Position

This section will shed light on the issues of the organizational position, size, staffing, and how to control IA.

Organizational position

Let's begin with position and corporate governance: two very important factors when it comes to independence. There are a number of IIA Inc. Standards (2001d) dealing with independence and objectivity. No. 1100 is the generic one (independence and objectivity), further detailed in 1110 (organizational independence), 1120 (individual independence), 1130 (impairments to independence or objectivity), and no less than five different Practice Advisories. Although independence is very much emphasized in the Standards and many publications, Hawkes and Adams (1995) found that customers feel that internal auditing is enhanced when auditors and their clients establish close relationships based on a cooperative and participative approach as opposed to an independent and prescriptive appraisal function.

Thus despite the views of the profession in general, there is some disagreement from outside.

Standard 1110, which deals with organizational independence, states: "The chief internal auditor should report to a level within the organization that allows the internal audit activity to fulfil its responsibilities".

The relevant Practice Advisories, 1100 and 1110, continue:

Internal auditors are independent when they can carry out their work freely and objectively. Independence permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of engagements. It is achieved through organizational status and objectivity.

And:

1. Internal auditors should have the support of senior management and the board of directors (BOD) so they can obtain the cooperation of engagement clients and perform their work free from interference.

2. The Chief Audit Executive should be responsible to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of engagement communications, and appropriate action on engagement recommendations.

3. Ideally, the Chief Audit Executive should report functionally to the Audit Committee, board of directors, or other appropriate governing authority, and administratively to the Chief Executive Officer (CEO).

4. The Chief Audit Executive should have direct communication with the BOD, Audit Committee, or other appropriate governing authority. Regular communication with the BOD helps assure independence and provides a means for it and the Chief Audit Executive to keep each other informed about matters of mutual interest.

5. Direct communication occurs when the Chief Audit Executive regularly attends and participates in meetings of the BOD, Audit Committee, or other appropriate governing authority which relate to its oversight responsibilities for auditing, financial reporting, organizational governance, and control. The Chief Audit Executive's attendance and participation at these meetings provides an opportunity to exchange information concerning the plans and activities of IA activity. The Chief Audit Executive should meet privately with the BOD, Audit Committee, or other appropriate governing authority at least once a year.

6. Independence is enhanced when the BOD concurs in the appointment and/or removal of the Chief Audit Executive.

Quite frankly, the way independence and objectivity are used interchangeably by the Standards, may cause confusion. As demonstrated above, independence for IA is an oxymoron. The same goes for objectivity. As already described - not only above, but also in Chapter 1 - the scientific debate is around two extremes: objectivity and subjectivity. This research is based on the premises of neo-positivism, allowing for "a more subjective approach than any hard-line positivist would dream of'". Objectivity as in presuming one can take a look at facts without any bias from dominant paradigms and personal feelings is very hard to do, if at all possible (Johnson and Duberley, 2000 and Partington, 2002). Independent as in subject to no one else and not being ruled by anyone or anything is in this respect definitely not the case. However you slice it, the IA reports to some principal, is his agent and, therefore, not independent.

The issue then remains, what is the best level to report to in order to foster the maximum amount of objectivity independence? From an Agency Theory perspective, the question is, what is the most appropriate principal for IA? An apparently feasible option is to go completely outside the organization. That is, outsource the IA. But then the Chief Audit Executive would no longer be seen as "one of us", which according to Williamson (1975, 1996) is one of IA's main advantages over External Auditor (see our discussion of Transaction Cost Economics in Chapter 3). He reasons that this insider status enhances the flow of information, and that would be eliminated if the Chief Audit Executive were an outsider.

This study has been conducted from the perspective of a two-tier Corporate Governance system, since this is the dominant one in The Netherlands. The IA could either report to the Management Board or to the Supervisory Board/Audit Committee. Both options are still within the organization and, therefore, the IA would not be considered an outsider. This would lead to the following scheme:

IAF

MB SB/AC

Management IAF

Agent

Agent

Principal Principal

Agent Agent

Figure 4: Possible Re-shift of the IAF: Increasing independence?

