Auditor and auditee perceptions of internal auditing practices in a company in the energy sector

Lélis, Débora Lage Martins; Pinheiro, Laura Edith Taboada

doi:10.1590/S1519-70772012000300006

Abstracts

Internal auditing activities have experienced a great deal of expansion and appreciation in recent years. The objective of this study was to evaluate the perceptions of internal auditors and auditees regarding the internal auditing practices of a Brazilian company in the energy sector. The study, conducted as a case study with the use of primary sources, analyzed different aspects of internal auditing activities, including auditor training and the characteristics associated with good auditing work. Internal auditors and auditees indicated the level of preparation of the auditor, the quality of the auditing recommendations, and risk orientation as the factors with the greatest influence on the quality of internal auditing services, supporting findings in the literature. The studied groups also had positive perceptions regarding the contribution of internal auditing to improvements in process performance, internal control structures, and the company's management of risk, which are relevant indicators in the evaluation of the quality of internal auditing services. The study revealed that auditors and auditees had different perceptions of the evaluation of auditee behavior. The perceptions of auditors and auditees regarding the use of good internal auditing practices are, in most cases, coherent with the quality attributes cited in the literature, indicating the presence of these attributes in the evaluation of internal auditing service quality.

Internal auditing; Auditee; Risk-based auditing; Auditing practices

A atividade de auditoria interna tem passado por significativa expansão e valorização nos últimos anos. O objetivo do estudo foi avaliar a percepção de auditores internos e auditados em relação às práticas de auditoria interna de uma empresa brasileira do setor energético. A pesquisa, um estudo de caso com a utilização de fontes primárias, analisou diferentes aspectos da atividade de auditoria interna, incluindo a capacitação dos auditores e características associadas a um bom trabalho de auditoria. Auditores internos e auditados apontaram a preparação do auditor, a qualidade das recomendações de auditoria e a orientação para o risco como os fatores de maior influência sobre a qualidade do serviço de auditoria interna, corroborando o disposto na literatura. Também apresentaram percepção positiva sobre a contribuição da auditoria interna para a melhoria do desempenho dos processos, a melhoria da estrutura de controles internos e a melhoria da gestão de riscos da empresa, indicadores relevantes na avaliação da qualidade do serviço de auditoria interna. A pesquisa revelou uma considerável divergência perceptiva entre auditores e auditados no que tange à avaliação do comportamento dos auditados, que possuem uma percepção mais positiva sobre esse aspecto em comparação com os auditores. A percepção do uso de boas práticas de auditoria interna por auditores e auditados está, na maioria dos casos, coerente com os atributos de qualidade citados na literatura, indicando a presença desses atributos na avaliação da qualidade do serviço de auditoria interna.

Auditoria interna; Auditado; Auditoria baseada em riscos; Práticas de auditoria

ARTICLES

Auditor and auditee perceptions of internal auditing practices in a company in the energy sector

Débora Lage Martins Lélis^I; Laura Edith Taboada Pinheiro^II

^IMaster of Department of Accounting Sciences, Federal University of Minas Gerais. E-mail: deboralml@yahoo.com.br

^IIProfessor of Accounting Sciences, Federal University of Minas Gerais. E-mail: ltaboada@face.ufmg.br

ABSTRACT

Internal auditing activities have experienced a great deal of expansion and appreciation in recent years. The objective of this study was to evaluate the perceptions of internal auditors and auditees regarding the internal auditing practices of a Brazilian company in the energy sector. The study, conducted as a case study with the use of primary sources, analyzed different aspects of internal auditing activities, including auditor training and the characteristics associated with good auditing work. Internal auditors and auditees indicated the level of preparation of the auditor, the quality of the auditing recommendations, and risk orientation as the factors with the greatest influence on the quality of internal auditing services, supporting findings in the literature. The studied groups also had positive perceptions regarding the contribution of internal auditing to improvements in process performance, internal control structures, and the company's management of risk, which are relevant indicators in the evaluation of the quality of internal auditing services. The study revealed that auditors and auditees had different perceptions of the evaluation of auditee behavior. The perceptions of auditors and auditees regarding the use of good internal auditing practices are, in most cases, coherent with the quality attributes cited in the literature, indicating the presence of these attributes in the evaluation of internal auditing service quality.

Keywords: Internal auditing. Auditee. Risk-based auditing. Auditing practices.

1 INTRODUCTION

The expansion of markets and emergence of large organizations generate the need for stronger business structures that include norms and procedures for the management and operation of corporate processes and effective monitoring mechanisms to reduce dependence on managerial supervision. Since this historic expansion and the substitution of family companies by large organizations, internal auditing activities have spread within organizations.

Castanheira (2007) asserts that since this expansion, internal auditing has already experienced two paradigm shifts and is now within a third paradigm. The first paradigm, which was dominant for a long period of time, focused on observation and accounting. In 1941, the practice of contemporary professional internal auditing, with its concept of a "system of internal controls", began through the foundation of the Institute of Internal Auditors (IIA) and the publication of the first book on internal auditing, Victor Brink's Modern Internal Auditing. The second paradigm (control) therefore emerged and can still be found in auditing processes. Today, however, internal auditing incorporates a new paradigm that is based on the overview of processes with a focus on business risks and corporate governance practices, thereby allowing internal auditing to make new contributions to companies.

The IIA considers internal auditing to help organizations achieve their objectives through a systematic and disciplined approach to the evaluation and improvement of the effectiveness of risk management, control, and corporate governance practices.

This new orientation of internal auditing focuses on partnership rather than punishment, thereby requiring and causing significant changes in the behaviors and perceptions of auditors and auditees. It is natural that years of detective work, policing, and punitive practices have created a certain undesirable legacy for modern internal auditing, forming a barrier between auditors and auditees and preventing new auditing practices from being adequately communicated by internal auditors and understood by audited departments.

The identification of auditor and auditee perceptions regarding current internal auditing practices is relevant to determining whether the internal auditing guidelines presented by the IIA (2010) are practiced and whether the ability of internal auditing to improve processes may serve as an indicator of the quality of auditing activities.

The discussion of the role of quality attributes in auditing activities, based on the evaluation of the presence of these attributes and auditor and auditee perceptions of quality, provides an important contribution to the literature, given that few articles discussing this topic have been published. The present study will help to reduce this gap that exists in the literature. The primary research question is the following: What are auditor and auditee perceptions regarding internal auditing practices? The following represent secondary questions: a) Which internal auditing characteristics do auditors and auditees associate with the quality of this service? and b) Which attributes of internal auditing quality and which individual characteristics of internal auditors are observed in the analyzed company? The objective of this study was to analyze the perceptions of auditors and auditees regarding the internal auditing practices of a Brazilian company in the energy sector and to verify whether the presence of some internal auditing quality characteristics indicated in the literature are positively perceived in relation to the effectiveness of internal auditing.

