Internal Control Weaknesses and Client Risk Management Randal Elder Yan Zhang Jian Zhou and Nan Zhou∗ August 08 by svs20989

VIEWS: 0 PAGES: 55

Weaknesses of a Management document sample

More Info
									         Internal Control Weaknesses and Client Risk Management



                   Randal Elder, Yan Zhang, Jian Zhou, and Nan Zhou∗




                                          August 08, 2008




∗
  Randal Elder is from Syracuse University (rjelder@syr.edu); Yan Zhang is from SUNY – Binghamton
(yzhang@binghamton.edu); Jian Zhou is from SUNY – Binghamton (jzhou@binghamton.edu); Nan Zhou
is from HKUST and SUNY − Binghamton (acnan@ust.hk). We thank Jean Bedard, Denise Dickins, Weili
Ge, Karla Johnstone, Ryan LaFond, Clive Lennox, and especially an anonymous reviewer for detailed and
insightful suggestions that have significantly improved the paper. We also thank workshop participants at
the 2007 American Accounting Association (AAA) Annual Meeting, the 2007 AAA Auditing Midyear
Meeting, the 2007 International Conference on Accounting and Finance at Xiamen University, the 2006
Annual Conference on Financial Economics and Accounting at Georgia State University, the 2006 HKUST
Summer Symposium on Accounting Research, Hofstra University, SUNY − Binghamton, SUNY –
Buffalo, Syracuse University, and Zhejiang University for helpful comments.
             Internal Control Weaknesses and Client Risk Management


                                         Abstract


         We study auditors’ client risk management in the first year of SOX 404
implementation, and find that there exists a pecking order among auditors’ strategies to
manage control risk resulting from internal control weaknesses. We first examine the
relations between internal control weaknesses and audit fee, audit fee increase, modified
opinion, and auditor resignation, respectively, and establish that these are viable
strategies to manage control risk on a stand-alone basis. When we investigate these
strategies simultaneously, descriptive evidence suggests that there exists a pecking order
among auditors’ client risk management strategies. Our ordered logit analyses document
that, as the clients’ control risk increases, auditors are likely to respond in the order of
audit fee adjustments, modified opinions, and auditor resignations. We further create an
index based on the severity of auditors’ responses, and find that the degree of control risk
is positively correlated with this auditor response index. Our comprehensive evidence
suggests that auditors use an array of ordered strategies to manage client-related control
risk.


Key Words: Internal control weaknesses; Client risk management; Audit fee and audit
opinion; Auditor resignation

JEL Classification: M42
               Internal Control Weaknesses and Client Risk Management


1. Introduction

        The Sarbanes-Oxley Act (SOX) of 2002 has changed the regulatory landscape for

the accounting profession, especially for auditors of public companies. The Public

Company Accounting Oversight Board (PCAOB) was created to monitor auditors’ work

directly. In addition, conflicts of interest are prohibited and civil- and criminal liabilities

are imposed for any violations. Consequently, SOX has substantially increased legal

liability for accountants. Before SOX, auditors would typically face liability only after a

client collapsed, but now they face significant legal consequences for any violations of

SOX. For example, a failure in PCAOB inspection could result in suspension or

termination of an auditor’s registration status, without which the auditor is prohibited

from performing audits of public companies. In an extreme case, an accountant could be

sentenced to 20 years for willfully destroying or altering documents (Wegman, 2005).

        In this paper, we study how auditors manage control risk resulting from internal

control weaknesses. Since auditors now assume greater risk when performing audits of

public companies in this post-SOX era, such focus on client risk management has added

significance for public accounting firms. Specifically, client-related risk can be classified

into audit risk and client business risk. SAS No. 107 (AICPA, 2006) decomposes audit

risk into three components: inherent risk, control risk, and detection risk.1 In decisions

related to client risk management, auditors should focus on inherent risk and control risk,




1
 SAS No. 107 (AICPA, 2006) also defines combined inherent risk and control risk as the risk of significant
misstatement in the financial statements. SAS No. 107 replaced SAS No. 47 (AICPA, 1983) which first
defined the audit risk model and its components.


                                                    1
because these two components equal the likelihood of error in clients’ accounts prior to

the auditors’ testing (Elder and Allen, 2003).

        Information on a client’s control risk was not publicly available on a large scale

prior to the enactment of SOX.2 However, this has been dramatically changed, because

SOX has two sections specifically focusing on internal control disclosures. Effective for

all public firms for their fiscal years ending on or after August 29, 2002, Section 302

(SOX 302) requires a firm’s management to disclose significant internal control

deficiencies when they certify quarterly or annual financial statements. Section 404

(SOX 404) has two provisions. Section 404(a) requires management to provide an

assessment of internal control, and Section 404(b) requires auditors to provide an opinion

on management’s assessment. An accelerated filer must comply with SOX 404 for its

first fiscal year ending on or after November 15, 2004; a non-accelerated filer must

comply with SOX 404(a) for its first fiscal year ending on or after December 15, 2007,

and SOX 404(b) for its first fiscal year ending on or after December 15, 2009.3

        One integral part of our analyses is to assess how auditors adjust their audit fees

in response to the changes in their assessments of control risk. We thus focus on the first

year of SOX 404 implementation, an external shock forcing internal control disclosures.

This setting enables us to obtain a large number of firms that are newly identified with

internal control weaknesses under SOX 404, enhancing the power of our test.4 Since

firms would adapt to this new reporting regime of internal control after the first year, the

2
  Prior to SOX, firms were only required to disclose their internal control problems in 8-Ks when they
changed auditors. SAS No. 60 required that the auditor communicate internal control deficiencies to the
client’s audit committee. However, these communications were not generally publicly available (Krishnan,
2005).
3
  Accelerated filers are public firms with an equity market capitalization of more than $75 million.
4
  14% of our sample firms are identified with internal control weaknesses in the first year of SOX 404
implementation, whereas only 4% of our sample firms are identified with such weaknesses in the year prior
to SOX 404 implementation.


                                                   2
number of firms with changes in internal control opinions would be small in subsequent

years.

           Specifically, we name the first year of SOX 404 implementation as the 404

period, restricting it to fiscal years ending between November 15, 2004 and November

14, 2005 to be consistent with SOX 404. We define the 302 period similarly and restrict

it to fiscal years ending between November 15, 2003 and November 14, 2004. We find

that auditors use an array of strategies to manage client-related risk in the 404 period.

Interestingly, there exists a pecking order among auditors’ strategies to manage control

risk resulting from internal control weaknesses. As the level of control risk increases,

auditors respond by adjusting audit fees, issuing modified opinions, and resigning from

clients.

           We first examine the relations between internal control weaknesses and audit fee,

audit fee increase, modified opinion, and auditor resignation, respectively. We find that

firms with internal control weaknesses are charged higher audit fees. When we separate

internal control weaknesses into company-level weaknesses and account-specific

weaknesses, we find that the audit fee premium for company-level weaknesses is

significantly higher than that for account-specific weaknesses. Compared with account-

specific weaknesses, company-level weaknesses are more extensive and pervasive and

thus more difficult to address in the audit. During the transition from the 302 period to

the 404 period, firms newly identified with internal control weaknesses under SOX 404

are encumbered with greater audit fee increases. Moreover, we find that firms with

internal control weaknesses are more likely to be flagged with a modified opinion.

Finally, we find that auditor resignations are more likely for firms with internal control




                                               3
weaknesses. Based on these findings, we establish that audit fee adjustments, modified

opinions, and auditor resignations are viable strategies to manage control risk on a stand-

alone basis.

       When we investigate these strategies simultaneously, descriptive evidence

suggests that there exists a pecking order among auditors’ client risk management

strategies. Our ordered logit analyses document that, as the clients’ control risk

increases, auditors are likely to respond in the order of audit fee adjustments, modified

opinions, and auditor resignations. We further create an index based on the severity of

auditors’ responses, and find that the degree of control risk is positively correlated with

this auditor response index. Our combined evidence suggests that auditors use an array

of ordered strategies to manage client-related control risk.

       Our paper is related to the growing literature on internal control problems. One

strand of the literature focuses on the determinants of internal control problems.

Krishnan (2005) finds that audit committee independence and financial expertise are

associated with internal control problems before the enactment of SOX, and Zhang,

Zhou, and Zhou (2007) find that audit committee financial expertise is related to internal

control weaknesses after the enactment of SOX. Ge and McVay (2005) and Doyle, Ge,

and McVay (2007a) find that internal control weaknesses are more likely for firms that

are smaller, less profitable, more complex, growing rapidly, or undergoing restructuring.

Ashbaugh-Skaife, Collins, and Kinney (2007) find that firms with more complex

operations, recent changes in organization structure, more accounting risk exposure, and

less investment in internal control systems are more likely to disclose internal control

deficiencies. The other strand of the literature focuses on the consequences of internal



                                              4
control problems. Doyle, Ge, and McVay (2007b) and Ashbaugh-Skaife, Collins,

Kinney, and LaFond (2008) find that firms with internal control problems tend to have

lower accruals quality. Ashbaugh-Skaife, Collins, Kinney, and LaFond (2006) and

Ogneva, Subramanyam, and Raghunandan (2007) show that internal control deficiencies

are positively related to firm risk and cost of equity capital. Our finding that internal

control weaknesses are an important determinant of auditors’ client risk management

strategies adds to the latter strand of literature.

        Our paper is also related to research papers that study either the relation between

internal control problems and audit fees or the relation between internal control problems

and auditor turnover. Using internal client evaluation data from a public accounting firm,

Bedard and Johnstone examine audit risk factors in three studies of auditors’ client risk

management strategies prior to the enactment of SOX. Specifically, Johnstone and

Bedard (2003) study client acceptance, Johnstone and Bedard (2004) study client

dismissal, and Bedard and Johnstone (2004) study planned audit hours and billing rates.

Using internal control disclosures required under SOX, several contemporaneous papers

look at some aspects of the issues we examine. Raghunandan and Rama (2006), Hogan

and Wilkins (2008), and Hoitash, Hoitash and Bedard (2008) find that audit fees are

associated with internal control weaknesses; Hertz (2006) and Ettredge, Heintz, Li, and

Scholz (2006) find that auditor resignation is associated with internal control

weaknesses.5 Different from these papers that examine either audit fee or auditor

turnover on a stand-alone basis, our paper views audit fee, audit opinion, and auditor

resignation as a portfolio of strategies at the disposal of auditors in managing client-


5
 Ashbaugh-Skaife, Collins, and Kinney (2007) find that auditor resignations are associated with internal
control deficiencies prior to the enactment of SOX 404.


                                                    5
related risk, and establishes that there is a pecking order among these risk management

strategies. This pecking order evidence is new to the literature. In addition, we

document the relation between audit opinion and internal control weaknesses, a result

absent in the aforementioned papers.

         The rest of the paper is organized as follows. Section 2 discusses the background

and proposes the hypotheses. Section 3 explains the data and describes the sample

selection procedures. Section 4 presents the empirical results. Section 5 concludes the

paper.



2. Background and hypotheses

2.1. Disclosure on internal control

         SOX emphasizes internal control, which is defined as "a process, effected by an

entity's board of directors, management and other personnel, designed to provide

reasonable assurance regarding the achievement of objectives," according to the COSO

framework.6 Under Securities Exchange Commission (SEC) Release No. 33-8124

(August 29, 2002), SOX 302 requires management to disclose significant deficiencies in

internal control when they certify quarterly or annual financial statements. Specifically,

the signing officers, responsible for internal control, have evaluated these internal

controls within the previous ninety days and reported in their findings: (1) a list of all

deficiencies in the internal controls and information on any fraud that involves employees



6
 COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission, which
undertook an extensive study of internal control to establish a common definition that would serve the
needs of companies, independent public accountants, legislators, and regulatory agencies, and to provide a
broad framework of criteria against which companies could evaluate the effectiveness of their internal
control systems. COSO published its Internal Control -- Integrated Framework in 1992.


