    Auditors’ Internal Controls over Financial Reporting Decisions: Analysis, Synthesis, and Research Directions
    Practical Implications:

    In the planning phase, the PCAOB and key stakeholders should consider developing an ICOFR audit risk model to serve as a conceptual planning and evaluative model. Audit firms should pay attention to aligning auditors’ skill sets to their task assignments and employ other mechanisms that encourage consultations.

    Scoping decisions remain underexplored. Nevertheless, anecdotal evidence suggests that auditors may be cognitively wired to scope some types of ELCs but not others. Firms may consider the interactions between auditors and client personnel that explain the tendency for auditors to evaluate only the ELCs scoped by the client.

    Audit firms should pay special attention to how audit teams design testing plans to test ELCs that are not easily tested by attribute sampling methods (e.g., management philosophy and operating style). This is necessary to address concerns raised by PCAOB inspections that some auditors identified ELCs that appeared to be designed to operate with a high degree of precision, but failed to obtain sufficient audit evidence of their operating effectiveness.

    In the evaluation phase, firms should consider mechanisms that can help auditors “imagine what could go wrong where nothing wrong has happened.” Examples of such mechanisms include restructuring the task (e.g., documentation, decomposition of the task, or requirements to list what could go wrong). In the reporting phase, firms should consider specifically requiring auditors to consider the needs of a prudent official. This requirement may be a countervailing check on their detection and disclosure incentives.

    For more information on this study, please contact Stephen K. Asare.


    Asare, S. A., B. C. Fitzgerald, L. E. Graham, J. R. Joe, E. M. Negangard, and C. J. Wolfe. 2013. Auditors’ Internal Controls over Financial Reporting Decisions: Analysis, Synthesis, and Research Directions. Auditing: A Journal of Practice and Theory 32 (sp1): 131-166.

    Purpose of the Study:

    This paper synthesizes the literature on auditors’ evaluation of and reporting on companies’ internal control over financial reporting (ICOFR) as required by the Sarbanes-Oxley Act (SOX). The purpose of the synthesis is (1) to provide stakeholders with information on how, and how well, auditors perform the ICOFR task; (2) to highlight implementation issues related to auditors’ application of the ICOFR standard and empirical findings related to regulatory concerns; (3) to identify gaps in the existing accounting literature and fruitful areas of future research; and (4) to stimulate additional research focusing on important regulatory areas as well as understanding and improving auditors’ ICOFR decisions.

    Design/Method/Approach:

    The authors develop a framework to organize the literature on post-SOX ICOFR research. The framework suggests that there are five phases of the ICOFR audit: (1) planning; (2) scoping; (3) testing; (4) evaluation; and (5) reporting. It also suggests that auditors’ performance on the tasks within each phase is affected by (a) the auditor’s attributes, (b) the client’s attributes, (c) the interaction between the auditor and the client, (d) task attributes, and (e) environmental attributes. Following the framework, the authors describe and evaluate auditors’ performance on the specific tasks within each phase of the ICOFR audit. They end their analysis of each phase with a brief summary of the findings, discussion of the under-studied performance determinants, and suggestions for future research.


    Key takeaways from the synthesis paper include the following:

    • In the planning phase, there is an absence of a generally agreed upon ICOFR audit risk model akin to the audit risk model used in the audit of the financial statements. Auditors are not fully aware of the risks in complex enterprise resource planning systems, may be overconfident in their ability to assess risks in this setting, and are reluctant to seek consultation from computer assurance specialists.
    • The evidence from the studies on scoping suggests that the more prescription-oriented Auditing Standard No. 2 induced inefficiencies, some of which have been eliminated by the risk-based scoping prescribed by Auditing Standard No. 5. Further, there is evidence that management trustworthiness and investment in monitoring controls affect scoping decisions.
    • Auditors’ experience, knowledge, and training enhance testing strategies. However, providing auditors with client-prepared documentation before they make an independent assessment can hinder their ability to evaluate internal controls.
    • In the evaluation phase, auditors’ severity assessments are unduly influenced by the absence of a misstatement.
    • In the reporting phase, detection and disclosure incentives play a role in whether existing material weaknesses are reported.
    • The article includes a summary of the authors’ findings related to the Public Company Accounting Oversight Board (PCAOB) staff’s stated interest in the auditor’s testing of entity-level controls (ELCs), multi-location scoping, and the effect of compensating controls on the evaluation of identified control deficiencies.
    • Proposed areas of research related to the audit of ICOFR likely to influence future regulation are presented.
