THE ACCOUNTING REVIEW American Accounting Association

Vol. 93, No. 6 DOI: 10.2308/accr-52077


November 2018
pp. 331–355

Management’s Responsibility Acceptance, Locus of Breach, and Investors’ Reactions to Internal Control Reports
Downloaded from aaajournals.org by Kings College London-FWIC Journals on 08/27/19. For personal use only.

Hun-Tong Tan
Nanyang Technological University

Yao Yu
University of Massachusetts Amherst
ABSTRACT: The triangle model of responsibility (Schlenker, Britt, Pennington, Murphy, and Doherty 1994) predicts
that the extent that investors hold management responsible for an adverse event is jointly determined by the links
among three elements—management, the adverse event, and the relevant accounting regulations/standards or
public norms. Applying this theory, we conduct experiments to examine how the locus of breach (external versus
internal) moderates the efficacy of management’s responsibility acceptance (higher versus lower). Our results show
that management’s higher (versus lower) responsibility acceptance is a more effective strategy in the presence of an
external breach, but not in the presence of an internal breach (Experiment 1). Follow-up experiments suggest that
this result is driven by the relative strength of the triangle links underlying the external versus internal breaches,
rather than the locus per se.
JEL Classifications: G40; M41.
Data Availability: Contact the authors.
Keywords: internal controls over financial reporting; Section 404 of SOX; management explanation; locus of
breach; triangle model of responsibility; responsibility assignment.

I. INTRODUCTION

Section 404 of the Sarbanes-Oxley Act (SOX) (U.S. House of Representatives 2002) requires that the management of a
public company assesses and discloses the effectiveness of the company’s internal control over financial reporting
(ICFR). While these disclosures are mandatory, management discussions that accompany them are voluntary and their
content at management’s discretion. In this study, we examine the joint effects of two aspects of management’s ICFR
discussions—the extent to which management accepts responsibility for a breach of an internal control over financial reporting,
and the locus of the breach—on investors’ responsibility assignment to management and subsequent assessments of the
investment potential of the company.
Examining the effects of the amount of responsibility that management accepts for a breach of an internal control is of
interest. Regulators prescribe that management is responsible for maintaining an effective internal control system and,
therefore, managers cannot fully deny their responsibility for such breaches. At the same time, standard setters acknowledge
that control systems can provide only reasonable, not absolute, assurance for internal control effectiveness (Committee of
Sponsoring Organizations of the Treadway Commission [COSO] 2013); this enables managers to accept only a small
proportion of, but not totally deny, responsibility for internal control lapses, and opportunistically use the vagueness of this
“reasonable assurance” statement as a defense in their internal control reports (Piercey 2009). Our analysis of actual 10-K
disclosures with material internal control weaknesses, based on a random sample of 292 ICFR reports between 2009 and 2011,
shows that 78 percent of the reports (229 reports) include the reasonable assurance statement (see Section III and examples in
Appendix A). In the presence of such material internal control weaknesses, whether the degree of management’s responsibility
acceptance influences investors’ responsibility assignment and investment attractiveness judgments of the firm is an
unanswered question.

We appreciate helpful comments from Mark E. Peecher (editor), two anonymous reviewers, Wei Chen, Jun Han, Lukas Helikum, Mian-Lian Ho, Terence
Ng, Wei Qiang, Zheng Qiao, Steve Salterio, Premila Shankar, Rui Shen, Seet-Koh Tan, Elaine Wang, Robert Whited, Feng Yeo, and workshop
participants at Nanyang Technological University. We thank Christopher Wolfe for sharing his experimental instrument, and Matthew Starliper and Wei
Qiang for research assistance.
Editor’s note: Accepted by Mark E. Peecher, under the Senior Editorship of Mark L. DeFond.
Submitted: September 2014
Accepted: March 2018
Published Online: March 2018

We also examine whether this effect is contingent on another aspect of management explanation—the locus of breach
(hereafter, breach); namely, whether the breach that leads to the discovery of an internal control weakness arises from an inside
party (e.g., a sales representative hacking into the company’s computer system) or an outside party (e.g., an outside hacker; see
Appendix A for examples). Examining the effect of internal control breaches is particularly important in the context of an
information technology security breakdown. An investigation report of corporate data breaches (Verizon 2016) shows that in
2015, a total of 64,199 technology breach cases that affected companies across 82 countries and a myriad of industries
occurred. Regulators have become increasingly concerned about the repercussions of data breaches and their disclosures. In
2011, the Securities and Exchange Commission (SEC 2011) issued a disclosure guidance on reporting obligations for public
companies regarding cybersecurity risks and cyber incidents. Recently, SEC Chairman Jay Clayton issued a statement
highlighting the importance of cybersecurity to the commission and market participants (SEC 2017) after the SEC experienced
a cyber-attack on its EDGAR corporate filing system (Michaels 2017). The SEC has also increased its scrutiny on companies to
assess whether they have adequately handled and disclosed cyber-attacks.1 The manner by which companies disclose such
breaches is important because companies are loath to alarm the public and prefer to avoid lawsuits, particularly when the
breaches involve customers’ personal data. The issue of breaches by internal versus external parties is particularly pertinent in
terms of information technology security—breaches by external parties are more common and well-publicized, but damage
done as a result of breaches by internal parties can cause more harm (Upton and Creese 2012; Zadelhoff 2016). How the locus
of such breaches interacts with managers’ responsibility acceptance in their disclosures to influence investors’ judgments is,
therefore, an important issue that has not been a subject of investigation.


We employ the triangle model of responsibility (Schlenker et al. 1994) to predict the amount of responsibility that
investors assign to management in the event of an internal control failure. According to this model, responsibility assigned to
the actor is determined by the strength of three links (henceforth referred to as triangle links) among the prescription, the actor,
and the event. The actor is deemed responsible when (1) the prescription (goals, rules, and scripts) that is applicable to the event
is clearly defined (the prescription-event link), (2) the prescription defines duty or obligation for the actor (the prescription-actor
link), and (3) the actor has control over the event (the actor-event link). The triangle model of responsibility provides a
theoretical framework with which to identify relevant cues that determine investor assignment of responsibility in an internal
control failure setting. Specifically, in this setting, “prescription” refers to relevant regulations and requirements for the
maintenance of a good internal control system and/or the public’s implicit expectations and norms, “actor” refers to firm
managers, and “event” refers to the breach. In applying this model, we assume that investors are aware of and attend to these
regulations, standards, and norms—this is reasonable in that the media routinely report high-profile data security breaches
(Khan 2017), associated regulatory concerns (Carey, Young, Facciponti, Moreno, and Weiss 2017), as well as litigation cases
(Kern and Bosch 2016; Bennett 2015).
We predict that the prescription-event link is stronger for external than internal breaches because standard setters and
professional bodies (e.g., Public Company Accounting Oversight Board [PCAOB] 2007; Institute of Internal Auditors [IIA]
2008; COSO 2013) make explicit prescriptions about the important role of internal control systems in preventing breaches,
but include caveats in the case of internal breaches, suggesting that prescription clarity is weaker in the latter. In addition,
media coverage (Michaels 2014; Khan 2017) of high-profile security attacks, largely by external parties, makes salient the
threat of breaches by external parties and the need for protection against these attacks. We also predict the actor-event link to
be stronger in the external than the internal breach condition because common controls, such as access controls and boundary
protection of cyber assets, are targeted more at outsiders and are less effective against insider attacks. Hence, internal
breaches are less controllable and less preventable than external breaches, as expressed in industry reports (Bamfield 2010)
and media coverage (Upton and Creese 2012; Zadelhoff 2016), which likely influence investors’ perceptions on this issue.
Finally, we predict the prescription-actor link to be similarly strong for both external and internal breaches because it is
widely accepted in litigation and regulations (Sections 302 and 404 of SOX), and also reported in the media (Coleman 2014;
DeStefano 2017; Lazarus Alliance 2017), that management is the entity responsible for maintaining an effective control
system (U.S. House of Representatives 2002), a responsibility not conditional on the locus of a breach.2 In summary,
management is deemed to be more responsible for an external breach ex ante because, compared to internal breaches,
external breaches have stronger triangle links in that they are more clearly prescribed by accounting standards and are less
difficult to predict and control.

1 Between 2015 and May 2017, the SEC has conducted over ten enforcement actions against companies with cybersecurity issues. See more details on
the SEC’s website at: https://www.sec.gov/spotlight/cybersecurity-enforcement-actions
2 It is also possible that management remains more responsible than any other party, even though management themselves are viewed as less responsible
for internal versus external breaches.

We predict that higher responsibility acceptance leads to better outcomes than lower responsibility acceptance in an
external breach situation, where the reasonable assurance argument is not persuasive, and the benefits of higher responsibility
acceptance (e.g., showing management’s integrity and willingness to remediate the weakness) become more prominent. In
contrast, we predict that lower, as opposed to higher, responsibility acceptance leads to more favorable outcomes in an internal
breach situation, where the intrusion comes from inside the company and, thus, is consistent with the message conveyed in the
reasonable assurance argument. This consistency attenuates the negative attributes (e.g., lack of integrity, reliability, and
trustworthiness) associated with lower responsibility acceptance.
We conduct a series of experiments to test our predictions. In Experiment 1, we employ a 2 × 2 between-subjects design
with responsibility acceptance (higher versus lower) and breach (external versus internal) as independent variables. We
manipulate responsibility acceptance by having management accept either a higher or lower level of responsibility for the
breach of control weakness. We manipulate the breach to be either external (an outsider hacking into the company’s computer
system) or internal (a sales representative hacking into the company’s computer system) to the company. Participants assume
the role of general investors evaluating a hypothetical firm’s investment attractiveness. They receive the firm’s background
information and the internal control disclosure, and answer questions related to their willingness to invest in the firm and the
extent to which they assign responsibility to management for the breach. Results are consistent with our predictions in the
external breach condition, but not in the internal breach condition, where we find insignificant effects.
To further test our theory and explore the insignificant results in the internal breach condition of Experiment 1, we
conducted Experiment 2, where we manipulate link strength (weak versus strong) and responsibility acceptance (higher
versus lower) between subjects, with all conditions set in the internal breach situation. In the strong-link condition, we added
a statement from an authoritative source emphasizing management’s responsibility in maintaining an effective internal
control system, and described the employee hacker as a new hire to further emphasize management’s control over the hiring
process. In the weak-link condition, we added a statement emphasizing the inherent limitations of an internal control system,
and described the employee hacker as being familiar with the company’s computer system to further weaken management’s
control over the employee’s behavior. The responsibility acceptance variable was manipulated the same way as in
Experiment 1. Results show that higher responsibility acceptance leads to lower responsibility assignment and higher
investment willingness than lower responsibility acceptance in the strong-link condition, suggesting that the efficacy of
higher responsibility acceptance when link strengths are high operates even within an internal breach condition. However,
the effect of higher versus lower responsibility acceptance remains insignificant in the weak-link condition, as in Experiment
1. To further explore this null effect, we conducted Experiment 3, where we reran the weak-link condition in Experiment 2
using proxies for more general investors, namely, participants recruited from Amazon Mechanical Turk (AMT). In contrast
to the null results in Experiment 2, we find theory-consistent results that lower responsibility acceptance leads to more
favorable evaluations and outcomes than higher responsibility acceptance in this weak-link condition. A potential
explanation to the different findings using different participant groups in Experiments 2 and 3 is that M.B.A. students,
compared to AMT workers, have greater exposure to business ethics-related course materials (e.g., management misconduct
cases) and, therefore, are likely to hold a stronger norm about management taking responsibility for an adverse event. Taken
together, our results show that it is the strength of the triangle links, rather than locus of breach per se, that moderates the
directional effect of responsibility acceptance.
Our theory and findings provide a useful framework to integrate and interpret related prior studies on the effects of
responsibility acceptance, and to also further refine their associated theories (Wolfe, Mauldin, and Diaz 2009; Elliott, Hodge,
and Sedor 2012). Wolfe et al. (2009) find that for information technology (IT) control deviations, auditors assess a deficiency to
be less significant in the presence of client concessions than denials; however, this effect disappears for manual control
deviations. We extend Wolfe et al. (2009) by showing that within an IT context, accepting more responsibility is not always
more effective than accepting less responsibility; the directional effect depends on whether the breach is external or internal.
Our paper also refines the theory and findings in Elliott et al. (2012), who examine the effect of CEOs’ responsibility
acceptance via video or text on investors’ decisions. They manipulate the responsibility acceptance/denial variable as: “(w)e are
fully responsible/not responsible for this error because we relied on the advice of our internal/external lease accounting expert
when preparing our financial statements” (Elliott et al. 2012, 521; emphasis added). This manipulation contains two constructs:
responsibility acceptance and whether the issue is related to an internal or external party. By explicitly examining these two
elements and finding an interaction between them, we provide a more accurate interpretation of their results.
The rest of the paper is organized as follows. Section II develops our hypotheses. Section III provides archival evidence
regarding the variation of our two independent variables in actual 10-K reports. Section IV provides details of Experiment 1.
Section V describes Experiments 2 and 3. Section VI concludes.

