1 Introduction

From our personal life, many of us might recognize the situation in which we observe that someone near is pursuing a risky course of action that might turn from bad to worse. Parents might see their beloved ones entering an undesirable path such as excessive alcohol consumption, drunk driving, drug abuse, or other dangerous habits that are risky to themselves or others. In such situations, people are often influenced by whether their peers (e.g., friends, teammates, etc.) would exhibit similar risky behavior or not, and whether the risky behavior would meet the social norms that are shared across those peers.

When people pursue a risky path, it can be challenging to get their attention and convince them to no longer continue this risky course of action. It may not be enough just to warn them and advise them of what they ought to do. It may also be helpful for the person to know what their peers would do in similar circumstances. Nudging people’s behavior by providing them with purely descriptive information about what their peers would do in similar circumstances (i.e., a descriptive norm) has been documented in the literature. For example, descriptive norms have been shown to be effective in promoting environmentally sustainable behaviors (Lapinski et al., 2007; Goldstein et al., 2008; Schultz et al., 2008), reducing behaviors that are associated with health risks (Lapinski et al., 2013; Mollen et al., 2013), and reducing citizens’ risky behaviors regarding tax-payments (Wenzel, 2005a, b).

The challenge to effectively bring a message to stop someone else’s risky behavior not only applies to people’s personal lives and the risks that individuals take, but also applies to business risks. Our study builds on the idea of nudging with descriptive norms to stop risky courses of action in a business context. Specifically, we investigate whether internal auditors can use descriptive norms to nudge managers into stopping runaway IS projects. Runaway IS projects can have devastating effects on organizations and have been studied as behavioral entrapment to continue a risky course of action (Keil & Robey, 1999; Keil et al., 2000).

Our study contributes to the discourse regarding corporate governance in general and internal audit specifically. Academic research has suggested that internal auditors play an important role in corporate governance (Gramling et al., 2004; Sarens & De Beelde, 2006; Paape, 2007). Further, from a practice perspective, the need for an effective internal audit function that serves corporate governance has been acknowledged across multiple countries (e.g., IODSA, 2016; MCCG, 2022; FRC, 2024). Finally, the important role that internal auditors play in corporate governance has been described in professional guidelines from the global internal audit profession (IIA, 2018; IIA, 2024). Internal auditors are role-prescribed to observe and report whether risky courses of action could bring harm to the organization and its stakeholders (Sarens & De Beelde, 2006; Sarens et al., 2009; Eulerich et al., 2019). Internal audit research suggests that internal auditors often find that managers turn a deaf ear to their risk warnings, a phenomenon that is referred to as the ‘deaf effect’ in internal audit research (Lenz & Hahn, 2015; Nuijten et al., 2019). The occurrence of the deaf effect is regarded as detrimental to internal audit effectiveness (Lenz & Hahn, 2015), and therefore research is warranted to advance our understanding of how internal auditors can more effectively bring their message and reduce the deaf effect. This aligns with the recently submitted 2024 Global Internal Audit Standards that highlight the need for internal auditors to communicate effectively (IIA, 2024; Principle 11) and to achieve this, internal auditors should: (1) apply effective communication techniques (standard 11.2), and (2) take into account relationships they maintain with stakeholders, including managers as well (standard 11.1). Our study sheds light on how internal auditors can reduce the deaf effect. Following a mixed method approach, we combine a quantitative perspective with a qualitative perspective. Following a quantitative approach, we conducted a series of two experiments in which we empirically tested whether nudging with a descriptive norm (as a communication technique) and the auditor-manager relationship (i.e., whether the auditor is perceived as a trusted partner or an opponent) can influence the deaf effect and whether ‘perceived social norm’ serves as a mediating mechanism. Following a qualitative approach, we conducted a series of complementary interviews with Chief Audit Executives to further enrich our insights in how internal auditors could apply ‘nudging with a descriptive norm’ as a communication technique, and what should be considered, including the auditor-manager relationship.

While our paper is mainly aimed at contributing to the discourse on internal audit effectiveness, we also contribute to the literature on runaway IS projects by investigating the effect of a novel intervention to reduce the deaf effect in such projects. Furthermore, our study contributes to the literature on socials norms and nudging by applying the notion of ‘what your peers would do’ to a business context involving risk warnings issued by auditors to managers.

2 Literature review and theory base

Our study builds upon and contributes to three bodies of knowledge: (1) literature on internal audit effectiveness and the deaf effect, (2) literature on the deaf effect in the context of information systems (IS) projects, and (3) literature on nudging. We build upon these three bodies of knowledge by drawing on the theory base of nudging with a descriptive norm as explained below.

2.1 Internal audit effectiveness and the deaf effect

The growing body of literature on internal audit effectiveness advances our understanding of how auditors can improve the contributions they make to their organizations (Arena & Azzone, 2009; Alzeban & Gwilliam, 2014; Dal Mas & Barac, 2018; Kotb et al., 2020). Internal audit effectiveness can be understood from either a supply-side perspective or a demand-side perspective (Lenz & Hahn, 2015).

Following the demand-side perspective, internal audit effectiveness is understood from the expectations that stakeholders within the organization can have of the internal audit function (Sarens & De Beelde, 2006; Sarens et al., 2009; Messier et al., 2011; Soh & Martinov-Bennie, 2011; Lenz, 2013; Erasmus & Coetzee, 2018; Eulerich et al., 2019).

The supply-side perspective, which is the approach we take in this paper, describes effectiveness from the auditors’ perspective. Prior research in this area has investigated the organizational conditions and the skills that auditors find important to fulfil their role (Van Peursem, 2005; Pforsich et al., 2008; Mihret et al., 2010) and how such skills could be developed (Plant & Slippers, 2015; Barac et al., 2021; Coetzee & Du Plessis, 2021). In this stream of literature, internal auditors, mostly Chief Audit Executives (CAEs), describe how they assess their effectiveness. The factors considered to be important in shaping audit effectiveness include: the role of the CAE, the skills and competencies of internal auditors, organizational politics and culture, support from senior management, and the impact of the board, directly or through the audit committee (Lenz & Hahn, 2015). The supply-side perspective also highlights the need for auditors to build and maintain good relationships with their stakeholders, which are defined to be the audit committee (Goodwin, 2003; Arena & Azzone, 2009; Davies, 2009), C-level executives (Gramling et al., 2004; Sarens & De Beelde, 2006; Christopher et al., 2009), and managers or auditees (Dittenhofer, 2001; Arena & Azzone, 2009; D’Onza & Sarens, 2018). Our study is amongst the few that focus attention on the relationship between internal auditors and managers.

