This study is the first to establish IAF characteristics as separate, distinct constructs that act jointly in creating IAF quality; therefore, it contributes to the overall understanding of IAF quality and the determinants of the IAF as an effective internally based financial reporting monitor.
Abbott, L. J., B. Daugherty, S. Parker and G. F. Peters. 2016. Internal Audit Quality and Financial Reporting Quality: The Joint Importance of Independence and Competence. Journal of Accounting Research 54 (1): 3-40.
In 2013, the NASDAQ Stock Market LLC (NASDAQ) proposed a rule change that would require all NASDAQ registrants to maintain an internal audit function (IAF). The New York Stock Exchange (NYSE) has required all registrants to maintain an IAF since 2006. The thinking behind these requirements is that an effective IAF provides the audit committee and other financial reporting stakeholders with critical information pertaining to a company’s risks and internal controls. Corporate governance proponents also emphasize the IAF’s role in enhancing financial reporting quality; however, despite having many proponents the IAF’s role in the financial reporting process is not yet fully understood and empirical evidence concerning the impact of IAF quality is minimal. As a result of this lack of evidence, the authors investigate the potential impact of IAF quality as a joint function of the IAF’s competence and independence. They base this view upon theoretical work stating that external audit quality is a function of the external auditor’s ability (competence) to detect accounting misstatements and willingness (independence) to oblige proper accounting treatments.
In this paper, the authors develop and test a two-factor model of IAF quality as a function of the IAF’s ability to prevent/detect financial misstatements (competence) and its inclination to report the misstatements to the audit committee and/or external auditor (independence). The study uses survey evidence from 189 Chief Internal Auditors from Fortune 1000 companies during fiscal 2009.
This study offers insights into why internal auditing is experiencing a shortage of qualified job candidates and offers a potential solution to the problem. The authors find that external auditors have negative perceptions about internal auditing, and these negative perceptions are associated with a (1) decreased desire to apply for internal auditing positions, (2) lower likelihood of recommending an in-house internal auditing career to high-performing students, and (3) higher likelihood of recommending an in-house internal auditing career to mediocre students. Internal auditors can try solving this problem by improving perceptions about internal auditing via a media campaign that raises awareness about the true internal audit career path.
Bartlett, G.D., J. Kremin, K.K. Saunders, and D.A. Wood. 2016. Attracting Applicants for In-House and Outsourced Internal Audit Positions: Views from External Auditors. Accounting Horizons 30 (1): 143-156.
The internal audit function can help organizations strengthen their risk management and corporate governance, yet the demand for qualified candidates to fill internal audit job openings exceeds the supply of interested applicants. Consequently, the internal audit function may find itself short-staffed and/or staffed with lower quality candidates, which may limit its ability to add value to the organization. In order to correct this problem, it is important to fully understand its scope and its root cause(s). Prior research attempting to gain this understanding has focused on investigating how accounting students’ beliefs about internal audit impact their interest to pursue an internal audit career. The authors of this paper extend this research by:
The authors use data from three sources. First, the authors performed an experiment using experienced external auditors—mostly seniors or associates—who were asked whether they would apply for a job described as either an accounting, in-house internal audit, or outsourced internal audit position. Second, the authors performed another experiment using experienced external auditors—mostly managers or directors—who were asked whether they would recommend that a high-performing (mediocre performer) student pursue an external audit, in-house internal audit, or outsourced internal audit career. Third, the authors surveyed high-ranking former/current external auditors who never worked in internal audit about what would make internal auditing a more appealing career for them.
Results from this study suggest that rotating internal auditors into operational management programs reduces financial reporting quality. Companies that utilize a rotational internal audit program should be aware of these possible unintended consequences. Companies utilizing these programs should consider implementing several compensating controls (listed in the findings section), as the authors have found that these controls can reduce or even eliminate (if used together) the negative consequences of rotational internal audit programs.
Christ, M.H., A. Masli, N.Y. Sharp, and D.A. Wood. 2015. Rotational internal audit programs and financial reporting quality: Do compensating controls help? Accounting, Organizations and Society 44: 37-59.
The purpose of this study is to examine unintended consequences of rotational internal audit programs. Specifically, the authors inspect how moving internal auditors out of the internal audit function and into operational management can impact financial reporting quality. In addition, the authors examine how compensating controls can mitigate the unintended consequences.
The authors initially utilize semi-structured interviews with audit executives and audit committee chairmen to identify how the rotational internal audit programs impact financial reporting quality. Using the information gathered, the authors test hypotheses utilizing archival data from various firms for the years 2000 to 2005.
