International Journal of Auditing

Int. J. Audit. 13: 43–60 (2009)

Identifying Organizational Drivers

of Internal Audit Effectiveness
Marika Arena and Giovanni Azzone
Politecnico di Milano, Italy

This study attempts to understand the organizational drivers of

internal audit effectiveness in the light of recent changes in the
‘mission’ of internal auditing and its central role in corporate
governance. On the basis of data from 153 Italian companies,
our survey shows that the effectiveness of internal auditing is
influenced by: (1) the characteristics of the internal audit team,
(2) the audit processes and activities, and (3) the organizational
links. Internal audit effectiveness increases in particular when
the ratio between the number of internal auditors and
employees grows, the Chief Audit Executive is affiliated to
the Institute of Internal Auditors, the company adopts control
risk self-assessment techniques, and the audit committee is
involved in the activities of the internal auditors.

Key words: Internal audit, audit committee, corporate

governance, audit quality

SUMMARY hypotheses following the latest literature. The data

In recent years, the role of internal auditing (IA)
in corporate governance has received increasing
attention, due to its links to the internal control-risk
management system. Internal auditors have
exploited this renewed interest by transforming
their functions and extending their areas of
involvement to risk management, control and
governance processes. Such changes have had the
aim of increasing the value added by IA to
organizations. However, this change also requires
a redesigning of IA processes, competencies and
roles.
This study provides empirical evidence of the
organizational choices that could help improve the
effectiveness of IA. We have defined how to
measure IA effectiveness and identified research
Correspondence to: Marika Arena, Dipartimento di Ingegneria
Gestionale, Politecnico di Milano, Piazza Leonardo da Vinci, 32,
Milan, Italy. Email: marika.arena@polimi.it
used to test the hypotheses were collected through
a questionnaire, which was sent to 364 Italian
companies, and a response rate of 47% was obtained.
The data analysis showed that IA effectiveness
is influenced by: (1) the characteristics of the IA
team, (2) the audit processes and activities, and (3)
the organizational links. IA effectiveness increases
in particular when: the ratio between the number
of internal auditors and employees grows, the
Chief Audit Executive is affiliated to the Institute
of Internal Auditors (IIA), the company adopts
control risk self-assessment techniques, and the
audit committee is involved in the activities of the
internal auditors.
These results have both practical and theoretical
implications. The paper first suggests that IA
professional bodies should re-design the set of
skills and competencies needed for their
profession, consistent with the evolution that is
currently taking place in the role of IA within
organizations. Furthermore, particular attention

ISSN 1090-6738
© 2009 Blackwell Publishing Ltd, 9600 Garsington Rd, Oxford OX4 2DQ,
UK and Main St., Malden, MA 01248, USA.
44
should be paid to defining the organizational
position of the IA unit, since this can influence
its effectiveness. On the theoretical side, this
paper highlights the limitations of studying IA
effectiveness on its own and highlights the need
to consider the diverse set of organizational links
which could influence internal auditing.
INTRODUCTION
Over the last few years, scholars and practitioners
have acknowledged that internal auditing (IA)
should undergo a major change in order to ‘add
more value’ to a company. For this reason, IA
has been extending its area of involvement, from
more traditional accounting and financial control,
to operational control and to risk management
and corporate governance (Institute of Internal
Auditors, 1999; Spira & Page, 2003). Recent
contributions have stressed how IA can act to
achieve this aim. First, it can make line managers
conscious of their responsibility concerning risks
and controls (see, for instance, COSO, 2004; the
Turnbull Report, 1999). Second, it can act as a
consultant that monitors risks, identifies
weaknesses in control systems and facilitates the
implementation of enterprise risk management
(ERM) (Leithhead, 1999; Lindow & Race, 2002; Spira
& Page, 2003; Matyjewicz & D’Arcangelo, 2004; Page
& Spira, 2004; Beasley et al., 2005; Sarens & De
Beelde, 2006a; Fraser & Henry, 2007). Third, it can
aid the audit committee (AC) and external auditors
in their duties, especially when the AC is in charge
of monitoring the internal control system
(Goodwin, 2003; Gramling et al., 2004; Mat Zain &
Subramaniam, 2007).
Empirical evidence of the efforts of IA to take
on these new roles has been provided in research
from different countries. In the USA and Australia,
recent research has highlighted a paradigmatic
shift in the activities performed by internal
auditors, which is coherent with the definition of
the IIA1 (see, for instance, Bou-Raad, 2000; Nagy &
Cenker, 2002; Cooper et al., 2006; Hass et al., 2006;
Burnaby & Hass, 2008). In Europe, the situation is
still very diversified. However, there are several
signs of the IA attempting to extend its area of
involvement (see, for instance, Melville, 2003;
Paape et al., 2003; Sarens & De Beelde, 2006a).
According to the results of the recent CBOK project,
over the last few years, IA activities in European
companies have increasingly been focusing on
consulting, governance, IT and management
© Blackwell Publishing Ltd. 2009
M. Arena and G. Azzone
audits, while reducing resources used for
compliance and financial audits (Allegrini et al.,
2008). In Italy, where this research was carried out,
the same trend is being followed (see, for instance,
Allegrini & D’Onza, 2003; Arena et al., 2006).
This change in the ‘mission’ of IA should lead
companies to a simultaneous and consistent
‘redesigning’ of its processes, skills and roles.
Unfortunately, there is still a lack of knowledge
about the organizational dimensions a company
should act on and how it should modify them in
order to improve the ‘added value’ of IA.
This paper is an attempt to help answer these
questions, through the analysis of the organizational
drivers that influence the effectiveness of IA. We
have defined how to measure such IA effectiveness
and identified research hypotheses according to
the state of the art in the literature (see next section).
The data used to test the hypotheses were collected
through a questionnaire, which was sent to 364
Italian companies and a response rate of 47% was
obtained.
The paper is structured as follows. The next
section contains the research hypotheses. The
following section presents the research
methodology, defines the main variables and how
to measure them and also clarifies how the survey
was conducted. Then the main results are described
and the final section discusses the results and their
implications.
FORMULATING THE HYPOTHESES
The conceptual model tested in this work is
summarized in Figure 1. The effectiveness of IA
is linked to three sets of items that group the
main organizational dimensions: resources and
competencies of an IA team, activities and
processes performed and organizational role. These
dimensions emerged in prior research as relevant
elements that characterize an IA unit (see, for
instance, Cooper et al., 1996; Al-Twaijry et al., 2003;
Paape et al., 2003; Tettamanzi, 2003; Kwon & Banks,
2004) and potentially have an impact on IA
effectiveness, as discussed below.
Resources and competencies of the internal
audit team
A preliminary condition for IA to be able to do its
duties is the availability of a sufficiently large
number of skilled professionals (see, for instance,
Turnbull, 1999).
Int. J. Audit. 13: 43–60 (2009)
Identifying Organizational Drivers of Internal Audit Effectiveness
Resources and
competencies of an
IA team
Processes and
activities:
Involvement of IA in
risk management
Organizational role:
level of interaction
between IA and AC
Figure 1: The model.
The size of an IA team, one of the key criteria
used by external auditors to evaluate its quality
(see, for instance, Felix et al., 2001; Al-Twaijry et al.,
2004, Mat Zain et al., 2006), clearly determines the
amount of time that internal auditors can dedicate
to auditing activities. Furthermore, in a larger
team, there could be a higher rotation of auditors,
which could lead to more objectivity. Gul &
Subramaniam (1994) showed that when auditors
are more acquainted with auditees they are less
objective in the case of managerial conflicts.
Hence, we can formulate the first research
hypothesis:
H1: IA effectiveness is positively related to the
size of the IA team.
Auditors’ competencies are also potentially
relevant and are taken into account by external
auditors to determine their reliance on IA work
(Gibbs & Schroeder, 1979; Clark et al., 1981; Messier
& Schneider, 1988; Maletta, 1993; Gramling &
Myers, 1997; Felix et al., 2001; Al-Twaijry et al.,
2004). Skilled auditors are more able to provide
advice to improve the internal control system
(Brody et al., 1998; Mat Zain et al., 2006), to complete
audits, to find consistent solutions based on
previous experiences and to deal with complex and
conflicting situations (Flesher & Zanzig, 2000; Mat
Zain et al., 2006).
© Blackwell Publishing Ltd. 2009
45
+
+ IA
Effectiveness
+
The auditors’ competencies can also increase the
effectiveness of the IA team by improving the
recognition of their role within the organization.
Previous studies underlined that line managers
often believe that internal auditors do not have
enough knowledge to provide useful help
(Griffiths, 1999; Van Peursem, 2004, 2005) and, if
this is the case, they do not take into account their
advice, hence reducing the effectiveness of IA (Van
Peursem, 2004, 2005).
According to this, we can formulate the second
research hypothesis:
H2: IA effectiveness is positively related to the
competencies of the internal auditors.
Processes and activities: involvement of IA
in risk management
The change in perspective of IA over the last few
years has already been discussed. Roughly
speaking, we can distinguish between a ‘traditional
internal audit’, focused on compliance and
monitoring, and a ‘new internal audit’, which is
focused on improving corporate performance
(Bou-Raad, 2000). ‘Traditional IA’ examines
whether line managers, in trying to reach their
objectives, respect corporate boundaries (Simons,
1994) and it could, in the short term, reduce
efficiency and profitability, i.e. the main
Int. J. Audit. 13: 43–60 (2009)
46
performances that measure the results of line
managers. Owing to its links to risk management,
‘new IA’ helps managers understand what could
prevent them from reaching expected targets
(see, for instance, COSO, 2004; Matyjewicz &
D’Arcangelo, 2004; Beasley et al., 2005; Jackson,
2005). According to the IIA Position Statement
(2004), the core role of IA in ERM is to ‘provide
objective assurance to the board on the
effectiveness of an organization’s ERM activities to
help ensure key business risks are being managed
appropriately and that the system of internal
control is operating effectively’. Furthermore,
internal auditors can provide consulting services to
assist the organization in identifying, evaluating,
and implementing risk management
methodologies and controls to address significant
risks (Practice Advisory 2110-1). However, there
are also some roles that internal auditors should
not undertake, because they could impair their
objectivity and independence, such as setting the
risk appetite or taking decisions on risk responses,
etc. (For a discussion on the role of IA in ERM, see
the IIA Position Statement, 2004.)
While recognizing the need for internal auditors
to avoid inappropriate involvement in risk
management, there is evidence in the literature
of the benefits related to internal auditors’
participation in certain risk management tasks.
In fact, by monitoring the internal control system
implanted to manage risks, the IA can provide
feedback concerning the effectiveness of such
controls, and therefore help managers to reach their
objectives. Sawyer (2003) underlines that an effort to
clarify the link between risks and controls improves
the quality of audit reports. De La Rosa (2005) claims
there is a need for integration between audit reports
and ERM results so that auditors can help line
managers to understand the weaknesses of internal
controls and hence improve communication
between auditors and auditees (Melville, 1999). A
few analyses concerning managers’ expectations
towards IA confirm this point. Griffiths (1999)
underlines that several Chief Finance Officers
(CFOs) consider risk management as one of the
most important activities of IA, even though there is
general dissatisfaction about the capacity of internal
auditors in this field. Analysing CEOs’ and CFOs’
perceptions of the role of IA, Sarens & De Beelde
(2006b) stress that top managers expect internal
auditors to assist them to formalize risk
management systems and to create a reasonable
level of awareness about risks and controls.
© Blackwell Publishing Ltd. 2009
M. Arena and G. Azzone
Hence, we can formulate the third research
hypothesis:
H3: IA effectiveness is positively related to the
involvement of internal auditors in risk
management.
Organizational role: interaction between
internal audit and the audit committee
The position of IA in an organization is bounded; it
is a corporate unit that should have a large amount
of autonomy and independence in order to
perform its activities in a proper manner. A key
decision about the organizational role of IA
concerns its relationship with the audit committee
(AC).
Growing interest in corporate governance has
lead a few scholars to explore such a link (see, for
instance, Scarbrough et al., 1998; Goodwin & Yeo,
2001; Raghunandan et al., 2001, Goodwin, 2003). IA
and the AC are two different control bodies: IA
operates within the organization, while the AC is
made up of members of the Board of Directors.
These two bodies, however, have related purposes:
one of the objectives of the AC is to monitor and
evaluate the internal control system, which is also
the primary goal of the IA team (see, for instance,
COSO, 1992; Blue Ribbon Committee, 1999;
Combined Code, 2003).
A real interaction between IA and AC is very
important for both (Raghunandan et al., 1998;
Bishop et al., 2000; Goodwin, 2003) and, in fact,
many guidelines and standards (BRC, 1999; SEC,
IIA, 2000) promote such cooperation. Furthermore,
some scholars stress its importance for the
performance of audit committees (see, for instance,
Raghunandan et al., 1998).
Focusing on IA, the interaction with the AC
makes information exchange and data availability
easier (Raghunandan et al., 1998; Bishop et al., 2000;
Walker, 2004; Mat Zain et al., 2006). The AC
monitoring of IA could also help identify problems
in IA itself and offer opportunities for
improvement.
If IA reports to the AC, its role within the
organization is also reinforced and the
communication of managerial problems to the top
levels of the company is helped (Braiotta, 1999;
Goodwin & Yeo, 2001). Professional standards
underline that ‘The chief audit executive should
report to a level within the organization that
allows the internal audit activity to fulfil its
Int. J. Audit. 13: 43–60 (2009)
Identifying Organizational Drivers of Internal Audit Effectiveness 47

