1. Introduction
Organization is always faced with business risks. Changes in the business environment have generated new risks and forced organization to modify governance, risk management, control, and supervision processes. Minimizing the impact of risk will maintain business sustainability and the organization's success (Widianingsih et al., 2023). Business changes and risks faced by the organization also create a need for internal auditors. Internal audit plays a role in carrying out supervision and helping to control and handle the negative impacts of risks that exist in the organizational. Internal audit is part of the organizational's governance structure to provide support for good corporate governance.
The distribution of internal audit services covers all organizational divisions to manage, control and supervise the impact of business risks that threaten the achievement of organizational goals and objectives (Drogalas & Siopi, 2017; Drogalas et al., 2020; Grant & Visconti, 2006; Karagiorgos et al., 2010; Κοutoupis & Tsamis, 2009; KPMG, 2007; Lemon & Tatum, 2003). Risk in auditing means that the auditor accepts a certain level of uncertainty which can cause losses to the Company so that it requires a response in carrying out the audit. Now, Organizations must to report on what they are doing to identify and mitigate sustainability risks. The distribution of internal audit functions has provided wider coverage for risk assessment, audit planning, and internal audit implementation (Khanna & Kaveri, 2008; Koutoupis & Tsamis 2009; Coetzee & Lubbe, 2014).
Internal audit helps management ensure the adequacy of internal control through supervision, minimizing the impact of risks such as fraud risk, credit risk and reputation risk. The main purpose of internal audit is to assist work units in the corporation's operational activities to manage risk by identifying problems, suggesting improvements that add value to the corporation. The risk is the possibility that an event/action will fail or negatively affect the corporation's ability to achieve business goals. The risk in auditing means that the auditor accepts a certain level of uncertainty that can cause losses to the Corporation so that it requires a response in conducting an audit. The risk-based audit procedures underscore the importance of identifying risks inherent in strategic plans, testing and reporting on the adequacy and effectiveness of risk mitigation procedures (Coetzee & Lubbe, 2014).
The main objective of internal audit is to assist the Company's operational activities, manage risks by identifying problems, suggesting improvements that provide added value to the company. The distribution of internal audit activities primarily focuses on areas in divisions or departments that have significant risks. (Griffiths, 2005; Hafizah, 2017; Koutoupis & Tsamis, 2009; Sarens et al., 2012). Auditor characteristics are expected to be able to increase the role of internal auditors effectively (Arena & Azzone, 2009; Alzeban & Sawan, 2015; Chang, et. al., 2019; Mihret & Yismaw, 2007; Lenz & Hahn, 2015). Effectivenessinternal audit viewsthat all business activities, especially those containing business risks, need to be mapped. Several factorssuch as corporation size, regulation, type of industry and culture will encourage the adoption of a risk-based internal audit process in the corporations (Koutoupis &Tsamis, 2009).
Bednareck (2018) argues that the effectiveness of internal audit is important because it will ensure the reliability of internal audit results, the active involvement of internal auditors in the company's governance system (Martino, et al., 2019) and requires risk management through risk management (Coetzee & Lubbe, 2014). The internal audit function is distributed in management, risk control and supervision activities as well as suggestions for improvements throughout the company's business lines, which has opened research opportunities regarding the effectiveness of internal audit. This research offers first, a direction for future internal audit effectiveness research. Second, this research maps the factors that influence the effectiveness of internal audit. This research was conducted using the systematic literature review (SLR) research method. The systematic literature review (SLR) method is used to evaluate the results of empirical research related to the effectiveness of internal audit and analyze them.
2. Literature Review
IIA (2017) defines internal audit as an independent and objective assurance and consulting activity designed to add value and improve operational of corporation. Internal audit helps an organization or corporation achieve its goals through a systematic and regular approach in evaluating and improving the effectiveness of risk management, control, and governance processes. Internal audits help save money, protect reputation, and pave the way for achieving corporate goals. In short, internal audit identifies risks that can keep the organization from achieving its strategic goals and objectives, alerts management to business processrisks, and proactively recommends improvements to help reduce risk. According to the IIA number 1100 standard, the internal audit activity must be independent and objective in carrying out its duties. Internal audit ensures that the corporation has performed effectively and efficiently.
The effectiveness of the internal audit function according to (Dittenhofer, 2001; Mihret & Yismaw, 2007) is measured by the ability of internal auditors to disclose and communicate findings and recommendations that are followed up by the management of corporation. According to Pickett (2010), Internal auditors must possess the knowledge, skill, and other competencies needed to perform their individual responsibilities. Research by Soh and Martinov (2011) proves that having the right people with sufficient skills to carry out the internal audit function is important for corporations. Management commitment and management support to use recommendations on audit results will strengthen the overall effectiveness of internal audit (Mihret & Yismau, 2007; Cohen & Sayag, 2010).
