Next Article in Journal
Prediction of Greenhouse Area Expansion in an Agricultural Hotspot Using Landsat Imagery, Machine Learning and the Markov–FLUS Model
Previous Article in Journal
Decoding Jakarta Women’s Non-Working Travel-Mode Choice: Insights from Interpretable Machine-Learning Models
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Sustainability
Volume 16
Issue 19
10.3390/su16198455
sustainability-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite thumb_up
...
Endorse textsms
...
Comment
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

The Influence of Sustainable Risk Management on the Implementation of Risk-Based Internal Auditing

by
Ahmed Almgrashi
and
Abdulwahab Mujalli
*
Department of Accounting and Finance, College of Business, Jazan University, Jazan 45142, Saudi Arabia
*
Author to whom correspondence should be addressed.
Sustainability 2024, 16(19), 8455; https://doi.org/10.3390/su16198455 (registering DOI)
Submission received: 29 July 2024 / Revised: 13 September 2024 / Accepted: 27 September 2024 / Published: 28 September 2024
Browse Figures
Review Reports Versions Notes

Abstract

:
Risk management exerts a significant influence on the competitiveness of an organization and its operational processes. It presents opportunities for expansion, foresight, and the need to promote sustainability. Many organizations have executed comprehensive risk management processes. Moreover, internal audit has increasingly attracted managers’ attention, forming the basis of modern governance methods. The aim of this study is to examine, from the viewpoint of the agency, the impact of the role of internal auditors, training in risk management, and management support on risk management. Following this, the work examines risk management in terms of the risk-based auditing implementation that is performed by Saudi public organizations. This study encompassed 234 completed and therefore valid questionnaires from the manager and assistance of the internal audit department, internal auditors, accountants, and managers employed in Saudi public organizations. The data collected have been analyzed utilizing Smart Partial Least Squares (SmartPLS). This study’s findings confirmed that there is a significant association between the role of internal auditors in risk management, training in risk management, and between management support and risk management. There is also a significant association between risk management and the implementation of risk-based internal auditing. This study’s findings have significant ramifications for those in charge of public-sector organizations, and sustainability, aiming to enhance the dependability and trustworthiness of the internal audit process and other aspects of financial reports and audits in general. Currently, there is a dearth of published research on the factors that influence risk management and also on risk-based internal auditing. This study contributes to the emerging literature on this subject by examining Saudi public organizations; it also establishes empirical variables through a thorough review of relevant research. Conducted here is an empirical investigation that identifies the factors that affect risk management and then its influence on risk-based internal auditing implementation in the economic system of Saudi Arabia. By focusing on Saudi public organizations, this article highlights other countries that have similar systems of governance rules and procedures in their government-operated entities.

1. Introduction

The importance of sustainable risk management and risk-based internal auditing has grown significantly in the contemporary economic, environmental, and social context [1]. According to Jiménez et al. (2024) [2], the dynamic changes occurring in the environment wield a substantial influence on the financial stability, market trust, and reputation of organizations. Consequently, there is an urgent requirement to integrate sustainability principles into business plans. Business enterprises encounter persistent ambiguity, making it necessary to adopt a sustainable strategy for risk management that not only tackles current obstacles but also guarantees enduring adaptability [3,4]. When implemented in a sustainable way, strategic risk management enables firms to effectively reduce uncertainties and attain their objectives while optimizing value [5]. By incorporating sustainability principles into the framework of risk management, organizations may effectively mitigate the build-up of residual risks that can potentially escalate beyond manageable levels, exposing future stability to significant threats. Following Jiménez et al. (2024) [2], the implementation of sustainable risk management practices contributes to the enhancement of the competitive advantage of an organization through the facilitation of development possibilities, proactive preparedness, and the establishment of a resilient reaction to economic, political, and social challenges. Lois et al. (2021) [6] argue that the use of risk-based internal auditing serves to reinforce the sustainable method by harmonizing auditing procedures with sustainability objectives, so enabling organizations to maintain their flexibility and robustness in a dynamic setting.
Thus, risk management has become widely accepted as a crucial tool for recognizing, evaluating, and mitigating the diverse risks that organizations regularly encounter [5,6,7]. In this modern world, the reality that organizations function in highly unpredictable settings or business markets means that it is necessary to devise and execute policies that enable them to manage risks in a timely and effective way [3,6]. Risk management is deemed to be a contemporary approach to organizational administration that links an organization’s strategy with the administration of daily processes within which risks can appear [5]. It is acknowledged as an essential basis for developing all-encompassing organization management processes [7].
In a similar vein, an internal audit offers a perspective independently and objectively to the management of the organization regarding how adequate its risk management practices are [8]. The main goal of an internal audit is to evaluate the workplace operations of organizations, as well as evaluate the diverse risks they encounter [9]. From this perspective, internal audit could be seen as an ever-changing procedure that adapts to the evolving external and internal conditions of a workplace [6,7]. This has resulted in the need to revamp strategies that are essential for risk management effectiveness. Summarizing the previous point, internal audit can be viewed as a crucial instrument for risk management.
However, the occurrence of organizational failures underscores the inability of organizations to recognize the risks linked to their strategic endeavors [10]. Given that risks pose a danger to the long-term viability of institutional entities, it is of utmost importance to effectively manage risks. The function of internal auditing has significantly changed its methods due to alterations in organizations’ environments, technological advances, and regulatory/legislative frameworks [5]. In due course, the implementation of risk-based internal auditing processes will expand the range of internal operations to include the complete monitoring of all aspects of the organization [6,7]. Essentially, organized risk-based internal audit procedures firstly, enhance the supervision duties and responsibilities undertaken by internal auditing; and secondly, ensure sufficient audits of critical activities and operations are carried out.
The risk-based internal auditing implementation highlights the significance of assessing the risks associated with both operational and strategic goals [3,5,11,12,13]. The function of internal auditing is to, firstly, evaluate risks in a comprehensive and thorough manner rather than examine issues in isolation [6]; and secondly, integrate standardized procedures for risk evaluation into yearly planning for auditing purposes [11,12,13]. The absence of comprehensive monitoring and ineffective evaluation of risks at both the strategic and operational levels results in inadequate identification and assessment of risks at these levels within the audit universe. Furthermore, the failure to consistently execute risk-based auditing approaches across all internal audit procedures will result in internal audit functioning to evaluate the state of internal control instead of the degree of risk involved [5,7]. Furthermore, Lois et al. (2021) [6] propose that the selected auditing method might influence the quality of internal audit work that is carried out. In the end, inadequate adherence to standardized auditing methods and discrepancies can ultimately lead to insufficient audit coverage of critical risk areas and poor execution of auditing tasks [6]. However, more organizations worldwide are putting into place comprehensive risk management procedures. It is evident that internal audit has increasingly attracted managers’ attention, and has become the basis of modern governance systems. The aim of this study is to examine the impact of the role of internal auditors, training in risk management, and management support for risk management. Then, this paper examines risk management in terms of risk-based auditing implementation carried out by public-sector organizations in Saudi Arabia.
Public-sector organizations play a significant role in the economy of developing nations like Saudi Arabia. The government, via its ministries, departments, and agencies, significantly guides and shapes the success of other sectors of the economy and entities operating in them. For this reason it is important to establish oversight mechanisms to guarantee that government budgets are utilized for their intended purpose [14]. According to a basic agency theory, principals (in this case, the government) lack confidence in their agents (the managers of agencies, units, departments, ministries, etc.) due to differences in the desired information and self-interest. The ideal situation is to address these problems by ensuring that the agent’s interests are in line with the proprietor or owner of the system, by minimizing the potential for differences in received information and dishonest behavior or acting for only one’s personal interests. Consequently, numerous governments around the world have adopted audits as a means of diminishing or better controlling expenditures in the public sector. Internal audits play a crucial economic function and are crucial in serving the public interest by enhancing transparency and bolstering confidence and trust in financial reporting [15]. Furthermore, the importance of internal auditing in public-sector organizations should not be ignored, since it is closely linked to budgetary control, sound governance and policy positions, and efficient financial control [14].
Consequently, this study highlights the significance of internal auditing in enhancing risk management. Internal auditing plays a vital role in issues such as risk evaluation and reduction, adherence to standards and regulations, identifying and avoiding instances of fraud, monitoring and reporting, and ongoing enhancement [6,7,16,17,18]. Weekes-Marshall (2020) [19] states that examining and evaluating financial procedures, control mechanisms, and independent assurance can significantly improve the quality of financial reporting.
While extensive research has been carried out on risk-based internal audits in both advanced and emerging economies [5,6,13,20], there is an absence of analysis specifically focused on this topic in Saudi Arabia [21,22]. Saudi Arabia was one of the pioneers in introducing internal auditing operations in public organizations in its part of the world (AL-Rbai, 2020), but a significant number of departments of internal auditing in Saudi public organizations are not active [15,21]. It was stated a few years ago by Almahuzi (2020) [21] that numerous public organizations in Saudi Arabia in fact lack audit committees.
The insufficient research on auditing functions and their impact on public organizations in Saudi Arabia emphasizes the need for work to be done in this area [23]. Some studies [6,7] highlighted the significance of the internal auditor in reducing risks and improving risk management procedures. Meanwhile, Al-Taee and Flayyih (2023) [24] and Mujalli (2024a) [7] identified a research gap in the correlation between the internal auditor’s roles and risk management procedures in the public sector. Also Lois et al. (2021) [6] advised that it is important to investigate the issue of training in risk management in different sectors. In their recent work, Hazaea et al. (2023) [25] identified a research gap in the correlation between management support and risk management. Based on the above discussion, the researcher asserts that the problem revolves around identifying the role of internal auditing, training, and management support in improving risk management and improving risk-based internal auditing in Saudi public organizations.
This study provides numerous original contributions to the existing body of research on risk management and risk-based internal auditing. Initially, this paper presents new evidence pertaining to a developing economy. This study adds to a deeper comprehension of the aspects associated with risk management and their impact on the execution of risk-based internal auditing. Furthermore, this analysis illuminates other nations with comparable governance systems by specifically examining the Saudi public organizations setting. This work offers valuable insights into situations when the Type 2 agency issue is present.

