The expectations and perceptions in this case are strongly influenced by the fact that the internal audit function had been in existence only one year. The internal auditor reports administratively to the CEO. The CEO is aware that the internal audit function still is not fully accepted by everyone in the company. He is convinced that it is not easy to install such a function, as this requires a change of mentality which will take a few years:
Starting such a function is not easy. (. . .) We will have to work to change the mentality. I think this will take three to four years . . . it is a long-term investment. (CEO)
Therefore, he expects the internal auditor to spend enough time and effort on the promotion and marketing of his function. Furthermore, he finds it very important that the internal auditor becomes acquainted with the company, in order to become fully accepted, especially by senior management.
Besides these general expectations, the CEO also has more specific expectations with regard to the internal auditor. First, the CEO expects the internal auditor to compensate for the loss of control that arises from the recent growth of the company through foreign acquisitions. This was clearly the major driver to install the internal audit function:
We are a growing company. Our growth almost exclusively is based on foreign acquisitions, which leads to a potential loss of control, as well as to cultural problems. (. . .) The internal auditor should be located between the corporate level and the local network. They then should conduct audits in our local network and report their findings to us. (CEO)
Second, the CEO wants the internal auditor to become a supporting function in those activities that receive high management priority (e.g. future acquisitions). Therefore, together with the executive committee, he attempts to strongly influence the internal audit agenda. The internal auditor is aware that he will have to adapt his agenda to the expectations of the CEO, in order to become accepted. To some extent, the internal auditor is prepared to play the expected management supporting role in order to get this support and, therefore, to receive input pertaining to his audit planning from the CEO and other senior managers. However, he does not want to service a purely consulting function for senior management, as he wants to maintain sufficient autonomy to determine his own agenda. As soon as senior management has accepted his function, the internal auditor expects productive discussions with them on his findings, conclusions and recommendations, which should improve their relationship. To date, these discussions have not taken place.
Third, the CEO wants the internal auditor to approach risk management from a broader, company-wide perspective, complementary to local managers who have a more focused view on the specific risks of their division. More specifically, the internal auditor is expected to complete a company-wide risk map. Furthermore, the CEO expects the internal auditor to create, through his work, a reasonable level of risk awareness within the company. However, given the corporate culture that stimulates risk-taking, the CEO wants the internal auditor to avoid creating too much risk awareness, which would temper the company's growth. In other words, he expects the internalauditor to work ‘in line with the existing corporate culture’.
The internal auditor is convinced that he has to play a pioneering role in the introduction of a more formal way of risk management within the company. Nevertheless, he perceives senior management as not giving the right signals to operational management, as they stimulate uncontrolled and extreme risk-taking behaviour. Besides, senior management has a rather averse attitude towards internal controls. Therefore, he expects senior management to change their attitude towards risk management and internal control. More specifically, senior management must start thinking about a clear and specific risk and control strategy:
A consistent strategy with regards to control and the internal control system should be designed by management. (Internal audit presentation to the audit committee)
That is a fundamental objective that I have to meet: getting management to start thinking about a control strategy. (Internal auditor)
Furthermore, senior management is expected to formulate clear policies and procedures, in order to indicate what is acceptable to achieve objectives:
There are no policies that define the perimeter within which the strategic objectives must be reached. (Internal audit presentation to the audit committee)
He is convinced that this is necessary to create a supportive environment for internal audit:
I can not work in an organisation that does not say what is acceptable and what is not, while striving to meet objectives. (Internal auditor)
Although the CFO and the Chief Operations Officer are aware of the importance of formalising risk management and internal controls, the internal auditor knows that convincing the CEO will be a fundamental step. He wants to make it clear to him that he will support senior management in this process. It is important to note that the audit committee supports the internal auditor. Contrary to senior management, the audit committee is more aware of the importance of risk management, especially as a crucial decision-supporting tool.
Given the overall status of the risk management system and the averse attitude of senior management towards internal control, the audit committee expects the internal auditor to focus on improving internal controls in high-risk areas, to follow up closely on his recommendations, and even to support management with the implementation of these recommendations:
More active follow-up of his recommendations definitely would create added value for the company. (Head of the audit committee)
Overall, we can conclude that the audit committee has similar expectations vis-à-vis the internal auditor with respect to his role in risk management and internal control. In contrast to senior management, the audit committee is more supportive of the internal auditor in his attempts to start formalising risk management and internal controls. Furthermore, the head of the audit committee is convinced that, although just recently appointed, the internal auditor is going in the right direction.
