The Relationship Between the Internal Audit and Corporate Culture in the Avoidance of Fraud

I. Introduction

This paper is focused on exploring the interaction between auditing, mostly internal auditing functions, and good corporate governance. Specifically, the research question revolves around determining the necessary culture, structure, and qualities of an organization that has an effective independent IAF and is, therefore, able to be checked into maintaining in line with the interests of their stakeholders. Cohen and Hanno provide a solid definition of corporate governance, when they define it as “those oversight activities undertaken by the board of directors and audit committee to ensure the integrity of the financial reporting process” (Cohen & Hanno, 2000, p. 134). In other words, corporate governance is what ensures a corporation does not commit corporate fraud, among other things. It is what keeps a corporation accountable. But given that the market has many different levels of impetus toward fraud (as indicated, if nothing else, by the seeming inexhaustible stream of fraud that we have witnessed in the last century), it is a crucial question to determine what creates effective and ethical corporate governance.

The Institute of Internal Auditors outlines four key elements of good corporate governance: “the external auditor, the audit committee, management, and the [internal audit function] IAF” (Gramling, Maletta, Schneider, & Church, 2004, p. 194). Existing research suggests that the internal audit function (IAF) plays a support function for the other three elements of corporate governance, allowing for the creation of institutions that are best able to foster quality governance (Gramling et al., 2004, p. 194). Corporate governance is understood as the mechanism by which the representatives of the firm’s stakeholders act in their interests, providing “risk and control processes administered by management” (Gramling et al., 2004, p. 195). Effective corporate governance creates systems of accurate reporting and the creation of internal controls. The IAF is critical to this function, as it is capable of accessing the entire organization and serving as “the eyes and ears” of the other three corporate governance parties (Gramling et al., 2004, p. 196).

The IAF is capable of becoming a support structure for the other the three elements of corporate governance when it is objective, able to advise and analyze the company without an underlying motivation toward a particular conclusion (Goodwin & Yeo, 2001, p. 2001). Without a strong and a consistent IAF, companies are more prone to fraud (Beasley, Beasley, Carcello, Hermanson, & Lapides, 2000, p. 441). Specifically, according to Beasley, fraudulent companies are “less likely to have an audit committee in place prior to the fraud” (Beasley et al., 2000, p. 444).

A consistent trend in this research and its equivalents in the literature is the fact that corporate governance is dependent on independence and a mitigation of the inevitable conflicts of interests within corporate governance. This paper will explore the mechanisms by which a corporation is able to construct an independent and competent IAF. Specifically, this paper will argue that the creation of a legitimate IAF cannot be boiled down simply to organizational structure; in order to maintain a consistently effective intern auditing function, it is necessary to foster a corporate culture consistent with its purpose. The question of how does one create and encourage a corporate culture with a particular content is complex, and beyond the scope of this paper. Instead, the argument will be that in order to understand the efficacy of auditors in relation to the rest of corporate governance, it is necessary to move past simple discussions of the organizational structure and acknowledge the way that the “tone at the top” can shape every level of the company.

II. The Positive Effects of an Independent and Strong IAF and Audit Committee

One of the most persistent proposals for the cornerstone of strong corporate governance is the maintenance of qualified, committed, and independent auditors (Cohen, Krishnamoorthy, & Wright, 2002, p. 578). There is extensive research on the determination and measurement of IAF quality. The typical criteria used to determine quality IAF are “competence, objectivity, and work performance”(Gramling et al., 2004, p. 199). Competence has been evaluated in many ways, but researches have found things like the knowledge of company processes, professional certification, and experience to be good operationalizations of competence (Gramling et al., 2004, p. 200). Objectivity is mostly determined by the reporting relationship, as the systems of dependence make it more difficult for IAF to maintain its objectivity. The structure of the organization should be such that the executive running it is reporting high enough not to create a conflict of interest (Goodwin & Yeo, 2001, p. 109). Research consistently finds that strong corporate governance is one of the most important factors in the efficacy of audits within corporations. Specifically, corporations that appear to take auditing seriously are unsurprisingly better at it, demonstrating the interconnection between

Independence is associated with a decrease of fraud. In a recent study, the percentage of audit committees entirely consisting of directors with no relationship to the company other than stock ownership was considerably lower for companies that had been found to commit fraud compared to non-fraud companies (Beasley et al., 2000, p. 450). This research also found that fraudulent companies had fewer audit committee meetings and less frequent internal audit support (Beasley et al., 2000, p. 453). This indicates both a lack of opportunity to deter criminal accounting practices, but also the lack of support for auditing practices, with weak governance and a culture that isn’t focused on preventing criminal accounting behavior.