While Lenz and Hahn (2015) emphasized the need for research that examines moments of discomfort and conflict that auditors encounter, specifically calling for further research on the deaf effect (i.e., when managers turn a deaf ear to risk warnings issued by auditors), very few studies in the field of internal auditing have addressed this topic. Based on interviews with Chief Audit Executives, Nuijten et al. (2019) examined eleven deaf effect situations. More specifically, they identified a range of actions that internal auditors took to overcome a deaf effect situation and they examined how the auditor-manager relationship (AMR) unfolded until the deaf effect was eventually resolved. They found that the actions that auditors take, are both a cause and an effect of whether the manager and the auditor see themselves as either partners or opponents in terms of their relationship.

Without explicitly referring to the deaf effect or to the discourse on internal audit effectiveness, a recent study by Brown and Fanning (2019), examined persuasion techniques that internal auditors could follow to bring their message to the attention of business managers in the domain of financial reporting. In their experiment they present two different approaches that internal auditors can take to bring their message to managers: a ‘participative approach’ (also referred to as ‘coach’) versus a ‘traditional approach’ (also referred to as ‘police officer’). For internal auditors who follow a participative approach, managers’ agreement with the auditor’s advice increases when the auditor provides a favor compared to when the auditor does not provide a favor. In contrast, they find that for internal auditors who follow a traditional approach, managers’ agreement with the auditor’s advice decreases when the auditor provides a favor compared to when the auditor does not provide a favor.

Brown and Fanning (2019) suggest that future research could also investigate different types of persuasion techniques that internal auditors could use to make their recommendations more persuasive to managers, such as informational social influence (Cialdini, 1984) and how they influence manager behavior. Following this call for further research, in our study we build on the prior work of Nuijten et al. (2016) and examine how both AMR and nudging with a descriptive norm can shape perceived social norms, thereby helping internal auditors to become more persuasive in bringing their message to managers’ attention. More specifically, we test the idea that internal auditors could follow a combined approach in bringing their message to managers. First, they can add a descriptive norm to the message and tell what the manager’s peers would do in this situation. This approach is consistent with Cialdini (1984) and Cialdini and Goldstein (2004) who also used messages containing descriptive norms that describe what others do, or the behaviors they engage in. Second, internal auditors can develop a relationship with the manager such that the auditor is viewed as a ‘partner’ rather than an ‘opponent when they communicate the message to the manager. We elaborate the idea that both elements can shape the manager’s perception of a social norm. Social norms are the accepted standards of behavior of social groups (Cialdini, 1984; Cialdini & Goldstein, 2004). In the context of our study, social norms refer to whether it is found acceptable to push further a risky course of action or not.

2.2 The deaf effect in the context of information systems (IS) projects

Information systems researchers Keil and Robey (1999, p. 82) coined the phrase deaf effect in 1999, defining it as a situation in which actors in positions of authority “turn a deaf ear to signs of trouble.” In this and a subsequent article (Keil & Robey, 2001) they provide specific examples of the deaf effect in IS projects based on interviews with both internal and external auditors who spoke of their frustration in blowing the whistle on a troubled project only to find that their risk warnings were ignored (or worse, caused them to be fired from their job).

Following the initial field-based observations of the deaf effect reported by Keil and Robey (1999, 2001), several researchers (Cuellar et al., 2006; Cuellar, 2009; Nuijten, 2012; Lee et al., 2014) began to conduct scenario-based laboratory experiments to investigate the factors that influence the deaf effect in IS projects. In these experiments, internal auditors were portrayed as messengers and business managers were portrayed as message recipients. These studies examined characteristics of the messenger (Cuellar et al., 2006; Lee et al., 2014), characteristics of the recipient (Lee et al., 2014; Nuijten et al., 2016), as well as how the message was framed in terms of gains versus losses (Nuijten et al., 2016). Furthermore, Nuijten et al. (2016) examined how the auditor-manager relationship (AMR) could influence the deaf effect in IS projects.Footnote 1 The internal auditor and manager were portrayed either as partners (inspired by stewardship theory, in which relationships are based on principles of trust and goal alignment) or opponents (inspired by agency theory in which relationships are based on principles of distrust and goal incongruence). Nuijten et al. (2016) found that when an internal auditor is seen as a collaborative partner, managers will be less likely to turn a deaf ear to risk warnings issued by the auditor. The rationale behind this is that decision makers are more likely to be responsive to risk warnings when the auditor has the clear goal of contributing to management performance rather than exposing management failures.

In this study, we build upon prior research on the deaf effect and AMR by examining a different approach that internal auditors could follow to present their message. Specifically, we focus on how two factors—nudging with a descriptive norm and AMR—indirectly influence the deaf effect through perceived social norms. Of course, the deaf effect for messages that are issued by internal auditors is relevant beyond the context of IS projects. As noted earlier, research on the deaf effect could also contribute to the discourse on internal audit effectiveness (Lenz & Hahn, 2015).

2.3 Nudging

Behavioral economists have introduced the idea that nudging can be an effective means of eliciting desired behavior without exercising strong forms of control or forcing compliance (Thaler & Sunstein, 2009). These ideas have recently been applied to the context of auditor decisions and our study is not the first to examine the use of nudges in the domain of auditing. In an eye-tracking experiment that involved 12 undergraduate students in auditing, Gajewski et al. (2022) examined whether nudges in the user interface of a financial reporting system could influence subjects’ visual attention to audit evidence indicative of aggressive reporting. Further, in an experiment with 48 experienced auditors, Nolder et al. (2022) investigated whether using skeptical language to frame a firm’s accounting estimate decision could be an effective nudge. They found some support for the notion that such a nudge could elicit a higher level of professional skepticism in auditors performing a complex audit task.

While prior studies have thus begun to examine how auditors could be nudged, our research examines how internal auditors themselves could effectively apply a specific nudge to reduce the deaf effect. Our study is the first to apply the concept of nudging with a descriptive norm in a business context involving the deaf effect.

