Audit fees and Internal Control Weakness Disclosures

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

The early 2000's witnessed major scandals and governance failures resulting in bankruptcy or financial difficulty for some of the major United States (U.S) corporations such as Enron and WorldCom among many others. The financial markets were shaken resulting in investors losing billions of dollars, jobs disappeared and many people were deeply affected by losing their retirement savings as a result. However, when questioned the arrogant attitudes of executives did not settle well with the world. For instance, Jeffrey Skilling - CEO of Enron while in congressional testimony stated that "financial reporting and disclosure vigilance is the proper domain not of a CEO, but of Enron's accountants and lawyers" (Bhamornsiri, Guinn & Schroeder, 2008, p.18). Given the public unrest following the hearings, the Senate passed the Sarbanes-Oxley Act (SOX) of 2002 on July 15, 2002 under the Bush administration (Bhamornsiri, Guinn & Schroeder, 2008, p.18).

This act introduced more regulation over corporate governance and had stringent reporting standards to allow for more transparency in the financial statements. As such the media started scrutinizing the audit profession for the increase in audit fees and over-regulation following the need to perform additional work to attest management's assessment of internal controls over financial reporting (ICFR) under Section 404 of the act (Ciesielski & Weirich, 2006, p.28). This section requires the auditor to report on the effectiveness of ICFR and express his/her opinion based on the findings. "Section 404 has been the most controversial element of SOX" to date that has led many to believe that "it needs to be repealed or the economy will be doomed" (Raghunandan & Rama, 2006, p.2; Ciesielski & Weirich, 2006, p.28). Between 2001 and 2004, total audit and audit-related fees increased by a whopping 103% based on sample of 496 out of the 500 S&P companies as per Ciesielski and Wierich. However, the study did not factor other variables within the audit pricing model that could have increased audit fees.

Canada's response to SOX 404 with an equivalent standard is Multilateral Instrument 52-11 over internal control reporting which was published as a draft on February 4, 2005. Under the draft, the implementation dates for the requirements are to be phased in based on the company's market capitalization. Companies with $500 million or greater would comply for years ending on or after June 30, 2006. As such companies with less than $75 million are to comply for years ending on or after June 30, 2009 (Leech, 2005, p.9). Canadian companies that are cross-listed and registered with the SEC have an option to waive these requirements to comply with SOX 302 and 404 instead. This paper however will not focus on the Canadian equivalent standard since there is minimal research available to date.

Previous studies by researchers have proposed audit pricing models that have factored in variables such as size of the auditee, complexity of operations, industry and amount of inventory and receivables (Simunic, 1980). However, following the issuance of SOX 404 various studies have been performed to determine the audit fee relationship with internal control weakness disclosures and have tried to update the audit pricing model.

This paper will focus on the association between audit fees and internal control weakness disclosures made pursuant to SOX 404. As a result since auditors are required to attest to management's control systems they are spending more time on their audits resulting in higher fees being charged. It can be hypothesized that the audit fee effect could be doubled as a result.

The paper will start with a background on pre-SOX era audit pricing model as developed by Simunic (1980) followed by a review of the main disclosure requirements under SOX 404 relating to internal controls. It will be followed with a literary review of studies that are focused on the relationship between internal control weakness disclosures and audit fees post-SOX era. The paper will then synthesize reviews of the studies and will provide an analysis to conclude on the association between audit fees and internal control deficiency disclosures under SOX 404.


Audit Pricing Model - A review

Audit fee research frequently refers back to the audit pricing model developed by Dan A. Simunic and his research paper "The Pricing of Audit Services: Theory and Evidence" (1980). His theoretical model indicated the main determinants of audit fees were factors such as loss exposure, loss sharing ratios and the auditor's production function. Variables related to liability loss exposure consisted of the auditee size, complexity of operations, amount of receivables and inventory and industry of the auditee regardless if the client was private or public. Loss sharing ratios related to the auditee's financial difficulty, including the accounting rate of return and whether the client had a loss in the last three years or a qualified audit report (Simunic, 1980, p.173). Variables with respect to the auditor's production function were whether the auditor was a big versus a non-big auditor (based on economies of scale), years they have been conducting the audit (the learning effect), and the industry that the auditor specializes in (p.174) [1] . Prior audit fee research based on variations of Simunic's model included the examination of how audit fees changed with firms switching auditors, firms being listed on a public exchange and auditors' perception of their client's risk (Eikner, Morris & Butler, 2005, p.3).