responsibilities’ (Attribute Standard 1110, IIA,

Table 1: List of different industries involved in the
2000). This is also acknowledged by CEOs. In an study
Australian survey, Cooper et al. (1994) claimed that
more than a half of the interviewed CEOs stated Industry No. of % of
that the IA had to report to the audit committee. respondents respondents
Other studies mention that a close link between Bank and Insurance 43 28.1
the AC and IA can promote the role of the latter Automotive 4 2.6
within the organization (Goodwin & Yeo, 2001; Aviation 1 0.7
Raghunandan et al., 2001; Goodwin, 2003), increase Building 4 2.6
its opportunity to suggest improvement actions Chemicals and Drugs 6 3.9
Distribution 5 3.3
and to see them implemented in practice (unsolved Electric and optical 6 3.9
problems would in fact be communicated to the AC appliance
and then to the CEO). Fashion and luxury 4 2.6
Hence, our last research hypothesis is: Food and drinks 7 4.6
Glass 1 0.7
H4: IA effectiveness is positively related to a Health care 1 0.7
close link between the IA and the audit Holding 5 3.3
committee. Hotels and catering 2 1.3
ICT 10 6.5
Mechanical 7 4.6
RESEARCH METHOD Media and entertainment 7 4.6
Metal sector 2 1.3
Sampling and conduct of survey Oil and gas 6 3.9
Paper production 2 1.3
The data collection was based on a survey of the
Plant engineering 3 2.0
largest companies in Italy. The initial sample Publishing 3 2.0
targeted the top 300 Italian companies Real estate 1 0.7
(Mediobanca, 20032) and included a few financial Rubber 2 1.3
holdings. To make the sample more consistent, Textile 4 2.6
we replaced the holding companies with their Transport 7 4.6
operational subsidiaries, ending up with 364 Utilities 10 6.5
Total respondents 153 100.0
organizations, competing in a wide range of
activities (manufacturing, bank and insurance,
utilities, etc.). The resulting sample was also
diversified in terms of listing choices and included the questionnaire. The respondents had the option
both listed and unlisted organizations. of answering an e-mailed electronic copy of the
The survey design was based on questions that questionnaire or a hard copy, sent by fax. After the
could be easily answered by the target-respondents first contact, the researchers made two reminder
(the CAEs) and which would limit possible phone calls.
framing effects. In order to develop the tool for A total of 170 questionnaires were collected, with
the data collection correctly, the questions an overall response rate of 47%, but 17 were
were previously discussed with some CAEs to excluded because some questions had not been
understand how the respondents would interpret answered, leading to an actual response rate of 42%
the questions. In addition, the questionnaire (153 usable questionnaires). The respondents’
was first tested in some companies before being distribution, in terms of industry field, is presented
distributed to the whole sample; the pilot test led to in Table 1.
a few changes in order to make the questions more Two procedures were used to assess the
understandable. non-response bias. First, a control of the ‘reasons
Before delivering the questionnaires, telephone for non-response’ was performed (see Krumwiede,
calls were used to confirm whether the companies 1998). This information was collected through
had an IA department. Sixty organizations from the follow-up phone calls, in which it was asked why
initial sample had no IA unit and were excluded the CAE decided not to participate in the study.
from the study. In the remaining companies, the Table 2 shows that the most frequent motivation for
researchers contacted the CAEs to present the the lack of response was related to the lack of time
research objectives and arrange the delivery of (28%) or to the location of the audit department in

© Blackwell Publishing Ltd. 2009 Int. J. Audit. 13: 43–60 (2009)