In the deaf effect context, the concept of nudging relates to the auditor-manager relationship in the sense that nudging occurs within the context of that relationship. In this study, we develop a research model that brings together nudging and AMR. The rationale for combining these two constructs is that both nudging and AMR may reduce the deaf effect by influencing perceived social norms. Both the packaging of the message (i.e., whether it includes a descriptive norm) and the nature of the auditor-manager relationship (i.e., whether the auditor is perceived as a trusted partner or an opponent) can affect how a message is perceived. Thus, a descriptive norm that is provided as an integral part of the message may guide managers towards choices that are desired from an organizational perspective. Further, whether such messages come from allies or partners, rather than opponents, can shape the manager’s perception of the social norm that is being communicated.

While prior research has advanced our understanding of the deaf effect, the effect of nudging with a descriptive norm has not been examined in this context. This gap in our understanding is an important one to explore because nudging with a descriptive norm represents an intervention that would be easy to implement in practice and there are good theoretical reasons to believe that it could reduce the deaf effect.

One of the most effective ways to nudge is through social influence (Thaler & Sunstein, 2009). For example, it has been shown that the behavior of peers affects productivity and tax compliance in field settings (Tayler & Bloomfield, 2011). Similarly, Mas and Moretti (2009) found that cashiers in a retail setting became more productive when a highly productive worker was introduced into their shift. Examples like these clearly show that the social influence of peers can be significant.

The cumulative findings from prior research on normative social influence show that the actions of other people have a powerful effect on both behavioral intentions and actual behavior (Sherif, 1936; Deutsch & Gerard, 1955; Cialdini et al., 1990; Cialdini & Goldstein, 2004; Jacobson et al., 2011). Many norms-based interventions appear to have an influence on human behavior (e.g., Cialdini et al., 1990, 1991; Cialdini, 2005; Schultz et al., 2007; Griskevicius et al., 2008) and numerous studies can be found on the effect of a descriptive norm in the areas of sociology, psychology and behavioral research. Research has shown that communicating a descriptive norm (i.e., how most people behave in a given situation) induces conformity to the communicated behavior (Schultz, 1999; Griskevicius et al., 2006; Nolan et al., 2008).

Thaler and Sunstein (2009) further explain the use of a descriptive norm in nudging and its positive effects on eliciting desired behavior. They recount numerous examples in which individuals can be nudged to behave in a certain way simply by informing them about what other people are doing. One example of this is the online promotion of organ donation in the state of Illinois where their website brings the power of social norms into play by plainly stating: “87% of adults in Illinois feel that registering as an organ donor is the right thing to do” (Thaler & Sunstein, 2009, p. 184). Such nudges work because we generally like to do what most other people consider to be the right thing to do in a given situation.

A descriptive norm can serve as a decisional shortcut for behavior (Cialdini et al., 1990). Such norms are thought to influence behavior because they provide information about the right way to act in certain situations (Cialdini, 1984; Cialdini & Goldstein, 2004; Jacobson et al., 2011). For example, Goldstein et al. (2008) examined how hotel guests behave when a card has been placed on the bathroom towel rack asking them to reuse their towels. In a field experiment, they tried to increase towel reuse by testing the effect of putting different messages on the card. One of the messages included the appeal “JOIN YOUR FELLOW GUESTS IN HELPING TO SAVE THE ENVIRONMENT,” and emphasized that the majority of hotel guests reuse their towels. This message proved to be much more effective than messages without a descriptive norm such as “HELP SAVE THE ENVIROMENT.” Similar results were also obtained by other researchers, for example, by Schultz et al. (2008) (in their towel re-use experiment in hotel rooms), Lapinski et al. (2013) (for the effects of a descriptive norm on hand washing), Maloney et al. (2013) (for the effects of a descriptive norm on voting behavior), and Lapinski et al. (2007) (for the effects of a descriptive norm on water conservation attitudes and behavior).

Mollen et al. (2013), examined the influence of a descriptive norm on food choices by conducting a field experiment in an on-campus food court. Effects of different messages on students’ food choice were compared against each other and a no-message control condition. They found that a healthy descriptive norm message resulted in healthier choices as compared with the no norm control condition. Similarly, in an experiment with 1,200 Australian citizens, Wenzel (2005a, b) found that simply informing taxpayers of the high rate of compliance increased compliance levels.

While the effectiveness of nudging with a descriptive norm has been examined in extant literature, our study is the first to assess how it applies in a business context, more specifically in the context of AMR, where the messenger (auditor) and the recipient (manager) can have a relationship as partners or as opponents.

3 Research model and hypotheses

3.1 Influence of a descriptive norm in the internal auditor’s message on the manager’s perceived social norm and the deaf effect

Much of the prior work on nudging with descriptive norms has examined how people behave in response to nudges that occur outside of any particular organizational context. For nudging to be a useful tool in a business context involving internal auditors, however, it is important to determine whether nudges that managers receive from an auditor can be effective and whether this is affected by the nature of the auditor-manager relationship. Toward this end, we examine the effect of a descriptive norm that internal auditors can deliver along with their risk warnings to determine if this can influence managers’ decisions.

Prior work has suggested that a descriptive norm can influence behavior by reinforcing perceived social norms. In this study, we explore this mediating mechanism by measuring the effect of an internal auditor’s message containing a descriptive norm on the social norms that are perceived by managers who received the internal auditor’s message. We posit that nudging the manager through a descriptive norm in the internal auditor’s message can indirectly influence the manager’s deaf effect to risk warnings by altering the manager’s perceived social norm. Specifically, we posit that a manager will be more likely to perceive that his/her peers would stop and no longer continue a risky course of action, when he/she receives an auditor’s risk warning that states that the manager’s peers would stop the risky course of action (i.e. the message contains a descriptive norm). Furthermore, we posit that a manager who perceives that his/her peers would stop and no longer continue a risky course of action, would be likely to stop the risky course of action. Thus, we state the following mediation hypothesis:

H1).An internal auditor’s message containing a descriptive norm will influence how a manager reacts to a risk warning. Specifically, an internal auditor’s message containing a descriptive norm will positively influence a manager’s perceived social norm thereby reducing the deaf effect.

