How Fraud Risk Decomposition Affects Auditors' Fraud Risk Assessments Open Access

Auditors' risk judgments are a key input during audit planning, and include identifying significant risks of material misstatement, such as fraud risks, as well as planning responses to identified risks. Importantly, for many years auditing standards have guided auditors to consider both likelihood and magnitude when assessing risk (see, e.g., SAS 99, AICPA 2002; AS 2110, PCAOB 2010a). This paper summarizes the results of a study we conducted, entitled “The Influence of Judgment Decomposition on Auditors' Fraud Risk Assessments: Some Trade-Offs” (Simon, Smith, and Zimbelman 2018), that considered the impact of having auditors separately assess likelihood and magnitude before assessing overall fraud risk for individual fraud schemes.

Standard setters continue to focus auditors' attention on magnitude and likelihood in risk assessments. For instance, AS 2110.26 states, “In identifying and assessing risks of material misstatement, the auditor should … Assess the likelihood of misstatement, including the possibility of multiple misstatements, and the magnitude of potential misstatement to assess the possibility that the risk could result in material misstatement of the financial statements” (PCAOB 2010a, emphasis added; see AU-C 315.27 [AICPA 2012] for a similar statement). Furthermore, AS 2110.70 states, “To determine whether an identified and assessed risk is a significant risk, the auditor should evaluate whether the risk requires special audit consideration because of the nature of the risk or the likelihood and potential magnitude of misstatement related to the risk” (PCAOB 2010a, emphasis added).¹

Given the prevalence of auditing standards prescribing that auditors assess both the likelihood and magnitude of a fraud risk when performing risk assessments, it is important to understand the effects of evaluating these two components of risk on auditors' overall risk judgments. The focus of our research was to experimentally examine whether separately assessing likelihood and magnitude before assessing overall fraud risk (hereafter, LM decomposition) impacts auditors' overall fraud risk judgments.²

In our first experiment, we invited experienced practitioner auditors to read an auditing case scenario and to assess the risk of various potential fraud schemes at the client. The case, including the potential fraud schemes, was developed starting with a case from a previously published research study (Hoffman and Zimbelman 2009), and used information taken from an SEC Accounting and Auditing Enforcement Release (AAER; see SEC 1997). In addition, each fraud scheme was evaluated ahead of time and rated as either a higher- or a lower-risk fraud scheme by a panel of individuals with partner-level audit experience.³ Our findings showed that, on average, auditors who engaged in an LM decomposition when evaluating higher-risk fraud schemes assessed lower overall fraud risk than auditors who made their risk assessments without separately evaluating the likelihood and magnitude of the higher-risk fraud schemes. We did not find this effect when auditors made overall risk assessments for schemes that were deemed to be lower-risk.

We believe that this finding should be of interest to practitioners for several reasons. First, given the significant negative consequences—both for auditors and market participants—when fraud goes undetected, it is important for auditors to understand the potential for different audit approaches to influence their professional skepticism and judgments when they assess fraud risks. Second, if auditors adhere to standards and take the time to explicitly consider the likelihood and magnitude of a threat before assessing overall fraud risk (i.e., an LM decomposition), our findings suggest that they may lower their fraud risk assessments for higher-risk schemes. In other words, it is possible that an LM decomposition could impair professional skepticism and, ultimately, audit quality. Finally, there remains the possibility that these lower fraud risk assessments may improve audit efficiency if auditors are prone to over-audit when fraud risk is high.

In addition to our primary finding highlighted above, we also conducted follow-up experiments with university students, in a non-audit setting, to examine potential psychological factors underlying our results. Results from those studies demonstrated lower overall risk judgments for both higher- and lower-risk threats when individuals performed an LM decomposition prior to their overall risk judgment. Overall, we believe these findings are important for practitioners and standard setters as both groups strive to improve auditors' risk assessment processes.

Our study used several experiments to explore how an LM decomposition might impact individuals' risk judgments. In our first experiment, we had 101 auditors (98 percent were working as managers or higher) complete an online audit case that required them to learn about a client and to make audit planning judgments, including risk assessments of several potential fraud schemes that had been identified in an earlier brainstorming session. Using an experiment allowed us to create alternative scenarios wherein auditors were required (or not) to perform an LM decomposition prior to assessing overall risk, which allowed us to investigate the impact of such a requirement on auditors' judgments.⁴

In our auditor experiment, we had two different groups. In each group, auditors made fraud risk judgments and judgments about the likelihood and magnitude of a potential fraud scheme. However, approximately half of our auditors made their likelihood and magnitude judgments prior to making overall fraud risk judgments and the others made overall fraud risk judgments without explicitly evaluating likelihood or magnitude.⁵ We labeled the former group as the “Decomposition” condition since auditors made the component likelihood and magnitude judgments (i.e., an LM decomposition) prior to making their overall fraud risk judgments, and the latter group was labeled as the “Holistic” condition. We also varied the level of fraud risk in the case with our participants considering both lower- and higher-risk fraud schemes. Each auditor in the study evaluated a series of four potential fraud schemes, two of which were higher-risk threats and two were lower-risk threats.⁶ This experimental design allows us to explore how LM decomposition affects auditors' risk judgments for both lower- and higher-risk fraud schemes.

