Managerial Auditing Journal

An assessment of the newly defined internal audit function

Albert L. Nagy William J. Cenker
Article information:
To cite this document:
Albert L. Nagy William J. Cenker, (2002),"An assessment of the newly defined internal audit function", Managerial Auditing
Journal, Vol. 17 Iss 3 pp. 130 - 137
Permanent link to this document:
http://dx.doi.org/10.1108/02686900210419912
Downloaded on: 10 May 2015, At: 09:17 (PT)
References: this document contains references to 7 other documents.
To copy this document: permissions@emeraldinsight.com
The fulltext of this document has been downloaded 4294 times since 2006*
Users who downloaded this article also downloaded:
Laura F. Spira, Michael Page, (2003),"Risk management: The reinvention of internal control and the changing
role of internal audit", Accounting, Auditing & Accountability Journal, Vol. 16 Iss 4 pp. 640-661 http://
dx.doi.org/10.1108/09513570310492335
Downloaded by New York University At 09:17 10 May 2015 (PT)

Michael B. Adams, (1994),"Agency Theory and the Internal Audit", Managerial Auditing Journal, Vol. 9 Iss 8 pp. 8-12 http://
dx.doi.org/10.1108/02686909410071133
Dominic S.B. Soh, Nonna Martinov-Bennie, (2011),"The internal audit function: Perceptions of internal
audit roles, effectiveness and evaluation", Managerial Auditing Journal, Vol. 26 Iss 7 pp. 605-622 http://
dx.doi.org/10.1108/02686901111151332

Access to this document was granted through an Emerald subscription provided by 198285 []
For Authors
If you would like to write for this, or any other Emerald publication, then please use our Emerald for Authors service
information about how to choose which publication to write for and submission guidelines are available for all. Please
visit www.emeraldinsight.com/authors for more information.
About Emerald www.emeraldinsight.com
Emerald is a global publisher linking research and practice to the benefit of society. The company manages a portfolio of
more than 290 journals and over 2,350 books and book series volumes, as well as providing an extensive range of online
products and additional customer resources and services.
Emerald is both COUNTER 4 and TRANSFER compliant. The organization is a partner of the Committee on Publication
Ethics (COPE) and also works with Portico and the LOCKSS initiative for digital archive preservation.

*Related content and download information correct at time of download.

 An assessment of the newly defined internal audit
function
Keywords
Internal audit, Committees,
Risk management,
Corporate governance,
Competences
Abstract
Downloaded by New York University At 09:17 10 May 2015 (PT)
The new definition of internal
auditing defines the function as an
independent, objective assurance
and consulting activity designed
to add value and improve an
organization's operations. The
purpose of this paper is to
summarize an assessment of this
new definition obtained through
structured interviews from 11
internal audit directors of large
publicly traded companies. The
responses from the directors
indicate that there are wide
differences in viewpoints and
objectives; but a definite shift has
occurred in the overall scope of
internal audit towards operational
activities. While most of the
interviewees are in conceptual
agreement with the new internal
audit definition, an underlying
warning is vocalized: ``Don't throw
out the franchise''. That is, the
traditional role of the internal
auditor should not be completely
abandoned. These, along with
other responses pertaining to
related issues and suggestions for
future research, are summarized
throughout the paper.
Managerial Auditing Journal
17/3 [2002] 130±137
# MCB UP Limited
[ISSN 0268-6902]
[DOI 10.1108/02686900210419912]
[ 130 ]
Albert L. Nagy
Department of Accountancy, John Carroll University, Cleveland, Ohio, USA
William J. Cenker
Department of Accountancy, John Carroll University, Cleveland, Ohio, USA
Introduction
In June 1999, the Institute of Internal
Auditors (IIA) officially adopted a new
definition of the internal auditing function.
The new definition was developed by the
Guidance Task Force (GTF) and defines the
internal audit function as:
an independent, objective assurance and
consulting activity designed to add value and
improve an organization's operations. It helps
an organization accomplish its objectives by
bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of
risk management, control, and governance
processes (IIA, 2000).
The new definition shifts the focus of the
internal audit function from one of assurance
to that of value added and attempts to move
the profession toward a standards-driven
approach with a heightened identity
(Bou-Raad, 2000; Krogstad et al., 1999).
The overriding issue addressed in this
paper is whether or not the new definition
actually reflects the day-to-day activities of
internal audit departments. That is, have the
activities of internal auditors really changed?
In addition, the new definition of internal
audit elicits other issues worthy of
examination. For example, do internal audit
departments have sufficient resources and
expertise to fulfill their role as consultants?
