This study examines the association between internal control risk and audit fees under the voluntary adopting regime of the Basic Standard of Enterprise Internal Control in China. We find that audit fees are positively related to disclosed internal control weaknesses (ICWs). In particular, they are significantly associated with non-financial reporting-related, but not with financial reporting-related, ICWs. Our results also indicate that voluntary assurance in internal control reports can mitigate higher audit fees associated with ICWs. Our study provides timely evidence relating to the debate on whether the scope of internal control should be expanded to non-financial reporting-related areas.

Introduction

With the increasing importance of risk management in business enterprises and auditors’ roles in promoting effective risk management as part of the audit process, it is not surprising that the concept of risk management has become a focus in auditing and assurance research (Knechel, 2007). The number of academic studies devoted to investigating the relationship between enterprise risk management (ERM) and audit risk adjustments has increased (Desender and Lafuente, 2011; Knechel and Willekens, 2006). Internal control, as one of the essential elements of ERM, has attracted enormous attention in recent years, since the stipulation of the Sarbanes–Oxley Act (SOX) in the United States (US), which requires auditors to provide an assessment of clients’ internal control quality and certify their internal control reports (ICRs). Studies examining the effect of the SOX regulation on audit fees— one of the main audit risk adjustment mechanisms—predominately adopt the supply view of auditing, suggesting that clients’ internal control weaknesses (ICWs) in financial reporting represent audit risks that could have negative effects on clients, both currently (e.g., misstatement and error in financial statements) and in the future (e.g., potential litigation liability) (Bedard et al., 2008; Raghunandan and Rama, 2006; Elder et al., 2009; Foster et al., 2007; Hogan and Wilkins, 2008; Hoitash et al., 2008; Choi et al., 2010). Due to increased perceived audit risks and correspondingly increased audit hours and efforts as a result of the implementation of SOX regulation, prior studies provide conclusive evidence that clients’ internal control risk leads to auditors’ risk adjustment and resulting higher audit fees. However, whether internal control assessment of the financial reporting area under the SOX regime can truly represent a complete and accurate internal control assessment of business entities has been questioned recently (Public Company Accounting Oversight Board [PCAOB], 2013, 2015). There is a concern that internal control assessment of operational control risks can also affect financial reporting quality and this issue has been largely ignored by prior studies. It has been argued that the literature on internal control focuses only on financial reporting in an isolated way, rather than as part of an integrative evaluation of overall internal controls in business (Habib et al., 2018; Lawrence et al., 2018). Thus, the limitation of prior studies on internal control risk and audit fees is that they narrow auditors’ reactions to ICWs that exist in the financial reporting-related area only, mainly because the SOX is a financial reporting-focused internal control regulation. ERM, however, in the spirit of the Internal Control-Integrated Framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), advocates that auditors should adopt a broader view of risk management, examining clients’ internal control at the management level, which might have a more direct and profound effect on the quality of the judgements and estimates made for financial statements rather than focusing solely on accounting errors (COSO, 2004, 2013; Knechel, 2007).