In this company, the internal audit function has existed for more than 15 years, but has always been performed by a single internal auditor. The most recent internal auditor had been appointed six months before the case study took place. The internal auditor reports administratively to the CEO. According to the CEO, internal auditors have always been accepted within the company, thanks to their practice-oriented way of working, close to the people in the field. The CEO perceives his relationship with the internal auditor as strong. Furthermore, the CEO and CFO both attach great importance to promoting the internal audit function within the company:
When this internal auditor was engaged, we sent a note to everyone in the company to make sure that they all know the role of internal audit and what is expected from them as a reaction to his work. (CEO)
Thanks to the open communication about his function, the internal auditor is convinced that everyone in the company perceives his role in the same way.
Data analysis reveals four specific expectations of the CEO regarding the current internal auditor. First, he expects the internal auditor to perform independent evaluations of systems and procedures, in order to provide him with a sufficient level of assurance. The internal auditor confirms that an important part of the added value of his work results from his provision of assurance regarding internal controls to senior management and the audit committee.
Second, the internal auditor is expected to be a continuous improvement tool, focused on improving the effectiveness and efficiency of processes and procedures. The internal auditor stresses that, besides his assurance role, he clearly operates as a management assistant in improving processes and procedures. This is confirmed by the recently-updated internal audit charter:
The overall objective of the program of internal audit is (i) to assist all levels of management in the effective discharge of their responsibilities by providing independent analysis, appraisals, advice and recommendations concerning the activities reviewed; and (ii) to assist management in obtaining the company's goals and objectives. Internal auditing is an advisory function having independent status within the company. (Internal audit charter)
The CEO confirms that the internal auditor meets these two expectations. Thanks to his work, the efficiency of some specific processes has clearly improved. Therefore, the CEO wants internal audit to focus even more on continuous improvement through the engagement of an additional internal auditor:
It is because we saw all these improvements, that we are thinking about hiring an additional junior auditor. (. . .) We reviewed the internal audit tasks and decided that we want to extend this more toward continuous improvement. (CEO)
Third, the CEO expects the internal auditor to play a role in the formalisation of the risk management system, for example by coordinating the development of a centralised risk database. Inspired by his working experience in external audit, the internal auditor agrees that he wants to become actively engaged in the evolution towards more formalisation:
I am used to working in a very formal environment, where everything is well-documented. (Internal auditor)
More specifically, he will indicate the weaknesses in the current risk management approach, provide recommendations based upon his experience within other companies and even assist management by providing them with tools to implement these recommendations.
Fourth, the CEO expects the internal auditor to actively collaborate with the external auditor, but leaves it up to him to determine the extent of this role. The internal auditor confirms that he closely collaborates with the external auditor through the provision of input for each others' audit planning and the exchange of audit reports. His background as an external auditor definitely has benefited this collaboration. In the new internal audit charter, the internal auditor clearly includes that:
The internal audit department will liaise with the external auditors to foster a cooperative working relationship, reduce the incidence of duplication of effort, ensure appropriate sharing of information, and ensure coordination of the overall audit effort. The internal audit department will make available to the external auditors all internal audit working papers, programs, flow charts and reports. (Internal audit charter)
While constructing his audit planning, the internal auditor expects the CEO and CFO to indicate high-risk areas on which to focus his work, as he still lacks sufficient knowledge about the company. The CEO agrees that he, as well as the CFO, have a strong influence on the internal audit planning by suggesting specific topics to include and asking the internal auditor to reserve sufficient time for ad hoc requests during the year. Before every audit, the CEO and CFO can also suggest specific issues they want to have included in that specific audit. Furthermore, the CEO and CFO are both actively interested in the internal audit reports and the follow-up of recommendations. They have monthly meetings with the internal auditor to discuss the internal audit work and the reactions of operational management to it. If necessary, they intervene to help the implementation of his recommendations which the internal auditor feels is important.