                                                     6
who are involved with internal activities; (2) any significant changes in internal controls

or related factors that could have a negative impact on the internal controls. 7

         Under SEC Release No. 33-8238 (June 5, 2003), Section 404(a) requires

management to provide an assessment of internal control, and Section 404(b) requires

auditors to provide an opinion on management’s assessment. Specifically, issuers are

required to disclose information concerning the scope and adequacy of the internal

control structure and procedures for financial reporting in their annual reports. This

statement shall also include an assessment of the effectiveness of such internal controls

and procedures. The registered auditing firm shall, in the same report, attest to and report

on the effectiveness of the internal control structure and procedures for financial

reporting. While an accelerated filer must comply with SOX 404 for its first fiscal year

ending on or after November 15, 2004 under SEC Release No. 33-8392 (February 24,

2004), a non-accelerated filer must comply with SOX 404(a) – management’s assessment

requirement – for its first fiscal year ending on or after December 15, 2007 under SEC

Release No. 33-8760 (December 5, 2006), and SOX 404(b) – the auditor’s attestation

requirement – for its first fiscal year ending on or after December 15, 2009 under SEC

Release No. 33-8934 (June 26, 2008).8


7
  The actual implementation of SOX 302 is different from the original rules stated here. Ashbaugh-Skaife,
Collins, and Kinney (2007) argue that the reporting of internal control problems under SOX 302 is
voluntary, whereas Doyle, Ge, and McVay (2007a) find that the actual SOX 302 disclosures tend to stress
the changes in internal control.
8
  In SEC Release No. 33-8238 (June 5, 2003), an “accelerated filer”, defined in the original Exchange Act
Rule 12b-2, referred to a U.S. company that has equity market capitalization over $75 million and has filed
an annual report with the SEC. According to SEC Release No. 33-8618 (September 22, 2005), prior to
December 1, 2005, “accelerated filer” status did not directly affect a foreign private issuer filing its annual
reports on Form 20-F or 40-F, even though the definition of “accelerated filer” did not expressly exclude
foreign private issuers by its terms. After December 1, 2005, a foreign private issuer meeting the
accelerated filer definition, and filing its annual report on Form 20-F or Form 40-F, became subject to the
internal control reporting requirements under SOX. SEC Release No. 33-8644 (December 21, 2005)
amended the Exchange Act Rule 12b-2 definition of an “accelerated filer” to create a new category of
accelerated filer, the “large accelerated filer,” for issuers with equity market value of $700 million or more,


                                                       7
2.2. Client-related risk

         Client-related risk can be classified into audit risk and client business risk. Audit

risk is the risk that the auditor will fail to draw attention to a material misstatement,

deficiency, abuse, or other unacceptable matter in an audit, and thus issue an incorrect

audit opinion, whereas client business risk is “the risk that the client’s economic

condition will deteriorate in either the short term or long term” (Johnstone, 2000).

         SAS No. 107 (AICPA, 2006) decomposes audit risk into three components:

inherent risk, control risk, and detection risk. Inherent risk is the perceived level of risk

that a material misstatement may occur in a client’s financial statements in the absence of

internal control procedures. Control risk is the perceived level of risk that a material

misstatement in the client’s financial statements will not be detected and corrected by

management’s internal control procedures. Detection risk is the perceived level of risk

that a material misstatement in the client’s financial statements will not be detected by the

auditor. Because inherent risk and control risk equal the likelihood of error in clients’

accounts prior to the auditors’ testing (Elder and Allen, 2003), we focus on these two

components of audit risk, as they are most relevant to the auditors’ client risk

management decisions.



2.3. Conceptual framework

         Johnstone and Bedard (2003) propose a conceptual model of client acceptance.

An auditor evaluates a client’s audit risk and business risk and the associated audit fee

and re-defined the term “accelerated filer” to include an issuer with equity market value of $75 million or
more, but less than $700 million. A complete list of SOX 404 compliance dates for various types of firms
is summarized in a table on page 10 of SEC Release No. 33-8934 (June 26, 2008).


                                                     8
from the engagement.9 When the risk/return is at an acceptable level, the auditor prices

audit risk and client business risk into the audit fee; when the risk/return is at an

unacceptable level, the auditor abandons the high-risk client.

         We extend the Johnstone and Bedard model and propose a framework of client

risk management. In this framework, we consider three client risk management

strategies: (1) audit fee adjustments, (2) modified opinions, and (3) auditor resignations.

(1) and (3) are from Johnstone and Bedard (2003), and (2) is from Krishnan and Krishnan

(1996) and Blacconiere and DeFond (1997) who find that auditors are more likely to

issue modified opinions or going-concern opinions for firms with higher litigation risk or

bankruptcy risk. We further propose that there exists a pecking order among an auditor’s

responses to client-related risk. When the risk is low, the auditor responds by increasing

the audit fee; when the risk is intermediate, the auditor responds by issuing a modified

opinion; when the risk is high, the auditor responds by resigning from the client.



2.4. Hypothesis development

         We develop our hypotheses around our conceptual framework. We first focus on

individual strategies, and try to establish that they are viable strategies to manage risk on

a stand-alone basis. We then consider the strategies simultaneously and try to establish

that there exists a pecking order among these strategies.




9
  In addition to audit risk and client business risk, Johnstone and Bedard also discuss auditor business risk,
which is defined as “the risk that the auditor firm will suffer loss resulting from the engagement,” and
measure it with a dummy variable, which is equal to one if a client is a public company, and zero if a client
is a private company. We do not consider auditor business risk in our study since our sample includes only
public companies, although we note that whether a company is public is not the only source of auditor
business risk.


                                                      9
        The extant literature on client risk management largely focuses on client business

risk and related legal liability risk. The relation between audit fee and client business risk

is well-documented. For example, Hill, Ramsey, and Simon (1994) find that client

business risk is positively related to audit fees in the savings and loan industry from 1983

to 1988. Bell, Landsman, and Shackelford (2001) find that high business risk increases

the number of audit hours, but not the fee per hour. Seetharaman, Gul, and Lynn (2002)

find that U.K. auditors charge higher fees for their services when their clients access

U.S.-, but not non-U.S., capital markets, suggesting that audit fees reflect differences in

litigation risk across different liability regimes.

        Recently, Ashbaugh-Skaife, Collins, Kinney, and LaFond (2006) find that firms

with internal control deficiencies have higher idiosyncratic risk. The higher the

idiosyncratic risk, the more likely a firm will experience a large drop in stock price,

which typically triggers shareholder class-action lawsuits. This suggests that firms with

internal control weaknesses have additional exposure to litigation risk, and are more

likely to inflict damages to their auditors’ reputation. Because auditor reputation is used

as an important collateral to ensure high-quality audits (DeAngelo, 1981), auditors have

incentives to either increase the audit fee to take this idiosyncratic risk into account or

withdraw from such clients, if the increase in audit fee cannot justify the increase in risk.

        Although audit risk factors are found to be more important in audit firm portfolio

management decisions than are financial risk factors (Johnstone and Bedard, 2004), few

studies on client risk management examine the audit risk factors, because proxies for

such variables were not publicly available. Using internal client evaluation data from a

public accounting firm, Johnstone and Bedard (2003, 2004) and Bedard and Johnstone




                                               10
(2004) examine audit risk factors when they study auditors’ client risk management

strategies. In particular, Bedard and Johnstone (2004) find that planned audit personnel

hours and planned hourly billing rates are higher for firms with weak internal controls.

Because the product of planned audit personnel hours and planned hourly billing rates is

equal to total audit fee, we have the following hypothesis.

       Hypothesis 1: Audit fees are higher for firms with internal control weaknesses
          than for firms without such weaknesses.

       Although audit fees are destined to increase substantially for all accelerated filers

due to SOX 404 compliance, firms with internal control weaknesses are expected to

experience greater audit fee increases, because auditors will conduct more testing and

spend more resources to manage the control risk to acceptable levels for these firms.

Thus, we propose the following hypothesis.

       Hypothesis 2: Audit fee increases are greater for firms newly identified with
          internal control weaknesses in the 404 period.

       We are afforded with a unique opportunity to test Hypothesis 2, because of our

focus on the first year of SOX 404 implementation. As a self-reporting system by

management, SOX 302 does not require supporting documentation or independent

examination. On the contrary, SOX 404 requires both documentation and independent

auditor examination. Because auditors need to perform independent testing of internal

controls under SOX 404, we expect that audit fees under the SOX 404 regime will be

greater than audit fees under the SOX 302 regime. Because firms are subject to outside

scrutiny from independent auditors under SOX 404, we expect that more firms will be

identified with internal control weaknesses as they transition from the SOX 302 regime to

the SOX 404 regime. For these firms who are newly identified with internal control




                                             11
weaknesses, we expect them to experience a greater increase in audit fees, because of the

extra risk and additional testing related to internal control weaknesses.

        In addition to charging firms with internal control weaknesses higher audit fees,

auditors can also manage clients’ internal control risk by exercising more caution and

issuing modified opinions to such firms. Following Bradshaw, Richardson, and Sloan

(2001), we define modified audit opinion as an indicator variable that takes a value of

zero for a standard unqualified opinion and a value of one for any other modified opinion,

including qualified, adverse, or unqualified with explanatory language.10 Krishnan and

Krishnan (1996) find that auditors are more likely to issue modified opinions for firms

with higher litigation risk, and Blacconiere and DeFond (1997) find that auditors render

going-concern reports to the savings and loans that are most likely to fail ex ante.

Moreover, Francis and Krishnan (1999), Bartov, Gul, and Tsui (2000), and Bradshaw,

Richardson, and Sloan (2001) find that modified audit opinions are influenced by

earnings management, though Butler, Leone, and Willenborg (2004) argue that the

documented relation between modified opinions and abnormal accruals in these papers

rests only with companies with going-concern opinions or under financial distress. Since

these findings indicate that audit opinions are sensitive to various sources of risk, we

propose the following hypothesis.

        Hypothesis 3: Auditors are more likely to issue modified opinions for firms with
           internal control weaknesses than for firms without such weaknesses.




10
  COMPUSTAT has six codes for the audit opinion: 0 = unaudited, 1 = unqualified, 2 = qualified opinion,
3 = no opinion, 4 = unqualified with explanatory language, and 5 = adverse. We do not have any firm with
an audit opinion code of zero in our sample.


                                                  12
         Risk reduction is often the reason for auditor resignation.11 Krishnan and

Krishnan (1997) find that litigation risk motivates auditors to resign from their clients.

Shu (2000) finds that auditor resignation is positively related to increased client legal

exposure. Johnstone and Bedard (2003) find that client acceptance likelihood is reduced

in the presence of audit risk, client business risk, and auditor business risk; Johnstone and

Bedard (2004) find that riskier clients are dropped from an audit firm’s client portfolio

and newly accepted clients are less risky than the auditor’s continuing clients. Therefore,

we have the following hypothesis.

         Hypothesis 4: Auditors are more likely to resign from firms with internal control
            weaknesses than from firms without such weaknesses.

         If Hypotheses 1-4 are confirmed, we will be able to establish that audit fee

adjustments, modified opinions, and auditor resignations are viable strategies to manage

control risk on a stand-alone basis. We are interested in learning whether there is a

pecking order among an auditor’s responses to client-related risk. Following our

conceptual framework, we hypothesize that the severity of the auditor response is

increasing in control risk. Specifically, we have the following hypothesis.

         Hypothesis 5: As the level of control risk increases, auditors respond in the order
            of (1) audit fee adjustments, (2) modified opinions, and (3) auditor
            resignations.

