An analysis of external and internal auditors’ use of ISA 240 red flags: The impact of auditors’ estimation of fraud pervasiveness

Abstract The purpose of this study is to investigate how external and internal auditors, respectively, assess the importance of and indicate the use of fraud risk factors (red flags) in their efforts to detect fraudulent financial statements and misappropriation of assets. Further, this study attempts to explain the effect of auditors’ estimation of fraud prevalence in the business environment on their assessment of fraud risk and their subsequent use of fraud risk factors. Empirical data were collected by means of a questionnaire that was sent to external auditors working for global and local audit firms in Saudi Arabia and to internal auditors working for various types of private companies. The results of the study revealed that the use of fraud risk factors by external and internal auditors is positively associated with their estimation of fraud pervasiveness in the business community. The results showed no significant differences between external and internal auditors in their use of fraud risk factors, in general. However, the results provide evidence of an association between the perceived importance of a specific risk factor and its extent of use. The implications of the results should motivate external auditors to utilize the experience and information available to internal auditors in assessing the risk of fraud.


Introduction
Despite the attention and efforts of regulators, investors, and other related parties to prevent, detect, and combat fraud, cases and consequences of fraud are increasing from year to year around the world. Globally, the Global Economic Crime and Fraud Survey 2018 conducted by PriceWaterhouseCoopers (PWC) revealed a significant increase in fraud incidences reported by the surveyed companies all around the world. Of the 7,200 surveyed companies from 123 different countries, 49% of respondents confirmed that their companies had been victims of fraud or economic crime, compared to 36% in 2016, 37% in 2014, 34% in 2011, and 30% in 2009 respectively ((PWC), P, 2018). The major responsibility for fraud detection and prevention lies with the top management of the organization. Top management responsibility includes establishing effective internal controls, maintaining sound financial reporting practices, and selecting appropriate tools and mechanisms to mitigate and prevent fraud (Gramling & Myers, 2003;Lin et al., 2011;Omar & Abu Bakar, 2012). However, both external and internal auditors play a critical Previous studies on the importance of fraud risk factors have primarily explored the perception of either external auditors or of internal auditors, independently, see for instance, (Asare et al., 2008;Blay et al., 2007;Hashim et al., 2019;Majid et al., 2001;Mock & Turner, 2005;Smith et al., 2005). Results from those studies have revealed inconclusive findings concerning which are the most effective fraud risk factors (Gullkvist & Jokipii, 2013). Furthermore, the majority of prior research on fraud risk factors has investigated the perceived importance and ranking of the factors, but less attention has been paid to the actual use of the red flags by external and internal auditors. In addition, prior research has not explained why external or internal auditors might perceive certain factors to be more or less important, and how auditors' perception of the importance of red flags could impact their actual use.
In light of these deficiencies, this study attempts to provide explicit evidence on the differences between the perceptions of external auditors and internal auditors concerning the importance of red flags and the extent of their use. More importantly, this study investigates how the perceived importance and extent of use of the red flags is influenced by auditors' expectations and assessment of fraud pervasiveness throughout the country. The remainder of this paper is organized as follows: Section 2 reviews the literature and develops the proposed research hypotheses. Section 3 describes the methods used for designing the research instrument, and for collecting, and analyzing the data. Section 4 presents the results and discusses the findings. Section 5 concludes the study and provides insights for future research.