Summary of SOX 404 Provisions

Section 404 is comprised of two main sections being 404(a) and 404(b). The first section outlines management's responsibilities toward including an internal control report in the annual report. It outlines management's responsibility towards establishing and maintaining adequate controls over the financial reporting environment and provides an assessment of the effectiveness of the ICFR for the fiscal year. Executives and financial officers are required to make quarterly and annual assessments with respect to the effectiveness of ICFR to the SEC.

Section 404(b) pertains to the auditor's responsibility requiring a report to be issued over the internal control assessments made by auditee management. The audit opinion issued in the report should indicate if management maintained in all material respects effective ICFR as of a specific date based on the control criteria used by management (Bhamornsiri, Guinn & Schroeder, 2008, p.19). This section became effective for fiscal years ending on or after November 15, 2004 for accelerated filers (Hogan & Wilkins, 2008, p.222). Companies with market capitalization of below $75 million are considered to be non-accelerated filers and section 404 became effective for these companies for fiscal years ending or after July 15, 2007 (Foster, Ornstein & Shastri, 2007, p.664).

Given the widespread impact of the extensive work required towards internal control reporting the audit pricing model needs to be updated accordingly post-SOX era.


This part of the paper will provide a literary review of findings of the association between audit fees and internal control weakness disclosures in particular pursuant to SOX implementation.

"SOX Section 404 Material Weakness Disclosures and Audit Fees" (2006) a research paper by Raghunandan and Rama examined the relationship between audit fees and internal control weakness disclosures pursuant to SOX 404. Their sample included 660 manufacturing firms that had a December 31, 2004 year end that had to file a section 404 report by May 15, 2005 (Raghunandan & Rama, 2006, p.99). The sample was specific to manufacturing industry as prior research demonstrated that audit fees varied across industries, in effect this reduced the variation within the sample.

The authors took keen interest in results that mainly related to the magnitude of higher fees, relation of audit fees with prior year audit fees and the effects of internal control weaknesses on audit fees. Findings indicated that the audit fees for 2004 were must higher than the corresponding fees for 2003 with the mean being 86 percent higher. 58 firms that did disclose material weaknesses in ICFR resulted in higher audit fees. It was also found that the audit fees for fiscal 2004 was 43 percent higher for firms that reported a section 404 material weakness disclosure in comparison with firms without the disclosure (p.100).

It was indicated that given the time frame of the official implementation of SOX that was issued in 2003, companies were made aware well in advance about the required reporting requirements before 2004. As well auditors were always expected to assess the strength of internal controls of the auditee when planning for audits under the auditing standards. Therefore it would be expected to have high audit fees regardless of the fiscal year or standard. However, the fact that the section 404 material weakness indicator was significant in explaining audit fees for fiscal 2004, but not for 2003 was found to be surprising (p.100). Results indicated that auditors most likely would not done extensive testing of internal controls in 2003. However given the new standards being set and heavier accountability being placed on the auditor, additional work would have been performed in 2004 that resulted in higher fees being charged with respect to ICFR weaknesses. The change could have also been explained with the fact that the PCAOB issued auditing standard No. 2 (similar to SOX 404(b)) only in March 2004 (p.103).

The association between audit fees and material weakness disclosures was found not to vary depending on the type of internal control weakness. Internal control weaknesses were categorized as either being systemic or not-systemic based on the classifications of bond rating agencies (p.109). Systemic weaknesses are problems with governance or personnel quality in charge of financial reporting functions. The authors were trying to determine the magnitude of higher fees charged to understand better the association between audit fees and internal control weakness disclosures.