Data analysis reveals that the relationship between the internal auditor and the audit committee is very superficial in both directions. On one hand, the audit committee does not provide significant input for the internal audit planning. On the other hand, the internal auditor communicates with the audit committee very superficially, which makes active follow-up by the audit committee almost impossible. Besides, the audit committee is not convinced of the potential added value of the internal auditor, especially because they do not perceive him as independent:
The internal auditor is working for management and is strongly influenced by management, so there still is an independence problem. We rely on the external auditor. They are the only source of neutral information on the internal control system. (Head of the audit committee)
It is becoming clear that in this case, the internal auditor mainly operates in a management supporting role, based upon a close two-way relationship with senior management. The audit committee does not have any significant influence on the internal audit agenda, which makes it easier for the internal auditor to meet the expectations of senior management as his only important ‘client’.
In this company, the internal audit function has existed for 16 years and has, similar to Case B, always been performed by one internal auditor. The current internal auditor has performed this function for two years and reports administratively to the CFO. Although the CFO notes that the current internal auditor generally is accepted and perceived positively within the company, thanks to his constructive way of working, he has to admit that the current internal auditor still has limited maturity and experience in the business. The CFO does not rule out that this can have an impact on the perception of his work. The internal auditor agrees that, contrary to how it is with senior management, among those at the lower levels of the company, he is still perceived as a police officer focused on finding problems and mistakes:
Last week, I was at our Australian subsidiary and their first reaction was: there is the ABC [name of the company] police. (Internal auditor)
Fortunately, in most cases this is just the initial reaction, which is precipitated by ignorance about the role of internal audit. As soon as people know what the internal auditor is doing and what they can expect from him, their perception changes. The expertise of the current internal auditor is limited to financial, accounting and organisational areas, which has an impact on the scope of the audit planning. However, audits outside these areas can be delegated to people with more detailed expertise. The internal auditor would prefer to hire an additional internal auditor, but he is not sure whether senior management would be keen on this.
The major expectation of the CFO vis-à-vis the internal auditor can be summarised as a detailed and focused control of processes and procedures to investigate whether they are adequate and correctly followed. He expects the internal auditor to provide him with feedback on this (assurance), as well as with sufficient recommendations to improve the processes and procedures. The core task of internal audit, as described by the internal auditor, corresponds more or less with this expectation. He describes his work as focused on evaluating the internal controls, especially because they have an important influence on financial reporting, in order to provide assurance on these controls and recommendations to improve them. Thus, his primary focus is on the internal controls. Improving the processes, from a broader point of view, is rather a secondary objective.
More specifically, the CFO expects the internal auditor to base his work on personal contacts with people in the field:
I expect the internal auditor to base his work on personal contacts with the people who are audited . . . we do not have a culture to arrange such things by mail or email . . . he has to do his work on site. (CFO)
The internal auditor agrees that the most important aspect of an audit is listening to the people, giving them the opportunity to raise issues, and provide their opinions. Furthermore, the internal auditor perceives himself as a facilitator for whistle-blowing, especially for financial people. However, the CFO is not convinced of this role, given the internal auditor's limited maturity and experience with the company.
The CFO perceives his relationship with the internal auditor as constructive. Together with the CEO, he is involved with the development of the internal audit planning. Their input is primarily based on the monthly business review meetings they have with lower management, combined with their own risk assessments. The internal auditor confirms that every internal audit planning is discussed with the CEO and CFO, in order to ensure that all proposed audits are relevant in their eyes. Furthermore, the internal auditor is satisfied that the CEO and CFO pay sufficient attention to his recommendations and their follow-up. The CFO confirmed that they pay attention to the results of the internal audit work during their business review meetings. He agrees that the internal audit reports meet his expectations and that they create a certain level of risk and control awareness within the company. Besides, the CFO is convinced that the work of the internal auditor adds value to the company, although only on a limited scale:
There are value adding aspects in his audit reports, but no world-shaking things . . . but he adds value. They are perceived like that by most people in the company. (CFO)
Although the CFO does not express any expectations about the role of the internal auditor in risk management, the internal auditor expects senior management to start formalising their risk management in a more professional way, as well as documenting the internal control system:
Policies and procedures . . . most of them are rather common sense and informal, which does not mean that they are not working well, but there is still room for improvement. It is mainly because top management still prefers to arrange things rather informally. (Internal auditor)
Nonetheless, he is convinced that the company is not yet ready for this. Remarkably, he does not see an important role for himself in this formalisation process, which probably can be explained by his limited capacities (resources and expertise).
