The current issue and full text archive of this journal is available at
www.emeraldinsight.com/0268-6902.htm
MAJ
26,6
464
Received 23 November 2010
Revised 2 February 2011
Accepted 21 February 2011
Managerial Auditing Journal
Vol. 26 No. 6, 2011
pp. 464-481
q Emerald Group Publishing Limited
0268-6902
DOI 10.1108/02686901111142530
External auditors’ reliance
on internal auditing:
further evidence
Lois Munro
School of Accountancy, Queensland University of Technology,
Brisbane, Australia, and
Jenny Stewart
Department of Accounting, Finance and Economics, Griffith Business School,
Griffith University, Brisbane, Australia
Abstract
Purpose – The purpose of this paper is to explore whether internal audit’s reporting relationship
with the audit committee and the client’s business risk environment impact external auditors’ reliance
on the work of internal audit.
Design/methodology/approach – An experiment is conducted using a 2 £ 2 between-subjects
design where we manipulate the above two factors at strong and weak levels. Participants are 66 audit
partners, managers and seniors, all experienced with clients having internal audit functions.
Findings – The results indicate that both factors affect external auditors’ reliance on work already
undertaken by internal audit and their use of internal auditors (IA) as assistants. The results also indicate
that external auditors are more likely to use internal audit for control evaluation tasks than for substantive
tests of balances. The study does not find any significant interaction effects between the two factors.
Originality/value – No prior studies have examined the influence of reporting relationship and client
business risk on external auditors’ reliance decisions in the current governance environment. Further,
the paper examines the impact of these factors on reliance on work already undertaken by internal audit
and on using IA as assistants, with respect to both control evaluation work and substantive testing
of balances.
Keywords Internal auditing, External auditor reliance decisions, Audit planning, Audit Committees,
Business risk
Paper type Research paper
1. Introduction
In recent years, the internal audit function has become a key corporate governance
mechanism alongside the audit committee, external audit and management (Cohen et al.,
2004; Gramling et al., 2004; Schneider, 2009). As reflected in the Institute of Internal
Auditors (IIA, 2009), definition of internal auditing, internal audit is both an assurance
and consulting activity concerned with evaluating and improving the effectiveness of
risk management, control and governance processes. In the USA, the Sarbanes-Oxley
Act (SOX) (US Congress, 2002) requires management to certify the adequacy of the
firm’s internal controls and report on the effectiveness of these controls in the annual
report. In addition, the New York Stock Exchange enacted a requirement in 2003 that all
listed companies must have an internal audit function, either in-house or outsourced
(Schneider, 2009). Research has provided evidence of a growth in internal audit in the
post-SOX period, with an increase in the workload and responsibilities of internal audit
departments (Grant et al., 2009) and an increase in resources (budgets and staffing) for Reliance on
the internal audit function (Schneider, 2009). internal auditing
Australian and International Auditing Standards (ASA 610, 2009; ISA 610, 2010)
specify that the activities of the internal audit function may include monitoring and
improving internal controls, examination of financial and operating information, review of
operating activities, review of compliance with laws, regulations and policies, identifying
and evaluating risk exposures and improving risk management, and assessing the 465
corporate governance process (ASA 610, 2009). In addition, the Australian Securities
Exchange (ASX) Corporate Governance Principles and Recommendations (ASX, 2010)
specify that the internal audit function will generally perform an analysis and independent
appraisal of the effectiveness of the company’s risk management and internal control
system on behalf of the board. As a result of these regulatory reforms, the responsibilities
of the internal audit function have increased significantly in the last decade.
The changing governance environment over this time has led to an increased
emphasis on the relationship between IA and external auditors (Gramling et al., 2004;
Grant et al., 2009). While external auditors’ reliance on the work of internal audit has
been researched for almost three decades (Clark et al., 1980; Margheim, 1986; Schneider,
1985; Whittington and Margheim, 1993), the focus of many studies has been on the
objectivity, work performance and competence of the internal audit function (Brown,
1983; Krishnamoorthy, 1994; Messier and Schneider, 1988; Schneider, 1984). Given that
there is now a closer alignment between internal and external audit in this changed
environment, further examination of this relationship is warranted.
The objective of this study is to examine two factors that might influence external
auditors’ reliance decisions in the current governance regime. These factors are the
internal audit’s reporting relationship with the audit committee and the client’s business
risk environment. Using a scenario involving a financial institution, we manipulate
these factors at two levels (stronger and weaker) to explore their impact on external
auditors’ reliance on the work of internal audit and on their use of IA as assistants in
performing audit tasks[1].
Our study makes a number of key contributions. Prior studies examining the impact
of internal audit reporting relationships on external auditor reliance decisions have been
undertaken at a time when the regulatory emphasis on the role of audit committees was
limited. Further, these studies have generally focused on internal audit objectivity by
comparing functions that report to the audit committee with those that report to the chief
financial officer (CFO) (Maletta, 1993; Margheim, 1986; Schneider, 1985). In contrast,
we compare an internal audit function where the chief audit executive (CAE) reports to
the chief executive officer (CEO) and has not had private meetings with the audit
committee, with one where the CAE reports to the audit committee and does have
regular private meetings with the committee. Although both the CFO and the CEO are
members of management, reporting to the CEO should increase the status of internal
audit in the organisation. It also overcomes potential problems that can arise when
internal audit reports to the person with direct responsibility for the financial and
accounting systems which the function is required to monitor. Hence, the main
discriminating factor in our study is whether the internal audit function meets privately
with the audit committee or not. Research has shown that the effectiveness of internal
audit can be improved where regular meetings are held between the audit committee and
internal audit (Scarbrough et al., 1998; Treadway Commission, 1987). Where these
MAJ meetings are private, the internal audit function can be protected and is more
26,6 independent, thus enhancing corporate governance (Braiotta, 2004).
Another important contribution relates to our second manipulation which contrasts
a strong business risk environment with a weaker business risk environment. Current
auditing standards reflect a business risk approach to audit planning (ASA 315, 2009;
ISA 315, 2010), involving a top-down analysis of critical environmental factors that
466 might lead to material misstatement of the financial statements. However, while
studies have examined the impact of inherent risk on external auditors’ decisions to
rely on the work of internal audit (Felix et al., 2001; Glover et al., 2008; Maletta, 1993;
Whittington and Margheim, 1993), this is the first study to examine the impact of the
business risk environment on such reliance decisions.
A further contribution lies in our examination of the impact of these factors on decisions
to rely on work already undertaken by internal audit and decisions to use IA as assistants,
in each case differentiating between control evaluation work and substantive testing of
balances. Prior research has found differences between control evaluation work and
substantive testing (Margheim, 1986; Mills, 1996) and between reliance on work undertaken
by internal audit and using IA as assistants (Margheim and Label, 1990). However, the only
other study to examine these four reliance decisions is Munro and Stewart (2010).
We find that internal audit’s reporting relationship with the audit committee and the
client’s business risk environment both impact the extent of external audit reliance on
control evaluation work already undertaken by internal audit. The client’s business
risk environment has a marginally significant impact on reliance on substantive
testing work already undertaken but no impact is found for the reporting relationship.
With regard to using IA as assistants, both relationship with the audit committee and
the client’s business risk environment significantly impact control evaluation work
and substantive testing of balances. Consistent with Munro and Stewart (2010), we also
find that external auditors are more likely to rely on control evaluation work than
substantive testing work and that there are no significant differences between relying
on work already undertaken and using IA as assistants.
The remainder of the paper is structured as follows. In Section 2, we discuss prior
research and develop our hypotheses. This is followed by an explanation of the research
methods in Section 3. Section 4 reports and discusses the results of the study while the
final section contains some concluding comments including an acknowledgement of the
study’s limitations and suggestions for future research.

