
International Journal of Auditing

Int. J. Audit. 13: 43–60 (2009)

Identifying Organizational Drivers of Internal Audit Effectiveness
Marika Arena and Giovanni Azzone
Politecnico di Milano, Italy

This study attempts to understand the organizational drivers of
internal audit effectiveness in the light of recent changes in the
mission of internal auditing and its central role in corporate
governance. On the basis of data from 153 Italian companies,
our survey shows that the effectiveness of internal auditing is
influenced by: (1) the characteristics of the internal audit team,
(2) the audit processes and activities, and (3) the organizational
links. Internal audit effectiveness increases in particular when
the ratio between the number of internal auditors and
employees grows, the Chief Audit Executive is affiliated to
the Institute of Internal Auditors, the company adopts control
risk self-assessment techniques, and the audit committee is
involved in the activities of the internal auditors.
Key words: Internal audit, audit committee, corporate governance, audit quality

Correspondence to: Marika Arena, Dipartimento di Ingegneria
Gestionale, Politecnico di Milano, Piazza Leonardo da Vinci, 32,
Milan, Italy. Email: marika.arena@polimi.it

SUMMARY
In recent years, the role of internal auditing (IA)
in corporate governance has received increasing
attention, due to its links to the internal control-risk
management system. Internal auditors have
exploited this renewed interest by transforming
their functions and extending their areas of
involvement to risk management, control and
governance processes. Such changes have had the
aim of increasing the value added by IA to
organizations. However, this change also requires
a redesigning of IA processes, competencies and
roles.
This study provides empirical evidence of the
organizational choices that could help improve the
effectiveness of IA. We have defined how to
measure IA effectiveness and identified research
hypotheses following the latest literature. The data
used to test the hypotheses were collected through
a questionnaire, which was sent to 364 Italian
companies, and a response rate of 47% was obtained.
The data analysis showed that IA effectiveness
is influenced by: (1) the characteristics of the IA
team, (2) the audit processes and activities, and (3)
the organizational links. IA effectiveness increases
in particular when: the ratio between the number
of internal auditors and employees grows, the
Chief Audit Executive is affiliated to the Institute
of Internal Auditors (IIA), the company adopts
control risk self-assessment techniques, and the
audit committee is involved in the activities of the
internal auditors.
These results have both practical and theoretical
implications. The paper first suggests that IA
professional bodies should re-design the set of
skills and competencies needed for their
profession, consistent with the evolution that is
currently taking place in the role of IA within
organizations. Furthermore, particular attention
should be paid to defining the organizational
position of the IA unit, since this can influence
its effectiveness. On the theoretical side, this
paper highlights the limitations of studying IA
effectiveness on its own and highlights the need
to consider the diverse set of organizational links
which could influence internal auditing.

ISSN 1090-6738
© 2009 Blackwell Publishing Ltd, 9600 Garsington Rd, Oxford OX4 2DQ,
UK and Main St., Malden, MA 01248, USA.

INTRODUCTION
Over the last few years, scholars and practitioners
have acknowledged that internal auditing (IA)
should undergo a major change in order to add
more value to a company. For this reason, IA
has been extending its area of involvement, from
more traditional accounting and financial control,
to operational control and to risk management
and corporate governance (Institute of Internal
Auditors, 1999; Spira & Page, 2003). Recent
contributions have stressed how IA can act to
achieve this aim. First, it can make line managers
conscious of their responsibility concerning risks
and controls (see, for instance, COSO, 2004; the
Turnbull Report, 1999). Second, it can act as a
consultant that monitors risks, identifies
weaknesses in control systems and facilitates the
implementation of enterprise risk management
(ERM) (Leithhead, 1999; Lindow & Race, 2002; Spira
& Page, 2003; Matyjewicz & D'Arcangelo, 2004; Page
& Spira, 2004; Beasley et al., 2005; Sarens & De
Beelde, 2006a; Fraser & Henry, 2007). Third, it can
aid the audit committee (AC) and external auditors
in their duties, especially when the AC is in charge
of monitoring the internal control system
(Goodwin, 2003; Gramling et al., 2004; Mat Zain &
Subramaniam, 2007).
Empirical evidence of the efforts of IA to take
on these new roles has been provided in research
from different countries. In the USA and Australia,
recent research has highlighted a paradigmatic
shift in the activities performed by internal
auditors, which is coherent with the definition of
the IIA¹ (see, for instance, Bou-Raad, 2000; Nagy &
Cenker, 2002; Cooper et al., 2006; Hass et al., 2006;
Burnaby & Hass, 2008). In Europe, the situation is
still very diversified. However, there are several
signs of the IA attempting to extend its area of
involvement (see, for instance, Melville, 2003;
Paape et al., 2003; Sarens & De Beelde, 2006a).
According to the results of the recent CBOK project,
over the last few years, IA activities in European
companies have increasingly been focusing on
consulting, governance, IT and management
audits, while reducing resources used for
compliance and financial audits (Allegrini et al.,
2008). In Italy, where this research was carried out,
the same trend is being followed (see, for instance,
Allegrini & D'Onza, 2003; Arena et al., 2006).
This change in the mission of IA should lead
companies to a simultaneous and consistent
redesigning of its processes, skills and roles.
Unfortunately, there is still a lack of knowledge
about the organizational dimensions a company
should act on and how it should modify them in
order to improve the added value of IA.
This paper is an attempt to help answer these
questions, through the analysis of the organizational
drivers that influence the effectiveness of IA. We
have defined how to measure such IA effectiveness
and identified research hypotheses according to
the state of the art in the literature (see next section).
The data used to test the hypotheses were collected
through a questionnaire, which was sent to 364
Italian companies and a response rate of 47% was
obtained.
The paper is structured as follows. The next
section contains the research hypotheses. The
following section presents the research
methodology, defines the main variables and how
to measure them and also clarifies how the survey
was conducted. Then the main results are described
and the final section discusses the results and their
implications.

FORMULATING THE HYPOTHESES


The conceptual model tested in this work is
summarized in Figure 1. The effectiveness of IA
is linked to three sets of items that group the
main organizational dimensions: resources and
competencies of an IA team, activities and
processes performed and organizational role. These
dimensions emerged in prior research as relevant
elements that characterize an IA unit (see, for
instance, Cooper et al., 1996; Al-Twaijry et al., 2003;
Paape et al., 2003; Tettamanzi, 2003; Kwon & Banks,
2004) and potentially have an impact on IA
effectiveness, as discussed below.

Resources and competencies of the internal audit team
A preliminary condition for IA to be able to do its
duties is the availability of a sufficiently large
number of skilled professionals (see, for instance,
Turnbull, 1999).

Figure 1: The model. Three organizational dimensions, each with a positive (+) link to IA effectiveness: resources and competencies of an IA team; processes and activities (involvement of IA in risk management); organizational role (level of interaction between IA and AC).

The size of an IA team, one of the key criteria
used by external auditors to evaluate its quality
(see, for instance, Felix et al., 2001; Al-Twaijry et al.,
2004, Mat Zain et al., 2006), clearly determines the
amount of time that internal auditors can dedicate
to auditing activities. Furthermore, in a larger
team, there could be a higher rotation of auditors,
which could lead to more objectivity. Gul &
Subramaniam (1994) showed that when auditors
are more acquainted with auditees they are less
objective in the case of managerial conflicts.
Hence, we can formulate the first research
hypothesis:
H1: IA effectiveness is positively related to the
size of the IA team.
Auditors' competencies are also potentially
relevant and are taken into account by external
auditors to determine their reliance on IA work
(Gibbs & Schroeder, 1979; Clark et al., 1981; Messier
& Schneider, 1988; Maletta, 1993; Gramling &
Myers, 1997; Felix et al., 2001; Al-Twaijry et al.,
2004). Skilled auditors are more able to provide
advice to improve the internal control system
(Brody et al., 1998; Mat Zain et al., 2006), to complete
audits, to find consistent solutions based on
previous experiences and to deal with complex and
conflicting situations (Flesher & Zanzig, 2000; Mat
Zain et al., 2006).
The auditors' competencies can also increase the
effectiveness of the IA team by improving the
recognition of their role within the organization.
Previous studies underlined that line managers
often believe that internal auditors do not have
enough knowledge to provide useful help
(Griffiths, 1999; Van Peursem, 2004, 2005) and, if
this is the case, they do not take into account their
advice, hence reducing the effectiveness of IA (Van
Peursem, 2004, 2005).
According to this, we can formulate the second
research hypothesis:
H2: IA effectiveness is positively related to the
competencies of the internal auditors.

