Keywords:

  • internal audit;
  • senior management;
  • CEO;
  • CFO;
  • audit committee;
  • relationship;
  • expectations;
  • perceptions;
  • case studies;
  • Belgium

Abstract

  1. Top of page
  2. Abstract
  3. SUMMARY
  4. INTRODUCTION
  5. INSTITUTIONAL CONTEXT
  6. LITERATURE REVIEW AND RESEARCH QUESTIONS
  7. METHODOLOGY
  8. EMPIRICAL RESULTS
  9. CONCLUSIONS AND DISCUSSION
  10. ACKNOWLEDGEMENTS
  11. REFERENCES
  12. AUTHOR PROFILES
  13. Appendix

This study, based upon Belgian case studies, provides a qualitative assessment of the relationship between internal audit and senior management, analysing the expectations and perceptions of both parties. We found that senior management's expectations have a significant influence on internal audit and that internal audit, generally, is able to meet most of these expectations. Senior management wants internal audit to compensate for the loss of control they experience resulting from increased organisational complexity. Senior management expects internal audit to fulfil a supporting role in the monitoring and improvement of risk management and internal control, and wants them to monitor the corporate culture. Furthermore, they expect internal audit to be a training ground for future managers. On the other hand, internal audit expects senior management to take the first steps in the formalisation of the risk management system. They are looking for senior management support, as this benefits their overall acceptance.


SUMMARY

This study aims to contribute to the literature by investigating the relationship between internal audit and senior management (CEOs and CFOs). More specifically, we provide a qualitative analysis of their expectations and perceptions with regard to each other. In addition, we take into account the influence of the audit committee. Our conclusions are based upon five case studies within Belgian companies.

We found that, on the one hand, senior management's expectations have a significant influence on internal audit. Internal audit, on the other hand, is able to meet most of these expectations leading to the management support they need.

Senior management expects internal audit: (1) to compensate for management's loss of control resulting from increased organisational complexity; (2) to be the safeguard of the corporate culture through personal contacts with people in the field; (3) to be a supportive function in the monitoring and improvement of the risk management and internal control system; (4) to be a training ground for future managers; and (5) to collaborate actively with the external auditor to increase total audit coverage.

Given the fact that a formalised risk management and internal control system is considered to be a more supportive environment, internal audit expects senior management to take the first steps in the process of formalising the risk management system.

Furthermore, we found that the overall acceptance and appreciation of internal audit within the company is strongly dependent upon the support they receive from senior management. Therefore, internal audit actively seeks this support by promoting and communicating their added value. We also found indications that this support is related to the maturity of the internal audit function.

When taking into account the influence of the audit committee, we can conclude that, although the audit committee also has a strong influence on internal audit, its expectations are more or less similar to those of senior management. Therefore, internal audit, in most cases, is able to meet the expectations of both ‘clients’.

INTRODUCTION

Internal auditors are rock stars now. This is their day in the sun . . .

(Bruce Nolop, an American CFO, in Handy & Paterson, 2005, p. 48)

Stakeholders of organisations increasingly are demanding that boards and executive management apply accepted governance principles, adhere to sound risk management, and demonstrate publicly that they are in control of their organisations. The definition of internal auditing provided by the Institute of Internal Auditors (IIA) includes references both to assurance and to consulting activities directed at the governance, risk management and internal control processes. Consequently, an internal audit activity that fulfils this definition is uniquely positioned to support the board and management as an essential component of their governance mechanisms (ECIIA, 2005). Moreover, Carcello et al. (2005) found indications that, thanks to this enhanced focus on corporate governance, effective oversight and sound internal controls, the importance assigned to internal auditing by management has increased. Furthermore, they suggest that senior management's expectations of the internal audit function have changed in profound ways.

Additionally, it has been found that an expectations gap arises when audit customers (including senior management) do not recognise the value of the internal audit (IA) function. In order to function effectively, internal auditors and the customers of audit services should possess a similar understanding of what makes internal auditing a value-adding activity. Failure to reach this understanding could result in the perception that internal audit is simply an obstacle to achieving organisational objectives. This can result in underutilised audit services and ignored audit recommendations (Flesher & Zanzig, 2000).

In academic research, most empirical work related to internal audit's relationship with other organisational parties deals with the relationship between internal audit and the audit committee (e.g. Raghunandan et al., 1998; 2001; Spira, 1999; Goodwin & Yeo, 2001; Goodwin, 2003). Even though, in practice, internal audit regularly interacts with senior management (CEO and/or CFO) with respect to day-to-day activities, academic research on this relationship is very limited. Therefore, and given the importance of contemporary corporate governance requirements, this study, based on five Belgian case studies, aims to understand the relationship between internal audit and senior management (CEO and CFO). More specifically, this paper provides a qualitative assessment of each side's expectations and perceptions with regard to the other. In order to obtain more thorough insights into this relationship, we also take into account the influence of the audit committee, another important player in corporate governance, on this relationship.

For each case study, we conducted semi-structured interviews with the internal auditor or head of internal audit, the CEO and/or CFO and, where possible, the head of the audit committee. Moreover, we sought access to relevant, often confidential documents to support the insights we gleaned from these interviews.

This paper is structured as follows. The next section briefly describes the institutional context of this study. The third section reviews relevant literature and formulates the research questions. The fourth section outlines some methodological aspects. The fifth section presents the insights we gleaned from each individual case study and formulates cross-case insights. The last section summarises and discusses the conclusions of this study.

INSTITUTIONAL CONTEXT

European companies face a challenging environment characterised by significant change, changes which include the globalisation of markets, the modernisation of communication technologies, and the enlargement of the European Union (EU), to name but a few. In such an environment, companies should benefit from a regulatory framework that encourages efficiency and competitiveness, while fostering sound and transparent corporate governance practices. It is with that aim in mind that the European Commission, in 2003, launched the Action Plan on Modernising Company Law and Enhancing Corporate Governance in the European Union. The plan is currently being implemented by the EU Commission through various legal initiatives aimed at improving governance and strengthening stakeholders' rights. In Belgium, there were three separate sets of rules drawn up by different authorities (1998), that needed to be updated and consolidated (Belgian Corporate Governance Committee, 2004).

At the initiative of the Banking, Finance and Insurance Commission (BFIC), Euronext Brussels and the Federation of Belgian Enterprises (FEB-VBO), a committee was established to draft a single code of best practice on corporate governance for all listed companies. The committee's aim was to draft a code aligned with international practice and EU recommendations. The comments received regarding its first draft, together with recent EU Commission initiatives, helped the committee to finalise the code, which was published on 9 December 2004 (the so-called Code Lippens). The code is based upon a ‘comply or explain’ system, which allows companies to deviate from the provisions of the code when their specificities so justify, subject to providing adequate explanation (Belgian Corporate Governance Committee, 2004).

On 21 September 2005, a corporate governance code for non-listed companies (the so-called Code Buysse) was launched, in order to meet the specific needs of this significant group of companies.

LITERATURE REVIEW AND RESEARCH QUESTIONS

This section provides necessary background information on the responsibilities of senior management in corporate governance, risk management and internal control, as well as on the two-way relationship between internal audit and senior management. This section also provides insights from previously-published research on the relationship between internal audit and senior management, and also illustrates the need to take into account the influence of the audit committee when studying this relationship.

Responsibilities of senior management in corporate governance, risk management and internal control

Investigating national and international corporate governance guidelines and best practices, it becomes clear that good governance requires that the board of directors is responsible for applying high ethical standards; for guiding strategy and risk policy; for monitoring corporate performance; and for ensuring that appropriate systems of internal control are in place, including adequate identification and management of risks. The board often sets up an audit committee to assist in fulfilling its monitoring responsibilities, with respect to control in the broadest sense (cf. UK Combined Code, 2003; Belgian Corporate Governance Committee, 2004).

Selim and McNamee (1999) point out that risk management starts with a risk assessment, whereby the organisation (management) attempts to estimate the probable consequences of threats and opportunities (risk identification, measurement and prioritisation), followed by risk management, wherein decisions need to be made about how to manage the perceived consequences of that risk. It seems clear that a framework of internal controls is a key response to managing risks. The first version of the UK Turnbull Report (1999) can be considered to be one of the first public documents in the EU that clearly emphasises the relationship between internal controls and risk management. Finally, risk communication deals with articulating the results of the previous two components to the interested shareholders, both within and outside the organisation.

The system of internal control comprises those elements of an organisation (including its resources, systems, processes, culture and structure) that support people in the achievement of the organisation's objectives. They facilitate the effective and efficient operation of companies, by enabling them to respond appropriately to significant risks. This includes safeguarding assets from inappropriate use or from loss and fraud, and ensuring that liabilities are identified and managed. Furthermore, internal controls help to ensure the quality of internal and external reporting. Finally, internal controls help to ensure compliance with applicable laws, regulations and internal policies (COSO Framework, 1992).

