DAVID C. BURNS
ERNST AND YOUNG PROFESSOR OF ACCOUNTING
UNIVERSITY OF CINCINNATI
CINCINNATI, OHIO 452210211
JAMES W. GREENSPAN
ASSISTANT PROFESSOR OF ACCOUNTING
SETON HALL UNIVERSITY
and
CAROLYN HARTWELL
ASSISTANT PROFESSOR OF ACCOUNTING
UNIVERSITY OF DAYTON
THE STATE OF PROFESSIONALISM IN INTERNAL AUDITING
Damages resulting from the crisis in the savings and loan industry, continuing allegations of independent audit failures and recent media reports of significant declines in the moral integrity of new entrants to the managerial job market have heightened concerns about top management’s moral integrity and commitment to traditional internal control objectives. Many believe that top management officials in both the private and public sectors are failing to take adequate measures to install, maintain, and monitor adequate internal control structures within their organizations. Other related matters that appear to be inadequately addressed include the measures that need to be taken to deter fraudulent acts and unethical conduct.
Recognizing these apparent deficiencies, authoritative bodies such as the Treadway Commission have begun to look to the internal audit function to provide organizations additional internal assistance in identifying and remedying internal control deficiencies, curbing fraudulent acts, and monitoring the ethical conduct of organizational employees. For example, a significant portion of the recommendations made in the Treadway Commission Report focuses on strengthening the organizational position of the internal audit function in order to improve both its authority and capability to accomplish these duties.
These recent events have rekindled concern by scholars and practitioners about professionalism in the field of internal auditSubmitted April 1994 Accepted February 1995
ing.1 Much of this interest is driven by the implied presumption that further enhancements in the professional status of internal auditing will have a positive influence on the field’s capabilities to address the issus of fraud, deficient controls, and unethical behavior in commerical and governmental practice.
The professional status of internal auditing is an important issue. Internal Auditing must possess the status of a “genuine profession” in order to attain the requisite authority to enforce its standards on practice. Until this status is attained, commercial compliance with internal auditing standards will be largely voluntary. A field of work that must rely on voluntary compliance with its standards lacks the “genuine” status possessed by the well established professions such as medicine, law, architecture, and public accounting.
This study examines, from a historical perspective, the professional progress made by the field of internal auditing since 1977. The overriding objectives of this examination are: (1) to determine if the field of internal auditing has achieved professional status; (2) to assess whether progress has been made in enhancing the professional status of internal auditing since 1977; and (3) to suggest any actions disclosed by the analysis that might be taken by the field of internal auditing in the future to further enhance its professional status or the prospects thereof.
This study of professionalism focuses on events and activities that have transpired since 1977 for three major reasons: First, many authorities believe that the passage of the Foreign Corrupt Practices Act in 1977 marked the beginning of a new era of improved opportunities for internal auditors.2 Thus, events and activities transpiring since 1977 might be expected to reveal stronger evidence of professional status for internal auditing than events and activities transpiring before 1977. Second, many internal auditors consider the initial release of the Standards for the Professional Practice of Internal Auditing by the Institute of Internal Auditors Inc. in 1978 to be one of the most important “professional milestones” ever achieved by the field of internal auditing.3 Therefore, activities and events transpiring since 1978 under the support of these new standards should
‘For example see: Rodriquez [1991], Vessel [1991], Thornhill [1990], Miller [1989], and Westberry [1989],
1 For example, see: Sawyer [ 1991 ], p. 42 or Flesher [ 1991 ], p. 10. 3 For example see: Sawyer [1991], p.39.
provide better evidence of professional status than activities and events transpiring prior to the attainment of this notable “milestone”. Finally, two previous studies published by Burns and Haga [1977] and Dierks and Davis [1980] have cast serious doubt that internal auditing qualified as a profession (in the strictest sense) prior to 1977. Thus, our decision to commence our study in 1977 avoids replication of circumstances already treated by these former studies.
This study reveals that the prospects for professional status have improved for the field of internal auditing since 1977. Several of the serious roadblocks to professional status noted by earlier studies have begun to dissipate and have brought about improved conditions that internal auditors might capitalize on to enhance their prospects for attaining “genuine” professional status. Finally, the study suggests several available courses of action that internal auditors might consider to capitalize on these improved prospects.
PROFESSIONAL STATUS DEFINED
Definitions of a profession fall within the research realm of the field of sociology. Over the years, sociologists have developed two different types of behavioral models that have been used in the accounting arena to explain the distinctive features of a profession: (1) the “shopping list” model; and (2) the “intimidation” model. Characteristics of both models and the basic reasons that led us to favor the “intimidation” model are explained in the following two subsections.
The Shopping List Model of Professional Status
The “shopping list” model is the traditional model of professional status. It has been adopted by most occupations that have claimed professional status over the years. The “shopping list” model defines the distinctive features of a profession in terms of a list of observable “professional” traits or behavioral attributes. Traits and attributes included on the “shopping list” have been noted by various sociologists who have studied both professional and nonprofessional occupations for many years.
Specific professional traits included on a typical “shopping list” will vary somewhat depending on the sociologist who originally prepared it and the field that subsequently adopted it for their own use. Nevertheless, a typical list adopted by an occupation claiming professional status will invariably include most (i.e., attribute nine is normally omitted since it may prove embarrassing to members, and attribute eight has been declared “unconstitutional” since the publication of the B&H [1977} study) attributes included on the comprehensive “shopping list” compiled by Burns and Haga (B&H) [1977]. This B&H list has been reproduced here for the reader’s convenience as Figure 1.
FIGURE 1
THE TRADITIONAL SHOPPING LIST OF PROFESSIONAL ATTRIBUTES (1977 Version)
1. Professions are occupations that involve altruistic service to the public.
2. Professions are occupations that require long specialized training for their entrants.
3. Professions are occupations that embrace a code of ethics.
4. Professions form associations and hold meetings.
5. Professions publish learned journals aimed at upgrading their practice.
6. Professions use examinations as barriers to entry.
7. Professions try to limit their practice to members licensed by the state or certified by association boards.
8. Professions do not permit advertising of their services.
9. Professions are occupations in which practitioners wear symbolic costumes (for example, black robes, or white coats) and control access and the behavior of nonmembers in their work places (for example, court rooms, operating rooms or religious sanctuaries).
Note: Attribute 8 can no longer appear on a profession’s shopping list since it has been declared “unconstitutional.
Source: Burns and Haga [1977], p. 707.
Official CPA versions of the “shopping list” have appeared in various AICPA publications [e.g., Roy and MacNeill (1967) and Carey (1969)]. CIA and CMA versions of the “shopping list” continually appear in the membership information packets provided by the IIA and the Institute of Management Accountants (IMA) respectively. Shopping lists for CIAs and CMAs also appear frequently in many professional journals.
“For a recent example see James P. Westberry Jr., “The Pursuit Of Professionalism,” Internal Auditor, (April 1989).
B&H [1977] cited two major weaknesses in the “shopping list” model that limit its reliability and utility as a research tool.5 First, “most versions of the “shopping list” fit most of the pretenders as well as the genuine professions”. This deficiency causes the “shopping list” model to be an unreliable indicator of “genuine” professional status. Second, “shopping lists” are inadequate guides for designing programs that are aimed at either converting an occupation into a genuine profession or enhancing the status of: an already established profession”. Consequently, success of a field in developing itself along the lines of attributes appearing on a “shopping list” may be an unreliable indicator of that field’s true progress in attaining genuine professional status. These weaknesses caused us to place less reliance on “shopping list” model than on the “intimidation model” in performing this study.
