Research Article: 2021 Vol: 25 Issue: 2S
Setyo Wibowo, IPB University
Noer Azam Achsani, IPB University
Arif Imam Suroso, IPB University
Hendro Sasongko, Hendro Sasongko
Internal Audit, Risk Management, Combined Assurance, Risk Oversight, Agency Theory
In a VUCA world, the board as the governing body of an organization has to oversee the risk management process more stringently. Its risk oversight is based on various assurance providers, which can be categorized into three lines of defense. As the third line of defense, internal audit needs to coordinate the combined assurance of the three to avoid gaps and overlaps, but little is known about this role. This study uses binary logistic regression to explore factors associated with internal audit involvement in the organization’s combined risk management assurance. We use 906 data samples drawn from the common body of knowledge survey performed by the Institute of Internal Auditors Global in 2015. We found that the use of technology, risk management maturity, frequency of management’s risk assessment, three lines of defense model adoption, and coordination with the external auditor are significantly associated with the formal combined assurance implementation. The study results fill the gap in combined assurance knowledge and are beneficial to internal and external audit practitioners, boards of directors and senior management, regulators, and standard-setting bodies.
Organizations face four situations based on how much they know and how well they can predict the outcome of the action taken. These four quadrants are (1) volatility (high knowledge-high capability), (2) uncertainty (high knowledge-low capability), (3) complexity (low knowledge-low capability), and (4) ambiguity (low knowledge-high capability) (Bennett & Lemoine, 2014). As these four situations, known as VUCA, intensify, the board as the governing body of an organization needs to oversee the organization's risk management process more stringently (Kuznik, 2015). Unfortunately, boards are not involved in the daily operation of the organizations. They have to rely on the assurance provided by many parties, especially the Internal Auditors (IA), whose function is to evaluate and improve the efficacy of the risk management process (Sarens et al., 2009).
Many regulators in various countries have adopted the Three Lines of Defense (TLOD) framework to strengthen good governance. This framework divides the assurance providers into three categories: the first line of defense, the second line of defense, and the third line of defense (FERMA & ECIIA, 2010). When TLOD is implemented with each line running independently, it can cause gaps or overlaps in the whole risk oversight process. A survey conducted by OCEG showed that in an organization with a low level of maturity in the application of combined assurance between the three, each line would work in a silo. Consequently, as the survey results revealed, there are difficulties in providing assurance, overlapping costs, a lack of control in ensuring compliance and risk management, and difficulties in data reconciliation (OCEG, 2017).
In Standard 2050 and the supplemental guidance issued by the IIA, internal auditors are required to coordinate the three lines of assurance in order to avoid gaps and overlaps (IIA, 2018). Nevertheless, little is known about the role of internal audit in combined assurance. It is necessary to study further which factors are significantly associated with its involvement in the effectiveness of combined assurance. The study of combined assurance and internal audit has also been suggested as further research by previous researchers (Lenz & Sarens, 2012; Engelbrecht et al., 2018). This study intends to explore the factors in the Internal Audit Function (IAF) that are empirically significant in the role of internal audit in the combined assurance of risks. This study fills a gap in the literature on the role of the IAF in that particular approach and contributes to the practice of combined assurance coordination by the internal auditor.
Risk Oversight, Combined Assurance, and Internal Audit
The board has an overarching responsibility to determine the strategy of the organization and to agree on the desired level of risk that goes with it. The board also has the task of overseeing the implementation of strategic and operational risk management. Management, on the other hand, is responsible for developing and implementing operational and strategic risk management to align with the strategy set by the board (ICGN, 2015). COSO also puts risk oversight by the board as the first principle in its risk management framework (COSO, 2017).
King Report IV defines combined assurance as a model to involve and optimize all assurance activities so that, altogether, they encourage effective control environments and strengthen the integrity of the information that supports decision making by management and the board, as well as the external reporting of organizations (IoD, 2016). In the TLOD framework initiated by FERMA and ECIIA, three parties assure the process of risk management. In the first line, assurance is done internally by operational management and internal controls. Risk management and other compliance functions give assurance in the second line. Then, the internal auditor and External Auditor (EA) conduct the third line of assurance (FERMA & ECIIA, 2011). Given that the internal auditor is a party in the organization that, among its functions, performs the assurance of the risk management process and has a direct reporting line to the audit committee of the board, the board mainly relies on the internal auditors for its oversight of risk management (IIA, 2018). Figure 1 shows the theoretical framework of this study.
