Accounting Horizons

Vol. 20, No. 2

June 2006
pp. 157–177

Auditor Risk Assessment: Insights from

the Academic Literature
Robert D. Allen, Dana R. Hermanson, Thomas M. Kozloski,
and Robert J. Ramsay
SYNOPSIS: To contribute to the PCAOB project on risk assessment in financial state-
ment audits, we draw on the academic literature to offer insights and conclusions on
the risk-assessment process. We use the PCAOB’s (2005) recent briefing paper on risk
assessment as the organizing framework for our literature review, and we examine
academic auditing literature addressing topics including business risk, inherent risk,
control risk, fraud risk, linking risk assessments to subsequent testing, and the audit
risk model. Overall, we believe that the results of academic research are consistent
with the PCAOB staff’s apparent reconsideration of the auditor’s risk-assessment proc-
ess. We conclude with identification of future research topics and recognition of barriers
to performing research that is relevant to standard setters.

INTRODUCTION

T
o facilitate the development of auditing standards and to inform regulators of insights
from the academic auditing literature, the Auditing Section of the American Ac-
counting Association (AAA) has decided to develop a series of literature syntheses
for the Public Company Accounting Oversight Board (PCAOB). This is the first literature
synthesis prepared under this program. This author team contains members of the Auditing
Section’s Auditing Standards Committee. Another team includes Auditing Standards and
Research Committee members, and the Section’s Executive Committee has recently selected
seven additional research teams. The views expressed in this paper are those of the authors
and do not reflect an official position of the AAA or the Auditing Standards Committee.
In addition, while discussions with PCAOB staff helped us identify the issues that are most
relevant to setting audit standards, the author team was not selected or managed by the
PCAOB, and the resulting paper expresses our views, which may or may not correspond
with views held by the PCAOB and its staff.
The PCAOB is engaged in a project on auditor risk assessment in financial statement
audits. In this project, the PCAOB is considering the development of new auditing standards

Robert D. Allen is an Associate Professor at the University of Utah, Dana R. Hermanson

is a Professor at Kennesaw State University, Thomas M. Kozloski is an Assistant Professor
at Wilfrid Laurier University, and Robert J. Ramsay is an Associate Professor at the Uni-
versity of Kentucky.
We acknowledge the research assistance of Fred Muchunu and helpful comments received from Mark Beasley,
Jean Bedard, Joe Carcello, Rich Houston, Bob Lipe (the editor), Ed O’Donnell, Arnie Wright, and the reviewers.
Submitted: July 2005
Accepted: September 2005
Corresponding author: Dana R. Hermanson
Email: dhermans@kennesaw.edu

157
158 Allen, Hermanson, Kozloski, and Ramsay

to provide additional guidance to auditors and/or to articulate new requirements in the

auditor’s risk-assessment process. On February 16, 2005, the PCAOB’s Standing Advisory
Group (SAG) discussed the risk-assessment project. In advance of the SAG meeting,
PCAOB staff prepared a briefing paper to outline issues of interest in the project (PCAOB
2005). The briefing paper poses ten broad questions for consideration by the SAG.
The purpose of our paper is to contribute to the PCAOB project by providing relevant
insights from the academic literature on auditor risk assessment. We use the briefing paper’s
ten questions as the organizing framework for our literature review. We searched the lit-
erature to identify academic research that directly or indirectly addresses issues in the
briefing paper’s ten questions.1 Note that we have tried to keep the number of cited papers
manageable, with the goal of succinctly synthesizing the research most likely to be of
interest to the PCAOB.
Our primary conclusions from the literature review are (in order of appearance in the
text):

1. Using a business process focus in assessing client risks appears to offer a number
of advantages in the audit, especially if supported with appropriate decision aids
and analytical procedures. Firms apply the business process approach differently,
so guidance for using this approach may be helpful. This approach may result in
auditors being less sensitive to micro-level risks, and decision aids must be carefully
designed, as their orientation (i.e., a negative focus emphasizing risks and their
consequences versus a positive focus) can influence auditor judgments.
2. Industry expertise and specialization are critical to effective risk assessment.
3. Fraud risk assessments are enhanced by considering fraud risks separately from
misstatements due to error, brainstorming about fraud risks, and thinking strategi-
cally about client management’s possible efforts to commit and conceal fraud.
4. Systems dynamics (a methodology for studying and managing complex feedback
systems) may provide auditors a framework to assess potential risk. In addition,
auditors may consider tools such as data envelopment analysis (‘‘a linear program-
ming-based technique that converts multiple input and output measures into a single
comprehensive measure of productive efficiency’’ [Bradbury and Rouse 2002, 263])
to help combine multiple risk-assessment models/measures. We encourage research
on the applicability of risk-assessment methods in other fields (e.g., corporate gov-
ernance ratings, directors and officers [D&O] insurers, analysts, and debt-rating
agencies) to the audit arena.
5. Individual fraud risk factors are difficult to interpret, measure, and weight. Some
evidence suggests that auditors’ fraud risk assessments are not well calibrated to
the presence of risk factors. In addition, the evidence on the effectiveness of fraud
risk decision aids is mixed.
6. Inherent risk is the potential for material misstatement in an account before con-
sidering the client’s internal controls. Inherent risk assessments (a) often are not
meaningfully applied to each assertion; (b) may be decreasing over time, possibly
to promote audit efficiency; and (c) sometimes are combined with control risk into
one risk factor.

1
Search strings included terms such as business risk, inherent risk, control risk, audit risk model, fraud risk, risk
assessment, etc. We also scanned / searched the programs of selected recent academic conferences and other
online sources to identify potentially relevant working papers, and we contacted certain researchers known to
be working in the area and asked for current working papers.

Accounting Horizons, June 2006

Auditor Risk Assessment: Insights from the Academic Literature 159

7. Auditors appear to respond to global factors (e.g., management integrity, corporate

governance) when making micro-level risk assessments; however, proper weighting
of global factors is challenging in the fraud context.
8. Testing of and reliance on internal controls have increased markedly in recent years.
9. Subsequent audit testing is weakly positively related to assessed risks; therefore,
efforts to improve this linkage appear to be quite appropriate. Limited archival
evidence suggests that responsiveness to client risks has improved in recent years.
10. The audit risk model appears to be sound as a conceptual tool, but it has some
significant limitations as a mathematical equation.
The next section presents research insights, and the final section provides concluding
comments.

RESEARCH INSIGHTS RELATED TO PCAOB QUESTIONS

Below, we present the text of each PCAOB briefing paper question, followed by key
insights from the academic literature. Although we recognize that the risk of fraud is an
integral component of overall audit risk, we also recognize the special problems in iden-
tifying, assessing, and responding to fraud risk. As a result, we discuss general audit risk-
assessment issues first, followed by issues related specifically to fraud risk assessment (if
applicable).2

Using an Understanding of the Company and Its Environment to Identify and

Assess Risks
Question 1: What would an auditor need to do to obtain an adequate understanding
of the company and environment to identify risks that could result in
material misstatement of the financial statements? When answering this
question, please consider situations involving new clients about which the
firm (or office) has little or no relevant industry expertise.

Identifying and Assessing Audit Risk

In recent years, many auditors have expanded their focus to explicitly include the
client’s strategy and business processes. A number of recent studies examine whether a
business process focus affects auditors’ effectiveness in identifying risks. For example, Bell
et al. (1997) describe how this approach moves auditors from a balance sheet orientation
to a broader focus on the overall organization, its environment, and its key processes.
Lemon et al. (2000) describe the extent to which firms are adopting this focus in their
audit methodology, and Eilifsen et al. (2001) describe how this approach is applied to an
individual audit. The approach involves:

2
Auditors assess risk in the planning stage of the audit (initial risk assessment), and new evidence may be
uncovered during the audit that causes the auditor to revise the initial risk assessment. In fact, Bell et al. (2005,
15) describe all audit procedures as ‘‘different and complementary kinds of risk assessment procedures’’—
suggesting that the entire audit is a risk-assessment effort. While risk assessment may occur at different points
in the audit process, much of the academic literature addresses auditors’ initial risk assessments and their impact
on the performance of the audit. Other studies examine revisions to risk assessments when auditors uncover
new information during the audit.