         SOX offers us a unique opportunity to study auditors’ client risk management

strategies using public information and test the above hypotheses, because the internal

control disclosures provide us with a standardized and objective measure of control risk,

a key component of audit risk. In our study of auditors’ client risk management


11
  We focus only on auditor resignation, since auditor dismissal is initiated by a client and hence not a tool
for an auditor to reduce risk. Our results on auditor resignation are robust when we control for auditor
dismissal in our multinomial logit analyses in Table 6.


                                                     13
strategies, we focus on this newly available public information on internal control. Our

proxy measures for firm control risk include an internal control weakness indicator

variable and the type of internal control weakness.



3. Sample and methodology

3.1. Sample selection

        We retrieve SOX 404 internal control disclosures, audit fees, and auditor changes

from AuditAnalytics, the Altman Z-Scores from Research Insight, and the rest of the

variables from COMPUSTAT. The internal control dataset provided by AuditAnalytics

covers all SEC registrants who have disclosed their assessments of internal controls over

financial reporting in electronic filings since November 2004. The data have been

principally extracted from the following form types: 10-K, 10-K/A, 20-F and 40-F.

        Table 1 describes the sample selection procedures. The sample firms consist of

those with internal control information and other necessary variables for our 404 period

with fiscal years ending between November 15, 2004 and November 14, 2005.12 There

were 3,737 firm SEC filings on internal control between November 1, 2004 and

December 31, 2005 in AuditAnalytics.13 After excluding 181 firms not in

COMPUSTAT,14 we exclude 105 foreign firms, 71 subsidiaries, and 149 mutual funds,

trusts, and Real Estate Investment Trusts. We also exclude 26 firms without information

12
   We require that the internal control variables and other variables pertain to fiscal years ending from
November 15, 2004 to November 14, 2005. Since there is no fiscal year related to the auditor change
variable, we classify an auditor change into the 404 period if the announcement was made between
November 15, 2004 and November 14, 2005.
13
   We exclude 6 duplicate observations.
14
   AuditAnalytics only provides ticker symbols for sample firms. We retrieve the Cusip information for our
sample firms from COMPUSTAT. We first merge our initial sample with COMPUSTAT by the ticker
symbol, and hand-adjust any incorrect matches. We then manually search through COMPUSTAT to locate
the Cusip information for firms without ticker symbols or firms that cannot be matched to COMPUSTAT
by the ticker symbol.


                                                   14
on market value of equity, since we need such information to determine whether a firm is

an accelerated filer. We further exclude firms without audit related information in

AuditAnalytics and other necessary information in COMPUSTAT for fiscal years ending

between November 15, 2004 and November 14, 2005. Specifically, we exclude three

firms with missing SOX 404 internal control disclosures, two firms with missing

information on audit fee, 29 firms with missing necessary information for computing

leverage, sales growth, or return-on-assets, 380 firms with missing audit opinions, 274

firms with missing Z-Scores, and 167 firms with missing necessary information in

computing discretionary accruals. We further exclude 44 non-accelerated filers whose

equity market capitalizations were less than $75 million at the end of the most recently

completed second fiscal quarter before their fiscal years ending between November 15,

2004 and November 14, 2005. Our final sample consists of 2,306 firms.



3.2. Methodology

        Following our conceptual framework and hypotheses, we model an auditor’s

response to risk as a function of control risk, inherent risk, client business risk, and a set

of control variables. When we study auditors’ strategies on a stand-alone basis in the first

part of our analyses, the auditor’s response takes the form of audit fee, audit fee change,

modified opinion, and auditor resignation. When we study auditors’ strategies on a

combined-basis in the second part of our analyses, the auditor’s response draws from a

portfolio of strategies in the order of audit fee adjustment, modified opinion, and auditor

resignation, depending on different risk levels.




                                              15
        Control risk is the perceived level of risk that a material misstatement in a client’s

financial statements will not be detected and corrected by the management’s internal

control procedures. We use two measures of internal control weaknesses to capture this

concept. The first is an internal control weakness dummy variable (ICW) which is equal

to one if a firm is identified with at least one internal control weakness, and the second is

a pair of dummy variables capturing account-specific weaknesses (ICWACCT) and

company-level weaknesses (ICWCOMP), respectively. Specifically, we follow the

classification scheme in Doyle, Ge, and McVay (2007b, pg. 1148-49 and 1167) to code

weaknesses into these two mutually exclusive categories. ICWCOMP, the dummy

variable for company-level weaknesses is equal to one if the firm has either weaknesses

related to “ineffective control environment” or “management override” in the disclosure

or weaknesses related to at least three account-specific problems; ICWACCT, the dummy

variable for account-specific weaknesses, is equal to one if the firm has weaknesses

related to less than three account-specific problems.15 Based on this construction, we can

see that company-level weaknesses represent more extensive or pervasive offenses, and

account-specific weaknesses represent less extensive or pervasive offenses. In other

words, company-level weaknesses are more severe and pose more audit difficulties.

        We control for inherent risk, a component of audit risk. Following previous

literature such as Xie, Davidson, and DaDalt (2003), we use discretionary accruals

(DTACC) to measure financial reporting quality, and hence inherent risk. We further

control for client business risk. Since client business risk is “the risk that the client’s

economic condition will deteriorate in either the short term or long term” (Johnstone,


15
  AuditAnalytics lists the number of internal control weaknesses and summarizes the nature of these
different weaknesses.


                                                   16
2000), we control for leverage (LEV), return on assets (ROA), loss (LOSS) (Johnstone

and Bedard, 2003 and 2004; Francis, Reichelt, and Wang, 2005), and the Altman Z-Score

(ZSCORE) (Reynolds and Francis, 2001; Ashbaugh-Skaife, Collins, and Kinney, 2007).

LEV is the ratio of total debts to total assets, ROA is income before extraordinary items

divided by average total assets, LOSS is an indicator variable that is equal to one if there

is a loss in the current year, and ZSCORE is used to measure financial distress with a

lower Z-Score indicating greater distress risk (Altman, 1968).



4. Empirical results

4.1. Univariate analyses

         Table 2 provides the variable means and medians for all firms, ICW firms and

non-ICW firms, respectively. In addition, it also provides the mean and median

comparisons of the variables for ICW firms and non-ICW firms. 14.3% of sample firms

disclose internal control weaknesses, including 10.5% with account-specific weaknesses

and 3.8% with company-level weaknesses. In addition, 32% of sample firms have

modified audit opinions and 1.9% have auditor resignations. The mean (median) audit

fee is $2,322,920 ($1,209,190), and the mean (median) audit fee change from the 302

period to the 404 period is $1,132,693 (656,400).16 The mean (median) firm size

measured by total assets is $3,366 ($600) million.

         The implementation of SOX 404 leads to a substantial increase in the audit fee.

For example, Advanced Micro Devices Inc. disclosed the following in its 2005 proxy

statement.

16
   The mean (median) non-audit fee change from the 302 period to the 404 period is -146,007 (-22,000).
This results from the SOX provisions that limit an auditor’s ability to provide non-audit services to its audit
clients.


                                                      17
       Audit fees of Ernst & Young LLP during the 2004 and 2003 fiscal
       years were associated with the annual audit of our consolidated
       financial statements, statutory audits required internationally,
       reviews of our quarterly reports filed with the Securities and
       Exchange Commission and fees related to other regulatory filings.
       In addition, in 2004, audit fees included those fees related to
       Ernst & Young LLP's audit of the effectiveness of the Company's
       internal control pursuant to Section 404 of the Sarbanes-Oxley
       Act. Audit fees for 2004 were $10.4 million, $7 million of which
       were Sarbanes-Oxley Act Section 404 fees. Audit fees for 2003
       were $2.6 million.

As we can see, the SOX 404 fee is $7 million for Advanced Micro Devices, resulting in a

300% increase in the audit fee. Without the SOX 404 fee, the audit fee would have been

$3.4 million, representing a more modest increase of 31% over that in 2003.

       The mean (median) audit fee for ICW firms is higher than that for non-ICW

firms. The difference becomes significant after we control for size in our multivariate

analysis in Table 3. The median audit fee increase for ICW firms is significantly greater

than that for non-ICW firms. Modified opinions were received by 46% of the ICW firms

and 29% of the non-ICW firms. The difference between these two groups is significant

at the 1% level, implying that auditors are more likely to flag ICW firms with modified

opinions. Auditors resigned from 8.8% of the ICW firms, compared to 1% of the non-

ICW firms. The difference between these two groups is significant at the 1% level,

suggesting that ICW is related to auditor resignation. For example, Myers Industries Inc.

disclosed that it received the resignation from Ernst & Young on April 13, 2005, and

hired KPMG as its new auditor on June 9, 2005. The following is an excerpt from its 8-K

filed on June 9, 2005.

       As disclosed in the Company's Form 10-K/A filed on May 2, 2005,
       management concluded that the Company's disclosure controls and
       procedures were not effective as of December 31, 2004 due to
       material weaknesses identified in the business segment reporting
       process, the financial statement close process and the income tax
       process. E&Y issued an adverse opinion on the effectiveness of
       internal controls over financial reporting because of these
       material weaknesses as of December 31, 2004.



                                            18
We analyze the relation between auditor resignation and internal control weaknesses

more rigorously in Table 6.

       For both mean and median, ICW firms tend to have significantly poorer

performance, higher distress risk and smaller total assets. They are also significantly

more likely to incur a loss and use non-Big 4 auditors. Our univariate results on ROA,

LOSS, and firm size are consistent with those in Ge and McVay (2005) and Doyle, Ge,

and McVay (2007a), as they find that internal control weaknesses are more likely for

firms that are smaller and less profitable.



4.2. Audit fee and internal control weaknesses

4.2.1. Audit fee

       We use the Ordinary Least Square (OLS) model to test the relation between audit

fee and internal control weaknesses in Table 3. Specifically, we model the natural

logarithm of audit fee (AUDFEE) as a function of audit risk (control risk and inherent

risk), client business risk, and a set of control variables. Equation (1) presents the

specifications for Model 1 that uses an ICW dummy. All variable definitions are in the

Appendix. For firm i in year t,


          LOG ( AUDFEE ) it = β 0 + β 1 ICW it + β 2 DTACC it + β 3 LEV it + β 4 ROAit + β 5 LOSS it + β 6 ZSCORE it
                                                                              15
          + β 7 LOG (TA ) it + β 8 SALEGR it + β 9 LOG ( BUS ) it + β 10 BIG 4 + ∑ INDUSTRY +ε it                (1)
                                                                              j =11




       We expect the coefficient on ICW to be positive, because a firm with weak

internal controls has a greater amount of risk and thus requires more testing from its

auditor (Arens, Elder, and Beasley, 2006). For example, for any significant account or



                                                             19
any phase of financial operations in which controls are weak, the auditors need to expand

the nature and extent of their tests of the account balances. Moreover, part of the audit

fee is the SOX 404 fee, which will certainly be higher when a weakness exists. Because

auditors expend more resources for firms with internal control weaknesses, they need to

charge higher audit fees to cover their additional costs.

       We control for other sources of client-related risk. We use discretionary accruals

(DTACC) to measure financial reporting quality and thus proxy for the firm’s inherent

risk. We expect that the audit fee is positively related to discretionary accruals, as

auditors will charge higher audit fees for firms with poor financial reporting quality. We

use leverage (LEV), return on assets (ROA), loss (LOSS), and Z-Score (ZSCORE) to

capture client business risk. Consistent with Francis, Reichelt, and Wang (2005), we

expect firms with high leverage (LEV), losses (LOSS), and poor performance (ROA) to

pay higher audit fees. We also expect that low Z-Score firms to pay higher audit fees.

