Professional Documents
Culture Documents
Sarens 2006
Sarens 2006
www.emeraldinsight.com/0268-6902.htm
Internal auditors’
Internal auditors’ perception perception in risk
about their role in risk management
management
63
A comparison between US
and Belgian companies
Gerrit Sarens and Ignace De Beelde
Faculty of Economics and Business Administration,
Department of Accounting and Corporate Finance,
Ghent University, Ghent, Belgium
Abstract
Purpose – The purpose of this paper is to describe and compare in a qualitative way how internal
auditors perceive their current role in risk management within US and Belgian companies.
Design/methodology/approach – In order to get adequate data, Chief audit executives from 10
different companies were interviewed and relevant documents were analyzed.
Findings – In the Belgian cases, internal auditors’ focus on acute shortcomings in the risk
management system creates opportunities to demonstrate their value. Internal auditors are playing a
pioneering role in the creation of a higher level of risk and control awareness and a more formalized
risk management system. In the US cases, internal auditors’ objective evaluations and opinions are a
valuable input for the new internal control review and disclosure requirements mentioned in the
Sarbanes Oxley Act.
Research limitations/implications – Given the qualitative nature of this study, generalization to
all Belgian and US companies is not possible. The time specific character of the subject is an
opportunity for future longitudinal research.
Practical implications – In Belgium, the internal auditing profession is actually in a kind of “transition
phase”. In order to survive this transition phase, internal auditors need to assume a “teaching role”
vis-à-vis the different management levels to make them aware of their responsibilities in risk management.
After this transition period, internal auditors will be able to focus more on their core activities.
Originality/value – In addition to a number of quantitative studies, this paper extends in a
qualitative and comparative way the understanding of the specific role of internal auditors in risk
management within US and Belgian companies.
Keywords Auditors, Auditing, Risk management, United States of America, Belgium
Paper type Research paper
A first draft of this paper was presented at the 3rd European Academic Conference on Internal
Audit and Corporate Governance, 7-8 April 2005 (Cass Business School, London).
A second draft of this paper was presented at the 28th Annual Conference of the European
Accounting Association, 18-20 May 2005 (Gothenburg).
The authors appreciate the comments and suggestions on earlier drafts of this paper received
from Andrew Chambers (London South Bank University), Mahbub Zaman (University of
Managerial Auditing Journal
Manchaster), Rogier Deumes (University of Maastricht), Abigail Levrau (Vlerick Leuven Gent Vol. 21 No. 1, 2006
Management School), Tom Baelden (Vlerick Leuven Gent Management School), Ann pp. 63-80
q Emerald Group Publishing Limited
Vanstraelen (University of Antwerp and University of Maastricht) and Patricia Everaert 0268-6902
(Ghent University). DOI 10.1108/02686900610634766
MAJ Introduction
21,1 By stating that the internal audit activity should evaluate and contribute to the
improvement of risk management, control and governance, The Institute of Internal
Auditors, IIA (2004) recognizes the assurance and consulting role of internal auditors
in corporate governance. Until now, no empirical research on the role of internal
auditors in risk management (including internal control) has been conducted within a
64 Belgian context. In this study, we elaborate in more detail how internal auditors
perceive their current role in risk management within the specific Belgian context,
where internal auditing is still a relatively young profession and where many (large)
companies have recently established an internal audit function. Moreover, it is
important to notice that the Belgian environment is different from the Anglo American
environment where the internal auditing profession is more developed and where listed
companies are subject to more stringent corporate governance regulations. By
incorporating four Belgian subsidiaries of US listed companies in this study, we are
able to investigate the influence of the Sarbanes Oxley Act (2002) on internal auditing
practices and compare this with internal auditing practices in an emerging corporate
governance context. Therefore, this study is a response to Scarbrough et al.’s (1998) call
for studies to be undertaken in different jurisdictions with different corporate
governance requirements.