Processes and activities: involvement of IA in risk management
The change in perspective of IA over the last few
years has already been discussed. Roughly
speaking, we can distinguish between a traditional
internal audit, focused on compliance and
monitoring, and a new internal audit, which is
focused on improving corporate performance
(Bou-Raad, 2000). Traditional IA examines
whether line managers, in trying to reach their
objectives, respect corporate boundaries (Simons,
1994) and it could, in the short term, reduce
efficiency and profitability, i.e. the main
performances that measure the results of line
managers. Owing to its links to risk management,
new IA helps managers understand what could
prevent them from reaching expected targets
(see, for instance, COSO, 2004; Matyjewicz &
D'Arcangelo, 2004; Beasley et al., 2005; Jackson,
2005). According to the IIA Position Statement
(2004), the core role of IA in ERM is to provide
objective assurance to the board on the
effectiveness of an organization's ERM activities to
help ensure key business risks are being managed
appropriately and that the system of internal
control is operating effectively. Furthermore,
internal auditors can provide consulting services to
assist the organization in identifying, evaluating,
and implementing risk management
methodologies and controls to address significant
risks (Practice Advisory 2110-1). However, there
are also some roles that internal auditors should
not undertake, because they could impair their
objectivity and independence, such as setting the
risk appetite or taking decisions on risk responses,
etc. (For a discussion on the role of IA in ERM, see
the IIA Position Statement, 2004.)
While recognizing the need for internal auditors
to avoid inappropriate involvement in risk
management, there is evidence in the literature
of the benefits related to internal auditors'
participation in certain risk management tasks.
In fact, by monitoring the internal control system
implanted to manage risks, the IA can provide
feedback concerning the effectiveness of such
controls, and therefore help managers to reach their
objectives. Sawyer (2003) underlines that an effort to
clarify the link between risks and controls improves
the quality of audit reports. De La Rosa (2005) claims
there is a need for integration between audit reports
and ERM results so that auditors can help line
managers to understand the weaknesses of internal
controls and hence improve communication
between auditors and auditees (Melville, 1999). A
few analyses concerning managers' expectations
towards IA confirm this point. Griffiths (1999)
underlines that several Chief Finance Officers
(CFOs) consider risk management as one of the
most important activities of IA, even though there is
general dissatisfaction about the capacity of internal
auditors in this field. Analysing CEOs' and CFOs'
perceptions of the role of IA, Sarens & De Beelde
(2006b) stress that top managers expect internal
auditors to assist them to formalize risk
management systems and to create a reasonable
level of awareness about risks and controls.
Hence, we can formulate the third research
hypothesis:
H3: IA effectiveness is positively related to the
involvement of internal auditors in risk
management.

Organizational role: interaction between internal audit and the audit committee
The position of IA in an organization is bounded; it
is a corporate unit that should have a large amount
of autonomy and independence in order to
perform its activities in a proper manner. A key
decision about the organizational role of IA
concerns its relationship with the audit committee
(AC).
Growing interest in corporate governance has
led a few scholars to explore such a link (see, for
instance, Scarbrough et al., 1998; Goodwin & Yeo,
2001; Raghunandan et al., 2001, Goodwin, 2003). IA
and the AC are two different control bodies: IA
operates within the organization, while the AC is
made up of members of the Board of Directors.
These two bodies, however, have related purposes:
one of the objectives of the AC is to monitor and
evaluate the internal control system, which is also
the primary goal of the IA team (see, for instance,
COSO, 1992; Blue Ribbon Committee, 1999;
Combined Code, 2003).
A real interaction between IA and AC is very
important for both (Raghunandan et al., 1998;
Bishop et al., 2000; Goodwin, 2003) and, in fact,
many guidelines and standards (BRC, 1999; SEC,
IIA, 2000) promote such cooperation. Furthermore,
some scholars stress its importance for the
performance of audit committees (see, for instance,
Raghunandan et al., 1998).
Focusing on IA, the interaction with the AC
makes information exchange and data availability
easier (Raghunandan et al., 1998; Bishop et al., 2000;
Walker, 2004; Mat Zain et al., 2006). The AC
monitoring of IA could also help identify problems
in IA itself and offer opportunities for
improvement.
If IA reports to the AC, its role within the
organization is also reinforced and the
communication of managerial problems to the top
levels of the company is helped (Braiotta, 1999;
Goodwin & Yeo, 2001). Professional standards
underline that 'The chief audit executive should
report to a level within the organization that
allows the internal audit activity to fulfil its
responsibilities' (Attribute Standard 1110, IIA,
2000). This is also acknowledged by CEOs. In an
Australian survey, Cooper et al. (1994) claimed that
more than a half of the interviewed CEOs stated
that the IA had to report to the audit committee.
Other studies mention that a close link between
the AC and IA can promote the role of the latter
within the organization (Goodwin & Yeo, 2001;
Raghunandan et al., 2001; Goodwin, 2003), increase
its opportunity to suggest improvement actions
and to see them implemented in practice (unsolved
problems would in fact be communicated to the AC
and then to the CEO).
Hence, our last research hypothesis is:
H4: IA effectiveness is positively related to a
close link between the IA and the audit
committee.

RESEARCH METHOD
Sampling and conduct of survey
The data collection was based on a survey of the
largest companies in Italy. The initial sample
targeted the top 300 Italian companies
(Mediobanca, 2003²) and included a few financial
holdings. To make the sample more consistent,
we replaced the holding companies with their
operational subsidiaries, ending up with 364
organizations, competing in a wide range of
activities (manufacturing, bank and insurance,
utilities, etc.). The resulting sample was also
diversified in terms of listing choices and included
both listed and unlisted organizations.
The survey design was based on questions that
could be easily answered by the target-respondents
(the CAEs) and which would limit possible
framing effects. In order to develop the tool for
the data collection correctly, the questions
were previously discussed with some CAEs to
understand how the respondents would interpret
the questions. In addition, the questionnaire
was first tested in some companies before being
distributed to the whole sample; the pilot test led to
a few changes in order to make the questions more
understandable.
Before delivering the questionnaires, telephone
calls were used to confirm whether the companies
had an IA department. Sixty organizations from the
initial sample had no IA unit and were excluded
from the study. In the remaining companies, the
researchers contacted the CAEs to present the
research objectives and arrange the delivery of
the questionnaire. The respondents had the option
of answering an e-mailed electronic copy of the
questionnaire or a hard copy, sent by fax. After the
first contact, the researchers made two reminder
phone calls.

Table 1: List of different industries involved in the study

Industry                          No. of respondents    % of respondents
Bank and Insurance                43                    28.1
Automotive                        4                     2.6
Aviation                          1                     0.7
Building                          4                     2.6
Chemicals and Drugs               6                     3.9
Distribution                      5                     3.3
Electric and optical appliance    6                     3.9
Fashion and luxury                4                     2.6
Food and drinks                   7                     4.6
Glass                             1                     0.7
Health care                       1                     0.7
Holding                           5                     3.3
Hotels and catering               2                     1.3
ICT                               10                    6.5
Mechanical                        7                     4.6
Media and entertainment           7                     4.6
Metal sector                      2                     1.3
Oil and gas                       6                     3.9
Paper production                  2                     1.3
Plant engineering                 3                     2.0
Publishing                        3                     2.0
Real estate                       1                     0.7
Rubber                            2                     1.3
Textile                           4                     2.6
Transport                         7                     4.6
Utilities                         10                    6.5
Total respondents                 153                   100.0

A total of 170 questionnaires were collected, with
an overall response rate of 47%, but 17 were
excluded because some questions had not been
answered, leading to an actual response rate of 42%
(153 usable questionnaires). The respondents'
distribution, in terms of industry field, is presented
in Table 1.
Two procedures were used to assess the
non-response bias. First, a control of the reasons
for non-response was performed (see Krumwiede,
1998). This information was collected through
follow-up phone calls, in which it was asked why
the CAE decided not to participate in the study.
Table 2 shows that the most frequent motivation for
the lack of response was related to the lack of time
(28%) or to the location of the audit department in
a different parent company (20%). Only a few
companies indicated that they were not interested
in the project or considered the questionnaire
unsuitable for their company. Some 32% of the
non-respondents did not provide any feedback on
their failure to answer.