       We further control for other variables related to the audit fee variable. We expect

that audit fees will be higher for large clients and thus control for size, measured as the

natural logarithm of total assets (TA). Since prior studies show that the former Big 8

firms are able to charge a premium for their perceived high-quality services (e.g., Francis,

1984; Francis and Stokes, 1986; and Palmrose, 1986), we introduce a Big 4 dummy

variable (BIG4), indicating whether a firm is audited by a Big 4. Following Francis,

Reichelt, and Wang (2005), we control for the natural log of the number of business

segments (BUS), as audit fees will be higher for clients with complex operations. Audit

fees may also be related to sales growth (SALEGR), which is equal to the change in sales

divided by the sales in the previous year. On the one hand, firms with strong sales




                                             20
growth are expected to pay higher fees, since there is more demand for audit work. On

the other hand, firms with strong sales growth are expected to pay lower fees, since these

firms are performing well and pose less risk for auditors. Therefore, the sign for the

coefficient on sales growth is ambiguous.

         Finally, following Johnstone and Bedard (2003) and Francis, Reichelt, and Wang

(2005), we control for industry effects based on the Fama and French (1997) 48-industry

classification. We set the cutoff points at five percent of total observations and introduce

the industry dummies for computers, retail, pharmaceutical products, electronic

equipment, and business services to our regression models in Tables 3-6 and 9-10. The

coefficients on these dummy variables are not reported in Tables 3-6 and 9-10 for the

sake of brevity.17

         Consistent with Hypothesis 1, we find that audit fees are significantly higher for

ICW firms at the 1% level.18 Bedard and Johnstone (2004) find that planned audit

personnel hours and planned hourly billing rates are significantly higher for firms with

weak internal controls. Since the product of planned audit personnel hours and planned

hourly billing rates is equal to the total audit fee, our results are consistent with those in

Bedard and Johnstone (2004). For client risk variables, audit fees are significantly

smaller for high ROA firms, and greater for firms with losses and high distress risk.

However, the coefficients on LEV are negative, contrary to our expectation. For control

variables, audit fees are significantly higher for large firms, firms with a large number of

business segments, and Big 4 clients.


17
   We later report in the robustness check section that our results are similar to those reported in Tables 3-6
and 9-10 if we exclude these industry dummy variables from our regression models.
18
   In unreported tests, we do not find any relation between non-audit fees and ICW, suggesting that ICW, a
measure of control risk, is priced only into the audit fee.


                                                      21
       We replace ICW with ICWACCT and ICWCOMP in Model 2, and find that the

coefficients on ICWACCT and ICWCOMP are significantly positive at the 1% level.

The coefficient on ICWCOMP is significantly larger than that on ICWACCT, suggesting

that auditors charge greater audit fees for company-level weaknesses, the more severe

type of offenses, than for account-specific weaknesses, the less severe type of offenses.

We will elaborate on this point in the next paragraph.

       We further measure the economic significance of our results. Following prior

literature, such as Lyon and Maher (2005), we estimate an audit fee premium associated

with an ICW indicator variable to be (e a − 1) , where a is the coefficient on the ICW

indicator variable. Since the coefficient on the ICW indicator variable is 0.33 in Model 1,

the audit fee premium for ICW firms over non-ICW firms is 39.1%. The premium’s

magnitude appears to be in line with the findings in prior studies. For example,

Seetharaman, Gul, and Lynn (2002) find that the audit fee premium for U.K. companies

listed on U.S. stock exchanges is 20%; Lyon and Maher (2005) find that the audit fee

premium for firms that reported payments of bribes is 43%.

       We use the coefficients on ICWACCT and ICWCOMP from Model 2, and find

that the audit fee premium for account-specific weaknesses is 31.0%, and that for

company-level weaknesses is 64.9%. By testing the difference between the coefficient

on ICWACCT and that on ICWCOMP in Model 2 (Greene, 2000; pg. 284), we find that

the audit fee premium for company-level weaknesses is significantly higher than that for

account-specific weaknesses at the 1% level. Our result is consistent with the finding in

Doyle, Ge, and McVay (2007b) that accruals quality is affected by company-level

weaknesses rather than by account-specific weaknesses. Consequently, auditors charge



                                            22
greater audit fees for company-level weaknesses to compensate for the risk associated

with poor accruals quality.



4.2.2. Audit fee change

         In this section, we study how auditors adjust their audit fees in response to the

changes in their risk assessments. We use the Ordinary Least Square (OLS) model to test

the relation between audit fee change and change in internal control weakness opinions in

Table 4. Specifically, we model audit fee change as a function of changes in audit risk

(control risk and inherent risk), change in client business risk, and change in a set of

control variables in Equation (2). For firm i in year t,

         AUDFEECG it = β 0 + β 1 ICWCG it + β 2 DTACCCG it + β 3 LEVCG it + β 4 ROACG it + β 5 LOSSCG it
                                                                           14
         + β 6 ZSCORECG it + β 7TACG it + β 8 SALEGRCG it + β 9 BUSCG it + ∑ β j INDUSTRY + ε it   ( 2)
                                                                           j =10




         ICWCG used in Model 1 is a variable representing the change in internal control

weakness opinions from the 302 period to the 404 period. Because AuditAnalytics

contains only SOX 404 internal control disclosures, we use the internal control dataset

compiled by Doyle, Ge, and McVay (2007b) for the 302 period.19 The dependent

variable is the audit fee change (AUDFEECG), the difference in audit fee between the

302 period and the 404 period divided by the audit fee for the 302 period. We define

other independent variables used in Table 4 in a similar fashion and provide the details in

the Appendix. The sample size for Table 4 is 2,189, because we need auditing and


19
  Available at either Weili Ge’s Website at Washington or Sarah McVay’s website at Utah. For the 302
period, we start with the Doyle, Ge, and McVay (2007b) dataset, and make sure that the internal control
disclosures are for fiscal years or fiscal quarters ending between November 15, 2003 and November 14,
2004 by searching through the SEC filings. If an observation is from 8-K, we require that the 8-K filing
date is between November 15, 2003 and November 14, 2004. We then read through the excerpts of internal
control disclosures in their dataset and, in many instances, the original disclosures in 10-K, 10-Q, or 8-K to
code the number of weaknesses and the types of weaknesses.


                                                         23
financial information for both the 302 period and the 404 period. From our sample of

2,306 firms, we first exclude 38 firms with missing auditing and financial information in

the 302 period. We then exclude one outlier (Tetra Technologies Inc with a leverage

change of 7,286), based on the standard SAS procedure in our regression analyses. We

finally exclude 76 firms with zero leverage and two firms with zero sales growth in the

302 period, because we cannot calculate changes for these variables.

        Confirming Hypothesis 2, we find that audit fee increases are greater for firms

newly identified with internal control weaknesses in the 404 period.20 The coefficient on

ICWCG in Model 1 is significantly positive at the 1% level. Because auditors need to

perform independent testing of internal controls under SOX 404, audit fees in the 404

period ($2.3 million on average) are significantly higher than those in the 302 period

($1.2 million on average). Because firms are subject to outside scrutiny from

independent auditors under SOX 404, significantly more firms are identified with ICW in

the 404 period (14%) than those in the 302 period (4%). During the transition from the

SOX 302 regime to the SOX 404 regime, we find that firms newly identified with ICW

experience a greater increase in audit fees, because of the ICW related risk and additional

testing. For other variables, the coefficients on LOSSCG and TACG are significantly

positive. LOSSCG is a change in the LOSS indicator variable, and TACG is the change

in total assets divided by the total assets in the 302 period. Our results thus suggest that

firms will experience an audit fee increase, if they turn from a profit situation in the 302




20
  We have 43 sample firms that are identified with internal control weaknesses in the 302 period and with
no such weaknesses in the 404 period. The interpretation would be reversed for these firms.


                                                   24
period to a loss situation in the 404 period or if they grow in size from the 302 period to

the 404 period.21

         We replace ICWCG with similarly defined ICWACCTCG and ICWCOMPCG in

Model 2. The coefficient on ICWCOMPCG is larger than that on ICWACCTCG,

indicating that the audit fee increase is greater for firms newly identified with company-

level weaknesses than for those newly identified with account-level weaknesses. Again,

a larger increase in audit fees is used to compensate for the exposure to a greater level of

risk.



4.3. Modified audit opinion and internal control weaknesses

         We use the logit model to test the relation between modified audit opinion and

internal control weaknesses in Table 5. Specifically, we model modified audit opinion as

a function of audit risk (control risk and inherent risk), client business risk, and a set of

control variables. Equation (3) presents the specifications for Model using an ICW

dummy. The modified audit opinion variable (OPINION) is equal to one, if the firm’s

audit opinion code is between 2 and 5, and zero otherwise. All other variable definitions

are in the Appendix. For firm i in year t,


     OPINION   it   = β 0 + β 1 ICW it + β 2 DTACC   it   + β 3 LEV it + β 4 ROA it + β 5 LOSS it
                                                                                     14
     + β 6 ZSCORE    it   + β 7 LOG (TA ) it + β 8 SALEGR    it   + β 9 BIG 4 it +   ∑β
                                                                                     j =10
                                                                                             j   INDUSTRY + ε it   ( 3)




21
  Our results in Table 4 remain unchanged when we add four dummy variables to capture the different
types of auditor changes among the Big 4 and non-Big 4 auditors. These four dummy variables represent
auditor changes from a Big 4 to another Big 4, a Big 4 to a non-Big 4, a non-Big 4 to a Big 4, and a non-
Big 4 to another non-Big 4.


                                                          25
       Since auditors are more likely to issue modified opinions for firms with high

litigation risk (Krishnan and Krishnan, 1996) or render going concern opinions for firms

with bankruptcy risk, we hypothesize that ICW firms are more likely to be flagged with

modified audit opinions than non-ICW firms. We control for discretionary accruals

(DTACC), a proxy for inherent risk. While Francis and Krishnan (1999), Bartov, Gul,

and Tsui (2000), and Bradshaw, Richardson, and Sloan (2001) suggest that modified

audit opinions are influenced by earnings management, Butler, Leone, and Willenborg

(2004) find that the documented relation between modified opinions and abnormal

accruals in these papers rests only with firms with going-concern opinions. We further

control for leverage (LEV), return on assets (ROA), loss (LOSS), and Z-Score

(ZSCORE) to capture the impact of client business risk. We expect that firms with high

leverage, losses, and low Z-Scores are more likely to receive modified opinions, whereas

firms with high return on assets are less likely to receive modified opinions. Finally, we

control for size (LOG(TA)) and sales growth (SALEGR).

       We find that ICW firms are significantly more likely to be flagged with modified

audit opinions than non-ICW firms. The marginal effect indicates that an ICW firm has a

21.8% increase in the likelihood of receiving a modified opinion. The coefficient on

discretionary accruals is insignificant. This is consistent with Butler, Leone, and

Willenborg (2004) who find that modified opinions are not influenced by discretionary

accruals for firms without going concern opinions, because the super majority of our

sample firms does not have going concern opinions according to AuditAnalytics. In

addition, high leverage firms and high distress risk, as well as large firms, are more likely

to be flagged with modified opinions.




                                             26
        We replace ICW with ICWACCT and ICWCOMP in Model 2 and find similar

results. Interestingly, the coefficient on ICWCOMP is smaller than that on ICWACCT.

The marginal effects indicate that a firm with account-specific weaknesses has a 23.2%

increase in the likelihood of receiving a modified opinion and that a firm with company-

level weaknesses has a 19.0% increase in the likelihood of receiving such an opinion.

Given that modified opinions tend to be based on account-related issues, auditors likely

do not have the latitude to provide modified opinions to larger issues, such as “tone at the

top.”22 Thus, auditors are more likely to issue modified opinions to firms with the less

severe account-specific weaknesses, suggesting that auditors use the modified opinion

strategy when they are exposed to a lower level of risk.23



4.4. Auditor resignation and internal control weaknesses

        We study the relation between auditor resignation and internal control weaknesses

in Table 6. Since auditor turnover can be initiated by either the auditor or the client, we

control for auditor dismissal, and perform a multinomial logit regression analysis that

permits separate coefficient estimates for auditor dismissal and auditor resignation by

using firms without auditor changes as the reference group.