In this study, the quality of internal auditing should be understood as the achievement of the objectives of internal auditing activities as defined by the IIA (2010), such as adding value and improving processes, thus delimiting the factors of quality and good practices evaluated in this study.

The results of the study contribute to increasing the knowledge on internal auditing, especially regarding the factors that impact the good practice of this type of auditing. It is worth noting that, in terms of the practical implications of the study, the findings may be useful for professional organizations by helping them in issuing internal auditing norms and for internal auditors by providing a performance benchmark that allows them to improve the effectiveness of their operations and contribute to the process of generating useful and reliable information for internal and external users.

2 THEORETICAL FRAMEWORK

Even though agency theory is usually not incorporated into the large majority of publications on internal auditing, it should be related to the nature and origin of auditing activity. Matos (2001) has indicated that agency theory is an important tool for monitoring and reducing agency conflicts. The evaluation and verification of internal auditing activities are only justified by the existence of a task delegation relationship, in which one person transfers responsibility for the execution of a certain activity to another person.

Ramamoorti (2003) observes that the IIA has considerably expanded the declaration of the responsibilities of internal auditing, which currently includes (i) reviewing and evaluating the quality, appropriateness, and application of accounting, financial, and operational controls; (ii) determining the extent of the fulfillment of established policies, plans, and procedures; (iii) determining the extent to which the company's activities are correctly registered and protected against damage or loss of any nature; (iv) determining the reliability of the accounting data and of other data generated within the organization; and (v) evaluating the performance of managers in fulfilling their defined responsibilities.

According to Morais and Martins (1999), internal auditing constitutes a continuous, complete, and independent function that is developed by internal organizational stakeholders with the goal of verifying the existence, fulfillment, effectiveness, and optimization of internal controls, thereby contributing to the accomplishment of organizational objectives. Although this definition does not directly mention financial verification and instead focuses on internal controls, it still does not cover other important areas of auditing activity.

This new pattern of auditing responsibilities has been incorporated into the IIA's (2010) definition of these activities. According to the institute, internal auditing is an independent and objective activity that offers evaluation and consulting services and has the objective of adding value and improving an organization's operations. Independence is a characteristic of the field of internal auditing and depends on its position within the company's hierarchy. The institute recommends that the auditing division of a company be linked to its board of directors instead of to its president or chief financial officer because this would allow for more independence. Objectivity is a characteristic of auditors and is achieved by adopting a professional zeal towards the work, obeying specific methodologies, paying attention to objectives, and conducting impartial analysis.

In Brazil, the norms and standards applicable to internal auditing are issued by the Federal Accounting Council (Conselho Federal de Contabilidade CFC) and address the professional and technical factors related to internal auditing activities. The professional norm dictated by the CFC via CFC Resolution no. 781/95 (NBC PI 01) establishes that internal auditors, regardless of their functional positions, should preserve their professional autonomy. The technical norm (NBC TI 01), approved through CFC Resolution no. 986/03 and applicable to public and private legal entities, discusses the objectives of internal auditing, auditing planning, documentation, risks, procedures, sampling, and reporting. However, there is little conflict with the IIA guidelines because few aspects discussed by the institute are not considered in the Brazilian norms issued by the CFC.

Thus, according to international rule 1100 of the IIA, the field of internal auditing should be subordinate to a hierarchical organizational level that allows it to fulfill its responsibilities without interference in the definition of scope, execution of the work, and communication of the results. Hass, Abdolmohammadi, and Burnaby (2006) and Gramling, Maletta, Schneider, and Church (2004), among others, highlight the importance of internal auditing for corporate governance, which, according to the Brazilian Institute of Corporate Governance (Instituto Brasileiro de Governança Corporativa IBGC, 2004), is the system by which companies are directed and monitored, encompassing contracts with related parties. According to Sarens (2009), it is noteworthy that, mainly motivated by attention to good governance practices and as a result of regulations such as the Sarbanes-Oxley Act (SOX), internal auditing has established its position within the field of corporate governance. More specifically, Sarens and De Beelde (2006) highlight the monitoring function and the improvement of risk management and internal control processes, which have become important contributions of internal auditing to corporate governance by aiming to reduce agency conflict.

In addition to evaluating the specific risk management practices of companies, many areas of auditing currently perform activities that are related to the requirements of the Sarbanes-Oxley Act, which may include, in addition to the evaluation of the design and execution of the internal controls on financial statements, advisory support for the areas responsible for controls in the design of action plans to close the gaps between the existing control structure and the structure demanded by American law.

The area that each auditing function covers is dependent on several factors, including the maturity of the auditing area and the interest of top management in the benefits derived from the results of internal auditing projects. Auditing activities encompass a sequence of phases that are executed through procedures that are generally based on norms and standards and use support tools that are specific to each type of work. Internal auditing activities may be grouped into three macro-phases: planning, field service, and reporting and monitoring.

The management of the auditing division is responsible for the design of the work plan, which is generally done annually or over the medium term. The IIA (2010) recommends that the periodic planning of auditable processes and units consider the risks inherent to each process and that this planning be formally approved by the division to which the internal auditing will be functionally subordinate. In the execution of the periodic plan, it is the responsibility of the internal auditor to plan and execute the auditing work under the direction and approval of supervisors (IIA, 2010). Planning consists of the definition of the objectives, scope, and resources to be used, in addition to the time needed to perform the project when this has not been defined in the periodic planning. During the planning stage, the risk management and internal control systems inherent to the audited process should be analyzed. At the end of the planning phase, the work program, which should include the tests, sampling techniques, and auditing documentation, as well as collection, analysis, and interpretation processes, is formulated.

In the field work phase, specific work procedures are necessary for each different type of activity. These procedures, which may follow local or international standards, could be internally defined by the company or could be a mixture of both types of standards. The procedures must be capable of obtaining sufficient and relevant evidence to accomplish the auditing objectives. Substantive tests or tests of internal control design and effectiveness may be performed, depending on the extent of testing required to obtain sufficient results for the project.

In the third phase, the auditing report, which communicates the findings and recommendations proposed by the auditing division or the action plans agreed upon with the audited division, is prepared. Among the possible types of auditing recommendations applicable to evaluations of internal controls, Ratliff, Wallace, Summers, McFarland, and Loebbecke (1996) state the following: (i) not modifying the control system if it is adequate for organizational needs; (ii) improving the internal control system, modifying unsatisfactory controls, or creating new controls, and (iii) reducing the risk levels of certain processes for which there is no possibility of implementing or improving controls through insurance.

