Corresponding author: Marc Eulerich ( marc.eulerich@uni-due.de ) Academic editor: Chris D. Knoops
© 2020 Anna Eulerich, Marc Eulerich.
This is an open access article distributed under the terms of the Creative Commons Attribution License (CC BY-NC-ND 4.0), which permits to copy and distribute the article for non-commercial purposes, provided that the article is not altered or modified and the original author and source are credited.
Citation:
Eulerich A, Eulerich M (2020) What is the value of internal auditing? – A literature review on qualitative and quantitative perspectives. Maandblad Voor Accountancy en Bedrijfseconomie 94(3/4): 83-92. https://doi.org/10.5117/mab.94.50375
|
In recent years, research on internal audit has developed significantly. Numerous papers have discussed the importance of internal auditing (IA) as a central pillar of the corporate governance system. Through its activities, IA supports the Audit Committee and the CEO/C-Level. As an independent, objective assurance and advisory function, it is designed to add value through the audit of the internal control system, risk management and the governance processes. Interestingly, research on internal audit unfortunately rarely corresponds to these added value concept defined in the core responsibilities. Therefore, this literature review attempts to highlight the possible perspectives of the added value discussion and to help define future research avenues.
Internal auditing, internal audit function, value, literature review
In practice, internal auditing is one of the central pillars of good corporate governance. This article presents the added value from various perspectives in more detail and thus helps in the practical implementation and cooperation with internal audit.
In recent years, companies have been confronted with a multitude of new challenges, such as increasing economic complexity, extended regulatory requirements, and technological advances. Political and economic crises today tend to have worldwide negative effects and their frequency of occurrence is much higher than in the past. The financial crisis in 2007 caused investors, creditors, and other interest groups to put a stronger focus on corporate governance structures in order to meet their new needs (
At the same time a critical debate regarding IA’s actual role and value has evolved (Ernst and Young 2007). The Institute of Internal Auditors’ (IIA) definition summarizes the activities of IA as assurance and audit services, which aim to create value and improve an organization’s operations. (
The role and position of IA is quite complicated when it comes to the stakeholder interests. There are diverse and sometimes unclear expectations and needs placed on IA (
Depending on the requirements from the CEO/CFO and audit committee, the strategy and activities of the IAF have to be in line with the organizational goals. Furthermore, the quality and quantity of IAF resources have to be sufficient and aligned with the current and future objectives of the company as well. If the IAF is not able to use its resources to satisfy the needs of the main stakeholders, the position and perception of the IAF might harm the corporate governance of the whole company. Whether and how this multitude of different demands by the AC and the CEO/CFO succeeds in practice is assessed differently in the literature. Strongly connected to this strand of the literature is the question how to appropriately measure the added value, and which determinants influence the value creation of IA. Especially, since the value is not only characterized by the internal audit function’s output (e.g., number of audits, findings, recommendations), but also by the character of tasks performed by the internal audit function (e.g., focus on assurance vs. consulting activities) or the role model (e.g., watchdog vs. trusted advisor).
The paper at hand gives a short but comprehensive overview on the existing literature thereby categorizing the approaches and perspectives on this multi-layered topic. Additionally, we will compare our findings regarding the actual role of IA to IA’s role defined by the IIA.
The structure of the paper is as follows. Following the introduction, our second chapter presents the methodology, the literature review and presents different approaches to measure the value. Chapter three discusses our results and concludes.
Examining the existing literature’s view on IA’s added value, we will divide this chapter into four subsections. The first section presents our approach to identify relevant research. The second section deals with the IIA’s definition of IA and the roles of IA which can be derived from it. The third subsection discusses the approaches to define and measure IA’s added value. Finally, the fourth section presents the evaluation of the added value IA provides or is asked to provide in the literature reviewed. We included a table with the most important papers in Appendix
Our review consists of search, selection, analysis, and synthesis processes. We focus on the identification of an active discussion in the field of IA’s value creation, and we aim to offer detailed insights into the content and direction of these discussions in order to provide a useful overview. We end up with a set of papers that includes qualitative as well as quantitative approaches, where all papers have the terms ‘‘internal audit”, “value”, “quality”, “effectiveness”, and “efficiency” in title, abstract, keywords, or body of the paper. We use different literature reviews (e.g.
