Internal Control Weaknesses and Client Risk Management

Randal Elder, Yan Zhang, Jian Zhou, and Nan Zhou

August 08, 2008

Randal Elder is from Syracuse University (rjelder@syr.edu); Yan Zhang is from SUNY Binghamton (yzhang@binghamton.edu); Jian Zhou is from SUNY Binghamton (jzhou@binghamton.edu); Nan Zhou is from HKUST and SUNY Binghamton (acnan@ust.hk). We thank Jean Bedard, Denise Dickins, Weili Ge, Karla Johnstone, Ryan LaFond, Clive Lennox, and especially an anonymous reviewer for detailed and insightful suggestions that have significantly improved the paper. We also thank workshop participants at the 2007 American Accounting Association (AAA) Annual Meeting, the 2007 AAA Auditing Midyear Meeting, the 2007 International Conference on Accounting and Finance at Xiamen University, the 2006 Annual Conference on Financial Economics and Accounting at Georgia State University, the 2006 HKUST Summer Symposium on Accounting Research, Hofstra University, SUNY Binghamton, SUNY Buffalo, Syracuse University, and Zhejiang University for helpful comments.

Internal Control Weaknesses and Client Risk Management

Abstract

We study auditors client risk management in the first year of SOX 404 implementation, and find that there exists a pecking order among auditors strategies to manage control risk resulting from internal control weaknesses. We first examine the relations between internal control weaknesses and audit fee, audit fee increase, modified opinion, and auditor resignation, respectively, and establish that these are viable strategies to manage control risk on a stand-alone basis. When we investigate these strategies simultaneously, descriptive evidence suggests that there exists a pecking order among auditors client risk management strategies. Our ordered logit analyses document that, as the clients control risk increases, auditors are likely to respond in the order of audit fee adjustments, modified opinions, and auditor resignations. We further create an index based on the severity of auditors responses, and find that the degree of control risk is positively correlated with this auditor response index. Our comprehensive evidence suggests that auditors use an array of ordered strategies to manage client-related control risk.

Key Words: Internal control weaknesses; Client risk management; Audit fee and audit opinion; Auditor resignation JEL Classification: M42

1

Internal Control Weaknesses and Client Risk Management

1. Introduction

The Sarbanes-Oxley Act (SOX) of 2002 has changed the regulatory landscape for

the accounting profession, especially for auditors of public companies. The Public

Company Accounting Oversight Board (PCAOB) was created to monitor auditors work

directly. In addition, conflicts of interest are prohibited and civil- and criminal liabilities

are imposed for any violations. Consequently, SOX has substantially increased legal

liability for accountants. Before SOX, auditors would typically face liability only after a

client collapsed, but now they face significant legal consequences for any violations of

SOX. For example, a failure in PCAOB inspection could result in suspension or

termination of an auditors registration status, without which the auditor is prohibited

from performing audits of public companies. In an extreme case, an accountant could be

sentenced to 20 years for willfully destroying or altering documents (Wegman, 2005).

In this paper, we study how auditors manage control risk resulting from internal

control weaknesses. Since auditors now assume greater risk when performing audits of

public companies in this post-SOX era, such focus on client risk management has added

significance for public accounting firms. Specifically, client-related risk can be classified

into audit risk and client business risk. SAS No. 107 (AICPA, 2006) decomposes audit

risk into three components: inherent risk, control risk, and detection risk.1 In decisions

related to client risk management, auditors should focus on inherent risk and control risk,

1 SAS No. 107 (AICPA, 2006) also defines combined inherent risk and control risk as the risk of significant misstatement in the financial statements. SAS No. 107 replaced SAS No. 47 (AICPA, 1983) which first defined the audit risk model and its components.

2

because these two components equal the likelihood of error in clients accounts prior to

the auditors testing (Elder and Allen, 2003).

Information on a clients control risk was not publicly available on a large scale

prior to the enactment of SOX.2 However, this has been dramatically changed, because

SOX has two sections specifically focusing on internal control disclosures. Effective for

all public firms for their fiscal years ending on or after August 29, 2002, Section 302

(SOX 302) requires a firms management to disclose significant internal control

deficiencies when they certify quarterly or annual financial statements. Section 404

(SOX 404) has two provisions. Section 404(a) requires management to provide an

assessment of internal control, and Section 404(b) requires auditors to provide an opinion

on managements assessment. An accelerated filer must comply with SOX 404 for its

first fiscal year ending on or after November 15, 2004; a non-accelerated filer must

comply with SOX 404(a) for its first fiscal year ending on or after December 15, 2007,

and SOX 404(b) for its first fiscal year ending on or after December 15, 2009.3

One integral part of our analyses is to assess how auditors adjust their audit fees

in response to the changes in their assessments of control risk. We thus focus on the first

year of SOX 404 implementation, an external shock forcing internal control disclosures.

This setting enables us to obtain a large number of firms that are newly identified with

internal control weaknesses under SOX 404, enhancing the power of our test.4 Since

firms would adapt to this new reporting regime of internal control after the first year, the 2 Prior to SOX, firms were only required to disclose their internal control problems in 8-Ks when they changed auditors. SAS No. 60 required that the auditor communicate internal control deficiencies to the clients audit committee. However, these communications were not generally publicly available (Krishnan, 2005). 3 Accelerated filers are public firms with an equity market capitalization of more than $75 million. 4 14% of our sample firms are identified with internal control weaknesses in the first year of SOX 404 implementation, whereas only 4% of our sample firms are identified with such weaknesses in the year prior to SOX 404 implementation.

3

number of firms with changes in internal control opinions would be small in subsequent

years.

Specifically, we name the first year of SOX 404 implementation as the 404

period, restricting it to fiscal years ending between November 15, 2004 and November

14, 2005 to be consistent with SOX 404. We define the 302 period similarly and restrict

it to fiscal years ending between November 15, 2003 and November 14, 2004. We find

that auditors use an array of strategies to manage client-related risk in the 404 period.

Interestingly, there exists a pecking order among auditors strategies to manage control

risk resulting from internal control weaknesses. As the level of control risk increases,

auditors respond by adjusting audit fees, issuing modified opinions, and resigning from

clients.

We first examine the relations between internal control weaknesses and audit fee,

audit fee increase, modified opinion, and auditor resignation, respectively. We find that

firms with internal control weaknesses are charged higher audit fees. When we separate

internal control weaknesses into company-level weaknesses and account-specific

weaknesses, we find that the audit fee premium for company-level weaknesses is

significantly higher than that for account-specific weaknesses. Compared with account-

specific weaknesses, company-level weaknesses are more extensive and pervasive and

thus more difficult to address in the audit. During the transition from the 302 period to

the 404 period, firms newly identified with internal control weaknesses under SOX 404

are encumbered with greater audit fee increases. Moreover, we find that firms with

internal control weaknesses are more likely to be flagged with a modified opinion.

Finally, we find that auditor resignations are more likely for firms with internal control

4

weaknesses. Based on these findings, we establish that audit fee adjustments, modified

opinions, and auditor resignations are viable strategies to manage control risk on a stand-

alone basis.

When we investigate these strategies simultaneously, descriptive evidence

suggests that there exists a pecking order among auditors client risk management

strategies. Our ordered logit analyses document that, as the clients control risk

increases, auditors are likely to respond in the order of audit fee adjustments, modified

opinions, and auditor resignations. We further create an index based on the severity of

auditors responses, and find that the degree of control risk is positively correlated with

this auditor response index. Our combined evidence suggests that auditors use an array

of ordered strategies to manage client-related control risk.

Our paper is related to the growing literature on internal control problems. One

strand of the literature focuses on the determinants of internal control problems.

Krishnan (2005) finds that audit committee independence and financial expertise are

associated with internal control problems before the enactment of SOX, and Zhang,

Zhou, and Zhou (2007) find that audit committee financial expertise is related to internal

control weaknesses after the enactment of SOX. Ge and McVay (2005) and Doyle, Ge,

and McVay (2007a) find that internal control weaknesses are more likely for firms that

are smaller, less profitable, more complex, growing rapidly, or undergoing restructuring.

Ashbaugh-Skaife, Collins, and Kinney (2007) find that firms with more complex

operations, recent changes in organization structure, more accounting risk exposure, and

less investment in internal control systems are more likely to disclose internal control

deficiencies. The other strand of the literature focuses on the consequences of internal

5

control problems. Doyle, Ge, and McVay (2007b) and Ashbaugh-Skaife, Collins,

Kinney, and LaFond (2008) find that firms with internal control problems tend to have

lower accruals quality. Ashbaugh-Skaife, Collins, Kinney, and LaFond (2006) and

Ogneva, Subramanyam, and Raghunandan (2007) show that internal control deficiencies

are positively related to firm risk and cost of equity capital. Our finding that internal

control weaknesses are an important determinant of auditors client risk management

strategies adds to the latter strand of literature.

