THE ROLE OF THE INTERNAL AUDITING DEPARTMENT IN ORGANIZATIONS: A CASE STUDY OF SELECTED BANKS IN ENUGU STATE

CHAPTER ONE: INTRODUCTION

1.1 Background of Study

The internal auditing department is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations (Institute of Internal Auditors [IIA], 2017). Internal auditing helps organizations accomplish their objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes (IIA, 2020). Unlike external auditors who focus primarily on financial statement accuracy for external stakeholders, internal auditors serve the organization itself, providing ongoing, real-time assessments across all operational, financial, and compliance areas (Pickett, 2018). In the banking sector, where public trust and regulatory compliance are paramount, the internal auditing department functions as a critical line of defence against financial loss, fraud, regulatory sanctions, and reputational damage (Chambers, 2019).

The role of internal auditing has evolved significantly over recent decades, moving from a predominantly compliance-focused “watchdog” function to a value-adding “consultant” and strategic partner (Rittenberg, Johnstone, and Gramling, 2019). Historically, internal audit was perceived as a fault-finding department that examined transactions after the fact and reported errors to management (Sawyer, 2018). Today, leading internal audit functions adopt a risk-based approach, anticipating problems before they occur, evaluating controls in real time, and providing forward-looking advice on process improvement, risk mitigation, and strategic alignment (IIA, 2020). This evolution has been driven by regulatory reforms (such as the Sarbanes-Oxley Act and its international equivalents), corporate scandals (Enron, WorldCom, and more recently, banking failures), and the increasing complexity of organizational operations (Deloitte, 2021).

In the Nigerian banking industry, the internal auditing department has gained particular prominence following the banking crisis of 2009, which led to the removal of eight bank chief executive officers, significant capital injections by the Central Bank of Nigeria (CBN), and widespread regulatory reforms (Sanusi, 2019). Post-crisis investigations revealed that internal control weaknesses, risk management failures, and ineffective internal audit functions contributed significantly to the crisis (Ogbechie and Adekunle, 2019). Many of the distressed banks had internal audit departments that were understaffed, under-resourced, lacked independence, or failed to report material weaknesses to the board audit committee (Soludo, 2019). Consequently, the CBN issued revised corporate governance guidelines mandating stronger internal audit functions, direct reporting lines to audit committees, and minimum qualifications for chief audit executives (CBN, 2020).

The banking sector in Enugu State, located in the South-East geopolitical zone of Nigeria, provides an important context for studying the role of internal auditing departments (Chukwu, 2020). Enugu is a major commercial hub serving the surrounding states of Abia, Anambra, Ebonyi, and Imo, with a concentration of banks including all major deposit money banks (e.g., First Bank, UBA, Access Bank, Zenith Bank, GTBank, Fidelity Bank, and others) as well as microfinance banks (Nwankwo, 2020). These banks operate branches, regional offices, and in some cases, zonal headquarters in Enugu, employing thousands of staff and serving millions of customers (CBN, 2023). The internal auditing departments of these banks face unique challenges related to the business environment in Enugu, including infrastructural deficits, security concerns, and the prevalence of informal economic activities (Ezeani, 2019).

The core functions of the internal auditing department in banks encompass multiple interrelated activities (IIA, 2017). Financial auditing involves verifying the accuracy and completeness of financial transactions, account balances, and financial reports, ensuring that they conform to accounting standards (International Financial Reporting Standards) and regulatory requirements (Pickett, 2018). Operational auditing evaluates the efficiency and effectiveness of banking operations, including teller operations, customer service, loan processing, account opening, and cash management (Rittenberg et al., 2019). Compliance auditing ensures that the bank adheres to laws, regulations, and internal policies, including anti-money laundering (AML) and combating the financing of terrorism (CFT) regulations, know-your-customer (KYC) requirements, and CBN prudential guidelines (CBN, 2020).

Risk management auditing evaluates whether the bank has identified its key risks (credit risk, liquidity risk, operational risk, market risk, reputational risk) and has implemented adequate controls to mitigate those risks (Basel Committee on Banking Supervision, 2019). Internal auditors assess the design and operating effectiveness of risk management frameworks, including loan underwriting standards, collateral valuation procedures, credit approval authorities, and risk monitoring systems (KPMG, 2020). Fraud auditing is a specialized area focused on detecting and preventing fraudulent activities, including employee fraud (misappropriation of funds, theft, payroll fraud), management fraud (financial statement manipulation, loan fraud), and external fraud (forged instruments, identity theft, cyber fraud) (ACFE, 2022). Internal auditors use data analytics, surprise audits, and forensic techniques to identify red flags (Wolfe and Hermanson, 2018).

Information technology (IT) auditing has become increasingly important as banks digitize their operations (Ernst and Young, 2021). IT auditors evaluate the security, integrity, and availability of banking systems, including core banking applications, online banking platforms, mobile banking apps, ATM networks, and payment gateways (IIA, 2020). They assess controls over access, change management, business continuity, disaster recovery, and cybersecurity (Deloitte, 2021). With the rise of cyber threats targeting financial institutions, IT auditing is now a core competency of modern internal audit departments (PwC, 2022). In Nigerian banks, where digital banking adoption has accelerated rapidly, the demand for IT audit skills exceeds supply (Ogbechie and Adekunle, 2019).

The organizational structure and reporting lines of the internal auditing department are critical to its effectiveness (Chambers, 2019). The IIA standards require that the chief audit executive (CAE) report functionally to the board audit committee and administratively to the chief executive officer (IIA, 2017). Functional reporting to the audit committee includes approval of the audit plan, audit budget, audit charter, and CAE appointment or removal; direct access to the audit committee chair; and the ability to communicate findings without management filtering (Rittenberg et al., 2019). Administrative reporting to the CEO includes day-to-day operational matters, budget administration, and personnel management (Pickett, 2018). This dual reporting line protects internal audit independence while ensuring operational alignment with the organization (IIA, 2020). In Nigerian banks, the CBN Code of Corporate Governance mandates this structure (CBN, 2020).