FIGURE 1
The Two-Dimension Framework of Explanations

This figure displays a 2 × 2 matrix framework for various types of explanations. The first dimension centers on whether the actor admits the harm of an act,
and the second consists of whether the actor admits responsibility. When both are admitted, the account is a concession, while denial of both constitutes a
denial. Admitting responsibility, but not harm, equates to a justification, and the opposite condition is an excuse.

II. THEORY AND HYPOTHESIS DEVELOPMENT

Management’s Responsibility Acceptance


Responsibility acceptance is one dimension generally included when people provide explanations about adverse outcomes. Such
explanations are strategies to manage the impressions on their prior actions, and can be classified into four categories: concession,
justification, excuse, and denial (Scott and Lyman 1968; Schonbach 1990). These four categories can be organized into a 2 × 2
matrix framework. The first dimension centers on whether the actor admits the harm of an act, and the second consists of whether the
actor admits responsibility. When both are admitted, the account is a concession, while non-admission of both constitutes a denial.
Admitting responsibility, but not the harm, equates to a justification, and the opposite condition is an excuse (see Figure 1).
In the context of internal control weakness disclosures, management does not have much discretion in the harm admission
dimension, since management is not allowed to deny the existence of internal control weaknesses and the potential harm to the
company when a breach occurs (SEC 2003);3 hence, justification and denial are precluded from management’s strategy set.
Choices, although limited, exist on the responsibility admission dimension. Because regulations prescribe management’s
responsibility for maintaining an effective internal control system, management is not able to completely deny their
responsibility when a breach occurs. However, management can choose to accept a large proportion of responsibility
(equivalent to a concession in Figure 1) or a small proportion of responsibility (equivalent to an excuse in Figure 1). By default,
taking only a small amount of responsibility (i.e., an excuse) implies the need for a reason. One such reason management can
use is the notion of “reasonable assurance.” According to the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) framework, “(t)he term ‘reasonable assurance’ rather than ‘absolute assurance’ acknowledges that
limitations exist in all systems of internal control, and that uncertainties and risks may exist, which no one can confidently
predict with precision. Absolute assurance is not possible” (COSO 2013, 4). The purpose of emphasizing the reasonable
assurance concept is to remind financial statement users of the limitations inherent in every internal control system, no matter
how well it is designed and operated. However, the ambiguity of the definition and scope of reasonable assurance4 enables
management to exploit the reasonable assurance statement as a means to reduce management’s own responsibility (Piercey
2009). Appendix A provides examples for both strategic (lower responsibility acceptance) and non-strategic (higher
responsibility acceptance) use of the reasonable assurance statement.
Social psychological research has investigated the efficacy of responsibility acceptance as an impression management tactic
and finds mixed results. While some studies find that high responsibility acceptance reduces negative outcomes (e.g., penalties,
perceived severity, blame, and anger) of an offence (Darby and Schlenker 1982; Snyder and Higgins 1988; Schonbach 1990; Bies
and Sitkin 1992; Dunn and Cody 2000), other studies find that low responsibility acceptance (i.e., making excuses) reduces
personal responsibility and generates more favorable outcomes (Crant and Bateman 1993; Wood and Mitchell 1981; Rosenfeld,
Giacalone, and Riordan 1995). The mixed finding indicates both benefits and costs of high/low responsibility acceptance. High
responsibility acceptance can reflect a person’s integrity, trustworthiness, and reliability, which are desirable attributes and valued
by society at large (Goffman 1971). In addition, it also indicates an intention to remediate the problem and to avoid similar ones in
the future (Bottom, Gibson, Daniels, and Murnighan 2002). However, high responsibility acceptance likely invites blame and
increases the perceived responsibility for an adverse event. On the other hand, low responsibility acceptance has the benefit of
weakening perceived personal responsibility, but has the cost of indicating the lack of integrity and unwillingness to remediate the
problem if the excuses sound invalid or unconvincing (Schlenker, Pontari, and Christopher 2001; Tyler and Feldman 2007).
Therefore, the efficacy of responsibility acceptance depends on whether the situation amplifies the benefits or costs of high/low
responsibility acceptance. We posit that one such situational factor is the locus of breach.

3 According to the SEC’s (2003, 1) implementation guidance, “(m)anagement will be unable to conclude that the company’s internal control over
financial reporting is effective if there is one or more material weaknesses in such control.”
4 The PCAOB (2007, 7) defines reasonable assurance as a high level of assurance, “understanding that there is a remote likelihood that material
misstatements will not be prevented or detected on a timely basis.” The SEC (2003) recognizes that while “reasonableness” is an objective standard,
there is a range of judgments that an issuer might make as to what is “reasonable” in implementing Section 404 and the Commission’s rules. An auditor
commented that “(t)he term ‘reasonable assurance’ leaves much to the imagination” (Goldwasser 2005, 28).

Locus of Breach and the Triangle Model of Responsibility


We use the term “locus” from the term “locus of causality” in attribution theory (Heider 1958; Rotter 1966; Weiner 1985),
which refers to whether the cause of an outcome is internal (i.e., attributable to the person) or external (i.e., situational factors).
Similarly, in our paper, “locus of breach” (or “breach”) refers to whether the breach is from within (e.g., a sales representative
hacking into the company’s computer system) or outside (e.g., an outsider hacking) the company.5 The negative outcome refers
to the consequence (e.g., change of sales orders) associated with the breach.
We employ the triangle model of responsibility (Schlenker et al. 1994) to explain how locus of breach affects investors’
judgments in the context of internal control failures. This model provides an integrative framework with linkages among the
key determinants of responsibility assignment. According to this model, the responsibility assigned to an actor is a direct
function of the strength of three linkages between the actor, the event, and the relevant prescriptions (see Figure 2, Panel A).
The three linkages are (1) prescription-event link (Link 1): whether the prescriptions (goals, rules, and scripts) that are
applicable in the situation are ambiguous; (2) prescription-actor link (Link 2): the extent to which the prescriptions are
perceived as being applicable to the actor because of duty or other requirements; and (3) actor-event link (Link 3): the extent to
which the actor seems to have control over outcomes in the situation. People are deemed to be more responsible when
prescriptions governing the event are clear, when they seem to have an obligation to behave in the prescribed ways, and when
they are perceived to have personal control over the event.


In an internal control setting, “event” refers to the breach of an internal control, “actor” refers to firm managers, and
“prescription” refers to explicit codes and rules for the maintenance of a good internal control system and/or the public’s
implicit expectations and norms. Link 1 relates to prescription clarity, which is the link between rules and/or public
expectations/norms and the breach. We predict Link 1 to be stronger in the external breach situation than in the internal breach
situation. Accounting standards (e.g., PCAOB 2007, Auditing Standard [AS] No. 5) and guidance from professional bodies
(e.g., COSO 2013; IIA 2008) emphasize the importance of an effective control system in preventing breaches, which
establishes prescription clarity, but also explicitly recognize that inherent limitations in internal control systems exist and that
controls can be circumvented by insiders, which weakens this prescription in the case of internal breaches. Hence, while
standard setters/professional bodies make explicit prescriptions about the important role of internal control systems, they also
explicitly weaken this prescription in the case of internal breaches, suggesting that prescription clarity is weaker in the latter.
Further, the media provide extensive coverage of security attacks on high-profile organizations (e.g., Equifax, Sony Pictures,
Target Corporation) made by external parties;6 media reports also extol the need for greater information security (Verizon
2016). Hence, both the threat of external party attacks and the need for protection against these attacks are likely salient in the
public’s eyes. Media reports (e.g., Michaels 2014; Khan 2017) also reinforce perceptions of regulatory concerns for external, as
opposed to internal, breaches—these reports often cover actions taken by the regulators to investigate the internal controls of
the victims of these attacks (e.g., Target Corporation), which generally are by external parties. Overall, we expect prescription
clarity (i.e., Link 1) to be stronger for external than internal breaches.
Link 2 relates to personal obligation—the extent to which investors perceive the prescriptions relating to the maintenance
of a good internal control system to apply to the actor because of duty or other requirements. We expect this link to be equally
strong in both external and internal breach situations. Managers are custodians and agents of the firm, and the maintenance of a
good internal control system is likely unequivocally perceived to be their role and not that of another party, a role that is not
contingent on whether actual/potential breaches are caused by internal or external parties. Regulators have made this
management role very clear in their communications. Sections 302 and 404 of SOX state that it is management, specifically, the
CEO/CFO, who is responsible for the adequacy of internal controls. For example, Section 302 requires that “the signing
officers are responsible for establishing and maintaining internal controls” (U.S. House of Representatives 2002, 777), and
Section 404 specifies the need to “state the responsibility of management for establishing and maintaining an adequate internal
control structure and procedures for financial reporting” in an internal control report (U.S. House of Representatives 2002,
789). Thus, in both internal and external breach situations, regulators maintain that management is identified as the party
responsible for setting up an effective internal control system, a fact commonly reported in the media and professional
magazines (Coleman 2014; DeStefano 2017; Lazarus Alliance 2017).7

5 We employ the “locus” concept in an organizational setting. The “locus” concept in our study refers to whether a breach is external or internal to the
“company,” rather than to the “manager.”
6 The Data Breach Investigations Report by Verizon (2016) indicates that in terms of information security breaches, external, as opposed to internal,
parties were responsible in over 80 percent of the cases every year between 2010 and 2015.

FIGURE 2
The Triangle Model of Responsibility

Panel A: Theoretical Constructs
Panel B: Predicted Strength of Each Link

Panel A displays the theoretical constructs and the links between them in the triangle model of responsibility. This model proposes that perceived
responsibility is a direct function of the strength of three linkages between the actor, the event, and the relevant prescriptions governing it. People are seen
as more responsible when prescriptions governing the event are clear, when they seem to have an obligation to behave in the prescribed ways, and when
they are perceived to have personal control over the relevant event.
Panel B displays the predicted strength of each link in the triangle model. Link 1 and Link 3 are predicted to be stronger in the external breach situation
than in the internal breach situation. The strength of Link 2 is predicted to be similar in both breach conditions.