        Johnstone and Bedard (2004) identify audit risk and client business risk as

determinants of audit firm portfolio management decisions. We are particularly

interested in the internal control aspect of audit risk. Since ICW firms are likely to have

greater audit risk than non-ICW firms, we expect that audit firms are more likely to stop


22
  We thank an anonymous referee for this insight.
23
  Table 6 finds that auditors are more likely to tender their resignations to firms with the more severe
company-level weaknesses. Table 8 presents further evidence that auditors tend to use different strategies
to manage different levels of control risk.


                                                    27
serving those ICW firms, due to risk avoidance. We control for other sources of client-

related risk and include discretionary accruals (DTACC). Again, auditors are more likely

to resign from clients with high discretionary accruals, so as to avoid risk. We use

leverage (LEV), return on assets (ROA), loss (LOSS), and Z-Score (ZSCORE) to capture

client business risk. Consistent with the argument for DTACC, auditors are more likely

to resign from clients with high leverage, losses, and low Z-Scores. We expect that

auditors are less likely to shy away from high ROA firms (Johnstone and Bedard, 2004).

         Following Johnstone and Bedard (2004), we include the natural logarithm of audit

fee as a control variable in our logit model. Audit firms are less likely to resign from

clients, if audit fees are large. Following Landsman, Nelson, and Rountree (2005), we

include two other control variables. We control for the natural logarithm of size (TA)

and predict that auditor resignations are less likely for large firms, because DeAngelo

(1981) argues that large clients incur higher costs of auditor changes. We also control for

sales growth (SALEGR) because high growth clients may face higher litigation risk

(Stice, 1991). However, we do not provide a directional prediction on this variable.

         Model 1 presents the results from the multinomial logit regressions using the ICW

dummy variable. The choice variables are auditor resignation, auditor dismissal, and

continuous auditor appointment, respectively. Auditor resignation (RESIGNATION) is

one if a firm’s auditor resigned from the firm, and auditor dismissal (DISMISSAL) is one

if a firm dismissed its auditor.24 We find that auditor resignations are significantly more

likely for ICW firms, confirming Hypothesis 4. The marginal effect indicates that an


24
   Auditor dismissal is introduced as a control. Our results on auditor dismissal are consistent with the prior
literature on audit opinion shopping (Chow and Rice, 1982; Smith, 1986). When we run logit regressions
using auditor resignation as the only choice variable, our results on auditor resignation are similar to those
reported in Table 6.


                                                     28
ICW firm has a 3.2% increase in the likelihood to experience auditor resignation. Our

result on auditor resignation is consistent with that in Bedard and Johnstone (2004), as

they find that clients with control risk are more likely to be classified in the auditor’s

discontinued client portfolio. In both periods, we find that auditor resignations are

significantly less likely for large firms and more likely for loss firms. While the

coefficient on audit fee is not significant, the coefficient on ROA is positive, contrary to

our expectation.

        We replace ICW with ICWACCT and ICWCOMP in Model 2, and find that the

coefficients on ICWACCT and ICWCOMP are significantly positive at the 1% level. In

particular, the coefficient on ICWCOMP is larger than that on ICWACCT. The marginal

effects indicate that a firm with account-specific weaknesses has a 1.9% increase in the

likelihood to experience auditor resignation and a firm with company-level weaknesses

has a 9.5% increase in the likelihood to experience auditor resignation. Auditor

resignations are more likely for firms with the more severe company-level weaknesses,

suggesting that auditors use the resignation strategy when they are exposed to a higher

level of risk.



4.5. Pecking order analyses

4.5.1. Descriptive analyses

        In the previous sections, we have established that audit fee adjustments, modified

opinions, and auditor resignations are viable strategies on a stand-alone basis. We now

study these strategies simultaneously. Table 7 presents the Pearson correlations for

internal control weakness variables and auditor response strategies. The sample size is




                                              29
2,163 for Tables 7-10. Since we focus on auditors’ responses to control risk, we exclude

131 auditor dismissal firms from the full sample of 2,306 firms. We then exclude one

firm with missing audit fee information in the 302 period. We finally exclude 11 auditor

resignation firms with modified opinions, because these opinions may be issued by their

replacement auditors.

        ICW is significantly related to increasing audit fees (FEECHG), issuing modified

opinions (OPINION), and tendering auditor resignations (RESIGN). Interestingly,

ICWACCT is significantly correlated with FEECHG and OPINION, but ICWCOMP is

significantly correlated to FEECHG and RESIGN. While auditors increase audit fees for

all types of weaknesses, they tend to use resignations for the more severe company-level

weaknesses and issue modified opinions for the less severe account-specific weaknesses.

These findings suggest that there is a pecking order among auditors’ risk management

strategies.

        The correlation between FEECHG and OPINION is significantly negative at the

5% level, suggesting that FEECHG and OPINION may be substitutes. We also examine

the 297 ICW firms from the sample of 2,163 firms used in Tables 7-10, and classify them

into one group with modified opinions and another group without modified opinions.

Out of these 297 ICW firms, the average audit fee increase for 132 firms with modified

opinions is 173% and that for 165 firms without modified opinions is 203%. These

findings provide additional evidence that FEECHG and OPINION may be substitutes.

Since firms who resign from the clients no longer assess audit fees and issue opinions, the

correlations between RESIGN and FEECHG and between RESIGN and OPINION are

not applicable.




                                            30
        We follow the preliminary findings in Table 7 and further investigate whether

auditors’ risk management strategies have a pecking order of audit fee adjustments,

modified opinions, and auditor resignations. We first sort our sample into three mutually

exclusive groups: (1) firms with no auditor resignations and no modified opinions, (2)

firms with modified opinion but no auditor resignations, and (3) firms with auditor

resignations.25 We refer to Group 1 as the Fee Adjustment Group and assign a value of 1,

Group 2 as the Modified Opinion Group and assign a value of 2, and Group 3 as the

Resignation Group and assign a value of 3. Note that 3 is the most severe response,

whereas 1 is the least severe response.

        Table 8 presents the descriptive evidence by comparing the proportion of internal

control weaknesses, including account-specific weaknesses and company-level

weaknesses, for each strategy group. ICW are found in 9.8% of the firms in Group 1,

19.8% of the firms in Group 2, and 61.8% of the firms in Group 3. There is an increasing

trend in the proportion of ICW firms from Group 1 to Group 3. The difference between

Groups 2 and 1 and that between Groups 3 and 2 are significant at the 1% level,

suggesting that there is a pecking order in client risk management strategies. Auditors

are likely to raise audit fees when dealing with a portfolio of clients with low control risk

on average, issue modified opinions when dealing with a portfolio of clients with

intermediate control risk on average, and tender their resignations when dealing with a

portfolio of clients with high control risk on average.

        We further separate ICW into ICWACCT and ICWCOMP. Over 74%

(0.073/0.098) of ICW firms in the Fee Adjustment Group and 80% (0.159/0.198) of such


25
  As we discuss in the following paragraph, we exclude 11 auditor resignation firms with modified
opinions, because these opinions may be issued by their replacement auditors.


                                                   31
firms in the Modified Opinion Group have account-specific weaknesses, whereas 71%

(0.441/0.618) of ICW firms in the Resignation Group have company-level weaknesses.

These findings again suggest that there exists a pecking order in auditors’ client risk

management strategies. Auditors tend to increase audit fees and issue modified opinions

to manage control risk resulting from the less severe account-specific weaknesses and use

resignations to manage control risk resulting from the more severe company-level

weaknesses. This message is consistent with our findings in Tables 5 and 6, adding

credence to our results.



4.5.2. Ordered logit analyses

       Table 9 employs the ordered logit regression. The auditor response as a dependent

variable is assigned a value of 1 for the Fee Adjustment Group, 2 for the Modified

Opinion Group, and 3 for the Resignation Group. Model 1 presents the results from the

ordered logit regressions using the ICW dummy variable. The coefficient on ICW is

significant at the 1% level. Because the auditor attestation requirement in SOX 404

exposes auditors to control risk, auditors manage this risk by using a set of ordered

strategies. Loss firms and high distress risk firms, as well as large firms, are more likely

to trigger severe responses. The sign for the coefficient on ROA is contrary to our

prediction.

       We replace ICW with ICWACCT and ICWCOMP in Model 2, and find the

coefficients on ICWACCT and ICWCOMP to be significantly positive. Thus, our

combined evidence from Models 1 and 2 suggests that there exists a pecking order among

auditor’s client risk management strategies. As the clients’ control risk increases,




                                             32
auditors are likely to respond in the order of audit fee adjustments, modified opinions,

and auditor resignations.



4.5.3. Auditor response index

       We follow the group classification schedule in Section 4.5.1, and create an index

based on the severity of auditors’ responses. Groups 1, 2, and 3 are the audit fee

adjustment, modified opinion, and auditor resignation groups, respectively. We first sort

all our sample firms by group numbers from 1 to 3, and then sort all firms within each

group by the audit fee increase variable in ascending order. Based on this order, we

calculate the fractional ranks for these firms and let the auditor response index be the

fractional rank value. According to our construction, a large index value represents a

more severe response from the auditor and vice versa.

       We perform OLS regressions of the auditor response index over internal control

weaknesses and other control variables in Table 10. Consistent with our ordered logit

analyses, we exclude auditor dismissal firms and auditor resignation firms with modified

opinions, when we construct the auditor response index. Model 1 presents the regression

results using the ICW dummy variable. The coefficient on ICW is significant at the 1%

level, again suggesting the existence of pecking order. High leverage firms, large firms,

and Big 4 firms are more likely to trigger severe responses. The coefficient on ROA is

inconsistent with our prediction.

       We replace ICW with ICWACCT and ICWCOMP in Model 2, and find that

ICWACCT and ICWCOMP are each significantly associated with this auditor response

index at the 1% level. The combined evidence from pecking order analyses in Models 1




                                             33
and 2 suggests that auditors draw from a set of ordered strategies to manage client-related

control risk.



4.6. Robustness checks

        (1) We perform all the analyses in Tables 2-3 and 5-10 for the 302 period in an

        earlier version. While the results are somewhat weaker, they are very similar to

        those reported in Tables 2-3 and 5-10.

        For all models in Tables 3-6 and 9-10, we perform the following tests:

        (2) We replace the ICW dummy with the number of internal control weaknesses.

        (3) We replace total assets with either sales or market value of equity as of

        December 31, 2004 as a measure of size.

        (4) We include 44 non-accelerated filers in our analyses.

        (5) We winsorize discretionary accruals, leverage, and return on assets at the 1%

        and 99% levels to minimize the impact of extreme values.

        (6) We exclude the industry dummy variables used in Tables 3-6 and 9-10.

        In all these cases, our results are robust to these alternative specifications, adding

credence to our findings.



5. Conclusions

        Using several measures of clients’ control risk based on their recent public

internal control disclosures under SOX 404, we study how auditors manage their client-

related risk. We find that there exists a pecking order among auditors’ strategies to

manage control risk resulting from internal control weaknesses. We first examine the




                                              34
relations between internal control weaknesses and audit fee, audit fee increase, modified

opinion, and auditor resignation, respectively, and establish that these are viable

strategies to manage control risk on a stand-alone basis. When we investigate these

strategies simultaneously, descriptive evidence suggests that there exists a pecking order

among auditors’ client risk management strategies. Our ordered logit analyses confirm

that, as the clients’ control risk increases, auditors are likely to respond in the order of

audit fee adjustments, modified opinions, and auditor resignations. We further create an

index based on the severity of auditors’ responses, and find that the degree of control risk

is positively correlated with this auditor response index. Our comprehensive evidence

suggests that auditors use an array of ordered strategies to manage client-related control

risk.




