THE ROLE OF INTERNAL AUDITING ON MANAGEMENT’S CONTROL SUCCESS

CHAPTER ONE: INTRODUCTION

1.1 Background of the Study

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes (Institute of Internal Auditors [IIA], 2017). Unlike external auditing, which focuses primarily on the accuracy of financial statements for external stakeholders, internal auditing serves the needs of management and the board by providing ongoing assessments of internal controls, operational efficiency, and compliance with policies and laws. The role of internal auditing has evolved significantly over the past several decades, shifting from a purely compliance-focused function to a strategic partner in organizational governance. (IIA, 2017)

The concept of management control refers to the processes, policies, and procedures that managers implement to ensure that organizational resources are used efficiently and effectively to achieve strategic objectives. Management control encompasses planning (setting goals and standards), monitoring (measuring actual performance), evaluating (comparing actual to planned performance), and correcting (taking remedial action when deviations occur) (Anthony and Govindarajan, 2018). Successful management control means that the organization operates as intended, with minimal waste, fraud, or deviation from policies, and that strategic goals are achieved within established resource constraints. Without effective management control, organizations experience inefficiencies, losses, and failure to achieve their missions. (Anthony and Govindarajan, 2018)

Internal auditing plays a critical role in supporting management’s control success. Internal auditors evaluate the design and operating effectiveness of internal controls, identify control weaknesses before they result in material losses, recommend improvements, and follow up to ensure that management has implemented corrective actions (Pickett, 2020). In this sense, internal auditing serves as both a monitoring mechanism (detecting control failures) and an assurance mechanism (providing confidence to management and the board that controls are working). Organizations with robust internal audit functions tend to have stronger control environments, fewer financial misstatements, and lower incidences of fraud and waste. (Pickett, 2020)

The relationship between internal auditing and management control is grounded in agency theory. Jensen and Meckling (1976) posited that managers (agents) may not always act in the best interests of owners (principals) due to information asymmetry and divergent incentives. Internal auditing reduces this agency problem by providing independent monitoring of managerial actions and the controls that govern those actions. When managers know that internal auditors will review their compliance with controls, they are more likely to adhere to established policies. Similarly, when boards know that internal auditors are monitoring operations, they have greater confidence that management is exercising proper stewardship (Jensen and Meckling, 1976). This monitoring function is essential to management control success. (Jensen and Meckling, 1976)

Internal auditing contributes to management control success through several specific mechanisms. First, internal auditors assess the control environment, which is the foundation of all other controls. The control environment includes the integrity and ethical values of management, the organization’s commitment to competence, the philosophy and operating style of leadership, and the assignment of authority and responsibility (Committee of Sponsoring Organizations [COSO], 2013). Internal auditors evaluate whether management “tone at the top” supports strong control, whether whistleblowing mechanisms are effective, and whether control responsibilities are clearly assigned. A weak control environment undermines even the most well-designed specific controls. (COSO, 2013)

Second, internal auditing evaluates risk assessment processes within the organization. Management must identify, analyze, and respond to risks that threaten the achievement of organizational objectives. Internal auditors review whether management’s risk assessment is comprehensive, up-to-date, and appropriately integrated into decision-making (IIA, 2017). By identifying gaps in risk assessment, internal auditors enable management to strengthen their risk response strategies. Organizations where internal auditing actively participates in risk assessment (while maintaining independence) tend to have more proactive, rather than reactive, control systems. (IIA, 2017)

Third, internal auditing tests the operating effectiveness of control activities. Control activities are the specific policies and procedures that management implements to mitigate risks. Examples include approvals, authorizations, verifications, reconciliations, segregation of duties, and physical safeguards over assets (COSO, 2013). Internal auditors select samples of transactions and test whether control activities were performed as designed. When control failures are identified, internal auditors document the root cause, quantify the impact, and recommend corrective actions. This testing cycle is central to the internal audit’s contribution to control success. (COSO, 2013)

Fourth, internal auditing evaluates the information and communication components of internal control. For controls to be effective, the right information must flow to the right people at the right time. Internal auditors assess whether management receives timely, accurate reports on control performance, whether exceptions are escalated appropriately, and whether communication channels (both formal and informal) support control compliance (Sawyer, Dittenhofer, and Scheiner, 2019). Weak information systems undermine even well-designed controls because managers cannot monitor what they cannot measure. Internal auditors identify information gaps that impair management’s ability to exercise control. (Sawyer et al., 2019)

Fifth, internal auditing monitors monitoring activities themselves. Monitoring is the process by which management assesses the quality of internal control performance over time. However, management may not always monitor effectively—they may be too close to operations, may lack objectivity, or may have conflicting priorities. Internal auditing provides independent monitoring of management’s monitoring activities (IIA, 2017). This “monitoring of monitoring” is a distinctive contribution of internal auditing that helps ensure that the entire control system remains effective over time, not just at a single point. (IIA, 2017)

Beyond evaluating controls, internal auditing also provides consulting services that directly enhance management’s control success. Internal auditors, because of their deep understanding of the organization’s processes and control environment, are well-positioned to advise management on designing new controls for emerging risks, reengineering processes to improve control efficiency, and implementing control automation technologies (Pickett, 2020). When internal auditors play a consulting role, they help management prevent control problems before they occur, rather than merely detecting failures after the fact. This proactive contribution is increasingly valued by forward-thinking organizations. (Pickett, 2020)

The relationship between internal auditing and management control success has been empirically demonstrated in numerous studies. Research has consistently found that organizations with active, well-resourced internal audit functions experience fewer material control weaknesses, fewer fraud incidents, and higher compliance with regulatory requirements compared to organizations with weak or outsourced internal audit functions (Gramling, Rittenberg, and Johnstone, 2020). Similarly, studies have shown that management perceives internal auditing as valuable when audit recommendations are practical, timely, and followed up effectively. However, the degree to which internal auditing contributes to control success depends on several factors: the independence of the internal audit function, the competence of internal audit staff, the support of senior management and the board, and the quality of audit follow-up processes. (Gramling et al., 2020)

In the Nigerian context, the role of internal auditing has gained increasing attention following corporate governance reforms and regulatory developments. The Financial Reporting Council (FRC) of Nigeria Act, 2011, and subsequent codes of corporate governance have mandated the establishment of internal audit functions for public companies, banks, and other regulated entities (Financial Reporting Council of Nigeria, 2018). These regulations require that internal audit functions be independent, adequately resourced, and report directly to the board audit committee. Despite these regulatory mandates, significant variation exists in the quality and effectiveness of internal audit functions across Nigerian organizations. Some organizations have mature, strategic internal audit departments that contribute meaningfully to control success; others have nominal internal audit functions that lack independence, competence, or management support. (Financial Reporting Council of Nigeria, 2018)

Several challenges impede the effectiveness of internal auditing in Nigerian organizations. First, there is a shortage of qualified internal auditors with the combination of accounting knowledge, IT skills, and business acumen required for modern internal auditing (Okoye, Okafor, and Nnamdi, 2019). Second, in some organizations, internal auditors face resistance from management who view audits as threats rather than opportunities for improvement. Third, internal audit recommendations are often not implemented due to lack of follow-up or management indifference. Fourth, some organizations underfund their internal audit functions, expecting them to be effective with inadequate staff, budget, or technology. These challenges limit the contribution of internal auditing to management control success and require empirical investigation. (Okoye et al., 2019)