2. Literature Review and Hypotheses Development

2.1. The Theoretical Framework

Several comprehensive theories have been established to analyze the importance of auditing in public-sector organizations. Oppong et al. (2023) [26] emphasize the significance of agency, managerial control, signaling, governance, and verification frameworks, among other factors. They contend that agency theory, which was formulated and advocated by Eisenhardt (1989) [27], Fama and Jensen (1983) [28], Mitnick (1973) [29] and Ross (1973) [30], has proved to be widely popular as a theoretical framework. These authors assert that both empirical and historical evidence strongly support the theory. According to agency theory, the divergence in ownership and power that is evident among shareholders and owners/managers results in moral hazard, differences in risk preferences, and unequal access to information [27,28]. Subsequently, the objective of well-constructed information systems, control machines, and supervision systems is to reduce agency costs and provide the greatest possible advantage to all parties involved [27]. From the agency’s viewpoint, the key goal of the internal audit is to report on and evaluate the activities and decisions made by management in implementing plans, attaining performance goals and ensuring sustainability, especially where financial inputs are concerned [5]. Implementing structured risk-based auditing methods as part of internal auditing will efficiently identify and reduce risks associated with strategies, while also ensuring that management behavior is in line with all relevant stakeholders’ interests.

2.2. Risk-Based Internal Audit

Internal auditing is crucial in the world’s contemporary economies to safeguard organizations from a host of risks [31]. Risk-based internal audit enhances the value and internal auditing efficiency by necessitating a deeper comprehension of its procedures to effectively fulfil stakeholders’ requirements [6]. Risk-based internal auditing is implemented to prioritize risk management. This guarantees that, firstly, potential risks that may hinder strategic objectives are promptly discovered and assessed; and secondly, the risk management approach and internal control approach operate effectively. By embracing this approach, the allocation of audit resources is optimized, resulting in improved quality of data that are collected, while minimizing the number of audit procedures that are required [7]. By concentrating on business risk, organizations can enhance their protection against risk. This can be achieved by implementing structured processes for risk evaluation that encompass all procedures, employing well-organized internal audit planning approaches, and regularly assessing the efficacy of the procedures for risk management and internal audit [5,11,13].

2.3. The Role of Internal Auditors in Risk Management

Agency theory suggests that internal auditing is essential for effective company governance. Previous research has determined that possessing comprehensive knowledge of organizations’ operations and the capacity to identify and assess potential risks are crucial skills for implementing risk-based internal auditing properly [5,6]. Risk-based internal auditing is a well-respected technique that has emerged out of internal auditing and is strongly related to risk management. How well a country’s risk management system works determines what an internal auditor is responsible for. A more organized system for managing risks may be put in place when the focus is on improving internal audits, which raises control awareness [6,7]. As part of their yearly audit strategy, internal auditors use results from risk assessments to enhance how well organizations perform.
In order to conduct effective audits, internal auditors must be vigilant in their pursuit of operational and strategic risks. Internal audits have the potential to increase the organization’s value by identifying and mitigating strategic risks and providing senior management with timely insights [32]. An essential criterion is the execution of comprehensive audits by internal auditors, who must acknowledge and comprehend strategic goals as well as the goals of crucial business activities [5,16]. Recent studies conducted by Lois et al. (2021) [6] and Mujalli (2024a) [7] indicate that internal auditors should prioritize the sufficiency and efficacy of risk management mechanisms. This has to be done in order to enhance awareness of risks, correspond internal audit with operational strategy, enhance control procedures, and improve the effectiveness of organizational activities. Based on the above argument the following research hypothesis is formulated:
H1. 
There is a significantly positive association between the role of internal auditors and risk management.

2.4. Training in Risk Management

Agency theory contends that internal auditing plays a crucial role in governance, especially as a monitoring mechanism. Previous research strongly suggests that developing organizational expertise and understanding the organization’s hazards are both important skills for improving risk management [6]. Internal audits can be advantageous to companies in developing an audit system that emphasizes risk management because proper risk management training has been carried out; it is needed based on the links between internal audit and risk management. Several years ago, Arena and Azzone (2009) [33] stated that compared to external auditors, internal ones have a better knowledge of the aspects that affect a company’s performance, identify possible risk concerns, and ensure that the line managers do their jobs properly or are able to implement the auditor’s recommendations. Essential functions of the internal auditors such as improving the internal audit quality and risk management cannot be assigned to employees because they are not trained for this role.
Furthermore, consulting and assurance services are about the monitoring, assessment, and improvement of processes [5]. It is vital for the firm’s management to learn different methods of risk identification and evaluation, such as the threat of deceiving others, as such training is a part of risk management. The present study is limited to highlighting the fact that risk-based internal auditing is a combined and systematic network inside the establishment, which enhances how such auditing is supposed to operate [34]. Staff risk management training is another characteristic that has been recognized as having a positive and significant association with the quality of an organization’s internal control system [35]. Risk management education helps workers notice risks to the company that may arise from compromised internal controls [6,7]. Based on the above, the following research hypothesis is formulated:
H2. 
There is a significantly positive association between risk management training and risk management.

2.5. Management Support in Risk Management

Agency theory emphasizes the importance of self-interest within an organizational context. It plays a significant part in the established system for management oversight. Organizations can invest in an oversight mechanism to monitor and prevent opportunistic managers [36]. The role of management support in risk management is crucial and has a substantial impact on the success of risk management procedures [7]. Prior studies highlight the importance of proactive and consistent support from senior management in order to cultivate a culture that is aware of risks and to guarantee the effective application of risk management systems [3,37]. This support is demonstrated in numerous ways, for instance providing the resources that are necessary, approving risk management legislation, and actively engaging in risk evaluation and reduction activities [7,38]. Research has demonstrated that when management actively participates and demonstrates dedication to risk management, it results in improved detection and control of risks [37], hence strengthening the general resilience of the business. Moreover, the support of management is crucial in inspiring staff and other stakeholders to comply with risk management procedures and actively participate in ongoing improvement endeavors [7]. With reference to the above discussion, the third hypothesis is suggested here:
H3. 
There is a significantly positive association between management support and risk management.