Accounting Horizons, June 2006

160 Allen, Hermanson, Kozloski, and Ramsay

● understanding and developing a mental model of the client’s strategic environment,

● understanding the key processes for executing that strategy, including the related
risks and controls, and
● relating these factors to financial statement assertions.
Understanding the client’s business processes aids in understanding key performance in-
dicators and in developing expectations for financial statement accounts.
Several studies examine the advantages of the business process approach. Organizing
information about controls around business processes produces stronger category knowl-
edge3 during auditor training and improves internal control evaluation performance com-
pared to organizing information around traditional control objectives (Kopp and O’Donnell
2005). Using such an approach also increases the extent to which auditors integrate as-
sessments of strategic business risks (O’Donnell et al. 2005). Auditors using strategic busi-
ness risk analysis document more client business risks, and they assess the strength of the
control environment and inherent risk differently (i.e., they perceive a stronger link be-
tween the strength of the control environment and the risk of material misstatement, and
between inherent risk and the risk of material misstatement) (Kotchetova 2005). Addition-
ally, auditors’ assessments of client business risk and the analysis and documentation of
business processes influence their business process-level risk assessments (Kotchetova et
al. 2005). When auditors analyze and document business processes, their process-level risk
assessments are related to their previous assessments of entity-level business risk, indicating
that documenting the process analysis creates linkages between risks at different levels.
Finally, using software adapted to a business risk approach allows auditors to identify more
risks (O’Donnell and Schultz 2003).
Two recent studies, however, document potential disadvantages of the business risk
approach. First, Ballou et al. (2004) find that when the strategic analysis of a client indicates
that it is typical of its industry, auditors may underweight small problems within business
processes. Second, O’Donnell and Schultz (2005) find evidence of a ‘‘halo effect’’ when
auditors use strategic risk assessment. Specifically, auditors performing such strategic as-
sessments with favorable results are less likely to adjust their risk assessments at the account
level when they uncover unusual fluctuations. Thus, both studies suggest that auditors get-
ting positive news from the strategic-level risk assessment may be less attuned to specific
risks noted subsequently.
Most firms have developed decision aids to help identify client business risks, partic-
ularly on first-time audits (e.g., see Bell et al. 2002). Moreover, many have developed
software that facilitates the use of the business risk approach discussed above (O’Donnell
and Schultz 2003). However, practitioners should be aware that the orientation of a decision
aid (i.e., a negative focus emphasizing risks and their consequences versus a positive focus)
can affect auditors’ judgments (Bedard and Graham 2002). Investigating auditors’ responses
relative to their actual (as opposed to hypothetical) clients, Bedard and Graham (2002) find
that auditors who use a negatively focused decision aid identify more risk factors than
auditors using a positively focused decision aid, and auditors who use a negatively focused
decision aid link substantive tests to the risk factors.4 Auditors also can use analytical

3
Stronger category knowledge means the mental structures that auditors use to store information become more
clearly defined, which enhances the auditors’ ability to encode and remember information (Kopp and O’Donnell
2005).
4
Bedard et al. (2005) find that when assessing risk of system security (a very important specific component of
the overall risk assessment), auditors decrease risk assessments when positive client characteristics are identified,
but do not increase them when negative client characteristics are identified.

Accounting Horizons, June 2006

Auditor Risk Assessment: Insights from the Academic Literature 161

procedures that use a business risk approach and are adapted to clients’ key processes
(Ballou and Heitger 2004).5
Related to the top-down, strategic risk approach discussed above, using industry spe-
cialists appears to effectively promote understanding of a client’s business risk. The
specialists’ knowledge of an industry improves their audit risk assessments and affects the
quality of their audit-planning decisions and the relation between the risk assessments and
the planning decisions (Low 2004). Domain-specific experience affects auditors’ assess-
ments of the likelihood of material errors and improves the effectiveness of audit plans in
enabling auditors to detect errors (Bedard and Wright 1994). Industry specialization facil-
itates interpretation of incomplete signal patterns and improves resulting risk assessments
and suggested audit procedures (Hammersley 2004).6
The benefits of specialization extend beyond industry knowledge. For example, infor-
mation technology (IT) specialists recognize more types of security risks related to enter-
prise resource planning (ERP) implementations than financial auditors, yet financial auditors
appear to be overconfident in their ability to recognize risks in IT systems and often do
not see a need to consult with IT specialists when facing clients with ERP systems (Hunton
et al. 2004). Such overconfidence may be a significant issue, as controls are increasingly
embedded in IT systems. Brazel and Agoglia (2005) demonstrate that, in an ERP setting,
auditor reliance on IT specialists increases as the specialists’ competence increases, and the
accuracy of auditors’ inherent and control risk assessments is affected more by IT expertise
than by general audit experience.
Based on the above, we believe that adopting a top-down, strategically focused, and
process-oriented approach to risk assessment has both advantages and disadvantages. In
addition, different audit firms appear to apply this approach quite differently. For example,
Blokdijk et al. (2003) find that (then) Big 5 firms experienced increased hours when ap-
plying this approach, whereas non-Big 5 firms experienced decreased hours. Perhaps more
specific guidance on how to apply the top-down approach is needed to overcome some of
the identified limitations, especially given the recent emergence of this approach. For ex-
ample, auditors may develop decision aids and analytical procedures that correspond to this
focus—particularly when acquiring new clients in unfamiliar industries. Finally, the advan-
tages of auditor expertise and experience are well documented, suggesting the importance
of appropriately developing auditors and adequately staffing engagements.

Identifying and Assessing Fraud Risk

Assessing the risk of fraud (specifically, fraudulent financial reporting) is a particularly
challenging task for auditors to perform. Fraud involves intentional deception, and due to
low base rates of occurrence, the auditor may have little experience with actual instances
of fraud. Research provides evidence that requiring a separate assessment of the risk of
fraudulent financial reporting (a ‘‘decomposed’’ assessment, as opposed to a global assess-
ment of the risk of misstatement from both error and fraud) increases auditors’ sensitivity
to fraud risk factors that may be indicative of a material misstatement (Zimbelman 1997).
This approach is required by current auditing standards. SAS No. 99 (AICPA 2002), in
addition to requiring a separate fraud risk assessment, organizes and presents fraud risk

5
We also encourage readers to consult research on the client acceptance process (e.g., Huss and Jacobs 1991;
Johnstone 2000), which provides insights into auditors’ risk assessments prior to accepting an audit client.
6
Conversely, Anderson and Maletta (1994, 1) find in an experiment related to control risk that ‘‘the less experience
auditors possess, the more they focus on negative information and the more negative they are in making audit
judgments.’’ Thus, greater experience may not be an advantage in all audit situations.

Accounting Horizons, June 2006

162 Allen, Hermanson, Kozloski, and Ramsay

factors along the dimensions of the fraud triangle: incentive/motivation, opportunity/con-

ditions, and attitude (Loebbecke et al. 1989; Albrecht et al. 1995). Wilks and Zimbelman
(2004b) suggest that this additional decomposition of the fraud-risk-assessment task may
require less cognitive effort in assessing fraud risk and may allow auditors to better process
fraud risk factors.
Brainstorming to identify fraud risk factors also is required under SAS No. 99 (AICPA
2002). Carpenter (2005a) examines the brainstorming process in an experimental setting
and finds that brainstorming sessions: (1) decrease the total number of ideas that individual
auditors developed before the session, (2) increase the number of quality fraud-related ideas,
and (3) result in higher assessments of fraud risk (in particular, in the condition where
fraud existed). On balance, this study suggests that brainstorming sessions under SAS No.
99 are effective in identifying quality fraud indicators and promoting appropriate audit team
sensitivity to fraud risks. In addition, Carpenter (2005b) finds that the audit partner’s ori-
entation (focused on audit efficiency or audit effectiveness) influences the outcome of the
fraud brainstorming session. When the audit partner emphasizes audit efficiency, the session
results in a loss of quality ideas.
A number of studies and commentaries also address the broad issue of the need for
the auditor to think strategically when assessing the risk of fraud (Bloomfield 1997;
Zimbelman and Waller 1999; Wilks and Zimbelman 2004a). Using a game theory frame-
work, these studies assert that current auditing standards may encourage auditors to assess
fraud risk and plan audit tests as though the auditor and client interact in a static, instead
of a strategic, environment, where the client’s actions may anticipate the auditor’s assess-
ments and plans. These studies encourage standards and audit procedures that explicitly
recognize that fraud is a deception by management and that certain fraud risk indicators
may have been manipulated by management to indicate low fraud risk.
Other factors also influence the ability of the auditor to identify the risk of fraud in
client financial statements, and some of the evidence is mixed. Although most auditors have
little experience with actual instances of fraud, effective fraud risk assessment may be
enhanced by general and industry experience. Knapp and Knapp (2001) and Bernardi (1994)
find that managers are more successful than seniors in assessing the risk of fraud. Others
note that industry experience (Johnson et al. 1991), membership in certain industries
(Loebbecke et al. 1989), and consideration of the industry context (Beasley et al. 2000)
may be important in assessing the risk of fraud. However, Johnson et al. (1993) warn that
industry experience, while useful, also can impede fraud risk assessment by contributing
to a misleading cognitive representation of the entity under audit. Carcello and Nagy (2004)
and Loebbecke et al. (1989) note that many frauds are discovered in the early years of the
auditor-client relationship, although the reason for this finding is not clear (Nieschwietz et
al. 2000). Braun (2000) notes that under time pressure, a pervasive factor in public practice,
auditors will focus on the primary task of accumulating documentary evidence relating to
misstatements and will focus less on the qualitative aspects of misstatements, which are
important given the deceptive nature of fraud.
Therefore, in regard to fraud risk assessment in the context of Question 1, current
standards already include initiatives relating to some important research findings. The de-
composition of the fraud-risk-assessment task and brainstorming are examples. In addition,
research highlights the need to encourage auditors to think strategically about client motives
and likely actions. In general, auditor experience and expertise appear to contribute to the
quality of fraud risk assessments, but some of the evidence is mixed. Finally, as in all
critical aspects of the audit, devoting adequate time to the fraud-risk-assessment task is
important.