Has there been adequate coordination with
the other traditional corporate governance
parties (e.g. audit committees and external
auditors) in regard to the changing focus of
internal audit? Where does the newly defined
internal audit department fit in the
company's organizational structure? This
article summarizes the responses and
insights to these and other related questions
from internal audit directors of large
publicly traded companies.
With the objective of obtaining meaningful
insight, we conducted structured interviews
The current issue and full text archive of this journal is available at
http://www.emeraldinsight.com/0268-6902.htm
with the directors of internal audit of 11 large
publicly traded companies (average revenues
approximately $6.4 billion), most of which
have their main offices located in northeast
Ohio. The directors are perceived as highly
motivated, well-seasoned professionals with
tenures in their current positions ranging
from two to 19 years, and internal audit staffs
ranging from three to 70 individuals. The
directors have an average of 17 years
experience in internal audit, and 19 years
with their present employer. We consider
these individuals to be some of the leading
professionals in the field of internal auditing,
and believe that their opinions and insight
would be valuable to the financial community.
The structured interviews addressed the
following four areas of interest:
1 Audit scope ± what is the overall
orientation of the internal audit
department and has it changed?
2 Organizational structure ± how is the
internal audit department perceived and
evaluated?
3 Risk management ± how does the director
assess business risk and identify audit
areas to target?
4 Audit committee ± what are the audit
committee's expectations of internal
audit?
The issues discussed with the directors are
couched in terms of discussing the changes
within their respective departments over a
ten-year time frame. Those individuals who
had not been with their respective companies
for ten years represented to have a good
understanding of their companies'
environment in the early 1990s. The remainder
of this paper provides a summary of the
responses provided by the directors to selected
questions in the above stated categories, along
with some general comments.
The scope and orientation of
internal audit
The questions in this section of the interview
address the overall orientation of the
 Albert L. Nagy and
William J. Cenker
An assessment of the newly
defined internal audit function
Managerial Auditing Journal
17/3 [2002] 130±137
Downloaded by New York University At 09:17 10 May 2015 (PT)
interviewee's internal audit department, any
recent shift in this orientation, and several
surrounding issues arising from this shift.
Based on our discussions and consistent with
the new internal audit definition, the
orientation of internal audit has shifted
toward consulting and value added services
and away from the traditional assurance
services. Such a shift raises several
interesting issues including: has the external
auditor compensated for the reduction in
assurance services previously provided by
internal audit, and who determines the scope
of activities for the newly defined internal
audit function? The following is a
summarization of the responses to these and
other selected questions in this section of the
interview.
Question: do you agree with the changing
definition/role of the internal audit
function?
The directors interviewed generally agree
that the changed internal audit definition
focusing on value-added activities is
appropriate. Those directors in support
generally believe that ``there are no cost-
savings for departments focusing on
financials,'' and that the ``responsibility of
financial reporting `watchdog' falls mainly
on the external auditor.'' Although these
directors agree with the new definition, the
impact it has on their department's scope and
activities is minimal. A recurring
observation from the directors was that their
respective internal auditing departments
have been focusing on value-added activities
for years, and that ``the definition has finally
caught up with practice.''
Interestingly, several directors take
exception to the use of the term ``consultants''
to describe their internal auditors and are
careful to distinguish between operational
auditing and consulting. For example, one
director defines operational auditing as
``assessing business processes and controls
against established criteria. Value-adding
recommendations may or may not result
from such audits.'' In other words,
operational auditing involves the assessment
of the effectiveness of internal controls and
systems in place, and is clearly a function of
internal audit. Being a consultant, on the
other hand, was viewed as ``having a level of
knowledge and expertise that most internal
auditors do not possess.'' Consultants are
hired to solve problems or recommend
solutions, which is a different function than
assessing controls or procedures against
established criteria.
Along with questioning the capabilities
of internal auditors as consultants,
several directors are weary of the longevity
of the consultant's role. That is, consultants
are ``hired to fix problems and then go away,''
certainly not a desirable role for most
internal auditors. Thus, despite the fact
that the new internal audit definition
includes consulting as an internal audit
activity, most of the directors refuse to label
the activities of their departments as
``consulting.''
A cautionary reminder to the internal
audit community consistently given by the
directors was to ``not forget our roots.'' These
directors note that the traditional attestation
function of internal audit has been useful to
organizations for many years, and it is the
area of expertise of internal auditors.
Therefore, these directors believe that the
traditional role of internal audit should not
be completely abandoned in favor of the new
``consulting'' directive.
The few directors who disagree with the
new definition believe that any effort exerted
by professional organizations to define
the function of internal audit is fruitless.