Literature review and development of hypotheses
Fraud has cost businesses huge losses (Beasley et al., 2010;Huang et al., 2017) and has resulted in the collapse of large companies such as Enron and WorldCom (Biegelman, 2013;Porter et al., 2012). In most cases, the fraud was perpetrated internally by management or employees (Phua et al., 2010). Researchers who have investigated the perception of users of financial statements regarding the objectives of auditors, revealed that users of the financial statements consider fraud detection to be the main objective of auditors, which indicates their concerns of the severity and pervasiveness of fraud (Halbouni, 2015).
While auditors view fraud prevention as a management responsibility, users of financial statements' expect auditors to detect fraud as a part of their audit responsibility (Al-Dhubaibi, 2020; Koornhof & Du Plessis, 2000). However, in contrast to public expectations, fraud in the financial statements may not be detected even when auditors perform the audit work in accordance with international standards on auditing. The specific responsibilities of auditors for fraud detection and prevention are stated in the ISA 240 (Chong, 2013), which provides guidance for auditors concerning fraud risk assessment and response (Gullkvist & Jokipii, 2013). According to this standard, auditors are responsible for performing appropriate audit procedures and considering the audit risk factors to ensure that the audited financial statements are free from material misstatements caused by frauds (intentional behavior) or errors (unintentional behavior). From the perspective of the audit profession, auditors are compelled to comply with all stipulated requirements of ISA 240 (Lou & Wang, 2009).
Previous research has emphasized the role of both external and internal auditors in fraud detection and prevention e.g., (Church et al., 2001;Gullkvist & Jokipii, 2013;Mock & Turner, 2005;Moyes et al., 2013;Norman et al., 2010;Petraşcu & Tieanu, 2014;Smith et al., 2005). These studies reported the use of fraud risk factors by external and internal auditors to assess the risk of fraud and to respond appropriately to any such assessed risk. For instance, Church et al. (2001) found that the internal auditors in their study assigned more tests for detecting fraud when the general income was greater than expected and an earnings-based plan was used. Mock and Turner (2005) stated that a decision made by internal auditors to change the planned audit program is significantly influenced by the identification of fraud factors and overall client risk. While internal auditors work to understand the cause of fraud and find suitable ways to prevent more fraud in the future, external auditors attempt to detect it (Norman et al., 2010). In their recent study, Hijazi and Mahboub (2019) asked auditors in Lebanon whether the ISA 240 red flags assist them in detecting fraud. Auditors' responses showed that they place high importance on the red flags stipulated by ISA 240 in fraud detection.
Auditors with a better understanding of fraud types, the way it occurs, and its relative rate of occurrence are more capable of using the fraud risk factors (red flags) to identify fraudulent activities and detect fraud (Carpenter & Mahoney, 2001;Omar & Abu Bakar, 2012). In general, the purpose of using red flags is to direct auditors' attention towards the possibility of fraud occurring in the client's financial statements (Pincus, 1989) and to create a better professional judgment about the assertions made in the financial statements (Glover & Aono, 1995). Red flags could alert the auditors to the existence of fraud and facilitate early warnings to the clients (Smith et al., 2005).
Fraud risk assessment by external auditors and the function of the internal audit are affected by client-specific circumstances (Goodwin, 2004) and the particular country context (Martinis et al., 2011). Krambia-Kapardis et al. (2010) noted that although the use of red flags by auditors might not lead to the discovery of all fraud cases, they increase auditors' sensitivity to high-risk fraudulent activities. The Association of Certified Fraud Examiners ((ACFE), A. o. C. F. E, 2008) reported that internal auditors detected fraudulent incidences in 19% of fraud cases discovered in 2008 compared to 9% that were detected by external auditors.
Accordingly, Martinis et al. (2011) suggested that, despite the application of auditing standards across countries, audit planning and processes should be tailored to the specific economic and social conditions of each country. In this context, this study expects that auditors attention to and efforts towards fraud detection are influenced by their expectations of the level of fraud pervasiveness in their country. As a consequence, use of the red flags by external auditors and by internal auditors is expected to be associated with their perception about the level of fraud pervasiveness in the business community. Based on previous research findings and arguments, it is hypothesized that: H1: Internal auditors' estimation of the pervasiveness of fraud in Saudi Arabia is higher than external auditors' estimation.
