Print
What is the value of internal auditing? – A literature review on qualitative and quantitative perspectives
expand article infoAnna Eulerich, Marc Eulerich§
‡ Unaffiliated, Duisburg, Germany
§ University Duisburg Essen, Duisburg, Germany
Open Access

Summary

In recent years, research on internal audit has developed significantly. Numerous papers have discussed the importance of internal auditing (IA) as a central pillar of the corporate governance system. Through its activities, IA supports the Audit Committee and the CEO/C-Level. As an independent, objective assurance and advisory function, it is designed to add value through the audit of the internal control system, risk management and the governance processes. Interestingly, research on internal audit unfortunately rarely corresponds to these added value concept defined in the core responsibilities. Therefore, this literature review attempts to highlight the possible perspectives of the added value discussion and to help define future research avenues.

Keywords

Internal auditing, internal audit function, value, literature review

Relevance to practice

In practice, internal auditing is one of the central pillars of good corporate governance. This article presents the added value from various perspectives in more detail and thus helps in the practical implementation and cooperation with internal audit.

1. Introduction

In recent years, companies have been confronted with a multitude of new challenges, such as increasing economic complexity, extended regulatory requirements, and technological advances. Political and economic crises today tend to have worldwide negative effects and their frequency of occurrence is much higher than in the past. The financial crisis in 2007 caused investors, creditors, and other interest groups to put a stronger focus on corporate governance structures in order to meet their new needs (Ruud 2003). In this context, companies are increasingly concerned with designing their internal control system and risk management effectively and efficiently and ensuring that planned activities and guidelines are actually implemented. This development has been accompanied by an increasing relevance of internal auditing (IA) as a key element for the assurance of corporate governance processes, risk management, and the internal control systems (Anderson et al. 2012).

At the same time a critical debate regarding IA’s actual role and value has evolved (Ernst and Young 2007). The Institute of Internal Auditors’ (IIA) definition summarizes the activities of IA as assurance and audit services, which aim to create value and improve an organization’s operations. (IIA 2020). However, current studies find that the services offered by IA, and hence the degree to which the IIA’s definition is fulfilled, may vary, and stakeholders in the profession ask whether IA is able to live up to its assigned role at all (Heesakkers et al. 2019). To visualize the divergent perception of IA, consider the following example. While Ernst and Young (2007) questions whether IA is a “star or extra”, a huge part of the literature calls IA not-so-flattering “jack of all trades” and “master of none” (Roussy and Perron 2018).

The role and position of IA is quite complicated when it comes to the stakeholder interests. There are diverse and sometimes unclear expectations and needs placed on IA (Lenz and Sarens 2012). The different stakeholders of IA pursue numerous specific objectives, which in turn require specific activities from IA. For example, the audit committee or supervisory board requires a very high level of assurance and needs an IAF with a strong focus on internal controls, risk management and governance processes. The CEO and CFO might want to have an IAF with additional consulting/advisory activities, which would directly affect the allocation of IA’s resources.

Depending on the requirements from the CEO/CFO and audit committee, the strategy and activities of the IAF have to be in line with the organizational goals. Furthermore, the quality and quantity of IAF resources have to be sufficient and aligned with the current and future objectives of the company as well. If the IAF is not able to use its resources to satisfy the needs of the main stakeholders, the position and perception of the IAF might harm the corporate governance of the whole company. Whether and how this multitude of different demands by the AC and the CEO/CFO succeeds in practice is assessed differently in the literature. Strongly connected to this strand of the literature is the question how to appropriately measure the added value, and which determinants influence the value creation of IA. Especially, since the value is not only characterized by the internal audit function’s output (e.g., number of audits, findings, recommendations), but also by the character of tasks performed by the internal audit function (e.g., focus on assurance vs. consulting activities) or the role model (e.g., watchdog vs. trusted advisor).

The paper at hand gives a short but comprehensive overview on the existing literature thereby categorizing the approaches and perspectives on this multi-layered topic. Additionally, we will compare our findings regarding the actual role of IA to IA’s role defined by the IIA.

The structure of the paper is as follows. Following the introduction, our second chapter presents the methodology, the literature review and presents different approaches to measure the value. Chapter three discusses our results and concludes.

2. Literature review

Examining the existing literature’s view on IA’s added value, we will divide this chapter into four subsections. The first section presents our approach to identify relevant research. The second section deals with the IIA’s definition of IA and the roles of IA which can be derived from it. The third subsection discusses the approaches to define and measure IA’s added value. Finally, the fourth section presents the evaluation of the added value IA provides or is asked to provide in the literature reviewed. We included a table with the most important papers in Appendix 1, describing their specific approach and the main findings.

2.1 Identifying relevant research

Our review consists of search, selection, analysis, and synthesis processes. We focus on the identification of an active discussion in the field of IA’s value creation, and we aim to offer detailed insights into the content and direction of these discussions in order to provide a useful overview. We end up with a set of papers that includes qualitative as well as quantitative approaches, where all papers have the terms ‘‘internal audit”, “value”, “quality”, “effectiveness”, and “efficiency” in title, abstract, keywords, or body of the paper. We use different literature reviews (e.g. Behrend and Eulerich 2019; Roussy and Perron 2018; Lenz and Hahn 2015) as a starting point for the identification of a potential classification. Afterwards, we deep-dive into the existing literature based on the specific experience of the authors and the different search routines in the common literature databases. Finally, we double-check if the identified papers fit into our framework.