According to IIA, (2017) the effectiveness of internal audit can be seen from two sides, namely the supply side and the demand side. The supply side consists of factors such as Competence of the Internal Audit (IA) department, Size of the Internal Audit (IA) department, Organizational settings, Scope limitations, Compliance with applicable standards, Management training ground, Auditee attributes, Internal Audit (IA) independence, Internal Audit (IA) objectivity, conduct risk consulting, Outsourcing Internal Audit (IA), Quality of audit work, Chief audit executive's leadership style. While the demand side consists of factors such as Management support for Internal Audit (IA), Interaction between Internal Audit (IA) and external audit, Cooperation with the audit committee, Information and communication, Existence of a follow-up process, Supportive control environment, Cultural dimensions.
Risk is a deviation between expected results and actual results (Arena et al., 2006). Evenly distributing risk control and monitoring in each business line will help the company maintain its business continuity. The Corporation's business process risks require control, supervision and handling so that they do not have a negative impact on the achievement of the Corporation's goals. Some of the risks contained in the corporation are operational risk, reputation risk, compliance risk, legal risk, and strategic risk which are risks that are interrelated with one another. Effectiveness internal audit approach emphasizes that auditors begin to allocate resourcesto high-risk areas in conducting audits. If risks are not identified and assessed, then the internal auditor is required to work closely with business management to provide information about this (Griffiths, 2005; Kumaat, 2011).
The functions of an internal auditor are distributed across management structure, business objectives, organizational changes, high-risk areas or divisions or departments and management concerns regarding risks and outcomes when assessing risks. Risk assessment must be considered at all levels in the business organizational structure as well as in the activities of subsidiaries. The effectiveness internal audits are highly dependent on the influence of internal monitoring mechanisms such as audit committees, internal audit attributes, and risk management and internal control systems (Abidin, 2017). Mihret and Khan (2013) conceptualize internal audit as a party that provides ex post assurance and consulting services to improve company efficiency and effectiveness.
3. Methodology
This research method uses a systematic literature review (SLR). The systematic literature review (SLR) method focuses on certain issues, organizes relevant literature into a collection of findings in a coherent and comprehensive manner and reconstructs it into new knowledge (de Geus et al., 2020; Massaro et al., 2016). Sources of data come from journals, websites, and books. This research analyzestrends in the distribution of risk-based internal audit monitoring and supervision that are carried out effectively and published in reputable journals. The research was carried out using a three-step approach that has been carried out by previous research (Alhossini et al., 2021; Nerantzidis et al., 2020). We seek and identify, collect, and analyze studies on the characteristics of internal audit and their impact on the effectiveness internal audit. The first stage, designing the formulation of the problem which is the focus of attention in this research. Furthermore, we collect published research esearch method uses a systematic literature review publication articles consisting of:
⦁ Google scholar (http://googlescholar.com),
⦁ Scopus (http://scopus.com),
⦁ Science direct (http://Sciencedirect.com),
⦁ Emerald Insight (http://www.emeraldinsight.com)
The electronic media above is the main electronic machine for searching and identifying published articles, ensuring that all published research results meet publication quality requirements (Nerantzidis et al., 2020). Then we conducted a search in the Scopus, google scholar, science direct and emerald insight database using the keywords “Internal audit”, “Effectiveness of Internal Audit”, "Characteristics of Internal Auditors", “Risk”.
In the second step, we review titles, keywords, abstracts, and exclude irrelevant studies such as proceedings and books. We only take reputable and quality journals (Kubicek & Machek, 2019). In the third stage, we take quoted or cited studies. In the third step, we examine the impact of published articles based on the number of citations on Google Scholar. In the final stage, we perform data extraction by recording: author, year of publication, journal, research location, citation, research approach, research method, data source, theory, review of research themes and variables.
4. Result
In the results and discussion section, the researcher will summarize the results of data tracking by mapping and analyzing research trends on the effectiveness internal audit. Our search results, based on the keywords, obtained preliminary data of 1200 articles published in international journals and Scopus indexed international journals. We are eliminated 558 articles published in international journals. We also eliminated 319 articles as books (non-academic), magazine articles, and publications without bibliographic information. Then, 300 articles such as thesis or dissertations were eliminated from this research data. The final data screening obtained 23 articles for analysis. There are 12 (52%) articles published in international journals indexed Scopus Q1, 8 (35%) articles in Scopus Q2, 1 (4%) article in Scopus Q3, and 2 (9%) articles in Scopus Q4 (Figure 1). Our search results found that there were 23 articles on the effectiveness internal audit that were mostly published in the Managerial Auditing Journal, namely 5 articles, and the International Journal of Auditing, namely 5 articles (Table 1).
