STRATEGIC AUDITING WITH INCOMPLETE INFORMATION Nahnhee Choi School of Professional Accountancy Long Island University - C.W. Post Brookville, NY 11548-1300 Edward Blocher Kenan-Flager School of Business University of North Carolina Chapel Hill, NC 27599-3490 Romesh Saigal Dept of Industrial and Operations Engineering University of Michigan Ann Arbor, MI 48109-2117 Technical Report 96-5 January 1996

STRATEGIC AUDITING WITH INCOMPLETE INFORMATION Nahnhee Choi School of Professional Accountancy Long Island University - C.W. Post Brookville, NY 11548-1300 516-299-2096 Edward Blocher Kenan-Flagler School of Business University of North Carolina Chapel Hill, NC 27599-3490 919-962-3200 Romesh Saigal* Department of Industrial and Operations Engineering University of Michigan Ann Arbor, MI 48109-2117 313-763-7544 January 1996 * Author's research partially supported by the grant CCR - 9321550 from the National Science Foundation

STRATEGIC AUDITING WITH INCOMPLETE INFORMATION ABSTRACT This paper examines the decisions of an internal auditor and manager in a strategic setting. The manager issues a financial report that affects the manager's compensation, and the internal auditor chooses whether or not to investigate the report for potential fraud. We use a game-theoretic framework to capture the strategic aspects of the auditor's and manager's decisions - the decision by each player is influenced by the anticipated decision of the opposing player. Previous models of this type are games of complete information, in which each player knows their opponent, the opponent's decision options, and the opponent's decision payoffs. In contrast to previous work, this paper develops a game of incomplete information, in which each player is uncertain about the opponent. Incomplete information is operationalized as follows. The auditor is either experienced or inexperienced, unknown to the auditee; and the auditee either has or does not have integrity, unknown to the auditor. The analysis using an incomplete information game provides new insights into strategic auditing. We develop two equilibria, and derive and interpret optimal strategies for each. The optimal strategies for the internal auditor with incomplete information have two important characteristics: (1) the optimal strategies are equally likely to be pure and randomized strategies, in contrast to audit games of complete information in which the optimal strategy is always a randomized strategy, and (2) when the optimal strategy is a randomized strategy, the auditor must exaggerate his or her action, to compensate for the auditee's lack of information about the auditor, again, in contrast to complete information games.

STRATEGIC AUDITING WITH INCOMPLETE INFORMATION 1 Introduction The strategic approach to auditing has been examined by a number of papers, both in an external audit setting (Fellingham and Newman, 1985; Fellingham et al, 1989; Newman and Noel, 1989; Shibano, 1990; Patterson, 1993) and in an internal audit setting (Anderson and Young, 1988; Finley, 1991; Hansen, 1993; Morton, 1993). The external audit papers tend to focus on risk analysis, such as control risk assessment, while the internal audit papers tend to focus on fraud. The common element of both streams of work is the development of a game-theoretic approach to analyze the audit decision context and to focus on the interactive nature of the auditor-auditee relationship. The game models developed in these papers, as for any game model, can be classified in two ways: (1) either a cooperative or noncooperative game, and (2) either a complete or incomplete information game'. All the games cited above are examples of noncooperative games with complete information. This paper extends this work by developing a noncooperative game with incomplete information, for the internal audit context. 1.1 Noncooperative Games Noncooperative games are those in which the players have opposite interests, in contrast to cooperative games in which the players have strictly identical interests. Game models in auditing are of the noncooperative form because of the inherent conflicting interests in the audit context (Fellingham et al, 1989, p4; Anderson and Young, 1988, p28). Other non-game models, for example decision theory models and optimization models which have been widely used in auditing research, describe the audit situation as a single-person setting without 1Games can be classified in other ways as well, which are not presented here because they are not critical to the development of this paper. One additional classification is two person versus n-person games; the cited games and ours are two-person games involving an auditor and auditee. Another classification is perfect and imperfect information games; the cited games and ours are imperfect information games, that is, each player cannot observe the opponent's move, and effectively the players are assumed to make simultaneous moves ( Fellingham and Newman, 1985, p637; Fellingham et al, 1989, p5). 1