2.2 Definition, roles and prior research of IA

2.2.1 Definition

The IIA defines IA as an “independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes” (IIA 2020). Furthermore, the IIA offers an additional explanation for the added value: “The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes” (IIA 2020). Finally, the mission statement of the IIA added a supplementary perspective: „To enhance and protect organizational value by providing risk-based and objective assurance, advice and insight” (IIA 2020).

Based on IIA’s definition, mission statement and additional explanation, the added value seems to be clear at the first sight. Nevertheless, since the potential areas where the IA can be used are so manifold, the value discussion is based on a) the concrete activities performed and results delivered by the IA and b) the specific stakeholder needs and roles IA has to fulfill.

2.2.2 Internal auditing and improvement of the corporate governance framework and governance processes

Beside the definition from the professional regulator, the scientific literature offers a broad variety of possible positive effects of the IAF and thus also possible value definitions. E.g. Gramling et al. (2004) define IA as an effective tool to monitor and improve corporate governance and see the strongest value of IA in the improvement of the corporate governance framework. This perception of the added value of IA is substantiated by numerous subsequent papers (e.g. Goodwin-Stewart and Kent 2006; Archambeault et al. 2008). Sarens and Abdolmohammadi (2011) verify this finding by stating that IA performs a monitoring role in corporate governance, and furthermore show that IA reduces information asymmetries between the audit committee and management. However, recent studies argue that IA does not sufficiently fulfil its “governance oversight role” (Leung et al. 2011) and thus stakeholders’ expectation of the IA function are significantly lowered (Chambers and Odar 2015).

In sum, this stream of the literature focus on monitoring tasks of the IAF. Since the audit committee and the senior management is not able to audit and monitor all governance-related activities and processes, they rely on internal auditing as an independent and objective support function.

2.2.3 Internal auditing and improvement of the performance

Al-Jaifi et al. (2017), in their analysis of the relationship between the strength of corporate governance and stock market liquidity in Malaysia, found that companies with strong corporate governance - and strong internal audit - have a positive effect on their stock market liquidity. Mihret (2014) departs from the traditional perspective of IA and considers it a control mechanism that creates added value by increasing the return on capital. Prawitt et al. (2009) find in their study that internal audit reduces the use of so-called earnings management (the use of accounting techniques to create financial statements that present an overly positive view of a company’s business activities and financial position) and thus, enhances the quality of financial reporting.

Jiang et al. (2016) find that IAF’s involvement in operations-related services has a significant positive association with operating performance. Furthermore, the authors separate the IAF activities into traditional areas (e.g., operational audit) and more business-oriented services (e.g., strategy consulting), and show that the assurance services in the traditional areas are prevalent in the IAFs whereas advisory and consulting services are less frequent. Carcello et al. (2017) find that IA improves risk management; while Lin et al. (2011) document in their study that IA helps to improve internal control systems. Oussii and Taktak (2018) show also a positive effect from IA on the quality of the internal control system. In this context, stricter environmental regulations and rising expectations for corporate sustainability have become a very recent subject for the internal control topic. Trotman and Trotman (2015) find that IA plays an important role in the disclosure and reporting of greenhouse emissions and energy consumption, however they state that this topic will get even more attention in the future.

Altogether, this stream of research tries to identify positive financial effects of internal auditing, since it is more than a “cost center” and creates value in different areas.

2.2.4 Internal auditing and support of the external auditor

Furthermore, the work of the IA can also lead to a change in the costs of the external audit (Felix et al. 2001). Abbott et al. (2012) in particular substantiate this in the course of their study. They identify that the performance of IA increases the efficiency of the overall audit volume, which benefits both, the company and the external audit firms. But there is no consistent position in the literature on what this change looks like or whether it is exclusively positive or negative from an organizational perspective. On the one hand, it is argued that the effectiveness of IA leads to a reduction in the costs of the external audit, especially if IA covers areas of work relevant to the audit from an external perspective, such as accounting or fraud prevention and identification (Abbott et al. 2012; Ho and Hutchinson 2010). On the other hand, there have been studies which have concluded that this relationship is not correct, as organizations may view the work of internal auditors and external auditors as complementary rather than substitutes (Singh and Newby 2010). Accordingly, a strong internal audit function in an organization implies a high level of risk and audit awareness on the part of management and thus a greater willingness to pay for the external audit in order to strengthen the overall control environment (Alzeban and Sawan 2016; Singh and Newby 2010). Other papers focus on the collaboration of internal and external auditors and look for success factors (e.g. Al-Twaijry et al. 2004).

A huge body of research covers the effects of internal auditing on the external auditor. Internal auditing could influence external audit fees and the external audit quality. Other papers address the reliance decision of the external auditor and look for factors that could impair this reliance.

