Discussion of ‘‘Internal Control

Weaknesses and Client Risk

Management’’
AIYESHA DEY*

Randal Elder, Yan Zhang, Jian Zhou, and Nan Zhou (2009) study audi-
tors’ strategies to manage client risk resulting from internal control
weaknesses in the first year of The Sarbanes-Oxley Act (SOX) 404
implementation. They first examine the relation between internal control
weaknesses and audit fees, modified opinions, and auditor resignations,
respectively, and establish that these are viable strategies to manage
control risk on a stand-alone basis. They also document that that a
pecking order exists among auditors’ client control risk management
strategies—as control risk increases, auditors are likely to respond in
the order of audit fee adjustments, modified opinions, and auditor resig-
nations. The authors’ idea to look at a portfolio of decisions is an im-
portant step in the research in this area, and this approach can be
generalized to similar studies. However, certain aspects of the hypothe-
sis development and research design limit the authors’ ability to
adequately address their primary research objective.

1. Introduction
Randal Elder, Yan Zhang, Jian Zhou, and Nan Zhou (henceforth, EZZZ)
address a question that is timely and important to accounting researchers, practi-
tioners, and regulators, particularly in the post-Sarbanes-Oxley Act (SOX) era:
how do auditors manage their client risk? EZZZ study how auditors manage con-
trol risk resulting from internal control weaknesses. The authors first examine
the relation between internal control weaknesses and audit fees, modified opin-
ions, and auditor resignations, respectively. EZZZ document that firms with in-
ternal control weaknesses are charged higher audit fees, and the fees are higher
for the more severe company-level weaknesses, than the less severe account-
specific weaknesses. EZZZ also find that firms with internal control weaknesses
are more likely to be flagged with modified opinions and more likely to have
auditor resignations. These results are consistent with the evidence in the

*University of Chicago Booth School of Business

581
582 JOURNAL OF ACCOUNTING, AUDITING & FINANCE

literature on the relation between client-related risks and audit fees, modified
opinions, and auditor resignations.
The more interesting analysis in the paper is the authors’ examination of the
above methods from the point of view of a portfolio of client management strat-
egies. EZZZ infer from their findings that as client control risk increases, audi-
tors are likely to respond in the order of audit fee adjustments, modified
opinions, and auditor resignations. EZZZ conclude that auditors use an array of
ordered strategies to manage client control risk. This pecking-order analysis
relates to the general literature on audit firm portfolio management. EZZZ pro-
vide an important step in understanding how audit firms manage their client port-
folios in terms of adapting to client control risk. However, I have some
reservations about their hypotheses regarding the ordering of these strategies, and
on the validity of the inferences from the results. In the remainder of this docu-
ment, I discuss these issues with a focus on the pecking-order analysis, given that
this forms the primary contribution of this paper. I conclude by providing some
directions for future research on this topic.

2. The Client Risk Assessment Process

2.1 Pecking-Order Hypothesis
The authors hypothesize that as the level of control risk increases, auditors
respond in the order of (1) audit fee adjustments, (2) modified opinions, and
(3) auditor resignations. What remains to be established is whether this ordering
adequately reflects the stages in the client risk assessment process followed in
practice. Based on prior research as well as conversations with a few auditors, a
simplistic process of a typical audit firm’s client acceptance or retention policy
is outlined below (Bedard and Johnstone [2004]).
An audit firm’s emerging client portfolio will be based on an evaluation of
potential clients, continuing clients and discontinued clients. At the beginning of
a period or client portfolio management process, the audit firm assesses (or reas-
sesses) the audit risk and client business risk of a potential (or continuing) client
to determine whether to engage or continue a client (Stage 1). The auditor evalu-
ates both the client-related risks as well as the resources available to the audit
firm to conduct a thorough investigation of the client. If the client does not meet
the acceptable standards in terms of the related risks, or if the audit firm’s
resources are insufficient to audit this client, the auditor does not submit a bid
with a fee proposal to the new client (or resigns from the existing client). If the
client meets the standard, then the auditor submits a fee proposal to the client
(Stage 2). If the client does not accept the proposal, then as before the auditor is
not hired by the new client or resigns from an existing client. If the client
accepts the proposal, then in the next stage the auditor is hired (Stage 3). During
this period, the auditor performs the audit and reports the results and opinion to
the client. If the opinion is favorable, then that is published in the client’s
DISCUSSION OF ‘‘INTERNAL CONTROL WEAKNESSES’’ 583

