Review

From Compliance to Strategic Partnerships: The Role of Internal Audit in Enterprise Risk Management and Opportunities for Future Research

by Porschia Nkansa 1,*, Dereck Barr-Pulliam 2 and Kimberly Walker 3

1 Department of Accounting, California State University, Los Angeles, CA 90032, USA
2 School of Accountancy, University of Louisville, Louisville, KY 40208, USA
3 Department of Accounting and Information Systems, Virginia Tech, Blacksburg, VA 24061, USA
* Author to whom correspondence should be addressed.
J. Risk Financial Manag. 2025, 18(12), 707; https://doi.org/10.3390/jrfm18120707
Submission received: 25 August 2025 / Revised: 27 November 2025 / Accepted: 3 December 2025 / Published: 11 December 2025
(This article belongs to the Special Issue Judgment and Decision-Making Research in Auditing)

Abstract

Implementing enterprise risk management (ERM) helps organizations identify, assess, and manage emerging risks. As global ecosystems face intensifying environmental, social and governance (ESG) pressures—including climate risks, regulatory demands for sustainability reporting and stakeholder expectations for ecosystem protection—the internal audit function (IAF) plays an increasingly critical role in helping organizations monitor and respond to these risks. Internal auditors’ expertise supports risk identification and assessment, though management maintains responsibility for risk management and control. Using the Committee of Sponsoring Organizations’ (COSO) ERM framework, we review 77 studies across 23 journals published between 2004 and 2024. Prior research primarily examines internal audit’s assurance and consulting roles, with considerably less attention given to activities that compromise independence. While evidence suggests that internal audit quality enhances risk management effectiveness, uncertainty remains about boundaries for consulting activities and technology-enabled assurance. Our synthesis highlights limited empirical insight into internal audit’s strategic partnership role in ERM and identifies future research opportunities for scholars, practitioners and standard setters.

1. Introduction

Enterprise risk management (ERM) is a critical component of modern governance, designed to help organizations identify, assess, manage and monitor existing and emerging risks. Although boards of directors hold ultimate responsibility for risk oversight, day-to-day coordination is delegated to management and supporting functions—including the internal audit function (IAF). The IAF plays an important role in providing assurance on the effectiveness of ERM processes while maintaining its objectivity across both its assurance and consulting activities (IIA, 2009). This delegation structure positions the IAF as a key participant in ERM, provided that its involvement does not compromise its objectivity in either assurance or consulting roles (IIA, 2009). Consistent with professional standards, the IAF’s ERM-related work should focus on providing independent assurance over the design and operating effectiveness of ERM processes and procedures. Growing ESG pressures—such as climate-related risks, new sustainability reporting requirements and expectations for ecosystem stewardship (COSO, 2017; IIA, 2020)—heighten the importance of internal audit’s role in organizational risk monitoring. Further, stakeholders expect transparent and credible risk management practices (COSO, 2004, 2013, 2017).
Organizations face increasing pressure from both internal and external stakeholders to identify and manage financial, operational, social, ethical and environmental risks, as well as to explain how these risks are monitored and mitigated (COSO, 2004, 2011, 2013; IIA, 2009). Many organizations adopt an ERM approach because it offers a structured and efficient way to identify potential events, assess risks relative to appetite and provide reasonable assurance regarding the achievement of strategic objectives. Although management is primarily responsible for ERM, the IAF plays an essential monitoring role by leveraging its deep knowledge of business processes, internal controls and risk exposures to provide insights and recommendations (Gramling & Myers, 2006). Since the IAF effectively provides a window into the organization (Tapestry Networks, 2004), understanding its role in ERM is integral.
This study synthesizes two decades of post-2004 research on the IAF’s involvement in ERM. Although several prior literature reviews examine aspects of internal auditing (e.g., Cohen et al., 2004; Gramling et al., 2004; Brown et al., 2007; Messier et al., 2011; Bame-Aldred et al., 2013; Rose et al., 2013; Brown-Liburd et al., 2015; Kotb et al., 2020), they focus on topics such as external auditor reliance, technology adoption or internal audit as a management training ground and therefore do not provide a unified assessment of the IAF’s role specifically within ERM. To address this gap, we conduct a comprehensive search of the accounting and risk management literatures and identify 77 studies across 23 journals that relate to internal auditors’ ERM involvement. Guided by the Institute of Internal Auditors’ (IIA, 2009) ERM role framework (see Figure 1), we classify each study into one of three categories: (1) core internal audit roles involving ERM-related assurance activities, (2) legitimate consulting roles with safeguards and (3) roles internal auditors should not undertake because they are management responsibilities. Then, we identify subthemes within each category. We also incorporate emerging judgment and decision-making research on risk assessment, technology use, fraud detection and reporting decisions, as these behavioral insights are essential for understanding the IAF’s influence on ERM effectiveness. Collectively, these efforts support our two objectives: (1) to provide a structured synthesis of ERM-related internal audit research published between 2004 and 2024, and (2) to identify gaps, themes and opportunities for future inquiry. Accordingly, this review is guided by two research questions: (1) What have we learned about the IAF’s role in ERM? and (2) What do we still need to learn about how internal auditors support, evaluate and influence ERM processes?
Our study is important for several reasons. First, it provides the first unified and updated synthesis of research published between 2004 and 2024 on the IAF’s role in ERM. By organizing the literature according to the IIA ERM role framework (IIA, 2009), which aligns closely with COSO’s “Enterprise Risk Management—Integrating with Strategy and Performance” (COSO, 2017), our review bridges previously fragmented research streams into a single, structured framework. Second, taking an ERM approach to risk management strengthens the company’s identification, management and monitoring of risks that could negatively affect its ability to accomplish its core objectives. Our review reveals three overarching insights: (1) most studies examine assurance and consulting roles, with comparatively less attention to activities that threaten internal audit independence; (2) the IAF’s potential as a strategic partner in risk management remains underexplored; and (3) empirical evidence on technology-enabled assurance and cross-functional collaboration is limited.
Another important aspect of this study is that it provides a view into the judgment and decision-making research in internal auditing related to ERM. Internal auditors use risk focus, risk analysis techniques, risk judgments and risk assessments to make decisions about their organizations’ ERM objectives, processes, activities and outcomes. Internal auditors can apply risk focus to determine how to balance assurance and consulting roles (Barr-Pulliam et al., 2024). Risk analysis techniques that internal auditors utilize to make evaluations about ERM may involve certain testing methods, governance software and auditing technology. Internal auditor judgments in the ERM environment could relate to different types of risk judgments (e.g., accounting risk, internal control risk, financial misstatement risk, fraud risk). Finally, internal auditors’ assessments guide their reporting decisions and the content of their disclosures in the ERM setting.
In the remainder of the paper, we first briefly describe the research coverage and knowledge provided by prior internal audit literature reviews in Section 2. Next, we describe ERM and then our methodological approach in Section 3. Third, we assign and synthesize the post-2004 internal audit research along with the roles the IAF plays in ERM in Section 4. Lastly, we end with Section 5.

2. Background

2.1. Committee of Sponsoring Organizations (COSO) and Enterprise Risk Management (ERM)

The general COSO framework assists companies in developing and maintaining flexible systems of internal control. It identifies five components of enterprise risk management: governance and culture; strategy and objective-setting; performance; review and revision; and information, communication, & reporting (COSO, 2017). The framework updates previous COSO frameworks by connecting strategy, risk and performance (COSO, 2017). COSO specifically defines ERM as “a process, effected by an entity’s board of directors, management, and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (COSO, 2004). Lastly, the COSO integrated framework provides a cogent structure to identify opportunities for the IAF to add value to the company by leveraging its operational knowledge and experience to provide high-quality assurance on the operating effectiveness of internal controls, to help ensure high financial reporting quality and to ensure that ERM advises organizational strategy and performance.

2.2. The Role of the Internal Audit Function (IAF) in the ERM Framework

The core internal audit role concerning ERM is to provide objective assurance to the company’s board on the effectiveness of risk management (IIA, 2009). Effective ERM allows firms to benefit from a unified approach to risk management that changes the focus of managing risk from mainly defensive to progressively offensive and strategic (Liebenberg & Hoyt, 2003). Driven by several corporate financial reporting scandals and companies’ and stakeholders’ demand for greater oversight of critical risks, there is an accelerated need for companies to carry out ERM initiatives (Beasley et al., 2006). As noted in Figure 1, we use the ERM framework as outlined in the IIA ERM position paper (IIA, 2009) to explore how current research contributes to knowledge.
In 1999, the IIA introduced a definition of the IAF as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes” (IIA, 2000). This definition repositions the focus of the IAF from assurance to value-added and strives to move internal auditing towards an elevated identity with standards-driven methods (Bou-Raad, 2000; Krogstad et al., 1999). Specifically, the internal audit role requires the internal auditor to identify and assess the risks of the company. The IIA upholds that “the internal auditing process provides assurance to management and the audit committee that risks to the organization are understood and managed appropriately” (IIA, 2000).
Risk management is an essential element of corporate governance. Managers are responsible for initiating and steering the risk management framework on behalf of the board (IIA, 2009). In contrast, the internal auditing professional standards require internal auditors to adopt a risk-based approach methodology that links internal auditing to an organization’s overall risk management framework. Furthermore, internal auditors are responsible for assuring that the company appropriately manages organizational risks. Therefore, the IAF is vested in the success of an organization’s ERM process because it affects its roles and responsibilities (IIA, 2017). The IAF supports enterprise resilience by helping organizations identify risk factors and risk changes.
The COSO ERM framework suggests that the IAF should “assist management and the board of directors or audit committee by examining, evaluating, reporting on and recommending improvements to the adequacy and effectiveness of the entity’s enterprise risk management” (COSO, 2004, 2017). However, this framework does not specify the extent of internal audit involvement in ERM or specific activities that internal audit should perform when engaging in ERM activities. The lack of specificity creates conflicting views regarding the IAF’s role(s) in ERM. Some suggest that ERM traditional risk owners, such as the line of business managers and risk officers, monitor entity risks. Further, these proponents suggest that the internal auditing role in ERM should focus specifically on the last component in COSO’s ERM framework–monitoring (Beasley et al., 2006). The rationale behind this logic is that internal audit should take a back seat to preserve the checks and balances that the audit function provides (Banham, 2004). Others believe that the IAF plays a critical role in overseeing risk, given the internal auditor’s expertise and focus on risks and internal controls.
Under both views, the IAF is in a unique position to assist with various ERM activities because “[i]nternal auditors and risk managers share some knowledge, skills and values. Both, for example, understand corporate governance requirements, have project management, analytical and facilitation skills, and value having a healthy balance of risk rather than extreme risk-taking or avoidance behaviors” (IIA, 2009). We posit that the IAF provides value to an organization by engaging in certain organizational ERM activities as outlined in the internal audit ERM framework (IIA, 2009). Internal audit ERM activities can include: championing the establishment of ERM, introducing ERM to organizations, coordinating ERM activities and consolidating the reporting on risks. We rely on the internal audit ERM framework to examine those activities and the associated benefits and consequences.

3. Methodology

3.1. Identification Process

For this review, we examine both experimental and archival studies published from 2004 to 2024 to identify all research that relates to the role of internal auditing in ERM (IIA, 2009). We search keywords individually and in groups such as “internal audit,” “enterprise risk management,” “ERM,” “risk,” and “compliance.” We include accounting, auditing and risk management journals that publish research on IA topics. We summarize the count of identified papers by the journal of publication, methodology and category (across the three categories discussed in the IIA’s position paper regarding ERM) (IIA, 2009) in Table 1.
We identify a total of 77 studies in 23 journals (see Panel A of Table 1). From these studies, we hand collect the research question(s), methodology and main findings of each study. Next, we assign each study to one of the three categories discussed in the IIA position paper regarding ERM (IIA, 2009). The three categories are: (1) core internal audit roles regarding ERM, (2) legitimate internal audit roles with safeguards, and (3) roles internal audit should not undertake; and we identify sub-themes within each category (IIA, 2009). Core internal audit roles regarding ERM represent the assurance activities that internal auditors perform during the risk management process. Legitimate internal audit roles with safeguards comprise the consulting roles that internal auditors may carry out in the ERM process. Further, roles internal audit should not undertake are roles that are the responsibility of company management.
To enhance the rigor of our literature review, we followed a structured multi-stage approach designed to ensure validity, reliability and replicability. We searched multiple databases, including Scopus, Web of Science, and leading accounting, auditing and risk management journals, using combinations of the keywords: “internal audit”, “enterprise risk management”, “ERM”, “risk” and “compliance.” We included studies that examined or provided implications for the internal audit function within the ERM context and were published between 2004 and 2024. We excluded studies that do not discuss internal audit/auditing/auditors or managing risks/risk management. Each author independently reviewed the abstracts and full texts of potentially relevant studies to verify their alignment with the IIA’s framework (IIA, 2009). We then categorized each study into one of the three IIA framework-based roles: (1) core internal audit roles, (2) legitimate internal audit roles with safeguards, and (3) roles internal audit should not undertake. Discrepancies in classification were discussed until full consensus was reached about the studies’ categories. Finally, we triangulated findings across qualitative, experimental, archival and mixed-methods studies to strengthen construct validity and ensure a comprehensive synthesis of the literature. Although our multi-stage approach was wide-ranging and thorough, a couple of methodological limitations could be study selection error (missing studies that meet our criteria) and category imprecision (classifying studies in the incorrect category).
We focus our review on both quantitative and qualitative research. This approach allows us to take advantage of the strengths and address the limitations of each methodological approach. As a result, this approach allows us to triangulate interesting research questions. Quantitative research, especially archival methods, allows us to identify associations between and among various IAF characteristics. Qualitative research is typically exploratory and helps researchers: (1) gain an understanding of underlying reasons, opinions and motivations behind specific questions, and generate hypotheses and (2) explore whether and to what extent the associations, identified in quantitative research, between and among various IAFs exist. Currently, access to quantitative data that characterizes or measures activities of the IAF, such as budget data or audit report opinions, is limited. As a result, apart from a few studies that use the IIA’s GAIN data,1 much of the extant IAF research is experimental. Consistent with this notion and noted in Panel B of Table 1, we identify six archival studies versus 65 combined experimental (includes qualitative and survey methods) and mixed methods studies published across 23 journals between 2004 and 2024.2
Our literature review shows that the least amount of research explores the roles internal audit should not undertake category (15 studies covered in this review) compared to the core internal audit roles regarding ERM category (34 studies covered in this review), and legitimate internal audit roles with safeguards category (28 studies covered in this review). The literature on the core internal audit roles category delves into topics regarding outsourcing, internal control deficiencies, IAF quality, internal audit reliance, information security and management misconduct. The literature on the legitimate internal audit roles category explores topics such as advocacy, internal audit contribution to the external audit fee, fraud risk assessments, internal auditors’ relationship with information systems professionals and information technology governance. Lastly, the prohibited roles category examines independence, objectivity, the IAF as a rotational management program and continuous auditing. Overall, these findings mirror both distinctive limitations as well as notable opportunities to explore internal audit from emerging topics.

3.2. The Difference from Prior Internal Audit Literature Reviews

Cohen et al. (2004) and Gramling et al. (2004) categorize research in progress or published before 2004 related to the IAF serving in its corporate governance role. These literature reviews categorize research along the four “cornerstones” of the governance framework or in the context of a corporate governance “mosaic,” respectively. Subsequent IA literature reviews take a more fragmented approach and examine specific topics such as external auditor reliance on the IAF (Bame-Aldred et al., 2013), the use of advanced technology to enhance the efficiency and effectiveness of IAF assurance processes (e.g., Brown-Liburd et al., 2015), continuous auditing in accounting information systems research (Eulerich & Kalinichenko, 2018), post-Sarbanes Oxley Act literature (Roussy & Perron, 2018) and post-Enron literature (Kotb et al., 2020). Our approach provides a unifying framework that is developed per internal auditing standards and reflects the shifting focus of the IAF from a compliance to a more strategic partnership viewpoint.

4. Literature Review & Synthesis

4.1. Category 1: Core Internal Audit Roles—Assurance Activities

Section 4.1 outlines the internal audit literature that is categorized as Core Internal Audit Roles—Assurance Activities. Section 4.2 outlines the internal audit literature that is categorized as Legitimate Internal Audit Roles with Safeguards—Consulting Activities. Section 4.3 outlines the internal audit literature that is categorized as Roles Internal Audit Should Not Take—Role Duality. Each section has themes and a summary table that displays panels for: research themes and subthemes (Panel A), research summary (Panel B) and future research directions (Panel C).
The first internal audit role we explore within the ERM framework directly relates to the IAF’s core role—assurance activities. According to the International Standards for the Professional Practice of Internal Auditing, the IAF can and should perform assurance activities (IIA, 2009). Despite the changing role of the IAF, Nagy and Cenker (2002) suggest that the traditional role of the IAF should not diminish in favor of the new “consulting” and value-added directive. The traditional attestation function of internal audit continues to provide value to organizations over time because internal auditors share critical insights derived from their experiences with management. In this section, we review and discuss themes within internal audit research using the broad categories outlined in the IIA position paper (IIA, 2009).

4.1.1. What Have We Learned?

Table 2 provides a detailed summary of research themes and subthemes (Panel A), the cited papers that examine the core internal audit roles (assurance activities) (Panel B), as well as a list of future research directions (Panel C). We use the five assurance activities that support the core internal audit roles to identify several themes that emerge from this literature. These themes focus on the interactions between the IAF and management (including the board) and external auditors when assessing and managing risk. We also focus on how the IAF utilizes technology and continuous monitoring to manage risk. Internal auditors serve as a valued resource to management (e.g., Carcello et al., 2018) by assuring the stakeholders that management effectively mitigates risk. However, despite its resources and expertise, the IAF is forced to deploy a silo approach when performing its duties to maintain independence and objectivity, in fact and in appearance. To maintain an appropriate level of independence, the IAF must restrict its level of interaction with stakeholders. Furthermore, the third line of defense outlined in the IIA’s Three Lines Model defense framework3 restricts the role that IAs play in the ERM setting (IIA, 2020). Consequently, this type of organizational structure can hinder internal auditors from achieving ERM objectives (Kleffner et al., 2003) by focusing exclusively on assurance-related activities.
Theme 1—Risk Management Processes, the IAF and External Auditors’ Reliance Decisions
One of the most critical roles that the board plays within an organization is to provide internal audit oversight. We define assurance as the board’s ability to gain confidence and certainty from management or other sources (such as the IAF) that the company’s risk management processes are effective. Furthermore, according to Banham (2004), regulators and other corporate governance proponents have placed many expectations on boards for risk oversight. For example, the New York Stock Exchange’s governance rules suggest that risk responsibility lies with the audit committee. One way that the IAF may help the board achieve its risk management objectives is through outsourcing arrangements and the assessment of organizations’ internal controls.
Many studies focus on sourcing arrangements or the external auditor’s decision to rely on the work of the IAF because these types of decisions have become increasingly important as a result of Section 404 of the Sarbanes-Oxley Act (SOX) and PCAOB Auditing Standard No. 2. The practice of outsourcing all or some of the IAF to an independent third party can lead to substantial benefits over maintaining an employee-only IAF. Prawitt et al. (2012) provide evidence that companies that outsource at least some portion of their IAF to their big public accounting firm external auditor had lower accounting risk. Similarly, Glover et al. (2008) examine whether external auditors are sensitive to differences in internal auditors’ sourcing arrangements by investigating external auditors’ willingness to rely on the work of outsourced or in-house internal auditors. The authors find that external auditors are more likely to rely on the work of outsourced rather than in-house internal auditors when inherent risk is high compared to when inherent risk is low. These findings provide evidence that the IAF’s expertise and knowledge reduce the overall risk of potentially fraudulent or misleading financial reporting. Through a field study, Bhattacharjee et al. (2016) observe how external auditors assess client-level misstatement risk (inherent risk and control risk) and account subjectivity when utilizing internal auditors. These findings indicate that external auditors increase their internal audit reliance when account subjectivity increases across moderate misstatement risk. However, external auditors decrease their internal audit reliance when account subjectivity increases across higher misstatement risk. Recent evidence (Barr-Pulliam et al., 2024) further clarifies how external auditors’ reliance decisions depend on the perceived purpose of the internal audit function (as assurance-oriented or advisory-oriented).
Some external auditors rely on the work of internal auditors to assess the effectiveness of management’s internal controls over financial reporting. Petherbridge and Messier (2016) explore how the PCAOB inspection process affects external auditors’ reliance on the IAF. The findings suggest that when the PCAOB inspection focuses on both effectiveness and efficiency, the reliance that external auditors place on the IAF is not associated with engagement risk. On the other hand, when the PCAOB inspection process focuses on effectiveness, the external auditors place more reliance on the IAF when engagement risk is low as opposed to when it is high. These results suggest that internal auditors’ expertise is useful when assessing a company’s risk management processes. A 2018 study also provides evidence that companies using an IAF that disclose firm-specific information related to internal audit pay lower external audit fees than companies that do not provide firm-specific internal audit disclosures (Axén, 2018). The study’s findings suggest a connection between more informative internal audit disclosures, higher IAF quality (with improved risk management processes) and lower external audit fees.
In summary (and displayed in Table 2, Panel A), the judgment and decision-making research in auditing subthemes related to this theme’s studies are: (1) in-house versus outsourced internal auditors, (2) internal audit reliance and (3) internal audit reporting and reporting lines. For in-house versus outsourced internal auditors, the literature reveals that there are benefits of lowering accounting risk for United States (U.S.) public companies that outsourced their IAF to external auditors. For internal audit reliance, studies show that the level of different types of risk influences international and U.S. external auditor reliance decisions on in-house versus outsourced internal auditors. U.S. external auditors’ reliance decisions are also affected by PCAOB inspection focus. Differences in auditing standards and regulatory climates could be reasons for the variations in international and U.S. external auditor reliance decisions. For internal audit reporting and reporting lines, evidence for international public companies highlights that firm-specific internal audit disclosures provide the benefit of lowering external audit costs.
Theme 2—Risk Management Processes, the IAF and Risk Management Effectiveness
Prior research suggests a positive relationship between the effectiveness of the IAF and a company’s risk management processes. Graham and Bedard (2015) explore the association between IAF quality and tax disclosures using archival data. The study uses an external auditor assessment of the IAF as a proxy for IAF quality and findings show a negative relation between IAF quality and both the occurrence and severity of tax internal control deficiencies. The findings suggest that higher IAF quality helps to improve the operating effectiveness of tax-related internal controls. Stefaniak et al. (2012) extend this line of research by contrasting internal and external auditors’ evaluation of the severity of information technology-related internal control deficiencies in comparison to management’s reporting preferences for the same controls. The results show that internal auditors are less likely to agree with management’s preferred position relative to external auditors when assessing internal control deficiencies. Steinbart et al. (2018) provide evidence that the quality of the relationship between the IAF and information security functions is positively associated with: (1) the number of reported internal control weaknesses, (2) the number of reported incidents of noncompliance, and (3) the number of information security incidents detected before and after they cause material harm to organizations.
Some research articles focus specifically on internal audit assurance and consulting services that have implications for risk management effectiveness. First, information technology (IT) is intricately intertwined with the components of the ERM framework and has implications for how well organizations manage risk. The increased use of IT is not only advantageous to organizations but also poses additional risks. Internal auditors use IT to improve the persuasiveness and quality of audit evidence in that it improves its sufficiency and appropriateness (IIA, 2017). For example, Bierstaker et al. (2006) find that firewalls, virus protection, password protection, internal control review, and internal control improvement are usually used by the IAF to defend against fraud. Related to IT security and privacy, Weidenmier and Ramamoorti (2006) explore how the IAF performs compliance assessments related to security and privacy. The research questions examined are important because privacy and security help ensure data integrity that supports the risk and compliance components of the ERM process. The study concludes that the IAF should be more involved with periodic assessment of an organization’s security and privacy provisions. Related to information security, Steinbart et al. (2013) survey information security professionals and find that the perceived quality of the relationship between information security and internal audit is positively associated with perceptions about the overall effectiveness of information security.
Second, different organizational characteristics have implications for the IAF’s evaluation of risk management effectiveness. In examining IAF risk maturity, both D’Onza et al.’s (2020) (from a risk management perspective) and Slapničar et al.’s (2022) (from a cybersecurity risk management perspective) studies imply that when organizations implement an enterprise risk management system, IAF maturity increases to align with organizations’ increasing risks which benefits the IAF’s risk management effectiveness. In investigating internal audit effectiveness, Grima et al. (2023) find a positive association between the IAF incorporating risk management into the internal audit approach and internal audit effectiveness. In examining the three lines of defense, Tawfik et al.’s (2023) findings indicate a positive relationship between the IAF, its assurance of risk management effectiveness and strengthening companies’ corporate governance. In examining risk management practices, Grebe and Marx (2023) find a relationship between banks’ risk culture and the IAF’s assessment of the effectiveness and efficiency of operational risk management.
In summary (and displayed in Table 2, Panel A), the judgment and decision-making research in auditing subthemes related to this theme’s studies are: (1) internal audit maturity, (2) internal audit quality, (3) internal controls, (4) perceptions of internal audit, (5) relationships with other functions, (6) risk management and (7) technology. For internal audit maturity, there is global evidence that internal audit maturity is associated with risk management maturity. For internal audit quality, research for unregulated industries uncovers that internal audit quality has an effect on tax internal control deficiencies. For internal controls, there are U.S. differences in leniency between internal auditors and external auditors when evaluating internal control deficiencies. These differences between the two auditor groups could stem from advocacy incentives and organizational proximity. For perceptions of internal audit, there is U.S.-based evidence that information security professionals’ perceptions of internal auditors’ expertise and scope affect their professional assessments. For relationships with other functions, studies show that the quality of the relationship between the IAF and information security functions is beneficial for internal control and compliance reporting, and harmful incident detection for U.S. companies. In a similar advantageous vein, internal auditors at global companies leverage other functions and technology to combat fraud. For risk management, evidence illustrates that risk management in both global and international settings is associated with audit effectiveness, stronger corporate governance and banks’ risk culture. Despite some positive outcomes for other subthemes, one study on technology calls for increased IAF involvement in information technology related to security and privacy.
Theme 3—Management of Key Risks, the IAF and Financial Reporting Risk
The next area of research in this stream is the internal auditors’ ability to assess financial reporting risk and financial reporting quality. For example, both Prawitt et al. (2009) and Ege (2015) develop and test a standards-based measure of IAF quality to examine the association with various proxies for financial reporting quality. While Prawitt et al. (2009) focus on traditional earnings management measures as the proxy for financial reporting risk such as accruals, Ege (2015) extends their work to examine other types of management misconduct including financial reporting fraud, bribery and misleading disclosure practices. Both studies find a negative association between internal audit quality and financial reporting risk suggesting that internal auditing can be effective in reducing aggressive accounting behavior by management. These studies also suggest that internal audit’s focus on financial reporting is illustrative of the previously mentioned offensive and strategic approach to internal audit’s role in ERM (Liebenberg & Hoyt, 2003). Later, Mat Ludin et al. (2017) find that internal audit quality moderates the relationship between CEO’s locus of control and risk management implementations, suggesting that strengthening internal audit quality can assist governmental organizations in accelerating risk management activities. In an Oman setting, Gebrayel et al. (2018) find that an IAF presence (a corporate governance mechanism that monitors organizational risks) is positively related to a company’s financial reporting quality. In a United Kingdom setting, Ismael and Roberts (2018) find a significant association between the existence of an IAF and companies’ level of internal risks. In a survey setting, Mutschmann et al. (2022) find that outsourced internal audits are effective in curtailing the financial reporting manipulation of managers who possess dark triad personality traits which positively affects financial reporting quality.
In summary (and displayed in Table 2, Panel A), the judgment and decision-making research in auditing subthemes related to this theme’s studies are: (1) internal audit quality and (2) in-house versus outsourced internal auditors. For both the internal audit quality and in-house versus outsourced internal auditors subthemes, international literature from the public sector and U.S.-based literature showcase how internal audit quality and outsourced internal auditors can sway certain personality traits of executives and dark triad personality traits of managers. This influence can positively affect risk management implementation and financial reporting quality.
Theme 4—Management of Key Risks, the IAF’s Use of Technology and Continuous Monitoring
Lastly, there is research that focuses on the IAF’s use of technology to: (1) increase the frequency of assurance and (2) identify and assess risk. Continuous monitoring allows managers to continually evaluate business processes for compliance with and departures from performance benchmarks and effectiveness standards. In contrast, continuous auditing lets internal auditors continually gather data that supports auditing activities (Coderre et al., 2005; Eulerich & Kalinichenko, 2018). This distinction between continuous monitoring and continuous auditing is an important delineation in that it reflects responsibility for identification and response to risk (the managers’ role) and the evaluation of the risk management process (the IAF’s role).
There are three studies that discuss factors related to using continuous auditing to increase the frequency of assurance. First, Gonzalez et al. (2012b) surveyed internal auditors to understand the pace of adoption and use of continuous auditing in practice. Relying on the Unified Theory of Acceptance and Use of Technology (UTAUT) framework, the study identifies several factors that underlie internal auditors’ intentions to use continuous auditing. These factors include company-specific factors like revenue and country of domicile, as well as internal auditors’ perceptions of effort expectancy and social influence. Interestingly, the study finds regional differences that suggest internal auditors that are domiciled in North America are more likely to use continuous auditing due to higher social influence to do so. Alternatively, Middle Eastern internal auditors are more likely to use continuous auditing under a specific mandate to do so. Second, Garven and Scarlata (2021) find a positive association between IAF size and the extent of use of sophisticated audit technologies in a governmental and nonprofit setting. Third, S. Islam and Stafford (2022) document that the factors that are related to the IAF’s adoption of data analytics are data-specific IT knowledge, critical thinking skills, CAE business knowledge, fraud detection responsibility and technologically advanced cultures.
Despite noting a less-than-ideal use of continuous auditing (e.g., Gonzalez et al., 2012a), contemporaneous research suggests avenues where it can be useful in an ERM setting. There are seven studies that examine using continuous auditing to identify and assess risk. First, Trudell (2014) documents a case study example of the IAF’s use of a company’s governance, risk and compliance software to practice three lines of defense risk convergence for risk assessments. Second, M. S. Islam et al. (2018) show that the IAF’s comprehensive risk assessment is positively associated with security/cybersecurity audits, but IAF competencies need to be improved to create an effective security/cybersecurity ERM program. Third, Moffitt (2018) develops an audit analytic tool that helps internal auditors uncover a malicious software code that represents an organizational risk. Fourth, Barr-Pulliam (2019) examines whether continuous auditing improves audit quality by examining the IAF’s perceptions of the likelihood that managers will manipulate earnings and the likelihood that auditors report said behavior when they identify it. The study’s findings suggest that the perceived likelihood of earnings manipulation is least likely when the IAF both employs continuous auditing and functionally separates its dual role. Fifth, Codesso et al. (2020) describe how internal auditors use continuous auditing to provide continuous control monitoring and continuous data assurance that reduces tax compliance risk for a large retail company. Sixth, Eulerich et al. (2020) illustrate how the importance of data analytics has a positive influence on the use of continuous auditing information in the IAF’s risk-based audit planning. Finally, Eulerich et al. (2023) show that internal auditors use technology-based audit techniques to find more significant audit risk factors.
In summary (and displayed in Table 2, Panel A), the judgment and decision-making research in auditing subtheme related to this theme’s studies is technology. For continuous auditing, studies with a global perspective provide evidence that the use of continuous auditing is influenced by: (1) internal auditors’ perceptions of effort and social influence and (2) data analytics. An international study describes the effect continuous auditing has on compliance risk. A U.S.-focused study finds that the IAF’s use of continuous auditing has a positive effect on earnings manipulation. While global research seems to discuss perceptions, international and U.S. literature provide more direct effects of continuous auditing on risk and earnings. For data analytics, global evidence details how certain factors are associated with the IAF’s data analytics adoption. International-based research provides an example of how an audit analytic tool can help internal auditors with a malicious code. The global perspective seeks to explore the “what” related to data analytics, while the international perspective seeks to explore the “how” related to data analytics. Other U.S.-based research outlines benefits that technology provides including governance model risk convergence, audit risk factor identification and audit technology sophistication in the government and nonprofit settings.

4.1.2. What Do We Still Need to Learn?

Based on what we have learned about core internal audit roles in entities’ enterprise risk management, we identify five gaps in the literature that can be examined in future studies. First, despite the extensive research that explores the characteristics of the IAF, it is still unclear which approach the IAF should adopt when working with management and the board/audit committee to provide optimal risk management services. Therefore, we urge future researchers to explore the interactions among the IAF, audit committee, management and external auditors to gain insight into which IAF roles and responsibilities provide value to the organization without threatening independence and objectivity within the ERM setting. Second, another area that can be explored is developing and validating internal audit proxies not yet explored by previous literature. There is scant internal audit literature that explores risk management audit proxies and information technology audit proxies. Third, there are only a few studies that focus on how organizations use audit technologies to provide assurance and protect and safeguard data (e.g., Walker et al., 2019). For example, researchers can explore how various fraud technologies (i.e., heat maps, machine learning and cybersecurity technology) and robotic process automation affect internal auditors’ ability to assess and respond to fraud and ERM risk. Fourth, advances in audit technologies impact the value and evolution of the internal auditors’ skill set. There are benefits for an organization to employ internal auditors from various professional and technical backgrounds, but no study has empirically studied these benefits and associated costs. Future research should explore how evolving skill-set requirements affect internal auditors’ ability to use advanced technologies when performing ERM activities. 
Lastly, there is an opportunity for researchers to explore how internal auditors’ involvement with ERM affects the auditor reporting component of The Center for Audit Quality audit quality indicators (CAQ, 2016). Archambeault et al. (2008) was one of the first studies to explore the need for internal audit reporting, and their study spotlights benefits associated with internal audit disclosures. Future research could explore how organizations’ disclosure of IAF involvement with ERM activities affects stakeholders’ judgments and decision-making. We propose future research directions in Panel C of Table 2.

4.2. Category 2: Legitimate Internal Audit Roles with Safeguards—Consulting Activities

The second ERM internal auditing role describes activities internal auditors can perform with legitimate safeguards. Overall, the IIA position paper (IIA, 2009) cautions that when internal auditors undertake legitimate consulting activities, safeguards should be in place. Legitimate IA roles with safeguards represent appropriate consulting internal audit activities related to enterprise-wide risk management (as shown in Figure 1). In this section of the discussion, we focus on the safeguards that could help internal auditors to maintain their independence and objectivity in this role. Examples of consulting activities include: (1) making internal audit tools and techniques available to management for analyzing risks and controls, (2) serving as a champion for introducing ERM to the organization, (3) providing ERM advice, (4) coaching the organization through the development of an ERM framework, (5) monitoring and reporting on risks, and (6) supporting management in mitigating risk. The key to maintaining independence and objectivity in a consulting role is to avoid any situations where the IAF assumes management responsibility by managing risks. Safeguards that ensure the compatibility of consulting and assurance roles include clarifying management’s responsibility for risk management, documenting the nature of the IAF’s responsibilities in the internal audit charter, obtaining audit committee approval and complying with professional standards.

4.2.1. What Have We Learned?

Table 3 lists research themes and subthemes (Panel A), summarizes research that discusses factors related to the IAF serving in a consulting role (Panel B) and includes future research directions (Panel C). In this section, we discuss several themes that emerge from this literature. Previous studies have explored consulting roles that include: (1) facilitating identification and evaluation of risks, (2) coordinating ERM activities, (3) consolidated reporting on risks, and (4) maintaining and developing the ERM framework (see Figure 1). We organize the business risks related to the identification and evaluation of risks into financial statement risk, fraud risk, internal control risk and other risks (e.g., social media and information technology risks). We organize the business risks related to consolidated reporting into financial statement risk, information technology and information systems risk, and other risks (e.g., fraud and internal control risks).
Theme 1—Facilitating Identification and Evaluation of Risks
  • Financial Statement Risk
Prior research provides evidence of internal auditors facilitating the identification of financial statement risks. Ahlawat and Lowe (2004) discuss internal auditors facilitating the evaluation of financial statement risk. The authors examine research questions related to the employer advocacy of in-house versus outsourced internal auditors. In the study, 66 internal auditors make judgments regarding inventory obsolescence and write-down. The results of the study show that heightened advocacy exists in the judgments of in-house and outsourced internal auditors, although the extent of advocacy was less severe for outsourced auditors. Abbott et al. (2012) extend this research by examining the influence of IA assistance on external audit timeliness through the extent of external audit delay. The authors note that regulatory guidance allows external auditors to use high-quality IAF assistance for areas of increased risk. The study explores the idea of internal auditors assisting external auditors in identifying financial statement risk and suggests that IA assistance may result in audit cost savings as well as greater audit efficiencies. Relatedly, Burton et al. (2012) test whether IAF sourcing arrangements (in-house or outsourced) affect managers’ perceptions of IAF quality. In the experiment, participants review a case scenario that describes the IAF auditor report. This report details the consequences and recommendations of a machinery maintenance decision. The participants are managers who make differential decisions based on the internal auditors’ presentation and report the extent of their reliance on the presentation. The authors find that managers are more likely to rely on the preference-inconsistent recommendations of in-house internal auditors when their recommendations are quantified as opposed to non-quantified.
Overall, this research provides evidence of the internal auditors’ role in risk management related to financial statements. Specifically, internal auditors improve the risk management process by providing high-quality assistance to external auditors (Abbott et al., 2012), making recommendations regarding balance sheet risk (Burton et al., 2012) and evaluating balance sheet risk (Ahlawat & Lowe, 2004). Additionally, Ahlawat and Lowe’s (2004) findings suggest that safeguards must be in place to ensure that internal auditors keep an objective mindset when making judgments that affect financial statements.
  • Fraud Risk
Four studies explore internal auditors facilitating the identification of fraud risk. The studies provide evidence of internal auditors’ role in risk management involving fraud risk and show that internal auditors can act as a central point for monitoring and reporting on fraud risk (Carpenter et al., 2011; Boyle et al., 2015; Nkansa, 2024) and its materiality (DeZoort & Harrison, 2018). Safeguards must also be present when internal auditors consult on fraud risk management. The results of Boyle et al. (2015) and DeZoort and Harrison (2018) support the notion that safeguards must be in place to mitigate negative implications associated with the auditor’s responsibility for detecting fraud and the IAF’s reporting relationships on internal auditors’ objectivity.
  • Internal Control Risk
Three studies explore internal auditors facilitating the identification of internal control risk. Malaescu and Sutton (2015) evaluate external auditors’ reliance on the IAF’s work when the IAF uses advanced audit testing methods. The study also examines how this reliance affects budgeted (external) audit hours. The results show that external auditors are willing to rely more on IA work in a continuous audit environment than in a traditional periodic auditing environment. This phenomenon intensifies when the previous year’s audit report on the effectiveness of internal controls attests that controls were operating effectively. Relatedly, Farkas and Hirsch (2016) surveyed 141 external auditors asking them to: (1) assess the quality of the IAF based on competence, work performance, and objectivity and (2) rate the extent of reliance on internal control testing performed by the IAF. Results show that external auditors are less likely to rely on the IAF when they perceive failure to detect a significant control deficiency.
Boyle et al. (2015) take a different approach. The authors investigate the effects of the type of report that internal auditors issue (descriptive versus assurance-focused) and the reporting structure of the IAF (to management or the audit committee) on internal auditors’ control risk assessments. Participants include 108 practicing auditors who provide higher control risk assessments when they issue an assurance-focused report and report to the audit committee.
  • Other Risks
There are two studies that investigate internal auditors facilitating the identification of other risks. Relating to social media risk, Demek et al. (2018) conduct a survey that includes internal auditors and reveals that social media risk management is affected by organizations’ social media use, the perceived risk of use, social media policy implementation and social media training and technical controls. The study’s findings suggest that organizations may follow social media policies without following established risk management processes and that internal auditors can combat this finding by being more involved in the process. Relating to information technology risk, A. L. Nuijten et al. (2023) provide evidence that personal IT risk preferences affect internal auditors’ perception of IT risks. The study involves an experiment with 70 internal auditors and its evidence implies that poor risk management contributes to IT failures.
In an overall summary (and displayed in Table 3, Panel A), the judgment and decision-making research in auditing subthemes related to this theme’s studies are: (1) internal audit assistance, (2) internal audit reliance, (3) internal audit reporting and reporting lines, (4) in-house versus outsourced internal auditors, (5) perceptions of internal audit and (6) risk management. For internal audit assistance, evidence from U.S. internal audit executives discusses a benefit that internal auditors can provide to risk identification. For internal audit reliance, findings from an international audit firm perspective detail how external auditors’ reliance decisions are affected by the presence of technology. For internal audit reporting and reporting lines, a study about U.S. companies reveals that internal auditors’ risk assessments are influenced by audit reporting and reporting to the audit committee. For in-house versus outsourced internal auditors, U.S.-based research shows that advocacy exists in both types of internal auditors’ judgments and that managers rely more on recommendations from in-house internal auditors. Recurring causes for these effects from a previous theme could be advocacy incentives and organizational proximity. For perceptions of internal audit, a study of U.S. external auditors states that perceptions of internal auditors’ work performance are shaped by deficiency detection. For risk management, research with a global viewpoint focuses on internal auditor accountability. International research finds that poor risk management is associated with technology failures. U.S. studies investigating this subtheme examine environmental/organizational factors that affect risk identification and risk management. The global attention on accountability, in comparison to other national contexts, is in step with global environmental, social and corporate governance initiatives.
Theme 2—Coordinating ERM Activities
Two studies describe different aspects of internal auditors’ coordination of ERM activities. A qualitative study by Roussy (2015) examines how internal auditors perceive, express, manage and resolve role conflicts they encounter in their daily work. Interviews with 42 internal auditors focus on how they coordinate the risk management process into assurance activities. Findings suggest conflicts between operational engagements and consultancy or assurance engagements. Further, internal auditors signaled potential threats to independence as they balance the differing demands of audit committee members, IA managers and auditee managers. These findings underscore how critical it is for internal auditors to ground themselves in the Professional Practices Framework (IIA, 2017), which details requirements applicable to both assurance and consulting activities. Bantleon et al. (2021) survey 415 CAEs to inquire about challenges coordinating three lines of defense (TLoD) activities and provide evidence that companies that are less likely to have TLoD implementation challenges are those where: (1) the IAF, chief executive level and the supervisory board have a good relationship and (2) IAFs have a heightened focus on assurance activities.
In summary (and displayed in Table 3, Panel A), the judgment and decision-making research in auditing subthemes related to this theme’s studies are: (1) internal audit roles and role conflicts and (2) relationships with other functions. For internal audit roles and role conflicts, international literature describes how internal auditors experience role conflicts in their daily activities. For relationships with other functions, another international perspective pinpoints benefits for the governance models at private and public companies where the IAF has a good relationship with executives and the supervisory board.
Theme 3—Consolidated Reporting on Risks
  • Financial Statement Risk
Carcello et al. (2005) examine how company investment in the IAF affects its ability to provide assurance that assists in the company’s risk identification and mitigation. The study uses publicly available financial data for 217 companies and matches this data with surveys completed by each company’s CAE. That is, CAEs report data on risks associated with the company’s financial condition and performance, such as leverage, stock, and debt issuances, inventory and operating cash flows. The results provide some of the first evidence that total IA budgets are negatively associated with company risk, positively associated with the company’s ability to pay for monitoring and positively associated with high audit quality indicators. Prawitt et al. (2011) also use survey data from CAEs, but focus on the association between and among IAF quality, company risk factors (e.g., inherent risk, leverage, complexity, foreign sales), as well as external audit quality—specifically audit fees and the likelihood the company receives a going-concern opinion. The study develops a composite standards-based measure of IAF quality using Statement on Auditing Standards (SAS) No. 65 and finds that IAF quality is associated with lower unexpected external audit fees.
Christ et al. (2015) take a qualitative approach whereby they interview 11 CAEs and two audit committee chairpersons about the benefits and risks of using the IAF as a rotational management program (or management training ground). Similar to Prawitt et al. (2011), this study uses mixed methods to develop a dataset that includes interview responses and company-level performance data related to financial reporting quality. The key finding is that the rotation of IAs can undermine the IAF’s ability to monitor financial reporting quality. Abbott et al. (2016) extend this line of research by surveying 227 CAEs who provide information on IAF qualifications and activities (including risk management activities). Using a similar IAF quality measure as Prawitt et al. (2009), the authors deconstruct quality into its primary components (competence and independence) following DeAngelo (1981). The results show that both elements of IAF quality are necessary antecedents to effective financial reporting-related risk monitoring by the IAF. Lastly, Barr-Pulliam (2019) conducts an experiment in which 188 internal auditors assess the likelihood of occurrence and their willingness to report incidences of earnings manipulation. Findings suggest internal auditors perceive a lower level of earnings manipulation when the IAF employs continuous auditing and functionally aligns its dual roles.
In summary, these studies document the internal auditors’ role in consolidated reporting on financial statement risk. Findings from these studies provide support for how this reporting relates to investment in internal auditing (Carcello et al., 2005), external audit fees (Prawitt et al., 2011), financial reporting quality (Christ et al., 2015; Abbott et al., 2016) and earnings manipulation (Barr-Pulliam, 2019). Christ et al. (2015) recommend implementing compensating controls to mitigate the negative effect of the rotation of internal auditors on the IAF’s ability to monitor financial reporting quality. Examples of compensating controls are the consistency of IAF leadership and supervision, audit committee oversight and management oversight. These compensating controls safeguard the IAF’s involvement in the ERM consulting role of consolidated reporting on risks.
  • Information Technology and Information Systems Risk
IT risks also fall within the IAF’s purview. In a qualitative study, Steinbart et al. (2012) investigate the nature of the relationship between information security and IAF activities. Both internal auditors and one chief information technology officer (with an outsourced IAF) participated in semi-structured interviews. Analysis of the data suggests that a good relationship between information security and the IAF can improve risk management. One internal auditor noted that “the relationship adds value by ensuring that the IT Audits are taking into account high risk areas…” (Steinbart et al., 2012, p. 238).
Héroux and Fortin (2013) further examine the relationship between the IAF and the IT department using survey data. The study provides descriptive evidence on IAF involvement in IT governance and explores how specific IAF characteristics affect the level of involvement. Also, the study examines the extent to which the IAF focus has evolved from traditional (e.g., focusing on accounting and financial control) to strategic (e.g., a holistic focus on governance). A total of 130 highly experienced internal auditors participated in the study by reporting on risk factors, risk assessment techniques and risk management methods of their IAFs. The results of the study first suggest that the IAF has only partially evolved to a more strategic focus. Further, the results show that the level of IT competence within the IAF (e.g., IT audit experience, IT personnel and IT training/certification) and the nature and extent of interaction between the IAF and board of directors both positively and negatively influence the level of involvement that the IAF has in various aspects of IT governance.
Related to IT systems risks, Roussy and Rodrigue’s (2018) interviews of CAEs and experienced auditors reveal that CAEs employ impression management techniques in annual accountability reports to the audit committee. The accountability reports include an annual plan, follow-up on annual plan implementation, an engagements summary and performance measurements. The study’s results raise concerns about internal auditors’ objectivity and effectiveness in a consulting role. Focusing on information systems risks, A. Nuijten et al. (2019) interview senior internal auditors about their deaf effect experiences working with managers on large information systems projects. The deaf effect is when managers are not open to receiving the risk warnings of internal auditors. The study provides evidence that when internal auditors report risks to managers, the internal auditors experience the deaf effect from managers for risk monitoring systems and risk governance systems.
In summary, these studies document the internal auditors’ role in consolidated reporting on IT and information systems risk. Findings from these studies provide support for how this reporting involves information security risk management (Steinbart et al., 2012), IT governance risk management (Héroux & Fortin, 2013), IT systems risk reporting (Roussy & Rodrigue, 2018) and information systems risk warnings (A. Nuijten et al., 2019). However, CAE impression management and managers’ proneness to the deaf effect present barriers for IA reporting effectiveness. Taken together, the findings of these studies suggest that the IAF can play a more significant role in IT and information systems governance, which could directly enhance ERM.
  • Other Risks
Coram et al. (2008) focus on fraud risk in a unique survey that assesses whether organizations with an IAF are more likely to detect and self-report fraud than those without IAFs. Chief financial officers of 324 organizations reported fraud data in response to the 2004 KPMG Fraud Survey. Responses include the amount of detected and self-reported fraud and whether the organization has an in-house or outsourced IAF. Results suggest that organizations with IAFs are indeed more likely to detect and self-report fraud than organizations without an IAF, which could decrease fraud risk in those organizations.
Focusing on internal control risk, Abbott et al. (2010) investigate whether audit committee oversight affects the nature of the IAF’s activities. Based on practice guidelines and the relative incentives of company management and the audit committee, the authors predict that when the audit committee provides greater oversight, the IAF will tend to focus more on internal controls relative to other IAF activities such as risk management, financial statement audits or fraud audits. Using a survey of 134 CAEs from Fortune 1000 companies, the authors construct a composite measure of audit committee oversight based on the three critical facets of the audit committee/IA relationship (reporting duties, termination rights, and budgetary control). Results are consistent with expectations and show a positive association between the audit committee oversight measure and the portion of the IAF budget allocated to internal control type assurance activities. Interestingly, CAEs allocated one of the lowest amounts of resources to risk management-specific assurance activities.
In a full overview summary (and displayed in Table 3, Panel A), the judgment and decision-making research in auditing subthemes related to this theme’s studies are: (1) internal audit assistance, (2) internal audit budget, (3) internal audit contribution, (4) internal audit reporting and reporting lines, (5) internal audit rotation, (6) internal audit quality, (7) risk management and (8) technology. For internal audit assistance, a study about U.S. public companies states that internal audit assistance may provide audit cost savings benefits and improvement in audit efficiency. For internal audit budget, studies for U.S. public companies detail several organizational factors that are related to the IAF budget. For internal audit contribution, evidence for public companies also emphasizes the benefit of audit cost savings related to internal audit contribution. For internal audit reporting and reporting lines, international evidence uncovers some impression management (at public and parapublic organizations) and deaf effect experience (at various types of companies) drawbacks associated with internal auditor reporting to the audit committee and managers, respectively. These negative outcomes could be attributed to environmental factors like organizational structure or tone at the top. For internal audit rotation, U.S.-based evidence describes how internal auditor rotation could have a negative effect on monitoring financial reporting quality. Relatedly, for internal audit quality, U.S.-based evidence also purports that competence and independence are essential for IAF monitoring of financial reporting. For risk management, international and U.S. studies showcase the benefits that the IAF and good relationships with other professionals have on managing risks. For technology, U.S. literature outlines the positive effect that continuous auditing has on earnings manipulation whereas international literature states that internal audit involvement in information technology governance is still evolving. So, there can be more empirical investigation of internal audit consulting activities and ERM technology effects in the global landscape.
Theme 4—Maintaining and Developing the ERM Framework
Three studies detail internal auditor involvement in maintaining and developing the ERM framework. Sarens and De Beelde (2006a) conduct a qualitative study that describes and compares how internal auditors perceive their current role in risk management within U.S. and Belgian companies. Ten CAEs at large manufacturing and service companies located in Belgium participated in semi-structured interviews that focused on topics such as the development stage of the risk management system, the potential role of the IAF in implementing and improving a formal risk management system, and risk management through internal controls. For companies with operations in the U.S. and Belgium, results indicate that the internal auditors’ consulting role in risk management focuses on the improvement of the transparency and documentation of the risk management process (which is strongly influenced by SOX disclosure requirements). In a second qualitative study, Sarens and De Beelde (2006b) further investigate the relationship between internal audit and C-Suite management to understand what internal auditors perceive as their role in ERM. Semi-structured interviews with highly experienced internal auditors suggest that internal auditors expect C-Suite management to be the first mover in documenting the risk management process. Additionally, they find that internal auditors are aware of their pioneering role in formalizing risk management and they indicate that this role ranges from creating awareness to being actively involved in the documentation process. In a longitudinal case study, Jemaa (2022) details how internal auditors introduce ERM within their organizations through risk mapping. The study uncovers that company managers were not using the risk maps for action plans or company business units were not aware of the company’s risk mapping. The internal audit department reported that risk mapping resulted in inefficiency within the organization and made recommendations to improve the company’s internal control and risk management systems.
In summary (and displayed in Table 3, Panel A), the judgment and decision-making research in auditing subtheme related to this theme’s studies is risk management. Studies about both international and U.S. companies mention the awareness and activities that encompass internal auditors’ role in risk management. One international study about a private firm brings attention to an internal audit ERM procedure that actually contributes to organizational inefficiency. This negative outcome could be due to a misalignment with firm risk strategy or organizational imbalance for risk responsibility.

4.2.2. What Do We Still Need to Learn?

The studies mentioned above inform the internal auditing literature on four of the seven consulting roles (facilitating identification and evaluation of risks, coordinating ERM activities, consolidated reporting on risks, and maintaining and developing the ERM framework) depicted in Figure 1 (IIA, 2009). However, the three consulting roles in Figure 1, which include coaching management in responding to risks, championing the establishment of ERM and developing a risk management (RM) strategy for board approval, are identified as gaps in the literature and we provide specific opportunities for future internal auditing research. Related to coaching management in responding to risk, we propose that future research extends Burton et al. (2012) by examining the effect of IAF sourcing arrangements on this role and whether managerial ERM support influences IAF actions related to this role (IIA, 2009; North Carolina State University’s ERM Initiative and Protiviti, 2017). In the IAF role described as championing the establishment of ERM, we suggest that future research extend prior studies by testing whether IAF compensating controls (Christ et al., 2015) and role conflicts (Roussy, 2015) influence internal auditors in this particular capacity. Lastly, concerning developing an ERM strategy for board approval, we recommend that future research explores how internal auditors’ C-Suite expectations [extending Sarens and De Beelde (2006b)], threats to independence [extending Roussy (2015)] and enterprise risk mapping [extending Jemaa (2022)] impact how well they can help the board to improve its risk management responsibilities. We propose future research directions in Panel C of Table 3.

4.3. Category 3: Roles Internal Audit Should Not Take—Role Duality

The third ERM role outlines activities that internal auditors should not undertake. As presented in Figure 1, internal auditors should not take on roles such as setting the risk appetite, providing management-level assurance on risks or implementing risk responses on management’s behalf. The prior two sections discuss the IAF’s role in providing assurance and consulting activities to organizations. This section includes roles that have characteristics of assurance and/or consulting but present potential concerns for independence, objectivity or otherwise for internal auditors. As in prior sections, this section begins with a synthesis of what we have learned from extant research, then discusses what we still need to learn and concludes with a list of future research questions.

4.3.1. What Have We Learned?

Table 4 outlines research themes and subthemes (Panel A), details a summary of research on roles the IAF should not take (Panel B) and presents future research directions (Panel C). This summary illustrates how the majority of prior research categorized into this section focuses on factors affecting IAF independence and objectivity and the use of the IAF as a management training ground (MTG). Figure 1 illustrates six specific categories of ERM related roles that the IAF should not take. These roles include: (1) setting the risk appetite, (2) imposing risk management processes, (3) providing management-level assurance on risks, (4) making decisions regarding risk responses, (5) implementing risk responses on management’s behalf and (6) accepting or providing accountability for risk management. While the research we synthesize does not explicitly mention these roles, the importance of independence and objectivity applies to all six categories. In contrast, the use of the IAF as a MTG particularly applies to categories 1, 2, 3 and 5.
Theme 1—Internal Audit’s General Involvement in ERM
De Zwaan et al. (2011) and Nair et al. (2024) are two of the few studies that explicitly examine IAF involvement in ERM. De Zwaan et al. (2011) conclude that higher involvement in ERM decreases auditors’ willingness to report a breakdown in risk procedures to the audit committee. Nair et al.’s (2024) findings suggest that restricting internal auditors to an advisory role does not impair their independence or objectivity. Other studies examine factors or settings such as the IAF responsibility for a company’s fraud hotline, auditor incentives, conflicts related to internal auditors’ role duality, sourcing of the IAF and use of rotational management programs. Also, while the IAF is an independent and objective organization within the company, serving as the channel by which employees report fraud presents a direct conflict with the IAF’s risk mitigation role (Kaplan & Schultz, 2007) and potentially activates prohibited roles (see Figure 1) such as taking on accountability for risk management and implementing risk responses on management’s behalf. Further, such a role could elevate the IAF from the control assessor to the control owner, which, at a minimum, impairs independence in appearance.
In summary (and displayed in Table 4, Panel A), the judgment and decision-making research in auditing subthemes related to this theme’s studies are: (1) internal audit reporting and reporting lines and (2) internal audit quality. For internal audit reporting and reporting lines, there is evidence from an international perspective that the level of internal audit involvement in ERM and a strong relationship with the audit committee impact internal auditors’ risk procedure reporting at private and public sector organizations. For internal audit quality, U.S.-based research shows that IAF quality does not have an influence on fraud reporting to certain channels. Both studies raise concerns about how certain internal audit characteristics can influence risk reporting and reporting intentions.
Theme 2—The Internal Audit Function’s Dual Role, Assurance and Consulting Related to ERM
A significant amount of prior research focuses on internal auditors’ dual role as providers of assurance and consulting services. This research notes that compliance work such as SOX Section 404 may be a threat to the long-term reputation of the IAF and the profession as a whole because some auditors assist in the documentation and later testing of controls (Nagy & Cenker, 2007). This level of involvement inappropriately shifts responsibility for risk identification, mitigation and response from management to the IAF. When the IAF’s dual roles are not clearly defined or when they present conflicts with professional obligations, threats to objectivity ensue (Ahmad & Taylor, 2009). Early IA research describes implications such as an escalation of commitment (Plumlee, 1985) whereby auditors inappropriately assess the operating effectiveness of internal controls in their assurance role when they previously consulted on the design of those same internal controls. One way to increase perceived objectivity is to outsource the IAF. However, that approach presents company management with a conundrum whereby they must make a tradeoff between independence and objectivity of the IAF and the efficiencies potentially gained by greater external audit reliance on the work of the IAF or use of internal auditors in their substantive testing. The latter could potentially reduce audit fees while simultaneously improving the quality of controls and substantive testing by the external auditor (Munro & Stewart, 2010).
In summary (and displayed in Table 4, Panel A), the judgment and decision-making research in auditing subthemes related to this theme’s studies are: (1) internal audit roles and role conflicts and (2) internal audit reliance. Regarding internal audit roles, research on U.S. public companies recounts the shift of internal audit scope to operational activities. Regarding roles and role conflicts, an international study of public companies exposes that internal audit independence is affected by organizational pressures and organizational/professional conflicts. Collectively, both studies support the notion that internal auditors should exercise caution with shifting internal audit roles and balancing organizational and professional expectations. For internal audit reliance, an international study brings to light that internal audit involvement in consulting influences external auditor reliance decisions which presents some tradeoff effects for company managers.
Theme 3—Use of the Internal Audit Function as a MTG, Implications for ERM
A second significant focus of the prior IA literature is on the use of the IAF as a rotational management program or management training ground (MTG). Companies, as early as 1990, report use of MTGs (PricewaterhouseCoopers, 2000) and follow one of three approaches:
  • Hire externally but directly into the IAF. This approach focuses on new college graduates and/or experienced hires with the implicit intent of promoting these individuals into management positions outside the IAF after a predetermined amount of time (Oxner & Kusel, 1996). These cycles range between two and five years.
  • Rotate existing non-IAF employees of the company into the IAF as a path to senior management positions after the IAF rotation (Chadwick, 1995).
  • Cycle “career” auditors within the IAF into the operations of the company for a specified amount of time to increase domain or task-specific experience (Christ et al., 2015; Burton et al., 2015).
Proponents of approaches 1 and 2 tout the benefits, which include increased breadth and depth of knowledge of the company (Reeve, 1990; Sawyer, 1996; Pickett, 2010) and better internal control knowledge (Ridley, 1997). This knowledge should improve the effectiveness of all corporate and operational functions, as well as the effectiveness of the control environment. On the one hand, contemporaneous auditing research suggests management may be more likely to rely on recommendations from internal auditors in a MTG (Carcello et al., 2018). On the other hand, opponents believe these programs potentially harm the IAF in that participants could be less inclined to report issues they identify which allows internal auditors to ingratiate themselves to management for fear that it could jeopardize promotion, especially when the management of the function under audit could become the internal auditor’s boss (Wood & Wilson, 1989; Chadwick, 1995; Gramling et al., 2010). Discussions related to the third method specifically relate to implications for hiring new auditors into the IAF (e.g., Burton et al., 2015). In each of these scenarios, a blurred line could emerge between the IAF and management similar to the concerns raised in Plumlee (1985) and similar research (e.g., Church & Schneider, 1992). When internal auditors rotate into management positions, they bring with them the knowledge and expertise related to internal controls and could make more significant contributions to ERM because they are better able to understand the operations and controls of the company. If internal auditors enter into management positions in an area where they previously provided either consulting or assurance work, the concerns raised in prohibited roles that internal auditors should not take—particularly imposing risk management processes, providing management-level assurance on risks, and implementing risk responses on management’s behalf—are activated when they move into their new management roles. The remainder of the discussion describes what we have learned about MTGs.
Messier et al. (2011) is one of the first studies to examine the MTG phenomenon directly.⁴ The authors use archival data obtained from the 2000 to 2005 GAIN survey database to examine whether the use of a MTG affects external audit fees and the external auditor’s perception of the IAF. However, they also supplement the archival data with an experiment using 43 external auditors to understand the “why” in their archival results. The archival data suggest that external auditors indeed charge higher fees when companies use the IAF as a MTG. In contrast, the experimental data suggest that the pattern of archival results is a function of external auditors’ perceptions that the MTG phenomenon impairs only objectivity.⁵
Rose et al. (2013) test the assertion of decreased objectivity identified in Messier et al. (2011). They conduct an experiment with 74 internal auditors to assess their willingness to report identified aggressive behavior. As a potential mitigating factor, the study examines whether increasing the power of the board of directors has intended or unintended effects for IAF objectivity. The results suggest that internal auditors are more likely to side with management, and thus be less objective, in a MTG relative to a no-MTG setting. Further, the results suggest that increasing the power of the audit committee of the board of directors has unintended consequences in that it further decreases the objectivity of internal auditors. Hoos et al. (2018) extend this study by examining whether the CAE reporting to senior management versus the audit committee moderates the effectiveness of a MTG. In an experiment with 79 internal auditors in the gaming industry, they find an interactive effect such that when the IAF is not a MTG, risk assessments do not significantly differ by reporting line. Consistent with Rose et al. (2013), they find that when the IAF is a MTG, internal auditors’ risk assessments and investment recommendations align more with management preferences when the CAE reports to senior management relative to the audit committee.
Christ et al. (2015), like Messier et al. (2011), use multiple methods to examine their research questions. Their study extends Messier et al. (2011) and Rose et al. (2013) in two ways to examine the effect of the use of a MTG on broadly defined accounting risk. First, they conduct semi-structured interviews with 11 CAEs and two audit committee chairpersons. In this first stage, the interviews help to develop a framework on how the use of the IAF as a MTG affects financial reporting quality. Next, they examine the applicability of the framework using archival data (from the IIARF GAIN database). They predict and find that companies that use the IAF as a MTG have lower financial reporting quality relative to companies that do not use the IAF as a MTG. Like Rose et al. (2013), they explore several potential compensating controls identified from the interviews that could improve rather than further degrade the effect of IAF quality on financial reporting quality. Compensating controls with positive effects include consistency of leadership within the IAF, the presence of audit committee oversight, and management’s oversight and direction. However, in Hoos et al.’s (2018) experimental case study with 79 internal auditor participants, it is revealed that (when the IAF is used as a MTG) internal auditors’ risk assessments coincide with management’s preferences when auditors report to senior management versus the audit committee. Subsequently, Carcello et al.’s (2020) study showcases that companies that are used as a MTG are beneficial to organizations’ ERM. Their surveys of 37 CAEs provide evidence that companies that are used as MTGs are associated with higher reductions in risk and improved overall operating performance.
In summary (and displayed in Table 4, Panel A), the judgment and decision-making research in auditing subthemes related to this theme’s studies are: (1) financial reporting quality, (2) internal audit budget, (3) internal audit quality, (4) internal audit reliance, (5) internal audit reporting and reporting lines, (6) perceptions of internal audit and (7) risk management. Overall, the studies indicate that internal auditors play a critical role in ensuring the operating effectiveness of internal controls within an organization and can add value to management. It is vital to ensure that the IAF can operate independently and provide objective assurance and consulting services to management. Doing so will ensure effective risk management. Despite mixed implications, prior research documents the widespread use of a MTG (e.g., Sarens & De Beelde, 2006a, 2006b; Christopher et al., 2009; Abbott et al., 2010). Prior research also highlights the costs and benefits of rotational management programs. It suggests mitigating controls to balance these consequences, such as rotating internal auditors into management positions where they had no prior role in the audit and implementing cool-off periods before rotation into management roles.

4.3.2. What Do We Still Need to Learn?

Even though prior research has provided useful insights regarding roles the IAF plays and the roles the IAF should not play when the firm focuses on ERM, there is still much to learn. Given the widespread use of rotational management programs and the focus on infusing more technology into the audit (e.g., Brown-Liburd et al., 2015), future research could begin by considering how the use of a MTG affects both interpersonal and intrapersonal decisions and the specific benefits the company could accrue. For example, our prior discussion suggested that rotating internal auditors into management positions, especially where they had a prior assurance or consulting role, could impair their independence and effectively shift some of management’s ERM responsibilities to the IAF (e.g., Plumlee, 1985). To our knowledge, the prior research has focused on implications for the IAF but provides little insight into how internal auditors perform when they are in management roles. We encourage future research that examines: (1) how managers who previously participated in a MTG make financial reporting and operational decisions and (2) whether pressure from managers affects internal auditors’ objectivity while in a MTG.
Regarding the first future research area, Bowlin et al. (2009) find that managers with prior experience as external auditors are more sensitive to control mechanisms that punish them for aggressive financial reporting compared to managers with no external audit experience. The results suggest that these effects are particularly salient when the manager was a diligent auditor and when the auditor did not work for the firm where he or she took the new job (e.g., a Deloitte auditor accepts a job at a company audited by KPMG). In an IA setting, internal auditors typically take on new roles within the same company. However, it remains an empirical question whether perceived threats to objectivity and/or independence persist once the internal auditor takes on the new role. In light of findings that use of a MTG could have both functional and dysfunctional effects, it would also be worthwhile to consider how experience in a MTG could affect managers’ financial reporting decisions. Whether this opportunity helps firms to not only attract and develop but also to retain high-quality managers (e.g., Burton et al., 2015) and the impact of a MTG on firm value are important factors to use as controls in the analysis.
Further, it is important to understand how the use of a MTG affects the quality of relationships between managers, the IAF and external auditors. The hallmarks of the IAF are its objectivity and business acumen. Together, these characteristics enable firms to effectively and efficiently identify and respond to current and emerging risks. It is when these critical traits are in jeopardy either due to: (1) social pressure threats from management; (2) economic interest threats when internal auditors receive incentive compensation from the company; or (3) self-review threats when internal auditors review work they consulted with management to develop (Stewart & Subramaniam, 2010) that companies may experience diminishing returns on investments in an IAF. The use of MTGs could exacerbate these threats and these diminishing returns could have negative implications for ERM. We summarize these future research directions in Table 4, Panel C.

5. Concluding Comments

This study examines internal audit research since 2004 that provides a snapshot of literature germane to internal auditing’s role in ERM (IIA, 2009). We organize the literature into three categories: (1) core internal audit roles concerning ERM, (2) legitimate internal audit roles with safeguards, and (3) roles internal auditors should not undertake within ERM. This study contributes to the literature by: (1) providing a cohesive review of research that intersects the topics of internal auditing and enterprise risk management, (2) pinpointing gaps in the literature, and (3) offering suggestions for future research topics in this coupled area. Our literature review spans all research methodologies; however, we note a dearth of research using archival methods in internal auditing due to limited sources of data apart from the IIA’s proprietary databases.
Most of the publications in our study illuminate factors affecting core internal audit roles regarding ERM and legitimate internal audit roles with safeguards. Our literature review shows that the least amount of research focuses on roles internal audit should not undertake. We identify potential avenues for future research, however, in each of the three categories.
Concerning core internal audit roles, we focus on the IAF’s primary assurance role. We propose fruitful avenues for research that examine how: (1) the IAF collaborates with management and (2) the technology skillset of internal auditors could affect their ERM-related assurance activities. Our legitimate roles with safeguards category focuses on the IAF’s consulting role. A breadth of research, especially examining consolidated reporting on risks, currently exists. However, we believe future research could examine how the IAF could add value in this role by increasing management’s competence in risk identification and response in areas such as cybersecurity.
Lastly, we present suggestions for future research examining roles the IAF should not take. Extant research illuminates potential independence and objectivity concerns when the IAF serves in its dual role (as a provider of both assurance and consulting) as well as when the IAF is a MTG. While we understand the implications for internal auditors in these settings, it is less clear what the long-term implications of a MTG, for example, have on inter- and intra-personal relationships when internal auditors transition into their management roles. Further, future research could examine both qualitative and quantitative implications for companies. Burton et al. (2015) examine how using the IAF as a MTG or as a consulting services provider affects companies’ ability to recruit new internal auditors. However, we propose future research that takes the next step to understand how experience in a MTG affects companies’ ability to attract and retain high-quality managers.
Additionally, we summarize articles that showcase judgment and decision-making research in internal auditing related to ERM. Internal auditors use risk analysis techniques, judgments and assessments to make decisions about their organizations’ ERM objectives, processes, activities and outcomes. Some examples of risk analysis techniques that internal auditors utilize to make decisions related to ERM are advanced audit testing methods, continuous auditing and sophisticated auditing technology. Examples of internal auditor judgments in the ERM setting include financial statement risk judgments and fraud risk judgments. Finally, internal auditors’ assessments guide their decisions to report organizations’ internal control deficiencies, internal control weaknesses and incidents of noncompliance in the risk management realm.
The results of our review have implications for scholars, regulators and practitioners. We provide directions for research that we hope will lead to fruitful avenues for other academics to explore and to expand the existing internal audit literature. Our synthesis shows regulators the specific ways that standard-setting has improved the professional practice of internal audit and exactly which factors contribute to this progression. Internal audit practitioners can see the various aspects of how their efforts contribute to the overall corporate governance process, specifically to enterprise risk management. The results of prior studies underscore that internal audit contributes most effectively to ERM when it focuses on assurance and evaluation activities that strengthen governance transparency, promote accountability and improve risk management quality. Finally, the results of our review have relevance for an international audience. Internal audit and ERM practices increasingly operate within globalized regulatory environments, multinational corporate structures and internationally harmonized standards (such as COSO and the IIA’s Professional Practice framework). Since many of the studies we review draw on cross-country samples or examine practices outside of the United States, our synthesis spotlights how internal audit roles manifest across diverse institutional, cultural and governance systems.
Additionally, the expanding scope of environmental, social and governance (ESG) responsibilities introduces new opportunities—and risks—for the IAF. Table 5 provides a practical guide for practitioners, summarizing internal audit and ESG activities identified in the literature as either value-enhancing or independence threats. For each area, the table outlines recommended actions that internal audit leaders and audit committees can take to strengthen ERM and ESG alignment while safeguarding objectivity and independence. One limitation of our study is that despite our comprehensive search of the literature, some studies that examine internal auditing and ERM may not be included. A second limitation is that the literature remains uneven across contexts, methodologies and theoretical perspectives. While our synthesis suggests significant advances and contributions to internal audit research, we believe that more work is necessary to reflect the evolving role of the IAF.

Author Contributions

Conceptualization, methodology, validation, formal analysis, data curation and writing (original draft preparation, review and editing): P.N., D.B.-P. and K.W. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

No new data were created or analyzed in this review. Data sharing is not applicable to this article.

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

COSO: Committee of Sponsoring Organizations of the Treadway Commission
ERM: Enterprise risk management
ESG: Environmental, social and governance
IA: Internal audit
IAF: Internal audit function
IIA: Institute of Internal Auditors
MTG: Management training ground
PCAOB: Public Company Accounting Oversight Board
SOX: Sarbanes-Oxley Act
TLoD: Three lines of defense (model)
U.S.: United States

Notes

  1. The IIA conducts surveys of its practitioners through its research foundation and practitioners such as Protiviti. The Global Audit Information Network (GAIN) survey is a comprehensive annual benchmarking study with chief audit executives (CAEs) in 17 industries and 44 countries. It helps CAEs benchmark their organizations based on several qualitative and quantitative dimensions. The Common Body of Knowledge (CBOK) is a broad study of the profession, and the world’s largest ongoing one, and includes a practitioner and a stakeholder survey. Data are proprietary.
  2. Of the 77 studies, we identified 20 mixed-method studies employing experimental and survey methods.
  3. The Three Lines Model is a governance framework endorsed by the IIA. The framework describes the roles and responsibilities for an organization’s management to effectively manage risk (IIA, 2020).
  4. This assertion applies to the set of research journals included in our review. We acknowledge that other journals, especially international journals, may contain studies that examine the MTG phenomenon.
  5. Throughout this paper, we use the terms independence and objectivity interchangeably.

References

  1. Abbott, L. J., Daugherty, B., Parker, S., & Peters, G. F. (2016). Internal audit quality and financial reporting quality: The joint importance of independence and competence. Journal of Accounting Research, 54(1), 3–40.
  2. Abbott, L. J., Parker, S., & Peters, G. F. (2010). Serving two masters: The association between audit committee internal audit oversight and internal audit activities. Accounting Horizons, 24(1), 1–24.
  3. Abbott, L. J., Parker, S., & Peters, G. F. (2012). Internal audit assistance and external audit timeliness. Auditing: A Journal of Practice & Theory, 31(4), 3–20.
  4. Ahlawat, S. S., & Lowe, D. J. (2004). An examination of internal auditor objectivity: In-house versus outsourcing. Auditing: A Journal of Practice & Theory, 23(2), 147–158.
  5. Ahmad, Z., & Taylor, D. (2009). Commitment to independence by internal auditors: The effects of role ambiguity and role conflict. Managerial Auditing Journal, 24(9), 899–925.
  6. Archambeault, D. S., DeZoort, F. T., & Holt, T. P. (2008). The need for an internal auditor report to external stakeholders to improve governance transparency. Accounting Horizons, 22(4), 375–388.
  7. Axén, L. (2018). Exploring the association between the content of internal audit disclosures and external audit fees: Evidence from Sweden. International Journal of Auditing, 22(2), 285–297.
  8. Bame-Aldred, C. W., Brandon, D. M., Messier, W. F., Rittenberg, L. E., & Stefaniak, C. M. (2013). A summary of research on external auditor reliance on the internal audit function. Auditing: A Journal of Practice & Theory, 32(Suppl. S1), 251–286.
  9. Banham, R. (2004). Enterprising views of risk management. Journal of Accountancy, 197(6), 65–71.
  10. Bantleon, U., d’Arcy, A., Eulerich, M., Hucke, A., Pedell, B., & Ratzinger-Sakel, N. V. (2021). Coordination challenges in implementing the three lines of defense model. International Journal of Auditing, 25(1), 59–74.
  11. Barr-Pulliam, D. (2019). The effect of continuous auditing and role duality on the incidence and likelihood of reporting management opportunism. Management Accounting Research, 44, 44–56.
  12. Barr-Pulliam, D., Eulerich, M., & Ratzinger-Sakel, N. (2024). The effect of the internal audit function’s perceived assurance versus advisory purpose on the external auditor’s reliance decision. Managerial Auditing Journal, 39(2), 138–165.
  13. Beasley, M. S., Clune, R., & Hermanson, D. (2006). The impact of enterprise risk management on the internal audit function. Journal of Forensic Accounting, 1–26.
  14. Bhattacharjee, S., Maletta, M. J., & Moreno, K. K. (2016). The role of account subjectivity and risk of material misstatement on auditors’ internal audit reliance judgments. Accounting Horizons, 30(2), 225–238.
  15. Bierstaker, J. L., Brody, R. G., & Pacini, C. (2006). Accountants’ perceptions regarding fraud detection and prevention methods. Managerial Auditing Journal, 21(5), 520–535.
  16. Bou-Raad, G. (2000). Internal auditors and a value-added approach: The new business regime. Managerial Auditing Journal, 15(4), 182–187.
  17. Bowlin, K. O., Hales, J., & Kachelmeier, S. J. (2009). Empirical evidence of how prior experience as an auditor influences managers’ strategic reporting decisions. Review of Accounting Studies, 14(1), 63–87.
  18. Boyle, D. M., DeZoort, F. T., & Hermanson, D. R. (2015). The effects of internal audit report type and reporting relationship on internal auditors’ risk judgments. Accounting Horizons, 29(3), 695–718.
  19. Brown, C. E., Wong, J. A., & Baldwin, A. A. (2007). A review and analysis of the existing research streams in continuous auditing. Journal of Emerging Technologies in Accounting, 4, 1–28.
  20. Brown-Liburd, H., Issa, H., & Lombardi, D. (2015). Behavioral implications of big data’s impact on audit judgment and decision making and future research directions. Accounting Horizons, 29(2), 451–468.
  21. Burton, F. G., Emett, S. A., Simon, C. A., & Wood, D. A. (2012). Corporate managers’ reliance on internal auditor recommendations. Auditing: A Journal of Practice & Theory, 31(2), 151–166.
  22. Burton, F. G., Starliper, M. W., Summers, S. L., & Wood, D. A. (2015). The effects of using the internal audit function as a management training ground or as a consulting services provider in enhancing the recruitment of internal auditors. Accounting Horizons, 29(1), 115–140.
  23. Carcello, J. V., Eulerich, M., Masli, A., & Wood, D. A. (2018). The value to management of using the internal audit function as a management training ground. Accounting Horizons, 32(2), 121–140.
  24. Carcello, J. V., Eulerich, M., Masli, A., & Wood, D. A. (2020). Are internal audits associated with reductions in perceived risk? Auditing: A Journal of Practice & Theory, 39(3), 55–73.
  25. Carcello, J. V., Hermanson, D. R., & Raghunandan, K. (2005). Factors associated with U.S. public companies’ investment in internal auditing. Accounting Horizons, 19(2), 69–84.
  26. Carpenter, T. D., Reimers, J. L., & Fretwell, P. Z. (2011). Internal auditors’ fraud judgments: The benefits of brainstorming in groups. Auditing: A Journal of Practice & Theory, 30(3), 211–224.
  27. Center for Audit Quality (CAQ). (2016). Audit quality indicators: Journey and path ahead. Available online: https://www.thecaq.org/audit-quality-indicators-journey-and-path-ahead (accessed on 2 January 2019).
  28. Chadwick, W. E. (1995). Tough questions, tougher answers. Internal Auditor, 52(6), 63–65.
  29. Christ, M. H., Masli, A., Sharp, N. Y., & Wood, D. A. (2015). Rotational internal audit programs and financial reporting quality: Do compensating controls help? Accounting, Organizations and Society, 44, 37–59.
  30. Christopher, J., Sarens, G., & Leung, P. (2009). A critical analysis of the independence of the internal audit function: Evidence from Australia. Accounting, Auditing & Accountability Journal, 22(2), 200–220.
  31. Church, B. K., & Schneider, A. (1992). Internal auditor involvement in internal control system design: Is objectivity impaired? Journal of Applied Business Research, 8(4), 15–24.
  32. Coderre, D., Verver, J. G., & Warren, J. D., Jr. (2005). Continuous auditing: Implications for assurance, monitoring, and risk assessment. In Global technology audit guide (pp. 1–34). The Institute of Internal Auditors.
  33. Codesso, M., de Freitas, M. M., Wang, X., de Carvalho, A., & da Silva Filho, A. A. (2020). Continuous audit implementation at Cia. Hering in Brazil. Journal of Emerging Technologies in Accounting, 17(2), 103–118.
  34. Cohen, J. R., Krishnamoorthy, G., & Wright, A. (2004). The corporate governance mosaic and financial reporting quality. Journal of Accounting Literature, 23, 87–152. Available online: https://ssrn.com/abstract=1086743 (accessed on 1 December 2016).
  35. Committee of Sponsoring Organizations (COSO) of the Treadway Commission. (2004). Enterprise risk management: Integrated framework. Available online: https://www.coso.org/guidance-erm (accessed on 1 December 2016).
  36. Committee of Sponsoring Organizations (COSO) of the Treadway Commission. (2011). Embracing enterprise risk management: Practical approaches for getting started. Available online: https://www.coso.org/guidance-erm (accessed on 20 April 2017).
  37. Committee of Sponsoring Organizations (COSO) of the Treadway Commission. (2013). Internal control: Integrated framework. Available online: https://home.kpmg.com/content/dam/kpmg/pdf/2016/05/2750-New-COSO-2013-Framework-WHITEPAPER-V4.pdf (accessed on 1 December 2016).
  38. Committee of Sponsoring Organizations (COSO) of the Treadway Commission. (2017). Enterprise risk management: Integrating strategy and performance. Available online: https://www.coso.org/guidance-erm (accessed on 28 March 2018).
  39. Coram, P., Ferguson, C., & Moroney, R. (2008). Internal audit, alternative internal audit structures and the level of misappropriation of assets fraud. Accounting & Finance, 48, 543–559.
  40. DeAngelo, L. (1981). Auditor size and audit quality. Journal of Accounting and Economics, 3(3), 183–199.
  41. Demek, K. C., Raschke, R. L., Janvrin, D. J., & Dilla, W. N. (2018). Do organizations use a formalized risk management process to address social media risk? International Journal of Accounting Information Systems, 28, 31–44.
  42. DeZoort, F. T., & Harrison, P. D. (2018). Understanding auditors’ sense of responsibility for detecting fraud within organizations. Journal of Business Ethics, 149, 857–874.
  43. De Zwaan, L., Stewart, J., & Subramaniam, N. (2011). Internal audit involvement in enterprise risk management. Managerial Auditing Journal, 26(7), 586–604.
  44. D’Onza, G., Sarens, G., & DeSimone, S. (2020). Factors that influence the internal audit function’s maturity. Accounting Horizons, 34(4), 57–74.
  45. Ege, M. S. (2015). Does internal audit function quality deter management misconduct? The Accounting Review, 90(2), 495–527.
  46. Eulerich, M., Georgi, C., & Schmidt, A. (2020). Continuous auditing and risk-based audit planning–An empirical analysis. Journal of Emerging Technologies in Accounting, 17(2), 141–155.
  47. Eulerich, M., & Kalinichenko, A. (2018). The current state and future directions of continuous auditing research: An analysis of the existing literature. Journal of Information Systems, 32(3), 31–51.
  48. Eulerich, M., Masli, A., Pickerd, J., & Wood, D. A. (2023). The impact of audit technology on audit task outcomes: Evidence for technology-based audit techniques. Contemporary Accounting Research, 40(2), 981–1012.
  49. Farkas, M. J., & Hirsch, R. M. (2016). The effect of frequency and automation of internal control testing on external auditor reliance on the internal audit function. Journal of Information Systems, 30(1), 21–40.
  50. Garven, S. A., & Scarlata, A. N. (2021). An examination of internal audit function size: Evidence from U.S. government and nonprofit sectors. Current Issues in Auditing, 15(1), A38–A56.
  51. Gebrayel, E., Jarrar, H., Salloum, C., & Lefebvre, Q. (2018). Effective association between audit committees and the internal audit function and its impact on financial reporting quality: Empirical evidence from Omani listed firms. International Journal of Auditing, 22(2), 197–213.
  52. Glover, S. M., Prawitt, D. F., & Wood, D. A. (2008). Internal audit sourcing arrangement and the external auditor’s reliance decision. Contemporary Accounting Research, 25(1), 193–213.
  53. Gonzalez, G. C., Sharma, P. N., & Galletta, D. (2012a). Factors influencing the planned adoption of continuous monitoring technology. Journal of Information Systems, 26(2), 53–69.
  54. Gonzalez, G. C., Sharma, P. N., & Galletta, D. F. (2012b). The antecedents of the use of continuous auditing in the internal auditing context. International Journal of Accounting Information Systems, 13(3), 248–262.
  55. Graham, L., & Bedard, J. C. (2015). Internal control deficiencies in tax reporting: A detailed view. Accounting Horizons, 29(4), 917–942.
  56. Gramling, A. A., Jenkins, J. G., & Taylor, M. H. (2010). Policy and research implications of evolving independence rules for public company auditors. Accounting Horizons, 24(4), 547–566.
  57. Gramling, A. A., Maletta, M. J., Schneider, A., & Church, B. K. (2004). The role of the internal audit function in corporate governance: A synthesis of the extant internal auditing literature and directions for future research. Journal of Accounting Literature, 23, 94–244.
  58. Gramling, A. A., & Myers, P. M. (2006). Internal auditing’s role in ERM: As organizations lay their enterprise risk groundwork, many auditors are taking on management’s oversight responsibilities, new research finds. Internal Auditor, 63(2), 52–58.
  59. Grebe, G. P. M., & Marx, J. (2023). The perceived relationship between risk culture and operational risk management practices of Ghanaian banks. Journal of Risk and Financial Management, 16(9), 407.
  60. Grima, S., Baldacchino, P. J., Grima, S., Kizilkaya, M., Tabone, N., & Ellul, L. (2023). Designing a characteristics effectiveness model for internal audit. Journal of Risk and Financial Management, 16(2), 56.
  61. Héroux, S., & Fortin, A. (2013). The internal audit function in information technology governance: A holistic perspective. Journal of Information Systems, 27(1), 189–217.
  62. Hoos, F., Messier, W. F., Jr., Smith, J. L., & Tandy, P. R. (2018). An experimental investigation of the interaction effect of management training ground and reporting lines on internal auditors’ objectivity. International Journal of Auditing, 22(2), 150–163.
  63. Institute of Internal Auditors (IIA). (2000). Internal auditing: Adding value across the board. IIA.
  64. Institute of Internal Auditors (IIA). (2009). IIA position paper: The role of internal auditing in enterprise-wide risk management. IIA.
  65. Institute of Internal Auditors (IIA). (2017). International standards for the professional practice of internal auditing. IIA.
  66. Institute of Internal Auditors (IIA). (2020). The IIA’s three lines model. IIA.
  67. Islam, M. S., Farah, N., & Stafford, T. F. (2018). Factors associated with security/cybersecurity audit by internal audit function. Managerial Auditing Journal, 33(4), 377–409.
  68. Islam, S., & Stafford, T. (2022). Factors associated with the adoption of data analytics by internal audit function. Managerial Auditing Journal, 37(2), 193–223.
  69. Ismael, H. R., & Roberts, C. (2018). Factors affecting the voluntary use of internal audit: Evidence from the UK. Managerial Auditing Journal, 33(3), 288–317.
  70. Jemaa, F. (2022). Recoupling work beyond COSO: A longitudinal case study of enterprise-wide risk management. Accounting, Organizations and Society, 103, 101369.
  71. Kaplan, S. E., & Schultz, J. J. (2007). Intentions to report questionable acts: An examination of the influence of anonymous reporting channel, internal audit quality, and setting. Journal of Business Ethics, 71(2), 109–124.
  72. Kleffner, A. E., Lee, R. B., & McGannon, B. (2003). The effect of corporate governance on the use of enterprise risk management: Evidence from Canada. Risk Management and Insurance Review, 6(1), 53–73.
  73. Kotb, A., Elbardan, H., & Halabi, H. (2020). Mapping of internal audit research: A post-Enron structured literature review. Accounting, Auditing & Accountability Journal, 33(8), 1969–1996.
  74. Krogstad, J. L., Anthony, J. R., & Rittenberg, L. E. (1999). Where we’re going. Internal Auditor, 56(6), 28–33.
  75. Liebenberg, A. P., & Hoyt, R. E. (2003). The determinants of enterprise risk management: Evidence from the appointment of chief risk officers. Risk Management and Insurance Review, 6(1), 37–52.
  76. Malaescu, I., & Sutton, S. G. (2015). The reliance of external auditors on internal audit’s use of continuous audit. Journal of Information Systems, 29(1), 95–114.
  77. Mat Ludin, K. R., Mohamed, Z. M., & Mohd-Saleh, N. (2017). The association between CEO characteristics, internal audit quality, and risk-management implementation in the public sector. Risk Management, 19(4), 281–300.
  78. Messier, W. F., Reynolds, J. K., Simon, C. A., & Wood, D. A. (2011). The effect of using the internal audit function as a management training ground on the external auditor’s reliance decision. The Accounting Review, 86, 2131–2154.
  79. Moffitt, K. C. (2018). A framework for legacy source code audit analytics. Journal of Emerging Technologies in Accounting, 15(2), 67–75.
  80. Munro, L., & Stewart, J. (2010). External auditors’ reliance on internal audit: The impact of sourcing arrangements and consulting activities. Accounting & Finance, 50(2), 371–387.
  81. Mutschmann, M., Hasso, T., & Pelster, M. (2022). Dark triad managerial personality and financial reporting manipulation. Journal of Business Ethics, 181, 763–788.
  82. Nagy, A. L., & Cenker, W. J. (2002). An assessment of the newly defined internal audit function. Managerial Auditing Journal, 17(3), 130–137.
  83. Nagy, A. L., & Cenker, W. J. (2007). Internal audit professionalism and Section 404 compliance: The view of chief audit executives from Northeast Ohio. International Journal of Auditing, 11(1), 41–49.
  84. Nair, A. S., Nair, P., & Agrawal, A. (2024). Examining the synergy between enterprise risk management and internal auditing. New Challenges in Accounting and Finance, 12, 1–13.
  85. Nkansa, P. (2024). Does external auditor coordination influence internal auditor effort? Advances in Accounting, 65, 100684.
  86. North Carolina State University’s ERM Initiative and Protiviti. (2017). Executive perspectives on top risks 2018. North Carolina State University and Protiviti.
  87. Nuijten, A., Keil, M., Sarens, G., & Van Twist, M. (2019). Partners or opponents: Auditor-manager relationship dynamics following the deaf effect in information system projects. Managerial Auditing Journal, 34(9), 1073–1100.
  88. Nuijten, A. L., Keil, M., & Zwiers, B. (2023). Internal auditors’ perceptions of information technology-related risks: A comparison between general auditors and information technology auditors. Journal of Information Systems, 37(1), 67–83.
  89. Oxner, T. H., & Kusel, J. (1996). Trends in the job market. Internal Auditor, 53(3), 20–28.
  90. Petherbridge, J., & Messier, W. F., Jr. (2016). The impact of PCAOB regulatory actions and engagement risk on auditors’ internal audit reliance decisions. Journal of Accounting and Public Policy, 35(1), 3–18.
  91. Pickett, K. S. (2010). The internal auditing handbook. John Wiley & Sons, Inc.
  92. Plumlee, R. D. (1985). The standard of objectivity for internal auditors: Memory and bias effects. Journal of Accounting Research, 23(2), 683–699.
  93. Prawitt, D. F., Sharp, N. Y., & Wood, D. A. (2011). Reconciling archival and experimental research: Does internal audit contribution affect the external audit fee. Behavioral Research in Accounting, 23(2), 187–206.
  94. Prawitt, D. F., Sharp, N. Y., & Wood, D. A. (2012). Internal audit outsourcing and the risk of misleading or fraudulent financial reporting: Did Sarbanes-Oxley get it wrong? Contemporary Accounting Research, 29(4), 1109–1136.
  95. Prawitt, D. F., Smith, J. L., & Wood, D. A. (2009). Internal audit quality and earnings management. The Accounting Review, 84(4), 1255–1280.
  96. PricewaterhouseCoopers (PwC). (2000). PricewaterhouseCoopers 2000 state of the internal audit profession study: Continuous auditing gains momentum. PricewaterhouseCoopers.
  97. Reeve, J. T. (1990). Internal audit in the year 2000. Internal Auditor, 47(1), 15–22.
  98. Ridley, A. J. (1997, June). The underutilized internal auditor. IIA Issues and Answers. Director’s Monthly.
  99. Rose, A. M., Rose, J. M., & Norman, C. S. (2013). Is the objectivity of internal audit compromised when the internal audit function is a management training ground? Accounting & Finance, 53(4), 1001–1019.
  100. Roussy, M. (2015). Welcome to the day-to-day of internal auditors: How do they cope with conflicts? Auditing: A Journal of Practice & Theory, 34(2), 237–264.
  101. Roussy, M., & Perron, A. (2018). New perspectives in internal audit research: A structured literature review. Accounting Perspectives, 17(3), 345–385.
  102. Roussy, M., & Rodrigue, M. (2018). Internal audit: Is the ‘third line of defense’ effective as a form of governance? An exploratory study of the impression management techniques chief audit executives use in their annual accountability to the audit committee. Journal of Business Ethics, 151, 853–869.
  103. Roychowdhury, S., & Srinivasan, S. (2019). The role of gatekeepers in capital markets. Journal of Accounting Research, 57(2), 295–322.
  104. Sarens, G., & De Beelde, I. (2006a). Internal auditors’ perception about their role in risk management: A comparison between US and Belgian companies. Managerial Auditing Journal, 21(1), 63–80.
  105. Sarens, G., & De Beelde, I. (2006b). The relationship between internal audit and senior management: A qualitative analysis of expectations and perceptions. International Journal of Auditing, 10(3), 219–241.
  106. Sawyer, L. B. (1996). The practice of modern internal auditing (4th ed.). The Institute of Internal Auditors.
  107. Slapničar, S., Vuko, T., Čular, M., & Drašček, M. (2022). Effectiveness of cybersecurity audit. International Journal of Accounting Information Systems, 44, 100548.
  108. Stefaniak, C. M., Houston, R. W., & Cornell, R. M. (2012). The effects of employer and client identification on internal and external auditors’ evaluations of internal control deficiencies. Auditing: A Journal of Practice & Theory, 31(1), 39–56.
  109. Steinbart, P. J., Raschke, R. L., Gal, G., & Dilla, W. N. (2012). The relationship between internal audit and information security: An exploratory investigation. International Journal of Accounting Information Systems, 13(3), 228–243.
  110. Steinbart, P. J., Raschke, R. L., Gal, G., & Dilla, W. N. (2013). Information security professionals’ perceptions about the relationship between the information security and internal audit functions. Journal of Information Systems, 27(2), 65–86.
  111. Steinbart, P. J., Raschke, R. L., Gal, G., & Dilla, W. N. (2018). The influence of a good relationship between the internal audit and information security functions on information security outcomes. Accounting, Organizations and Society, 71, 15–29.
  112. Stewart, J., & Subramaniam, N. (2010). Internal audit independence and objectivity: Emerging research opportunities. Managerial Auditing Journal, 25(4), 328–360.
  113. Szabo, S., & Webster, J. (2021). Perceived greenwashing: The effects of green marketing on environmental and product perceptions. Journal of Business Ethics, 171(4), 719–739.
  114. Tapestry Networks. (2004, July 6). The internal auditor’s perspective. InSights.
  115. Tawfik, O. I., Durrah, O., & Aljawhar, K. A. (2023). The role of the internal auditor in strengthening the governance of economic organizations using the three lines of defense model. Journal of Risk and Financial Management, 16(7), 341.
  116. Trudell, C. (2014). Internal audit’s role in the risk assessment process at KeyCorp. Journal of Risk Management in Financial Institutions, 7(4), 370–374.
  117. Walker, K., Brown-Liburd, H., & Lewis, A. (2019). The emergence of data analytics in auditing: Perspectives from internal and external auditors through the lens of institutional theory. Working paper. Virginia Tech and Rutgers University.
  118. Weidenmier, M. L., & Ramamoorti, S. (2006). Research opportunities in information technology and internal auditing. Journal of Information Systems, 20(1), 205–219.
  119. Wood, D. J., & Wilson, J. A. (1989). Roles and relationships in internal auditing. The Institute of Internal Auditors Research Foundation.
Figure 1. Internal Auditing’s Role in ERM (IIA, 2009). The figure illustrates the different ERM activities that internal auditors should and should not undertake.
Table 1. Paper Summaries.
Panel A: Journal Citation Count by Category
| Journal | Abbreviation | Core IA Roles | Legitimate IA Roles | Prohibited Roles | Total |
|---|---|---|---|---|---|
| Accounting Horizons | AH | 3 | 4 | 3 | 10 |
| Accounting & Finance | A&F | - | 1 | 2 | 3 |
| Accounting, Auditing & Accountability Journal | AAAJ | - | - | 1 | 1 |
| Accounting, Organizations, and Society | AOS | 1 | 2 | 1 | 4 |
| Advances in Accounting | AIA | - | 1 | - | 1 |
| Auditing: A Journal of Practice & Theory | AJPT | 1 | 5 | 1 | 7 |
| Behavioral Research in Auditing | BRIA | - | 1 | - | 1 |
| Contemporary Accounting Research | CAR | 3 | - | - | 3 |
| Current Issues in Auditing | CIIA | 1 | - | - | 1 |
| International Journal of Accounting Information Systems | IJAIS | 2 | 2 | - | 4 |
| International Journal of Auditing | IJA | 2 | 2 | 1 | 5 |
| Journal of Accounting and Public Policy | JAPP | 1 | - | - | 1 |
| Journal of Accounting Research | JAR | - | 1 | - | 1 |
| Journal of Business Ethics | JBE | 1 | 2 | 1 | 4 |
| Journal of Emerging Technologies in Accounting | JETA | 3 | - | - | 3 |
| Journal of Information Systems | JIS | 2 | 4 | - | 6 |
| Journal of Risk and Financial Management | JRFM | 3 | - | - | 3 |
| Journal of Risk Management in Financial Institutions | JRMFI | 2 | - | - | 2 |
| Management Accounting Research | MAR | 1 | 1 | - | 2 |
| Managerial Auditing Journal | MAJ | 5 | 2 | 3 | 10 |
| New Challenges in Accounting and Finance | NCAF | - | - | 1 | 1 |
| Risk Management | RM | 1 | - | - | 1 |
| The Accounting Review | TAR | 2 | - | 1 | 3 |
| TOTAL | | 34 | 28 | 15 | 77 |
Panel A reports paper counts by journal and ERM category based on the IIA’s 2009 framework (IIA, 2009).
Panel B: Paper Count by Methodology and Category
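| Methodology | Core IA Roles | Legitimate IA Roles | Prohibited Roles | Total |
|---|---|---|---|---|
| Archival | 6 | - | - | 6 |
| Case study | 3 | 2 | - | 5 |
| Experimental | 7 | 9 | 5 | 20 |
| Exploratory | 1 | - | - | 1 |
| Mixed | 4 | 8 | 4 | 16 |
| Qualitative | 1 | 5 | 1 | 7 |
| Survey | 12 | 4 | 5 | 18 |
| TOTAL | 34 | 28 | 15 | 77 |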
Panel B reports paper counts by methodology and ERM category based on the IIA’s 2009 framework (IIA, 2009). Mixed and experimental methodologies also include surveys and qualitative approaches, where applicable.
Table 2. Core Internal Audit Roles—Assurance Activities.
Panel A—Research Themes and Subthemes
Themes
  • Theme 1—Risk Management Processes, the IAF and External Auditors’ Reliance Decisions
  • Theme 2—Risk Management Processes, the IAF and Risk Management Effectiveness
  • Theme 3—Management of Key Risks, the IAF and Financial Reporting Risk
  • Theme 4—Management of Key Risks, the IAF’s Use of Technology and Continuous Monitoring
Subthemes related to Judgment and Decision-Making Research in Auditing
  • In-house versus outsourced internal auditors
  • Internal controls
  • Internal audit function maturity
  • Perceptions of internal audit
  • Internal audit quality
  • Relationships with other functions
  • Internal audit reliance
  • Risk management
  • Internal audit reporting and reporting lines
  • Technology
Panel B—Research Summary
ERM Activity—Risk Management Processes
| Title | Author(s) | Publication | Year | Methodology | Main Findings |
| --- | --- | --- | --- | --- | --- |
| Accountants’ Perceptions Regarding Fraud Detection and Prevention Methods | Bierstaker, Brody, and Pacini | Managerial Auditing Journal | 2006 | Survey | Firewalls, virus protection, password protection and internal control review were usually used to combat fraud. Forensic accountants and digital analysis were used less than any other anti-fraud method but had the highest effectiveness ratings. |
| Research Opportunities in Information Technology and Internal Auditing | Weidenmier and Ramamoorti | Journal of Information Systems | 2006 | Exploratory | The IAF should be more involved in organizations’ security and privacy activities. |
| Internal Audit Sourcing Arrangement and the External Auditor’s Reliance Decision | Glover, Prawitt, and Wood | Contemporary Accounting Research | 2008 | Experimental | External auditors are more likely to rely on the work of outsourced rather than in-house internal auditors when inherent risk is high. Further, external auditors rely more on internal auditors’ work for objective tasks than for subjective tasks when inherent risk is high. |
| Internal Audit Outsourcing and the Risk of Misleading or Fraudulent Financial Reporting: Did Sarbanes-Oxley Get It Wrong? | Prawitt, Sharp, and Wood | Contemporary Accounting Research | 2012 | Mixed | Companies that outsourced a portion of their IAF to external auditors were associated with lower accounting risk compared to companies that did not outsource their IAF. |
| The Effects of Employer and Client Identification on Internal and External Auditors’ Evaluations of Internal Control Deficiencies | Stefaniak, Houston, and Cornell | Auditing: A Journal of Practice & Theory | 2012 | Experimental | Internal auditors are less lenient than external auditors when evaluating internal control deficiencies. For example, internal auditors support management’s preferred position to a lesser extent. |
| Information Security Professionals’ Perceptions about the Relationship between the Information Security and Internal Audit Functions | Steinbart, Raschke, Gal, and Dilla | Journal of Information Systems | 2013 | Qualitative | Information security professionals’ (ISP) perceptions about internal auditors’ technical expertise and the scope of internal auditors’ review of information security are positively associated with ISP assessment. |
| Internal Control Deficiencies in Tax Reporting: A Detailed View | Graham and Bedard | Accounting Horizons | 2015 | Archival | Internal control deficiencies in tax reporting are less likely to be remedied between discovery and fiscal year-end. They are more likely to be severe and to have caused a financial misstatement. |
| The Role of Account Subjectivity and Risk of Material Misstatement on Auditors’ Internal Audit Reliance Judgments | Bhattacharjee, Maletta, and Moreno | Accounting Horizons | 2016 | Experimental | There is a positive (negative) relationship between internal audit reliance and account subjectivity when misstatement risk is moderate (high). |
| The Impact of PCAOB Regulatory Actions and Engagement Risk on Auditors’ Internal Audit Reliance Decisions | Petherbridge and Messier | Journal of Accounting and Public Policy | 2016 | Experimental | When PCAOB inspections focus on both effectiveness and efficiency, external auditors’ reliance on the IAF is not influenced by engagement risk. However, when PCAOB inspections focus solely on effectiveness, external auditors are likely to rely more on the IAF when engagement risk is low than when it is high. |
| Exploring the Association between the Content of Internal Audit Disclosures and External Audit Fees: Evidence from Sweden | Axén | International Journal of Auditing | 2018 | Archival | Companies that use an IAF and disclose firm-specific information related to internal audit pay lower external audit fees than companies that do not provide firm-specific internal audit disclosures. |
| The Influence of a Good Relationship between the Internal Audit and Information Security Functions on Information Security Outcomes | Steinbart, Raschke, Gal and Dilla | Accounting, Organizations and Society | 2018 | Survey | The quality of the relationship between the IAF and information security functions is positively related to reporting internal control weaknesses, reporting incidents of noncompliance, and detecting information security incidents. |
| Factors that Influence the Internal Audit Function’s Maturity | D’Onza, Sarens and DeSimone | Accounting Horizons | 2020 | Survey | Organizations’ risk management maturity is positively associated with IAF maturity. |
| Effectiveness of Cybersecurity Audit | Slapničar, Vuko, Čular and Drašček | International Journal of Accounting Information Systems | 2022 | Survey | Cybersecurity risk management (including IAF audit engagements) is positively associated with cybersecurity audit effectiveness. |
| Designing a Characteristics Effectiveness Model for Internal Audit | S. Grima, Baldacchino, S. Grima, Kizilkaya, Tabone and Ellul | Journal of Risk and Financial Management | 2023 | Mixed | There is a positive relationship between the IAF incorporating risk management into the internal audit approach and internal audit effectiveness. |
| The Role of the Internal Auditor in Strengthening the Governance of Economic Organizations Using the Three Lines of Defense Model | Tawfik, Durrah and Aljawhar | Journal of Risk and Financial Management | 2023 | Survey | There is a positive association between the IAF, its assurance of risk management effectiveness and strengthening companies’ corporate governance. |
| The Perceived Relationship between Risk Culture and Operational Risk Management Practices of Ghanaian Banks | Grebe and Marx | Journal of Risk and Financial Management | 2023 | Survey | There is a significant relationship between banks’ risk culture and the IAF’s assessment of the effectiveness and efficiency of operational risk management. |
| The Effect of the Internal Audit Function’s Perceived Assurance vs. Advisory Purpose on the External Auditor’s Reliance Decision | Barr-Pulliam, Eulerich, and Ratzinger-Sakel | Managerial Auditing Journal | 2024 | Experiment | When the IAF is viewed as assurance-oriented, external auditors are more likely to rely on its work. When the IAF is perceived as advisory-oriented, external auditors reduce reliance due to concerns about independence and objectivity. |
ERM Activity—Management of Key Risks
| Title | Author(s) | Publication | Year | Methodology | Main Findings |
| --- | --- | --- | --- | --- | --- |
| Internal Audit Quality and Earnings Management | Prawitt, Smith, and Wood | The Accounting Review | 2009 | Archival | There is a moderate relationship between IAF quality and earnings management. The authors measure IAF quality by experience, certification, objectivity, time on financial audits, training and size. |
| The Antecedents of the Use of Continuous Auditing in the Internal Auditing Context | Gonzalez, Sharma and Galletta | International Journal of Accounting Information Systems | 2012 | Experimental | A survey of 210 global internal auditors suggests that internal auditors’ perceptions of effort expectancy and social influence drive intent to use continuous auditing. |
| Internal Audit’s Role in the Risk Assessment Process at KeyCorp | Trudell | Journal of Risk Management in Financial Institutions | 2014 | Case study | The study provides an example of the IAF’s use of a company’s governance, risk and compliance software to implement three lines of defense risk convergence for risk assessments. |
| Does Internal Audit Function Quality Deter Management Misconduct? | Ege | The Accounting Review | 2015 | Archival | The relationship between IAF quality and the likelihood of management misconduct is negative. |
| The Association between CEO Characteristics, Internal Audit Quality and Risk-Management Implementation in the Public Sector | Ludin, Mohamed and Mohd-Saleh | Risk Management | 2017 | Survey | Internal audit quality moderates the relationship between CEOs’ locus of control and the implementation of risk management in public sector organizations. |
| Effective Association between Audit Committees and the Internal Audit Function and its Impact on Financial Reporting Quality: Empirical Evidence from Omani Listed Firms | Gebrayel, Jarrar, Salloum and Lefebvre | International Journal of Auditing | 2018 | Archival | An IAF presence is positively associated with companies’ financial reporting quality. |
| Factors Associated with Security/Cybersecurity Audit by Internal Audit Function: An International Study | Islam, Farah and Stafford | Managerial Auditing Journal | 2018 | Survey | The IAF’s comprehensive risk assessment is positively related to security/cybersecurity audits. |
| Factors Affecting the Voluntary Use of Internal Audit: Evidence from the UK | Ismael and Roberts | Managerial Auditing Journal | 2018 | Archival | There is a significant relationship between IAF existence and companies’ level of internal risks. |
| A Framework for Legacy Source Code Audit Analytics | Moffitt | Journal of Emerging Technologies in Accounting | 2018 | Case study | Provides an audit analytic tool that helps internal auditors uncover malicious software code that affects organizational risk. |
| The Effect of Continuous Auditing and Role Duality on the Incidence and Likelihood of Reporting Management Opportunism | Barr-Pulliam | Management Accounting Research | 2019 | Experimental | Managers are less likely to manipulate earnings when the IAF uses continuous auditing. |
| Continuous Audit Implementation at Cia. Hering in Brazil | Codesso, Freitas, Wang, de Carvalho and de Silva Filho | Journal of Emerging Technologies in Accounting | 2020 | Case study | Internal auditors use continuous auditing to provide continuous control monitoring and continuous data assurance that decreases tax compliance risk. |
| Continuous Auditing and Risk-Based Audit Planning—An Empirical Analysis | Eulerich, Georgi and Schmidt | Journal of Emerging Technologies in Accounting | 2020 | Survey | Data analytics has a favorable influence on the use of continuous auditing information in the IAF’s risk-based audit planning. |
| An Examination of Internal Audit Function Size: Evidence from U.S. Government and Nonprofit Sectors | Garven and Scarlata | Current Issues in Auditing | 2021 | Survey | There is a positive relationship between IAF size and the extent of use of sophisticated audit technologies in a governmental and nonprofit setting. |
| Factors Associated with the Adoption of Data Analytics by Internal Audit Function | Islam and Stafford | Managerial Auditing Journal | 2022 | Mixed | Factors that are associated with the IAF’s adoption of data analytics are: data-specific information technology knowledge, critical thinking skills, CAE business knowledge, fraud detection responsibility and technologically advanced cultures. |
| Dark Triad Managerial Personality and Financial Reporting Manipulation | Mutschmann, Hasso and Pelster | Journal of Business Ethics | 2022 | Survey | Outsourced internal audits reduce the financial reporting manipulation of managers who possess dark triad personality traits, which positively affects financial reporting quality. |
| The Impact of Audit Technology on Audit Task Outcomes: Evidence for Technology-Based Audit Techniques | Eulerich, Masli, Pickerd and Wood | Contemporary Accounting Research | 2023 | Mixed | Internal auditors utilize technology-based audit techniques to identify more significant audit risk factors. |
Panel C—Future Research Directions
The IAF Collaboration with Management
  • What specific activities can the IAF perform to help management and the board meet their ERM objectives while maintaining an acceptable level of objectivity and independence?
  • How does the IAF’s involvement in ERM-related activities affect overall audit quality?
Information Technology
  • How and to what extent should the IAF use innovative technologies?
  • What other experience and skillsets should auditors possess to engage in ERM-related activities effectively?
Reporting
  • How will investors and stakeholders react if companies disclose the IAF involvement with ERM activities on the audit report?
Panel A summarizes key research themes and subthemes identified in the internal audit ERM literature. Panel B summarizes papers that examine internal audit’s core assurance activities. Panel C outlines future research directions informed by gaps identified in the literature.
Table 3. Legitimate Internal Audit Roles with Safeguards—Consulting Activities.
Panel A—Research Themes and Subthemes
Themes
  • Theme 1—Facilitating Identification and Evaluation of Risks
    Financial Statement Risk, Fraud Risk, Internal Control Risk, Other Risks (Social Media Risk and Information Technology Risk)
  • Theme 2—Coordinating ERM Activities
  • Theme 3—Consolidated Reporting on Risks
    Financial Statement Risk, Information Technology and Information Systems Risk, Other Risks (Fraud Risk and Internal Control Risk)
  • Theme 4—Maintaining and Developing the ERM Framework
Subthemes related to Judgment and Decision-Making Research in Auditing
  • In-house versus outsourced internal auditors
  • Internal audit reporting and reporting lines
  • Internal audit assistance
  • Internal audit roles and role conflicts
  • Internal audit budget
  • Internal auditor rotation
  • Internal audit contribution
  • Perceptions of internal audit
  • Internal audit function existence
  • Relationships with other functions
  • Internal audit quality
  • Risk management
  • Internal audit reliance
  • Technology
Panel B—Research Summary
ERM Activity—Facilitating Identification and Evaluation of Risks
| Title | Author(s) | Publication | Year | Methodology | Main Findings |
| --- | --- | --- | --- | --- | --- |
| An Examination of Internal Auditor Objectivity: In-house versus Outsourcing | Ahlawat and Lowe | Auditing: A Journal of Practice & Theory | 2004 | Experimental | Significant advocacy exists in in-house and outsourced internal auditors’ judgements. |
| Internal Auditors’ Fraud Judgments: The Benefits of Brainstorming in Groups | Carpenter, Reimers, and Fretwell | Auditing: A Journal of Practice & Theory | 2011 | Experimental | Internal auditors who brainstorm in groups identify more quality fraud risks. |
| Serving Two Masters: The Association Between Audit Committee Internal Audit Oversight and Internal Audit Activities | Abbott, Parker, and Peters | Accounting Horizons | 2010 | Mixed | This study suggests the idea of internal auditors assisting external auditors in identifying financial statement risk. |
| Corporate Managers’ Reliance on Internal Auditor Recommendations | Burton, Emmett, Simon, and Wood | Auditing: A Journal of Practice & Theory | 2012 | Experimental | Managers are more likely to rely on the preference-inconsistent recommendations of in-house internal auditors. |
| The Effects of Internal Audit Report Type and Reporting Relationship on Internal Auditors’ Risk Judgments | Boyle, DeZoort, and Harrison | Accounting Horizons | 2015 | Experimental | Internal auditors report higher fraud risk assessments in an internal audit report and to the audit committee. |
| The Reliance of External Auditors on Internal Audit’s Use of Continuous Audit | Malaescu and Sutton | Journal of Information Systems | 2015 | Experimental | External auditors are willing to rely more on internal audit work in a continuous audit environment. |
| The Effect of Frequency and Automation of Internal Control Testing on External Auditor Reliance on the IAF | Farkas and Hirsch | Journal of Information Systems | 2016 | Experimental | External auditors perceive the IAF’s failure to detect a significant deficiency as poor work performance. |
| Do Organizations Use a Formalized Risk Management Process to Address Social Media Risk? | Demek, Raschke, Janvrin and Dilla | International Journal of Accounting Information Systems | 2018 | Survey | Social media risk management is influenced by organizations’ social media use, the perceived risk of use, social media policy implementation, and social media training and technical controls. |
| Understanding Auditors’ Sense of Responsibility for Detecting Fraud Within Organizations | DeZoort and Harrison | Journal of Business Ethics | 2018 | Experimental | Accountable internal auditors report higher responsibility for fraud detection. |
| Internal Auditors’ Perceptions of Information Technology-Related Risks: A Comparison Between General Auditors and Information Technology Auditors | Nuijten, Keil and Zweirs | Journal of Information Systems | 2023 | Experimental | Poor risk management results in IT failures. |
| Does External Auditor Coordination Influence Internal Auditor Effort? | Nkansa | Advances in Accounting | 2024 | Survey | The levels of external auditor coordination and fraud risk affect internal auditor effort. |
ERM Activity—Coordinating ERM Activities
| Title | Author(s) | Publication | Year | Methodology | Main Findings |
| --- | --- | --- | --- | --- | --- |
| Welcome to the Day-to-Day of Internal Auditors: How Do They Cope with Conflicts? | Roussy | Auditing: A Journal of Practice & Theory | 2015 | Qualitative | Internal auditors experience role conflicts. |
| Coordination Challenges in Implementing the Three Lines of Defense Model | Bantleon, d’Arcy, Eulerich, Hucke, Pedell and Ratzinger-Sakel | International Journal of Auditing | 2021 | Survey | Companies that do not have three lines of defense implementation challenges are those where: (1) the IAF has a good relationship with chief executives and the supervisory board and (2) the IAF has an increased focus on assurance activities. |
ERM Activity—Consolidated Reporting on Risks
| Title | Author(s) | Publication | Year | Methodology | Main Findings |
| --- | --- | --- | --- | --- | --- |
| Factors Associated with U.S. Public Companies’ Investment in Internal Auditing | Carcello, Hermanson, and Raghunandan | Accounting Horizons | 2005 | Mixed | Total internal audit budgets are related to several company factors. |
| Internal Audit, Alternative Internal Audit Structures and the Level of Misappropriation of Assets Fraud | Coram, Ferguson, and Moroney | Accounting & Finance | 2008 | Mixed | Organizations with IAFs are more likely to detect and self-report fraud. |
| Serving Two Masters: The Association Between Audit Committee Internal Audit Oversight and Internal Audit Activities | Abbott, Parker, and Peters | Accounting Horizons | 2010 | Mixed | There is a positive relationship between audit committee oversight and the IAF budget. |
| Reconciling Archival and Experimental Research: Does Internal Audit Contribution Affect the External Audit Fee | Prawitt, Sharp, and Wood | Behavioral Research in Auditing | 2011 | Mixed | There is a negative relationship between archival proxies for internal audit contribution and external audit fees. |
| Internal Audit Assistance and External Audit Timeliness | Abbott, Parker, and Peters | Auditing: A Journal of Practice & Theory | 2012 | Mixed | Internal audit assistance may result in audit cost savings and greater audit efficiency. |
| The Relationship Between Internal Audit and Information Security: An Exploratory Investigation | Steinbart, Raschke, Gal, and Dilla | International Journal of Accounting Information Systems | 2012 | Qualitative | A good relationship between internal auditors and information systems professionals is perceived to improve risk management. |
| The Internal Audit Function in Information Technology Governance: A Holistic Perspective | Héroux and Fortin | Journal of Information Systems | 2013 | Survey | Internal audit involvement in IT governance is still evolving. |
| Rotational Internal Audit Programs and Financial Reporting Quality: Do Compensating Controls Help? | Christ, Masli, Sharp, and Wood | Accounting, Organizations and Society | 2015 | Mixed | The rotation of internal auditors may harm the IAF’s ability to monitor financial reporting quality. |
| Internal Audit Quality and Financial Reporting Quality: The Joint Importance of Independence and Competence | Abbott, Daugherty, Parker, and Peters | Journal of Accounting Research | 2016 | Mixed | The presence of competence and independence is essential for effective IAF monitoring of financial reporting. |
| Internal Audit: Is the ‘Third Line of Defense’ Effective as a Form of Governance? An Exploratory Study of the Impression Management Techniques Chief Audit Executives Use in Their Annual Accountability to the Audit Committee | Roussy and Rodrigue | Journal of Business Ethics | 2018 | Qualitative | CAEs use impression management techniques in annual accountability reports (about IT systems risks) to the audit committee. |
| The Effect of Continuous Auditing and Role Duality on the Incidence and Likelihood of Reporting Management Opportunism | Barr-Pulliam | Management Accounting Research | 2019 | Experimental | Internal auditors perceive that earnings manipulation is less likely to occur when the IAF uses continuous auditing. |
| Partners or Opponents: Auditor-Manager Relationship Dynamics following the Deaf Effect in Information System Projects | Nuijten, Keil, Sarens and van Twist | Managerial Auditing Journal | 2019 | Case study | When internal auditors report risks for risk monitoring systems and risk governance systems to managers, the internal auditors experience the deaf effect from the managers. |
ERM Activity—Maintaining and Developing the ERM Framework
| Title | Author(s) | Publication | Year | Methodology | Main Findings |
| --- | --- | --- | --- | --- | --- |
| Internal Auditors’ Perception about Their Role in Risk Management: A Comparison Between US and Belgian Companies | Sarens and De Beelde | Managerial Auditing Journal | 2006a | Qualitative | Internal auditors’ consulting role in risk management focuses on transparency and documentation. |
| The Relationship Between Internal Audit and Senior Management: A Qualitative Analysis of Expectations and Perceptions | Sarens and De Beelde | International Journal of Auditing | 2006b | Qualitative | Internal auditors are aware of their pioneering role in formalizing risk management. |
| Recoupling Work Beyond COSO: A Longitudinal Case Study of Enterprise-wide Risk Management | Jemaa | Accounting, Organizations and Society | 2022 | Case study | Internal auditors’ introduction of ERM through risk mapping leads to organizational inefficiency and internal auditors suggest improving the risk management system. |
Panel C—Future Research Directions
Coaching Management in Responding to Risks
  • Do IAF sourcing arrangements (in-house versus outsourced) affect internal auditors’ ability to coach management in responding to risks?
  • Do management’s endorsement and support (disapproval and discouragement) of ERM influence (hinder) internal auditors’ ability to coach management in responding to risks?
Championing Establishment of ERM
  • Do compensating controls (the consistency of IAF leadership and supervision, audit committee oversight and management oversight) contribute to the IAF’s effective championing of ERM within organizations?
  • Do internal auditors experience role conflicts (the conflict between providing assurance services versus consulting services) when championing establishing ERM?
Developing Risk Management (RM) Strategy for Board Approval
  • Do internal auditors’ expectations of the C-Suite’s risk management responsibilities positively or negatively influence their development of RM for board approval?
  • Do internal auditors experience threats to their independence based on differing demands (to the board of directors, audit committee members, internal audit managers and/or auditee managers) as they develop an RM strategy for board approval?
  • What organizational factors contribute to utilization of enterprise risk mapping?
Panel A summarizes key research themes and subthemes identified in the internal audit ERM literature. Panel B summarizes papers that examine internal audit’s consulting and other activities. Panel C outlines future research directions informed by gaps identified in the literature.
Table 4. Roles Internal Audit Should not Undertake—Role Duality.
Panel A—Research Themes and Subthemes
Themes
  • Theme 1—Internal Audit’s General Involvement in ERM
  • Theme 2—The Internal Audit Function’s Dual Role, Assurance and Consulting Related to ERM
  • Theme 3—Use of the Internal Audit Function as an MTG, Implications for ERM
Subthemes related to Judgment and Decision-Making Research in Auditing
  • Financial reporting quality
  • Internal audit reporting and reporting lines
  • Internal audit assistance
  • Internal audit roles and role conflicts
  • Internal audit budget
  • Perceptions of internal audit
  • Internal audit quality
  • Risk management
  • Internal audit reliance
Panel B—Research Summary
Internal Audit’s General Involvement in ERM
| Title | Author(s) | Publication | Year | Methodology | Main Findings |
| --- | --- | --- | --- | --- | --- |
| Intentions to Report Questionable Acts: An Examination of the Influence of Anonymous Reporting Channel, Internal Audit Quality, and Setting | Kaplan and Schultz | Journal of Business Ethics | 2007 | Experimental | IAF quality does not affect the likelihood of reporting fraud to non-anonymous channels. |
| Internal Audit Involvement in Enterprise Risk Management | de Zwaan, Stewart, and Subramaniam | Managerial Auditing Journal | 2011 | Experimental | High involvement in ERM impacts the perceptions of internal auditors’ willingness to report a breakdown in risk procedures to the audit committee, whereas a strong relationship with the audit committee does not. Lastly, some IAFs engage in ERM activity that could compromise objectivity. |
| Examining the Synergy Between Enterprise Risk Management and Internal Audit Functions | A. Nair, P. Nair, and Agrawal | New Challenges in Accounting and Finance | 2024 | Survey | When internal audit is restricted to an advisory role, internal auditors’ involvement in ERM does not threaten their independence or objectivity. |
The Internal Audit Function’s Dual Role, Assurance and Consulting Related to ERM
| Title | Author(s) | Publication | Year | Methodology | Main Findings |
| --- | --- | --- | --- | --- | --- |
| An Assessment of the Newly Defined Internal Audit Function | Nagy and Cenker | Managerial Auditing Journal | 2007 | Qualitative | 11 IAF directors describe vast differences in viewpoints and objectives. However, a theme among them is that there has been a definite shift in the overall scope of internal audit towards operational activities. |
| Commitment to Independence by Internal Auditors: The Effects of Role Ambiguity and Role Conflict | Ahmad and Taylor | Managerial Auditing Journal | 2009 | Survey | Internal audit commitment to independence is affected by: (1) ambiguity in the exercise of authority by the IAF and time pressure and (2) conflict between internal auditors’ values and expectations from management and their profession. |
| External Auditors’ Reliance on Internal Audit: The Impact of Sourcing Arrangements and Consulting Activities | Munro and Stewart | Accounting & Finance | 2010 | Experimental | Involvement in consulting impacts reliance on work already undertaken and the use of internal auditors as assistants for control evaluation. |
Use of the Internal Audit Function as a Management Training Ground, Implications for ERM
| Title | Author(s) | Publication | Year | Methodology | Main Findings |
| --- | --- | --- | --- | --- | --- |
| A Critical Analysis of the Independence of the Internal Audit Function: Evidence from Australia | Christopher, Sarens, and Leung | Accounting, Auditing & Accountability Journal | 2009 | Survey | The threats to IAF independence from management include: using the IAF as an MTG, having the CEO or CFO approve the IAF budget and audit plan, and considering the IAF as a “partner.” The threats to IAF independence from the audit committee include: CAEs not reporting functionally to the audit committee; the audit committee not having sole responsibility for appointing, dismissing and evaluating the CAE; and not having all or at least one accounting expert on the audit committee. |
| Serving Two Masters: The Association Between Audit Committee Internal Audit Oversight and Internal Audit Activities | Abbott, Parker, and Peters | Accounting Horizons | 2010 | Mixed | There is a strong, positive association between a measure of audit committee oversight and the amount of IAF budget allocated to internal-controls-based activities. |
| The Effect of Using the Internal Audit Function as a Management Training Ground on the External Auditor’s Reliance Decision | Messier, Reynolds, Simon, and Wood | The Accounting Review | 2011 | Mixed | The study uses archival data, which suggests that external auditors charge higher fees to companies that use the IAF as an MTG. The study conducts an experiment, and findings suggest that external auditors perceive internal auditors employed in an IAF that is an MTG to be less objective but not less competent than internal auditors employed in an IAF not used as an MTG. |
| Is the Objectivity of Internal Audit Compromised When the Internal Audit Function is a Management Training Ground? | A. Rose, J. Rose, and Norman | Accounting & Finance | 2013 | Experimental | Internal auditors are less objective in an MTG versus a non-MTG. Further, empowering the audit committee further decreases the objectivity of internal auditors because the board’s power can have unintended consequences on internal auditors’ behavior. |
| The Effects of Using the Internal Audit Function as a Management Training Ground or as a Consulting Services Provider in Enhancing the Recruitment of Internal Auditors | Burton, Starliper, Summers, and Wood | Accounting Horizons | 2015 | Survey | Job applicants with business experience are less likely to apply for IA positions. Interest increases when the position advertises the combination of (1) participation in an MTG and (2) work mostly related to consulting services rather than assurance services. Participants in the study believe that other business professionals have negative stereotypes of internal audit. |
| Rotational Internal Audit Programs and Financial Reporting Quality: Do Compensating Controls Help? | Christ, Masli, Sharp, and Wood | Accounting, Organizations and Society | 2015 | Mixed | Companies using the IAF as an MTG have significantly lower financial reporting quality than companies that do not. However, compensating controls such as consistency of IAF leadership or supervision, audit committee oversight, and management oversight and direction can reduce this adverse financial reporting effect. |
| The Value to Management of Using the Internal Audit Function as a Management Training Ground | Carcello, Eulerich, Masli, and Wood | Accounting Horizons | 2018 | Mixed | Surveys of 355 CAEs show that CAEs perceive senior management to be more likely to use recommendations from MTG internal auditors than from non-MTG internal auditors. Experimental results suggest this greater reliance is due to perceptions that MTG internal auditors have more natural ability. |
| An Experimental Investigation of the Interaction Effect of Management Training Ground and Reporting Lines on Internal Auditors’ Objectivity | Hoos, Messier, Smith, and Tandy | International Journal of Auditing | 2018 | Experimental | The study suggests (1) when the IAF is not (is) an MTG, IAs’ risk assessments are not different by reporting line (align with management’s preferences); (2) when the IAF is an MTG, internal auditors provide investment recommendations consistent with management’s preferences; (3) internal auditors provide more favorable recommendations to the audit committee than to management. |
| Are Internal Audits Associated with Reductions in Perceived Risk? | Carcello, Eulerich, Masli and Wood | Auditing: A Journal of Practice & Theory | 2020 | Survey | Companies that are used as MTGs are associated with larger reductions in risk and more advanced operating performance. |
Panel C—Future Research Directions
Inter- and Intra-Personal Implications of an MTG
  • What are the future implications on managers’ financial reporting and operational decision making once they leave the IAF?
  • What is the effect of manager-imposed pressure on auditors’ objectivity in an MTG?
  • What is the effect of an MTG on the relationships between and among internal auditors, management and external auditors?
Firm Benefits
  • Does the use of an MTG help firms to attract, develop and retain high-quality managers?
  • What are the benefits to the value of firms when the IAF is an MTG?
Panel A summarizes key research themes and subthemes identified in the internal audit ERM literature. Panel B summarizes papers that examine roles internal audit should not take due to their dual roles in the company. Panel C outlines future research directions informed by gaps identified in the literature.
Table 5. Internal Audit Activities in ERM: Evidence-Based Recommendations and Practical Implications.
ERM—Value-enhancing/Good Practice
Examples of Internal Audit Activities:
  • Risk identification and assessment (Prawitt et al., 2012; Slapničar et al., 2022)
  • Assurance over risk-management processes (Grima et al., 2023; Tawfik et al., 2023)
  • Evaluation of ERM design and effectiveness (D’Onza et al., 2020)
  • Coordination across the Three Lines Model (Grebe & Marx, 2023)
Recommended Practical Actions for Practitioners:
  • Embed ERM evaluation in annual audit plans and risk-based assurance maps
  • Use audit results to advise the board on risk-appetite alignment
  • Facilitate cross-line communication without assuming ownership of risk decisions
  • Document boundaries between advisory input and assurance work in the audit charter
ERM—Independence Risks/Caution Areas
Examples of Internal Audit Activities:
  • Leading or owning ERM implementation (IIA, 2009)
  • Setting risk appetite or tolerance (IIA, 2009)
  • Serving as a “management-training ground” (MTG)
  • Performing extensive consulting beyond advisory scope (Barr-Pulliam et al., 2024)
Recommended Practical Actions for Practitioners:
  • Avoid taking responsibility for risk management design or operation
  • Establish approval protocols distinguishing audit oversight from management functions
  • Communicate advisory boundaries formally to the audit committee
  • Rotate staff between assurance and consulting only under independence safeguards
ESG—Environmental (E)
Examples of Internal Audit Activities:
  • Verifying greenhouse-gas (GHG) emissions and energy-use reporting (Szabo & Webster, 2021)
  • Reviewing environmental risk registers and compliance with sustainability regulations (Nair et al., 2024)
Recommended Practical Actions for Practitioners:
  • Validate data quality without owning collection processes
  • Include environmental-risk metrics in the audit universe and report weaknesses to the board or sustainability committee
ESG—Social (S)
Examples of Internal Audit Activities:
  • Assessing workplace safety, diversity and human rights compliance programs
  • Evaluating supply chain due-diligence processes for social risk exposure
Recommended Practical Actions for Practitioners:
  • Integrate social risk controls into assurance engagements
  • Use analytics to detect anomalies in safety or diversity metrics while maintaining confidentiality
ESG—Governance (G)
Examples of Internal Audit Activities:
  • Providing assurance on ethics, anti-corruption, and board governance frameworks, consistent with the gatekeeping role described by Roychowdhury and Srinivasan (2019)
  • Assessing ESG reporting governance and disclosure accuracy
Recommended Practical Actions for Practitioners:
  • Review governance structures overseeing ESG disclosures
  • Focus recommendations on governance effectiveness, not policy design, to preserve independence
ESG—Cross-Cutting Integration
Examples of Internal Audit Activities:
  • Mapping ESG risks within ERM frameworks
  • Coordinating assurance across the Three Lines of Defense model
Recommended Practical Actions for Practitioners:
  • Position ESG assurance within the IAF’s risk-based plan
  • Collaborate with risk and compliance units through defined communication channels to avoid role overlap
Table 5 integrates evidence from 77 studies (2004–2024) and emerging ESG research to provide practical guidance for internal audit leaders and boards on maximizing ERM and ESG assurance value while safeguarding independence.
Nkansa, P.; Barr-Pulliam, D.; Walker, K. From Compliance to Strategic Partnerships: The Role of Internal Audit in Enterprise Risk Management and Opportunities for Future Research. J. Risk Financial Manag. 2025, 18, 707. https://doi.org/10.3390/jrfm18120707