2.2.5 Internal auditing and fraud detection

A further added value of the work of IA, especially through its assurance activities, is its impact on the issue of fraud. According to this, an effective IA has a positive influence on the prevention and identification of fraud from the company’s perspective. This influence increases the more responsibility the IA assumes in this area and the more training the internal auditors complete in this area (Drogalas et al. 2017). While the prevention and identification of fraud cases can be achieved through direct action by internal audit, the indirect influence of promoting the ethical culture in organizations is also part of this added value (Ma’ayan and Carmeli 2016). In this context, Asiedu and Deffor (2017) have highlighted the influence of IA on corruption in public city, municipal and district administrations in Ghana and found that IA reduces corruption. Coram et al. (2008) find a positive correlation between IA and the detection of fraud, which strengthens the internal control system.

Studies about internal auditing and fraud focus on the traditional understanding of an internal auditor. Someone who looks for irregularities in the organization made by a fraudster. Although this seems to be one of the origins of internal auditing, fraud detection and prevention is still a topic with relevance for organisations around the world.

2.2.6 Internal auditing and training of future managers

Other papers discuss the value of the IA through the implementation of a so-called Management Training Ground (MTG) (Carcello et al. 2018). But the added value provided by an MTG setting is controversial in the literature. The fact that this concept is frequently used in practice can be interpreted as a positive added value from the management perspective (Rose et al. 2013). Carcello et al. (2018) found that one of the reasons for implementing an MTG approach is that confidence in the auditors’ recommendations is higher when the internal audit is used as an MTG, as the natural talent and organization-specific knowledge of the auditors is more pronounced in an MTG environment. In conclusion, increased confidence in the recommendations of the internal auditors can be seen as an increased willingness to implement them, which in turn strengthens the potential added value that can be achieved through internal auditing. Another reason for the increase in value added by Internal Audit as an MTG is the opportunity for auditors to deepen their knowledge of the organization in which they operate and to gain experience in leadership skills (Bond 2011; Rose et al. 2013). However, according to the literary discussion, this added value is also countered by the negative effects of using Internal Audit as an MTG environment, which could counteract the added value of Internal Audit in its role as an auditing body. These include the declining quality of financial reporting, which can only be offset by compensatory controls (Christ et al. 2012). It would also offset the potential effect described above that internal audit could reduce the cost of external audit, as organisations pay higher audit costs when their internal audit is used as an MTG (Messier et al. 2011). This may be related to the fact that in such a case, the confidence of auditors in the objectivity and independence of the auditors and their performance is lower (Rose et al. 2013). Most of prior MTG studies focus on the effects of MTG on the reliance decision of external auditors and often operationalize IA activities in the context of financial audits. Nevertheless, in most of the European countries, IAFs typically cover a much broader range of activities and do not necessarily focus on internal controls and financial audit. In sum, we find a dominant position of US research papers in the field of internal audit, which might lead to differences in the understanding and valuation of IA.

The research about MTG apply a common practice: Using the internal audit function as a perfect place to develop employees to future managers. Since an internal auditor has to understand internal controls, risk management and good governance in the organization, identify weaknesses and look for potential improvements, an internal auditor is trained to improve the governance and processes in a company.

2.2.7 Role models

Although there is a clear and precise definition of what IA is and should do, the actual role IA has within an organization is also important (see e.g. Roussy and Perron 2018). The role an organization assigns IA can either focus on advisory, meaning IA is expected to establish productive relationships both with the management of an organization as well as with other stakeholders (Arena and Azzone 2009; Van Peursem 2005), or IA’s role focuses on assurance for the audit committee and CEO/CFO. In this case, the IA has primarily the responsibility to audit the effectiveness of the internal control system, the risk management and the governance processes from an independent, and thus objective, position (Van Peursem 2005). While there are still negative stereotypes of internal auditors (e.g. Eulerich et al. 2019), especially the Global IIA promotes a more positive role model of IA. Richard Chambers, the president of the IIA, suggests the role of IA to be a “trusted advisor”. Nevertheless, depending on the specific stakeholder (CEO/CFO; Audit Committee; Auditee; External Auditor, Regulator; etc.) the expected role model of IA may vary significantly. Furthermore, IA’s self-perception and the stakeholders’ perception of IA’s role may differ.

Soh and Martinov-Bennie (2011) show that while heads of IA see the focus of their department’s activities on advisory, AC members emphasize IA’s assurance function. The authors also argue that the role of IA is complex and constantly evolving, and therefore cannot be limited to a mere governance oversight function. Comparable findings are offered by Lenz and Sarens (2012) as they state that there is not one single truth for IA’s role and value creation because of the numerous different stakeholders IA serves. Sarens et al. (2009) call IA a “comfort provider” of the AC, as the latter expects IA to be “guard of the corporate culture” and to act as a communication instance between the AC and the operational level. Roussy (2013) describes IA as “protector” and “helper” for the organization and the organization’s management. As a protector it guards the management regarding risks, fraud cases or inefficiencies, and as a helper it supports the management by giving recommendations to improve organizational performance.

Carcello et al. (2005) show that IA adjusts as organizational or environmental circumstances change. For instance, if actual and perceived risks increase, IA will most likely be assigned the function of a “risk management expert” (Vinnari and Skaerbaek 2014) because it is familiar with the internal control processes of an organization (Spira and Page 2003).

