External auditors’ use and perceptions of fraud factors in assessing fraudulent financial reporting risk (FFRR): Implications for audit policy and practice

This study used semi-structured interviews with twenty-four external auditors to explore how they perceive and use fraud factors when assessing fraudulent financial reporting risk in external audits. The fraud factors include top management’s motive, integrity, opportunity, rationalisation, and capabilities. The participants work for Big four audit firms and have international auditing experience, specifically in the US, the UK, Egypt, the UAE, Qatar, Bahrain, and Saudi Arabia. The findings reveal that top management’s integrity and motives are, in theory, the most critical factors in fraud risk assessment. However, a self-selection bias pushes external auditors not to evaluate these essential factors because they are too complicated to assess, and not enough guidance is provided to them by standard setters or audit firms. In turn, external auditors concentrate mainly on evaluating the opportunities to commit fraud when assessing fraud risk. This may lead to non-optimal fraud risk assessment and, ultimately, non-optimal audit quality. The findings have implications for policy, practice, and future research, later discussed.


Introduction
The external auditor's role in maintaining accountability in an organisation can be depicted through the lens of agency theory.In broad terms, an agency is any relationship between two parties in which one, the agent, represents the other, the principal, in day-to-day transactions.The principal(s) have hired the agent to perform a service on their behalf.By definition, an agent is using the resources of a principal.
The principal has entrusted money but has little or no day-to-day input.Principals delegate decision-making authority to agents.Because the agent makes many decisions that affect the principal financially, differences of opinion and priorities, methods, motives, and interests can arise.Agency theory assumes that the interests of a principal and an agent are not always aligned.The difference in priorities and interests between agents and principals is the principal-agent problem (Jensen & Meckling 1976;Zey 2015).
Fraud and misappropriation of funds represent perfect examples of the type of moral hazard issues that are an endemic feature of principal-agent relations, as Heath (2009) clarified.Resolving the differences in expectations is called reducing agency loss.External audits are one of the methods proposed for reducing agency loss (ICAEW 2005).If done correctly, external audits could deter fraudulent management behaviour and mitigate information asymmetry risk, thereby protecting shareholders' interests (Guragai & Hutchison 2019).From that perspective, an external audit is a vital corporate governance mechanism introduced to address the agency problem, and external auditors' ability to detect material fraud is essential to ensure accountability and restore trust in corporate governance (Dezoort & Harrison 2018).
Nevertheless, recent evidence implies that external auditors' skills in material fraud detection need improvement.Al-Dhubaibi and Sharaf-Addin (2022) find that the internal auditors' evaluation of the possibility of fraud occurrence is higher than the external auditors' evaluation.
Based on the analysis of 2110 real cases of occupational fraud, the Association of Certified Fraud Examiners (ACFE 2022) reports that although external audit is the most common anti-fraud control in organisations around the globe, external auditors only managed to detect 2% of fraud cases.
Fraud risk assessment is an integral part of the audit process, but it is also a complex task as it includes a lot of subjectivity and professional judgement (Turley et al. 2016).Task complexity could adversely impact audit performance, especially with insufficient knowledge and skills to perform a particular task (Alissa et al. 2014).To mitigate the adverse impact of task complexity on external auditors' performance, Bonner (1994) suggested providing adequate training and guidance to external auditors.A crucial starting point in enhancing external auditors' ability to detect fraud is identifying the relative importance of fraud factors in risk assessment (Asare et al. 2015).That is because knowledge of the relative importance of fraud factors reduces the risk of self-selection bias and the likelihood of ignoring essential factors that could adversely impact the quality of fraud risk assessment (Albrecht et al. 2008).Self-selection bias could arise when external auditors are unaware of the relative significance of fraud factors and under time or budget constraints, which may then force them to select fraud factors that are easier to assess rather than the ones that are more significant in assessing fraud risk (PCAOB 2012;Hurley 2017).
The extant literature identifies five fraud factors that matter in countering fraud.These factors include motives to commit fraud, the opportunity for fraud, rationalisation of fraud, integrity, and fraud perpetrators' capabilities (Cressey 1950;Albrecht, 1984;Wolfe & Hermanson 2004).Motives are viewed as key antecedents of fraud and reasons for doing something, especially one that is hidden or not obvious.
They can be financial (e.g. the desire to receive a bonus or financial need) or nonfinancial (e.g.revenge or ego) (Kassem 2018).Opportunities are chances to commit fraud without being caught, and they usually come about from weaknesses in an organisation's internal control system.Examples of control weaknesses include a lack of monitoring, ineffective audits, or the concentration of power in the hands of one or a few individuals (Wells 2011).Rationalisation is the ability to justify a wrongful act to feel better about it and is usually used by individuals with low integrity (Albrecht 1984).Examples of fraud rationalisation include "I was only borrowing the money, I am not a thief", "everybody is doing it", or "They mistreated me; they deserve it".On the other hand, integrity is doing the right thing even if no one is watching (Kassem 2021).Fraud perpetrators' capabilities are traits that allow individuals to commit fraud, including sound knowledge of accounting and weaknesses in an organisation's control system, the ability to overcome stress, power within the organisation, and confidence that the perpetrator will get away with fraud even if caught (Wolfe & Hermanson 2004).
