THE ROLE OF INTERNAL AUDITING IN MOMENTS OF TRUTH

Word count: 21.829

Brecht Bergs

Student number: 01407829

Supervisor: Prof. dr. Gerrit Sarens

Master’s Dissertation submitted to obtain the degree of: Master of Science in Business Engineering

Academic year: 2017 – 2018

PERMISSION

I declare that the content of this Master’s Dissertation may be consulted and/or reproduced,

provided that the source is referenced.

Name student: Brecht Bergs

Signature

Preface

Writing a master’s dissertation is the closure of every master’s degree and my case is no exception.

With this text I’m wrapping up five years of university, a lot of classes, even more group

assignments and a large pile of coursebooks. Did I become so much more intelligent than five years

ago? Do I have a large amount of knowledge piled up in the back of my head? I sure hope so, but

more importantly, I feel like a different person. I strongly believe that university has raised me to

levels that I would otherwise never have reached. Not only did I learn to think critically, I’ve

adopted a more analytical way of approaching problems, thinking about the underlying

mechanisms that explain our world and that make every problem fall apart into more simple

particles. I’ve learned to work together in a group of people with different talents and different

visions but with the same objective. And now, I’ve experienced how it is to complete a 2-year

project on my own, without any coursebook to guide me, and no available solution for the problem

that I wanted to solve.

A master’s dissertation is like every project. There are ups and there are downs, sometimes you

feel like you haven’t made any progress for weeks, and the next moment, your head is bursting

with ideas and insights, coming so fast at you that you don’t even have the time to write everything

on a piece of paper. I really hope that my research might prove useful to someone, giving them

inspiration or sparking new questions that are waiting for an answer.

I would like to express my gratitude towards my supervisor, Gerrit Sarens, for guiding me through

this experience. I strongly believe that he found the perfect balance between giving me the

freedom to do my own research and exploring my ideas, while also providing me with a framework,

keeping track of time and telling me when I was running out, but also pointing at new things to

look into when I was at a dead end with some of my ideas.

Furthermore, I would also like to thank the participants of my interviews for their time and interest

in my research. Not only did they help me get the information I needed, they have also motivated

me to dig into the data, trying to find patterns and how they are connected.

Table of contents

Preface
Table of contents
List of abbreviations
List of illustrations
Research questions
Introduction
Literature review
    Origin of auditing
        Historical perspective
        Agency theory
    Development of internal auditing
        Early stages
        Industrial revolution
        The Institute of Internal Auditors
        Sarbanes-Oxley Act
    Definition of internal audit
        Independent and objective
        Assurance and consultancy
        Add value and improve an organization’s operations
        Helps to accomplish objectives
        Risk management, control and corporate governance
    Effectiveness of the IAF
        Subjectivity of effectiveness
            Source 1: Point of view
            Source 2: Expectations of management (stakeholders)
        Measuring effectiveness
        Drivers of effectiveness
            Independence and objectivity
            Support by top management
            Audit committee (AC)
            Other
Research analysis
    Profile of the participants
    Methodology
    Limitations of the methodology
    Reported moments of truth and the role of internal audit
    Attributes of the consulting cluster
    Characteristics of IAFs in consulting cluster
        Going beyond reviewing and reporting
        Proactive approach
        Partnership with (top) management
        Audit plan
        Alignment with strategy and vision of organization
        Independency
Conclusion
References
Appendix

List of abbreviations

AC: Audit Committee

IA: Internal Auditing

IAF: Internal Audit Function

IIA: The Institute of Internal Auditors

SEC: Securities and Exchange Commission

SOX: Sarbanes-Oxley

List of illustrations

Charts

Chart 1: Number of reported moments by each IAF
Chart 2: Number of sources by each moment
Chart 3: Measures for independency as explicitly expressed by IAFs with role in moments of truth

Dendrograms

Dendrogram 1: Similarity of IAFs based on coding of reported moments
Dendrogram 2: Cases based on attributes

Tables

Table 1: Activities of the participants as described throughout the interview
Table 2: Overview of the participants, their department and the organization (a)
Table 3: Overview of the participants, their department and the organization (b)
Table 4: Overview of the participants, their department and the organization (c)
Table 5: Detailed overview of the moments of truth, the role of internal audit and the corresponding IAFs
Table 6: Overview of the change as discussed in the interviews

Project maps

Project map 1: Relationships between the two roles and the cases
Project map 2: Cases with a positive perception towards improvement
Project map 3: Perception of IAF
Project map 4: Characteristics of audit plan and link with cases
Project map 5: Overview of the links between moments of truth and the role (Consulting role as we will describe it later)
Project map 6: Overview of the links between moments of truth and the role (Assurance role as we will describe it later)

Figures

Figure 1: The Three Lines of Defense Model (The IIA, 2013)

Research questions

a. Does internal audit have a role in moments of truth in Belgian companies?

b. What is the role of internal audit in moments of truth in Belgian companies?

c. What are the characteristics of an internal audit department that is involved in moments

of truth?

Introduction

Does the world actually know how to use internal auditing? Internal audit has changed a lot since

its origin, making it a whole different profession than it used to be, adding new activities and

increasing its scope throughout the years. The function has always tried to react to changing

environments and changing needs of its stakeholders. A part of the value of the profession should

definitely be credited to this flexibility in role and activities. It seems like companies keep on finding

new ways to use internal audit, just adding more roles to the function or applying new approaches.

However, it appears that recently two trends have become a certainty: first, the perception of

internal audit is improving significantly and therefore internal audit is moving closer to

management, and second, the function is partly becoming an internal consultant.

This evolution gave rise to our research and research questions. If the function has become an

internal consultant that is perceived as a partner of the management, does the function then also

have a role in critical moments for the company? If so, what exactly is the role of the function in

those moments of truth? And at last, if we do find that some IAFs are involved in those moments,

what are possible characteristics that can explain why they are involved? Note that we deliberately

choose to not include financial institutions in our research. The reason is that those internal audit

departments are much more regulated, and they have not experienced the same evolution. This

evolution is the fundamental idea behind our research and therefore it would simply be a waste

of time.

To our knowledge, no research has been conducted regarding the role of internal audit

in those moments of truth. The evolution of internal audit towards a more strategic role has been

documented but our research aims to obtain a list of moments in which internal audit can be

useful, a range of corresponding roles to add value to the moment and an overview of aspects that

should be considered when the function wants to take this role in those moments.

The first part of our literature review follows the history of internal audit chronologically. We start by

looking for potential reasons and needs that explained the development of the function. This gives

a good idea of the goal(s) of the profession. As we have said before in the introduction, the function

has changed a lot during its history, evolving continuously based on the needs of the stakeholders.

We have listed and discussed the most important events and evolutions up until the definition as

it is now. We have analyzed and reviewed the different parts of the definition. This part of our

literature review has proved to be specifically important for our research, since it discusses the added

value of the function, as well as the trend towards internal consultancy and a strategic role of

internal audit.

Adding value has become increasingly important for internal audit and is closely linked to the

consulting role of the function. Since the evolution towards internal consultancy gave rise to our

research questions, we wanted to look into the added value. The value of internal audit is hard to

measure since it cannot be expressed as a monetary value. We used effectiveness as an

approximation of the added value because one can’t add value when it isn’t effective. The

perception of the stakeholders regarding this effectiveness will be very important. In our literature

review, we have looked for certain drivers of effectiveness that can be used to measure the added

value.

We deliberately choose to not include moments of truth in our literature review. First of all, there

is not a lot of academic literature that covers this subject, and especially not in combination with

internal audit. Furthermore, the list of these moments could become very large, of which a large

part might even be useless for our research, and we would still have not included everything,

maybe even moments that would be useful to us.

Literature review

Origin of auditing

Historical perspective

In his book, Brown (1971) discusses the close relationship between accounting and auditing¹ in

their initial stages. Both professions originate from the development of the system in which one

person is given the responsibility over someone else’s property. The former is expected to report

on his actions, which is a task of accounting, in order for the principal to get information about the

use of the resources. The owner of the funds, on the other hand, is recommended to establish

some kind of independent verification of the information provided. This verification has been

defined as auditing.

Historically, this system was used by governments for formally keeping record of their receipts and

disbursements, as well as the collection of taxes. As there were some concerns about the

competency and integrity of the officials, a system of verification was developed, which consisted

for example of two independent officials recording the same transactions, or giving an oral

presentation of their accounts (Brown, 1971; Porter, Simon, & Hatherly, 2014).

Agency theory

The agency theory is often used as a conceptual framework for internal audit in the academic

literature. Nevertheless, some researchers question the adequacy of the theory for internal audit

(Mihret, 2014; Spraakman, 1997), which suggests that the framework has some flaws.

The agency theory focuses on the relationship between the owners of the resources (principals)

and the people in charge of managing these resources (agents). The theory states that there might

arise different kinds of problems from the contractual separation of agent and principal, mainly

because both parties could have different objectives. In order to reach their own goals, agents are

likely to take the opportunity to maximize their own utility at every cost, even if they have to act

against the objectives of the principals. Principals will take actions in order to limit the agent’s

capability of doing so, while agents want to prove their loyalty towards the principals (Adams,

1994; Jensen & Meckling, 1976).

¹ In the early stages of auditing, there was no clear distinction between internal and external auditing. Until the part where we discuss the separation of both professions, we will use the term “auditing” or “internal audit” even though it also applies to external auditing.

Jensen and Meckling (1976) translate these problems into agency costs, which consist of

monitoring costs for the principal, such as audit fees, bonding costs for the agent and a residual

loss of value due to actions of the agent against the objectives of the principal. These costs should

be interpreted as a loss of utility for a party, and not just a cash outflow. For example, due to the

separation, the agent will also lose a part of the non-monetary benefits he would have when he

was the only claimholder. The general idea behind the agency theory is a trade-off for the principal

between the cost of controlling the agent and the cost of compensating the agent through bonuses

based on the company’s performance (Paletta & Alimehmeti, 2016).

In order to obtain a state of optimality, neither the agent, nor the principal should be able to

increase their utility at the expense of the other. Both principal and agent will face contracting

costs to reach this state, since they will both limit their maximum utility. These costs are connected

to the audit function and both parties will have to pay a part of these costs, since it will limit both

their capacity of maximising their own utility (Adams, 1994). We can expect the audit function to

increase the value of the company, since it will reduce the costs that are related to the separation

of principal and agent (Watts & Zimmerman, 1983).

Notice that the theory above can be extended to a wide range of contracts between “agents” and

“principals”, such as the relationship between equity owners and senior management, but also

between senior management and employees (Jensen & Meckling, 1976).

Development of internal auditing

The activities and responsibilities of the (internal) audit function have changed a lot since its early

stages, making it a whole different profession than it used to be. Even though the verification of

activities is still an important aspect of the practice, the width and depth of the profession have

increased significantly (Venables & Impey, 1991). Internal audit has experienced a continuous

evolution, reacting to changes in the demand of the environment and the stakeholders. However,

it is possible to distinguish a couple of external events that have led to an important revolution or

a series of changes in a short period of time.

Early stages

As discussed in the part of the historical origin of auditing, the function was mainly used by

governments in the beginning of its development. The objective of auditing was twofold:

governments were concerned that their officials would make mistakes during the process, but also

that there was a possibility some of them were corrupt and would commit fraud when given the

opportunity (Porter et al., 2014; Whittington, 1992).

Since most companies used to be just small businesses where the owner was also the manager

and was closely involved in the daily operations, the audit function was only scarcely represented

in private firms. Exceptions were railroad companies, the army and overseas trading companies.

They recognised the value of (internal) auditing a lot earlier than regular companies, with

responsibilities reaching a lot further than just verifying financial statements (Porter et al., 2014;

Ramamoorti, 2003).

Hence, from the point of view of the agency theory, there were no agency costs in the regular

firms, which explains why they did not use an (internal) audit function. Since there were no

regulations about the use of auditing at that moment, the companies that did have an audit

function had voluntarily established it. This is an important observation since it suggests that auditing

would also have been developed without governmental regulation. Based on the agency theory,

these companies must have been experiencing agency costs and relied on the audit profession to

add value to the company by providing the organisation with adequate tools for reducing these

costs (Watts & Zimmerman, 1983). In the next section, we will see that these companies were

actually ahead of their time because they were exposed to agency costs that other firms would

only start to experience in a later stage of the development of capitalism.

Industrial revolution

The roots of auditing go back a lot further than the Industrial Revolution of the 19th century, with

some traces going back as far as 4000 B.C. (Brown, 1971). Nevertheless, in academic literature, the

Industrial Revolution is considered to be a keystone moment in the history and development of

auditing and internal auditing. Due to the fact that the function barely changed or developed

between 4000 B.C. and the 19th century, this century is sometimes considered as the true origin of

auditing. More importantly, from this moment on, there will also be a clear distinction between

internal and external audit (Cascarino & van Esch, 2007; Porter et al., 2014).

The Industrial Revolution completely changed the way companies used to operate, resulting in an

enormous increase in the number, size and complexity of business transactions. The managers

that used to lead small companies where they were closely involved in the daily operations

struggled to keep up with the increasing amount of information they had to deal with, while also

being more remote from the actual activities of the firm. Therefore, the management had a critical

need for an independent function to help them control the organisation and reach its objectives.