recognizing the conflicting interests and responsibilities of the auditor and auditee. These models cannot therefore effectively model and describe the professionalism of auditing, both internal and external, which requires independence and objectivity - effective separation of auditee and auditor because of conflicting interests.2 The game model is therefore more descriptive of actual audit settings, for both internal and external auditing. The main benefit of the game-theoretic approach to auditing is the additional insight provided by modeling the auditor-auditee relationship as one of opponents having conflicting interests, that is, a noncooperative game. 1.2 Complete and Incomplete Information Games Complete information games are those wherein all players (both the auditor and the auditee in this case) have common knowledge of the following: (a) all the players (b) all the actions available to all the players (c) all the potential outcomes to all the players from all available actions Anderson and Young (1988, p29&p39) observe that, for the internal audit context, complete information games "may not be representative of certain audits, e.g., initial audits." That is, the auditor is uncertain about the nature of the auditee. This may be true for many continuing audits as well, due to changes in the firm's management and operations. Also, because surprise is an important aspect of internal auditing (Hughes, 1977), it is likely that at least one or more of the three conditions of complete information will not be descriptive of the actual audit context. Fellingham and Newman (1985, p648), Fellingham et al (1989, p17), and Anderson and Young (1989, p39) call for the development of incomplete information games. 2Independence and objectivity are professional standards for both internal and external auditors (Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors, Altmore Springs, Florida, 1978; The Code of Professional Ethics of Certified Public Accountants, Revised 1988). 2

"One area which seems particularly appropriate for auditing involves games with incomplete information, in which either the auditor or the client is uncertain about the preferences or exact payoffs of the opponent (See Harsanyi [1967,1968a,1968b]). This perspective allows incorporation of uncertainty about the nature of the game being played. For example, the client might be one of n types, and each type may be expected to'play' differently." (Fellingham and Newman, 1985, p648). Similarly, the auditor can be of n types, and each type is expected to play differently. This paper investigates the incomplete information game as a means to obtain additional' insight into strategic auditing. 1.3 The Internal Audit Setting Internal auditing is the focus of the auditee-auditor relationship in this paper because management fraud is a key concern of the internal auditor (Report of the National Commission on Fraudulent Financial Reporting, 1987). Moreover, as Shibano (1990) has shown, the crucial role of the game theoretic framework is to model the auditor-auditee relationship when potential fraud is involved. Shibano uses a "hidden information" setting in which the auditee privately observes a signal, and then selects a report which can be either false or true with respect to that signal. The auditor investigates the accuracy of the auditee's report using sample information. The single-person formulation, such as decision theory can be used to model the audit context where simple error (not fraud) is involved. Thus, Shibano shows clearly that the interactive feature of the game model is particularly appropriate when potential fraud is involved. 1.4 Pure and Randomized Strategies The solution to a noncooperative game is a Nash equilibrium which is derived from the players' available actions and related payoffs. A "pure" strategy is one in which the player chooses a single action from the available actions, while a randomized strategy is one in which the player chooses more than one action, with a certain probability distribution. 3

Randomized strategies are common solutions to complete information games (Fellingham and Newman, 1985; Anderson and Young, 1988; Fellingham et al, 1989; Hansen, 1993, Morton, 1993). Fellingham and Newman (1985) and Fellingham et al (1989) state that many audit settings result in randomized strategies, and illustrate many of them. Similarly, Anderson and Young (1988, p39) state that their game model demonstrates the importance of the auditor using randomized strategies ("being unpredictable").3 In contrast to the common finding of randomized strategies for complete information games, the finding for incomplete information games is that frequently the optimal strategy is a pure strategy. This suggests that uncertainty about the nature of the opponent (i.e., incomplete information) may decrease the tendency to randomize in audit game models. Also, our model shows that the incomplete information setting causes auditors with different preferences to attend more strongly to their preferences and as a result to exaggerate the differences between their actions. That is, with incomplete information one type of auditor increases significantly his or her probability of using a pure strategy; the other type of auditor significantly decreases the probability of using the same strategy. This is illustrated in the following two sections. These findings show the important new insights about strategic auditing through formulating the game model as an incomplete information game. There is a strong contrast between the equilibrium optimal strategies for complete and incomplete information games.. The remainder of the paper is organized in three parts. The next section presents the game model with complete information for comparative purposes. The following section describes the game with incomplete information and analyzes the effect of incomplete information on strategic auditing. The paper concludes with a discussion of implications and suggestions for future research. 3Hughes (1977), using a dynamic, non-game model, also develops the value of randomization in the internal audit context by showing that the solution of an infinite-state, time varying Markov process can produce an audit series having an unequal number of periods between audits unless the decision problem is constrained to require uniform internal audits. 4

