Keywords

Internal Audit; Internal Audit; Risk Management; Governance; Internal Control; Structured Literature Review

Introduction

Background

Far before the Institute of Internal Auditors (IIA) was established and the first professional standards promulgated, the internal audit has become an interesting subject to study(Table 1). Behrend & Eulerich pointed out a noticeable growing interest in internal audit research, as seen from the publication of articles in accounting journals in 1926 and 2016. The peak of the research growth on the internal audit occurred in the last decade (2005-2016), triggered by the endorsement from the new regulation Sarbanes-Oxley Act of 2002 (SOX) in the United States as well as Canada with its Bill 198 (Behrend & Eulerich, 2019; Roussy & Perron, 2018).

Table 1 Previous Literature Review Related To Internal Audit
Researchers	Focus	Limitation
(Gramling et al., 2004)	Role of IA in Governance. IA is the resource for all three other organs (management, AC, EA).	It was limited to the governance aspect, excluding risk management and control.
(Hass et al., 2006)	Scope of internal auditing & skillsets of internal auditors changes caused by the environment in America	Limited to the American setting
(Cooper et al., 2006)	The development of IA practices in the Asia Pacific, by chronologically looking at regional literature	Limited to the Asia Pacific setting and very few research reports to be reviewed
(Allegrini et al., 2006)	The literature review on internal auditing in Europe	Limited to European setting and the studies are selected subjectively.
(Lenz & Hahn, 2015)	Micro and macro factors influenced IA effectiveness. IA self-assessment and stakeholders’ perspective.	Limited to IA quality theme
(Al-akra et al., 2016)	Independence and objectivity, IA role in consulting activities	Limited to MENA countries setting and only in the IA structure and mindset theme
(Roussy & Perron, 2018)	The multiple roles of IA, IA quality, and the practice of internal auditing	Structured review but subjectively theme selected to be synthesized
(Behrend & Eulerich, 2019)	The bibliometric analysis of published research on the evolution of IA theme (1926–2016)	Structured review based on limited source (5 journals)

Behrend & Eulerich, some researchers have sought to synthesize knowledge from internal audit research. Table 1 shows the literature review published on leading business, financial, and accounting journals in the last two decades. As seen in the table, very few literature reviews are conducted in a systematic way. This situation can be understandable given the accounting literature review in a structured and systematic way yet much developed (Massaro et al., 2016). Besides, the studies are also limited to specific regional settings and themes. Thus, there are many opportunities to create syntheses from various directions of other aspects of internal audit.

This essay will be continuing what Gramling has done (2004) with an extended range of time up to 2019. The consideration is that Gramling's work has been reasonably robust for many of the subsequent internal audit studies. This study will use a structured literature review approach, as suggested by Massaro et al. The reviewed theme will also be expanded from the role of internal audit in governance, coupled with the role in risk management and internal control. This additional scope considers the definition of internal auditing released in 1999, stating the nature of the internal audit work is to evaluate and improve the efficacy of governance, risk management, and control processes (Coetzee & du Bruyn, 2001; IIA, 2017).

Purpose of the Study

This study intends to reveal insights from the two last decades of literature under the theme of the internal audit nature of work. This study also criticizes the literature as an emerging, developing, or maturing topic and suggests future research paths.

Novelty

As seen in Table 1, it has yet to be found credible future research paths under the theme of the internal audit nature of work. The methodology used in this study, structured literature review, is also a new approach in the field of accounting.

Theoretical Framework

Previous Literature Theory

Previous researchers have conducted some literature reviews. There is at least eight literature reviews in the field of internal audit reported in the leading business, financial, and accounting journals over the last two decades. Below are the syntheses of their research.

Gramling et al., (2004) became the most influential in this period, with many researchers cited the results of their seminal work to further develop knowledge in the subject of internal audit. The theme Gramling highlighted is the role of the internal audit as one of the four corporate governance pillars, in addition to management, audit committee, and external auditor. Grambling’s governance framework is the procedures and activities that the organization uses to ensure that risk has been mitigated and controlled so that the management report is accurate for stakeholders. They pointed out how IA quality is so essential that it can be a reliable source for all three other corporate governance pillars. Based on the review, Gramling suggested further studies on the quality of IA, related to the determinant of its factors, measurements, objectivity, professionalism, and demand-side quality. However, this internal audit quality theme seems still interesting to be studied to date (Roussy & Perron, 2018). In line with the quality of internal audit, the demand-side and supply-side approaches are also used in the theme of internal audit effectiveness (Lenz & Hahn, 2015).

For the European setting, the role of internal audit in corporate governance has also been pointed out, in addition to roles in compliance (Allegrini et al., 2006). At the same time, in Asia, the debate still revolved around the proper role of the internal audit, whether the internal audit will perform a traditional role in financial audits or expand to risk assurance. Whether the consulting assignment will be an impairment of objectivity and independence or not (Cooper et al., 2006). This impairment debate seems to occur in an internal audit with a low maturity environment. There was such a debate in the MENA region at an almost equal level of maturity (Al-akra et al., 2016).

However, in America, where internal audit has reached adequate maturity, the issues reviewed are around the internal audit scope and internal auditor skillsets affected by considerable environmental changes. The Sarbanes-Oxley Act regulation affected internal audit demand with a relatively high increase. Nevertheless, this increase is more aimed at assurance tasks, which can reduce the attention of internal audit on strategic or high-risk issues facing the organization (Hass et al., 2006).

Internal Audit Nature of Work

In 1999 IIA promulgated a new definition of internal auditing, which still in effect today. In that definition, two essential things changed. First, there are consulting activities as additional to existing assurance activities. Secondly, there is additional scope of works. Previously, the internal audit scope evaluates the process and structure of internal control; since then, internal audit must also evaluate risk management and governance processes (IIA, 2017). The addition of this scope is unequivocally stated in the standard for the professional practice of internal auditing 2100–Nature of Work.

This study uses the GRC framework stated by IIA. IIA defined governance as “the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the organization's activities toward the achievement of its objectives”, risk management as “a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives”, while control as “any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved” (IIA, 2017).