3.2 Influence of internal Auditor – Manager Relationship on the manager’s perceived social norm and the deaf effect

In deaf effect situations, messengers report risk warning messages to decision makers who have the choice to listen to these messages and take corrective action or to not listen and continue the project as planned (Nuijten et al., 2016). In our domain of interest, the auditor plays the role of the messenger who delivers a risk warning and the manager (in our case, the project owner and decision maker) must decide whether or not to act on the risk warning. Nuijten et al. (2016) differentiate between an auditor-manager relationship (AMR) in which the auditor is seen as a partner and one in which the auditor is seen as an opponent. In their study, Nuijten et al. (2016) found that managers are more likely to heed the auditor’s risk warning and discontinue the course of action when the auditor is considered to be a partner instead of an opponent.

Cialdini and Goldstein (2004) posited that when making choices, people look at those who are similar to them. Based on the idea that people are most influenced by similar others, we posit that the auditor-manager relationship (partner vs. opponent) will impact perceived social norms. Specifically, we theorize that when the auditor is viewed as a partner (i.e., who has goals that are aligned with the manager) rather than an opponent (who has goals that are not aligned with the manager) the message is more likely to be perceived as a social norm.

In a study along these lines, Berger and Rand (2008) show that a descriptive norm can actually decrease (rather than increase) compliance when the descriptive norm is associated with an undesirable group. Extrapolating from this finding, we theorize that it is important to consider the source of the message and how the target recipient views the source. Prior work has shown that decision makers are more receptive to a risk warning when it comes from an internal auditor who is perceived as a partner rather than an opponent (Nuijten et al., 2016).

Specifically, we posit that a manager will be more likely to perceive that his/her peers would stop and no longer continue a risky course of action, when he/she receives a risk warning from an internal auditor that the manager sees as a partner (versus an opponent). In that case he/she might consider the auditor to be part of his own social group, sharing the same social norm to stop the risky course of action. Furthermore, we posit that a manager who perceives that his/her peers would stop and no longer continue a risky course of action, would be likely to stop the risky course of action. Based on the above theorizing, we offer the following mediation hypothesis:

H2).The nature of the auditor-manager relationship (partner or opponent) will influence how a manager reacts to an internal auditor’s message containing a risk warning. Specifically, a message received from an internal auditor who is seen as a partner will be perceived more as a social norm, thereby reducing the deaf effect.

Based on our literature review and theorizing, we developed the research model shown in Fig. 1 which we test in this study. As shown in the model, our dependent variable is a manager’s willingness to continue a troubled project, which serves as a proxy for the deaf effect, as it provides an indication of the degree to which the auditor’s risk warning and recommendation to redirect the project influences the decision-maker. We posit that perceived social norms will influence the deaf effect and that both AMR (i.e., whether the internal auditor is seen as a partner or an opponent) and whether or not the message delivered by the auditor contains a descriptive norm will indirectly influence the deaf effect through perceived social norms.

In our model, gender, work experience, and risk propensity are included as control variables based on prior work by Cuellar et al. (2006) revealing that the deaf effect can be influenced by both gender and work experience, as well as prior work by Lee et al. (2014) showing that risk propensity can also influence the deaf effect. While these studies revealed that gender, work experience and risk propensity can influence the deaf effect, we are not aware of any studies that included these variables in a business context that involved auditor messages including descriptive norms. Thus, in our study we adopted the control variables of the Cuellar et al. (2006) and Lee et al. (2014) studies in our experiments.

Fig. 1
figure 1

Research model

4 Method

To test our model, we conducted a mixed method study which involved two scenario-based laboratory experiments as well as qualitative interviews with Chief Audit Executives. We conducted our primary experiment with managers using a 2 × 2 factorial design in which we manipulated the risk warning message of the internal auditor (by including or not including nudging with a descriptive norm) and the auditor-manager relationship (AMR) (partner vs. opponent). We conducted a second experiment with students as a robustness check, and then validated and explored our results further by conducting interviews with 10 Chief Audit Executives.

4.1 Participants

Our participants for the primary experiment consisted of 88 U.S. managers recruited from the Qualtrics subject pool. These managers had an average age of 37.7 years (standard deviation of 9.5 years), an average work experience of 18.1 years (standard deviation of 9.8 years), and an average of 7.4 years of experience working with IS projects (standard deviation of 6.0 years). 47% were male and 53% were female. Responses were only added to our dataset after they met two basic criteria: (1) respondents had confirmed that they were native English speakers, and (2) respondents exceeded a minimum time threshold that was established for completing the experiment, so that we could be assured that they took the task seriously.

The second experiment, which was conducted as a robustness check, involved 170 undergraduate students who were enrolled in Accounting and Information Systems courses at two Belgian Universities. The students had an average age of 23.6 years (standard deviation of 4.2 years) and an average work experience of 1.5 years. 75% of the students were Europeans and the majority were Belgian citizens. 63% were male and 37% were female.

4.2 Scenario and treatments

In our scenario we asked the participants to consider themselves to be the project owner of an information system project within an insurance company. The scenario used in this experiment was based on one used by Nuijten et al. (2016) and involves a situation in which the subject (playing the role of a project owner) is informed that Mr. Johnson from the Internal Audit department has recently found serious problems with the project and advises that the project should be redirected (i.e., not continue as planned).

Consistent with prior studies in behavioral economics that have used similar treatments (e.g., Goldstein et al., 2008; Kredentser et al., 2012), we created the following message for our descriptive norm treatment: “Mr. Johnson informed you that MOST of your PEER COLLEAGUES Project Owners within THIS company REDIRECT the project under these circumstances. Subsequently, Mr. Johnson advised you to JOIN YOUR FELLOW PEERS and REDIRECT the project LIKE YOUR PEERS DO.” As a control, we crafted the following message that did not include a descriptive norm: Mr. Johnson advised you to REDIRECT the project.

We independently manipulated the auditor-manager relationship (AMR) to be either partner or opponent (Nuijten et al., 2016). For the partner treatment, we stated: “Mr. Johnson (the Internal Auditor) has a long history of working COLLABORATIVELY with IS project teams with the goal of helping to identify and manage project risks, thus enabling project owners to be successful. He is seen by the project management as adding value to the process. Thus, Mr. Johnson is treated as a TRUSTED PARTNER to management.” For the opponent treatment, we stated: “Mr. Johnson (the Internal Auditor) has a long history of working AGAINST IS project teams with the goal of exposing project failings, thus embarrassing project owners. He is seen as a policeman who does not add any value to the development process. Thus, Mr. Johnson is treated as an OPPONENT WHO IS NOT TO BE TRUSTED.” The complete scenario and manipulations can be found in Appendix 1.