While commending the IIA and other
organizations for offering useful guidance to
the profession, one director notes that it is
``foolish for the profession to stand up and
say, this is what you have to be.'' Another
echoes this belief by suggesting that ``the
definition of internal audit should not fall
into generalities because every company is
different. Our current chairman does not feel
that operational auditing has significant
value, certainly not as much as traditional
financial statement auditing does.
Management does, and should, dictate what
we do, not the profession.''
Questions: given the new definition of the
internal audit function, have the objectives
of your department shifted to focus on
value added activities? If so, who initiated
the change?
Most managers opine that the focus had
shifted several years prior to the definitional
change and that the new definition simply
better reflects existing practice. However,
only two managers indicate that the
initiative for the change originated with the
internal audit department. A consistent
theme in the responses is that management,
not the profession, ultimately determines
the orientation of the internal audit
department of a company. One comment
perhaps best illustrates the actual status,
even though the manager agrees with the
changed definition: ``We [internal auditors]
are trying to dictate what we are; but
actually it is dictated by management
expectations.''
[ 131 ]
 Albert L. Nagy and
William J. Cenker
An assessment of the newly
defined internal audit function
Managerial Auditing Journal
17/3 [2002] 130±137
Downloaded by New York University At 09:17 10 May 2015 (PT)
[ 132 ]
Question: assuming a shift in your
department's focus, has there been a
satisfactory coordination with the
activities of the external auditor?
The responses to this question fell on a
spectrum from ``total coordination'' to
``coordination just not being there.'' Not
surprisingly, the level of coordination with
the external auditor seems to be dependent
upon the focus of the internal audit
department. That is, directors of departments
with a significant orientation towards
the traditional assurance/compliance
services indicate far more extensive
coordination with the external auditor. The
directors whose departments have an
operational focus generally consider their
role (that of improving operational
efficiency) quite different than that of the
external auditor (assuring the financials),
and thus believe that less coordination is
necessary.
A director from a ``pure operational shop''
indicates that the communication between
the internal and external auditors is as if ``the
Great Wall of China exists between the two.
We've got a long way to go and I am not sure
that we will ever get there [coordination].
External auditors perform, at best, only a
cursory review of the suggested internal
audit plans.'' On the other end of the
spectrum, a director of a company that
requires extensive compliance audits,
because of many overseas divisions,
indicates that total coordination exists
between external and internal auditors.
For this company, the external auditor
``performs an extensive review of the internal
audit program so that work will not be
duplicated.''
Several directors of departments focusing
primarily on operational auditing express a
general concern about the level of review
being conducted on the quarterly reports
(10-Qs). These directors note that the shift
in focus toward operations coincides
with a reduction of traditional attestation
testing, and that the external auditors
``had not increased their level of detailed
testing to compensate.'' When asked if the
quarterly statements are being reviewed at
an adequate level, many of the directors
simply did not know. These responses
raise additional questions that may be
worthy of future empirical research.
For example, has the shift towards
operational auditing by the internal auditors
created a gap in the attestation review
function? Are important accounts receiving
adequate attestation review? Are quarterly
results receiving adequate attestation
review?
Questions: based on your experience, what
is the relative input from the following
sources in determining what subject
matter to audit: line manager, top
management, audit committee, internal
audit director, and other? Has this
changed over the past ten years?
Consistent with internal audit departments
moving toward an operational/consulting
orientation, the directors interviewed
indicate that the relative input from the
department's ``customers'' (i.e. line managers
and top management) has increased over the
last ten years. The internal audit directors
still possess significant input in determining
what should be audited, but not nearly as
much as ten years ago. One director, who
labels his department of ten years past as a
``graveyard'' where ``nothing was being
done,'' asserts that the department was run
by a director who dictated 100 percent of the
department's activities without input of any
kind from line managers or top management.
An interesting, and perhaps disturbing,
observation from the responses is that the
audit committee has minimal-to-no input in
determining the audit plan.
Another observation consistent with
internal audit departments moving toward
an operational/consulting orientation is that
directors are allotting significant amounts of
budget time for unanticipated requests from
customers. Arguably, consulting and value-
added activities are more reactionary than
traditional assurance activities and thus are
more difficult to plan. One director from a
``purely operational'' shop sets aside
approximately one-half of his department's
time for unanticipated requests, and justifies
this act by stating ``in the 1980s our activities
were driven internally. In the 2000s, I don't
do it if someone doesn't want it done.''