"Audit Costs, material weaknesses under SOX Section 404" (2007) another research paper by Foster, Ornstein and Shastri focused their analyses on the audit fee costs and material weaknesses reported for companies of different sizes after the implementation of SOX 404. The sample for the study consisted of companies that were listed in the Audit AnalyticsTM database (Foster, Ornstein & Shastri, 2007, p.662). The database consisted of audit fee information from 2003-2005 with a total of 3,497 companies. Their findings included a substantial increase during the first year of compliance with section 404 with an increase of 73 percent from 2003 to 2004, and that fees have not dropped ever since. Potential reasons provided for the substantial rise was attributed to the increased level of audit procedures that had to be performed or the auditor's fear of public scrutiny following the downfall of Arthur Andersen. It was noted with a comparison of 2004 audit fees for companies with material weaknesses against companies with effective controls the audit fees charged were at least 30 percent higher. This finding is consistent with the study by Raghunandan and Rama (2006) where audit fees for disclosing material weaknesses was 43 percent higher than for firms without such disclosure.

Findings also indicated that company size which is determined by sales revenue affected the likelihood of a material weakness being reported. Approximately 10 and 6 percent of companies with sales over $1 billion reported material internal control weaknesses, when compared to approximately 18 and 9 percent with sales less than $1 billion in 2004 and 2005 respectively (p.667).

A professional publication "Sarbanes-Oxley Section 404 and Internal Controls" (2007) by Bedard, Graham, R.Hoitash and U.Hoitash analyzed the effect that company size had on audit fees for 2004 and 2005, two years of compliance with SOX 404. Total assets were used as a measure to determine company size. Findings indicated that companies that reported material weaknesses in ICFR for both years were smaller than companies with effective controls (Bedard, Graham, Hoitash & Hoitash, 2007, p.34). A possible explanation for the rise in audit fees for smaller firms was the potential for a lack of resources available to address the internal control weaknesses such as the lack of internal audit resources (p.34). Their study also found that audit fees were substantially higher for companies reporting internal control weaknesses with the fees being almost doubled when compared to firms with no reported weaknesses (p.35). "Ups and Downs of Audit Fees Since the Sarbanes-Oxley Act" (2006) another professional publication by Ciesielski & Wierich also found that with regards to the S&P 500, combined audit fees and audit-related fees increased by 41% relative to 2003, the first year of compliance with section 404 (Ciesielski & Wierich, 2006, p.29). The internal control disclosures were attributed to being one of the reasons for the rise in audit fees. They explained that the audit fees were on the rise mainly to acquire compensation for potential future litigation when the "sturdier audit wasn't enough" (Ciesielski & Wierich, 2006, p.31).

A research paper "Internal Control Quality and Audit Pricing under the Sarbanes-Oxley Act" (2008) by R. Hoitash, U. Hoitash & Bedard analyzed the relationship between audit fees and ICFR weakness disclosures in compliance with SOX 404. The sample consisted of 2,501 accelerate filers that was not limited by industry with fiscal year ends up to October 31, 2005 (p.106) unlike companies that were taken just from the manufacturing industry in Raghunandan's & Rama's research (2006). They found strong evidence of positive association of audit fees with internal control problems under compliance with section 404 for the first year in 2004 that was consistent with research by Raghunandan & Rama (2006) (Hoitash, Hoitash & Bedard, 2008, p.123). As costs increased for engagement effort to comply with the standard these cost increases are passed on to clients in the presence of ICFR weaknesses and/or charge the client a risk premium to compensate the auditor for residual risk (p.123).

However contrary to Raghunandan's & Rama's research, based on the sample the researchers found that audit pricing for companies with ICFR problems varied by severity of the problem. Severity was determined as being material weaknesses (MW) or significant deficiencies (SD) (p.105). The two categories are distinguished in the materiality of the misstatement likely to be prevented or detected, and by disclosure being mandatory or voluntary (p.123). It was found that there was a strong association of audit fees with MW and an insignificant association with SD (p.123). The authors noted that the distinction between MW and SD is somewhat complex and difficult.