An independent internal auditing function was established within the company with the

responsibility of providing a solution for these problems (Cascarino & van Esch, 2007; Ramamoorti,

2003; Venables & Impey, 1991). Shortly after its establishment, internal audit started executing

operational audit activities, in which it would provide assurance to the management about the

efficiency and effectiveness of the operations (Whittington, 1992).

If we return to the companies that already used auditing before the Industrial Revolution, as

discussed in the previous section, we clearly see that their activities were geographically

widespread. We could expect the remoteness of the manager from the actual operations to be an

important variable for the need for internal auditing. Furthermore, Whittington (1992) notices that

reliable information about the operations was of crucial importance in these types of companies.

Another important result of the Industrial Revolution was the rise of large capitalist firms and the

corresponding separation of owner and manager (Porter et al., 2014; The Editors of Encyclopaedia

Britannica, 2018). There is a direct link to the agency theory and agency costs as we have discussed

earlier.

The Institute of Internal Auditors

Another important moment in the development of the profession was the establishment of The

Institute of Internal Auditors in 1941. When the IIA was established in New York, their scope was

limited to internal audit functions within the US. Later, when companies started to grow into

multinationals, the ideas and knowledge of the IIA spread throughout the world (Cascarino & van

Esch, 2007).

In the years following the establishment of the IIA, the body managed to contribute to the

recognition of internal auditing as an independent function, rather than an extension of external

auditing (Ramamoorti, 2003).

The mission of the IIA is to provide a global framework for the professional practice of the internal

audit function, as well as the promotion and development within organisations (The Institute of

Internal Auditors, n.d.). The institute provides a global body of knowledge for practitioners by

issuing definitions and standards, as well as guiding research and education (Cascarino & van Esch,

2007; Ramamoorti, 2003). Whittington (1992) states that “the growth of IIA has paralleled the

recognition of IA as an essential control function in all types of organisations.”

The institute is not a regulatory body and the application of their standards and ideas is voluntary.

Nevertheless, they are a recognized authority for the professional practice of internal auditing and

their standards and statements are implemented in a vast number of organisations (Ramamoorti,

2003).

Sarbanes-Oxley Act

In the aftermath of a couple of major corporate and accounting scandals in the US, such as Enron

and WorldCom, the US government issued the Sarbanes-Oxley Act. The Act focused on publicly

traded firms, as well as the SEC and some privately held companies. The bill tried to restore the

confidence of investors by forcing companies to improve the accuracy and reliability of their

financial reporting. Sarbanes-Oxley promotes risk management and corporate governance

processes, but also regulates the establishment of an internal audit department within these

organizations (D. R. Hermanson & Rittenberg, 2003; Sarbanes & Oxley, 2002).

After the Sarbanes-Oxley Act, the internal audit profession experienced a high growth in their

scope and resources, since they were specialized in governance, risk management and internal

control, which happened to be the key areas of the Act (D. Hermanson, Ivancevich, & Ivancevich,

2008).

The management of a company is responsible for meeting the requirements of the Act by

establishing adequate processes. The internal audit can have a supporting role in ensuring that the

organization is compliant with the regulations. The profession should offer assurance to the

management, but without impairing their objectivity and independency, since these are also part

of the Act (Institute of Internal Auditors, 2004).

Prior to SOX, the approach adopted by the IAF was moving away from giving assurance to the

management towards a more consulting role within the organization. However, due to the

obligation of companies to comply with SOX, they had to spend a significant amount of time and

resources on meeting these regulatory requirements. The IAF was in the perfect position to assist

management in this matter since they had the required expertise and knowledge. As a result, the

organizations expected the function to offer support in complying with SOX. In the following years,

the function had to move back to its role as provider of assurance services, now with a focus on

compliance audit (Hass, Abdolmohammadi, & Burnaby, 2006; Sarens & De Beelde, 2006a).

Nevertheless, the IIA did not adapt its definition, which signifies that, possibly after complying with

the SOX, the IAF should continue to provide the organization with consulting services and keep the

same long-term orientation as it had before the SOX.

The implementation of the SOX requirements is not a one-time project and should rather be seen

as a continuous process. Sufficient attention should be paid to the ongoing improvement of the

established processes (Karagiannis, Mylopoulos, & Schwab, 2007).

Section 404 of the SOX Act has been very important for the IAF, since it requires every company

that is subject to the SOX Act to include an internal control report in their annual report. In this

internal control report, the responsibility of the management has to be stated regarding their duty

to establish and maintain an adequate system of internal control. Furthermore, the report should

also (internally) assess the effectiveness of the internal control that has been established.

Therefore, the SOX forces the top level of an organization to be aware of the risks that the company

is facing (Karagiannis et al., 2007; Sarbanes & Oxley, 2002; Sneller & Langendijk, 2007).

Definition of internal audit

Before defining the internal audit profession, it is crucial to notice that the function and its

responsibilities are defined by the expectations of the management of a certain organization.

Therefore, “definition” should be interpreted as “description”, rather than setting out the direction

and orientation of the profession. As a result, we might also experience a lot of diversity in the

established definition, according to the firm that is being viewed (Nagy & Cenker, 2002).

In this text, we will apply the definition issued by The Institute of Internal Auditors, because it is a

general definition that is open to interpretation. Furthermore, the definition is considered to be a

good representation of the current practice of internal audit. The definition issued by the IIA in

1999 is as follows (Institute of Internal Auditors, 1999):

“Internal auditing is an independent, objective assurance and consulting activity designed to add

value and improve an organization's operations. It helps an organization accomplish its objectives

by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk

management, control, and governance processes.”

One could extract some core characteristics of internal auditing that are recurring in most

organizations. Some could also be viewed as minimum requirements for a good practice of the

function.

o Independent and objective

o Assurance and consultancy

o Add value and improve an organization’s operations

o Helps to accomplish objectives

o Risk management, control and corporate governance

Independent and objective

Independency and objectivity are two crucial factors for an effective and value-adding practice of

the profession (D’Onza, Selim, Melville, & Allegrini, 2015). Due to the fact that an internal auditor

is an employee of the organization that he or she is reviewing, their objectivity and independency

are often questioned. Another aspect that might jeopardize the objectivity of the internal auditor

is their dual role of providing assurance services, as well as advisory activities to management.

Therefore, particular attention should be paid to ensure that both requirements are met (Stewart

& Subramaniam, 2010).

The IIA has put forward an interpretation of both concepts in their International Standards for the

Professional Practice of Internal Auditing:

“Independence is the freedom from conditions that threaten the ability of the internal audit activity

to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of

independence necessary to effectively carry out the responsibilities of the internal audit activity,

the chief audit executive has direct and unrestricted access to senior management and the board.

This can be achieved through a dual-reporting relationship. Threats to independence must be

managed at the individual auditor, engagement, functional, and organizational levels.” (The

Institute of Internal Auditors, 2016)

“Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements

in such a manner that they believe in their work product and that no quality compromises are made.

Objectivity requires that internal auditors do not subordinate their judgment on audit matters to

others.” (The Institute of Internal Auditors, 2016)

Stewart and Subramaniam (2010) remark that objectivity is a mindset, while

independency should safeguard the situation in which the auditor can perform his work objectively

and without impaired judgments.

Venables & Impey (1991) state that independency can be guaranteed when the role of the internal

auditor is limited to observing and recommending to the management, but that it should not be

the auditor’s decision to change anything about the subjects of their audit. Furthermore, the function

should be separated from all management functions and is recommended to be integrated at the

highest level in the organization’s structure (Bou-Raad, 2000; De Beelde, 2008; Venables & Impey,

1991). Finally, the independence can be secured when the internal audit function reports to both

the (top) management, as well as the audit committee (Allegrini et al., 2006).

Assurance and consultancy

There has been a clear trend in the activities of the IAF in which it is moving away from its

traditional role of providing assurance towards a more proactive role of advising the management

about improvements for the processes of the organization (Bou-Raad, 2000; Nagy & Cenker, 2002;

Ramamoorti, 2003; Tang, Yang, & Gan, 2017). The broadening of the scope has given the function

the opportunity to re-assess its responsibilities within a changing environment (Selim, Woodward,

& Allegrini, 2009).

Even though internal auditing continues to add value to the company through providing assurance

services, these activities, and especially financial audit, are now perceived to be part of

responsibilities of the external auditor (Nagy & Cenker, 2002).

Both the assurance and consulting role of the IAF will focus on the key areas of risk management,

internal control and corporate governance. While assurance services will focus on examining the

adequacy of the systems designed for these areas, the advisory role will try and recommend

improvements regarding efficiency and effectiveness of operations (Anderson, 2003; Bou-Raad,

2000; The Institute of Internal Auditors, 2016). The consulting activities can include internal control

design and implementation, but also business process (re)design (Tang et al., 2017). A main

difference between both approaches is that assurance assumes a reactive and protective role,

while advisory focusses on a proactive and activating role in which the internal auditor becomes a

partner of the management (Bou-Raad, 2000; Selim et al., 2009; Venables & Impey, 1991).

Many researchers have raised their concerns about including consulting activities in the scope of

the IAF, since it may influence the ability of the internal auditor to remain independent and

objective. These crucial aspects could be impaired because in their consulting role, the auditors

are supposed to work closely together with the management. Furthermore, the combination of

increasing responsibilities and a more competitive environment might put the function under

pressure, which could also be unfavorable (Ahmad & Taylor, 2009; Joe Christopher, Sarens, Leung,

& Christopher, 2009; Stewart & Subramaniam, 2010; The Institute of Internal Auditors, 2016).

Research has shown that some internal auditors tend to perform their consulting role by

providing advice in the best interests of their employer, instead of giving objective feedback

(Brody & Lowe, 2000). As we have mentioned in the previous section, independency and

objectivity can be ensured when the advisory role of the IAF is limited to suggesting improvements,

without taking any management responsibilities.

Add value and improve an organization’s operations

There are several approaches to measure the value that the IAF is adding to the organization. The

most widely used approach measures the perception of internal audit providers regarding their

contribution to the improvement of the operations. Other approaches include, among others, the

level of satisfaction of the stakeholders and compliance with the professional standards (D’Onza

et al., 2015).

The expectations of the IAF can vary significantly when looking at different groups of stakeholders.

For example, the audit committee will focus more on assurance regarding risk and control, while

operational management will seek advice about efficiency and effectiveness of (operational)

controls. The internal auditor has to allocate the available resources in order to meet a wide range

of demands of stakeholders, which can be conflicting (Anderson, 2003; Selim et al., 2009; The IIA

Research Foundation, 2003).

The IAF will perform both its assurance and consulting activities with the objective to add value to

the company and improve its operations. The focus for these activities consists of three key areas:

risk management, internal control and corporate governance, which span the whole company (D.

Hermanson et al., 2008). The contributions of the IAF to the evaluation of internal controls and risk

management are important factors for the added value of the profession (D’Onza et al., 2015).

For the IAF to be perceived as a value adding function within the company, it is crucial that its

strategy is in line with the demands of their stakeholders. Therefore, the internal auditor is

required to have significant knowledge about the company and the environment (Ernst & Young,

2012; Hass et al., 2006). Especially the consulting role of the IAF has increased the perception of a

value-adding function within the organization. Advisory has given the profession a more positive

image within the company since it is now more considered as a partner, rather than a watchdog

(Selim et al., 2009). Furthermore, an important factor that increases the perceived value of the IAF

is the flexibility of the profession in their roles and activities. In the past, the function has adapted

a lot by expanding its scope and reacting to a changing environment and different demands from

its stakeholders (Allegrini et al., 2006; Bou-Raad, 2000; Hass et al., 2006).

Helps to accomplish objectives

As we have already discussed, the demand for an internal audit function rose when companies

became larger and more complex. Therefore, most companies have a large set of corporate

objectives, policies and operational targets. The internal audit function is supposed to support

management in giving assurance on the implementation of all aspects of corporate objectives and

policies in the lower levels of the organization. If needed, the internal auditor can give advice to

management in their reports for better implementation (Venables & Impey, 1991). As a

consequence of the increase in advisory services, the IAF has positioned itself into a more strategic

role in the company. Business objectives have gained increased attention in the daily practices and

the IAF will strengthen the company as a whole (Allegrini et al., 2006; Bou-Raad, 2000). Internal

control will be an important tool in aligning with the business objectives, since its definition (see

further) states that internal control should pay attention to the effectiveness of operations (Spira

& Page, 2003).

Risk management, control and corporate governance

The internal audit function will try to add value to the organization by contributing to a more

effective risk management, (internal) control and corporate governance within the organization.

These three concepts are linked to each other, since an adequate internal control system can be

seen as a specific part of risk management, while both are key elements of the corporate

governance framework (Sarens & De Beelde, 2006a; Spira & Page, 2003).

The Committee of Sponsoring Organizations (COSO) has defined risk management as follows:

“A process, effected by an entity’s board of directors, management and other personnel,

applied in strategy setting and across the enterprise, designed to identify potential events

that may affect the entity, and manage risk to be within its risk appetite, to provide

reasonable assurance regarding the achievement of entity objectives” (Beasley, Hancock,

& Branson, 2009)

Selim and McNamee (1999) proposed a framework to analyze the way in which companies are

managing their risks that consists of risk assessment, risk management and risk communication. In

their opinion, the risk management deals with the decisions that have to be made concerning the

assessed risks and the consequences they might have for the success of the company. An

organization can deal with these risks by controlling, sharing/transferring, and/or

avoiding/diversifying them.