2. Prior research and hypothesis development

The external auditor’s relationship with internal audit has become increasingly
important in the current governance environment (Glover et al., 2008; Gramling et al.,
2004; Grant et al., 2009; Schneider, 2009). The need for high-quality auditing in
conjunction with increased compliance costs places greater emphasis on the benefits of
an effective and efficient integration of the two audit functions. Professional auditing
standards allow reliance on the work of internal audit subject to an assessment of the
internal audit function (ASA 610, 2009; ISA 610, 2010). Both Australian and
international standards require the external auditor to consider four key factors when
assessing whether to rely on internal audit work. These four factors are:
(1) internal audit objectivity in terms of the status and reporting lines of the internal
audit function;
 (2) the technical competence of internal audit staff; Reliance on
(3) their exercise of due professional care; and internal auditing
(4) the communication between internal and external audit (ASA 610, 2009;
ISA 610, 2010).
Similarly, US standards require consideration of the competence, objectivity and work
performed by IA as the three key components of internal audit quality (AU Section 322 467
(AICPA, 2010); PCAOB, 2010). Additionally, the US standards specifically recognise
that the external auditor may request direct assistance from IA with respect to
obtaining an understanding of controls, testing controls and performing substantive
tests (Schneider, 2009).
A considerable body of research has explored the factors that influence external
auditors’ decisions to rely on internal audit and this has been well summarised in
Glover et al. (2008) and Gramling et al. (2004). We therefore restrict our discussion to
the specific factors examined in the present study.

Reporting relationship with the audit committee

A close working relationship between internal audit and the audit committee is
recognised as a fundamental principle of sound corporate governance (ASX, 2010;
Cohen et al., 2004; James, 2003; Treadway Commission, 1987). Internal audit
independence and objectivity should be enhanced when the function reports directly
to the audit committee as opposed to senior management (Cohen et al., 2004). According
to Gramling et al. (2004, p. 198), a strong relationship between the internal audit function
and the audit committee helps provide internal audit “with an appropriate environment
and support system for carrying out its own governance-related activities”. The audit
committee can strengthen the position of internal audit by acting as an independent
forum for the CAE to raise matters affecting management (Braiotta, 2004; Goodwin,
2003; Goodwin and Yeo, 2001).
To achieve maximum benefit, it is recognised that open lines of communication should
exist between internal audit and the audit committee. The CAE should have regular and
confidential access to the committee (IIA, 2002) to facilitate the discussion of sensitive
issues, particularly those affecting management (Braiotta, 2004). Scarbrough et al. (1998)
find that where the CAE has three or more meetings a year with the audit committee, the
CAE has greater private access to the committee. When the CAE does not meet three or
more times a year, access to the audit committee is considerably less. A significant
association between private access by the CAE to the audit committee and audit
committee review of the internal audit program and results is also found
(Scarbrough et al., 1998). These findings emphasise the importance of a good working
relationship between the CAE and the audit committee, which should strengthen both
actual and perceived objectivity and enhance corporate governance practices.
A number of studies have examined the impact of internal audit’s reporting to the audit
committee on external auditors’ objectivity assessments and reliance decisions
(Abdel-Khalik et al., 1983; Brown, 1983; Schneider, 1985; Margheim, 1986; Messier and
Schneider, 1988; Margheim and Label, 1990). These studies have generally compared
reporting lines between the audit committee and the CFO or controller, with mixed results.
The early study by Abdel-Khalik et al. (1983) finds reporting line to be the most significant
factor in external auditors’ decisions to assign work to IA. Similarly, Brown (1983) finds
MAJ that reporting line, including access to the audit committee, is the most significant factor
26,6 in external auditors’ assessment of internal audit reliability. In contrast, Margheim (1986)
finds that internal audit objectivity based on reporting lines has no significant effect on
external auditors’ reliance on work undertaken by IA. Margheim and Label (1990) obtain
similar results for external auditors’ planned usage of IA as assistants. Schneider (1985)
compares four levels of internal audit reporting:
468 (1) to the assistant controller;
(2) to the controller;
(3) to the senior vice president for operations; and
(4) to the audit committee chair.

The study provides evidence that external auditors’ reliance decisions are primarily
based on internal audit competence and work performance with less emphasis placed
on objectivity.
A direct reporting line to the CFO by internal audit is now considered to be inappropriate
and should be restricted to administrative matters only (Ernst & Young, 2006). In view of
this, we examine the impact of reporting directly to the audit committee and having regular
private meetings with the committee compared to reporting to the CEO and meeting with
the audit committee only in the presence of management. Hence, our manipulation includes
not only the reporting line but more importantly the level of direct communication with the
audit committee. In spite of the mixed results of prior research, we expect a strong
relationship with the audit committee in the current governance environment to strengthen
internal audit status and objectivity. This, in turn, should impact external auditors’
decisions relating to reliance on work already undertaken by internal audit and the use of
IA as assistants for performing audit tasks. This leads to the following hypotheses:
H1a. External auditors are more willing to rely on work already undertaken by
internal audit when internal audit has a strong reporting relationship with the
audit committee compared to a weaker relationship.
H1b. External auditors are more willing to utilise internal audit to assist in
performing audit tasks when internal audit has a strong reporting relationship
with the audit committee compared to a weaker relationship.

