Are Internal Audits Associated with Reductions in Perceived Risk?

Joseph V. Carcello
University of Tennessee
jcarcell@utk.edu

Marc Eulerich
University of Duisburg-Essen
marc.eulerich@uni-due.de

Adi Masli
University of Kansas
amasli@ku.edu

David A. Wood
Brigham Young University
davidwood@byu.edu

March 2020

We thank the editor, Rick Hatfield, two anonymous reviewers, and Drew Allen, Jace Garrett,
Rani Hoitash, Nathan Mecham, and Doug Prawitt for helpful comments and suggestions on this
paper. We also thank Patrick Whalen for his research assistance. Adi Masli thanks the financial
assistance from the Koch Fellowship. 

Electronic copy available at: https://ssrn.com/abstract=2970045

 Are Internal Audits Associated with Reductions in Perceived Risk?

Abstract
We examine whether internal auditing provides value to organizations by reducing risk. We
compare the changes in risks between audited business units and matched non-audited units
within the same company. This design allows us to isolate the importance of an internal audit
while holding constant changes in risk due to the organization and time period. Based on ratings
from the heads of audited and non-audited units, we find that managers of audited units perceive
a greater decline in risk as well as a greater increase in performance compared to managers of
non-audited units. We also find that companies that have had a quality assurance review and are
used as a management training ground are associated with greater reductions in risk and
improved overall performance. Our study contributes to the academic literature by documenting
a new facet of internal audit benefits—risk reduction—and internal audit characteristics that
increase risk reduction.

Key Words: Internal Audit, Risk Management, Management Training Ground, Quality
Assurance Reviews

Electronic copy available at: https://ssrn.com/abstract=2970045

 INTRODUCTION

Since the 2008 financial crisis, companies have increasingly focused on how to improve

all facets of risk management.1 For example, Deloitte reports that 92 percent of sampled

companies now have an enterprise risk management program, up from only 59 percent in 2008

(Deloitte 2015). Despite the increased attention on risk management, companies worldwide

continue to fall short in managing risk effectively. According to Aon’s recent 2019 Global Risk

Management study, risk readiness of organizations is at its lowest level in 12 years. Many

organizations also report that they are less prepared now in managing risk than they have ever

been. Considering this backdrop, it is important to study how organizations can enhance their

risk management endeavors.

While prior research shows that effectively managing risk enhances firm value, improves

firm operating performance, and provides strategic advantages (Hoyt and Liebenberg 2011;

McShane, Nair, and Rustambekov 2011; Beasley, Branson, and Pagach 2015), there is relatively

little research on what governance mechanisms can improve risk management within

organizations. Our paper extends the literature by examining how one key governance

mechanism, the internal audit function (IAF), can help improve risk management in

organizations. By doing so, we provide further meaningful evidence on the organizational value

of internal auditing.

The IAF often plays an active role in the risk management process. International

standards by the Institute of Internal Auditors (IIA) require the IAF to be involved in risk

1
Risk is defined by COSO as “the possibility that an event will occur and adversely affect the achievement of
objectives” (COSO 2013). The updated 2017 enterprise risk management framework by COSO further suggests that
organizations attain many benefits from integrating risk management throughout the entity, such as increasing
opportunities, reducing negative surprises, and improving resource deployment and enterprise resiliency (COSO
2017).

Electronic copy available at: https://ssrn.com/abstract=2970045

management. The IIA specifically lists different core roles internal audit plays in enterprise risk

management and the top three areas that stakeholders want from internal audit also relate to risk

management (IIA 2009; Andersen 2016). Indeed, the important role that internal audit plays in

assessing a company’s risk management process is one of the primary reasons that the NASDAQ

proposed requiring all listed companies to maintain an IAF (SEC 2013; Protiviti 2013). Thus, an

internal audit is designed to reduce the risks that companies face. To date, little research has

investigated the effect of the IAF on corporate risk outcomes.

Although the IAF is designed to improve risk management, there are several reasons why

it may not be effective in reducing risk. First, the business community does not highly support

investing in internal auditing. The head of the IIA, Richard Chambers notes that internal audit

often does not have enough resources to cover all significant risks and can thus overlook key

risks (Chambers 2013). Second, even if internal audit has sufficient resources, it still may not

reduce risk. For example, internal audit originally developed focusing primarily on financial

reporting matters and may have less experience focusing on other areas, like operations and

compliance (Bailey, Gramling, and Ramamoorti 2003). Also, research suggests that relevant

stakeholders (e.g., management, audit committee, etc.) are generally dissatisfied with IAFs (Lenz

and Hahn 2015) and internal audit struggles to attract highly-qualified individuals into the

profession (Murphy 2013; Burton, Starliper, Summers, and Wood 2015; Bartlett, Kremin,

Saunders, and Wood 2016, 2017). Combined, these factors suggest that even though the internal

audit is designed to reduce risk, whether it does or not in practice is an important empirical

question to study.

Another key motivation of this research is to study different characteristics of the IAF

that may be associated with the ability to reduce risk. Internal audit can vary significantly in how

Electronic copy available at: https://ssrn.com/abstract=2970045

it is implemented from one organization to another. We study several key characteristics of

IAFs—including the reporting relation of the head of internal audit, the use of quality assurance

reviews (QARs) to enhance internal audit quality, and the use of the IAF as a management

training ground (MTG)—to see if these characteristics are associated with IAFs ability to reduce

risk.

We study the association between internal auditing and the ability to reduce risk by

studying perceived risk reductions using a unique design. Specifically, we conduct a survey of

chief audit executives (CAEs) for various multinational companies from Germany.2 We ask the

CAEs to identify units in their organization that had recently received an internal audit and a

matched-pair unit that had not received an internal audit but was similar on multiple attributes.

We ask the CAE to match the units as closely as possible and we specifically mention matching

based on the nature of the audited unit (subsidiary, plant, etc.), scope, size, and geographic

footprint of the unit; and the risk level and performance of the unit. After identifying the pairs of

matched units, the CAEs distributed the survey to managers of both audited and non-audited

units for their participation. Thus, we have responses from three groups: (1) heads of units that

were audited by internal audit, (2) heads of units that were not audited by internal audit, and (3)

the CAE themselves.

We asked the heads of these various units to rate various risks at two points in time. We

then compare how the matched unit’s perceived risk changed for units that were audited by the

IAF and those that were not. We supplement the analysis using responses from CAEs for a larger

2
Although we sample IAFs in Germany, we believe the results should generalize to the U.S. and other developed
countries. Internal auditing in Germany is similar to internal auditing in the U.S. in that internal auditing is required
or recommended as a best practice in both countries (e.g., AktG and MaRisk in Germany; SEC 2013 in the United
States), internal auditing has existed in both countries for a significant amount of time (IIA founded in the U.S. in
1941, German IIA founded in 1958), and internal auditors in both countries follow the global IIA “International
Professional Practice Framework”, standards and best practices, which are the same across the world.

Electronic copy available at: https://ssrn.com/abstract=2970045

sample of companies—after showing that CAEs assess perceived risks of business units similarly

to how the heads of both audited and non-audited business units assess themselves (see

Appendix B).

We analyze 21 pairs of responses by the managers of audited and matched non-audited

units and 48 pairs of responses by CAEs about audited and non-audited units. Across both

samples, our results show that internal audit is associated with reductions in the perceived overall

risk faced by business units and that perceived overall risk reduction is greater when managers

implement more of the recommendations given by the IAF.

As previously mentioned, we also build and test hypotheses related to several IAF

characteristics that may impact the IAF and perceived risk relation. We find that IAFs that have a

QAR are associated with greater reductions in perceived risk than IAFs that have not had the

review. In addition, IAFs that are used as a MTG are associated with greater reductions in

perceived risk than IAFs that are not used as a MTG. However, we do not find that having the

head of internal audit report to the audit committee is associated with perceived risk.

Our results also show that managers perceive greater improvement in the performance of

their area after an audit. This finding is particularly salient for units audited by internal audits

that have had a recent QAR and are used as a MTG. When we examine specific types of

perceived risk—including risk related to financial matters, operational matters, and compliance

matters—we find that internal audit is associated with reductions in perceptions of operating risk.

Finally, we find some evidence of spillover effects. That is, when an internal audit conducts

operational audits, unit managers also perceive improvements in financial risk but not in

Electronic copy available at: https://ssrn.com/abstract=2970045

compliance risk.3 Finally, we document that CAEs themselves perceive that audited units

experience greater declines in overall risk compared to non-audited units.

