Lately, the role of internal audit is viewed with great importance in the context of the supervisory mechanisms of corporate governance, which is a direct result of requests for more effective corporate governance and the need for control. Corporate governance foundation may be considered through the four cornerstones: Audit Committee, Executive Management, Internal Auditors and External Auditors. Internal audit contributes to corporate governance effectiveness through relations and communication with other cornerstones. It is believed that by providing assurance on the effectiveness of risk management, control and governance processes, internal audit is becoming a "key cornerstone" underlying the effective management. This paper analyzes how internal audit contributes to strengthening the governance processes through its relation with the primary beneficiaries, managers and the Audit Committee. The Audit Committee, focused on oversight of financial reporting, controls and risk management, relies on internal audit to assist in carrying out its responsibilities. Also, internal audit provides advice to managers at all levels and information related to the effectiveness of the internal control and risk management processes as well as other important services. It may be concluded that internal audit activities, through its impact on other participants in governance, affect the quality of corporate governance. Internal audit is an important factor in achieving effective governance and is considered as an "integral part of corporate governance mosaic".
The need for more effective corporate governance, driven by corporate-accounting scandals at the beginning of the 21st century, both in the US and Europe, highlighted the importance of corporate governance internal mechanisms. In this regard, special importance is placed on internal audit, which shifted its initial focus from the examination of appropriateness and reliability of accounting and financial controls and developed into a proactive activity that assess effectiveness of internal controls, enterprise risk management and corporate governance. The development of internal audit scope of work, as well as the emergence of new approaches to the conceptualization of the internal audit process had an influence on the perception of its position in the company. Its role has evolved from the company "policeman" to activity that actively contributes to the creation of value added and provides company in achieving company’s objectives.
Internal audit contribution can be seen on several levels: helps management in accomplishing their responsibilities related to control and risks; acts as an advisory function, which monitors risks, identifies weaknesses in the internal control system in order to assist with the implementation of the risk management process (Spira & Page, 2003; Allegrini & D'Onza, 2006; Page & Spira, 2004; Sarens & DeBeelde, 2006a, Sarens & DeBeelde, 2006b), helps the audit committee and external auditors in fulfilling their responsibilities (Goodwin, 2003; Gramling et. al. 2004 ). Internal audit has a unique role in corporate governance because it is responsible for the oversight of risk management processes and helps to ensure the reliability of financial reporting (Gramling et al., 2004, Carcello et al., 2005, Cohen, et al. 2004).
This paper analyses the internal audit relation with the management and the Audit committee and the means through which internal audit contributes to strengthening the corporate governance.
Understanding the importance of internal audit is not possible without understanding the broader context within which it operates – the concept of corporate governance. Therefore, the analysis of the need for internal audit should be preceded by analysis of basic guidelines of the corporate governance concept.
According to Cadbury Committee, corporate governance can be defined as “the system by which companies are directed and controlled" (The Committee on the Financial Aspects of Corporate Governance, 1992:2.5). "Boards of directors are responsible for the governance of their companies (...) The responsibilities of the board include setting the company’s strategic aims, providing the leadership to put them into effect, supervising the management of the business and reporting to shareholders on their stewardship" (The Committee on the Financial Aspects of Corporate Governance, 1992:section 2.5). Shleifer & Vishny (1997: 397) see corporate governance as a system by which "suppliers of finance to corporation assure themselves of getting a return on their investment." Monks & Minow (2001, cited in Hermanson & Rittenberg 2003:26) define corporate governance as "relationship among various participants in determining the direction and performance of corporations." According to Gillan & Starks (1998, cited in Gillan, 2005) corporate governance is a system of rules, laws and mechanisms that control the processes and operations of the company .According to the Organisation for Economic Cooperation and Development (OECD) Principles of Corporate Governance (2004), corporate governance " involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. Good corporate governance should provide proper incentives for the board and management to pursue objectives that are in the interests of the company and its shareholders and should facilitate effective monitoring" (Organization for Economic Cooperation and Development, 2004:11).