An analysis of some audit committee meeting reports and the internal audit planning reveals that the audit committee also has a significant influence on the internal auditor's agenda:
If they provide input, all the rest has to wait. (. . .) If they do not feel okay with the planning, then it definitely should be modified. (Internal auditor)
Despite the strong influence of the audit committee, we could not identify any conflict between their expectations and the expectations of senior management. They also attach great importance, for example, to the communication skills of the internal auditor and his open and friendly attitude towards people in the field. It appears that the internal auditor is able to meet the expectations of both ‘clients’, as his agenda reflects the priorities of both.
In this company, the internal audit department has existed for more than 20 years and recently increased from seven to ten internal auditors. The internal audit manager reports administratively to the CFO. Both the CFO and the internal audit manager agree that internal audit is appreciated and positively perceived within the company. This has increased significantly over the last three years, thanks to the support internal audit receives from senior management, which has increased the level of awareness regarding their work. Besides his significant influence on the internal audit agenda through involvement in annual risk assessments and specific ad hoc requests during the year (note that these represent 25% of the annual audit planning), the CFO openly reacts to audit reports and supports the internal audit findings and recommendations. He clearly shows to everyone that he perceives internal audit as an important function. Senior management also supported the recent appointment of three additional internal auditors. Furthermore, internal audit has improved the communication of their added value to the company significantly, especially through their risk assessments, audit reports and meetings, all of which has enhanced the acceptance of their function:
By performing risk analyses, we show them the risks they are exposed to . . . this really helped us to receive recognition, especially within the older business units. (Internal audit manager)
Additionally, the CFO and internal audit manager confirm that the corporate scandals of the last decade and the resulting legislative initiatives (especially the US Sarbanes-Oxley Act) have had a positive impact on the level of attention to controls in general and to internal audit more specifically. Furthermore, they agree that two recent small fraud cases within the company contributed positively to the acceptance of internal audit:
I am not happy that this happens, but it is good to have such cases, that shake people awake and prove the benefit of having an internal audit function. (. . .) You could argue that they could have given signs that this was going to happen. (CFO)
Overall, the CFO expects the internal audit department to be an adequate training ground for future potential managers, where they can work for two or three years and collect relevant expertise and knowledge about the company. To date, he is satisfied with the rotation of the internal auditors. Conversely, the internal audit manager is less happy with the high degree of rotation:
Currently, I do not have enough people with audit experience and company experience. This is becoming a problem. (. . .) Internal audit is a kind of fishing pond full of high potential, but they can't empty it completely. (Internal audit manager)
We were able to distinguish two additional specific expectations of the CFO with regard to internal audit. First, he expects internal audit to be a supportive function for management, instead of a pure control function. More specifically, he expects internal audit to support management in risk identification, risk assessment and risk management, as well as in monitoring and improving risk management and internal controls. It seems that the current internal audit programme, which focuses on overall internal control reviews, meets the expectations of the CFO. It is interesting to note that the internal audit department has developed its own approach to evaluating the internal control system, which enables internal audit to perform a more thorough evaluation and provide a higher level of assurance. Moreover, the internal audit manager stresses that it is more important for them to assist management via improvements in internal controls than by formulating mere opinions about them. Internal audit also reserves a certain amount of their work time to become engaged as advisors in consulting projects. By playing this supportive role, they are able to meet this important expectation of senior management. This is clearly communicated through the company intranet:
Internal Audit's services are available to all divisions and may provide useful support in a wide variety of business processes. (Company intranet)
With respect to internal controls, the CFO expects internal audit to play an active role in the implementation of a uniform internal control system within the whole company, thereby taking into account the cultural and human differences between the various subsidiaries. The internal audit manager agrees that the department regularly provides training and advice in local procedure development and, thereby, monitors and contributes actively to the application of standardised policies and procedures. Furthermore, the CFO expects internal audit to create the necessary level of control awareness. The internal audit manager is convinced that internal audit's work contributes to a higher level of control awareness, especially among non-financial managers. In this context, internal audit also wrote the Company Guide to Business Control that concisely summarises all policies and procedures at a group level; the guide was distributed to all management levels.
