Accounting Horizons Vol. 18, No. 3 September 2004 pp. 173-184 Using Game Theory and Strategic Reasoning Concepts to Prevent and Detect Fraud T. Jeffrey Wilks and Mark F. Zimbelman SYNOPSIS: This commentary examines academic research that can assist auditors in detecting and preventing fraudulent financial reporting. We review theoretical and empirical research from game theory, social psychology, judgment and decision making, and auditing to identify improvements in audit practice and promising areas for future research. This review focuses on the strategic fraud setting and suggests modifications in auditing standards that should facilitate auditors' use of strategic reasoning in this setting. We emphasize three critical audit tasks—^fraud risk assessment, audit planning, and audit plan implementation—and recommend changes to current auditing standards and identify potential research questions for each task. Keywords: audit judgment; audit planning; fraud; game theory; risk assessment; strategic reasoning. INTRODUCTION his commentary reviews academic research from several disciplines for insights regarding how auditing standards and audit research can assist auditors in detecting and deterring fraudulent financial reporting (hereafter fraud). Reducing and detecting fraud is a high priority in the audit profession as witnessed by recent regulations intended to improve auditors' ability to detect fraud, such as SAS No. 99, and the oft-cited notion that actions taken to reduce the prospect of fraud should dampen stock market volatility {Wall Street Journal 2002). We believe it will become an even higher priority in the tuture. Some leaders in the profession argue that unintentional financial statement error will diminish because of technology and that future demand for audits will depend largely on their ability to detect or deter fraud (Elliott 2002). Accordingly, improving fraud detection and deterrence may be critical for the viability of the audit profession. We believe that auditing standards must compensate for auditors'judgment limitations to effectively detect and deter fraud. Therefore, we encourage standards that explicitly recognize the strategic nature of fraud and that help auditors effectively reason in the fraud setting. Our review focuses on assisting auditors in performing three key tasks—fraud risk assessment, audit planning, and audit plan implementation—and suggests four main findings and recommendations: T T. Jeffrey Wilks is an Assistant Professor and Mark F. Zimbelman is an Associate Professor, both at Brigham Young University. We are thankful for input on a prior version of this commentary from participants at the 2002 Deloitte & Touche/University of Kansas Symposium on Auditing Problems. We also appreciate the comments and suggestions of our three anonymous reviewers and Ella Mae Matsumura. Editor's note: Jim Largay served as the editor of this manuscript. Submitted: June 2002 Accepted: May 2004 Corresponding author: Mark F. Zimbelman Email: mz@byu.edu 173 174 Wilks and Zimbelman • Current fraud checklists may inhibit auditors' ability to predict fraud. We recommend that auditors structure their fraud risk assessments to facilitate effective predictions and provide ideas on doing so. • Because the auditee can manipulate some fraud cues, audit planning should emphasize that these cues must be cautiously relied on when assessing fraud risk. • Because audit procedures are generally quite predictable, audit plans should vary the timing, type, and randomness of audit tests. • Audit policy should encourage frequent updates of fraud judgments. THE FRAUD SETTING Careful distinction between the fraud setting and other audit settings facilitates our analysis of prior research findings and observations of the practice environment. Unintentional nonfraudulent financial statement errors are static in that their incidence is unaffected by the anticipated audit. But fraud is intentional and strategic such that its incidence is affected by the anticipated audit. Bloomfield (1997) argues that interdependence between the behavior of the auditor and the auditee characterizes this intentional/strategic setting. Not surprisingly, fraud detection research suggests that audit risk is misspecified when auditors ignore this interdependence (Fellingham and Newman 1985; Shibano 1990). The analytic methods that incorporate strategic interdependence rely largely on game theory, which seeks to predict behavior based on a player's best response given the player's motivations as well as the anticipated actions of the opponent(s). Although experienced auditors often consider the strategic implications of fraud in their audit plans, research suggests that audit standards and practice aids inhibit this process. Understanding the boundaries of game theory is important for determining how audit standards might facilitate auditors' consideration of strategic behavior. For example, predicting an auditee's response to anticipated auditor behavior is very difficult. Consider Morgenstem's (1935/1976) example whereby Sherlock Holmes leaves London's Victoria Station for Dover, pursued by his opponent, Moriarity. Holmes gets off when the train stops at an intermediate station, because he correctly anticipated that Moriarity has taken a faster train to trap him in Dover. If Moriarity had been more clever, then he also would have stopped at the intermediate station. But, if Moriarity was that clever, then Holmes would have anticipated this and gone on to Dover, and so on. Morgenstem (193 5/1976,174) states, "Because of so much thinking, they might not have been able to act at all or the intellectually weaker of the two would have surrendered to the other." In this simple example, Moriarity would have escaped if he correctly anticipated what Holmes knew—a concept known as "common knowledge" (Sunder 2002). Sunder (2002, 313) discusses how the concept of common knowledge applies to auditing and notes that this concept has "barely been touched" in the field of