The relationship between the internal auditing department and the audit committee is particularly important (Macey and O’Hara, 2019). The audit committee, a subcommittee of the board of directors composed primarily of independent non-executive directors, oversees internal audit, external audit, financial reporting, and internal controls (IIA, 2017). The CAE typically meets privately with the audit committee at each meeting (executive session) without management present, allowing the CAE to raise sensitive issues (Chambers, 2019). The audit committee reviews and approves the internal audit plan, reviews audit findings and management responses, monitors the resolution of audit issues, and evaluates the CAE’s performance (Deloitte, 2021). An engaged, competent audit committee significantly enhances internal audit effectiveness (KPMG, 2020).

Despite the recognized importance of internal auditing, the function faces numerous challenges in Nigerian banks (Nwankwo, 2020). Budget constraints are a persistent issue, with internal audit departments often receiving less funding than other functions (e.g., sales, operations, IT). During economic downturns, audit budgets may be cut even as audit risk increases (Ogunleye and Adebayo, 2021). Staffing shortages are common, with internal audit departments struggling to attract and retain qualified personnel, particularly those with specialized skills in IT auditing, data analytics, and forensic accounting (Ernst and Young, 2021). Training gaps exist because internal auditors require continuous professional development to keep pace with changing regulations, technologies, and banking products (IIA, 2020). Many Nigerian banks invest insufficiently in internal audit training (Ogbechie and Adekunle, 2019).

Independence challenges arise when internal auditors are perceived as too close to management, or when they are assigned non-audit duties that conflict with their assurance role (Pickett, 2018). In some banks, internal auditors are rotated through operational roles, which can compromise their objectivity when they later audit those areas (Rittenberg et al., 2019). Technology gaps are a significant issue, as many internal audit departments still rely on manual auditing techniques, sampling rather than data analytics, and paper-based work papers (Deloitte, 2021). Banks with sophisticated IT systems may have internal audit departments that lack the tools and skills to audit those systems effectively (PwC, 2022). Resistance from management is another challenge; managers may view internal auditors as adversaries rather than partners, withholding information or failing to implement audit recommendations (Chambers, 2019).

The effectiveness of the internal auditing department is typically measured by multiple indicators (IIA, 2020). Audit plan completion assesses whether the department completes the planned audits within the budgeted time and resources. Finding acceptance rate measures the percentage of audit recommendations that management agrees to implement. Implementation rate tracks the percentage of agreed recommendations that are actually implemented within agreed timeframes. Stakeholder satisfaction surveys management and the audit committee regarding the quality, timeliness, and relevance of internal audit work (KPMG, 2020). Regulatory examination results provide external validation of internal audit effectiveness; banks with strong internal audit functions typically receive better regulatory ratings (CBN, 2020). Fraud loss reduction is a more direct but difficult-to-measure outcome (ACFE, 2022).

Empirical research on internal auditing in Nigerian banks is limited, and studies focusing specifically on Enugu State are even rarer (Chukwu, 2020). Most existing Nigerian banking research has focused on financial performance, credit risk, capital adequacy, or customer satisfaction, with limited attention to the internal audit function (Uche and Ehikioya, 2020). Studies that do examine internal audit tend to be broad surveys covering multiple industries, making it difficult to isolate banking-specific findings (Adelakun and Olaoye, 2021). The geographic concentration on Enugu State is justified because Enugu is a major banking centre in the South-East, yet has received less research attention than Lagos or Abuja (Ezeani, 2019).

The selection of banks for this case study includes a mix of tier-1 banks (large, systemically important banks with national presence), tier-2 banks (medium-sized banks), and microfinance banks (serving lower-income customers and small businesses) (CBN, 2023). This diversity enables comparative analysis of how internal audit functions differ across bank sizes, ownership structures, and business models. Specific banks selected (anonymized for confidentiality as Bank A, Bank B, Bank C, Bank D, and Bank E) represent this range. The inclusion of microfinance banks is particularly important because they face different risks (smaller loans, less sophisticated controls, higher exposure to informal sector) and have different internal audit resources compared to large commercial banks (Nwankwo, 2020).

From a theoretical perspective, this study is supported by three theories: Agency Theory (Jensen and Meckling, 1976), which explains internal audit as a mechanism to reduce information asymmetry between principals (shareholders, boards) and agents (management, employees); Institutional Theory (DiMaggio and Powell, 1983), which explains why banks adopt certain internal audit practices due to regulatory pressures, professional norms, and isomorphic forces; and Contingency Theory (Donaldson, 2019), which suggests that the optimal internal audit approach depends on contingent factors such as bank size, complexity, risk profile, and environment. These theories together provide a comprehensive framework for understanding the role of internal auditing departments in selected banks in Enugu State.

In summary, the internal auditing department plays a vital role in banks, encompassing financial, operational, compliance, risk management, fraud, and IT auditing. The effectiveness of internal audit depends on its independence, resourcing, skills, technology, and relationship with the audit committee. Nigerian banks, particularly following the 2009 crisis, have strengthened their internal audit functions, but challenges remain. Enugu State provides a relevant and under-researched geographic context for studying internal audit in banking. This study aims to empirically investigate the role of internal auditing departments in selected banks in Enugu State, generating insights for banking management, audit practitioners, regulators, and researchers.

1.2 Statement of Problems

Despite the critical role that internal auditing departments play in ensuring financial integrity, risk management, regulatory compliance, and fraud prevention in banks, evidence suggests that internal audit effectiveness in many Nigerian banks remains suboptimal. Persistent issues include high rates of fraud and forgeries (despite internal audit presence), regulatory sanctions for non-compliance with CBN guidelines, loan portfolio deterioration, operational losses, and weak risk management practices. In Enugu State specifically, bank customers and regulators have reported incidents of internal control failures leading to financial losses. Preliminary investigations suggest that internal audit departments in some Enugu-based banks are understaffed, under-resourced, lack independence, use outdated audit methodologies, and face resistance from management when reporting adverse findings. Furthermore, there is a lack of empirical research documenting the actual role, activities, effectiveness, and challenges of internal auditing departments in banks operating in Enugu State. The problem this study addresses is the gap between the theoretical role of internal auditing departments (as defined by professional standards) and the practical reality of their functioning in selected banks in Enugu State, with the aim of identifying factors that enhance or inhibit internal audit effectiveness.