Client’s business risk environment

The extent to which external auditors decide to rely on the work of internal audit is an
important audit-planning judgment. A key part of audit planning is the need to
understand the client’s overall business risk and to evaluate the impact of specific
business risks on the risk of material misstatement in the financial report (Gay and
Simnett, 2010). Business risk can be defined as:
[. . .] the risk that an entity’s business objectives will not be attained as a result of the external
and internal factors, pressures, and forces brought to bear on the entity and, ultimately,
the risk associated with the entity’s survival and profitability (Bell et al., 1997).
While the impact of the client’s business risk environment on reliance decisions has not
previously been examined, prior research suggests that external auditors do consider the
impact of global factors such as management integrity and corporate governance
when making other audit-planning judgments (Allen et al., 2006; Beaulieu, 2001;
Kizirian et al., 2005). Hanno and Agoglia (1999) find that auditors consider management Reliance on
and governance characteristics to be the most important factors when evaluating the internal auditing
client’s control environment. Cohen and Hanno (2000) use an experiment to examine the
impact of management control philosophy and corporate governance on audit-planning
judgments. They find that auditors are sensitive to both factors when making control
risk assessments and planning judgments pertaining to the level of substantive testing.
Bedard and Johnstone (2004) examine client risk assessments made by audit 469
engagement partners in a large public-accounting firm to test the impact of earnings
management risk and corporate governance risk on audit planning and pricing
decisions. They report a significant positive relation between earnings management risk
and planned audit hours and billing rates. They also find a significant interaction effect
between earnings management risk and corporate governance risk. However, corporate
governance risk on its own is not found to be associated with increases in planned audit
hours and billing rates. Finally, Cohen et al. (2007) examine whether the strength of board
roles (agency and resource dependence) affect auditors’ risk assessments and audit
program planning. While they do not find a significant association between inherent risk
assessments and board roles, they do find that auditors assess control risk to be greater
when both the agency and resource dependence roles of the board are weaker. They also
report a negative association between planned audit effort and weaker board roles.
Overall, these studies suggest that auditors are sensitive to the client’s overall risk,
control and governance environment when making audit-planning decisions.
A small number of studies have examined the impact of inherent risk on external
auditors’ reliance on the work of internal audit but these have generally related to the audit
of specific account balances such as accounts receivable (Maletta, 1993; Whittington and
Margheim, 1993). Maletta and Kida (1993) examine both inherent risk and control
architecture in the context of accounts receivable. They find complex interactions between
external auditors’ reliance decisions and levels of inherent risk and control strength,
suggesting a configural relationship between inherent risk and the strength of control
architecture. Margheim and Label (1990) examine reliance decisions in a high-risk
situation but do not manipulate risk as an independent variable. Overall, inherent risk is
examined by Felix et al. (2001) who find that the significance of other factors affecting
internal audit contribution to the external audit (namely, internal audit availability and the
relationship between external and internal audit) is contingent on inherent risk being high.
In a more recent study, Glover et al. (2008) find that the external auditors’ reliance on
internal audit is higher when they perform objective tasks (such as accounting for
pre-numbered documents) compared to subjective tasks (such as reviewing inventory
turnover ratios to identify obsolete inventory). In addition, their evidence suggests that
this effect is magnified when inherent risk was assessed as high, that is, when
management bonuses were based on earnings targets, management used aggressive
accounting techniques and earnings announcements did not meet market expectations
(Glover et al., 2008).
In the present study, we manipulate the overall business risk environment of the client
by contrasting a financial institution with increasing profitability, stable management,
and strong risk management and control systems with one suffering a damaged
reputation following two recent electronic-banking frauds which impacted profitability
and market share and resulted in management changes including a new CEO.
While the impact of the client’s business risk environment on external auditors’ reliance
MAJ on the work of internal audit has not previously been examined, we predict an
26,6 association for a number of reasons. First, the business risk approach of modern
auditing emphasises an assessment of the business risk environment as fundamental to
audit planning and to an evaluation of audit risk (Gay and Simnett, 2010). This approach
should therefore impact control evaluation and the nature and extent of audit testing
(ASA 315, 2009; ISA 315, 2010). Second, weaknesses in the business risk environment
470 cast doubt on the client’s overall commitment to strong corporate governance, further
impacting on the external auditor’s risk assessment. The prior research discussed above
suggests that auditors do consider such global factors in their risk assessments and
judgments relating to planned audit hours. Just as external auditors plan to increase
audit testing when factors associated with management and governance are weaker, we
expect that they would be less willing to rely on the work of IA in such situations.
A further reason is that, given that one of the key roles of internal audit is to monitor
internal controls (ASA 610, 2009; ISA 610, 2010), external auditors may consider that the
existence of control weaknesses reflects on the quality of the internal audit function. For
all of these reasons, it would be expected that external auditors would see less benefit in
internal audit and would prefer to perform their own tests rather than rely on the client’s
IA. We therefore test the following hypotheses:
H2a. External auditors are more willing to rely on work already undertaken by
internal audit when the client’s business risk environment is strong compared
to when it is weaker.
H2b. External auditors are more willing to utilise internal audit to assist in
performing audit tasks when the client’s business risk environment is strong
compared to when it is weaker.

Interaction effects
There is limited prior research and theoretical support for the likelihood of an interaction
effect between the two independent variables and hence we do not make any predictions
in this regard. However, it is possible that external auditors will be more willing to rely
on the work of IA when internal audit has a strong reporting relationship with the audit
committee only when the overall business risk environment is strong. This is consistent
with the findings of prior studies in the context of inherent risk. For example, Felix et al.
(2001) and Glover et al. (2008) report that the effect of factors influencing reliance
decisions is greater when inherent risk is high. Further, Maletta (1993) and Maletta and
Kida (1993) report complex interactions between inherent risk, control strength and
internal audit objectivity in external auditors’ decisions to use IA as assistants.
We therefore pose the following research question:
RQ1. Is there an interaction effect between internal audit’s reporting relationship
with the audit committee and the client’s overall business risk environment
with respect to external auditors’ (i) reliance on work already undertaken by
internal audit and (ii) utilisation of IA as assistants.