Although the relative significance of these five fraud factors has long been debated, this study identified significant literature gaps.One critical gap is the very little evidence of how external auditors view the relative importance of fraud factors in fraud risk assessment (Boyle et al. 2015;Huang et al. 2017) and how external auditors use fraud factors in audit practice (Albrecht et al. 2008).Another noticeable gap is the lack of evidence regarding the rationale for external auditors' perceptions and self-selection bias in fraud risk assessment.Moreover, there are conflicting views concerning the relative significance of these five fraud factors in fraud risk assessment in auditing (see Hogan et al. 2008;Cohen et al. 2010;Boyle et al. 2015;Huang et al. 2017).Besides, only a handful of studies provided empirical evidence (Boyle et al. 2015;Huang et al. 2017).
This study addresses these gaps by exploring (i) how external auditors perceive and use fraud factors (i.e.integrity, motives, opportunities, capabilities, and rationalisation) when assessing fraudulent financial reporting risk (FFRR) in the external audit practice.(ii) the rationale for external auditors' perceptions and self-selection bias, if any.The data were collected via semi-structured interviews with twenty-four Big four external auditors with at least five years of audit experience and three years of experience in fraud risk assessment.Four interviews were conducted with audit partners, 11 with audit managers, and nine with senior external auditors.
Fraudulent financial reporting is the focus of this study for several reasons.It adversely affects published audited financial statements' integrity, quality, and reliability, severely threatening market participants' confidence in the audit profession and corporate governance system (Rezaee 2005).Besides, it is the costliest occupational fraud reported by the Association of Certified Fraud Examiners (ACFE) in its 2022 Report to the Nations on Occupational Fraud and Abuse.Additionally, failure to detect fraudulent financial reporting is always accompanied by scrutiny of external auditors (Sikka 2018) and, in some cases, litigation when they perform their duties negligently (Guenin-Paracini and Gendron 2010).
The five fraud factors considered in this study will be discussed from the top management's perspective for the following reasons.Top management usually perpetrates fraudulent financial reporting due to its power to override internal controls and manipulate financial accounts (Wells 2011).Similarly, a recent global study by the ACFE (2022) reports that top management and executives committed the most fraudulent financial reporting fraud cases.
The present study's findings show that top management's integrity and motives are, in theory, the most critical factors in fraud risk assessment.However, a selfselection bias pushes external auditors not to evaluate these essential factors because they are too complicated to assess, and not enough guidance is provided to them by standard setters or audit firms.In turn, external auditors concentrate mainly on evaluating the opportunities to commit fraud when assessing fraud risk.This may lead to non-optimal fraud risk assessment and, ultimately, non-optimal audit quality.The findings have implications for policy, practice, and future research, later discussed.
This paper contributes to the audit literature in several ways.First, it is among very few empirical studies (Boyle et al. 2015;Huang et al. 2017) that explore how external auditors use and perceive the relative significance of fraud factors in the external audit practice.However, it is the first to provide a rationale for external auditors' views and practices in this regard.Therefore, it expands the current debate in the audit literature around accountability and fraud risk assessment in the audit practice.Second, the literature provides conflicting views regarding the relative significance of fraud factors.Providing empirical research is the way to resolve research conflicts by generating undeniable facts, as Hosmer (2000) pointed out.This study resolves the current disagreements by providing empirical evidence on what matters in assessing fraudulent financial reporting risk in the audit practice as seen through experienced external auditors' eyes.
This study is important and timely, given that the Financial Reporting Council (FRC) in the UK identified fraud risk as one of the priority areas in its future audit inspections following the increased corporate collapse due to fraud (e.g.BHS (Mustoe 2020); Patisserie Valerie (O'Connell 2021); Wirecard (Hill 2022)) and the current need for external audit and corporate governance reforms (FRC 2019;ICAEW 2022).
The rest of the paper is organised as follows.Sect."Elucidating external auditors' responsibility for fraud detection" elucidates external auditors' responsibility for fraud detection as highlighted in professional audit standards.Sect."Theoretical framework" discusses the theoretical framework upon which this study is based.Sect."Literature review" critically reviews previous studies and identifies literature gaps.Sect."Method" describes the study's methodology.Sect."Results" presents the results, and Sect."Discussion and implications" presents the study's results and implications.Finally, it concludes in Sect."Conclusion" and provides new directions for future research.

Elucidating external auditors' responsibility for fraud detection
Needless to say, the primary responsibility of detecting and preventing fraud lies in the hands of an organisation's top management and those charged with governance (Wells 2011) (Elder et al. 2010).
Both audit standards (ISA 240 and SAS 99) require external auditors to assess and respond to fraudulent financial reporting risk through the lens of the fraud triangle model by categorising this risk into (1) risk of motives/pressure to commit fraud, (2) risk of opportunity to commit fraud, and (3) risk of rationalisation of fraud.External auditors must also consider management's integrity, use professional scepticism throughout the audit, and consider the risk of management overriding controls.Additionally, external auditors are expected to discuss among the engagement team members and the engagement partner how and where the client's financial statements may be susceptible to material misstatement due to fraud, including how fraud might occur.In reporting suspected fraud, external auditors must communicate any fraud-related matters to top management and those charged with governance on a timely basis.Suppose external auditors suspect that top management or those charged with governance might be involved in fraud.In that case, they should report the occurrence or suspicion to a party outside the entity and advise the entity to seek legal counsel.

