Internal Control and Audit Program Effectiveness: Empirical Evidence from Jordan

This article examines the relationship between some components of the internal control system (i.e. risk assessment, control environment and control activities) and the effectiveness of the audit program in Jordan. Based on 43 usable questionnaires, the results of the study show that risk assessment does contribute significantly toward an effective audit program. On the other hand, the results of the analysis indicate that control environment and control activities do not contribute significantly toward an effective audit program. These results give an indication that Jordanian companies lack the necessary experience to deal with the current tools of internal control evaluation. Some applications and recommendations are suggested for both the management of companies and external auditors.


Introduction
Auditors generally assess and evaluate the quality of the internal control system of the intended company to determine and plan the extent and process of audit work (Gaumnitz, Nunamaker, Surdick & Thomas, 1982). Thus, the Generally Accepted Auditing Standards (GAAS), in the second field work standard, emphasise the necessity of evaluating the quality of internal control by the external auditor and obtaining a sufficient understanding of the entity and its internal control environment before the audit process (Mautz & Mini, 1966). Jordan follows GAAS and the Interim Law of Jordanian Association of Certified Public Accountants (JACPA) No. 73 of 2003, along with other laws which arrange and govern the audit profession in Jordan. However, internal control has many interrelated components, including control environment, risk assessment, control activities, communication and monitoring (Karagiorgos, Drogalas & Giovanis, 2011; Li & Wei, 2008; Takahiro & Jia, 2012; Wang, 2010). For example, a study by Rahahleh (2011) found that internal control in Jordanian public organisations suffers from many problems. These include, for example, a lack of qualified employees, absence of the main components of internal control systems, inability to use the necessary technical tools in internal control and a lack of specialised professional employees. Another study conducted in Jordan by Abdullah and Al-Araj (2011) focused mainly on two approaches to auditing, namely the traditional audit approaches and the business risk audit approach. The study investigated the main weaknesses of the traditional approaches and the challenges facing the adoption of the business risk audit approach. The results indicated that Jordanian auditors are still using the traditional approaches to auditing and ignore the business risk audit approach for many reasons. This, however, indicates that the audit profession in Jordan faces many challenges in adopting the current auditing perspectives.
Accordingly, the current study investigates the effect of the main components of the internal control system on the effectiveness of the audit program. However, the relationship between internal control quality and audit program effectiveness was neglected in prior research, especially in developing countries. In particular, some studies investigated the relationship between internal control quality and the performance of audit (e.g. Karagiorgos et al., 2011) and between internal control evaluation and audit program modification (e.g. Mautz & Mini, 1966). Other studies investigated the relationship between audit program structure and audit performance (e.g. McDaniel, 1990). Consequently, the current study tries to shed some light on the relationship between the different components of the internal control system and audit program effectiveness. This, however, will bridge the gap in the previous studies and will contribute to the knowledge in the field, especially in developing countries which lack these types of studies. Accordingly, the current study aims to answer the following research question: Do the different components of the internal control system contribute significantly to the effectiveness of the audit program in Jordan?
To answer the research question, a quantitative approach was adopted in this study. Based on the responses of external Jordanian auditors, the results of the study indicated that risk assessment is the only internal control system component that contributes significantly toward an effective audit program.
The remainder of the paper is organized as follows. Section two gives an overview of the audit profession in Jordan. Section three presents the relevant literature on the subject and the hypotheses to be tested. Section four describes the data collection process, study variables and statistical techniques adopted. Section five discusses the study findings. Section six concludes the study.

Audit Profession in Jordan
The development of the accounting profession in Jordan has played a considerable role in the development of the audit profession. Thus, it can be argued that the audit profession is relatively new in Jordan. However, several pieces of legislation have worked together to organize the audit profession in Jordan. For example, Jordanian Companies Law No. 22 of 1997 and its amendments put much emphasis in its different articles on the audit profession in Jordan. For example, it organized the process of electing the licensed auditors and how to determine their fees. It also obligated companies to present the comparative annual financial statements accompanied by their clarifications, all certified by licensed auditors. Jordanian Companies Law No. 22 of 1997 and its amendments also asked companies to keep their accounts in accordance with the recognized international accounting and auditing standards. More importantly, the law determined in detail the auditors' duties in monitoring, revising and auditing the operations of the company and its internal control system in accordance with recognized auditing rules, auditing profession principles and scientific and technical standards. The Interim Income Tax Law No. 28 of 2009 and the Interim General Sales Tax Law No. 29 of 2009 have obligated the taxpayer to keep all the books and records necessary to determine the tax liability amount. Tax laws accept only those statements that are prepared in accordance with international accounting standards and audited and certified by a licensed auditor. However, although the Interim Law of Jordanian Association of Certified Public Accountants (JACPA) No. 73 of 2003 is an important step toward regulating and organizing the audit profession in Jordan, it needs some amendments to be in line with new developments in the business market. For example, it gives low emphasis to some important issues such as independence of auditors (Rahman & Waly, 2004).
