Risk Management and Ethical Environment: Effects on Internal Audit and Accounting Control Procedures

JAMAR
Vol. 6 · No. 1 · 2008



Risk Management and
Introduction
Ethical Environment:
The internal control system is a key
corporate governance facet that has
Effects on Internal Audit
attracted considerable attention in recent
and Accounting Control
years. The Committee of Sponsoring
Organizations’ (COSO)1 Internal Control –
Procedures
Integrated Framework conceptualises an

internal control system to comprise of
Kirsten Rae*
several components, including the control
Nava Subramaniam**
environment, risk assessment, monitoring
John Sands*
of controls, information and

communication, and control activities
Abstract
(COSO, 1992). See Figure One.


This study examines the impact of the scope
These components are derived from the
of risk management and ethical
way management runs a business, and are
environment on internal audit activities and
seen to be integrated with the management
the quality of accounting control
process and the internal control. More
procedures (ACPQ). The conceptual
recently, COSO’s (2004) Enterprise Risk
framework for the study is guided by
Management – Integrated Framework
COSO’s frameworks on internal controls
(hereon referred to as the ERM framework)
and enterprise risk management and data
expanded on the previous internal control
from a questionnaire survey of 64
framework by integrating the entirety of an
Australian firms are analysed using a
enterprise’s risk management processes
structural equation model. The results of
with the organisational objectives classified
the study support that (1) internal audit
under four categories: strategic, operational,
activities have a significant intervening
reporting and compliance (which may be
effect on the relationship between the scope
analysed from differing organisational
of risk management and ACPQ, and (2) a
levels i.e. divisional to sub-entity levels).
direct and positive relationship exists

between ethical environment and ACPQ.
The responsibility of implementing an
Our findings suggest that widening the
effective ERM framework lies with
scope of risk management activities do not
managers, of which the design of the
directly improve ACPQ, but that it leads to
internal control system and adherence to set
more extensive internal audit activities and
policies and procedures are vital aspects.
in turn such activities promote better

ACPQ. Further, the results indicate that
The current study, guided by COSO’s
fostering a more ethical environment
Internal Control – Integrated Framework,
directly leads to higher ACPQ. These
and the ERM Framework, focuses
results have implications for the design of
specifically on four key components of an
internal controls, namely with respect to the
internal control system.
role of internal audit activities and ethical
environment in enhancing ACPQ.


1 COSO was originally formed in 1985 as a private
Keywords
sector initiative by five major professional
Internal Audit
associations in the United States, the American
Internal control
Accounting Association, the American Institute of
Certified Public Accountants, Financial Executives
Risk Management
International, The Institute of Internal Auditors, and
Ethical Environment
the National Association of Accountants (now the
Accounting Control Procedures
Institute of Management Accountants). Its key
objective was to sponsor the National Commission on

Fraudulent Financial Reporting, which studied the


causal factors related to fraudulent financial
* Sunshine Coast University
reporting.
** Deakin University

11

---

JAMAR
Vol. 6 · No. 1 · 2008





Figure One: The Five Components of Internal Control


Internal Control System






Control
Risk
Monitoring
Information and
Control

Environment
Assessment
Communication
Activities




(AUS 402.43 and COSO, 1992)

These are:
arguably able to impact the design of

internal monitoring systems such as the
a) ethical environment - as a feature of the
extent of internal audit activities. By
control environment component,
contrast, accounting control procedures
b) scope of risk management – as an
which are more operational and
element of the risk assessment
transactions-related are more likely to be
component,
affected by the monitoring process such as
c) extent of internal audit activities – as a
internal audit activities, as well as by the
feature of the monitoring component;
broader strategic level variables, namely
and
risk management and ethical environment.
d) the quality of accounting control
A more detailed discussion of the directions
procedures (ACPQ) – as an outcome
of the relationships among these four
variable of the control activities
components is undertaken in the upcoming
component. 2
section titled, ‘Hypotheses Development’.