Theoretical framework
Much of the current understanding concerning fraud factors emerged from the work of Donald Cressey in 1950.Cressey posits that fraud occurs when three fraud factors exist, including (i) non-shareable financial needs, (ii) opportunity, and (iii) rationalisation.Over the years, Cressey's hypothesis has become known as "the fraud triangle".The first side of the fraud triangle represents a pressure or motive to commit the fraudulent act, including financial and non-financial motives; the second side represents a perceived opportunity, and the third stands for rationalisation (Wells 2011).Albrecht et al. (1984) introduced the "Fraud Scale Model" as an alternative to the fraud triangle model replacing rationalisation with integrity as the latter is more observable and easier to assess.Additionally, Albrecht et al. believed that individuals with low integrity tend to rationalise their acts.
In 2004, Wolfe and Hermanson introduced the "Fraud Diamond Model", which extends the fraud triangle by "the fraudster's capabilities".They argued that many frauds would not have occurred without the right person with the right capabilities to implement the details of the fraud.They also suggested four observable traits for committing fraud; (1) Authoritative position or function within the organisation, (2) capacity to understand and exploit accounting systems and internal control weaknesses, (3) confidence that they will not be detected or, if caught they will get out of it easily, and (4) capability to deal with the stress created within an otherwise good person when they commit immoral acts.
As explained in Sect."Elucidating external auditors' responsibility for fraud detection", the international professional audit standards (ISA 240) and its American counterpart (SAS 99) require external auditors to explicitly consider most of the factors proposed by these theoretical fraud models while assessing fraudulent financial reporting risk (FFRR), specifically (i) motives, (ii) opportunities, (iii) rationalisation, and (iv) management integrity.
However, it does not explicitly require external auditors to consider fraud perpetrators' capabilities, discounting what the fraud diamond model proposes.Still, empirical evidence shows that external auditors perform better fraud risk assessments when considering the fraud diamond components (see Boyle et al. 2015).To resolve these conflicting views, the current study explores external auditors' views on the significance of the five fraud factors proposed in all these fraud models.These fraud factors include (i) motives, (ii) opportunity, (iii) rationalisation, (iv) management integrity, and (v) fraud perpetrators' capabilities.The aim is to determine these factors' relevance in assessing FFRR in terms of their relative significance and use in the external audit practice.The following section highlights the literature gaps that this study attempted to address.

Literature review
The extant literature identifies five fraud factors that matter in fraud risk assessment.These fraud factors include motives, the opportunity for fraud, rationalisation of fraud (Cressey 1950), integrity (Albrecht et al. 1984), and fraud perpetrators' capabilities (Wolfe and Hermanson 2004).However, significant literature gaps exist concerning these fraud factors' significance and use in risk assessment in external audits.
A noticeable gap is very little evidence of how external auditors view the relative importance of fraud factors in fraud risk assessment.Additionally, there is a lack of evidence regarding the rationale for external auditors' perceptions and self-selection bias in fraud risk assessment.One study by Huang et al. (2017) considered the views of a small sample of external auditors on the relative importance of the fraud triangle factors (i.e.motives, opportunity, and rationalisation).Another study by Boyle et al. (2015) finds that external auditors evaluate fraud risk factors based on a fraud diamond practice aid that provided significantly higher fraud risk assessments than those using a fraud triangle practice aid.However, both studies did not explore the rationale behind external auditors' views.Albrecht et al. (2008) argue that some external auditors spend too much time looking at opportunities for fraud, sometimes recognizing management motivations, and probably not much time on the rationale of management or management integrity in fraud risk assessment.However, there is no evidence of why external auditors may discretionally consider some fraud factors while overlooking others in fraud risk assessment.
In addition to the minimal empirical evidence, there are conflicting views concerning the relative significance of fraud factors.Some view top management's motive as the most critical fraud factor (Huang et al. 2017) and that successful external auditors can combine a deep understanding of top management's knowledge, intentions, and preferences (Grazioli et al. 2006).In contrast, others suggest that opportunity rather than motivation better predicts deviant behaviour and is the key to controlling fraud (Dellaportas 2012).On the other hand, Cohen et al. (2010) suggest that external auditors consider rationalisation and top management attitude.Conversely, others indicate that rationalisation is the least important fraud factor (Huang et al. 2017), difficult to observe (Dorminey et al. 2010), and should be replaced by integrity (Albrecht, 1984;Albrecht 2014).Murphy (2012) adds that rationalisation is a consequence of misreporting but not a predictor.This contradicts Cressey's (1950) finding that rationalisation predicts fraud and that potential fraud offenders can justify why their crime is acceptable to themselves (and maybe others).Surprisingly, in some cases, the authors contradicted their findings.For instance, Schuchter et al. (2015) find that opportunity is crucial.Still, the same authors reported different results in another study (Schuchter et al. 2016) when they found that motivation is more important than opportunity.

Data collection
Semi-structured interviews were conducted with twenty-four Big four external auditors to gain insights into the current research issue.On average, the interviews lasted 40 min.Fourteen interviews were conducted via Skype, and ten interviews were conducted via Viber, a free international calls mobile application.Four interviews were conducted with audit partners, 11 with audit managers, and nine with senior external auditors.All interviewees had at least five years of audit experience and three years of experience in fraud risk assessment in auditing and were professionally qualified.Thus, they have sufficient experience in fraud risk assessment in different contexts and can provide meaningful insights into the fraud risk assessment process.The participants' experience was crucial to ensure that participants had enough knowledge to answer the research questions.Respondents with insufficient knowledge or experience may have deliberately guessed the answer, a tendency known as an 'uninformed response', which reduces data reliability (Saunders et al. 2009).