Accordingly, JACPA needs to investigate and review all the legal articles that govern the audit profession in Jordan in any Jordanian law, and must then accomplish all the necessary amendments and additions.

Internal Control and Audit Program Effectiveness
Internal control has different meanings. That is, it is difficult to give only one optimal definition of internal control. This is because it can be explained and seen from different perspectives (Cristina, Mariana & Cristina, 2010). However, internal control is defined as a process, affected by the actions of the board of directors and other organizational structure levels in the firm, designed to provide reasonable assurance toward achieving the firm's objectives, plans and strategies under the related laws, rules, policies and regulations (Domnişoru & Vînătoru, 2008; Li & Wei, 2008). Recently, big companies have increasingly started to include detailed management reports on the effectiveness and efficiency of internal control systems in their annual corporate reports as an indicator of good corporate governance practice (Leng & Li, 2011; Saha & Arifuzzaman, 2011). However, the evaluation of the internal control system is based mainly on assessment of the internal quality control of the intended company on three main levels, including appropriate internal control, insufficient internal control and deficient internal control (Calotă & Iana, 2009). The effectiveness of a company's internal control system is generally recognized as a prerequisite to the auditing process, as it is considered the major determinant of the selection, timing, and the extent to which auditing procedures should be applied or restricted (Terrell, 1974). However, according to Xiao (2011), firms may incorporate many procedures to enhance and develop their internal control systems. These include, for example, dividing responsibilities, creating internal audit divisions, using efficient electronic information tools and giving more attention to their employees' skills by involving them in periodic training courses and seminars.
Accordingly, internal control systems have many aspects that need to be assessed before starting the auditing procedures, in that their evaluation involves the joint evaluation of the reliability and credibility of all evidence collected on the various strengths and weaknesses of different aspects of the internal control system and then the preparation of a rigorous audit program based on the result of such evaluation (Weber, 1978). Thus, it appears that internal control evaluation is a prerequisite of audit program planning, which is the prerequisite of the audit process itself. In this context, Joyce (1976) argued early that external auditors collect, evaluate, and combine information in formulating an opinion about the fairness and credibility of different financial statements by exercising professional judgment in determining the type and extent of information to collect and test using well-prepared audit programs. Accordingly, the audit planning process involves preparing audit programs after evaluating the internal control structure, reliability and risk (Murphy & Brown, 1992). This, however, means that the external auditor must evaluate internal control as part of the audit examination (Abdel-khalik, Snowball & Wragge, 1983).
www.ccsenet.org/ibr International Business Research Vol. 5, No. 9
However, the audit program represents all the details of audit work necessary to achieve a professional job under different situations of internal control (Mautz & Mini, 1966; Terrell, 1974). A broad set of regulations focused on the importance of the audit planning stage and proposed many details in this regard. For example, SAS No. 47 emphasises the audit planning stage in that the auditor should consider materiality in determining how much evidence is needed to evaluate the financial statements during the audit process. This, however, helps auditors to achieve all the necessary work in an effective way to meet the needs of financial statement users and to comply with audit professional standards (Read, Mitchell & Akresh, 1987). SAS No. 82 gives more emphasis to risk assessment, as one of the audit control components, as it provides specific indicators of high fraud risk and guidance to auditors on how to assess fraud risks and to modify their audit plans according to the results of the evaluation of these risks (Glover, Prawitt, Schultz & Zimbelman, 2003). The results of Glover et al. (2003) indicated that the audit planning stage has shown greater sensitivity to fraud risk since the introduction of SAS No. 82. In particular, the findings indicated that post-SAS No. 82 auditors are more conscious of the need to modify audit plans and are more likely to increase the extent and quantity of their audit tests when compared with pre-SAS No. 82 auditors (see also Hoffman, 1997). However, SAS No. 99 has focused on many audit program planning issues, especially those related to risks. It requires the auditor to gather and fully assess all the information needed to fully identify risks of material misstatement due to fraud, to assess and evaluate these risks after taking into account an evaluation of the entity's audit program and internal control, and to respond and build on the results (Ramos, 2003).
Most of the previous studies in auditing have focused on internal control without connecting it to audit program. Thus, the current study will investigate the related relevant studies for the current topic.