48 M. Arena and G. Azzone

advocate the need to measure IA effectiveness (for

Table 2: Reasons for not answering
instance, Barrett, 1986; Sawyer, 1995; Dittenhofer,
Reasons for No. of % of 2001; KPMG, 2004; Van Gansberghe, 2005; Mihret
not answering non-respondents non-respondents & Yismaw, 2007; Ridley & D’Silva, 2008), there is
Lack of time 38 28.36% no generally acknowledged or operational measure
Lack of interest 3 2.24% for this purpose.
Centralized 27 20.15% The different approaches can be divided into
audit three main sets: process measures, output
department measures and outcome measures.
IA Department 2 1.49% Process measures are based on the evaluation
recently
introduced of the quality of IA procedures, such as the level
Not known 43 32.09% of compliance with IIA standards or the ability
Not applicable 8 5.97% to plan, execute and communicate audit findings
Privacy 5 3.73% (for instance Spraakman, 1997; Wang, 1997; Fadzil
Difficult 4 2.99% et al., 2005). Though this approach was adopted
contingent frequently in the previous literature, it suffers from
situation
Other 4 2.99% a major limitation as it is based on the hypothesis
Total 134 100.00% that IA activity is effective if IA procedures are
carried out properly, without considering the needs
of the main stakeholders in each individual audit
(Lampe & Sutton, 1994). This is in contrast with
a different parent company (20%). Only a few the current trend that stresses the relevance of
companies indicated that they were not interested value-added activities and indicates stakeholders’
in the project or considered the questionnaire satisfaction as one of the critical performance
unsuitable for their company. Some 32% of the categories for IA activities (see, for instance, the
non-respondents did not provide any feedback on Practice Advisory 1311-2).
their failure to answer. Output measures appear more consistent with
As suggested by Oppenheim (1966), the the need to consider the changing expectations
existence of a non-response bias was further tested of IA customers, as well as the relevance of
by comparing the responses of the early and late value-added activities in shaping performance
respondents. The existence of statistical differences indicators (Frigo, 2002). Among the possible
between the two groups of companies was tested indicators, particular attention has been paid to the
applying the chi-square test (categorical variables) ability of IA to respond to auditees’ needs (see, for
and the t-test (continuous variables). There was no instance, Barrett, 1986; Frigo, 2002; Ziegenfuss,
significant evidence of a response bias. Finally, a 2000). In this context, a recent work by Ziegenfuss
possible source of bias could be related to the (2000) has highlighted that the survey results
choice of the sample frame (the list of the top Italian of auditee satisfaction and the percentage of
companies), and some caution should therefore be recommendations that are implemented are the
taken when extending these results to other performance measures considered by the CAE
countries. to be most suitable to evaluate IA effectiveness.
The first measure, though potentially interesting,
can be hard to apply to an extensive survey, as
Measures and statistical analysis it requires the involvement of a representative
sample of auditees for each company. The latter
Dependent variable
measure also suffers from some limitations, as
The dependent variable was IA effectiveness. In it is at least partially beyond IA control and does
general, effectiveness can be defined as the capacity not account for qualitative differences between
to obtain results that are consistent with targets or, recommendations (Salierno, 2000). However, it
as Dittenhofer (2001) points out in different words, appears more suitable for collecting data from an
‘the achievement of the internal auditing process extensive study.
is when internal auditing performs in such a way Finally, there are outcome measures which tackle
so as to accomplish the task described by the the impact of a certain output of the audit process.
internal auditing objective’. Though several parties According to Dittenhofer (2001), ‘when evaluating

© Blackwell Publishing Ltd. 2009 Int. J. Audit. 13: 43–60 (2009)

Identifying Organizational Drivers of Internal Audit Effectiveness
the effectiveness of the internal auditing operation,
a positive response would be given when the
internal auditor: (1) audits the achievement of the
auditees’ objectives and finds no problems, and no
problems surface following the audit; or (2) audits
and finds problems; and (3) recommends solutions
to the problems; and the solutions resolve the
problems’. From this statement it is clear that
outcome measures address a wide range of aspects,
i.e. all the elements on which audit activities have
an impact. These include both efficiency and
effectiveness of the audited processes and
corporate results. At a process level, for example,
the impact of IA activities has been related to cost
savings generated by the implementation of
suggested recommendations (see, for instance,
Cashell & Aldhizer III, 2002). At a corporate level,
outcome measures can address the IA contribution
to corporate performance, such as profit, growth, or
share price; or its role in the avoidance of corporate
failures. Though such an approach appears
potentially interesting, as confirmed by recent
practitioners’ literature (see, for instance,
Blackburn, 2004), measuring outcomes involves
inherent difficulties. The main problems are related
to the existence of a delay between the time when a
certain action is taken and when its impact is
comprehensible. Furthermore, the contribution of
each item (i.e., IA intervention) may not be isolated
easily (see, for instance, Smith, 1995; Perrin, 1998;
Heinrich, 2002).
Based on the above considerations, IA
effectiveness was measured, in this study, as the
percentage of recommendations suggested by
the internal auditors and actually implemented
by the auditees. Though this solution suffers from
the previously discussed limitations, the choice
appears more consistent with the objectives of this
paper, that is, to address IA impact, while avoiding
the problems related to outcome measures.
The percentage of recommendations
implemented by the auditees was measured
through a four point Likert-type item (%IMP).
Here, 1 corresponds to a low level of
implementation of actions suggested by the
internal auditors (below 20%), 2 is a medium–low
level of implementation (between 20% and 50%),
3 is a medium–high level of implementation
(between 50% and 80%) and 4 indicates a high level
of implementation of suggested actions (more than
80%).
Table 3 presents the descriptive statistics for the
dependent variable.
© Blackwell Publishing Ltd. 2009
49
Table 3: Descriptive statistics: percentage of
recommendations suggested by internal auditors
and actually implemented by the auditees
Implemented No. %
recommendations
(%IMP)
1 (<20%) 12 7.84
2 (20% < n < 50%) 29 18.95
3 (50% < n < 80%) 69 45.10
4 (>80%) 43 28.10
Total 153 100.00
Independent variables
The list of independent variables and their
descriptive statistics are presented in Tables 4 and
5. The constructs investigated in this research
include: (1) the size of the IA units, (2) the internal
auditors’ competencies, (3) the involvement of the
internal auditors in activities supporting risk
management processes, and (4) the level of
interaction between the IA and AC.
In order to measure the size of an IA unit,
reference was made to two variables. First, the
number of internal auditors (NIAS), which was
also used in prior research as an indicator of
the resources potentially available to the IA
departments (see, for instance, Goodwin & Yeo,
2001; Goodwin, 2003; Paape et al., 2003; Carcello et
al., 2005; Goodwin-Stewart & Kent, 2006; Mat Zain
et al., 2006). A logarithmic transformation was
applied to improve the reliability of the measure
and reduce collinearity when performing the
regression analysis (see, for instance, Mat Zain et
al., 2006).3
Second, we adopted the ratio between the
number of internal auditors and the number of
employees in the analysed companies (RATIO).
The adoption of a relative measure provides a more
significant indication of the resources that are
actually available for IA activities (see also Makosz
& McCuaig, 1990).
The second construct refers to internal auditors’
competencies. Here, three variables were adopted:
the membership of the Chief Audit Executive
(CAE) to the Institute of Internal Auditors (IIA), the
achievement of professional certification issued
by the IIA (CERT_IIA) and the achievement of
Certified Public Accountant certification by the
internal auditors (CERT_CPA).
The IIA plays a relevant role in the education and
training of internal auditors by organizing courses,
Int. J. Audit. 13: 43–60 (2009)
50 M. Arena and G. Azzone

Table 4: Descriptive statistics

No. Min Max Mean Std.
deviation
lnNIAS (ln (no. of internal auditors)) 153 0.00 6.40 1.66 1.24
RATIO (no. of internal auditors/no. of employees) 153 0.00 0.13 0.01 0.01
CERT_IIA (no. of internal auditors with IIA 153 0.00 1.00 0.07 0.17
certification / no. of employees)
CERT_CPA (no. of internal auditors with CPA 153 0.00 1.00 0.09 0.22
certification / no. of employees)
IIA (membership of the CAE to the IIA) 153 0.00 1.00 0.65 0.48
lnRM (ln (% of FTE used for risk assessment + 1)) 153 0.00 4.26 2.12 1.03
CRSA (adoption of CRSA techniques) 153 0.00 1.00 0.62 0.49
FSCAC (AC factor score) 153 -1.16 1.36 0.00 1.00
FREQAC (frequency of meetings between IA and AC) 153 0.00 5.00 1.78 1.59
lnSALE (ln (sales)) 153 16.10 25.18 20.95 1.57
IND (industry) 153 0.00 1.00 0.28 0.45
LIST (listing) 153 0.00 1.00 0.50 0.50