2.6. Risk Management

Agency theory asserts that in order to coordinate and oversee managerial activities and choices, many businesses use a variety of organizational rules and regulations. The risk management system’s formalization shows that management is committed to using the right structures and procedures for risk management [5,6,7,11,39]. Additionally, according to Lois et al. (2021) [6] and Woods (2007) [40], having a codified risk management system increases risk awareness within an organization or business company. It therefore stands to reason that as risk management systems become more sophisticated, internal audit departments will become more involved in risk assessment processes, for instance risk workshops and control and risk self-evaluation [3,40]. The level of risk management execution also determines the type and level of internal audit engagement with risk evaluation activities [5]. An organized method for managing risks lays a solid groundwork for conducting audits based on those risks, according to earlier studies. The following research hypothesis is formulated based on the argument outlined above:
H4. 
There is a significantly positive association between risk management and risk-based internal auditing.

2.7. Risk Management as Moderator

In the realm of modern governance, risk management has become a vital component in guaranteeing operational effectiveness and resilience [5,7,11]. The internal auditor’s role in the organization is crucial, as that person is responsible for discovering, evaluating, and minimizing any frauds or risks that may impede organizational goals [6]. Providing auditors with proper risk management training is crucial, since it enables them to acquire the necessary competencies and information required to effectively identify and assess company risks or dangers [7]. Moreover, what is crucial is the management’s commitment to risk management strategies and activities, because this cultivates a culture of risk consciousness and supplies the required resources for efficient risk reduction techniques [3]. By implementing risk-based internal auditing, the business can allocate resources according to its risk profile, thereby improving the overall quality of internal audits [6,7]. This comprehensive approach emphasizes the significance of a harmonious connection between management support, internal auditors, training, and risk- or internal-based auditing. With this in mind the following research hypotheses are formulated:
H5. 
Risk management mediates the association between the internal auditors’ role and risk-based internal auditing.
H6. 
Risk management mediates the association between training in risk management and risk-based internal auditing.
H7. 
Risk management mediates the association between management support and risk-based internal auditing.

3. Research Design

3.1. Data Collection Procedure

The present study’s research approach is cross-sectional, using primary data collected utilizing a questionnaire survey. Each participant in this survey responded to a standardized set of questions in which the circumstances were the same [31,41]. Sekaran and Bougie (2016) [42] consider the questionnaire to be the most essential and efficient method for collecting data. As well, Oppenheim (2000) [43] emphasizes one advantage of employing a questionnaire: it allows respondents to independently reflect on their replies, resulting in more immediate answers compared to those obtained through interviews. Moreover, Saunders et al. (2019) [44] propose that conducting a questionnaire survey makes it ideal to gather a significant amount of data from a specific sample of the population. The present study involves a large population and requires the collection of an enormous quantity of data from Saudi public organizations, the objective being to investigate the factors influencing risk management and how it in turn influences risk-based internal audit implementation.
Before distributing questionnaires to respondents, a pre-test was conducted. The aim of the pre-test was to assess the validity of the factors in the survey, ensuring that the material was properly expressed, legitimate and that the questions were rational or logical. Nine individuals were selected, four of whom had previously worked as internal auditors in public organizations, while the remaining five had academic backgrounds in accounting and auditing. The preliminary feedback assists in improving the content of the survey. During the pre-test, the researchers distributed survey questionnaires to individuals who had shown interest. Only 241 out of the 500 surveys were returned, which amounts to less than half. The existing study employed a total of 234 survey questionnaires for the final analysis, due to seven having shown erroneous data so they could not be used for the analysis.

3.2. Questionnaire Development

A comprehensive study assessment was conducted to ascertain the measures of the variables involved in the analysis. Table 1 displays the inclusion of 20 questions in the conceptual model, which were used to gather structured data. Each item was assessed using a Likert scale of five points, with 1 representing strong disagreement and 5 representing strong agreement.

3.3. Data Processing and Analyzing

Data administration followed the recommendation made by Hair et al. (2019) [45]. Data were analyzed utilizing SPSS version 22 and Smart PLS version 4. Descriptive statistics analysis was conducted using several tests for the variables, including percentages, frequencies, standard deviation, and mean. An extra operation was conducted, involving the transfer of data from the SPSS system to a comma-delimited format, in order to enable the utilization of the data in Smart PLS-SEM. Employing the Smart PLS 4 program to analyze the data, precisely Partial Least Squares Structural Equation Modeling (PLS-SEM) was performed for several significant reasons. Firstly, Roldán and Sánchez-Franco, (2012) [46], propose using PLS-SEM because it incorporates strong predictive powers in understanding a wide range of dependent variables and capturing significant variance. Secondly, PLS-SEM effectively manages both measurement and structural models concurrently and is well suited for assessing intricate path models [47]. Thirdly, it demonstrates efficacy even when working with small sample numbers, providing dependable findings [48]. Therefore, PLS-SEM is the ideal method for conducting this study and it is a process consisting of two stages. The first stage involves evaluating the measurement model to ensure that only reliable and valid constructs are included. The second stage consists of assessing the structural model to determine the predictive relevance of the study model, the path coefficients, and the significance of proposed associations [49]. This investigation adhered to the parameters outlined in authoritative literature on PLS-SEM, utilizing the Smart-PLS 4 software [45].

4. Results

4.1. Descriptive Analysis

Table 2 summarizes the demographic characteristics of the participants of this study. The majority of individuals were in the 30 to 39 age cohort, with females representing 24.8% of the sample while males constituted 75.2%. The data clearly indicated that 69.7% of the survey respondents have a Bachelor’s degree. 50% of the participants are employed as internal auditors, while 35.5% have been in this position for 10 to 14 years.

4.2. Common Method Bias

Common method bias (CMB) is a common occurrence in behavioral research, as highlighted by Madawaki et al. (2022) [31] and Mujalli 2024 [7]. It presents a substantial problem when analyzing self-survey findings, as noted by Podsakoff et al. (2012) [50]. In order to curtail the influence of CMB, two methods may be deployed and these are operational and statistical. Researchers should provide assurance to participants throughout the gathering of data that their particular data are protected, following proper procedure [7]. Furthermore, it is important to provide respondents with reassurance that the survey is devoid of errors and has been formulated using uncomplicated and understandable language [51]. Statistically, Harman’s single-factor test is commonly utilized to test common method variance (CMV) [51].
Harman (1976) [52] proposed utilizing a unidimensional test to evaluate the existence of CMV throughout the constructs. The results revealed that each of the variables in the model were categorized into 20 distinct factors. However, the findings indicated that the model’s items were divided into 20 separate factors, with the first accounting for only 38.235% of the total variance, well below the 50% threshold. In addition, a comprehensive collinearity evaluation test was undertaken employing SmartPLS, a widely acknowledged and reliable approach [53]. It is endorsed by several scholars in the field of social science [7]. The value of the variance inflation factor (VIF) for all variables was found to be below the recommended threshold of 5, demonstrating that common method bias is not a concern in the present study’s data [53].

