Ethical pathways of internal audit reporting lines

ABSTRACT This study identifies the ethical pathways of chief audit executive reporting lines that describe internal auditing relationships with different authorities in the organization (e.g. the board of directors, audit committee, chief executive officer, and chief financial officer). The literature has placed importance of these lines as determinants for the objectivity and independence of internal auditing. Recent studies have reported inconsistent findings regarding whether reporting to high authority is the optimal reporting line compared to reporting to low authority. For this reason, there is a need for further investigation. Thus, this study harnesses the strengths and weaknesses of three ethical pathways in a decision-making model (described as the Ethical Process Thinking Model). In this way, we provide an explanation of the complex situations of internal audit reporting line in reality. The findings highlight that individuals’ different perceptions and judgments, as well as information signals can lead to different reporting lines (decision choices). The three dominant ethical pathways (i.e. preference-based, rule-based and principle-based) advance the literature by providing a clearer picture for practitioners, researchers and regulators to facilitate independence and objectivity requirements.


Introduction
The aim of this paper is to identify the ethical pathways implemented by chief audit executives (CAEs) when reporting to different authorities in the organization. A major challenge faced by CAEs 1 is to independently ensure that there is neither a material misstatement in the financial information nor any misappropriation of assets (Kagermann, William, Karlheinz, & Claus-Peter, 2008). Typically, CAEs are responsible for guaranteeing that the aforementioned are carried out successfully to obtain the most effective reaction from organization managers and thus achieve corporate objectives (Ernst & Young, 2012). This can be achieved by reporting the result of their work to a level within the organization that allows the internal audit activity to fulfil its responsibilities (IIA, 2016a). According to the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing, the CAE should report to the board in a functional manner (e.g. charter approval, planning, execution and results of audit activities) and report to the organization's chief executive officer (CEO) administratively (e.g. on budgeting, evaluations and administration matters) (IIA, 2016a). Such reporting lines represent the standard of organizational independence that has been explained in the IIA practice advisories No. 1110-1111 to promote dual reporting lines. Thus, the CAE should serve two masters (the board and the CEO) in order to facilitate organization independence (IIA, 2016b).
Prior studies have focused only on the importance of internal audit reporting lines (Fraser & Lindsay, 2004;Holt, 2012;Hoos, Kochetova-Kozloski, & d'Arcy, 2015;James, 2003James, , 2004Norman, Rose, & Rose, 2010). Nonetheless, to date, no study has examined the ethical components and issues involved in the internal audit reporting lines (i.e. the CAE reporting decisions), which may explain the previous literature's inconsistency. This is partly due to recent changes in organizations' strategic and technological innovative developments (Deloitte, 2018). For example, organizations are confronted with cyber risks and artificial intelligence tools, which requires a constant need to innovate in order to compete. Further, Deloitte (2018) acclaims that the global community is entering the fourth industrial revolution where new technologies, digitalization, and artificial intelligence are dramatically changing the business landscape.
In order to study decision makers' propensities to action, it is helpful to break up all of the pathways marked with unique decision-making processes. Hence, a decision-making model (described as the Ethical Process Thinking Model) is applied to issues that address the adoption of new tools and techniques (e.g. cyber risk components, digitalization, and artificial intelligence) as well as depicting the develop capabilities needed to effectively respond to the fourth industrial revolution challenges (Deloitte, 2018;Rodgers, 2009). This model suggests how perception, information, and judgment interact before making a decision choice. This approach can provide more meaningful relationships of the impediments or causes of decisions (Rodgers, 1997). Building on this model, we highlight how the CAE makes decisions regarding whom he/she should report within a corporate governance context, which enables us to clarify the particular ethical pathways of internal audit reporting lines.
The Ethical Process Thinking Model is useful in conceptualizing ethical dilemmas in auditing (Guiral, Rodgers, Ruiz, & Gonzalo-Angulo, 2015;Rodgers, Guiral, & Gonzalo, 2009). The unique contribution of this model is that it clarifies critical pathways in ethical decision-making (i.e. a parallel process approach instead of a serial process/ input-output approach). It incorporates the constructs of perception (framing environmental conditions), information, judgment (analysis of information/environmental condition) and decision choice as it applies to individuals/organizations. Therefore, this model was found to be useful for studying the CAEs' reporting lines. Specifically, it helped to identify the ethical pathways of the CAEs' reporting lines through revealing how perception and information, directly and indirectly, affect the reporting decision.
The Ethical Process Thinking Model extends the literature related to CAEs' reporting lines by examining the ethical pathways of the CAEs' reporting decision choices, which may play a substantial role in the evaluation of internal auditors' objectivity and independence (Abbott, Parker, & Peters, 2012;Abbott, Daugherty, Parker, & Peters, 2016;Lin, Pizzini, Vargus, & Bardhan, 2011), corporate governance (Sarens, Abdolmohammadi, & Lenz, 2012) and external auditor's reliance decision (Munro & Stewart, 2011). Rapid development in digitalization and artificial intelligence technology (Dumay, Bernardi, Guthrie, & Demartini, 2016), changes in regulatory environments and changes in the cyber risk landscape make it imperative to seek to better understanding of internal audit reporting decision.
The paper is structured as follows. First, we discuss the Ethical Process Thinking Model , followed by a literature review section. As part of that discussion, we describe the three dominant ethical positions of internal audit reporting. Our final section contains the conclusion of the study. The directions of flow (arrows) in the diagram represent the relationships or the influence of one construct to another.