auditing. While most researchers agree that determining prior knowledge is difficult, audit standards should attempt to facilitate the thinking required to predict an auditee's response. We refer to the auditor's ability to anticipate the auditee's response to auditor choices as "strategic reasoning." Important empirical questions include how and to what extent individuals engage in such reasoning (Camerer 1990, 1997). Exploring prior research can help clarify how audit standards might facilitate such judgments. Levels of Strategic Reasoning Auditing research specifies different levels of strategic reasoning. Zimbelman and Waller (1999) define reasoning that is not strategic as zero-order reasoning and specify two levels of strategic reasoning: first- and higher-order. Zero-order reasoning means players only consider conditions that directly affect them but not others. The audit risk model and single-person decision theory imply zero-order reasoning. When engaged in zero-order reasoning, the auditor simply considers his own incentives, such as audit fees, sampling costs, and penalties. The auditor assesses misstatement risk assuming auditee behavior is not affected by the audit procedures used and performs the audit to Accounting Horizons, September 2004 Using Game Theory and Strategic Reasoning Concepts to Prevent and Detect Fraud 175 maximize the cost-benefit trade-off. If auditee behavior is not affected by the audit, which seems unlikely whenfraudrisk is present, then zero-order reasoning is optimal (Fellingham and Newman 1985). In contrast, first-order strategic reasoning means that the auditor considers conditions that directly affect the auditee. Now auditors assume that auditees use zero-order reasoning and develop audit plans that consider the auditee's incentives. For example, when an auditee has incentives to conceal information, the auditor modifies the audit plan to detect the concealment. However, when assessing fraud risk, the auditor does not consider whether the auditee has anticipated the auditor's behavior. Because the auditor does not consider how the audit plan might impact management's behavior, the auditor will likely use standard approaches familiar to management. Higher-order strategic reasoning means that the auditor considers additional, potentially infinite, layers of complexity, including how management may anticipate the auditor's behavior. For example, management initially uses first-order reasoning to consider how a condition facing the auditor, who uses zero-order reasoning, affects the auditor's standard tests, perhaps by adjusting sample sizes. However, an auditor using higher-order reasoning may adjust the audit plan by introducing nonstandard procedures that anticipate management's decision induced by the condition facing the auditor. Many researchers believe that this reasoning is, at least, unnatural and difficult; only a handful of auditing studies examine this issue. Auditing Studies on Strategic Reasoning Bloomfield (1995,72) argues that strategic reasoning is challenging because of strategic dependence: "the degree to which a change in the auditor's expectation of the manager's action affects the manager's action." Strategic dependence is greatest when each player's best response changes dramatically based on the expected best response of the other player. Bloomfield (1997) collects empirical data and concludes that both auditor and auditee have difficulty predicting each other's best response when strategic dependence is high. Zimbelman and Waller (1999) also examine strategic reasoning, finding that after repeated trials in an experimental audit game, auditees are infiuenced by a condition that directly infiuences the auditor—suggesting first-order strategic reasoning takes place. This study illustrates the difficulty of determining the level of strategic reasoning involved in judgment. For example, the authors must assume that higher-order reasoning is unlikely when generating and testing their predictions. Also, because of the practical problems of using practicing auditors or managers to engage in a fraud study such as this, Bloomfield (1997) and Zimbelman and Waller (1999) rely on college-level accounting students' judgments for empirical data. Limitations aside, important policy implications can come from behavioral game theory research. Given that current audit standards based on the audit risk model fail to consider the strategic interdependence of the auditor and auditee, we recommend that such standards identify processes based on strategic reasoning (cf., Kinney 1988). Although we do not expect audit standards to formally incorporate game theory, we believe that standards based on careful consideration of the game-theoretic setting can encourage strategic reasoning and lead to significant improvements in fraud detection and deterrence. Below, we describe how such efforts at strategic reasoning might improve auditors' ability to detect and deter fraud and recommend audit practices that are designed to facilitate such reasoning. FRAUD RISK ASSESSMENT Cognitive Challenges with Processing Fraud Cues For many years, audit standards kept the auditor focused on red fiag cues for predicting fraud. SAS Nos. 53 (AICPA 1988), 82 (AICPA 1997), and 99 (AICPA 2002) all contain extensive lists of fraud risk cues. These standards led auditors to develop checklists that ensure each cue is considered Accounting Horizons, September 2004 176 fVilks and Zimbelman (Shelton et al. 2001). The checklists assume first-order reasoning and alert auditors to management's attitudes, incentives, or opportunities, but fail to consider how management could manipulate the cues on the checklists. This failure to consider management's response prevents auditors from designing procedures that management does not anticipate. For instance, when using subsequent receipts to verify the validity of a receivable, the auditor may go beyond the standard procedure and obtain additional information that ensures that the source of funds was