Internal audit: A case study of impact and quality of an internal control audit

INTRODUCTION

In recent decades, there has been growing pressure on companies to improve internal controls—a development in which a number of events and stakeholders have joined forces. Increasing regulatory pressure, along with the economic consequences of ineffective internal controls, has been documented since the introduction of Sarbanes–Oxley (Ashbaugh‐Skaife et al., 2009). The financial crisis amplified this pressure by introducing a myriad of disclosure requirements which are dependent on effective internal controls regarding compliance and reporting (Van der Stede, 2011). Most recently, and due to procedural weaknesses and ineffective internal controls, a number of large money‐laundering cases have led to new regulatory requirements (Yeoh, 2020). Responding to the risk of not complying with these and other regulatory requirements, companies are motivated to use best practice guidelines and frameworks (Sarens & Christopher, 2010). Furthermore, there is a managerial desire to have well‐controlled business processes (Sarens et al., 2009).

Traditionally, when companies needed assistance regarding internal controls, they turned to the external auditor (EA) (Power, 2009). However, since Sarbanes–Oxley, the regulatory requirements governing the independence of EAs have been tightened, imposing restrictions on companies' use of EAs as advisers (Abbott et al., 2007). As an alternative, companies with an internal audit function (IAF) might utilise this resource; it seems that IAF has played a key role in providing advice and assurance about the quality of internal controls (Maijoor, 2000; Spira & Page, 2003) and that this importance has grown in recent years (Oussii & Boulila Taktak, 2018).

Even though it seems that IAF is an important player, it generally does not have a well‐defined role in relation to internal control (Arena & Sarens, 2015). 
Regarding internal controls we know that a competent and independent IAF decreases internal control deficiencies (Mazza & Azzali, 2015). Furthermore, competences can be proxied by number of severe internal control weaknesses detected by IAF (Oussii & Boulila Taktak, 2018) and effectiveness can be measured by the recommendation implementation rate (Turetken et al., 2020). However, considering IAF's importance, it is surprising that there is little academic knowledge about their impact on internal controls (Bame‐Aldred et al., 2012; Roussy et al., 2020). To improve this knowledge, the aim of this paper is to explore to what extent and how IAF affect internal controls. Further, the paper analyses whether this impact adds value to the company.

Recognising that IAFs vary in quality in terms of both independence and professional qualifications (Arena & Jeppesen, 2010), a single‐case study (Yin, 2009) has been performed of an IAF in a large Danish financial institution (the Group) governed by detailed regulatory EU‐based requirements.[1] The IAF studied is, according to the audit agreement governed by the audit committee, responsible for the internal control audit, including the related management letter reporting. To allow for comparison with other companies, the case study includes a contextual description of boundaries, role and qualifications. An important element of the context is the interaction between IAF and client, which is part of the management letter process. This process is a step‐by‐step interaction in which each step is settled before the next interaction occurs. One of the steps is an interaction on IAF's observations, which are assessed internal control weaknesses. The remainder of the management letter process involves interactions aimed at mitigating these weaknesses and reporting the result to management.

Responding to the research question, the analysis includes management letters for the period 2008–2017. 
The result of the analysis contributes with a detailed understanding of how IAF, through the management letter process, impacts the internal control system in a financial institution (Bame‐Aldred et al., 2012; Roussy et al., 2020). Beyond adding to the limited knowledge of IAF's impact on changes to internal controls, this study provides details about the quality assessment of internal audits (Trotman & Duncan, 2018).

The paper is organised as follows: Section 2 contains a description of the method. Section 3 presents the theoretical outline and conceptual framework. In Section 4, ‘Audit in the Group’, the management letter process and the interaction between IAF and client are illustrated and explained, and the contextual features are described. Sections 5 and 6 present the findings regarding the research question, and in Section 7, the case study is discussed and concluded.

METHOD

Because little is known about IAF's impact on internal controls, a single‐case study is used to explore the phenomenon in detail. This method is appropriate given that the focus is on a real‐life situation with a variety of data sources (Yin, 2009). Looking at the elements of the research question, the ‘extent’ of the impact is assessed primarily through an analysis of the management letters. This analysis is also used as a basis for gaining a general understanding of the management letter process. The main part of the case study, investigation into ‘how’ IAF affect internal controls, is based on a qualitative analysis of the interactions involved in the management letter process.

The data sources used include interviews of IAF and client staff, observations in meetings and archival documents, the management letters themselves and IAFs' supporting memos and working papers. Access was also granted to the annual customer satisfaction survey, through which IAF is evaluated by the client. The Group considers the information assessed and analysed to be confidential. 
The confidentiality agreement allowed me free access to information on the Group's premises. Further, I was placed in IAF, where I collected data alongside IAF and had immediate access to the staff. According to the terms of the confidentiality agreement, I was not allowed to remove information from the premises without approval from the head of IAF. To honour the confidentiality requirement, and to obtain sufficient evidence that the observations and quotes used in the paper would fairly represent the informants' attitudes, we agreed that the relevant sections of the paper should be reviewed by the informants. In addition, the Head of IAF reviewed the entirety of Section 4 (‘Audit in the Group’) and Section 6 (‘How does IAF affect internal controls?’).

The Group did not allow the use of a voice recorder. Instead, notes were taken during each interview, and memos were produced immediately after the meetings. Furthermore, we agreed that informal follow‐up meetings could be arranged if required. Because I was located in the IAF department and close to both first‐ and second‐line staff, the opportunity to go back to the interviewees was repeatedly taken, not only to clarify issues but also to expand the interviews and thereby obtain more information and a deeper understanding. The informal nature of the meetings resulted in interviews of more than 30 persons. The main informants were six IAF staff and five client representatives. The case study was initiated in June 2013 and finalised in November 2018.

The research approach is qualitative with a positivistic spirit (Power & Gendron, 2015). 
This classification is also supported by the researcher's cultural memory, which is based on years of audit experience (Daoust & Malsch, 2019), including a taken‐for‐granted assumption that work in general, this case study included, can be replicated to verify observations and conclusions.

Review—management letters

To clarify the extent of the impact, a detailed analysis was made of management letters covering the period 2008–2017. On an annual basis, 30–35 management letters are prepared, each with two to five recommendations. For the period analysed, a total of 821 recommendations were reported.

The management letter reporting in the Group consists of two sections: an audit memo and a management summary. Together, these sections fulfil the definition of a management letter (Manson et al., 2001). An important element in the management letter is the classification of recommendations (Hellman, 2006). The Group uses a prioritisation based on three categories (1, 2 and 3). This is comparable with American Institute of Certified Public Accountants (AICPA, 2008) classifications: ‘material weakness’ (1), ‘significant deficiency’ (2) and ‘deficiency’ (3). Furthermore, a long‐form audit report (LFAR) addressed to the board of directors is closely linked to the management letter process, as it summarises the result of the audit.

To classify the information by criteria other than level of priority, a coding of the wording of the observations, risk evaluations and recommendations was performed (Brinkmann & Kvale, 2015). Based on this coding, a number of classifications were derived, inspired by a study of management letters (Manson et al., 2001). If the observation or the risk evaluation included a reference that could be related to ‘legal’, ‘regulatory’ or ‘internal policy’ issues, it was classified accordingly. 
If no such reference was included, the recommendation was considered to be based on the auditor's professional judgement and was classified as ‘audit’.

Management letter process

To explore the nature of the interactions illustrated in Figure 2, responsive interviews (Rubin & Rubin, 2011) based on a number of main questions (Appendix A) were conducted with IAF and client staff. To support the dialogue and keep the conversations focused, the overview of the management letter process (Figure 2) and the combined IAF–client interaction model (Figure 1) were used. Furthermore, 10 recommendations were selected to provide detailed input to the assessment of the audit and business value of the IAF–client interaction and to the assessment of the quality dimension of the management letter process.

THEORETICAL OUTLINE AND CONCEPTUAL FRAMEWORK

The interaction between EA and client has been the subject of studies since 1991, when issues regarding the audit opinion on the financial statement were analysed by Antle and Nalebuff. Following this study, several other papers have focused on the interactions between EA and client regarding the audit of financial reporting; these include studies by Gibbins et al. (2001) and Beattie et al. (2004). The conceptual models described in these papers have been updated in subsequent studies by Salterio (2012) and Fearnley et al. (2011). These models focus on the interaction between EA and the client; in this, they differ from the present study, in which IAF performs the internal control audit. However, the nature of the IAF, including their independence from the executive board, is similar to that of an EA, and the quality of the work seems to be at the same level (Bame‐Aldred et al., 2012; Stefaniak et al., 2012). Consequently, the conceptual models of Salterio (2012) and Fearnley et al. (2011) are useful to guide the data collection and organise the observations supporting an analysis of IAF's impact on the company's internal controls. 
Derived from these studies, Figure 1 presents the model used in this paper.

Figure 1. Combined IAF–client interaction model based on Salterio (2012) and Fearnley et al. (2011)

Overall, the model is used to describe the behaviour (5) of IAF and the client when interacting regarding an issue (4) related to the management letter process (Figure 2). The output (6), which is a decision on the implementation of new controls or the improvement of existing ones, is classified as either a client, a joint or an IAF product. Furthermore, a number of contextual features—regulatory (1), general (2) and IAF/client (3)—affect the interaction between IAF and the client.

Interaction

The interaction begins with an ‘issue’ (4), which can be a recommendation or, later in the management letter process, a draft management summary or the LFAR. The nature of the behaviour exhibited in the interaction by both IAF and client (5) ranges from ‘permissive’ through ‘argumentative’ to ‘insisting’. ‘Insisting’ behaviour can be illustrated by a situation in which the IAF, due to professional responsibilities or legal requirements, have thresholds which cannot be exceeded. In contrast to ‘insisting’, ‘permissive’ behaviour is seen in situations in which one of the parties simply accepts the arguments of the other. A third type of situation, in which the behaviour of the parties is more mixed, or in which they try to find some middle ground, should also be anticipated (Kulset & Stuart, 2018; Murnighan & Bazerman, 1990). This intermediate style of interaction between ‘permissive’ and ‘insisting’ has been labelled ‘argumentative’. According to Beattie et al. (2000), interactions can range from an ‘exchange of information’ through ‘discussion’ to ‘negotiation’. Of these classifications, only ‘negotiation’ is clearly defined in the literature. These classifications are used to describe the combined behaviour of IAF and the client. 
The type of behaviour exhibited can also be viewed as a result of the interaction strategy chosen by IAF and the client. According to McCracken et al. (2011) an overall distributive interaction strategy can be either ‘contending’, ‘compromising’ or ‘conceding’. As an alternative, an integrative interaction strategy is focused on a joint problem solving, where the output both preserves IAF's objective and allows the client to feel that they have achieved their own objectives.

The output of the interaction (6) can be classified as either a client product, a joint product or an IAF product (Salterio, 2012). For a number of years, the annual report has been considered a joint product (Antle & Nalebuff, 1991).

The combined IAF–client interaction model addresses the output from an interaction perspective but does not consider the quality dimension. To access this dimension, the internal audit quality framework developed by Trotman and Duncan (2018) was utilised. This framework includes an assessment of five quality dimensions: ‘context’, ‘inputs’, ‘processes’, ‘outputs’ and ‘outcomes’. Even though the definitions differ, the combined IAF–client interaction model and the management letter process (Figure 2) provide input to the quality assessment of all dimensions except ‘outcomes’, which includes an assessment of ‘value‐add’. An indication of a value‐adding ‘outcome’ is acceptance of IAF's recommendations. This assessment of quality, based on considerations of specific dimensions, is distant from the value‐adding concepts previously promoted by the big audit firms (Power, 2000).

Contextual features

Contextual features (1), (2) and (3) are categories of factors that in varying degrees affect the core interaction. 
Examples of these, derived from the initial studies of the factors (Beattie et al., 2004; Gibbins et al., 2001) and subsequent, related papers by the same authors, have been added in a ‘bullet’ format.

The regulatory/legal context (1) has been analysed by Fearnley et al. (2011), who compare their results with those of the initial study by Beattie et al. (2004). The ‘risk of being caught’ has risen in the period between these two studies, and this has shifted the behaviour of the client (5) from insisting towards passive acceptance. One example is the impact of the Sarbanes–Oxley Act, through which auditors have been mandated more power, which has resulted in a move from a permissive to a more insisting style of behaviour (Brown & Wright, 2008).

Regarding the general interaction context (2), the ‘tone from the top’ (Lail et al., 2015) could be a policy by the board of directors on ‘no surprises’, which tends to make the parties more co‐operative (Fearnley et al., 2011). Again, one example is the Sarbanes–Oxley Act, which dictates that the auditor needs assurance in order to certify the internal controls. On the other hand, the cost of controls for complying with auditors' recommendations can be high (Carney, 2006). In such a situation, the preferences of the parties could differ.

The audit/client context (3) has been analysed in a number of studies. The development of this feature is analysed by Fearnley et al. (2011), who, in comparing with an early study by Beattie et al. (2000), find that the impact of the audit/client context has diminished relative to that of the regulatory/legal context. A different result is reported in a study on the effect of past client relationship, which concludes that the impact of the audit/client context is significant (Brown‐Liburd & Wright, 2011). The focus on ‘length of relationship’ is inspired by an interest in antecedents to present interactions (Salterio, 2012). 
For example, the behaviour chosen when dealing with a significant audit difference has been analysed in combination with the result of previous interactions (Hatfield et al., 2010). The study indicates that the magnitude of the audit difference influences the nature of the auditor's interaction, moving it in the direction of being more insisting. There is, however, also a pull in the opposite direction because client concessions from prior interactions could have the same impact.

AUDIT IN THE GROUP

Interaction between IAF and client

The result of an internal control audit is reported in a management letter (Manson et al., 2001). Although the management letter is formally prepared by the IAF, it is also the result of a process involving a number of interactions between IAF and the client. Because the Group had no existing description of the management letter process, an overview description was prepared, and handshake symbols were inserted where interaction between IAF and the client was identified; see Figure 2:

Figure 2. Management letter process—internal control audit—overview

The description is based on a review of the management letters supported by interviews of IAF staff responsible for the individual steps of the process. There are three documents prepared as part of the management letter process, an audit memo, the management summary and the LFAR.

Audit memo

The most detailed document in the management letter process is the audit memo, which describes the result of the internal control audit, focusing on the identified weaknesses. The main purpose is to communicate the result of the audit, mainly to the staff responsible for the reviewed processes. Appendix A to the audit memo includes the following headings in a table format: observation, risk evaluation, recommendation and local management's comments. A prioritisation (1–3) of the observations is also included. 
The first interaction in the management letter process is a meeting between the IAF manager and client staff in which the observations are presented and adjusted if necessary. The overall aim is to establish an objective description of the observations. Figure 2 refers to this interaction as ‘meeting about initial observations’.

The next step for the IAF is to prepare a description of the potential risk and a recommendation for mitigating the weakness. The second interaction is a meeting about the recommendation, in which the primary objective is to ensure that the improvements of internal controls will mitigate the risks identified.

When the above steps have been finalised, a draft report with observations, risk evaluation and recommendations is sent to local management. The main objective is for the local management to prepare comments upon the observations including a description of specific actions that will mitigate the risks and deadlines for implementation. The third interaction is a meeting between local management and IAF in which the draft audit memo is presented. In addition to agreeing on the description of the observations, actions, deadlines and so on, the prioritisation of the observations is another important issue, because all Priority 1 and some Priority 2 observations are included in the LFAR, which is forwarded to the Financial Supervisory Authorities (FSA). After the local management and IAF have agreed, the audit memo is finalised and signed by both parties.

Management summary

Using the signed audit memos, IAF prepares a management summary addressed to the executive board. The summary provides an overview of the observations from the audit memos, including prioritisation and a status (open/closed) on the action items from the local management comments. The fourth interaction is a meeting in which the draft management summary is presented to the executive board. 
At this meeting, the executive board comment on the conclusion, but the main issue is the open action items and a potential prioritisation of these at Group level. After agreement between the executive board and IAF is achieved, the management summary is finalised and signed by both parties.

Long‐form audit report

Every quarter, IAF prepares a draft LFAR for the board of directors (audit committee). The LFAR at an overall level describes the audit performed and provides a summary of the results, including all Priority 1 and some Priority 2 observations. There is no specific rule for the selection of Priority 2 observations, but observations related to compliance with FSA regulations are often included in the LFAR. The fifth interaction is a meeting with the same structure as those held with the executive board, but in which the reports presented are the signed management summary and the draft LFAR. Upon agreement, the LFAR is finalised and prepared for the board of directors. Because the audit committee members are also part of the board, the presentation is considered a formality, where the LFAR is signed by the board members and thus formally approved.

Contextual features

The combined interaction model (Figure 1) includes three contextual features that can describe the impact on the IAF–client interaction: ‘regulatory/legal’, ‘general interaction’ and ‘audit/client’.

Regulatory legal context

The Danish regulatory requirements are in all material aspects EU‐based, and most of the requirements governing IAF are included in the ‘Executive order on auditing financial undertakings etc. as well as financial Groups’ (EO, 2015). 
The main requirements, supporting independence from the client, are the following:

- Appointment and dismissal of the head of IAF must be made by the board of directors and approved by FSA.
- The budget for IAF must be approved by the board of directors.
- IAF are not allowed to perform any functions other than auditing.
- The audit must comply with generally accepted auditing standards and be performed in accordance with the audit agreement. Specific reference is made to ISA 315.
- EA must perform a sample‐based quality review of IAF work and report the result to the board of directors in the LFAR. Specific reference is made to ISA 610.[2]

The audit committee has responsibility for ensuring that an audit agreement is entered into between EA and IAF. According to the audit agreement, the internal control audit and the related management reporting are the responsibility of IAF, as is traditional (Arena & Sarens, 2015). In contrast, the audit of the financial statement is performed primarily by EA, supported by IAF staff. The co‐operation between EA and IAF results in an integrated financial and internal control audit (Kinney et al., 2013). The agreed sharing of the audit in the Group is consistent with the view that IAF have an advantage over EA, because they experience a higher level of identification with the business and know its processes better. IAF have a long‐term view, because they do not have to consider the renewal of the assignment and thus are able to provide a less lenient internal control evaluation (Stefaniak et al., 2012).

All activities in the Group are subject to mandatory inspections by FSA. An inspection normally covers a business area, and a total of four to six inspections are carried out annually. The reports from FSA must be published on the Group's homepage (EO, 2014). However, the inspection reports from FSA regarding internal controls are of a general nature and often lack any description of specific weaknesses. 
Although it may not be a primary objective, it seems that there is an impact of the mandatory inspections from FSA. This impact is recognised by the head of IT security, who also serves as an internal consultant in relation to internal control issues:

First‐line functions prefer to develop solutions that are reasonably secure—that way they avoid potential problems with IAF, us or FSA at a later stage. (Head of IT security)

General interaction context

The risk of being exposed to negative audit reports reflects the ‘tone from the top’, and compliance with financial legislation has a high priority for the board of directors. Without stating the fact in a formal policy, the board finds it unacceptable that there should be problems complying with regulatory requirements. Both company and personal issues are involved in this view:

Those who are on several financial services boards are more risk‐averse. They tend to be very careful not to be exposed to negative audit reports. (Board member)

The issue of being exposed is amplified by the fact that both the internal and external LFAR, addressed to the board of directors, must be forwarded to FSA. If critical matters are included, it should be expected that FSA will request further information, for example, the supporting management letters and minutes from board meetings. These requests are formally addressed to the board of directors. As a consequence of this practice, problems related to internal control identified by IAF and/or FSA are transparent to the audit committee and the board of directors.

The ‘tone from the top’ can also be of a more direct nature and driven by common sense considerations. A client manager explained an example of informal verbal communication from one of the board members:

I got a very clear message from a board member: ‘We don't want loans that exceed the collateral—none at all’. Needless to say, this gave rise to an internal review and a general clarification of the requirements to the employees. 
(Client manager)

IAF/client context

Although not a requirement, it is a long‐standing local practice that the head of IAF in major Danish financial institutions is a state‐authorised auditor. IAF staff members have degrees as state‐authorised auditors (20%), master's degrees in auditing (30%), master's degrees in finance (20%) and bachelor's degrees in accounting (30%). Except for the staff with master's degrees in finance, the other members have substantial experience working with a ‘Big 4’ audit firm. These past experiences have an impact on their professional identity as auditors (Daoust & Malsch, 2019). Supporting this identity, members of IAF have been active in the Institute of Internal Auditors and the Danish Institute of EA. Furthermore, some members of IAF teach auditing at master's level at Copenhagen Business School.

The IAF/client context is based on a working relationship of mutual respect, on both a personal and a professional level. In interviews with both IAF and client members, the working relationship was described as good. This view is supported by the annual customer satisfaction survey, in which IAF in summary is evaluated thus: ‘Excellent working relations—a constructive and objective partner’. The summary is supported by high scores in a number of areas, including ‘meet expectations’, ‘do things right the first time’, ‘responsibility’ and ‘understanding of the customer (client)’. It seems that the positive working relations affect the interactions in the management letter process:

We have only a very few examples of recommendations from IAF which seem unreasonable. We always ask for—and get—an explanation. In general, the recommendations are reasonable. (Client manager)

Furthermore, it seems that IAF also seeks to strike a balance between the potential improvement of internal controls and the total number of recommendations:

If we get a reasonable result (mitigation of risk), there is no need to go further. 
There is also the future working relation to consider. (IAF manager)

In an interview with the head of IAF about the specific interaction context, it was mentioned that:

We don't report minor details; it will just irritate the client and we will most likely have trouble getting through with the important issues. I believe that this approach explains why you don't see examples of withdrawn recommendations. (Head of IAF)

The value of the internal control audit, including the identification of weaknesses, also depends on the coordination of the audit (Lin et al., 2011). During the case study, meetings between IAF and EA were observed. These meetings related primarily to detailed planning and sharing of the results of the work performed. The nature of these meetings indicates a joint‐audit approach, which can be seen as a way of utilising the combined knowledge and thus improving the overall level of comfort (Sarens et al., 2009). Furthermore, in the year‐end LFAR, EA must state whether the work stipulated in the audit agreement has been carried out and whether IAF have performed satisfactorily, including remaining independent from the executive board. In each of the years included in the case study, EA reported that IAF met the regulatory requirements and that the result of the internal control audits supported the planned high control reliance.

TO WHAT EXTENT DOES IAF AFFECT INTERNAL CONTROLS?

The review of management letter reporting covering the period 2008–2017 included a total of 821 recommendations. 
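Table 1 presents the recommendations, classified by IAF's prioritisation and divided into implementation of new controls and improvement of existing ones:

Table 1. Summary of recommendations in management letters by priority

| Year | New controls: Total | New: Priority 1 | New: Priority 2 | New: Priority 3 | Existing controls: Total | Existing: Priority 1 | Existing: Priority 2 | Existing: Priority 3 | Total | Total: Priority 1 | Total: Priority 2 | Total: Priority 3 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2008 | 21 | 7 | 13 | 1 | 62 | 3 | 48 | 11 | 83 | 10 | 61 | 12 |
| 2009 | 45 | 8 | 33 | 4 | 55 | 7 | 42 | 6 | 100 | 15 | 75 | 10 |
| 2010 | 12 | 1 | 9 | 2 | 59 | 7 | 42 | 10 | 71 | 8 | 51 | 12 |
| 2011 | 21 | 1 | 14 | 6 | 59 | 7 | 41 | 11 | 80 | 8 | 55 | 17 |
| 2012 | 19 | 3 | 14 | 2 | 51 | 3 | 40 | 8 | 70 | 6 | 54 | 10 |
| 2013 | 19 | 1 | 15 | 3 | 52 | 4 | 38 | 10 | 71 | 5 | 53 | 13 |
| 2014 | 23 | 2 | 17 | 4 | 71 | 2 | 51 | 18 | 94 | 4 | 68 | 22 |
| 2015 | 20 | 3 | 10 | 7 | 53 | 2 | 34 | 17 | 73 | 5 | 44 | 24 |
| 2016 | 20 | 1 | 14 | 5 | 64 | 3 | 42 | 19 | 84 | 4 | 56 | 24 |
| 2017 | 23 | 1 | 19 | 3 | 72 | 3 | 49 | 20 | 95 | 4 | 68 | 23 |
| Total | 223 | 28 | 158 | 37 | 598 | 41 | 427 | 130 | 821 | 69 | 585 | 167 |

The only year with a significantly higher number of recommendations for new controls is 2009—following the financial crisis and an increase in new requirements from FSA (Van der Stede, 2011). Apart from 2009, the number of recommendations for new controls is stable at around 20 on an annual basis. The recommendations, classified by nature of requirement, are listed in Table 2:

Table 2. Recommendations classified by nature of requirement

| Requirement | New controls: Total | New: Priority 1 | New: Priority 2 | New: Priority 3 | Existing controls: Total | Existing: Priority 1 | Existing: Priority 2 | Existing: Priority 3 | Total | Total: Priority 1 | Total: Priority 2 | Total: Priority 3 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Legal | 23 | 0 | 22 | 1 | 54 | 3 | 31 | 20 | 77 | 3 | 53 | 21 |
| Regulatory (FSA) | 49 | 13 | 29 | 7 | 89 | 11 | 58 | 20 | 138 | 24 | 87 | 27 |
| Internal policy | 26 | 2 | 18 | 6 | 140 | 8 | 98 | 34 | 166 | 10 | 116 | 40 |
| Audit | 125 | 13 | 89 | 23 | 315 | 19 | 240 | 56 | 440 | 32 | 329 | 79 |
| Total | 223 | 28 | 158 | 37 | 598 | 41 | 427 | 130 | 821 | 69 | 585 | 167 |

Of the recommendations for implementation of new controls, 32% relate to legal and regulatory requirements, 12% to compliance with internal policies and 56% to IAF's professional judgement without reference to any specific requirement.

The review of the management letters also covered management comments, including deadlines for when the risks would be mitigated. There are some examples in which mitigating actions were delayed compared to the initial plan. The main explanation for these delays is that a number of recommendations had been used as input to the implementation of a new system, which might have resulted in a redesign of supporting processes and internal controls. 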
Based on a review of the database of recommendations maintained by IAF, all issues had, however, been closed by the time of the study. In summary, an average of approximately 20 new controls is implemented annually in response to the IAF's recommendations. Besides having a significant impact on the level of internal controls, the acceptance of all recommendations is an indication of a high quality IAF (Trotman & Duncan, 2018).

HOW DOES IAF AFFECT INTERNAL CONTROLS?

The analysis focuses on five interactions at different stages in the management letter process (see Figure 2):

1. Meeting about initial observations
2. Meeting about recommendations
3. Meeting about draft audit memo
4. Meeting about draft management summary
5. Meeting about draft LFAR

Meeting about initial observations

The audit typically results in a number of observations, which are documented in Appendix A to the audit memo. An observation is the most detailed level in the management letter and is the subject of the first interaction between IAF and the client. The objective of this interaction is to arrive at a common understanding of the observations, which are internal control weaknesses identified by IAF as part of the process audit (Figure 2). The basis for this agreement is that the IAF manager sends a draft of Appendix A to the client staff member who has been involved in the audit. If necessary, a meeting is held between the parties to clarify any misunderstandings and prepare any necessary adjustments to the description in order to make it as precise as possible.

Based on a review of changes to the draft appendices, working papers, memos, mails and supporting interviews with IAF staff, no unsolved disagreements were identified regarding the description of the observations. Neither have I been able to identify any ‘differing preferences’ (Salterio, 2012) which were not solved by the presentation of facts or any indications of insisting behaviour on the part of IAF. 
This finding is supported by two client managers representing different business units who jointly described the interaction with IAF as follows:

If they (IAF) have got a wrong impression of a procedure—they are willing to listen to valid arguments. (Client manager)

If there are different views, it is up to the client to present further documentation to support adjustments. Therefore, the meeting is an argumentative exchange of information supporting, adjusting or rejecting the observation, and the output is a joint product.

Meeting about recommendations

When the observations have been agreed upon, IAF prepares a risk evaluation and a recommendation, which is included in Appendix A to the audit memo. The recommendations that issue from this second interaction are sent to the same client staff member who previously approved the observations. From an IAF perspective, the objective of the recommendations is to improve the level of internal controls and thus obtain audit evidence from test of controls when the improvement is implemented (Eilifsen et al., 2010). IAF prepares the recommendation but is open to changes:

Regarding the recommendations, it is of less importance how the issue is solved. When we have agreed on an observation, it is up to the client to suggest a solution—as long as it works. But the recommendation should mitigate the risk—otherwise we must try again. We need to close the observation; how it happens is actually of minor importance. (IAF manager)

This view is supported by the head of IAF:

There is no point in preparing a recommendation if the client has no practical options for implementing an improvement. Then it is better to suggest another solution as long as the risk is mitigated. (Head of IAF)

This practical approach is also illustrated by the way the client handles the recommendation. 
Because it is the client's responsibility at a later stage to implement a solution, the client staff member often goes back to local management to agree on a solution.

The nature of both the IAF and client side of the interaction can be classified primarily as argumentative. There are, however, indications that IAF could insist if necessary. The statement that ‘the recommendation should mitigate the risk’ indicates the existence of minimum requirements for the solutions. The combined behaviour is, however, still a discussion aimed at describing a recommendation and a solution which can be implemented to fulfil the audit requirements. Therefore, the output of the interaction is a joint product because both parties take part in a co‐operative manner.

Meeting about draft audit memo

When the recommendations are agreed upon, Appendix A is finalised. This includes a prioritisation of observations. There are no formally defined criteria for the prioritisation, and according to the head of IAF, it is based on ‘professional judgment’ (see endnote 3). The prioritisation is of interest, because Priority 1 recommendations are always reported in the LFAR, together with some Priority 2 observations. Furthermore, IAF prepares a draft audit memo, which is a summary of observations and recommendations included in Appendix A. This document is the focus of the third interaction. The prioritisation is essential for the local management, and it is the main item on the agenda for the draft audit memo meeting:

The local managers don't mind our recommendations, and they prefer to have well‐controlled business processes. If we are reasonable with our recommendations, they comply. However, they do not like priority 1 observations. Being exposed to the board of directors is not seen as a desirable situation. 
(IAF manager)

A client manager agrees:

It is obvious that priority 1 recommendations can lead to reactions from the board of directors, which may cause unnecessary turmoil in the organisation—a situation we want to avoid for obvious reasons; but in general, the recommendations from IAF are reasonable. (Client manager)

A detailed review of draft and final audit memos indicates that the number of Priority 1 recommendations is reduced as a result of the interaction. IAF sometimes encounters a desire from local management to change the priorities:

… we might sometimes agree on a priority 2 instead of 1. It is, however, a bargaining situation—if we change priority from 1 to 2, we could perhaps agree to speed up the deadline for implementation. (Head of IAF)

The ‘deadline for implementation’ refers to the final element of Appendix A, which is the management comment. In this section, local management comments on the observations and recommendations and commits to a deadline. The deadline for mitigating the risk is important, because IAF follows up on the agreed deadlines on an ongoing basis.

The behaviour exhibited by both IAF and the client is classified as argumentative leaning towards insisting, and the combined nature of the interaction is classed as a negotiation. This is mainly due to the potential exposure to the board of directors. When the management comments have been finalised, the audit memo is signed by both parties. Even though the number of Priority 1 recommendations is reduced as a result of the interaction, IAF make the final decision. Therefore, the draft audit memo should be classified as primarily an IAF product.

Meeting about draft management summary

Based on the audit memos, IAF prepares a management summary. This document is the fourth issue that results in interaction and is presented at a meeting with the executive board. As part of the case study, draft and final management summaries were compared. 
Only very few changes were made, and they all concerned how to prioritise the various implementation projects aimed at mitigating the identified risks. Because the executive board has a consolidated view on these projects, this might have an impact on the solutions and the deadlines agreed with local management:

It is a management decision how to prioritise the resources—and it is clearly not our job to be involved in this process. We accept the decisions and plan our audit accordingly. (Head of IAF)

This is seen as a permissive attitude based on a professional understanding of roles and responsibilities, including potential independence issues. Because the changes to the draft management summary are the result of management decisions, the output is classified as a client product.

Meeting about draft long‐form audit report

The fifth issue is the LFAR report, which includes descriptions of all Priority 1 and some Priority 2 recommendations. This document is sent to the audit committee and presented at a meeting. According to the head of IAF, the meeting with the audit committee is of a formal nature, and the document is owned by IAF:

It is our document and our professional responsibility. Further, we have been involved in the whole process, and therefore it is not acceptable if the audit committee changes our professional judgment. (Head of IAF)

I see this as an indication that the behaviour of IAF is argumentative, leaning towards insisting, and the meeting should be classified as an exchange of information. A review of draft and final LFARs revealed no substantive changes. This can also be explained by the fact that the audit committee is involved in the management letter process at a rather late stage, when all other parties have agreed on the details. The output is the final LFAR, which is signed by the board of directors. 
The document is an IAF product, because IAF has both the formal and the actual responsibility.

Outcome of the management letter process

The output from the management letter process and the combined IAF–client interaction model is a joint product defined as a number of accepted audit recommendations. After implementation of these recommendations, the outcome is an improved level of internal control. Assessing the audit and business value of this outcome, I presented the respondents with a number of specific recommendations, asking the client to evaluate the business value and IAF to evaluate the audit value. As part of this assessment, we asked the respondents to consider that the Group is governed by regulatory requirements, which might overrule business‐driven considerations.

The business value of the improved level of internal controls was discussed with client managers. It was recognised that the recommended internal control improvements without exception were required to mitigate business risks, but sometimes, the supporting formalistic documentation is seen as being mainly a defence against FSA that does not serve a business purpose. As an example, IAF had observed ‘Failure to comply with FSA's documentation requirements and loan limits’ and recommended ‘… a review of real estate loans to ensure compliance with FSA's loan limits and documentation requirements’:

This is a typical recommendation primarily for the benefit of FSA. The control is performed as expected, but not documented according to requirements from FSA. From a business perspective it makes no difference—but we accept the recommendation and see it as a defence when we have inspections from FSA. (Client manager)

The evaluation of the audit value of the recommendations was based on a discussion with the head and deputy of IAF. 
They explained that all audits were performed according to the annual audit plan and standard audit instructions but, for 50% of them, additional work was performed due to requirements from FSA:

Due to information from network groups, we pay more attention to areas which we know that FSA is aware of. If, for example, another bank has struggled with FSA regarding real estate loans, we use additional resources to ensure that all risks are mitigated. You might say that the audit serves both a traditional audit purpose and at the same time as a kind of defence against FSA. After all, we prefer to have a good reputation and working relations with FSA—it makes things much easier. (Deputy head of IAF)

These comments lead to a question about the extent of this extra work related to internal controls initiated by FSA:

All the specific recommendations would have been included in the management letters if the audit had been performed in a situation where we didn't have to consider regulatory requirements. The only difference is that two recommendations would most likely not have been included in the LFAR. (Head of IAF)

Both recommendations relate to failure to comply with regulatory requirements. The first recommendation is implementation of a system‐based access control aiming at ensuring that employees working in more than one legal entity comply with FSA's requirement for ‘double employment’. The second recommendation, ‘… a review of real estate loans to ensure compliance with FSA's loan limits and documentation requirements’, is also commented on by a client manager (see above).

This assessment supports the conclusion that recommendations would have been included in the management letters independent of the regulatory requirements and that they add value from an audit perspective.

The recommendations were also discussed with a client manager with professional audit as well as business experience. 
In general, he agreed with both the IAF and client evaluation and summarised the situation as follows:

They are recommendations which FSA would no doubt report—most likely as orders—and with good reason. However, we should have proper internal controls in place in these areas no matter what FSA might say. (Head of IT security)

Regarding one specific recommendation, he was even clearer. IAF had observed ‘Inadequate testing of an external developed IT system. The “system” calculates impairment on loans without considering guarantees and does not use updated values of other securities’. Based on this observation, it was recommended that ‘procedures should be established ensuring that external developed applications are tested before implementation. Furthermore, a critical review of the “system” to correct the above and any other errors’:

The recommendation and our mitigation of the risk are totally independent of whether FSA exists or not. The issue is too important from both an audit and a business perspective to be affected by FSA's assessment. (Head of IT security)

Based on these discussions, it seems that all respondents recognise the regulatory requirements. However, the outcome of the management letter process, the improved level of internal control, would have been implemented independently of the regulatory requirements because IAF's recommendations add value from both an audit and a client perspective.

DISCUSSION AND CONCLUSION

Based on a single‐case study, the management letters from IAF and the supporting process in a large financial institution were analysed. In the case study, IAF is organised, staffed and working in such a way that EA can rely on the work delivered at a level of high control reliance. IAF performs only auditing and is not involved in any other roles. This clear role definition is both supported by regulatory requirements and recognised as agreed local practice. 
Consequently, IAF complies with general independence and ethical requirements.

As part of the study, a detailed review was conducted of the management letter reporting of the internal control audits for 2008–2017. The review clarified the extent to which IAF impact internal controls. In total, 223 (27%) of the observations resulted in recommendations for implementation of new controls. The remaining 598 (73%) relate to improvements to existing controls, including documentation. All recommendations reported in management letters are implemented, without exception. Based on this analysis, IAF have a significant impact on internal controls and deliver work at a high quality (Trotman & Duncan, 2018).

As a basis for the analysis of how IAF affect internal controls, a description of the management letter process was established, including five interactions between IAF and the client (Figure 2). To contribute to an understanding of how internal control audits impact internal controls, these interactions were analysed based on the theories of audit–client interaction (Fearnley et al., 2011; Salterio, 2012). The results are summarised in Table 3:

TABLE 3 Summary of the nature of interaction viewed through the combined model (Figure 2)

| Meeting regarding | Behaviour: IAF | Behaviour: Client | Behaviour: Combined | Output |
|---|---|---|---|---|
| 1. Initial observations | Argumentative | Argumentative | Exchange of information | Joint product |
| 2. Recommendations | Argumentative/insisting | Argumentative | Discussion | Joint product |
| 3. Draft audit memo | Argumentative/insisting | Argumentative/insisting | Negotiation | IAF product |
| 4. Draft management summary | Permissive | Argumentative/insisting | Exchange of information | Client product |
| 5. Draft long‐form audit report | Argumentative/insisting | Permissive | Exchange of information | IAF product |

IAF and the client both exhibit mixed behaviour, but their behaviour is predominantly argumentative when making decisions regarding internal control audits. The examples of mixed behaviour are as expected (Murnighan & Bazerman, 1990). 
The mixed behaviour is also supported by IAF as they consider when ‘enough is enough’ with the aim of supporting the long‐term relationship (Stefaniak et al., 2012). The combined IAF and client behaviour is primarily an exchange of information in which issues are presented at meetings between IAF and the client and the quality of information decides the output of the interaction. There are, however, two exceptions, namely, the overall prioritisation of the resources required to improve existing controls or implement new ones and the LFAR. The prioritisation of resources is a management responsibility and thus a client product, and IAF fully respect the authority of the executive board. The LFAR, on the other hand, is IAF's responsibility, being their report to the board of directors, and consequently it is an IAF product.

A key element in the management letter process is the meeting regarding the initial observation, where a common understanding of an internal control weakness is established. The remainder of the management letter process might be considered as interactions aimed at mitigating this weakness and reporting the result to management. Even though IAF's behaviour in these remaining interactions is predominantly argumentative/insisting, the interaction strategy could be seen as integrative, aiming at joint problem solving (McCracken et al., 2011). Supporting this view, the ‘trade‐off’, from an IAF perspective, is the prioritisation of the recommendations, whereas their key objective of mitigating the audit risk is not discussed. Mitigation of audit risk is achieved, because the output of the IAF–client interaction is the decision on implementation of new controls or improvement of existing ones, which should be considered a joint product. This joint product and understanding have been established through a step‐by‐step process in which disagreements are settled before the next step is started. 
The fact that different levels of employees have agreed the ‘step‐by‐step’ interactions might explain an unconditional acceptance from the audit committee. Potentially, the audit committee, and therefore also the board of directors, could disagree with the recommendations, but then, they would be in opposition to both IAF and the business decisions taken as part of the management letter process.

This conclusion regarding co‐operation is different from that of a study by Hellman (2006) in which the client was found to be more aggressive towards the auditors and disagreements were reported. However, there is an important contextual difference, because the study by Hellman (2006) is based on management letters produced in the period 1999–2001, before the requirements regarding audit independence imposed by Sarbanes–Oxley. In that period, the audit approach was focused on delivering ‘added value’ to the client (Power, 2000). Furthermore, that study concludes that the audit was considered useful if it supported the hierarchical management control in the company (Hellman, 2006). This top‐down approach differs significantly from the ‘bottom‐up’ audit in the management letter process, in which each interaction is agreed before proceeding to the next level. Also, the recommendations in the management letters in the present case study are based on a strict internal control evaluation.

Even though a strict internal control assessment might be distant from the ‘added value’ approaches promoted by the big audit firms (Power, 2000), the internal control audit performed by IAF seems to add value. This conclusion is supported by viewing the result of the case study through the lens of internal audit quality (Trotman & Duncan, 2018). The technical skills and experience of IAF match the qualifications seen in big audit firms. 
Furthermore, it seems that objectivity (Stefaniak et al., 2012) and soft skills are at the same level, which is supported by the annual customer (client) satisfaction surveys. The ‘technical production’ and ‘service interaction’ dimensions, supported by the management letter process and the step‐by‐step structure and acceptance, seem to be crucial to the classification of the outcome as value‐adding. The outcome of this process is an improved level of internal controls that is unconditionally accepted by the client. This is seen as an indication of a valuable outcome adding both significant business and audit value through the mitigation of risk. Mitigation of the audit risk is supported by the annual formal statement from EA accepting the result of the internal control audits and the full integration of it in the remaining part of the audit of the Group's annual report, which is based on a high control reliance. Consequently, the result illustrates a fully integrated financial and internal control audit (Kinney et al., 2013). Furthermore, it seems that the regulatory requirements only have a limited impact, because almost all recommendations would have been implemented independently of the regulatory regime. This result differs from those of previous studies regarding financial reporting in which the risk of being caught has been found to be the most important contextual feature (Fearnley et al., 2011).

This paper contributes with a detailed understanding of how IAF impact the internal controls system in a financial institution (Bame‐Aldred et al., 2012; Roussy et al., 2020). It also adds a deeper understanding of the management letter process compared to previous studies. Furthermore, the results suggest that the audit approach documented in the management letter process, including the step‐by‐step settlement of the interactions, is crucial to an assessment of the outcome as value‐adding. 
This suggestion adds detail to the ‘technical production’ and ‘service interaction’ dimensions included in the ‘Internal Audit Quality Framework’ by Trotman and Duncan (2018).

Based on a review of management letters covering a period of 10 years, it seems that the auditors continue each year to issue new recommendations for improvements to internal controls. It could be of interest for further research to explore how this is possible. One explanation could be that the systems and procedures after an implementation project is finalised fail to include an ongoing improvement matching contextual changes. An alternative or supplementary explanation might be that system implementations are primarily considered a technology‐driven activity that does not include internal control requirements. Furthermore, IAF have indicated that they use additional resources to meet regulatory requirements. It could be of interest for future research to explore the nature and magnitude of the burden and how much additional work this requires beyond what is needed to mitigate the audit risk. Considering mitigation of risk, the case identified an overlap between mitigation of audit and business risk, supporting a joint interest between auditor and client. It could be of interest for further research to analyse the impact of this overlap on internal control audits.

There are some weaknesses in and limitations to the study. The analysis is based on a specific set of interactions between IAF and the client in a major financial institution. The management letter process, including the interactions involved and the co‐operation between IAF and EA, might be different in other companies. 
These limitations notwithstanding, the study contributes to an understanding of the extent to which IAF affect internal controls and how they do so.

ACKNOWLEDGEMENT

There are no funders to report for this submission.

CONFLICT OF INTEREST

No conflict of interest.

ETHICS STATEMENT

I confirm complying with Wiley's Guidelines on Publishing Ethics.

AUTHOR CONTRIBUTION

The author confirms sole responsibility for the following: study conception and design, data collection, analysis and interpretation of results and manuscript preparation.

DATA AVAILABILITY STATEMENT

The data that support the findings of this study are available from the corresponding author upon reasonable request.

ENDNOTES

1. An important objective of the regulatory requirements is to support independence from the client and in particular the executive functions. The term ‘client’ is consistently used by IAF, and by, for example, Arena and Jeppesen (2010), when referring to the executive functions.
2. The references to ISA 315 and 610 are also included in the description of the relation between internal and external audit in ‘The internal audit function in banks’ (Bank for International Settlements [BIS], 2012).
3. ‘Auditor's professional judgment’ is also used by International Federation of Accountants (IFAC, 2009) as a guideline for ranking findings.

REFERENCES

Abbott, L. J., Parker, S., Peters, G. F., & Rama, D. V. (2007). Corporate governance, audit quality, and the Sarbanes‐Oxley Act: Evidence from internal audit outsourcing. The Accounting Review, 82(4), 803–835.
American Institute of Certified Public Accountants. (2008). Communicating internal control related matters identified in an audit. Statement on Auditing Standards No. 115. AICPA.
Antle, R., & Nalebuff, B. (1991). Conservatism and auditor‐client negotiations. Journal of Accounting Research, 29, 31–54.
Arena, M., & Jeppesen, K. K. (2010). The jurisdiction of internal auditing and the quest for professionalization: The Danish case. 
International Journal of Auditing, 14(2), 111–129.
Arena, M., & Sarens, G. (2015). Internal auditing: Creating stepping stones for the future. International Journal of Auditing, 19(3), 131–133.
Ashbaugh‐Skaife, H., Collins, D. W., Kinney, W. R. Jr., & LaFond, R. (2009). The effect of SOX internal control deficiencies on firm risk and cost of equity. Journal of Accounting Research, 47(1), 1–43.
Bame‐Aldred, C. W., Brandon, D. M., Messier, W. F. Jr., Rittenberg, L. E., & Stefaniak, C. M. (2012). A summary of research on external auditor reliance on the internal audit function. Auditing: A Journal of Practice & Theory, 32(sp1), 251–286.
Bank for International Settlements. (2012). The internal audit function in banks. BIS.
Beattie, V., Fearnley, S., & Brandt, R. (2000). Behind the audit report: A descriptive study of discussions and negotiations between auditors and directors. International Journal of Auditing, 4(2), 177–202.
Beattie, V., Fearnley, S., & Brandt, R. (2004). A grounded theory model of auditor‐client negotiations. International Journal of Auditing, 8(1), 1–19.
Brinkmann, S., & Kvale, S. (2015). Interviews: Learning the craft of qualitative research interviewing (Vol. 3). Sage.
Brown, H. L., & Wright, A. M. (2008). Negotiation research in auditing. Accounting Horizons, 22(1), 91–109.
Brown‐Liburd, H. L., & Wright, A. M. (2011). The effect of past client relationship and strength of the audit committee on auditor negotiations. Auditing: A Journal of Practice & Theory, 30(4), 51–69.
Carney, W. J. (2006). The costs of being public after Sarbanes‐Oxley: The irony of going private. Emory LJ, 55, 141.
Daoust, L., & Malsch, B. (2019). How ex‐auditors remember their past: The transformation of audit experience into cultural memory. Accounting, Organizations and Society, 77, 101050.
Eilifsen, A., Messier, W. F., Glover, S. M., & Prawitt, D. F. (2010). Auditing and assurance services. McGraw‐Hill Higher Education.
EO. (2014). Executive Order no. 1567 of 23 December 2014. 
Executive order on auditing financial undertakings etc. obligation to publish FSA's assessments. Available in Danish—https://www.finanstilsynet.dk/
EO. (2015). Executive Order no. 1912 of 30 December 2015. Executive order on auditing financial undertakings etc. as well as financial groups. https://www.finanstilsynet.dk/
Fearnley, S., Beattie, V., & Hines, T. (2011). Reaching key financial reporting decisions: How directors and auditors interact. John Wiley & Sons.
Gibbins, M., Salterio, S., & Webb, A. (2001). Evidence about auditor–client management negotiation concerning client's financial reporting. Journal of Accounting Research, 39(3), 535–563.
Hatfield, R. C., Houston, R. W., Stefaniak, C. M., & Usrey, S. (2010). The effect of magnitude of audit difference and prior client concessions on negotiations of proposed adjustments. The Accounting Review, 85(5), 1647–1668.
Hellman, N. (2006). Auditor–client interaction and client usefulness—A Swedish case study. International Journal of Auditing, 10(2), 99–124.
International Federation of Accountants. (2009). International Auditing and Assurance Standards Board (IAASB), International Standard on Auditing 265, Communicating deficiencies in internal control to those charged with governance and management.
Kinney, W. R. Jr., Martin, R. D., & Shepardson, M. L. (2013). Reflections on a decade of SOX 404 (b) audit production and alternatives. Accounting Horizons, 27(4), 799–813.
Kulset, E., & Stuart, I. (2018). Auditor–client negotiations over disputed accounting issues: Evidence from one of the Norwegian Big 4 firms. International Journal of Auditing, 22(3), 435–448.
Lail, B., MacGregor, J., Stuebs, M., & Thomasson, T. (2015). The influence of regulatory approach on tone at the top. Journal of Business Ethics, 126(1), 25–37.
Lin, S., Pizzini, M., Vargus, M., & Bardhan, I. R. (2011). The role of the internal audit function in the disclosure of material weaknesses. The Accounting Review, 86(1), 287–323.
Maijoor, S. (2000). 
The internal control explosion. International Journal of Auditing, 4(1), 101–109.
Manson, S., McCartney, S., & Sherer, M. (2001). The value of management letters to unlisted companies. The British Accounting Review, 33(4), 549–568.
Mazza, T., & Azzali, S. (2015). Effects of internal audit quality on the severity and persistence of controls deficiencies. International Journal of Auditing, 19(3), 148–165.
McCracken, S., Salterio, S. E., & Schmidt, R. N. (2011). Do managers intend to use the same negotiation strategies as partners? Behavioral Research in Accounting, 23(1), 131–160.
Murnighan, J. K., & Bazerman, M. H. (1990). A perspective on negotiation research in accounting and auditing. Accounting Review, 65(3), 642–657.
Oussii, A. A., & Boulila Taktak, N. (2018). The impact of internal audit function characteristics on internal control quality. Managerial Auditing Journal, 33(5), 450–469.
Power, M. (2000). The audit society—Second thoughts. International Journal of Auditing, 4(1), 111–119.
Power, M. (2009). The risk management of nothing. Accounting, Organizations and Society, 34(6–7), 849–855.
Power, M. K., & Gendron, Y. (2015). Qualitative research in auditing: A methodological roadmap. Auditing: A Journal of Practice & Theory, 34(2), 147–165.
Roussy, M., Barbe, O., & Raimbault, S. (2020). Internal audit: From effectiveness to organizational significance. Managerial Auditing Journal, 35(2), 322–342.
Rubin, H. J., & Rubin, I. S. (2011). Qualitative interviewing: The art of hearing data. Sage.
Salterio, S. E. (2012). Fifteen years in the trenches: Auditor–client negotiations exposed and explored. Accounting and Finance, 52, 233–286.
Sarens, G., & Christopher, J. (2010). The association between corporate governance guidelines and risk management and internal control practices: Evidence from a comparative study. Managerial Auditing Journal, 25(4), 288–308.
Sarens, G., De Beelde, I., & Everaert, P. (2009). Internal audit: A comfort provider to the audit committee. 
The British Accounting Review, 41(2), 90–106.
Spira, L. F., & Page, M. (2003). Risk management: The reinvention of internal control and the changing role of internal audit. Accounting, Auditing & Accountability Journal, 16(4), 640–661.
Stefaniak, C. M., Houston, R. W., & Cornell, R. M. (2012). The effects of employer and client identification on internal and external auditors' evaluations of internal control deficiencies. Auditing: A Journal of Practice & Theory, 31(1), 39–56.
Trotman, A. J., & Duncan, K. R. (2018). Internal audit quality: Insights from audit committee members, senior management, and internal auditors. Auditing: A Journal of Practice & Theory, 37(4), 235–259.
Turetken, O., Jethefer, S., & Ozkan, B. (2020). Internal audit effectiveness: operationalization and influencing factors. Managerial Auditing Journal, 35(2), 238–271.
Van der Stede, W. A. (2011). Management accounting research in the wake of the crisis: Some reflections. The European Accounting Review, 20(4), 605–623.
Yeoh, P. (2020). Banks' vulnerabilities to money laundering activities. Journal of Money Laundering Control, 23(1), 122–135.
Yin, R. K. (2009). Case study research: Design and methods (applied social research methods). Sage.

APPENDIX A

INTERVIEW GUIDE

As part of the introduction to the first employee interview, I made a brief presentation of the project and the research question. This included an introduction to the overview of the management letter process (Figure 1) and the combined IAF–client interaction model (Figure 2). After the introduction, the discussion began. 
Depending on the area, the interview focused on either ‘how?’ or ‘why?’ questions:

A.1 Main ‘how?’ questions

- Based on the description of the management letter process, where do you see yourself?
- What is your role in the process (or interaction)?
- How would you describe your working relationship with IAF (or the client)?
- Could you give examples of how you interact with IAF (or the client)?
- I have established a scale describing the behaviour of IAF (or the client)—see Figure 2. Where do you see IAF (or the client)?
- The part of the process you are involved in—what is the outcome?
- Do you have an impact on the outcome, and could you give some examples?
- I have established a scale describing the outcome, which you can see in Figure 2. How would you classify the outcome?

A.2 Main ‘why?’ questions

The interviews focusing on the ‘why?’ questions were conducted after the conclusion of the ‘how?’ part had been established. Consequently, the introduction included a brief summary of the result of this work (joint product based on objective arguments).

- I have established three categories of contextual features (Figure 2). Do you think that any of these have an impact on your co‐operation with IAF in the management letter process?
- As part of the ‘how?’ questions, I asked about the working relationship with IAF. Do you think that this has an impact?
- In your view, what is the impact of the board (i.e., the ‘tone from the top’) and the behaviour of the management in general?
- Can you provide examples of how the board or management has intervened in the process or has otherwise had an indirect impact?
- In your view, what is the impact of FSA?
- Can you provide examples of how FSA has intervened in the process or has otherwise had an indirect impact?
- Which one (management or FSA) do you consider to be the most important, and why?
- Regarding the specific meeting—are there examples in which the agreement reached on one issue could have an impact on the rest of the issues to be discussed?
International Journal of Auditing, Wiley

Internal audit: A case study of impact and quality of an internal control audit

International Journal of Auditing, Volume 26 (3) – Jul 1, 2022

Publisher: Wiley
Copyright: © 2022 John Wiley & Sons Ltd
ISSN: 1090-6738
eISSN: 1099-1123
DOI: 10.1111/ijau.12280

Abstract

INTRODUCTION

In recent decades, there has been growing pressure on companies to improve internal controls—a development in which a number of events and stakeholders have joined forces. Increasing regulatory pressure, along with the economic consequences of ineffective internal controls, has been documented since the introduction of Sarbanes–Oxley (Ashbaugh‐Skaife et al., 2009). The financial crisis amplified this pressure by introducing a myriad of disclosure requirements which are dependent on effective internal controls regarding compliance and reporting (Van der Stede, 2011). Most recently, and due to procedural weaknesses and ineffective internal controls, a number of large money‐laundering cases have led to new regulatory requirements (Yeoh, 2020). Responding to the risk of not complying with these and other regulatory requirements, companies are motivated to use best practice guidelines and frameworks (Sarens & Christopher, 2010). Furthermore, there is a managerial desire to have well‐controlled business processes (Sarens et al., 2009).

Traditionally, when companies needed assistance regarding internal controls, they turned to external auditor (EA) (Power, 2009). However, since Sarbanes–Oxley, the regulatory requirements governing the independence of EAs have been tightened, imposing restrictions on companies' use of EAs as advisers (Abbott et al., 2007). As an alternative, companies with an internal audit function (IAF) might utilise this resource; it seems that IAF has played a key role in providing advice and assurance about the quality of internal controls (Maijoor, 2000; Spira & Page, 2003) and that this importance has grown in recent years (Oussii & Boulila Taktak, 2018).

Even though it seems that IAF are an important player, it generally does not have a well‐defined role in relation to internal control (Arena & Sarens, 2015). 
Regarding internal controls we know that a competent and independent IAF decreases internal control deficiencies (Mazza & Azzali, 2015). Furthermore, competences can be proxied by number of severe internal control weaknesses detected by IAF (Oussii & Boulila Taktak, 2018) and effectiveness can be measured by the recommendation implementation rate (Turetken et al., 2020). However, considering IAF's importance, it is surprising that there is little academic knowledge about their impact on internal controls (Bame‐Aldred et al., 2012; Roussy et al., 2020). To improve this knowledge, the aim of this paper is to explore to what extent and how IAF affect internal controls. Further, the paper analyses whether this impact adds value to the company.

Recognising that IAFs vary in quality in terms of both independence and professional qualifications (Arena & Jeppesen, 2010), a single‐case study (Yin, 2009) has been performed of an IAF in a large Danish financial institution (the Group) governed by detailed regulatory EU‐based requirements.¹ The IAF studied is, according to the audit agreement governed by the audit committee, responsible for the internal control audit, including the related management letter reporting. To allow for comparison with other companies, the case study includes a contextual description of boundaries, role and qualifications. An important element of the context is the interaction between IAF and client, which is part of the management letter process. This process is a step‐by‐step interaction in which each step is settled before the next interaction occurs. One of the steps is an interaction on IAF's observations, which are assessed internal control weaknesses. The remainder of the management letter process involves interactions aimed at mitigating these weaknesses and reporting the result to management.

Responding to the research question, the analysis includes management letters for the period 2008–2017. 
The result of the analysis contributes with a detailed understanding of how IAF, through the management letter process, impacts the internal control system in a financial institution (Bame‐Aldred et al., 2012; Roussy et al., 2020). Beyond adding to the limited knowledge of IAF's impact on changes to internal controls this study provides details about the quality assessment of internal audits (Trotman & Duncan, 2018).

The paper is organised as follows: Section 2 contains a description of the method. Section 3 presents the theoretical outline and conceptual framework. In Section 4, ‘Audit in the Group’, the management letter process and the interaction between IAF and client is illustrated and explained, and the contextual features are described. Section 5 and 6 present the findings regarding the research question, and in Section 7, the case study is discussed and concluded.

METHOD

Because little is known about IAF's impact on internal controls, a single‐case study is used to explore the phenomenon in detail. This method is appropriate given that the focus is on a real‐life situation with a variety of data sources (Yin, 2009). Looking at the elements of the research question, the ‘extent’ of the impact is assessed primarily through an analysis of the management letters. This analysis is also used as a basis for gaining a general understanding of the management letter process. The main part of the case study, investigation into ‘how’ IAF affect internal controls, is based on a qualitative analysis of the interactions involved in the management letter process.

The data sources used include interviews of IAF and client staff, observations in meetings and archival documents, the management letters themselves and IAFs' supporting memos and working papers. Access was also granted to the annual customer satisfaction survey, through which IAF is evaluated by the client. The Group considers the information assessed and analysed to be confidential. 
The confidentiality agreement allowed me free access to information on the Group's premises. Further, I was placed in IAF, where I collected data alongside IAF and had immediate access to the staff. According to the terms of the confidentiality agreement, I was not allowed to remove information from the premises without approval from the head of IAF. To honour the confidentiality requirement, and to obtain sufficient evidence that the observations and quotes used in the paper would fairly represent the informants' attitudes, we agreed that the relevant sections of the paper should be reviewed by the informants. In addition, the Head of IAF reviewed the entirety of Section 4 (‘Audit in the Group’) and Section 6 (‘How does IAF affect internal controls?’).

The Group did not allow the use of a voice recorder. Instead, notes were taken during each interview, and memos were produced immediately after the meetings. Furthermore, we agreed that informal follow‐up meetings could be arranged if required. Because I was located in the IAF department and close to both first‐ and second‐line staff, the opportunity to go back to the interviewees was repeatedly taken, not only to clarify issues but also to expand the interviews and thereby obtain more information and a deeper understanding. The informal nature of the meetings resulted in interviews of more than 30 persons. The main informants were six IAF staff and five client representatives. The case study was initiated in June 2013 and finalised in November 2018.

The research approach is qualitative with a positivistic spirit (Power & Gendron, 2015). 
This classification is also supported by the researcher's cultural memory, which is based on years of audit experience (Daoust & Malsch, 2019), including a taken‐for‐granted assumption that work in general, this case study included, can be replicated to verify observations and conclusions.

Review—management letters

To clarify the extent of the impact, a detailed analysis was made of management letters covering the period 2008–2017. On an annual basis, 30–35 management letters are prepared, each with two to five recommendations. For the period analysed, a total of 821 recommendations were reported.

The management letter reporting in the Group consists of two sections: an audit memo and a management summary. Together, these sections fulfil the definition of a management letter (Manson et al., 2001). An important element in the management letter is the classification of recommendations (Hellman, 2006). The Group uses a prioritisation based on three categories (1, 2 and 3). This is comparable with American Institute of Certified Public Accountants (AICPA, 2008) classifications: ‘material weakness’ (1), ‘significant deficiency’ (2) and ‘deficiency’ (3). Furthermore, a long‐form audit report (LFAR) addressed to the board of directors is closely linked to the management letter process, as it summarises the result of the audit.

To classify the information by criteria other than level of priority, a coding of the wording of the observations, risk evaluations and recommendations was performed (Brinkmann & Kvale, 2015). Based on this coding, a number of classifications were derived, inspired by a study of management letters (Manson et al., 2001). If the observation or the risk evaluation included a reference that could be related to ‘legal’, ‘regulatory’ or ‘internal policy’ issues, it was classified accordingly. 
If no such reference was included, the recommendation was considered to be based on the auditor's professional judgement and was classified as ‘audit’.

Management letter process

To explore the nature of the interactions illustrated in Figure 2, responsive interviews (Rubin & Rubin, 2011) based on a number of main questions (Appendix A) were conducted with IAF and client staff. To support the dialogue and keep the conversations focused, the overview of the management letter process (Figure 2) and the combined IAF–client interaction model (Figure 1) were used. Furthermore, 10 recommendations were selected to provide detailed input to the assessment of the audit and business value of the IAF–client interaction and to the assessment of the quality dimension of the management letter process.

THEORETICAL OUTLINE AND CONCEPTUAL FRAMEWORK

The interaction between EA and client has been the subject of studies since 1991, when issues regarding the audit opinion on the financial statement were analysed by Antle and Nalebuff. Following this study, several other papers have focused on the interactions between EA and client regarding the audit of financial reporting; these include studies by Gibbins et al. (2001) and Beattie et al. (2004). The conceptual models described in these papers have been updated in subsequent studies by Salterio (2012) and Fearnley et al. (2011). These models focus on the interaction between EA and the client; in this, they differ from the present study, in which IAF performs the internal control audit. However, the nature of the IAF, including their independence from the executive board, is similar to that of an EA, and the quality of the work seems to be at the same level (Bame‐Aldred et al., 2012; Stefaniak et al., 2012). Consequently, the conceptual models of Salterio (2012) and Fearnley et al. (2011) are useful to guide the data collection and organise the observations supporting an analysis of IAF's impact on the company's internal controls. 
Derived from these studies, Figure 1 presents the model used in this paper.

FIGURE 1 Combined IAF–client interaction model based on Salterio (2012) and Fearnley et al. (2011)

Overall, the model is used to describe the behaviour (5) of IAF and the client when interacting regarding an issue (4) related to the management letter process (Figure 2). The output (6), which is a decision on the implementation of new controls or the improvement of existing ones, is classified as either a client, a joint or an IAF product. Furthermore, a number of contextual features—regulatory (1), general (2) and IAF/client (3)—affect the interaction between IAF and the client.

Interaction

The interaction begins with an ‘issue’ (4), which can be a recommendation or, later in the management letter process, a draft management summary or the LFAR. The nature of the behaviour exhibited in the interaction by both IAF and client (5) ranges from ‘permissive’ through ‘argumentative’ to ‘insisting’. ‘Insisting’ behaviour can be illustrated by a situation in which the IAF, due to professional responsibilities or legal requirements, have thresholds which cannot be exceeded. In contrast to ‘insisting’, ‘permissive’ behaviour is seen in situations in which one of the parties simply accepts the arguments of the other. A third type of situation, in which the behaviour of the parties is more mixed, or in which they try to find some middle ground, should also be anticipated (Kulset & Stuart, 2018; Murnighan & Bazerman, 1990). This intermediate style of interaction between ‘permissive’ and ‘insisting’ has been labelled ‘argumentative’. According to Beattie et al. (2000), interactions can range from an ‘exchange of information’ through ‘discussion’ to ‘negotiation’. Of these classifications, only ‘negotiation’ is clearly defined in the literature. These classifications are used to describe the combined behaviour of IAF and the client. 
The type of behaviour exhibited can also be viewed as a result of the interaction strategy chosen by IAF and the client. According to McCracken et al. (2011) an overall distributive interaction strategy can be either ‘contending’, ‘compromising’ or ‘conceding’. As an alternative, an integrative interaction strategy is focused on a joint problem solving, where the output both preserves IAF's objective and allows the client to feel that they have achieved their own objectives.

The output of the interaction (6) can be classified as either a client product, a joint product or an IAF product (Salterio, 2012). For a number of years, the annual report has been considered a joint product (Antle & Nalebuff, 1991).

The combined IAF–client interaction model addresses the output from an interaction perspective but does not consider the quality dimension. To access this dimension, the internal audit quality framework developed by Trotman and Duncan (2018) was utilised. This framework includes an assessment of five quality dimensions: ‘context’, ‘inputs’, ‘processes’, ‘outputs’ and ‘outcomes’. Even though the definitions differ, the combined IAF–client interaction model and the management letter process (Figure 2) provide input to the quality assessment of all dimensions except ‘outcomes’, which includes an assessment of ‘value‐add’. An indication of a value‐adding ‘outcome’ is acceptance of IAF's recommendations. This assessment of quality, based on considerations of specific dimensions, is distant from the value‐adding concepts previously promoted by the big audit firms (Power, 2000).

Contextual features

Contextual features (1), (2) and (3) are categories of factors that in varying degrees affect the core interaction. 
Examples of these, derived from the initial studies of the factors (Beattie et al., 2004; Gibbins et al., 2001) and subsequent, related papers by the same authors, have been added in a ‘bullet’ format.

The regulatory/legal context (1) has been analysed by Fearnley et al. (2011), who compare their results with those of the initial study by Beattie et al. (2004). The ‘risk of being caught’ has risen in the period between these two studies, and this has shifted the behaviour of the client (5) from insisting towards passive acceptance. One example is the impact of the Sarbanes–Oxley Act, through which auditors have been mandated more power, which has resulted in a move from a permissive to a more insisting style of behaviour (Brown & Wright, 2008).

Regarding the general interaction context (2), the ‘tone from the top’ (Lail et al., 2015) could be a policy by the board of directors on ‘no surprises’, which tends to make the parties more co‐operative (Fearnley et al., 2011). Again, one example is the Sarbanes–Oxley Act, which dictates that the auditor needs assurance in order to certify the internal controls. On the other hand, the cost of controls for complying with auditors' recommendations can be high (Carney, 2006). In such a situation, the preferences of the parties could differ.

The audit/client context (3) has been analysed in a number of studies. The development of this feature is analysed by Fearnley et al. (2011), who, in comparing with an early study by Beattie et al. (2000), finds that the impact of the audit/client context has diminished relative to that of the regulatory/legal context. A different result is reported in a study on the effect of past client relationship, which concludes that the impact of the audit/client context is significant (Brown‐Liburd & Wright, 2011). The focus on ‘length of relationship’ is inspired by an interest in antecedents to present interactions (Salterio, 2012). 
For example, the behaviour chosen when dealing with a significant audit difference has been analysed in combination with the result of previous interactions (Hatfield et al., 2010). The study indicates that the magnitude of the audit difference influences the nature of the auditor's interaction, moving it in the direction of being more insisting. There is, however, also a pull in the opposite direction because client concessions from prior interactions could have the same impact.

AUDIT IN THE GROUP

Interaction between IAF and client

The result of an internal control audit is reported in a management letter (Manson et al., 2001). Although the management letter is formally prepared by the IAF, it is also the result of a process involving a number of interactions between IAF and the client. Because the Group had no existing description of the management letter process, an overview description was prepared, and handshake symbols were inserted where interaction between IAF and the client was identified; see Figure 2:

FIGURE 2 Management letter process—internal control audit—overview [Colour figure can be viewed at wileyonlinelibrary.com]

The description is based on a review of the management letters supported by interviews of IAF staff responsible for the individual steps of the process. There are three documents prepared as part of the management letter process, an audit memo, the management summary and the LFAR.

Audit memo

The most detailed document in the management letter process is the audit memo, which describes the result of the internal control audit, focusing on the identified weaknesses. The main purpose is to communicate the result of the audit, mainly to the staff responsible for the reviewed processes. Appendix A to the audit memo includes the following headings in a table format: observation, risk evaluation, recommendation and local management's comments. A prioritisation (1–3) of the observations is also included. 
The first interaction in the management letter process is a meeting between the IAF manager and client staff in which the observations are presented and adjusted if necessary. The overall aim is to establish an objective description of the observations. Figure 2 refers to this interaction as ‘meeting about initial observations’.

The next step for the IAF is to prepare a description of the potential risk and a recommendation for mitigating the weakness. The second interaction is a meeting about the recommendation, in which the primary objective is to ensure that the improvements of internal controls will mitigate the risks identified.

When the above steps have been finalised, a draft report with observations, risk evaluation and recommendations is sent to local management. The main objective is for the local management to prepare comments upon the observations including a description of specific actions that will mitigate the risks and deadlines for implementation. The third interaction is a meeting between local management and IAF in which the draft audit memo is presented. In addition to agreeing on the description of the observations, actions, deadlines and so on, the prioritisation of the observations is another important issue, because all Priority 1 and some Priority 2 observations are included in the LFAR, which is forwarded to the Financial Supervisory Authorities (FSA). After the local management and IAF have agreed, the audit memo is finalised and signed by both parties.

Management summary

Using the signed audit memos, IAF prepares a management summary addressed to the executive board. The summary provides an overview of the observations from the audit memos, including prioritisation and a status (open/closed) on the action items from the local management comments. The fourth interaction is a meeting in which the draft management summary is presented to the executive board. 
At this meeting, the executive board comment on the conclusion, but the main issue is the open action items and a potential prioritisation of these at Group level. After agreement between the executive board and IAF is achieved, the management summary is finalised and signed by both parties.

Long‐form audit report

Every quarter, IAF prepares a draft LFAR for the board of directors (audit committee). The LFAR at an overall level describes the audit performed and provides a summary of the results, including all Priority 1 and some Priority 2 observations. There is no specific rule for the selection of Priority 2 observations, but observations related to compliance with FSA regulations are often included in the LFAR. The fifth interaction is a meeting with the same structure as those held with the executive board, but in which the reports presented are the signed management summary and the draft LFAR. Upon agreement, the LFAR is finalised and prepared for the board of directors. Because the audit committee members are also part of the board, the presentation is considered a formality, where the LFAR is signed by the board members and thus formally approved.

Contextual features

The combined interaction model (Figure 1) includes three contextual features that can describe the impact on the IAF–client interaction: ‘regulatory/legal’, ‘general interaction’ and ‘audit/client’.

Regulatory legal context

The Danish regulatory requirements are in all material aspects EU‐based, and most of the requirements governing IAF are included in the ‘Executive order on auditing financial undertakings etc. as well as financial Groups’ (EO, 2015). 
The main requirements, supporting independence from the client, are the following:

Appointment and dismissal of the head of IAF must be made by the board of directors and approved by FSA.
The budget for IAF must be approved by the board of directors.
IAF are not allowed to perform any functions other than auditing.
The audit must comply with generally accepted auditing standards and be performed in accordance with the audit agreement. Specific reference is made to ISA 315.
EA must perform a sample‐based quality review of IAF work and report the result to the board of directors in the LFAR. Specific reference is made to ISA 610.²

The audit committee has responsibility for ensuring that an audit agreement is entered into between EA and IAF. According to the audit agreement, the internal control audit and the related management reporting are the responsibility of IAF, as is traditional (Arena & Sarens, 2015). In contrast, the audit of the financial statement is performed primarily by EA, supported by IAF staff. The co‐operation between EA and IAF results in an integrated financial and internal control audit (Kinney et al., 2013). The agreed sharing of the audit in the Group is consistent with the view that IAF have an advantage over EA, because they experience a higher level of identification with the business and know its processes better. IAF have a long‐term view, because they do not have to consider the renewal of the assignment and thus are able to provide a less lenient internal control evaluation (Stefaniak et al., 2012).

All activities in the Group are subject to mandatory inspections by FSA. An inspection normally covers a business area, and a total of four to six inspections are carried out annually. The reports from FSA must be published on the Group's homepage (EO, 2014). However, the inspection reports from FSA regarding internal controls are of a general nature and often lack any description of specific weaknesses. 
Although it may not be a primary objective, it seems that there is an impact of the mandatory inspections from FSA. This impact is recognised by the head of IT security, who also serves as an internal consultant in relation to internal control issues:

First‐line functions prefer to develop solutions that are reasonably secure—that way they avoid potential problems with IAF, us or FSA at a later stage. (Head of IT security)

General interaction context

The risk of being exposed to negative audit reports reflects the ‘tone from the top’, and compliance with financial legislation has a high priority for the board of directors. Without stating the fact in a formal policy, the board finds it unacceptable that there should be problems complying with regulatory requirements. Both company and personal issues are involved in this view:

Those who are on several financial services boards are more risk‐averse. They tend to be very careful not to be exposed to negative audit reports. (Board member)

The issue of being exposed is amplified by the fact that both the internal and external LFAR, addressed to the board of directors, must be forwarded to FSA. If critical matters are included, it should be expected that FSA will request further information, for example, the supporting management letters and minutes from board meetings. These requests are formally addressed to the board of directors. As a consequence of this practice, problems related to internal control identified by IAF and/or FSA are transparent to the audit committee and the board of directors.

The ‘tone from the top’ can also be of a more direct nature and driven by common sense considerations. A client manager explained an example of informal verbal communication from one of the board members:

I got a very clear message from a board member: ‘We don't want loans that exceed the collateral—none at all’. Needless to say, this gave rise to an internal review and a general clarification of the requirements to the employees. 
(Client manager)

IAF/client context

Although not a requirement, it is a long‐standing local practice that the head of IAF in major Danish financial institutions is a state‐authorised auditor. IAF staff members have degrees as state‐authorised auditors (20%), master's degrees in auditing (30%), master's degrees in finance (20%) and bachelor's degrees in accounting (30%). Except for the staff with master's degrees in finance, the other members have substantial experience working with a ‘Big 4’ audit firm. These past experiences have an impact on their professional identity as auditors (Daoust & Malsch, 2019). Supporting this identity, members of IAF have been active in the Institute of Internal Auditors and the Danish Institute of EA. Furthermore, some members of IAF teach auditing at master's level at Copenhagen Business School.

The IAF/client context is based on a working relationship of mutual respect, on both a personal and a professional level. In interviews with both IAF and client members, the working relationship was described as good. This view is supported by the annual customer satisfaction survey, in which IAF in summary is evaluated thus: ‘Excellent working relations—a constructive and objective partner’. The summary is supported by high scores in a number of areas, including ‘meet expectations’, ‘do things right the first time’, ‘responsibility’ and ‘understanding of the customer (client)’. It seems that the positive working relations affect the interactions in the management letter process:

We have only a very few examples of recommendations from IAF which seem unreasonable. We always ask for—and get—an explanation. In general, the recommendations are reasonable. (Client manager)

Furthermore, it seems that IAF also seeks to strike a balance between the potential improvement of internal controls and the total number of recommendations:

If we get a reasonable result (mitigation of risk), there is no need to go further. 
There is also the future working relation to consider. (IAF manager)

In an interview with the head of IAF about the specific interaction context, it was mentioned that:

We don't report minor details; it will just irritate the client and we will most likely have trouble getting through with the important issues. I believe that this approach explains why you don't see examples of withdrawn recommendations. (Head of IAF)

The value of the internal control audit, including the identification of weaknesses, also depends on the coordination of the audit (Lin et al., 2011). During the case study, meetings between IAF and EA were observed. These meetings related primarily to detailed planning and sharing of the results of the work performed. The nature of these meetings indicates a joint‐audit approach, which can be seen as a way of utilising the combined knowledge and thus improving the overall level of comfort (Sarens et al., 2009). Furthermore, in the year‐end LFAR, EA must state whether the work stipulated in the audit agreement has been carried out and whether IAF have performed satisfactorily, including remaining independent from the executive board. In each of the years included in the case study, EA reported that IAF met the regulatory requirements and that the result of the internal control audits supported the planned high control reliance.

TO WHAT EXTENT DOES IAF AFFECT INTERNAL CONTROLS?

The review of management letter reporting covering the period 2008–2017 included a total of 821 recommendations. 
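Table 1 presents the recommendations, classified by IAF's prioritisation and divided into implementation of new controls and improvement of existing ones:

TABLE 1 Summary of recommendations in management letters by priority

| Year | New controls: Total | New: Priority 1 | New: Priority 2 | New: Priority 3 | Existing controls: Total | Existing: Priority 1 | Existing: Priority 2 | Existing: Priority 3 | Total: Total | Total: Priority 1 | Total: Priority 2 | Total: Priority 3 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2008 | 21 | 7 | 13 | 1 | 62 | 3 | 48 | 11 | 83 | 10 | 61 | 12 |
| 2009 | 45 | 8 | 33 | 4 | 55 | 7 | 42 | 6 | 100 | 15 | 75 | 10 |
| 2010 | 12 | 1 | 9 | 2 | 59 | 7 | 42 | 10 | 71 | 8 | 51 | 12 |
| 2011 | 21 | 1 | 14 | 6 | 59 | 7 | 41 | 11 | 80 | 8 | 55 | 17 |
| 2012 | 19 | 3 | 14 | 2 | 51 | 3 | 40 | 8 | 70 | 6 | 54 | 10 |
| 2013 | 19 | 1 | 15 | 3 | 52 | 4 | 38 | 10 | 71 | 5 | 53 | 13 |
| 2014 | 23 | 2 | 17 | 4 | 71 | 2 | 51 | 18 | 94 | 4 | 68 | 22 |
| 2015 | 20 | 3 | 10 | 7 | 53 | 2 | 34 | 17 | 73 | 5 | 44 | 24 |
| 2016 | 20 | 1 | 14 | 5 | 64 | 3 | 42 | 19 | 84 | 4 | 56 | 24 |
| 2017 | 23 | 1 | 19 | 3 | 72 | 3 | 49 | 20 | 95 | 4 | 68 | 23 |
| Total | 223 | 28 | 158 | 37 | 598 | 41 | 427 | 130 | 821 | 69 | 585 | 167 |

The only year with a significantly higher number of recommendations for new controls is 2009—following the financial crisis and an increase in new requirements from FSA (Van der Stede, 2011). Apart from 2009, the number of recommendations for new controls is stable at around 20 on an annual basis. The recommendations, classified by nature of requirement, are listed in Table 2:

TABLE 2 Recommendations classified by nature of requirement

| Nature of requirement | New controls: Total | New: Priority 1 | New: Priority 2 | New: Priority 3 | Existing controls: Total | Existing: Priority 1 | Existing: Priority 2 | Existing: Priority 3 | Total: Total | Total: Priority 1 | Total: Priority 2 | Total: Priority 3 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Legal | 23 | 0 | 22 | 1 | 54 | 3 | 31 | 20 | 77 | 3 | 53 | 21 |
| Regulatory (FSA) | 49 | 13 | 29 | 7 | 89 | 11 | 58 | 20 | 138 | 24 | 87 | 27 |
| Internal policy | 26 | 2 | 18 | 6 | 140 | 8 | 98 | 34 | 166 | 10 | 116 | 40 |
| Audit | 125 | 13 | 89 | 23 | 315 | 19 | 240 | 56 | 440 | 32 | 329 | 79 |
| Total | 223 | 28 | 158 | 37 | 598 | 41 | 427 | 130 | 821 | 69 | 585 | 167 |

Of the recommendations for implementation of new controls, 32% relate to legal and regulatory requirements, 12% to compliance with internal policies and 56% to IAF's professional judgement without reference to any specific requirement.

The review of the management letters also covered management comments, including deadlines for when the risks would be mitigated. There are some examples in which mitigating actions were delayed compared to the initial plan. The main explanation for these delays is that a number of recommendations had been used as input to the implementation of a new system, which might have resulted in a redesign of supporting processes and internal controls. 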
Based on a review of the database of recommendations maintained by IAF, all issues had, however, been closed by the time of the study. In summary, an average of approximately 20 new controls is implemented annually in response to the IAF's recommendations. Besides having a significant impact on the level of internal controls, the acceptance of all recommendations is an indication of a high quality IAF (Trotman & Duncan, 2018).

HOW DOES IAF AFFECT INTERNAL CONTROLS?

The analysis focuses on five interactions at different stages in the management letter process (see Figure 2):

1. Meeting about initial observations
2. Meeting about recommendations
3. Meeting about draft audit memo
4. Meeting about draft management summary
5. Meeting about draft LFAR

Meeting about initial observations

The audit typically results in a number of observations, which are documented in Appendix A to the audit memo. An observation is the most detailed level in the management letter and is the subject of the first interaction between IAF and the client. The objective of this interaction is to arrive at a common understanding of the observations, which are internal control weaknesses identified by IAF as part of the process audit (Figure 2). The basis for this agreement is that the IAF manager sends a draft of Appendix A to the client staff member who has been involved in the audit. If necessary, a meeting is held between the parties to clarify any misunderstandings and prepare any necessary adjustments to the description in order to make it as precise as possible.

Based on a review of changes to the draft appendices, working papers, memos, mails and supporting interviews with IAF staff, no unsolved disagreements were identified regarding the description of the observations. Neither have I been able to identify any ‘differing preferences’ (Salterio, 2012) which were not solved by the presentation of facts or any indications of insisting behaviour on the part of IAF.
This finding is supported by two client managers representing different business units who jointly described the interaction with IAF as follows:

If they (IAF) have got a wrong impression of a procedure—they are willing to listen to valid arguments. (Client manager)

If there are different views, it is up to the client to present further documentation to support adjustments. Therefore, the meeting is an argumentative exchange of information supporting, adjusting or rejecting the observation, and the output is a joint product.

Meeting about recommendations

When the observations have been agreed upon, IAF prepares a risk evaluation and a recommendation, which is included in Appendix A to the audit memo. The recommendations that issue from this second interaction are sent to the same client staff member who previously approved the observations. From an IAF perspective, the objective of the recommendations is to improve the level of internal controls and thus obtain audit evidence from test of controls when the improvement is implemented (Eilifsen et al., 2010). IAF prepares the recommendation but is open to changes:

Regarding the recommendations, it is of less importance how the issue is solved. When we have agreed on an observation, it is up to the client to suggest a solution—as long as it works. But the recommendation should mitigate the risk—otherwise we must try again. We need to close the observation; how it happens is actually of minor importance. (IAF manager)

This view is supported by the head of IAF:

There is no point in preparing a recommendation if the client has no practical options for implementing an improvement. Then it is better to suggest another solution as long as the risk is mitigated. (Head of IAF)

This practical approach is also illustrated by the way the client handles the recommendation.
Because it is the client's responsibility at a later stage to implement a solution, the client staff member often goes back to local management to agree on a solution.

The nature of both the IAF and client side of the interaction can be classified primarily as argumentative. There are, however, indications that IAF could insist if necessary. The statement that ‘the recommendation should mitigate the risk’ indicates the existence of minimum requirements for the solutions. The combined behaviour is, however, still a discussion aimed at describing a recommendation and a solution which can be implemented to fulfil the audit requirements. Therefore, the output of the interaction is a joint product because both parties take part in a co‐operative manner.

Meeting about draft audit memo

When the recommendations are agreed upon, Appendix A is finalised. This includes a prioritisation of observations. There are no formally defined criteria for the prioritisation, and according to the head of IAF, it is based on ‘professional judgment’.[3] The prioritisation is of interest, because Priority 1 recommendations are always reported in the LFAR, together with some Priority 2 observations. Furthermore, IAF prepares a draft audit memo, which is a summary of observations and recommendations included in Appendix A. This document is the focus of the third interaction. The prioritisation is essential for the local management, and it is the main item on the agenda for the draft audit memo meeting:

The local managers don't mind our recommendations, and they prefer to have well‐controlled business processes. If we are reasonable with our recommendations, they comply. However, they do not like priority 1 observations. Being exposed to the board of directors is not seen as a desirable situation.
(IAF manager)

A client manager agrees:

It is obvious that priority 1 recommendations can lead to reactions from the board of directors, which may cause unnecessary turmoil in the organisation—a situation we want to avoid for obvious reasons; but in general, the recommendations from IAF are reasonable. (Client manager)

A detailed review of draft and final audit memos indicates that the number of Priority 1 recommendations is reduced as a result of the interaction. IAF sometimes encounters a desire from local management to change the priorities:

… we might sometimes agree on a priority 2 instead of 1. It is, however, a bargaining situation—if we change priority from 1 to 2, we could perhaps agree to speed up the deadline for implementation. (Head of IAF)

The ‘deadline for implementation’ refers to the final element of Appendix A, which is the management comment. In this section, local management comments on the observations and recommendations and commits to a deadline. The deadline for mitigating the risk is important, because IAF follows up on the agreed deadlines on an ongoing basis.

The behaviour exhibited by both IAF and the client is classified as argumentative leaning towards insisting, and the combined nature of the interaction is classed as a negotiation. This is mainly due to the potential exposure to the board of directors. When the management comments have been finalised, the audit memo is signed by both parties. Even though the number of Priority 1 recommendations is reduced as a result of the interaction, IAF make the final decision. Therefore, the draft audit memo should be classified as primarily an IAF product.

Meeting about draft management summary

Based on the audit memos, IAF prepares a management summary. This document is the fourth issue that results in interaction and is presented at a meeting with the executive board. As part of the case study, draft and final management summaries were compared.
Only very few changes were made, and they all concerned how to prioritise the various implementation projects aimed at mitigating the identified risks. Because the executive board has a consolidated view on these projects, this might have an impact on the solutions and the deadlines agreed with local management:

It is a management decision how to prioritise the resources—and it is clearly not our job to be involved in this process. We accept the decisions and plan our audit accordingly. (Head of IAF)

This is seen as a permissive attitude based on a professional understanding of roles and responsibilities, including potential independence issues. Because the changes to the draft management summary are the result of management decisions, the output is classified as a client product.

Meeting about draft long‐form audit report

The fifth issue is the LFAR report, which includes descriptions of all Priority 1 and some Priority 2 recommendations. This document is sent to the audit committee and presented at a meeting. According to the head of IAF, the meeting with the audit committee is of a formal nature, and the document is owned by IAF:

It is our document and our professional responsibility. Further, we have been involved in the whole process, and therefore it is not acceptable if the audit committee changes our professional judgment. (Head of IAF)

I see this as an indication that the behaviour of IAF is argumentative, leaning towards insisting, and the meeting should be classified as an exchange of information. A review of draft and final LFARs revealed no substantive changes. This can also be explained by the fact that the audit committee is involved in the management letter process at a rather late stage, when all other parties have agreed on the details. The output is the final LFAR, which is signed by the board of directors.
The document is an IAF product, because IAF has both the formal and the actual responsibility.

Outcome of the management letter process

The output from the management letter process and the combined IAF–client interaction model is a joint product defined as a number of accepted audit recommendations. After implementation of these recommendations, the outcome is an improved level of internal control. Assessing the audit and business value of this outcome, I presented the respondents with a number of specific recommendations, asking the client to evaluate the business value and IAF to evaluate the audit value. As part of this assessment, we asked the respondents to consider that the Group is governed by regulatory requirements, which might overrule business‐driven considerations.

The business value of the improved level of internal controls was discussed with client managers. It was recognised that the recommended internal control improvements without exception were required to mitigate business risks, but sometimes, the supporting formalistic documentation is seen as being mainly a defence against FSA that does not serve a business purpose. As an example, IAF had observed ‘Failure to comply with FSA's documentation requirements and loan limits’ and recommended ‘… a review of real estate loans to ensure compliance with FSA's loan limits and documentation requirements’:

This is a typical recommendation primarily for the benefit of FSA. The control is performed as expected, but not documented according to requirements from FSA. From a business perspective it makes no difference—but we accept the recommendation and see it as a defence when we have inspections from FSA. (Client manager)

The evaluation of the audit value of the recommendations was based on a discussion with the head and deputy of IAF.
They explained that all audits were performed according to the annual audit plan and standard audit instructions but, for 50% of them, additional work was performed due to requirements from FSA:

Due to information from network groups, we pay more attention to areas which we know that FSA is aware of. If, for example, another bank has struggled with FSA regarding real estate loans, we use additional resources to ensure that all risks are mitigated. You might say that the audit serves both a traditional audit purpose and at the same time as a kind of defence against FSA. After all, we prefer to have a good reputation and working relations with FSA—it makes things much easier. (Deputy head of IAF)

These comments lead to a question about the extent of this extra work related to internal controls initiated by FSA:

All the specific recommendations would have been included in the management letters if the audit had been performed in a situation where we didn't have to consider regulatory requirements. The only difference is that two recommendations would most likely not have been included in the LFAR. (Head of IAF)

Both recommendations relate to failure to comply with regulatory requirements. The first recommendation is implementation of a system‐based access control aiming at ensuring that employees working in more than one legal entity comply with FSA's requirement for ‘double employment’. The second recommendation, ‘… a review of real estate loans to ensure compliance with FSA's loan limits and documentation requirements’, is also commented on by a client manager (see above).

This assessment supports the conclusion that recommendations would have been included in the management letters independent of the regulatory requirements and that they add value from an audit perspective.

The recommendations were also discussed with a client manager with professional audit as well as business experience.
In general, he agreed with both the IAF and client evaluation and summarised the situation as follows:

They are recommendations which FSA would no doubt report—most likely as orders—and with good reason. However, we should have proper internal controls in place in these areas no matter what FSA might say. (Head of IT security)

Regarding one specific recommendation, he was even clearer. IAF had observed ‘Inadequate testing of an external developed IT system. The “system” calculates impairment on loans without considering guarantees and does not use updated values of other securities’. Based on this observation, it was recommended that ‘procedures should be established ensuring that external developed applications are tested before implementation. Furthermore, a critical review of the “system” to correct the above and any other errors’:

The recommendation and our mitigation of the risk are totally independent of whether FSA exists or not. The issue is too important from both an audit and a business perspective to be affected by FSA's assessment. (Head of IT security)

Based on these discussions, it seems that all respondents recognise the regulatory requirements. However, the outcome of the management letter process, the improved level of internal control, would have been implemented independently of the regulatory requirements because IAF's recommendations add value from both an audit and a client perspective.

DISCUSSION AND CONCLUSION

Based on a single‐case study, the management letters from IAF and the supporting process in a large financial institution were analysed. In the case study, IAF is organised, staffed and working in such a way that EA can rely on the work delivered at a level of high control reliance. IAF performs only auditing and is not involved in any other roles. This clear role definition is both supported by regulatory requirements and recognised as agreed local practice.
Consequently, IAF complies with general independence and ethical requirements.

As part of the study, a detailed review was conducted of the management letter reporting of the internal control audits for 2008–2017. The review clarified the extent to which IAF impact internal controls. In total, 223 (27%) of the observations resulted in recommendations for implementation of new controls. The remaining 598 (73%) relate to improvements to existing controls, including documentation. All recommendations reported in management letters are implemented, without exception. Based on this analysis, IAF have a significant impact on internal controls and deliver work at a high quality (Trotman & Duncan, 2018).

As a basis for the analysis of how IAF affect internal controls, a description of the management letter process was established, including five interactions between IAF and the client (Figure 2). To contribute to an understanding of how internal control audits impact internal controls, these interactions were analysed based on the theories of audit–client interaction (Fearnley et al., 2011; Salterio, 2012). The results are summarised in Table 3:

TABLE 3 Summary of the nature of interaction viewed through the combined model (Figure 2)

| Meeting regarding: | Behaviour: IAF | Behaviour: Client | Behaviour: Combined | Output |
|---|---|---|---|---|
| 1. Initial observations | Argumentative | Argumentative | Exchange of information | Joint product |
| 2. Recommendations | Argumentative/insisting | Argumentative | Discussion | Joint product |
| 3. Draft audit memo | Argumentative/insisting | Argumentative/insisting | Negotiation | IAF product |
| 4. Draft management summary | Permissive | Argumentative/insisting | Exchange of information | Client product |
| 5. Draft long‐form audit report | Argumentative/insisting | Permissive | Exchange of information | IAF product |

IAF and the client both exhibit mixed behaviour, but their behaviour is predominantly argumentative when making decisions regarding internal control audits. The examples of mixed behaviour are as expected (Murnighan & Bazerman, 1990).
The mixed behaviour is also supported by IAF as they consider when ‘enough is enough’ with the aim of supporting the long‐term relationship (Stefaniak et al., 2012). The combined IAF and client behaviour is primarily an exchange of information in which issues are presented at meetings between IAF and the client and the quality of information decides the output of the interaction. There are, however, two exceptions, namely, the overall prioritisation of the resources required to improve existing controls or implement new ones and the LFAR. The prioritisation of resources is a management responsibility and thus a client product, and IAF fully respect the authority of the executive board. The LFAR, on the other hand, is IAF's responsibility, being their report to the board of directors, and consequently it is an IAF product.

A key element in the management letter process is the meeting regarding the initial observation, where a common understanding of an internal control weakness is established. The remainder of the management letter process might be considered as interactions aimed at mitigating this weakness and reporting the result to management. Even though IAF's behaviour in these remaining interactions is predominantly argumentative/insisting, the interaction strategy could be seen as integrative, aiming at joint problem solving (McCracken et al., 2011). Supporting this view, the ‘trade‐off’, from an IAF perspective, is the prioritisation of the recommendations, whereas their key objective of mitigating the audit risk is not discussed. Mitigation of audit risk is achieved, because the output of the IAF–client interaction is the decision on implementation of new controls or improvement of existing ones, which should be considered a joint product. This joint product and understanding have been established through a step‐by‐step process in which disagreements are settled before the next step is started.
The fact that different levels of employees have agreed the ‘step‐by‐step’ interactions might explain an unconditional acceptance from the audit committee. Potentially, the audit committee, and therefore also the board of directors, could disagree with the recommendations, but then, they would be in opposition to both IAF and the business decisions taken as part of the management letter process.

This conclusion regarding co‐operation is different from that of a study by Hellman (2006) in which the client was found to be more aggressive towards the auditors and disagreements were reported. However, there is an important contextual difference, because the study by Hellman (2006) is based on management letters produced in the period 1999–2001, before the requirements regarding audit independence imposed by Sarbanes–Oxley. In that period, the audit approach was focused on delivering ‘added value’ to the client (Power, 2000). Furthermore, that study concludes that the audit was considered useful if it supported the hierarchical management control in the company (Hellman, 2006). This top‐down approach differs significantly from the ‘bottom‐up’ audit in the management letter process, in which each interaction is agreed before proceeding to the next level. Also, the recommendations in the management letters in the present case study are based on a strict internal control evaluation.

Even though a strict internal control assessment might be distant from the ‘added value’ approaches promoted by the big audit firms (Power, 2000), the internal control audit performed by IAF seems to add value. This conclusion is supported by viewing the result of the case study through the lens of internal audit quality (Trotman & Duncan, 2018). The technical skills and experience of IAF match the qualifications seen in big audit firms.
Furthermore, it seems that objectivity (Stefaniak et al., 2012) and soft skills are at the same level, which is supported by the annual customer (client) satisfaction surveys. The ‘technical production’ and ‘service interaction’ dimensions, supported by the management letter process and the step‐by‐step structure and acceptance, seem to be crucial to the classification of the outcome as value‐adding. The outcome of this process is an improved level of internal controls that is unconditionally accepted by the client. This is seen as an indication of a valuable outcome adding both significant business and audit value through the mitigation of risk. Mitigation of the audit risk is supported by the annual formal statement from EA accepting the result of the internal control audits and the full integration of it in the remaining part of the audit of the Group's annual report, which is based on a high control reliance. Consequently, the result illustrates a fully integrated financial and internal control audit (Kinney et al., 2013). Furthermore, it seems that the regulatory requirements only have a limited impact, because almost all recommendations would have been implemented independently of the regulatory regime. This result differs from those of previous studies regarding financial reporting in which the risk of being caught has been found to be the most important contextual feature (Fearnley et al., 2011).

This paper contributes a detailed understanding of how IAF impact the internal controls system in a financial institution (Bame‐Aldred et al., 2012; Roussy et al., 2020). It also adds a deeper understanding of the management letter process compared to previous studies. Furthermore, the results suggest that the audit approach documented in the management letter process, including the step‐by‐step settlement of the interactions, is crucial to an assessment of the outcome as value‐adding.
This suggestion adds detail to the ‘technical production’ and ‘service interaction’ dimensions included in the ‘Internal Audit Quality Framework’ by Trotman and Duncan (2018).

Based on a review of management letters covering a period of 10 years, it seems that the auditors continue each year to issue new recommendations for improvements to internal controls. It could be of interest for further research to explore how this is possible. One explanation could be that the systems and procedures after an implementation project is finalised fail to include an ongoing improvement matching contextual changes. An alternative or supplementary explanation might be that system implementations are primarily considered a technology‐driven activity that does not include internal control requirements. Furthermore, IAF have indicated that they use additional resources to meet regulatory requirements. It could be of interest for future research to explore the nature and magnitude of the burden and how much additional work this requires beyond what is needed to mitigate the audit risk. Considering mitigation of risk, the case identified an overlap between mitigation of audit and business risk, supporting a joint interest between auditor and client. It could be of interest for further research to analyse the impact of this overlap on internal control audits.

There are some weaknesses in and limitations to the study. The analysis is based on a specific set of interactions between IAF and the client in a major financial institution. The management letter process, including the interactions involved and the co‐operation between IAF and EA, might be different in other companies.
These limitations notwithstanding, the study contributes to an understanding of the extent to which IAF affect internal controls and how they do so.

ACKNOWLEDGEMENT

There are no funders to report for this submission.

CONFLICT OF INTEREST

No conflict of interest.

ETHICS STATEMENT

I confirm complying with Wiley's Guidelines on Publishing Ethics.

AUTHOR CONTRIBUTION

The author confirms sole responsibility for the following: study conception and design, data collection, analysis and interpretation of results and manuscript preparation.

DATA AVAILABILITY STATEMENT

The data that support the findings of this study are available from the corresponding author upon reasonable request.

ENDNOTES

1. An important objective of the regulatory requirements is to support independence from the client and in particular the executive functions. The term ‘client’ is consistently used by IAF, and by, for example, Arena and Jeppesen (2010), when referring to the executive functions.

2. The references to ISA 315 and 610 are also included in the description of the relation between internal and external audit in ‘The internal audit function in banks’ (Bank for International Settlements [BIS], 2012).

3. ‘Auditor's professional judgment’ is also used by International Federation of Accountants (IFAC, 2009) as a guideline for ranking findings.

REFERENCES

Abbott, L. J., Parker, S., Peters, G. F., & Rama, D. V. (2007). Corporate governance, audit quality, and the Sarbanes‐Oxley Act: Evidence from internal audit outsourcing. The Accounting Review, 82(4), 803–835.

American Institute of Certified Public Accountants. (2008). Communicating internal control related matters identified in an audit. Statement on Auditing Standards No. 115. AICPA.

Antle, R., & Nalebuff, B. (1991). Conservatism and auditor‐client negotiations. Journal of Accounting Research, 29, 31–54.

Arena, M., & Jeppesen, K. K. (2010). The jurisdiction of internal auditing and the quest for professionalization: The Danish case. International Journal of Auditing, 14(2), 111–129.

Arena, M., & Sarens, G. (2015). Internal auditing: Creating stepping stones for the future. International Journal of Auditing, 19(3), 131–133.

Ashbaugh‐Skaife, H., Collins, D. W., Kinney, W. R. Jr., & LaFond, R. (2009). The effect of SOX internal control deficiencies on firm risk and cost of equity. Journal of Accounting Research, 47(1), 1–43.

Bame‐Aldred, C. W., Brandon, D. M., Messier, W. F. Jr., Rittenberg, L. E., & Stefaniak, C. M. (2012). A summary of research on external auditor reliance on the internal audit function. Auditing: A Journal of Practice & Theory, 32(sp1), 251–286.

Bank for International Settlements. (2012). The internal audit function in banks. BIS.

Beattie, V., Fearnley, S., & Brandt, R. (2000). Behind the audit report: A descriptive study of discussions and negotiations between auditors and directors. International Journal of Auditing, 4(2), 177–202.

Beattie, V., Fearnley, S., & Brandt, R. (2004). A grounded theory model of auditor‐client negotiations. International Journal of Auditing, 8(1), 1–19.

Brinkmann, S., & Kvale, S. (2015). Interviews: Learning the craft of qualitative research interviewing (Vol. 3). Sage.

Brown, H. L., & Wright, A. M. (2008). Negotiation research in auditing. Accounting Horizons, 22(1), 91–109.

Brown‐Liburd, H. L., & Wright, A. M. (2011). The effect of past client relationship and strength of the audit committee on auditor negotiations. Auditing: A Journal of Practice & Theory, 30(4), 51–69.

Carney, W. J. (2006). The costs of being public after Sarbanes‐Oxley: The irony of going private. Emory LJ, 55, 141.

Daoust, L., & Malsch, B. (2019). How ex‐auditors remember their past: The transformation of audit experience into cultural memory. Accounting, Organizations and Society, 77, 101050.

Eilifsen, A., Messier, W. F., Glover, S. M., & Prawitt, D. F. (2010). Auditing and assurance services. McGraw‐Hill Higher Education.

EO. (2014). Executive Order no. 1567 of 23 December 2014. Executive order on auditing financial undertakings etc. obligation to publish FSA's assessments. Available in Danish—https://www.finanstilsynet.dk/

EO. (2015). Executive Order no. 1912 of 30 December 2015. Executive order on auditing financial undertakings etc. as well as financial groups. https://www.finanstilsynet.dk/

Fearnley, S., Beattie, V., & Hines, T. (2011). Reaching key financial reporting decisions: How directors and auditors interact. John Wiley & Sons.

Gibbins, M., Salterio, S., & Webb, A. (2001). Evidence about auditor–client management negotiation concerning client's financial reporting. Journal of Accounting Research, 39(3), 535–563.

Hatfield, R. C., Houston, R. W., Stefaniak, C. M., & Usrey, S. (2010). The effect of magnitude of audit difference and prior client concessions on negotiations of proposed adjustments. The Accounting Review, 85(5), 1647–1668.

Hellman, N. (2006). Auditor–client interaction and client usefulness—A Swedish case study. International Journal of Auditing, 10(2), 99–124.

International Federation of Accountants. (2009). International Auditing and Assurance Standards Board (IAASB), International Standard on Auditing 265, Communicating deficiencies in internal control to those charged with governance and management.

Kinney, W. R. Jr., Martin, R. D., & Shepardson, M. L. (2013). Reflections on a decade of SOX 404 (b) audit production and alternatives. Accounting Horizons, 27(4), 799–813.

Kulset, E., & Stuart, I. (2018). Auditor–client negotiations over disputed accounting issues: Evidence from one of the Norwegian Big 4 firms. International Journal of Auditing, 22(3), 435–448.

Lail, B., MacGregor, J., Stuebs, M., & Thomasson, T. (2015). The influence of regulatory approach on tone at the top. Journal of Business Ethics, 126(1), 25–37.

Lin, S., Pizzini, M., Vargus, M., & Bardhan, I. R. (2011). The role of the internal audit function in the disclosure of material weaknesses. The Accounting Review, 86(1), 287–323.

Maijoor, S. (2000). The internal control explosion. International Journal of Auditing, 4(1), 101–109.

Manson, S., McCartney, S., & Sherer, M. (2001). The value of management letters to unlisted companies. The British Accounting Review, 33(4), 549–568.

Mazza, T., & Azzali, S. (2015). Effects of internal audit quality on the severity and persistence of controls deficiencies. International Journal of Auditing, 19(3), 148–165.

McCracken, S., Salterio, S. E., & Schmidt, R. N. (2011). Do managers intend to use the same negotiation strategies as partners? Behavioral Research in Accounting, 23(1), 131–160.

Murnighan, J. K., & Bazerman, M. H. (1990). A perspective on negotiation research in accounting and auditing. Accounting Review, 65(3), 642–657.

Oussii, A. A., & Boulila Taktak, N. (2018). The impact of internal audit function characteristics on internal control quality. Managerial Auditing Journal, 33(5), 450–469.

Power, M. (2000). The audit society—Second thoughts. International Journal of Auditing, 4(1), 111–119.

Power, M. (2009). The risk management of nothing. Accounting, Organizations and Society, 34(6–7), 849–855.

Power, M. K., & Gendron, Y. (2015). Qualitative research in auditing: A methodological roadmap. Auditing: A Journal of Practice & Theory, 34(2), 147–165.

Roussy, M., Barbe, O., & Raimbault, S. (2020). Internal audit: From effectiveness to organizational significance. Managerial Auditing Journal, 35(2), 322–342.

Rubin, H. J., & Rubin, I. S. (2011). Qualitative interviewing: The art of hearing data. Sage.

Salterio, S. E. (2012). Fifteen years in the trenches: Auditor–client negotiations exposed and explored. Accounting and Finance, 52, 233–286.

Sarens, G., & Christopher, J. (2010). The association between corporate governance guidelines and risk management and internal control practices: Evidence from a comparative study. Managerial Auditing Journal, 25(4), 288–308.

Sarens, G., De Beelde, I., & Everaert, P. (2009). Internal audit: A comfort provider to the audit committee. The British Accounting Review, 41(2), 90–106.

Spira, L. F., & Page, M. (2003). Risk management: The reinvention of internal control and the changing role of internal audit. Accounting, Auditing & Accountability Journal, 16(4), 640–661.

Stefaniak, C. M., Houston, R. W., & Cornell, R. M. (2012). The effects of employer and client identification on internal and external auditors' evaluations of internal control deficiencies. Auditing: A Journal of Practice & Theory, 31(1), 39–56.

Trotman, A. J., & Duncan, K. R. (2018). Internal audit quality: Insights from audit committee members, senior management, and internal auditors. Auditing: A Journal of Practice & Theory, 37(4), 235–259.

Turetken, O., Jethefer, S., & Ozkan, B. (2020). Internal audit effectiveness: operationalization and influencing factors. Managerial Auditing Journal, 35(2), 238–271.

Van der Stede, W. A. (2011). Management accounting research in the wake of the crisis: Some reflections. The European Accounting Review, 20(4), 605–623.

Yeoh, P. (2020). Banks' vulnerabilities to money laundering activities. Journal of Money Laundering Control, 23(1), 122–135.

Yin, R. K. (2009). Case study research: Design and methods (applied social research methods). Sage.

APPENDIX A

INTERVIEW GUIDE

As part of the introduction to the first employee interview, I made a brief presentation of the project and the research question. This included an introduction to the overview of the management letter process (Figure 1) and the combined IAF–client interaction model (Figure 2). After the introduction, the discussion began.
Depending on the area, the interview focused on either ‘how?’ or ‘why?’ questions:A.1Main ‘how?’ questionsBased on the description of the management letter process, where do you see yourself?What is your role in the process (or interaction)?How would you describe your working relationship with IAF (or the client)?Could you give examples of how you interact with IAF (or the client)?I have established a scale describing the behaviour of IAF (or the client)—see Figure 2. Where do you see IAF (or the client)?The part of the process you are involved in—what is the outcome?Do you have an impact on the outcome, and could you give some examples?I have established a scale describing the outcome, which you can see in Figure 2. How would you classify the outcome?A.2Main ‘why?’ questionsThe interviews focusing on the ‘why?’ questions were conducted after the conclusion of the ‘how?’ part had been established. Consequently, the introduction included a brief summary of the result of this work (joint product based on objective arguments).I have established three categories of contextual features (Figure 2). Do you think that any of these have an impact on your co‐operation with IAF in the management letter process?As part of the ‘how?’ questions, I asked about the working relationship with IAF. Do you think that this has an impact?In your view, what is the impact of the board (i.e., the ‘tone from the top’) and the behaviour of the management in general?Can you provide examples of how the board or management has intervened in the process or has otherwise had an indirect impact?In your view, what is the impact of FSA?Can you provide examples of how FSA has intervened in the process or has otherwise had an indirect impact?Which one (management or FSA) do you consider to be the most important, and why?Regarding the specific meeting—are there examples in which the agreement reached on one issue could have an impact on the rest of the issues to be discussed?

Journal

International Journal of Auditing, Wiley

Published: Jul 1, 2022

Keywords: audit negotiation; audit quality; audit report; internal audit; internal control