The ethical process thinking model
The Ethical Process Thinking Model (Rodgers, 2009;Rodgers et al., 2009) separates the decision-making process into four major concepts of perception (P), information (I), judgment (J) and decision choice (D) (See Figure 1). These stages are always presented in a decision-making context, yet their predominance or ordering influences the decision outcome (Foss & Rodgers, 2011). In this model, perception and information are Figure 1. The ethical process thinking model (Ethical Beginnings, Rodgers, 2009, p. 19), where perception = (P), information = (I), judgment = (J) and decision choice = (D) (see note 2). interdependent because "information can influence how the decision maker frames a problem (perception) or how he/she select the evidence (information) to be used in later decision-making stages (judgment and choice)" (Rodgers et al., 2009, p. 350). Higher levels of coherence between perception and information generally indicate that the information set is more reliable and relevant. The degree to which information is available, reliable or relevant affects the ability to achieve a higher level of decision-making processing. Time pressure, changing environments and level of expertise in accumulating knowledge wisely can further push one into alternative ethical positions (Rodgers, 2009). Nielsen, Mitchell, and Nørreklit (2015, p. 78) argued that "each company has a different way of handling information uncertainty and of interacting with the coalition of decision-participants". Typically, individuals encode and analyse the information and perception throughout the judgment stage before making a decision. However, errors, pressure or conflicts of interest may affect the decision choice, which can result from cognitive mechanisms of which decision makers are largely unaware (Rodgers, 1999). Generally, this model provides a broad conceptual framework for examining interrelated processes that affect ethical decisions. The first process ("perception" in Figure 1) concerns heuristics of framing effects (Kahneman, 2003), and can influence judgment and decision choice. Perception in our study refers to the CAEs' environment and how they view the available information. It is a higher mental activity level that includes analysing accounting information. Such perceptual processing is an automatic reaction to information, and individuals respond differently according to their experience, qualification, morale, environment, and so on. In this model, information affects judgment. For instance, decision makers' evaluations of particular prospects are influenced by previous experience and memorized information. Typically, before the CAEs decide to whom they should report, they encode the information and develop a knowledge representation for the problem. Furthermore, the strategies of judgment that affect CAEs' decision choices are under their deliberate control. Consequently, perception and judgment can affect decision choice.
The next section highlights the three primary pathways depicted in the Ethical Process Thinking Model. We consider these three pathways to be essential in offering a better understanding of the audit reporting lines, which will be applied in more detail later in the paper.

Why use an ethical process thinking model?
The recent financial crisis has highlighted the awareness, attitude and behaviour of employees toward internal and external risk. In addition, the recession pressure and environmental changes pose new and different risks. These changes reflect the growth of business activities in size, scope, and complexity. Now, more than ever, the internal audit function (IAF) is recognized as a key pillar in an organization's overall governance structure (Gramling, Maletta, Schneider, & Church, 2004). Internal auditors' responsibilities have been translated directly into an expectation to deliver deeper assurance beyond the areas of strategy, risk and sustainable analytics (IIA, 2016a). Internal auditors should report functionally to the highest authority in the organization (Boyle, DeZoort, & Hermanson, 2015;Chambers & Odar, 2015;IIA, 2016b).
Past literature has indicated that the CAE's primary responsibilities may be compromised due to "who they report to" (e.g. the board of directors, audit committees (ACs), the CEO, the chief financial officer (CFO) or other executives) (IIA, 2013b). The proposition is that authorities' pressure, lack of support or conflicts of interest can lead to different reporting lines (decision choice) (Christopher, Sarens, & Leung, 2009), which result from cognitive mechanisms of which decision makers are largely unaware (Rodgers, 1999). For example, internal auditors believe that they are not free to report fraud, wrongdoing or mistakes because of management pressure (Al-Twaijry, Brierley, & Gwilliam, 2003). In addition, Norman et al. (2010) found that internal auditors reduce their risk assessment because of AC pressure. Furthermore, Sweeney and Roberts (1997) found that an auditor's level of moral development affected his or her sensitivity to ethical issues and independence judgements. Shifting the focus from the importance of internal audit reporting lines to the issue of the reporting decision can provide an explanation of the complex situation of internal audit reporting line in reality.
In addition, the previous investigation of internal audit reporting lines reported inconsistent findings. Some studies support dual reporting lines by reporting to high authority functionally and the CEO administratively (Holt, 2012;IIA, 2016c;James, 2003;Munro & Stewart, 2011). In contrast, other studies have argued that there are difficulties in CAEs reporting deficiencies directly to ACs in full (Bame-Aldred, Brandon, Messier, Rittenberg, & Stefaniak, 2013;Schneider, 2009). The regulatory and best practices guidance typically fails to explicitly delineate the duties of high authorities (e.g. the board of director and AC) regarding the IAF. Consequently, different sources of information and environmental conditions can lead to different reporting decisions. For instance, the cognitive abilities of decision makers are a key input into decisions, and not all people have the ability to apply them sufficiently in order to ensure error-free judgment (Libby & Luft, 1993). This may present the limitation of Norman et al.'s (2010) study, as they rely solely on highly experienced auditor samples and did not consider less experienced auditor, which may have produced different findings. Furthermore, Nielsen et al. (2015) found that strategic task environment may reveal different methodological approaches to decision making. Therefore, diversity pertaining to situations related to laws, regulations, and rules, as well as norms, cultures, and ethics, may lead to different decision-making processes. Consequently, it is expected that CAEs with different situations may follow different ethical positions to make a reporting decision, by focusing on their personal interest, other interest or just follow the regulations regardless of the consequences of their reporting decision.
The Ethical Process Thinking Model is also useful in conceptualizing a number of important issues in accounting and management (Foss & Rodgers, 2011;Rodgers, Simon, & Gabrielsson, 2017;Rodgers & Housel, 1987), ethics/corporate social responsibility issues (Rodgers, Söderbom, & Guiral, 2014) and ethical dilemmas in auditing (Guiral et al., 2015;Rodgers et al., 2009). It provides a broad conceptual framework for examining interrelated processes influencing the decisions that affect organizations (Nutt, 1998;Trevino & Youngblood, 1990). This model's unique contribution is that it clarifies critical pathways in ethical decision-making (i.e. a parallel process instead of a serial process). It incorporates the constructs of perception (framing environmental conditions), information, judgment (analysis of information/environmental condition) and decision choice as it applies to organizations. However, not all of the four major concepts are necessary for each of the six pathways. For that reason, this study focuses on the primary ethical pathways (preferences-based [ethical egoism], rule-based [deontology] and principle-based [utilitarianism]) in order to examine the basic ethical position of the CAEs' reporting lines. These three primary ethical pathways tend to be the most discussed and applied ethical positions in accounting and auditing . They are considered the basic ethical position representing (1) an individual's utility, (2) rules pertaining to an organization/society, and (3) satisfying a group emphasis towards a goal (Rodgers & Gago, 2004). Rodgers (2009, p. 26), for instance, observed that "individuals with a strong sense of ethical process thinking are more likely to act ethically than are those who are operating with a weak or non-existent preference, rules, and principles ethical system." Additionally, CAEs have different knowledge and experience and face different motivations, incentives, and threats, which can influence their reporting lines. For example, if the CAE's experience level is high, quicker decisions may be made as a result of low reliance on the information (P D). However, this pathway may cause harm to others since important information may be ignored. Consequently, not all individuals may have the ability to make a decision without analysing the situation. They refer to the judgment stage before making a decision (P J D). In this pathway, the CAEs are fully aware of the laws, rules, and regulations, but when these rules are underdeveloped, other factors are given greater power to facilitate the transaction (Peng, Sun, Pinkham, & Chen, 2009). In the same way, the existence of reliable and relevant 4 information can help decision makers to analyse the situation and make a decision (I J D). This pathway works better with unstable environments, as it is more general than rule-based and it accommodates moral values. It helps the CAEs to weigh the available information and make the decision depending on the principle of maximizing good and minimizing harm. Nonetheless, individuals' values differ and cannot be applied in a consistent manner.
We argue that each of these major ethical pathways can lead to or influence the interpretation of an ethical dilemma that deals with material misstatement or misappropriation of assets. For example, Jones (1991) argued that individuals and organizations consider ethical positions drivers of the decisions-making process or action taking.
In addition, this paper centres on the internal audit reporting line stemming from three important aspects. First, we still know very little about CAEs' challenges in serving two masters; for example, Gramling et al. (2004) indicated a paucity of research with respect to the relationships between the IAF and the other two masters (AC and CAE). Second, fairly consistent findings across some recent studies have suggested that this issue should be investigated (e.g. Christopher et al., 2009;Stewart & Subramaniam, 2010;Zaman & Sarens, 2013). Third, internal audit reporting lines affect the objectivity and independence of internal auditors (IIA, 2011, p. 3), and the importance of these traits continues to increase with the development of the business environment (IIA, 2011).

