Abstract
Purpose
The purpose of this paper is to examine the implications of the COVID-19 pandemic on internal auditing as the pandemic forced individual internal auditors and audit teams to conduct the work remotely.
Design/methodology/approach
Five in-depth semi-structured interviews of internal audit experts that work in German retail and manufacturing industry were conducted between February and April 2021.
Findings
The authors find that the importance of audit technologies did not change significantly due to the pandemic, as audit technologies were already an integral part of internal audits. Interestingly, the transition to remote audits occurred with remarkable speed and efficiency. The presence of well-functioning information and communication technologies emerges as a critical facilitator for effective remote communication, collaboration and data exchange. However, audit technologies can only partially replace physical on-site examinations and human interaction. The main challenges of remote audits are related to the auditing of non-digitalized processes and the inherent limitations of auditee interviews and interactions.
Research limitations/implications
The authors' interview approach does not allow to cover variations between industries and between countries. While internal audit experts provided notably consistent responses during the interviews, acknowledging that the sample size is very small is important.
Practical implications
The COVID-19 pandemic serves as a catalyst for increased digitalization and technology adoption within the realm of internal auditing. A hybrid approach combining the benefits of on-site and remote audits is expected to prevail in the future.
Originality/value
The paper is among the first to document the effects of the COVID-19 pandemic on the work of internal auditing using field-based research methods.
Keywords
Citation
Jarva, H. and Zeitler, T. (2024), "Implications of the COVID-19 pandemic on internal auditing: a field study", Journal of Applied Accounting Research, Vol. 25 No. 2, pp. 355-370. https://doi.org/10.1108/JAAR-12-2021-0333
Publisher
:Emerald Publishing Limited
Copyright © 2023, Henry Jarva and Teresa Zeitler
License
Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode
1. Introduction
The COVID-19 pandemic in early 2020 forced many firms and organizations to fundamentally change their style of work (Bick et al., 2020). Knowledge-intensive jobs responded to this exogenous shock by a rapid transition to remote work as travel and face-to-face interactions became restricted (Brynjolfsson et al., 2020). The internal audit function (IAF) was not immune to these developments as internal auditors had to transition to remote audits to perform their tasks (Eulerich et al., 2022b). The Institute of Internal Auditors (IIA), a global developer of standards and educator in the field of internal audit, defines internal auditing as follows: “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes [1].” A modern governance model emphasizes the important function of internal audit in risk management, as it is one of the components of the “Three Lines Model” (IIA, 2013, 2020; Deloitte, 2017; PWC, 2017; IFAC IIA, 2018; Bantleon et al., 2021) [2].
Internal audit is in a unique position to play a crucial role in responding to the COVID-19 crisis and adapting to the changed environment (Deloitte, 2020; KPMG, 2020; Martinelli et al., 2020). However, there is a lack of academic evidence regarding the specific impact of the COVID-19 pandemic on the work of the IAF. Eulerich et al. (2022a, b) provide valuable insights by indicating that internal auditors perceive no difference in the efficiency, effectiveness, and stakeholders' reliance on results from remote and in-person audits. Nevertheless, there is still a research gap in understanding the initial effects of the pandemic on the IAF. To address this gap and gain a deeper understanding of the challenges, changes, and adaptations faced by internal auditors during the pandemic, our first research question aims to investigate: What are the initial effects of the COVID-19 pandemic on the work of the IAF? The shift to remote audits as a result of the pandemic has brought significant changes to the internal auditing landscape. However, more research is needed to assess the effectiveness and efficiency of remote audits compared to traditional in-person audits. Our second research question aims to address this gap by examining: What are the main challenges and benefits associated with remote audits? Furthermore, based on the experiences of internal auditors during the pandemic, we seek to explore the future approach of the IAF. Hence, our third research question is: What is the future approach in the IAF?
To gather data for our study, we conducted in-depth interviews with five internal audit experts who work in German retail and manufacturing companies. These interviews were conducted between February and April 2021 and followed a semi-structured format to ensure consistency in data collection while allowing participants the opportunity to provide detailed insights into important issues.
We document the following findings. The respondents note that the importance of audit technologies did not change much due to the pandemic as they were already an integral part of audits. However, before the pandemic, a full remote audit was perceived just as an attractive optional feature [3]. During the pandemic, all respondents emphasized the importance of well-functioning information and communication technology (ICT) as a critical factor in facilitating efficient remote communication, collaboration, and data exchange. In this regard our qualitative data is saturated. Firms that had those technologies available perceived the transition to remote work happening surprisingly quickly and smoothly which is generally consistent with non-accounting studies (Waizenegger et al., 2020; Kirchner et al., 2021). Moreover, new technology developments in internal auditing have been found to significantly reduce process latencies (see, Teeter et al., 2010; Eulerich et al., 2022a, b). The saved time provides additional flexibility and allows internal auditors to address other topics. As an additional benefit, it is evident that direct and indirect travel expenses are eliminated/reduced as the location constraint on audits is removed.
While advanced technologies enable and favor remote audits, some of the main disadvantages are related to the auditing of non-digitalized processes. For example, relatively simple tasks like performing tasks such as physical inspections of premises and production facilities becomes challenging in a remote environment. As risk-related audit areas cannot be simply omitted, auditors need to work with additional on-site support. This support can be provided by local auditors, third parties, or through the use of additional technology that enables virtual access to physical premises or paper documentation. In addition, as remote audit environment lacks physical presence it impedes the conduction of interviews during the audit. Factors such as different time zones, the need for meticulous meeting planning, inefficient virtual response times, and a lack of personal contact can complicate and hinder communication and collaboration. Importantly, certain audit procedures cannot be efficiently conducted remotely, resulting in a potential reduction of audit scope or depth and the possibility of overlooking certain risk areas. For example, it is important that documents and other audit evidence are inspected in their original state. Finally, the interviewed internal auditors emphasized that the physical presence of auditors at the audited location has a psychological impact [4].
