Internal auditing competence profile: an empirical analysis
Arena, M. (*), Azzone, G., Ciceri, M.
Politecnico di Milano
Dipartimento di Ingegneria Gestionale
Politecnico di Milano
Dipartimento di Ingegneria Gestionale
Piazza Leonardo da Vinci 32
0039 02 23994070
Please do not quote without authors’ permission
The problem of defining a competence profile of internal auditors has become particularly relevant in recent
years due to the evolution of the role of Internal Auditing (IA) within the organization and the broadening of
the range of IA stakeholders.
Originally, IA was introduced as a monitoring mechanism aimed at protecting company assets and ensuring
reliable accounting information. In the following years, however, internal auditors tried to extend their areas
of involvement beyond financial auditing and compliance, to include operational auditing, risk management
and consulting activities (Bou-Raad, 2000; Spira & Page, 2003; IIA UK and Ireland, 2008; 2009, Arena &
Azzone, 2009). More recently, financial scandals and the related reforms attracted new attention on IA as
one of the fundamental components of corporate governance, in conjunction with external auditors, top
management and the audit committee (Ebaid, 2011). IA has been increasingly looked at as a possible
response to external pressure of reducing information asymmetry between top management and external
stakeholders (Spira & Page, 2003).
These changes had a double impact on internal auditors’ work. On the one hand, the range of activities
performed by the internal auditors was broadened, with an increasing involvement of internal auditors in
issues such as sustainability, technology, projects. On the other hand, the nature of the activities performed
changed with the introduction of consulting activities in addition to assurance services. These changes
naturally called for an enlargement of internal auditors’ competences, to ensure their ability to deal with
issues that goes beyond the traditional areas of financial auditing and compliance (Abdolmohammadi et al.,
2006; Burnaby & Hass, 2009).
The original focus on internal controls over financial reporting has in fact resulted in competences not
completely coherent with the new needs of the organizations, with potential impacts on the effectiveness of
IA activities concerning the risk assessment process, IA plan development, IA quality and audit coverage
(Ernst & Young, 2008). From a technical perspective, the development of the ability to evaluate and test
internal controls, audit and assess complex IT environments and address both enterprise-wide risk and
governance issues has become essential for internal auditors in addition to traditional financial competences.
From a managerial perspective, internal auditors should be able to “think beyond the project” and have the
business knowledge and confidence to engage in substantive conversations with senior management, middle
management and the audit committee (PricewaterhouseCoopers, 2007).
An appropriate skills set not only allows internal auditors a better understanding of what adds greater value
to the company, but also increases their credibility, trust and respect towards them, which contributes to the
effectiveness of the IA function (Ramamoorti, 2003; Turner, 2007). Therefore, internal auditors are expected
not only to acquire new skills and tools, but also to adopt new attitudes and practices required to effectively
play the new role (Senapalh, 2000).
This enlargement of IA competences, however, is in contrast with some concrete difficulties that the internal
auditors have to face. On the one hand, the CAEs themselves consider the lack of competences and
capabilities to be one of their primary challenges (PricewaterhouseCoopers, 2007), though they give great
importance to education, training and competence development (Bou-Raad, 2000; Venter & du Bruyn, 2002;
Rittenberg & Anderson, 2006; Steyn & Plant, 2009).
On the other hand, some empirical research showed that IA stakeholders often consider internal auditors
insufficiently knowledgeable to provide useful help (Griffiths, 1999; Van Peursem, 2004; 2005). In
particular, managers lament internal auditors’ lack of technical skills, their inability to clearly communicate
findings, and the perception of a limited benefit resulting from the implementation of the recommendations
received (Hunton & Wright, 1995; Flesher & Zanzig, 2000). Others believe that internal auditors have the
capabilities to assess risk management processes and report their opinions, but are not able to identify and
report in a reasonable time the problems that threaten the efficiency of these systems (Leech, 2009; Bota-
In this context, the paper aims to: (1) analyze the evolution of internal auditors’ competences in response to
the change role of the IA role, (2) identify key drivers influencing the development of a specific competence
profile at the organizational level.
To answer to these objectives, we relied on the model proposed by Cheetham & Chivers (1998) and we
applied it to the IA. The application of the model is based on data collected through a case study method,
with interviews performed with the CAEs of 14 Italian companies operating in 4 main industries (energy,
manufacturing, financial services and IT)
The paper contributes to the current literature in different ways. This work is one of the few paper that deals
with the problem of IA competence from an academic perspective. The current literature mainly focused on
external auditing (e.g.: Abdolmohammadi & Shanteau, 1992; Abdolmohammadi et al., 2004; Bonner &
Lewis, 1990; Bonner & Pennington, 1991; Libby & Luft, 1993; Libby & Tan, 1994; Tan & Libby, 1997;
Tan, 1999); but very few academic studies have addressed the case of IA (Abdolmohammadi, 2009).
However, the research findings from the external auditing field cannot be automatically transposed to the IA
sphere, due to some significant distinctions. Firstly, the objectives of internal and external auditors, and the
work which they do, are different. The aim of external auditors is to formulate an opinion as to whether
financial statements are free of material misstatement, while the task of internal auditors is to assist senior
management and the board of directors with evaluating and managing risks, assessing compliance with laws
and regulations, and evaluating operational efficiency (e.g. Eilifsen, Messier, Glover, & Prawitt, 2006).
Secondly, internal audits are conducted within a single entity, and there are hierarchical links between the IA
function and other parts of the organization (such as management, or the board of directors/audit committee).
The external auditing literature does not consider these specificities, suggesting a need for further research.
The second contribution of the paper deals with the methodology adopted. Most of current works on IA
competence move from a pre-defined list of competencies and tested it through a survey method (Vinten,
2004; Abdolmohammadi et al., 2006; Ernst &Young, 2008; PricewaterhouseCoopers, 2007, 2008, 2010;
Protiviti, 2011). In this paper, we move from a competence model, that is widely adopted in the competence
literature, and we applied it to the case of the IA, complementing quantitative analysis with a case study
method. This approach allowed us to analyze more in details the motivations at the basis of the development
of a specific competence profile for IA and the factors influencing it.
The reminder of the paper is articulated as follows. Section 2 presents the Cheetham & Chivers (1998)
model, that we propose as a valuable model to analyse IA competences. Section 3 discusses the method used
for data collection and analysis. Section 4 describes the findings of the study and we conclude in section 5.
The model selected for the development of the study is the “holistic model of professional competence”
proposed by Cheetham & Chivers (1998) (in Figure 1). The model was elaborated with the aim of bringing
together in a single holistic model the coherent elements among the approaches suggested before by various
Figure 1: Holistic model of professional competence (source: Cheetham & Chivers (1998))
Cheetham e Chivers’s model consists of four key components, that are thought to be strictly intertwined:
knowledge/cognitive competence, functional competence, personal or behavioural competence,
values/ethical competence. Knowledge/cognitive competence has been defined by the authors as the
possession of appropriate work-related knowledge and the ability to put this to effective use. Functional
competence is defined as the ability to perform a range of work-based tasks effectively to produce specific