Boynton, Johnson, and Kell (2002) indicate that one of the goals of the evaluation of risk and control is to help the auditor determine the risk that the divulged financial information contains errors or material misstatements. This position is supported by the Public Company Accounting Oversight Board (PCAOB, 2007), a private entity under the supervision of the Securities and Exchange Commission (SEC) that was created in 2002 by the Sarbanes-Oxley Act. This act, which defines 5 procedures for the evaluation of the design and effectiveness of the internal controls of organizations in its Auditing Standard (AS), asserts that risk evaluation is the basis of the entire auditing process and supports all subsequent testing procedures.

To increase the productivity of internal auditing, criteria and standards may be defined to be automatically verified through computerized systems that are configured to alert the auditors when a particular event occurs. This procedure greatly contributes to achieving business objectives and characterizes the term continuous auditing. Aquino, Silva, and Vasarhelyi (2008) report that this type of auditing, in addition to optimizing the auditors' time, is appropriate for situations in which there are clear controls, risks, and critical events that should automatically be monitored and communicated to the auditors.

Upon analyzing the threats and opportunities faced by internal auditing given changes in organizational processes, Spira and Page (2003) report that the field for auditing activity is promising because internal auditors may be useful to stakeholders and other parties involved in the risk management process, thus becoming essential to companies.

According to the American Institute of Certified Public Accountants (AICPA, 1972), internal controls comprise the organizational plan and all procedures adopted by a company to protect its assets, verify the accuracy of its accounting data, improve its operational efficiency, and promote compliance with established administrative guidelines.

Aiming for application in the field of internal auditing, the IIA (2010) asserts that an internal control system represents a set of activities and control components used by an organization to achieve its objectives and goals. In this regard, the definition of control presented by the institute consists of any action adopted by management, the board, or other interested parties with the objective of improving the probability that objectives and goals will be achieved. The controls may be (i) preventative, preventing undesirable events from occurring; (ii) detective, identifying and correcting undesirable events after their occurrence; or (iii) direct, encouraging the occurrence of and directing desirable events. Furthermore, controls may be automatic or manual, according to the way in which they are executed and their dependence on automated systems or manual execution procedures.

With regard to accounting disclosure, the Treadway Commission (1987) released a report that emphasized the importance of internal controls in the reduction of fraudulent financial disclosures. This report also asserted that all public companies should maintain structured internal controls over financial statements that could reasonably ensure the detection of fraud before their publication.

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (1994), internal control is a process that results from the actions of a committee of directors, managers, and others in a company to provide reasonable assurance of the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial information, and compliance with applicable laws and regulations. The COSO presents five elements of internal control structures: control environment, risk evaluation, control activities, information and communication, and monitoring.

Applicable to Information Technology (IT) processes, the Information Technology Governance Institute (ITGI) developed the Control Objectives for Information and Related Technology (COBIT). First published in 1996, COBIT also uses the conceptual basis of the COSO, and together with other standards such as the Information Technology Infrastructure Library (ITIL) and norm ISO/IEC 17799, it provides the main guidelines adopted in systems auditing.

COBIT is business-oriented, providing detailed information for the management of IT processes based on business objectives because it is designed to help the management team evaluate risks and control IT investment in an organization. Through COBIT, users may guarantee the good management of the IT services they depend on, and the auditors can access recommendations to evaluate the level of IT management and provide advice on the organization's internal controls.

In recent years, risk management has become prominent within organizations, given that it is through this process that the threats to achieving organizational goals and strategic objectives may be managed and reduced. The focus on risk management, with the use of a variety of techniques to identify and evaluate risks, does not only facilitate the definition of internal controls but also is aligned with the change in the debate on corporate governance from the focus on the quality of financial reporting to the concept that corporate governance mechanisms should not constrain the company's business activities. Spira and Page (2003, p. 652) assert that "the redefinition of internal control as risk management emphasizes its relationship with the formulation of strategy and characterizes internal control as support for the organization."

In 2009, the IIA approved a new International Standards of Practices for the Professional Exercise of Internal Auditing. The main changes in relation to the previous version, which was approved in 1999, are related to the grouping of norms and standards into different categories according to the degree to which they are mandatory and improvements in the institute's own process, such as the definition of a minimum period of three years in which norms should be reviewed. Some outdated elements were eliminated in the new version, whereas others were combined or modified in scope.

With the new publication, all of the norms, standards, and guidelines adopted by the IIA began to be classified as either mandatory or strongly recommended for the good practice of internal auditing. Mandatory items must to be followed when companies wish to follow the norms and standards of the IIA and publicize that they follow these standards.

Before the Sarbanes-Oxley Act, internal auditing activities focused on detection rather than prevention. Roth (2002) stressed that based on this law, internal auditors have changed their approach from confrontation to partnership and from control to risk and started focusing on advisory activities. According to Hass, Abdolmohammadi, and Burnaby (2006), these changes are necessary to react to the complex external and internal environment of modern organizations, which is caused by the impact of regulation, technology, and other factors. Krell (2005) asserts that the success of internal auditing activities and companies in general currently depends on the evaluation of organizational risks. In this regard, internal auditors must be capable not only of evaluating the risks of their organizations but also of performing complete risk analyses, including analyses of the auditing activities themselves. To this end, internal auditors need to have a high level of logic, critical thinking, analytical, and decision-making skills.

A model for the evaluation of internal auditing practices should consider control, risk, and governance processes. Rossiter (2007) suggests that the evaluation of internal auditing practices should consider the following aspects: (i) adequacy of the main standard, objectives, policies, and procedures of the internal auditing activities; (ii) adherence to the standards and ethical code of the IIA; (iii) contribution to the corporate governance, risk management, and internal control processes; (iv) compliance with the applicable laws, regulations, and industrial or governmental standards; (v) continuous improvement of the auditing activities and the adoption of best practices; and (vi) operational improvement and addition of value to the company.

According to Beckmerhagen, Berg, Karapetrovic, and Willborn (2004), effective auditing can be described according to reliability of findings, added value, and client satisfaction, although it may be very difficult to measure added value. Few studies have been identified that are related to the perceived quality of internal auditing activities, including Elliott, Dawson, and Edwards (2007); Deloitte (2007); and Arena and Azzone (2009).

Elliot, Dawson, and Edwards (2007) gathered opinions from auditors and auditees on some aspects of auditing activities to investigate and understand the reasons for which internal auditing is sometimes perceived as not adding value to the company.

In this study, auditors and auditees at AWE Plc., a British nuclear energy company, were asked to complete a questionnaire that considered qualitative aspects of internal auditing activities. The responses indicated that the internal auditing process is very well known and generally perceived as necessary. However, there was no consensus regarding the benefits and added value generated by internal auditing. This case study revealed that one of the reasons for the low perceived effectiveness and added value related to internal auditing are the actions that the audited management is responsible for, indicating a weakness in the important interface between auditors and auditees, which is essential for the implementation of improvements. Without coordinated action between the auditor and the auditees, auditing work does not go beyond issuing an audit report and is therefore limited to the detection of failures without generating corrections and improvements that could add value and improve the company's operations.