3. Research methods
To test our hypotheses, we conducted an experiment using a 2 £ 2 between-subjects
design. The first factor involves the CAE’s reporting lines and relationship with the audit
committee. The second factor relates to the strength of the client’s business risk
environment with respect to profitability, management stability, risk management and Reliance on
control systems. Both factors were manipulated at strong and weak levels to give four internal auditing
treatment groups.

Research instrument
The research instrument contained two independent scenarios relating to external
auditors’ reliance on the work of internal audit. This paper reports only the results of the 471
second scenario[2]. The instrument was divided into three parts, together with an
instruction sheet. Parts A and B comprised the first and second scenarios, respectively,
each followed by a series of questions. The third part of the instrument contained some
questions relating to the participant’s background. The instrument was tested using a
group of final year auditing students, a number of academics with auditing experience
and four audit practitioners. This testing confirmed the strength of the manipulations.
However, as we did not conduct the experiment in a controlled environment, we omitted
specific manipulation checks in order to minimise the likelihood of demand effects.

Participants
Participants in the study consisted of 66 partners, managers and seniors from external
audit firms in Australia. All participants were required to have experience with clients
with internal audit functions. Contact was made with an audit partner from the Big Four
and two mid-tier accounting firms in five major Australian cities to engage their support.
The partners agreed to distribute copies of the instrument to colleagues with the
required experience. Responses were mailed directly to the researchers in a reply-paid
envelope. A total of 98 instruments were distributed, with 66 usable responses being
received, giving a response rate of 67 percent.
Table I presents a summary of the biographical details of the participants. While the
mid-tier firms agreed to participate, only four responses were received from these firms,
owing to a lack of experience with clients with internal audit functions[3]. Almost,
70 percent of participants hold the rank of manager or partner. Approximately,
58 percent are males and just over half are 30 years of age or less. The mean years of
experience are slightly more than ten, ranging from a minimum of two years to a
maximum of 36 years. The number of clients with internal audit functions averaged
four, with a range from one to 12. Differences in responses due to firm, rank, age, gender
and experience were tested using analyses of variance (ANOVA) and co-variance
(ANCOVA). These tests indicated that none of these factors impact our reported results.

The scenario
The scenario involved a regional bank that had been listed for ten years and had been
expanding its operations across Australia. The two extreme versions of the scenario
are shown in the Appendix. Participants were first provided with some background
information relating to the bank’s assets and profitability. Details of the audit
committee indicated that it complied with the ASX Corporate Governance Principles
concerning independence and expertise and that it met six times per year. The committee
approved the internal audit program before the start of the year and reviewed the
internal audit reports at each meeting. The internal audit function comprised 16 staff,
most of whom were qualified IA or systems auditors. The CAE was a Certified Internal
Auditor with almost ten years experience in the banking industry. He was particularly
MAJ
No. %
26,6 Category of firm
Big Four 62 93.9
Middle tier 4 6.1
Position
Partner 17 25.8
472 Manager 29 43.9
Senior 20 30.3
Gender
Male 38 57.6
Female 28 42.4
Age group
21-30 34 51.5
31-40 19 28.8
Over 40 13 19.7
Table I. Mean SD Maximum Minimum
Biographic information Years of experience 10.8 8.0 36.0 2.0
of participants Number of clients with internal audit 4.0 2.0 12 1

knowledgeable about compliance issues and the regulatory environment in which the
bank operated. Approximately 60 percent of internal audit time was devoted to
assurance work (including internal controls, risk management and financial reporting
activities) and 30 percent to compliance work. The remaining 10 percent of the time was
spent on special projects. This description was designed to indicate an internal audit
function that the external auditors would assess to be competent and well resourced.
Participants were told that their firm had recently been appointed as auditor and the
client’s management had expressed a desire for a close working relationship between
external and internal audit. This would involve the exchange of audit plans, programs,
findings and reports. The firm had also been asked to consider the extent to which the
audit team could rely on the work of internal audit.

Independent variables
The first independent variable involves internal audit’s reporting relationship with the
audit committee. In the strong relationship condition, the CAE had a direct reporting
line to the chairman of the audit committee. He met with the chairman regularly on a
private basis and attended and reported at all audit committee meetings. In the weaker
condition, the CAE reported to the CEO. He attended audit committee meetings along
with other members of senior management. While the committee could request private
meetings with the CAE, no such meetings had been held.
The second independent variable is the strength of the client’s business risk
environment. In the strong condition, the senior management of the bank was described
as being very stable, with the current CEO holding the position for ten years. Net profit
had increased 6 percent over last year, with an average increase of 8 percent over the last
five years and the bank had been steadily growing its market share. The bank appeared
to have strong risk management and internal control systems in place and had
developed a sound reputation with regard to its electronic-banking technologies. In the
weaker condition, there had been a number of changes to the senior management team
over the last two years, and the current CEO had held the position for nine months.
Net profit had decreased 10 percent over last year although it had averaged an increase Reliance on
of 6 percent over the last five years. Market share had been growing until a setback last internal auditing
year. This was due to two scandals with respect to electronic-banking fraud which
damaged the bank’s reputation and led to the resignation of the former CEO. The bank
appeared to be taking steps to strengthen its risk management and internal control
systems and had made some progress in rebuilding its reputation with regard to its
electronic-banking technologies. However, it would be some time before the bank 473
regained the market share it had lost as a result of the scandals.

Dependent variables
Participants were first asked to provide preliminary assessments of the extent to which
they would be prepared to rely on work already undertaken by internal audit. This
question was divided into two parts, the first relating to the evaluation of internal financial
controls and the second with respect to substantive tests of account balances. They were
then asked to provide similar assessments of the extent to which they would be prepared
to utilise internal audit to assist in performing audit tasks, again divided into control
evaluation tasks and substantive tests of balances. For all questions, an 11-point scale was
provided, with end points of 0 (to a very limited extent) and 10 (to a very great extent).

