Next Article in Journal
Can ESG Integration Enhance the Stability of Disruptive Technology Stock Investments? Evidence from Copula-Based Approaches
Previous Article in Journal
Turnover by Non-CEO Executives in Top Management Teams and Escalation of Commitment
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
JRFM
Volume 17
Issue 5
10.3390/jrfm17050196
jrfm-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles thumb_up
...
Endorse textsms
...
Comment
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Factors Affecting the Implementation of Risk-Based Internal Auditing

by
Abdulwahab Mujalli
Department of Accounting and Finance, College of Business, Jazan University, Jazan 45142, Saudi Arabia
J. Risk Financial Manag. 2024, 17(5), 196; https://doi.org/10.3390/jrfm17050196
Submission received: 23 March 2024 / Revised: 27 April 2024 / Accepted: 5 May 2024 / Published: 11 May 2024
(This article belongs to the Topic Risk Management in Public Sector)
Browse Figures
Review Reports Versions Notes

Abstract

:
This paper aims to investigate the factors affecting risk-based internal audit (RBIA) implementation in public sector organizations in Saudi Arabia. This paper utilized 234 usable answered questionnaires from internal audit managers, internal auditors, accountants, and executives working in Saudi public sector agencies. The gathered data were analyzed by applying partial least squares–structural equation modeling (PLS-SEM). Results show that management support, internal auditor role, risk management system, and training in risk management all positively and significantly influence the RBIA. Improved internal auditing procedures and an efficient internal monitoring system will significantly curtail any risks impeding the organization’s goals, diminish the temptation to fabricate financial data or statistics, and enhance the accuracy of financial reporting/statements. Moreover, this study’s results have crucial implications for managers of public sector organizations, heads of internal audit departments, internal auditors, and accountants seeking to improve the reliability of internal audits and other aspects of financial information. Published research on what variables are influencing RBIA implementation is scarce. This study adds to the nascent literature by focusing on Saudi Arabian public sector organizations, establishing empirical variables based on an in-depth review of the relevant research and conducting an empirical investigation of the factors associated with RBIA implementation in the Saudi economy. By concentrating on public sector organizations in Saudi Arabia, this paper sheds light on other nations with comparable systems for governance policies and processes in their government-run entities.

1. Introduction

Business failures represent a significant challenge many organizations face in recognizing the dangers that could arise from pursuing strategic endeavors (Drogalas and Siopi 2017). Given the threat that risks pose to an organization’s sustainability or viability, effectively managing these risks is of the utmost importance. Shifts in organizational circumstances, the entities, and technological advances and changes in regulatory/legislative structures have significantly altered the functions and methods of internal auditing (Chaudhari 2017; Abidin 2017). Ultimately, adopting and implementing RBIA processes will expand the range of internal audits to encompass comprehensive monitoring of all organizational activities and tasks (Lois et al. 2021; Stojanović and Andrić 2016). Basically, structured RBIA processes will reinforce the supervisory responsibilities carried out by internal auditors and enhance the accuracy of what has been audited for documenting official business transactions.
In a similar vein, there has been a transition in the internal audit from procedures to work risks, making the latter a central aspect of proper business governance (Benli and Celayir 2014; Dinçer and Hacioğlu 2016; Mujalli 2024). Simultaneously, modifications in regulatory frameworks and the implementation of new standards in risk management, internal audit, and organizational governance mean that there is now an interplay between internal audit and risk management. This has been made possible by a systematic and structured audit methodology known as RBIA (Jankensgård 2019; Wilkinson and Coetzee 2015). RBIA involves evaluating the whole organization’s risk management framework to examine how well management identifies, evaluates, manages, and monitors risks so that risk-based control plans can be established (Coetzee and Lubbe 2014; Kabuye et al. 2017; Raiborn et al. 2017; Abidin 2017).
Comprehending the goals and strategies of work tasks and bringing them into line with the workplace’s goals and overall activities (Chaudhari 2017; Coetzee and Lubbe 2014; Lois et al. 2021; Abidin 2017) involves determining, measuring, and prioritizing the dangers for the organization. Doing so contributes to more effective and cost-efficient holistic risk management practices (Castanheira et al. 2009; Lois et al. 2021), and internal auditors turn their attention to what will happen in the future (Petridis et al. 2021). Namely, they will prioritize “high-risk” areas when preparing internal audit plans and accounts (Sarens et al. 2012; Nickell and Roberts 2014; Abidin 2017). To accomplish this, internal auditors must have specialized knowledge in risk management and financial control matters (Abidin 2017).
RBIA implementation emerges from the constraints of compliance-related audits, efficiency in operations, and the financial statements’ reliability (Chaudhari 2017). This is because what is very important is the evaluation of organizational goals, risks, and audits (Burton et al. 2012) and assuring the efficiency of internal controls and risk management operations (Abbas and Iqbal 2012; Bozkus Kahyaoglu and Caliyurt 2018; Spira and Page 2003). This results in more efficient audit resource allocation and repeatedly enhances the internal audit function’s added value (Almagrashi et al. 2023; Lois et al. 2021; Sheehan 2010). It achieves this by elevating the quality of audit work, enhancing how sound operations are carried out, and assisting the organization’s long-term sustainability and success (Coetzee and Lubbe 2014; Lois et al. 2021; Sarens et al. 2012; Sheehan 2010; Abidin 2017).
The motivation for this study lies in the little research on internal auditing, as prior studies were mainly informed by institutional theory and the notion that internal auditing validity can enhance what organizations accomplish. This contention rests on the underlying supposition of the effectiveness of internal auditing (Al-Twaijry et al. 2003; Eulerich et al. 2022). The present literature on this subject recommends that the effectiveness of internal audits might not consistently be effective as it often depends on the particular dynamics of both the country and the organization (Erasmus and Coetzee 2018; Turetken et al. 2020). Consequently, most prior research has tested if there is a direct link between internal auditor characteristics and their procedures’ effectiveness (Endaya and Hanefah 2016; Erasmus and Coetzee 2018; Turetken et al. 2020). Numerous international studies have tested the internal audit’s wider role at the organizational level (Alqudah et al. 2019; Alzeban and Gwilliam 2014; Khongmalai et al. 2010; Khongmalai and Distanont 2017; Thompson and Alleyne 2023; Zuckweiler et al. 2016) as well as its association with enterprise risk management (Alazzabi et al. 2023; De Zwaan et al. 2011; Drogalas and Siopi 2017).
There are a handful of studies on factors that influence RBIA implementation. Prior studies mainly concentrated on the processes of risk evaluation throughout audit planning (Castanheira et al. 2009; Koutoupis and Tsamis 2009; Wang et al. 2023). A few research studies offer theoretical models for RBIA implementation (Coetzee and Lubbe 2014), yet not much has been published on the link between the RBIA application effect on organizational performance (Apreku-Djan et al. 2022; Kirogo et al. 2014) and specific organizational factors (Lois et al. 2021; Abidin 2017). For this reason, more research is necessary, as stated by many scholars (Alrawad et al. 2023; Apreku-Djan et al. 2022; Benli and Celayir 2014; Drogalas and Siopi 2017; Endaya and Hanefah 2016; Grima et al. 2023; Mujalli and Almgrashi 2020). For instance, Grima et al. (2023) and Park et al. (2019) point out insufficient empirical work has been conducted on internal auditing. Similarly, Coetzee and Lubbe (2014), Lois et al. (2021), Turetken et al. (2020), and Abidin (2017) have specified the necessity for more research to empirically test the factors affecting RBIA implementation.
Moreover, as IIA recognizes the significance of comprehending the global situation of internal auditing (Turetken et al. 2020), investigating internal audits in emerging nations will contribute valuable practical insights into this subject. There is an absence of comprehensive research on the factors that affect the RBIA in public sector organizations. While numerous studies have focused on these factors in the private sector, there has been limited examination of them in the public sector. Examples of studies in the RBIA that have concentrated mainly on the private sector are Abdullatif and Kawuq (2015), Apreku-Djan et al. (2022), Ayagre (2014), Drogalas and Siopi (2017), Kirogo et al. (2014), Koutoupis and Tsamis (2009), Lois et al. (2021), Wang et al. (2023), and Abidin (2017). Only restricted research on RBIAs in the public sector has been published. There are variations in the standard of internal auditing in the public and private sectors regarding their size, technology, competency, proficiency, legal regulations, and culture (Goodwin 2004; Nerantzidis et al. 2022). Results derived from the private sector cannot be immediately applied to the public sector. Hence, it is imperative to ascertain the occurrences of RBIA implementation within the public sector environment. According to the argument made above, the following research question is formulated:
RQ1. 
To what extent do various identified factors influence RBIA implementation in public sector organizations in Saudi Arabia?
This study makes significant contributions to the literature. First, it shows that internal auditing practices greatly vary from country to country, with some procedures being mandatory or voluntary, depending on the legislation. Previous empirical work on internal audits has predominantly concentrated on the European, Malaysian, American, and other advanced economic settings. By exploring what is happening in the public sector organizations in Saudi Arabia, this study expands the knowledge base to include the mandatory milieu in an economy that is becoming more powerful as it develops. Secondly, previous empirical research has mainly tested the effects of organization-specific characteristics on RBIA implementation. This study is one of the first to deem risk management, internal control systems, management support, and risk management training as aspects of empirical research that help measure the impact of internal monitoring tools on RBIA implementation in Saudi Arabia.
These above factors are chosen to test the RBIA implementation as recommended by several studies (Abdullah and Al-Araj 2011; Arena and Azzone 2009; Drogalas and Siopi 2017; Lois et al. 2021; Sarens et al. 2012; Sarens and De Beelde 2006; MetricStream 2018; Abidin 2017). These factors could focus on the real problems shaping RBIA implementation in Saudi public sector organizations. Consequently, the present study aims to investigate the influence of risk management and associated training, internal control systems, management support, and the internal auditor role on RBIA implementation in these organizations. Thirdly, while earlier studies on this topic primarily chose a qualitative method, this work offers quantitative-based empirical results to substantiate the qualitative findings documented in prior research. Fourthly, prior empirical research on RBIA implementation primarily concentrated on risk evaluation-type activities during audit planning. Insufficient attention was paid to the RBIA implementation processes through the whole gamut of the internal audit procedure, which this paper seeks to rectify.
The remainder of the paper is structured as follows. Section 2 deals with the literature review to determine the possible factors associated with RBIA implementation and what the research hypotheses are based on. Section 3 explains the methodology and how each variable is chosen and measured. Section 4 is the analysis of the results. Section 5 discusses the empirical results of the current study, and finally, Section 6 concerns the implications of the findings, limitations, suggestions for future research, and conclusion.

