Journal of Economic and Administrative Sciences

The role of internal auditing in risk management: evidence from banks in Jordan
Modar Abdullatif and Shatha Kawuq
Article information:
To cite this document:
Modar Abdullatif, Shatha Kawuq (2015), "The role of internal auditing in risk management: evidence from banks in Jordan", Journal of Economic and Administrative Sciences, Vol. 31 Iss 1 pp. 30-50
Downloaded by FLINDERS UNIVERSITY OF SOUTH AUSTRALIA At 07:59 31 January 2016 (PT)
Permanent link to this document:
http://dx.doi.org/10.1108/JEAS-08-2013-0025
Downloaded on: 31 January 2016, At: 07:59 (PT)
References: this document contains references to 50 other documents.
To copy this document: permissions@emeraldinsight.com
The fulltext of this document has been downloaded 335 times since 2015*

*Related content and download information correct at time of download.
The current issue and full text archive of this journal is available on Emerald Insight at:
www.emeraldinsight.com/1026-4116.htm

JEAS 31,1

The role of internal auditing in risk management: evidence from banks in Jordan
Modar Abdullatif and Shatha Kawuq
Department of Accounting, Middle East University, Amman, Jordan
Received 28 August 2013
Revised 27 January 2014
Accepted 18 February 2014

Abstract
Purpose – The purpose of this paper is to explore the current practices of internal auditors in banks in
Jordan regarding risk management, especially the risks they are most involved in dealing with, the
nature of their responses in the presence of these risks, and appropriateness (according to the Institute
of Internal Auditors (IIA), 2009a) of these responses.
Design/methodology/approach – A questionnaire surveyed views of internal auditors about their
roles in risk management. It asked about 20 different types of risks, and, for each individual risk, how
internal auditors would respond in its presence.
Findings – The role of internal auditors in risk management in banks in Jordan was found to be
limited. The risks that internal auditors were most involved in managing were those related to
compliance, while the risks least dealt with by internal auditors included those related to the Jordanian
economy and culture. Also, most of the respondents reported that they did undertake some
inappropriate roles in dealing with the risks.
Practical implications – The findings suggest the possibility that internal auditors are not aware of
the importance of several types of risks and of the appropriate roles for internal auditors in risk
management. Therefore, increasing awareness of these issues is very important.
Originality/value – The research topic is relatively new and very under-researched in the Jordanian
environment. This study is therefore likely to significantly contribute to the knowledge about how
internal auditing operates in a developing country context that differs significantly from the contexts
where professional internal auditing standards were issued.
Keywords Risk management, Banks, Jordan, Internal auditing, ISPPIA
Paper type Research paper

1. Introduction
Risk management is a very important process in banks and many other kinds of
organisations. Recently, the involvement of internal auditors in the risk management
process of companies and other organisations has significantly increased (Castanheira
et al., 2010). This involvement has been formally included in the International
Standards for the Professional Practice of Internal Auditing (ISPPIA), issued by the
Institute of Internal Auditors (IIA). The IIA is an international professional association
based in the USA. According to its web site [1], the IIA defines itself as “the internal
audit profession’s global voice, recognised authority, acknowledged leader, chief
advocate, and principal educator”. Generally, its “members work in internal auditing,
risk management, governance, internal control, information technology audit, education,
and security”. Its general mission “is to provide dynamic leadership for the global
profession of internal auditing”. In order to achieve its mission, the IIA issues the ISPPIA.
ISPPIA consist of “statements of basic requirements for the professional practice of
internal auditing and for evaluating the effectiveness of its performance”, interpretations,
and glossary terms[2]. In addition, the IIA issued a position paper (IIA, 2009a) on the
roles that internal auditors should, could, or should not assume in enterprise risk
management (ERM).

The researchers thank participants in the 16th International Business Research Conference
(Dubai, UAE, 12-13/4/2012) and the fourth Scientific Conference of the Faculty of Economics and
Administrative Sciences - Applied Science Private University (Amman, Jordan, 30/4-1/5, 2012) for
the comments on earlier versions of the paper.

Journal of Economic and Administrative Sciences, Vol. 31 No. 1, 2015, pp. 30-50. © Emerald Group Publishing Limited, 1026-4116. DOI 10.1108/JEAS-08-2013-0025

While ISPPIA were designed to be applied internationally, hence their title, it is
possible that the nature of the context of each country might affect the quality of
application of international professional standards. The particular setting of this
study, Jordan, is a developing country with a small economy. Most of the Jordanian
businesses are relatively small and closely held, mainly owned by families. This
governance system generally applies even to a large number of public listed
companies in Jordan, including banks, who tend to have a small number of large
shareholders dominating their executive management, in addition to numerous
small shareholders. In general, corporate governance systems in Jordanian companies
are weak, with limited transparency and disclosure of financial information (Abdullatif
and Al-Khadash, 2010). The nature of the Jordanian companies and particularly their
governance system would possibly make the application of the internal auditing function,
and particularly its role in risk management, different from that in more-developed
countries, where companies tend to be significantly larger and have more-developed
corporate governance, internal auditing, and risk management practices. By covering the
role of internal auditing in risk management in the Jordanian context, and by covering how
internal auditors in banks in Jordan deal with 20 different potential risks that face banks
(including the degree of engagement with management of the risk and the appropriateness,
according to IIA, 2009a, of the responses to its presence), this study aims to significantly
contribute to our knowledge.
The banking sector in Jordan was chosen as a setting for this study given that
banks tend to be relatively larger institutions, be public listed companies, have more
sophisticated operations and procedures, deal with significantly larger numbers of
clients, and be under more public scrutiny than entities in other sectors. Therefore, it
is generally expected that banks are likely to apply internal auditing standards. In fact,
Shaqqour (2000) and Kawuq (2010), using questionnaire surveys about the application of
procedures included in ISPPIA, reported some compliance (83 and 81 per cent
respectively) by banks in Jordan with the general guidelines on procedures to be
applied by internal auditors. However, Shaqqour (2000) did not cover the role of
internal auditors in risk management, while Kawuq (2010) covered it broadly as part
of other procedures. This study aims to extend the contribution of these studies
by emphasising in significant detail the particular role of internal auditors in risk
management in banks in Jordan.
Therefore, this study aims to explore the role of the internal auditing function in the
risk management process in banks in Jordan. In particular, it aims to answer the following
questions:
(1) To what extent are internal auditors involved in risk management?
(2) Which risks facing the bank are internal auditors most involved in managing?
(3) How appropriately (according to IIA, 2009a) do internal auditors respond to
risks that need to be managed?
(4) Does the personal background of internal auditors affect their perceptions on
the issues mentioned above?
The remainder of this paper is organised as follows. First, literature and empirical
studies on internal auditing and its role in risk management are reviewed. Then, an
introduction to the banking sector in Jordan is presented. This is followed by an
illustration of the research method used, and a presentation and discussion of the
study’s findings. Finally, conclusions and practical implications of the findings are
discussed.

