Efrim Boritz

ABSTRACTWe examine factors associated with employees' susceptibility to phishing attacks in a professional services firm and a financial services firm (bank). We measure three dimensions of suspicion (skepticism, suspicion of hostility, and interpersonal trust), and three cognitive traits (risk-taking propensity, cognitive [inhibitory] control, and social cognition), while controlling for demographic and work context factors. We find that these traits interact in complex ways in determining individuals' susceptibility to phishing attacks. Bank employees are more susceptible to being phished than professional services firm employees, but within the bank, the employees with professional certificates are less susceptible to phishing attacks than other bank employees. Also, employees with self-reported responsibility for cybersecurity are less likely to be phished. These findings could be used to create a screening tool for identifying which employees are particularly susceptible to phishing attacks, to tailor training, or redesign jobs to counter those susceptibilities and reduce security risk.

It gives me great pleasure to be the discussant of the paper by Emby and Finley. My comments are divided into three parts. First, I shall briefly summarize the paper and its key findings. Then I shall review the context of the paper and raise questions about the authors' interpretation of their study and findings. Finally, I shall conclude with a brief summary of my comments.Summary of Emby and Finley's paper: The authors gave auditors materials summarizing internal control strengths and weaknesses. The background information provided in both scenarios was identical. They asked the subjects to plan substantive tests to be carried out in connection with the inventory audit. Then, they gave subjects one of two version of a set of additional information about seven internal control cues and asked them to make a revised decision about the extent of substantive testing required. When they asked the subjects to base their decision on internal control strengths, they obtained one result. When they asked the subjects to make the same decision based on internal control risks, they obtained another result. The differences in extent of substantive tests proposed were significant. The authors interpret this finding to be an instance of a framing effect.Furthermore, the authors found that when they asked a subset of the subjects to consider all the control related information cues one by one and to rate the direction and relevance of the evidence, the framing effect disappeared. The authors interpret this finding as an example of an effective debiasing technique for eliminating the effects of the "framing bias" induced by using the word risks in one version of the task and the word strengths in another version of the task.The paper is deceptively simple. It is well written, clear, and uncluttered. The design appears to be straightforward, and the findings are significant and noteworthy. I like the use of the initial judgment as a covariate in the analysis, which is competently carried our and clearly described. Although the paper appears to be simple, I believe that it provides us with an opportunity to consider a number of very subtle issues.

In this paper we provide a synthesis of the research that has been performed on business models and business model descriptions. We address a series of seven research questions aimed at exploring the nature of business models and business model descriptions to better understand how they are and can be used in accounting and auditing. Our focus is on how business models are defined, what their elements are, and how they can be presented to stakeholders to enable and enhance their understanding of an entity’s value creation process. We identify research that defines the purpose, components, and uses of business models, and find an extensive management literature in these areas. We also identify research on business model descriptions, including how business models should be described and evaluated, what expertise is needed to create and use a business model description, and what are the challenges to preparing, and using a business model description. Based on our literature review, we conclude that research into business model descriptions is limited and suggest possible areas of future research.

Although several studies have examined individuals' privacy concerns and companies' privacy policy disclosures, only a few studies examined whether customers' privacy concerns are adequately addressed in companies' privacy policy disclosures. This study investigates companies' privacy policy statements and important privacy policies that individuals want to know. We examine the privacy policy statements of 136 companies from the U.S. and Canada

This article presents a discussion of research on the effects of different response elicitation methods on the audit planning and review judgments. The study involved 40 auditors, at five different levels of expertise, who reviewed the audit strategy of a hypothetical senior and provided evaluations of the original plan, a revised set of plans, and reports of their difficulty in making the required judgments. The materials included a list of observations about strengths and weaknesses in the client's sales, receivables, and receipts system, as observed and recorded by the hypothetical auditor and an audit plan.

Restatements of audited financial statements are used for evaluating reporting quality, audit quality and for other evaluative purposes. Prior research shows that restatements that correct unintentional errors have different implications for statement preparers, users, auditors and regulators than restatements that correct intentional misstatements. However, manually classifying restatements into these categories can be tedious, time-consuming and inconsistently performed. Therefore, we constructed a Naïve Bayes machine learning algorithm to classify restatements by management intent based on the language in restatement announcements. Empirical tests of the algorithmically classified restatements show that this classification is an effective, efficient alternative to manual classification and more reliable than other commonly used automated methods such as classifying based on restatement direction or magnitude. Our method does not require a dictionary of words associated with management intent, is easily replicated and scalable and may be used to classify restatements disclosed at the same time as financial results.

