INTERNAL AUDITORS AND INDEPENDENCE: AN AGENCY …ceebi.curtin.edu.au/local/docs/5.VanPeursem.pdf · INTERNAL AUDITORS AND INDEPENDENCE: AN AGENCY LENS ON ... internal auditor is expected

K. Van Peursem, L.D. Pumphrey/FRRaG (Financial Reporting, Regulation and Governance) 2005, 4:2

INTERNAL AUDITORS AND INDEPENDENCE: AN AGENCY LENS ON CORPORATE PRACTICE

Karen Van Peursem, PhD, CA, CPA Department of Accounting The University of Waikato

New Zealand

Lela D. “Kitty” Pumphrey, CIA, PhD, CPA Department of Accounting

Idaho State University U.S.A.

ABSTRACT

This paper draws on relational governance and agency theory to evaluate the relationships between internal auditors and work associates. This is an important topic because the internal auditor is expected to monitor and report on information quality and their relationships within the organisation may or may not contribute to this purpose. The method employed was to analyse speech acts from interviews with practising, senior internal auditors. Findings indicate that the internal auditor acts as an 'agent' and ‘monitor’ for a variety of issues and to various ‘principals’, and that there is a risk that a conflation of roles between the internal auditor and senior management could occur. Conclusions are drawn as to the implications of these dilemmas for their independence. We also conclude with suggestions for further research including replication in other contexts and quantitative studies to explore the effects of gender, regulatory differences, age of audit division and experience. Key words: Internal auditors, Agency theory, Relational governance, Independence


1

Introduction

Recent problems at well-known major corporations such as Enron, Tyco, WorldCom and

Parmalat have cost shareholders, employees and the market, as a whole, billions of dollars.

As a result, market regulators, accountants and audit professionals have come under intense

scrutiny for questionable reporting practices that have led to or exacerbated these problems.

The perceived, and often very real, shortcomings of a lightly regulated free market have

given rise to a public demand for more information about the efficiency, management, risk

assurance and governance of organisations.

These are activities of concern to internal as well as to external auditors, and thus the

importance of the internal auditor’s role has come to be recognised in new legislation and

standards around the globe. In the U.S., the influential Sarbanes-Oxley Act 2002, which has

inspired greater accountability worldwide (see Ellis, 2004; Chan, 2004), effectively transfers

U.S. audit standard setting responsibilities from the accounting profession to the Federal

Government. In addition, it redefines auditor independence and, significantly for internal

auditors, requires corporate evaluation and reporting of internal controls. In Australia,

CLERP 9 (Corporate Law Economic Reform Program), which became effective from 1 July

2004, addresses similar concerns by requiring an auditor’s independence declaration and, in

general, by expanding the responsibilities of the Financial Reporting Council (FRC). The

Australian Stock Exchange (ASX) also became involved as its Corporate Governance

Council developed principles and practices of ‘best’ corporate governance resulting in

further company disclosure requirements about their internal practices (Hamilton, 2003).

These actions were motivated in part in Australia by the federally-commissioned Ramsay

Report of 2001 (Priest, 2002).


2

Similar patterns exist elsewhere. In Canada, the Canadian Securities Administration and the

Canadian accounting professional body are also requiring more disclosure on internal

controls (Anonymous, 2004a; Spira and Page, 2002, p. 648). The UK Accounting Standards

Board (ASB) has expressed concern with operational events since the Cadbury Report

(1992) and carry on with, for example, the Turnbull Reports (Anonymous, 2004b, Vinten,

2001). Overall, the eyes of the public are more firmly fixed on the functions traditionally

associated with internal audit activity and how those auditors convey that information to

their governing authority. The need for an ethical, reasonably independent and competent

internal, as well as external, auditor is thus affirmed.

The internal auditor’s role is generally seen to involve oversight and monitoring. The

internal auditor may be instrumental in guiding and evaluating the economy, efficiency and

effectiveness of an organisation’s operations and systems, and will be normally accountable

to a governing body (COSO, 2003). It is important, therefore, that the internal auditor be

reasonably independent of management as well as be able to work alongside them.

Internal auditors may not always be in a strong position to do so, however (see Al-Twaijry,

Brierley and Gwilliam, 2004; Glasscock, 2002). An Australian survey concluded, for

example, that internal auditors may not be seen as a ‘true profession’ by all, including some

of their own corporate managers (Cooper, Leung and Mathews, 1994). This can result in

less value being attributed to their services or to their views than those of so-called

‘external’ auditors. An internal audit position is seen by many as little more than a corporate

training ground for managers (Cooper, Leung and Mathews, 1994; Goodwin and Yeo,

2001). Brody and Lowe (2000) found it likely that, as a result, internal auditors will become

more involved with top management as consultants rather than as independent assessors.


3

While maintaining good relationships with managers is important in order for internal

auditors to be effective in carrying out their day-to-day activities, their reporting lines to

company directors and to audit committees are also important (see Vanasco, 1996; McCall,

2002). This relationship can be impaired if the internal auditor is not sufficiently

independent of the activities which they, themselves, are monitoring or if the governing

authority is, itself, not one that listens or responds to the issues they raise. The roles of the

internal auditor can become conflated as they try to contribute to control systems and

management processes while at the same time independently report to company directors.

Audit committees, particularly those that include outside directors, assist the internal

auditors in this regard as their presence and involvement are seen to enhance auditor

independence (Spira and Page, 2003; Vanasco, 1996, pp. 14-15; Goodwin and Yeo, 2001).

In order to be in a position to be 'heard', having an independent audit committee may help.

A recent study also indicates that forming, or having the right to form, collegial relationships

with members of the board and senior management is also important toward reaching this

goal (Van Peursem, 2004). This study is concerned with the independence aspect of the

internal auditor’s role, with the potential conflation of their roles and with the nature of the

relationships they form in the workplace. The aim of this paper is to evaluate the

independence implications of the workplace relationships internal auditors enjoy.

Summary of Principal Findings

Leung, Cooper and Robertson (2004) found in their study of Australian chief audit

executives that accountability practices and relationships between internal auditors vary.