All interviewees believe that a hybrid approach of remote and on-site audit combining their advantages is regarded as the optimal and efficient approach going forward. The time on site can be shortened by conducting remote audits, enhancing preparation, and utilizing data analysis. However, complete elimination of on-site presence is not feasible as audits of physical objects and premises are necessary to cover the full audit scope and related risks. Without the pandemic restrictions, the internal auditors would pursue this hybrid approach and partially travel again for their audits. Having gained valuable insights into the efficiency, costs, and timing of remote work, firms will not revert to the extent of on-site audits practiced prior to the pandemic. Large accounting firms have similarly concluded when assessing the implications of COVID-19 (Deloitte, 2020; KPMG, 2020).
Our study makes a significant contribution to the literature by documenting the effects of the COVID-19 pandemic on the field of internal auditing, being among the first to do so. In a closely related study, Eulerich et al. (2022a, b) found that internal auditors perceive no significant difference in the efficiency, effectiveness, and stakeholders' reliance on results between remote and in-person audits. While their findings are derived from survey data collected from 237 German internal auditors, our study provides additional insights through in-depth interviews. The findings provide implications for organizations and practitioners as the broad implementation of remote audit is a relatively new and increasingly important development in the field of internal audit. Our findings highlight the importance of organizations actively promoting flexible work options and continuously enhancing the effectiveness and efficiency of remote audits.
The paper proceeds as follows. Section 2 outlines the theory underlying the IAF, internal audit process, and remote audits. Section 3 describes our research questions while methodology and data sources are outlined in Section 4. Section 5 presents the results and Section 6 concludes.
2. Theory development
2.1 IAF and internal audit process
This section provides an overview of the IAF, its responsibilities, as well as the standard internal audit process. Given the exploratory nature of this study, the purpose of this overview is to establish key concepts and provide contextual understanding for interpreting our interview findings.
The IAF is an integral part of an organization's control system, and it is a key element of good corporate governance [5]. Internal auditors conduct financial, operational, compliance, investigative, fraud, information systems, and other miscellaneous audits to evaluate how well the organization and its business operations and systems are functioning (Teeter et al., 2010). The IAF is provided within the organization and assessments are reported to management, the board, or the audit committee. The role of internal auditors has evolved from that of a corporate watchdog to that of a trusted advisor [6]. Presently, internal auditors dedicate significant time to assessing high-risk areas, ensuring a comprehensive assurance that captures the “big picture” (Pickett, 2010). Internal auditors assess the integrity of financial information, assure the effectiveness and efficiency of operations, safeguard and verify assets and ensure compliant behavior.
Professional standards emphasize the crucial requirement for the internal audit activity to maintain independence and for internal auditors to uphold objectivity in order to effectively carry out their responsibilities, while also ensuring direct access to senior management and the board (IIA, 2017, Standard 1,100). Evidence provided by Abbott et al. (2010) suggests that an audit committee with a relatively higher level of oversight over the IAF compared to management is associated with increased emphasis on internal controls by the IAF. However, Norman et al. (2010), employing an experimental research design, find that mandating the direct reporting of the IAF to the audit committee instead of management may not be a prudent solution in addressing threats to internal auditor independence or objectivity. Conclusively, Abbott et al. (2016) affirm that the combination of competence and independence is essential for internal auditing to effectively fulfill its role as a monitor of financial reporting.
The International Professional Practices Framework (IPPF) implementation guide by the IIA outlines six key internal audit processes: (1) preparing a risk-based audit plan; (2) planning an audit and preparing the engagement work program; (3) performing audit engagements; (4) documenting audit engagements; (5) communicating results/reporting; (6) monitoring and follow-up process (IIA, 2017). These six audit engagement processes can be further classified into three main phases: planning, fieldwork, and reporting (Eulerich et al., 2022a, b). In the planning phase, auditors assess existing business risks, such as potential reputation loss, litigations, audit and control risks, as well as urgency. Risk assessment contributes to the planning of the audit framework, including the nature, extent, staffing, and timing, based on prior risk assessment. Background information from various sources, including regulatory guidelines, information technology (IT) systems, reports, analysis, and prior findings, is gathered for a well-founded risk evaluation in preparation for audit interviews. During the fieldwork/execution phase, data analytics and interviews are conducted. Data analytics plays a crucial role in extracting useful information, analyzing patterns, identifying anomalies, material misstatements, unusual transactions, as well as modeling and visualizing data (Stewart, 2015). Internal auditors are responsible for documenting sufficient, reliable, relevant, and useful information to support the engagement results and conclusions (IIA, 2019). The reporting phase involves communicating the results according to formal reporting lines.
2.2 Remote audit
In the context of the COVID-19 pandemic, remote audits have emerged as a critical component. Sayana (2003) highlights that performing audits without utilizing information technology is hardly feasible since the necessary audit information is predominantly available digitally through computer systems. Indeed, there is ample evidence demonstrating the extensive use of information technology by internal auditors in their work (Hermanson et al., 2000; Kim et al., 2009; Vasarhelyi et al., 2012; Li et al., 2018; Eulerich et al., 2022a, b, 2023; Al-Okaily et al., 2022).
The increasing availability of data in digital formats and the application of data analytics have provided the IAF with the opportunity to conduct remote audits (Christ et al., 2021). Teeter et al. (2010) argue that remote audits not only have the potential to reduce travel costs and latency, increase efficiency and coverage, but also to facilitate innovation in the internal audit process. However, Teeter et al. (2010) highlight that behavioral issues could hinder the potential benefits of remote audits if left unaddressed. These behavioral issues encompass not only the auditor's motivation, competence, and efficiency in performing tasks, but also the auditee's attempts to conceal errors or fraud, willingness to be monitored, and level of trust or distrust in the auditor.