The complexity of interests, requirements and processes within the company significantly affect its business operations, as well as the efficiency and effectiveness of the management processes. It is this complexity that justifies the importance of corporate governance and the fact that "successful companies need efficient corporate governance" (Tipurić (ed.), 2008:4). Empirical studies provide strong evidence that corporate governance is linked to the company’s performance monitored through financial indicators, rate of innovation, market share, customer satisfaction and employee and other indicators (Tschopp 2005:24-25, quoted in Tipurić (ed.), 2008:8).
It is necessary for the management of a company to understand the risks that the company faces on a daily basis. This implies the need for establishing different control procedures and means that could signal the achieved level of performance, draw attention to the possible corrective measures and provide feedback to management and senior management in an aggregated form. Internal audit activity has great significance in these processes and has become an irreplaceable part of corporate governance practice since it provides information on the effectiveness of management processes (Ruud, 2003:74; Reding et al. 2007:3-5; Hermanson & Rittenberg 2003:31).
Large corporate accounting scandals (Enron, WorldCom and others) which shook the US at the beginning of the new century have sparked serious doubts about the corporate governance effectiveness, in particular its mechanisms established in order to ensure monitoring and control. In response to the scandals, in July 2002 The Public Company Accounting Reform and Investor Protection Act was passed, known as the Sarbanes-Oxley Act (SOX). SOX marked the beginning of a comprehensive accounting reform for companies in the public interest, registered with the US Securities and Exchange Commission (SEC). Internal auditors, traditionally specialists for internal control, but until then not very respected within the company, attracted the attention of governing bodies that had new requirements relating to the provision of assurance for good corporate governance practices (Spira & Page, 2003). In fact, in recent years there is an increasing emphasis on the importance of effective corporate governance for the success of the company. As a result, reliable and timely financial reporting, effective internal controls and risk management are gaining in importance, which affects the development of internal mechanisms of corporate governance that have responsibilities related to those areas.
Corporate governance mechanisms that are present in this regard in the accounting and auditing literature are external audit, internal audit, and independent committees, including the audit committee (Anderson et al.1993; Blue Ribbon Committee, 1999; Institute of Internal Auditors 2003, quoted in Coram, et al., 2007:6, The Committee on the Financial Aspects of Corporate Governance, 1992), and Cohen et al. (2004:88) describes the dynamic interaction between these mechanisms as a "corporate governance mosaic".
According to the new, revised, definition of internal auditing for the 21st Century, by the (Global) Institute of Internal Auditors, "internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes".
In this definition there are contained two main internal audit activities: assurance and consulting services. Assurance services are defined as "an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization“(Anderson & Dahle, 2009:23). They can be divided into four basic stages and include: testing, determining the state and effectiveness, informing and communicating results and providing recommendations for improvement (Sarens & De Beelde, 2006a:45).Consulting services are defined as "advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility" (Anderson & Dahle, 2009:23).
It is important to clearly define the differences between these two services which are manifested in their basic features. Assurance services include three parties: the internal auditor, the process owner and a customer in the assurance process (usually management, senior management or audit committee). The purpose of assurance services is to assess the adequacy of internal controls, risk management processes and corporate governance, as well as testing the compliance with laws and regulations. This process results in recommendations and conclusions. There is also follow up on internal audit recommendations. The purpose of the consulting services is to provide counsel regarding efficiency and effectiveness and help to create a corrective action or implement new controls. These services are agreed between two parties, the internal auditor and the client, usually operational management (Anderson & Dahle, 2009:29).
By providing assurance and consulting services, internal audit provides value added to the company (The Institute of Internal Auditors, 2012). The company’s objectives are framework for defining the internal audit objectives and this direct link is basis for understanding the relationship in which the internal audit activity is focused on helping the company to achieve its goals (Reading et al., 2007:1-3).
In order to facilitate the understanding of the internal audit role to its customers, the Institute of Internal Auditors formed a value proposition consisting of the basic elements which internal audit combines to provide value added to the company, and they include "assurance, insight, and objectivity". According to this proposition, the importance of internal audit arises from the need of governing bodies and management who "rely on internal auditing for objective assurance and insight on the effectiveness and efficiency of governance, risk management, and internal control processes" (The Institute of Internal Auditors, 2012).