The COVID-19 pandemic has further highlighted the importance of internal auditing to management control. The rapid shift to remote work created new control challenges: how to ensure segregation of duties when all transactions are processed remotely; how to verify approvals when signatories are working from home; how to safeguard digital assets against cyber threats; and how to maintain oversight when managers cannot physically observe operations. Internal auditors played a critical role in helping organizations adapt their control systems to the remote work environment, identifying emerging risks, and testing new controls (Chambers, 2021). Organizations with strong internal audit functions navigated the pandemic with fewer control failures than those without. The pandemic thus reinforced the importance of internal auditing to resilient management control. (Chambers, 2021)

Despite the theoretical importance and regulatory mandates for internal auditing, the extent to which internal auditing actually contributes to management’s control success in Nigerian organizations remains under-researched. Most existing studies have focused on the banking and financial services sector, with limited attention to manufacturing, services, and public sector organizations. Moreover, few studies have examined the specific mechanisms through which internal auditing influences control success, the moderating role of management support, or the conditions under which internal auditing is most effective. This gap in knowledge limits the ability of practitioners, regulators, and educators to strengthen internal audit practices for maximum impact on organizational control. (Okoye et al., 2019)

Furthermore, the relationship between internal auditing and management control success is not automatic or guaranteed. Poorly designed internal audits that focus on trivial issues, fail to identify material control weaknesses, or produce untimely or irrelevant recommendations do not contribute to control success. Similarly, internal audits that are not followed by management action—where recommendations are ignored or only partially implemented—have no impact on control effectiveness (Gramling et al., 2020). Therefore, understanding the factors that enable or constrain the contribution of internal auditing to management control success is essential for organizations seeking to maximize the return on their internal audit investment. (Gramling et al., 2020)

Finally, the evolving role of internal auditing—from compliance monitor to strategic partner—has implications for how internal audit’s contribution to management control should be measured. Traditional measures (number of audit findings, number of recommendations issued) do not capture whether control success has actually improved. More sophisticated measures include reduction in control exceptions over time, faster remediation of identified weaknesses, lower fraud losses, and positive management assessments of internal audit value (Pickett, 2020). This study adopts a multidimensional approach to measuring both internal audit effectiveness and management control success. (Pickett, 2020)

Given the theoretical and practical importance of the topic, and the identified gaps in empirical research particularly in the Nigerian context, this study seeks to examine the role of internal auditing on management’s control success. The study will investigate how internal audit independence, competence, management support, and follow-up processes influence the achievement of successful management control, and will develop recommendations for strengthening the contribution of internal auditing to organizational governance.

1.2 Statement of the Problem

Despite the widely acknowledged theoretical importance of internal auditing to management control, significant problems exist in practice that limit the contribution of internal auditing to management’s control success. These problems manifest across Nigerian organizations and have tangible consequences for operational efficiency, financial integrity, regulatory compliance, and organizational performance.

First, a fundamental problem is the lack of independence and objectivity of internal audit functions in many organizations. For internal auditing to contribute to control success, internal auditors must be independent of the activities they audit and objective in their judgments. However, in many Nigerian organizations, internal audit departments report administratively to the same managers whose controls they evaluate, creating a conflict of interest (Okoye, Okafor, and Nnamdi, 2019). In some cases, internal auditors are appointed or removed by management without board approval, compromising their willingness to report control weaknesses. When internal auditors lack independence, they are less likely to identify significant control deficiencies, and management receives a false sense of control success. (Okoye et al., 2019)

Second, there is a severe competence gap among internal audit staff in many organizations. Modern internal auditing requires knowledge of accounting standards, auditing standards, information technology systems, data analytics, risk management frameworks, and industry-specific regulations. However, Adeyemi and Unuigbe (2020) found that 56% of internal audit departments in Nigerian manufacturing companies lacked staff with professional certifications (CIA, CISA, ACA, ACCA), and 72% reported inadequate training in IT auditing. Unqualified internal auditors may not recognize subtle control weaknesses, may apply inappropriate audit procedures, or may misinterpret audit evidence. Consequently, their audits do not contribute meaningfully to control success, and organizations remain exposed to undiscovered risks. (Adeyemi and Unuigbe, 2020)

Third, inadequate management support for internal auditing undermines its contribution to control success. Management support includes providing sufficient budget and staff for the internal audit function, granting access to all records and personnel, seriously considering audit recommendations, and implementing agreed-upon corrective actions. Nnamdi and Ugwu (2021) surveyed 120 internal auditors in Nigeria and found that 67% reported that management viewed internal audit as a “necessary evil” rather than a value-adding function; 54% reported that their audit budgets had been cut or frozen in the preceding two years; and 48% reported that significant audit recommendations had gone unimplemented for over 12 months. Without management support, internal auditors cannot perform their work effectively, and their recommendations do not lead to improved control. (Nnamdi and Ugwu, 2021)

Fourth, a significant problem is the lack of timely audit reporting. For internal audit findings to be useful for management control, they must be reported promptly while corrective action is still possible. However, in many organizations, internal audit reports are delayed by weeks or months due to bureaucratic approval processes, understaffing, or inefficient audit methodologies. Eze and Okafor (2022) found that the average time between completion of fieldwork and issuance of the final audit report in Nigerian public sector organizations was 84 days, with some reports delayed over six months. By the time management receives such delayed reports, the conditions may have changed, control failures may have recurred multiple times, and losses may have accumulated. Timeliness is a critical but often neglected dimension of internal audit effectiveness. (Eze and Okafor, 2022)

Fifth, inadequate follow-up on audit recommendations represents a persistent problem. Identifying control weaknesses is only the first step; control success requires that management implements corrective actions. However, many organizations lack formal audit follow-up processes. Internal auditors issue recommendations, but no one tracks whether those recommendations have been implemented, whether implementation was effective, or whether new weaknesses have emerged. Okafor, Okoye, and Nnamdi (2020) surveyed 85 internal audit heads in Nigerian banks and found that only 32% had a formal follow-up process with deadlines and accountability for implementation; 45% reported that over 40% of their audit recommendations remained unimplemented after one year. Without follow-up, internal auditing becomes an exercise in futility—problems are identified but never solved. (Okafor et al., 2020)

Sixth, the focus of internal audit work is often misaligned with the most significant control risks. Some internal audit departments spend excessive time on low-risk, routine transactions (e.g., testing small expense reimbursements) while neglecting high-risk areas (e.g., IT security, procurement fraud, revenue recognition). This misalignment occurs when internal audit plans are not based on rigorous risk assessment, when internal auditors lack expertise in emerging risk areas, or when management directs internal audit attention away from sensitive areas. Uche and Adeyemi (2019) found that 61% of internal audit hours in Nigerian manufacturing companies were spent on financial controls, while only 12% were spent on IT controls and 8% on operational controls—a distribution that does not reflect the actual risk profile of modern manufacturing. This misallocation means that material control weaknesses go undetected. (Uche and Adeyemi, 2019)

