The current issue and full text archive of this journal is available at

www.emeraldinsight.com/0268-6902.htm

Risk-based
Factors associated with internal auditing
the adoption of risk-based
internal auditing
79
Nuno Castanheira
Montepio, Lavra, Portugal Received 31 October 2008
Lúcia Lima Rodrigues Revised 9 May 2009
Accepted 5 July 2009
School of Economics and Management, University of Minho,
Braga Codex, Portugal, and
Russell Craig
Department of Accounting and Information Systems,
College of Business and Economics, University of Canterbury,
Christchurch, New Zealand

Abstract
Purpose – The purpose of this paper is to analyse company-specific factors associated with adoption of
risk-based auditing. It seeks to explore the role of internal auditing in enterprise risk management (ERM).
Design/methodology/approach – Findings are drawn from a questionnaire survey, sent in 2006,
to all 96 chief internal auditors who were members of the Institute of Portuguese Internal Auditors.
Findings – In planning an annual schedule of audits, the adoption of a risk-based approach is
statistically significant in international firms ( p # 0.05) and companies listed on the Portuguese stock
market ( p # 0.10). There is a strong (but not significant) association between risk-based annual audit
planning and entities which are private, in the finance sector, and large. In planning each audit
engagement, adoption of a risk-based approach is correlated positively with entity size. Internal
auditing is more proactive in the implementation of ERM in smaller organisations, and is more
important in the finance industry and the private sector.
Practical implications – A better understanding emerges of factors associated with the adoption of
risk-based auditing, together with an enhanced appreciation of the role of internal auditing in ERM.
Originality/value – The paper reveals the specific characteristics of companies that are associated
with the adoption of risk-based approaches in the internal audit process. It is the first paper published
about risk-based internal auditing in Portugal.
Keywords Internal auditing, Risk management, Portugal
Paper type Research paper

Introduction
The origins of internal auditing were in ancient times (Chun, 1997). However, it was not
until the 1940s that the practice of internal auditing began to assume an important role
in organizational strategy and management ( Jin’e and Dunjia, 1997; Dittenhofer, 2001).
The professionalization of internal auditing has continued steadily since then. Managerial Auditing Journal
Vol. 25 No. 1, 2010
Chapters of the Institute of Internal Auditors (IIA) (the internal audit profession’s pp. 79-98
recognized authority and principal educator) have been established around the world, q Emerald Group Publishing Limited
0268-6902
including in Portugal. The Instituto Português de Auditores Internos (IPAI) DOI 10.1108/02686901011007315
MAJ (the Institute of Portuguese Internal Auditors) was accredited as Chapter 253 of the IIA
25,1 in 1992. The standards provided by IIA are the only formal guidance for the internal
auditing profession in Portugal. The establishment of the IPAI was prompted by hope
that it would help develop best practice techniques in internal auditing in Portugal,
facilitate the training of Portuguese internal auditors, and promote dialogue with
internal auditors in other countries.
80 For many years, internal auditing in Portugal was confined to assisting
organizations safeguard assets and check established control procedures. The main
focus was on monitoring and control. Internal auditors were tolerated, but were not
deemed essential in organizational control (Spira and Page, 2003). However, the
emergence of new business risks has compelled many organizations to reformulate
strategies and to elevate the status of internal auditing (Szpirglas, 2006). Thus,
risk-based internal auditing has emerged as an important contributor to effective risk
management (Allot, 1996). This has accorded internal auditors a more influential role
in organizations (Krogstad et al., 1999), including in Portugal.
We analyse company-specific factors associated with the adoption of risk-based
auditing in Portugal and explore the role of internal auditing in enterprise risk
management (ERM) in that country. After outlining previous relevant literature on
internal auditing, risk assessment and ERM, we develop research hypotheses, outline
key variables, report results, engage in discussion, and make some concluding
remarks.

Literature review
The focus of internal audit work has shifted over the last decade from systems-based
auditing to process-based auditing to risk-based auditing (IIA – UK and Ireland, 2003).
Internal auditors have responded strongly to management concerns about business
risks (Selim and McNamee, 1999, p. 159). The work of internal auditors has shifted
from being control-driven to being business risk-driven. Lindow and Race (2002) noted
that internal auditors should play a key role in monitoring a company’s risk profile.

Risk-based internal auditing

Risk-based internal auditing focuses on strategic analysis and business process
evaluation (Lorenzo, 2001; Gronli and Xystros, 1999; Campbell et al., 2006); and on
assessing the goals, risks and controls that must coalesce for an organization’s success
(Rivenbark, 2000). By identifying, assessing, and monitoring a company’s risk, internal
auditing helps assure that resources are adequate and focused on priorities (Kunkel,
2004). Generally, risk-based auditing assesses areas of heightened risk (Griffiths, 2006),
and, importantly, conducts continuous risk assessments (O’Regan, 2002; Maynard,
1999; Marks, 2001). The knowledge gained from a comprehensive annual risk
assessment, as well as from risk assessments undertaken at the outset of every internal
audit engagement, should be shared with management and the board (Jackson, 2005).
Allegrini and D’Onza (2003) reported that 25 percent of the top 100 companies listed
on the Italian Stock Exchange performed traditional compliance activities and
generally followed an audit cycle approach in the annual audit planning process.
In 67 percent of their responding companies, internal auditors adopted the model
proposed by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO, 2004) and mainly applied operational auditing and the risk-based approach at
the macro level (annual audit planning). In a few large companies (8 percent), auditors Risk-based
applied risk-based approaches both at the macro level and the micro level (individual internal auditing
audit assignments).
In January 2005, a study of the development of internal auditing practices in Ireland
by the IIA – UK and Ireland (2005) and KPMG Ireland, concluded that 89 percent of
heads of internal audit use a risk-based method when preparing annual internal audit
plans; 93 percent use a risk-based method in their internal audit assignments; 81
81 percent liaise with divisional or business heads when compiling their internal
auditing plans; 72 percent perform their work in accordance with international
standards; and 32 percent are responsible for compliance or risk management.
The study concluded that while a large proportion of organisations adopt best practice
approaches, there is scope for improvement.