The Intimidation Model of Professional Status
The intimidation model is a causal model that describes why certain occupations enjoy their distinctive status as genuine professions and why others do not. The essential concept underlying the intimidation model is that the “genuine” professions maintain autonomy in their work environment by exercising intimidative power. This capacity to maintain autonomy by exercising intimidative power is the critical visible ingredient that distinguishes genuine professions from wouldbe professions and pretenders. Therefore, occupations that lack authoritative intimidative power simply do not qualify as “genuine” professions under the intimidation model.
According to B&H, genuine professions draw their intimidative power from the following two interrelated sources:
1. High Cruciality — Clients, employers and other outside groups comprising the relevant work audience of a profession consider the profession to be absolutely critical to their continuing prosperity, welfare and/or survival.
5Bums and Haga [1977], p. 707.
‘Internal auditing has effectively “qualified” as a profession under the “shopping list” model since 1974 the year of its first CIA Exam. As of 1974 it possessed 7 of the 9 attributes on the list presented in Figure 1. The only attribute not yet attained by internal auditing is attribute 9 which involves a distinctive costume and controlled access to its work realm. Attribute 6 is, of course, illegal.
2. High Mystique — Clients, employers and other significant outside groups comprising the relevant work audience of a profession consider members of the profession to possess expertise bordering on the sublime over a work ideology that is baffling but essential.
In forming these two perceptions, the relevant work audience of the occupation effectively bestow “genuine professional status” on all membersingoodstanding of the group who are sanctioned to provide the occupation’s services. This bestowing of status provides the “genuine” profession its intimidative power and authority.
Occupations involved in a line of work not susceptible to the cultivation of high mystique and high cruciality will normally face serious impediments to gaining “genuine” professional status. Lacking a basis for the cultivation of these perceptions, these occupations will have little hope of gaining intimidative power.
Under the intimidation model an occupation possesses sufficiently high degrees of mystique and cruciality to qualify as a genuine profession whenever a preponderance of its members possess the effective capability to win disputes with their relevant work audience through the application of mild or stronger forms of intimidative behavior. The ultimate intimidative weapon, wielded by genuine professionals, is the threat to withdraw or withhold future services.
The possession of this ultimate weapon operates somewhat like a “doomsday device” for the “genuine” professions. Clients or employers baffled by the somewhat mystical advice of a professional practitioner such as a physician or attorney will normally suspend their own judgments and defer to the advice of the professional. This deference takes place out of fear that further argument might provoke the professional into threatening withdrawal of further services. If the practitioner is a member of a “genuine” profession these services will be perceived to be absolutely essential (i.e., highly crucial) and available from no
7 Occupations seeking or claiming professional status often become involved with unionization as an alternative means to gain autonomy over their line of work when their efforts to professionalize have failed to win them professional intimidative power based on high mystique and cruciality. See Burns and Haga [1977], p. 707.
other source (high mystique) than another member of the profession.
Known capability to apply this ultimate intimidative weapon permits the professions to win most routine disputes with clients or employers by applying milder and more polite forms of intimidative behavior in daytoday practice. CPAs, physicians, attorneys, and architects all apply intimidative behavior to win minor and serious disputes with clients or employers who refuse or are reluctant to follow their professional advice. For example, CPAs win many minor disputes with less sophisticated audit clients in daytoday practice by applying subtle forms of intimidative behavior such as the frequent use of technical accounting jargon and recitations of complex quotes from authoritative accounting standards. Stronger forms of intimidative behavior such as threats to issue qualified or even more severe adverse audit opinions are also used in independent audit practice to win more serious disputes with clients. In the most serious disputes the ultimate threat to withdraw from the audit may be used. This ultimate threat to withdraw from the audit will normally cause all but the most difficult clients to cease further argument and follow the advice of the independent auditor. This change in the attitude of the client takes place because withdrawal of the CPA from the audit for “legitimate professional reasons” would often bring about serious and potentially “life threatening” implications for the client entity.8 This life or death power is the essence of “high cruciality” as these terms are interpreted by the intimidation model.
The study of internal auditing discussed in the remainder of this article emphasizes the use of the “intimidation model” in analyzing events and activities relevant to internal auditing’s professional status. As compared to the “shopping list” model, the “intimidation” model prescribes more rigorous and objective criteria for separating the “genuine” professions from the wouldbe professions and the pretenders. In addition, the high mystique and high cruciality sources of intimidative power identified by the “intimidation” model provide a better research basis than the professional attributes of the “shopping list” model for evaluating any changes that have taken place since 1977 in
“These implications could include the inability to secure independent audit services from any other CPA and legal actions suspending further trading in its securities on the organized securities market.
the professional status of internal auditing.9 This is the case because changes that affect the cruciality and/or mystique of internal auditing should directly influence the intimidative power of practicing members in the internal auditing field.
ANALYSIS OF THE PROFESSIONAL STATUS OF INTERNAL AUDITING
Three different historical perspectives were pursued to examine the professional status of the internal auditing field. First, relevant research dealing with the practice of internal auditing was reviewed and examined to search for evidence of effective intimidative power on the part of internal auditors. This review commenced with the 1977 B&H article. Second, the IIA Standards For The Professional Practice Of Internal Auditing (IIA Standards) and the current revised IIA Code of Ethics (COE) were analyzed to identify evidence of provisions sanctioning two types of behavior: (1) intimidative behavior befitting a “genuine” profession, or (2) “unprofessional” (e.g., weak or professionally inappropriate) behavior. This review of IIA Standards and COE covered related standard setting activities of the IIA since the initial publication date of the IIA Standards in 1978. Finally, legal statutes and legislative activities along with the activities of authoritative regulatory agencies and investigatory groups were reviewed since 1977. This review was conducted to identify any current or prospective authoritative sources of support for the intimidative power of internal auditors.
Results of the Literature
Our literature review did not reveal any convincing evidence that internal auditing has gained effective professional intimidative power in the preponderance of organizations that currently maintain an internal audit function. The studies and research reviewed tend to suggest that many more auditors are likely to be intimidated by top management than vice versa.
” For example changes in Federal Laws since 1977 have forced medicine, law and public accounting to drop their traditional ethical rules prohibiting advertising of their services. Since the mid1980’s these fields have not been permitted to maintain attribute 8. Failure to maintain this attribute has not had any discernible impact on the professional status of medicine , law or public accounting. Even without attribute 8 these fields continue to qualify as “genuine” professions if any fields so qualify.
Therefore, there appears to be continuing reason to doubt that internal auditing qualifies as a “genuine” profession under the tough criterion imposed by the “intimidation” model.
B&H [1977] applied the intimidation model to examine the professional status of CPAs, management accountants, and internal auditors near the close of the decade of the 1970s. They determined that as of 1977 the cumulative efforts of the IIA had been unsuccessful in attaining genuine professional status for the field of internal auditing, because their members lacked effective intimidative power in practice. As of 1977′, membership in the IIA and/or possession of a valid CIA credential did not provide internal audit staff members and/or the director of internal audit the effective capacity to control the autonomy of the internal audit function in most organizations. In the late 1970s top management officials could constrain the organizational activities open to internal audit or stonewall sensitive findings discovered by its internal auditors. Management could effectively respond to the internal auditing function’s threats of resignation, withdrawal or suspension of further services by simply replacing its professional internal audit staff with more cooperative employees who were neither CIAs nor members of the IIA. The fact that management considered members of the laity as alternative sources of internal audit services indicated that internal auditing lacked sufficient cruciality and mystique in the eyes of high echelon management to maintain its professional autonomy in most organizations. Consequently, B&H concluded that internal auditing failed to qualify as a “genuine” profession as of 1977.
