details. The sample size for this table is the same as that for Table 8. All variable defini-
tions are in Appendix A.
presents the results from the ordered logit regressions using the ICW dummy
variable. The coefficient on ICW is significantly positive at the 1 percent level,
supporting Hypothesis 4. Because the auditor attestation requirement in SOX 404
exposes auditors to control risk, auditors manage this risk by using a set of or-
dered strategies. Moreover, firms with large absolute discretionary accruals are
more likely to trigger severe responses. Loss firms and high distress risk firms,
as well as large firms, are also more likely to cause severe responses. We replace
ICW with ICWACCT and ICWCOMP in Model 2, and find the coefficients on
ICWACCT and ICWCOMP to be significantly positive at the 1 percent level. Our
results from Models 1 and 2 suggest that a pecking order exists among auditors’
client risk management strategies. As the clients’ control risk increases, auditors
are likely to respond in the order of audit fee adjustments, modified opinions,
and auditor resignations.
We further follow the group classification schedule in Section 4.5.1, and cre-
ate an index based on the severity of auditors’ responses. Groups 1, 2, and 3 are
the audit fee adjustment, modified opinion, and auditor resignation groups,
respectively. We first sort all our sample firms by group numbers from 1 to 3,
and then sort all firms within each group by the audit fee increase variable in
ascending order. Based on this order, we calculate the fractional ranks for these
firms and let the auditor response index be the fractional rank value. According
to our construction, a large index value represents a more severe response from
the auditor and vice versa. Our untabulated results show that the ICW variable
has a significantly positive impact on the auditor response index, suggesting that
ICW firms are more likely to trigger severe responses from the auditors. The
combined evidence in this section suggests that auditors draw from a set of or-
dered strategies to manage client-related control risk.
4.6 Robustness Checks

We perform the following robustness tests:
(1) We perform all the analyses in Tables 2–3, 5, and 7–10 for the 302 pe-
riod. While the results are somewhat weaker, they are similar to those
reported in Tables 2–3, 5, and 7–10.
For all models in Tables 3–7 and 10, we perform the following tests:
(2) We replace the ICW dummy with the number of internal control weak-
nesses.
(3) We replace total assets with either sales or market value of equity as of
December 31, 2004, as a measure of size.
(4) We winsorize absolute discretionary accruals, leverage, and return on assets
at the 1 percent and 99 percent levels to reduce the impact of extreme values.
(5) We exclude the industry dummy variables used in Tables 3–7 and 10.
In all these cases, our results are robust to these alternative specifications,
adding credence to our findings.
5. Conclusion
Using several measures of clients’ control risk based on their recent public
internal control disclosures under SOX 404, we study how auditors manage
their client-related risk. We find that a pecking order exists among auditors’
APPENDIX A
Variable Definitions
Dependent Variables:
AUDFEE: Total audit fee.

NON-AUDFEE: Total non-audit fee.
TOTFEE: Total fee.
OPINION: One if the firm received a modified opinion (Audit opinion
code is between 2 and 5 for #149); zero otherwise, fol-
lowing Bradshaw, Richardson, and Sloan [2001]).
AUDCHG: One if the firm changed auditor; zero otherwise.
RESIGNATION: One if the firm’s auditor resigned; zero otherwise.
DISMISSAL: One if the firm dismissed its auditor; zero otherwise.
Audit Risk Variables:
ICW: One if the firm has internal control weaknesses; zero

otherwise.
ICWACCT: Account-specific weakness. One if the firm has weaknesses
related to less than three account-specific problems; zero
otherwise (following Doyle, Ge, and McVay [2007b]).
ICWCOMP: Company-level weakness. One if the firm has either
weaknesses related to ‘‘ineffective control environment’’
or ‘‘management override’’ in the disclosure or
weaknesses related to at least three account-specific
problems; zero otherwise (following Doyle, Ge, and
McVay [2007b]).
|DTACC|: The absolute value of DTACC. DTACC is the residual from
TOTACCi,t ¼ b0(1/TAi,t1) þ b1(DSALESi,t DARi,t)/
TAi,t1þ b2(PPEi,t/TAi,t1) (following Kothari, Leone,
and Wasley [2005]). Note that TOTACC ¼ [EBEI(#123)
– (CFO(#308) – EIDO(#124))]/lagged total assets
(following Hribar and Collins [2002]); DSALES is the
change in a firm’s sales revenue (#12); DAR is the
change in accounts receivable (#2); PPE is gross
property, plant, and equipment (#7); and TA is total
assets (#6). The regression is estimated for firms in a
given two-digit SIC code each year.
Client Business Risk Variables:
LEV: Ratio of total debts, both short-term (#34) and long-term

