
CURRENT ISSUES IN AUDITING
American Accounting Association
Vol. 15, No. 1, Spring 2021, pp. A38–A56
DOI: 10.2308/CIIA-2019-505

An Examination of Internal Audit Function Size: Evidence from U.S. Government and Nonprofit Sectors

Sarah A. Garven
Audrey N. Scarlata
Middle Tennessee State University

Downloaded from http://publications.aaahq.org/cia/article-pdf/15/1/A38/56230/i1936-1270-15-1-a38.pdf by guest on 27 March 2024

SUMMARY: We examine factors associated with internal audit function (IAF) size in U.S.
government and nonprofit (GNP) entities. Our results, based on responses from 345 GNP
participants, indicate several factors related to organizational characteristics, IAF
characteristics, IAF responsibilities, and information technology (IT) tools and audit
activities that are associated with IAF size. Specifically, we find IAF size is positively
associated with: (1) mandated IAFs, (2) activity related to audits of general IT risks, (3)
use of a rotational staffing model, (4) degree of fraud detection responsibility, (5) conduct
of performance audits, (6) extent of sophisticated audit technologies, (7) organization
size, (8) opportunity to receive a bonus, and (9) age of the IAF. IAF size is negatively
related to (1) extent of access to records and property appropriate for the performance of
audits, (2) nonprofit organizations, (3) healthcare institutions, and (4) educational
institutions. Additional analysis reveals variation between large and small organizations.
Keywords: internal audit; government and nonprofit sectors; staffing; corporate
governance.

We thank workshop participants at the 2019 AAA Southeast Region meeting and the 2019 Ohio Region meeting for
helpful comments.
The Internal Audit Foundation granted access to the Common Body of Knowledge (CBOK) 2015 Global Internal Audit
Practitioner Survey on conditions of anonymity and confidentiality. Although the data were provided by the Foundation,
the views expressed in this study are those of the author and do not necessarily present positions or opinions of the
Foundation.
Sarah A. Garven and Audrey N. Scarlata, Middle Tennessee State University, Jones College of Business, Department
of Accounting, Murfreesboro, TN, USA.
Editor’s note: Accepted by Lisa Milici Gaynor.

Submitted: November 2019
Accepted: June 2020
Published Online: June 2020


I. INTRODUCTION

Government and nonprofit (GNP) organizations are major economic forces in our society
(Freeman, Shoulders, McSwain, and Scott 2018). Nonprofits (NPOs) employ over 10
percent of the workforce, receive over $330 billion in private contributions, hold more than
$5 trillion in assets, and contribute over $900 billion to the U.S. economy (McKeever 2015;
McKeever and Gaddy 2016). State and local governments report over $2.9 trillion in general
revenues and employ over 14 million full-time and almost 5 million part-time employees (U.S.
Census Bureau 2015a; U.S. Census Bureau 2015b). Collectively, the GNP sector accounts for
over a third of all U.S. economy expenditures (Freeman et al. 2018). Despite the importance of
GNPs to the U.S. economy, there has been limited investigation of their internal audit functions
(IAFs) beyond examining the effects of their presence or absence in an organization.

Differing legal, political, and social environments exist between GNP organizations and for-profit
entities (T. Patton, S. Patton, and Ives 2019). GNPs seek to provide services to their
constituencies, rather than increase shareholders’ wealth, and their resource providers (donors
and taxpayers) do not expect to receive benefits commensurate to the resources they provide
(Reck and Lowensohn 2016; Patton et al. 2019). GNPs must not only report on the inflows and
outflows of these resources, but also demonstrate accountability for them (Patton et al. 2019). The
GNP sector’s focus on demonstrating efficiency and effectiveness in service delivery as well as
ensuring compliance with donor restrictions and laws results in a much broader degree of
accountability required for GNPs than for for-profits (Patton et al. 2019).
The lack of residual claimants in the GNP sector does not ensure that GNP organizations will
be free from agency conflicts (Krishnan, M. Yetman, and R. Yetman 2006; Vermeer, Styles, and
Patton 2010). Government officials and nonprofit management may not always act in their
constituents’ best interests, thus necessitating the use of monitoring mechanisms to reduce
agency losses (Krishnan et al. 2006; Vermeer et al. 2010). As noted by Vermeer (2008), the need
for monitoring may be even more critical in the GNP sector due to the absence of shareholder
oversight. It is unlikely that donors and taxpayers invest the same level of vigilance in monitoring as
do shareholders (Vermeer 2008).
Given the significance of the GNP sector to the U.S. economy as well as the increasing call for
accountability (Garven, Beck, and Parsons 2018; Aikins 2013), it is important to consider the
sector’s response to monitoring demands. One such response is to invest resources into the IAF
(Carcello, Hermanson, and Raghunandan 2005a; Vermeer, Raghunandan, and Forgione 2006).
Such a response demonstrates a high level of commitment to preserving the public’s trust that
donations and tax dollars are being used for their intended purpose and to ensure the entity is
accomplishing its objectives. As suggested by Anderson, Christ, Johnstone, and Rittenberg
(2012), a greater commitment to corporate governance will likely result in a greater investment in
the IAF.
A considerable amount of research has examined factors associated with organizations’
investment in the IAF (measured by IAF staff or budget size) in the U.S. for-profit sector (Carcello
et al. 2005a; Barua, Rama, and Sharma 2010; Carcello, Hermanson, and Raghunandan 2005b;
Anderson et al. 2012) and the for-profit sector of other countries (Goodwin-Stewart and Kent 2006;
Gronewold and Heerlein 2009; Sarens and Abdolmohammadi 2011; Alhajri 2017). Due to
extensive differences between the GNP and for-profit sectors (including purpose, monitoring
needs, and stakeholders), the GNP sector is a unique environment in which to study investment in
internal auditing. We extend prior IAF investment research by examining four sets of factors
associated with IAF staff size in the U.S. GNP sector. These factor sets include organizational
characteristics, IAF characteristics, IAF responsibilities, and information technology (IT) tools and
audit activities.
Using responses from 345 GNP participants in the Common Body of Knowledge (hereafter,
CBOK) 2015 Global Internal Auditor Practitioner Survey administered by the Institute of Internal
Auditors Research Foundation, we provide evidence that GNP IAF size is associated with
variables in all four sets of factors. These variables include organization size, IAF mandate, NPOs,
organizations classified as healthcare and educational institutions, IAF age, opportunity to receive
a bonus, use of a rotational staffing model, extent of access to records and property appropriate for
the performance of audits, degree of fraud detection responsibility, conduct of performance audits,
extent of activity related to audits of general IT risks, and extent of use of sophisticated audit
technologies. We also examine large and small organizations separately and find, among larger
organizations, organizational characteristics such as size and industry have a strong association
with IAF size. For smaller organizations, more characteristics specific to the IAF itself, such as the
opportunity to receive a bonus, use of a rotational staffing model, and extent of access to records
and property appropriate for the performance of audits, have a strong association.
From an academic perspective, this paper adds to the internal audit, corporate governance,
and GNP sector literature. Our model includes several factors of IAF size not previously examined,
including degree of fraud detection responsibility, degree of fraud prevention responsibility, extent
of access to records and property appropriate for the performance of audits, and opportunity to
receive a bonus. Additionally, our examination of large and small organizations separately has not
previously been done in the context of IAF size. From a practice standpoint, our results provide
insights to organizations on factors that are associated with IAF size. Our descriptive results can
assist GNP organizations in comparing their IAFs with those of others across the nation and our
empirical model can be used as a benchmark for GNP management in evaluating the size of their
IAFs. As a result, our results may serve to initiate a discussion among management about the
adequacy of their IAF.

II. BACKGROUND AND THEORY DEVELOPMENT


In recent years, the IAF has become an important and useful corporate governance
monitoring mechanism (Sarens and Abdolmohammadi 2011). It plays a critical role in the
organization’s success through its performance of assurance services, which serve in supporting
the governance structure (Anderson et al. 2017). Additionally, the function adds value by
identifying emerging risks and delivering business insights (KPMG 2017) and it serves all types of
organizations, from private and publicly-traded companies to government and nonprofit
organizations (Anderson et al. 2017).
GNP internal auditors are in a unique position and face unique challenges as compared to
their counterparts in the for-profit sector. For example, studies find compensation for NPO
executives and workers is substantially lower on average than their for-profit counterparts (Panel
on the Nonprofit Sector 2005) and retaining audit staff in the public sector is problematic due to
government pay scales and insufficient funding (compared to their non-public sector counterparts)
(Piper 2015). Also, public sector internal auditors must balance satisfying the needs of their CEOs,
boards of directors, regulators, and managers with being accountable to politicians and the public
(Piper 2015). Nonprofit internal auditors, too, must not only serve the needs of their internal
stakeholders, but also be accountable to donors and grantors, the IRS, the respective state from
which their organization receives legal existence, and the public (Garven 2012).

Thousands of nonprofits compete for scarce resources and are commonly judged on what
proportion of these resources are dedicated to providing programs that fulfill the organization’s
mission, i.e., the program ratio (Garven, Hofmann, and McSwain 2016). Resources spent on the
IAF are considered administrative expenses. Although these resources are arguably key to helping
the organization accomplish its mission, they do not directly contribute to increasing a nonprofit’s
program ratio. This may result in the reluctance of some NPOs to funnel considerable amounts of
resources into the IAF. Governments, too, faced with “increasingly constrained public sector
budgets” (Aikins 2017, 1), may also be reluctant to spend considerable resources on activities that
do not provide direct service to citizens. As noted in a 2018 report by the Oregon Secretary of
State, the IAF is one of the first functions agencies cut in many states experiencing financial
difficulties (Richardson 2018). Thus, our study examines factors associated with GNP
organizations’ investment in IAF staff.

Organizational Characteristics
The organizational characteristics we examine include: (1) organization size, (2) industry
classification (education, healthcare, and other), (3) type of entity (nonprofit or governmental), and
(4) whether an IAF is mandated. Larger GNP organizations are more complex and thus may be
scrutinized by the public more (Vermeer et al. 2006; C. Edmonds, J. Edmonds, B. Vermeer, and T.
Vermeer 2017), and hospitals and educational institutions are often subject to much more
complexity and regulation in their operations as compared to other types of organizations
(Vermeer et al. 2006). This increased complexity and scrutiny of operations may result in an
increased level of audit work, as well as adoption of stronger monitoring mechanisms (Beattie,
Goodacre, Pratt, and Stevenson 2001; Vermeer et al. 2006; Vermeer, Raghunandan, and
Forgione 2009). Thus, we expect a positive association between organization size and GNP
entities that are hospitals or educational institutions and IAF size.
As noted earlier, both governments and nonprofits may be reluctant to expend significant
resources on the IAF as these expenditures are not service-related. For nonprofits, such
expenditures lower their program ratio, a common measure of nonprofit efficiency, and research
has found a positive association between the program ratio and donations (Weisbrod and
Dominguez 1986; Posnett and Sandler 1989; Callen 1994; Tinkelman 1999; Okten and Weisbrod
2000; M. Yetman and R. Yetman 2013). Thus, nonprofits that are viewed as financially inefficient
risk a loss of donations, upon which many depend. Governments, however, which depend on
taxes, will normally continue operations even if they are deemed inefficient or ineffective
(Freeman et al. 2018). Thus, the need to demonstrate financial efficiency may be stronger for
nonprofits than governments. As such, we posit nonprofits may invest fewer resources into their
IAFs compared to governments and we expect a negative association between nonprofit
organizations and IAF size.
Certain organizations are required by law or regulation to have an IAF in place. For example,
within the public sector, there is often a mandatory requirement to have an IAF, the banking and
financial services industry has a general global requirement to have an IAF, and companies and
parent companies listed on the New York Stock Exchange are required to maintain an IAF
(Allegrini, D’Onza, Melville, Sarens, and Selim 2011; Sarens and Abdolmohammadi 2011).
Because organizations mandated to have an IAF operate in highly regulated environments and
typically face greater compliance risks, it is likely they will invest more in their IAF (Sarens and
Abdolmohammadi 2011). Examining Belgian companies, Sarens and Abdolmohammadi (2011)
find a mandate for the IAF is positively associated with IAF size. Consistent with prior research, we
expect a positive association between IAF mandate and IAF size.

IAF Characteristics
The IAF characteristics we examine include: (1) extent of access to property and records
appropriate for the performance of audit activities, (2) use of a rotational staffing model, (3)
opportunity to receive a bonus, and (4) IAF age. An IAF’s charter should “[authorize] access to
records, personnel, and physical properties relevant to the performance of engagements”
(Interpretation to IIA Standard 1000: Purpose, Authority, and Responsibility) (IIA 2016). Greater
ease of access to such property and records will likely result in staffing efficiencies with the IAF
being able to achieve its objectives with a smaller staff. Thus, we expect extent of access to
relevant property and records to be negatively related to IAF size.
A staff rotation program involves staff being rotated through the IAF as part of training them for
management in other parts of the organization. Benefits of this type of program include increasing
the number of internal audit ambassadors throughout the organization and helping address any
skills gaps (Deloitte 2016). Consistent with the findings of Anderson et al. (2012), we expect the
use of a rotational staffing model to be associated with larger IAF size. As noted by Anderson et al.
(2012), it is likely IAFs with this type of staffing strategy are larger due to having staff with little
internal audit experience and experiencing constant turnover.
DeZoort, Houston, and Reisch (2000) note the opportunity for internal auditors to receive a
bonus from the organization may serve as a recruitment and retention tool and could also result in
cost savings. Successful recruitment and retention will help ensure IAFs are operating at full
staffing capacity and using bonuses to supplement budgeted salaries could allow GNPs to hire
more people into the IAF since they will have less in budgeted salaries and can then choose to pay
the bonus when there is a surplus. On the other hand, DeZoort et al. (2000) also note that the
opportunity to receive a bonus can increase the IAF’s productivity and effectiveness; this increased
productivity and effectiveness could result in staffing efficiencies, with fewer staff needed. Due to
these competing possibilities, we do not make a directional prediction regarding the opportunity to
receive a bonus and IAF size.
Sarens, Allegrini, D’Onza, and Melville (2011) test whether IAF size is significantly different
between three clusters of IAFs based on age and find that the size of the IAF is positively related to
the age of the IAF. They suggest that the longer the IAF has existed, the more time the IAF has
had to prove it is a value-added function, and thus the more time the organization has benefited
from the IAF’s services and supported expanding the IAF (Sarens et al. 2011). Based on this
argument, we expect a positive association between IAF age and IAF size.

IAF Responsibilities
The IAF responsibilities we examine include: (1) degree of fraud prevention responsibility, (2)
degree of fraud detection responsibility, and (3) conduct of performance audits. Fraud is one of the
top risks organizations face (Anderson et al. 2017) and internal auditors “are increasingly being
asked to play a key role in preventing, deterring, and detecting fraud in for-profit, governmental,
and nonprofit organizations globally” (Anderson et al. 2017, 8–28). Fraud prevention and detection
activities conducted by internal audit may include whistleblower hotline monitoring, fraud
investigation, fraud awareness training, audits of internal controls related to fraud prevention or
detection, and fraud risk assessment facilitation (Araj 2015). As these activities require a
significant time commitment and redirect internal audit resources away from other important audit
activities (Araj 2015), we expect organizations heavily involved in fraud prevention and detection to
be associated with larger staffs, possibly even having dedicated fraud specialists on staff. Thus,
we expect a positive relationship between an IAF’s responsibilities related to the prevention and
detection of fraud and IAF size.
Deloitte’s “Internal Audit Insights 2018” report identifies operational risk assurance as a high-impact
area of focus for IAFs. The report notes operational (or performance) audits “focus mainly
on nonfinancial assets and processes” and “aim to determine how performance aligns with
management’s expectations, identify areas to be investigated, and propose enhancements”
(Deloitte 2018, 13). The report further mentions the orientation of many internal auditors is toward
financial processes and performance, and IAFs should dig deeper into assessing operational
efficiency, effectiveness, and risk management. Anderson et al. (2012) note audit committees and
management often want the IAF to be involved in more than financial statement compliance and
mention that prior literature (Anderson and Svare 2011; IIA 2009) suggests more involvement is
needed from IAFs with respect to providing reviews of operations. Similar to conducting fraud
detection and prevention activities, conducting performance audits also requires a large time
commitment and redirects internal audit resources away from other important audit activities.
Thus, we expect organizations heavily involved in conducting performance audits to be associated
with larger staffs and posit a positive relationship between an IAF’s responsibility related to
conduct of performance audits and IAF size.

IT Tools and Audit Activity


The IT tools and audit activities we examine include: (1) extent of use of sophisticated audit
technologies, (2) extent of activity related to audits of general IT risks, and (3) extent of activity
related to audits of IT privacy and security compliance. As noted in the CBOK report “Staying a
Step Ahead: Internal Audit’s Use of Technology,” internal auditors are now under pressure to
adapt to new technologies (Cangemi 2015). From one perspective, greater usage of sophisticated
audit technology should result in increased efficiencies (Anderson et al. 2012; Cangemi and
Singleton 2003; KPMG 2017; PWC 2018) which then would result in the need for fewer staff
(Anderson et al. 2012). A competing possibility, noted in Anderson et al. (2012), is that a large
investment in auditing technology may indicate an organization has a stronger commitment to
internal audit and desires greater coverage, thus broadening the range of internal audit
responsibilities and tasks covered. Thus, one might expect a greater investment in technology
to be associated with a larger IAF. Due to differing possibilities, we make no directional prediction
regarding extent of use of sophisticated audit technologies and IAF size.
Similar to Anderson et al. (2012) we look at two types of IT audit activity: general and
security-specific. On one hand, as IT-related audits may require specialized skills and expertise
beyond that of internal auditors performing other audit activities (Anderson et al. 2012), we
might expect a positive association between extent of IT-related audit activity and IAF size. On
the other hand, due to the supply of skilled IT auditors unable to keep pace with the demand
(Anderson et al. 2017), GNP IAFs may find themselves forced to “do more with the same (or
with less)” (Deloitte 2016, 27), ask for assistance from other departments, or hire external
service providers who have the needed IT competencies (Anderson et al. 2017). Given
competing viewpoints, we make no directional prediction regarding extent of IT audit activity and
IAF size.

TABLE 1
Sample Selection

Number of Global Government and Nonprofit Organizations            3,647
Less: Non-U.S. organizations                                      (2,881)
Less: Respondents who do not work as internal auditors within
      the organization where employed                                (17)
Less: Observations with missing data                                (404)
Final Sample                                                         345

III. RESULTS

Data and Sample

Our data, taken from the results of the Common Body of Knowledge (CBOK) 2015 Global
Internal Audit Practitioner Survey, are provided by the Institute of Internal Auditors Research
Foundation (IIARF). The CBOK is the largest study of the internal audit profession in the world. An
online survey link was emailed to IIA members and posted on the IIA’s website, with survey
responses collected from February 2, 2015 until April 1, 2015 (Araj 2015). Approximately 14,500
practitioners across 150 North American chapters as well as 166 countries participated in the
survey (IIA 2015).
Of the approximately 14,500 practitioners that participated in the survey, 3,647 were from
GNP organizations. Since U.S. GNP organizations are the focus of our study, we narrow our
sample to U.S. respondents. Thus, we removed 2,881 non-U.S. observations. Because we only
wish to include observations in which the respondent indicated he/she works as an internal auditor
within the organization where employed, 17 additional observations were removed. An additional
404 observations were dropped due to missing responses, resulting in a final sample of 345 (see
Table 1).1

Empirical Model

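We estimate the relationship between various organizational characteristics, IAF characteristics,
IAF responsibilities, and IT tools and audit activities on IAF size as follows:

$$
\begin{aligned}
\text{IAF\_SIZE} ={}& \beta_0 + \beta_1\,\text{ORG\_SIZE} + \beta_2\,\text{IND\_EDUC} + \beta_3\,\text{IND\_HLTH} + \beta_4\,\text{NPO} + \beta_5\,\text{MANDATE} \\
&+ \beta_6\,\text{ACCESS} + \beta_7\,\text{ROTATE} + \beta_8\,\text{BONUS} + \beta_9\,\text{IAF\_AGE} + \beta_{10}\,\text{PREV\_FRAUD} \\
&+ \beta_{11}\,\text{DET\_FRAUD} + \beta_{12}\,\text{PERF\_AUDIT} + \beta_{13}\,\text{IT\_TOOLS} + \beta_{14}\,\text{IT\_GENRISK} \\
&+ \beta_{15}\,\text{IT\_SECURITY} + \varepsilon
\end{aligned}
$$
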
Regression variables are defined below. Pearson correlations are calculated in Table 2, Panels A
and B. Only one correlation exceeds 0.50 (the correlation between IT_GENRISK and IT_SECURITY
is 0.72) and an analysis of variance inflation factors (VIFs) in the model does not
indicate problems with multicollinearity. All VIFs are less than ten, with a high of 2.32.

1 Using statistical software, we examined the data on various organizational variables simultaneously to
determine if people from the same organization completed the survey in our sample. The results did not return
any duplicate observations; thus, we feel confident that our sample is composed of only one response per
organization.

TABLE 2
Pearson Correlation Coefficients

Panel A: IAF_SIZE—ROTATE
             IAF_SIZE  ORG_SIZE  IND_EDUC  IND_HLTH  NPO       MANDATE   ACCESS    ROTATE
ORG_SIZE     0.410**
IND_EDUC     0.095     0.129*
IND_HLTH     0.012     0.276**   0.188**
NPO          0.130*    0.039     0.077     0.358**
MANDATE      0.224**   0.002     0.029     0.258**   0.423**
ACCESS       0.026     0.098     0.027     0.039     0.051     0.027
ROTATE       0.263**   0.001     0.096     0.102     0.022     0.116*    0.046
BONUS        0.182**   0.001     0.205**   0.227**   0.397**   0.052     0.039     0.150**
IAF_AGE      0.341**   0.251**   0.118*    0.048     0.082     0.130*    0.038     0.066
PREV_FRAUD   0.057     0.06      0.001     0.057     0.118*    0.019     0.008     0.013
DET_FRAUD    0.095     0.004     0.07      0.055     0.041     0.036     0.012     0.088
PERF_AUDIT   0.297**   0.089     0.186**   0.118*    0.319**   0.244**   0.086     0.166**
IT_TOOLS     0.351**   0.188**   0.032     0.077     0.032     0.044     0.056     0.229**
IT_GENRISK   0.321**   0.121*    0.074     0.118*    0.185**   0.019     0.07      0.103
IT_SECURITY  0.293**   0.114*    0.107*    0.117*    0.185**   0.042     0.071     0.179**

Panel B: BONUS—IT_GENRISK
             BONUS       IAF_AGE     PREV_FRAUD  DET_FRAUD   PERF_AUDIT  IT_TOOLS    IT_GENRISK
IAF_AGE      0.004
PREV_FRAUD   0.083       0.033
DET_FRAUD    0.029       0.012       0.480**
PERF_AUDIT   0.055       0.053       0.086       0.024
IT_TOOLS     0.197**     0.098       0.072       0.048       0.154**
IT_GENRISK   0.242**     0.095       0.009       0.051       0.05        0.420**
IT_SECURITY  0.260**     0.155**     0.069       0.056       0.042       0.435**     0.720**

**, * Indicate correlation is significant at the 0.01 and 0.05 levels, respectively (two-tailed).

The variables are defined as follows (See Appendix A for original CBOK survey questions):
IAF_SIZE = natural log of full-time equivalent employees in IAF;
ORG_SIZE = natural log of employees in organization;
IND_EDUC = 1 if organization industry classification is Educational Services, 0 otherwise;
IND_HLTH = 1 if organization industry classification is Health Care and Social Assistance, 0
otherwise;
NPO = 1 if organization type is nonprofit organization (not related to government), 0 otherwise;
MANDATE = 1 if IAF is mandated, 0 otherwise;
ACCESS = IAF’s extent of access to records and property appropriate for the performance of
audits (1 = None of the time; 2 = Some of the time; 3 = Most of the time; 4 = All of the
time);
ROTATE = 1 if there is a process to rotate staff through IAF, 0 otherwise;
BONUS = 1 if bonus opportunity, 0 otherwise;
IAF_AGE = natural log of age of IAF in years;
PREV_FRAUD = IAF’s degree of responsibility related to preventing fraud (1 = None of the
responsibility; 2 = Some of the responsibility; 3 = Most of the responsibility; 4 = All of the
responsibility);
DET_FRAUD = IAF’s degree of responsibility related to detecting fraud (1 = None of the
responsibility; 2 = Some of the responsibility; 3 = Most of the responsibility; 4 = All of the
responsibility);
PERF_AUDIT = 1 if IAF conducted performance audits in the past year, 0 otherwise;
IT_TOOLS = mean extent of activity for IAF related to use of 11 IT tools and techniques (1 =
None, 2 = Minimal, 3 = Moderate, 4 = Extensive);
IT_GENRISK = extent of IAF activity related to audits of general IT risks (1 = None, 2 =
Minimal; 3 = Moderate; 4 = Extensive); and
IT_SECURITY = mean extent of IAF activity related to audits of six IT security areas (1 =
None, 2 = Minimal, 3 = Moderate, 4 = Extensive).

Descriptive Statistics
Table 3 provides descriptive statistics for the final sample. Internal audit size is measured as
the log of the number of full-time equivalent employees and has a mean of 1.88 (or about 7
employees).
Organizational Characteristics
Average organization size (also a logged value) is 7.53 (or about 1,900 employees). Fourteen
percent of the sample are in the educational services industry, 18 percent are in the healthcare
industry, and the remaining 68 percent are classified as “Other” (e.g., finance and insurance,
utilities, arts, entertainment, and recreation). Thirty percent of the sample consist of nonprofit
organizations and an IAF is mandated for 45 percent.
IAF Characteristics
The mean for extent of access to records and property appropriate for performing audits is
3.48, which translates to the IAF having access most of the time. A mere 12 percent of
organizations have a process in place to rotate employees through the IAF as part of
management training. The low usage of rotational programs is consistent with findings from the
Deloitte 2016 Global Chief Audit Executive Survey and may be attributed to barriers such as a
lack of support from senior management and a common view that an internal audit rotation is
not a career accelerator (Deloitte 2016). Although paying bonuses to internal auditors is viewed
by some as a possible threat to an internal auditor’s independence (DeZoort et al. 2000;
McLeod 2014), approximately 32 percent of internal auditors in the sample are eligible to
receive one. The average age of the IAF is 2.82 (logged value) which translates to
approximately 17 years.
IAF Responsibilities
The sample mean for preventing fraud is 1.85, which translates to IAFs having, on average,
some of the responsibility for preventing fraud. The sample mean for detecting fraud is 2.11, which
indicates that IAFs also have some of the responsibility for detecting fraud. Almost half (48
percent) of sample IAFs reported doing a performance audit in the last year.

TABLE 3
Descriptive Statistics (n = 345)

Variable Name                     Mean   Median   Min    25th Pctl.  75th Pctl.  Max     Std. Dev.
Dependent Variable
  IAF_SIZE                        1.88   (1.79)   0.00   1.10        2.48        4.61    1.18
Independent Variables
 Organizational Characteristics
  ORG_SIZE                        7.53   (7.60)   4.32   6.31        8.70        10.36   1.64
  IND_EDUC                        0.14   (0.00)   0.00   0.00        0.00        1.00    0.35
  IND_HLTH                        0.18   (0.00)   0.00   0.00        0.00        1.00    0.38
  NPO                             0.30   (0.00)   0.00   0.00        1.00        1.00    0.46
  MANDATE                         0.45   (0.00)   0.00   0.00        1.00        1.00    0.50
 IAF Characteristics
  ACCESS                          3.48   (4.00)   1.00   3.00        4.00        4.00    0.68
  ROTATE                          0.12   (0.00)   0.00   0.00        0.00        1.00    0.32
  BONUS                           0.32   (0.00)   0.00   0.00        1.00        1.00    0.47
  IAF_AGE                         2.82   (3.00)   1.10   2.30        3.40        3.91    0.77
 IAF Responsibilities
  PREV_FRAUD                      1.85   (2.00)   1.00   1.00        2.00        4.00    0.64
  DET_FRAUD                       2.11   (2.00)   1.00   2.00        2.00        4.00    0.55
  PERF_AUDIT                      0.48   (0.00)   0.00   0.00        1.00        1.00    0.50
 IT Tools and Audit Activities
  IT_TOOLS                        2.30   (2.36)   1.00   1.73        2.91        4.00    0.75
  IT_GENRISK                      2.74   (3.00)   1.00   2.00        3.00        4.00    0.85
  IT_SECURITY                     2.23   (2.17)   1.00   1.67        3.00        4.00    0.78

IT Tools and Audit Activities
Investment in audit technology is measured as the mean extent of use of 11 technology tools
and techniques, with a 3.0 indicating moderate use. The sample mean is 2.30, indicating less
than moderate use. Untabulated results indicate the most extensively used tools/techniques are
electronic workpapers (mean = 3.02) and a software tool for data mining (mean = 2.59). The least
extensively used tools/techniques are an automated tool for internal quality assessments (mean
= 1.77) and continuous/real-time auditing (mean = 1.92). Table 3 shows the sample mean for
extent of audit activity related to general IT risks is 2.74 (on a scale where a 3.0 indicates
moderate activity), thus indicating slightly less than moderate activity. Lastly, the sample mean
for extent of audit activity related to privacy and security is 2.23, indicating slightly more than
minimal activity. Untabulated results indicate the most extensive audit activity related to privacy
and security takes place in the audits of the physical security of major data centers (mean =
2.55). Audits of the cybersecurity of the organization’s electronically held information come in
second but still with only slightly more than minimal activity (mean = 2.40) on average and with
only about 10 percent of IAFs indicating extensive activity. With cybersecurity risks constantly on
the rise and security breaches constantly in the news, these audits represent an opportunity for
GNP IAFs to create value for the organization by preserving and increasing stakeholder trust. An
audit area that appears to get the least attention relates to employees’ usage of social media
(mean = 1.95), with less than minimal activity on average and less than 4 percent of IAFs
indicating extensive activity.

TABLE 4
Multivariate Regression Results

$$
\begin{aligned}
\text{IAF\_SIZE} = {} & \beta_0 + \beta_1\,\text{ORG\_SIZE} + \beta_2\,\text{IND\_EDUC} + \beta_3\,\text{IND\_HLTH} + \beta_4\,\text{NPO} + \beta_5\,\text{MANDATE} \\
& + \beta_6\,\text{ACCESS} + \beta_7\,\text{ROTATE} + \beta_8\,\text{BONUS} + \beta_9\,\text{IAF\_AGE} + \beta_{10}\,\text{PREV\_FRAUD} \\
& + \beta_{11}\,\text{DET\_FRAUD} + \beta_{12}\,\text{PERF\_AUDIT} + \beta_{13}\,\text{IT\_TOOLS} + \beta_{14}\,\text{IT\_GENRISK} \\
& + \beta_{15}\,\text{IT\_SECURITY} + \varepsilon
\end{aligned}
$$

                                  Model 1: Full Sample    Model 2: Large          Model 3: Small
                                  (n = 345)               (n = 177)               (n = 168)
Variable                  Pred.
                          Sign    Coeff.    p-value       Coeff.    p-value       Coeff.    p-value
Constant                  ?       0.9810    < 0.0001      4.0223    < 0.0001      0.5669    0.3765
Organizational Characteristics
  ORG_SIZE                +       0.2320    < 0.0001      0.4574    < 0.0001      0.0564    0.3423
  IND_EDUC                +       0.3290    0.0094        0.4458    0.0021        0.3507    0.0926
  IND_HLTH                +       0.2614    0.0705        0.6955    0.0003        0.3023    0.2290
  NPO                             0.2027    0.0473        0.0505    0.4044        0.3420    0.0127
  MANDATE                 +       0.1816    0.0389        0.0538    0.7067        0.3292    0.0108
IAF Characteristics
  ACCESS                          0.0873    0.0922        0.1451    0.1448        0.2457    0.0065
  ROTATE                  +       0.4302    0.0058        0.0188    0.9218        0.8437    0.0001
  BONUS                   ?       0.3516    0.0041        0.2030    0.1581        0.4923    0.0112
  IAF_AGE                 +       0.2937    < 0.0001      0.2024    0.0079        0.3762    < 0.0001
IAF Responsibilities
  PREV_FRAUD              +       0.0169    0.4158        0.0679    0.4847        0.0936    0.4414
  DET_FRAUD               +       0.1242    0.0850        0.1488    0.0892        0.0303    0.8310
  PERF_AUDIT              +       0.3113    0.0013        0.2575    0.0383        0.3279    0.0083
IT Tools and Audit Activities
  IT_TOOLS                ?       0.2049    0.0029        0.0388    0.6679        0.3617    0.0005
  IT_GENRISK              ?       0.2332    0.0019        0.3056    0.0007        0.2090    0.0669
  IT_SECURITY             ?       0.0273    0.7490        0.0184    0.8579        0.2094    0.0989
Adjusted R²                       0.4321                  0.3982                  0.4529

p-values are one-tailed when the coefficient is in the predicted direction and two-tailed when the coefficient is not in the predicted
direction or there was no predicted direction. n = 345.


Multivariate Analysis
Table 4, Model 1 reports our full sample regression results. The model is statistically
significant at the p < 0.001 level with an adjusted R² of 0.4321.
Organizational Characteristics
Consistent with expectations and with Anderson et al. (2012), Goodwin-Stewart and Kent
(2006), and Gronewold and Heerlein (2009), we find organization size is positively associated with
IAF size (p < 0.0001). These results are possibly due to the increased complexity and scrutiny of
operations these organizations face, which may result in an increased level of audit work, fueling
the need for a larger staff. Contrary to expectations, compared to organizations classified as
“Other,” organizations classified as educational institutions or healthcare institutions are negatively
associated with IAF size (p = 0.0094 and p = 0.0705, respectively). A possible explanation for
these results is a recent decrease in funding to these two industries, stemming from declines in
state appropriations for public education and declines in federal money for healthcare as a result of
the Affordable Care Act (Woodhouse 2015). This, coupled with an increased focus on providing
direct value-added services to combat consumer criticism over rising prices (Woodhouse 2015),
may result in their IAFs having to make do with less. NPOs in the sample, compared to the
governmental organizations, are negatively associated with IAF size (p = 0.0473). The need to
maintain a high program ratio may make nonprofits particularly hesitant to invest money into the
IAF as opposed to other types of organizations, including governmental entities. Consistent with
Sarens and Abdolmohammadi (2011), we find organizations for which IAFs are mandated are
positively associated with IAF size (p = 0.0389). These organizations typically operate in highly
regulated environments and may be subject to greater compliance risk, creating the need for a
larger IAF.
IAF Characteristics
We find extent of access to records and property appropriate for the performance of audits is
negatively associated with IAF size (p = 0.0922), suggesting greater access leads to staffing
efficiencies. Consistent with the results of Anderson et al. (2012), we find rotating employees through the
IAF is positively associated with IAF size (p = 0.0058). Thus, IAFs with this type of staffing strategy
likely require larger staffs due to the inexperience of staff and constant staff turnover (Anderson et
al. 2012). Providing bonuses is also positively associated with IAF size (p = 0.0041). It appears
using bonuses (which are not permanent and are paid at the discretion of the organization) may
allow GNPs to hire more internal auditors as doing so can result in these organizations budgeting
less in salaries (which are permanent). Lastly, IAF age is also positively associated with IAF size (p
< 0.0001), suggesting IAF maturity plays a role in staffing.
IAF Responsibilities
The IAF responsibilities we examined show mixed results. Preventing fraud is not associated
with IAF size (p = 0.4158), but detecting fraud is positively associated (p = 0.0850). As noted by
Anderson et al. (2017), the costs of preventing various frauds from occurring often exceed the
benefits; thus, organizations typically will implement a mixture of both preventive and detective
controls. Our results could indicate IAFs involved heavily in fraud detection may be subject to a
higher level of audit work than IAFs tasked with a high level of responsibility for fraud prevention,
possibly due to the performance of fewer prevention activities, many of which can be prohibitively
costly. Conducting performance audits is positively associated with IAF size (p = 0.0013). These
types of audits require a significant time commitment and suggest a need for significant internal
audit resources.
IT Tools and Audit Activities
Consistent with Anderson et al. (2012), we find a positive relationship between IAF size and
investment in audit technology (p = 0.0029). Anderson et al. (2012) posit that a large investment
in auditing technology may indicate an organization has a stronger commitment to internal audit
and desires greater internal audit coverage, requiring significant audit resources to perform these
additional audit tasks. Also in line with Anderson et al. (2012), we find a positive relationship
between the extent of IT general risk audit activity and IAF size (p = 0.0019), but no association
between the extent of IT privacy and security compliance audit activity and IAF size (p = 0.7490).
We posit these differing audit activity results may be related to a supply of talent. As noted in Anderson et al.
(2017, 7–6), all internal auditors are expected to understand “the IT risks that threaten the
achievement of their organizations’ business objectives.” Thus, organizations involved extensively
in IT general risk audits may find it easier to supply the required extra staff they need. Alternatively,
audits of privacy and security compliance likely require the use of auditors with IT expertise, who
are in short supply and high demand. Thus, to supply the IT talent they need, many organizations
may have to go outside the function to find those with the required IT skills.

Additional Analysis

We perform separate regressions on large and small organizations (using the median of
organization size as the cut-off), as it is possible that the independent variable associations with
IAF size may vary across organization size in ways that cannot be fully revealed by including an
organization size regression variable. Interestingly, the results indicate that more of the factors of
interest are associated with small size organizations than large size organizations. The results,
reported in Models 2 and 3 of Table 4, reveal that similar to the full sample, IND_EDUC,
PERF_AUDIT, IAF_AGE, and IT_GENRISK are significant in both the large and small size regressions,
and PREV_FRAUD is insignificant. However, ORG_SIZE, IND_HLTH, and DET_FRAUD are
significant for the large size group but not the small size group, and NPO, MANDATE, ACCESS,
ROTATE, BONUS, IT_TOOLS, and IT_SECURITY are significant for the small size group but not
the large size group. Overall, results suggest that for larger organizations, organizational
characteristics such as size and industry type have a strong association with IAF size. For smaller
organizations, characteristics specific to the IAF, such as the opportunity to receive a bonus, use of
a rotational staffing model, and extent of access to records and property appropriate for the
performance of audits, are strongly related to IAF size.

IV. CONCLUSIONS AND LIMITATIONS


This study examines factors associated with the size of IAFs in U.S. GNP entities. We find IAF
size is associated with various organizational characteristics, IAF characteristics, IAF
responsibilities, and IT tools and audit activities. Our results complement prior literature and reveal that
variables not previously examined are associated with GNP IAF size. To our knowledge, the IAF’s
degree of fraud detection responsibility, degree of fraud prevention responsibility, extent of access
to records and property appropriate for the performance of audits, and opportunity to receive a
bonus, have not been studied in this context. Of the four new variables of interest, we find
associations with IAF size for all but one of the variables. Additionally, we investigate the model for
small and large organizations separately and find considerable variability in the results. Future
research could further investigate the new variables introduced in this study as well as the
differences found between the associations of the variables with IAF size for small and large
organizations.
Our study has implications for GNP management, CAEs, and boards. The insights provided
may be useful in discussions about maximizing the value the IAF provides to the organization.
Additionally, the study may raise discussions about IAF staffing and hiring strategies, the role of
the IAF in anti-fraud efforts, pros and cons of overhead spending, and how GNP IAFs can balance
increasing expectations with increasingly constrained resources.

Some limitations of our study should be noted. An inherent limitation of using “off-the-rack”
survey data is that we were unable to examine certain variables that should be related to IAF size,
such as those related to outsourcing and audit committees.2 Thus, we encourage future
researchers to examine the effects of these variables as well as others on the current model.
Additionally, our sample includes only a small number of U.S. GNP participants who chose to
participate in the CBOK survey. Thus, caution is warranted in inferring how the variables examined
relate to the broader set of GNP organizations. As with all survey research, we do not have the
ability to ensure the questions were answered accurately and by the appropriate person (Garven et
al. 2016). Finally, although our study provides insights into factors associated with GNP IAF size, it
does not identify which IAF factors relate to organizational efficiency or improved organizational
performance, nor does it identify the “right” sized IAF for any particular organization. We invite
future research to examine these valuable lines of research.

REFERENCES
Aikins, S. 2013. Government internal auditors: The determinants of quality supervisory review of audit documentation.
International Journal of Public Administration 36 (10): 673–685. https://doi.org/10.1080/01900692.2013.791309
Aikins, S. 2017. An investigation of the relationships between time invested in government internal audit projects and
audit outcomes. Journal of Accounting and Finance 17 (7): 159–173.
Alhajri, M. 2017. Factors associated with the size of internal audit functions: Evidence from Kuwait. Managerial
Auditing Journal 32 (1): 75–89. https://doi.org/10.1108/MAJ-12-2015-1289
Allegrini, M., G. D’Onza, R. Melville, G. Sarens, and G. Selim. 2011. What’s Next for Internal Auditing? Report IV.
Altamonte Springs, FL: Institute of Internal Auditors Research Foundation.
Anderson, R., and J. Svare. 2011. Imperatives for Change: The IIA’s Global Internal Audit Survey in Action. Altamonte
Springs, FL: Institute of Internal Auditors Research Foundation.
Anderson, U., M. Christ, K. Johnstone, and L. Rittenberg. 2012. A post-SOX examination of factors associated with
the size of internal audit functions. Accounting Horizons 26 (2): 167–191. https://doi.org/10.2308/acch-50115
Anderson, U., M. Head, S. Ramamoorti, C. Riddle, M. Salamasick, and P. Sobel. 2017. Internal Auditing: Assurance &
Advisory Services. Lake Mary, FL: Internal Audit Foundation.
Araj, F. 2015. Responding to Fraud Risk: Exploring where Internal Auditing Stands. Altamonte Springs, FL: The
Institute of Internal Auditors Research Foundation.
Barua, A., D. V. Rama, and V. Sharma. 2010. Audit committee characteristics and investment in internal auditing.
Journal of Accounting and Public Policy 29 (5): 503–513. https://doi.org/10.1016/j.jaccpubpol.2010.09.001
Beattie, V., A. Goodacre, K. Pratt, and J. Stevenson. 2001. The determinants of audit fees: Evidence from the
voluntary sector. Accounting and Business Research 31 (4): 243–274.
https://doi.org/10.1080/00014788.2001.9729619
Callen, J. 1994. Money donations, volunteering, and organizational efficiency. Journal of Productivity Analysis 5 (3):
215–228. https://doi.org/10.1007/BF01073908
Cangemi, M. 2015. Staying a Step Ahead: Internal Audit’s Use of Technology. Altamonte Springs, FL: Institute of
Internal Auditors Research Foundation.
Cangemi, M., and T. Singleton. 2003. Managing the Audit Function: A Corporate Audit Department Procedures Guide.
Hoboken, NJ: John Wiley & Sons, Inc.
Carcello, J. V., D. R. Hermanson, and K. Raghunandan. 2005a. Factors associated with U.S. public companies’
investment in internal auditing. Accounting Horizons 19 (2): 69–84. https://doi.org/10.2308/acch.2005.19.2.69

2 Anderson et al. (2012) examine size of the audit committee, number of audit committee meetings, number of
audit committee meetings in which the CAE attends, if the audit committee approves the IAF’s budget, the
percentage of internal audit activities outsourced to third parties, and the percentage of internal audit activities
outsourced to other departments. Sarens and Abdolmohammadi (2011) look at audit committee activity and the
proportion of independent board members. Goodwin-Stewart and Kent (2006) examine directors’ shareholdings
and number of audit committee meetings. Alhajri (2017) examines audit committee size.

Carcello, J. V., D. R. Hermanson, and K. Raghunandan. 2005b. Changes in internal auditing during the time of the
major U.S. accounting scandals. International Journal of Auditing 9 (2): 117–127.
https://doi.org/10.1111/j.1099-1123.2005.00273.x
Deloitte. 2016. Evolution or irrelevance? Internal audit at a crossroads. Available at:
https://fdocuments.in/document/evolution-or-irrelevance-deloitte-us-audit-consulting-2018-05-22.html
Deloitte. 2018. Internal audit insights 2018: High-impact areas of focus. Available at:
https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Audit/gx-audit-high-impact-areas.pdf
DeZoort, F. T., R. Houston, and J. Reisch. 2000. Incentive-based compensation for internal auditors. The Internal
Auditor (June): 43–46.
Edmonds, C., J. Edmonds, B. Vermeer, and T. Vermeer. 2017. Does timeliness of financial information matter in the
governmental sector? Journal of Accounting and Public Policy 36 (2): 163–176.
https://doi.org/10.1016/j.jaccpubpol.2017.02.002
Freeman, R. J., C. D. Shoulders, D. N. McSwain, and R. B. Scott. 2018. Governmental and Nonprofit Accounting:
Theory and Practice. New York, NY: Pearson.
Garven, S. 2012. Are audit-related factors associated with financial reporting quality in nonprofit organizations? Ph.D.
Dissertation, The University of Alabama.
Garven, S., A. Beck, and L. Parsons. 2018. Are audit-related factors associated with financial reporting quality in
nonprofit organizations? Auditing: A Journal of Practice & Theory 37 (1): 49–68.
https://doi.org/10.2308/ajpt-51819
Garven, S., M. A. Hofmann, and D. McSwain. 2016. Playing the numbers game: Program ratio management in
nonprofit organizations. Nonprofit Management & Leadership 26 (4): 401–416.
https://doi.org/10.1002/nml.21201
Goodwin-Stewart, J., and P. Kent. 2006. The use of internal audit by Australian companies. Managerial Auditing
Journal 21 (1): 81–101. https://doi.org/10.1108/02686900610634775
Gronewold, U., and A. Heerlein. 2009. The Staff Capacity of the Internal Audit Function of German Corporations.
Paper Presented at the Midyear Meeting of the Auditing Section of the American Accounting Association, St.
Petersburg, FL, January 15–17.
Institute of Internal Auditors (IIA). 2009. Adding Value to the Organization. Altamonte Springs, FL: Institute of Internal
Auditors.
Institute of Internal Auditors (IIA). 2015. Common Body of Knowledge (CBOK) resource exchange. Available at:
https://na.theiia.org/iiarf/Pages/Common-Body-of-Knowledge-CBOK.aspx
Institute of Internal Auditors (IIA). 2016. International Standards for the Professional Practice of Internal Auditing. Lake
Mary, FL: Institute of Internal Auditors.
KPMG. 2017. Key risks for internal audit: 16 key risks for internal audit to consider in 2017/18. Available at:
https://assets.kpmg/content/dam/kpmg/be/pdf/2017/Key_risks_for_internal_audit.pdf
Krishnan, R., M. Yetman, and R. Yetman. 2006. Expense misreporting in nonprofit organizations. The Accounting
Review 81 (2): 399–420.
McKeever, B. 2015. The nonprofit sector in brief 2015: Public charities, giving, and volunteering. Available at:
https://www.urban.org/research/publication/nonprofit-sector-brief-2015-public-charities-giving-and-volunteering
McKeever, B., and M. Gaddy. 2016. The nonprofit workforce: By the numbers. The Nonprofit Quarterly 24 (October).
Available at: https://nonprofitquarterly.org/2016/10/24/nonprofit-workforce-numbers/
McLeod, T. 2014. Should auditors receive bonuses? Available at:
http://www.mcleodgovernance.com/weekly-wrap-9th-october-2014/
Okten, C., and B. A. Weisbrod. 2000. Determinants of donations in private nonprofit markets. Journal of Public
Economics 75 (2): 255–272.
Panel on the Nonprofit Sector. 2005. Strengthening transparency, governance, and accountability of charitable
organizations. A report to Congress and the nonprofit sector on governance, transparency, and accountability.
Convened by Independent Sector. Available at:
https://www.lawrenceassociates.com/pdfs/Panel%20on%20the%20Nonprofit%20Secto_Final_Report.pdf
Patton, T. K., S. R. Patton, and M. Ives. 2019. Accounting for Governmental & Nonprofit Organizations. Westmont, IL:
Cambridge Business Publishers.
Piper, A. 2015. Auditing the Public Sector: Managing Expectations, Delivering Results. Altamonte Springs, FL:
Institute of Internal Auditors Research Foundation.
Posnett, J., and T. Sandler. 1989. Demand for charity donations in private non-profit markets. Journal of Public
Economics 40 (2): 187–200.

PricewaterhouseCoopers (PWC). 2018. Moving at the speed of innovation: The foundational tools and talents of
technology-enabled internal audit. Available at:
https://www.pwc.co.uk/audit-assurance/assets/pdf/moving-at-the-speed-of-innovation.pdf
Reck, J. L., and S. L. Lowensohn. 2016. Accounting for Governmental & Nonprofit Entities. New York, NY:
McGraw-Hill Education.
Richardson, D. 2018. Opportunities exist to increase the impact of state agency internal audit functions. Available at:
https://sos.oregon.gov/audits/Documents/2018-25.pdf
Sarens, G., and M. Abdolmohammadi. 2011. Monitoring effects of the internal audit function: Agency theory versus
other explanatory variables. International Journal of Auditing 15 (1): 1–20.
https://doi.org/10.1111/j.1099-1123.2010.00419.x
Sarens, G., M. Allegrini, G. D’Onza, and R. Melville. 2011. Are internal auditing practices related to the age of the
internal audit function? Managerial Auditing Journal 26 (1): 51–64. https://doi.org/10.1108/02686901111090835
Tinkelman, D. 1999. Factors affecting the relation between donations to not-for-profit organizations and an efficiency
ratio. Research in Governmental and Nonprofit Accounting 10: 135–161.
U.S. Census Bureau. 2015a. 2015 State & local government finance historical datasets and tables: US summary &
Alabama-Mississippi. Available at:
https://www.census.gov/data/datasets/2015/econ/local/public-use-datasets.html
U.S. Census Bureau. 2015b. 2015 ASPEP datasets & tables: State and local government employment data. Available
at: https://www.census.gov/data/datasets/2015/econ/apes/annual-apes.html
Vermeer, T. 2008. Market for former Andersen clients: Evidence from government and non-profit sectors. Journal of
Accounting and Public Policy 27 (5): 394–408. https://doi.org/10.1016/j.jaccpubpol.2008.07.001
Vermeer, T., K. Raghunandan, and D. Forgione. 2006. The composition of nonprofit audit committees. Accounting
Horizons 20 (1): 75–90. https://doi.org/10.2308/acch.2006.20.1.75
Vermeer, T., K. Raghunandan, and D. Forgione. 2009. Audit fees at U.S. non-profit organizations. Auditing: A Journal
of Practice & Theory 28 (2): 289–303. https://doi.org/10.2308/aud.2009.28.2.289
Vermeer, T. E., A. K. Styles, and T. K. Patton. 2010. Are local governments adopting optimistic actuarial methods and
assumptions for defined benefit pension plans? Journal of Accounting and Public Policy 36: 163–176.
Weisbrod, B., and N. Dominguez. 1986. Demand for collective goods in private nonprofit markets: Can fundraising
expenditures help overcome free-rider behavior? Journal of Public Economics 30 (1): 83–96.
https://doi.org/10.1016/0047-2727(86)90078-2
Woodhouse, K. 2015. Health care and higher ed: The two industries differ in key ways but face several similar and
pressing challenges. Available at:
https://www.insidehighered.com/news/2015/07/20/health-care-and-higher-education-face-similar-challenges-and-transformations
Yetman, M., and R. Yetman. 2013. Do donors discount low-quality accounting information? The Accounting Review 88
(3): 1041–1067. https://doi.org/10.2308/accr-50367

APPENDIX A
Variable Mapping
Data were obtained from the CBOK 2015 Global Internal Audit Practitioner Survey (Lake Mary,
Florida, U.S.: The Internal Audit Foundation). Question numbers and wording are provided below.
Visit www.theiia.org/CBOK for more information. The views in this study reflect the researchers’
opinions and are not intended to represent the position or policies of The IIA or the Internal Audit
Foundation.
Variable Name          Question Number    Question Wording

Dependent Variable
IAF_SIZE               Q41SPECIFIED       Approximately how many fulltime equivalent employees make
                                          up your internal audit department?

Independent Variables
Organizational Characteristics
ORG_SIZE               Q29_1              For the entire organization in which you work, what was the
                                          approximate total number of full-time equivalent employees
                                          as of the end of the last fiscal year?
IND_EDUC and           Q28                What is the primary industry classification(s) of the organization
IND_HLTH                                  for which you work (or your primary client if you are a
                                          service provider)?
                                          1 = “Agriculture, Forestry, Fishing and Hunting”; 2 =
                                          “Mining, Quarrying, and Oil and Gas Extraction”; 3 =
                                          “Utilities”; 4 = “Construction”; 5 = “Manufacturing”; 6 =
                                          “Wholesale Trade”; 7 = “Retail Trade”; 8 = “Transportation
                                          and Warehousing”; 9 = “Information”; 10 = “Finance and
                                          Insurance”; 11 = “Real Estate and Rental and Leasing”; 12
                                          = “Professional, Scientific, and Technical Services”; 13 =
                                          “Management of Companies and Enterprises”; 14 =
                                          “Administrative and Support and Waste Management and
                                          Remediation Services”; 15 = “Educational Services”; 16 =
                                          “Health Care and Social Assistance”; 17 = “Arts,
                                          Entertainment, and Recreation”; 18 = “Accommodation and
                                          Food Services”; 19 = “Other Services (except Public
                                          Administration)”; 20 = “Public Administration”
NPO                    Q24                What is the type of organization for which you currently work?
                                          1 = “Privately held (non-listed) organization”; 2 = “Publicly
                                          traded (listed) organization”; 3 = “Public sector (including
                                          federal, regional, and local government, government
                                          agencies, and government-owned organizations)”; 4 =
                                          “Not-for-profit organization (not related to government)”; 5 =
                                          “Other”
MANDATE                Q97                Is the existence of an internal audit department mandated by
                                          law for your organization?
                                          1 = “Yes”; 2 = “No”
IAF Characteristics
ACCESS                 Q86                In your opinion, to what extent does the internal audit
                                          department at your organization have complete and
                                          unrestricted access to employees’ property and records as
                                          appropriate for the performance of audit activities?
                                          1 = “All of the time”; 2 = “Most of the time”; 3 = “Some of
                                          the time”; 4 = “None of the time”
ROTATE                 Q45                Does your organization have a process in place to rotate staff
                                          through the internal audit department as part of training them
                                          for management in other parts of the organization?
                                          1 = “No”; 2 = “Yes, an informal process”; 3 = “Yes, a
                                          formal process”
BONUS                  Q49                Do you have the opportunity to receive a bonus from your
                                          employer? 1 = “Yes”; 2 = “No”
IAF_AGE                Q39SPECIFIED       Approximately how many years has the internal audit
                                          department been in place at your organization?
IAF Responsibilities
PREV_FRAUD             Q69                What degree of responsibility does internal audit have for
                                          preventing fraud in your organization?
                                          1 = “All of the responsibility”; 2 = “Most of the
                                          responsibility”; 3 = “Some of the responsibility”; 4 = “None
                                          of the responsibility”
DET_FRAUD              Q71                What degree of responsibility does internal audit have for
                                          detecting fraud in your organization?
                                          1 = “All of the responsibility”; 2 = “Most of the
                                          responsibility”; 3 = “Some of the responsibility”; 4 = “None
                                          of the responsibility”
PERF_AUDIT             Q87                In the past calendar year, did your internal audit department
                                          conduct performance audits (or value-for-money audits)?
                                          1 = “Yes”; 2 = “No”
IT Tools and Audit Activities
IT_TOOLS               Q134_A_1 to A_11   What is the extent of activity for your internal audit department
                                          related to the use of the following information technology (IT)
                                          tools and techniques? 1 = “None”; 2 = “Minimal”; 3 =
                                          “Moderate”; 4 = “Extensive”, or “Not applicable/I don’t know”
                                          1. A software or a tool for internal audit risk assessment.
                                          2. An automated tool for internal audit planning and
                                             scheduling.
                                          3. A software or tool for data mining.
                                          4. An automated tool for data analytics.
                                          5. Computer-assisted audit technique (CAAT).
                                          6. Continuous/real-time auditing.
                                          7. Electronic workpapers.
                                          8. Flowchart or process mapping software.
                                          9. Internal quality assessments using an automated tool.
                                          10. An automated tool to monitor and track audit remediation
                                              and follow up.
                                          11. An automated tool to manage the information collected by
                                              internal audit.
IT_GENRISK             Q127_A_1           For information technology (IT) security in particular, what is
                                          the extent of the activity for your internal audit department
                                          related to the following areas?
                                          1 = “None”; 2 = “Minimal”; 3 = “Moderate”; 4 =
                                          “Extensive”, or “Not applicable/I don’t know”
                                          1. Audits of general information technology (IT) risks.
IT_SECURITY            Q127_A_2 to A_7    2. Audits of the cybersecurity of your organization’s
                                             electronically held information.
                                          3. Audits of the physical security of your organization’s major
                                             data centers.
                                          4. Audits of the management, use, and access of mobile
                                             devices owned by individuals or your organization.
                                          5. Audits of the organization’s procedures for how employees
                                             use social media.
                                          6. Audits of the security of your organization’s internal intranet.
                                          7. Audits of the security of your organization’s external
                                             websites.