Link 3 relates to personal control, and pertains to the link between management (actor) and the breach (event). We expect this
link to be stronger in external breach situations than in internal breach situations. A breach is deemed to be uncontrollable if
management’s voluntary actions cannot effectively prevent the occurrence of a breach. Breaches by parties inside a company may
be more difficult to prevent and, therefore, are less controllable than those by parties outside a company. A survey of global
retailers (Bamfield 2010) reports that employee theft is more difficult to prevent than customer theft. Anecdotal evidence also
shows that collusions among employees are hard to prevent and detect (Summerour 2002). Consistent with the COSO (2013)
framework’s stand that members of a company can circumvent internal controls, an internal breach situation (e.g., a hacking by an
employee) is more difficult for management to prevent and control than an external breach situation (e.g., a hacking by an
outsider). Access controls, password policies, and boundary protection of cyber assets, which are common controls, are targeted
more at outsiders. Such controls, even if implemented well, are effective against outsiders, but are less effective in terms of
preventing attacks by insiders, a point also mentioned in the media (Upton and Creese 2012; Zadelhoff 2016).8

7 These news articles maintain that management must ensure that proper controls are in place to detect and respond to cyber threats.
8 Boundary protection, a common control for safeguarding a company’s assets, creates a “perimeter” around the company’s assets. It is a defense against
possible attacks by outsiders, but not insiders.


To summarize, locus of breach affects responsibility assignment. Links 1 and 3 are stronger with an external breach than an
internal breach; Link 2 is equally strong with both breaches (see Figure 2, Panel B). Below, we discuss how locus of breach and
responsibility acceptance jointly affect responsibility assignment.

Interaction between Responsibility Acceptance and Locus of Breach


Psychology research suggests that the effectiveness of an explanation increases with the believability and persuasiveness of
arguments (Bies and Shapiro 1987; Barton and Mercer 2005). For example, Tyler and Feldman (2007) find that excuses are
more effective in reducing personal responsibility when they are more believable. We suggest that accepting higher (lower)
responsibility is likely to be more effective for an external (internal) breach.


In an internal control weakness setting, management can accept lower responsibility by employing the reasonable
assurance argument, which emphasizes the inherent limitations of internal control systems. External breaches generally
involve stronger triangle links and, therefore, stronger perceptions of responsibility on the part of managers. The
inconsistency between the reasonable assurance argument (which argues for less responsibility) and the external breach
situation (which implies higher responsibility) makes the reasonable assurance argument appear deficient and inadequate in
the eyes of the investors. On the other hand, accepting higher responsibility is consistent with the stronger triangle links
perceived by investors, and is likely seen to be a more valid response compared to accepting less responsibility. Hence, we
expect higher responsibility acceptance to result in more favorable outcomes than lower responsibility acceptance in the
situation of an external breach.
Internal breaches have weaker links in the triangle model, making the need to accept responsibility for the control
failures less apparent than that in the external breach situation. The use of a reasonable assurance argument, specifying the
inherent limitations of an internal control system in terms of its inability to prevent insider breaches, is also more
appropriate in this instance. Therefore, investors may perceive management’s response of accepting less responsibility,
through invoking the reasonable assurance argument in the case of an internal breach, to be more valid and adequate; in
contrast, the beneficial effect of responsibility acceptance that we predict for an external breach is not likely in the presence
of an internal breach.
H1: In the presence of an external (internal) breach, investors assign less (more) responsibility to management when
management accepts more, rather than less, responsibility.

Investment Willingness
We expect that the effects on responsibility assignment predicted in H1 will also apply to investors’ willingness to
invest in the company for two reasons. First, when investors assign more responsibility to management for an internal
control failure, they likely believe that management cannot prevent or detect any material misstatement of the
company’s financial statements on a timely basis. A potentially less reliable internal control system implies that
controls that safeguard the assets of the company may not be in place, and that the reliability/validity of accounting
numbers generated within the company may be questionable. Consequently, investors may consider the company to be
a less appropriate investment vehicle. Prior studies have demonstrated a negative association between the existence of
internal control weaknesses and firm investment (Hammersley, Myers, and Shakespeare 2008; J. Rose, Norman, and A.
Rose 2010).
Second, investors likely question management’s credibility when they deem management responsible for control issues.
Investors may question management’s competence and trustworthiness in terms of effectively running the entire company.
They may also experience negative emotions, such as disappointment and anger, while assigning responsibility to management.
Both credibility assessment (Mercer 2005; Yang 2012) and affective reactions (Elliott, Jackson, Peecher, and White 2014)
influence investors’ judgment and decisions. In summary, we predict that responsibility acceptance and breach interactively
affect investment willingness in a manner similar to their effects on responsibility acceptance.
H2: In the presence of an external (internal) breach, investors are more (less) willing to invest in the firm when
management accepts more, rather than less, responsibility for the internal control failure.

III. ARCHIVAL EVIDENCE


We coded actual internal control reports to assess whether variation exists in how management describes locus of breach
and the extent to which management accepts responsibility for internal control failures. We randomly collected 300 reports
containing material weaknesses between 2009 and 2011 in the Audit Analytics database.9 We dropped eight observations with
missing values. Therefore, our final sample consists of 292 observations.
One author of the paper and a doctoral student independently coded these reports. The doctoral student was unaware of our
hypotheses. Inter-rater agreement is 93 percent, and discrepancies were resolved through discussion. The locus variable was
coded in terms of whether control weaknesses are related to internal factors (e.g., lack of segregation of duties) or external
factors (e.g., statements prepared by a third-party accounting firm). Our coding shows that the majority (229, or 78.4 percent) of
the reports mention only internal factors, 45 (15.6 percent) reports mention both internal and external factors, three reports (1
percent) mention only external factors, and 15 (5.1 percent) reports do not specify the factors related to the weaknesses (see
Appendix A for examples of internal and external factors).
We used three variables to capture our responsibility acceptance construct. The first variable is “responsibility statement,”
which is coded as 1 if the report contains the statement that “management is responsible for establishing and maintaining
adequate internal control over financial reporting” or similar statements, and 0 otherwise. The second variable is “non-strategic
assurance,” which is coded as 1 if the report contains a reasonable assurance argument that is not worded to fend off
management’s responsibility, and 0 otherwise. The third variable is “strategic assurance,” which is coded as 1 if the report
words the reasonable assurance argument in a strategic fashion to reduce management responsibility, and 0 otherwise. The
descriptive results show that among our 292 reports, 278 (95.2 percent) contain the responsibility statement, 146 (50 percent)
include the non-strategic reasonable assurance argument, and 83 (28.4 percent) include the strategic reasonable assurance
argument (see Appendix A for examples).
These analyses of the actual reports show significant variations in the locus of internal control breaches and the extent to
which management accepts responsibility for internal control failures, as well as the strategic use of the “reasonable assurance”
argument.10,11 The impact of these variations on investors’ responsibility assignment and related investment judgments is
unknown, and also difficult to determine using archival means, given that responsibility assignment perceptions are not
observable. We conduct experiments to examine this issue.

IV. EXPERIMENT 1

Participants
Our participants were 78 M.B.A. students from two large universities in Singapore. The participants had an average
working experience of 7.27 years. Fifty-five percent of the participants were male. We randomly assigned participants to
experimental conditions. M.B.A. students are valid proxies for general investors as they have basic knowledge of accounting,
business finance, and financial markets to respond meaningfully to our materials (Elliott, Hodge, Kennedy, and Pronk 2007).12

Experimental Design and Independent Variables


We employed a 2 × 2 between-subjects design with Breach (internal, external) and Responsibility Acceptance (lower,
higher) as independent variables. All participants received the management’s report on internal control over financial reporting,
which stated that “(t)here was a failure to maintain adequate access controls over the sales recording system.” We used an
information technology (IT) breach setting, consistent with the scenarios used in Wolfe et al. (2009) and Rose et al. (2010). In
the manipulation of external (internal) breach, participants read the following:
This material weakness resulted from an outsider (a sales representative) hacking into the computer system and
changing the sales orders.

9 We first selected all reports (n = 5,251) containing material weaknesses between 2009 and 2011 in the Audit Analytics database. Since we planned to
analyze the market reactions, as well, we matched the companies issuing these reports with those in the Center for Research in Securities Prices (CRSP)
database that have permanent identifiers (“PERMNO”) to link to market returns. The overlap resulted in 732 reports, among which we randomly
selected 300, with 100 reports from each year.
10 All p-values are two-tailed unless otherwise specified.
11 Besides the variables mentioned above, we also captured the reporting companies’ cumulative abnormal returns (CARs) during the (2, 2) window
around the filing dates. Using CARs as the dependent variable, we ran a linear regression with locus and the three variables measuring responsibility
acceptance as independent variables, controlling for remediation plans, restatement, number of weakness, Big 4 auditors, market value, book/market
ratio, whether there is a loss in earnings, and whether the dates of the earnings announcement coincide with the 10-K filings. The results show that
market reactions are less negative when management accepts low, rather than high, responsibility (i.e., responsibility statement: coefficient = 0.06, t =
1.83, p = 0.07; strategic assurance: coefficient = 0.07, t = 3.16, p < 0.01). Given that the majority of the reports mention internal factors, we interpret
this finding to be consistent with our prediction that taking low responsibility is more efficacious for managers when the locus is internal.
12 We obtained approvals for all the experiments reported in this paper from the Institutional Review Board at the institutions where the experiments took
place.


We manipulated responsibility acceptance by varying the extent to which management accepted their responsibilities for
the hacking incident. In the lower responsibility acceptance condition, participants read the following:13
A control system, no matter how well conceived and operated, can provide only reasonable rather than absolute
assurance that the objectives of the control system are met. Our management team is of the opinion that no control
system can provide absolute assurance that all control issues (including this hacking instance) will be detected.
In contrast, participants in the higher responsibility acceptance condition read the following:
A control system should be well conceived and operated to provide reasonable (not absolute) assurance that the
objectives of the control system are met. Our management team acknowledges the responsibility to ensure that our
control system should provide reasonable assurance that control issues (including this hacking instance) will be
detected.

Procedure
We completed the experiment under controlled conditions and under the supervision of an experimenter. We provided
participants with the background information of a hypothetical firm, selected financial data of the firm, the management’s report
on internal control over financial reporting, and a series of questions. Participants assumed the role of a general investor in all
conditions. The background information of the hypothetical firm, Griffin Inc., was adapted from Wolfe et al. (2009). Griffin
Inc. was a typical manufacturing company. The selected financial data and the stock price history showed a slow, but steady,
growth, creating a favorable impression of the firm and its investment attractiveness prior to the control weakness disclosure.
After reading the background information of the firm, participants received the management’s report on internal control over
financial reporting described in Auditing Standard No. 5 (PCAOB 2007). We told participants that there was a material
weakness—a failure to maintain adequate access controls over the sales recording system in the corresponding reporting period.
The reports were identical across all experimental conditions, except for the breach and responsibility acceptance manipulations.
We chose material weaknesses, rather than other types of weaknesses, for two reasons. First, the main purpose of
internal control is to identify any material weakness. As stated in the SEC (2005) Staff Statement, “the overall focus of internal
control reporting should be on those items that could result in material errors in the financial statements.” Second, the
disclosure of material weaknesses has significant capital market consequences (Ogneva, Subramanyam, and Raghunandan
2007; Hammersley et al. 2008; Palmrose, Richardson, and Scholz 2004).
Across all conditions, we told participants that management would take further remediation efforts during the next fiscal year.
Hence, management’s intention to rectify the weakness remained identical in all conditions. Following Rose et al. (2010), we also
informed participants that an independent auditor conducted his or her own evaluation of the firm’s internal control over financial
reporting and identified the same control problem. Hence, there was no conflict between the findings of management and the
auditor. Participants then made several assessments about the firm, including questions on investment willingness and
responsibilities assigned to management. Finally, participants answered manipulation check and debriefing questions.