In this study, we interviewed Chief audit executives in 10 different large
manufacturing and service companies located in Belgium and collected relevant
documents in order to provide an adequate qualitative view of the role of internal
auditors in risk management and marked differences between Belgian companies
(emerging corporate governance context) and Belgian subsidiaries of US companies
(established corporate governance context).
This paper is structured as follows. The next section outlines the necessary
theoretical background on risk management. The third section deals with the role of
internal auditors in risk management and gives an overview of the existing
empirical studies in this area. The fourth section focuses on the methodology,
followed by the fifth section with the results of our interviews and document
analysis. The final section formulates conclusions, discusses the practical
implications and outlines some major limitations of this study combined with
suggestions for future research.
Methodology
The motivations for this study reflect a desire to enrich and extend our understanding
of the specific role of internal auditors in risk management. The relative lack of
68 qualitative and descriptive research in this area indicates that our research approach
was an appropriate and even indispensable way to investigate this topic. Moreover,
Vinten (1996) stimulates the use of qualitative research, as this is more in tune with the
nature of the profession.
The selection of the companies for this study was theoretically driven, not by a
concern of representativeness, as we did not want to generalize the findings to other
settings. More specifically, the selection of the companies was based on two criteria.
Previous research and anecdotal evidence has revealed that the total amount of
potential wealth transfers, and thus the related benefits from undertaking monitoring,
increases with firm size. Moreover, the opportunity to obtain economies of scale
through the establishment of an internal audit department also increases with firm size
(Chow, 1982; Parkinson, 2004). Therefore, we controlled for firm size and selected
companies with at least 1,000 employees. Furthermore, we included four subsidiaries of
US companies listed on the New York Stock Exchange, because of our interest in
specific differences between Belgian companies (called hereafter “the Belgian cases”)
and US linked companies (called hereafter “the US cases”). It is important to notice that
we did not take into account the age and size of the internal audit department when
selecting companies. Table I gives an overview of the ten companies:
Similar to Page and Spira (2004) in the UK, we conducted in depth interviews with
the Chief audit executive in each of the 10 companies. The interviews lasted from 60 to
90 minutes, were tape recorded and transcribed immediately after the interview took
place[2]. The valuable insights from six preliminary interviews formed a basis to
develop a more structured and focused interview guide for this specific study on the
role of internal audit in risk management.
After explaining the purpose of this study, the interview started with some general
questions about the number of internal auditors, the functional and administrative
reporting relationships, the content of the audit charter, the input for the audit
planning, the distribution of working time and the disclosure of risk and internal
control statements. The next part of the interview focused on the stage of development
of the risk management system and the possible role of internal auditors in the
implementation or improvement of a formal risk management system. The major part
of the interview dealt with the specific role of internal auditors in risk assessment, risk
management through internal controls and risk and internal control communication.
We were interested in the purpose of their involvement and asked for specific
examples. To round off the interview, their expectations for the (near) future were
discussed.
In order to triangulate the interview data, we used archival data, like the internal
audit charter, the audit committee charter, the internal audit planning, risk and control
assessment questionnaires, risk and control assessment reports (e.g. matrices), internal
audit reports, audit quality surveys and risk and internal control disclosures from the
annual report (where applicable), obtained from the interviewees.
Company Origin Sector Employeesa Listing Age IA function Number of internal auditorsb
1 Belgium Manufacturing .10,000 Euronext Brussels 10 years (mature) 7 (medium-sized audit shop)
2 US Manufacturing .10,000 New York Stock Exchange 25 years (mature) 120 (large audit shop)
3 Belgium Services .10,000 Euronext Brussels 10 years (mature) 20 (large audit shop)
4 Belgium Manufacturing 5,000-10,000 Euronext Brussels 7 years (relatively mature) 2 (small audit shop)
5 US Manufacturing .10,000 New York Stock Exchange 10 years (mature) 6 (medium-sized audit shop)
6 US Services .10,000 New York Stock Exchange 30 years (mature) 50 (large audit shop)
7 US Services .10,000 New York Stock Exchange 35 years (mature) 14 (large audit shop)
8 Belgium Manufacturing 1,000-5,000 Euronext Brussels 15 years (mature) 1 (small audit shop)
9 Belgium Manufacturing 1,000-5,000 Euronext Brussels 2 years (start-up) 2 (small audit shop)
10 Belgium Services 1,000-5,000 Euronext Brussels 3 years (start-up) 1 (small audit shop)
Notes: aThis refers to the number of employees in those entities that fall under the working area of the internal auditors; bFor subsidiaries of US
companies internal auditors often performs audits in several (Western) European entities
management
Internal auditors’
companies
Overview of the
perception in risk
69
Table I.
