خطوط گزارش دهی حسابرسی داخلی، تجزیه ریسک کلاهبرداری و ارزیابی ریسک کلاهبرداری

The main purpose of this research is to examine the effects of internal audit reporting lines on fraud risk assessments made by internal auditors when the level of fraud risk varies. Significant emphasis has been placed on the importance of reporting lines in maintaining the autonomy of internal auditors, but the perceived benefits of requiring internal audit to report directly to the audit committee have not been validated or systematically investigated. Results of an experiment involving 172 experienced internal auditors and additional survey findings indicate that internal auditors perceive more personal threats when they report high levels of risk directly to the audit committee, relative to management. Perceived threats lead internal auditors to reduce assessed levels of fraud risk when reporting to the audit committee relative to when reporting to management. This finding runs counter to the anticipated benefits of requirements that the internal audit function report directly to the audit committee, and it reveals potential conflicts of interest and independence threats created by the audit committee itself. We also investigate the effects of fraud risk decomposition on risk assessments made by internal auditors. We find that fraud risk assessment decomposition does not have the same effects on internal auditors as it has on external auditors, and the effects of decomposition do not align with the expected benefits of decomposition.

Professional guidance developed by the Institute of Internal Auditors (Attribute Standard 1110) states that the Chief Audit Executive should report directly to the audit committee, and investor protection groups have made strong calls for the cessation of reporting by internal audit functions to the CFO and other top executives (e.g., Johnson, 2006 and Moody’s Investor Services. 2006, 2006). Similar calls for reporting directly to the audit committee have recently been made by professionals, academic researchers, and other professional organizations, all of which suggest that internal auditors are key players in day-to-day corporate integrity, sound reporting, and anti-fraud activities (e.g., Berman, 2006, Kaplan and Schultz, 2007, KPMG, 2006 and Salierno, 2007). A common concern expressed by these individuals and organizations is that without appropriate reporting lines, business cannot be conducted effectively or efficiently (Berman, 2006), and reporting to management undermines the internal audit function’s independence and objectivity (Balkaran, 2007). That is, internal auditors face conflicts of interest when they report to management. Research demonstrates that external auditors’ conflicts of interest (e.g., legal requirements to be independent and provide unbiased evaluations of financial disclosures versus incentives to maintain fees and create employment opportunities with clients) influence external auditors’ objectivity and independence (Demski, 2003, King, 2002, Moore et al., 2006 and Nelson, 2005). However, little research has examined how conflicts of interest influence the judgments of internal auditors. Internal auditing is considered one of the four cornerstones of corporate governance, along with senior management, the board, and the external auditors and, as such, internal audit must be free from potential influence or interference by management. The majority of internal audit departments in publicly-traded firms distribute their efforts and report their findings to either top management (often the CFO) or the audit committee, depending upon the source of the request. Cenker and Nagy (2004) interviewed nine CAEs of large publicly listed corporations (average total assets of approximately $15 billion) and found that eight report to the CFO or CEO and one reports to the chief risk officer. A recent report by the Institute of Internal Auditors indicates that approximately 40% of Chief Audit Executives (CAEs) report to the CFO and nearly 20% do not report functionally to the audit committee (Balkaran, 2007). Investor protection agencies worry that internal auditors cannot objectively examine financial disclosures, evaluate internal controls, or assess risks when they report the results of their efforts to their supervisors, such as the CFO (Johnson, 2006). Investor concerns echo the findings of the IIA standards – the reporting line for internal auditors is important and can have significant effects on their judgments. Changing the primary reporting line away from management and to the audit committee is expected to mitigate problems associated with internal auditors’ conflicts of interest, but this assumption has not been investigated. Furthermore, Nieschwietz, Schultz, and Zimbleman (2000) encourage accounting researchers to investigate (1) the effects of multiple sources of accountability on fraud risk assessments and (2) how auditors assess fraud risk. While these calls for research are aimed at better understanding fraud risk assessments by external auditors, clearly such an investigation of internal auditors’ fraud risk assessments is equally important. As a result of the Sarbanes Oxley Act of 2002 and associated stock exchange regulations, the internal audit function now faces substantial scrutiny and oversight from the firm’s audit committee – indeed, many audit committee (AC) charters include provisions that give the AC the authority to hire or fire the Chief Audit Executive (Cenker & Nagy, 2004). Such power over internal audit creates the potential for new threats to internal audit independence that have not previously been considered. It is possible that reporting to the audit committee creates independence and objectivity threats that are equivalent to, or even greater than, the threats created by reporting to management for certain internal auditor roles. Currently, the question of which reporting line creates the greater threats to independence and/or objectivity is unclear, and experimental investigation is necessary. Accordingly, the primary purpose of our research is to examine the effects of internal audit reporting lines on the judgments of internal auditors. We focus our investigation on fraud risk assessment. We selected this task for several reasons. First, assessments of fraud risk represent judgments where internal auditors face significant pressures from management because internal auditors must evaluate the likelihood that members of management (who are in control of the internal auditors’ evaluations and promotions) are committing fraud. Internal auditors may feel pressure to compromise their independence to appease management. Second, fraud risk assessments are critical to the organization, and undiscovered fraud can cause serious damage to the viability of the firm, if not dissolution. Third, fraud is difficult for external auditors to detect, and recent regulation promotes greater reliance by external auditors on the risk assessments of internal auditors (e.g., PCAOB AS5, 2007). As Albrecht (1996) points out, fraud is not an event that is normally witnessed firsthand, and it is often too ambiguous for external parties to discover. Green and Calderon (1996) argue that internal auditors are optimally positioned to identify and assess any red flags that might indicate fraud, and internal auditors face increasing pressures to assess firm risks. Fourth, the extant research on auditors’ fraud risk assessments focuses primarily on external auditors’ judgments, and as such, little research exists on internal auditors’ judgments ( Asare, Davidson, & Gramling, 2003). Finally, a fraud risk assessment task allows us to extend previous research of fraud risk assessments made by external auditors. A recent study by Wilks and Zimbelman (2004) examines the effects of the decomposition of fraud risks (following the fraud triangle described in SAS No. 99) on external auditors’ assessments of fraud risk. The authors investigate concerns expressed by regulators, practitioners, and academics that external auditors may be insensitive to situational factors, such as fraud opportunities and incentives, when management’s attitude indicates low levels of fraud risk. Wilks and Zimbelman (2004) found that auditors were more sensitive to opportunity and incentive cues when auditors were required to make a decomposed assessment of fraud risk, as opposed to a holistic assessment. Curiously, they discovered that increased sensitivity to incentive and opportunity cues only occurred when the incentive and opportunity cues were indicative of low levels of fraud risk. That is, decomposition of fraud risk assessments decreased overall assessments of risk when opportunity and incentive cues were not indicative of high fraud risk, but decomposed risk assessments did not increase assessed levels of fraud risk relative to holistic assessments when opportunity and incentive cues were indicative of high fraud risk. We find meaningful opportunities to extend the literature related to the decomposition of fraud risk assessments. The internal audit function can play a substantial role in fraud detection and fraud risk assessment (e.g., Green and Calderon, 1996, KPMG, 2006 and Welch et al., 1996), and external auditors might rely on risk assessments made by internal auditors. Given that internal auditors face different motivations, incentives, and threats than external auditors, and internal auditors have different knowledge and experience relative to external auditors, internal auditors may not be influenced by risk decomposition in the same manner as external auditors are. Wilks and Zimbelman (2004) find that decomposed risk assessments increase external auditors’ attention to incentive and opportunity cues only when incentive and opportunity cues are indicative of low risk. Our study replicates the decomposition tests from Wilks and Zimbelman (2004) to determine whether these results hold for internal auditors. Our results indicate that internal auditors perceive threats when reporting high levels of fraud risk to management. However, internal auditors perceive greater personal threats when they report high levels of fraud risk directly to the audit committee. The greater perceived threats associated with reporting high levels of fraud risk to the audit committee lead internal auditors to reduce assessed levels of fraud risk when reporting to the audit committee relative to reporting to management. This finding runs counter to the anticipated benefits of requiring the internal audit function to report directly to the audit committee, and it reveals potential independence and objectivity threats created by the audit committee itself. We also find that fraud assessment decomposition does not have the same effects on internal auditors as it has on external auditors. Decomposition resulted in increased attention to management attitude, which represents the opposite effect sought by practitioners and regulators. Overall our research findings provide evidence that recent recommendations for improving internal audit practice and risk assessment processes can have significant, unintended consequences.