reports. If the opinion is unfavorable, the client may still publish the opinion and
retain the auditor, or the client may disagree with the opinion that could result in
either the auditor resigning from the client firm or the client firm firing the audi-
tor. Figure 1 graphically depicts the various stages in the portfolio management
process.
Applying the above stages to the context of the paper, the auditor can resign
in Stage 1 of the client assessment process, if the client control risk is greater than
that acceptable by the audit firm. The audit firm may also resign (or not engage a
new client) in Stage 2 when the client does not accept an engagement fee that is
consistent with the associated risks. The auditor also may resign in the final stage
when the client and auditor disagree on the opinion. In other words, the auditor
resignation can occur even before a modified opinion or fee adjustment.
With respect to fee adjustments and modified opinions, the fee adjustment
takes place at the stage at which the audit firm has evaluated the risks and decided
on an appropriate engagement fee. The opinion is arrived upon at the end of the
period after the auditor has performed the audit. In other words, once the audit
firm engages a client, the audit fee and following opinion are consistent with the
level of control risk. Firms with higher levels of control risk are likely to have
higher audit fees as well as modified opinions, or if the firm remediates the inter-
nal control problem, then the opinion may be unqualified as well. The argument
for why the ordering between these decisions is necessarily increasing in the con-
trol risk is not well communicated in the paper. Overall, these points imply that
there likely is more to the client management process than the pecking-order
theory suggested by the authors.

FIGURE 1
Auditor Client Portfolio Management Decision
584 JOURNAL OF ACCOUNTING, AUDITING & FINANCE

2.2 Variation in Risk Assessment Criteria

EZZZ posit that internal control disclosures serve as a means of reassessing
client control risk. A crucial factor the authors ignore in this context is how this
assessment of risk differs across audit firms of different sizes. It is important to
consider audit firm size while examining the client risk assessment, as firms of
different sizes are likely to have different cost structures and different risk toler-
ance criterion. Prior research documents that large audit firms have a common
view of risk in the client engagement decision (Raghunandan and Rama [1999]).
Small audit firms also have been documented to be more likely to resign for cost
reasons—for instance, increased oversight and liability insurance costs are pri-
mary reasons for resignations. Given that audit firms of different sizes have dif-
ferent resources, it is plausible that the risk tolerance criterion of these firms will
differ and be reflected in the client management strategies.1
Next, EZZZ contend that in decisions related to client risk management,
auditors should focus on inherent risk and control risk, because these two compo-
nents equal the likelihood of error in clients’ accounts before the auditors’ test-
ing.2 However, the audit firm is likely to consider not only the level of risk it is
willing to take on in its portfolio, but also the resources it has available to be
able to conduct a through investigation of a client of a certain risk level. In other
words, detection risk is likely to factor into the audit firm’s client management
strategy as well. Given that detection risk is likely to be highly correlated with
auditor quality or size, this provides another reason to consider audit firm size
while developing client risk management hypotheses.
Finally, the risk assessment criterion for new and existing clients also may
be different, and audit firms are likely to process these two subgroups differently.
For instance, prior studies document that audit firms do not simply reject all
high-risk clients; decisions are made based on emerging portfolio of new and
existing clients (see Simunic and Stein [1990]; Francis and Reynolds [2002],
among others). In cases with existing clients, prior studies have argued that audit
firms prefer to resign rather than attempt to risk-adjust pricing with a client with
increased risks. It is suggested to be more rational behavior for the incumbent
auditor to resign the client and provide an opportunity for a different audit firm,
with different characteristics and less knowledge of the client, to perform the
engagement (Krishnan and Krishnan [1997]; Bockus and Gigler [1998]). There-
fore, the strategies adopted for managing client control risk are likely to differ
across new and existing clients.

