The current issue and full text archive of this journal is available at www.emeraldinsight.com/0268-6902.

htm

MAJ 26,6

External auditors reliance on internal auditing: further evidence

Lois Munro
School of Accountancy, Queensland University of Technology, Brisbane, Australia, and

464
Received 23 November 2010 Revised 2 February 2011 Accepted 21 February 2011

Jenny Stewart
Department of Accounting, Finance and Economics, Grifth Business School, Grifth University, Brisbane, Australia
Abstract
Purpose The purpose of this paper is to explore whether internal audits reporting relationship with the audit committee and the clients business risk environment impact external auditors reliance on the work of internal audit. Design/methodology/approach An experiment is conducted using a 2 2 between-subjects design where we manipulate the above two factors at strong and weak levels. Participants are 66 audit partners, managers and seniors, all experienced with clients having internal audit functions. Findings The results indicate that both factors affect external auditors reliance on work already undertaken by internal audit and their use of internal auditors (IA) as assistants. The results also indicate that external auditors are more likely to use internal audit for control evaluation tasks than for substantive tests of balances. The study does not nd any signicant interaction effects between the two factors. Originality/value No prior studies have examined the inuence of reporting relationship and client business risk on external auditors reliance decisions in the current governance environment. Further, the paper examines the impact of these factors on reliance on work already undertaken by internal audit and on using IA as assistants, with respect to both control evaluation work and substantive testing of balances. Keywords Internal auditing, External auditor reliance decisions, Audit planning, Audit Committees, Business risk Paper type Research paper

Managerial Auditing Journal Vol. 26 No. 6, 2011 pp. 464-481 q Emerald Group Publishing Limited 0268-6902 DOI 10.1108/02686901111142530

1. Introduction In recent years, the internal audit function has become a key corporate governance mechanism alongside the audit committee, external audit and management (Cohen et al., 2004; Gramling et al., 2004; Schneider, 2009). As reected in the Institute of Internal Auditors (IIA, 2009), denition of internal auditing, internal audit is both an assurance and consulting activity concerned with evaluating and improving the effectiveness of risk management, control and governance processes. In the USA, the Sarbanes-Oxley Act (SOX) (US Congress, 2002) requires management to certify the adequacy of the rms internal controls and report on the effectiveness of these controls in the annual report. In addition, the New York Stock Exchange enacted a requirement in 2003 that all listed companies must have an internal audit function, either in-house or outsourced (Schneider, 2009). Research has provided evidence of a growth in internal audit in the post-SOX period, with an increase in the workload and responsibilities of internal audit

departments (Grant et al., 2009) and an increase in resources (budgets and stafng) for the internal audit function (Schneider, 2009). Australian and International Auditing Standards (ASA 610, 2009; ISA 610, 2010) specify that the activities of the internal audit function may include monitoring and improving internal controls, examination of nancial and operating information, review of operating activities, review of compliance with laws, regulations and policies, identifying and evaluating risk exposures and improving risk management, and assessing the corporate governance process (ASA 610, 2009). In addition, the Australian Securities Exchange (ASX) Corporate Governance Principles and Recommendations (ASX, 2010) specify that the internal audit function will generally perform an analysis and independent appraisal of the effectiveness of the companys risk management and internal control system on behalf of the board. As a result of these regulatory reforms, the responsibilities of the internal audit function have increased signicantly in the last decade. The changing governance environment over this time has led to an increased emphasis on the relationship between IA and external auditors (Gramling et al., 2004; Grant et al., 2009). While external auditors reliance on the work of internal audit has been researched for almost three decades (Clark et al., 1980; Margheim, 1986; Schneider, 1985; Whittington and Margheim, 1993), the focus of many studies has been on the objectivity, work performance and competence of the internal audit function (Brown, 1983; Krishnamoorthy, 1994; Messier and Schneider, 1988; Schneider, 1984). Given that there is now a closer alignment between internal and external audit in this changed environment, further examination of this relationship is warranted. The objective of this study is to examine two factors that might inuence external auditors reliance decisions in the current governance regime. These factors are the internal audits reporting relationship with the audit committee and the clients business risk environment. Using a scenario involving a nancial institution, we manipulate these factors at two levels (stronger and weaker) to explore their impact on external auditors reliance on the work of internal audit and on their use of IA as assistants in performing audit tasks[1]. Our study makes a number of key contributions. Prior studies examining the impact of internal audit reporting relationships on external auditor reliance decisions have been undertaken at a time when the regulatory emphasis on the role of audit committees was limited. Further, these studies have generally focused on internal audit objectivity by comparing functions that report to the audit committee with those that report to the chief nancial ofcer (CFO) (Maletta, 1993; Margheim, 1986; Schneider, 1985). In contrast, we compare an internal audit function where the chief audit executive (CAE) reports to the chief executive ofcer (CEO) and has not had private meetings with the audit committee, with one where the CAE reports to the audit committee and does have regular private meetings with the committee. Although both the CFO and the CEO are members of management, reporting to the CEO should increase the status of internal audit in the organisation. It also overcomes potential problems that can arise when internal audit reports to the person with direct responsibility for the nancial and accounting systems which the function is required to monitor. Hence, the main discriminating factor in our study is whether the internal audit function meets privately with the audit committee or not. Research has shown that the effectiveness of internal audit can be improved where regular meetings are held between the audit committee and internal audit (Scarbrough et al., 1998; Treadway Commission, 1987). Where these