1.3 Aim of the Study

The specific aim of this research work is to examine the role of the internal auditing department in selected banks in Enugu State, with a view to understanding how internal audit functions contribute to risk management, fraud prevention, regulatory compliance, and operational effectiveness, and to identify challenges and recommendations for improvement.

1.4 Objectives of the Study

1. To determine the effect of internal audit independence on the effectiveness of fraud detection and prevention in selected banks in Enugu State.
2. To assess the impact of internal audit coverage of loan portfolios on the level of non-performing loans in selected banks in Enugu State.
3. To examine the relationship between internal audit compliance testing and the bank’s adherence to Central Bank of Nigeria (CBN) regulatory requirements.
4. To evaluate the influence of internal audit recommendations on management’s implementation of corrective actions in selected banks in Enugu State.
5. To investigate the challenges (budget, staffing, technology, training, management support) facing internal auditing departments in selected banks in Enugu State.

1.5 Research Questions

1. What is the effect of internal audit independence on the effectiveness of fraud detection and prevention in selected banks in Enugu State?
2. How does internal audit coverage of loan portfolios impact the level of non-performing loans in selected banks in Enugu State?
3. What is the relationship between internal audit compliance testing and the bank’s adherence to Central Bank of Nigeria (CBN) regulatory requirements?
4. How do internal audit recommendations influence management’s implementation of corrective actions in selected banks in Enugu State?
5. What are the challenges (budget, staffing, technology, training, management support) facing internal auditing departments in selected banks in Enugu State?

1.6 Research Hypotheses

Hypothesis One

• H₀ (Null): Internal audit independence has no significant effect on the effectiveness of fraud detection and prevention in selected banks in Enugu State.
• H₁ (Alternative): Internal audit independence has a significant effect on the effectiveness of fraud detection and prevention in selected banks in Enugu State.

Hypothesis Two

• H₀ (Null): Internal audit coverage of loan portfolios has no significant impact on the level of non-performing loans in selected banks in Enugu State.
• H₁ (Alternative): Internal audit coverage of loan portfolios has a significant impact on the level of non-performing loans in selected banks in Enugu State.

Hypothesis Three

• H₀ (Null): There is no significant relationship between internal audit compliance testing and the bank’s adherence to Central Bank of Nigeria (CBN) regulatory requirements.
• H₁ (Alternative): There is a significant relationship between internal audit compliance testing and the bank’s adherence to Central Bank of Nigeria (CBN) regulatory requirements.

Hypothesis Four

• H₀ (Null): Internal audit recommendations have no significant influence on management’s implementation of corrective actions in selected banks in Enugu State.
• H₁ (Alternative): Internal audit recommendations have a significant influence on management’s implementation of corrective actions in selected banks in Enugu State.

Hypothesis Five

• H₀ (Null): There are no significant challenges (budget, staffing, technology, training, management support) facing internal auditing departments in selected banks in Enugu State.
• H₁ (Alternative): There are significant challenges (budget, staffing, technology, training, management support) facing internal auditing departments in selected banks in Enugu State.

1.7 Justification of the Study

This study is justified on several grounds. First, despite the recognized importance of internal auditing in banks, empirical research focusing specifically on Enugu State banks is extremely limited, creating a geographic knowledge gap. Second, Enugu State is a major commercial and banking centre in South-East Nigeria, yet most banking research concentrates on Lagos or Abuja, leaving the South-East under-researched. Third, the banking environment in Enugu presents unique characteristics (including the prevalence of microfinance banks, the informal economy, and specific security challenges) that may affect internal audit practices differently than other regions. Fourth, the study includes a mix of large commercial banks and microfinance banks, enabling comparative analysis across different bank types and sizes. Fifth, the findings will inform bank management (on how to strengthen internal audit departments), internal audit practitioners (on best practices and common pitfalls), regulators (on areas requiring supervisory attention), and academics (on theory testing and extension in a Nigerian context).

1.8 Significance of the Study

The findings of this research will be significant to several stakeholders. To bank management and boards of directors of banks operating in Enugu State, the study will provide evidence-based insights on how to structure, resource, and position internal audit departments for maximum effectiveness, including the importance of independence, audit coverage priorities, and follow-up on recommendations. To internal audit practitioners (chief audit executives, internal audit managers, and staff) in Enugu banks, the study will offer benchmarks for comparing their own practices with peer banks, identify common challenges and solutions, and highlight areas for professional development. To banking regulators, including the Central Bank of Nigeria (CBN) and the Nigeria Deposit Insurance Corporation (NDIC), the findings will illuminate systemic weaknesses in internal audit across Enugu banks, potentially informing examination procedures, regulatory guidance, or enforcement actions. To the Institute of Internal Auditors (IIA) Nigeria, the study will contribute to the body of knowledge on internal audit practice in Nigerian banking, supporting continuing professional development (CPD) programmes and practice advisories. To academic researchers in auditing, banking, and corporate governance, the study will provide primary empirical data from an under-researched geographic context, testing and potentially extending agency theory, institutional theory, and contingency theory.

1.9 Scope of the Study

The scope of this study is delimited to the role of internal auditing departments in selected banks operating in Enugu State, Nigeria. The study focuses on five selected banks representing different tiers: two tier-1 commercial banks (large, systemically important banks with national presence and branches in Enugu), two tier-2 commercial banks (medium-sized banks), and one microfinance bank (serving lower-income customers and small businesses in Enugu). The study examines the internal audit function along multiple dimensions: independence and reporting lines, audit coverage of key risk areas (particularly loan portfolio and fraud), compliance testing and regulatory adherence, influence of audit recommendations on management actions, and challenges facing internal audit departments (budget, staffing, technology, training, management support). The study covers the period from 2019 to 2023 (five years), capturing recent practices and challenges. The study does not extend to internal audit in other financial institutions (insurance companies, pension fund administrators, finance houses) in Enugu State, nor does it cover banks headquartered outside Enugu that do not have significant operations in Enugu. The study relies on primary data (questionnaires and interviews) from internal audit staff, management, and audit committee members (where accessible), as well as secondary data (bank annual reports, regulatory filings), but does not include direct observation of internal audit fieldwork or access to confidential audit reports beyond what respondents voluntarily share.