Risk management will try to combine the overall and operational objectives of the company with

the daily risks the organization is facing, in order to manage those risks correctly and add value

(Sarens & De Beelde, 2006a; Selim & McNamee, 1999). Since taking risk is inherent to doing

business, their management will be an important concern of every company. Companies have to

make decisions continuously and at every level of the organizations. Within a changing

environment and with more complex businesses, a significant amount of attention should be paid

to aligning risk management with corporate objectives. An integration of the risk management

throughout the organization will lead to faster growth and better performance (COSO, 2017).

Clearly, the IAF can assist the management and make significant contributions to the

implementation of risk management at all levels of the entity (Spira & Page, 2003). However, in

order to successfully complete this task, the internal auditors are supposed to have a good

understanding of the risks and the environment of the organization (Sarens & De Beelde, 2006a).

In the COSO framework, internal control has been defined as:

“Internal control is a process, effected by an entity’s board of directors, management, and

other personnel, designed to provide reasonable assurance regarding the achievement of

objectives relating to operations, reporting, and compliance.” (COSO, 2013)

In the light of increasing complexity and size of the organizations, the practice of (internal) auditing

quickly transformed from checking all transactions to verifying samples, because the examination

of every transaction was considered to be both impossible and unnecessary (Jeppesen, 1998).

In modern practice, the IAF focuses on the verification of internal control procedures, which is a risk

management tool, within the organization regarding adequacy and effectiveness. An important

objective within the COSO framework (2013) is to provide the management with more reliable

information that is used in their decision-making process. The need for such information, with a

focus on assurance services, has emerged particularly from the increase in technology (Bou-Raad,

2000; Ramamoorti, 2003; Venables & Impey, 1991). Other objectives include improving the

efficiency and effectiveness of the operations, and the compliance with laws, regulations and

policies (COSO, 2013).

COSO (2013) also suggests five components of internal control: control environment, risk

assessment, control activities, information and communication, and monitoring activities.

From the point of view of agency theory, applied to the relationship between manager and

employee, but also between board and management, internal control can be seen as a monitoring

mechanism that contributes to a decline in agency costs (Jensen & Meckling, 1976).

Internal control is a responsibility of the management and they rely on internal auditors to

examine and evaluate the adequacy and effectiveness of the internal control procedures (M.

Wood Company, n.d.; Sarens & De Beelde, 2006a).

The Organization for Economic Co-operation and Development (OECD) has defined corporate

governance as:

“A set of relationships between a company’s management, its board, its shareholders and

other stakeholders. Corporate governance also provides the structure through which the

objectives of the company are set, and the means of attaining those objectives and

monitoring performance are determined. Good corporate governance should provide

proper incentives for the board and management to pursue objectives that are in the

interests of the company and shareholders and should facilitate effective monitoring,

thereby encouraging firms to use resources more efficiently” (Organisation for Economic

Co-operation and Development Council, 1999).

Gramling et al. (2004) state that there are four groups that represent the stakeholders in a

company, which are the external auditor, the audit committee, management and the IAF. The

IAF will have a supporting role for the other “cornerstones”, due to their position and expertise

within the company. The role of the IAF in corporate governance can be seen as a monitoring

role, relating to the agency theory, or as a “tone at the top”, in which the management defines

the responsibilities and work domain of the corporate governance mechanisms (J. Cohen,

Krishnamoorthy, & Wright, 2002).

The IIA states that good corporate governance provides an overview of risk and control

processes, which is a responsibility of the management, for the stakeholders of the firm. The

goal is to ensure that the organization meets its strategic objectives and to ensure that

company value is preserved (D. R. Hermanson & Rittenberg, 2003; Rezaee, 2007). As we

discussed before, an effective risk management and internal control framework are key

drivers for good corporate governance.

Good corporate governance directly creates value for the company, since it is associated

with higher profits and less risk (Rezaee, 2007).

The IAF can contribute to transforming corporate governance from a regulation from above to

a regulation from inside. Within this new approach, risk management will have a crucial role

(Spira & Page, 2003). The IAF directly contributes to good corporate governance through

improving the quality of information, as well as the overall performance of the organization

(Gramling, Maletta, Schneider, & Church, 2004).

Effectiveness of the IAF

As we have discussed in the previous section, the scope of the IAF has broadened a lot in the last

decade. The quantification of the added value and effectiveness of the function remains unclear

since the profession has a supporting role and their activities can’t be related directly to

(monetary) value. Nevertheless, the stakeholders of the IAF expect the profession to continue to

be relevant and a valuable part of the organization. Therefore, added value and effectiveness are

important factors for the position and future of internal auditing in the organization (D’Onza et al.,

2015; Lenz & Hahn, 2015). We connect effectiveness to added value, since being efficient in an

ineffective manner is simply a waste of resources and does not add value for the stakeholders

(Lenz & Hahn, 2015).

After the financial crisis of 2008, this has become an increasingly important topic, because research

has revealed that there is some disappointment about the function among key stakeholders (Ernst

& Young, 2012).

Clearly, the function can only add value when it is performing its activities effectively. In this

section, we will review the effectiveness of the IAF and try to extract some general drivers of

effectiveness from the academic literature. However, it should be noted that the academic

literature regarding this subject is rather limited.

In this text, we will consider effectiveness to be the degree to which the function is able to obtain

results that are consistent with the objectives of its stakeholders, as premised in the audit plan

(Arena & Azzone, 2009; IIA Professional Practices Committee, 2016; Soh & Martinov-Bennie,

2011).

Subjectivity of effectiveness

Internal auditing is an ambiguous concept that is highly dependent on its environment, while the

environment itself is also subject to a lot of changes. There is no single definition to cover all roles,

activities and perceptions of the function. Therefore, one should take into account the context of

a particular IAF in order to express an opinion about its effectiveness.

The subjectivity stems both from the point of view (inside-out vs outside-in) and from the definition

of the activities by the management of the company.

Source 1: Point of view

There are two possible ways to approach the effectiveness and added value of the IAF, which will

influence the evaluation. First, one could consider the effectiveness from the perception of the

provider, the IAF itself, which is also known as the “supply-side perspective”. Otherwise, the

effectiveness of the IAF can be assessed through the perception of the stakeholders, generally

management and audit committee. This side is known as the “demand-side perspective” (Lenz &

Hahn, 2015).

In particular, the demand-side perspective is considered to be the more important of the two

and is used frequently in academic literature. This approach considers the expectations of the

stakeholders of the IAF and it is an obvious assumption that the function can only perform well if

they meet these expectations. In the supply-side perspective, the effectiveness of the IAF is often

approached by comparing the characteristics of the department to a couple of standards (A. Cohen

& Sayag, 2010).

Depending on the chosen perspective, different degrees of importance are given to determinants

of effectiveness.

Source 2: Expectations of management (stakeholders)

As we have discussed extensively, the role and activities of the IAF are highly dependent on the

context and the expectations of the stakeholders, which differ across different situations.

Therefore, it will be difficult to apply the same general metrics of effectiveness to every IAF. This

implies that the effectiveness of the IAF is a subjective topic that should be approached with an

appropriate degree of human interpretation.

Furthermore, the IAF has to remain loyal both to its profession and to its organization

(conceptualized by the cosmopolitan-local distinction). These sides can be conflicting and where

the IAF is positioned between these two depends on the internal auditors. Nevertheless, this

decision might have an influence on the drivers of effectiveness (A. Cohen & Sayag, 2010).

Measuring effectiveness

The performance of the function used to be evaluated regarding its compliance with the standards

of the IIA. However, the outcome of the activities should not be neglected and therefore other

evaluation processes are preferred. These processes should contain the function’s support for the

achievement of the auditee’s objectives (Dittenhofer, 2001). Furthermore, attention should be

paid to the stakeholders of the IAF since the effectiveness can depend on the group of people that

is relying on the work of the IAF (Soh & Martinov-Bennie, 2011).

In their paper, Arena and Azzone (2009) have quantified the effectiveness of the IAF by getting the

percentage of recommendations that have been implemented by the auditees. Other metrics

include the completion of the audit plan and the time spent on establishing the audit report (Soh

& Martinov-Bennie, 2011).

Clearly, before establishing processes to measure the effectiveness, which we consider to be the

degree to which the function is able to obtain results that are consistent with the objectives of its

stakeholders, these objectives should be determined (Dittenhofer, 2001).

Drivers of effectiveness

Even though some factors of the effectiveness of the IAF depend on the context, it is

possible to distinguish a couple of general drivers that are frequently recurring in academic

literature and in the daily practices. Nevertheless, one should keep in mind the subjectivity of these

drivers and the possibility of other significant factors.

Independence and objectivity

Independency and objectivity go back as far as the history of auditing and have been part of the

creation of the profession. They have been main characteristics of auditing from the beginning,

and they have always been the most important weapon of an internal auditor. This is also

represented by the large number of standards, ethics and definitions in which they have been

included, in order to make sure that close attention is paid to their safeguarding. We have already

explained that in the academic literature, these two factors are closely related to adding value and

being effective (D’Onza et al., 2015). Since we have defined effectiveness as the degree to which

stakeholders’ expectations are met, we will use the perception of the stakeholders regarding the

objectivity and independence of the profession to be a key driver of effectiveness. To ensure

independence, the IAF should be able to report to levels of management in a way that there is no

interference when performing their duties. Furthermore, the function should have free access to

records and employees of the company (Alzeban & Gwilliam, 2014; A. Cohen & Sayag, 2010; Getie

Mihret & Wondim Yismaw, 2007).

Support by top management

The support by (top) management for the IAF is an obvious driver for effectiveness. After all, internal

auditing has a supporting role for management, but it is the decision of the management to rely

on and to implement the recommendations suggested by the function (Tang et al., 2017; Venables

& Impey, 1991).

Furthermore, the support by the management is an important factor for acceptance of the IAF in

the organization and it is an important driver in every process of the organization (A. Cohen &

Sayag, 2010; Sarens & De Beelde, 2006b; Stewart & Subramaniam, 2010). More importantly, the

management, i.e. the board represented by the audit committee, is also in charge of the resources

that are allocated to the IAF (A. Cohen & Sayag, 2010; Getie Mihret & Wondim Yismaw, 2007). It

is recommended to establish an appropriate reporting line between the IAF and the management

(Alzeban & Gwilliam, 2014; Soh & Martinov-Bennie, 2011).

Again, the demand and support by top management for the function can be explained using the

arguments that have been put forward by the agency theory (Adams, 1994; Getie Mihret &

Wondim Yismaw, 2007).

Audit committee (AC)

The AC and the IAF are two separate entities within the organization. They are connected by the

fact that the audit committee will use internal auditing to reach their objective of monitoring and

evaluating the internal controls of the company (Arena & Azzone, 2009). Their connection has been

conceptualized by the Three Lines of Defense-model, in which internal audit acts as the third line

of defense and has a direct reporting line to the audit committee. A visual concept of this model

can be found in Figure 1 below (The Institute of Internal Auditors, 2013). A close interaction

between the two entities is important, which is also reflected in the number of standards regarding

this matter (Arena & Azzone, 2009; Lenz & Hahn, 2015). The interaction is supposed to increase

the availability of data for the IAF, as well as identify problems and seize opportunities. The

researchers suggest that there might also be a link to the previous driver, since involvement of the

AC might result in managers being more willing to implement the suggestions of the IAF (Arena &

Azzone, 2009; Soh & Martinov-Bennie, 2011).

The CAE can play an important role in the effectiveness of the IAF. This person could improve the

relationship of the stakeholders with the function, while he or she can also defend and support

the function in difficult situations. The CAE will need support from the AC to perform these

activities in an appropriate manner (Soh & Martinov-Bennie, 2011). Arena & Azzone (2009) found

out that the affiliation of the CAE to the standards of the IIA might be perceived as a driver of

effectiveness of the IIA.

Other research suggests that an effective AC can also make a significant difference in the

independence of the IAF, which is another driver of internal audit effectiveness (Stewart &

Subramaniam, 2010).

Other

Another frequently recurring driver for the effectiveness of the IAF is the availability of resources.

Academic literature suggests that the function will not be able to deliver the required quality when

there are not enough resources available. Both the number of internal auditors compared to the

number of auditees, as well as the competence and training of internal auditors are supposed to

have a positive influence on the effectiveness (Alzeban & Gwilliam, 2014; Arena & Azzone, 2009;

Soh & Martinov-Bennie, 2011). The amount of resources made available for the IAF is a decision

of the board of the organization and therefore, this driver can be linked to the support by

management. Nevertheless, Cohen & Sayag (2010) state that the organizational setting and

characteristics are more important drivers for the effectiveness than the characteristics of the IAF

itself.

Furthermore, in some academic papers, a difference can be found between the IAF in public and

private companies. In these papers, it is suggested that the IAF is more effective in privately held

companies (A. Cohen & Sayag, 2010). However, there is no conclusive proof and some researchers

did not find any correlation between the sector and the effectiveness.

Figure 1: The Three Lines of Defense Model (The IIA, 2013)

Many drivers are linked to each other and some drivers can even be considered to be part of

another driver. It is up to the researcher to decide how far he or she will go in distinguishing

different determinants.

Research analysis

Profile of the participants

We conducted a total of 12 separate interviews in companies with headquarters in Belgium. Of

those 12 participants, 5 interviewees have the function of internal auditor, while the other 7

interviewees were the manager of their internal audit department.