not a related party. Designing such "unanticipated" procedures will challenge auditors because existing procedures are viewed as best practices that, at least in part, reflect the limitations of auditor cognition. But if auditors do not engage in strategic reasoning, they will overlook opportunities to surprise the auditee by being unpredictable in the nature, timing, or extent of audit procedures. Pincus (1989) and Asare and Wright (2004) studied the effects of fraud checklists on risk assessments. These studies used an actual fraud case that varied fraud checklist usage between participants. Results indicate that auditors who use checklists are less sensitive to fraud than auditors who do not use checklists. Asare and Wright (2004) suggest that this occurs because a checklist not organized around an intuitive framework, such as the fraud risk model, keeps auditors from developing a "coherent story" when assessing fraud risk. They argue that checklist use results in reduced cognitive processing. We conclude that these studies suggest that checklist use prevents auditors from reasoning strategically. Although the cues in a fraud checklist may help auditors engage in firstorder reasoning, auditors' cognitive limitations make it difficult for them to put themselves in the shoes of the auditee when simply reviewing a list of cues. Fraud Checklists, the "Dilution Effect," and Strategic Reasoning Research on the "dilution effect" in fraud risk assessments demonstrates other manifestations of auditors' cognitive limitations. The dilution effect occurs when people rely too much on cues that are irrelevant to the judgment at hand and too little on relevant cues (Nisbett et al. 1981). Thus, a cue list that contains irrelevant cues impairs auditors' ability to appropriately consider relevant cues. Three audit risk assessment studies report this effect. Hackenbrack (1992) presented two groups of auditors with two sets of information. One group reviewed irrelevant information before reviewing relevant information pertaining to fraud risk. The other group reviewed only the relevant information. Results indicate that auditors who reviewed irrelevant information made less extreme fraud risk assessments than auditors who reviewed relevant information. Hoffinan and Patton (1997) reported similar results. Finally, Waller and Zimbehnan (2003) use archival data to provide evidence that the dilution effect exists in auditors' field judgments. They also find that the dilution effect reduces the accuracy of practicing auditors' risk judgments. We believe that fraud checklists can be structured to facilitate strategic reasoning and increase this accuracy. The above research suggests that fraud checklists inhibit auditors from reasoning strategically. Assuming audit firms benefit from using fraud checklists,' one may ask whether checklists can be designed to facilitate strategic reasoning. Fraud theory provides a potential solution. Fraud is believed to result from the interaction of three factors—incentive, opportunity, and attitude (Albrecht et al. 1995; Loebbecke et al. 1989)—known as the fraud triangle: • Incentive results from a perceived benefit from committing fraud such as accounting-based bonuses or stock options. • Opportunity results from working conditions, including control deficiencies and/or management override, that result in circumstances allowing fraud to occur. • Attitude involves the propensity of the individual to rationalize the fraud, perhaps because the individual feels underpaid or underappreciated. ' It appears that the major audit firms all follow a relatively structured approach in this area (Shelton et al. 2001), perhaps due to benefits that firms perceive from using such structure. For example, frauds tend to have predictable similarities as reviews of SEC cases suggest that most frauds result from revenue overstatement. Also, firms utilize inexperienced staff and rely on structure as a quality control mechanism. Finally, legal liability may also drive the use of structure. Accounting Horizons, September 2004 Using Game Theory and Strategic Reasoning Concepts to Prevent and Detect Fraud 177 We believe that if fraud checklists incorporate this theory, auditors should be better able to process fraud cues. Moreover, if upfront categorization of fraud cues according to incentives, opportunities, and attitude requires less effort in cue processing, auditors may use their additional cognitive capacity to reason strategically about how management will behave. Decomposition, Attribution, and Strategic Reasoning A recommendation to improve judgment accuracy is to decompose a decision into component decisions, separately consider each component, and then recombine the components to make the global decision (Raiffa 1968). Referred to as decomposition, this process is thought to improve decisions for several reasons. Research suggests that decomposition leads decision makers to modify their information search. Studies find that individuals who decompose a decision process cues normally overlooked or underweighted when the decision is not decomposed (Jiambalvo and Waller 1984). For example, Zimbelman (1997) found that practicing auditors used more time reading and processing information on fraud cues when required to decompose risk assessments into separate assessments of fraud and error. SAS No. 99 takes a step toward decomposing fraud judgments as it categorizes fraud cues using the fraud triangle. While such categorization may help auditors think more broadly about fraud risk factors, research suggests that frirther gains in auditors' sensitivity result from requiring separate component risk assessments for each dimension of the fraud triangle. Thus, if auditors are required to separately evaluate the fraud risk due to each fraud-triangle component, then auditors may be better able to assimilate the cues, and focus more on cues that are naturally underweighted (Jones 1990; Heiman-Hoffrnan et al. 1996). Although an auditor may sense that management