Both U.S. Generally Accepted Auditing Standards and International Standards on Auditing require risk-based audits, where audit effort is concentrated on accounts and financial statement assertions where the risk of material misstatement is high. Assessing risk requires the auditor to evaluate the auditee's internal control systems; however, current standards and practice vary regarding the point at which risks are to be identified. Using output interference theory, we hypothesize that risk assessment performed by the auditor before evaluating the client's internal control systems will lead to a more complete identification of sources of internal control deficiencies as compared to assessing risk after evaluating internal control systems. In our experiment, auditors who identified risks first identified more, and more important, internal control deficiencies than did auditors identifying controls first, although the number of risks identified was not significantly different between the two groups. Overall, our results suggest that audit efficiency and effectiveness depend on the sequence in which internal control evaluation subtasks are performed.

Data Availability: Data are available from the authors upon request.

You do not currently have access to this content.