Internal Control Assessment and Interference Effects

Article  in  Behavioral Research in Accounting · January 2012


DOI: 10.2308/bria-10074



BEHAVIORAL RESEARCH IN ACCOUNTING
American Accounting Association
Vol. 24, No. 1, 2012, pp. 73–90
DOI: 10.2308/bria-10074

Internal Control Assessment and Interference Effects

Janet B. Morrill
Cameron K. J. Morrill
University of Manitoba
Lori S. Kopp
University of Lethbridge

ABSTRACT: Both U.S. Generally Accepted Auditing Standards and International
Standards on Auditing require risk-based audits, where audit effort is concentrated on
accounts and financial statement assertions where the risk of material misstatement is
high. Assessing risk requires the auditor to evaluate the auditee’s internal control
systems; however, current standards and practice vary regarding the point at which risks
are to be identified. Using output interference theory, we hypothesize that risk
assessment performed by the auditor before evaluating the client’s internal control
systems will lead to a more complete identification of sources of internal control
deficiencies as compared to assessing risk after evaluating internal control systems. In
our experiment, auditors who identified risks first identified more, and more important,
internal control deficiencies than did auditors identifying controls first, although the
number of risks identified was not significantly different between the two groups. Overall,
our results suggest that audit efficiency and effectiveness depend on the sequence in
which internal control evaluation subtasks are performed.
Keywords: auditor judgment; internal control evaluation; interference.

Data Availability: Data are available from the authors upon request.

Janet Morrill and Cameron Morrill are Chartered Accountants Research Fellows at the University of Manitoba. We
express our gratitude to the Deloitte Touche Research Foundation and the University of Manitoba Centre for Accounting
Research and Education, funded by the Institute of Chartered Accountants of Manitoba, for their financial support; the
Certified General Accountants of Manitoba and British Columbia that provided participants for this study; and Jeff
Thomas and Erin Sharpe for their assistance. We also appreciate helpful comments from Theresa Libby, two anonymous
reviewers, Ed O’Donnell, participants at the University of Manitoba faculty workshop series, the Certified General
Accountants/University of Manitoba Accounting Research Conference, and comments from participants and reviewers
of annual meetings of the American Accounting Association (AAA), the Canadian Academic Accounting Association,
the Administrative Sciences Association of Canada, and the AAA Auditing Section.
Published Online: January 2012

INTRODUCTION

The successful design and evaluation of internal control systems is playing an increasingly
important role in corporate governance and financial statement audits. Both U.S. Generally
Accepted Auditing Standards and International Standards on Auditing require risk-based
audits, where audit effort is concentrated on accounts and financial statement assertions where the
risk of material misstatement is high. To assess the risk of material misstatement, the standards
require the auditor to acquire an understanding of the risks of an auditee’s business, including its
internal control systems. The assessment of the internal control systems is integral to the process as
controls may mitigate some of the risks that would otherwise lead to material misstatements.
Identifying risks and evaluating and improving internal control systems are also of vital interest to
public companies, given the increased scrutiny and reporting obligations in this area imposed by the
Sarbanes-Oxley Act.
At the same time, there is evidence to suggest that risk assessment and the evaluation of internal
control systems are very difficult. Roybark (2006) analyzed the inspection reports issued in 2005 by
the Public Company Accounting Oversight Board (PCAOB) and found that audit deficiencies in
internal control assessments were particularly prevalent and were an area of particular importance.
Thus, techniques that increase the effectiveness of risk assessment and internal control evaluation may
improve financial statement audits while simultaneously yielding substantial benefits to organizations
seeking to improve or assess the quality of their internal controls.
The determination of financial statement accounts and assertions containing significant risks
and/or internal control deficiencies forms the basis for the “risk-based audit” wherein the audit is
subsequently designed to focus audit effort in these areas. To make this determination, the auditor
must acquire knowledge of the auditee’s business, the business and entity-wide risks that entail a
risk of material misstatement in the financial statements, and how the entity’s internal control
systems address those risks. Risks are identified at increasing levels of specificity from business and
entity-wide risks, to financial statement risks, to assertion level risks, and finally to transaction level
risks. A key outcome of this process is the auditor’s determination of whether the risks at a
transaction level are appropriately reduced or eliminated by the organization’s internal control
systems, or if significant internal control deficiencies remain.
In this paper, we focus on sub-components of this process: The identification of transaction level
risks facing the organization, the assessment of controls, and the identification of internal control
deficiencies under different task sequences. While a risk-based audit is required by auditing standards,
the standards do not mandate when risks need to be evaluated in the process. The purpose of this
study is to determine whether consideration of risks first affects the internal control evaluation.
We hypothesize, based on output interference theory, that risk identification performed by the
auditor before evaluating the client’s internal control systems will lead to a more complete
identification of internal control deficiencies than risk identification performed after controls are
evaluated. We theorize that the identification of controls before identifying risks interferes with the
ability to generate risks that are not being controlled, resulting in fewer deficiencies being identified.
We also investigate whether auditors who identify controls before identifying risks will be less
successful in identifying important deficiencies.
Consistent with our expectations, we found that participants who generated risks before
identifying controls (hereafter “risks-first”) identified significantly more internal control
deficiencies than participants who performed those tasks in the reverse order (hereafter
“controls-first”). In addition, we found that the risks-first participants identified more important
deficiencies than did the controls-first participants, where importance was defined by the judgments
of an expert panel. On this basis, we conclude that a risks-first approach appears to be more
effective. However, we also found that the risks-first participants identified significantly fewer
controls, indicating that the increase in effectiveness may entail sacrifices in the efficiency of the
audit. Given the critical importance of internal control design and evaluation to effective corporate
governance, financial statement audits, and internal control reporting and audits required under
SOX 302 and 404, these insights could be of significant interest to academics, standard setters, and
practitioners.


HYPOTHESIS DEVELOPMENT
Identification of Risks in Internal Control Evaluation
Risk assessment is a critical and early step in the design of an organization’s internal control
system. The Committee of Sponsoring Organizations’ (COSO) framework for internal control
(COSO 1994) and the updated guidance for small companies (COSO 2006) recommend that
companies perform a risk assessment process, which, in turn, informs the design of the internal
control system and the implementation of control activities. Risk assessment consists of two major
steps: risks must first be identified, and then their significance must be analyzed.
The timing of risk identification and analysis in the evaluation of control systems for external
financial statement audit purposes is less clear. While U.S. and international GAAS require “risk-based
audits,” it is not clear whether they require, or whether in practice this is equivalent to, “risks-first
audits.” Auditing Standard 5 (AS5), produced by the PCAOB in 2007, recommends that auditors
use a top-down approach to the audit of internal controls. This approach begins at the financial
statement level with the auditor’s understanding of the overall risks to internal control over financial
reporting (PCAOB 2007, AS5, paragraph 21). The auditor should determine the likely sources of
potential misstatements in the financial statements and might do so by asking himself or herself “what
could go wrong?” within a given significant account or disclosure (PCAOB 2007, AS5, paragraph
30). Therefore, the U.S. standard implies that the auditor should perform a risk generation or
identification process, and that process should occur early in the internal control evaluation. The
international standard ISA 315 suggests that the risk assessment procedure and acquiring an
understanding of internal controls are iterative and simultaneous: ISA 315 states that “all the risk
assessment procedures are performed by the auditor in the course of obtaining the required
understanding” (IAASB 2007, ISA 315, paragraph 7; emphasis added) of the entity and its
environment.
To acquire some insights regarding when risk assessment is done in practice, we examined the
Canadian Institute of Chartered Accountants Practice Engagement Manual (CICA 2007) and the
Certified General Accountants Association Public Practice Manual (CGA 2007). Neither manual
contains an explicit individual step wherein the auditor identifies risks, but the internal control
evaluation process in both manuals culminates in a list of internal controls cross-referenced to a list
of transaction risks. Specifically, the CICA Practice Engagement Manual (CICA 2007) contains a
“risk matrix” listing transaction risks and their related assertions in columns and the internal
controls identified by the auditor in the rows. The auditor then places a check at the intersection of
the control and the risk to which it relates. Given that questionnaires documenting internal controls
precede the final questionnaire cross-referencing transaction risks to identified controls, it would
appear that auditors likely perform a transaction risk identification either while they document the
internal controls (consistent with ISA 315) or after they document internal controls. The Certified
General Accountants Association Public Practice Manual (CGA 2007) contains internal control
questionnaires listing financial statement assertions, associated transaction risks, and possible
controls. The auditor enters the description of the key control addressing each transaction risk,
again implying that risk assessment is performed while internal controls are documented.
Finally, we interviewed audit partners from each of the “Big 4” audit firms to determine at what
stage risks are identified in the internal control evaluation process. None of the firms had strict
guidelines in this area, and they varied somewhat in their approaches. One firm reported that the risk
identification stage was explicitly addressed by senior personnel as part of the audit planning
preparation, and the areas of identified high risk were communicated to audit personnel, which would
have some impact on the depth of understanding of internal control acquired. Another firm, on the
other hand, expressed that “by the end of the audit, all the evidence needs to have been gathered,
consistent with a risk-based audit.” All firms suggested that interviews with client personnel to
acquire an understanding of internal control tended to be “unscripted.” In some cases, the client
personnel would be invited to explain what controls were present in their system, whereas in other
cases the interview might start by asking client personnel what risks they perceived to be important
when the system was designed. In practice, it therefore appears that order is not consistently applied.
In the next section of the paper, we use insights from output interference theory to explain why
we believe order matters. In fact, output interference theory suggests that auditors should identify
risks before they document internal controls.

Output Interference
Output interference is a phenomenon whereby the act of recalling, or the cuing of, some items
inhibits the recall of other items (Slamecka 1968). Specifically, output interference inhibits the
retrieval of cues from memory, thereby affecting the amount of information recalled. In the auditing
literature, output interference has been found to result from the use of information provided by the
client or from audit decision aids such as questionnaires and checklists. For example, Frederick
(1991) found that auditors were affected by output interference when attempting to recall a list of 33
internal controls given to them. After reviewing the internal controls using the taxonomic
categorization of internal controls (e.g., authorization, validity of transaction, proper recording,
etc.), auditors given a partial list of internal controls recalled fewer of the remaining controls than
auditors that were not given a list of internal controls. In addition, Bierstaker (2003) found that
providing high- and low-knowledge auditors with incomplete flowcharts in addition to complete
narratives interfered with the low-knowledge auditors’ ability to recall internal control deficiencies
and strengths. There was no interference effect for the high-knowledge auditors.
Perhaps of greater relevance to our work are studies that document that interference also affects
the generation of concepts from long-term memory, rather than simply recall of recently viewed
items. That is, concepts that have received heightened activation are likely to be re-generated, while
there is a decreasing likelihood of generating items that have not been activated. During analytical
procedure judgments, Anderson et al. (1992) examined whether the generation of explanations from
one category (errors or non-errors) inhibited auditors’ ability to generate explanations from the
other category. Auditors who were asked first to think about and list non-error explanations
generated fewer error explanations than auditors asked to think about and list error explanations
before non-error explanations. Church and Schneider (1993) found that providing auditors with a
hypothesis from a particular transaction cycle inhibited retrieval of additional hypotheses from the
same transaction cycle.
The generation of transaction risks to which an organization is exposed is a difficult process.
One reason is that there are many potential risks to consider. For example, paying the same invoice
twice violates the “occurrence” assertion for expense accounts. The occurrence assertion for
expenses accounts could also be violated if invoices are paid for legitimate goods or services that
were never received, if cutoff errors occurred, or if there are fictitious expenses arising from
employee fraud or management fraud. In addition, the risks may be specific to the firm or industry.
Comparing the pre-specified transaction risks in the CICA and CGA manuals illustrates the
complexity of the risk identification process. For example, for the completeness, existence,
accuracy, and valuation assertions of purchases, payables, and payments, the CICA manual lists ten
transaction risks. The CGA manual contains five of those risks plus four that are not in the CICA
manual. Both questionnaires provide space for additional risks.
In current practice, auditors may embark on an identification of controls before specifically
identifying the risks to which the company is exposed. We hypothesize that performing an internal
control evaluation in this order will inhibit the generation of risks because of interference effects,
resulting in a less effective internal control assessment. In the risk generation phase, risks that are
addressed by controls compete for generation with risks that ultimately are not addressed by
controls. The risks that are addressed by controls are more likely to be generated as they would
have been activated during the previous step, when the auditors matched the controls they identified
to the risks addressed by those controls. Therefore, the process of matching controls to risks would
inhibit the subsequent generation of risks that are not controlled, i.e., internal control deficiencies.
This process is summarized in Figure 1.

FIGURE 1
Hypothesized Cognitive Process with Controls-First Approach

| Task Steps | Hypothesized Cognitive Effect |
|---|---|
| 1. Document system: What controls are in place? | Activates mental representations of controls |
| 2. What risks are addressed by the identified controls? | Activates risks addressed by the client’s internal controls |
| 3. Generate risks | Controlled risks activated in the previous step are likely to be re-generated and activated even further. Other uncontrolled risks are less likely to be activated due to interference from controlled risks |
| 4. Determine if all risks are addressed | Likely to be “yes,” since few uncontrolled risks would have been generated in prior step |
| 5. Determine if there are significant deficiencies | Likely to be “no,” since all risks identified (which are controlled) have been addressed (because they are controlled) |

If such interference occurs, then beginning the internal control evaluation with the
documentation of the existing internal control structure will reduce the likelihood that internal
control deficiencies are identified by the auditor. We hypothesize that internal control deficiency
identification is enhanced by asking the auditor to generate risks before identifying the controls in
place, as the links to controlled risks will not have been previously activated.¹ This leads to the
following hypothesis, stated in alternative form:
H1: Auditors who identify risks first will identify more internal control deficiencies in the
system than auditors who identify controls first.
H1 proposes that the quantity of risks and internal control deficiencies identified will be
affected by the order in which tasks are performed. We also explore whether task order will affect
the importance of internal control deficiencies identified, where the importance of an internal
control deficiency is a function of the likelihood of occurrence of the underlying risk in the absence
of the control, and the significance of the repercussions of that occurrence (COSO 1994).

¹ This hypothesis is also somewhat related to framing effects. Emby (1995) found that auditors rely less on internal
controls when words such as “risk” are embedded in the task materials. It is suggested that the use of these words
activates a different problem representation, or frame, that changes the auditor’s judgments. There is at least one
substantial difference between the framing studies and this study: Framing studies investigate the impact of
changing the wording of the experimental materials whereas, in our study, we vary the way (specifically the order)
in which the auditor performs the task. We did not expect framing to have a significant effect, but we further
consider this issue in a later section of the paper.

Auditors in the risks-first task order group must generate risks before investigating the controls
in place. Prior research has shown that an important component of auditor knowledge is the
knowledge of error occurrence rates and that experienced auditors will generate more frequently
occurring errors as an explanation for audit findings (Libby and Frederick 1990; Tubbs 1992). In
similar fashion, we expect that auditors in the risks-first condition are likely to generate more
frequently occurring risks. If any of these risks are not addressed by the system of internal controls,
it is likely that the resulting internal control deficiencies would be very significant.
Auditors in the controls-first condition, on the other hand, are less likely to be able to identify
significant internal control deficiencies as they are hampered by the interference effects resulting
from the identification of risks that are already controlled by the auditee. Companies implement
internal controls subject to a cost-benefit criterion (COSO 1994). The controls adopted are thus
likely to be related to “typical” risks, in the sense that these risks are likely to be significant to many
organizations. Libby and Frederick (1990) and Heiman-Hoffman et al. (1995) found that an
inherited typical (i.e., frequently occurring) error inhibited the retrieval of additional errors or
hypotheses more than an inherited atypical error. In an internal control evaluation setting, auditors
in a controls-first condition are more likely to “inherit” a typical (frequently occurring) risk as these
are the risks that are most likely to be controlled by the company. Therefore, we expect that this will
significantly inhibit the generation of additional risks, which could include typical high frequency
risks, resulting in less effective internal control evaluations.² In the worst case, one of those high
frequency risks could be uncontrolled by the company. Again, if the important risk is not identified,
then an important deficiency would not be identified. In other words, auditors in the risks-first group
are more likely to generate important risks, which will lead to identifying important deficiencies, as
auditors likely know what risks are important. Auditors in the controls-first group are less likely to
generate important risks and are, hence, less likely to generate important deficiencies, as the typical
controls that they likely encountered in the system generate the most interference.
To summarize, we argue that important deficiencies and risks are less likely to be identified by
auditors in the controls-first condition, as the controls they identify are likely to be typical and will
thus interfere with the generation of other typical risks. We are, therefore, making a link between
“typical” and “important.” The two terms are associated in that, as noted above, controls become
typical as many companies adopt them. The reason companies adopt them is presumably because
they are important. However, we acknowledge that these terms may not be equivalent, particularly
as companies may face important risks that are specific to their situation that would not be
considered typical. Similarly, we argue that auditors in the risks-first condition are more likely to
uncover important deficiencies as they are likely to generate frequently occurring risks. As
importance is a function of both frequency and the magnitude of the consequences, “importance”
and “frequently occurring” are related terms but are not necessarily equivalent. Therefore, we
phrase our investigation of task order effect and the importance of deficiencies as a research
question rather than a hypothesis:
RQ1: Do auditors who identify risks first identify more important internal control deficiencies
in the system than auditors who identify controls first?

² The arguments presented here relate to internal control evaluations conducted in “real life,” whereas our
participants are working with a hypothetical case. The controls described in our experimental case address typical
risks only insofar as the internal control system described in our case is representative of typical systems. Our
experimental case was pilot-tested for realism by ten managers from Big 4 audit firms. If interference theory is
applicable in an internal control evaluation setting, as we suggest, we are confident that the controls in our case
should induce interference effects in our experimental setting in the same way that they would in real life.

METHOD
We conducted our study using accountants completing their auditing courses required to
receive the Certified General Accountant (CGA) professional designation.³ The experiment was
administered to a total of 78 participants on three separate occasions, to accountants attending
sessions at the end of CGA Auditing 1 or Auditing 2 courses in two different cities.⁴ The responses
of three participants were eliminated as their responses were incomplete and impossible to encode.
Demographic information on the participants is provided in Table 1. The mean age of participants
was 33.4 years, and their mean work experience was 42.9 months, reflecting the fact that the
auditing course is typically taken within one year of receiving the CGA professional designation.
There were no statistically significant differences in demographic variables detected between the
two experimental groups. All experimental participants appeared to be motivated and were
compensated for their time. Additionally, a $100.00 prize was offered to the participant with the
highest score, so we have no reason to believe that the participants were not fully engaged in the
task. Participants were given as much time as they needed to complete the task. In the session where
we monitored time, the average time to complete the task was 56 minutes, with the minimum and
maximum time being 40 and 90 minutes, respectively. The task, adapted from Kopp and Bierstaker
(2006), involved the evaluation of the internal controls of the purchases/payables/payments cycle of
a medical supply company. The system description is included in Appendix A.
The participants were randomly assigned to one of two conditions, which varied in the order of
the sub-tasks to be completed. Participants in the first condition (the risks-first condition) identified
the risks that should be addressed by an internal control system. They then received the detailed
narrative description of the internal control system, after which they were given a second
opportunity to identify risks in the system. They then identified the controls in the system and
identified any deficiencies. These steps are outlined in Figure 2.
The second task order condition group (the controls-first group) received the narrative
description first and were instructed to identify the controls in the system, after which they were
asked to identify all the risks and finally any internal control deficiencies in the system. In both
conditions, once the first step was completed, participants were permitted to go back to previous
steps at any time, but were not able to skip forward.
Participants in both groups were provided a training task before completing the experimental
task. The training task was a complete evaluation of a sales/receivables/receipts system. The
training task demonstrated the order of subtasks to be completed, which varied between the two
groups, but the content of the task (the system description, and the risks, controls, and deficiencies
identified) was identical for both groups.

³ On average, participants reported being in level 4.4 of the 5-level CGA program, which requires an undergraduate
university degree.
⁴ We performed t-tests of differences in the dependent variables used in the study (number of risks, controls, and
deficiencies identified) to ensure that there were no significant differences between City and Course groups. The
groups (City 1 versus City 2 and Audit 1 versus Audit 2 students) had no significant differences between the
number of risks identified or the number of controls identified. On average, however, the City 1 participants
generated significantly more deficiencies than did the City 2 participants (mean 3.26 versus 2.22, p < 0.05), and
the Audit 1 participants, somewhat surprisingly, generated significantly more deficiencies than did the Audit 2
participants (3.53 versus 2.43, p < 0.04). Such differences could be due to different work environments or
instructor effects, for example. We argue that these differences do not affect our conclusions as participants in the
different city/course combinations were assigned randomly to the two experimental conditions, and the overall
results reported here hold within each City and Course group. Nevertheless, we controlled for City, Course, and
Months of Experience in our reported analyses.

TABLE 1
Participant Information

| | Risk First Condition (n = 38): Mean (Standard Deviation) | Control First Condition (n = 36): Mean (Standard Deviation) | t | Mann-Whitney U |
|---|---|---|---|---|
| Months of accounting work experience | 49.7 (55.5) | 36.0 (29.4) | 1.23 | 0.67 |
| Age in years | 34.1 (7.7) | 32.6 (7.6) | 0.80 | 1.10 |
| Difficulty of task (1 = not, 11 = very) | 5.5 (2.4) | 5.9 (1.9) | 0.79 | 0.46 |
| Realism of task (1 = not, 11 = very) | 8.1 (2.1) | 7.8 (2.5) | 0.52 | 0.48 |
| Difficulty of ordering of task steps (1 = not, 11 = very) | 5.2 (2.6) | 5.5 (1.9) | 0.45 | 0.38 |
| Difference between performance of the task and how they usually perform it (1 = not, 11 = very) | 6.6 (4.0) | 7.1 (3.5) | 0.59 | 0.79 |

None of the differences between conditions are statistically significant at conventional levels.

In order to ensure that the groups adhered to the proper order of subtasks to be completed, we
implemented two procedures. First, participants had to complete their case on three-part, carbonless
answer sheets. The answer sheets consisted of a three-column table, with columns for risks,
controls, and deficiencies, with the order varying according to the condition. Each row of the table
was to contain a risk and a control that addressed that risk, or a deficiency if no control existed. On
the top sheet, only one column of the three-column table was available (the other two columns were
shaded in). That column was entitled “Risks” for the risk-first condition, and was entitled
“Controls” for the control-first condition. After completing that first step, the participants turned to
the second page of the answer sheet, which now had two columns free and the third column shaded
out. The first column contained a carbon copy of the answers they had written on the top page,
leaving the second column to be filled in. The second column provided space for controls, for the
risk-first condition, and risks, for the control-first condition. After filling in the second column on
the second page, participants proceeded to the third page where they filled in their deficiency
assessment in the last column.
These three-part sheets assured us that participants did not skip steps. In particular, by
examining the second page, we could ensure that the participant had filled out the first step on the
first page, as only a carbon copy appeared on the first column of the second page, while the second
column of the second page contained original ink. As an additional control, we had participants in
the risks-first condition request the detailed narrative description part way through the task, and we
checked that they had attempted to identify risks if they were in the risk-first condition before
distributing the narrative. Hence, we were assured that all participants completed the tasks in the
order prescribed.
Participants also were asked how difficult and realistic they found the task; how difficult they
found the ordering of the task to be; and how different they found the performance of the task to be
from the way they usually performed it.

FIGURE 2
Order of Steps in Experimental Task

Participants in both conditions were told not to skip steps, although they were permitted to return to previous
steps at any time.

RESULTS
Information about the participants in our study and results of manipulation checks are
presented in Table 1.⁵ There were no significant differences between the means of the two groups,
indicating that (1) the perception of key features of the task was consistent across groups; and (2)
the random assignment of participants to groups was effective in controlling for potentially
confounding variables.
The possible risks, deficiencies, and controls that could have been identified from the case are
listed in Table 2. The risks, deficiencies, and controls identified by each participant were coded by
two of the co-authors independently.⁶ The third sheet was used for this analysis, which, therefore,
contained all the risks, deficiencies, and controls that were ultimately identified by each participant,
either in the initial step or in later steps. The variables RISK, CONTROL, and DEFICIENCY
represent the total number of different valid risks, controls, and deficiencies, respectively, identified
by each participant. Descriptive statistics of these variables are presented in Table 3. On average,

⁵ Results of independent samples t-tests are presented in Table 4. We also performed Mann-Whitney nonparametric
U-tests. Results were qualitatively similar.
⁶ The kappa coefficient of inter-coder reliability was 89.6 percent, and all disagreements were reconciled.

TABLE 2
Descriptions of Controls, Risks, and Deficiencies

Panel A: Controls

| Description of Control | n | Importance |
|---|---|---|
| C1. Purchases are initiated by supplies manager (segregation of duties) | 20 | 6.0 |
| C2. Inventory re-order point exists | 16 | 4.0 |
| C3. Large purchases are approved by the production manager | 53 | 5.7 |
| C4. Goods are counted when received | 52 | 5.0 |
| C5. Invoices are checked for accuracy when received | 45 | 5.0 |
| C6. Not used | | |
| C7. A disbursement voucher is prepared as A/P is entered | 5 | 1.3 |
| C8. A/P manager reviews disbursement vouchers | 18 | 5.0 |
| C9. A/P manager approves payments | 30 | 6.0 |
| C10. Batch summary is checked by cashier to checks | 23 | 4.7 |
| C11. Aborted payments are marked | 18 | 2.7 |
| C12. There is adequate segregation of duties | 21 | 6.7 |
| C13. Invoices are matched to supporting documentation | 0 | 4.7 |
| C14. The cashier is authorized by the Board of Directors | 10 | 1.3 |
| C15. Goods are counted to verify that quantities are correct | 0 | 6.0 |
| C16. The packing slip is matched to receiving report | 0 | 5.0 |
| C17. All purchase orders are authorized | 0 | 5.7 |
| C18. Purchase order is matched to receiving report | 44 | 4.7 |
| C19. Invoice is matched to receiving report | 40 | 6.7 |
| C20. Invoice is matched to purchase order | 46 | 4.7 |

n refers to the number of participants, out of 74, who identified the control. Importance is the mean ranking of importance
by three judges, on a scale of 1 (not important at all) to 7 (very important).

Panel B: Risks

| Description of Risk | n | Importance |
|---|---|---|
| R1. All purchases relate to the entity | 61 | 6.7 |
| R2. All purchases are made from valid approved suppliers | 34 | 3.7 |
| R3. Purchases are made if and only if required | 0 | 4.0 |
| R4. All goods ordered are received | 37 | 3.0 |
| R5. The quantity received equals the quantity on receiving report | 48 | 4.3 |
| R6. All goods received are updated to inventory records | 10 | 6.0 |
| R7. All goods received are posted to A/P | 14 | 6.3 |
| R8. Payables are recorded if and only if goods are received | 0 | 6.7 |
| R9. Inventory records are adjusted if and only if goods are received | 0 | 6.0 |
| R10. The quantity entered in inventory is the quantity received | 7 | 6.0 |
| R11. Pricing and extensions of invoices are correct | 43 | 5.0 |
| R12. Amounts are correctly posted to inventory and A/P | 16 | 6.0 |
| R13. Payables and inventory are not recorded twice | 1 | 5.3 |
| R14. Payables are posted to correct suppliers | 5 | 5.0 |
| R15. Payments are not paid twice | 13 | 4.7 |
| R16. Payments are only made for legitimate A/P | 51 | 6.0 |
| R17. Aborted payments are not sent out | 13 | 2.7 |
| R18. All checks are made out in proper amount | 6 | 5.3 |
| R19. All payment amounts are correctly recorded | 8 | 5.7 |
| R20. Payments are posted to correct suppliers | 5 | 5.0 |
| R21. All payments are recorded | 6 | 6.0 |
| R22. All payments are paid promptly | 8 | 4.3 |
| R23. Payables are not paid too early | 1 | 3.0 |
| R24. There is an adequate segregation of duties | 22 | 6.7 |
| R25. Logical access is controlled | 4 | 6.7 |
| R26. Physical access is controlled | 25 | 6.3 |
| R27. Purchase orders are not used twice | 2 | 2.3 |
| R28. Purchase orders are not lost or out of sequence | 5 | 2.3 |
| R29. Prices paid are not too high | 13 | 3.7 |
| R30. The quality of goods ordered is sufficient | 14 | 4.0 |
| R31. Goods are not received that were not ordered | 11 | 3.0 |
| R32. Items received are not damaged | 2 | 4.0 |
| R33. Goods returned are properly authorized | 1 | 5.0 |
| R34. Goods returned are accounted for properly | 2 | 5.3 |
| R35. Purchases are made when required | 20 | 4.7 |
| R36. Purchases are made only when needed | 63 | 3.7 |
| R37. Payables are recorded when goods are received | 12 | 6.3 |
| R38. No payables are recorded unless goods are received | 38 | 5.7 |
| R39. Inventory records are updated as soon as goods are received | 4 | 5.7 |
| R40. Inventory records are updated only when goods are received | 4 | 6.0 |

n refers to the number of participants, out of 74, who identified the risk. Importance is the mean ranking of importance by
three judges, on a scale of 1 (not important at all) to 7 (very important).

Panel C: Deficiencies

| Description of Deficiency | n | Importance |
|---|---|---|
| D1. Should have an approved supplier list | 26 | 3.7 |
| D2. Should perform periodic inventory counts | 8 | 6.7 |
| D3. Should compare batch totals of inventory record adjustments to receiving reports | 7 | 6.0 |
| D4. Invoices should be stamped when recorded | 0 | 5.0 |
| D5. There should be follow-up of purchase order numbers | 16 | 4.0 |
| D6. Invoices should be cancelled once paid | 11 | 4.3 |
| D7. Should perform a periodic reconciliation of supplier statements | 4 | 5.3 |
| D8. Bank reconciliations should be done | 8 | 7.0 |
| D9. A batch summary of checks paid should be compared to A/P posting | 1 | 4.7 |
| D10. Receiving reports should be pre-numbered with follow-up | 5 | 4.7 |
| D11. There should be periodic follow-up of open order file | 12 | 4.3 |
| D12. Disbursements should be made on due date less processing time | 1 | 4.0 |
| D13. Software programs should be password protected | 3 | 6.3 |
| D14. Warehouse access should be restricted | 10 | 6.3 |
| D15. There should be examination/follow-up of quality of goods | 5 | 4.3 |
| D16. Should review signed checks before sending out or checks should have a 2nd signature | 27 | 6.0 |
| D17. Should review minimum re-order levels | 4 | 3.3 |
| D18. Should compare prices/get bids | 7 | 3.7 |
| D19. Should restrict access to check-signing machine | 3 | 6.3 |
| D20. Should follow up incorrect orders | 0 | 4.0 |
| D21. Should ensure prompt recording/proper cutoff at year end | 4 | 5.3 |
| D22. Should follow up disbursement vouchers | 1 | 5.0 |
| D23. Should have control over goods returned | 1 | 4.0 |
| D24. Should have control over invoices reaching A/P, such as having a list of invoices that have been forwarded | 4 | 4.3 |
| D25. Should have segregation of purchase authorization and receiving for ALL purchases | 17 | 4.0 |
| D26. Should review all aborted payments | 2 | 2.7 |

n refers to the number of participants, out of 74, who identified the deficiency. Importance is the mean ranking of
importance by three judges, on a scale of 1 (not important at all) to 7 (very important).

individual participants identified 5.50 different controls, 8.50 different risks, and 2.53 different
deficiencies.
It is important to note that there is not a one-to-one mapping of risks, controls, and deficiencies,
that is, the number of deficiencies is not necessarily equal to the number of risks less the number of
controls. This is because one control may address more than one risk. For example, management
review of documentation before payment could prevent unauthorized purchases, incorrect payment
amounts, and/or unsupported payments. Similarly, risks may be addressed by more than one
control. Unauthorized purchases may be prevented by both a purchase requisition system and by
management review of documentation before payment.
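The many-to-many mapping described above can be made concrete with a small risk-control matrix. This is an added illustration, not part of the original study: the two controls and the first three risks are the ones named in the paragraph, while the "duplicate payment" risk and all function names are hypothetical.

```python
# Constructed risk-control matrix. The two controls and the first three risks
# are the ones the paragraph names; "duplicate payment" is a hypothetical risk
# added here so that one risk is left without any control.
RISKS = [
    "unauthorized purchase",
    "incorrect payment amount",
    "unsupported payment",
    "duplicate payment",  # hypothetical, not from the paper
]

CONTROLS = {
    "management review of documentation before payment": {
        "unauthorized purchase",
        "incorrect payment amount",
        "unsupported payment",
    },
    "purchase requisition system": {"unauthorized purchase"},
}


def coverage(risks, controls):
    """Map each risk to the set of controls that address it."""
    covered = {risk: set() for risk in risks}
    for control, addressed in controls.items():
        unknown = addressed - set(covered)
        if unknown:
            # A control that points at a risk nobody listed is a sign the
            # risk inventory is incomplete, so fail loudly.
            raise ValueError(f"{control!r} addresses unlisted risks: {sorted(unknown)}")
        for risk in addressed:
            covered[risk].add(control)
    return covered


def deficiencies(risks, controls):
    """Risks with no control at all, in the order the risks were listed."""
    return [risk for risk, ctrls in coverage(risks, controls).items() if not ctrls]


def singly_covered(risks, controls):
    """Risks that depend on exactly one control (no compensating control)."""
    return [risk for risk, ctrls in coverage(risks, controls).items() if len(ctrls) == 1]


if __name__ == "__main__":
    print("risks:", len(RISKS), "controls:", len(CONTROLS))
    print("risks minus controls:", len(RISKS) - len(CONTROLS))
    print("actual deficiencies:", deficiencies(RISKS, CONTROLS))
    print("rely on one control:", singly_covered(RISKS, CONTROLS))
```

Here four risks and two controls leave one deficiency, not two, because one control covers three risks and one risk is covered twice.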
H1 deals with the task order effect on the number of deficiencies identified. ANCOVA tests for
this hypothesis, controlling for city, course, and months of experience, are presented in Table 4.
Participants in the risks-first condition identified 2.92 deficiencies on average, compared to 2.11 in
the controls-first condition. This difference is significant at p < 0.01, strongly supporting H1.
To assess the importance of deficiencies identified for RQ1, we had three judges rate the
importance of the risks, controls, and deficiencies in our experimental case. One judge was a partner
of risk advisory services for a Big 4 public accounting firm; the second judge was an internal
auditor of a large publicly traded firm who had extensive experience in the design and evaluation of
internal control systems; and the third judge had taught courses in internal control, which included
the evaluation of internal control field projects performed by students registered in the course. Each
judge assessed importance on a scale of 1 (not important at all) to 7 (very important).⁷ The
importance of each risk, control, and deficiency was then measured by the mean assessment of the
three judges. As can be seen from Table 2, the importance scores of all the strengths, deficiencies,
and risks varied widely. An important justification for our research question is that it gives us a
better indication of the effectiveness of the internal control evaluations. While there were several
deficiencies in the system, some were significantly more important than others. Therefore, an
effective control evaluation would identify both a significant number of deficiencies, and important

⁷ Importance was not explicitly defined for the judges. They were told to assess the importance based on “whatever
they would be most concerned with in the situation of being an advisor to the company.”

TABLE 3
Descriptive Statistics

| Variable | n | Minimum | Maximum | Mean | Standard Deviation |
|---|---|---|---|---|---|
| CONTROL | 74 | 0 | 11 | 5.50 | 3.19 |
| RISK | 74 | 0 | 17 | 8.50 | 2.99 |
| DEFICIENCY | 74 | 0 | 6 | 2.53 | 1.72 |
| CONTROLIMPORT | 74 | 0 | 56.33 | 30.29 | 15.82 |
| RISKIMPORT | 74 | 0 | 85.33 | 42.30 | 15.46 |
| DEFICIENCYIMPORT | 74 | 0 | 29.33 | 12.28 | 8.24 |

CONTROL, RISK, and DEFICIENCY are the number of distinct controls, risks, and deficiencies, respectively, identified
by each of the participants. For the CONTROLIMPORT, RISKIMPORT, and DEFICIENCYIMPORT variables, the
importance of each control, risk, and deficiency was rated on a scale of 1 (not important) to 7 (very important) by three
judges, and a mean rating was computed. CONTROLIMPORT, RISKIMPORT, and DEFICIENCYIMPORT are the sums
of those importance ratings of the controls, risks, and deficiencies, respectively, identified by each of the participants.

ones. For this reason, our variable adds the deficiencies identified, effectively weighted by their
importance.
We constructed deficiency importance variables (DEFICIENCYIMPORT) for each participant
equal to the sum of the mean importance scores of the deficiencies identified by that participant.⁸
The mean importance scores, presented in Table 3, were 30.29, 42.30, and 12.28 for controls, risks,
and deficiencies, respectively.
To investigate RQ1, the internal control deficiency importance scores (DEFICIENCYIMPORT)
of the risks-first group were compared with those of the controls-first group. ANCOVA results,
controlling for city, course, and months of experience, are presented in Table 4. The mean
importance score of the risks-first group was 13.99, compared with 10.47 for the controls-first
group, which is statistically significant at p < 0.01.
Our importance scores are based on both the importance of the item identified and the number
of items identified. Therefore, a participant could theoretically achieve a high importance score by
identifying a large number of less-important controls. As a check on the validity of our results,
presented in Table 2, we identified and analyzed only those controls and deficiencies that were
judged as having above-median importance (greater than or equal to 5 on a seven-point scale) by all
three judges. This resulted in a possible set of seven deficiencies and five controls. Similar to our
reported analysis, the risks-first group identified marginally, but significantly, more of these
deficiencies but significantly fewer of these controls.
It is also interesting to note from Table 4 that the risks-first group identified significantly fewer
controls than the controls-first group, a result that we had not anticipated. Specifically, the risks-first
group identified 3.47 controls versus 7.64 controls identified on average for the controls-first group.
The importance of the controls identified was also significantly different. It may be that the task
ordering effectively induced a framing effect. Emby (1995) found that auditors recommended more
(less) extensive substantive testing, indicating less (more) reliance on internal controls, when
instructed to evaluate the risk (versus strength) of the internal control system. We did not expect a
framing effect in our experiment, as the wording we used was identical in both task conditions.

⁸ The list of identified risks, controls, and deficiencies, with mean importance scores, are presented in Table 2. A
participant who identified only risks R1, R2, and R3 (see Panel B of Table 2), for example, would be assigned a
RISKIMPORT score of 6.7 + 3.7 + 4.0 = 14.4.

TABLE 4
Cell Means by Task Order Condition

| | Risk First Condition (n = 38): Mean (Standard Deviation) | Control First Condition (n = 36): Mean (Standard Deviation) | F+ (df = 1,59) |
|---|---|---|---|
| DEFICIENCY | 2.92 (1.63) | 2.11 (1.74) | 11.33*** |
| RISK | 8.63 (2.94) | 8.36 (3.07) | 1.72 |
| CONTROL | 3.47 (2.15) | 7.64 (2.67) | 39.76*** |
| DEFICIENCYIMPORT | 13.99 (7.67) | 10.47 (8.54) | 8.16*** |
| RISKIMPORT | 42.92 (15.42) | 41.64 (15.69) | 0.90 |
| CONTROLIMPORT | 22.40 (13.67) | 38.61 (13.62) | 16.75*** |

*, **, *** Indicate significance at p < 0.10, p < 0.05, and p < 0.01 levels, respectively.
CONTROL, RISK, and DEFICIENCY are the number of distinct controls, risks, and deficiencies, respectively, identified
by each of the participants. For the CONTROLIMPORT, RISKIMPORT, and DEFICIENCYIMPORT variables, the
importance of each control, risk, and deficiency was rated on a scale of 1 (not important) to 7 (very important) by three
judges, and a mean rating was computed. CONTROLIMPORT, RISKIMPORT, and DEFICIENCYIMPORT are the sums
of those importance ratings of the controls, risks, and deficiencies, respectively, identified by each of the participants.
+ F is the result of ANCOVA tests of the risk-first versus control-first effect, controlling for City and Course (fixed
effects), and months of experience as a covariate.

Even so, our results were consistent with such a framing effect. In Emby’s (1995) case, losses were
averted by increasing substantive testing. In our case, our losses may have been averted by
concentrating on internal control deficiencies more than concentrating on internal control strengths.
Our finding that participants in the risks-first condition identified fewer controls also has
important implications. While our hypothesis that more deficiencies and more important
deficiencies would be reported by the risks-first group was supported, it is perhaps surprising to
note that the number of risks generated by the two groups was not significantly different; the
risks-first group generated 8.63 risks while the controls-first group generated 8.36 risks, but this
may be an artifact of our experimental design. Since they identified more controls, they also
naturally identified more risks. However, it is an illustration of our theory that the risks generated
did not lead to a more effective identification of deficiencies, as these risks were already controlled,
and they were unable to generate more risks (that were not controlled) in the subsequent step.
Therefore, the controls-first group did identify almost as many risks as the risks-first group did, but
ultimately did worse in identifying deficiencies.

Supplemental Analysis
We were surprised that overall, our participants identified only 5.5 out of 20 controls, 8.5 out of
40 risks, and 2.53 out of 26 deficiencies, and the minimum number of controls, risks, and
deficiencies identified across all participants was zero. While this does suggest that the process of
deficiency identification is difficult, it also calls into question whether our participants were
sufficiently engaged or competent to perform this task. Participants appeared to be engaged, and in
the session in which we measured time, all participants spent at least 40 minutes on the task. None
of the participants had a zero score on more than one variable, so we concluded that none needed to
be eliminated because of non-engagement.
With respect to performance, our participants did not rate the task as being especially
difficult—participants in the two conditions ranked the task as 5.1 and 5.5 on an 11 point scale,
where 0 was “not difficult” and 11 was “very difficult.” Furthermore, it is important to note that the
total number of deficiencies (the denominator of our ratio) is somewhat overstated, as the list
includes any valid deficiency that any of our participants generated. For example, several
participants identified that two signatures were not required for checks under $200. Our judges,
recognizing that this control was implemented due to cost-benefit considerations, did not rate this as
an important deficiency. This is the reason that we performed our second set of analyses where each
participant’s responses were weighted by the importance of the risks, controls, and deficiencies that
they identified. Therefore, the participant would be considered to have generated a deficiency for
the purposes of testing H1, but the participant would receive a lower score, all other things being
equal, on the DEFICIENCYIMPORT variable used to test RQ1. However, this coding scheme
meant that we did have a very large number of possible deficiencies, and it would not be surprising
that participants did not identify many of them, as many were not important.
Nevertheless, we did perform some tests to determine if our participants were sufficiently
competent for our study to be valid. We first investigated the performance and results of our sub-
groups. As previously noted, the experiment was administered to a total of 78 participants on three
separate occasions, to accountants attending sessions at the end of CGA Auditing 1 or Auditing 2
courses in two different cities. The number of risks identified and the number of controls identified
did not differ significantly between the groups (City 1 versus City 2 and Audit 1 versus Audit 2
students). On average, however, the City 1 participants generated significantly more deficiencies
than did the City 2 participants (mean 3.26 versus 2.22, p < 0.05), and the Audit 1 participants,
somewhat surprisingly, generated significantly more deficiencies than did the Audit 2 participants
(3.53 versus 2.43, p < 0.04). However, even though some groups appeared to perform better than
others, the overall results of our study hold within each City and Course group.

LIMITATIONS, DISCUSSION, AND CONCLUSIONS


This study examined the effect of the order of internal control evaluation sub-tasks on the
quality of that evaluation. Interference theory suggests that auditors who generate risks before
identifying system controls will identify more risks. We argue that identification of more risks, in
turn, helps the auditor to identify more deficiencies in the control system. Conversely, prior
identification of controls will interfere with the auditor’s ability to generate risks and, therefore, to
identify deficiencies. Our experimental results are consistent with this argument. Participants that
identified risks first identified more deficiencies. However, these risks-first participants also
identified fewer controls than participants that identified the controls first. In other words, the
risks-first participants tended to under-identify controls that were present.
These results indicate that there could be a trade-off between audit efficiency and audit
effectiveness. If auditors fail to identify deficiencies in the client’s system, this undermines the
effectiveness of the audit. The auditor’s failure to identify deficiencies may imply that errors are
present in the final audited financial statements. Secondarily, the auditor cannot identify potential
improvements to be made to the client’s system, which are often a significant component of the
“value-added” services provided by the audit.
Our study is subject to the usual limitations regarding experimental conditions, although, as
noted, economic incentives were put in place and participants appeared to be engaged in the task. A
particular limitation of this study, however, is that the nature of the task materials may have
imposed some structure on the task. Since the participants had to fill out risks, controls, and
deficiencies in a tabular format, they were perhaps more organized in their approach than they
would otherwise be. Additional research into the effects of such a structured approach would be a
useful extension of this research.
Another limitation is that our importance scores relied on assessments made by three judges.
To ensure that our results were as valid as possible, we first compared the judges’ assessments to
ensure that there was a reasonable level of consensus. The pair-wise correlations of the three
judges’ scores were all statistically significant (at the p < 0.10 level between judges 1 and 2; at the
p < 0.05 level between judges 1 and 3; and at the p < 0.01 level between judges 2 and 3). We also
performed all analyses using the assessments of the individual judges rather than the average
assessments and found qualitatively similar results.
Our results suggest that audit effectiveness can be improved by identifying the risks to be
addressed by the system before analyzing the controls. However, participants following this
sub-task order tended to under-identify controls. This hinders audit efficiency, as the auditor will
then ultimately place less reliance on the internal control system in place than could be otherwise
justified. A possible solution to this problem would be to employ both strategies: One member of
the audit team could follow a risks-first task order, while another member follows a controls-first
task order. Alternatively, the reviewer could follow a different task ordering than the subordinate.
Research into the effects of a combined strategy of this sort could be of value to practitioners.
Our results also have implications for standard setters. Current auditing standards do not
specify the order in which auditors perform the sub-tasks comprising the internal control evaluation,
or even clearly state that auditors should generate for themselves a list of the risks related to
financial reporting. This study suggests that these are alternative specifications of the internal
control evaluation process that have potentially important implications for audit efficiency and
effectiveness.

REFERENCES
Anderson, J. C., S. E. Kaplan, and P. M. J. Reckers. 1992. The effects of output interference on analytical
procedures judgments. Auditing: A Journal of Practice & Theory 11 (2): 1–13.
Bierstaker, J. L. 2003. Auditor recall and evaluation of internal control information: Does task-specific
knowledge mitigate part-list interference? Managerial Auditing Journal 18 (1/2): 90–100.
Canadian Institute of Chartered Accountants (CICA). 2007. Practice Engagement Manual. Toronto,
Canada: CICA.
Certified General Accountants Association of Canada (CGA). 2007. Public Practice Manual. Vancouver,
Canada: CGA Association of Canada.
Church, B., and A. Schneider. 1993. Auditors’ generation of diagnostic hypotheses in response to a
superior’s suggestion: Interference effects. Contemporary Accounting Research 10: 333–350.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1994. Report of the
National Commission on Fraudulent Financial Reporting. New York, NY: COSO.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2006. Internal Control
over Financial Reporting-Guidance for Smaller Public Companies. New York, NY: COSO.
Emby, C. 1995. Framing and presentation mode effects in professional judgment: Auditors’ internal control
judgments and substantive testing decisions. Auditing: A Journal of Practice & Theory 13
(Supplement): 102–115.
Frederick, D. M. 1991. Auditors’ representation and retrieval of internal control knowledge. The Accounting
Review 66 (April): 240–258.
Heiman-Hoffman, V., D. Moser, and J. Joseph. 1995. The impact of an auditor’s initial hypothesis on
subsequent performance at identifying actual errors. Contemporary Accounting Research 11 (2):
763–779.
International Auditing and Assurance Standards Board (IAASB). 2007. Handbook of International Auditing
Assurance and Ethics Pronouncements. New York, NY: International Federation of Accountants.
Kopp, L. S., and J. L. Bierstaker. 2006. Auditors’ memory of internal control information: The effect of
documentation preparation versus review. Advances in Accounting Behavioral Research 9: 27–50.
Libby, R., and D. M. Frederick. 1990. Experience and the ability to explain audit findings. Journal of
Accounting Research 28 (2): 348–367.
Public Company Accounting Oversight Board (PCAOB). 2007. Auditing Standard No 5. Washington,
D.C.: PCAOB.
Roybark, H. M. 2006. An Analysis of Audit Deficiencies Based on PCAOB Inspection Reports Issued
During 2005. Journal of Accounting, Ethics & Public Policy 6 (2): 125–154.
Slamecka, N. J. 1968. An examination of trace storage in free recall. Journal of Experimental Psychology
76: 504–513.
Tubbs, R. M. 1992. The effect of experience on the auditor’s organization and amount of knowledge. The
Accounting Review 67 (October): 783–801.

APPENDIX A
SYSTEM DESCRIPTION USED FOR EXPERIMENTAL TASKS
You are the senior in charge of an important client for your firm, Wittim Medical Supplies, Inc.
Wittim manufactures a variety of medical supplies, including test tubes, thermometers, and
disposable surgical garments. Your task today is the internal control evaluation of the purchasing
cycle.
The supplies manager initiates the purchase and maintains the inventory records. The records
include reorder points for all regularly used items. The supplies manager prepares a purchase
requisition on a two-part, pre-numbered form. After signing the requisition, he files one copy by
requisition number and sends the other copy to the purchasing department. Requisitions for items
that will cost over $100 must be approved by the production manager before being sent to the
purchasing department.

PURCHASING DEPARTMENT
The purchasing department checks a purchase requisition for proper approval and selects a
vendor. A five-part, pre-numbered purchase order is prepared. Copies are sent to the vendor,
receiving department, accounts payable, and the supplies manager. The purchasing department
records the current purchase and files its purchase order and requisition copies by purchase order
number in the open order file. The receiving department files its copy in a file by purchase order
number. The supplies manager files his copy with its corresponding purchase requisition.

RECEIVING DEPARTMENT
An authorized receiving department employee counts the goods to verify that they were
received, compares the count to the packing slip, and prepares a four-part receiving report. Copies
of the receiving report are sent to the supplies manager, the purchasing department, and accounts
payable. The receiving department files its copy of the receiving report and the packing slip with its
copy of the purchase order. The supplies manager updates the inventory records when he receives
the receiving report and then files the purchase order, purchase requisition, and receiving report by
purchase order number. The purchasing department files its copy with the order in the open order
file.
The purchasing department receives two-part invoices from the vendors. One copy of the
approved invoice is sent to accounts payable. The purchase order, purchase requisition, invoice, and
receiving report are then filed in the closed order file by purchase order number.

ACCOUNTS PAYABLE DEPARTMENT


The accounts payable department receives and matches purchase orders and approved invoices
from the purchasing department with receiving reports from the receiving department. The invoices
are checked for prices, quantities, and mathematical accuracy. A clerk initials them if they are
accurate. When all the documents are received, a clerk posts the payable amount to the particular
vendor’s payable account, prepares a pre-numbered disbursement voucher, and attaches it to the
purchase order, receiving report, and invoice. The package is then given to the accounts payable
manager for review and approval for payment. The manager gives the approved disbursement
vouchers to a second clerk. The clerk batches and totals the approved vouchers and prepares a batch
summary. The batch summary is sent to the accounting department. A third clerk completes a
two-part, pre-numbered check for each disbursement voucher. The check and the disbursement
vouchers are sent to the cashier.

CASH DISBURSEMENTS DEPARTMENT


The cashier totals the checks and compares the total to the batch summary. She then signs the
checks with the treasurer’s signature using a check-signing machine. She is authorized by the board
of directors to disburse company funds. She then places the first copies of the check/remittances in
envelopes and sends them to the vendors. The second copy is sent to the accounting department.
The checks for aborted payments are marked to prevent their payment.

Copyright of Behavioral Research in Accounting is the property of American Accounting Association and its
content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's
express written permission. However, users may print, download, or email articles for individual use.