(#9), to total assets (#6).
ROA: Income before extraordinary items (#18) divided by average
total assets (#6).
LOSS: One if the firm incurred a loss (#172) in the current fiscal
year; zero otherwise.
ZSCORE: Altman (1968) Z-Score measure of financial distress risk.
(continued )
APPENDIX A (Continued)
Control Variables:
TA: Total assets (#6), in millions.

SALEGR: Sales growth is the difference in sales (#12) between year t
and year t1 over sales (#12) in year t 1.
BUS: Number of business segments (Compustat segment file).
BIG4: One if the firm’s auditor is a Big 4 auditor (#149); zero
otherwise.
Change Variables:
AUDFEECG$: Change in audit fees from the 302 period to the 404 period.
AUDFEECG: Change in audit fees from the 302 period to the 404 period
divided by audit fees in the 302 period.
OPINIONCG: Change in the modified opinion dummy variable from the
302 period to the 404 period.
ICWCG: Change in the internal control weakness dummy variable
from the 302 period to the 404 period.
ICWCOMPCG: Change in the dummy variable for company-level material
weaknesses from the 302 period to the 404 period.
ICWACCTCG: Change in the dummy variable for account-specific material
weaknesses from the 302 period to the 404 period.
|DTACC|CG: Change in discretionary accruals from the 302 period to
the 404 period divided by discretionary accruals in the
302 period.
LEVCG: Change in leverage from the 302 period to the 404 period
divided by leverage in the 302 period.
ROACG: Change in return on assets from the 302 period to the 404
period divided by the return on assets in the 302 period.
LOSSCG: Change in the LOSS dummy variable from the 302 period
to the 404 period.
ZSCORECG: Change in ZSCORE from the 302 period to the 404 period
divided by the ZSCORE in the 302 period.
TACG: Change in totals assets from the 302 period to the 404
period divided by totals assets in the 302 period.
SALEGRCG: Change in sales growth from the 302 period to the 404
period divided by the sales growth in the 302 period.
Note: Compustat item numbers are in parentheses. The 302 period is for fiscal years ending between
November 15, 2003, and December 14, 2004, during which time firms were governed by SOX 302, and the
404 period is for fiscal years ending between November 15, 2004, and December 14, 2005, during which
time firms were governed by SOX 404. We require all variables (except for AUDCHG and the change varia-
bles) pertain to fiscal years ending between November 15, 2003, and November 14, 2004, for the 302 pe-
riod, and to fiscal years ending from November 15, 2004, to December 14, 2005, for the 404 period.
Because no fiscal year is related to AUDCHG, the auditor change variable, we classify an auditor change
into the 302 period if the announcement was made between November 15, 2003, and November 14, 2004,
and into the 404 period if the announcement was made between November 15, 2004, and November 14,
2005. The change variables capture the changes in these variables from the 302 period to the 404 period.
strategies to manage control risk resulting from internal control weaknesses. We