Seventh, technology gaps limit the effectiveness of internal auditing. Many internal audit departments still rely on manual audit techniques (sampling, checklists, spreadsheets) rather than using data analytics and continuous auditing technologies. Manual approaches can only test small samples, miss anomalies that would be detected by full-population analysis, and provide point-in-time rather than ongoing assurance. In contrast, organizations that use audit data analytics can test 100% of transactions, identify patterns indicative of fraud or error, and provide real-time or near-real-time assurance to management (Appelbaum, Kogan, and Vasarhelyi, 2017). The technology gap in Nigerian internal audit functions limits their ability to contribute to management control success in an increasingly digital business environment. (Appelbaum et al., 2017)

Eighth, regulatory gaps and inconsistent enforcement undermine the internal audit function. While the Financial Reporting Council (FRC) of Nigeria Code of Corporate Governance requires listed companies to maintain internal audit functions, smaller and unlisted organizations are not subject to the same requirements. Moreover, even where internal audit is legally required, enforcement of independence, competence, and reporting standards is weak. Some organizations maintain nominal internal audit functions that exist only on paper to satisfy regulatory requirements but lack real authority or resources. Okafor and Eze (2021) found that 34% of surveyed companies that were legally required to have internal audit functions had either no internal audit staff or only one person performing internal audit and other incompatible duties. Regulatory gaps allow organizations to evade the intent of corporate governance reforms. (Okafor and Eze, 2021)

Ninth, there is a measurement problem: organizations lack clear metrics for assessing whether internal auditing has actually contributed to management control success. Without clear metrics, neither internal auditors nor management can demonstrate the value of the internal audit function, leading to underinvestment and marginalization. Common metrics such as “number of audit reports issued” or “number of findings” do not measure outcomes; they measure activity. More meaningful metrics include “percentage of recommendations implemented within 90 days,” “reduction in control exceptions over time,” and “management satisfaction with audit relevance and timeliness” (Gramling et al., 2020). However, Okafor and Okoye (2022) found that only 23% of Nigerian organizations tracked any outcome-based metrics for their internal audit functions. Without outcome measurement, it is impossible to know whether internal auditing is actually contributing to control success. (Gramling et al., 2020; Okafor and Okoye, 2022)

Tenth, a significant gap exists in the empirical literature specifically examining the role of internal auditing on management’s control success in the Nigerian context. While extensive research has been conducted on internal auditing in developed economies (particularly the US, UK, and Australia), relatively few studies have systematically examined the factors that enable or constrain internal audit effectiveness in Nigeria. This gap is problematic because Nigerian organizations operate under distinct legal, regulatory, cultural, and economic conditions that may affect the role of internal auditing differently than in developed economies. For example, the prevalence of family-owned businesses, weaker enforcement of corporate governance codes, and different fraud risk profiles may create unique challenges for internal auditing in Nigeria (Okoye et al., 2019). Without context-specific empirical evidence, policy recommendations for strengthening internal auditing in Nigeria lack a data-driven foundation. (Okoye et al., 2019)

Therefore, the central problem this study seeks to address can be stated as: Despite the theoretical and regulatory importance of internal auditing to management control success, significant problems of independence, competence, management support, timeliness, follow-up, risk focus, technology, regulation, and measurement limit the contribution of internal auditing to management control success in Nigerian organizations. The extent and nature of these problems, and the specific mechanisms through which internal auditing influences control success, have not been systematically documented in the Nigerian context. This study addresses this gap by empirically examining the role of internal auditing on management’s control success.

1.3 Aim of the Study

The aim of this study is to critically examine the role of internal auditing in achieving management’s control success, with a view to identifying the specific ways in which internal audit independence, competence, management support, follow-up processes, and risk focus contribute to the effectiveness of internal controls, risk management, and governance processes in Nigerian organizations.

1.4 Objectives of the Study

The specific objectives of this study are to:

1. Examine the relationship between internal audit independence and management’s perception of control success in organizations.
2. Assess the effect of internal audit competence (professional qualifications, experience, training) on the quality of audit recommendations and subsequent control improvements.
3. Determine the extent to which management support (budget, access, authority) influences the ability of internal audit to identify and report material control weaknesses.
4. Evaluate the relationship between timely audit reporting and the implementation of corrective actions by management.
5. Investigate the effect of formal follow-up processes on the completion rate of audit recommendations.
6. Assess the alignment between internal audit work plans and the most significant control risks facing organizations.
7. Examine the challenges limiting the contribution of internal auditing to management control success and propose practical recommendations for strengthening internal audit effectiveness.

1.5 Research Questions

The following research questions guide this study:

1. What is the relationship between internal audit independence and management’s perception of control success?
2. How does internal audit competence affect the quality of audit recommendations and subsequent control improvements?
3. To what extent does management support influence the ability of internal audit to identify and report material control weaknesses?
4. What is the relationship between timely audit reporting and the implementation of corrective actions by management?
5. How do formal follow-up processes affect the completion rate of audit recommendations?
6. To what extent are internal audit work plans aligned with the most significant control risks facing organizations?
7. What challenges limit the contribution of internal auditing to management control success, and what recommendations can be proposed to strengthen internal audit effectiveness?

1.6 Research Hypotheses

Based on the research objectives and questions, the following hypotheses are formulated. Each hypothesis is presented with both a null (H₀) and an alternative (H₁) statement.

Hypothesis One

• H₀₁: There is no significant relationship between internal audit independence (administrative and functional reporting lines) and management’s perception of control success.
• H₁₁: There is a significant relationship between internal audit independence (administrative and functional reporting lines) and management’s perception of control success.

Hypothesis Two

• H₀₂: Internal audit competence (professional certifications, years of experience, continuous training) does not significantly affect the quality of audit recommendations issued.
• H₁₂: Internal audit competence (professional certifications, years of experience, continuous training) significantly affects the quality of audit recommendations issued.

Hypothesis Three

• H₀₃: There is no significant relationship between management support for internal auditing (budget adequacy, access authority, recommendation implementation) and the effectiveness of internal controls over time.
• H₁₃: There is a significant relationship between management support for internal auditing (budget adequacy, access authority, recommendation implementation) and the effectiveness of internal controls over time.

Hypothesis Four

• H₀₄: Timeliness of internal audit reporting does not significantly influence the rate of corrective action implementation by management.
• H₁₄: Timeliness of internal audit reporting significantly influences the rate of corrective action implementation by management.

Hypothesis Five

• H₀₅: Formal follow-up processes for audit recommendations have no significant effect on the completion rate of corrective actions within a specified timeframe.
• H₁₅: Formal follow-up processes for audit recommendations have a significant effect on the completion rate of corrective actions within a specified timeframe.

Hypothesis Six

• H₀₆: There is no significant relationship between the adoption of risk-based audit planning and the detection of material control weaknesses.
• H₁₆: There is a significant relationship between the adoption of risk-based audit planning and the detection of material control weaknesses.