Some authors (Coram, et al., 2008; Archambeault, et al., 2008; Hermanson, et al., 2008) consider that great importance and responsibility in the post Sarbanes-Oxley era is placed on internal audit as the key mechanism of corporate governance which should be part of the solution for the problems of control, reporting and ethics in the company. Emphasizing the importance of internal audit, as an internal mechanism of corporate governance, was also noted with regulatory bodies, including the New York Stock Exchange (NYSE). It requires that all listed companies (from 2003) establish an internal audit. This represented a major shift in the internal auditing regulation, considering that this was the first time that the internal audit activity was incorporated into the regulations that related to the private companies, not just for financial institutions (Paape, 2007, p.82).
Cadbury Committee (1992:pt. 4.39) considers the establishment of the internal audit as "good practice" for the company because regular oversight of key controls and procedures carried out by the internal audit "is an integral part of a company’s system of internal control and helps to ensure its effectiveness". Moeller (2009: 4) considers internal audit as control within the company whose basic function is evaluating and determining the effectiveness of other controls. Namely, management must monitor processes in order to have information on the degree of accomplishment and compliance with the planned actions, which is achieved through control. Internal audit is one mean of the control in the company, and the difference in regard to other means of control is in its essential role - evaluating other controls in the company (Moeller, 2009:4).
Institute of Internal Auditors in 2006 published a position paper regarding the role of internal audit in corporate governance. According to that document, internal audit has a dual role: to support management and position as a partner to management in the company as a help in organizing and monitoring control system for effective corporate governance. By providing assurance on the effectiveness of risk management, control and governance processes, internal audit is becoming a "key cornerstone" underlying the effective management of the company (The Institute of Internal Auditors, 2006). A similar position was taken by Gramling and Hermanson (2006) who consider that internal audit is a resource of information, opinions, counsels and expertise for the Board and the audit committee. Gramling et al. (2004) expand this perspective, adopting an approach under which the corporate governance consists out of four cornerstones. Along with internal audit they additionally include external audit, audit committee and executive management. Internal audit contributes to corporate governance through interaction with these other participants. The internal and external audit are traditionally associated but along with growing demands related to corporate governance, this relationship is even more profound. External auditors may rely on the internal audit work in carrying out part of their activities, because internal auditors have more thorough understanding of business processes and the risks that the company faces which can help external auditors to be more effective and efficient. The audit committee, focused on oversight of financial reporting, controls and risk management, relies on internal audit to assist in carrying out its responsibilities. Also, internal audit provides advice to managers at all levels and information related to the effectiveness of the internal control and risk management processes as well as other important services.
Ruud (2003:86) consider that internal audit "can contribute to effective governance in several ways:
- it can assist in the identification of risk factors, the analysis of the consequences, as well as in
- assisting management in the prioritization of risk management and control systems,
- add assurance that the risk management processes in fact are functioning as intended
- (...) through consulting services, the internal audit function can furthermore assist management and the board by improving risk management and control processes."
Similarly, Porter (2008) discusses the importance of internal audit along with the external audit and the audit committee, as tripartite audit functions to ensure corporate accountability. Corporate accountability relates to the management responsibility regarding the efficient and effective use of company's resources as well as social efficient and effective corporate governance. Author concludes that internal audit role and responsibilities developed in parallel with those of management. Scope of internal audit activities, primarily concentrated around assessing the effectiveness of internal controls related to financial reporting, expanded to assessing all other categories of internal controls, those related to ensuring the efficiency and effectiveness of business operations and compliance with applicable laws and regulations. Lately, the scope of internal audit work also includes providing assurance regarding the risk management, fraud detection and helping with the ethical aspects of the company.
In the context of providing value added to the company, European Confederation of Institutes of Internal Auditing (ECIIA) (2005:37) consider internal audit contribution is in providing independent and objective assessment to the audit committee and executive management regarding the quality of internal controls and a comprehensive review of the company's risks. It allows them to have a look (opinion) from the another perspective, compared to the one that they already have.
