New Frontiers For Internal Audit Research MEI 2023

New Frontiers for Internal Audit Research*
MARGARET H. CHRIST, University of Georgia†

MARC EULERICH, University of Duisburg-Essen
RONJA KRANE, University of Duisburg-Essen
DAVID A. WOOD, Brigham Young University
ABSTRACT
Internal audit provides useful and valuable services to organizations, and academic
research has established its importance in improving corporate governance. However, the
body of internal audit research is still relatively small. Indeed, there are many emerging,
lesser-known topics and practitioners would like guidance. The primary focus of this
paper is to make specific recommendations for future research based on surveys, inter-
views, and discussions with practitioners. We identify three broad areas for additional
academic research: innovation in information technology, staffing and personnel develop-
ment, and agile auditing. In each area, we describe current practices and discuss the rele-
vant accounting literature, noting gaps where additional inquiry is needed. We also
provide a list of testable research ideas to help inform academics about practice-relevant
research questions that would not only add to the academic literature, but would benefit
practitioners who seek guidance. We hope this paper will inspire more academic research
that investigates important internal audit questions.
Keywords: internal audit, innovation, innovative practices, research opportunities
NOUVELLES FRONTIÈRES DANS LE DOMAINE DE LA RECHERCHE SUR

L’AUDIT INTERNE

RESUM
E
L’audit interne fournit des services utiles et précieux aux organismes, et la recherche a
mis en lumière son importance pour l’amélioration de la gouvernance d’entreprise.
Toutefois, le corpus de recherche sur l’audit interne est encore relativement restreint. En
fait, il existe plusieurs thèmes émergents et moins connus sur lesquels les praticiens
aimeraient obtenir des orientations. Le but principal de la présente étude est de formuler
des recommandations précises pour la recherche à venir, recommandations fondées sur
des enquêtes, entrevues et discussions avec des praticiens. Nous cernons trois grands
domaines nécessitant davantage de recherche : innovation en technologie de
l’information, dotation de personnel et perfectionnement professionnel, et audit agile.
Pour chaque domaine, nous décrivons les pratiques actuelles et examinons la littérature
comptable pertinente, tout en relevant les lacunes sur lesquelles il est nécessaire de se
* Accepted by Leslie Berger. We are grateful to Jared Moon for his helpful comments and suggestions and
Benjamin Fligge for his research assistance. We also appreciate the assistance, insight, and research participants
provided by the Institute of Internal Auditors (IIA) — Germany, IIA — Netherlands, and IIA — North America.
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021) pages 449–475 © CAAA/ACPC

doi:10.1111/1911-3838.12272
450 ACCOUNTING PERSPECTIVES / PERSPECTIVES COMPTABLES
pencher davantage. Nous dressons aussi une liste des idées de recherche testables afin
d’informer les chercheurs des questions de recherche pertinentes pour la pratique qui,
non seulement enrichiraient la littérature savante, mais profiteraient également aux
praticiens en quête d’orientations. Nous espérons que la présente étude suscitera
davantage de recherche portant sur d’importantes questions d’audit interne.
Mots-clés : audit interne, innovation, pratiques novatrices, occasions de recherche
1. INTRODUCTION
Empirical research supports the idea that internal auditing is a central pillar of good
corporate governance (Gramling et al. 2004; Anderson and Christ 2014). Indeed, the inter-
nal audit function (IAF) acts as an important defense against organizational risks and is an
integral part of an organization’s accounting information system. However, compared to
other aspects of corporate governance such as the audit committee and external auditor,
the practice of internal auditing has received relatively little academic attention. For exam-
ple, DeFond and Zhang (2014, 278) state that “internal audit research is still in its
infancy.” Behrend and Eulerich (2019, 126) assert that there is “a notable scarcity of stud-
ies in the leading accounting journals that investigate practices or processes of the [internal
audit] function on a micro level,” and Roussy and Perron (2018, 345) explain that internal
audit research is “far from comprehensive.” While certain internal auditing topics have
received academic attention (e.g., the use of the IAF as a management training ground), a
host of topics, especially those related to new and emerging internal audit activities using
technology, remain unexamined. The primary purpose of this paper is to encourage future
internal audit research by highlighting fruitful areas for academic inquiry based on impor-
tant current and emerging trends in the profession.1 To this end, we forgo a traditional lit-
erature review and instead draw from surveys, interviews, and discussions with internal
audit professionals to identify important areas for future academic inquiry.
Our goal is to encourage practice-relevant research. Much of the existing internal audit
research focuses on a few specific areas that may not be highly relevant to internal audit
practice. For example, Behrend and Eulerich (2019) report that 35% of internal audit-related
articles published in the top accounting journals relate to the IAF’s contribution to external
audits and the resulting implications for external audit fees and quality. However, less than
0.3% of the articles published over the same time period in the practitioners’ journal Internal
Auditor explicitly deal with the topic of external audit, suggesting a large gap between what
academics have studied and what practicing internal auditors value. Given the calls by many
academics for more practice-relevant research (Basu 2012; Moser 2012; Wood 2016; Sum-
mers and Wood 2017; Dechow et al. 2018; Kaplan 2019; Burton et al. 2021a, 2021b;
Rajgopal 2020), this paper helps guide researchers to address important questions that can
impact both practice and advanced theoretical knowledge.
1. This study expands on the 2003 monograph produced by the Institute of Internal Auditors’ Research
Foundation (IIARF) that spurred academic research (IIARF 2003). Though the IIARF monograph con-
tains many research questions that are still worthy of study, the profession has changed significantly
since 2003, creating a host of new questions academics can address to produce relevant research.
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

NEW FRONTIERS FOR INTERNAL AUDIT RESEARCH 451
While data availability and access to research participants can hinder academics’ abil-
ity to investigate practice-relevant questions, another important contributing factor is that
many academics are simply unaware of the many new and emerging issues facing inter-
nal auditors today. The internal audit profession is evolving rapidly as technological
advances have allowed for significant changes in the way organizations conduct business.
Thus, we seek to guide future research by identifying those internal audit practice areas
that would be valuable to address.
In this paper, we develop a series of research questions, informed by surveys con-
ducted with 56 internal audit practitioners and informal discussions with internal audit
standard setters, chief audit executives (CAEs), academics, and other stakeholders that
interact with internal auditors (e.g., audit committee members, business executives, etc.).
The practitioners we consulted work in both public and private companies, large and
small IAFs, and diverse industries. These surveys and conversations provide a broad-
based overview of important current issues facing practicing internal auditors.
We organize our findings into the following three broad areas for future research: infor-
mation technology (IT), staffing and personnel development, and agile auditing. We discuss
the practical implications of recent advances in each of these areas, describe existing research
that may relate, note gaps in the prior literature, and make specific recommendations for
future research. Overall, our investigation reveals that IAFs are forced to realign their prac-
tices because of new audit objectives and evolving risks that develop due to the rapidly
changing macro environment and technological innovation. We also identify unanswered
questions about the value of the IAF and its relationship with various stakeholders. Thus, we
conclude that rigorous academic study of new and emerging internal audit practices and
responsibilities can help the internal audit profession be proactive, add value, and stay one
step ahead of the risks emerging in today’s business environment. This paper should be of
interest to academics concerned with the responsibilities of the IAF and how they are evolv-
ing in light of technological advances. We highlight important, practice-relevant areas for
research in hopes of encouraging academics to conduct impactful research on internal
auditing that will also advance our theoretical understanding of internal audit practices.
In addition to stimulating academic research, a second goal of this paper is to provide
insight to practitioners on how the practice of internal audit has changed. Because IAF practices
vary widely among companies, benchmarking one’s own IAF against others is often challeng-
ing. As a result, internal auditors may be unaware of new and innovative internal audit practices
that would benefit their organizations. Thus, insights from our survey and interviews will also
inform practitioners seeking to incorporate new and innovative practices into their IAFs.
The remainder of this paper is structured as follows. We forgo a traditional literature
section as our intention is to highlight areas for which existing research is lacking.2 Thus,
2. See Behrend and Eulerich (2019) for a bibliometric analysis of all internal audit publications in the top
six accounting journals and Roussy and Perron (2018) for a structured review of current internal
auditing literature published between 2005 and 2017. We also refer readers to Gramling et al. (2004),
Bame-Aldred et al. (2013), Lenz and Hahn (2015), and Eulerich and Eulerich (2020), who provide fur-
ther reviews of different aspects of past internal audit research.
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