Our paper is also related to research papers that study either the relation between

internal control problems and audit fees or the relation between internal control problems

and auditor turnover. Using internal client evaluation data from a public accounting firm,

Bedard and Johnstone examine audit risk factors in three studies of auditors client risk

management strategies prior to the enactment of SOX. Specifically, Johnstone and

Bedard (2003) study client acceptance, Johnstone and Bedard (2004) study client

dismissal, and Bedard and Johnstone (2004) study planned audit hours and billing rates.

Using internal control disclosures required under SOX, several contemporaneous papers

look at some aspects of the issues we examine. Raghunandan and Rama (2006), Hogan

and Wilkins (2008), and Hoitash, Hoitash and Bedard (2008) find that audit fees are

associated with internal control weaknesses; Hertz (2006) and Ettredge, Heintz, Li, and

Scholz (2006) find that auditor resignation is associated with internal control

weaknesses.5 Different from these papers that examine either audit fee or auditor

turnover on a stand-alone basis, our paper views audit fee, audit opinion, and auditor

resignation as a portfolio of strategies at the disposal of auditors in managing client-

5 Ashbaugh-Skaife, Collins, and Kinney (2007) find that auditor resignations are associated with internal control deficiencies prior to the enactment of SOX 404.

6

related risk, and establishes that there is a pecking order among these risk management

strategies. This pecking order evidence is new to the literature. In addition, we

document the relation between audit opinion and internal control weaknesses, a result

absent in the aforementioned papers.

The rest of the paper is organized as follows. Section 2 discusses the background

and proposes the hypotheses. Section 3 explains the data and describes the sample

selection procedures. Section 4 presents the empirical results. Section 5 concludes the

paper.

2. Background and hypotheses

2.1. Disclosure on internal control

SOX emphasizes internal control, which is defined as "a process, effected by an

entity's board of directors, management and other personnel, designed to provide

reasonable assurance regarding the achievement of objectives," according to the COSO

framework.6 Under Securities Exchange Commission (SEC) Release No. 33-8124

(August 29, 2002), SOX 302 requires management to disclose significant deficiencies in

internal control when they certify quarterly or annual financial statements. Specifically,

the signing officers, responsible for internal control, have evaluated these internal

controls within the previous ninety days and reported in their findings: (1) a list of all

deficiencies in the internal controls and information on any fraud that involves employees

6 COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission, which undertook an extensive study of internal control to establish a common definition that would serve the needs of companies, independent public accountants, legislators, and regulatory agencies, and to provide a broad framework of criteria against which companies could evaluate the effectiveness of their internal control systems. COSO published its Internal Control -- Integrated Framework in 1992.

7

who are involved with internal activities; (2) any significant changes in internal controls

or related factors that could have a negative impact on the internal controls. 7

Under SEC Release No. 33-8238 (June 5, 2003), Section 404(a) requires

management to provide an assessment of internal control, and Section 404(b) requires

auditors to provide an opinion on managements assessment. Specifically, issuers are

required to disclose information concerning the scope and adequacy of the internal

control structure and procedures for financial reporting in their annual reports. This

statement shall also include an assessment of the effectiveness of such internal controls

and procedures. The registered auditing firm shall, in the same report, attest to and report

on the effectiveness of the internal control structure and procedures for financial

reporting. While an accelerated filer must comply with SOX 404 for its first fiscal year

ending on or after November 15, 2004 under SEC Release No. 33-8392 (February 24,

2004), a non-accelerated filer must comply with SOX 404(a) managements assessment

requirement for its first fiscal year ending on or after December 15, 2007 under SEC

Release No. 33-8760 (December 5, 2006), and SOX 404(b) the auditors attestation

requirement for its first fiscal year ending on or after December 15, 2009 under SEC

Release No. 33-8934 (June 26, 2008).8

7 The actual implementation of SOX 302 is different from the original rules stated here. Ashbaugh-Skaife, Collins, and Kinney (2007) argue that the reporting of internal control problems under SOX 302 is voluntary, whereas Doyle, Ge, and McVay (2007a) find that the actual SOX 302 disclosures tend to stress the changes in internal control. 8 In SEC Release No. 33-8238 (June 5, 2003), an accelerated filer, defined in the original Exchange Act Rule 12b-2, referred to a U.S. company that has equity market capitalization over $75 million and has filed an annual report with the SEC. According to SEC Release No. 33-8618 (September 22, 2005), prior to December 1, 2005, accelerated filer status did not directly affect a foreign private issuer filing its annual reports on Form 20-F or 40-F, even though the definition of accelerated filer did not expressly exclude foreign private issuers by its terms. After December 1, 2005, a foreign private issuer meeting the accelerated filer definition, and filing its annual report on Form 20-F or Form 40-F, became subject to the internal control reporting requirements under SOX. SEC Release No. 33-8644 (December 21, 2005) amended the Exchange Act Rule 12b-2 definition of an accelerated filer to create a new category of accelerated filer, the large accelerated filer, for issuers with equity market value of $700 million or more,

8

2.2. Client-related risk

Client-related risk can be classified into audit risk and client business risk. Audit

risk is the risk that the auditor will fail to draw attention to a material misstatement,

deficiency, abuse, or other unacceptable matter in an audit, and thus issue an incorrect

audit opinion, whereas client business risk is the risk that the clients economic

condition will deteriorate in either the short term or long term (Johnstone, 2000).

SAS No. 107 (AICPA, 2006) decomposes audit risk into three components:

inherent risk, control risk, and detection risk. Inherent risk is the perceived level of risk

that a material misstatement may occur in a clients financial statements in the absence of

internal control procedures. Control risk is the perceived level of risk that a material

misstatement in the clients financial statements will not be detected and corrected by

managements internal control procedures. Detection risk is the perceived level of risk

that a material misstatement in the clients financial statements will not be detected by the

auditor. Because inherent risk and control risk equal the likelihood of error in clients

accounts prior to the auditors testing (Elder and Allen, 2003), we focus on these two

components of audit risk, as they are most relevant to the auditors client risk

management decisions.

2.3. Conceptual framework

Johnstone and Bedard (2003) propose a conceptual model of client acceptance.

An auditor evaluates a clients audit risk and business risk and the associated audit fee

and re-defined the term accelerated filer to include an issuer with equity market value of $75 million or more, but less than $700 million. A complete list of SOX 404 compliance dates for various types of firms is summarized in a table on page 10 of SEC Release No. 33-8934 (June 26, 2008).

9

from the engagement.9 When the risk/return is at an acceptable level, the auditor prices

audit risk and client business risk into the audit fee; when the risk/return is at an

unacceptable level, the auditor abandons the high-risk client.

We extend the Johnstone and Bedard model and propose a framework of client

risk management. In this framework, we consider three client risk management

strategies: (1) audit fee adjustments, (2) modified opinions, and (3) auditor resignations.

(1) and (3) are from Johnstone and Bedard (2003), and (2) is from Krishnan and Krishnan

(1996) and Blacconiere and DeFond (1997) who find that auditors are more likely to

issue modified opinions or going-concern opinions for firms with higher litigation risk or

bankruptcy risk. We further propose that there exists a pecking order among an auditors

responses to client-related risk. When the risk is low, the auditor responds by increasing

the audit fee; when the risk is intermediate, the auditor responds by issuing a modified

opinion; when the risk is high, the auditor responds by resigning from the client.

2.4. Hypothesis development

We develop our hypotheses around our conceptual framework. We first focus on

individual strategies, and try to establish that they are viable strategies to manage risk on

a stand-alone basis. We then consider the strategies simultaneously and try to establish

that there exists a pecking order among these strategies.

9 In addition to audit risk and client business risk, Johnstone and Bedard also discuss auditor business risk, which is defined as the risk that the auditor firm will suffer loss resulting from the engagement, and measure it with a dummy variable, which is equal to one if a client is a public company, and zero if a client is a private company. We do not consider auditor business risk in our study since our sample includes only public companies, although we note that whether a company is public is not the only source of auditor business risk.

10

The extant literature on client risk management largely focuses on client business

risk and related legal liability risk. The relation between audit fee and client business risk

is well-documented. For example, Hill, Ramsey, and Simon (1994) find that client

business risk is positively related to audit fees in the savings and loan industry from 1983

to 1988. Bell, Landsman, and Shackelford (2001) find that high business risk increases

the number of audit hours, but not the fee per hour. Seetharaman, Gul, and Lynn (2002)

find that U.K. auditors charge higher fees for their services when their clients access

U.S.-, but not non-U.S., capital markets, suggesting that audit fees reflect differences in

litigation risk across different liability regimes.