ERM and the role of internal auditing in its implementation

ERM is a dynamic, integrated risk management approach that firms use to minimize
their level of risk (Busman and Zuiden, 1998). ERM is:
[. . .] a structured, consistent and continuous process across the whole organization for
identifying, assessing, deciding on responses to, and reporting internally on, opportunities
and threats that affect the achievement of its objectives (Matyjewicz and D’Arcangelo, 2004,
p. 7).
ERM looks holistically at all the risks an organization faces, and considers how those
risks affect the accomplishment of goals. ERM is a tool which seeks to better handle
risks and to achieve the greatest gains at the lowest cost (Chapman, 2001).
Once deployed, ERM permits companies to assess risk continually, and to identify
the steps and resources needed to overcome or mitigate risk (Funston, 2003). Many
companies have understood the need to implement an ERM process and to introduce a
strong risk management culture to improve the effectiveness of risk management.
An Ernst and Young study in 2001, reported by Verschoor (2002), concluded that only
16 percent of 50 surveyed organizations had real pervasive risk management
processes. In a survey of 200 risk management executives, Banham (2004) reported
that 41 percent were implementing some form of ERM and that 84 percent believed
that ERM could help lower a company’s cost of capital. Beasley et al. (2005, pp. 521-2)
found that implementation of ERM was related positively with the presence of a chief
risk officer (CRO), board independence, apparent support of the CEO and CFO for
ERM, presence of a Big Four auditor, entity size, and entity membership in the
banking, education, or insurance industries.
Fuente and Vega (2003) argued that risk management in non-finance companies is
characterized by the absence of techniques that allow inherent risks to be managed.
In contrast, risk management in finance companies has developed strongly over recent
years, mainly because existing regulation encourages banks to strengthen control and
risk management systems (Alzuela, 2003). With the benefit of hindsight, given the
implosion of major financial institutions throughout the world in 2008, those risk
management systems appear to have been inadequate.
Standards and Practice Advisories provided by the IIA encourage the involvement
of internal audit in ERM, such as Practice Advisory 2100-3: Internal Auditing’s Role in
the Risk Management Process and Practice Advisory 2100-4: Internal Auditing’s Role
in Organizations without a Risk Management Process. The latter, issued in March 2001,
MAJ provides internal auditors with guidance in determining their role in entities that do
25,1 not have an established risk management process (IIA, 2001). The practice advisory
points out that although risk management is a key responsibility of management,
internal auditors can assist the organization in identifying, evaluating, and
implementing risk management and controls to address those risks. Such a
proactive role in assisting with the initial establishment of a risk management process
82 supplements traditional assurance activities. The IIA Position Paper titled The Role of
Internal Auditing in Entreprise-wide Risk Management (IIA, 2009) also argues that
internal audit activity is well qualified to promote the implementation the ERM,
especially in the early stages of its introduction.
As a consequence, the role of internal auditors is developing and being extended.
There is an evolving proactive role for internal auditors in assisting organizations with
the initial establishment of ERM. In Australia, companies such as Southcorp and
Qantas have encouraged internal auditors to assess whether risk management
frameworks are operating effectively (Bou-Raad, 2000). An expanding interest in ERM
has been revealed too in a survey by Merkley and Miccolis (2002). Their 130
respondents, from a broad spectrum of Canadian industries, indicated that ERM was
usually led by staff in the internal auditing area; that 49 percent of respondents had
implemented (or were implementing) ERM; that 89 percent had applied risk-based
internal auditing in individual audits; and that 32 percent involved internal auditing in
ERM. In five major organizations which have implemented ERM programs
successfully (FirstEnergy, General Motors, WalMart, Unocal and Canada Post),
internal auditors had a varied and beneficial role in each (Walker et al., 2003).
A study of 11 big North-American companies concluded that most internal audit
directors use sophisticated risk models to identify potential problem areas (Nagy and
Cenker, 2002). In a comparison of internal auditing practices between Belgium and the
USA, Sarens and de Beelde (2006) found that the role of internal auditors in risk
management is time-specific, and changes quickly. In Belgium, internal auditors have
pioneered an awareness of a higher level of risk and have developed more formalized
risk management systems. In the USA, objective opinions of internal auditors provide
valuable input for the internal control review and disclosure requirements of the
Sarbanes-Oxley Act 2002.
In 2005, a IIA Research Foundation study examined the extent to which internal
audit functions adhere to the ERM roles recommended in the IIA paper, The Role of
Internal Auditing in Enterprise-wide Risk Management (Gramling and Myers, 2006,
p. 54). Approximately, 90 percent of the 361 responses were from the USA and Canada.
The internal audit function was primarily responsible for ERM-related activities in
36 percent of the respondents’ organizations. In 27 percent, the primary responsibility
belonged to a CRO who was not part of the internal audit function. On average,
financial industry audit departments were found to have greater responsibility for core
activities than manufacturing industry audit departments.

Research method and hypotheses

We identify specific characteristics associated with the adoption of risk-based auditing
by Portuguese entities. A mailed questionnaire survey (available on request from the
first author) was addressed to chief internal auditors in Portugal. All addressees were
members of the IPAI. They were thought likely to understand the importance of
risk-based internal auditing and to have access to updated information on risk-based Risk-based
auditing. Closed questions were used to avoid ambiguous interpretation, to make internal auditing
answer coding easier, and to facilitate statistical analysis. Of the 96 questionnaires
mailed, 59 usable responses (61 percent) were received. x 2-tests confirmed that the
sample was representative of the population in terms of listing status, industry sector
(finance or non-finance) and company type (public or private). However, confirmation
of representativeness was not possible for size and internationalization because of the 83
lack of reliable data.
We identify likely reasons why internal auditors prefer risk-based approaches over
procedures-driven approaches (Colbert and Alderman, 1995) and possible reasons for
the involvement of internal auditing in ERM.

Size
Risk-based internal auditing contributes to effective risk management (McNamee and
Selim, 1998). In a study of the voluntary use of internal audit in Australian companies,
Goodwin-Stewart and Kent (2006) concluded that internal auditing was associated
strongly with company size and the effort applied to risk management:
H1. There is a positive association between risk-based approaches for planning
the annual schedule of audits (macro level) and the size of an organization.
H2. There is a positive association between risk-based approaches for planning
each individual audit engagement (micro level) and the size of an
organization.
We also explore whether internal auditors adopt a proactive, consulting role in
assisting with the initial establishment of a risk management process. Additionally we
study if this consulting role is associated with the size of an organization; and whether
risk-based approaches supplement activities traditionally provided by internal
auditors (Goodwin-Stewart and Kent, 2006; Jackson, 2005; IIA, 2004). The IIA in the
International Professional Practices Framework, through the Practice Advisory
2100-4: Internal Auditing’s Role in Organizations without a Risk Management Process,
states that:
If requested, internal auditors can play a proactive role in assisting with the initial
establishment of a risk management process for the organization. A more proactive role
supplements traditional assurance activities with a consultative approach to improving
fundamental processes.
Because a large organization can better integrate ERM into its broader governance
processes, this suggests that internal auditing does not need to be part of such an
integration process. However, smaller organizations do not have as many resources,
and an internal auditor seems likely to take a more active role in ERM ( Jackson, 2005;
Gramling and Myers, 2006):
H3. There is a negative association between the proactive role of internal auditing
in the implementation of ERM and the size of an organization.
H4. The involvement of internal auditing in ERM is related positively with the
size of an entity.
MAJ Industry
25,1 Industry membership seems likely to affect the type of approach used to develop
internal auditing. Zárate (2001) argues that the finance industry is more mature in
terms of business risk management, and that firms in this industry have a higher
propensity to apply risk-based approaches in developing internal auditing, possibly
because they are also required to comply with the Basel II Accord requirements:
84 H5. The number of firms applying risk-based approaches for planning the annual
schedule of audits is greater in the finance industry than in non-finance industries.
H6. The number of firms applying risk-based approaches for planning each individual
audit engagement is greater for firms in the finance industry than for firms not in
the finance industry.
We also test whether a proactive role by internal auditors in the implementation of
ERM is related to industry sector. Since no previous literature exists on this matter, we
contend that the fulfillment of a proactive role by an internal auditor is likely to be
independent of a firm’s industry membership (null hypothesis). This approach is
considered consistently in hypotheses H7, H11, H15 and H19:
H7. There is no association between a proactive role of internal auditing in the
implementation of ERM and industry membership.
Because the finance sector usually has a higher exposure to risk than other sectors, and
because financial institutions have to comply with the Basel II Accord, there is a
greater possibility that firms in that sector will implement ERM (IIA – UK and Ireland,
2003). Consistent with the findings of Gramling and Myers (2006) that finance industry
audit departments have greater responsibility for core activities than manufacturing
industry audit departments, there seems likely to be a greater internal auditing
involvement in ERM in the finance industry:
H8. The involvement of internal auditing in ERM is related positively to
membership of the finance industry.