One relatively recent and critical development intended to reinforce the IAF was the Sarbanes-Oxley Act of 2002 (Abbott, Parker, Peters, & Rama, 2007, p. 804). This act severely curtailed the outsourcing of IAFs to external firms. The two assumptions that were determinative of the increase of the restrictions were, first, all IAF outsourcing was considered to be equally problematic. Second, management was assumed to be the one deciding on IAF outsourcing (Abbott et al., 2007, p. 804). Abbot et al tested, in their research, the hypothesis that it was the efficacy of the audit committees themselves that determined whether or not outsourcing was used in a destructive or productive way. Using survey data, they determined that there was a distinction between the outsourcing of routine auditing activities and special auditing functions. (Abbott et al., 2007, p. 830) Interestingly, they also determined that effective audit committees (“defined as those that are independent, meet frequently, and include a financial expert” (Abbott et al., 2007, p. 839) are more effective at outsourcing the less destructive forms of auditing out to external vendors (Abbott et al., 2007, p. 830). In this way, the rules of Sarbanes-Oxley seem to function in part to compensate for weak corporate governance and ineffective internal culture around auditing.

IV. Auditing Efficacy as a product of Corporate Organizational Structure

The organizational structure has an undeniable effect on the efficacy of IAF and other types of audits. Different types of processes and systems create different patterns of behavior, and auditors need to be able to consider the high degree of variance while determining an audit strategy (Cohen et al., 2002, p. 577). For instance, in Cohen et al.’s words, “a corporate governance structure that is primarily under the sway of management is not likely to curb overly aggressive accounting policies” (Cohen et al., 2002, p. 577), demonstrating the interaction between the different aspects of corporate governance. The way that this has been traditionally understood is in the formal analyses of different sorts of corporate personhood and structure, looking at things like supervisor relationships and the effects of delegation. This section of the paper will explore those concerns and illustrate why this approach, in itself, is inadequate for truly understanding what makes a corporation transparent and able to curb behavior such as aggressive accounting policies and fraud.

One prominent way in the literature to understand the way an organization like a firm functions is called “agency theory,” which is prominent in all sorts of studies of organizations like accounting, economics, finance, and marketing. At its most basic, agency theory studies the ubiquitous relationship “in which one party (the principal) delegates work to another (the agent), who performs this work” (Eisenhardt, 1989, p. 58). The defining metaphor is that of a contract. The two main problems in agency relationships that agency theory attempts to tackle are: first, the agency problem that arises when either there is a conflict in the aims of the principal and agent or it is difficult for the principal to determine what the agent is doing (Eisenhardt, 1989, p. 58). The second problem, risk sharing, “arises when the principal and agent have different attitudes toward risk” (Eisenhardt, 1989, p. 58). In this view, managers are not assumed to act in the shareholders interest; instead, they are acting in their own interest (Cohen et al., 2002, p. 579). This makes the auditor’s independence from management critical, as the managers underneath the agent model wouldn’t hesitate to manipulate the truth for their own gain.

Underneath agency theory, the rational for an internal audit is that it makes the flow of information between the principals and the agents more efficient. In Michael Adams paper, “Agency Theory and the Internal Audit,” he attempts to construct a robust theory of how internal audits function in terms of agency theory, using it to empirically test whether or not the differences in result reflect differences in organizational form. His test case is the insurance industry (Adams, 1994, p. 10). For instance, he discusses what happens to the internal audit of a company that has been bought out. Adams argues that the fact there is seemingly no relationship between leveraged buy-outs and the downsizing of internal audits can be explained in part by the desire for LBO managers to have increased knowledge of the firm which they have recently acquired. The situation is uncertain, and so, “LBO managers may perceive there to be a contracting cost advantage in retaining, and even strengthening, the existing internal audit function” (Adams, 1994, p. 11). He makes many other claims, for instance, discussing why out-sourcing is cost-inefficient insofar as it is far more difficult to keep track of thee specific agents that they have deputized to finish the work (Adams, 1994). In order to be effective, though, it is absolutely critical that the auditors be experts in monitoring behavior, as the rest of the corporation will likely not adhere to the standards of legal and ethical accounting without strong supervision (Cohen et al., 2002, p. 579). A strong monitoring and strategic regime in the corporate governance structure gives the potential for “both a more efficient (e.g., less extent of tests of details) and more effective (greater assurance of the integrity of the financial statements) audit” (Cohen et al., 2002, pp. 579-580).