conferences and seminars (Lewington, 1996;
Dunlop & Hassall, 1997; O’Regan, 2001). The IIA is
open to all individuals involved in internal auditing
and related issues, therefore membership is not
selective. However, the participation of the CAE in
the IIA may be a sign of the inclination of the audit
unit towards training activities and competency
development. The variable adopted here (IIA) was
given a value of 1 when the CAE was a member of
the IIA and a value of 0 otherwise.
Similarly, professional certification may be
related to the level of competencies of an IA unit
(see, for instance, Kalbers & Fogarty, 1995; Fadzil et
al., 2005). In particular, two different types of
certification appear relevant: (1) certifications
issued by the IIA (in particular CIA) which identify
specific IA competencies, and (2) CPA certification,
which refers to broader accounting competencies.
Previous research has highlighted the relevance of
professional certification, though with contrasting
results. Myers & Gramling (1997) highlighted that
CIA certification (Certified Internal Auditor) is
considered a sign of professional competency by
the CAE, though it is not recognized by line
managers to any extent. The authors also reported
on cases where CPA certification is given more
importance than CIA certification (see also Cooper
et al., 1996; Al-Twaijry, 2003). Similarly, Kalbers &
Fogarty (1995) highlighted a still limited diffusion
of certification: in their study, 52.6% of the
responding internal auditors had no accounting
certification, 28.8% were CPAs and only 7.7% were
CIAs. In European countries, the situation is also
differentiated. In Belgium, only 33% of the internal
auditors within an IA department have one or more
IA-related certifications (IIA Belgium, 2006), and in
Greece the majority of internal auditors in listed
organizations are not certified (Koutoupis, 2006).
Though this measure is consistent with previous
research, it suffers from some limitations as it
neglects non-accounting qualifications such as IT
or technical skills which are now becoming more
critical.
Finally, the variables adopted in this analysis are
CERT_IIA and CERT_CPA, which were computed
as the ratio between the number of internal
auditors with a certain certification and the overall
number of internal auditors in the IA unit. Tables 4,
5 and 6 present the relevant descriptive statistics
and correlation analysis.
The level of involvement of the IA in activities
to help the risk management process is measured
by two variables: the adoption of control risk
self-assessment techniques (CRSA) and the
percentage of time employed by the internal
auditors to carry out risk assessment.
Control self-assessment (CSA) techniques are
defined as processes ‘where auditors and
management work cooperatively to set and
evaluate standards for control through workshop
and discussion’ (Jordan, 1995; Melville, 1999). Prior
research pointed out that the adoption of these
techniques contributed to a shift in the focus of
IA activities from monitoring to a continuous and
systemic review of the system of internal controls,
aimed at identifying and managing enterprise risk
(McCuaig, 1998; Melville, 1999). The adoption of
CSA/CRSA techniques is a measure of the level of

© Blackwell Publishing Ltd. 2009 Int. J. Audit. 13: 43–60 (2009)

© Blackwell Publishing Ltd. 2009
Table 5: Correlation analysis
(1) (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12)
(1) lnNIAS 1 0.170* -0.011 -0.304** 0.280** -0.143 0.080 0.182* 0.113 0.374** 0.264** 0.106
(2) RATIO 1 -0.119 -0.078 -0.141 -0.003 -0.164* 0.050 0.059 -0.203* 0.354** -0.212**
(3) CERT_IIA 1 -0.099 0.180* 0.111 0.108 0.001 -0.024 0.227** -0.231** 0.024
Identifying Organizational Drivers of Internal Audit Effectiveness

(4) CERT_CPA 1 -0.086 0.007 0.172* 0.127 0.188* -0.238** -0.202* 0.114
(5) IIA 1 -0.083 0.043 0.079 0.106 0.459** -0.147 0.142
(6) lnRM 1 0.064 0.015 0.016 -0.017 -0.110 -0.048
(7) CRSA 1 0.254** 0.301** 0.046 0.039 0.140
(8) FSCAC 1 0.836** 0.072 0.065 0.323**
(9) FREQAC 1 0.102 0.149 0.310**
(10) lnSALE 1 -0.256** 0.163*
(11) IND 1 -0.193*
(12) LIST 1

Int. J. Audit. 13: 43–60 (2009)

51
52
Table 6: Frequencies (dummy variables)
No. % FSCAC
Membership of the CAE to the IIA (IIA)
0 (No) 54 35.29
1 (Yes) 99 64.71
Adoption of CRSA techniques (CRSA)
0 (No) 58 37.90
1 (Yes) 95 62.10
Listing (LIST)
0 (Unlisted firm) 76 49.67
1 (Listed firm) 77 50.33
Industry (IND)
0 (Manufacturing and 110 71.90
utilities)
1 (Financial service 43 28.10
providers)
collaboration and interaction between internal
auditors and managers in monitoring and
enhancing the internal control/risk management
system. The variable used here (CRSA) was given a
value of 1 when the company had implemented
CSA/CRSA techniques and a value of 0 otherwise.
A second variable is the percentage of time (Full
Time Equivalent), employed in risk assessment
activities (RM). Prior research adopted percentages
of time to explore the tasks in which internal
auditors were engaged (see, for instance, Paape et
al., 2003).4
A logarithmic transformation was applied to
enhance the reliability of the measure and reduce
collinearity, which could affect the reliability of the
regression analysis.
Finally, the level of interaction between IA and
the audit committee was measured using two
variables: the frequency of AC meetings with the
CAE and the level of participation of the AC in the
monitoring and reviewing of IA work.
The frequency of meetings between the AC and
IA has often been used in prior research to measure
the relationship between the two bodies (see, for
instance, Goodwin & Yeo, 2001; Goodwin, 2003;
Goodwin-Stewart & Kent, 2006; Mat Zain et al.,
2006). In this paper, the frequency of the meetings
between the CAE and AC was measured using a
numeric variable (FREQAC) where 0 = no meeting
between the CAE and the AC, 1 = one meeting per
year between the CAE and the AC, 2 = two
meetings per year between the CAE and the AC,
3 = three meetings per year between the CAE and
the AC and 4 = four or more meetings per year
between the CAE and the AC.
© Blackwell Publishing Ltd. 2009
M. Arena and G. Azzone
Table 7: Factor analysis and Cronbach’s alpha
Component
Involvement of the AC in the 0.959
monitoring and controlling of the
IA activities
Involvement of the AC in the review 0.935
of the IA reports
Involvement of the AC in the 0.951
definition of the audit plan
Cronbach’s alpha 0.943
The level of participation of the AC in IA
activities was measured using multiple survey
items. As no consensual scales were readily
available in the literature, we developed three items
to deal with different interaction ‘phases’ between
the IA and the AC: identification of the IA unit’s
objectives and the definition of the audit plan;
monitoring and controlling of the audit activities;
and review of IA reports. The level of involvement
of the AC in these activities was measured
on a five-point Likert scale, with the lowest value
being 1 and the highest value 5. A confirmatory
factor analysis highlighted that these items can be
grouped into one (with 92.51% of variance
explained); furthermore the reliability analysis
showed satisfactory results (Cronbach’s
alpha = 0.943). Henceforth, reference is made to the
resulting item (FSCAC); the related statistics are
shown in Table 7.
Some control variables were included in the
model in order to verify the relevance of the
contextual factors that can influence the results
of the analysis. The control variables were the
company’s size, the type of industry and listing.
Size has been used as a control variable in
previous research dealing with IA organization
and IA effectiveness (Goodwin-Stewart & Kent,
2006; Mat Zain et al., 2006; Coram et al., 2008). Size
was measured according to the sales (SALE). A
logarithmic transformation was applied to improve
the reliability of the measure and to reduce
collinearity when performing the regression
analysis.
Industry was included to take into account the
possible role of different normative requirements
concerning IA in different industries. In Italy, as
in some other countries, banks and insurance
companies are the only organizations where IA
activities are regulated by law. The sample
companies were accordingly divided into two
Int. J. Audit. 13: 43–60 (2009)
Identifying Organizational Drivers of Internal Audit Effectiveness 53