in section 2, we describe our research method. In section 3, we describe the areas that are
likely to be fruitful for future research and develop testable research questions. We con-
clude with discussion in section 4.
2. METHOD
We collected data in two phases. First, we interviewed and surveyed 56 practicing
internal auditors about current trends and innovations in the internal auditing profession.
Second, we held informal conversations with numerous leaders of the internal auditing
profession, including internal audit standard setters, heads of IAFs at diverse organiza-
tions throughout the world, and business professionals who regularly interact with inter-
nal auditors (e.g., audit committee members, business executives, etc.).3 Following the
guidance from Power and Gendron (2015), we mobilized our network of professional
internal auditors and standard setters to obtain our survey respondents and interviewees.
In phase 1, we conducted interviews and surveys in which we asked respondents to
describe any changes to the IAF that have been recently implemented (in the last three
years) or would be implemented in the near future, as well as their IAF’s level of pre-
paredness for these changes.4 We also asked about the measures used to ensure they were
equipped to respond to technological innovations and future challenges, including their
level of involvement in the decision to implement changes. Most questions were open-
ended, allowing participants to expand upon any areas if they preferred to.
The majority of our 56 participants work in the financial sector (32.1%), while 8.9%
of participants work in IT, 7.1% for companies in the public sector, and 7.1% for compa-
nies supplying public utilities like energy, gas, and water.5 A total of 37.5% of our partic-
ipants work for publicly listed companies. Company sizes vary from only 36 employees
to 500,000 with a mean of 53,148 employees. However, the sizes of the IAFs our partici-
pants work in vary from just 1 full-time internal auditor to 240 with a mean of 30 full-
time auditors being part of a company’s IAF. Participants have an average of 19.5 years
of work experience overall and have worked in internal auditing for an average of
11 years. Over half (52.1%) of our participants are vice presidents of internal audit,
CAEs, or heads of corporate internal audit, and 12.5% are senior-level auditors. As
intended, the results of these surveys provide a broad overview of the current state of the
internal audit profession and allow us to identify specific issues and emerging technolo-
gies that affect how internal auditors conduct their work.
In phase 2, we sought to gain deeper insights into the current and emerging trends
identified in phase 1. To this end, we held discussions with additional practitioners,
including internal audit standard setters, internal audit practitioners of various levels of
3. We received appropriate approval for use of human participants from our institutions.
4. All surveys took place at a national Institute of Internal Auditors (IIA) conference in May 2018, where
participants were randomly asked to participate in this research project.
5. Of the remaining participants, 5.4% of participants work in each of the chemical industry, trade, logis-
tics, mechanical engineering, and health care, 3.6% work in the automotive and the real estate sector,
and 10.6% in an industry other than the above-mentioned options.
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

experience, academics with expertise in internal auditing, and professionals who interact
with internal auditors (e.g., audit committee members, business executives, etc.). We
used our survey results to guide these discussions and probed our interviewees about
their experiences with the innovations and changes that emerged from phase 1.
We gathered, coded, and analyzed survey responses, notes, and additional informa-
tion material received from practitioners (e.g., documents and presentations). We coded
interviews and supporting documentation in a two-step process. First, we simply coded
each activity as an innovation to the profession. Second, we categorized the identified
innovations and developments into one of the three categories used in the following
section to present our findings. We only included innovations in the final paper if every
researcher on our team agreed that what was reported by a participant was relevant to
both internal audit practice and future research. Following Barrett et al. (2005, 2), the
analysis “is not intended to celebrate the empirical detail” but rather to identify new and
emerging issues for study. Valuable insights to guide additional research investigation
are provided through this data collection procedure, including surveys, interviews, and
discussions.
3. AREAS FOR FUTURE RESEARCH

Through our interviews and surveys, we identify three broad subject areas of relevance
for internal audit practitioners that provide fruitful avenues for future research: IT,
staffing and personnel development, and agile auditing. For each of these areas, internal
audit practitioners revealed important changes to the structure of the IAF or the way
internal audit activities are executed. Each of these areas is in the midst of considerable
change, at least in part because of the rapidly evolving technological environment and
business landscape. We describe these changes and the related opportunities for research
below.
Information Technology
The first broad area for inquiry that emerges from our interviews and surveys is the
impact of IT on the IAF. Technological innovation is transforming all aspects of the busi-
ness landscape, and its effects on the internal audit profession are considerable. Internal
auditors today can use a wide variety of technological tools, in combination with tradi-
tional audit methodologies, to carry out their audit work. In addition, they are responsible
for auditing the many aspects of the organization that use or are affected by emerging
technologies. Organizations are rapidly adopting new technologies, and it is critical that
we understand the benefits these technological innovations generate, as well as the risks
and challenges they may pose. Rigorous academic research can provide important
insights to help organizations navigate these advancements.
Our interviewees and survey respondents provided many examples of technological
changes that are affecting the IAF. Their responses largely echo a recent report by
Deloitte that finds that technological innovations and IT-related risks comprise 6 of the
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

top 10 “high-impact” areas through which internal audit adds value to their organizations
(Deloitte 2019).6 We address each topic provided by our interviewees below.
Data Analytics and Automation

Data analytics and automation are becoming increasingly important throughout organiza-
tions. Their proliferation can impact the IAF in two distinct ways. First, IAFs are
adopting data analytics and automation to augment or replace traditional audit techniques,
thereby drastically changing the way internal auditors carry out their responsibilities.
Second, the organization that the IAF is responsible for auditing is also rapidly adopting
these new technologies, and the IAF must adapt its procedures to accurately assess the
risk and controls in light of these changes. We discuss each of these sequentially in the
discussion that follows.
The internal auditors from our interviews describe numerous new technological tools,
procedures, and data sources they use to conduct their audits. For example, IAFs have
begun, or are considering, implementing data analytics, data mining applications, process
mining, robotic process automation (RPA), and artificial intelligence (AI). However,
empirical research on the technological tools used by internal auditing is very limited.
There is a growing stream of empirical research examining the use of data analytics
by external auditors (e.g., Jans et al. 2014; Perols et al. 2017; Jans and Hosseinpour 2019;
Salijeni et al. 2019; Austin et al. 2021). However, research regarding internal auditors’ use
of such technologies is lacking. In addition, there are several important differences between
internal and external auditors that could limit the generalizability of the external auditor
findings to an internal audit setting. First, internal auditors are not subject to the same stan-
dards and rules as the external auditor (e.g., PCAOB inspections); thus, many internal audi-
tors adopted data analytics earlier and use them for a broader spectrum of activities than
external auditors, including consulting activities and audits focused on strategic risk. Sec-
ond, the internal auditor works for the same organization as their client, so it is possible
that some of the data limitations and concerns that exist for the external auditor do not exist
for internal auditors, allowing them greater access to data. However, working for the same
organization as the client likely introduces other dynamics worthy of examination. For
example, in some organizations, management may exert pressure on its internal auditors to
use analytics to promote an agenda or obscure negative results (Miller and
Rittenberg 2016). Third, many internal auditors formally include consulting-type activities
within the scope of their charter (Anderson and Christ 2014). Thus, internal auditors are
better able to provide operations-based insights that they may discover in the course of
their regular audit activities than are external auditors (Austin et al. 2021), which could fur-
ther enhance the value added by the IAF to the organization. Fourth, compared to external
audit firms that are able to invest significant financial resources in technology and hire
teams of dedicated IT specialists, most IAFs face considerable resource and personnel con-
straints. Thus, it is more difficult to develop the expertise necessary to effectively
6. These innovations and technology-related risks include automated auditing, RPA, AI, auditing techno-
logical disruptors, continuous risk assessment, cybersecurity, and data privacy.
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

implement data analytics, and adoption of innovative techniques can be slow. Fifth, IAFs
can include a broad variety of different specialists and experts—for example, combining
financial and nonfinancial expertise. Thus, IAFs can allocate the existing resources more
freely to solve specific problems than external auditors can.
Data analytics techniques are often lauded because they allow users to analyze larger
and more diverse collections of data to more effectively identify unexpected or unusual
relationships (Austin et al. 2021). However, we note that our participants reported that
most internal audit analyses currently rely solely on traditional, internal company data
(e.g., data from the company enterprise resource planning (ERP) system) rather than
combining traditional data with external data sources. Therefore, it is likely that many
IAFs could better leverage data analytics to evaluate organizational risks if they also con-
sidered additional, more novel data sources. A few innovative IAFs are at the preliminary
stage of using more data from external sources. For example, one CAE described inte-
grating weather data into analysis to evaluate insurance claims in local branches and
stores. Another CAE reported incorporating external data (e.g., the global corruption
index) as a part of the risk evaluation or within the risk-based audit planning. Research
examining the use of external data and/or unstructured data, including its relative effec-
tiveness and how to weigh its importance, would be informative.
While data analytics surely provides many benefits, much is unknown about how
individuals perceive, understand, and interpret the results. Furthermore, as new technolo-
gies are implemented within the audit, it is likely that users will have varied skill levels
and expertise. Thus, there is risk that internal auditors may misinterpret or misuse the
analytics. For example, one concern with data analytics is that results may identify more
exceptions than auditors could reasonably test. While it is possible that they could exhibit
dysfunctional behavior when testing exceptions, it is not certain and additional research
focused on internal auditors’ behavior will be important.
Additional research is also needed to examine other similarly dysfunctional activities
that could occur as internal auditors rely more consistently on data analytics. For exam-
ple, do new tools introduce greater likelihood of internal auditors making unethical deci-
sions, such as prematurely signing off on work if they do not fully understand the tool,
or sabotaging results so that a tool appears incapable of replacing them?
Furthermore, one of the most useful forms of data analytics is the data visualization
used to interpret and disseminate findings. By illustrating the data, users can easily see
the patterns, relationships, and anomalies that exist. However, when relying on visualiza-
tions, users are susceptible to a variety of cognitive and perceptual biases (see Wall
et al. 2018) that can result in misinterpretation. In addition to unconscious biases, users’
known biases can influence the way data is sorted, filtered, and presented. Thus, visuali-
zations can be manipulated to highlight specific results or tell a desired story. Prior
research finds that internal auditors are often subjected to political pressure by executives
in their organization, including receiving direction to omit or modify audit findings and
only audit certain areas (Miller and Rittenberg 2016; Eulerich, Kremin, et al. 2021).
Therefore, there is risk that visualizations could be used to mislead stakeholders. Future
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