IA as a “comfort provider” also supports the AC by auditing and evaluating risk management, internal controls and governance processes (Soh and Martinov-Bennie 2011). As part of its audit and advisory activities, IA can monitor risks, identify weaknesses in the control systems, facilitate the implementation of enterprise risk management, and raise awareness of these issues among management at the same time (Arena and Azzone 2009). It thus has the ability to support management and the board in achieving their objectives (Goodwin and Yeo 2001). Through personal contact with employees, IA can also help to maintain, shape and improve the corporate culture (Sarens and De Beelde 2006).

In their study, D’Onza et al. (2015) identify four factors that are positively related to the creation of value by IA: IA’s independence and objectivity, compliance with the IIA’s Code of Conduct, IA’s contribution in assessing the effectiveness of internal controls, and IA’s contribution in assessing the effectiveness of the risk management system. The independence and objectivity of the IAF and its contribution to assessing and improving internal controls and the risk management system have a positive impact on the added value that IA generates for the organization. The authors confirm that the added value generated by IA depends on its active role in strengthening the effectiveness of internal controls and the risk management system. They also highlight the importance of complying with the IIA Code of Conduct in creating value. In this way, IA is able to demonstrate to its stakeholders that its work and its results are carried out at a professional level. Mihret and Woldeyohannis (2008) note that for companies facing strict regulatory requirements, IA adds more value by performing compliance audits instead of advisory activities. It is interesting to see, that some authors derive a potential role for the IA based on their empirical findings, while others develop a role model, based on theory or prior practical experience.

Based on the different areas where IA can be used, the described models show the variety of potential roles IA has to present. While some IAs focus on one specific role, others try to create their own role model merging two or more aspects.

2. 3 How to measure value creation

The existing literature extensively discusses how IA’s added value could actually be defined and how to measure it accurately. There is a considerable long list of quantitative and qualitative determinants as well as approaches using a combination of both to systematically categorize various determinants.

2.3.1 Quantitative determinants and measurability

In order to measure the value creation and the effectiveness of the IA department, a performance measurement system can be used. The system consists of a set of metrics, which quantify the effectiveness and the efficiency of IA’s actions and hence its value creation (Rupšys and Boguslauskas 2007). In this context, the corresponding literature discusses various key performance indicators (KPI) (Eulerich and Lenz 2020).

First, the number of completed IA actions, i.e. audits and audit reports, can be used to measure IA performance (Soh and Martinov-Bennie 2011; Ziegenfuss 2000). Besides completed IA actions, the implementation of recommendations from IA to senior management are also regarded as an indicator of IA performance (Dumitrescu et al. 2014; Soh and Martinov-Bennie 2011; Ziegenfuss 2000). Both indicators can be interpreted in absolute terms or as a ratio comparing planning and actual numbers for a defined observation period (Boţa-Avram and Palfi 2009; Savčuk 2007; Soh and Martinov-Bennie 2011).

Second, the qualification and skills of auditors in the department is regarded to have strong influence on the added value created by IA. Thereby, the qualification and skills of auditors could either be recorded simply by the number of existing certification (Boţa-Avram and Palfi 2009), or otherwise the average time spent on trainings serves a as measure (Rupšys and Boguslauskas 2007).

Third, value creation can also be linked to senior management’s demand for IA services, as this means additional activity for the IA department (Rupšys and Boguslauskas 2007). Vice versa also recommendations made by IA or IA’s proactive addressing of risks and process improvements should be considered as a possible figure giving information about value creation by the department (Roussy and Brivot 2016; Soh and Martinov-Bennie 2011).

Fourth, the quality of the IA department’s operational work can be measured by hours of actual field work (Rupšys and Boguslauskas 2007). Furthermore, a detailed report describes whether planned time slots for audits, administrative activities etc. are complied with (Boţa-Avram and Palfi 2009).

Finally, the effect of IA actions on a company’s standard KPIs, like e.g. EBITDA (Earnings before Interest, Depreciation and Amortization) or liquidity, can be used to measure value creation as well (Lenz and Hahn 2015).

2.3.2 Qualitative determinants and measurability

For those determinants that are not collectable via metrics, a different approach is needed. In order to include qualitative determinants into the list of factors that impact the value creation of IA, techniques like e.g. interviews, post-engagement surveys, or 360 degree feedback are possible approaches to gain information.

Soh and Martinov-Bennie (2011) consider the relationship of IA with the audit committee (AC) and the senior management as crucial for creating added value. In particular, they refer to appropriately designed reporting lines and to the support offered to IA as being decisive for IA’s performance. Thereby, the AC could support IA by reviewing and approving audit planning, audit budget, audit objectives or the use of external resources, thus ensuring that the IA department is adequately equipped. Furthermore, the AC’s support to the Chief Audit Executive (CAE) is assumed to positively influence the performance of the whole IA department, whereas Soh and Martinov-Bennie (2011) especially emphasize the otherwise isolated role of CAEs.