Organizational structure
Some interesting organizational structure
issues arise from the newly defined internal
audit role. One such issue is how does
management evaluate the activities of
internal audit? That is, the traditional
assurance function of internal audit, often
perceived as a ``necessary evil,'' had a clear
and distinct role within the organization and
the value of these services often went
unquestioned. However, by migrating toward
a consulting role within the organization,
internal audit departments may lose the
safety net of being labeled as a ``necessary
evil'' and may now have to justify the value of
their activities to top management on a
continuous basis. By reaching an
 Albert L. Nagy and
William J. Cenker
An assessment of the newly
defined internal audit function
Managerial Auditing Journal
17/3 [2002] 130±137
Downloaded by New York University At 09:17 10 May 2015 (PT)
understanding with management of what
makes internal audit services value-added,
internal audit ensures that their services will
be fully utilized and that their
recommendations will be respected (Flesher
and Zanzig, 2000). The following is a
summarization of the responses to selected
questions in this section of the interview.
Question: do you feel an increased need to
justify the services of internal auditing to
top management?
Surprisingly, only one of the directors
interviewed found it important to justify the
services of internal audit to top management
on a continuous basis. In general, the
directors believe that their services are
perceived within their organization as
important and have never felt the threat of
being outsourced or discontinued. Most
directors cite a strong ``tone at the top'' in
regard to quality reporting and controls,
and thus feel no need to continuously justify
their existence. The one director who
perceives an ``absolute'' need to justify the
department is in an organization whose
management is committed to value-based
management (VBM), and thus feels
compelled to present cost savings or value
added amounts from internal audit to top
management and the audit committee. These
responses reflect a potential inconsistency. Is
it hypocritical for internal auditors, who
assess the efficiencies and justification of
organizational units' services, to avoid the
scrutiny of being evaluated themselves by
others?
Question: do you measure the amount of
value-added by your department?
Consistent with the previous question's
responses, most of the directors interviewed
do not attempt to quantify or measure the
amount of value that is added from their
department's activities. These directors do
not feel threatened or pressured to justify
their department's services, and thus believe
that measuring the amount of value-added
would be a pointless exercise. Additionally,
these directors opined that the inherent
difficulty in measuring value-added amounts
makes quantifying them impossible or at best
problematic. One director went so far as to
indicate that it is ``dysfunctional'' to report
such an amount because management may
use this number as a benchmark for future
results.
Despite the inherent difficulties in
measuring value-added amounts, a few of the
directors interviewed quantify and report
this amount to top management on an annual
basis. These directors believe that
quantifying and reporting the value-added
amount is a positive process that can be
measured objectively. Annual cost savings
captured by internal audit is the basis for
this measurement. These directors view the
process as ``job security,'' that helps promote
a company-wide attitude of perceiving
internal audit as a ``resource.'' Only one of
the directors is required to formally establish
a target goal as part of the operating budget
(the one director subject to VBM). Reviews of
fleet leasing arrangements (number of
vendors, evaluating lease/purchase options),
and healthcare (improved Medicare
integration, use of generic drugs), were given
as examples where ``real dollar'' savings were
generated by the departments.
Question: do you survey your customers to
obtain feedback about the performance of
your audit staff?
Two viewpoints emerged from the responses.
One group of directors believes that
surveying their customers is a useful
technique in assessing the amount of value
that their department is providing. These
surveys typically ask for an evaluation of the
individual auditor's effectiveness and
professionalism. Most of these directors (all
but one) indicate that the survey results are
not directly linked to the auditor's
compensation, but may be used as criteria
when considering promotions. The one
director whose company formally links the
internal audit department's annual bonus to
survey results represents a department that
is heavily operational in nature and the
director believes that ``customer satisfaction
should weigh in compensation decisions.''
The other group of directors believes that
surveying customers is not a justifiable
exercise for internal audit departments to
perform. This group suggests that such
information is ``worthless'' and could
``potentially undermine the auditor's
objectivity and independence.'' One director
summarizes this group's viewpoint by
stating, ``I want our auditors to do their job
and not worry about `finding' things or
satisfying the customer. An auditor that
does not find anything wrong or discover
cost-savings did not necessarily do a
bad job.''
Question: how receptive are your
customers toward implementing your
department's recommendations?
All of the directors interviewed insist that
their customers (i.e. line managers) are very
receptive toward implementing internal
audit's recommendations. One director's
comments are generally reflective of the
[ 133 ]
 Albert L. Nagy and
William J. Cenker
An assessment of the newly
defined internal audit function
Managerial Auditing Journal
17/3 [2002] 130±137
Downloaded by New York University At 09:17 10 May 2015 (PT)
[ 134 ]
responses to this question: ``If we have more
than one or two recommendations out of 100
not implemented it would be surprising.'' The
reasons given for the high implementation
rates varied. One director stated that
``internal audit works closely with the line
managers to derive an effective and plausible
plan to implement any recommendations.''