The preference-based pathway (Egoism) P D
This pathway is based on individuals acting in accordance with their self-interest (Rodgers & Gago, 2001). They focus on what they need, want and desire and give more weight to results that positively rather than negatively affect themselves. Thus, they care more about their own interests than those of others when the two conflict (Rodgers, 2009). The meaning of "preference" presumes a real decision choice between alternatives. These alternatives can be seen as a source of motivation (e.g. happiness, satisfaction, and gratification), whereby individuals' preferences enable the selection of a decision choice (Rodgers, 2009). The decision is made based on perception, ignoring previous judgment or information. In this regard, internal audit standards require an independent and objective evaluation to continue existing in every decision (IIA, 2016a). Lampe, Smith, and Nesheim (1992) studied self-interested behaviour and found that it adversely affected auditors' ethical decision-making. They argued that "auditors always make conservative ethical decisions to avoid breaking laws, rules, or principles … … however, is not straightforward in all situations" (Lampe et al., 1992, p. 36). Moeller (2004), however, acclaimed that CAEs may split their time between assisting the AC, management and external auditors, which creates time constraint problems. It can be concluded that unavailable information, personal interest, and time pressure can encourage CAEs to follow the preference-based ethical pathway. Therefore, the decision of whom to report to is made by ignoring previous judgment or information signals. Building on this pathway, CAEs, influenced by their "perception", can have an opportunity to solve ethical problems, provided they have adequate experience and personal ethics.

The rule-based pathway (Deontology) P J D
In this pathway, decisions are motivated by laws, procedures, guidelines and individuals' rights. The decision is non-consequential, judgment-oriented and conditioned by one's perception of rules and laws. Information is not required because the decision is driven by regulations (Rodgers, 2009). For instance, Guiral, Rodgers, Ruiz, and Gonzalo (2010) examined how perceived consequences affect auditors' decision-making. They concluded that auditors' perceptions regarding the consequences of issuing a qualified audit opinion are an essential determinant of audit reporting decisions. Another example is Lampe et al. (1992), who provided a measurement of self-interest behaviour that influences auditors' ethical decision-making; nonetheless, they found rule-based platforms to be the most significant influence on auditors' ethical decision-making. This is especially the case when considering external concerns, moral judgment and self-interest in order to analyse the situation before making a decision. Employees' awareness about the formal regulations can decrease the ethical wrongdoings (Cordis & Lambert, 2017). In our research paradigm, internal auditors typically follow the standard of organization independence by reporting to the AC functionally and CEO administratively (IIA, 2013a). This is highlighted by the pathway of P J D, which suggests a rule over substance perspective, since the information (I) concept is played down or ignored for decision-making purposes (Guiral et al., 2010). As such, by following a rule-based perspective, internal auditors should report to the highest authority in the organization, but in some situation, such as when a conflict of interest exists, they may develop analytical procedures to determine their decision. Thus, any decision should consist of a rule-based theme of the analytical evolution of the evidence, both negative and positive, regardless of the decision's substance.
3.3. The principle-based pathway (utilitarianism) I J D Principles represent standards that assist people in making decisions, such as a concept or idea (e.g. values, attitudes and beliefs) that define the extent of a possible outcome (Rodgers, 2009). The principle-based pathway reflects the utilitarianism position, which is more concerned about decision consequences that maximize the utility for all through promoting values related to personal loyalty, intellectual understanding and political liberty (Rodgers, 2009). This ethical pathway advocates that society should always produce the greatest possible balance of positive value or the minimum balance of negative value for all individuals affected. It can be argued that Nigerian authorities have been criticized, as they did not do enough to control the behaviour of its members in accordance with its issued codes of ethics. This is because despite the acclaimed codes of ethics, many reported cases of professional misconduct have been met with a compromising stance by authorities (Bakre, 2007). Accordingly, not always regulations are followed. Thus, the principle-based pathway highlights that properly weighted information can play a strong role in determining the reporting propensity of internal auditors. People learn their principles from friends and family through their social needs and relationships. Building on this foundation, individuals that agree with group standards typically order and weight the available information before rendering a decision. In this regard, the principle-based pathway attempts to facilitate the greatest good for the organization affected by the decision (Rodgers & Gago, 2001).