Structured Literature Review

The Structure Literature Review (SLR) is generally conducted in the areas that embrace positivist views and quantitative approaches. Therefore, in the field of accounting and auditing, this approach is rarely performed. However, the accounting and auditing fields can reap the advantages of a systematic and structured approach in conducting review literature, i.e., transparency, objectivity, validity, reliability, and rigor (Massaro et al., 2016).

Methods

To summarize the internal audit knowledge developed in the past twenty years, we review the internal audit articles published in leading business, finance, and accounting journals between 1999 and 2019 using SLR. The year 1999 is chosen because, in that year, IIA promulgated a new definition of internal auditing, which still in effect to the present (IIA, 2017).

The SLR adopts a multimethod and multi-theoretical approach based on the ten steps of Massaro et al. (2016), as described in Table 2. This approach is expected to ensure a high level of transparency and replication. However, due to the research journey, the steps do not have to be performed consecutively. To make it flexible, unlimited creativity and intuition, avoid ignoring exciting research directions and overcome the weaknesses of overly rigid rules, the steps can be iterative during the research process (Easterby-Smith et al., 2015).

Table 2 Ten Steps of SLR Suggested by Massaro Et Al. (2016)
No	Steps Suggested	Our Steps
1	Write the literature review protocol.	First of all, we develop and agree on SLR protocol between researchers
2	Specify the questions that the literature review wants to answer.	We define our SLR objectives by start identifying what is known about the IA nature of work, what is the insight and related critique over there to suggest relevant research paths.
3	Determine the study type and do a comprehensive literature search.	We set several criteria for performing our search as follows:
		• Time period: 1999 to 2019 (literature after new definition of IA).
		• Database: directly on the Q1 Scopus-indexed journal websites.
		• The keyword "internal audit"; "internal auditing"; and "internal auditor" in article title.
4	Measure the impact of the article.	We use Scopus Citescore rating to measure the impact of a journal, and the sum of citation per year in the Scopus, Crossref, Google Scholar, and Microsoft Academic to measure the impact of an article.
5	Set the analytical framework.	Unit analysis is an article. We separate high-impact articles from those that do not have a high impact. For high-impact articles, we analyze articles that discuss themes related to the IA nature of work. Furthermore, we classify it by theoretical grounding to get the emergence of existing knowledge.
6	Establish reliability of literature review.	Each article is analyzed by at least two researchers. Both researchers implement the analytical framework and discuss any differences in the analysis result, to reach consensus.
7	The validity test of the literature review.	We implement various steps to assure the validity of our SLR, for example:
		• Article search using keywords that are consistent in the unambiguous part of the article title; where all researchers can ensure the article is included in the research framework.
		• The number of articles per year and per journal is measured based on descriptive statistics from research information system files that are consistently applied throughout all the articles.
		• Describe it in a table and or chart
8	The data is coded using developed frameworks.	At this stage, we use VosViewer software to dig themes by analyzing keywords provided by the authors of the articles. Themes emerging from the VosViewer analysis will be compared to the framework developed in step 5
9	Develop insights and criticism by analyzing data sets.	We use Voyant-tools software to analyze the content of selected articles and get insights from the themes of IA nature of work. Then the researchers give criticism to the literature being in emerging, developing, and maturing.
10	Develop future research paths and questions.	This section is dedicated to developed research pathways and research questions under the IA nature of work theme.

Results and Findings

Descriptive Statistics

We have searched articles with the keywords "internal audit," "internal auditing," or "internal auditor" in influential journals in the field of business, finance, and accounting published from 1999 to 2019. We determine the journal's influence by the criteria included in the Q1 ranking of the Citescore Scopus Index. Based on these search criteria, we found a total of 258 articles. Figure 1 shows an increasing trend in the publication of articles in internal audit from 1999 to 2019. Meanwhile, Table 3 shows the frequency distribution of the 258 articles in those journals.

Based on the Research Information System (RIS) file of those 258 articles, we noted 605 keywords. We analyze the interrelationship between articles based on the occurrence of these keywords using Vosviewer software, whose results can be seen in Figure 2. The figure shows the top 13 keywords that appear by setting a threshold of 10 occurrences. There are at least 4 clusters depicted in various colors. The first green cluster is articles that discuss internal audit and audit committees. The second cluster in blue is articles discussing internal audit sourcing. Third cluster with keyword study. In comparison, the fourth cluster in red discusses the subject of internal audit with governance, internal control, and risk management (GRC themes). This cluster is the most dominant internal audit theme in the last two decades and is a key theme in the internal audit nature of work.

We analyzed the internal audit nature of work cluster and found at least 90 articles covering governance, risk, and internal control topics (GRC themes). We measure the impact of these 90 articles based on the number of citations counted on Google Scholar, Crossref, Microsoft Academic, and Scopus websites. Considering the impact of the recent articles, we also consider citations per year to measure the level of influence of an article. Based on these criteria, we got 28 articles to be analyzed in-depth further. In summary, it can be described as follows:

Number of IA articles in Q1 Journals : 258

Number of IA articles covering GRC themes : 90

Number of impactful IA articles on GRC themes: 28

Table 3 Frequency Distribution Of 258 Internal Audit Articles In Leading Journals Between 1999-2019
No	Journal Name	Frequency	Percent	Cumulative Percent
1	Managerial Auditing Journal	97	37.6	37.6
2	International Journal of Auditing	53	20.5	58.1
3	Auditing: A Journal of Practice & Theory	20	7.8	65.9
4	Accounting Horizons	11	4.3	70.2
5	Meditari Accountancy Research	10	3.9	74
6	International Journal of Accounting Information Systems	9	3.5	77.5
7	Contemporary Accounting Research	8	3.1	80.6
8	Accounting Review	6	2.3	82.9
9	Accounting and Finance	5	1.9	84.9
10	Critical Perspectives on Accounting	5	1.9	86.8
11	Accounting, Organizations and Society	4	1.6	88.4
12	Journal of International Accounting, Auditing and Taxation	4	1.6	89.9
13	Accounting and Business Research	3	1.2	91.1
14	Accounting, Auditing and Accountability Journal	3	1.2	92.2
15	Accounting Forum	2	0.8	93
16	Corporate Governance	2	0.8	93.8
17	Journal of Accounting and Public Policy	2	0.8	94.6
18	Journal of Accounting Research	2	0.8	95.3
19	Journal of Accounting, Auditing and Finance	2	0.8	96.1
20	Accounting History Review	1	0.4	96.5
21	Accounting, Auditing & Accountability Journal	1	0.4	96.9
22	British Accounting Review	1	0.4	97.3
23	Corporate Governance: An International Review	1	0.4	97.7
24	European Accounting Review	1	0.4	98.1
25	Financial Accountability & Management	1	0.4	98.4
26	Financial Accountability and Management	1	0.4	98.8
27	Journal of Accounting Education	1	0.4	99.2
28	Journal of Accounting Literature	1	0.4	99.6
29	Management Accounting Research	1	0.4	100
	Total	258	100