Recently, Ashbaugh-Skaife, Collins, Kinney, and LaFond (2006) find that firms

with internal control deficiencies have higher idiosyncratic risk. The higher the

idiosyncratic risk, the more likely a firm will experience a large drop in stock price,

which typically triggers shareholder class-action lawsuits. This suggests that firms with

internal control weaknesses have additional exposure to litigation risk, and are more

likely to inflict damages to their auditors reputation. Because auditor reputation is used

as an important collateral to ensure high-quality audits (DeAngelo, 1981), auditors have

incentives to either increase the audit fee to take this idiosyncratic risk into account or

withdraw from such clients, if the increase in audit fee cannot justify the increase in risk.

Although audit risk factors are found to be more important in audit firm portfolio

management decisions than are financial risk factors (Johnstone and Bedard, 2004), few

studies on client risk management examine the audit risk factors, because proxies for

such variables were not publicly available. Using internal client evaluation data from a

public accounting firm, Johnstone and Bedard (2003, 2004) and Bedard and Johnstone

11

(2004) examine audit risk factors when they study auditors client risk management

strategies. In particular, Bedard and Johnstone (2004) find that planned audit personnel

hours and planned hourly billing rates are higher for firms with weak internal controls.

Because the product of planned audit personnel hours and planned hourly billing rates is

equal to total audit fee, we have the following hypothesis.

Hypothesis 1: Audit fees are higher for firms with internal control weaknesses than for firms without such weaknesses.

Although audit fees are destined to increase substantially for all accelerated filers

due to SOX 404 compliance, firms with internal control weaknesses are expected to

experience greater audit fee increases, because auditors will conduct more testing and

spend more resources to manage the control risk to acceptable levels for these firms.

Thus, we propose the following hypothesis.

Hypothesis 2: Audit fee increases are greater for firms newly identified with internal control weaknesses in the 404 period.

We are afforded with a unique opportunity to test Hypothesis 2, because of our

focus on the first year of SOX 404 implementation. As a self-reporting system by

management, SOX 302 does not require supporting documentation or independent

examination. On the contrary, SOX 404 requires both documentation and independent

auditor examination. Because auditors need to perform independent testing of internal

controls under SOX 404, we expect that audit fees under the SOX 404 regime will be

greater than audit fees under the SOX 302 regime. Because firms are subject to outside

scrutiny from independent auditors under SOX 404, we expect that more firms will be

identified with internal control weaknesses as they transition from the SOX 302 regime to

the SOX 404 regime. For these firms who are newly identified with internal control

12

weaknesses, we expect them to experience a greater increase in audit fees, because of the

extra risk and additional testing related to internal control weaknesses.

In addition to charging firms with internal control weaknesses higher audit fees,

auditors can also manage clients internal control risk by exercising more caution and

issuing modified opinions to such firms. Following Bradshaw, Richardson, and Sloan

(2001), we define modified audit opinion as an indicator variable that takes a value of

zero for a standard unqualified opinion and a value of one for any other modified opinion,

including qualified, adverse, or unqualified with explanatory language.10 Krishnan and

Krishnan (1996) find that auditors are more likely to issue modified opinions for firms

with higher litigation risk, and Blacconiere and DeFond (1997) find that auditors render

going-concern reports to the savings and loans that are most likely to fail ex ante.

Moreover, Francis and Krishnan (1999), Bartov, Gul, and Tsui (2000), and Bradshaw,

Richardson, and Sloan (2001) find that modified audit opinions are influenced by

earnings management, though Butler, Leone, and Willenborg (2004) argue that the

documented relation between modified opinions and abnormal accruals in these papers

rests only with companies with going-concern opinions or under financial distress. Since

these findings indicate that audit opinions are sensitive to various sources of risk, we

propose the following hypothesis.

Hypothesis 3: Auditors are more likely to issue modified opinions for firms with internal control weaknesses than for firms without such weaknesses.

10 COMPUSTAT has six codes for the audit opinion: 0 = unaudited, 1 = unqualified, 2 = qualified opinion, 3 = no opinion, 4 = unqualified with explanatory language, and 5 = adverse. We do not have any firm with an audit opinion code of zero in our sample.

13

Risk reduction is often the reason for auditor resignation.11 Krishnan and

Krishnan (1997) find that litigation risk motivates auditors to resign from their clients.

Shu (2000) finds that auditor resignation is positively related to increased client legal

exposure. Johnstone and Bedard (2003) find that client acceptance likelihood is reduced

in the presence of audit risk, client business risk, and auditor business risk; Johnstone and

Bedard (2004) find that riskier clients are dropped from an audit firms client portfolio

and newly accepted clients are less risky than the auditors continuing clients. Therefore,

we have the following hypothesis.

Hypothesis 4: Auditors are more likely to resign from firms with internal control weaknesses than from firms without such weaknesses.

If Hypotheses 1-4 are confirmed, we will be able to establish that audit fee

adjustments, modified opinions, and auditor resignations are viable strategies to manage

control risk on a stand-alone basis. We are interested in learning whether there is a

pecking order among an auditors responses to client-related risk. Following our

conceptual framework, we hypothesize that the severity of the auditor response is

increasing in control risk. Specifically, we have the following hypothesis.

Hypothesis 5: As the level of control risk increases, auditors respond in the order of (1) audit fee adjustments, (2) modified opinions, and (3) auditor resignations.

SOX offers us a unique opportunity to study auditors client risk management

strategies using public information and test the above hypotheses, because the internal

control disclosures provide us with a standardized and objective measure of control risk,

a key component of audit risk. In our study of auditors client risk management

11 We focus only on auditor resignation, since auditor dismissal is initiated by a client and hence not a tool for an auditor to reduce risk. Our results on auditor resignation are robust when we control for auditor dismissal in our multinomial logit analyses in Table 6.

14

strategies, we focus on this newly available public information on internal control. Our

proxy measures for firm control risk include an internal control weakness indicator

variable and the type of internal control weakness.

3. Sample and methodology

3.1. Sample selection

We retrieve SOX 404 internal control disclosures, audit fees, and auditor changes

from AuditAnalytics, the Altman Z-Scores from Research Insight, and the rest of the

variables from COMPUSTAT. The internal control dataset provided by AuditAnalytics

covers all SEC registrants who have disclosed their assessments of internal controls over

financial reporting in electronic filings since November 2004. The data have been

principally extracted from the following form types: 10-K, 10-K/A, 20-F and 40-F.

Table 1 describes the sample selection procedures. The sample firms consist of

those with internal control information and other necessary variables for our 404 period

with fiscal years ending between November 15, 2004 and November 14, 2005.12 There

were 3,737 firm SEC filings on internal control between November 1, 2004 and

December 31, 2005 in AuditAnalytics.13 After excluding 181 firms not in

COMPUSTAT,14 we exclude 105 foreign firms, 71 subsidiaries, and 149 mutual funds,

trusts, and Real Estate Investment Trusts. We also exclude 26 firms without information

12 We require that the internal control variables and other variables pertain to fiscal years ending from November 15, 2004 to November 14, 2005. Since there is no fiscal year related to the auditor change variable, we classify an auditor change into the 404 period if the announcement was made between November 15, 2004 and November 14, 2005. 13 We exclude 6 duplicate observations. 14 AuditAnalytics only provides ticker symbols for sample firms. We retrieve the Cusip information for our sample firms from COMPUSTAT. We first merge our initial sample with COMPUSTAT by the ticker symbol, and hand-adjust any incorrect matches. We then manually search through COMPUSTAT to locate the Cusip information for firms without ticker symbols or firms that cannot be matched to COMPUSTAT by the ticker symbol.

15

on market value of equity, since we need such information to determine whether a firm is

an accelerated filer. We further exclude firms without audit related information in

AuditAnalytics and other necessary information in COMPUSTAT for fiscal years ending

between November 15, 2004 and November 14, 2005. Specifically, we exclude three

firms with missing SOX 404 internal control disclosures, two firms with missing

information on audit fee, 29 firms with missing necessary information for computing

leverage, sales growth, or return-on-assets, 380 firms with missing audit opinions, 274

firms with missing Z-Scores, and 167 firms with missing necessary information in

computing discretionary accruals. We further exclude 44 non-accelerated filers whose

equity market capitalizations were less than $75 million at the end of the most recently

completed second fiscal quarter before their fiscal years ending between November 15,

2004 and November 14, 2005. Our final sample consists of 2,306 firms.

3.2. Methodology

Following our conceptual framework and hypotheses, we model an auditors

response to risk as a function of control risk, inherent risk, client business risk, and a set

of control variables. When we study auditors strategies on a stand-alone basis in the first

part of our analyses, the auditors response takes the form of audit fee, audit fee change,

modified opinion, and auditor resignation. When we study auditors strategies on a

combined-basis in the second part of our analyses, the auditors response draws from a

portfolio of strategies in the order of audit fee adjustment, modified opinion, and auditor

resignation, depending on different risk levels.

