Professional Documents
Culture Documents
Are Internal Audits Associated With Reductions in Perceived Risk?
Are Internal Audits Associated With Reductions in Perceived Risk?
Joseph V. Carcello
University of Tennessee
jcarcell@utk.edu
Marc Eulerich
University of Duisburg-Essen
marc.eulerich@uni-due.de
Adi Masli
University of Kansas
amasli@ku.edu
David A. Wood
Brigham Young University
davidwood@byu.edu
March 2020
We thank the editor, Rick Hatfield, two anonymous reviewers, and Drew Allen, Jace Garrett,
Rani Hoitash, Nathan Mecham, and Doug Prawitt for helpful comments and suggestions on this
paper. We also thank Patrick Whalen for his research assistance. Adi Masli thanks the financial
assistance from the Koch Fellowship.
Abstract
We examine whether internal auditing provides value to organizations by reducing risk. We
compare the changes in risks between audited business units and matched non-audited units
within the same company. This design allows us to isolate the importance of an internal audit
while holding constant changes in risk due to the organization and time period. Based on ratings
from the heads of audited and non-audited units, we find that managers of audited units perceive
a greater decline in risk as well as a greater increase in performance compared to managers of
non-audited units. We also find that companies that have had a quality assurance review and are
used as a management training ground are associated with greater reductions in risk and
improved overall performance. Our study contributes to the academic literature by documenting
a new facet of internal audit benefits—risk reduction—and internal audit characteristics that
increase risk reduction.
Key Words: Internal Audit, Risk Management, Management Training Ground, Quality
Assurance Reviews
Since the 2008 financial crisis, companies have increasingly focused on how to improve
all facets of risk management.1 For example, Deloitte reports that 92 percent of sampled
companies now have an enterprise risk management program, up from only 59 percent in 2008
(Deloitte 2015). Despite the increased attention on risk management, companies worldwide
continue to fall short in managing risk effectively. According to Aon’s recent 2019 Global Risk
Management study, risk readiness of organizations is at its lowest level in 12 years. Many
organizations also report that they are less prepared now in managing risk than they have ever
been. Considering this backdrop, it is important to study how organizations can enhance their
While prior research shows that effectively managing risk enhances firm value, improves
firm operating performance, and provides strategic advantages (Hoyt and Liebenberg 2011;
McShane, Nair, and Rustambekov 2011; Beasley, Branson, and Pagach 2015), there is relatively
little research on what governance mechanisms can improve risk management within
organizations. Our paper extends the literature by examining how one key governance
mechanism, the internal audit function (IAF), can help improve risk management in
organizations. By doing so, we provide further meaningful evidence on the organizational value
of internal auditing.
The IAF often plays an active role in the risk management process. International
standards by the Institute of Internal Auditors (IIA) require the IAF to be involved in risk
1
Risk is defined by COSO as “the possibility that an event will occur and adversely affect the achievement of
objectives” (COSO 2013). The updated 2017 enterprise risk management framework by COSO further suggests that
organizations attain many benefits from integrating risk management throughout the entity, such as increasing
opportunities, reducing negative surprises, and improving resource deployment and enterprise resiliency (COSO
2017).
management and the top three areas that stakeholders want from internal audit also relate to risk
management (IIA 2009; Andersen 2016). Indeed, the important role that internal audit plays in
assessing a company’s risk management process is one of the primary reasons that the NASDAQ
proposed requiring all listed companies to maintain an IAF (SEC 2013; Protiviti 2013). Thus, an
internal audit is designed to reduce the risks that companies face. To date, little research has
Although the IAF is designed to improve risk management, there are several reasons why
it may not be effective in reducing risk. First, the business community does not highly support
investing in internal auditing. The head of the IIA, Richard Chambers notes that internal audit
often does not have enough resources to cover all significant risks and can thus overlook key
risks (Chambers 2013). Second, even if internal audit has sufficient resources, it still may not
reduce risk. For example, internal audit originally developed focusing primarily on financial
reporting matters and may have less experience focusing on other areas, like operations and
compliance (Bailey, Gramling, and Ramamoorti 2003). Also, research suggests that relevant
stakeholders (e.g., management, audit committee, etc.) are generally dissatisfied with IAFs (Lenz
and Hahn 2015) and internal audit struggles to attract highly-qualified individuals into the
profession (Murphy 2013; Burton, Starliper, Summers, and Wood 2015; Bartlett, Kremin,
Saunders, and Wood 2016, 2017). Combined, these factors suggest that even though the internal
audit is designed to reduce risk, whether it does or not in practice is an important empirical
question to study.
Another key motivation of this research is to study different characteristics of the IAF
that may be associated with the ability to reduce risk. Internal audit can vary significantly in how
IAFs—including the reporting relation of the head of internal audit, the use of quality assurance
reviews (QARs) to enhance internal audit quality, and the use of the IAF as a management
training ground (MTG)—to see if these characteristics are associated with IAFs ability to reduce
risk.
We study the association between internal auditing and the ability to reduce risk by
studying perceived risk reductions using a unique design. Specifically, we conduct a survey of
chief audit executives (CAEs) for various multinational companies from Germany.2 We ask the
CAEs to identify units in their organization that had recently received an internal audit and a
matched-pair unit that had not received an internal audit but was similar on multiple attributes.