2. Literature Review and Hypothesis Development

2.1. Internal Auditing in Public Sector Organizations

Current internal auditing has been developed based on effectiveness, efficiency, and economy (Alqudah et al. 2019). Chambers (1992) defined effectiveness as implementing the work correctly, efficiency as implementing the work well, and economy as implementing the work at a low cost. Nevertheless, according to Lenz and Hahn (2015), if internal auditing is not practical, the economic efficiency of the service becomes unimportant. In other words, even the least important areas can be audited efficiently. Therefore, the important aspect of achieving the objectives is implementing work efficacy (Alzeban and Gwilliam 2014). Hence, the goals of internal auditors in public sector organizations ought to be consistent with the set objectives of their organizations to achieve favorable results that enhance organizational efficiency and productivity (Alqudah et al. 2019). Implementing an efficient internal auditing process can help the organization accomplish its goals by evaluating compliance with rules and regulations, procedures, and legislation, improving the system of internal control efficiency and checking asset protection measures (Alqudah et al. 2019; Anugraheni et al. 2022; Hassan et al. 2019; Nerantzidis et al. 2022). Conversely, Al-Twaijry et al. (2003) pointed out that an organization lacking efficient internal auditing experiences significant difficulties implementing its operations. Therefore, implementing the internal auditor’s efficacy is highly desirable as it can facilitate advancement in the everyday activities of organizations in the public sector (Alqudah et al. 2019).

2.2. Risk-Based Internal Audit

Using RBIA processes emphasizes the significance of recognizing the inherent risks within the plan or strategy and assessing the sufficiency and efficiency of measures taken to mitigate such risks (Chaudhari 2017; Coetzee and Lubbe 2014; Lois et al. 2021). Selim and McNamee (1999) argue that the structured approach to RBIA should integrate risk management practices, including (1) risk identification, (2) risk communication, and (3) risk management. It is not just the annual audit planning process but something involving every stage of individual audit engagement, such as planning, implementation (performing the actual work), and reporting. This holistic approach ensures comprehensive reporting on the impact of risk mitigation measures, ultimately safeguarding and realizing organizational objectives.
The structured RBIA can be implemented by aligning auditable areas with an organization’s broader activities and objectives, incorporating risk evaluation into annual and individual audit planning, efficiency of risk and control procedures, and their evaluation (Coetzee and Lubbe 2014). Effective implementation of the RBIA allows internal auditing to function well and offer trusted answers on any discrepancies between corporate strategy, daily operations, and financial outcomes (Lois et al. 2021). This includes assessing the status of action plans and attaining objectives, identifying and addressing unmanaged risks and critical issues, and pinpointing weaknesses in governance, control procedures, and risk management tasks. Adopting a comprehensive method for the RBIA could improve the effectiveness and productivity of auditing and also guarantee that internal auditing resources are used as effectively as possible, leading to a more concentrated effort on executing audit tasks (Coetzee and Lubbe 2014; Lois et al. 2021).

2.3. Management Support

Supporting internal auditors by giving authority or support to management can serve as a foundation for providing the essential resources to carry out their responsibilities efficiently. When internal auditors are adequately supported by senior management, they can secure the vital resources required to do their jobs properly and thoroughly. This support should enable internal auditing departments to recruit qualified personnel or provide ongoing training and development to current staff (Alzeban and Gwilliam 2014; Alqudah et al. 2019). Research by Chang et al. (2019) has confirmed that a well-empowered internal auditing department with a substantial team size can improve internal audit performance. Moreover, the Institute of Public Sector Internal Auditors (ISPPIA) emphasizes the importance of internal auditors reporting to executive management about any constraints in budgets or scope that impede or compromise their duties (IIA 2017).
Not only does the support of top management play a critical role in enabling internal auditors to accomplish a high level of effectiveness in the organization (Alqudah et al. 2019; Alzeban and Gwilliam 2014; Lenz et al. 2017), according to the resource-based perspective, when an organization is fully resourced, it can significantly improve the efficiency of its internal auditors (Alzeban and Gwilliam 2014; Alqudah et al. 2019). upport includes involvement in internal auditing planning, responding to reports generated by internal auditing, employing enough qualified staff, and allocating sufficient budgets for internal audit tasks (Alqudah et al. 2019).
Prior studies have consistently affirmed that having an effective management system is a pivotal factor in determining internal auditors’ ability to implement their duties effectively (Alqudah et al. 2019; Alzeban and Gwilliam 2014; Chang et al. 2019). Consequently, supporting internal auditors is essential to accomplish their objectives, ultimately leading to enhanced implementation of the RBIA and showing how efficient it is. According to this argument, the following hypothesis is proposed:
H1. 
Management support has a significant and positive influence on RBIA implementation.

2.4. The Internal Auditors’ Role

The move to embrace the RBIA is extensively acknowledged as a positive outcome closely associated with risk management (Alazzabi et al. 2023; Drogalas and Siopi 2017; Stojanović and Andrić 2016). While the internal auditors’ roles may differ worldwide and seem to be contingent on the effectiveness of the mechanisms that govern risk management, the emphasis on enhancing internal auditing practices in tandem with control or monitoring processes establishes an additional structure to the system of risk management (Abidin 2017). Internal auditors play an extremely vital role in contributing to the organization’s good functioning through audits and incorporating risk evaluation results into annual audit tasks. Specifically, internal auditors are tasked with classifying inherent risks within up-and-running and strategic activities to tailor their audits correspondingly (Lois et al. 2021).
By concentrating on strategic risks and delivering timely perceptions to senior management, internal auditing can provide added value to the business (Alqudah et al. 2019). A crucial obligation for internal auditors is to conduct comprehensive audits demonstrating a good comprehension of strategic goals and the daily but vital business functions (Alzeban and Gwilliam 2014; IIA 2017; Lois et al. 2021). A few years ago, research conducted by the company MetricStream (2018) recommended that internal auditors place a greater emphasis on assessing the performance of risk management and systems of internal control. This emphasis aimed to enhance consciousness of possible risks, line up internal auditing functions with operational strategies, enhance control procedures, and boost overall operational effectiveness. With this argument in mind, the following hypothesis is posited for testing:
H2. 
The internal auditors’ role has a significant and positive influence on RBIA implementation.