Table 2: Reasons for not answering

Reasons for not answering           No. of non-respondents  % of non-respondents
Lack of time                        38                      28.36%
Lack of interest                    3                       2.24%
Centralized audit department        27                      20.15%
IA Department recently introduced                           1.49%
Not known                           43                      32.09%
Not applicable                      8                       5.97%
Privacy                             5                       3.73%
Difficult contingent situation      4                       2.99%
Other                               4                       2.99%
Total                               134                     100.00%

As suggested by Oppenheim (1966), the
existence of a non-response bias was further tested
by comparing the responses of the early and late
respondents. The existence of statistical differences
between the two groups of companies was tested
applying the chi-square test (categorical variables)
and the t-test (continuous variables). There was no
significant evidence of a response bias. Finally, a
possible source of bias could be related to the
choice of the sample frame (the list of the top Italian
companies), and some caution should therefore be
taken when extending these results to other
countries.

Measures and statistical analysis


Dependent variable
The dependent variable was IA effectiveness. In
general, effectiveness can be defined as the capacity
to obtain results that are consistent with targets or,
as Dittenhofer (2001) points out in different words,
the achievement of the internal auditing process
is when internal auditing performs in such a way
so as to accomplish the task described by the
internal auditing objective. Though several parties
advocate the need to measure IA effectiveness (for
instance, Barrett, 1986; Sawyer, 1995; Dittenhofer,
2001; KPMG, 2004; Van Gansberghe, 2005; Mihret
& Yismaw, 2007; Ridley & D'Silva, 2008), there is
no generally acknowledged or operational measure
for this purpose.
The different approaches can be divided into
three main sets: process measures, output
measures and outcome measures.
Process measures are based on the evaluation
of the quality of IA procedures, such as the level
of compliance with IIA standards or the ability
to plan, execute and communicate audit findings
(for instance Spraakman, 1997; Wang, 1997; Fadzil
et al., 2005). Though this approach was adopted
frequently in the previous literature, it suffers from
a major limitation as it is based on the hypothesis
that IA activity is effective if IA procedures are
carried out properly, without considering the needs
of the main stakeholders in each individual audit
(Lampe & Sutton, 1994). This is in contrast with
the current trend that stresses the relevance of
value-added activities and indicates stakeholders'
satisfaction as one of the critical performance
categories for IA activities (see, for instance, the
Practice Advisory 1311-2).
Output measures appear more consistent with
the need to consider the changing expectations
of IA customers, as well as the relevance of
value-added activities in shaping performance
indicators (Frigo, 2002). Among the possible
indicators, particular attention has been paid to the
ability of IA to respond to auditees' needs (see, for
instance, Barrett, 1986; Frigo, 2002; Ziegenfuss,
2000). In this context, a recent work by Ziegenfuss
(2000) has highlighted that the survey results
of auditee satisfaction and the percentage of
recommendations that are implemented are the
performance measures considered by the CAE
to be most suitable to evaluate IA effectiveness.
The first measure, though potentially interesting,
can be hard to apply to an extensive survey, as
it requires the involvement of a representative
sample of auditees for each company. The latter
measure also suffers from some limitations, as
it is at least partially beyond IA control and does
not account for qualitative differences between
recommendations (Salierno, 2000). However, it
appears more suitable for collecting data from an
extensive study.
Finally, there are outcome measures which tackle
the impact of a certain output of the audit process.
According to Dittenhofer (2001), when evaluating
the effectiveness of the internal auditing operation,
a positive response would be given when the
internal auditor: (1) audits the achievement of the
auditee's objectives and finds no problems, and no
problems surface following the audit; or (2) audits
and finds problems; and (3) recommends solutions
to the problems; and the solutions resolve the
problems. From this statement it is clear that
outcome measures address a wide range of aspects,
i.e. all the elements on which audit activities have
an impact. These include both efficiency and
effectiveness of the audited processes and
corporate results. At a process level, for example,
the impact of IA activities has been related to cost
savings generated by the implementation of
suggested recommendations (see, for instance,
Cashell & Aldhizer III, 2002). At a corporate level,
outcome measures can address the IA contribution
to corporate performance, such as profit, growth, or
share price; or its role in the avoidance of corporate
failures. Though such an approach appears
potentially interesting, as confirmed by recent
practitioners' literature (see, for instance,
Blackburn, 2004), measuring outcomes involves
inherent difficulties. The main problems are related
to the existence of a delay between the time when a
certain action is taken and when its impact is
comprehensible. Furthermore, the contribution of
each item (i.e., IA intervention) may not be isolated
easily (see, for instance, Smith, 1995; Perrin, 1998;
Heinrich, 2002).
Based on the above considerations, IA
effectiveness was measured, in this study, as the
percentage of recommendations suggested by
the internal auditors and actually implemented
by the auditees. Though this solution suffers from
the previously discussed limitations, the choice
appears more consistent with the objectives of this
paper, that is, to address IA impact, while avoiding
the problems related to outcome measures.
The percentage of recommendations
implemented by the auditees was measured
through a four point Likert-type item (%IMP).
Here, 1 corresponds to a low level of
implementation of actions suggested by the
internal auditors (below 20%), 2 is a medium–low
level of implementation (between 20% and 50%),
3 is a medium–high level of implementation
(between 50% and 80%) and 4 indicates a high level
of implementation of suggested actions (more than
80%).
Table 3 presents the descriptive statistics for the
dependent variable.

Table 3: Descriptive statistics: percentage of recommendations suggested by internal auditors and actually implemented by the auditees

Implemented recommendations (%IMP)    No.     %
1 (<20%)                              12      7.84
2 (20% < n < 50%)                     29      18.95
3 (50% < n < 80%)                     69      45.10
4 (>80%)                              43      28.10
Total                                 153     100.00

Independent variables
The list of independent variables and their
descriptive statistics are presented in Tables 4 and
5. The constructs investigated in this research
include: (1) the size of the IA units, (2) the internal
auditors' competencies, (3) the involvement of the
internal auditors in activities supporting risk
management processes, and (4) the level of
interaction between the IA and AC.
In order to measure the size of an IA unit,
reference was made to two variables. First, the
number of internal auditors (NIAS), which was
also used in prior research as an indicator of
the resources potentially available to the IA
departments (see, for instance, Goodwin & Yeo,
2001; Goodwin, 2003; Paape et al., 2003; Carcello et
al., 2005; Goodwin-Stewart & Kent, 2006; Mat Zain
et al., 2006). A logarithmic transformation was
applied to improve the reliability of the measure
and reduce collinearity when performing the
regression analysis (see, for instance, Mat Zain et
al., 2006).³
Second, we adopted the ratio between the
number of internal auditors and the number of
employees in the analysed companies (RATIO).
The adoption of a relative measure provides a more
significant indication of the resources that are
actually available for IA activities (see also Makosz
& McCuaig, 1990).
The second construct refers to internal auditors'
competencies. Here, three variables were adopted:
the membership of the Chief Audit Executive
(CAE) to the Institute of Internal Auditors (IIA), the
achievement of professional certification issued
by the IIA (CERT_IIA) and the achievement of
Certified Public Accountant certification by the
internal auditors (CERT_CPA).
The IIA plays a relevant role in the education and
training of internal auditors by organizing courses,
conferences and seminars (Lewington, 1996;
Dunlop & Hassall, 1997; O'Regan, 2001). The IIA is
open to all individuals involved in internal auditing
and related issues, therefore membership is not
selective. However, the participation of the CAE in
the IIA may be a sign of the inclination of the audit
unit towards training activities and competency
development. The variable adopted here (IIA) was
given a value of 1 when the CAE was a member of
the IIA and a value of 0 otherwise.

