SYNOPSIS: This study examines whether internal audit reporting structure and internal audit sourcing arrangement affect financial statement users' perceptions of ability of the internal audit function to prevent financial statement fraud. A survey of lending officers finds that in-house internal audit departments that report to senior management are perceived as less able to provide protection against fraudulent reporting compared to in-house departments that report solely to the board of directors' audit committee. This finding is particularly important in light of the SEC's recent consideration of whether the audit committee should be directly responsible for oversight of the internal auditor.
This study does not find a difference in users' perceptions of financial statement fraud prevention between outsourced internal audit teams and in-house internal audit departments when both report to the audit committee. Results suggest that increases in perceived audit expertise may occur with outsourcing, but such increases may not significantly enhance user confidence in the internal audit function because users perceive outsourced teams to have less in-depth knowledge of the company than in-house internal audit departments.
Keywords: internal audit; reporting structure; outsourcing; fraudulent financial reporting. Data Availability: Data used in this study are available from the author upon request.
In the wake of recent corporate failures, many reforms were undertaken to restore user confidence, including the Sarbanes-Oxley Act of 2002 and the resulting SEC rules to implement its provisions. The New York Stock Exchange (NYSE), American Stock Exchange (AMEX), and NASDAQ also proposed new corporate governance rules (NYSE 2003; AMEX 2003; NASDAQ 2003). While these enacted and proposed reforms focus mainly on the responsibilities of the independent auditor and the audit committee, the reforms also recognize the role of the internal auditor in restoring user confidence. For example, newly proposed NYSE rules require all listed companies to have an internal audit function. Furthermore, the SEC recently considered whether it should regulate the relationship between the internal auditor and the audit committee (SEC 2003). This study examines two dimensions of that relationship: reporting structure and sourcing arrangement.
With respect to reporting structure, many in-house internal audit departments report primarily to senior management that has sole responsibility for hiring and firing the chief internal auditor. SEC members expressed the need for the internal auditor to have open access to the audit committee. Although former chief accountant Robert Herdman (2002) stated that the audit committee must be given "direct, unfettered, independent access" to the internal auditor, reporting to management may hinder such access. In proposing rules to implement the Sarbanes-Oxley Act, the SEC requested public comment on whether the audit committee should be made directly responsible for the appointment, compensation, retention, and oversight of the internal auditor. The SEC chose not to impose this restriction after reviewing public comment (SEC 2003), but the potential effects of this structure warrant further study. This study examines whether different reporting structures lead to perceived differences in the level of fraud protection provided by the internal audit function.
Sourcing arrangement is also a key factor that distinguishes internal audit functions. Much controversy surrounds internal audit outsourcing in recent years. As a result, the Sarbanes-Oxley Act now prohibits outsourcing the internal audit to the company's financial statement auditor, while it allows outsourcing the internal audit to a different firm. The current study examines how outsourcing to a Big 5 firm under both conditions impacts users' perceptions of the internal audit function.
Results of this study indicate that users perceive internal audit departments that report to senior management as less able to provide protection against fraudulent reporting compared to (1) in-house departments that report solely to the audit committee and (2) outsourced internal audit teams that report to the audit committee. …