2.5. Training in Risk Management

Due to the interconnected nature of the internal audit and risk management as an outcome of RBIA implementation, offering training in risk management serves as a means for the internal audit to enhance its value to organizations (Lois et al. 2021). This is accomplished by shaping an audit framework that centers on risk management (Abidin 2017). Consequently, internal auditors gain the expertise to comprehend the factors affecting the performance of their workplace, determine possible risk sources, and work well with their line managers to guarantee the effective execution of their recommended measures (Alazzabi et al. 2023; Lois et al. 2021). However, the absence of appropriate training and qualifications among internal auditors hinders them from taking on new roles and responsibilities (H. Alqudah et al. 2023; Abidin 2017). Consequently, this deficiency diminishes the quality of internal audit and risk management procedures, and this influences the delivery of assertions and consulting services concerning monitoring, evaluating, and enhancing these procedures (Lois et al. 2021; Abidin 2017). Training internal auditors in risk management helps them generate accurate information concerning risk detection and evaluation, such as fraud detection. This, in turn, supports the appropriate RBIA implementation, which is a formalized, consultative approach (Abidin 2017; Castanheira et al. 2009; Drogalas and Siopi 2017). In their work, Rae and Subramaniam (2008) discovered that one of the most significant organizational elements positively associated with the quality of internal control processes is the degree of training in risk management provided to staff members. It is logical to assume that employees trained in risk management are better equipped to detect threats arising from deficiencies in internal controls (Lam 2014). According to the previous arguments, the following hypothesis is formulated:
H3. 
Training in risk management has a significant and positive influence on RBIA implementation.

2.6. Risk Management System

Implementing a risk management system identifies possible risks and simplifies audit planning within the organization, therefore enhancing risk awareness (Coetzee and Lubbe 2014; Spira and Page 2003). As Koutoupis and Tsamis (2009) emphasized, the control frameworks underscore the necessity of creating robust and operational risk management mechanisms. Within such a regulated framework, the internal audit function can actively support and oversee risk management processes while helping management detect threats to the organization’s strategic goals. This, in turn, contributes to enhancing internal audit planning tools with the goal of raising workplace performance (Chaudhari 2017; Lois et al. 2021). Obviously, the formation of a risk management mechanism must include established tasks for internal auditors and risk managers or, better yet, the creation of distinct internal audit and risk management units with comprehensible tasks and duties (Alazzabi et al. 2023; De Zwaan et al. 2011; Lam 2014; Stojanović and Andrić 2016; Abidin 2017). Building on this foundation, Lois et al. (2021), Abidin (2017), and Ayagre (2014) demonstrate a significant level of engagement with the RBIA in risk management. Based on this rationale, the following hypothesis is made:
H4. 
The risk management system has a significant and positive influence on RBIA implementation.

2.7. Internal Control System

The RBIA appears to be closely associated with implementing a structured system of internal controls, which fosters an atmosphere of audit realization in the organization (Ayagre 2014; Chaudhari 2017; Spira and Page 2003). Both audits and systems of internal control are structured to ensure responsibility and proper oversight (Abidin 2017). Internal auditors take a leading role in the establishment of a more structured system of risk management (Abidin 2017). More precisely, the internal control system guides the concentration of the internal audit by offering recommendations that improve risk management and related activities to promote awareness of control (Fernández-Laviada 2007; Abidin 2017). Furthermore, the standardization of internal control systems, which necessitates continuous monitoring, as well as the organization’s approach to risk-related issues and internal audits, leads to better awareness of risk and control (Sarens et al. 2012). Based on this approach to the topic, below is the proposed hypothesis:
H5. 
The internal control system has a significant and positive influence on RBIA implementation.
The hypothesized framework or the current research framework is presented in the following Figure 1.

3. Methodology

3.1. Questionnaire and Variable Measurement

This paper employed a five-point Likert scale because it is deemed appropriate to accomplish higher mean scores, maintain measurement reliability, and represent the most proper scale (Dawes 2008). Similarly, a five-point Likert scale clarifies respondents when answering the questionnaire, offering them choices (Hinkin 1995). Previous studies conducted in similar contexts have successfully employed a five-point Likert scale and obtained favorable results (Almagrashi et al. 2023; Alzeban and Gwilliam 2014; Lois et al. 2021; Ta and Doan 2022). The risk-based internal auditing (RBIA) implementation as the dependent variable demonstrating the degree to which the RBIA is executed was assessed according to the degree to which the RBIA enables the internal audit to meet shareholders’ needs and demands and contribute to a better comprehending of periodic evaluations of internal audit procedures and the extent to which the RBIA leads to a more effective determination of resources of internal auditing. These were all measured by respondents ranking the four items as adopted with amendments from Castanheira et al. (2009), Coetzee and Lubbe (2014), Lois et al. (2021), and Abidin (2017). Furthermore, they were all subjected to a five-point Likert scale with answers ranging from 1 = strongly disagree to 5 = strongly agree.
The independent variables investigated were management support to implement risk-based internal auditing, the internal auditors’ role in risk management, risk management training, the risk management system, and the internal control system. The role of the internal auditor in risk management was measured using six variables based on work by Drogalas and Siopi (2017), Lois et al. (2021), and Sarens and De Beelde (2006). Comprehending the strategic objectives and operational goals entailed the inclusion of risk evaluation outcomes in annual internal audit plans, the evaluation of inherent risks threatening the purposes of key functions of business and the following amendment of audits, timely information for senior management concerning threats to the sustainability of the organization, evaluation, and the assessment of reports concerning the efficiency of the internal control system and risk management.
The risk management system was measured using three variables, which were adopted by Abidin (2017), Crawford and Stein (2002), and Woods (2007). It is measured by assessing the level at which the existing procedures and accountabilities of the risk management system are recognized in the organization, namely by the current risk manager or an isolated risk management unit in the organization. Meanwhile, the internal control system was measured by three variables adopted from Fernández-Laviada (2007), Sarens and De Beelde (2006), and Abidin (2017). It is measured by identifying the setting up of efficient control systems wherein management has codified all business risks that need to be eradicated, an organizational culture that increases control consciousness, and ongoing monitoring of internal control mechanisms.
Risk management training was measured by three variables borrowed from Arena and Abdullah and Al-Araj (2011), Arena and Azzone (2009), and Lois et al. (2021). The formation of an audit culture depends on risk management and the establishment of good insights concerning the documentation and assessment of work-related risks in addition to enhancing the quality of internal auditing and risk management. Meanwhile, management support was measured by four variables adopted from Alqudah et al. (2019), Alzeban and Gwilliam (2014), and Ta and Doan (2022). The support given by top management to internal auditors is measured in terms of the auditors’ anticipation, internal auditors’ executed tasks and accountabilities, an adequate organization budget enabling the internal auditing department to implement audit plans, and the internal auditors obtaining adequate training as advocated by top management.

3.2. Data Collection Procedure

The research design utilized for the current study is cross-sectional, utilizing primary data gathered through a questionnaire survey form. In this survey, all respondents answered the same questions under identical conditions (Babbie 2020; Madawaki et al. 2022; Mujalli et al. 2022; Saunders et al. 2019). Sekaran and Bougie (2016) deem the questionnaire the most crucial and effective technique for gathering data. Moreover, Oppenheim (2000) highlights one of the benefits of using a questionnaire: letting participants independently contemplate their responses and answers more instantaneously than what is produced in interviews. Furthermore, Saunders et al. (2019) suggest that a questionnaire survey makes it possible to collect substantial information from a targeted population sample. The current work incorporates a significant population, and a considerable quantity of data needs to be gathered from public sector agencies in Saudi Arabia to examine what is affecting the implementation of the RBIA.
A pre-test was undertaken before the distribution of questionnaires to participants. The objective of the pre-test was to verify factor validity, ensuring the survey content was clearly stated as valid and that the questions were logical and coherent. Nine people were chosen, with four having worked as internal auditors in public sector organizations while the other five had experience as academics in accounting and auditing majors. The pre-test comments help in refining the survey’s content. When administering the pre-test, the researcher sent survey questionnaires to those who responded. Less than half (241) of the 500 questionnaires were returned. The current study utilized only 234 survey questionnaires out of these 241 for the final analysis because 7 questionnaires contained erroneous values. Table 1 summarizes the demographic profiles of the respondents. Mostly, they were between the ages of 30 and 39, with 26.3% female and 73.7% male. It was evident that 69.2% of those who participated in filling out the survey questionnaires had a bachelor’s degree, 51.3% of the respondents are internal auditors, and 34.6% have been on the job for 5 to 9 years.

3.3. Common Method Bias

The researcher gathered data from respondents using a questionnaire that covered both exogenous and endogenous constructs. This technique could lead to common method bias (CMB), as pointed out recently (Madawaki et al. 2022), especially concerning behavioral studies, which often arises in self-reported surveys, as noted by (Podsakoff et al. 2003). To reduce the impact of CMB, researchers can use procedural and statistical approaches. To ensure data security, we guarantee respondents’ privacy and anonymity during data collection (Rehman et al. 2022). Furthermore, the researcher informed respondents that the questionnaire was error-free and written in simple language (Podsakoff et al. 2003). From a statistical perspective, Herman’s single factor was utilized to measure CMB and explained 32.191% of the total variance, less than the standardized value of 50%. Another method used to measure CMB was full collinearity, where scholars found that if the value of full collinearity or VIF is below 5, the data are free from CMB issues (Podsakoff et al. 2003). Table 2 shows that all latent constructs have full collinearity of less than 5, meaning CMB does not influence the data.