Given the study's focus on external auditors' views, practices, and rationale, interviewing external auditors was the most suitable method to understand how external auditors conduct a fraud risk assessment.The audit standards require external auditors to assess and respond to fraudulent financial reporting risk, as explained in Sect."Elucidating external auditors' responsibility for fraud detection".Hence, external auditors are best positioned to tell us how they conduct a fraud risk assessment and apply the requirements of the audit standards.Semi-structured interviews were used because they allow interviewees to provide their views through free-flowing discussions and are the best way to explore research questions related to "how" and "why" (Bryman 2012).
Big 4 auditors are the four largest international accounting and professional services firms.They are Deloitte, Ernest & Young (EY), KPMG, and PwC.Each provides audit, tax, consulting, and financial advisory services to major corporations.The Big four was chosen because they are more likely to have more knowledge and experience and better audit quality than other non-Big 4 audit firms, as noted in prior studies (Chen et al. 2016;Jiang et al. 2019).
The interviews took place between April 2016 and November 2016.They were conducted in English with external auditors having international experience in auditing.During the interview, the participants were in different jurisdictions, including the US, the UK, Egypt, the UAE, Qatar, Bahrain, and Saudi Arabia.The participants' views and practices were not dependent on one context, as clarified in the interviews through probe questions.All these countries comply with ISA 240 except the US, which applies SAS 99.However, both audit standards have similar requirements regarding external auditors' responsibilities for fraud in a financial statement audit, as elucidated in Sect."Elucidating external auditors' responsibility for fraud detection" of this paper.
Consistent with protecting each interviewee's anonymity, Table 1 provides highlevel descriptive data for each interviewee, including their code, rank, years of audit experience, years of experience in fraud risk assessment, and education.The participant code in an interview is given after each quote using the participant code identified in Table 1 (e.g.P1, P2, etc.).
Snowballing was used for sampling purposes.First, two personal contacts who are audit partners at two Big 4 audit firms were approached.Then, they were asked to approach other external auditors interested in participating in the current study and having at least five years of audit experience and at least three years of experience in fraud risk assessment.Snowballing requires the random invitation of subjects to participate in the study and hence does not create estimation issues and biases (Krishen et al. 2019).In auditing, the snowballing approach can work well, even when researching firms, as the pool of experts in some areas are so tiny that they know their peers in other firms (Malsch and Salterio 2016).
Regarding the sample size, recommendations for qualitative research were followed to continue interviewing until no new information was collected from additional interviews, a term called "saturation" (Teddlie and Tashakkori 2009).Most positive researchers in auditing have found that saturation occurs well before reaching the end of their sampling plan, which generally involves between 15 and 30 interviews (Malsch and Salterio 2016).
Several measures were taken to ensure the data's trustworthiness (i.e.reliability).A semi-structured interview script with open-ended questions was developed in consultation with two senior academics, one senior partner, and three audit managers from the Big four audit firms.This ensures the wording, structure, and questions are precise and easy to understand.Permission was sought to record each interview digitally, granted in each instance except for once.Notes were taken during the interviews to reduce errors and ensure reliability.
The research addressed all relevant ethical issues, including anonymity, confidentiality, anxiety/stress to participants, and loss or damage to data.Ethical approvals were obtained before using any human participants in this study.All participants were provided with a participants information sheet and a consent form (see supporting information).My approach to interviews was to position myself as a learner and active listener to allow the researchers to speak openly and freely, as recommended in qualitative research (Berg 2009;Tracy 2019).I used prompts and follow-up questions to obtain elaborations and clarifications on the interviewees' responses and critical areas in my research.
Each interview began by describing the research's objective and emphasising that complete anonymity would be provided to the interviewees and their employing organisation.I then enquired into the interviewee's background (e.g.professional career and current position, years of audit experience, place of work, and educational background) and whether they have experience in fraud risk assessment.This was followed by two questions: "(i) In your opinion, what is the relative importance of the following five factors (top management's motives, opportunity, rationalisation, integrity, and capabilities) in assessing fraudulent financial reporting risk?Why?" "(ii) which fraud factor(s) do you consider when assessing fraudulent financial reporting risk in audit practice?Why?".The last two research questions are open-ended to avoid bias and encourage external auditors to share their views freely.
The participants were probed to answer the first question to share any other fraud factors they perceived significant in assessing FFRR and provide the rationale for their answers.
The five fraud factors (top management's motives, opportunity, rationalisation, integrity, and capabilities) and their definitions were also provided in the participant information sheet (see supporting information) to ensure the participants equally understood fraud factors.

Data analysis
Following prior studies' approaches to qualitative data analysis (Gioia et al. 2013;Apriliyanti and Randoy 2017), thematic analysis was used to examine the data as it provides a flexible tool to analyse qualitative data in a rich and detailed manner (Yamahaki and Fyrnas 2016).Thematic analysis is a "method for identifying, analyzing and reporting patterns or themes within data" (Braun and Clarke 2006: p. 79).The interviews were conducted and coded in English to avoid translation bias or any changes in the meaning of the interviewees' responses.