                                              35
                                       Appendix
                                  Variable Definitions

Dependent variables:

AUDFEE:      Total audit fee
NON-AUDFEE:  Total non-audit fee
TOTFEE:      Total fee
OPINION:     1 if the firm received a modified opinion (Audit opinion code is
             between 2 and 5 for #149); 0 otherwise, following Bradshaw,
             Richardson, and Sloan (2001).
AUDCHG:      1 if the firm changed auditor; 0 otherwise
RESIGNATION: 1 if the firm’s auditor resigned; 0 otherwise
DISMISSAL:   1 if the firm dismissed its auditor; 0 otherwise
INDEX:       Auditor response index. Please see the text for details.

Audit risk variables:

ICW:              1 if the firm has internal control weaknesses; 0 otherwise
ICWACCT:          Account-specific weakness. 1 if the firm has weaknesses related to less
                  than three account-specific problems; 0 otherwise, following Doyle,
                  Ge, and McVay (2007b).
ICWCOMP:          Company-level weakness. 1 if the firm has either weaknesses related
                  to “ineffective control environment” or “management override” in the
                  disclosure or weaknesses related to at least three account-specific
                  problems; 0 otherwise, following Doyle, Ge, and McVay (2007b).
DTACC:            Residual from TOTACCi,t = β0(1/TAi,t-1) + β1(ΔSALESi,t - ΔARi,t) /
                  TAi,t-1 + β2(PPEi,t / TAi,t-1), following Kothari, Leone, and Wasley
                  (2005). Note that TOTACC = [EBEI(#123) – (CFO(#308) –
                  EIDO(#124))] / lagged total assets, following Hribar and Collins
                  (2002); ΔSALES is the change in a firm’s sales revenue (#12); ΔAR is
                  the change in accounts receivable (#2); PPE is gross property, plant,
                  and equipment (#7); and TA is total assets (#6). The regression is
                  estimated for firms in a given two-digit SIC code each year

Client business risk variables:

LEV:              Ratio of total debts, both short-term (#34) and long-term (#9), to total
                  assets (#6)
ROA:              Income before extraordinary items (#18) divided by average total
                  assets (#6)
LOSS:             1 if the firm incurred losses (#172) in the current fiscal year; 0
                  otherwise
ZSCORE            Altman (1968) Z-Score measure of financial distress risk




                                           36
Control variables:

TA:                       Total assets (#6), in millions
SALEGR:                   Sales growth is the difference in sales (#12) between year t and
                          year t-1 over sales (#12) in year t-1
BUS:                      Number of business segment (Compustat segment file)
BIG4:                     1 if the firm’s auditor is a Big4 (#149); 0 otherwise

Change variables:

AUDFEECG:                 Change in audit fee from the 302 period to the 404 period divided
                          by the audit fee in the 302 period
ICWCG:                    Change in the ICW dummy variable from the 302 period to
                          the 404 period
ICWCOMPCG:                Change in the dummy variable for company-level material
                          weaknesses from the 302 period to the 404 period
ICWACCTCG:                Change in the dummy variable for account-specific material
                          weaknesses from the 302 period to the 404 period
DTACCCG:                  Change in discretionary accruals from the 302 period to the
                          404 period divided by the discretionary accruals in the 302
                          period
LEVCG:                    Change in leverage from the 302 period to the 404 period
                          divided by the leverage in the 302 period
ROACG:                    Change in return on assets from the 302 period to the 404
                          period divided by the return on assets in the 302 period
LOSSCG:                   Change in the LOSS dummy variable from the 302 period to
                          the 404 period
ZSCORECG:                 Change in ZSCORE from the 302 period to the 404 period
                          divided by the ZSCORE in the 302 period
TACG:                     Change in totals assets from the 302 period to the 404 period
                          divided by the totals assets in the 302 period
SALEGRCG:                 Change in sales growth from the 302 period to the 404 period
                          divided by the sales growth in the 302 period

Note:
COMPUSTAT item numbers are in parentheses. The 302 period is for fiscal years ending between
November 15, 2003 and December 14, 2004 during which firms were governed by SOX 302, and the 404
period is for fiscal years ending between November 15, 2004 and December 14, 2005 during which firms
were governed by SOX 404. We require all variables (except for AUDCHG and the change variables)
pertain to fiscal years ending between November 15, 2003 and November 14, 2004 for the 302 period, and
to fiscal years ending from November 15, 2004 to December 14, 2005 for the 404 period. Since there is no
fiscal year related to AUDCHG, the auditor change variable, we classify an auditor change into the 302
period, if the announcement was made between November 15, 2003 and November 14, 2004, and into the
404 period if the announcement was made between November 15, 2004 and November 14, 2005. The
change variables capture the changes in these variables from the 302 period to the 404 period.




                                                  37
                                       References

Altman, E., 1968. Financial ratios, discriminant analysis, and the prediction of corporate
 bankrupcy. Journal of Finance 23: 589–609.

American Institute of Certified Public Accountants (AICPA). 1983. Audit Risk and
 Materiality in Conducting an Audit. Statement on Auditing Standards No. 47. New
 York, NY: AICPA.

_____. 1988. Reports on Audited Financial Statements. Statement on Auditing Standards
  No. 58. New York, NY: AICPA.

_____. 1988. Communication of Internal Control Structure Related Matters Noted in an
  Audit. Statement on Auditing Standards No. 60. New York, NY: AICPA.

_____. 2006. Audit Risk and Materiality in Conducting an Audit. Statement on Auditing
  Standards No. 107. New York, NY: AICPA.

Arens, A., R. Elder and M. Beasley. 2006. Auditing and Assurance Services: An
 Integrated Approach. Upper Saddle River, NJ: Prentice-Hall.

Ashbaugh-Skaife, H., D. Collins, and W. Kinney. 2007. The discovery and consequences
 of internal control deficiencies prior to SOX-mandated audits. Journal of Accounting
 and Economics, 44 (1-2): 166-192.

Ashbaugh-Skaife, D. Collins, W. Kinney, and R. LaFond. 2006. The effect of internal
 control deficiencies on firm risk and cost of capital. Working Paper, University of
 Wisconsin, University of Iowa, University of Texas, and MIT.

_____. 2008. The effect of SOX internal control deficiencies and their remediation on
 accrual quality. The Accounting Review 83 (1): 217-250.

Asbaugh, H., R. LaFond and B. Mayhew. 2003. Do non-audit services compromise
 independence? Further evidence. The Accounting Review 78 (2): 611-639.

Bartov, E., F. Gul, and J. Tsui. 2000. Discretionary-accruals models and audit
 qualifications. Journal of Accounting and Economics 30: 421-452.

Becker, C., M. DeFond, J. Jiambalvo, and K. R. Subramanyam. 1998. The effect of audit
 quality on earnings management. Contemporary Accounting Research 15 (1): 1-24

Bedard, J., and K. Johnstone. 2004. Earnings manipulation risk, corporate governance
 risk, and auditors’ planning and pricing decisions. The Accounting Review 79: 277-
 304.




                                            38
Bell, T., W. Landsman and D. Shackelford. 2001. Auditors’ perceived business risk and
 audit fees: Analysis and evidence. Journal of Accounting Research 39 (June): 35-44.

Blue Ribbon Committee (BRC). 1999. Report and Recommendations of the Blue Ribbon
 Committee on Improving the Effectiveness of Corporate Audit Committees. Stamford,
 CT: BRC.

Blacconiere, W. G. and M. DeFond. 1997. An investigation of independent audit
 opinions and subsequent independent auditor litigation of publicly-traded failed savings
 and loans. Journal of Accounting and Public Policy 16 (4): 415-454.

Bradshaw, M., S. Richardson, and R. Sloan. 2001. Do analysts and auditors use
 information in accruals? Journal of Accounting Research 39 (1): 45-73.

Butler, M., A. Leone, and M. Willenborg. 2004. An empirical analysis of auditor
 reporting and its association with abnormal accruals. Journal of Accounting and
 Economics 37: 139-165.

Chang, J., and N. Hwang. 2003. The impact of retention incentives and client business
 risks on auditors’ decisions involving aggressive reporting practices. Auditing: A
 Journal of Practice and Theory 22 (2): 207-218.

Chow, C., and S. Rice. 1982. Qualified audit opinions and auditor switching. The
 Accounting Review 57: 326-335.

Chung, H., and S. Kallapur. 2003. Client importance, non-audit services and abnormal
 accruals. The Accounting Review 78 (4): 931-955.

DeAngelo, L. 1981. Auditor independence, “low balling”, and disclosure regulation.
 Journal of Accounting and Economics 3: 113-127.

DeBerg, C., S. Kaplan, and K. Pany. 1991. An examination of some relationships
 between non-audit services and auditor change. Accounting Horizons 5: 17-28.

DeFond, M.L. and K.R. Subramanyam. 1998. Auditor changes and discretionary
 accruals. Journal of Accounting and Economics 25 (February): 35-67.

Doyle, J., W. Ge, and S. McVay. 2007a. Determinants of weakness in internal control
 over financial reporting. Journal of Accounting and Economics, 44 (1-2): 193-223.

_____. 2007b. Accruals quality and internal control over financial reporting. Accounting
 Review, 82 (5): 1141-1170.

Elder, R., and R. Allen. 2003. A longitudinal field investigation of auditor risk
  assessments and sample size decisions. The Accounting Review 78 (4): 983-1002.




                                           39
Ettredge, M., J. Heintz, C. Li, and S. Scholz. 2006. Auditor realignments accompanying
  implementation of SOX 404 reporting requirements. Working paper, University of
  Kansas.
Fama, E., and K. French. 1997. Industry cost of equity. Journal of Financial Economics
 43 (2): 153-193.
Francis, J. 1984. The effect of audit firm size on audit prices: A study of the Australian
  market. Journal of Accounting and Economics 6 (2): 133-151.
Francis, J., and D. Stokes. 1986. Audit prices, product differentiation, and scale
  economies: Further evidence from the Australian audit market. Journal of Accounting
  Research 24 (2): 383-393.
Francis, J., and J. Krishnan. 1999. Accounting accruals and auditor reporting
  conservatism. Contemporary Accounting Research 16: 135-165.
Frankel, R., M. Johnson, and K. Nelson. 2002. The relation between auditor’s fees for
  non-audit services and earnings quality. The Accounting Review (Supplement): 71-105.

Ge, W., and S. McVay. 2005. The disclosure of material weaknesses in internal control
 after the Sarbanes-Oxley Act. Accounting Horizon 19 (3): 137-158.

Greene, W. 2000. Econometric Analysis. Upper Saddle River, NJ: Prentice-Hall

Henniger, W.G. 2001. The association between auditor litigation and abnormal accruals.
 The Accounting Review 76 (January): 111-126.

Hertz, K. 2006. The impact of SOX on auditor resignations and dismissals. Working
 paper, University of Washington.

Hill, J., R. Ramsay, and D. Simon. 1994. Audit fees and client business risk during the
 S&L Crisis: Empirical evidence and directions for future research. Journal of
 Accounting and Public Policy 13: 185-203.

Hogan, C., and M. Wilkins. 2008. Evidence on the audit risk model: Do auditors increase
 audit effort in the presence of internal control deficiencies? Contemporary Accounting
 Research 25 (1): 219-242.

Hoitash, R., U. Hoitash, and J. Bedard. 2008. Internal Control Quality and Audit Pricing
under the Sarbanes-Oxley Act. Auditing: A Journal of Practice and Theory 27 (1), 105-
126.

Hribar, P., and D. W. Collins. 2002. Errors in estimating accruals: Implications for
  empirical research. Journal of Accounting Research 40 (1): 105-34.

Johnstone, K. 2000. Client-acceptance decisions: Simultaneous effects of client business
  risk, audit risk, auditor business risk, and risk adaptation. Auditing: A Journal of Practice
  and Theory 19 (1): 1-25.


                                              40
Johnstone, K., and J. Bedard. 2003. Risk management in client acceptance decisions. The
  Accounting Review 78 (4): 1003-1026.