research could examine the extent to which visualizations improve or distort the results
of internal audits and how they are used by stakeholders.
An additional opportunity for IAFs to leverage emerging technology is to implement
a continuous audit approach. Continuous auditing is defined as “the combination of
technology-enabled ongoing risk and control assessments” (IIA 2020) and has been
described as “close-to-real-time-assurance.” This technology and approach would stream-
line basic audit processes and help the IAF to allocate the existing resources to relevant
risk areas. Although the concept of continuous auditing has been discussed for decades
in the internal and external audit practice, its implementation has not been particularly
widespread and it has not generated the significant benefits predicted. However, with the
proliferation of data analytics, automation, and machine learning, continuous auditing is
becoming a more achievable goal. Some prior research has examined the continuous
audit approach (Shin et al. 2013; Li et al. 2016; Eulerich and Kalinichenko 2018), but
given the new opportunities for implementation in practice, there remains a need for
future research that explores the effectiveness of this practice to reduce risk.
In addition to data analytics, participants described an increasing use of and interest
in automation, with a particular focus on RPA. Possible RPA applications range from
basic automation of a manual task to complex cognitive automation. Examples of RPA
by early adopting IAFs include automating basic tasks, such as downloading and storing
email attachments (Eulerich, Pawlowski, et al. 2021), to more advanced techniques, such
as conducting photo forensic investigations to detect fraudulent behavior.
Although some prior research has examined Big 4 accounting firms’ use of RPA for
conducting external audits (Cooper et al. 2019, 2021), very little research has explored
RPA in internal auditing. In one notable exception, Eulerich, Pawlowski, et al. (2021)
use a design-science approach to develop and test a framework for the implementation of
RPA bots in internal auditing. Nevertheless, there is no larger body of empirical research,
although RPA is touted as having significant benefits in cost savings, efficiency, and
overall quality of operations. However, many of the internal auditors we interviewed
want guidance on how to implement RPA and a better understanding of its costs and
benefits. More importantly, they want to know how RPA influences stakeholders’ percep-
tions of the IAF. One CAE we interviewed suggested that adopting innovative technol-
ogy early increases the credibility of the IAF because they are perceived as cutting-edge
by the rest of the organization. Other departments are then more likely to look to the IAF
for insights and advice when exploring innovative technologies themselves. On the other
hand, because one of the purported benefits of RPA is increased efficiency, practitioners
want to know how it will affect internal audit budgets and, in particular, whether
implementing RPA will cause stakeholders to cut internal audit budgets or redeploy those
resources to expand internal auditing activities (and what factors influence those deci-
sions). Again, limited evidence from external auditors and their clients suggests that these
parties have diverging views on the effect of increased technology on external audit fees.
Clients express a desire for increased efficiency to lead to lower audit fees. The external
audit firms, on the other hand, argue that audit fees will remain stable or potentially even
increase in the near future as they recoup their tremendous investment in technology. For
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

IAFs, the client is the same organization that would have allowed the increased invest-
ment in technology, so there may be a more explicit expectation to recoup the investment
through reductions in the internal audit budget (e.g., personnel costs, etc.) or through
value-added services and consulting projects.
Survey and interview respondents indicated explicit interest in academic research
related to data analytics and automation. However, they also expressed a general desire
for help in understanding all of the emerging technologies used by internal auditors to
carry out their audit plans. Eulerich, Masli, et al. (2021) find that IAFs that use technol-
ogy-based audit techniques are more efficient and effective and that stakeholders rely
more on their work. Since internal auditors face limited budgets and can have difficulty
attracting and retaining technology talent, understanding what technologies benefit the
IAF before they choose to invest is important. A few studies have examined the effec-
tiveness of a few specific technologies such as drones for asset measurement and inven-
tory audits (Christ et al. 2021) and process mining (e.g., Jans et al. 2014); however, both
studies mainly focus on the implementation in external audit settings and leave many
other tools unexamined. Academic researchers who study emerging technology can there-
fore provide key insights to help IAFs identify what technologies have potential and
which ones should be avoided because they do not provide enough value.
We turn now to how the IAF is affected by the use of data analytics and automation
more broadly throughout the organization. A recent survey of Fortune 1000 companies
finds that 99% of reporting firms have invested significantly in data and AI, with 62%
reporting investments greater than $50 million (Bean 2021). Importantly, organizations
often adopt technologies without sufficiently considering the risks they may pose to the
organization or whether the IAF is equipped to audit them (Christ et al. 2019). As organi-
zations adopt new and emerging technologies for use within operations, it is incumbent
upon the internal auditors to both understand the myriad new risks that may accompany
these changes and to develop appropriate testing protocols to ensure risks are controlled.
Christ et al. (2019) provide evidence that IAFs involved in the decision to implement
technological innovation believe they are better prepared to audit that innovation and mit-
igate related risks than IAFs who were not involved in the decision-making process.
However, more research is needed to understand whether the IAF’s involvement results
in more effective implementation and deployment of emerging technologies. Relatedly,
Christ et al. (2019) note that many companies do not invite the IAF to have a “seat at the
table” when strategic decisions about technology and innovation are made. As a result,
IAFs can be caught unaware and the company is left exposed to unexpected risk.
Research is needed to explore the risks (and responses to the risks) of an organization
moving faster into data analytics and technology than its internal auditors can handle.
Another significant concern as organizations implement data analytics is that often
the organizations do not have a centralized data analytics function. Instead, each depart-
ment or division may develop and implement analytics on their own. As a result, organi-
zations will not have a shared data language, the ability to leverage analytics across
departments, a formalized plan for vetting and evaluating the effectiveness of the analyt-
ics, or a consistent plan for continuity if the current analytics champion leaves the
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

organization. These shortcomings represent a lack of a data governance program and cre-
ate significant risk for the organization. It also creates considerable challenges for the
IAF who is charged with evaluating the data analytics conducted throughout the com-
pany and the decisions made based on those analytics’ results. Academic research could
consider the factors that contribute to effective data governance programs as well as the
implications of an ineffective program.
Finally, as other technological advancements such as RPA, AI, and machine learning
are adopted throughout the organization, the IAF must be able to effectively audit these
practices. These technologies help organizations complete tasks more quickly and with-
out human intervention. However, this creates new risk for the organization because any
errors programmed into the technology would be repeated rapidly, often without easy
identification. Several auditors we interviewed discussed this emerging audit area and
explained that they currently did not have internal auditors on staff who could carefully
scrutinize the coding and programming underlying the employed bots and AI. However,
these internal auditors were confident that they had well-designed audit methodologies
that would allow them to assess the appropriateness of the organization’s process for
designing, testing, and implementing these technologies. Future academic research should
examine whether IAFs can effectively audit these technologies by focusing on the pro-
cess and the output, without explicit knowledge of the coding that underlies the
activities.
In summary, data analytics and emerging technologies create new opportunities and
challenges for internal auditors. Future research should consider the specific topics we
described above in an effort to address the following broad research questions:
RESEARCH QUESTION 1. How does the use of data analytics and automation by the IAF
transform the internal audit process?
RESEARCH QUESTION 2. How does the use of data analytics and automation by the
organization change the organization’s risks and the IAF’s audit approach?
Remote Auditing
As the availability of data in digital format and the application of data analytics have
increased, it has created the opportunity for the IAF to conduct “remote audits”
(i.e., perform audit processes without being physically present at the audit site). Although
IAFs were just beginning to explore remote auditing for cost savings and reduced travel
time, the COVID-19 pandemic forced most audit functions to conduct at least some audit
work remotely—ready or not.
The primary difference between remote audits and traditional audits is that remote
audits lack face-to-face interaction (Eulerich, Wagener, et al. 2021). This changes the inter-
personal dynamic between the auditor and auditee in critical ways that can affect audit
quality. External audit research has just begun to investigate the effects a lack of face-to-
face interactions can have on audit outcomes. For example, Saiewitz and Kida (2018) and
Bennett and Hatfield (2018) find that external auditors will elicit higher-quality responses
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)
from clients in person compared to email. Furthermore, Saiewitz and Kida (2018) find that
clients perceive in-person requests to be more important and urgent than email requests
and that external auditors will question aggressive client responses more in person than via
email, suggesting that in-person interactions are important for audit quality. However, Car-
lisle (2021) and Hawkins (2021) report that external auditors will also be more persuaded
by clients in person than via email, suggesting that the differences in auditing effectiveness
using in-person versus email communication are complex. These external audit studies pro-
vide interesting insights upon which future research should build. It is possible that some
of the identified effects may generalize to an internal audit setting. However, it is also
likely that the relationship between the client and the internal auditor may deviate in impor-
tant ways because the internal auditor is (generally) an employee of the same organization.
Perhaps this shared identity as coworkers could help overcome some of the interpersonal
limitations that might otherwise arise when face-to-face interaction is limited. Thus, further
research in this area focused on internal auditors would be fruitful.
Although prior research has compared email to in-person communication, it has not
considered other remote audit tools, such as online conference platforms (e.g., Zoom or
Skype), which allow auditors and clients to see each other and interact in real time during
online interviews. Thus, it is unclear if auditees’ disclosure behavior, auditors’ skepti-
cism, and the likelihood of follow-up questions in these situations would be more similar
to face-to-face interactions or email communications. There is some prior research that
shows auditees are more likely to disclose information to a virtual interviewer (i.e., an
avatar) than to a human internal auditor (Pickard et al. 2020); however, in the case of
remote auditing, the auditee is still interacting with and disclosing to another live human.
Thus, it is unclear that the results from this prior research would generalize more broadly
to remote auditing as it is conducted today.
In addition to information disclosure, there are many other avenues for investigat-
ing differences between remote and in-person audits. For example, do auditors gather,
interpret, and share data in the same way if they do not have personal interaction with
the auditee? Do managers change their behavior if they know they will receive a
remote versus in-person audit? Prior research on psychological distance could help
inform development of a model for testing how the distance of the auditor influences
the behavior of the auditee (some research has examined how spatial distance impacts
the external auditor; e.g., see Limor 2014). While it is clear that remote audits are
likely here to stay now as a result of the COVID-19 disruption, it is still necessary for
research to examine whether this shift in practice impacts audit quality. If research
does find that remote auditing diminishes professional skepticism or has other nega-
tive effects that diminish audit quality, research will be needed to examine how to
redesign audit procedures to better address these risks. Thus, future research should
address the following question regarding how audits will be transformed as they are
conducted using remote technology:
RESEARCH QUESTION 3. How do the quality, effectiveness, and efficiency of remote

internal audits differ from internal audits conducted using traditional, face-to-face
methods?
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)
Cybersecurity and Data Privacy