In general, it seems like agency theory is simply a particular away of articulating institutional relationships that is not too distinct from the general methods of organizational theory writ large (Eisenhardt, 1989). Some perspectives hold that corporate governance is not at all important, though, conceptualizing the specifics as largely attempts to be consistent with regulatory form (Cohen et al., 2002, p. 579). Under this view, the agents of corporate governance is largely symbolic in terms of providing oversight, as management “selects cronies and colleagues who will not curtail their actions” (Cohen et al., 2002, p. 579). This pessimistic view essentially argues that the nominal independence of a particular appointee is irrelevant, as it is unable to account for the many and varied ways in which individual actors can manipulate the rules and regulations to serve their interests. It seems, though, that both conceptions of the function of corporate governance can be correct, just for different corporations. That is to say, perhaps the organizational structure of corporate governance can only tell us so much, and we must instead moved to more qualitative understandings of the processes embedded in any particular corporation. In other words, the corporate culture is critical to the development of an audit strategy.

V. The Efficacy of Auditing as a product of Corporate Culture

Even though the actual institutional structure of the organization is critically important for things such as their willingness to listen to audits, it isn’t sufficient to study the empirical cultural structure alone. No corporate structure is sufficient to check bad behavior if the employees are conspiring together, or actively negligent in their duties. The corporate structure is what comes into play in tweaking, or fine-tuning, corporations who are already in some sense committed to following the law and engaging well. When corporations have not yet “bought in” to the idea that legal accounting practices are important, it would be far more difficult to induce them too simply by the manipulation of their corporate structure. In order to be able to create a truly effective auditing regime within a corporation is necessary to also foster a culture that is sympathetic to the aims of auditing and capable of being transparent.

This is a slightly troubling conclusion, insofar as if it is the case that corporate governance is so formative for the development of auditing practices, it becomes difficult to see how reform can actually happen in a consistent or predictable way. An excellent example of this dynamic is the fact that changing the law on the books does not guarantee the shift in corporate governance. Laws, by themselves and immediately, cannot change corporate culture or the way individual executives in individual firms approach running their business. Things like the institutional structure, however, are easy to control and examine externally and are, therefore, subject to much regulation. The question remains, however, about the efficacy of such legal intervention and if it is actually capable of actualizing the change it aims for.

The Sarbanes-Oxley Act of 2002 (SOX) is a vivid example. Faced with the many colorful and disastrous public revelations of fraud from companies such as Enron, WorldCom, HealthSouth, Adelphia and others, the US passed SOX in an attempt to “legislate… ethical behavior” (Rockness & Rockness, 2005, p. 31). There have always been fraudulent reporting and unethical corporate management, since there have been corporations. The difference between the failures and public collapses in the late nineties and what had come before is that the frauds were more spectacular and more able to do massive damage (Rockness & Rockness, 2005, p. 35). This ethical failure is fundamentally due to a cultural failure, with many researchers suggesting that failures such as Enron being attributable to a corporate culture of “overly aggressive financial performance targets and a can-do culture that did not tolerate failure” (Rockness & Rockness, 2005, p. 38). Unethical behavior in companies tends to slide and increase, because many people engage in a small unethical act in what they believe is in the best interest of themselves and of the corporation. Particularly in the context of Skilling, the CEO of Enron at the time, the corporate culture was such that it seemed better to make a small ethical fudge on one’s numbers than fail to be rising to increasingly higher standards (Rockness & Rockness, 2005, p. 38).

Serious failures in accounting seem in this way to be due to a corporate culture that is not conducive to making ethical decisions in a consistent, well-supported manner. The SOX bill is strongly punitive, attempting to force expected behaviors and responsibilities through large penalties. It also attempts to regulate behavior through the clear delineation of what the responsibilities of senior management should be, outlining ethical obligations that they must follow (Rockness & Rockness, 2005, p. 45). SOX takes an unprecedentedly strong approach to regulating this behavior, using jail time instead of just various fines and punishments in that perspective (Rockness & Rockness, 2005, p. 45). Most of the inducements existent in SOX, however, is the creation of a regulatory regime to strengthen the independence of auditors in public companies. This follows from the analysis of the organizational components to IAF efficacy and the importance of independence therein (Rockness & Rockness, 2005, p. 46).