first examine the relation between internal control weaknesses and audit fees,
modified opinions, and auditor resignations, respectively, and establish that these
are viable strategies to manage control risk on a stand-alone basis. We also find that
changes in audit fees and changes in modified opinions are positively associated
with changes in reported internal control weaknesses. When we investigate these
strategies simultaneously, descriptive evidence suggests that a pecking order exists
among auditors’ client risk management strategies. Our ordered logit analyses con-
firm that as clients’ control risk increases, auditors are likely to respond in the order
of audit fee adjustments, modified opinions, and auditor resignations. Our compre-
hensive evidence suggests that auditors use an array of ordered strategies to manage
client-related control risk.
REFERENCES
AICPA (American Institute of Certified Public Accountants). 1983. Audit Risk and Materiality in
Conducting an Audit. Statement on Auditing Standards No. 47. New York, NY: AICPA.
———. 1988a. Reports on Audited Financial Statements. Statement on Auditing Standards No. 58.
New York, NY: AICPA.
———. 1988b. Communication of Internal Control Structure Related Matters Noted in an Audit.
Statement on Auditing Standards No. 60. New York, NY: AICPA.
———. 2006. Audit Risk and Materiality in Conducting an Audit. Statement on Auditing Standards
No. 107. New York, NY: AICPA.
Altman, E., 1968. ‘‘Financial Ratios, Discriminant Analysis, and the Prediction of Corporate Bank-
rupcy.’’ Journal of Finance 23: 589–609.
Arens, A., R. Elder, and M. Beasley. 2006. Auditing and Assurance Services: An Integrated
Approach. Upper Saddle River, NJ: Prentice-Hall.
Asbaugh, H., R. LaFond, and B. Mayhew. 2003. ‘‘Do Non-Audit Services Compromise Independ-
ence? Further Evidence.’’ The Accounting Review 78 (2): 611–639.
Ashbaugh-Skaife, H., D. Collins, and W. Kinney. 2007. ‘‘The Discovery and Consequences of Inter-
nal Control Deficiencies Prior to SOX-Mandated Audits.’’ Journal of Accounting and Eco-
nomics 44 (1–2): 166–192.
Ashbaugh-Skaife, H., D. Collins, W. Kinney, and R. LaFond. 2008. ‘‘The Effect of SOX Internal
Control Deficiencies and Their Remediation on Accrual Quality.’’ The Accounting Review 83
(1): 217–250.
———. 2009. ‘‘The Effect of Internal Control Deficiencies on Firm Risk and Cost of Equity.’’ Jour-
nal of Accounting Research 47 (March): 1–43.
Bartov, E., F. Gul, and J. Tsui. 2000. ‘‘Discretionary-Accruals Models and Audit Qualifications.’’
Journal of Accounting and Economics 30: 421–452.
Bedard, J., and K. Johnstone. 2004. ‘‘Earnings Manipulation Risk, Corporate Governance Risk, and
Auditors’ Planning and Pricing Decisions.’’ The Accounting Review 79: 277–304.
Bell, T., W. Landsman, and D. Shackelford. 2001. ‘‘Auditors’ Perceived Business Risk and Audit
Fees: Analysis and Evidence.’’ Journal of Accounting Research 39 (June): 35–44.
BRC (Blue Ribbon Committee). 1999. Report and Recommendations of the Blue Ribbon Committee
on Improving the Effectiveness of Corporate Audit Committees. Stamford, CT: BRC.
Blacconiere, W., and M. DeFond. 1997. ‘‘An Investigation of Independent Audit Opinions and Subse-
quent Independent Auditor Litigation of Publicly-Traded Failed Savings and Loans.’’ Journal
of Accounting and Public Policy 16 (4): 415–454.
Bradshaw, M., S. Richardson, and R. Sloan. 2001. ‘‘Do Analysts and Auditors Use Information in
Accruals?’’ Journal of Accounting Research 39 (1): 45–73.
Butler, M., A. Leone, and M. Willenborg. 2004. ‘‘An Empirical Analysis of Auditor Reporting and
Its Association with Abnormal Accruals.’’ Journal of Accounting and Economics 37: 139–
165.
Chow, C., and S. Rice. 1982. ‘‘Qualified Audit Opinions and Auditor Switching.’’ The Accounting
Review 57: 326–335.
DeAngelo, L. 1981. ‘‘Auditor Independence, ÔLow Balling,Õ and Disclosure Regulation.’’ Journal of
Accounting and Economics 3: 113–127.
DeFond, M., and K. Subramanyam. 1998. ‘‘Auditor Changes and Discretionary Accruals.’’ Journal of