We further contend that both risk
In summary, the objectives of this study are
management and ethical environment can
to examine (1) the direct effects of the
be viewed as internal control components
scope of risk management, ethical
that operate at a broader strategic level
environment and extent of internal audit
within the organisation. In other words,
activities, on ACPQ, (2) the direct effects of
senior management tend to set the risk
ethical environment and the scope of risk
appetite for the organisation and invest in
management on the extent of internal audit
related strategies for the management of the
activities, and (3) the intervening role of the
entity’s risks. Likewise, ethical values may
extent of internal audit activities in the
be communicated by example through
relationship between the scope of risk
leadership and management’s strict
management and ACPQ.
adherence to admonishing those who

violate the ethical standards or code
Motivation for Study
(Schwepker and Hartline, 2005; Weaver,
In general, the motivation for the present
Trevino and Cochran, 1999b). These
study is largely derived from the lack of
broader strategic components, in turn are
empirical evidence on the relationships

between related internal control features.
2 We did not assess the information and
Such evidence is vital for several reasons.
communication component for reasons relating to

project manageability including keeping the survey
Firstly, in the wake of the recent corporate
instrument at a reasonable length. We believe that
collapses, regulators have intensified their
future studies may take the opportunity to extend
research by including this component.
attention on internal controls. High profile
12

---

JAMAR
Vol. 6 · No. 1 · 2008



cases such as WorldCom and Enron clearly
Although, traditionally, the review of the
highlight how accounting and related
internal control system has always been a
internal controls had failed as a result of
key part of an external audit, the formal
poor design and inappropriate behaviour of
reports by both management and the auditor
staff (Cunningham, 2004; Hwang and
are new requirements. By having a better
Staley, 2005). At the same time,
understanding of the inter-connections of
organisations are increasingly faced with a
the various components within a system of
growing number of options for managing an
internal controls, management will be better
internal control system including the
able to review and report on the quality of
adoption of ERM, self-assessment controls,
the overall system.
ethical and board evaluation processes and

a plethora of accounting-based controls
Thirdly, in addition to such regulatory
(Cohen, Krishnamoorthy and Wright, 2002;
requirements, various corporate governance
Fadzil, Haron and Jantan, 2005). Yet, there
guidelines (e.g. the United Kingdom’s
is little understanding on how these various
Turnbull Report (1999) and the Australian
control strategies and mechanisms may
Stock Exchange’s (ASX) corporate
affect each other. Furthermore, the need for
governance guidelines (2007)), and
a better understanding of such relationships
professional practice documents (e.g. IIA,
becomes even more imperative as the costs
2001a) have been issued with
of designing and implementing internal
recommendations on a variety of strategies
controls have grown significantly in recent
for internal control enhancement. For
years. For example, it is reported that the
instance, management leadership i.e. ‘tone
costs associated with meeting the
at the top’ has been much emphasised in
requirements of the Sarbanes-Oxley (SOX)
such recommendations (ASX, 2007).
Act passed by the U.S. Congress in 2002

averaged about US $35 million for large
Further, these various guidelines have also
firms in the first year (Verschoor, 2005).
placed significant emphasis on an entity’s
Interestingly, a large part of these costs
approach to risk management as a key
relate to the application of transaction
mechanism that overarches the design of
control processes. Therefore, a better
internal controls through-out the
understanding of the inter-relationships
organisation.
between key internal control features is

increasingly critical for identifying the
Organisations have been encouraged to
overall effectiveness and efficiency of a
undertake an ERM approach, which
control system. A poor selection of controls
involves a process “designed to identify
not only increases the probability of errors
potential events that may affect the entity,
and mis-statements but also increases the
manage risks within its risk appetite, and to
potential for fraud occurrence, which
provide reasonable assurance regarding the
subsequently affects organisational
achievement of entity objectives” (COSO,
performance.
2003, p.3). Likewise, it is advocated that

proper assurance processes, particularly that
Secondly, recent regulatory focus on the
undertaken by the internal audit function is
reporting of internal control quality
another vital internal control component.
necessitates more empirical evidence on the
Yet, the literature suggests that there can be
inter-relationships between different
trade-offs in the selection of control
internal control components. For example,
mechanisms within an organisation. Such
the SOX Act mandates that management
an approach is akin to a ‘substitution of
assess and report on the effectiveness of the
controls’ strategy where senior
firm’s internal controls over financial
management may elect to forgo or
reporting (Agami, 2006). The Act also
substitute one type of control for another
stipulates that the independent auditor
(Noreen, 1988; Stansbury and Barry, 2007).
should report on management's assessment
Unfortunately, there is still little
of the effectiveness of the company's
understanding on how these various control
internal controls over financial reporting.
strategies and mechanisms affect and
13