has high ethical values leading to low fraud risk due to attitude, practitioners fear that focusing on low-risk attitude cues causes auditors to erroneously assess fraud risk as too low when opportunity and incentive risks are high (Jonas 2001; SAS No. 99). Wilks and Zimbelman (2004) explore the effects of a fraud-triangle decomposition on auditors' sensitivity to opportunity and incentive cues when management's attitude suggests low fraud risk. This study provides evidence that auditors who first decompose fraud risk assessments into component assessments of attitude, opportunity, and incentive risks are more sensitive to the opportunity and incentive cues. However, this effect appears to work only when opportunity and incentive cues suggest low fraud risk. Because decomposition makes auditors' fraud risk assessments lower in the low-risk case while making no difference in the high-risk case, a decomposition that requires separate assessments for all three components of the fraud triangle probably will not increase auditors' effectiveness, but may help them become more efficient. Strategic reasoning can also help auditors make better fraud risk assessments. For example, auditors could begin their assessments by considering whether opportunity and incentive cues suggest other than low fraud risk. When these cues signal other than low fraud risk, auditors should look for attitude cues that point in the same direction. Auditing standards that govern fraud risk assessments should explicitly address auditees' ability to manipulate cues in order to influence auditors' perceptions of fraud risk. We encourage fiiture research that examines these issues. The Reliability of Fraud Cues The strategic nature of fraud settings suggests that auditors consider the auditee's ability to manipulate fraud cues. Risk assessment standards could encourage first- or higher-order strategic reasoning by requiring auditors to identify all the cues that suggest low fraud risk and evaluate the ways management may be manipulating the auditor's perception of fraud risk. We surveyed practicing auditors to identify the categories of cues they consider to be most susceptible to management concealment. We find that auditors generally agree that attitude cues are most easily concealed. Accounting Horizons, September 2004 178 IVilks and Zimbelman followed by opportunity cues. Therefore, cues that suggest low fraud risk and that can be manipulated by management should not be relied on for assessing fraud risk. We recommend a risk assessment policy that encourages strategic reasoning by prompting auditors to consider management's ability to conceal fraud risk information. Future research should help determine the best means to facilitate such reasoning. PLANNING EFFECTIVE FRAUD TESTS Varying the Nature, Timing, and Extent of Audit Plans Current audit theory and practice require auditors to assess misstatement risks and to adjust detection risk accordingly. Adjustments to detection risk can involve changes to the nature, timing, or extent of audit tests and in staffing and supervising the audit. Our use of the terms "nature" and "extent" involve the/orw of evidence collected to test an assertion and the sample size being tested, respectively. Thus, a procedure that differs in the nature of the evidence involves testing a given sample using a different form of evidence, such as analytical procedures, confirmations, or documentation. Because the sample is the same, extent is held constant. An auditor tests a given assertion by collecting a set of facts. A given set of facts can include documents, confirmations, examinations, observations, analytical relationships, inquiries, and so on. Variation in the nature of the audit plan leads to differences in the composition of the set of facts. Note that the nature of evidence from internal documents differs from, and is generally considered less reliable than, the nature of evidence from outsiders' representations. Audit standards require some specific procedures on all audits to minimize certain audit risks. For example, auditors must confirm accounts receivable and physically examine inventory to detect frauds that would otherwise be concealed. Although the objective of these procedures is to eliminate future audit failures, one result is that a manager who is aware of these standard procedures can design a fraud that will not be detected by the procedures. Thus, auditors should respond to fraud risk by engaging in strategic reasoning and planning procedures that the auditee cannot predict. Predictability as a Function of the Nature, Timing, or Extent of Evidence Frauds can go undetected when the audit plan is too predictable. The predictability of audit tests can be varied by changing the nature, timing, or extent of the evidence collected during the audit. Although procedures such as confirming receivables are mandatory on all audits, the nature of the procedures can be modified to limit the auditee's means of concealment. For example, when examining subsequent receipts for accounts receivable confirmations not returned, the auditor may use unexpected forms of evidence to verify the source of funds. An auditor who is concerned about fraud and suspects that funds shown on a bank deposit are from a related party instead of an independent customer can go beyond normal audit procedures to determine the original source of funds. Similarly, an auditor observing inventory could verify existence by requiring the client to open boxes that are difficult to access. Procedures such as this can effectively detect or deter fraud if the client sees that the auditor regularly modifies the nature of the evidence collected in ways that are unexpected or unusual. The timing of the evidence refers to when each fact is observed or collected, perhaps during the year or at year-end. Finally, the extent of the evidence refers to the sample size or proportion of the population of possible evidence items collected. Surprising the client by doing unannounced