Internal auditing is a dynamic and challenging profession that is responding to a growing need for quality assurance in private and public sector organisations. The profession started gaining recognition in the early twentieth century in the wake of company growth. The original role of the IA was the protection of company assets and the prevention and detection of fraud. This role was extended upon the formal recognition of the profession in 1941 with the establishment of the IIA. Today, IIA standards help promote global harmonisation of the IAF's operations [1] .
1.1.2 Public Limited Liability Companies
PLCs listed on the MSE are considered to be public interest entities and thus have a greater responsibility for accountability to stakeholders. The demands for accountability and the emphasis for good governance and better risk management in the aftermath of the recent financial crisis, implies a greater need for an IAF.
1.2 NEED FOR THE STUDY
The IAF is growing in importance as stakeholders' expectations of management to provide 'an independent review of a company's operations and financial accounts, have been raised' (Laker 2004). The IAF can be an extremely valuable asset to the company in providing such independent reviews. However, there are certain challenges and barriers that need to be overcome to enable the function, where it already exists, to make a value-adding contribution; and to encourage its introduction where it does not exist.
This study focuses on barriers to Maltese IAFs and how they can be overcome. This area was chosen because to date, there has been no study that specifically tackles barriers to internal auditing in Maltese PLCs. Moreover, such a study merits specific attention due to the fact that there are several Maltese PLCs that have not yet set up an IAF.
1.3 OBJECTIVES OF THE STUDY
The main objectives of this study are therefore the following:
To identify barriers to Maltese existing internal audit units and their work and evaluate how these are being managed
To identify the main barriers to the introduction of an IAF in companies where this does not exist
1.4 SCOPE AND LIMITATIONS
Companies chosen to be part of the research for this dissertation are divided into two groups. The first group includes companies that have an IAF and the second of companies that do not have this; however, the small sample used means that the study's conclusions to the entire population of Maltese PLCs. Nonetheless, this dissertation highlights very important points that must be taken into consideration for internal audit functions in Maltese PLCs. The research takes into consideration developments up to 31st March 2013.
1.5 DISSERTATION OVERVIEW
Chapter 1 provides background information and describes the need for the study, its objectives, scope and limitations and the outline of the dissertation.
Chapter 2 contains information on the theoretical background to the study. It explains the role and functions of the internal auditor, Maltese legal requirements for PLCs, the barriers to internal auditing and suggested ways to overcome such barriers.
Chapter 3 explains the methodology used for the dissertation.
Chapters 4 and 5 present respectively the results of the primary research conducted and a discussion of these results.
Chapter 6 summarises the research findings and draws relevant conclusions. It also includes recommendations for the Maltese scenario and for areas of further research.
2.1 BACKGROUND
The official definition of internal auditing given by the Institute of Internal Auditors is the following:
'Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.'
(IIA, 2013, Standards and Guidance, Definition of Internal Auditing)
The concept of internal auditing branches out from the general definition of auditing as a:
'systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users'.
(Council on Foundations, Definition of Auditing, 2003: Handout 3)
This helped develop the traditional role of internal auditing: that of examining the reliability and integrity of financial information reported internally and externally by the firm. The audit role of the IAF also extends to operational audits, an examination of the efficiency and effectiveness of the firm's operations based on risk prioritisation. [2]
Another important role of the IA is ensuring appropriate corporate governance processes and that management has implemented a sound control system that minimises risk to the firm, ensures the achievement of objectives, and safeguards the firm's assets. It is the IA's job to ensure that management has built a system of checks and balances within the firm's operations to ensure minimum exposure to risk. The IA normally does this by means of an independent risk management assessment. [3]
2.2 LEGAL REQUIREMENTS FOR PUBLIC LIMITED LIABILITY COMPANIES IN MALTA
MFSA Listing Rules require 'an issuer whose securities are admitted to trading on a Regulated Market operating in Malta' to set up an audit committee (AC) composed of at least three directors, one of these being independent and 'competent in accounting and/or auditing'. The responsibilities of the AC are shown in the extract below.