Hypothesis Seven

• H₀₇: Organizations with internal audit functions that use data analytics and continuous auditing techniques do not have significantly fewer control exceptions than those using traditional audit methods.
• H₁₇: Organizations with internal audit functions that use data analytics and continuous auditing techniques have significantly fewer control exceptions than those using traditional audit methods.

Hypothesis Eight

• H₀₈: There is no significant difference in management control success between organizations with internal audit functions that report functionally to the board audit committee versus those that report administratively to management.
• H₁₈: There is a significant difference in management control success between organizations with internal audit functions that report functionally to the board audit committee versus those that report administratively to management.

1.7 Significance of the Study

This study holds significance for multiple stakeholders as follows:

For Internal Auditors and Internal Audit Departments:
The study provides empirical evidence of the specific factors that make internal auditing effective in contributing to management control success. Internal auditors can use these findings to benchmark their own practices against identified success factors, advocate for improved independence and resources, and design audit processes that maximize their impact on organizational control. The study also provides guidance on outcome-based metrics that internal auditors can use to demonstrate their value to management and the board.

For Senior Management and Executives:
Managers who are responsible for organizational control will gain insights into how internal auditing can support—rather than threaten—their management objectives. The study highlights the importance of management support for internal auditing, including providing adequate resources, granting access, and acting on audit recommendations. Management may use the findings to justify investment in internal audit capacity and to establish more productive relationships with internal auditors.

For Boards of Directors and Audit Committees:
Board members and audit committee members have fiduciary responsibility for oversight of internal controls and risk management. This study provides evidence-based guidance on the characteristics of effective internal audit functions (independence, competence, reporting lines, follow-up processes) that boards should look for when evaluating their own internal audit arrangements. The findings also inform board decisions regarding internal audit charter approvals, audit plan reviews, and follow-up on significant audit findings.

For Regulators and Policymakers:
The Financial Reporting Council of Nigeria, the Central Bank of Nigeria, the National Insurance Commission, and other sector regulators will find empirical data on the current state of internal audit practice in Nigerian organizations, including gaps and challenges. Regulators may use the findings to refine internal audit requirements in corporate governance codes, develop guidance on internal audit effectiveness, and target enforcement efforts on organizations with the weakest internal audit practices.

For Professional Accounting and Auditing Bodies:
The Institute of Internal Auditors (IIA) Nigeria, the Institute of Chartered Accountants of Nigeria (ICAN), and the Association of Certified Fraud Examiners (ACFE) can use the study findings to identify competency gaps among internal auditors, design continuing professional development (CPD) programs that address those gaps, and advocate for stronger internal audit standards. The study also identifies areas where professional guidance is needed (e.g., data analytics for internal auditors, audit follow-up best practices).

For Academics and Researchers:
This study contributes to the literature on internal audit effectiveness, particularly in the developing economy context of Nigeria. It provides a theoretical framework (grounded in agency theory, COSO internal control framework, and IIA standards) and empirical baseline that can be extended by future research. The hypotheses developed can be tested in different sectors, across different organizational sizes, or using longitudinal designs. The study also identifies research gaps worthy of further investigation.

For External Auditors:
External auditors rely on the work of internal auditors when planning their own audits (under ISA 610). The study findings help external auditors assess the effectiveness of client internal audit functions, determining the extent to which they can rely on internal audit work. Organizations with strong internal audit functions may experience more efficient external audits, while those with weak functions may face expanded audit procedures.

For the Nigerian Economy:
Strong internal controls reduce organizational losses from fraud, error, and inefficiency. When internal auditing contributes to management control success, organizations across the Nigerian economy—from banks to manufacturers to government agencies—operate more efficiently, retain more resources, and are less vulnerable to financial scandals. Strengthening internal auditing thus has positive ripple effects on the broader economy, including enhanced investor confidence, reduced corruption, and more efficient allocation of resources.

1.8 Scope of the Study

The scope of this study is defined by the following parameters:

Content Scope: The study focuses on the role of internal auditing on management’s control success. Specifically, it examines internal audit independence, competence, management support, timeliness of reporting, follow-up processes, risk-based audit planning, and the use of technology (data analytics). Management control success is measured by the effectiveness of internal controls (as assessed by internal audit findings and remediation), reduction in control exceptions over time, and management perceptions of control effectiveness. The study does not examine external auditing, financial statement auditing, or other assurance functions outside of internal audit.

Geographic Scope: The study is conducted in Lagos State and the Federal Capital Territory (Abuja), Nigeria. These locations are selected because they contain the highest concentration of large organizations (multinational corporations, banks, manufacturing companies, government agencies) that are most likely to have established internal audit functions. Findings may be generalizable to other urban centers in Nigeria but may require caution in generalizing to rural areas or very small organizations that may lack formal internal audit functions.

Organizational Scope: The study targets organizations that have established internal audit functions. This includes listed companies (subject to FRC Code of Corporate Governance), banks and financial institutions (subject to CBI and NDIC regulations), insurance companies, manufacturing companies, telecommunications companies, and selected public sector organizations (ministries, departments, and agencies with internal audit units). The study excludes very small organizations (e.g., sole proprietorships, small partnerships) that do not have internal audit functions, as the research questions are not applicable to them.

Respondent Scope: Within each participating organization, respondents include internal audit heads/directors (for their perspective on audit processes and challenges), chief financial officers or finance managers (for their perspective on the value of internal audit), and audit committee chairs or board members (for their perspective on oversight and independence). Multiple respondents per organization provide triangulation and reduce single-source bias.

Time Scope: The study collects cross-sectional data during a specified period [e.g., six months]. However, respondents are asked to reflect on audit processes and outcomes over the preceding two to three years to provide a longer-term perspective on the relationship between internal auditing and control success. This retrospective approach allows assessment of control trends (e.g., improvement or deterioration over time).

Theoretical Scope: The study is grounded in agency theory (Jensen and Meckling, 1976), the COSO (2013) internal control framework, and the International Professional Practices Framework (IIA, 2017) for internal auditing. These theories provide the conceptual lens for understanding the monitoring role of internal auditing and the conditions under which it contributes to control success.