The outcome would be that, in Agency Theory terms, the relationship between the Management Board and IA changes from a principal-agent to an agent-agent one. The question would then be whether the Management Board will cease to regard IA as its instrument. And if so, what might that mean? Are they going to create a new one, solely serving them? Surely, the most logical reaction would be that IA is now in the hands of the Supervisory Board and out of the direct control of the Management Board. On the one hand, that would inherently foster independence.

On the other, that might stir up a fair amount of alienation within the organization, and not only within the Management Board. The Williamson argument that they are "one of us" might also be affected as well. In the case studies this issue has been addressed and this will be discussed in Chapter 5, with some surprising results.

While the IIA Inc. Standards (2001d) do not provide a clear statement about whether or not IA should report to the highest level of an organization, the Practice Advisories do. The ambiguous distinction between "functional" and "administrative" reporting lines is further detailed in yet another PA (1110-2), where the following explanation is given:

The functional reporting line for the internal audit function is the ultimate source of its independence and authority. As such, The IIA recommends that the Chief Audit Executive report functionally to the Audit Committee, Board of Directors, or other appropriate governing authority. Administrative Reporting is the reporting relationship within the organization's management structure that facilitates the day-to-day operations of the internal audit function.

The IIA Inc seems to be of two minds. Standard setters seem to acknowledge via the Practice Advisories that the Audit Committee would be the most suitable candidate. But the Standards themselves are less outspoken and for reasons one can only guess. Maybe their perspective is influenced by what would be acceptable to members of the Management Board. And who would blame them?

Now let's take a look at some data pertaining to the positioning of IA within the organization.

Using a 14-page survey that was sent to 750 CIA's in US associates, The Conference Board studied reporting lines in mid 1988 (1990). The response rate was 51%, and covered 375 surveys.

Table 2-1: Reporting lines of the Chief Audit Executive (surveys Conference Board) Reporting lines

(in%)

1963 1978 1988

CFO 7 34 48

CEO 2 6 17

Audit Committee 0 5 10

Controller 54 30 15

others 37 25 10

The development is clear. There is an undeniable shift towards higher ranked officers and also the Audit Committee is increasingly reported to. There are other surveys (IIA, 2001c, p 88) showing that the trend continued.

Table 2-2: Reporting lines of the Chief Audit Executives (survey IIA Inc) Reporting lines

(in %)

IIA Inc 2001¹⁴

CFO 59

CEO 9

Audit Committee 32

Controller 12

others 11

The trend may even have gained in pace. According to Gray (2004), due to the Sarbanes-Oxley Act internal auditors might be on the verge of being reporting to the Audit Committee.

"In terms of status, they are now reporting directly to the audit committee and play a greater role in the audit committee's meeting agenda." (2004, xvi) But it comes at a cost. That is, the image of IA is shifting back toward the dreaded "company police officers" - hatchet men - (2004, xxi) instead of the desired (by the profession that is) image of partners or consultants.

14 The numbers add up to well above 100% because multiple answers were possible.

As will be shown in Chapter 3, many IAF's functionally report to the CEO and administratively to the CFO or the like. At the end of the day, the administrative report will most likely be the one who "signs the pay check" and will be leading in appraising the Chief Audit Executive and the IA. From the agency perspective, nothing really changes. Both CEO and CFO are members of the principal body for IA. Hughes (2004) has some strong feelings on this issue as well.

It is time that the audit committees quit undermining the internal auditors by having them report to the CEO or CFO, the most likely originators of fraudulent practices.

The internal auditor should report both functionally and administratively to the audit committee.