The Role of Internal Audit in Governance

As mentioned in the theoretical framework, the nature of internal audit work is its role in governance, risk management, and control processes. Over the past two decades, at least 14 impactful articles discussed the role of internal audit in organizational governance. Table 4 shows a summary of the theme.

Table 4 Role Of Internal Audit In Governance
Author(s) and Year	Research Issue(s)	Method(s)	Result(s)
(Paape et al., 2003)	The Relationship of the IA and governance in the EU	Survey to 105 CAEs of listed companies in EU.	Not all public companies have internal audits and audit committees.
			Not all CAEs have awareness about and understand their role in corporate governance.
(Gramling et al., 2004)	The role of IA in corporate governance	Literature review.	The IA is a resource for the three other cornerstones responsible for corporate governance: the audit committee, external auditors, and senior management. IA can be a resource when it has quality.
	The relationship of the IA with other corporate governance cornerstones
(Zain et al., 2006)	The relationship between audit committee, IA, and their contribution to financial statement audits	Survey to CAE of 76 Malaysian listed companies.	There is evidence of a positive relationship between the IA contribution to financial report audits and independence, accounting/audit knowledge, and IA reviews of the audit committee.
			There is also a positive relationship between the IA contribution to auditing financial statements to the size, experience, and time availability of internal auditors, as well as the closeness of its relationship with external auditors.
(Goodwin-Stewart & Kent, 2006)	The association of IA with strong corporate governance, risk management, and control processes	Archival study of 450 Australian listed companies' data drawn from the Queensland University-KPMG Database.	The use of the IA is insignificantly associated with strong corporate governance, although the IA has strong associations with the commitment to implement risk management.
(Abbott et al., 2007)	The association between IA outsourcing with corporate governance and audit quality	Survey of 219 Chief Internal Auditors and from relevant archival proxy statements	Routine IA activities outsourcing to external auditors are less likely to happen in a company with strong audit committee governance. However, that is not the case with non-routine activities. Outsourcing routine and non-routine activities to parties other than external auditors are not related to audit committees' effectiveness.
(Prawitt et al., 2009)	The association between IA Quality and Earnings Management	Archival study with 528 firm-year observations of GAIN benchmark survey and Compustat	Earnings management is negatively associated with IA quality. Where the companies maintain a higher IA quality, there is a lower abnormal accrual.
(Christopher et al., 2009)	The relationship of the IA independence with management and the audit committee	Survey to 34 CAEs of Australian corporate sector.	In relation to management, there is a potential threat to the IA's independence from using the IA as a career steppingstone, budget approval by the CEO or CFO, and making the IA a management "partner."
(Roussy, 2013)	IA roles in the governance of public sector organization	Semi-structured in-depth interviews with 42 experienced internal auditors in Australia	In relation to audit committees, potential threats come from not all CAE reporting lines to the audit committee, and not all audit committees have the authority to appoint and dismiss CAE.
			The IA has two roles in governance: a protector role and a helper role. The first is divided into the keeper of secrets and protective shield; The second is divided into a supporter of organizational performance and guide.
			The IA considers their primary role is to serve the top manager rather than serve the audit committee. Internal auditing is not in the role of governance watchdog as desired by regulators.
(Ege, 2015)	The effect of IA quality to deter management misconduct	Archival study with 1,398 firm-years data representing 617 unique firms in the US	The IA quality is negatively related to the possibility of management misconduct.
			Companies that commit violations have a low quality of IA in the year of the violation.
(Trotman & Trotman, 2015)	The IA's role in GHG emissions and energy reporting	Interviews with 29 audit committees, senior accountants, internal auditors, and partners of accounting firms.	The role of IA in GHG emissions and energy reporting is consistent with three governance theories (agency, resource dependence, and institutional theory), where effective monitoring is essential. However, these theories are not entirely able to explain the results of the study.
(Soh & Bennie, 2015)	The role of IA in ESG assurance and consulting	Survey of 100 CAE and IA service provider partners in Australia	Governance aspects are the main issue, then social and environmental issues, in IA assurance and consulting assignments. However, in the next five years, it is believed that environmental issues will be increasingly important and require the development of internal auditor skills and expertise.
(Mihret & Grant, 2017)	The IA's role in governance in a Foucauldian analysis	Conceptual paper	The research develops a conceptual formulation of internal auditing. Within management's preconceived frameworks, it is an ex-post assurance about the execution of economic activities. It is also ex-ante advisory services to improve the rationality of economic activities as well as accompanying controls.

The expansion of the scope of internal audit in the definition of internal auditing (The Institute of Internal Auditors, 1999), which broadened the nature of work, was well evaluated by Nagy & Cenker (2002). Their study showed that the additional scope, although responded to variously, was not a problem for internal audit practitioners as long as they did not abandon their traditional role in the internal control field. Gramling (2004) also found that the role of internal audit in governance has been around; even the internal audit has served as a resource for the other three pillars of governance within the company. However, Paape (2003) found that not all CAEs aware of their role in governance and have adequate knowledge of regulation in that field.

Strengthening Gramling's findings, the internal audit, together with external auditors, became a mainstay resource for audit committees in contributing better financial reporting (Zain, 2006), reducing earning management (Prawitt, 2009), preventing financial reporting fraud (Asare, 2008), and preventing management misconduct (Ege. 2015). Nevertheless, the relationship pattern of the four pillars of governance (audit committee, management, external auditor, and internal auditor) has vulnerabilities when interests become asymmetrical. The double reporting line from internal audit to senior management and audit committee in certain situations can put internal audit in a dilemma situation, whether it will tend to be a helper for management or protector for the benefit of the audit committee (Christopher, 2009) (Roussy, 2013). The position then becomes one option, whether the audit committee and management will outsource the internal audit. Although internal audit outsourcing will also bring its own complexity regarding its effectiveness, it relates to its provider, whether an external auditor or other than an external auditor (Abbott, 2007).