Table 8: Ordered logit regression model

Variables Coefficients Standard z Significance
errors P > |z|
lnSALE (ln (sales)) -0.101 0.152 -0.66 0.507
IND (industry) -0.263 0.574 -0.46 0.647
LIST (listing) 0.016 0.386 0.04 0.968
lnNIAS (ln (no. of internal auditors)) -0.194 0.196 -0.99 0.322
RATIO (no. of internal auditors/no. of employees) 84.908 26.275 3.23 0.001
CERT_IIA (no. of internal auditors with IIA certification/ -0.436 0.983 -0.44 0.657
no. of employees)
CERT_CPA (no. of internal auditors with CPA 0.021 0.937 0.02 0.982
certification/no. of employees)
IIA (membership of the CAE to the IIA) 1.321 0.415 3.18 0.001
lnRM (ln (% of FTE used for risk assessment + 1)) 0.021 0.169 0.13 0.900
CRSA (adoption of CRSA techniques) 1.518 0.416 3.65 0.000
FSCAC (AC factor score) 1.345 0.363 3.71 0.000
FREQAC (frequency of meetings between IA and AC) 0.538 0.234 2.30 0.022
LR chi2 = 134.38
Prob > chi2 = 0.000
Pseudo R2 = 0.358

groups: IND was given a value of 1 if the firm was
a bank or an insurance company and 0 otherwise.
The last control variable encompasses listing
choices. Listed companies, though not required to
adopt IA units, have more precise requirements
with respect to internal controls. This could
influence the set of activities performed as well as
their effectiveness (see, for instance, Allegrini &
D’Onza, 2003). Listing was measured using a
dichotomous variable (LIST) which was given a
value of 1 if the company was listed and 0 otherwise.
Table 5 also presents the descriptive statistics
and the correlation analysis for the control variable.
Some of the correlations appear to be high, which
raises the possibility of multicollinearity. Therefore,
particular attention was paid to this issue in the
data analysis.
The model
In order to explore the research hypotheses, we
adopted an ordinal logit regression model, since
the dependent variable is a Likert-scale item.
Standard tests were performed to verify the
reliability of the model and these provided
acceptable results concerning the underlying
assumptions (Long & Freese, 2006). The
approximate likelihood-ratio test suggests that the
proportional odds assumption was not violated
(chi2 = 27.10, p = 0.30).
The following regression model was tested:
% IMPi = b0 i + b1lnNIASi + b2 RATIOi + b3CERT_IIAi +
b4CERT_CPAi + b5 IIAi + b6lnRMi +
b7 CRSAi + b8 FREQACi + b9 FSCACi +
b10lnSALEi + b11INDi + b12 LISTi + ei
The first and the second variables, lnNIAS and
RATIO, were used to explore the first research
hypothesis (H1), CERT_IIA, CERT_CPA, and IIA
were used to test the second research hypothesis
(H2), lnRM and CRSA were used to explore the third
research hypothesis (H3). Finally, FREQAC and
FSCAC were used to test the last hypothesis (H4).
The following section reports the results of the
statistical analysis. A sensitivity analysis was also
performed in order to test the reliability of the
proposed model.
RESULTS
Table 8 presents the results of the regression
analysis carried out on the percentage of
recommendations suggested by the internal
auditors and actually implemented by the auditees.
The regression model is statistically significant
(LR chi2 = 134.38; p < 0.00, pseudo R2 = 0.36).
Unexpectedly, the data analysis shows that none of
the control variables are related to the effectiveness
of the IA unit. Instead, the regression analysis made
it possible to at least partially validate the
previously formulated hypotheses.
As far as the first research hypothesis is
concerned, the statistical analysis showed a positive

© Blackwell Publishing Ltd. 2009 Int. J. Audit. 13: 43–60 (2009)