H2: There is a significant and positive association between the estimation of fraud pervasiveness and the use of fraud risk factors by both external and internal auditors. Krambia-Kapardis et al. (2010) argued that the legal responsibility of external auditors to detect material misstatements in general, and those related to fraud in particular, has increased in recent years. However, external auditors have less information about the audit client compared to internal auditors. External auditors are outsiders to the auditee's company, with limited presence in the client's premises. Hence they need to consider the use of fraud risk factors in order to assess the risk of material misstatements as a result of fraudulent activities (James, 2003;Wells, 2002). To detect fraud or even increase the chance of detection, ISA 240 directs auditors to consider the incentives for its occurrence, the opportunities for potential perpetrators, and their attitudes or possible rationalization. Knowing the motive and the opportunity of a person to commit fraud and any rationalization afterward, empowers the auditor to identify fraud risk incidence and perform the proper audit procedure to detect it (Krambia-Kapardis et al., 2010). For instance, auditors have used an abnormal increase in reported income, suspected bonus plans, and an increase in restrictive debt covenants as red flags for audit risk identification (Church et al., 2001). Both external and internal auditors play a critical role in detecting and preventing corporate and financial reporting fraud (Law, 2011;Omar & Abu Bakar, 2012) and establishing effective corporate governance practices (Halbouni, 2015).
While external auditors are expected to detect fraud during the audit work time span (Al-Dhubaibi, 2021), internal auditors are expected to prevent its occurrence as watchdogs throughout the year. Alleyne and Howard (2005) pointed out that internal auditors are better equipped to detect and prevent fraud. Internal auditors play an important role in preventing asset misappropriation and reducing the volume of corruption within their organizations (Abbott et al., 2012;Burnaby et al., 2011). Research studies have investigated the perceived importance of red flags related to the two main fraud types, namely: misappropriation of assets, and fraudulent financial reporting. Gullkvist and Jokipii (2013) found that internal auditors perceive the importance of red flags related to detecting misappropriation of assets to be more important than red flags associated with fraudulent financial reporting, whereas external auditors perceive red flags of both types of fraud to be important. Internal auditors work inside the organizations and use a range of techniques to uncover fraud, such as scrutinizing internal control, performing surprise audits, communicating with whistleblowers, and overseeing the financial reporting process (Burnaby et al., 2011), thus they have less need to use the fraud risk factors than external auditors who are outside the organizations (Apostolou et al., 2001).
The hypothesized differences between external auditors and internal auditors regarding the importance and use of red flags in the investigation of fraud is justified by the explicit differences between the two categories of auditors with respect to their professional role and the nature of their linkages to the organizations. Furthermore, the positioning of each group within the financial reporting process intensifies the differences. In this connection, internal auditors are insiders, part of the organization concerned; hence they are in a position to oversee the financial reporting process throughout the fiscal year. In contrast, external auditors are outsiders to the auditee; therefore, they merely review the results of the financial reporting process (financial statements) after its completion, except for the limited effects of interim audits. According to Gullkvist and Jokipii (2013), the differences in the materiality magnitude and the approach of its assessment between external and internal auditors, contribute to the differences they may place on the importance of each fraud risk factor and the extent of its use. Since external auditors are likely to be auditing many firms, compared to internal auditors who are dealing with only one firm, the external auditors probably have a greater need to use the fraud risk indicators to assess the probability of fraud occurrence (Moyes et al., 2013). Based on previous research findings and the arguments raised, it is hypothesized that: H3: External auditors place more importance on the fraud risk factors in detecting fraud than internal auditors do.