1. There is evidence of a trend toward risk avoidance by audit firms over time, which is likely
to be heightened in the period after the scandals and SOX (Jones and Raghunandan [1998]). On the
other hand, some research documents large firms’ willingness to consistent or increasing amounts of
risk over time (Francis and Reynolds [2002]).
2. Inherent risk is risk that a material misstatement may occur in the client’s financial state-
ments in the absence of internal control procedures. Control risk is the risk that a material misstate-
ment in the client’s financial statements will not be detected and corrected by the client’s internal
control procedures.
DISCUSSION OF ‘‘INTERNAL CONTROL WEAKNESSES’’ 585

3. Some Empirical Issues

3.1 Measurement of Client Risk
Given the author’s objective, one of the key requirements that need to be
met in the empirical design is to capture the severity of client control risk. The
authors measure the presence of at least one internal control problem using a
dummy variable (ICW). To measure the severity of the internal control problem,
they further classify these weaknesses as company-level weaknesses (when the
weaknesses are related to ‘‘ineffective control environment’’ or ‘‘management
override’’ or to at least three account-specific problems, ICWCOMP) or account-
specific weaknesses (weaknesses related to fewer than three account-specific
weaknesses, ICWACCT). Although I understand the logic behind this argument,
it would be informative to know what accounts are considered under these
account-specific weaknesses. Some accounts are extremely complex and can be
considered to have more pervasive weaknesses (e.g., hedge accounting). In that
case, the authors may be classifying a potentially severe control weakness in the
less severe category. Also, it is not clear from the document how many of these
are ‘‘material weaknesses’’ and ‘‘significant deficiencies’’ as classified by SOX.
This classification is likely to be a better indication of severity.
The authors measure inherent risk of a client firm using discretionary
accruals. Accruals can reflect business practices in a given economy. Variables
like business complexity, firm size, growth, and governance structure (particu-
larly audit committee characteristics) are likely to better reflect the probability of
material misstatements. For client business risks, the authors use the measures le-
verage, return on assets, whether the firm makes a loss in the current year, and
the Altman Z-Score, which is a measure of financial distress. It would be inter-
esting to see how these characteristics are correlated with internal control weak-
nesses. This would indicate whether the ICW, ICWCOMP, and ICWACT
dummies are measuring ‘‘control risk’’ or certain other firm characteristics of
the clients that the audit firms are not equipped or willing to include in their
portfolio.

3.2 Selection Bias

Another important concern in this analysis is that of potential selection
bias. Prior research has shown that several characteristics related to a firm’s in-
herent risk are associated with internal control weaknesses, and these character-
istics are associated with such audit decisions as fees and modified opinions
(for instance, Bell, Landsman, and Shackelford [2001]; Ge and McVay [2005];
Doyle, Ge, and McVay [2007]). The current research design does not eliminate
the likelihood of self-selection, which makes it difficult to interpret the coeffi-
cients. This becomes more of a concern given the likelihood of a shift in risk
tolerance standards, and the possible aversion of audit firms toward certain
types of clients.
586 JOURNAL OF ACCOUNTING, AUDITING & FINANCE

3.3 Governance Controls

An important result in the literature is the effect of corporate governance
mechanisms on auditors’ decisions. Auditors are more likely to resign from
engagements for which they perceive that the probability of hidden audit risk is
high (Krishnan and Krishnan [1997]; Bockus and Gigler [1998]). Building on
this literature, Lee, Mande, and Ortman (2004) provide direct evidence on the
association between auditor resignation and audit committee and board character-
istics. Audit committees and boards perform a variety of tasks, including appoint-
ing the external auditors, overseeing management reporting practices, and
improving firms’ internal control systems. As a result, when firms have these
effective corporate governance mechanisms in place, auditors perceive that the
probability of hidden audit risk is lower and, thus, they are less likely to resign.
The authors do not consider client firms’ corporate governance environments,
but incorporating these in the research design would increase the credibility of
the results, particularly given that governance mechanisms are likely to be signif-
icantly related to audit firms’ client management decisions.