1.10 Definition of Terms

Internal Auditing Department: An independent, objective assurance and consulting function established within an organization to evaluate and improve the effectiveness of risk management, control, and governance processes, staffed by internal auditors who report functionally to the board audit committee.

Internal Audit Independence: The freedom of internal auditors from conditions that threaten their ability to carry out audit responsibilities objectively, including organizational reporting lines (functional reporting to the audit committee), protection from management interference, and absence of non-audit duties that create self-review threats.

Fraud Detection: The identification of fraudulent activities (including misappropriation of assets, corruption, loan fraud, and financial statement fraud) through internal audit procedures such as transaction testing, data analytics, reconciliations, surprise audits, and whistle-blower investigations.

Fraud Prevention: The proactive activities designed to deter fraud, including fraud risk assessments, anti-fraud control design and testing, fraud awareness training, ethical culture promotion, and background checks on employees.

Loan Portfolio Audit Coverage: The extent and depth of internal audit testing applied to the bank’s loan portfolio, including loan origination, underwriting, approval, documentation, collateral valuation, classification, and provisioning for loan losses.

Non-Performing Loan (NPL): A loan where the borrower has failed to make scheduled principal or interest payments for 90 days or more, or where payment is otherwise considered doubtful, expressed as a percentage of total loans.

Compliance Testing: Internal audit procedures designed to verify whether the bank is adhering to applicable laws, regulations (including CBN prudential guidelines, AML/CFT requirements, KYC rules), and internal policies.

Regulatory Requirements: The rules, guidelines, circulars, and prudential standards issued by the Central Bank of Nigeria (CBN) and the Nigeria Deposit Insurance Corporation (NDIC) with which banks must comply.

Audit Committee: A subcommittee of the board of directors, composed primarily of independent non-executive directors, responsible for overseeing financial reporting, internal controls, internal audit, external audit, and regulatory compliance.

Corrective Actions: Actions taken by management in response to internal audit findings and recommendations to address identified control weaknesses, process deficiencies, or non-compliance issues.

Tier-1 Bank: In the Nigerian banking context, a systemically important bank with large asset base (typically over ₦1 trillion), extensive branch network, significant market share, and high regulatory capital.

Microfinance Bank (MFB): A bank licensed by the CBN to provide financial services (loans, savings, payments) to low-income individuals, micro-enterprises, and small businesses, typically with smaller transaction sizes and less complex operations than commercial banks.

Chief Audit Executive (CAE): The highest-level internal audit position within the organization, responsible for the overall management of the internal audit department, including audit planning, staffing, reporting, and liaison with the audit committee.

Data Analytics in Auditing: The use of statistical, computational, and pattern-recognition techniques to analyse large volumes of transaction data, identify anomalies, test controls continuously, and provide audit evidence, enabling more efficient and effective audits compared to traditional sampling.

Risk-Based Auditing: An audit approach that prioritizes audit resources (time, staff, budget) on the areas of the organization with the highest risk exposure, rather than auditing all areas equally or on a fixed rotation.

CHAPTER TWO: LITERATURE REVIEW

2.1 Theoretical Review

This study is anchored on three supporting theories that provide a robust theoretical foundation for understanding the role of internal auditing departments in organizations, specifically in the banking sector. These theories are Agency Theory, Institutional Theory, and Contingency Theory. Each theory offers distinct but complementary insights into why internal auditing exists, how it is shaped by external pressures, and how it should be adapted to organizational context.

2.1.1 Agency Theory

Agency Theory, developed by Jensen and Meckling (1976) and subsequently refined by Eisenhardt (1989), provides the foundational theoretical justification for the existence of internal auditing in organizations. The theory addresses the relationship between principals (owners, shareholders, boards of directors) and agents (managers, employees) who are delegated to act on the principal’s behalf. The central problem in agency relationships is the divergence of interests between principals and agents, coupled with information asymmetry—the fact that agents typically possess more information about their actions, efforts, and decisions than principals do (Jensen and Meckling, 2019). This divergence can lead to agency costs, including shirking (agents exerting less effort than desired), self-dealing (agents pursuing personal benefits at the principal’s expense), moral hazard (agents taking excessive risks because they do not bear the full consequences), and adverse selection (agents hiding their true abilities or intentions during hiring) (Eisenhardt, 2019).

In the banking context, the principal-agent problem is particularly acute and multi-layered (Macey and O’Hara, 2019). At the first level, shareholders (principals) delegate authority to bank management (agents) to manage the bank’s operations, loan portfolio, investments, and risk exposures. Management may pursue growth, bonuses, or empire-building that does not maximize shareholder value (Boot and Thakor, 2020). At the second level, senior management (principals) delegate authority to branch managers, loan officers, and traders (agents) who make day-to-day decisions. These front-line employees may originate risky loans to meet volume targets, conceal trading losses, or misappropriate customer funds (Nwankwo, 2020). At the third level, the bank as a whole (agent) interacts with depositors and regulators (principals) who rely on the bank to safeguard deposits and comply with regulations (CBN, 2020). Each layer of agency relationship creates information asymmetry and potential for opportunistic behaviour (Uche and Ehikioya, 2020).