2 Strategic Auditing with Complete Information This section develops an audit game model in which the internal auditor and auditee have complete information. The game model is as follows. The president of a company is guaranteed a base salary and a cash bonus. The cash bonus is based upon an actual return on assets, as compared to budget. Under this plan, the president has the incentive to overstate revenues or to understate expenses, so as to maximize income and return on assets. Various types of fraud are possible, including improper revenue recognition, overbilling, and improper deferral or capitalization of expenses. The role of the internal auditor is to prevent and/or detect fraud. The owners of the company are assumed to be indifferent to any fraud less than a certain material amount. Thus, the president (hereafter, auditee) has two pure strategies: no fraud or material fraud. The internal auditor also has two actions: no testing or 100% testing. It is assumed that 100% testing will accurately detect material fraud.4 Because the auditor cannot observe the auditee's act, the game is a simultaneous move game. 2.1 Auditee Payoffs If the auditee commits fraud and the auditor chooses no testing, the auditee receives a higher bonus - the amount of the fraud, as symbolized by F in Exhibit 1. On the other hand, if the auditor examines 100%, material fraud is detected, and the auditee pays a penalty for material fraud. The penalty is a function of the amount of fraud, and is a penalty rate (P) multiplied by the amount of fraud (F). 4The implicit assumption is that there are no unintentional (no fraud) errors. 5

Exhibit 1 Auditee's payoff matrix No fraud Material fraud No testing 0 F 100% testing 0 -PF where "F" represents the incremental bonus due to material fraud "P" represents the penalty rate for material fraud when material fraud is detected 2.2 Auditor costs If the internal auditor does 100% testing, the auditor's cost is the auditor's labor, that is, the opportunity cost arising from allocating the scarce audit labor to a given auditee - symbolized by S in Exhibit 2. If the auditor chooses no testing, and the auditee commits material fraud, the company incurs the loss due to undetected material fraud, represented by M in the model. The auditor's objective is to minimize expected cost, while the auditee's goal is to maximize expected payoff. There are two restrictions on the cost matrix and the payoff matrix. The first restriction is that the cost of 100% testing is less than the loss to the company due to undetected fraud. The second restriction is that the penalty rate for material fraud is greater than zero if material fraud is detected. 6

Exhibit 2 Auditor's cost matrix No fraud Material fraud No testing 0 M 100% testing S S where "M" represents loss to company due to undetected material fraud and is defined as the amount of fraud F plus the cost of wrong decisions due to unreliable information. "S" represents the cost of 100% testing 2.3 Solution of the Complete Information Game The solution of this game is a Nash equilibrium. Appendix A presents the development of the solution concept and the proof of the equilibrium strategies for the game. Given the auditee payoffs in Exhibit 1, the auditor costs in Exhibit 2, and the restrictions on them, no pure equilibrium strategy exists.5 However, there is a randomized strategy solution, as shown in Exhibit 3. Exhibit 3: Nash Equilibrium Strategies for the Complete Information Game Player Strategy Probability (Randomized Strategy) Auditor No testing P/(1 + P) 100% testing 1/(1 + P) Auditee No fraud 1 - S/M Material fraud S/M In the Nash equilibrium, each player randomizes so that the opponent is indifferent about the alternative actions. In other words, the auditor randomizes so that the auditee 5If the auditor selects no testing, then the auditee selects material fraud as a best response. But the auditor's best response to material fraud by auditee is 100% testing. Similarly, the auditee's best response to 100%o testing is no fraud. A similar proof is shown in Fellingham et al (1989). 7