Other directors rely on the backing and
influence of upper management to ensure
timely implementation of recommendations.
For example, two of the directors post audit
recommendations on the company-wide
intra-net for all managerial employees
(including upper management) to view.
These recommendations are not removed
until implemented.
Risk management
The internal auditing profession suggests
that ``the internal auditing process provides
assurance to management and the audit
committee that risks to the organization are
understood and managed appropriately'' (IIA,
2000). The newly defined internal audit role
requires the auditor, among other things, to
identify and assess the risks of the company.
This section of the interview addresses what
types of techniques and support are available
to the internal auditors in performing this
function. The following summarizes the
responses to two of the questions included in
this section of the interview.
Question: how are problem areas identified
within your company?
This question generated a wide range of
responses among the directors. Problem
identification procedures range from
judgmental (``seat of the pants'') selection and
traditional audit universe coverage to using
highly complex risk-assessment models.
Those that use a judgmental process
generally believe ``that the expertise and
experience of the people in our department
makes internal audit the logical source to
identify the areas within the company to
examine.'' Criteria such as management
changes, previous audit results, and time
since last audit were often noted as important
judgmental factors.
Several of the directors interviewed use
sophisticated risk models to identify
potential problem areas (areas of high risk)
within their company. These models
consider upward to 100 variables (e.g. size,
management change, system change, last
time audited), primarily driven by the COSO
criteria, when identifying risk areas. Three
of the directors indicate that their companies
had created formal risk management
departments. However, surprisingly, the
level of interaction between internal audit
and these risk management departments is
considered to be minimal.
Whether risk areas are identified through
a ``matrix model'' or by ``seat of the pants''
decisions, the ultimate responsibility for risk
identification lies with the internal audit
director. Although the opinions among the
interviewed directors differed with respect to
what are the best techniques available in
identifying risks, most of the directors
indicate that the overall process has become
more standardized and more effective. One
director suggests that ``the risk models drive
you to the key risk areas. Thus, overall audit
time is more efficiently being spent.''
The directors often mentioned the 1992
Committee on Sponsoring Organizations
(COSO) report on internal control as being an
``overriding drive'' for risk management
activities. That is, several of the directors
attempt to formally integrate the COSO
criteria in their risk management processes.
The level of integration varied from
discussing the COSO concepts with line
management on a periodic basis to
incorporating the COSO criteria in formal
risk models.
Consistent with the new internal audit
definition, all of the internal audit directors
are performing risk assessment activities.
However, the risk assessment techniques
being used by the directors vary
significantly. We encourage future research
to identify and assess common parameters
and methods being employed by internal
audit departments in their risk assessment
function. This research would aid in
determining a ``best practices'' model that
auditors could use in identifying potential
problem areas. In addition, the extent of
coordination between internal audit and
formal risk assessment departments should
be addressed by future research.
Question: to what extent does your
company use a control self-assessment
(CSA) process?
Control self-assessment (CSA) has been
promoted as an effective tool for risk
assessment (Figg, 1999). Although the
directors interviewed share this same
sentiment, only one indicates that CSA is
currently being used within his company
(and at a very minimal level). Generally, the
directors suggest that CSA is difficult and
costly to implement and monitor, and thus
have not used this tool to date. The following
director's comment reflects the underlying
weariness of the group about CSA: ``I don't
 Albert L. Nagy and
William J. Cenker
An assessment of the newly
defined internal audit function
Managerial Auditing Journal
17/3 [2002] 130±137
Downloaded by New York University At 09:17 10 May 2015 (PT)
fully believe in it [CSA] or understand it. The
jury is still out as to its value at the end of the
day.'' Another director adds that ``CSA
doesn't really train anybody about internal
controls.''
Despite its underlying complications,
several directors predict that CSA is going to
be implemented in the near future. One
director emphasizes that ``a benefit [of CSA]
is that it makes the business unit stand up
and recognize that they are responsible for
internal controls.'' Another notes that ``if we
can become truly good at it [CSA], it could
add value.''
Audit committee
Recently, the SEC finalized rules to improve
the effectiveness of audit committees. These
rules were in response to the
recommendations from the Blue Ribbon
Committee and generally increase the
independence and financial literacy
requirements of audit committee members
(NYSE, 1999). In addition, the new rules
require more meaningful communication
between the external auditor and the audit
committee. It should be noted that all of the
interviewed directors consider their audit
committees' expertise in financial
accounting matters as either good or
excellent.
Given the new requirements of audit
committees, several issues arise concerning
the newly defined internal audit function.