We ask the CAE to match the units as closely as possible and we specifically mention matching
based on the nature of the audited unit (subsidiary, plant, etc.), scope, size, and geographic
footprint of the unit; and the risk level and performance of the unit. After identifying the pairs of
matched units, the CAEs distributed the survey to managers of both audited and non-audited
units for their participation. Thus, we have responses from three groups: (1) heads of units that
were audited by internal audit, (2) heads of units that were not audited by internal audit, and (3)
We asked the heads of these various units to rate various risks at two points in time. We
then compare how the matched unit’s perceived risk changed for units that were audited by the
IAF and those that were not. We supplement the analysis using responses from CAEs for a larger
2
Although we sample IAFs in Germany, we believe the results should generalize to the U.S. and other developed
countries. Internal auditing in Germany is similar to internal auditing in the U.S. in that internal auditing is required
or recommended as a best practice in both countries (e.g., AktG and MaRisk in Germany; SEC 2013 in the United
States), internal auditing has existed in both countries for a significant amount of time (IIA founded in the U.S. in
1941, German IIA founded in 1958), and internal auditors in both countries follow the global IIA “International
Professional Practice Framework”, standards and best practices, which are the same across the world.
to how the heads of both audited and non-audited business units assess themselves (see
Appendix B).
units and 48 pairs of responses by CAEs about audited and non-audited units. Across both
samples, our results show that internal audit is associated with reductions in the perceived overall
risk faced by business units and that perceived overall risk reduction is greater when managers
As previously mentioned, we also build and test hypotheses related to several IAF
characteristics that may impact the IAF and perceived risk relation. We find that IAFs that have a
QAR are associated with greater reductions in perceived risk than IAFs that have not had the
review. In addition, IAFs that are used as a MTG are associated with greater reductions in
perceived risk than IAFs that are not used as a MTG. However, we do not find that having the
head of internal audit report to the audit committee is associated with perceived risk.
Our results also show that managers perceive greater improvement in the performance of
their area after an audit. This finding is particularly salient for units audited by internal audits
that have had a recent QAR and are used as a MTG. When we examine specific types of
perceived risk—including risk related to financial matters, operational matters, and compliance
matters—we find that internal audit is associated with reductions in perceptions of operating risk.
Finally, we find some evidence of spillover effects. That is, when an internal audit conducts
operational audits, unit managers also perceive improvements in financial risk but not in
Our paper makes four primary contributions to the literature. First, given the significant
focus on risk by organizations, regulators, and even the U.S. Congress, we provide an important
finding about how organizations can enhance risk management. Specifically, we find support for
the valuable role of internal audit in reducing perceived risk. Our work should be of interest to
various corporate stakeholders. For example, managers and boards of directors ought to assess
whether their IAFs are functioning effectively to address risk. External auditors ought to evaluate
how their client’s IAF contributes to the risk management process. Considering the positive
effects of internal auditing on risk management, regulators should continue weighing all of the
benefits and costs of mandating internal audits for publicly traded companies.
audit’s role in the financial reporting process, to our knowledge, we are among the first to
demonstrate that internal audit can also benefit an organization in improving operational and
overall risk. This adds an important finding to the developing body of internal audit research,
especially considering that many business professionals question the value that internal auditing
brings to an organization and that research on internal audit is “still in its infancy” (DeFond and
Zhang 2014).
Third, our paper provides evidence that certain IAF design choices can have a larger
effect on reducing perceived risk. Specifically, IAFs that have had a recent QAR, and are used as
3
Our discussions with internal audit practitioners in Germany reveal that an operational audit is one of the most
common type of audit. During an operational audit, internal auditors often discover risks in non-operational areas.
Internal auditors often make formal or informal suggestions to improve in these areas, which would suggest that
operational audit could have potentially positive spillover effects on reducing risk in other non-operational areas.
findings related to MTG are especially noteworthy given that the majority of prior research find
that using the IAF as a MTG bears negative outcomes: it’s associated with higher audit fees
(Messier, Reynolds, Simon, and Wood 2011; Ho and Hutchinson 2010) and worse financial
reporting quality (Christ, Masli, Sharp, and Wood 2015). Our findings show that the MTG
structure can have important benefits to the risk management of an organization and that having
The fourth contribution of this study is our unique design. Prior studies largely
investigate the effect of internal audits on company-wide outcomes, such as financial reporting
quality, audit fees, and internal controls reported at the overall firm level. Within a company, not
all units are audited by the IAF. In this study, we can examine the direct effects of internal audit
across business units within the same company. We observe that CAEs are relatively similar in
assessing how heads of business units perceive their unit. This is important for future research as
it suggests that future researchers can survey the CAE and not business unit heads to gather
relevant risk-related and internal auditing related data. This should simplify data collection
efforts for future researchers, which will hopefully spur more research in internal auditing.
One way internal audit can add value to organizations is to reduce risk. Indeed, the
definition of internal auditing promulgated by the IIA states that one objective of internal
auditors is “to evaluate and improve the effectiveness of risk management” (IIA 2013). There is
only a limited amount of research on the impact of internal auditing on risk management.4 Sarens
4
Prior research has shown that internal audit improves internal controls and financial reporting quality (Prawitt,
Smith, and Wood 2009; Lin, Pizzini, Vargus, and Bardhan 2011; Prawitt, Sharp, and Wood 2012; Ege 2015; Christ
et al. 2015; Abbott, Daughtery, Parker, and Peters 2016; Barr-Pulliam 2017, 2018, 2019; Bills, Huang, Lin, and
auditors perceive their role in risk management within US and Belgian companies. The study by
Beasley, Clune, and Hermanson (2006) shows that several factors are associated with the impact
of enterprise risk management on internal audit activities, such as CAE tenure and direction from
the CFO and audit committee. DeZwaan, Stewart, and Subraniam (2011) find that higher internal
audit involvement in enterprise risk management influences the internal auditor’s willingness to
The demand for internal audit to add value in risk management is underscored in the
2015 Global Internal Audit Common Body of Knowledge (CBOK). Stakeholders were asked
which areas should be in the scope of internal audit beyond traditional assurance work. The
resounding response from stakeholders was “risk.” In particular, the top three areas that
stakeholders want from internal audit are (1) identify known and emerging risk areas (85%), (2)
facilitate and monitor risk management practices by operational management (78%), and (3)
identify appropriate risk management frameworks, practices, and processes (78%) (Anderson
2016). The role that internal auditing is expected to play in risk management continues to
increase in importance, as highlighted by the recent 2019 release of a new practice guide by the
IIA designed to help CAEs provide satisfactory levels of assurance and advice over the
effectiveness of risk management processes and strategies.5 This practice guide further affirms
the profession’s stance that internal auditing can add value to the organization by improving risk
management.