is indifferent as to the acts of no fraud or material fraud; similarly, the auditee randomizes so that the auditor is indifferent as to no testing or 100% testing. 3 Strategic Auditing with Incomplete Information An incomplete information game of the auditee-auditor relationship models the uncertainty each player has about the opponent. Uncertainty is included by defining two (or more; for simplicity we use only two) types of auditors - the auditee is uncertain which is present in any realization of the game. Similarly, there are two types of auditees - and the auditor is uncertain which. We model the two types of auditees and two types of auditors as follows. A type one auditee has a higher penalty for material fraud than for the type two auditee (P1 > P2). The new payoffs for auditees are summarized in Exhibit 4, where j is the index for auditee type. An interpretation for the difference between auditee types is that the type one auditee has higher integrity than auditee type two, and therefore more to lose in reputation if fraud is detected. In this sense, the higher level of penalty reflects the greater loss of reputation for auditee type one. The two types of auditors differ in the level of auditing cost. Auditor type one has higher auditing cost than auditor two (S1 > S2).6 The auditor costs are shown in Exhibit 4, where i is the index for auditor type. The interpretation of the difference in auditor costs can be explained as follows. The more costly auditor is so because of experience, where we assume that, though the experienced auditor is likely to be more efficient, the salary cost of the experienced auditor is sufficiently high, that the cost of 100% testing will therefore be higher for the experienced auditor. 6If S1 < S2, the role of each type of auditor is reversed. The equilibrium strategy of a type one auditor becomes the equilibrium strategy of the type two auditor, and vice versa. 8

Exhibit 4 The cost of type i auditor No fraud Material fraud No testing 0 M 100% testing Si Si The payoff matrix of type j auditee No fraud Material fraud No testing 0 F 100% testing 0 -PjF Uncertainty is included in the game in the following way. Both the auditors and auditees are assumed to know the proportion, or probability, of each type of opponent. We use W7 to represent the proportion of type one auditees, and (1 - r-) be the proportion of type two auditees.7 And we assume each auditor type to be equally likely. Also, to eliminate unlikely equilibria, we assume that the type one auditee, having the higher cost of material fraud, always has no incentive to commit fraud. Because of their honesty, some auditees will not commit material fraud (though the auditor does not know whether or not the auditee is honest in the incomplete information game). Other than to define the two auditee and auditor types, the game structure is the same as for the complete information game developed earlier. 4 Solution of the Incomplete Information Game The solution for the incomplete information game is also a Nash equilibrium. Both auditors and auditees derive the expected cost or payoff functions contingent upon the type of opponent, weighted by the probability distributions over opponent types ( 7r for type one auditee and 1- 7r for type two auditee; 1 for each auditor). Each auditor minimizes the weighted average of cost functions while each auditee maximizes the weighted average of 7We believe that wr is determined by the general economy, industry trends, and/or operating conditions in the company. 9

payoff functions.8 Exhibit 5 presents the weighted average cost and payoff functions.9 Exhibit 5 Expected cost to a type i auditor is SiXi + (1- Xi){rY1 + (1 - 7r)Y2}M Expected payoff to a type j auditee is YjF{1 - (X1 + X2)/2} - PjYjF(X1 + X2)/2 where Xi represent probability of 100% testing by type i auditor, i E {1, 2}. and Yj represent probability of material fraud by type j auditee j E {1, 2}. We derive and analyze two incomplete information game equilibria. In the first equilibrium, the penalties for material fraud are higher (P2 > 1) than in the second equilibrium (P2 < 1; P1 > P2). The first equilibrium can be interpreted as the case of a strong control environment. The company's board and audit committee have a strict standard for management behavior, which is operationalized by higher penalties for fraud for both types of auditees in the incomplete information game. In contrast, the lower penalties in equilibrium two represent a control environment in which the board and audit committee have a less strict standard about fraud. Neither equilibrium involves levels for P1, because we have assumed that the type one auditee always has no incentive to commit fraud. Equilibrium One: (S1 > S2, 0 < S2/M < (1 - 7r), 1 < P2)10 The unique Nash strategies for this equilibrium are shown in Exhibit 6. Appendix B presents the proof of the equilibrium strategies. Exhibit 6: Nash Strategies for the Incomplete Information Game Assuming a Strong Control Environment 8Harsanyi (1967, 1968a, 1968b). 9In the previous section, both the auditor and the auditee know the type of opponent with certainty, and four different games with complete information are possible depending on the types of auditor and auditee. However, in this section, only one game with incomplete information occurs, given the probability distributions over the opponent types. 10If the condition 0 < S2/M < (1 - 7r), does not hold, equilibrium one will not be achieved until new audit technology brings S2/M to (1 - rr) or below (1 - 7r). 10