An important issue to note here is that the Listing Rules do not require companies listed on the Malta Stock Exchange (MSE) to have an IA. Additionally, these rules do not include specific reference to the role and responsibilities of the IA. This is a major barrier to the development of the IAF in Maltese PLCs and could explain why many still do not have such a function. [4]
The situation is different in local banks. The MFSA Banking regulations incorporate the requirements of the Basel II framework. Under Basel II the IAF is to be implemented as the third line of defence in a company, performing independent reviews of the first line of defence- the business units, and the second line of defence- the risk organisation responsible for monitoring risks.
With the proposed implementation of the Solvency II framework in Malta in 2014, insurance companies will be 'obliged to comply with internal control requirements by means of establishing a bespoke risk management function, a compliance function and an internal audit function on the basis of the guiding rules outlined in the Directive'.
Despite Basel II and Solvency II requirements, the IAF in Maltese firms needs to be given more prominence in local legislation to promote the development of the function.
The following sections deal with factors that must be taken into consideration to help reduce or eliminate barriers to an effective IAF.
2.3 INTERNAL AUDITOR INDEPENDENCE
The IIA describes independence and objectivity as crucial elements in the work of the IA. Indeed, the credibility and value of the assurance services provided by the function are derived from its 'independence of mind and independence in appearance' (Stewart & Subramaniam 2009).
IIA Standard 1100 states that "the internal audit activity should be independent, and IAs should be objective in performing their work." Despite this, Spencer Pickett, in his textbook on internal auditing, explains that the lack of independence is the greatest barrier to the work of IAs present in firms today.
In 2001, the IIA published "Independence and Objectivity: A Framework for IAs" as a guide to IAs. The framework highlights threats to IA independence, mainly: economic interest; social pressure; personal relationships; familiarity and self-review.
The IA has a unique position because s/he is employed by management but is also expected to review management's actions. Therefore, there is a certain tension faced by the IA as s/he depends on management for employment but must assess it objectively. Whether the IA can maintain objectivity in this case is a point of doubt (Paape 2007).
The threat of personal relationships hindering the IA's independence is particularly strong in Malta, given the small size of our island.
A self-review threat may arise when the IA reviews his/her own work. This might be the result of the dual role of the IA within the organisation with respect to management and the AC.
The IA acts as a consultant to management, recommending improvements in the efficiency and effectiveness of operations and helping management to reach the firm's objectives. The role of the IA when serving the AC is to provide assurance that the entire firm is complying with the controls set up by the AC and this is done by means of auditing the firm's operations.
Due to these different roles, the IA faces a conflict. The assurance duties performed for the AC consist of auditing what has been previously recommended to management by him/her, thus presenting a self-review threat.
Many academics have questioned whether this dual role of the IA is possible (Hermanson and Rittenberg 2003; Anderson 2003); and Flesher and Zanzig (2000) noted that this conflict could have negative implications on the credibility of the function.
The IIA's recommendation is that the IA should report directly to the AC instead of to upper management. The relationship between the AC and the IA was examined by Abbott in 2007. The three facets of the relationship studied were: the reporting lines, termination rights and budgetary control.
The results showed that when the AC has a stronger influence on the IAF than management, the duties of the IA would increasingly consist of internal control evaluations. However, from the sample interviewed, it was found that the IA was fulfilling duties at the instruction of both management and the AC and not having one main body to answer to.
The IIA emphasises that if the AC expects the IA to examine the company's internal control system, then it should provide adequate resources to the IA to execute its audit plan.
Lack of financial support could pose several threats to the work of the IA. Firstly, there could be a reduction in the scope of the work; secondly, skilled IAs might be discouraged to apply for a position in the IAF of a firm that does not allocate sufficient funds (Jefferson Wells 2004, Hermanson 2002). Lastly, a tight budget could lead to IAs not being given the necessary training on current issues related to their field.
Another recommendation of the IIA Independence and Objectivity Framework is the drawing up of an audit charter that specifically establishes the purpose, authority and responsibility of the IAF; a formal support of the function's independence and objectivity in the firm.
One could argue that outsourcing the IAF would also help to solve the independence issue as an external service provider does not have the conflict of an employee. However, an external service provider would not have the same in-depth knowledge of the firm as an employee, and might still behave in the same way as an employee as his payment also depends on management.