Erasmus and Coetzee (2018) empirically analyze the AC’s and the senior management’s perception of the IA department and factors that influence IA’s performance. From the senior management’s point of view, the key ingredient for IA’s success is that IA work is not restricted. Only if IA can access human and other resources as well as every area and process within a company that is of interest within the scope of IA activity, IA will be able to fulfil its assigned role and to potentially uncover fraudulent behavior. Moreover, the auditors’ competence level together with a professional attitude is considered an important factor for IA’s performance (Erasmus and Coetzee 2018). From the AC’s point of view the positioning of IA within the organization as well as the roles assigned to IA are crucial for the IA department’s success. An optimal positioning of IA ensures that the department is a respected part of the organization, which is of great importance since it facilitates collaboration with other departments. An elaborate design of the IA department’s roles, guarantees that the range of IA’s activities is best suited to the organization’s needs (Erasmus and Coetzee 2018).

Furthermore, Soh and Martinov-Bennie (2011) show that the individual expertise of auditors is an important factor. Especially competencies in the field of accounting and IT positively influence the IA department’s performance. Regarding the CAE, his ability to cooperate with stakeholders is an important asset (Van Staden and Steyn 2009).

2.3.3 Combined approaches

One approach to combine quantitative and qualitative determinants that effect IA’s value creation is using a balanced scorecard (Rupšys and Boguslauskas 2007). In line with the balanced scorecard for corporate management (see the whole work of Kaplan and Norton), Frigo (2002) together with The IIA Research Foundation has developed a balanced scorecard which is applicable for IA. His approach considers quantitative as well as qualitative determinants in the following four dimensions: the AC’s view of IA, the processes within the function, innovation and capacity, and the auditees’ view. Frigo (2002) introduces an instrument, which is flexible and easy to apply, and which incorporates different perspectives into one framework (Boţa-Avram and Palfi 2009; Rupšys and Boguslauskas 2007). Another approach which combines quantitative and qualitative determinants is the input-process-output scheme, which helps to categorize IA’s work according to three different phases: input (e.g. experience, knowledge, skills), process (e.g. audit planning, field work, reports), and output (e.g. satisfaction, inquiries) (Rupšys and Boguslauskas 2007). The IIA published an additional IPPF Practice Guide “Measuring Internal Audit Effectiveness and Efficiency” in December 2010, that updates the original scorecard approach and discusses the benefits and challenges of the implementation. Furthermore, the IIA Netherlands (2016) offer in their report “Measuring the effectiveness of the internal audit function” a toolkit for practitioners that can help to transfer the IIA scorecard approach to their companies.

2.3.4 IA ambition model

In order to meet the needs of various stakeholders, a working group from the IIA Netherlands developed the Internal Audit Ambition Model (IA AM). The model is an excellent tool for self-reflection, internal validation of compliance, and definition of the level of ambition of the IA department. It also helps to communicate with the Board of Directors, and in particular the AC, since it measures both, the achieved level as well as the ambition. Furthermore, if CAEs are willing to share the data, it can also be used as a benchmarking tool. Six topics are included in the IA AM: “Services and role of IA”, “Professional processes”, “Performance measurement and accountability”, “Personnel Management”, “Organization and relations”, and “Governance structures”. “Performance measurement and accountability” thereby refers to all information needed to manage, conduct, and control IA’s activities and thus to eventually determine its performance. This includes the objectives of the IA department, budget for the audit plan, and alignment of the plan with the organization’s strategy.

2.3.5 IIA quality assessment

As already mentioned, there is a multitude of expectations placed on the IA department. Satisfying different stakeholders’ needs and acting as a modern, standard-compliant IA function can be a major challenge. The International Professional Practice Framework (IPPF) of the IIA (IIA 2020) therefore considers this issue in Standards 1300 to 1312, and offers both internal (self-) assessments and external quality assessments as a solution. Moreover, each audit has to follow a formal and structured process to ensure its quality. This process should be carefully designed, using competencies and professional diligence, and should ideally be continuously refined. The concept of quality starts with the organizational design of the IA department, i.e. the inherent processes, (IT-)systems, and the recruitment of qualified staff. Furthermore, the alignment process of the audit charter, policies, and procedures should be a quality feature to be controlled as well as IA’s contribution to the improvement of governance, risk management, and internal controls. All of these aspects are covered in the so-called Quality Assurance and Improvement Program (IIA 2012).

3. Discussion and conclusion

Despite the great number of determinants discussed to measure the outcome effect of IA and thus the added value, the actual value created and its origin must be considered in an organization specific manner. The value created by IA has to be evaluated in context of positioning and status of the IA department within the organization. Among others, the access to resources, the support IA receives within the organization, the organization’s objectives and the organization’s strategies significantly defines the environment IA operates in and thus influences IA’s performance (Arena and Azzone 2009; Mihret and Woldeyohannis 2008).

In the overall context of corporate governance and internal auditing, the issue of creating added value plays a central role. This literature review shows possible dimensions how internal audit can create added value through its services and how this can be measured.

A review of the literature has shown that added value through internal auditing is a multi-dimensional construct. A possible summarizing and complementary formulation to the general definition of the IIA for the definition of value added by internal audit could therefore be as follows:

The added value of internal auditing is the creation of value for its stakeholders by enabling them to counteract the possible effects of risks along the value chain, and by enabling cost savings by implementing optimization potentials and strengthening corporate governance, thus strengthening confidence in the integrity of the company.