This article presents information related to issues discussed at the 1998 Audit Symposium. Presenting their views on traditional audit, experts commented that they didn't really know what opportunities existed in the assurance market but some early indications showed that in fact the market was shifting, not from the point of view that people trusted each other any more than they ever did, but from the point of view that historical financial information was becoming less relevant. Other sources of information were becoming more relevant. Commenting about career openings in the assurance sector Gail Sergenian professor at the Suffolk University said that their intake is becoming correspondingly larger from sources possessing business knowledge. The sense of getting a broad understanding of what makes up business performance measures, how reliable they are and how one make them more reliable. Pricing of assurance services was another important issue discussed an experts felt that pricing is typically a cost oriented phenomenon in most professional service firms and there was reference made to the rather substantial financial success of our friends in law offices and underwriting offices who tend to be more value-oriented in their pricing activities.

The authors gratefully acknowledge the financial support provided by the University of Waterloo Centre for Information Systems Assurance, sponsored by the Canadian Institute of Chartered Accountants, the Information Systems Audit and Control Association, and Caseware IDEA ...

Abstract. Increased Internet traffic and the sophistication of companies in tracking that traffic have made privacy as a critical issue in electronic commerce (e-commerce), and in turn spawned a number of research works in the literature. Despite this, what is lacking is an effort to understand the relationships among the various studies. The purpose of this paper is to consider the fields of information systems, business and marketing, and provide a framework for the research works that have dealt with three main stakeholders, namely customer, company and government, as well as the interaction arising among them. We review the literature and identify opportunities for future research. 1.

This paper reviews literature from 1999 to 2012 related to Computer Assisted Auditing Techniques (CAATs) to document the experience of academics of using Generalized Audit Software (GAS) within the classroom. It also explores the impact of Big Data, the regulatory environment (e.g. XBRL) as well as data visualization. Both academic and practitioner-oriented publications were reviewed to obtain an understanding of the current state of computer-assisted audit/audit data analytics techniques in both academe and industry. Three appendices are provided that include: An analysis of published CAAT cases: instructors will be able to determine which case(s) best fit(s) into their curriculum, A list of CAATs used in practice: practitioners will have an idea of what types of data analytic procedures are being applied by external and internal auditors, and A summary of the difference between system and data oriented testing.

The issue of determinants of a search-facilitating technology such as “Extended Business Reporting Language (XBRL)” has drawn considerable attention from the global academic community. This research focuses on executive team characteristics to investigate their association with the voluntary adoption of XBRL technology beyond the effect of firm characteristics. We investigated whether these characteristics (information system- and/or business/financial related- competencies) within the executive team affected the quality of the XBRL-tagged filings. Our findings demonstrate higher levels of information systems competencies were positively associated with early adoption of XBRL; whereas, higher levels of other business related-competencies (e.g. financial expertise) were negatively associated with it. Furthermore, IS competency was negatively associated with the technical aspects of XBRL. These results extend the literature on the influence of management on corporate decisions and can be used as a guide for investigating voluntary adoption of other reporting technologies, and further inform regulators and users of XBRL

ABSTRACTPrevious studies indicate that auditors are able to identify fraud risk factors, but may not be able to translate this knowledge into an audit plan that effectively takes these factors into account to increase the likelihood of detecting fraud. Fraud specialists may be able to compensate for such limitations. This study investigates the relative merits of involving fraud specialists in assisting auditors by developing an audit plan that would effectively address fraud risk in a revenue cycle. Results show that fraud specialists did not differ from auditors in the number of procedures selected from a standard audit program; nor were these procedures cumulatively more effective than those selected by auditors. Fraud specialists generated a greater number of non-standard additional audit procedures, and those procedures were marginally more effective, but less efficient, than those of auditors, except for certain groups of procedures. Finally, although the fraud specialists proposed significantly more additional (non-standard) procedures than auditors, their proposed budget increase for this category of procedures was significantly smaller than the budget increase proposed by auditors. Adjustments to the overall time budget did not differ between fraud specialists and auditors.Data Availability: Data are available from the authors upon request.