Literature review
Academic researchers and professional practitioners have made several attempts to investigate internal audit reporting lines, which reports inconsistent findings. For example, some studies support the notion of dual reporting lines by reporting to high authority functionally and the CEO administratively (Holt, 2012;IIA, 2016c;James, 2003;Munro & Stewart, 2011). In contrast, other studies have argued that there are difficulties in CAEs reporting deficiencies only to ACs (Bame-Aldred et al., 2013;Schneider, 2009). However, the reality of the internal audit reporting line is much more complex than dual reporting requirements. One would assume that the CAEs should fulfil their roles to the best of their abilities. However, some CAEs can face a career risk by reporting the deficiencies of their manager's operation, which represents the major issue of CAEs' reporting mission (Fraser & Lindsay, 2004). In addition, there is a personal threat from the AC, in addition to threats from management, which make internal auditors reduce their risk assessments when reporting to the AC. For these reasons, Norman et al. (2010) argued that dual reporting to the AC and CEO is not a wise solution for independence (organization independence) and objectivity (individual independence). Currently, the reason for the previous literature's inconsistency remains unclear, as does the question of which reporting line is optimal for ensuring the independence and/or objectivity of internal auditors, which also needs further investigation.
However, examining the ethical pathway of the CAEs' reporting decision can provide more insight into the CAE's relationship with different authorities by considering the interrelationships between internal auditor's perception (e.g. environment support and competency), available information (e.g. relevant and reliable), judgment (e.g. pressure, sensitivity and conflict) and decision (e.g. reporting line). Studying these pathways is likely to provide ample opportunities for future research, which can provide new insights.
For example, an application of a CAEs' ethical decision pathway can provide more light on how they deal with issues such as the Sarbanes-Oxley Act (SOX-Act) (United States Congress, 2002). That is, senior management is responsible for assessing the design and adequacy of internal controls over financial reporting and reporting the result within their annual report. Also, the AC is responsible for overseeing the integrity of financial statements, risk management, and internal control. However, management and AC often turn to the IAF to support compliance with these requirements (PwC advisory, 2005), which CAEs can administer influence depending upon their ethical decision pathway.
Some issues have been raised by Moeller (2004) in his article regarding IAF before and after the SOX-Act. For example, he claimed that reporting relationships differ from one corporation to another. These reporting issues may be better understood by addressing the CAEs' ethical decision pathway employed in an organization internal audit review.
This literature review raises a number of issues in internal audit reporting lines. For instance, reporting relationships differ from one corporation to another. Internal audit activities generally differ in importance as perceived by management and AC (IIARF, 2003). Also, internal auditing is currently struggling in Australian and Zimbabwe parastatals as a result of the lack of internal support for the IAF (AC and CEO support) (Christopher et al., 2009;Matavire & Dzama, 2013). Furthermore, Rupšys and Stačiokas (2005) argued that a theoretical approach is usually not implemented in practice due to traditional concerns of internal auditings, such as compliance accounting matters rather than management issues. To that extent, several members of the AC Leadership Networks in North America noted that 48% of internal auditing typically reports administratively to the CFO, as compared to 27% reporting to the CEO (Tapestry Networks, 2013). The aforementioned issues can be addressed more succinctly by providing some examples of the determinants of a particular reporting mechanism as depicted by the Ethical Process Thinking Model (see Figure 2). In this way, examining a particular ethical pathway can provide a useful approach to addressing critical issues.
(3) Information: as described in International Accounting Standard (IAS) No. 8, information should be both relevant and reliable (IASB, 2013). (4) Decision (e.g. reporting to the AC of the board, the CEO, the CFO or other executives).

Further discussion of the pathways
Below, we examine the three primary ethical pathways in light of the previous literature.