4.3. Measurement Model Assessment

To evaluate a measurement model that uses first-order reflective constructs, it is necessary to assess the reliability and validity of the constructs [45]. This examination often follows a two-step process: first, examining the reliability and convergent validity of individual items, and then analyzing discriminant validity. The reliability of an item is measured by its factor loadings, and loadings above 0.6 are regarded as acceptable [45]. Convergent validity is evaluated by measuring composite reliability (CR) and average variance extracted (AVE). For a reliable measurement of a construct to occur, the CR values should be higher than 0.7. Indicated here is that the items consistently measure the construct. Additionally, the AVE values should be greater than 0.5, suggesting that the construct explains more than half of the variance in its indicators. These guidelines are based on the research by Hair et al. (2019) [45] and Shmueli et al. (2019) [47]. Discriminant validity is assessed by verifying the uniqueness of each concept, typically through the usage of either the Fornell–Larcker criterion or the heterotrait–monotrait (HTMT) ratio.
The constructs RIA, MS, RBIA, RME, and TRM have been assessed for their reliability and validity, as shown in Table 3 and Figure 1. The item loadings for each construct above the acceptable level (loading > 0.60) suggest strong item reliability. All of the VIF values are below 3, meaning that any multicollinearity problems are absent. In terms of construct reliability, the CR values for all constructions exceed 0.8, therefore satisfying the threshold of 0.7. All constructs have AVE values above 0.5, meaning that there is satisfactory convergent validity. The RIA model has a CR of 0.859 and an AVE of 0.505. The MS model has a CR of 0.895 and an AVE of 0.682. The RBIA model has a CR of 0.875 and an AVE of 0.637. The RME model has a CR of 0.919 and an AVE of 0.792. Lastly, the TRM model comprises a CR of 0.890 and an AVE of 0.731. These findings strongly suggest that the measurement model is both accurate and valid, establishing a strong basis for further study.
The discriminant validity of the constructs was assessed by employing both the HTMT ratio and the Fornell–Larcker criterion. According to Table 4, the HTMT ratio values between constructs are all below the threshold of 0.85, which means that the constructions are clearly different from each other [54]. More precisely, the maximum HTMT value recorded is 0.729 between RME and RBIA, which is inside the permissible range. The distinctiveness of the conceptions is confirmed here.
The Fornell–Larcker standard provides additional proof of discriminant validity by comparing the square root of the AVE for each construct (displayed on the diagonal) with the correlations between constructs, i.e., displayed off-diagonal [55]. As displayed in Table 5, the AVE for MS is 0.826, which is higher than its correlations with other constructs such as RBIA (0.569) and RIA (0.431). Likewise, all other structures conform to this pattern, suggesting that each structure has a greater degree of similarity with its own indicators than with the indicators of other structures. Collectively, the results show that the constructs have sufficient discriminant validity and this guarantees their conceptual distinctiveness.

4.4. The Structural Model

4.4.1. Explanatory Power of the Model

The PLS-SEM results are evaluated for their explanatory ability using effect size (f2), coefficient of determination (R2), and predictive relevance (Q2), as displayed in Table 6. The effect size, denoted as f2, quantifies the magnitude of the influence that a particular external factor has on an internal factor, as defined by Cohen in 1988. Within this investigation, the dependent construct is significantly influenced by RME, which has a substantial effect size of 0.672. In contrast, MS and RIA have smaller impact sizes of 0.105 and 0.091, respectively, on RBIA and RME. The TRM study shows a very small effect size of 0.023, suggesting that it wields a minor influence on the dependent construct. The coefficient of determination (R2) measures the amount of variability in the dependent variable that can be accounted for by the independent variables [56]. The RBIA model has an R2 score of 0.402, which means that 40.2% of the variability in RBIA can be accounted for by the model. The R2 value of RME is 0.363, revealing that 36.3% of the variability in RME can be accounted for by the model.
The modified R2 values for RBIA and RME are marginally reduced to 0.399 and 0.354, respectively, taking into consideration the number of predictors in the model. The predictive relevance (Q2) approach, created by Geisser (1974) [57], utilizes a blindfolding process. It evaluates the model’s ability to make predictions on data that were not used during the model’s development. Q2 scores over zero reveal the presence of predictive relevance. The Q2 score for RBIA is 0.232, while for RME it is 0.277, suggesting good predictive relevance in both cases. The SSO (sum of squared observations) and SSE (sum of squared errors) values are utilized in the computation of Q2, where the Q2 value is determined by the ratio of the difference between SSE and SSO to SSO. In general, the model has a high level of explanatory ability, as indicated by considerable effect sizes, significant coefficients of determination, and sufficient predictive significance for the components RBIA and RME.

4.4.2. Hypotheses Findings

The findings of the structural model, displayed in Table 7 and Figure 2 below, strongly confirm all the expected relationships in the model. Each hypothesis examines the direct and indirect impacts between the constructs RIA, TRM, MS, RME, and RBIA. Concerning direct effects, Hypothesis 1 (RIA → RME) is substantiated, demonstrating a path coefficient of 0.316, a T statistic of 4.492, and a p-value of 0.000, indicating a substantial and positive correlation between RIA and RM. The validation of Hypothesis 2 (TRM → RME) is confirmed, exhibiting a substantial positive correlation with a path coefficient of 0.149, a T statistic of 2.283, and a p-value of 0.022. The third hypothesis (MS → RME) demonstrates a statistically significant positive correlation, with a path coefficient of 0.287, a T statistic of 5.054, and a p-value of 0.000. In addition, Hypothesis 4 (RME → RBIA) demonstrates a significant and positive correlation, with a path coefficient of 0.634, a T statistic of 14.715, and a p-value of 0.000. Hypothesis 5 (RIA → RME → RBIA) is supported, highlighting a significant indirect impact of 0.200, with a T statistic of 4.321 and a p-value of 0.000. Mediation effects are indicated here. Furthermore, Hypothesis 6 (TRM → RME → RBIA) is supported by a noteworthy indirect impact of 0.095, a T statistic of 2.175, and a p-value of 0.030. Hypothesis 7 (MS → RME → RBIA) is further validated, demonstrating a substantial indirect impact of 0.182, with a T statistic of 4.592 and a p-value of 0.000. In summary, the findings of the structural model strongly suggest that RIA, TRM, and MS exert a major influence on RME, which in turn has a substantial impact on RBIA. The mediating effects of RME highlight the crucial function of RME in the connections between RIA, TRM, MS, and RBIA. The findings provide robust endorsement for the suggested theoretical model.

4.4.3. PLS Predict Results

Using the computation approach for predictive relevance in PLS-SEM given by Shmueli et al. (2019) [47], the researchers initially computed the Q2 values for the latent variables (LVs). When the Q2 value exceeded zero, we computed the predicted performance for each item. Shmueli et al. (2019) [47] state that when the values of PLS-LM for fewer or minority items are less, what is suggested here is a lack of predictive capacity. In contrast, when all items had greater PLS-LM values, it meant that there was no ability to forecast. If the values of PLS-LM for every item were lower, it suggested a higher level of predictive power. The PLS-predict findings displayed in Table 8 demonstrate that the values of Q2-predict for every construct were positive, suggesting their predictive significance. As an example, the value of Q2-predict for RBIA1 was 0.273, with a PLS RMSE of 0.683 and an MAE of 0.501.
These values were marginally superior to the LM (Linear Model) RMSE of 0.682 and MAE of 0.507. RBIA2 had a Q2-predict value of 0.220, surpassing the LM’s RMSE of 0.956 and MAE of 0.686 with a PLS RMSE of 0.936 and an MAE of 0.686, but only slightly. These results demonstrate that the PLS model exhibits superior prediction capability for these items. In general, the PLS model consistently showed lower or similar RMSE and MAE values compared to the LM model for the components RBIA1, RBIA2, RBIA3, RBIA4, RME1, RME2, and RME3. Indicated here is that the PLS model has a greater level of predictive accuracy. More precisely, the values of PLS RMSE and MAE were lower for all constructs, which leads to the idea that the PLS model has a higher level of predictive accuracy compared to the LM model.