We purposely did not interview any internal auditor of a financial institution. We did so because

we believe that the internal audit function in these organizations is mainly focused on compliance

and providing assurance, while they are also more bound to regulations. This suggests that the

activities and the role of these functions differ a lot from internal audit in non-financial

organizations, but also that they will not be involved in the moments of truth.

We have included an overview of the characteristics of the participants, their department and the

organization in Table 1.a and Table 1.b of the Appendix. As the reader can see in the tables, we

have had the opportunity to interview organizations with different attributes and from a wide

range of industries. A lot of the organizations are quoted on the stock market, which implies that

they are bound to certain regulations regarding their internal audit department. However, in most

cases, these are rather soft regulations, which are definitely not comparable to the degree of SOX

or the regulations regarding financial institutions. The impact of SOX on the activities and

perception of internal audit has been discussed in our literature review, but only a few of our

participants have been impacted by these regulations. Nevertheless, some participants have

discussed the negative influence of SOX on both the activities (“checking rules and ticking

checkboxes”), often from their experiences in the Big Four, and have stressed the contrast with

the function as they described it during the interview.


Methodology

As most large organizations in Belgium have an internal audit department, we selected our

participants based on a list of the largest Belgian companies. Next, we tried to get in contact with

an employee of the internal audit department through the general e-mail address of the company,

the personal e-mail address of an employee of the department, or through LinkedIn.

The interviews lasted between 20 minutes and 1 hour and 10 minutes, with most interviews lasting

around 40 minutes. In the majority of the interviews, an introduction was given by the participant

about how internal auditing is done within their organization, before moving on to the

questionnaire as it is included in the Appendix. During the interview, additional questions have

been asked based on the answers of the participants. The interviews were conducted and

transcribed in Dutch. The coding and analysis, however, have been done in English.

Due to the lack of preceding research about moments of truth and the role of internal audit, we

decided to not define any moments of truth before starting our interviews and asking the

participants for examples. During the interviews we let the participants describe moments that

they considered to fit our definition of moments of truth and also asked them about their role at

those moments. The definition was proposed as “a moment in which the management of the

company has to make a decision or is supposed to take action, and the outcome will have an

(significant) impact on the future of the organization”. Furthermore, we also asked the participants

about audits that they had recently done, in order to also include those moments that would fit

the definition but were not yet mentioned by the participant when asked what they consider to

be a moment of truth. As the interviews proceeded, we continued to ask the participants to

describe moments that they think were connected to the research, but also started to ask them

about moments that were identified in the previous interviews that we conducted.

For the analysis, we used NVIVO 11 Pro to code, explore and visualize the transcriptions of our

interviews. This software has proved to be very useful, since there were large differences between

the cases, which resulted in a wide range of information. In the beginning of our analysis, we solely

focused on the moments of truth and the roles as they have been discussed within the interviews.

After being able to identify some patterns within this data, we decided to move on to the general


information that has been provided by the participants about their department and their activities.

We used all the information that was available to us to identify, analyze and extract patterns across

the cases to conclude our analysis with a set of characteristics that might explain why some cases

were involved in moments of truth and others weren’t. The evolution that some participants have

described during their interview gave rise to the determination of those characteristics.

Limitations of the methodology

An important limitation of the methodology as described above is the fact that by simply asking

the participants what they considered to be moments of truth, we were only able to identify

moments that were top of mind. This results in the observation that some participants might have

been involved in other moments, but those were not mentioned during the interview. We tried

to tackle (a part of) this problem by questioning the participants about moments that were

mentioned in other interviews.

Furthermore, some participants who indicated that they are involved in moments of truth, noted

that they have only recently started to do so. Since the moments of truth in a company are not

manifold, we should be aware that the list of moments and the participants that are involved can

also be limited due to the fact that some moments simply have not yet occurred in some cases. If

the moment has not occurred, the participant will not have had the opportunity to be involved,

even though the department would be involved.

Finally, we have interviewed organizations with a wide range of attributes as discussed in the

section about the profile of the participants. Therefore, we should be aware of the fact that we

cover a wide range of organizations with only a small sample, and some attribute values have only

been represented by one single participant.


Reported moments of truth and the role of internal audit

As mentioned in the section about the methodology of our analysis, we asked the participants for

examples of moments of truth in which the internal audit department was involved in any way.

Therefore, we started our analysis by listing the reported moments of truth and the role that

internal audit has had. We refer to Table 5 in the Appendix for an overview of the reported

moments and roles. Clearly, a wide range of moments and roles have been reported during our

interviews. In the abovementioned tables and in Project maps 5 and 6 of the Appendix, we can see

clearly that some moments only have one link to a unique role for internal audit. This is due to the

fact that some moments have only been reported in one interview, and therefore only one role

has been discussed. More interestingly, we can see that other moments have implied a different

role for internal audit, which could indicate that the internal audit functions are dealing in a

different way and with different tasks in the same moment of truth. Furthermore, it is also visible

that some roles are applied to more than one moment, which could indicate that there are some

established roles for internal audit within the organizations that are applied to multiple types of

moments of truth.

Chart 1: Number of reported moments by each IAF


The chart above, Chart 1, shows which internal audit functions have reported the most moments

of truth. Without getting into details, this figure shows that IAF3 and IAF11 have reported the most

moments of truth in which they were involved, closely followed by IAF9 and IAF12. Even though the

chart does not provide a lot of information, we expect those four functions to be important for our

research. IAF7 did not report a single moment of truth and is therefore not involved in any way in

moments of truth.

As we can see on Chart 2 above, some moments have been reported very often, such as

acquisitions, new IT-system and new process or product, while others have only been discussed

once.

The fact that a lot of the moments have been reported in only a small number of the interviews,

due to no involvement of internal audit or due to the fact that the organization has not experienced

the moment, can have an impact on our research. We should be aware that some functions might

have a similar role in moments of truth but are perceived as different in the data because they

simply have not been exposed to the same moments of truth, even though the roles seem to be

Chart 2: Number of sources by each moment


established in some organizations. Dendrogram 1 below shows which IAFs have reported similar

moments during the interview.

Until now we have only looked at some general information about the moments of truth and the

role of internal audit. Table 5 of the Appendix displays a detailed overview of all moments of truth,

the different roles that have been linked to that moment by the internal auditors, and the list of

IAFs that have reported that combination. In total, 10 moments and 14

roles have been reported, leading to 22 combinations.

After a first screening of the list, a distinction can be made between two different types of reported

moments:

1. Moment in which a decision has to be made or action should be taken that will change the

course of activities/operations of the company in the future

2. Moment in which a decision has to be made or action should be taken as a reaction to an

incident in order to get the processes of the company back under control

Dendrogram 1: Similarity of IAFs based on coding of reported moments


These two types are the result of the distinction that was already implied by the definition of

moments of truth as it was presented to the participants.

We considered the moments internal incident and external incident to be moments of the second

type, while the others (acquisitions, divestments, code of conduct, joint venture or strategic

participation, new IT-system, new process or product, new standards and regulations, and

centralization and standardization) belong to the first type of moment.

The first type of moments has a more direct link to the strategy of the company and therefore is

rather focused on long-term actions, while the second type tends to have a more reactive

nature and a focus on short-term actions. Since the second type of moment tends to be more

linked to the role of internal audit as we would expect it to be, we will be more interested in

researching the roles in the first type of moments. Nevertheless, if we look at the roles in the

second type, we can also see that there are some proactive roles of internal audit that go beyond

analyzing and reporting, which indicates that these moments are also worth looking into. In order

to tackle fraud, for example, one of our participants noted that the top management of the

company now expects internal audit to also spend time on auditing the management of the

subsidiaries regarding ethics, governance, etc. to specifically reduce the risk for fraud. This clearly

is a more proactive role for internal auditing than just investigating the potential case of corruption

as has been described in other interviews.

As we have discussed above, a first distinction can be made in the list of moments and roles based

on the characteristics of the moments. However, if we look more closely, a more interesting

distinction can be made in the roles of internal audit at those moments.

On the one hand, we have a set of roles that can be assigned to regular audit activities, while on

the other hand we have a set of roles that have an internal consultant nature, indicated in bold in

Table 5 of the Appendix.

It is important to know that by saying “internal consultant” we do not refer to internal audit being

involved in the decision-making process of the company at those moments. By using this term, we


refer to the role of internal audit as internal advisor of the management, but always as a facilitating

function and never by taking a certain position in the decision.

The selection has been made based on the following characteristics of the reported roles:

‘Regular audit’ roles:

• Significant amount of time between the end of the moment and the beginning of the

internal audit activity

• Reviewing and reporting: providing assurance to management

• No request by management

‘Moment’ roles:

• There is an overlap in time between the internal audit activity and the moment of truth

(either just before the moment when the management already intends to do something or

during the implementation of the moment as part of the tactical layer)

• The activities go beyond reviewing and reporting. Internal audit tries to suggest certain

actions that are meant to improve and add value to the process. There is a direct and

immediate contribution to (the design of) the process

• There is often a direct request by the management, most of the time ad hoc (not included

in audit plan)

The separation of these two roles in our data shows a striking similarity with the separation of the

role of internal audit as assurance provider and as internal consultant in the way we discussed it

in our literature review. There we mentioned that assurance gives internal audit a reactive and

protective nature, which is expressed in our data by roles that are situated after the moment of

truth and that are focused on reviewing and reporting to the management. The consulting

activities of internal audit tend to be proactive and activating. In our data, this is shown by a role

of internal audit that is situated just before or at the moment itself and by a role that is focused

on improving and adding value to the organization. Furthermore, the literature postulates that the


consulting role of internal audit contributes significantly to the perception of internal audit as a

partner of the management. Since we have identified the request of the management as a

characteristic of the second role of internal audit in moments of truth, we could interpret this as

an expression of management perceiving internal audit as a partner.

Since the analogy between the roles at moments of truth that were identified in our data holds

for most of the characteristics of the roles identified in the literature review, we will from now on

refer to them as “assurance role in moments of truth” and “consulting role in moments of truth”

respectively. The corresponding groups of cases will be referred to as “assurance cluster” and

“consulting cluster”. Due to the direct link between the consulting role in a moment of truth and

the moment itself, we consider the consulting roles in moments of truth to be the genuine roles in

moments of truth, which are the main subject of this research.

We stated in our literature review that the perceived added value of internal audit by its

stakeholders increases as the function demonstrates flexibility in its roles. Obviously, being

involved in moments of truth with a consulting role and acting on request of management (ad hoc)

requires some flexibility from the function and its employees. Therefore, we could expect that the

perception of added value is higher in the group of IAFs that are active in the moments of truth

compared to the IAFs that aren’t. We will look more closely into the perception of the IAFs of our

interviews below.

Another interesting observation from our literature review is that researchers have stated that the

consulting activities have led to a more strategic role of internal audit. Clearly, the moments of

truth that have been identified in our interviews are closely related to the strategy of the

organization and therefore the IAFs in the consulting cluster have a strategic role. However, as it

was also stressed and explained to us in a couple of interviews, this does not imply that internal

audit is positioned in the strategic layer of the organization. When the organization is interpreted

as a three-layer pyramid, with a strategic layer on top, an operational layer on the bottom and a

tactical layer in between, internal audit is always situated in the tactical layer. Therefore, internal

audit will never state, for example, that the company should do a certain acquisition. In this specific

moment of truth, it is possible that the function provides the management with objective


information that will help them to take the right decision, but most of the time internal audit will

assist in implementing the strategic decisions into the operational layer.

Earlier, we raised the issue that different cases may have gone through completely different

moments of truth and the potential bias in their corresponding roles. Since the IAFs in each of our

clusters appear to be from all over the dendrogram that was displayed, we are confident that the

categorization of a case into a cluster does not depend on the kind of moments it has experienced.

This is also connected to the fact that this categorization has been done based on the underlying

characteristics of the roles and not the moment itself.

The nodes Assurance and Consulting contain the roles in moments of truth as they have been

defined earlier. Project map 1 clearly shows that the cases in the assurance cluster have no link

with consulting roles, since we have defined them to be cases that don’t have a (consulting) role

in moments of truth. On the other hand, the majority of the cases in the consulting cluster also

Project map 1: Relationships between the two roles and the cases


have assurance roles in moments of truth. Therefore, it appears that the consulting activities of

internal audit, or the role in moments of truth as we have considered them, are an extension of the

audit activities compared to the assurance role. IAFs in the consulting cluster therefore have a

wider range of tasks in moments of truth than the IAFs in the assurance cluster.

Attributes of the consulting cluster

After investigating the moments of truth and the corresponding roles, we want to take a closer

look at what might be possible attributes and characteristics of the organizations and departments

that distinguish the cases that have a role in moments of truth and those that don’t. The attributes

used are the same as the ones presented in the section about participant profile above.

The attributes have been selected because we expect that they might have an influence on how

internal audit is being done within that company. First of all, the maturity of both the internal audit

function as well as of the organization itself might imply that they have evolved a lot and have

been able to find a perfect match between the services of internal auditing and the needs of the

organization. This could result in a more advanced, aligned and involved audit department, as we

have seen that there is a general trend of the internal audit profession towards internal

consultancy due to changing environments and changing needs of stakeholders.

Furthermore, we have discussed in our literature review that one of the explanations for the need

for internal auditing was the growing size of operations and transactions within companies after

the Industrial Revolution of the 19th century, as well as the increasing remoteness of managers

from the operations. Therefore, we might expect that when the need for internal audit is higher,

the function will also be more elaborated, even though these needs relate to a period in the history

of internal audit in which it was only focused on providing assurance. We tried to capture these

needs into attributes such as number of employees, turnover, international character, and

network of subsidiaries.