Accounting Horizons, June 2006

Auditor Risk Assessment: Insights from the Academic Literature 163

Additional Means to Identify and Assess Risks

Question 2: Are there any additional risk factors or sources of information about risk
analysis that you would recommend for consideration in developing stan-
dards for auditors of financial statements?

Identifying and Assessing Audit Risk

The business risk approach to auditing discussed under Question 1 requires an under-
standing of systems dynamics to help identify unintended consequences of management
decisions (Hecht 2005). Individuals often have insufficient understanding of causal rela-
tionships, and systems thinking provides the ‘‘language, cognitive tool set and perspectives
that enable decision makers to form reasonably accurate and complete mental representa-
tions of complex environments’’ (Hecht 2005, 1). Systems thinking facilitates identification
of unintended consequences of actions by creating feedback loops that illustrate linkages
of actions to financial statement assertions (Bell et al. 1997). Hecht (2005) demonstrates
how such thinking helps to identify unintended consequences of redundant controls.
Beyond the strategic/business process focus discussed in Question 1, client bankruptcy
risk is another important consideration for auditors, given the high cost the auditor often
bears after a client bankruptcy. Bankruptcy prediction research in the areas of accounting,
finance, computer science, etc., provides a number of methodologies for assessing bank-
ruptcy risk. For example, McKee (2003) lists 11 bankruptcy prediction models suggested
in academic studies.7 He then uses rough sets theory to develop two additional models
using factors from the previous 11.
Another emerging technique, data envelopment analysis (DEA), is ‘‘a linear program-
ming-based technique that converts multiple input and output measures into a single com-
prehensive measure of productive efficiency’’ (Bradbury and Rouse 2002, 263). It has the
ability to accommodate a range of expert opinions on the importance of a specific risk
factor (e.g., several different bankruptcy prediction models), rather than using the median
or mean value. DEA can be used to provide high-risk and low-risk assessments and provides
benchmark audit units from which other units can be evaluated. A number of academic
papers propose DEA as a bankruptcy prediction model (e.g., Cielen et al. 2004; Paradi et
al. 2004), and recent work suggests that using multiple bankruptcy prediction methods
together may produce the best results (West et al. 2005). Such bankruptcy risk assessments
may be an important part of pre-audit planning, as pre-engagement risk is strongly related
to higher discretionary accruals (Turner et al. 2004).
Beyond the bankruptcy arena, D&O insurers, financial analysts, and debt-rating agen-
cies also have sophisticated methods of assessing the risk profiles of companies. We also
note recent developments in creating corporate governance ratings of public companies. We
encourage research on the application of such ratings and methodologies to the audit
environment.

Identifying and Assessing Fraud Risk

With regard to the assessment of the risk of fraudulent financial reporting, research
provides empirical insight and refinement into known fraud risk factors and sheds light on

7
The 11 are: univariate ratio models (Beaver 1966), multiple discriminant analysis (Altman 1968), multivariate
conditional probability models (Ohlson 1980), recursive partitioning models (Marais et al. 1984; Frydman et al.
1985), linear programming (Wallin and Sundgren 1995), expert systems (Messier and Hansen 1988), survival
analysis (Lane et al. 1986; Luoma and Laitinen 1991), neural networks (Bell et al. 1990; Hansen and Messier
1991; Tam and Kiang 1992; Koh and Tan 1999), chaos theory (Lindsay and Campbell 1996), rough sets theory
(McKee 1998; Slowinski et al. 1999), and genetic programming (McKee and Lensberg 2002).

Accounting Horizons, June 2006

164 Allen, Hermanson, Kozloski, and Ramsay

new sources of information about fraud risk. For instance, Beasley (1996) finds that the
boards of directors of ‘‘no fraud’’ firms have a higher percentage of outside members than
‘‘fraud’’ firms. Summers and Sweeney (1998) find that, in the presence of fraud, insiders
reduce their holdings in the firm. Lee et al. (1999) report that the earnings-operating cash
flow relation is a signal for assessing the risk of fraud. Abbott et al. (2004) find that the
independence and activity level of the audit committee are negatively associated with fi-
nancial statement restatements. Bell and Carcello (2000) study fraud and nonfraud audit
engagements and find financial statement fraud to be associated with weak controls, rapid
growth, profitability problems, a strong emphasis on meeting targets, untruthful manage-
ment, public ownership, and an interaction between weak controls and an aggressive finan-
cial reporting attitude. However, as discussed in our response to Question 4 below, specific
fraud risk factors are subject to various uses and interpretations by different auditors, par-
ticularly with regard to the weighting and importance assigned to them.
A common source of reminders about fraud risk factors, as well as a vehicle for fraud
risk analysis, continues to be the fraud-risk-assessment decision aid. The use of fraud risk
decision aids is common in practice (Shelton et al. 2001) and is widely researched by
academics. Decision aids span levels of sophistication that range from simple checklists on
paper to expert systems that provide feedback (e.g., Eining et al. 1997). For example, the
expert system used in Eining et al. (1997) employs ‘‘constructive dialogue’’: five elements
that engage and instruct the auditor, as opposed to simply providing an assessment to the
auditor.8 The text of SAS No. 82 (AICPA 1997) contains lengthy lists of fraud risk factors,
and many firms include these lists in their firm decision aid materials (Shelton et al. 2001).
SAS No. 99 (AICPA 2002) also includes lists of risk factors (although in an appendix) and
organizes the risk factors according to the conceptual framework of the fraud triangle.
Again, however, research findings in this area are mixed. Pincus (1989) reports that
use of a fraud ‘‘red flag’’ questionnaire has no impact in a ‘‘no fraud’’ scenario and is
dysfunctional in the ‘‘fraud’’ scenario of an experiment. Asare and Wright (2004) find that
auditors who use a SAS No. 82-based risk checklist make lower assessments of fraud risk
than auditors who do not use a checklist. Auditors using decision aids based on statistical
models often are more effective at predicting fraud than unaided auditors (e.g., Hansen et
al. 1996; also see Bell and Carcello [2000] for a fraud risk model); however, auditors appear
reluctant to rely on decision aids (Boatsman et al. 1997). Eining et al. (1997) find that
auditors using an expert system that provides feedback (constructive dialogue) to the auditor
during the fraud risk assessment are more likely to rely on that type of decision aid than
auditors using a statistical model that provides a risk assessment only. As Nieschwietz et
al. (2000) note, reluctance to use decision aids may relate to the problem of ‘‘false posi-
tives’’ (assessing fraud risk as high when it is, in fact, low, which can contribute to audit
inefficiency). Excessive concerns regarding audit inefficiency may be somewhat mitigated
in the current environment of accounting scandals and alleged audit failures.
In summary, researchers have identified a number of factors associated with financial
statement fraud. However, research on the effectiveness of various fraud-risk-assessment
decision aids has produced mixed results, and few conclusions regarding the use of such
aids can be drawn.

8
The five elements are: judgment decomposition (the fraud assessment is broken down into the elements of the
fraud triangle), prior judgment (the auditor must make an assessment before viewing the expert system results),
rule presentation (the system informs the auditor of the rules being used), reassessment opportunity (the auditor
is allowed to change his or her previous assessment), and deviation justification (the auditor must explain why
his or her assessment is different from the expert system’s assessment).

Accounting Horizons, June 2006

Auditor Risk Assessment: Insights from the Academic Literature 165

Assessing (Measuring) Inherent Risk

Question 3: Should auditors be required to assess and document the level of risk (as
described above)9 for each identified risk and relevant assertions of all
significant accounts?