4.3 Constructs and measures

Our independent variables were manipulated and treated as dichotomous variables. The presence or absence of a descriptive norm in the message was captured in the variable MDN (1 = Message including a descriptive norm; 0 = Message without a descriptive norm). Auditor-manager Relationship was captured in the variable AMR (1 = partner; 0 = opponent). The perceived social norm, which served as the mediator variable PSN in our model, was measured using a four-item scale developed for this study. Our dependent variable was the decision to continue a troubled information system project (Continue) despite the auditor’s risk warning and recommendation to redirect the project. We assessed this construct using a single well-established measurement item (Nuijten et al., 2016).

Consistent with prior studies (Keil et al., 2000; Cuellar et al., 2006), risk propensity (RiskProp) was measured using four items adapted from Sitkin and Weingart (1995). Appendix 1 shows all the construct measures that were employed. All analyses were done in Stata.

5 Results

5.1 Primary experiment (managers)

First, we conducted manipulation checks to ensure that our treatments were effective. The descriptive norm manipulation check consisted of a single item, MDNmc, which was used to assess whether subjects noticed and were able to recall whether or not the scenario contained a descriptive norm (i.e., whether the auditor Mr. Johnson mentioned how peers would behave in the situation as described in the scenario).

Table 1 shows the mean values of MDNmc for each of the four treatment conditions in Experiment 1. As indicated, the treatment with a descriptive norm resulted in higher MDNmc values for the treatment groups with a descriptive norm and lower MDNmc values for the treatment groups without a descriptive norm.

Table 1 Mean values for MDNmc by treatment condition

In order to test the effectiveness of our manipulation to portray the internal auditor as a partner or as an opponent, we adopted a manipulation check for AMR from Nuijten et al. (2016). Using a 3-item scale (see AMRmc under the measures section of Appendix 1) we computed a composite score.

Table 2 presents the mean values of AMRmc for each of the four treatment conditions. As indicated, the AMRmc values are lower for the opponent treatment groups and higher for the collaborative partner treatment groups.

Table 2 Mean values for AMRmc by treatment condition

To confirm these results, two separate two-way ANOVAs with interaction were conducted; one using MDNmc as the dependent variable and one using AMRmc as the dependent variable. The results of these ANOVAs, shown in Tables 3 and 4, confirmed that each manipulation was effective. Further, no significant interaction effect between AMR and MDN were detected.

Table 3 Factorial ANOVA results on MDNmc
Table 4 Factorial ANOVA results on AMRmc

Based on these manipulation checks we assessed that the manipulations were effective.

5.1.1 Measurement model assessment

For testing our research model, we chose Partial Least Squares (PLS) analysis. By using PLS we could assess both the measurement model and structural model together (Gefen et al., 2000, 2011).

Before testing our structural model, we determined the validity of our measurement model through four tests of convergent and discriminant validity as described by Fornell and Larcker (1981) and by Chin (1998).

First, we assessed individual item reliability by examining the item-to-construct loadings for each construct that was measured with multiple indicators. According to Hair et al. (2010) factor loading estimates should be higher than 0.5, as then the shared variance between each item and its associated construct exceeds the error variance. As shown in Table 5, all loadings exceeded the threshold of 0.5, and all exceeded the more conservative threshold of 0.7.

Second, we investigated the construct reliability for each block of measures (i.e., the internal consistency reliability). Table 5 reports the Cronbach’s alpha, the Dillon-Goldstein’s coefficients (ρC) and the Dijkstra-Henseler’s ρA (rho_A) values. In order to establish adequate reliability, these values should exceed 0.7. Table 5 shows that the Dijkstra-Henseler’s ρA, Dillon-Goldstein’s ρC and Cronbach’s α all exceed this value.

Third, we assessed the level of correlation of multiple indicators of the same construct. Fornell and Larcker (1981) view Average Variance Extracted (AVE) as a measure of construct reliability. The guideline threshold for AVE is 0.5, which means that 50% or more of the variance of the indicators is accounted for (Chin, 1998). As Table 5 indicates, the AVE values in our model exceeded the 0.5 threshold.

Table 5 Validity of measurement model

Fourth, we examined whether our latent variables are statistically different from one another, by computing the heterotrait-monotrait ratio of correlations (HTMT). The HTMT ratio should be lower than 1 and preferably under 0.85 in order to establish discriminant validity. Table 6 shows that all ratios are well below this conservative upper bound of 0.85, thus providing good evidence of discriminant validity.

Table 6 Heterotrait-Monotrait ratio of correlations

5.1.2 Structural model assessment

Having an adequate measurement model in place, we tested our hypotheses by examining the structural model. Results of our analysis can be seen in Fig. 2, with more detailed information provided in Tables 7 and 8. Given the directional nature of the hypotheses, we used one-tailed tests.

Fig. 2
figure 2

Structural model showing results from primary experiment (Managers) Footnote

Dashed lines refer to paths that are included in the model and tested but not formally hypothesized.

The explanatory power of a structural model can be evaluated by examining the R-squared value for the ultimate dependent variable. Table 7 shows that the explanatory power of our structural model is adequate with an R-squared of 0.495 for our dependent variable Continue. As shown in Fig. 2; Table 7, the Descriptive Norm (MDN) to Perceived Social Norm (PSN) path is significant (path coefficient of 0.281 and p = 0.001), the path from Auditor-manager Relationship (AMR) to Perceived Social Norm (PSN) is significant (path coefficient of 0.277 and p = 0.001), and the path from Perceived Social Norm (PSN) to Continue is significant (path coefficient of -0.243 and p = 0.000). The direct path from AMR to Continue is also significant (path coefficient of -0.242 and p = 0.002).

Table 7 Standardized path coefficients for experiment 1 (Managers)

As shown in Table 8, perceived social norm (PSN) was found to mediate the effects of both AMR and descriptive norm (MDN) on Continue. Thus, both H1 and H2 were supported.