MAJ While interview data may enhance construct validity by studying phenomena in their
21,1 natural context, it is suggested by Lillis (1999) to use a systematic analytical protocol to
enhance the reliability of our results. More specifically, we referred to the most
important steps from the analytical protocol suggested by Miles and Huberman (1994).
First, all interview transcripts and archival documents were coded. Next, we structured
and summarized the insights of each company in order to get an overview of the most
70 remarkable insights. These insights were submitted to an IIA round table for early
feedback[3]. The “translation” of these insights into a standardized and comparable
matrix was an important tool to facilitate cross company analysis. Finally, we
compared the ten companies in order to discover certain patterns and reassure
ourselves that conclusions from one company were not idiosyncratic.
The fifth section discusses in detail the results of our empirical work, structured
around the differences between both corporate governance contexts.
Empirical results
General insights on risk management systems in the US cases
In all US cases, we see a well developed risk management system and a high overall
focus on risks and internal controls. In these cases, the risk management methodology
is formalized, standardized, transparent and documented. On the one hand, these
companies use their own developed risk assessment methodology, in most cases
consisting of questionnaires resulting in a company specific risk matrix. On the other
hand, the internal control methodology is to a large extent based on the COSO
framework (1992), as strongly recommended by the SOX act. As a consequence of the
strong SOX influence, there is a higher level of risk and control awareness in these
companies. Most people in the US cases are convinced that “without a good internal
control system, you are not able to reach your business objectives, that is simply
impossible”. All board, audit committee and management responsibilities related to
risk management and internal controls are clearly defined in and communicated
through internal control policies, audit committee charters, company websites (intranet
and internet) and annual reports. Moreover, all these US companies (recently)
developed, in most cases at high corporate level, separate risk management functions
independent from the internal audit function. These functions focus on the most
important strategic and financial risks and are often involved in risk assessment
activities.
The specific role of internal auditors in risk management in the Belgian cases
After analyzing the six Belgian cases, it becomes clear that in four cases the internal
audit department can be considered as a “small audit shop” consisting of only one or
two internal auditors. It is stressed by the interviewees that limited resources (e.g.
budget for personnel, operational costs and training) are an important constraint for
their possibilities to play a significant role in risk management: “when you don’t get
enough resources, you will never be able to work thoroughly”. Although internal
auditors have good and ambitious intentions, it is hard to convince people in these
organizations of the value of the internal audit function. This can be linked with the
fact that internal auditing is a relatively “new” profession in Belgium, especially
when compared with the US or UK. The majority of (large) Belgian companies have
recently created an internal audit function (cf. cases nine and ten). As a consequence
of recent changes in national and international corporate governance regulations the
internal audit function gets now more attention and support from the board and
management, which certainly creates new opportunities for them to become a
significant player.
Although until now there is no obligation for companies listed on Euronext Brussels
to disclose internal control statements, in four of the six Belgian cases the board
(including the audit committee) and top management are preparing themselves for
compliance with such disclosure requirements in the (near) future. In these cases,
internal auditors are (again) playing a pioneering role. Internal auditors have recently
started, similar to their US colleagues, to sporadically provide overall assessments and
reports on the internal control system in order to anticipate these future disclosures
and create more awareness for this topic on behalf of top management and the board.