test counts of inventory is considered a change in timing. Similarly, varying sample size may be effective, especially when past scope limitations allowed the client to hide numerous small misstatements that collectively comprise a material misstatement. In such a situation the auditor should use technology or analytical procedures to test the entire population. Accounting Horizons. September 2004 Using Game Theory and Strategic Reasoning Concepts to Prevent and Detect Fraud 179 The Nature of Audit Evidence and Fraud Detection Some auditing research suggests that audit policy should encourage auditors to modify the nature or timing of audit tests (Fellingham and Newman 1985; Nieschwietz et al. 2000). But archival and experimental research indicates that practicing auditors plan to collect the same evidence items from year to year, thereby holding the nature of their evidence constant (Bedard 1989; Glover et al. 2003). Additionally, fraud studies fmd that requiring auditors to explicitly assess fraud risk results in changes to the extent but not the nature of planned evidence (Zimbelman 1997; Glover et al. 2003). Numerous other studies report similar results in risk settings other than fraud (Bedard et al. 1999). There are several reasons why auditors do not oflen vary the nature of their audit plans in the face of increased fraud risk. One reason is that auditors do not have a vast array of new or unique evidence items to choose from. Even so, research suggests that auditors fail to vary the mix of standard procedures that differ in their nature as well as their perceived potential for fraud detection. This fmding is troubling since modifying the extent of evidence is less likely to be effective in a strategic setting than modifying the nature of evidence. Thus, if audit plans vary only in terms of the extent of the evidence collected, then auditees can predict the nature of the audit evidence, stay under the radar screen, and conceal a fraud. Another explanation for the lack of variability in the nature of audit plans is that auditors find it difficult to assess the effectiveness of various audit tests at detecting fraud. Glover et al. (2003) collect evidence on highly experienced fraud experts' perceptions regarding the effectiveness of standard audit procedures at detecting receivables fraud. The participating partners had an average of over 25 years of experience and were deemed to be top fraud-audit experts by their firm. Using standard procedures found in the audit literature. Glover et al. (2003) report significant variation in these experts' perceptions of effectiveness. This finding could be explained in at least two ways. First, auditors' lack sufficient understanding of the effectiveness of various audit tests at detecting fraud to allow for consensus on this task. Second, auditors could have difficulty selecting among the audit procedures because the various schemes for perpetrating receivables fraud make selecting a few procedures problematic. This latter possibility suggests an important role for strategic reasoning in designing procedures that are responsive to the circumstances of the auditee. Increasing Variability in the Nature of Audit Evidence We believe that requiring auditors to reflect on how they might prevent management from concealing a fraud from planned audit evidence is likely to promote effective variation in the nature of the evidence. Also, audit standards could require auditors to develop their audit strategy independently of prior or standard procedures whenever fraud risk exists. To effectively do so, experienced auditors such as audit managers likely need to be involved. Effective standards should be aimed at encouraging strategic reasoning leading to more audit plans that consider how an auditee may be concealing a fraud from standard procedures. The standard program could be used as a decision aid to ensure completeness once the audit team develops key procedures aimed at areas of the audit where fraud risk exists. At any rate, identifying and developing effective methods for getting auditors to go beyond the standard audit programs and typical audit procedures should be pursued in future research. Standard Audit Programs and Strategic Reasoning On a closely related theme, Asare and Wright (2004) examine how standard audit programs affect audit-planning decisions for detecting fraud. In their study, practicing auditors reviewed an actual audit case involving fraud, assessed fraud risk, and designed appropriate audit tests. As expected, those auditors given a standard audit program generated fewer audit tests aimed at the specific fraud scenario than auditors who did not use a standard audit program. This finding suggests Accounting Horizons, September 2004 180 miks and Zimbelman that standard audit programs inhibit auditors' ability to engage in strategic reasoning to select effective procedures for fraud detection. Thus, audit standards should consider eliminating auditors' use of standard audit programs for purposes of fraud detection. Recent audit standards are evolving in a way that could facilitate strategic reasoning among audit team members. For example, SAS No. 99 states that "members of the audit team should discuss the potential for material misstatement due to fraud" (AICPA 2002, para. 14), implying an interactive group discussion. One area of research relevant to this group "brainstorming" session is the decisionmaking research on "groupthink" (Janis 1972). This research stream reports that many conditions affect whether group communication sessions generate effective insights. For example, social pressures in a group setting can be very influential to the outcome. Group dynamics aside, we believe policymakers should require auditors to engage in strategic reasoning that focuses on these two issues: • Considering how the auditee may commit material fraud; • Determining how management could conceal a fraud from the auditor. Thus, audit standards should require processes that lead to the