Private sector or public sector

Private sector firms seem more likely to be affected by the internationalization of
business activity, high levels of competition and the scarcity of resources, than public
sector firms. This suggests that risk management will be more effective in
privately-held organizations than in publicly held organizations. Goodwin (2004) found
a weak significant difference between the public and private sectors with regard to
financial risk management. A total of 50 percent of private sector internal audit
functions were involved with this type of risk management, compared to 33 percent of
public sector internal audit functions ( p ¼ 0.068). Thus, we assume privately-held
organizations are more likely to apply risk-based approaches in developing internal
auditing than publicly held organizations:
H9. There is a positive association between risk-based approaches for planning
the annual schedule of audits and whether the organization is privately held.
H10. There is a positive association between risk-based approaches for planning each
individual audit engagement and whether the organization is privately held.
We also hypothesize that a proactive role by internal auditing is independent of Risk-based
whether the organization is private or public: internal auditing
H11. There is no association between a proactive role of internal auditing in the
implementation of ERM and whether the organization is privately held or
publicly held.
Goodwin (2004) did not find any other statistically significant differences between the 85
two sectors. As a consequence, we hypothesize that it is unlikely that internal auditing
was involved in ERM:
H12. Internal auditing involvement in ERM is not related to whether an
organization is located in the public sector or in the private sector.

Internationalization
We explore contention that firms belonging to international groups have a greater
exposure to risk; and that they are more likely to implement methods which contribute
to effective risk management (such as risk-based auditing) (McNamee and Selim, 1998):
H13. There is a positive association between risk-based approaches for planning
the annual schedule of audits and internationalization of a firm.
H14. There is a positive association between risk-based approaches for planning
each individual audit engagement and internationalization of a firm.
Similarly, we explore whether a proactive role by internal auditors in the
implementation of ERM is related to the internationalization of a firm:
H15. There is no association between the proactive role of internal auditing in the
implementation of ERM and internationalization of a firm.
We contend that firms belonging to international groups have a greater exposure to
risk diversity and stronger incentives to manage risk maturity. Thus, the possibility
that they implement ERM is stronger – as is the possibility of internal auditing being
involved in ERM:
H16. The involvement of internal auditing in ERM is related positively with the
internationalization of a firm.

Listed companies
Listed companies usually have mature risk management as a consequence of close
scrutiny by stock exchange regulators. In Portugal, listed companies are subject to
stringent regulations issued by the Portuguese Stock Exchange regulator – Comissão
do Mercado de Valores Mobiliários. Therefore, we believe that they are more likely to
implement risk-based approaches in the development of internal auditing:
H17. There is a positive association between risk-based approaches for planning
the annual schedule of audits and listing on the Portuguese Stock Exchange.
H18. There is a positive association between risk-based approaches for planning
each individual audit engagement and listing on the Portuguese Stock
Exchange.
MAJ Similarly, we explore whether a proactive role by internal auditors in the
25,1 implementation of ERM is related to listing on the Portuguese Stock Exchange:
H19. There is no association between the proactive role of internal auditing in the
implementation of ERM and listing on the Portuguese Stock Exchange.
Because of agency problems and closer scrutiny by market regulators, we contend that
86 listed companies have better risk management and will be more likely to implement
ERM:
H20. The involvement of internal auditing in ERM is related positively with listing
on the Portuguese Stock Exchange.

Variables
To measure company size, we selected “turnover”, “total assets” and “average number
of employees.” Factor analysis revealed that total assets were not related with turnover
or with the average number of employees. We used logarithms of the original variables
because there was a strong correlation between the three original variables (see Table I;
p ¼ 0.000). Consequently, we used Principal Components Analysis (PCA) to compose a
measure that reflected several dimensions of company size. The Kaiser-Myer-Olkin
measure of sampling adequacy (0.655) and Bartlett’s test of sphericity
(significance ¼ 0.000) confirmed the use of PCA. The three original variables are
summarized by PCA into an index which reflects company size. The index computed
explained 75 percent of the total variance.
Using the values of the PCA size variable, entities were classified into three groups
of approximately equal number: small (n ¼ 17), intermediate (n ¼ 18), and big
(n ¼ 17). Seven entities were not categorized because they did not identify any of the
three size variables. Therefore, of the 59 respondents, only 52 were considered in tests
of the first four hypotheses. Two industry sectors were considered: finance (32 percent
of respondents) and non-finance (68 percent). Approximately, one-third of respondents
were employed in publicly held organizations and two thirds were in privately held
organizations. About 63 percent of respondents represented firms belonging to an
international group. Approximately, 24 percent were companies listed on the
Portuguese stock exchange.

Average number of workers Turnover Total assets

Average number of workers 1

Significance
Turnover 0.588 * 1
Significance 0.000
Total assets 0.490 * 0.774 * 1
Table I. Significance 0.000 0.000
Pearson’s correlation
matrix Note: *Significant correlation at: p , 0.001
Results: descriptive analysis Risk-based
Planning annual internal audits internal auditing
The auditing universe (or domain of responsibility) for 56 percent of respondents was
composed of at least 20 separate auditable organizational sub-units. Only 12 percent
had an audit universe of between 100 and 500 units. For about 40 percent of entities,
the extent of the auditing universe is determined by an autonomous and independent
strategy developed by the internal audit planning process. About half of the 87
respondents relied on strategic planning processes to improve the efficiency of
risk-based approaches in internal audit planning. A total of 46 percent of entities
completed a review of their auditing universe during the course of one year, consistent
with the recommendations of the IIA (2004). Only about 20 percent reviewed their
auditing universe over more than two years (Table II).
In 63 percent of entities, a risk-based approach was used for planning annual
audits; 12 percent relied on a cyclic approach (consistent with Allegrini and D’Onza,
2003; and IIA – UK and Ireland, 2005); and 19 percent used a combined cyclic

Frequency Percentage

How many auditable units does the audit universe have?