Mautz and Sharaf (1961) suggest three elements of IA independence within a firm. These are: 'programming independence', enabling the IA to control the audit program; 'investigative independence', giving the IA access to all necessary evidence; and 'reporting independence', allowing the IA to report freely.
In addition to independence, the IIA Standards also emphasise the importance of objectivity: a state of mind that must be maintained by the IA in the performance of his/her duties. The IA should try to avoid conflicts of interest and maintain an unbiased attitude by avoiding the audit of operations in which s/he was involved and submitting his/her work to a higher authority (Attribute Standard 1120).
Staff rotation is also another measure to retain objectivity. An additional safeguard would be for the IA to be subject to quality assurance reviews to ensure that objectivity and professionalism are maintained.
Many IAs use the IIA Code of Ethics as a point of reference. The Code specifies that the IA must make a balanced assessment of all relevant circumstances, avoid situations which would cause bias, and disclose all material facts relevant to the activities being reviewed.
2.4 INTERNAL AUDITOR RELATIONSHIP WITH MANAGEMENT
Van Peursem (2005) mentions the agency theory as underpinning the relationship between management and the IA. In a situation where management places the company's objectives above its own personal interests, the IA would not be needed. However, in practice, the IA is needed to ensure that management acts in the shareholders' interest.
The IIA Practice Advisory 1110-2 takes another view of the matter and recommends that the IA should report administratively to management in order to gain support for its everyday activities. Top management can help the IA by indicating high-risk areas to be tackled in the audit (Arena & Azzone 2009); and by displaying confidence in the IA's capabilities through the implementation of his/her recommendations. The latter is essential in helping to form a good perception of the IA's work, enabling it to deliver value to the firm (Sarens & De Beelde 2006).
Lack of management support is a main hindrance to the work of the IA. Mark Schlageter, of Thomson Reuters, stated that the AC and executive management should 'visibly and vocally demonstrate support' for the IAF to make the task of internal auditing easier. An open communication line between management and the IA would enable this support to be felt through information flow and feedback (Loss 2000).
A Maltese study by Noemi Martin (2010) examined the relationship between the IA and management by interviewing both parties in 10 Maltese companies. The main issues quoted were: timing, resources provision, management implementation of recommendations and management attitude to risks. However, overall the relationship was stated to be a good one.
2.5 THE INTERNAL AUDITOR AND THE FIRM'S INTERNAL CONTROL SYSTEM
An important question that is posed by stakeholders of a firm is whether the company is 'in control'. The concern stems from the fact that companies like Enron, Worldcom and HBOS had issued a statement (according to the applicable legislation) stating that they were 'in control', but in reality there were strategic problems in control within the firm.
The formal definition of internal control is as follows:
A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations;
Reliability of financial reporting;
Compliance with applicable laws and regulations;
Safeguarding of assets.
(COSO Framework, December 2011, p. 1)
Swinkels (2009) suggests the following points as important to be taken into consideration by the IA in assuring a sound internal control system for the firm.
The IA has to ensure that top management have not only set objectives, but have systems that check the compliance of operations with these objectives, for example; ensuring that what is taught to employees is actually practised and assessing organisational culture which directly affects firm performance.
The IA must also consider the firm's external environment, and how this will affect company strategy, and in turn the management control framework. With respect to this role, one barrier could be the frequency of change in the firm's environment, systems and processes which might be too rapid for the traditional audit approach to work effectively (Spira & Page 2002).
2.6 THE INTERNAL AUDITOR AND RISK MANAGEMENT
In a PWC 2012 study on the state of the internal audit profession: 'Aligning internal audit; are you on the right floor?'; stakeholders pointed out that the IA needs to have a higher standard of performance in order to effectively support the organisation's risk management system.
Less than 45% of those surveyed stated that they are happy with how risks are being managed. Even though the direct responsibility for risks is that of management, the IA is employed to gain an understanding of the firm's risk environment, to ensure that management has employed a good control system and to consult and give recommendations as to how best to mitigate these risks to improve firm performance.
One of the most prominent views of the literature is that lack of resources and staff, and organisational and cultural resistance, are also barriers to the IA in his/her duties with respect to risk management. These are normally resolved through trust-based relationships built over time, where stakeholders value the IA's contributions.