4. Data Processing and Analysis of Results

In academic research, the PLS-SEM technique is becoming more widely recognized and applied, especially in work requiring complicated models that interact with several latent constructs (Chin 1998; Hair et al. 2019; Ockey and Choi 2015; Shmueli et al. 2019). One of PLS-SEM’s main advantages is its ability to efficiently handle these complicated models, making it ideal for exploratory research where relationships between variables might not yet be well established (Hair et al. 2019). Compared to traditional statistical methods, PLS-SEM does not need data with a normal distribution, increasing its applicability and usefulness when analyzing real-world datasets that frequently deviate from normalcy (Hair et al. 2019). Additionally, this method is beneficial for studies with limited sample sizes since it produces reliable findings without needing the large sample sizes that are usually connected with covariance-based SEM (CB-SEM) approaches (Chin 1998).
PLS-SEM is highly regarded for its efficacy in predictive modeling, which makes it an excellent choice for studies that seek to predict findings or determine the main drivers of target constructs (Hair et al. 2019). Moreover, its ability to support formative and reflective constructs is also a significant advantage over CB-SEM, which mainly concentrates on reflective constructs (Kock 2015; Shmueli et al. 2019). Another crucial component of PLS-SEM’s emphasis on maximizing the explained variation of dependent constructs is a vital aspect of utilized research, where it is essential for understanding the variance in significant constructs (Hair et al. 2019). Furthermore, the user-friendly interfaces of PLS-SEM methods, for example, SmartPLS, make them more accessible and interpretable (Hair et al. 2019; Ogbeibu et al. 2020; Shmueli et al. 2019). These features collectively create PLS-SEM as a robust and adaptable analysis method for diverse research contexts.

4.1. Measurement Model Results

Figure 2 and Table 2 show the analysis measurement model results for the internal auditors’ role, the internal control system, management support, risk-based internal auditing, risk management, and risk management training. The assessment utilized a variety of metrics—factor loadings, variance inflation factor (VIF), Cronbach’s alpha (Cα), composite reliability (rho_c), and average variance extracted (AVE)—to verify the data’s reliability and validity. The factor loadings, which demonstrate the associations between items and their respective constructs, ranged from 0.602 to 0.971. This range highlights various relationships, and Hair et al. (2019) stated that the AVE value must be equal to or more than 0.50. The VIF values, deployed to assess multicollinearity, were found to be below the established threshold of 5, as suggested by Kock (2015), subsequently demonstrating negligible worries in this area.
Concerning internal consistency, as recommended by Hair et al. (2019), the researcher assessed Cronbach’s alpha (CA) values, seeking values higher than 0.7. Table 3 shows that all constructs have CA alpha values greater than 0.7, with metrics varying from 0.790 to 0.916. Nevertheless, due to underestimation problems, Cronbach’s alpha has drawn criticism. For this reason, it is recommended that rho_Alpha be evaluated in addition to CA. For confirmatory purposes (Hair et al. 2019), rho values should exceed 0.7, and this requirement is met by the acceptable rho_Alpha values shown in Table 2 for all constructs, where metrics varied from 0.876 to 0.936. In this way, robustness and reliability were affirmed. In terms of convergent validity, a construct is deemed to have it when the AVE values surpass the standard benchmark of 0.5 (Hair et al. 2019). Table 2 shows that all reflective measures fulfill the lowest requirement, with the AVE values ranging from 0.559 to 0.829, guaranteeing their convergent validity and indicating strong reliability and validity of the analyzed constructs. This comprehensive evaluation thus supports the overall soundness and robustness of the measurement model devised for this research.
Table 3 summarizes the assessment of the discriminant validity of the all the constructs. The study utilized two distinct methods: the heterotrait–monotrait (HTMT) ratio and the Fornell–Larcker criterion. The HTMT ratios are considerably lower than the conventional cutoff of 0.85 (Henseler et al. 2015), indicating a high degree of discriminant validity between the constructs. This recommends that these constructs be discrete and that disparate phenomena be evaluated. At the same time, the analysis utilizing the Fornell–Larcker criterion, which includes a comparative assessment of the AVE’s square root values for all constructs against the inter-construct correlations, substantiates this discriminant validity. The AVE’s square root values for all constructs (shown as diagonal elements) exceed the matching off-diagonal values in the corresponding rows and columns. This observation aligns with the criteria suggested by Fornell and Larcker (1981). The outcomes displayed in Table 3 robustly confirm that the constructs are fulfilled. This distinction highlights the robustness and consistency of the measurement model, guaranteeing that every construct contributes to the overall analytical framework.

4.2. Structural Model

The research entailed examining and validating five direct hypotheses, employing path coefficients and statistical significance as measures through SmartPL.S. Figure 3 and Table 4 display the findings resulting from the structural model, concentrating on the influence of several factors on RBIA implantation. The data analysis supported four out of the five hypotheses under investigation. The first hypothesis posited a significant impact of MS on the RBIA. The data corroborated this with a path coefficient of 0.176, a T statistic of 2.691, and a p value of 0.007. The second hypothesis suggested that the IAR positively influences the RBIA. The data validated this hypothesis, as reflected in a path coefficient of 0.155 and a p value of 0.031. Similarly, the third and fourth hypotheses, which proposed significant positive impacts of RMT and RMS on the RBIA, respectively, were confirmed. This is evidenced by path coefficients of 0.228 and 0.281 and p values below 0.001 for both hypotheses. Contrastingly, the fifth hypothesis, which theorized a positive influence of the ICS on the RBIA, did not find support in the data. This lack of support is illustrated by a relatively low path coefficient of 0.032 and a non-significant p value of 0.596, pointing out that the ICS does not have a significant influence on the RBIA as per the data gathered.

4.3. The Explanatory and Predictive Power of the Model

In Table 5, the R-square value for the RBIA is reported to be 0.402, implying that about 40.2% of the variance in the dependent variable is accounted for by the model. This proportion is a moderate indicator of the model’s explanatory power. Accompanying this, the adjusted R-square value, recorded at 0.389, offers a slightly refined estimate, considering the number of predictors incorporated into the model. Hair et al. (2019) recommend that an R-square value in the vicinity of 0.40 is generally perceived as moderate, denoting the model aligns reasonably well with the empirical data. Furthermore, the model’s predictive relevance is gauged through the Q2 value of 0.239, derived using the formula 1—SSE/SSO, where SSE equals 712.661 and SSO stands at 936.000. The Q2 value surpassing 0, as in this instance, is strongly suggestive of the model’s predictive capacity for the dependent variable (Chin 1998). It is essential to recognize that the benchmarks for both R-square and Q2 values are not rigidly fixed and may vary depending on the particular context of the study and the model’s intricacies. Even lower values might be deemed acceptable in scenarios involving complex models or disciplines where prediction is inherently challenging (Hair et al. 2019).
The subsequent analysis focuses on the effect size (f2), which quantifies the influence of an independent variable on a dependent variable in the model. Cohen (1992) categorizes influence size as small (0.02), medium (0.15), and large (0.35). These classifications assist in ascertaining the magnitude of relationships between latent constructs in the structural model. Table 5 reveals that the effect sizes for the model’s latent constructs range from small to moderate. This range implies that the interconnections between independent and dependent variables are significant, contributing meaningfully to the explanation of variance within the model. These effect size values further reinforce the model’s reliability, highlighting its robustness in capturing the dynamics of the studied phenomena.
To evaluate the measurement framework robustness, the researcher applied the PLS predict methodology, following the suggestion of Sarstedt et al. (2019). Thus, the researcher suggested an advanced calculation procedure tailored to enhance the predictive relevance evaluation of research models in the context of PLS-SEM (Shmueli et al. 2019). This method emphasizes the need to initially calculate the Q2 values of the latent variables (LVs). A Q2 value greater than zero is a prerequisite before calculating the individual items. The proposed procedure delineates a nuanced approach to interpreting a model’s predictive power based on its items’ PLS-LM values. Specifically, if the PLS-LM of a minority or fewer items is smaller, the low predictive power is indicated here. Conversely, if the PLS-LM of all items is higher, it suggests predictive power is absent. In contrast, a lower PLS-LM value for all items suggests greater or higher predictive power in the model. In the context of this study, as presented in Table 6, the PLS-LM of all items is found to be lower, and the Q2 predict is greater than zero, which collectively points to a higher predictive power for the model. Furthermore, the study identifies that the Q2 value for the RBIA stands at 0.239, notably higher than zero. This value signifies a substantial predictive power at the construct level, thereby affirming the robustness and effectiveness of the model in capturing and predicting the dynamics associated with the RBIA. As a result, the predictive relevance and accuracy of the measurement framework can be reliably established, aligning with the results of Shmueli et al. (2019).