Second, the CFO is striving for total risk coverage, through more active collaboration between internal and external audit in order to have the highest possible level of assurance on the reliability of financial reporting, and the CFO expects internal audit to play an active role in the realisation of this ambitious goal. The internal audit manager confirms that, when drawing up the audit planning, they attempt to achieve broader risk coverage. Besides covering high-risk areas, upon which they traditionally focus, they also take into account lower-risk areas. This is confirmed by an analysis of the received copies of the risk assessment matrix and audit planning. Furthermore, internal audit also works, together with the external auditor, on a coverage chart (who audits what) with the intention of auditing more areas. Internal audit is also strengthening its relationship with the external auditor by providing them with copies of all audit reports and exchanging all relevant information, as input for the audit planning (in both directions). By doing this, they are on the right track to meet this second CFO expectation.
In contrast to Case B, the relationship between internal audit and the audit committee is very extensive, based upon formal discussions of the audit planning and audit results, as well as regular informal meetings between the head of the audit committee and the internal audit manager. Similar to Case C, the influence of the audit committee on internal audit is strong. The audit committee's expectations vis-à-vis internal audit are very similar to the expectations of senior management. Overall, the audit committee wants assurance regarding the compliance of the company with its overall policies and procedures, as stipulated in the Code of Conduct and Guide to Business Control. Furthermore, the audit committee attaches great importance to the advisory and assistive role of internal audit in the improvement of processes and internal controls. Finally, they also promote more intensive collaboration between the internal and external audit functions. It appears, then, that internal audit is able to meet the expectations of both ‘clients’. This is confirmed by the CFO and the head of the audit committee, both of whom are satisfied with the work of internal audit.
Internal audit has existed as an independent function in this company for 13 years and currently is staffed with three internal auditors. The Chief Internal Auditor reports administratively to the CEO. Overall, the CEO is convinced that internal audit currently is perceived within the company as supportive and value adding. According to the Chief Internal Auditor, his department has been more valued over the last three years thanks to its more systematic and professional approach. More specifically, internal audit started to develop their cycle-based audit planning in a more formalised way with the intention of providing an ‘in control statement’ combined with a more systematic way of reporting and following-up on the implementation of their recommendations. The Chief Internal Auditor also admits that, thanks to the new senior management team and especially the new CEO, the level of attention paid to internal audit in general, and their audit reports more specifically, has increased significantly, which led to some important improvements within the company:
I have received some positive echoes from local managers: thanks to the recommendations of internal audit, a process of change has been started . . . that is nice to hear. (Chief Internal Auditor)
The CEO agrees that he is satisfied with internal audit. He sometimes provides input for the audit planning and is actively following up on the recommendations of internal audit, by putting them on the agenda of his business meetings with local divisions, an important way ‘to make things happen’:
If necessary, I pick up the phone and ask the local manager why he did not react to the recommendations. (CEO)
Again, this illustrates the crucial importance of senior management support for the acceptance and impact of internal audit within a company.
Similar to the CFO in Case D, the CEO expects the internal audit department to be a training ground for future mangers who can be of great value in other functions. Contrary to Case D, the Chief Internal Auditor considers this to be a valuable attribute of his department. Recently, one of his internal auditors moved to another department, and the Chief Internal Auditor is convinced that he will take the internal audit philosophy with him and will actively contribute to improving the processes and internal controls within his new department.
Data analysis reveals four more specific expectations of the CEO vis-à-vis internal audit. First, and similar to Case A, the CEO clearly expects internal audit to compensate, through their work, for the loss of control that has resulted from the rapid growth of the company through many international acquisitions:
I have no problem with decentralisation, but this also means that you have the right to control them. You can control through reports, but also through those things that are not emerging in the reports and that is where internal audit comes in. (. . .) Internal audit has to make sure that I sleep soundly. (CEO)
The Chief Internal Auditor confirms that, given the growth that has occurred through acquisitions, the creation of a uniform reference framework of policies has always been an important priority for his department.
Second, the CEO expects the internal audit department, staffed with people who know the business, to focus their monitoring work on processes and procedures. The Chief Internal Auditor agrees that the internal auditor's major objective is to provide assurance to management via performance of operational audits. More specifically, they want to make sure that processes and related internal controls are effective and efficient and that relevant and important risks are identified and managed. Moreover, they always look at the effect of the processes under review on financial reporting. In order to be able to provide this assurance to management, internal audit actively collaborates with the external auditor, for example, through the development of a common reporting protocol.