Dependent Variables
To examine how investors assigned responsibilities to management, we asked participants, “How much responsibility do
you think the management should take for the internal control failure?” (where 0 = no responsibility, and 10 = all
responsibility). We used the average of the following two questions to measure investment willingness: (1) “How willing are
you to invest in Griffin’s stock?” (where 0 = absolutely not willing to invest, and 10 = absolutely willing to invest), and (2)
“Suppose you hold Griffin’s stock. How will you change your holdings of Griffin’s stock?” (where −5 = significantly decrease,
0 = no change, and 5 = significantly increase). Cronbach’s alpha for the two questions is 0.74, above the 0.70 cutoff (Cortina
1993).14

13 We assessed whether participants have similar perceptions about the scope of reasonable assurance by asking, “Do you think the hacking instance
described in the case is within or outside the scope of reasonable assurance?” (where −5 = within reasonable assurance, and 5 = outside reasonable
assurance). The mean response is 0 in the high responsibility acceptance condition, and 0.32 in the low responsibility condition; the difference is not
significant (F(1, 65) = 0.18, p = 0.68). This result suggests that it is unlikely that the effect of responsibility acceptance is due to investors’ different
perceptions about the scope of reasonable assurance across conditions. We also asked participants the extent to which they perceived management’s
explanation to be defensive on an 11-point scale (0 = not defensive at all; 10 = extremely defensive). The mean response is 5.33 for the high
responsibility acceptance condition, and 6.06 for the low responsibility acceptance condition; the difference is insignificant (F(1, 65) = 1.93, p = 0.17).
This result suggests that a defensive tone cannot explain the difference between the high and low responsibility acceptance conditions.
14 The second question was converted to a 0–10 scale to be combined with the first measurement. We obtain similar results when we analyze each
question separately.


Manipulation Checks
To assess the effectiveness of our responsibility acceptance manipulation, we asked participants, “To what extent is
Griffin’s management taking responsibility for the hacking incident?” (where −5 = deny responsibility, and 5 = accept
responsibility). The mean response in the higher responsibility acceptance condition is 1.60, significantly higher than the mean
response (0.21) in the lower responsibility acceptance condition (F(1, 76) = 5.65, p = 0.02), suggesting a successful manipulation
of responsibility acceptance. To assess the effectiveness of our breach manipulation, we asked participants to identify whether
the material weakness results from an outsider or a sales representative hacking into the computer system. Eighty-six percent of
participants correctly answered this question.15

Tests of Hypotheses
H1 predicts that in the presence of an external (internal) breach, investors assign less (more) responsibility to
management when management accepts more, rather than less, responsibility. We conduct an ANOVA to analyze the
interactive effect of breach and responsibility acceptance on responsibility assigned to management. Table 1 reports the
descriptive statistics and ANOVA results. Figure 3, Panel A illustrates the results. We find a significant interactive effect (p
= 0.03, one-tailed). Specifically, we find that in the presence of an external breach, the mean assessment in the higher
responsibility acceptance condition (mean = 8.11) is marginally significantly lower than that in the lower responsibility
acceptance condition (mean = 9.00, p = 0.06, one-tailed). In the presence of an internal breach, the mean assessment in the
higher responsibility acceptance condition (mean = 8.67) is higher than that in the lower responsibility acceptance
condition (mean = 8.13), but the difference is insignificant (p = 0.17, one-tailed). Thus, our results only partially support
H1.
H2 predicts a similar pattern for investment willingness. We conduct an ANOVA with breach and responsibility
acceptance as the independent variables and investment willingness as the dependent variable (see Table 2 and Figure 3, Panel
B). The ANOVA results show a significant interactive effect on investment willingness (p = 0.01, one-tailed). Specifically, in
the presence of an external breach, investors’ mean willingness to invest is 4.63 in the higher responsibility acceptance
condition, significantly higher than the mean of 3.00 in the lower responsibility acceptance condition (p = 0.02, one-tailed). In
the presence of an internal breach, investors’ mean willingness to invest is not significantly different between the higher and
lower acceptance conditions, although the means are directionally consistent with our prediction (means = 3.72 and 4.50,
respectively; p = 0.13, one-tailed). Again, our results partially support H2.16
We also assess the simple main effects of breach at each level of responsibility acceptance (see Table 1, Panel C and Table
2, Panel C). With lower responsibility acceptance, investment willingness is significantly higher in the presence of an internal,
rather than external, breach (means = 4.50 and 3.00, respectively; p = 0.04). However, the simple effect of breach on
investment willingness with higher responsibility acceptance is insignificant (means = 3.72 and 4.63, respectively; p = 0.18).
Together, these results suggest that the different effects between higher and lower responsibility acceptance at each level of
breach result primarily from the lower responsibility acceptance condition.17

15 We excluded 11 participants who failed this question for the subsequent analyses. Results are similar if we use responses from all participants. If we
exclude failures on manipulation checks on both breach and responsibility acceptance, then results are similar for the responsibility assignment variable,
but the interaction between the two manipulated variables on investment willingness becomes insignificant (F(1, 41) = 1.04, p = 0.16, one-tailed).
16 We conducted a separate experiment to test whether a direct denial of responsibility leads to similar results as those found in Experiment 1. Participants
were 28 M.B.A. students from a major university in the U.S. We used a 1 × 2 between-subjects design with responsibility acceptance (high versus
denial) as the independent variable, with both cells set in the original external breach condition in Experiment 1. In the denial condition, participants
were told that “(a) control system should be well conceived and operated to provide reasonable (not absolute) assurance that the objectives of the
control system are met. Our management team does not take the responsibility to ensure that our control system can provide assurance that all control
issues (including this hacking instance) will be detected.” The high responsibility acceptance condition is equivalent to that used in Experiment 1.
Results show that high responsibility acceptance leads to marginally more favorable evaluations (i.e., higher perceived credibility of management: F(1, 26)
= 2.52, p = 0.06, one-tailed; and lower perceived misstatement likelihood: F(1, 26) = 2.13, p = 0.08, one-tailed) and significantly higher investment
willingness (F(1, 26) = 3.21, p = 0.04, one-tailed) than a denial of responsibility.
17 To test whether the perceived severity of external versus internal breaches can explain our results, we measured participants’ perception on the severity
of the breach on a scale of 0 (not severe at all) to 10 (extremely severe). The mean rating for severity is 6.79 for the external breach condition, and 7.18
for the internal breach condition; the difference is insignificant (F(1, 65) = 0.52, p = 0.48). An ANOVA test detects neither main nor interaction effects
(smallest p = 0.50, corresponding F(1, 63) = 0.46). Therefore, severity cannot explain the interactive effects of breach and responsibility acceptance. This
result also precludes the possibility that severity mediates the effect of the manipulated variables on either responsibility assignment or investment
willingness.


TABLE 1
Results on Responsibility Assignment in Experiment 1

Panel A: Descriptive Statistics across Treatment Conditions^a: Mean (Standard Deviation), n = Sample Size

| Responsibility Acceptance^b | Breach^c: Internal | Breach^c: External | Total |
|---|---|---|---|
| Higher | 8.67 (0.84), n = 18 | 8.11 (2.17), n = 18 | 8.39 (1.64), n = 36 |
| Lower | 8.13 (1.82), n = 16 | 9.00 (1.13), n = 15 | 8.55 (1.56), n = 31 |
| Total | 8.41 (1.40), n = 34 | 8.52 (1.81), n = 33 | 8.46 (1.60), n = 67 |

Panel B: ANOVA

| Sources | Sum of Squares | df | Mean Square | F | p-value |
|---|---|---|---|---|---|
| Breach (B) | 0.43 | 1 | 0.43 | 0.17 | 0.68 |
| Resp. Acc. (R) | 0.50 | 1 | 0.50 | 0.20 | 0.66 |
| B × R | 8.52 | 1 | 8.52 | 3.36 | 0.03* |
| Error | 159.53 | 63 | 2.53 | | |

Panel C: Mean Contrasts

| Mean Contrast | Contrast Value | p-value |
|---|---|---|
| μ_external breach-higher − μ_external breach-lower | 0.89 | 0.06* |
| μ_external breach-higher − μ_external breach-lower | 0.54 | 0.17* |
| μ_external breach-lower − μ_external breach-lower | 0.87 | 0.13 |
| μ_external breach-higher − μ_external breach-higher | 0.56 | 0.30 |

* One-tailed equivalent given directional prediction.
a Responsibility assignment: responses on an 11-point scale asking participants how much responsibility they think the management should take for the
internal control failure (where 0 = no responsibility, and 10 = all responsibility).
b Responsibility acceptance is manipulated by whether management takes a larger or smaller proportion of responsibility for the internal control failure.
c Breach is manipulated by whether the material weakness results from an outsider or a sales representative hacking into the computer system and changing
the sales orders.

Supplemental Analyses
Test of the Triangle Model of Responsibility
To test Link 1 of the triangle model of responsibility (prescription clarity; see Figure 2), we asked participants, “Do you think
that current regulations clearly prescribe the need to maintain an effective internal control system?” (where 0 = not at all clear, and
10 = extremely clear). Participants exposed to an external breach reported a mean of 6.27, significantly higher than the mean of
5.21 reported by those exposed to an internal breach (F(1, 65) = 2.74, p = 0.05, one-tailed). This finding supports our expectation that
the prescription-event link is stronger for an external breach than for an internal breach.18 To test Link 2 (personal obligation), we
asked participants, “Do you think that current regulations clearly prescribe the management as the primary party responsible for
internal control failures such as this hacking instance?” (where 0 = not at all clear, and 10 = extremely clear). The mean responses
in the external and internal breach conditions are 4.82 and 4.53, respectively, and not significantly different (F(1, 65) = 0.19, p =
0.67). To test Link 3 (personal control), we asked participants, “How much control does Griffin’s management have in preventing

18 This result is consistent with participants interpreting the question from the perspective of the internal/external breach condition that they had been
exposed to, given that our instructions said, “Please answer the following questions based on your understanding of Griffin.”


FIGURE 3
Interaction Effects of Responsibility Acceptance and Breach in Experiment 1

Panel A: Results on Responsibility Assignment

Panel B: Results on Investment Willingness

This figure displays the interaction effects of responsibility acceptance and breach on participants’ ratings of responsibility assignment to management
(Panel A) and willingness to invest in the firm (Panel B).
Responsibility assignment: responses on an 11-point scale asking participants how much responsibility they think the management should take for the
internal control failure (where 0 = no responsibility, and 10 = all responsibility).
Investment willingness: a simple average of the responses to two questions: (1) “How willing are you to invest in Griffin’s stock?” (where 0 = absolutely
not willing to invest, and 10 = absolutely willing to invest), and (2) “Suppose you hold Griffin’s stock. How will you change your holdings of Griffin’s
stock?” (where −5 = significantly decrease, 0 = no change, and 5 = significantly increase).
Breach: in the external (internal) breach condition, the material weakness results from an outsider (a sales representative) hacking into the computer system
and changing the sales orders.
Responsibility acceptance: in the higher responsibility acceptance condition, the management takes a large proportion of responsibility for the internal
control failure; in the lower responsibility acceptance condition, the management takes a small proportion of responsibility for the internal control failure.

this internal control weakness?” (where 0 = no control, and 10 = a lot of control). The mean response in the external breach
condition is 7.52, significantly higher than the mean response of 6.47 in the internal breach condition (F(1, 65) = 3.20, p = 0.04,
one-tailed). These results support the hypothesized links in the triangle model of responsibility.