It is the role of management to implement board policies on risk and internal control. In fulfilling its responsibilities, management should identify and evaluate the risks faced by the company for consideration by the board, and it should design, operate and monitor a suitable system of internal control which implements the policies adopted by the board (cf. Belgian Corporate Governance Committee, 2004; UK Turnbull Guidance, 2005). In other words, management must decide if the identified risks are at an acceptable level; and, if they are not, management must take action to respond to those risks. Management is responsible for establishing the framework of internal controls as part of its management of risks, and for keeping that framework up-to-date as risks change. Management also operates the controls and, most importantly, should strive to assure itself that the controls are working effectively, by undertaking regular review activities (continuous monitoring) and receiving periodic reports (separate monitoring) from their own departments. This assurance activity is an essential part of a good control framework. Following recent scandals, and as part of measures to improve governance, management is required to demonstrate that it is fulfilling its responsibilities with respect to the system of internal control. Therefore, not only does management need to have effective controls and to assure itself that these controls exist, it also must be able to demonstrate these facts to third parties: to the board, to statutory audit and even to the general public (ECIIA, 2005).

Note that all employees have some responsibility for internal control, as part of their accountability for achieving objectives. They, collectively, should have the necessary knowledge, skills, information and authority to establish, operate and monitor the system of internal control. This will require an understanding of the company, its objectives, the industries and markets in which it operates, and the risks it faces (cf. UK Turnbull Guidance, 2005).

Internal audit as support for senior management

Senior management and the board may desire objective assurance and advice on risks and controls. An adequately resourced internal audit function may provide such assurance and advice (UK Turnbull Guidance, 2005).

A professional internal audit activity will supplement senior management's actions, by providing independent and objective assurance on the effectiveness of the organisation's governance processes, how well it manages all kinds of risks, and whether internal control processes are operating, as required, to manage risks to an acceptable level. In other words, the CEO receives an independent and objective assurance on the quality of internal controls from someone other than the CFO or line managers, and/or the CFO receives independent and objective assurance on the quality of internal controls from someone other than the line managers and decentralised finance staff. Furthermore, internal audit can play a key role in monitoring a company's risk profile and identifying areas in which to improve risk management processes. Internal auditors also support management by providing consulting services, which contribute to the establishment of sound risk management processes, by facilitating management's efforts to improve the system of internal control, and by giving advice on the implications of organisational changes to that system (Leithhead, 2000; Lindow & Race, 2002; Spira & Page, 2003; Page & Spira, 2004; ECIIA, 2005).

Even before the recent changes in corporate governance guidelines, a number of finance directors, surveyed in a study by Griffiths (1999), already recognised the major challenge for internal audit to lead the corporate governance agenda, which provides an opportunity for them to directly support senior management's requirements and responsibilities in this regard. A more recent study, by Page and Spira (2004), concludes that internal auditors generally view corporate governance guidelines – such as, for example, the first UK Turnbull Report (1999) – as beneficial to their cause, and reported that internal auditors claim that these guidelines have helped to alter perceptions of internal audit in a positive way, such that operating departments frequently sought the advice of internal audit when implementing new or changed processes. Furthermore, Goodwin-Stewart & Kent (2006) found evidence that companies with an integrated risk management framework are more likely to use internal audit. Additionally, their study confirms that internal audit is complementary to other risk management mechanisms, such as a designated risk manager.

Besides their significant assurance and consulting role in risk management, internal control and corporate governance, internal audit can also act as a support for management in terms of reviewing operational efficiency, investigating outcomes of financial initiatives, and providing knowledge of business activities (Cooper et al., 1996). Furthermore, internal audit is sometimes asked to work with senior management in various other (ad hoc) activities of the organisation, such as, for example, acquisitions, mergers and systems development and implementation (Brody & Lowe, 2000). The rationale is that more can be accomplished through review, providing advice up front to management to assist it in setting business objectives (Bou-Raad, 2000).

Senior management as support for internal audit

Besides the valuable supportive role that internal audit can play for senior management, a solid and constructive relationship with senior management is also critical for effective functioning of the internal audit activity (ECIIA, 2005). More specifically, Attribute Standard 1110 of the International Standards for the Professional Practice of Internal Auditing (2004) stipulates that ‘the chief audit executive should report to a level within the organization that allows the internal audit activity to accomplish its responsibilities’. The related Practice Advisory 1110-2 recommends that, besides having a functional reporting relationship with the audit committee, the Chief Audit Executive (CAE) must have an administrative reporting relationship with senior management (preferably the CEO or another executive with sufficient authority) in order to achieve appropriate support to accomplish internal audit's day-to-day activities. In general, this support should include positioning the function and the CAE in the organisation's structure in such a manner that affords appropriate stature for the function within the organisation (e.g. unrestricted access to staff, information and documentation).

Additionally, certain Performance Standards (2010, 2020, 2060) address more specific means by which senior management can support internal audit. It is mentioned that the CAE should consider the input of senior management (CEO/CFO) during internal audit planning (see also Doyon, 1996; Hubbard, 2000). Thus, senior management can support internal audit by giving them specific input (requests), which often reflects high-risk areas or important business opportunities. The CAE, in turn, should inform senior management of the internal audit planning and resource requirements, including significant interim changes, both for review and approval. The CAE should also report periodically to senior management on the internal audit activity's purpose, authority, responsibility and performance relative to its plan (see also Leithhead, 2000). Furthermore, different levels of management, including senior management, should commit to providing prompt responses to recommendations from internal audit, to monitoring the implementation of action plans, and to keeping internal audit informed of plans, of changes to the risk and internal control profile of the organisation, and of major changes to the organisation's policies and procedures.

Figure 1 presents an overview of the two-way relationship that should exist between senior management and internal audit.

Figure 1. Relationship between internal audit and senior management.


The relationship between senior management and internal audit: insights from previous studies

Due to an often strong direct or indirect relationship between internal audit and the CEO and/or CFO, as suggested above, it is reasonable to expect that senior management is in a position to exert a significant influence over internal audit. Although Griffiths (1999) argues that financial directors' expectations of internal audit are significant in relation to their role and development, the number of empirical studies that have investigated the relationship between senior management and internal audit is limited.

Although the audit committee should be responsible for the (re)appointment and dismissal of the CAE, McHugh & Raghunandan (1994) found that, especially in large companies, CFOs often have the authority to hire (31% of the companies) and fire (29%) the CAE. If the hiring/firing authority is vested with the audit committee, but senior management continues to have authority over the budget and evaluation of the internal audit department, internal audit remains highly ‘dependent’ upon the CEO and/or CFO.

An early Australian study, by Cooper et al. (1994), revealed a number of inconsistencies among CEOs and internal audit managers about the areas covered by internal audit. The areas which were most strongly supported by CEOs were not necessarily those in which internal audit managers indicated they spent a proportionate amount of their time. For example, there are clear differences in the perceptions of CEOs with respect to the audit of financial areas, compared with the reality reported by internal audit managers. The authors conclude that the role and scope of internal auditors within organisations require clarification between management and internal audit departments. The gap between CEOs' understanding of the extent of audit coverage and the time, in fact, being devoted to these areas can truly be bridged only by closer consultation within organisations (see also Mathews et al., 1995). Similarly, Galloway (1995) points out that managers may restrict the internal audit's role to that of evaluating internal controls over traditional areas such as accounting and finance.

Cooper et al. (1996) examined CEOs' perceptions with respect to internal audit in Australia, Malaysia and Hong Kong. The majority of the CEOs in their study perceived that internal audit had a consultative/participative approach. A large proportion of CEOs from all three countries believe in the traditional internal audit role of providing an independent appraisal of the internal control system. However, there was growing support for the more participative processes of an independent review of operational efficiency, and of management effectiveness. Given that CEOs in all three countries regarded EDP operations as a major area they perceived was being covered by internal audit, the internal audit managers in their study appear to be offering less than best practice in this respect.

Ridley & D'Silva (1997), comparing and contrasting senior managers' perceptions of internal audit value, also found that most senior managers saw internal audit in its traditional role of providing assurance through investigation, checks and assessment. Some recognised a widening internal audit scope into new roles as consultants and advisers, particularly into controls associated with information technology and management performance. Remarkably, the pattern of management perceptions of the value derived from internal audit contributions was different between CEOs and CFOs. More CEOs than CFOs saw growth in the value of reports to regulators and reports on environmental issues. More CFOs than CEOs saw growth in the value of reports on internal control.