We come to some similar findings in New Zealand from an agency perspective, and we find


4

that these internal auditors are obligated to a variety of individuals and for a variety of

purposes. It may be difficult for internal auditors to distinguish between these roles. This is

the crux of their dilemma in an environment in which they are expected to report

independently as well as support management. Nonetheless, our findings do point to some

useful distinctions and practices that, in the better situations, may inform us all.

Background

Relational governance is an important, underlying and normative concept applied to express

the potential benefits from having reasonably-independent relationships between internal

auditors and workplace others. Agency theory is an important financial economic

perspective on personal motivation. Together, they are used here to express how these

relationships are negotiated in the New Zealand context.

Relational Governance

Organisational governance has traditionally been equated with organisational control,

influencing managers and staff to assure their actions serve organisational purposes. Those

in this field may refer to patterns of authority that determine the allocation of organisational

resources and which define the alignments of organisational interests (Daily, Dalton and

Canella, 2003; Sundaramurthy and Lewis, 2003). The purpose underlying such control,

monitoring, and alignment functions of governance is to achieve broad organisational goals.

This may be done through social integration that coordinates the responsibilities and actions

of interdependent actors. Governance, as social integration, implies that managers work

within relationships to integrate work responsibilities, foster internalisation of organisational


5

goals and create intrinsic commitment to collective organisational interests.

(Sundaramaurthy and Lewis, 2003). Such practice essentially substitutes a social and

relational form of governance for a bureaucratic understanding of governance that is based

on control and hierarchy (McGinnis, Pumphrey, Trimmer and Wiggins, 2004).

An internal auditor also uses collaboration and social relationships to help align goals and to

improve intraorganisational integration (Van Peursem, 2004). Examining patterns of social

relations, as undertaken in the present study, is particularly useful, therefore, for explaining

internal operations and their potential (McGinnis et al. 2004). Studies on relational

governance thus give us reason to believe that the internal auditor’s relationships with

managers, board members and others matter to help ensure effective corporate governance.

Agency Theory Applied

We will be using the principles of agency theory to evaluate these relationships. Applying a

financial-economics-based theory such as ‘agency’ is of value both to understand an aspect

of organisational practice, and to influence the manner in which management plans,

establishes and maintains control systems (San Miguel, 2002). Though not widely applied

to internal audit, agency theory has been suggested as a useful basis to analyse why some

organisations have internal audit departments and others do not, to examine how

organisational change affects internal audit departments and to evaluate how or why internal

audit departments vary in the way they do (Adams, 1994). Agency theory has been applied

to determine why some public accountants contract for internal auditing (Caplan and

Kirschenheiter, 2000) and to examine moral hazards within management systems of

different cultures (Ekanayake, 2004; Evans, 2003). There is clearly room for further


6

application. The issue of why internal audit departments vary is of concern here and, in

particular, there is an interest in whether agency theory may be able to help explain the

relationships between internal auditors and others (see Van Peursem, 1995).

Jensen and Meckling (1976, p. 308), in their seminal work on agency theory, defined agency

as "a contract under which one or more (principals) engage another person (the agent) to

perform some service on their behalf which involves delegating some decision-making

authority to the agent". It has been applied to many economics-related disciplines including

finance (Thornton, 1985), accounting (Watts and Zimmerman, 1978; Ettridge, Simon, Smith

and Stone, 1994) and external financial audit (Wallace, 1985). The economics-driven model

shares assumptions that mark it as a distinct model of human motivation and behaviour.

These include the assumption that players will be rational, maximizing individuals who take

actions that serve their personal interests, irrespective of any moral guidelines to the

contrary (Thornton, 1985). Agency theory, in its purest (and efficient market) form, also

assumes that individuals will take into account all available information, rationally and

instantly, to make these decisions. Assumptions of an efficient market can be relaxed to

explain the importance of accounting practices and contracting services. In an imperfect

market for information, contracting with accountants, auditors and others becomes one

means of monitoring – and making visible – agency costs to principals who cannot know

everything at any one point in time (see for example, Watts and Zimmerman, 1986).

For managers, unacceptable activities such as 'shirking' their duties or realising unauthorised

perquisites (perks) are also rational behaviours which can only be (rationally) reduced

through incurring monitoring (agency) costs. Agency costs also include reductions in rents

(e.g., salary adjustments), bonding (such as insurance) or monitoring activities (such as


7

accounting or audit practices). Wallace (1985) brought these concepts firmly into the

external auditing realm, in particular with respect to audit's place as a monitoring cost.

We believe that a similar rationale could be used to explain the roles and relationships that

exist within an organisation, and which involve the internal auditor. Contracts can and,

using agency theory rationales, should be made to constrain self-serving managers on behalf

of shareholder principals. Agency costs – such as internal monitoring – will then be

incurred internally. The Sarbanes-Oxley Act 2002 provides an example of how the internal

auditor can be placed in a 'monitoring' position, not only to shareholder-owners but also by

requiring them to report to the public.

There are inherent challenges in relying on these ‘unmonitored’ monitors, however, because

auditors are, of course, subject to the same shirking and perk risks as are others. In the

public arena there are some, albeit imperfect, means to monitor (and control) auditor

activity. External auditors, for example, have had to pay a number of agency-type fees to

ensure the quality of their monitoring such as insurance premiums, court costs to defend

against claims of negligence and, of course, the costs of professional membership.

Such controls are not inherent to the internal auditor’s position. Generally controls over the

internal auditor’s behaviour are instituted through hiring and firing. Therefore, in a

managerial hegemony situation (where there is a weak board) the CEO is likely to be a very

powerful influence over the internal auditor. Moreover, if internal auditors hold themselves

up as managers-in-waiting, as their claims to consultancy activities would suggest, then the

matter is further complicated because they are also agents to managers and accountable for

the same behaviours to which managers are subject. This complex web creates an inherent


8

dilemma for the internal auditor: how can they carry out their monitoring role over

management when they are not subject to effective monitoring themselves? There are a

number of complex dilemmas, and we use agency theory to help evaluate them as these New

Zealand internal auditors describe their relationships with workplace others.

Method

The spotlight has only recently been placed on the independence of internal auditors, and

there is little in the literature as yet to suggest how they are responding to it. As such, this

work is an exploratory study of their understandings of those experiences and of their work

relationships. Therefore we found it appropriate to adopt a qualitative and exploratory

research approach.