Previous studies confirm the increasing adoption of various ICT and technological solutions to enhance the efficiency and effectiveness of internal audits. Teeter et al. (2010) recognize that incorporating a remote internal audit component is not just an additional benefit of audit automation; it is a driver for technology utilization and an opportunity to transform the internal audit process. This viewpoint aligns with the perspective of the President and Chief Executive Officer (CEO) of the IIA, Anthony Pugliese, who emphasizes the transformative role of technology, stating that it has become a key strategy rather than solely focusing on increasing efficiency and effectiveness. He further emphasizes that the internal audit profession provides a unique position and perspective on how technology is used for transformational aspects, strategy, and risk identification within the entire company [7].
3. Research questions
The COVID-19 pandemic has led to the widespread adoption of remote work due to travel restrictions and limited face-to-face interactions (Bick et al., 2020; Brynjolfsson et al., 2020). Other studies have provided insights into how the pandemic and subsequent lockdowns have affected the working habits and efficiency of non-healthcare professionals. Waizenegger et al. (2020) conducted interviews with 29 knowledge workers in April 2020, focusing on their experiences with team collaboration while working from home. They found that technological affordances, previously overlooked, enabled communication among team members. While remote work reduced disruptions, it also hindered knowledge sharing. In a Danish study, Kirchner et al. (2021) investigated the impact of working from home on both managers and employees during the COVID-19 pandemic. Both groups considered their work during the pandemic more challenging than usual, but managers perceived remote work to be even more challenging than employees. Delfino and van der Kolk (2021) examined the effects of the sudden shift to remote work on management control practices in Italy. Their findings suggested that stronger (weaker) social ties among employees and managers led to flattened (increased) perceived hierarchies. These studies indicate significant variations in how individuals experienced the shift to remote work. However, limited evidence exists on how accounting professionals, particularly internal auditors, perceived the initial wave of the COVID-19 pandemic's impact on their work. Given the exploratory nature of this study, it is important to formulate research questions. Our first research question is: “What were the initial effects of the COVID-19 pandemic on the work of the IAF?”
In a related study, Eulerich et al. (2022a, b) surveyed 237 internal auditors in Germany from July to August 2020 to gather evidence on the quality of internal audits during the transition to remote audits. They aimed to capture internal auditors' perceptions of remote audits compared to in-person audits. Respondents with more experience in remote audits perceived no difference in the efficiency and effectiveness of remote audits compared to in-person audits. Eulerich et al. (2022a, b) found that auditee support was a crucial determinant of perceived success in remote audits. Respondents also indicated that certain types of audits were more or less amenable to remote auditing. To gain further insights into this issue, our second research question is: “What are the primary challenges and benefits of remote audits?” We aim to understand the main challenges and potential benefits that internal auditors encounter in remote audits. Finally, we are interested in how the pandemic experience has shaped internal auditors’ views on the future of the IAF's work. Our third research question is: “What is the anticipated approach for the future of the IAF?”
4. Methodology and data sources
This section outlines the methodology employed to investigate the application of internal audit in the context of the COVID-19 pandemic. Purposive sampling, also known as judgment sampling, was utilized to select case companies based on specific qualities. Internet searches, such as on LinkedIn, were conducted to identify participants who possessed the requisite knowledge and experience to provide relevant information (Etikan et al., 2016). Non-random sampling allows for the selection of information-rich cases that offer diverse perspectives, thereby enhancing the ability to address the research question (Etikan et al., 2016). The chosen case companies operate within the German retail and manufacturing industry, and they vary in terms of firm size and the composition of their internal audit teams. This variation enables comparisons of the effects of the COVID-19 pandemic across different firm sizes while holding the economic environment constant.
In-depth semi-structured interviews were conducted with five practicing internal auditors, who served as informants for the study. Semi-structured interviews were chosen due to their flexibility in allowing for spontaneous follow-up questions during the interview process. The interview structure, as presented in Appendix 1, was developed based on the specific characteristics of the research topic. It was pilot-tested and refined through discussions with two internal auditors who were not part of the study. Prior to the interviews, a telephone call was conducted to explain the interview's purpose and format. All interviews were conducted in the local language using the online meeting platform Zoom between February and April 2021, with assurances given to maintain the anonymity of the firms and informants. The interviews were recorded and later transcribed. Table 1 provides an overview of the interview sample.
All informants in this study possess extensive and diverse experience in the field of internal auditing. Informant A, a Certified Internal Auditor (CIA), has eight years of relevant work experience. Currently, a significant portion of his time (approximately 50%) is dedicated to the development and application of analytics and data analysis tools. Firm A, where Informant A works, is a large trading company with an annual turnover of over 100 billion euros and a considerable internal control/audit department consisting of more than 100 employees. Informant B, who gained comprehensive experience during a six-year tenure at one of the Big-4 accounting firms, has been an internal auditor in the manufacturing sector for case firm B since 2014. This internationally operating company generates an annual turnover of over 2.5 billion euros, and its audit department comprises seven employees. Additionally, Informant B is a member of the Deutsches Institut für Interne Revision (DIIR) task force for financial and accounting audits. Informant C holds certifications as a CIA and Certified Fraud Examiner (CFE) and possesses over 10 years of experience in both internal and external audits within the manufacturing industry. The internal audit department at the headquarters, where Informant C works, consists of eight employees. Furthermore, the department receives support from two auditors based in China, covering the Asia-Pacific region, and four auditors in Brazil, responsible for the North and South American divisions. The company C, Informant C's employer, has a turnover exceeding 5 billion euros. Informant D is a highly experienced head of corporate audit with more than 10 years of experience as an audit division manager. The audit department at the headquarters, which Informant D oversees, consists of five full-time employees and one part-time employee. They conduct national and international audits within the electrical engineering sector. Case company D, Informant D's employer, achieves an annual turnover of over 2 billion euros. Informant E serves as the head of internal audit and is the sole auditor within the firm. With over 20 years of relevant work experience, Informant E has gained extensive knowledge in external and internal auditing across various industries, including retail, manufacturing, non-profit, and accounting. Case company E, where Informant E works, is a global producer of nondurable goods and generates an annual turnover exceeding 400 million euros.