Table 4: Descriptive statistics

Variable                                                                        No.   Min     Max     Mean    Std. deviation
lnNIAS (ln (no. of internal auditors))                                          153   0.00    6.40    1.66    1.24
RATIO (no. of internal auditors/no. of employees)                               153   0.00    0.13    0.01    0.01
CERT_IIA (no. of internal auditors with IIA certification / no. of employees)   153   0.00    1.00    0.07    0.17
CERT_CPA (no. of internal auditors with CPA certification / no. of employees)   153   0.00    1.00    0.09    0.22
IIA (membership of the CAE to the IIA)                                          153   0.00    1.00    0.65    0.48
lnRM (ln (% of FTE used for risk assessment + 1))                               153   0.00    4.26    2.12    1.03
CRSA (adoption of CRSA techniques)                                              153   0.00    1.00    0.62    0.49
FSCAC (AC factor score)                                                         153   -1.16   1.36    0.00    1.00
FREQAC (frequency of meetings between IA and AC)                                153   0.00    5.00    1.78    1.59
lnSALE (ln (sales))                                                             153   16.10   25.18   20.95   1.57
IND (industry)                                                                  153   0.00    1.00    0.28    0.45
LIST (listing)                                                                  153   0.00    1.00    0.50    0.50

Similarly, professional certification may be
related to the level of competencies of an IA unit
(see, for instance, Kalbers & Fogarty, 1995; Fadzil et
al., 2005). In particular, two different types of
certification appear relevant: (1) certifications
issued by the IIA (in particular CIA) which identify
specific IA competencies, and (2) CPA certification,
which refers to broader accounting competencies.
Previous research has highlighted the relevance of
professional certification, though with contrasting
results. Myers & Gramling (1997) highlighted that
CIA certification (Certified Internal Auditor) is
considered a sign of professional competency by
the CAE, though it is not recognized by line
managers to any extent. The authors also reported
on cases where CPA certification is given more
importance than CIA certification (see also Cooper
et al., 1996; Al-Twaijry, 2003). Similarly, Kalbers &
Fogarty (1995) highlighted a still limited diffusion
of certification: in their study, 52.6% of the
responding internal auditors had no accounting
certification, 28.8% were CPAs and only 7.7% were
CIAs. In European countries, the situation is also
differentiated. In Belgium, only 33% of the internal
auditors within an IA department have one or more
IA-related certifications (IIA Belgium, 2006), and in
Greece the majority of internal auditors in listed
organizations are not certified (Koutoupis, 2006).
Though this measure is consistent with previous
research, it suffers from some limitations as it
neglects non-accounting qualifications such as IT
or technical skills which are now becoming more
critical.
Finally, the variables adopted in this analysis are
CERT_IIA and CERT_CPA, which were computed
as the ratio between the number of internal
auditors with a certain certification and the overall
number of internal auditors in the IA unit. Tables 4,
5 and 6 present the relevant descriptive statistics
and correlation analysis.
The level of involvement of the IA in activities
to help the risk management process is measured
by two variables: the adoption of control risk
self-assessment techniques (CRSA) and the
percentage of time employed by the internal
auditors to carry out risk assessment.
Control self-assessment (CSA) techniques are
defined as processes where auditors and
management work cooperatively to set and
evaluate standards for control through workshop
and discussion (Jordan, 1995; Melville, 1999). Prior
research pointed out that the adoption of these
techniques contributed to a shift in the focus of
IA activities from monitoring to a continuous and
systemic review of the system of internal controls,
aimed at identifying and managing enterprise risk
(McCuaig, 1998; Melville, 1999). The adoption of
CSA/CRSA techniques is a measure of the level of
collaboration and interaction between internal
auditors and managers in monitoring and
enhancing the internal control/risk management
system. The variable used here (CRSA) was given a
value of 1 when the company had implemented
CSA/CRSA techniques and a value of 0 otherwise.

Table 5: Correlation analysis

              (1)       (2)       (3)       (4)       (5)       (6)       (7)       (8)       (9)       (10)      (11)      (12)
(1) lnNIAS    1         0.170*    -0.011    -0.304**  0.280**   -0.143    0.080     0.182*    0.113     0.374**   0.264**   0.106
(2) RATIO               1         -0.119    -0.078    -0.141    -0.003    -0.164*   0.050     0.059     -0.203*   0.354**   -0.212**
(3) CERT_IIA                      1         -0.099    0.180*    0.111     0.108     0.001     -0.024    0.227**   -0.231**  0.024
(4) CERT_CPA                                1         -0.086    0.007     0.172*    0.127     0.188*    -0.238**  -0.202*   0.114
(5) IIA                                               1         -0.083    0.043     0.079     0.106     0.459**   -0.147    0.142
(6) lnRM                                                        1         0.064     0.015     0.016     -0.017    -0.110    -0.048
(7) CRSA                                                                  1         0.254**   0.301**   0.046     0.039     0.140
(8) FSCAC                                                                           1         0.836**   0.072     0.065     0.323**
(9) FREQAC                                                                                    1         0.102     0.149     0.310**
(10) lnSALE                                                                                             1         -0.256**  0.163*
(11) IND                                                                                                          1         -0.193*
(12) LIST                                                                                                                   1

Table 6: Frequencies (dummy variables)

                                          No.     %
Membership of the CAE to the IIA (IIA)
  0 (No)                                  54      35.29
  1 (Yes)                                 99      64.71
Adoption of CRSA techniques (CRSA)
  0 (No)                                  58      37.90
  1 (Yes)                                 95      62.10
Listing (LIST)
  0 (Unlisted firm)                       76      49.67
  1 (Listed firm)                         77      50.33
Industry (IND)
  0 (Manufacturing and utilities)         110     71.90
  1 (Financial service providers)         43      28.10

Table 7: Factor analysis and Cronbach's alpha

                                                                                Component FSCAC
Involvement of the AC in the monitoring and controlling of the IA activities    0.959
Involvement of the AC in the review of the IA reports                           0.935
Involvement of the AC in the definition of the audit plan                       0.951
Cronbach's alpha                                                                0.943

A second variable is the percentage of time (Full
Time Equivalent), employed in risk assessment
activities (RM). Prior research adopted percentages
of time to explore the tasks in which internal
auditors were engaged (see, for instance, Paape et
al., 2003).4
A logarithmic transformation was applied to
enhance the reliability of the measure and reduce
collinearity, which could affect the reliability of the
regression analysis.
Finally, the level of interaction between IA and
the audit committee was measured using two
variables: the frequency of AC meetings with the
CAE and the level of participation of the AC in the
monitoring and reviewing of IA work.
The frequency of meetings between the AC and
IA has often been used in prior research to measure
the relationship between the two bodies (see, for
instance, Goodwin & Yeo, 2001; Goodwin, 2003;
Goodwin-Stewart & Kent, 2006; Mat Zain et al.,
2006). In this paper, the frequency of the meetings
between the CAE and AC was measured using a
numeric variable (FREQAC) where 0 = no meeting
between the CAE and the AC, 1 = one meeting per
year between the CAE and the AC, 2 = two
meetings per year between the CAE and the AC,
3 = three meetings per year between the CAE and
the AC and 4 = four or more meetings per year
between the CAE and the AC.
The level of participation of the AC in IA
activities was measured using multiple survey
items. As no consensual scales were readily
available in the literature, we developed three items
to deal with different interaction phases between
the IA and the AC: identification of the IA unit's
objectives and the definition of the audit plan;
monitoring and controlling of the audit activities;
and review of IA reports. The level of involvement
of the AC in these activities was measured
on a five-point Likert scale, with the lowest value
being 1 and the highest value 5. A confirmatory
factor analysis highlighted that these items can be
grouped into one (with 92.51% of variance
explained); furthermore the reliability analysis
showed satisfactory results (Cronbach's
alpha = 0.943). Henceforth, reference is made to the
resulting item (FSCAC); the related statistics are
shown in Table 7.
Some control variables were included in the
model in order to verify the relevance of the
contextual factors that can influence the results
of the analysis. The control variables were the
company's size, the type of industry and listing.
Size has been used as a control variable in
previous research dealing with IA organization
and IA effectiveness (Goodwin-Stewart & Kent,
2006; Mat Zain et al., 2006; Coram et al., 2008). Size
was measured according to the sales (SALE). A
logarithmic transformation was applied to improve
the reliability of the measure and to reduce
collinearity when performing the regression
analysis.
Industry was included to take into account the
possible role of different normative requirements
concerning IA in different industries. In Italy, as
in some other countries, banks and insurance
companies are the only organizations where IA
activities are regulated by law. The sample
companies were accordingly divided into two
groups: IND was given a value of 1 if the firm was
a bank or an insurance company and 0 otherwise.
The last control variable encompasses listing
choices. Listed companies, though not required to
adopt IA units, have more precise requirements
with respect to internal controls. This could
influence the set of activities performed as well as
their effectiveness (see, for instance, Allegrini &
D'Onza, 2003). Listing was measured using a
dichotomous variable (LIST) which was given a
value of 1 if the company was listed and 0 otherwise.
Table 5 also presents the descriptive statistics
and the correlation analysis for the control variable.
Some of the correlations appear to be high, which
raises the possibility of multicollinearity. Therefore,
particular attention was paid to this issue in the
data analysis.