Specifically, how coordinated are the efforts
of the newly defined internal audit function
and the apparently more effective audit
committee? For example, how do these
apparently improved audit committees view
the internal audit function? And, are the
audit committees' perceptions of internal
audit consistent with the new definition?
Finally, has the communication and
coordination with audit committees changed
as a result of the newly defined internal audit
role and increased audit committee
requirements? These and other issues are
addressed in this section of the interview.
Question: what are your perceptions of the
expectations of the audit committee in
regard to your department's oversight of
financial reporting matters?
The responses to this question were divided.
Most of the directors believe that the audit
committee expects internal audit to either
``improve the efficiency of operations,'' or act
primarily in an ``operational role,'' and that
assuring the integrity of the financial
statements is the responsibility of the
external auditor. The remaining directors
believe that the audit committee expects
internal audit to evaluate the fairness of the
financial statements (i.e. traditional
assurance service) and that this evaluation is
to be done at a more detailed level than that
of the external auditor.
One director suggests that the audit
committee's expectation of internal audit is
not ``in sync'' with what is being done. That
is, the audit committee expects financial
statement audits from internal audit, when
in fact internal audit is operationally focused
and does not perform financial statement
audits. Despite this observation, the director
does not feel threatened because he has
always received positive feedback from the
audit committee.
Question: has your role in assisting the
audit committee in their function of
overseeing the company's financial
reporting changed in the past few years?
This question was derived from the
supposition that the new audit committee
requirements are consistent with the new
definition of internal audit, and that the new
internal audit function will provide greater
assistance to the audit committee in its
oversight of reporting and risk management
and control (Bishop et al., 2000). The
responses to this question from the directors
do not support this supposition, at least in
regard to internal audit assisting the audit
committee in its role of overseeing financial
reporting. Most of the directors indicate that
their role in assisting the audit committee of
overseeing financial reporting has not
changed in the past few years, and several
directors indicate having assumed a lesser
role in regard to this function. None of the
directors anticipate this changing anytime in
the near future.
Questions: how often do you communicate
directly with the audit committee? Has this
changed in the last ten years?
In general, the directors meet with the
audit committee at every audit committee
meeting, which usually occurs three-to-four
times a year. The frequency of direct
meetings has generally stayed the same or
increased slightly over the past ten years.
All of the directors have direct access to
the chairman of the audit committee, and
several indicate that they often meet
throughout the year on an informal basis.
Additionally, all of the directors state that
they meet, or have the option to meet, with
the audit committee without members of
management or the public accountants
present.
[ 135 ]
 Albert L. Nagy and
William J. Cenker
An assessment of the newly
defined internal audit function
Managerial Auditing Journal
17/3 [2002] 130±137
Downloaded by New York University At 09:17 10 May 2015 (PT)
[ 136 ]
Conclusion
The purpose of this paper is to present some
insight and opinions about the newly defined
internal audit function and related issues
from several internal audit directors of large
companies. As the above responses reflect,
the internal audit function varies
significantly among companies from a
traditional assurance orientation to that of a
value-added and consulting orientation, with
most companies landing somewhere in the
middle. Furthermore, the orientation or role
of internal auditing appears to be determined
primarily by management, and not from the
profession, internal audit professionals, or
the audit committee.
Some of the interviewed directors raise the
question of whether the internal audit
function could and/or should be defined by
the profession in the first place. These
directors believe that top management is
appropriately defining their organization's
internal audit function, and that the
profession should concentrate its efforts on
providing guidance and support. Despite this
viewpoint, the directors' responses suggest
that most of their internal audit departments
have shifted toward a more value-added or
operational focus, which is consistent with
the new definition. Therefore, the new
internal audit definition appears to better
describe the current practice of internal
auditing, at least among the organizations
included in this study, even if it may be a few
years late in coming.
A concern expressed by several of the
directors is whether the internal audit
department and the external auditor
adequately coordinated their efforts to
address the recent shift in internal audit's
focus toward operations. That is, because of
limited resources most internal audit
departments were forced to reduce their level
of traditional assurance services as a result of
their shift in orientation. Ideally, the external
auditor would increase their level of
assurance testing in order to compensate for
internal audit's reduction in this area.
Unfortunately, most of the interviewed
directors believe that this is not occurring,
especially in the area of reviewing the
quarterly statements (i.e. the external auditor
has not increased, or not increased enough,
their assurance testing). We encourage future
research to address this area.
All but one of the directors do not feel
threatened or feel an increased need to justify
their services to top management and believe
that management respects and understands
the value of the services that internal audit
provides. The directors support the new
internal audit definition's suggestion that risk
assessment is a key function of internal audit.