H4: External auditors use the fraud risk factors for detecting fraud more than internal auditors do.
H5: There is a significant association between the level of importance both external and internal auditors place on a specific risk factor and the extent of use of that factor.

Instrument design
This study used a survey instrument to collect the empirical data from two groups of respondents (external auditors, and internal auditors). Two sets of the questionnaire were prepared and tailored specifically to each group of respondents. Each set contained identical questions and items that aimed to test the research hypotheses. The differences between the two sets of questionnaires were related to the demographic information that varied between external auditors and internal auditors. In addition to the demographic portion, the questionnaire contained two sections. The first section sought the auditors' perception of the degree of fraud pervasiveness within the business community in Saudi Arabia. Auditors' estimation of fraud pervasiveness was measured using a seven-point Likert scale, ranging from "1 = Limited" to "7 = Pervasive". The second section of the questionnaire was designed to investigate the perceived importance and actual use of 30 selected fraud risk factors that were extracted from the ISA 240. This section measured the auditors' perception of the importance of fraud risk factors in assessing and detecting fraud using a seven-point Likert scale that ranged from "1 = Not Important" to "7 = Extremely Important". The actual use of fraud risk factors as reported by auditors was measured in this section as well, using a seven-point Likert scale that ranged from "1 = Never Used" to "7 = Extremely Used". Fraud risk factors included in the questionnaire were selected from two types of risk factors: the first type is related to misstatements arising from fraudulent financial reporting (17 factors), and the second type is related to misstatements arising from misappropriation of assets (13 factors). Both types of risk factors were selected based on the framework of the fraud triangle theory. Of the 17 factors that are related to misstatements arising from fraudulent financial reporting, four factors are classified under the heading of Incentives or Pressures, four factors are classified under Opportunities, while the rest are classified under Attitudes or Rationalizations of fraud drivers and enablers. Similarly, risk factors related to misstatements arising from misappropriation of assets were also selected from the three classifications of Incentives/Pressures, Opportunities, and Attitudes/Rationalizations.

Data collection
The sample of external auditors included the audit firms and offices registered with the Saudi Organization for Certified Public Accountants (SOCPA), the accounting and auditing professional body of Saudi Arabia that oversees professional practices in the country. The questionnaire set for external auditors was disseminated to auditors through channels, including emails and electronic forms, as well as personally submitting a hardcopy of the questionnaire to a number of auditors at the premises of their audit firms. Similarly, the questionnaire was delivered to internal auditors working in Riyadh province via emails and personal visits to a number of companies. A total of 105 valid responses (50 responses from external auditors, and 55 responses from internal auditors) were received and used. Table 1 presents the demographics of the respondents and their organizations. External auditors are working for global (42%) and local (58%) audit firms with different positions of partners, audit managers, senior auditors, and auditors. Internal auditors work for several types of firms with sizes ranging from very small to very large. 24% are heads of internal audit departments, 18% are senior internal auditors, and the rest are internal auditors.

Analytical methods used
The Independent Samples T-Test was used to explore variations between external and internal auditors with regard to their perception of fraud pervasiveness and fraud risk factors effectiveness.
The T-test analysis was further used to test whether the actual use of fraud risk factors by external auditors is statistically different from that of internal auditors. The analysis was performed on two levels. First, all factors were aggregated and analyzed to test the hypotheses. Then, a detailed test was run to find out the variations between the two groups with respect to the importance and use of each risk factor independently. Finally, Pearson Correlation analysis was used to test the relationship between auditors' perception of fraud pervasiveness and the use of fraud risk factors, as well as the relationship between the perceived importance of each factor and the extent of its use.

Empirical results and discussion
The following subsections present the analysis and the empirical results of hypotheses testing. Table 3 display the analysis of variances between external and internal auditors regarding their assessment of the degree of fraud pervasiveness in Saudi Arabia. Further, they demonstrate the association between the degree of fraud pervasiveness as perceived by auditors and the use of fraud risk factors by those auditors. Tables 4 and 5 present the analysis of variances between external and internal auditors concerning their respective perceived importance of the fraud risk factors in aggregate and the importance of every single factor. Tables 6 and 7 illustrate the analysis of variances between external and internal auditors regarding their use of the fraud risk factors on both an aggregated and single-factor basis, whereas Table 8 provides an analysis of the association between the perceived importance of each fraud risk factor and its use.  Table 2, it is assumed that the population variances are relatively equal. Hence, the assumption of variance homogeneity has been met and the data of the equal variance estimate was used to examine the differences between external and internal auditors.