Stakeholders in the survey indicated that the IA is expected to 'navigate the new risk landscape' of the firm by identifying the top risks as communicated by management, and following up by acting upon these risks. The IA could also amend the audit plan in real time, giving an adept response to management actions and allocating resources to the crucial areas.
2.7 MEASURING INTERNAL AUDITOR EFFECTIVENESS
One of the main barriers to the work of IAs is the difficulty in measuring the effectiveness of their work. If stakeholders do not evaluate the work of the IA in a proper manner, they can never truly know the contribution that the IA is giving to the firm.
IIA Standards normally focus on five main areas to determine IA effectiveness: independence, professional proficiency, scope of work, performance of audit work and management of the IAF (Dittenhofer 2001).
Productivity must also be taken into consideration. The IA may comply with standards but still remain unable to contribute something of value to the company (Dittenhofer 2001). Dittenhofer emphasised the importance of measuring the IA's contribution to the achievement of company goals and the quality of the auditee's control operations.
At operation level, the contribution can be seen by means of cost savings. At a higher level, share price increases, profit increases, growth and sound corporate governance could reflect IA effectiveness, as well as improvements in risk management and internal control processes (Arena &Azzone 2009).
In a study by Ziegenfuss (2000) CAEs considered auditee satisfaction and the percentage of IA recommendations followed as more suitable measures. IIA Attribute Standard 1300 proposes a more formal evaluation by means of a quality assurance program that continuously monitors the IAF in the firm.
Another formal approach to measuring IA performance is benchmarking which has been defined as:
'The process of continuously measuring and comparing one's business processes against comparable processes in leading organisations to obtain information that will help the organisation identify and evaluate improvements'
(Andersen and Pattersen, 1996, p. 4)
A Maltese study by Balzan and Baldacchino (2007) revealed a poor awareness of benchmarking in Maltese firms: local IA evaluation techniques were described as 'mere rudimentary comparisons, essentially backward and inward-looking in nature'.
2.8 INTERNAL AUDITOR RELATIONSHIP WITH EXTERNAL AUDITORS
In a study by Soh and Martinov-Bennie (2011), chief audit executives interviewed stated that there was a good relationship between the internal and external auditors, with both parties working together to avoid duplication and promote cost efficiency. Cohen et al. (2010) found that external auditors (EAs) perceived IAs to be more independent, reliable, and collaborative and having a greater status in the organisation than in previous years.
However, the IAs in the study by Van Peursem (2005) did not view themselves as having a proper relationship with the EA, with some describing the relationship as being distinct and intimidating.
Guidance for the relationship between the external and internal auditors is provided in ISA 610: 'Using the Work of Internal Auditors'; and ISA 315: 'Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment'.
Coordination between the internal and external auditor could enhance audits performed because IAs have a detailed knowledge of the company which EAs do not possess, while EAs are exposed to a wider variety of clients and issues. ISA 610 states that the internal and external auditor have different objectives; however, the way in which they achieve objectives may be similar. Without coordination, there would be a waste of time for the IAF as it may duplicate work already done by the EA.
Wood (2004) recommended the following for the IAF: taking initiative in seeking coordination with the EA, complying with standards, convincing stakeholders of the benefits from the EA's work and following up on control deficiencies identified by the EA. Throughout the year, constant communication should help both parties to achieve better audit coverage, and break down the barriers which often exist between the IA and the EA.
3.1 PRELIMINARY RESEARCH
The objective of the study was to find out what barriers, if any may exist for the IAF in Maltese PLCs and if so, the reasons for these. The field of study was chosen after a thorough analysis of Faculty of Economics, Management and Accountancy past dissertations. This was complemented by extensive research on the subject matter and a detailed preliminary discussion with an experienced Maltese IA.
3.2 DATA COLLECTION
Data was collected from both primary and secondary sources. Secondary data was obtained from books, dissertations, journals, research papers, on-line databases and websites, in order to obtain an understanding of the existing body of knowledge on the subject. Both Maltese and foreign studies were referred to; however, there was no Maltese study specifically related to barriers to IAFs. Primary data was collected by means of semi-structured interviews which included both quantitative and qualitative questions.
