Audit and Remediation Strategies in the Presence of Evasion Capabilities

In this paper, we provide prescriptive insights on how to uncover an adverse issue that may occur in organisations with the capability to evade audit detection. To that end, we formalise the problem of designing efficient auditing and remedial strategies as the optimal stochastic control of a piecewise deterministic Markov process. In our framework, a principal seeks to uncover and remedy an issue that occurs to an agent at a random point in time, and which harms the principal if not addressed promptly. This occurrence is the agent’s private information. Further, the agent can exert effort to render the principal’s audits ineffective at discovering the issue. We fully characterise, in closed form, the corresponding optimal policy, which can be implemented as a dynamic remedial cost-sharing mechanism with cyclic audits. We show that the strength of the agent’s evasion capability, as measured by its implementation cost and effectiveness in invalidating audits, changes the nature of the audit policy. When the agent’s evasion capability is limited, the principal runs the audit according to a deterministic schedule. Otherwise, the audit schedule becomes random. Further, the principal’s auditing frequency and cost may increase or decrease with the agent’s evasion capability.