External vs internal auditors' estimation of fraud pervasiveness in Saudi Arabia
Auditors were asked to rate, on a seven-point Likert scale, their estimation of the fraud pervasiveness within businesses in Saudi Arabia. As presented in Table 2, the mean score of the external auditors' responses is 2.64, while the mean score of the internal auditors' responses is 3.89. The variation between the external and internal auditors' estimation of fraud pervasiveness is significant at t = 5.814, (P < 0.01). The internal auditors' estimation of the rate of fraud cases' occurrence within organizations in Saudi Arabia is higher than that of external auditors. In accordance with these results, Hypothesis one is supported.
Unlike external auditors who have limited access to their clients' information, internal auditors have full access and authority to their organizations' operational and financial information. Hence, they are in a position to make more precise expectations about the probability of fraud occurrence in similar organizations. This result confirms the findings of prior research that emphasized the role of information available for internal auditors to prevent and detect fraud e.g., (Asare et al., 2008;Burnaby et al., 2011;Petraşcu & Tieanu, 2014). While external auditors' work starts at the end of the accounting cycle with the aim of ensuring the fairness and truthfulness of its outputs (the financial statements), internal auditors' work is continues throughout the accounting cycle. In addition, external auditors collect audit evidence on a test basis (sample of transactions) whereas internal auditors oversee the financial transactions and operational activities throughout the entire year. Further, internal auditors can be involved in the internal control systems of their organizations. Hence, internal auditors have a wider view of their organization and a deeper knowledge of its financial and operational activities. Accordingly, internal auditors' capacity to detect fraud incidents is greater than that of external auditors. This is consistent with the findings of the Association of Certified Fraud Examiners ((ACFE), A. o. C. F. E, 2008) report which indicates that internal auditors have detected more fraud cases than external auditors did.

The association between auditors' estimation of the pervasiveness of fraud in the business community and their use of fraud risk factors
External and internal auditors were requested to indicate their degree of use of each fraud risk indicator. The responses of both external and internal auditors to the 30 fraud risk indicators were aggregated and the average use of the 30 risk indicators was obtained for each auditor in the two groups. Following that, the association between the overall average scores of the fraud risk factors and the auditors' estimation of fraud pervasiveness was tested. The results of the Pearson Correlation analysis presented in Table 3 indicate a significant and positive association between the auditors' use of the fraud risk indicators and their estimation of the fraud pervasiveness in the business community. Therefore, Hypothesis two is supported.

Mean Scores Levene's Test for Equality of Variances
External auditors' assessment of fraud risk in the client's organization is influenced by their general assessment of the fraud pervasiveness in the business community as a whole. This applies to internal auditors as well: the higher the estimation by internal auditors of fraud pervasiveness, the higher the perceived possibility of fraud occurrence in their respective organizations. When auditors believe that the rate of fraud cases in the business community is high, and consequently, the possibility of its occurrence in the organizations of their clients' (for external auditors) or their own organizations (for internal auditors) is high, they will use the fraud risk indicators to make the appropriate fraud risk assessment and design an appropriate audit program to respond to the assessed risk. This result supports the suggestion of Martinis et al. (2011) that the audit planning and processes should be tailored to the specific economic and social conditions of each country.

External vs internal auditors' perceived importance of fraud risk factors
The independent groups t-test analysis was used to find whether differences existed between external and internal auditors' perceptions regarding the importance of fraud risk factors. The data were screened for normality and homogeneity of variances using the same procedures that have been discussed in section 4-1, above. Normality analysis showed that the response scores are normally distributed. However, Levene's test for equality of variance revealed a significant variance, indicated by the probability value of (P < 0.05). Hence, the t-value and the two-tail significance for the unequal variance estimates were interpreted. To test hypothesis 3, the responses from each external and internal auditor on the importance of the selected 30 fraud risk factors have been aggregated and an average score of the perceived importance of the 30 fraud risk factors was obtained for each auditor. Then, the overall mean score of the external auditors and the overall mean score of the internal auditors were compared to find out whether there is a significant difference between the two groups.
The results of the t-test analysis presented in Table 4 show that there is a significant difference between external auditors and internal auditors' perception of the importance of the fraud risk factors. External auditors place more importance on the role of fraud risk factors, with a mean score of 4.51. On the other hand, internal auditors perceive the fraud risk factors to be moderately important in fraud detection efforts with a mean score of 3.56. Thus, external auditors' perception of the importance of the fraud risk factors is significantly higher than that of internal auditors with a difference of t = 4.823, (P < 0.01). Accordingly, Hypothesis three is supported.
These results are in line with prior studies such as Burnaby et al. (2011) and Apostolou et al. (2001) who explained that internal auditors use a range of techniques to uncover fraud, such as performing surprise audits, communicating with whistleblowers, and overseeing the financial Table 3