In 1980, Dierks and Davis (D&D) [1980] applied the intimidation model to reexamine the conditions of cruciality and mystique in internal audit practice. They were motivated to reexamine this issue because of the enactment of the Foreign Corrupt Practices Act in 1977 (FCPA 1977), and the issuance of IIA standards in 1978. Both of these events provided internal auditors an opportunity to assume a more crucial role in monitoring, testing, evaluating and reporting on their organizations’ internal controls. The IIA standards also appeared to provide IIA members and CIAs an improved basis for gaining enhanced mystique and cruciality.
D&D had internal auditors complete a survey instrument to measure their perceptions of how management and others viewed their (i.e., the internal auditor’s) cruciality and mystique. Cruciality and mystique were assessed in eight different areas covered by the then relatively new IIA Standards. Measurements of mystique and cruciality were separately captured for each area on a five point Likert scale ( 1 indicating high and 5 indicating low). Overall averages for mystique and cruciality were generally below the midpoint of the scale. The final overall conclusions reached by D&D were that internal auditing had not yet achieved genuine professional status, but that this status was now within internal auditing’s grasp.
Unfortunately, D&D’s conclusions are open to serious questions, because they did not address their survey directly to members of management, the boards of directors, the audit committees or other key organizational insiders that comprised the relevant work audience of the internal audit function. In addition, D&D did not ask the internal auditors whether or not they possessed the capability to control the autonomy ol the internal audit function in their employing organization through intimidation. How members of an occupation view their own mystique and cruciality matters little if their work audience fails to share the same view.10 Thus, there is reason to doubt that the actual professional status of internal auditors in 1980 was any different than it was in 1977 when the B&H study took place.
The results of the Mautz, Tiessen, and Colson (M.T&C) [1984] study provided some evidence of insufficiency in the perception of cruciality enjoyed by internal auditors in top US companies during the early 1980s. Management officials responding in the study listed “inadequate appreciation by this company of internal audit capabilities” as the number one factor inhibiting the usefulness of the internal audit function in their organization. Members of the audit committees of the same companies participating in the M,T& C study listed “inadequate appreciation of internal auditing capabilities” as the number two factor inhibiting the usefulness of the internal audit function in their companies. This strong feeling of “inadequate appreciation” does not indicate that the internal audit functions enjoyed a perception of high cruciality in their respective organizations.
Unfortunately, M.T&C study did not address the issue of the professional intimidative power possessed by the internal audit (unctions of the companies which participated in their study. The study did indicate that a significant portion (72%) of the participating audit committee members shared the perception that internal auditors were among the best technically qualified employees in their organizations. Unfortunately, technical competence is only one of many factors that determines the perception of mystique enjoyed by a profession.” Consequently, evidence resulting from the M,T&C study cannot be used to assess the perception of mystique enjoyed by the internal audit functions that participated in the study.
Research published subsequent to the D&D and M.T&C studies, dealing with mystique, cruciality or the intimidative power of internal auditors, continued to indicate symptoms of insufficient intimidative power on the part of internal auditors into the late 1980s. The lack of intimidative power demonstrated by management’s ability to dismiss an “uncooperative” internal auditor was reported by Wells [1985] as a continuing concern among practicing internal auditors in the 1985 era.
Studies dealing with the internal audit reporting of sensitive issues and “whistle blowing” provide further evidence of insufficiency in the intimidative power of internal auditors during the decade of the 1980’s. For example, in a study dealing with internal audit reporting of sensitive issues, Near and Miceli [1988] (N&M) noted “fear of retaliatory action by management” as a legitimate concern shared by a significant number of directors of internal audit. The N&M study further indicated that a significant number of internal auditors participating in their study considered “possible retaliatory action by management” as a relevant decision factor in their deliberations involving decisions on whether to pursue or not pursue formal audit reporting of sensitive findings.
Case studies on “whistle blowing” such as those published by Suchodolski [1981], Wells [1985], and Vinten [1992] illustrate instances in practice where sensitive issues discovered in internal audits were either blocked from the formal audit report or otherwise “stonewalled” by higher level management officials of notable organizations. Some of these “whistle blowing” cases involved instances where wellintentioned internal auditors attempting to comply with IIA standards were fired and/or seriously punished by management officials of their employing organizations. These whistle blowing cases illustrate instances in practice during the 1980s where the intimidative power of the internal auditor was insufficient to overcome management. Dishonest managers in these “whistle blowing” cases did not defer to the judgments of their internal auditors and forced the inter nal auditors to move beyond the intimidative behavior sanctioned by the internal auditing field to effectively commit career suicide by “blowing the whistle”.
Verschoor [1989] noted significant evidence of weak audit committee support for the internal audit functions in the defense industry in the late 1980s. Evidence of two major factors which continued to impair the intimidative power of internal auditing (restrictions placed on the scope of internal audits by top management; and weak support of the internal audit function by audit committees) was also noted in a study conducted by Tiessen and Barrett [1989]. Johns [1991] reported some evidence of a minor increase in higher level management support for the internal audit function in the public utilities industry for the decade of the 1980s. Johns’ report was based on 1980 and 1989 surveys conducted by the American Gas Association and Edision Electric Institute, respectively.
Research published in the 1990s continues to provide no clear evidence that internal auditing has gained sufficient intimidative power to qualify it as a “genuine” profession under the intimidation model. The lack of sufficient intimidative power by internal auditors was pointed out by Vessel [1991] with the claim that “instead of being able to intimidate management, internal auditors are more likely to be intimidated by management”. Evidence of continuing weak support of the internal audit function by audit committees was reported by Peacock and Pelfrey [1991]. Further evidence indicating insufficient intimidative power of the internal audit function was recently reported by Kalbers [1992] who surveyed the directors of internal audit and audit committee members of a random sample of 90 US companies. His sample was drawn from Value Line Investment Survey. Directors of internal audit responding to Kalbers’ survey indicated a perception that the top management officials in their companies “did not encourage” the submission of internal audit reports to their audit committees that contained findings dealing with such matters as: weaknesses in the companies’ internal control structures; accounting errors; or irregularities. Responses and remarks by the internal audit directors participating in the Kalbers study also indicated that a significant number of internal auditor directors fear retaliatory action by top management. This later finding tends to agree with Vessels [1991] earlier report that a significant number of internal auditors continue in the 1990s to be more intimidated by management than vice versa.
In general, the review of relevant research did not disclose convincing evidence that internal auditors currently possess sufficient intimidative power to place them on par with the well established “genuine” professions such as medicine, law, and public accounting. Most organizations can still replace their internal audit director (or any other internal audit staff member) with a member of the laity who is willing to subordinate internal auditing’s interests to those held by senior management.