As our interviewees expect that a next revision of the recently published Belgian Code
on Corporate Governance[4] will contain more clear requirements for internal control
disclosures, the importance of the assurance role of internal auditors in Belgium is
expected to increase in the (near) future.
Concerning the evolution towards a greater financial focus in the internal audit Internal auditors’
work, the six Belgian cases can be divided into two categories. In a first group of three perception in risk
cases, we do not see an important shift in the internal auditors’ work. These
interviewees stressed that in the past, present and future they look at all segments of management
internal controls, including procedures and controls related to financial reporting and
financial controls. In a second group, we generally see an enhanced attention to the
quality of the financial reporting. Similarly to the majority of US cases, these internal 75
auditors have recently paid more attention to financial and accounting aspects. This
shift can be considered as a part of their pioneering role in relation to expected
disclosure requirements in the (near) future.
For the Belgian cases, internal auditors’ consulting role in risk management can be
linked to the global stage of development of the risk management system. In the two
cases with a (strongly) formalized risk management system, internal auditors’
consulting role in risk management is very limited. In the four other cases without a
(completely) formalized risk management system on corporate level, their consulting
role is much more elaborated. In these cases, internal auditors’ proactive involvement
in the development and improvement of internal controls is considered as an important
aspect of their pioneering role. Internal auditors play a valuable role because they
actively enhance risk and control awareness on behalf of the management. They
should realize that internal control is an integral part of their responsibilities, because
“some management levels do not realize that they are responsible for internal controls.
Currently, this is one of the major stumbling blocks”. By focusing on these acute
shortcomings, internal auditors have great opportunities to demonstrate their value in
the short run by enhancing the level of formalization, standardization, transparency
and documentation. Their attention to the link between risks and internal controls
makes them an important player in risk management. Especially in those Belgian cases
without a formalized and standardized risk management system, risk and internal
control communication is a crucial aspect of internal auditors’ pioneering role.
Table II summarizes the general and country specific roles of internal auditors in
risk assessment, risk management and risk and internal control communication.
The final section of this paper summarizes the most important conclusions,
discusses the implications of our results for the internal audit profession, mentions
some limitations of this study and ends with suggesting interesting topics for future
research in this area.
Notes
1. GAIN, which stands for Global Audit Information Network, is a network of Chief audit
executives who share benchmarking data and receive periodic benchmarks for similar audit
activities. The audit functions pay a fee to belong to GAIN and therefore are not random
members. However, the IIA has worked diligently to keep costs down and therefore the
GAIN database is fairly representative of their constituency. For further information, please
visit: www.theiia.org/index.cfm?doc_id ¼ 4865.
2. These steps in the data collection procedure were performed by research assistants. They
had the necessary background on the research topic and were sufficiently briefed in advance
related to the specific objectives of this study. A closed interview guide was used in order to
minimize interviewer bias. Moreover, interviews were transcribed literally so no information
could get lost.
3. The researcher actively contributed to a round table on risk management in small audit Internal auditors’
shops organized by the Belgian chapter of the IIA (18 January, 2005).
perception in risk
4. A first draft of the Belgian Code on Corporate governance, the so-called Code Lippens, was
published on the 18th of June 2004. After a successful public consultation period, the final management
version was published on the 9th of December 2004. The full text of this Code can be found
at: www.commissiecorporategovernance.be.
79
References
Allegrini, M. and D’Onza, G. (2003), “Internal auditing and risk assessment in large Italian
companies: an empirical survey”, International Journal of Auditing, Vol. 7 No. 3,
pp. 191-208.
Cenker, W.J. and Nagy, A.L. (2004), “Section 404 implementation. Chief audit executives navigate
uncharted waters”, Managerial Auditing Journal, Vol. 19 No. 9, pp. 1140-7.
Chambers, A.D. (2000), “Internal audit and risk management: impact on internal audit –
development or revolution?”, Internal Control Newsletter, No. 32, pp. 3-7.