Use of Fraud Risk Factors
The pervasiveness of fraud in Saudi Arabia

N 105
*.Correlation is significant at the 0.05 level (2-tailed). reporting process, thus they have less need to use the fraud risk factors than external auditors who are outsiders to the organizations. External auditors perform their audit work mainly at the end of the fiscal year to express an opinion about the financial statements. As such, they plan and perform audit work to gain reasonable assurance that the financial statements are free from material misstatements caused by errors or fraud. In doing so, auditors examine the client's records and transactions on a test basis. In other words, they examine only a small portion of the transactions and records that are selected as a sample for the purpose of audit. However, the sample size and composition which auditors decide to select depends on their personal assessment of the probable material misstatement and assessed fraud risk. To assess the risk of fraud, external auditors need to use the fraud risk indicators to estimate the probability of fraud occurrence and the area in which it is expected to be committed. The results presented in Table 4 emphasize the expectation of this study about the greater importance given to fraud risk factors by external auditors. In contrast, internal auditors work for a single organization throughout the year. They are able to verify the documents, records, systems, internal controls, and any other operational or financial processes to investigate the possibility of any misstatements or fraud. As a result, they place less importance on fraud risk indicators than external auditors. These results are consistent with Gullkvist and Jokipii (2013) who indicated that external auditors report a higher perceived importance of fraud risk factors related to fraudulent financial reporting. However, their study showed that internal auditors place more importance on the fraud risk factors related to the misappropriation of assets. The results of the present study are also in conformance with the findings of other studies which have indicated that external and internal auditors have different perceptions about the importance of fraud risk factors based on the type of fraud or the conditions that could lead perpetrators to commit fraud (Halbouni, 2015;Moyes, 2007). Table 5 provides a detailed analysis of the variations between external and internal auditors with regard to the importance they attribute to each fraud risk factor. The results of the independent groups t-test (t-value and p-value) showed that the variation between external and internal auditors is highly significant at (P < 0.01) for 19 factors, significant at (P < 0.05) for five factors, moderately significant at (P < 0.10) for two factors, and insignificant for only four factors. The three factors that showed the highest variation between external and internal auditors are; (1) Inventory items that are small in size, of high value, or in high demand, (2) Large amounts of cash on hand or processed, and (3) Inadequate system of authorization and approval of transactions (for example, in purchasing). The four factors that showed insignificant variation between external and internal auditors are factors related to management behavior. Behavioral factors such as the enforcement of the entity's values or ethical standards, low morale among senior management, and displeasure or dissatisfaction with the entity are difficult to measure and highly subjective. Therefore, both external and internal auditors indicated relatively low perceived importance for those factors with insignificant differences between the two groups. The significance levels are indicated as: *significant at the 0.10 level; **significant at the 0.05 level; and ***significant at the 0.01 level.