Reliance on internal auditing

465

MAJ 26,6

466

meetings are private, the internal audit function can be protected and is more independent, thus enhancing corporate governance (Braiotta, 2004). Another important contribution relates to our second manipulation which contrasts a strong business risk environment with a weaker business risk environment. Current auditing standards reect a business risk approach to audit planning (ASA 315, 2009; ISA 315, 2010), involving a top-down analysis of critical environmental factors that might lead to material misstatement of the nancial statements. However, while studies have examined the impact of inherent risk on external auditors decisions to rely on the work of internal audit (Felix et al., 2001; Glover et al., 2008; Maletta, 1993; Whittington and Margheim, 1993), this is the rst study to examine the impact of the business risk environment on such reliance decisions. A further contribution lies in our examination of the impact of these factors on decisions to rely on work already undertaken by internal audit and decisions to use IA as assistants, in each case differentiating between control evaluation work and substantive testing of balances. Prior research has found differences between control evaluation work and substantive testing (Margheim, 1986; Mills, 1996) and between reliance on work undertaken by internal audit and using IA as assistants (Margheim and Label, 1990). However, the only other study to examine these four reliance decisions is Munro and Stewart (2010). We nd that internal audits reporting relationship with the audit committee and the clients business risk environment both impact the extent of external audit reliance on control evaluation work already undertaken by internal audit. The clients business risk environment has a marginally signicant impact on reliance on substantive testing work already undertaken but no impact is found for the reporting relationship. With regard to using IA as assistants, both relationship with the audit committee and the clients business risk environment signicantly impact control evaluation work and substantive testing of balances. Consistent with Munro and Stewart (2010), we also nd that external auditors are more likely to rely on control evaluation work than substantive testing work and that there are no signicant differences between relying on work already undertaken and using IA as assistants. The remainder of the paper is structured as follows. In Section 2, we discuss prior research and develop our hypotheses. This is followed by an explanation of the research methods in Section 3. Section 4 reports and discusses the results of the study while the nal section contains some concluding comments including an acknowledgement of the studys limitations and suggestions for future research. 2. Prior research and hypothesis development The external auditors relationship with internal audit has become increasingly important in the current governance environment (Glover et al., 2008; Gramling et al., 2004; Grant et al., 2009; Schneider, 2009). The need for high-quality auditing in conjunction with increased compliance costs places greater emphasis on the benets of an effective and efcient integration of the two audit functions. Professional auditing standards allow reliance on the work of internal audit subject to an assessment of the internal audit function (ASA 610, 2009; ISA 610, 2010). Both Australian and international standards require the external auditor to consider four key factors when assessing whether to rely on internal audit work. These four factors are: (1) internal audit objectivity in terms of the status and reporting lines of the internal audit function;

(2) the technical competence of internal audit staff; (3) their exercise of due professional care; and (4) the communication between internal and external audit (ASA 610, 2009; ISA 610, 2010). Similarly, US standards require consideration of the competence, objectivity and work performed by IA as the three key components of internal audit quality (AU Section 322 (AICPA, 2010); PCAOB, 2010). Additionally, the US standards specically recognise that the external auditor may request direct assistance from IA with respect to obtaining an understanding of controls, testing controls and performing substantive tests (Schneider, 2009). A considerable body of research has explored the factors that inuence external auditors decisions to rely on internal audit and this has been well summarised in Glover et al. (2008) and Gramling et al. (2004). We therefore restrict our discussion to the specic factors examined in the present study. Reporting relationship with the audit committee A close working relationship between internal audit and the audit committee is recognised as a fundamental principle of sound corporate governance (ASX, 2010; Cohen et al., 2004; James, 2003; Treadway Commission, 1987). Internal audit independence and objectivity should be enhanced when the function reports directly to the audit committee as opposed to senior management (Cohen et al., 2004). According to Gramling et al. (2004, p. 198), a strong relationship between the internal audit function and the audit committee helps provide internal audit with an appropriate environment and support system for carrying out its own governance-related activities. The audit committee can strengthen the position of internal audit by acting as an independent forum for the CAE to raise matters affecting management (Braiotta, 2004; Goodwin, 2003; Goodwin and Yeo, 2001). To achieve maximum benet, it is recognised that open lines of communication should exist between internal audit and the audit committee. The CAE should have regular and condential access to the committee (IIA, 2002) to facilitate the discussion of sensitive issues, particularly those affecting management (Braiotta, 2004). Scarbrough et al. (1998) nd that where the CAE has three or more meetings a year with the audit committee, the CAE has greater private access to the committee. When the CAE does not meet three or more times a year, access to the audit committee is considerably less. A signicant association between private access by the CAE to the audit committee and audit committee review of the internal audit program and results is also found (Scarbrough et al., 1998). These ndings emphasise the importance of a good working relationship between the CAE and the audit committee, which should strengthen both actual and perceived objectivity and enhance corporate governance practices. A number of studies have examined the impact of internal audits reporting to the audit committee on external auditors objectivity assessments and reliance decisions (Abdel-Khalik et al., 1983; Brown, 1983; Schneider, 1985; Margheim, 1986; Messier and Schneider, 1988; Margheim and Label, 1990). These studies have generally compared reporting lines between the audit committee and the CFO or controller, with mixed results. The early study by Abdel-Khalik et al. (1983) nds reporting line to be the most signicant factor in external auditors decisions to assign work to IA. Similarly, Brown (1983) nds

Reliance on internal auditing

467

MAJ 26,6

468

that reporting line, including access to the audit committee, is the most signicant factor in external auditors assessment of internal audit reliability. In contrast, Margheim (1986) nds that internal audit objectivity based on reporting lines has no signicant effect on external auditors reliance on work undertaken by IA. Margheim and Label (1990) obtain similar results for external auditors planned usage of IA as assistants. Schneider (1985) compares four levels of internal audit reporting: (1) to the assistant controller; (2) to the controller; (3) to the senior vice president for operations; and (4) to the audit committee chair. The study provides evidence that external auditors reliance decisions are primarily based on internal audit competence and work performance with less emphasis placed on objectivity. A direct reporting line to the CFO by internal audit is now considered to be inappropriate and should be restricted to administrative matters only (Ernst & Young, 2006). In view of this, we examine the impact of reporting directly to the audit committee and having regular private meetings with the committee compared to reporting to the CEO and meeting with the audit committee only in the presence of management. Hence, our manipulation includes not only the reporting line but more importantly the level of direct communication with the audit committee. In spite of the mixed results of prior research, we expect a strong relationship with the audit committee in the current governance environment to strengthen internal audit status and objectivity. This, in turn, should impact external auditors decisions relating to reliance on work already undertaken by internal audit and the use of IA as assistants for performing audit tasks. This leads to the following hypotheses: H1a. External auditors are more willing to rely on work already undertaken by internal audit when internal audit has a strong reporting relationship with the audit committee compared to a weaker relationship. H1b. External auditors are more willing to utilise internal audit to assist in performing audit tasks when internal audit has a strong reporting relationship with the audit committee compared to a weaker relationship. Clients business risk environment The extent to which external auditors decide to rely on the work of internal audit is an important audit-planning judgment. A key part of audit planning is the need to understand the clients overall business risk and to evaluate the impact of specic business risks on the risk of material misstatement in the nancial report (Gay and Simnett, 2010). Business risk can be dened as:
[. . .] the risk that an entitys business objectives will not be attained as a result of the external and internal factors, pressures, and forces brought to bear on the entity and, ultimately, the risk associated with the entitys survival and protability (Bell et al., 1997).