Accounting and Economics 25 (February): 35–67.
Doyle, J., W. Ge, and S. McVay. 2007a. ‘‘Determinants of Weakness in Internal Control over Finan-
cial Reporting.’’ Journal of Accounting and Economics 44 (1–2): 193–223.
———. 2007b. ‘‘Accruals Quality and Internal Control over Financial Reporting.’’ The Accounting
Review 82 (5): 1141–1170.
Elder, R., and R. Allen. 2003. ‘‘A Longitudinal Field Investigation of Auditor Risk Assessments and
Sample Size Decisions.’’ The Accounting Review 78 (4): 983–1002.
Ettredge, M., J. Heintz, C. Li, and S. Scholz. 2006. ‘‘Auditor Realignments Accompanying Imple-
mentation of SOX 404 Reporting Requirements.’’ Working paper, University of Kansas.
Fama, E., and K. French. 1997. ‘‘Industry Cost of Equity.’’ Journal of Financial Economics 43 (2): 153–193.
Francis, J. 1984. ‘‘The Effect of Audit Firm Size on Audit Prices: A Study of the Australian Mar-
ket.’’ Journal of Accounting and Economics 6 (2): 133–151.
Francis, J., and D. Stokes. 1986. ‘‘Audit Prices, Product Differentiation, and Scale Economies: Fur-
ther Evidence from the Australian Audit Market.’’ Journal of Accounting Research 24 (2):
383–393.
Francis, J., and J. Krishnan. 1999. ‘‘Accounting Accruals and Auditor Reporting Conservatism.’’ Con-
temporary Accounting Research 16: 135–165.
Francis, J., K. Reichelt, and D. Wang. 2005. ‘‘The Pricing of National and City-Specific Reputations
for Industry Expertise in the U.S. Audit Market.’’ The Accounting Review 80 (1): 113–136.
Ge, W., and S. McVay. 2005. ‘‘The Disclosure of Material Weaknesses in Internal Control after the
Sarbanes-Oxley Act.’’ Accounting Horizon 19 (3): 137–158.
Greene, W. 2000. Econometric Analysis. Upper Saddle River, NJ: Prentice-Hall
Hertz, K. 2006. ‘‘The Impact of SOX on Auditor Resignations and Dismissals.’’ Working paper, Uni-
versity of Washington.
Hill, J., R. Ramsay, and D. Simon. 1994. ‘‘Audit Fees and Client Business Risk during the S&L Cri-
sis: Empirical Evidence and Directions for Future Research.’’ Journal of Accounting and Pub-
lic Policy 13: 185–203.
Hogan, C., and M. Wilkins. 2008. ‘‘Evidence on the Audit Risk Model: Do Auditors Increase Audit
Effort in the Presence of Internal Control Deficiencies?’’ Contemporary Accounting Research
25 (1): 219–242.
Hoitash, R., U. Hoitash, and J. Bedard. 2008. ‘‘Internal Control Quality and Audit Pricing under the
Sarbanes-Oxley Act.’’ Auditing: A Journal of Practice and Theory 27 (1): 105–126.
Hribar, P., and D. W. Collins. 2002. ‘‘Errors in Estimating Accruals: Implications for Empirical
Research.’’ Journal of Accounting Research 40 (1): 105–34.
Johnstone, K. 2000. ‘‘Client-Acceptance Decisions: Simultaneous Effects of Client Business Risk,
Audit Risk, Auditor Business Risk, and Risk Adaptation.’’ Auditing: A Journal of Practice
and Theory 19 (1): 1–25.
Johnstone, K., and J. Bedard. 2003. ‘‘Risk Management in Client Acceptance Decisions.’’ The
Accounting Review 78 (4): 1003–1026.
———. 2004. ‘‘Audit Firm Portfolio Management Decisions.’’ Journal of Accounting Research 42
(4): 659–690.
Kothari, S., A. Leone, and C. Wasley. 2005. ‘‘Performance Matched Discretionary Accrual Meas-
ures.’’ Journal of Accounting and Economics 39 (1): 163–197.
Krishnan J. 2005. ‘‘Audit Committee Quality and Internal Control: An Empirical Analysis.’’ The
Accounting Review 80 (2): 649–675.
Krishnan, J., and J. Krishnan. 1996. ‘‘The Role of Economic Trade-Offs in the Audit Opinion Decision:
An empirical Analysis.’’ Journal of Accounting, Auditing, & Finance 11 (Fall): 565–586.
———. 1997. ‘‘Litigation Risk and Auditor Resignations.’’ The Accounting Review 72 (October):
539–560.
Landsman, W., K. Nelson, and B. Rountree. 2009. ‘‘Auditor Switches in the Pre- and Post-Enron
Eras: Risk or Realignment?’’ The Accounting Review 84 (March): 531–558.
Lyon, J., and M. Maher. 2005. ‘‘The Importance of Business Risk in Setting Audit Fees: Evidence
from Cases of Client Misconduct.’’ Journal of Accounting Research 43 (1): 133–151.