The themes were selected based on inductive content analysis, meaning the codes were derived from and linked to data analysis.I coded the transcripts using open coding, a free data coding requiring carefully reading participants' responses line by line and word by word to interpret the data (Berg 2009).In qualitative research, coding identifies a passage in the text, searches and identifies concepts, and finds relations between them (Tracy 2019).I coded all the interviews to ensure a consistent approach as a sole researcher.However, I asked an independent researcher, an expert in qualitative data, to review the coding process to ensure consistency and reliability (Cohen's kappa 0.83).
In the first step of the analysis, the transcripts were coded into two main categories (i) external auditors' perceptions of the relative significance of fraud factors in assessing FFRR; (ii) the use of fraud factors in the audit practice.Afterwards, the relative significance of fraud factors was further classified into three sub-categories based on careful analysis and observation of interviewees' responses: (a) essential or critical factor(s); (b) important but non-essential factor(s); and (c) the least important or unimportant factor.
Also, several themes emerged from analysing external auditors' rationale for the significance and use of fraud factors in the audit practice.These themes include • Audit standards requirements, • Availability or lack of know-how, • Impact on accounts, • Impact on top management behaviour, and • Relevance to the audit context Relevant participants' responses were matched with relevant codes/categories (see Table 2, the coding book used in this analysis).Quotations supporting the key indicators and the related themes were identified and incorporated into the coding scheme.The data were further analysed with the aid of NVivo.

The relative significance of fraud factors in assessing FFRR -External auditors' perceptions and rationale
The findings reveal that all external auditors perceive top management's motives (n = 24; 100%) as an essential or critical factor in assessing FFRR.Similarly, most external auditors viewed top management's integrity level (n = 20; 83%) as an essential or critical factor in assessing FFRR.The majority (n = 20; 83%) emphasised that external auditors are unlikely to detect fraud and bias in financial statements unless they understand top management's motivations and integrity.
Both opportunity (n = 23; 96%) and fraud perpetrators' capabilities (n = 22; 92%) were perceived as important but non-essential factors.However, all participants perceive rationalisation as the least important fraud factor in assessing FFRR.Using probe questions during the interviews, participants were asked about any other fraud factors they thought could be significant in assessing FFRR, but the answer was negative.Table 3 summarises the interviewees' responses.
The analysis of external auditors' rationale indicates that it was based on (i) the impact of fraud factors on top management's behaviour, (ii) the impact of fraud factors on the accounts, and (iii) fraud factors' relevance to the boundaries of the external audit professional requirements.From the external auditors' perspectives, top management's motives and integrity are essential because they could directly impact the financial accounts (n = 22; 92%), determine top management actions and behaviour, and highly increase fraudulent financial reporting risk (n = 20; 83%).Besides, the extent and degree of manipulations in the financial statements will depend on what motivates top management and how honest they are (n = 13; 54%).Other external auditors (n = 7; 29%) asserted that top  2 shows themes from analysing external auditors' rationale for the significance and use of fraud factors in the audit practice.Inductive thematic analysis emerging from the data was used to identify relevant categories and themes management's motives are also more likely to impact accounting assumptions and estimates and how they are treated.They also believed that both factors could be good indicators for potential manipulations in the financial statements.
In explaining their rationale further, some external auditors (n = 9; 37%) added that top management would not bear the cost of committing fraud unless they have a strong motive and lack integrity.Some of their comments were: Integrity goes hand in hand with motives.If top management has a strong motive to commit fraud and lacks integrity, financial reporting fraud becomes more likely.Without considering top management motivations, and their level of integrity, detecting material fraud is impossible (P1) Top management could manipulate the financial statement figures to achieve their goals, so understanding top management motivations could alert external auditors to the more vulnerable accounts of top management manipulations.We live in a different era where external auditors need to be less trusting and more sceptical of top management practices if they wish to be successful in detecting material fraud (P3) Motives are the main drive for fraudulent financial reporting.Pressure to achieve targets could increase the risk of fraudulent financial reporting, especially if performance is linked to financial targets (P4) Top management motivations could lead to manipulations in the financial statements, especially if top management lacks integrity.This could impact the financial statements depending on top management's motives or what management seeks to achieve.The revenue account, for example, will always be a high-risk account as it is vulnerable to top management's manipulations (P2) Top management must have a reason to commit fraud, such as the desire to get bonuses.Otherwise, why would they commit fraud and bear its risk (P12) Probing questions were then used to explore how understanding top management motives and their integrity level could help external auditors assess FFRR.Some (n = 5; 21%) explained that knowing what may motivate top management to commit FFR could forewarn external auditors of the more vulnerable accounts of top management's manipulations.In the meantime, assessing top management integrity will help external auditors decide how likely these manipulations are.They provided the following examples to show how top management motives could result in manipulations of financial statements: Executives could manipulate the share price or earnings to receive their bonuses.This is particularly possible if their remuneration is linked to specific financial targets or if they want to meet the budget.This should alert external auditors to give more attention to the revenue and profit accounts (P5) If top management intends to avoid paying taxes, they could overstate expenses or understate revenues.However, they will inflate profitability and share prices to obtain financing.That is why we strongly believe understanding top management motives matters.(P7) Regarding opportunity and fraud perpetrators' capabilities, external auditors believe they are important but not essential factors because they do not have the same impact on top management's behaviour or the financial accounts that top management's motives and integrity have.More than half of the participants (n = 14; 58%) explained that opportunity and fraud perpetrators' capabilities only facilitate the perpetration of fraud.Still, they will not be why top management perpetrates fraud and bear its consequences (e.g.reputational risk, litigation, fees).Others (n = 12; 50%) added that top management usually could override strong internal controls or create opportunities.So, the only thing that will trigger fraud perpetration is what top management wants to achieve (i.e.motives) and their integrity level (n = 9; 37%).Rezaee (2005) argues that given the high cost associated with financial statement fraud, corporations' decision to engage in such activities must be justified by strong motives that compel firms to behave illegally.