The survey performed by Deloitte (2007) portrayed the internal auditing situation in Brazil. With regard to the level of confidence in internal auditing, managers and auditors had similar perceptions that reveal a large degree of confidence in auditing activities. Among the benefits generated by internal auditing, the study revealed its ability to identify business risks and improve the efficiency of internal processes, suggesting that auditors operate with a focus on risk management and that managers perceive this.

Arena and Azzone (2009) study 153 Italian companies to identify the main indicators of internal auditing effectiveness. The authors' findings revealed that internal auditing effectiveness is influenced by the characteristics of the auditing team, the auditing activities and processes, and the relationships between internal auditing and other areas within the organization. The authors observed that the quality of internal auditing improves with greater auditor/employee ratios if the auditing manager is affiliated with the IIA, if the company adopts self-evaluation techniques of risks and controls, and when the auditing committee is involved in auditing activities.

Because this study has the objective of evaluating the operations of internal auditing practices through the analysis of their attributes, it is necessary to design a model to analyze these practices that considers the aspects to be surveyed through the formulated collection instruments. However, there are no consolidated models for the evaluation of internal auditing practices or quality, although the studies by Elliott, Dawson, and Edwards (2007) and Arena and Azzone (2009) partially provide the foundation for the formulation of the collection instruments of this study.

Arena and Azzone (2009) developed their research hypotheses, proxies, and dummies based on previous studies, as presented in Table 1.

Thumbnail

Considering the results of their study, Arena and Azzone (2009) suggest that the internal auditing divisions of companies should redefine the set of abilities and competencies that are necessary for the exercise of the profession, monitoring the current evolution in the role of internal auditing within organizations.

Cohen and Sayag (2010) explore the relationship of professional and organizational characteristics with the performance of internal auditors and analyze how internal auditing effectiveness may be generated through these factors. The personal and corporate characteristics were analyzed with regard to their ability to influence auditing performance indicators. Matarneh (2011) study the determinants of internal auditing quality in banks in Jordan, revealing that internal auditors in Jordanian banks consider the performance, competence, and objectivity of professionals to be the factors that have the greatest influence on the quality of the internal auditing.

Another study that is somewhat similar to this study and that was also performed in Brazil, is that of Carmona, Pereira, and Santos (2010), who analyze the perceptions of managers regarding the capability of internal auditors to adapt to the changes that have occurred in the insurance market since the introduction of the Sarbanes-Oxley Act. The study of Pepinelli, Dutra, and Alberton (2011) investigate the perception of auditors in relation to the behavioral competencies of independent auditors. With regard to the individual characteristics of internal auditors required to meet the current demands of internal auditing functions, the studies by Sarens (2009) enumerate that technical factors, such as education, training, and certifications, impact the quality of internal auditing activities. Sarens (2009) also indicates behavioral characteristics, such as interpersonal relationships and communication abilities, as significant in determining the quality of internal auditing.

3 METHODOLOGICAL PROCEDURES

A case study was performed to analyze the perceptions of auditors and auditees of the internal auditing practices in a Brazilian company in the energy sector, comparing some of the findings with the results from previous studies on the same topic, to contribute to the consolidation of academic knowledge in this area of study.

The factors associated with good internal auditing practices, which comprise the main content explored in the present study, were defined after analyzing the criteria used in previous studies, especially Elliott, Dawson, and Edwards (2007); Deloitte (2007); and Arena and Azzone (2009). The auditing and auditor characteristics discussed in the cited studies were qualitatively and comparatively analyzed, with the most cited items in the referenced literature being selected for observation. The findings of these studies proved to be most revealing and in some cases, provided combinations of similar items. The individual characteristics of auditors associated with internal auditing quality used in the present study are essentially derived from those characteristics discussed in the study by Sarens (2009). The technical characteristics were evaluated separately, and behavioral abilities were evaluated within the aspects examined by the questionnaire.

The study uses primary sources and a deductive logic approach. The use of different data collection instruments and broad access to primary sources, including those used to confirm the researcher's understanding, allowed for the motivations of the results obtained through the applied primary collection instruments to be clarified and to be compared within the theoretical framework.

With regard to how the problem is approached, the study is supported by qualitative analysis of the data. According to Castro (2002), qualitative research seeks to observe reality, identify facts, and analyze the phenomena that affect the company instead of simply describing or recording phenomena. In addition, this type of research generally does not involve statistical analysis. Richardson (1999) further adds that qualitative research describes the complexity of a particular problem, analyzes the interaction among the researched variables, and obtains a greater richness of details in the results.

The case study method is applied to situations in which the variables of interest are greater in number than the data points. Therefore, case studies are based on several sources of evidence that are subjected to triangulation. The characteristics indicated by Yin (2005) for an exemplary case study are found in this study, which uses several sources of evidence, a database organized with accurate evidence, and connections between the accurate information and the conclusions of the study.

The decision for this research to employ a single case study, rather than multiple studies, is justified by several factors. Limitations in time and resources, cited by Yin (2005), influenced the decision to analyze a single case study. However, the determinants of this choice are related to the need for broad access to the researched company to allow for the use of different research methods and collection instruments and for the researcher to return for confirmation of the initial findings. It is not easy for a researcher to have this type of access to multiple companies.

The Energy Company of Minas Gerais (Companhia Energética de Minas Gerais CEMIG) possesses a robust normative apparatus, with policies, procedural instructions, and technical instructions that are applicable to several types of business activities. In 2006, the company went through a restructuring of its internal controls to adhere to the Sarbanes-Oxley Act, with the active participation of internal auditing professionals in the project to comply with the American law, called Project CEMIG-SOX. The auditors participated in mapping processes, defining controls, proposing remediation plans, and testing the design and effectiveness of the controls. At the end of 2008, the company's internal auditing department began a project with the objective of certifying its internal auditors through the IIA with Certified Internal Auditor (CIA) certification.

The researched company has an internal auditing department that satisfies the required conditions to test the theory; in addition, it allowed the researcher to participate as an observer. Both of these factors significantly motivated the choice for a single study. From the detailed analysis of the phenomena that have occurred in the researched company, the knowledge base regarding the determinants of the perceived quality of internal auditing activities can be expanded.

Data collection occurred through questionnaires, semi-structured interviews, documental analysis, and participant observation.

4 ANALYSIS OF RESULTS

CEMIG generates, transmits, and distributes of electricity and energy solutions. The CEMIG group is formed by 65 companies and 15 consortia (as of August, 2011) and is controlled by a holding company that has assets and businesses in several Brazilian states. It also has investments in natural gas distribution and data transmission and is building an electricity transmission line in Chile.

