We provide a theoretical investigation of the effects of the Sarbanes‐Oxley Act of 2002 on auditing intensity and internal control strength. We propose a model of strategic auditing in which the auditor can use resources for both internal control tests and substantive tests, while the manager can choose the strength of internal controls and the amount of fraud.
We find that control tests are a valuable tool for the auditor when control strength is informative about the likelihood of fraud. We find that Sarbanes‐Oxley has the desired effect of inducing stronger internal control systems and less fraud, but does not necessarily induce higher levels of control testing. Our model suggests that audit risk increases as a result of the Sarbanes‐Oxley Act.