Making A Difference Through Internal Audit Leadership and Enterprise Risk Management
Making A Difference Through Internal Audit Leadership and Enterprise Risk Management
Making A Difference Through Internal Audit Leadership and Enterprise Risk Management
e- ISSN: 2321-5933, p-ISSN: 2321-5925. Volume 9, Issue 2 Ver.1 (Mar-Apr .2018), PP 52-60
www.iosrjournals.org
Abstract: The classical view of the internal audit practices has to be rejuvenated. It is not about only to
perform the traditional audit, but in addition, it has a broader view and a farer role in making a difference to
organizations’ strategic objectives. Moreover, it is differentiated than what everyone knows about external
auditors (CPA’s) who perform financial and accounting audit, despite their indispensable important roles in
monitoring towards compliance, efficiency and effectiveness. The internal auditing is an independent, objective
assurance and a consulting activity designed to add value and improve an organization’s operations. Internal
audit has many types such as compliance audit, operational audit, financial audit, information system audit,
economy and efficiency audit, environmental audit and so forth. The manner is like the case of the evolution
and the transformation from the classical view of the human resource management to the new perspective of
the important role of human resource professionals as strategic partners, the internal audit has to be
transformed into a strategic advisor and demonstrating its leadership and expanded vision thoroughly within
the enterprise risk management, corporate governance and internal control. Accordingly, the research will
delve into evidences and analytical facts and theories that should deliver a better understanding and add
changes to stakeholders’ expectations.
Key Words: Internal Audit, Leadership, Strategy, Risk Management, Corporate Governance, Internal Control.
----------------------------------------------------------------------------------------------------------------------------- ----------
Date of Submission: 12-03-2018 Date of acceptance: 27-03-2018
----------------------------------------------------------------------------------------------------------------------------- ----------
I. Introduction
Statement Of The Problem
Internal auditing role is rarely participating in setting and executing strategies. In a fast-changing
business environment and as organizations are facing more risks than ever, stakeholders should be more aware
and well educated on emerging risks and how to manage risks in order to protect the business from downfalls
that might impede its strategic objectives. Thus, CEO’s are becoming more concerned about the wide range of
risks and the overregulation threats, in addition to uncertainties derived from geopolitical factors. Furthermore,
CEO’s are facing tremendous challenges in managing their businesses due to the fact that today’s customers and
stakeholders are increasingly demanding from them to tackle more complex future problems especially in a
complex global marketplace.
Senior organizational leaders and regulators are strongly endorsing internal audit leaders to refocus
their efforts on regulatory compliance issues. The expansion of globalization, capital markets, the evolving
regulatory environment, and technology are forcing companies to undertake strategies incorporated with
entering new markets, expanding into new industries, launching new product lines, new business models, and
cost reduction strategies. Nevertheless, this issue conveys new and more-complex risks that companies’ risk
management functions and internal audit, must understand and proactively address and therefore, companies
must capitalize on new opportunities.
Senior leaders and directors for organizations of all sizes are debating about enterprise risk
management and how to make it more involved. “This new-found interest in abandoning traditional risk
management and embracing an enterprise-wide risk management approach has naturally led to several questions
regarding who are supposed to be the architects, implementers, managers and overseers of the entire process.”
(J. Hall, 2007). A risk-based approach is used by internal auditors which easily provide an interest in the
enterprise risk management (ERM) process. Professional organizations and thought leaders are controverting the
role of the internal audit in integrated strategic initiatives and thus internal auditors barely have a seat at the
strategic table because the function is blurred as a lack of capabilities or technical skills as a major role beyond
risk assessment and mitigation. Therefore, the internal audit and ERM roles must be advocated to expand,
assess, and communicate its strategic value to organizations.
III. Limitations
Due to the time constrain, the thesis is not supported with surveys and interviews by Lebanese internal
audit practitioners and business leaders about the internal audit leadership especially in the Lebanese
organizations. However, the internal audit function in Lebanon is still in the evolving process and it is rarely
applied with professionalism except in the banking sector. Therefore, the surveys and statistical data are
collected from various case studies and publications performed by some of the big four known audit companies.
The enterprise risk management has a more traditional ways of managing risks. “ERM calls for high-
level oversight of the company’s entire risk portfolio, rather than having many different individual managers
overseeing specific risks in isolation” (J. Hall, 2007). Furthermore, the internal audit is expected to support more
strategic business objectives and therefore the efforts in ERM activities are more diligently through risk
identification and prioritization, alignment of people, processes, systems with business strategy, defining the
critical KPI’s, analyzing and quantifying risk factors in new ventures and strategies and understanding these
risks among different projects.
- Management has identified, assessed and responded to risks above and below the risk appetite
- The responses to risks are effective but not excessive in managing inherent risks within the risk appetite
- Where residual risks are not in line with the risk appetite, action is being taken to remedy that
- Risk management processes, including the effectiveness of responses and the completion of actions, are
being monitored by management to ensure they continue to operate effectively.
- Risks, responses and actions are being properly classified and reported.
delivering future value through assessing future governance, risk management and control and improving
business performance and thus enhancing value.
together could delineate the proper business model, and thus a strategy formulation would fit the overall mission
statement of the organization.