Our paper makes four primary contributions to the literature. First, given the significant

focus on risk by organizations, regulators, and even the U.S. Congress, we provide an important

finding about how organizations can enhance risk management. Specifically, we find support for

the valuable role of internal audit in reducing perceived risk. Our work should be of interest to

various corporate stakeholders. For example, managers and boards of directors ought to assess

whether their IAFs are functioning effectively to address risk. External auditors ought to evaluate

how their client’s IAF contributes to the risk management process. Considering the positive

effects of internal auditing on risk management, regulators should continue weighing all of the

benefits and costs of mandating internal audits for publicly traded companies.

Second, we demonstrate a here-to-for unexamined way internal auditing adds value to

organizations—by reducing perceptions of risk. Although prior research examines internal

audit’s role in the financial reporting process, to our knowledge, we are among the first to

demonstrate that internal audit can also benefit an organization in improving operational and

overall risk. This adds an important finding to the developing body of internal audit research,

especially considering that many business professionals question the value that internal auditing

brings to an organization and that research on internal audit is “still in its infancy” (DeFond and

Zhang 2014).

Third, our paper provides evidence that certain IAF design choices can have a larger

effect on reducing perceived risk. Specifically, IAFs that have had a recent QAR, and are used as

3
Our discussions with internal audit practitioners in Germany reveal that an operational audit is one of the most
common type of audit. During an operational audit, internal auditors often discover risks in non-operational areas.
Internal auditors often make formal or informal suggestions to improve in these areas, which would suggest that
operational audit could have potentially positive spillover effects on reducing risk in other non-operational areas.

Electronic copy available at: https://ssrn.com/abstract=2970045

a management training ground are associated with greater reductions in perceived risk. The

findings related to MTG are especially noteworthy given that the majority of prior research find

that using the IAF as a MTG bears negative outcomes: it’s associated with higher audit fees

(Messier, Reynolds, Simon, and Wood 2011; Ho and Hutchinson 2010) and worse financial

reporting quality (Christ, Masli, Sharp, and Wood 2015). Our findings show that the MTG

structure can have important benefits to the risk management of an organization and that having

a QAR is especially valuable.

The fourth contribution of this study is our unique design. Prior studies largely

investigate the effect of internal audits on company-wide outcomes, such as financial reporting

quality, audit fees, and internal controls reported at the overall firm level. Within a company, not

all units are audited by the IAF. In this study, we can examine the direct effects of internal audit

across business units within the same company. We observe that CAEs are relatively similar in

assessing how heads of business units perceive their unit. This is important for future research as

it suggests that future researchers can survey the CAE and not business unit heads to gather

relevant risk-related and internal auditing related data. This should simplify data collection

efforts for future researchers, which will hopefully spur more research in internal auditing.

LITERATURE REVIEW AND HYPOTHESES

One way internal audit can add value to organizations is to reduce risk. Indeed, the

definition of internal auditing promulgated by the IIA states that one objective of internal

auditors is “to evaluate and improve the effectiveness of risk management” (IIA 2013). There is

only a limited amount of research on the impact of internal auditing on risk management.4 Sarens

4
Prior research has shown that internal audit improves internal controls and financial reporting quality (Prawitt,
Smith, and Wood 2009; Lin, Pizzini, Vargus, and Bardhan 2011; Prawitt, Sharp, and Wood 2012; Ege 2015; Christ
et al. 2015; Abbott, Daughtery, Parker, and Peters 2016; Barr-Pulliam 2017, 2018, 2019; Bills, Huang, Lin, and

Electronic copy available at: https://ssrn.com/abstract=2970045

and De Beelde (2006) interviewed CAEs from 10 different companies to compare how internal

auditors perceive their role in risk management within US and Belgian companies. The study by

Beasley, Clune, and Hermanson (2006) shows that several factors are associated with the impact

of enterprise risk management on internal audit activities, such as CAE tenure and direction from

the CFO and audit committee. DeZwaan, Stewart, and Subraniam (2011) find that higher internal

audit involvement in enterprise risk management influences the internal auditor’s willingness to

report a breakdown in risk procedures to the audit committee.

The demand for internal audit to add value in risk management is underscored in the

2015 Global Internal Audit Common Body of Knowledge (CBOK). Stakeholders were asked

which areas should be in the scope of internal audit beyond traditional assurance work. The

resounding response from stakeholders was “risk.” In particular, the top three areas that

stakeholders want from internal audit are (1) identify known and emerging risk areas (85%), (2)

facilitate and monitor risk management practices by operational management (78%), and (3)

identify appropriate risk management frameworks, practices, and processes (78%) (Anderson

2016). The role that internal auditing is expected to play in risk management continues to

increase in importance, as highlighted by the recent 2019 release of a new practice guide by the

IIA designed to help CAEs provide satisfactory levels of assurance and advice over the

effectiveness of risk management processes and strategies.5 This practice guide further affirms

the profession’s stance that internal auditing can add value to the organization by improving risk

management.

Wood 2019), reduces fraud (Beasley, Carcello, Hermanson and Lapides 2000; Coram, Ferguson, and Moroney
2008), lowers external audit fees (Felix, Gramling, and Maletta 2001; Gramling et al. 2004; Abbott, Parker, and
Peters 2012; Prawitt, Smith, and Wood 2011; Messier et al. 2011), and improves financial performance (Burton,
Starliper, Summers, and Wood 2012; Jiang, Messier, and Wood 2020). However, these studies do not directly study
risk and the ability of internal audit to reduce risk.
5
See the press release via https://global.theiia.org/news/Pages/The-IIA-Releases-New-Practice-Guide-on-Assessing-
the-Risk-Management-Process.aspx.

Electronic copy available at: https://ssrn.com/abstract=2970045

 Internal audit can reduce risk in several ways. As explained in the 2009 IIA position

paper on internal auditing and enterprise-wide risk management, internal auditing provides value

by giving objective assurance on the effectiveness of risk management (IIA 2009). The position

paper details five internal audit roles that are considered core to risk management, which are: (1)

giving assurance on the risk management process, (2) giving assurance that risks are correctly

evaluated, (3) evaluating risk management processes, (4) evaluating the reporting of key risks,

and (5) reviewing the management of key risks (IIA 2009). Beyond these core roles, internal

audit also has legitimate roles that can be undertaken with certain safeguards, such as coaching

management in responding to risks and developing risk management strategies (IIA 2009).

IIA international standards also tout the internal audit’s role in risk management. With

regard to planning engagements, the CAE must establish a risk-based plan to determine the

priorities of internal audit activity (IPPF Standard 2010). IPPF Standard 2120 on Risk

Management further mandates that the IAF evaluate the effectiveness and contribute to the

improvement of risk management processes. Specifically, internal audit must evaluate risk

exposures related to issues such as operations, financial reporting, and safeguarding of assets,

address risks consistent with engagement objectives, and communicate relevant risk information

across the organization in a timely manner.

Although the internal audit is designed to add value by improving risk management, there

are a few possible impediments to achieving this objective. First, to be effective, the IAF requires

sufficient resources to perform its work. Often viewed as a cost-center, IAFs can struggle to

receive the funding they need to be successful. For example, in 2013, the NASDAQ proposed a

rule that would require all companies listed on its exchange to establish an IAF by December 31,

Electronic copy available at: https://ssrn.com/abstract=2970045

2013.6 In response to the proposed rule, the NASDAQ received 16 letters voicing an opinion

about the proposed rule. Of the 16 letters, 13 indicated opposition to the new rule and the most

common reasons were that the benefits of having an IAF do not outweigh the costs. Without

sufficient funding, the IAF may not be able to impact risk management in a meaningful way.

Second, and somewhat related to the first point, to be successful the IAF must have

sufficient ability to have a meaningful effect on risk management. Internal auditors may lack the

ability because of lack of experience working with risk management (Bailey et al. 2003),

negative stigma about the profession (Murphy 2013; Burton et al. 2015; Bartlett et al. 2016,

2017; Eulerich, Kremin, Saunders, and Wood 2020)7, lack of expertise in risk management, or

insufficient organizational clout to make a meaningful difference.

Internal auditing’s role in risk management is a relatively underexplored research area,

but an important area to investigate given the focus by the profession on internal audit reducing

risk. Given the significant attention on internal auditing improving risk management,

notwithstanding the potential reasons internal audit may not have an influence, we would expect

that, on average, internal auditing will be associated with improvements in reducing risk at

organizations. This leads to our first hypothesis:

H1: Internal audits are associated with reductions in perceived risk after the audited
period.