Assessing Audit Risk

Waller (1993), Mock and Wright (1993), and Elder and Allen (2003), among others,
examine auditors’ inherent risk assessments on actual audits. Waller (1993) finds that in-
herent risk assessments tend to be the same for all assertions related to a particular account.
Thus, most auditors appear to assess inherent risk for the key assertion for an account and
then use that assessment for all other assertions related to the account. Mock and Wright
(1993, 39) find ‘‘moderate variation across clients in perceived risks, but little change in
the nature of evidence gathered.’’
Elder and Allen (2003) find the same result as Waller (1993)—auditors typically assess
risk identically across all assertions related to an account. In addition, Elder and Allen
(2003) find that inherent risk assessments are significantly lower in 1999 than in 1994, and
the inherent risk assessments in their study are lower than the assessments in Waller
(1993).10 Also, research on the audit risk model indicates that inherent risk and control risk
often get blurred or combined (e.g., Haskins and Dirsmith 1995; Messier and Austen 2000).
Based on these studies, inherent risk assessments (1) often are not meaningfully applied to
each assertion; (2) may be decreasing over time, possibly to promote audit efficiency; and
(3) sometimes are combined with control risk into one combined risk factor.

Assessing Fraud Risk

Regarding fraud risk assessment and documentation requirements, Zimbelman (1997)
notes that the separate assessment of (and by implication, documentation of) fraud risk
increases auditors’ attention to fraud risk factors and cues. Phillips (1999) provides evidence
that accounts identified as high risk are more likely to garner auditors’ attention than those
identified as low risk. These studies seem to support the efficacy of requiring the assessment
and documentation of all identified risks for all significant accounts and related assertions.
However, the method of documentation of risks and judgments regarding risks could be
important, as Agoglia et al. (2003) report that the type of memo justifying a risk assessment
(they examined three variations) can affect the judgment of the auditor and the reviewer of
the auditor’s memo.

Global Factors in Assessing Inherent Risk at the Account Level

Question 4: How much weight can be given to global factors, such as industry con-
ditions or management integrity and competence, in assessing inherent
risk at the account level (that is, can global factors serve only to increase
the assessed level of risk, or can they also reduce it)?

Audit Risk Assessment

Several studies address the relation of global factors with auditors’ planning decisions.
Beaulieu (2001) explores the relation of new clients’ perceived integrity with auditors’ risk

9
PCAOB (2005, 11) outlined an approach to inherent risk assessment that would require the auditor to (1)
‘‘evaluate the potential effects of the identified risks on the financial statements,’’ (2) ‘‘assess the level of risk
for identified risks,’’ and (3) ‘‘have an appropriate basis for that risk assessment.’’
10
Note that Waller (1993) and Elder and Allen (2003) examine different samples of audit clients, so direct com-
parisons are not possible.

Accounting Horizons, June 2006

166 Allen, Hermanson, Kozloski, and Ramsay

assessments and planning decisions, and he finds lower risk assessments when perceived
integrity is high. In addition, lower risk assessments translate into less audit work and lower
fees.
Cohen and Hanno (2000) examine the impact of corporate governance and management
control philosophy (global factors reflecting governance, tone at the top, etc.) on auditors’
client acceptance and planning judgments. Practicing auditors evaluated a written case
where the corporate governance structure is either strong or weak and management’s control
philosophy is either strong or weak. The authors find that ‘‘auditors were more willing to
recommend client acceptance and more likely to reduce substantive testing in the presence
of stronger corporate governance or management control philosophy’’ (Cohen and Hanno
2000, 134). Thus, the authors find evidence that auditors use global factors in assessing
control risk at the assertion level. In addition, the auditors reduce their control risk assess-
ments and extent of substantive testing in the presence of stronger global factors. The
authors do not specifically address inherent risk assessments at the assertion level, and
global factors do not significantly influence the timing of substantive procedures (interim
versus year-end).
Bedard and Johnstone (2004, 277) find that ‘‘auditors plan increased effort and billing
rates for clients with earnings manipulation risk, and that the positive relations between
earnings manipulation risk and both effort and billing rates are greater for clients that also
have heightened corporate governance risk.’’ Thus, governance factors appear to magnify
the linkage between risk and audit effort.
Finally, auditors appear to consider the direction of the board of directors’ focus when
making audit risk assessments and planning decisions (Cohen et al. 2005). In an experi-
mental setting, audit partners and managers reduce control risk and planned audit effort if
board members have a high focus on monitoring management activity (agency focus). They
also reduce planned audit effort (but not inherent or control risk) when board members
have a high focus on developing strategy, getting access to resources, etc. (resource focus).
Based on these studies, global factors appear to be considered when auditors assess risks
and make audit-planning decisions.

Fraud Risk Assessment

Graham and Bedard (2003) examine the effect of specific fraud risk factor categories
on audit-planning decisions in a sample of audit clients. They find that while risk factors
are identified in several broad categories (e.g., industry/competition, management integrity,
financial condition, and performance pressure), only financial condition factors are associ-
ated with increased fraud risk assessments. Audit test planning is more strongly associated
with identified fraud risk factors than with fraud risk assessments. Thus, it appears that
auditors’ fraud risk assessments do not always capture fraud risk factors very well, but
auditors do consider the fraud risk factors in their audit planning.
In assessing the risk of fraudulent financial reporting, the importance, diagnostic ability,
and weighting of risk factors are investigated by a number of studies. Auditors assign
different weights to risk factors based on the type of clients (large versus small) with which
they have experience (Hackenbrack 1993). Wilks and Zimbelman (2004b), in a study that
examines assessments of fraud risk when difficult-to-assess ‘‘attitude’’ risk factors indicate
low fraud risk, suggest that auditors may be differentially sensitive to ‘‘incentive’’ and
‘‘opportunity’’ risk factors depending on the method of assessment that they use (decom-
posed assessments of fraud risk using the elements of the fraud triangle versus global
assessment of overall fraud risk). Hackenbrack (1992) finds evidence that fraud risk as-
sessments are subject to the ‘‘dilution effect’’ (a bias in decision making that results in less

Accounting Horizons, June 2006

Auditor Risk Assessment: Insights from the Academic Literature 167

extreme fraud risk assessments in the presence of irrelevant information, which tends to
‘‘dilute’’ relevant information). Another study reports the same effect and further notes that
this bias was not mitigated by accountability to a supervisor (Hoffman and Patton 1997).
Wood (2005) finds evidence that the use of a fraud-risk-assessment decision aid increases
auditor susceptibility to the dilution effect. In conclusion, the issue of how much weight to
assign to various risk factors, including high-level or global risk factors, is undecided. In
addition, the process for evaluating and weighting individual risk factors can significantly
affect the outcome of the risk assessment.

Assessing Control Risk

Question 5: Should auditors be required to test controls in each audit of the financial
statements? If so, what types of controls should be tested (such as, controls
designed to mitigate identified risks, controls over relevant assertions
of significant accounts, or only controls that result in greater audit
efficiency)?
Question 6: Should rotation of tests of controls from year to year be prohibited, or
should it be permitted under certain conditions? If permitted, under what
conditions should rotation be allowed?
A few studies examine auditors’ control-testing strategies. Waller (1993) examines au-
ditors’ risk assessments in real engagements. One finding is that ‘‘in a predominance of
cases [over 80 percent], CR [control risk] is assessed at the maximum probably for reasons
of efficiency’’ (Waller 1993, 784). Thus in the early 1990s, auditors seem to use a substan-
tive, balance sheet audit approach, as it was believed to be more efficient than testing and
relying on internal controls. Mock and Wright (1993) and O’Keefe et al. (1994) find similar
results.
More recently, Elder and Allen (2003) examine auditors’ risk assessments and planning
decisions in samples of audits from two periods, 1994 and 1999. The authors find signifi-
cantly lower control risk assessments in 1999 than in 1994, and reliance on internal controls
increased substantially from the time of the Waller (1993) study. The authors note:
[T]here are several reasons why auditors have likely increased their reliance on controls. In the past,
auditors may have assessed control risk as high and eliminated the documentation and tests of con-
trols. However, SAS No. 55 (AICPA 1988) requires auditors to obtain an understanding of internal
control. This requirement, along with rotational testing of controls and a likely reduction in sample
sizes for tests of controls, have likely made it more cost effective to test and rely on controls. (Elder
and Allen 2003, 992)

In addition, we expect the Section 404 internal control audits to promote even more
control testing. Auditors now are required to test controls as of year-end, and extending
such efforts to address control effectiveness during the fiscal period may be even less
difficult than in the past.