Table 8 Indirect effects of structural model for experiment 1 (Managers)

5.2 Replication experiment (with students) serving as a robustness check

The second experiment, which was conducted with students, represents a replication of the primary experiment with managers and serves as a robustness check on our findings. The same manipulation checks and measurement model assessment were done in the second experiment. The manipulations were found to be effective, and the measurement model was comparable to the results obtained for the primary experiment. Since the purpose of the second study was just to determine if the results of the primary study could be replicated with a different sample of participants, for the sake of brevity we present only the structural model results.

5.2.1 Structural model assessment

Results of our analysis can be seen in Fig. 3, with more detailed information provided in Tables 9 and 10.

Fig. 3
figure 3

Structural model showing results from experiment 2 (Students)

Table 9 Standardized path coefficients for experiment 2 (Students)

Table 9 shows that the explanatory power of our structural model is adequate with an R-squared of 0.258 for our dependent variable Continue. As shown in Fig. 3; Table 9, the Descriptive Norm (MDN) to Perceived Social Norm (PSN) path is significant (path coefficient of 0.219 and p = 0.001), the path from Auditor-manager Relationship (AMR) to Perceived Social Norm (PSN) is significant (path coefficient of 0.297 and p < 0.001), and the path from Perceived Social Norm (PSN) to Continue is significant (path coefficient of -0.194 and p = 0.016). The direct path from AMR to Continue is also significant (path coefficient of -0.304 and p < 0.001).

As shown in Table 10, perceived social norm (PSN) was found to mediate the effects of both AMR and descriptive norm (MDN) on Continue. Thus, both H1 and H2 were supported.

Table 10 Indirect effects of structural model for experiment 2 (Students)

The fact that we were able to replicate the pattern of results obtained in the primary experiment (with managers) using a completely different pool of participants (students), serves as a robustness check on our findings.

5.3 Enriching the experiment results with insights from internal audit professionals

While the experiments allowed us to test individual relationships in a causal model, we acknowledge that our model is simplified and cannot include all factors that could be relevant in an actual business context in which internal auditors attempt to bring their message to management’s attention. Therefore, we conducted a series of 10 interviews with internal auditors to gain further insights.

5.3.1 Interviewee characteristics

We conducted interviews with ten Chief Audit Executives who have been in the position to bring their message to management’s attention regarding information systems projects. In Appendix 2 we present a table with the descriptive characteristics of our interviewees. All of our interviewees worked for large organizations in The Netherlands and Belgium (i.e., four financial institutions, one energy provider, two hospitals, one municipality, a railway provider, and one provider of internal audit services). The interviewees were recruited from the first author’s network of internal audit professionals, and they were selected for their experience as a Chief Audit Executive as well as their knowledge of internal audit standards and practices. All interviewees still are or have been active members of the executive board and committees of the Dutch Institute of Internal Auditing Chapter (IIA-NL). Two of our interviewees have chaired the IIA-NL chapter and one of our interviewees has been the vice chair of professional practices on the global executive board of the IIA. All our interviewees are or have been actively involved as lecturers in the IIA-accredited IAEP excellence programs for internal audit education in the Netherlands.

5.3.2 Interview process

Based on an interview protocol we asked the interviewees open-ended questions about their experiences with nudging business managers using a descriptive norm. More specifically, our interviews aimed to address two things: (1) the perceived effectiveness of nudging with a descriptive norm, and (2) views on nudging from professional and ethical perspectives. To address our first topic, we asked: ‘do you think that managers in a business context could effectively be nudged with a descriptive norm coming from the internal auditor as it worked in our experiments?’, ‘do you use nudging with a descriptive norm?’ and ‘what factors could influence the effectiveness?’. To address the second topic, we asked: ‘to what extent do you think that nudging could raise ethical or professional issues if it is applied by internal auditors?’, and ‘is it allowed for internal auditors to nudge?’. All interviews were conducted by two members of the research team. Due to the Covid-19 pandemic, all interviews were conducted on-line using MS-Teams. Interviews typically lasted between one hour and seventy-five minutes. All interviews were tape recorded and transcribed verbatim. Prior to recording anything, participants were assured that they would remain anonymous and that any information they shared would be treated as confidential.

5.3.3 Interview results

Interviewee responses were grouped as factors by the first author. The factors as well as which and how many interviewees had mentioned this factor are presented in Appendix 2, along with a summary of interviewee responses. To assess the reliability of the process and the table, an external academic reviewer (who was not involved in our study) performed a review. The appendix shows that in the last three interviews no new perspectives were added, thus providing evidence of saturation.

The interviews both supported and enriched the results of our experiments. Our interviewees confirmed that managers in a business context are influenced by what their peers do. Interestingly, many of our interviewees confirmed that they have actually applied a descriptive norm to bring their message to the manager’s attention more effectively. For example, one of the CAE’s (interviewee #1) said (quote translated from Dutch): “I always use examples about how others do things within the organization to influence the manager to whom I communicate the risk warning. And that works in most of the situations.” Referring to how others do things in the organization is also used by another CAE (interviewee #5) we interviewed who said (quote translated from Dutch): “When I define actions together with management about resolving audit issues I say, ‘this is the way it is done by others in the organization.”

We asked our interviewees to comment on how managers in real-life organizational settings would compare to the participants in our experiments in terms of their receptivity to being nudged with a descriptive norm (i.e., being informed what their peers would do). Several CAEs indicated that they thought managers in a real-life business context would be equally or even more strongly affected by information of what their peers do than participants in our experiments. For example, one of our interviewees (interviewee #8) explained that the managers within his bank consider themselves as a “team of peers” and that nobody wants to underperform compared to their peers or be the weakest link. The interviewee suggested that therefore managers in his bank would be more easily influenced by information about their peers’ behavior than participants in an experiment who do not face the same group pressure. Furthermore, other interviewees added that organizational incentives and career opportunities often trigger managers to compare their own performance to that of their peers. This can make managers be more susceptible to being influenced by a descriptive norm than participants in an experiment who don’t have such incentives. Interestingly, many of our interviewees mentioned that a descriptive norm in a highly competitive organization context could have the opposite of the intended effect, if managers see their peers as competitors (for example for promotion to a higher position in the organization). One of the interviewees (interviewee #9) explained this high-competition context by describing the Tour de France race in which cyclists climb the steepest mountain with the aim of being the first one to reach the top. He illustrated the effect of a descriptive norm in this situation as follows: “if you learn that your competitor would give up, that can highly motivate you to not give up and continue in an attempt to outperform and beat your competitor.” Two of our interviewees (interviewees #3 and #10) added another interesting perspective on how nudging with a descriptive norm could have the opposite of the intended effect. Both interviewees worked at organizations with “a very low maturity level” and a very low quality of IS project managers. In such a context, if the internal auditor used a descriptive norm to tell a manager what “his/her peers would do” then the very poor performance those peers would not convince someone to act according to his/her peers. Based on these insights, further research is needed to confirm that the type of nudging we employed in our experiments would be effective in actual organizational settings. Our interview data with the CAEs suggest that they can be, but that the efficacy may depend on the specific organizational context.