1.9 Definition of Terms

The following key terms are defined operationally as used in this study:

Term	Definition
Internal Auditing	An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes (IIA, 2017).
Management Control	The processes, policies, and procedures that managers implement to ensure that organizational resources are used efficiently and effectively to achieve strategic objectives, including planning, monitoring, evaluating, and correcting performance (Anthony and Govindarajan, 2018).
Management Control Success	The state in which internal controls are operating effectively, risk management processes are adequate, control exceptions are low and declining over time, audit recommendations are implemented promptly, and management and the board have confidence in the control environment.
Internal Audit Independence	The freedom of the internal audit function from conditions that threaten the ability to carry out internal audit responsibilities in an unbiased manner, including administrative reporting lines, access to the board audit committee, and protection from management interference.
Internal Audit Competence	The knowledge, skills, and abilities of internal audit staff, including professional certifications (CIA, CISA, ACA, ACCA), years of relevant experience, continuing professional education, and proficiency in audit methodologies, data analytics, and relevant regulations.
Audit Recommendation	A formal suggestion issued by internal auditors to management for improving internal controls, reducing risk, or enhancing operational efficiency, typically including a description of the finding, associated risk, recommended action, responsible party, and implementation deadline.
Audit Recommendation Implementation Rate	The percentage of audit recommendations that have been fully implemented (corrective action taken and control weakness resolved) by management within a specified timeframe (e.g., 90 days, 180 days, 12 months).
Audit Follow-Up Process	A formal, systematic process by which internal auditors track the status of management actions on audit recommendations, verify that corrective actions have been implemented effectively, and escalate unresolved issues to senior management or the audit committee.
Risk-Based Audit Planning	An approach to developing the internal audit plan that prioritizes audit activities based on the significance of risks to the organization, allocating more audit resources to higher-risk areas and processes.
Data Analytics (Audit Data Analytics)	The use of technology-enabled techniques (data extraction, analysis, visualization) to examine large populations of transactions, identify anomalies and patterns indicative of control weaknesses or fraud, and provide continuous or near-continuous assurance

CHAPTER TWO: LITERATURE REVIEW

2.1 Introduction

This chapter presents a comprehensive review of literature relevant to the role of internal auditing on management’s control success. The review is organized into five main sections. First, the conceptual framework section defines and explains the key constructs: internal auditing, management control, management control success, and the dimensions of internal audit effectiveness. Second, the theoretical framework section examines the theories that underpin the role of internal auditing in organizational control, including agency theory, stewardship theory, the COSO internal control framework, and the IIA’s International Professional Practices Framework (IPPF). Third, the empirical review section synthesizes findings from previous studies on the relationship between internal auditing and management control success, including factors such as independence, competence, management support, follow-up processes, and technology adoption. Fourth, the regulatory framework section examines the statutory and professional requirements for internal auditing in Nigeria. Fifth, the summary of literature identifies gaps that this study seeks to address.

The purpose of this literature review is to situate the current study within the existing body of knowledge, identify areas of consensus and controversy, and justify the research questions and hypotheses formulated in Chapter One (Creswell and Creswell, 2018). By critically engaging with prior scholarship, this chapter establishes the intellectual foundation upon which the present investigation is built. (Creswell and Creswell, 2018)

2.2 Conceptual Framework

2.2.1 The Concept of Internal Auditing

Internal auditing is defined by the Institute of Internal Auditors (IIA) as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes” (IIA, 2017, p. 4). This definition contains several critical elements. First, independence and objectivity require that internal auditors be free from conditions that threaten their ability to perform their work impartially. Second, assurance and consulting describe the dual role of internal auditing: providing independent assessments of controls (assurance) and advising management on improvements (consulting). Third, adding value means that internal auditing should produce benefits that exceed its costs. Fourth, systematic and disciplined approach distinguishes internal auditing from informal or ad hoc reviews; internal auditors follow professional standards and methodologies. (IIA, 2017)

The scope of internal auditing is broad, encompassing financial, operational, compliance, and information technology audits. Financial audits examine the reliability of financial reporting, safeguarding of assets, and compliance with accounting standards. Operational audits evaluate the efficiency and effectiveness of business processes. Compliance audits assess adherence to laws, regulations, contracts, and internal policies. Information technology audits review IT controls, data security, and system integrity (Sawyer, Dittenhofer, and Scheiner, 2019). This broad scope distinguishes internal auditing from external auditing, which focuses primarily on financial statement accuracy. The comprehensiveness of internal auditing makes it particularly relevant to management control success across all organizational domains. (Sawyer et al., 2019)

Internal auditing has evolved significantly over time. Historically, internal auditing was primarily a compliance function focused on detecting errors and fraud. The “traditional” internal auditor was often viewed as a “watchdog” or “policeman” who reported control violations to management. However, beginning in the 1990s, the profession shifted toward a more value-adding, consulting-oriented model. The modern internal auditor is expected to be a strategic partner who helps management identify risks, design efficient controls, and achieve organizational objectives (Pickett, 2020). This evolution is reflected in the IIA’s definition, which explicitly includes consulting activities alongside assurance. The shift has implications for how internal auditing contributes to management control success: rather than merely detecting failures, modern internal auditing helps prevent failures through proactive advice. (Pickett, 2020)

The internal audit function is typically governed by an internal audit charter approved by the board audit committee. The charter defines the purpose, authority, and responsibility of the internal audit function, including reporting lines, access to records and personnel, and the scope of audit activities (IIA, 2017). A well-designed charter establishes the independence of internal auditing by requiring that the chief audit executive report functionally to the audit committee (for oversight) and administratively to the CEO (for day-to-day operations). Many organizations also establish a quality assurance and improvement program (QAIP) that includes internal and external assessments of the internal audit function’s conformance with IIA standards. These governance mechanisms are intended to ensure that internal auditing is positioned to contribute effectively to management control. (IIA, 2017)

2.2.2 The Concept of Management Control

Management control is a fundamental function of management that ensures organizational resources are used effectively and efficiently to achieve strategic objectives. Anthony and Govindarajan (2018) define management control as “the process by which managers influence other members of the organization to implement the organization’s strategies.” Management control encompasses the systems, processes, and behaviors that align individual actions with organizational goals. It operates at multiple levels: strategic planning (setting long-term direction), management control (ensuring mid-term objectives are met), and task control (ensuring specific transactions are executed correctly). (Anthony and Govindarajan, 2018)

The management control process consists of four interrelated stages. First, planning: managers set goals, develop strategies, and establish performance standards. Second, monitoring: managers measure actual performance against plans, using financial and non-financial metrics. Third, evaluating: managers analyze variances between actual and planned performance, identifying root causes of deviations. Fourth, correcting: managers take action to address deviations, either by adjusting operations (if performance is off-track) or by revising plans (if assumptions have changed) (Merchant and Van der Stede, 2017). Each stage of this cycle requires reliable information; without accurate, timely data, managers cannot plan, monitor, evaluate, or correct effectively. Internal auditing contributes to management control by assessing the quality of the information and processes at each stage. (Merchant and Van der Stede, 2017)

Management control is distinct from, but related to, internal control. Internal control refers to the specific policies and procedures that management implements to mitigate risks and achieve objectives. It is a subset of management control. Management control is broader, encompassing not only internal controls but also the design of incentive systems, performance measurement frameworks, resource allocation processes, and organizational structure (Anthony and Govindarajan, 2018). For example, a performance bonus system is a management control mechanism (it influences behavior) but is not typically classified as an internal control. Internal auditing evaluates both internal controls and the broader management control system, although the primary focus of internal audit is on the adequacy and effectiveness of internal controls. (Anthony and Govindarajan, 2018)

Management control success is achieved when the organization operates as intended, with minimal deviations from plans, efficient use of resources, compliance with policies and laws, and achievement of strategic objectives. Indicators of management control success include: low rates of control exceptions (transactions that violate policies); rapid detection and correction of errors; minimal fraud losses; high compliance with regulatory requirements; positive audit outcomes; and management confidence that operations are under control (Merchant and Van der Stede, 2017). Conversely, management control failure is indicated by frequent control violations, undetected errors accumulating over time, fraud losses, regulatory sanctions, and management surprise when problems surface. Internal auditing plays a critical role in detecting and preventing control failures. (Merchant and Van der Stede, 2017)

2.2.3 Key Dimensions of Internal Audit Effectiveness in Relation to Management Control

This section explains the specific dimensions of internal audit effectiveness that are most directly related to management control success, as identified in the professional literature and prior empirical research.