Internal auditing is a key mechanism for reducing agency costs across these multiple layers (IIA, 2017). Internal auditors act as independent monitors on behalf of the ultimate principals (shareholders and the board audit committee), gathering information about agent behaviour at all levels, evaluating the adequacy of controls, detecting deviations from policies, and reporting findings to the board (Chambers, 2019). By reducing information asymmetry, internal audit enables principals to better assess whether agents are acting in their best interests (Pickett, 2018). Agency Theory explains several features of internal audit design: the need for independence from management (to avoid the auditor becoming an agent of the agent), direct reporting to the audit committee (to ensure principals receive unfiltered information), and the use of risk-based auditing (to focus monitoring resources on areas where agency problems are most severe) (Rittenberg, Johnstone, and Gramling, 2019).

Agency Theory also explains the scope of internal audit activities (IIA, 2020). Financial auditing addresses the risk that agents might misstate financial results to mislead principals about performance (Jensen and Meckling, 2019). Operational auditing addresses the risk that agents might waste resources or operate inefficiently (Pickett, 2018). Compliance auditing addresses the risk that agents might violate laws or regulations, exposing the principal to fines or reputational damage (CBN, 2020). Fraud auditing directly addresses the risk that agents might steal from the principal (ACFE, 2022). Risk management auditing addresses the risk that agents might take excessive or inappropriate risks (Basel Committee, 2019). Agency Theory thus provides a unifying rationale for the diverse activities of internal audit departments.

A limitation of Agency Theory is its relatively pessimistic view of human motivation, assuming that agents are primarily self-interested and opportunistic (Eisenhardt, 2019). In reality, many bank employees and managers are motivated by professional ethics, intrinsic satisfaction, loyalty, and public service values (Wolfe and Hermanson, 2018). Moreover, Agency Theory pays limited attention to the costs of monitoring: internal audit itself is expensive, and at some point, the marginal cost of additional audit coverage may exceed the marginal benefit of reduced agency costs (Rittenberg et al., 2019). Nevertheless, Agency Theory remains the dominant framework for understanding corporate governance and internal control systems, and this study adopts it as a primary theoretical lens.

2.1.2 Institutional Theory

Institutional Theory, developed by DiMaggio and Powell (1983) and built upon the work of Meyer and Rowan (1977) and Scott (2014), provides a complementary lens to Agency Theory. While Agency Theory focuses on rational, economic calculations (principals designing monitoring systems to control self-interested agents), Institutional Theory emphasizes the role of external pressures, norms, and taken-for-granted beliefs in shaping organizational structures and practices (DiMaggio and Powell, 1983). Organizations adopt certain practices not necessarily because they are efficient or effective, but because they confer legitimacy, social acceptance, and survival advantages in their institutional environment (Scott, 2014).

Institutional Theory identifies three mechanisms of isomorphism (pressure toward similarity) that explain why organizations in the same field tend to adopt similar structures and practices (DiMaggio and Powell, 1983). Coercive isomorphism arises from formal and informal pressures exerted by other organizations upon which an organization depends, and by societal expectations. In banking, coercive pressures include regulations from the Central Bank of Nigeria (CBN), examination requirements from the Nigeria Deposit Insurance Corporation (NDIC), and legal mandates (e.g., the Banks and Other Financial Institutions Act). These coercive forces compel banks to establish internal audit departments with specific reporting lines, qualifications, and audit coverage (CBN, 2020). Non-compliant banks face fines, license restrictions, or revocation (Sanusi, 2019).

Mimetic isomorphism arises from uncertainty: when organizational goals are ambiguous or technologies are poorly understood, organizations model themselves after other organizations perceived as successful or legitimate (DiMaggio and Powell, 1983). In Nigerian banking, smaller or newer banks may mimic the internal audit structures and practices of larger, established banks (e.g., First Bank, UBA, Zenith Bank) that are perceived as industry leaders (Ogbechie and Adekunle, 2019). Banks may also adopt practices promoted by professional bodies such as the Institute of Internal Auditors (IIA) Nigeria, which disseminates best practices and standards (IIA, 2017). Consultants and audit firms also spread practices across banks (KPMG, 2020).

Normative isomorphism arises from professionalization: the collective struggle of members of an occupation to define their work conditions and methods (DiMaggio and Powell, 1983). Internal auditing has become a professionalized field with formal education requirements (e.g., accounting or finance degrees), professional certifications (Certified Internal Auditor, CIA; Certified Public Accountant, CPA; Certified Fraud Examiner, CFE), and professional associations (IIA, 2020). Internal auditors share common training, attend similar conferences, read the same professional literature, and move between banks, carrying normative expectations about what internal audit should look like (Pickett, 2018). This normative pressure homogenizes internal audit practices across banks, even in the absence of regulation or efficiency gains (Chambers, 2019).

Institutional Theory is particularly relevant to this study because banks in Enugu State operate within a highly institutionalized environment (Chukwu, 2020). The CBN regulates all banks uniformly, regardless of location, imposing the same internal audit requirements on a bank in Enugu as on a bank in Lagos (CBN, 2020). Professional expectations (IIA standards) are national and international, not local. Banks in Enugu are therefore likely to have internal audit departments that look similar on paper (same titles, same reporting lines, same audit areas) to banks elsewhere, even if their actual effectiveness differs (Ezeani, 2019). Institutional Theory helps explain why banks adopt certain internal audit practices (legitimacy seeking) and why those practices may become decoupled from actual operations (the gap between formal structure and day-to-day reality) (Meyer and Rowan, 1977).

A limitation of Institutional Theory is its tendency to underemphasize agency and strategic choice; organizations are not passive recipients of institutional pressures but can resist, manipulate, or selectively adopt practices (Scott, 2014). Moreover, Institutional Theory says less about which practices are actually effective; legitimacy and efficiency do not always align (DiMaggio and Powell, 1983). This study therefore combines Institutional Theory with Agency Theory (which emphasizes effectiveness and efficiency) and Contingency Theory (which emphasizes adaptation to context).

2.1.3 Contingency Theory

Contingency Theory, developed by organizational theorists such as Lawrence and Lorsch (1967) and later applied to management control systems by Otley (2016) and Donaldson (2019), posits that there is no single “best way” to design organizations, structures, or control systems. Instead, the optimal design depends on contingent factors specific to each organization and its environment, including organizational size, technology, strategy, culture, and environmental uncertainty (Donaldson, 2019). Effective organizations achieve “fit” between their structures (including internal audit) and the contingent factors they face.