CEMIG is a mixed capital publicly held corporation that is controlled by the Government of Minas Gerais and listed on the São Paulo Stock Exchange (BM&FBOVESPA), the New York Stock Exchange (NYSE), and the Latin American Stock Market in Euros (Mercado de Valores Latinoamericanos en Euros LATIBEX), in Madrid. The company has been listed on the Dow Jones Sustainability Index for ten years and is the only Latin American electric company included in this international index. The company is also one of three Brazilian companies included in the Global Dow index, which was launched in November of 2008 in the United States with the objective of serving as a reference for global markets, similarly to the Dow Jones Industrial Average index in New York. The Global Dow index includes 150 companies from 25 countries that are considered to be global leaders in their sectors of operation.

The present study was performed in the internal auditing department of CEMIG, which serves the companies of CEMIG Distribution (CEMIG Distribuição) and CEMIG CEMIG Generation and Transmission (Geração e Transmissão) and their subsidiaries and joint ventures. The information relevant to the characterization of the researched internal auditing activities was obtained through documental analysis of statutes, memoranda, auditing reports, and work papers, in addition to responses to semi-structured interviews conducted with the department's managers.

The main analyzed documents include a) the Organization Manual (statute) of the Internal Auditing and Internal Control Management Superintendent; b) the Triennial Auditing Plan; c) the Internal Auditing Instructions, which define the department's work methodology; d) memoranda produced by the department for several purposes, mainly relating to (i) communication of the annual plan to the president, (ii) auditing notifications, and (iii) nonconformities that were discovered and reported prior to the emission of the reports; e) auditing reports and SOX Internal Control Tests performed by the department in 2007, 2008, and 2009, having randomly selected four reports and four tests from each area related to different processes; f) work papers and auditing score sheets related to the auditing reports and SOX tests that were analyzed; and g) minutes of the managerial meetings of the division.

Currently, the technical team of the studied internal auditing department is composed of 24 internal auditors, an auditing manager, and an auditing superintendent. Of this group, 42% are administrators, 33% are accountants, 8% are electrical engineers, and 16% are geographers, systems analysts, or technicians.

The questionnaires on the perceptions of the auditors and auditees were formulated, responded to, and stored using the survey site Makesurvey. The questionnaire on the perception of the auditees was sent to 140 auditees and generated a total of 83 responses, which is equal to a 59% response rate. The questionnaire on the perception of the auditors was sent to 22 internal auditors who were currently allocated in auditing jobs and generated 20 responses, leading to a response rate of 91%. The greater response rate of the questionnaires sent to internal auditors is attributed to the fact that the results of the study are of particular interest to the auditors. In addition, the researcher is also an internal auditor in the researched company, which is believed to have contributed to the greater participation of the researcher's colleagues in the study.

With regard to the auditees who responded, a reasonable distribution of the respondents per area was verified. The auditees who operate in the Finance, Comptroller, Information Technology, Supplies, Human Resources, and Management areas correspond to 64% of the respondents. With regard to experience, 68% possess more than six years in the area in which they work. In relation to the exercised function, 43% of respondents occupy managerial positions, and 54% are responsible for the specific controls required for SOX certification. A high level of education was also observed among the responding auditees, with 72% having earned graduate degrees. With regard to the frequency of auditing, 90% are audited at least once a year.

The profile of the internal auditors who responded to the research reveals that 45% of them possess more than six years of experience in their activity. With regard to specific training, 40% of the respondents were in the process of obtaining CIA certification, 30% of respondents had already taken some tests, and 10% were participating in the CIA study group. The CIA is the main certification available for the internal auditing profession and is recognized internationally.

The company has a continuing education program that foresees the need for specific training according to the area of operation and professional level of internal auditors and whose results indicate good performance. The auditor job description requires the ability to fluently read English because a large part of auditing standards and practices emanate from international organizations, such as the IIA, and are formulated in English. To encourage improvements in this ability, the internal auditing department reimburses auditors for English language courses. In addition, all of the auditors who operate in the SOX process received extensive training in the year the law was implemented in Brazil, 2006, and have received complementary training throughout the following years.

The perceptions of the auditors and auditees regarding the main items related to good internal auditing practices are summarized in Table 2, which presents the responses as percentages. For each investigated item, the auditors and auditees had five response alternatives, in addition to being able to declare themselves unfit to answer, in which case they were not included in the calculation of the percentage. Of the five response options, two were essentially positive (e.g.: yes; often) and two negative (e.g.: no; rarely), and one indicated partial acceptance or acceptance with reservations (e.g.: sometimes; moderately). Table 2 combines the percentages of positive and negative responses and presents the intermediate option as "neutral", listing all of the investigated items in alphabetical order. In the analysis of the results, an attempt was made to follow the order of the cited aspects. However, this was not possible with all items; given the similar behavior of some items, some of the analysis was grouped.

Thumbnail

With regard to acceptance of the deficiencies found by the auditor (item 1), the study found considerable discrepancies between the perceptions of the auditors and those of the auditees. Whereas 88% of auditees perceived this item positively, which indicates not having reported any inconvenience in relation to the reported deficiencies, 60% of the auditors, whose responses are grouped between the negative and neutral perceptions, reported strong or moderate inconvenience of the auditees in relation to the indicated deficiencies. A considerable divergence in perception was also observed between auditors and auditees with regard to the behavior of the auditee in relation to the analysis of the causes of the deficiencies by the auditee (item 3) and to the effort to solve the reported problems (item 8). The auditees also positively perceived these questions, which was not the case for the large majority of the auditors. The adequacy of the conducted work (item 2) also displayed significant variation in perceptions: 50% positive perception by the auditors compared to 86% by the auditees. Inadequate performance of auditing work was associated with responses in which the auditors assert that their main objectives during an audit are to identify fraud or simply evaluate the fulfillment of current instructions and controls. These objectives, which do not aim to improve processes, identify and reduce relevant unmitigated risks, or identify and correct situations that impede the realization of organizational strategies, are limited to observing the persistence of the status quo and cannot be associated with well-conducted internal auditing work. These failures in the performance of the work were not perceived by the auditees. Only 58% of auditors claimed that they analyzed process risks when preparing for an auditing assignment (item 13) and selected the identification and mitigation of risks as their main objectives in the performance of an auditing assignment. Similarly, the documental analysis revealed strong risk guidance in the periodic planning and prioritization of the work but without the possibility of considering process risks during the preliminary survey, formulating the test programs, or executing the tests in a suitable manner.

In contrast to the results found by Elliott, Dawson, and Edwards (2007), the comparison of the auditor and auditee responses in this study revealed a somewhat more rigorous standard on behalf of the auditors, rather than the auditees, in relation to internal auditing practices. The perception of the auditors regarding the effectiveness of internal auditing (item 5) was reasonably worse than the perception of the auditees, perhaps due to the greater knowledge of auditing best practices and of the practices that can be effectively applied in their work environment. The divergence between the subjective perception of the auditors and their attitudes may be apparent to these auditors, which explains why the perception of effectiveness in auditing was relatively worse than the perception of the auditees.