Strategy Probability Auditor Type One No testing 1 100% testing 0 Auditor Type Two No testing (P2 - 1)/(1 + P2) 100% testing 2/(1 + P2) Auditee Type One No fraud 1 Material fraud 0 Auditee Type two No fraud 1 - S2/[(1 - 7r)M] Material fraud S2/[(1 - 7r)M)] The equilibrium strategies also satisfy the following condition which assures that the expected payoff from material fraud for the type one auditee is less than zero, so that this auditee always has no incentive to commit fraud, as assumed earlier: YIF{1 - (1 + Pi)(X- + X2)/2} <0 (1) where X1 and X2 represent the equilibrium probability of 100% testing by type one and type two auditor, respectively. The first equilibrium represents a strong control environment in which the board and audit committee have set a high standard for management behavior. Given the probability of material fraud, the cost of 100% testing is greater than the expected cost of no testing for the type one auditor. The type two auditor is indifferent about the two alternatives. Equilibrium Two: (S1 > S2, 0 < S2/M < (1 - 7), P2 < 1) The unique Nash strategies for this equilibrium are shown in Exhibit 7. Appendix B presents the proof. The solution also satisfies the property represented in Inequality (1). Exhibit 7: Nash Strategies for the Incomplete Information Game Assuming a Weak Control Environment 11

Strategy Probability Auditor Type One No testing 2P2/(1 + P2) 100% testing (1 - P2)/(1 + P2) Auditor Type Two No testing 0 100% testing 1 Auditee Type One No fraud 1 Material fraud 0 Auditee Type Two No fraud 1 - Sl/[( - 7r)M] Material fraud S/[(1 - 7r)M] The second equilibrium represents a weaker control environment than the first equilibrium. The board and audit committee have set a less strict standard for management behavior. Given the probability of material fraud, the cost of 100% testing is less than the expected cost of no testing for the type two auditor. The type one auditor is indifferent about the two alternatives. At each equilibrium, the cost of 100% testing is the same as the expected cost of no testing for one of the two types of auditors. For the other auditor type, the cost of 100% testing is greater or less than the expected cost of no testing. Thus, with incomplete information, the equilibrium strategies are frequently pure strategies (e.g., no testing or 100% testing) in contrast to the common result of randomized strategies for complete information games. Moreover, even when the cost of 100% testing is the same as the expected cost of no testing for the auditor, the auditor exaggerates its move by increasing the probability of a certain action. For example, the type two auditor doubles the probability of 100% testing with incomplete information (compare Exhibit 3 and Exhibit 6). Similarly, the type one auditor doubles the probability of no testing with incomplete information (compare Exhibit 3 and Exhibit 7). This exaggeration of moves, the increase in probability for certain actions, is necessary for the auditor with incomplete information because one type of auditor can influence the behavior of the auditee only with probability. In other words, this exaggeration of moves results from the fact that the probabilities of 100% testing by the type one and type two auditors are equally weighted in the expected payoff to the auditee, as shown in Exhibit 5. 12

The proportion of auditees does not affect the equilibrium strategies of the auditors, nor does the proportion of auditors affect the equilibrium strategies of auditees, as shown in Exhibit 7. However, again from Exhibit 7 we see that the equilibrium strategy of the type two auditee changes as the proportion of type two auditees (1 -r) increases - the probability of material fraud decreases with an increase in the proportion of type two auditees. If the type two auditee does not decrease the probability of material fraud accordingly, then the expected cost of no testing will get larger and auditors will increase the probability of 100% testing. 5 Discussion In this paper we present two game models of the internal auditor-auditee relationship. First, we present a game of complete information which shows that the optimal solution for both auditor and auditee is to have randomized strategies. The randomized probabilities are a function of the auditors costs and the payoffs to the auditee. Second, we formulate an incomplete information game by adding uncertainty about the nature of the auditor and auditee. There are two types of auditees - one with a higher penalty for detected fraud than the other. To focus our attention on the most likely equilibria, one type of auditee is assumed to never commit fraud (though the auditor does not know which one). Also, there are two types of auditors - an experienced auditor with higher testing cost than the other. We derive and analyze two equilibria - one which represents a strong control environment and the other a weak control environment. There are two important results. First, the solutions are often pure strategies, in contrast to the findings for complete information games which typically yield randomized strategies. Second, the auditor exaggerates his or her move to compensate for the fact that the auditee's expected payoff function (Exhibit 5) is the weighted average of the expected payoffs contingent upon each type of auditor. The auditor must increase significantly the odds of no testing (auditor type one) or of 100% testing (auditor type two) to make the auditee indifferent between material fraud and no fraud. The scenario of "exaggerated moves" is similar to that where two policemen try to get 13