Interestingly, however, those directors from
companies that have formal risk assessment
departments indicate that the level of
coordination between internal audit and the
risk assessment department is minimal at
best. The responses also suggest that the
internal audit departments are capable and
have an adequate level of expertise to carry
out proper risk assessment procedures. Given
the wide variety of risk assessment techniques
employed by the sampled companies, the
directors are apparently still searching for the
most effective risk assessment method. We
encourage future research to aid the internal
auditing profession in identifying and
assessing effective risk assessment methods
and techniques.
Consistent with recent SEC rulings to
improve the effectiveness of audit
committees, all of the directors believe that
the financial literacy of their company's
audit committee members is either good or
excellent. Additionally, the audit committees
meet rather frequently throughout the year,
and all of the directors indicate that a strong
communication channel exists between the
chairman of the audit committee and the
internal audit director. The vast majority of
the directors believe that the activities of
their department coincide with the audit
committee's expectation.
Surprisingly, despite the new
responsibilities recently bestowed on audit
committees concerning financial reporting
oversight, none of the directors indicate an
increased role in assisting their audit
committee with this function. Additionally,
none of the directors anticipate this changing
in the near future. Perhaps the audit
committees are looking elsewhere for
assistance in fulfilling their role as financial
statement overseer. Regardless of the
orientation of the internal audit department,
the internal auditor should be a valuable
resource to the audit committee in helping
them meet their responsibilities. Perhaps
internal auditors need to better express
exactly how they can be of assistance to their
audit committees.
We hope that the opinions and insights
provided in this article stimulate further
discussion and research in the areas
surrounding the newly defined internal audit
function. Although the number of directors
interviewed is relatively small (11), which
raises concerns about generalities of the
responses, we believe that the responses
presented are both insightful and thought
provoking. By having a limited sample size,
we were able to perform structured
interviews that resulted in more detailed
responses to specific questions. We found
 Albert L. Nagy and
William J. Cenker
An assessment of the newly
defined internal audit function
Managerial Auditing Journal
17/3 [2002] 130±137
The authors would like to
acknowledge the
contribution of the
members of the Northeast
Ohio Roundtable Group, The
Cleveland/Akron Chapter of
the Institute of Internal
Auditors, and especially
Dave Richards of
FirstEnergy. The authors
further appreciate the
helpful comments by
participants at the 2000
Downloaded by New York University At 09:17 10 May 2015 (PT)
IIA's Industry Audit Series:
Utilities Conference.
that, given the high variation of the scope
and activity of internal audit departments in
our sample, face-to-face interviews was the
appropriate technique to obtain reasonable
and meaningful responses. Such interviews
would not have been feasible with a larger
sample size. In summary, we hope that the
detailed responses presented help bring
awareness to the issues and concerns
associated with the implementation of the
newly defined internal audit role, and that
the internal audit profession will be better
equipped to aid internal auditors in
providing value-enhancing service to the
business community.
References
Bishop, W., Hermanson, D., Lapides, P. and
Rittenberg, L. (2000), ``The year of the audit
committee'', Internal Auditor, April, pp. 46-51.
Bou-Raad, G. (2000), ``Internal auditors and a
value-added approach: the new business
regime'', Managerial Auditing Journal,
Vol. 15 No. 4, pp. 182-6.
Figg, J. (1999), ``The power of CSA'', Internal
Auditor, August, pp. 28-35.
Flesher, D. and Zanzig, J. (2000), ``Management
accountants express a desire for change in the
functioning of internal auditing'', Managerial
Auditing Journal, Vol. 15 No. 7, pp. 331-7.
Institute of Internal Auditors (IIA) (2000), Internal
Auditing: Adding Value across the Board,
Corporate Brochure, IIA.
Krogstad, J., Ridley, A. and Rittenberg, L. (1999),
``Where we're going'', Internal Auditor,
October, pp. 27-33.
New York Stock Exchange (NYSE) (1999), Report
and Recommendations of the Blue Ribbon
Committee on Improving the Effectiveness of
Corporate Audit Committees, NYSE, New
York, NY.