---

JAMAR
Vol. 6 · No. 1 · 2008



compensate for each other. Such knowledge

is vital as the choice and design of the
Control environment: this sets the tone for
internal controls which, in turn, has direct
the organisation, providing the foundation
implications for the overall quality of an
for all other components of internal control,
internal control system.
and influences the control consciousness of

its people. It includes integrity, ethical
In summary, the current study thus aims to
values and the competence of all members
contribute to the literature by providing
of the entity, as well as management’s
empirical evidence based on a systematic
philosophy and operating leadership style,
study of a selected set of internal control
which are dimensions associated with an
components. The remainder of the paper is
ethical environment (Chen, Sawyer and
organised as follows. The next section
Williams, 1997).
provides the background to COSO’s

Internal Control – Integrated Framework.
Risk assessment: this is the identification
Subsequent sections provide the
and analysis of relevant risks, internal and
development of several testable hypotheses
external, to the achievement of the
and a delineation of the research method.
objectives, forming a basis for determining
The final two sections discuss the results
how the risks should be managed.
and the conclusions of the study,

respectively.
Control activities: these help ensure that the

necessary procedures are taken to help
Background: COSO’s Internal
ensure that an entity achieves its objectives.
Control – Integrated Framework
Control procedure activities occur
The main objectives of COSO’s
throughout the organisation, at all levels
Internal
and in all functions.
Control – Integrated Framework are to
provide a common definition of internal

control, and to provide a standard to assess
Information and communication: internal
the effectiveness of internal controls. The
and external information must be identified,
framework defines internal control as “a
captured and communicated in a form and
process, effected by an entity’s board of
timeframe that enables people to carry out
directors, management and other personnel,
their responsibilities. Effective
designed to provide reasonable assurance
communication also must occur in a
regarding the achievement of objectives in
broader sense, flowing down, across and up
(1) the effectiveness and efficiency of
the organisation.
operations, (2) the reliability of financial

reporting, and (3) the compliance of
Monitoring: internal control systems need
applicable laws and regulations” (COSO,
to be monitored, a process that assesses the
1992). The term ‘process’ is used in a broad
quality of the system’s performance over
sense where it goes beyond procedures to
time. This is accomplished though ongoing
include the corporate culture and related
monitoring activities such as the internal
organisational policies. Further, through the
audit activities.
inclusion of "effectiveness" (the

achievement of objectives) into the ambit of
COSO argues that there is a synergy and
internal control, COSO recognises the
linkage among these components, forming
existence of business objectives and assists
an integrated system that reacts
in aligning the definition with business risk
dynamically to changing conditions. The
approaches to audit (Spira and Page, 2003).
internal control system is seen to be

intertwined with the entity’s operating
COSO’s
activities and to exist for fundamental
Internal Control – Integrated
business reasons. In the following section,
Framework models internal control as
comprising of five interrelated components,
hypotheses for the present study are
which are derived from the way
developed. Figure Two provides an
management, runs a business. The
overview of the various hypothesised
components are:
relationships.
14