Ogneva, M., Subramanyam, K., and K. Raghunandan. 2007. ‘‘Internal Control Weaknesses and Cost
of Equity: Evidence from SOX Section 404 Disclosures.’’ The Accounting Review 82 (5):
1255–1297.
Palmrose, Z. 1986. ‘‘Audit Fees and Auditor Size: Further Evidence.’’ Journal of Accounting
Research 24 (1): 97–110.
PCAOB (Public Company Accounting Oversight Board). 2004. An Audit of Internal Control over Fi-
nancial Reporting Performed in Conjunction with an Audit of Financial Statements. Auditing
Standard No. 2. Washington, DC: PCAOB.
———. 2007. An Audit of Internal Control over Financial Reporting that is Integrated with an Audit
of Financial Statements. Auditing Standard No. 5. Washington, DC: PCAOB.
Raghunandan, K., and D. Rama. 2006. ‘‘SOX Section 404 Material Weakness Disclosures and Audit
Fees.’’ Auditing: A Journal of Practice and Theory 25 (1): 99–114.
Reynolds, K., and J. Francis. 2001. ‘‘Does Size Matter? The Influence of Large Clients on Office-
Level Auditor Reporting Decisions.’’ Journal of Accounting and Economics 30: 375–400.
SEC (Securities and Exchange Commission). August 29, 2002. Certification of Disclosure in Compa-
nies’ Quarterly and Annual Reports. Release No. 33-8124. Washington, DC: SEC.
———. June 5, 2003. Management’s Report on Internal Control over Financial Reporting and Certi-
fication of Disclosure in Exchange Act Periodic Reports. Release No. 33-8238. Washington,
DC: SEC.
———. February 24, 2004. Management’s Report on Internal Control over Financial Reporting and
Certification of Disclosure in Exchange Act Periodic Reports. Release No. 33-8392. Washing-
ton, DC: SEC.
———. September 22, 2005. Management’s Report on Internal Control over Financial Reporting
and Certification of Disclosure in Exchange Act Periodic Reports of Companies that Are
Non-Accelerated Filers. Release No. 33-8618. Washington, DC: SEC.
———. December 21, 2005. Revisions to Accelerated Filer Definition and Accelerated Deadlines for
Filing Periodic Reports. Release No. 33-8644. Washington, DC: SEC.
———. December 15, 2006. Internal Control over Financial Reporting in Exchange Act Periodic
Reports of Non-Accelerated Filers and Newly Public Companies. Release No. 33-8760. Wash-
ington, DC: SEC.
———. June 26, 2008. Internal Control over Financial Reporting in Exchange Act Periodic Reports
of Non-Accelerated Filers. Release No. 33-8934. Washington, DC: SEC.
Seetharaman, A., F. Gul, and S. Lynn. 2002. ‘‘Litigation Risk and Audit Fees: Evidence from UK
firms Cross-Listed on US markets.’’ Journal of Accounting and Economics 33 (1): 91–115.
Shu, S. 2000. ‘‘Auditor Resignations: Clientele Effects and Legal Liability.’’ Journal of Accounting
and Economics 29 (2): 173–205.
Smith, D. 1986. ‘‘Auditor ÔSubject toÕ Opinions, Disclaimers, and Auditor Changes.’’ Auditing: A
Journal of Practice and Theory 6 (Fall): 95–108.
Stice, J. 1991. ‘‘Using Financial and Market Information to Identify Pre-Engagement Factors Associ-
ated with Lawsuits against Public Accountants.’’ The Accounting Review 66 (July): 516–533.
Wegman, J. 2005. ‘‘The Sarbanes-Oxley Act and Accountant Liability.’’ Proceedings of the Academy
of Legal, Ethical and Regulatory Issues 9 (2): 47–51.
White, H. 1980. ‘‘A Heteroskedasticity-Consistent Covariance Matrix Estimator and a Direct Test for
Heteroskedasticity.’’ Econometrica 48: 817–838.
Xie, B., W. Davidson, and P. DaDalt. 2003. ‘‘Earnings Management and Corporate Governance: the
Role of the Board and the Audit Committee.’’ Journal of Corporate Finance 9: 295–316.
Zhang, Y., J. Zhou, and N. Zhou. 2007. ‘‘Audit Committee Quality, Auditor Independence, and Inter-
nal Control Weaknesses.’’ Journal of Accounting and Public Policy 26 (3): 300–327.
Copyright of Journal of Accounting, Auditing & Finance is the property of Greenwood Publishing and its
content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's
express written permission. However, users may print, download, or email articles for individual use.