In the context of internal auditing, Contingency Theory suggests that the role, scope, methodology, and resource allocation of the internal audit department should vary depending on several contingent factors (Christopher, Sarens, and Leung, 2017). Bank size is a critical contingency: a large tier-1 bank with hundreds of branches, thousands of employees, and complex operations requires a larger internal audit department with specialized teams (e.g., credit audit, IT audit, fraud audit, treasury audit) and sophisticated audit technologies (Ernst and Young, 2021). A small microfinance bank with a single branch, a few employees, and simple operations may have one internal auditor (or outsource the function) using basic audit procedures (Nwankwo, 2020). A one-size-fits-all internal audit model would be inappropriate; Contingency Theory explains why different banks should have different internal audit structures (Deloitte, 2021).

Organizational complexity is another contingency: banks with multiple subsidiaries (e.g., a bank with a mortgage subsidiary, a stockbroking subsidiary, and a microfinance subsidiary) need internal audit coverage of each entity and coordination across the group (PwC, 2022). Risk profile matters: a bank with a large corporate loan portfolio faces different credit risks than a bank focused on retail or microfinance lending; internal audit must allocate coverage accordingly (KPMG, 2020). Technology adoption is a contingency: banks with advanced core banking systems, online banking, mobile apps, and extensive automation need IT audit skills that a less technologically sophisticated bank does not (IIA, 2020). Environmental uncertainty (e.g., economic depression, regulatory changes, competitive intensity) affects internal audit priorities and frequency (Ogunleye and Adebayo, 2021).

Contingency Theory also explains variation in internal audit effectiveness across banks (Christopher et al., 2017). A bank may have a well-staffed, well-resourced internal audit department that would be effective for a large complex bank, but if that department exists in a small, simple bank, it may be overkill (wasteful and bureaucratic). Conversely, a small audit department that works well for a microfinance bank would be completely inadequate for a tier-1 bank (Pickett, 2018). Contingency Theory predicts that banks that achieve “fit” between their internal audit design and their contingent factors will outperform (on risk management, compliance, fraud prevention) those that do not (Otley, 2016).

For this study, Contingency Theory supports the inclusion of multiple bank types (tier-1, tier-2, microfinance) to capture variation in contingent factors (size, complexity, risk profile, technology). The theory also suggests that the same internal audit practice (e.g., annual audit plan, audit committee reporting frequency, use of data analytics) may be appropriate for one bank but not for another, and that researchers should not expect uniform findings across all banks (Donaldson, 2019). Contingency Theory thus complements Agency Theory (which focuses on universal monitoring needs) and Institutional Theory (which focuses on isomorphic pressures) by emphasizing the need for context-sensitive adaptation.

Integration of the Three Theories

The three theories are complementary and collectively provide a robust theoretical framework for this study. Agency Theory explains the fundamental rationale for internal auditing (monitoring to reduce agency costs) and the importance of independence and reporting lines. Institutional Theory explains why banks adopt certain internal audit structures and practices (coercive, mimetic, and normative pressures for legitimacy) and why formal structures may decouple from actual operations. Contingency Theory explains why the optimal internal audit design varies across banks (depending on size, complexity, risk profile, technology) and why a practice effective in one bank may be ineffective in another. Together, these theories support the study’s examination of the role of internal auditing departments in selected banks in Enugu State, recognizing that internal audit serves a monitoring function (Agency), is shaped by external pressures (Institutional), and must be adapted to bank-specific contingencies (Contingency).

2.2 Conceptual Framework

The conceptual framework for this study is a schematic representation of the relationship between the independent variables (characteristics and practices of the internal auditing department) and the dependent variables (outcomes of internal audit effectiveness), with moderating variables (bank-specific contingencies) influencing these relationships. The framework, grounded in the three supporting theories (Agency, Institutional, Contingency), posits that internal audit characteristics influence internal audit outcomes, but the strength and nature of these relationships depend on bank context. Below is a detailed discussion of the independent, dependent, and moderating variables.

Independent Variables (Internal Audit Department Characteristics and Practices)

The independent variables in this study are the features of the internal auditing department that are theorized to influence its effectiveness. These are derived from the IIA standards (IIA, 2017) and the auditing literature.

1. Internal Audit Independence: This refers to the organizational freedom of the internal audit department from conditions that threaten objectivity. Key indicators include: whether the chief audit executive (CAE) reports functionally to the audit committee (not just administratively to management), whether the CAE has direct access to the audit committee chair, whether internal auditors are prohibited from auditing areas where they previously worked (cooling-off period), whether audit resources are controlled by the audit committee rather than management, and whether internal auditors are permitted to raise issues without fear of retaliation (IIA, 2020). This variable is measured by responses to questions about reporting lines, access to the audit committee, protection from management interference, and existence of whistle-blower protections.
2. Audit Coverage of Key Risk Areas: This refers to the extent and depth to which the internal audit department audits the bank’s highest-risk processes and functions. In banking, key risk areas include: loan portfolio (credit risk), treasury operations (market and liquidity risk), fraud prevention and detection, compliance with CBN regulations, information technology and cybersecurity, and cash management (operational risk) (Basel Committee, 2019). This variable is measured by the percentage of audit hours allocated to each risk area, the frequency of audits (continuous, quarterly, annually, biennially), and the depth of testing (e.g., sample sizes, use of data analytics).
3. Compliance Testing Rigour: This refers to the thoroughness and frequency with which internal audit tests the bank’s adherence to applicable laws, regulations, and internal policies. Key compliance areas include: anti-money laundering (AML) and combating the financing of terrorism (CFT) requirements, know-your-customer (KYC) rules, CBN prudential guidelines (e.g., capital adequacy, liquidity, loan classification and provisioning), consumer protection regulations, and internal bank policies (CBN, 2020). This variable is measured by the number of compliance tests performed, the scope of each test (e.g., percentage of transactions tested), the frequency of testing (continuous, periodic), and the number and severity of compliance exceptions identified.
4. Influence of Audit Recommendations: This refers to the degree to which management accepts and implements internal audit recommendations. Even the best internal audit work has no value if management ignores the findings (Chambers, 2019). Key indicators include: recommendation acceptance rate (percentage of recommendations that management agrees to implement), implementation rate (percentage of agreed recommendations actually implemented within agreed timeframes), time lag between audit report and implementation, and management’s attitude toward internal audit (resistant, cooperative, or proactive) (Pickett, 2018). This variable is measured by survey responses from auditors about management responsiveness, review of audit tracking data (where accessible), and audit committee minutes.
5. Internal Audit Department Resources: This refers to the budget, staffing, technology, and training available to the internal audit department. Adequate resources are necessary for internal audit to perform its mandate effectively (IIA, 2017). Key indicators include: audit budget as a percentage of bank operating expenses, number of internal audit staff relative to bank size (e.g., staff per branch or per employee), staff qualifications (e.g., percentage with CIA, CPA, CFE certifications), investment in audit technology (e.g., data analytics software, continuous auditing tools, audit management systems), and training hours per auditor per year (Ernst and Young, 2021). This variable is measured by responses to questions about budget adequacy, staffing levels, technology access, and training frequency.