design of unpredictable audit approaches in any audit seeking to detect and deter fraud. Training, Expertise, and Strategic Reasoning Understanding the client's environment and business model is critical to designing unpredictable audit approaches. Moreover, a thorough understanding of the client's environment and business risks significantly increases the auditor's ability to engage in strategic reasoning. Recent revisions in audit methodology (Bell et al. 1997; Lemon et al. 2000) may enhance auditors' ability to detect fraud by increasing their understanding of the competitive, economic, and regulatory forces affecting clients' business risks and opportunities. This knowledge should aid in understanding the economics underlying clients' transactions, and may be crucial for detecting fraud (Erickson et al. 2000). However, Eilifsen et al. (2001) note that while a business risk audit approach may lead to a better understanding of fraud conditions and pressures, there is potential for reduced fraud detection due to less transaction testing. More research is needed to assess the effects of business risk audit methods on strategic reasoning during fraud risk assessment, audit-planning decisions, and fraud detection. The complexity inherent in fraud-related decision contexts may require bringing greater general expertise to the audit. While research in this area is sparse, some findings suggest that more experienced auditors are better at discovering fraud when performing analytical procedures (Knapp and Knapp 2001). One area of expertise not yet studied is that of specific fraud training and experience. Many firms employ Certified Fraud Examiners (CFEs) to perform forensic accounting and fraud investigation services. Engaging these individuals early may help the audit team in strategic reasoning exercises aimed at identifying potential fraud schemes and developing procedures to detect such schemes. Also, these professionals are trained to recognize verbal and nonverbal indicants of deception, a potentially effective tool for financial statement auditors (Wells 1992). Perhaps auditors can use CFE expertise to more effectively implement SAS No. 99's interviewing requirements. Future research should be aimed at determining how such expertise can improve auditors' fraud detection. IMPLEMENTING THE AUDIT PLAN Learning during the Audit One theme in behavioral game theory is the need for individuals to learn about their opponent's strategies through immediate, repeated feedback (Camerer 1990). Participants who are given the opportunity to learn from repeated trials at a game will adjust to their opponent's strategies and psychological biases. Thus, favorable conditions for learning are more likely to result in an optimal solution than poor conditions for learning (Camerer 1997; Zimbelman and Waller 1999). Accounting Horizons, September 2004 Using Game Theory and Strategic Reasoning Concepts to Prevent and Detect Fraud 181 Because auditors rarely get timely feedback, the audit environment is not generally considered to be conducive to learning (Waller and Felix 1984). Given the importance of learning in strategic settings, we believe audit standards should be designed to help auditors maximize all their opportunities to learn. One potentially important opportunity for learning occurs when the auditor interacts with client personnel. At times an auditor may sense that management is discouraging a specific audit approach or is engaged in "legitimately" managing earnings. For example, management may lobby for an aggressive accounting interpretation or engage the audit firm to assist in structuring transactions that lack business purpose but help meet reporting objectives. Greater sensitivity to these opportunities for learning could lead to more effective audits. Another opportunity for feedback on efforts to manage earnings occurs when auditors detect misstatements. When a misstatement is detected, the auditor should consider whether it is intentional. Because determining intent is likely to be difficult (Jamal et al. 1995), the context of other management actions relating to attempts to manage earnings may help to establish intent. The auditor should therefore carefully note any attempts by management to manipulate accounting or auditing results for current action or future reference. In some cases, strategic actions by management may be difficult to detect because they are dispersed throughout the organization and/or its accounting system. Reviewing the entire audit team's interactions with management during the current and previous audits may help refine perceptions regarding management's strategic behavior. This becomes especially effective when it motivates reconsidering the assessment of fraud risk during the audit or in the review stage. As auditors discuss patterns of management behavior that suggest an attempt to manipulate the audit outcome, they should engage in strategic reasoning and revisit the audit plan. The strategic reasoning should again address the question of how management might conceal a fraud from the audit so that the auditor can design unpredictability into the audit approach. Anchoring on Prior Judgments Decision-making predispositions may lead auditors to focus on their prior assessments of fraud risk and not effectively learn from signals received during the audit. For example, Joyce and Biddle (1981) report that auditors' fraud judgments are influenced by an initial anchor and Wilks (2002) finds that auditors' cognition is influenced by the goals and motives of the decision maker. Anecdotal evidence suggests that after performing pre-engagement acceptance procedures, auditors are unlikely to change their beliefs that fraud risk is low. This initial "anchor" may be difficult to overcome, especially when the auditor faces performance pressure to be efficient (Braun 2000). Some firms give auditors "credit" for prior knowledge (Winograd et al. 2000) but, in the strategic setting, this may cause auditors to overlook new fraud cues