Contrary to what is recommended by the IIA, Griffiths' study (1999), which involved 92 FTSE 200 companies, confirms actual practices, whereby in more than half of the responding companies (59%) internal audit reports directly and administratively to the CFO. This percentage is even higher if we take into account indirect reporting relationships with CFOs. Moreover, his study reveals that financial directors' perception of internal audit is by no means universally positive. The main concern was that the function was too low key and basic (and, therefore, insufficiently operationally or business risk oriented) or that the function was lacking in skills (or had a poor mix of skills and staff). In line with the views of financial directors in his study, internal audit needs to become much more business (risk) and operationally oriented; it also needs to be more proactive, responsive and innovative, and to enhance the skills within the function, as well as the quality of its staff. In general, providing a more constructive contribution, via involvement in the assessment and management of business risk, would enhance financial directors' perception of the internal audit function. More specifically, managing the control and risk self-assessment process, or having significant involvement in its delivery, provides an opportunity for internal audit to directly support the financial directors' requirements and responsibilities in this regard.

A recent study by Van Peursem (2005) found that internal audits are conducted in an environment of close and, sometimes, dependent associations with management, which makes their independence from management structurally at risk. She found that those who seem to be able to meet their own expectations are also those who most carefully balance the sometimes conflicting interests of their managers with the interests of their profession. Essentially, a key issue is that internal audit would assume whatever position is in the best interests of their employer and would be reluctant to counter management, irrespective of the consequences (Van Peursem, 2004).

What about the relationship between internal audit and the audit committee?

An effective audit committee can strengthen the position of internal audit, by acting as an independent forum for internal audit to raise matters affecting management (Goodwin & Yeo, 2001). Therefore, the IIA (2004) strongly insists that, besides reporting administratively to the CEO or its equivalent, the CAE should report functionally to the audit committee or its equivalent, which is critical to good corporate governance. In other words, the functional reporting line for internal audit is the ultimate source of its independence and authority.

According to Practice Advisory 1110-2 of the IIA (2004), reporting functionally means that the audit committee or its equivalent would:

  • approve the overall charter of the internal audit function;
  • approve the internal audit risk assessment and related audit plan;
  • receive communications from the CAE on the results of internal audit activities or other matters that the CAE deems necessary, including private meetings with the CAE without management present;
  • approve all decisions regarding the appointment or removal of the CAE;
  • approve the annual compensation and salary adjustment of the CAE, including an annual review of his or her performance;
  • make appropriate inquiries of management and the CAE to determine whether scope or budgetary limitations exist that might impede the ability of the internal audit function to execute its responsibilities.

It becomes clear that studying the relationship between internal audit and senior management without taking into account the influence and interests of the audit committee can result in only partial insights, as the audit committee can exert a considerable influence on internal audit practices.

Research questions

This study attempts to formulate qualitative answers to the following research questions and, thereby, tries to extend the literature on the relationship between internal auditors and senior management, taking into account the potential influence of the audit committee.

  • Research question 1: What does senior management expect the role of internal audit to be?

  • Research question 2: Does internal audit meet the expectations of senior management?

  • Research question 3: What does internal audit expect from senior management?

  • Research question 4: Does senior management meet the expectations of internal audit?

  • Research question 5: How does the audit committee affect the relationship between internal audit and senior management?

METHODOLOGY

Complementary to the existing research in this area, which is based primarily upon quantitative data (e.g. Cooper et al., 1994; McHugh & Raghunandan, 1994; Cooper et al., 1996; Ridley & D'Silva, 1997; Griffiths, 1999) and similar to the recent study by Van Peursem (2005), this study uses a wide range of qualitative data, in order to achieve more in-depth insights into the dynamic relationship between internal audit and senior management.

Contrary to large-sample studies that provide a generalisable set of findings related to a few pre-determined constructs, in-depth case studies produce much more detailed information, but about a limited number of people and cases (Patton, 2002). In this study, we focus on understandability, given the limited amount of in-depth knowledge on the relationship between internal audit and senior management. The inability to generalise from the data gathered in case studies to some larger population is often cited as a major weakness of case study research (Shaughnessy & Zechmeister, 1985). Schofield (1990) argues that, instead of producing a standardised set of results that any other researcher in the same situation or studying the same issue would have produced, the goal of case study research is to produce a coherent and illuminating description of, and perspective on, a situation that is based on, and consistent with, detailed study of that situation.

The selection of the five companies (cases) for this study was partially theoretically driven and partially based upon experience with internal audit in Belgium. Previous research indicates a positive relationship between firm size and the establishment of the internal audit function (e.g. Chow, 1982); therefore, we controlled for firm size and selected companies with at least 1,000 employees. Furthermore, all five companies operate on an international scale (Europe, USA, Asia and Middle East). All companies, except Case A, were listed on Euronext Brussels at the time of the case study. Every company had an audit committee that consisted of a majority of non-executive directors and which met three to six times in 2005. Inspired by previous research on internal audit in Belgium (cf. Sarens & De Beelde, 2006a, 2006b), we also took into account the age of the internal audit function, as well as the number of internal auditors. Related to the first parameter, we included four companies with a mature internal audit function (having existed for more than five years) and one company that only recently had created an internal audit function (in 2004). Related to the second parameter, we selected four companies with a small internal audit department (fewer than five internal auditors) and one company with a larger internal audit department (five or more internal auditors). Table 1 presents an overview of the five cases.

Table 1. Overview of the five cases

| | Case A | Case B | Case C | Case D | Case E |
|---|---|---|---|---|---|
| Number of employees (2005) | 2,000–5,000 | 1,000–2,000 | 2,000–5,000 | >10,000 | 2,000–5,000 |
| Turnover (2005) | >1 billion Eur | <500 million Eur | 500 million–1 billion Eur | >1 billion Eur | 500 million–1 billion Eur |
| Listing | Non-listed | Euronext Brussels | Euronext Brussels | Euronext Brussels | Euronext Brussels |
| Sector | Services | Services | Manufacturing | Manufacturing | Services |
| International dimension | 14 locations within Europe | Active in 11 European countries | 36 sites in Europe, Middle East, Asia and US | Active in 120 countries in Europe, US, Latin America and Asia | Active in 14 countries in Europe, Middle East and Asia |
| Age IA function | 1 year | >15 years | 16 years | >20 years | 13 years |
| Number of internal auditors | 1 | 1 | 1 | 10 | 3 |
| Audit committee | | | | | |
| Number of members | 4 | 3 | 3 | 5 | 3 |
| Number of non-executive members | 2 (50%) | 3 (100%) | 3 (100%) | 3 (60%) | 3 (100%) |
| Number of independent members | 2 (50%) | 2 (67%) | 2 (67%) | 1 (20%) | 1 (33%) |
| Number of meetings | 3 | 4 | 6 | 3 | 5 |

For each case, we conducted a semi-structured interview (60 to 120 minutes) with the internal auditor (in Cases A, B and C) or the head of internal audit (in Case D and E) and with the CEO (in Cases A, B and E) or the CFO (in Cases C and D), depending on the reporting relationship. In four of the five companies (Cases A–D), we were able to arrange an interview with the head of the audit committee. Although it was impossible to interview an audit committee member in Case E, we received some relevant documents from the Chief Internal Auditor, as well as his impressions on the influence of the audit committee. Note that all interviews were conducted independent of each other, such that, for example, the answers of the CEO were not taken as input for the interview with the head of internal audit at that company. All interviews were tape-recorded and transcribed immediately after the interview had taken place. The interview instrument, containing guiding questions, was developed based upon the research questions, the literature review, and our experience with the internal audit profession in Belgium, and can be found in Appendix 1. In order to support the interview data and enhance the reliability of our conclusions, we obtained copies of a considerable amount of archival material such as the internal audit charter and the internal audit planning, and even more confidential documents like internal audit reports, internal presentations, and audit committee meeting reports. Only one company (Case B) was reluctant to release these kinds of documents. Table 2 presents an overview of all collected data.

Table 2. Overview of the qualitative data

| | Case A | Case B | Case C | Case D | Case E |
|---|---|---|---|---|---|
| Interviews | CEO; Internal Auditor; Head of the audit committee | CEO; Internal Auditor; Head of the audit committee | CFO; Internal Auditor; Head of the audit committee | CFO; Internal Audit Manager; Head of the audit committee | CEO; Chief Internal Auditor |
| Documents | Internal audit charter; Internal audit planning; Internal audit report; Report audit committee meeting; Internal audit presentation to audit committee; Control matrices | Internal audit charter | Corporate Governance Charter; Report audit committee meeting; Management letter external auditor; Internal audit reports; Internal audit planning; Follow-up document | Code of Ethics; Business Control Guide; Internal audit planning; Internal audit presentation; Intranet pages on internal audit | Internal audit charter; Presentation audit methodology; Internal audit planning; Overview audits conducted; Internal audit report; Internal audit presentation to audit committee; Audit committee charter; Agenda audit committee meeting |

Analysis of these qualitative data was based upon the analytical protocol recommended by Miles & Huberman (1994). More specifically, all interview transcripts and documents were coded. Next, the most important observations were summarised for each company (within-case analysis) and sent back to the interviewees to obtain their confirmation. They were asked to react openly and add new comments, if necessary. These adjusted insights were translated into standardised matrices that facilitated the discovery of patterns through cross-case analysis.