the truth out of a suspect. It is more effective (or strategic) for them to exaggerate the difference between their moves in a given situation. That is, one of them plays a nice guy and the other plays a bad guy. Even without formal coordination of strategies between two types of auditors or auditees, the same phenomenon seems to occur in the game with incomplete information." One of them increases the probability of 100% testing, and the other decreases the probability of 100% testing. 6 Future Research The game developed here can be extended to a multiple period setting. Because internal audits are typically done at varying, sometimes lengthy intervals (Hughes, 1977), an internal audit is likely to be a single-shot game due to changes in personnel, operations, or business factors over the relatively long time period. However, the game can also be modeled as a finitely repeated game. The literature on reputation (Kreps and Wilson, 1982; Kreps et al, 1982; Milgrom and Roberts, 1982a; Milgrom and Roberts, 1982b) predicts bluffing in a multiple-period game. That is, because the assessment of the opponents type is dependent on prior moves, a weaker player tries to influence the probability assessment of the other player by mimicking the stronger player as the game is repeated. 11According to the Folk Theorem, outcomes associated with cooperation can be supported by noncooperative equilibrium strategies (Friedman, 1986, p103). 14

REFERENCES Anderson, U., and R.A. Young. 1988. Internal Audit Planning in an Interactive Environment. Auditing: A Journal of Practice and Theory (Fall): 23-42. Fellingham, J.C., and D.P. Newman. 1985. Strategic Considerations in Auditing. The Accounting Review (October): 634-650. Fellingham, J.C., D.P. Newman, and E. R. Patterson. 1989. Sampling Information in Strategic Audit Settings. Auditing: A Journal of Practice and Theory (Spring): 1-21. Finley, D. R. 1991. Fraud Detection Strategy Analysis for Internal Auditors. Applications of Management Science 6. Friedman, James. 1986. Game Theory with Applications to Economics. Oxford Press, Inc. Hansen, S.C. 1993. Strategic Sampling, Physical Units Sampling, and Dollar Units Sampling. The Accounting Review (April): 323- 345. Harsanyi, J.C. 1967. Games with Incomplete Information Played by "Bayesian" Players, I: The Base Model. Management Science (March): 159-182. Harsanyi, J.C. 1968a. Games with Incomplete Information Played by "Bayesian" Players, II: Bayesian Equilibrium Points. Management Science (March): 320-334. Harsanyi, J.C. 1968b. Games with Incomplete Information Played by "Bayesian" Players, III: The Basic Probability Distribution of the Game. Management Science (March): 486-502. Hughes, J.S. 1977. Optimal Internal Audit Timing. The Accounting Review (January): 56-68. Kreps, D.M., P. Milgrom, J. Roberts, and R. Wilson. 1982. Rational Cooperation in the Finitely Repeated Prisoner's Dilemma. Journal of Economic Theory 27: 245-252. 15

