If you've spent time in a public accounting firm, you’ve probably encountered a client whose situation made you feel uneasy. Not because the numbers were obviously wrong, but because something about the company’s culture or reputation didn’t sit right with you. Maybe there were rumors in the trade press, or perhaps a Google search turned up some uncomfortable results. The question of what auditors are supposed to do with this kind of information, and what the standards actually require them to do, has been a source of professional debate for years. Just how far should auditors’ responsibilities for clients’ noncompliance with laws and regulations (NOCLAR) extend?
Accounting Standard (AS) 2405, Illegal Acts by Clients, was adopted by the Public Company Accounting Oversight Board (PCAOB) after it inherited the AICPA standards in 2003. The standard itself hasn’t changed much since it was originally adopted by the AICPA in 1989, and it remains the governing standard for auditor responsibilities around NOCLAR.
Notably, the standard doesn’t require auditors to perform specific procedures to detect illegal acts, which has drawn sustained criticism from investors and regulators who believe auditors should be doing more. The PCAOB proposed a significant revision under PCAOB Release 2023-003, but the proposal drew heavy opposition, and its planned 2024 adoption was deferred. The revision remains on the PCAOB’s active standard-setting agenda.
A study recently published in the Journal of Business Finance & Accounting, “Auditors’ Response to Client Corruption: Evidence From Google Document Frequency,” addresses two questions at the center of the debate: Can auditors detect client corruption risk before formal violations are revealed, and if so, are they responding to that risk in a way that actually improves audit quality?
According to the study’s researchers Nerissa C. Brown, professor of accountancy and associate dean at the University of Illinois Urbana-Champaign, and co-authors Jennifer R. Joe (Virginia Tech), Kecia Williams Smith (North Carolina A&T State University), and Henry Wang (Miami University), the answer to the first question is yes. Their answer to the second question is more complicated.
To measure client corruption risk, the researchers needed a way to capture both actual and perceived illegal activity at the individual firm level and to do so before any formal charges or enforcement actions were filed. Their approach was to use Google.
Drawing on a methodology developed by economists Albert Saiz and Uri Simonsohn, the researchers constructed a “Google document frequency” measure. Their reasoning for this was straightforward: The more a phenomenon actually occurs, the more likely someone is to write about it online. By counting the number of Google search results that placed a company’s stock ticker symbol within 16 words of the word “corruption,” the researchers were able to produce a firm-specific, year-by-year estimate of noncompliance risk.
Ticker symbols were used rather than company names because they’re uniquely assigned. For instance, searching “AAPL” returns Apple-specific results in a way that searching “Apple” doesn’t. The researchers also excluded tickers with common alternative meanings to reduce noise in the data, and they scaled their measure by the total number of Google searches for a given ticker symbol.
This approach draws on a concept known as “wisdom of crowds,” which highlights how large amounts of decentralized information, when properly aggregated, can reliably signal phenomena that are otherwise difficult to observe directly. The same principle has been applied in studies using social media posts to predict consumer behavior and company revenues.
The Google document frequency measure also holds up to empirical scrutiny. The researchers validated it against three independent databases of actual corporate noncompliance: the RepRisk database, Audit Analytics Litigation database, and Stanford Law School Foreign Corrupt Practices Act (FCPA) Clearinghouse. Through this, the researchers found that firms with higher corruption scores were significantly more likely to face federal litigation, FCPA violations, and other corporate misconduct events in the following year. The Google-based measure predicted future legal trouble rather than simply coinciding with it.
The study’s first main finding is that auditors are already responding to elevated client corruption risk. Firms moving from the lowest to the highest corruption decile faced an approximate 3% increase in audit fees, and this result held after controlling for local political corruption and actual instances of noncompliance.
The researchers also tested whether those higher fees reflected genuine additional work or simply a risk premium charged for accepting a riskier engagement. They used the unexplained portion of audit fees (the amount not accounted for by standard determinants of client complexity and engagement characteristics) as a proxy for unobserved audit effort.
In doing so, the researchers found that the fee increases associated with higher corruption risk were driven by additional effort, not premium pricing: “We find that our results are driven by increased audit effort rather than simply higher fee premiums charged to corrupt clients,” the researchers note. That additional effort included expanded legal consultations, greater use of specialists, more extensive audit committee communications, and the involvement of more senior engagement team members.
Despite higher audit efforts and fees, clients with high corruption risk were still significantly more likely to restate their financial statements in subsequent periods. “Although auditors appropriately price for noncompliance risk, their execution of the audit does not fully adjust for the risk identified,” the researchers conclude.
Overall, the audit error analysis makes this conclusion concrete. Clients with high Google document frequency scores showed a significant increase in “false negatives,” where the auditor doesn’t flag an issue and the client later restates. In other words, auditors were more likely to miss material problems with clients at firms where corruption risk was highest.
Prior research suggests that when auditors face elevated risk, they tend to expand the extent of their testing without making sufficient changes to the nature of their tests. In fact, more invoice testing using the same approach won’t uncover a sophisticated bribery arrangement. Addressing corruption risk effectively requires changes to what procedures are performed, not just how many.
For certified public accountants (CPAs), the key lesson from this study is that recognizing corruption risk isn’t enough—the audit response also has to change. Firm-specific risk assessment needs to go beyond regional or industry-level corruption indicators.
“Our evidence is noteworthy because our corruption measure incorporates both actual and perceived corruption … and has a broad corruption focus that moves beyond the political or foreign corruption considered in prior work,” the researchers explain.
Importantly, the researchers also note that any engagement team with internet access can run structured searches for firm-specific online corruption signals during audit planning. Simple document-frequency counts can serve as a practical tool for noncompliance risk assessment, one that works alongside existing procedures rather than replacing them.
The study also raises the question of legal and regulatory expertise within audit teams. A common objection to expanding auditor NOCLAR responsibilities is that auditors lack the legal training to recognize complex violations. While the researchers found that auditors have the capacity to identify corruption risk, the problem they encounter is translating that identification into audit procedures that work. Therefore, firms should consider targeted training and increased use of specialists who can help engagement teams recognize warning signs across a range of regulatory environments, including environmental, labor, and securities law.
The PCAOB’s proposed revision to AS 2405 remains deferred, but the subject hasn’t gone away. This study provides evidence that’s directly relevant to regulators’ concerns: Auditors can detect corruption risk, and they do price for it. What’s less clear, however, is whether their procedures (once those higher fees are set) are designed to catch the problems that corruption risk signals.
“[Our] study provides evidence suggesting that revisions to AS 2405 could achieve improved auditor performance surrounding their clients’ NOCLAR,” the researchers conclude.
For CPAs, the practical implication is that the tools for better corruption risk assessment are already available. Using a Google search to check for firm-specific corruption is a low-cost step that’s worth taking. But it’s also a step that needs to be followed by redesigned audit procedures that match the risks those signals reveal—and that’s where the profession still has room to improve.
Joshua Herbold, Ph.D., CPA, is a teaching professor of accountancy and associate head in the Gies College of Business at the University of Illinois Urbana-Champaign and sits on the Illinois CPA Society Board of Directors.