EMPIRICAL RESULTS


In this section, we will outline the major insights from each case study (within-case analysis), followed by an overview of the cross-case analysis.

Case A

The expectations and perceptions in this case are strongly influenced by the fact that the internal audit function had been in existence only one year. The internal auditor reports administratively to the CEO. The CEO is aware that the internal audit function still is not fully accepted by everyone in the company. He is convinced that it is not easy to install such a function, as this requires a change of mentality which will take a few years:

Starting such a function is not easy. (. . .) We will have to work to change the mentality. I think this will take three to four years . . . it is a long-term investment. (CEO)

Therefore, he expects the internal auditor to spend enough time and effort on the promotion and marketing of his function. Furthermore, he finds it very important that the internal auditor becomes acquainted with the company, in order to become fully accepted, especially by senior management.

Besides these general expectations, the CEO also has more specific expectations with regard to the internal auditor. First, the CEO expects the internal auditor to compensate for the loss of control that arises from the recent growth of the company through foreign acquisitions. This was clearly the major driver to install the internal audit function:

We are a growing company. Our growth almost exclusively is based on foreign acquisitions, which leads to a potential loss of control, as well as to cultural problems. (. . .) The internal auditor should be located between the corporate level and the local network. They then should conduct audits in our local network and report their findings to us. (CEO)

Second, the CEO wants the internal auditor to become a supporting function in those activities that receive high management priority (e.g. future acquisitions). Therefore, together with the executive committee, he attempts to strongly influence the internal audit agenda. The internal auditor is aware that he will have to adapt his agenda to the expectations of the CEO, in order to become accepted. To some extent, the internal auditor is prepared to play the expected management supporting role in order to get this support and, therefore, to receive input pertaining to his audit planning from the CEO and other senior managers. However, he does not want to serve a purely consulting function for senior management, as he wants to maintain sufficient autonomy to determine his own agenda. As soon as senior management has accepted his function, the internal auditor expects productive discussions with them on his findings, conclusions and recommendations, which should improve their relationship. To date, these discussions have not taken place.

Third, the CEO wants the internal auditor to approach risk management from a broader, company-wide perspective, complementary to local managers who have a more focused view on the specific risks of their division. More specifically, the internal auditor is expected to complete a company-wide risk map. Furthermore, the CEO expects the internal auditor to create, through his work, a reasonable level of risk awareness within the company. However, given the corporate culture that stimulates risk-taking, the CEO wants the internal auditor to avoid creating too much risk awareness, which would temper the company's growth. In other words, he expects the internal auditor to work ‘in line with the existing corporate culture’.

The internal auditor is convinced that he has to play a pioneering role in the introduction of a more formal way of risk management within the company. Nevertheless, he perceives senior management as not giving the right signals to operational management, as they stimulate uncontrolled and extreme risk-taking behaviour. Besides, senior management has a rather averse attitude towards internal controls. Therefore, he expects senior management to change their attitude towards risk management and internal control. More specifically, senior management must start thinking about a clear and specific risk and control strategy:

A consistent strategy with regards to control and the internal control system should be designed by management. (Internal audit presentation to the audit committee)

That is a fundamental objective that I have to meet: getting management to start thinking about a control strategy. (Internal auditor)

Furthermore, senior management is expected to formulate clear policies and procedures, in order to indicate what is acceptable to achieve objectives:

There are no policies that define the perimeter within which the strategic objectives must be reached. (Internal audit presentation to the audit committee)

He is convinced that this is necessary to create a supportive environment for internal audit:

I can not work in an organisation that does not say what is acceptable and what is not, while striving to meet objectives. (Internal auditor)

Although the CFO and the Chief Operations Officer are aware of the importance of formalising risk management and internal controls, the internal auditor knows that convincing the CEO will be a fundamental step. He wants to make it clear to him that he will support senior management in this process. It is important to note that the audit committee supports the internal auditor. Contrary to senior management, the audit committee is more aware of the importance of risk management, especially as a crucial decision-supporting tool.

Given the overall status of the risk management system and the averse attitude of senior management towards internal control, the audit committee expects the internal auditor to focus on improving internal controls in high-risk areas, to follow up closely on his recommendations, and even to support management with the implementation of these recommendations:

More active follow-up of his recommendations definitely would create added value for the company. (Head of the audit committee)

Overall, we can conclude that the audit committee has similar expectations vis-à-vis the internal auditor with respect to his role in risk management and internal control. In contrast to senior management, the audit committee is more supportive of the internal auditor in his attempts to start formalising risk management and internal controls. Furthermore, the head of the audit committee is convinced that, although just recently appointed, the internal auditor is going in the right direction.

Case B

In this company, the internal audit function has existed for more than 15 years, but has always been performed by a single internal auditor. The most recent internal auditor had been appointed six months before the case study took place. The internal auditor reports administratively to the CEO. According to the CEO, internal auditors have always been accepted within the company, thanks to their practice-oriented way of working, close to the people in the field. The CEO perceives his relationship with the internal auditor as strong. Furthermore, the CEO and CFO both attach great importance to promoting the internal audit function within the company:

When this internal auditor was engaged, we sent a note to everyone in the company to make sure that they all know the role of internal audit and what is expected from them as a reaction to his work. (CEO)

Thanks to the open communication about his function, the internal auditor is convinced that everyone in the company perceives his role in the same way.

Data analysis reveals four specific expectations of the CEO regarding the current internal auditor. First, he expects the internal auditor to perform independent evaluations of systems and procedures, in order to provide him with a sufficient level of assurance. The internal auditor confirms that an important part of the added value of his work results from his provision of assurance regarding internal controls to senior management and the audit committee.

Second, the internal auditor is expected to be a continuous improvement tool, focused on improving the effectiveness and efficiency of processes and procedures. The internal auditor stresses that, besides his assurance role, he clearly operates as a management assistant in improving processes and procedures. This is confirmed by the recently-updated internal audit charter:

The overall objective of the program of internal audit is (i) to assist all levels of management in the effective discharge of their responsibilities by providing independent analysis, appraisals, advice and recommendations concerning the activities reviewed; and (ii) to assist management in obtaining the company's goals and objectives. Internal auditing is an advisory function having independent status within the company. (Internal audit charter)

The CEO confirms that the internal auditor meets these two expectations. Thanks to his work, the efficiency of some specific processes has clearly improved. Therefore, the CEO wants internal audit to focus even more on continuous improvement through the engagement of an additional internal auditor:

It is because we saw all these improvements, that we are thinking about hiring an additional junior auditor. (. . .) We reviewed the internal audit tasks and decided that we want to extend this more toward continuous improvement. (CEO)

Third, the CEO expects the internal auditor to play a role in the formalisation of the risk management system, for example by coordinating the development of a centralised risk database. Inspired by his working experience in external audit, the internal auditor agrees that he wants to become actively engaged in the evolution towards more formalisation:

I am used to working in a very formal environment, where everything is well-documented. (Internal auditor)

More specifically, he will indicate the weaknesses in the current risk management approach, provide recommendations based upon his experience within other companies and even assist management by providing them with tools to implement these recommendations.

Fourth, the CEO expects the internal auditor to actively collaborate with the external auditor, but leaves it up to him to determine the extent of this role. The internal auditor confirms that he closely collaborates with the external auditor through the provision of input for each other's audit planning and the exchange of audit reports. His background as an external auditor definitely has benefited this collaboration. In the new internal audit charter, the internal auditor clearly includes that:

The internal audit department will liaise with the external auditors to foster a cooperative working relationship, reduce the incidence of duplication of effort, ensure appropriate sharing of information, and ensure coordination of the overall audit effort. The internal audit department will make available to the external auditors all internal audit working papers, programs, flow charts and reports. (Internal audit charter)

While constructing his audit planning, the internal auditor expects the CEO and CFO to indicate high-risk areas on which to focus his work, as he still lacks sufficient knowledge about the company. The CEO agrees that he, as well as the CFO, has a strong influence on the internal audit planning by suggesting specific topics to include and asking the internal auditor to reserve sufficient time for ad hoc requests during the year. Before every audit, the CEO and CFO can also suggest specific issues they want to have included in that specific audit. Furthermore, the CEO and CFO are both actively interested in the internal audit reports and the follow-up of recommendations. They have monthly meetings with the internal auditor to discuss the internal audit work and the reactions of operational management to it. If necessary, they intervene to help the implementation of his recommendations, which the internal auditor feels is important.