#20 33 56
.20 and #50 9 15
.50 and #100 9 15
.100 and #500 7 12
Not answered 1 2
The audit universe is determined
From strategic plans of the organization 29 49
By the chief auditor independently of the organization’s strategy 23 39
Other 5 9
Not answered 2 3
How often is the audit universe reviewed?
#1 year 27 46
.1 year and # 2 years 17 29
.2 years and # 3 years 7 12
.3 years 5 8
Not answered 3 5
Planning annual schedules of audits uses a
Risk-based approach 37 63
Cycle-based approach 7 12
Mixed approach 11 19
Not answered 4 6
Three major risk factors taken into account in risk-based auditing are
Adequacy of internal controls 39 83
Monetary materiality 38 80
Complexity of operations 23 50
Last audit date 14 30
Degree of modification or stability 11 23
Asset liquidity 6 13 Table II.
Human resource capacity 3 6 Planning annual
Other 7 15 internal audits
MAJ and risk-based approach. In our testing of hypotheses, the latter companies are
25,1 considered in the group that uses risk-based approaches.
In their planning, about 80 percent of respondents considered monetary materiality
and the quality of internal controls, and about 50 percent considered the complexity of
operations. Other audit planning considerations included the date of the last audit
(30 percent), the degree of stability (23 percent), active liquidity (13 percent), and the
88 quality of human resources (6 percent). Some other risk factors mentioned included
performance indicators, image and reputation, and requirements of regulatory
authorities.
In regard to the audit resources devoted to an operational audit, compliance audit,
financial audit and other audit-related activities, it was found that operational audit
generally requires most resourcing (37 percent of audit resources), with compliance
audit second (16 percent) (Table III). The amount of audit resources devoted to risk
assessment (14 percent) reveals the relative relevance of this kind of activity. Internal
audit departments allocate a small amount of resources to review the reliability of
public financial statements (, 10 percent). Financial audit seems to be considered the
sole responsibility for external auditors in Big 4 firms.

Planning individual audit engagements

The most important audit objective was to assess the adequacy and effectiveness of the
internal control system (58 percent). For only 3 percent was the audit objective to
evaluate how business risks were managed. Nevertheless, about 37 percent of entities
stated that their audit objective was mixed. This indicated concurrent assessment by
management of the business risks and the effectiveness of internal control systems.
In our hypotheses testing these 22 companies are considered in the group that uses
risk-based approaches (Table IV).
Audit programs were used to test control activities in about 46 percent of entities.
In 3 percent of entities, audit programs tested business risk management activities; and
in 48 percent the audit program was designed to simultaneously test business risk
management activities.
Of respondents, 49 percent reported the findings and recommendations of their
internal auditing in terms of internal control; 8 percent did so in terms of risk
management; and 41 percent did so in terms of internal control and risk management.
In our hypothesis testing these 24 entities are included in the group that reports in
terms of risk management.

Mı́nimum Máximum Mean Standard deviation

Annual internal audit planning is devoted to:

Operational audit 0 80 37.46 21.592
Compliance audit 0 60 15. 87 12.474
Risk assessment 0 100 13.98 16.969
IT audit 0 70 12.56 13.180
Financial audit for public financial statements 0 50 9.29 12.741
Table III. Special projects 0 35 5.4 6.935
Planning annual Fraud investigation 0 25 3.92 5.705
internal audits Other 0 41 1.52 6.223
 Risk-based
Frequency Percentage
internal auditing
Audit objective of each auditing action is
To assess the way management deals with risk in the work unit 2 3
To assess the adequacy and effectiveness of the internal control system 34 58
Mixed 22 37
Not answered 1 2 89
Auditing program is designed to test
Control activities 27 46
Risk management activities 2 3
Mixed 28 48
Not answered 2 3
Auditing is reported to management in terms of
Internal control 29 49
Risk management 5 8
Mixed 24 41
Not answered 1 2
Risk categories used in the auditing report
No risk categories 28 48
Between 1 and 5 risk categories 18 31
Between 6 and 10 risk categories 10 17
More than 10 risk categories 2 3
Not answered 1 1
Each audit engagement is prepared using
Risk-based approach 2 3
Control-based approach 36 61 Table IV.
Mixed approach 14 24 Planning individual
Not valid 7 12 audit engagements

Of respondents, 48 percent did not use any risk categories in the audit report, 31 percent
used between one and five, 17 percent used between six and ten, and 3 percent used
more than ten. However, only two groups are considered in the subsequent
hypothesis – those which use risk categories and those which do not.
For an entity to be regarded as using a risk-based approach in planning each
individual audit engagement, the whole audit process should be based on three risk
management concepts: the audit objective is to assess how management deals with risk
in the auditable unit; the audit is designed to test risk management techniques; and the
audit is reported to management in terms of risk management principles (McNamee,
1997). A total of 61 percent of entities used a control-based approach in the individual
audit process, but only 3 percent (in the finance sector) adopted a risk-based approach.
However, about 24 percent used mixed approaches in the development of individual
audit processes.

The role of internal auditing in risk management

A quarter of respondents said that they had already implemented ERM – and another
quarter were in the process of doing so. About 44 percent of respondents had not
implemented ERM (Table V).
To test hypotheses H3, H7, H11, H15 and H19, we combined the entities that
had implemented formal risk management processes with those for which the
implementation process was occurring.
MAJ
Frequency Percentage
25,1
ERM implementation?
Yes 15 25
Implementation process is occurring 15 25
No 26 44
90 Not answered 3 6
If ERM is implemented, what is the role played by internal auditing in the implementation?
A proactive role, supporting the initial establishment of ERM 9 60
Other 5 33
Not answered 1 7
Role of internal auditing in ERM?
When there is no ERM, it brings this to management’s attention along with
suggestions for establishing such a process 17 35
Assumes a dynamic role, supporting the initial establishment of ERM 9 19
Audits ERM as part of the audit program 15 31
A dynamic and continuous involvement in ERM 6 13
It manages and coordinates ERM 4 8
No intervention 11 23
Risk management department?
Yes 25 42
No 34 58
How frequently does the person responsible for the audit department work with the person responsible
for the risk management department?
The person responsible for the audit area is also the person responsible for
the risk area 5 20
Never 2 8
Table V. Not frequently 6 24
The role of internal Regularly 9 36
auditing in risk Often 2 8
management Very often 1 4

In nine entities with ERM, internal auditing was proactive and supported the
implementation of ERM; and in five others, internal auditing assumed another role,
such as monitoring and providing advice on the implementation of risk management
processes. Respondents indicated that internal audit promotes the establishment of
ERM (35 percent); dynamically supports the initial establishment of ERM (19 percent);
audits ERM as part of the audit program (31 percent); and has a dynamic and
continuous involvement in ERM (13 percent). A total of 23 percent said internal audit
had no involvement in ERM; and 42 percent indicated that their entity had a risk
management department. A total of 65 percent of finance companies have a risk
department. About a third of the managers in charge of such departments regularly
interact with the audit department. In five entities, the manager in charge of the risk
management department was also the manager in charge of the audit department.

