Search results

This purpose of this paper is to investigate how to implement a combined assurance program.

This paper uses qualitative data obtained through semi-structured interviews with six multinationals at different stages of combined assurance implementation maturity.

The paper finds that organizations are still learning through combined assurance implementation because no organization seems to have attained a mature combined assurance program. Nevertheless, our descriptive findings reveal that a successful combined assurance implementation follows six important components.

One limitation of this study is that, as the organizations studied are at different stages of combined assurance program implementation, data may have comparability issues. Another limitation is that different interviewees were studied from one case to another.

The results have implications both for organizations that do not yet have a combined assurance program in place and for those currently at the implementation stage. It has also implications for chief audit executives who are good candidates to lead a combined assurance implementation and for regulators, as the study describes combined assurance as an important accountability mechanism that helps boards and audit committees exercise their oversight role properly.

The study is the first to address combined assurance implementation. It complements the study of the Institute of Internal Auditors UK and Ireland (2010), which identifies the reasons for failed attempts to coordinate assurance activities, by illustrating combined assurance implementation through six international case studies of organizations at different combined assurance implementation stages.

The purpose of this paper is to investigate and discuss potential reasons why the internal auditing (IA) profession has been marginalized in the governance debate on solutions after the financial crisis that started in 2007, also noting recent studies questioning the value of IA's work. The key aim of this paper is to make readers aware of ambiguities concerning the ultimate customer of IA and its core business, and to stimulate critical reflection thereon.

The conceptual discussion of this paper is based on an objective review of relevant literature, both practitioner and academic.

Positioning IA as agent to the board/audit committee and, at the same time, as partner to management is challenging in practice. The IA function should clarify the customer dimension in its organizational context. Furthermore, this paper argues for a consolidation of internal audit around its core function of providing assurance when seeking to establish IA as a profession.

Practitioners will benefit as this paper demands fundamental questions to be addressed in the organizational context, about the ultimate customer and the core business of the IA service rendered. The Institute of Internal Auditors will benefit from this paper and subsequent discussions in academia and practice, supporting its pursuit to gain universal recognition for IA as a profession.

This paper may open a new research area in IA that addresses a more critical way of evaluating IA practices.

This paper aims to recognise the importance of informal processes within corporate governance and complement existing research in this area by investigating factors associated with the existence of informal interactions between audit committees and internal audit functions and in providing directions for future research.

To examine the existence and drivers of informal interactions between audit committees and internal audit functions, this paper relies on a questionnaire survey of chief audit executives (CAEs) in the UK from listed and non‐listed, as well as financial and non‐financial, companies. While prior qualitative research suggests that informal interactions do take place, most of the evidence is based on particular organisational setting or on a very small range of interviews. The use of a questionnaire enabled the examination of the existence of internal interactions across a relatively larger number of entities.

The paper finds evidence of audit committees and internal audit functions engaging in informal interactions in addition to formal pre‐scheduled regular meetings. Informal interactions complement formal meetings with the audit committee and as such represent additional opportunities for the audit committees to monitor internal audit functions. Audit committees' informal interactions are significantly and positively associated with audit committee independence, audit chair's knowledge and experience, and internal audit quality.

The results demonstrate the importance of the background of the audit committee chair for the effectiveness of the governance process. This is possibly the first paper to examine the relationship between audit committee quality and internal audit, on the existence and driver of informal interactions. Policy makers should recognize that in addition to formal mechanisms, informal processes, such as communication outside of formal pre‐scheduled meetings, play a significant role in corporate governance.

This paper aims to analyse the relationship between the senior management and the information technology (IT) auditing undertaken in Italian banks, focusing specifically on the internal IT auditing. The purpose of this paper is to investigate senior executives’ expectations regarding IT auditing, the techniques IT auditors apply to meet these expectations, the degree to which senior managers are satisfied with the auditing and the expectation gap.

We conducted 22 interviews with senior managers and IT auditors of seven Italian banks, comprising large and small financial institutions, to gain data for our analysis.