Chow, C.W. (1982), “The demand for external auditing: size, debt and ownership influences”, The
Accounting Review, Vol. 57 No. 2, pp. 272-91.
Committee of the Sponsoring Organizations of the Treadway Commission (1992), Internal
Control Integrated Framework (COSO Report), AICPA, New York, NY.
KPMG (1999), “Transforming internal audit from its compliance role into a strategic
organizational tool”, available at: www.kpmg.com
KPMG (2002), “Corporate governance in Europe: survey 2001/2002”, available at: www.kpmg.
com
Krogstad, J.L., Ridley, A.J. and Rittenberg, L.E. (1999), “Where we’re going”, Internal Auditor,
Vol. 56 No. 5, pp. 26-33.
Leung, P., Cooper, B.J. and Robertson, P. (2003), The Role of Internal Audit in Corporate
Governance, The Institute of Internal Auditors Research Foundation, RMIT University,
Australia.
Lillis, A.M. (1999), “A framework for the analysis of interview data from multiple field research
sites”, Accounting and Finance, Vol. 39 No. 1, pp. 79-105.
Maijoor, S. (2000), “The internal control explosion”, International Journal of Auditing, Vol. 4 No. 1,
pp. 101-9.
Miles, M.B. and Huberman, A.M. (1994), Qualitative Data Analysis, 2nd ed., Sage Publications,
London.
Morgan, G. (1979), “Internal audit role conflict: a pluralist view”, Managerial Finance, Vol. 5 No. 2,
pp. 160-70.
Paape, L., Scheffe, J. and Snoep, P. (2003), “The relationship between the internal audit function
and corporate governance in the EU – a survey”, International Journal of Auditing, Vol. 7
No. 3, pp. 247-62.
Page, M. and Spira, L.F. (2004), The Turnbull Report, Internal Control and Risk Management:
The Developing Role of Internal Audit, The Institute of Chartered Accountants of Scotland.
Parkinson, M. (2004), “A strategy for providing assurance”, Internal Auditor, Vol. 61 No. 6,
pp. 63-8.
Power, M. (2004), “The nature of risk: the risk management of everything”, Balance Sheet, Vol. 12
No. 5, pp. 19-28.
MAJ PricewaterhouseCoopers (2005), “Eight annual global CEO survey”, available at: www.
pwcglobal.com
21,1 Sarbanes Oxley Act (2002), 170th Congress of the United States of America, at the Second
Session, 23rd of January 2002.
Scarbrough, D.P., Rama, D.V. and Raghunandan, K. (1998), “Audit committee composition and
interaction with internal auditing: Canadian evidence”, Accounting Horizons, Vol. 12 No. 1,
80 pp. 51-62.
Selim, G. and McNamee, D. (1999a), “Risk management and internal auditing: what are the
essential building blocks for a successful paradigm change”, International Journal of
Auditing, Vol. 3 No. 2, pp. 147-55.
Selim, G. and McNamee, D. (1999b), “Risk management and internal auditing relationship:
developing and validating a model”, International Journal of Auditing, Vol. 3 No. 3,
pp. 159-74.
Spira, L.F. and Page, M. (2003), “Risk management: the reinvention of internal control and the
changing role of internal audit”, Accounting, Auditing & Accountability Journal, Vol. 16
No. 4, pp. 640-61.
The Institute of Chartered Accountants in England and Wales (1999), “Internal control: guidance
for directors on the combined code (The Turnbull Report)”, available at: www.frc.org.uk/
corporate/internalcontrol.cfm
The Institute of Internal Auditors (2004), “International standards for the professional practice of
internal auditing”, available at: www.theiia.org/?doc_id ¼ 1499
UK Financial Reporting Council (1998), “The combined code on corporate governance”, available
at: www.frc.org.uk/corporate/combinedcode.cfm
Vinten, G. (1996), Internal Audit Research: The First Half Century, Certified Accountants
Educational Trust, London.
Corresponding author
Gerrit Sarens is the corresponding author.