Incidents related to cybersecurity are escalating in impact and frequency (ISACA 2016, 5),
and IAFs are hard pressed to adjust their audit routines to ensure adequate risk management.
In its 2019 Risk in Focus report, the European Confederation of Institutes of Internal Audi-
tors (ECIIA)7 reports that interviewed CAEs believe cybersecurity is the number one risk fac-
ing organizations (ECIIA 2019). Cybersecurity risk has increased largely because companies
are relying more on cloud service providers to host their data than in the past, which has led
to tremendous attacks in recent years (e.g., BBC 2021). In the same ECIIA report, 56% of
organizations reported that they had a data breach caused by one of their vendors in 2019.
Indeed, the highly publicized cyberattacks perpetrated using SolarWinds technology pro-
grams highlights not only how highly susceptible organizations are to cyber threats, but also
how difficult it is to detect them (Jibilian and Canalees 2021). Internal auditors report they
are increasingly involved in cybersecurity protection and audits. As stated in the ECIIA
report, “cybersecurity risk is here to stay and the third line of defense [internal auditors] will
be expected to provide assurance on the internal management of this risk for the foreseeable
future, if not indefinitely” (ECIIA 2019, 6).8
Most of the practitioners we interviewed acknowledged that cybersecurity risk cre-
ates challenges for the IAF. Internal auditors must identify effective methods for
assessing and auditing cybersecurity risk and gain expert knowledge and sufficient
resources. However, interviewees note that it can be very difficult and expensive to find
staff with the requisite expertise and experience because the job market for cybersecurity
experts is very competitive. Our respondents indicate they do not have a solution to this
problem, which makes this an excellent area for study. How can the IAF assess and audit
cybersecurity without hiring expensive experts? If internal audit is not able to hire
experts, how significant are the risks to the organization and to the legitimacy of
the IAF?
Furthermore, the Internet of Things (IoT) represents an increasing cybersecurity
threat. IoT is the term given to the interconnectedness of electronic devices to the Internet
and to each other (e.g., digital activity trackers, smart TVs, etc.). Internal audit must also
consider the IoT as a new audit risk area. One head of IT audit estimates that organiza-
tions are most likely unaware of or widely underestimate the number of interconnected
devices in a company. Because the IoT covers everything from cell phones to printers to
vending machines, new risks are constantly introduced into the organizations, and often
7. The ECIIA is an international association of internal audit professionals throughout Europe. It aims to
be “the consolidated voice for the profession of internal auditing in Europe” and to promote the role of
internal audit and good corporate governance (see https://www.eciia.eu/ for more information).
8. The “three lines of defense” model was developed by the IIA to “help organizations identify structures
and processes that best assist the achievement of objectives and facilitate strong government and risk
management” (IIA 2020, 1). In this model, organization management can have “first line” and “second
line” roles which constitute delivery of product and services, and risk management, respectively. Inter-
nal auditing is usually described as the “third line” and provides independent and objective assurance
of the effectiveness of governance and risk management processes. See https://global.theiia.org/about/
about-internal-auditing/Public%20Documents/Three-Lines-Model-Updated.pdf.
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

these risks are not readily apparent. For example, an interviewee stated that many of the
IoT devices have passwords, but the default passwords often are not changed. These
default passwords are sometimes available online, potentially allowing a hacker to have
easy entrance into the company’s IT systems. Thus, the cybersecurity threats are multi-
plied through the IoT, and often company employees and internal auditors have not fully
considered the risks associated with these changes. Practitioners would benefit from aca-
demics helping to identify and quantify the risks associated with cybersecurity,
particularly IoT.
An additional concern closely related to cybersecurity is privacy. The European
Union passed the General Data Protection Regulation (GDPR), which has far-reaching
implications. It applies to all companies in the EU as well as any organization that has
data about European citizens. Thus, it effectively applies to almost all companies in the
world. The GDPR attaches large fines to privacy violations (i.e., fines can be as much as
4% of global revenues); therefore, companies are very interested in managing privacy
risks, and internal audit often plays an important part in helping assess and mitigate these
risks. There are multiple open questions in this area. For example, it is not clear if data
privacy and protection is a first-, second-, or third-line responsibility. Furthermore, in
combination with the cybersecurity risks, data privacy is heavily driven by IT systems
and automated processes. Thus, the IAF has to give assurance that all processes and sys-
tems are managed well and secured.
Some research suggests that internal audit can be effective in helping improve infor-
mation security. For example, Steinbart et al. (2018) find that a good working relation-
ship between the IAF and the company’s information security function improves
information security outcomes, such as the detection of security incidents. More research
is needed to better understand how the IAF can support the IT security initiatives of other
functions in the organization. Especially through the implementation of new IT technolo-
gies, IT systems, and IT applications, the risks within the organizations dramatically
increase. Thus, understanding the given IT architecture, upcoming technologies, and
potential risks and controls is relevant for the future internal auditor and, consequently,
internal audit research.
Furthermore, investigating which skills and resources the IAF needs to be able
to adequately address today’s risks related to cybersecurity and data privacy could
generate insights on whether the IAF staffing mix should be composed in favor of
subject experts or generalists. Thus, we pose the following question for future
research:
RESEARCH QUESTION 4. How can internal auditors evaluate and mitigate the level of IT
and cybersecurity risks present in their organization?
Staffing and Personnel Development

The second broad area that emerges from our survey and interviews relates to new and
significant trends in IAF staffing and personnel development. The professionals we
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)
interviewed often reminded us that auditing is a “people business” and the IAF’s
employees are its most important asset. Our interviews revealed several trends and
changes to the IAF staffing model and personnel development that are important for
inquiry.
Audit Rotation
Survey participants and interviewees noted that the internal auditor’s occupational profile
is undergoing significant changes. Despite these changes, it seems that fewer profes-
sionals are choosing to become career internal auditors, as IAF employee turnover hap-
pens more frequently and the management training ground (MTG) concept is getting
more and more important.
One common IAF staffing model uses the IAF as an MTG, whereby personnel rotate
through internal audit to gain exposure to a wide swath of the organization and to learn
about risk and control before beginning a management position in company operations.
Quite a bit of academic research has studied this strategy and the literature yields mixed
results regarding this practice. Research shows that using the IAF as an MTG yields rec-
ruiting benefits (Burton et al. 2014), greater reliance on internal auditor recommendations
(Carcello et al. 2018), and improved risk management (Carcello et al. 2020). However,
research also shows lower financial reporting quality (Christ et al. 2015; Abbott
et al. 2016; Bills et al. 2021), increased external audit fees (Messier et al. 2011), reduced
objectivity (Norman et al. 2010; Hoos et al. 2018), and reduced efficiency in operations
(Anderson et al. 2012).
Although the use of the IAF as an MTG appears relatively well researched, there are
still important questions to address, and survey respondents and interviewees indicate that
this practice is growing more prevalent. They also note that the way the MTG is
implemented can vary widely among organizations, which is a nuance that prior aca-
demic literature has rarely been able to tease out. For example, some companies hire staff
directly into the IAF in an MTG position with the intent to rotate them out after a set
period of time. Alternatively, other organizations take existing employees and rotate them
into internal audit for a period before rotating them into management positions outside of
internal audit. The different paths through the IAF are likely to serve different purposes
for the organizational mission and could have different effects on company performance
and IAF effectiveness. For example, Ege et al. (2021) show that companies that employ
managers with internal audit experience are less likely to participate in real earnings man-
agement. Thus, internal audit experience appears to have an important effect on individ-
uals long after they leave the IAF. Companies that use the MTG model also vary widely
in the amount of time employees spend within the IAF—ranging from a few weeks
(which we discuss later as a “guest” auditor) to several years. In addition, in some IAFs
all staff are rotational positions, while in others there is a mix of rotational and career
auditors. Finally, one of the most controversial decisions related to the IAF as an MTG is
how the CAE position is staffed. In some organizations, this position is also a rotational
position—pulling employees out of operations to run the IAF rather than promoting a
seasoned auditor. While using an operational manager to fill the CAE position can be
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)
beneficial in terms of operational knowledge and personnel capital, it can come at the
expense of a deep understanding of risk, control, and audit procedures.
When considering this rotational staffing model along with the proliferation of
technology-based risks and data-driven auditing approaches (as described in the previous
section), it is clear that the IAF may be particularly vulnerable because of the lack of
long-term, qualified (IT) experts. Furthermore, the planned rotation can reduce the moti-
vation of internal auditors to learn new technologies or topics, since their work in the
IAF is limited to a short period of their career. Research should extend the MTG litera-
ture by examining how rotational staffing models might also impede internal auditors’
effectiveness with respect to identifying and mitigating technology-related risk and per-
forming audit activities.
One potential solution to the lack of specialized knowledge that has been adopted by
some organizations is to recruit employees from the company’s global talent pool to fill
temporary auditor positions. One company we interviewed calls this the “Global Audit
Experience Program,” claiming it offers an opportunity for knowledge sharing and net-
working between auditors and nonauditors. The program, which starts with a weeklong
introductory training, offers temporary auditors the opportunity to participate in up to
three audits over the course of two years. Participants remain in their current position
within the company, but are available for a maximum of nine weeks of active auditing at
a time. The program aims to increase the company-wide network of employees involved
in internal auditing and provides learning opportunities for the temporary guest auditors
and the regular internal auditors through sharing of business experience and expert and
functional knowledge. Furthermore, temporary auditors learn about the importance of
identifying and considering the risks in their day-to-day operations and should develop
an appreciation for the control mechanism that can mitigate undesirable risk. This can
help improve the organization’s risk profile overall. In addition, employees develop an
awareness of and appreciation for the IAF and its mission. Such programs might help to
foster the IAFs preferred role as a trusted advisor and business partner (Chambers 2017),
which we will discuss further in future sections.
Even without a formalized program, many IAFs invite experts from the organization
to act as guest auditors for specific audits. Such in-house cosourcing arrangements carry
the advantage of fostering relationships between employees who might not previously
have considered the other party to be a colleague. The goal of working with a guest audi-
tor is to transfer knowledge on both sides; guest auditors help tackle specific audits by
providing in-depth knowledge about day-to-day operations while simultaneously learning
about the IAF’s mission and methods. Thus, it enhances mutual understanding and helps
build cross-functional networks that can be relied upon for future knowledge sharing.
In the context of IT, guest auditors can reduce existing and/or potential barriers
between the different governance functions (e.g., IAF and IT, IT security, etc.). Further-
more, the IAF can transfer knowledge from the other departments, which is relevant to
those in the IAF. Future research in this area could investigate the relationships and
knowledge networks of internal auditors and assess how auditors establish and use their
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