5. Empirical results
In this section, we discuss the interviews conducted and present the empirical findings. The interviews were conducted to gather information about the status of audits in various firms and to examine the transition towards remote audits, the impact of technologies such as ICT and audit technology, and assess the remote audit approach while suggesting a future audit approach.
5.1 The transition towards remote audit
The implementation of remote audit began due to travel and face-to-face meeting restrictions caused by the pandemic (Int. A, B, C, D and E). Auditee interviews, a key component of audits, were quickly adapted to remote settings. To accommodate the audit schedule, firm A focused on audits with strong analytic elements. Firms A and C utilized virtual on-site inspections with local support equipped with video-streaming devices. Firm D's internal audit team held online meetings every two days (excluding ad hoc meetings) to update colleagues.
In 2020, firms D and E had planned several audits abroad. However, due to the challenges of conducting effective audits, they shifted their focus to more remote-oriented activities, such as follow-up audits and internal topics. These included auditing travel costs based on paper folders and following up on previous issues raised by external auditors (Int. D). Follow-up audits were considered suitable for remote conduction as they required less in-depth analysis and traditional audit interviews. Firm C worked on improving audit efficiency while minimizing on-site presence. They limited on-site audits but still held meetings at their headquarters. Other firms adopted a more conservative approach, with employees mostly working from home since the pandemic outbreak (Int. A, B, D and E).
5.2 Technology impact
The availability of ICT plays a crucial role in facilitating a smooth transition to remote work (Int. A, B and C). Firms with existing technology infrastructure experienced a surprisingly quick and seamless transition. The use of ICT, particularly virtual communication tools, significantly increased compared to pre-pandemic times. To access internal servers, local data, websites, and tools, employees rely on virtual private network (VPN) connections. Consequently, IT departments had to enhance VPN capacity to accommodate the growing number of employees working from home (Int. A, D and E). Microsoft Teams emerged as the primary communication platform, replacing tools like WebEx or Skype for Business in companies A, C, and D.
Digitalized and standardized processes lend themselves well to data analysis (Int. A, C). Process mining allows for the identification of anomalies and patterns, enabling the selection of high-quality audit samples. This analytical approach provides auditors with insights into the process and facilitates the identification of systemic errors prior to audit interviews. The use of data analytics enhances auditors' knowledge base, increasing acceptance from auditees and aiding in consensus-building and goal-setting (Int. A). In remote audit interviews, comprehensive data analysis contributes positively (Int. A, B, C, D and E).
Technology enables in-depth analysis of data that surpasses human cognitive abilities. Automated analysis uncovers more results than manual examination, optimizing audit security and compliance by identifying risk areas and process discrepancies (Int. D). Standardized procedures such as invoice management, receivables and liabilities, and invoice verification can be efficiently handled through data analysis (Int. A). Therefore, data analysis is indispensable for enhancing the efficiency and effectiveness of audits (Int. A, B, C, D and E), as it accelerates the process and systematically secures activities while reducing reliance on manual controls for individual processes.
The pandemic did not significantly alter the importance of audit technologies, as they were already integral and satisfactorily implemented in audit departments. Continuous improvement is an ongoing process regardless of external factors (Int. A, B, C and E). Data analytics and data accessibility are crucial for successful remote audits, as highlighted by Int. C: “Without access to data, both on-site and remote audits would be challenging as we rely on auditees for information. This should be avoided to maintain an independent assessment of division performance.”
In conclusion, interviews indicate that data analysis supports audit activities, and the efficiency of audit technologies depends on the degree of digitalization within the audited processes.
5.3 Assessment of the remote audit
Advantages and disadvantages of remote audits are evaluated in this section. Remote audits impact the cost structure by eliminating travel expenses, such as flights, commuting, accommodation, and provisions (Int. A, D and E). However, interviewee B believes that financial considerations have a limited influence on the decision for or against remote audits. Cost savings from travel must be compared with the additional support costs, as highlighted by interviewee C. For topics that require on-site presence, firm C obtained external support to cover risks. Firms with local audit support, like firm A, experience a shift in internal costs when attempting to conduct a full-scope audit with on-site assistance.
Business trips remove auditors from their personal environment for one to two weeks (Int. A and D). On-site visits allow for efficient scheduling of meetings and spontaneous interactions with auditees (Int. D). Auditees are aware of auditors' presence and tend to prioritize fewer tasks during that period. In contrast, remote audits often follow a strict interview schedule, and auditees are only available during specified time slots while simultaneously working on other topics. Working across different time zones limits shared productive time. Virtual communication lacks the openness and liveliness of face-to-face interactions. Only one person can speak at a time in larger groups, limiting overall exchange. On-site interactions allow for casual conversations in a relaxed environment (Int. C). Physical presence of auditors emphasizes the importance of the audit and motivates auditees. Remote communication cannot fully compensate for reading body language and assessing communication partners (Int. A and D).
The effectiveness and efficiency of remote audits strongly depend on auditee cooperation. Requesting information via email or phone often results in longer response times (Int. B and E). On-site interactions allow for active instruction, reducing misunderstandings (Int. E). Clarifying issues is more challenging remotely, as expressing opinions and resolving misunderstandings are easier in person (Int. A). Auditee cooperation is influenced by cultural background, with some countries showing a preference for avoiding and concealing findings rather than engaging in collaborative process improvement. Cultural competence, tools, and proximity play a limited role in remote audits (Int. C).
The scope and depth of a remote audit are negatively affected by procedures that cannot be conducted remotely. Auditors aim to observe unembellished original states of items such as paper documents, folders, local premises, or non-digitalized processes. Areas like occupational safety, health, fire prevention, warehouses, distribution centers, and inventory management require physical presence for auditing. Questioning via web conferences or email may lead to inaccurate answers from auditees (Int. A). As a result, the scope or depth of audits may be reduced (Int. A, B and D). On-site audits often lead to accidental discoveries that are missed in remote audits (Int. D).