Based on journal publishers, the results obtained for the publication of research on the effectiveness internal audits were mostly carried out on Emerald publishers with 7 articles and John Wiley and Sons Ltd with 5 articles (Table 2). We also see an impact on research publications related to the effectiveness of internal audit based on the number of citations, namely 4392 citations starting in 2008 with 4 citations, in 2009 with 15 citations, in 2010 with 17, in 2011 with 34, in 2012 with 55, in 2013 with 77, in 2014 with 122, in 2015 with 192, in 2016 with 245, in 2017 with 232, in 2018 with 384, in 2019 with 343, in 2020 with 421, in 2021 with 524, in 2022 with 612, and in 2023 with 329 citations. The number of citations tends to increase every year, with the highest number of citations in 2022 of 612 citations (Figure 2). The distribution of citations for each journal shows that the managerial auditing journal has the highest number of citations, namely 1736 citations, then the international journal of auditing with 1090 citations and the Australian Accounting Review with 701 citations (Figure 3).
The results of the study also show the type of research, namely 17 studies using a quantitative approach, 3 studies using a qualitative approach and 3 studies using a mixed method. The research methods used include surveys, observations, experiments, phenomenology, interviews, literature studies. The results of the study provide an overview of several theories used such as agency theory (Mihret & Yismaw, 2007; Arena & Azzone, 2009; Soh & Martinov, 2011; Alzeban & Gwilliam, 2014; D'Onza et al., 2015; Lenz et al., 2017; Oussii & Taktak, 2018; Carcelo et al., 2020; Dzikirullah et al., 2020; Ibrani et al., 2020; Garven & Scarlata, 2020). Agency theory can be used in this kind of research because it is able to explain how the supervisory role in reducing agency problems so that it can improve the implementation of risk-based internal audits to be more effective.
Research using Institutional Theory (Elbardan et al., 2016), Institutional Theory explains that to fulfill their needs, humans need to work together with others so it is necessary to control behavior so that an organization can achieve common goals. This theory can be used to explain how good cooperation between internal audit and stakeholders can increase the effectiveness of organizational governance. Well-established cooperation between management, risk management and internal auditors will enable risk-based internal audit activities to run effectively to achieve corporate objectives. Stakeholders’ theory is used in research by (Erasmus & Coetzee, 2018). Resource-based theory is used in research of Alqudah et al. (2019), and clinical governance theory in Van Gelderen et al. (2017).
5. Discussion
The Common Body of Knowledge (CBOK) by the Institute of Internal Auditors (IIA) in 2010, provides 3 indicators for the competence of internal auditors as follows: (1) Knowledge, (2) Behavioral skills and technical skills, (3) Dimensions of general competencies, (4) Communication skills, ability to identify problems and theirsolutions. Indicators of internal audit effectiveness can be categorized based on process, output, and outcome (Arena & Azzone, 2009). The process indicator is to evaluate the auditor's performance such as the ability to prepare audit plans, carry out audit work and communicate audit findings. The output indicator is alignment with the expectations of stakeholders or accommodating the needs of stakeholders. The outcome indicator is the impact of the internal audit process being able to provide added value to the Corporation.
According to Cohen and Sayag (2010), top management support includes providing the support needed by internal audit, a comparison between the number of internal auditors and audit work that has been planned and must be completed, the budget provided for the internal audit department, adequate support for training and development internal audit staff. Management support for internal audit includes responses to audit findings, commitment to strengthening internal audit, and resources for the internal audit department (Alzeban & Gwilliam, 2014; Mihret & Yismau, 2007). When management fully supports the activities carried out by the internal audit unit, it will provide confidence and ease of accessfor the internal audit team in carrying out the monitoring and control process. Management support also facilitates the implementation of recommendations and follow-up of risk-based internal audit results to be immediately responded to within the organization.