While the impact of the clients business risk environment on reliance decisions has not previously been examined, prior research suggests that external auditors do consider the impact of global factors such as management integrity and corporate governance when making other audit-planning judgments (Allen et al., 2006; Beaulieu, 2001;

Kizirian et al., 2005). Hanno and Agoglia (1999) nd that auditors consider management and governance characteristics to be the most important factors when evaluating the clients control environment. Cohen and Hanno (2000) use an experiment to examine the impact of management control philosophy and corporate governance on audit-planning judgments. They nd that auditors are sensitive to both factors when making control risk assessments and planning judgments pertaining to the level of substantive testing. Bedard and Johnstone (2004) examine client risk assessments made by audit engagement partners in a large public-accounting rm to test the impact of earnings management risk and corporate governance risk on audit planning and pricing decisions. They report a signicant positive relation between earnings management risk and planned audit hours and billing rates. They also nd a signicant interaction effect between earnings management risk and corporate governance risk. However, corporate governance risk on its own is not found to be associated with increases in planned audit hours and billing rates. Finally, Cohen et al. (2007) examine whether the strength of board roles (agency and resource dependence) affect auditors risk assessments and audit program planning. While they do not nd a signicant association between inherent risk assessments and board roles, they do nd that auditors assess control risk to be greater when both the agency and resource dependence roles of the board are weaker. They also report a negative association between planned audit effort and weaker board roles. Overall, these studies suggest that auditors are sensitive to the clients overall risk, control and governance environment when making audit-planning decisions. A small number of studies have examined the impact of inherent risk on external auditors reliance on the work of internal audit but these have generally related to the audit of specic account balances such as accounts receivable (Maletta, 1993; Whittington and Margheim, 1993). Maletta and Kida (1993) examine both inherent risk and control architecture in the context of accounts receivable. They nd complex interactions between external auditors reliance decisions and levels of inherent risk and control strength, suggesting a congural relationship between inherent risk and the strength of control architecture. Margheim and Label (1990) examine reliance decisions in a high-risk situation but do not manipulate risk as an independent variable. Overall, inherent risk is examined by Felix et al. (2001) who nd that the signicance of other factors affecting internal audit contribution to the external audit (namely, internal audit availability and the relationship between external and internal audit) is contingent on inherent risk being high. In a more recent study, Glover et al. (2008) nd that the external auditors reliance on internal audit is higher when they perform objective tasks (such as accounting for pre-numbered documents) compared to subjective tasks (such as reviewing inventory turnover ratios to identify obsolete inventory). In addition, their evidence suggests that this effect is magnied when inherent risk was assessed as high, that is, when management bonuses were based on earnings targets, management used aggressive accounting techniques and earnings announcements did not meet market expectations (Glover et al., 2008). In the present study, we manipulate the overall business risk environment of the client by contrasting a nancial institution with increasing protability, stable management, and strong risk management and control systems with one suffering a damaged reputation following two recent electronic-banking frauds which impacted protability and market share and resulted in management changes including a new CEO. While the impact of the clients business risk environment on external auditors reliance

Reliance on internal auditing

469

MAJ 26,6

470

on the work of internal audit has not previously been examined, we predict an association for a number of reasons. First, the business risk approach of modern auditing emphasises an assessment of the business risk environment as fundamental to audit planning and to an evaluation of audit risk (Gay and Simnett, 2010). This approach should therefore impact control evaluation and the nature and extent of audit testing (ASA 315, 2009; ISA 315, 2010). Second, weaknesses in the business risk environment cast doubt on the clients overall commitment to strong corporate governance, further impacting on the external auditors risk assessment. The prior research discussed above suggests that auditors do consider such global factors in their risk assessments and judgments relating to planned audit hours. Just as external auditors plan to increase audit testing when factors associated with management and governance are weaker, we expect that they would be less willing to rely on the work of IA in such situations. A further reason is that, given that one of the key roles of internal audit is to monitor internal controls (ASA 610, 2009; ISA 610, 2010), external auditors may consider that the existence of control weaknesses reects on the quality of the internal audit function. For all of these reasons, it would be expected that external auditors would see less benet in internal audit and would prefer to perform their own tests rather than rely on the clients IA. We therefore test the following hypotheses: H2a. External auditors are more willing to rely on work already undertaken by internal audit when the clients business risk environment is strong compared to when it is weaker. H2b. External auditors are more willing to utilise internal audit to assist in performing audit tasks when the clients business risk environment is strong compared to when it is weaker. Interaction effects There is limited prior research and theoretical support for the likelihood of an interaction effect between the two independent variables and hence we do not make any predictions in this regard. However, it is possible that external auditors will be more willing to rely on the work of IA when internal audit has a strong reporting relationship with the audit committee only when the overall business risk environment is strong. This is consistent with the ndings of prior studies in the context of inherent risk. For example, Felix et al. (2001) and Glover et al. (2008) report that the effect of factors inuencing reliance decisions is greater when inherent risk is high. Further, Maletta (1993) and Maletta and Kida (1993) report complex interactions between inherent risk, control strength and internal audit objectivity in external auditors decisions to use IA as assistants. We therefore pose the following research question: RQ1. Is there an interaction effect between internal audits reporting relationship with the audit committee and the clients overall business risk environment with respect to external auditors (i) reliance on work already undertaken by internal audit and (ii) utilisation of IA as assistants. 3. Research methods To test our hypotheses, we conducted an experiment using a 2 2 between-subjects design. The rst factor involves the CAEs reporting lines and relationship with the audit committee. The second factor relates to the strength of the clients business risk