Results: research hypotheses

The small sample size and the dichotomous nature of the variables rendered
multivariate analysis infeasible. Research hypotheses were analyzed using the x 2-test.
Since we were dealing with dichotomous and ordinal variables, the F-coefficient was
used to determine the degree of association.
Size Risk-based
H1 is not supported. However, Table VI shows that the larger the size of entities, the internal auditing
more likely they are to apply risk-based approaches in annual audit planning (75, 89,
100 percent, respectively). All large entities adopt risk-based auditing.
For the risk-based approach at the micro level, the audit objective in large
companies is to assess the way business risk is managed ( p ¼ 0.008). Although not
statistically significant, large entities are more likely to test risk management activity 91
(75 percent), report findings and recommendations on risk management (69 percent),
and use risk categories in their reports (75 percent). The dynamic role of internal
auditors in the implementation of ERM is apparent from their general support for the
implementation of ERM in the internal auditing of small organizations. There is a
negative (but not significant) correlation between the size of entities and the proactive
role of internal auditing in the implementation of ERM, consistent with Espersen (cited
by Jackson, 2005), the suggestion of the Basel Committee on Banking Supervision
(2003) and Gramling and Myers (2006). Medium size entities are most involved in ERM,
inconsistent with H4.

Industry
Irrespective of industry, firms make extensive use of risk-based approaches for
planning their annual schedule of audits (Table VII). However, in the finance industry,
firms generally adopt risk-based approaches (94 percent).
In terms of micro level auditing, it is not evident that firms in the finance industry
differ from those in non-finance industries. However, in 68 percent of finance
companies ( p ¼ 0.093) auditing is reported to management in risk management terms.

Size
Small Medium Large Total

H1 Application of risk-based auditing in Yes Frequency 12 (75) 16 (89) 15 (100) 43 (88)

annual planninga No Frequency 4 (25) 2 (11) 0 (0) 6 (12)
H2 Audit objective: to assess the way Yes Frequency 5 (29) 5 (28) 12 (75) 22 (43)
business risks are managedb No Frequency 12 (71) 13 (72) 4 (25) 29 (57)
The audit program is designed to test risk Yes Frequency 8 (47) 8 (44) 12 (75) 28 (55)
management activityc No Frequency 9 (53) 10 (56) 4 (25) 23 (45)
Auditing reports to management in risk Yes Frequency 6 (35) 8 (44) 11 (69) 25 (49)
management termsd No Frequency 11 (65) 10 (56) 5 (31) 26 (51)
Use of risk categories in the audit reporte Yes Frequency 7 (41) 8 (44) 12 (75) 27 (53)
No Frequency 10 (59) 10 (56) 4 (25) 24 (47)
H3 Dynamic role supporting the Yes Frequency 5 (83) 7 (54) 5 (56) 17 (61)
implementation of risk managementf No Frequency 1 (17) 6 (46) 4 (44) 11 (39)
H4 Involvement of internal auditing in the Yes Frequency 4 (24) 10 (56) 5 (29) 19 (36)
formal risk management processg No Frequency 13 (76) 8 (44) 12 (71) 33 (64)
Notes: aThe x 2-test was not performed since all large companies following a risk-based approach
engaged in annual audit planning; bx 2 ¼ 9.66; prob. ¼ 0.008; df ¼ 2; F ¼ 0.435; cx 2 ¼ 3.83;
prob. ¼ 0.148; df ¼ 2; F ¼ 0.274; dx 2 ¼ 3.93; prob. ¼ 0.141; df ¼ 2; F ¼ 0.277; ex 2 ¼ 4.59;
prob. ¼ 0.101; df ¼ 2; F ¼ 0.300;fx 2 ¼ 1.644; prob. ¼ 0.439; df ¼ 2; F ¼ 0.242;gx 2 ¼ 4.420; Table VI.
prob. ¼ 0.110; df ¼ 2; F ¼ 0.292; the parentheses values are in percentage Tests of size hypotheses
MAJ
Industry
25,1 Finance Non-finance Total

H5 Application of risk-based auditing in annual Yes Frequency 17 (94) 31 (84) 48 (87)

planninga No Frequency 1 (6) 6 (16) 7 (13)
H6 Audit objective: assess the way business risksYes Frequency 7 (37) 17 (44) 24 (41)
92 are managedb No Frequency 12 (63) 22 (56) 34 (59)
Audit program is designed to test risk Yes Frequency 11 (61) 19 (49) 30 (53)
management activityc No Frequency 7 (39) 20 (51) 27 (47)
Audit reports to management in risk Yes Frequency 13 (68) 16 (41) 29 (50)
management termsd No Frequency 6 (32) 23 (59) 29 (50)
Use risk categories in the audit reporte Yes Frequency 13 (68) 17 (44) 30 (52)
No Frequency 6 (32) 22 (56) 28 (48)
H7 Dynamic support of the implementation of Yes Frequency 6 (46) 12 (71) 18 (60)
risk management processesf No Frequency 7 (54) 5 (29) 12 (40)
H8 Internal audit involvement in the formal risk Yes Frequency 9 (47) 11 (28) 20 (34)
management processg No Frequency 10 (53) 29 (73) 39 (66)
Notes: ax 2 ¼ 0.465; prob. ¼ 0.495; df ¼ 1; F ¼ 0.150; bx 2 ¼ 0.042; prob. ¼ 0.837; df ¼ 1;
Table VII. F ¼ 2 0.064; cx 2 ¼ 0.343; prob. ¼ 0.558; df ¼ 1; F ¼ 0.115; dx 2 ¼ 2.818; prob. ¼ 0.093; df ¼ 1;
Tests of industry F ¼ 0.257; ex 2 ¼ 2.239; prob. ¼ 0.135; df ¼ 1; F ¼ 0.233; fx 2 ¼ 1.833; prob. ¼ 0.176; df ¼ 1;
hypotheses F ¼ 2 0.247;gx 2 ¼ 2.269; prob. ¼ 0.132; df ¼ 1; F ¼ 0.196; the parentheses values are in percentage

There is a slightly increased (but not statistically significant) tendency for the internal
audit process of non-finance industry companies to have a dynamic role in the
implementation of a risk management process. Almost half of the firms in the finance
industry had internal audit involvement in risk management. This was approximately
double that of non-finance firms, consistent with Gramling and Myers (2006). The
difference was not statistically significant.

