Internal audit’s involvement in enterprise-wide risk management
This thesis by publication examines the involvement of the internal audit function (IAF) in enterprise-wide risk management (ERM). The thesis consists of three papers based on a sequential mixed methods design comprising a survey in Stage 1 and semi-structured interviews in Stage 2, both conducted with the chief audit executives (CAE). The thesis aims to further our understanding of ERM by investigating the following three central research questions:
1) What is the current extent and effectiveness of internal audit's involvement in ERM-related roles and how are they expected to change in future? (Paper One)
2) What is the impact of various governance, risk management, and IAF factors on the level of IAF’s involvement in ERM-related roles? (Paper Two)
3) How relevant and appropriate is the three lines of defence model in relation to internal audit’s involvement in ERM? (Paper Three)
Paper 1 undertakes a comprehensive investigation into the IAF's involvement in various ERM-related roles, including core assurance roles, legitimate consulting roles, and inappropriate management roles. By conducting an online survey with Australian CAEs representing a cross section of organisational types, sizes, sectors, and industries, this paper presents important empirical evidence on the IAF's post global financial crisis practices in ERM regarding: 1) the IAF's current extent of involvement in ERM; 2) expected future changes; and 3) the effectiveness of the IAF's ERM-related roles. The results of this study indicate that, despite consensus as to the value of internal audit's involvement in ERM, internal auditors spend only a limited to moderate amount of time on most of the ERM-related assurance and consulting roles. Internal audit's efforts and effectiveness tend to be skewed towards assurance relative to consulting roles, with the focus being on assessing the management of key risks, a trend that is expected to continue over the coming years. Participants are found to assume some extent of management responsibilities in ERM, raising potential concern as to the appropriateness of such roles in current internal audit practice and the impact of such involvement on the IAF's independence and objectivity.
Paper 2 investigates how the IAF's extent of involvement in ERM is associated with various organisational factors. By adopting a contingency theory perspective, three categories of organisational and IAF factors (i.e., governance, risk management, and IAF attributes) are investigated in terms of their correlation with the extent of IAF involvement in ERM-related assurance, consulting, and management roles using a multiple regression model. Data were collected using an online survey questionnaire with Australian CAEs representing a cross section of organisational types, sizes, sectors, and industries. The results indicate that senior management support for the IAF's involvement in ERM is a significant driver of that involvement. In-house IAFs have significantly higher involvement in ERM relative to outsourced IAFs. Other risk management factors (e.g., risk maturity, existence of a risk function) and IAF characteristics (e.g., IAF age, budget) examined were found to be significantly associated with the IAF's ERM-related roles, although the influence of these factors does not apply uniformly across the different types of roles.
Paper 3 investigates internal audit's involvement in risk management, specifically within the context of the three lines of defence (TLOD) model. A stakeholder theory perspective was adopted to analyse the qualitative data collected using semi-structured interviews with 12 internal audit practitioners at the CAE or partner level (for external providers of internal auditing services). The results suggest that the TLOD model is generally perceived as a robust and appropriate model for assigning roles and responsibilities in relation to risk management across the key stakeholders, including the IAF. However, several challenges were reported regarding the application of this model, especially in relation to the IAF's involvement in ERM, relating to the lack of: 1) clarity and understanding of the roles across the three lines; 2) risk maturity in the organisation; and 3) communication, coordination, and collaboration across key governance parties. The findings of this study confirm the practice of 'blurring of lines', with the IAF performing advisory and management ERM roles in practice. However, participants suggested that 'blurring of lines' should not be the norm but rather a temporary solution during the organisation's transition towards higher levels of risk maturity. The results also indicate that internal auditors' independence was greatly valued by participants, with several safeguards being adopted by the IAF to protect its independence when there was a danger of 'blurring of lines' in ERM.