External vs internal auditors' use of fraud risk factors
Hypothesis four proposes that external auditors use the fraud risk factors for assessing fraud risk more than internal auditors do. This proposition has been tested using the independent groups t-test. The results of Levene's test for equality of variance showed a probability value that is greater than 0.05. Hence, it is assumed that the population variances are relatively equal. Given that the assumptions of normality and equality of variance have been met, the t-test results of equality of variance estimates were interpreted. The results presented in Table 6 showed no significant variation in the use of fraud risk factors between external and internal auditors. Therefore, Hypothesis four is not supported. The mean score of external auditors' use of fraud risk factors is (3.66) which is close to the mean score of internal auditors (3.58). The extent of use of fraud risk factors by internal auditors is in conformity with the degree of importance they attribute to the factors. However, the moderate level of use of the factors by external auditors, despite the higher perceived importance, could be attributed to the low estimation of fraud pervasiveness by external auditors. It was evident, as discussed in section 4.2 earlier, that there is a significant association between auditors' estimation of fraud pervasiveness and auditors' use of fraud risk factors. Consistent with the results of aggregated use of the fraud risk factors that is presented in Table 6, the detailed analysis of the t-test for the use of each fraud risk factors displayed in Table 7, showed no significant differences between external and internal auditors in the use of 23 factors out of the surveyed 30 factors. Table 8 presents the Pearson Correlation of the perceived importance of each fraud risk factor, by both external and internal auditors, and its extent of use. The results showed that the level of importance attributed to each factor is highly correlated with its extent of use. In other words, the results indicate a positive and significant association between the importance attributed to a certain fraud risk factor and the extent of use of that factor. The association of all factors is significant at (P < 0.05) level. Accordingly, Hypothesis five is supported. International Standard on Auditing 240 provides a large number of audit risk factors that auditors can use in fraud risk assessment. Further, the standard states that these factors are merely examples of a wide spectrum of factors that auditors could use based on their experience and professional judgment. Thus, the auditors will select and use the factors which they believe are effective and important in assessing fraud risk and eventually in detecting the fraud.

Conclusion
This study has investigated the attitudes of external and internal auditors towards the effectiveness of fraud risk factors that were introduced by the International Standard on Auditing 240 in assessing the risk of and detecting fraud. Further, this study probed the expectations of the external and the internal auditors regarding the rate of fraud perpetration in the business community in Saudi Arabia and how those expectations are associated with the extent of use of fraud risk factors. In addition, this study explored the variations between the external and the internal auditors regarding their views and use of fraud risk factors. The results indicated that the internal auditors' evaluation of the possibility of fraud occurrence is higher than the external auditors' evaluation. This variation can be attributed to the close involvement of internal auditors in the businesses and organizations they work for. Hence, the internal auditor is in a position to evaluate the management and employees' behavior and attitudes. The results further revealed a significant and positive association between auditors' estimation of fraud pervasiveness in the immediate corporate environment and their actual use of fraud risk factors introduced by ISA 240. An auditor's estimation of fraud pervasiveness in the overall business community will be reflected in his or her assessment of fraud risk in a specific organization. The significance levels are indicated as: *significant at the 0.10 level; **significant at the 0.05 level; and ***significant at the 0.01 level.
The results showed that external auditors place more importance on the fraud risk factors in assessing and detecting fraud than internal auditors do. However, the results showed that though external auditors place more importance on the fraud risk factors when compared to internal auditors, their application of the factors is at the same level as that of internal auditors. Finally, the results provide evidence of the association between the level of importance both external and internal auditors place on a specific risk factor and the extent of use of that factor. This study contributes to the literature in several ways. First, it highlights the response of two types of auditors to the fraud risk factors proposed by standards setters. Further, this paper is the first paper (to the best of our knowledge) that investigates the association between the perceived fraud prevalence in the wider business environment and the use of fraud risk factors for a particular audit assignment (company). Finally, this paper provides evidence that auditors are selective when using fraud risk factors based on their experience and the personal perceived importance of each factor. On the other hand, this study contributes to the audit profession through the proven importance of understanding the audit environment, particularly the prevalence of fraud, in the efforts of auditors to successfully detect and uncover fraud. This study did have some limitations. First, the subjectivity of answers is a common limitation of the survey type research. Another limitation was the low response rate from both external and internal auditors. Future research may improve the investigation by employing other methodological approaches such as experimental methods to obtain more objective and conclusive results about the use of red flags by external and internal auditors.