During the interviews we also questioned the CAEs about whether there were any differences in the effectiveness of nudging with a descriptive norm depending upon whether the internal auditor is seen by management as a collaborative partner or an opponent. The interview data supports what was observed in our experiments, in that nudging was seen as less effective and perhaps even counterproductive when it is used by an auditor who is viewed as an opponent. One of the interviewees (interviewee #1) stipulated that (quote translated from Dutch): “If you as a policeman [attempt to] influence others by comparing them to others who do things properly, then the nudging will not work and it may have the opposite effect.” Another CAE (interviewee #8) said (quote translated from Dutch): “In my organization an internal auditor who points out the mistakes that managers make will not be effective.”

In terms of the ethics of nudging with a descriptive norm and whether such behavior would violate professional standards, the CAEs we spoke with did not see any major ethical or professional obstacles to incorporate nudging in their communication toolbox as an internal auditor. As paraphrased from several of our interviewees, it is just part of the internal auditors’ communication to management to bring their message.

6 Discussion and implications

Before discussing the implications of our study, it is appropriate to consider the main findings and the limitations. The study’s two main findings are:

  1. (1)

    Nudging with a descriptive norm has an indirect influence on the deaf effect through perceived social norms.

  2. (2)

    The auditor-manager relationship has an indirect influence on the deaf effect through perceived social norms.

Specifically, we found that: (1) including a descriptive norm in the auditor’s message helps managers to perceive a social norm that reduces the deaf effect, and (2) when the internal auditor who delivers a risk warning is seen as a partner rather than an opponent, the manager also perceives such a message as a social norm that reduces the deaf effect.

Despite these results, our two experiments and the interviews also revealed that something seemingly simple and effective as nudging with a descriptive norm, might not turn out to be that simple when it is applied in complex organizational settings. More specifically, the use of a descriptive norm is not perceived by everyone as a social norm, so in some circumstances it could have unanticipated and undesirable effects. Our study revealed four considerations for internal auditors who want to successfully apply a descriptive norm of “what someone’s peers would do” to avoid the deaf effect.

First, the auditor-manager relationship determines whether the auditor’s advice to stop the risky course of action would be seen as coming from someone who is seen as a partner (vs. an opponent) and would be perceived as a social norm. In daily practice internal auditors may struggle to maintain such a relationship, and managers may not always see auditors as their partners when they feel criticized. Second, our interviews revealed that for a descriptive norm to be effective, it helps to keep the message simple, positive, action oriented and to leave room for choice.

Third, the manager’s personal characteristics should be considered. More specifically, the manager’s risk attitude and the years of working experience could influence the manager’s receptivity to the auditor’s message. Our interviews suggest that the use of a descriptive norm of what someone’s peers would do, would be most effective for more senior and risk-averse managers.

Fourth, organizational context is an important consideration in determining if descriptive norms in an auditor’s message will be effective. Specifically, descriptive norms are likely to be more effective in a cooperative organization culture in which peers are seen as belonging to the same group, as opposed to a competitive culture in which peers are seen as competitors or rivals to be beaten. Additionally, descriptive norms are likely to be more effective in a mature organization in which peers are seen as successful and a good example to be followed, rather than in an organization where peers are performing poorly and are not seen as good role models to follow. Finally, organization incentives (e.g., financial incentives) should be considered as they could influence the effectiveness of using descriptive norms.

6.1 Limitations

This research involved two laboratory experiments and some qualitative interviews to enrich the results obtained in the experiments. We believe that the mixed method approach involving both quantitative and qualitative data represents a strength. Having said that, there are limitations associated with the type of experiments we conducted (i.e., scenario-based laboratory experiments). While experiments allow the researcher to achieve high internal validity, this comes at some cost in terms of external validity. Experimental designs for studies such as ours should not be evaluated based on the degree to which they reflect actual organizational settings, but rather on whether they contribute to our ability to test causal relationships that extend our understanding of human decision making (Dobbins et al., 1988). To achieve a high level of internal validity our study took a necessarily narrow focus and involved a small number of variables to achieve a high degree of control. Hence, in our experimental approach we were unable to include all the complexities of real work situations. This trade-off of higher internal validity for lower external validity is common in laboratory experiments and should not be construed as a flaw, though it does represent a limitation. Thus, any generalization of the findings of this study to other settings should be done with caution. It is possible that the results would be different in other settings as there are other organizational and political factors that may also affect managers’ deaf effect responses to risk warnings. Thus, further research is needed to confirm that our findings would be effective in actual organizational settings.

While our first experiment involved the use of managers, who are familiar with business settings, we replicated our experiment with a dedicated group of student participants who enrolled in university courses in the specific domain of managing information systems projects. We found the same pattern of results, adding robustness to our findings.

Second, we further explored our results by conducting a series of interviews with practicing internal auditors and gained additional insight into some factors that could influence the effectiveness of nudging with descriptive norms for internal auditors to bring their message to management’s attention. In the context of our study, we did not further test these factors and therefore suggest that they could be included in future research.

Despite the above limitations, this study contributes to our understanding of how internal auditors may be able to reduce the deaf effect and thereby influence the trajectory of troubled IS projects by issuing risk warnings that contain a descriptive norm. This is the first empirical study that we are aware of that examines whether nudging with a descriptive norm may improve the effectiveness of the Internal Audit function with respect to the management of IS projects.