---

JAMAR
Vol. 6 · No. 1 · 2008



Figure Two: The Relationships Hypothesised in H1 to H6


Risk Management

H1: +

H4: +


Extent IA
Accounting Control Procedural Quality

H2 +

H

5: –
H3 +


Ethical Environment


Indirect Relationship (Mediation Effect) Hypothesis

H6 + H2H4 path


Hypothesis Development

Risk Management - ACPQ
Accounting Control Procedures Quality
Management has the responsibility to
(ACPQ)
identify business risks, assess the
Accounting control procedures aim to
significance and likelihood of risk
prevent and detect transaction errors and
occurrence, and decide how to manage such
omissions, and to correct such errors and
risks. The IIA’s (2001b) Practice advisory
omissions, where possible. A recent CPA
statement on Assessing the Adequacy of
Australia’s survey indicated that about two-
Risk Management Processes denotes that
thirds of small businesses claim to have
management need to install sound risk
internal accounting controls in place in
management processes and periodically
most transaction areas e.g. sales, purchases,
communicate such risk strategies to all
accounts receivable, etc. (Hartcher, 2003).
stakeholders in the organisation. Nielson,
Accounting control procedures include
Kleffner and Lee’s (2005) study found that
authorisation of transactions, record
sophisticated shareholders are increasingly
keeping custody, and segregation of duties.
demanding that management become more
The quality of the various accounting
involved in risk management planning and
control procedures (ACPQ) determines the
development of effective principles so as to
timeliness and the accuracy of the detection
strengthen the firm’s overall corporate
of errors and omissions. In general, there
governance structure. It is also argued that
are two dimensions to ACPQ. The first
the risks managed ought to extend beyond
refers to the quality of the design of the
the purely financial to embrace the broad
internal accounting controls e.g. the format
range of risks experienced by companies
of authorisation procedures relating to a
such as environmental, social and other
given transaction. The second relates to the
business risks (Lindow & Race, 2002).
extent to which various employees within

the organisation adhere to internal control
The process of risk management includes
policies and procedures (Marshall, 1995).
the identification, assessment, monitoring
Thus, both the internal control design and
and treatment of risks. As the scope of risk
employee adherence to the set procedures
management expands, firms are likely to
are critical for enhancing ACPQ. Therefore,
cover a larger number of areas of an
the higher the ACPQ, the more likely that
organisation’s activities as well as the
errors and misappropriations will be
variety of risks including financial,
detected.
environmental, industry and operational
15

---

JAMAR
Vol. 6 · No. 1 · 2008



type risks (Fatemi and Glaum, 2000).
value and improve an organization's
Beasley, Frigo and Litman (2007) highlight
operations. It helps an organization
the importance of having an enterprise wide
accomplish its objectives by bringing a
approach to risk management and argue that
systematic, disciplined approach to
as organisations invest in a wider set of risk
evaluate and improve the effectiveness
management processes, the organisational
of risk management, control, and
objectives can be more easily met.
governance processes (IIA, 2000)”.


We predict that the greater the scope of risk
This revised definition expands the focus of
management activities, the higher the
the internal audit function from one of
ACPQ. This is because, as the scope of risk
assurance to one providing a value added
management widens, a greater number of
approach (Bou-Raad, 2000; Krogstad,
staff from different areas tend to become
Ridley and Rittenberg, 1999). Thus, it is no
more aware of, and involved in risk
surprise that internal auditors have become
management activities. A greater
increasingly involved in consultancy work,
involvement in risk management ought to
covering non-financial areas such as
lead to higher levels of relevant knowledge
business unit processes, operational
and strategies to mitigating such risks. Staff
efficiencies and compliance with laws and
who are more exposed to risk management
regulations (Verschoor and Farrell, 1996).
in turn will be better able to identify
Consequently, there is now a greater
weaknesses in the existing internal controls.
variance in internal audit programs both in
Consequently, the staff will be in a better
their nature and scope. For example,
position to offer valuable suggestions to
internal auditors may undertake compliance
improve the internal control weaknesses.
type audits only, or a variety of other
Further, from an individual psychological
performance and operational audit type
perspective, staff are also likely to be more
reviews. This increased variance in internal
motivated to adhere to internal controls
audit programs may enhance organisational
when they better understand the potential
opportunities to improve accounting control
consequences to the organisation of failing
procedural quality.
to follow proper accounting control

procedures.
We predict that the larger the extent of

internal audit activities, the higher the
Based on the above discussion, the first
ACPQ. This is because, with greater levels
hypothesis of this study is as suggested:
of checking and monitoring of the internal

control features across a variety of a firm’s
H
business sections, as well as increased value
1: There is a direct and positive
relationship between the scope of risk
added activities, the probability of finding
management and ACPQ.
weaknesses in the internal accounting
controls increases. Given that accounting
Internal Audit Activity - ACPQ
control procedures often tend to relate to
Traditionally, the internal audit function’s
transaction authorisation and processing, a
role has been to assess the effectiveness of
higher level of internal audit activities
organisational internal controls, and to
would serve to increase the detection of
report to management where and how
control weaknesses and failures. Colbert
internal controls could be strengthened
and Alderman (1998), for example, found
(Van Peursem, 2004). In June 1999, the
that internal audit test results are highly
Institute of Internal Auditors (IIA) officially
valued by fraud investigators their fraud
adopted a revised definition of the internal
detection procedures, and that such reports
auditing function and integrated this
have helped in prompting further
definition into its code of ethics. The
investigations. In other words, as the nature
internal audit function is defined as:
and scope of the internal audit activities

increases, the higher the probability of
“an independent, objective assurance
detecting errors and fraud. Consequently,
and consulting activity designed to add
with greater detection of weaknesses, more
16