The auditing recommendations (item 14) were considered to be of good quality by the vast majority of the auditors and auditees, as were the characteristics related to the reported results (item 16). However, some inconsistencies can be observed between auditor responses to questions of a more subjective nature, such as whether the audit may improve the risk management of the company (item 10), with a 72% positive perception, and their responses to direct questions on certain types of behaviors or practices, such as whether risks are considered during the work planning stage (item 2), with only a 50% positive response. The perception of the auditors proved to be much more positive in relation to subjective questions than to questions of a practical nature.

In terms of the formalization and precedence of the auditing notification (item 6), the negative perception included responses of not receiving any notification prior to the beginning of the work or of informal receipt of this notification, for example via telephone, by the auditees. Formalized notifications that were sent less than one week prior to the beginning of the audit were perceived as neutral, and notifications that were sent more than one week in advance were positively perceived. Whereas all auditors claimed to send formal notifications prior to beginning their work, 18% of auditees did not receive these notifications, which does not represent an important and significant variation, especially considering that notifications are always destined for the supervisors of the audited departments and may not reach all the audited respondents. The documental analysis confirmed the perception of the auditors of always sending formal notifications prior to beginning assignments.

There was convergence between the perceptions of the auditors and those of the auditees in relation to the atmosphere during the assignments (item 7), which was perceived as cordial, open, and positive by 90% of auditees.

The auditees perceived the internal auditors to be well prepared (item 13). However, the percentage of auditors who analyzed risk or strategic objectives to prepare for assignments did not constitute a significant majority, demonstrating much room for improvement in how auditors prepare for assignments, despite the positive perception of auditees related to this item. Although 88% of auditees affirmed that auditors were prepared, a significant majority of auditors again did not indicate that the identification and mitigation of risks or the correction of situations that inhibit the achievement of organizational strategy, which are essential for improving processes and adding value to the company, were among their main auditing objectives (only 58% said that yes, they are prepared).

The analysis of the contribution to strategic alignment (item 15) demonstrates a negative or partial perception among the auditors that is greater than that of the auditees, at 32% and 20%, respectively.

Auditors and auditees had a positive perception of the contribution of internal auditing to improving internal control structures (item 9), risk management (item 10), and process performance (item 11), with these indicators being relevant to the evaluation of the internal auditing practices of the company. The advisory activity of the internal auditing was positively perceived by auditors and auditees. Although a small group of auditees did not consider internal auditing to be a good source of advisory activity (item 4), this did not affect their evaluations of the effectiveness of internal audits (item 5), which indicates that the advisory function is not yet perceived by the auditees of the researched company as an activity inherent to the internal auditing function. Internal auditing activities are not able to produce process improvements and add value to the company without the assistance of the audited department. The final objectives of the internal auditing activity are achieved through the execution of the agreed upon action plans for the correction of the discovered deficiencies and the implementation of improvements; as previously discussed, the auditors perceived little effort from the auditees to solve the detected problems (item 8). In terms of monitoring by the auditors of the execution of action plans by auditees (item 12), despite the questionnaires revealing high percentages on both sides, the documental analysis indicated monitoring only in the last year of the three researched departments and not for all auditing assignments.

The survey did not ask for the percentage of recommendations that were effectively implemented, especially due to the subjectivity of the response to this type of question in light of the nonexistence of reliable measurement instruments. However, the divergent perceptions between the auditors and auditees in relation to the attitudes of auditees prior to the implementation of the action plans revealed a problem for the auditing process. The perception of the auditor indicates the presence of factors that inhibit the implementation of action plans by the auditee. In light of these factors, monitoring by the auditor of the execution of these action plans becomes even more necessary for internal auditing to achieve its main objectives.

It has been observed that auditors know the internal auditing best practices and agree with their ability to contribute to internal auditing quality but do not necessarily practice them. Therefore, the positive perception of the best internal auditing practices touches upon the impossibility of implementing these practices without the faithful observation of some principles, such as the consideration of risk (surveyed in item 2), the timeliness of informal communications (item 17) and reports (item 18, in which 45% of auditors had negative perceptions as a function of long delays), and the monitoring of the execution of the agreed upon action plans (item 12), thus indicating opportunities for improvement of internal auditing.

Throughout the study, the effects of the Sarbanes-Oxley Act on internal auditing activities became clear. The researched company has met the requirements of the law since 2006. The documental analysis revealed that the requirements of the law have led auditors to perform their work with greater methodological rigor in order to obey international standards. In addition, the Sarbanes-Oxley Act expanded the area of operation of internal auditing, whose main activity in many areas of the company is related to support procedures for the review of internal controls and tests of controls for financial statements.

5 FINAL CONSIDERATIONS

The scope of the general research objective to analyze the perceptions of auditors and auditees in relation to internal auditing practices required the survey, discussion, and understanding of these perceptions as well as their comparison to the literature review and to the theory presented in the theoretical framework. The detailed analysis of the secondary questions also generated fundamental information to respond to the main research question and to achieve the goal of the study.

With regard to the identification of the internal auditing characteristics that the auditors and auditees associated with auditing quality, the main relevance of this objective for the research lies in the fact that, although the literature has proposed that several characteristics and attributes of auditing services and of internal auditors are associated with the auditing quality, the researched group's concept of internal auditing quality may vary in relation to the literature as a function of its consideration of different attributes and characteristics in forming its perception of quality in this service. Internal auditors and auditees indicated auditor preparation, the quality of recommendations, and guidance for risk as the factors with the greatest influence on the quality of internal auditing services. These three factors support the findings in the literature in relation to the quality attributes of internal auditing: among other authors, the individual characteristics of the auditor, which comprise their preparation for auditing work, are largely discussed by Sarens (2009); the quality of the recommendations was indicated as essential by Elliott, Dawson, and Edwards (2007); and guidance for risk as intrinsic to the nature of internal auditing activities was indicated the IIA (2010).

The study has proposed some quality attributes that are present in the internal auditing division and the individual internal auditors of the researched company. In relation to the individual characteristics of the auditors, as guided by the studies by Sarens (2009), the survey of information on education, experience, training, CIA certification status, and the objectives of assignments all allow for a mapping of the qualifications of these auditors. The data for education and training received by the group are good. In relation to experience, however, a high standard deviation is perceived in the experience of the group, which includes very young auditors and others who have decades of experience. With regard to CIA certification, only 30% of the respondents are in the certification process stage in which they have already taken some sort of test, whereas the others have not yet taken their first test, even while participating in the study group. The standard deviation in the experience of the auditors and the existence of homogenous groups in the certification process and outside of this process generate different perceptive standards within the group of auditors for some of the questions analyzed in this study.