16

Control risk is the perceived level of risk that a material misstatement in a clients

financial statements will not be detected and corrected by the managements internal

control procedures. We use two measures of internal control weaknesses to capture this

concept. The first is an internal control weakness dummy variable (ICW) which is equal

to one if a firm is identified with at least one internal control weakness, and the second is

a pair of dummy variables capturing account-specific weaknesses (ICWACCT) and

company-level weaknesses (ICWCOMP), respectively. Specifically, we follow the

classification scheme in Doyle, Ge, and McVay (2007b, pg. 1148-49 and 1167) to code

weaknesses into these two mutually exclusive categories. ICWCOMP, the dummy

variable for company-level weaknesses is equal to one if the firm has either weaknesses

related to ineffective control environment or management override in the disclosure

or weaknesses related to at least three account-specific problems; ICWACCT, the dummy

variable for account-specific weaknesses, is equal to one if the firm has weaknesses

related to less than three account-specific problems.15 Based on this construction, we can

see that company-level weaknesses represent more extensive or pervasive offenses, and

account-specific weaknesses represent less extensive or pervasive offenses. In other

words, company-level weaknesses are more severe and pose more audit difficulties.

We control for inherent risk, a component of audit risk. Following previous

literature such as Xie, Davidson, and DaDalt (2003), we use discretionary accruals

(DTACC) to measure financial reporting quality, and hence inherent risk. We further

control for client business risk. Since client business risk is the risk that the clients

economic condition will deteriorate in either the short term or long term (Johnstone,

15 AuditAnalytics lists the number of internal control weaknesses and summarizes the nature of these different weaknesses.

17

2000), we control for leverage (LEV), return on assets (ROA), loss (LOSS) (Johnstone

and Bedard, 2003 and 2004; Francis, Reichelt, and Wang, 2005), and the Altman Z-Score

(ZSCORE) (Reynolds and Francis, 2001; Ashbaugh-Skaife, Collins, and Kinney, 2007).

LEV is the ratio of total debts to total assets, ROA is income before extraordinary items

divided by average total assets, LOSS is an indicator variable that is equal to one if there

is a loss in the current year, and ZSCORE is used to measure financial distress with a

lower Z-Score indicating greater distress risk (Altman, 1968).

4. Empirical results

4.1. Univariate analyses

Table 2 provides the variable means and medians for all firms, ICW firms and

non-ICW firms, respectively. In addition, it also provides the mean and median

comparisons of the variables for ICW firms and non-ICW firms. 14.3% of sample firms

disclose internal control weaknesses, including 10.5% with account-specific weaknesses

and 3.8% with company-level weaknesses. In addition, 32% of sample firms have

modified audit opinions and 1.9% have auditor resignations. The mean (median) audit

fee is $2,322,920 ($1,209,190), and the mean (median) audit fee change from the 302

period to the 404 period is $1,132,693 (656,400).16 The mean (median) firm size

measured by total assets is $3,366 ($600) million.

The implementation of SOX 404 leads to a substantial increase in the audit fee.

For example, Advanced Micro Devices Inc. disclosed the following in its 2005 proxy

statement.

16 The mean (median) non-audit fee change from the 302 period to the 404 period is -146,007 (-22,000). This results from the SOX provisions that limit an auditors ability to provide non-audit services to its audit clients.

18

Audit fees of Ernst & Young LLP during the 2004 and 2003 fiscal years were associated with the annual audit of our consolidated financial statements, statutory audits required internationally, reviews of our quarterly reports filed with the Securities and Exchange Commission and fees related to other regulatory filings. In addition, in 2004, audit fees included those fees related to Ernst & Young LLP's audit of the effectiveness of the Company's internal control pursuant to Section 404 of the Sarbanes-Oxley Act. Audit fees for 2004 were $10.4 million, $7 million of which were Sarbanes-Oxley Act Section 404 fees. Audit fees for 2003 were $2.6 million.

As we can see, the SOX 404 fee is $7 million for Advanced Micro Devices, resulting in a

300% increase in the audit fee. Without the SOX 404 fee, the audit fee would have been

$3.4 million, representing a more modest increase of 31% over that in 2003.

The mean (median) audit fee for ICW firms is higher than that for non-ICW

firms. The difference becomes significant after we control for size in our multivariate

analysis in Table 3. The median audit fee increase for ICW firms is significantly greater

than that for non-ICW firms. Modified opinions were received by 46% of the ICW firms

and 29% of the non-ICW firms. The difference between these two groups is significant

at the 1% level, implying that auditors are more likely to flag ICW firms with modified

opinions. Auditors resigned from 8.8% of the ICW firms, compared to 1% of the non-

ICW firms. The difference between these two groups is significant at the 1% level,

suggesting that ICW is related to auditor resignation. For example, Myers Industries Inc.

disclosed that it received the resignation from Ernst & Young on April 13, 2005, and

hired KPMG as its new auditor on June 9, 2005. The following is an excerpt from its 8-K

filed on June 9, 2005.

As disclosed in the Company's Form 10-K/A filed on May 2, 2005, management concluded that the Company's disclosure controls and procedures were not effective as of December 31, 2004 due to material weaknesses identified in the business segment reporting process, the financial statement close process and the income tax process. E&Y issued an adverse opinion on the effectiveness of internal controls over financial reporting because of these material weaknesses as of December 31, 2004.

19

We analyze the relation between auditor resignation and internal control weaknesses

more rigorously in Table 6.

For both mean and median, ICW firms tend to have significantly poorer

performance, higher distress risk and smaller total assets. They are also significantly

more likely to incur a loss and use non-Big 4 auditors. Our univariate results on ROA,

LOSS, and firm size are consistent with those in Ge and McVay (2005) and Doyle, Ge,

and McVay (2007a), as they find that internal control weaknesses are more likely for

firms that are smaller and less profitable.

4.2. Audit fee and internal control weaknesses

4.2.1. Audit fee

We use the Ordinary Least Square (OLS) model to test the relation between audit

fee and internal control weaknesses in Table 3. Specifically, we model the natural

logarithm of audit fee (AUDFEE) as a function of audit risk (control risk and inherent

risk), client business risk, and a set of control variables. Equation (1) presents the

specifications for Model 1 that uses an ICW dummy. All variable definitions are in the

Appendix. For firm i in year t,

)1(4)()(

)(15

1110987

6543210

itj

ititit

ititititititit

INDUSTRYBIGBUSLOGSALEGRTALOG

ZSCORELOSSROALEVDTACCICWAUDFEELOG

=

++++++

++++++=

We expect the coefficient on ICW to be positive, because a firm with weak

internal controls has a greater amount of risk and thus requires more testing from its

auditor (Arens, Elder, and Beasley, 2006). For example, for any significant account or

20

any phase of financial operations in which controls are weak, the auditors need to expand

the nature and extent of their tests of the account balances. Moreover, part of the audit

fee is the SOX 404 fee, which will certainly be higher when a weakness exists. Because

auditors expend more resources for firms with internal control weaknesses, they need to

charge higher audit fees to cover their additional costs.

We control for other sources of client-related risk. We use discretionary accruals

(DTACC) to measure financial reporting quality and thus proxy for the firms inherent

risk. We expect that the audit fee is positively related to discretionary accruals, as

auditors will charge higher audit fees for firms with poor financial reporting quality. We

use leverage (LEV), return on assets (ROA), loss (LOSS), and Z-Score (ZSCORE) to

capture client business risk. Consistent with Francis, Reichelt, and Wang (2005), we

expect firms with high leverage (LEV), losses (LOSS), and poor performance (ROA) to

pay higher audit fees. We also expect that low Z-Score firms to pay higher audit fees.

We further control for other variables related to the audit fee variable. We expect

that audit fees will be higher for large clients and thus control for size, measured as the

natural logarithm of total assets (TA). Since prior studies show that the former Big 8

firms are able to charge a premium for their perceived high-quality services (e.g., Francis,

1984; Francis and Stokes, 1986; and Palmrose, 1986), we introduce a Big 4 dummy

variable (BIG4), indicating whether a firm is audited by a Big 4. Following Francis,

Reichelt, and Wang (2005), we control for the natural log of the number of business

segments (BUS), as audit fees will be higher for clients with complex operations. Audit

fees may also be related to sales growth (SALEGR), which is equal to the change in sales

divided by the sales in the previous year. On the one hand, firms with strong sales

21

growth are expected to pay higher fees, since there is more demand for audit work. On

the other hand, firms with strong sales growth are expected to pay lower fees, since these

firms are performing well and pose less risk for auditors. Therefore, the sign for the

coefficient on sales growth is ambiguous.