The results of research conducted by Mihret and Yismaw (2007) state that the effectiveness of the internal audit function is influenced by: (1) Internal audit quality, namely: staff expertise, scope of service, audit planning, observation and control as well as effective communication; (2) Management support, namely: responses to audit findings and commitment to strengthen internal audit; (3) Organizational arrangements, namely: organizational profile, internal organization, internal audit department policies and procedures and budget; (4) Policies and procedures for auditing, namely: auditee's expertise, auditee's attitude towards internal audit and auditee's cooperation with internal audit. D'Onza et al. (2015) stated that the effectiveness internal audit will be seen from the number of findings that are verified and communicated to management. Audit findings are obtained in accordance with auditing standards and audit procedures used. D`Onza et al. (2015) said that the encouragement of internal audit activities will provide different added values for developed countries and developing countries, the financial industry and or non-financial industries.
Distribution of the effectiveness internal audit from internal audit quality such asinternal audit size (Dzikirullah et al., 2020), or personal auditor attributes such as independence, competence, ethics, and expertise (Yee et al., 2008; Lenz et al., 2017; Alzeban & Gwilliam, 2014). The effectiveness internal audit will improve an organization's internal control and governance practices (Chang et al., 2019; Turetken et al., 2020). Internal auditors must have independence, objectivity, management support, work experience, critical thinking skills, and competency certification (Eulerich et al., 2018; Dzikirullah et al., 2020). A free position, not bound by the interests of any party, and no intervention from any party in carrying out audit duties and responsibilities as well as efforts to maintain the credibility of the internal auditor profession (D'Onza et al., 2015) is an attitude of independence that internal auditors (Dejnaronk et al., 2016). Internal auditors must always act independently so that they are free from interference, whether fear or intervention that could influence their judgment. The availability of reference documents regarding the right to access information on organizational records and assets, the position, function and structure of the internal audit organization, and the scope of internal audit are things that need to be considered in independence. The literature agrees that a lack of independence will affect the effectiveness of internal audit (Alzeban & Gwilliam, 2014; D'Onza et al., 2015; Eulerich et al., 2018).
The Competencies are key and general requirements that must be met to be able to carry out internal audits effectively (Dellai et al., 2016). Literature studies on competency look at competency aspects of internal auditor experience, educational qualifications, percentage of internal auditors who have certification, and the number of training hours required to carry out internal audit tasks (Mihret & Yismaw, 2007; D'Onza et al., 2015; Lenz et al., 2017). The analysis of the literature also obtained responses to the processes and results of the internal audit in the form of audit findings, follow-up on recommendations will increase the effectiveness internal audit (Oussii & Taktak, 2018).
Bantleon et al. (2020) uses a three lines defence model to see the effectiveness of internal audit. The three lines of defence model highlights the need for coordination between the governance function, risk management, internal audit function with external auditors is needed to achieve the effectiveness internal audit. The organization will distribute various efforts to minimize the impact of risks through control, supervision, and monitoring mechanisms. Risk management and risk mitigation are carried out by the risk management division (Badara & Saidin, 2014) which is able to encourage the implementation of internal audits to be more effective.
The effectiveness internal audit implementation is also determined from the use of information technology that supportsinternal audit duties(Elbardan et al., 2016; Garven & Scarlata, 2020; Eulerich et al., 2023). Technological advances have exposed companies to cyber risks, so companies have taken action to create audit systems. A technology-based audit system makes the implementation of the internal audit process more effective (Lois et al., 2020). Leadership is also a concern in risk-based internal audit activities (Erasmus & Coetzee, 2018; Martino et al., 2019). An internal auditor must have leadership skills including personal skills, managerialskills, and educational abilities. Leadership will strengthen the attitude of internal auditors in disclosing and reporting audit findings so that internal audits can run effectively.
6. Conclusion and Implications
This study used the systematic literature review (SLR) method. Researchers analyzed research trends on the effectiveness internal audits over a period of 16 years. Researchers conducted an analysis of 23 articles published in Scopus indexed journals. Literature studies that have been carried out show that the effectiveness of internal audit can reduce the negative impact of risk through the distribution of supervision throughout the company. The effectiveness internal audit will improve corporate governance and provide added value to the organization.
In terms of research methods, the effectiveness internal audit tends to use survey methods with research instruments in the form of questionnaires and very few uses experimental methods. Then in terms of the type of research conducted, it tends to use quantitative and qualitative approaches, while the use of a mix method is rarely used. Carrying out internal audits spread across each division or department will reduce the negative effects of business risks. The results of observations and analysis carried out by researchers found that effective implementation of internal audits is influenced by management support, internal auditor attributes such as independence and competence. Risk management, and leadership of the head of internal audit are factors that are still rarely researched. This research is only based on the publication of empirical study results and limits certain types of publications.