Private/public sector
Although H9 is not supported, Table VIII shows that the private sector had a greater
proportion of entities adopting a risk-based approach at the macro level.
At the micro level, private sector firms evaluated the way business risks are managed
more deeply. They were more disposed to test risk management activities, report the
findings and recommendations in terms of risk management, and use risk categories when
reporting audit results. But these relationships were not statistically significant.
The proactive role of internal auditing in the implementation of ERM in public
sector entities was 67 percent, whereas in private sector entities, it was 59 percent.
Table VIII shows that internal audit of the majority of public sector entities does not
have any kind of involvement in ERM.

Internationalization
Most internationalized entities used risk-based approaches for planning their annual
schedule of audits (Table IX). The x 2-test is significant ( p ¼ 0.019), with a F
association of 0.374. H13 is accepted.
When considering the risk-based approach at the micro level, entities differ in how
they use risk categories in their internal auditing report: more internationalized entities
used risk categories ( p ¼ 0.008). On the other hand, although not statistically
 Risk-based
Private/public
sector internal auditing
Public Private Total

H9 Application of risk-based auditing in annual Yes Frequency 13 (81) 34 (92) 47 (89)

planninga No Frequency 3 (19) 3 (8) 6 (11)
H10 Audit objective is to assess the way business risksYes Frequency 6 (35) 18 (46) 24 (43) 93
are managedb No Frequency 11 (65) 21 (54) 32 (57)
Audit program is designed to test risk management Yes Frequency 7 (41) 23 (60) 30 (54)
activityc No Frequency 10 (59) 15 (40) 25 (46)
Audit reports to management in risk management Yes Frequency 8 (47) 20 (51) 28 (50)
termsd No Frequency 9 (53) 19 (49) 28 (50)
Use of risk categories in the audit resultse Yes Frequency 6 (35) 23 (59) 29 (52)
No Frequency 11 (65) 16 (41) 27 (48)
H11 Dynamic role supporting the implementation of risk Yes Frequency 2 (67) 16 (59) 18 (60)
f
management No Frequency 1 (33) 11 (41) 12 (40)
H12 Internal audit involvement in the formal risk Yes Frequency 3 (18) 17 (43) 20 (35)
management processg No Frequency 14 (82) 23 (57) 37 (65)
Notes: ax 2 ¼ 0.42; prob. ¼ 0.515; df ¼ 1; F ¼ 2 0.154; bx 2 ¼ 0.21; prob. ¼ 0.644; df ¼ 1;
F ¼ 2 0.101; cx 2 ¼ 1.08; prob. ¼ 0.299; df ¼ 1; F ¼ 2 0.180; dx 2 ¼ 0.00; prob. ¼ 1.00; df ¼ 1; Table VIII.
F ¼ 2 0.039; ex 2 ¼ 1.80; prob. ¼ 0.180; df ¼ 1; F ¼ 2 0.218; fx 2 ¼ 0.062; prob. ¼ 0.804; df ¼ 1; Tests of private sector or
F ¼ 0.045; gx 2 ¼ 3.235; prob. ¼ 0.072; df ¼ 1; F ¼ 2 0.238; the parentheses values are in percentage public sector hypotheses

Internationalization Yes No Total

H13 Application of risk-based auditing in annual Yes Frequency 33 (97) 15 (71) 48 (87)
planninga No Frequency 1 (3) 6 (29) 7 (13)
H14 Audit objective is to assess the way business risksYes Frequency 18 (50) 6 (27) 24 (41)
are managedb No Frequency 18 (50) 16 (73) 34 (59)
Audit program is designed to test risk management Yes Frequency 20 (57) 10 (46) 30 (53)
activityc No Frequency 15 (43) 12 (54) 27 (47)
Auditing reports to management in risk Yes Frequency 21 (58) 8 (36) 29 (50)
management termsd No Frequency 15 (42) 14 (64) 29 (50)
Use of risk categories in the audit reportse Yes Frequency 24 (67) 6 (27) 30 (52)
No Frequency 12 (33) 16 (73) 28 (48)
H15 Dynamic role supporting the implementation of risk Yes Frequency 13 (57) 5 (71) 18 (60)
managementf No Frequency 10 (43) 2 (29) 12 (40)
H16 Internal auditing involvement in the formal risk Yes Frequency 14 (38) 6 (27) 20 (34)
g
management process No Frequency 23 (62) 16 (73) 39 (66)
Notes: ax 2 ¼ 5.54; prob. ¼ 0.019; df ¼ 1; F ¼ 0.374; bx 2 ¼ 2.05; prob. ¼ 0.153; df ¼ 1; F ¼ 0.224; Table IX.
c
x 2 ¼ 0.35; prob. ¼ 0.557; df ¼ 1; F ¼ 0.114; dx 2 ¼ 1.83; prob. ¼ 0.176; df ¼ 1; F ¼ 0.213; Tests of
e 2
x ¼ 6.98; prob. ¼ 0.008; df ¼ 1; F ¼ 0.383; fx 2 ¼ 0.497; prob. ¼ 0.481; df ¼ 1; F ¼ 2 0.129; internationalization
g 2
x ¼ 0.687; prob. ¼ 0.407; df ¼ 1; F ¼ 0.108; the parentheses values are in percentage hypotheses

significant, entities which belong to international groups are more likely to assess the
way business risk is managed, to test risk management activities, and to report
findings and recommendations in terms of risk management.
The proactive role of the internal auditing in the implementation of ERM was lesser
in internationalized entities (57 percent) than in entities not belonging to international
MAJ firms (71 percent). However, H15 is accepted. The majority of internal auditing
25,1 departments (whether internationalized or not) were not involved in ERM.

Listed companies
Irrespective of listing status on the Portuguese stock exchange, firms make extensive
use of risk-based approaches for planning the annual schedule of audits (Table X).
94 However, listed companies generally adopt risk-based approaches (92 percent).
When considering the risk-based approach at the micro level, listed companies
are more likely to assess how business risks are managed, test risk management
activities ( p ¼ 0.021), and report findings and recommendations in terms of risk
management.
The proactive role of the internal auditing in the implementation of ERM in listed
companies was 56 percent, whereas in non listed companies, it was 62 percent.
A majority of internal auditing departments, irrespective of listing status was not
involved in ERM. H21 is rejected.