Jurnal Audit1 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Jurnal Audit1 PDF

Uploaded by

Copyright:

Available Formats

Internal Control Weaknesses

and Client Risk Management

Keywords: Internal Control Weaknesses, Client Risk Management, Audit Fee

Unlike research that examines either audit fees or auditor turnover on a

2. Background and Hypotheses

2.2 Client-Related Risk

2.3 Conceptual Framework

2.4 Hypothesis Development

conceptual framework, we hypothesize that the severity of the auditor response is

3. Sample and Methodology

Sample Characteristics Number of Firms

Total firms with internal control disclosures in AuditAnalytics 3,737

Note: REIT ¼ real estate investment trust; SOX ¼ Sarbanes-Oxley Act.

Control risk is the perceived level of risk that a material misstatement in a

Full Sample ICW Non-ICW ICW vs. Non-ICW

ICW 0.147 1.00 0.00 1.00***

Variable Model 1 Model 2

Intercept 10.42 10.41

4.2 Audit Fees and Internal Control Weaknesses

Specifically, we model audit fee (AUDFEE) as a function of audit risk (control

(1997) forty-eight-industry classification. We set the cutoff points at 5 percent of

4.2.2 Change in Audit Fees

ICWCG used in Model 1 is a variable representing the change in reported inter-

Variable Model 1 Model 2

Intercept 1.30 1.31

4.3 Modified Audit Opinions and Internal Control Weaknesses

Variable Model 1 Model 2

Intercept 3.20 3.19

27. We thank an anonymous referee for this insight.

4.3.2 Change in Modified Audit Opinions

Variable Model 1 Model 2

The dependent variable OPINIONCG represents the change in modified audit

4.4 Auditor Resignations and Internal Control Weaknesses

Intercept 4.47 6.13 3.92 6.05

4.5 Pecking-Order Analyses

ICW ICWACCT ICWCOMP AUDFEECG OPINION RESIGNATION

ICW 1.00 0.83 0.50 0.15 0.12 0.16

ICW 0.102 0.201 0.553 0.099*** 0.352***

4.5.2 Ordered Logit Analyses

Variable Model 1 Model 2

4.6 Robustness Checks

AUDFEE: Total audit fee.

Audit Risk Variables:

ICW: One if the firm has internal control weaknesses; zero

Client Business Risk Variables:

LEV: Ratio of total debts, both short-term (#34) and long-term

TA: Total assets (#6), in millions.

strategies to manage control risk resulting from internal control weaknesses. We

You might also like

ICW 0.102 0.201 0.553 0.099* 0.352*