The full transcripts from six extensive semi-structured interviews with senior internal

auditors at six diverse New Zealand organisations, and the researchers’ related observations

of the participants’ policies and worksites, form the basis for the analysis. We identified and

analysed each speech act, that is, each sentence or paragraph in which they described their

relationships with others. Ninety speech acts were identified in this way. Drawing on these

speech acts, we considered how and under what conditions their relationships could be

understood in terms of ‘monitoring costs’, ‘agent’ or ‘principal’ concepts. Two researchers

participated in this classification.

We gathered information about each organisation and had access to various documents they

used to explain their positions, procedures or measures. The interviews asked each of them,

among other things, how they dealt with others in the workplace. In particular, we asked


9

about how they communicated their ideas with middle managers, with staff, with their CEO

and board, and others with whom they dealt on a regular basis.

Semi-structured interviews, such as those used here, are valuable toward providing depth in

understanding particularly where, such as in this case, the researchers wish to know about

general topics (Fontana and Frey, 2003, pp 73-78). As this study is essentially one about the

participants’ view of their work ‘worlds’, including how they perceive their relationships,

the semi-structured format is appropriate (Collis and Hussey, 2003, p. 168). The interviews

were not totally open-ended because structuring the interview to some degree may improve

interview validity and help ensure that the interviews are conducted in the same way (see

Collis and Hussey, 2003, pp. 167-170; Arvey and Campion, 1982 in Wiesner and Cronshow,

1988).

We thus addressed potential reliability problems associated with qualitative research by

beginning with a fixed set of questions about the participants’ roles, activities, reporting

activities and workplace communications. To obtain the depth of understanding and

‘discovery’ that we desired we also encouraged the participants to speak freely. As a result,

the comments they made were followed up with questions beyond the ‘script’ in order to

discover ‘meanings’ using interview methods such as that described in the research methods

literature (see Zikmund, 2003, pp. 126-131; Collis and Hussey, 2003, pp. 167-170).

Obtaining access to an appropriate group can be difficult and, in some cases, participants

may have confidentiality concerns about such contacts (Collis and Hussey, 2003, pp. 168-

170). In this study, however, the interviews followed on from an earlier and extensive

survey of just under 300 respondents who were asked to express their willingness to be

interviewed. Obtaining appropriate participation was, therefore, not a problem. From the 20


10

or so who responded and who provided information to contact them, six were seen to be

appropriate because of the seniority they enjoyed and the variety of organisations they

represented. Confidentiality concerns were addressed through applying normal ethical

procedures and disclosures common to the researchers’ university practice.

Problems can emerge if participants do not ‘understand’ the issues or the questions in a

qualitative study, or are unable to convey their thoughts (Collis and Hussey, 2003, pp. 168-

169). To reduce the risk of this occurring, each question was explored in-depth and

interviews were recorded in their entirety so that the transcript could be reviewed to ensure a

reasonable interpretation. In addition, each participant was given an opportunity to review

the way in which we ‘understood’ and ‘classified’ their comments several weeks after the

last interview. Having two researchers to analyse the results also provided some

triangulation in the analysis process. Overall, these methods were used to ensure – to the

most reasonable extent – interview reliability and an appropriate interpretation of the

participants’ thoughts.

These internal auditors were from different types and sizes of organisations and enjoyed

various professional and career backgrounds despite their common IIA membership. We

attempted to look at a wide range, rather than a large number, of internal auditors to gather

an in-depth understanding of the New Zealand ‘case’. As many internal audit groups are

found to be within government organisations, and far fewer in the private sector, half of the

participants were selected from government organisations and all are introduced to the

reader below.

PS is the senior audit and assurance manager of a large internal audit division of a large

organisation. He has held similarly senior positions at other organisations overseas within


11

the internal audit profession itself. He also has an extensive professional accounting

background. His organisation employs over 1000 people throughout New Zealand and

contracts primarily to government. He has a large audit staff of 39, 17 of whom are in the

internal audit division (with the remainder in ‘fraud’). PS enjoys a direct line of

accountability to the board, nine of whom are outside appointees and executives.

PV is the internal audit manager of a large audit group within a major, listed New Zealand

manufacturing and service corporation. He manages a professional team of 16 internal

auditors. He has worked for 13 years within a private sector accounting firm with a

background and extensive senior experience in external audit. He has been a senior internal

auditor at his present organisation for six years. His team both consults and reports directly

to the audit committee of his governing board and to the CEO. They carry out a

combination of compliance and consultative projects for the organisation.

PA is an audit partner in a major international accounting firm. His department specifically

carries out internal audit contracts with and within a variety of organisations. PA’s expertise

is in technology audits and he leads a large, highly-specialised team which carries out

technology audits, risk management investigations, fraud investigations and external audit

support. All work in internal auditing is carried out through contractual arrangements and

the parties to whom they report depend upon the contractual conditions but are generally, in

name at least, governing bodies.

MI is the (acting) audit manager of three personnel in the internal audit group of a

government social distribution department. The department has approximately 1000

employees and about 20 separate offices throughout New Zealand and within six different

business groups. MI’s background is in the social sciences. She has internal audit training

but no accounting or auditing experience. (Only one member of her team of three, the


12

newest auditor, has a financial background.) She is relatively new to the internal audit role

having only been employed in that capacity in the last several years. MI has served four

different CEOs in that time and, as a result, there has been little support for, or consistency,

in internal audit practices. This audit group primarily carries out compliance audits on a

spot basis and based on areas perceived to be of high risk. Two of the divisions have their

own ‘auditors’ but they are only accountable internally to that division. MI’s original

interest in participating in the study was to ensure that we knew that 'accounting' was not

what they did. She is the only woman represented.

MD is the Corporate Assurance Officer for a large service-based government organisation.

As with MI’s situation, several divisions have their own ‘auditors’ who are not accountable

outside that division. MD’s audit group is small and is only two years old. Its existence is

owed to a recommendation from one of the major accounting firms. His professional

background and expertise is in information systems. He is a self-taught internal auditor who

both inspired and encouraged the leadership in his organisation, with whom he has been

affiliated for over twelve years, to form an internal audit division. He has drawn particular

attention to the risk in the payroll they manage. His group works closely with the central

government’s auditors (Audit New Zealand) on a variety of projects. This audit group is

accountable to the chief financial officer, to a senior functional chief and to a risk liaison

group for generally distinct purposes.