Overall, the authors find that the practice of rotating internal auditors into operational management positions is related to lower financial reporting quality. Specifically, it increases Accounting Risk (that evaluates the risk of misreporting by identifying suspicious patterns in accounting data). However, the authors find that several compensating controls can reduce this negative effect. Specifically, the authors find the effect is reduced when companies only rotate staff internal audit positions, have a more effective audit committee, and when management asks the internal audit function to have a greater role in the financial reporting process. Findings also demonstrate that including all three of these compensating controls can eliminate the unintended consequences.
This study’s results are important to regulators thinking about requiring issuance of an internal audit report and practitioners planning how to respond to such proposals. The authors suggest that the assurance internal audit report, which leads to more conservative risk assessment when internal auditors mainly report to the audit committee, may prove rather costly and unpopular among internal auditors. Meanwhile, the descriptive internal audit report, which prior research found to be useful to investors, does not make internal auditors more conservative, but it may prove less costly and more popular among internal auditors. Ultimately, these findings suggest that regulators need to discuss any internal audit report proposals with key stakeholders, including internal auditors, before getting too far into the rule making process.
Boyle, D. M., F. T. DeZoort, and D. R. Hermanson. 2015. The Effects of Internal Audit Report Type and Reporting Relationship on Internal Auditors' Risk Judgments. Accounting Horizons 29 (3): 695-718.
External stakeholders want information to help them better understand corporate governance at the companies they follow. Although disclosure about many elements of corporate governance is currently available, little is known about the internal audit function. Such information asymmetry may be decreased via the issuance of an internal audit report. In fact, a few organizations have voluntary started issuing internal audit reports to external stakeholders. However, nothing is known about whether and how different forms of these reports impact internal auditors’ judgments. These judgments may also be impacted by whether the internal auditors mainly report to management or the audit committee. The purpose of this study is to discover:
The authors hope to find answers to these questions in order to provide regulators with insights that can be used when considering potential regulation of the internal audit function.
The authors collected their evidence prior to August 2013 via a case emailed to highly experienced IIA members working at public and nonpublic companies. In this case, the authors manipulated the presence of a descriptive internal audit report, presence of an assurance internal audit report, and whether the internal auditor reported to management or the audit committee. Participants were asked to make fraud risk and control risk assessments, as well as explain whether and why they support or do not support the issuance of descriptive and assurance internal audit reports.
These results have implications for both audit research and practice as well as policy makers and firms deciding on whether to outsource the internal audit function. From a research perspective, this study is the first to examine how external auditors view various internal audit outsourcing arrangements. Further, the results indicate a potential cost of internal audit outsourcing that has not been previously considered. That is, if outsourced internal auditors provide other services, the cost of the external audit could increase, which potentially interferes with some of the expected cost savings of AS No. 5.
Brandon, D. M. 2010. External Auditor Evaluations of Outsourced Internal Auditors. Auditing: A Journal of Practice & Theory 29 (2): 159-173.
In the last several decades many companies began outsourcing the internal audit function (IAF) to public accounting firms. The prevalence of outsourcing is likely to continue given current exchange requirements to establish and maintain an IAF. Further, lack of an IAF could be considered a significant internal control deficiency or even a material weakness. The primary concern over external auditors providing nonaudit services appears to be the potential negative effects of the fees from those services on the external auditor’s objectivity. This concern was so pervasive that part of the Sarbanes-Oxley Act prohibits external auditors from performing certain nonaudit services for external audit clients. The Panel on Audit Effectiveness acknowledges the role of internal audit in maintaining good corporate governance and encourages the cooperation between internal and external auditors. Public accountants can utilize the client-specific expertise possessed by strong internal audit departments to increase external audit efficiency (resulting in cost savings that could be passed on to the auditee) and also provide a higher level of assurance. These benefits are of particular interest given concerns over the cost of complying with Section 404 of the Sarbanes-Oxley Act (SOX).
This study investigates some implications of an outsourced internal auditor providing nonaudit services.
The 89 participants for the study were experienced practicing auditors. Fifty-six participants were obtained via contact partners at the respective firm. The contact partners were asked to distribute the instruments to auditors who typically evaluate internal auditors. The remaining participants were obtained through an in-house training session. 89 auditors participating, approximately 64 percent were CPAs and had an average of 4.7 years of audit experience. The evidence was gathered prior to September 2007.