2. Literature review
2.1 Risk management and the role of internal auditing in it
Risk can be interpreted as exposure to a proposition of which the outcome is
uncertain (Holton, 2004). Multiple types of risks face organisations when conducting
their business, and these risks need to be adequately managed. Pike et al. (2012)
classify these risks into externally driven risks and internally driven risks.
Externally driven risks include financial risks (including risks related to accounting
standards, interest rates, foreign exchange, and credit) and marketplace risks
(including risks related to the economic environment, technology developments,
competition, customer demand, and regulatory requirements). Internally driven
risks include internal risks related to controls and the control environment, fraud,
liquidity, investments, information technology systems, and human resources (Pike
et al., 2012). Moeller (2007, 2009) classifies risks that need to be managed into
strategic risks, operational risks (including risks related to processes, compliance,
and human resources), finance risks (including risks related to treasury, credit,
and trading), and information risks (financial, operational, and technological).
Chapman (2006) classifies risks into internal influences (financial, operational, and
technological) and external influences (economic, environmental, legal, political,
market, and social risks). These examples of classifications of risks show that banks,
among other organisations, need to manage multiple risks, including financial risks
and other internal and external risks.
ERM can be defined as “the process the board of directors and management use to
set strategy, identify events that may affect the entity, assess and manage risk, and
provide reasonable assurance that the company achieves its objectives and goals”
(Romney and Steinbart, 2012, p. 207). ERM addresses four categories of management
objectives, which are strategic high-level goals, effectiveness and efficiency of operations,
reliability of reporting, and compliance with applicable rules and regulations (Gelinas and
Dull, 2008). ERM is comprised of eight components, which are the internal environment
(company culture), objective setting, event identification, risk assessment, risk response,
control activities, information and communication, and monitoring (Romney and
Steinbart, 2012). A risk management process typically involves identifying, analysing,
evaluating, and treating risks (Pike et al., 2012). The pace of change in business means
that this risk management process needs to be dynamic and regularly reviewed (Merna
and Al-Thani, 2008).
Risk management is primarily the responsibility of directors and senior managers.
However, internal auditors also have a role in consulting and providing assurance on
risk management (Stewart and Subramaniam, 2010). This role for internal auditors is
predicted to increase in importance in the future (Burnaby and Hass, 2009). The change
of systems and processes in organisations is too big for traditional compliance-based
internal auditing to absorb, which makes it necessary for internal auditing to
include a risk management focus (Spira and Page, 2003). Therefore, it is important that
internal auditors understand well their role in the risk management process.
The IIA (2009a) illustrates many roles internal auditors might perform regarding
risk management. It classifies these roles into core roles that internal auditors should
perform, roles that internal auditors could perform under the presence of some conditions,
and roles that they should not perform as the roles undermine their duties as internal
auditors. Core roles relate to providing objective assurance on the appropriateness and
effectiveness of risk management. Examples of the core roles include evaluating and giving
assurance on the risk management processes and the accuracy of risk estimation. Permitted
roles (in the presence of appropriate safeguards designed to ensure independence and
objectivity) mainly include consulting management on matters related to risk management.
Finally, roles that internal auditors must not undertake mainly relate to taking responsibility
for decision making on risk management, such as setting the risk appetite, taking decisions
on risk management processes and implementing them on management’s behalf, and being
accountable for risk management (IIA, 2009a).
Therefore, the internal audit function must contribute to the improvement of risk
management in the organisation while retaining its independent assurance role
(Pickett, 2011). ISPPIA insist that internal auditors be independent and objective. Such
a freedom from bias has to exist to a degree that ensures sufficient distancing of the
internal audit function from the operation it reviews (Pickett, 2011).

2.2 Empirical evidence


Several international studies focused on the application of ISPPIA. Concerning the use
and compliance with ISPPIA, Sadler et al. (2008) reported on a survey on ISPPIA use
and compliance in many countries. Their findings showed that about 82 per cent of
respondents claimed to use ISPPIA, and that the industries that reported the highest
use of ISPPIA were trade services, professional services, and building and construction.
About 57 per cent of respondents reported full compliance with ISPPIA, and about 28
per cent reported partial compliance, with regulations on quality assurance and
improvement programmes reported as the least complied with. Reasons for not using
ISPPIA included perceptions that they do not add value, lack of adequate staff, and the
time consumed in compliance.
As for factors affecting the use of ISPPIA, Abdolmohammadi (2009) found that
factors positively associated with the use of ISPPIA include length of IIA membership
and length of training. He also found that factors of cost of use, inadequate internal
auditing staff, and ISPPIA not being perceived to add value are negatively associated
with ISPPIA compliance. Similarly, Arena and Azzone (2009) found that internal audit
effectiveness in Italian companies increases when the ratio of internal auditors to
employees grows, the chief audit executive is affiliated with the IIA, and the audit
committee is involved in the activities of internal auditing.
Soh and Martinov-Bennie (2011) studied the internal auditing role and effectiveness
in Australia. They found that internal auditing effectiveness significantly expanded
and was refocused within the corporate governance system, while performance
evaluation mechanisms of internal auditing have not evolved at the same level, thus
making it difficult to assess the extent internal auditing is meeting expectations of
shareholders.
Sarens and Abdolmohammadi (2011) studied factors associated with convergence
towards best practices of internal auditing. They found that convergence to US best
practices is quicker in emerging countries than in developed countries. They suggested
that this is possibly due to lack of well-established internal auditing practices,
liberalisation of financial markets (including attracting foreign investors), and new
corporate governance laws in emerging countries. These results are relatively similar
to those of Marais et al. (2009), who compared ISPPIA compliance in South Africa with
that in other countries, and found that the compliance with ISPPIA in South Africa is
generally higher than that in more developed countries.
Regarding the role of internal auditing in risk management, the IIA (2009b, cited by
Sobel, 2011) surveyed the status of internal auditing and its role in risk management. Some
of the main findings of this survey were that audit committees do not sufficiently look to
internal auditors to provide advice on risk management, and that only about one quarter
of the internal auditors surveyed said that they had primary responsibilities for risk
management. The main roles of internal auditors identified by the survey were to informally
provide consulting and advice on risk management, to facilitate the identification and
evaluation of key risks, and to participate in the identification of emerging risks. Sobel (2011)
concluded that there are opportunities for internal auditors to be more involved in providing
assurance on risk management, evaluating strategic risks, and educating management and
audit committees on risk and risk management concepts.
Fraser and Henry (2007) interviewed officers in UK companies and external auditors
on issues related to embedding risk management in companies. Particularly regarding
internal auditors, they recommended that internal audit and risk management
functions should be split in order to clarify internal audit roles and preserve internal
audit independence.
Sarens and De Beelde (2006) found that in both the USA and Belgium, internal
auditors have a significant role in risk management. However, in Belgium they tend to
have a more significant role in educating managers on risk and control awareness and
formalisation of the risk management system. To the contrary, the role of internal
auditors in the USA is affected by the Sarbanes-Oxley Act requirements, and focuses
on financial reporting controls and transparency and documentation of risk
management processes and compliance with disclosure requirements. In Australia,
de Zwann et al. (2011) found that internal auditors are involved in ERM, but a high
involvement in ERM has a negative impact on the auditors’ willingness to report a
breakdown in risk procedures to the audit committee. In addition, Sarens and
Christopher (2010) undertook a comparative study between Australian and Belgian
companies regarding the focus on risk management and internal control in corporate
governance guidelines and the level of development of risk management and internal
control. They found that the weaker focus in corporate governance guidelines on risk
management and internal control led to a lower development of these functions in
Belgian companies, compared to their Australian counterparts.
As for factors affecting the adoption of a risk-based internal audit approach,
Castanheira et al. (2010) found that in Portugal, the use of risk-based internal auditing is
positively related to the entity being international, listed on the Portuguese stock
market, large, and in the financial sector. In Italy, Allegrini and D’Onza (2003) found a
positive relation between company size and adoption of a risk-based approach to
internal auditing. On a relatively related topic, Beasley et al. (2008) reported that ERM
has greatest impact on internal audit activities when the organisation’s ERM process is
more completely in place, the internal audit activity in ERM is more supported by the
chief financial officer (CFO) and the audit committee, the CFO has a longer tenure, and
the organisation is in the banking or the education industry.
Studies on internal auditing in Jordan are generally limited in number, and their
general aim was to survey, using questionnaires, the practical applications of ISPPIA in
Jordan. As mentioned earlier in this paper, Shaqqour (2000) and Kawuq (2010) reported
reasonable compliance by banks in Jordan with the procedures required by ISPPIA.
Elshqairat (2007) and Suwaidan and Abu Zreiq (2013) reported similar levels of
compliance in the public sector and the electricity sector, respectively. However,
Suwaidan and Abu Zreiq (2013) reported some limitations in applying ISPPIA in
Jordanian electricity companies in the areas of applying due professional care and
quality assurance, while Kawuq (2010) reported that compliance levels were higher for
assurance services than for consulting services. None of these studies emphasised in
detail the role of internal auditing in risk management, a contribution this study aims to
provide to extant Jordanian studies. This study covers the role of internal auditing in
risk management in a context different from those where the above international
studies were conducted. It is unique in that it concentrates particularly on the role of
internal auditing in risk management, ranks multiple risks according to the degree
of internal auditors’ involvement in managing them, and evaluates the appropriateness
(according to IIA, 2009a) of the responses of internal auditors to the risks. In doing so,
this study has a significant potential to contribute to our knowledge.