MJ is the senior (and sole) auditor in a government organisation of two hundred employees

including four local subdivisions. This group provides ‘coordination and leadership’,

advising the Minister on ‘activities’ of the organisation. He has an accounting background,

and was previously employed in a senior position by the New Zealand Audit Office. MJ

describes himself as a ‘jack of all trades’ and, like MD, is accountable to a wide range of

senior managers and elected ministers.


13

Results

Our results are illustrated in Tables I, II and III. In total, we identified 90 speech acts that

are relevant to these internal auditors’ relationships with others, most of which could be

understood in agency terms. The analysis is divided into issues relevant to the internal

auditor acting as an 'agent' or as a 'monitor'. We found no speech act that portrayed the

‘internal auditor as principal’1, and have thus not included this category in our analysis. We

also found comments referring to what were, on the surface of it, non-agency-like

relationships. These are brought into the analysis later in this section.

Auditor as 'Agent'

We find that these internal auditors are obligated to a variety of individuals as an 'agent' and

for a variety of purposes. Those parties to whom they are most commonly held to account

are the external auditor, senior financial managers, the CEO (or equivalent), or their

equivalents in government.

1 We suggest that there may have been more if we had asked questions on their relationships with their

own audit team, but this was not the focus of the investigation.


14

Table I: Agent Roles of the Internal Auditor

Who

Role and Organisation

To what principal?

For what purpose?

External auditor

When needed MD

Corporate assurance officer, large public sector organisation

Senior financial managers Advising on projects

MJ Sole internal auditor in medium-sized government organisation

CEO via group managers (no apparent relationship with the Board to allow them to effectively act as principal)

Question, investigate, understand, listening, 'turn things around', develop and facilitate risk management framework, investigative queries, assure that things working 'properly', picking up on issues, 'mining', internal consultancy, restricting managers, adding value, monitor quality assurance, ensure accountability 'owned'. Follow up enquiries

(not specified)

Audit activities, systems changes

CEO and the Audit committee 'administratively together with general manager

MI Senior auditor, and one of three, in government department Government

Advice

(not specified) Identifying risk profile, facilitating risk process, guiding risk management process

To external auditors and other oversight auditors

For external financial information

PS Senior audit and assurance manager in large but unlisted, profit-oriented organisation.

To the general manager For policy initiatives; for quality assurance and project management

CEO, then audit committee, also external auditors

Advisory consulting, risk plan

Externals, users of financial and regulatory reports

Co-agents with external auditor for audit work

Managers implied For compliance, to check controls, what's needed for a project

Managers The ‘business’

Advisory, consulting (Manager is 'agent' for 'doing it', for process and for instituting controls.)

PV

Internal audit manager in a major, listed corporation

Board and CEOs For skill-base (information technologists, engineer, project people, accountants) and interpersonal skills

(not specified) Employing external technical contractors, having technical & core skills; writing and 'convincing others, horizontal role across policy and coordination; Translate technical issues and risks into business speak, operate at multiple levels, understand all levels of risk, align with organisational direction, big picture person; Communication, negotiation, understanding viewpoints

CEO Others not specified

In terms of organisation, to add value

PA

Audit partner in a major CA professional firm

Various managers at various levels of the enterprise

Monitoring issues of interest, varies across organisations, pro-active contribution, quality assurance, project management, business objective not operational roles

* Each set of initials represents one of the six different interviewees


15

In some cases they also report to middle-level managers, and this may be a reflection of

issues specific to each organisation. For example, MJ’s accountability is communicated via

group managers. This appears to be related to a less-than-ideal communication pathway to

the governing authority. PV is accountable to a variety of managers, but this appears

because he operates in a consulting or advisory capacity.

A group less commonly named is the audit committee or board. This may be because

internal auditors are, as is illustrated in Table I, agents for ‘advising on projects’, ‘adding

value’ and the like which are at a functional level. Unless there is a problem with these

activities, it seems logical that functional topics are less likely to be of interest to the

strategy-seeking board.

An inconsistency emerges, however, where it would appear that the same obligation (of the

auditor-agent) is due to both the CEO and to the audit committee/board as joint ‘principals’.

This practice seems to be most prevalent in the government organisations and comprises a

less-than-ideal conflation of roles. Under such circumstances the auditor may find it

difficult to hold the CEO accountable to the board since the CEO appears to be part of the

board. Even where there is an audit committee, which would normally exclude the CEO,

this problem is found to exist. MI describes a confusing situation in which internal auditors

are accountable to the CEO and to the audit committee "administratively together with the

general manager". In contrast, PS is more careful to distinguish the roles by clarifying that

the auditor is accountable to the external auditors for external financial information and to

the general manager for policy initiatives, quality assurance and project management. PA

also makes a clear distinction. While a clear path for reporting certain events to certain

‘principals’ exists in some organisations, it is not present in all.


16

Looking to the ‘purpose’ for which the auditor is an ‘agent’, we find that there is a common

obligation to ‘consult’ in their role:

"Advising on projects"

"Advice"

"Develop and facilitate risk management framework …"

"Identifying risk profile, facilitating risk process, guiding risk management process"

"Policy initiatives, quality assurance, project management"

"Advisory consulting, risk plan"

"In terms of the organisation, to add value"

"... Pro-active contribution ... project management, business objective not operational roles"

These phrases indicate that the internal auditors believe they are supporting management, as

opposed to actually carrying out actions. This is an important distinction as it indicates to us

that these internal auditors will be in a reasonable position to audit management actions

since they were not directly involved in how they were carried out. Implementing system

changes, complying with personnel policy, managing stock or carrying out production

functions are tasks commonly left to managers, not to internal auditors. It is noted that

while several of these participants emphasised this point, not all of them did. Hence the

practice – again – may not be consistent. Nonetheless, the distinction may be one that

contributes to independence where it is effective, as it is a ‘point of difference’ that

distinguishes the internal auditor’s role from the manager’s role.