---

JAMAR
Vol. 6 · No. 1 · 2008



strategies can be developed to remedy the
shared system of values), a more highly
weaknesses in the internal control system.
ethical environment is created.


Thus, the second hypothesis for the study is
In an empirical study by Valentine, Godkin
as follows:
and Lucero (2002), a positive association

was found between ethical environment and
H
employee organisational commitment.
2: There is a direct and positive
relationship between the extent of internal
Based on a sample of 304 young working
audit activities and ACPQ.
adults, Valentine et al. (2002) found that

ethical environment was positively and
significantly associated with the level of
Ethical Environment - ACPQ
employees’ organisational commitment.3
While accounting control procedures can be

easily written down as formal
Furthermore, in a recent study, Kizirian and
organisational policies, getting individuals
Leese (2004) studied audit papers of 60
or employees to adhere to such policies is
information systems audit engagements and
another issue. Carelessness, laziness and
found that the ethical tone of the audit
even disobedience are plausible reasons for
clients’ management has a significant
ignoring accounting control procedures.
impact on the strength of their security
However, it is likely that in a more ethical
controls.
environment, employees will tend to follow

company rules and regulations because it
Based on the preceding discussion, we
would be the morally acceptable behaviour.
predict that in a more ethical environment,

employees will be more willing to adhere to
Prior studies claim that the ethical
the organisation’s accounting control
environment within the firm is likely to
procedures. It is expected that the greater
influence employee behaviours in two
the ethical environment, the higher the
ways. First, through organisational
ACPQ as employees’ with a higher moral
socialisation processes, employees will
consciousness will be more willing to ‘do
learn to behave according to the level of
the right thing’ by their employers.
ethical climate, and the higher the ethical

values, the greater the ethical outcomes
The third hypothesis for this study thus is as
(Ardts, Jansen & Van der Velde, 2001).
follows:


Second, empirical evidence also indicates
H3: There is a direct and positive
that management’s attitude to corporate
relationship between ethical environment
ethical environment, exampled by ethical
and ACPQ.
leadership, has a positive impact on overall
employee behaviour (Weaver et al, 1999a).
Risk Management - Internal Audit
The ethical environment of an organisation
Activity
is seen to encompass aspects of upper
In organisations where the scope of risk
management’s tone in achieving
management activities is large, employees
organisational objectives, their value
are likely to be more actively involved in a
judgments and management styles (COSO,
wide ranging set of activities. The
1992; AUS 402.43)
awareness among employees about the

various types of risks faced by their
Victor and Cullen (1987) introduced the
organisation, how such risks may be
concept of ‘ethical climate’ to explain and
interconnected, and the risk mitigation
predict organisational ethical behaviour.
strategies put in place by management, is
They suggested that when morally
expected to be greater in firms with a wide
acceptable behaviours based on honesty and
risk management agenda than those firms
integrity are actively promoted and become

part of an organisation’s culture (i.e. a
3 Organisational commitment refers to the extent to
which employees feel connected with the company’s
values and way of doing things (Schwepker, 1999).
17