Wood 2019), reduces fraud (Beasley, Carcello, Hermanson and Lapides 2000; Coram, Ferguson, and Moroney
2008), lowers external audit fees (Felix, Gramling, and Maletta 2001; Gramling et al. 2004; Abbott, Parker, and
Peters 2012; Prawitt, Smith, and Wood 2011; Messier et al. 2011), and improves financial performance (Burton,
Starliper, Summers, and Wood 2012; Jiang, Messier, and Wood 2020). However, these studies do not directly study
risk and the ability of internal audit to reduce risk.
5
See the press release via https://global.theiia.org/news/Pages/The-IIA-Releases-New-Practice-Guide-on-Assessing-
the-Risk-Management-Process.aspx.
paper on internal auditing and enterprise-wide risk management, internal auditing provides value
by giving objective assurance on the effectiveness of risk management (IIA 2009). The position
paper details five internal audit roles that are considered core to risk management, which are: (1)
giving assurance on the risk management process, (2) giving assurance that risks are correctly
evaluated, (3) evaluating risk management processes, (4) evaluating the reporting of key risks,
and (5) reviewing the management of key risks (IIA 2009). Beyond these core roles, internal
audit also has legitimate roles that can be undertaken with certain safeguards, such as coaching
management in responding to risks and developing risk management strategies (IIA 2009).
IIA international standards also tout the internal audit’s role in risk management. With
regard to planning engagements, the CAE must establish a risk-based plan to determine the
priorities of internal audit activity (IPPF Standard 2010). IPPF Standard 2120 on Risk
Management further mandates that the IAF evaluate the effectiveness and contribute to the
improvement of risk management processes. Specifically, internal audit must evaluate risk
exposures related to issues such as operations, financial reporting, and safeguarding of assets,
address risks consistent with engagement objectives, and communicate relevant risk information
Although the internal audit is designed to add value by improving risk management, there
are a few possible impediments to achieving this objective. First, to be effective, the IAF requires
sufficient resources to perform its work. Often viewed as a cost-center, IAFs can struggle to
receive the funding they need to be successful. For example, in 2013, the NASDAQ proposed a
rule that would require all companies listed on its exchange to establish an IAF by December 31,
about the proposed rule. Of the 16 letters, 13 indicated opposition to the new rule and the most
common reasons were that the benefits of having an IAF do not outweigh the costs. Without
sufficient funding, the IAF may not be able to impact risk management in a meaningful way.
Second, and somewhat related to the first point, to be successful the IAF must have
sufficient ability to have a meaningful effect on risk management. Internal auditors may lack the
ability because of lack of experience working with risk management (Bailey et al. 2003),
negative stigma about the profession (Murphy 2013; Burton et al. 2015; Bartlett et al. 2016,
2017; Eulerich, Kremin, Saunders, and Wood 2020)7, lack of expertise in risk management, or
but an important area to investigate given the focus by the profession on internal audit reducing
risk. Given the significant attention on internal auditing improving risk management,
notwithstanding the potential reasons internal audit may not have an influence, we would expect
that, on average, internal auditing will be associated with improvements in reducing risk at
H1: Internal audits are associated with reductions in perceived risk after the audited
period.
As mentioned, certain features of the IAF may strengthen the effect of internal auditing
on reducing perceived risk. We consider three situations where the effect of internal auditing on
perceived risk is likely to be moderated by other important factors: the reporting relationship of
6
The proposed NASDAQ rule was patterned after the NYSE rule adopted in 2013 that required listed companies to
have an IAF.
7
For example, Eulerich et al. (2020) find that negative views of the internal audit profession are related to less
ability to add value, less influence in the organization, more resistance to implementing internal audit
recommendations, and more pressure to change audit findings.
MTG.
One of the reasons internal audit may not influence risk management is that internal audit
does not have sufficient clout in an organization to make a difference. If internal audit is deemed
more important in an organization, they are likely to have a greater effect on the organization.
One key factor that demonstrates the importance of internal audit in the organization is to whom
the head of internal audit reports. If the head of internal audit reports to the audit committee, the
IAF likely holds a more prominent role in an organization. For example, Anderson, Christ,
Johnstone, and Rittenberg (2012) find that more interactions with the audit committee is
associated with larger (i.e., more resourced) IAFs. Abbott, Parker, and Peters (2010) find that
IAFs that have greater oversight by the audit committee relative to management are associated
with a greater focus on internal control activities—which includes risk management. Boyle et al.
(2015) find that internal auditors that report to the audit committee provide more conservative
fraud risk assessments and control risk assessments than when they report to management.
If internal auditors assess risk higher, they are more likely to do more diligent testing and
provide recommendations to reduce risk to acceptable levels. Thus, we expect that internal
auditors that report to the audit committee will be associated with greater reductions in perceived
H2: The association between internal audits and reductions in perceived risk after
the audited period is stronger when the IAF reports to the audit committee than
when the IAF reports to management.
The effectiveness and efficiency of internal audit activities likely affect the IAF’s ability
to improve risk management. According to internal audit standards, “the chief audit executive
must develop and maintain a quality assurance and improvement program that covers all aspects
10
reviewed externally to make sure the function is complying with standards and is operating
efficiently and effectively. Prior research has shown that having a QAR contributes to a high-
quality IAF and the previously cited benefits of having a high-quality IAF (Christ, et al. 2015;
In our setting, a QAR provides an impetus for an IAF to improve its efficiency and
effectiveness. Thus, IAFs that have had a recent QAR should be better at performing their tasks
mentioned leading up to H1 than IAFs that have not had a recent QAR. This leads to our third
hypothesis:
H3: The association between internal audits and reductions in perceived risk after
the audited period is stronger when the IAF has had a QAR than when the IAF has
not had the review.