company-wide connections. Different measures and programs that involve nonauditors in

the IAF’s work should be researched regarding their potential to improve the risk and
control profile of the organization, spread knowledge and awareness throughout the orga-
nization, improve relationships with stakeholders, and decrease stigma associated with
the IAF.
Of course, when considering these varied staffing models that use company person-
nel as temporary or rotational audit staff, it is important to also consider whether the
auditors can remain independent and objective. Although the IIA standards offer addi-
tional guidance on how to secure independence and objectivity for internal auditors com-
ing from specific functions, the rotational approach can create situations in which the
internal auditor has to audit the prior/future function where they have/will work(ed). This
would normally lead to an impairment of objectivity and independence. Thus, research
addressing the following questions is needed to understand if and how audits can con-
tinue if varied staffing models are used:
RESEARCH QUESTION 5. What are the effects of novel IAF staffing arrangements, such
as guest auditors?
RESEARCH QUESTION 6. What are the strengths and weaknesses of using various rota-
tional staffing models (e.g., MTG) in the IAF?
Recruitment from Multidisciplinary Backgrounds

As organizations embrace more technology and become more digitized, IAFs are pressed
to recruit staff from multidisciplinary backgrounds with cutting-edge knowledge and
skills. Gone are the days when a traditional accounting education and business acumen
are sufficient for internal auditors. Just as external auditors are increasingly looking for
new hires with a STEM background (E&Y 2017, 11), internal audit also needs to recruit
candidates with the appropriate skill set for business processes and audit procedures that
are becoming more and more driven by IT and data. The increased need for IT audit spe-
cialists is currently met by focusing on IT expertise during recruitment as opposed to
retraining already hired auditors. This trend suggests that the generalists in the profession
might face limited career opportunities in the future (KPMG 2009; Kotb et al. 2014;
Deloitte 2019).
Research opportunities are plentiful in this area as questions regarding the costs and
benefits of hiring specialists, possibly with little to no experience as auditors, remain
unanswered. Indeed, this is a basic question faced by both internal and external
auditors—is it better to hire a technologist and teach them auditing or to hire an auditor
and teach them technology?
In addition, in many external audit firms there are dedicated teams of data scientists
who develop and run the sophisticated data analytics tests, which are then reviewed by
the external auditors. This works well because audit firms are typically large enough to
have centralized analytics functions, and similar analytics can be used for multiple clients
due to the relative homogeneity of external audit work. Many IAFs, however, may not
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)
be large enough to support a centralized function. Furthermore, internal audit work varies
widely from project to project; therefore, it is likely that individualized data analytics
would have to be developed for each project within the audit plan. Thus, research is
needed to understand how IT specialists are deployed within IAFs and the effectiveness
of the various staffing arrangements. Perhaps as the reliance on technology and the desire
for more technology-enabled solutions increases, organizations will increase the use of
third-party specialists to conduct internal audits. Relatedly, team dynamics and audit cli-
ent interactions will likely be affected by team configurations, which should also be
investigated. We encourage research related to the following question:
RESEARCH QUESTION 7. What are the effects and implications of hiring generalist ver-
sus specialist internal auditors, especially considering their IT expertise?
Knowledge Sharing
To meet the challenge of providing company-wide assurance in an increasingly complex,
dynamic, and technology-driven business environment, IAFs must have the relevant
knowledge for each audit at their disposal. Often the IAF does not have these resources
in-house and must employ other staffing arrangements (e.g., outsourcing or cosourcing;
see also Glover et al. 2008; Burton et al. 2012; Abdolmohammadi 2013). In addition to
traditional joint audits which involve external service providers, audits are also conducted
in close cooperation with functions traditionally described as having “second line roles,”
such as risk management and compliance (Behrend and Eulerich 2021). Utilizing organi-
zational personnel in the IAF with expertise in compliance and risk management can
improve the assurance level of work provided by the IAF, since those employees can
externalize their prior experience to the internal audit colleagues. Furthermore, this prac-
tice actively promotes the exchange of information and collaboration between various
governance functions and overcomes the potential problems of separate governance
functions.
Survey and interview participants also described the use of internal audit staffing
pools to ensure adequate knowledge for each audit assignment. While being functionally
assigned to a specific team in the IAF, individual auditors can be freely allocated to other
audit engagements outside their functional division. Thus, depending on the required
competence profile or resources for a specific audit (e.g., language skills or technological
experience), internal auditors can or cannot be staffed on these audits. This audit staff
pool allows for increased flexibility and efficient utilization of available audit personnel,
which is especially helpful when dealing with ad hoc audit engagements. Having a pool
of auditors to choose from allows the IAF to draw from a wide variety of skills and
expertise in order to arrive at the ideal staffing for each audit.
While practitioners emphasize the importance of sourcing arrangements that enhance
the IAF’s knowledge base within the company, such as insourcing, cosourcing, or staff
pooling, academic literature has focused primarily on the consequences and implications
of outsourcing the IAF (e.g., James 2003; Ahlawat and Lowe 2004), often with a specific
focus on its effect on the external auditors’ reliance decision (e.g., Glover et al. 2008;
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)
Brandon 2010; Desai et al. 2011; Bierstaker et al. 2012). Studies investigating the effects
of various in-company sourcing arrangements and the ways to enhance and facilitate
knowledge transfer between the IAF and other functions/departments would be of great
relevance to practitioners and represent new and interesting avenues for academic
inquiry.
In addition, as Roussy and Perron (2018, 377) note, “The very nature of internal
auditors’ teamwork and interactions with one another remains unexplored.” Thus,
research that focuses on the processes inside the IAF itself would be worthwhile—for
example, by investigating the dynamics within these constantly changing audit teams or
the particularities of team building in an environment that is characterized by high
employee fluctuation. Furthermore, although internal audit is described as a global pro-
fession with a single, unifying set of standards, research on internal audit teams around
the globe rarely generates identical results (e.g., Eulerich and Ratzinger-Sakel 2018).
Indeed, internal auditors are influenced by their organizational and geographical cultures.
This creates additional challenges when audit teams comprise auditors from different
geographical areas, which is common in multinational organizations. Although training
and annual meetings might mitigate the potential differences in a global audit team, it is
still unknown if the combination of individual knowledge and culture affect the audit out-
come. In addition, it would be important to understand whether the culture of the individ-
ual auditors completing an audit project influences the extent to which the CAE or other
stakeholders (e.g., management or the board of directors) relies on the audit work
performed.
Based on insights from participants regarding knowledge sharing, we suggest the
following research question for future exploration:
RESEARCH QUESTION 8. What staffing arrangements (e.g., outsourcing, cosourcing, in-

house, MTG, etc.) best facilitate learning, growth, and improvements in IAF
effectiveness?
Value Proposition and Perceived Value