Other descriptions of their agency relationships appear to be more in the tradition of what

we might expect of auditors. These are the system and control or compliance functions to

which internal auditors are in a unique position to contribute. Our participants refer to those

measures that ensure that the projects are appropriately controlled in the traditional sense:


17

"Turn things around ... assure that things working properly, picking up on issues, internal consultancy

..."

"Audit activities, systems changes"

"Co-agents with external auditor for audit work"

"For compliance, to check controls ..."

"Monitoring issues of interests ... quality assurance ..."

"Question, investigate, understand, listening ... investigative queries ... mining ..."

"... to check controls, what's needed for a project"

"Monitoring issues of interest ... quality assurance, project management, business objective not

operational roles"

The traditional ‘tick and check’ function distinguishes the internal auditor’s activities from

those of the managers, and the internal auditor appears to be a clear agent for them. We

note that in some cases, however, internal auditors select the subject for audit “in

consultation” with management, indicating that they may not have the authority they need

when it comes to selecting that which they intend to review.

Another range of expressions refers to the skills that would be expected of an internal

auditor. Insofar as those skills are both desired and present in the individuals employed, it

would seem that the internal auditors have an obligation toward applying them as part of

their responsibilities as an agent:

“[The internal auditor is responsible for having or acquiring] "skill-base ... IT, engineer, project

people, accountants… and [having] interpersonal skills”


18

"Employing external technical contractors, having technical and core skills ... writing and convincing

others, translate technical issues and risks into business speak, operate at multiple levels, big picture

person ... communication, negotiation, understanding viewpoints"

"Co-agents with external auditor for audit work"

"... [Controlling a] subtle way ...”

Both technical and social skills are valued and it seems that internal auditors are inclined to

develop collegial relationships with their work colleagues.

Overall, four features emerge to suggest that the internal auditor is: the responsible ‘agent’

for informed consultation on projects that add value to the organisation, the responsible

‘agent’ for carrying out traditional audit duties of control and oversight and expected to have

and apply technical and social skills in undertaking work with employees. Finally the most

commonly-named ‘principal’ is senior management or the CEO. While these points

dominate, these auditors nonetheless fail to express a consistent view on these issues,

leading us to suggest that there is likely to be significant variation in practice.

Auditor as 'Monitor'

An equally complex situation is encountered with respect to the internal auditor’s activities

as a ‘monitor.’ The following analyses the participants’ discourse on the roles they adopt in

this capacity (Table II) and the responsibilities for which they are held to account (Table

III).


19

Table II: Monitoring Roles of the Internal Auditor

Who?

Role and Organisation

To what principal or what agent?

Summary of Comments

[External users implied]; To Board & CEO of manager; Managers agents & monitors

Joint monitors with external auditor for Audit activity; State of internal controls; Using self-assessment

MD

Corporate assurance officer in large public sector organisation CFO/ Chief of Services;

Corporate Risk Officer, Ministry; of Management

Project management issues; Policy, relative administration; Ineffective systems or policies

MJ

Sole internal auditor in medium-sized government organisation

To government and Board; Of management

Ownership issues, capabilities of the organisation, how processes carried out; 'Turning things around'', looking at things from [audit] perspective, getting acceptance on [audit] rationales, restrict managers, quality assurance, 'as auditor', ensure accountability is 'owned', to 'restrict' others

To government of the 'organisation'

Internally for legal compliance

MI

Acting senior auditor, and one of three, in government department

To CEO and Audit Committee and Public of management

Monitor in public interest (Audit Committee not an active principal )

To Board/ CEO (formally); Chairman/ Board of managers

Relative risk and risk assessment (to Board) and control status (to CEO)

To general manager Policy [process of carrying out implied], plans, using follow up

PS

Senior audit and assurance manager in large unlisted, profit-oriented organisation.

[Not specified] Policy assurance and project management

To CEO of the manager

Reporting on 'audit grading'

To Board/ Audit Committee via Charter of management (incl CEO) (using follow up)

Accountability, 'independence', state of internal controls by looking at processes "to Board & CEO", audit committee receives annual formal report: other reports by auditor to CEO

PV

Internal audit manager in a major, listed corporation Auditor may become monitor (from agent

with managers) if something 'out of beam' To Audit Committee for CEO (ideally); if Audit Committee missing, no apparent principal, for share price stakeholders; To Government for CEO (indirectly; To CEO in 'his role'

Too often monitoring role arbitrated and ineffective; Not directly a monitor for enforcing good government practice, monitor for managers in subtle way, no longer monitor of past manager performance; (not specified)

PA

Audit partner in a major CA professional firm

Government Monitor CEO though not for enforcing government practice

* Each set of initials represents one of the six different interviewees

The monitoring role appears to call on the internal auditor to review information flows

between corporate ‘agents’ (primarily management) and their corporate ‘principals’

(primarily, but not exclusively, the governing body). A pattern found is that there is no


20

consistent ‘principal’ for the auditor-as-monitor, although this may be in part attributable to

the fact that the auditor must adopt several roles, and thus accept oversight from various

sources. In some cases the CEO (or other senior manager) and a governing body member

are referred to together. This is more concerning and is another illustration of how

conflation of their role can occur. Consider the situation in which the auditor-as-monitor

reports to the CEO and an independent board together who, themselves, have opposing

interests. The action the auditor should take is not clear, should, for example, the CEO be

shirking and thereby damaging the organisation as a whole. The ‘subtle relationship skills’

to which one auditor refers would certainly be useful at that point and would seem to be the

least of what they would need in such a dilemma.

There are varying experiences as to how well the audit committees work and whether they

are effective principals.

“The audit committee’s now meeting more often than it used to … it’s now four times a year …

what’s come out of the States probably hasn’t changed [things here] hugely in terms of the importance

of the committee and its role but it’s really reinforced it … [this company] has always had pretty good

governance” (PV)

Elsewhere, the activities of the audit committee appear to be either less clear or less

functional. Typical of the three government organisations is MD’s description of a complex

web of accountabilities, none of which is clearly linked into an audit committee or its

equivalent:

[Our Chief Executive] is accountable to the audit committee and sort of functionally as an audit unit,

we’ve got a direct reporting line to the Chief Executive however (MD)


21

PA, in his unique external contracting position, has the opportunity to observe a number of

organisations and comments on his observations:

“[In my contracts] there has to be reporting to an independent audit committee. I say that because my

perception of what happens in reality is not quite like that! Some of our clients do have that sort of

structure in place. I’d be fairly critical of [others including] some of the government arrangements at

the moment; when I think that the CEO, certainly in terms of what I can see in the central government

agencies, place[s] far too much on … arbitrating what in internal audit matters” (PA).