The case scenario provided our auditor participants with summarized audit planning information, including client- and industry-specific background, the client's management team, sales and receivables cycle, acquisitions, pending litigation, and a list of SAS 99 red flags pertaining to the company. The participants also read about the results of interim tests of controls (indicating low control risk) and preliminary analytical procedures. Finally, participants read information about a revised marketing and sales distribution strategy that (unbeknownst to research participants) the fraud was based on.

Next, the auditors were told that an SAS 99 brainstorming session occurred and that, given the audit budget, there was a need to prioritize the brainstorming ideas. Participants were informed that they needed to assess the four fraud schemes, which were not presented in any particular order. We then introduced the experimental manipulation so that participants in the Decomposition condition performed the LM decomposition just prior to making their overall fraud scheme risk judgments, whereas participants in the Holistic condition made their fraud scheme risk judgments without considering the LM judgments.⁷ Finally, participants answered demographic and other questions to conclude the study.

Our main focus was the auditors' overall fraud risk assessments for each of the four fraud schemes. The auditors assessed fraud risk on a scale from 1 (Very Low) to 10 (Very High) for each scheme. After evaluating each fraud scheme, the auditors were asked to allocate scarce audit resources to investigating the various schemes. In two follow-up experiments, we asked university students to make related judgments in a setting involving business risks in a non-auditing scenario. These experiments replicate the main finding from our auditor experiment (i.e., that an LM decomposition results in lower overall risk assessments for higher-risk issues) while exploring potential cognitive mechanisms to potentially explain the results of our auditor experiment.

In summary, the auditors who participated in our first experiment were asked to evaluate a series of four potential fraud schemes that had been generated in a fraud brainstorming session during the planning stage of a hypothetical audit engagement. The participants evaluated the likelihood, magnitude, and overall fraud risk of each fraud scheme, though the order of these assessments varied based on the assigned experimental condition. We used the average responses for the two higher-risk schemes and, separately, for the two lower-risk schemes as our measures of assessed fraud risk for the higher-risk and lower-risk schemes, respectively.⁸

As shown in Table 1 and Figure 1, regardless of which condition they were assigned to, the auditors effectively identified higher- and lower-risk fraud schemes by assessing average overall fraud risk at 6.63 (out of 10) for higher-risk schemes, compared to average assessments of 4.26 for the lower-risk schemes. In addition, auditors across all conditions evaluated the higher-risk fraud schemes, on average, as being more likely (6.22 to 3.91) and as having a greater potential magnitude (6.48 to 5.44) than the lower-risk fraud schemes. Finally, Table 1 shows that auditors across all conditions allocated more effort, on average, to investigating the higher-risk fraud schemes (67.6 percent) relative to the lower-risk fraud schemes (32.4 percent). Thus, overall, the auditors demonstrated an ability to effectively discern between relatively higher- and lower-risk fraud schemes, and made audit effort allocations accordingly.

Interestingly, the auditors' fraud risk assessments of the higher-risk schemes were influenced by whether or not the auditors performed an LM decomposition before evaluating the overall fraud risk. When auditors made an LM decomposition before making their overall fraud risk assessments for higher-risk schemes, the auditors' fraud risk assessments were lower than auditors who performed the overall fraud risk assessment before being asked to specifically consider the likelihood and magnitude of the schemes. In other words, the act of decomposing the overall risk assessment into likelihood and magnitude components appears to have caused auditors to reduce their fraud risk assessments for higher-risk fraud schemes. Perhaps because auditors across all experimental conditions viewed the lower-risk fraud schemes as relatively low-risk threats, decomposing the assessments for lower-risk fraud schemes did not significantly influence the auditors' assessments. Based on the auditor experiment and a pair of follow-up experiments, we concluded that asking auditors to focus first on their likelihood assessments of the fraud schemes led them to reduce their overall fraud risk assessments for the higher-risk schemes. In addition, we also concluded that performing an LM decomposition also appeared to result in better alignment between auditors' likelihood assessments and their overall risk assessments.

Current auditing standards indicate that auditors should consider both likelihood and magnitude when assessing risk (see, e.g., AS 2110.26, PCAOB 2010a; AU-C 315.27, AICPA 2012). In our study, we examined the potential implications of explicitly considering these two factors prior to making an overall risk assessment. We conducted and included a detailed discussion of three experiments in our study, including one with 101 experienced auditors. In the auditor experiment, auditors assessed the fraud risk of potential fraud schemes while in the non-auditor experiments participants assessed risks for potential sources of damage to a key company asset. Across the three experiments, we consistently found that having individuals assess likelihood and magnitude prior to overall risk resulted in overall risk assessments that were lower for relatively higher-risk threats. In our non-auditor experiments, we also found evidence that assessing likelihood and magnitude can decrease overall risk assessments for relatively lower-risk threats.

We believe these findings have important implications for standard setters and practitioners. First, we believe our results suggest a potential unintended consequence of standard setters' emphasis on likelihood and magnitude when assessing risk. As a result, we recommend that standard setters encourage auditors to be aware that an LM approach could decrease their concerns about threats that have been identified as higher-risk, and to also be sure to gather sufficient evidence in such areas when such risks exist. Second, we recommend that auditors consider assessing overall risk before explicitly assessing a risk's likelihood and magnitude when seeking to comply with current auditing standards. Doing so may help them avoid the unintended consequence described previously.