6.2 Implications for research

While prior research has noted the importance of the auditor-manager relationship (AMR) and how this can influence the deaf effect, it has not examined the role that perceived social norms can play in this area. The unique contribution of our work is that we shine a spotlight on the mediating role of perceived social norms and how these influence the deaf effect while also being influenced by both AMR and a descriptive norm included in the risk warning. By focusing on what the auditor can do to craft the message in a way that reduces the deaf effect, our research contributes to this discourse and addresses an important theoretical gap. Specifically, we introduce a novel research model that leverages the idea of nudging with a descriptive norm. Our study builds upon and significantly extends the work of Nuijten et al. (2016) by introducing the idea of nudging to the problem of the deaf effect, and we test how it is related to the social norm that managers perceive after they receive a message from an internal auditor who is seen as a partner versus an opponent. Furthermore, our study identifies additional factors that could further enrich the research model and provide opportunities for future research.

Ours is the first study to show that nudging with a descriptive norm may indirectly reduce the deaf effect response to an auditor’s risk warning. While prior literature has established that a descriptive norm can serve as an effective nudge, our study is the first to shed light on how such an approach may work in the context of the deaf effect.

While our study reveals that nudging can be effective in the short term, more research is needed to determine the long-term effects of nudging on internal auditor effectiveness. Since relationships such as the AMR can develop and change over time, additional research is warranted to determine whether nudging with a descriptive norm might impact the AMR over time.

Our study reveals several factors that could further enrich the model and we invite other researchers to test them in future studies. The results of our study point to organizational context factors (e.g., how competitive the culture is within an organization) and personal factors (e.g., risk propensity and work experience) that warrant further research, as they could shape the effectiveness of descriptive norms in nudging a manager’s behavior.

Further research is needed to explore the effect of other types of nudging on the deaf effect response to risk warnings. Another type of nudging, for example, might involve making things easy for managers by, for example, minimizing bureaucratic procedures or obstacles that could prevent them from taking appropriate actions to deal with risks. Another approach might be to change the character of project review meetings so that the default is that a project will not go forward in the presence of major risks that remain unaddressed. Conversely, if the situation can be structured in a way such that ignoring the auditor’s risk warning and pressing forward requires effort to justify, this will have the effect of nudging the manager in the desired direction. We hope that our work will encourage others to investigate additional types of nudging that could be effective in reducing the deaf effect.

Finally, while we examine how nudging can make auditors more effective in a very specific situation, we believe that our findings have implications for research on corporate governance more broadly, as internal auditors could potentially use nudging across a wide range of situations to improve the quality of corporate governance.

6.3 Practical implications

This study has important practical implications because it suggests that auditors can use techniques from behavioral economics (i.e., nudging) to indirectly reduce the deaf effect through perceived social norms. Unlike other factors which have been discussed in the deaf effect literature, nudging is a technique that can be quickly and easily applied. However, it can also have unanticipated effects if the nudges are not properly aligned with the organizational context. Therefore, internal auditors should be careful in when and how they apply nudging with a descriptive norm.

Translating the results of our study to the internal audit practice, offer the following advice to auditors:

  1. (1)

    The effectiveness of a risk warning message that is delivered by an internal auditor is not only determined by the quality of its content, but also depends on how the message is communicated,

  2. (2)

    Internal Auditors should be aware that communication techniques are part of the auditor’s toolbox and therefore cannot be ignored,

  3. (3)

    Embedding descriptive norms in the auditor’s message could be an effective nudge but should be used cautiously. In order to effectively use a descriptive norm in a risk warning, the internal auditor must consider whether assumed relational, message, organizational, and personal factors are conducive to this approach.

  4. (4)

    Nudging with a descriptive norm should not violate the auditor’s trustworthiness and credibility. Therefore, the message should not contain any false statements that could backfire.

Although our study focuses specifically on how internal auditors can be more effective in bringing a message to management when IS projects go awry, we believe that its relevance to practice is much broader than that. In today’s complex society, organizations – both public and private – face the challenge to act responsibly and remain alert to any risk behavior that could cause damage to the own organization, to its stakeholders and to society at large. Regulatory bodies promulgate corporate governance standards and now increasingly encourage organizations to implement proper structures to manage not only financial risks but include environmental and social risks as well. Our study relates to this broader development in two ways.

First, internal auditors play an important role in corporate governance with their focus on risks in general and behavioral risks specifically. This was illustrated at the European Corporate Governance Conference that was held in March 2024 and in which the chairman of the European Confederation of Internal Audit Associations stressed the need to incorporate risk behavior in corporate governance practices and highlighted the contribution that internal auditors can make to effective corporate governance. Of course, in order to fulfil this ambition, internal auditors need to communicate effectively when they observe and identify risk behavior that could cause damage. Our study aligns with the recently submitted 2024 Global Internal Audit Standards (IIA, 2024) that suggest that internal auditors can achieve this, by (1) applying effective communication techniques (standard 11.2), and (2) taking into account relationships they maintain with stakeholders, including managers as well (standard 11.1). Our study sheds light on how internal auditors can reduce the deaf effect, following an approach that combines these two factors.

Second, in the era of digitization, organizations seek to capitalize on the promises of information systems while managing the risks that are inherent to such systems. Therefore, successful information systems projects are crucial to most organizations. Furthermore, successful corporate governance could require solid enterprise risk management systems or ESG (environmental, social, and governance)-implementations that also heavily depend on information systems projects that must be implemented successfully. Therefore, our example of internal auditors who find a deaf ear for their risk warnings regarding a runaway information system project is highly relevant to the broader context of internal auditing and corporate governance as well.

In conclusion, we believe it is important for internal auditors to learn and understand how the presentation of a message beyond its content, can influence the effectiveness of the message. This suggests that proper training of internal auditors in communication technique could be beneficial and that under the right circumstances nudging could be used effectively and ethically. Such training would need to include how to apply a communication technique like nudging with a descriptive norm in daily practice, how to identify and recognize circumstances where it could be effectively used, and how to keep it consistent with the ethical and professional standards. To comply with professional standards, any information the internal auditor might provide in a nudge must be a fair and correct representation and must not harm the internal auditor’s credibility.

We hope that the results of our study will provide an avenue for internal auditors to deal with the problem of the deaf effect and thereby contribute to more effective corporate governance.