The Institute of Internal Auditors Research Foundation (IIARF) in 2007 published a study the Common Body of Knowledge (CBOK), which was part of the ongoing research on the practice of internal auditing throughout the world in order to create a comprehensive database, containing information on the global state of internal audit profession. The study included 9,366 members of the Institute of Internal Auditors around the world which at the time represented the most extensive study ever conducted in the field of internal auditing. Respondents were assessing, among other, in what areas was their activity most present, and what areas they believed would be more in focus of their work in the future. The four highest rated areas the respondents believed that were most within the scope of their work were: fraud prevention (69% of respondents), risk management (66.6% of respondents), oversight of compliance regarding the implementation of relevant legislation (64% of respondents) and corporate governance (52.2% of respondents). These were also the areas that they presumed to be in focus of their work in the next three years (The Institute of Internal Auditors Research Foundation, 2007). Maximizing the value of the internal audit is imperative and necessary condition of its adaptation to changing business environment. According to the study on the state of the internal audit profession, internal audit in the near future needs to expand the scope of its activities outside the traditional areas and towards corporate governance, risk management, assessing the achievement of strategic plans and ethics (Alkafaji, et al., 2010:25-26).
It can be concluded that internal audit activities include assessment of the effectiveness of internal controls and risk management which directly affects the quality of corporate governance. Internal audit is an important factor in achieving effective corporate governance and is considered "an integral part of the corporate governance mosaic" (Cohen, et al., 2004:35) and “continuing contributor to the development of corporate governance practices worldwide, (...) a strong international player in corporate governance across all sectors" (D 'Silva & Ridley, 2007:114).
Basic characteristics of the relationship between internal audit and management can be established from the internal audit definition. According to Definition, internal audit is guided by the philosophy of added value, helping to improve the business processes through an independent and objective evaluation of the risk management, control and corporate governance effectiveness. Internal audit is an independent source of unbiased advice to governing bodies in the company, who are key holders of corporate governance with the responsibility to establish and maintain effective risk management and internal control system. In this regard, management, specially its highest levels, seek internal audit to provide assurance on the effectiveness of risk management, primarily in terms of risk identification and monitoring, effectiveness and efficiency of organizational processes, as well as their control. In this context, since its early days internal audit is often mentioned as “the eyes and ears of management" (Hermanson & Rittenberg, 2003:33).
The importance of internal audit for fulfilling responsibilities of governing structures is manifested mainly in large organizations with complex operations, where managers are not able to monitor all activities themselves. When there is inadequate monitoring, activities are often less effective and efficient, and it is necessary to design surrogate function to provide assessment that management could depend upon (Sawyer, et al., 2003:34). It is important to emphasize that the responsibility for corporate governance, risk management and internal controls remains on management and internal audit takes advisory role by providing valuable information related to these areas. Assisting in the decision-making process by providing or confirming information on which it is based, helping to identify and minimize risk and monitor activities that management cannot monitor themselves Sawyer, et al. (2003: 35-36) consider some of the most significant internal audit contributions to management.
As a necessary condition to achieve its maximum value, in addition to possessing the characteristics of integrity and credibility, constructive relationship between internal audit and management is also usually emphasized. ECIIA (2005: 42) consider it essential for the achievement of effective internal audit activity. Administrative (not functional) responsibility of the chief audit executive to the executive management is a joint stand point of academic debates in the context of strengthening the internal audit independence. The constructive relationship with management should also enable the chief audit executive to reach the information necessary for the proper conduct of internal audit activities, unhindered access to other employees and required documentation. ECIIA (2005: 42) emphasizes the importance of establishing a balanced relationship, not overly friendly, based on mutual trust, which is in the interest of the company. Such a relationship should be constantly built through regular interaction and cooperation, which should result in substantial and useful internal audit results, presented in the final report.
Mutual communication and interaction greatly influences the perception of the management regarding the internal audit value. According to a study conducted by Birkett et al. (1999, cited in Sarens & De Beelde, 2006c) management perception on the internal audit role affects the activities carried out by internal auditors. The conclusion of this study was that the lack of awareness among management about the role of internal audit results in lack of cooperation during the internal audit activities and the lack of implementation of internal audit recommendations. Due to this, it can be assumed that the management perception on internal audit is directly related with the level of support that they will provide to internal audit, in terms of enabling resources as well as in other aspects of support. This is also supported with the research conducted by Rupšys & Boguslauskas (2007:13), according to which management perception about the internal audit status in the company is in correlation with the level of implementation of internal audit recommendations.