3.2.1 Sample and Response Rate
The analysis was limited to PLCs since the population of all local limited liability companies, was considered by the supervisor to be too vast in view of the time constraint and word limit for this dissertation.
A list of local PLCs was obtained from the MFSA in order to select a sample to be interviewed. The next step was to determine which companies in the list have an IAF and which companies do not. A mixed sample gives a much better insight into the local situation than a sample focusing solely on companies having an IAF.
Such a sample was especially required in this dissertation in order to highlight barriers that companies without an IAF face in setting up IAFs, and in order to find the reason behind the lack of IAFs in such Maltese PLCs. Companies in the sample that have an IAF were selected to investigate whether they also face any such barriers and if so how they manage these barriers to gain an effective contribution from the function.
In selecting the sample, it was found that a number of PLCs were simply the 'financing arm' of the private company and therefore in this case, outside the scope of the study. Such companies were excluded from the population when selecting the sample.
Due to the short time available only twenty five companies from the list were contacted. These included companies of different size and operating in different industries, namely: gaming, travel, insurance, hotels, banking, manufacturing, retail, telecommunications, and IT.
In order to determine which of these twenty five companies have an IAF and which do not, a thorough analysis was made of the corporate governance statements in the published financial statements of these companies. Results showed that eleven out of twenty five companies 44% - do not have an IAF. This is a substantial percentage when considering that these are listed companies of a certain size and stature; hence the need to obtain a sample representative of the local situation.
From the twenty five companies contacted, twelve companies replied, giving a response rate of 48%. Thus, the final sample drawn up consisted of twelve companies and a total of twelve face-to-face interviews were conducted. Five of the twelve companies interviewed 42%- stated that they do not have an IAF, leaving 58% of the sample that was made up of companies that have an IAF.
Table 3.1: Respondent Characteristics
No. of org.
Type of IAF
Head Count
In-housed
Out-sourced
No IAF
Organisation
IAF
1-50
51-500
501-1000
1000+
1-5
6-10
11+
12
6
1
5
2
6
2
2
5
1
1
3.3 RESEARCH INSTRUMENT
The main research instrument was the one-to-one semi-structured interview conducted with twelve organisations. Personal interviews were conducted in preference to mailed questionnaires in order to enable more information to be gathered from a detailed discussion with the participants.
3.3.1 Interview Schedule Design
Two separate interview schedules were prepared. One schedule was designed for companies that do not have an IAF and the other for companies that do have this function. The schedules were divided into sections as shown in Table 3.2.
Table 3.2 Interview Schedule Design
Companies having an IAF
Interview conducted with chief IA
Companies not having an IAF
Interview conducted with Financial Controller/Audit Committee Member
Reason for not having an IAF
Q1
Role and Function of the IA
Q1 - 2
Role and Function of the IA
Q2 - 3
Independence
Q3 - 7
Independence
Q4 - 8
Role Conflict
Q8 - 11
Role Conflict
Q9 - 12
Relationship with Management
Q12
Relationship with Management
Q13
Risk Management
Q13
Risk Management
Q14
Measuring IA Effectiveness
Q14 - 16
Measuring IA Effectiveness
Q15 - 17
Internal Audit Profession
Q17
Internal Audit Profession
Q18
Relationship with EA
Q18 - 19
Relationship with EA
Q19
Both interview schedules consisted of open-ended and closed-ended questions. Open-ended questions were used where a more elaborate explanation of the concept was needed. Closed-ended questions consisted of statements presented to the interviewees for which they had to indicate their level of agreement according to a five-point Likert scale.
3.3.2 Conduct of Interviews
Interviews were held during the period from December 2012 to March 2013 at the interviewees' premises and lasted on average forty five minutes. The interview questions were e-mailed to the interviewees in advance to enable a preliminary analysis of the questions prior to the meeting.
3.4 DATA ANALYSIS
Quantitative data consisted of numerical answers to Likert-scale questions. On the advice of Dr. Frank Bezzina, the median rank for each question was calculated for both groups individually and in total. The median was chosen rather than the mean to avoid suspect results due to outliers. A Mann-Whitney U test was used to test for differences between the ranks of the two groups.