Dependent Variables (Internal Audit Effectiveness Outcomes)

The dependent variables in this study are the outcomes that indicate how well the internal audit department is fulfilling its role. These are the benefits that banks derive from having an internal audit function.

1. Fraud Detection and Prevention Effectiveness: This refers to the success of internal audit in identifying fraud (detection) and reducing the incidence of fraud (prevention). Indicators include: number of fraud incidents detected by internal audit (as opposed to by management, customers, or regulators), value of fraud losses prevented or recovered, percentage of fraud incidents that were first identified by internal audit, time lag between fraud occurrence and detection, and results of fraud risk assessments (ACFE, 2022). This variable is measured by reported fraud statistics (where available) and auditor/management perceptions of fraud risk reduction.
2. Loan Portfolio Quality (Non-Performing Loans): This refers to the health of the bank’s loan portfolio, with lower non-performing loans (NPLs) indicating better credit risk management. Internal audit contributes to loan quality by auditing loan origination, underwriting, approval, documentation, collateral valuation, classification, and provisioning (PwC, 2022). Indicators include: NPL ratio (non-performing loans as a percentage of total loans), loan loss provision adequacy, frequency of loan classification errors identified by audit, and number of audit findings related to credit processes (KPMG, 2020). This variable is measured by bank financial reports (NPL ratios) and audit findings.
3. Regulatory Compliance Level: This refers to the degree to which the bank adheres to CBN and NDIC regulations, as evidenced by regulatory examination ratings, fines or sanctions, and internal audit findings. Banks with strong internal audit compliance testing typically have fewer regulatory violations (CBN, 2020). Indicators include: regulatory examination rating (satisfactory, needs improvement, unsatisfactory), number and value of regulatory fines or sanctions, number of compliance audit findings with high severity, and timeliness of remediation of compliance issues (Deloitte, 2021). This variable is measured by regulatory reports (where accessible) and internal audit compliance testing results.
4. Implementation of Corrective Actions: This refers to management’s track record of acting on internal audit recommendations. High implementation rates indicate that internal audit is influencing bank operations and risk management (Chambers, 2019). Indicators include: recommendation acceptance rate, implementation rate within agreed timeframes, number of repeat findings (audit issues that were previously identified but not corrected, or that recur after correction), and audit committee satisfaction with management’s responsiveness (IIA, 2020). This variable is measured by audit tracking data and survey responses from auditors and audit committee members.
5. Overall Audit Effectiveness (Composite): This is a composite measure combining the above dimensions, reflecting the internal audit department’s overall contribution to the bank’s risk management, control, and governance. This variable is measured by stakeholder perceptions (audit committee satisfaction ratings, management satisfaction ratings), external validation (regulatory exam ratings of internal audit), and professional assessments (e.g., quality assurance review results) (Pickett, 2018).

Moderating Variables (Bank-Specific Contingencies)

Consistent with Contingency Theory (Donaldson, 2019), the relationship between internal audit characteristics and effectiveness is moderated by bank-specific factors:

• Bank size (total assets, number of branches, number of employees): Larger banks require more extensive audit coverage and may face more complex risks.
• Bank type (tier-1 commercial, tier-2 commercial, microfinance): Different bank types have different risk profiles, regulatory requirements, and resources.
• Audit committee quality (independence, financial expertise, meeting frequency, engagement): A strong audit committee amplifies the effectiveness of internal audit.
• Regulatory intensity (frequency of CBN/NDIC examinations, enforcement actions): High regulatory pressure may increase management’s responsiveness to audit recommendations.
• Technology maturity (core banking system sophistication, data analytics capabilities): Enables more efficient and effective auditing.

Diagrammatic Representation (Described in Text):

The conceptual framework can be visualized as follows:

Independent Variables (Internal Audit Characteristics) → Dependent Variables (Effectiveness Outcomes) → Ultimate Impact

Independent Variables:

• Internal Audit Independence
• Audit Coverage of Key Risk Areas (loan portfolio, fraud, compliance, IT, cash)
• Compliance Testing Rigour
• Influence of Audit Recommendations
• Internal Audit Department Resources (budget, staff, technology, training)

Dependent Variables:

• Fraud Detection and Prevention Effectiveness
• Loan Portfolio Quality (lower NPLs)
• Regulatory Compliance Level
• Implementation of Corrective Actions
• Overall Audit Effectiveness

Moderating Variables (Contingencies):

• Bank size (tier-1, tier-2, microfinance)
• Bank type (commercial vs. microfinance)
• Audit committee quality
• Regulatory intensity
• Technology maturity

Ultimate Impact (implied but not directly measured):

• Reduced bank losses (fraud, loan defaults, fines)
• Improved bank reputation and stakeholder confidence
• Lower bank failure risk

The moderating variables are shown as intersecting the pathways between each independent variable and the dependent variables, indicating that the strength and direction of relationships depend on bank context.