environment with respect to protability, management stability, risk management and control systems. Both factors were manipulated at strong and weak levels to give four treatment groups. Research instrument The research instrument contained two independent scenarios relating to external auditors reliance on the work of internal audit. This paper reports only the results of the second scenario[2]. The instrument was divided into three parts, together with an instruction sheet. Parts A and B comprised the rst and second scenarios, respectively, each followed by a series of questions. The third part of the instrument contained some questions relating to the participants background. The instrument was tested using a group of nal year auditing students, a number of academics with auditing experience and four audit practitioners. This testing conrmed the strength of the manipulations. However, as we did not conduct the experiment in a controlled environment, we omitted specic manipulation checks in order to minimise the likelihood of demand effects. Participants Participants in the study consisted of 66 partners, managers and seniors from external audit rms in Australia. All participants were required to have experience with clients with internal audit functions. Contact was made with an audit partner from the Big Four and two mid-tier accounting rms in ve major Australian cities to engage their support. The partners agreed to distribute copies of the instrument to colleagues with the required experience. Responses were mailed directly to the researchers in a reply-paid envelope. A total of 98 instruments were distributed, with 66 usable responses being received, giving a response rate of 67 percent. Table I presents a summary of the biographical details of the participants. While the mid-tier rms agreed to participate, only four responses were received from these rms, owing to a lack of experience with clients with internal audit functions[3]. Almost, 70 percent of participants hold the rank of manager or partner. Approximately, 58 percent are males and just over half are 30 years of age or less. The mean years of experience are slightly more than ten, ranging from a minimum of two years to a maximum of 36 years. The number of clients with internal audit functions averaged four, with a range from one to 12. Differences in responses due to rm, rank, age, gender and experience were tested using analyses of variance (ANOVA) and co-variance (ANCOVA). These tests indicated that none of these factors impact our reported results. The scenario The scenario involved a regional bank that had been listed for ten years and had been expanding its operations across Australia. The two extreme versions of the scenario are shown in the Appendix. Participants were rst provided with some background information relating to the banks assets and protability. Details of the audit committee indicated that it complied with the ASX Corporate Governance Principles concerning independence and expertise and that it met six times per year. The committee approved the internal audit program before the start of the year and reviewed the internal audit reports at each meeting. The internal audit function comprised 16 staff, most of whom were qualied IA or systems auditors. The CAE was a Certied Internal Auditor with almost ten years experience in the banking industry. He was particularly

Reliance on internal auditing

471

MAJ 26,6

No. Category of rm Big Four Middle tier Position Partner Manager Senior Gender Male Female Age group 21-30 31-40 Over 40 Years of experience Number of clients with internal audit 62 4 17 29 20 38 28 34 19 13 Mean 10.8 4.0

% 93.9 6.1 25.8 43.9 30.3 57.6 42.4 51.5 28.8 19.7 Maximum 36.0 12

472

Table I. Biographic information of participants

SD 8.0 2.0

Minimum 2.0 1

knowledgeable about compliance issues and the regulatory environment in which the bank operated. Approximately 60 percent of internal audit time was devoted to assurance work (including internal controls, risk management and nancial reporting activities) and 30 percent to compliance work. The remaining 10 percent of the time was spent on special projects. This description was designed to indicate an internal audit function that the external auditors would assess to be competent and well resourced. Participants were told that their rm had recently been appointed as auditor and the clients management had expressed a desire for a close working relationship between external and internal audit. This would involve the exchange of audit plans, programs, ndings and reports. The rm had also been asked to consider the extent to which the audit team could rely on the work of internal audit. Independent variables The rst independent variable involves internal audits reporting relationship with the audit committee. In the strong relationship condition, the CAE had a direct reporting line to the chairman of the audit committee. He met with the chairman regularly on a private basis and attended and reported at all audit committee meetings. In the weaker condition, the CAE reported to the CEO. He attended audit committee meetings along with other members of senior management. While the committee could request private meetings with the CAE, no such meetings had been held. The second independent variable is the strength of the clients business risk environment. In the strong condition, the senior management of the bank was described as being very stable, with the current CEO holding the position for ten years. Net prot had increased 6 percent over last year, with an average increase of 8 percent over the last ve years and the bank had been steadily growing its market share. The bank appeared to have strong risk management and internal control systems in place and had developed a sound reputation with regard to its electronic-banking technologies. In the weaker condition, there had been a number of changes to the senior management team over the last two years, and the current CEO had held the position for nine months.