Without an effective audit committee, it may be more difficult to challenge the CEO.

“[If the independent audit committee is ineffective] I suppose [internal audit] changes its direction,

instead of being an area which can add value to the organisation as a whole… it tends to be more… a

department which will aid the CEO in his role… I think that a strong audit committee is a powerful

aid. If it’s done correctly I think audit committees challenge CEOs…” (PA)

The internal auditor-as-monitor, in the absence of an effective audit committee, will have to

convince the principal, CEO or the Board, through the power of personal persuasion.

“[Is management helpful toward achieving action?] "Oh it is, but it's up to how well you [the internal

auditor] drive that ... and sell it. You're not going to get it unless you can convince the powers that be

that ...this is actually necessary." (PS)

Obtaining management buy-in on audit rationales and ensuring that accountability is 'owned'

are challenges and may reflect on that aspect of the internal auditor’s relationships with top

management (Table II). A further consideration is given to what the internal-auditor-as-

monitor’s responsibilities comprise (Table III).


22

Table III: The Auditor’s Responsibilities as Monitor

Apparent 'Principal' For What Responsibility * External users, shareholders Joint monitors with external auditors for external, financial

information Governance groups (Board, Audit Committee or Ministry) only

Relative administration Ownership issues Organisational capabilities How processes carried out Legal compliance (2) Public interest Risk assessment Control status If something appears out of place

Senior Managers/ CEO Only Project management Turning things around Getting acceptance on [audit] rationales Restrict managers and others Quality assurance Ensure accountability is 'owned' Control status Carrying out policy NOT past performance of manager

Board and CEO Combined Internal controls Processes

* In all cases management was named. As the level of manager was not always specified, or in other cases the term was used to refer to managers 'generically', we did not distinguish between upper- and middle-level management.

The auditor may be expected to provide an account to the boards of the condition of the

organisation's internal controls. While, on the face of it, internal controls would not

normally be of strategic importance, it is perhaps a telling indication of the times that boards

wish to be informed of such operational matters.

For the most part, however, internal auditors only report to their governing body on external

issues, not in internal efficiencies unless they are in some way extraordinary. This includes

reporting on such issues as legal compliance, organisational goals, ownership issues and

public interest concerns. There seem to be distinctions, therefore, between what these

auditors monitor for governing bodies and what they monitor for senior management. If

these comments are indicative of a wider practice, then this may be one fundamental way in

which their relationships with their boards differ from their relationships with their CEOs.


23

Nonetheless, and citing the points raised above, it would appear that the internal auditor's

role may be effective only insofar as there exists an independent board which is ready to

listen and act upon the auditor's assessments.

Other Roles

Not all of the internal auditors' relationships can be defined as resting strictly within the

agency model, of course, as the auditor’s work draws them into a variety of relationships

with others. Some of those to which these auditors refer serve educational or social needs

and, as such, do not appear to have ‘agency’ implications.

“ ... and then we had the education days ... their type of education days and training programmes I find

really useful, more so than the ICANZ” (MJ)

“When I first got here, and the new Zealand IIA wasn’t really that well run or that focused, it was

more of a donation because I felt that ... we should actually be supporting the IIA” (PV)

“[About a team of external auditors] They sort of do their own independent audits and they also help

us and we help them. My role of helping them this year was to [provide assistance organise material

needed for their audit]” (MD)

In other cases, however, these casual relationships may mask the more serious purpose of

reinforcing their ‘monitoring’ role. In particular, the internal auditor’s relationships with

association members seem to contribute to an ‘independence of mind’ for the auditor-as-

monitor by bringing them closer into the ethos of the audit community.


24

“The internal audit association have monthly meetings and they always have a darn good speaker ...

that's primarily to try to get people to sort of move away, shall we say management thinking and

[from developing a non-independent relationship with their managers]” (MD)

“We go along to the [IIA] education days and a few other training courses ... when we can ... I think

it's useful to know what's going on in the audit world, because they get speakers in from all over the

place, new things have come along ... if you have a particular problem [with managers] ... you can get

hold of people [for advice]” (MI)

“I find it's very useful, particularly when you work in isolation, and to be able to have contacts with

other [IIA] colleagues and other organisations” (MJ)

This may also, in selected cases, be the case in their relationships with the external auditor

as well, though few commented on external auditors in ‘relationship’ terms and those that

did sometimes indicated a distant and possibly intimidating relationship:

“We work really closely with the external auditors and simplistically we’ll look at the P&L and

operational things and they’ll look at the balance sheet” (PV)

“[Our relationship with the external auditor is] Excellent! External auditors do no control work in our

organisation [so they must trust what you’ve done?] Well if they didn’t, I’m sure one of us would find

out [laughter]” (PS)

“To be honest, we just don’t have the budget to bring in [external auditors]” (MI)

Their collegiality with other audit professionals may be an important mechanism to reduce

the risk of being caught up in the ‘day-to-day’ or identifying too closely with managers’

interests. It may be this association that also enables the internal auditor to ‘educate’ their

own managers in return:


25

“But what I wanted to try and do is get [managers] to buy into ... [the fact that risk is] their

responsibility ... but I've found it does take time to ... get that understanding and get that [buy

in]”(MD).

“You've got to be quite clear about what you're going to do, and keep on emphasising things ...

challenge is ... getting to those people that just don't want to hear but are presenting a big risk to the

department” (MI)

Improving the manager’s ‘knowledge’ seems to be a pseudonym for convincing managers to

accept their ‘agent’ responsibilities. As such, even the most casual relationships they enjoy

with other auditors may help to solidify their monitoring role.

Conclusion and Recommendations

It is comforting to observe that these professionals generally agree that the internal auditor’s

voice should be a relatively distinct one that ‘supports’, as opposed to ‘performs’,

management functions within the traditional bounds of auditor oversight. Nonetheless, and

despite such self-knowledge, these distinctions do not seem to carry the same weight in all,

or consistently through all, of these practices in a way that would suggest that they are fully

observed.