Third, the CEO wants internal audit to safeguard the corporate culture, especially because of their regular personal contacts with people in the field:
They hang around in the divisions of the company and sometimes they have particular feelings about certain topics . . . although they do not have hard data to support these suppositions, these feelings often are of great interest to me. (CEO)
This is a major driver for the CEO to have regular informal contacts with the Chief Internal Auditor.
Fourth, and given the importance of acquisitions for the growth of the company, the CEO expects the internal audit department to play a value-adding role in due diligence work. He perceives their judgement and advice to be invaluable, particularly because they know the business very well. Therefore, internal audit always has a member on any ad hoc composed acquisition teams. The Chief Internal Auditor confirms that the internal auditors spend, on average, 15% of their annual work time on due diligence work. More generally, the CEO expects that internal audit's advisory role in strategically important projects will become more prominent in the future. Similarly, the Chief Internal Auditor has clear intentions of focusing more on assisting and supporting management, by playing a proactive consultative role, which will make management more capable of anticipating potential problems.
Similar to Cases A and C, the Chief Internal Auditor expects senior management to pay more attention to the integration and formalisation of the risk management policy, as this currently is rather fragmented throughout the company. Internal audit regularly signals this shortcoming, which recently led to increased awareness, as several departments put particular aspects of risk management into practice. Because the Chief Internal Auditor is convinced that the risk management policy is still far from well-structured at the corporate level, he is prepared to assist management in this process, without assuming any responsibility for it.
Although we were not able to interview any audit committee member, the Chief Internal Auditor provided us with some relevant insights. According to him, the audit committee prefers that internal audit focuses less on due diligence work and more on operational audit work, which contrasts with the expectations of senior management. Consequently, the Chief Internal Auditor would prefer to extend his department in order to be able to meet the expectations of both senior management and the audit committee. Furthermore, the Chief Internal Auditor expects more active and business-oriented input from the audit committee, as their input has remained very limited until now. With respect to follow-up of internal audit's findings, the audit committee focuses its attention only on high-risk areas and, to some extent, ignores the ongoing operational findings. Based upon these limited indications, it appears that internal audit's relationship with the audit committee is less intensive than their relationship with senior management, probably due to some conflicting expectations.
In three of the five cases, internal audit reports administratively to the CEO; in the two remaining cases, to the CFO. Cross-case analysis reveals five general expectations of senior management vis-à-vis internal audit. First, senior management expects internal audit to compensate for the loss of control that results from the increased corporate complexity that, in turn, is the result of growth through mergers and acquisitions internationally, as well as the continuous trend towards decentralisation. Second, and contrary to Galloway's findings (1995), they expect internal audit to serve a supporting function, instead of a pure control function. The meaning of this role depends upon the specific case and will be summarised below. Third, senior management sometimes wants internal audit to be a training ground for staff with high management potential. It is understandable that internal audit departments consisting of several internal auditors are better able to cope with a high rotation rate and, consequently, to meet this expectation. Note that internal audit's perception of its role as a training ground is not uniformly positive. Fourth, senior management expects internal audit to be the safeguard of the corporate culture and, consequently, attach great importance to the personal contacts the internal auditors have during their work with people in the company. Therefore, they expect internal auditors to have appropriate communications skills. Sometimes, they even expect internal audit to be a facilitator for whistle-blowing. Fifth, we also find indications that, in some cases, senior management expects internal audit to actively collaborate with the external auditor in order to increase the total audit coverage. Internal audit confirms that they attach more importance to this collaboration and, therefore, actively exchange their audit planning and reports in order to make their work complementary to the work of the external auditor.
When looking into the specific meaning of the supporting role senior management expects internal audit to play, we could distinguish several areas. First, and similar to what was reported in Cooper et al. (1996), senior managers expect internal audit to evaluate, in an independent way, the effectiveness and efficiency of processes in general, and of internal controls more specifically, in order to provide them with a sufficient level of assurance, which supports them in fulfilling their growing monitoring responsibilities. Internal audit confirms that they still focus on the provision of assurance, primarily with respect to internal controls, to their different ‘clients’, which include senior management.