Results of the Historical Review of HA Pronouncements
Our review of IIA promulgations disclosed a number of different provisions sanctioning the application of internal audit measures that might be perceived by management as mild, moderate or strong forms of intimidative behavior. These intimidative measures appeared to focus primarily on three basic issues treated in this section: (1) internal auditor involvement with circumstances involving illegal or improper business activities or discreditable actions; (2) management reluctance or refusal to follow internal audit advice; and (3) management imposed internal audit scope restrictions. These issues are most pertinent to our analysis of internal auditing’s professional status because they relate directly to the two major benefits enjoyed by all “genuine” professions: (1) the authority to make final judgments pertaining to the profession’s line of work, and (2) protection of the profession’s autonomy over its work ideology.
Issue 1: Circumstances involving illegal or improper business activities and discreditable actions
IIA Standards prescribe the use of the “ultimate intimidative weapon” under two circumstances. These circumstances are covered by Rules II and III of the IIA COE respectively.13 These rules state as follow:
Rule II
Members and CIAs shall exhibit loyalty in all matters pertaining to the affairs of their organization or to whoever they may be rendering a service. However, Mem
12 Sec Burns and Haga [1977], p. 708. For a more extended discussion see Friedrich [1958], pp. 2548, and; Hughes [1963].
13 Standard 240 of the IIA Standards requires compliance with the IIA COE.
bers and CIAs shall not knowingly be a party to any illegal or improper business activity.
Rule III
Members and CIAs shall not knowingly engage in activities which are discreditable to the profession of internal auditing or their organization.
Circumstances covered by these rules might arise in conjunction with a new offer of employment or in conjunction with an ongoing internal audit employment situation. In “employment offer situations”, Rule II implies that an internal auditor should refuse an offer of employment from an organization that is known by him / her to be actively involved in illegal or otherwise improper business activity. Rule III also implies that an internal auditor should refuse an offer of employment from an organization that obviously intends to place him/her under duress to perform discreditable acts.
In “ongoing employment” cases, Rule II implies that an internal auditor should resign employment with an organization that refuses to follow his / her advice (or the advice of others) to refrain from illegal or otherwise improper business activity. Rule II might also call for resignation where top management and the board fail to take appropriate action to follow up on illegal acts reported to them by the internal auditor in accordance with Guideline 280.06 of the original IIA Standards. This guideline compels the internal auditor to notify “appropriate authorities” in the organization whenever he/she suspects instances of “wrongdoing”.15 Similarly, Rule III implies that an internal auditor should resign employment with an organization that places him/her under strong duress to perform duties that constitute discreditable acts.
Both of these rules have been devised to operate as strong deterrents to illegal or improper business activities in practice.
14 Actions violating provisions of the IIA COE and activities violating the organization’s ethical conduct code would “qualify” as discreditable acts.
15 Guideline 280.06 and IIA Professional Standards Bulletin 835 further stipulate that the internal auditor should discuss all instances of suspected wrongdoing with appropriate organization officials and recommend any further internal audit or management investigatory procedures that appear to be war ranted in the circumstances. These promulgations further stipulate that the internal auditor should take further followup steps to determine that internal auditing’s responsibilities with respect to the circumstances reported have been met.
They effectively block organizations sincerely desiring to maintain (or legally required to maintain) a professional internal audit function from engaging in illegal or improper business activities. Well recognized professions such as medicine, law and public accounting have enacted similar rules to accomplish essentially the same deterrent functions. Thus, internal auditing’s prescribed intimidative measures for “Issue 1” appear to compare favorably with those prescribed by the “genuine” professions.
Issue 2: Management refusal to follow internal audit advice
IIA promulgations appear to focus their secondmost severe forms of intimidative behavior on the issue of top management’s refusals to accept the auditor’s formal conclusions or follow the internal auditor’s “formal advice”. Here IIA promulgations do not prescribe the use of “ultimate professional weapons” unless the audit issues at hand “qualify” as Rule II or Rule III circumstances under the IIA COE.
For audit issues falling outside the scope of Rules II and III, IIA Standards recommend a variety of intimidative measures. These measures have gradually evolved over time since the original issuance of the IIA Standards in 1978. The evolution of these measures reflects a progressive increase in the intimidative pressure applied on higher levels of management to follow the internal auditor’s advice.
Intimidative measures recommended by the original IIA Standards include three that continue to be particularly pertinent to the issue of management resistance to the internal auditor’s advice. First, audit reporting measures recommended by Guideline 430.06 effectively place significant intimidative pressure on local auditee management to concur with the auditor’s findings and advice. Guideline 430.06 requires management to explain the detailed basis of all significant disagreements it has with the auditor’s findings or advice. These explanations are included (along with other management comments) in the final audit report. Therefore, managers desiring to contest the auditor’s findings (or desiring to ignore or otherwise depart from the auditor’s advice) find it necessary to develop a rationale for their argument superior to that prepared by the internal 1 auditor for his/her advice. This management rationale must be sufficiently convincing to pass review by higher level management and the board. Rejection of lower management’s rationale
100 The Accounting Historians Journal, December 1994
by higher echelon officials may jeopardize lower level management’s job security. The prospects of such a rejection should add intimidative power to Guideline 430.06’s provisions. This is especially true where auditee management’s motives for resisting the auditor’s advice are truly inappropriate (e.g., to avoid open embarrassment or additional work commitments to resolve problems noted by the auditor).
The second intimidative measure recommended by the original IIA Standards involves followup audits. Standard 400 prescribes followup audits to exert intimidative pressure on management to fulfill its promises and take prompt and effective action to implement the internal auditor’s formal advice. Finally, Guideline 440.01 imposes direct intimidatve pressure on senior level management in the event that it ultimately decides to back auditee level management’s rationale for disagreeing with the auditor’s findings or advice. In these cases, Guideline 440.01 directs the internal auditor to determine that “management and the board has assumed the risk of not taking corrective action on reported findings”. The requirement to provide this “risk acknowledgment” to the auditor should intimidate senior level management and cause them to reconsider their decision to back lower level management’s rationale. This is the case because a “risk acknowledgment” could later be used to weaken senior management’s line of defense in the event that severe problems actually materialized as a result of their deliberate failure to follow the internal auditor’s advice.
IIA promulgations of 1983 recommended at least three additional intimidative measures to strengthen internal auditors’ arsenal for combating management resistance to their advice. First, Guideline 430.04.1 of Statement on Interned Auditing Standards (SIAS) No. 2 sanctioned the practice of including a section in current audit reports presenting an updated status report on actions taken by management to comply with the auditors’ advice presented in previous reports. Use of these status reports provides internal auditors an additional formal reporting measure to maintain intimidative pressure on management to comply with their advice. Second, Guideline 430.06.1 of SIAS No. 2 prescribed more rigorous formal audit report documentation for audit findings. This documentation included an internal audit analysis of the actual or potential organizational risks associated with each audit finding. The necessity to discredit these risk analyses should reinforce the intimidative power of Guideline 430.06’s previous recommendations for audit report documentation of management’s rationale for disagreeing with the auditor’s advice. Finally, three additional 1983 IIA promulgations significantly enhanced the intimidative pressure placed on higher echelon officials by Guideline 440.01 of the original IIA Standards. IIA Professional Standards Bulletin 8317 (PSB 8317) specifically stipulated that the internal auditor should pursue lower management disagreements with internal audit advice to the senior management and board level. This pursuance had only been implied by Guideline 440.01. PSB 8317 further clarified that the auditor should formally inform senior management and the board of the organization risks associated with failure to follow the auditor’s advice. Here former Guideline 440.01 had not specified formal notification in writing and had not explicitly mentioned that this notification should include the auditor’s analysis of risks associated with matters in dispute.