4. Results
H1a and H2a predict that external auditors are more willing to rely on work already
undertaken by internal audit when internal audit has a strong reporting relationship
with the audit committee and when the client’s business risk environment is strong.
Results are reported in Table II where Panel A shows that external auditors are more
willing to rely on control evaluation work than on substantive testing. The means for
control evaluation range from a low of 3.89 in the weaker reporting relationship/weaker
business risk environment treatment to a high of 7.13 in the strong reporting
relationship/strong business risk environment treatment. The main effects of the two
independent variables are highly significant ( p # 0.004). The substantive testing means
range from 2.89 in the weaker reporting relationship/weaker business risk environment
treatment group to 4.40 in the strong reporting relationship/strong business risk
environment group. The business risk environment manipulation is marginally
significant ( p ¼ 0.097) while the reporting relationship manipulation is not significant.
Overall, these results provide support for H1a and H2a, particularly with respect to
relying on control evaluation work. However, the interaction effects between the two
independent variables for both control evaluation and substantive testing are not
significant ( p ¼ 0.922 and p ¼ 0.434, respectively).
H1b and H2b predict that the internal audit function’s relationship with the audit
committee and the strength of the client’s business risk environment influence external
auditors’ use of IA as assistants. Table III reports the test results for these hypotheses.
Panel A shows the means across the treatment groups for both control evaluation work
and substantive testing of balances. For control evaluation, the means range from
4.17 for the weaker reporting relationship/weaker business risk environment treatment
to 6.73 for the strong reporting relationship/strong business risk environment treatment.
For substantive testing, the means for the same treatment groups range from 3.06 to 5.53.
Panel B shows the results of the ANOVA tests. The main effects of the two independent
variables are significant at p ¼ 0.026 for control evaluation and p ¼ 0.049
MAJ
Evaluation of internal controls Substantive testing of balances
26,6
Panel A: means a (SD) and cell sizes
Stronger risk Weaker risk Stronger risk Weaker risk
environment environment Overall environment environment Overall
Strong AC 7.13 (1.88) 5.44 (2.61) 6.26 (2.41) 4.40 (3.02) 4.25 (2.38) 4.32 (2.66)
474 relationship n ¼ 15 n ¼ 16 n ¼ 31 n ¼ 15 n ¼ 16 n ¼ 31
Weaker AC 5.47 (2.27) 3.89 (2.52) 4.66 (2.50) 4.06 (2.90) 2.89 (2.17) 3.46 (2.58)
relationship n ¼ 17 n ¼ 18 n ¼ 35 n ¼ 17 n ¼ 18 n ¼ 35
Overall 6.25 (2.23) 4.62 (2.64) 5.41 (2.57) 4.22 (2.92) 3.53 (2.34) 3.86 (2.63)
n ¼ 32 n ¼ 34 n ¼ 66 n ¼ 32 n ¼ 34 n ¼ 66
Panel B: analysis of variance
Table II. Source of variation Mean square F b
p-value Mean square F p-valueb
The impact of audit Strength of AC
committee reporting relationship (AC) 44.108 8.004 0.003 7.154 1.038 0.156
relationship and client Strength of risk
risk environment on environment (RE) 42.344 7.684 0.004 11.898 1.726 0.097
external auditors’ AC £ RE 0.053 0.010 0.922 4.271 0.620 0.434
reliance on work
already undertaken by Notes: a11-point scale (0 – to a very limited extent and 10 – to a very great extent); bone-tailed where
internal audit direction predicted

Evaluation of internal controls Substantive testing of balances

a
Panel A: means (SD) and cell sizes
Stronger risk Weaker risk Stronger risk Weaker risk
environment environment Overall environment environment Overall
Strong AC 6.73 (2.19) 5.25 (2.93) 5.97 (2.66) 5.53 (3.14) 4.19 (2.66) 4.84 (2.93)
relationship n ¼ 15 n ¼ 16 n ¼ 31 n ¼ 15 n ¼ 16 n ¼ 31
Weaker AC 5.35 (2.42) 4.17 (2.45) 4.74 (2.48) 4.35 (3.12) 3.06 (2.15) 3.69 (2.71)
relationship n ¼ 17 n ¼ 18 n ¼ 35 n ¼ 17 n ¼ 18 n ¼ 35
6.00 (2.38) 4.68 (2.71) 5.32 (2.62) 4.91 (3.14) 3.59 (2.44) 4.23 (2.93)
Overall n ¼ 32 n ¼ 34 n ¼ 66 n ¼ 32 n ¼ 34 n ¼ 66
Panel B: analysis of variance
Source of variation Mean square F p-valueb Mean square F p-valueb
Table III. Strength of AC
The impact of audit relationship (AC) 24.923 3.939 0.026 21.954 2.842 0.049
committee reporting Strength of risk
relationship and client environment (RE) 29.263 4.625 0.018 28.687 3.713 0.030
risk environment on AC £ RE 0.362 0.057 0.812 0.010 0.001 0.972
external auditors’ use
of internal audit Notes: a11-point scale (0 – to a very limited extent and 10 – to a very great extent); bone-tailed where
as assistants direction predicted

for substantive tests of balances, indicating that external auditors are more willing to
use IA as assistants both when internal audit has a close reporting relationship
with the audit committee and when the client’s business risk environment is strong.
Thus, H1b and H2b are both supported. Again, there are no significant interaction
effects between the independent variables for both control evaluation and substantive
testing ( p ¼ 0.812 and p ¼ 0.972, respectively).
 Overall, our results demonstrate the importance of the two factors manipulated in this Reliance on
scenario on external auditors’ reliance on internal audit work. With respect to the impact internal auditing
of internal audit’s relationship with the audit committee, we have noted that the results of
prior studies have been mixed. While our findings are not directly comparable with these
studies, it appears that external auditors in the current governance environment
recognise that reporting and having private access to the audit committee strengthens
internal audit objectivity. Furthermore, the results for our business risk manipulation 475
are consistent with studies that have considered the impact of global factors such as
management integrity and corporate governance on other audit planning decisions.
To answer RQ, none of the interaction effects are significant. Hence, the results
indicate that the impact of these factors is additive rather than interactive. External
auditor reliance on internal audit is greatest when internal audit has a strong reporting
relationship with the audit committee and when the client’s business risk control
environment is strong. This applies both to work already undertaken by internal audit
and to utilising IA as assistants.
We also performed paired sample t-tests to test for differences between our results with
respect to control evaluation compared to substantive tests of balances and between
reliance on work already undertaken by internal audit and using IA as assistants. Results
of these tests are reported in Table IV. Panel A of this table shows that, for both reliance on
work already undertaken by internal audit and for using IA as assistants, the differences
between control evaluation tasks and substantive testing are highly significant
( p # 0.001), with external auditors relying more on control evaluation tasks. Panel B
shows that no significant differences are found between reliance on work already
undertaken and using IA as assistants for both control evaluation tasks and substantive
testing. These findings are consistent with those reported in Munro and Stewart (2010).