4.5. Importance-Performance Map Analysis

The visual depiction of route coefficients, specifically using Importance-Performance Map Analysis (IPMA), is a widely acknowledged and important instrument in SEM (Hair et al., 2017) [45]. IPMA offers a detailed comprehension of the significance and effectiveness of different components in a model, enabling focused enhancements and strategic decision-making. The findings illustrated in Figure 3 confirm the relative effectiveness and significance of the variables being examined. More precisely, when it comes to RME predictions, the concepts of IAR (Incremental Accuracy Ratio), MS (Mean Squared), TRM (Temporal Reliability Measure), and OI (Overall Information) demonstrate significant significance and effectiveness measurements. The IAR scores are (0.315, 77.661), suggesting a significant degree of relevance combined with excellent performance.
Analogously, the values of MS are (0.286, 67.197), stipulating its substantial contribution and acceptable performance in the framework. Among all exogenous constructions, TRM stands out as having the greatest performance measure, despite its relatively lower significance value of 0.149 and a performance value of 77.922. Implied here is that although TRM may not be considered highly significant, its execution and influence are remarkably efficient. The exceptional performance of TRM (77.922) emphasizes its successful integration and usefulness inside the model, whereas the greatest relevance value identified for IAR (0.315) stresses its crucial role in driving results. The insights from the IPMA highlight the strengths and opportunities for development, giving a complete perspective of how the components contribute to the overall effectiveness of the framework.

5. Empirical Findings and Discussion

The transition from legislation and adherence to accomplishments, namely strategic planning, has led to a greater understanding that governance systems should prioritize relevant concerns in a strategic manner. From an agency standpoint, the acknowledgment of the internal audit role management support, risk management and risk-based internal auditing methods has been driven by the necessity to effectively monitor the level of exposure to risks inherent in an organization’s strategy. The primary purpose of the internal auditing role is to oversee managers’ actions and behaviors and assess the efficiency and integrity of organizational processes [14,19,25]. At this point, the function of internal audit is primarily using the risk-based internal auditing method as its main audit technique [5,6,7]. Implementing an established and disciplined internal audit methodology will ultimately enhance the effectiveness of internal audit operations [15].
Thus, effective internal auditing is essential in today’s business environment in order to avoid deficiencies concerning the governance and financial reporting issues, as well as to comprehend and pinpoint risks that jeopardize organization goals, processes and strategies [3,58,59,60]. Risk-based internal auditing is a contemporary approach to auditing that successfully combines what were formerly seen as separate roles: internal auditing and risk management [5,6,7,11,61]. This study emphasizes the comprehensive use of risk-based internal auditing methods in internal audit operations, encompassing planning, implementation, and reporting. Moreover, this study presents concrete data regarding the cause and direction of the important factors that impact on risk management and also its effect on the risk-based internal audit implementation. Overall, this study’s findings highlight the significance of having a robust risk culture in mitigating agency issues.
The finding of the internal auditor’s role in risk management has a substantial impact on risk management. This finding aligns with what previous research [3,6,7,16,62] reported. It is suggested that by offering comprehensive risk detection, evaluation, and reduction solutions, internal auditors greatly improve risk management processes. Their knowledge and impartial evaluation support a more organized and efficient system of risk management. According to Abdullatif and Kawuq (2015) [16], internal auditors demonstrate a satisfactory understanding of significant workplace strategies and duties, even though there is still potential for improvement. Lois et al. (2021) [6] have suggested that internal auditors should regularly inform senior management about risks that pose a threat to the organization’s sustainability, therefore highlighting the need for more attention being paid to this matter.
Significant efforts are being made to improve the monitoring, assessment, and reporting of the quantity and effectiveness of risk management and internal control mechanisms [5,6]. By enhancing awareness of control and reinforcing a reliable process of risk management, internal auditing able to fulfill its expanded role in a trustworthy and reliable manner [7]. Moreover, the findings addressing the participation of internal auditors in risk evaluations indicate that they not only provide assurance on procedures for risk management, but also evaluate the reporting of risks. Consistent with the findings documented by Allegrini and D’onza (2003) [62], a considerable number of participants hold the view that management plays a crucial role in establishing the strategy required for successful risk management. The findings of this study demonstrate how important internal auditors are to developing a strong risk management culture and making sure organizations are better able to assess and manage risks. Consequently, Saudi public organizations should make use of internal auditors’ expertise to fortify their risk management procedures and enhance the resilience of their organizations.
The finding of the training in risk management has a significant impact on risk management. This finding aligns with prior research carried out by others [7,33]. The study conducted by Lois et al. (2021) [6] suggests that training initiatives improve staff members’ capacity to recognize, evaluate, and effectively manage risks. Training in risk management facilitates a more proactive and all-encompassing approach to risk management, and it does this by providing employees with the requisite abilities and information [3]. Subsequently, the findings of this study highlight how crucial ongoing risk management education is to developing an effective structure for risk management. Also, they advise Saudi public organizations to make risk management training a top priority and allocate funds on a regular basis to improve their general risk management capacities.
The finding of management support in risk management has a significant impact on risk management. This finding aligns with prior research carried out by Allegrini and D’onza (2003) [62], Drogalas et al. (2018) [3], Lois et al. (2021) [6] and Mujalli (2024a) [7]. The study conducted by Mujalli (2024a) [7] suggests that robust support given by the management improves risk management procedures. It does this by cultivating a culture that gives priority to understanding risk and proactive risk reduction. When management actively participates in and endorses risk management endeavors, it guarantees sufficient resources, transparent communication, and uniform execution of risk strategies [3,37]. This supports the conclusion reached by Abidin (2017) [5], who stated that risk management is essential for establishing a culture in which risk management is seamlessly incorporated into every aspect of the organization. Consequently, Saudi public organizations gain advantages from enhanced risk detection, evaluation, and management, which eventually ends in enhanced resilience of organizations and better performance.
The findings in risk management indicate that it exerts a substantial impact on the risk-based internal auditing implementation, which aligns with previous research conducted by Abidin (2017) [5] Mujalli (2024a) [7], Coetzee and Lubbe (2014) [11]. The procedure for risk management promotes a heightened awareness of risk and fosters a culture that concentrates on managing risk. Establishing a well-defined framework for risk management tasks and processes motivates management to simulate responsibly for implementing more efficient practices for risk management [5]. A culture that is more cautious about taking risks encourages a department’s administration to carefully assess the level of risk involved in all decisions and activities [11]. The results corroborate the perspective proposed by Lois et al. (2021) [6] and Mujalli (2024a) [7]: having an up-to-date system that integrates risk management, fosters a resilient environment for taking risks, and provides a strong foundation for implementing the risk-based internal auditing.
Based on what this study has reported, it is important to support the internal audit’s focus on key risks and the sufficiency of procedures for managing risks, since these are crucial for the effective implementation of risk-based internal auditing. Saudi public organizations appear to have sufficient protocols in place to establish a standard risk management approach. Clearly, significant improvements are necessary to clearly define the responsibilities and obligations, in addition to the procedures, of the risk management system [3]. According to Crawford and Stein (2002) [63], to implement risk management rules, it is essential to have either the administrator of risk management or a distinct risk management unit operating within the department. This body should operate in a way that lets internal auditors successfully carry out their responsibilities [40].
The finding of risk management acts as a mediator between internal auditor’s role and the risk-based internal auditing implementation. The findings support the hypothesis, revealing a significantly positive association this finding aligns with prior research [6,7]. This demonstrates that the implementation of appropriate risk management strategies improves internal auditors’ capacity to carry out risk-based auditing effectively. As stated by Abdullatif and Kawuq (2015) [16] and Lois et al. (2021) [6], internal auditors enhance the kind of work that they do by utilizing their specialized knowledge in identifying and evaluating risks, resulting in a more organized and targeted approach.
The finding of risk management acts as a mediator between training in risk management and the risk-based auditing implementation. The findings support the hypothesis, revealing a significantly positive association that this finding aligns with prior research [6,7,33]. As Lois et al. (2021) [6] pointed out, effective risk management strategies are crucial for connecting these elements to successful risk-based internal audits. Thus, the finding reported in this study demonstrated that effective risk-based internal auditing implementation in Saudi public organizations is facilitated by highly skilled internal auditors, robust managerial support and comprehensive risk management frameworks. This collaboration guarantees that audits concentrate on crucial risks, thereby enhancing the efficiency with which work is done as stated by Arena and Azzone (2009) [33]. In general the findings of this study highlight the significance of combining strong risk management practices with auditor training and management assistance, in order to enhance risk-based auditing results in the public sector.
The finding of risk management acts as a mediator between management support and the risk-based auditing implementation. The findings support the hypothesis, revealing a significantly positive association that this finding aligns with prior research findings [3,7,62]. Thus, the finding reported in this study confirmed the work that was conducted by Mujalli (2024a) [7] and Drogalas et al. (2018) [3]. They concluded that having a robust management support system in place improves risk management practices by cultivating a culture that accords high importance to risk awareness and taking proactive measures to mitigate risks. When management actively participates in and endorses risk management initiatives, sustainability, it guarantees sufficient resources, transparent communication, and uniform execution of risk strategies [32]. Consequently, this enables the effective execution of internal auditing based on risk assessment [6].
This study’s findings emphasize the research conducted by Mujalli (2024a) [7] who support the contention that it is essential to establish an environment in which risk management is seamlessly incorporated into all organizational functions. Thus, the significance of organization management’s dedication to promoting a resilient risk management culture, will enhance the internal audit procedures and overall organizational efficiency in Saudi public organizations. Consequently, Saudi public-sector organizations experience advantages in terms of enhanced risk detection, evaluation, and management, ultimately resulting in enhanced ability to withstand and recover from challenges, as well as improved overall performance.