As mentioned, certain features of the IAF may strengthen the effect of internal auditing

on reducing perceived risk. We consider three situations where the effect of internal auditing on

perceived risk is likely to be moderated by other important factors: the reporting relationship of

6
The proposed NASDAQ rule was patterned after the NYSE rule adopted in 2013 that required listed companies to
have an IAF.
7
For example, Eulerich et al. (2020) find that negative views of the internal audit profession are related to less
ability to add value, less influence in the organization, more resistance to implementing internal audit
recommendations, and more pressure to change audit findings.

Electronic copy available at: https://ssrn.com/abstract=2970045

the head of the IAF, whether the IAF has had a recent QAR, and whether the IAF is used as a

MTG.

One of the reasons internal audit may not influence risk management is that internal audit

does not have sufficient clout in an organization to make a difference. If internal audit is deemed

more important in an organization, they are likely to have a greater effect on the organization.

One key factor that demonstrates the importance of internal audit in the organization is to whom

the head of internal audit reports. If the head of internal audit reports to the audit committee, the

IAF likely holds a more prominent role in an organization. For example, Anderson, Christ,

Johnstone, and Rittenberg (2012) find that more interactions with the audit committee is

associated with larger (i.e., more resourced) IAFs. Abbott, Parker, and Peters (2010) find that

IAFs that have greater oversight by the audit committee relative to management are associated

with a greater focus on internal control activities—which includes risk management. Boyle et al.

(2015) find that internal auditors that report to the audit committee provide more conservative

fraud risk assessments and control risk assessments than when they report to management.

If internal auditors assess risk higher, they are more likely to do more diligent testing and

provide recommendations to reduce risk to acceptable levels. Thus, we expect that internal

auditors that report to the audit committee will be associated with greater reductions in perceived

risk, as stated formally in the following hypothesis.

H2: The association between internal audits and reductions in perceived risk after
the audited period is stronger when the IAF reports to the audit committee than
when the IAF reports to management.

The effectiveness and efficiency of internal audit activities likely affect the IAF’s ability

to improve risk management. According to internal audit standards, “the chief audit executive

must develop and maintain a quality assurance and improvement program that covers all aspects

10

Electronic copy available at: https://ssrn.com/abstract=2970045

of the internal audit activity” (Standard 1300). As part of the QAR process, an IAF must be

reviewed externally to make sure the function is complying with standards and is operating

efficiently and effectively. Prior research has shown that having a QAR contributes to a high-

quality IAF and the previously cited benefits of having a high-quality IAF (Christ, et al. 2015;

Dejnaronk, Little, Mujtaba, and McClelland 2015).

In our setting, a QAR provides an impetus for an IAF to improve its efficiency and

effectiveness. Thus, IAFs that have had a recent QAR should be better at performing their tasks

mentioned leading up to H1 than IAFs that have not had a recent QAR. This leads to our third

hypothesis:

H3: The association between internal audits and reductions in perceived risk after
the audited period is stronger when the IAF has had a QAR than when the IAF has
not had the review.

The use of the IAF as a MTG can also affect the IAF’s ability to improve risk

management. Prior research has found that MTG internal auditors are less objective and have

less internal auditing skills but have more natural ability and knowledge of the company than

non-MTG internal auditors (Messier et al. 2011; Christ et al. 2015; Carcello et al. 2018; Hoos,

Messier, Smith, and Tandy 2018). Prior research has found that these differences lead to a

“mixed-bag” of whether this practice is a positive or negative for organizations. For example,

using the IAF as a MTG is associated with external auditors charging higher fees (Messier,

Reynolds, Simon, and Wood 2011; Ho and Hutchinson 2010), reductions in financial reporting

quality (Christ et al. 2015), and favoring management in reporting risks and recommendations

(Hoos et al. 2018). However, on the positive side, using the IAF as a MTG leads to increased

reliance by managers on recommendations from MTG internal auditors (Carcello, Eulerich,

Masli, and Wood 2018).

11

Electronic copy available at: https://ssrn.com/abstract=2970045

 MTG internal auditors have different incentives than non-MTG internal auditors.

MTG internal auditors want to impress management to increase the likelihood of being

promoted out of the IAF. One way to impress management is to add value by identifying

and mitigating risks the company faces—thus making it more likely management

achieves its objectives. In this vein, Hoos et al. (2018) find that MTG internal auditors are

more likely to assess risks and make recommendations in line with what management

prefers relative to what the audit committee prefers. Thus, in combination, the superior

natural ability of MTG internal auditors, higher organizational expertise, and the

incentive to impress management, likely combine such that MTG internal auditors are

likely to be associated with greater reductions in perceived risk than non-MTG internal

auditors. We test this logic in the following hypothesis:

H4: The association between internal audits and reductions in perceived risk after
the audited period is stronger when the IAF is used as a MTG than when the IAF is
not used as a MTG.

METHODOLOGY

Sample Selection

To test our hypotheses, we gathered a unique dataset. Specifically, we evaluate real-

world perceptions of the effect of internal audits on risk. We are unable to directly measure risk,

so we study stakeholder perceptions of risk.8 To collect the relevant data, we surveyed 461 CAEs

belonging to the IIA in Germany.9 The Germany chapter of the IIA assisted us in administering

8
As a limitation, we acknowledge the possibility that demand type effects could drive the results.
9
The German Accounting Modernization Act from 2009 requires boards and audit committees from listed
companies to evaluate the effectiveness of the IAF. This requirement is broadly accepted as the (legal) mandatory
need for the implementation of an IAF. The act covers all German stock corporations and private firms with a
comparable size and structure (German Accounting Modernization Act 2009).

12

Electronic copy available at: https://ssrn.com/abstract=2970045

the survey but the authors had complete control over the design of the survey instrument.10 The

use of human subjects was approved for this study. From this group, 37 CAEs from different

companies responded, a response rate of 8 percent. Not all CAEs responded to each question. We

include all possible responses for analysis for each question.

The survey asked the CAEs to do two things. First, each CAE was asked to select three

out of the ten largest audits of the prior year (measured by the auditor days spent) and select a

unit that was not audited but similar to the audited unit in as many ways as possible, including

the six criteria listed below, to serve as a control sample. The CAE was then asked to forward a

survey to the heads of these six units (3 audited units and 3 units that were not audited) asking

them to fill out the survey and return it to the researchers. The second task the CAEs were asked

to perform was to provide their evaluation of the same six units and provide details about the

company and the IAF. The primary analyses make use of data from unit managers. Managers’

perceptions of risk represent perceptions that come directly from the customers of internal audit.

A secondary dataset, used in supplementary analyses, compiles the perceptions of the CAEs.

This dataset is larger as not all unit heads chose to respond. We also note that for most

companies, we did not necessarily get responses for all six (3 audited and 3 non-audited) units as

requested.

The request to the CAEs included criteria for matching audited and non-audited units.11

The six criteria we provided to the CAEs include:

1. Nature of the audited unit (subsidiary, process, plant, etc.)

10
The authors had complete control over the design of the questions included for analysis for this project. We note
that the IIA had additional purposes for this survey and thus many questions other than those relevant to this study
were asked of participants.
11
The choice of which criteria to request for matching was made after discussing with practitioners and the German
IIA about how units are selected for audit. These groups said that the selection process is multi-faceted negotiation
between the audit committee, management, and the CAE. They identified several of these factors as the most
important attributes in that discussion. We added additional matching criteria to make the comparisons as similar as
possible.

13

Electronic copy available at: https://ssrn.com/abstract=2970045

 2. Whether the audited unit was or was not a company-wide unit
3. Size of the audited unit in the year of the audit
4. Risk level of the audited unit in the year of the audit
5. Performance level of the audited unit in the year of the audit
6. Geographic area of the audited unit in the year of the audit

For example, assuming the CAE selected for inclusion in our study a 2013 audit of a

foreign country-based subsidiary with $5 billion in total assets that had high risk and

performance was average. The CAEs would be expected to select a different subsidiary located

in the same country (or a similar country); with total assets as close to $5 billion as possible;

whose risk level was high; and performance was average.

Table 1 provides data about the responses from managers of the business units. Panel A

shows that we had at most 4 pairs from one company and that we had a total of 21 pairs from 10

different companies with manager responses. Panel B shows a comparison of the units that were

selected and not selected by the CAE. The data show that the audited and non-audited units were

similar on the nature of audit (e.g., subsidiary, process, etc.), the scope of the audit (company-

wide versus not), the beginning risk of the unit, and the performance of the unit in the previous

year.12 Based on extensive discussion with the IIA, we chose not to gather data about the size of

the audited unit as this was deemed more sensitive information than the other requests (i.e., the

IIA was worried about possible ex-post identification of units through matching).