The use of the IAF as a MTG can also affect the IAF’s ability to improve risk
management. Prior research has found that MTG internal auditors are less objective and have
less internal auditing skills but have more natural ability and knowledge of the company than
non-MTG internal auditors (Messier et al. 2011; Christ et al. 2015; Carcello et al. 2018; Hoos,
Messier, Smith, and Tandy 2018). Prior research has found that these differences lead to a
“mixed-bag” of whether this practice is a positive or negative for organizations. For example,
using the IAF as a MTG is associated with external auditors charging higher fees (Messier,
Reynolds, Simon, and Wood 2011; Ho and Hutchinson 2010), reductions in financial reporting
quality (Christ et al. 2015), and favoring management in reporting risks and recommendations
(Hoos et al. 2018). However, on the positive side, using the IAF as a MTG leads to increased
11
MTG internal auditors want to impress management to increase the likelihood of being
promoted out of the IAF. One way to impress management is to add value by identifying
and mitigating risks the company faces—thus making it more likely management
achieves its objectives. In this vein, Hoos et al. (2018) find that MTG internal auditors are
more likely to assess risks and make recommendations in line with what management
prefers relative to what the audit committee prefers. Thus, in combination, the superior
natural ability of MTG internal auditors, higher organizational expertise, and the
incentive to impress management, likely combine such that MTG internal auditors are
likely to be associated with greater reductions in perceived risk than non-MTG internal
H4: The association between internal audits and reductions in perceived risk after
the audited period is stronger when the IAF is used as a MTG than when the IAF is
not used as a MTG.
METHODOLOGY
Sample Selection
world perceptions of the effect of internal audits on risk. We are unable to directly measure risk,
so we study stakeholder perceptions of risk.8 To collect the relevant data, we surveyed 461 CAEs
belonging to the IIA in Germany.9 The Germany chapter of the IIA assisted us in administering
8
As a limitation, we acknowledge the possibility that demand type effects could drive the results.
9
The German Accounting Modernization Act from 2009 requires boards and audit committees from listed
companies to evaluate the effectiveness of the IAF. This requirement is broadly accepted as the (legal) mandatory
need for the implementation of an IAF. The act covers all German stock corporations and private firms with a
comparable size and structure (German Accounting Modernization Act 2009).
12
use of human subjects was approved for this study. From this group, 37 CAEs from different
companies responded, a response rate of 8 percent. Not all CAEs responded to each question. We
The survey asked the CAEs to do two things. First, each CAE was asked to select three
out of the ten largest audits of the prior year (measured by the auditor days spent) and select a
unit that was not audited but similar to the audited unit in as many ways as possible, including
the six criteria listed below, to serve as a control sample. The CAE was then asked to forward a
survey to the heads of these six units (3 audited units and 3 units that were not audited) asking
them to fill out the survey and return it to the researchers. The second task the CAEs were asked
to perform was to provide their evaluation of the same six units and provide details about the
company and the IAF. The primary analyses make use of data from unit managers. Managers’
perceptions of risk represent perceptions that come directly from the customers of internal audit.
A secondary dataset, used in supplementary analyses, compiles the perceptions of the CAEs.
This dataset is larger as not all unit heads chose to respond. We also note that for most
companies, we did not necessarily get responses for all six (3 audited and 3 non-audited) units as
requested.
The request to the CAEs included criteria for matching audited and non-audited units.11
10
The authors had complete control over the design of the questions included for analysis for this project. We note
that the IIA had additional purposes for this survey and thus many questions other than those relevant to this study
were asked of participants.
11
The choice of which criteria to request for matching was made after discussing with practitioners and the German
IIA about how units are selected for audit. These groups said that the selection process is multi-faceted negotiation
between the audit committee, management, and the CAE. They identified several of these factors as the most
important attributes in that discussion. We added additional matching criteria to make the comparisons as similar as
possible.
13
For example, assuming the CAE selected for inclusion in our study a 2013 audit of a
foreign country-based subsidiary with $5 billion in total assets that had high risk and
performance was average. The CAEs would be expected to select a different subsidiary located
in the same country (or a similar country); with total assets as close to $5 billion as possible;
Table 1 provides data about the responses from managers of the business units. Panel A
shows that we had at most 4 pairs from one company and that we had a total of 21 pairs from 10
different companies with manager responses. Panel B shows a comparison of the units that were
selected and not selected by the CAE. The data show that the audited and non-audited units were
similar on the nature of audit (e.g., subsidiary, process, etc.), the scope of the audit (company-
wide versus not), the beginning risk of the unit, and the performance of the unit in the previous
year.12 Based on extensive discussion with the IIA, we chose not to gather data about the size of
the audited unit as this was deemed more sensitive information than the other requests (i.e., the
IIA was worried about possible ex-post identification of units through matching).
We also measured three additional pieces of information: the perception of internal audit
held by the manager of the unit, the financial education of the manager, and whether the manager
was new or not (being in the position for 3 years or less). We note that the first two variables did
12
We note that there is a single company-wide business unit not matched to a company-wide business unit. But, for
this one particular case, the CAE still matched well based on the five other criteria. We note that the CAEs matched
the units based on data for the year of the audit. In Table 1 Panel B, we capture levels of risk and performance for
the year prior to the audit (based on available data).
14
particularly noteworthy. This variable is equal to one if the manager fully agrees with the
statement that internal audit adds value and zero otherwise. It does not seem that one group of
managers is more biased towards or against internal audit than the other group. Based on all of
the evidence, we conclude that the match provided by the CAEs appears to be unbiased and
accomplish our objective of matching two relatively similar units for comparison.
We also provide descriptive statistics for the number of IA recommendations, the number
statistics reported are based on 20 audited units for which we obtained complete data on internal
Table 1, Panel C provides descriptive statistics about the ten companies that provided
manager responses for the test and control observations. The descriptive statistics show that these
are large companies with average revenues of approximately 12.8 billion Euros and
approximately 90,000 employees. The sample includes publicly traded and private companies.