In the literature, the private or public character of an organization has been put forward as a

possible driver of effectiveness of the internal audit function. Even though evidence has been very

poor regarding the significance of this attribute, we also included it in our set.


Finally, we have also included if the organization is quoted on the stock exchange. Even though

our participants are mainly quoted on European markets, and therefore are not impacted by SOX,

the stock market quotation still obliges them to be compliant with certain regulations.

Interestingly, when we look for possible explaining attributes across IAFs and organizations, there

appears to be not a single one. This is displayed in Dendrogram 2 shown below in which the

attributes are clustered based on similarities of attributes. There is clearly a lack of clusters and

the cases are spread throughout the dendrogram, sometimes even comparable with cases from

the other type of cluster up until the last level.

Nevertheless, we have to make a comment on at least one type of attributes of the participants.

Out of the 12 interviews, only 2 IAFs did not have an audit manager and the function only consisted

of 1 person, obviously the one that has been interviewed. One of those two interviewees, more

specifically IAF8, has explained to us that they believe that the presence of a manager could bring

a lot of added value to the function. They have put it in the following way: “I believe that if you have

a couple of people working in the internal audit department, you can let them do all of the field

work, while you can draw conclusion from above, and then you are a lot more capable of taking a

strategic position”. Nevertheless, IAF8 is part of our consulting cluster while other departments,

Dendrogram 2: Cases based on attributes


that do have a manager, are not included in this group. Therefore, an audit manager is not a

determining factor for a role in moments of truth; it is just plausible that it adds value to the role

of the function in these moments.

Another interesting statement is one about the expectations for the future that has been

expressed in an interview. The participant has put forward that they expect the internal audit

function to split in the future. One part of the team would be focused on auditing ethics,

governance and management controls, while the other part would continue auditing processes

but with more sophisticated tools. Both teams would require a different set of specific skills, which

implies that internal audit will have to consist of at least two complementary persons. Although

the size of the audit department does not appear to be a determining attribute, there might be a

limit, i.e. two persons, for the internal audit function to have a significant value-adding role in

moments of truth.

In the literature, availability of resources has been put forward as a driver of effectiveness. Since

the size of the audit department does not appear to have an influence on the role in moments of

truth, except for the comments above, we did not receive signals that the resources, which are partly

represented by the number of employees, are a driver of effectiveness in moments of truth.

Characteristics of IAFs in consulting cluster

Since the attributes of the internal audit departments and the organizations do not appear to have

any significant impact on the role of IAFs in moments of truth, we will have to look further.

As we have discussed earlier, the roles in moments of truth show striking similarities with the

consulting role of internal audit as it has been put forward in the literature. This observation

already provides us with certain characteristics that the IAFs are supposed to have:

1. The activities of the IAF go beyond reviewing and reporting. The function should be

concerned with finding improvements and adding value

2. Proactive approach to problems instead of a reactive one

3. Partnership with (top) management


In the majority of the interviews, a (recent) change of the audit department has been discussed.

Since we have determined that the role in moments of truth is rather an extension of the regular

assurance activities of the function, we believe that these changes will give us useful information

about the evolution to a broader scope, which includes moments of truth. Out of these changes,

of which a detailed overview is included in Table 6 of the Appendix, we repeatedly recognize the

characteristics from the list above (beyond auditing and reporting, proactive approach,

partnership with management based on trust), which confirms that these characteristics are

definitely worth looking into. Furthermore, we also see some other changes that might be

interesting for our research:

4. Audit plan: risk-based and flexible (ad hoc assignments)

5. Alignment with strategy of the organization and alignment with business

6. Lose a part of their independence in order to have more impact

Since most of these 6 characteristics appear to have a profound impact on the way internal audit

is performed, they might prove to be crucial in explaining why some IAFs are involved in moments

of truth and others aren’t.

However, these characteristics should definitely not be interpreted as isolated factors. They are all

closely connected with each other, fitting into the same concept and evolution, and part of an

interactive process. The partnership of the management, for example, will be the result of internal

audit focusing on being proactive, adding value and being aligned with the strategy and the

business, while this same partnership will also increase the ability of the IAF to add value and be

involved in important events. Furthermore, a flexible risk-based audit plan is part of attempting to

audit aspects that are perceived to be important for the business, which improves the business

alignment.


Going beyond reviewing and reporting

As we have discussed in the previous section, the role of internal audit in moments of truth is

actually the consulting role of internal audit as it has been described in the literature. In this section

we will look more closely at this role and give an overview of how this has been expressed in our

data for the function in general. In our literature review, we have discussed the fact that internal

audit will add value through both its assurance and consulting activities. However, especially the

consulting activities will increase the perception of added value. Therefore, we will use this to look

for IAFs that go beyond reviewing and reporting.

In the literature review, we have discussed that it is hard to measure the added value of internal

audit because one can’t value this in terms of money. Therefore, the best way to measure the

value is by looking at the perception of the internal audit providers regarding their contribution to

the improvements of the processes.

To get an idea about how participants perceived their activities, we generated a list of how they

described their activities as internal auditor throughout the interviews, both in moments of truth

and in general.


Table 1: Activities of the participants as described throughout the interview

Table 1 shows that the internal auditors have mentioned a wide range of activities. However, we

cannot expect that the participants have talked about everything they do, as is also visible in the

fact that a lot of activities have only been mentioned in a few cases. This is due to the fact that we

have not explicitly asked them to give a list of all of their activities, except for their activities in

moments of truth, since this was the subject of the interview.

Nevertheless, we believe that we can extract some information about how they perceive their role

in the organizations. As can be seen in the table, 4 participants have explicitly talked about the

activity of making recommendations in which they suggest some kind of process improvement.

This has been displayed in more detail in Project map 2 below. The 4 cases are the following: IAF3,

IAF6, IAF11, and IAF12. Those participants expressed that they have the objective to not just report


what has been done wrong or what has to change, but also think further about how and where

the processes can be improved. IAF12 would even go to the extreme in which they would “put all

the good things they have uncovered in their backpack and then spread it across the organization

like a little bee”.

Project map 2: Cases with a positive perception towards improvement

As another way to find which cases are focused on an attitude of improving the organization, we also

ran a query with connected words, i.e. improve, solution, value, better, progress, etc. This has

resulted in the observation that IAF4 might be added to this list, even though it is not included in

the consulting cluster, because they will report to the audit committee with a solution they have

discussed with the management already included. Furthermore, we have also observed that IAF9

will always try to approach an audit with the idea to give an objective opinion and try to find

improvements together with the business, which is exactly the kind of attitude that we are looking

for in this section.

Three of the cases that were included in the consulting cluster, IAF2, IAF5 and IAF8, are not part of

the set of cases that are focused on improving. However, as we can see in Table 5 of the Appendix,

those IAFs are also engaged in activities that go beyond reviewing and reporting.


In addition, IAF2 had only reported one moment of truth in which they have a role, configuration

of the code of ethics, while IAF8 had been established only 6 months before the interview.

Therefore, we believe that they could also apply to this characteristic and there are strong signals

that when an IAF goes beyond reviewing and reporting in their daily activities, they are likely to be

involved in moments of truth.

The role of internal consultant, both in moments of truth and in daily activities, was perceived as a

win-win situation by participant IAF9. They stated that internal audit has a perfect position in the

organization to do these kinds of activities. First of all, internal audit is probably the department with

the most extensive knowledge of the processes and interactions within the company and they

have a widespread internal network. “It would be a shame to not use this knowledge and expertise”.

Furthermore, these activities also give the internal auditor another perspective of the organization

and give them expertise that they can use in their audit role. The mentioned audit manager would

even take on the role of interim manager if this was needed by the organization, again with the

same objectives of adding a lot of value to the company and gathering knowledge for their future

audit activities. Nevertheless, this was an extreme case of internal consultancy by the internal

auditor and an extensive number of measures were taken together with the board, the

management, the audit committee and the external auditor in order to guard their independence

and objectivity.

Before moving to the next section, we want to stress that by stating that IAFs have a role that goes

beyond reviewing and reporting, we are referring to the situation in which internal audit performs

what has been described as internal consulting activities, but as an extension of traditional audits

with the objective of providing assurance to the board or management. These consulting activities

should be approached with the following attitude, as proposed by IAF11: “What you are about to

do now, we think it’s better to also include this, but it’s up to you. We give you this

recommendation, but we don’t even want to know how you use it in your decisions”. In other

interviews of the consulting cluster, the same comments were made regarding this issue. The

internal consultancy activities of the IAFs in the moments of truth are always meant to be of a


facilitating nature; it’s up to the management what they will do with the recommendations that

have been made. Internal audit will never take part in the discussions of the strategic layer. Once

the management has the intention to do something, internal audit can be requested to provide

them with information that assists them in taking the decision, but again, this is exclusively

analyzing, reporting and suggesting.

Proactive approach

When an IAF approaches their activities with the attitude as described in the previous section, we

can expect that they apply a proactive approach, since the assurance activities are by definition

reactive and the consulting activities are proactive. However, we will look more into the

characteristic of a proactive approach to strengthen the assumption that IAFs in the consulting

cluster have a more proactive approach than IAFs in the assurance cluster. If we can find a link

between the cases in the consulting cluster and a proactive approach towards their activities in

the organization in general, we know that this might be a characteristic that explains why some

IAFs are involved in moments of truth.

In Table 1 about the activities, in the section about Going beyond reviewing and reporting, one can

see that two participants have described a part of their activities as Identifying and auditing

unknown issues and Identifying and reporting risks for future issues. These IAFs, respectively IAF11

and IAF4, clearly have a proactive approach in which they are thinking ahead for the organization

and already try and act on future issues. Again, we see that IAF4 has a characteristic that we would

apply to the consulting cluster, even though the IAF did not indicate that they have a role in

moments of truth. We do have to be aware however, that in the case of IAF4 this proactive

approach is limited to reporting to the audit committee, while for the other IAFs that are mentioned in

this section the proactive approach results in some kind of action of the audit department. This

will prove to be an important difference.

Furthermore, IAF3 has indicated in their interview that when they are auditing a certain process

or system and they receive signals that something else is not as it is supposed to be within that


process or entity, they will look into this even though it is not part of their audit planning at that

time. The participant also invests a lot of effort in continuing to be on top of the affairs within the

organization, such as making sure that they are included in certain discussions and arranging

meetings with managers when they get some new information from within the business. Thus,

they are always ahead of things that are happening within the organization which allows them to

have a proactive position. The same attitude has been confirmed in IAF6 since they also have

frequent meetings with the management, so-called “coordination meetings”, to get information

about the state of affairs. IAF1 has also indicated that they spend a lot of time in developing and

maintaining their network within the organization. This allows them to be informed about matters as

they are happening and also suggests that they do not only have a reactive approach since this will

obviously be taken into account within current audits, even though they are not in the consulting

cluster. However, this might be a less formal and structural approach than IAF3, and the direct

actions that are being taken on this specific information are less apparent, which again is an

important detail, just like in IAF4 as discussed earlier in this section.

Other examples include auditing the management in order to tackle the possibility of fraud and

suggesting new types of activities such as management audit before the takeover and strategic risk

assessments by IAF5.

Except for some interviews, i.e. IAF10 and IAF7, we can find signals that they are trying to be

proactively integrated within the company and staying ahead of future issues. This indicates that

most IAFs exhibit this characteristic and that it does not have as strong an explanatory power for the

reason why some IAFs have a role in moments of truth as the previous characteristic. However,

we have already remarked that the details can be important for this characteristic. When looking

into the proactive approach of an IAF, we should not only take into account if they think about the

future, but also if they act on this information since we have observed that IAFs of the consulting

cluster tend to act in a proactive way.


Partnership with (top) management

In this section we will address both the relationship with (top) management as well as the general

perception of the audit department throughout the different cases. The latter links to the section

Going beyond reviewing and reporting since the perception of the audit department by the

organization is also a measure for the added value of internal audit.

Obviously, even though this characteristic will strongly enable the role of the IAF in moments of

truth, we should rather approach this as a result of the other characteristics. When the IAF exhibits

characteristics like adding value, being proactive and focusing on topics that matter to the

management, we can expect them to appeal to management.

Nevertheless, this partnership is something that should be earned by the IAF and we will have a

look at how this is expressed within our data.

Project map 3: Perception of IAF


Again, we can find a clear distinction between the IAFs that are involved in moments of truth

(consulting cluster) and IAFs that aren’t (assurance cluster). This indicates that the perception of

internal audit within an organization has an influence on the role of internal audit in moments of

truth. As we mentioned, this should be approached as a two-way interaction, since we can expect

that internal audit will be involved in moments of truth if the management perceives them to be

valuable. On the other hand, this involvement will also improve the perception of internal audit

because they get more opportunities to add value and the management gets the opportunity to

closely experience what internal audit does.

The best indication that management/the business perceives internal audit as a “sparring partner”,

like it has been described by IAF9, is that in some cases the management approaches internal audit

to request their assistance. Those cases are IAF3, IAF8, IAF11 and IAF12 and those are cases that

have a high degree of involvement in moments of truth, as well as a strong performance in the

other characteristics that we identified.