3. Banks in Jordan
The service sector is dominant in the Jordanian economy. It includes financial services,
communication, education and health, among other services. In particular, the financial
system of Jordan accounts for about 17 per cent of Jordan’s gross domestic product, and
the growth of Jordan’s local banks witnessed their total assets almost double in value
between 2001 and 2008 to become about 2,709 million Jordanian Dinars (about US
$3,800 million) (Al-Jarrah, 2012). In 2010, 25 banks operated in Jordan (Association of
Banks in Jordan, 2011). These banks generally undertake both commercial and
investment banking activities. Four banks in Jordan specialise in Islamic banking. The
majority of banks operating in Jordan are Jordanian public listed companies, but there
is a significant number of foreign (Arab and western) banks as well. In general,
Jordanian banks are modern institutions and have relations with major foreign banks.
The financial statements of Jordanian banks are prepared under International
Financial Reporting Standards (IFRS), and most are audited by major international
audit firms, which are required to use International Standards on Auditing (Siam and
Abdullatif, 2011). Although all Jordanian banks are classified as public listed
companies, most are closely held, with major shareholders or their direct relations
occupying top executive management posts. This system of corporate governance
arguably limits the demand for quality external auditing (Abdullatif and Al-Khadash,
2010) and, arguably, to some extent, internal auditing, due to reduced agency costs.
Nevertheless, banks are one of the most sophisticated industries that are likely to be
most interested in risk management and internal auditing (see e.g. the findings of
Beasley et al., 2008; Castanheira et al., 2010, on the higher likelihood of adopting risk-
based internal auditing in banks compared to other institutions).
The Central Bank of Jordan (CBJ) was established in 1964 as a government-owned
body. According to its web site[3], the objectives of the CBJ are “to maintain monetary
stability in the Kingdom, to ensure the convertibility of the Jordanian Dinar, and to
promote the sustained growth of the Kingdom’s economy in accordance with the
general economic policy of the government”. These objectives imply that the CBJ
perform many functions and roles, including maintaining the safety of the Jordanian
banking system[4]. Through this particular role, and given the importance of internal
auditing for all types of organisations, including banks, the CBJ has been concerned
with ensuring that all banks in Jordan are internally audited to a satisfactory level.
In doing so, its “Corporate Governance Code for Banks in Jordan” (Central Bank of
Jordan (CBJ), 2007) insists on applying international best practices of corporate
governance. The code explicitly mentions the internal audit function as part of the
corporate governance system. While the code does not mention ISPPIA by name, they
are widely perceived as the international best practice (Pickett, 2011). Therefore, it can
be concluded that ISPPIA would likely be supported by CBJ for application in the
internal auditing of banks in Jordan. The CBJ (2007) code requires that internal auditors
conduct risk-focused audits, especially on compliance and financial reporting issues.
The code also requires that the bank have a risk management department responsible
for analysing risks, developing methods for measuring and controlling them,
recommending limits, providing information on the bank’s risk profile to senior
management and the board of directors, and providing risk information for use in the
bank’s public statements and reporting (CBJ, 2007, pp. 21, 22).
Apart from the CBJ (2007) code, no other Jordanian financial regulation aimed at
public listed companies explicitly mentions internal auditing or risk management in
detail. The Banking Law (Hashemite Kingdom of Jordan (HKJ), 2000) is concerned with
licensing banks, their organisation and management, conditions for operations,
financial statements, inspection by the CBJ, and liquidation. Other regulatory
authorities related to the operations of banks in Jordan are the Jordan Securities
Commission (JSC) and the Amman Stock Exchange (ASE). The former is a regulatory
and monitoring authority that supervises Jordanian public listed companies (including
all Jordanian banks), while the latter is an authority that deals directly with listing
companies and trading in their shares. Their main regulation is the Securities Law
(HKJ, 2002), which is concerned with issues related to the JSC, disclosure, and listing
public listed companies. The Corporate Governance Guide issued by the JSC (2007),
mainly covers issues related to the board of directors, shareholders, audit committees,
disclosure, and transparency. While they cover in some detail certain corporate
governance aspects, the regulations mentioned in this paragraph virtually do not
mention internal auditing. It can be therefore argued that internal auditing is not
sufficiently regulated in Jordan. This is exacerbated by the lack of a professional
association for internal auditors in Jordan. This lack of sufficient regulation of internal
auditing in Jordanian banks makes the exploration of the role of their internal auditors
in risk management potentially interesting.
Given this background, the banking sector in Jordan was chosen as the research
population for this study. In the particular case of internal auditing in this sector, while
the banks are likely to adopt ISPPIA and apply some sort of risk-based internal
auditing, the actual level of compliance with ISPPIA in the areas of risk management
and corporate governance might be limited due to several factors. These factors include
the relatively small number of staff with international internal auditing certificates, the
nature of the corporate governance system (including the low agency costs), lack of
sufficient local regulation of internal auditing, and the cost-benefit analysis for full
compliance with ISPPIA. This makes the study of the particular role of internal
auditors in risk management in banks in Jordan an issue arguably worth attention and
analysis.

4. The research method


This study used a questionnaire survey. This method was justified by the need to
collect information from as many individuals as possible, given the lack of publicly
available information on the research topic. In addition to personal background
questions, the questionnaire covered 20 different potential risks that might face banks
in Jordan. These risks were selected after reviewing relevant literature (e.g. Chapman,
2006; Moeller, 2007, 2009). The researchers selected the 20 risks taking into account the
probable relevance of these risks to the Jordanian business context, the governance and
operations of banks in Jordan, and the banking industry in general.
For each of the 20 risks, the respondents were asked to determine the procedures that the
internal auditing department in their bank is likely to perform in the presence of that risk.
The questionnaire provided six suggested procedures that can be applied by the internal
auditing department, and the respondent was asked to determine which of these six
procedures was applied in the presence of each of the 20 potential risks. Generally based on
the IIA (2009a) (with some rewording and detail to ensure specification and clarification of
the issue to the questionnaire respondents), the first three suggested procedures are core
roles of internal auditors regarding risk management. These roles include evaluating the
identification of the risks determined by the bank’s management and their relevance to
the desired risk appetite, evaluating the accuracy of the bank management’s valuation of the
risks, and evaluating the effectiveness of the bank management’s responses to the risks.
The fourth suggested procedure is an acceptable role under certain safeguards. It is
providing consultancy on identifying, estimating, and responding to risks. Finally, the
last two suggested procedures are unacceptable roles. These are setting the risk appetite
and making decisions on responses to risks. The respondent was told that what was
required was what actually happens at the bank, regardless of the legal or professional
requirements that the bank should abide by.
The six responses were listed in the same order for each risk, rather than being
randomised. While this might lead to some bias in the results, it was considered
necessary in order to make the time needed to fill the questionnaire shorter, given the
need to encourage a higher response rate. The questionnaire used a Likert scale with
seven choices (1 for strong disagreement and 7 for strong agreement) for the questions
regarding the risks and the related procedures. The use of such a relatively long scale
was chosen as it is likely to be better for ranking the risks according to their importance
(Abdullatif, 2013). The researchers chose to use the scale for ranking the risks given
that directly asking for ranking the 20 risks is a difficult request that may reduce the
response rate and possibly reduce the reliability of the findings, due to the apparent
difficulty of reliably ranking 20 items. An optional open-ended question was added at
the end of the questionnaire, asking the respondent to add anything relevant to the
study topic, but no useful responses were received on this question.
The study population was defined as internal auditors of sufficient experience in risk
management from all banks operating in Jordan[5]. The researchers selected a sample
of five individuals from each bank. They considered this number reasonable and
representative (in some cases possibly 100 per cent representative of the defined
population) given the relatively small number of such individuals in most of the banks in
Jordan[6]. The researchers distributed the questionnaires (in Arabic) to the banks
personally, and collected them personally at a later date. This method is likely to produce a
higher response rate, compared to using post or e-mail, without weakening the results due
to researcher interference with subjects (Abdullatif, 2013). It was considered the best option
given the need for a reasonable sample size, as the population itself is small. The banks
were asked to administer the questionnaire to internal auditors with sufficient experience
to deal with risk management issues (see footnote 5). Individuals receiving the
questionnaires were briefed on the study objectives and the questionnaire contents.
In addition, the introduction page of the questionnaire was lengthy in its discussion of the
study objectives and the details of the questionnaire, in order to give the respondents the
needed information that enables them to reliably give their responses.
While the researchers intended to cover all of the banks operating in Jordan, several
of these declined to participate in the study, while a few asked to receive fewer than five
questionnaires. In particular, the researchers attempted to distribute questionnaires to
26 banks operating in Jordan. From these, only 17 banks agreed to participate in the
study (one asked to receive only two questionnaires). The researchers managed to
distribute 82 questionnaires, and received 39 usable responses from only nine banks,
resulting in a response rate of about 48 per cent. While the relatively small number of
responses is arguably a limitation for the study, the researchers made a big effort to
collect as many questionnaires as possible. Also, given the small size of the population
itself, the sample size is arguably representative of the population, especially since the
banks that did not participate do not differ systematically in terms of important
characteristics relative to participating banks.

5. Findings and discussion


5.1 Characteristics of the study sample
The study sample consisted of internal auditors from banks operating in Jordan.
Virtually all of the respondents are expected to be Jordanian nationals, regardless of the
banks they work for. The majority of respondents were between 25 and 40 years old,
had five or more years of internal auditing experience, held job ranks of department
head or higher, and had a university degree. In general, the sample of respondents can
arguably be considered appropriate as a source of information on the research topic.
Table I summarises the respondents’ background.