Literature tied to the rule-based ethical pathway (P J D)
The purpose of rules and laws is to enable society to function for the benefit of its members and their beneficiaries. They refer to one or more social, educational, moral or religious purposes. This pathway emphasizes that correct action is one where the laws or other rules are followed regardless of the action's consequences (Rodgers, 2009). Decision-making in this pathway is judgment oriented and conditioned by one's perception of the rules and laws (Rodgers & Gago, 2001). In view of all the studies supporting dual reporting lines, one may assume that CAEs are highly qualified to apply the standard of organization independence. These studies assume there are no difficulties, time pressures or ethical matters that might influence their or others' interests. It is expected that auditors with conventional moral development in nature more likely to comply absolutely with professional independence standards (Sweeney & Roberts, 1997). That means that CAEs should follow the rule-based pathway by reporting to the board or AC, in which the decision is non-consequential and the rule should be implemented regardless of the substance of the transaction. The decision is induced by a judgment based on a perception of a circumstance. Figure 3 shows that the information is not required (P J D) because the regulations are well-known by the CAE in the entity. In this case, the CAEs' reporting lines are controlled by regulation (e.g. standards, charter and the code of ethics).
The rule-based ethical pathway reinforces the idea of making consistent decisions, which may occur more regularly when the same rules are implemented without bias. However, there may be times when the rules do not support the substance of the accounting transaction. For example, an independence threat results from the weak power exercised by the AC compared to the top managers (Roussy, 2015), or from the conflict of interest between the two masters (Norman et al., 2010). Furthermore, it has been found that lower financial reporting quality is associated with using IAF as a training ground, but this negative effect can be reduced with an effective AC (Christ, Masli, Sharp, & Wood, 2015). Lisic, Neal, Zhang, and Zhang (2016) confirm that AC effectiveness is negatively associated with CEO power, especially when the CEO is the chairman of the board, has higher compensation or has previously held executive positions in the company. Nonexecutive directors are more likely to produce higher quality information than others (Yekini, Adelopo, Andrikopoulos, & Yekini, 2015). In a country with a structure like Saudi Arabia, because of management pressure, internal auditors believe that they are not free to report fraud, wrongdoing or mistakes. Inadequate resources, lack of qualified staff and independence restrictions are the main reasons behind such independence threats (Al-Twaijry et al., 2003). Alzeban and Gwilliam (2014) argued that internal audit effectiveness is linked to hiring qualified staff, providing sufficient resources and having an independent IAF. A low level of independence from management influences the work value and reliance on the work of the IAF (Al-Twaijry, Brierley, & Gwilliam, 2004). That is, the recommendation to report to high authority can create tension with management, as the traditional role of the IAF is the "eyes and ears" of management. In summary, from the discussion above, it can be expected that management pressure, lack of support from high authority and insufficient resources can affect internal auditors' reporting decisions.

Literature tied to the preference-based ethical pathway (P D)
In contrast to the above studies, other studies, such as Norman et al.'s (2010), have argued that requiring internal audit reporting to the AC is not a wise solution to independence and objectivity threats. They investigated how internal audit reporting lines affect fraud risk assessments made by internal auditors when the level of fraud risk varies. They included 142 highly experienced internal auditors in their survey. They found that internal auditors usually reduce risk assessment when they report directly to the AC as a result of the personal threat that stems from the AC, as well as the management threat (Norman et al., 2010).
In addition, Schneider (2009) points out in his article that internal auditors might be reluctant to report directly to the AC of the board regarding controversial issues involving senior management (Schneider, 2009). This view was supported by Bame-Aldred et al. (2013) in their literature review as a result of the difficulties of IAF reporting excessive risks directly to the board (Bame- Aldred et al., 2013). Also, Fraser and Lindsay claim that CAEs face a career risk when reporting the full deficiencies of the operation of their manager or the person who decides their salary, evaluations, and bonus, and this is the major problem of the CAEs' reporting mission (Fraser & Lindsay, 2004).
Furthermore, a recent study by Hoos et al. (2015) examined internal auditors' independence in their potentially competing roles of serving two masters (AC and management), as well as its effect on their judgment. They tested the hierarchy within IAFs and the preferences communicated by a superior internal auditor. Their experimental treatment consisted of two different instructions of a superior internal auditor: the priority of management (cost reduction) and the priority of the AC (effectiveness). They found that CAEs make significantly different judgments depending on communicated superior preferences. They highlight the importance of hierarchical interactions within the IAF for examination of independence.
These studies have demonstrated the difficulties of applying the rule-based pathway. For instance, personal threat, sensitivity, conflict of interest and superior preferences can affect the decision (Bame- Aldred et al., 2013;Christopher et al., 2009;Fraser & Lindsay, 2004;Hoos et al., 2015;Norman et al., 2010;Schneider, 2009). In the presence of such difficulties, the CAE may follow the preference-based pathway and ignore the application of the rule. It is predictable that the CAE weighs the information provided by the entity as very low and bases his final decision on his perception. Therefore, the decision of to whom he/she should report is made by ignoring previous judgment or information signals. Personal interest, the absence of relevant and reliable information and time pressure can be important factors that encourage the CAE to follow a preference-based ethical pathway (P D in Figure 4) over a rule-based pathway (P J D). Moeller (2004) claimed that CAEs may split their time between assisting the AC, management and external auditors, which creates time constraint problems (Moeller, 2004). In this pathway, the CAEs with expert knowledge typically prove more beneficial in solving an ethical problem that requires a great deal of experience, but they do not necessarily follow rules or principles when solving such ethical dilemmas. In other words, if CAEs have a good understanding of the work issues, they are more likely to identify control weaknesses or areas for improvement in addition to needing less time to perform a specific task (Havelka & Merhout, 2013).

Literature tied to the principle-based ethical pathway (I J D)
A principle-based pathway is one way of responding to the CAEs' values, attitudes, and beliefs. Principles tend to be more general than rules, which motivate individuals to create more rules in written form (Rodgers, 2009). They follow what they think is right, aiming to maximize the utility for all. They order information to make their decision according to the greatest good for the greatest number of people. Figure 5 illustrates that this ethical pathway is controlled by information signals (I J D) because this type of decision is a consequential decision based on the substance of the transaction. This viewpoint advocates that correct action is one that promotes subjective well-being.
The choice of this pathway can be viewed in light of the study by Arnold, Dorminey, Neidermeyer, and Neidermeyer (2013), which compared three sectors of internal and external auditors in order to examine the mediation effect that social consensus and the magnitude of consequences has on the decision path. They found decision paths to be influenced by the expected consequences. The case of WorldCom is the best example of this pathway. When the treatment of line costs as capital expenditures were discovered by WorldCom's internal auditor, Cynthia Cooper, she discussed the misclassification with the CFO and the controller, after which she reported the matter to the head of the AC (Lyke & Jickling, 2002). The strong information signal guided the internal auditor to do what she thought was right and would satisfy all parties. The principle-based ethical pathway is practical when dealing with an issue that is not specifically addressed by the rules. Moreover, a generalizable format can operate better in unstable or changing environments. However, a CAE's values, attitudes or beliefs might not be applied on a consistent basis, thereby causing reporting issues or asset production problems. Table 1 summarizes the strengths and weaknesses of internal audit reporting lines in terms of the preference-based (ethical egoism), rule-based (deontology) and principlebased (utilitarianism) pathways.

