
AUDITING: A JOURNAL OF PRACTICE & THEORY American Accounting Association

Vol. 39, No. 3 DOI: 10.2308/ajpt-19-036


August 2020
pp. 55–73

Are Internal Audits Associated with Reductions in Perceived Risk?
Joseph V. Carcello
The University of Tennessee

Marc Eulerich
University of Duisburg-Essen

Adi Masli
The University of Kansas

David A. Wood
Brigham Young University
SUMMARY: We examine whether internal auditing provides value to organizations by reducing risk. We compare the
changes in risks between audited business units and matched non-audited units within the same company. This
design allows us to isolate the importance of an internal audit while holding constant changes in risk due to the
organization and time period. Based on ratings from the heads of audited and non-audited units, we find that
managers of audited units perceive a greater decline in risk as well as a greater increase in performance compared
to managers of non-audited units. We also find that companies that have had a quality assurance review and are
used as a management training ground are associated with greater reductions in risk and improved overall
performance. Our study contributes to the academic literature by documenting a new facet of internal audit
benefits—risk reduction—and internal audit characteristics that increase risk reduction.
Keywords: internal audit; risk management; management training ground; quality assurance reviews.

I. INTRODUCTION
Since the 2008 financial crisis, companies have increasingly focused on how to improve all facets of risk management.1
For example, Deloitte (2015) reports that 92 percent of sampled companies now have an enterprise risk management
program, up from only 59 percent in 2008. Despite the increased attention on risk management, companies worldwide
continue to fall short in managing risk effectively. According to Aon’s recent 2019 Global Risk Management study, risk
readiness of organizations is at its lowest level in 12 years (AON 2019). Many organizations also report that they are less
prepared now in managing risk than they have ever been. Considering this backdrop, it is important to study how organizations
can enhance their risk management endeavors.
While prior research shows that effectively managing risk enhances firm value, improves firm operating performance, and
provides strategic advantages (Hoyt and Liebenberg 2011; McShane, Nair, and Rustambekov 2011; Beasley, Branson, and
Pagach 2015), there is relatively little research on what governance mechanisms can improve risk management within
organizations. Our paper extends the literature by examining how one key governance mechanism, the internal audit function
(IAF), can help improve risk management in organizations. By doing so, we provide further meaningful evidence on the
organizational value of internal auditing.

We thank Richard C. Hatfield (editor), two anonymous reviewers, and Drew Allen, Jace Garrett, Rani Hoitash, Nathan Mecham, and Doug Prawitt for
helpful comments and suggestions on this paper. We also thank Patrick Whalen for his research assistance. Professor Masli thanks the Koch Fellowship for
financial assistance.
Editor’s note: Accepted by Richard C. Hatfield, under the Senior Editorship of Christopher P. Agoglia.
Submitted: March 2019
Accepted: March 2020
Published Online: April 2020

1 Risk is defined by COSO (2013) as “the possibility that an event will occur and adversely affect the achievement of objectives.” The updated 2017
enterprise risk management framework by COSO (2017) further suggests that organizations attain many benefits from integrating risk management
throughout the entity, such as increasing opportunities, reducing negative surprises, and improving resource deployment and enterprise resiliency.

The IAF often plays an active role in the risk management process. International standards by the Institute of Internal
Auditors (IIA) require the IAF to be involved in risk management. The IIA (2009) specifically lists different core roles that
internal audit plays in enterprise risk management, and the top three areas that stakeholders want from internal audit also relate
to risk management (Anderson 2016). Indeed, the important role that internal audit plays in assessing a company’s risk
management process is one of the primary reasons that the NASDAQ proposed requiring all listed companies to maintain an
IAF (SEC 2013; Protiviti 2013). Thus, an internal audit is designed to reduce the risks that companies face. To date, little
research has investigated the effect of the IAF on corporate risk outcomes.
Although the IAF is designed to improve risk management, there are several reasons why it may not be effective in
reducing risk. First, the business community does not highly support investing in internal auditing. The head of the IIA, Richard
Chambers (2013) notes that internal audit often does not have enough resources to cover all significant risks and can thus
overlook key risks. Second, even if internal audit has sufficient resources, it still may not reduce risk. For example, internal
audit originally developed focusing primarily on financial reporting matters and may have less experience focusing on other
areas, like operations and compliance (Bailey, Gramling, and Ramamoorti 2003). Also, research suggests that relevant
stakeholders (e.g., management, audit committee) are generally dissatisfied with IAFs (Lenz and Hahn 2015), and internal audit
struggles to attract highly qualified individuals into the profession (Murphy 2013; Burton, Starliper, Summers, and Wood 2015;
Bartlett, Kremin, Saunders, and Wood 2016, 2017). Combined, these factors suggest that even though the internal audit is
designed to reduce risk, whether it does in practice is an important empirical question to study.
Another key motivation of this research is to study different characteristics of the IAF that may be associated with the
ability to reduce risk. Internal audit can vary significantly in how it is implemented from one organization to another. We study
several key characteristics of IAFs—including the reporting relation of the head of internal audit, the use of quality assurance
reviews (QARs) to enhance internal audit quality, and the use of the IAF as a management training ground (MTG)—to see if
these characteristics are associated with IAF’s ability to reduce risk.
We study the association between internal auditing and the ability to reduce risk by studying perceived risk reductions
using a unique design. Specifically, we conduct a survey of chief audit executives (CAEs) for various multinational companies
from Germany.2 We ask the CAEs to identify units in their organization that had recently received an internal audit and a
matched-pair unit that had not received an internal audit but that was similar on multiple attributes. We ask the CAEs to match
the units as closely as possible and we specifically mention matching based on the nature of the audited unit (subsidiary, plant,
etc.), scope, size, and geographic footprint of the unit, and the risk level and performance of the unit. After identifying the pairs
of matched units, the CAEs distributed the survey to managers of both audited and non-audited units for their participation.
Thus, we have responses from three groups: (1) heads of units that were audited by internal audit, (2) heads of units that were
not audited by internal audit, and (3) the CAEs themselves.
We asked the heads of these various units to rate various risks at two points in time. We then compare how the matched
unit’s perceived risk changed for units that were audited by the IAF and those that were not. We supplement the analysis using
responses from CAEs for a larger sample of companies—after showing that CAEs assess perceived risks of business units
similarly to how the heads of both audited and non-audited business units assess themselves (see Appendix B).
We analyze 21 pairs of responses by the managers of audited and matched non-audited units and 48 pairs of responses by
CAEs about audited and non-audited units. Across both samples, our results show that internal audit is associated with
reductions in the perceived overall risk faced by business units and that perceived overall risk reduction is greater when
managers implement more of the recommendations given by the IAF.
As previously mentioned, we also build and test hypotheses related to several IAF characteristics that may impact the IAF
and perceived risk relation. We find that IAFs that have a QAR are associated with greater reductions in perceived risk than
IAFs that have not had the review. In addition, IAFs that are used as a MTG are associated with greater reductions in perceived
risk than IAFs that are not used as a MTG. However, we do not find that having the head of internal audit report to the audit
committee is associated with perceived risk.

2 Although we sample IAFs in Germany, we believe the results should generalize to the U.S. and other developed countries. Internal auditing in Germany
is similar to internal auditing in the U.S. in that internal auditing is required or recommended as a best practice in both countries (e.g., AktG and
MaRisk in Germany; SEC [2013] in the United States), internal auditing has existed in both countries for a significant amount of time (IIA was founded
in the U.S. in 1941, German IIA was founded in 1958), and internal auditors in both countries follow the global IIA “International Professional Practice
Framework,” standards and best practices, which are the same across the world.


Our results also show that managers perceive greater improvement in the performance of their area after an audit. This
finding is particularly salient for units audited by internal audits that have had a recent QAR and are used as a MTG. When we
examine specific types of perceived risk—including risk related to financial matters, operational matters, and compliance
matters—we find that internal audit is associated with reductions in perceptions of operating risk. Finally, we find some
evidence of spillover effects. That is, when an internal audit conducts operational audits, unit managers also perceive
improvements in financial risk but not in compliance risk.3 Finally, we document that CAEs themselves perceive that audited
units experience greater declines in overall risk compared to non-audited units.
Our paper makes four primary contributions to the literature. First, given the significant focus on risk by organizations,
regulators, and even the U.S. Congress, we provide an important finding about how organizations can enhance risk
management. Specifically, we find support for the valuable role of internal audit in reducing perceived risk. Our work should be
of interest to various corporate stakeholders. For example, managers and boards of directors ought to assess whether their IAFs
are functioning effectively to address risk. External auditors ought to evaluate how their client’s IAF contributes to the risk
management process. Considering the positive effects of internal auditing on risk management, regulators should continue
weighing all of the benefits and costs of mandating internal audits for publicly traded companies.
Second, we demonstrate a heretofore unexamined way internal auditing adds value to organizations—by reducing
perceptions of risk. Although prior research examines internal audit’s role in the financial reporting process, to our knowledge,
we are among the first to demonstrate that internal audit can also benefit an organization in improving operational and overall
risk. This adds an important finding to the developing body of internal audit research, especially considering that many business
professionals question the value that internal auditing brings to an organization and that research on internal audit is “still in its
infancy” (DeFond and Zhang 2014).
Third, our paper provides evidence that certain IAF design choices can have a larger effect on reducing perceived risk.
Specifically, IAFs that have had a recent QAR, and are used as a management training ground, are associated with greater
reductions in perceived risk. The findings related to MTG are especially noteworthy given that the majority of prior research
finds that using the IAF as a MTG bears negative outcomes: it is associated with higher audit fees (Messier, Reynolds, Simon,
and Wood 2011; Ho and Hutchinson 2010) and worse financial reporting quality (Christ, Masli, Sharp, and Wood 2015). Our
findings show that the MTG structure can have important benefits to the risk management of an organization and that having a
QAR is especially valuable.
The fourth contribution of this study is our unique design. Prior studies largely investigate the effect of internal
audits on company-wide outcomes, such as financial reporting quality, audit fees, and internal controls reported at the
overall firm level. Within a company, not all units are audited by the IAF. In this study, we can examine the direct
effects of internal audit across business units within the same company. We observe that CAEs are relatively similar in
assessing how heads of business units perceive their unit. This is important for future research as it suggests that future
researchers can survey the CAE and not business unit heads to gather relevant risk-related and internal auditing-related
data. This should simplify data collection efforts for future researchers, which will hopefully spur more research in
internal auditing.

II. LITERATURE REVIEW AND HYPOTHESES


One way that internal audit can add value to organizations is to reduce risk. Indeed, the definition of internal auditing
promulgated by the IIA (2013) states that one objective of internal auditors is “to evaluate and improve the effectiveness of risk
management.” There is only a limited amount of research on the impact of internal auditing on risk management.4 Sarens and
De Beelde (2006) interviewed CAEs from ten different companies to compare how internal auditors perceive their role in risk
management within U.S. and Belgian companies. The study by Beasley, Clune, and Hermanson (2006) shows that several
factors are associated with the impact of enterprise risk management on internal audit activities, such as CAE tenure and
direction from the CFO and audit committee. de Zwaan, Stewart, and Subramaniam (2011) find that higher internal audit
involvement in enterprise risk management influences the internal auditor’s willingness to report a breakdown in risk
procedures to the audit committee.

3 Our discussions with internal audit practitioners in Germany reveal that an operational audit is one of the most common types of audit. During an
operational audit, internal auditors often discover risks in non-operational areas. Internal auditors often make formal or informal suggestions to improve
in these areas, which would suggest that an operational audit could have potentially positive spillover effects on reducing risk in other non-operational
areas.
4 Prior research has shown that internal audit improves internal controls and financial reporting quality (Prawitt, Smith, and Wood 2009; Lin,
Pizzini, Vargus, and Bardhan 2011; Prawitt, Sharp, and Wood 2012; Ege 2015; Christ et al. 2015; Abbott, Daugherty, Parker, and Peters 2016;
Barr-Pulliam 2017, 2018, 2019; Bills, Huang, Lin, and Wood 2019), reduces fraud (Beasley, Carcello, Hermanson, and Lapides 2000; Coram,
Ferguson, and Moroney 2008), lowers external audit fees (Felix, Gramling, and Maletta 2001; Gramling, Maletta, Schneider, and Church 2004;
Abbott, Parker, and Peters 2012; Prawitt, Sharp, and Wood 2011; Messier et al. 2011), and improves financial performance (Burton, Emmett,
Simon, and Wood 2012; Jiang, Messier, and Wood 2020). However, these studies do not directly study risk and the ability of internal audit to
reduce risk.

The demand for internal audit to add value in risk management is underscored in the 2015 Global Internal Audit Common
Body of Knowledge (CBOK). Stakeholders were asked what areas should be in the scope of internal audit beyond traditional
assurance work. The resounding response from stakeholders was “risk.” In particular, the top three areas that stakeholders want
from internal audit are (1) identify known and emerging risk areas (85 percent), (2) facilitate and monitor risk management
practices by operational management (78 percent), and (3) identify appropriate risk management frameworks, practices, and
processes (78 percent) (Anderson 2016). The role that internal auditing is expected to play in risk management continues to
increase in importance, as highlighted by the recent 2019 release of a new practice guide by the IIA designed to help CAEs
provide satisfactory levels of assurance and advice over the effectiveness of risk management processes and strategies.5 This
practice guide further affirms the profession’s stance that internal auditing can add value to the organization by improving risk
management.
Internal audit can reduce risk in several ways. As explained in the IIA’s (2009) position paper on internal auditing
and enterprise-wide risk management, internal auditing provides value by giving objective assurance on the effectiveness
of risk management. The position paper details five internal audit roles that are considered core to risk management,
which are (1) giving assurance on the risk management process, (2) giving assurance that risks are correctly evaluated,
(3) evaluating risk management processes, (4) evaluating the reporting of key risks, and (5) reviewing the management
of key risks (IIA 2009). Beyond these core roles, internal audit also has legitimate roles that can be undertaken with
certain safeguards, such as coaching management in responding to risks and developing risk management strategies (IIA
2009).
IIA international standards also tout the internal audit’s role in risk management. With regard to planning engagements, the
CAE must establish a risk-based plan to determine the priorities of internal audit activity (IIA 2016). IPPF Standard 2120 on
risk management further mandates that the IAF evaluate the effectiveness and contribute to the improvement of risk
management processes (IIA 2016). Specifically, internal audit must evaluate risk exposures related to issues such as operations,
financial reporting, and safeguarding of assets, address risks consistent with engagement objectives, and communicate relevant
risk information across the organization in a timely manner.
Although the internal audit is designed to add value by improving risk management, there are a few possible
impediments to achieving this objective. First, to be effective, the IAF requires sufficient resources to perform its work.
Often viewed as a cost-center, IAFs can struggle to receive the funding they need to be successful. For example, the
NASDAQ (2013) proposed a rule that would require all companies listed on its exchange to establish an IAF by December
31, 2013.6 In response to the proposed rule, the NASDAQ received 16 letters voicing an opinion about the proposed rule. Of
the 16 letters, 13 indicated opposition to the new rule and the most common reasons were that the benefits of having an IAF
do not outweigh the costs. Without sufficient funding, the IAF may not be able to impact risk management in a meaningful
way.
Second, and somewhat related to the first point, to be successful the IAF must have sufficient ability to have a meaningful
effect on risk management. Internal auditors may lack the ability because of lack of experience working with risk management
(Bailey et al. 2003), negative stigma about the profession (Murphy 2013; Burton et al. 2015; Bartlett et al. 2016, 2017;
Eulerich, Kremin, Saunders, and Wood 2020)7, lack of expertise in risk management, or insufficient organizational clout to
make a meaningful difference.
Internal auditing’s role in risk management is a relatively underexplored research area, but an important area to investigate
given the focus by the profession on internal audit reducing risk. Given the significant attention on internal auditing improving
risk management, notwithstanding the potential reasons internal audit may not have an influence, we would expect that, on
average, internal auditing will be associated with improvements in reducing risk at organizations. This leads to our first
hypothesis:
H1: Internal audits are associated with reductions in perceived risk after the audited period.
As mentioned, certain features of the IAF may strengthen the effect of internal auditing on reducing perceived risk. We
consider three situations where the effect of internal auditing on perceived risk is likely to be moderated by other important
factors: the reporting relationship of the head of the IAF, whether the IAF has had a recent QAR, and whether the IAF is used as
a MTG.

5 See the press release at https://global.theiia.org/news/Pages/The-IIA-Releases-New-Practice-Guide-on-Assessing-the-Risk-Management-Process.aspx.
6 The proposed NASDAQ rule was patterned after the NYSE (n.d.) rule adopted in 2013, which required listed companies to have an IAF.
7 For example, Eulerich et al. (2020) find that negative views of the internal audit profession are related to less ability to add value, less influence in the
organization, more resistance to implementing internal audit recommendations, and more pressure to change audit findings.

One of the reasons internal audit may not influence risk management is that internal audit does not have sufficient clout in
an organization to make a difference. If internal audit is deemed more important in an organization, they are likely to have a
greater effect on the organization. One key factor that demonstrates the importance of internal audit in the organization is to
whom the head of internal audit reports. If the head of internal audit reports to the audit committee, the IAF likely holds a more
prominent role in an organization. For example, Anderson, Christ, Johnstone, and Rittenberg (2012) find that more interactions
with the audit committee is associated with larger (i.e., more resourced) IAFs. Abbott, Parker, and Peters (2010) find that IAFs
that have greater oversight by the audit committee relative to management are associated with a greater focus on internal control
activities—which includes risk management. Boyle, DeZoort, and Hermanson (2015) find that internal auditors that report to
the audit committee provide more conservative fraud risk assessments and control risk assessments than when they report to
management.
If internal auditors assess risk higher, they are more likely to do more diligent testing and provide recommendations to
reduce risk to acceptable levels. Thus, we expect that internal auditors that report to the audit committee will be associated with
greater reductions in perceived risk, as stated formally in the following hypothesis.
H2: The association between internal audits and reductions in perceived risk after the audited period is stronger when the
IAF reports to the audit committee than when the IAF reports to management.
The effectiveness and efficiency of internal audit activities likely affect the IAF’s ability to improve risk management.
According to internal audit standards, “the chief audit executive must develop and maintain a quality assurance and
improvement program that covers all aspects of the internal audit activity” (IIA 2012). As part of the QAR process, an IAF
must be reviewed externally to make sure the function is complying with standards and is operating efficiently and effectively.
Prior research has shown that having a QAR contributes to a high-quality IAF and the previously cited benefits of having a
high-quality IAF (Christ et al. 2015; Dejnaronk, Little, Mujtaba, and McClelland 2016).
In our setting, a QAR provides an impetus for an IAF to improve its efficiency and effectiveness. Thus, IAFs that have had
a recent QAR should be better at performing their tasks mentioned leading up to H1 than IAFs that have not had a recent QAR.
This leads to our third hypothesis:
H3: The association between internal audits and reductions in perceived risk after the audited period is stronger when the
IAF has had a QAR than when the IAF has not had the review.
The use of the IAF as a MTG can also affect the IAF’s ability to improve risk management. Prior research has found that
MTG internal auditors are less objective and have less internal auditing skills but have more natural ability and knowledge of
the company than non-MTG internal auditors (Messier et al. 2011; Christ et al. 2015; Carcello, Eulerich, Masli, and Wood
2018; Hoos, Messier, Smith, and Tandy 2018). Prior research has found that these differences lead to a “mixed-bag” of whether
this practice is a positive or negative for organizations. For example, using the IAF as a MTG is associated with external
auditors charging higher fees (Messier et al. 2011; Ho and Hutchinson 2010), reductions in financial reporting quality (Christ et
al. 2015), and favoring management in reporting risks and recommendations (Hoos et al. 2018). However, on the positive side,
using the IAF as a MTG leads to increased reliance by managers on recommendations from MTG internal auditors (Carcello et
al. 2018).
MTG internal auditors have different incentives than non-MTG internal auditors. MTG internal auditors want to impress
management to increase the likelihood of being promoted out of the IAF. One way to impress management is to add value by
identifying and mitigating risks the company faces—thus making it more likely management achieves its objectives. In this
vein, Hoos et al. (2018) find that MTG internal auditors are more likely to assess risks and make recommendations in line with
what management prefers relative to what the audit committee prefers. Thus, in combination, the superior natural ability of
MTG internal auditors, higher organizational expertise, and the incentive to impress management likely combine such that
MTG internal auditors are likely to be associated with greater reductions in perceived risk than non-MTG internal auditors. We
test this logic in the following hypothesis:
H4: The association between internal audits and reductions in perceived risk after the audited period is stronger when the
IAF is used as a MTG than when the IAF is not used as a MTG.


III. METHODOLOGY

Sample Selection
To test our hypotheses, we gathered a unique dataset. Specifically, we evaluate real-world perceptions of the effect of
internal audits on risk. We are unable to directly measure risk, so we study stakeholder perceptions of risk.8 To collect the
relevant data, we surveyed 461 CAEs belonging to the IIA in Germany.9 The Germany chapter of the IIA assisted us in
administering the survey, but the authors had complete control over the design of the survey instrument.10 The use of human
subjects was approved for this study. From this group, 37 CAEs from different companies responded, a response rate of 8
percent. Not all CAEs responded to each question. We include all possible responses for analysis for each question.
The survey asked the CAEs to do two things. First, each CAE was asked to select three out of the ten largest audits of the prior
year (measured by the auditor days spent) and select a unit that was not audited but similar to the audited unit in as many ways as
possible, including the six criteria listed below, to serve as a control sample. The CAE was then asked to forward a survey to the
heads of these six units (three audited units and three units that were not audited) asking them to fill out the survey and return it to
the researchers. The second task the CAEs were asked to perform was to provide their evaluation of the same six units and provide
details about the company and the IAF. The primary analyses make use of data from unit managers. Managers’ perceptions of risk
represent perceptions that come directly from the customers of internal audit. A secondary dataset, used in supplementary analyses,
compiles the perceptions of the CAEs. This dataset is larger as not all unit heads chose to respond. We also note that for most
companies, we did not necessarily get responses for all six (three audited and three non-audited) units as requested.
The request to the CAEs included criteria for matching audited and non-audited units.11 The six criteria we provided to the
CAEs include:
1. Nature of the audited unit (subsidiary, process, plant, etc.)
2. Whether the audited unit was or was not a company-wide unit
3. Size of the audited unit in the year of the audit
4. Risk level of the audited unit in the year of the audit
5. Performance level of the audited unit in the year of the audit
6. Geographic area of the audited unit in the year of the audit
For example, assuming the CAE selected for inclusion in our study a 2013 audit of a foreign-country-based subsidiary with
$5 billion in total assets that had high risk and whose performance was average, then the CAEs would be expected to select a
different subsidiary located in the same country (or a similar country) with total assets as close to $5 billion as possible, whose
risk level was high, and whose performance was average.
Table 1 provides data about the responses from managers of the business units. Panel A shows that we had at most four
pairs from one company and that we had a total of 21 pairs from ten different companies with manager responses. Panel B
shows a comparison of the units that were selected and not selected by the CAE. The data show that the audited and non-audited
units were similar on the nature of audit (e.g., subsidiary, process), the scope of the audit (company-wide versus not),
the beginning risk of the unit, and the performance of the unit in the previous year.12 Based on extensive discussion with the
IIA, we chose not to gather data about the size of the audited unit as this was deemed more sensitive information than the other
requests (i.e., the IIA was worried about possible ex post identification of units through matching).
We also measured three additional pieces of information: the perception of internal audit held by the manager of the unit,
the financial education of the manager, and whether the manager was new (being in the position for three years or less). We
note that the first two variables did not differ between groups but that managers of audited units were more likely to be new

8 As a limitation, we acknowledge the possibility that demand type effects could drive the results.
9 The German Accounting Modernization Act (2009) requires boards and audit committees from listed companies to evaluate the effectiveness of the
IAF. This requirement is broadly accepted as the (legal) mandatory need for the implementation of an IAF. The Act covers all German stock
corporations and private firms with a comparable size and structure (German Accounting Modernization Act 2009).
10 The authors had complete control over the design of the questions included for analysis for this project. We note that the IIA had additional purposes for
this survey and thus many questions other than those relevant to this study were asked of participants.
11 The choice of which criteria to request for matching was made after discussing with practitioners and the German IIA about how units are selected for
audit. These groups said that the selection process is a multifaceted negotiation between the audit committee, management, and the CAE. They
identified several of these factors as the most important attributes in that discussion. We added additional matching criteria to make the comparisons as
similar as possible.
12 We note that there is a single company-wide business unit not matched to a company-wide business unit. But, for this one particular case, the CAE still
matched well based on the five other criteria. We note that the CAEs matched the units based on data for the year of the audit. In Table 1, Panel B we
capture levels of risk and performance for the year prior to the audit (based on available data).


TABLE 1
Description of Companies Providing Responses by Business Unit Managers

Panel A: Sample of Audited and Non-Audited Unit Pairs


Company ID             Number of Pairs    Percent of Total Pairs
Company ID No. 1              4                  19.05%
Company ID No. 2              1                   4.76%
Company ID No. 3              2                   9.52%
Company ID No. 4              3                  14.29%
Company ID No. 5              2                   9.52%
Company ID No. 6              1                   4.76%
Company ID No. 7              2                   9.52%
Company ID No. 8              3                  14.29%
Company ID No. 9              2                   9.52%
Company ID No. 10             1                   4.76%
Total                        21
Ten different companies provided manager responses. Within the ten companies, 21 pairs of audited and non-audited units provided manager responses.

Panel B: Characteristics of Matched Audited Units and Non-Audited Units


Variable                                          Audited Unit (n = 21)    Non-Audited Unit (n = 21)    p-value for Diff.
Nature of the Unit
  Subsidiary                                      6                        6
  Process                                         6                        6
  Plant/Store/Branch                              1                        1
  Other                                           8                        8
Company Wide                                      9                        8
Overall Risk Before Audit Year                    3.000                    2.905                        0.629
Overall Performance Before Audit Year             0.190                    0.381                        0.676
IA Value to Manager                               0.238                    0.333                        0.506
Manager Financial Education                       0.523                    0.476                        0.765
Manager is New                                    0.429                    0.143                        0.041
Raw Number of IA Recommendations                  24.6                     NA
Raw Number of Implemented IA Recommendations      19.95                    NA
Ratio of Implemented IA Recommendations           0.839                    NA
In this panel, we display a comparison of unit characteristics between audited and non-audited units.


than non-audited units.13 The insignificant difference in the variable IA Value to Manager is particularly noteworthy. This
variable is equal to 1 if the manager fully agrees with the statement that internal audit adds value, and 0 otherwise. It does not
seem that one group of managers is more biased toward or against internal audit than the other group. Based on all of the
evidence, we conclude that the match provided by the CAEs appears to be unbiased and to accomplish our objective of
matching two relatively similar units for comparison.
We also provide descriptive statistics for the number of IA recommendations, the number of implemented IA
recommendations, and the proportion of internal audit recommendations that were implemented by managers (Ratio of
Implemented IA Recommendations). The descriptive statistics reported are based on 20 audited units for which we obtained
complete data on internal audit recommendations. On average, IA provided approximately 25 recommendations to audited
units and audited managers implemented 20 recommendations.

13 We note that this difference may indicate that there is some type of additional risk in these units. We are not able to identify what that risk is, and
encourage future research in this area.


TABLE 1 (continued)
Panel C: Descriptive Statistics of Companies (n = 10) That Provided Manager Responses
Variable Mean Std. Dev.
Company Characteristics
Revenues (in millions of euros) 12,774.6 19,124.4
Employees 89,765.1 150,083.4
Public Listing 0.40 0.52
Audit Committee 0.90 0.32
Supervisory Board Members (n = 8) 13.50 4.17
Big N Auditor 0.80 0.42
IAF Characteristics
IAF Employees 37.95 58.69
IAF Budget (in thousands of euros) 5,274.3 8,310.2
IAF Certification 0.32 0.32
Focus on Auditing 0.87 0.10
In-House Training (days) 27.40 23.96
Out-of-House Training (days) 29.40 19.04
QAR 0.50 0.53
IAF Staff Experience (years) 9.40 5.08
IA Used as MTG 0.70 0.48
IA Reports to AC 0.40 0.516
In this panel, we provide descriptive statistics about the ten companies that provided responses by managers of audited and non-audited units.

Table 1, Panel C provides descriptive statistics about the ten companies that provided manager responses for the test and
control observations. The descriptive statistics show that these are large companies with average revenues of approximately
12.8 billion euros and approximately 90,000 employees. The sample includes publicly traded and private companies. All but
one company have an audit committee, and eight of the ten companies have Big N auditors. The companies, on average, have
38 internal auditors and an internal audit budget of approximately 5.3 million euros. The IAFs have a strong focus on
assurance-related tasks (87 percent of their focus is on auditing). Nearly one-third of the internal audit staff hold a specific
certification in internal audit and have an average of nine years of experience. Internal auditors, on average, spend 27 and 29
days for in-house training and out-of-house training, respectively. Half of the internal audit departments recently underwent a
QAR. Seven out of the ten companies use the IAF as a MTG, and 40 percent of the IAFs report to the audit committee.14

Models and Variable Measurement


We asked managers of both audited and non-audited units to rate the level of perceived risk within their respective units.
We asked participants to rate the perceived risk level for both the period before and after the audit was conducted so that we
could observe a change in perceived risk over the same period of time. The managers of the non-audited units had to evaluate
the perceived risk for the prior year (comparable to the year prior to the audit of the audited unit) and after one year (comparable
to the year after the audit of the audited unit). The respondents provided an overall rating of perceived risk. For perceived risk,
respondents rated the risk level using a five-point scale labeled (1) very low, (2) low, (3) medium, (4) high, and (5) very high.
Risk may change over the period because of factors not associated with internal audit. For example, risk for the entire
company may have declined due to policies implemented throughout the organization. These company-wide changes would
manifest in both the audited and the non-audited group. For internal audit to have a significant impact, the decline in risk for the
audited group should be greater than the decline in risk for the non-audited group. We test this possibility by comparing
responses from the heads of the audited and non-audited units. The design holds constant other company-wide factors that
could impact risk.
For our primary analyses, we run the following linear regression model:
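$$\text{Overall Risk} = \alpha_0 + \alpha_1\,\text{Audited} + \alpha_2\,\text{After} + \alpha_3\,\text{Audited} \times \text{After} + \alpha_j\,\text{Controls} + \varepsilon \tag{1}$$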

14 We recognize that the percentage of IAFs that report to the audit committee is lower than in other studies. This should not bias our results, but future
studies should examine how reporting relations differ in various countries.


The dependent variable is perceived overall risk (Overall Risk). The variable Audited is defined as 1 if the observation
relates to an audited unit, and 0 if the observation relates to a non-audited unit. As mentioned, we capture the perceived risk
level both before and after the audit. The variable After is defined as 1 if the observation relates to the period after the audit, and
0 if the observation relates to the period before the audit. The interaction variable Audited × After is our variable of interest. A
negative and significant interaction term would suggest that the audited unit managers perceive lower overall risk after the audit
compared to non-audited unit managers.
For the analysis of the manager’s responses, since the matching appears to be done according to our request, additional
control variables should not be needed as the audited and non-audited units should be similar on the variables important for
determining perceived risk. However, since we cannot directly assess all components of the quality of the match, we
supplement the analyses by adding several additional unit-level control variables. The unit-level control variables include
financial background of the manager (Manager Financial Education), tenure of the manager (Manager is New), and whether
the manager fully agrees with the statement that IA provides value (IA Value to Manager). We also control for the performance
level of the unit (Performance). Company-wide control variables are controlled for by adding firm indicators to the model (i.e.,
an indicator variable for each unique company). These firm indicator variables control for all other factors at the company level
(e.g., firm size, culture, governance structures). See Appendix A for the definition of variables used in the models.
To test the remaining hypotheses (H2 to H4), we run the following linear regression models:
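$$\begin{aligned}\text{Overall Risk} = {} & \beta_0 + \beta_1\,\text{Audited REPORT AC} + \beta_2\,\text{Audited NO REPORT AC} + \beta_3\,\text{After} + \beta_4\,\text{Audited REPORT AC} \times \text{After} \\ & + \beta_5\,\text{Audited NO REPORT AC} \times \text{After} + \beta_j\,\text{Controls} + \varepsilon\end{aligned} \tag{2}$$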
To test H2, we run Equation (2). For this equation, we rerun Equation (1) splitting Audited into two variables: (1) Audited
REPORT AC, an indicator variable indicating whether the audited unit is audited by an IAF where the CAE reports to the audit
committee, and (2) Audited NO REPORT AC, an indicator indicating whether the audited unit is audited by an IAF where the
CAE does not report to the audit committee. In essence, we distinguish audited units that were audited by an IAF that reports to
the audit committee from audited units that were audited by an IAF that does not report to the audit committee. H2 suggests that
the negative coefficient for the interaction term Audited REPORT AC × After will be lower than the negative coefficient for the
interaction term Audited NO REPORT AC × After.
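$$\begin{aligned}\text{Overall Risk} = {} & \chi_0 + \chi_1\,\text{Audited QAR} + \chi_2\,\text{Audited NO QAR} + \chi_3\,\text{After} + \chi_4\,\text{Audited QAR} \times \text{After} \\ & + \chi_5\,\text{Audited NO QAR} \times \text{After} + \chi_j\,\text{Controls} + \varepsilon\end{aligned} \tag{3}$$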
To test H3, we run Equation (3). For this equation, we rerun Equation (1) splitting Audited into two variables: (1) Audited
QAR, an indicator variable indicating whether the audited unit is audited by an IAF that had a QAR in recent years, and (2)
Audited NO QAR, an indicator indicating whether the audited unit is audited by an IAF that did not have a QAR in recent years.
In this specification, we distinguish units audited by an IAF with a recent QAR from units audited by an IAF without a recent
QAR. H3 suggests that the negative coefficient for interaction term Audited QAR × After will be lower than the negative
coefficient for the interaction term Audited NO QAR × After.
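$$\begin{aligned}\text{Overall Risk} = {} & \delta_0 + \delta_1\,\text{Audited MTG} + \delta_2\,\text{Audited NO MTG} + \delta_3\,\text{After} + \delta_4\,\text{Audited MTG} \times \text{After} \\ & + \delta_5\,\text{Audited NO MTG} \times \text{After} + \delta_j\,\text{Controls} + \varepsilon\end{aligned} \tag{4}$$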
To test H4, we run Equation (4). For this equation, we rerun Equation (1) splitting Audited into two variables: (1) Audited
MTG, an indicator variable indicating whether the audited unit is audited by an IAF that is used as a MTG, and (2) Audited NO
MTG, an indicator indicating whether the audited unit is audited by an IAF that is not used as a MTG. Here, we differentiate
units audited by an IAF used as a MTG from units audited by an IAF not used as a MTG. H4 suggests that the negative
coefficient for the interaction term Audited MTG × After will be lower than the negative coefficient for the interaction term
Audited NO MTG × After.

IV. RESULTS
Table 2 provides the results examining the influence of the internal audit on manager’s perception of changes in overall
risk. Panel A of Table 2 provides univariate results. We compare the overall risk ratings in the before period for the audited and
non-audited units. We find statistically similar risk ratings in the before period between the audited (3.000) and non-audited
units (2.905), which provides more assurance that the match by the CAE was performed without bias. In the after period, we


TABLE 2
Internal Audits and Changes in Risk

Panel A: Changes in Overall Risks


Overall Risk              n    Audited Manager Unit    n    Non-Audited Manager Unit    Difference    p-value
Before                   21    3.000                  21    2.905                        0.095        0.629
After                    21    2.238                  21    2.762                       −0.524        < 0.01
Difference                     −0.762                       −0.143
p-value                        < 0.01                       0.083
Change in Overall Risk   21    −0.762                 21    −0.143                      −0.619        < 0.01
In this panel, we present univariate comparisons of overall risk between audited and non-audited units. We display overall risk before and after the audit
period as well as the change in the overall risk.

Panel B: Linear Regression Results


Overall Risk
Variable                               Pred. Sign    Model 1 Coeff. (p-value)    Model 2 Coeff. (p-value)
Audited                                ?             0.068 (0.695)
Implemented Recommendations            ?                                         0.073 (0.747)
After                                  ?             0.021 (0.739)               0.020 (0.727)
Audited × After                        −             −0.497 (0.003)
Implemented Recommendations × After    −                                         −0.623 (0.000)
Manager Financial Education            ?             0.338 (0.312)               0.317 (0.332)
Manager is New                         ?             0.001 (0.996)               0.054 (0.791)
IA Value to Manager                    ?             0.209 (0.474)               0.224 (0.437)
Performance                            ?             0.160 (0.018)               0.147 (0.041)
Intercept                                            2.735 (0.000)               2.726 (0.000)
Firm Indicators                                      Included                    Included
Number of Observations                               84                          80
Adjusted R²                                          0.534                       0.545
We had 21 pairs of audited and non-audited units that provided manager responses about overall risk. The sample totals 84 to account for before and after
audit observations. For Model 2, the sample goes down to 80 because there is one pair of observations that did not provide data on the number of IA
recommendations. The p-values are in parentheses. p-values are two-tailed unless predicted (one-tailed).
See Appendix A for variable definitions.

find that the risk rating for audited units (2.238) is significantly lower than the risk rating for non-audited units (2.762), which is
consistent with internal auditing reducing risk through its work.
For audited units, the overall risk in the after period (2.238) is significantly lower (p < 0.01) than the before period
(3.000). The change in overall risk for audited units is −0.762. For non-audited units, the overall risk in the after period (2.762)
is also significantly lower (p < 0.10) than the before period (2.905). The change in overall risk for the non-audited units is


−0.143. While both audited and non-audited units experience decreases in risk, the risk decrease for audited units (−0.762) is
larger in magnitude compared to the risk decrease for non-audited units (−0.143). The univariate difference for the change in
perceived overall risk between audited and non-audited units (−0.619) is significantly different from 0 (p < 0.01). In sum, we
find univariate evidence that managers of audited units, compared to non-audited managers, perceive greater declines in risk.
Panel B of Table 2 provides the results for Equation (1). The dependent variable for Model 1 and Model 2 is Overall Risk.
The coefficient for Audited × After is negative (−0.497) and significant (p < 0.01), suggesting that managers of audited units
perceive lower overall risk after the audit than managers of non-audited units, controlling for other factors that may influence
risk. In Model 2, we replace the variable Audited with Implemented Recommendations, which is the number of implemented IA
recommendations relative to total number of IA recommendations. The coefficient for Implemented Recommendations × After
is also negative (−0.623) and significant (p < 0.01), suggesting that managers that implemented more of internal audit’s
recommendations perceive lower overall risk after the audit.15
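The interaction logic of Equation (1), as an added example that is not the authors' code: with no controls or firm indicators the model is saturated over the four Audited/After cells, so the coefficient on Audited × After equals the univariate difference in changes reported in Table 2, Panel A. The individual ratings below are constructed so that only the four cell means match Panel A, and the function names are this example's own.

```python
"""Difference-in-differences reading of Equation (1), on constructed ratings."""

# Constructed five-point risk ratings (1 = very low ... 5 = very high).
# Individual values are hypothetical; only the four cell means are chosen to
# match Table 2, Panel A (3.000, 2.238, 2.905, 2.762 with n = 21 per cell).
CELLS = {
    # (audited, after): ratings
    (1, 0): [2] * 5 + [3] * 11 + [4] * 5,            # mean 63/21 = 3.000
    (1, 1): [1] * 3 + [2] * 11 + [3] * 6 + [4] * 1,  # mean 47/21 = 2.238
    (0, 0): [2] * 6 + [3] * 11 + [4] * 4,            # mean 61/21 = 2.905
    (0, 1): [2] * 8 + [3] * 10 + [4] * 3,            # mean 58/21 = 2.762
}


def build_rows(cells):
    """Return (X, y): design rows [1, Audited, After, Audited*After] and ratings."""
    X, y = [], []
    for (audited, after), ratings in cells.items():
        for r in ratings:
            X.append([1.0, float(audited), float(after), float(audited * after)])
            y.append(float(r))
    return X, y


def solve(A, b):
    """Solve A x = b by Gaussian elimination with partial pivoting."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        if abs(M[pivot][col]) < 1e-12:
            raise ValueError("design matrix is rank deficient")
        M[col], M[pivot] = M[pivot], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for c in range(col, n + 1):
                M[r][c] -= f * M[col][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        s = M[i][n] - sum(M[i][j] * x[j] for j in range(i + 1, n))
        x[i] = s / M[i][i]
    return x


def ols(X, y):
    """Ordinary least squares via the normal equations (X'X) b = X'y."""
    k = len(X[0])
    XtX = [[sum(row[i] * row[j] for row in X) for j in range(k)] for i in range(k)]
    Xty = [sum(row[i] * yi for row, yi in zip(X, y)) for i in range(k)]
    return solve(XtX, Xty)


def mean(values):
    """Arithmetic mean of a non-empty list."""
    return sum(values) / len(values)


def did_from_means(cells):
    """Change for audited units minus the same change for non-audited units."""
    audited_change = mean(cells[(1, 1)]) - mean(cells[(1, 0)])
    control_change = mean(cells[(0, 1)]) - mean(cells[(0, 0)])
    return audited_change - control_change


def fit_equation_1(cells):
    """Fit Equation (1) without controls; return the four coefficients by name."""
    X, y = build_rows(cells)
    a0, a1, a2, a3 = ols(X, y)
    return {"Intercept": a0, "Audited": a1, "After": a2, "Audited x After": a3}


if __name__ == "__main__":
    for name, value in fit_equation_1(CELLS).items():
        print(f"{name:16s} {value:7.3f}")
    print(f"{'DiD of means':16s} {did_from_means(CELLS):7.3f}")
```

The paper's Model 1 estimate for the interaction differs from this no-controls value because Model 1 also includes the unit-level controls and firm indicators.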
Table 3 provides the results for Equations (2), (3), and (4). The dependent variable for Model 1, Model 2, and Model 3 is
Overall Risk. The coefficients for Audited REPORT AC × After and Audited NO REPORT AC × After are both negative and
significant (p < 0.05). However, there is no statistical difference between the two interaction term coefficients, suggesting that
managers of audited units perceive similar decreases in overall risk after the audit regardless of whether the internal audit
reports to the audit committee. Thus, H2 is not supported.
The lack of support for H2 is consistent with the counter-intuitive finding of both Norman, A. Rose, and J. Rose (2010) and
Hoos et al. (2018), who both find that having internal audit report to the audit committee is associated with lower assessments
of risk likely because the internal auditors want to appear like they are doing their jobs to reduce risk well. We encourage future
research on this important topic.
The coefficients for Audited QAR × After and Audited NO QAR × After are both negative and significant (p < 0.05).
However, the coefficient for the interaction term Audited QAR × After (−0.677) is significantly lower (p = 0.05) than that for
the interaction term Audited NO QAR × After (−0.234). This suggests that managers who are audited by internal audit with a
recent QAR perceive greater decreases in risk compared to managers who are audited by internal audit without a QAR, a
finding consistent with H3.
The coefficient for Audited MTG × After is negative and significant (p < 0.01). Further, the coefficient for the interaction
term Audited MTG × After (−0.631) is significantly lower (p < 0.05) than that for the interaction term Audited NO MTG × After
(−0.110). This suggests that managers who are audited by an internal audit being used as a MTG perceive greater decreases in
risk compared to managers who are audited by an internal audit not being used as a MTG, a finding consistent with H4.16
In sum, we find that managers of audited units perceive greater decreases in overall risk compared to managers of units that
did not get an audit. This effect is further strengthened when the IAF has gone through a recent QAR and is used as a training
ground for future managers.

Supplemental Analyses
Improvements in Performance
While our main analyses center on perceived risk, we also examine whether the area being evaluated improved its
performance. We asked unit managers to rate the overall performance of their area for the time period before and after the audit
(or equivalent time period in case of non-audited managers). The respondents rated the performance level using a seven-point
scale with higher values suggesting better performance.17
We rerun Equations (1) to (4), changing the dependent variable to Overall Performance and including Overall Risk as a
control variable. In addition, because the focus is on changes in unit performance, we set the sample to include audited units
that received operations-focused audits and their matched non-audited units. Table 4 displays the results. The coefficient for
Operations Audited × After is positive (0.488) and significant (p < 0.10), suggesting that managers of audited units perceive
higher performance after the audit than managers of non-audited units. When we examine differences in internal audit

15 In untabulated analyses, we examine perceptions of particular risks (i.e., operating, financial, and compliance risks). Managers that received operations-
focused audits perceive a greater decline in operating risks than managers of non-audited units. There also appears to be some spillover effects as those
same managers also perceive greater declines in financial risks compared to their non-audited counterparts.
16 One limitation of this analysis is that we do not know how many of the managers that responded to our survey had previously been in internal audit.
Although it is possible that managers may have previously been in internal audit, we believe it is unlikely to bias our results since managers in both the
audited and non-audited group could have come from the internal audit, and we have no theoretical reason to believe one of these groups would answer
in a more biased manner than the other. Furthermore, when we compare how audited managers of MTG firms perceive the value of IA relative to those
of non-MTG firms, we observe no significant differences.
17 The scale was labeled (−3) significantly below average, (−2) moderately below average, (−1) slightly below average, (0) average, (1) slightly above
average, (2) moderately above average, and (3) significantly above average.


TABLE 3
IA Characteristics and Changes in Overall Risk
Overall Risk
Variable                            Pred. Sign    Model 1 Coeff. (p-value)    Model 2 Coeff. (p-value)    Model 3 Coeff. (p-value)
Audited REPORT AC                   ?             0.161 (0.320)
Audited NO REPORT AC                ?             0.012 (0.961)
Audited QAR                         ?                                         0.131 (0.628)
Audited NO QAR                      ?                                         0.037 (0.866)
Audited MTG                         ?                                                                     0.011 (0.957)
Audited NO MTG                      ?                                                                     0.295 (0.113)
After                               ?             0.016 (0.801)               0.032 (0.579)               0.031 (0.631)
Audited REPORT AC × After           −             −0.532 (0.011)
Audited NO REPORT AC × After        −             −0.472 (0.028)
Audited QAR × After                 −                                         −0.677 (0.003)
Audited NO QAR × After              −                                         −0.234 (0.038)
Audited MTG × After                 −                                                                     −0.631 (0.000)
Audited NO MTG × After              −                                                                     −0.110 (0.253)
Manager Financial Education         ?             0.350 (0.298)               0.342 (0.320)               0.345 (0.234)
Manager is New                      ?             0.018 (0.933)               0.015 (0.946)               0.024 (0.901)
IA Value to Manager                 ?             0.210 (0.477)               0.211 (0.500)               0.184 (0.525)
Performance                         ?             0.167 (0.008)               0.146 (0.032)               0.147 (0.029)
Intercept                                         2.729 (0.000)               2.725 (0.000)               2.732 (0.000)
Firm Indicators                                   Included                    Included                    Included
Number of Observations                            84                          84                          84
Adjusted R²                                       0.521                       0.532                       0.564
Hypotheses Tests: p-value for difference
in interaction coefficients                       0.858                       0.050                       0.018
We had 21 pairs of audited and non-audited units that provided manager responses about overall risk. The sample totals 84 to account for before and after
audit observations. The p-values (two-tailed) are in parentheses. p-values are two-tailed unless predicted (one-tailed).
See Appendix A for variable definitions.

characteristics (i.e., reporting to audit committee, QAR, and MTG), we find that managers who are audited by an internal audit
with a recent QAR perceive greater performance improvements compared to managers who are audited by an internal audit
without a QAR (p < 0.01). Additionally, managers who are audited by an internal audit being used as a MTG perceive greater
performance improvements compared to managers who are audited by an internal audit not being used as a MTG (p < 0.05).


TABLE 4
Supplemental Analyses
Operations-Focused Audits and Changes in Overall Performance
Performance
Variable                                    Pred. Sign    Model 1 Coeff. (p-value)    Model 2 Coeff. (p-value)    Model 3 Coeff. (p-value)    Model 4 Coeff. (p-value)
Operations Audited                          ?             0.039 (0.918)
Operations Audited REPORT AC                ?                                         0.696 (0.044)
Operations Audited NO REPORT AC             ?                                         0.466 (0.317)
Operations Audited QAR                      ?                                                                     0.017 (0.977)
Operations Audited NO QAR                   ?                                                                     0.125 (0.782)
Operations Audited MTG                      ?                                                                                                 0.222 (0.662)
Operations Audited NO MTG                   ?                                                                                                 0.760 (0.141)
After                                       ?             0.631 (0.003)               0.630 (0.005)               0.649 (0.003)               0.635 (0.003)
Operations Audited × After                  +             0.488 (0.073)
Operations Audited REPORT AC × After        +                                         0.648 (0.080)
Operations Audited NO REPORT AC × After     +                                         0.392 (0.220)
Operations Audited QAR × After              +                                                                     1.027 (0.020)
Operations Audited NO QAR × After           +                                                                     0.108 (0.609)
Operations Audited MTG × After              +                                                                                                 0.811 (0.041)
Operations Audited NO MTG × After           +                                                                                                 0.364 (0.829)
Manager Financial Education                 ?             0.091 (0.869)               0.329 (0.568)               0.006 (0.992)               0.102 (0.843)
Manager is New                              ?             0.747 (0.102)               0.536 (0.219)               0.818 (0.053)               0.742 (0.085)
IA Value to Manager                         ?             0.197 (0.698)               0.252 (0.562)               0.090 (0.865)               0.181 (0.726)
Overall Risk                                ?             0.672 (0.203)               0.676 (0.157)               0.557 (0.263)               0.646 (0.228)
Intercept                                                 2.361 (0.052)               2.210 (0.061)               2.113 (0.052)               2.285 (0.065)
Firm Indicators                                           Included                    Included                    Included                    Included
Number of Observations                                    76                          76                          76                          76
Adjusted R²                                               0.350                       0.385                       0.360                       0.355
p-value for difference in interaction coefficients                                    0.724                       0.008                       0.022
In the sample, there are 19 audited units (out of 21 audited units) that had an audit with an operational focus and data on performance. The p-values (two-
tailed) are in parentheses. p-values are two-tailed unless predicted (one-tailed).
See Appendix A for variable definitions.


TABLE 5
Supplemental Analyses
CAE Perspective on Changes in Risk

Panel A: Univariate Differences in Changes in Risks


                   n    Audited Unit    n    Non-Audited Unit    Difference    p-value
ΔOverall Risk     48    0.583          48    0.188               0.395         < 0.01
In the sample, CAEs provided an assessment of changes in overall risk for 48 pairs of audited and non-audited units.

Panel B: Linear Regression Results


Overall Risk
Variable                  Pred. Sign    Coeff. (p-value)
Audited                   ?             0.313 (0.009)
After                     ?             0.188 (0.037)
Audited × After           −             −0.396 (0.003)
Intercept                               3.063 (0.000)
Firm Indicators                         Included
Number of Observations                  192
Adjusted R²                             0.441
CAEs provided responses about overall risk for 48 pairs of audited and non-audited units that provided manager responses about overall risk. The sample
totals 192 to account for before and after audit observations. The p-values are in parentheses. p-values are two-tailed unless predicted (one-tailed).
See Appendix A for variable definitions.

Investigating the CAEs’ Perspectives


We examine the responses of CAEs about their perception of changes in risk.18 Panel A of Table 5 provides univariate
results. In the sample, there are 48 pairs of audited and matched non-audited units. The univariate difference for the change in
perceived overall risk between audited and non-audited units (0.395) is significantly different from 0 (p < 0.01).
Linear regression results are similar to the H1 findings (see Panel B of Table 5).19 That is, results indicate that CAEs
perceive greater declines in overall risk for audited units compared to non-audited units. In an untabulated analysis, however,
we do not find that IAF reporting to the audit committee, QAR, or IAF used as a MTG differentially affects CAEs’ perceptions
of risk changes.

V. CONCLUSION
Because of a dynamic and uncertain business environment, organizations need to manage risk to be successful. Although
the IIA explicitly defines the IAF as a provider of assurance and consulting services to add value to organizations through an
improvement of risk management, the benefit and value of IAFs in this domain have not been tested. Our results show an
internal audit reduces the perceived risks of the audited units more compared to non-audited units. We also present evidence
suggesting that audited units perceive greater improvements in performance relative to non-audited units.

18 The observations in these analyses are based on available and complete CAE responses about overall risk ratings.
19 Company-wide control variables are controlled for by adding firm fixed effects to the model. Due to data limitations, we do not control for unit-level
variables in the CAE model.


Our results extend previous research on the benefits of internal audit and provide evidence of the IAF’s ability to fit its
definitional charge of adding value to the organization by reducing perceived risk. These findings should be of use to internal
auditors trying to demonstrate the value they add to an organization and secure sufficient resources for their function. Our study
also contributes by demonstrating that CAEs and heads of business units assess risk and changes in risk similarly (see
Appendix B for full details). This is a useful finding in that future research should be able to economize surveying techniques
and focus on only one group—as both groups provide similar responses. This should encourage future research as it makes it
less onerous to gather samples of perceptions of risk.
Our study is subject to certain limitations. First, we measure the perception of risk and not whether actual risk changes.
Future studies that can measure the actual risk a business unit faces would make a significant contribution to the literature.
Second, we recognize that the choice of which units to audit still results in endogeneity concerns. Certain units may be selected
to an audit that are somehow different than the units that were not selected for an audit. We try to mitigate this by providing
guidance on the most important variables with which the CAE should match the audited and non-audited units. However, we
are unable to ascertain statistically the quality of this match and whether it controls for all possible endogeneity concerns.
Finally, as a third limitation, in seeking participants, the letter we sent to internal auditors contained wording that may have
biased participants.20 We view it as unlikely that this influenced our results because (1) it would be difficult to follow the
stringent matching criteria we laid out and still select a biased sample, (2) we had different groups with varying perceptions of
internal audit respond to our survey, and the results were consistent across the groups,21 and (3) the results do not always show
that internal audit improves risk. For example, we did not find evidence that internal audit reduces compliance risk. If
respondents were biased to show internal audit is valuable, we should see similar results across all dependent variables.
We encourage continued research in internal audit. We show that managers perceive improvements in overall risk after an
audit by internal auditors. We also attempt to shed light on how internal audit can beneficially affect the management of specific
risks, such as financial risk and compliance risk. Due to data limitations, we are not able to build conclusive inferences on this
front. We urge future research to investigate how internal audit can assist the management of particular risks, particularly
financial risk and compliance risk.
Finally, while the internal audit research has not yet approached the volume of external audit research in demonstrating that
internal audit matters, the body of knowledge about internal audit research is growing. From this study and other research, it
appears that internal audit can add significant value to organizations and that business leaders do not yet fully appreciate the
benefits of internal auditing. Future research will hopefully shed light on why this is the case and continue testing the value that
internal auditing adds to companies and society.

REFERENCES
Abbott, L. J., S. Parker, and G. F. Peters. 2010. Serving two masters: The association between audit committee internal audit oversight
and internal audit activities. Accounting Horizons 24 (1): 1–24.
Abbott, L. J., S. Parker, and G. F. Peters. 2012. Audit fee reductions from internal audit-provided assistance: The incremental impact of
internal audit characteristics. Contemporary Accounting Research 29 (1): 94–118. https://doi.org/10.1111/j.1911-3846.2011.01072.x
Abbott, L. J., B. Daugherty, S. Parker, and G. F. Peters. 2016. Internal audit quality and financial reporting quality: The joint importance
of independence and competence. Journal of Accounting Research 54 (1): 3–40. https://doi.org/10.1111/1475-679X.12099
Anderson, D. 2016. Relationships and risk. Available at: https://www.iia.nl/SiteFiles/Publicaties/IIARF%20CBOK%20%20Stakeholder%20%20Relationships%20and%20Risk%20March%202016_5.pdf
Anderson, U. L., M. H. Christ, K. M. Johnstone, and L. E. Rittenberg. 2012. A post-SOX examination of factors associated with the size
of internal audit functions. Accounting Horizons 26 (2): 167–191. https://doi.org/10.2308/acch-50115
AON. 2019. Aon’s 2019 global risk management survey. Available at: https://aon.mediaroom.com/2019-04-29-Aon-reports-risk-
readiness-drops-to-lowest-level-in-12-years
Bailey, A. D., A. A. Gramling, and S. Ramamoorti, eds. 2003. Research Opportunities in Internal Auditing. Altamonte Springs, FL:
Institute of Internal Auditors Research Foundation.

20
The specific wording stated: ‘‘The purpose of this research project is to evaluate the effectiveness and value added from the organization’s internal audit
function (IAF). We are interested in changes in performance and risk of units audited in 2013, as well as determining which company and internal audit
characteristics explain improved performance or reduced risk.’’
21
Relatedly, the CAE respondents have the greatest incentive to make internal audit appear favorably and yet the descriptive statistics show that CAEs
were less likely to suggest internal audit improved compliance risk or operating risk relative to the managers who were audited (although this difference
is not statistically significant, see Appendix B).

Auditing: A Journal of Practice & Theory


Volume 39, Number 3, 2020
70 Carcello, Eulerich, Masli, and Wood

Barr-Pulliam, D. 2017. The relationship between internal audit assurance frequency and earnings manipulation intent and behavior: A
theory of planned behavior approach. Working paper, University of Louisville.
Barr-Pulliam, D. 2018. The joint effects of the internal audit function’s use of continuous auditing and its use as a management training
ground on managerial discretion in financial reporting. Working paper, University of Louisville.
Barr-Pulliam, D. 2019. The effects of continuous auditing and role duality on the incidence and likelihood of reporting management
opportunism. Management Accounting Research 44: 44–56. https://doi.org/10.1016/j.mar.2018.10.001
Bartlett, G. D., J. Kremin, K. Saunders, and D. A. Wood. 2016. Attracting applicants for in-house and outsourced internal audit positions:
Views from external auditors. Accounting Horizons 30 (1): 143–156. https://doi.org/10.2308/acch-51309
Bartlett, G. D., J. Kremin, K. Saunders, and D. A. Wood. 2017. Factors influencing recruitment of non-accounting business professionals
into internal auditing. Behavioral Research in Accounting 29 (1): 119–130. https://doi.org/10.2308/bria-51643
Beasley, M., B. Branson, and D. Pagach. 2015. An analysis of the maturity and strategic impact of investments in ERM. Journal of
Accounting and Public Policy 34 (3): 219–243. https://doi.org/10.1016/j.jaccpubpol.2015.01.001
Beasley, M. S., R. Clune, and D. Hermanson. 2006. The impact of enterprise risk management on the internal audit function. Journal of
Forensic Accounting 2006: 1–20.
Beasley, M., J. Carcello, D. Hermanson, and P. D. Lapides. 2000. Fraudulent financial reporting: Consideration of industry traits and
corporate governance mechanisms. Accounting Horizons 14 (4): 441–454. https://doi.org/10.2308/acch.2000.14.4.441
Bills, K. L., H. W. Huang, Y. H. Lin, and D. A. Wood. 2019. Internal audit turnover, financial reporting quality and audit risk
assessment. Working paper, Michigan State University, National Cheng Kung University, Monash University, and Brigham Young
University.
Boyle, D. M., F. T. DeZoort, and D. R. Hermanson. 2015. The effects of internal audit report type and reporting relationship on internal
auditors’ risk judgments. Accounting Horizons 29 (3): 695–718. https://doi.org/10.2308/acch-51110
Burton, G. F., S. A. Emett, C. A. Simon, and D. A. Wood. 2012. Corporate managers’ reliance on internal auditor recommendations.
Auditing: A Journal of Practice & Theory 31 (2): 151–166. https://doi.org/10.2308/ajpt-10234
Burton, G. F., M. W. Starliper, S. L. Summers, and D. A. Wood. 2015. The effects of using the internal audit function as a management
training ground or as a consulting services provider in enhancing the recruitment of internal auditors. Accounting Horizons 29 (1):
115–140. https://doi.org/10.2308/acch-50925
Carcello, J. V., M. Eulerich, A. Masli, and D. A. Wood. 2018. The value to management of using the internal audit function as a
management training ground. Accounting Horizons 32 (2): 121–140. https://doi.org/10.2308/acch-52046
Chambers, R. 2013. NASDAQ hesitates in its quest to mandate internal audit. Available at: https://iaonline.theiia.org/blogs/chambers/
2013/Pages/NASDAQ-Hesitates-in-Its-Quest-to-Mandate-Internal-Audit.aspx
Christ, M. H., A. Masli, N. Y. Sharp, and D. A. Wood. 2015. Rotational internal audit programs and financial reporting quality: Do
compensating controls help? Accounting, Organizations and Society 44: 37–59. https://doi.org/10.1016/j.aos.2015.05.004
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2013. Internal Control—Integrated Framework:
Executive summary. Available at: https://www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2017. Enterprise risk management: Integrating with
strategy and performance: Executive summary. Available at: https://www.coso.org/Documents/2017-COSO-ERM-Integrating-
with-Strategy-and-Performance-Executive-Summary.pdf
Coram, P., C. Ferguson, and R. Moroney. 2008. Internal audit, alternative internal audit structures and the level of misappropriation of
fraud. Accounting & Finance 48 (4): 543–559. https://doi.org/10.1111/j.1467-629X.2007.00247.x
DeFond, M., and J. Zhang. 2014. A review of archival auditing research. Journal of Accounting and Economics 58 (2/3): 275–326.
https://doi.org/10.1016/j.jacceco.2014.09.002
Dejnaronk, J., H. T. Little, B. G. Mujtaba, and R. McClelland. 2016. Factors influencing the effectiveness of the internal audit function in
Thailand. Journal of Business and Policy Research 11 (2): 80–93. https://dx.doi.org/10.21102/jbpr.2016.12.112.05
Deloitte. 2015. Global risk management survey, ninth edition. Available at: https://www2.deloitte.com/content/dam/Deloitte/ru/
Documents/financial-services/ru-global-risk-management-survey-9th-edition.pdf
de Zwaan, L., J. Stewart, and N. Subramaniam. 2011. Internal audit involvement in enterprise risk management. Managerial Auditing
Journal 26 (7): 586–604. https://doi.org/10.1108/02686901111151323
Ege, M. 2015. Does internal audit function quality deter management misconduct? The Accounting Review 90 (2): 495–527. https://doi.
org/10.2308/accr-50871
Eulerich, M., J. Kremin, K. K. Saunders, and D. A. Wood. 2020. Internal audit stigma awareness and internal audit outcomes: Stuck
between a rock and a hard place. Working paper, University of Duisburg-Essen, Portland State University, University of
Nebraska–Lincoln, and Brigham Young University.
Felix, W. L., Jr., A. A. Gramling, and M. J. Maletta. 2001. The contribution of internal audit as a determinant of external audit fees and
factors influencing this contribution. Journal of Accounting Research 39 (3): 513–534. https://doi.org/10.1111/1475-679X.00026
German Accounting Modernization Act. 2009. (§107 3.2 AktG).
Gramling, A. A., M. J. Maletta, A. Schneider, and B. K. Church. 2004. The role of the internal audit function in corporate governance: A
synthesis of the extant internal auditing literature and directions for future research. Journal of Accounting Literature 23: 194–244.

Auditing: A Journal of Practice & Theory


Volume 39, Number 3, 2020
Are Internal Audits Associated with Reductions in Perceived Risk? 71

Ho, S., and M. Hutchinson. 2010. Internal audit department characteristics/activities and audit fees: Some evidence from Hong Kong
firms. Journal of International Accounting, Auditing & Taxation 19 (2): 121–136. https://doi.org/10.1016/j.intaccaudtax.2010.07.
004
Hoos, F., W. F. Messier, Jr., J. L. Smith, and P. R. Tandy. 2018. An experimental investigation of the interaction effect of management
training ground and reporting lines on internal auditor’s objectivity. International Journal of Auditing 22 (2): 150–163. https://doi.
org/10.1111/ijau.12110
Hoyt, R. E., and A. P. Liebenberg. 2011. The value of enterprise risk management. The Journal of Risk and Insurance 78 (4): 795–822.
https://doi.org/10.1111/j.1539-6975.2011.01413.x
Institute of Internal Auditors (IIA). 2009. IIA position paper: The role of internal auditing in enterprise-wide risk management. Available
at: https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Role%20of%20Internal%20Auditing%20in%
20Enterprise%20Risk%20Management.pdf
Institute of Internal Auditors (IIA). 2012. International Standards for the Professional Practice of Internal Auditing (Standards). Lake
Mary, FL: IIA.
Institute of Internal Auditors (IIA). 2013. Comment letter on SR-NASDAQ-2013-032. March 28. Available at: https://www.sec.gov/
comments/sr-nasdaq-2013-032/nasdaq2013032-24.pdf
Institute of Internal Auditors (IIA). 2016. International Standards for the Professional Practice of Internal Auditing. Lake Mary, FL: IIA.
Jiang, L., W. F. Messier, Jr., and D. A. Wood. 2020. The association between internal audit operations-related services and firm operating
performance. Auditing: A Journal of Practice & Theory 39 (1): 101–124. https://doi.org/10.2308/ajpt-52565
Lenz, R., and U. Hahn. 2015. A synthesis of empirical internal audit effectiveness literature pointing to new research opportunities.
Managerial Auditing Journal 30 (1): 5–33. https://doi.org/10.1108/MAJ-08-2014-1072
Lin, S., M. Pizzini, M. Vargus, and I. R. Bardhan. 2011. The role of the internal audit function in the disclosure of material weaknesses.
The Accounting Review 86 (1): 287–323. https://doi.org/10.2308/accr.00000016
McShane, M. K., A. Nair, and E. Rustambekov. 2011. Does enterprise risk management increase firm value? Journal of Accounting,
Auditing & Finance 26 (4): 641–658. https://doi.org/10.1177%2F0148558X11409160
Messier, W. F., Jr., J. K. Reynolds, C. A. Simon, and D. A. Wood. 2011. The effect of using the internal audit function as a management
training ground on the external auditor’s reliance decision. The Accounting Review 86 (6): 2131–2154. https://doi.org/10.2308/
accr-10136
Murphy, M. 2013. Internal audit staffs need to foresee talent shortages: CEB. Available at: https://blogs.wsj.com/cfo/2013/01/17/
internal-audit-staffs-need-to-foresee-talent-shortages-ceb/
NASDAQ. 2013. SR-NASDAQ-2013-032. Available at: https://www.sec.gov/rules/sro/nasdaq/2013/34-69030.pdf
Norman, C. S., A. M. Rose, and J. M. Rose. 2010. Internal audit reporting lines, fraud risk decomposition, and assessments of fraud risk.
Accounting, Organizations and Society 35 (5): 546–557. https://doi.org/10.1016/j.aos.2009.12.003
NYSE n.d. NYSE listed company manual. Available at: https://nysemanual.nyse.com/LCM/Sections/
Prawitt, D. F., J. L. Sharp, and D. A. Wood. 2011. Reconciling archival and experimental research: Does internal audit contribution affect
the external audit fee? Behavioral Research in Accounting 23 (2): 187–206. https://doi.org/10.2308/bria-10065
Prawitt, D. F., N. Y. Sharp, and D. A. Wood. 2012. Internal audit outsourcing and the risk of misleading or fraudulent financial reporting:
Did Sarbanes-Oxley get it wrong? Contemporary Accounting Research 29 (4): 1109–1136. https://doi.org/10.1111/j.1911-3846.
2012.01141.x
Prawitt, D. F., N. Y. Smith, and D. A. Wood. 2009. Internal audit quality and earnings management. The Accounting Review 84 (4):
1255–1280. https://doi.org/10.2308/accr.2009.84.4.1255
Protiviti. 2013. SEC Flash Report—NASDAQ withdraws proposed internal audit function rule with intent to resubmit it. Available at:
https://www.protiviti.com/CH-en/insights/nasdaq-withdraws-proposed-internal-audit-function-rule-intent-resubmit-it
Sarens, G., and I. De Beelde. 2006. Internal auditors’ perception about their role in risk management: A comparison between U.S. and
Belgian companies. Managerial Auditing Journal 21 (1): 63–80. https://doi.org/10.1108/02686900610634766
Securities and Exchange Commission (SEC). 2013. Notice of Filing of Proposed Rule Change to Require That Listed Companies Have
an Internal Audit Function. March 4. Release No. 34-69030; SR-NASDAQ-2013–032. Washington, DC: GPO.

Auditing: A Journal of Practice & Theory


Volume 39, Number 3, 2020
72 Carcello, Eulerich, Masli, and Wood

APPENDIX A
Definition of Variables Included in the Regression Models
Variable Name: Definition
After: 1 if the observation relates to the period after the audit; 0 otherwise.
Audited: 1 if the observation relates to a response about an audited unit; 0 about a non-audited unit.
Audited REPORT AC: 1 if the observation relates to a response about a unit audited by IAF that reports to the AC; 0 otherwise.
Audited NO REPORT AC: 1 if the observation relates to a response about a unit audited by IAF that does not report to the AC; 0 otherwise.
Audited QAR: 1 if the observation relates to a response about a unit audited by IAF that had a recent QAR; 0 otherwise.
Audited NO QAR: 1 if the observation relates to a response about a unit audited by IAF that had not had a recent QAR; 0 otherwise.
Audited MTG: 1 if the observation relates to a response about a unit audited by IAF that is used as a MTG; 0 otherwise.
Audited NO MTG: 1 if the observation relates to a response about a unit audited by IAF that is not used as a MTG; 0 otherwise.
IA Value to Manager: 1 if the manager fully agrees to the statement that IA adds value to a unit when audited; 0 otherwise. Answers can scale from 1 (fully disagree) to 7 (fully agree).
Implemented Recommendations: Number of IA recommendations that were implemented divided by total number of IA recommendations (the value is 0 for responses about non-audited units).
Manager Financial Education: 1 if the unit manager has a financial/accounting background; 0 otherwise.
Manager is New: 1 if the unit manager has been in the position for  3 years; 0 otherwise.
Operations Audited: 1 if the observation relates to a response about an audited unit that had an operations-focused audit; 0 otherwise.
Overall Risk: Overall risk (on a scale of 1 = very low to 5 = very high).
Performance: Overall performance (on a scale of −3 = significantly below average to +3 = significantly above average).


APPENDIX B
Comparison of Responses between CAE and
Heads of Audited and Non-Audited Units

Panel A: Comparison of Responses for CAE and Heads of Audited Units


Risk Item           CAE Mean   Manager Mean   Difference   p-value
ΔOperating Risk     0.429      0.786          0.357        0.266
ΔFinancial Risk     0.555      0.333          0.222        0.347
ΔCompliance Risk    0.3        0.5            0.2          0.168
ΔOverall Risk       0.643      0.5            0.143        0.165
All p-values are two-tailed. Paired t-tests were conducted to test differences in means. For each measure, we had the following n: 14 pairs for change in
operating risk, 9 pairs for change in financial risk, 10 pairs for change in compliance risk, and 14 pairs for change in overall risk. Please see Appendix A
for variable definitions.

Panel B: Comparison of Responses for CAE and Heads of Non-Audited Units


Risk Item           CAE Mean   Manager Mean   Difference   p-value
ΔOperating Risk     0.091      0              0.091        0.588
ΔFinancial Risk     0.091      0.091          0.182        0.167
ΔCompliance Risk    0.1        0.2            0.1          0.678
ΔOverall Risk       0          0.077          0.077        0.585
All p-values are two-tailed. Paired t-tests were conducted to test differences in means. For each measure, we had the following n: 11 pairs for change in
operating risk, 11 pairs for change in financial risk, 10 pairs for change in compliance risk, and 13 pairs for change in overall risk. Please see Appendix A
for variable definitions.

Copyright of Auditing: A Journal of Practice & Theory is the property of American
Accounting Association and its content may not be copied or emailed to multiple sites or
posted to a listserv without the copyright holder's express written permission. However, users
may print, download, or email articles for individual use.