Net prot had decreased 10 percent over last year although it had averaged an increase of 6 percent over the last ve years. Market share had been growing until a setback last year. This was due to two scandals with respect to electronic-banking fraud which damaged the banks reputation and led to the resignation of the former CEO. The bank appeared to be taking steps to strengthen its risk management and internal control systems and had made some progress in rebuilding its reputation with regard to its electronic-banking technologies. However, it would be some time before the bank regained the market share it had lost as a result of the scandals. Dependent variables Participants were rst asked to provide preliminary assessments of the extent to which they would be prepared to rely on work already undertaken by internal audit. This question was divided into two parts, the rst relating to the evaluation of internal nancial controls and the second with respect to substantive tests of account balances. They were then asked to provide similar assessments of the extent to which they would be prepared to utilise internal audit to assist in performing audit tasks, again divided into control evaluation tasks and substantive tests of balances. For all questions, an 11-point scale was provided, with end points of 0 (to a very limited extent) and 10 (to a very great extent). 4. Results H1a and H2a predict that external auditors are more willing to rely on work already undertaken by internal audit when internal audit has a strong reporting relationship with the audit committee and when the clients business risk environment is strong. Results are reported in Table II where Panel A shows that external auditors are more willing to rely on control evaluation work than on substantive testing. The means for control evaluation range from a low of 3.89 in the weaker reporting relationship/weaker business risk environment treatment to a high of 7.13 in the strong reporting relationship/strong business risk environment treatment. The main effects of the two independent variables are highly signicant ( p # 0.004). The substantive testing means range from 2.89 in the weaker reporting relationship/weaker business risk environment treatment group to 4.40 in the strong reporting relationship/strong business risk environment group. The business risk environment manipulation is marginally signicant ( p 0.097) while the reporting relationship manipulation is not signicant. Overall, these results provide support for H1a and H2a, particularly with respect to relying on control evaluation work. However, the interaction effects between the two independent variables for both control evaluation and substantive testing are not signicant ( p 0.922 and p 0.434, respectively). H1b and H2b predict that the internal audit functions relationship with the audit committee and the strength of the clients business risk environment inuence external auditors use of IA as assistants. Table III reports the test results for these hypotheses. Panel A shows the means across the treatment groups for both control evaluation work and substantive testing of balances. For control evaluation, the means range from 4.17 for the weaker reporting relationship/weaker business risk environment treatment to 6.73 for the strong reporting relationship/strong business risk environment treatment. For substantive testing, the means for the same treatment groups range from 3.06 to 5.53. Panel B shows the results of the ANOVA tests. The main effects of the two independent variables are signicant at p 0.026 for control evaluation and p 0.049

Reliance on internal auditing

473

MAJ 26,6

Evaluation of internal controls

Substantive testing of balances

474

Table II. The impact of audit committee reporting relationship and client risk environment on external auditors reliance on work already undertaken by internal audit

Panel A: means a (SD) and cell sizes Stronger risk Weaker risk Stronger risk Weaker risk environment environment Overall environment environment Overall Strong AC 7.13 (1.88) 5.44 (2.61) 6.26 (2.41) 4.40 (3.02) 4.25 (2.38) 4.32 (2.66) relationship n 15 n 16 n 31 n 15 n 16 n 31 Weaker AC 5.47 (2.27) 3.89 (2.52) 4.66 (2.50) 4.06 (2.90) 2.89 (2.17) 3.46 (2.58) relationship n 17 n 18 n 35 n 17 n 18 n 35 Overall 6.25 (2.23) 4.62 (2.64) 5.41 (2.57) 4.22 (2.92) 3.53 (2.34) 3.86 (2.63) n 32 n 34 n 66 n 32 n 34 n 66 Panel B: analysis of variance b Source of variation Mean square F p-value Mean square F p-valueb Strength of AC relationship (AC) 44.108 8.004 0.003 7.154 1.038 0.156 Strength of risk environment (RE) 42.344 7.684 0.004 11.898 1.726 0.097 AC RE 0.053 0.010 0.922 4.271 0.620 0.434 Notes: a11-point scale (0 to a very limited extent and 10 to a very great extent); bone-tailed where direction predicted

Evaluation of internal controls

a

Substantive testing of balances

Table III. The impact of audit committee reporting relationship and client risk environment on external auditors use of internal audit as assistants

Panel A: means (SD) and cell sizes Stronger risk Weaker risk Stronger risk Weaker risk environment environment Overall environment environment Overall Strong AC 6.73 (2.19) 5.25 (2.93) 5.97 (2.66) 5.53 (3.14) 4.19 (2.66) 4.84 (2.93) relationship n 15 n 16 n 31 n 15 n 16 n 31 Weaker AC 5.35 (2.42) 4.17 (2.45) 4.74 (2.48) 4.35 (3.12) 3.06 (2.15) 3.69 (2.71) relationship n 17 n 18 n 35 n 17 n 18 n 35 6.00 (2.38) 4.68 (2.71) 5.32 (2.62) 4.91 (3.14) 3.59 (2.44) 4.23 (2.93) Overall n 32 n 34 n 66 n 32 n 34 n 66 Panel B: analysis of variance Source of variation Mean square F p-valueb Mean square F p-valueb Strength of AC relationship (AC) 24.923 3.939 0.026 21.954 2.842 0.049 Strength of risk environment (RE) 29.263 4.625 0.018 28.687 3.713 0.030 AC RE 0.362 0.057 0.812 0.010 0.001 0.972 Notes: a11-point scale (0 to a very limited extent and 10 to a very great extent); bone-tailed where direction predicted

for substantive tests of balances, indicating that external auditors are more willing to use IA as assistants both when internal audit has a close reporting relationship with the audit committee and when the clients business risk environment is strong. Thus, H1b and H2b are both supported. Again, there are no signicant interaction effects between the independent variables for both control evaluation and substantive testing ( p 0.812 and p 0.972, respectively).

Overall, our results demonstrate the importance of the two factors manipulated in this scenario on external auditors reliance on internal audit work. With respect to the impact of internal audits relationship with the audit committee, we have noted that the results of prior studies have been mixed. While our ndings are not directly comparable with these studies, it appears that external auditors in the current governance environment recognise that reporting and having private access to the audit committee strengthens internal audit objectivity. Furthermore, the results for our business risk manipulation are consistent with studies that have considered the impact of global factors such as management integrity and corporate governance on other audit planning decisions. To answer RQ, none of the interaction effects are signicant. Hence, the results indicate that the impact of these factors is additive rather than interactive. External auditor reliance on internal audit is greatest when internal audit has a strong reporting relationship with the audit committee and when the clients business risk control environment is strong. This applies both to work already undertaken by internal audit and to utilising IA as assistants. We also performed paired sample t-tests to test for differences between our results with respect to control evaluation compared to substantive tests of balances and between reliance on work already undertaken by internal audit and using IA as assistants. Results of these tests are reported in Table IV. Panel A of this table shows that, for both reliance on work already undertaken by internal audit and for using IA as assistants, the differences between control evaluation tasks and substantive testing are highly signicant ( p # 0.001), with external auditors relying more on control evaluation tasks. Panel B shows that no signicant differences are found between reliance on work already undertaken and using IA as assistants for both control evaluation tasks and substantive testing. These ndings are consistent with those reported in Munro and Stewart (2010). 5. Conclusion This study examines two factors that may inuence external auditors reliance on the work of internal audit in the current governance environment. The strength of both internal audits reporting relationship with the audit committee and the clients business risk environment signicantly impact reliance decisions with respect to both internal control evaluations and substantive tests of balances.
Panel A: control evaluation compared to substantive testing Overall mean Substantive Mean paired Paired sample Overall mean testing difference t-test p-value Control evaluation Work already undertaken 5.41 3.86 1.55 4.738 0.000 Using IA as assistants 5.32 4.23 1.09 3.440 0.001 Panel B: reliance on work already undertaken compared to using IA as assistants Overall mean Overall mean Using IA as Mean paired Paired sample Work already Assistants difference t-test p-value undertaken Control evaluation 5.41 5.32 0.09 0.469 0.641 Substantive testing 3.86 4.23 20.37 21.509 0.136