Risk of Material Misstatement and Auditor Response to Risk Assessment

Question 7: Should auditors be required to document a specific assessment of ROMM
[risk of material misstatement] for identified risks and relevant assertions
of significant accounts using a methodology that can be applied consis-
tently and that considers both qualitative and quantitative aspects of risk?
Why or why not?
Question 8: Should some or all of the proposed elements—guidelines for determining
minimum audit procedures, more definitive documentation requirements,
and examples and case studies—be incorporated into auditing standards

Accounting Horizons, June 2006

168 Allen, Hermanson, Kozloski, and Ramsay

regarding linkage between risk assessments and audit responses? Why or

why not? Are there other elements that should be included?

Audit Risk Assessment

Most of the academic research related to Questions 7 and 8 suggests that the linkage
between risk assessments and the extent of testing is weaker than one may expect. For
example, Mock and Wright (1993) examine planning decisions documented in actual audit
working papers. Although risk assessments across clients differ moderately, little change in
audit evidence decisions is noted. The ‘‘extent’’ of testing is primarily used to address
changes in risk; the ‘‘nature’’ of testing changes little.
In a later study, Mock and Wright (1999) again report the absence of a strong relation
between client risks and audit programs. Houston (1999) finds lower risk assessments in
the presence of audit fee pressure and offers some evidence that auditors address this lower
risk by performing less work in lower risk areas. Bierstaker and Wright (2001, 2005) extend
Houston’s (1999) research and find evidence that audit plans may not be adequately risk-
adjusted when there are pressures to reduce fees or when the audit partner emphasizes audit
efficiency.
Most recently, Fukukawa et al. (2005) find, from a set of Japanese audits, that the
association between client risks and audit plans again is somewhat weak. While client risks
that comprise business risk affect audit planning to some extent, Fukukawa et al. (2005)
find that fraud risk factors have little impact on audit planning.
A number of other studies reach similar conclusions regarding the linkage between
risks and audit testing. Elder and Allen (2003) examine changes in risk assessments and
sample sizes for three firms between 1994 and 1999. They find that auditors rely on controls
and assess inherent risk below the maximum on most audits and are more likely to do so
in the 1999 period. Overall, they find that the linkage between risk assessments and sample
sizes is stronger in the 1994 period and is not significant for some firms in the sample.
Johnstone and Bedard (2001) find that higher client risk is associated with using the work
of specialists, involvement of experts, and higher audit fees, but is not associated with
additional audit hours. Thus, the nature of audit testing varies with risk, but the extent
(audit hours invested) of testing is not changed. Glover et al. (2000) find that many auditors
do not revise their audit plans (i.e., do not increase testing) when analytical procedures
indicate significant unexpected fluctuations.
Finally, Wright and Bedard (2000) report that client risk factors affect various audit-
planning tasks such as audit program effectiveness and justification of audit tests. However,
client risk factors are not associated with differences in extent of testing or with justification
of extent of testing decisions. Their results also imply the importance of identifying and
communicating client risk factors to all audit team members in the planning stage of the
audit.
In contrast to the results above, some studies report a significant relation between risk
and the extent of audit tests. For example, Guess et al. (2000) find that greater risk is
associated with more audit testing, and Walo (1995) finds that risk is associated with ad-
ditional audit work. Also, Beaulieu (2001) finds that lower risk assessments are associated
with reduced audit effort and lower fees. Bedard and Johnstone (2004) find that auditors
plan more extensive testing in the presence of earnings manipulation risk, and this linkage
is magnified in the presence of higher corporate governance risk. Finally, Johnstone and
Bedard (2005) provide evidence of greater auditor risk responsiveness post-Sarbanes-Oxley,
an encouraging finding. This paper shows increasing risk responsiveness (in terms of total
planned hours) from 2001 to 2003 in audits of public companies of a large auditing firm.

Accounting Horizons, June 2006

Auditor Risk Assessment: Insights from the Academic Literature 169

Graham and Bedard (2003) may help to explain the sometimes-weak relation between
risk assessments and audit effort. They find that planned testing is more related to the
presence of specific fraud risk factors than to fraud risk assessments. That is, a generalized
risk assessment is not as important in forming an audit plan as knowledge of the specific
client issues under consideration. Their results imply that documentation of account- and
assertion-level risk assessments would be helpful in engagement planning.
Research also examines whether industry expertise improves the linkage between risk
assessments and the extent of testing. The results are mixed. Wright and Wright (1997) do
not find that industry expertise has a significant effect on risk assessments or revisions to
audit planning. However, Low (2004) finds that auditor knowledge of the client’s industry
improves audit risk assessments and directly influences the perceived quality of audit-
planning decisions.

Fraud Risk Assessment

The research findings regarding the assessment of fraud risk are consistent with many
of those reported above. Studies conducted specifically in the context of fraud risk assess-
ments uncover little evidence of an explicit linkage of risk assessments to planned audit
procedures that address the identified fraud risk (Zimbelman 1997; Glover et al. 2003;
Graham and Bedard 2003; Asare and Wright 2004). Rather, auditors often respond to fraud
risks by expanding their standard audit testing, which is not specifically targeted to the
identified fraud risks. In other words, a typical audit response is to perform ‘‘more of the
same’’ testing, rather than performing different testing specifically targeted to the identified
fraud risk. In addition, Asare and Wright (2004) find that auditors often are reluctant to
consult with their firm’s forensic accountants.
In summary, prior research suggests a positive, but often weak, relation between risk
assessments and testing—both for general audit risk assessment and fraud risk assessment.
Overall, the results suggest that requiring documentation of the risk-assessment process and
providing additional guidance, including examples and case studies, may help auditors to
strengthen the linkage between risk assessments and audit testing. In addition, efforts to
promote interaction between financial auditors and forensic accountants may be warranted.

Other Issues: The Audit Risk Model

Question 10: What other advice do you have relating to consideration of auditing
standards for risk assessment (suggestions, practice issues, etc.)?
Another topic discussed in the briefing paper (PCAOB 2005) is the appropriateness of
the audit risk model.11 The briefing paper notes that the POB Panel and the Joint Working
Group (representatives from auditing standard setters in Canada, the U.K., and the U.S., as
well as academics) have expressed general support for the audit risk model as a basis for
audit planning.
Over the past 20 years, various researchers examined issues related to the adequacy or
appropriateness of the audit risk model (ARM), and the conclusions are mixed. Some
research supports the model. For example, Dusenbury et al. (2000) conclude that the ARM
does not understate the risk of material misstatement, and Houston et al. (1999) find that

11
The PCAOB briefing paper also asked: ‘‘Question 9—Do you disagree with any of the [POB Panel on Audit
Effectiveness (2000)] recommendations listed in [the PCAOB briefing paper’s] Appendix A? If so why?’’ Some
of the issues raised by the POB Panel on Audit Effectiveness (2000) have been addressed in the sections above.
We are not aware of research that would refute any of these recommendations.

Accounting Horizons, June 2006

170 Allen, Hermanson, Kozloski, and Ramsay

the model works well in describing auditor behavior in the presence of unintentional fi-
nancial statement errors (but it does not work well for fraud). Libby et al. (1985) find that
the ARM is consistent with auditors’ decisions.
Conversely, other studies have asserted that the ARM has shortcomings, including:
● inherent risk and control risk get blurred or mixed (e.g., Haskins and Dirsmith 1995;
Messier and Austen 2000);
● the ARM does not consider the quality of audit evidence (Dusenbury and Reimers
1996);
● the ARM does not consider the risk of incorrect rejection (e.g., Kinney 1989;
Sennetti 1990; Boritz and Zhang 1999); and
● the ARM is inconsistent with actual auditors’ judgments (Daniel 1988; Strawser
1990).
Additional discussions of the ARM are found in Jiambalvo and Waller (1984), Lea et al.
(1992), Pany and Whittington (2001), and Blokdijk (2004).
Part of the reason for the divergent views of the ARM may relate to whether one views
the ARM as a conceptual guide or as a precise mathematical equation. As a conceptual
guide, the ARM has been endorsed by the POB Panel and others, and we view it as a
helpful tool in audit planning. However, research has exposed limitations in the model as
a precise mathematical equation, and many have called for additional guidance for auditors
attempting to implement the ARM.12

CONCLUSION
We attempt to link academic research to issues raised in the ten questions posed in the
recent PCAOB (2005) briefing paper on audit risk assessment. Overall, we believe that the
academic research is supportive of the PCAOB staff’s apparent reconsideration of the risk-
assessment process.
Going forward, we encourage additional research related to the issues raised in the
PCAOB’s briefing paper. The issues include (See Carmichael and Holstrum [2005] for a
similar list of research topics.):
1. What is the linkage between strategy/business process information and specific
audit testing?
2. How can audit firms better address controls imbedded in IT systems, especially
when the auditors do not have an IT background? What base IT knowledge do
financial auditors need so as not to be overconfident and to know when they need
assistance? How can audit firm systems promote consultation between financial
auditors and IT specialists?
3. How can risk-assessment methods used in other fields (e.g., corporate governance,
D&O insurance, financial analysis, and debt rating) be used to enhance auditor risk
assessment?
4. What factors contribute to auditors combining their inherent risk and control risk
assessments? What are the implications of mixing inherent risk and control risk
assessments?