6. Conclusions

The findings in this paper support the arguments made by agency theory. There is a significant association between the role of internal auditors in risk management, the training in risk management, and management support on risk management, and there is also a significant association between risk management and risk-based internal auditing implementation. A proactive and diligent approach realizes the possibilities for the role of internal auditors as information providers in addressing the problem of information asymmetry in organizations. The aforementioned established risk management system enhances management’s understanding of risk management by providing an efficient and well-working infrastructure.
Thus, the effective cooperation between risk management and the internal audit is crucial for strengthening the organization’s resilience and attaining strategic objectives. Through collaboration, these services guarantee a thorough strategy for recognizing, evaluating, and minimizing risks. This collaboration promotes a strong control environment, wherein risk management generates valuable information on developing risks while internal audit provides independent confirmation on the efficiency of controls. The collective endeavors result in enhanced decision-making, heightened transparency, and augmented stakeholder confidence, eventually propelling the organization to sustainable expansion and operating superiority.
In conclusion, the relevance of risk-based internal auditing deployment as a planned strategy has been clearly shown by this empirical study and earlier research. Adhering to the right risk management strategy and internal control mechanisms, this method enables internal auditors to provide authoritative advisory services and financial statements. The ultimate responsibility for every organization’s success or failure lies with its management.

6.1. Implications

The research findings underscore the necessity of regulatory authorities conducting an overview of the policies and regulations that govern internal audits in public-sector organizations. As Saudi Arabia’s public-sector organization continues to modernize its financial infrastructure, regulators may leverage the knowledge gained from sustainable risk-based internal auditing to establish systems that facilitate a proactive approach. In order to improve general responsibility and governance, policymakers may require companies to implement more comprehensive, methodical internal audit processes. This study advocates for auditors to transcend conventional audit structures by emphasizing the necessity of a risk-based internal auditing system that is constantly evolving. Increasing the competency of internal auditors in risk surveillance and management is recommended. A reduced likelihood of operational failures is ensured by more efficient audits that align with organizational objectives through enhanced comprehension of risk-based methodologies. Additionally, the implementation of a sustainable approach to internal audits ensures that audits are not solely reactive, but also forward-thinking, as they assess both current and future hazards that may jeopardize corporate objectives.
This study emphasizes the importance of establishing robust internal surveillance systems that can be implemented on a consistent basis in a variety of sectors. These approaches have the potential to enhance the credibility of financial reporting and safeguard companies from unforeseen risks. By integrating a realistic, real-time monitoring system with more comprehensive internal audits, it is possible to significantly reduce financial deception, thereby enhancing stakeholder confidence. These systems contribute to the improvement of organizational performance and public confidence by reducing financial fraud and mismanagement situations. The research provides managers and administrators with a practical comprehension of how to optimize the factors that influence internal audit performance. By comprehending and optimizing these variables, management teams may execute risk control strategies with greater efficacy. This leads to a more robust organizational framework that can withstand both internal operational hazards and external market demands. The emphasis on executive management engagement also suggests that top executives should be more actively involved in auditing procedures to ensure that audits serve as strategic instruments rather than mere formalities.
This study establishes a foundation for further exploration of sustainability solutions that are based on internal risk. Future research may further investigate the long-term implications of these methods on sector-wide best practices and organizational success. Risk-based internal auditing ‘s scalability and flexibility across various sectors may also be investigated by researchers. This generates novel research avenues and contributes to the evolving discourse regarding audit techniques and risk management. This study also implies the importance of technology solutions that enhance the efficacy and accuracy of risk-based internal audits in light of the rapid digitization of audit processes on a global scale. By combining cloud-based audit solutions, artificial intelligence, and data analytics, internal auditing could be further enhanced. This is especially important for Saudi Arabia’s large public-sector organizations that manage vast quantities of financial data. Real-time auditing, predictive risk assessments, and data-driven insights—all of which would enhance the effectiveness of internal audits could be facilitated by advanced technology.

6.2. Research Limitations, Recommendations for Future Study

It is important to acknowledge and take into account several noteworthy limitations when analyzing and drawing conclusions from the findings of this research. The present investigation is initially restricted in terms of its geographical and thematic boundaries. This study was limited to a specific population, namely public-sector organizations in Saudi Arabia. Consequently, the findings lack immediate applicability to a broader or global context. Future research should aim to broaden its scope beyond the limitations of this specific geographical region, in order to include organizations from diverse sectors and countries. By conducting a comprehensive analysis of risk management practices within different institutional environments and regulatory frameworks, a deeper understanding of these practices can be achieved. This would enable researchers to gain valuable insights into the effectiveness and efficiency of risk management strategies in different contexts. The method of data collection represents a noteworthy constraint in this study. This study made efforts to enhance the response rate by utilizing a concise questionnaire. However, it is important to note that this study primarily relied on survey data, which consequently imposed limitations on the depth of the data collected. The richness of the data is somewhat compromised due to the inherent limitation of short surveys in capturing more nuanced insights. For the purpose of enhancing the comprehensiveness of risk management practices analysis, it is suggested that forthcoming investigations may derive advantages from employing a more extensive survey structure that encompasses a wider range of enquiries and integrates more rigorous variables.
Furthermore, it should be noted that the utilization of a quantitative methodology in this particular investigation, while advantageous, may not fully capture the intricate variables that impact the field of risk management. The utilization of qualitative methodologies, such as conducting in-depth interviews or analyzing case studies, has the potential to provide a more comprehensive understanding of the dynamics of organizational culture, leadership, and external factors that shape risk management practices. For example, a potential avenue for future investigation could involve examining the degree to which managerial attitudes towards risk and the structure of organizational hierarchies impact the implementation and efficacy of risk management policies. Conducting interviews with risk managers and auditors has the potential to offer valuable insights that may not be captured by a quantitative survey. This can enhance our understanding of the complexities and intricacies involved in risk management. Ultimately, this study presents several unique prospects for future exploration. This study highlights the importance of conducting a more comprehensive examination of the policy implications associated with risk management strategies. Further investigation may be warranted to examine the development of bespoke risk management frameworks tailored to the specific circumstances of individual organizations, with the aim of enhancing the effectiveness of policies. The purpose of these recommendations is not solely to bring this study to a close, but rather to act as a stimulus for continuous research, thus driving future advancements in the academic and practical aspects of risk management.

Author Contributions

Conceptualization, A.A. and A.M.; Methodology, A.A.; Software, A.A.; Validation, A.A.; Formal analysis, A.A.; Investigation, A.A.; Writing–original draft, A.A.; Writing–review & editing, A.M.; Supervision, A.M.; Project administration, A.M. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Informed Consent Statement

Informed consent was obtained from all subjects involved in this study.