The theme of research on the role of internal audit in governance that thick with agency theory in the 2000 decade seems to be shifting more widely in the next decade and the future. Greater attention to global issues such as sustainability, climate change, and social safety encourages governance research, including the role of internal audit, into the framework of stakeholder theory. Trotman (2015) has seen the role of internal audit begin to surface for the field of environmental governance. Similarly, Soh (2015) concluded that internal audit should immediately take a more significant role in ESG issues.

The Role of Internal Audit in Risk Management

Similar to governance, risk management was also added to the internal audit nature of work after the IIA established the definition of internal auditing in 1999. From 1999 to 2019, we found at least 12 impactful articles discussing the role of internal audit in the organization's risk management process. Table 5 shows a summary of the theme. The theme of internal audit role in risk management discussed along with other roles is summarized in Table 7.

Table 5 Role Of Internal Audit In Risk Management
Author(s) and Year	Research Issue(s)	Method(s)	Result(s)
(Sarens & De Beelde, 2006a)	Perception of internal auditors about their role in risk management	Interview with 10 CAEs in the US and Belgium	In Belgium, internal auditors focused on the weaknesses of critical risk management systems, pioneering in creating more advanced and more formal risk management and control systems.
			In the US, the purpose of internal auditors' evaluation and opinion is a valuable input in the new control and disclosure system under the Sarbanes Oxley Act regulations.
(Norman et al., 2010)	The effect of internal audit reporting lines on fraud risk assessment	Experiment (172 internal experienced internal auditors in the US) and survey	Internal auditors have a perception of personal threats when they report matters related to high severity of fraud risk to the audit committee directly, as opposed to management. This perception causes auditors to reduce the level of risk in their risk assessment
(de Zwaan et al., 2011)	The effect of internal audit involvement in enterprise risk management	Experiment (117 certified internal auditors in Australia)	Internal auditors are involved in auditing the ERM, but some also carry out activities that may impair their objectivity.
			The high internal involvement of auditors in the ERM influences willingness to report deficiencies in risk management procedures to the audit committee. Strong internal audit relationship with audit committee has no effect on willingness to report

Sociologically, the discourse of risk management and internal control had developed before the establishment of a new definition of internal auditing. Since the end of the 1999 decade and the beginning of the 2000 decade, some researchers see risk management as a paradigm-shifting and further development of internal control (Selim & McNamee, 1999) (Spira & Page, 2003). Regulators and standard-setting bodies also see this as a convergence between internal control and risk management. COSO (The Committee of Sponsoring Organizations), among others, spawned an ERM framework that mainly includes internal control components and principles (COSO, 2004). In such a context, it is not surprising that internal audit practitioners do not dispute the additional scope of this risk management as long as the traditional roles of internal audit are not abandoned (Nagy & Cenker, 2002)

As a new role, many bring up differences in practice in different regions. In the US, the role of internal audit in risk management is not much different from the role in internal control, especially in the context of internal control improvements governed by the Sarbanes Oxley Act. Meanwhile, in the EU, more specifically in Belgium, internal audits evaluate risk management to find weaknesses and strengthen them to a more robust and formal system (Sarens & De Beelde, 2006a). This role is in line with the expectations of senior management, who expect a more supportive role from internal audit in the risk management process (Sarens & De Beelde, 2006b). The same expectation of the audit committee to obtain a level of comfort from internal audit in ensuring the company has mitigated the risk adequately (Sarens et al., 2009)

While senior management and audit committees expect a more significant role in risk management, the internal auditor needs to pay attention to the threat of potential impairment to objectivity. High involvement in ERM is proven to cause an internal audit to be less likely to report weaknesses in the risk management process to the audit committee (de Zwaan et al., 2011). In line with that, internal auditors have a perception of personal threats when they report matters related to high levels of fraud risk directly to the audit committee, compared to management. This perception causes internal auditors to reduce their risk assessment level (Norman et al., 2010). Declining willingness to report and too low risk assessment jeopardize internal audit position in controlling fraud risk. Because the effective internal audit becomes a pillar in preventing, detecting, and reporting fraud risk (Coram et al., 2008) (Asare et al., 2008), including accounting fraud risk (Prawitt et al., 2012)

By the development of the business that increasingly leads to the digital world, the role of internal audit in risk management in recent years has also evolved towards IT risk, especially IT Security in the cyber world, both in consulting and assurance activities (Islam et al., 2018)(Stafford et al., 2018) (Steinbart et al., 2018)(Bozkus Kahyaoglu &Caliyurt, 2018).

The Role of Internal Audit in Internal Control

In contrast to governance and risk management, the role of internal audit in internal control is quite maturing. Nevertheless, the interest of researchers to deepen knowledge in this role is still relatively high. Over the past two decades, we found at least 12 impactful articles discussing the theme of the role of internal audit in internal control. Table 6 shows a summary of the theme. The theme of IA's role in internal control discussed along with other themes is summarized in Table 7.