A few more participants (n = 7; 29%) explained that existing opportunities for fraud are more likely to encourage top management and employees to commit fraud only if they have the motive to commit a crime, lack integrity, and the risk of getting caught is remote.As some of them put it: In the case of fraudulent financial reporting, opportunity and capabilities do not really matter as much as top management motives and integrity level because top management will always have the power to override controls to achieve their targets.In that case, if top management does not have the motive to manipulate the financial statements, they will not look for fraud opportunities (P2) Motives are the drive for fraudulent behaviour.Opportunity only facilitates the perpetration of fraud.If someone does not have the motive to commit fraud, why would they look for an opportunity to commit a crime they will not benefit from (P9) For example, in developing countries, fraud opportunities will always be found, either because of weaknesses in the internal control system or loopholes in accounting and tax regulations.However, not every manager or executive will exploit those weaknesses.I came across cases where companies were full of control deficiencies, yet top management had enough integrity not to exploit them and was happy to cooperate with the audit team (P8) Those participants (n = 12; 50%) who viewed fraud perpetrators' capabilities as an important fraud factor explained that their rationale is that focussing on the traits or factors that could enhance fraud perpetrators' capabilities will guide external auditors to those individuals who are more likely to exploit existing internal control weaknesses, thereby saving external auditors time and effort in fraud risk assessments.For example, others (n = 10; 42%) referred to individuals with excessive power in the organisation as they are more likely to abuse their power and override internal controls.Hence, alerting auditors to look into these individuals' cases.Additionally, focusing on the traits or factors that could enhance fraud perpetrators' capabilities will guide external auditors to look in the right direction when assessing control weaknesses.In particular, the auditor referred to the following traits: (i) the concentration of power in the hand of one or few individuals, (ii) knowledge of weaknesses in accounting regulations or internal controls, and (iii) the ability to escape penalties due to political connections or corruption in the legal system (see Table 4).
All external auditors (n = 24; 100%) consented that rationalisation is the least important fraud factor in assessing FFRR.Their rationale was based on the factor's relevance to the external audit profession's nature or requirements.Their reasons were that rationalisation is more likely to be only known during fraud investigations and interrogations, which is beyond the scope of the external audit (n = 11; 46%).Others added that dishonest top management might only use rationalisation to deny responsibility and escape penalty, not necessarily a condition to commit fraud (n = 13; 54%).
Based on their rationale, some participants (n = 10; 42%) believe that only individuals with low integrity tend to rationalise their fraudulent behaviour or misconduct.As such, they recommended that rationalisation be integrated into assessing top management integrity rather than being regarded as a separate fraud factor.A Table 4 Traits that external auditors recommended considering when assessing fraud perpetrators' capabilities-Total number of participants (n): 24 This table summarises external auditors' views on the traits that should be considered in assessing fraud perpetrators' capabilities to commit fraudulent financial reporting.'n' refers to the number of participants that have identified each trait Traits n Per cent (%) The concentration of power in the hand of one or few individuals within the organisation 20 83 Good knowledge of weaknesses in accounting regulations and/or the internal control system 18 75 The ability to escape the penalty due to political connections or a corrupt legal system 18 75 few more external auditors (n = 4; 17%) indicated that rationalisation might only be used by managers who perpetrate fraudulent financial reporting to either reduce or escape penalty and not necessarily a condition for fraud perpetration, which is another reason why it should not be considered as a separate fraud factor.The comments of two participants were as follows: Rationalisation is somehow linked to integrity because if a person lacks integrity, rationalisation will be more likely to help them escape the penalty.Also, only people who lack integrity tend to rationalize their misbehaviour, so rationalisation should not be considered as a separate fraud factor but integrated into the assessment of top management's integrity (P11) Rationalisation should not be considered independently, indicating a low top management integrity level.Should the risk assessment process relating to top management integrity indicate strong controls, this will eventually reduce rationalisation risk (P12)

Fraud factor(s) external auditors use in assessing FFRR in the audit practice
Regarding external auditors' actual practices, they all mentioned that only opportunity is considered in assessing FFRR.External auditors justified this as follows.