5. Conclusion
This study examines two factors that may influence external auditors’ reliance on the
work of internal audit in the current governance environment. The strength of both
internal audit’s reporting relationship with the audit committee and the client’s business
risk environment significantly impact reliance decisions with respect to both internal
control evaluations and substantive tests of balances.

Panel A: control evaluation compared to substantive testing

Overall mean
Overall mean Substantive Mean paired Paired sample
Control evaluation testing difference t-test p-value
Work already
undertaken 5.41 3.86 1.55 4.738 0.000
Using IA as
assistants 5.32 4.23 1.09 3.440 0.001 Table IV.
Panel B: reliance on work already undertaken compared to using IA as assistants Differences between
Overall mean Overall mean control evaluation and
Work already Using IA as Mean paired Paired sample substantive testing and
undertaken Assistants difference t-test p-value between reliance on work
Control evaluation 5.41 5.32 0.09 0.469 0.641 already undertaken and
Substantive using internal auditors
testing 3.86 4.23 20.37 21.509 0.136 (IA) as assistants
MAJ There are a number of limitations of our study which should be borne in mind when
26,6 interpreting these findings. Our sample size is relatively small and, as with all experimental
designs, the findings of our study may not be generalisable to other populations. We did
not include manipulation checks in the instrument to avoid the possibility of demand
effects in an experiment that was undertaken in an uncontrolled environment. While our
preliminary testing was designed to confirm the strength of our manipulations, we cannot
476 be certain that all participants interpreted the manipulations as intended.
Finally, we acknowledge that the manipulations of our independent variables involve
more than one aspect and hence it is not possible to isolate which aspects are driving the
significant results. Our audit committee reporting relationship variable manipulates
both reporting line and the privacy of meetings. This was designed to reflect realism as it
is unlikely that a CAE who reports directly to the audit committee would not also have
private access to the committee. Our second manipulation builds a story of either a
strong business risk environment or a weak one, and again, for realism purposes, it is a
multi-faceted construct including profitability, management stability and risk and
control systems. However, we note that multi-faceted constructs have been used in other
studies that measure global factors such as corporate governance strength, management
integrity, management control philosophy and board roles (Kizirian et al., 2005;
Beaulieu, 2001; Cohen and Hanno, 2000; Cohen et al., 2007). As in all studies of this
nature, identifying which aspects of our constructs are driving results is an avenue for
further research.
In spite of these limitations, our results have important implications for regulators
and others concerned with the role of audit in corporate governance. The need for strong
governance has led to increasing costs of compliance and hence determining the most
efficient and effective balance between internal and external auditing remains a
challenge. The present study highlights factors that can affect external auditors’ reliance
on internal audit work in the current governance environment. A strong reporting
relationship and regular private meetings with the audit committee strengthen the
willingness of external auditors to rely on internal audit work. Furthermore, other
aspects of governance such as the overall business risk environment have a significant
impact on external auditors’ reliance decisions. These findings are important for
businesses seeking to obtain a cost-effective integration of internal and external audit
without compromising audit quality.
Further research could be undertaken to examine the impact on reliance decisions of
other aspects of the factors explored in this study. For example, with regard to internal
audit’s reporting relationship with the audit committee, studies could examine whether
the characteristics of the audit committee influence external auditors’ perceptions of
internal audit objectivity and hence their reliance decisions. In addition, the impact on
reliance decisions of other aspects of the business risk environment could be explored.
Our study has focused primarily on internal factors associated with profitability,
management stability and risk and control systems and therefore there are opportunities
to examine external factors such as competition, market growth and regulatory
requirements (Gay and Simnett, 2010). The impact of these factors could be captured by
manipulating the industry in which the client operates. In addition, auditors’
assessments of audit risk are likely to be impacted by their business risk assessment
and hence, inherent and control risk assessments could act as intervening variables in
the external audit reliance decision. Path analysis could be used to explore these
relationships in greater depth. Finally, as noted, further dissection of both independent Reliance on
variables could provide insights into those facets which are more likely to impact internal auditing
external auditors’ decisions to rely on internal audit work.

Notes
1. It should be noted that we conducted two experiments in a single research study. The present
paper reports the results of only one of these experiments. The other experiment examined 477
the impact of sourcing arrangements (in-house versus outsourced internal audit activities)
and internal audit’s consulting role on external auditors’ reliance decisions. The results of
this experiment are reported in Munro and Stewart (2010).
2. As noted, the results of the first scenario are reported in Munro and Stewart (2010).
The manipulations for that scenario were internal audit outsourcing and internal audit’s
consulting role. To reduce the risk of confounding effects, the four versions of one scenario
were randomly mixed with the four versions of the other. This resulted in 16 versions of the
instrument. Importantly, it should be noted that we did not change the order of the two
scenarios and hence there are no order effects to consider.
3. Qualitatively, similar results are obtained when these four respondents are omitted from the
sample.