Severity was defined yet again in another context which was similar to Raghunandan's & Rama's research (2006). General, company level problems such as the control environment, personnel quality were found to be more severe than account-specific problems where they had greater association with accruals quality and auditor realignments (p.123). Results from the study demonstrated there were significant associations of audit fees and ICFR problems and greater association was found with general problems. Major associations of fees were also found with pervasive problems that had to ability to affect multiple accounts and for accounts in which the SEC had taken significant interest (p.123). Based on the findings it can be concluded that audit fees are affected by the degree of problem severity across multiple dimensions.

Similar findings in "Pervasiveness, severity, and remediation of internal control material weaknesses under SOX Section 404 and audit fees" (2009) by Mitra stated that the analyses done demonstrated a significant positive relationship between audit fees and severity of ICFR weaknesses in years of disclosures. A sample of 854 firms was taken that disclosed ICFR weaknesses for the first time in 2004 to 2006 mainly to investigate the association between the severity of ICFR weakness disclosures and audit fees (Mitra, 2009, p.369). The author controlled for the effect of other firm-specific variables that would cause variation in audit fees (p.371). The severity definition was similar to Raghunandan's & Rama's research (2006) as being defined as either systemic or non-systemic.

Lastly, a research paper by Hogan & Wilkins (2008) titled "Evidence on the Audit Risk Model: Do Auditors Increase Audit Fees in the Presence of Internal Control Deficiencies?" uses an approach that differs from prior research such as Raghunandan & Rama (2006) and Hoitash, Hoitash & Bedard (2008) reviewed above. The authors use SOX 302 disclosures and audit fees in prior periods in an effort to measure the auditor's response to increased control risk as opposed to the rise in audit fees resulting from SOX 404 testing efforts (Hogan & Wilkins, 2008, p.220).

SOX section 302, was implemented on August 29, 2002 that requires management to disclose in the financials that control processes and procedures are designed and implemented to overlook the financial reporting process. The CEO and CFO are required to conclude and sign off on the effectiveness of the controls employed and disclose any material changes to internal controls (p.222). This standard mainly deals with the disclosure of ICFR by management.

The authors did not pursue their study in the direction of SOX 404 due to the fact that audit fees from 2004 to 2005 primarily reflected documentation and remediation efforts as demonstrated by Raghunandan & Rama (2006) and Hoitash, Hoitash & Bedard (2008) rather than increased substantive testing. The authors instead gathered financial data and analyzed audit fees for the pre and post SOX 302 disclosure requirement (p.223).

The findings of this study were similar however to prior research stated previously in that it was found that audit fees were significantly higher for firms that had internal control deficiencies in the fiscal year preceding the year in which the internal control problem was disclosed (p.220). The fee effect was found to be economically significant as a company would have to pay an additional 35 percent in audit fees when internal control deficiencies were present. This finding is contrary to Raghunandan & Rama's research (2006) that found fiscal 2004 weakness disclosures to have a significant audit fee effect when compared to 2003.

The study also examined the relation of audit fees and severity of internal control problems. The definition of severity is similar to the Hoitash, Hoitash & Bedrad(2008) study. Their research concluded that audit fees as a percentage of total assets were significantly higher (all most three times larger) among companies that had material weaknesses than among nonmaterial weaknesses (p.227). This finding is similar to Hoitash, Hoitash & Bedrad (2008) and Mitra (2009) research where audit fees depended on the severity of the internal control deficiency.


As demonstrated in the literary review, it is evident that there is a strong association between audit fees and ICFR weakness disclosures pursuant to SOX especially in the first year of compliance being 2004. There were many potential reasons that justified the positive relationship in the research conducted along with alternate and sometimes opposing findings which will all be addressed in this section.