Conclusions
Most prior literature on aspects of internal auditing has focused on empirical evidence
from the Anglo-American world. The evidence we report from Portugal, a “Latin”
European country with a code law heritage, should be timely and facilitate
comparisons of internal auditing practices in other domains. More importantly,
the evidence we adduce reveals how company-specific factors are associated with the
adoption of risk-based auditing. Our evidence should aid understanding of factors
associated with the adoption of risk-based internal auditing, both in annual audit
planning, and in planning and executing individual audits. Knowledge of these factors
should help stakeholders to assess the nature of their engagement with particular types

Listed
Yes No Total

H17 Application of risk-based auditing in the annual Yes Frequency 12 (92) 36 (86) 48 (87)
planninga No Frequency 1 (8) 6 (14) 7 (13)
H18 Audit objective is to assess the way business risksYes Frequency 8 (62) 16 (36) 24 (41)
are managedb No Frequency 5 (38) 29 (64) 34 (59)
Audit program is designed to test risk management Yes Frequency 11 (85) 19 (43) 30 (53)
activityc No Frequency 2 (15) 25 (57) 27 (47)
Auditing reports to management in risk Yes Frequency 10 (77) 19 (42) 29 (50)
management termsd No Frequency 3 (23) 26 (58) 29 (50)
Use of risk categories in the audit reportse Yes Frequency 5 (38) 25 (56) 30 (52)
No Frequency 8 (62) 20 (44) 28 (48)
H19 Dynamic role supporting the implementation of risk Yes Frequency 5 (56) 13 (62) 18 (60)
managementf No Frequency 4 (44) 8 (38) 12 (40)
H20 Internal auditing involvement in the formal risk Yes Frequency 6 (43) 14 (31) 20 (34)
management processg No Frequency 8 (57) 31 (69) 39 (66)
Notes: ax 2 ¼ 0.389; prob. ¼ 0.883; df ¼ 1; F ¼ 0.084; bx 2 ¼ 2.81; prob. ¼ 0.175; df ¼ 1; F ¼ 0.220;
c
Table X. x 2 ¼ 6.91; prob. ¼ 0.021; df ¼ 1; F ¼ 0.348; dx 2 ¼ 4.86; prob. ¼ 0.059; df ¼ 1; F ¼ 0.289;
e 2
Tests of listing status x ¼ 1.18; prob. ¼ 0.440; df ¼ 1; F ¼ 2 0.143; fx 2 ¼ 0.106; prob. ¼ 1.000; df ¼ 1; F ¼ 0.059;
g 2
hypotheses x ¼ 0.657; prob. ¼ 0.626; df ¼ 1; F ¼ 0.106; the parentheses values are in percentage
of entities: other things equal, stakeholders should prefer to engage with entities which Risk-based
have a higher propensity to adopt risk-based internal auditing and ERM practices. internal auditing
Our literature review highlights the active role that internal audit should take in the
implementation of risk management, especially in small firms. The importance of
strong monitoring of risk exposures and risk management practices by business
entities was highlighted starkly in 2008 following the financial implosion of several
major US investment banks (Bear Stearns, Lehman Brothers, and Merrill Lynch). 95
The implementation of a formal process of risk management (ERM) by an entity helps
it to obtain an overview of the different risks (and risk interdependencies) to which
they are exposed, reduces the reaction time of a business to risk-related issues, creates
a positive culture of risk, and improves the process of risk mitigation. Risk-based
internal auditing helps companies to practice effective risk management because it
incorporates principles of risk management throughout the audit process, both in the
annual planning process, and in planning each audit engagement.
Our results show that 82 percent of entities use a risk-based approach in annual
audit planning; and 31 percent applied this approach in planning each audit
engagement. In most entities, individual audits are control-based, and not risk oriented.
Approximately, half of the entities reviewed their audit universe annually, thereby
improving the effectiveness of the risk-based approach in the annual planning process.
About half had implemented a formal risk management process (ERM) or were
doing so; in about 60 percent of entities, internal auditing performed a dynamic role in
the implementation of ERM. In five entities the manager in charge of the risk
management department was also the manager in charge of the audit department.
In such organizations, the IIA (2009) recommends that there needs to be a clear
strategy and timeline for passing responsibility for these services to members of the
management team.
The adoption of risk-based auditing is related positively with entity size. Macro level
risk-based auditing is statistically significant in international firms ( p # 0.05); and in
listed companies ( p # 0.10). The application of macro level risk-based auditing is
strong (but not significant) in private firms, and entities in the finance industry. The
findings for the finance industry are consistent with explanations of the broader
risk-based internal auditing activities observed in finance institutions. Such activities
are prompted by a higher maturity of business risk management in these institutions
(Zárate, 2001), by regulations issued by external supervising institutes (such as the
Portuguese Central Bank), and by Basel II Accord requirements.
In implementing a formal risk management process, there is a tendency for internal
auditing to assume a proactive role in smaller organizations – probably because
smaller entities do not have as many resources as larger entities, and therefore are
more likely to require internal auditing to take an active role in ERM. There is a
negative (but not significant) correlation between the proactive role of internal auditing
in ERM and the size of entities, finance industry firms and the internationalization of
companies. The proactive role of internal auditing seems to be independent of whether
the company is in the private sector or the public sector, and whether it is listed on the
Portuguese Stock Exchange. There is a tendency for the involvement of internal
auditing in ERM to be more evident in finance firms and in private sector firms.
Most of the Portuguese organizations represented still follow the control
paradigm, thereby reducing the potential contribution of internal auditors to risk
MAJ management activities. To meet stakeholder expectations, there are strong grounds for
25,1 internal auditing in Portugal to adopt a risk-based approach. Ongoing pressure from
stakeholders to mitigate risk seems likely to be influential in the development of internal
auditing in the future (McNamee and Selim, 1998). However, many entities do not seem
to have a sufficiently expert internal audit function to respond fully to the challenge.
This advances two broad challenges for the IPAI: first, to be a more effective advocate of
96 internal auditing in the business community in Portugal; and second, to maintain
international best practice standards in its professional accreditation procedures and
continuing professional development activities.
Our portrait of internal auditing in Portugal is subject to the general limitations of
the questionnaire survey method, including respondent fatigue and measurement bias.
To facilitate statistical analysis, we did not use open-ended questions. A more refined
understanding of motives and practices would have been obtained by complementing
the survey results with interviews of respondents. Additionally, the sample size
precludes extrapolation of conclusions to all Portuguese entities.
Similar explorations of risk-based auditing in other national settings and regulatory
frameworks and cultures, should help to develop better global understanding of the
determinants of risk-based internal auditing and patterns of professional internal
auditing practice. There seems particular merit in investigating how risk-based
auditing affects the achievement of business aims; how the performance of consultancy
services affects auditors’ independence; and how risk-based internal auditing practice
increases the probability of fraud in developing countries that do not have codes of
auditing practice.