---

JAMAR
Vol. 6 · No. 1 · 2008



with narrow risk management plans.
punishing managers in order to align their
Consequently, with the choice of a wider
interests with the organisation’s (Weaver et
set of risk management activities and areas,
al., (1999a). Another strategy is to develop
employees are likely to find value in
or adopt alternative controls that are more
internal audit activities, because such
behaviour-oriented. engendering a more
activities help to identify breakdowns in
ethical environment may work as an
both the design of their risk management
alternative means of control, which, in turn,
plans and related internal controls,
alleviates the need to expand or change a

firm’s traditional control system.
Also, the internal audit function is well

placed to aid in improving risk management
Based on the preceding arguments, we
strategies. Lindow and Race (2002), for
propose that the demand for internal audit
instance, argue that as a firm widens its risk
activities would be negatively related to
management activities, there will be greater
ethical environment. Management
demand for the internal audit function to
committed to fostering a high ethical
assist in administrating and monitoring
environment may be less motivated to
many of these risk management activities.
increase more traditional control features
Similarly, Spira and Page (2003) observe
such as internal audit activities because
that, in view of the Turnbull report, some
there will be greater trust in employees to
companies have expanded their internal
follow set rules and procedures. Therefore,
audit function to include specialists such as
based on the above discussion, the fifth
engineers and marketers to broaden their
hypothesis for study is as follows:
operational risk perspective. Senior

management can engage internal auditors to
H5: There is a direct and negative
not only audit control activities, but also
relationship between ethical environment
help to monitor a company's risk profile and
and the extent of internal audit activities.
play a key role in identifying areas that
improve risk management processes.
Intervening Effect of the Extent of
Accordingly, we predict that as the scope of
Internal Audit Activities
risk management increases, there will be
In the preceding discussion, it was proposed
greater demand for more extensive internal
that there is a positive relationship between
audit involvement.
the scope of risk management and the

extent of internal audit activities (H ). In
4
Thus, based on the above discussion, the
addition, a positive relationship was also
following hypothesis is proposed:
proposed between the extent of internal

audit activities and ACPQ (H ). When
2
H4: There is a positive relationship between
viewed together, the two predicted
the scope of risk management and the
relationships suggest that internal audit may
extent of internal audit activities.
act as a significant intervening variable in
the relationship between the scope of risk
Ethical Environment - Internal Audit
management activity and ACPQ. 4
Activities

Organisations have several choices for
We therefore hypothesise the sixth and final
improving on their existing control system.
hypothesis for study:
For example, one strategy is to invest in

more sophisticated controls that add onto or
complement their traditional control system
such as increasing the number and the

variety of controls (e.g. a moving from a
4 Although a significant proposed relationship is
simple to a more sophisticated information
proposed for H2, a negative significant relationship is
system or performance evaluation system).
proposed in H5 between ethical environment and
Traditional control systems tend to be
extent of internal audit activities. Therefore, an
predominantly outcome controls-based
indirect relationship is not proposed between ethical
environment and ACPQ.
whereby the focus is on either rewarding or

18

---

JAMAR
Vol. 6 · No. 1 · 2008



H6: The extent of internal audit activities
Questionnaire Administration
has a significant intervening effect on the
Financial controllers were chosen as survey
relationship between the scope of risk
participants for two key reasons. Firstly,
management and ACPQ.
they are in a senior position and thus, are

expected to have a very good understanding
Research Method
of the quality of internal control procedures.
Secondly, financial controllers are often
Sample
actively involved in the oversight of any
Data collection was undertaken through a
system reviews and changes, and thus
questionnaire survey distributed to financial
would be aware of any control weaknesses
controllers (otherwise termed chief
or malfunctions of internal control
accountants) of medium to large Australian
procedures.
firms. The sample population involved

firms from a cross-section of industries
The questionnaire was accompanied by a
such as manufacturing, retail, automotive
letter to introduce the purpose of the study
dealerships, information technology,
along with a reply paid envelope for their
wineries and fisheries, and hotels. The
responses. Follow up calls were made
database comprised two major sources. The
approximately two weeks after the
first data set accessed the BRW list of 1000
questionnaires were sent out5. To test for
largest Australian firms (September, 2003)
non-response bias, responses from the first
(www.brw.com.au). One hundred and sixty
and last 20 surveys were analysed with no
(160) firms whose revenues ranged from
significant results6.
$20 million to $110 million per annum

were selected randomly from the database
Of the 320 questionnaires sent out to the
for this study with the aim of accessing
organisations selected for participation, a
medium to large-sized firms. The second
total of 67 responses were received
database comprises one hundred and sixty
(approximately 21% response rate), of
(160) four and five star hotels in Australian
which 64 were useable (18.8% usable
capital cities derived from the Dawson’s
responses). Three of the returned
(2003) hotel directory.
questionnaires were discarded due to
incomplete responses. As shown in Table
Questionnaire Development
One, nearly half the respondents were from
A questionnaire was developed based a
large firms i.e. 100 employees and above
literature review of prior studies, and the
and about 28% from less than 49
research instrument was pre-tested using six
employees.
participants: the financial controllers of two