Independence and Objectivity: Independence is the freedom from conditions that threaten the ability of the internal audit function to carry out its responsibilities in an unbiased manner. The IIA (2017) requires that internal auditors be independent of the activities they audit and that they maintain objectivity in their judgments. Independence is achieved through organizational reporting lines: the chief audit executive should report functionally to the board audit committee (for oversight) and administratively to the CEO (for operations). Objectivity requires that internal auditors have no direct operational responsibility for the areas they audit and that they disclose any potential conflicts of interest. Without independence, internal auditors may be reluctant to report significant control weaknesses, undermining management’s ability to achieve control success (Pickett, 2020). (IIA, 2017; Pickett, 2020)

Competence: Competence refers to the knowledge, skills, and abilities of internal audit staff. The IIA requires that internal auditors possess the knowledge and skills to perform their responsibilities professionally, including proficiency in auditing standards, accounting, information technology, risk management, and the specific industry in which the organization operates (IIA, 2017). Competence is demonstrated through professional certifications such as Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA), and chartered accountancy (ACA, ACCA). Competent internal auditors are more likely to identify subtle control weaknesses, use appropriate audit methodologies, and produce relevant, practical recommendations. Incompetent internal auditors may miss significant risks, produce erroneous findings, or recommend ineffective controls (Gramling, Rittenberg, and Johnstone, 2020). (IIA, 2017; Gramling et al., 2020)

Management Support: Management support refers to the degree to which senior management and the board allocate resources to internal auditing, grant access to records and personnel, take audit findings seriously, and implement audit recommendations. Management support is essential for internal audit effectiveness because without it, internal auditors cannot perform their work (no access, no budget), their findings are ignored, and control weaknesses persist (Nnamdi and Ugwu, 2021). Conversely, organizations where management values internal audit tend to have stronger control environments, as the presence of an active internal audit function signals that management is serious about control. The relationship between management support and internal audit effectiveness is reciprocal: effective internal audits earn management respect and support, which in turn enables more effective audits. (Nnamdi and Ugwu, 2021)

Timeliness of Reporting: For internal audit findings to be useful for management control, they must be reported promptly while corrective action is still possible. Audit reports that are delayed by weeks or months lose their relevance: conditions may have changed, errors may have recurred multiple times, and losses may have accumulated (Eze and Okafor, 2022). Timeliness requires efficient audit processes: well-defined fieldwork procedures, efficient evidence gathering, streamlined report review and approval processes, and a culture that prioritizes speed without sacrificing quality. Organizations that measure and incentivize timeliness tend to have more effective internal audit contributions to control success. (Eze and Okafor, 2022)

Follow-Up Processes: A formal follow-up process ensures that audit recommendations are implemented by management. The IIA Standard 2500 requires that chief audit executives establish a follow-up process to monitor and ensure that management actions have been effectively implemented (IIA, 2017). An effective follow-up process includes: tracking of recommendations with target dates; reminder systems for overdue actions; verification that corrective actions have been implemented and are operating effectively; escalation of unresolved issues to senior management or the audit committee; and reporting on recommendation completion rates to the board. Without follow-up, even the best audit recommendations go unimplemented, and internal auditing has no impact on management control success (Okafor, Okoye, and Nnamdi, 2020). (IIA, 2017; Okafor et al., 2020)

Risk-Based Audit Planning: Risk-based audit planning means that the internal audit plan is developed based on a systematic assessment of organizational risks, with more audit resources allocated to higher-risk areas. The IIA Standard 2010 requires that the chief audit executive establish a risk-based plan to determine the priorities of the internal audit activity (IIA, 2017). Risk-based planning ensures that internal audit attention is directed to the areas where control weaknesses would cause the greatest harm, rather than spreading audit resources evenly across low-risk and high-risk areas alike. Organizations that adopt risk-based audit planning are more likely to detect material control weaknesses before they result in significant losses (Uche and Adeyemi, 2019). (IIA, 2017; Uche and Adeyemi, 2019)

Use of Technology (Data Analytics): The use of audit data analytics (ADA) and continuous auditing technologies enhances the ability of internal auditing to detect control exceptions. Traditional audit methods test only small samples of transactions; data analytics can test 100% of transactions, identify anomalies and patterns, and provide real-time or near-real-time assurance (Appelbaum, Kogan, and Vasarhelyi, 2017). For example, instead of testing a sample of 50 expense reimbursements, an internal auditor using data analytics can analyze all 10,000 expense reimbursements processed during the year, flagging those that violate policy (e.g., duplicate submissions, out-of-policy amounts, weekend submissions). Technology-enabled internal audit functions are better positioned to contribute to management control success in the digital age. (Appelbaum et al., 2017)

2.3 Theoretical Framework

This section presents the theories that provide the conceptual lens for understanding the role of internal auditing on management’s control success. Four theories/frameworks are discussed: agency theory, stewardship theory, the COSO internal control framework, and the IIA’s International Professional Practices Framework (IPPF).

2.3.1 Agency Theory

Agency theory, developed by Jensen and Meckling (1976), is the most widely cited theoretical foundation for internal auditing. Agency theory posits that a corporation is a nexus of contracts between principals (shareholders) and agents (directors and managers). The principal delegates decision-making authority to the agent, but the agent may pursue self-interest (e.g., excessive compensation, empire building, shirking, fraud) rather than maximizing principal value. This divergence of interests creates agency costs, which include monitoring costs (expenditures to oversee the agent), bonding costs (expenditures by the agent to assure the principal), and residual loss (the value lost despite monitoring) (Jensen and Meckling, 1976). (Jensen and Meckling, 1976)

Agency theory identifies several mechanisms for reducing agency costs, including performance-based compensation, board oversight, external auditing, and internal auditing. Internal auditing serves as a monitoring mechanism that reduces information asymmetry between principals and agents. Managers (agents) have more information about their actions and the state of internal controls than shareholders (principals) or boards can observe directly. Internal auditors, as independent monitors, gather information about control effectiveness and report it to the board and audit committee, reducing the information advantage of management (Adams, 1994). When managers know that internal auditors will review their compliance with controls, they are more likely to adhere to policies (a deterrent effect). When deviations occur, internal auditors detect them and report them, enabling corrective action (a detection effect). (Adams, 1994)

Agency theory also explains the optimal reporting lines for the internal audit function. If internal audit reports only to management, the agent (management) is monitoring itself, which does not reduce agency costs. Therefore, agency theory predicts that internal audit should report functionally to the board audit committee (representing principals) to ensure independence. Empirical studies have confirmed that internal audit functions that report to the audit committee have greater perceived independence and are associated with stronger internal controls (Gramling et al., 2020). The Nigerian Code of Corporate Governance (FRC, 2018) reflects this agency theory logic by requiring that internal audit report functionally to the audit committee. (FRC, 2018; Gramling et al., 2020)