All but one company have an audit committee and eight of the ten companies have Big N
auditors. The companies, on average, have 38 internal auditors and an internal audit budget of
approximately 5.3 million Euros. The IAFs have a strong focus on assurance-related tasks (87
percent of their focus is on auditing). Nearly one-third of the internal audit staff hold a specific
certification in internal audit and have an average of nine years of experience. Internal auditors,
13
We note that this difference may indicate that there is some type of additional risk in these units. We are not able
to identify what that risk is, and encourage future research in this area.
15
Half of the internal audit departments recently underwent a QAR. Seven out of the ten
companies use the IAF as a MTG and 40 percent of the IAFs report to the audit committee.14
We asked managers of both audited and non-audited units to rate the level of perceived
risk within their respective units. We asked participants to rate the perceived risk level for both
the period before and after the audit was conducted so that we could observe a change in
perceived risk over the same period of time. The managers of the non-audited units had to
evaluate the perceived risk for the prior year (comparable to the year prior to the audit of the
audited unit) and after one year (comparable to the year after the audit of the audited unit). The
respondents provided an overall rating of perceived risk. For perceived risk, respondents rated
the risk level using a five-point scale labeled (1) very low; (2) low, (3) medium, (4) high, and (5)
very high.
Risk may change over the period because of factors not associated with internal audit.
For example, risk for the entire company may have declined due to policies implemented
throughout the organization. These company-wide changes would manifest in both the audited
and the non-audited group. For internal audit to have a significant impact, the decline in risk for
the audited group should be greater than the decline in risk for the non-audited group. We test
this possibility by comparing responses from the heads of the audited and non-audited units. The
design holds constant other company-wide factors that could impact risk.
For our primary analyses, we run the following linear regression model:
14
We recognize that the percentage of IAFs that report to the audit committee is lower than in other studies. This
should not bias our results, but future studies should examine how reporting relations differ in various countries.
16
defined as one if the observation relates to an audited unit and zero if the observation relates to a
non-audited unit. As mentioned, we capture the perceived risk level both before and after the
audit. The variable After is defined as one if the observation relates to the period after the audit
and zero if the observation relates to the period before the audit. The interaction variable Audited
* After is our variable of interest. A negative and significant interaction term would suggest that
the audited unit managers perceive lower overall risk after the audit compared to non-audited
unit managers.
For the analysis of the manager’s responses, since the matching appears to be done
according to our request, additional control variables should not be needed as the audited and
non-audited units should be similar on the variables important for determining perceived risk.
However, since we cannot directly assess all components of the quality of the match, we
supplement the analyses by adding several additional unit-level control variables. The unit-level
control variables include financial background of the manager (Manager Financial Education),
tenure of the manager (Manager is New), and whether the manager fully agrees with the
statement that IA provides value (IA Value to Manager). We also control for the performance
level of the unit (Performance). Company-wide control variables are controlled for by adding
firm indicators to the model (i.e., an indicator variable for each unique company). These firm
indicator variables control for all other factors at the company level (e.g., firm size, culture,
governance structures, etc.). See Appendix A for the definition of variables used in the models.
To test the remaining hypotheses (H2 to H4), we run the following linear regression
models:
17
To test Hypothesis 2, we run Equation (2). For this equation, we rerun Equation (1)
splitting Audited into two variables: (i) Audited REPORT AC, an indicator variable indicating
whether the audited unit is audited by an IAF where the CAE reports to the audit committee and
(ii) Audited NO REPORT AC, an indicator indicating whether the audited unit is audited by an
IAF where the CAE does not report to the audit committee. In essence, we distinguish audited
units that were audited by an IAF that reports to the audit committee from audited units that were
audited by an IAF that does not report to the audit committee. Hypothesis 2 suggests that the
negative coefficient for the interaction term Audited REPORT AC * After will be lower than the
To test Hypothesis 3, we run Equation (3). For this equation, we rerun Equation (1)
splitting Audited into two variables: (i) Audited QAR, an indicator variable indicating whether the
audited unit is audited by an IAF that had a QAR in recent years and (ii) Audited NO QAR, an
indicator indicating whether the audited unit is audited by an IAF that did not have a QAR in
recent years. In this specification, we distinguish units audited by an IAF with a recent QAR
from units audited by an IAF without a recent QAR. Hypothesis 3 suggests that the negative
coefficient for interaction term Audited QAR * After will be lower than the negative coefficient
18
splitting Audited into two variables: (i) Audited MTG, an indicator variable indicating whether
the audited unit is audited by an IAF that is used as a MTG and (ii) Audited NO MTG, an
indicator indicating whether the audited unit is audited by an IAF that is not used as a MTG.
Here, we differentiate units audited by an IAF used as a MTG from units audited by an IAF not
used as a MTG. Hypothesis 4 suggests that the negative coefficient for the interaction term
Audited MTG * After will be lower than the negative coefficient for the interaction term Audited
NO MTG * After.
RESULTS
Table 2 provides the results examining the influence of the internal audit on manager’s
compare the overall risk ratings in the before period for the audited and non-audited units. We
find statistically similar risk ratings in the before period between the audited (3.000) and non-
audited units (2.905), which provides more assurance that the match by the CAE was performed
without bias. In the after period, we find that the risk rating for audited units (2.238) is
significantly lower than the risk rating for non-audited units (2.762), which is consistent with
For audited units, the overall risk in the after period (2.238) is significantly lower (p <
0.01) than the before period (3.000). The change in overall risk for audited units is -0.762. For
non-audited, the overall risk in the after period (2.762) is also significantly lower (p < 0.10) than
the before period (2.905). The change in overall risk for the non-audited units is -0.143. While
both audited and non-audited units experience decreases in risk, the risk decrease for audited
units (-0.762) is larger in magnitude compared to the risk decrease for non-audited units (-0.143).