References
Abdel-Khalik, A.R., Snowball, D. and Wragge, J.H. (1983), “The effects of certain internal audit
variables on the planning of external audit programs”, The Accounting Review, Vol. 58
No. 2, pp. 215-27.
AICPA (2010), “AU section 322”, The Auditor’s Consideration of the Internal Audit Function in
an Audit of Financial Statements, American Institute of Certified Public Accountants,
available at: www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/
AU-00322.pdf (accessed 2 November 2010).
Allen, R.D., Hermanson, D.S., Kozloski, T.M. and Ramsay, R.J. (2006), “Auditor risk assessment:
insights from the academic literature”, Accounting Horizons, Vol. 20 No. 2, pp. 157-77.
ASA 315 (2009), Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and Its Environment, Auditing and Assurance Standards Board
(AUASB), available at: www.auasb.gov.au/admin/file/content102/c3/ASA_315_27-10-09.
pdf (accessed 2 November 2010).
ASA 610 (2009), Using the Work of Internal Auditors, Auditing and Assurance Standards Board
(AUASB), available at: www.auasb.gov.au/admin/file/content102/c3/ASA_610_27-10-09.
pdf (accessed 2 November 2010).
ASX (2010), Corporate Governance Principles with 2010 Amendments, 2nd ed., Australian Securities
Exchange (ASX) Corporate Governance Council, available at: www.asx.com.au/about/pdf/
cg_principles_recommendations_with_2010_amendments.pdf (accessed 2 November 2010).
Beaulieu, P.R. (2001), “The effects of judgments of new clients’ integrity upon risk judgments,
audit evidence, and fees”, Auditing: A Journal of Practice & Theory, Vol. 20 No. 2, pp. 85-99.
Bedard, J.C. and Johnstone, K.M. (2004), “Earnings manipulation risk, corporate governance risk,
and auditors’ planning and pricing decisions”, The Accounting Review, Vol. 79 No. 2,
pp. 277-304.
Bell, T.B., Marrs, F.O., Solomon, I. and Thomas, H. (1997), Auditing Organisations through
a Strategic-systems Lens: The KPMG Business Measurement Process, KPMG,
New York, NY.
MAJ Braiotta, L. (2004), The Audit Committee Handbook, 4th ed., Wiley, New York, NY.
26,6 Brown, P.R. (1983), “Independent auditor judgement in the evaluation of the internal audit
function”, Journal of Accounting Research, Vol. 21 No. 2, pp. 444-55.
Clark, M.W., Gibbs, T.E. and Schroeder, R.G. (1980), “Evaluating internal audit departments
under SAS No. 9: criteria for judging competence, objectivity, and performance”,
The Woman CPA, Vol. 22, July, pp. 8-11.
478 Cohen, J.R. and Hanno, D.M. (2000), “Auditor’s consideration of corporate governance and
management control philosophy in preplanning and planning judgements”, Auditing:
A Journal of Practice & Theory, Vol. 19 No. 2, pp. 133-46.
Cohen, J.G., Krishnamoorthy, G. and Wright, A. (2004), “The corporate governance mosaic and
financial reporting quality”, Journal of Accounting Literature, Vol. 23, pp. 87-152.
Cohen, J.G., Krishnamoorthy, G. and Wright, A. (2007), “The impact of roles of the board on
auditors’ risk assessments and program planning decisions”, Auditing: A Journal of
Practice & Theory, Vol. 26 No. 1, pp. 91-112.
Ernst & Young (2006), “Trends in Australian and New Zealand internal auditing”, Third Annual
Benchmarking Survey 2006, Ernst & Young, Sydney.
Felix, W., Gramling, A. and Maletta, M. (2001), “The contribution of internal audit as a
determinant of external audit fees and factors influencing this contribution”, Journal of
Accounting Research, Vol. 22 No. 1, pp. 31-53.
Gay, G. and Simnett, R. (2010), Auditing and Assurance Services in Australia, McGraw-Hill,
Sydney.
Glover, S.M., Prawitt, D.F. and Wood, D.A. (2008), “Internal audit sourcing arrangement and the
external auditor’s reliance decision”, Contemporary Accounting Research, Vol. 25 No. 1,
pp. 193-213.
Goodwin, J. (2003), “The relationship between the audit committee and the internal audit
function: evidence from Australia and New Zealand”, International Journal of Auditing,
Vol. 7 No. 3, pp. 263-78.
Goodwin, J. and Yeo, T.Y. (2001), “Two factors affecting internal audit independence and
objectivity: evidence from Singapore”, International Journal of Auditing, Vol. 5 No. 2,
pp. 107-25.
Gramling, A., Maletta, M., Schneider, A. and Church, B. (2004), “The role of the internal audit
function in corporate governance: a synthesis of the extant internal auditing literature and
directions for future research”, Journal of Accounting Literature, Vol. 23, pp. 194-244.
Grant, C.T., Park, N. and Wheeler, S.W. (2009), “Non audit, external audit, and internal audit
services in a post-SOX world”, Internal Auditing, Vol. 24 No. 1, pp. 28-35.
Hanno, D.M. and Agoglia, C. (1999), “The relative importance of corporate governance
characteristics: an audit perspective”, International Journal of Business Studies, Vol. 7
No. 2, pp. 1-14.
IIA (2002), Practice Advisory 2060-2: Relationship with the Audit Committee, The Institute of
Internal Auditors, Altamonte Springs, FL.
IIA (2009), International Professional Practices Framework (IPPF), The Institute of Internal
Auditors Research Foundation, Altamonte Springs, FL, available at: www.iia.org.au/
AboutIIA/defnofia.html (accessed February 2011).
ISA 315 (2010), International Standard on Auditing 315: Identifying and Assessing the Risks
of Material Misstatement through Understanding the Entity and its Environment,
available at: www.ifac.org/download/a017-2010-iaasb-handbook-isa-315.pdf (accessed
22 November 2010).
ISA 610 (2010), International Standard on Auditing 610: Using the Work of Internal Auditors, Reliance on
available at: www.ifac.org/download/a034-2010-iaasb-handbook-isa-610.pdf (accessed
22 November 2010). internal auditing
James, K. (2003), “The effects of internal audit structure on perceived financial statement fraud
prevention”, Accounting Horizons, Vol. 17 No. 4, pp. 315-27.
Kizirian, T.G., Mayhew, B.W. and Sneathen, L.D. Jr (2005), “The impact of management integrity
on audit planning and evidence”, Auditing: A Journal of Practice & Theory, Vol. 24 No. 2, 479
pp. 49-67.
Krishnamoorthy, G. (1994), “External auditors’ evaluations of internal audit work: a cascaded
inference approach”, unpublished PhD thesis, University of Southern California,
Los Angeles, CA.
Maletta, M. (1993), “An examination of auditors’ decisions to use internal auditors as assistants:
the effect of inherent risk”, Contemporary Accounting Research, Vol. 9 No. 2, pp. 508-25.
Maletta, M. and Kida, T. (1993), “The effect of risk factors on auditors’ configural information
processing”, The Accounting Review, Vol. 68 No. 3, pp. 681-91.
Margheim, L. (1986), “Further evidence on external auditors’ reliance on internal audit”, Journal
of Accounting Research, Vol. 24 No. 1, pp. 194-205.
Margheim, L. and Label, W. (1990), “External auditor reliance on internal auditors when audit
risk is high: some empirical findings”, Advances in Accounting, Vol. 8, pp. 293-311.
Messier, W.F. Jr and Schneider, A. (1988), “A hierarchical approach to the external auditor’s
evaluation of the internal auditing function”, Contemporary Accounting Research, Vol. 4
No. 2, pp. 337-53.
Mills, T.Y. (1996), “The effect of cognitive style on external auditors’ reliance decisions on
internal audit functions”, Behavioral Research in Accounting, Vol. 8, pp. 49-73.
Munro, L. and Stewart, J. (2010), “External auditors’ reliance on internal audit: the impact of
sourcing arrangements and consulting activities”, Accounting and Finance, Vol. 50 No. 2,
pp. 371-87.
PCAOB (2010), Auditing Standard No. 5 – An Audit of Internal Control over Financial Reporting
that is Integrated with an Audit of Financial Statements, Public Company Accounting
Oversight Board, available at: www.pcaobus.org/Standards/Auditing/Pages/Auditing_
Standard_5.aspx (accessed 2 November 2010).
Scarbrough, D.P., Rama, D.V. and Raghunandan, K. (1998), “Audit committee composition and
interaction with internal auditing: Canadian evidence”, Accounting Horizons, Vol. 12 No. 1,
pp. 51-62.
Schneider, A. (1984), “Modelling external auditors’ evaluations of internal auditing”, Journal of
Accounting Research, Vol. 22 No. 2, pp. 657-78.
Schneider, A. (1985), “The reliance of external auditors on the internal audit function”, Journal of
Accounting Research, Vol. 23 No. 2, pp. 911-19.
Schneider, A. (2009), “The nature, impact and facilitation of external auditor reliance on internal
auditing”, Academy of Accounting and Financial Studies Journal, Vol. 13 No. 4, pp. 41-53.
Treadway Commission (1987), Report of the National Commission on Fraudulent Financial
Reporting, National Commission on Fraudulent Financial Reporting, Geneva.
United States Congress (2002), Sarbanes-Oxley Act, Public Law 107-204, 107th Cong., 2nd Sess.,
GPO, Washington, DC.
Whittington, R. and Margheim, L. (1993), “The effects of risk, materiality, and assertion
subjectivity on external auditors’ reliance on internal auditors”, Auditing: A Journal of
Practice & Theory, Vol. 12 No. 1, pp. 50-64.
MAJ Appendix
Strong relationship with the audit committee and strong business risk environment
26,6 Morningside Bank Ltd is a regional bank that has been listed on the ASX for ten years. It has
started expanding its operations into all states of Australia and has been steadily growing its
market share. The bank has total assets of $10 billion and total liabilities of $9.5 billion. Net profit
for the last financial year amounted to $70 million. This represents an increase of 6 percent over
last year and an average increase of 8 percent over the last five years.
480 Senior management of the bank has been very stable and the current CEO has held the position
for ten years. The bank appears to have strong risk management and internal control systems in
place and has developed a sound reputation with regard to its electronic-banking technologies.
The audit committee meets the ASX corporate governance guidelines concerning
independence and financial literacy of its members. One member is a qualified accountant with
banking experience. The committee has six meetings per year. The audit committee approves the
internal audit program before the start of the year and reviews the internal audit reports at each
meeting.
The internal audit function is comprised of 16 staff, most of whom are qualified IA or systems
auditors. The chief internal auditor (CIA) is a Certified Internal Auditor with almost ten years
experience in the banking industry. He is particularly knowledgeable about compliance issues
and the regulatory environment in which the bank operates. Approximately 60 percent of
internal audit time is devoted to assurance work (including internal controls, risk management
and financial reporting activities) and 30 percent to compliance work. The remaining 10 percent
of time is spent on special projects. The CIA has a direct reporting line to the chairman of the
audit committee. He meets with the chairman regularly on a private basis and attends and
reports at all audit committee meetings. The internal audit budget is $2.5 million.
Your firm has recently been appointed as auditor of the bank. The CEO has expressed a
desire for a close working relationship between yourselves and internal audit. This goal has the
support of the audit committee and your firm has been asked to collaborate with the CIA to
develop an integrated audit planning process. This would involve the exchange of audit plans,
programs, findings and reports. The firm has also been asked to consider the extent to which the
audit team can rely on the work of internal audit. The external audit fee would be approximately
$500,000 with no reliance on the work of internal audit.
Assume you are the audit supervisor for this audit. The partner in charge of the audit has
asked you to make a preliminary assessment of internal audit and its effect on the external audit.
You have examined the internal audit manuals and working papers for the last two years.
You are happy that due professional care has been taken by internal audit staff.