When asked about what had changed the reputation from inspector to partner, participant IAF11

responded “Communicate, communicate, communicate”. Their vision was strongly focused on

communicating with their stakeholders. First of all, they would inform the whole organization

about what internal audit is, what they can do for them, but also what they should not expect from

internal audit. Furthermore, during their audits they will also make sure to give enough feedback

in order to inform the auditee about what is happening but also to give them the opportunity to

give comments if something has been interpreted wrongly. Afterwards, the appropriate people

would also get a copy of the report, so they know what is being said about them. Since this was

one of the IAFs in which the business would contact internal audit for assistance and is one of the

IAFs that is most strongly involved in moments of truth, this vision might be important if the

function wants to be involved in moments of truth.

Interestingly, IAF4 has indicated that they focus on adding value and improving the organization,

but this has not been confirmed in the perception of the business. Within their organization,

operational management tends to perceive internal audit as additional effort. Therefore, since


IAF4 also does not have a role in moments of truth but has some of the characteristics of those

IAFs, the perception of the IAF to add value might be an important factor in explaining why some

IAFs have a role in moments of truth and others don’t.

In the interviews with IAF3, IAF6, IAF9 and IAF11, the participants have explained that they have a

close relationship with top C-level management within the organization. In those cases, the CEO

perceives the function as highly value-adding, wants to be frequently informed about the findings

the function has made within an audit and encourages the function to improve and align with the

business and/or is highly accessible for an (informal) discussion with internal audit. This informal

close relationship has also been observed in IAF1. However, it was explained that this is partly due

to the fact that both the audit manager and top management have been working together for a

large amount of time within the organization.

Even though a close relationship with top management is established within the majority of the

cases that have a significant role in moments of truth, this seems to be a less important

characteristic in explaining the reason behind the role in moments of truth than the relationship

with business management, as well as their perception. Again, there is a strong correlation

between the relationship with top management and the role in moments of truth, but other

factors should be taken into account since they might also explain the relationship.

Now that we have discussed the characteristics that are connected to the consulting role of

internal audit, we see that the IAFs that appeared to have a consulting role in moments of truth

also have this role in general. This might imply that when an IAF takes on the role of internal

consultant, they have a high probability of being involved in moments of truth.


Audit plan

In our interviews we have identified a couple of characteristics of the audit plan:

• Risk-based: the audit plan is based on the most crucial risks, with processes/entities with a

high risk being audited first

• Cyclical: the same entities/processes are audited with a fixed frequency in order to have a

cycle in which every entity/process is audited once

• Materiality-based: Processes/entities with a high materiality are audited more frequently,

often as an extension of a risk-based audit

• Process-level: the audit plan consists of process audits

• Entity-level: the audit plan consists of entity audits

• Flexibility: there is some flexibility included in the audit plan in order to be able to perform

audits on request of management during the year (ad hoc assignments)

Project map 4: Characteristics of audit plan and link with cases


Project map 4 displays how the characteristics of the audit plan are

established within the different IAFs. There is no information available about the audit planning in

IAF2.

This project map does not exhibit a clear distinction between the consulting cluster (upper) and

the assurance cluster (lower) which indicates that the audit plan is not a factor that uniquely drives

the role in moments of truth.

Nevertheless, there are a couple of characteristics that seem to be more prominently present in

the consulting cluster.

Every IAF in the consulting cluster has a risk-based audit plan, while only half of the assurance

cases have a risk-based audit. Therefore, we can expect that a risk-based audit plan contributes to

the role of internal audit in moments of truth. However, we do not believe that this risk-based

audit plan is directly linked to the role in moments of truth, since these moments are often ad hoc

and therefore not included in the audit plan. As we mentioned earlier, the characteristics of the

IAFs that could explain their role in moments of truth are highly interactive. A risk-based audit

rather contributes to the role in moments of truth by its contribution to business alignment and

partnership with management, as well as adopting a certain proactive approach. This was also

confirmed in the interviews because one of the participants explicitly adapted their audit planning

to a risk-based audit plan with the objective to get closer to the daily processes and the strategy

of the organization. Furthermore, their objective of adopting a risk-based audit plan was also to

increase the added value of auditing because then you focus on the most important aspects of the

organization. This has been confirmed in multiple other interviews as well by cases that have a

risk-based audit plan.

Since this type of planning requires a risk assessment, which has to be done through close

interactions with management, we can expect that a risk-based audit plan also contributes to the

partnership with management. Finally, by focusing on risks that have been forecasted by the

management, internal audit implicitly adopts a proactive approach in their audit plan. In

conclusion, as we have discussed above, a risk-based audit plan does not have a direct link to the


role in moments of truth but should rather be considered as an influence on the other

characteristics of the consulting cluster.

Most of the cases in our interviews, and especially the cases in the consulting cluster, have

indicated that there is a clear tendency towards a higher amount of ad hoc assignments by the

management or that this is already established. Therefore, it is not possible anymore to plan the

audits completely for the coming year. They have to include some kind of margin and flexibility

that is available for these assignments, which is mostly reflected in audit projects that have a rather

low priority or can easily be rescheduled and done in between projects because they do not require

the auditor to travel. Obviously, this links directly with the role in moments of truth since these

assignments are almost exclusively ad hoc.

An interesting vision has been explained to us in one of the interviews. Although a cyclical audit

plan is often considered to be a traditional way of setting up an audit plan and most companies

obviously use risks to plan their audits, IAF3 deliberately combines their risk-based audit plan with

a cyclical plan. The reason behind this was the fact that by doing a cyclical audit plan and frequently

auditing every part of the organization, the internal auditor closely gets in touch with the whole

business, or as they would say “It is important that the locals know who you are and it enables to

build a trust-based relationship”.

Alignment with strategy and vision of organization

In this section we will address both the alignment with the strategy and with the business in general

of the IAFs in our interviews. This also implies that the function has to be able to adapt together

with the strategy and the business of the organization.

One of the best techniques to align the audit department with the business is to establish a risk-based

audit plan. This ensures that the audit department focuses on the aspects that have the highest


risk, which is important for the business, but also implies close contact with management as it

requires their assistance to elaborate this type of audit plan.

As IAF6 has said “The world is changing rapidly and everyone within the company, including us, has

to be agile. If the market is changing, the world is changing, and the company is changing, then we

have to change too”. They have improved their agility through their audit plan but are also hiring

external experts to add to their team for certain audits in order to be better aligned with the

business and be able to deliver a higher added value during their audits. These external experts

were also mentioned during the interview with IAF11 but have not been explicitly discussed by other

participants. In the section about the attributes of the IAFs we talked about the fact that the size,

and as an extension resources, does not appear to have a direct link to the role in moments of

truth, except for some basic requirements. Nevertheless, the availability of money to hire external

experts is also a part of the availability of resources. Since these experts have been related to the

ability of aligning with the business, we can expect that this part of the resources does have an

influence on the role in moments of truth.

During the interview with the only participant that was not able to mention any connection

between moments of truth and the internal audit department, and actually also did not apply to

the characteristics that we have put forward, the following statement has been noted: “Those

people [the internal auditors] are coming here to tell us what to do, and they don’t even know the

processes”. Clearly, there is some issue regarding the business alignment in this IAF, and the

perception of the audit function, and this stresses the importance of an alignment with the

business if the IAF wants to be involved in moments of truth.

For the strategic alignment, it has been apparent during the interviews that a lot of internal

auditors, of both the consulting and the assurance cluster, are informally informed about the

strategy of the company. A more formal discussion regarding this information was also present in

some cases. When the internal audit department would establish their risk-based audit plan, these

cases would also be informed about strategic risks, especially IAF1, IAF5, IAF6 and IAF11. Other


IAFs have also reported that they are a lot more closely connected to the strategy and strategic

layer of the company. Therefore, the alignment with strategy appears to be a general trend within

audit, and not just a characteristic of the consulting cluster even though we closely related

moments of truth to strategy.

Independency

“For me, it is all about impact. How can we make sure that we have everything under control? If

we have to be less independent at times, so be it” – IAF3

In the literature, internal audit is always described as “an independent function …”. The

independency and objectivity of the function are included in every standard we can find about

internal audit and often identified as the most important one to guarantee an effective function.

However, there has been a general trend, as was also identified in the previous sections, in which

the internal audit department moves towards the management and the business, especially in

their consulting role. Many papers deal with concerns regarding the independency of the internal

audit functions that take on consulting roles within their organizations.

We have asked our participants about how they feel about their independency. Except for one IAF,

IAF8, all participants stated that they do not believe there are issues regarding their independency

and objectivity, even though they had experienced a trend in which they have become more

closely involved with management. Furthermore, our participants did not put forward that

management would try and breach this independency when requesting ad hoc assistance of

internal audit. IAF1 would describe this as: “Involved from a content point of view, independent in

the evaluation”. In the case of IAF8, being less independent was attributed to the fact that the

department had only existed for 6 months. However, the person has previous experience in auditing

and would make sure that the function will become more independent over time.

However, there is still the quote at the beginning of this section. This statement was made by one

of the IAFs involved in moments of truth. The participant was referring to the situation in which


they would frequently meet with management to discuss the state of affairs within the

organization in order to stay on top. These meetings, that have also been recorded in other

interviews, as well as accepting ad hoc assignments by management imply that the internal audit

department might have to give up some of their independency if they want to participate in this

role. This does not imply that the IAFs that are involved in moments of truth are less independent

than others, but in our interviews with those IAFs we have recorded more measures to guard the

independency of the function. Moreover, IAF4 had a very strong focus on guarding their

independency and had a distant attitude towards ad hoc assignments. Even though this IAF had

some characteristics that are similar to IAFs involved in moments of truth, IAF4 had no involvement

at all. Therefore, we believe that this might be an important characteristic of IAFs involved in

moments of truth.

The next chart, Chart 3, shows the measures of the IAFs in the consulting cluster to guard their

independency. These can be interpreted as guidelines when taking on a role in moments of truth.

Chart 3: Measures for independency as explicitly expressed by IAFs with role in moments of truth


Chart 3 gives an idea of what has been mentioned explicitly by the IAFs in the consulting cluster.

However, this should not be interpreted as an exhaustive list, and the number of cases for

each measure is probably not complete. Again, this represents the measures that are top of mind

or are extracted from other parts of the interview, as we did not explicitly ask our participants to

list those items.

From this section, it is important to remember that objectivity is a mindset and independency

comes from the situation and the position of internal audit. From this point of view, both factors

are not breached when an IAF is involved in moments of truth. Those IAFs still perceive themselves

to be objective and independent, and the organization shares this opinion. The literature has

stated that it is crucial for the independency and objectivity of internal audit that the function is

limited to observing, recommending and suggesting, but they should not be able to change

anything that is subject of their audits. This has been stressed multiple times during the interviews

with IAFs that are involved in a consulting role, and hence in moments of truth, which proves that

the auditors are well aware of their limits. Other measures that the literature has put forward,

such as a dual-reporting role to management and audit committee, integration at the highest level

of the organization, and direct and unrestricted access to top management and board, are all

present in the IAFs.

However, when an IAF wants to be involved within moments of truth, they can no longer be

completely separated from the management of the organization. They have to build their (risk-based)

audit plan in collaboration with management since they know what risks lie ahead, they

should accept ad hoc assignments directly from the management, but with approval of the AC, and

finally they have to work together closely with management during their role in moments of truth.

This is an interesting observation since the perception of internal audit as an independent and

objective entity within the organization has been put forward as an important driver of

effectiveness, and hence added value. However, our data shows that when the function wants to add

value, which is closely linked to consulting activities and a role in moments of truth, they have to

give up a part of this independency.


Conclusion

In this text, we researched the role of internal audit in moments of truth. After we listed the

moments and roles that have been reported during the 12 interviews that we conducted, we were

able to determine two different types of roles in those moments. Since there is only a direct

connection between the role of internal audit and the moment itself in the second type, we will

consider this type to be the genuine role in moments of truth. This immediately answers our first

research question, since we now know that internal audit does in fact have a role in moments of

truth. If we look more closely, we can see that this role shows a striking similarity with the role of

internal audit as internal consultant. Therefore, we can state that internal audit acts as an internal

consultant in moments of truth, which answers our second research question. Furthermore, some

of the cases that have reported a role in moments of truth of the second type, i.e. the genuine role

in moments of truth, have also reported roles of the first type, which were considered as regular

audit activities. Therefore, the role in moments of truth should be seen as an extension of the audit

activities. Interestingly, most cases of the consulting cluster were able to report multiple moments

in which they were involved, which indicates that the role is established within the organization

and not just a one-time action.

After carefully selecting some of the attributes about the internal audit department, the

organization and the participant, we could quickly determine that they do not explain why some

IAFs are involved in moments of truth and others don’t.

We decided to also look at some general characteristics of the audit functions, based on the

characteristics of the role of internal consultant and the change within their department that some

of the participants have reported. These characteristics include: Going beyond reviewing and

reporting, the function should be concerned with finding improvements and adding value; A

proactive approach instead of a reactive one; Partnership with (top) management; Audit plan, mostly

risk-based and flexible; Alignment with strategy and vision of the organization; and Willing to give

up some of the independency.


These characteristics should definitely not be interpreted as separated elements. They are all

closely connected to each other, fitting into the same concept and part of a highly interactive

process.

We have found some strong indications that an attitude of the IAF that wants to improve the

organization and add value has a positive influence on the involvement of internal audit in

moments of truth. Furthermore, thinking proactively about the future and then acting accordingly

has also been put forward in our data as an important characteristic of the IAFs. The partnership

with the management and the positive perception of the organization about internal audit are

significantly better in the consulting cluster than in the assurance cluster. However, even though

we believe that these aspects do improve the ability of internal audit to add value in moments of

truth, they should rather be interpreted as a result of the other characteristics.