Data Availability Statement

The datasets used during the current study are available from the corresponding author on reasonable request.

Acknowledgments

The authors gratefully acknowledge the funding of the Deanship of Graduate Studies and Scientific Research, Jazan University, Saudi Arabia, through Project Number: GSSRD-24.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Yazo-Cabuya, E.J.; Ibeas, A.; Herrera-Cuartas, J.A. Integrating Sustainability into Risk Management through Analytical Network Process. Sustainability 2024, 16, 2384. [Google Scholar] [CrossRef]
  2. Jiménez, A.; Arrieta, Y.; Nuñez, M.A.; Villanueva, E. Management of Strategic Risks for the Sustainability of SMEs in the Manufacturing Sector in Antioquia. Sustainability 2024, 16, 2094. [Google Scholar] [CrossRef]
  3. Drogalas, G.; Eleftheriadis, I.; Pazarskis, M.; Anagnostopoulou, E. Perceptions about effective risk management. the crucial role of internal audit and management. Evidence from greece. Invest. Manag. Financ. Innov. 2018, 14, 1–11. [Google Scholar] [CrossRef] [PubMed]
  4. Jin, J.; Zhou, H. A demand-side inoperability input–output model for strategic risk management: Insight from the COVID-19 outbreak in Shanghai, China. Sustainability 2023, 15, 4003. [Google Scholar] [CrossRef]
  5. Abidin, N.H.Z. Factors influencing the implementation of risk-based auditing. Asian Rev. Account. 2017, 25, 361–375. [Google Scholar] [CrossRef]
  6. Lois, P.; Drogalas, G.; Nerantzidis, M.; Georgiou, I.; Gkampeta, E. Risk-based internal audit: Factors related to its implementation. Corp. Gov. Int. J. Bus. Soc. 2021, 21, 645–662. [Google Scholar] [CrossRef]
  7. Mujalli, A. Factors Affecting the Implementation of Risk-Based Internal Auditing. J. Risk Financ. Manag. 2024, 17, 196. [Google Scholar] [CrossRef]
  8. Turetken, O.; Jethefer, S.; Ozkan, B. Internal audit effectiveness: Operationalization and influencing factors. Manag. Audit. J. 2020, 35, 238–271. [Google Scholar] [CrossRef]
  9. Alazzabi, W.Y.E.; Mustafa, H.; Karage, A.I. Risk management, top management support, internal audit activities and fraud mitigation. J. Financ. Crime 2023, 30, 569–582. [Google Scholar] [CrossRef]
  10. Gupta, H.; Kharub, M.; Shreshth, K.; Kumar, A.; Huisingh, D.; Kumar, A. Evaluation of strategies to manage risks in smart, sustainable agri-logistics sector: A Bayesian-based group decision-making approach. Bus. Strategy Environ. 2023, 32, 4335–4359. [Google Scholar] [CrossRef]
  11. Coetzee, P.; Lubbe, D. Improving the efficiency and effectiveness of risk-based internal audit engagements. Int. J. Audit. 2014, 18, 115–125. [Google Scholar] [CrossRef]
  12. Koutoupis, A.G.; Tsamis, A. Risk based internal auditing within Greek banks: A case study approach. J. Manag. Gov. 2009, 13, 101–130. [Google Scholar] [CrossRef]
  13. Anugraheni, E.P.; Setiawati, E.; Trisnawati, R. Analysis of Risk-Based Internal Audit Planning Implementation and Its Impact on Audit Quality: Case Study at the Inspectorate of Surakarta, Indonesia. J. Econ. Bus. 2022, 3, 5. [Google Scholar] [CrossRef]
  14. Alzeban, A.; Gwilliam, D. Factors affecting the internal audit effectiveness: A survey of the Saudi public sector. J. Int. Account. Audit. Tax. 2014, 23, 74–86. [Google Scholar] [CrossRef]
  15. Mujalli, A.Y.A. Internal Audit Effectiveness in Saudi Arabia’s Public Sector Higher Education System. Ph.D. Dissertation, RMIT University, Melbourne, Australia, 2020. [Google Scholar]
  16. Abdullatif, M.; Kawuq, S. The role of internal auditing in risk management: Evidence from banks in Jordan. J. Econ. Adm. Sci. 2015, 31, 30–50. [Google Scholar] [CrossRef]
  17. Almagrashi, A.; Mujalli, A.; Khan, T.; Attia, O. Factors determining internal auditors’ behavioral intention to use computer-assisted auditing techniques: An extension of the UTAUT model and an empirical study. Future Bus. J. 2023, 9, 74. [Google Scholar] [CrossRef]
  18. Grima, S.; Baldacchino, P.J.; Grima, S.; Kizilkaya, M.; Tabone, N.; Ellul, L. Designing a Characteristics Effectiveness Model for Internal Audit. J. Risk Financ. Manag. 2023, 16, 56. [Google Scholar] [CrossRef]
  19. Weekes-Marshall, D. The role of internal audit in the risk management process: A developing economy perspective. J. Corp. Account. Financ. 2020, 31, 154–165. [Google Scholar] [CrossRef]
  20. Wang, X.; Ferreira, F.A.F.; Yan, P. A multi-objective optimization approach for integrated risk-based internal audit planning. Ann. Oper. Res. 2023, 1–30. [Google Scholar] [CrossRef]
  21. Almahuzi, A.S. Factors Impacting the Effectiveness of Internal Audit in the Saudi Arabian Public Sector. Ph.D. Dissertation, Victoria University, Melbourne, Australia, 2020. [Google Scholar]
  22. AL-RBAI, Z.M. The Effectiveness of Internal Audit in Government Units in the Kingdom of Saudi Arabia and their Obstacles in the Light of the Saudi Vision 2030 and Current Changes. Multi-Knowl. Electron. Compr. J. Educ. Sci. Publ. 2020, 1, 38. [Google Scholar]
  23. Omer, W.K.H.; ALJAAIDI, K.S.; AL-MOATAZ, E.S. Risk management functions and audit report lag among listed saudi manufacturing companies. J. Asian Financ. Econ. Bus. 2020, 7, 61–67. [Google Scholar] [CrossRef]
  24. Al-Taee, S.H.H.; Flayyih, H.H. Impact of the electronic internal auditing based on IT governance to reduce auditing risk. Corp. Gov. Organ. Behav. Rev. 2023, 7, 94–100. [Google Scholar] [CrossRef]
  25. Hazaea, S.A.; Zhu, J.; Khatib, S.F.A.; Elamer, A.A. Mapping the literature of internal auditing in Europe: A systematic review and agenda for future research. Meditari Account. Res. 2023, 31, 1675–1706. [Google Scholar] [CrossRef]
  26. Oppong, C.; Fofack, A.D.; Boakye-Yiadom, E. Efficacy of public sector audits in the provision of quality healthcare in Ghana. J. Econ. Adm. Sci. 2023, 39, 1108–1121. [Google Scholar] [CrossRef]
  27. Eisenhardt, K.M. Agency theory: An assessment and review. Acad. Manag. Rev. 1989, 14, 57–74. [Google Scholar] [CrossRef]
  28. Fama, E.F.; Jensen, M.C. Separation of ownership and control. J. Law Econ. 1983, 26, 301–325. [Google Scholar] [CrossRef]
  29. Mitnick, B.M. Fiduciary rationality and public policy: The theory of agency and some consequences. In Proceedings of the 1973 Annual Meeting of the American Political Science Association, New Orleans, LA, USA, 4–8 September 1973. [Google Scholar]
  30. Ross, S.A. The economic theory of agency: The principal’s problem. Am. Econ. Rev. 1973, 63, 134–139. [Google Scholar]
  31. Madawaki, A.; Ahmi, A.; Ahmad, H.N. Internal audit functions, financial reporting quality and moderating effect of senior management support. Meditari Account. Res. 2022, 30, 342–372. [Google Scholar] [CrossRef]