4. Conclusion
Notwithstanding the issues discussed above, the EZZZ paper studies an
interesting and timely research question. The idea to examine a portfolio of deci-
sions that audit firms make with respect to client acceptance or retention is com-
mendable. In particular, the evidence documented by EZZZ raises a number of
ideas for further analysis. One extension of this analysis is to examine how the
client risk management strategies of auditors have changed in the current regula-
tory environment, whether the change reflects risk avoidance, and whether such
avoidance methods violate public interest. Another avenue is the examination of
the role of competition among the big audit firms in affecting client acceptance
decisions in the current regulatory environment. A useful exercise is to model
the joint decision framework between auditors’ client acceptances and clients’
decisions on selecting auditors. Finally, one can investigate the implications of
post-SOX audit realignments and audit firm portfolio characteristics for audit
quality and, consequently, for standard-setting.

REFERENCES

Bedard, J. C., and K. M. Johnstone. 2004. ‘‘Audit Firm Portfolio Management Decisions.’’ Journal of
Accounting Research 42 (4): 659–690.
Bell, T. B., W. R. Landsman, and D. A. Shackelford. 2001. ‘‘Auditors’ Perceived Business Risk and
Audit Fees: Analysis and Evidence.’’ Journal of Accounting Research 39 (1): 35–43.
Bockus, K., and F. Gigler. 1998. ‘‘A Theory of Auditor Resignation.’’ Journal of Accounting
Research 36: 191–208.
Doyle, J., W. Ge, and S. McVay. 2007. ‘‘Determinants of Weakness in Internal Control over Finan-
cial Reporting.’’ Journal of Accounting and Economics 44 (1–2): 193–223.
Elder, R., Y. Zhang, J. Zhou, and N. Zhou. 2009. ‘‘Internal Control Weaknesses and Client Risk
Management.’’ Journal of Accounting, Auditing, and Finance, forthcoming.
DISCUSSION OF ‘‘INTERNAL CONTROL WEAKNESSES’’ 587
Francis, J. R., and J. K. Reynolds. 2002. ‘‘Do large Accounting Firms Screen Out Risky Audit Cli-
ents.’’ Working paper, University of Missouri.
Ge, W., and S. McVay. 2005. ‘‘The Disclosure of Material Weaknesses in Internal Control after the
Sarbanes-Oxley Act.’’ Accounting Horizons 19 (3): 137–158.
Jones, F. L., and K. Raghunandan. 1998. ‘‘Client Risk and Recent Changes in the Market for Audit
Services.’’ Journal of Accounting and Public Policy 17: 169–81.
Krishnan, J., and J. Krishnan. 1997. ‘‘Litigation Risks and Auditor Resignations.’’ The Accounting
Review 72: 539–560.
Lee, H. Y., V. Mande, and R. Ortman. 2004. ‘‘The Effect of Audit Committee and Board of Director
Independence on Auditor Resignation.’’ Auditing: A Journal of Practice & Theory 23 (2):
131–146.
Raghunandan, K., and D. Rama. 1999. ‘‘Auditor Resignations and the Market for Audit Services.’’
Auditing: A Journal of Practice and Theory 18: 124–134.
Simunic, D. A., and M. T. Stein. 1990. ‘‘Audit Risk in a Client Portfolio Context.’’ Contemporary
Accounting Research 6: 329–40.
Copyright of Journal of Accounting, Auditing & Finance is the property of Greenwood Publishing and its
content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's
express written permission. However, users may print, download, or email articles for individual use.