Data analysis reveals that the relationship between the internal auditor and the audit committee is very superficial in both directions. On one hand, the audit committee does not provide significant input for the internal audit planning. On the other hand, the internal auditor communicates with the audit committee very superficially, which makes active follow-up by the audit committee almost impossible. Besides, the audit committee is not convinced of the potential added value of the internal auditor, especially because they do not perceive him as independent:

The internal auditor is working for management and is strongly influenced by management, so there still is an independence problem. We rely on the external auditor. They are the only source of neutral information on the internal control system. (Head of the audit committee)

It is becoming clear that in this case, the internal auditor mainly operates in a management supporting role, based upon a close two-way relationship with senior management. The audit committee does not have any significant influence on the internal audit agenda, which makes it easier for the internal auditor to meet the expectations of senior management as his only important ‘client’.

Case C

In this company, the internal audit function has existed for 16 years and has, similar to Case B, always been performed by one internal auditor. The current internal auditor has performed this function for two years and reports administratively to the CFO. Although the CFO notes that the current internal auditor generally is accepted and perceived positively within the company, thanks to his constructive way of working, he has to admit that the current internal auditor still has limited maturity and experience in the business. The CFO does not rule out that this can have an impact on the perception of his work. The internal auditor agrees that, contrary to how it is with senior management, among those at the lower levels of the company, he is still perceived as a police officer focused on finding problems and mistakes:

Last week, I was at our Australian subsidiary and their first reaction was: there is the ABC [name of the company] police. (Internal auditor)

Fortunately, in most cases this is just the initial reaction, which is precipitated by ignorance about the role of internal audit. As soon as people know what the internal auditor is doing and what they can expect from him, their perception changes. The expertise of the current internal auditor is limited to financial, accounting and organisational areas, which has an impact on the scope of the audit planning. However, audits outside these areas can be delegated to people with more detailed expertise. The internal auditor would prefer to hire an additional internal auditor, but he is not sure whether senior management would be keen on this.

The major expectation of the CFO vis-à-vis the internal auditor can be summarised as a detailed and focused control of processes and procedures to investigate whether they are adequate and correctly followed. He expects the internal auditor to provide him with feedback on this (assurance), as well as with sufficient recommendations to improve the processes and procedures. The core task of internal audit, as described by the internal auditor, corresponds more or less with this expectation. He describes his work as focused on evaluating the internal controls, especially because they have an important influence on financial reporting, in order to provide assurance on these controls and recommendations to improve them. Thus, his primary focus is on the internal controls. Improving the processes, from a broader point of view, is rather a secondary objective.

More specifically, the CFO expects the internal auditor to base his work on personal contacts with people in the field:

I expect the internal auditor to base his work on personal contacts with the people who are audited . . . we do not have a culture to arrange such things by mail or email . . . he has to do his work on site. (CFO)

The internal auditor agrees that the most important aspect of an audit is listening to the people, giving them the opportunity to raise issues, and provide their opinions. Furthermore, the internal auditor perceives himself as a facilitator for whistle-blowing, especially for financial people. However, the CFO is not convinced of this role, given the internal auditor's limited maturity and experience with the company.

The CFO perceives his relationship with the internal auditor as constructive. Together with the CEO, he is involved with the development of the internal audit planning. Their input is primarily based on the monthly business review meetings they have with lower management, combined with their own risk assessments. The internal auditor confirms that every internal audit planning is discussed with the CEO and CFO, in order to ensure that all proposed audits are relevant in their eyes. Furthermore, the internal auditor is satisfied that the CEO and CFO pay sufficient attention to his recommendations and their follow-up. The CFO confirmed that they pay attention to the results of the internal audit work during their business review meetings. He agrees that the internal audit reports meet his expectations and that they create a certain level of risk and control awareness within the company. Besides, the CFO is convinced that the work of the internal auditor adds value to the company, although only on a limited scale:

There are value adding aspects in his audit reports, but no world-shaking things . . . but he adds value. They are perceived like that by most people in the company. (CFO)

Although the CFO does not express any expectations about the role of the internal auditor in risk management, the internal auditor expects senior management to start formalising their risk management in a more professional way, as well as documenting the internal control system:

Policies and procedures . . . most of them are rather common sense and informal, which does not mean that they are not working well, but there is still room for improvement. It is mainly because top management still prefers to arrange things rather informally. (Internal auditor)

Nonetheless, he is convinced that the company is not yet ready for this. Remarkably, he does not see an important role for himself in this formalisation process, which probably can be explained by his limited capacities (resources and expertise).

An analysis of some audit committee meeting reports and the internal audit planning reveals that the audit committee also has a significant influence on the internal auditor's agenda:

If they provide input, all the rest has to wait. (. . .) If they do not feel okay with the planning, then it definitely should be modified. (Internal auditor)

Despite the strong influence of the audit committee, we could not identify any conflict between their expectations and the expectations of senior management. They also attach great importance, for example, to the communication skills of the internal auditor and his open and friendly attitude towards people in the field. It appears that the internal auditor is able to meet the expectations of both ‘clients’, as his agenda reflects the priorities of both.

Case D

In this company, the internal audit department has existed for more than 20 years and recently increased from seven to ten internal auditors. The internal audit manager reports administratively to the CFO. Both the CFO and the internal audit manager agree that internal audit is appreciated and positively perceived within the company. This has increased significantly over the last three years, thanks to the support internal audit receives from senior management, which has increased the level of awareness regarding their work. Besides his significant influence on the internal audit agenda through involvement in annual risk assessments and specific ad hoc requests during the year (note that these represent 25% of the annual audit planning), the CFO openly reacts to audit reports and supports the internal audit findings and recommendations. He clearly shows to everyone that he perceives internal audit as an important function. Senior management also supported the recent appointment of three additional internal auditors. Furthermore, internal audit has improved the communication of their added value to the company significantly, especially through their risk assessments, audit reports and meetings, all of which has enhanced the acceptance of their function:

By performing risk analyses, we show them the risks they are exposed to . . . this really helped us to receive recognition, especially within the older business units. (Internal audit manager)

Additionally, the CFO and internal audit manager confirm that the corporate scandals of the last decade and the resulting legislative initiatives (especially the US Sarbanes-Oxley Act) have had a positive impact on the level of attention to controls in general and to internal audit more specifically. Furthermore, they agree that two recent small fraud cases within the company contributed positively to the acceptance of internal audit:

I am not happy that this happens, but it is good to have such cases, that shake people awake and prove the benefit of having an internal audit function. (. . .) You could argue that they could have given signs that this was going to happen. (CFO)

Overall, the CFO expects the internal audit department to be an adequate training ground for future potential managers, where they can work for two or three years and collect relevant expertise and knowledge about the company. To date, he is satisfied with the rotation of the internal auditors. Conversely, the internal audit manager is less happy with the high degree of rotation:

Currently, I do not have enough people with audit experience and company experience. This is becoming a problem. (. . .) Internal audit is a kind of fishing pond full of high potential, but they can't empty it completely. (Internal audit manager)

We were able to distinguish two additional specific expectations of the CFO with regard to internal audit. First, he expects internal audit to be a supportive function for management, instead of a pure control function. More specifically, he expects internal audit to support management in risk identification, risk assessment and risk management, as well as in monitoring and improving risk management and internal controls. It seems that the current internal audit programme, which focuses on overall internal control reviews, meets the expectations of the CFO. It is interesting to note that the internal audit department has developed its own approach to evaluating the internal control system, which enables internal audit to perform a more thorough evaluation and provide a higher level of assurance. Moreover, the internal audit manager stresses that it is more important for them to assist management via improvements in internal controls than by formulating mere opinions about them. Internal audit also reserves a certain amount of their work time to become engaged as advisors in consulting projects. By playing this supportive role, they are able to meet this important expectation of senior management. This is clearly communicated through the company intranet:

Internal Audit's services are available to all divisions and may provide useful support in a wide variety of business processes. (Company intranet)

With respect to internal controls, the CFO expects internal audit to play an active role in the implementation of a uniform internal control system within the whole company, thereby taking into account the cultural and human differences between the various subsidiaries. The internal audit manager agrees that the department regularly provides training and advice in local procedure development and, thereby, monitors and contributes actively to the application of standardised policies and procedures. Furthermore, the CFO expects internal audit to create the necessary level of control awareness. The internal audit manager is convinced that internal audit's work contributes to a higher level of control awareness, especially among non-financial managers. In this context, internal audit also wrote the Company Guide to Business Control that concisely summarises all policies and procedures at a group level; the guide was distributed to all management levels.