Finally, following Johnstone and Bedard (2003) and Francis, Reichelt, and Wang

(2005), we control for industry effects based on the Fama and French (1997) 48-industry

classification. We set the cutoff points at five percent of total observations and introduce

the industry dummies for computers, retail, pharmaceutical products, electronic

equipment, and business services to our regression models in Tables 3-6 and 9-10. The

coefficients on these dummy variables are not reported in Tables 3-6 and 9-10 for the

sake of brevity.17

Consistent with Hypothesis 1, we find that audit fees are significantly higher for

ICW firms at the 1% level.18 Bedard and Johnstone (2004) find that planned audit

personnel hours and planned hourly billing rates are significantly higher for firms with

weak internal controls. Since the product of planned audit personnel hours and planned

hourly billing rates is equal to the total audit fee, our results are consistent with those in

Bedard and Johnstone (2004). For client risk variables, audit fees are significantly

smaller for high ROA firms, and greater for firms with losses and high distress risk.

However, the coefficients on LEV are negative, contrary to our expectation. For control

variables, audit fees are significantly higher for large firms, firms with a large number of

business segments, and Big 4 clients.

17 We later report in the robustness check section that our results are similar to those reported in Tables 3-6 and 9-10 if we exclude these industry dummy variables from our regression models. 18 In unreported tests, we do not find any relation between non-audit fees and ICW, suggesting that ICW, a measure of control risk, is priced only into the audit fee.

22

We replace ICW with ICWACCT and ICWCOMP in Model 2, and find that the

coefficients on ICWACCT and ICWCOMP are significantly positive at the 1% level.

The coefficient on ICWCOMP is significantly larger than that on ICWACCT, suggesting

that auditors charge greater audit fees for company-level weaknesses, the more severe

type of offenses, than for account-specific weaknesses, the less severe type of offenses.

We will elaborate on this point in the next paragraph.

We further measure the economic significance of our results. Following prior

literature, such as Lyon and Maher (2005), we estimate an audit fee premium associated

with an ICW indicator variable to be )1( ae , where a is the coefficient on the ICW

indicator variable. Since the coefficient on the ICW indicator variable is 0.33 in Model 1,

the audit fee premium for ICW firms over non-ICW firms is 39.1%. The premiums

magnitude appears to be in line with the findings in prior studies. For example,

Seetharaman, Gul, and Lynn (2002) find that the audit fee premium for U.K. companies

listed on U.S. stock exchanges is 20%; Lyon and Maher (2005) find that the audit fee

premium for firms that reported payments of bribes is 43%.

We use the coefficients on ICWACCT and ICWCOMP from Model 2, and find

that the audit fee premium for account-specific weaknesses is 31.0%, and that for

company-level weaknesses is 64.9%. By testing the difference between the coefficient

on ICWACCT and that on ICWCOMP in Model 2 (Greene, 2000; pg. 284), we find that

the audit fee premium for company-level weaknesses is significantly higher than that for

account-specific weaknesses at the 1% level. Our result is consistent with the finding in

Doyle, Ge, and McVay (2007b) that accruals quality is affected by company-level

weaknesses rather than by account-specific weaknesses. Consequently, auditors charge

23

greater audit fees for company-level weaknesses to compensate for the risk associated

with poor accruals quality.

4.2.2. Audit fee change

In this section, we study how auditors adjust their audit fees in response to the

changes in their risk assessments. We use the Ordinary Least Square (OLS) model to test

the relation between audit fee change and change in internal control weakness opinions in

Table 4. Specifically, we model audit fee change as a function of changes in audit risk

(control risk and inherent risk), change in client business risk, and change in a set of

control variables in Equation (2). For firm i in year t,

)2(14

109876

543210

itj

jitititit

itititititit

INDUSTRYBUSCGSALEGRCGTACGZSCORECG

LOSSCGROACGLEVCGDTACCCGICWCGAUDFEECG

++++++

+++++=

=

ICWCG used in Model 1 is a variable representing the change in internal control

weakness opinions from the 302 period to the 404 period. Because AuditAnalytics

contains only SOX 404 internal control disclosures, we use the internal control dataset

compiled by Doyle, Ge, and McVay (2007b) for the 302 period.19 The dependent

variable is the audit fee change (AUDFEECG), the difference in audit fee between the

302 period and the 404 period divided by the audit fee for the 302 period. We define

other independent variables used in Table 4 in a similar fashion and provide the details in

the Appendix. The sample size for Table 4 is 2,189, because we need auditing and

19 Available at either Weili Ges Website at Washington or Sarah McVays website at Utah. For the 302 period, we start with the Doyle, Ge, and McVay (2007b) dataset, and make sure that the internal control disclosures are for fiscal years or fiscal quarters ending between November 15, 2003 and November 14, 2004 by searching through the SEC filings. If an observation is from 8-K, we require that the 8-K filing date is between November 15, 2003 and November 14, 2004. We then read through the excerpts of internal control disclosures in their dataset and, in many instances, the original disclosures in 10-K, 10-Q, or 8-K to code the number of weaknesses and the types of weaknesses.

24

financial information for both the 302 period and the 404 period. From our sample of

2,306 firms, we first exclude 38 firms with missing auditing and financial information in

the 302 period. We then exclude one outlier (Tetra Technologies Inc with a leverage

change of 7,286), based on the standard SAS procedure in our regression analyses. We

finally exclude 76 firms with zero leverage and two firms with zero sales growth in the

302 period, because we cannot calculate changes for these variables.

Confirming Hypothesis 2, we find that audit fee increases are greater for firms

newly identified with internal control weaknesses in the 404 period.20 The coefficient on

ICWCG in Model 1 is significantly positive at the 1% level. Because auditors need to

perform independent testing of internal controls under SOX 404, audit fees in the 404

period ($2.3 million on average) are significantly higher than those in the 302 period

($1.2 million on average). Because firms are subject to outside scrutiny from

independent auditors under SOX 404, significantly more firms are identified with ICW in

the 404 period (14%) than those in the 302 period (4%). During the transition from the

SOX 302 regime to the SOX 404 regime, we find that firms newly identified with ICW

experience a greater increase in audit fees, because of the ICW related risk and additional

testing. For other variables, the coefficients on LOSSCG and TACG are significantly

positive. LOSSCG is a change in the LOSS indicator variable, and TACG is the change

in total assets divided by the total assets in the 302 period. Our results thus suggest that

firms will experience an audit fee increase, if they turn from a profit situation in the 302

20 We have 43 sample firms that are identified with internal control weaknesses in the 302 period and with no such weaknesses in the 404 period. The interpretation would be reversed for these firms.

25

period to a loss situation in the 404 period or if they grow in size from the 302 period to

the 404 period.21

We replace ICWCG with similarly defined ICWACCTCG and ICWCOMPCG in

Model 2. The coefficient on ICWCOMPCG is larger than that on ICWACCTCG,

indicating that the audit fee increase is greater for firms newly identified with company-

level weaknesses than for those newly identified with account-level weaknesses. Again,

a larger increase in audit fees is used to compensate for the exposure to a greater level of

risk.

4.3. Modified audit opinion and internal control weaknesses

We use the logit model to test the relation between modified audit opinion and

internal control weaknesses in Table 5. Specifically, we model modified audit opinion as

a function of audit risk (control risk and inherent risk), client business risk, and a set of

control variables. Equation (3) presents the specifications for Model using an ICW

dummy. The modified audit opinion variable (OPINION) is equal to one, if the firms

audit opinion code is between 2 and 5, and zero otherwise. All other variable definitions

are in the Appendix. For firm i in year t,

)3(4)(14

109876

543210

itj

jitititit

itititititit

INDUSTRYBIGSALEGRTALOGZSCORE

LOSSROALEVDTACCICWOPINION

++++++

+++++=

=

21 Our results in Table 4 remain unchanged when we add four dummy variables to capture the different types of auditor changes among the Big 4 and non-Big 4 auditors. These four dummy variables represent auditor changes from a Big 4 to another Big 4, a Big 4 to a non-Big 4, a non-Big 4 to a Big 4, and a non-Big 4 to another non-Big 4.

26

Since auditors are more likely to issue modified opinions for firms with high

litigation risk (Krishnan and Krishnan, 1996) or render going concern opinions for firms

with bankruptcy risk, we hypothesize that ICW firms are more likely to be flagged with

modified audit opinions than non-ICW firms. We control for discretionary accruals

(DTACC), a proxy for inherent risk. While Francis and Krishnan (1999), Bartov, Gul,

and Tsui (2000), and Bradshaw, Richardson, and Sloan (2001) suggest that modified

audit opinions are influenced by earnings management, Butler, Leone, and Willenborg

(2004) find that the documented relation between modified opinions and abnormal

accruals in these papers rests only with firms with going-concern opinions. We further

control for leverage (LEV), return on assets (ROA), loss (LOSS), and Z-Score

(ZSCORE) to capture the impact of client business risk. We expect that firms with high

leverage, losses, and low Z-Scores are more likely to receive modified opinions, whereas

firms with high return on assets are less likely to receive modified opinions. Finally, we

control for size (LOG(TA)) and sales growth (SALEGR).