Some Performance Standards (2010; 2020; 2060), which are part of the International Standards for the Professional Practice of Internal Auditing, define areas internal auditors should communicate with management such as risk assessment, implementation of internal audit plans and internal audit performance. Anderson & Dahle (2009:106) emphasize the importance of reporting on risk exposures, issues related to internal control and corporate governance. These are key issues for the internal audit role since ensuring transparency and effectiveness of those areas and sharing information is an important part of contribution to effective corporate governance. During meetings with senior management internal auditors can also obtain feedback on perceptions related to their performance, as well as analyze ways they can provide further assistance.
Relationship between internal audit and management is to some extent theoretically defined, but there is limited number of empirical studies on the characteristics of that relationship in practice.
Several studies, undertaken in late '90s of the 20th century, showed the traditional understanding of internal audit as an appraisal activity, but also recognized some of its modern characteristics that still had not sufficiently overcome. Ridley & D'Silva (1997, cited in D'Silva & Ridley, 2007) have analyzed perception of senior management with respect to the internal audit contribution to control, risk assessment, company performance and the overall governance. According to results, respondents were homogeneous in recognizing the importance of internal audit contribution to the corporate governance. However, analyzing its contribution in other areas did not provide such uniform results. In fact, some felt that internal audit creates value as a management consulting activity in the area of risk and control, with a wide range of responsibilities related to assurance engagements and assessing compliance. Others have recognized internal audit as a partner to management, while others pointed out its connection with the audit committee. Most, therefore, considered that the greatest contribution of internal audit was in the performance of its traditional activities, while some also recognized the importance of its consulting role. According to the findings of Griffith (1999, cited in Sarens & De Beelde, 2005:12) who analyzed the opinions of financial directors, internal audit was generally perceived as insufficiently focused on the business and the risks that arise from it. The need to improve internal auditors’ skills was also stressed out, as well as the need for their greater contribution in providing added value.
However, since the late '90s there have been many changes in the context of corporate governance and mechanisms that ensure its effectiveness. The results of some more recent studies have shown that the assurance and consulting services provided by internal audit have been recognized as valuable contributions to good governance practices at the highest level of organizational structures in many companies (D'Silva & Ridley, 2007).
According to a survey conducted by Sarens & De Beelde in 2005, on a sample of managers of Belgian companies, managers expect internal audit to focus on business and compensate the loss of control which occurred as a result of increased business complexity. The way to do so is through monitoring business units and contributing to the development of a unique system of internal controls. Managers also expressed high expectations for internal audit with regard to their experience with business risks, internal control and other related areas, and expressed the need for further development of the internal audit activity as a "tool for improvement". Research also pointed out some areas where internal audit in particular should demonstrate its value: providing assurance of risk management process, internal control and risk assessment, where internal audit was expected to develop data bases of operational risks. Active involvement as a consulting activity in strategically important projects is also highlighted as part of internal audit future scope of work.
One of recent research in this context was conducted in 2011 (PWC, 2012). Analysis of the respondents’ attitudes (senior management and members of the audit committee) confirmed the requirements for the internal audit inclusion in the risk management processes. Respondents stressed out internal auditors special value regarding their ability to identify risks, evaluate their threat and make recommendations about the processes and controls for their management (PWC, 2012:12). Research has shown that the traditional internal audit activities related to the audit of financial controls and compliance continue to have the highest position in the context of expectations from internal audit activity (88% of respondents ranked these activities among the top three). However, these were immediately followed by expectations regarding the assurance activities on risk management and internal controls (82% of respondents ranked these activities among the top three), which stressed out the internal audit importance in monitoring key business risks. Internal audit recommendations related to internal control considered being important, but many respondents pointed out the need for a more detailed assessment within this area that would allow analysis of its impact on business operations. The results suggested the need for continuous adjustment of internal audit to requirements of its customers, as a necessary precondition to meet their expectations.
Audit committees are an integral part of the corporate governance internal mechanisms, whose responsibility is primarily related to ensuring the quality of financial reporting and oversight of audit processes. In the context of the corporate governance mechanisms, audit committee has an oversight function (Soltani, 2009:93). Although there are several theories related to the audit committee and its role in corporate governance (Beasley, et al., 2009), the dominant perspective in the accounting field that considers its role is explained by the agency theory. According to the agency theory, audit committee has an oversight function, acting independently from the executive management in order to prevent their opportunistic action in a way that is not in the best interests of the principal (shareholders).