5. Empirical Results and Discussion

The emphasis is on the change from rules and compliance to efficiency and strategic planning, which has, in turn, led to a growing recognition that meaningful corporate governance mechanisms must strategically resolve relevant disputes. From an agency standpoint, the necessity for operational monitoring of exposure to inherent organization strategy risks has underlined the significance of internal auditing and RBIA processes. The function of internal auditing’s role is to meet the requirement for monitoring management’s behaviors/actions and evaluating the efficiency of organizational mechanisms. In light of this, the internal audit function has recently primarily embraced the risk-based internal auditing strategy as the preferred methodology. Adopting a methodical and disciplined internal auditing method ought to enable internal audit tasks to be efficiently executed. Prior research primarily focused on key success factors related to risk assessment during the audit planning phase (Allegrini and D’onza 2003; Benli and Celayir 2014; Castanheira et al. 2009; Drogalas et al. 2021; Drogalas and Siopi 2017; Koutoupis and Tsamis 2009). In contrast, as proposed by other scholars (Abidin 2017; Coetzee and Lubbe 2014; Lois et al. 2021; Wilkinson and Coetzee 2015), this study empirically examines the factors linked to RBIA implementation processes throughout all activities of internal auditing, incorporating planning, implementation, and reporting.
This study examined the impact of top management support, the internal auditors’ role in risk management, risk management training, and internal control systems. In this regard, the findings confirm that top management support significantly influences RBIA implementation. This result aligns with other studies (Alqudah et al. 2019; Alzeban and Gwilliam 2014; Endaya and Hanefah 2016). Alqudah et al. (2019) assert the need for sufficient internal resources to accomplish more significant efficiency. In such a scenario, the performance of internal auditors can be perceived as being determined by senior management adequately empowering them. Alzeban and Gwilliam (2014) discovered that senior management support is a crucial driver of the effectiveness of internal auditing. Once the internal auditing departments in the Saudi Arabian public sector organizations receive support from senior management, this will lead to efficiently performing the duties and accountabilities of internal auditing based on risk management effectiveness. Hence, prioritizing improving the efficiency of internal auditors becomes essential as it guarantees proper resource allocation and the organization’s commitment.
The finding of the role of internal auditors in risk management exerts a significant influence on RBIA implementation. This finding is consistent with other studies (Abdullatif and Kawuq 2015; Lois et al. 2021; MetricStream 2018). As Abdullatif and Kawuq (2015) discovered, internal auditors appear to reasonably comprehend essential workplace strategies and tasks, although there is room for enhancement. MetricStream (2018) recommended that internal auditors typically report to top management about risks threatening the organization’s viability, so this issue should be emphasized. Thus, substantial endeavors are underway to enhance the monitoring, evaluation, and reporting of the amount and efficiency of risk management and the mechanism of internal control. This enables internal auditing to meet its enlarged role by promoting control consciousness and reinforcing an honest, trusted, and dependable risk management mechanism (MetricStream 2018).
The finding for risk management training significantly influences RBIA implementation, and it is consistent with what Lois et al. (2021) reported. The competency of internal auditing plays a vital role in the RBIA implementation process. Managers in Saudi Arabian public sector agencies believe that training in risk management contributes to developing an audit environment concentrating on risk management, establishing accurate insights concerning risk management, and improving internal auditing quality and the procedures of risk management. All of these simplify and make RBIA implementation suitable, and it is evident that the implementation is well established.
The finding of risk management is that it has a significant influence on RBIA implementation, and it concurs with prior studies (Abidin 2017; Coetzee and Lubbe 2014; Lois et al. 2021; Sarens et al. 2009). The risk management process enhances risk consciousness and a risk-concentrated culture. Creating a structured framework for risk management duties and processes encourages management to take accountability or responsibility for more efficient practices in risk management (Goodwin-Stewart and Kent 2006). A more risk-averse culture supports the department’s administration to consider risk exposure in all decisions and actions. The findings support the view expressed by Abidin (2017) and Lois et al. (2021) that an updated system incorporating risk management encourages a resilient risk-taking milieu and offers a solid basis for the RBIA’s implementation.
Thus, there is room for supporting the internal audit’s concentration on vital risks and the sufficiency of risk management procedures, which are essential for appropriate RBIA implementation. It also seems that the public sector organizations in Saudi Arabia have adequate procedures for creating a standardized risk management system. It is obvious that substantial enhancements are required to explicitly state the duties and accountabilities as well as procedures of the risk management mechanism. This requires the presence of a risk management-type administrator or a separate risk management unit within the department, as noted by Crawford and Stein (2002), and operates in such a way that it facilitates the internal auditors’ role in supporting risk management policies (Woods 2007).
The last finding relates to the internal control system and has an insignificant influence on RBIA implementation. It is consistent with other research (Abidin 2017; Lois et al. 2021; Sarens et al. 2009). They highlight the weakness of risk-identification control systems and the lack of a robust control setting in Saudi public sector organizations. Nevertheless, in organizations, ongoing monitoring of the internal control mechanism is an encouraging outcome. As Fernández-Laviada (2007) emphasizes, the concentration should be on enhancing internal control systems and creating a workplace that prioritizes control and risk.
Moreover, the absence of a substantial influence of the internal control system on the RBIA can be attributed to various variables, such as the particular characteristics and intricacies of Saudi Arabia’s public sector organization context. Internal control systems in Saudi Arabia’s public sector organizations frequently encounter obstacles like inflexible structures, legislative limitations, and varied interests of stakeholders. These issues might restrict their ability to support RBIA procedures effectively. Furthermore, resource limitations, the culture of the organization, and political pressures may additionally impact the development and incorporation of risk-based techniques in public sector organizations.

6. Implications, Limitations, Recommendation Avenue for Future Research, and Conclusion

In short, the findings support the anticipation from previous studies. There is a significant relationship between management support, the internal auditors’ role in risk management, risk management training, the risk management system, and risk-based internal auditing implementation. More importantly, the study found no significant connection between the internal control system and the RBIA in Saudi Arabia’s public sector organizations. However, this finding appears to emphasize the significance of taking contextual variables and organizational dynamics into account when executing risk-based auditing practices in Saudi Arabia’s public sector organizations. Moving forward, I acknowledge the necessity for additional investigation to examine and comprehend the particular obstacles and enablers of the RBIA in the public sector environment. By obtaining a more thorough understanding of these aspects, further studies can offer practical suggestions and tactics for improving the efficiency and relevance of RBIA procedures in public sector organizations.
These research findings have important implications for regulatory authorities and the profession of internal auditing in Saudi Arabian public sector organizations. They provide valuable insights into adopting a comprehensive and structured approach to risk-based auditing by internal auditors. Embracing a more structured approach to the RBIA can improve the internal auditors’ ability to mitigate inherent risks in strategic requirements and business processes effectively. This, in turn, can lead to an enhanced quality of work within internal audit teams, reinforcing more operative monitoring tasks. From a practical and societal viewpoint, establishing an operational internal monitoring system and achieving higher-quality internal auditing work that can help reduce risks hindering the attainment of organizational goals is highly desired. It can also reduce the temptation to manipulate financial information and enhance the quality and integrity of financial reports and statements.
The current study possesses specific limitations that create avenues for future research. To enhance the findings’ generalizability, given that all participants in this study work in Saudi Arabian public sector organizations, further research should be carried out to explore factors associated with the RBIA’s implementation in countries where diverse cultural backgrounds or circumstances are evident and regulatory/legislative rules greatly determine the RBIA’s implementation and practices. Moreover, future research could investigate whether these findings differ from industry to industry.
In summary, this empirical study, following the present literature, underscores the implications of the RBIA’s implementation as a structured approach. This approach enables internal auditors to offer valid consulting services and assertions of financial matters regarding the appropriate risk management strategy and the internal control system. It should be noted that, ultimately, organizational accountability rests with the management.

Funding

This research received no external funding.

Data Availability Statement

The datasets used during the current study are available from the corresponding author upon reasonable request.

Conflicts of Interest

The author declares no conflict of interest.