Reliance on internal auditing

475

Table IV. Differences between control evaluation and substantive testing and between reliance on work already undertaken and using internal auditors (IA) as assistants

MAJ 26,6

476

There are a number of limitations of our study which should be borne in mind when interpreting these ndings. Our sample size is relatively small and, as with all experimental designs, the ndings of our study may not be generalisable to other populations. We did not include manipulation checks in the instrument to avoid the possibility of demand effects in an experiment that was undertaken in an uncontrolled environment. While our preliminary testing was designed to conrm the strength of our manipulations, we cannot be certain that all participants interpreted the manipulations as intended. Finally, we acknowledge that the manipulations of our independent variables involve more than one aspect and hence it is not possible to isolate which aspects are driving the signicant results. Our audit committee reporting relationship variable manipulates both reporting line and the privacy of meetings. This was designed to reect realism as it is unlikely that a CAE who reports directly to the audit committee would not also have private access to the committee. Our second manipulation builds a story of either a strong business risk environment or a weak one, and again, for realism purposes, it is a multi-faceted construct including protability, management stability and risk and control systems. However, we note that multi-faceted constructs have been used in other studies that measure global factors such as corporate governance strength, management integrity, management control philosophy and board roles (Kizirian et al., 2005; Beaulieu, 2001; Cohen and Hanno, 2000; Cohen et al., 2007). As in all studies of this nature, identifying which aspects of our constructs are driving results is an avenue for further research. In spite of these limitations, our results have important implications for regulators and others concerned with the role of audit in corporate governance. The need for strong governance has led to increasing costs of compliance and hence determining the most efcient and effective balance between internal and external auditing remains a challenge. The present study highlights factors that can affect external auditors reliance on internal audit work in the current governance environment. A strong reporting relationship and regular private meetings with the audit committee strengthen the willingness of external auditors to rely on internal audit work. Furthermore, other aspects of governance such as the overall business risk environment have a signicant impact on external auditors reliance decisions. These ndings are important for businesses seeking to obtain a cost-effective integration of internal and external audit without compromising audit quality. Further research could be undertaken to examine the impact on reliance decisions of other aspects of the factors explored in this study. For example, with regard to internal audits reporting relationship with the audit committee, studies could examine whether the characteristics of the audit committee inuence external auditors perceptions of internal audit objectivity and hence their reliance decisions. In addition, the impact on reliance decisions of other aspects of the business risk environment could be explored. Our study has focused primarily on internal factors associated with protability, management stability and risk and control systems and therefore there are opportunities to examine external factors such as competition, market growth and regulatory requirements (Gay and Simnett, 2010). The impact of these factors could be captured by manipulating the industry in which the client operates. In addition, auditors assessments of audit risk are likely to be impacted by their business risk assessment and hence, inherent and control risk assessments could act as intervening variables in the external audit reliance decision. Path analysis could be used to explore these

relationships in greater depth. Finally, as noted, further dissection of both independent variables could provide insights into those facets which are more likely to impact external auditors decisions to rely on internal audit work.
Notes 1. It should be noted that we conducted two experiments in a single research study. The present paper reports the results of only one of these experiments. The other experiment examined the impact of sourcing arrangements (in-house versus outsourced internal audit activities) and internal audits consulting role on external auditors reliance decisions. The results of this experiment are reported in Munro and Stewart (2010). 2. As noted, the results of the rst scenario are reported in Munro and Stewart (2010). The manipulations for that scenario were internal audit outsourcing and internal audits consulting role. To reduce the risk of confounding effects, the four versions of one scenario were randomly mixed with the four versions of the other. This resulted in 16 versions of the instrument. Importantly, it should be noted that we did not change the order of the two scenarios and hence there are no order effects to consider. 3. Qualitatively, similar results are obtained when these four respondents are omitted from the sample. References Abdel-Khalik, A.R., Snowball, D. and Wragge, J.H. (1983), The effects of certain internal audit variables on the planning of external audit programs, The Accounting Review, Vol. 58 No. 2, pp. 215-27. AICPA (2010), AU section 322, The Auditors Consideration of the Internal Audit Function in an Audit of Financial Statements, American Institute of Certied Public Accountants, available at: www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/ AU-00322.pdf (accessed 2 November 2010). Allen, R.D., Hermanson, D.S., Kozloski, T.M. and Ramsay, R.J. (2006), Auditor risk assessment: insights from the academic literature, Accounting Horizons, Vol. 20 No. 2, pp. 157-77. ASA 315 (2009), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, Auditing and Assurance Standards Board (AUASB), available at: www.auasb.gov.au/admin/le/content102/c3/ASA_315_27-10-09. pdf (accessed 2 November 2010). ASA 610 (2009), Using the Work of Internal Auditors, Auditing and Assurance Standards Board (AUASB), available at: www.auasb.gov.au/admin/le/content102/c3/ASA_610_27-10-09. pdf (accessed 2 November 2010). ASX (2010), Corporate Governance Principles with 2010 Amendments, 2nd ed., Australian Securities Exchange (ASX) Corporate Governance Council, available at: www.asx.com.au/about/pdf/ cg_principles_recommendations_with_2010_amendments.pdf (accessed 2 November 2010). Beaulieu, P.R. (2001), The effects of judgments of new clients integrity upon risk judgments, audit evidence, and fees, Auditing: A Journal of Practice & Theory, Vol. 20 No. 2, pp. 85-99. Bedard, J.C. and Johnstone, K.M. (2004), Earnings manipulation risk, corporate governance risk, and auditors planning and pricing decisions, The Accounting Review, Vol. 79 No. 2, pp. 277-304. Bell, T.B., Marrs, F.O., Solomon, I. and Thomas, H. (1997), Auditing Organisations through a Strategic-systems Lens: The KPMG Business Measurement Process, KPMG, New York, NY.