19
audited units (-0.619) is significantly different from zero (p < 0.01). In sum, we find univariate
evidence that managers of audited units, compared to non-audited managers, perceive greater
declines in risk.
Panel B of Table 2 provides the results for Equation 1. The dependent variable for Model
1 and Model 2 is Overall Risk. The coefficient for Audited * After is negative (-0.497) and
significant (p < 0.01), suggesting that managers of audited units perceive lower overall risk after
the audit than managers of non-audited units, controlling for other factors that may influence
risk. In Model 2, we replace the variable Audited with Implemented Recommendations, which is
0.623) and significant (p < 0.01), suggesting that managers that implemented more of internal
Table 3 provides the results for Equation (2), (3), and (4). The dependent variable for
Model 1, Model 2, and Model 3 is Overall Risk. The coefficients for Audited REPORT AC *
After and Audited NO REPORT AC * After are both negative and significant (p < 0.05).
However, there is no statistical difference between the two interaction term coefficients,
suggesting that managers of audited units perceive similar decreases in overall risk after the audit
regardless of whether the internal audit reports to the audit committee. Thus, hypothesis 2 is not
supported.
15
In untabulated analyses, we examine perceptions of particular risks (i.e., operating, financial, and compliance
risks). Managers that received operational focused audits perceive a greater decline in operating risks than managers
of non-audited units. There also appears to be some spillover effects as those same managers also perceive greater
declines in financial risks compared to their non-audited counterparts.
20
Norman, Rose, and Rose (2010) and Hoos et al. (2018) who both find that having internal audit
report to the audit committee is associated with lower assessments of risk likely because the
internal auditors want to appear like they are doing their jobs to reduce risk well. We encourage
The coefficients for Audited QAR * After and Audited NO QAR *After are both negative
and significant (p < 0.05). However, the coefficient for the interaction term Audited QAR * After
(-0.677) is significantly lower (p = 0.05) than that for the interaction term Audited NO QAR *
After (-0.234). This suggests that managers who are audited by internal audit with a recent QAR
perceive greater decreases in risk compared to managers who are audited by internal audit
The coefficient for Audited MTG * After is negative and significant (p < 0.01). Further,
the coefficient for the interaction term Audited MTG * After (-0.631) is significantly lower (p <
0.05) than that for the interaction term Audited NOT MTG * After (-0.110). This suggests that
managers who are audited by an internal audit being used as a MTG perceive greater decreases
in risk compared to managers who are audited by an internal audit not being used as a MTG, a
In sum, we find that managers of audited units perceive greater decreases in overall risk
compared to managers of units that did not get an audit. This effect is further strengthened when
the IAF has gone through a recent QAR and is used as a training ground for future managers.
16
One limitation of this analysis is that we do not know how many of the managers that responded to our survey had
previously been in internal audit. Although it is possible that managers may have previously been in internal audit,
we believe it is unlikely to bias our results since managers in both the audited and non-audited group could have
come from the internal audit and we have no theoretical reason to believe one of these groups would answer in a
more biased manner than the other. Furthermore, when we compare how audited managers of MTG firms perceive
the value of IA relative to those of non-MTG firms, we observe no significant differences.
21
Improvements in Performance
While our main analyses center on perceived risk, we also examine whether the area
being evaluated improved its performance. We asked unit managers to rate the overall
performance of their area for the time period before and after the audit (or equivalent time period
in case of non-audited managers). The respondents rated the performance level using a seven-
We re-run Equations (1) to (4), changing the dependent variable to Overall Performance
and including Overall Risk as a control variable. In addition, because the focus is on changes in
unit performance, we set the sample to include audited units that received operations focused
audits and their matched non-audited units. Table 4 displays the results. The coefficient for
Operations Audited * After is positive (0.488) and significant (p < 0.10), suggesting that
managers of audited units perceive higher performance after the audit than managers of non-
audited units. When we examine differences in internal audit characteristics (i.e., reporting to
audit committee, QAR, and MTG), we find that managers who are audited by an internal audit
with a recent QAR perceive greater performance improvements compared to managers who are
audited by an internal audit without a QAR (p < 0.01). Additionally, managers who are audited
by an internal audit being used as a MTG perceive greater performance improvements compared
to managers who are audited by an internal audit not being used as a MTG (p < 0.05).
17
The scale was labeled (-3) significantly below average (-2) moderately below average (-1) slightly below average
(0) average (1) slightly above average (2) moderately above average and (3) significantly above average.
22
We examine the responses of CAEs about their perception of changes in risk.18 Panel A
of Table 5 provides univariate results. In the sample, there are 48 pairs of audited and matched
non-audited units. The univariate difference for the change in perceived overall risk between
audited and non-audited units (-0.395) is significantly different from zero (p < 0.01).
Linear regression results are similar to the H1 findings (see Panel B of Table 5).19 That is,
results indicate that CAEs perceive greater declines in overall risk for audited units compared to
non-audited units. In an untabulated analysis, however, we do not find that IAF reporting to the
audit committee, QAR, or IAF use as a MTG differentially affects CAE perceptions of risk
changes.
CONCLUSION
risk to be successful. Although the IIA explicitly defines the IAF as a provider of assurance and
the benefit and value of IAFs in this domain have not been tested. Our results show an internal
audit reduces the perceived risks of the audited units more compared to non-audited units. We
also present evidence suggesting that audited units perceive greater improvements in
Our results extend previous research on the benefits of internal audit and provide
evidence of the IAF’s ability to fit its definitional charge of adding value to the organization by
reducing perceived risk. These findings should be of use to internal auditors trying to
18
The observations in these analyses are based on available and complete CAE responses about overall risk ratings.
19
Company-wide control variables are controlled for by adding firm fixed effects to the model. Due to data
limitations, we do not control for unit-level variables in the CAE model.