We also measured three additional pieces of information: the perception of internal audit

held by the manager of the unit, the financial education of the manager, and whether the manager

was new or not (being in the position for 3 years or less). We note that the first two variables did

12
We note that there is a single company-wide business unit not matched to a company-wide business unit. But, for
this one particular case, the CAE still matched well based on the five other criteria. We note that the CAEs matched
the units based on data for the year of the audit. In Table 1 Panel B, we capture levels of risk and performance for
the year prior to the audit (based on available data).

14

Electronic copy available at: https://ssrn.com/abstract=2970045

not differ between groups but that managers of audited units were more likely to be new than

non-audited units.13 The insignificant difference in the variable IA Value to Manager is

particularly noteworthy. This variable is equal to one if the manager fully agrees with the

statement that internal audit adds value and zero otherwise. It does not seem that one group of

managers is more biased towards or against internal audit than the other group. Based on all of

the evidence, we conclude that the match provided by the CAEs appears to be unbiased and

accomplish our objective of matching two relatively similar units for comparison.

We also provide descriptive statistics for the number of IA recommendations, the number

of implemented IA recommendations, and the proportion of internal audit recommendations that

were implemented by managers (Ratio of Implemented IA Recommendations). The descriptive

statistics reported are based on 20 audited units for which we obtained complete data on internal

audit recommendations. On average, IA provided approximately 25 recommendations to audited

units and audited managers implemented 20 recommendations.

Table 1, Panel C provides descriptive statistics about the ten companies that provided

manager responses for the test and control observations. The descriptive statistics show that these

are large companies with average revenues of approximately 12.8 billion Euros and

approximately 90,000 employees. The sample includes publicly traded and private companies.

All but one company have an audit committee and eight of the ten companies have Big N

auditors. The companies, on average, have 38 internal auditors and an internal audit budget of

approximately 5.3 million Euros. The IAFs have a strong focus on assurance-related tasks (87

percent of their focus is on auditing). Nearly one-third of the internal audit staff hold a specific

certification in internal audit and have an average of nine years of experience. Internal auditors,

13
We note that this difference may indicate that there is some type of additional risk in these units. We are not able
to identify what that risk is, and encourage future research in this area.

15

Electronic copy available at: https://ssrn.com/abstract=2970045

on average, spend 27 and 29 days for in-house training and out-of-house training, respectively.

Half of the internal audit departments recently underwent a QAR. Seven out of the ten

companies use the IAF as a MTG and 40 percent of the IAFs report to the audit committee.14

Models and Variable Measurement

We asked managers of both audited and non-audited units to rate the level of perceived

risk within their respective units. We asked participants to rate the perceived risk level for both

the period before and after the audit was conducted so that we could observe a change in

perceived risk over the same period of time. The managers of the non-audited units had to

evaluate the perceived risk for the prior year (comparable to the year prior to the audit of the

audited unit) and after one year (comparable to the year after the audit of the audited unit). The

respondents provided an overall rating of perceived risk. For perceived risk, respondents rated

the risk level using a five-point scale labeled (1) very low; (2) low, (3) medium, (4) high, and (5)

very high.

Risk may change over the period because of factors not associated with internal audit.

For example, risk for the entire company may have declined due to policies implemented

throughout the organization. These company-wide changes would manifest in both the audited

and the non-audited group. For internal audit to have a significant impact, the decline in risk for

the audited group should be greater than the decline in risk for the non-audited group. We test

this possibility by comparing responses from the heads of the audited and non-audited units. The

design holds constant other company-wide factors that could impact risk.

For our primary analyses, we run the following linear regression model:

Overall Risk = 0 + 1 Audited + 2 After + 3 Audited * After + j Controls +  

14
We recognize that the percentage of IAFs that report to the audit committee is lower than in other studies. This
should not bias our results, but future studies should examine how reporting relations differ in various countries.

16

Electronic copy available at: https://ssrn.com/abstract=2970045

 The dependent variable is perceived overall risk (Overall risk). The variable Audited is

defined as one if the observation relates to an audited unit and zero if the observation relates to a

non-audited unit. As mentioned, we capture the perceived risk level both before and after the

audit. The variable After is defined as one if the observation relates to the period after the audit

and zero if the observation relates to the period before the audit. The interaction variable Audited

* After is our variable of interest. A negative and significant interaction term would suggest that

the audited unit managers perceive lower overall risk after the audit compared to non-audited

unit managers.

For the analysis of the manager’s responses, since the matching appears to be done

according to our request, additional control variables should not be needed as the audited and

non-audited units should be similar on the variables important for determining perceived risk.

However, since we cannot directly assess all components of the quality of the match, we

supplement the analyses by adding several additional unit-level control variables. The unit-level

control variables include financial background of the manager (Manager Financial Education),

tenure of the manager (Manager is New), and whether the manager fully agrees with the

statement that IA provides value (IA Value to Manager). We also control for the performance

level of the unit (Performance). Company-wide control variables are controlled for by adding

firm indicators to the model (i.e., an indicator variable for each unique company). These firm

indicator variables control for all other factors at the company level (e.g., firm size, culture,

governance structures, etc.). See Appendix A for the definition of variables used in the models.

To test the remaining hypotheses (H2 to H4), we run the following linear regression

models:

Overall Risk = 0 + 1 Audited REPORT AC + 2 Audited NO REPORT AC + 3 After +

17

Electronic copy available at: https://ssrn.com/abstract=2970045

 4 Audited REPORT AC * After + 5 Audited NO REPORT AC * After +
j Controls +  


To test Hypothesis 2, we run Equation (2). For this equation, we rerun Equation (1)

splitting Audited into two variables: (i) Audited REPORT AC, an indicator variable indicating

whether the audited unit is audited by an IAF where the CAE reports to the audit committee and

(ii) Audited NO REPORT AC, an indicator indicating whether the audited unit is audited by an

IAF where the CAE does not report to the audit committee. In essence, we distinguish audited

units that were audited by an IAF that reports to the audit committee from audited units that were

audited by an IAF that does not report to the audit committee. Hypothesis 2 suggests that the

negative coefficient for the interaction term Audited REPORT AC * After will be lower than the

negative coefficient for the interaction term Audited NO REPORT AC * After.

Overall Risk = 0 + 1 Audited QAR + 2 Audited NO QAR + 3 After +

4 Audited QAR * After + 5 Audited NO QAR * After + j Controls +  
     

To test Hypothesis 3, we run Equation (3). For this equation, we rerun Equation (1)

splitting Audited into two variables: (i) Audited QAR, an indicator variable indicating whether the

audited unit is audited by an IAF that had a QAR in recent years and (ii) Audited NO QAR, an

indicator indicating whether the audited unit is audited by an IAF that did not have a QAR in

recent years. In this specification, we distinguish units audited by an IAF with a recent QAR

from units audited by an IAF without a recent QAR. Hypothesis 3 suggests that the negative

coefficient for interaction term Audited QAR * After will be lower than the negative coefficient

for the interaction term Audited NO QAR * After.

Overall Risk = 0 + 1 Audited MTG + 2 Audited NO MTG + 3 After +

4 Audited MTG * After + 5 Audited NO MTG * After + j Controls +  
(4)

18

Electronic copy available at: https://ssrn.com/abstract=2970045

 To test Hypothesis 4, we run Equation (4). For this equation, we rerun Equation (1)

splitting Audited into two variables: (i) Audited MTG, an indicator variable indicating whether

the audited unit is audited by an IAF that is used as a MTG and (ii) Audited NO MTG, an

indicator indicating whether the audited unit is audited by an IAF that is not used as a MTG.

Here, we differentiate units audited by an IAF used as a MTG from units audited by an IAF not

used as a MTG. Hypothesis 4 suggests that the negative coefficient for the interaction term

Audited MTG * After will be lower than the negative coefficient for the interaction term Audited

NO MTG * After.

RESULTS

Table 2 provides the results examining the influence of the internal audit on manager’s

perception of changes in overall risk. Panel A of Table 2 provides univariate results. We

compare the overall risk ratings in the before period for the audited and non-audited units. We

find statistically similar risk ratings in the before period between the audited (3.000) and non-

audited units (2.905), which provides more assurance that the match by the CAE was performed

without bias. In the after period, we find that the risk rating for audited units (2.238) is

significantly lower than the risk rating for non-audited units (2.762), which is consistent with

internal auditing reducing risk through its work.

