#### **5. Empirical Results**

#### *5.1. Necessary Analysis of Conditions for Audit Risk Assessment Outcomes*

Table 5 indicates the necessity conditions. As introduced in previous sections, the necessity analysis examines whether necessary conditions exist. The consistency score has to be higher than 0.9 for a condition to be necessary [77]. To simplify the necessity analysis, we focus the research on the expectation of detecting audit risk in the planification phase. The objective of the auditor is to "identify and assess the risks of material misstatements, whether due to fraud or error, at the financial statement and assertion levels, ( ... ) including the entity's internal control ( ... )" (ISA 315, reference [4]). In this sense, uncovering risks prevails: the existence of expected significant risks, if true, is more relevant than expecting insignificant risks. Therefore, we are interested in the necessary conditions for expecting higher audit risk levels, that is, for expecting bad internal control (~fs\_intcontrol, the absence of internal control), for being likely to expect errors (fs\_error, the presence of expected errors), and for being likely to expect irregularities (fs\_irreg, the presence of expected irregularities).


**Table 5.** Analysis of necessity for the absence of internal control and for the presence of expected errors and irregularities.

**Note:** The symbol "~" indicates logical NOT which means the absence/negation of a condition or the absence/negation of the outcome. All variables are defined in Table 2. Those conditions that have been calibrated are preceded by the "*fs\_*" prefix, so dummy conditions such as gender or new do not have it.
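The necessity test described above can be sketched as follows. This is an added example, not the authors' code or data: the six cases and their membership scores are constructed, the condition names are borrowed from the text, and the consistency and coverage formulas are the standard fuzzy-set ones, which the paper is assumed to use.

```python
"""Added example: fsQCA necessity analysis on constructed membership scores."""

NECESSITY_THRESHOLD = 0.9  # consistency cut-off stated in the text


def negate(scores):
    """Fuzzy NOT ("~"): membership in the absence of a set."""
    return [1.0 - s for s in scores]


def necessity(condition, outcome):
    """Return (consistency, coverage) of `condition` as necessary for `outcome`.

    consistency = sum(min(x, y)) / sum(y)   (is the outcome a subset of X?)
    coverage    = sum(min(x, y)) / sum(x)   (how relevant is X?)
    A zero denominator yields None instead of raising.
    """
    overlap = sum(min(x, y) for x, y in zip(condition, outcome))
    total_y, total_x = sum(outcome), sum(condition)
    consistency = overlap / total_y if total_y else None
    coverage = overlap / total_x if total_x else None
    return consistency, coverage


def necessity_table(conditions, outcome):
    """Test each condition and its negation, as a necessity table does."""
    rows = {}
    for name, scores in conditions.items():
        for label, values in ((name, scores), ("~" + name, negate(scores))):
            cons, cov = necessity(values, outcome)
            necessary = cons is not None and cons > NECESSITY_THRESHOLD
            rows[label] = (cons, cov, necessary)
    return rows


# Constructed sample: six hypothetical audit engagements (not the paper's data).
CONDITIONS = {
    "gender": [1, 1, 0, 1, 0, 1],              # dummy condition (crisp 0/1)
    "new":    [0, 0, 1, 0, 0, 0],              # dummy condition (crisp 0/1)
    "fs_bod": [0.9, 0.6, 0.4, 0.7, 0.3, 0.6],  # calibrated board size
}
FS_INTCONTROL = [0.2, 0.3, 0.4, 0.1, 0.8, 0.25]
OUTCOME = negate(FS_INTCONTROL)                # ~fs_intcontrol

if __name__ == "__main__":
    for label, (cons, cov, flag) in necessity_table(CONDITIONS, OUTCOME).items():
        print(f"{label:<10} consistency={cons:.4f} coverage={cov:.4f} necessary={flag}")
```

On this constructed sample no condition exceeds the 0.9 threshold, so none would be reported as necessary on its own.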

As shown in Table 5, there is no exclusive necessary condition, so audit risk assessment does not happen because of any one single condition. Therefore, a comprehensive set of conditions must be given for expected high audit risk (i.e., bad internal control, and expected errors and irregularities in the financial statements). More specifically, four conditions are the most significant drivers of the outcome, either for their higher consistency values or for the wider difference between their presence and absence to explain the expected audit risk in the planification phase. At a glance, we firstly observe that female ATLs (gender) are more demanding when evaluating audit risks; secondly, less experience (~fs\_ppe) propitiates conservative attitudes reinforcing the detection of risks; thirdly, displaying the highest consistency value (87.61% on average), the attribute of being an old client (~new) clearly indicates a stricter audit risk assessment. According to our data, old clients (~new) are audited by inexperienced ATLs (less than 3 years) in the short term (less than 1 year), so their knowledge about their client is still scarce and they are more rigorous at work. Finally, in fourth place, a crowded board of directors (fs\_bod) leads to a more meticulous audit risk assessment in the planification stage. Setting aside board composition, board size matters. Traditional literature emphasizes the board size effect: communication and coordination problems increase as group size grows, thereby leading to potential agency problems [76,78,79]. In our sample, the board size exceeds 12 people (full membership) and, because all sample firms have to be audited compulsorily, conflicts of interests may easily arise, stressing agency problems between management and control. This circumstance may encourage accounting discretion by managers and thus earnings management practices (e.g., [79]) and also may decrease firm value [76,78]. In this scenario, some procedures of the internal control may fail, be adulterated, or even not exist, and/or the financial statements as a whole are not likely to be free from material misstatements, whether due to fraud or error.

#### *5.2. Sufficiency Analyses for Audit Risk Assessment Outcomes*

In this section, we will explore the causal relationships obtained in the different equally effective configurations. It is important to say that, in all three focus outcomes, there is more than one plausible combination, and that causal asymmetry may occur. The combinations leading to the absence of internal control and to the presence of expected errors and irregularities are presented in Tables 6–8, respectively. In order to improve the presentation and readability of the findings, we transformed the solutions from fsQCA output into tables that are easy to interpret. Following Fiss [80], the presence of a condition is indicated with a black circle (•), absence/negation with a crossed-out circle (⊗), and the "do not care" condition with a blank space. The distinction between core and peripheral is made by using large and small circles, respectively. Of course, overall consistency and coverage values will be also presented.


**Table 6.** Configurations sufficient for the absence of internal control (Outcome: ~fs\_intcontrol).

**Note:** Black circles (•) indicate the presence of a condition. Crossed-out circles (⊗) denote the absence or negation of a condition. Large circles are core conditions while small circles are peripheral conditions. "Do not care" conditions are displayed in blank spaces. All variables are defined in Table 2. Those conditions that have been calibrated are preceded by the "*fs\_*" prefix, so dummy conditions such as gender or new do not have it.




**Table 8.** Configurations sufficient for the presence of irregularities (Outcome: fs\_irreg).


Table 6 presents the configurations for the absence of internal control, that is, what might determine that the audit team leader (ATL) expected to uncover internal control deficiencies within the firm. Holding a high capital assets proportion is a core condition in four out of nine configurations (44%), which is a sign of managerial choices. Indebted clients denote a high probability of expecting bad internal control in five out of nine cases (56%). Also in 56% of cases, less profitable firms are perceived to have internal control shortcomings. We expected the opposite result, but there might be an explanation. Less profitability might be what triggers income-increasing practices by managers. Female ATLs are confirmed to be a clear sufficient condition in 78% of combinations. When planning, women are more conservative and have more prudent behavior. They dedicate more effort in the planification phase to detect anomalies in internal control mechanisms, so they are more likely to uncover deficiencies. In four out of nine cases, the absence of experience is determinant. We expected its presence, but its absence means that ATLs will be more demanding when they are inexperienced auditors. Similarly, ATLs are more skeptical with shorter audit tenures, so they will be more objective. The new condition seems to be more affected by causal asymmetry than the others, because the results are not decisive. Finally, as with gender, the probability of expecting bad internal control increases as board size increases in 89% of cases (in six out of nine cases it is a core condition), denoting agency problems as a result of the coexistence of various interests. In short, when female and inexperienced ATLs audit firms with high proportions of capital assets, high leverage ratios, less profitability and large board sizes, they expect bad internal control in the planification stage.

Table 7 presents the configurations for the presence of expected errors in the financial statements. Rather than explaining all the conditions individually again, it is more fruitful to take a broad view of detecting errors in the annual accounts when planning. Gathering information stemming from the twelve configurations, overall we may assert that the likelihood of expecting error in the financial statements increases as perceived internal control worsens (same conditions are met), and when the audit tenure is shorter (distinctive condition compared to Table 6). Table 8 indicates the combinations of conditions for the presence of expected irregularities. Unlike errors, irregularities are intentionally made. For this reason, conditions such as experience (fs\_exp) gain importance. Experienced ATLs are capable of expecting or forecasting irregularities because of their widespread background and prior know-how.

#### **6. Conclusions, Discussion and Limitations**

Auditing is a collective process conducted by professional accounting individuals whose skills, experiences, and emotions differ. The goal of an audit is to reduce uncertainty in the information and improve the degree of confidence of intended users in financial statements. Thereby, auditors aim to identify and assess risks of material misstatements at the financial statements' assertions, including the internal control of the client. To do so, appropriate planning of the audit is fundamental, which includes the audit team leader (ATL) appointment, an audit risk assessment, the subsequent nature, timing and extent of further audit procedures and the consideration of those factors that, in the auditor's professional judgement, are significant in directing the engagement team's efforts.

The audit risk assessment is critical. Audits must follow a risk-based approach due to the impossibility of checking all transactions within the client. A correct audit risk assessment lowers the audit risk to an acceptable level and avoids incurring two types of erroneous conclusions as a consequence of under-audits (issuing an inappropriate opinion) or over-audits (costly inefficient effort). There is no doubt that lower-level audit team members gather most audit evidence; however, the ATL plays a crucial role from the planification stage until the audit report, with the audit opinion issued and signed by the audit partner, and is decisive for effective and efficient audits. The audit risk assessment is mainly carried out by the ATL, and this evaluation is highly based on subjective judgements. The ATL must assess internal control and the expected and perceived existence of errors (unintended misstatements) and irregularities (intended misstatements) in the financial statements' assertions. Thereby, ATLs determine if a risk in an accounting area or transaction is classified as a key risk, material risk, or insignificant risk. This "ambiguity" or "fuzziness" in determining the risk level makes the application of fuzzy theory particularly meaningful, as audit risk assessment involves people's thought, inference and perception, and thus retains a certain degree of such fuzziness. Therefore, this study extends our understanding of the role of ATL characteristics on the audit risk assessment when planning. Furthermore, smaller audit firms have attracted limited attention both in practice and in academic research since PCAOB inspections were implemented and reinforced at international level. This paper adds knowledge in this respect, raising awareness that the study of SME audit firms is essential and concerns the whole market. Even though the audit market is often dominated by Big 4 and second-tier audit firms, small- and medium-sized audit firms shape the market behavior.

Using hand-collected and private data taken from legal applications declared by audit firms to the national public oversight board (ICAC), spanning 2001 to 2015, the results from the fuzzy-set modelling are substantial. The analysis of necessity reveals that there is no exclusive necessary condition. This evidences the fact that SME audit firms conduct more complex audits than we initially believed. Concretely, four conditions are the most significant drivers of the outcome (expected bad internal control and expected errors and irregularities in the financial statements): the presence of female ATLs, inexperienced ATLs, old audit clients, and large board size. This supports previous evidence that audit risk assessment (or related audit quality practices) is not only influenced by auditors' features, but also by client characteristics. The sufficiency analyses show the existence of more than one possible configuration, and that causal asymmetry happens. With respect to the absence of internal control (the ATL expects to find deficiencies in the internal control of the client when planning), the results indicate that female and inexperienced ATLs planning the audit regard indebted firms with high proportions of capital assets, less profits, and large board sizes as being expected to have bad internal control. Women are more demanding and prefer quality to reduce costs; in addition, the lack of experience makes them more prudent and conservative when assessing the audit risk. In the case of firm characteristics, the presence of high levels of leverage and larger board size denote the presence of high agency costs and more conflicts of interests as the number of parties increases, which incentivizes bad practice. For the presence of errors in the financial statements' assertions, the same conditions are met, and also in shorter audit tenures. The lack of prior knowledge of the client triggers more demanding conduct and more detailed checks. Last but not least, conditions such as the ATL's experience gain importance to expect irregularities. Irregularities are intended errors, and experienced ATLs are capable of forecasting irregularities because of their widespread and accumulated background. Sometimes manager discretion is difficult to guess, so experienced ATLs are more alert for discretionary practices that are not adequately revealed in the financial statements.

From a managerial point of view, the literature has demonstrated that the client's management may exert influence on auditors, which is more relevant in countries where no market-based institutional incentives exist, such as the Spanish context. Additionally, the audit risk assessment implies that the auditor must inquire with management, among other parties. These arguments, which are more pronounced in SME audit firms, come to confirm the existence of managerial pressures on auditors and thus on their assessment of the audit risk in the initial stage of the audit work, which will determine the subsequent audit procedures and the allocation of available resources. Our results evidence that ATL characteristics, such as gender, are core conditions to evaluate and determine management risks.

When interpreting the results, some limitations must be considered. First, fuzzy theory establishes combinations of conditions that, in the judgement of the researcher, have high values of consistency and coverage; however, causal asymmetries may happen. Second, despite the sensitive nature of our data, the results may not be generalizable to audit practices outside Spain, as potential differences and consensus in audit work environments exist across countries. Future research on ATL characteristics, designation, and audit risk assessment should consider endogeneity problems, as the appointment of the ATL is not trivial, so the audit partner might indirectly influence the audit risk assessment from the beginning of the audit. In addition, exploring various existing audit environments at international and size levels would show us cultural differences and size behaviors between larger and smaller audit firms.

**Author Contributions:** Conceptualization, E.B.-C. and J.S.-M.; Data curation, L.P.-E.; Formal analysis, L.P.-E.; Methodology, L.P.-E.; Supervision, L.P.-E., J.S.-M. and G.L.-S.; Writing—original draft, L.P.-E.; Writing—review & editing, L.P.-E. and E.B.-C. All authors have read and agreed to the published version of the manuscript.

**Funding:** This research received no external funding.

**Institutional Review Board Statement:** Not applicable.

**Informed Consent Statement:** Not applicable.

**Conflicts of Interest:** The authors declare no conflict of interest.