Qualitative data was analysed in order to compare responses between the two main interviewee groups. Common responses and differences were highlighted.
3.5 LIMITATIONS
A number of limitations were encountered during the research phase:
The low response rate obtained
Groups were made up of less than eight respondents each, while eight is the preferred minimum number for a Mann-Whitney U test
Due to the time constraints and word limit, only a small sample could be chosen; a larger sample would have resulted in more information for analysis
Due to the required word limit, the analysis of qualitative data was restricted to the more important comments made
Despite the above limitations, this researcher believes that the findings and the conclusions reached in this study shed useful light on the subject matter of the study.
4.1 THE ROLE AND FUNCTIONS OF THE INTERNAL AUDITOR
It is interesting to note that there seems to be agreement among the two company groups interviewed with respect to the role of the IA. The two main aspects of the IA role pointed out were: the 'operational role', carrying out reviews of operations and procedures in the company and making recommendations to senior management regarding the proper functioning of controls; and the 'ad-hoc' element, being investigations into reported concerns.
Such concerns could involve matters of fraud, which may come up as a result of the IA's investigations into operations. The term 'value-adding' was repeatedly mentioned, and also reflected in a respondent's comment stating that his company 'really needed' an IAF.
The IA's role is often defined in the audit plan approved by the AC, changing according to the 'risk picture' in order to tackle material areas that have a significant operational or financial impact. As evidenced by one respondent, the role of an outsourced IAF is generally defined by AC instructions.
A more formal IAF exists within two companies, being the third line of defence in an organised Enterprise Risk Management framework overseeing customer-facing units and compliance and risk management units.
The concept of the on-going nature of the IA's work is not popular with all respondents. Some stated that the IA is simply needed to perform occasional spot checks on risk areas pointed out by the AC.
Companies not having an IAF were asked whether they believe that the EA alone is sufficient to provide assurance regarding internal operations. All respondents disagreed with this, stating that this is management's responsibility; however, one interviewee noted that the EA's representation letter does provide some form of assurance on the adequacy of internal processes.
4.1.1 Extending the Internal Auditor's Role
Interviewees had different opinions on this. One IA explained that IAs should get involved at an early stage in the decision making process to make a more relevant contribution by evaluating the relevance and reliability of the data and testing the strength of the process.
Most IAs believe that there is no need for a role extension since the function already covers audit areas extensively, performing 'deep dive audits' for specific high risk areas, and maintaining well-trained staff. Only one company in the sample made a specific commitment to expand the role of the current IA and also employ an additional professional for that role.
4.2 INTERNAL AUDITOR INDEPENDENCE
All respondents agreed that independence is essential to the role of the IA. Table 4.1 shows the results.
Table 4.1 IA Independence
Median Total
Median with IAF
Median without IAF
P-value*
The IA must be independent in the performance of duties
5
5
4
0.006
1 = Strongly Disagree and 5 = Strongly Agree
*Significantly different between companies having an IAF and companies without an IAF at a level of significance ≤0.05
Note: With IAF- Group 1, Without IAF- Group 2
Some respondents explained independence in terms of the IA's reporting line to the highest authorities in the company. Respondents in the IA group highlighted the importance of organisational structure and the 'tone at the top' within the company that enables the IAF freedom to choose areas for review- the so-called programming independence. Only one respondent, within the second group, was an exception to this opinion, stating that the IA should strictly follow AC instructions.
Most respondents mentioned the concept of 'independence of mind': forming an unbiased opinion, criticising 'systems rather than people' as one IA put it. The second group (those without an IAF) highlighted the importance of the IA's resistance to intimidation and the objectivity needed to form conclusions on sensitive issues.
The independence 'in appearance' was mentioned by the head IA of a large company, emphasising that IAF members should preferably not be associated with reviews of departments with which they were previously employed.
The p-value in table 4.1 indicates that the ranking in the two groups is significantly different, which is supported by the greater importance attributed to independence in the first group.
4.2.1 Independence at the Audit Committee Level
Respondents agreed on the importance of independence at the AC level. Table 4.2 shows no significant difference between responses given by the two groups.