For audited units, the overall risk in the after period (2.238) is significantly lower (p <

0.01) than the before period (3.000). The change in overall risk for audited units is -0.762. For

non-audited, the overall risk in the after period (2.762) is also significantly lower (p < 0.10) than

the before period (2.905). The change in overall risk for the non-audited units is -0.143. While

both audited and non-audited units experience decreases in risk, the risk decrease for audited

units (-0.762) is larger in magnitude compared to the risk decrease for non-audited units (-0.143).

19

Electronic copy available at: https://ssrn.com/abstract=2970045

The univariate difference for the change in perceived overall risk between audited and non-

audited units (-0.619) is significantly different from zero (p < 0.01). In sum, we find univariate

evidence that managers of audited units, compared to non-audited managers, perceive greater

declines in risk.

Panel B of Table 2 provides the results for Equation 1. The dependent variable for Model

1 and Model 2 is Overall Risk. The coefficient for Audited * After is negative (-0.497) and

significant (p < 0.01), suggesting that managers of audited units perceive lower overall risk after

the audit than managers of non-audited units, controlling for other factors that may influence

risk. In Model 2, we replace the variable Audited with Implemented Recommendations, which is

the number of implemented IA recommendations relative to total number of IA

recommendations. The coefficient for Implemented Recommendations * After is also negative (-

0.623) and significant (p < 0.01), suggesting that managers that implemented more of internal

audit’s recommendations perceive lower overall risk after the audit.15

Table 3 provides the results for Equation (2), (3), and (4). The dependent variable for

Model 1, Model 2, and Model 3 is Overall Risk. The coefficients for Audited REPORT AC *

After and Audited NO REPORT AC * After are both negative and significant (p < 0.05).

However, there is no statistical difference between the two interaction term coefficients,

suggesting that managers of audited units perceive similar decreases in overall risk after the audit

regardless of whether the internal audit reports to the audit committee. Thus, hypothesis 2 is not

supported.

15
In untabulated analyses, we examine perceptions of particular risks (i.e., operating, financial, and compliance
risks). Managers that received operational focused audits perceive a greater decline in operating risks than managers
of non-audited units. There also appears to be some spillover effects as those same managers also perceive greater
declines in financial risks compared to their non-audited counterparts.

20

Electronic copy available at: https://ssrn.com/abstract=2970045

 The lack of support for H2 is consistent with the counter-intuitive finding of both

Norman, Rose, and Rose (2010) and Hoos et al. (2018) who both find that having internal audit

report to the audit committee is associated with lower assessments of risk likely because the

internal auditors want to appear like they are doing their jobs to reduce risk well. We encourage

future research on this important topic.

The coefficients for Audited QAR * After and Audited NO QAR *After are both negative

and significant (p < 0.05). However, the coefficient for the interaction term Audited QAR * After

(-0.677) is significantly lower (p = 0.05) than that for the interaction term Audited NO QAR *

After (-0.234). This suggests that managers who are audited by internal audit with a recent QAR

perceive greater decreases in risk compared to managers who are audited by internal audit

without a QAR, a finding consistent with hypothesis 3.

The coefficient for Audited MTG * After is negative and significant (p < 0.01). Further,

the coefficient for the interaction term Audited MTG * After (-0.631) is significantly lower (p <

0.05) than that for the interaction term Audited NOT MTG * After (-0.110). This suggests that

managers who are audited by an internal audit being used as a MTG perceive greater decreases

in risk compared to managers who are audited by an internal audit not being used as a MTG, a

finding consistent with hypothesis 4.16

In sum, we find that managers of audited units perceive greater decreases in overall risk

compared to managers of units that did not get an audit. This effect is further strengthened when

the IAF has gone through a recent QAR and is used as a training ground for future managers.

16
One limitation of this analysis is that we do not know how many of the managers that responded to our survey had
previously been in internal audit. Although it is possible that managers may have previously been in internal audit,
we believe it is unlikely to bias our results since managers in both the audited and non-audited group could have
come from the internal audit and we have no theoretical reason to believe one of these groups would answer in a
more biased manner than the other. Furthermore, when we compare how audited managers of MTG firms perceive
the value of IA relative to those of non-MTG firms, we observe no significant differences.

21

Electronic copy available at: https://ssrn.com/abstract=2970045

Supplemental Analyses

Improvements in Performance

While our main analyses center on perceived risk, we also examine whether the area

being evaluated improved its performance. We asked unit managers to rate the overall

performance of their area for the time period before and after the audit (or equivalent time period

in case of non-audited managers). The respondents rated the performance level using a seven-

point scale with higher values suggesting better performance.17

We re-run Equations (1) to (4), changing the dependent variable to Overall Performance

and including Overall Risk as a control variable. In addition, because the focus is on changes in

unit performance, we set the sample to include audited units that received operations focused

audits and their matched non-audited units. Table 4 displays the results. The coefficient for

Operations Audited * After is positive (0.488) and significant (p < 0.10), suggesting that

managers of audited units perceive higher performance after the audit than managers of non-

audited units. When we examine differences in internal audit characteristics (i.e., reporting to

audit committee, QAR, and MTG), we find that managers who are audited by an internal audit

with a recent QAR perceive greater performance improvements compared to managers who are

audited by an internal audit without a QAR (p < 0.01). Additionally, managers who are audited

by an internal audit being used as a MTG perceive greater performance improvements compared

to managers who are audited by an internal audit not being used as a MTG (p < 0.05).

17
The scale was labeled (-3) significantly below average (-2) moderately below average (-1) slightly below average
(0) average (1) slightly above average (2) moderately above average and (3) significantly above average.

22

Electronic copy available at: https://ssrn.com/abstract=2970045

Investigating the CAEs’ Perspectives

We examine the responses of CAEs about their perception of changes in risk.18 Panel A

of Table 5 provides univariate results. In the sample, there are 48 pairs of audited and matched

non-audited units. The univariate difference for the change in perceived overall risk between

audited and non-audited units (-0.395) is significantly different from zero (p < 0.01).

Linear regression results are similar to the H1 findings (see Panel B of Table 5).19 That is,

results indicate that CAEs perceive greater declines in overall risk for audited units compared to

non-audited units. In an untabulated analysis, however, we do not find that IAF reporting to the

audit committee, QAR, or IAF use as a MTG differentially affects CAE perceptions of risk

changes.

CONCLUSION

Because of a dynamic and uncertain business environment, organizations need to manage

risk to be successful. Although the IIA explicitly defines the IAF as a provider of assurance and

consulting services to add value to organizations through an improvement of risk management,

the benefit and value of IAFs in this domain have not been tested. Our results show an internal

audit reduces the perceived risks of the audited units more compared to non-audited units. We

also present evidence suggesting that audited units perceive greater improvements in

performance relative to non-audited units.

Our results extend previous research on the benefits of internal audit and provide

evidence of the IAF’s ability to fit its definitional charge of adding value to the organization by

reducing perceived risk. These findings should be of use to internal auditors trying to

18
The observations in these analyses are based on available and complete CAE responses about overall risk ratings.
19
Company-wide control variables are controlled for by adding firm fixed effects to the model. Due to data
limitations, we do not control for unit-level variables in the CAE model.

23

Electronic copy available at: https://ssrn.com/abstract=2970045

demonstrate the value they add to an organization and secure sufficient resources for their

function. Our study also contributes by demonstrating that CAEs and heads of business units

assess risk and changes in risk similarly (see Appendix B for full details). This is a useful finding

in that future research should be able to economize surveying techniques and focus on only one

group—as both groups provide similar responses. This should encourage future research as it

makes it less onerous to gather samples of perceptions of risk.

Our study is subject to certain limitations. First, we measure the perception of risk and

not whether actual risk changes. Future studies that can measure the actual risk a business unit

faces would make a significant contribution to the literature. Second, we recognize that the

choice of which units to audit still results in endogeneity concerns. Certain units may be selected

to an audit that are somehow different than the units that were not selected for an audit. We try to

mitigate this by providing guidance on the most important variables the CAE should match the

audited and non-audited units. However, we are unable to ascertain statistically the quality of this

match and whether it controls for all possible endogeneity concerns.

Finally, as a third limitation, in seeking participants, the letter we sent to internal auditors

contained wording that may have biased participants.20 We view it as unlikely that this

influenced our results because (1) it would be difficult to follow the stringent matching criteria

we laid out and still select a biased sample, (2) we had multiple different groups who have

different perceptions of internal audit respond to our survey and the results were consistent

20
The specific wording stated: “The purpose of this research project is to evaluate the effectiveness and value added
from the organization’s internal audit function (IAF). We are interested in changes in performance and risk of units
audited in 2013, as well as determining which company and internal audit characteristics explain improved
performance or reduced risk.”