Reliance on internal auditing

477

MAJ 26,6

478

Braiotta, L. (2004), The Audit Committee Handbook, 4th ed., Wiley, New York, NY. Brown, P.R. (1983), Independent auditor judgement in the evaluation of the internal audit function, Journal of Accounting Research, Vol. 21 No. 2, pp. 444-55. Clark, M.W., Gibbs, T.E. and Schroeder, R.G. (1980), Evaluating internal audit departments under SAS No. 9: criteria for judging competence, objectivity, and performance, The Woman CPA, Vol. 22, July, pp. 8-11. Cohen, J.R. and Hanno, D.M. (2000), Auditors consideration of corporate governance and management control philosophy in preplanning and planning judgements, Auditing: A Journal of Practice & Theory, Vol. 19 No. 2, pp. 133-46. Cohen, J.G., Krishnamoorthy, G. and Wright, A. (2004), The corporate governance mosaic and nancial reporting quality, Journal of Accounting Literature, Vol. 23, pp. 87-152. Cohen, J.G., Krishnamoorthy, G. and Wright, A. (2007), The impact of roles of the board on auditors risk assessments and program planning decisions, Auditing: A Journal of Practice & Theory, Vol. 26 No. 1, pp. 91-112. Ernst & Young (2006), Trends in Australian and New Zealand internal auditing, Third Annual Benchmarking Survey 2006, Ernst & Young, Sydney. Felix, W., Gramling, A. and Maletta, M. (2001), The contribution of internal audit as a determinant of external audit fees and factors inuencing this contribution, Journal of Accounting Research, Vol. 22 No. 1, pp. 31-53. Gay, G. and Simnett, R. (2010), Auditing and Assurance Services in Australia, McGraw-Hill, Sydney. Glover, S.M., Prawitt, D.F. and Wood, D.A. (2008), Internal audit sourcing arrangement and the external auditors reliance decision, Contemporary Accounting Research, Vol. 25 No. 1, pp. 193-213. Goodwin, J. (2003), The relationship between the audit committee and the internal audit function: evidence from Australia and New Zealand, International Journal of Auditing, Vol. 7 No. 3, pp. 263-78. Goodwin, J. and Yeo, T.Y. (2001), Two factors affecting internal audit independence and objectivity: evidence from Singapore, International Journal of Auditing, Vol. 5 No. 2, pp. 107-25. Gramling, A., Maletta, M., Schneider, A. and Church, B. (2004), The role of the internal audit function in corporate governance: a synthesis of the extant internal auditing literature and directions for future research, Journal of Accounting Literature, Vol. 23, pp. 194-244. Grant, C.T., Park, N. and Wheeler, S.W. (2009), Non audit, external audit, and internal audit services in a post-SOX world, Internal Auditing, Vol. 24 No. 1, pp. 28-35. Hanno, D.M. and Agoglia, C. (1999), The relative importance of corporate governance characteristics: an audit perspective, International Journal of Business Studies, Vol. 7 No. 2, pp. 1-14. IIA (2002), Practice Advisory 2060-2: Relationship with the Audit Committee, The Institute of Internal Auditors, Altamonte Springs, FL. IIA (2009), International Professional Practices Framework (IPPF), The Institute of Internal Auditors Research Foundation, Altamonte Springs, FL, available at: www.iia.org.au/ AboutIIA/defnoa.html (accessed February 2011). ISA 315 (2010), International Standard on Auditing 315: Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment, available at: www.ifac.org/download/a017-2010-iaasb-handbook-isa-315.pdf (accessed 22 November 2010).