We find that ICW firms are significantly more likely to be flagged with modified

audit opinions than non-ICW firms. The marginal effect indicates that an ICW firm has a

21.8% increase in the likelihood of receiving a modified opinion. The coefficient on

discretionary accruals is insignificant. This is consistent with Butler, Leone, and

Willenborg (2004) who find that modified opinions are not influenced by discretionary

accruals for firms without going concern opinions, because the super majority of our

sample firms does not have going concern opinions according to AuditAnalytics. In

addition, high leverage firms and high distress risk, as well as large firms, are more likely

to be flagged with modified opinions.

27

We replace ICW with ICWACCT and ICWCOMP in Model 2 and find similar

results. Interestingly, the coefficient on ICWCOMP is smaller than that on ICWACCT.

The marginal effects indicate that a firm with account-specific weaknesses has a 23.2%

increase in the likelihood of receiving a modified opinion and that a firm with company-

level weaknesses has a 19.0% increase in the likelihood of receiving such an opinion.

Given that modified opinions tend to be based on account-related issues, auditors likely

do not have the latitude to provide modified opinions to larger issues, such as tone at the

top.22 Thus, auditors are more likely to issue modified opinions to firms with the less

severe account-specific weaknesses, suggesting that auditors use the modified opinion

strategy when they are exposed to a lower level of risk.23

4.4. Auditor resignation and internal control weaknesses

We study the relation between auditor resignation and internal control weaknesses

in Table 6. Since auditor turnover can be initiated by either the auditor or the client, we

control for auditor dismissal, and perform a multinomial logit regression analysis that

permits separate coefficient estimates for auditor dismissal and auditor resignation by

using firms without auditor changes as the reference group.

Johnstone and Bedard (2004) identify audit risk and client business risk as

determinants of audit firm portfolio management decisions. We are particularly

interested in the internal control aspect of audit risk. Since ICW firms are likely to have

greater audit risk than non-ICW firms, we expect that audit firms are more likely to stop

22 We thank an anonymous referee for this insight. 23 Table 6 finds that auditors are more likely to tender their resignations to firms with the more severe company-level weaknesses. Table 8 presents further evidence that auditors tend to use different strategies to manage different levels of control risk.

28

serving those ICW firms, due to risk avoidance. We control for other sources of client-

related risk and include discretionary accruals (DTACC). Again, auditors are more likely

to resign from clients with high discretionary accruals, so as to avoid risk. We use

leverage (LEV), return on assets (ROA), loss (LOSS), and Z-Score (ZSCORE) to capture

client business risk. Consistent with the argument for DTACC, auditors are more likely

to resign from clients with high leverage, losses, and low Z-Scores. We expect that

auditors are less likely to shy away from high ROA firms (Johnstone and Bedard, 2004).

Following Johnstone and Bedard (2004), we include the natural logarithm of audit

fee as a control variable in our logit model. Audit firms are less likely to resign from

clients, if audit fees are large. Following Landsman, Nelson, and Rountree (2005), we

include two other control variables. We control for the natural logarithm of size (TA)

and predict that auditor resignations are less likely for large firms, because DeAngelo

(1981) argues that large clients incur higher costs of auditor changes. We also control for

sales growth (SALEGR) because high growth clients may face higher litigation risk

(Stice, 1991). However, we do not provide a directional prediction on this variable.

Model 1 presents the results from the multinomial logit regressions using the ICW

dummy variable. The choice variables are auditor resignation, auditor dismissal, and

continuous auditor appointment, respectively. Auditor resignation (RESIGNATION) is

one if a firms auditor resigned from the firm, and auditor dismissal (DISMISSAL) is one

if a firm dismissed its auditor.24 We find that auditor resignations are significantly more

likely for ICW firms, confirming Hypothesis 4. The marginal effect indicates that an

24 Auditor dismissal is introduced as a control. Our results on auditor dismissal are consistent with the prior literature on audit opinion shopping (Chow and Rice, 1982; Smith, 1986). When we run logit regressions using auditor resignation as the only choice variable, our results on auditor resignation are similar to those reported in Table 6.

29

ICW firm has a 3.2% increase in the likelihood to experience auditor resignation. Our

result on auditor resignation is consistent with that in Bedard and Johnstone (2004), as

they find that clients with control risk are more likely to be classified in the auditors

discontinued client portfolio. In both periods, we find that auditor resignations are

significantly less likely for large firms and more likely for loss firms. While the

coefficient on audit fee is not significant, the coefficient on ROA is positive, contrary to

our expectation.

We replace ICW with ICWACCT and ICWCOMP in Model 2, and find that the

coefficients on ICWACCT and ICWCOMP are significantly positive at the 1% level. In

particular, the coefficient on ICWCOMP is larger than that on ICWACCT. The marginal

effects indicate that a firm with account-specific weaknesses has a 1.9% increase in the

likelihood to experience auditor resignation and a firm with company-level weaknesses

has a 9.5% increase in the likelihood to experience auditor resignation. Auditor

resignations are more likely for firms with the more severe company-level weaknesses,

suggesting that auditors use the resignation strategy when they are exposed to a higher

level of risk.

4.5. Pecking order analyses

4.5.1. Descriptive analyses

In the previous sections, we have established that audit fee adjustments, modified

opinions, and auditor resignations are viable strategies on a stand-alone basis. We now

study these strategies simultaneously. Table 7 presents the Pearson correlations for

internal control weakness variables and auditor response strategies. The sample size is

30

2,163 for Tables 7-10. Since we focus on auditors responses to control risk, we exclude

131 auditor dismissal firms from the full sample of 2,306 firms. We then exclude one

firm with missing audit fee information in the 302 period. We finally exclude 11 auditor

resignation firms with modified opinions, because these opinions may be issued by their

replacement auditors.

ICW is significantly related to increasing audit fees (FEECHG), issuing modified

opinions (OPINION), and tendering auditor resignations (RESIGN). Interestingly,

ICWACCT is significantly correlated with FEECHG and OPINION, but ICWCOMP is

significantly correlated to FEECHG and RESIGN. While auditors increase audit fees for

all types of weaknesses, they tend to use resignations for the more severe company-level

weaknesses and issue modified opinions for the less severe account-specific weaknesses.

These findings suggest that there is a pecking order among auditors risk management

strategies.

The correlation between FEECHG and OPINION is significantly negative at the

5% level, suggesting that FEECHG and OPINION may be substitutes. We also examine

the 297 ICW firms from the sample of 2,163 firms used in Tables 7-10, and classify them

into one group with modified opinions and another group without modified opinions.

Out of these 297 ICW firms, the average audit fee increase for 132 firms with modified

opinions is 173% and that for 165 firms without modified opinions is 203%. These

findings provide additional evidence that FEECHG and OPINION may be substitutes.

Since firms who resign from the clients no longer assess audit fees and issue opinions, the

correlations between RESIGN and FEECHG and between RESIGN and OPINION are

not applicable.

31

We follow the preliminary findings in Table 7 and further investigate whether

auditors risk management strategies have a pecking order of audit fee adjustments,

modified opinions, and auditor resignations. We first sort our sample into three mutually

exclusive groups: (1) firms with no auditor resignations and no modified opinions, (2)

firms with modified opinion but no auditor resignations, and (3) firms with auditor

resignations.25 We refer to Group 1 as the Fee Adjustment Group and assign a value of 1,

Group 2 as the Modified Opinion Group and assign a value of 2, and Group 3 as the

Resignation Group and assign a value of 3. Note that 3 is the most severe response,

whereas 1 is the least severe response.

Table 8 presents the descriptive evidence by comparing the proportion of internal

control weaknesses, including account-specific weaknesses and company-level

weaknesses, for each strategy group. ICW are found in 9.8% of the firms in Group 1,

19.8% of the firms in Group 2, and 61.8% of the firms in Group 3. There is an increasing

trend in the proportion of ICW firms from Group 1 to Group 3. The difference between

Groups 2 and 1 and that between Groups 3 and 2 are significant at the 1% level,

suggesting that there is a pecking order in client risk management strategies. Auditors

are likely to raise audit fees when dealing with a portfolio of clients with low control risk

on average, issue modified opinions when dealing with a portfolio of clients with

intermediate control risk on average, and tender their resignations when dealing with a

portfolio of clients with high control risk on average.

We further separate ICW into ICWACCT and ICWCOMP. Over 74%

(0.073/0.098) of ICW firms in the Fee Adjustment Group and 80% (0.159/0.198) of such

25 As we discuss in the following paragraph, we exclude 11 auditor resignation firms with modified opinions, because these opinions may be issued by their replacement auditors.

32

firms in the Modified Opinion Group have account-specific weaknesses, whereas 71%

(0.441/0.618) of ICW firms in the Resignation Group have company-level weaknesses.