We identify quantitative and qualitative determinants for measuring and assessing value added at the first level. It has been shown that a large number of possible indicators are found in the literature, which partly overlap and partly complement each other when comparing the individual sources. As a quantitative indicator, the degree of implementation of the audit plan in particular was given priority, while special importance was attached to the competence and satisfaction of internal audit stakeholders in the area of qualitative indicators.

At the second level, combined approaches, like the balanced scorecard, the IA ambition model or the IPPF external assessment were discussed as possible approaches for incorporating the identified determinants into an overall system for control and evaluation.

In sum, internal auditing is considered to be of great importance in the process of establishing good corporate governance, for example by creating value in the areas of internal controls, risk management and governance processes. Furthermore, based on the advisory activities of the IAF, additional value can be created by improvement of processes and information to support management decisions. However, there are influencing factors that can weaken the potential added value of internal auditing, especially in the case of an unsuitable positioning within the organization. The results of this paper contribute to the current discussion by presenting and structuring the overall research streams and practical discussion of the added value of internal auditing. Nevertheless, it should be noted that the results are subject to limitations due to the still insufficient investigation of individual determinants and the lack of an analyses of best practice concepts.

Due to the increasing focus of organizations on assessing their functions on the basis of their value creation, it can be assumed that our discussion will be continued in the future and is currently covered in a forthcoming report of the IIA Research Foundation (Eulerich and Lenz 2020). A special role will be played by the increase in value added through digitalization and automation, which are not only capable of bringing about lasting changes in operational processes but also in the auditing and consulting services provided by Internal Audit.

Dr. Anna Eulerich is working in the corporate planning function of a global automotive supplier company. She earned her phd in micro-economics at the University Duisburg-Essen.

Prof. Dr. Marc Eulerich, CIA, holds the chair for internal auditing at the University Duisburg-Essen. He has published multiple articles in the field of internal audit and corporate governance. E-mail: marc.eulerich@uni-due.de