SIAS No. 7 (1989) further enhanced the intimidative pressures focused on senior management and board members by requiring that senior management and board level “risk acknowledgments” be formally documented in an executive level management version of the audit report. This increased the vulnerability of these “risk acknowledgments” to detection by legal authorities and the organization’s external auditor.
At the present time, these, senior management and board level “risk acknowledgments” are the most powerful intimidative weapons sanctioned by IIA promulgations to combat management reluctance to follow the internal auditors’s advice. IIA promulgations do not explicitly recommend further application of the “ultimate weapon” where the audit committee or board tacitly or explicitly support senior management’s decisions to ignore or depart from the internal auditor’s advice pertaining to matters falling outside the scope of Rules II and III of the IIA COE.
Measures suggested by IIA promulgations to combat management resistance reflect some possible symptoms of “unprofessional behavior” from the standpoint of the intimidation model. It may be argued, for example, that IIA Standards providing management an opportunity to openly argue with the auditor’s advice in the formal audit report constitute a weak or “unprofessional response” to management’s challenge of the professional practitioner’s judgments. Practitioners of the “genuine” professions such as medicine and law normally react to such challenges by simply suggesting that the challenger (i.e., client or employer) might obtain a second opinion from another “qualified” professional practitioner. Hence the standards of medicine, canons of law, and AICPA Professional Standards contrast quite dramatically with IIA promulgations on this issue. The standards of these three genuine professions effectively prohibit arguments with clients on issues involving the practitioner’s judgments about the profession’s work ideology. Under the intimidation model a profession’s judgments are final!
Issue 3: Management imposed internal audit scope restrictions
IIA pronouncements also prescribe strong intimidative measures to avert inappropriate scope restrictions by management. Two of the strongest measures prescribed for this issue include: (1) the use of formal internal audit charters; and (2) the formal reporting of scope restrictions imposed by management to the board.
The original IIA Standards, issued in 1978, prescribed the use of formal internal audit charters. Subsequent pronouncements of the IIA have reinforced the effectiveness of these original charter provisions by clarifying many of the detailed matters that should be covered by a properly prepared charter. These detailed matters include considerations pertaining to the organizational position of the internal audit function, internal audit access to information, measures that need to be taken to assure the objectivity of internal audit staff members , and the scope of the responsibilities and duties of the internal audit. As a result, charters prepared in accordance with current IIA Standards should provide the internal audit function strong intimidative “contractual” support for resisting inappropriate attempts by management to bar internal audit access to a sensitive area or otherwise restrict the scope of an ongoing or scheduled internal audit. Most violations of a properly prepared charter will require review and approval by senior management and the audit committee or board in larger organizations.
SIAS No. 7 (1989) recommends explicit formal reporting measures for management imposed scope restrictions. For significant restrictions,these measures involve formal appeal to senior level management for a rescission of the scope restriction. If the senior management appeal fails, SIAS No. 7 prescribes immediate written notification of the board.
6See Burns and Haga p. 709.
Where the restrictions imposed by senior management and the board clearly appear to be motivated by an attempt to conceal illegal or improper business activities, IIA Standard 220 would appear to apply. This standard would invoke Rule II of the IIA COE which might require the auditor(s) involved to consider a threat of resignation. However, existing IIA promulgations do not appear to call for intimidative action stronger than written board notification where scope restrictions violating charter provisions are imposed for less serious inappropriate motives (e.g., to avert “untimely” audit disclosure of circumstances falling outside the scope of Rule II that would embrass management or possibly jeopardize their job security). Failure of the IIA Standards to address this latter category of scope restriction motives with stronger intimidative measures, effectively sanctions the continuance of substandard internal auditing services from the standpoint of the organization’s charter. This type of circumstance is prohibited by standards that regulate most of the genuine professions. For example, standards in the field of medicine would require a companyemployed physician to resign his or her post if the employer attempted to prohibit him/her from providing medical services to specific employees and those services were guaranteed under the employees’ job contracts.
The true intimidative power of the measures treated in this section ultimatly depend on management’s perceptions of the internal auditor’s cruciality and mystique. If these perceptions are “high”, the IIA measures covered should carry intimidative power. On the other hand, if these perceptions are insufficient, the measures covered may represent little more than a nuisance to management. The studies and articles covered in our previous literature review tend to cast some serious doubts on the strength of these management perceptions. Consequently, it appears that, as of this time, the measures covered in this section carry at least some intimidative power with the management officials of some organizations but may well represent a nuisance to the managers of others. This leads us to suspect that internal auditing currently scores higher on cruciality than it does on mystique.
17 Internal auditing must possess some cruciality in the eyes of management. Otherwise thev would not tolerate its nuisance behavior.
Results of the Historical Review of Activities of Authoritative and/ or Regulatory Agencies/Groups
Our review of the activities of authoritative groups and regulatory agencies disclosed several positive signs for internal auditing’s professional prospects. Some of these signs relate to improved prospects for gaining enhanced cruciality and others relate to improved prospects for gaining enhanced mystique.
Mounting public concerns for improved internal control conditions in business and government since 1977 have improved the legal and regulatory agency support prospects for any field of work that is truly equipped to render effective assistance in the area of internal control. Internal auditors occupy an ideal organization position to render this assistance and legislators and regulatory groups seem to have become increasingly aware of this since 1977. Much of this increased awareness appears to have resulted due to the organized efforts of the IIA.18
Since 1977 internal auditors have scored several victories in winning legislative recognition and support for IIA Standards and the internal audit function in general. These victories include specific recognition and support in the Foreign Corrupt Practices Act of 1977 (FCPA 1977) and the Federal Manager’s Accountability Act of 1981 (FMAA 1981).
The FCPA 1977 and the FMAA 1981 have improved internal auditors’ prospects for gaining enhanced cruciality. Both of these acts imposed legal responsibilities and serious penalties directly on senior management officials for installing, maintaining and monitoring adequate internal controls. As Flesher [1991] points out, these new legal responsibilities and penalties heightened most top managers’ concerns for internal control. These heightened concerns have motivated many management officials to increase organizational requirements for internal control system monitoring, testing and evaluation services including the formal documentation thereof. Evidence of this gain in cruciality has been reported by Flesher [1991] who stated that the result of the FCPA 1977 was “the hiring of more internal auditors by corporations with internal audit departments, and the establishment of new internal audit departments by those organizations that did not already have them”.19
” For an indepth review of these IIA efforts see Flesher [1991]. ‘See Flesher [1991], p. 10.
Since the enactment of the FCPA 1977, the SEC has instituted more than 174 injunctive actions and more than 31 administrative proceedings under the act’s accounting and internal control provisions. Many of these enforcement actions have resulted in the issuance of injunctive orders directing companies to strengthen their audit committees and internal audit functions.20 Directives of this type tend to indicate that the SEC and the U.S. Justice Department recognize the internal audit function and consider it to be an important force for combating corporate fraud, internal control problems, and financial reporting deficiencies. This formal recognition is a strong signal that, the SEC and the U.S. Justice Department may be joining the relevant work audience of internal auditing. This improves the prospects for further legislation and regulations that may bolster the cruciality of internal auditing.