Audit committees do not carry out function of company's management and are not directly accountable to the owners (shareholders).The final outcome of their work results in reports and recommendations to the Board (governing body) and its activities are mainly described with the terms "oversight", "assess" and "review", while their function is advisory and reactive in nature (Spira, 2003:182).
Audit committees are relevant mechanism of corporate governance, and reasons for their growing global acceptance are, according to Turley & Zaman (2004), potential benefits in various aspects of corporate governance. In fact, some authors consider that the existence of audit committees contributes to the relationship between governing bodies, investors and auditors and helps in discharging Boards responsibilities. Another aspect is their impact on external audit, internal control and internal audit and in recent years some emphasize their importance in the context of the financial reporting quality and improvement of company performance. Spira (1998:30) based analysis of their development on a global level and states that audit committee were established to strengthen the credibility of financial reporting, especially regarding the independence of the external auditors but their purpose and objectives cannot be uniquely determined.
In general, Audit committees have a range of duties from different areas like financial reporting, corporate governance and corporate (internal) control (The Institute of Internal Auditors, 2002). Mohiuddin & Karbhari (2010:105) argue that, although the primary activity of the audit committee is to support the Board of Directors in carrying out their responsibilities related to the oversight of financial reporting and interaction with internal and external audit, their responsibilities also extend to several areas and include internal control, risk management and the compliance with legislation and regulations (for benefits of establishing an audit committee see Spira, 1998).
Audit committee responsibilities can be classified as followed (Spencer Pickett, 1997, quoted in Tušek, 2007):
- audit committee must take into consideration financial activities of the organization, in particular the costs,
- audit committee should oversee the process of financial statements auditing as well as the internal auditing process,
- audit committee must take into consideration the annual report and the auditor's report on the financial statements which are an integral part of the annual report,
- audit committee must also take into consideration the adequacy of the internal control system,
- audit committee must be involved in the meetings and discussions with external and internal auditors.
When considering audit committee’s responsibility regarding internal audit (more on that Tušek, 2006:85-115), Wolnizer states out following (1995, cited in Mohiuddin & Karbhari, 2010:107):
- „evaluate the independence and competence of internal audit function;
- discuss with the chief of internal auditors about internal audit reports, effectiveness of internal controls and problems in performing the internal audit;
- review the scope of internal audits planned for the year;
- review management's response to internal auditors' recommendations;
- review and approve internal audit budget;
- review the relationship between internal and external auditors and coordination of their work and
- appoint and dismiss the head of internal audit (chief audit executive).”
Along with the change of the institutional framework and rules on capital markets, which have been developed in response to numerous scandals and the collapse of some world largest corporations, new audit committee roles were highlighted, especially after enacting the Sarbanes-Oxley Act. Along with Sarbanes-Oxley Act there are some additional requirements relating to the audit committee new roles and responsibilities. Some of these rules extend audit committee responsibilities on risk management and encourage governing bodies to establish oversight over risk management process through delegation of supervisory duties to audit committees (Beasley, 2008). For example, rules for companies listed on New York Stock Exchange (New York Stock Exchange, 2003:11) require audit committees discuss policies related to risk assessment procedures and means of risk responses. Although the risk assessment and risk management is the responsibility of the governing bodies in the company, the role of the audit committee is to discuss guidelines and policies of governing bodies regarding these topics, as well as discuss on significant financial risks and their management.
In order to properly carry out its responsibilities, the audit committee must rely on internal audit work. Although the agency theory implies that the establishment of the audit committee reduces information asymmetry between owners and management, some authors (Raghunandan et. al., 1998, 2001, quoted in Sarens, et al., 2009:91) consider that the audit committee is faced with the information asymmetry resulting from "principal/ agent" position between the audit committee and operational level (which also includes the lower management) in the company. The audit committee, in the role of principal, mostly composed of non-executive and independent members, often has no sufficient information on specific aspects of risk management and internal control which consequently reduces its ability to discharge duties. In this context, internal audit may be considered as a mechanism that reduces the information asymmetry between the audit committee and the operational level management in the company. This understanding of mutual relationship is supported by the Institute of Internal Auditors (IIA) according to which the level of their good cooperation significantly affects the effective discharge of the audit committee responsibilities regarding governing bodies, shareholders and other stakeholders (The Institute of Internal Auditors, 2002).