Second, and in addition to the provision of assurance, senior management expects internal audit to actively contribute to improving the effectiveness and efficiency of the internal controls and processes. Internal audit agrees that they spend a significant proportion of their time and effort supporting management by providing recommendations, assisting management with the implementation of these recommendations, and performing ad hoc consultative work in strategically important projects (e.g. acquisitions), often as the result of specific management demand (cf. Ridley & D'Silva, 1997; Brody & Lowe, 2000). Furthermore, they actively contribute to the development and implementation of a uniform and standardised internal control system throughout the several subsidiaries of the company, thereby attempting to compensate for the loss of control experienced by senior management. Internal audit is convinced that this role adds value to their company.
Third, and depending on the status of the risk management system, senior management often expects internal audit to assist with the formalisation of the risk management system. Moreover, senior management expects internal audit's work to create a sufficient level of risk and control awareness within the company, taking into account the overall corporate culture and attitudes towards risk and control. Besides their own role in risk management, internal audit expects senior management, which has the final operational responsibility for risk management, to take the first steps in this formalisation process, by changing their own (often averse) attitudes towards risk management and internal control and by giving the right signals and stimuli to the lower management levels. As also suggested by Goodwin-Stewart & Kent (2006), internal audit appears to be convinced that a formalised risk management and internal control system is a more supportive environment in which to work. Internal audit is, in most cases, convinced of their own (pioneering) role in formalising risk management (see also Sarens & De Beelde, 2006a). This role differs from case to case, and ranges from creating awareness to becoming actively involved in the formalisation process.
The cross-case analysis clearly indicates that the acceptance and appreciation of the internal audit function within the company is strongly dependent upon the support of senior management. In other words, the extent to which senior management supports the internal audit function has a strong signalling function within the company. More specifically, this support is translated into the input senior management provides for the annual internal audit planning, the number of ad hoc requests senior managers have during the year, the attention they pay to the outcomes of internal audit work, the way they follow up on internal audit's recommendations and resulting action plans, and their support for an expansion of the internal audit function through the engagement of additional internal auditors. It should be clear that these are indicators of the strength of the relationship between internal audit and senior management. Consequently, internal auditors, who are actively looking for senior management support, expect to receive input from the CEO and CFO on a regular basis, as well as to have productive discussions with senior management on the results and follow-up of their work. Furthermore and complementary to senior management's support, internal audit's own efforts to promote their function through, for example, more explicit communication regarding their added value, also augment the acceptance of their function. Similar to Carcello et al. (2005), we found indications that the recent corporate scandals and resultant increased attention for corporate governance, have contributed to an increase in the overall level of appreciation for internal audit. Even some small fraud cases at company level can enhance the level of attention paid to internal audit's work. The cross-case analysis also suggests that the acceptance and appreciation of internal audit by senior management is influenced by the maturity of the internal audit function. In Case A, the young internal audit function was confronted by some ignorance about the role of internal audit, which necessitates the promotion of the function through clear and intensive communication (cf. also Cooper et al., 1994).
Similar to Griffiths' findings (1999), it becomes clear that senior management's expectations have a significant influence on internal audit. Contrary to Cooper et al. (1994), the cross-case analysis did not reveal significant inconsistencies between senior management's expectations and the actual internal audit work. Furthermore, and contrary to Griffiths (1999), most CEOs and CFOs are satisfied with the work of internal audit in their company. In other words, internal audit is more or less able to meet the expectations of senior management and, in most cases, receives the support they expected from senior management in return.
When studying the relationship between internal audit and senior management, we also took into account the influence of the audit committee. In four of the five cases, internal audit appears to have a relatively close relationship with the audit committee, reflected by a limited but significant influence of the audit committee on the internal audit agenda. In three of these four cases, the audit committee and senior management have more or less the same expectations with respect to internal audit. Overall, the audit committee also expects internal audit to support management by providing assurance, combined with sufficient attention to their advising and assistive roles in improving processes and internal controls. These similar expectations make it easier for internal audit to meet the expectations of both ‘clients’. In only one case did we find indications of some conflicting expectations, although this was based only upon comments provided by the Chief Internal Auditor, without confirmation by any audit committee member.