Now that we have discussed the characteristics that are connected to the consulting role of

internal audit, we see that the IAFs that have a (consulting) role in moments of truth appear to have this

role in general. This might imply that when an IAF takes on the role of internal consultant, it’s

highly probable that they are involved in moments of truth.

The audit plan of the IAFs that are involved in moments of truth has provided us with some

interesting information. Most of the cases had a risk-based audit plan, so there is no direct link

between a risk-based audit plan and a role in moments of truth. However, this type of audit plan

does contribute to all other characteristics which makes it important for the role in moments of

truth anyway. These moments, however, are often ad hoc and therefore not included in the audit

plan. Therefore, including flexibility in the audit plan to perform ad hoc activities on request of the

management has proven to be very important for having a role in moments of truth. A cyclical

audit plan could contribute to building partnerships with the business and for that reason it might

be useful for IAFs that are looking for partnerships, but it is not directly linked to the role in

moments of truth.


Obviously, moments of truth are closely connected to the strategy of the organization, and

therefore we might expect that alignment with the strategy is a distinctive characteristic of the

IAFs involved in moments of truth. However, partly because of the widespread use of a risk-based

audit plan which has the objective to align with the strategy and the business, we did not find any

difference between both clusters of IAFs based on their alignment.

Maybe the most interesting finding of our research has been the fact that internal audit has to give

up some of its independency when they want to be involved in moments of truth. We do not claim

that internal audit has to lose its independency and objectivity. Most of the requirements that

have been put forward to obtain and guard an independent and objective function are still present

in IAFs acting as internal consultant. However, an internal audit function that takes on the role of

internal consultant, and hence is involved in moments of truth, is expected to be closely integrated

into the business and with the management, while the isolated position of the function within the

company has always been an important aspect of its independency.

This implies a contradiction because on the one hand, the literature has put forward that the

independency is crucial for an effective and value-adding function, but on the other hand, the

internal consulting activities, and the role in moments of truth, are considered to add a lot of value

and make the function effective. The latter, however, requires the function to give up a part of its

independent position.

Internal audit is no longer the independent and isolated profession that it used to be. They have to

work closely together with other departments, using their wide range of expertise and knowledge

in consulting activities and during moments that the company needs it, i.e. the moments of truth.

This role does not make it easier for the internal auditors since they have to be flexible and have

to be able to react to the needs of the management in moments of truth. Nevertheless, we expect

that internal audit will continue to focus on this consulting role and their role in moments of truth.

It does not only make it more interesting for the internal auditors, they also get the opportunity

to directly contribute to the improvement and progress of the organization, which is also highly

appreciated by the business itself.


References

Adams, M. (1994). Agency Theory and the Internal Audit. Managerial Auditing Journal, 9(8), 8–12. Retrieved from https://doi.org/10.1108/02686909410071133

Ahmad, Z., & Taylor, D. (2009). Commitment to independence by internal auditors: the effects of role ambiguity and role conflict. Managerial Auditing Journal, 24(7), 899–925. Retrieved from https://doi.org/10.1108/02686900910994827

Allegrini, M., D’Onza, G., Paape, L., Melville, R., & Sarens, G. (2006). The European literature review on internal auditing. Managerial Auditing Journal, 21(8), 845–853. Retrieved from https://doi.org/10.1108/0268690061070378712

Alzeban, A., & Gwilliam, D. (2014). Factors affecting the internal audit effectiveness: A survey of the Saudi public sector. Journal of International Accounting, Auditing and Taxation, 23(2), 74–86. https://doi.org/10.1016/J.INTACCAUDTAX.2014.06.001

Anderson, U. (2003). Chapter 4 Assurance and consulting services. In Research opportunities in internal auditing. Altamonte Springs: The Institute of Internal Auditors.

Arena, M., & Azzone, G. (2009). Identifying Organizational Drivers of Internal Audit Effectiveness. International Journal of Auditing, 13(1), 43–60. https://doi.org/10.1111/j.1099-1123.2008.00392.x

Beasley, M., Hancock, B., & Branson, B. (2009). Strengthening Enterprise Risk Management for Strategic Advantage. Retrieved from https://www.coso.org/documents/COSO_09_board_position_final102309PRINTandWEBFINAL_000.pdf

Bou-Raad, G. (2000). Internal auditors and a value-added approach: the new business regime. Managerial Auditing Journal Managerial Auditing Journal Iss Managerial Auditing Journal, 15(5), 182–187. Retrieved from https://doi.org/10.1108/02686900010322461

Brody, R. G., & Lowe, D. J. (2000). The New Role of the Internal Auditor: Implications for Internal Auditor Objectivity. International Journal of Auditing, 4(2), 169–176. https://doi.org/10.1111/1099-1123.00311

Brown, R. (1971). A History of Accounting and Accountants. New York: A.M. Kelley. Cascarino, R., & van Esch, S. (2007). Internal Auditing: An Integrated Approach (Second).

Lansdowne: Juta and Co Ltd. Cohen, A., & Sayag, G. (2010). The Effectiveness of Internal Auditing: An Empirical Examination of

its Determinants in Israeli Organisations. Australian Accounting Review, 20(3), 296–307. https://doi.org/10.1111/j.1835-2561.2010.00092.x

Cohen, J., Krishnamoorthy, G., & Wright, A. (2002). Corporate Governance and the Audit Process. Contemporary Accounting Research, 19(4), 573–594. https://doi.org/10.1506/983M-EPXG-4Y0R-J9YK

COSO. (2013). Internal Control — Integrated Framework. Retrieved from https://na.theiia.org/standards-guidance/topics/Documents/Executive_Summary.pdf

COSO. (2017). Enterprise Risk Management Integrating with Strategy and Performance. Retrieved from https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-

Page 66: THE ROLE OF INTERNAL AUDITING IN MOMENTS OF TRUTH

VIII

Strategy-and-Performance-Executive-Summary.pdf D’Onza, G., Selim, G. M., Melville, R., & Allegrini, M. (2015). A Study on Internal Auditor

Perceptions of the Function Ability to Add Value. International Journal of Auditing, 19(3), 182–194. https://doi.org/10.1111/ijau.12048

De Beelde, I. (2008). Financiële audit. Gent: Academia Press. Dittenhofer, M. (2001). Internal auditing effectiveness: an expansion of present methods.

Managerial Auditing Journal, 16(8), 443–450. Retrieved from https://doi.org/10.1108/EUM0000000006064

Ernst & Young. (2012). The Future of Internal Audit is Now, Increasing Relevance by Turning Risk into Results. New York. Retrieved from https://www.eycom.ch/en/Publications/20120718-The-future-of-internal-audit-is-now/download

Getie Mihret, D., & Wondim Yismaw, A. (2007). Internal audit effectiveness: an Ethiopian public sector case study. Managerial Auditing Journal, 22(5), 470–484. https://doi.org/10.1108/02686900710750757

Gramling, A., Maletta, M., Schneider, A., & Church, B. (2004). The Role of the Internal Audit Function in Corporate Governance: a Synthesis of the Extant Internal Auditing Literature and Directions for Future Research. Journal Of Accounting Literature, 23, 194–244. Retrieved from https://search.proquest.com/docview/216303617?pq-origsite=gscholar

Hass, S., Abdolmohammadi, M. J., & Burnaby, P. (2006). The Americas literature review on internal auditing. Managerial Auditing Journal, 21(8), 835–844. https://doi.org/10.1108/02686900610703778

Hermanson, D., Ivancevich, D., & Ivancevich, S. (2008). Building an Effective Internal Audit Function: Learning from SOX Section 404 Reports. Review of Business, 28(2), 13–28.

Hermanson, D. R., & Rittenberg, L. E. (2003). Internal audit and organizational governance. Research opportunities in internal auditing. Altamonte Springs: The Institute of Internal Auditors.

IIA Professional Practices Committee. (2016). Measuring the Effectiveness of the Internal Audit Function Practical tools for internal auditors. Amsterdam. Retrieved from https://www.iia.nl/SiteFiles/vakpub/IIA_Bro A4 Effectiviteitsmeting IAF ENG DIGITAL.pdf

Institute of Internal Auditors. (1999). Definition of Internal Auditing. Retrieved from https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx

Institute of Internal Auditors. (2004). Internal Auditing’s Role in Sections 302 and 404 of the Sarbanes-Oxley Act. Altamonte Springs.

Jensen, M. C., & Meckling, W. H. (1976). Theory of the firm: Managerial behavior, agency costs and ownership structure. Journal of Financial Economics, 3(4), 305–360. https://doi.org/10.1016/0304-405X(76)90026-X

Jeppesen, K. K. (1998). Reinventing auditing, redefining consulting and independence. European Accounting Review, 7(3), 517–539. https://doi.org/10.1080/096381898336402

Joe Christopher, A., Sarens, G., Leung, P., & Christopher, J. (2009). A critical analysis of the independence of the internal audit function: evidence from Australia. Accounting, Auditing & Accountability Journal Managerial Auditing Journal Managerial Auditing Journal, 22(5), 200–220. Retrieved from https://doi.org/10.1108/09513570910933942

Page 67: THE ROLE OF INTERNAL AUDITING IN MOMENTS OF TRUTH

IX

Karagiannis, D., Mylopoulos, J., & Schwab, M. (2007). Business Process-Based Regulation Compliance: The Case of the Sarbanes-Oxley Act. In 15th IEEE International Requirements Engineering Conference (RE 2007) (pp. 315–321). IEEE. https://doi.org/10.1109/RE.2007.15

Lenz, R., & Hahn, U. (2015). A synthesis of empirical internal audit effectiveness literature pointing to new research opportunities. Managerial Auditing Journal, 30(1), 5–33. https://doi.org/10.1108/MAJ-08-2014-1072

M. Wood Company. (n.d.). The Role of Internal Audit in Complying with Sarbanes-Oxley. Retrieved from http://www.mwoodco.com/value/Internal_Audit_7-03.pdf

Mihret, D. G. (2014). How can we explain internal auditing? The inadequacy of agency theory and a labor process alternative. Critical Perspectives on Accounting, 25(8), 771–782. https://doi.org/10.1016/j.cpa.2014.01.003

Nagy, A. L., & Cenker, W. J. (2002). An assessment of the newly defined internal audit function. Managerial Auditing Journal, 17(3), 130–137. https://doi.org/10.1108/02686900210419912

Organisation for Economic Co-operation and Development Council. (1999). OECD Principles of Corporate Governance. Retrieved from http://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?cote=C/MIN(99)6&docLanguage=En

Paletta, A., & Alimehmeti, G. (2016). SOX Disclosure and the Effect of Internal Controls on Executive Compensation. Journal of Accounting, Auditing & Finance, 1–19. https://doi.org/10.1177/0148558X16630445

Porter, B., Simon, J. B., & Hatherly, D. J. (2014). Principles of External Auditing (4th ed.). Chichester: John Wiley & Sons.

Ramamoorti, S. (2003). Chapter 1 Internal Auditing : History , Evolution , and Prospects. In Research opportunities in internal auditing (pp. 1–23). Florida: The Institute of Internal Auditors Research Foundation. Retrieved from https://na.theiia.org/iiarf/Public Documents/Chapter 1 Internal Auditing History Evolution and Prospects.pdf

Rezaee, Z. (2007). Corporate governance post-Sarbanes-Oxley : regulations, requirements, and integrated processes. John Wiley & Sons. Retrieved from https://books.google.be/books?hl=nl&lr=&id=Ri64D_PzyVEC&oi=fnd&pg=PR5&dq=Internal+Audit’s+Role+in+Corporate+Governance:+Sarbanes-Oxley+Compliance+pdf&ots=6_HrC0p7w-&sig=2X31Xb2cY6TE3YO6wZc49txmyw4#v=onepage&q&f=false

Sarbanes, P., & Oxley, M. Sarbanes-Oxley Act (2002). 107th United States Congress. Sarens, G., & De Beelde, I. (2006a). Internal auditors’ perception about their role in risk

management. Managerial Auditing Journal, 21(1), 63–80. https://doi.org/10.1108/02686900610634766

Sarens, G., & De Beelde, I. (2006b). The Relationship between Internal Audit and Senior Management: A Qualitative Analysis of Expectations and Perceptions. International Journal of Auditing, 10(3), 219–241. https://doi.org/10.1111/j.1099-1123.2006.00351.x

Selim, G., & McNamee, D. (1999). Risk Management and Internal Auditing: What are the Essential Building Blocks for a Successful Paradigm Change? International Journal of Auditing, 3(2), 147–155. https://doi.org/10.1111/1099-1123.00055

Selim, G., Woodward, S., & Allegrini, M. (2009). Internal Auditing and Consulting Practice: A

Page 68: THE ROLE OF INTERNAL AUDITING IN MOMENTS OF TRUTH

X

Comparison between UK/Ireland and Italy. International Journal of Auditing, 13(1), 9–25. https://doi.org/10.1111/j.1099-1123.2008.00395.x

Sneller, L., & Langendijk, H. (2007). Sarbanes Oxley Section 404 Costs of Compliance: a case study. Corporate Governance: An International Review, 15(2), 101–111. https://doi.org/10.1111/j.1467-8683.2007.00547.x