Fargason [1993] reports evidence that the U.S. Courts may also be developing a perception that internal auditing is a valuable professional service. Fargason states that in the past decade, the number of U.S. court cases involving internal auditors as witnesses has increased dramatically. He further points out that the courts are increasingly considering the internal audit function to be a reliable source of valuable evidential information. Recent legal cases cited by Fargason illustrate instances where higher courts have reversed the judgments of lower courts on the basis of documentary evidence prepared by internal auditors. He also points out that the U.S. Congress and many state legislatures have been increasing their reliance on internal audit reports in drafting new legislation.
The Treadway Commission Report of 1987 represents another important victory for internal auditing from the standpoint of improving its prospects for gaining enhanced cruciality in public companies. At least six of the recommendations contained in the commission’s final report reinforce the application of corporate control measures that affect internal auditing. Corporate compliance with these recommendations can be expected to offer internal auditors in public companies improved prospects for gaining enhanced cruciality.
First, and perhaps most important of all, the Treadway Commission Report explicitly recommended that all public corporations should maintain an internal audit function. This first
20For example see SEC Administrative Proceeding File No. 36123 involving The Telex Corporation.
recommendation effectively mandates the existence of a viable internal audit function in all public companies. This mandate clearly conveys a message that the members of the Treadway Commission consider the internal audit function as crucial. It also sends privately held companies desiring to become publicly held a strong signal that they should install an effective internal audit function.
The Treadway Commission Report stipulated that public corporations should maintain a standing audit committee comprised of nonmanagement directors to coordinate internal and external audit activities. Compliance with this second recommendation effectively forces senior mangement to consider its support of the internal audit function to be a more crucial concern. This is the case because unsatisfactory support of the internal audit function by senior level management may be communicated directly to non management directors of the company by the internal audit function.
The final Treadway Commission Report encouraged the use of formal internal audit charters by public companies. This third recommendation relevant to internal auditing provided additional authoritative support for one of internal auditing’s strongest intimidative measures for combating unjustified audit scope restrictions by management. Treadway Commission support for charters makes it increasingly difficult for management to resist the internal auditor’s requests for formal internal audit charters in public companies. Charters effectively enhance the cruciality of the internal audit function by means of their detailed contractual provisions.
The Treadway Commission also encouraged the use of ethical conduct codes by public companies. This fourth recommendation provides internal auditing new prospects for expanding its services in public companies. The internal audit function would seem to be the most logical organizational candidate for monitoring employee compliance with the provisions of the organization’s ethical conduct code. Added responsibilities in this area enhance internal auditing’s prospects for gaining enhanced mystique and cruciality.
The Treadway Commission Report recommended the inclusion of “management responsibility letters” in the annual reports of public companies. These letters require members of senior management to formally acknowledge that they have met their primary responsibilities under the FCPA 1977 for installing, maintaining and monitoring adequate internal controls in the company. These formal declarations increase the importance of the internal audit work performed to support top management’s representations. For example, significant deficiencies in internal controls reported to top management by the internal auditor might hamper top management’s ability to claim that it has met its responsibilities under the FCPA 1977. Therefore, this fifth recommendation of the Treadway Commission offers internal auditing additional prospects for gaining cruciality in the eyes of management.
The Treadway Commission also recommended the inclusion of an “audit committee letter” in the annual report of public companies. This sixth recommendation offers internal auditors stronger prospects for gaining cruciality than the “management responsibility letter”. This is so because the “audit committee letter” would require the chairperson of the audit committee to comment on matters pertaining to the scope of audit activities as well as any significant audit findings.
The Internal ControlIntegrated Framework project performed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides internal auditors additional outside authoritative support that should serve to improve its prospects for gaining mystique and cruciality in public corporations. The final COSO report issued in 1992 clarified the importance of the internal audit function as an objective inhouse evaluator of the organization’s internal control structures. The COSO report further recommended the adoption of IIA Standards and also strongly supported the Treadway Commission’s previous recommendation for the inclusion of “management responsibility letters” in the annual reports of public companies. These COSO report recommendations have improved the prospects for future federal legislation requiring “management responsibility letters” as well as compliance with other recommendations of the Treadway Commission covered previously.
The passage of the Federal Deposit Insurance Act of 1991 (FDIC [1991]) may improve internal auditors’ prospects for gaining cruciality in the banking industry. The FDIC [1991] includes provisions mandating internal control reporting by management and independent auditors for all but small insured depository institutions. Management compliance with the internal control provisions of this new law should enhance the cruciality of internal audit support in many banking institutions. According to Gujarathi and Raghundan [1993], the success of the internal control reporting provisions of the FDIC law could have future implications for all public companies.
Other legislative victories scored by internal auditing since 1977 include the adoption of IIA Standards by five states. In 1982, California became the first state in the U.S. to pass a law that required all state and local governmental internal auditors to comply with the IIA Standards. Since 1982, at least four other states ( i.e., Tennessee (1984), Virginia (1985), Florida (1986) and Texas (1987)) have enacted legislation similar to that enacted by California. Flesher [1991] also reports that several other states have enacted similar ordinances.22 State laws requiring compliance with IIA Standards, have enhanced internal auditing’s prospects for gaining both enhanced cruciality and mystique at the state and local levels of the public sector.
Changes in the AICPA standards pertaining to the independent auditor’s consideration of the internal audit function appear to pose mixed implications for the professional prospects of internal auditing. On the positive side, several new provisions of SAS No. 65 can be interpreted as effectively alleviating much of the CPA/internal auditor skillsubordination problem previously noted by B&H in their 1977 analysis.23 Unlike its predecessor pronouncement (SAS No. 9), SAS No. 65 explicitly recognizes the field of internal auditing as a profession separate from independent auditing. For example, SAS No. 65 explicitly acknowledges the IIA standards as appropriate standards for conducting internal audit activities and evaluating the quality of the performance of the internal audit function.24 SAS No. 65 also explicitly mentions “professional certification” and “continuing education” as important indicators of the competency of internal auditors. These latter provisions can be interpreted to
“According to B&H the “skillsubordination” problem had traditionally blocked internal auditing from gaining exclusive mystique over the internal auditing work ideology. Most members of internal auditing’s work audience have traditionally perceived that CPAs possess high mystique in areas dealing with internal auditing as well as high mystique over all other areas of auditing. This skill subordination problem is similar to the problem faced by nurses in the field of medicine.
“SAS No. 65, par. 11.
sanction the internal auditing field as a profession separate and distinct from the field of independent auditing.
SAS No. 65 also contains some new provisions that effectively reinforce critical factors that operate to enhance the mystique and cruciality of internal auditors. For example, SAS No. 65 contains new provisions which should discourage top management and the board from imposing significant restrictions on the audit activities performed by the internal audit function. In determining independent audit reliance on the work performed by the auditee’s internal audit function, SAS No. 65 mentions that the client’s adoption of: IIA Standards; internal audit charters; audit committees; certification of internal audit staff members; continuing education for internal auditors; and high echelon reporting level status would be viewed favorably by the independent auditor. Many corporate entities can be expected to adopt these measures to appease their independent auditors. Increased adoption of these items by corporations can be expected to improve many of the important conditions necessary for the field of internal auditing to gain increased mystique and cruciality.