These findings again suggest that there exists a pecking order in auditors client risk

management strategies. Auditors tend to increase audit fees and issue modified opinions

to manage control risk resulting from the less severe account-specific weaknesses and use

resignations to manage control risk resulting from the more severe company-level

weaknesses. This message is consistent with our findings in Tables 5 and 6, adding

credence to our results.

4.5.2. Ordered logit analyses

Table 9 employs the ordered logit regression. The auditor response as a dependent

variable is assigned a value of 1 for the Fee Adjustment Group, 2 for the Modified

Opinion Group, and 3 for the Resignation Group. Model 1 presents the results from the

ordered logit regressions using the ICW dummy variable. The coefficient on ICW is

significant at the 1% level. Because the auditor attestation requirement in SOX 404

exposes auditors to control risk, auditors manage this risk by using a set of ordered

strategies. Loss firms and high distress risk firms, as well as large firms, are more likely

to trigger severe responses. The sign for the coefficient on ROA is contrary to our

prediction.

We replace ICW with ICWACCT and ICWCOMP in Model 2, and find the

coefficients on ICWACCT and ICWCOMP to be significantly positive. Thus, our

combined evidence from Models 1 and 2 suggests that there exists a pecking order among

auditors client risk management strategies. As the clients control risk increases,

33

auditors are likely to respond in the order of audit fee adjustments, modified opinions,

and auditor resignations.

4.5.3. Auditor response index

We follow the group classification schedule in Section 4.5.1, and create an index

based on the severity of auditors responses. Groups 1, 2, and 3 are the audit fee

adjustment, modified opinion, and auditor resignation groups, respectively. We first sort

all our sample firms by group numbers from 1 to 3, and then sort all firms within each

group by the audit fee increase variable in ascending order. Based on this order, we

calculate the fractional ranks for these firms and let the auditor response index be the

fractional rank value. According to our construction, a large index value represents a

more severe response from the auditor and vice versa.

We perform OLS regressions of the auditor response index over internal control

weaknesses and other control variables in Table 10. Consistent with our ordered logit

analyses, we exclude auditor dismissal firms and auditor resignation firms with modified

opinions, when we construct the auditor response index. Model 1 presents the regression

results using the ICW dummy variable. The coefficient on ICW is significant at the 1%

level, again suggesting the existence of pecking order. High leverage firms, large firms,

and Big 4 firms are more likely to trigger severe responses. The coefficient on ROA is

inconsistent with our prediction.

We replace ICW with ICWACCT and ICWCOMP in Model 2, and find that

ICWACCT and ICWCOMP are each significantly associated with this auditor response

index at the 1% level. The combined evidence from pecking order analyses in Models 1

34

and 2 suggests that auditors draw from a set of ordered strategies to manage client-related

control risk.

4.6. Robustness checks

(1) We perform all the analyses in Tables 2-3 and 5-10 for the 302 period in an

earlier version. While the results are somewhat weaker, they are very similar to

those reported in Tables 2-3 and 5-10.

For all models in Tables 3-6 and 9-10, we perform the following tests:

(2) We replace the ICW dummy with the number of internal control weaknesses.

(3) We replace total assets with either sales or market value of equity as of

December 31, 2004 as a measure of size.

(4) We include 44 non-accelerated filers in our analyses.

(5) We winsorize discretionary accruals, leverage, and return on assets at the 1%

and 99% levels to minimize the impact of extreme values.

(6) We exclude the industry dummy variables used in Tables 3-6 and 9-10.

In all these cases, our results are robust to these alternative specifications, adding

credence to our findings.

5. Conclusions

Using several measures of clients control risk based on their recent public

internal control disclosures under SOX 404, we study how auditors manage their client-

related risk. We find that there exists a pecking order among auditors strategies to

manage control risk resulting from internal control weaknesses. We first examine the

35

relations between internal control weaknesses and audit fee, audit fee increase, modified

opinion, and auditor resignation, respectively, and establish that these are viable

strategies to manage control risk on a stand-alone basis. When we investigate these

strategies simultaneously, descriptive evidence suggests that there exists a pecking order

among auditors client risk management strategies. Our ordered logit analyses confirm

that, as the clients control risk increases, auditors are likely to respond in the order of

audit fee adjustments, modified opinions, and auditor resignations. We further create an

index based on the severity of auditors responses, and find that the degree of control risk

is positively correlated with this auditor response index. Our comprehensive evidence

suggests that auditors use an array of ordered strategies to manage client-related control

risk.

36

Appendix Variable Definitions

Dependent variables: AUDFEE: Total audit fee NON-AUDFEE: Total non-audit fee TOTFEE: Total fee OPINION: 1 if the firm received a modified opinion (Audit opinion code is

between 2 and 5 for #149); 0 otherwise, following Bradshaw, Richardson, and Sloan (2001).

AUDCHG: 1 if the firm changed auditor; 0 otherwise RESIGNATION: 1 if the firms auditor resigned; 0 otherwise DISMISSAL: 1 if the firm dismissed its auditor; 0 otherwise INDEX: Auditor response index. Please see the text for details. Audit risk variables: ICW: 1 if the firm has internal control weaknesses; 0 otherwise ICWACCT: Account-specific weakness. 1 if the firm has weaknesses related to less

than three account-specific problems; 0 otherwise, following Doyle, Ge, and McVay (2007b).

ICWCOMP: Company-level weakness. 1 if the firm has either weaknesses related to ineffective control environment or management override in the disclosure or weaknesses related to at least three account-specific problems; 0 otherwise, following Doyle, Ge, and McVay (2007b).

DTACC: Residual from TOTACCi,t = 0(1/TAi,t-1) + 1(SALESi,t - ARi,t) / TAi,t-1 + 2(PPEi,t / TAi,t-1 ), following Kothari, Leone, and Wasley (2005). Note that TOTACC = [EBEI(#123) (CFO(#308) EIDO(#124))] / lagged total assets, following Hribar and Collins (2002); SALES is the change in a firms sales revenue (#12); AR is the change in accounts receivable (#2); PPE is gross property, plant, and equipment (#7); and TA is total assets (#6). The regression is estimated for firms in a given two-digit SIC code each year

Client business risk variables: LEV: Ratio of total debts, both short-term (#34) and long-term (#9), to total

assets (#6) ROA: Income before extraordinary items (#18) divided by average total

assets (#6) LOSS: 1 if the firm incurred losses (#172) in the current fiscal year; 0

otherwise ZSCORE Altman (1968) Z-Score measure of financial distress risk

37

Control variables: TA: Total assets (#6), in millions SALEGR: Sales growth is the difference in sales (#12) between year t and

year t-1 over sales (#12) in year t-1 BUS: Number of business segment (Compustat segment file) BIG4: 1 if the firms auditor is a Big4 (#149); 0 otherwise Change variables: AUDFEECG: Change in audit fee from the 302 period to the 404 period divided

by the audit fee in the 302 period ICWCG: Change in the ICW dummy variable from the 302 period to

the 404 period ICWCOMPCG: Change in the dummy variable for company-level material

weaknesses from the 302 period to the 404 period ICWACCTCG: Change in the dummy variable for account-specific material

weaknesses from the 302 period to the 404 period DTACCCG: Change in discretionary accruals from the 302 period to the

404 period divided by the discretionary accruals in the 302 period

LEVCG: Change in leverage from the 302 period to the 404 period divided by the leverage in the 302 period

ROACG: Change in return on assets from the 302 period to the 404 period divided by the return on assets in the 302 period

LOSSCG: Change in the LOSS dummy variable from the 302 period to the 404 period

ZSCORECG: Change in ZSCORE from the 302 period to the 404 period divided by the ZSCORE in the 302 period

TACG: Change in totals assets from the 302 period to the 404 period divided by the totals assets in the 302 period

SALEGRCG: Change in sales growth from the 302 period to the 404 period divided by the sales growth in the 302 period

Note: COMPUSTAT item numbers are in parentheses. The 302 period is for fiscal years ending between November 15, 2003 and December 14, 2004 during which firms were governed by SOX 302, and the 404 period is for fiscal years ending between November 15, 2004 and December 14, 2005 during which firms were governed by SOX 404. We require all variables (except for AUDCHG and the change variables) pertain to fiscal years ending between November 15, 2003 and November 14, 2004 for the 302 period, and to fiscal years ending from November 15, 2004 to December 14, 2005 for the 404 period. Since there is no fiscal year related to AUDCHG, the auditor change variable, we classify an auditor change into the 302 period, if the announcement was made between November 15, 2003 and November 14, 2004, and into the 404 period if the announcement was made between November 15, 2004 and November 14, 2005. The change variables capture the changes in these variables from the 302 period to the 404 period.

38

References

Altman, E., 1968. Financial ratios, discriminant analysis, and the prediction of corporate bankrupcy. Journal of Finance 23: 589609.

American Institute of Certified Public Accountants (AICPA). 1983. Audit Risk and

Materiality in Conducting an Audit. Statement on Auditing Standards No. 47. New York, NY: AICPA.