Results indicate that certain external auditor judgments and decisions are negatively affected when an outsourced internal auditor also provides consulting services, while other judgments (long touted by proponents of auditor-provided nonaudit services as benefits) are not. Specifically, inconsistent with proponents of auditor-provided nonaudit services, competence perceptions do not appear to be improved by the provision of consulting services. Consistent with arguments of opponents of auditor-provided nonaudit services, external auditor perceptions of internal auditor objectivity appears to be impacted negatively by the provision of consulting services. Further, consistent with previous research, these results appear to be tempered by the staffing of the team providing the consulting services.
Other results indicate reduced planned reliance on outsourced internal auditors also providing other services. External auditors appear reluctant to rely on outsourced internal auditors providing additional services, regardless of staffing decisions. Results also indicate differences in audit fee adjustments. Specifically, participants would recommend greater audit fee increases when consulting services are provided, again regardless of the outsourcing arrangement.
The results suggest that internal auditors contribute to decreased reliability of disclosed amounts. It appears that the incentives of external auditors and internal auditors are closely aligned on this issue. In general, both of these parties seem to feel less responsibility for disclosed, relative to recognized amounts. The results indicate that financial reporting location has significant effects on internal auditors’ decisions to correct misstatements. Specifically, internal auditors are more willing to waive disclosed misstatements relative to recognized misstatements. Contrary to expectations, the results do not indicate that increased audit committee expertise and associated increases in audit committee members’ perceived powers cause internal auditors to be less willing to waive misstatements.
Norman, C. S., J. M. Rose, and I. S. Suh. 2011. The effects of disclosure type and audit committee expertise on Chief Audit Executives’ tolerance for financial misstatements. Accounting, Organizations & Society 36 (2): 102-108.
External audit partners are more willing to waive misstatement corrections for disclosed than for recognized amounts. This willingness to allow misstatements may increase management’s incentives to manipulate disclosed amounts and increase the levels of error and bias in disclosed information. While external auditors are more willing to waive disclosed amounts, relative to recognized amounts, internal auditors may require management to adjust misstatements regardless of their reporting locations. If internal auditors do not tolerate misstatements that are disclosed, this will increase the reliability (i.e., decrease the random error and bias) of disclosed amounts and decrease the likelihood of management manipulation of disclosed amounts. As a result, the impact to practice of external auditors’ willingness to waive misstated disclosures could be mitigated or even eliminated by internal audit oversight.
The authors examine Chief Audit Executives’ and deputy Chief Audit Executives’ decisions to require adjustments of misstatements that are either recognized or disclosed. Chief Audit Executives (CAEs) may require equivalent adjustments for recognized and disclosed amounts, and act to counter the actions of management and external auditors. Understanding the decision processes of CAEs will help to inform regulators and standard setters of the underlying factors that drive financial statement reliability.
The participants are 73 Chief Audit Executives (CAEs) and deputy CAEs. CAEs and deputy CAEs are the ultimate decision makers in internal audit. None of these participants are from outsourced internal audit departments. The average number of years of internal audit experience is 13.71. The study was completed on paper and provided to participants in sealed envelopes by one of the study’s authors. All participants completed the materials in their professional offices under controlled conditions in the presence of one of the authors. The evidence was gathered prior to 2011.
The results of this study indicate that reporting location has a significant effect on internal auditors’ decisions. Specifically, CAEs and their deputies require lesser amounts of misstatement correction of disclosed amounts relative to recognized amounts. While increased audit committee expertise increases audit committee members’ perceived power over management, the authors do not find that CAEs require greater misstatement corrections when the audit committee has more financial expertise, relative to less expertise. It appears that internal auditors may not have enough concern about disclosed misstatements to warrant a decision to exercise the power they derive from audit committee expertise. The results suggest that internal auditors, like external auditors and managers, act to decrease the perceived and actual reliability of disclosed information. Further, increasing the power of the internal audit function does not mitigate this problem. The authors find reason for serious concerns about the accuracy of disclosed amounts, relative to recognized amounts.
The results speak to the need for regulators to consider the incentives of the various stakeholders when determining policy. Should policy makers consider expanding or restricting specific oversight roles, they should consider the concomitant effects on the internal audit function, and the differential incentives faced by the audit committee and executive management. In addition, as audit committees and managers jointly work or oversee the work of internal auditors, the results suggest that these two oversight participants should consider how their respective incentives potentially bias the focus of the internal audit department away from a mix of activities that optimally address the greater business risks of the company. Likewise, as external auditors assess the organizational status of the internal audit department, they may also wish to consider the apparent focus of internal audit as a potential indication of oversight control.