Norms for Managers to Take Responsibility


To understand whether there is a norm among investors regarding what type of statement they expect management to
make, we asked participants, “Suppose you have not read the management’s report on internal controls over financial reporting.


TABLE 2
Results on Investment Willingness in Experiment 1

Panel A: Descriptive Statistics across Treatment Conditions^a: Mean (Standard Deviation), n = Sample Size

| Responsibility Acceptance^b | Breach^c: Internal | Breach^c: External | Total |
|---|---|---|---|
| Higher | 3.72 (2.14), n = 18 | 4.63 (1.99), n = 18 | 4.18 (2.09), n = 36 |
| Lower | 4.50 (1.71), n = 16 | 3.00 (2.13), n = 15 | 3.77 (2.04), n = 31 |
| Total | 4.09 (1.96), n = 34 | 3.89 (2.19), n = 33 | 3.99 (2.06), n = 67 |

Panel B: ANOVA

| Sources | Sum of Squares | df | Mean Square | F | p-value |
|---|---|---|---|---|---|
| Breach (B) | 1.42 | 1 | 1.42 | 0.35 | 0.56 |
| Resp. Acc. (R) | 3.09 | 1 | 3.09 | 0.77 | 0.38 |
| B × R | 24.31 | 1 | 24.31 | 6.05 | 0.01* |
| Error | 253.01 | 63 | 4.02 | | |

Panel C: Mean Contrasts

| Mean Contrast | Contrast Value | p-value |
|---|---|---|
| μ_external breach-higher − μ_external breach-lower | 1.63 | 0.02* |
| μ_internal breach-higher − μ_internal breach-lower | 0.78 | 0.13* |
| μ_external breach-lower − μ_internal breach-lower | 1.50 | 0.04 |
| μ_external breach-higher − μ_internal breach-higher | 0.91 | 0.18 |

* One-tailed equivalent given directional prediction.
a Investment willingness: a simple average of the responses to two questions: (1) “How willing are you to invest in Griffin’s stock?” (where 0 = absolutely
not willing to invest, and 10 = absolutely willing to invest), and (2) “Suppose you hold Griffin’s stock. How will you change your holdings of Griffin’s
stock?” (where −5 = significantly decrease, 0 = no change, and 5 = significantly increase).
b Responsibility acceptance is manipulated by whether management takes a larger or smaller proportion of responsibility for the internal control failure.
c Breach is manipulated by whether the material weakness results from an outsider or a sales representative hacking into the computer system and changing
the sales orders.

What statement do you expect the management, in general, is likely to provide in such a situation?” (where 0 = management is
not responsible, and 10 = management is fully responsible). The overall mean response is 6.48, significantly higher than the
midpoint of 5 (t(66) = 18.19, p < 0.01), and there are no significant main or interaction effects (F(1, 63) < 0.87, p > 0.36). This
result supports a premise in our theory that it is the norm for management to accept responsibility for an adverse event.

Explanation Adequacy
In our theory, we posit that investors will perceive management’s explanation for the breach to be more adequate with
higher (lower) responsibility acceptance in the external (internal) locus condition. Following Wolfe, Mauldin, and Diaz (2009),
we asked participants to assess the adequacy of management’s explanation on an 11-point scale (where 0 = not at all adequate,
and 10 = extremely adequate). Results show a significant interaction between responsibility acceptance and breach (F(1,63) =
6.60, p = 0.01, one-tailed) with the predicted pattern. In the external breach condition, higher responsibility acceptance (mean =
3.89) is perceived to be more adequate than lower responsibility acceptance (mean = 2.80); the difference is marginally
significant (F(1,63) = 1.73, p = 0.10, one-tailed). In the internal breach condition, however, higher responsibility (mean = 2.61) is
perceived to be less adequate than lower responsibility acceptance (mean = 4.50, F(1,63) = 5.40, p = 0.01, one-tailed). Results
support our explanation adequacy argument.


FIGURE 4
Structural Equation Model

**, *** Denote one-tailed significance at the 5 percent and 1 percent levels, respectively.
This figure displays the structural equation modeling investigating the process through which responsibility assignment affects investment willingness.
This model has adequate fit, with a minimum discrepancy divided by degrees of freedom (χ²/df) = 1.45, comparative fit index (CFI) = 0.98, and root mean
square error of approximation (RMSEA) = 0.06 (Kline 2011). Standardized coefficients are labeled above the corresponding arrows.

Structural Equation Model


We conducted structural equation modeling to investigate the process through which responsibility assignment affects
investment willingness (see Figure 4). Our model shows that the interaction of our two manipulated variables has a significant
direct effect on responsibility assignment (coefficient = 0.40, p = 0.03, one-tailed), which, in turn, has a direct effect on
misstatement likelihood (coefficient = 0.23, p = 0.03, one-tailed). Misstatement likelihood directly influences both impression
of management (the latent factor of management’s credibility and investors’ affective reactions: coefficient = −0.33, p < 0.01,
one-tailed) and investment willingness (coefficient = −0.27, p < 0.01, one-tailed). Impression of management also has a direct
effect on investment willingness (coefficient = 0.71, p < 0.01, one-tailed). This model has adequate fit, with a minimum
discrepancy divided by degrees of freedom (χ²/df) = 1.45, comparative fit index (CFI) = 0.98, and the root mean square error of
approximation (RMSEA) = 0.06 (Kline 2011).

V. EXPERIMENTS 2 AND 3

Experiment 2
Motivation and Design
Results from Experiment 1 only partially support our hypotheses in that we found significant effects of responsibility
acceptance only in the external breach condition, but not in the internal breach condition. The insignificant result in the
internal breach condition opens the door to one of two possible reasons. First, the effect of higher versus lower
responsibility acceptance on responsibility assignment and investment willingness applies only to external, but not
internal, breaches, perhaps because external breaches are more salient from media exposure. Using this logic, varying the
strength for each triangle link within the internal breach condition would not yield any differential effect. That is, even if
the link strength (i.e., the strength of the responsibility-increasing nature of the link) were further weakened in the internal
breach condition, an approach of low responsibility acceptance would not reap benefits. Similarly, if the link strength were
strengthened in the internal breach condition, there would not be benefits in terms of accepting high versus low
responsibility.
Second, consistent with the triangle model of responsibility, it is the link strength that affects the efficacy of responsibility
acceptance. This argument suggests that strengthening the link strength, even in the internal breach condition, would yield a
result where accepting more responsibility is superior to accepting less responsibility. In contrast, further weakening the link
strength in the internal breach condition should yield a result where lower responsibility acceptance is superior to higher
responsibility acceptance.
To distinguish between these possibilities, we conduct Experiment 2, where we vary the link strength within the internal
breach condition. Varying link strength also allows us to test whether the insignificant finding in the internal breach condition
of Experiment 1 is due to its relatively weak manipulation. Specifically, in Experiment 1, the case material did not explicitly
state the inherent limitation of an internal control system to prevent hacking by an insider, and participants had to infer this
information themselves.


We employed a 2 × 2 between-subjects design with Link Strength (strong, weak) and Responsibility Acceptance (higher,
lower) as the independent variables—all the four conditions used the original internal breach setting. The responsibility
acceptance variable was manipulated the same way as in Experiment 1. In the strong-link condition, we adapted the following
statement from the COSO (2013) framework to emphasize management’s responsibility in maintaining an effective internal
control system:

Implementing an effective internal control system is a part of management’s overall responsibility. Management
retains ultimate responsibility for meeting the requirements for an effective system of internal control. Management
should implement measures to prevent control breaches, including those by insiders. An authoritative security report
indicates that control systems can be carefully designed to prevent such breaches.

This statement reinforces the prescription-event, prescription-actor, and actor-event links by explicitly reminding readers
that the onus is on management to safeguard against insider control breaches. In addition, we described the hacker to be a sales
representative who is “newly recruited by management.” This description further strengthens the actor-event link because
management has control over the recruiting process and should have screened out employees who can do potential harm to the
company.
In the weak-link condition, we presented the following statement, also adapted from the COSO (2013) framework:

While internal controls provide reasonable assurance of achieving the entity’s objectives, limitations do exist. An
internal control system, even if effective, cannot prevent breaches by insiders. An authoritative security report
indicates that insiders, being in the know about the company’s operations, can circumvent the most carefully-designed
internal control systems.

This statement weakens the prescription-event, prescription-actor, and actor-event links by explicitly highlighting the
inherent limitations in internal control systems. Moreover, we described the hacker to be a sales representative who is “familiar
with the system.” This description weakens the actor-event link in that management has little control in preventing the hacking
by an insider who is very familiar with the system.

Participants
We recruited participants from an M.B.A. alumni program in a major university in the U.S. To ensure that participants
have some minimum accounting and investment background to understand the case materials, we required participants to have
taken at least two accounting courses and have at least one year of investment experience. The final sample consisted of 78
participants. Participants had an average age of 36.5 years, with an average working experience of 14 years and an average
investment experience of 9.3 years. On average, participants had taken 3.3 accounting courses, 3.2 finance courses, and 2.7
economics courses. Other than the experimental manipulations, participants went through the same procedures as in
Experiment 1.¹⁹

Results
To assess the effectiveness of our manipulation of link strength, we asked participants to indicate whether the COSO
(2013) framework excerpt that they had read in the case material was one strengthening or weakening the link; they could also
indicate that they had not read any excerpt from this framework. Eighty-three percent of the participants correctly answered this
question. We also asked participants whether the hacker is “newly recruited” (for the strong-link condition) or “very familiar
with the system” (for the weak-link condition). Eighty-six percent of the participants correctly answered this question. Hence,
our manipulation of link strength is successful.
To check the manipulation of the responsibility acceptance variable, we asked participants to assess the extent to which
management was taking responsibility for the breach (0 = deny responsibility, and 10 = accept responsibility). The mean
response in the higher acceptance condition (mean = 6.37) is significantly higher than that in the lower acceptance condition
(mean = 4.75, F(1,76) = 7.13, p = 0.01), consistent with a successful manipulation of responsibility acceptance.
We measure responsibility assignment the same way as in Experiment 1. The ANOVA results show an insignificant
interaction between link strength and responsibility acceptance on responsibility assignment (p = 0.13, one-tailed).

¹⁹ In Experiment 1, we described the breach in the case material as “(t)here was a failure to maintain adequate access controls over the sales recording
system. This material weakness resulted from an outsider (a sales representative) hacking into the computer system and changing the sales orders.” In
Experiments 2 and 3, we changed this description to “(t)here was a failure to maintain adequate access controls over the sales recording system.
Because of this access control weakness in the control system, the Company’s sales recording system was breached” (see Appendix B). We also used
this new description in the supplementary experiment described in footnote 21.