Significant emphasis has been placed on the importance of internal audit reporting lines in maintaining the independence of internal auditors, but this emphasis has been based almost solely on the intuitive appeal that accurate, objective information can only be provided when internal auditing has a direct reporting line to the audit committee (Balkaran, 2007). We investigate the effects of reporting line on internal auditors’ assessments of fraud risk in a controlled, laboratory setting. Our results suggest that requiring the internal audit function of an organization to report directly to the audit committee may not be a wise solution for internal auditor independence or objectivity threats. We find that internal auditors decrease their assessments of risk when the results of risk assessments are reported directly to the audit committee, relative to when the results are reported to management. We triangulate our findings with interviews of highly experienced practitioners and a survey of internal auditors in order to understand why internal auditors feel pressure to decrease risk assessments when reporting to the audit committee. Our analyses reveal that internal auditors view the audit committee as an additional personal threat, in addition to the threats posed by management. Internal auditors believe that all information is filtered through management, regardless of reporting line. In addition, internal auditors fear over-reaction by the audit committee to indicators of risk that can lead to workload increases and management reprisals. Finally, internal auditors believe that management poses the greatest threats when internal auditors report high levels of risk to the audit committee without first working with management to mitigate the risks. Taken together, internal auditors’ beliefs and perceptions lead them to be more concerned about reporting risk to the audit committee than they are concerned about reporting risk to management. We also investigated another dimension of the fraud risk assessment process – decomposition of risk assessment judgments. Regulators and academics have expressed significant concerns that external auditors focus too heavily on management attitude cues during fraud risk assessments, while focusing too little on incentive and opportunity cues (AICPA, 2002, Heiman-Hoffman et al., 1996, Jonas, 2001 and Shelton et al., 2001). Wilks and Zimbelman (2004) investigated the effectiveness of risk decomposition as a mechanism to reduce over-reliance on attitude cues and found that decomposition increased sensitivity to incentive and opportunity cues, but only when these cues indicated a low risk of fraud. Our results reveal that internal auditors are not influenced by decomposition in the same manner as external auditors. For internal auditors, decomposition of fraud risk assessments results in increased attention to management attitude cues across all levels of risk, without corresponding increase in attention to incentive or opportunity cues. These findings indicate that any attempts to mitigate perceived problems associated with insensitivity to incentive and opportunity cues by decomposing risk assessments can actually amplify the problem that prompted consideration of mitigating mechanisms. Due to differences in the practice requirements and legal environments faced by internal and external auditors, these two groups of auditors react differently to risk decomposition. The results from analyses of the effects of reporting lines and fraud risk decomposition each indicate that recent recommendations for improving audit practice and risk assessment processes can have adverse and unexpected consequences for the internal audit function. Our findings highlight the need for empirical examination of assumptions about the benefits of new legal requirements (such as requirements to report to the audit committee) and the problems associated with drawing conclusions about the judgment processes of internal auditors from studies of external auditor judgment.