Professional Documents
Culture Documents
SUMMARY
In recent years, the role of internal auditing (IA)
in corporate governance has received increasing
attention, due to its links to the internal control-risk
management system. Internal auditors have
exploited this renewed interest by transforming
their functions and extending their areas of
involvement to risk management, control and
governance processes. Such changes have had the
aim of increasing the value added by IA to
organizations. However, this change also requires
a redesigning of IA processes, competencies and
roles.
This study provides empirical evidence of the
organizational choices that could help improve the
effectiveness of IA. We have defined how to
measure IA effectiveness and identified research
Correspondence to: Marika Arena, Dipartimento di Ingegneria
Gestionale, Politecnico di Milano, Piazza Leonardo da Vinci, 32,
Milan, Italy. Email: marika.arena@polimi.it
audit
committee,
corporate
ISSN 1090-6738
2009 Blackwell Publishing Ltd, 9600 Garsington Rd, Oxford OX4 2DQ,
UK and Main St., Malden, MA 01248, USA.
44
INTRODUCTION
Over the last few years, scholars and practitioners
have acknowledged that internal auditing (IA)
should undergo a major change in order to add
more value to a company. For this reason, IA
has been extending its area of involvement, from
more traditional accounting and financial control,
to operational control and to risk management
and corporate governance (Institute of Internal
Auditors, 1999; Spira & Page, 2003). Recent
contributions have stressed how IA can act to
achieve this aim. First, it can make line managers
conscious of their responsibility concerning risks
and controls (see, for instance, COSO, 2004; the
Turnbull Report, 1999). Second, it can act as a
consultant that monitors risks, identifies
weaknesses in control systems and facilitates the
implementation of enterprise risk management
(ERM) (Leithhead, 1999; Lindow & Race, 2002; Spira
& Page, 2003; Matyjewicz & DArcangelo, 2004; Page
& Spira, 2004; Beasley et al., 2005; Sarens & De
Beelde, 2006a; Fraser & Henry, 2007). Third, it can
aid the audit committee (AC) and external auditors
in their duties, especially when the AC is in charge
of monitoring the internal control system
(Goodwin, 2003; Gramling et al., 2004; Mat Zain &
Subramaniam, 2007).
Empirical evidence of the efforts of IA to take
on these new roles has been provided in research
from different countries. In the USA and Australia,
recent research has highlighted a paradigmatic
shift in the activities performed by internal
auditors, which is coherent with the definition of
the IIA1 (see, for instance, Bou-Raad, 2000; Nagy &
Cenker, 2002; Cooper et al., 2006; Hass et al., 2006;
Burnaby & Hass, 2008). In Europe, the situation is
still very diversified. However, there are several
signs of the IA attempting to extend its area of
involvement (see, for instance, Melville, 2003;
Paape et al., 2003; Sarens & De Beelde, 2006a).
According to the results of the recent CBOK project,
over the last few years, IA activities in European
companies have increasingly been focusing on
consulting, governance, IT and management
Blackwell Publishing Ltd. 2009
45
Resources and
competencies of an
IA team
+
Processes and
activities:
Involvement of IA in
risk management
IA
Effectiveness
+
+
Organizational role:
level of interaction
between IA and AC
46
RESEARCH METHOD
Sampling and conduct of survey
The data collection was based on a survey of the
largest companies in Italy. The initial sample
targeted the top 300 Italian companies
(Mediobanca, 20032) and included a few financial
holdings. To make the sample more consistent,
we replaced the holding companies with their
operational subsidiaries, ending up with 364
organizations, competing in a wide range of
activities (manufacturing, bank and insurance,
utilities, etc.). The resulting sample was also
diversified in terms of listing choices and included
both listed and unlisted organizations.
The survey design was based on questions that
could be easily answered by the target-respondents
(the CAEs) and which would limit possible
framing effects. In order to develop the tool for
the data collection correctly, the questions
were previously discussed with some CAEs to
understand how the respondents would interpret
the questions. In addition, the questionnaire
was first tested in some companies before being
distributed to the whole sample; the pilot test led to
a few changes in order to make the questions more
understandable.