5.2 Degree of internal auditors’ involvement in risk management


Table II lists the 20 risks that were covered in this study. For each risk, respondents
were asked about their audit firm’s responses in the presence of the risk. The table
gives the mean results for each response and an average for the six responses for each
risk. The mean figures are based on a value scale of 1 for strong disagreement and 7 for
strong agreement.

Table I. Personal background of the respondents

| Characteristic | Category | Number |
|---|---|---|
| Age | Under 25 years | 7 |
| | 25-30 years | 14 |
| | 31-40 years | 12 |
| | 41-50 years | 5 |
| | Above 50 years | 1 |
| | Total | 39 |
| Education | First university degree | 31 |
| | Postgraduate diploma | 1 |
| | Master degree | 7 |
| | Total | 39 |
| Experience in internal auditing | Under 5 years | 13 |
| | 5-10 years | 17 |
| | 11-15 years | 4 |
| | 16-20 years | 1 |
| | Above 20 years | 3 |
| | Total | 38 |
| Job rank | New employee | 6 |
| | Assistant to department head | 4 |
| | Department head | 8 |
| | Supervisor | 5 |
| | Assistant director | 10 |
| | Director | 1 |
| | Higher than director | 1 |
| | Total | 35 |
| Possession of international certificate in internal or external auditing | Yes | 9 |
| | No | 27 |
| | Total | 36 |

Table II. Means and standard deviation of views of internal auditors

| Risks related to | Average[a] | R1 | R2 | R3 | R4 | R5 | R6 |
|---|---|---|---|---|---|---|---|
| 1- Compliance with laws and regulations related to the bank’s work | 5.531[b] (1.209[c]) | 5.76 (1.384) | 5.34 (1.632) | 6.00 (1.336) | 5.68 (1.397) | 5.24 (1.700) | 5.24 (1.685) |
| 2- Compliance with the bank’s internal policies and regulations | 5.478 (1.413) | 5.59 (1.482) | 5.74 (1.464) | 5.95 (1.541) | 5.66 (1.457) | 4.71 (1.944) | 5.24 (1.881) |
| 3- Compliance with the required financial reporting standards | 5.454 (1.273) | 5.55 (1.446) | 5.55 (1.519) | 5.78 (1.475) | 5.95 (1.290) | 4.89 (1.680) | 4.95 (1.692) |
| 4- Effectiveness of bank’s operations (including internal control on them) | 5.414 (1.431) | 5.50 (1.466) | 5.50 (1.447) | 5.66 (1.729) | 5.86 (1.475) | 5.06 (2.057) | 5.24 (1.684) |
| 5- Nature and contents of the required financial reporting standards | 5.360 (1.246) | 5.54 (1.315) | 5.59 (1.371) | 5.59 (1.292) | 5.59 (1.371) | 4.79 (1.809) | 4.81 (1.956) |
| 6- Nature and contents of the required governmental laws and regulations | 5.287 (1.328) | 5.39 (1.516) | 5.41 (1.464) | 5.82 (1.315) | 5.46 (1.626) | 4.79 (1.794) | 5.00 (1.792) |
| 7- Information technology and electronic banking | 5.145 (1.179) | 5.33 (1.420) | 5.23 (1.266) | 5.50 (1.428) | 5.59 (1.464) | 4.62 (1.844) | 4.49[d]* (1.848) |
| 8- Granting loans and client default | 5.127 (1.361) | 5.15 (1.582) | 5.24 (1.460) | 5.61 (1.462) | 5.03 (1.755) | 4.72 (1.685) | 5.08 (1.660) |
| 9- Corporate governance of the bank | 5.075 (1.280) | 5.11 (1.485) | 5.18 (1.468) | 5.37 (1.514) | 5.32 (1.491) | 4.84 (1.685) | 4.63* (1.951) |
| 10- The bank’s work environment | 4.991 (1.222) | 5.13 (1.196) | 4.82 (1.335) | 5.33 (1.325) | 5.21 (1.711) | 4.79 (1.720) | 4.44* (2.036) |
| 11- The bank’s objectives and strategies for achieving them | 4.958 (1.289) | 4.87 (1.695) | 4.92 (1.689) | 5.26 (1.349) | 5.21 (1.212) | 4.86 (1.719) | 4.81 (1.596) |
| 12- Investment portfolios | 4.863 (1.419) | 4.90 (1.651) | 4.90 (1.569) | 5.08 (1.458) | 5.00 (1.556) | 4.72 (1.746) | 4.59* (1.902) |
| 13- The nature and reasonableness of the bank’s performance measures | 4.833 (1.303) | 4.81 (1.543) | 5.03 (1.253) | 5.00 (1.528) | 4.95 (1.747) | 4.32* (1.933) | 4.41* (1.817) |
| 14- Interest rates for deposits, loans, and investments | 4.733 (1.383) | 4.97 (1.646) | 4.85 (1.565) | 5.00 (1.376) | 4.89 (1.556) | 4.44* (1.651) | 4.33* (1.752) |
| 15- Human resources | 4.680* (1.463) | 4.71 (1.769) | 4.59 (1.712) | 4.85 (1.740) | 5.00 (1.611) | 4.26* (1.831) | 4.62 (1.741) |
| 16- The availability of financial resources | 4.623* (1.544) | 4.74 (1.697) | 4.82 (1.554) | 4.82 (1.668) | 4.95 (1.538) | 4.18* (2.011) | 4.34* (2.017) |
| 17- Foreign currency rates | 4.577* (1.532) | 4.67 (1.691) | 4.77 (1.677) | 4.79 (1.689) | 4.77 (1.662) | 4.18* (1.775) | 4.28* (1.806) |
| 18- The Jordanian economy | 4.573* (1.252) | 4.59 (1.352) | 4.72 (1.337) | 4.77 (1.495) | 4.72 (1.297) | 4.28* (1.669) | 4.36* (1.630) |
| 19- Efficiency of pricing the bank’s services | 4.387* (1.808) | 4.62* (1.900) | 4.59* (1.874) | 4.51* (1.938) | 4.49* (1.931) | 4.13* (1.905) | 4.21* (2.002) |
| 20- The Jordanian society and culture | 4.268* (1.412) | 4.18* (1.537) | 4.41* (1.499) | 4.41* (1.428) | 4.58 (1.638) | 3.97* (1.547) | 3.95* (1.894) |

Notes: R1, evaluate the identification of risks by bank management and their relevance to the desired
risk appetite; R2, evaluate the accuracy of the risk value estimation calculated by bank management;
R3, evaluate the effectiveness of procedures performed by bank management in response to the risks;
R4, provide consulting to bank management on identifying, estimating, and responding to
risks; R5, determine the desired risk appetite; R6, make decisions on procedures for responding to risks.
[a] Average, (R1+R2+R3+R4+R5+R6)/6; [b] values of means, 7 = strongly agree and 1 = strongly
disagree; [c] each cell gives the mean followed by the standard deviation in parentheses; [d] means with
* are not statistically significantly different from the midpoint value of 4 (p values of 0.05 or above
using a one sample t-test)

As for the degree of internal auditors’ involvement in risk management, according to
the “average” column in Table II, it can be seen that the average level of audit response
to identified risks for all of the 20 risks was 4.968. This indicates only slight agreement on
the existence of risk management roles for internal auditors. The highest average score
by any risk was 5.531, which is lower than the “moderately agree” score of 6, while
the lowest average score was 4.268, which is near the “neutral” score of 4. The fact that
the standard deviations for responses R1 to R6 ranged between 1.196 and 2.057, arguably
not high for a scale of seven choices, indicates that the level of engagement of internal
auditors in risk management is generally relatively low. This suggests the need for
greater education of internal auditors on their expected role in risk management.
In order to further analyse the degree of internal auditors’ involvement in risk
management, Table III compares the views of local and foreign banks in Jordan on
issues listed in Table II, while Table IV compares the individual views of each of the
nine banks involved in the study on these issues. It can be seen from Table III that
internal auditors from both local and foreign banks have relatively similar views (no
statistically significant differences), while responses reported in Table IV show that
internal auditors in banks do differ to some extent in terms of their level of involvement
in risk management. However, information reported in Table IV should be analysed
with care, due to the small size of the samples per bank (ranging between two and five
individuals from each), a fact that makes performing statistical tests of differences
among the banks unreliable.