and enhance management's ability to predict auditor behavior. Research suggests that a prior belief is not likely to change even when new audit evidence suggests that it should. Audit standards should therefore discourage auditors from anchoring on prior fraud risk assessments or audit plans. For example, auditors could be required to document their interactions with management after each area of an audit and how they considered the implications that these interactions have on fraud risk. Another approach is to require rotations of audit personnel to get a fresh perspective on the audit. Jamal et al. (1995) found that second-partner reviews were more effective at detecting fraud when the partners continually viewed unexpected results as suggestive of fraud. Audit standards designed to encourage a similar mindset among reviewing auditors may prove effective at detecting fraud. SUMMARY AND CONCLUDING REMARKS This commentary uses a game theory perspective of the fraud setting to develop audit policy and practice action steps intended to improve fraud detection and deterrence. Our overall recommendation Accounting Horizons, September 2004 182 miks and Zimbelman is that, because of the strategic nature of fraud, audit policymakers should replace standards that inhibit auditors' strategic reasoning with standards that encourage strategic reasoning. In particular, we offer findings and recommendations for three key tasks—fraud risk assessment, audit planning, and audit plan implementation. Specific findings and recommendations related to fraud risk assessment include: • Auditors who use long lists of fraud cues and fraud checklists are inaccurate in their fraud-risk assessments. • Auditors generally overweight cues indicative of management's character even though these cues are the most likely cues to be unreliable. • Audit standards should be designed to persuade auditors to consider how management might manipulate their perceptions of fraud cues. Findings and recommendations related to audit planning are: • Auditors should develop audit strategies that are unpredictable, especially with regard to the nature of their evidence. • Audit plans are more predictable and less effective at detecting fraud when auditors use procedures based on prior audits or standard audit programs. • Audit standards should require auditors to engage in strategic reasoning by considering the types of fraud that management might perpetrate and how these frauds might be concealed from the audit. • The goal of audit standards should be to encourage auditors to gather new, unusual, or random audit evidence not easily anticipated by management. Finally, our findings and recommendations related to the implementation of the audit are: • Learning from experience is critical to effectively performing in a strategic setting. • Auditors are often insensitive to new evidence regarding fraud risk and can more effectively learn from their interactions with the client. • Audit standards can improve learning by requiring activities such as documenting and communicating the nature of their interactions with management. The current body of research suggests that implementing our suggestions will help auditors to detect fraud by facilitating auditors' strategic reasoning. Although there is considerable fraud research, additional research will help audit policymakers design effective and efficient methods of detecting fraud. We also believe our suggestions will help deter fraud as auditees see auditors becoming more effective at strategic reasoning. However, other fruitful areas for deterring or detecting fraud are not addressed in this paper, such as stronger Boards of Directors and anonymous employee communication methods. Nor do we discuss independence issues that can influence both fraud detection and deterrence. We encourage additional research in these areas and audit standards based on this research. Finally, we acknowledge that the research we rely upon for our recommendations cannot fully simulate the complex economic, legal, and regulatory environments that influence audit practices. Some practices that basic research finds detrimental may have benefits overlooked by the research. For example, audit structure elements like checklists may be necessary in the auditors' current legal environment and may have significant quality control benefits in audit firms. Although we focus on detecting and deterring fraud, we encourage standard setters to consider the impact of our recommendations in the context of the entire audit environment. We also encourage research designed to examine these issues under several methodologies to obtain both external and internal validity (Waller and Zimbelman 2003). Accounting Horizons, September 2004 Using Game Theory and Strategic Reasoning Concepts to Prevent and Detect Fraud 183 REFERENCES Albrecht, W. S., G W. Wemz, and T. L. Williams. 1995. Fraud: Bringing Light to the Dark Side of Business. New York, NY: McGraw-Hill. American Institute of Certified Public Accountants (AICPA). 1988. Consideration of Fraud in a Financial Statement Audit. Statement on Auditing Standards No. 53. New York: AICPA. . 1997. Consideration of Fraud in a Financial Statement Audit. Statement on Auditing Standards No. 82. New York: AICPA. -. 2002. Consideration of Fraud in a Financial Statement Audit. Statement on Auditing Standards No. 99. New York: AICPA. Asare, S., and A. Wright. 2004. The eifectiveness of alternative risk assessment and program planning tools in a fraud setting. Contemporary Accounting Research (Summer): 325-352. Bedard, J. 1989. Archival investigation of audit program planning. Auditing: A Journal of Practice & Theory (Fall): 57-71. , T. Mock, and A. Wright. 1999. Evidential planning in auditing: A review of the empirical research. Journal of Accounting Literature 18: 96-142. Bell, T., F. Marrs, I. Solomon, and H. Thomas. 1997. Auditing Organizations Through a Strategic-Systems Lens: The KPMG Business Measurement Process. Montvale, NJ: KPMG Peat Marwick LLP. Bloomfield, R. J. 1995. Strategic dependence and inherent risk assessments. The Accounting Review 70: 7 1 90. . 