The Effects of Internal Audit Report Type and Reporting Relationship on Internal Auditors' Risk Judgments

Abstract

SYNOPSISThe governance literature (e.g., Archambeault, DeZoort, and Holt 2008) highlights the lack of internal audit information available to external stakeholders and discusses the need for a publicly available internal audit report (IAR) to describe the function and/or provide assurance. We study the effects of IAR type (i.e., descriptive IAR, assurance IAR) and internal audit reporting relationship (i.e., primarily to management or primarily to the audit committee) on internal auditors' judgments. Specifically, 108 experienced internal auditors provided fraud risk and control risk assessments in an experiment where IAR type and reporting relationship were manipulated randomly between subjects. Fraud risk assessments are higher (more conservative) when internal auditors provide assurance in an IAR or when they report primarily to the audit committee. A significant interaction indicates that internal auditors provide higher control risk assessments when they provide assurance in an IAR and report primarily to the audit committee. Providing descriptive information in an IAR to external stakeholders does not significantly affect internal auditors' fraud risk or control risk assessments. Supplemental results indicate moderate and varied support among internal auditors for the issuance of a descriptive IAR to external stakeholders, but significantly less support for the issuance of an assurance IAR. The results, in combination with Holt and DeZoort's (2009) evidence regarding the effect of descriptive IARs on investors' judgments, suggest the need for discussions of the value of IARs in practice.