24

Electronic copy available at: https://ssrn.com/abstract=2970045

groups,21 and (3) the results do not always show that internal audit improves risk. For example,

we did not find evidence that internal audit reduces compliance risk. If respondents were biased

to show internal audit is valuable, we should see similar results across all dependent variables.

We encourage continued research in internal audit. We show that managers perceive

improvements in overall risk after an audit by internal auditors. We also attempt to shed light on

how internal audit can beneficially affect the management of specific risks, such as financial risk

and compliance risk. Due do data limitations, we are not able to build conclusive inferences on

this front. We urge future research to investigate how internal audit can assist the management of

particular risks, particularly financial risk and compliance risk.

Finally, while the internal audit research has not yet approached the volume of external

audit research in demonstrating that internal audit matters, the body of knowledge about internal

audit research is growing. From this study and other research, it appears that internal audit can

add significant value to organizations and that business leaders do not yet fully appreciate the

benefits of internal auditing. Future research will hopefully shed light on why this is the case and

continue testing the value that internal auditing adds to companies and society.

21
Relatedly, the CAE respondents have the greatest incentive to make internal audit appear favorably and yet the
descriptive statistics show that CAEs were less likely to suggest internal audit improved compliance risk or
operating risk relative to the managers who were audited (though this difference is not statistically significant, see
Appendix B).

25

Electronic copy available at: https://ssrn.com/abstract=2970045

 References

Abbott, L. J., S. Parker, and G. F. Peters. 2012. Audit fee reductions from internal audit-provided
assistance: The incremental impact of internal audit characteristics. Contemporary
Accounting Research 29 (1): 94-118.

Abbott, L. J., B. Daughtery, S. Parker, and G. F. Peters. 2016. Internal audit quality and financial
reporting quality: The joint importance of independence and competence. Journal of
Accounting Research 54 (1): 3-40.

Anderson, D. 2016. Relationships and Risk. Can be accessed via:

https://www.iia.nl/SiteFiles/Publicaties/IIARF%20CBOK%20%20Stakeholder%20%20R
elationships%20and%20Risk%20March%202016_5.pdf.
Anderson, U. L., M. H. Christ, K. M. Johnstone, and L. E. Rittenberg. 2012. A post-SOX
examination of factors associated with the size of internal audit functions. Accounting
Horizons 26 (2): 167-191.

Bailey, A. D., A. A. Gramling, and S. Ramamoorti (Eds.). 2003. Research Opportunities in

Internal Auditing. Institute of Internal Auditors Research Foundation.

Barr-Pulliam, D. 2017. The Relationship between Internal Audit Assurance Frequency and
Earnings Manipulation Intent and Behavior: A Theory of Planned Behavior Approach.
Working Paper, University of Louisville.

Barr-Pulliam, D. 2018. The Joint Effects of the Internal Audit Function’s Use of Continuous
Auditing and its Use as a Management Training Ground on Managerial Discretion in
Financial Reporting. Working Paper, University of Louisville.

Barr-Pulliam, D. 2019. The Effects of Continuous Auditing and role duality on the incidence and
likelihood of reporting management opportunism. Management Accounting Research 44:
44-56.

Bartlett, G. D., J. Kremin, K. Saunders, and D. A. Wood. 2016. External auditors’ perceptions of
and willingness to work in outsourced and in-house internal audit functions. Accounting
Horizons 30 (1): 143-156.

Bartlett, G. D., J. Kremin, K. Saunders, and D. A. Wood. 2017. Factors influencing recruitment
of non-accounting business professionals into internal auditing. Behavioral Research in
Accounting 29 (1): 119-130.

Beasley, M., B. Branson, and D. Pagach. 2015. An analysis of the maturity and strategic impact
of investments in ERM. Journal of Accounting and Public Policy 34 (3): 219-243.

Beasley, M., J. Carcello, D. Hermanson and P. D. Lapides. 2000. Fraudulent financial reporting:
Consideration of industry traits and corporate governance mechanisms. Accounting
Horizons 14: 441-454.

26

Electronic copy available at: https://ssrn.com/abstract=2970045

Beasley, M. S., R. Clune, and D. Hermanson. 2006. The impact of enterprise risk management
on the internal audit function. Journal of Forensic Accounting 1-20.

Bills, K. L., H. W. Huang, Y. H. Lin, and D. A. Wood. 2019. Internal audit turnover, financial
reporting quality and audit risk assessment. Working Paper Michigan State University,
National Cheng-Kung University, Monash University, and Brigham Young University.

Boyle, D. M., F. T. DeZoort, and D. R. Hermanson. 2015. The effects of internal audit report
type and reporting relationship on internal auditors’ risk judgments. Accounting Horizons
29 (3): 695-718.

Burton, G. F., M. W. Starliper, S. L. Summers, and D. A. Wood. 2015. The effects of using the
internal audit function as a management training ground or as a consulting services
provider in enhancing the recruitment of internal auditors. Accounting Horizons 29: 115-
140.

Burton, G. F., S. A. Emett, C. A. Simon, and D. A. Wood. 2012. Corporate managers’ reliance
on internal auditor recommendations. Auditing: A Journal of Practice & Theory 31: 151-
166.

Carcello, J. V., M. Eulerich, A. Masli, and D. A. Wood. 2018. The value to management of using
the internal audit function as a management training ground. Accounting Horizons 32 (2):
121-140.

Chambers, R. 2013. NASDAQ hesitates in its quest to mandate internal audit. Internal Auditor.

Christ, M. H., A. Masli, N. Y. Sharp, and D. A. Wood. 2015. Rotational internal audit programs
and financial reporting quality: Do compensating controls help? Accounting,
Organizations and Society 44: 37-59.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2013. Internal
Control — Integrated Framework Executive Summary. Accessible via
https://www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2017. Enterprise
Risk Management: Integrating with Strategy and Performance. Accessible via
https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-
Performance-Executive-Summary.pdf.
Coram, P., C. Ferguson, and R. Moroney. 2008. Internal audit, alternative internal audit
structures and the level of misappropriation of fraud. Accounting & Finance 48: 543-559.

DeFond, M., and J. Zhang. 2014. A review of archival auditing research. Journal of Accounting
and Economics 58: 275-326.

27

Electronic copy available at: https://ssrn.com/abstract=2970045

Deloitte. 2015. Cybersecurity: The changing role of audit committee and internal audit.
Available at https://www2.deloitte.com/content/dam/Deloitte/sg/Documents/risk/sea-risk-
cyber-security-changing-role-in-audit-noexp.pdf

Dejnaronk, J., Little, H. T., Mujtaba, B. G., & McClelland, R. (2015). Factors Influencing the
Effectiveness of the Internal Audit Function in Thailand. In Proceedings of Conference:
Business and Social Sciences Research Conference: Research for Development,
Bangkok, Thailand.

DeZoort, F.T., and D. R. Hermanson. 2013. Comment letter on SR-NASDAQ-2013-032. May

10.

DeZwaan, L., J. Stewart, and N. Subramaniam. 2011. Internal audit involvement in enterprise
risk management. Managerial Auditing Journal 26 (7): 586-604.

Ege, M. 2015. Does internal audit function quality deter management misconduct? The
Accounting Review 90: 495-527.

Eulerich, M. J. Kremin, K. K. Saunders, and D. A. Wood. 2020. Internal audit stigma awareness
and internal audit outcomes: Stuck between a rock and a hard place. Working Paper,
University of Duisburg-Essen, Portland State University, University of Nebraska at
Lincoln, and Brigham Young University.

Felix, W. L., Jr., A. A. Gramling, and M. J. Maletta. 2001. The contribution of internal audit as a
determinant of external audit fees and factors influencing this contribution. Journal of
Accounting Research 39: 513-534.

German Accounting Modernization Act 2009 (§107 3.2 AktG).

Gramling A. A., M. J. Maletta, A. Schneider, and B. K. Church. 2004. The role of the internal
audit function in corporate governance: A synthesis of the extant internal auditing
literature and directions for future research. Journal of Accounting Literature 23: 194-
244.

Gramling, A. A., I. Nuhoglu, and D. A. Wood. 2013. A descriptive study of factors associated
with the internal audit function having an impact: Comparisons between organizations in
a developed and an emerging economy. Turkish Studies. 14: 581-606.