References

  1. Abbas, Qaisar, and Javid Iqbal. 2012. Internal control system: Analyzing theoretical perspective and practices. Middle-East Journal of Scientific Research 12: 530–38. [Google Scholar]
  2. Abdullah, K. A., and R. Al-Araj. 2011. Traditional Audit versus Business Risk Audit: A Comparative Study–Case of Jordan. European Journal of Economics, Finance and Administrative Sciences 40: 74–91. [Google Scholar]
  3. Abdullatif, Modar, and Shatha Kawuq. 2015. The role of internal auditing in risk management: Evidence from banks in Jordan. Journal of Economic and Administrative Sciences 31: 30–50. [Google Scholar] [CrossRef]
  4. Abidin, Nor Hafizah Zainal. 2017. Factors influencing the implementation of risk-based auditing. Asian Review of Accounting 25: 361–75. [Google Scholar] [CrossRef]
  5. Alazzabi, Waled Younes E., Hasri Mustafa, and Ahmed Ibrahim Karage. 2023. Risk management, top management support, internal audit activities and fraud mitigation. Journal of Financial Crime 30: 569–82. [Google Scholar] [CrossRef]
  6. Allegrini, Marco, and Giuseppe D’onza. 2003. Internal auditing and risk assessment in large Italian companies: An empirical survey. International Journal of Auditing 7: 191–208. [Google Scholar] [CrossRef]
  7. Almagrashi, Ahmad, Abdulwahab Mujalli, Tehmina Khan, and Osama Attia. 2023. Factors determining internal auditors’ behavioral intention to use computer-assisted auditing techniques: An extension of the UTAUT model and an empirical study. Future Business Journal 9: 74. [Google Scholar] [CrossRef]
  8. Alqudah, Hamza, Abdalwali Lutfi, Shadi habis abualoush Mohammad Zakaria Al Qudah, Ahmad Farhan Alshira’h, Mohammed Amin Almaiah, Mahmaod Alrawad, and Magdy Tork. 2023. The impact of empowering internal auditors on the quality of electronic internal audits: A case of Jordanian listed services companies. International Journal of Information Management Data Insights 3: 100183. [Google Scholar] [CrossRef]
  9. Alqudah, Hamza Mohammad, Noor Afza Amran, and Haslinda Hassan. 2019. Factors affecting the internal auditors’ effectiveness in the Jordanian public sector: The moderating effect of task complexity. EuroMed Journal of Business 14: 251–73. [Google Scholar] [CrossRef]
  10. Alrawad, Mahmaod, Abdalwali Lutfi, Mohammed Amin Almaiah, Adi Alsyouf, Akif Lutfi Al-Khasawneh, Akif Lutfi Al-Khasawneh, Nazar Ali Ahmed, Ahmad M. AboAlkhair, and Magdy Tork. 2023. Managers’ perception and attitude toward financial risks associated with SMEs: Analytic hierarchy process approach. Journal of Risk and Financial Management 16: 86. [Google Scholar] [CrossRef]
  11. Al-Twaijry, Abdulrahman A.M., John A Brierley, and David R. Gwilliam. 2003. The development of internal audit in Saudi Arabia: An institutional theory perspective. Critical Perspectives on Accounting 14: 507–31. [Google Scholar] [CrossRef]
  12. Alzeban, Abdulaziz, and David R. Gwilliam. 2014. Factors affecting the internal audit effectiveness: A survey of the Saudi public sector. Journal of International Accounting, Auditing and Taxation 23: 74–86. [Google Scholar] [CrossRef]
  13. Anugraheni, Erika Pristiwati, Erma Setiawati, and Rina Trisnawati. 2022. Analysis of Risk-Based Internal Audit Planning Implementation and Its Impact on Audit Quality: Case Study at the Inspectorate of Surakarta, Indonesia. Journal of Economics and Business 17. [Google Scholar] [CrossRef]
  14. Apreku-Djan, Paul Kwasi, Francis Ameyaw, Frank Ameko Ahiale, Maxwell Owusu, and Isaac Kofi Oppong Apreku. 2022. The Effect of Risk-Based Auditing on Value-Based Financial Performance of Banks in Ghana. Journal of Academic Research in Business and Social Sciences 12: 903–28. [Google Scholar] [CrossRef] [PubMed]
  15. Arena, Marika, and Giovanni Azzone. 2009. Identifying organizational drivers of internal audit effectiveness. International Journal of Auditing 13: 43–60. [Google Scholar] [CrossRef]
  16. Ayagre, Philip. 2014. The adoption of risk based internal auditing in developing countries: The case of Ghanaian companies. European Journals of Accounting Auditing and Finance Research 2: 52–65. [Google Scholar]
  17. Babbie, Earl. 2020. The Practice of Social Research. Boston: Cengage Learning. [Google Scholar]
  18. Benli, Vahit Ferhan, and Duygu Celayir. 2014. Risk based internal auditing and risk assessment process. European Journal of Accounting Auditing and Fianance Research 2: 1–16. [Google Scholar]
  19. Bozkus Kahyaoglu, Sezer, and Kiymet Caliyurt. 2018. Cyber security assurance process from the internal audit perspective. Managerial Auditing Journal 33: 360–76. [Google Scholar] [CrossRef]
  20. Burton, F. Greg, Scott A. Emett, Chad A Simon, and David A. Wood. 2012. Corporate managers’ reliance on internal auditor recommendations. Auditing: A Journal of Practice & Theory 31: 151–66. [Google Scholar]
  21. Castanheira, Nuno, Lúcia Lima Rodrigues, and Russell Craig. 2009. Factors associated with the adoption of risk-based internal auditing. Managerial Auditing Journal 25: 79–98. [Google Scholar] [CrossRef]
  22. Chambers, Andrew D. 1992. Effective Internal Audits: How to Plan and Implement. Boston: Pitman Publishing. [Google Scholar]
  23. Chang, Yu-Tzu, Hanchung Chen, Rainbow K. Cheng, and Wuchun Chi. 2019. The impact of internal audit attributes on the effectiveness of internal control over operations and compliance. Journal of Contemporary Accounting & Economics 15: 1–19. [Google Scholar]
  24. Chaudhari, C. A. Shiva. 2017. A Guide to Risk Based Internal Audit System in Banks. Chennai: Notion Press. [Google Scholar]
  25. Chin, Wynne W. 1998. The partial least squares approach to structural equation modeling. Modern Methods for Business Research 295: 295–336. [Google Scholar]
  26. Coetzee, Philna, and Dave Lubbe. 2014. Improving the efficiency and effectiveness of risk-based internal audit engagements. International Journal of Auditing 18: 115–25. [Google Scholar] [CrossRef]
  27. Cohen, Jacob. 1992. Statistical power analysis current directions. Psychological Science 1: 98–101. [Google Scholar]
  28. Crawford, Margaret, and William Stein. 2002. Auditing Risk Management: Fine in Theory but who can do it in Practice? International Journal of Auditing 6: 119–31. [Google Scholar]
  29. Dawes, John. 2008. Do data characteristics change according to the number of scale points used? An experiment using 5-point, 7-point and 10-point scales. International Journal of Market Research 50: 61–104. [Google Scholar] [CrossRef]
  30. De Zwaan, Laura, J. Jenny Stewart, and Nava Subramaniam. 2011. Internal audit involvement in enterprise risk management. Managerial Auditing Journal 26: 586–604. [Google Scholar] [CrossRef]
  31. Dinçer, Hasan, and Ümit Hacioğlu. 2016. Risk Management, Strategic Thinking and Leadership in the Financial Services Industry: A Proactive Approach to Strategic Thinking. Berlin: Springer. [Google Scholar]
  32. Drogalas, George, and Stiliani Siopi. 2017. Risk management and internal audit: Evidence from Greece. Risk Governance & Control: Financial Markets & Institutions 7: 104–10. [Google Scholar]
  33. Drogalas, George, Michail Nerantzidis, Dimitrios Mitskinis, and Ioannis Tampakoudis. 2021. The relationship between audit fees and audit committee characteristics: Evidence from the Athens Stock Exchange. International Journal of Disclosure and Governance 18: 24–41. [Google Scholar] [CrossRef]
  34. Endaya, Khaled Ali, and Mustafa Mohd Hanefah. 2016. Internal auditor characteristics, internal audit effectiveness, and moderating effect of senior management. Journal of Economic and Administrative Sciences 32: 160–76. [Google Scholar] [CrossRef]
  35. Erasmus, Lourens, and Philna Coetzee. 2018. Drivers of stakeholders’ view of internal audit effectiveness: Management versus audit committee. Managerial Auditing Journal 33: 90–114. [Google Scholar] [CrossRef]
  36. Eulerich, Marc, Martin Wagener, and David A. Wood. 2022. Evidence on internal audit quality from transitioning to remote audits because of COVID-19. Journal of Information Systems 36: 219–34. [Google Scholar] [CrossRef]