TABLE 3
Results on Responsibility Assignment in Experiment 2

Panel A: Descriptive Statistics across Treatment Conditions:ᵃ Mean (Standard Deviation) n = Sample Size
                                        Link Strengthᶜ
Responsibility Acceptanceᵇ       Weak       Strong      Total
Higher                           6.20        5.72        5.97
                                (2.53)      (3.30)      (2.89)
                                n = 20      n = 18      n = 38
Lower                            6.75        7.60        7.18
                                (1.86)      (2.62)      (2.29)
                                n = 20      n = 20      n = 40
Total                            6.48        6.71        6.59
                                (2.21)      (3.07)      (2.65)
                                n = 40      n = 38      n = 78

Panel B: ANOVA
Sources              Sum of Squares    df    Mean Square    F       p-value
Link Strength (L)          0.67         1        0.67       0.10    0.75
Resp. Acc. (R)            28.67         1       28.67       4.22    0.04
L × R                      8.58         1        8.58       1.26    0.13*
Error                    503.36        74        6.80

Panel C: Mean Contrasts
Mean Contrast                                      Contrast Value    p-value
μ(strong-link/higher) − μ(strong-link/lower)            1.88          0.02*
μ(weak-link/higher) − μ(weak-link/lower)                0.55          0.25*
μ(strong-link/lower) − μ(weak-link/lower)               0.85          0.31
μ(strong-link/higher) − μ(weak-link/higher)             0.48          0.58
* One-tailed equivalent given directional prediction.
ᵃ Responsibility assignment: responses on an 11-point scale asking participants how much responsibility they think management should take for the
internal control failure (where 0 = no responsibility, and 10 = all responsibility).
ᵇ Link Strength: in the strong-link (weak-link) condition, a statement emphasizing the chances of an insider hacking is present (absent).
ᶜ Responsibility acceptance is manipulated by whether management takes a larger or smaller proportion of responsibility for the internal control failure.

Nonetheless, the simple effect of Responsibility Acceptance shows that in the strong-link condition, participants assign
significantly less responsibility to management when it takes more (mean = 5.72), rather than less, responsibility (mean = 7.60,
p = 0.02, one-tailed). In the weak-link condition, however, participants assign similar responsibility to management whether
management takes more (mean = 6.20) or less responsibility (mean = 6.75, p = 0.25, one-tailed; see Table 3 and Figure 5, Panel
A).
With respect to the investment willingness measure that we used in Experiment 1, ANOVA results show a significant
interaction between link strength and responsibility acceptance (p = 0.03, one-tailed). Specifically, in the strong-link condition,
investors are more willing to invest in Griffin’s stock when management accepts more (mean = 3.94), rather than less,
responsibility (mean = 2.75, p = 0.02, one-tailed). In the weak-link condition, the mean willingness is not significantly different
between the higher (mean = 4.25) and lower responsibility acceptance conditions (mean = 4.45, p = 0.35, one-tailed; see Table
4 and Figure 5, Panel B).
The significant results in the strong-link condition of Experiment 2 suggest that the driver of the favorable outcomes of
higher versus lower responsibility acceptance is the high link strength rather than the external locus, as all the conditions of
Experiment 2 are set in the internal breach situation. With respect to the insignificant results in the weak-link condition of
Experiment 2, we conjecture that M.B.A. students, who have been regularly exposed to business ethics-related course
materials, may have greater expectations that managers assume responsibility for an adverse event. In that case, we are less
likely to observe favorable outcomes from lower responsibility acceptance even in the weak-link condition, as prior research
indicates that norm-inconsistent behavior is less accepted than norm-consistent behavior (Gibbs 1981; Brauer and Chekroun
2005; Sun, Tan, and Zhang 2015). To test this conjecture, we conducted Experiment 3, where we reran the weak-link condition
of Experiment 2 with investor proxies from Amazon Mechanical Turk, who are less likely to subscribe to this expectation
compared to the M.B.A. students.

FIGURE 5
Interaction Effects of Responsibility Acceptance and Link Strength in Experiment 2

Panel A: Results on Responsibility Assignment

Panel B: Results on Investment Willingness

This figure displays the interaction effects of responsibility acceptance and link strength on participants’ ratings of responsibility assignment to
management (Panel A) and willingness to invest in the firm (Panel B).
Responsibility assignment: responses on an 11-point scale asking participants how much responsibility they think the management should take for the
internal control failure (where 0 = no responsibility, and 10 = all responsibility).
Investment willingness: a simple average of the responses to two questions: (1) “How willing are you to invest in Griffin’s stock?” (where 0 = absolutely
not willing to invest, and 10 = absolutely willing to invest), and (2) “Suppose you hold Griffin’s stock. How will you change your holdings of Griffin’s
stock?” (where −5 = significantly decrease, 0 = no change, and 5 = significantly increase).
Link Strength: in the strong-link (weak-link) condition, a statement emphasizing management’s responsibility (inherent limitations) is added.
Responsibility acceptance: in the higher responsibility acceptance condition, the management takes a large proportion of responsibility for the internal
control failure; in the lower responsibility acceptance condition, the management takes a small proportion of responsibility for the internal control failure.


TABLE 4
Results on Investment Willingness in Experiment 2

Panel A: Descriptive Statistics across Treatment Conditions:ᵃ Mean (Standard Deviation) n = Sample Size
                                        Link Strengthᶜ
Responsibility Acceptanceᵇ       Weak       Strong      Total
Higher                           4.25        3.94        4.11
                                (1.66)      (1.50)      (1.57)
                                n = 20      n = 18      n = 38
Lower                            4.45        2.75        3.60
                                (1.92)      (1.46)      (1.89)
                                n = 20      n = 20      n = 40
Total                            4.35        3.32        3.85
                                (1.77)      (1.58)      (1.75)
                                n = 40      n = 38      n = 78

Panel B: ANOVA
Sources              Sum of Squares    df    Mean Square    F       p-value
Link Strength (L)         19.57         1       19.57       7.21    0.01
Resp. Acc. (R)             4.81         1        4.81       1.77    0.19
L × R                      9.46         1        9.46       3.48    0.03*
Error                    200.89        74        2.72

Panel C: Mean Contrasts
Mean Contrast                                      Contrast Value    p-value
μ(strong-link/higher) − μ(strong-link/lower)            1.19          0.02*
μ(weak-link/higher) − μ(weak-link/lower)                0.20          0.35*
μ(strong-link/lower) − μ(weak-link/lower)               1.70          <0.01
μ(strong-link/higher) − μ(weak-link/higher)             0.31          0.57
* One-tailed equivalent given directional prediction.
ᵃ Investment willingness: a simple average of the responses to two questions: (1) “How willing are you to invest in Griffin’s stock?” (where 0 = absolutely
not willing to invest, and 10 = absolutely willing to invest), and (2) “Suppose you hold Griffin’s stock. How will you change your holdings of Griffin’s
stock?” (where −5 = significantly decrease, 0 = no change, and 5 = significantly increase).
ᵇ Responsibility acceptance is manipulated by whether management takes a larger or smaller proportion of responsibility for the internal control failure.
ᶜ Link Strength: in the strong-link (weak-link) condition, a statement emphasizing the chances of an insider hacking is present (absent).

Experiment 3
We employed the same experimental instrument as Experiment 2 (except for the changes in the investment willingness
questions) and tested the weak-link condition with 93 participants from Amazon Mechanical Turk (AMT).²⁰ With regard to
investment willingness questions, we posit that investors are less likely to be willing to invest in a firm upon receiving negative
news (a control breach). Therefore, we added another two questions in Experiment 3 to measure investment willingness that
better reflect this possibility. Specifically, we asked participants how they valued their position in Griffin’s stock after reading
the information in the management report and the excerpt of the COSO (2013) framework (−5 = significantly less, 0 = no
change, and 5 = significantly more). In the other question, we asked participants to assess the risk of a moderate decline (1–10
percent) of Griffin’s stock price within the next year (0 = price is very unlikely to decline, and 10 = price is very likely to
decline).
The one-way ANOVA result shows that participants assign marginally more responsibility to management when
management takes more (mean = 8.29), rather than less, responsibility (mean = 7.69, F(1,91) = 2.66, p = 0.05, one-tailed) in the
weak-link condition. In terms of investment willingness, we averaged the responses to the four questions that measure this
variable (Cronbach’s alpha = 0.84). Results show that, consistent with the link-strength argument, investors are less willing to
invest in the firm when management accepts higher (mean = 2.10), rather than lower, responsibility (mean = 1.45, F(1,91) =
2.91, p = 0.05, one-tailed).²¹ These results complement the results in Experiment 2 and, together, support the theoretical
argument that it is link strength, not locus of breach, that moderates the effect of responsibility acceptance in that within the
internal breach condition, the directional effect of higher versus lower responsibility acceptance flips between the strong- and
weak-link conditions.²²

²⁰ Participants had an average age of 36.3 years, with an average working experience of 16.1 years, and an average investment experience of 9.4 years. On
average, participants had taken 4.0 accounting courses, 3.7 finance courses, and 3.1 economics courses. Our initial sample included 152 participants.
We removed 52 participants who had failed the manipulation check questions. We removed four participants who spent less than five minutes (the
bottom 5 percent), as it is clear that these participants did not diligently complete the task. Last, we removed three participants whose responses are
more than 1.5 times the difference between the first and third quartiles (Hoaglin, Iglewicz, and Tukey 1986) and about three standard deviations from
the mean.

Overall Discussion of Strong-Link versus Weak-Link Conditions


Exhibit 1 summarizes the results from our three main experiments. Our results suggest strong support for the efficacy of
managers taking higher responsibility for control breaches when link strengths are strong, whether in a situation of external
breaches (Experiment 1) or internal breaches where expectations of management responsibility are high (Experiment 2,
strong-link condition). There is weaker support for the efficacy of managers taking lower responsibility for control breaches where
link-strengths are weaker, specifically, in the case of an internal breach. We find no support for this proposition in Experiment 1
or Experiment 2 (both using M.B.A. students), but find support in Experiment 3 (using an identical manipulation as that in
Experiment 2). Hence, the efficacy of taking lower responsibility for internal breaches appears to be sensitive to the type of
investors.

VI. CONCLUSION
This study investigates the joint effects of two aspects present in ICFR reports on investors’ judgment and decision
making: the amount of responsibility that management accepts for breaches of control weaknesses and the locus of such
breaches. In Experiment 1, we find that in the presence of an external breach, M.B.A. participants assign less responsibility to
management and are more willing to invest in the firm when management accepts more, rather than less, responsibility. In
contrast, in the presence of an internal breach, the effect of responsibility acceptance is not significant. In additional analyses,
we find support for the triangle model of responsibility. Experiment 2 employs M.B.A. participants, and we document that with
strengthened triangle links in an internal breach setting, higher, as opposed to lower, responsibility acceptance leads to higher
investment willingness and lower responsibility assignment; however, we failed to find the opposite result when we further
weakened the triangle links. In Experiment 3, we reran the weak-link condition of Experiment 2 using AMT participants, and
find some evidence that they prefer lower responsibility acceptance when the triangle links are weakened in the same internal
breach setting. Together, Experiments 1, 2, and 3 suggest that it is the strength of the triangle links, rather than locus of breach
per se, that moderates the effect of responsibility acceptance.
We provide additional insights regarding the effects of managers’ explanations on investors’ judgments. Our findings
complement prior research on management’s explanations and provide a framework to integrate the results from prior studies.
For instance, in an auditor-management negotiation setting, Wolfe et al. (2009) examine whether management
acknowledgment of the existence of a control deficiency (concession) or denial of its existence (denial) influences auditors’
judgments. They conclude that for information technology (IT) control deviations, auditors assess that the deficiency is less
significant in the presence of concessions than denials, while for manual control deviations, there is no difference between
concessions and denials. Their theoretical argument is that the presence of an irrelevant non-diagnostic technology element
(e.g., the IT element) dilutes perceived management blame and, thus, concessions are more effective than denials in an IT
condition. We extend Wolfe et al. (2009) by showing that in an IT context, accepting more responsibility is not always more
effective than accepting less responsibility; the directional effect depends on whether the breach is external or internal. In fact,
in Experiment 3, we find some evidence that lower responsibility acceptance can be more effective than higher responsibility
acceptance with an internal breach. Specifically, in Wolfe et al.’s (2009) experiment, the IT control deficiencies involved
external parties (a notebook was stolen with the password stored inside; an intruder stole customer procurement card
information). Therefore, their finding that a concession, as opposed to a denial, leads to lower auditor assessment of the
deficiency significance for IT control deficiencies (both cases are external breaches) is consistent with our result in Experiment
1 that high, as opposed to low, responsibility acceptance leads to more favorable outcomes with an external breach. Moreover,
our Experiment 3 refines their “IT-diluting-blame” theory by showing that accepting high responsibility can invite blame that
offsets or even outweighs the blame that is diluted by the IT element, making high responsibility acceptance a less effective
communication strategy.