The IIA defines IA as an “independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes” (
Based on IIA’s definition, mission statement and additional explanation, the added value seems to be clear at the first sight. Nevertheless, since the potential areas where the IA can be used are so manifold, the value discussion is based on a) the concrete activities performed and results delivered by the IA and b) the specific stakeholder needs and roles IA has to fulfill.
Beside the definition from the professional regulator, the scientific literature offers a broad variety of possible positive effects of the IAF and thus also possible value definitions. E.g.
In sum, this stream of the literature focus on monitoring tasks of the IAF. Since the audit committee and the senior management is not able to audit and monitor all governance-related activities and processes, they rely on internal auditing as an independent and objective support function.
Altogether, this stream of research tries to identify positive financial effects of internal auditing, since it is more than a “cost center” and creates value in different areas.
Furthermore, the work of the IA can also lead to a change in the costs of the external audit (
A huge body of research covers the effects of internal auditing on the external auditor. Internal auditing could influence external audit fees and the external audit quality. Other papers address the reliance decision of the external auditor and look for factors that could impair this reliance.
A further added value of the work of IA, especially through its assurance activities, is its impact on the issue of fraud. According to this, an effective IA has a positive influence on the prevention and identification of fraud from the company’s perspective. This influence increases the more responsibility the IA assumes in this area and the more training the internal auditors complete in this area (
Studies about internal auditing and fraud focus on the traditional understanding of an internal auditor. Someone who looks for irregularities in the organization made by a fraudster. Although this seems to be one of the origins of internal auditing, fraud detection and prevention is still a topic with relevance for organisations around the world.
Other papers discuss the value of the IA through the implementation of a so-called Management Training Ground (MTG) (
The research about MTG apply a common practice: Using the internal audit function as a perfect place to develop employees to future managers. Since an internal auditor has to understand internal controls, risk management and good governance in the organization, identify weaknesses and look for potential improvements, an internal auditor is trained to improve the governance and processes in a company.
Although there is a clear and precise definition of what IA is and should do, the actual role IA has within an organization is also important (see e.g.
IA as a “comfort provider” also supports the AC by auditing and evaluating risk management, internal controls and governance processes (
In their study,
Based on the different areas where IA can be used, the described models show the variety of potential roles IA has to present. While some IAs focus on one specific role, others try to create their own role model merging two or more aspects.
The existing literature extensively discusses how IA’s added value could actually be defined and how to measure it accurately. There is a considerable long list of quantitative and qualitative determinants as well as approaches using a combination of both to systematically categorize various determinants.
In order to measure the value creation and the effectiveness of the IA department, a performance measurement system can be used. The system consists of a set of metrics, which quantify the effectiveness and the efficiency of IA’s actions and hence its value creation (
First, the number of completed IA actions, i.e. audits and audit reports, can be used to measure IA performance (
Second, the qualification and skills of auditors in the department is regarded to have strong influence on the added value created by IA. Thereby, the qualification and skills of auditors could either be recorded simply by the number of existing certification (
Third, value creation can also be linked to senior management’s demand for IA services, as this means additional activity for the IA department (
Fourth, the quality of the IA department’s operational work can be measured by hours of actual field work (
Finally, the effect of IA actions on a company’s standard KPIs, like e.g. EBITDA (Earnings before Interest, Depreciation and Amortization) or liquidity, can be used to measure value creation as well (
For those determinants that are not collectable via metrics, a different approach is needed. In order to include qualitative determinants into the list of factors that impact the value creation of IA, techniques like e.g. interviews, post-engagement surveys, or 360 degree feedback are possible approaches to gain information.
Furthermore,
One approach to combine quantitative and qualitative determinants that effect IA’s value creation is using a balanced scorecard (
In order to meet the needs of various stakeholders, a working group from the IIA Netherlands developed the Internal Audit Ambition Model (IA AM). The model is an excellent tool for self-reflection, internal validation of compliance, and definition of the level of ambition of the IA department. It also helps to communicate with the Board of Directors, and in particular the AC, since it measures both, the achieved level as well as the ambition. Furthermore, if CAEs are willing to share the data, it can also be used as a benchmarking tool. Six topics are included in the IA AM: “Services and role of IA”, “Professional processes”, “Performance measurement and accountability”, “Personnel Management”, “Organization and relations”, and “Governance structures”. “Performance measurement and accountability” thereby refers to all information needed to manage, conduct, and control IA’s activities and thus to eventually determine its performance. This includes the objectives of the IA department, budget for the audit plan, and alignment of the plan with the organization’s strategy.