Bishop (2000, cited in Sarens & De Beelde, 2006d:9), gave an overview of supporting roles that internal audit can have in relation to the audit committee and they include providing:
- general assistance,
- assistance in financial reporting
- assistance regarding risk and controls.
General assistance includes facilitating the flow of information or conducting special projects or investigations, if requested by the audit committee. Assistance regarding financial reporting is related to supporting the audit committee in its assessment of compliance with internal and external requirements concerning financial reporting, providing support in assessing the quality of financial reporting and information on the state of internal controls through quarterly reports. Also, one of the internal audit tasks in this regard is to ensure that members of the audit committee receive reports that include timely and relevant information on company performance. Assistance about risks and controls relate to the provision of support in the assessment of whether the company meet its goals concerning control, to provide information that will assist the audit committee in monitoring the control environment in the company and provide information of need when monitoring company's key financial and business risks.
One of the prerequisites to make benefit from relation between internal audit and the audit committee is the existence of effective mutual communication and interaction. That type of relationship can strengthen the position of internal audit as internal source of information that provides audit committee an insight into the evolving business challenges and climate in relation to internal control (Deloitte, 2012:6). In order to fully rely on the internal audit results and findings, the audit committee must first of all assess the quality of internal audit activities as well as the criteria on which they are based upon. In this context, it is necessary to periodically assess the internal audit activities in order to gain insight into the adequacy of their performance, as well as the adequacy of used resources.
Sarens, et al. (2009) conducted a case study in order to identify the reasons that affect the audit committee to seek the support from internal audit and also to analyze internal audit characteristics that make it appropriate provider of support in this context. Symbols of support were observed through the internal audit reports, oral presentations, informal contacts and private meetings. The analysis resulted in the following conclusions: audit committees that were more concerned about issues regarding risk management and internal controls, and their supervisory responsibilities in these areas, encouraged with discomfort resulted from information asymmetry, have seek more support from internal audit. Internal audit was perceived as a communicator between the audit committee and operational levels of management. According to research, internal auditor’s unique knowledge (especially specific practical knowledge related to risk management and internal control) allows them to support the audit committee. Similar, results of research conducted by Grant Thornton LLP's Advisory Services (2011:11) on more than three hundred chief audit executives, showed that almost all respondents (95% of them) consider that internal audit is useful to the audit committee, especially in the areas related to risk and general efforts related to strengthening oversight of corporate governance.
A symbiotic relationship between internal audit and the audit committee is also supported by research results of the Pulse of the Profession report, conducted by the Audit Executive Center in 2012 (IIARF, 2013:6-7).The survey was conducted among five hundred chief audit executives, and most of them described that relationship in positive terms. A majority of respondents considered (76%) that there is open dialogue and two-way communication, that audit committees clearly communicate their support internal audit and the Board (72%) and seek advice from internal audit (50%). Regarding the activities internal audit is undertaking in order to assists audit committee in discharging their duties, the majority of respondents pointed out the following: conducting continuous risk assessments (75%), assisting in the preparation of meeting topics and related materials (71%), conducting special confidential investigation and providing opinions on management performance related to internal controls and the adequacy of the corrective action (70%).
Internal Audit, as an internal monitoring mechanism in the system of corporate governance has special significance. For company's management is undoubtedly of great importance information of the extent to which things are "under control”. Internal audit, in this regard, has a special importance through its advisory role and providing relevant information to governing bodies, audit committee and other customers. Internal audit is not an end in itself but provides support to the company in achieving its objectives, through support to its customers, primarily management and the audit committee.
To be successful and justify their existence and activities, internal auditors must always adapt to conditions from their work environment through development of new audit services and approaches. There are two main approaches to developing internal audit activity. Internal auditors will in future act subsequently, evaluating the effects of past events and the achieved results but it is becoming more important to take preventive action, where internal audit provides assistance and support to its customers in predicting future risks and proposes adequate system of internal controls.