Conclusion
The role that internal auditors play in evaluating dual reporting lines is essential for facilitating organization independence. However, fairly inconsistent findings across some recent studies have suggested that the issue needs to be investigated further. We found meaningful opportunities to extend the literature related to CAEs' reporting lines by examining the ethical pathways of the CAEs' reporting decision, which can play a substantial role in evaluating internal auditors' objectivity and independence. Our paper seeks to provide a clear explanation of the basic components that support the three primary ethical pathways in order to understand the interrelationships between different factors that can influence the ethical position of the CAEs' reporting decision.
Implementing the Ethical Process Thinking Model was found to be useful for studying the CAEs' reporting lines. Specifically, it helped to identify the ethical pathways of the CAEs' reporting lines through revealing how perception and information, directly and indirectly, affect the reporting decision. It shifts the focus from the importance of internal audit reporting lines to the issue of the reporting decision in order to provide an explanation of the complex situation of internal audit reporting line in reality. Because of this, it was possible to demonstrate the strengths and weaknesses of the three primary ethical pathways. First, in the preference-based ethical pathway (ethical egoism), CAEs with expert knowledge typically prove more beneficial in solving an ethical problem that requires a great deal of experience, but they do not necessarily follow rules or principles when solving such ethical dilemmas. Second, the rule-based ethical pathway (deontology) reinforces the idea of making consistent decisions, which may occur more regularly when the same rules are implemented without bias. However, there may be times when the rules do not support the substance of the accounting transaction. Finally, the principle-based ethical pathway (utilitarianism) is practical when an issue exists that the rules do not specifically address. It is controlled by the information signals and the substance of the transaction. Moreover, it tends to be more general than rule-based, and its generalizable format can operate better in unstable or changing environments. However, a CAE's values, attitudes or beliefs might not be applied on a consistent basis, thereby causing reporting issues or asset production problems.
Hopefully, our presentation of three dominant ethical pathways (preference, rule, and principle) can provide the accounting and auditing profession with useful procedures for dealing with the very important issue of corporate governance. Each organization has its legal system and its conditions, which have an effect on the available information and There may be times when the rules do not support the substance of the accounting transaction.
A CAE's values, attitudes or beliefs might not be applied on a consistent basis, thereby causing reporting issues or asset production problems.
individuals' perceptions. Accordingly, individuals' different perception and judgment, as well as information signals can lead to different reporting lines (decisions). We believe that such a framework is a useful start for researchers to analyse and debate the effect that format internal audit reporting lines have on an organization's well-being.

Practical implications
The results of this study advance the literature by providing a clearer picture for practitioners, researchers and regulators to facilitate independence and objectivity requirements. Our results also speak to the need for regulators to consider the effect on the CAEs' ethical decision making pathways. In addition, organizations' appropriate governance authorities oversee the work of internal auditors; our results suggest that these authorities should consider the nature of IAF environment (e.g. IAF activities) that address the objective of their organization and eliminate any expected bias or conflict of interest that may influence CAEs' actions (i.e. decision making).
The findings of this study complement our understanding of how reporting relationships work, which is useful to inform external auditors' reliance decisions by using the work of internal auditors, or using them for direct assistance.

Study Limitation and Future Research
In summary, our paper is subject to possible limitations. For instance, we only considered the primary ethical pathways. However, according to Rodgers and Gago (2001), there are six dominant ethical pathways. Future research should examine all the six ethical pathways for internal audit reporting lines. We provide an empirical example in the Appendix A, which examines the ethical pathways of CAEs' reporting relationships with the appropriate authority and the interactions between their perceptions, judgements and decision choices. In addition, the example investigates the interactions between the CAE's assessment pertaining to internal audit technical expertise and the activities of internal audit in terms of governance review with the extent of using information technology tools and techniques. Our findings also highlight the need for empirical examination of different factors (e.g. environmental support, competency and ethical considerations) that can influence CAEs' reporting decisions, as understanding these relationships would assist researchers in improving IAF's ability to fulfil its charge. In addition, further investigation of the influence that different boundaries such as knowledge, geographical and cultural have on the CAEs' reporting lines decision is called for in the profession. Finally, future research should also focus on how organizations adapt to formal and informal institutional changes and regulatory shifts. For instance, studying the difference between developing and developed countries could reveal important implications (Alzeban & Gwilliam, 2014;Parker, 2011), and more tests could be utilized based on experimental and case studies (Christ et al., 2015).

Introduction
This empirical example examines the ethical pathways of the Chief Audit Executives' (CAEs) reporting relationships with the appropriate authority and the interactions between their perceptions and decision choices. Further, it explores the interactions between the CAE's assessment regarding internal audit technical expertise and the activities of internal audit in terms of governance review with the extent of using information technology tools and techniques. Ethical pathways are built upon by a simultaneous analysis to examine the relationships among the investigated factors, which provides a better understanding of dealing with governance review issues and effective reporting relationships. A worldwide survey administered by the Institute of Internal Auditors Research Foundation is used to conduct our tests.
The lack of empirical evidence about the effect of corporate governance on the strength of the IAF in general (Desai, Roberts, & Srivastava, 2010) and reporting relationships in particular, requires more investigation (Lenz & Hahn, 2015). According to Abbott et al. (2016), it has been suggested that future research should fully explore the relationship between the IAF and AC, in order to understand the determinants of the mix of IAF activities.
In this empirical example, we found a significant positive relation between CAEs' perception regarding the extent of internal audit activities related to governance review and the CAEs' reporting relationship with the appropriate governance authority. Examination shows the CAEs' perception and available information (e.g. technical expertise competency) are largely driven by their judgment (e.g. the extent of using IT tools and techniques), which influences their decision making pathway. However, Smart PLS simultaneous analysis results indicate that CAEs follow different decision-making pathways depending on the internal audit activities and characteristics.
From the aforementioned, our study supports prior research by offering a modelling perspective. That is, shifting the focus from the importance of internal audit reporting relationships to the inclusion of several stages leading to the reporting decision. Figure A1 shows the study framework. This model is built to examine the ethical pathways of the CAEs' reporting relationships. It represents CAEs' perception related to the extent of internal audit governance review activities (e.g. ethics, strategy and performance, compensation assessments, and environmental sustainability). A close relationship with the appropriate authority, such as those charged with governance 5 (e.g. the audit committee of the board), supports the independence and objectivity of the internal auditors (Abbott et al., 2016;Lin et al., 2011, Prawitt, Smith, & Wood, 2009).