  37. Fernández-Laviada, Ana. 2007. Internal audit function role in operational risk management. Journal of Financial Regulation and Compliance 15: 143–55. [Google Scholar] [CrossRef]
  38. Fornell, Claes, and David F. Larcker. 1981. Evaluating structural equation models with unobservable variables and measurement error. Journal of Marketing Research 18: 39–50. [Google Scholar] [CrossRef]
  39. Goodwin, Jenny. 2004. A comparison of internal audit in the private and public sectors. Managerial Auditing Journal 19: 640–50. [Google Scholar] [CrossRef]
  40. Goodwin-Stewart, Jenny, and Pamela Kent. 2006. The use of internal audit by Australian companies. Managerial Auditing Journal 21: 81–101. [Google Scholar] [CrossRef]
  41. Grima, Steven, Peter J. Baldacchino, Simon Grima, Murat Kizilkaya, Norbert Tabone, and Lauren Ellul. 2023. Designing a Characteristics Effectiveness Model for Internal Audit. Journal of Risk and Financial Management 16: 56. [Google Scholar] [CrossRef]
  42. Hair, F. Hair, Jeffrey J. Risher, Marko Sarstedt, and Christian M. Ringle. 2019. When to use and how to report the results of PLS-SEM. European Business Review 31: 2–24. [Google Scholar] [CrossRef]
  43. Hassan, Adewale Samuel, Daniel Francois Meyer, and Sebastian Kot. 2019. Effect of institutional quality and wealth from oil revenue on economic growth in oil-exporting developing countries. Sustainability 11: 3635. [Google Scholar] [CrossRef]
  44. Henseler, Jörg, Christian M. Ringle, and Marko Sarstedt. 2015. A new criterion for assessing discriminant validity in variance-based structural equation modeling. Journal of the Academy of Marketing Science 43: 115–35. [Google Scholar] [CrossRef]
  45. Hinkin, Timothy R. 1995. A review of scale development practices in the study of organizations. Journal of Management 21: 967–88. [Google Scholar] [CrossRef]
  46. IIA. 2017. International Standards for The Professional Practice of Internal Auditing (STANDARDS). Available online: https://www.theiia.org/ (accessed on 1 July 2023).
  47. Jankensgård, Håkan. 2019. A theory of enterprise risk management. Corporate Governance: The International Journal of Business in Society 19: 565–79. [Google Scholar] [CrossRef]
  48. Kabuye, F., S. K. Nkundabanyanga, J. Opiso, and Z. Nakabuye. 2017. Internal audit organisational status, competencies, activities and fraud management in the financial services sector. Managerial Auditing Journal 32: 924–44. [Google Scholar] [CrossRef]
  49. Khongmalai, Orapan, and Anyanitha Distanont. 2017. Corporate governance model in Thai state-owned enterprises: Structural equation modelling approach. Corporate Governance: The International Journal of Business in Society 17: 613–28. [Google Scholar] [CrossRef]
  50. Khongmalai, Orapan, John C.S. Tang, and Sununta Siengthai. 2010. Empirical evidence of corporate governance in Thai state-owned enterprises. Corporate Governance: The International Journal of Business in Society 10: 617–34. [Google Scholar] [CrossRef]
  51. Kirogo, Francis K., Solomon Ngahu, and Juma Wagoki. 2014. Effect of risk-based audit on financial perfomance: A survey of insurance companies in Nakuru town, Kenya. Stratford Peer Reviewed Journals and Book Publishing 1: 1–13. [Google Scholar] [CrossRef]
  52. Kock, Ned. 2015. Common method bias in PLS-SEM: A full collinearity assessment approach. International Journal of E-Collaboration (Ijec) 11: 1–10. [Google Scholar] [CrossRef]
  53. Koutoupis, Andreas G., and Anastasios Tsamis. 2009. Risk based internal auditing within Greek banks: A case study approach. Journal of Management & Governance 13: 101–30. [Google Scholar]
  54. Lam, James. 2014. Enterprise Risk Management: From Incentives to Controls. Hoboken: John Wiley & Sons. [Google Scholar]
  55. Lenz, Rainer, and Ulrich Hahn. 2015. A synthesis of empirical internal audit effectiveness literature pointing to new research opportunities. Managerial Auditing Journal 30: 5–33. [Google Scholar] [CrossRef]
  56. Lenz, Rainer, Gerrit Sarens, and Florian Hoos. 2017. Internal audit effectiveness: Multiple case study research involving chief audit executives and senior management. Edpacs 55: 1–17. [Google Scholar] [CrossRef]
  57. Lois, Petros, George Drogalas, Michail Nerantzidis, Ifigenia Georgiou, and Eleni Gkampeta. 2021. Risk-based internal audit: Factors related to its implementation. Corporate Governance: The International Journal of Business in Society 21: 645–62. [Google Scholar] [CrossRef]
  58. Madawaki, Abdulkadir, Aidi Ahmi, and Halimah Nasibah Ahmad. 2022. Internal audit functions, financial reporting quality and moderating effect of senior management support. Meditari Accountancy Research 30: 342–72. [Google Scholar] [CrossRef]
  59. Mujalli, Abdulwahab. 2024. The influence of E-auditing adoption on internal audit department performance amid COVID-19 in Saudi Arabia. Cogent Business & Management 11: 2295608. [Google Scholar]
  60. Mujalli, Abdulwahab, and Ahmed Almgrashi. 2020. A Conceptual Framework for Generalised Audit Software Adoption in Saudi Arabia by Government Internal Auditing Departments using an Integrated Institutional Theory-TOE Model. Paper presented at 2020 IEEE Asia-Pacific Conference on Computer Science and Data Engineering (CSDE), Gold Coast, Australia, December 16–18; pp. 1–8. [Google Scholar]
  61. Mujalli, Abdulwahab, Tehmina Khan, and Ahmed Almgrashi. 2022. University Accounting Students and Faculty Members Using the Blackboard Platform during COVID-19; Proposed Modification of the UTAUT Model and an Empirical Study. Sustainability 14: 2360. [Google Scholar] [CrossRef]
  62. Nerantzidis, Michail, Michail Pazarskis, George Drogalas, and Stergios Galanis. 2022. Internal auditing in the public sector: A systematic literature review and future research agenda. Journal of Public Budgeting, Accounting & Financial Management 34: 189–209. [Google Scholar]
  63. Nickell, Erin Burrell, and Robin W. Roberts. 2014. Organizational legitimacy, conflict, and hypocrisy: An alternative view of the role of internal auditing. Critical Perspectives on Accounting 25: 217–21. [Google Scholar] [CrossRef]
  64. Ockey, Gary J., and Ikkyu Choi. 2015. Structural equation modeling reporting practices for language assessment. Language Assessment Quarterly 12: 305–19. [Google Scholar] [CrossRef]
  65. Ogbeibu, Samuel, Jude Emelifeonwu, Abdelhak Senadjki, James Gaskin, and Jari Kaivo-oja. 2020. Technological turbulence and greening of team creativity, product innovation, and human resource management: Implications for sustainability. Journal of Cleaner Production 244: 118703. [Google Scholar] [CrossRef]
  66. Oppenheim, Abraham Naftali. 2000. Questionnaire Design, Interviewing and Attitude Measurement. London: Bloomsbury Publishing. [Google Scholar]
  67. Park, Hyun-Young, Ho-Young Lee, and Jin Wook Kim. 2019. Investment in internal auditing and governance characteristics: Evidence from statutory internal auditors in South Korea. Managerial Auditing Journal 34: 627–52. [Google Scholar] [CrossRef]
  68. Petridis, Konstantinos, Georgios Drogalas, and Eleni Zografidou. 2021. Internal auditor selection using a TOPSIS/non-linear programming model. Annals of Operations Research 296: 513–39. [Google Scholar] [CrossRef]
  69. Podsakoff, Philip M., Podsakoff Scott B. MacKenzie, Jeong-Yeon Lee, and Nathan P. Podsakoff. 2003. Common method biases in behavioral research: A critical review of the literature and recommended remedies. Journal of Applied Psychology 88: 879. [Google Scholar] [CrossRef] [PubMed]
  70. Rae, Kirsty, and Nava Subramaniam. 2008. Quality of internal control procedures: Antecedents and moderating effect on organisational justice and employee fraud. Managerial Auditing Journal 23: 104–24. [Google Scholar]
  71. Raiborn, Cecily, Janet B. Butler, Kasey Martin, and Mina Pizzini. 2017. The internal audit function: A prerequisite for Good Governance. Journal of Corporate Accounting & Finance 28: 10–21. [Google Scholar]