That these issues have been bobbing around for a long time can be seen by comparing statements from nearly 50 years ago and now. In 1957 Walker (1957, 9) wrote that IA could report to the controller, treasurer, or "any officer of sufficient rank as will assure adequate consideration and action on the findings and recommendations". But, according to him, it was neither necessary nor practical to report to the Management Board. He wrote, "in our opinion, it is not practical in most cases because we believe internal auditing can be most effective as a tool in the hands of active management" (1957, 9). Surely, almost 50 years ago it was a different era, allowing for a different set-up. As will be shown below, the current era would sharply disagree with what was then acceptable.

In Chapter 4 I will come back to this subject. For the moment, let us conclude that Tabaksblat (2003, 31) is ambiguous about who should be responsible for the care and feeding of IA, and who it should ultimately be responsible to. Yes, it should operate under the Management Board. But the Audit Committee also has some responsibility for IA.

Irish (1957), a representative of the Institute of Chartered Accountants in Australia, states that the internal auditor must be able to act without fear or favour and he should not be pilloried if he speaks unpalatable truths. "Superficially at least, this would seem to demand [that] he be given some element of independence." (1957, 17) A sentence like that nowadays would make many internal auditors shiver with horror. Words like "superficially" and "some element of independence" show a disdain not worth repeating. The tenor that one catches every now and then during drinks at the bar is the old dispute between internal and external auditors about who is best suited to serve the needs of management. And sometimes one notices glimpses of that in Corporate Governance codes like Tabaksblat.¹⁵

Irish acknowledges of course that there is a principal-agent relationship that hampers independence. He goes on to stress the need to clarify the role and objectives of the IAF and the need for every internal auditor to be independent in mind. This also seems to be a Pavlovian response. It seems that everyone is aware that independence is not going to be solved via positioning the IAF somewhere in the organization under the jurisdiction of the Management Board. The deus ex machina is the independence in mind, relying heavily on the character of the professional, like the "probity of character" good luck mantra uttered by Flint.

15 One of the best practices reads as follows: "The external auditor and the audit committee shall be involved in drawing up the work schedule of the internal auditor. They shall also take cognizance of the findings of the internal auditor'." This shows that the internal auditor is what the external auditor would like him to be.

MacPherson (1957, 21) is exemplary in this respect. He stated, correctly, that independence is relative and not absolute, and referred to mental attitude as an essential element for any internal auditor. Stokvis (1957, 49) swam against the current at the 1957 conference and showed that he was ahead of the curve by proposing that "it is essential that the internal auditor should receive his instructions from top-management alone". His views are common ground today and have been elaborated in many ways in the IIA Standards.

All to no avail to solve the independence issue, I would argue. From an Agency Theory perspective, the best solution to the problem is to make the Supervisory Board/Audit Committee the principal of IA. The most important question resulting from that solution is whether there will be adverse effects that would lead the organization to come up with a second best solution. In the one-tier environment and the applicable corporate governance codes this is already forthcoming and envisioned. Whether Management Boards or Supervisory Board/Audit Committees like it or not, there is no other option than making IAF report to - and subject to - the Audit Committee. In a two-tier environment this might lead to more cut backs.

As became clear in the Tabaksblat code and the case studies, Management Boards do not like the idea at all. Supervisory Board/Audit Committee's are also reluctant to embrace this idea.

As are Chief Audit Executive's. But the last mentioned are more in favour of this position because it will enhance their independence. However, they acknowledge that this will come at a cost and will not necessarily make life easier. The alienation of the rest of the organization – no longer to be seen as one of us – and the envisioned difficulties in opening up of interviewees and accessing information are certainly aspects to ponder. In organizations where corporate governance and culture are very well developed, no real barriers might be encountered. But for those that are lagging behind in that respect, Chief Audit Executives will be facing more severe cut backs.

There seems to be at least one differing view with regard to IA supporting the Audit Committee. Nagy and Cenker (2002) questioned 11 Chief Audit Executives and discovered that most of them said their role in assisting the Audit Committee of overseeing financial reporting had not changed in the last few years. And none of them anticipated that it would change in the near future. But this was in 2002, just prior to the Sarbanes-Oxley Act coming into effect. All that would change shortly thereafter.

