How Strategic Reasoning and Brainstorming Can Help Auditors Detect Fraud Free

Both academic accounting research (e.g., Zimbelman 1997) and the Public Company Accounting Oversight Board (PCAOB 2007) report that auditors often fail to effectively modify their standard audit procedures in response to fraud risk. Auditors are effective at identifying when they are in a setting with heightened fraud risk, but they tend to respond to that risk by increasing the extent of their audit procedures instead of changing the nature of their procedures.¹ That is, in response to increased fraud risk, auditors tend to do more of the same procedures rather than plan different procedures. For example, they might set a larger sample size rather than perform different audit procedures that would be effective for detecting a particular fraud. Further, academic research (e.g., Asare and Wright 2004) finds that using a standard audit program can be a factor that discourages auditors from changing the nature of their procedures, because they tend to perform the same tests they performed in the prior year.

This paper summarizes a recent study (“Do Strategic Reasoning and Brainstorming Help Auditors Change Their Standard Audit Procedures in Response to Fraud Risk?” [Hoffman and Zimbelman 2009], The Accounting Review) that conducted an experiment in a high-fraud-risk setting to investigate whether brainstorming in groups and/or employing strategic reasoning helped audit managers who were given standard audit programs design better fraud procedures. Strategic reasoning takes place when an auditor considers how an audit client may be concealing a fraud scheme from standard audit tests. In response, the auditor modifies the audit to search for potential concealed fraud. The idea underlying strategic reasoning is that auditors can benefit from thinking about the audit as a strategic game (e.g., chess) rather than as a game of chance. In a chess match, for example, a chess master is constantly considering what his/her opponent's next moves will be. Auditors who engage in strategic reasoning consider how client management might be concealing a fraud from the auditor (e.g., Fellingham and Newman 1985; Wilks and Zimbelman 2004). When planning audit procedures, auditors who reason strategically consider how management may have anticipated the auditor's planned procedures and then strategically planned the fraud so as to avoid detection.

The tasks required by brainstorming and strategic reasoning are considered complex and challenging. Thinking like fraud perpetrators and creating new audit tests to catch them is much more difficult than simply changing the sample size for a set of audit procedures that has been used for many years. Strategic reasoning formalizes the thinking process implied by the brainstorming requirement by walking auditors through a set of questions designed to get them to consider how a scheme could be concealed from the normal audit process and how the audit tests could be adapted to detect that concealment. Specifically, Hoffman and Zimbelman (2009) operationalize this strategic reasoning process by requiring auditors to answer the following four questions: (1) What potential frauds may have occurred? (2) What procedures would you normally perform to detect these frauds? (3) How could management conceal the potential frauds from the typical procedures you normally perform? (4) How could your audit plan be modified to detect the concealed frauds?

While SAS No. 99 (AICPA 2002) does not discuss strategic reasoning per se, its requirement to employ brainstorming has some components that can help auditors achieve the benefits of strategic reasoning. Table 1 illustrates how the components of SAS No. 99 (and the current fraud standard as documented in AU 316) correspond to Hoffman and Zimbelman's (2009) experimental manipulation based on the four-step strategic reasoning process. Note that AU 316.14 maps directly into the first three steps in the strategic reasoning process. While the auditing standard does not explicitly address the fourth step of the strategic reasoning process, we believe that designing procedures to find the fraud is one of the implied purposes of the brainstorming exercise. Both brainstorming and strategic reasoning encourage auditors to think of tests that would be atypical and unpredictable from the client's point of view, and develop high-quality, creative ideas to design procedures to detect a fraud concealed by management. Hoffman and Zimbelman's (2009) study explored the extent to which the brainstorming and strategic reasoning requirements overlap and whether auditors benefit from performing strategic reasoning in groups, pooling their collective cognitive resources when performing the strategic reasoning task.

The paper summarized in this article used a fraud case based on an SEC Accounting and Auditing Enforcement Release (AAER). The study found that each of the interventions (i.e., receiving strategic reasoning instructions and brainstorming in groups) improved auditors' planning judgments. However, the combination of the two interventions was not more effective than either one used alone. That is, once individual audit managers were explicitly instructed to reason strategically, adding more audit managers to the process in a brainstorming group did not result in better judgments. Similarly, auditors who went through the brainstorming process and were asked to perform the strategic reasoning process did not perform any better than those who brainstormed without being explicitly instructed to reason strategically. However, we do note that it is possible that, for hierarchical audit teams, strategic reasoning in brainstorming groups could result in better judgments than those of individual, less-experienced auditors reasoning strategically on their own. In addition, brainstorming in hierarchical groups may provide other benefits to the audit team, such as improving the training of lower-level auditors and conveying a sense of skepticism to all audit team members.