5.3 Risks internal auditors were most involved in managing


The above findings show that the level of involvement in risk management by internal
auditors in banks in Jordan is generally low. Nevertheless, it is interesting to find which
risks were ranked as highest and lowest in terms of the degree of involvement of
internal auditors in their management. Table II lists the risks according to this degree,
based on the average performance of the six suggested procedures in the table. Tables
IV and III extend this data by analysing differences among individual banks, and
between local and foreign banks. It can be seen that the rankings are generally similar
at both aggregate and individual bank levels, and when comparing local banks and
foreign ones. Therefore, the following analysis of findings is mainly based on the
average responses of all respondents.
Tables II-IV show that the risks that were most dealt with by the auditors were
those related to compliance with internal and external laws and regulations and
financial reporting standards. Risks related to the contents of regulations and
financial reporting standards and risks related to the effectiveness of the bank’s
operations and to information technology were also dealt with by internal auditors
to a level higher than most other risks. This result probably indicates that the
main focus of the internal auditors is in the area of compliance, as they might fear
that noncompliance may cause the bank negative legal and financial consequences.
In addition to compliance issues, the issues of effectiveness of operations and
information technology are arguably important due possibly to the risks of entering
the electronic banking era. These include possibilities of increased fraud and other
computer abuse problems that need to be better controlled (Boczko, 2012; Romney
and Steinbart, 2012).

Table III. Means and standard deviation of views of internal auditors[a]

| Risks related to | All banks | Local banks | Foreign banks | p-value[b] |
|---|---|---|---|---|
| 1- Compliance with laws and regulations related to the bank’s work | 5.531[c] (1.209[d]) | 5.446 (1.271) | 5.905 (0.854) | 0.406 |
| 2- Compliance with the bank’s internal policies and regulations | 5.478 (1.413) | 5.387 (1.485) | 5.944 (0.905) | 0.508 |
| 3- Compliance with the required financial reporting standards | 5.454 (1.273) | 5.378 (1.325) | 5.833 (0.978) | 0.349 |
| 4- Effectiveness of bank’s operations (including internal control on them) | 5.414 (1.431) | 5.327 (1.575) | 5.762 (0.517) | 0.901 |
| 5- Nature and contents of the required financial reporting standards | 5.360 (1.246) | 5.242 (1.316) | 5.972 (0.499) | 0.264 |
| 6- Nature and contents of the required governmental laws and regulations | 5.287 (1.328) | 5.207 (1.363) | 5.619 (1.212) | 0.483 |
| 7- Information technology and electronic banking | 5.145 (1.179) | 5.145 (1.295) | 5.143 (0.424) | 0.393 |
| 8- Granting loans and client default | 5.127 (1.361) | 5.129 (1.324) | 5.119 (1.632) | 0.895 |
| 9- Corporate governance of the bank | 5.075 (1.280) | 4.984 (1.400) | 5.476 (0.279) | 0.719 |
| 10- The bank’s work environment | 4.991 (1.222) | 4.903 (1.326) | 5.381 (0.438) | 0.734 |
| 11- The bank’s objectives and strategies for achieving them | 4.958 (1.289) | 4.983 (1.332) | 4.857 (1.180) | 0.506 |
| 12- Investment portfolios | 4.863 (1.419) | 4.896 (1.434) | 4.714 (1.449) | 0.659 |
| 13- The nature and reasonableness of the bank’s performance measures | 4.833 (1.303) | 4.844 (1.375) | 4.778 (0.958) | 0.609 |
| 14- Interest rates for deposits, loans, and investments | 4.733 (1.383) | 4.796 (1.419) | 4.452 (1.276) | 0.473 |
| 15- Human resources | 4.680 (1.463) | 4.661 (1.586) | 4.762 (0.781) | 0.664 |
| 16- The availability of financial resources | 4.623 (1.544) | 4.640 (1.589) | 4.548 (1.433) | 0.835 |
| 17- Foreign currency rates | 4.577 (1.532) | 4.646 (1.551) | 4.262 (1.515) | 0.474 |
| 18- The Jordanian economy | 4.573 (1.252) | 4.594 (1.258) | 4.476 (1.317) | 0.754 |
| 19- Efficiency of pricing the bank’s services | 4.387 (1.808) | 4.398 (1.882) | 4.333 (1.509) | 0.649 |
| 20- The Jordanian society and culture | 4.268 (1.412) | 4.220 (1.506) | 4.476 (1.317) | 0.820 |

Notes: Comparing local Jordanian banks with foreign banks operating in Jordan. [a] Figures are based
on the average values (see “average” column in Table II); [b] p-value based on Mann-Whitney test,
comparing local and foreign banks; [c] values of means, 7 = strongly agree and 1 = strongly disagree;
[d] each cell gives the mean followed by the standard deviation in parentheses

Table IV. Means and standard deviation of views of internal auditors[a]

| Risks related to | B1 L | B2 L | B3 L | B4 L | B5 L | B6 L | B7 L | B8 F | B9 F |
|---|---|---|---|---|---|---|---|---|---|
| 1- Compliance with laws and regulations related to the bank’s work | 5.167[b] (0.882[c]) | 6.500 (0.360) | 6.444 (0.536) | 4.933 (1.832) | 5.867 (0.758) | 5.267 (0.573) | 6.367 (0.361) | 4.133 (1.596) | 5.667 (0.471) |
| 2- Compliance with the bank’s internal policies and regulations | 5.933 (1.004) | 6.500 (0.638) | 5.556 (0.788) | 4.933 (1.832) | 6.067 (0.548) | 5.233 (0.325) | 6.458 (0.551) | 2.792 (1.548) | 6.083 (0.118) |
| 3- Compliance with the required financial reporting standards | 5.625 (1.003) | 6.167 (0.593) | 6.250 (0.354) | 4.900 (1.786) | 6.200 (0.758) | 4.042 (1.022) | 6.200 (0.431) | 4.467 (1.556) | 5.833 (0.471) |
| 4- Effectiveness of bank’s operations (including internal control on them) | 5.056 (0.918) | 6.542 (0.534) | 5.833 (0.000) | 4.933 (1.832) | 6.333 (0.408) | 5.767 (0.630) | 6.033 (0.274) | 2.900 (0.925) | 6.250 (1.061) |
| 5- Nature and contents of the required financial reporting standards | 5.267 (0.713) | 6.292 (0.438) | 6.500 (0.441) | 4.667 (1.528) | 5.467 (1.255) | 4.583 (0.419) | 6.133 (0.342) | 3.792 (1.781) | 6.250 (0.118) |
| 6- Nature and contents of the required governmental laws and regulations | 5.514 (1.066) | 6.444 (0.481) | 6.444 (0.347) | 4.633 (1.583) | 5.400 (1.065) | 4.367 (0.681) | 6.100 (0.879) | 3.917 (2.007) | 5.667 (0.471) |
| 7- Information technology and electronic banking | 5.033 (0.908) | 6.417 (0.630) | 5.722 (0.752) | 4.867 (1.816) | 5.600 (0.548) | 5.133 (0.298) | 5.200 (0.447) | 3.250 (1.500) | 5.250 (0.354) |
| 8- Granting loans and client default | 5.067 (0.887) | 6.500 (0.491) | 6.667 (0.000) | 4.467 (1.426) | 5.467 (1.255) | 4.933 (0.805) | 5.333 (1.904) | 3.567 (0.596) | 5.667 (1.886) |
| 9- Corporate governance of the bank | 5.250 (0.739) | 6.208 (0.629) | 6.167 (0.333) | 4.667 (1.581) | 5.467 (1.255) | 4.967 (0.532) | 5.533 (0.217) | 3.000 (1.173) | 5.167 (1.179) |
| 10- The bank’s work environment | 5.600 (0.787) | 5.917 (0.096) | 5.944 (0.096) | 4.700 (1.552) | 4.867 (1.108) | 4.300 (0.953) | 5.400 (0.535) | 3.208 (1.652) | 5.500 (0.471) |
| 11- The bank’s objectives and strategies for achieving them | 5.417 (0.726) | 6.042 (0.629) | 6.083 (1.061) | 4.767 (1.746) | 5.400 (1.342) | 4.267 (0.902) | 4.933 (1.176) | 3.533 (0.893) | 6.000 (0.000) |
| 12- Investment portfolios | 4.933 (0.871) | 6.042 (0.750) | 6.444 (0.192) | 4.667 (1.667) | 5.433 (0.703) | 3.833 (1.700) | 4.500 (1.708) | 3.767 (1.331) | 5.250 (1.061) |
| 13- The nature and reasonableness of the bank’s performance measures | 5.292 (0.725) | 6.125 (0.686) | 6.222 (0.192) | 4.733 (1.657) | 5.000 (1.369) | 4.000 (0.817) | 5.125 (0.516) | 3.042 (0.821) | 4.167 (1.179) |
| 14- Interest rates for deposits, loans, and investments | 5.100 (0.760) | 6.833 (0.167) | 5.611 (0.855) | 4.233 (1.392) | 5.200 (1.095) | 3.800 (0.931) | 4.367 (1.547) | 3.000 (1.557) | 5.500 (0.707) |
| 15- Human resources | 5.400 (0.641) | 5.542 (0.985) | 5.556 (0.631) | 4.867 (1.835) | 4.467 (1.440) | 4.800 (1.023) | 4.767 (0.955) | 2.125 (1.315) | 4.500 (2.121) |
| 16- The availability of financial resources | 4.867 (0.721) | 6.417 (0.726) | 6.250 (0.118) | 4.133 (1.406) | 4.867 (1.552) | 2.933 (1.953) | 4.467 (1.664) | 4.333 (0.817) | 4.750 (1.768) |
| 17- Foreign currency rates | 5.233 (0.608) | 6.083 (0.481) | 5.278 (0.585) | 4.233 (1.392) | 4.800 (1.643) | 2.733 (1.690) | 4.233 (1.839) | 3.933 (0.855) | 6.250 (1.061) |
| 18- The Jordanian economy | 5.033 (0.415) | 6.042 (0.344) | 5.111 (1.018) | 4.233 (1.392) | 4.800 (1.095) | 3.400 (1.158) | 4.533 (1.592) | 3.767 (1.267) | 5.000 (0.236) |
| 19- Efficiency of pricing the bank’s services | 4.767 (0.805) | 6.042 (0.516) | 6.417 (0.118) | 4.200 (1.386) | 3.967 (2.709) | 1.750 (1.500) | 4.400 (1.677) | 4.500 (1.247) | 4.583 (2.003) |
| 20- The Jordanian society and culture | 5.167 (0.486) | 5.667 (0.471) | 5.389 (1.273) | 4.300 (1.529) | 3.800 (1.789) | 2.833 (1.143) | 4.633 (1.114) | 3.083 (0.833) | 3.667 (0.707) |