Table 6 Role Of Internal Audit In Internal Control
Author(s) and Year	Research Issue(s)	Method(s)	Result(s)
(Fadzil et al., 2005)	The effect of internal auditing practices on internal control system effectiveness	Archival study of 812 listed companies at Bursa Malaysia	Internal audit management, auditor proficiency, and objectivity review significantly affect the monitoring component in internal control. The scope and performance of internal audit have a significant effect on information and communication components.
			Internal management and audit performance, program audit, audit reports significantly affect the risk assessment component. Audit performance and audit reports have a significant impact on the control activities component.
(Lin et al., 2011)	The role of the IA in the disclosure of material weaknesses	Archival study of 214 firms (from GAIN, EDGAR, Compustat, CRSP, Audit Analytics, CDA/Spectrum)	Material control weakness disclosures are negatively associated with the degree to which the IA uses quality assurance techniques into fieldwork, audits activities on financial reporting, the education level of the IA, and monitors the corrective action of previously identified control problems.
			Material control weakness disclosures are positively associated with external-internal auditor coordination and IA practice of grading, suggesting that these activities increase the effectiveness of Section 404 compliance processes.
(Christ et al., 2015)	The effect of rotational internal audit programs on financial reporting quality	Semi-structured interviews (11 CAE and two audit committee chairmen) and archival study	The use of a rotational staffing model for the IA has lessened financial reporting quality significantly than companies that do not. But, there are compensating controls identified from the interviews (e.g., audit committee oversight, consistency of IA leadership or supervision, and management direction and oversight) that can decrease this adverse financial reporting effect.
(Oussii & Boulila Taktak, 2018)	The impact of IA on internal control quality	Survey to 59 CAEs from Tunisian listed companies	The current study's findings reveal that internal control quality is associated significantly and positively with internal audit quality, IA competence, the follow-up process, control assurance level, and the audit committee's review of the internal audit program and results.

A thorough mapping of internal audit attributes to internal control has been demonstrated by several researchers who tested the association between internal audit quality and five components in internal control (Fadzil et al., 2005) (Lin et al., 2011) (Lin et al., 2011) (Oussii &Boulila Taktak, 2018). Nevertheless, research into the role of internal audit in internal control focuses more on internal control for financial reporting purposes (Prawitt et al., 2012) (Christ et al., 2015).

The Role of Internal Audit in GRC

The substance of the three themes, regardless of the framework, standards, or regulations used, is a theme that is coincident. Therefore, Mitchell uses the acronym GRC to discuss all three themes in one integrated theme (Mitchell, 2007). Although not explicitly using the term GRC, many impactful research results are related to governance, risk, or control at once. This approach is quite reasonable considering internal control is an essential part of risk management, and risk management is a significant part of corporate governance (COSO, 2013). Table 7 shows the summary of the GRC theme.

Table 7 Role of Internal Audit in GRC
Author(s) and Year	Research Issue(s)	Method(s)	Result(s)
(Nagy & Cenker, 2002)	The shifting in the overall scope of internal audit	Structured interview (11 internal audit directors)	While there are additions to the scope of internal audit with risk management and governance aspects, the traditional role of internal audit as control evaluator should not be abandoned.
(Allegrini & D'Onza, 2003)	The role of internal auditing in risk assessment and risk-based audit approach	Survey of Top 100 listed companies at Italian Stock Exchange	While 25% of the respondents perform compliance audits and use an audit-cycle approach for annual planning, 67% of respondents adopt the COSO model and carry out operational auditing and macro risk assessment. The remaining 8% of respondents perform the risk-based approach both at macro and micro levels.
(Spira & Page, 2003)	The changing role of IA in risk management as the reinvention of internal control	Conceptual paper	This paper analyses the sociological changes and convergence of internal control and risk management. Internal auditors who traditionally evaluate internal control are encouraged to improve professionalism by improving competence in risk management.
(Asare et al., 2008)	The association between IA fraud risk judgments and audit effort decisions with fraudulent financial reporting	Experiment based on 60 internal auditors' responses	Internal auditors' assessments on fraud risk are responsive to management incentives and variations in the quality of the audit committee.
			Internal auditors' targeted audit hours are subject to variations in management's misreport of financial information but are not subject to variations in audit committee quality.
(Sarens & De Beelde, 2006b)	The Expectations and Perceptions between Internal Audit and Senior Management	Case studies (5 companies in Belgium)	The senior management has a significant expectation on internal audit. The hope revealed from this study, among others, is the supporting role in the monitoring and improvement of risk management and internal control.
(Sarens et al., 2009)	Internal audit as a comfort provider to the audit committee on internal control issues	Case studies (4 Belgian Companies)	Internal auditors' particular skills in internal control and risk management, joined with fitting relational and social abilities, empower them to comfort the audit committee. The entire degree of comfort to the audit committee can be upgraded through a joint review approach among internal and external auditors.
(Coram et al., 2008)	The effect of Internal audit existence on the level of misappropriation of assets fraud	Archival study and survey of 491 organizations in Australia and New Zealand	The study concluded that organizations that have the IA can detect and report fraud in greater possibility than organizations that do not have an IA.
(Prawitt et al., 2012)	The effect of outsourced IA on the risk of misleading or fraudulent financial reporting	Archival study of 334 firm-year observations from 159 companies in GAIN benchmark data	Prior to the SOX, IA outsourcing to external auditors was significantly associated with lower accounting risk compared to when it is entirely in-house or outsourced to non-external auditors.
(Stafford et al., 2018)	The role of IA in information security policy compliance	Case study and depth interviews	ERM benefits from the internal audit that identifies technology users who feel immune to cyber threats and exploits or feel that workplace urgency overrides a prudent solution to formal cybersecurity policies.

Discussion and Conclusion

The Massaro SLR Framework (2016), as cited in point 9 of Table 2 above, states that in a structured literature review, researchers develop insights based on code created from grounding theory then criticize the literature identified in the review whether included in emerging, developing, and maturing. Based on that, we suggest future research paths.

Developed Insights and Critiques

Internal Audit Existence

The fundamental question before questioning how IA's role in GRC is, "does the company see the need for an internal audit?". In reality, not all regulators require public companies to own the internal audit. In countries or regions where the existence of the internal audit is not mandatory, for example, in the EU, not all companies have an internal audit (Paape et al., 2003). The existence of internal audit can be performed in-house or outsourced. Outsourcing the internal audit, particularly to external auditors for the internal audit's routine activities, can lead to governance complications (Abbott et al., 2007). The Sarbanes Oxley Act prohibits this practice, but on the contrary, Prawitt may point out that outsourcing the internal audit's routine activities to EA lowers accounting risk (Prawitt et al., 2012). Although more literature shows the effect of the internal audit's existence on GRC, as further outlined below, some show mixed research results. Goodwin-Stewart obtained the result that the existence of the internal audit is not significantly related to the strength of governance, although it relates significantly to the implementation of risk management (Goodwin-Stewart &Kent, 2006). With mixed results and the need to update the adoption of IA's existence globally, this theme is still developing.