Second, the CFO is striving for total risk coverage, through more active collaboration between internal and external audit in order to have the highest possible level of assurance on the reliability of financial reporting, and the CFO expects internal audit to play an active role in the realisation of this ambitious goal. The internal audit manager confirms that, when drawing up the audit planning, they attempt to achieve broader risk coverage. Besides covering high-risk areas, upon which they traditionally focus, they also take into account lower-risk areas. This is confirmed by an analysis of the received copies of the risk assessment matrix and audit planning. Furthermore, internal audit also works, together with the external auditor, on a coverage chart (who audits what) with the intention of auditing more areas. Internal audit is also strengthening its relationship with the external auditor by providing them with copies of all audit reports and exchanging all relevant information, as input for the audit planning (in both directions). By doing this, they are on the right track to meet this second CFO expectation.

In contrast to Case B, the relationship between internal audit and the audit committee is very extensive, based upon formal discussions of the audit planning and audit results, as well as regular informal meetings between the head of the audit committee and the internal audit manager. Similar to Case C, the influence of the audit committee on internal audit is strong. The audit committee's expectations vis-à-vis internal audit are very similar to the expectations of senior management. Overall, the audit committee wants assurance regarding the compliance of the company with its overall policies and procedures, as stipulated in the Code of Conduct and Guide to Business Control. Furthermore, the audit committee attaches great importance to the advisory and assistive role of internal audit in the improvement of processes and internal controls. Finally, they also promote more intensive collaboration between the internal and external audit functions. It appears, then, that internal audit is able to meet the expectations of both ‘clients’. This is confirmed by the CFO and the head of the audit committee, both of whom are satisfied with the work of internal audit.

Case E

Internal audit has existed as an independent function in this company for 13 years and currently is staffed with three internal auditors. The Chief Internal Auditor reports administratively to the CEO. Overall, the CEO is convinced that internal audit currently is perceived within the company as supportive and value adding. According to the Chief Internal Auditor, his department has been more valued over the last three years thanks to its more systematic and professional approach. More specifically, internal audit started to develop their cycle-based audit planning in a more formalised way with the intention of providing an ‘in control statement’ combined with a more systematic way of reporting and following-up on the implementation of their recommendations. The Chief Internal Auditor also admits that, thanks to the new senior management team and especially the new CEO, the level of attention paid to internal audit in general, and their audit reports more specifically, has increased significantly, which led to some important improvements within the company:

I have received some positive echoes from local managers: thanks to the recommendations of internal audit, a process of change has been started . . . that is nice to hear. (Chief Internal Auditor)

The CEO agrees that he is satisfied with internal audit. He sometimes provides input for the audit planning and is actively following up on the recommendations of internal audit, by putting them on the agenda of his business meetings with local divisions, an important way ‘to make things happen’:

If necessary, I pick up the phone and ask the local manager why he did not react to the recommendations. (CEO)

Again, this illustrates the crucial importance of senior management support for the acceptance and impact of internal audit within a company.

Similar to the CFO in Case D, the CEO expects the internal audit department to be a training ground for future managers who can be of great value in other functions. Contrary to Case D, the Chief Internal Auditor considers this to be a valuable attribute of his department. Recently, one of his internal auditors moved to another department, and the Chief Internal Auditor is convinced that he will take the internal audit philosophy with him and will actively contribute to improving the processes and internal controls within his new department.

Data analysis reveals four more specific expectations of the CEO vis-à-vis internal audit. First, and similar to Case A, the CEO clearly expects internal audit to compensate, through their work, for the loss of control that has resulted from the rapid growth of the company through many international acquisitions:

I have no problem with decentralisation, but this also means that you have the right to control them. You can control through reports, but also through those things that are not emerging in the reports and that is where internal audit comes in. (. . .) Internal audit has to make sure that I sleep soundly. (CEO)

The Chief Internal Auditor confirms that, given the growth that has occurred through acquisitions, the creation of a uniform reference framework of policies has always been an important priority for his department.

Second, the CEO expects the internal audit department, staffed with people who know the business, to focus their monitoring work on processes and procedures. The Chief Internal Auditor agrees that the internal auditor's major objective is to provide assurance to management via performance of operational audits. More specifically, they want to make sure that processes and related internal controls are effective and efficient and that relevant and important risks are identified and managed. Moreover, they always look at the effect of the processes under review on financial reporting. In order to be able to provide this assurance to management, internal audit actively collaborates with the external auditor, for example, through the development of a common reporting protocol.

Third, the CEO wants internal audit to safeguard the corporate culture, especially because of their regular personal contacts with people in the field:

They hang around in the divisions of the company and sometimes they have particular feelings about certain topics . . . although they do not have hard data to support these suppositions, these feelings often are of great interest to me. (CEO)

This is a major driver for the CEO to have regular informal contacts with the Chief Internal Auditor.

Fourth, and given the importance of acquisitions for the growth of the company, the CEO expects the internal audit department to play a value-adding role in due diligence work. He perceives their judgement and advice to be invaluable, particularly because they know the business very well. Therefore, internal audit always has a member on any ad hoc composed acquisition teams. The Chief Internal Auditor confirms that the internal auditors spend, on average, 15% of their annual work time on due diligence work. More generally, the CEO expects that internal audit's advisory role in strategically important projects will become more prominent in the future. Similarly, the Chief Internal Auditor has clear intentions of focusing more on assisting and supporting management, by playing a proactive consultative role, which will make management more capable of anticipating potential problems.

Similar to Cases A and C, the Chief Internal Auditor expects senior management to pay more attention to the integration and formalisation of the risk management policy, as this currently is rather fragmented throughout the company. Internal audit regularly signals this shortcoming, which recently led to increased awareness, as several departments put particular aspects of risk management into practice. Because the Chief Internal Auditor is convinced that the risk management policy is still far from well-structured at the corporate level, he is prepared to assist management in this process, without assuming any responsibility for it.

Although we were not able to interview any audit committee member, the Chief Internal Auditor provided us with some relevant insights. According to him, the audit committee prefers that internal audit focuses less on due diligence work and more on operational audit work, which contrasts with the expectations of senior management. Consequently, the Chief Internal Auditor would prefer to extend his department in order to be able to meet the expectations of both senior management and the audit committee. Furthermore, the Chief Internal Auditor expects more active and business-oriented input from the audit committee, as their input has remained very limited until now. With respect to follow-up of internal audit's findings, the audit committee focuses its attention only on high-risk areas and, to some extent, ignores the ongoing operational findings. Based upon these limited indications, it appears that internal audit's relationship with the audit committee is less intensive than their relationship with senior management, probably due to some conflicting expectations.

Cross-case analysis

In three of the five cases, internal audit reports administratively to the CEO; in the two remaining cases, to the CFO. Cross-case analysis reveals five general expectations of senior management vis-à-vis internal audit. First, senior management expects internal audit to compensate for the loss of control that results from the increased corporate complexity that, in turn, is the result of growth through mergers and acquisitions internationally, as well as the continuous trend towards decentralisation. Second, and contrary to Galloway's findings (1995), they expect internal audit to serve a supporting function, instead of a pure control function. The meaning of this role depends upon the specific case and will be summarised below. Third, senior management sometimes wants internal audit to be a training ground for staff with high management potential. It is understandable that internal audit departments consisting of several internal auditors are better able to cope with a high rotation rate and, consequently, to meet this expectation. Note that internal audit's perception of its role as a training ground is not uniformly positive. Fourth, senior management expects internal audit to be the safeguard of the corporate culture and, consequently, attaches great importance to the personal contacts the internal auditors have during their work with people in the company. Therefore, they expect internal auditors to have appropriate communication skills. Sometimes, they even expect internal audit to be a facilitator for whistle-blowing. Fifth, we also find indications that, in some cases, senior management expects internal audit to actively collaborate with the external auditor in order to increase the total audit coverage. Internal audit confirms that they attach more importance to this collaboration and, therefore, actively exchange their audit planning and reports in order to make their work complementary to the work of the external auditor.

When looking into the specific meaning of the supporting role senior management expects internal audit to play, we could distinguish several areas. First, and similar to what was reported in Cooper et al. (1996), senior managers expect internal audit to evaluate, in an independent way, the effectiveness and efficiency of processes in general, and of internal controls more specifically, in order to provide them with a sufficient level of assurance, which supports them in fulfilling their growing monitoring responsibilities. Internal audit confirms that they still focus on the provision of assurance, primarily with respect to internal controls, to their different ‘clients’, which include senior management.