12
We note that Srivastava and Shafer (1992) and others have developed and / or researched the belief function as
an alternative to the ARM. In the belief function approach, the auditor assigns weight to three categories (instead
of two in the ARM): evidence supporting risk of misstatement, evidence not supporting misstatement, and lack
of evidence on misstatement. The auditor’s goal is to reduce the third category by gathering evidence that
supports either of the other two. The ARM does not allow a category of ignorance, but instead lumps positive
evidence and missing evidence into the same category.

Accounting Horizons, June 2006

Auditor Risk Assessment: Insights from the Academic Literature 171

5. How can auditors better develop and implement fraud-risk-assessment tools? How
can auditors be encouraged to think strategically when assessing fraud risk?
6. When is rotational control testing appropriate? How does such testing relate to
testing performed for the audit of internal control over financial reporting?
7. Is the linkage between risks and audit testing increasing in the wake of Sarbanes-
Oxley?
8. How can fraud risk be integrated into the audit risk model? How well do auditors
currently combine fraud risk assessments with ARM elements?
In addition, we believe that the emergence of the integrated audit of internal controls
and financial statements (PCAOB 2004) offers research opportunities including:
1. How does risk assessment for the financial statement audit relate to risk assessment
for the internal control audit and vice versa?
2. Are risks strongly linked to audit effort in internal control audits?
3. What should be the nature of an audit risk model for the integrated audit of internal
controls and financial statements?
Finally, we believe that two important barriers hinder the production of academic re-
search with direct application to audit standard setting. First, academic researchers and
journals heavily emphasize positive research (documenting how things are). We encourage
the academic auditing community to make a greater commitment to normative research
(how things should be) in the future. Positive research can provide a basis for normative
recommendations, but to meet the needs of regulators, researchers need to be willing and
able to offer their views on how things should be. Of course, researchers must clearly
differentiate empirical results from normative suggestions that may reflect personal value
judgments, assumptions, etc. In addition, journal editors and reviewers need to be open to
high-quality normative research. Alternatively, researchers who publish positive research in
scholarly journals should consider sending the article along with a normative cover letter
to relevant regulators.
Second, auditing research cannot proceed without data. Recognizing the practical and
legal issues that may need to be resolved, we encourage the PCAOB to work toward
providing a database of suitably disguised audit process and outcome data for researchers
to analyze, along with appropriate ‘‘safe harbor’’ rules for firms providing such data. In the
current litigious environment, the audit firms seem less willing to provide the information
researchers need to assess audit efficiency and effectiveness. The result is a loss to the
public good, which we hope the PCAOB can help to address.

REFERENCES
Abbott, L. J., S. Parker, and G. Peters. 2004. Audit committee characteristics and restatements. Au-
diting: A Journal of Practice & Theory 23 (1): 69–87.
Agoglia, C. P., T. Kida, and D. Hanno. 2003. The effects of alternative justification memos on the
judgments of audit reviewees and reviewers. Journal of Accounting Research 41 (1): 33–47.
Albrecht, W. S., G. W. Wernz, and T. L. Williams. 1995. Fraud: Bringing Light to the Dark Side of
Business. New York, NY: McGraw-Hill.
Altman, E. I. 1968. Financial ratios, discriminant analysis and the prediction of corporate bankruptcy.
Journal of Finance 23 (4): 589–609.
American Institute of Certified Public Accountants (AICPA). 1988. Consideration of Internal Control
in a Financial Statement Audit. Statement on Auditing Standards No. 55. New York, NY:
AICPA.

Accounting Horizons, June 2006

172 Allen, Hermanson, Kozloski, and Ramsay

———. 1997. Consideration of Fraud in a Financial Statement Audit. Statement on Auditing Stan-
dards No. 82. New York, NY: AICPA.
———. 2002. Consideration of Fraud in a Financial Statement Audit. Statement on Auditing Stan-
dards No. 99. New York, NY: AICPA.
Anderson, B. H., and M. Maletta. 1994. Auditor attendance to negative and positive information: The
effect of experience-related differences. Behavioral Research in Accounting 6: 1–20.
Asare, S., and A. Wright. 2004. The effectiveness of alternative risk assessment and program planning
tools in a fraud setting. Contemporary Accounting Research 21 (2): 325–352.
Ballou, B., C. E. Earley, and J. S. Rich. 2004. The impact of strategic-positioning information on
auditor judgments about business-process performance. Auditing: A Journal of Practice & The-
ory 23 (2): 71–88.
———, and D. L. Heitger. 2004. A cognitive characterization of audit analytical procedures under
strategic-systems auditing. Working paper, Miami University.
Beasley, M. 1996. An empirical analysis of the relation between the board of director composition
and financial statement fraud. The Accounting Review 71 (4): 443–465.
———, J. Carcello, D. Hermanson, and P. Lapides. 2000. Fraudulent financial reporting: Consider-
ation of industry traits and corporate governance mechanisms. Accounting Horizons 14 (4):
441–455.
Beaulieu, P. 2001. The effects of judgments of new clients’ integrity upon risk judgments, audit
evidence, and fees. Auditing: A Journal of Practice & Theory 20 (2): 85–100.
Beaver, W. 1966. Financial ratios as predictors of failure. Journal of Accounting Research 4 (Supple-
ment) 71–111.
Bedard, J., and A. M. Wright. 1994. The functionality of decision heuristics: Reliance on prior audit
adjustments in evidential planning. Behavioral Research in Accounting 6 (Supplement): 62–89.
———, and L. Graham. 2002. The effects of decision aid orientation on risk factor identification and
audit test planning. Auditing: A Journal of Practice & Theory 21 (2): 39–56.
———, and K. Johnstone. 2004. Auditors’ assessments of and responses to earnings management
risk and corporate governance risk. The Accounting Review 79 (2): 277–304.
———, L. Graham, and C. Jackson. 2005. Information systems risk and audit planning. International
Journal of Auditing 9 (2): 147–163.
Bell, T., G. S. Ribar, and J. Verchio. 1990. Neural nets versus logistic regression: A comparison of
each model’s ability to predict commercial bank failures. Proceedings of the 1990 Deloitte &
Touche / University of Kansas Symposium on Auditing Problems, 29–54.
———, F. Marrs, I. Solomon, and H. Thomas. 1997. Auditing Organizations Through a Strategic-
Systems Lens. New York, NY: KPMG LLP.
———, and J. V. Carcello. 2000. A decision aid for assessing the likelihood of fraudulent financial
reporting. Auditing: A Journal of Practice & Theory 18 (1): 169–184.
———, J. M. Bedard, K. F. Johnstone, and E. Smith. 2002. KRisk: A computerized decision aid for
client acceptance and continuance risk assessments. Auditing: A Journal of Practice & Theory
21 (2): 97–103.
———, M. E. Peecher, and I. Solomon. 2005. The 21st Century Public Company Audit. New York,
NY: KPMG LLP.
Bernardi, R. 1994. Fraud detection: The effect of client integrity and competence and auditor cognitive
style. Auditing: A Journal of Practice & Theory 13 (Supplement): 68–84.
Bierstaker, J., and A. Wright. 2001. The effects of fee pressure and partner pressure on audit planning
decisions. Advances in Accounting 18: 25–46.
———, and ———. 2005. The interaction between auditors’ risk perceptions and partner preferences
on audit program planning. Advances in Accounting 21: 1–24.
Blokdijk, H., F. Drieenhuizen, D. A. Simunic, and M. T. Stein. 2003. Determinants of the mix of
audit procedures: Key factors that cause auditors to change what they do. Working paper, Vrije
Universiteit Amsterdam.
———. 2004. Tests of control in the audit risk model: Effective? efficient? International Journal of
Auditing 8 (2): 185–194.