VII. Methodology
Based on a qualitative research method, the data collection is done through several articles and case
studies used from several top big four audit firms and other professional organizations. The articles are
supported by statistical data gathered from surveys made by Ernst & Young on the impact of the recession and
financial crisis on internal auditing in the Irish companies and how pressing is the need to improve the internal
audit functions, in addition to the strength of risk management’s impact on their long-term earnings
performance. The topic is supported also by descriptive statistics and analysis that critically analyze the main
subject, such as unlocking the strategic value of internal audit by Ernst & Young and the ultimate study of the
2016 study of PWC’s annual survey results concerning the internal audit professionals, “Leadership matters:
Advancing toward true north as stakeholders expect more.” Furthermore, the multiple case studies have
comparative examinations of different organizations. The comparative information could support the study and
make it more valuable, whereas the information remains qualitative and extend boundaries of knowledge. “Yin
(1989, 2003) does not differentiate between the use of single case studies, and the use of multiple case studies.
He sees such research as a key way to discover answers to the questions; how and why.” (R. Wright, 2009 ; Yin
1989, 2003)
A case study is one of the many methods used to do a research, which involves an investigation of an
organization made by an external observer or a researcher. Depending on the type of the research question, the
researchers or the investigators way of control over the actual events and their perspectives, case studies are
adopted as an efficient research strategy to understand a complex phenomenon. However, one of its
disadvantages is that the information available in the case are bounded to the case and findings become more
difficult to justify them statistically even if the case contains statistical analysis such as those used in this thesis,
the bias factor can never be dismissed. Despite, the data gathered from a case study is rich in general and has
more details and focusable insight on the topic under analysis. In addition, multiple cases can add evidences and
comparative examinations and an in depth critical analysis. Briefly, “The case study allows an investigation to
retain the holistic and meaningful characteristics of real-life events-such as individual life cycles, organizational
and managerial processes, neighborhood change, international relations, and the maturation of industries.” (R.
Yin, 2003)
The Process:
According to Yen (2003), there are various forms of case studies that can be used as explorative,
descriptive or explanatory tools. Therefore, the phenomena under investigation should answer questions of
“what”, “how” and “why”, thus an effective design should depict the critical elements of the case, starting with
the questions of the study, the propositions, its units analysis, data linkage and findings interpretation.
Internal audit leaders in Ireland have different perspectives, as the data in the previous section revealed,
some believe that their strategy should align the business strategy, and others believe that it should be
independent. In fact, an internal audit strategy should be designed for three to five years’ timeframe, delineate a
road map that fit the overall organization’s strategy, considering stakeholders expectations and compliance,
enterprise risk management, KPI’s, talent people, training, developing skills, processing new techniques, new
technology requirements and so forth. It is obvious how much interesting the ERM for the Irish companies,
quarter of them believe that it has a strong impact, however, there are larger organizations that have their ERM
functions independent from the internal audit functions, whereas it should be aligned for a better convergence in
managing risks as depicted in Thus, both functions complete each other and avoid gaps in governance, risk and
compliance.
Furthermore, data analytics is a tool that permits the internal auditor to generate better insights to
processes and thus a broader audit coverage which enhance skills in identifying inefficiencies, errors and risks.
Data analytics is vital to meaningful communication with management and audit committee and it enhances the
follow up of reported recommendations and findings by the internal audit. The below figure depicts the
analytical basics on controls and its impact on the organization.
XI. Conclusion
The roadmap of any business strategy is then meeting the transformational influencers, improvers and
advisors of the organizational ultimate business partners. Engaging stakeholders to enable the internal audit
leadership and pull the trigger to sourcing talent in order to generate deep business insights and an
understanding of the ultimate root causes inclusively. Effective communication and risk-based adoption improve