Opinions vary regarding the optimal depth and scope of audits. Risks differ based on the digitalization of audited processes. Some firms employ external on-site support to cover specific risks. Alternative approaches include using cameras, drones, and Google Glass to capture real-time video streams of the environment. Interactive communication guides on-site personnel in conducting audit procedures (Int. A and D). For heavily digitalized processes, the higher costs of on-site audits may not justify the potential benefits, according to interviewee A. Remote audits should be assessed based on the audit area, with compliance audits, fraudulent acts, embezzlement, and theft requiring in-person interactions for precise questioning and behavioral analysis (Int. E).
One challenge faced by IAFs is keeping staff motivated and supported in remote environments (Deloitte, 2020). Interviewee B notes the lack of contact with other divisions, leading to reduced knowledge and contribution to audit schedule planning. Physical presence of auditors in auditees' premises emphasizes the importance of the audit and increases auditee engagement. However, the lack of motivation due to the remote environment was not mentioned by the interviewees.
Overall, our findings align with prior audit research. The choice of communication mode affects the extent of bias in client responses, with face-to-face interactions yielding higher-quality responses than email or other mediums (Saiewitz and Kida, 2018). Face-to-face interactions include more content and follow-up questions compared to computer-mediated communication (Bennett and Hatfield, 2018). Internal auditors also recognize the value of face-to-face interactions. Table 2 below provides a comprehensive summary of the advantages and disadvantages of remote internal audits.
5.4 The future approach of audit
The future approach envisioned by most interviewees is a combination of on-site and remote audits. This approach aims to shorten the time spent on-site through remote audits, meticulous preparation, and data analysis (Int. A, B, C, D and E). The primary drivers for this development towards remote audits are reduced travel costs (Int. B and E) and improved time management (Int. A, D). On-site auditors can be minimized as they are supported by remote teams (Int. A). Additionally, continuous audit approaches can ensure routine system checks and mitigation controls, with key performance indicators assessed remotely contributing to audit analytics (Int. A, C).
However, the interviewees strongly emphasize that the value of being on-site cannot be fully replaced by remote auditing (Int. A, B, C, D and E). The physical presence at the audited location has a psychological impact (Int. D and E). Int. D describes this as follows: “It is important to show presence at the audited division. They need to see that there are people that come from the headquarters to Brazil for them, especially to look at their business and warehouse. The psychological effect should not be underestimated.” A practitioner's journal article published in Internal Auditor aligns with this view, stating that “When it comes to managing fraud risk, practitioners need to make their presence known” (Kaissi, 2021). Furthermore, the firm must decide if reducing the scope or depth of the audit to enable remote conduction is acceptable. The inability to physically audit certain objects on-site is one of the major drawbacks of remote audits (Int. A, B, C and D).
In the absence of pandemic restrictions, the interviewees express a preference for on-site audits, particularly for specific types of audits (Int. A, B, C, D and E). Several remote audit processes were already part of the audit process before the COVID-19 pandemic. Audit planning, analysis, and follow-up can be efficiently and effectively conducted remotely (Int. A, C and E). Following the pandemic, the decision to conduct remote audits will be a conscious choice based on a risk assessment conducted by the firm. As Int. C states: “The risk assessment will consider various factors, such as data access, digitalization of audited units, country specifics, language, and cultural barriers. It depends on a combination of weighted factors.” This decision is also influenced by corporate culture, industry sector, and the firm's location (Int. A and E).
6. Conclusions
This paper presents empirical insights into the transition towards remote audits and the impact of technology on the IAF and audit processes during the COVID-19 pandemic. The study highlights the crucial role of ICT infrastructure in facilitating a smooth transition to remote work and emphasizes the significance of data analysis in enhancing audit efficiency and effectiveness. Remote audits offer benefits such as cost savings and improved time management, but they also pose challenges related to auditee cooperation, reduced interaction, and limitations in conducting certain procedures remotely. The interviewees envision a future approach that combines on-site and remote audits, recognizing the value of on-site presence and the need to assess the scope and depth of remote audits. Firms are advised to conduct risk assessments considering various factors and make informed decisions based on their specific context. This study contributes to the existing research on remote audits and provides valuable insights for auditors and organizations in shaping their audit strategies in the future. The COVID-19 pandemic has accelerated the adoption of remote work and digital technologies in the internal audit field. ICT infrastructure has played a vital role in enabling collaboration, communication, and data exchange. Audit technologies designed for different processes have facilitated the execution of audits. The study's interviews highlight the importance of well-functioning ICT tools for knowledge acquisition and sharing. Remote audits offer advantages such as reduced travel expenses and increased flexibility, but they also present challenges in planning, communication, and conducting certain procedures. The experts interviewed suggest a hybrid approach combining remote and on-site audits as the most effective and efficient approach for the future.
The research findings have important implications for the future of internal audit practices. The combination of on-site and remote audits emerges as a favorable approach, allowing for cost savings, improved time management, and the utilization of technology for efficient data analysis. However, it is crucial to recognize that the value of on-site presence cannot be fully replaced, particularly in terms of the psychological effect and the ability to physically assess certain objects. Therefore, firms need to carefully assess the scope and depth of audits that can be conducted remotely, considering factors such as risk assessment, corporate culture, industry area, and country-specific considerations. These implications highlight the need for a balanced approach that leverages the benefits of remote audits while ensuring the necessary on-site presence for effective and comprehensive auditing.
However, there are several limitations to our research. Our interview approach does not allow for the examination of variations between industries and countries. While internal audit experts provided remarkably similar responses to the interview questions, the sample size was very small. Therefore, caution must be exercised before generalizing the results to other industries and countries. It is important to acknowledge that our study does not attempt to explain variations in the observed responses, but rather raises important issues regarding the impact of the recent pandemic on the work of the IAF. We encourage future research to address these limitations. Further research could explore the role played by the IAF in risk management during the COVID-19 pandemic. Additionally, future studies could assess the hybrid approach of remote and on-site audits from different perspectives, including those of auditees, external parties, and company management.