Ho, S., and M. Hutchinson. 2010. Internal audit department characteristics/activities and audit
fees: Some evidence from Hong Kong firms. Journal of International Accounting,
Auditing and Taxation 19 (2): 121-136.
Hoos, F., W. F. Messier, J. L. Smith, and P. R. Tandy. 2018. An experimental investigation of
the interaction effect of management training ground and reporting lines on internal
auditor’s objetivity. International Journal of Auditing. 22 (2): 150-163.

28

Electronic copy available at: https://ssrn.com/abstract=2970045

Hoyt, R.E., and A. P. Liebenberg. 2011. The value of enterprise risk management. Journal of
Risk and Insurance 78 (4): 795-822.

Institute of Internal Auditors. 2009. IIA Position Paper: The Role of Internal Auditing in
Enterprise-Wide Risk Management. Available at: https://na.theiia.org/standards-
guidance/Public%20Documents/PP%20The%20Role%20of%20Internal%20Auditing%2
0in%20Enterprise%20Risk%20Management.pdf

Institute of Internal Auditors. 2013. Comment letter on SR-NASDAQ-2013-032. March 28.

Jiang, L., W. F. Messier, and D. A. Wood. 2020. The association between internal audit
operations-related services and firm operating performance. Auditing: A Journal of
Practice & Theory Forthcoming.

Lenz, R., and U. Hahn. 2015. A synthesis of empirical internal audit effectiveness literature
pointing to new research opportunities. Managerial Auditing Journal 30 (1): 5-33.

Lin, S., M. Pizzini, M. Vargus, and I. R. Bardhan. 2011. The role of the internal audit function in
the disclosure of material weaknesses. The Accounting Review 86: 287-323.

McShane, M.K., A. Nair, and E. Rustambekov. 2011. Does enterprise risk management increase
firm value? Journal of Accounting, Auditing & Finance 26 (4): 641-658.

Messier, W. F., Jr., J. K. Reynolds, C. A. Simon, and D. A. Wood. 2011. The effect of using the
internal audit function as a management training ground on the external auditor’s reliance
decision. The Accounting Review 86: 2131-2154.

Murphy, M. 2013. Internal Audit Staffs Need to Foresee Talent Shortages: CEB. Available at:
http://blogs.wsj.com/cfo/2013/01/17/internal-audit-staffs-need-to-foresee-talent-
shortages-ceb/

NASDAQ 2013-032. Available at: https://www.sec.gov/rules/sro/nasdaq/2013/34-69030.pdf

Norman, C. S., A. M. Rose, and J. M. Rose. 2010. Internal audit reporting lines, fraud risk
decomposition, and assessments of fraud risk. Accounting, Organizations and Society. 25
(5): 546-557.

NYSE Listing Manual. Available at: http://nysemanual.nyse.com/LCM/Sections/

Prawitt, D. F., N. Y. Sharp, and D. A. Wood. 2012. Internal audit outsourcing and the risk of
misleading or fraudulent financial reporting: Did Sarbanes-Oxley get it wrong?
Contemporary Accounting Research 29: 1109-1136.

Prawitt, D. F., J. L. Smith, and D. A. Wood. 2009. Internal audit quality and earnings
management. The Accounting Review 84 (4): 1255-1280.

29

Electronic copy available at: https://ssrn.com/abstract=2970045

Prawitt, D. F., J. L. Smith, and D. A. Wood. 2011. Reconciling archival and experimental
research: Does internal audit contribution affect the external audit fee?’ Behavioral
Research in Accounting 23: 187-206.

Protiviti. 2013. SEC Flash Report – NASDAQ withdraws proposed internal audit function rule
with intent to resubmit it. May 15.

Sarens, G., and I. De Beelde. 2006. Internal auditors’ perception about their role in risk
management: A comparison between US and Belgian companies. Managerial Auditing
Journal 21 (1): 63-80.

U.S. Securities and Exchange Commission. 2013. Notice of filing of proposed rule change to
require that listed companies have an internal audit function. March 4. Release No. 34-
69030; SR-NASDAQ-2013-032.

30

Electronic copy available at: https://ssrn.com/abstract=2970045

 Table 1. Description of Companies Providing Responses by Business Unit Managers

Panel A. Sample of Audited and Non-Audited Unit Pairs

Company ID Number of Pairs % of Total Pairs

Company ID #1 4 19.05%
Company ID #2 1 4.76%
Company ID #3 2 9.52%
Company ID #4 3 14.29%
Company ID #5 2 9.52%
Company ID #6 1 4.76%
Company ID #7 2 9.52%
Company ID #8 3 14.29%
Company ID #9 2 9.52%
Company ID #10 1 4.76%
Total 21
Ten different companies provided manager responses. Within the ten companies, 21 pairs
of audited and non-audited units provided manager responses.

Panel B. Characteristics of Matched Audited Units and Non-Audited Units

p-value
Audited Unit Non-Audited Unit for
Variable (n= 21) (n=21) Diff.
Nature of the Unit
Subsidiary 6 6
Process 6 6
Plant/Store/Branch 1 1
Other 8 8
Company Wide 9 8
Overall Risk Before Audit Year 3.000 2.905 0.629
Overall Performance Before Audit Year 0.190 0.381 0.676
IA Value to Manager 0.238 0.333 0.506
Manager Financial Education 0.523 0.476 0.765
Manager is New 0.429 0.143 0.041
Raw # of IA Recommendations 24.6 N/A
Raw # of Implemented IA
Recommendations 19.95 N/A
Ratio of Implemented IA
Recommendations 0.839 N/A
In this panel, we display a comparison of unit characteristics between audited and non-
audited units.

Panel C. Descriptive Statistics of Companies (n=10) that Provided Manager Responses

Variable Mean Std. Dev.

31

Electronic copy available at: https://ssrn.com/abstract=2970045

Company Characteristics
Revenues (in millions of Euros) 12,774.6 19,124.4
Employees 89,765.1 150,083.4
Public Listing 0.40 0.52
Audit Committee 0.90 0.32
Supervisory Board Members (n=8) 13.50 4.17
Big N Auditor 0.80 0.42
IAF Characteristics
IAF Employees 37.95 58.69
IAF Budget (in thousands of Euros) 5,274.3 8,310.2
IAF Certification (%) 0.32 0.32
Focus on Auditing (%) 0.87 0.10
In-house Training (days) 27.40 23.96
Out-house Training (days) 29.40 19.04
QA Review 0.50 0.53
IAF Staff Experience (years) 9.40 5.08
IA used as MTG 0.70 0.48
IA Reports to AC 0.40 0.516
In this panel, we provide descriptive statistics about the ten companies that provided
responses by managers of audited and non-audited units.

32

Electronic copy available at: https://ssrn.com/abstract=2970045

 Table 2. Internal Audits and Changes in Risk
Panel A. Changes in Overall Risks
Audited Non Audited
Overall Risk n Manager Unit n Manager Unit Difference p-value
Before 21 3.000 21 2.905 0.095 0.629
After 21 2.238 21 2.762 -0.524 < 0.01
Difference -0.762 -0.143
p-value < 0.01 0.083

p-value
Change in Overall Risk 21 -0.762 21 -0.143 -0.619 < 0.01

In this table, we present univariate comparisons of overall risk between audited and non-audited
units. We display overall risk before and after the audit period as well as the change in the
overall risk.

33

Electronic copy available at: https://ssrn.com/abstract=2970045

Panel B. Linear Regression Results
Overall Risk
Pred. Model 1 Model 2
Sign coef/p-value coef/p-value
Audited ? 0.068
(0.695)
Implemented Recommendations ? 0.073
(0.747)
After ? -0.021 -0.020
(0.739) (0.727)
Audited * After - -0.497
(0.003)
Implemented Recommendations * After - -0.623
(0.000)
Manager Financial Education ? 0.338 0.317
(0.312) (0.332)
Manager is New ? 0.001 0.054
(0.996) (0.791)
IA Value to Manager ? 0.209 0.224
(0.474) (0.437)
Performance ? -0.160 -0.147
(0.018) (0.041)
Intercept 2.735 2.726
(0.000) (0.000)
Firm Indicators Included Included
Number of observations 84 80
Adjusted R2 0.534 0.545
We had 21 pairs of audited and non-audited units that provided manager responses
about overall risk. The sample totals 84 to account for before and after audit
observations For Model 2, the sample goes down to 80 because there is one pair of
observations that did not provide data on the number of IA recommendations. The p-
values are in parentheses. p-values are two-tailed unless predicted (one-tailed). See the
Variable Appendix for variable definitions.