ABSTRACT Account balances are typically subjected to separate audit procedures (e.g., accounts receivable and inventory). Two or more assertions about a single financial balance may be subjected to separate tests (e. g., completeness and existence). Two or more transaction streams combining to form a single balance (e. g., sales on account and cash receipts on account combine into accounts receivable) may be tested separately. A financial balance may be subdivided into two or more account components for separate testing (e.g., retail accounts receivable and wholesale accounts receivable). In all of these audit testing scenarios, the question arises as to the appropriate way to combine or aggregate the evidence gathered from separate tests of subpopulations into an overall conclusion about the amount of audit risk being borne, that is, the risk of a material amount of misstatement remaining undetected in the overall population at the conclusion of such separate audit tests. A number of algorithms and heuristics have been proposed for combining audit risks at the subpopulation level into overall risk conclusions about audit risk at a more aggregate level. Some of the heuristics involve piecemeal evaluation of individual subpopulations to draw overall conclusions about the financial statements as a whole. This paper analyzes one such approach, the Poisson distribution-based “max rule,” for combining judgments of audit risk based on tests of subpopulations. This prescription has been interpreted to mean that the overall risk of material misstatement in a population is the maximum of the audit risks computed with respect to the individual subpopulations, but we believe that such an interpretation is incorrect. Furthermore, given the literature that has promoted the max rule, some auditors could misapply the concurrency property of the Poisson distribution. Although the max rule may be justified at the planning stages of the audit, we show that, if it is used at the evaluation stage of the audit, it can lead to underestimation of the upper error limit and overall risk faced upon completing tests of subpopulations and should not be used to evaluate results of audit procedures applied to subpopulations to draw overall audit conclusions.Résumé. Les soldes des comptes sont habituellement assujettis à des procédés de vérification distincts (comptes clients et stocks, par exemple). Deux assertions ou plus relatives à un même solde financier peuvent être assujetties à des sondages distincts (intégralité et existence, par exemple). Deux chaînes d'opérations ou plus qui se combinent pour produire un même solde (ventes à crédit et encaissements sur les ventes à crédit donnant lieu, par exemple, aux comptes clients) peuvent faire l'objet de sondages distincts. Un solde financier peut être subdivisé en deux éléments ou plus pouvant être soumis à des sondages distincts (comptes clients, ventes au détail, et comptes clients, ventes en gros). Peu importe le scénario, cependant, une question se pose: quelle est la façon appropriée de combiner ou d'agréger l'information probante livrée par les différents sondages appliqués aux sous-populations en une conclusion globale relative à l'importance du risque lié à la vérification, c'est-à-dire le risque qu'il subsiste une quantité importante de déclarations erronées non détectées dans l'ensemble de la population, au terme de ces sondages de vérification distincts. Bon nombre d'algorithmes et de méthodes heuristiques ont été proposés pour combiner les risques liés à la vérification obtenus à l'échelon des sous-populations de manière à pouvoir tirer des conclusions relatives au risque global lié à la vérification à un échelon supérieur. Certaines de ces méthodes heuristiques font intervenir l'évaluation à la pièce des différentes sous-populations dans le but de formuler des conclusions générales au sujet des états financiers dans leur ensemble. Les auteurs analysent l'une de ces méthodes, la « règle du maximum » basée sur la distribution de Poisson, visant à combiner les jugements relatifs au risque lié à la vérification établi à partir des sondages auxquels les sous-populations sont soumises. Selon l'interprétation qui en est faite, cette règle signifie que le risque global qu'il se trouve une erreur importante dans une population équivaut au maximum des risques liés à la vérification calculés pour les différentes sous-populations; or, selon les auteurs, cette interprétation est inexacte. En outre, compte tenuque des chercheurs ont préconisé la règle du maximum, certains vérificateurs pourraient appliquer à mauvais escient la propriété de concurrence de la distribution de Poisson. Bien que l'application de la règle du maximum puisse être justifiée dans les phases de planification de la vérification, les auteurs démontrent que, si elle est utilisée à l'étape de l'évaluation de la vérification, elle peut conduire à une…

Abstract. This paper reports the results of an empirical investigation of auditor judgment involving the assessment of audit risk and planning of an audit strategy. The study focuses on whether methodological techniques used for conducting research affect decision behavior; in ...

ABSTRACTWe compare the financial statement data (excluding footnotes) reported by 105 randomly selected firms in their 10-K filings with data contained in XBRL filings and data reported by three data aggregators/distributors: Compustat, Google Finance, and Yahoo! Finance. We find that 48 percent to 63.2 percent of the 10-K financial statement items available in XBRL filings are not available from the aggregators/distributors. However, aggregator/distributor-provided data contain many financial items that are not in the official 10-K or XBRL filings but could be useful to users. For items included both in XBRL and by aggregators/distributors, all but 0.01 percent of the XBRL data amounts agree with the 10-K filings, whereas 6.5 percent to 7.7 percent of the amounts provided by aggregators/distributors do not, depending on the aggregator/distributor. Most differences are material, and the differences in items used in bankruptcy prediction and earnings quality models result in significant differences in the model results.