List of informants and conducted interviews
Informant id and position | IA work experience | Industry (turnover) | IA team size | Interview date | Interview length |
|---|---|---|---|---|---|
| A: Senior internal auditor, CIA | Eight years | Retail trade (>100 billion EUR) | >100 | 11.02.2021 | 75 min |
| B: Senior internal auditor | 10–15 years | Heating and refrigeration systems (>2.5 billion EUR) | 7 | 08.03.2021 | 55 min |
| C: Corporate internal auditor, CIA, CFE | 10–15 years | Manufacturing (>5 billion EUR) | 14 | 09.03.2021 | 60 min |
| D: Head of corporate audit, PhD | 10–15 years | Industrial automation (>2 billion EUR) | 5–6 | 12.03.2021 | 65 min |
| E: Head of corporate audit | 20–25 years | Battery manufacturing (>400 million EUR) | 1 | 09.04.2021 | 55 min |
Note(s): Acronyms: IA = internal audit; CIA = certified internal auditor; CFE = certified fraud examiner
Source(s): Table created by author
Advantages and disadvantages of a remote audit by topics
| Advantages | Disadvantages |
|---|---|
| Topic: Omission of travel | |
| Cost-saving (Int. A, D, E) Additional flexibility through time-saving (Int. A, D) Less strenuous for auditors, better work-life-balance (Int. A, D) | Additional on-site support required (Int. C) Less shared productive time in different time zones (Int. C) |
| Topic: Meeting arrangements | |
| More efficient scheduling and switching between meetings (Int. D) Total timing more flexible and simpler to extend (Int. A) | No spontaneous meetings (Int. A, C) More precise planning required remotely (Int. A, C) |
| Topic: Communication | |
| Response time and efficiency of communication depending more on auditees' willingness to cooperate (Int. A, C, E) More difficult to create proximity (Int. C) and interpret body language (Int. E), the psychological effect of personal meetings omitted (Int. D, E) Lacking contact to other divisions (Int. B) | |
| Topic: Technology | |
| Driver for digitalization and technology usage (Int. C) ICT enables smooth communication and exchange (Int. A, B, C, D) Technology can mitigate disadvantages of remote audit (Int. A, B, C, D) | More guided conversations due to schedules and only one person can speak using ICT (Int. C, D) |
| Topic: Scope and depth | |
| Saved time allows taking on further topics (Int. A, D) | Reduced scope or depth as certain audit procedures cannot be conducted remotely (Int. A, B, C, D) leading to uncovered risk areas (Int. A, C) Poor quality of documents and replica online, easier to falsify (Int. E) |
Source(s): Table created by author
Notes
This definition is retrieved from https://www.theiia.org/en/about-us/about-internal-audit/on August 15, 2022.
The “Three Lines Model” is a framework that delineates the responsibilities of different parties involved in effective risk management and governance. The Three Lines Model breaks down governance and organizational risk management into three main components: i) The governing body, which is accountable to stakeholders and responsible for organizational oversight; ii) management, which takes actions to achieve organizational objectives; and iii) internal audit, which provides independent assurance. External assurance providers offer additional assurance. This model was formerly referred to as the “Three Lines of Defence”.
Following Teeter et al. (2010) and Eulerich et al. (2022a, b), we define remote audits as performing audit procedures from different locations than the auditee's premises using ICT. We acknowledge that internal audits before the pandemic were not exclusively conducted in-person. In contrast, it is our understanding that pre-pandemic audits often involved a combination of in-person and remote procedures, with remote methods commonly used for planning and reporting, and in-person fieldwork being the norm. However, the notable shift during the COVID-19 pandemic was the near-total reliance of internal auditors on remote audits.
The psychological effect encompasses various aspects, including engaging the auditee, highlighting the importance of the IAF, reading the body language of the communication partner, and to deter fraudulent acts. Interviewed experts believe that technological solutions like such as video streams cannot fully replace the physical presence of internal auditors. Teeter et al. (2010) and Kaissi (2021) reach the same conclusion.
We do not discuss the relationship between internal and external audit functions. For a comprehensive understanding of the relationship between internal and external audit functions, Adams (1994) provides valuable insights in an early paper, outlining an agency theory framework for internal audit research, which explains internal-external auditor relationships and internal audit outsourcing. Gramling et al. (2004) offer a comprehensive discussion on how the IAF contributes to corporate governance by examining its relationships with the external auditor, the audit committee, and the management. Davidson et al. (2013) provide an examination of the external auditor's reliance on the IAF.
The term watchdog in an auditing context goes back to the Victorian origins of the auditing profession. A British judge named Lord Justice Lopes famously stated in 1896 during the case of Kingston Cotton Mill Company: “An auditor is not bound to be a detective or… to approach his work with suspicion or with a foregone conclusion that there is something wrong. He is a watch-dog, but not a bloodhound.” Plender (1927). More recently, the IIA's former president and CEO Richard Chambers used the term “trusted advisor” to describe internal auditors' current role within organizations (Chambers, 2017).
The views are taken from the discussion between the former and current IIA's executives available at https://internalauditor.theiia.org/en/video/2021/april/insights--advice-meet-the-iias-new-president--ceo/(accessed 14.8.2022).
ICT = Information and communication technology
CAAT = Computer-assisted audit techniques
Data availability: Contact the authors.
Typical interview structure
1. Introduction
Introduction to the topic and interview schedule.
Presentation of the interviewee (position, firm, daily tasks and composition of audit team).
2. COVID-19 and remote audit
To what extent did the COVID-19 pandemic influence internal audit?
Status in the firm: how was the transition to remote audit?
3. Technology impact
Did you face any difficulties in using ICT to communicate, collaborate, and exchange data?
What kind of audit tools do you use? (Analysis, visualization and planning).
Are any changes planned to adapt to remote audit requirements?
What effect does audit technology have on the effectiveness and efficiency of an audit?
4. Evaluation of remote audit
What advantages or disadvantages do you see using remote audit? (Cost, personal, location, timing, traveling).