There is no professional guidance in the current audit standards (ISA 240; SAS99) to incorporate top management's motives and integrity in the fraud risk assessment.Audit firms do not provide such guidance due to the lack of know-how and time constraints.As quoted by some Despite the significance of top management motives and integrity, we do not consider them in fraud risk assessment due to a lack of professional guidance on assessing these two factors.The audit standards require us to consider these two factors in assessing fraud but do not guide how to do it.Let us also be frank; audit firms never provide such guidance.The reasons for this are the lack of know-how and also the time pressure we face daily (P16) The only factor considered is the opportunity, to be honest.It is easy to assess and not necessarily the most significant factor.COSO, for example, provides an excellent guide regarding effective control frameworks.We usually refer to that guide in our assessments.I have not heard of any professional guidance that assesses top management motives and integrity anywhere I worked (P2) Two more external auditors added that opportunities come about due to weaknesses in internal controls.The audit standards require external auditors to assess control risks and understand the control environment, which can easily be assessed using guidance from the audit standards or COSO internal control framework.However, no clear guidance exists on integrating management's motives and integrity into fraud risk assessments.As one senior auditor put it: We must consider the opportunity for fraud because the audit standards require us to assess control risk and to have a good understanding of the control environment.There is actually much emphasis on this.Weaknesses in internal con-trols result in more opportunities for fraud.There is also clear guidance on control assessments in both the standards and professional reports like COSO (P10) Most external auditors (20, 83%) added that fraud perpetrators' capabilities (FPC) are not considered in practice because the audit standards did not explicitly require external auditors to consider them in fraud risk assessment.As explained earlier, the rationalisation of fraud is hardly considered due to its irrelevance to the auditing context.From the external auditors' perspectives, rationalisation is not observable and is more likely to be known during fraud investigations and interrogations outside the external audit scope.Additionally, rationalisation might only be used by managers who perpetrate fraudulent financial reporting to either reduce or escape the penalty and is not necessarily a condition for fraud perpetration.

Discussion and implications
This study's findings show that top management's integrity and motives are, in theory, the most critical factors in fraud risk assessment.However, a self-selection bias pushes external auditors not to evaluate these essential factors because they are too complicated to assess, and not enough guidance is provided to them by standard setters or audit firms.In turn, external auditors concentrate mainly on evaluating the opportunities to commit fraud when assessing fraud risk.This may lead to non-optimal fraud risk assessment and, ultimately, non-optimal audit quality.The findings have implications for research, policy, and practice, as discussed below.
From a theoretical perspective, the findings support and align with the agency theory that highlights the issue of trust between agents and principals due to different interests and motives.This study argues that top management can manipulate an organisation's financial statements if they have motives and lack integrity.Therefore, the findings urge external auditors to spend more time and effort assessing management's motives and integrity when assessing FFRR, as these two fraud factors directly impact management's behaviour and financial accounts.
Given the minimal empirical evidence on this topic, the current study expands the audit literature by adding practice-based evidence concerning the fraud factors that matter the most in assessing FFRR in the external audit practice.The results support Huang et al.'s (2017) conclusion that motives are the most critical fraud factors, and rationalisation is the least important in assessing FFRR.However, unlike Huang et al., this study explores five fraud factors instead of three factors and provides a rationale for external auditors' views.
Equally, this study agrees with the results of Boyle et al. (2015) concerning the consideration of fraud perpetrators' capabilities in fraud risk assessment to improve overall audit quality.This study highlights three traits external auditors must consider when assessing top management's capabilities.These traits include power within the organisation, knowledge of accounting and existing weaknesses in internal controls, and the ability to escape penalties.However, unlike Boyle et al., this study provides a rationale for external auditors' views and explores management integrity, which Boyle et al. overlooked.Further, the results explain the reasons behind Albrecht et al. (2008) conclusion that external auditors spend too much time looking at the opportunity for fraud in practice but probably not much time on top management motivations or integrity.The present study's findings show that top management's integrity and motives are, in theory, the most critical factors in fraud risk assessment.However, a self-selection bias pushes external auditors not to evaluate these essential factors because they are too complicated to assess, and not enough guidance is provided to them by standard setters or audit firms.In turn, external auditors concentrate mainly on evaluating the opportunities to commit fraud when assessing fraud risk.Therefore, the present study implies that unless audit standards guide external auditors to assess top management's motives and integrity, they will continue to self-select the fraud factors that are easier to assess despite their relative importance.This may lead to non-optimal fraud risk assessment and, ultimately, non-optimal audit quality.The findings call for future studies exploring ways to aid external auditors in assessing and integrating top management's motives and integrity in the audit process.
The study also uncovers that the auditors believe rationalisation is not a fraud predictor but rather a way dishonest management can shift the blame and escape penalties.Therefore, it agrees with Murphy's (2012) conclusion that rationalisation is a consequence of misreporting and not a predictor.In contrast, it disagrees with Cressey's (1950) findings that rationalisation is a predictor of fraud.
From a policy perspective, the study finds that top management motives and integrity are essential factors in assessing FFRR.Drawing external auditors' attention to the significance of these two factors could reduce the risk of self-selection bias and improve the quality of fraud risk assessment.In the meantime, it calls for an update in the fraud-related audit standards (ISA 240; SAS 99) to emphasise the relative significance of top management's motives and integrity level and guide on assessing and incorporating these two fraud factors in the audit process.Although the audit standards (ISA 240; SAS 99) require external auditors to consider top management's motives and integrity in fraud risk assessments, their significance is underrated and not emphasised enough in both standards.
The study also recommends that audit standards consider fraud perpetrators' capabilities in assessing FFRR, as this fraud factor is currently overlooked yet was viewed by experienced external auditors as equally important to opportunity.Ignoring important fraud factors could reduce the quality of fraud risk assessment, reducing the likelihood of detecting material fraud (Albrecht et al., 2008).Also, dealing with knowledgeable and capable personnel for committing and concealing fraud has limited guidance in the standards.