_____. 1988. Reports on Audited Financial Statements. Statement on Auditing Standards

No. 58. New York, NY: AICPA. _____. 1988. Communication of Internal Control Structure Related Matters Noted in an

Audit. Statement on Auditing Standards No. 60. New York, NY: AICPA. _____. 2006. Audit Risk and Materiality in Conducting an Audit. Statement on Auditing

Standards No. 107. New York, NY: AICPA. Arens, A., R. Elder and M. Beasley. 2006. Auditing and Assurance Services: An

Integrated Approach. Upper Saddle River, NJ: Prentice-Hall. Ashbaugh-Skaife, H., D. Collins, and W. Kinney. 2007. The discovery and consequences

of internal control deficiencies prior to SOX-mandated audits. Journal of Accounting and Economics, 44 (1-2): 166-192.

Ashbaugh-Skaife, D. Collins, W. Kinney, and R. LaFond. 2006. The effect of internal

control deficiencies on firm risk and cost of capital. Working Paper, University of Wisconsin, University of Iowa, University of Texas, and MIT.

_____. 2008. The effect of SOX internal control deficiencies and their remediation on

accrual quality. The Accounting Review 83 (1): 217-250. Asbaugh, H., R. LaFond and B. Mayhew. 2003. Do non-audit services compromise

independence? Further evidence. The Accounting Review 78 (2): 611-639. Bartov, E., F. Gul, and J. Tsui. 2000. Discretionary-accruals models and audit

qualifications. Journal of Accounting and Economics 30: 421-452. Becker, C., M. DeFond, J. Jiambalvo, and K. R. Subramanyam. 1998. The effect of audit

quality on earnings management. Contemporary Accounting Research 15 (1): 1-24 Bedard, J., and K. Johnstone. 2004. Earnings manipulation risk, corporate governance

risk, and auditors planning and pricing decisions. The Accounting Review 79: 277-304.

39

Bell, T., W. Landsman and D. Shackelford. 2001. Auditors perceived business risk and audit fees: Analysis and evidence. Journal of Accounting Research 39 (June): 35-44.

Blue Ribbon Committee (BRC). 1999. Report and Recommendations of the Blue Ribbon

Committee on Improving the Effectiveness of Corporate Audit Committees. Stamford, CT: BRC.

Blacconiere, W. G. and M. DeFond. 1997. An investigation of independent audit

opinions and subsequent independent auditor litigation of publicly-traded failed savings and loans. Journal of Accounting and Public Policy 16 (4): 415-454.

Bradshaw, M., S. Richardson, and R. Sloan. 2001. Do analysts and auditors use

information in accruals? Journal of Accounting Research 39 (1): 45-73. Butler, M., A. Leone, and M. Willenborg. 2004. An empirical analysis of auditor

reporting and its association with abnormal accruals. Journal of Accounting and Economics 37: 139-165.

Chang, J., and N. Hwang. 2003. The impact of retention incentives and client business

risks on auditors decisions involving aggressive reporting practices. Auditing: A Journal of Practice and Theory 22 (2): 207-218.

Chow, C., and S. Rice. 1982. Qualified audit opinions and auditor switching. The

Accounting Review 57: 326-335. Chung, H., and S. Kallapur. 2003. Client importance, non-audit services and abnormal

accruals. The Accounting Review 78 (4): 931-955. DeAngelo, L. 1981. Auditor independence, low balling, and disclosure regulation.

Journal of Accounting and Economics 3: 113-127. DeBerg, C., S. Kaplan, and K. Pany. 1991. An examination of some relationships

between non-audit services and auditor change. Accounting Horizons 5: 17-28. DeFond, M.L. and K.R. Subramanyam. 1998. Auditor changes and discretionary

accruals. Journal of Accounting and Economics 25 (February): 35-67. Doyle, J., W. Ge, and S. McVay. 2007a. Determinants of weakness in internal control

over financial reporting. Journal of Accounting and Economics, 44 (1-2): 193-223. _____. 2007b. Accruals quality and internal control over financial reporting. Accounting

Review, 82 (5): 1141-1170. Elder, R., and R. Allen. 2003. A longitudinal field investigation of auditor risk

assessments and sample size decisions. The Accounting Review 78 (4): 983-1002.

40

Ettredge, M., J. Heintz, C. Li, and S. Scholz. 2006. Auditor realignments accompanying implementation of SOX 404 reporting requirements. Working paper, University of Kansas.

Fama, E., and K. French. 1997. Industry cost of equity. Journal of Financial Economics 43 (2): 153-193.

Francis, J. 1984. The effect of audit firm size on audit prices: A study of the Australian market. Journal of Accounting and Economics 6 (2): 133-151.

Francis, J., and D. Stokes. 1986. Audit prices, product differentiation, and scale economies: Further evidence from the Australian audit market. Journal of Accounting Research 24 (2): 383-393.

Francis, J., and J. Krishnan. 1999. Accounting accruals and auditor reporting conservatism. Contemporary Accounting Research 16: 135-165.

Frankel, R., M. Johnson, and K. Nelson. 2002. The relation between auditors fees for non-audit services and earnings quality. The Accounting Review (Supplement): 71-105.

Ge, W., and S. McVay. 2005. The disclosure of material weaknesses in internal control

after the Sarbanes-Oxley Act. Accounting Horizon 19 (3): 137-158. Greene, W. 2000. Econometric Analysis. Upper Saddle River, NJ: Prentice-Hall Henniger, W.G. 2001. The association between auditor litigation and abnormal accruals.

The Accounting Review 76 (January): 111-126. Hertz, K. 2006. The impact of SOX on auditor resignations and dismissals. Working

paper, University of Washington. Hill, J., R. Ramsay, and D. Simon. 1994. Audit fees and client business risk during the

S&L Crisis: Empirical evidence and directions for future research. Journal of Accounting and Public Policy 13: 185-203.

Hogan, C., and M. Wilkins. 2008. Evidence on the audit risk model: Do auditors increase

audit effort in the presence of internal control deficiencies? Contemporary Accounting Research 25 (1): 219-242.

Hoitash, R., U. Hoitash, and J. Bedard. 2008. Internal Control Quality and Audit Pricing under the Sarbanes-Oxley Act. Auditing: A Journal of Practice and Theory 27 (1), 105-126. Hribar, P., and D. W. Collins. 2002. Errors in estimating accruals: Implications for

empirical research. Journal of Accounting Research 40 (1): 105-34. Johnstone, K. 2000. Client-acceptance decisions: Simultaneous effects of client business

risk, audit risk, auditor business risk, and risk adaptation. Auditing: A Journal of Practice and Theory 19 (1): 1-25.

41

Johnstone, K., and J. Bedard. 2003. Risk management in client acceptance decisions. The

Accounting Review 78 (4): 1003-1026. Johnstone, K.M., and J. C. Bedard. 2004. Audit firm portfolio management decisions.

Journal of Accounting Research 42 (4): 659-690. Kothari, S.P., A. Leone, and C. Wasley. 2005. Performance matched discretionary

accrual measures. Journal of Accounting and Economics 39 (1): 163-197.

Krishnan J. 2005. Audit committee quality and internal control: An empirical analysis. The Accounting Review 80 (2): 649-675.

Krishanan, J., and J. Krishnan. 1996. The role of economic trade-offs in the audit opinion decision: An empirical analysis. Journal of Accounting, Auditing, & Finance 11 (Fall): 565-586.

_____. 1997. Litigation risk and auditor resignations. The Accounting Review 72 (October): 539-560.

Landsman, W., K. Nelson, and B. Rountree. 2005. An empirical analysis of big N

auditor switches. Working paper, University of North Carolina, Chapel Hill. Lyon, J., and M. Maher. 2005. The importance of business risk in setting audit fees:

Evidence from cases of client misconduct. Journal of Accounting Research 43 (1): 133-151.

Ogneva, M., Subramanyam, K., and K. Raghunandun. 2007. Internal control weaknesses

and cost of equity: Evidence from SOX Section 404 disclosures. The Accounting Review 82 (5): 1255-1297.

Palmrose, Z. 1986. Audit fees and auditor size: Further evidence. Journal of

Accounting Research 24 (1): 97-110. Public Company Accounting Oversight Board (PCAOB), 2004. An Audit of Internal

Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. Auditing Standard No. 2. Washington, D.C.: PCAOB.

Raghunandan, K., and D. Rama. 2006. SOX Section 404 material weakness disclosures

and audit fees. Auditing: A Journal of Practice and Theory 25 (1): 99-114. Reynolds, K., and J. Francis. 2001. Does size matter? The influence of large clients on

office-level auditor reporting decisions. Journal of Accounting and Economics 30: 375-400.

Seetharaman, A., F. Gul, and S. Lynn. 2002. Litigation risk and audit fees: Evidence from

UK firms cross-listed on US markets. Journal of Accounting and Economics