23
function. Our study also contributes by demonstrating that CAEs and heads of business units
assess risk and changes in risk similarly (see Appendix B for full details). This is a useful finding
in that future research should be able to economize surveying techniques and focus on only one
group—as both groups provide similar responses. This should encourage future research as it
Our study is subject to certain limitations. First, we measure the perception of risk and
not whether actual risk changes. Future studies that can measure the actual risk a business unit
faces would make a significant contribution to the literature. Second, we recognize that the
choice of which units to audit still results in endogeneity concerns. Certain units may be selected
to an audit that are somehow different than the units that were not selected for an audit. We try to
mitigate this by providing guidance on the most important variables the CAE should match the
audited and non-audited units. However, we are unable to ascertain statistically the quality of this
Finally, as a third limitation, in seeking participants, the letter we sent to internal auditors
contained wording that may have biased participants.20 We view it as unlikely that this
influenced our results because (1) it would be difficult to follow the stringent matching criteria
we laid out and still select a biased sample, (2) we had multiple different groups who have
different perceptions of internal audit respond to our survey and the results were consistent
20
The specific wording stated: “The purpose of this research project is to evaluate the effectiveness and value added
from the organization’s internal audit function (IAF). We are interested in changes in performance and risk of units
audited in 2013, as well as determining which company and internal audit characteristics explain improved
performance or reduced risk.”
24
we did not find evidence that internal audit reduces compliance risk. If respondents were biased
to show internal audit is valuable, we should see similar results across all dependent variables.
improvements in overall risk after an audit by internal auditors. We also attempt to shed light on
how internal audit can beneficially affect the management of specific risks, such as financial risk
and compliance risk. Due do data limitations, we are not able to build conclusive inferences on
this front. We urge future research to investigate how internal audit can assist the management of
Finally, while the internal audit research has not yet approached the volume of external
audit research in demonstrating that internal audit matters, the body of knowledge about internal
audit research is growing. From this study and other research, it appears that internal audit can
add significant value to organizations and that business leaders do not yet fully appreciate the
benefits of internal auditing. Future research will hopefully shed light on why this is the case and
continue testing the value that internal auditing adds to companies and society.
21
Relatedly, the CAE respondents have the greatest incentive to make internal audit appear favorably and yet the
descriptive statistics show that CAEs were less likely to suggest internal audit improved compliance risk or
operating risk relative to the managers who were audited (though this difference is not statistically significant, see
Appendix B).
25
Abbott, L. J., S. Parker, and G. F. Peters. 2012. Audit fee reductions from internal audit-provided
assistance: The incremental impact of internal audit characteristics. Contemporary
Accounting Research 29 (1): 94-118.
Abbott, L. J., B. Daughtery, S. Parker, and G. F. Peters. 2016. Internal audit quality and financial
reporting quality: The joint importance of independence and competence. Journal of
Accounting Research 54 (1): 3-40.
Barr-Pulliam, D. 2017. The Relationship between Internal Audit Assurance Frequency and
Earnings Manipulation Intent and Behavior: A Theory of Planned Behavior Approach.
Working Paper, University of Louisville.
Barr-Pulliam, D. 2018. The Joint Effects of the Internal Audit Function’s Use of Continuous
Auditing and its Use as a Management Training Ground on Managerial Discretion in
Financial Reporting. Working Paper, University of Louisville.
Barr-Pulliam, D. 2019. The Effects of Continuous Auditing and role duality on the incidence and
likelihood of reporting management opportunism. Management Accounting Research 44:
44-56.
Bartlett, G. D., J. Kremin, K. Saunders, and D. A. Wood. 2016. External auditors’ perceptions of
and willingness to work in outsourced and in-house internal audit functions. Accounting
Horizons 30 (1): 143-156.
Bartlett, G. D., J. Kremin, K. Saunders, and D. A. Wood. 2017. Factors influencing recruitment
of non-accounting business professionals into internal auditing. Behavioral Research in
Accounting 29 (1): 119-130.
Beasley, M., B. Branson, and D. Pagach. 2015. An analysis of the maturity and strategic impact
of investments in ERM. Journal of Accounting and Public Policy 34 (3): 219-243.
Beasley, M., J. Carcello, D. Hermanson and P. D. Lapides. 2000. Fraudulent financial reporting:
Consideration of industry traits and corporate governance mechanisms. Accounting
Horizons 14: 441-454.
26
Bills, K. L., H. W. Huang, Y. H. Lin, and D. A. Wood. 2019. Internal audit turnover, financial
reporting quality and audit risk assessment. Working Paper Michigan State University,
National Cheng-Kung University, Monash University, and Brigham Young University.
Boyle, D. M., F. T. DeZoort, and D. R. Hermanson. 2015. The effects of internal audit report
type and reporting relationship on internal auditors’ risk judgments. Accounting Horizons
29 (3): 695-718.
Burton, G. F., M. W. Starliper, S. L. Summers, and D. A. Wood. 2015. The effects of using the
internal audit function as a management training ground or as a consulting services
provider in enhancing the recruitment of internal auditors. Accounting Horizons 29: 115-
140.
Burton, G. F., S. A. Emett, C. A. Simon, and D. A. Wood. 2012. Corporate managers’ reliance
on internal auditor recommendations. Auditing: A Journal of Practice & Theory 31: 151-
166.
Carcello, J. V., M. Eulerich, A. Masli, and D. A. Wood. 2018. The value to management of using
the internal audit function as a management training ground. Accounting Horizons 32 (2):
121-140.
Chambers, R. 2013. NASDAQ hesitates in its quest to mandate internal audit. Internal Auditor.
Christ, M. H., A. Masli, N. Y. Sharp, and D. A. Wood. 2015. Rotational internal audit programs
and financial reporting quality: Do compensating controls help? Accounting,
Organizations and Society 44: 37-59.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2013. Internal
Control — Integrated Framework Executive Summary. Accessible via
https://www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2017. Enterprise
Risk Management: Integrating with Strategy and Performance. Accessible via
https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-
Performance-Executive-Summary.pdf.