Internal Audit Quality

Gramling (2004) concluded in 2003 that internal audit quality is vital to realizing IA's role in Governance. Our study reinforces that from the literature that evolved over the next two decades. Internal audit quality is a prerequisite to be able to provide a high level of comfort to the audit committee (Sarens et al., 2009), earning management is reduced (Prawitt et al., 2009), management misconduct is reduced (Ege, 2015), and the quality of internal control is increasing (Oussii &Boulila Taktak, 2018). Many dimensions of internal audit quality have been discussed, both from the supply side and demand side. The results of the study have been relatively stable, so we assess this topic as maturing.

Internal Audit Independence & Objectivity

One of the essential aspects that distinguish internal audit from other activities or functions within the organization is its nature to be organizationally independent and personally objective (IIA, 2017). In the context of the internal audit's role in the GRC, it is crucial to examine whether the role would trap the internal audit in a not ideal situation. In the role of governance helper (Roussy, 2013), where the internal audit will likely act as a management partner, it will potentially threaten its independence and objectivity (Christopher et al., 2009). Christopher also discovers this threat when the internal audit becomes a steppingstone of a management career and when organizationally, the internal audit budget is approved by the CFO or CEO. Independence and objectivity are increasingly tricky in the role of internal audit governance, which has dual reporting to senior management and audit committees in reporting fraud risk assessment. In situations where the internal audit is involved in the ERM and should report fraud risks, internal audit tends to reduce their risk assessment level (de Zwaan et al., 2011; Norman et al., 2010).

Since the new definition of internal auditing includes consulting as activities other than assurance, the potential impairment of independence and objectivity continues to be questioned. Since then, various research has been conducted for this theme with mixed results (Ahlawat &Lowe, 2004; Brody &Lowe, 2000; Chen et al., 2017; Goodwin &Yeo, 2001; Mohd Hanafi &Stewart, 2015; Rose et al., 2013; Stewart & Subramaniam, 2010). IIA itself as the standard-setting body of the internal profession of auditors chooses the position that consulting activities, as long as it is carried out objectively, does not interfere with objectivity at the time of assurance activities (IIA, 2017). Considering the development of such literature and practice, we categorize this theme as maturing.

Internal Audit Partners

Internal audit, together with external auditors, audit committees, and senior management, is known as the cornerstones of governance. The three parties of the internal audit are also actually beneficiaries of internal audit (Gramling et al., 2004; Sarens et al., 2009; Sarens &De Beelde, 2006b). The positive interaction of the four cornerstones is also proven to strengthen a company's GRC, including improving the quality of reporting (Zain et al., 2006). Nevertheless, the scientific literature has not captured the practice that has evolved since 2009 in governance cornerstones. Since 2009, FERMA and ECIIA have launched three lines of defense model of governance (FERMA &ECIIA, 2010, 2011). Many standard-setting bodies quickly adopted this model in various countries, including the Basel Committee and the global IIA (Basel Committee on Banking Supervision, 2012; IIA, 2013). With this model, cornerstones in GRC are no longer just senior management, audit committee, external auditor, and internal auditor, but coupled with line management as the first line and risk management or compliance function as the second line. In the third line are internal and external auditors. Study on three lines of defense or combined assurance of all three lines is quite a lot (Davies &Zhivitskaya, 2018; Decaux &Sarens, 2015; Luburi?, 2017; Masegare, 2018; Mutevhe, 2019), but there has been no study that has a significant effect. Thus, we categorize the discussion of this theme as emerging.

Internal Audit GRC Role

In the GRC theme, the most widely conducted study was on the relationship between internal audit and audit committee as a representative of shareholder interests, which was then matched with the pattern of IA's relationship with senior management (Ege, 2015; Roussy, 2013). Within the agency theory framework, the senior management interests are not aligned with the shareholders’ interests, and the existence of internal audit can be explained in this theory as bonding cost or monitoring cost (Adams, 1994). We see the themes in the internal audit, the audit committee, and senior management relationships are already at the maturing stage.

Studies that have also been conducted are related to the influence of internal audit with the quality of financial reporting, possible earning management, and internal control in financial reporting (Christ et al., 2015; Oussii & Boulila Taktak, 2018; Prawitt et al., 2009; Sarens &De Beelde, 2006a). Control over the risk of fraud (Asare et al., 2008; Coram et al., 2008; Norman et al., 2010), including broader internal control studies (Fadzil et al., 2005; Lin et al., 2011) also pretty much conducted so that it has entered the maturing stage. Meanwhile, the role of internal audit in the cyber and digital world, such as IT governance, IT control, or IT security, is increasingly evident, both in the role of assurance and consulting (Stafford et al., 2018). Similarly, the role of internal audit on environmental issues such as GHG emission or ESG is also getting stronger (Soh & Martinov-Bennie, 2018; Trotman &Trotman, 2015). These themes are, of course, still at the emerging or developing stage.

Future Research Paths

Based on the discussion above, conclusions in the form of themes related to the nature of work internal audit along with critics and future research paths we present in Table 8:

Table 8 Insights, Critiques, and Future Research Paths
Themes	Insights	Critiques	Future research paths
IA Existence	Not all public companies have IA.	Developing	Governance regulations and practices are constantly changing in all corners of the world. Research is needed from time to time on the adoption of IA in various regions.
	IA Outsourcing has mixed results.	Developing	IA outsourcing needs to be further investigated for motives other than the economy.
IA Quality	IA quality has a significant impact on the company's GRC.	Maturing	With the attributes of IA’s quality remain unchanged, the study results so far have been closed to consensus.
IA Independence & Objectivity	Independence and objectivity impairment are committed in a more IA involving role.	Maturing	With the attributes of IA’s independence and objectivity remain unchanged, the study results have been closed to consensus.
IA Partner	Relationships with audit committees, senior management, and external auditors are relatively stable results.	Maturing	With the relation of the IA and the three cornerstones of governance remain unchanged, the study results so far have been closed to consensus.
	Relationships with other assurance providers.	Emerging	Little is known in the relationships between IA and the other assurance provider in the three lines of defense model, especially in combining the efforts of all three lines.
IA GRC Role	Financial reporting risk and control	Maturing	With financial reporting regulations remain unchanged, the study results so far have been closed to consensus.
	Fraud risk and control	Developing	Expectations of IA's role in fraud need to be clarified, especially with IA’s responsibility is not a fraud examiner.
	IT governance, risk, control	Developing	The IA involvement must follow the complexity and risks arising from the increasing use of technology. Little is known about this theme.
	Environmental and Social Governance	Emerging	The world is increasingly aware of the social responsibility and externalities of the business. They must pay attention not only to the profit but also to the people and planet. The internal audit position is not well known in this theme.