Johnstone, K.M., and J. C. Bedard. 2004. Audit firm portfolio management decisions.
  Journal of Accounting Research 42 (4): 659-690.

Kothari, S.P., A. Leone, and C. Wasley. 2005. Performance matched discretionary
 accrual measures. Journal of Accounting and Economics 39 (1): 163-197.
Krishnan J. 2005. Audit committee quality and internal control: An empirical analysis.
 The Accounting Review 80 (2): 649-675.
Krishanan, J., and J. Krishnan. 1996. The role of economic trade-offs in the audit opinion
 decision: An empirical analysis. Journal of Accounting, Auditing, & Finance 11 (Fall):
 565-586.
_____. 1997. Litigation risk and auditor resignations. The Accounting Review 72
 (October): 539-560.

Landsman, W., K. Nelson, and B. Rountree. 2005. An empirical analysis of big N
 auditor switches. Working paper, University of North Carolina, Chapel Hill.

Lyon, J., and M. Maher. 2005. The importance of business risk in setting audit fees:
 Evidence from cases of client misconduct. Journal of Accounting Research 43 (1):
 133-151.

Ogneva, M., Subramanyam, K., and K. Raghunandun. 2007. Internal control weaknesses
 and cost of equity: Evidence from SOX Section 404 disclosures. The Accounting
 Review 82 (5): 1255-1297.

Palmrose, Z. 1986. Audit fees and auditor size: Further evidence. Journal of
 Accounting Research 24 (1): 97-110.

Public Company Accounting Oversight Board (PCAOB), 2004. An Audit of Internal
 Control over Financial Reporting Performed in Conjunction with an Audit of Financial
 Statements. Auditing Standard No. 2. Washington, D.C.: PCAOB.

Raghunandan, K., and D. Rama. 2006. SOX Section 404 material weakness disclosures
 and audit fees. Auditing: A Journal of Practice and Theory 25 (1): 99-114.

Reynolds, K., and J. Francis. 2001. Does size matter? The influence of large clients on
 office-level auditor reporting decisions. Journal of Accounting and Economics 30:
 375-400.

Seetharaman, A., F. Gul, and S. Lynn. 2002. Litigation risk and audit fees: Evidence from
 UK firms cross-listed on US markets. Journal of Accounting and Economics 33 (1):
 91-115.


                                            41
Securities Exchange Commission (SEC). August 29, 20002. Certification of Disclosure
 in Companies’ Quarterly and Annual Reports. Release No. 33-8124. Washington, D.C.:
 SEC.

_____. June 5, 2003. Management's Report on Internal Control over Financial
 Reporting and Certification of Disclosure in Exchange Act Periodic Reports. Release
 No. 33-8238. Washington, D.C.: SEC.

_____. February 24, 2004. Management's Report on Internal Control over Financial
  Reporting and Certification of Disclosure in Exchange Act Periodic Reports. Release
  No. 33-8392. Washington, D.C.: SEC.

_____. September 22, 2005. Management's Report on Internal Control Over Financial
 Reporting and Certification of Disclosure in Exchange Act Periodic Reports of
 Companies that Are Not Accelerated Filers. Release No. 33-8618. Washington, D.C.:
 SEC.

_____. December 21, 2005. Revisions to Accelerated Filer Definition and Accelerated
 Deadlines for Filing Periodic Reports. Release No. 33-8644. Washington, D.C.: SEC.

_____. December 15, 2006. Internal Control Over Financial Reporting in Exchange Act
 Periodic Reports of Non-Accelerated Filers and Newly Public Companies. Release No.
 33-8760. Washington, D.C.: SEC.

_____. June 26, 2008. Internal Control Over Financial Reporting in Exchange Act
 Periodic Reports of Non-Accelerated Filers. Release No. 33-8934. Washington, D.C.:
 SEC.

Shu, S. 2000. Auditor resignations: clientele effects and legal liability. Journal of
 Accounting and Economics 29 (2): 173-205.

Smith, D. 1986. Auditor ‘subject to’ opinions, disclaimers, and auditor changes.
 Auditing: A Journal of Practice and Theory 6 (fall): 95-108.

Stice, J. 1991. Using financial and market information to identify pre-engagement factors
  associated with lawsuits against public accountants. The Accounting Review 66 (July):
  516-533.

Wegman, J. 2005. The Sarbanes-Oxley Act and accountant liability. Proceedings of the
 Academy of Legal, Ethical and Regulatory Issues 9 (2): 47-51.

White, H., 1980. A heteroskedasticity-consistent covariance matrix estimator and a direct
 test for heteroskedasticity. Econometrica 48: 817-838.




                                             42
Xie, B., W. Davidson, and P. DaDalt. 2003. Earnings management and corporate
 governance: the role of the board and the audit committee. Journal of Corporate Finance
 9: 295-316.

Zhang, Y., J. Zhou, and N. Zhou. 2007. Audit committee quality, auditor independence,
 and internal control weaknesses. Journal of Accounting and Public Policy, 26 (3): 300-
 327.




                                           43
Table 1. Sample selection criteria

Sample characteristics                                                                Number of firms

Total firms with internal control disclosures in AuditAnalytics November                     3,737
1, 2004 to December 31, 2005
Excluding firms not in Compustat (excluding 2 duplicates)                                    (181)
Excluding foreign firms                                                                      (105)
Excluding subsidiaries                                                                       (71)
Excluding mutual funds, trusts, and REITs                                                    (149)
Excluding firms without information on market value of equity                                (26)
Excluding firms with no SOX 404 internal control disclosure                                   (3)
Excluding firms with missing information on audit fee                                         (2)
Excluding firms with missing necessary information in computing                              (29)
leverage, sales growth, or return-on-assets
Excluding firms with missing audit opinion                                                   (380)
Excluding firms with missing Z-Scores                                                        (274)
Excluding firms with missing necessary information in computing                              (167)
discretionary accruals
Excluding non-accelerated filers                                                             (44)
Final sample firms                                                                           2,306

The sample firms consist of those with internal control information and other necessary variables for fiscal
years ending between November 15, 2004 and November 14, 2005. We begin with 3,737 firms that have
internal control disclosures in AuditAnalytic from November 1, 2004 to December 31, 2005. We exclude
firms not in COMPUSTAT, foreign firms, subsidiaries, and mutual funds, trusts, and REITS. We also
exclude firms with missing information on market value of equity, as this information is needed to
determine accelerated filer status. We further exclude firms without audit related information and other
necessary information for fiscal years ending between November 15, 2004 and November 14, 2005. We
finally exclude non-accelerated filers because these firms need not comply with SOX 404. Data in
parentheses indicate the number of firms removed from the full set to obtain the final sample of 2,306
firms.




                                                     44
Table 2. Comparison between firms with internal control weaknesses and firms
without internal control weaknesses
                                 Full Sample         ICW           Non-ICW       ICW vs. Non-
                                                                                        ICW
               Variables    Mean                     Mean             Mean          Mean Diff
                          (Median)                (Median)         (Median)      (Median Diff)
               ICW          0.143                     1.00             0.00          1.00***
                            (0.00)                  (1.00)           (0.00)         (1.00)***
               ICWACCT      0.105                    0.730             0.00         (0.73)***
                            (0.00)                  (1.00)           (0.00)         (1.00)***
               ICWCOMP      0.038                    0.270             0.00          0.27***
                            (0.00)                  (0.00)           (0.00)         (0.00)***
               AUDFEE     2,322,920               2,402,863        2,309,569          93,294
                         (1,209,190)             (1,344,660)      (1,198,550)       (146,110)
               AUDFEECG   1,132,693               1,218,068        1,118,766          99,302
                          (656,400)               (800,000)        (643,334)      (156,666)**
               NONAUDFEE   664,058                 478,308          695,079       -216,771***
                          (220,336)               (184,900)        (224,759)      (-39,859)***
               TOTFEE     2,986,978               2,881,171        3,004,648         -123,477
                         (1,468,837)             (1,534,232)      (1,457,489)        (76,743)
               OPINION       0.32                     0.46             0.29          0.17***
                            (0.00)                  (0.00)           (0.00)         (0.00)***
               AUDCHG       0.076                     0.16             0.06          0.10***
                            (0.00)                  (0.00)           (0.00)         (0.00)***
               DISMISSAL    0.057                    0.076             0.05             0.03
                            (0.00)                  (0.00)           (0.00)           (0.00)*
               RESIGN       0.019                    0.088             0.01          0.08***
                            (0.00)                  (0.00)           (0.00)         (0.00)***
               DTACC        –0.02                    -0.02            -0.02             0.00
                           (–0.01)                  (-0.01)          (-0.01)           (0.00)
               LEV           0.20                     0.20             0.20             0.00
                            (0.16)                  (0.12)           (0.17)           (-0.05)
               ROA           0.01                    -0.03             0.01          -0.04***
                            (0.05)                  (0.01)           (0.05)        (-0.04)***
               LOSS          0.25                     0.41             0.22          0.19***
                            (0.00)                  (0.00)           (0.00)         (0.00)***
               TA           3,366                    1,528            3,672         -2,144***
                            (600)                    (346)            (660)         (-314)***
               SALEGR        0.23                     0.20             0.24             -0.04
                            (0.13)                  (0.10)           (0.13)        (-0.03)***
               BUS           2.23                     2.26             2.22             0.04
                            (1.00)                  (1.00)           (1.00)            (0.00)
               BIG4          0.93                     0.86             0.94          -0.08***
                            (1.00)                  (1.00)           (1.00)         (0.00)***
               ZSCORE        5.53                     3.84             5.81          -1.97***
                            (3.71)                  (2.95)           (3.84)        (-0.89)***
               N            2,306                     330             1,976
This table provides mean and median comparisons between firms with internal control weaknesses (ICW
firms) and firms without internal control weaknesses (non-ICW firms). We use the two-sample t-test to test
the differences in mean and the Wilcoxon rank sum test to test the differences in median. All variable
definitions are in the Appendix.

*, **, and *** denote two-tailed significance at the 10, 5, and 1 percent levels, respectively.



                                                      45
Table 3. Regression analyses on the relation between audit fees and the disclosure of
internal control weaknesses

                                Variable         Model 1         Model 2
                                Intercept         10.43           10.42
                                                (137.27)***     (137.61)***
                                ICW                0.33
                                                  (9.32)***
                                ICWACCT                              0.27
                                                                    (7.05)***
                                ICWCOMP                              0.50
                                                                    (7.20)***
                                DTACC               0.17             0.17
                                                   (1.36)           (1.39)
                                LEV                -0.15            -0.15
                                                 (-2.46)**        (-2.38)**
                                ROA                -0.26            -0.26
                                                 (-3.84)***       (-3.72)***
                                LOSS                0.11             0.11
                                                   (3.10)***        (3.05)***
                                ZSCORE             -0.003           -0.003
                                                  (-2.84)***       (-2.79)***
                                LOG(TA)             0.49             0.49
                                                 (55.97)***       (55.88)***
                                SALEGR             -0.02            -0.02
                                                 (-0.97)          (-1.09)
                                LOG(BUS)            0.13             0.13
                                                   (7.01)***        (6.96)***
                                BIG4                0.36             0.37
                                                   (6.55)***        (6.80)***
                                Adjusted R2      69.11%           69.23%
                                N                  2,306            2,306

This table presents the regression results between the natural logarithm of audit fee and audit risk variables,
client business variables, and control variables. The White (1980) heteroskedasticity-consistent t statistics
are reported in parentheses. In our regression models, we use dummy variables to control for industries
(computers, retail, pharmaceutical products, electronic equipment, and business services) with more than 5
percent of the total sample observations, but do not report the coefficients on these industry dummies for
brevity. The industry classification follows Fama and French (1997). All variable definitions are in the
Appendix.

*, **, and *** denote two-tailed significance at the 10, 5, and 1 percent levels, respectively.