Participants in the experiment were 91 practicing audit managers with an average of over five years of experience with one large international audit firm.² As described in more detail later, all participating auditors were given information about the audit (e.g., financial statements and results of preliminary analytical procedures), and were provided with the prior-year audit plan for the sales and accounts receivable cycle. They then completed an audit-planning task by budgeting hours to audit procedures. While the auditors were not specifically instructed to modify last year's plan, performing this task implicitly required them to decide whether and how to modify the prior year's audit procedures for the current-year audit.³

The experiment placed the audit managers into one of four different conditions; auditors in each condition performed the same audit-planning task for the same high-fraud-risk case, but were provided with different instructions as follows: (1) auditors in one condition worked in three-person brainstorming groups and also received instructions to engage in strategic reasoning (Brainstorming/Strategic Reasoning); (2) auditors in a second condition engaged in strategic reasoning but worked individually (No Brainstorming/Strategic Reasoning); (3) auditors in a third condition worked in three-person brainstorming groups but did not receive any instructions about strategic reasoning (Brainstorming/No Strategic Reasoning); (4) auditors in a fourth condition worked individually and did not receive any instructions about strategic reasoning (No Brainstorming/No Strategic Reasoning).⁴

The experiment involved five phases that were completed using computer software. First, participants read about a hypothetical audit client. Second, each participant provided a fraud risk assessment. Third, the strategic reasoning and/or brainstorming interventions were administered. For example, participants in the strategic reasoning condition completed an exercise requiring them to engage in strategic reasoning. Similarly, at this point those in the brainstorming condition were assigned to groups of three and instructed to brainstorm together. Fourth, all participants completed the audit-planning task that required them to document their audit plan for this year's audit. In doing so they were required to document several aspects of the audit, including budgeted hours, sample sizes, and sample composition.⁵ Finally, each participant completed a questionnaire that collected demographic information, including audit experience and experience with fraud.

Hoffman and Zimbelman (2009) used a case based on an actual SEC AAER; details of the case were changed from the SEC's AAER in order to disguise the actual company. Participants received information that described the company, its industry, management, business strategy, financial information, and results from preliminary analytical procedures performed at interim by an audit senior. All participants were told that the study involved fraud risk assessments and audit planning. In order to suggest that the company has high fraud risk, participants were told that ten fraud risk factors from SAS No. 99 were present. All participants received a set of 12 audit procedures that were included in the prior year's audit program, and were asked to document their audit-planning decisions for the current year. The participants were allowed to follow the prior-year audit approach or document how they would change the approach by documenting their budgeted hours, sample sizes, and other information about the audit approach. Half of the participants performed this task after performing the four-question strategic reasoning task and half performed it in brainstorming groups, which results in the four possible combinations described above.

The case provided information that suggested how a fraud could have been perpetrated. Specifically, management told the auditors that an end-of-year increase in accounts receivable was attributable to a new marketing strategy instituted in mid-November. The company reallocated marketing responsibilities, turning all sales of analog products over to its distributors and focusing its efforts on a newer line of digital products. To implement this plan, distributors were given significant incentives to buy analog products in mid-November and December. The case is consistent with a revenue fraud perpetrated by channel stuffing obsolete inventory through the distributor sales channel.

Table 2 presents a summary of Hoffman and Zimbelman's (2009) results. The “No Intervention” column presents the results of auditors performing the task individually without receiving either the brainstorming or strategic reasoning intervention. The last column indicates the average of the next three treatment conditions: (1) individuals who received the strategic reasoning intervention, (2) brainstorming groups that did not receive the strategic reasoning intervention, and (3) brainstorming groups that also received the strategic reasoning intervention. We present the average of the interventions in these three conditions because the results in the three treatment conditions were not statistically different from one another.

Participants' audit-planning decisions were compared to those of three fraud experts who have extensive experience as partners working in the forensics area at the national level of three different international public accounting firms. The experts were not told what the actual fraud was, but worked through the case and listed effective procedures for detecting the fraud. All of the experts correctly identified the type of fraud and noted several changes to the nature of the standard audit procedures that could be used to detect the fraud.

The case required the participants to provide details about their planned audit procedures, which primarily centered around four audit procedures: (1) accounts receivable confirmations, (2) subsequent cash receipts testing, (3) sales returns testing, and (4) “other” procedures. Participants' effectiveness was evaluated based on the similarity of their audit-planning decisions to the experts' responses. For example, when participants budgeted hours for confirming receivables, the audit-planning task required them to specify which customers they chose to focus on and what types of confirmations they would send. Because the experts indicated that auditors should modify the prior-year confirmation testing by sending more positive confirmations to the distributor accounts, auditors who did this were deemed more effective than those who sent fewer positive confirmations to distributor accounts. As is evident in Table 2, Procedure 1(b), auditors who did not receive any intervention sent 16 percent positive confirmations to distributors, whereas those who received the interventions sent over twice that amount (35 percent) of positive confirmations to distributors.