References
Allegrini, M. and D’Onza, G. (2003), “Internal auditing and risk assessment in large Italian
companies: an empirical survey”, International Journal of Auditing, Vol. 7, pp. 191-208.
Allot, A. (1996), “The emerging role of internal audit”, Management Accounting, January,
pp. 60-1.
Alzuela, J.M.B. (2003), “La gestión de riesgos en entidades financieras”, Partida Doble, December,
pp. 62-5.
Banham, R. (2004), “Enterprising views of risk management”, Journal of Accountancy, Vol. 197
No. 6, pp. 65-71.
Basel Committee on Banking Supervision (2003), Sound Practices for the Management and
Supervision of Operational Risk: Background, BCBS, Basel.
Beasley, M.S., Clune, R. and Hermanson, D.R. (2005), “Enterprise risk management: an empirical
analysis of factors associated with the extent of implementation”, Journal of Accounting &
Public Policy, Vol. 24, pp. 521-31.
Bou-Raad, G. (2000), “Internal auditors and a value-added approach: the new business regime”,
Managerial Auditing Journal, Vol. 15 No. 4, pp. 182-7.
Busman, E.R. and Zuiden, P.V. (1998), “The challenge ahead: adopting an enterprise-wide
approach to risk”, Risk Management, January, pp. 14-17.
Campbell, M., Adams, G.W., Campbell, D.R. and Rose, M.P. (2006), “Internal audit can deliver
more value”, Financial Executive, January/February, pp. 44-7.
Chapman, C. (2001), “The big picture”, The Internal Auditor, Vol. 58 No. 3, pp. 30-7.
Chun, C. (1997), “On the functions and objectives of internal audit and their underlying Risk-based
conditions”, Managerial Auditing Journal, Vol. 12 Nos 4/5, pp. 247-50.
internal auditing
Colbert, J. and Alderman, C. (1995), “A risk-driven approach to the internal audit”, Managerial
Auditing Journal, Vol. 10 No. 2, pp. 38-44.
COSO (2004), Enterprise Risk Management – Integrated Framework, Committee of Sponsoring
Organizations, New York, NY, September 29.
Dittenhofer, M. (2001), “Internal auditing effectiveness: an expansion of present methods”, 97
Managerial Auditing Journal, Vol. 16 No. 8, pp. 443-50.
Fuente, L. and Vega, G. (2003), “La gestión de riesgos en empresas no financieras”, Partida Doble,
December, pp. 54-60.
Funston, R. (2003), “Creating a risk-intelligent organization”, The Internal Auditor, Vol. 60 No. 2,
pp. 59-63.
Goodwin, J. (2004), “A comparison of internal audit in the private and public sectors”, Managerial
Auditing Journal, Vol. 19 No. 5, pp. 640-50.
Goodwin-Stewart, J. and Kent, P. (2006), “The use of internal audit by Australian companies”,
Managerial Auditing Journal, Vol. 21 No. 1, pp. 81-101.
Gramling, A. and Myers, P. (2006), “Internal auditing’s role in ERM”, The Internal Auditor,
Vol. 62 No. 2, pp. 52-8.
Griffiths, D. (2006), Risk Based Internal Auditing: An Introdution, available at: www.internalaudit.
biz (accessed February 12, 2008).
Gronli, M.J. and Xystros, C. (1999), “Elevating internal audit”, Traffic World, August, p. 40.
IIA (2001), Practice Advisory 2100-4: Internal Auditing’s Role in Organization without a Risk
Management Process, Institute of Internal Auditors, Altamonte Springs, FL, available at:
www.iia.org.au/content/Practice%20Advisories%20in%20full%20June%202006.pdf
IIA (2004), International Standards for the Professional Practice of Internal Auditing, Institute of
Internal Auditors, Altamonte Springs, FL.
IIA (2009), IIA Position Paper: The Role of IA in ERM, Institute of Internal Auditors, Altamonte
Springs, FL, available at: www.theiia.org/download.cfm?file¼62465
IIA – UK and Ireland (2003), Risk Based Internal Auditing, Institute of Internal Auditors,
Altamonte Springs, FL, available at: www.iia.org.uk
IIA – UK and Ireland (2005), Internal Audit 2005. A Survey of Current Practice in Ireland,
Institute of Internal Auditors, Altamonte Springs, FL, available at: www.iia.org.uk
Jackson, R.A. (2005), “Role play”, The Internal Auditor, Vol. 62 No. 2, pp. 44-51.
Jin’e, Y. and Dunjia, L. (1997), “Performance audit in the service of internal audit”, Managerial
Auditing Journal, Vol. 12 Nos 4/5, pp. 192-5.
Krogstad, J.L., Ridley, A.J. and Rittenberg, L.E. (1999), “Where we’re going”, The Internal
Auditor, October, pp. 26-33.
Kunkel, J. (2004), “The changing role of internal audit”, Chain Store Age, September, pp. 4-5.
Lindow, P.E. and Race, J.D. (2002), “Beyond traditional audit techniques”, Journal of
Accountancy, July, pp. 28-33.
Lorenzo, M.J.P. (2001), “La auditorı́a interna orientada a los processos”, Partida Doble,
July/August, pp. 78-85.
McNamee, D. (1997), “Risk based auditing”, The Internal Auditor, Vol. 54 No. 4, pp. 22-7.
McNamee, D. and Selim, G. (1998), Risk Management: Changing the Internal Auditor’s Paradigm,
The Institute of Internal Auditors Research Foundation, Altamonte Springs, FL.
MAJ Marks, N. (2001), “The new age of internal auditing”, The Internal Auditor, December, pp. 44-9.
25,1 Matyjewicz, G. and D’Arcangelo, J.R. (2004), “ERM-based auditing”, Internal Auditing,
November/December, pp. 4-18.
Maynard, G.R. (1999), “Embracing risk”, The Internal Auditor, February, pp. 24-8.
Merkley, B.W. and Miccolis, J.A. (2002), “Getting left behind”, Risk Management, April,
pp. 28-50.
98 Nagy, A.L. and Cenker, W.J. (2002), “An assessment of the newly defined internal audit function”,
Managerial Auditing Journal, Vol. 17 No. 3, pp. 130-7.
O’Regan, D. (2002), “The CPA’s transition to the world of internal auditing”, The CPA Journal,
August, pp. 11-13.
Rivenbark, W.C. (2000), “Embracing risk-based auditing in local government”, Government
Finance Review, June, pp. 17-20.
Sarens, G. and de Beelde, I. (2006), “Internal auditors’ perception about their role in risk
management: a comparison between US and Belgian companies”, Managerial Auditing
Journal, Vol. 21 No. 1, pp. 63-8.
Selim, G. and McNamee, D. (1999), “The risk management and internal auditing
relationship: developing and validating a model”, International Journal of Auditing,
Vol. 3, pp. 159-74.
Spira, L.F. and Page, M. (2003), “Risk management: the reinvention of internal control and the
changing role of internal audit”, Accounting, Auditing & Accountability Journal, Vol. 16
No. 4, pp. 640-61.
Szpirglas, M. (2006), “Gestion des risques et quiproquos”, Revue Française de Gestion, February,
pp. 67-88.
Verschoor, C.C. (2002), “Audit committees focus on risk management”, Internal Auditing,
July/August, pp. 27-32.
Walker, P.L., Shenkir, W.G. and Barton, T.L. (2003), “ERM in practice”, The Internal Auditor,
Vol. 60 No. 4, pp. 51-5.
Zárate, F.C.O. (2001), “La gestión de riesgos: un enfoque práctico”, Partida Doble, July/August,
pp. 64-76.

Corresponding author
Russell Craig can be contacted at: russell.craig@canterbury.ac.nz

To purchase reprints of this article please e-mail: reprints@emeraldinsight.com

Or visit our web site for further details: www.emeraldinsight.com/reprints