Conclusion

This SLR has systematically interrogated 258 internal audit articles from 29 leading journals in business, finance, and accounting published between 1999 and 2019 based on Massaro (2016) framework. There are 90 articles related to the theme of internal audit’s nature of work. We synthesized only the 28 articles that had an incredibly significant impact to reveal insights, critiques, and future research paths shown in Table 8. We hope the results of this SLR can help internal audit researchers advance the knowledge, especially in the theme of nature of work internal audit.

References

1. Abbott, L.J., Parker, S., Peters, G.F., & Rama, D.V. (2007). Corporate governance, audit quality, and the Sarbanes-Oxley Act: Evidence from internal audit outsourcing. Accounting Review, 82(4), 803–835.
2. Adams, M.B. (1994). Agency theory and the internal audit. Managerial Auditing Journal, 9(8), 8–12.
3. Ahlawat, S.S., & Lowe, D.J. (2004). An examination of internal auditor objectivity: In-house versus outsourcing. Auditing: A Journal of Practice & Theory, 23(2), 147–158.
4. Al-akra, M., Abdel-qader, W., & Billah, M. (2016). Internal auditing in the Middle East and north: A literature review. Journal of International Accounting, Auditing, and Taxation, 26, 13–27.
5. Allegrini, M., & D’Onza, G. (2003). Internal auditing and risk assessment in large Italian companies: An empirical survey. International Journal of Auditing, 7(3), 191–208.
6. Allegrini, M., D’Onza, G., Paape, L., Melville, R., & Sarens, G. (2006). The european literature review on internal auditing. Managerial Auditing Journal, 21(8), 845–853.
7. Asare, S.K., Davidson, R.A., & Gramling, A.A. (2008). Internal auditors’ evaluation of fraud factors in planning an audit: The importance of audit committee quality and management incentives. International Journal of Auditing, 12(3), 181–203.
8. Basel Committee on Banking Supervision. (2012). Bank for international settlement: The internal audit function in banks.
9. Behrend, J., & Eulerich, M. (2019). The evolution of internal audit research: A bibliometric analysis of published documents (1926–2016). Accounting History Review, 29(1), 103–139.
10. Bozkus Kahyaoglu, S., & Caliyurt, K. (2018). Cybersecurity assurance process from the internal audit perspective. Managerial Auditing Journal, 33(4), 360–376.
11. Brody, R.G., & Lowe, D.J. (2000). The new role of the internal auditor: Implications for internal auditor objectivity. International Journal of Auditing, 4(2), 169–176.
12. Chen, L.H., Chung, H.H.S., Peters, G.F., & Wynn, J.P.J. (2017). Does incentive-based compensation for chief internal auditors impact objectivity? An external audit risk perspective. Auditing: A Journal of Practice & Theory, 36(2), 21–43.
13. Christ, M.H., Masli, A., Sharp, N.Y., & Wood, D.A. (2015). Rotational internal audit programs and financial reporting quality: Do compensating controls help? Accounting, Organizations and Society, 44, 37–59.
14. Christopher, J., Sarens, G., & Leung, P. (2009). A critical analysis of the independence of the internal audit function: Evidence from Australia. Accounting, Auditing and Accountability Journal, 22(2), 200–220.
15. Coetzee, G.P., & du Bruyn, R. (2001). The relationship between the new IIA Standards and the internal auditing profession. Meditari Accountancy Research, 9(1), 61–79.
16. Cooper, B.J., Leung, P., & Wong, G. (2006). The Asia Pacific literature review on internal auditing. Managerial Auditing Journal, 21(8), 822–834.
17. Coram, P., Ferguson, C., & Moroney, R. (2008). Internal audit, alternative internal audit structures, and the level of misappropriation of assets fraud. Accounting and Finance, 48(4), 543–559.
18. COSO. (2004). Enterprise Risk Management: Integrated Framework. 1–125.
19. COSO. (2013). Internal Control—Integrated Framework. The Committee of Sponsoring Organizations of the Treadway Commission.
20. Davies, H., & Zhivitskaya, M. (2018). Three Lines of defence: A robust organising framework, or just lines in the sand? Global Policy, 9, 34–42.
21. de Zwaan, L., Stewart, J., & Subramaniam, N. (2011). Internal audit involvement in enterprise risk management. Managerial Auditing Journal, 26(7), 586–604.
22. Decaux, L., & Sarens, G. (2015). Implementing combined assurance: insights from multiple case studies. Managerial Auditing Journal, 30(1), 56–79.
23. Easterby-Smith, M., Thorpe, R., & Jackson, P. (2015). Management & Business Research (5^th Edition). SAGE Publications, Inc.
24. Ege, M.S. (2015). Does internal audit function quality deter management misconduct? Accounting Review, 90(2), 495–527.
25. Fadzil, F.H., Haron, H., & Jantan, M. (2005). Internal auditing practices and internal control system. Managerial Auditing Journal, 20(8), 844–866.
26. FERMA, & ECIIA. (2010). Guidance on the 8^th EU Company law directive “monitoring the effectiveness of internal control , internal audit and risk management systems” Guidance for boards and audit committees. In Guidance for boards and audit committees.
27. FERMA, & ECIIA. (2011). Guidance on the 8^th EU company law directive: Part 2. Guidance for boards and audit committees.
28. Goodwin-Stewart, J., & Kent, P. (2006). The use of internal audit by Australian companies. Managerial Auditing Journal, 21(1), 81–101.
29. Goodwin, J., & Yeo, T.Y. (2001). Two factors affecting internal audit independence and objectivity: Evidence from Singapore. International Journal of Auditing, 5(2), 107–125.
30. Gramling, A., Maletta, M., Schneider, A., & Church, B. (2004). The role of the internal audit function in corporate governance. Journal of Accounting Literature, 23, 194–244.
31. Hass, S., Abdolmohammadi, M.J., & Burnaby, P. (2006). The Americas literature review on internal auditing. Managerial Auditing Journal, 21(8), 835–844.
32. IIA. (2013). IIA position paper: The three lines of defense in effective risk management and control. The institute of internal auditors.