For example, Tabor (1983) focused on two main issues in auditing. These include the reliability of internal control and the subsequent audit program planning decision. In general, the result of the study shows some degree of consensus among respondents at the preliminary audit program stage and a significant difference at the audit program revision stage. These results indicated that the audit procedure, the related tasks of audit and experience may influence the consensus. Abdel-khalik et al. (1983) assessed the effect of some internal audit variables (i.e. integrated test facility, test data, generalized audit software, the level to which the internal auditing department reports and the internal auditor's level of responsibility in reviewing changes in application programs) on the judgments made by external auditors in planning audit programs. The findings revealed that the administrative level to which the head of the internal auditing department reports and the level of the organizational independence of the internal auditing staff were the most important factors that affect the judgments made by external auditors in planning audit programs. Quadackers, Mock and Maijoor (1996) assessed the relationship between audit risk, as one of the internal control components, and audit program planning details. The results indicated that there is much variation in audit risk aspects between clients and among the audit risk aspects per client. The study also indicated that, to some degree, there is risk variation over time. Audit programs differ substantially between clients over time. However, the results of the study indicated that, in addition to risk, some other factors such as time pressure, budget constraints and changes in the audit team may affect audit program planning. Asare and Wright (2004) examined the impact of different types of risk assessment (i.e. standard risk checklist versus no checklist) and program development (i.e. standard program versus no program) tools on two perspectives of fraud planning effectiveness, namely the quality of audit procedures relative to a benchmark validated by a panel of experts, and the propensity to consult fraud experts. In the study, 69 auditors made risk assessments and developed an audit program. Findings from the study indicated that auditors who used a standard risk checklist as structured by SAS No. 82 made lower risk assessments in comparison with those without a checklist. That is, the use of the checklist was associated with a less effective detection of the fraud. Results also indicated that auditors with a standard audit program designed a relatively less effective fraud program than those without a standard audit program but were not interested in using fraud experts. Over two years of audit, a study by Mock and Turner (2005) investigated the actual fraud risk assessments and their effects on audit programs of audit clients of three large audit firms following the issuance of SAS No. 82. Study findings indicated that the number and type of fraud risk factors identified vary according to clients, industries, and fraud risk categories. Furthermore, for 20 percent of year one and 31 percent of year two audits examined, the results showed that auditors modified the nature and extent of audit procedures, assigned more experienced audit team members to the audit, or added or deleted audit procedures. Both correlation analysis and a multivariate model showed that the decision to modify the planned audit program in response to the fraud risk assessment was influenced significantly by the identification and documentation of fraud risk factors as required by SAS No. 82 at the audit planning stage and the subsequent stages.
Multivariate analysis results indicated that the audit team's decisions concerning extent, staffing, and adding or deleting procedures were statistically related to the number and type of documented fraud risks and to overall client risk. This study, however, proved that risk assessment is a critical factor in determining the components of the audit program and the time and extent of audit procedures. The results of Kizirian, Mayhew and Sneathen (2005) supported the importance of assessing management integrity in audit planning and client misstatement discovery. Fukukawa, Mock and Wright (2006) examined whether the adjustment of audit planning (i.e. nature, extent, timing and staffing) is influenced by risk assessment, using archival data from 235 clients of an audit firm in Japan. In general, the results of the study revealed only some relationship between client risks and the audit planning process. In particular, the results indicated that although audit planning is based on the nature of assessments of many audit risk variables, the associations between client risks and audit plans are rather modest. The findings also indicated that client risks that comprise business risk and fraud risk affect audit planning to some extent. Finally, the results suggested a substitution effect between audit planning judgments in response to a risky client, such as increasing the extent of validity tests while decreasing the extent of confirmations. A study by Johnstone, Li and Rupley (2011) revealed a positive association between disclosure of internal control material weaknesses (ICMWs) and subsequent turnover of members of boards of directors, audit committees, and top management. That is, the results revealed a positive association between remediation of ICMWs and both turnover of audit committee members and improvements in the characteristics of boards of directors, audit committees, and top management.
In addition, the results indicated that improvements in the audit committee characteristics are most strongly associated with the remediation of ICMWs relating to control activities. Finally, results provided evidence that changes in corporate governance characteristics occur concurrently with the remediation of ICMWs.