Abbott, L. J., S. Parker, and G. F. Peters. 2010. Serving Two Masters: The Association between Audit Committee Internal Audit Oversight and Internal Audit Activities. Accounting Horizons 24 (1): 1-24.
This study examines the association between the activities performed by the internal audit function (hereafter, IAF) and the extent of audit committee oversight of the IAF. Two primary concerns motivate this study. First, relatively little regulatory or best practices guidance relates to the distribution of IAF activities, and virtually no current research has been done about these activities. The authors believe this topic to be important because current New York Stock Exchange listing rules require registrants to maintain an IAF, increasing the pervasiveness of internal audit. The second motivation concerns the relatively incomplete set of audit-committee related regulations. In particular, the Sarbanes-Oxley Act of 2002 (SOX) requires audit committee oversight of internal controls over financial reporting and also mandates reporting on a registrant’s internal controls. However, SOX is silent on internal audit, a key participant in both the financial reporting process and the internal control structure. Moreover, SOX does not address internal audit’s reporting relationship with the audit committee or the audit committee’s duties concerning internal audit resources.
The survey questionnaire was mailed to Fortune 1000 companies, after excluding banks. Consistent with much prior internal audit research, the survey was directed to CIAs. The first survey was sent in July 2006 and resulted in a total of 72 usable responses. A follow-up mailing was conducted in September 2006 and produced an additional 62 usable responses. This lead to the final sample size of 134 observations.
The authors find that the percentage of the IAF budget devoted to internal-controls-based activities is positively related to the measure of the audit committee’s oversight. In particular, audit committees with greater IAF oversight are associated with larger percentages of IAF hours being allocated toward internal controls activities. Moreover, the results suggest that a significant number of Fortune 1000 companies have audit committees that appear to have little oversight of the IAF. This speaks to the relevance and timeliness of the recommendations of numerous parties concerning audit committee internal audit termination/hiring rights and budgetary controls.
The authors also document significant differences in the allocation of IAF budgets across different activities, an area with very little prior research. They find that the majority of the IAF budget is devoted to internal controls activities, but the remainder, allocated to non-controls activities, is considerable. The evidence indicates that outsourcing arrangements are quite prevalent, but are also quite specific. In particular, the majority of outsourcing hours were spent on Section 404- related activities, with a lesser portion devoted to assisting the external auditor with the financial statement audit. The results suggest that an audit committee’s demand for better internal controls may lead to greater IAF focus on internal controls.
This study makes an original contribution to the development of new knowledge on internal auditing. It concludes that internal auditors tend to lack independence and audit committee members often exercise disturbingly weak power (on the internal audit function), as compared to the top managers. This points to the difficulty of applying an idealized conception of independence and purist governance principles to practice. That is, it encourages auditors to consider the appropriateness of internal auditing as a meaningful independent assurance device in operating the corporate governance "mosaic."
Roussy, M. 2015. Welcome to the day-to-day of internal auditors: How do they cope with conflict? Auditing: A Journal of Practice and Theory 34 (2): 237-264.
The internal audit function (IAF) was made mandatory in both private and public companies in North America in the early 2000s. This paper proposes a ''micro-level'' analysis of the way in which internal auditors express role conflicts in their day-to-day practice and how they perceive, manage, and resolve them. The study seeks to show that the independence of the internal auditor is often not up to the standards that are expected of the internal audit function (IAF), and therefore unlikely to play an effective governance oversight role compatible with the ideal of the new public management governance reform.
A field study was conducted involving semi-structured interviews with 42 internal auditors working in 13 public sector organizations. Interviews were conducted between May and October 2010. Each interviewee had 10-15 years of experience in internal auditing, with 20-25 years of professional experience total. Data was interpreted in the light of a theoretical analysis framework designed especially for this study. Organizational and social context was taken into consideration for each interview.
Overall, the results indicate that internal auditors have a relative lack of independence (as compared with the Institute of Internal Auditors’ standards.) More specifically:
Ultimately, the study concludes that internal auditors behave as if the IAF were a means for managerial control, instead of a governance mechanism.
These findings suggest that regulators, audit committees, and other stakeholders should consider ways to improve IAF quality, specifically IAF competence, and IAFs improve corporate governance by assisting audit committees in monitoring management. This study provides empirical evidence consistent with the proposition that IAF quality and competence deter management misconduct. IAF quality and, particularly, IAF competence are important in deterring observable instances of management misconduct, both accounting- and nonaccounting-related. These findings are important because in the early 2000s, regulators responded to public outcry over observable management misconduct, yet IAF quality was largely left out of the regulatory debate and reforms that followed.