Another example of a change in the nature of an audit procedure is to extend the “window” in which auditors examine both subsequent cash receipts and sales returns. An auditor whose concern was to increase the extent of testing would examine more cash receipts and sales return items but not change the timeframe used to examine these items. However, an auditor who changed the nature of the test as the experts recommended would use a longer timeframe for testing because the auditor is concerned that distributors will be slower to pay for “channel-stuffed” sales and/or will return the sales after a relatively long time period because they had a side agreement.⁶ In addition, the experts also recommended focusing primarily on the distributor accounts during this extended window.

The results for these procedures were similar to those found for confirmations sent. Specifically, auditors who performed the task using strategic reasoning and/or in brainstorming groups recommended extending the subsequent cash receipts window by an average of 72 days versus 59 days for auditors who did not receive any intervention. Those who received the interventions also extended the sales returns window to 76 days compared to 59 days for those who did not receive any intervention. In addition, as shown in Table 2, auditors who received the interventions focused significantly more on the distributor accounts than on the non-distributor accounts, budgeted more hours for interviewing employees (e.g., lower-level clerks, shipping personnel), and budgeted more hours for performing computer assisted audit techniques (CAATs) than those who did not receive any intervention. Hoffman and Zimbelman (2009) concluded that engaging in strategic reasoning and brainstorming clearly led auditors to modify the nature of the audit plan to investigate the specific fraud that was implied by the case materials, with similar results for all groups receiving the strategic reasoning and/or brainstorming treatments.

Auditing standards require auditors to brainstorm as part of audit planning to detect fraud. However, neither auditing standards nor prior research indicate whether or how brainstorming will help the auditor detect fraud. Hoffman and Zimbelman (2009) showed that one benefit of brainstorming is that it helps auditors to achieve the same benefits as reasoning strategically. Table 1 illustrates how similar strategic reasoning and brainstorming are to each other, and Hoffman and Zimbelman (2009) found that both the brainstorming and strategic reasoning interventions helped auditors to structure the audit-planning task differently, presumably making it less cognitively taxing, and enabling them to design more effective fraud detection procedures.

The study also found that strategic reasoning and brainstorming helped auditors to offset the negative effect that is usually associated with using a standard audit program—auditors were not inhibited from generating new ideas that were not listed on the standard program. Helping auditors overcome the usual blocking of creativity that is associated with the use of a standard audit program could allow them to benefit from the increased audit efficiency of a standardized audit program without sacrificing audit effectiveness. Because audit firms seem committed to using standardized audit programs, these results suggest that, to avoid a mechanistic approach to audit planning, auditors should reason strategically when using standardized programs.

Another approach firms could take in order to encourage audits to be less predictable is to require auditors to propose novel procedures in response to specific fraud risks. One way to do this would be to develop a menu of non-standard audit procedures that are linked to specific fraud risks, where firms require auditors to select some number of non-standard procedures each year and rotate through the procedures on a regular basis to prevent the audit client from predicting the audit approach. While it may seem more efficient to use such an approach instead of having auditors create new procedures on their own for each fraud risk encountered on an audit, a potential downside to this menu-driven approach is that it would make it easier for client management to predict the non-standard procedures because they would be known by, for example, accounting personnel who were former auditors. In any case, it would likely be beneficial if auditors, as part of documenting their brainstorming session, were required to document the changes they made to the audit approach in response to fraud risk.

Using the four steps in the strategic reasoning intervention formalizes the actions desired by SAS No. 99 and structures the brainstorming task for auditors. We encourage audit firms to adopt these steps as an individual exercise to be performed prior to the audit team's brainstorming meeting. In this study, audit manager participants either made judgments alone or in a group. However, we anticipate that it could be helpful for all audit team members to first go through the four-step, strategic-reasoning process individually and then later bring their thoughts to the brainstorming group. Managers might benefit from this process, but it may be especially helpful to staff or in-charge auditors who could potentially increase their contribution to the brainstorming process and also learn from it. Our findings inform audit practitioners about the benefit of structuring the fraud detection process using these four steps. It also is beneficial for them to know that brainstorming is not just one more item to check off on a list of requirements, but that it is an imporant process that can improve their audits. Our study confirms the benefits of brainstorming, and shows that brainstorming can help auditors to reason strategically as well as think creatively about how management could perpetrate and hide a fraud from auditors' standard procedures.