[ 137 ]
 This article has been cited by:

1. Joe Christopher, Philomena Leung. 2015. Tensions Arising from Imposing NPM in Australian Public Universities: A
Management Perspective. Financial Accountability & Management 31:10.1111/faam.2015.31.issue-2, 171-191. [CrossRef]
2. F. Greg Burton, Matthew W. Starliper, Scott L. Summers, David A. Wood. 2015. The Effects of Using the Internal Audit
Function as a Management Training Ground or as a Consulting Services Provider in Enhancing the Recruitment of Internal
Auditors. Accounting Horizons 29, 115-140. [CrossRef]
3. Hany Elbardan, Maged Ali, Ahmad Ghoneim. 2015. The dilemma of internal audit function adaptation. Journal of Enterprise
Information Management 28:1, 93-106. [Abstract] [Full Text] [PDF]
4. Dessalegn Getie Mihret. 2014. How can we explain internal auditing? The inadequacy of agency theory and a labor process
alternative. Critical Perspectives on Accounting 25, 771-782. [CrossRef]
5. Hussein Issa, Alexander Kogan. 2014. A Predictive Ordered Logistic Regression Model as a Tool for Quality Review of
Control Risk Assessments. Journal of Information Systems 28, 209-229. [CrossRef]
6. Carlo Regoliosi, Alessandro d’Eri. 2014. “Good” corporate governance and the quality of internal auditing departments in
Italian listed firms. An exploratory investigation in Italian listed firms. Journal of Management & Governance 18, 891-920.
[CrossRef]
7. Paul John Steinbart, Robyn L. Raschke, Graham Gal, William N. Dilla. 2013. Information Security Professionals' Perceptions
about the Relationship between the Information Security and Internal Audit Functions. Journal of Information Systems 27,
65-86. [CrossRef]
8. Ester Gras‐Gil, Salvador Marin‐Hernandez, Domingo Garcia‐Perez de Lema. 2012. Internal audit and financial reporting in
Downloaded by New York University At 09:17 10 May 2015 (PT)

the Spanish banking industry. Managerial Auditing Journal 27:8, 728-753. [Abstract] [Full Text] [PDF]
9. Ibrahim El‐Sayed Ebaid. 2011. Internal audit function: an exploratory study from Egyptian listed firms. International Journal
of Law and Management 53:2, 108-128. [Abstract] [Full Text] [PDF]
10. Dessalegn Getie Mihret, Kieran James, Joseph M. Mula. 2010. Antecedents and organisational performance implications of
internal audit effectiveness. Pacific Accounting Review 22:3, 224-252. [Abstract] [Full Text] [PDF]
11. Lois Munro, Jenny Stewart. 2010. External auditors’ reliance on internal audit: the impact of sourcing arrangements and
consulting activities. Accounting & Finance 50:10.1111/acfi.2010.50.issue-2, 371-387. [CrossRef]
12. Jenny Stewart, Nava Subramaniam. 2010. Internal audit independence and objectivity: emerging research opportunities.
Managerial Auditing Journal 25:4, 328-360. [Abstract] [Full Text] [PDF]
13. Nuno Castanheira, Lúcia Lima Rodrigues, Russell Craig. 2009. Factors associated with the adoption of risk‐based internal
auditing. Managerial Auditing Journal 25:1, 79-98. [Abstract] [Full Text] [PDF]
14. Marika Arena, Giovanni Azzone. 2009. Identifying Organizational Drivers of Internal Audit Effectiveness. International
Journal of Auditing 13:10.1111/ijau.2009.13.issue-1, 43-60. [CrossRef]
15. Joe Christopher, Gerrit Sarens, Philomena Leung. 2009. A critical analysis of the independence of the internal audit function:
evidence from Australia. Accounting, Auditing & Accountability Journal 22:2, 200-220. [Abstract] [Full Text] [PDF]
16. Dessalegn Getie Mihret, Getachew Zemenu Woldeyohannis. 2008. Value‐added role of internal audit: an Ethiopian case study.
Managerial Auditing Journal 23:6, 567-595. [Abstract] [Full Text] [PDF]
17. Lara Balzan, Peter J. Baldacchino. 2007. Benchmarking in Maltese internal audit units. Benchmarking: An International Journal
14:6, 750-767. [Abstract] [Full Text] [PDF]
18. Dessalegn Getie Mihret, Aderajew Wondim Yismaw. 2007. Internal audit effectiveness: an Ethiopian public sector case study.
Managerial Auditing Journal 22:5, 470-484. [Abstract] [Full Text] [PDF]
19. Albert L. Nagy, William J. Cenker. 2007. Internal Audit Professionalism and Section 404 Compliance: The View of Chief
Audit Executives from Northeast Ohio. International Journal of Auditing 11:10.1111/ijau.2007.11.issue-1, 41-49. [CrossRef]
20. Abdulrahman A.M. Al‐Twaijry, John A. Brierley, David R. Gwilliam. 2004. An examination of the relationship between
internal and external audit in the Saudi Arabian corporate sector. Managerial Auditing Journal 19:7, 929-944. [Abstract] [Full
Text] [PDF]