As the previous discussion has shown, IAFs are continually striving to develop or recruit
the right talent mix to respond to the evolving risks that emerge as their organizations
embrace technological innovation. As such, stakeholders’ perceptions of and relation-
ships with the IAF are increasingly important. Many IAFs strive to be considered “trusted
advisors,” not organizational “watch dogs” (Chambers 2017). PricewaterhouseCoopers
(PwC 2016, 2) describes an IAF acting as a trusted advisor as “providing value-added
services and proactive strategic advice to the business well beyond the effective and effi-
cient execution of the audit plan.” This requires IAF staff to possess the right attitude,
behavior, knowledge, skills, and experience to be able to assess and mitigate risks, create
business value through process optimization, prevent deterioration of value through the
safeguarding of assets, and pinpoint hidden business potential. For this purpose, some
IAFs place a stronger focus on the functional expertise of the IAF or implement and fos-
ter a new audit culture that stresses a solution-oriented approach focused on good, trustful
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)
relationships with audit clients with the goal of adding value for the IAF’s stakeholders.
For example, one CAE we interviewed described his IAF’s contribution as providing
transparency and support specifically for the C-suite in helping management control the
risks faced by the company when implementing new projects or strategies. Relatedly,
many auditors indicated that their IAFs were much more effective at mitigating risks
when they had a “seat at the table” when strategy was discussed. Even though an effec-
tive IAF should not have influence over the strategies implemented by the organization,
it can be very advantageous for the IAF to provide input on the risk and control consider-
ations needed when beginning a new endeavor.
However, there is scant academic research on these issues, probably in part because
it is difficult to observe and measure stakeholder perceptions such as trust. Furthermore,
it is inherently difficult to measure the value of the IAF because its perceived value likely
differs among stakeholders depending on their needs, expectations, and experiences
(Eulerich and Eulerich 2020). In the past, studies have investigated the IAF and its qual-
ity in relation to earnings management, disclosure of material weaknesses, management
misconduct, or financial reporting quality (Prawitt et al. 2009; Lin et al. 2011; Prawitt
et al. 2012; Ege 2015; Abbott et al. 2016; Bills et al. 2021) and focused on the relation-
ship with external auditors and their reliance on the IAF (see Felix et al. 2001; Prawitt
et al. 2011; Abbott et al. 2012; Bame-Aldred et al. 2013). But in many organizations, the
IAF provides assurance on much more than financial reporting; thus, the bigger questions
regarding whether the IAF adds value to the organization remain unanswered. Research
focused on the perceived value, relationships, and interactions with company internal
and/or external stakeholders therefore is overdue. To this end, it will be necessary to
identify concrete measures that can enhance trust between the IAF and its various stake-
holders and to examine the ways in which the IAF’s view of itself differs from or aligns
with the views of its stakeholders (see Trotman and Duncan 2018 for work in this area).
Moreover, an investigation of which activities are seen as value-adding, along with the
development of new concepts to measure added value, would be relevant.
As described, many IAFs strive to add value to the organization and be perceived as
a strategic partner. This relationship can have many benefits to both parties, most notably
that it can allow the IAF advanced knowledge of and input to strategic decisions that
may have implications for organizational risk and audit effectiveness. However, organiza-
tions must be mindful of the IAF’s need to remain independent and objective in all
regards. That is, the IAF cannot audit a process if it was instrumental in the implementa-
tion of that process. So, many auditors describe simply being in the room where deci-
sions are being made as the preferred strategy (Christ et al. 2019).
Discussions of IAF value often lead naturally to considerations of IAF size. As IAFs
take on more and varied responsibilities, (e.g., cybersecurity and privacy, auditing tech-
nological innovation, etc.), it seems likely that IAFs are clamoring for larger staff.
Indeed, in a post-SOX examination of IAF size, Anderson et al. (2012) find that having
an IT-focused mission is positively associated with using sophisticated audit technolo-
gies, among other factors. On the other hand, of course, audit technologies, including
RPA, could allow audit departments to become more efficient—executing audits with the
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

same or larger scopes with fewer auditors. Furthermore, the raw size of the IAF does not
say anything about its qualification or quality. Especially with respect to technology-
related risks and tools, it is likely more important to consider the certifications and exper-
tise of the individual internal auditors rather than the numbers. Thus, there is a need for
new IAF size research in light of these significant changes.
Questions of how IAF size relates to IAF value are also complicated by the varied
nature of IAF missions (Anderson and Christ 2014). For example, some companies inten-
tionally employ a small IAF instead of continually striving for a larger budget and
employee base. One CAE explained his approach as explicitly focusing on “bigger
issues,” meaning that the IAF is mostly concerned with major threats to the continuing
existence of the company and subsequently established a comparatively higher material-
ity threshold. It follows that certain entities within the company are not included in the
audit plan because they do not meet the materiality threshold. With the mindset of focus-
ing on overarching systems and processes rather than on individual, small-scale risks, a
limited number of internal audit staff can audit a multi-billion-dollar company. For exam-
ple, this CAE takes the view that incorrect travel expense reports are not a material threat
to the company, while strategic risks, such as missing the development of the right prod-
ucts or conducting unfavorable acquisitions, have the potential to cause material damage
if they are not managed appropriately. At this company, the IAF thus displays a strong
strategic focus and relies on a capable second line of defense to reduce the time and
effort required to spend on operative risks. Given these divergent views on the appropri-
ate focus and size of the IAF, future research examining the effectiveness of these models
would be useful.
Thus, we recommend the following broad research questions be considered for future
examination:
RESEARCH QUESTION 9. What factors and IAF characteristics are most highly valued by
stakeholders?
RESEARCH QUESTION 10. How can IAF value be measured effectively?
RESEARCH QUESTION 11. What is the “right size” of an IAF given the technological
changes that have occurred in the last decade?
Agile Auditing
IIA standards require that the IAF’s effectiveness and effiency be assessed and related
improvement opportunities be identified regularly (e.g., Standard 1300: Quality Assur-
ance and Improvement Program). The need to comply with the standards, coupled with
economic concerns and resource constraints, seem to have prompted many of our partici-
pants to focus on increasing audit effectiveness and efficiency. Thus, the third broad area
we raise for further academic inquiry relates to IAFs’ use of agile auditing techniques.
Respondents indicated that they want to focus resources on content-related audit
work, so they are streamlining their functions using lean techniques. In particular, many
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)
respondents mentioned taking an agile approach to auditing, where tasks are divided into
comparatively short phases of work and audit plans are frequently reassessed and
adapted. Agile has been a “hot topic” for internal auditors for the past several years. It
borrows principles from software development, focusing on short sprints and the ability
to pivot to different projects as needed. This approach allows the IAF to be more respon-
sive to the needs of the organization, which can make it more of a value-adding function.
However, this methodology is a far cry from the traditional administration of an annual
audit plan that schedules audit activities based on preset priorities at the beginning of the
year. Participants describe a steep learning curve associated with implementing agile
methodologies and indicate that effective implementation requires a different mindset
among the audit staff.
Some participants also describe using Scrum methods for iterative processes,
suggesting that IAFs are willing to think outside of the box to improve their audit effi-
ciency and effectiveness.9 In addition, participants described standardizing audit docu-
ments (e.g., an audit planning memorandum, audit checklists, templates for audit
documentation, etc.) to increase efficiency while simultaneously ensuring a uniform audit
process across a firm’s internal audit locations and enhancing the traceability of the steps
performed during an audit. Standardized and centralized templates that do not leave much
room for interpretation should help auditors save valuable time while achieving compara-
ble, high-quality results. However, these templates may also cause individuals to adopt a
“checkbox” mentality and not engage in deep thinking on difficult problems.
Research is needed to investigate how agile and lean approaches change the IAF’s
work and explore the potential of such methods for improving the profession. Questions
regarding the actual gains in efficiency and the trade-off between standardization and a
possible loss of flexibility should be addressed. For this purpose, the ongoing debate sur-
rounding internal audit effectiveness should be complemented by studies investigating
measures of IAF efficiency, as both concepts go hand in hand. Thus, we propose the fol-
lowing question:
RESEARCH QUESTION 12. What factors are associated with IAFs’ use of agile
(or similar) audit methodologies, and what are the effects of using such
methodologies?
4. DISCUSSION AND CONCLUSION

The motivation for this study is to expand knowledge and understanding of the IAF by dis-
cussing innovations that IAFs are implementing now or in the not-too-distant future. Our
hope is that discussing these innovations will spur further research about the IAF. By sur-
veying and interacting with internal audit practitioners, we identified areas of importance to
the profession—namely, IT, staffing and personnel development, and agile auditing—which
are currently undergoing significant changes and thus warrant rigorous academic study.
9. Scrum is a framework that individuals can use to address complex adaptive problems. For a discussion
of Scrum, see https://www.scrum.org/resources/what-is-scrum.
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

Research should aim to inform and shape practice by providing valuable insights that
can be acted upon. However, among the highly ranked general interest journals, there is
a noticeable deficit of research studying internal audit. Despite repeated calls for more
research, only a limited number of studies from the past 15 years have focused explicitly
on internal auditing. Furthermore, many of the published studies view internal auditing
as a factor mainly to be studied in relation to external auditing. We propose that internal
auditing should be considered a worthy research topic in and of itself, as little is known
about the dynamics within the IAF, the relationships to other internal audit stakeholders,
and their effects on the company. At the same time, we acknowledge the difficulty
researchers face in generating or accessing data on internal auditing. In contrast to exter-
nal auditors, many of which work for the Big 4 audit firms, internal auditors are not con-
centrated in large numbers in a handful of well-known companies. This presents a
challenge when trying to find potential survey respondents and participants for experi-
ments. In addition, as there are no regulations requiring companies to disclose informa-
tion on their IAFs, and internal auditors themselves do not issue publicly available
opinions, a lack of archival data further hampers research efforts. Since the existing
research is insufficient to demonstrate the potential usefulness and impact of the internal
audit profession, regulators likely have no incentive to change disclosure requirements
and ensure that companies are taking a conscious look at their existing and nonexisting
IAFs. We encourage researchers to conduct field studies, experimental, survey, design
science, and interview studies to remedy the shortage of archival data. This type of
research also forces researchers to reach out and connect with internal audit practi-
tioners—which also provides the opportunity to listen to practitioners’ experiences, opin-
ions, and concerns—so that, hopefully, not only will research inspire practice, but
practice will also guide research.
Our findings are of value to practicing internal auditors as well as to academic
researchers as they enable internal auditors throughout the world and across industries to
understand new and innovative practices with the potential to add value and increase the
stature of the profession. Academic researchers can benefit from the insights provided on
the current state of the art in internal audit as they open up new research avenues. Fur-
thermore, in-depth study of the advantages and disadvantages of innovative internal audit
practices can in turn be useful to internal auditors and standard setters, who will benefit
from understanding current developments and innovations to determine the future of
internal auditing.
DATA AVAILABILITY STATEMENT