Coram, P., C. Ferguson, and R. Moroney. 2008. Internal audit, alternative internal audit
structures and the level of misappropriation of fraud. Accounting & Finance 48: 543-559.
DeFond, M., and J. Zhang. 2014. A review of archival auditing research. Journal of Accounting
and Economics 58: 275-326.
27
Dejnaronk, J., Little, H. T., Mujtaba, B. G., & McClelland, R. (2015). Factors Influencing the
Effectiveness of the Internal Audit Function in Thailand. In Proceedings of Conference:
Business and Social Sciences Research Conference: Research for Development,
Bangkok, Thailand.
DeZwaan, L., J. Stewart, and N. Subramaniam. 2011. Internal audit involvement in enterprise
risk management. Managerial Auditing Journal 26 (7): 586-604.
Ege, M. 2015. Does internal audit function quality deter management misconduct? The
Accounting Review 90: 495-527.
Eulerich, M. J. Kremin, K. K. Saunders, and D. A. Wood. 2020. Internal audit stigma awareness
and internal audit outcomes: Stuck between a rock and a hard place. Working Paper,
University of Duisburg-Essen, Portland State University, University of Nebraska at
Lincoln, and Brigham Young University.
Felix, W. L., Jr., A. A. Gramling, and M. J. Maletta. 2001. The contribution of internal audit as a
determinant of external audit fees and factors influencing this contribution. Journal of
Accounting Research 39: 513-534.
Gramling A. A., M. J. Maletta, A. Schneider, and B. K. Church. 2004. The role of the internal
audit function in corporate governance: A synthesis of the extant internal auditing
literature and directions for future research. Journal of Accounting Literature 23: 194-
244.
Gramling, A. A., I. Nuhoglu, and D. A. Wood. 2013. A descriptive study of factors associated
with the internal audit function having an impact: Comparisons between organizations in
a developed and an emerging economy. Turkish Studies. 14: 581-606.
Ho, S., and M. Hutchinson. 2010. Internal audit department characteristics/activities and audit
fees: Some evidence from Hong Kong firms. Journal of International Accounting,
Auditing and Taxation 19 (2): 121-136.
Hoos, F., W. F. Messier, J. L. Smith, and P. R. Tandy. 2018. An experimental investigation of
the interaction effect of management training ground and reporting lines on internal
auditor’s objetivity. International Journal of Auditing. 22 (2): 150-163.
28
Institute of Internal Auditors. 2009. IIA Position Paper: The Role of Internal Auditing in
Enterprise-Wide Risk Management. Available at: https://na.theiia.org/standards-
guidance/Public%20Documents/PP%20The%20Role%20of%20Internal%20Auditing%2
0in%20Enterprise%20Risk%20Management.pdf
Jiang, L., W. F. Messier, and D. A. Wood. 2020. The association between internal audit
operations-related services and firm operating performance. Auditing: A Journal of
Practice & Theory Forthcoming.
Lenz, R., and U. Hahn. 2015. A synthesis of empirical internal audit effectiveness literature
pointing to new research opportunities. Managerial Auditing Journal 30 (1): 5-33.
Lin, S., M. Pizzini, M. Vargus, and I. R. Bardhan. 2011. The role of the internal audit function in
the disclosure of material weaknesses. The Accounting Review 86: 287-323.
McShane, M.K., A. Nair, and E. Rustambekov. 2011. Does enterprise risk management increase
firm value? Journal of Accounting, Auditing & Finance 26 (4): 641-658.
Messier, W. F., Jr., J. K. Reynolds, C. A. Simon, and D. A. Wood. 2011. The effect of using the
internal audit function as a management training ground on the external auditor’s reliance
decision. The Accounting Review 86: 2131-2154.
Murphy, M. 2013. Internal Audit Staffs Need to Foresee Talent Shortages: CEB. Available at:
http://blogs.wsj.com/cfo/2013/01/17/internal-audit-staffs-need-to-foresee-talent-
shortages-ceb/
Norman, C. S., A. M. Rose, and J. M. Rose. 2010. Internal audit reporting lines, fraud risk
decomposition, and assessments of fraud risk. Accounting, Organizations and Society. 25
(5): 546-557.
Prawitt, D. F., N. Y. Sharp, and D. A. Wood. 2012. Internal audit outsourcing and the risk of
misleading or fraudulent financial reporting: Did Sarbanes-Oxley get it wrong?
Contemporary Accounting Research 29: 1109-1136.
Prawitt, D. F., J. L. Smith, and D. A. Wood. 2009. Internal audit quality and earnings
management. The Accounting Review 84 (4): 1255-1280.
29
Protiviti. 2013. SEC Flash Report – NASDAQ withdraws proposed internal audit function rule
with intent to resubmit it. May 15.
Sarens, G., and I. De Beelde. 2006. Internal auditors’ perception about their role in risk
management: A comparison between US and Belgian companies. Managerial Auditing
Journal 21 (1): 63-80.
U.S. Securities and Exchange Commission. 2013. Notice of filing of proposed rule change to
require that listed companies have an internal audit function. March 4. Release No. 34-
69030; SR-NASDAQ-2013-032.
30
31
32
p-value
Change in Overall Risk 21 -0.762 21 -0.143 -0.619 < 0.01
In this table, we present univariate comparisons of overall risk between audited and non-audited
units. We display overall risk before and after the audit period as well as the change in the
overall risk.
33
34
35
36
37
38
All p-values are two-tailed. Paired t-tests were conducted to test differences in means. For each
measure, we had the following n: 14 pairs for change in operating risk, 9 pairs for change in
financial risk, 10 pairs for change in compliance risk, and 14 pairs for change in overall risk.
Please see Variable Appendix for variable definitions.
All p-values are two-tailed. Paired t-tests were conducted to test differences in means. For each
measure, we had the following n: 11 pairs for change in operating risk, 11 pairs for change in
financial risk, 10 pairs for change in compliance risk, and 13 pairs for change in overall risk.
Please see Variable Appendix for variable definitions.
39