Kreps, D.M., P. Milgrom, J. Roberts, and R. Wilson. 1982. Reputation and Imperfect Information. Journal of Economic Theory 27: 253-279. Milgrom, P., and J. Roberts. 1982a. Predictions, Reputation, and Entry Deterrence. Journal of Economic Theory 27: 280-312. Milgrom, P., and J. Roberts. 1982b. Limit Pricing and Entry under Incomplete Information: An Equilibrium Analysis. Econometrica (March): 443-459. Miltz, D., J. C. Gui, and M. Willekens. 1991. A Risk Based Allocation of Internal Audit Time: A Case Study. Auditing: A Journal of Practice and Theory (Fall): 49-61. Morton, S. 1993. Strategic Auditing for Fraud. The Accounting Review (October): 825839. Newman, P. and J. Noel. 1989. Error Rates, Detection Rates, and Payoff Functions in Auditing. Auditing: A Journal of Practice and Theory (Supplement): 50-66. Patterson, E. R. 1993. Strategic Sample Size Choice in Auditing. Journal of Accounting Research (Autumn): 272-293. Report of the National Commission on Fraudulent Financial Reporting. 1987. The National Commission on Fraudulent Financial Reporting. (The "Treadway Report") Shibano, T. 1990. Assessing Audit Risk from Errors and Irregularities. Journal of Accounting Research (Supplement): 110- 140. 16

Appendix A Proposition 1. A noncooperative solution to the game with complete information exists. If P > 0 and M > S, then, the unique equilibrium strategies are as follows: Strategy Probability Auditor "no testing" P/(1 + P) "100% testing" 1/(1 + P) Auditee "no fraud" (1 - S/M) "material fraud" S/M Proof: Let X represent the probability of "100% testing." Let Y represent the probability of "material fraud." Let X* and Y* be the equilibrium probabilities of "100% testing" or "material fraud." Expected cost to auditor is SX + (1 - X)YM = X(S - YM) + YM. Expected payoff to auditee is YF(1 - X) - (PX)YF = YF[(1 - X) - PX] = YF[1 - (1 + P)X]. Then, F{1-X*(1+P)}(Y*-Y) > 0 for every 0 < Y < 1 and (S-Y*M)(X-X*) > 0 for every 0 < X < 1. If {1 - X*(1 + P)} = 0 and (S - Y*M) = 0, the above two conditions are satisfied. Thus, since P > 0 and M > S, X* = 1/(1 + P) and Y* = S/M. To see the uniqueness, if {1-X*(1+P)} > 0, then Y* = 1, and (S-Y*M) < Oso X* = 1 and 0 > P a contradiction. Also, if {1 - X*(1 + P)} < 0, then Y* = 0 and X* = 0 a contradiction. 17

Appendix B Equilibrium 1. If S1 > S2,0 < S2/M < (1 - 7r), and 1 < P2, the unique Nash strategies are as follows: Strategy Probability Auditor Type 1 "no testing" 1 "100% testing" 0 Type 2 "no testing" (P2 - 1)/(1 + P2) "100% testing" 2/(1 + P2) Auditee Type 1 "no fraud" 1 "material fraud" 0 Type 2 "no fraud" 1 - S2/[( - 7r)M] "material fraud" S2/[(1 - r)M] The equilibrium strategies also satisfy Y1F{l - (1 + Pi)(X* + X*)/2} < 0 where X1 and X2 represent the equilibrium probability of "100% testing" by type 1 and 2 auditor respectively. Proof: Let X1 and X2 represent probability of "100% testing" by type 1 and 2 auditor respectively. Let Y1 and Y2 represent probability of "material fraud" by type 1 and 2 auditee respectively. S1/M > S2/M and P1 > P2. Expected cost to a type i auditor is SiXi + [1- Xi]{rY1 + (1 - 7r)Y2}M = Xi[Si - {7Y1 + (1 - 7r)Y2M] + {TrY1 + (1 - r)Y2}M Expected payoff to a type j auditee is YjF[1 - (X1 + X2)/2] - PjYjF(Xi + X2)/2 = YF[1 - (X1 + X2)/2 - Pj(X1 + X2)/2] = YjF[1 - (1 + Pj)(X1 + X2)/2] Let X, X 2*Y, and Y2 be equilibrium probability of the four players. The equilibrium strategies of the four players must meet the following conditions: [S1 - M{rY7* + (1 - 7r)Y*}[XX - X*] > 0 for all 0 < X1 < 1 [S2 - M{ 7rY* + (1 - )Y2*}[X2 - X;] > 0 for all 0 < X2 < 1 [1 - (1 + P1)(Xi + X*)/2][Y* - Y1] > 0 for all 0 < Y1 < 1 [1 -(1 + P2)(X; + X2)/2][Y2* - Y2] > 0 for all 0 < Y2 < 1 18