With respect to Jordan, a study by Rahahleh (2011) focused on the different authorities that hinder the adoption of internal control systems in public funds in Jordan. The study also tried to outline the main problems and obstacles that may limit the effective adoption of internal control in Jordan. The study also suggested some solutions to the outlined problems. Results of the study revealed that internal control faces many problems in Jordan, related mainly to the limited number of skilful employees, the absence of the main internal control components and the absence of ethical rules and performance measures of internal control. The study suggested that the Jordanian government should activate the role of the Audit Bureau to supervise and control the different components of the internal control system in Jordan. Another Jordanian study (Abdullah & Al-Araj, 2011) gave more emphasis to the business risk audit approach. The result of the study revealed that Jordanian companies are still using the traditional approach to auditing, which has many limitations that result in an unfair opinion. The study outlined the main benefits, procedures and prerequisites for adopting the business risk audit approach. Among the benefits are lower audit costs and time, greater harmony with International Standards on Auditing (ISAs), a better control environment and the ability to assess all the related risks. Thus, adoption of this approach contributes strongly toward enhancing the internal control of Jordanian companies. The main procedures of adopting the business risk audit approach are to give more attention to the clients' activities and environment, to identify the main factors of risk and to assess the internal control.
The main prerequisites for adopting the business risk audit approach are to create the relevant atmosphere in the company environment by getting good knowledge about all the legislation that controls and governs the audit profession in Jordan, preparing the employees to deal with this new approach in the context of Jordan and developing an effective audit program. Some of these recommendations are consistent with that of Khasharmeh (2009), who found that Jordanian auditors should have good computer skills to evaluate and assess the internal control system.
As stated previously, there is no particular study that investigated directly the relationship between internal control quality and audit program effectiveness, especially in developing countries. This study therefore argues that the relationship between the different components of internal control and audit program effectiveness is positive. This is because a strong internal control system is an important prerequisite for an effective audit program, as outlined in the above-mentioned prior studies. Accordingly, it can be hypothesized that:

H1: There is a positive relationship between control environment, as a component of internal control system, and audit program effectiveness.
H2: There is a positive relationship between risk assessment, as a component of internal control system, and audit program effectiveness.
H3: There is a positive relationship between control activities, as a component of internal control system, and audit program effectiveness.

Sample and Data
The questionnaire of this study was directed to a sample of licensed practicing auditors in Jordan. In particular, 102 questionnaires were distributed, with 45 questionnaires collected, including 43 usable questionnaires. This yields a response rate of 42%, which is very good. However, the study instrument was tested and edited many times before distribution. The respondents were invited to participate in the study through a covering letter attached to the first page of the questionnaire explaining the main purpose of the study. The questionnaire has three main sections with closed-ended questions. The last page of the questionnaire includes a general question that asks respondents to make any necessary comment or suggestion. A five-point Likert scale was used in this study as it is very simple and clearer than other scales. Table 1 shows the main characteristics of the study respondents. To achieve the objective of the current study, nine items were adapted from previous studies (Johnstone et al., 2011; Karagiorgos et al., 2011) to measure the internal control quality. However, these items represent three components of internal quality, namely control environment, risk assessment and control activities. With respect to the dependent variable, audit program effectiveness, four items were adapted from McDaniel (1990) to measure it. However, reliability analysis was performed on all the study variables. However, Table 2 shows the descriptive statistics for the main items that were used to measure the control environment. Table 3 shows the descriptive statistics for the second independent variable, namely risk assessment, and Table 4 describes the control activities variable. With respect to the dependent variable, Table 5 shows the descriptive statistics for the four items that were used to measure the variable. Table 6 shows the descriptive analysis and reliability test result of the study variables.
In particular, the result of reliability analysis indicates that all the study factors are reliable with satisfactory Cronbach alpha values of 0.817 for control environment factor, 0.820 for risk assessment, 0.846 for control activities and 0.858 for the dependent factor of the study (Hair et al., 2006).

Results and Discussion
To achieve the objective of the current study and to test the related hypotheses, two tests were performed, namely Pearson's correlation analysis and multiple regression analysis. However, Pearson's correlation analysis is fundamental to multiple regression analysis and was performed to assess the nature and direction of the relationship between the dependent variable and independent variables, as well as the nature of the relationship between all the study's variables. Table 7 shows the Pearson correlation matrix for both the dependent variable and the independent variables. The results show that control environment is not significantly correlated (r = 0.235, p > 0.01) with the dependent variable, namely audit program effectiveness. On the other hand, the results show a strong significant correlation (r = 0.674, p < 0.01) between risk assessment and audit program effectiveness. Similarly, the results indicate a significant correlation (r = 0.406, p < 0.01) between control activities and audit program effectiveness. However, Table 7 shows that the correlation matrix results do not have high correlation values and therefore avoid the problem of multicollinearity (Hair et al., 2006). Although correlation analysis is very simple and subject to many limitations (Pallant, 2001), its results reported in Table 7 give us the basis to further investigate the relationship between the independent variables and the dependent variable through the following multiple regression. The result of the multiple regression as shown in Table 8 indicates that the relationship between control environment, as one of the internal control system components, and audit program effectiveness is not significant (Beta = -0.183, t-value = -1.268, p = 0.212). Accordingly, H1, which stated that there is a positive relationship between control environment, as a component of internal control system, and audit program effectiveness, was not supported at the 0.05 significance level.