                                                      46
Table 4. Regression analyses on the relation between audit fee change and change in
internal control weakness opinions

                               Variable                 Model 1      Model 2
                               Intercept                  1.31         1.32
                                                      (41.11)***    (41.30)***
                               ICWCG                      0.50
                                                       (5.52)***
                               ICWACCTCG                                 0.34
                                                                     (3.91)***
                               ICWCOMPCG                                 0.93
                                                                     (4.77)***
                               DTACCCG                     0.00         0.00
                                                         (0.49)        (0.37)
                               LEVCG                      0.002         0.002
                                                         (1.12)        (1.00)
                               ROACG                      -0.00         -0.00
                                                         (-0.23)       (-0.05)
                               LOSSCG                      0.20          0.19
                                                       (3.23)***     (3.14)***
                               ZSCORECG                   0.005         0.005
                                                         (1.57)        (1.27)
                               TACG                        0.32          0.31
                                                       (3.86)***     (3.86)***
                               SALEGRCG                   -0.00         -0.00
                                                         (-1.51)       (-1.42)
                               BUSCG                      -0.06         -0.05
                                                         (-1.28)       (-1.02)
                               Adjusted R2               4.82%         5.73%
                               N                          2,189         2,189


This table presents the regression results between the audit fee changes and changes in audit risk variables,
client business variables, and control variables. The White (1980) heteroskedasticity-consistent t statistics
are reported in parentheses. In our regression models, we control for industry dummies, but do not report
the coefficients on these industry dummies for brevity. See Table 3 for more details. The sample size for
Table 4 is 2,189, because we need auditing and financial information for both the 302 period and the 404
period. From our sample of 2,306 firms, we first exclude 38 firms with missing auditing and financial
information in the 302 period. We then exclude one outlier (Tetra Technologies Inc with a leverage change
of 7,286) based on the standard SAS procedure in our regression analyses. We finally exclude 76 firms
with zero leverage and two firms with zero sales growth in the 302 period because we cannot calculate
changes for these variables. All variable definitions are in the Appendix.

*, **, and *** denote two-tailed significance at the 10, 5, 1 percent levels, respectively.




                                                      47
Table 5. Logit analyses on the relation between audit opinion and the disclosure of
internal control weaknesses

                               Variable          Model 1         Model 2
                               Intercept          -3.23           -3.22
                                                 (99.31)***      (98.58)***
                               ICW                 0.98
                                                 (50.61)***
                               ICWACCT                             1.02
                                                                 (44.57)***
                               ICWCOMP                             0.84
                                                                 (11.17)***
                               DTACC               -0.16          -0.16
                                                   (0.07)         (0.08)
                               LEV                  0.45           0.44
                                                   (2.93)*        (2.84)*
                               ROA                  0.17           0.16
                                                   (0.13)         (0.12)
                               LOSS                 0.12           0.12
                                                   (0.60)         (0.63)
                               ZSCORE              -0.06          -0.06
                                                  (20.85)***     (21.01)***
                               LOG(TA)              0.37           0.37
                                                 (106.31)***    (105.45)***
                               SALEGR              -0.12          -0.11
                                                   (1.04)         (0.97)
                               BIG4                 0.11           0.09
                                                   (0.21)         (0.16)
                               Pseudo R2           13.37%         13.39%
                               N                    2,306          2,306

This table presents the logit regression results between audit opinion and audit risk variables, client
business variables, and control variables. The χ2 statistics are reported in the parentheses. In our
regression models, we control for industry dummies, but do not report the coefficients on these industry
dummies for brevity. See Table 3 for more details. All variable definitions are in the Appendix.

*, **, and *** denote two-tailed significance at the 10, 5, and 1 percent levels, respectively.




                                                      48
Table 6. Multinomial logit analyses of the relation between auditor change and the
disclosure of internal control weaknesses

                Variable                     Model 1                        Model 2
                                    Resignation   Dismissal        Resignation   Dismissal
                INTERCEPT             -4.40         -5.77            -3.64         -5.67
                                      (1.95)      (10.38)***         (1.33)        (9.95)***
                ICW                    2.20          0.32
                                     (40.82)***     (1.74)
                ICWACCT                                               1.59          0.21
                                                                    (14.26)***     (0.55)
                ICWCOMP                                               3.07          0.63
                                                                    (55.58)***     (2.45)
                DTACC                  0.69          0.82             0.90          0.84
                                      (0.21)        (0.72)           (0.35)        (0.75)
                LEV                    0.88          0.17             0.96          0.18
                                      (2.08)        (0.16)           (2.33)        (0.19)
                ROA                    1.66          0.21             1.77          0.21
                                      (4.26)**      (0.14)           (4.62)**      (0.15)
                LOSS                   0.94         -0.09             0.92         -0.09
                                      (5.90)**      (0.11)           (5.41)**      (0.11)
                ZSCORE                 0.00          0.00             0.00          0.00
                                      (0.00)        (0.09)           (0.00)        (0.08)
                LOG(AUDFEE)            0.25          0.35             0.17          0.34
                                      (0.78)        (4.69)**         (0.35)        (4.40)**
                LOG(TA)               -0.76         -0.29            -0.69         -0.28
                                     (13.49)***     (7.18)***       (10.75)***     (6.91)***
                SALEGR                 0.09         -0.21             0.03         -0.21
                                      (0.56)        (0.82)           (0.05)        (0.85)
                Pseudo R2                    8.60%                          9.45%
                N                             2,306                          2,306

This table presents the multinomial logit regression results. We use firms without auditor changes as our
reference group, and obtain separate coefficient estimates for auditor resignation and auditor dismissal.
The χ2 statistics are reported in the parentheses. In our regression models, we control for industry
dummies, but do not report the coefficients on these industry dummies for brevity. See Table 3 for more
details. All variable definitions are in the Appendix.

*, **, and *** denote two-tailed significance at the 10, 5, and 1 percent levels, respectively.




                                                      49
Table 7. Pearson correlation table for internal control weakness variables and
auditor response strategies


                    ICW       ICWACCT        ICWCOMP         FEECHG       OPINION        RESIGN
      ICW           1.00         0.84           0.48           0.16         0.12           0.18
                                (0.00)         (0.00)         (0.00)       (0.00)         (0.00)
   ICWACCT                       1.00          -0.06           0.08         0.13           0.03
                                               (0.00)         (0.00)       (0.00)         (0.14)
   ICWCOMP                                      1.00           0.16         0.01           0.27
                                                              (0.00)       (0.62)         (0.00)
    FEECHG                                                     1.00         -0.04          NA
                                                                           (0.05)
   OPINION                                                                  1.00           NA

    RESIGN                                                                                 1.00

    Total N =
     2,163


This table presents the Pearson correlations for internal control weakness variables and auditor response
strategies. NA stands for “not applicable.” Since firms who resign from clients no longer assess audit fees
and issue audit opinions, we designate the correlations between RESIGN and FEECHG and between
RESIGN and OPINION as NA. The p-values are presented in the parentheses. The sample size is 2,163
for Tables 7-10. Since we focus on auditors’ responses to control risk, we exclude 131 auditor dismissal
firms from the full sample of 2,306 firms. We then exclude one firm with missing audit fee information in
the 302 period. We finally exclude 11 auditor resignation firms with modified opinions, because these
opinions may be issued by their replacement auditors. All variable definitions are in the Appendix.




                                                    50
Table 8. Proportion of firms with internal control weaknesses in each auditor
response group

   Variable          Group 1          Group 2         Group 3         Difference        Difference
                    Audit Fee         Modified        Auditor          between            between
                    Adjustment        Opinion        Resignation       Groups             Groups
                                                                       2 and 1           3 and 2
   ICW                 0.098            0.198           0.618         0.100***          0.419***


   ICWACCT             0.073            0.159           0.176          0.086***           0.017


   ICWCOMP             0.025            0.039           0.441            0.014          0.402***


   Total N =           1,463             666               34
   2,163



This table presents the proportion of firms with internal control weaknesses, including account-specific
weaknesses and company-level weaknesses, for each auditor response group. The rows for ICWACCT and
ICWCOMP are italicized to emphasize that the summation of these two rows is equal to the ICW row. We
use the two-sample t-test to test the differences in mean between Groups 2 and 1 and between Groups 3 and
2, respectively. The sample size for this table is the same as that for Table 7. All variable definitions are in
the Appendix.

*, **, and *** denote two-tailed significance at the 10, 5, and 1 percent levels, respectively.




                                                      51
Table 9. Ordered logit analyses of the relation between auditor responses and the
disclosure of internal control weaknesses

                         Variable         Model 1         Model 2
                         Intercept 1       -3.02            -3.09
                                          (89.18)***      (91.23)***
                         Intercept 2       -6.67            -6.75
                                         (317.76)***     (319.22)***
                         ICW                1.18
                                          (73.78)***
                         ICWACCT                               1.02
                                                           (44.26)***
                         ICWCOMP                               1.77
                                                           (49.72)***
                         DTACC              -0.05             -0.05
                                            (0.01)            (0.01)
                         LEV                 0.44              0.47
                                            (2.86)*           (3.20)*
                         ROA                 0.74              0.77
                                            (2.12)            (2.28)
                         LOSS                0.38              0.37
                                            (5.79)**         (5.65)***
                         ZSCORE             -0.05             -0.05
                                           (13.80)***      (13.38)***
                         LOG(TA)             0.31              0.31
                                           (75.61)***      (75.22)***
                         SALEGR             -0.01             -0.02
                                            (0.01)            (0.06)
                         BIG4                0.15              0.22
                                            (0.43)            (0.92)
                         Pseudo R 2        10.24%           10.45%
                         N                  2,163            2,163

This table presents the ordered logit regression results between auditor responses in the order of audit fee
adjustments, modified opinions, and auditor resignations and audit risk variables, client business variables,
and control variables. The χ2 statistics are reported in the parentheses. In our regression models, we
control for industry dummies, but do not report the coefficients on these industry dummies for brevity. See
Table 3 for more details. The sample size for this table is the same as that for Table 7. All variable
definitions are in the Appendix.

*, **, and *** denote two-tailed significance at the 10, 5, and 1 percent levels, respectively.




                                                      52
Table 10. Regression analyses on the relation between the auditor response index
and the disclosure of internal control weaknesses

                                Variable         Model 1         Model 2
                                Intercept          0.30             0.30
                                                  (8.36)***       (8.21)***
                                ICW                0.19
                                                 (10.55)***
                                ICWACCT                             0.16
                                                                  (8.22)***
                                ICWCOMP                             0.26
                                                                  (7.68)***
                                DTACC              -0.07           -0.07
                                                  (-1.04)         (-1.05)
                                LEV                 0.09            0.10
                                                   (3.15)***      (3.24)***
                                ROA                 0.09            0.09
                                                   (1.84)*         (1.96)**
                                LOSS                0.01            0.01
                                                   (0.69)          (0.67)
                                ZSCORE             -0.001          -0.001
                                                  (-1.31)         (-1.24)
                                LOG(TA)             0.01            0.01
                                                   (2.51)**        (2.50)**
                                SALEGR              0.01            0.01
                                                   (1.43)          (1.32)
                                BIG4                0.09            0.10
                                                   (3.53)***      (3.79)***
                                Adjusted R2        8.29%          8.57%
                                N                  2,163          2,163

This table presents the regression results between the auditor response index and audit risk variables, client
business variables, and control variables. The auditor response index, defined in the text, captures the
severity of auditor responses with a higher index value indicating a more severe auditor response. The
White (1980) heteroskedasticity-consistent t statistics are reported in parentheses. In our regression
models, we control for industry dummies, but do not report the coefficients on these industry dummies for
brevity. See Table 3 for more details. The sample size for this table is the same as that for Table 7. All
variable definitions are in the Appendix.

*, **, and *** denote two-tailed significance at the 10, 5, and 1 percent levels, respectively.




                                                      53

								
To top