Second, and in addition to the provision of assurance, senior management expects internal audit to actively contribute to improving the effectiveness and efficiency of the internal controls and processes. Internal audit agrees that they spend a significant proportion of their time and effort supporting management by providing recommendations, assisting management with the implementation of these recommendations, and performing ad hoc consultative work in strategically important projects (e.g. acquisitions), often as the result of specific management demand (cf. Ridley & D'Silva, 1997; Brody & Lowe, 2000). Furthermore, they actively contribute to the development and implementation of a uniform and standardised internal control system throughout the several subsidiaries of the company, thereby attempting to compensate for the loss of control experienced by senior management. Internal audit is convinced that this role adds value to their company.

Third, and depending on the status of the risk management system, senior management often expects internal audit to assist with the formalisation of the risk management system. Moreover, senior management expects internal audit's work to create a sufficient level of risk and control awareness within the company, taking into account the overall corporate culture and attitudes towards risk and control. Besides their own role in risk management, internal audit expects senior management, which has the final operational responsibility for risk management, to take the first steps in this formalisation process, by changing their own (often averse) attitudes towards risk management and internal control and by giving the right signals and stimuli to the lower management levels. As also suggested by Goodwin-Stewart & Kent (2006), internal audit appears to be convinced that a formalised risk management and internal control system is a more supportive environment in which to work. Internal audit is, in most cases, convinced of their own (pioneering) role in formalising risk management (see also Sarens & De Beelde, 2006a). This role differs from case to case, and ranges from creating awareness to becoming actively involved in the formalisation process.

The cross-case analysis clearly indicates that the acceptance and appreciation of the internal audit function within the company is strongly dependent upon the support of senior management. In other words, the extent to which senior management supports the internal audit function has a strong signalling function within the company. More specifically, this support is translated into the input senior management provides for the annual internal audit planning, the number of ad hoc requests senior managers have during the year, the attention they pay to the outcomes of internal audit work, the way they follow up on internal audit's recommendations and resulting action plans, and their support for an expansion of the internal audit function through the engagement of additional internal auditors. It should be clear that these are indicators of the strength of the relationship between internal audit and senior management. Consequently, internal auditors, who are actively looking for senior management support, expect to receive input from the CEO and CFO on a regular basis, as well as to have productive discussions with senior management on the results and follow-up of their work. Furthermore and complementary to senior management's support, internal audit's own efforts to promote their function through, for example, more explicit communication regarding their added value, also augment the acceptance of their function. Similar to Carcello et al. (2005), we found indications that the recent corporate scandals and resultant increased attention for corporate governance, have contributed to an increase in the overall level of appreciation for internal audit. Even some small fraud cases at company level can enhance the level of attention paid to internal audit's work. The cross-case analysis also suggests that the acceptance and appreciation of internal audit by senior management is influenced by the maturity of the internal audit function. 
In Case A, the young internal audit function was confronted by some ignorance about the role of internal audit, which necessitates the promotion of the function through clear and intensive communication (cf. also Cooper et al., 1994).

Similar to Griffiths' findings (1999), it becomes clear that senior management's expectations have a significant influence on internal audit. Contrary to Cooper et al. (1994), the cross-case analysis did not reveal significant inconsistencies between senior management's expectations and the actual internal audit work. Furthermore, and contrary to Griffiths (1999), most CEOs and CFOs are satisfied with the work of internal audit in their company. In other words, internal audit is more or less able to meet the expectations of senior management and, in most cases, receives the support they expected from senior management in return.

When studying the relationship between internal audit and senior management, we also took into account the influence of the audit committee. In four of the five cases, internal audit appears to have a relatively close relationship with the audit committee, reflected by a limited but significant influence of the audit committee on the internal audit agenda. In three of these four cases, the audit committee and senior management have more or less the same expectations with respect to internal audit. Overall, the audit committee also expects internal audit to support management by providing assurance, combined with sufficient attention to their advising and assistive roles in improving processes and internal controls. These similar expectations make it easier for internal audit to meet the expectations of both ‘clients’. In only one case did we find indications of some conflicting expectations, although this was based only upon comments provided by the Chief Internal Auditor, without confirmation by any audit committee member.

CONCLUSIONS AND DISCUSSION


This study focused on the relationship between internal audit and senior management, by investigating qualitatively their expectations and perceptions with respect to each other. Based on extended data analysis, we can conclude that senior management's expectations have a significant influence on internal audit. Overall, internal audit is able to meet most of these expectations, which makes senior management support them. Additionally, in most cases, internal audit is able to meet the expectations of the audit committee, expectations that more or less are in line with those of senior management.

When investigating the expectations of CEOs and CFOs in this study, it became clear that they expect internal audit to compensate for their loss of control resulting from increased organisational complexity. Given that, in three of the five cases, the internal audit function is performed by a single internal auditor, it is probably not easy for them to meet this lofty expectation. Expansion of the internal audit function or collaboration with other individuals (e.g. controllers) would not seem to be a superfluous luxury. Given internal audit's contacts with people in the field, senior management also wants internal audit to be the safeguard of the corporate culture. Moreover, they expect internal audit to collaborate actively with the external auditor in order to increase total audit coverage. We are convinced that further research on this collaboration would reveal interesting insights.

Overall, senior management expects internal audit to serve a supportive function by (1) providing independent assurance on the effectiveness and efficiency of processes and internal controls; (2) actively contributing to the improvement of processes and internal controls; and (3) assisting with the formalisation of the risk management system. In most cases, internal audit is able to meet these expectations by focusing on the provision of assurance combined with sufficient recommendations and the performance of ad hoc consultative work. Furthermore, they actively contribute to the development and implementation of a uniform and standardised internal control system and the creation of a sufficient level of risk and control awareness throughout the company. With respect to the formalisation of the risk management system, internal audit expects senior management to take the first steps in this process, by changing their own attitudes and giving the right signals and stimuli to lower management levels. A formalised risk management and internal control system is considered to be a more supportive environment for internal audit. Because many companies only recently initiated this formalisation process, an interesting research opportunity exists to monitor the changing role of internal audit through this formalisation process.

Moreover, it became clear that larger internal audit departments, those staffed with more than one internal auditor, are expected to be training grounds for future managers. Contrary to senior management, internal audit managers do not always like this idea, given the resulting high rate of rotation within their staff. Further research can go deeper into the motivations behind recruiting former internal auditors as managers and possible ways for management to convince an internal audit department to become a ‘school’ for management prospects.

We conclude that the acceptance and appreciation of internal audit within the company is strongly dependent on the support they get from senior management, reflected by their input for the internal audit planning, their ad hoc requests during the year, their follow-up on the outcomes of the internal audit work and their support for an extension of the internal audit function. It became clear that internal audit is actively looking for this management support and combines it with their own efforts to promote the function, taking into account the maturity of the internal audit function within the company. Furthermore, the enhanced attention to corporate governance and sometimes fraud cases within the company have also contributed to an increase in the appreciation of internal audit.

In Belgium, internal auditing is a relatively young profession. Therefore, it would be interesting to conduct the same in-depth study in other countries, where the internal audit profession is more mature, to see whether such studies lead to the same conclusions. Given that case studies do not lead to generalisable results, a large-scale study, using, for example, a questionnaire, might be used to validate the insights of this study. This study focused on the interactions between internal audit and people in high positions in the organisational hierarchy. Investigating how people at other organisational levels (e.g. middle and operational management levels) look upon internal audit would complement this study. It is probable that difficulties related to the ignorance of the internal audit function would be more prominent at lower operational levels.

ACKNOWLEDGEMENTS


Earlier drafts of this paper have been presented and discussed at the PhD Workshop of the Third EARNET Symposium (Amsterdam, 27 October 2005), the Doctoral Colloquium of the EAA (Dublin, 19–21 March 2006), and the Fourth European Academic Conference on Internal Audit and Corporate Governance (London, 5–7 April 2006). Special thanks to Jan Mouritsen (Copenhagen Business School), Michael Shields (Michigan State University) and Alfred Wagenhofer (University of Graz). Furthermore, we appreciate the comments provided by Mahbub Zaman (University of Manchester), Laura F. Spira (Oxford Brookes University), Jeffrey Ridley (London South Bank University), Ann Vanstraelen (University of Antwerp and University of Maastricht), Johan Christiaens (Ghent University) and Patricia Everaert (Ghent University).