Requests for data may be made to the authors.
REFERENCES
Abbott, L. J., B. Daugherty, S. Parker, and G. F. Peters. 2016. Internal audit quality and financial
reporting quality: The joint importance of independence and competence. Journal of Account-
ing Research 54 (1): 3–40.
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

Abbott, L. J., S. Parker, and G. F. Peters. 2012. Audit fee reductions from internal audit-provided
assistance: The incremental impact of internal audit characteristics. Contemporary Accounting
Research 29 (1): 94–118.
Abdolmohammadi, M. 2013. Correlates of co-sourcing/outsourcing of internal audit activities.
Auditing: A Journal of Practice & Theory 32 (3): 69–85.
Ahlawat, S. S., and D. J. Lowe. 2004. An examination of internal auditor objectivity: In-house
versus outsourcing. Auditing: A Journal of Practice & Theory 23 (2): 147–58.
Anderson, U., M. H. Christ, K. Johnstone, and L. Rittenberg. 2012. A post-SOX examination of
the factors associated with the size of internal audit functions. Accounting Horizons 26 (2):
167–91.
Anderson, U. L., and M. H. Christ. 2014. Internal audit. In The Routledge Companion to Auditing,
edited by D. Hay, W. R. Knechel, and M. Willekens, 230–39. Abingdon, UK: Routledge.
Austin, A., T. Carpenter, M. Christ, and C. Nielson. 2021. The data analytics journey: Interactions
among auditors, managers, regulation, and technology. Working paper, University of Georgia.
Bame-Aldred, C. W., D. M. Brandon, W. F. Messier, L. E. Rittenberg, and C. M. Stefaniak.
2013. A summary of research on external auditor reliance on the internal audit function.
Auditing: A Journal of Practice 32 (S1): 251–86.
Barrett, M., D. Cooper, and K. Jamal. 2005. Globalization and the coordination of work in multi-
national audits. Accounting, Organizations and Society 30 (1): 1–24.
Basu, S. 2012. How can accounting researchers become more innovative? Accounting Horizons
26 (4): 851–70.
BBC. 2021. US companies hit by “colossal” cyber-attack, BBC, July 3, https://www.bbc.com/
news/world-us-canada-57703836
Bean, R. 2021. Why is it so hard to become a data-driven company? Harvard Business Review,
February 5, https://hbr.org/2021/02/why-is-it-so-hard-to-become-a-data-driven-company
Behrend, J., and M. Eulerich. 2019. The evolution of internal audit research: A bibliometric analy-
sis of published documents (1926–2016). Accounting History Review 29 (1): 103–39.
Behrend, J., and M. Eulerich. 2021. Breaking the barrier—On the use of joint audits in the inter-
nal audit profession. Working paper, University of Duisburg-Essen.
Bennett, G. B., and R. C. Hatfield. 2018. Staff auditors’ proclivity for computer-mediated commu-
nication with clients and its effect on skeptical behavior. Accounting, Organizations and Society
68: 42–57.
Bills, K. L., H. W. Huang, Y. H. Lin, and D. A. Wood. 2021. Internal auditor turnover, financial
reporting quality, and audit risk assessment. Working paper, Michigan State University,
National Cheng-Kung University, Monash University, and Brigham Young University.
Bierstaker, J., L. Chen, M. H. Christ, M. Ege, and N. Mintchik. 2012. Obtaining assurance for
financial statement audits and control audits when aspects of the financial reporting process
are outsourced. Auditing: A Journal of Practice & Theory 32 (SP1): 209–50.
Brandon, D. M. 2010. External auditor evaluations of outsourced internal auditors. Auditing: A
Journal of Practice & Theory 29 (2): 159–73.
Burton, F. G., S. A. Emett, C. A. Simon, and D. A. Wood. 2012. Corporate managers’ reliance on
internal auditor recommendations. Auditing: A Journal of Practice & Theory 31 (2): 51–166.
Burton, F. G., M. W. Starliper, S. L. Summers, and D. A. Wood. 2014. The effects of using the
internal audit function as a management training ground or as a consulting services provider
in enhancing the recruitment of internal auditors. Accounting Horizons 29 (1): 115–40.
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

Burton, F. G., S. L. Summers, T. J. Wilks, and D. A. Wood. 2021a. Do we matter? The attention
policy makers, academics, and the general public give to accounting research. Issues in
Accounting Education 36 (1): 1–22.
Burton, F. G., S. L. Summers, T. J. Wilks, and D. A. Wood. 2021b. Creating relevance of
accounting research (ROAR) scores to evaluate the relevance of accounting research to prac-
tice. Accounting Horizons, forthcoming.
Carcello, J. V., M. Eulerich, A. Masli, and D. A. Wood. 2018. The value to management of using
the internal audit function as a management training ground. Accounting Horizons 32 (2):
121–40.
Carcello, J. V., M. Eulerich, A. Masli, and D. A. Wood. 2020. Are internal audits associated with
reductions in perceived risk? Auditing: A Journal of Practice and Theory 39 (3): 55–73.
Carlisle, M. 2021. Auditors’ evaluation of evidence: The effect of communication channel and
management competence information. Working paper, Case Western Reserve University.
Chambers, R. 2017. Trusted Advisors: Key Attributes for Outstanding Internal Auditors.
Altamonte Springs, FL: IAA.
Christ, M. H., S. Emett, S. Summers, and D. A. Wood. 2021. Prepare for takeoff: Improving audit
efficiency and effectiveness with drone-enabled inventory audit procedures. Review of
Accounting Studies, forthcoming. https://link.springer.com/content/pdf/10.1007/s11142-020-
09574-5.pdf
Christ, M. H., M. Eulerich, and D. A. Wood. 2019. Internal auditors’ response to disruption
and innovation. Altamonte Springs, FL: IIAF. http://theiia.mkt5790.com/Responseto
DisruptiveInnovation
Christ, M. H., A. Masli, N. Y. Sharp, and D. A. Wood. 2015. Rotational internal audit programs
and financial reporting quality: Do compensating controls help? Accounting, Organizations
and Society 44: 37–59.
Cooper, L. A., D. K. Holderness, T. Sorensen, and D. A. Wood. 2019. Robotic process automa-
tion in public accounting. Accounting Horizons 33 (4): 15–35.
Cooper, L. A., D. K. Holderness, T. Sorensen, and D. A. Wood. 2021. Perceptions of robotic pro-
cess automation in Big 4 public accounting firms: Do firm leaders and lower-level employees
agree? Journal of Emerging Technologies in Accounting, forthcoming.
Dechow, P., B. Ezzell, T. Harris, P. Healy, R. Kaplan, R. Lambert, R. Libby, P. Munter, R.
Sloan, R. Swieringa, D. A. Wood, and T. Yohn 2018. AAA Research Relevance Task Force:
Recommendations, https://aaahq.org/Portals/0/documents/Task-Force/2018%20Research%
20Relevance%20Task%20Force%20Report.pdf?ver=2018-07-26-135928-413
DeFond, M., and J. Zhang. 2014. A review of archival auditing research. Journal of Accounting
and Economics 58 (2–3): 275–326.
Deloitte. 2019. Internal audit insights 2019—High-impact areas of focus, https://www2.deloitte.
com/content/dam/Deloitte/de/Documents/risk/Internal%20Audit%20High%20Impact%
20Areas%20of%20Focus%20Jan%202019%20Final.pdf
Desai, N. K., G. J. Gerard, and A. Tripathy. 2011. Internal audit sourcing arrangements and reli-
ance by external auditors. Auditing: A Journal of Practice & Theory 30 (1): 149–71.
E&Y (Ernst & Young). 2017. Audit quality: A globally sustainable approach, https://www.ey.
com/Publication/vwLUAssets/ey-thumbnail-audit-quality-a-globally-sustainable-approach/
$File/ey-audit-quality-a-globally-sustainable-approach.pdf
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

ECIIA (European Confederation of Institutes of Internal Auditing). 2019. Risk in focus 2019—
Hot topics for internal auditors, https://www.eciia.eu/wp-content/uploads/2019/02/Risk-in-
Focus_2019.pdf
Ege, M. S. 2015. Does internal audit function quality deter management misconduct? The
Accounting Review 90 (2): 495–527.
Ege, M. S., T. A. Seidel, M. Sterin, and D. A. Wood. 2021. The influence of management’s inter-
nal and external audit experience on real earnings management. Working paper, Texas A&M
University, Brigham Young University, Texas State University, and Brigham Young
University.
Eulerich, A., and M. Eulerich. 2020. What is the value of internal auditing? A literature review on
qualitative and quantitative perspectives. Maandblad voor Accountancy en Bedrijfseconomie
94 (3/4): 83–92.
Eulerich, M., and A. Kalinichenko. 2018. The current state and future directions of continuous
auditing research: An analysis of the existing literature. Journal of Information Systems 32
(3): 31–51.
Eulerich, M., J. Kremin, K. K. Saunders, and D. A. Wood. 2021. Internal audit stigma awareness
and internal audit outcomes: Stuck between a rock and a hard place. Working paper, Univer-
sity of Duisburg-Essen, Portland State University, University of Nebraska-Lincoln, and Bri-
gham Young University.
Eulerich, M., A. Masli, J. Pickerd, and D. A. Wood. 2021. The use of technology-based audit
techniques and its impact on audit outcomes. Working paper, University of Duisburg-Essen,
University of Kansas, University of Mississippi, and Brigham Young University.
Eulerich, M., J. Pawlowski, N. J. Waddoups, and D. A. Wood. 2021. Using robotic process auto-
mation for audit tasks: Use cases and framework guidance for evaluation. Contemporary
Accounting Research, forthcoming.
Eulerich, M., and N. Ratzinger-Sakel. 2018. The effects of cultural dimensions on the internal
audit function—A worldwide comparison of internal audit characteristics. Corporate Ownership &
Control 15 (3–1): 217–29.
Eulerich, M., M. Wagener, and D. A. Wood. 2021. Evidence on internal audit effectiveness from
transitioning to remote audits because of COVID-19. Working paper, University of Duisburg-
Essen and Brigham Young University.
Felix, W. L., Jr., A. A. Gramling, and M. J. Maletta. 2001. The contribution of internal audit as a
determinant of external audit fees and factors influencing this contribution. Journal of
Accounting Research 39 (3): 513–34.
Glover, S. M., D. F. Prawitt, and D. A. Wood. 2008. Internal audit sourcing arrangement and the
external auditor’s reliance decision. Contemporary Accounting Research 25 (1): 193–213.
Gramling, A. A., M. J. Maletta, A. Schneider, and B. K. Church. 2004. The role of the internal
audit function in corporate governance: A synthesis of the extant internal auditing literature
and directions for future research. Journal of Accounting Literature 23: 194–244.
Hawkins, E. M. 2021. When auditors’ skeptical judgments do not lead to skeptical actions. Working
paper, Clemson University.
Hoos, F., W. F. Messier Jr., J. L. Smith, and P. R. Tandy. 2018. An experimental investigation of
the interaction effect of management training ground and reporting lines on internal auditors’
objectivity. International Journal of Auditing 22 (2): 150–63.
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