A previous study conducted by Decaux and Sarens showed factors in IAF adopting combined assurance. There are factors significantly associated with the adoption of combined assurance, namely: the committee that conducts risk management oversight, risk management maturity, the number of assurance providers, risk-based internal audit and compliance to internal audit standards, board independence, CEO duality, Big-4 external auditors, organizational complexity, listed organizations, and leveraged organization (Decaux & Sarens, 2015).
This study complements the work of Decaux and Sarens by extending it to other factors that theoretically can be associated with IAF involvement in combined assurance.
IA Input
This study investigates the association between the input dimensions of the IAF and the implementation of combined assurance. The input dimension can be seen from the following indicators: IAF size (number of staff), experience or age of the IAF, IAF budget, use of technology and data analytics, and the portions of resources used in assurance and consulting assignments. Previous studies showed that IAF size relates to the IAF mission. An IAF that has a mission to evaluate risk management, for example, will have a larger size compared to an IAF that is only focused on financial accounting audit (Anderson et al., 2012). Previous studies have also shown that IAF age parallels its maturity and its capabilities, and is also related to its involvement in more complex assignments (Sarens et al., 2011). Meanwhile, the influence of technology use in internal audit assignments is based on the research of Kim et al. (2009), and the use of data analytics by internal audit is based on the research of Li et al. (2018). It is expected that inputs are positively and significantly related to the application of combined assurance. Thus we formulate the research questions as follows:
RQ1 Is the size of the IAF significantly associated with the adoption of the combined assurance model?
RQ2 Is the age of IAF significantly associated with the adoption of the combined assurance model?
RQ3 Is the IAF budget adequacy significantly associated with the adoption of the combined assurance model?
RQ4 How does the IAF strategy on resources associate with the adoption of the combined assurance model?
RQ5 Is the use of technology in IAF significantly associated with the adoption of the combined assurance model?
IA Process and Risk Management
In addition to inputs, essential dimensions in the IAF are process and output (Trotman & Duncan, 2018). This study explores the association between the process dimensions of the IAF and the adoption of combined assurance, particularly in the aspect of risk management. Indicators of this IAF process dimension can be seen in the use of risk-based internal audit planning, the involvement of the IAF in risk assessment and its frequency, and the maturity of the ERM. Many previous studies have demonstrated influential factors in internal audit concerning risk-based internal audit and the IAF role in the ERM (Coetzee & Lubbe, 2014; Castanheira et al., 2010; Lenz et al., 2014). It is expected that the IAF process with regard to risk management is positively and significantly related to the adoption of combined assurance. Thus we formulate the following research questions:
RQ6 Is the use of the risk-based internal audit methodology significantly related to the adoption of the combined assurance model?
RQ7 How does the organizational risk assessment associate with the adoption of the combined assurance model?
RQ8 Is more frequent risk assessment significantly associated with the adoption of the combined assurance model?
RQ9 Is the involvement of IAF in ERM significantly associated with the adoption of the combined assurance model?
RQ10 Is the risk management process maturity significantly associated with the adoption of the combined assurance model?
IA Reporting Line
The IA reporting line is pivotal to the IAF’s independence and objectivity. Within the three lines of defense framework, the IAF has not only a reporting line to senior management but also a direct reporting line to the board. Many previous studies have demonstrated reporting lines that support independence as well as objectivity (Christopher et al., 2009; Abbott et al., 2016; Hoos et al., 2018). IAF independence and objectivity are expected to support the effectiveness of its role as the coordinator of combined assurance. Thus we formulate the research questions as follows:
RQ11 How does CAE’s administrative reporting line associate with the adoption of the combined assurance model?
RQ12 How does CAE’s functional reporting line associate with the adoption of the combined assurance model?
RQ13 Is the existence of an audit committee or equivalent significantly associated with the adoption of the combined assurance model?
RQ14 Are more frequent meetings between the Audit Committee and CAE significantly associated with the adoption of the combined assurance model?