2.3 Summary of Literature Review in a Tabular Format

The table below summarizes key empirical and theoretical literature relevant to the role of internal auditing departments in organizations, with specific attention to banking and the Nigerian context. The table highlights strengths, weaknesses, limitations, and gaps of each study.

Author(s) and Year	Focus of Study	Strength	Weakness	Limitation	Gap Identified
Jensen and Meckling (1976, 2019)	Agency Theory (foundational)	Seminal theoretical framework	Assumes self-interested agents; pessimistic	Original context: corporate finance	Application to internal auditing not fully specified
DiMaggio and Powell (1983)	Institutional isomorphism	Powerful explanation of organizational similarity	Underemphasizes agency and resistance	Focus on adoption, not effectiveness	Link to internal audit outcomes unclear
Lawrence and Lorsch (1967); Donaldson (2019)	Contingency Theory	Recognizes contextual variation	Can lead to excessive relativism	General organizational theory	Banking-specific contingency factors not identified
IIA (2017, 2020)	International Standards for Internal Auditing	Authoritative professional standards	Not specific to banking	Generic across industries	Banking-specific implementation guidance lacking
Chambers (2019)	Lessons learned on the audit trail	Practical insights from experienced CAE	Anecdotal; limited empirical basis	Not Nigeria-specific	Enugu State context not addressed
Pickett (2018)	Internal Auditing Handbook	Comprehensive textbook coverage	Generic; not Nigeria-specific	Limited banking focus	No Enugu State application
Rittenberg, Johnstone, and Gramling (2019)	Auditing textbook (general)	Comprehensive US-focused	Not Nigeria or banking specific	Developed country context	Nigerian banking internal audit not covered
Sawyer (2018)	Sawyer’s internal auditing (classic)	Historical and practical coverage	Dated in parts; pre-digital	Not updated for modern banking	Contemporary issues (cyber, data analytics) missing
ACFE (2022)	Report to the Nations (fraud survey)	Large-scale global fraud data	Banking is one sector among many	Limited Nigeria data	Nigeria banking fraud patterns unknown
KPMG (2020)	Banking industry audit committee report	Practitioner; timely	Not peer-reviewed	Limited methodological detail	Academic validation needed
PwC (2022)	Banking in volatile economy: internal audit	Practitioner guidance; recent	Not peer-reviewed; consultancy perspective	Limited to PwC client experience	Independent empirical research needed
Deloitte (2021)	Banking and capital markets outlook	Industry outlook; practitioner	Broad trends; not deep audit focus	No primary data	Internal audit specifics missing
Ernst and Young (2021)	Global internal audit survey	Large-scale survey (global)	Banking is one sector; limited Nigeria representation	Aggregated across industries	Nigeria-specific banking audit data needed
Sanusi (2019)	Banking reform and Nigerian economy	Insider perspective on 2009 crisis	Authoritative (ex-CBN Governor)	Focus on policy, not internal audit	Role of internal audit in crisis not examined
Soludo (2019)	Consolidating Nigerian banking industry	Insider perspective (ex-CBN Governor)	Historical; policy focus	No internal audit content	Gap on internal audit during consolidation
Nwankwo (2020)	Bank management in Nigeria (textbook)	Comprehensive Nigerian banking coverage	Generic management; limited audit focus	One chapter on controls, not internal audit specifically	Enugu State banks not studied
Ogbechie and Adekunle (2019)	Internal audit effectiveness in Nigerian banks	Directly relevant; Nigerian banks	Limited sample; pre-2016 data	Cross-sectional; single time period	Post-2016 data (including current practices) needed
Uche and Ehikioya (2020)	Banking stability in Nigeria	Nigerian banking stability focus	Macro perspective; not organizational	Limited micro (bank-level) data	Internal audit as stability factor not examined
CBN (2020, 2023)	Prudential guidelines; Code of CG	Official regulatory standards	Regulatory compliance focus	Not research; descriptive	No analysis of internal audit compliance in Enugu
Basel Committee (2019)	Principles for risk data aggregation	International banking standards	Not Nigeria-specific; not audit-specific	Generic principles	Implementation in Nigerian banks unknown
Macey and O’Hara (2019)	Corporate governance of banks	Banking governance theory	Limited internal audit discussion	Focus on boards, not audit function	Internal audit governance role underexplored
Boot and Thakor (2020)	Banking and financial stability	Theoretical; reputation focus	No internal audit variable	Purely theoretical	Empirical testing needed
Christopher, Sarens, and Leung (2017)	Contingency theory in internal audit	Academic; theory application	Small sample; not banking-specific	Limited generalizability	Banking sector application needed
Otley (2016)	Contingency theory and management control	Theoretical review	Conceptual; no primary data	Not audit-specific	Application to internal audit needed
Scott (2014)	Institutional theory (text)	Comprehensive theoretical treatment	Broad; not banking-specific	No empirical data	Application to Nigerian banking internal audit needed
Meyer and Rowan (1977)	Institutionalized organizations	Seminal theoretical article	Conceptual only	No empirical testing	Decoupling in Nigerian banks unexplored
Eisenhardt (1989, 2019)	Agency theory assessment and review	Methodologically rigorous	Limited to principal-agent framing	Underplays other organizational factors	Integration with institutional/contingency needed
Chukwu (2020)	Banking sector development in Enugu	Geographic relevance; Enugu focus	Descriptive; no internal audit content	No audit variables	Gap on internal audit in Enugu banks
Ezeani (2019)	Business environment and banking in Enugu	Enugu-specific context	No internal audit focus	Environmental, not organizational	Internal audit practices not examined
Wolfe and Hermanson (2018)	Fraud diamond	Extension of fraud triangle	Widely cited; conceptual	Limited empirical validation in banking	Banking sector validation needed