The analysis reveals that the reason for this may lie in the fact that it is very difficult for the

internal auditor to control their own involvement in and with management. It does not

appear to be, for most of these auditors, a lack of knowledge about what they should do.

Most seem to know to step back when circumstances require them to do so. Their dilemma

seems to lie in the paradox that they need to be both adept at holding themselves


26

accountable to the CEO and, at the same time, accountable to the audit committee about the

CEO. This point is illustrated from the following findings.

Several of these internal auditors have indicated a less-than-uniform level of 'management'

to whom and about whom they report. Whether the internal auditor is acting as ‘monitor’ or

‘agent’, such questions appear to exist and they contribute to a concerning conflation in the

auditor’s role. This is potentially a significant problem for the auditor and for the

organisation because, in a managerial hegemonic situation with a dominant CEO, that CEO

may be able to ‘shirk’ without monitoring oversight and with impunity if a clear reporting

line is not established.

Most of these internal auditors act as monitors between agent-managers and director-

principals and yet at the same time are also the agents accountable to the CEO-directors for

proper oversight. This is another practice that leads to a conflation in their role. If an

auditor becomes involved in changes being made to a system, it would be all too easy to

become involved in implementing that system and, ultimately, monitoring their own work.

There is a fine line between advising and implementing, and one to which the internal

auditor must be sensitive in their communications and relations with others. One way to

address this dilemma would appear to be found in the existence of a quality Audit Charter,

one in which reporting relationships are clearly defined. All of the organisations discussed

had Audit Charters (except for the independent contractor). In fact, one participant had

insisted that his Charter include provisions about accountability (reporting to others, when

and for what) before he would accept the position. While it may be difficult to make such


27

demands prior to employment, it would seem to be an important opportunity if one can to

establish the relationship and role.

Related to these points is the dilemma that most of these auditors face in addressing

expectations that senior managers will have some input into formulating the audit plan or

programme. This effectively makes the auditors co-agents with management for what would

normally comprise audit decisions. While the purpose may be to ensure that the results of

the audit work will meet organisational needs and be accepted by employees, and it may

indeed serve such a purpose, it is also a practice which places the auditor’s independence at

risk. This is because the manager could ‘discourage’ the auditor from conducting

investigations into areas in which that manager feels vulnerable. This is yet another

‘conflation’ of the auditor’s role as it permits the managers to intrude into activities

normally associated with someone who enjoys independent oversight.

The findings reveal some informative ways in which these internal auditors address these

problems. For example, participants often found themselves explaining their own role to

their own managers and workmates. By ‘educating’ their colleagues as to what the auditor

can and cannot do, and when they will and will not do it, a clarity of role can potentially be

carved out by the internal auditor. This may explain why these auditors refer to their skills

in communication and in building relationships so frequently. Relational governance is not

an empty term to these auditors. They must ensure that their lines of communication are

strong so that they can explain their position in a way that is likely to be understood and

accepted by their work colleagues.


28

The presence of a strong audit committee has to be another important feature in reducing the

effects of audit role conflation. As long as the audit committee excludes the CEO and is

competent and involved, there may be a clearer line of authority for the internal auditor to

report about the CEO. If the audit committee is absent or weak, and if the CEO or other

senior managers are overly influential, then auditors are simply not in a position to challenge

unethical practices when they exist near the top of the organisation. The risk from being a

co-agent with line managers may be partially offset, it would seem, by having real access to

those responsible for governance. While it is difficult to say whether a casual relationship

between the internal auditor and the audit committee would serve these purposes well, an

easily-accessible one would seem to hold some promise.

Finally, the casual relationships internal auditors appear to enjoy with other members of

their profession may mask the serious service they contribute to the auditor’s independence.

Leaders in internal audit departments and auditors who find themselves working in isolation

seem to benefit from the audit ethos which their professional association provides. That

their closest working colleagues – managers – are also those to whom they may be charged

to monitor highlights further the importance of these luncheons and seminars with their

peers. This sharing of concerns, and how to resolve them, may be what turns the tide when

it comes to making important decisions impacting independence.

Most participants seem to be aware of the point at which they should ‘pull back’ from

becoming too involved in managerial decisions. But whether they can do so or not is

another story. Ultimately, their success at being an ‘agent’ for their risk-analysis skills may

also depend on their success at being a ‘monitor’ of their management, a situation perhaps


29

more reliant on relational governance, personal communication skills and workplace ethos

than formal structures may imply.

Limitations and Suggestions for Further Research

A limitation of the study is its New Zealand focus. Practice in New Zealand may or may not

reflect that in other contexts. In particular, law and regulation may lead to different

practices overseas. For this reason, we suggest that the study be replicated in other contexts.

The issues still matter, however, as these internal auditors share, in common with internal

auditors globally, their professional association and code. The IIA provides guidance,

ethical codes, education and a particular vision so there is likely to be a common range of

issues on the international scale, but perhaps handled in different ways in different places.

It must also be acknowledged that there would be people acting as internal auditors who are

not IIA members, and that their views and practices are not incorporated into the study. We

note, however, that where 'best practice' is not performed by IIA members, it may be all the

more prevalent in internal audit departments which do not include IIA members. Hence, we

would suggest that we are probably observing the best of internal audit independence

practice.

The sample size is small and does not permit statistical evaluation, thereby limiting the

generalizability of the findings. Nonetheless, the intent of reaching out to a variety of

practices and practitioners was achieved, as was the desire to explore their discourse in

greater depth than a statistically-sized survey could have made possible. We suggest that, as

an exploratory study, it establishes a foundation for quantitative studies which could look for


30

patterns in internal audit relationships across such variables as gender lines, experience,

national/legal boundaries or the age of audit departments.

There are other opportunities for further research. Replication of this study in other

jurisdictions has been suggested. It would also be of value to explore the implications, in

reporting terms, of maintaining an 'agent', 'monitoring' or 'principal' role. In general, the

issue of internal auditor independence is an important topic to explore further. Issues raised

in the New York Attorney General’s pursuit of management-stacked boards (Anonymous,

2004c) suggest to us that if auditors somehow confuse their obligations, and with whom

those obligations lie, there may ultimately be a heavy price to pay.