IA Coordination with EA
The IIA provides Standard 2050 and related supplemental guidance as a basis for the professional practice of combined assurance coordination. According to this standard, the IAF should coordinate with other assurance providers, both external and internal to the organization. In this context, the IAF has a very close partnership with external auditors. This study investigates the relationship between the IAF and the external auditor, both in the process of internal audit planning and in the support of internal audit for the work of the external auditor, and its impact on the implementation of combined assurance. Many studies have been conducted on coordination between internal and external auditors in fraud risk management (Wang & Fargher, 2017) and on internal auditors' support for the work of external auditors, both in reducing working hours and in reducing fees. In a broader sense, previous studies have also examined trust relationships and cooperation in the context of the TLOD model (Lee, 2016; Mat Zain et al., 2015; Axén, 2018; Morais & Franco, 2019). Based on the above discussion, the following research questions are then formulated:
RQ15 Is more time spent by internal audit supporting external audit work significantly associated with the adoption of the combined assurance model?
RQ16 Is the input from the external auditor in the internal audit plan significantly associated with the adoption of the combined assurance model?
RQ17 Is consultation with external auditors significantly associated with the adoption of the combined assurance model?
RQ18 Is supporting external auditors significantly associated with the adoption of the combined assurance model?
Three Lines of Defense (TLOD)
The three lines of defense model was initiated by FERMA and ECIIA in 2011 (FERMA & ECIIA, 2011) and became popular after being widely adopted by many parties, including the Basel Committee on Banking Supervision in 2012 (Basel Committee on Banking Supervision, 2012; Al-Matari et al., 2016) and the IIA Global in 2013 (IIA, 2013). In this model, the IAF becomes the third line of defense, which conducts the assurance of the risk management and compliance work on the second line. The IAF also evaluates the assurance made by operational management as the first line, so the IAF should not be placed directly under the function of risk management, compliance, or finance (Chambers & Odar, 2015). With the application of the TLOD model, there is still a possibility of two directions, where the combined assurance can either be segregated or otherwise coordinated. Hence, we formulate the following research question:
RQ19 How does the implementation of three lines of defense associate with the implementation of the combined assurance model?
Control Variables
We believe that an organization’s assets and revenues are essential drivers of implementing a combined assurance approach (Sasongko & Marota, 2016). However, in this study, we focus on the perspective of internal audit, so we treat the organization’s assets and revenues as control variables. Several previous studies have used assets and revenues as control variables (Abbott et al., 2016; Mazza & Azzali, 2015).
Sample
The data used in this research is secondary data derived from the Internal Auditing Common Body of Knowledge (CBOK) Survey in 2015. The CBOK survey is the world’s largest survey on IAF, conducted by the Global Institute of Internal Auditors (IIA) Research Foundation once every five years. The total number of respondents who participated in CBOK 2015 is 14,518 practitioners from 166 countries in eight different geographical areas across various industries, sizes, and jurisdictions.
There are no specific restrictions on the characteristics of the respondents included in this study. We cover the respondents who filled in the questions completely according to the variables investigated in this study, which gives 906 internal audit practitioners across the world as the sample. However, we exclude any outlier values that may affect the results of the investigation. There are also no restrictions on the geographical and regional aspects since the research questions are related to global professional issues. Nevertheless, we compare the models between regions to enrich the discussion.
Variable Definition and Empirical Model
The dependent variable in this study is the formal implementation of the combined assurance model by organizations. IA Combined Assurance represents this variable. The information of this variable is obtained from CBOK 2015 question number 77 (Q77), which asks if the respondent’s organization has implemented a formal combined assurance model. We categorize the “Yes” response with code 1, which means that the organization has adopted the formal model of combined assurance. In contrast, the other option is categorized as “No,” with code 0, which means that the organization does not or has not implemented the formal combined assurance model.
We include a total of 21 determinants derived from the research questions in our study as independent variables. Table 1 in the appendix shows the complete definition and measurement of the variables used in this study. To summarize all the variables involved, we build a model in this study as follows:
Table 1 Assumptions Testing

| Assumption | Testing | Criteria |
|---|---|---|
| Non-Multicollinearity | Collinearity Diagnostic: | |
- |