Future: would you continue remote audit after COVID-19? (Why?)
What makes remote audits successful/efficient? (Technology, digital analysis and communication).
5. Concluding remarks
Is there anything you want to add to the subject?
Survey instrument, original form
1. Introduction
Introduction to the topic and interview schedule (Organizational questions?)
Presentation of the interviewee (position, firm, daily tasks and size of audit team).
2. Remote audit
Status in the firm: how was the transition to remote audit? (Reason: COVID-19?)
Did you face any difficulties in using ICT [8] to communicate, collaborate, and exchange data?
Did you use remote audit before? (maybe in form of a continuous audit?)
What advantages or disadvantages do you see using remote audit? (cost, personal, location, timing, traveling).
3a. Analytics and computer-assisted audit techniques (CAAT) [9] (audit technology)
What kind of tools do you use? (Analysis, visualization and planning).
Would you consider those tools as easily applicable/advanced/complex? (Why?)
Are any changes planned to adapt to remote audit requirements? (Necessary?)
3b. Firm assessment regarding analytics and CAAT
Which of the factors would you consider most relevant/irrelevant for a high audit technology implementation in your firm? (Why?)
What effect does audit technology have on the effectiveness and efficiency of an audit?
4. Evaluation of remote audit
Future: would you continue remote audit after COVID-19? (Why?)
How do analytics and CAAT affect audit performance? (More important remotely?)
To what extent does the usage of audit technology (CAAT and analytics) foster remote audit?
What makes remote audit successful/efficient? (Technology, digital analysis, communication?)
Is there anything you want to add to the subject?
References
Abbott, L.J., Parker, S. and Peters, G.F. (2010), “Serving two masters: the association between audit committee internal audit oversight and internal audit activities”, Accounting Horizons, Vol. 24 No. 1, pp. 1-24, doi: 10.2308/acch.2010.24.1.1.
Abbott, L.J., Daugherty, B., Parker, S. and Peters, G.F. (2016), “Internal audit quality and financial reporting quality: the joint importance of independence and competence”, Journal of Accounting Research, Vol. 54 No. 1, pp. 3-40, doi: 10.1111/1475-679X.12099.
Adams, M.B. (1994), “Agency theory and the internal audit”, Managerial Auditing Journal, Vol. 9 No. 8, pp. 8-12.
Al-Okaily, M., Alqudah, H.M., Al-Qudah, A.A. and Alkhwaldi, A.F. (2022), “Examining the critical factors of computer-assisted audit tools and techniques adoption in the post-COVID-19 period: internal auditors perspective”, VINE Journal of Information and Knowledge Management Systems, (ahead-of-print), doi: 10.1108/VJIKMS-12-2021-0311.
Bantleon, U., d'Arcy, A., Eulerich, M., Hucke, A., Pedell, B. and Ratzinger-Sakel, N. (2021), “Coordination challenges in implementing the three lines of defense model”, International Journal of Auditing, Vol. 25 No. 1, pp. 59-74, doi: 10.1111/ijau.12201.
Bennett, G.B. and Hatfield, R.C. (2018), “Staff auditors' proclivity for computer-mediated communication with clients and its effect on skeptical behavior”, Accounting, Organizations and Society, Vol. 68, pp. 42-57, doi: 10.1016/j.aos.2018.05.003.
Bick, A., Blandin, A. and Mertens, K. (2020), “Work from home after the COVID-19 outbreak”, Working paper 2017. The Federal Reserve Bank of Dallas.
Brynjolfsson, E., Horton, J.J., Ozimek, A., Rock, D., Sharma, G. and TuYe, H.Y. (2020), COVID-19 and Remote Work: an Early Look at US Data (No. W27344), National Bureau of Economic Research, Cambridge, MA.
Chambers, R.F. (2017), Trusted Advisors: Key Attributes of Outstanding Internal Auditors, Internal Audit Foundation, Altamonte Springs, FL.
Christ, M.H., Eulerich, M., Krane, R. and Wood, D.A. (2021), “New frontiers for internal audit research”, Accounting Perspectives, Vol. 20 No. 4, pp. 449-475, doi: 10.1111/1911-3838.12272.
Davidson, B.I., Desai, N.K. and Gerard, G.J. (2013), “The effect of continuous auditing on the relationship between internal audit sourcing and the external auditor's reliance on the internal audit function”, Journal of Information Systems, Vol. 27 No. 1, pp. 41-59, doi: 10.2308/isys-50430.
Delfino, G.F. and van der Kolk, B. (2021), “Remote working, management control changes and employee responses during the COVID-19 crisis”, Accounting, Auditing and Accountability Journal, Vol. 34 No. 6, pp. 1376-1387, doi: 10.1108/AAAJ-06-2020-4657.
Deloitte (2017), “Three lines of defence: time to rethink and reframe the model”, available at: https://www2.deloitte.com/content/dam/Deloitte/lu/Documents/risk/lu-three-lines-defense-13072017.pdf (accessed 1 March 2022).
Deloitte (2020), “Internal audit considerations in response to COVID-19. Navigating change: an unprecedented challenge”, available at: https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/audit/deloitte-uk-internal-audit-response-to-covid-19.pdf (accessed 14 December 2021).
Etikan, I., Musa, S.A. and Alkassim, R.S. (2016), “Comparison of convenience sampling and purposive sampling”, American Journal of Theoretical and Applied Statistics, Vol. 5 No. 1, pp. 1-4.
Eulerich, M., Masli, A., Pickerd, J. and Wood, D. (2023), “The impact of audit technology on audit task outcomes: evidence for technology-based audit techniques”, Contemporary Accounting Research, Vol. 40 No. 2, pp. 981-1012, doi: 10.1111/1911-3846.12847.
Eulerich, M., Pawlowski, J., Waddoups, N.J. and Wood, D.A. (2022a), “A framework for using robotic process automation for audit tasks”, Contemporary Accounting Research, Vol. 39 No. 1, pp. 691-720, doi: 10.1111/1911-3846.12723.