1997. Strategic dependence and the assessment of fraud risk: A laboratory study. The Accounting Review 11: 5X1-52,%. Braun, R. L. 2000. The effect of time pressure on auditor attention to qualitative aspects of misstatements indicative of potential fraudulent financial reporting. Accounting, Organizations and Society 25: 243259. Camerer, C. 1990. Behavioral game theory. In Insights in Decision Making: A Tribute to Hillel J. Einhorn, edited by R. M. Hogarth. Chicago, IL: University of Chicago Press. . 1997. Progress in behavioral game theory. Journal of Economic Perspectives (Fall): 167-188. Eilifsen, A., W. R. Knechel, and P. Wallage. 2001. Application of the business risk audit model: A field study. Accounting Horizons (September): 193-207. Elliott, R. K. 2002. Twenty-first century assurance. Auditing: A Journal of Practice & Theory March: 139-146. Erickson, M., B. W. Mayhew, and W. L. Felix. 2000. Why do audits fail? Evidence from Lincoln Savings and Loan. Journal ofAccounting Research (Spring): 165-194. Fellingham, J. C , and D. P. Newman. 1985. Strategic considerations in auditing. The Accounting Review (October): 634-650. Glover, S. M., D. F. Prawitt, J. J. Schultz, Jr., and M. F. Zimbelman. 2003. A comparison of audit planning decisions in response to increased fraud risk: Before and afler SAS No. 82. Auditing: A Journal of Practice & Theory (September): 237-251. Hackenbrack, K. 1992. Implications of seemingly irrelevant evidence in audit judgment. Journal of Accounting Research (Spring): 126-136. Heiman-Hoffman, V. B., K. P. Morgan, and J. M. Patton. 1996. The warning signs of fraudulent financial reporting. Journal of Accountancy (October): 75-77. Hoffman, V. B., and J. M. Patton. 1997. Accountability, the dilution effect, and conservatism in auditors' fraud judgments. Journal of Accounting Research (Fall): 227-238. Jamal, K., P. E. Johnson, and R. G Berryman. 1995. Detecting framing eifects in financial statements. Contemporary Accounting Research 12: 85-105. Janis, I. L. 1972. Victims of Groupthink. Boston, MA: Houghton Miftlin. Jiambalvo, J., and W. Waller. 1984. Decomposition and assessments of audit risk. Auditing: A Journal of Practice & Theory 3 (Spring): 80-88. Jonas, G 2001. Remarks given at the American Accounting Association National Meeting, August 14, Atlanta, Georgia. Jones, E. E. 1990. Interpersonal Perception. New York, NY: W.H. Freeman and Co. Joyce, E., and G Biddle. 1981. Anchoring and adjustment in probabilistic inference in auditing. Journal of Accounting Research 19: 120—45. Accounting Horizons, September 2004 184 tVilks and Zimbelman Kinney, W. R. 1988. Attestation research opportunities: 1987. Contemporary Accounting Research (Spring): 416-425. Knapp, C. A., and M. C. Knapp. 2001. The effects of experience and explicit fraud risk assessment in detecting fraud with analytical procedures. Accounting, Organizations and Society 26: 25-37. Lemon, W. M., K. W. Tatum, and W. S. Turley. 2000. Developments in the Audit Methodologies of Large Accounting Firms. London, U.K.: Auditing Practices Board. Loebbecke, J. K., M. M. Eining, and J. J. Wiilingham. 1989. Auditors' experience with material irregularities: Frequency, nature, and detectability. Auditing: A Journal of Practice & Theory (Fall): 1-28. Morgenstem, 0.1976; Perfect foresight and economic equilibrium. In Selected Writings ofOskarMorgenstern, edited by A. Schotter, 169-183. New York, NY: New York University Press. Originally published in 1935. Nieschwietz, R. J., J. J. Schultz, Jr., and M. F. Zimbelman. 2000. Empirical research on external auditors' detection of financial statement fraud. Journal ofAccounting Literature 19; 190-246. Nisbett, R. E., H. Zukier, and R. E. Lemley. 1981. The dilution effect: Nondiagnostic information weakens the implications of diagnostic information. Cognitive Psychology (April): 248-277. Pincus, K. 1989. The efficacy of a red flags questionnaire for assessing the possibility of fraud. Accounting, Organizations and Society 14: 153-163. Raiffa, H. 1968. Decision Analysis: Introductory Lectures on Choices under Uncertainty. Boston, MA: AddisonWesley. Shelton, S. W., O. R. Whittington, and D. Landsittel. 2001. Auditing firms' fraud risk assessment practices. Accounting Horizons (Maich): 19-33. Shibano, T. 1990. Assessing audit risk from errors and irregularities. Journal of Accounting Research 28 (Supplement): 110-140. Sunder, S. 2002. Knowing what others know: Common knowledge, accounting and capital markets. Accounting Horizons (December): 305-318. fVall Street Journal. 2002. Accounting woes roil stock markets as nervous investors stampede exits. (January 30). Interactive Edition. Waller, W. S., and W. F. Felix. 1984. The auditor and learning from experience: Some conjectures. Accounting, Organizations and Society 9: 383-406. , and M. F. Zimbelman. 2003. A cognitive footprint in archival data: Generalizing the dilution effect fi-om laboratory to field settings. Organizational Behavior and Human Decision Processes (July): 254268. Wells, J. T. 1992. Fraud assessment questioning. Internal Auditor (August): 24-29. Wilks, T. J. 2002. Predecisional distortion of evidence as a consequence of real-time audit review. The Accounting Review (January): 51-72. , and M. F. Zimbelman. 2004. Decomposition of fraud risk assessments and auditors' sensitivity to fraud cues. Contemporary Accounting Research (forthcoming). Winograd, B. N., J. S. Gerson, and B. L. Berlin. 2000. Audit practices of PricewaterhouseCoopers. Auditing: A Journal of Practice & Theory (Fall): 175-182. Zimbelman, M. F. 1997. The effects of SAS No. 82 on auditors' attention to fraud risk factors and audit planning decisions. Journal of Accounting Research (Supplement): 75-97. , and W. S. Waller. 1999. An experimental investigation of auditor-auditee interaction under ambiguity. Journal of Accounting Research (Supplement): 135-155. Accounting Horizons, September 2004