34

Electronic copy available at: https://ssrn.com/abstract=2970045

Table 3. IA Characteristics and Changes in Overall Risk
Overall Risk
Pred. Model 1 Model 2 Model 3
Sign coef/p-value coef/p-value coef/p-value
Audited REPORT AC ? 0.161
(0.320)
Audited NO REPORT AC ? 0.012
(0.961)
Audited QAR ? 0.131
(0.628)
Audited NO QAR ? -0.037
(0.866)
Audited MTG ? -0.011
(0.957)
Audited NOT MTG ? 0.295
(0.113)
After ? -0.016 -0.032 -0.031
(0.801) (0.579) (0.631)
Audited REPORT AC * After - -0.532
(0.011)
Audited NO REPORT AC * After - -0.472
(0.028)
Audited QAR * After - -0.677
(0.003)
Audited NO QAR * After - -0.234
(0.038)
Audited MTG * After - -0.631
(0.000)
Audited NOT MTG * After - -0.110
(0.253)
Manager Financial Education ? 0.350 0.342 0.345
(0.298) (0.320) (0.234)
Manager is New ? 0.018 0.015 0.024
(0.933) (0.946) (0.901)
IA Value to Manager ? 0.210 0.211 0.184
(0.477) (0.500) (0.525)
Performance ? -0.167 -0.146 -0.147
(0.008) (0.032) (0.029)
Intercept 2.729 2.725 2.732
(0.000) (0.000) (0.000)
Firm Indicators Included Included Included
Number of observations 84 84 84
Adjusted R2 0.521 0.532 0.564
Hypotheses Tests: p-value for difference in
0.858 0.050 0.018
interaction coefficients
We had 21 pairs of audited and non-audited units that provided manager responses about overall risk. The sample
totals 84 to account for before and after audit observations. The p-values (two-tailed) are in parentheses. p-values
are two-tailed unless predicted (one-tailed). See the Variable Appendix for variable definitions.

35

Electronic copy available at: https://ssrn.com/abstract=2970045

Table 4. Supplemental Analyses: Operation Focused Audits and Changes in Overall Performance
Performance
Pred. Model 1 Model 2 Model 3 Model 4
Variable Sign coef/p-value coef/p-value coef/p-value coef/p-value
Operations Audited ? 0.039
(0.918)
Operations Audited REPORT AC ? 0.696
(0.044)
Operations Audited NO REPORT AC ? -0.466
(0.317)
Operations Audited QAR ? 0.017
(0.977)
Operations Audited NO QAR ? 0.125
(0.782)
Operations Audited MTG ? -0.222
(0.662)
Operations Audited NOT MTG ? 0.760
(0.141)
After ? 0.631 0.630 0.649 0.635
(0.003) (0.005) (0.003) (0.003)
Operations Audited * After + 0.488
(0.073)
Operations Audited REPORT AC * After + 0.648
(0.080)
Operations Audited NO REPORT AC *
+ 0.392
After
(0.220)
Operations Audited QAR * After + 1.027
(0.020)
Operations Audited NO QAR * After + -0.108
(0.609)
Operations Audited MTG * After + 0.811
(0.041)
Operations Audited NOT MTG * After + -0.364
(0.829)
Manager Financial Education ? 0.091 0.329 -0.006 0.102
(0.869) (0.568) (0.992) (0.843)
Manager is New ? -0.747 -0.536 -0.818 -0.742
(0.102) (0.219) (0.053) (0.085)
IA Value to Manager ? 0.197 0.252 0.090 0.181
(0.698) (0.562) (0.865) (0.726)
Overall Risk ? -0.672 -0.676 -0.557 -0.646
(0.203) (0.157) (0.263) (0.228)
Intercept 2.361 2.210 2.113 2.285
(0.052) (0.061) (0.052) (0.065)
Firm Indicators Included Included Included Included
Number of observations 76 76 76 76
Adjusted R2 0.350 0.385 0.360 0.355
p-value for difference in interaction
0.724 0.008 0.022
coefficients
In the sample, there are 19 audited units (out of 21 audited units) that had an audit with an operational focus and data on
performance. The p-values (two-tailed) are in parentheses. p-values are two-tailed unless predicted (one-tailed). See the
Variable Appendix for variable definitions.

36

Electronic copy available at: https://ssrn.com/abstract=2970045

 Table 5. Supplemental Analyses: CAE Perspective on Changes in Risk
Panel A. Univariate Differences in Changes in Risks

Audited Non Audited

n Manager Unit n Manager Unit Difference p-value
 Overall Risk 48 -0.583 48 -0.188 -0.395 <0.01
In the sample, CAEs provided an assessment of changes in overall risk for 48 pairs of audited and
non-audited units.
 

Panel B. Linear Regression Results

Overall Risk
Pred.
Sign coef/p-value
Audited ? 0.313
(0.009)
After ? -0.188
(0.037)
Audited * After - -0.396
(0.003)
Intercept 3.063
(0.000)
Firm Indicators Included
Number of observations 192
Adjusted R2 0.441
CAEs provided responses about overall risk for 48 pairs of audited and non-audited units
that provided manager responses about overall risk. The sample totals 192 to account for
before and after audit observations. The p-values are in parentheses. P-values are two-
tailed unless predicted (one-tailed). See the Variable Appendix for variable definitions.

37

Electronic copy available at: https://ssrn.com/abstract=2970045

 Appendix A
Definition of Variables Included in the Regression Models

Variable Name Definition

One if the observation relates to the period after the audit;
After
zero otherwise
One if the observation relates to a response about an
Audited
audited unit; zero about a non-audited unit
One if the observation relates to a response about a unit
Audited REPORT AC
audited by IAF that reports to AC; zero otherwise
One if the observation relates to a response about a unit
Audited NO REPORT AC
audited by IAF that does not report to AC; zero otherwise
One if the observation relates to a response about a unit
Audited QAR
audited by IAF that had a recent QAR; zero otherwise
One if the observation relates to a response about a unit
Audited NO QAR audited by IAF that had not had a recent QAR; zero
otherwise
One if the observation relates to a response about a unit
Audited MTG
audited by IAF that is used as a MTG; zero otherwise
One if the observation relates to a response about a unit
Audited NO MTG
audited by IAF that is not used as a MTG; zero otherwise
One if the manager fully agrees to the statement that IA
IA Value to Manager adds value to a unit when audited; zero otherwise Answers
can scale from 1 (Fully Disagree) to 7 (Fully Agree).
Number of IA recommendations that were implemented
Implemented Recommendations divided by total number of IA recommendations (the value
is zero for responses about non-audited units)
One if the unit manager has financial/accounting
Manager Financial Education
background; zero otherwise
One if the unit manager has been in the position for <= 3
Manager is New
years; zero otherwise
One if the observation relates to a response about an
Operations Audited audited unit that had an operating focused audit; zero
otherwise.
Overall Risk  Overall risk (scale of 1/very low to 5/very high)
Overall Performance (scale of -3/ significantly below
Performance
average to +3/significantly above average)

38

Electronic copy available at: https://ssrn.com/abstract=2970045

 Appendix B
Comparison of Responses between CAE and Heads of Audited and Non-Audited Units

Panel A: Comparison of Responses for CAE and Heads of Audited Units

CAE Manager
Risk Item Mean Mean Difference p-value
 Operating Risk -0.429 -0.786 0.357 0.266
 Financial Risk -0.555 -0.333 -0.222 0.347
 Compliance Risk  -0.3 -0.5 0.2 0.168
 Overall Risk -0.643 -0.5 -0.143 0.165

All p-values are two-tailed. Paired t-tests were conducted to test differences in means. For each
measure, we had the following n: 14 pairs for change in operating risk, 9 pairs for change in
financial risk, 10 pairs for change in compliance risk, and 14 pairs for change in overall risk.
Please see Variable Appendix for variable definitions.

Panel B: Comparison of Responses for CAE and Heads of Non-Audited Units

CAE Manager
Risk Item Mean Mean Difference p-value
 Operating Risk -0.091 0 -0.091 0.588
 Financial Risk -0.091 0.091 -0.182 0.167
 Compliance Risk  -0.1 -0.2 0.1 0.678
 Overall Risk 0 -0.077 0.077 0.585

All p-values are two-tailed. Paired t-tests were conducted to test differences in means. For each
measure, we had the following n: 11 pairs for change in operating risk, 11 pairs for change in
financial risk, 10 pairs for change in compliance risk, and 13 pairs for change in overall risk.
Please see Variable Appendix for variable definitions.

39

Electronic copy available at: https://ssrn.com/abstract=2970045