the organization cognition and understanding of the current and emerging risks and nonetheless to proactively
addressing the thematic issues. “96% of very effective leaders inspire stakeholder trust and confidence that risks
are covered, which is risk management functions’ ultimate responsibility.” (PWC, 2016)
References
[1]. B. Pine, 2008, “A risk-based approach to auditing financial statements”, Viewed on May 4, 2016:
[2]. http://www.accaglobal.com/content/dam/acca/global/PDF-students/2012s/sa_feb08_pine.pdf
[3]. D. Ketchen and J. Short, 2016, “Mastering Strategic Management”, Viewed on May 3, 2016:
[4]. http://catalog.flatworldknowledge.com/bookhub/reader/3085?e=ketchen_1.0-ch01_s02
[5]. Ernst & Young, 2013, “Matching Internal Audit talent to organizational needs”, Viewed on May 1, 2016:
[6]. http://www.ey.com/Publication/vwLUAssets/Matching_Internal_Audit_talent_to_business_needs/$FILE/Matching_Internal_Audit_t
alent_to_organizational_needs.pdf
[7]. Ernst & Young, 2011, “Internal audit’s evolving role: a proactive catalyst of business improvement”, Viewed on May 1, 2016:
[8]. http://www.tapestrynetworks.com/upload/Tapestry_EY_ACLN_InSights_Apr11.pdf
[9]. Ernst & Young, 2013, “Unlocking the strategic value of internal audit”, Viewed on 1 May, 2016:
[10]. http://www.shinnihon.or.jp/services/advisory/risk-advisory/global-contents/pdf/2013-10-16-10-en.pdf
[11]. Ernst & Young, 2014, “Staying relevant: The evolving role of Internal Audit in Ireland”, Viewed on May 1, 2016:
[12]. http://www.ey.com/Publication/vwLUAssets/Staying_relevant_-_The_evolving_role_of_Internal_Audit_in_Ireland/$FILE/EY-
Staying-relevant-The-evolving-role-of-Internal-Audit-in-Ireland.pdf
[13]. Institute of Internal Auditors, 2014, “Risk based internal auditing”, Viewed on May 5, 2016:
[14]. https://global.theiia.org/standards-guidance/topics/Documents/201501GuidetoRBIA.pdf
[15]. Institute of Internal Auditors, 2013, “IIA Position Paper: THE THREE LINES OF DEFENSE IN EFFECTIVE RISK
MANAGEMENT AND CONTROL”, Viewed on May 1, 2016:
[16]. https://na.theiia.org/standards-
guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%
20and%20Control.pdf
[17]. J. Hall, 2007, “Internal Auditing and ERM: Fitting in and Adding Value”, Viewed on 1 May, 2016:
[18]. https://na.theiia.org/about-us/Public%20Documents/Sawyer_Award_2007.pdf
[19]. KPMG, 2007, “The Evolving Role of the Internal Auditor”, Viewed on 2 May, 2016:
[20]. https://www.kpmg.com/CN/en/IssuesAndInsights/ArticlesPublications/Documents/role-ia-O-0707.pdf
[21]. K. Favaro (2012), “Strategy: An Executive Definition”, Viewed April 13, 2016:
[22]. http://www.strategy-business.com/article/cs00002?gko=d59c2
[23]. M. van Buul, 2010, “Successful Strategy Implementation A job for the Internal Auditor?”, Viewed on May 2, 2016:
[24]. http://www.iia.nl/SiteFiles/Succesful%20Strategy%20Implementation%20-
%20A%20job%20for%20the%20Internal%20Auditor.pdf
[25]. Powers Resources Corporation, 2013, Internal Audit Basics 7 th edition, PRC, Canada.
[26]. Protiviti (2006), “Top Priorities for Internal Audit in a Changing Environment”, Viewed April 13, 2016:
[27]. http://www.protiviti.com/en-US/Documents/White-Papers/Internal-Audit/Top_Priorities_for_Internal_Audit.pdf
[28]. PricewaterhouseCoopers, 2009, “Building a Strategic Internal Audit Function” Viewed on May 3, 2016:
[29]. http://www.pwccn.com/webmedia/doc/633931124239643628_ia_strategy_10step_sep2009.pdf
[30]. PricewaterhouseCoopers, 2013, “Oxford City Council Internal Audit Risk Assessment and Plan 2013/2014”, Viewed on May 3,
2016:
[31]. http://mycouncil.oxford.gov.uk/documents/s14108/PWC%20Audit%20Plan.pdf
[32]. PricewaterhouseCoopers, 2003, “Ten steps to a strategically focused internal audit function”, Viewed on May 1, 2016:
[33]. https://www.pwc.be/en/systems-process-assurance/pwc-strategic-internal-audit.pdf
[34]. R. Wright, 2009, “Internal Audit, Internal Control and Organizational Culture”, Viewed on May 5, 2016:
[35]. http://vuir.vu.edu.au/1989/1/R-M-Wright-Thesis-2009.pdf
[36]. R. Yin, 2003, “CASE STUDY RESEARCH Design and Methods Second Edition”, Viewed on May 6, 2016:
[37]. http://www.madeira-edu.pt/LinkClick.aspx?fileticket=Fgm4GJWVTRs%3D&tabid=3004
[38]. T. Hatherell, 2016, “Internal Audit: Trends and Challenges”, Viewed on May 2, 2016:
[39]. http://www2.deloitte.com/content/dam/Deloitte/lu/Documents/risk/lu_internal-audit-trends-challenges_06102014.pdf
[40]. W. Watts (2014), “Making Internal Audit More Strategic How Changing Its Role Makes It More Valuable to the Organization”,
Viewed April 15, 2016”
[41]. https://www.crowehorwath.net/uploadedfiles/crowe-horwath-
global/tabbed_content/making%20internal%20audit%20more%20strategic%20white%20paper_risk15927.pdf
[42]. Wharton University, 2002, “What Went Wrong at WorldCom?”, Viewed on May 2, 2016:
[43]. http://knowledge.wharton.upenn.edu/article/what-went-wrong-at-worldcom/
Hussein Nabulsi, Ph.D. “Making a Difference through Internal Audit Leadership and
Enterprise Risk Management.” IOSR Journal of Economics and Finance (IOSR-JEF) , vol. 9,
no. 2, 2018, pp. 52-60.