As already mentioned, there is a multitude of expectations placed on the IA department. Satisfying different stakeholders’ needs and acting as a modern, standard-compliant IA function can be a major challenge. The International Professional Practice Framework (IPPF) of the IIA (
Despite the great number of determinants discussed to measure the outcome effect of IA and thus the added value, the actual value created and its origin must be considered in an organization specific manner. The value created by IA has to be evaluated in context of positioning and status of the IA department within the organization. Among others, the access to resources, the support IA receives within the organization, the organization’s objectives and the organization’s strategies significantly defines the environment IA operates in and thus influences IA’s performance (
In the overall context of corporate governance and internal auditing, the issue of creating added value plays a central role. This literature review shows possible dimensions how internal audit can create added value through its services and how this can be measured.
A review of the literature has shown that added value through internal auditing is a multi-dimensional construct. A possible summarizing and complementary formulation to the general definition of the IIA for the definition of value added by internal audit could therefore be as follows:
The added value of internal auditing is the creation of value for its stakeholders by enabling them to counteract the possible effects of risks along the value chain, and by enabling cost savings by implementing optimization potentials and strengthening corporate governance, thus strengthening confidence in the integrity of the company.
We identify quantitative and qualitative determinants for measuring and assessing value added at the first level. It has been shown that a large number of possible indicators are found in the literature, which partly overlap and partly complement each other when comparing the individual sources. As a quantitative indicator, the degree of implementation of the audit plan in particular was given priority, while special importance was attached to the competence and satisfaction of internal audit stakeholders in the area of qualitative indicators.
At the second level, combined approaches, like the balanced scorecard, the IA ambition model or the IPPF external assessment were discussed as possible approaches for incorporating the identified determinants into an overall system for control and evaluation.
In sum, internal auditing is considered to be of great importance in the process of establishing good corporate governance, for example by creating value in the areas of internal controls, risk management and governance processes. Furthermore, based on the advisory activities of the IAF, additional value can be created by improvement of processes and information to support management decisions. However, there are influencing factors that can weaken the potential added value of internal auditing, especially in the case of an unsuitable positioning within the organization. The results of this paper contribute to the current discussion by presenting and structuring the overall research streams and practical discussion of the added value of internal auditing. Nevertheless, it should be noted that the results are subject to limitations due to the still insufficient investigation of individual determinants and the lack of an analyses of best practice concepts.
Due to the increasing focus of organizations on assessing their functions on the basis of their value creation, it can be assumed that our discussion will be continued in the future and is currently covered in a forthcoming report of the IIA Research Foundation (
Dr. Anna Eulerich is working in the corporate planning function of a global automotive supplier company. She earned her phd in micro-economics at the University Duisburg-Essen.
Prof. Dr. Marc Eulerich, CIA, holds the chair for internal auditing at the University Duisburg-Essen. He has published multiple articles in the field of internal audit and corporate governance. E-mail: marc.eulerich@uni-due.de
Overview of relevant literature
Category | Authors | Year | Findings |
---|---|---|---|
Corporate Governance | Chambers and Odar | 2015 | IA does not assume a pure governance oversight role |
Corporate Governance | Anderson et al. | 2012 | Factors driving the investment into the IAF are driven by the governance structure. |
Corporate Governance | Sarens and Abdolmohammadi | 2011 | IA as a monitoring role |
Corporate Governance | Archambeault et al. | 2008 | IA reporting improves governance transparency |
Corporate Governance | Goodwin-Stewart and Kent | 2006 | IA as an instrument to reduce audit fees |
Corporate Governance | Gramling et al. | 2004 | Literature review |