In general, the perception of the quality of internal auditing by the auditors and auditees is coherent with the quality attributes cited in the literature and observed in the internal auditing activities of the researched company, indicating the good predictive ability of these attributes for the evaluation of the quality of internal auditing services and supporting the findings of Elliott, Dawson, and Edwards (2007); Deloitte (2007); and Arena and Azzone (2009).

Seeking to expand the knowledge base of the quality of internal auditing services, it is suggested that future studies relate the observed quality attributes to internal audit effectiveness, in addition to proposing and testing new models to evaluate internal auditing service quality.

Other important topics in this subject area deserving of more in-depth research include the impact of the Sarbanes-Oxley Act on internal auditing activities, the effects of the extent and quality of the normative apparatus of the corporation on auditing work, and the difficulties of completely implementing the good internal auditing practices indicated by the relevant institutes.

References

American Institute of Certified Public Accountants. (1972). AU Section 110: responsabilities and functions of the independent auditor New York.
Aquino, C. E. M., Silva, W. L., & Vasarhelyi, M. A. (2008). Moving toward continuous auditing. The Internal Auditor, Altamonte Springs, 65 (4), 27-29.
Arena, M., & Azzone, G. (2009, Feb.). Identifying organizational drivers of internal audit effectiveness. International Journal of Auditing, Chichester, 13 (1), 43-60.
Beckmerhagen, I. A., Berg, H. P., Karapetrovic, S. V., & Willborn, W. O. (2004, Jan./Feb.). On the effectiveness of quality management system audits. The TQM Magazine, 16 (1), 14-24.
Boynton, W. C., Johnson, R. N., & Kell, W. G. (2002). Auditoria São Paulo: Atlas.
Carmona, E., Pereira, A. C., & Santos, M. R. (2010, Abril). A Lei Sarbanes-Oxley e a percepção dos gestores sobre as competências do auditor interno. Gestão & Regionalidade, São Caetano do Sul, 26 (76), 63-74.
Castanheira, N. (2007). Auditoria interna baseada no risco Dissertação de mestrado em Contabilidade e Auditoria, Escola de Economia e Gestão, Universidade do Minho, Portugal.
Castro, J. M. (2002). Métodos e técnicas de pesquisa: manual prático Belo Horizonte: MPA PUC- Minas, Fundação Dom Cabral.
Cohen, A., & Sayag, G. (2010). The effectiveness of internal auditing: an empirical examination of its determinants in Israeli organizations. Australian Accounting Review, 54 (20), issue 3, 296-307.
Committee of Sponsoring Organizations of the Treadway Commission. (1994). Internal control integrated framework (2 v.). New York.
Deloitte. (2007). Auditoria interna no Brasil São Paulo: Deloitte Touche Tohmatsu.
Elliott, M., Dawson, R., & Edwards, J. (2007). An improved process model for internal auditing. Managerial Auditing Journal, Bradford, 22 (6), 552-565.
Gramling, A. A., Maletta, M. J., Schneider, A., & Church, B. K. (2004). The role of the internal audit function in corporate governance. Journal of Accounting Literature, Gainesville, 23 (n), 194-244.
Hass, S., Abdolmohammadi, M. J., & Burnaby, P. (2006). The Americas literature review on internal auditing. Managerial Auditing Journal, Bradford, 21 (8), 835-844.
Instituto Brasileiro de Governança Corporativa. (2004). Código das melhores práticas de governança corporativa (3. ed.). Recuperado em 22 novembro, 2008, de http://www.ibgc.org.br
Krell, E. (2005, Ago). Is Sarbanes-Oxley compromising internal audit? Business Finance Recuperado em 19 janeiro, 2010, de http://businessfinancemag.com/article/sarbanes-oxley-compromising-internal-audit-0801
López; J. Á. P., Pérez, M. O., & López, A. V. P. (2004, Nov.). Cómo preservar la objetividad del auditor interno. Revista Eletrônica de Ciência Administrativa, Campo Largo, 3 (2).
Matarneh, G. (2011). Factor determining the internal audit quality in banks: empirical evidence from Jordan. International Research Journal of Finance and Economics, issue 73, 99-108.
Matos, J. A. (2001). Theoretical foundations of corporate governance Princeton: Princeton University Press.
Morais, G., & Martins, I. (1999). Auditoria interna Lisboa: Áreas.
Pepinelli, R. C. C., Dutra, M. H., & Alberton, L. (2011). A percepção dos auditados em relação às competências comportamentais dos auditores independentes: um estudo empírico na região da grande Florianópolis/SC. Anais do Congresso USP de Controladoria e Contabilidade, São Paulo, SP, Brasil, 11.
Public Company Accounting Oversight Board. (2007). Auditing standard 5 Recuperado em 14 agosto, 2007, de http://pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_5.aspx
Ramamoorti, S. (2003). Internal auditing: history, evolution, and prospects. In Bailey, A. D., Gramling, A. A., & Ramamoorti, S. Research opportunities in internal auditing (pp. 1-23). Altamonte Springs: The Institute of Internal Auditors Research Foundation.
Ratliff, R. L., Wallace, W. A., Summers, G. E., McFarland, W. G., & Loebbecke, J. K. (1996). Internal auditing: principles and techniques (2nd ed.). Altamont Springs: Institute of Internal Auditors.
Resolução do Conselho Federal de Contabilidade n. 781/1995 (1995). NBC PI 01 - Normas Profissionais do Auditor Interno. Recuperado em 23 fevereiro, 2010, de http://www.cfc.org.br/sisweb/sre/docs/RES_781.doc
Resolução do Conselho Federal de Contabilidade n. 986/2003 (2003). NBC T 12 Auditoria Interna. Recuperado em 23 fevereiro, 2010, de http://www.cfc.org.br/sisweb/sre/docs/RES_986.doc
Richardson, R. (1999). Pesquisa social: métodos e técnicas (3. ed.). São Paulo: Atlas.
Rossiter, C. (2007, Aug./Sept.). Top 10 priorities for internal audit in a changing environment. Bank Accounting & Finance, Boston, 20 (5), 34-35.
Roth, J. (2002). Adding value: seven roads to success Altamonte Springs: The Institute of Internal Auditors Research Foundation.
Sarens, G. (2009, Mar). Internal auditing research. International Journal of Auditing, Chichester, 13 (1), 1-7.
Sarens, G., & De Beelde, I. (2006, Nov.). The relationship between internal audit and senior management: an analysis of expectations and perceptions. International Journal of Auditing, Chichester, 10 (3), 219-41.
Spira, L. F., & Page, M. (2003). Risk management: the reinvention of internal control and the changing role of internal audit. Accounting Auditing & Accountability Journal, Bradford, 16 (4), 640-661.
The Institute of Internal Auditors (EUA). (2010). International professional practices framework Recuperado em 26 janeiro, 2010, de http://www.theiia.org/guidance/standards-and-guidance/
Treadway Commission. (1987). Report of the national commission on fraudulent financial reporting New York: American Institute of Certified Public Accountants.
Yin, R. K. (2005). Estudo de caso (3. ed.) Porto Alegre: Bookman.