Notes: Comparing individual banks. B, bank; L, local; F, foreign. [a] Figures are based on the average
values (see “average” column in Table II); [b] for values of means, 7 = strongly agree and 1 = strongly
disagree; [c] each cell gives the mean followed by the standard deviation in parentheses

While it is expected that banks would consider the risk of noncompliance, given the
large range of regulations and standards they have to follow, it is interesting to note
that internal auditors were not involved to a relatively high degree in the management
of several bank-specific and country/international risks. Examples of the former
include risks related to credit default or to the bank’s objectives, strategies, and
performance evaluation. Of particular concern also are risks related to corporate
governance. Given that the corporate governance system in Jordanian banks is a
predominantly closely held system, with a number of dominant shareholders assuming
top managerial roles, there are risks of limited transparency and of abuse of power
(Solomon, 2010). Nevertheless, this risk was not perceived as having a high priority
level by the internal auditors, possibly due to the dominance of the closely held
governance system in Jordanian banks and other companies.
Examples of macro-level risks include risks related to interest rates, currency prices,
investment portfolios, economy conditions, and local culture preferences. These risks
should be adequately managed as they are important to many major decisions of the
bank. Examples of such financial decisions include diversifying investment portfolios
in order to eliminate some risk, selecting an appropriate discount rate for a project, and
dealing with foreign currency exposure (Brooks, 2010). Culture risks include factors
related to religion, social stratification, work motivation, risk-taking behaviour,
information processing, and communications, issues that are even more important if
the bank operates or invests in more than one country (Daniels et al., 2011). The
finding of this study regarding the relatively low level of involvement associated with
these risks is arguably alarming because, although these risks arguably do not
have comparably large compliance consequences, they are nevertheless very important
to the future of the bank, especially in the current global financial crisis, where any of
these risks alone might be large enough to jeopardise the future of the bank.
In order to further analyse the issue of the level of involvement of internal auditors
in the management of specific risks, the researchers performed a factor analysis of the
risks in order to classify them into groups relative to their importance, and to support
the above findings. Results of the factor analysis are reported in Table V. The factor
analysis was performed on the “average” column results in Table II.
It can be seen from Table V that the risks can be generally classified into two groups.
The first group, which is higher in statistical significance due to the degree of variance it
explains, is dominated by risks related to the content of and compliance with regulations
and financial reporting standards, in addition to risks related to operational effectiveness
and information technology. The second group is dominated by macro-level risks, such
as those related to interest rates, foreign currency rates, and the Jordanian economy and
culture. In general, these results support the findings reported earlier.

5.4 Appropriateness of risk management procedures applied by internal auditors


Table II shows the reported responses to each of the 20 risks. It can be seen that the
level of agreement on the first four responses is relatively similar for each risk. The
ranking of the risks was discussed in the two previous subsections.
However, it is interesting to find that the last two responses (R5 and R6) were seen as
slightly acceptable and being undertaken by internal auditors. These two responses
indicate roles that internal auditors must not perform according to the IIA (2009a), as
they may compromise the internal auditors’ independence and objectivity in providing
assurance, because these roles should be assumed by the banks’ managers, not their
internal auditors (IIA, 2009a). These findings contradict a recent IIA survey that
found that such roles are generally not being undertaken by internal auditors (IIA,
2009b, cited by Sobel, 2011).
According to the findings of this study, it seems that internal auditors in banks in
Jordan do, to some extent, assume managerial roles that potentially compromise their
independence and objectivity, and the value of their assurance and consulting roles.

Table V. Factor analysis

| Risks related to | Component 1 | Component 2 |
|---|---|---|
| 1- Compliance with laws and regulations related to the bank’s work | 0.953 | 0.171 |
| 2- Compliance with the bank’s internal policies and regulations | 0.943 | 0.168 |
| 3- Compliance with the required financial reporting standards | 0.721 | 0.486 |
| 4- Effectiveness of bank’s operations (including internal control on them) | 0.954 | 0.065 |
| 5- Nature and contents of the required financial reporting standards | 0.850 | 0.464 |
| 6- Nature and contents of the required governmental laws and regulations | 0.843 | 0.384 |
| 7- Information technology and electronic banking | 0.907 | 0.237 |
| 8- Granting loans and client default | 0.834 | 0.367 |
| 9- Corporate governance of the bank | 0.892 | 0.401 |
| 10- The bank’s work environment | 0.785 | 0.512 |
| 11- The bank’s objectives and strategies for achieving them | 0.712 | 0.596 |
| 12- Investment portfolios | 0.337 | 0.839 |
| 13- The nature and reasonableness of the bank’s performance measures | 0.759 | 0.553 |
| 14- Interest rates for deposits, loans, and investments | 0.431 | 0.777 |
| 15- Human resources | 0.719 | 0.291 |
| 16- The availability of financial resources | 0.174 | 0.967 |
| 17- Foreign currency rates | 0.174 | 0.960 |
| 18- The Jordanian economy | 0.498 | 0.754 |
| 19- Efficiency of pricing the bank’s services | 0.158 | 0.943 |
| 20- The Jordanian society and culture | 0.420 | 0.789 |

Notes: Varimax rotated component matrix results. Loadings are italicised when the risk shows a
significant attribution to one component over another. The criterion used here is that the difference
between the loading values for the two components exceeds 0.200

It seems that internal auditors arguably lack full understanding of the nature of their
roles in risk management, and need to be better educated on these issues in order to
improve the quality of their performance. These findings are to some extent similar to
those of Fraser and Henry (2007), who reported that internal auditor independence was
sometimes compromised in practice by making internal auditors responsible for some
risk management roles they should arguably not have been involved in, given the
difficulty of separating an advisory function from a decision-making function.

5.5 Effects of respondents’ backgrounds on their views


In this subsection, the data were split five times. On each separate occasion, the data
were split according to the respondents’ age, highest education level achieved,
experience in internal auditing, job rank, or possession of an international certificate in
auditing. After merging some groups for some personal background variables due to
their small size (such as the last two for age and the last three for experience), the
Kruskal-Wallis test was applied to see whether views of respondents were affected by
their personal backgrounds. The full results of this test are not reported due to their
very large size (five tables of 120 statements each) and relative insignificance of most of
them, mentioned as follows.
While findings for the personal background variables were relatively random and
showed only very few differences among respondents that can be attributed to their
backgrounds, some conclusions can, to some extent, be drawn from the results. It was
generally found that for some macro-level risks (including risks related to the Jordanian
economy, the Jordanian culture, and foreign currency rates), there were some
differences in perceptions that can be partially attributed to age and/or education of
respondents. The same applied to risks related to the content of financial reporting
standards and the efficiency of pricing the banks’ services. In general, the older the age
of the respondent and/or the higher the education level achieved by him/her, the more
likely it was that the respondent would report that the risk is dealt with by internal
auditors, and that they use acceptable responses in doing so. Apart from risks related
to financial reporting standards, the other risks were ranked low in Table II, suggesting
that age and education would make an internal auditor more aware of the importance
of these risks and the need to be involved in their management.