The Financial Reporting Council (FRC, 2016) asserts the importance of following up on audit standards by seeing how they are put into audit practice, asking the external auditors whether they are working, and revising the standards accordingly to ensure audit quality.The requirements of the audit standards had not changed since 2016, when this study was conducted.However, there is more emphasis on improving external auditors' skills in challenging management (FRC 2019) and detecting fraudulent financial reporting (ICAEW 2022).In particular, the FRC Executive Director of Supervision, David Rule, said While we see many examples of high-quality audits, our inspectors are still identifying too many audits which require significant improvements.Inspections show that challenge of management is a particular area of concern on which audit firms need to focus (FRC 2019) The Institute of Chartered Accountants and Wales (ICAEW 2022) reported there is a public perception that external auditors can and should be doing much more to deter and detect fraud and prevent the unexpected failure of large companies.Consequently, the ICAEW recommends that audit firms "change ingrained cultures, behaviours and mindsets, assessing the need for greater, risk-assessed specialist and forensic involvement at all audit stages, embedding fraud-related learnings across the firm and reinforcing professional scepticism".
The current study draws audit regulators' attention to the type of change required to enhance external auditors' skills in fraud risk assessment.Such guidance should not be ignored or left to audit firms as this will result in inconsistencies in audit qualities among audit firms.Audit standards are the benchmark against audit quality.Hence they should include precise and complete guidance.
From an audit practice perspective, this study suggests that external auditors are unlikely to detect fraud and bias in the financial statements unless they consider top management motives and integrity level.For that reason, it recommends that future audits focus more on the audit of top management's motives and integrity in assessing fraudulent financial reporting risk and proactively look for signs of management dishonesty and motives to commit fraud during the ordinary course of the audit.Prior studies suggest that reactive strategies based on history and experiences do not give external auditors the forward predictive approach necessary to detect and deter top management from engaging in financial manipulations in today's dynamic and competitive business setting (Apostolou et al. 2001).
In addition, it calls audit firms for enhanced professional training, curriculum, and communication where the relative importance of fraud factors in assessing FFRR is emphasised and professional guidance on assessing significant factors is provided.Research confirms that fraud-related knowledge is gained mainly through training and not through experience (Hammersley 2011;Siriwardane. et al., 2014), and insufficient fraud-related knowledge and training are among the most critical inhibitors to external auditors in detecting fraud (Asare et al. 2015).

Conclusion
This study uses semi-structured interviews with external auditors to explore how external auditors use and perceive the relative significance of fraud factors (i.e.integrity, motives, opportunities, capabilities, and rationalisation) when assessing FFRR during an audit.The findings show that top management's integrity and motives are, in theory, the most critical factors in fraud risk assessment.However, a self-selection bias pushes external auditors not to evaluate these essential factors because they are too complicated to assess, and not enough guidance is provided to them by standard setters or audit firms.In turn, external auditors concentrate mainly on evaluating the opportunities to commit fraud when assessing fraud risk.This may lead to non-optimal fraud risk assessment and, ultimately, non-optimal audit quality.
Overall, it recommends that future research, audit firms, and audit regulators must develop guidance on incorporating these two significant fraud factors in fraud risk assessments in auditing to encourage external auditors to consider them in the audit practice.How external auditors could assess and incorporate top management's motives and integrity is an understudied research area and an overlooked issue in the audit practice.
Like any other study, this study has limitations.First, it did not consider any data regarding age or gender, as this is outside the scope of the current study's aim.The study focussed on how external auditors view and use fraud factors in assessing FFRR, not the impact of external auditors' characteristics in fraud risk assessment.Future research should explore the impact of these variables on external auditors' views and practices in fraud risk assessment.Second, some issues were not raised in the interview, such as the time pressure of external auditors, access to documents and other factors that may hinder a successful audit.Future research should expand the current study by exploring these issues and their impact on fraud risk assessment in the audit practice.Future studies should also explore external auditors' views on the fraud pentagon in fraud risk assessment, as the current study did not cover this fraud model.Despite these limitations, this study is among very few empirical studies (Boyle et al. 2015;Huang et al. 2017) that explore how external auditors view and use the relative significance of fraud factors in fraud risk assessment.However, it is the first to provide a rationale for external auditors' views and practices in this regard.
. Nevertheless, external auditors also have responsibility for fraud detection detailed in the International Standard on Auditing (ISA) 240: The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements (IAASB 2009) and its American counterpart Statements on Auditing Standards (SAS) 99: Consideration of Fraud in a Financial Statement Audit (ASB 2002).The International Standards in Auditing (ISAs) are used globally except in the United States of America, where Statements on Auditing Standards (SASs) are used.However, there is no difference between ISA 240 and SAS 99 regarding external auditors' fraud responsibilities

Table 1
Demographics of Interviewees a ACCA: Associate Chartered Certified Accountant of the Association of Chartered Certified Accountants (ACCA) b CFE: Certified Fraud Examiners, Association of Certified Fraud Examiners (ACFE) c FCA: Fellow Chartered Accountant of the Institute of Chartered Accountants in England and Wales (ICAEW) d CPA: Certified Public Accountant of the American Institute of Certified Public Accountants (AICPA) e ESAA: Egyptian Society of Accountants and External auditors a ACA: Associate Chartered Accountant of ICAEW Table 1

Table 3
Ranking of fraud factors from the external auditors' perspectives-Total number of participants (n): 24 This table summarises external auditors' perceptions of the significance of fraud factors in assessing FFRR.This was a closed-ended question (CE)."n" represents the number of participants who indicated each fraud factor's significance.The other category was used to encourage participants to share any other fraud factors that could be significant in assessing FFRR