We found that overall, the IT auditors’ contributions satisfy senior managers, even though they still see room for improvement. They expect more support for the IT governance processes, specifically for the alignment between IT investments and business needs and between IT risk management and the value that IT resources provide. In addition, they want IT auditors to focus more strongly on IT security. To meet these expectations, IT auditors would have to improve their technical and non-technical skills. These skills will allow them to expand their activities, to be more proactive and to take on effective roles in IT governance processes.

This study contributes to the existing literature by providing insights into the internal audit function’s evolving role and into banks’ IT audit activities. It also provides a valuable insight into senior management’s expectations regarding the role IT audit activities should play to support the profession and the banking policymakers, thus providing a better understanding of IT audit activities and improving these activities’ role.

This article attempts to examine audit committee composition and structure affecting and leading to enhanced audit committee performance, with due regard for the principles of good governance and international best practices. The article recommends the ideal composition and structure of the audit committee to assist committees to meet their requirements, to ensure optimal performance and to improve the effectiveness of their oversight of financial reporting and corporate governance. The framework developed could also be used as a guideline in the selection and recruitment process for audit committees. The requirements are based on the regulatory requirements of the King II Report on Corporate Governance in South Africa (2002), the Companies Amendment Act 20 of 2004, the Corporate Laws Amendment Bill (2006), the Public Finance Management Act (PFMA), the JSE Limited requirements, the Blue Ribbon Committee Report (1999) and the Sarbanes‐ Oxley Act of 2002 in the USA.

This study aims to examine the extent to which external auditors (EAs) use the work of the internal audit function (IAF) based on the purpose of its primary activities. The authors rely on attribution theory, which suggests that individuals search for meaning when an event occurs. In this setting, the authors explore how the overall (assurance vs advisory) or specific (e.g. risk management and evaluating internal controls) focus of IAF activities influences perceived EA reliance on the IAF’s work.

The authors first explore the research question with data extracted from a broad, longitudinal survey conducted triennially by the national chapters of the Institute of Internal Auditors in Austria, Germany and Switzerland. The data includes responses from 2014, 2017 and 2020 administrations of the survey. The authors conduct a parallel survey with practicing EAs attending two training sessions of a European office of a global network firm. Hypotheses were tested using ordered logistic regression.

Among the chief audit executive (CAE) participants, the authors observe that a balanced or primarily assurance-related purpose of the IAF, relative to a primarily advisory-related purpose, is associated with higher perceived EA reliance. The authors observe similar perceptions of the extent of reliance among the EA participants.

With a unique data set of practicing internal auditors from three countries, coupled with a sample of EAs, to the best of the authors’ knowledge, this study is the first to examine differences in EA reliance across the IAF’s primary roles. The study relies on data from three European countries, which differs from prior EA reliance literature with a largely North American focus. Further, comparison between perceptions of EAs and CAEs is a novel approach and this paper’s findings suggest that perceptions of CAEs could be a reliable proxy for EA-intended behavior.

The purpose of this study is to explore whether various organizational, internal audit function and audit committee factors are associated with internal audit investment in audit technology.

The responses from 213 public and private company chief audit executives (CAEs) from seven Anglo-culture countries are analyzed from the Common Body of Knowledge (CBOK) 2015 Global Internal Auditor Practitioner Survey on specific questions addressing internal audit use of audit technology.

The results indicate that several of the studied factors are associated with investment in internal auditing technology, and taken together, suggest that CAE power may be the key driver in the technology investment decision. Furthermore, the data show that internal audit functions are not fully embracing the use of information technology (IT) tools and techniques, with average usage of ten of the eleven tools and techniques examined below moderate levels.

The results have implications for CAEs, boards and management when making resource allocation decisions. For example, the findings can be used in benchmarking an appropriate investment in internal audit technology, as well as identifying specific internal audit technology areas where further investment may be warranted. Additionally, insights provided by this study can facilitate a discussion about the value internal audit can add by increasing its investment in audit technology.