large locally based firms, three academics
A range of industries was represented in
who had significant industry experience and
this study. These were categorized into
one forensic accountant, whose firm
Manufacturing, Retail, Hotel and Other
specialised in forensic consulting. Face-to-
Services and no significant difference was
face interviews were conducted, leading to
found to exist between hotel and non-hotel
minor changes to wordings in several
participants’ responses.
questions.


The questionnaire instrument included
5 Ethical clearance for this research was obtained
distinct sections for each of the four
from Griffith University’s Social Sciences, Business,
variables and a section capturing
and Arts Ethics Sub Committee. A letter was
participants’ demographic information.
forwarded to each firm, with a declaration that the
questionnaire was given ethical clearance by the

University’s sub committee, along with the researcher

and supervisor’s contact details. Each letter sought
respondent’s participation in fully completing the

questionnaire, allowing the opportunity for each
participant to remain anonymous.
6 The non-response bias testing followed the method

used by Firth (1978).
19

---

JAMAR
Vol. 6 · No. 1 · 2008




Table One: Sample Respondents by Number of Employees
Number of Employees
Number of Respondents
Percent of Respondents
Less than 49
18
28%
50-100 15
23%
More than 100
31
49%
Total 64
100%


Variable Measurement Model
what extent did your organisation, in the
ACPQ was assessed based on a seven-item
last financial year undertake internal audit
scale, whereby the items were adapted from
activities?”. An eight-point scale was also
the ‘Small Business Sample’ Section of
provided with 0 being ‘none’, 1
CPA Australia’s Small Business survey
representing to ‘a very small extent’ and 7
(CPA Australia, 2003). Each participant
signifying ‘a very large extent’.
was required to rate the firm’s internal

control strength, using a 7-point Likert-type
Ethical environment was measured using a
scale with 1=very poor to 7=very good, in
five item, five-point Likert-type scale as
seven key areas. These include ‘cash
developed by Hunt, Wood and Chonko
management’, ‘bank accounts’, ‘physical
(1989). Ethical environment was evaluated
assets’, ‘purchasing and accounts payable’,
using the ethical tone at the senior
‘sales’, ‘employee recruitment’ and
management level because COSO (1992)
‘payroll’. Data analyses were based on the
asserts that the overall ethical tone in an
Z-score of a factor analysis for the seven-
organisation is developed from the top
item (KMO = .841; Sig = 0.000). A
down, and must be exampled to the lower
confirmatory factor analysis produced
staff levels of the organisation before an
goodness of fit indices that support this
ethical environment will be assimilated by
measurement model (see Table Three).7
the whole organisation. The measure
The internal reliability of the measure for
consisted of statements such as, “Top
these seven-items for each participant was
management in my organisation has let it be
also strong with the Cronbach Alpha being
known that unethical behaviour will not be
0.875.
tolerated”, and “If a manager in my

organisation is discovered to have engaged
The questionnaire also asked an additional
in unethical behaviour that results primarily
question on the perceived quality of the
in the entity’s gain (rather than personal
internal controls overall so as to gain an
gain) he or she will be promptly
assessment of the respondent’s overall
reprimanded. The Cronbach Alpha
judgement of the strength of the internal
evaluating the internal reliability of the
controls. A bivariate correlation analysis
ethical scale is 0.807. Further, a factor
between the average score of the 7-item
analysis revealed a unidimensional scale for
measure and the ‘overall’ rating indicates a
the five-item ethical environment scale
significant and strong correlation exists.
(KMO = .766; Sig = 0.000) and provided a

Z-score, which was supported by the
The extent of internal audit activities was
confirmatory factor analysis shown in Table
measured by asking each respondent “To
Three.


Scope of risk management was measured
7 The confirmatory factor analysis was conducted
by asking each respondent to rate the extent
using structural equation modelling within the AMOS
to which four items of risk management
statistical software program.
20

---