References

  • Abbott LJ, Parker S, Peters GF (2012) Audit Fee Reductions from Internal Audit-Provided Assistance: The incremental impact of internal audit characteristics. Contemporary Accounting Research 29(1): 94–118. https://doi.org/10.1111/j.1911-3846.2011.01072.x
  • Al-Jaifi HA, Al-Rassas AH, AL-Qadasi AA (2017) Corporate governance strength and stock market liquidity in Malaysia. International Journal of Managerial Finance 13(5): 592–610. https://doi.org/10.1108/IJMF-10-2016-0195
  • Al-Twaijry A, Bierley J, Gwilliam D (2004) An examination of relationship between internal and external audit in the Saudi Arabian corporate sector. Managerial Auditing Journal 19(7): 929–944. https://doi.org/10.1108/02686900410549448
  • Alzeban A, Sawan N (2016) The relationship between adherence of internal audit with standards and audit fees. Journal of Financial Reporting & Accounting 14(1): 72–85. https://doi.org/10.1108/JFRA-04-2015-0048
  • Anderson U, Christ M, Johnstone K, Rittenberg L (2012) A Post-SOX examination of factors associated with the size of internal audit functions. Accounting Horizons 26(2): 167–191. https://doi.org/10.2308/acch-50115
  • Archambeault D, DeZoort FT, Holt T (2008) The need for internal auditor report to external stakeholders to improve governance transparency. Accounting Horizons 22(4): 375–388. https://doi.org/10.2308/acch.2008.22.4.375
  • Asiedu KF, Deffor EW (2017) Fighting corruption by means of effective internal audit function: Evidence from the Ghanaian Public Sector. International Journal of Auditing 21(1): 82–99. https://doi.org/10.1111/ijau.12082
  • Boţa-Avram C, Palfi C (2009) Measuring and assessment of internal audit’s effectiveness. Annals of the University of Oradea, Economic Science Series 18(3): 784–790.
  • Carcello J, Eulerich M, Masli A, Wood D (2017) Are internal audits associated with reductions in operating, financial reporting, and compliance risk? https://doi.org/10.2139/ssrn.2970045
  • Carcello JV, Eulerich M, Masli A, Wood DA (2018) The value to management of using the internal audit function as a management training ground. Accounting Horizons 32(2): 121–140. https://doi.org/10.2308/acch-52046
  • Christ MH, Masli A, Sharp NY, Wood DA (2012) Using the internal audit function as a management training ground: Is the monitoring effectiveness of internal auditors compromised? SSRN Electronic Journal. https://doi.org/10.2139/ssrn.1946518
  • D´Onza G, Selim G, Melville R, Allegrini M (2015) A study on internal auditor perceptions of the function ability to add value. International Journal of Auditing 19: 182–194. https://doi.org/10.1111/ijau.12048
  • Drogalas G, Pazarskis M, Anagnostopoulou E, Papachristou A (2017) The effect of internal audit effectiveness, auditor responsibility and training in fraud detection. Journal of Accounting and Management Information Systems 16(4): 434–454. https://doi.org/10.24818/jamis.2017.04001
  • Dumitrescu D, Bobiţan N, Costuleanu C (2014) Measuring internal audit performance (KPIs). Ovidius University Annals, Series Economic Sciences 14(1): 597–601.
  • Eulerich M, Kremin J, Saunders KK, Wood DA (2019) Internal audit stigma awareness and internal audit outcomes: Stuck between a rock and a hard place. Working Paper. SSRN. https://doi.org/10.2139/ssrn.3070404
  • Eulerich M, Lenz R (2020) Defining, Measuring and Communicating the Value of Internal Auditing, The Institute of Internal Auditors Research Foundation, Altamonte Springs (forthcoming).
  • Felix Jr. WL, Gramling AA, Maletta MJ (2001) The contribution of internal audit as a determinant of external audit fees and factors influencing this contribution. Journal of Accounting Research 39(3): 513–534. https://doi.org/10.1111/1475-679X.00026
  • Frigo ML (2002) A balanced scorecard framework for internal auditing departments. Institute of Internal Auditors Research Foundation (Altamonte Springs, FL, USA).
  • Gramling A, Maletta M, Schneider A, Church B (2004) The role of the internal audit function in corporate governance: A synthesis of the extant internal audit literature and directions for future research. Journal of Accounting Literature 23(1): 194–244.
  • Ho S, Hutchinson M (2010) Internal audit department characteristics/activities and audit fees: Some evidence from Hong Kong firms. Journal of International Accounting, Auditing & Taxation 19(2): 121–136. https://doi.org/10.1016/j.intaccaudtax.2010.07.004
  • Jiang L, Messier Jr. WF, Wood DA (2016) The association between internal audit operations-related services and firm operating performance. Auditing: A Journal of Practice & Theory, Forthcoming. https://doi.org/10.2308/ajpt-52565
  • Lenz R, Hahn U (2015) A synthesis of empirical internal audit effectiveness literature pointing to new research opportunities. Managerial Auditing Journal 30(1): 5–33. https://doi.org/10.1108/MAJ-08-2014-1072
  • Leung P, Cooper BJ, Perera L (2011) Accountability structures and management relationships of internal audit: An Australian study. Managerial Auditing Journal 26(9): 794–816. https://doi.org/10.1108/02686901111171457
  • Lin S, Pizzini M, Vargus M, Bardhan IR (2011) The role of internal audit in the disclosure of material weaknesses. The Accounting Review 86(1): 287–323. https://doi.org/10.2308/accr.00000016
  • Ma’ayan Y, Carmeli A (2016) Internal audits as a source of ethical behavior, efficiency, and effectiveness in work units. Journal of Business Ethics 137(2): 347–363. https://doi.org/10.1007/s10551-015-2561-0
  • Messier Jr. WF, Reynolds JK, Simon CA, Wood DA (2011) The effect of using the internal audit function as a management training ground on the external auditor’s reliance decision. The Accounting Review 86(6): 2131–2154. https://doi.org/10.2308/accr-10136
  • Mihret DG (2014) How can we explain internal auditing? The inadequacy of agency theory and a labor process alternative. Critical Perspectives on Accounting 25(8): 771–782. https://doi.org/10.1016/j.cpa.2014.01.003
  • Rose AM, Rose JM, Norman CS (2013) Is the objectivity of internal audit compromised when the internal audit function is a management training ground? Accounting & Finance 53(4): 1001–1019. https://doi.org/10.1111/acfi.12025
  • Roussy M (2013) Internal auditors´ roles: From watch dogs to helpers and protectors of the top manager. Critical Perspectives on Accounting 24(7–8): 550–571. https://doi.org/10.1016/j.cpa.2013.08.004
  • Rupšys R, Boguslauskas V (2007) Measuring performance of internal auditing: Empirical evidence. Kompensavimo Ir Pašalpų Vidinis Auditas: Gamybos Sistemų Užduotys Ir Rizika. Engineering Economics 55(5): 9–15.
  • Ruud FT (2003) The internal audit function: An integral part of organizational governance. In: Bailey A, Gramling A, Ramamoorti S (Eds) Research opportunities in internal auditing. The Institute of Internal Auditors (Altamonte Springs), 73–96.
  • Sarens G, De Beelde I (2006) The relationship between internal audit and senior management: A qualitative analysis of expectations and perceptions. International Journal of Auditing 10(3): 219–241. https://doi.org/10.1111/j.1099-1123.2006.00351.x
  • Soh DSB, Martinov-Bennie N (2011) The internal audit function: Perceptions of internal audit roles, effectiveness and evaluation. Managerial Auditing Journal 26(7): 605–622. https://doi.org/10.1108/02686901111151332
  • Spira LF, Page M (2003) Risk management: The reinvention of internal control and the changing role of internal audit. Accounting, Auditing & Accountability Journal 16(4): 640–661. https://doi.org/10.1108/09513570310492335
  • Trotman AJ, Trotman KT (2015) Internal audit´s role in GHG emissions and energy reporting: Evidence from audit committees, senior accountants and internal auditors. Auditing: A Journal of Practice & Theory 34(1): 199–230. https://doi.org/10.2308/ajpt-50675
  • Vinnari E, Skaerbaek P (2014) The uncertainties of risk management: A field study on risk management internal audit practices in a Finnish municipality. Accounting, Auditing & Accountability Journal 27(3): 489–526. https://doi.org/10.1108/AAAJ-09-2012-1106