The model
In order to explore the research hypotheses, we
adopted an ordinal logit regression model, since
the dependent variable is a Likert-scale item.
Standard tests were performed to verify the
reliability of the model and these provided
acceptable results concerning the underlying
assumptions (Long & Freese, 2006). The
approximate likelihood-ratio test suggests that the
proportional odds assumption was not violated
(chi2 = 27.10, p = 0.30).
The following regression model was tested:

\[
\begin{aligned}
\%\mathrm{IMP}_i ={} & b_{0i} + b_1\,\mathrm{lnNIAS}_i + b_2\,\mathrm{RATIO}_i + b_3\,\mathrm{CERT\_IIA}_i + b_4\,\mathrm{CERT\_CPA}_i + b_5\,\mathrm{IIA}_i + b_6\,\mathrm{lnRM}_i \\
& + b_7\,\mathrm{CRSA}_i + b_8\,\mathrm{FREQAC}_i + b_9\,\mathrm{FSCAC}_i + b_{10}\,\mathrm{lnSALE}_i + b_{11}\,\mathrm{IND}_i + b_{12}\,\mathrm{LIST}_i + e_i
\end{aligned}
\]

The first and the second variables, lnNIAS and
RATIO, were used to explore the first research
hypothesis (H1), CERT_IIA, CERT_CPA, and IIA
were used to test the second research hypothesis
(H2), lnRM and CRSA were used to explore the third
research hypothesis (H3). Finally, FREQAC and
FSCAC were used to test the last hypothesis (H4).
The following section reports the results of the
statistical analysis. A sensitivity analysis was also
performed in order to test the reliability of the
proposed model.

Table 8: Ordered logit regression model

Variables                                                                     Coefficients   Standard errors   z       Significance P > |z|
lnSALE (ln (sales))                                                           -0.101         0.152             -0.66   0.507
IND (industry)                                                                -0.263         0.574             -0.46   0.647
LIST (listing)                                                                0.016          0.386             0.04    0.968
lnNIAS (ln (no. of internal auditors))                                        -0.194         0.196             -0.99   0.322
RATIO (no. of internal auditors/no. of employees)                             84.908         26.275            3.23    0.001
CERT_IIA (no. of internal auditors with IIA certification/no. of employees)   -0.436         0.983             -0.44   0.657
CERT_CPA (no. of internal auditors with CPA certification/no. of employees)   0.021          0.937             0.02    0.982
IIA (membership of the CAE to the IIA)                                        1.321          0.415             3.18    0.001
lnRM (ln (% of FTE used for risk assessment + 1))                             0.021          0.169             0.13    0.900
CRSA (adoption of CRSA techniques)                                            1.518          0.416             3.65    0.000
FSCAC (AC factor score)                                                       1.345          0.363             3.71    0.000
FREQAC (frequency of meetings between IA and AC)                              0.538          0.234             2.30    0.022
LR chi2 = 134.38
Prob > chi2 = 0.000
Pseudo R2 = 0.358

RESULTS
Table 8 presents the results of the regression
analysis carried out on the percentage of
recommendations suggested by the internal
auditors and actually implemented by the auditees.
The regression model is statistically significant
(LR chi2 = 134.38; p < 0.00, pseudo R2 = 0.36).
Unexpectedly, the data analysis shows that none of
the control variables are related to the effectiveness
of the IA unit. Instead, the regression analysis made
it possible to at least partially validate the
previously formulated hypotheses.
As far as the first research hypothesis is
concerned, the statistical analysis showed a positive
relationship between the resources available to the
IA unit and the percentage of actions implemented
by their auditees. In other words, the ratio between
the number of internal auditors and the number
of company employees (RATIO) was positively
related to the IA effectiveness (z = 3.23, p < 0.00).
The analysis, instead, did not show any relationship
between the overall number of internal auditors
and IA effectiveness. This result is sound if we take
into account that the relative measure adopted
in this research (RATIO) allows the resources used
to perform the IA activities to be compared with
the auditable universe. According to these
considerations, it can be concluded that the first
research hypothesis is at least partially confirmed
by the data analysis.
The second research hypothesis relates to the
competencies of the IA units. In this case, the
regression analysis highlighted a positive
relationship between the membership of the CAE
to the Italian chapter of the IIA (IIA) and the
percentage of implemented actions (z = 3.18,
p < 0.00). The data analysis, instead, did not
show any link between the percentage of
recommendations enacted by managers and the
employment of internal auditors with professional
certification. Hence, again, the research hypothesis
is partially supported.
The third hypothesis concerns the level of
involvement of the IA in activities supporting the
risk management process. The statistical analysis
showed contrasting results. The percentage of
actions implemented by the auditees is positively
related to the implementation of CRSA techniques
(z = 3.65, p < 0.00). The data, instead, do not provide
evidence of the existence of any relationship with
the percentage of time employed for risk
assessment activities on IA effectiveness.
Finally, the last research hypothesis concerns the
level of interaction between the internal auditors
and the audit committee. Both the frequency of
meetings between the AC and the CAE and the
level of involvement of the AC in IA activities are
positively related to the percentage of implemented
actions (z = 2.30, p < 0.02 and z = 3.71, p < 0.00,
respectively).

Sensitivity analysis
A sensitivity analysis, where different variables
were introduced and removed, was performed to
verify the reliability of the regression model.
First, the regression was run after removing
highly correlated variables, one by one, in order
to verify their influence on the significance of
other variables included in the model. The same
procedure was reiterated by removing the control
variables. Though this analysis resulted in small
changes in the coefficient, there were no differences
in the significant variables.
Since the factor score for AC involvement in
IA activities (FSCAC) was highly correlated to the
frequency of meetings (FREQAC), we combined
the items included in FSCAC with the variable
FREQAC through a factor analysis. The regression
model was run replacing the two variables with the
new factor score, which was significant at p < 0.00,
but no relevant changes in the other variables were
shown.
Third, we ran the regression model adding the
early/late respondent variable in order to further
verify the existence of a response bias. This variable
was not significant in determining the percentage
of recommendations implemented by the auditees,
nor did it modify the significance of any other
variables previously included in the model.
Fourth, we verified whether outsourcing could
affect the link between the effectiveness of IA and
the number of IA staff. We added a dichotomous
variable (OUT) which was given a value of 1 if the
company uses outsourced IA services, at least
partially and 0 otherwise. The variable did not
influence IA effectiveness. While small changes in
the coefficients were recorded, there were no
relevant differences in the significant variables.
Finally, we added an AGE variable, to measure
the age of the IA unit. We adopted a dichotomous
variable which was given a value of 0 where the IA
unit was established within the last five years and
1 otherwise. This variable could be used as an
indicator of the experience of the function, at least
in relation to the firm context. The regression
analysis was not affected by the introduction of this
new variable: the data did not provide any evidence
concerning the significance of the AGE variable and
there were no significant changes in the other
variables.