Accounting Horizons, June 2006

Auditor Risk Assessment: Insights from the Academic Literature 173

Bloomfield, R. 1997. Strategic dependence and the assessment of fraud risk: A laboratory study. The
Accounting Review 72 (4): 517–538.
Boatsman, J., C. Moeckel, and B. Pei. 1997. The effects of decision consequences on auditors’ reliance
on decision aids in audit planning. Organizational Behavior and Human Decision Processes
71: 211–247.
Boritz, J. E., and P. Zhang. 1999. The auditor’s objectivity under negligence liability system. Auditing:
A Journal of Practice & Theory 18 (Supplement): 147–165.
Bradbury, M. E., and P. Rouse. 2002. An application of data envelopment analysis to the evaluation
of audit risk. Abacus 38 (2): 263–279.
Braun, R. 2000. The effect of time pressure on auditor attention to qualitative aspects of misstatements
indicative of potential fraudulent financial reporting. Accounting, Organizations and Society 25
(3): 243–259.
Brazel, J. F., and C. P. Agoglia. 2005. An examination of auditor planning judgments in a complex
AIS environment: The moderating role of auditor AIS expertise. Working paper, North Carolina
State University.
Carcello, J., and A. Nagy. 2004. Audit firm tenure and fraudulent financial reporting. Auditing: A
Journal of Practice & Theory 23 (2): 55–70.
Carmichael, D. R. and G. L. Holstrum. 2005. PCAOB standards-setting update. The Auditor’s Report
(Spring). Available at http: / / aaahq.org / audit / Pubs / Audrep / 05spring / item10.htm.
Carpenter, T. D. 2005a. Audit team brainstorming, fraud risk identification, and fraud risk assessment:
Implications of SAS No. 99. Working paper, University of Georgia.
———. 2005b. Audit team brainstorming, partner influence, and fraud detection: Implications of SAS
No. 99. Working paper, University of Georgia.
Cielen, A., L. Peeters, and K. Vanhoof. 2004. Bankruptcy prediction using a data envelopment anal-
ysis. European Journal of Operational Research 154 (2): 526–532.
Cohen, J. R., and D. M. Hanno. 2000. Auditors’ consideration of corporate governance and manage-
ment control philosophy in preplanning and planning judgments. Auditing: A Journal of Practice
& Theory 19 (2): 133–146.
———, G. Krishnamoorthy, and A. Wright. 2005. The impact of corporate board focus on auditors’
risk assessments and program planning decisions. Working paper, Boston College.
Daniel, S. 1988. Some empirical evidence about the assessment of audit risk in practice. Auditing: A
Journal of Practice & Theory 7 (2): 174–181.
Dusenbury, R. B., and J. L. Reimers. 1996. An empirical study of belief-based and probability-based
specifications of audit risk. Auditing: A Journal of Practice & Theory 15 (2): 12–28.
———, ———, and S. W. Wheeler. 2000. The audit risk model: An empirical test for conditioned
dependencies among assessed component risks. Auditing: A Journal of Practice & Theory 19
(2): 105–117.
Eilifsen, A., W. Knechel, and P. Wallage. 2001. Application of the business risk audit model: A field
study. Accounting Horizons 15 (3): 193–207.
Eining, M., D. Jones, and J. Loebbecke. 1997. Reliance on decision aids: An examination of auditors’
assessment of management fraud. Auditing: A Journal of Practice & Theory 16 (2): 1–19.
Elder, R. J., and R. D. Allen. 2003. A longitudinal field investigation of audit risk assessments and
sample size decisions. The Accounting Review 78 (4): 983–1002.
Frydman, H., E. I. Altman, and D. Kao. 1985. Introducing recursive partitioning for financial classi-
fication: The case of financial distress. Journal of Finance 40 (1): 269–291.
Fukukawa, H., T. Mock, and A. Wright. 2005. Audit program plans and audit risk: A study of Japanese
practice. Working paper, Nagasaki University.
Glover, S., J. Jiambalvo, and J. Kennedy. 2000. Analytical procedures and audit planning decisions.
Auditing: A Journal of Practice & Theory 19 (2): 27–45.
———, D. Prawitt, J. Schultz, and M. Zimbelman. 2003. A comparison of audit planning decisions
in response to increased fraud risk: Before and after SAS No. 82. Auditing: A Journal of
Practice & Theory 22 (3): 237–251.

Accounting Horizons, June 2006

174 Allen, Hermanson, Kozloski, and Ramsay

Graham, L., and J. Bedard. 2003. Fraud risk factors and audit planning. International Journal of
Auditing 7 (1): 55–70.
Guess, A., T. Louwers, and J. Strawser. 2000. The role of ambiguity in auditors’ determination of
budgeted audit hours. Behavioral Research in Accounting 12: 119–138.
Hackenbrack, K. 1992. Implications of seemingly irrelevant evidence in audit judgment. Journal of
Accounting Research 30 (1): 54–76.
———. 1993. The effect of experience with different sized clients on auditor evaluations of fraudulent
financial reporting indicators. Auditing: A Journal of Practice & Theory 12 (1): 99–110.
Hammersley, J. S. 2004. Pattern identification and industry-specialist auditors. Working paper, Uni-
versity of Georgia.
Hansen, J., and W. Messier, Jr. 1991. Artificial neural networks: Foundations and application to a
decision problem. Expert Systems With Applications 3: 135–141.
———, J. McDonald, W. Messier, Jr., and T. Bell. 1996. A generalized qualitative-response model
and the analysis of management fraud. Management Science 42: 1022–1032.
Haskins, M. E., and M. W. Dirsmith. 1995. Control and inherent risk assessments in client engage-
ments: An examination of their interdependencies. Journal of Accounting and Public Policy 14
(1): 63–83.
Hecht, G. 2005. Accountants’ understanding of circular causality as a determinant of unintended
consequence identification. Working paper, Emory University.
Hoffman, V., and J. Patton. 1997. Accountability, the dilution effect, and conservatism in auditors’
fraud judgments. Journal of Accounting Research 35 (2): 227–237.
Houston, R. W. 1999. The effects of fee pressure and client risk on audit seniors’ time budget deci-
sions. Auditing: A Journal of Practice & Theory 18 (2): 70–86.
———, M. F. Peters, and J. H. Pratt. 1999. The audit risk model, business risk, and audit planning
decisions. The Accounting Review 74 (3): 281–298.
Hunton, J. E., A. M. Wright, and S. Wright. 2004. Are financial auditors overconfident in their ability
to assess risks associated with enterprise resource planning systems? Journal of Information
Systems 18 (2): 7–28.
Huss, H. F., and F. Jacobs. 1991. Risk containment: Exploring auditor decisions in the engagement
process. Auditing: A Journal of Practice & Theory 10 (2): 16–32.
Jiambalvo, J., and W. Waller. 1984. Decomposition and assessments of audit risk. Auditing: A Journal
of Practice & Theory 3 (2): 80–88.
Johnson, P., K. Jamal, and R. Berryman. 1991. Effects of framing on auditor decisions. Organizational
Behavior and Human Decision Processes 50: 75–105.
———, S. Grazioli, and K. Jamal. 1993. Fraud detection: Intentionality and deception in cognition.
Accounting, Organizations and Society 18: 467–488.
Johnstone, K. 2000. Client-acceptance decisions: Simultaneous effects of client business risk, audit
risk, auditor business risk, and risk adaptation. Auditing: A Journal of Practice & Theory 19
(1): 1–25.
———, and J. Bedard. 2001. Engagement planning, bid pricing, and client response in the market
for initial attest engagements. The Accounting Review 76 (2): 199–221.
———, and ———. 2005. Audit planning and pricing during the period surrounding passage of the
Sarbanes-Oxley Act. Working paper, University of Wisconsin–Madison.
Kinney, W. R., Jr. 1989. Achieved audit risk and the audit outcome space. Auditing: A Journal of
Practice & Theory 8 (Supplement): 67–84.
Knapp, C. A., and M. C. Knapp. 2001. The effects of experience and explicit fraud risk assessment
in detecting fraud with analytical procedures. Accounting, Organizations and Society 26 (1):
25–37.
Koh, H. C., and S. S. Tan. 1999. A neural network approach to the prediction of going concern status.
Accounting and Business Research 29 (3): 211–216.
Kopp, L. S., and E. O’Donnell. 2005. The influence of a business-process focus on category knowledge
and internal control evaluation. Accounting Organizations and Society 30 (5): 423–434.