5.6 Reliability of findings


Cronbach’s α was used to test the reliability of the findings. It was found to be nearly 99
per cent, a figure much higher than the minimum acceptable value of 70 per cent
(Saunders et al., 2012). Therefore, the questionnaire results are acceptable in terms of
their reliability. Even after splitting the questions into six groups (each group
consisting of responses to a different category of questions: R1, R2, R3, R4, R5, and R6),
Cronbach’s α for each group was also very high, confirming the earlier conclusion.
Table IV reports on the results of the Cronbach’s α tests (Table VI).

6. Conclusions and implications


This study aimed to explore the roles performed by internal auditors in banks in Jordan
as part of the risk management process of the banks they work for. To do so, the
researchers conducted a questionnaire survey that asked internal auditors about
the relative degree of their involvement in the management of 20 different risks their
banks are likely to face, and the likely responses of internal auditors in the existence of
each of these risks.
Findings of the study show that the degree of involvement of internal auditors in
risk management was generally small. The risks that internal auditors were most
involved in managing were those related to the contents of and compliance with
regulations and financial reporting standards, and those related to operational
effectiveness and information technology. While these issues are important and
relevant to a bank’s future, many other risks related to a bank itself (such as objectives
and strategies, and financial and human resources) or to the Jordanian context (such as
the Jordanian economy and culture) and the international context (such as prevailing
interest rates and currency prices) were seen as being dealt with by internal auditors to
a lesser extent. In addition, it was reported that internal auditors do, to some extent,
assume roles they should not undertake (according to IIA, 2009a) that would
potentially weaken their independence and objectivity.

Table VI. Cronbach’s α test results

| Questions for each individual risk concerning | | Cronbach’s α value |
|---|---|---|
| R1 | Evaluating the identification of risks by bank management and their relevance to the desired risk appetite | 0.970 |
| R2 | Evaluating the accuracy of the risk value estimation calculated by bank management | 0.973 |
| R3 | Evaluating the effectiveness of procedures performed by bank management in response to the risks | 0.965 |
| R4 | Providing consulting to bank management on identifying, estimating, and responding to risks | 0.968 |
| R5 | Determining the desired risk appetite | 0.979 |
| R6 | Making decisions on procedures for responding to risks | 0.984 |
| All | All statements | 0.992 |

Implications of these findings include that the CBJ, which recommends best practice
of internal auditing, should insist on banks understanding and applying more risk
management and involving internal auditors to a greater extent in this process. The
CBJ should also be more involved in monitoring the applications of risk management
by banks (including the role of internal auditors in risk management). In addition, some
role for other relevant Jordanian regulatory authorities in monitoring risk management
practices of banks might be desirable. Examples of such authorities include the JSC and
the ASE (given that all Jordanian banks are public listed companies), since these
authorities may ask for additional disclosure regarding risk management in banks.
Bank executive managers, boards of directors, and internal auditors should be more
aware of the nature of each party’s role in risk management and the importance of each
of these roles. In particular, these parties should be aware of the role internal auditors
should perform in risk management without compromising their independence and
objectivity as providers of assurance and consulting services to the management
and board of directors. Internal auditors should decline to accept any roles in risk
management that contradict their main roles of providing assurance and
consultancy.
Managers, directors and internal auditors in banks should also be more aware of the
importance of managing many different risks that may face banks, and not only those
related to compliance with regulations and financial reporting standards. As mentioned
earlier, banks face multiple risks of different types (financial and nonfinancial, internal,
and external). Banks should be aware of many different risks in order to adequately
manage them and plan for their long-term and short-term future.
In addition, it can possibly be suggested from the findings of this study that the whole
idea of encouraging or adopting ISPPIA in Jordan is questionable. This argument might
be suggested given that ISPPIA were designed to be used by companies in more
developed countries. The nature of banks and other companies in Jordan, especially being
closely held with no clear differentiation between directors and managers, might suggest
that some different role for internal auditors may be more suitable, due to the low agency
costs. In particular, whether internal auditors in Jordan and other similar developing
countries have to follow the same ISPPIA guidelines regarding risk management and
other assurance and consulting services might be questionable, and is an issue worth
further examination by standard-setters. This argument is not without relatively similar
precedent, as the arguments about applying IFRS, for example, in developing countries
were continuously challenged for requiring extensive disclosure and not being cost
effective in small capital markets (Nobes and Parker, 2012). Indeed, such arguments have
led to the introduction of IFRS for small and medium-sized entities (Drever et al., 2007).
The study faced some limitations. In addition to the usual limitations that accompany
questionnaire surveys, such as the possibility of perceptions of respondents not matching
reality, the small sample size is arguably a limitation to some extent. Although the
researchers made many efforts to increase the sample size, many banks were reluctant
to participate in the study. From the experience of the researchers, such reluctance to
participate in survey studies is generally normal with banks in Jordan, under the
justifications of the time needed for filling questionnaires and the confidential nature of
the requested information. However, the findings may be considered generally reliable
and representative, given the small size of the defined population itself, and the fact that
the banks that did not participate do not come from a specific group (i.e. some are
Jordanian and some are foreign, and they vary in their sizes). The only exception is that the
four banks specialising in Islamic banking (two Jordanian and two foreign banks) either
declined to participate or did not return any questionnaires. However, the percentage of
these banks to the total number of banks operating in Jordan (about 15 per cent) and the
fact that none of the 20 risks included in the questionnaire relates only to the practices of
these banks arguably makes the effect of their absence from the study relatively limited.
This study aimed to explore the roles of internal auditors in risk management.
Avenues for future research include performing more in-depth studies on the actual
performance of internal auditing departments on this issue, particularly by using case
studies. In-depth research emphasising risk management of different types of risks
individually would potentially significantly contribute to our knowledge. In addition,
several previous studies (e.g. Beasley et al., 2008; Arena and Azzone, 2009; Castanheira
et al., 2010) generally found that factors such as the internal auditor’s experience with
ERM, age and size of the internal audit department, effectiveness of an audit
committee, and the size of the bank may have some effect on the role of internal
auditors in risk management. Exploring such effects in depth, both in Jordan and in
other countries, provides potential areas for future research.

Notes
1. Accessed on 25 August 2013.
2. Information and quotes from the IIA web site (accessed on 25 August 2013).
3. Accessed on 25 August 2013.
4. CBJ web site (accessed on 25 August 2013).
5. While the initial criterion set by the researchers for sufficient experience was a minimum of
five years of internal audit experience that includes dealing with risk management, they had
to settle for accepting less than that, given that banks generally claimed that internal
auditors with less than five years of experience were involved in the risk management
process. As the population size and the sample size were both relatively small, the
researchers had to accept all of the received questionnaires, especially after the results of
the Kruskal-Wallis test proved that experience in internal auditing was not an important
factor in causing the differences among responses of the sample (see Subsection 5.5).
6. The researchers are not aware of any published information or prior research on the size
of internal audit functions in Jordanian banks. The choice of five questionnaires per bank
was made after personally asking the banks about the size of their internal audit functions
and how many of these internal auditors possessed suitable experience that enables them to
usefully respond to the questionnaire.