DISCUSSION AND CONCLUSIONS
Among the different systems adopted by
companies to ensure sound corporate governance,
IA has recently gained high attention due to its
links with the internal control-risk management
system (see, for instance, Power, 2007). Internal
auditors have exploited this renewed interest, by
transforming their function and extending their
area of involvement to risk management, control
and governance processes. Such a shift has the
purpose of increasing the value added by IA to
respond to the specific needs of the organizations.
However, this change also means that the IA
processes, competencies and roles need to be
modelled accordingly in order to increase the
ability of IA to respond to the needs of the
organization and thus enhance its effectiveness.
Starting from this consideration, the paper has
analysed the organizational dimensions a company
should act on to improve IA effectiveness. The data
used to test the hypotheses were collected through
a questionnaire which was sent to 364 Italian
companies, generating a response rate of 47%.
The test of the hypotheses showed that the
effectiveness of IA is influenced by several
organizational dimensions (characteristics of the
IA team, processes and activities, organizational
links). The percentage of implemented suggestions
increases when:
• the ratio between the number of internal
  auditors and the employees is higher;
• the CAE is affiliated to the Institute of Internal
  Auditors;
• the company adopts CRSA techniques;
• the audit committee is involved in the activities
  of the internal auditors.
These conclusions may be of help in the design
of IA within specific organizations in order to
improve its effectiveness. However, a systemic
analysis of these results could help to better
understand their relevance, implications and
limitations.
First, the paper clarifies the fact that the
structural characteristics of an IA unit may
influence its effectiveness. The positive role of the
ratio between the number of internal auditors and
the employees, in particular, indicates how
important it is for IA to have sufficient resources
compared to the auditable universe. This result may
appear somewhat trivial. However, it can influence
future decisions on whether to increase the share of
budget and staff dedicated to IA, a step which
many companies are currently pursuing, due to
recent financial scandals (Carcello et al., 2005;
Goodwin-Stewart & Kent, 2006).
The second set of results concerns those elements
which could contribute to IA effectiveness by
enhancing its legitimation at both top levels and for
line managers. Here, two elements appear critical:
IA positioning, and in particular its relationship
with the AC, and the interaction with line
managers.
At top levels, we have confirmed the positive
impact of a close link between IA and the AC on
IA effectiveness. This finding extends the results
of other researchers, who have testified the role
of such a link in improving the traditional
performance of IA (quality of the reports,
efficiency in data analysis, completeness in
identifying non-compliance). The involvement of
the AC in the activities of internal auditors may be
proof of the commitment of the organization to
auditing and may increase the credibility of auditors,
leading line managers to be more active in
implementing their suggestions.
At a middle management level, the legitimation
of internal auditors is closely related to the
changing role of the IA, which increasingly acts as
a consultant within an organization. This changing
role is highlighted in the study through the positive
relationship between IA effectiveness and the
adoption of CRSA. This technique requires the
direct involvement of line managers and their
active role in risk identification and monitoring
(Melville, 1999), while internal auditors mainly
play a facilitating role. On the one hand, this type
of interaction encourages internal auditors to
cooperate with managers and to focus on
operational activities, thus legitimating the
auditors' role at a middle management level. On
the other hand, it poses the problem of balancing
internal auditors' active participation in CRSA with
their monitoring role, in order not to impair their
objectivity and independence. Our results confirm
the opportunity that internal auditors have, as a
professional body, to increase their involvement in
activities which support the risk management
process in order to improve the added value of
their work. Some caution should, however, be
taken to avoid inappropriate involvement in tasks
that the managers are responsible for. The lack
of correlation between IA effectiveness and the
share of time that the auditors dedicate to risk
management could appear to be in contrast with
this result. However, although the adoption of
CRSA is an objective measure of the attitude of a
company towards risk management, we measured
time allocation according to a self-assessment by
the CAE. For this reason, the data could be
unreliable and could induce a bias in the analysis.
Furthermore, as we previously mentioned, we did
not distinguish between assurance and consulting
services, which could also introduce a bias into the
analysis.
These results lead to some implications which
could be relevant at both a practical and theoretical
level. The relevance of the organizational links
in influencing IA effectiveness suggests the
importance of the proper positioning of the IA unit,
a point which has also been debated by other
scholars. Furthermore, the relevance of the
organizational links highlights the importance of
studying IA within its organizational realm,
considering the whole set of relations that could
influence it. Most previous research has studied
IA on its own, or focused on the relationship
between IA and AC or IA and the external audit.
However, to the authors' knowledge, there are
very few studies that simultaneously consider
the interactions with different actors of the
organization, including senior and middle
managers (see, for instance, Sarens & De Beelde,
2006b) and none that address IA effectiveness. In
our opinion, this constitutes a potential limitation
to the complete understanding of IA effectiveness.
Finally, the third set of results highlights the
relevance of properly designing IA competencies.
The changing role of internal auditors has
determined the creation of new skills to perform
activities that are more closely related to risk
management and corporate governance. However,
risk management requires different competencies
from compliance; it needs auditors who are able
to understand the main drivers of business
performance, to deal with different sources of risk,
to involve line managers and increase their
confidence in risks and controls. Hence, it is
not surprising that our results on internal
auditors' competencies, even though apparently
counterintuitive, confirm what was reported in
Gramling & Myers (1997), who claimed that
auditors' professional certification (CIA in
particular) does not influence the perceptions of
line managers and their willingness to implement
suggestions. A possible explanation for this is that
professional certification, in general, is based on
traditional skills and does not guarantee an
improvement in new competencies. The positive
impact of the affiliation of the CAE to the IIA does
not rule out this conclusion; it represents more a
measure of the interest of CAEs in updating their
information and knowledge (and again, this is
consistent with a greater interest in risk
management than in compliance) than of the level
of competencies of the IA team.
The discussion on the results of the study
highlights its main limitations.
First, the research used the survey method for
data collection. This method prevents the
possibility of explaining and giving details on the
questions to the respondents and may therefore not
ensure high external validity because the researcher
is unable to completely control how the
respondents interpret the questions. From this
point of view, the nature of the study should be
considered exploratory and its results could be
further verified and dealt with in depth using more
intensive research methods.
Second, the survey was carried out in Italy and
the data collected can be considered representative
of large Italian organizations, but some caution
should be applied when extending these results to
other contexts, with different legislative settings or
levels of development of IA. In Italy, for instance,
IA is a relatively new discipline and there are no
legislative requirements for Italian companies to
establish IA units or to perform IA activities (with
financial service providers being the only
exception).
Furthermore, the analysis of the results has
clarified that some of the data used in this research
are too aggregated to obtain a clear picture of certain
issues. One point concerns the processes and
activities that internal auditors carry out. As our
study confirms the opportunity for involvement of
internal auditors in risk management, we believe
that it would be useful, in future studies, to refer
to a clear framework of the different activities that
the IA performs in risk management (for instance,
the IIA Position Statement), in order to understand
where the role of IA is more critical. For this
purpose, a more reliable measure of time dedicated
to each activity should be used rather than the CAE
self-assessment.
Another problem concerns the definition of the
competencies of internal auditors. We used the
employment of certified auditors within the IA unit
as a proxy. The research, however, shows that
this is not directly linked to IA effectiveness. We do
not believe that this is due to the irrelevance of
competencies, but rather to the fact that our
definition of competencies, even though in line
with other scholars, is not consistent with present
requirements. Hence, future research should start
from a more detailed analysis of the competencies
that are theoretically required of internal auditors,
in order to understand which specific skills can
influence their effectiveness.
This latter comment leads, in our opinion, to a
final implication of the paper. It, in fact, suggests
that IA professional bodies should re-design the set
of skills and competencies that are needed for their
profession, consistently with the evolution that is
taking place in the role of internal auditing in
organizations.

ACKNOWLEDGEMENTS
The authors wish to thank the editor and the two
anonymous reviewers for their comments and
advice.

NOTES
1. Internal auditing is an independent, objective
assurance and consulting activity designed to
add value and improve an organization's
operations. It helps an organization accomplish
its objectives by bringing a systematic,
disciplined approach to evaluate and improve
the effectiveness of risk management, control,
and governance processes (IIA, 2000).
2. Mediobanca is the leading investment bank in
Italy and its Research Department is a highly
specialized centre for financial analysis and
research. The annual editions of the Top Italian
Companies constitute the most authoritative and
complete classification of the main Italian
corporations.
3. However, this measure is based on
self-evaluation by the CAE and we did not
distinguish between assurance and consulting
activities in relation to risk assessment and its
use can therefore be open to criticism.
4. Consistent with this choice, the descriptive
statistics show the logarithmic transformation of
the NIAS variable. The minimum value reported
is zero, which corresponds to one internal
auditor (since ln 1 = 0).