Accounting Horizons, June 2006

Auditor Risk Assessment: Insights from the Academic Literature 175

Kotchetova, N. 2005. Analysis of client’s strategy and auditor’s risk assessment. Working paper,
University of Waterloo.
———, T. Kozloski, and W. Messier, Jr. 2005. Do performance and documentation of business process
analysis influence auditors’ risk assessments? Working paper, University of Waterloo.
Lane, W., S. Looney, and J. Wansley. 1986. An application of the Cox proportional hazards model
to bank failure. Journal of Banking and Finance 10: 511–531.
Lea, R. B., S. J. Adams, and R. F. Boykin. 1992. Modeling of the audit risk-assessment process at
the assertion level within an account balance. Auditing: A Journal of Practice & Theory 11
(Supplement): 152–179.
Lee, T., R. Ingram, and T. Howard. 1999. The difference between earnings and operating cash flow
as an indicator of financial reporting fraud. Contemporary Accounting Research 16 (4): 749–
787.
Lemon, W., K. Tatum, and W. Turley. 2000. Developments in the Audit Methodologies of Large
Accounting Firms. Caxton Hill, Harford, U.K.: Stephen Austin & Sons Ltd.
Libby, R., J. T. Artman, and J. J. Willingham. 1985. Process susceptibility, control risk, and audit
planning. The Accounting Review 60 (2): 212–230.
Lindsay, D. H., and A. Campbell. 1996. A chaos approach to bankruptcy prediction. Journal of
Applied Business Research 12 (4): 1–9.
Loebbecke, J., M. Eining, and J. Willingham. 1989. Auditors’ experience with material irregularities:
Frequency, nature and detectability. Auditing: A Journal of Practice & Theory 8 (2): 1–28.
Low, K. 2004. The effects of industry specialization on audit risk assessments and audit-planning
decisions. The Accounting Review 79 (1): 201–219.
Luoma, M., and E. Laitinen. 1991. Survival analysis as a tool for company failure prediction. Omega
19 (6): 673–678.
Marais, M., J. Patell, and M. Wolfson. 1984. The experimental design of classification models: An
application of recursive partitioning and bootstrapping to commercial bank loan classifications.
Journal of Accounting Research 22 (Supplement): 87–114.
McKee, T. E. 1998. A mathematically derived rough set model for bankruptcy prediction. In Collected
Papers of the Seventh Annual Research Workshop on Artificial Intelligence and Emerging Tech-
nologies in Accounting, Auditing and Tax, edited by C. E. Brown. Sarasota, FL: Artificial
Intelligence / Emerging Technologies Section of the American Accounting Association.
———, and T. Lensberg. 2002. Genetic programming and rough sets: A hybrid approach to bank-
ruptcy classification. European Journal of Operational Research 138: 436–451.
———. 2003. Rough sets bankruptcy prediction models versus auditor signaling rates. Journal of
Forecasting 22 (8): 569.
Messier, W. F., Jr. and J. V. Hansen. 1988. Inducing rules for expert system development: An example
using default and bankruptcy data. Management Science 34 (12): 1403–1415.
———, and L. A. Austen. 2000. Inherent risk and control risk assessments: Evidence on the effect
of pervasive and specific risk factors. Auditing: A Journal of Practice & Theory 19 (2): 119–
131.
Mock, T. J., and A. Wright. 1993. An exploratory study of auditors’ evidential planning judgments.
Auditing: A Journal of Practice & Theory 12 (2): 39–61.
———, and ———. 1999. Are audit program plans risk adjusted? Auditing: A Journal of Practice
& Theory 18 (1): 55–74.
Nieschwietz, R., J. Schultz, Jr., and M. Zimbelman. 2000. Empirical research on external auditors’
detection of financial statement fraud. Journal of Accounting Literature 19: 190–246.
O’Donnell, E., and J. Schultz. 2003. The influence of business-process-focused audit support software
on analytical procedures judgments. Auditing: A Journal of Practice & Theory 22 (2): 265–
279.
———, and ———. 2005. The halo effect in business risk audits: Can strategic risk assessment bias
auditor judgment about accounting details? The Accounting Review 80 (3): 921–939.
———, J. L. Bierstaker, and J. Schultz. 2005. Strategic-systems auditing: The influence of alternative
task structures on auditor sensitivity to risk factors. Working paper, Arizona State University.

Accounting Horizons, June 2006

176 Allen, Hermanson, Kozloski, and Ramsay

Ohlson, J. 1980. Financial ratios and the probabilistic prediction of bankruptcy. Journal of Accounting
Research 18 (1): 109–131.
O’Keefe, T., D. Simunic, and M. Stein. 1994. The production of audit services: Evidence from a
major public accounting firm. Journal of Accounting Research 32 (2): 241–261.
Pany, K. J., and O. R. Whittington. 2001. Research implications of the Auditing Standards Board’s
current agenda. Accounting Horizons 15 (4): 401–411.
Paradi, J. C., M. Asmild, and P. C. Simak. 2004. Using DEA and worst practice DEA in credit risk
evaluation. Journal of Productivity Analysis 21 (2): 153–165.
Phillips, F. 1999. Auditor attention to and judgments of aggressive financial reporting. Journal of
Accounting Research 37 (1): 167–189.
Pincus, K. 1989. The efficacy of a red flags questionnaire for assessing the possibility of fraud.
Accounting, Organizations and Society 14: 153–163.
Public Company Accounting Oversight Board (PCAOB). 2004. An Audit of Internal Control over
Financial Reporting Conducted in Conjunction with an Audit of Financial Statements. Auditing
Standard No. 2. Washington, D.C.: PCAOB.
———. 2005. Standing Advisory Group Meeting: Risk Assessment in Financial Statement Audits.
Washington, D.C.: PCAOB.
Public Oversight Board Panel of Audit Effectiveness. 2000. The Panel on Audit Effectiveness Report
and Recommendations. New York, NY: AICPA.
Sennetti, J. 1990. Toward a more consistent model for audit risk. Auditing: A Journal of Practice &
Theory 9 (2): 103–112.
Shelton, S., O. R. Whittington, and D. Landsittel. 2001. Auditing firms’ fraud risk assessment prac-
tices. Accounting Horizons 15 (1): 19–34.
Slowinski, R., R. Susmaga, and C. Zopounidis. 1999. Business failure prediction using rough sets.
European Journal of Operational Research 114: 263–280.
Srivastava, R., and G. Shafer. 1992. Belief-function formulas for audit risk. The Accounting Review
67 (2): 249–283.
Strawser, J. R. 1990. Human information processing and the consistency of the audit risk model.
Accounting and Business Research 21 (Winter): 67–75.
Summers, S., and J. Sweeney. 1998. Fraudulently misstated financial statements and insider trading:
An empirical analysis. The Accounting Review 73 (1): 131–146.
Tam, K. Y., and M. Y. Kiang. 1992. Managerial applications of neural networks: The case of bank
failure predictions. Management Science 38 (7): 926–947.
Turner, J. L., T. J. Mock, and D. Manry. 2004. The association of discretionary accruals with pre-
audit engagement risk. Working paper, University of Memphis.
Waller, W. S. 1993. Auditors’ assessments of inherent and control risk in field settings. The Accounting
Review 68 (4): 783–803.
Wallin, J., and S. Sundgren. 1995. Using linear programming to predict business failure: An empirical
study. Available at: http: / / www.shh.fi / depts / redovis / research / jwss95 / jwssma95.htm.
Walo, J. 1995. The effects of client characteristics on audit scope. Auditing: A Journal of Practice &
Theory 14 (1): 115–124.
West, D., S. Dellana, and J. Qian. 2005. Neural network ensemble strategies for financial decision
applications. Computers & Operations Research 32 (10): 2543–2559.
Wilks, J., and M. Zimbelman. 2004a. Using game theory and strategic reasoning concepts to prevent
and detect fraud. Accounting Horizons 18 (3): 173–184.
———, and ———. 2004b. Decomposition of fraud risk assessments and auditors’ sensitivity to
fraud cues. Contemporary Accounting Research 21 (3): 719–745.
Wood, L. 2005. The influence of decision aid use on auditor processing of irrelevant information in
fraud risk assessment. Working paper, Virginia Polytechnic Institute and State University.
Wright, A., and J. Bedard. 2000. Decision processes in audit evidential planning: A multistage in-
vestigation. Auditing: A Journal of Practice & Theory 19 (1): 123–143.
Wright, S., and A. Wright. 1997. The effect of industry experience on hypothesis generation and audit
planning decisions. Behavioral Research in Accounting 9: 273.

Accounting Horizons, June 2006

Auditor Risk Assessment: Insights from the Academic Literature 177

Zimbelman, M. 1997. The effects of SAS No. 82 on auditors’ attention to fraud risk factors and audit
planning decisions. Journal of Accounting Research 35 (Supplement): 75–97.
———, and W. Waller. 1999. An experimental investigation of auditor-auditee interaction under
ambiguity. Journal of Accounting Research 37 (Supplement): 135–155.

Accounting Horizons, June 2006