Auditing Section Research Summaries Space

A Database of Auditing Research - Building Bridges with Practice

This is a public Custom Hive  public

research summary

    Internal Audit Reporting Lines, Fraud Risk Decomposition,...
    research summary posted May 4, 2012 by The Auditing Section, last edited May 25, 2012, tagged 06.0 Risk and Risk Management, Including Fraud Risk, 06.01 Fraud Risk Assessment, 08.0 Auditing Procedures – Nature, Timing and Extent, 08.11 Reliance on Internal Auditors, 13.0 Governance, 13.07 Internal auditor role and involvement in controls and reporting 
    Internal Audit Reporting Lines, Fraud Risk Decomposition, and Assessments of Fraud Risk
    Practical Implications:

    The results of this study are important for audit firms to consider when determining the extent of reliance on internal auditor’s fraud risk assessments.  Internal auditor judgments may be influenced by pressures to decrease risk assessments when reporting to the audit committee.  Thus, the recent suggested improvements for improving audit practice and risk assessment processes by reporting to the audit committee may have adverse and unexpected consequences.  Additionally, internal auditor judgments may be influenced by an over-reliance on attitude cues, even when decomposing fraud risk assessments.  Thus, decomposition may amplify the problem that prompted its use.


    Norman, C.S., A.M. Rose, and J.M. Rose. 2010. Internal audit reporting lines, fraud risk decomposition, and assessments of fraud risk. Accounting, Organizations and Society 35: 546-557.

    internal audit, fraud risk assessment, audit committee
    Purpose of the Study:

    The internal auditor function is one of the four cornerstones of corporate governance along with senior management, the board, and external auditors.  External auditors frequently rely on the work of internal auditors, including firm risk assessments per AS5, An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements.  Internal auditors may report to management or to the audit committee.  Many investors and regulators have suggested that internal auditors should report directly to the audit committee to minimize the threats to independence and objectivity that may potentially occur when internal auditors report to management.  However, if the audit committee is given power over the internal audit function, this may create potential new threats to internal auditor independence not previously considered.  For example, many audit committees now have the authority to hire or fire the Chief Audit Executive.  This paper addresses the effects of internal audit reporting lines on the fraud risk assessment judgments of internal auditors.  Below are two objectives that the authors address in their study: 

    • Examine the extent that internal auditors may be subconsciously motivated to avoid reporting higher levels of fraud risk to the audit committee, relative to when the risks are reported to management.
    • Examine whether decomposition of fraud risk into the components of the fraud triangle (management attitude, incentives, and opportunities) improves the internal auditor’s sensitivity to opportunity and incentive cues.
    Design/Method/ Approach:

    The authors collected their evidence from highly experienced internal auditors (mean experience of 15.3 years) via survey instruments. The authors then collected additional evidence using an experiment where participants were asked to complete a simulated task. Experiment participants were experienced internal auditors with mean experience of 9.6 years.  Survey participants were asked five questions about risk assessment discussions, reporting lines, and reactions.  In the simulated task participants were asked to assess the level of fraud risk in a hypothetical firm.  Participants were assigned to either a higher or lower level of fraud risk and to a reporting line of either audit committee or management.  The research was conducted in the mid- to late-2000s time period.

    • The authors find that internal auditors perceive greater personal threats when reporting high levels of fraud risk to the audit committee than when reporting to management.  Internal auditors fear overreaction from the audit committee, potentially leading to increased workload and management reprisals.   
    • The perception of greater perceived threats leads internal auditors to reduce assessed levels of fraud risk when reporting to the audit committee relative to reporting to management.  This finding is contrary to expectations and reveals additional unexpected threats created by having internal audit report to the audit committee.
    • Internal auditors increase attention to management attitude when risk assessments are decomposed, without a corresponding increase to incentive or opportunity cues.  Thus, unlike external auditors, fraud decomposition does not appear to mitigate perceived problems associated with insensitivity to incentive and opportunity cues.    
    Risk & Risk Management - Including Fraud Risk, Auditing Procedures - Nature - Timing and Extent, Governance
    Fraud Risk Assessment, Reliance on Internal Auditors, Internal auditor role and involvement in controls and reporting
    home button