54
relationship between the resources available to the
IA unit and the percentage of actions implemented
by their auditees. In other words, the ratio between
the number of internal auditors and the number
of company employees (RATIO) was positively
related to the IA effectiveness (z = 3.23, p < 0.00).
The analysis, instead, did not show any relationship
between the overall number of internal auditors
and IA effectiveness. This result is sound if we take
into account that the relative measure adopted
in this research (RATIO) allows the resources used
to perform the IA activities to be compared with
the auditable universe. According to these
considerations, it can be concluded that the first
research hypothesis is at least partially confirmed
by the data analysis.
The second research hypothesis relates to the
competencies of the IA units. In this case, the
regression analysis highlighted a positive
relationship between the membership of the CAE
to the Italian chapter of the IIA (IIA) and the
percentage of implemented actions (z = 3.18,
p < 0.00). The data analysis, instead, did not
show any link between the percentage of
recommendations enacted by managers and the
employment of internal auditors with professional
certification. Hence, again, the research hypothesis
is partially supported.
The third hypothesis concerns the level of
involvement of the IA in activities supporting the
risk management process. The statistical analysis
showed contrasting results. The percentage of
actions implemented by the auditees is positively
related to the implementation of CRSA techniques
(z = 3.65, p < 0.00). The data, instead, do not provide
evidence of the existence of any relationship with
the percentage of time employed for risk
assessment activities on IA effectiveness.
Finally, the last research hypothesis concerns the
level of interaction between the internal auditors
and the audit committee. Both the frequency of
meetings between the AC and the CAE and the
level of involvement of the AC in IA activities are
positively related to the percentage of implemented
actions (z = 2.30, p < 0.02 and z = 3.71, p < 0.00,
respectively).
Sensitivity analysis
A sensitivity analysis, where different variables
were introduced and removed, was performed to
verify the reliability of the regression model.
© Blackwell Publishing Ltd. 2009
M. Arena and G. Azzone
First, the regression was run after removing
highly correlated variables, one by one, in order
to verify their influence on the significance of
other variables included in the model. The same
procedure was reiterated by removing the control
variables. Though this analysis resulted in small
changes in the coefficient, there were no differences
in the significant variables.
Since the factor score for AC involvement in
IA activities (FSCAC) was highly correlated to the
frequency of meetings (FREQAC), we combined
the items included in FSCAC with the variable
FREQAC through a factor analysis. The regression
model was run replacing the two variables with the
new factor score, which was significant at p < 0.00,
but no relevant changes in the other variables were
shown.
Third, we ran the regression model adding the
early/late respondent variable in order to further
verify the existence of a response bias. This variable
was not significant in determining the percentage
of recommendations implemented by the auditees,
nor did it modify the significance of any other
variables previously included in the model.
Fourth, we verified whether outsourcing could
affect the link between the effectiveness of IA and
the number of IA staff. We added a dichotomous
variable (OUT) which was given a value of 1 if the
company uses outsourced IA services, at least
partially and 0 otherwise. The variable did not
influence IA effectiveness. While small changes in
the coefficients were recorded, there were no
relevant differences in the significant variables.
Finally, we added an AGE variable, to measure
the age of the IA unit. We adopted a dichotomous
variable which was given a value of 0 where the IA
unit was established within the last five years and
1 otherwise. This variable could be used as an
indicator of the experience of the function, at least
in relation to the firm context. The regression
analysis was not affected by the introduction of this
new variable: the data did not provide any evidence
concerning the significance of the AGE variable and
there were no significant changes in the other
variables.
DISCUSSION AND CONCLUSIONS
Among the different systems adopted by
companies to ensure sound corporate governance,
IA has recently gained high attention due to its
links with the internal control-risk management
system (see, for instance, Power, 2007). Internal
Int. J. Audit. 13: 43–60 (2009)
Identifying Organizational Drivers of Internal Audit Effectiveness
auditors have exploited this renewed interest, by
transforming their function and extending their
area of involvement to risk management, control
and governance processes. Such a shift has the
purpose of increasing the value added by IA to
respond to the specific needs of the organizations.
However, this change also means that the IA
processes, competencies and roles need to be
modelled accordingly in order to increase the
ability of IA to respond to the needs of the
organization and thus enhance its effectiveness.
Starting from this consideration, the paper has
analysed the organizational dimensions a company
should act on to improve IA effectiveness. The data
used to test the hypotheses were collected through
a questionnaire which was sent to 364 Italian
companies, generating a response rate of 47%.
The test of the hypotheses showed that the
effectiveness of IA is influenced by several
organizational dimensions (characteristics of the
IA team, processes and activities, organizational
links). The percentage of implemented suggestions
increases when:
• the ratio between the number of internal
auditors and the employees is higher;
• the CAE is affiliated to the Institute of Internal
Auditors;
• the company adopts CRSA techniques;
• the audit committee is involved in the activities
of the internal auditors.
These conclusions may be of help in the design
of IA within specific organizations in order to
improve its effectiveness. However, a systemic
analysis of these results could help to better
understand their relevance, implications and
limitations.
First, the paper clarifies the fact that the
structural characteristics of an IA unit may
influence its effectiveness. The positive role of the
ratio between the number of internal auditors and
the employees, in particular, indicates how
important it is for IA to have sufficient resources
compared to the auditable universe. This result may
appear somewhat trivial. However, it can influence
future decisions on whether to increase the share of
budget and staff dedicated to IA, a step which
many companies are currently pursuing, due to
recent financial scandals (Carcello et al., 2005;
Goodwin-Stewart & Kent, 2006).
The second set of results concerns those elements
which could contribute to IA effectiveness by
enhancing its legitimation at both top levels and for
line managers. Here, two elements appear critical:
© Blackwell Publishing Ltd. 2009
55
IA positioning, and in particular its relationship
with the AC, and the interaction with line
managers.
At top levels, we have confirmed the positive
impact of a close link between IA and the AC on
IA effectiveness. This finding extends the results
of other researchers, who have testified the role
of such a link in improving the ‘traditional
performance’ of IA (quality of the reports,
efficiency in data analysis, completeness in
identifying non-compliance). The involvement of
the AC in the activities of internal auditors may be
proof of the commitment of the organization to
auditing and increase the credibility of auditors
and leading line managers to be more active in
implementing their suggestions.
At a middle management level, the legitimation
of internal auditors is closely related to the
changing role of the IA, which increasingly acts as
a consultant within an organization. This changing
role is highlighted in the study through the positive
relationship between IA effectiveness and the
adoption of CRSA. This technique requires the
direct involvement of line managers and their
active role in risk identification and monitoring
(Melville, 1999), while internal auditors mainly
play a facilitating role. On the one hand, this type
of interaction encourages internal auditors to
cooperate with managers and to focus on
operational activities, thus legitimating the
auditors’ role at a middle management level. On
the other hand, it poses the problem of balancing
internal auditors’ active participation in CRSA with
their monitoring role, in order not to impair their
objectivity and independence. Our results confirm
the opportunity that internal auditors have, as a
professional body, to increase their involvement in
activities which support the risk management
process in order to improve the added value of
their work. Some caution should, however, be
taken to avoid inappropriate involvement in tasks
that the managers are responsible for. The lack
of correlation between IA effectiveness and the
share of time that the auditors dedicate to risk
management could appear to be in contrast with
this result. However, although the adoption of
CRSA is an objective measure of the attitude of a
company towards risk management, we measured
time allocation according to a self-assessment by
the CAE. For this reason, the data could be
unreliable and could induce a bias in the analysis.
Furthermore, as we previously mentioned, we did
not distinguish between assurance and consulting
Int. J. Audit. 13: 43–60 (2009)
56
services, which could also introduce a bias into the
analysis.
These results lead to some implications which
could be relevant at both a practical and theoretical
level. The relevance of the organizational links
on influencing IA effectiveness suggests the
importance of the proper positioning of the IA unit,
a point which has also been debated by other
scholars. Furthermore, the relevance of the
organizational links highlights the importance of
studying IA within its organizational realm,
considering the whole set of relations that could
influence it. Most previous research has studied
IA on its own, or focused on the relationship
between IA and AC or IA and the external audit.
However, to the authors’ knowledge, there are
very few studies that simultaneously consider
the interactions with different actors of the
organization, including senior and middle
managers (see, for instance, Sarens & De Beelde,
2006b) and none that address IA effectiveness. In
our opinion, this constitutes a potential limitation
to the complete understanding of IA effectiveness.
Finally, the third set of results highlights the
relevance of properly designing IA competencies.
The changing role of internal auditors has
determined the creation of new skills to perform
activities that are more closely related to risk
management and corporate governance. However,
risk management requires different competencies