Table 4.2 Audit Committee Independence
Median Total
Median with IAF
Median without IAF
P-value*
Independence at the AC level is important within a company
4
4
4
0.729
1 = Strongly Disagree and 5 = Strongly Agree
*Note: Significantly different only if the level of significance ≤ 0.05. No significance in this case.
Note: With IAF- Group 1, Without IAF- Group 2
Some respondents in group 1 consider AC independence as having non-executive directors as AC members. Other IAs emphasised the sole responsibility of the AC in setting strategy and reviewing management, an agent of company shareholders. Just as the AC needs a strong IA, the IA needs a strong independent AC to support the function, as explained by one IA.
The situation in practice is somewhat different, with respondents from both groups explaining that control over the function is not strictly reserved to the AC, but rather to the whole board, and at times even management. This is especially the case when the AC is only interested in the ultimate financial result and operational issues are discussed with management.
4.2.2 Threats to Independence
The majority of respondents agreed that independence is mostly threatened by the 'human element': personal relationships with fellow managers being assessed and social pressures from auditees. Extensive experience within a company was described as a 'double-edged sword', enabling a better understanding of departments' functions but creating some tension with colleagues during audit reviews.
The IA's dependence on company payroll was also mentioned by respondents in both groups, with the IA's independence of mind being emphasised as crucial in such situations. Nevertheless, one respondent from the second group explained that one cannot afford to ignore payroll and peer pressures in small companies.
A corporate culture of resistance to change and a perception of the IA as a watchdog are major barriers that the IA has to break in order to build trust-based relationships and be consulted by management as an independent professional within the company.
Self-reviews brought about by the IA's involvement in setting up systems is a major threat to independence, according to the literature. However, respondents in group two felt that though such segregation of duties is ideal, independence of mind should counter the threat. Most respondents in group one feel that threats to independence are well managed in practice and do not hinder the proper functioning of the IAF.
4.2.3 Measures to Ensure Internal Auditor Independence
Three solutions were presented to respondents as possible measures to ensure IA independence within a company. Table 4.3 shows that in all three cases, there is no significant difference between the rankings of the two groups.
Table 4.3 Measures to Ensure IA Independence
Median Total
Median with IAF
Median without IAF
P-value*
a. IA responds to both management and ultimate governing body
3
2
4
0.416
b. Formal audit charter specifying IA status and responsibility
4
4
3
0.173
c. Outsourcing the IAF
3
3
3
0.161
1 = Strongly Disagree and 5 = Strongly Agree
*Note: Significantly different only if the level of significance ≤ 0.05. No significance in this case.
Note: With IAF- Group 1, Without IAF- Group 2
The general opinion in both groups was that the IA should have a direct reporting line to the AC with only a 'reporting protocol' to management to tackle all issues at an early stage. However, one IA who stated that draft IA reports should go first to management for their comments before the submission of the final report.
A formal audit charter approved by the AC exists within all companies in group one except for the company outsourcing the IAF where a formal engagement letter approved by the AC is prepared explaining the duties of the IA appointed. The audit charter is considered by two IAs as setting the foundation for the IA's role and giving the IA access to information. It can also be used to inform employees what to expect from the IA, as specified by two group two respondents. However, other respondents believed that this is only needed for a new IAF and that ultimately the IA's personal characteristics affect independence.
Respondents seemed uncertain if outsourcing the IAF would assist IA independence. The majority of IAs expressed their doubts regarding the effectiveness of a professional who would not have in-depth knowledge and understanding of the company. Some were also sceptical due to fee dependence, indicating the similarity to payroll dependence for an in-house function and the lack of commitment by a service provider receiving a low fee.
Outsourcing was mentioned as an option for areas in which the company lacks specific expertise. The only respondent advocating outsourcing was from group two; however, the perceived duties of such a professional were described as investigative in nature.
4.2.4 Internal Auditor Reporting Responsibility
Respondents from group one stated that they report to the AC and some also mentioned reporting to the company chairman. Interviewees from the second group agree with the concept of the IA reporting to the AC with one respondent stipulating that the IA should report specifically to the AC member with a background in accounting/auditing.