From the negative standpoint, the provisions of SAS No. 65 impose additional restraints on the independent auditor’s reliance on the internal auditor’s work in high risk areas (i.e., compared to SAS No. 9). Both Barrett [1990] and Vessel [1991] believed that management and other members, of the internal auditing work audience will perceive this decreased willingness to rely on the internal auditor’s work as an indication of internal auditing’s inferior technical capabilities (i.e., as compared to the independent auditor). If it develops in practice, a perception of this latter type would further perpetuate the skillsubordination problem noted by B&H in 1977. This is true even though the independent auditor’s reluctance to rely on the internal auditor’s work in high risk areas may be justified on the grounds that the internal audit function does not share legal responsibility with the external auditor for overlapping audit work.
In general, the activities, events, and trends covered in this section disclose some very favorable professional prospects for internal auditing. The following section presents some suggested future courses of action that might be taken by internal auditors to capitalize on these opportunities to gain enhanced mystique and cruciality.
RECOMMENDATIONS FOR ENHANCING THE PROFESSIONAL STATUS OF INTERNAL AUDITING
The intimidation model suggests a definite order of development in the two basic conditions that provide the genuine professions their authority and intimidative power. Development of the conditions which provide the profession enhanced mystique must first take place in order to provide the evolving profession a unique subject matter basis for gaining enhanced cruciality. Therefore, internal auditors should focus their immediate efforts on opportunities that have the greatest potential to enhance their mystique.
The opportunity to become the predominant experts in the area of auditing and evaluating traditional accountingtype internal controls appears to be the best alternative for cultivating enhanced mystique in the current political, legal, and business environment. The general public, the SEC, the Treadway Commission, legislators, and the organized securities markets all seem eager to find an occupational group that can apply improved auditing methods to insure that corporate top management meets its fiduciary responsibilities for installing and maintaining adequate systems of traditional internal controls. Internal auditors are in an ideal position to provide this type of service. CPAs appear to be the only other available group that might be able render additional assistance in this area. However, CPAs are currently facing intense competitive pressures to control independent audit time and fees. This pressure impairs their ability to spend additional audit time examining internal control issues that do not relate directly to their opinion on the financial statements. In this competitive environment CPAs can only provide additional help in the area of traditional internal control by offering a special attest service.26 This additional attest service would certainly result in a significant increase in the annual billings to clients by independent auditors. Since internal auditors are already familiar with corporate controls, they should be capable of providing this same service at a lower cost than CPAs.
26 These new attest services are covered by AICPA Statement on Standards for Attestation Engagements No.2 Reporting on an Entity’s Internal Control Structure over Financial Reporting. (August,1993).
Internal auditors as a group should begin to refocus their efforts on the development and implementation of improved techniques for evaluating and testing traditional internal controls. This audit area offers internal auditors some excellent opportunities for cultivating high mystique. One of the best opportunities deals with the mystical area of risk assessment.
Internal auditors can develop improved techniques for gathering and documenting and sharing internal control risk assessment information. Improved information of this type would provide internal auditors superior bases for developing their internal control audit test criteria and for defending their internal control audit findings and recommendations.27 Improved information of this type might include the following items: (1) listings of potential errors, irregularities, and illegal acts that pose inherent risks to the organization (henceforth referred to as threats); (2) inherent risk estimates for each threat including estimates of occurrence rates or likelihoods of occurrence and estimates of possible error magnitudes or dollar losses; and (3) estimates of internal control effectiveness levels.
Internal auditors have direct daily access to the world’s foremost experts in risk assessment. These experts are the clerical employees, who perform accounting, operating, and other internal controlrelated duties in the specific areas where errors, irregularities, and inefficiencies either originate or first become susceptible to detection. These employees normally possess the best available insight pertaining to threats, inherent risk levels, and control effectiveness related to their work areas. Internal auditors should develop improved techniques for gathering, documenting, validating, and sharing this insightful information possessed by employees.
Internal auditors might pursue projects to develop improved techniques to take better advantage of this information and knowledge. For example, the IIA might be encouraged to sponsor ongoing programs to gather risk assessment information from its members in various industries. Information gathered could be used to compile industry data pertaining to such matters as: (1) the types of errors and irregular and illegal acts
“This might permit the IIA to revise its standards to’discourage formal audit report coverage of management’s disagreements with the internal auditor’s findings and recommendations on “traditional internal control audits”. It is doubtful that this coverage can be eliminated for operational auditing concerns falling outside the scope of “traditional” internal control issues.
perceived by internal auditors to constitute control threats in various industries; (2) potential error rates and probabilities of occurrence assessed by internal auditors for common threats in various industries; and (3) internal audit assessments of potential damages for common threats in various industries. Information of this type could be supplied to practicing internal auditors in the form of a subscription service which would provide subscribers an improved basis for performing and defending the reasonableness of risk assessments in their organizations. Improved capabilities to perform inherent and control risk assessments would provide internal auditors a distinct advantage over independent auditors who do not have time to address threats and risks at the grassroots level. Improved risk assessment information of this type would likely increase the mystique of internal auditing.
Action to take advantage of the opportunity to gain professional status in the area of traditional control auditing will require internal auditors to modify their current thinking regarding operational auditing. Internal auditors currently consider operational auditing to be their “premier” professional service much like public accounting considers independent auditing to be theirs. Our historical analysis has led us to the conclusion that this line of thinking on the part of internal auditors may be faulty.
Operational auditing is not a type of internal auditing service that is susceptible to the cultivation of high mystique and high cruciality. This is primarily because it involves a nearly undefinable work ideology. The most successful operational auditor is a “jack of all trades” who can provide objective help to management in dealing with nearly any operational problem. Unfortunately a “jack of all trades” is typically perceived to be “a master of none.” Mastery over no discipline turns out to be the antitheses of a profession. From this standpoint “operational auditing” should probably occupy a position in internal auditing’s service line similar to the positions occupied by management advisory services (MAS) and tax advisory services (TAS) in the field of public accounting. This is not to suggest that internal auditors should abandon or deemphasize the importance of operational auditing. What is being suggested is that internal auditors should begin to cultivate a “professional level of expertise” over the specific area dealing with auditing traditional control concerns. Professional expertise in this limited area would provide internal auditors intimidative power over a crucial subject area similar to the independent auditing service area that is the principle source of public accounting’s professional status. This change would not necessarily require any reduction in the valuable operational auditing services currently being rendered by internal audit departments. After all, many practicing CPAs consider MAS and TAS to be their most beneficial and lucrative service areas. This is true even though CPAs’ have not and probably never will enjoy high cruciality in these service areas.
The field of internal auditing can also capitalize on several other opportunities to enhance its cruciality as the exclusive provider of traditional control auditing. The current trend for companies to adopt internal auditing charters is an excellent example of one of these opportunities. Regulatory groups requiring or recommending the use of internal auditing charters could be encouraged to consider charter provisions requiring the organization to employ a director of internal audit who either possesses a valid CIA credential or is at least a member in good standing of the ITA. A requirement of this nature would effectively prohibit management from replacing its professional director of internal auditing with a nonprofessional director, who is not bound to adhere to the profession’s standards. Regulations mandating IIA membership and/or the possession of a CIA credential would also significantly improve internal auditing’s status under the “shopping list” model.