The justification of this result is built on the idea that most companies in Jordan do not actually apply, for example, the segregation of duties in their work as required. They do not have an organisational structure, for example, to provide the framework within which the duties are identified. This, however, is true for other aspects of control environment. Accordingly, the different perspectives of control environment do not contribute significantly toward an effective audit program in Jordan.
On the other hand, H2, which stated that there is a positive relationship between risk assessment, as a component of internal control system, and audit program effectiveness, is supported at the 0.05 significance level (Beta = 0.848, t-value = 4.967, p = 0.000). This result indicates that risk assessment contributes significantly toward an effective audit program. One supportive study by Quadackers, Mock and Maijoor (1996) assessed the relationship between audit risk and audit program details. The results indicated that there is material variation in audit risk factors between clients and among the audit risk factors per client. However, the result of the current study is consistent with that of Mock and Turner (2005), which indicated that the decision to modify the audit program was influenced significantly by the results of fraud risk assessment as required by SAS No. 82. In addition, a study by Blokdijk, Drieenhuizen, Simunic, and Stein (2006) found that Big 5 auditors allocated relatively more effort to risk factors assessment than non-Big 5 auditors, which produced a higher audit quality level. Furthermore, this result is consistent, to a considerable extent, with that of Fukukawa, Mock and Wright (2006), which indicated that client risks that comprise business risk and fraud risk affect audit planning to some extent. Apart from a limited number of studies (e.g. Mock & Wright, 1999), most of the previous studies in the field support the current study result, which indicates that risk assessment is an important prerequisite stage to the auditing procedure itself.
Finally, the result of the analysis does not support the existence of a positive relationship between control activities and audit program effectiveness. Thus, H3, which stated that there is a positive relationship between control activities, as a component of internal control system, and audit program effectiveness, is fully rejected (Beta = -0.100, t-value = -0.578, p = 0.567). The justification of this result is built on the argument that the internal control systems in Jordanian companies are impaired and lack the current scientific tools, as most of these companies depend on old procedures in evaluating their internal control systems. This result is supported by the findings of Rahahleh (2011), who found that the internal control systems in Jordanian public organisations, for example, suffer from many limitations and obstacles, especially the technical ones. This, however, is a shared responsibility of companies' management and both internal and external auditors to enhance the tools used in testing and evaluating the different systems of internal control.

Summary and Conclusion
The main aim of the current study is to assess whether the different components of the internal control system contribute significantly toward the effectiveness of the audit program in Jordan. To achieve this objective, forty-three well-designed questionnaires were analyzed based on the Jordanian licensed practicing auditors' responses.
Three hypotheses were developed and tested empirically. The result of the study indicated that only one of the three components of the internal control system used in the current study, namely risk assessment, contributes significantly toward an effective audit program. With respect to the control environment and control activities, the result of the analysis indicated that they do not contribute significantly toward an effective audit program. These results indicate that Jordanian companies face many obstacles in applying an effective internal control system and that they direct their efforts to investigating the risks that they might face. These results also indicate that Jordanian companies lack the necessary experience to deal with the current technical tools of internal control evaluation. Accordingly, academics, managers and auditors are responsible for this deficiency. Shared training courses, research and seminars are required in internal control systems. Companies in Jordan are responsible for the effectiveness of internal control systems. Accordingly, qualified and well-educated employees are necessary requirements to develop the internal control system, which is the critical prerequisite for the auditing process as a whole.
The current study contributes significantly toward developing the internal control systems in Jordan and other developing countries which have few studies in this field. The study sheds some light on the main factors (R² = 0.488) that may affect the audit program planning. In addition, the study contributes to the knowledge in this area. Despite these features and applications, the current study has some limitations. The current study used a cross-sectional design, which has many limitations. The small sample is the second limitation of the current study. Accordingly, future studies may follow a longitudinal approach to overcome the limitations of the current study and may incorporate the other components of the internal control system. Another opportunity for future research will be to assess the effect of the different components of internal control on the subsequent adjustments of the audit program in Jordan and other developing countries. Future research may outline the obstacles that face the internal control systems in Jordan and suggest alternative tools for adopting the different procedures of the internal control system. In addition, future studies may assess the role of internal auditors in ensuring the quality of internal audition and how this joint relationship may affect the audit program.