Eulerich, M., Wagener, M. and Wood, D.A. (2022b), “Evidence on internal audit quality from transitioning to remote audits because of COVID-19”, Journal of Information Systems, Vol. 36 No. 3, pp. 219-234, doi: 10.2308/ISYS-2021-021.
Gramling, A.A., Maletta, M.J., Schneider, A. and Church, B.K. (2004), “The role of the internal audit function in corporate governance: a synthesis of the extant internal auditing literature and directions for future research”, Journal of Accounting Literature, Vol. 23, pp. 194-244.
Hermanson, D.R., Hill, M.C. and Ivancevich, D.M. (2000), “Information technology‐related activities of internal auditors”, Journal of Information Systems, Vol. 14 Nos s-1, pp. 39-53, doi: 10.2308/jis.2000.14.s-1.39.
International Federation of Accountants (IFAC)/Institute of Internal Auditors (IIA) (2018), “United, connected and aligned: how the distinct roles of internal audit and the finance function drive good governance”, available at: https://www.ifac.org/system/files/publications/files/United-Connected-and-Aligned-FINAL.pdf (accessed 1 March 2022).
Institute of Internal Auditors (IIA) (2013), “IIA position paper: the three lines of defence in effective risk management and control”, FL.
Institute of Internal Auditors (IIA) (2017), “Implementation guides: international professional practices framework (IPPF)”, FL.
Institute of Internal Auditors (IIA) (2019), “Implementation guides: international professional practices framework (IPPF)”, FL, available at: https://www.theiia.org/globalassets/documents/standards/implementation-guides-gated/2019-implementation-guides-all.pdf
Institute of Internal Auditors (IIA) (2020), “The IIA’S three lines model: an update of the three lines of defense”, FL, available at: https://www.theiia.org/globalassets/site/about-us/advocacy/three-lines-model-updated.pdf
Kaissi, M. (2021), “Where were the internal auditors?”, Internal Auditor, Vol. 78 No. 1, p. 66.
Kim, H.J., Mannino, M. and Nieschwietz, R.J. (2009), “Information technology acceptance in the internal audit profession: impact of technology features and complexity”, International Journal of Accounting Information Systems, Vol. 10 No. 4, pp. 214-228, doi: 10.1016/j.accinf.2009.09.001.
Kirchner, K., Ipsen, C. and Hansen, J.P. (2021), “COVID-19 leadership challenges in knowledge work”, Knowledge Management Research and Practice, Vol. 19 No. 4, pp. 493-500, doi: 10.1080/14778238.2021.1877579.
KPMG (2020), “Remote auditing for internal auditors: adjusting to the ‘new normal’”, available at: https://assets.kpmg/content/dam/kpmg/be/pdf/2020/05/KPMG-RemoteAuditingInternalAuditors.pdf (accessed 14 December 2021).
Li, H., Dai, J., Gershberg, T. and Vasarhelyi, M.A. (2018), “Understanding usage and value of audit analytics for internal auditors: an organizational approach”, International Journal of Accounting Information Systems, Vol. 28, pp. 59-76, doi: 10.1016/j.accinf.2017.12.005.
Martinelli, M., Friedman, A.E. and Lanz, J. (2020), “The impact of COVID-19 on internal audit”, The CPA Journal, Vol. 90 No. 6, pp. 60-63.
Norman, C.S., Rose, A.M. and Rose, J.M. (2010), “Internal audit reporting lines, fraud risk decomposition, and assessments of fraud risk”, Accounting, Organizations and Society, Vol. 35 No. 5, pp. 546-557, doi: 10.1016/j.aos.2009.12.003.
Pickett, K.H.S. (2010), The Internal Auditing Handbook, 3rd ed., John Wiley & Sons, New York, NY.
Plender, W. (1927), “Accountant's certificate in connection with the accountant's responsibility”, Journal of Accountancy, Vol. 43 No. 4, pp. 253-263.
PWC (2017), “The three lines of defence model of tomorrow”, available at: https://www.pwc.nl/nl/assets/documents/pwc-3linesofdefencemodel.pdf (accessed 1 March 2022).
Saiewitz, A. and Kida, T. (2018), “The effects of an auditor’s communication mode and professional tone on client responses to audit inquiries”, Accounting, Organizations and Society, Vol. 65, pp. 33-43, doi: 10.1016/j.aos.2017.10.002.
Sayana, S.A. (2003), “Using CAATs to support IS audit”, Information Systems Control Journal, Vol. 1, pp. 21-23.
Stewart, T.R. (2015), “Data analytics for financial statement audits”, Audit Analytics and Continuous Audit: Looking toward the Future, AICPA, New York, NY, pp. 105-128.
Teeter, R.A., Alles, M.G. and Vasarhelyi, M.A. (2010), “The remote audit”, Journal of Emerging Technologies in Accounting, Vol. 7 No. 1, pp. 73-88.
Vasarhelyi, M.A., Alles, M., Kuenkaikaew, S. and Littley, J. (2012), “The acceptance and adoption of continuous auditing by internal auditors: a micro analysis”, International Journal of Accounting Information Systems, Vol. 13 No. 3, pp. 267-281, doi: 10.1016/j.accinf.2012.06.011.
Waizenegger, L., McKenna, B., Cai, W. and Bendz, T. (2020), “An affordance perspective of team collaboration and enforced working from home during COVID-19”, European Journal of Information Systems, Vol. 29 No. 4, pp. 429-442, doi: 10.1080/0960085X.2020.1800417.
Further reading
DIIR Arbeitskreis MaRisk (2019), “Online-Revisionshandbuch. für die Interne Revision in Kreditinstituten”, Deutsches Institut für Interne Revision e.V. Frankfurt, available at: https://www.diir.de/fachwissen/revisionshandbuch-marisk/ (accessed 14 December 2021).
Acknowledgements
The authors wish to thank Emma-Riikka Myllymäki, Lasse Niemi, Margit Vogt, and two anonymous reviewers for helpful comments and suggestions.