Hypothesis development
In 2003, the IIA Research Foundation investigated the conflicts of internal audit reporting relationships before the implementation of the Sarbanes-Oxley Act (SOX-Act) of 2002 (United States Congress, 2002). They demonstrated that the IAFs' activities generally differ in importance as perceived by the AC and management (IIARF, 2003). This view has been supported by Abbott et al. (2016) who investigated the relationship between AC oversight variables (reporting lines, termination rights, and budgetary control) and the nature of IAF activities. They proposed the connection between the AC's oversight and an internal controls-oriented focus. They found a strong positive association between AC oversight and the IAF budget allocated toward internal control activities (Abbott et al., 2016).
The importance of IAF as a mechanism for corporate governance has increased. DeZoort and Salterio (2001) showed that good communication between internal auditors and AC could improve corporate governance quality. In addition, the IAF is one of the four cornerstones of corporate governance. The head of the IAF should communicate with the AC about their progress (Gramling et al., 2004).

P D
H1. There is a relationship between CAEs' perceptions regarding the activities of governance review and their relationship with the appropriate authority.
Individuals' perceptions about the extent of IAF activities related to governance review differ. Not all of them have the ability to make a decision without analysing the situation. They refer to the judgment stage before making a decision. However, in the era of technology, the importance of using IT tools and techniques has grown with the increased reliance on IT for business operations and assurance (Stoel, Havelka, & Merhout, 2012). "Living in an information and communication technological environment requires ethical decision-making approaches that can assist us to arrive to better decisions" (Rodgers, 2009, p. 2). In the US, the SOX-Act (United States Congress 2002) requires the use of information systems to produce financial statements. This is a vital part of documenting and testing compliance with management's IT control objectives, as well as an integral part of IT governance. Adopting IT tools and techniques enhances control environment, reduces time pressure, and eliminates errors. Due to the significant role of internal audit and IT, the author considers how CAEs' judgment related to the extent of using IT tools and techniques influences the decision making pathway (e.g. CAEs' reporting relationship with the appropriate authority).

P J
H2. There is a relationship between CAEs' perceptions regarding the activities of governance review and the extent of using IT tools and techniques.
The selection of quality internal auditors is important to enable organizations to maintain external and internal legitimacy and integrity of their systems, operations, and business processes. Objectivity and competence may be viewed as a continuum, but a high level of competence cannot compensate for lack of objectivity and the opposite is also true. Competency shows the general level of capability of the IAF; in other words, whether experienced leadership, staff and resources are available. According to the IIA's Global Internal Audit Competency Framework (IIA, 2013b), these Figure A1. Study framework.
three elements are related to each other and represent the technical expertise. General levels of technical expertise may comprise technical skills and knowledge (Havelka & Merhout, 2013). Technical expertise measures the competency of governance, risk and control appropriate to the organization, the competency of applying the IPPF and the competency of maintaining expertise on the business environment, industry practices and specific organization factors (IIA, 2013b). Competent IAF is expected to use IT tools and techniques more, in order to activate and speed analysis process before making a decision.

I J
H3. There is a relationship between the CAEs' assessment of technical expertise and the extent of using IT tools and techniques.
As discussed previously, not all CAEs have the same knowledge and ability to make a decision without considering analysis stage, which needs time and effort. It is rational to expect that some CAEs are concerned about the consequences of their decisions. For example, it has been found that the adoption of whistleblowing law and the awareness of employees reduce the prevalence of corporate fraud by increasing the probability that corporate malfeasance is detected and punished (Cordis & Lambert, 2017). For that reason, the CAEs weight the current situation of their IAF and the influence of performed activities before making a reporting decision. However, the IAF looks at technology as a way to improve the analysis process and productivity. Technology can help automate activities, such as risk assessment, planning and scheduling, and monitor and track audit remediation and follow up. The extent of using IT tools and techniques is an essential part of the IAF to succeed in its evolving mandate. IT tools and techniques can help the CAEs to decide better and faster. Studies reveal that IT tools and techniques support decision makers faced with difficult decisions (Bohanec, 2009). This enables the auditor to weight and compare decision choices and criteria across alternatives ).

J D
H4. There is a relationship between the extent of using IT tools and techniques and CAEs' relationship with the appropriate authority.

Methodology and model specification
The study framework ( Figure A1) shows the process by which an individual's decision choice is made. Building on this model, we can highlight the relationship between the CAE and the appropriate authority within a corporate governance context, which enables us to clarify the ethical pathway of the CAE. Information 6 in our study refers to non-financial information pertaining to the reality of how the entity (IAF) functions. We use technical expertise as information to represent the competence of the IAF and evaluate the current situation of IAF. The outcome of the information processing is the CAE's assessment of IAF services. Making an assessment is in many ways similar to making a decision as it involves cognitive processing, retrieving information and activating perception and judgment. Perception concerns the heuristics of framing effects (Kahneman, 2003). It refers to framing the decision making process. Individuals' perceptions "simply implement positions that are likely to gain the favour of those to whom they are accountable" (Rodgers, 2006, p. 11). In our study perception refers to the outlining of the CAEs' knowledge (how they view the nature of internal audit activities related to the issue of governance review). Consequently, both perception and available information affect judgment, resulting in part from the influence on individuals of their experience, qualification, morale, and organization environment. The judgment includes the process CAEs implement to analyse the current situation of internal audit (technical expertise), as well as the influences from the perception stage (the extent of IT cybersecurity activities). Judgment in our study refers to the extent of using IT tools and techniques.