REFERENCES
Al-Twaijry, A. A. M., Brierley, J. A. & Gwilliam, D. R.
(2003), The development of internal audit in Saudi
Arabia: an institutional theory perspective, Critical
Perspective on Accounting, Vol. 14, No. 5, pp. 50731.
Al-Twaijry, A. A. M., Brierley, J. A. & Gwilliam, D. R.
(2004), An examination of the relationship between
internal and external audit in the Saudi Arabian
corporate sector, Managerial Auditing Journal, Vol.
19, No. 7, pp. 92945.
Allegrini, M. & D'Onza, G. (2003), Internal auditing
and risk assessment in large Italian companies: an
empirical survey, International Journal of Auditing,
Vol. 7, No. 3, pp. 191208.
Allegrini, M., D'Onza, G., Melville, R., Paape, L. &
Sarens, G. (2008), CBOK Europe: A State of the Art
of the Internal Audit Profession in Europe. Paper
presented at the First Global Academic Conference
on Internal Auditing and Corporate Governance,
2022 April, Rotterdam.
Arena, M., Arnaboldi, M. & Azzone, G. (2006),
Internal audit in Italian organizations: a multiple
case study, Managerial Auditing Journal, Vol. 21, No.
3, pp. 27592.
Barrett, M. J. (1986), Measuring internal auditing
performance, Internal Auditing, Vol. 2, pp. 3035.
Beasley, M. S., Clune, R. & Hermanson, D. R. (2005),
ERM: a status report, The Internal Auditor, Vol. 62,
No. 1, pp. 6773.
Bishop, W. G. III, Hermanson, D. R., Lapides, P. D. &
Rittenberg, L. E. (2000), The year of the audit
committee, The Internal Auditor, Vol. 57, No. 2, pp.
4651.
Blackburn, S. D. (2004), How effective is your internal
audit function?, Online available: www.in2itive.biz
Blue Ribbon Committee (BRC) on Improving the
Effectiveness of Corporate Audit Committees
(1999), Report and Recommendations of the Blue Ribbon
Committee on Improving the Effectiveness of Audit
Committees. New York: NYSE and NASD.
Bou-Raad, G. (2000), Internal auditors and a
value-added approach: The new business regime,
Managerial Auditing Journal, Vol. 15, No. 4, pp. 182
6.
Braiotta, L. (1999), The Audit Committee Handbook, 3rd
edn. New York: John Wiley.
Brody, R. G., Golen, S. P. & Reckers, P. M. J. (1998),
An empirical investigation of the interface between
internal and external auditors, Accounting and
Business Research, Vol. 28, No. 3, pp. 16072.
Burnaby, P. & Hass, S. (2008), A Global Summary
of the Common Body of Knowledge 2006 US
Respondents Compared to Non-US Respondents,
Paper presented at the First Global Academic
Conference on Internal Auditing and Corporate
Governance, 2022 April, Rotterdam.
Carcello, J. V., Hermanson, D. R. & Raghunandan, K.
(2005), Changes in internal auditing during the
time of the major US accounting scandals,
International Journal of Auditing, Vol. 9, No. 2, pp.
11727.
Cashell, J. D. & Aldhizer III, G. R. (2002), An
examination of internal auditors' emphasis on value
added services, Internal Auditing, Vol. 17, No. 5,
pp. 1931.
Clark M. W., Gibbs T. E. & Schroeder, R. G. (1981),
How CPAs evaluate internal auditors, CPA Journal,
Vol. 51, pp. 1015.
Combined Code (2003), The Combined Code on
Corporate Governance, London: Financial Reporting
Council.
Committee of Sponsoring Organizations of the
Treadway Commission (COSO) (1992), Internal
Control-Integrated Framework, New York: Coopers
and Lybrand.
Committee of Sponsoring Organizations of the
Treadway Commission (COSO) (2004), Enterprise
Risk Management-Integrated Framework, New York:
COSO.
Cooper, B. J., Leung, P. & Mathews, C. (1994), Internal
audit: An Australian profile, Managerial Auditing
Journal, Vol. 9, No. 3, pp. 1319.
Cooper, B. J., Leung, P. & Mathews C. M. H. (1996),
Benchmarking a comparison of internal audit in
Australia, Malaysia and Hong Kong, Managerial
Auditing Journal, Vol. 11, No. 1, pp. 2329.
Cooper, B. J., Leung, P. & Wong, G. (2006), The Asia
Pacific literature review on internal auditing,
Managerial Auditing Journal, Vol. 21, No. 8, pp.
82234.
Coram, P., Ferguson, C. & Moroney, R. (2008),
Internal audit, alternative internal audit structures
and the level of misappropriation of assets fraud,
Accounting & Finance, Vol. 48, No. 4, pp. 543
59.
De La Rosa, S. (2005), ERM-based audit reports, The
Internal Auditor, Vol. 62, No. 6, pp. 7376.
Dittenhofer, M. (2001), Internal audit effectiveness: an
expansion of present methods, Managerial Auditing
Journal, Vol. 16, No. 8, pp. 44350.
Dunlop, A. & Hassall, T. (1997), Learning never
stops, Internal Auditing, October, pp. 2223.
Fadzil, F. H., Haron, H. & Jantan, M. (2005), Internal
auditing practices and internal control system,
Managerial Auditing Journal, Vol. 20, No. 8, pp.
84466.
Felix, W. L., Gramling, A. A. & Maletta, M. J. (2001),
The contribution of internal audit as a determinant
of external audit fees and factors influencing this
contribution, Journal of Accounting Research, Vol. 39,
No. 3, pp. 51325.
Flesher, D. L. & Zanzig, J. S. (2000), Management
accountants express a desire for change in the
functioning of internal auditing, Managerial
Auditing Journal, Vol. 15, No. 7, pp. 3317.
Fraser, I. & Henry, W. (2007), Embedding risk
management: Structures and approaches,
Managerial Auditing Journal, Vol. 22, No. 4, pp.
392409.
Frigo, M. L. (2002), A Balanced Scorecard Framework for
Internal Auditing Departments, Altamonte Springs,
FL: The Institute of Internal Auditors Research
Foundation.
Gibbs, T. E. & Schroeder, R. G. (1979), Evaluating
the competence of internal audit departments, in
Symposium on Auditing Research HI. Urbana:
University of Illinois, pp. 207225.
Goodwin, J. (2003), The relationship between the
audit committee and the internal audit function:
Evidence from Australia and New Zealand,
International Journal of Auditing, Vol. 7, No. 3, pp.
26378.
Goodwin, J. & Yeo, T. Y. (2001), Two factors affecting
internal audit independence and objectivity:
Evidence from Singapore, International Journal of
Auditing, Vol. 5, No. 2, pp. 10725.
Goodwin-Stewart, J. & Kent, P. (2006), The use of
internal audit by Australian companies, Managerial
Auditing Journal, Vol. 21, No. 1, pp. 81101.
Gramling, A. A. & Myers, P. M. (1997), Practitioners'
and users' perceptions of the benefits of certification
of internal auditors, Accounting Horizons, Vol. 11,
No. 1, pp. 3953.
Gramling, A. A., Maletta, M. J., Schneider, A. &
Church, B. K. (2004), The role of the internal audit
function in corporate governance: A synthesis of the
extant internal auditing literature and directions
for future research, Journal of Accounting Literature,
Vol. 23, pp. 194244.
Griffiths, P. (1999), Understanding the expectations
of finance directors towards internal audit and its
future, Managerial Auditing Journal, Vol. 14, No. 9,
pp. 48996.
Gul, F. A. & Subramaniam, N. (1994), Audit
committee, gifts and discounts, familiarity as
factors affecting internal auditors professional
objectivity, The Review of Business Studies, Vol. 3,
No. 1, pp. 8899.
Hass, S., Abdolmohammadi, M. J. & Burnaby, P.
(2006), The Americas literature review on internal
auditing, Managerial Auditing Journal, Vol. 21, No. 8,
pp. 83544.
Heinrich, C. J. (2002), Outcomes-based performance
management in the public sector: Implications for
government accountability and effectiveness, Public
Administration Review, Vol. 62, No. 6, pp. 71225.
Institute of Internal Auditors (IIA) (1999), Definition
of Internal Auditing, Altamonte Springs, FL: The
Institute of Internal Auditors.
Institute of Internal Auditors (2000), Professional
Internal Auditing Standards: Standards for the
Professional Practice of Internal Auditing and Statement
of Responsibilities of Internal Auditors, Altamonte
Springs, FL: Institute of Internal Auditors.
Institute of Internal Auditors Belgium (2006), Internal
Audit in Belgium: The Shaping of Internal Audit
Today and the Future Expectations Survey
Results, Brussels: The Institute of Internal Auditors
Belgium, available at: www.iiabel.be.
Institute of Internal Auditors UK and Ireland (2004),
The role of internal audit in enterprise-wide risk
management, Position Statement, London.
Jackson, R. A. (2005), Role play, The Internal Auditor,
Vol. 62, No. 2, p. 44.
Jordan, J. (1995), Control Self Assessment: Making the
Right Choice, Altamonte Springs, FL: Institute of
Internal Auditors.
Kalbers, L. P. & Fogarty, T. J. (1995), Professionalism
and its consequences: A study of internal auditors,