Before delivering the questionnaires, telephone
calls were used to confirm whether the companies
had an IA department. Sixty organizations from the
initial sample had no IA unit and were excluded
from the study. In the remaining companies, the
researchers contacted the CAEs to present the
research objectives and arrange the delivery of
Blackwell Publishing Ltd. 2009
47
No. of
% of
respondents respondents
43
4
1
4
6
5
6
28.1
2.6
0.7
2.6
3.9
3.3
3.9
4
7
1
1
5
2
10
7
7
2
6
2
3
3
1
2
4
7
10
153
2.6
4.6
0.7
0.7
3.3
1.3
6.5
4.6
4.6
1.3
3.9
1.3
2.0
2.0
0.7
1.3
2.6
4.6
6.5
100.0
48
No. of
non-respondents
% of
non-respondents
Lack of time
Lack of interest
Centralized
audit
department
IA Department
recently
introduced
Not known
Not applicable
Privacy
Difficult
contingent
situation
Other
Total
38
3
27
28.36%
2.24%
20.15%
1.49%
43
8
5
4
32.09%
5.97%
3.73%
2.99%
4
134
2.99%
100.00%
49
No.
1 (<20%)
2 (20% < n < 50%)
3 (50% < n < 80%)
4 (>80%)
Total
12
29
69
43
153
7.84
18.95
45.10
28.10
100.00
Independent variables
The list of independent variables and their
descriptive statistics are presented in Tables 4 and
5. The constructs investigated in this research
include: (1) the size of the IA units, (2) the internal
auditors competencies, (3) the involvement of the
internal auditors in activities supporting risk
management processes, and (4) the level of
interaction between the IA and AC.
In order to measure the size of an IA unit,
reference was made to two variables. First, the
number of internal auditors (NIAS), which was
also used in prior research as an indicator of
the resources potentially available to the IA
departments (see, for instance, Goodwin & Yeo,
2001; Goodwin, 2003; Paape et al., 2003; Carcello et
al., 2005; Goodwin-Stewart & Kent, 2006; Mat Zain
et al., 2006). A logarithmic transformation was
applied to improve the reliability of the measure
and reduce collinearity when performing the
regression analysis (see, for instance, Mat Zain et
al., 2006).3
Second, we adopted the ratio between the
number of internal auditors and the number of
employees in the analysed companies (RATIO).
The adoption of a relative measure provides a more
significant indication of the resources that are
actually available for IA activities (see also Makosz
& McCuaig, 1990).
The second construct refers to internal auditors
competencies. Here, three variables were adopted:
the membership of the Chief Audit Executive
(CAE) to the Institute of Internal Auditors (IIA), the
achievement of professional certification issued
by the IIA (CERT_IIA) and the achievement of
Certified Public Accountant certification by the
internal auditors (CERT_CPA).
The IIA plays a relevant role in the education and
training of internal auditors by organizing courses,
Int. J. Audit. 13: 4360 (2009)
50
No.
Min
Max
Mean
Std.
deviation
153
153
153
0.00
0.00
0.00
6.40
0.13
1.00
1.66
0.01
0.07
1.24
0.01
0.17
153
0.00
1.00
0.09
0.22
153
153
153
153
153
153
153
153
0.00
0.00
0.00
-1.16
0.00
16.10
0.00
0.00
1.00
4.26
1.00
1.36
5.00
25.18
1.00
1.00
0.65
2.12
0.62
0.00
1.78
20.95
0.28
0.50
0.48
1.03
0.49
1.00
1.59
1.57
0.45
0.50
(1)
(2)
(3)
(4)
(5)
(6)
(7)
(8)
(9)
(10)
(11)
(12)
lnNIAS
RATIO
CERT_IIA
CERT_CPA
IIA
lnRM
CRSA
FSCAC
FREQAC
lnSALE
IND
LIST
(1)
0.170*
1
(2)
(3)
-0.011
-0.119
1
0.280**
-0.141
0.180*
-0.086
1
(5)
-0.143
-0.003
0.111
0.007
-0.083
1
(6)
0.080
-0.164*
0.108
0.172*
0.043
0.064
1
(7)
0.182*
0.050
0.001
0.127
0.079
0.015
0.254**
1
(8)
0.113
0.059
-0.024
0.188*
0.106
0.016
0.301**
0.836**
1
(9)
0.374**
-0.203*
0.227**
-0.238**
0.459**
-0.017
0.046
0.072
0.102
1
(10)
0.264**
0.354**
-0.231**
-0.202*
-0.147
-0.110
0.039
0.065
0.149
-0.256**
1
(11)
0.106
-0.212**
0.024
0.114
0.142
-0.048
0.140
0.323**
0.310**
0.163*
-0.193*
1
(12)
52
Component
0.959
0.935
0.951
0.943
71.90
28.10
FSCAC
53
The model
In order to explore the research hypotheses, we
adopted an ordinal logit regression model, since
the dependent variable is a Likert-scale item.