Based upon the last assumption on types of auditees 12, Y1F[1-(l+PI)(X*+X2)/2] < 0. Thus, Y1* = 0. Using the result of Proposition 1, Y = {7Yl* + (1 - )Y*} = S2/M. Therefore, {S2 - YM} = 0. Then, {S1 - YM} > 0 since S1/M > S2/M. Thus, X2 is arbitrary and Xi = 0. X = (X1 + X2)/2 = 1/(1 + P2) because {1 -(1 + P1)(X/ + X2)/2} < 0 and P1 > P2. Therefore, {1 -(1 + P2)(Xj + X*)/2} = 0. Thus, Yj* = 0 and Y2* is arbitrary. Since {1-(1 + P2)(X+ + X*)/2} = 0 and X1 = 0,X2 = 2/(1 + P2). Since {S2 -MY} = 0 and Yj* = 0,Y2* = S2/[(1 - 7r)M]. Since 0 < S2/M < (1- 7r), and 1 < P2,0 < X2 < 1 and 0 < 2* 1. Equilibrium 2. If S1 > S2, 0 < S1/ M < (1 - r), and P2 < 1, the unique Nash strategies are as follows: Strategy Probability Auditor Type 1 "no testing" 2P2/(1 + P2) "100% testing" (1 - P2)/(1 + P2) Type 2 "no testing" 0 "100% testing" 1 Auditee Type 1 "no fraud" 1 "material fraud" 0 Type 2 "no fraud" 1 - Si/[( - 7r)M] "material fraud" Si/[(1 - -r)M] The equilibrium strategies also satisfy Y1F{1 - (1 + P1)(X* + X*)/2] < 0 where X* and X* represent the equilibrium probability of "100% testing" by type 1 and 2 auditor. Proof: Let X1 and X2 represent probability of "100% testing" by type 1 and 2 auditor respectively. Let Y1 and Y2 represent probability of "material fraud" by type 1 and 2 12When Inequality (1) holds, Yj* = 0, and Y* = S2/[(1- 7r)M]. As long as 0 < S2/M < (1- 7r),0 < Y2* < 1. Therefore, Inequality (1) is equivalent to 0 < S2/M < (1 - r). That is, Inequality (1) is equivalent to assuming that testing is not costly. If Inequality (1) does not hold, then Yl* = 1/r[S2/M - (1 - r)], and Y2* = 1. As long as (1- wr) < S2/M < 1,0 < Y* < 1. Thus, assuming that Inequality (1) does not hold is equivalent to assuming that testing is costly. 19

auditee respectively. S1/M > S2/M and Pi > P2. Let X*,X2*,Y* and Y2 be equilibrium probability of the four players. The equilibrium strategies of the four players must meet the following conditions: [S1 - M{rY* + (1 - 7r)Y*}[Xi - X*] > 0 for all 0 < X1 < 1 [S2 - M{rY* + (1 - 7r)Y2*[X2 - X2] > 0 for all 0 < X2 < 1 [1 - (1 +P)(X + X)/2][Yl* - Y] > 0 for all 0 < Y~ < 1 [1 -(1+ P2)(Xi + X*)/2][Y2* - Y2] > 0 for all 0 < Y2 < 1 Based upon the last assumption, [1- (1 + Pi)(Xi + X*)/2] < 0. Thus, Y1 = 0. Using the result of Proposition 1, Y = {7rY* + (1 - 7)Y2*} = S1/M. Therefore, {Si - YM} 0. Then, {S2- YM} < 0 since S1/M > S2/M. Thus, X; = 1 and X1 is arbitrary. X = (X1 + X*)/2 = 1/(1 + P2) because {1 - (1 + Pi)(X* + X*)/2} < 0 and P1 > P2. Therefore, {1 -(1 + P2)(Xi + X*)/2} = 0. Thus, Y*- = 0 and Y2* is arbitrary. Since {1 -(1 + P2)(Xr + X*)/2} = 0 and Xr = (1 - P2)/( + P2), X = 1. Since {S1 - MY} = 0 and Y* = 0, Y = Si/[(1- 7r)M]. Since 0 < S1/M < (1- 7r), and 1 > P2,0 < X2 < 1 and 0 < Y2 < 1. 20

UNIVERSITY OF MICHIGAN IIII11111111 11111 3 9015 04735 3670