Appendix 1

Overview of relevant literature

Category Authors Year Findings
Corporate Governance Chambers and Odar 2015 IA does not assume a pure governance oversight role
Corporate Governance Anderson et al. 2012 Factors driving the investment into the IAF are driven by the governance structure.
Corporate Governance Sarens and Abdolmohammadi 2011 IA as a monitoring role
Corporate Governance Archambeault et al. 2008 IA reporting improves governance transparency
Corporate Governance Goodwin-Stewart and Kent 2006 IA as an instrument to reduce audit fees
Corporate Governance Gramling et al. 2004 Literature review
Corporate Governance Leung et al. 2011 IR does not sufficiently assume the role of governance oversight
External Audit Abbott et al. 2012 Increases the efficiency of the overall testing needs
External Audit Al-Twaijry et al. 2004 Cost savings for both the company and external auditors
External Audit Felix et al. 2001 Cost savings for the company
External Audit Singh and Newby 2010 Findings show a reduction of audit fees when internal audit is in place.
External Audit Ho and Hutchinson 2010 External auditors rely on internal auditing and charge lower audit fees.
External Audit Alzeban and Sawan 2016 Higher external audit fees are charged when the IAF does not follow the IIA standards
Fraud Coram et al. 2008 Detects fraud, strengthens internal control system
Fraud Asiedu and Deffor 2017 IA as a tool to fight against fraud and corruption
Fraud Drogalas et al. 2017 IA as a fraud detection instrument
Fraud Ma‘ayan and Carmeli 2016 IA can improve the ethical behavior in companies
Literature Review Behrend and Eulerich 2019 Literature review covering 90 years of internal audit reseearch
Literature Review Roussy and Perron 2018 Literature review
Literature Review Roussy and Brivot M 2016 Literature review
Literature Review Lenz and Hahn 2015 Identifying macro and micro factors that influence the perceived value of internal auditing.
Measurement Ziegenfuss 2000 Transfer of the traditional BSC approach to internal auditing
Measurement Boţa-Avram and Palfi 2009 Discussion of usable measures for IAF effectiveness.
Measurement Easmus and Coetzee 2018 Discussion of drivers of stakeholder expectations about the value of IA
Measurement Rupšys and Boguslauskas 2007 How to measure the efficiency of the IAF
Measurement Savčuk 2007 How to measure the efficiency of the IAF
Measurement Van Staden and Steyn 2009 CAEs as the main success factor of high quality IAFs
Measurement Frigo 2002 Transfer of the traditional BSC approach to internal auditing
MTG Carcello et al. 2018 Strengthens management confidence in their work
MTG Bond 2011 IA can add additional value through the implementation of an MTG environment
MTG Christ et al. 2012 Effects of MTG might influence the judgment of internal auditors
MTG Messier et al. 2011 Negative effects of MTG environment on the reliance decision.
MTG Rose et al. 2013 Effects of MTG on thee objectivity and judgment of internal auditors
Performance Oussii and Taktak 2018 Positive effects of IA on ICS quality
Performance Carcello et al. 2017 Improves risk management
Performance Jiang et al. 2016 Economic benefits
Performance Trotman and Trotman 2015 IA in sustainability issues
Performance Mihret 2014 The IA as a control mechanism
Performance Lin et al. 2011 Improves the control system
Performance Al-Jaifi et al. 2017 IA as a part of the overall governance structure helps to improve stock market liquidity
Performance Prawitt et al. 2009 Reduction of earnings management when IAF is in place
Role Models Roussy and Perron 2018 Multiple roles help to characterize the current and future research
Role Models D`Onza et al. 2015 Strengthens the effectiveness of internal controls and risk management
Role Models Vinnari and Skaerbaek 2014 Central role in risk management
Role Models Roussy 2013 IA as protector and helper of the management
Role Models Lenz and Sarens 2012 No clear role for IA
Role Models Soh and Martinov-Bennie 2011 IA self-assessment: IA as advisor, assessment of the audit committee: IA as auditor; supports the audit committee in achieving its tasks
Role Models Arena and Azzone 2009 Identifies weaknesses in the ICS, facilitates ERM, sensitizes management
Role Models Sarens et al. 2009 IA as „comfort provider“ of the Audit Committee
Role Models Mihret and Woldeyohannis 2008 Added value must be defined in the context of the company
Role Models Sarens and DeBeelde 2006 Improves, shapes and maintains the corporate culture
Role Models Goodwin and Yeo 2001 Supports the management and the board of directors in achieving their goals
Role Models Spira and Page 2003 Identifying the role model of internal auditing in enterprise risk management
Role Models Eulerich et al. 2019 internal auditors still havee a negative stigma and stakeeholders see negative effects
Role Models Goodwin and Yeo 2001 AC relationship and MTG environment as drivers of independence and objectivity
Role Models Van Peursem 2005 Different role models of internal auditors affect their work.