Weaker relationship with the audit committee and weaker business risk environment
Morningside Bank Ltd is a regional bank that has been listed on the ASX for ten years. It has
started expanding its operations into all states of Australia and, until a setback last year, has been
steadily growing its market share. The bank has total assets of $10 billion and total liabilities of
$9.5 billion. Net profit for the last financial year amounted to $70 million. This represents a
decrease of 10 percent over last year but an average increase of 6 percent over the last five years.
There have been a number of changes to the senior management team over the last two years,
and the current CEO has held the position for nine months. The setback in market share last year
was due to two scandals with respect to electronic-banking fraud which damaged the bank’s
reputation and led to the resignation of the former CEO. The bank appears to be taking steps to
strengthen its risk management and internal control systems and has made some progress in
rebuilding its reputation with regard to its electronic-banking technologies. However, it will be
some time before the bank regains the market share it lost as a result of the scandals.
The audit committee meets the ASX corporate governance guidelines concerning
independence and financial literacy of its members. One member is a qualified accountant
with banking experience. The committee has six meetings per year. The audit committee
approves the internal audit program before the start of the year and reviews the internal audit Reliance on
reports at each meeting.
The internal audit function is comprised of 16 staff, most of whom are qualified IA or systems internal auditing
auditors. The CIA is a Certified Internal Auditor with almost ten years experience in the banking
industry. He is particularly knowledgeable about compliance issues and the regulatory
environment in which the bank operates. Approximately 60 percent of internal audit time is
devoted to assurance work (including internal controls, risk management and financial reporting
activities) and 30 percent to compliance work. The remaining 10 percent of time is spent on 481
special projects. The CIA reports to the CEO. He attends audit committee meetings along with
other members of senior management. While the committee can request private meetings with
the CIA, no such meetings have been held. The internal audit budget is $2.5 million.
Your firm [. . .] (identical to previous scenario).

Corresponding author
Lois Munro can be contacted at: [email protected]

To purchase reprints of this article please e-mail: [email protected]

Or visit our web site for further details: www.emeraldinsight.com/reprints