References
Abdolmohammadi, M.J. (2009), “Factors associated with the use of and compliance with the IIA
standards: a study of Anglo-culture CAEs”, International Journal of Auditing, Vol. 13 No. 1,
pp. 27-42.
Abdullatif, M. (2013), “Fraud risk factors and audit programme adjustments: evidence from
Jordan”, Australasian Accounting, Business and Finance Journal, Vol. 7 No. 1, pp. 59-77.
Abdullatif, M. and Al-Khadash, H. (2010), “Putting audit approaches in context: the case of
business risk audits in Jordan”, International Journal of Auditing, Vol. 14 No. 1, pp. 1-24.
Al-Jarrah, I.M. (2012), “Evaluating the riskiness of the banking sector in Jordan”, European
Journal of Economics, Finance and Administrative Sciences, No. 48, pp. 86-95.
Allegrini, M. and D’Onza, G. (2003), “Internal auditing and risk assessment in large Italian
companies: an empirical survey”, International Journal of Auditing, Vol. 7 No. 3, pp. 191-208.
Arena, M. and Azzone, G. (2009), “Identifying organizational drivers of internal audit
effectiveness”, International Journal of Auditing, Vol. 13 No. 1, pp. 43-60.
Association of Banks in Jordan (2011), “The development of the Jordanian Banking Sector
(2000-2010)”, available at: www.abj.org.jo/en-us/developmentofthejordanianbankingsector.aspx
Beasley, M.S., Clune, R. and Hermanson, D.R. (2008), “The impact of enterprise risk management
on the internal audit function”, Journal of Forensic Accounting, Vol. 9 No. 1, pp. 1-20.
Boczko, T. (2012), Introduction to Accounting Information Systems, Pearson Education Ltd,
Harlow.
Brooks, R.M. (2010), Financial Management: Core Concepts, Pearson Education Inc., Upper Saddle
River, NJ.
Burnaby, P. and Hass, S. (2009), “A summary of the global common body of knowledge 2006
(CBOK) study in internal auditing”, Managerial Auditing Journal, Vol. 24 No. 9, pp. 813-834.
Castanheira, N., Lima Rodrigues, L. and Craig, R. (2010), “Factors associated with the adoption of
risk-based internal auditing”, Managerial Auditing Journal, Vol. 25 No. 4, pp. 79-98.
Central Bank of Jordan (2007), “Corporate governance code for banks in Jordan”, Central Bank of
Jordan web site (2013), available at: www.cbj.gov.jo/pages.php?menu_id=2&local_type=0&local_id=0&local_details=0&local_details1=0&localsite_branchname=CBJ
(accessed 25 August 2013).
Chapman, R.J. (2006), Simple Tools and Techniques for Enterprise Risk Management, John Wiley
& Sons Ltd, Chichester.
Daniels, J.D., Radebaugh, L.H. and Sullivan, D.P. (2011), International Business: Environments and
Operations, 13th ed., Pearson Education Inc., Upper Saddle River, NJ.
De Zwann, L., Stewart, J. and Subramaniam, N. (2011), “Internal audit involvement in enterprise
risk management”, Managerial Auditing Journal, Vol. 26 No. 7, pp. 586-604.
Drever, M., Stanton, P. and McGowan, S. (2007), Contemporary Issues in Accounting, John Wiley
& Sons Australia Ltd, Milton.
Elshqairat, M.K. (2007), “The implementation of internal auditing standards for the professional
practice of internal auditing in the Jordanian public sector”, master thesis, The Hashemite
University, Zarqa.
Fraser, I. and Henry, W. (2007), “Embedding risk management: structures and approaches”,
Managerial Auditing Journal, Vol. 22 No. 4, pp. 392-409.
Gelinas, U.J. and Dull, R.B. (2008), Accounting Information Systems, 7th ed., Thomson
South-Western, Mason, OH.
Hashemite Kingdom of Jordan (2000), “Banking Law No. 28 of 2000”, available at:
www.cbj.gov.jo/arabic/pages.php?menu_id=85
Hashemite Kingdom of Jordan (2002), “Securities Law No. 76 of 2002”, available at:
www.jsc.gov.jo/library/633572355246923912.pdf
Holton, G.A. (2004), “Defining risk”, Financial Analysts Journal, Vol. 60 No. 6, pp. 19-25.
Institute of Internal Auditors (2009a), “IIA position paper: the role of internal auditing in
enterprise-wide risk management”, available at:
https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Role%20of%20Internal%20Auditing%20in%20Enterprise%20Risk%20Management.pdf
Institute of Internal Auditors (2009b), “Global audit information network flash survey: internal
auditing’s role in risk management” (cited in Sobel, 2011).
Jordan Securities Commission (2007), “Corporate governance code for shareholding companies
listed on the Amman Stock Exchange”, available at:
www.sdc.com.jo/english/images/stories/pdf/corporate_companies.pdf
Kawuq, S.K.I. (2010), “Implementing international standards of internal audit in Jordanian
banks”, master thesis, The Hashemite University, Zarqa.
Marais, M., Burnaby, P.A., Hass, S., Sadler, E. and Fourie, H. (2009), “Usage of internal auditing
standards and internal auditing activities in South Africa and all respondents”, Managerial
Auditing Journal, Vol. 24 No. 9, pp. 883-898.
Merna, T. and Al-Thani, F.F. (2008), Corporate Risk Management, 2nd ed., John Wiley & Sons
Ltd, Chichester.
Moeller, R.R. (2007), COSO Enterprise Risk Management: Understanding the New Integrated ERM
Framework, John Wiley & Sons Inc., Hoboken, NJ.
Moeller, R.R. (2009), Brink’s Modern Internal Auditing: A Common Body of Knowledge, 7th ed.,
John Wiley & Sons Inc., Hoboken, NJ.
Nobes, C. and Parker, R. (2012), Comparative International Accounting, 12th ed., Pearson
Education Ltd, Harlow.
Pickett, K.H.S. (2011), The Essential Guide to Internal Auditing, 2nd ed., John Wiley & Sons Ltd,
Chichester.
Pike, R., Neale, B. and Linsley, P. (2012), Corporate Finance and Investment: Decisions and
Strategies, 7th ed., Pearson Education Ltd, Harlow.
Romney, M.B. and Steinbart, P.J. (2012), Accounting Information Systems, 12th ed., Pearson
Education Ltd, Harlow.
Sadler, E., Marais, M. and Fourie, H. (2008), “Internal auditors’ compliance with the IIA
standards: a worldwide perspective”, Meditari Accountancy Research, Vol. 16 No. 2,
pp. 123-138.
Sarens, G. and Abdolmohammadi, M.J. (2011), “Factors associated with convergence of internal
auditing practices: emerging vs developed countries”, Journal of Accounting in Emerging
Economies, Vol. 1 No. 2, pp. 104-122.
Sarens, G. and Christopher, J. (2010), “The association between corporate governance guidelines
and risk management and internal control practices: evidence from a comparative study”,
Managerial Auditing Journal, Vol. 25 No. 4, pp. 288-308.
Sarens, G. and De Beelde, I. (2006), “Internal auditors’ perception about their role in risk
management: a comparison between US and Belgian companies”, Managerial Auditing
Journal, Vol. 21 No. 1, pp. 63-80.
Saunders, M., Lewis, P. and Thornhill, A. (2012), Research Methods for Business Students, 6th ed.,
Pearson Education Ltd, Harlow.
Shaqqour, O.F.M. (2000), “The extent of compliance of Jordanian commercial banks with internal
auditing standards”, master thesis, The University of Jordan, Amman.
Siam, W. and Abdullatif, M. (2011), “Fair value accounting usefulness and implementation
obstacles: views from bankers in Jordan”, in Devi, S.S. and Hooper, K. (Eds), Accounting in
Asia, Research in Accounting in Emerging Economies, Vol. 11, Emerald Group Publishing
Ltd, Bingley, pp. 83-107.
Sobel, P.J. (2011), “IIARF white paper: internal auditing’s role in risk management”, Institute of
Internal Auditors Research Foundation, Altamonte Springs, FL.
Soh, D.S.B. and Martinov-Bennie, N. (2011), “The internal audit function: perceptions of internal
audit roles, effectiveness and evaluation”, Managerial Auditing Journal, Vol. 26 No. 7,
pp. 605-622.
Solomon, J. (2010), Corporate Governance and Accountability, 3rd ed., John Wiley & Sons Ltd,
Chichester.
Spira, L.F. and Page, M. (2003), “Risk management: the reinvention of internal control and the
changing role of internal audit”, Accounting, Auditing and Accountability Journal, Vol. 16
No. 4, pp. 640-661.
Stewart, J. and Subramaniam, N. (2010), “Internal audit independence and objectivity: emerging
research opportunities”, Managerial Auditing Journal, Vol. 25 No. 4, pp. 328-360.
Suwaidan, M. and Abu Zreiq, B. (2013), “The extent of compliance with international internal
auditing standards in Jordanian electricity companies”, Jordan Journal of Business
Administration, Vol. 9 No. 3, pp. 540-566.

Further reading
Institute of Internal Auditors (2012), “International standards for the professional practice of
internal auditing”, available at:
https://na.theiia.org/standards-guidance/Public%20Documents/IPPF%202013%20English.pdf
Institute of Internal Auditors (2013), available at:
https://na.theiia.org/about-us/Pages/About-The-Institute-of-Internal-Auditors.aspx;
https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx
(accessed 25 August 2013).

About the authors


Dr Modar Abdullatif is an Associate Professor of Accounting at the Middle East University in
Amman, Jordan. He received his PhD in Accounting and Finance from the University of
Manchester, UK. His research interests are in the areas of auditing, fraud, and financial reporting.
Dr Modar Abdullatif is the corresponding author and can be contacted at: mod70a@yahoo.com
Shatha Kawuq is a Lecturer of Accounting at Middle East University in Amman, Jordan.
She received her Master Degree in Accounting and Finance from the Hashemite University,
Jordan. Her research interests are in the areas of auditing and financial reporting.