SOX acknowledge the importance of a strong and ethical corporate culture that starts at the top, but it does not have the tools to truly enforce it. Section 406 mandates that public corporations have a code of ethics, but the existence of the code is not sufficient to ensure it’s adoption (Rockness & Rockness, 2005, p. 46). Much like one hundred years of U.S. legislative attempts to legally induce ethical behavior, SOX has proven inadequate to the task (Rockness & Rockness, 2005, p. 47) In the long run, corporate culture is best understood and manipulated positively. In Rockness’s words, “business ethics is not a set of impositions and constraints but rather is the motivating force behind business behaviors” (Rockness & Rockness, 2005, p. 48). These traits are fundamentally social behaviors and exist in the context of the institutions that they are surrounded by, but are not encompassed by that. In terms of auditing, a corporate culture would need to be conducive to allowing the auditors to work independently and with seriousness, taking their recommendations as important parts of the larger corporate governance. Companies need to take auditing seriously in order for it to be successful, regardless of the specifics of the institutional structure.

Beyond the specific case of SOX, changing the law does not appear to guarantee any change in corporate governance. Particularly in international studies of legal regimes, the relationship between the law and economics has largely been considered to be a black box. Recent research in cross-national legal practices has aimed to unpack that distinction and evaluate more closely the ways in which culture and law intersect. Specifically, Licht et al. evaluates correlations between national cultures that promote “assertiveness in reconciling conflicting interests and that promotes tolerance for the uncertainty this creates” with the ability to use the law as a method of dealing with economic disputes (Licht, Goldschmidt, & Schwartz, 2005, p. 232). Additionally, and more problematically for the prospect of reform, the evidence they find also suggests that the culture is persistent despite formal legal reform. In their research, culture “refers to the complex of meanings, symbols, and assumptions about what is good or bad, legitimate or illegitimate that underlie the prevailing practices and norms in society” (Licht et al., 2005, p. 233). Specifically, they use dichotomies such as: embeddedness/autonomy, hierarchy/egalitarianism, mastery/harmony, individualism/collectivism, power distance, uncertainty avoidance, and masculinity/femininity (Licht et al., 2005, p. 235). They theorize that these general conceptual maps relate to investor rights in a complicated way, mainly reliant on a culture’s focus on Mastery and their tolerance of uncertainty (Licht et al., 2005, p. 236). The critical element is that cultures must be willing and able to challenge one another for the sake of a third party, which is a foundational element to a corporate governance that is properly oriented toward its stakeholders. There relationship between culture, law, and corporate behavior is complex and functions on many different levels, changing only slowly in response to shifts in daily life as opposed to formal reform (Licht et al., 2005, p. 252). In their words, “prevailing cultural values generate a path dependence dynamic that may slow down or block adaption to change” (Licht et al., 2005, p. 252).

One fascinating case in terms of the relationship between corporate culture and the efficacy of internal audits is Goodwin and Yeo’s research on Singapore. Internationally, IAF is often used as a “management training ground.” This means that the IAF is a frequent stop for management on the way to other managerial positions, with the desire to train versatile and well-rounded managers (Goodwin & Yeo, 2001, p. 111). The initial problem is that this seems like it makes a truly independent IAF impossible, insofar as there is no real separation between the auditors and the rest of the company. With a traditional understanding of independence, as reflected in United States legislation like SOX, this should be devastating. This institutional structure leads to situations where an auditee might become the immediate superior of the auditor after they are transferred back out into the normal management track (Goodwin & Yeo, 2001, p. 119), a clear and obvious concern in terms of mitigating personal conflict of interest. However, the survey respondents did not seem concerned, with 48% disagreeing with the idea that this could “lead to impairment in the work of internal auditors” and a further 20% taking a neutral position (Goodwin & Yeo, 2001, p. 119). However, this corporate structure was also associate with an extremely high value being placed on the auditing function, with only 13.8% disagreeing with the idea that experience in internal auditing was valuable for management (Goodwin & Yeo, 2001, p. 120). Additionally, and although there is no evidence thus far of a causal link, companies that used IAF as a management training ground were more likely to have a separate audit committee composed of more independent directors (Goodwin & Yeo, 2001, p. 122). A plausible explanation for this finding is that a corporation that has many former auditors in high management positions understands the value and importance of auditing. That is to say, it is possible that the detriment to independence from such a corporate structure would be outweighed by the benefit to a corporate culture conducive to and compatible with auditing.