Agency theory further explains management resistance to internal auditing. Managers may resist internal audit because audits expose control weaknesses that reflect poorly on management performance. Some managers may limit internal audit access, pressure auditors to suppress negative findings, or fail to implement audit recommendations. This resistance is a manifestation of agency costs: managers prioritize their own interest (avoiding embarrassment) over the principal’s interest (effective controls) (Adams, 1994). Understanding this dynamic is essential for designing internal audit governance structures that overcome management resistance. This study, grounded in agency theory, examines the conditions under which internal auditing successfully reduces agency costs by contributing to management control success. (Adams, 1994)

2.3.2 Stewardship Theory

Stewardship theory, developed by Donaldson and Davis (1991), offers an alternative perspective to agency theory. Stewardship theory argues that managers are inherently motivated to act in the best interests of the principals because they derive satisfaction from achieving organizational goals and acting as responsible stewards of entrusted resources. Unlike agency theory’s assumption that managers are self-interested and require monitoring, stewardship theory suggests that managers will act responsibly when they are empowered, trusted, and given autonomy (Donaldson and Davis, 1991). The role of internal auditing in this framework is not primarily a monitoring mechanism (detecting and deterring managerial misbehavior) but an enabling mechanism that helps managers fulfill their stewardship responsibilities more effectively. (Donaldson and Davis, 1991)

From a stewardship perspective, internal auditing contributes to management control success by providing managers with independent, objective information that helps them manage better. Rather than viewing internal auditors as “police” sent to catch mistakes, stewardship-oriented managers view internal auditors as “partners” who help identify risks, redesign processes, and improve efficiency. Davis, Schoorman, and Donaldson (1997) argue that when organizations adopt a stewardship philosophy, they tend to have more open communication, higher trust, and greater information sharing—all of which enable internal auditors to perform more effectively. In such organizations, management voluntarily seeks internal audit input and implements recommendations promptly because they value the contribution to their own performance. (Davis et al., 1997)

Stewardship theory is particularly relevant to the consulting role of internal auditing. The IIA’s definition explicitly includes consulting as an internal audit activity alongside assurance. Consulting engagements (e.g., advising on the design of a new financial system, facilitating a risk assessment workshop, providing training on internal controls) help management prevent control problems before they occur. In a stewardship framework, internal auditors proactively offer advice because they share management’s commitment to organizational success, not because they are required to do so by audit mandate (Pickett, 2020). Organizations that embrace this stewardship model tend to have higher internal audit utilization rates and greater perceived audit value. (Pickett, 2020)

The stewardship perspective has implications for how internal audit effectiveness should be measured. Agency theory would emphasize detection metrics (number of findings, fraud uncovered, control violations identified). Stewardship theory would emphasize prevention metrics (controls designed before implementation, risks identified before losses occur, improvement in processes). Both perspectives are valid and complementary; effective internal audit functions balance assurance (agency) and consulting (stewardship) roles. This study draws on both agency and stewardship theories to provide a comprehensive understanding of the role of internal auditing on management control success (Davis et al., 1997). (Davis et al., 1997)

2.3.3 The COSO Internal Control Framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed the most widely accepted framework for internal control. The COSO Internal Control—Integrated Framework (2013) defines internal control as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance” (COSO, 2013, p. 3). The framework identifies five interrelated components of internal control, which this study uses as a theoretical lens for understanding management control success. (COSO, 2013)

Component One: Control Environment. The control environment is the set of standards, processes, and structures that provide the foundation for internal control across the organization. It includes the integrity and ethical values of management, the board’s oversight responsibility, the commitment to competence, the organizational structure, and the assignment of authority and responsibility. The control environment is often described as “tone at the top”—the attitudes and actions of senior management that influence the control consciousness of all employees (COSO, 2013). Internal auditing evaluates the control environment by assessing whether management demonstrates commitment to integrity, whether whistleblowing mechanisms are effective, and whether control responsibilities are clearly assigned. A weak control environment undermines all other controls, regardless of how well they are designed. (COSO, 2013)

Component Two: Risk Assessment. Risk assessment is the identification and analysis of risks to achieving the entity’s objectives, forming the basis for determining how risks should be managed. Management must specify objectives with sufficient clarity to enable risk identification, analyze the likelihood and impact of risks, and consider the potential for fraud. Risks may arise from internal factors (e.g., personnel turnover, system failures) and external factors (e.g., regulatory changes, economic conditions) (COSO, 2013). Internal auditing evaluates management’s risk assessment processes, identifying gaps where risks have not been identified or analyzed. Internal auditors also perform their own risk assessment to develop the audit plan, prioritizing areas with the highest residual risk. (COSO, 2013)

Component Three: Control Activities. Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks are carried out. Control activities include approvals, authorizations, verifications, reconciliations, segregation of duties, physical safeguards over assets, and IT controls (e.g., access restrictions, system change controls). Control activities may be preventive (designed to prevent errors or fraud from occurring) or detective (designed to identify errors or fraud after they have occurred) (COSO, 2013). Internal auditing tests the operating effectiveness of control activities by selecting samples of transactions and verifying that controls were performed as designed. When control activities are ineffective, internal auditors issue recommendations for remediation. (COSO, 2013)

Component Four: Information and Communication. Information is necessary for the entity to carry out internal control responsibilities. Management must obtain relevant, quality information from internal and external sources to support the functioning of other control components. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication enables personnel to understand their control responsibilities; external communication enables stakeholders to understand the entity’s control environment (COSO, 2013). Internal auditing evaluates whether the information used for control purposes is accurate, complete, and timely, and whether communication channels (both formal and informal) support effective control. Weak information systems undermine control success because managers cannot monitor what they cannot measure. (COSO, 2013)

Component Five: Monitoring Activities. Monitoring is the process by which management assesses the quality of internal control performance over time. Monitoring includes ongoing evaluations (built into business processes and performed in real-time) and separate evaluations (periodic audits and reviews). Management must evaluate and communicate internal control deficiencies in a timely manner to those responsible for corrective action, and to senior management and the board as appropriate (COSO, 2013). Internal auditing provides independent monitoring of management’s monitoring activities (monitoring of monitoring). Internal auditors also serve as a key separate evaluation mechanism, providing independent assurance that the entire internal control system is operating effectively. (COSO, 2013)

The COSO framework is directly relevant to this study because management control success is largely defined by the effectiveness of the five COSO components. An organization with a strong control environment, robust risk assessment, well-designed control activities, effective information and communication, and active monitoring has achieved management control success. Conversely, deficiencies in any COSO component indicate control weaknesses. Internal auditing evaluates each COSO component and contributes to their improvement. This study uses the COSO framework as a theoretical lens for operationalizing management control success (COSO, 2013). (COSO, 2013)