²¹ Other than the change-in-holdings question (F(1,91) = 0.01, p = 0.46, one-tailed), each of the other three investment-related questions has significant
effects in the predicted direction (smallest p = 0.03, one-tailed, corresponding F(1,91) = 3.84).
²² We further tested the weak-link condition of Experiment 2, but weakened the manipulation by removing the phrase “familiar with the system,” using
46 investor proxies recruited from the Qualtrics Panel. Participants have similar demographic backgrounds as those in Experiment 3. Results show that
investors assign less responsibility to management when responsibility acceptance is lower (mean = 5.91), rather than higher (mean = 6.96); the
difference is marginally significant (F(1,44) = 1.94, p = 0.09, one-tailed). Results are not significant regarding the investment willingness questions (F(1,44)
< 0.98, p > 0.16, one-tailed). It appears that results become weaker if the actor-event link (manipulated through the “familiar with the system” phrase)
is not concurrently weakened.

EXHIBIT 1
Summary of Experiments 1, 2, and 3

ᵃ More favorable = less responsibility assignment and higher investment willingness; less favorable = more responsibility assignment and lower
investment willingness.

Our framework can also explain results in the textual disclosure condition in Elliott et al. (2012). Elliott et al. (2012)
examine the effect of CEOs’ responsibility acceptance via video or text on investors’ decisions. The responsibility acceptance/
denial variable is manipulated as: “(w)e are fully responsible/not responsible for this error because we relied on the advice of
our internal/external lease accounting expert when preparing our financial statements” (Elliott et al. 2012, 521; emphasis
added). This manipulation involves two constructs. The “internal/external lease accounting expert” element in Elliott et al.
(2012) is comparable to the breach variable (i.e., the “internal/external hacker”) in our study in the sense that both describe
whether the adverse event is associated with internal staff or an outsider. The “responsibility acceptance/denial” element in
Elliott et al. (2012) is comparable to the responsibility acceptance variable in our study. We extend Elliott et al. (2012) by
separately manipulating these two elements and finding an interaction between them. We find that responsibility acceptance
does matter in a textual disclosure, with the direction of the effect conditional on whether the related cause is internal or
external.
Our findings inform regulators and standard setters on how the “reasonable assurance” argument can be strategically used
by managers as a defense to ameliorate investors’ negative reactions to the disclosure of material weaknesses. These results
suggest the need for a better clarification to the public on what “reasonable assurance” means in order to mitigate this
expectation gap problem (see Koh and Sah 1998; McEnroe and Martens 2001; Goldwasser 2005). This aspect is important
because a majority (78 percent) of the ICFR reports in our sample of actual 10-K reports emphasize the “reasonable assurance”
aspect of internal control systems, among which 36 percent are stated strategically with the intent to fend off responsibility.


Managers should find our findings informative. Although our analysis of actual 10-K reports indicates that managers do
vary their disclosures in terms of accepting more or less responsibility for an internal control failure that is attributable to an
internal or external factor, it is unclear whether they are aware how these factors affect investors’ judgments. Our findings
suggest that not all disclosures of an internal control failure are equally effective in mitigating the negative impact on investors’
judgments—the efficacy of adopting more or less responsibility for the adverse event depends on whether the cause of the event
comes from within or outside the company.
Similarly, boards of directors should find our results of interest. Our finding that disclosure of an adverse corporate event
has a direct impact both on investors’ responsibility assignment and investment willingness, along with evidence of an indirect
effect of responsibility assignment on investment willingness (see our structural equation modeling results), has implications
for boards of directors. It may be that when investors heavily blame management for an adverse corporate event, the board may
need to consider firing the key players or hiring anew to mitigate the associated negative effect on investors’ investment
willingness.
Our paper has limitations. First, our theory suggests that internal and external breaches differ in both the prescription-event
and the actor-event links. Our paper is not able to distinguish which specific link drives the results, nor do we know how a
complex combination of different links that are made explicit influences the results. Moreover, it is possible that the language
used to describe each link, even when made explicit, can matter. For instance, prior studies show that readability effects matter
more when there is inconsistency in the message communicated (Tan, Wang, and Zhou 2015), and explicit links that have
opposite responsibility-assignment perceptions can induce feelings of inconsistency that introduce readability effects. Future
research can examine this issue. Second, in our analyses of actual internal control reports, our coding of locus of breach may
involve noise. Companies may encounter events reflecting both internal and external breaches, but choose to focus on
discussing internal breaches because they are more salient, and it is also sometimes hard and/or effortful to identify an external
cause for the breach. Besides, companies may not distinguish between control breaches and weaknesses in their reports.
Further, managers’ attributions may vary depending on whether they disclose the breaches in the internal control reports or the
media, since the target audiences are different. Consequently, the extent of internal breaches in our archival analysis may be
overstated or understated.