  72. Rehman, Shafique Ur, Stefano Bresciani, Khurram Ashfaq, and Gazi Mahabubul Alam. 2022. Intellectual capital, knowledge management and competitive advantage: A resource orchestration perspective. Journal of Knowledge Management 26: 1705–31. [Google Scholar] [CrossRef]
  73. Sarens, Gerrit, and Ignace De Beelde. 2006. Internal auditors’ perception about their role in risk management: A comparison between US and Belgian companies. Managerial Auditing Journal 21: 63–80. [Google Scholar] [CrossRef]
  74. Sarens, Gerrit, Ignace De Beelde, and Patricia Everaert. 2009. Internal audit: A comfort provider to the audit committee. The British Accounting Review 41: 90–106. [Google Scholar] [CrossRef]
  75. Sarens, Gerrit, Mohammad J. Abdolmohammadi, and Rainer Lenz. 2012. Factors associated with the internal audit function’s role in corporate governance. Journal of Applied Accounting Research 13: 191–204. [Google Scholar] [CrossRef]
  76. Sarstedt, Marko, Joseph F. Hair, Jr., Jun-Hwa Cheah, Jan-Michael Becker, and Christian M. Ringle. 2019. How to specify, estimate, and validate higher-order constructs in PLS-SEM. Australasian Marketing Journal 27: 197–211. [Google Scholar] [CrossRef]
  77. Saunders, Mark, Philip Lewis, and Adrian Thornhill. 2019. Understanding research philosophy and approaches to theory development. In Research Methods for Business Students, Chapter 4, 8th ed. London: Pearson Education, pp. 128–71. [Google Scholar]
  78. Sekaran, Uma, and Roger Bougie. 2016. Research Methods for Business: A Skill Building Approach. Hoboken: John Wiley & Sons. [Google Scholar]
  79. Selim, Georges, and David McNamee. 1999. The risk management and internal auditing relationship: Developing and validating a model. International Journal of Auditing 3: 159–74. [Google Scholar]
  80. Sheehan, Norman T. 2010. A risk-based approach to strategy execution. Journal of Business Strategy 31: 25–37. [Google Scholar] [CrossRef]
  81. Shmueli, Galit, Marko Sarstedt, Joseph F. Hair, Jun-Hwa Cheah, Hiram Ting, Santha Vaithilingam, and Christian M. Ringle. 2019. Predictive model assessment in PLS-SEM: Guidelines for using PLSpredict. European Journal of Marketing 53: 2322–47. [Google Scholar] [CrossRef]
  82. Spira, Laura F., and Michael Page. 2003. Risk management: The reinvention of internal control and the changing role of internal audit. Accounting, Auditing & Accountability Journal 16: 640–61. [Google Scholar]
  83. Stojanović, Tamara, and Mirko Andrić. 2016. Internal auditing and risk management in corporations. Strategic Management 21: 31–42. [Google Scholar]
  84. MetricStream. 2018. State of Internal Audit 2018-Impact and Opportunities, MetricStream Research. Available online: https://info.metricstream.com/Internal-Audit-2018-Impact-and-Opportunities.html? (accessed on 1 July 2023).
  85. Ta, Thu Trang, and Thanh Nga Doan. 2022. Factors affecting internal audit effectiveness: Empirical evidence from Vietnam. International Journal of Financial Studies 10: 37. [Google Scholar] [CrossRef]
  86. Thompson, Renée M., and Philmore Alleyne. 2023. Role of a board of directors and corporate governance in a state-owned enterprise. Corporate Governance: The International Journal of Business in Society 23: 478–92. [Google Scholar] [CrossRef]
  87. Turetken, Oktay, Stevens Jethefer, and Baris Ozkan. 2020. Internal audit effectiveness: Operationalization and influencing factors. Managerial Auditing Journal 35: 238–71. [Google Scholar] [CrossRef]
  88. Wang, Xiong, Fernando A. F. Ferreira, and Pengyu Yan. 2023. A multi-objective optimization approach for integrated risk-based internal audit planning. Annals of Operations Research 1–30. [Google Scholar] [CrossRef] [PubMed]
  89. Wilkinson, Naomi, and Philna Coetzee. 2015. Internal audit assurance or consulting services rendered on governance: How does one decide. Journal of Governance and Regulation 4: 186–200. [Google Scholar] [CrossRef]
  90. Woods, Margaret. 2007. Linking risk management to strategic controls: A case study of Tesco plc. International Journal of Risk Assessment and Management 7: 1074–88. [Google Scholar] [CrossRef]
  91. Zuckweiler, Kathryn M., Kirsten M. Rosacker, and Suzanne K. Hayes. 2016. Business students’ perceptions of corporate governance best practices. Corporate Governance 16: 361–76. [Google Scholar] [CrossRef]
Jrfm 17 00196 g001
Figure 1. Research framework.
Figure 1. Research framework.
Jrfm 17 00196 g001
Jrfm 17 00196 g002
Figure 2. Measurement model.
Figure 2. Measurement model.
Jrfm 17 00196 g002
Jrfm 17 00196 g003
Figure 3. Structural model.
Figure 3. Structural model.
Jrfm 17 00196 g003
Table 1. Demographic profiles of respondents.
Table 1. Demographic profiles of respondents.
Demographic ItemsFrequencyPercentage
Gender
Male16570.5%
Female6929.5%
Age
29 or below135.6%
Between 30 and 397532.1%
Between 40 and 4914059.8%
50 or more62.6%
Education level/qualification
Diploma or below3213.7%
Bachelor’s degree16269.2%
Master’s degree3213.7%
PhD83.4%
Job title
Manager of the internal audit department239.8%
Assistant manager of the internal audit department229.4%
Internal auditor12051.3%
Department manager3113.2%
Accountant2912.4%
Employee93.8%
Employment history
Less than 5 years4519.2%
5 to 9 years8134.6%
10 to 14 years6829.1%
15 or above4017.1%
Table 2. Measurement model results.
Table 2. Measurement model results.
ItemsFactor LoadingsVIFrho_cAVE
Internal Auditors’ RoleIAR10.7691.8840.8410.8820.559
IAR20.8522.808
IAR30.7842.143
IAR40.8281.898
IAR50.6021.446
IAR60.6101.451
Internal Control SystemICS10.8583.4130.9160.9360.829
ICS20.9712.847
ICS30.8993.761
Management SupportMS10.7921.9110.8440.8950.682
MS20.8492.318
MS30.8522.255
MS40.8081.819
Risk-Based Internal AuditingRBIA10.8171.5980.8130.8760.640
RBIA20.8112.036
RBIA30.8132.080
RBIA40.7571.453
Risk Management SystemRMS10.9152.3870.8420.9040.759
RMS20.8401.811
RMS30.8572.046
Risk Management TrainingRMT10.8181.4440.7900.8770.703
RMT20.8441.877
RMT30.8541.923
Notes: AVE = average variance extracted; VIF = variance inflation factor; rho_c = composite reliability; Cα = Cronbach’s alpha.
Table 3. Discriminant validity.
Table 3. Discriminant validity.
IARICSMSRBIARMSRMT
Heterotrait–monotrait ratio
IAR
ICS0.124
MS0.6160.047
RBIA0.5610.0820.517
RMS0.6380.0790.4790.611
RMT0.4990.0710.3680.5320.379
Fornell–Larcker criterion
IAR0.747
ICS0.1090.911
MS0.534−0.0050.826
RBIA0.5010.0840.4450.800
RMS0.5520.0840.4140.5130.871
RMT0.4120.0530.3080.4350.3120.839
Notes: IAR = internal auditors’ role, ICS = internal control system, MS = management support, RBIA = risk-based internal audit, RM = risk management, RMT = risk management training.
Table 4. Hypotheses testing results.
Table 4. Hypotheses testing results.
RelationshipPathT Statisticsp ValuesF-SquareStatus
MS → RBIA0.1762.6910.007 **0.035H1: Supported
IAR → RBIA0.1552.1550.031 **0.022H2: Supported
RMT → RBIA0.2283.4460.001 **0.070H3: Supported
RMS → RBIA0.2813.5270.000 ***0.188H3: Supported
ICS → RBIA0.0320.5300.5960.002H4: Not Supported
Note: Significance level ** p < 0.05 and *** p < 0.01.
Table 5. Coefficient of determination and predictive relevance.
Table 5. Coefficient of determination and predictive relevance.
R-SquareR-Square AdjustedSSOSSEQ2 (=1 − SSE/SSO)
RBIA0.4020.389936.000712.6610.239
Table 6. PLS predict Assessment.
Table 6. PLS predict Assessment.
PLSLMPLS-LM
Q2 PredictRMSEMAERMSEMAERMSEMAE
RBIA10.3170.6610.4840.6790.512−0.018−0.028
RBIA20.1810.9600.7051.0250.758−0.065−0.053
RBIA30.1441.0570.8511.0840.861−0.028−0.010
RBIA40.2300.8220.6070.8480.628−0.026−0.021
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Mujalli, A. Factors Affecting the Implementation of Risk-Based Internal Auditing. J. Risk Financial Manag. 2024, 17, 196. https://doi.org/10.3390/jrfm17050196

AMA Style

Mujalli A. Factors Affecting the Implementation of Risk-Based Internal Auditing. Journal of Risk and Financial Management. 2024; 17(5):196. https://doi.org/10.3390/jrfm17050196

Chicago/Turabian Style

Mujalli, Abdulwahab. 2024. "Factors Affecting the Implementation of Risk-Based Internal Auditing" Journal of Risk and Financial Management 17, no. 5: 196. https://doi.org/10.3390/jrfm17050196

Article Metrics

Back to TopTop