Association between Audit Fees and ICFR Weakness Disclosures

Auditing standards have recognized the significance of internal controls in auditing where weak internal controls over financial reporting may suggest lower reliability of financial accounting information (Raghunandan & Rama, 2006, p.102). However, corporate controls play a major role in the prevention of material misstatements from being reported on the financial statements. They also help auditors in providing some degree of investor protection by reducing the risk of misstatements being reported (Hoitash, Hoitash & Bedard, 2008, p. 105) as auditors cannot always provide a strong guarantee that the financials are free of material error. Auditors perform engagements based on their assessments of audit risk for the particular client which is dependent on component risk assessments of inherent risk, control risk and detection risk of the audit risk model. As such if the assessment of control risk is high (presence of material weaknesses) it will affect overall audit risk and will result in significant work that will have to be done. Additional work includes (i) testing and making changes to the audit program (ii) time spent with the partner relating to discussion with client management, and (iii) documenting the weakness as being a MW or a SD [2] (Raghunandan & Rama, 2006, p.102).

Prior to SOX, auditors had the option of not relying on internal controls by performing extensive substantive procedures to provide assurance to financial information. Auditors were only expected to have a general understanding of auditee internal controls and test them accordingly only if chosen to rely on (Raghunandan & Rama, 2006). Pursuant to SOX, the requirements to assess the effectiveness of internal control disclosures and the responsibility placed on the auditor has likely affected the audit approach. As such these changes require greater engagement effort on part of the auditor that could logically result in the rise of audit fees with high internal control risks present.

Most of the prior studies such as Raghunandan & Rama (2006); Hoitash, Hoitash & Bedard (2008) did not conclusively determine if in fact substantive testing increased when ICFR weaknesses were present and offered various explanations for the rise in audit fees. However, the study by Hogan & Wilkins (2008) that tried to determine audit fee association with the presence of ICFR deficiencies did find that fees were an indication of audit effort and as such auditors do conduct more substantive tests when ICFR weaknesses are present (Hogan & Wilkings, 2008, p.233). Foster, Ornstein & Shastri (2007) also stated the fact that there was potential for more audit procedures to be performed with the presence of ICFR deficiencies for fear of being scrutinized for not carrying out a proper audit following the demise of Arthur Andersen. These findings provide evidence that that in fact audit fees can be expected to be adjusted in the presence of ICFR weaknesses thus increasing the level of audit work (substantive testing along with internal control testing) to be conducted.

Audit Fees and Severity of ICFR Weaknesses

There were opposing findings with respect to this issue where it would be expected for audit prices to vary incrementally based on the severity of the ICFR weakness. Logically, the more severe and pervasive the internal control weakness the higher the audit fee that should be charged to reduce the risk of the financials being materially misstated. Studies conducted by Hoitash, Hoitash & Bedard (2008); Mitra (2009); Hogan & Wilkins (2008) found evidence of the incremental association between the severity of the ICFR weakness and audit prices. However, Raghunandan & Rama (2006) found no evidence of such an association.

The surprising finding was that both Hoitash, Hoitash & Bedard (2008) as well as Mitra (2009) had defined severity in a context that was very similar to Raghunandan & Rama (2006). Severity in these studies was defined to be either systemic that was based on general corporate problems that were pervasive such as tone at the top, quality of personnel in charge of financial reporting etc. However, given the similarity in the definitions, the results of both the studies Hoitash, Hoitash & Bedard (2008) and Mitra (2009) found significant relationship between audit fees and the severity of ICFR problems which were contrary to Raghunandan & Rama (2006) findings. There was however similarities in the definition of severity between Hogan & Wilkins (2008) and Hoitash, Hoitash & Bedard (2008) - this study used two different definitions of severity. In these two studies severity was determined to be MW or SD that contrasted the Raghunandan & Rama (2006) definition.

As such the opposing findings might have also risen due to differences in samples chosen, ways the studies were conducted or even the time frame examined other than the differences in the definition of severity. For instance the Raghunandan & Rama (2006) study consisted of a sample that was comprised mainly of manufacturing firms while the other study samples represented a mix of firms across various industries. As well, there were differences in the time period over which the studies were conducted varying from 2003 to 2006. However, auditors must rely on a variety of considerations including professional judgment when distinguishing if a control weakness is systemic or not-systemic based on one definition or a MW/SD based on the other definition. As such differences in judgment on part of the researchers while conducting the studies could have contributed to different findings.

Audit Fees and Auditee Size