Management responsibility letters also offer internal auditors significant opportunities under both the “intimidation” and “shopping list” models. To capitalize on these opportunities, internal auditors should focus their auditing expertise on traditional internal control concerns and lobby for requirements that the director of internal auditing cosign the management responsibility letter. A requirement of this type should increase internal auditing’s cruciality under the intimidation model. Furthermore, legal responsibilities associated with signing the management responsibility letter would provide internal auditing a clear justification for claiming altruistic service to the general public as well as to management and the organization. This would improve internal auditing’s status under attribute No. I ol the “shopping list” (see Figure 1) by adding the general public to internal auditing’s list of altruistic service beneficiaries.
In the future, increased use ol audit committee letter’s in annual reports may offer internal auditors opportunities similar to those just discussed for management responsibility letters. Therefore, internal auditors desiring enhanced professional status should seriously consider supporting such a requirement.
SUMMARY AND CONCLUSIONS
This study examined the progress made toward achieving professional status by internal auditing. The intimidation model was employed to assess both the progress made by internal auditing along with its current status. A review of the literature did not reveal any evidence of the intimidative power necessary to qualify for professional status. However, a historical review of IIA professional pronouncements and the activities of various authoritative and/or regulatory agencies indicated that there is considerable support for internal auditing to move up to professional status if the field is willing to take several important steps.
The single most important step is the need for internal auditors to change their thinking regarding the composition of their current service line. An improved traditional control auditing service needs to be developed and implemented to replace “operational auditing” as internal auditing’s premier professional service line. If internal auditing is to gain professional status on par with that possessed by medicine or law it needs to gain sufficient intimidative power to force top management into facing up to its internal control responsibilities as defined by the FCPA of 1977 and the FMAA of 1981. Intimidative power to force top management to comply with operational audit findings other than those that deal with traditional controls is not necessary and probably not proper.
Professional authority over the area of traditional control concerns will not be a comfortable role for many internal auditors. This role will force the auditor to claim expertise and knowhow in the area of traditional controls far superior to that possessed by top management and others.
The Treadway Commission and the SEC are currently looking for a professional group that will take the responsibility for ensuring that top management of large organizations meets its internal control responsibilities. It appears obvious that these groups are not interested in an internal auditor who “thinks like management.” What they are definitely looking for is a group which possesses the “professional” capabilities to outthink top management in areas dealing with auditing and evaluating traditional accountingtype internal control concerns. If internal auditors truly desire professional status, perhaps it is time for them to acknowledge this important message.
REFERENCES
American Institute of Certified Public Accountants, Statement on Auditing Standards No. 65: The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements (New York: AICPA, 1991).
, Professional Standards Volume 1 (New York: AICPA, 1992).
, Statement on Auditing Standards No. 55: Consideration of Internal
Control Structure in a Financial Statement Audit (New York: AICPA, 1988). _, Statement on Auditing Standards No. 9: The Effect of an Internal
Audit Function on the Scope of the Independent Auditor’s Examination (New York: AICPA, 1976).
_, Statement on Standards for Attestation Engagements No. 2: Reporting
on an Entity’s Internal Control Structure over Financial Reporting (New York:
AICPA, 1993). Anderson, Urton L., “The External Auditor’s Consideration of the Internal Audit
Function” Internal Auditing (Summer 1991), pp. 5967. Barrett, Michael J., “SAS 9’s Successor is Ugly,” The Internal Auditor, (April
1990) pp. 3134. Burns, David C. and William J. Haga, “Much Ado About Professionalism: A
Second Look at Accounting,” The Accounting Review (July 1977), pp. 705715.
Carey, John L., The Rise of the Accounting Profession from Technician to Professional (New York: AICPA, 1969). Committee of Sponsoring Organizations of the Treadway Commission Internal
Control Integrated Framework: Reporting to External Parties (Jersey City, NJ,
(1992). Dierks, Paul A. and Elaine A. Davis, “The Cruciality and Mystique of Internal
Auditing: Last Prerequisites for Professionalism?” The Internal Auditor
(April 1980), pp. 3646. Fargason, James Scott, “Internal Auditor and the Law” Internal Auditor (August
1993), pp. 4246. Flesher, Dale L., The Institute of Internal Auditors: 50 Years of Progress Through
Sharing, (Altamonte Springs, Florida: Institute of Internal Auditors Inc.,
1991).
Friedrich, Carl J., Tradition and Authority, (Praeger, 1972), pp. 5152. Gujarathi, Mahendra and K. Raghunandan, “Management Reporting on Internal
Control: An Update” Internal Auditing (Summer 1993), pp. 1323. Hughes, Everett C,”Professions,” in Kenneth Lynn ed., The Professions in
America (Beacon Press, 1963).
Institute of Internal Auditors, Code of Ethics, (Altamonte Springs, Florida: Insti
tute of Internal Auditors Inc., 1988).
, Standards for the Professional Practice of Internal Auditing,
(Altamonte Springs, Florida: Institute of Internal Auditors Inc., 1992). Johns, Grahm F.,”The Utilities Internal Auditor” Internal Auditor (June 1991),
pp.113115. Kalbers, Lawrence, “Audit Committees and Internal Auditors” Internal Auditor (December 1992) pp.3744.
Kowalczyk, David S., Cadmus’ Operational Auditing (New York: John Wiley & Sons, 1987).
Mautz, Robert K., Peter Tiessen, and Robert H. Colson, Internal Auditing: Directions and Opportunities (Altamonte Springs, Florida: The Institute of Internal Auditors Research Foundation, 1984).
Miller, Herbert, “Preparing for Tomorrow’s Professionalism,” The Internal Auditor (October 1989), pp. 149.
Near, Janet P. and Marcia P. Miceli, The Internal Auditor’s Ultimate Responsibility: The Reporting of Sensitive Issues (Allamonte Springs, Florida: The Institute of Internal Auditors Research Foundation, 1988).
Peacock, Eileen and Sandra Pelfrey, “Internal Auditors and the Code of Conduct” Internal Auditor (February 1991) pp.4550.
Rodriguez, Clifton H., “Internal Auditing True/False A Real Profession,” Internal Auditing (Summer 1991), pp. 9396.
Roy, Robert H. and James H. MacNeill, Horizons for a Profession (New York: AICPA, 1967).
Sawyer, Lawrence B., “Internal Auditing: Practice and Professionalism” Internal Auditor (June 1991) pp. 3842.
Suchodolski, “Uncovering False Repoting to the Government” in Whistle Blowing: Loyalty and Disent in the Corporation, Westin, ed. (New York; McGrawHill 1981).
Thornhill, William T., “Beware of Wolves in Sheep’s Clothing,” Internal Auditing (Fall 1990), pp. 2934.
Tiessen, P. and M. Barrett, “Organizational Support for Internal Audit,” Internal Auditing (Fall 1989), pp. 3953.
Treadway Commission, Report of the National Commission on Fraudulent Financial Reporting (New York: AICPA, 1987).
Verschoor, Curtis C, “Measuring Audit Committee Effectiveness in the Defense Industry’,” Internal Auditing (Winter 1989), pp. 1325.
Vessel, Herbert, “Internal Auditors, Professionalism, and External Auditors’ Acceptance,” Internal Auditing (Fall 1991), pp. 8892.
Vinten, Gerald, “The Whistleblowing Internal Auditor: The Ethical Dilemma,” Internal Auditing (Fall 1992) pp. 2633.
Wells, Stephen F., “Ethics in Practice A Personal Challenge,” The Internal Auditor (February 1985), pp. 5862.
Westberry, James P., “The Pursuit of Professionalism,” Internal Auditor (April 1989), pp. 2229.