ISA 610 (2010), International Standard on Auditing 610: Using the Work of Internal Auditors, available at: www.ifac.org/download/a034-2010-iaasb-handbook-isa-610.pdf (accessed 22 November 2010). James, K. (2003), The effects of internal audit structure on perceived nancial statement fraud prevention, Accounting Horizons, Vol. 17 No. 4, pp. 315-27. Kizirian, T.G., Mayhew, B.W. and Sneathen, L.D. Jr (2005), The impact of management integrity on audit planning and evidence, Auditing: A Journal of Practice & Theory, Vol. 24 No. 2, pp. 49-67. Krishnamoorthy, G. (1994), External auditors evaluations of internal audit work: a cascaded inference approach, unpublished PhD thesis, University of Southern California, Los Angeles, CA. Maletta, M. (1993), An examination of auditors decisions to use internal auditors as assistants: the effect of inherent risk, Contemporary Accounting Research, Vol. 9 No. 2, pp. 508-25. Maletta, M. and Kida, T. (1993), The effect of risk factors on auditors congural information processing, The Accounting Review, Vol. 68 No. 3, pp. 681-91. Margheim, L. (1986), Further evidence on external auditors reliance on internal audit, Journal of Accounting Research, Vol. 24 No. 1, pp. 194-205. Margheim, L. and Label, W. (1990), External auditor reliance on internal auditors when audit risk is high: some empirical ndings, Advances in Accounting, Vol. 8, pp. 293-311. Messier, W.F. Jr and Schneider, A. (1988), A hierarchical approach to the external auditors evaluation of the internal auditing function, Contemporary Accounting Research, Vol. 4 No. 2, pp. 337-53. Mills, T.Y. (1996), The effect of cognitive style on external auditors reliance decisions on internal audit functions, Behavioral Research in Accounting, Vol. 8, pp. 49-73. Munro, L. and Stewart, J. (2010), External auditors reliance on internal audit: the impact of sourcing arrangements and consulting activities, Accounting and Finance, Vol. 50 No. 2, pp. 371-87. PCAOB (2010), Auditing Standard No. 5 An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements, Public Company Accounting Oversight Board, available at: www.pcaobus.org/Standards/Auditing/Pages/Auditing_ Standard_5.aspx (accessed 2 November 2010). Scarbrough, D.P., Rama, D.V. and Raghunandan, K. (1998), Audit committee composition and interaction with internal auditing: Canadian evidence, Accounting Horizons, Vol. 12 No. 1, pp. 51-62. Schneider, A. (1984), Modelling external auditors evaluations of internal auditing, Journal of Accounting Research, Vol. 22 No. 2, pp. 657-78. Schneider, A. (1985), The reliance of external auditors on the internal audit function, Journal of Accounting Research, Vol. 23 No. 2, pp. 911-19. Schneider, A. (2009), The nature, impact and facilitation of external auditor reliance on internal auditing, Academy of Accounting and Financial Studies Journal, Vol. 13 No. 4, pp. 41-53. Treadway Commission (1987), Report of the National Commission on Fraudulent Financial Reporting, National Commission on Fraudulent Financial Reporting, Geneva. United States Congress (2002), Sarbanes-Oxley Act, Public Law 107-204, 107th Cong., 2nd Sess., GPO, Washington, DC. Whittington, R. and Margheim, L. (1993), The effects of risk, materiality, and assertion subjectivity on external auditors reliance on internal auditors, Auditing: A Journal of Practice & Theory, Vol. 12 No. 1, pp. 50-64.

Reliance on internal auditing

479

MAJ 26,6

480

Appendix Strong relationship with the audit committee and strong business risk environment Morningside Bank Ltd is a regional bank that has been listed on the ASX for ten years. It has started expanding its operations into all states of Australia and has been steadily growing its market share. The bank has total assets of $10 billion and total liabilities of $9.5 billion. Net prot for the last nancial year amounted to $70 million. This represents an increase of 6 percent over last year and an average increase of 8 percent over the last ve years. Senior management of the bank has been very stable and the current CEO has held the position for ten years. The bank appears to have strong risk management and internal control systems in place and has developed a sound reputation with regard to its electronic-banking technologies. The audit committee meets the ASX corporate governance guidelines concerning independence and nancial literacy of its members. One member is a qualied accountant with banking experience. The committee has six meetings per year. The audit committee approves the internal audit program before the start of the year and reviews the internal audit reports at each meeting. The internal audit function is comprised of 16 staff, most of whom are qualied IA or systems auditors. The chief internal auditor (CIA) is a Certied Internal Auditor with almost ten years experience in the banking industry. He is particularly knowledgeable about compliance issues and the regulatory environment in which the bank operates. Approximately 60 percent of internal audit time is devoted to assurance work (including internal controls, risk management and nancial reporting activities) and 30 percent to compliance work. The remaining 10 percent of time is spent on special projects. The CIA has a direct reporting line to the chairman of the audit committee. He meets with the chairman regularly on a private basis and attends and reports at all audit committee meetings. The internal audit budget is $2.5 million. Your rm has recently been appointed as auditor of the bank. The CEO has expressed a desire for a close working relationship between yourselves and internal audit. This goal has the support of the audit committee and your rm has been asked to collaborate with the CIA to develop an integrated audit planning process. This would involve the exchange of audit plans, programs, ndings and reports. The rm has also been asked to consider the extent to which the audit team can rely on the work of internal audit. The external audit fee would be approximately $500,000 with no reliance on the work of internal audit. Assume you are the audit supervisor for this audit. The partner in charge of the audit has asked you to make a preliminary assessment of internal audit and its effect on the external audit. You have examined the internal audit manuals and working papers for the last two years. You are happy that due professional care has been taken by internal audit staff. Weaker relationship with the audit committee and weaker business risk environment Morningside Bank Ltd is a regional bank that has been listed on the ASX for ten years. It has started expanding its operations into all states of Australia and, until a setback last year, has been steadily growing its market share. The bank has total assets of $10 billion and total liabilities of $9.5 billion. Net prot for the last nancial year amounted to $70 million. This represents a decrease of 10 percent over last year but an average increase of 6 percent over the last ve years. There have been a number of changes to the senior management team over the last two years, and the current CEO has held the position for nine months. The setback in market share last year was due to two scandals with respect to electronic-banking fraud which damaged the banks reputation and led to the resignation of the former CEO. The bank appears to be taking steps to strengthen its risk management and internal control systems and has made some progress in rebuilding its reputation with regard to its electronic-banking technologies. However, it will be some time before the bank regains the market share it lost as a result of the scandals. The audit committee meets the ASX corporate governance guidelines concerning independence and nancial literacy of its members. One member is a qualied accountant with banking experience. The committee has six meetings per year. The audit committee

approves the internal audit program before the start of the year and reviews the internal audit reports at each meeting. The internal audit function is comprised of 16 staff, most of whom are qualied IA or systems auditors. The CIA is a Certied Internal Auditor with almost ten years experience in the banking industry. He is particularly knowledgeable about compliance issues and the regulatory environment in which the bank operates. Approximately 60 percent of internal audit time is devoted to assurance work (including internal controls, risk management and nancial reporting activities) and 30 percent to compliance work. The remaining 10 percent of time is spent on special projects. The CIA reports to the CEO. He attends audit committee meetings along with other members of senior management. While the committee can request private meetings with the CIA, no such meetings have been held. The internal audit budget is $2.5 million. Your rm [. . .] (identical to previous scenario).

Reliance on internal auditing

481

Corresponding author Lois Munro can be contacted at: l.munro@qut.edu.au

To purchase reprints of this article please e-mail: reprints@emeraldinsight.com Or visit our web site for further details: www.emeraldinsight.com/reprints