Standard tests were performed to verify the
reliability of the model and these provided
acceptable results concerning the underlying
assumptions (Long & Freese, 2006). The
approximate likelihood-ratio test suggests that the
proportional odds assumption was not violated
(chi2 = 27.10, p = 0.30).
The following regression model was tested:
Blackwell Publishing Ltd. 2009
Coefficients
Standard
errors
Significance
P > |z|
-0.101
-0.263
0.016
-0.194
84.908
-0.436
0.152
0.574
0.386
0.196
26.275
0.983
-0.66
-0.46
0.04
-0.99
3.23
-0.44
0.507
0.647
0.968
0.322
0.001
0.657
0.021
0.937
0.02
0.982
1.321
0.021
1.518
1.345
0.538
0.415
0.169
0.416
0.363
0.234
3.18
0.13
3.65
3.71
2.30
0.001
0.900
0.000
0.000
0.022
RESULTS
Table 8 presents the results of the regression
analysis carried out on the percentage of
recommendations suggested by the internal
auditors and actually implemented by the auditees.
The regression model is statistically significant
(LR chi2 = 134.38; p < 0.00, pseudo R2 = 0.36).
Unexpectedly, the data analysis shows that none of
the control variables are related to the effectiveness
of the IA unit. Instead, the regression analysis made
it possible to at least partially validate the
previously formulated hypotheses.
As far as the first research hypothesis is
concerned, the statistical analysis showed a positive
Int. J. Audit. 13: 4360 (2009)
54
55
56
ACKNOWLEDGEMENTS
The authors wish to thank the editor and the two
anonymous reviewers for their comments and
advice.
NOTES
1. Internal auditing is an independent, objective
assurance and consulting activity designed to
add value and improve an organizations
operations. It helps an organization accomplish
its objectives by bringing a systematic,
disciplined approach to evaluate and improve
the effectiveness of risk management, control,
and governance processes (IIA, 2000).
2. Mediobanca is the leading investment bank in
Italy and its Research Department is a highly
specialized centre for financial analysis and
research. The annual editions of the Top Italian
Companies constitutes the most authoritative and
complete classification of the main Italian
corporations.
3. However, this measure is based on
self-evaluation by the CAE and we did not
distinguish between assurance and consulting
activities in relation to risk assessment and its
use can therefore be open to criticism.
4. Consistent with this choice, the descriptive
statistics show the logarithmic transformation of
the NIAS variable. The minimum value reported
is zero, which corresponds to one internal
auditor (since ln 1 = 0).
REFERENCES
Al-Twaijry, A. A. M., Brierley, J. A. & Gwilliam, D. R.
(2003), The development of internal audit in Saudi
Arabia: an institutional theory perspective, Critical
Perspective on Accounting, Vol. 14, No. 5, pp. 50731.
Al-Twaijry, A. A. M., Brierley, J. A. & Gwilliam, D. R.
(2004), An examination of the relationship between
internal and external audit in the Saudi Arabian
corporate sector, Managerial Auditing Journal, Vol.
19, No. 7, pp. 92945.
Blackwell Publishing Ltd. 2009
57
58
59
60
AUTHOR PROFILES
Marika Arena is researcher at Politecnico di
Milano, Italy. She received her PhD from
Politecnico di Milano in 2007. Her research
interests are in internal auditing and management
accounting.
Giovanni Azzone is professor of management
control systems at Politecnico di Milano, Italy. His
research interests include performance evaluation
in public sectors, management accounting and
strategic management and internal auditing.