Tabaksblat came up with provisions that require the Audit Committee to stay in contact with IA. Biewinga, Bossert, and Dassen (2003) regretted that Tabaksblat did not allow for a direct communication line between Audit Committee and IA. In their view, the Audit Committee needs independent information pertaining to the risk and control systems of the organization and IA would be best suited to be their supplier. I couldn't agree more. There is other research providing supporting data for a closer relationship between the Audit Committee and IA.

Goodwin (2003) studied the relationship between Audit Committee and IA. Her conclusions are also worth mentioning.

The most important finding of the study is that the independence of the audit committee and the level of accounting experience amongst committee members have a complementary impact on audit committee relations with internal audit. While independence is associated with a number of issues of process, it is the proportion of committee members with an accounting or finance background that is associated with the extent of the review of internal audit work.… It would appear that independence alone is not sufficient, and the extent of accounting expertise on the committee will help ensure that the audit committee makes appropriate use of the work of internal audit as recommended by the IIA. (2003, 274)

According to Goodwin, adequate expertise on the part of the Audit Committee is a necessary condition to maximize the positive impacts of IA. I am in total agreement with this standpoint.

Considering what happened later - after spectacular corporate failures like Enron, WorldCom, Ahold, and Parmalat - the Institute of Chartered Accountants of Scotland (ICAS) seemed to have been in possession of a crystal ball in 1993.

In our opinion the corporate governance framework within which external auditors operate is deficient. We believe it is reasonable for the public to expect that the external auditors are independent of the directors of companies being audited. Within the present corporate governance framework it is not clear that this is the case. (1993, 29)

And with regard to internal audit their opinion is equally noteworthy. The Chief Audit Executive "should report to a Financial Reporting and Audit Committee (FRAC) made up entirely of non-executive directors. The FRAC should approve the appointment, and the termination of the employment of the Chief Audit Executive. The Chief Audit Executive should be free to communicate with the external assessors at any time" (1993, 32). ICAS continued: "We believe that companies without a strong internal audit function will be unable to provide an audit committee with sufficient information to fulfil its responsibilities." (1993, 35-36)

According to the ICAS, the FRAC should run interference between two sets of needs. One, those of the IA for independence and authority. Two, those of the external auditor to supervise and control IA activities. The Chief Audit Executive and the external auditor should attend all meetings of the FRAC. It is tempting to say that the developments discussed in Chapter 4, are just that what the ICAS paper already pronounced as desirable, although many at that time probably would have considered it "a bridge too far".

The IIA The Netherlands (1999) did a survey of Chief Audit Executives, and 58% of them agreed that the Supervisory Board should appoint the Chief Audit Executive. In a study by Paape, Scheffe and Snoep (2003) among 332 Chief Audit Executives of top-listed companies in the EU, it was shown that two thirds had an Audit Committee. But due to different regulations on the issue, the per country numbers went up and down like a yo yo. For example, in the UK - where Audit Committee's are required - 100% of the respondents had them. In Austria and Portugal – where they were not – the percentages dropped to zero.

When questioned who should appoint the Chief Audit Executive, 59% agreed it should be the Audit Committee. It seems Chief Audit Executive's in the EU like the idea of being appointed by the Supervisory Board/Audit Committee. Not surprisingly, because if they were to be appointed by the Audit Committee this would not only enhance their independence, but also their stature. Although the idea of being appointed by the Supervisory Board/Audit Committee might be appealing to the majority of the Chief Audit Executive's, there are some

When questioned who should appoint the Chief Audit Executive, 59% agreed it should be the Audit Committee. It seems Chief Audit Executive's in the EU like the idea of being appointed by the Supervisory Board/Audit Committee. Not surprisingly, because if they were to be appointed by the Audit Committee this would not only enhance their independence, but also their stature. Although the idea of being appointed by the Supervisory Board/Audit Committee might be appealing to the majority of the Chief Audit Executive's, there are some