EXHIBIT 4. Survey Questions Related to the CAEs' Decision
Reporting relationship with the appropriate authority (1 = Lowest authority (other); 2 = Low Authority (CFO, Vice president of finance); 3 = Middle authority (CEO, president, head of Government agency); 4 = High authority (AC, or equivalent); 5 = Highest Authority (Board of directors)).

Statement
Authority level DEC1: What is the primary functional reporting line for the CAE? 1 2 3 4 5 DEC2: Who makes the final decision for appointing the CAE? 1 2 3 4 5 DEC3: Who is ultimately responsible for evaluating the performance of the CAE? 1 2 3 4 5

PLS-SEM results
The smart-PLS simultaneous analysis allows us to interpret how the CAEs integrated the information about the competency of IAF, which may be driven by their perception of internal audit activities. Table A1 shows the result of path coefficients for the total sample (2235 CAEs). Overall, the CAEs follow different decision-making pathways depending on the internal audit competency, activities and the extent of using technology tools. The model results seem to be consistent with the researcher's assumptions (i.e. hypotheses 1-4). Significant pathways and correlations are described in Figure A2. CAEs' perception about the extent of governance review have direct impact on their reporting relationships (decision stage)  Figure A2. Significant paths and correlations coefficients. Effect *significant at p < 0.1; **significant at p < 0.05; and ***significant at p < 0.01. Bidirectional arrows are comparable to correlation coefficients (r); unidirectional arrows are similar to regression coefficients (β).
In addition, technical expertise competency has direct impact on the judgment stage (i.e. H3: β3 = 0.214, p < 0.01). That is, there is a relationship between IAF technical competency and the extent of using IT tools and techniques, which influences the CAEs reporting decision (I J D).
Finally, Table A2 shows the results of indirect effects of information and perception on the decision stage in model A and model B. In addition, Table A3 shows the result of the total effect for each pathway. It can be seen that in both models, both indirect and total effect are significant, with p-value < 0.01 & 0.05.

Discussion and conclusion
This study examines the ethical pathway of CAEs' reporting relationships with the appropriate governance authority as example of the assumptions that have been made in the main conceptual paper above. It was found that the CAEs' perception about the extent of governance review activities have direct impact on their reporting relationships. This direct relationship represents the preferencebased ethical pathway (P D). This finding may be interpreted in the light of the argument of Norman et al. (2010) that the requirement of internal audit reporting to the audit committee of the board is not a wise solution to independence and objectivity threats, as it raises an ethical consideration, as the quality of audit reports might vary. It seems that some CAEs make decisions according to their perception by ignoring the rule (do not report the full result to the board), and the available information (real risk assessment). In this case, the authors assume that CAEs may have negative intentions, or do not understand (or dismiss) the rules.
However, in other cases, CAEs employ investigatory and analytical tools to diagnose the cause of problems. In addition, the IAFs' activities generally differ in importance as perceived by the AC and management (IIARF, 2003). Consequently, individuals' perceptions about the extent of IAF activities related to governance review differ, and not all of them have the ability to decide without analysing the situation. These factors, as well as differing environmental conditions, lead some CAEs to refer to the judgment stage before deciding.
It has been found that there is a direct positive relationship between the CAEs' perception and the CAEs' judgment stage, as well as a direct positive relationship between the extent of using IT tools and techniques and the reporting decision. This represents the indirect relationship between the CAEs' perception and decision through their judgment, which can be explained by the lens of a rule-based ethical pathway (P J D). Given all the studies supporting dual reporting  lines (e.g. Holt, 2012;James, 2003), one may assume that the CAEs are highly qualified to apply the standard of organization independence. These studies assume there are no difficulties or ethical matters that might influence CAEs' or others' interests. In such a case, CAEs may adopt the rule-based pathway, in which the decision is non-consequential, and the rule implemented regardless of the substance of the transaction. Information is not required because the regulations are well known by the CAE in the entity. In other words, the CAEs' reporting relationship regulations (e.g. standards, charter and the code of ethics) are captured in their "perception stage" when deciding. The rule-based ethical pathway reinforces the idea of making consistent decisions, which may occur more regularly when the same rules are implemented without bias. However, there may be times when the rules do not support the substance of the accounting transaction, as the stress from following the rules is considered to be a major obstacle to achieving organizations' objectives. The decision makers may look at the consequence of their decisions and ignore their perceptions. They refer to the principle-based ethical pathway and follow what they think is beneficial for the greatest number of people affected by the situation.
This study found a direct positive relationship between technical expertise and the judgment stage, as well as a direct positive relationship between the extent of using IT tools and techniques and reporting decision. These relationships represent the principle-based ethical pathway (I J D). A principle-based ethical pathway can be followed by CAEs who have personal standards and values. The choice of this pathway can be viewed in the light of the study by Arnold et al. (2013), which compared three sectors of internal and external auditors to examine the mediation effect of social consensus and magnitude of consequences of the decision path. They found that the decision paths are influenced by the expected consequences of the decision. The principle-based ethical pathway is practical when a situation exists whereby rules do not specifically address the issue. Moreover, it may operate better in unstable or changing environments. However, a CAE's values, attitudes or beliefs may not be applied on a consistent basis, thereby causing reporting issues or assets production problems.
In summary, the implementation of the Ethical Process Thinking Model was found to be useful to study the CAEs' reporting relationships. It helped to identify the ethical pathways of the CAEs' reporting relationships through the direct and indirect relationships between internal audit activities, technical expertise and reporting decision.