31

References

Al-Twaijry, A. A. M., Brierley, J.A., & Gwilliam, D. R. (2004). An examination of the relationship between internal and external audit in the Saudi Arabian corporate sector, Managerial Auditing Journal, 19(7), 929-944. Adams, M. B. (1994). Agency Theory and the Internal Audit. Managerial Auditing Journal. 9(8), 8-12. Anonymous. (2004a, June 12). ASB issues draft standard on the operating and financial review, Double Entries, 6. Anonymous. (2004b). The report: Yet to see uniform model for gauging risk. Credit Control, 25(5), 608. Anonymous. (2004c, November). Marsh and Mac. Business Week, 35-43. Brody, R. G., & Lowe, D. J. (2000). The New Role of the Internal Auditor: Implications for Internal Auditor Objectivity. International Journal of Auditing, 4, 169-176. Caplan, D. H., & Kirschenheiter, M. (2000). Outsourcing and Audit Risk for Internal Audit Services. Contemporary Accounting Research. 17(3), 387-428. Chan, S. (2004, October 11). Mapping COSO and CobiT for Sarbanes-Oxley compliance. IT Audit: A Service of the Institute of Internal Auditors, www.theiia.org/itaudit/index.cfm. Collis, J., & Hussey, R. (2003). Business Research. Basingstoke, Hampshire, UK: Palgrave Macmillan. Committee of Sponsoring Organizations of the Treadway Commission (COSO). (2003). Internal Control – Integrated Framework COSO, 4, www.coso.org Cooper, B. J., Leung, P., & Mathews, C. (1994). Internal Audit: An Australian Profile. Managerial Auditing Journal, 9(3), 13-19. Daily, C. M., Dalton, D. R., & Cannella, A. A. (2003). Corporate Governance: Decades of Dialogue and Data. Academy of Management Review, 28(3), 371-382. Ekanayake, S. (2004). Agency theory, national culture and management control systems. Journal of American Academy of Business, 4/1-2, 49-54. Ellis, T. (2004, December 12). Exporters to the US must pull their SOX up. National Business Review, 28, col. 1-6. Ettridge, M., Simon, D., Smith D., & Stone, M. (1994). Why Do Companies Purchase Timely quarterly Reviews? Journal of Accounting and Economics, 18(2), 131-155. Evans, L. (2003). Auditing and audit firms in German before 1931. The Accounting Historians Journal, 30(2), 29-65.


32

Fontana, A., & Frey, J. H. (2003). The interview: From structured questions to negotiated text. In N. K. Denzin & Y. S. Lincoln (Eds.), Collecting and Interpreting Qualitative Materials (2nd Edition). London: Sage Publications. Glasscock, K. L. (2002). Auditees or clients? The Internal Auditor, 59(4), 84-85. Goodwin, J., & Yeo, T. Y. (2001). Two Factors Affecting Internal Audit Independence and Objectivity: Evidence from Singapore. International Journal of Auditing, 5, 107-125. Hamilton, L. (Chairperson). (2003). Principles of Good Corporate Governance and Practice Recommendations. Sydney: Australian Stock Exchange (ASX). Jensen, M. C., & Meckling, W. H. (1976). Theory of the Firm:Managerial Behavior, Agency Costs and Ownership Structure, Journal of Financial Economics, 3, 305-360. Leung, P., Cooper, B., & Robertson, P. (2004). The Role of Internal Audit in corporate Governance and Management. Melbourne: RMIT Publishing. McCall, S. M. (2002). The auditor as consultant. The Internal Auditor, 59(6), 35-39. McGinnis, S. K., Pumphrey, L. D., Trimmer, K. J., & Wiggins, C. (2004). Sustaining and extending organisation strategy via information technology governance. Proceedings of the 37th Hawaii International Conference on Social Sciences, Hawaii. Priest, A. (2002, April 19). CPA Australia puts forward a financial reporting framework. Accounting Education News, www.accountingeducation.com San Miguel, J. G. (2002). The Behavioral Sciences and Concepts and Standards for management Planning and Control. Accounting, Organizations and Society. 2(2), 177-186. Spira, L. F., & Page, M. (2002). Risk management: The reinvention of internal control and the changing role of internal audit. Accounting, Auditing & Accountability Journal, 16(4), 640-661. Spira, L. F., & Page, M. (2003). Risk management: The reinvention of internal control and the changing role of internal audit, Accounting, Auditing & Accountability Journal, 16(4), 640-661. Sundaramurthy, C., & Lewis, M. (2003). Control and Collaboration: Paradoxes of Governance, Academy of Management Review, 28(3), 397-415. Thornton, D. B. (1985, January), A Look at Agency Theory for the Novice: Part 2, J.H. Amernic (Ed.), CA Magazine, 93-100. Van Peursem, K. A. (2004). Internal auditors’ role and authority: New Zealand evidence. Managerial Auditing Journal, 19(3), 378-393. Van Peursem, K. A. (2005). Conversations with Internal Auditors: The Power of Ambiguity. Managerial Auditing Journal. 20(5), 489-512.


33

Vanasco, R. R. (1996). Auditor independence: An international perspective. Managerial Auditing Journal, 11(9), 4-48. Vinten, G. (2001). Corporate governance and the sons of Cadbury. Corporate Governance, 1(4), 4-8. Wallace, W. A. (1985). Auditing Monographs, New York: Macmillan Inc. Watts, R. L. and Zimmerman, J.L. (1978). Towards a positive theory of the determination of accounting standards. The Accounting Review, 53 (1), 112-134. Watts, R. L., & Zimmerman, J. L. (1986). Positive Accounting Theory, Englewood Cliffs, New Jersey: Prentice-Hall. Weisner, W. H., & Cronshaw, S. F. (1988). A Meta-analytic investigation of the impact of interview format and degree of structure on the validity of the employment interview. Journal of Occupational Psychology, 61(4), 275-291. Zikmund, W. G. (2003). Business Research Methods. Mason, OH: Thomson

INTERNAL AUDITORS AND INDEPENDENCE: AN AGENCY …ceebi.curtin.edu.au/local/docs/5.VanPeursem.pdf · INTERNAL AUDITORS AND INDEPENDENCE: AN AGENCY LENS ON ... internal auditor is expected

Documents