2.3.4 The IIA’s International Professional Practices Framework (IPPF)

The Institute of Internal Auditors (IIA) has developed the International Professional Practices Framework (IPPF) , which constitutes the authoritative guidance for the internal audit profession. The IPPF consists of mandatory guidance (core principles, definition of internal auditing, code of ethics, and standards) and recommended guidance (implementation guidance and supplementary guidance) (IIA, 2017). The IPPF provides a theoretical and professional framework for understanding how internal auditing should be practiced to achieve effectiveness, including contributing to management control success. (IIA, 2017)

The Core Principles for the Professional Practice of Internal Auditing articulate what effective internal auditing looks like. The ten core principles include: demonstrates integrity; demonstrates competence and due professional care; is objective and free from undue influence; aligns with the strategies, objectives, and risks of the organization; is appropriately positioned and adequately resourced; demonstrates quality and continuous improvement; communicates effectively; provides risk-based assurance; is insightful, proactive, and future-focused; and promotes organizational improvement (IIA, 2017). These principles directly relate to internal audit effectiveness and, by extension, to internal audit’s contribution to management control success. For example, the principle of being “insightful, proactive, and future-focused” aligns with the stewardship perspective that internal auditing should prevent problems, not merely detect them. (IIA, 2017)

The Attribute Standards (Standards 1000-1300) address the characteristics that organizations and internal auditors should possess. These include: purpose, authority, and responsibility (Standard 1000); independence and objectivity (Standard 1100); proficiency and due professional care (Standard 1200); and quality assurance and improvement programs (Standard 1300). The Performance Standards (Standards 2000-2600) describe the nature of internal audit activities and provide criteria against which the quality of audit services can be evaluated. These include: managing the internal audit activity (Standard 2000); nature of work (Standard 2100); engagement planning (Standard 2200); performing the engagement (Standard 2300); communicating results (Standard 2400); and monitoring progress (Standard 2500) (IIA, 2017). (IIA, 2017)

Standard 2500 (Monitoring Progress) is particularly relevant to management control success. It requires that “the chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.” Implementation Guidance to Standard 2500 explains that the follow-up process should include: tracking of management action plans with target dates; verification that corrective actions have been implemented; escalation of unresolved issues; and reporting on follow-up results to senior management and the board (IIA, 2017). As noted in the conceptual framework, follow-up processes are critical to ensuring that audit recommendations lead to improved control. Without follow-up, internal auditing cannot demonstrate contribution to management control success. (IIA, 2017)

The IPPF also addresses the consulting role of internal auditing. Practice Advisory 1000.C1 states that “the nature of consulting services may vary significantly from assurance services and should be clearly defined and understood by the parties involved.” Consulting services may include advisory services (providing advice on proposed changes), facilitation services (helping management work through decisions), and training services (building internal audit capacity). The IPPF emphasizes that even when performing consulting services, internal auditors must maintain objectivity and not assume management responsibility (IIA, 2017). This study uses the IPPF as a theoretical and professional benchmark for assessing whether internal audit practices in Nigerian organizations align with international standards, and whether alignment (or lack thereof) affects contribution to management control success. (IIA, 2017)

2.4 Empirical Review

This section reviews empirical studies that have examined the relationship between internal auditing and management control success. The review is organized thematically: internal audit independence, internal audit competence, management support, timeliness and follow-up, and technology adoption.

2.4.1 Internal Audit Independence and Management Control Success

A substantial body of empirical research has examined the relationship between internal audit independence and the effectiveness of internal controls. Abbott, Parker, and Peters (2010) studied the relationship between internal audit reporting lines and the likelihood of material control weaknesses in US public companies. Analyzing data from 1,200 companies, the study found that companies where the internal audit function reported functionally to the audit committee (rather than to the CFO or CEO) had a significantly lower likelihood of material control weaknesses (odds ratio = 0.56, p < 0.01). The study concluded that functional reporting to the audit committee enhances internal audit independence, which in turn improves the detection and remediation of control weaknesses. (Abbott et al., 2010)

In the Nigerian context, Okoye, Okafor, and Nnamdi (2019) surveyed 150 internal auditors and finance managers across manufacturing, banking, and public sector organizations. The study found that only 38% of internal audit functions reported functionally to the audit committee; the remainder reported to the CFO (32%), CEO (18%), or another senior manager (12%). Using regression analysis, the study found a significant positive relationship between audit committee reporting and perceived internal audit effectiveness (β = 0.47, p < 0.001). Organizations with audit committee reporting also had significantly higher rates of audit recommendation implementation (67% vs. 43%, p < 0.01). The study concluded that organizational reporting lines are a critical determinant of internal audit’s contribution to control success. (Okoye et al., 2019)

Christopher, Sarens, and Leung (2009) conducted a qualitative study of internal audit functions in 15 Australian public sector organizations, examining the challenges to independence. Thematic analysis of interview transcripts revealed that internal auditors frequently faced pressure from management to suppress or soften negative findings. In organizations where internal audit reported to the audit committee, auditors felt more empowered to report control weaknesses without fear of retaliation. However, even with formal audit committee reporting, informal pressure from powerful executives could still compromise objectivity. The study concluded that independence requires not only appropriate reporting lines but also a culture that supports speaking up. (Christopher et al., 2009)

2.4.2 Internal Audit Competence and Management Control Success

The relationship between internal audit competence and control outcomes has been examined extensively. Arena and Azzone (2009) studied 200 internal audit functions in Italian companies, examining the effect of auditor competence on audit quality. Competence was measured by the percentage of auditors with professional certifications (CIA, CISA, or accounting qualifications) and hours of continuing professional education. The study found that competence was significantly associated with the identification of material control weaknesses (r = 0.52, p < 0.001) and with the quality of audit recommendations (as rated by management). Organizations with competent internal audit staff were also more likely to adopt risk-based audit planning (odds ratio = 3.2, p < 0.01). (Arena and Azzone, 2009)

In Nigeria, Adeyemi and Unuigbe (2020) surveyed 120 internal audit departments in manufacturing companies, examining the competence gap in internal audit practice. The study found that only 28% of internal audit staff held any professional certification; 72% had no certification. The most common certification was ACA (22%), followed by CIA (4%) and CISA (2%). The study found a significant correlation between the presence of certified staff and management’s perception of audit value (r = 0.61, p < 0.001). Organizations with certified internal auditors reported fewer control exceptions in subsequent audits (t = 3.4, p < 0.01). The study recommended that organizations invest in professional certification for internal audit staff. (Adeyemi and Unuigbe, 2020)

Alzeban and Gwilliam (2014) conducted a cross-country study of internal audit effectiveness in Saudi Arabia and the UK, examining competence as a moderator of the relationship between management support and audit effectiveness. Using survey data from 300 chief audit executives, the study found that competence significantly moderated the relationship: organizations with both high management support and high auditor competence had the highest audit effectiveness. However, in organizations with high management support but low auditor competence, audit effectiveness was only marginally better than organizations with low support and low competence. The study concluded that competence is an essential condition for internal audit effectiveness; management support alone cannot compensate for incompetent auditors. (Alzeban and Gwilliam, 2014)