IIA (Institute of Internal Auditors). 2020. The IIA’s three lines model: An update of the three lines
of defense, https://global.theiia.org/about/about-internal-auditing/Public%20Documents/
Three-Lines-Model-Updated.pdf
IIARF (Institute of Internal Auditors Research Foundation). 2003. Research Opportunities in
Internal Auditing. Altamonte Springs, FL: IIARF.
ISACA. 2016. State of cybersecurity: Implications for 2016, https://www.isaca.org/cyber/
Documents/state-of-cybersecurity_res_eng_0316.pdf
James, K. L. 2003. The effects of internal audit structure on perceived financial statement fraud
prevention. Accounting Horizons 17 (4): 315–27.
Jans, M., M. G. Alles, and M. A. Vasarhelyi. 2014. A field study on the use of process mining of
event logs as an analytical procedure in auditing. The Accounting Review 89 (5): 1751–73.
Jans, M., and M. Hosseinpour. 2019. How active learning and process mining can act as Continu-
ous Auditing catalyst. International Journal of Accounting Information Systems 32: 44–58.
Jibilian, I., and K. Canalees. 2021. The US is readying sanctions against Russia over the
SolarWinds cyber attack. Here’s a simple explanation of how the massive hack happened and
why it’s such a big deal. Business Insider Online, April 15, https://www.businessinsider.com/
solarwinds-hack-explained-government-agencies-cyber-security-2020-12
Kaplan, R. S. 2019. Reverse the curse of the top-5. Accounting Horizons 33 (2): 17–24.
Kotb, A., A. Sangster, and D. Henderson. 2014. E-business internal audit: The elephant is still in
the room! Journal of Applied Accounting Research 15 (1): 43–63.
KPMG. 2009. KPMG’s 2009 IT internal audit survey: The status of IT audit Europe, the Middle
East and Africa, https://www.iia.nl/SiteFiles/130678_IT_audit_survey_WEB_accessible.pdf
Lenz, R., and U. Hahn. 2015. A synthesis of emperical internal audit effectiveness literature
pointing to new research opportunities. Managerial Auditing Journal 30 (1): 5–33.
Li, P., D. Y. Chan, and A. Kogan. 2016. Exception prioritization in the continuous auditing environ-
ment: A framework and experimental evaluation. Journal of Information Systems 30 (2): 135–57.
Limor, R. M. 2014. Do social biases impede auditor reliance on specialists? Toward a theory of
social similarity. University of South Florida, Graduate Theses and Dissertations, https://
scholarcommons.usf.edu/etd/5062
Lin, S., M. Pizzini, M. Vargus, and I. R. Bardhan. 2011. The role of the internal audit function in
the disclosure of material weaknesses. The Accounting Review 86 (1): 287–323.
Messier, W. F., K. Reynolds, C. A. Simon, and D. A. Wood. 2011. The effect of using the inter-
nal audit function as a management training ground on the external auditor’s reliance deci-
sion. The Accounting Review 86 (6): 2131–54.
Miller, P. K., and L. E. Rittenberg. 2016. The Politics of Internal Auditing. Altamonte Springs,
FL: IIARF.
Moser, D. V. 2012. Is accounting research stagnant? Accounting Horizons 26 (4): 845–50.
Norman, C. S., A. M. Rose, and J. M. Rose. 2010. Internal audit reporting lines, fraud risk
decomposition, and assessments of fraud risk. Accounting, Organizations and Society 35 (5):
546–57.
Perols, J. L., R. M. Bowen, C. Zimmermann, and B. Samba. 2017. Finding needles in a haystack:
Using data analytics to improve fraud prediction. The Accounting Review 92 (2): 221–45.
Pickard, M. D., R. Schuetzler, J. Valacich, and D. A. Wood. 2020. Innovative accounting inter-
viewing: A comparison of real and virtual accounting interviewers. The Accounting Review
95: 339–66.
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

Power, M., and Y. Gendron. 2015. Qualitative research in auditing: A methodological roadmap.
Auditing: A Journal of Practice and Theory 34 (2): 147–65.
Prawitt, D. F., N. Y. Sharp, and D. A. Wood. 2011. Reconciling archival and experimental
research: Does internal audit contribution affect the external audit fee? Behavioral Research
in Accounting 23 (2): 187–206.
Prawitt, D. F., N. Y. Sharp, and D. A. Wood. 2012. Internal audit outsourcing and the risk of mis-
leading or fraudulent financial reporting: Did Sarbanes-Oxley get it wrong? Contemporary
Accounting Research 29 (4): 1109–36.
Prawitt, D. F., J. L. Smith, and D. A. Wood. 2009. Internal audit quality and earnings manage-
ment. The Accounting Review 84 (4): 1255–80.
PwC (PricewaterhouseCoopers). 2016. The eight attributes: Delivering internal audit excellence as
stakeholders expect more, https://www.pwc.ru/ru/riskassurance/assets/internal-audit/effective-
internal-audit-functions-en.pdf
Rajgopal, S. 2020. Integrating practice into accounting research. Management Science 67 (9):
5430–54.
Roussy, M., and A. Perron. 2018. New perspectives in internal audit research: A structured litera-
ture review. Accounting Perspectives 17 (3): 345–85.
Salijeni, G., A. Samsonova-Taddei, and S. Turley. 2019. Big data and changes in audit technol-
ogy: Contemplating a research agenda. Accounting and Business Research 49 (1): 95–119.
Saiewitz, A., and T. Kida. 2018. The effects of an auditor’s communication mode and profes-
sional tone on client responses to audit inquiries. Accounting, Organizations and Society 65:
33–43.
Shin, I. H., M. G. Lee, and W. Park. 2013. Implementation of the continuous auditing system in
the ERP-based environment. Managerial Auditing Journal 28 (7): 592–627.
Steinbart, P. J., R. L. Raschke, G. Gal, and W. N. Dilla. 2018. The influence of a good relation-
ship between the internal audit and information security functions on information security
outcomes. Accounting, Organizations and Society 71: 15–29.
Summers, S. L., and D. A. Wood. 2017. An evaluation of the general vs. specialist nature of top
accounting journals. Accounting Horizons 31 (2): 105–24.
Trotman, A. J., and K. R. Duncan. 2018. Internal audit quality: Insights from audit committee
members, senior management, and internal auditors. Auditing: A Journal of Practice & Theory
37 (4): 235–59.
Wall, E., L. M. Blaha, C. L. Paul, K. Cook, and A. Endert. 2018. Four perspectives on human
bias in visual analytics. In Cognitive Biases in Visualizations, edited by G. Ellis, 29–42.
Berlin: Springer.
Wood, D. A. 2016. Comparing the publication process in accounting, economics, finance, man-
agement, marketing, psychology, and the natural sciences. Accounting Horizons 30 (3):
341–61.
AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

Copyright of Accounting Perspectives is the property of Canadian Academic Accounting
Association and its content may not be copied or emailed to multiple sites or posted to a
listserv without the copyright holder's express written permission. However, users may print,
download, or email articles for individual use.

New Frontiers For Internal Audit Research MEI 2023

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

New Frontiers For Internal Audit Research MEI 2023

Uploaded by

Copyright:

Available Formats

New Frontiers for Internal Audit Research*

MARGARET H. CHRIST, University of Georgia†

NOUVELLES FRONTIÈRES DANS LE DOMAINE DE LA RECHERCHE SUR

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021) pages 449–475 © CAAA/ACPC

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

3. AREAS FOR FUTURE RESEARCH

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

Data Analytics and Automation

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

RESEARCH QUESTION 3. How do the quality, effectiveness, and efﬁciency of remote

Cybersecurity and Data Privacy

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

Stafﬁng and Personnel Development

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

company-wide connections. Different measures and programs that involve nonauditors in

Recruitment from Multidisciplinary Backgrounds

RESEARCH QUESTION 8. What stafﬁng arrangements (e.g., outsourcing, cosourcing, in-

Value Proposition and Perceived Value

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

RESEARCH QUESTION 10. How can IAF value be measured effectively?

4. DISCUSSION AND CONCLUSION

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

DATA AVAILABILITY STATEMENT

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

You might also like

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021) pages 449–475 © CAAA/ACPC

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)

AP Vol. 20 No. 4 — PC vol. 20, n 4 (2021)