33. IIA. (2017). International standards for the professional practices of internal auditing. The institute of internal auditors.
34. Islam, M.S., Farah, N., & Stafford, T.F. (2018). Factors associated with security/cyber security audit by internal audit function: An international study. Managerial Auditing Journal, 33(4), 377–409.
35. Lenz, R., & Hahn, U. (2015). A synthesis of empirical internal audit effectiveness literature pointing to new research opportunities. Managerial Auditing Journal, 30(1), 5–33.
36. Lin, S., Pizzini, M., Vargus, M., & Bardhan, I.R. (2011). The role of the internal audit function in the disclosure of material weaknesses. Accounting Review, 86(1), 287–323.
37. Luburi?, R. (2017). Strengthening the three lines of defence in terms of more efficient operational risk management in central banks. Journal of Central Banking Theory and Practice, 6(1), 29–53
38. Masegare, P. (2018). Implementing value-added combined assurance interventions for South African organizations. Journal of Management & Administration, 1, 129–149.
39. Massaro, M., Dumay, J., & Guthrie, J. (2016). On the shoulders of giants: undertaking a structured literature review in accounting. Accounting, Auditing and Accountability Journal, 29(5), 767–801.
40. Mihret, D.G., & Grant, B. (2017). The role of internal auditing in corporate governance: A Foucasuldian analysis. Accounting, Auditing and Accountability Journal, 30(3), 699–719.
41. Mitchell, S.L. (2007). GRC360: A framework to help organizations drive principled performance. International Journal of Disclosure and Governance, 4(4), 279–296.
42. Mohd Hanafi, H., & Stewart, J. (2015). The effect of incentive-based compensation on internal auditors’ perceptions of objectivity. International Journal of Auditing, 19(1), 37–52.
43. Mutevhe, T. (2019). Implementing combined assurance in organizations to enable boards to exercise risk oversight. University of Pretoria.
44. Nagy, A.L., & Cenker, W.J. (2002). An assessment of the newly defined internal audit function. Managerial Auditing Journal, 17(3), 130–137.
45. Norman, C.S., Rose, A.M., & Rose, J.M. (2010). Internal audit reporting lines, fraud risk decomposition, and assessments of fraud risk. Accounting, Organizations and Society, 35(5), 546–557.
46. Oussii, A.A., & Boulila Taktak, N. (2018). The impact of internal audit function characteristics on internal control quality. Managerial Auditing Journal, 33(5), 450–469.
47. Paape, L., Scheffe, J., & Snoep, P. (2003). The relationship between the internal audit function and corporate governance in the Eu-a survey. International Journal of Auditing, 7(3), 247–262.
48. Prawitt, D.F., Sharp, N.Y., & Wood, D.A. (2012). Internal audit outsourcing and the risk of misleading or fraudulent financial reporting: Did sarbanes-oxley get it wrong? Contemporary Accounting Research, 29(4), 1109–36.
49. Prawitt, D.F., Smith, J.L., & Wood, D.A. (2009). Internal audit quality and earnings management. Accounting Review, 84(4), 457–473.
50. Rose, A.M., Rose, J.M., & Norman, C.S. (2013). Is the objectivity of internal audit compromised when the internal audit function is a management training ground? Accounting and Finance, 53(4), 1001–1019.
51. Roussy, M. (2013). Internal auditors’ roles: From watchdogs to helpers and protectors of the top manager. Critical Perspectives on Accounting, 24(7–8), 550–571.
52. Roussy, M., & Perron, A. (2018). New perspectives in internal audit research: A structured literature review. Accounting Perspectives, 17(3), 345–385.
53. Sarens, G., & De Beelde, I. (2006a). Internal auditors’ perception about their role in risk management: A comparison between US and Belgian companies. Managerial Auditing Journal, 21(1), 63–80.
54. Sarens, G., & De Beelde, I. (2006b). The relationship between internal audit and senior management: A qualitative analysis of expectations and perceptions. International Journal of Auditing, 10(3), 219–241.
55. Sarens, G., De Beelde, I., & Everaert, P. (2009). Internal audit: A comfort provider to the audit committee. British Accounting Review, 41(2), 90–106.
56. Selim, G., & McNamee, D. (1999). The risk management and internal auditing relationship: Developing and validating a model. International Journal of Auditing, 3(3), 159–174.
57. Soh, D.S.B., & Bennie, N.M. (2015). Internal auditors’ perceptions of their role in environmental, social, and governance assurance and consulting. Managerial Auditing Journal, 30(1), 80–111.
58. Soh, D.S.B., & Martinov-Bennie, N. (2018). Factors associated with internal audit’s involvement in environmental and social assurance and consulting. International Journal of Auditing, 22(3), 404–421.
59. Spira, L.F., & Page, M. (2003). Risk management: The reinvention of internal control and the changing role of internal audit. Accounting, Auditing & Accountability Journal, 16(4), 640–661.
60. Stafford, T., Deitz, G., & Li, Y. (2018). The role of internal audit and user training in information security policy compliance. Managerial Auditing Journal, 33(4), 410–424.
61. Steinbart, P.J., Raschke, R.L., Gal, G., & Dilla, W.N. (2018). The influence of a good relationship between the internal audit and information security functions on information security outcomes. Accounting, Organizations and Society, 71, 1–15.
62. Stewart, J., & Subramaniam, N. (2010). Internal audit independence and objectivity: Emerging research opportunities. Managerial Auditing Journal, 25(4), 328–360.
63. Trotman, A.J., & Trotman, K.T. (2015). Internal audit’s role in GHG emissions and energy reporting: Evidence from audit committees, senior accountants, and internal auditors. Auditing: A Journal of Practice & Theory, 34(1), 199–230.
64. Zain, M.M., Subramaniam, N., & Stewart, J. (2006). Internal auditors’ assessment of their contribution to financial statement audits: The relation with audit committee and internal audit function characteristics. International Journal of Auditing, 10(1), 1–18.