This study contributes to prior literature on internal auditing by filling a gap related to internal audit investment in audit technology, examining countries that are similar in culture rather than limiting the study to one country, and using several factors that have not been previously examined in prior internal audit investment-related literature. Additionally, the findings pointing to the important role CAE power appears to play in the internal audit technology investment decision provide several interesting new research avenues.

The purpose of the study is to explore the factors associated with the extent of security/cybersecurity audit by the internal audit function (IAF) of the firm. Specifically, the authors focused on whether IAF/CAE (certified audit executive [CAE]) characteristics, board involvement related to governance, role of the audit committee (or equivalent) and the chief risk officer (CRO) and IAF tasked with enterprise risk management (ERM) are associated with the extent to which the firm engages in security/cybersecurity audit.

For analysis, the paper uses responses of 970 CAEs as compiled in the Common Body of Knowledge database (CBOK, 2015) developed by the Institute of Internal Auditors Research Foundation (IIARF).

The results of the study suggest that the extent of security/cybersecurity audit by IAF is significantly and positively associated with IAF competence related to governance, risk and control. Board support regarding governance is also significant and positive. However, the Audit Committee (AC) or equivalent and the CRO role are not significant across the regions studied. Comprehensive risk assessment done by IAF and IAF quality have a significant and positive effect on security/cybersecurity audit. Unexpectedly, CAEs with security certification and IAFs tasked with ERM do not have a significant effect on security/cybersecurity audit; however, other certifications such as CISA or CPA have a marginal or mixed effect on the extent of security/cybersecurity audit.

This study is the first to describe IAF involvement in security/cybersecurity audit. It provides insights into the specific IAF/CAE characteristics and corporate governance characteristics that can lead IAF to contribute significantly to security/cybersecurity audit. The findings add to the results of prior studies on the IAF involvement in different IT-related aspects such as IT audit and XBRL implementation and on the role of the board and the audit committee (or its equivalent) in ERM and the detection and correction of security breaches.

The purpose of this paper is to assess whether internal audit role and reporting relationships affect investor perceptions of disclosure credibility.

The experiment involved a 2 × 2 design with internal audit role and reporting relationship randomly assigned among 84 MBA students serving as proxies for nonprofessional investors.

The results indicate that participants perceived disclosure credibility to be significantly higher when the Chief Audit Executive reported functionally to the audit committee and administratively to the CEO (versus both strategically and administratively to the CFO). The results reveal no significant differences in perceived disclosure credibility from the differing audit roles (i.e. primarily assurance versus primarily consulting).

The findings contribute to the internal audit and corporate governance literatures by providing further evidence of the importance of internal audit in investor judgement and decision making.

The purpose of this paper is to explore the nature and characteristics of internal audit function in Egyptian listed firms and assess its ability to fulfill its role in corporate governance.

The study has been carried out through a questionnaire survey that aims to explore the internal audit function in Egyptian listed firms from four main aspects: insourcing or outsourcing arrangements of the internal audit function; organizational setting; activities; and interaction with external auditors.

The findings of the study reveal that a large proportion of Egyptian listed firms have internal audit function, but internal audit function in these firms is less matured. Internal audit function has low levels of organizational independence, management support, and qualification of internal audit staff. Also, the results reveal that internal audit function is still focused on financial audit and internal controls compliance and has not yet moved towards the expanded new role explained in Institute of Internal Auditors's new definition. Finally, the results indicate that there is a weak level of interaction between internal and external auditors in Egypt. These results suggest that internal audit function in Egyptian listed firms, in its current status, faces many difficulties that affect negatively its effectiveness in corporate governance.

The findings of the study create doubt about internal audit's role as a corporate governance mechanism in Egyptian firms and, therefore, indicate that extensive efforts should be made to enhancing the internal audit profession in Egypt. The results of the study should be considered by regulators in Egypt in order to begin the necessary actions for legally pending the Egypt Code of Corporate Governance issued in October 2005 and in order to begin the necessary actions for developing the internal audit profession. However, owing to relatively small sample size, these finding should be interpreted with caution.

This paper contributes to the understandings of the nature and characteristics of internal audit function by empirically exploring the nature and characteristics of internal audit function in Egypt, as an emerging market.