REFERENCES

  • Belgian Corporate Governance Committee (2004), Belgian Code on Corporate Governance, available at: http://www.commissiecorporategovernance.be
  • Bou-Raad, G. (2000), ‘Internal auditors and a value-added approach: the new business regime’, Managerial Auditing Journal, Vol. 15, No. 4, pp. 1826.
  • Brody, R. G. & Lowe, D. J. (2000), ‘The new role of the internal auditor: implications for internal auditor objectivity’, International Journal of Auditing, Vol. 4, No. 2, pp. 16976.
  • Carcello, J. V., Hermanson, D. R. & Raghunandan, K. (2005), ‘Changes in internal auditing during the time of the major US accounting scandals’, International Journal of Auditing, Vol. 9, No. 2, pp. 11727.
  • Chow, C. W. (1982), ‘The demand for external auditing: size, debt and ownership influences’, The Accounting Review, Vol. 57, No. 2, pp. 27291.
  • Committee of the Sponsoring Organizations of the Treadway Commission (1992), Internal Control Integrated Framework (COSO Report), New York: AICPA.
  • Cooper, B. J., Leung, P. & Mathews, C. (1994), ‘Internal audit: an Australian profile’, Managerial Auditing Journal, Vol. 9, No. 3, pp. 1319.
  • Cooper, B. J., Leung, P. & Mathews, C. (1996), ‘Benchmarking – a comparison of internal audit in Australia, Malaysia and Hong Kong’, Managerial Auditing Journal, Vol. 11, No. 1, pp. 2329.
  • Doyon, M. (1996), ‘Tuned-in to management’, Internal Auditor, Vol. 53, No. 6, pp. 3641.
  • European Confederation of Institutes of Internal Auditing (2005), Position Paper: Internal Auditing in Europe.
  • Financial Reporting Council (2003), The Combined Code on Corporate Governance, available at: http://www.frc.org.uk
  • Financial Reporting Council (2005), Internal Control: Revised Guidance for Directors on the Combined Code (Turnbull Guidance), available at: http://www.frc.org.uk
  • Flesher, D. L. & Zanzig, J. S. (2000), ‘Management accountants express a desire for change in the functioning of internal auditing’, Managerial Auditing Journal, Vol. 15, No. 7, pp. 3317.
  • Galloway, D. (1995), Internal Auditing: A Guide for the New Auditor, Altamonte Springs, FL: The Institute of Internal Auditors.
  • Goodwin, J. (2003), ‘The relationship between the audit committee and the internal audit function: Evidence from Australia and New Zealand’, International Journal of Auditing, Vol. 7, No. 3, pp. 26378.
  • Goodwin, J. & Yeo, T. Y. (2001), ‘Two factors affecting internal audit independence and objectivity: Evidence from Singapore’, International Journal of Auditing, Vol. 5, No. 2, pp. 10725.
  • Goodwin-Stewart, J. & Kent, P. (2006), ‘The use of internal audit by Australian companies’, Managerial Auditing Journal, Vol. 21, No. 1, pp. 81101.
  • Griffiths, P. (1999), ‘Understanding the expectations of finance directors towards internal audit and its future’, Managerial Auditing Journal, Vol. 14, No. 9, pp. 48996.
  • Handy, N. & Paterson, J. (2005), ‘Internal audit: the new rock and roll’, Accountancymagazine.com, January, pp. 4849.
  • Hubbard, L. D. (2000), ‘Audit planning’, Internal Auditor, Vol. 57, No. 4, pp. 2021.
  • Leithhead, B. S. (2000), ‘In touch with the top’, Internal Auditor, Vol. 57, No. 6, pp. 6769.
  • Lindow, P. E. & Race, J. D. (2002), ‘Beyond traditional audit techniques’, Journal of Accountancy, Vol. 194, No. 1, pp. 6869.
  • Mathews, C., Cooper, B. J. & Leung, P. (1995), ‘CEOs' perceptions of internal audit in Australia’, Internal Auditing, Vol. 10, No. 4, pp. 6164.
  • McHugh, J. & Raghunandan, K. (1994), ‘Hiring and firing the chief internal auditor’, Internal Auditor, Vol. 51, No. 4, pp. 3439.
  • Miles, M. B. & Huberman, A. M. (1994), Qualitative Data Analysis, 2nd edn, London: Sage Publications.
  • Page, M. & Spira, L. F. (2004), The Turnbull Report, Internal Control and Risk Management: The Developing Role of Internal Audit, Edinburgh: The Institute of Chartered Accountants of Scotland.
  • Patton, M. Q. (2002), Qualitative Research and Evaluation Methods, 3rd edn, Thousand Oaks, CA: Sage Publications.
  • Raghunandan, K. R., Rama, D. V. & Scarbrough, D. P. (1998), ‘Accounting and auditing knowledge level of Canadian audit committees: Some empirical evidence’, Journal of International Accounting, Auditing and Taxation, Vol. 7, No. 2, pp. 18194.
  • Raghunandan, K. R., Read, W. J. & Rama, D. V. (2001), ‘Audit committee composition, gray directors, and interaction with internal auditing’, Accounting Horizons, Vol. 15, No. 2, pp. 10518.
  • Ridley, J. & D'Silva, K. (1997), ‘Perceptions of internal audit value’, IIA-UK Internal Auditing Journal, July, pp. 1214.
  • Sarens, G. & De Beelde, I. (2006a), ‘Internal auditors' perception about their role in risk management: A comparison between US and Belgian companies’, Managerial Auditing Journal, Vol. 21, No. 1, pp. 6380.
  • Sarens, G. & De Beelde, I. (2006b), ‘Building a research model for internal auditing: insights from literature and theory specification cases’, International Journal of Accounting, Auditing and Performance Evaluation, Vol. 3, No. 4, pp. 45270.
  • Schofield, J. W. (1990), ‘Increasing the generalizability of qualitative research’. In Eisner, E. W. & Peshkin, A. (eds), Qualitative Inquiry in Education, pp. 20132, New York: Teachers College Press.
  • Selim, G. & McNamee, D. (1999), ‘Risk management and internal auditing: what are the essential building blocks for a successful paradigm change?’, International Journal of Auditing, Vol. 3, No. 2, pp. 14755.
  • Shaughnessy, J. J. & Zechmeister, E. B. (1985), Research Methods in Psychology, New York: Knopf.
  • Spira, L. F. (1999), ‘Ceremonies of governance: Perspectives on the role of the audit committee’, Journal of Management and Governance, Vol. 3, No. 3, pp. 23160.
  • Spira, L. F. & Page, M. (2003), ‘Risk management: the reinvention of internal control and the changing role of internal audit’, Accounting, Auditing & Accountability Journal, Vol. 16, No. 4, pp. 64061.
  • The Institute of Internal Auditors (2004), International Standards for the Professional Practice of Internal Auditing, available at: http://www.theiia.org/?doc_id=1499
  • Van Peursem, K. (2004), ‘Internal auditors' role and authority: New Zealand evidence’, Managerial Auditing Journal, Vol. 19, No. 3, pp. 37893.
  • Van Peursem, K. (2005), ‘Conversations with internal auditors: The power of ambiguity’, Managerial Auditing Journal, Vol. 20, No. 5, pp. 489512.

AUTHOR PROFILES


Gerrit Sarens is PhD researcher in Business Economics. He is carrying out research in internal auditing and corporate governance and has published articles in Managerial Auditing Journal; the International Journal of Accounting, Auditing and Performance Evaluation; and Audit, Control and Governance (Kluwer) and contributed to several position papers published by IIA Belgium. He is an active volunteer of the IIA Belgium.

Ignace De Beelde is Professor of Auditing and Head of the Department of Accounting and Corporate Finance. He is carrying out research in auditing and the historical development of accounting and auditing. He has published articles in the International Journal of Accounting; Accounting, Organizations and Society; Accounting, Business and Financial History; Accounting Historians Journal; Accounting History; and Economic and Industrial Democracy.

Appendix


APPENDIX 1: Interview Instrument

Guiding Questions for the CEO or CFO and the Head of the Audit Committee
  • Overall, how do you perceive internal audit within your company?
  • What is, in your opinion, the core task of internal audit?
  • How does your company approach risk management?
  • What is, in your opinion, the role of internal audit in risk management?
  • Does the role of internal audit in risk management add value to your company?
  • What is, in your opinion, the role of internal audit with respect to internal controls?
  • To what extent do you have influence on the agenda of internal audit?
  • How do you perceive your relationship with internal audit?
  • Does your relationship with internal audit meet your expectations?
  • Overall, does internal audit meet your expectations?

Guiding Questions for the Internal Auditor or the Head of Internal Audit
  • To whom do you report functionally?
  • To whom do you report administratively?
  • Overall, how is internal audit perceived within your company?
  • What is, in your company, the core task of internal audit?
  • How does your company approach risk management?
  • What is, in your company, the role of internal audit in risk management?
  • Does the role of internal audit in risk management add value to your company?
  • What is, in your company, the role of internal audit with respect to internal controls?
  • To what extent does senior management (CEO and/or CFO) influence the agenda of internal audit?
  • How do you perceive the influence of senior management?
  • Does the relationship with senior management meet your expectations?
  • To what extent does the audit committee influence the agenda of internal audit?
  • How do you perceive the influence of the audit committee?
  • Does the relationship with the audit committee meet your expectations?