Ege, M. S. 2015. Does Internal Audit Function Quality Deter Management Misconduct? Accounting Review 90 (2): 495-527.
This study examines the relation between internal audit function (IAF) quality, as defined by standard-setters, and the likelihood of management misconduct, such as financial reporting fraud, bribery, and misleading disclosure practices. Standard-setters posit that IAFs serve as a key resource to audit committees for monitoring senior management and that high-quality IAFs deter management misconduct. However, U.S. regulators do not enforce IAF quality or require disclosures relating to IAF quality. The U.S. Securities and Exchange Commission (SEC) proposed requirements to increase IAF quality by adding the appointment, compensation, retention, and oversight of the internal auditor to audit committee responsibilities, but these proposed requirements were abandoned. Ten years later, after withdrawing its recent proposal to require high-quality IAFs, NASDAQ is considering how to revise the proposed rules. These proposals demonstrate the need for evidence regarding whether IAF quality results in improved monitoring of management.
This study informs standard-setters, regulators, audit committees, and shareholders about whether IAF quality deters management misconduct incrementally to other monitors.
The author obtained the initial sample from the Institute of Internal Auditors’ proprietary Global Auditing and gathered additional information from COMPUSTAT. The final sample covers 1,398 firm-years representing 617 unique firms from 2000 through 2009. The management misconduct sample comes from four data sources: the Federal Securities Regulation Database, the Stanford Securities Class Action Clearinghouse, SEC’s website and the Department of Justice website.
The author finds a negative relation between IAF quality and management misconduct, even after controlling for other determinants of misconduct, including board of director, audit committee, and external auditor quality. This effect is economically significant, as a firm with IAF quality one standard deviation above the mean is approximately 2.3 percentage points less likely to have management misconduct than a firm with average IAF quality. This is approximately 29.5 percent of the 7.7 percent unconditional probability of management misconduct. Further analysis reveals that IAF competence, but not objectivity, is negatively related to the likelihood of management misconduct, suggesting that IAF competence is important in deterring management misconduct.
Misconduct firms have low IAF quality and IAF competence during misconduct years as compared to a matched sample of firms. Then, in post-misconduct years, misconduct firms increase IAF quality through IAF competence. This increase in competence is due to hiring more certified internal auditors and increasing training. However, misconduct firms do not appear to have lower IAF objectivity during or after misconduct years compared to a matched sample. These results are consistent with the proposition from standard-setters that IAFs serve as a key resource for audit committees in monitoring management.
The findings suggest that high-quality IAFs are effective at deterring both types of management misconduct. Disclosures related to IAF quality would assist stakeholders in predicting accounting-related management misconduct.
The primary result that audit committee involvement is significantly and positively associated with “outsourcing” is an important finding that suggests a need for management to pay close attention to the role that audit committee plays in “outsourcing” internal audit activities. The significance of value-added-activities, missing-skill-set, and audit-staff-vacancies on “outsourcing” also require management attention because collectively these three variables indicate trade-offs between acquiring the expertise in-house or “outsourcing” to external service providers.
For more information on this study, please contact Mohammad Abdolmohammadi
Abdolmohammadi, M. 2013. Correlates of Co-Sourcing/Outsourcing of Internal Audit Activities. Auditing: A Journal of Practice and Theory 32(3): 69-85.
I use responses from 1,059 chief audit executives (CAEs) of organizations located in Australia, Canada, New Zealand, South Africa, the U.K./Ireland, and the U.S. to investigate several correlates of co-sourcing/outsourcing (referred to as simply “outsourcing”) of internal audit activities.
In 2010 the Institute of Internal Auditors Research Foundation (IIARF) conducted a survey of IIA’s membership world-wide. The long survey had detailed questions about various issues from CAE attributes, organization characteristics, to practice issues such as “outsourcing.” Called the Common Body of Knowledge in Internal Auditing or CBOK (2010), this database has responses from internal auditors of varying experience and professional rank. I only use CAE responses for my study of “outsourcing” because CAEs are presumed to be highly knowledgeable about various issues of internal audit activities, including “outsourcing.” While CBOK (2010) has over 13,500 responses from members of various professional rank (CAEs, audit managers, etc.) in over 100 countries, I limit the data used in my study to only CAEs from Anglo-culture countries. This is to mitigate the possibility of differences due to various languages and cultural dimensions, such as uncertainty avoidance, levels of femininity/masculinity, etc.