Publication Dates

Publication in this collection
11 Dec 2012
Date of issue
Dec 2012

History

Received
02 Nov 2011
Accepted
16 Oct 2012

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

[1] American Institute of Certified Public Accountants. (1972). AU Section 110: responsabilities and functions of the independent auditor New York.

[2] Aquino, C. E. M., Silva, W. L., & Vasarhelyi, M. A. (2008). Moving toward continuous auditing. The Internal Auditor, Altamonte Springs, 65 (4), 27-29.

[3] Arena, M., & Azzone, G. (2009, Feb.). Identifying organizational drivers of internal audit effectiveness. International Journal of Auditing, Chichester, 13 (1), 43-60.

[4] Beckmerhagen, I. A., Berg, H. P., Karapetrovic, S. V., & Willborn, W. O. (2004, Jan./Feb.). On the effectiveness of quality management system audits. The TQM Magazine, 16 (1), 14-24.

[5] Boynton, W. C., Johnson, R. N., & Kell, W. G. (2002). Auditoria São Paulo: Atlas.

[6] Carmona, E., Pereira, A. C., & Santos, M. R. (2010, Abril). A Lei Sarbanes-Oxley e a percepção dos gestores sobre as competências do auditor interno. Gestão & Regionalidade, São Caetano do Sul, 26 (76), 63-74.

[7] Castanheira, N. (2007). Auditoria interna baseada no risco Dissertação de mestrado em Contabilidade e Auditoria, Escola de Economia e Gestão, Universidade do Minho, Portugal.

[8] Castro, J. M. (2002). Métodos e técnicas de pesquisa: manual prático Belo Horizonte: MPA PUC- Minas, Fundação Dom Cabral.

[9] Cohen, A., & Sayag, G. (2010). The effectiveness of internal auditing: an empirical examination of its determinants in Israeli organizations. Australian Accounting Review, 54 (20), issue 3, 296-307.

[10] Committee of Sponsoring Organizations of the Treadway Commission. (1994). Internal control integrated framework (2 v.). New York.

[11] Deloitte. (2007). Auditoria interna no Brasil São Paulo: Deloitte Touche Tohmatsu.

[12] Elliott, M., Dawson, R., & Edwards, J. (2007). An improved process model for internal auditing. Managerial Auditing Journal, Bradford, 22 (6), 552-565.

[13] Gramling, A. A., Maletta, M. J., Schneider, A., & Church, B. K. (2004). The role of the internal audit function in corporate governance. Journal of Accounting Literature, Gainesville, 23 (n), 194-244.

[14] Hass, S., Abdolmohammadi, M. J., & Burnaby, P. (2006). The Americas literature review on internal auditing. Managerial Auditing Journal, Bradford, 21 (8), 835-844.

[15] Instituto Brasileiro de Governança Corporativa. (2004). Código das melhores práticas de governança corporativa (3. ed.). Recuperado em 22 novembro, 2008, de http://www.ibgc.org.br

[16] Krell, E. (2005, Ago). Is Sarbanes-Oxley compromising internal audit? Business Finance Recuperado em 19 janeiro, 2010, de http://businessfinancemag.com/article/sarbanes-oxley-compromising-internal-audit-0801

[17] López; J. Á. P., Pérez, M. O., & López, A. V. P. (2004, Nov.). Cómo preservar la objetividad del auditor interno. Revista Eletrônica de Ciência Administrativa, Campo Largo, 3 (2).

[18] Matarneh, G. (2011). Factor determining the internal audit quality in banks: empirical evidence from Jordan. International Research Journal of Finance and Economics, issue 73, 99-108.

[19] Matos, J. A. (2001). Theoretical foundations of corporate governance Princeton: Princeton University Press.

[20] Morais, G., & Martins, I. (1999). Auditoria interna Lisboa: Áreas.

[21] Pepinelli, R. C. C., Dutra, M. H., & Alberton, L. (2011). A percepção dos auditados em relação às competências comportamentais dos auditores independentes: um estudo empírico na região da grande Florianópolis/SC. Anais do Congresso USP de Controladoria e Contabilidade, São Paulo, SP, Brasil, 11.

[22] Public Company Accounting Oversight Board. (2007). Auditing standard 5 Recuperado em 14 agosto, 2007, de http://pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_5.aspx

[23] Ramamoorti, S. (2003). Internal auditing: history, evolution, and prospects. In Bailey, A. D., Gramling, A. A., & Ramamoorti, S. Research opportunities in internal auditing (pp. 1-23). Altamonte Springs: The Institute of Internal Auditors Research Foundation.

[24] Ratliff, R. L., Wallace, W. A., Summers, G. E., McFarland, W. G., & Loebbecke, J. K. (1996). Internal auditing: principles and techniques (2nd ed.). Altamont Springs: Institute of Internal Auditors.

[25] Resolução do Conselho Federal de Contabilidade n. 781/1995 (1995). NBC PI 01 - Normas Profissionais do Auditor Interno. Recuperado em 23 fevereiro, 2010, de http://www.cfc.org.br/sisweb/sre/docs/RES_781.doc

[26] Resolução do Conselho Federal de Contabilidade n. 986/2003 (2003). NBC T 12 Auditoria Interna. Recuperado em 23 fevereiro, 2010, de http://www.cfc.org.br/sisweb/sre/docs/RES_986.doc

[27] Richardson, R. (1999). Pesquisa social: métodos e técnicas (3. ed.). São Paulo: Atlas.

[28] Rossiter, C. (2007, Aug./Sept.). Top 10 priorities for internal audit in a changing environment. Bank Accounting & Finance, Boston, 20 (5), 34-35.

[29] Roth, J. (2002). Adding value: seven roads to success Altamonte Springs: The Institute of Internal Auditors Research Foundation.

[30] Sarens, G. (2009, Mar). Internal auditing research. International Journal of Auditing, Chichester, 13 (1), 1-7.

[31] Sarens, G., & De Beelde, I. (2006, Nov.). The relationship between internal audit and senior management: an analysis of expectations and perceptions. International Journal of Auditing, Chichester, 10 (3), 219-41.

[32] Spira, L. F., & Page, M. (2003). Risk management: the reinvention of internal control and the changing role of internal audit. Accounting Auditing & Accountability Journal, Bradford, 16 (4), 640-661.

[33] The Institute of Internal Auditors (EUA). (2010). International professional practices framework Recuperado em 26 janeiro, 2010, de http://www.theiia.org/guidance/standards-and-guidance/

[34] Treadway Commission. (1987). Report of the national commission on fraudulent financial reporting New York: American Institute of Certified Public Accountants.

[35] Yin, R. K. (2005). Estudo de caso (3. ed.) Porto Alegre: Bookman.