Corporate Governance | Leung et al. | 2011 | IR does not sufficiently assume the role of governance oversight |
External Audit | Abbott et al. | 2012 | Increases the efficiency of the overall testing needs |
External Audit | Al-Twaijry et al. | 2004 | Cost savings for both the company and external auditors |
External Audit | Felix et al. | 2001 | Cost savings for the company |
External Audit | Singh and Newby | 2010 | Findings show a reduction of audit fees when internal audit is in place. |
External Audit | Ho and Hutchinson | 2010 | External auditors rely on internal auditing and charge lower audit fees. |
External Audit | Alzeban and Sawan | 2016 | Higher external audit fees are charged when the IAF does not follow the IIA standards |
Fraud | Coram et al. | 2008 | Detects fraud, strengthens internal control system |
Fraud | Asiedu and Deffor | 2017 | IA as a tool to fight against fraud and corruption |
Fraud | Drogalas et al. | 2017 | IA as a fraud detection instrument |
Fraud | Ma‘ayan and Carmeli | 2016 | IA can improve the ethical behavior in companies |
Literature Review | Behrend and Eulerich | 2019 | Literature review covering 90 years of internal audit reseearch |
Literature Review | Roussy and Perron | 2018 | Literature review |
Literature Review | Roussy and Brivot M | 2016 | Literature review |
Literature Review | Lenz and Hahn | 2015 | Identifying macro and micro factors that influence the perceived value of internal auditing. |
Measurement | Ziegenfuss | 2000 | Transfer of the traditional BSC approach to internal auditing |
Measurement | Boţa-Avram and Palfi | 2009 | Discussion of usable measures for IAF effectiveness. |
Measurement | Easmus and Coetzee | 2018 | Discussion of drivers of stakeholder expectations about the value of IA |
Measurement | Rupšys and Boguslauskas | 2007 | How to measure the efficiency of the IAF |
Measurement | Savčuk | 2007 | How to measure the efficiency of the IAF |
Measurement | Van Staden and Steyn | 2009 | CAEs as the main success factor of high quality IAFs |
Measurement | Frigo | 2002 | Transfer of the traditional BSC approach to internal auditing |
MTG | Carcello et al. | 2018 | Strengthens management confidence in their work |
MTG | Bond | 2011 | IA can add additional value through the implementation of an MTG environment |
MTG | Christ et al. | 2012 | Effects of MTG might influence the judgment of internal auditors |
MTG | Messier et al. | 2011 | Negative effects of MTG environment on the reliance decision. |
MTG | Rose et al. | 2013 | Effects of MTG on thee objectivity and judgment of internal auditors |
Performance | Oussii and Taktak | 2018 | Positive effects of IA on ICS quality |
Performance | Carcello et al. | 2017 | Improves risk management |
Performance | Jiang et al. | 2016 | Economic benefits |
Performance | Trotman and Trotman | 2015 | IA in sustainability issues |
Performance | Mihret | 2014 | The IA as a control mechanism |
Performance | Lin et al. | 2011 | Improves the control system |
Performance | Al-Jaifi et al. | 2017 | IA as a part of the overall governance structure helps to improve stock market liquidity |
Performance | Prawitt et al. | 2009 | Reduction of earnings management when IAF is in place |
Role Models | Roussy and Perron | 2018 | Multiple roles help to characterize the current and future research |
Role Models | D`Onza et al. | 2015 | Strengthens the effectiveness of internal controls and risk management |
Role Models | Vinnari and Skaerbaek | 2014 | Central role in risk management |
Role Models | Roussy | 2013 | IA as protector and helper of the management |
Role Models | Lenz and Sarens | 2012 | No clear role for IA |
Role Models | Soh and Martinov-Bennie | 2011 | IA self-assessment: IA as advisor, assessment of the audit committee: IA as auditor; supports the audit committee in achieving its tasks |
Role Models | Arena and Azzone | 2009 | Identifies weaknesses in the ICS, facilitates ERM, sensitizes management |
Role Models | Sarens et al. | 2009 | IA as „comfort provider“ of the Audit Committee |
Role Models | Mihret and Woldeyohannis | 2008 | Added value must be defined in the context of the company |
Role Models | Sarens and DeBeelde | 2006 | Improves, shapes and maintains the corporate culture |
Role Models | Goodwin and Yeo | 2001 | Supports the management and the board of directors in achieving their goals |
Role Models | Spira and Page | 2003 | Identifying the role model of internal auditing in enterprise risk management |
Role Models | Eulerich et al. | 2019 | internal auditors still havee a negative stigma and stakeeholders see negative effects |
Role Models | Goodwin and Yeo | 2001 | AC relationship and MTG environment as drivers of independence and objectivity |
Role Models | Van Peursem | 2005 | Different role models of internal auditors affect their work. |