from compliance; it needs auditors who are able
to understand the main drivers of business
performance, to deal with different sources of risk,
to involve line managers and increase their
confidence in risks and controls. Hence, it is
not surprising that our results on internal
auditors’ competencies, even though apparently
counterintuitive, confirm what was reported in
Gramling & Myers (1997), who claimed that
auditors’ professional certification (CIA in
particular) does not influence the perceptions of
line managers and their willingness to implement
suggestions. A possible explanation for this is that
professional certification, in general, is based on
‘traditional skills’ and does not guarantee an
improvement in ‘new competencies’. The positive
impact of the affiliation of the CAE to the IIA does
not rule out this conclusion; it represents more a
measure of the interest of CAEs in updating their
information and knowledge (and again, this is
consistent with a greater interest in risk
management than in compliance) than of the level
of competencies of the IA team.
© Blackwell Publishing Ltd. 2009
M. Arena and G. Azzone
The discussion on the results of the study
highlights its main limitations.
First, the research used the survey method for
data collection. This method prevents the
possibility of explaining and giving details on the
questions to the respondents and may therefore not
ensure high external validity because the researcher
is unable to completely control how the
respondents interpret the questions. From this
point of view, the nature of the study should be
considered exploratory and its results could be
further verified and dealt with in depth using more
intensive research methods.
Second, the survey was carried out in Italy and
the data collected can be considered representative
of large Italian organizations, but some caution
should be applied when extending these results to
other contexts, with different legislative settings or
levels of development of IA. In Italy, for instance,
IA is a relatively new discipline and there are no
legislative requirements for Italian companies to
establish IA units or to perform IA activities (with
financial service providers being the only
exception).
Furthermore, the analysis of the results has
clarified that some of the data used in this research
are too aggregated to obtain a clear picture of certain
issues. One point concerns the processes and
activities that internal auditors carry out. As our
study confirms the opportunity for involvement of
internal auditors in risk management, we believe
that it would be useful, in future studies, to refer
to a clear framework of the different activities that
the IA performs in risk management (for instance,
the IIA Position Statement), in order to understand
where the role of IA is more critical. For this
purpose, a more reliable measure of time dedicated
to each activity should be used rather than the CAE
self-assessment.
Another problem concerns the definition of the
competencies of internal auditors. We used the
employment of certified auditors within the IA unit
as a proxy. The research, however, shows that
this is not directly linked to IA effectiveness. We do
not believe that this is due to the irrelevance of
competencies, but rather to the fact that our
definition of competencies, even though in line
with other scholars, is not consistent with present
requirements. Hence, future research should start
from a more detailed analysis of the competencies
that are theoretically required of internal auditors,
in order to understand which specific skills can
influence their effectiveness.
Int. J. Audit. 13: 43–60 (2009)
Identifying Organizational Drivers of Internal Audit Effectiveness
This latter comment leads, in our opinion, to a
final implication of the paper. It, in fact, suggests
that IA professional bodies should re-design the set
of skills and competencies that are needed for their
profession, consistently with the evolution that is
taking place in the role of internal auditing in
organizations.
ACKNOWLEDGEMENTS
The authors wish to thank the editor and the two
anonymous reviewers for their comments and
advice.
NOTES
1. Internal auditing is an independent, objective
assurance and consulting activity designed to
add value and improve an organization’s
operations. It helps an organization accomplish
its objectives by bringing a systematic,
disciplined approach to evaluate and improve
the effectiveness of risk management, control,
and governance processes (IIA, 2000).
2. Mediobanca is the leading investment bank in
Italy and its Research Department is a highly
specialized centre for financial analysis and
research. The annual editions of the Top Italian
Companies constitutes the most authoritative and
complete classification of the main Italian
corporations.
3. However, this measure is based on
self-evaluation by the CAE and we did not
distinguish between assurance and consulting
activities in relation to risk assessment and its
use can therefore be open to criticism.
4. Consistent with this choice, the descriptive
statistics show the logarithmic transformation of
the NIAS variable. The minimum value reported
is zero, which corresponds to one internal
auditor (since ln 1 = 0).
REFERENCES
Al-Twaijry, A. A. M., Brierley, J. A. & Gwilliam, D. R.
(2003), ‘The development of internal audit in Saudi
Arabia: an institutional theory perspective’, Critical
Perspective on Accounting, Vol. 14, No. 5, pp. 507–31.
Al-Twaijry, A. A. M., Brierley, J. A. & Gwilliam, D. R.
(2004), ‘An examination of the relationship between
internal and external audit in the Saudi Arabian
corporate sector’, Managerial Auditing Journal, Vol.
19, No. 7, pp. 929–45.
© Blackwell Publishing Ltd. 2009
57
Allegrini, M. & D’Onza, G. (2003), ‘Internal auditing
and risk assessment in large Italian companies: an
empirical survey’, International Journal of Auditing,
Vol. 7, No. 3, pp. 191–208.
Allegrini, M., D’Onza, G., Melville, R., Paape, L. &
Sarens, G. (2008), ‘CBOK Europe: A State of the Art
of the Internal Audit Profession in Europe’. Paper
presented at the First Global Academic Conference
on Internal Auditing and Corporate Governance,
20–22 April, Rotterdam.
Arena, M., Arnaboldi, M. & Azzone, G. (2006),
‘Internal audit in Italian organizations: a multiple
case study’, Managerial Auditing Journal, Vol. 21, No.
3, pp. 275–92.
Barrett, M. J. (1986), ‘Measuring internal auditing
performance’, Internal Auditing, Vol. 2, pp. 30–35.
Beasley, M. S., Clune, R. & Hermanson, D. R. (2005),
‘ERM: a status report’, The Internal Auditor, Vol. 62,
No. 1, pp. 67–73.
Bishop, W. G. III, Hermanson, D. R., Lapides, P. D. &
Rittenberg, L. E. (2000), ‘The year of the audit
committee’, The Internal Auditor, Vol. 57, No. 2, pp.
46–51.
Blackburn, S. D. (2004), ‘How effective is your internal
audit function?’, Online available: www.in2itive.biz
Blue Ribbon Committee (BRC) on Improving the
Effectiveness of Corporate Audit Committees
(1999), Report and Recommendations of the Blue Ribbon
Committee on Improving the Effectiveness of Audit
Committees. New York: NYSE and NASD.
Bou-Raad, G. (2000), ‘Internal auditors and a
value-added approach: The new business regime’,
Managerial Auditing Journal, Vol. 15, No. 4, pp. 182–
6.
Braiotta, L. (1999), The Audit Committee Handbook, 3rd
edn. New York: John Wiley.
Brody, R. G., Golen, S. P. & Reckers, P. M. J. (1998),
‘An empirical investigation of the interface between
internal and external auditors’, Accounting and
Business Research, Vol. 28, No. 3, pp. 160–72.
Burnaby, P. & Hass, S. (2008), ‘A Global Summary
of the Common Body of Knowledge 2006 US
Respondents Compared to Non-US Respondents’,
Paper presented at the First Global Academic
Conference on Internal Auditing and Corporate
Governance, 20–22 April, Rotterdam.
Carcello, J. V., Hermanson, D. R. & Raghunandan, K.
(2005), ‘Changes in internal auditing during the
time of the major US accounting scandals’,
International Journal of Auditing, Vol. 9, No. 2, pp.
117–27.
Cashell, J. D. & Aldhizer III, G. R. (2002), ‘An
examination of internal auditors’ emphasis on value
added services’, Internal Auditing, Vol. 17, No. 5,
pp. 19–31.
Clark M. W., Gibbs T. E. & Schroeder, R. G. (1981),
‘How CPAs evaluate internal auditors’, CPA Journal,
Vol. 51, pp. 10–15.
Combined Code (2003), The Combined Code on
Corporate Governance, London: Financial Reporting
Council.
Int. J. Audit. 13: 43–60 (2009)
58
Committee of Sponsoring Organizations of the
Treadway Commission (COSO) (1992), Internal
Control-Integrated Framework, New York: Coopers
and Lybrand.
Committee of Sponsoring Organizations of the
Treadway Commission (COSO) (2004), Enterprise
Risk Management-Integrated Framework, New York:
COSO.
Cooper, B. J., Leung, P. & Mathews, C. (1994), ‘Internal
audit: An Australian profile’, Managerial Auditing
Journal, Vol. 9, No. 3, pp. 13–19.
Cooper, B. J., Leung, P. & Mathews C. M. H. (1996),
‘Benchmarking – a comparison of internal audit in
Australia, Malaysia and Hong Kong’, Managerial
Auditing Journal, Vol. 11, No. 1, pp. 23–29.
Cooper, B. J., Leung, P. & Wong, G. (2006), ‘The Asia
Pacific literature review on internal auditing’,
Managerial Auditing Journal, Vol. 21, No. 8, pp.
822–34.
Coram, P., Ferguson, C. & Moroney, R. (2008),
‘Internal audit, alternative internal audit structures
and the level of misappropriation of assets fraud’,
Accounting & Finance, Vol. 48, No. 4, pp. 543–
59.
De La Rosa, S. (2005), ‘ERM-based audit reports’, The
Internal Auditor, Vol. 62, No. 6, pp. 73–76.
Dittenhofer, M. (2001), ‘Internal audit effectiveness: an
expansion of present methods’, Managerial Auditing
Journal, Vol. 16, No. 8, pp. 443–50.
Dunlop, A. & Hassall, T. (1997), ‘Learning never
stops’, Internal Auditing, October, pp. 22–23.
Fadzil, F. H., Haron, H. & Jantan, M. (2005), ‘Internal
auditing practices and internal control system’,
Managerial Auditing Journal, Vol. 20, No. 8, pp.
844–66.
Felix, W. L., Gramling, A. A. & Maletta, M. J. (2001),
‘The contribution of internal audit as a determinant
of external audit fees and factors influencing this
contribution’, Journal of Accounting Research, Vol. 39,
No. 3, pp. 513–25.
Flesher, D. L. & Zanzig, J. S. (2000), ‘Management
accountants express a desire for change in the
functioning of internal auditing’, Managerial
Auditing Journal, Vol. 15, No. 7, pp. 331–7.
Fraser, I. & Henry, W. (2007), ‘Embedding risk
management: Structures and approaches’,
Managerial Auditing Journal, Vol. 22, No. 4, pp.
392–409.
Frigo, M. L. (2002), A Balanced Scorecard Framework for
Internal Auditing Departments, Altamonte Springs,
FL: The Institute of Internal Auditors Research
Foundation.
Gibbs, T. E. & Schroeder, R. G. (1979), ‘Evaluating
the competence of internal audit departments’, in
Symposium on Auditing Research HI. Urbana:
University of Illinois, pp. 207–225.
Goodwin, J. (2003), ‘The relationship between the
audit committee and the internal audit function:
Evidence from Australia and New Zealand’,
International Journal of Auditing, Vol. 7, No. 3, pp.
263–78.
© Blackwell Publishing Ltd. 2009
M. Arena and G. Azzone
Goodwin, J. & Yeo, T. Y. (2001), ‘Two factors affecting
