
The internal auditor in major project advisory : a case study in a large audit firm, focused on infrastructure projects


Academic year: 2021


Amsterdam Business School

The internal auditor in major project advisory

A case study in a large audit firm, focused on infrastructure projects

Name: Sanne Hooijberg
Student number: 10428275

Thesis supervisor: prof. dr. B.G.D. (Brendan) O'Dwyer
Date: June 19, 2016

Word count: 16633

MSc Accountancy & Control, specialization Accountancy
Faculty of Economics and Business, University of Amsterdam


Statement of Originality

This document is written by student Sanne Hooijberg who declares to take full responsibility for the contents of this document.

I declare that the text and the work presented in this document is original and that no sources other than those mentioned in the text and its references have been used in creating it.

The Faculty of Economics and Business is responsible solely for the supervision of completion of the work, not for the contents.


Abstract

Contributing to the development of the role of the internal auditor, this study analyses how the internal auditor can add value in Dutch major infrastructure projects and more specifically, how they assume a role and cope with conflicts. An in-depth case study is performed by interviewing internal auditors of a big 4 firm in the Dutch setting. The purpose of this study is to research a new possible area for internal auditors using role theory and coping with role conflict. Through a qualitative research method the research question is answered.

The results of the interviews show that the interviewees described the Dutch infrastructure market as being hard to work in. Reflecting this on role theory, the focal person is the internal auditor and the context is the Dutch major infrastructure market. The internal auditors receive signals from the internal parties (contracting party and contractor) and from external parties (people and organizations outside of the project but with an interest in the outcome). As in the study of Roussy (2013), the interviewees undertake a protector role and a helper role, being a protective shield and guide for contracting parties and a protective shield and supporter of organizational performance for contractors. In contrast, the protector sub-role of keeper of secrets for the (project) managers towards the organization is not found in this study.

Relating to coping with role conflicts, two types of conflicts can arise, namely internal and external. Internal project problems arise when the two parties do not send the same signals; as a result the internal auditor faces an inter-sender role conflict, which is resolved by structural role redefinition. External project problems arise because the internal parties and external parties send different signals, which results in an ethical conflict for the internal auditor. This is resolved by resignation.

The reason for studying this subject is the increasing attention for the role of the internal auditor in the Dutch market. This study offers an insight into how internal auditors develop their own perception of the role they are required to perform in order to meet the role expectations based on the signals received. The added value of the internal auditor in the normal course of business is already proven, but in the major infrastructure market there definitely is potential.


Contents

1 Introduction
2 Theory
2.1 The changing role of the internal auditor
2.2 Role theory
2.3 Role conflict
2.4 Effectiveness of the internal audit
2.5 Infrastructure projects
3 Research method
3.1 Research method
3.2 Research design
3.2.1 Interviewees
3.2.2 Interviews
3.2.3 Interview analysis
4 Findings
4.1 The (traditional) internal auditors role
4.2 Major infrastructure projects
4.3 Possible roles
4.3.1 Contracting or contractor party
4.3.2 Role internal auditor contracting party
4.3.3 Role internal auditor contractor
4.4 Possible conflicts
4.4.1 independency
4.4.2 internal and external conflicts
5 Discussion and conclusion
5.1 Linking previous literature
5.2 Conclusion
5.3 Future research
5.4 Limitations
6. References


1 Introduction

The role of the internal auditor is changing. In the literature it is said that the role of the internal auditor is shifting to a more pro-active one. According to Yung (2011) internal auditors can fulfill two roles towards the board of an organization and senior management, namely objectively assessing the risk management program and effectiveness, or providing a consulting and advising role by identifying, evaluating or supporting the implementation of risk management methodologies. The second role is more suitable for the modern-day world. Sobel (2011) states that the business world is more complex than ever due to new, evolving and emerging risks. In his research, it is said that organizations are giving risk management more consideration, but the implementation of an effective risk management system takes time and discipline. To successfully fulfill this process, the internal auditor can play an important role. The usefulness of internal auditing has yet to be studied according to Archambeault, DeZoort and Holt (2008). They state that little is known about the roles internal auditors undertake and how they perform in their job. In a more recent study, D’Onza, Selim, Melville and Allegrini (2015) conducted more in-depth research into the usefulness of the internal auditor. They find that there is a positive and significant relationship between the internal audit function’s capability to add value to the organization and the independence and objectivity of the internal auditor, the compliance with the code of ethics and the internal auditor’s contribution to the evaluation and effectiveness of internal controls and risk management. Roussy (2013) performed a study to understand the governance roles of internal auditors in public sector organizations in Quebec. She used the role theory of Katz and Kahn (1966) as a theoretical framework and perceived two broad roles the internal auditor undertakes, namely the protector and the helper role. Furthermore, she observed a difference between the role of the internal auditor as perceived by the regulatory bodies and the actual role they undertake. This is an unexpected outcome compared to earlier literature, which in general stated that internal auditors are either totally independent or not and that their role depends on this (Ahmad & Taylor, 2009).

A benefit of having an internal auditor, mentioned by Xiandong (1997), is that the company is provided with sufficient, timely, accurate and useful information. This is helpful for decision-making and for avoiding inadequate or bad decisions caused by false, inaccurate or incomplete information. Despite this benefit, Brody and Lowe (2000) explain that the emphasis on advising activities creates new problems. There are concerns regarding the ability of internal auditors to stay independent and objective. They research whether internal auditors view their consulting role as a way to provide objective feedback to management or to provide solutions that are in the best interest of the company. Brody and Lowe (2000) examine whether the objectivity depends on their company’s role as buyer or seller in an acquisition setting. To conduct their research they set up an experiment with 55 internal auditors. The results suggest that the buyer or seller role of the company influenced internal auditor judgments. From this the authors conclude that internal auditors are likely to assume the position that is in the best interest of the company, which is why they question the independence and objectivity of the internal auditor in the new role. Bou-Raad (2000) also questioned this independence problem. However, he states that it remains the management’s decision to accept or reject the recommendations of the internal auditor on the control procedures. On top of that, Bou-Raad (2000) also thinks that internal auditors need to address the boundaries of acceptable behavior and not engage in activities that will likely undermine their professional independence and objectivity. Thus, there are several roles the auditor should and should not undertake. For example, the internal auditor should never take over the role of the managers of the company. The internal auditors can give advice, but in the end it is the management that makes the decision. Hall (1972) developed the model of coping with role conflict, which treats the role a person undertakes as a plural concept, associated with a specific role with sub-identities that can conflict with each other. The effectiveness of a role depends on how an individual reacts to role conflicts. Building further on this model, Grover (1993) determined that coping strategies determine the roles that are effectively performed. The roles the internal auditor performs depend on several actors and should be carefully evaluated, since they can challenge objectivity and independence.

The role of the internal auditor in organizations as a whole has improved, but the role of the internal auditor in major projects is a less researched topic. This is a possible new area for the internal auditor. Normally the internal auditor objectively assesses the risk management program and effectiveness, or has a consulting and advising role by identifying, evaluating or supporting the implementation of risk management methodologies from the day-to-day organizational processes (Yung, 2011). With major advisory projects, the internal auditor advises management on a big project, which is not part of the normal course of business. This is represented in figure 1.

[Figure 1. Major projects of an organization. Labels: Organization’s life time; Core business; Major project; Non-core.]


Major projects involve stakeholders who are usually not involved. The organization also faces other risks and different controls to manage those risks. Major projects are a broad topic: they include IT projects, such as implementing a whole new system in an organization, but also, for example, building a new school. To narrow down, this paper will focus on infrastructure projects in the Dutch context for several reasons. First of all, infrastructure projects could have a considerable impact on society (Eijgenraam, Koopman, Tang, & Verster, 2000), which means that there is a substantial number of stakeholders. Furthermore, Eijgenraam et al. (2000) argue that the economic effects of those projects are hard to predict, which makes it difficult to make a socially responsible decision. But decisions have to be made and are bound to have major risks regarding future developments and effects, among many others. Under these circumstances there is a need for a reliable and relevant form of information. Flyvbjerg did a lot of research on infrastructure projects and states that there is surprisingly little reliable knowledge about the performance of big infrastructure projects in terms of actual costs, benefits and risks (Flyvbjerg, Skamris Holm, & Buhl, 2003). Their research shows that substantial cost escalation is common. Cost estimates have not improved and over the past 70 years cost escalations have not decreased. Cost estimates used in decision-making for infrastructure projects are systematically and significantly misleading. This results in large financial risks. However, such risks are typically ignored in decision-making (Flyvbjerg et al., 2003).

An important aspect of a successful infrastructure project is information (Flyvbjerg, 2005). As he stated in his article, the main problem in major infrastructure development is the lack of information or misinformation about costs, benefits and risks. Those projects are almost always very complex and a lot of individuals with different interests participate in them. For example, the government wants to build a bridge and hires a contractor to do this. Through a bidding process a contractor is hired who searches for engineers, architects, suppliers, construction workers and so on. A lot of information streams are present and it is important that this information reaches the right people at the right time to make sure the project does not exceed the limits of money and time. As Flyvbjerg (2005) mentions in his results, misinformation is due to contractors deliberately misrepresenting costs, benefits and risks to increase their chance of outbidding the competition.

It is interesting to research the possibility of reducing those problems. As stated earlier, infrastructure projects are hard to complete within the boundaries of time and money, and furthermore they involve many stakeholders with different demands. If the internal auditor has a role in the infrastructure project, how does he or she deal with the different stakeholders and be a valuable asset for the organization? Therefore, the question central in this paper is:

How does the internal auditor develop an own perception of the role required to perform to meet the role expectations and cope with role conflicts in the Dutch infrastructure market?

This paper will contribute to the existing literature on the role of the internal auditor by providing an insight into how the internal auditor can possibly improve the decision making and risk assessment on major infrastructure projects, while dealing with different circumstances than in the normal course of business. Furthermore, to narrow down the study, this study only focuses on the Dutch context of infrastructure projects. There is a change in the process of those projects, which makes it an interesting context. In the early 2000s there was a big scandal in the construction industry in the Netherlands. According to Slaats (2016) this has caused more distance between the governmental organizations that put the project in the market and the market itself. There are more rules and more risks for the contractor and the competition is fierce. Slaats noticed that during the tender procedure, the contracting party registers a figure that is financially too tight, which can be a source of many risks. The current form of contracts offers little space to fit in the needs of customers and other stakeholders early in the process. Another reason for doing this study in the Dutch context is the Dutch Corporate Governance Monitoring Report of 2016. This report is published every year and studies the compliance of Dutch listed firms with the corporate governance code. In 2016, for the first time, there is specific emphasis on the internal audit function, which means the internal audit function is becoming more important and can possibly expand to more areas, like major infrastructure projects.

This study is aimed at getting in-depth knowledge of how internal auditors deal with their possible role in major infrastructure projects. The research is performed by interpreting interviews. In total, seven semi-structured interviews are conducted with employees of a big 4 firm, who all have an interest in major project advisory and have relevant working experience in operational and internal auditing. Access to interviewees is provided through an internship at a big 4 firm. Furthermore, by attending a special major project advisory training in this big 4 firm, not only is useful knowledge gained but possible participants are also approached for an interview. The questions during the interview focused on the interviewees’ perception of their role and their activities and strategies to deal with role conflicts in major infrastructure in the Dutch setting.


The results of the interviewees are analyzed using role theory and coping with role conflicts. Role theory arose in the late 1920s and is concerned with patterns of human conduct and focuses on persons and their behaviors (Biddle, 2013). According to Biddle (2013) a lot of different forms of role theory emerged because it is used in diverse sciences. The basis of this study is the research result of Roussy (2013), who used the role theory of Katz and Kahn (1966). In this theory, there is a focal person who develops an own perception of the role required to perform to meet the role expectations. He or she receives signals from one or more sent roles and performs a range of roles, a role set. Role theory suggests that an organizational environment affects the expectations of humans about their role behavior. Within economic disciplines like the audit firm used for this study, role theory can be informative about the behavioral aspects of humans in the market. But its contribution should not be seen as fundamental, as it rather seeks to provide the basis for the theoretical foundation (Biddle, 2013). However, in contrast to the external auditor, the internal auditor may be more of a supporting profession, as mentioned earlier by Xiandong (1997). Here, role theory takes a more central role. Performing internal audits involves role behaviors on the part of the focal person and the sent roles within a context of demand and ethics. The role set of Katz and Kahn (1966) does not require the various roles to be consistent. Because of this, role theory might draw attention to role conflicts, which can arise when signals sent to the focal person are perhaps not clear, not direct or not easily translated to actions, or when the focal person does not accept the signals. Hall (1972) developed a model of coping with role conflict using three strategies. Using role theory and the theory of coping with role conflicts to better understand the own perceived role and behavior is also emphasized by Ahmad and Taylor (2009). According to them, studying the behavior of internal auditors in the specific contexts they operate in, using a qualitative research method, also deserves more attention. The foundation of this study is based on the role theory of Katz and Kahn (1966), the model of coping with role conflict of Hall (1972) and the recommendations of Ahmad and Taylor (2009).

The paper is structured as follows. In chapter two the role of the internal auditor is outlined and how this role changed over the years. Furthermore, a context is given regarding the infrastructure projects. The next chapter describes the research method. After that, in chapter four the findings from the interviews are described, followed by a discussion in chapter five. At the end a conclusion is provided and suggestions for future research are made.


2 Theory

This chapter discusses previous literature related to internal auditing. Paragraph 2.1 describes the role of the internal auditor. Paragraph 2.2 describes the role theory. The following paragraph, 2.3, provides a description of effective internal audit. As a final point, paragraph 2.4 presents a description on infrastructure projects.

2.1 The changing role of the internal auditor

As already mentioned in the introduction, the role of the internal auditor has changed a lot and is still changing. According to the IIA (2009) there are several roles the internal auditor should not undertake. Figure 2 represents a range of activities which the internal auditor should consider doing and, more importantly, should not do. The key factor is determining whether doing a certain activity will influence the independence and objectivity.

Figure 2. Roles the internal auditor should and should not undertake

The activities on the left are assurance activities, which the internal auditor can and should perform at least at a certain minimum. The center of the figure represents consulting roles, which the internal auditor may undertake but not always. It is important to consider with every activity whether independence and objectivity are violated. The right side of the figure shows activities connected to actually managing the risk. This is the job of the management and not of the internal auditor, who should never undertake one of those activities. According to Yung (2011) the internal auditor’s previous roles used to be the ones on the left side of the figure, but nowadays they also include the ones in the center. Spira and Page (2003) support this in their paper in which they trace the development of internal auditing. They conduct a literature review and state that historically, internal audit has been viewed as a monitoring function. The internal audit function was viewed as necessary for the organization but not able to help achieve major organizational objectives. One important factor that changed the internal audit was the move to outsourcing. The literature review of Spira and Page (2003) suggests that there was a need for a risk management approach by top management and a desire to view internal auditing in an integrated way, which became a driving force towards a broader role of the internal auditor. The need for independence, however, prevented this for a long time. The IIA (n.d.) describes independence and objectivity as follows:

“Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made.”

In the introduction the study of Brody and Lowe (2000) is mentioned, in which they also question the independence and objectivity of the internal auditor. Although their study shows that there are negative unintended results from the newly undertaken roles, they emphasize that it is important for internal auditors to continue demonstrating their value to their organization. However, this should not be their main objective, which always has been maintaining an independent and objective attitude. Earlier research from Plumlee (1985) also raised the question whether internal auditors could stay objective in certain situations. For example, if the internal auditor assists in the design of a control system and also has to audit this control system, this could lead to an undesirable situation. He performed an experiment in which he provided selected audit staff with a narrative about a hypothetical firm, a flowchart and a form of documenting. The audit staff was asked to design a control system and later, they needed to assess those and the ones others made. Plumlee (1985) came to the following conclusions: internal auditors who review their own work are more able to identify the strengths of the control system, those who are familiar with the type of control system are better able to identify weaknesses, and an internal auditor who is not familiar with the type of control system has little ability to process specific knowledge. From these results it can be concluded that it is desirable that the internal auditor has specific knowledge of the type of control system but can’t be too close to the project, as this may cause them to miss weaknesses in the system. There are two types of independence, namely independence in mind and in appearance. Being independent in mind is the state of mind that permits the provision of an unbiased opinion, while independence in appearance means that a reasonable, informed third party having knowledge of all relevant information concludes that someone acts with integrity, objectivity and professional skepticism (Lexion, n.d.).

The next section provides an insight into the study of Roussy (2013), who used the role theory of Katz and Kahn (1966) and the model of coping with role conflicts of Hall (1972) to understand the role of internal auditors in public sector organizations.

2.2 Role theory

The paper of Roussy (2013) is based on a Canadian setting. Roussy noticed that governance regulations at that time were not designed to regulate the activities of internal auditors. As a result, the role of the internal auditor remains largely unknown, especially in the public sector. The government of the state of Quebec made the commitment to reinforce internal auditing to reassure citizens about sound management in the aftermath of the financial crisis in the early 2000s. Roussy (2013) figured that an analysis of the role of the internal auditor in the public sector would provide an insight into the extent to which the trust of the regulatory bodies and other stakeholders in the internal auditor is justified. To research this, she centered her paper on the question of what kind of roles internal auditors perform in the public sector.

Through 42 in-depth interviews among experienced internal auditors in public organizations, Roussy (2013) gained more understanding by focusing on the personal perspectives of the internal auditors on their roles, activities and assignments in their jobs and the strategies they use to cope with role conflicts. To analyze those interviews she used the theoretical framework of the role theory by Katz and Kahn (1966). Roussy (2013) obtained three conclusions from her research. First, she observed two key roles namely the role of protector, which is subdivided into the roles of protective shield and keeper of secrets, and the role of helper, which is subdivided into supporter of organizational performance and guide. In figure 3 the roles are briefly explained.

Protector: aims to protect the managers etc. from potential obstacles and pitfalls
    Protective shield: to protect the role sender and the organization from external threats and/or to lessen the impact of these
    Keeper of secrets: when protection is pushed to the extreme, internal auditors act as secret keepers

Helper:
    Supporting organizational performance: promoting resource optimization
    Guide: acting as guide when one or all role senders are faced with a new situation

Figure 3. Roles of the internal auditor according to Roussy (2013)

This analysis is different from the roles usually observed in earlier literature, which involve two roles: the role of auditor operating independently from top management and the role of consultant. According to Roussy (2013) this rigorous difference is caused by the definition used to characterize the role. The reality is that the work of the internal auditor is far more subtle and complex.

The second conclusion of Roussy (2013) is that internal auditors developed a more subtle conception of independence that she named ‘grey independence’. This grey independence enables internal auditors to cope with a conflict without feeling that they don’t comply with the code of ethics.

Her final conclusion states that internal auditors perceive themselves as working in the service of the top manager and the organization. This is a surprising observation given the many laws, regulations and studies aimed at enhancing the importance of the internal audit function of being a watchdog and working for and reporting to the audit committee, and not to the top management. Roussy (2013) explains that internal auditors tend to protect and support the audit committee but only insofar as this does not prevent them from providing support and protection to the top management. This is caused by the bigger impact of personal and organizational factors on the roles performed than legal and regulatory factors.

The overall conclusion of Roussy (2013) is as follows: internal auditors operate as members of the management team instead of members of the monitoring and oversight team. Her study is conducted in the public sector of Quebec. As paragraph 2.4 described, infrastructure projects mainly take place in the public sector. Furthermore, Roussy (2013) performs the study because of the regulatory changes which now require public sector organizations to have an internal audit function and give more responsibilities to the internal auditor. Given the coming changes in the Dutch Corporate Governance requirements (Dutch Corporate Governance Commission, 2016), which also put more emphasis on the internal auditor, the article of Roussy (2013) is useful for this study and the conclusions form a basis to perform the interviews and interpret those.

The role theory used by Roussy (2013) was developed in 1966 by Katz and Kahn and used in many studies after that. Role theory proposes that behavior is guided by expectations held by the individual and by other people. The expectations are correlated with different roles individuals perform or enact in their day-to-day activities. The individual is called the focal person, in the study of Roussy (2013) represented by the internal auditors, and the other people involved have a sent role. The focal person receives signals from one or more role senders and develops an own perception of the role he or she is required to perform in order to meet the perceived role expectations held by the role senders. Katz and Kahn (1966) state that role theory may be useful to draw attention to potential conflicts between the different roles of the focal person and for identifying potential areas of freedom created by the organizational context. This is because the concept of role set has the benefit of not requiring consistency among different roles (Hall, 1972). Coping with role conflict is explained in the next part.

2.3 Role conflict

Coping with multiple role senders who each send different signals can cause role conflicts (Hall, 1972). This is not unusual for internal auditors since they have to comply with different rules and expectations from different stakeholders. According to Katz and Kahn (1966), a role conflict occurs when compliance with a specific role would make compliance with another role more difficult. They distinguish between four types of role conflicts, related to the source, which are represented in table 1.

| Type of conflict | Sources |
|---|---|
| Inter-sender role conflict | Different role senders |
| Intra-sender role conflict | Same role sender |
| Inter-role conflict | Two roles performed by the same individual |
| Ethical conflict | Received expectations of a role and the ethical values of the role receiver |


Hall (1972) developed a model of coping with role conflict that consists of three strategies that individuals can undertake if they have a role conflict. These three strategies are represented in table 2.

| Strategy | Description |
|---|---|
| Structural role redefinition | Negotiation of roles with the role sender(s). Aims to change environmental factors to modify or reduce the role sender’s expectations or seek to solve the problem with role senders |
| Personal role definition | Involves a change in attitude of focal person when conflict is faced |
| Reactive role behavior/resignation | Involves a passive strategy of resignation, defined rather as a defense strategy, since the focal person does nothing about the role conflict |

Table 2. Three strategies to cope with role conflict

The role theory of Katz and Kahn (1966) describes how an individual is required to perform a wide range of roles, which may or may not be in conflict, and is linked in the literature (Wiersma, 1994) to the model of coping with role conflict of Hall (1972). Roussy (2013) came to an unexpected conclusion when she compared her results with earlier research. The typology used by earlier studies (Ahmad & Taylor, 2009) involves two roles: the watchdog and the consultant. The watchdog operates independently from top management and the consultant does not. Roussy (2013) concluded that the roles are more nuanced. She found a protector and a helper role for the internal auditors. The protector role is further subdivided into a protective shield and keeper of secrets, while the helper role is subdivided into supporting organizational performance and a guide. Adding to that, Ahmad and Taylor (2009) also argued that increasing role conflicts decrease the importance internal auditors grant to independence, which Roussy (2013) also does not agree with. As a counter-argument she states that internal auditors value the importance of independence more despite the many conflicts.

2.4 Effectiveness of the internal audit

The possibility of a role for the internal auditor in infrastructure projects depends on how effective the internal auditor can be in this area. A basic definition of effectiveness is the degree to which established objectives are achieved (IIA, 2010). According to the IIA (2010), this general description can be applied to internal audit effectiveness. Mihret and Yismaw (2007) add that the internal audit is effective if it meets the intended outcome.

The purpose of the study of Mihret and Yismaw (2007) is to identify factors that impact the effectiveness of internal audit services. They argue that four factors influence effectiveness, namely internal audit quality, management support, organizational setting and attributes of the auditee. Internal audit effectiveness should be viewed as a dynamic process, shaped by those four factors and their interaction. Through questionnaires, interviews and documentation reviews in a higher education institution in Ethiopia, Mihret and Yismaw (2007) concluded that audit quality and management support significantly influence audit effectiveness. Organizational setting, except for the budget the company provides to the internal audit, also enables effective internal audit, and only the attributes of the auditees do not have a significant influence. When analyzing the role of the internal auditor in infrastructure projects, these results have to be taken into account.

Internal audit quality is a key factor in internal audit effectiveness and is determined by the capability to provide useful findings and recommendations. The added value to the organization has to be proven (Sawyer, 1995). According to Mihret and Yismaw (2007), internal audit quality is a function of the extent to which audits are planned, executed and communicated in a desired way, the level of staff expertise and the scope of services provided. If the information provided by the internal audit is not used, the effectiveness remains low even though the information provided is the result of high audit quality. Therefore Mihret and Yismaw (2007) argue that management support influences internal audit effectiveness. The organizational setting provides the context in which the internal auditor operates (Mihret & Yismaw, 2007). This covers the organizational profile, internal organization, budget and the policies and procedures. The last factor, the auditee attributes, relates to the capability of the auditee to meet its intended objectives. Attributes affecting the effectiveness of the audit include the skills of the auditees to meet the organizational sub-targets efficiently and effectively, their attitude towards the internal audit, and the level of cooperation provided to the auditor (Mihret & Yismaw, 2007).

2.5 Infrastructure projects

In this section the possible roles in infrastructure projects and challenges for the internal auditor are viewed.


Serpella et al. (2014) state that one of the major roles undertaken by a project manager is the risk management of a project. An effective and efficient risk management approach requires knowledge and experience. They conclude that risk management in major projects is still ineffective, which is mainly caused by lack of knowledge. The IIA (2015) defines risk as “the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood”.

There are several areas of possibilities for the internal auditor in major projects. They can prevent and detect cost and schedule overruns, fraud, waste and abuse; make the right information available at the right time to facilitate the corrective action required to keep projects on track; understand the main risks and threats to the project and provide mitigating measures; and establish a set of appropriate project controls, policies and procedures based on industry best practices (Huibers, 2009). Huibers (2009) divided possible roles into three areas: assurance roles, advising roles and participating roles. In table 3, some examples from Huibers (2009) are displayed.

| Type of role | Example | Description |
| --- | --- | --- |
| Assurance | Project-reviews | Reviews in different phases of the project |
| Assurance | Project-results | Review on the quality and documentation of the deliverables |
| Assurance | Review after go-live | Judgement on the effectiveness of the internal control design |
| Advising | Advisory on the program and project management | Advise on project design and risk management |
| Advising | Advise on content | Answer questions and propose alternatives without involvement in the decision process |
| Advising | Reflection | Asking reflection questions |
| Advising | Coach/trainer | Facilitate training related to specific areas like risk management |
| Participating | Proactive expert | Using specific knowledge (for example on infrastructure projects) and actively use this to propose alternative solutions and form recommendations |
| Participating | Project/process coordination | Coordination of project activities |
| Participating | Documentation of control measures | Support the documentation of control measures |
| Participating | Proactive partner role | Not only identify risks but also translate these into business issues with relevant recommendations |

Table 3. Examples of roles of the internal auditor in major projects

According to Huibers (2009), the question remains how to fulfill this proactive role, which is more related to management activities and the controller role, without thereby losing independence. He performed interviews with Chief Audit Executives from Dutch multinationals. The common vision is that the internal auditor can add value to an organization when he or she is involved in the project from the beginning in a proactive way. This does not have to conflict with the independent position of the internal auditor. The paper of Huibers (2009) points out several roles for the internal auditor but also highlights the challenge to stay away from the management activities and to remain independent. His study is based on major projects in general. The following section describes the importance and challenges of infrastructure projects.

Infrastructure projects support countries all over the world according to the Business Monitor International (BMI) (2015). In developed economies, like the Netherlands, there is a need to upgrade or replace ageing infrastructure. In developing economies there is a need to build new infrastructure to facilitate economic growth. In addition, more emphasis will be placed on infrastructure because of three factors, namely economic growth, population growth and urbanization. According to forecasts of the BMI (2015), economic growth will increase global trade and economic development and will require infrastructure expansion and modernization. Also, the world’s population is on pace to pass nine billion in the next 20 years, which means there are more than two billion new people to feed, fuel, house and transport. Lastly, urbanization forecasts predict that by 2030, six out of ten people will live in the big cities, resulting in an increase in demand for power, water and transportation services (UNFPA, n.d). These economic and social factors give rise to more risks and demands for


they want to spend 75 billion on 175 infrastructure projects by 2028 (Giebels, 2016). This puts more pressure on the government to make sure the infrastructure projects stay within the limits of time and money, since the Dutch population does not want its tax money to go to waste. To successfully build infrastructure projects, a Dutch governmental organization, Rijkswaterstaat, provided a conceptual framework (Rijkswaterstaat, 2001). They came up with four points which should be considered when starting an infrastructure project:

1. The project leader is the source of all planning information and should be up to date on all decisions and changes. With his team he sets up the planning, which is his responsibility, and he provides insight on how the project continues.

2. All planning products should be developed in a uniform manner and comply with uniform standards.

3. There should be margins in the planning. Margins (buffers) and risks should be explicitly visible, and it should be clear for which risks the project leader is responsible and for which he is not.

4. Assumptions and principles should be clearly recorded in a logbook. The accuracy must be indicated.

It should be clear that the project leader/management is primarily responsible for these tasks and not the internal auditor.


3 Research method

This chapter describes how the research is conducted. The first section explains the research method used and the second section the research design.

3.1 Research method

The objective of this study is to obtain an in-depth understanding of the behavior of internal auditors in the Dutch major infrastructure market, in which role conflicts can emerge. In their research Ahmad and Taylor (2009) emphasize the need for qualitative research on the behavior of internal auditors using role theory. They argue that a qualitative case study approach could be used to explore internal auditors’ behavior in their field in contexts where role ambiguity or conflict is found to exist. In order to reach the objective, a qualitative research method is used. While quantitative research is aimed at explaining or defining what is seen in the field, qualitative research aims to describe the field as a social reality using observations (Roethlisberger & Dickson, 1949). Also, qualitative research describes the point of view of the participants, instead of the point of view of the researcher. In this study, the opinions of the internal auditors are central, which contributed to the decision to do qualitative research. During a five-month period, interviews with internal auditors in a big 4 firm in the Netherlands were carried out. The interviews were semi-structured and focused on obtaining the viewpoints of the interviewees on their role in infrastructure projects and the conflicts in this context. An advantage of interviews is the opportunity for the interviewees to tell their stories and share their point of view (Crabtree & Miller, 1995). Lather (1992) adds that through these stories and opinions the interviewees explain their views of reality, which makes it possible to understand the actions of the interviewees better.

The research was conducted in the period between February 2016 and June 2016 at the Internal Audit, Risk and Compliance Services (IARCS) department, where seven employees were interviewed. As mentioned earlier in the introduction, the reason for conducting this study and interviewing internal auditors in the Netherlands is the increased focus on the internal auditor and the conflicts which can emerge in the infrastructure market in the Dutch context.


3.2 Research design

This paragraph will give background information about the interviewees, and how the interviews were conducted. The last part of this paragraph explains how the interviews were analyzed.

3.2.1 Interviewees

The interviewees are employees of a big 4 firm who have experience in performing internal audits. Since there is no definition of an internal auditor, the internal auditing definition is used for searching participants with relevant experience and knowledge. Furthermore, it is important that the interviewees have an interest in major project advisory. To find the interviewees, I attended a major project advisory training in the big 4 firm, to which I had access through an internship. This was a voluntary training and the participants were asked to be interviewed for my study. As Malsch and Salterio (2016) describe in their paper on qualitative research, it is often thought that more is better, which would mean that as many interviews as possible should be conducted. However, their counterpoint is that in field research there is no need to search for statistical significance but instead for an understanding of those with field-specific knowledge, to provide a useful insight into the field being investigated. Consequently, it is not necessary to conduct as many interviews as possible but rather to find individuals that have the requested expertise and to interview until no new insights are forthcoming (Malsch & Salterio, 2016). Seven participants were interviewed; their knowledge and experience in the internal audit field and interest in major project advisory resulted in useful and interesting interviews. Only one female was interviewed, since some knowledge of the infrastructure market is required and this remains a ‘man's world’.

Table 4 provides an overview of the interviewees, their gender, function and duration of the interview.

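| Interviewee | Code | Gender | Function | Duration of interview (mm:ss) |
| --- | --- | --- | --- | --- |
| 1 | D1 | Male | Director | 42:06 |
| 2 | P1 | Male | Partner | 46:50 |
| 3 | SC1 | Male | Senior consultant | 34:14 |
| 4 | P2 | Male | Partner | 47:13 |
| 6 | C1 | Female | Consultant | 26:13 |
| 7 | C2 | Male | Consultant | 34:44 |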

Table 4. Code, gender and function of the interviewees and the duration of their interview.

3.2.2 Interviews

The interviews are semi-structured, which leaves room for discussion and for topics that are not covered in the interview questions but can provide an interesting view. Furthermore, the questions are open-ended, so that the interviewee can give his or her own opinion and perception. To make sure important comments are not forgotten, all interviews are recorded.

To make sure that the interviews are structured and aimed at getting the right data, the questions are divided into four themes, each of which contains possible questions. These questions do not have to be asked in this precise way but provide a direction. The themes that arose from the literature and theory are: the (traditional) internal auditor role, major infrastructure projects, possible roles and possible conflicts. To provide the interviewee with enough time to give a detailed answer, each theme only has two questions. This is represented in Appendix A. During the interviews, some questions required more elaboration and resulted in other questions being asked.

The duration of the interviews ranged from 25 minutes to 47 minutes. The average interview duration is around 40 minutes. Due to a time restriction, one interview was only 26 minutes. Higher ranked employees had in general more to tell. A possible explanation for this is that their experience is more extensive than that of the lower ranked employees. The interviews were held in Dutch, since this is the main language of all interviewees and of myself. Doing the interviews in Dutch provided a more open conversation, without the need to look for words. The interviewees could explain themselves more easily, which provided a better insight into their perception.

3.2.3 Interview analysis

In the invitation email to the interviewees, it was explained that the interviews would be recorded. All the interviewees gave permission to do this. Using the analysis process of Huberman and Miles (1994), three distinct though somewhat overlapping phases were undertaken. These phases are data reduction, data display and data interpretation. Each phase is explained below.

Data reduction is aimed at identifying key themes and patterns in the evidence collected, which in this study consists of the answers to the interview questions. To do this in a clear and structured manner, the interviews were transcribed. According to O’Dwyer (2004), by doing this yourself you get a better feeling for and understanding of the data and you are forced to think about the data. From the transcriptions and the theory used, key themes were formed and a matrix was made in which the key themes were linked to the interviewees. The matrix summarizes the open codes identified for each interviewee, providing a short description. In the data display phase, the matrix is examined (O’Dwyer, 2004) and initially coded themes were removed where they lacked data or importance, which made them irrelevant. The final matrix, which is used for the last phase of the data analysis process, is included in appendix B.

The last phase, data interpretation, includes drawing the conclusions. First, a descriptive representation of the key findings was prepared (O’Dwyer, 2004). Both the initially identified themes and the previously unidentified themes were included in this description. In this study, this part is done in chapter four, together with coupling the findings with the theory.

4 Findings

In this chapter a descriptive analysis of the data is presented. The interviews provided several perceptions and opinions on how the employees perceive their role in major infrastructure projects. The findings are separated into four themes, namely the traditional internal auditor role, major infrastructure projects, possible roles and possible conflicts. The themes are illustrated with quotes from the interviewees. Even though all the interviewees agreed to be recorded, I use codes instead of their real names, allowing them to remain anonymous.

4.1 The (traditional) internal auditor's role

The first theme provides an insight into how the interviewees view their current role. This is interesting because the role has been researched and explained extensively in earlier research, and similarities and differences between the literature and the findings provide valuable insights. When asked how the role of the internal auditor has emerged, a clear description is given by a partner:

(P1) “The internal auditor actually originated from the internal accountant as an extension of the external auditor. (…) The internal accountant carried out activities, which the external auditor relied on. (…) At one time, the external auditor became more independent and the service of the internal accountant was no longer necessary and the internal audit function emerged. Internal accountants focus on financial figures and processes. The internal auditor focuses on operational processes. The internal accountant looks back and the internal audit is more forward looking”

The older employees were the only ones who could give a historical description of the emergence of the role of the internal auditor. Their age and many years with the company, both over 20 years, could be a plausible explanation for this. The other interviewees all gave the same or a similar description of the role of the internal auditor, but it was shorter than the answer given above.

To get a more detailed answer on the role of the internal auditor instead of only a description, I asked the interviewees how they add value in their position. Several interviewees indicated that an important aspect of the job is defining and mitigating risks:

(C1) “When you perform an internal audit, risks will come up in your analysis and you help the client with how they can mitigate the risks or actually remove the risks. In the end you try to help the company by recognizing as many risks as possible and mitigate those”

Another interviewee confirms this but states that this is not his main job, even though it is an important aspect:

(C2) “As internal auditor you go to companies with a reference model and define the processes, how they should work, how they really work and how you can improve this”

Another task of the internal auditor which was named was providing relevant and reliable operational information. As one partner states:

(P2) “One major benefit of this company is having all the knowledge in the same building. Our accountants provide financial information while our internal auditors provide the client with operational information”

Other answers were in line with these, providing operational information, information on risks and advice on how to optimize processes.

When looking at earlier literature on the role of the internal audit, and especially at figure 2, it can be said that figure 2 is aimed at risk activities. Optimizing the risk systems came back in the interviews, as mentioned by Yung (2011), who states that the internal auditor objectively assesses the risk management program and effectiveness or provides a consulting and advising role by identifying, evaluating or supporting the implementation of risk management methodologies of the daily organizational processes. However, optimizing the processes was also mentioned by interviewees but not explicitly in the literature reviewed. It can be concluded that the view on the role of the internal auditor is still focused on the risk systems but internal auditors themselves have a broader perception of their role.

Another task of the department is setting up internal audit functions in companies. Instead of performing the internal audit themselves, the employees use their internal audit expertise to set up a new department. In this case, the interviewees help with hiring a team that works for that company. All the interviewees, however, are outsourced. Setting up a new department is not the role researched in this study but could be a benefit for contracting or contractor parties.

4.2 Major infrastructure projects

In order to switch to the infrastructure topic, the interviewees were first asked to describe major advisory projects in their own words. Asking the interviewees what a major project is and what defines it serves to make sure they have a basic understanding of the topic. As already mentioned in paragraph three, interviewing those with field-specific knowledge provides a useful insight into the field being investigated. An interviewee described major projects in the following words:

(P1) “Major projects are projects which are not in line with the daily course of business. A school needs to educate children and is not involved in daily major projects. (example building a road) in the end you reintegrate (the project) in the normal course of business but the project takes a long time, costs a lot of money and there is a risk that in the end, it fails”

Almost all interviewees described major projects as a project which is not in line with the core business of the company but is necessary to conduct the core business. However, the quote above, related to figure 1, shows that the integration of the major project into the normal course of business is also a part of the project and should not be overlooked. Adjusting figure 1 accordingly gives a better overview of what major projects are according to the interviewee; this is represented in figure 4.

Figure 4. Major projects illustrated (figure labels: Organization’s life time; Core business)

After this I asked what makes major projects different from the day-to-day activities. An interviewee answered:

(P1) “A company can make pretty good estimations on what the daily risks are but with major projects they suddenly face risks on something they know nothing about”

It became clear to me that some interviewees had more knowledge of the topic than others. For instance, the higher ranked employees (the partners, directors and senior staff) could provide a more extended description and more examples than the lower ranked employees (consultants). Also, because all interviewees attended a short major project training in the company, they had the same underlying understanding of the topic. Two interviewees, one who had worked within construction companies and another who worked with the infrastructure market for years, gave a more extensive description of their definition of major projects. They already formulated it in the context of infrastructure projects, while other employees highlighted that, for example, converting to a new IT system could also be a major project.

After the interviewee described the major project market, I zoomed in on infrastructure projects. One interviewee described these projects as being very close to asset management:

(SM1) “Something people seem to forget is asset management, which begins with major infrastructure projects. (…) when the bridge is there, the major infrastructure project is ‘done’, but it is not going to be in this state forever and the asset management part begins. It’s not just building something and forget about it, infrastructure needs updates, which also take effort, time and money”

A few interviewees viewed infrastructure projects and construction projects as very similar but one interviewee names a difference, which was also mentioned earlier by Eijgenraam et al. (2000), as they say that infrastructure projects have a considerable impact on society.

(D1) “Infrastructure projects and construction projects are much alike but infrastructure projects have a lot of influences from outside of the project. People who have an interest in the project all have to say something and this is more the case for infrastructure than construction projects”

Following this, I asked if the interviewees could explain why the infrastructure market needed their help and why conflicts can emerge. Five of the seven interviewees stated of their own accord that a big problem in the infrastructure market is the culture. Problems such as cost escalations are not uncommon and have not improved over the last 70 years (Flyvbjerg et al., 2003). A possible explanation for this could be the tough culture of the infrastructure market. As the interviewees describe it:

(D1) “The construction market is a man's world, (…) asking for help or admitting you were wrong is not common and may cause many problems”

(P2) “In my opinion, the construction market faces three issues, one, the buildings, bridges etcetera are very hard to value, two, it is a sector which involves a lot of money, sometimes even billions, and three, it is a small world”

(P1) “Construction companies have a very small profit, this means that when the costs are

Since five interviewees addressed the culture and also explained why there is such a culture, it can be said that the culture in this market is a significant factor in deciding which role to undertake.

Another crucial part of the process is the tender procedure. I did not explicitly ask about this but I knew this could be a troubling part, since Flyvbjerg (2005) already stated that misinformation in infrastructure projects is largely caused by wrongly calculated costs, benefits and risks in an effort of the contractor to outbid the competition. This problem was mentioned by three interviewees of their own accord and I asked them to further explain why this is a crucial process. For instance, one interviewee explained the tender procedure as:

(D1) “The tender procedure starts with, for example Rijkswaterstaat who makes plans for a new infrastructure project. This can take years. The project is almost always too big for one company so different companies will need to work together. The process of hiring someone to do the project usually takes one year or maybe even longer, this is time consuming but also costs a lot of money already and in the end only one can win. Because of this, construction companies can be tempted to present a plan with too opportunistic assumptions just to get the project. Another aspect which makes the process difficult is that the construction period can take up years so in the tender procedure you make agreements on something which can take place over five years for example. A lot of estimations and the competition element can be troubling”

From this, a few aspects can be derived which were also mentioned by the other interviewees, namely that the tender procedure usually takes a long time and a significant amount of money is already spent in this phase. Furthermore, estimations are made for future costs and planning, or, as Flyvbjerg (2005) mentioned, deliberately misrepresented, which can be opportunistic and can afterwards cause problems. This is also highlighted in the following quote:

(C2) “A big difference between the contractor and the contracting party already emerges in the tender procedure. The strategy of the contracting party is to keep the price as low as possible while the constructor wants to have the highest price possible”

This distinction made by the consultant made me realize that there are two sides the internal auditor could be on, and that not everyone assumed the same side or made a distinction right from the beginning. To make a clear distinction I asked every interviewee for their view on the different sides of the contract. It is important to make clear which side the interviewee is talking about, especially for the possible roles and conflicts further in the interview, since this can differ. Only one interviewee explained of his own accord the importance of knowing which side of the contract you are on:

(C2) “Infrastructure projects are mainly from Rijkswaterstaat, it begins there with the question ‘who is your client?’. Is it Rijkswaterstaat, or the contractor company”

From this it can be concluded that the approach of the internal auditor depends on who he or she works for. This is further highlighted in the next paragraph.

4.3 Possible roles

In this section a more extensive analysis is provided of the possible roles. As was mentioned earlier, the roles Roussy (2013) found in her research are the helper and the protector role. An analysis of the answers of the interviewees can reveal whether they have more in common with these findings or with those of earlier literature (Ahmad & Taylor, 2009), which divides the role into acting independently from the management or acting as a consultant and not independently of the management. Section 4.3.1 is a descriptive analysis of the view of the internal auditors on their role for the contracting or contractor party and is followed by section 4.3.2, which is a more in-depth analysis related to earlier found results.

4.3.1 Contracting or contractor party

Each interviewee was asked how they think they can play a part in infrastructure projects. In the previous paragraph it became clear that it is important to distinguish between working for the construction company and working for the contracting company. One interviewee provided an answer for both:

(D1) “How do companies become in control and how do they know where they spend money on and not too much money. How do they make sure the right people are at the right place. How do they make sure they choose the right project which is a good fit to the company. We are good in telling afterwards where it went wrong but I think we can also be good at structuring construction companies. Regarding the contracting parties... we can help mainly with the reporting issues like where do you want to report on, what is the reporting quality, how do you make sure that the right things are in the reports. We can help on both sides”

Other interviewees first gave their opinion about one side and when I asked about the other side they sometimes could give an answer but needed some time to think about this. For example, an interviewee first gave his insight on the role for the contractor:

(C2) “The best thing to do is being there during the project, preventive controlling. Then you will look at how the control works, how to control it and what risks there are”

When asked about possibilities for working for the contracting party, the same interviewee said this is also a potential role:

(C2) “I think that mainly project control as a whole is a good role for us, looking at the financial aspect and the progress in time. We will put controls in place and look at this in an independent manner, without personal win”

However, when I asked which role we could play, another interviewee assumed that he was on the side of the contracting company, for the following reason:

(SC1) “It is questionable if we can consider the infrastructure project as a major project for the construction company. Building bridges and buildings is their main job and is what they do but major projects is more non-core business. (…) For the construction company it is important to consider that the contractor works with a lot of subcontractors and keeping them all in place and on track is important. For the contracting party we can help with getting this right on the front of the project. Everything needs to be worked out into details in the contracts and design”

Almost all interviewees stated they have knowledge of doing work afterwards, which means coming in when things are already out of control, but coming in at an earlier point is where a lot of value can be added.

(SC1) ‘’ You can say something afterwards about all the phases the project went through and everything (resources) that was available and if it was used. You can try to determine the total picture and where it went wrong. (…). Is something wrongly estimated or did something go wrong during the project? ‘’

Although almost all interviewees state that coming in before the project is the best position, one interviewee highlights the problem with this in the infrastructure market:

(P1) ‘’ You can come in at the front to think about the strategy, risks and help with setting up a team. (…) That would be professional from a market party to do this in advance but this isn’t reality since in the first instance the party think they can do it themselves and during the project they discover there are aspects they did not think through ‘’

One interviewee, however, stated that doing work afterwards doesn’t necessarily mean that they need to correct things already out of control:


(P2) ‘’ Of course we would like to come in, in the front and we have some experience with coming in afterwards when the mistakes have happened but after that, after the fraud or something and after the reports are completed and we told them how the processes can be changed and be better, we can monitor them and help them staying on the right track ‘’

As was mentioned in the previous section, infrastructure projects have a big social aspect as they involve more stakeholders who have an interest and an opinion on the infrastructure project. When asked about the stakeholders, all interviewees could name a few. Examples provided by an interviewee are:

(P1) ‘’ First you have people on the project who you have to consider, this is relatively simple. Second, there are a lot of external parties, a lot of times politics are involved. (…) But also national and regional governments, interest groups, local residents, safety departments etcetera. They are more difficult to control ‘’

Every project is different and has different stakeholders. The political and social role is therefore different every time and deserves attention.

The last aspect discussed of the role they perform is staying independent. One interviewee mentioned this by himself and the others all confirmed that this is a delicate issue and that you should always keep in mind that you should be independent and have an objective view. This is not only for yourself but is also beneficial for the client. As mentioned earlier by an interviewee, he thinks they can look at the control in an independent manner, and he adds to this:

(C2) ‘’ People always look at their own work in a more positive manner and possibly we see in our own work more chances than an objective look of someone who states that something is wrong, or too opportunistic and it should be more accurate. By doing this, the project can be better controlled since the information is more accurate ‘’

This is consistent with the research of Plumlee (1985) in which he concluded that the internal auditor can’t be too close to the project as this may lead to missing weaknesses in the system.

The issue of being and staying independent is further discussed in section 4.4. In the next sub-section, an analysis is made of which role the internal auditor undertakes for the contracting party and the following sub-section for the contractor using the role theory of Katz and Kahn (1966) and Roussy (2013) who developed two roles for the internal auditors namely as helper and protector.