Auditing: A Journal of Practice and Theory, Vol. 14, No.
1, pp. 6486.
Koutoupis, A. (2006), Corporate Governance and
Business Risk Management Regulations and Best
Practices Impact on Internal Controls and Internal
Audit Activities within Greek Publicly Listed
Enterprises, Paper presented at the Fourth
European Academic Conference on Internal Audit
and Corporate Governance, London.
KPMG (2004), Building a success model for internal audit:
The balanced scorecard. Available online at:
http://www.kpmg.com.sg/publications/ras_BuildingASuccess.pdf.
Krumwiede, K. (1998), The implementation stages of
activity-based costing and the impact of contextual
and organisational factors, Journal of Management
Accounting Research, Vol. 10, pp. 23977.
Kwon, I. G. & Banks, D. W. (2004), Factors related to
the organizational and professional commitment of
internal auditors, Managerial Auditing Journal, Vol.
19, No. 5, pp. 60622.
Lampe, J. C. & Sutton, S. G. (1994), Evaluating the
work of internal audit: a comparison of standards
and empirical evidence, Accounting and Business
Research, Vol. 24, Autumn, pp. 33548.
Leithhead, B. S. (1999), Managing change and size
risks, The Internal Auditor, Vol. 56, No. 6, pp. 6869.
Lewington, D. (1996), 2020 vision, Managerial
Auditing Journal, Vol. 11, No. 7, pp. 311.
Lindow, P. E. & Race, J. D. (2002), Beyond traditional
audit techniques, Journal of Accountancy, Vol. 194,
No. 1, pp. 2833.
Long, J. S. & Freese, J. (2006), Regression Models for
Categorical Dependent Variables, Using Stata, Rev.
edn. College Station, TX: Stata Press.
Makosz, P. & McCuaig, B. W. (1990), Ripe for
renaissance, Internal Auditor, December.
Maletta, M. J. (1993), An examination of auditors
decisions to use internal auditors as assistants: The
effect of inherent risk, Contemporary Accounting
Research, Vol. 9, No. 2, pp. 50826.
Matyjewicz, G. & D'Arcangelo, J. R. (2004), ERM-based
auditing, Internal Auditing, Vol. 19, No. 6,
pp. 418.
Mat Zain, M. & Subramaniam, N. (2007), Internal
auditor perceptions on audit committee
interactions: A qualitative study in Malaysian public
corporations, Corporate Governance: An International
Review, Vol. 15, No. 5, pp. 894908.
Mat Zain, M., Subramaniam, N. & Stewart, J. (2006),
Internal auditors assessment of their contribution
to financial statement audits: The relation with
audit committee and internal audit function
characteristics, International Journal of Auditing, Vol.
10, No. 1, pp. 118.
McCuaig, B. W. (1998), Auditing assurance and CSA,
The Internal Auditor, June.
Mediobanca (2003), Le principali società italiane,
Available online at: www.mbres.it.
Melville, R. (1999), Control self assessment in the
1990s: The UK perspective, International Journal of
Auditing, Vol. 3, No. 3, pp. 191206.
Melville, R. (2003), The contribution internal auditors
make to strategic management, International Journal
of Auditing, Vol. 7, No. 3, pp. 20922.
Messier, W. F. & Schneider, A. (1988), A hierarchical
approach to the external auditors evaluation of
the internal auditing function, Contemporary
Accounting Research, Vol. 4, Spring, pp. 33753.
Mihret, D. G. & Yismaw, A. W. (2007), Internal audit
effectiveness: An Ethiopian public sector case
study, Managerial Auditing Journal, Vol. 22, No. 5,
pp. 47084.
Myers, P. M. & Gramling, A. A. (1997), The perceived
benefits of certified internal auditor designation,
Managerial Auditing Journal, Vol. 12, No. 2, pp. 7079.
Nagy, A. L. & Cenker, W. J. (2002), An assessment
of the newly defined internal audit function,
Managerial Auditing Journal, Vol. 17, No. 3, pp. 1307.
O'Regan, D. (2001), Genesis of a profession: Towards
professional status for internal auditing, Managerial
Auditing Journal, Vol. 6, No. 4, pp. 21527.
Oppenheim, A. N. (1966), Questionnaire Design and
Attitude Measurement, London: Heinemann.
Paape, L., Scheffe, J. & Snoep, P. (2003), The
relationship between the internal audit function and
corporate governance in the EU A survey,
International Journal of Auditing, Vol. 7, No. 3, pp.
24762.
Page, M. & Spira, L. F. (2004) The Turnbull Report,
Internal Control and Risk Management: The Developing
Role of Internal Audit, The Institute of Chartered
Accountants of Scotland.
Perrin, B. (1998), Effective use and misuse of
performance measurement, American Journal of
Evaluation, Vol. 19, No. 3, pp. 36779.
Power, M. (2007), Organized Uncertainty, Designing
a World of Risk Management, Oxford: Oxford
University Press.
Raghunandan, K., Rama, D. & Scarbrough, P. (1998),
Accounting and auditing knowledge level of
Canadian audit committees: Some empirical
evidence, Journal of Internal Accounting, Auditing
and Taxation, Vol. 7, No. 2, pp. 18194.
Raghunandan, K., Read, W. J. & Rama, D. V. (2001),
Audit committee composition, gray directors,
and interaction with internal auditing, Accounting
Horizons, Vol. 15, No. 2, pp. 10518.
Ridley, J. & D'Silva, K. (2008), Explorations into
Cutting Edge Internal Auditing since 1941, Paper
presented at the First Global Academic Conference
on Internal Auditing and Corporate Governance,
2022 April, Rotterdam.
Salierno, D. (2000), The right measures, The Internal
Auditor, Vol. 57, No. 1, pp. 4146.
Sarens, G. & De Beelde, I. (2006a), Internal auditors
perception about their role in risk management: A
comparison between US and Belgian companies,
Managerial Auditing Journal, Vol. 21, No. 1, pp. 6380.
Sarens, G. & De Beelde, I. (2006b), The relationship
between internal audit and senior management:
A qualitative analysis of expectations and
perceptions, International Journal of Auditing, Vol.
10, No. 3, pp. 21941.
Sawyer, L. B. (1995), An internal audit philosophy,
The Internal Auditor, August, pp. 4655.
Sawyer, L. B. (2003), Sawyer's Internal Auditing. The
Practice of Modern Internal Auditing, Altamonte
Springs, FL: Institute of Internal Auditors, Inc.
Scarbrough, D. P., Rama, D. V. & Raghunandan, K.
(1998), Audit committee composition and
interaction with internal auditing: Canadian
evidence, Accounting Horizons, Vol. 12, No. 1, pp.
5162.
Simons, R. (1994), How new top managers use control
systems as levers of strategic renewal, Strategic
Management Journal, Vol. 15, pp. 16989.
Smith, P. (1995), Performance indicators and
outcomes in the public sector, Public Money &
Management, Vol. 15, No. 4, pp. 1316.
Spraakman, G. (1997), Transaction cost economics:
A theory of internal audit, Managerial Auditing
Journal, Vol. 17, No. 7, pp. 32330.
Spira, L. F. & Page, M. (2003), Risk management: The
reinvention of internal control and the changing
role of internal audit, Accounting, Auditing and
Accountability Journal, Vol. 16, No. 4, pp. 64061.
Tettamanzi, P. (2003), Internal Auditing: Evoluzione
storica, stato dell'arte e tendenze di sviluppo. Italia e
Regno Unito a confronto. Milan: Egea.
Turnbull (1999), Internal Control: Guidance for Directors
of Listed Companies Incorporated in the United
Kingdom, London: Institute of Chartered
Accountants in England and Wales.
Van Gansberghe, C. N. (2005), Internal auditing in
the public sector: A consultative forum in Nairobi,
Kenya, shores up best practices for government
audit professionals in developing nations, Internal
Auditor, Vol. 62, No. 4, pp. 6973.
Van Peursem, K. (2004), Internal auditors role and
authority: New Zealand evidence, Managerial
Auditing Journal, Vol. 19, No. 3, pp. 37893.
Van Peursem, K. (2005), Conversations with internal
auditors: The power of ambiguity, Managerial
Auditing Journal, Vol. 20, No. 5, pp. 489512.
Walker, R. G. (2004), Gaps in guidelines on audit
committees, Abacus, Vol. 40, No. 2, pp. 15792.
Wang, X. (1997), Development trends and future
prospects of internal auditing, Managerial Auditing
Journal, Vol. 12, No. 4/5, pp. 2004.
Ziegenfuss, D. E. (2000), Measuring performance,
The Internal Auditor, Vol. 57, No. 1, pp. 3640.

AUTHOR PROFILES
Marika Arena is a researcher at Politecnico di
Milano, Italy. She received her PhD from
Politecnico di Milano in 2007. Her research
interests are in internal auditing and management
accounting.
Giovanni Azzone is a professor of management
control systems at Politecnico di Milano, Italy. His
research interests include performance evaluation
in public sectors, management accounting,
strategic management and internal auditing.