Auditors in the United States also seem to acknowledge the importance of corporate culture and “tone.” In an extensive study consisting of interviews with 36 practicing auditors, Cohen et al. found that respondents primarily understood corporate governance in terms of the action and behavior of senior management, above the other three of the four “planks” (Cohen et al., 2002, p. 582). Auditors are some of the most qualified commentators to speak in the actual functioning of corporations, given their constant exposure to the details of different types of institutional structures, making this a valuable source of data on the practices of corporations. One auditor specifically cited the CEO as setting the “ethical spine” that is operative on all other corporate governance functions (Cohen et al., 2002, p. 582). They also generally stressed the necessity for upper management to consent to be governed, separating the institutional structure of monitoring and control from its efficacy (Cohen et al., 2002, p. 582). Practicing auditors understand the process of auditing in terms of the personalities of management and their ethical spines, their willingness to be consistent with the demands on them that are necessitated by the auditing process and a consistent commitment to good accounting practices. All of the respondents gathered information about the governance of a corporation when conducting an audit and half of them said that the governance plays a key role in deciding to accept a client at all (Cohen et al., 2002, p. 583). The strongest factor cited in terms of what constituted a “strong” governance was “the credibility of management,” (Cohen et al., 2002, p. 584) which speaks to not any particular institutional concern as much as the general interaction of corporation and culture. Indeed, 84% of respondents “believed governance will play a greater role in the future while 77 percent indicated that corporate governance should play a greater role than is currently observed in practice” (Cohen et al., 2002, p. 587).

VI. Conclusion

To quote Arthur Levitt, former chair of the SEC, “the link between a company’s directors and its financial reporting system has never been more crucial” (Cohen et al., 2002, p. 577). Auditors, in order to be able to fulfill their job to the necessary extent, must be able to work closely and in concert with other members of the “corporate governance mosaic” (Cohen et al., 2002, p. 577). The smooth functioning of the auditing processes and the IAF is essential to the development of the corporation as a whole, but the burden of this functioning does not fall entirely on them. As this paper has elaborated, the efficient and effective functioning of auditors in large corporations depends on many factors, including the organizational structure of the corporation and the corporate culture. Those two aspects are mutually reinforcing and they can blend to either create a culture that is conducive to fraud or inimical to it.

This focus on tone and culture, in addition to the more traditional understandings of monitoring and independence, shifts both the need for further research and further thought in regulation regimes to an exploration of what makes a culture and how one can shape it. On face, this would seem difficult to regulate, but with a clearer understanding of the mechanisms by which a corporation develops a corporate culture conducive to transparent and honest accounting practices, it may be possible.

References

Abbott, L. J., Parker, S., Peters, G. F., & Rama, D. V. (2007). Corporate Governance, Audit Quality, and the Sarbanes-Oxley Act: Evidence from Internal Audit Outsourcing. The accounting review, 82(4), 803-835. doi: 10.2307/30243479

Adams, M. B. (1994). Agency theory and the internal audit. Managerial Auditing Journal, 9(8), 8-12.

Beasley, M., Beasley, J., Carcello, D., Hermanson, P., & Lapides. (2000). Fraudulent Financial Reporting: Consideration of Industry Traits and Corporate Governance Mechanisms. Accounting Horizons, 14(4), 441-454.

Cohen, J., Krishnamoorthy, G., & Wright, A. M. (2002). Corporate governance and the audit process*. Contemporary accounting research, 19(4), 573-594.

Cohen, J. R., & Hanno, D. M. (2000). Auditors' consideration of corporate governance and management control philosophy in preplanning and planning judgments. Auditing: A Journal of Practice & Theory, 19(2), 133-146.

Eisenhardt, K. M. (1989). Agency theory: An assessment and review. Academy of management review, 14(1), 57-74.

Goodwin, J., & Yeo, T. Y. (2001). Two factors affecting internal audit independence and objectivity: evidence from Singapore. International Journal of Auditing, 5(2), 107-125.

Gramling, A. A., Maletta, M. J., Schneider, A., & Church, B. K. (2004). The role of the internal audit function in corporate governance: A synthesis of the extant internal auditing literature and directions for future research. Journal of Accounting Literature, 23(1), 194-244.

Licht, A. N., Goldschmidt, C., & Schwartz, S. H. (2005). Culture, law, and corporate governance. International Review of Law and Economics, 25(2), 229-255.

Rockness, H., & Rockness, J. (2005). Legislated ethics: From Enron to Sarbanes-Oxley, the impact on corporate America. Journal of Business Ethics, 57(1), 31-54.