REFERENCES
Bamfield, J. 2010. The Global Retail Theft Barometer 2010: Monitoring the Costs of Shrinkage and Crime in the Global Retail Industry.
Nottingham, U.K.: Center for Retail Research.
Barton, J., and M. Mercer. 2005. To blame or not to blame: Analysts’ reactions to external explanations for poor financial performance.
Journal of Accounting and Economics 39 (3): 509–533. https://doi.org/10.1016/j.jacceco.2005.04.006
Bennett, C. 2015. SEC goes after investment adviser for poor cybersecurity. The Hill (September 22). Available at:
https://thehill.com/policy/cybersecurity/254554-sec-goes-after-investment-firm-for-poor-cybersecurity
Bies, R. J., and D. L. Shapiro. 1987. Interactional fairness judgments: The influence of causal accounts. Social Justice Research 1 (2):
199–218. https://doi.org/10.1007/BF01048016
Bies, R., and S. Sitkin. 1992. Excuse-making in organizations: Explanation as legitimation. In Explaining One’s Self to Others: Reason
Giving in a Social Context, edited by McLaughlin, M., M. Cody, and S. Read, 183–198. Hillsdale, NJ: Lawrence Erlbaum
Associates.
Bottom, W. P., K. Gibson, S. E. Daniels, and J. K. Murnighan. 2002. When talk is not cheap: Substantive penance and expressions of
intent in rebuilding cooperation. Organization Science 13 (5): 497–513. https://doi.org/10.1287/orsc.13.5.497.7816
Brauer, M., and P. Chekroun. 2005. The relationship between perceived violation of social norms and social control: Situational factors
influencing the reaction to deviance. Journal of Applied Social Psychology 35 (7): 1519–1539.
https://doi.org/10.1111/j.1559-1816.2005.tb02182.x
Carey, P., K. D. Young, J. Facciponti, J. V. Moreno, and S. Weiss. 2017. Equifax data breach highlights SEC disclosure obligations for
public companies in the wake of cybersecurity attacks. National Law Review (September 18). Available at:
https://www.natlawreview.com/article/equifax-data-breach-highlights-sec-disclosure-obligations-public-companies-wake
Coleman, D. 2014. Taking responsibility for cybersecurity. Audit Analytics (December 22). Available at:
https://www.auditanalytics.com/blog/taking-responsibility-for-cybersecurity/
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2013. Internal Control—Integrated Framework. Jersey
City, NJ: AICPA.
Cortina, J. M. 1993. What is coefficient alpha? An examination of theory and applications. Journal of Applied Psychology 78 (1): 98–104.
https://doi.org/10.1037/0021-9010.78.1.98
Crant, J. M., and T. S. Bateman. 1993. Assignment of credit and blame for performance outcomes. Academy of Management Journal 36
(1): 7–27.
Darby, B. W., and B. R. Schlenker. 1982. Children’s reactions to apologies. Journal of Personality and Social Psychology 43 (4): 742–
753. https://doi.org/10.1037/0022-3514.43.4.742
DeStefano, M. 2017. Whose fault is that data breach? NSK Inc. (May 9). Available at:
https://info.focustsi.com/it-services-boston/will_you_be_responsible_for_data_breach_-0
Dunn, D., and M. J. Cody. 2000. Account credibility and public image: Excuses, justifications, denials and sexual harassment.
Communication Monographs 67 (4): 372–391. https://doi.org/10.1080/03637750009376518
Elliott, W. B., F. D. Hodge, and L. M. Sedor. 2012. Using online video to announce a restatement: Influences on investment decisions and
the mediating role of trust. The Accounting Review 87 (2): 513–535. https://doi.org/10.2308/accr-10202
Elliott, W. B., F. D. Hodge, J. J. Kennedy, and M. Pronk. 2007. Are M.B.A. students a good proxy for nonprofessional investors? The
Accounting Review 82 (1): 139–168. https://doi.org/10.2308/accr.2007.82.1.139
Elliott, W. B., K. E. Jackson, M. E. Peecher, and B. J. White. 2014. The unintended effect of corporate social responsibility performance
on investors’ estimates of fundamental value. The Accounting Review 89 (1): 275–302. https://doi.org/10.2308/accr-50577
Gibbs, J. P. 1981. Norms, Deviance, and Social Control: Conceptual Matters. New York, NY: Elsevier.
Goffman, E. 1971. Relations in Public. New York, NY: Harper.
Goldwasser, D. L. 2005. The past and future of reasonable assurance. Innovations in Auditing (November): 28–31.
Hammersley, J. S., L. A. Myers, and C. Shakespeare. 2008. Market reactions to the disclosure of internal control weaknesses and to the
characteristics of those weaknesses under Section 302 of the Sarbanes Oxley Act of 2002. Review of Accounting Studies 13 (1):
141–165. https://doi.org/10.1007/s11142-007-9046-z
Heider, F. 1958. The Psychology of Interpersonal Relations. New York, NY: Wiley.
Hoaglin, D. C., B. Iglewicz, and J. W. Tukey. 1986. Performance of some resistant rules for outlier labeling. Journal of the American
Statistical Association 81 (396): 991–999. https://doi.org/10.1080/01621459.1986.10478363
Institute of Internal Auditors (IIA). 2008. Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners. Lake
Mary, FL: IIA.
Kern, J., and C. J. Bosch. 2016. SEC steps up cybersecurity enforcement with $1 million fine against Morgan Stanley. National Law
Review (June 30). Available at:
https://www.governmentcontractslawblog.com/2016/06/articles/compliance/sec-steps-up-cybersecurity-enforcement-with-1-million-fine-against-morgan-stanley/
Khan, R. 2017. Equifax, SEC, and Deloitte cyber breaches: Is it time to remove executive immunity from prosecutions? Forbes (October
3). Available at: https://www.forbes.com/sites/roomykhan/2017/10/03/equifax-sec-and-deloitte-cyber-breaches-is-it-time-to-remove-executive-immunity-from-prosecutions/#18e7e19a727f
Kline, R. B. 2011. Principles and Practice of Structural Equation Modeling. New York, NY: Guilford Press.
Koh, H. C., and W. Sah. 1998. The expectation gap in auditing. Managerial Auditing Journal 13 (3): 147–154.
Lazarus Alliance. 2017. Data Breach Responsibility: Who Takes the Fall When a Company Gets Hacked? Available at:
https://lazarusalliance.com/data-breach-responsibility/
McEnroe, J. E., and S. C. Martens. 2001. Auditors’ and investors’ perceptions of the “expectation gap.” Accounting Horizons 15 (4):
345–358. https://doi.org/10.2308/acch.2001.15.4.345
Mercer, M. 2005. The fleeting effects of disclosure forthcomingness on management’s reporting credibility. The Accounting Review 80
(2): 723–744. https://doi.org/10.2308/accr.2005.80.2.723
Michaels, D. 2014. Hacked companies face SEC scrutiny over disclosure. Bloomberg (July 7). Available at:
https://www.bloomberg.com/news/articles/2014-07-02/hacked-companies-face-sec-scrutiny-over-disclosure
Michaels, D. 2017. SEC discloses Edgar corporate filing system was hacked in 2016. Wall Street Journal (September 20). Available at:
https://www.wsj.com/articles/sec-discloses-edgar-corporate-filing-system-was-hacked-in-2016-1505956552
Ogneva, M., K. R. Subramanyam, and K. Raghunandan. 2007. Internal control weakness and cost of equity: Evidence from SOX Section
404 disclosures. The Accounting Review 82 (5): 1255–1297. https://doi.org/10.2308/accr.2007.82.5.1255
Palmrose, Z-V., V. J. Richardson, and S. Scholz. 2004. Determinants of market reactions to restatement announcements. Journal of
Accounting and Economics 37 (1): 59–89. https://doi.org/10.1016/j.jacceco.2003.06.003
Piercey, M. D. 2009. Motivated reasoning and verbal vs. numerical probability assessment: Evidence from an accounting context.
Organizational Behavior and Human Decision Processes 108 (2): 330–341. https://doi.org/10.1016/j.obhdp.2008.05.004
Public Company Accounting Oversight Board (PCAOB). 2007. An Audit of Internal Control over Financial Reporting that is Integrated
with an Audit of Financial Statements. Auditing Standard No. 5. Washington, DC: PCAOB.
Rose, J. M., C. S. Norman, and A. M. Rose. 2010. Perceptions of investment risk associated with material control weakness pervasiveness
and disclosure detail. The Accounting Review 85 (5): 1787–1807. https://doi.org/10.2308/accr.2010.85.5.1787
Rosenfeld, P., R. A. Giacalone, and C. A. Riordan. 1995. Impression Management in Organizations: Theory, Measurement, Practice.
London, U.K.: Routledge.
Rotter, J. B. 1966. Generalized expectancies for internal versus external control of reinforcement. Psychological Monographs 80 (1): 1–
28. https://doi.org/10.1037/h0092976
Schlenker, B. R., B. A. Pontari, and A. N. Christopher. 2001. Excuses and character: Personal and social implications of excuses.
Personality and Social Psychology Review 5 (1): 15–32. https://doi.org/10.1207/S15327957PSPR0501_2
Schlenker, B. R., T. W. Britt, J. Pennington, R. Murphy, and K. Doherty. 1994. The triangle model of responsibility. Psychological
Review 101 (4): 632–652. https://doi.org/10.1037/0033-295X.101.4.632
Schonbach, P. 1990. Account Episodes—The Management or Escalation of Conflict. Cambridge, U.K.: Cambridge University Press.
Scott, M. H., and S. M. Lyman. 1968. Accounts. American Sociological Review 33 (1): 46–62. https://doi.org/10.2307/2092239
Securities and Exchange Commission (SEC). 2003. SEC Implements Internal Control Provisions of Sarbanes-Oxley Act; Adopts
Investment Company R&D Safe Harbor. Washington, DC: SEC. Available at: http://www.sec.gov/news/press/2003-66.htm
Securities and Exchange Commission (SEC). 2005. Staff Statement on Management’s Report on Internal Control Over Financial
Reporting. Washington, DC: SEC.
Securities and Exchange Commission (SEC). 2011. CF Disclosure Guidance: Topic No. 2—Cybersecurity. Washington, DC: SEC.
Securities and Exchange Commission (SEC). 2017. Statement on Cybersecurity by Chairman Jay Clayton. Washington, DC: SEC.
Available at: https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20
Snyder, C. R., and R. L. Higgins. 1988. Excuses: Their effective role in the negotiation of reality. Psychological Bulletin 104 (1): 23–35.
https://doi.org/10.1037/0033-2909.104.1.23
Summerour, J. 2002. The collusion factor. Progressive Grocer 81 (12): 6.
Sun, Y., H-T. Tan, and J. Zhang. 2015. Effect of concession-timing strategies in auditor-client negotiations: It matters who is using them.
Contemporary Accounting Research 32 (4): 1489–1506. https://doi.org/10.1111/1911-3846.12139
Tan, H-T., E. Y. Wang, and B. Zhou. 2015. How does readability influence investors’ judgments? Consistency of benchmark performance
matters. The Accounting Review 90 (1): 371–393. https://doi.org/10.2308/accr-50857
Tyler, J. M., and R. S. Feldman. 2007. The double-edged sword of excuses: When do they help, when do they hurt. Journal of Social and
Clinical Psychology 26 (6): 659–688. https://doi.org/10.1521/jscp.2007.26.6.659
Upton, D. M., and S. Creese. 2012. The danger from within. Harvard Business Review (September): 94–101.
U.S. House of Representatives. 2002. The Sarbanes-Oxley Act of 2002. Public Law 107-204 [H.R. 3763]. Washington, DC: Government
Printing Office.
Verizon. 2016. 2016 Data Breach Investigations Report. Available at:
http://www.verizonenterprise.com/resources/reports/rp_dbir-2016-executive-summary_xg_en.pdf
Weiner, B. 1985. An attributional theory of achievement motivation and emotion. Psychological Review 92 (4): 548–573.
https://doi.org/10.1037/0033-295X.92.4.548
Wolfe, C. J., E. G. Mauldin, and M. C. Diaz. 2009. Concede or deny: Do management persuasion tactics affect auditor evaluation of
internal control deviations? The Accounting Review 84 (6): 2013–2037. https://doi.org/10.2308/accr.2009.84.6.2013
Wood, R. E., and T. R. Mitchell. 1981. Manager behavior in a social context: The impact of impression management on attributions and
disciplinary actions. Organizational Behavior and Human Performance 28 (3): 356–378.
https://doi.org/10.1016/0030-5073(81)90004-0
Yang, H. I. 2012. Capital market consequences of managers’ voluntary disclosure styles. Journal of Accounting and Economics 53 (1/2):
167–184. https://doi.org/10.1016/j.jacceco.2011.08.003
Zadelhoff, M. 2016. The biggest cybersecurity threats are inside your company. Harvard Business Review. Available at:
https://hbr.org/2016/09/the-biggest-cybersecurity-threats-are-inside-your-company

APPENDIX A
Examples of Each Category in the Archival Coding
| Variable | Level | Example |
|---|---|---|
| Locus | Internal | “the Company did not maintain effective internal control over financial reporting, solely relating to improper segregation of duties identified within the Company’s Defense segment. During the fourth quarter of 2011, members of the Company’s financial staff had access to automated accounting functions and the ability to administer security over the processing of accounting data.” (National Presto Industries, Inc., 10-K filing for the fiscal year ended December 31, 2011) |
| | External | “the Company did not maintain effective controls over the preparation and review of the income tax provision. Management’s review of the income tax provision, which was prepared by an outside tax advisor, failed to identify an error related to the nature and timing of temporary differences related to indefinite lived intangible assets when establishing a valuation allowance on deferred tax assets.” (Affirmative Insurance Holdings, Inc., 10-K filing for the fiscal year ended December 31, 2009) |
| Responsibility Statement | Present | “The Company’s management is responsible for establishing and maintaining adequate internal control over financial reporting.” (First Potomac Realty Trust, 10-K filing for the fiscal year ended December 31, 2010) |
| | Absent | Absence of such (or similar) statement. (e.g., Subay, Inc., 10-K filing for the fiscal year ended September 30, 2010) |
| Reasonable Assurance Argument | Non-Strategic | “Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies and procedures may deteriorate.” (Telestone Technologies Corporation, 10-K filing for the fiscal year ended December 31, 2011) |
| | Strategic | “Based on that evaluation, our Chief Executive Officer and our Chief Financial Officer concluded that the current disclosure controls and procedures as of December 31, 2010 were not effective . . . Our management does not expect that our disclosure controls or our internal controls will prevent all errors and all fraud. A control system, no matter how well conceived and operated, can provide only reasonable rather than absolute assurance that the objectives of the control system are met . . . Because of the inherent limitations in all control systems, no evaluation of controls can provide absolute assurance that all control issues and instances of fraud (if any) within the Company have been detected.” (Applied Minerals Inc., SEC 10-K filing for the fiscal year ended December 31, 2010) |
| | Absent | Absence of the “reasonable assurance” argument. (e.g., Zale Corporation, SEC 10-K filing for the fiscal year ended July 31, 2010) |

APPENDIX B
Manipulations in Experiment 2

Manipulation of Prescription
[Strong-link] Implementing an effective internal control system is a part of management’s overall responsibility.
Management retains ultimate responsibility for meeting the requirements for an effective system of internal control.
Management should implement measures to prevent control breaches, including those by insiders. An authoritative security
report indicates that control systems can be carefully designed to prevent such breaches.
[Weak-link] While internal controls provide reasonable assurance of achieving the entity’s objectives, limitations do exist.
An internal control system, even if effective, cannot prevent breaches by insiders. An authoritative security report indicates
that insiders, being in the know about the company’s operations, can circumvent the most carefully designed internal
control systems.

Manipulation of Responsibility Acceptance


There was a failure to maintain adequate access controls over the sales recording system.
Because of this access control weakness in the control system, the Company’s sales recording system was breached. A
sales representative, [strong-link] newly recruited by management/[weak-link] familiar with the system, was able to
successfully hack into the computerized sales recording system, change the sales orders, and steal customers’ data.
[Higher responsibility acceptance] A control system should be well conceived and operated to provide reasonable
(not absolute) assurance that the objectives of the control system are met.
Our management team acknowledges the responsibility to ensure that our control system should provide
reasonable assurance that control issues (including this hacking instance) will be detected.
[Lower responsibility acceptance] A control system, no matter how well conceived and operated, can provide only
reasonable, rather than absolute, assurance that the objectives of the control system are met.
Our management team is of the opinion that no control system can provide absolute assurance that all control
issues (including this hacking instance) will be detected.
Management will be taking further remediation efforts during the next fiscal year. The independent auditor has also
conducted its own evaluation of Griffin’s internal control over financial reporting, and identified the same control weakness.