Soh, D. S. B., & Martinov-Bennie, N. (2011). The internal audit function: Perceptions of Internal Audit Roles, Effectiveness and Evaluation. Managerial Auditing Journal, 26(7), 605–622. https://doi.org/10.1108/02686901111151332

Spira, L. F., & Page, M. (2003). Risk management: The reinvention of internal control and the changing role of internal audit. Accounting, Auditing & Accountability Journal. https://doi.org/10.1108/09513570310492335

Spraakman, G. (1997). Transaction cost economics: a theory for internal audit? Managerial Auditing Journal, 12(7), 323–330. https://doi.org/10.1108/02686909710180670

Stewart, J., & Subramaniam, N. (2010). Internal audit independence and objectivity: emerging research opportunities. Managerial Auditing Journal, 25(1), 328–360. Retrieved from https://doi.org/10.1108/02686901011034162

Tang, F., Yang, L., & Gan, H. (2017). Internal auditors’ reputation and managers’ reliance decision. Managerial Auditing Journal Managerial Auditing Journal Managerial Auditing Journal, 32(7), 768–787. Retrieved from https://doi.org/10.1108/MAJ-04-2016-1366

The Editors of Encyclopaedia Britannica. (2018). Industrial Revolution | Definition, Facts, & Summary | Britannica.com. Retrieved from https://www.britannica.com/event/Industrial-Revolution

The IIA Research Foundation. (2003). Internal Audit Reporting Relationships: Serving Two Masters. Altamonte Springs. Retrieved from https://na.theiia.org/iiarf/Public Documents/Internal Audit Reporting Relationships Serving Two Masters.pdf

The Institute of Internal Auditors. (n.d.). About The Institute of Internal Auditors. Retrieved from https://na.theiia.org/about-us/Pages/About-The-Institute-of-Internal-Auditors.aspx

The Institute of Internal Auditors. (2013). IIA Position Paper: The three lines of defense in effective risk management and control. Altamonte Springs, Florida. Retrieved from https://global.theiia.org/standards-guidance/Public Documents/PP The Three Lines of Defense in Effective Risk Management and Control.pdf

The Institute of Internal Auditors. (2016). International Standards for the Professional Practice of Internal Auditing (Standards).

Venables, J. S. R., & Impey, K. W. (1991). Internal audit. Butterworths. Watts, R. L., & Zimmerman, J. L. (1983). Agency Problems, Auditing, and the Theory of the Firm:

Some Evidence. Journal of Law & Economics, 26. Retrieved from http://heinonline.org/HOL/Page?handle=hein.journals/jlecono26&id=625&div=37&collection=journals

Whittington, O. R. (1992). Principles of Auditing (10th ed.). Homewood: Irwin.

Page 69: THE ROLE OF INTERNAL AUDITING IN MOMENTS OF TRUTH

XI

Appendix

Table 2 and 3: Overview of the participants, their department and the organization

| IAF | Years of experience (participant) | Maturity (department) | Size (department) | Manager |
|---|---|---|---|---|
| IAF1 | 18 | 11-20 | 3-5 | Yes |
| IAF2 | 11 | 20+ | 1-2 | No |
| IAF3 | 9 | 11-20 | 3-5 | Yes |
| IAF4 | 33 | 20+ | 6-10 | Yes |
| IAF5 | 15 | 11-20 | 6-10 | Yes |
| IAF6 | 9 - 2 | 11-20 | 3-5 | Yes |
| IAF7 | 2 | 11-20 | 6-10 | Yes |
| IAF8 | 0,5 | 0-2 | 1-2 | No |
| IAF9 | 10 | 6-10 | 1-2 | Yes |
| IAF10 | 2 + 10 | No information | 1-2 | Yes |
| IAF11 | 7 | No information | 10+ | Yes |
| IAF12 | 4 | 20+ | 6-10 | Yes |

Table 2: Overview of the participants, their department and the organization (a)

| IAF | Industry | Sector | Turnover | Number of employees |
|---|---|---|---|---|
| IAF1 | Image-forming systems | Private | €1 – 5 billion | 10.000+ |
| IAF2 | Water treatment | Public | 0 - €500 million | 1.001-5.000 |
| IAF3 | Screens, projectors, led-lighting | Private | €1 – 5 billion | 1.001-5.000 |
| IAF4 | Production of steel wire | Private | €1 – 5 billion | 10.000+ |
| IAF5 | Heating, cooling, ventilation | Private | €1 – 5 billion | 5.001-10.000 |
| IAF6 | Natural gas | Private | €1 – 5 billion | 1.001-5.000 |
| IAF7 | Railways infrastructure | Public | €500 million – 1 billion | 10.000+ |
| IAF8 | Dredging | Private | €1 – 5 billion | 5.001-10.000 |
| IAF9 | Cinema | Private | 0 - €500 million | 1.001-5.000 |
| IAF10 | Holding | Private | €1 – 5 billion | 1.001-5.000 |
| IAF11 | Telecommunication | Private | €5 billion + | 10.000+ |
| IAF12 | Precious metals | Private | €1 – 5 billion | 5.001-10.000 |

Table 3: Overview of the participants, their department and the organization (b)


Table 4: Overview of the participants, their department and the organization (c)

| IAF | International character | Founding year | Stock exchange | Network of subsidiaries |
|---|---|---|---|---|
| IAF1 | Multinational | Before 1900 | Quoted | Extensive |
| IAF2 | Regional | 1976-2000 | Not quoted | None |
| IAF3 | Multinational | 1926-1950 | Quoted | Extensive |
| IAF4 | Multinational | Before 1900 | Quoted | Extensive |
| IAF5 | Multinational | 1951-1975 | Quoted | Extensive |
| IAF6 | Just exceeding national borders | After 2000 | Quoted | Limited |
| IAF7 | National | After 2000 | Not quoted | None |
| IAF8 | Multinational | 1926-1950 | Not quoted | Limited |
| IAF9 | Multinational | 1976-2000 | Quoted | Limited |
| IAF10 | Just exceeding national borders | 1901-1925 | Not quoted | Extensive |
| IAF11 | National | 1926-1950 | Quoted | Extensive |
| IAF12 | Multinational | 1901-1925 | Quoted | Extensive |


Questionnaire – translated into English

Part I: Internal audit function

1. When was the internal audit department established within your organization?

2. What is the size of the department in terms of number of employees?

3. What is your role within the department?

4. How many years of experience do you have?

5. How do you plan the audits for the next period? Do you have some examples of recent audits?

6. In general, internal audit is supposed to focus on internal control, risk management, and corporate governance. Is one of those scopes more strongly represented within the activities of your department?

7. Do you report to the audit committee or top management? Does it make a difference regarding the type of information?

Part II: Moments of truth

1. Do you have any recent examples of important moments for the company in which internal audit was involved?

2. How would you describe the relationship with management and the audit committee in those moments? Do you think of this relationship as proactive, in which you would take initiative, or was it rather on request of the management?

3. Do you feel like management more often requests the assistance of internal audit in those strategic activities, which results in internal audit being more involved in those moments of truth?

4. Do you believe that internal audit manages to perform its activities in an objective way in those moments?

5. Were there enough resources available in said moments?

6. Did the internal audit department make recommendations in those moments? If yes, what percentage has been accepted/implemented?

7. Organizations are facing changes and developments more often than they used to. Knowing this, how do you see the role of internal audit evolving in the future?


Table 5: Detailed overview of the moments of truth, the role of internal audit and the corresponding IAFs

| Moment of truth | Role of internal audit | IAFs |
|---|---|---|
| Acquisition | Due diligence: financial audit of balance sheets, stocks, etc. (as part of the due diligence-team) | IAF3, IAF6, IAF9, IAF12 |
| | Internal control diagnostics: Reviewing the internal control structure to make sure that the required standards regarding internal control and governance are present and effective; flag gaps | IAF4, IAF6, IAF10, IAF11, IAF12 |
| | Auditing ethics, management controls, compliance management and governance of a potential takeover before the decision has been made to do this. Giving the management an opinion about the current situation, but also flag what should be looked at if the acquisition is done | IAF5 |
| Centralization and standardization | Follow-up of the progress through audits | IAF11 |
| | Part of the team that designs and implements the new system. Internal audit focusses on establishing appropriate internal controls and governance (e.g. control procedures for segregation of duty) | IAF9 |
| Code of conduct | Designing the code of conduct/code of ethics, which is then discussed, adapted and approved by management | IAF2, IAF8 |
| Divestment | Due diligence: financial audit of balance sheets, stocks, etc. (as part of the due diligence-team) | IAF3, IAF12 |
| External incident (lawsuit, hacking) | Reviewing internal controls: providing assurance to management that the internal controls are effective and prevent the external incident from happening again in the future (e.g. limitation of liability-clause in sales contracts) | IAF3 |
| | Analyzing the incident (systems affected, impact) and suggesting improvements for future | IAF11 |
| Internal incident (fraud, unexpected fail of procedures, management reshuffle) | Regularly auditing the management of entities/processes regarding ethics and governance, specifically to tackle potential cases of fraud | IAF5 |
| | Forensic audit: investigating a potential case of fraud or corruption | IAF9, IAF12 |
| | Analyzing the incident and suggesting improvements | IAF12 |
| Joint venture or strategic participation | Part of the team that designs and implements the new system. Internal audit focusses on establishing appropriate internal controls and governance (e.g. control procedures for segregation of duty) | IAF3 |
| | Internal control diagnostic: Reviewing the internal control structure to make sure that the required standards regarding internal control and governance are present and effective; flag gaps | IAF6 |
| New IT-system (SAP, automatization, etc) | Part of the team that designs and implements the new system. Internal audit focusses on establishing appropriate internal controls and governance (e.g. control procedures for segregation of duty) | IAF3 |
| | Suggesting control procedures that should be included in a new process or system, evaluating the current draft and highlighting possible gaps and improvements (regarding effectiveness and efficiency of internal controls) | IAF5, IAF8, IAF11 |
| | Auditing the existing system and identifying what has been done wrong to be able to include recommendations in new system (recommendations are linked to the existing system and not the new system) | IAF10 |
| New process or product | Post-mortem audit: Evaluation of the new process or product after it has been completed in order to get an opinion about what has been done correctly, what has been done wrong and what can be learned from this experience | IAF1 |
| | Internal control diagnostics: Reviewing the internal control structure to make sure that the required standards regarding internal control and governance are present and effective; flag gaps | IAF6, IAF9 |
| | Suggesting control procedures that should be included in a new process or system, evaluating the current draft and highlighting possible gaps and improvements (regarding effectiveness and efficiency of internal controls) | IAF8, IAF11, IAF12 |
| | Development, implementation and follow-up of the new process (role of project manager) | IAF9 |
| New standards (ISO) and regulations (GDPR) | Assisting other departments in the organization with their knowledge of risks and internal controls (Mapping risks and corresponding internal controls) | IAF3, IAF11 |

Project map 5: Overview of the links between moments of truth and the role (Consulting role as we will describe it later)

Project map 6: Overview of the links between moments of truth and the role (Consulting role as we will describe it later)

Project map 6: Overview of the links between moments of truth and the role (Assurance role as we will describe it later)


Table 6: Overview of the change as discussed in the interviews

IAF Old situation New situation

2 Advising role towards management, trust-based

Ad hoc assignments Positive attitude towards internal audit

3 One person, function was not taken seriously by the business Cyclical audit Entity-based audits Reputation of police-officer

Moved away from the reputation of police-officer a long time ago Becoming less independent to have more impact Risk-based audit plan (annual assessment with risk department)

4 Standard self-audits (queries)

5 Focused on operational process controls

Executing the audit plan as it was drafted at the beginning and nothing else High level audit, entity-based

Management audits Assistance required by management (ad hoc) to suggest improvements for the design Activities that are closer to strategic aspect, such as strategic risk assessments Assistance required to suggest controls for new process Flexible audit plan (room for ad hoc) Management-audit as extension of regular audit Thorough audits if there seems to be a certain risk (=risk-based audit)

6 Cyclical audit plan (of processes and entities) Focus on reviewing the effectiveness of internal control Recommendations to make sure improvements are implemented Sampling

Focusing on more specific domains Hiring external experts for certain audits Time for preparation has increased significantly Risk-based audit plan, rather than process-based Closer link to business and daily operations, as well as vision and strategy of company Focus on added value Using new audit tools (data analytics, continuous auditing) Being efficient and flexible

7 Internal point of contact for external auditor Assurance provider

8 Reviewing expenses and cash register

When an error was determined, the person had made a mistake Not taken seriously throughout the organization

When an error is determined, the person has not made a mistake, but the processes are not effective, or management has not communicated sufficiently to the business Perceived as value-adding

9 Traditional audit activities (assurance) Mapping processes

Advisory (“internal consulting”) Wide scope (from business projects to acquisitions)

Reviewing effectiveness (coverage of risks and internal controls)

Follow-up of recommendations Partnership with management Focus on efficiency

10 Entity-based audit plan Processes have been centralized, therefore audits too Process-based audit plan

11 Internal auditors are perceived as police officers. If you would get a bad comment from them, management would not be pleased. Therefore, people did not like to be part of an audit Assurance provider (controlling and reporting to AC and board)

Perceived as partner within the organization More proactive approach during audits Clear communication with stakeholders Focusing on risks that are perceived to be important by the business

12 Accusative and critical (“why didn’t you get this?...”) Trying to find improvements together with business