internal audit independence and objectivity:
Evidence from Singapore’, International Journal of
Auditing, Vol. 5, No. 2, pp. 107–25.
Goodwin-Stewart, J. & Kent, P. (2006), ‘The use of
internal audit by Australian companies’, Managerial
Auditing Journal, Vol. 21, No. 1, pp. 81–101.
Gramling, A. A. & Myers, P. M. (1997), ‘Practitioners’
and users’ perceptions of the benefits of certification
of internal auditors’, Accounting Horizons, Vol. 11,
No. 1, pp. 39–53.
Gramling, A. A., Maletta, M. J., Schneider, A. &
Church, B. K. (2004), ‘The role of the internal audit
function in corporate governance: A synthesis of the
extant internal auditing literature and directions
for future research’, Journal of Accounting Literature,
Vol. 23, pp. 194–244.
Griffiths, P. (1999), ‘Understanding the expectations
of finance directors towards internal audit and its
future’, Managerial Auditing Journal, Vol. 14, No. 9,
pp. 489–96.
Gul, F. A. & Subramaniam, N. (1994), ‘Audit
committee, gifts and discounts, familiarity as
factors affecting internal auditors’ professional
objectivity’, The Review of Business Studies, Vol. 3,
No. 1, pp. 88–99.
Hass, S., Abdolmohammadi, M. J. & Burnaby, P.
(2006), ‘The Americas literature review on internal
auditing’, Managerial Auditing Journal, Vol. 21, No. 8,
pp. 835–44.
Heinrich, C. J. (2002), ‘Outcomes-based performance
management in the public sector: Implications for
government accountability and effectiveness’, Public
Administration Review, Vol. 62, No. 6, pp. 712–25.
Institute of Internal Auditors (IIA) (1999), Definition
of Internal Auditing, Altamonte Springs, FL: The
Institute of Internal Auditors.
Institute of Internal Auditors (2000), Professional
Internal Auditing Standards: Standards for the
Professional Practice of Internal Auditing and Statement
of Responsibilities of Internal Auditors, Altamonte
Springs, FL: Institute of Internal Auditors.
Institute of Internal Auditors Belgium (2006), ‘Internal
Audit in Belgium: The Shaping of Internal Audit
Today and the Future Expectations – Survey
Results’, Brussels: The Institute of Internal Auditors
Belgium, available at: www.iiabel.be.
Institute of Internal Auditors UK and Ireland (2004),
The role of internal audit in enterprise-wide risk
management, Position Statement, London.
Jackson, R. A. (2005), ‘Role play’, The Internal Auditor,
Vol. 62, No. 2, p. 44.
Jordan, J. (1995), Control Self Assessment: Making the
Right Choice, Altamonte Springs, FL: Institute of
Internal Auditors.
Kalbers, L. P. & Fogarty, T. J. (1995), ‘Professionalism
and its consequences: A study of internal auditors’,
Auditing: A Journal of Practice and Theory, Vol. 14, No.
1, pp. 64–86.
Koutoupis, A. (2006), ‘Corporate Governance and
Business Risk Management Regulations and Best
Int. J. Audit. 13: 43–60 (2009)
Identifying Organizational Drivers of Internal Audit Effectiveness
Practices Impact on Internal Controls and Internal
Audit Activities within Greek Publicly Listed
Enterprises’, Paper presented at the Fourth
European Academic Conference on Internal Audit
and Corporate Governance, London.
KPMG (2004), Building a success model for internal audit:
The balanced scorecard. Available online at: http://
www.kpmg.com.sg/publications/ras_Building
ASuccess.pdf.
Krumwiede, K. (1998), ‘The implementation stages of
activity-based costing and the impact of contextual
and organisational factors’, Journal of Management
Accounting Research, Vol. 10, pp. 239–77.
Kwon, I. G. & Banks, D. W. (2004), ‘Factors related to
the organizational and professional commitment of
internal auditors’, Managerial Auditing Journal, Vol.
19, No. 5, pp. 606–22.
Lampe, J. C. & Sutton, S. G. (1994), ‘Evaluating the
work of internal audit: a comparison of standards
and empirical evidence’, Accounting and Business
Research, Vol. 24, Autumn, pp. 335–48.
Leithhead, B. S. (1999), ‘Managing change and size
risks’, The Internal Auditor, Vol. 56, No. 6, pp. 68–69.
Lewington, D. (1996), ‘2020 vision’, Managerial
Auditing Journal, Vol. 11, No. 7, pp. 3–11.
Lindow, P. E. & Race, J. D. (2002), ‘Beyond traditional
audit techniques’, Journal of Accountancy, Vol. 194,
No. 1, pp. 28–33.
Long, J. S. & Freese, J. (2006), Regression Models for
Categorical Dependent Variables, Using Stata, Rev.
edn. College Station, TX: Stata Press.
Makosz, P. & McCuaig, B. W. (1990), ‘Ripe for
renaissance’, Internal Auditor, December.
Maletta, M. J. (1993), ‘An examination of auditors’
decisions to use internal auditors as assistants: The
effect of inherent risk’, Contemporary Accounting
Research, Vol. 9, No. 2, pp. 508–26.
Matyjewicz, G. & D’Arcangelo, J. R. (2004), ‘ERM-
based auditing’, Internal Auditing, Vol. 19, No. 6,
pp. 4–18.
Mat Zain, M. & Subramaniam, N. (2007), ‘Internal
auditor perceptions on audit committee
interactions: A qualitative study in Malaysian public
corporations’, Corporate Governance: An International
Review, Vol. 15, No. 5, pp. 894–908.
Mat Zain, M., Subramaniam, N. & Stewart, J. (2006),
‘Internal auditors’ assessment of their contribution
to financial statement audits: The relation with
audit committee and internal audit function
characteristics’, International Journal of Auditing, Vol.
10, No. 1, pp. 1–18.
McCuaig, B. W. (1998), ‘Auditing assurance and CSA’,
The Internal Auditor, June.
Mediobanca (2003), Le principali società italiane,
Available online at: www.mbres.it.
Melville, R. (1999), ‘Control self assessment in the
1990s: The UK perspective’, International Journal of
Auditing, Vol. 3, No. 3, pp. 191–206.
Melville, R. (2003), ‘The contribution internal auditors
make to strategic management’, International Journal
of Auditing, Vol. 7, No. 3, pp. 209–22.
© Blackwell Publishing Ltd. 2009
59
Messier, W. F. & Schneider, A. (1988), ‘A hierarchical
approach to the external auditor’s evaluation of
the internal auditing function’, Contemporary
Accounting Research, Vol. 4, Spring, pp. 337–53.
Mihret, D. G. & Yismaw, A. W. (2007), ‘Internal audit
effectiveness: An Ethiopian public sector case
study’, Managerial Auditing Journal, Vol. 22, No. 5,
pp. 470–84.
Myers, P. M. & Gramling, A. A. (1997), ‘The perceived
benefits of certified internal auditor designation’,
Managerial Auditing Journal, Vol. 12, No. 2, pp. 70–79.
Nagy, A. L. & Cenker, W. J. (2002), ‘An assessment
of the newly defined internal audit function’,
Managerial Auditing Journal, Vol. 17, No. 3, pp. 130–7.
O’Regan, D. (2001), ‘Genesis of a profession: Towards
professional status for internal auditing’, Managerial
Auditing Journal, Vol. 6, No. 4, pp. 215–27.
Oppenheim, A. N. (1966), Questionnaire Design and
Attitude Measurement, London: Heinemann.
Paape, L., Scheffe, J. & Snoep, P. (2003), ‘The
relationship between the internal audit function and
corporate governance in the EU – A survey’,
International Journal of Auditing, Vol. 7, No. 3, pp.
247–62.
Page, M. & Spira, L. F. (2004) The Turnbull Report,
Internal Control and Risk Management: The Developing
Role of Internal Audit, The Institute of Chartered
Accountants of Scotland.
Perrin, B. (1998), ‘Effective use and misuse of
performance measurement’, American Journal of
Evaluation, Vol. 19, No. 3, pp. 367–79.
Power, M. (2007), Organized Uncertainty, Designing
a World of Risk Management, Oxford: Oxford
University Press.
Raghunandan, K., Rama, D. & Scarbrough, P. (1998),
‘Accounting and auditing knowledge level of
Canadian audit committees: Some empirical
evidence’, Journal of Internal Accounting, Auditing
and Taxation, Vol. 7, No. 2, pp. 181–94.
Raghunandan, K., Read, W. J. & Rama, D. V. (2001),
‘Audit committee composition, “gray directors”,
and interaction with internal auditing’, Accounting
Horizons, Vol. 15, No. 2, pp. 105–18.
Ridley, J. & D’Silva, K. (2008), ‘Explorations into
“Cutting Edge” Internal Auditing since 1941’, Paper
presented at the First Global Academic Conference
on Internal Auditing and Corporate Governance,
20–22 April, Rotterdam.
Salierno, D. (2000), ‘The right measures’, The Internal
Auditor, Vol. 57, No. 1, pp. 41–46.
Sarens, G. & De Beelde, I. (2006a), ‘Internal auditors’
perception about their role in risk management: A
comparison between US and Belgian companies’,
Managerial Auditing Journal, Vol. 21, No. 1, pp. 63–80.
Sarens, G. & De Beelde, I. (2006b), ‘The relationship
between internal audit and senior management:
A qualitative analysis of expectations and
perceptions’, International Journal of Auditing, Vol.
10, No. 3, pp. 219–41.
Sawyer, L. B. (1995), ‘An internal audit philosophy’,
The Internal Auditor, August, pp. 46–55.
Int. J. Audit. 13: 43–60 (2009)
60
Sawyer, L. B. (2003), Sawyer’s Internal Auditing. The
Practice of Modern Internal Auditing, Altamonte
Springs, FL: Institute of Internal Auditors, Inc.
Scarbrough, D. P., Rama, D. V. & Raghunandan, K.
(1998), ‘Audit committee composition and
interaction with internal auditing: Canadian
evidence’, Accounting Horizons, Vol. 12, No. 1, pp.
51–62.
Simons, R. (1994), ‘How new top managers use control
systems as levers of strategic renewal’, Strategic
Management Journal, Vol. 15, pp. 169–89.
Smith, P. (1995), ‘Performance indicators and
outcomes in the public sector’, Public Money &
Management, Vol. 15, No. 4, pp. 13–16.
Spraakman, G. (1997), ‘Transaction cost economics:
A theory of internal audit’, Managerial Auditing
Journal, Vol. 17, No. 7, pp. 323–30.
Spira, L. F. & Page, M. (2003), ‘Risk management: The
reinvention of internal control and the changing
role of internal audit’, Accounting, Auditing and
Accountability Journal, Vol. 16, No. 4, pp. 640–61.
Tettamanzi, P. (2003), Internal Auditing: Evoluzione
storica, stato dell’arte e tendenze di sviluppo. Italia e
Regno Unito a confronto. Milan: Egea.
Turnbull (1999), Internal Control: Guidance for Directors
of Listed Companies Incorporated in the United
Kingdom, London: Institute of Chartered
Accountants in England and Wales.
Van Gansberghe, C. N. (2005), ‘Internal auditing in
the public sector: A consultative forum in Nairobi,
Kenya, shores up best practices for government
© Blackwell Publishing Ltd. 2009
M. Arena and G. Azzone
audit professionals in developing nations’, Internal
Auditor, Vol. 62, No. 4, pp. 69–73.
Van Peursem, K. (2004), ‘Internal auditors’ role and
authority: New Zealand evidence’, Managerial
Auditing Journal, Vol. 19, No. 3, pp. 378–93.
Van Peursem, K. (2005), ‘Conversations with internal
auditors: The power of ambiguity’, Managerial
Auditing Journal, Vol. 20, No. 5, pp. 489–512.
Walker, R. G. (2004), ‘Gaps in guidelines on audit
committees’, Abacus, Vol. 40, No. 2, pp. 157–92.
Wang, X. (1997), ‘Development trends and future
prospects of internal auditing’, Managerial Auditing
Journal, Vol. 12, No. 4/5, pp. 200–4.
Ziegenfuss, D. E. (2000), ‘Measuring performance’,
The Internal Auditor, Vol. 57, No. 1, pp. 36–40.
AUTHOR PROFILES
Marika Arena is researcher at Politecnico di
Milano, Italy. She received her PhD from
Politecnico di Milano in 2007. Her research
interests are in internal auditing and management
accounting.
Giovanni Azzone is professor of management
control systems at Politecnico di Milano, Italy. His
research interests include performance evaluation
in public sectors, management accounting and
strategic management and internal auditing.
Int. J. Audit. 13: 43–60 (2009)