  32. MetricStream. State of Internal Audit 2018-Impact and Opportunities, MetricStream Research. 2018. Available online: https://info.metricstream.com/Internal-Audit-2018-Impact-and-Opportunities.html? (accessed on 8 April 2023).
  33. Arena, M.; Azzone, G. Identifying organizational drivers of internal audit effectiveness. Int. J. Audit. 2009, 13, 43–60. [Google Scholar] [CrossRef]
  34. Ar’Reza, I.F.; Wardoyo, C.; Putri, S.F. Internal auditors’ fraud detection: A phenomenological study. Int. J. Account. Financ. Asia Pasific 2020, 3, 68–76. [Google Scholar] [CrossRef]
  35. Rae, K.; Subramaniam, N. Quality of internal control procedures: Antecedents and moderating effect on organisational justice and employee fraud. Manag. Audit. J. 2008, 23, 104–124. [Google Scholar] [CrossRef]
  36. Mujalli, A.; Almgrashi, A. A Conceptual Framework for Generalised Audit Software Adoption in Saudi Arabia by Government Internal Auditing Departments using an Integrated Institutional Theory-TOE Model. In Proceedings of the 2020 IEEE Asia-Pacific Conference on Computer Science and Data Engineering (CSDE), Gold Coast, Australia, 16–18 December 2020; pp. 1–8. [Google Scholar]
  37. Sarens, G.; De Beelde, I. Internal auditors’ perception about their role in risk management: A comparison between US and Belgian companies. Manag. Audit. J. 2006, 21, 63–80. [Google Scholar] [CrossRef]
  38. Alqudah, H.M.; Amran, N.A.; Hassan, H. Factors affecting the internal auditors’ effectiveness in the Jordanian public sector: The moderating effect of task complexity. EuroMed J. Bus. 2019, 14, 251–273. [Google Scholar] [CrossRef]
  39. Goodwin-Stewart, J.; Kent, P. The use of internal audit by Australian companies. Manag. Audit. J. 2006, 21, 81–101. [Google Scholar] [CrossRef]
  40. Woods, M. Linking risk management to strategic controls: A case study of Tesco plc. Int. J. Risk Assess. Manag. 2007, 7, 1074–1088. [Google Scholar] [CrossRef]
  41. Babbie, E.R. The Practice of Social Research; Cengage Learning: Boston, MA, USA, 2020; ISBN 0357360842. [Google Scholar]
  42. Sekaran, U.; Bougie, R. Research Methods for Business: A Skill Building Approach; John Wiley & Sons: Hoboken, NJ, USA, 2016; ISBN 1119165555. [Google Scholar]
  43. Oppenheim, A.N. Questionnaire Design, Interviewing and Attitude Measurement; Bloomsbury Publishing: London, UK, 2000; ISBN 0826451764. [Google Scholar]
  44. Saunders, M.N.K.; Lewis, P.; Thornhill, A. Research Methods for Business Students, 8th ed.; Pearson.: London, UK, 2019; ISBN 9781292208800. [Google Scholar]
  45. Hair, J.F.; Risher, J.J.; Sarstedt, M.; Ringle, C.M. When to use and how to report the results of PLS-SEM. Eur. Bus. Rev. 2019, 31, 2–24. [Google Scholar] [CrossRef]
  46. Roldán, J.L.; Sánchez-Franco, M.J. Variance-based structural equation modeling: Guidelines for using partial least squares in information systems research. In Research Methodologies, Innovations and Philosophies in Software Systems Engineering and Information Systems; IGI Global: Hershey, PA, USA, 2012; pp. 193–221. [Google Scholar]
  47. Shmueli, G.; Sarstedt, M.; Hair, J.F.; Cheah, J.H.; Ting, H.; Vaithilingam, S.; Ringle, C.M. Predictive model assessment in PLS-SEM: Guidelines for using PLSpredict. Eur. J. Mark. 2019, 53, 2322–2347. [Google Scholar] [CrossRef]
  48. Mujalli, A. The influence of E-auditing adoption on internal audit department performance amid COVID-19 in Saudi Arabia. Cogent Bus. Manag. 2024, 11, 2295608. [Google Scholar] [CrossRef]
  49. Ringle, C.; Wende, S.; Becker, J.-M. SmartPLS 3; Boenningstedt SmartPLS GmbH: Boenningstedt, Germany, 2015; Volume 584. [Google Scholar]
  50. Podsakoff, P.M.; MacKenzie, S.B.; Podsakoff, N.P. Sources of method bias in social science research and recommendations on how to control it. Annu. Rev. Psychol. 2012, 63, 539–569. [Google Scholar] [CrossRef]
  51. Podsakoff, P.M.; MacKenzie, S.B.; Lee, J.Y.; Podsakoff, N.P. Common method biases in behavioral research: A critical review of the literature and recommended remedies. J. Appl. Psychol. 2003, 88, 879–903. [Google Scholar] [CrossRef] [PubMed]
  52. Harman, H.H. Modern Factor Analysis; University of Chicago Press: Chicago, IL, USA, 1976; ISBN 0226316521. [Google Scholar]
  53. Kock, N. Common method bias in PLS-SEM: A full collinearity assessment approach. Int. J. e-Collab. 2015, 11, 1–10. [Google Scholar] [CrossRef]
  54. Henseler, J.; Ringle, C.M.; Sarstedt, M. A new criterion for assessing discriminant validity in variance-based structural equation modeling. J. Acad. Mark. Sci. 2015, 43, 115–135. [Google Scholar] [CrossRef]
  55. Fornell, C.; Larcker, D.F. Evaluating structural equation models with unobservable variables and measurement error. J. Mark. Res. 1981, 18, 39–50. [Google Scholar] [CrossRef]
  56. Cohen, J. Statistical power analysis Jbr the behavioral. Sci. Hillsdale Lawrence Erlbaum Assoc. 1988, 18, 74. [Google Scholar]
  57. Geisser, S. A predictive approach to the random effect model. Biometrika 1974, 61, 101–107. [Google Scholar] [CrossRef]
  58. Drogalas, G.; Siopi, S. Risk management and internal audit: Evidence from Greece. Risk Gov. Control Financ. Mark. Inst. 2017, 7, 104–110. [Google Scholar] [CrossRef]
  59. De Zwaan, L.; Stewart, J.; Subramaniam, N. Internal audit involvement in enterprise risk management. Manag. Audit. J. 2011, 26, 586–604. [Google Scholar] [CrossRef]
  60. Sunaryo, K.; Astuti, S.; Zuhrohtun, Z. The role of risk management and good governance to detect fraud financial reporting. J. Contemp. Account. 2019, 1, 38–46. [Google Scholar] [CrossRef]
  61. Wilkinson, N.; Coetzee, P. Internal audit assurance or consulting services rendered on governance: How does one decide. J. Gov. Regul. 2015, 4, 186–200. [Google Scholar] [CrossRef]
  62. Allegrini, M.; D’onza, G. Internal auditing and risk assessment in large Italian companies: An empirical survey. Int. J. Audit. 2003, 7, 191–208. [Google Scholar] [CrossRef]
  63. Crawford, M.; Stein, W. Auditing Risk Management: Fine in Theory but who can do it in Practice? Int. J. Audit. 2002, 6, 119–131. [Google Scholar] [CrossRef]
Sustainability 16 08455 g001
Figure 1. Measurement model.
Figure 1. Measurement model.
Sustainability 16 08455 g001
Sustainability 16 08455 g002
Figure 2. Structural model.
Figure 2. Structural model.
Sustainability 16 08455 g002
Sustainability 16 08455 g003
Figure 3. IPMA.
Figure 3. IPMA.
Sustainability 16 08455 g003
Table 1. Construct and item measurement.
Table 1. Construct and item measurement.
ConstructCodeItem Measurement
Dependent VariableRBIA1“Risk-based internal audit enables periodic evaluations of the internal audit procedures”[5,6]
Risk-based internal auditRBIA2“Risk-based internal audit enables the internal audit to meet shareholders’ demands and needs”
RBIA3“Risk-based internal audit contributes to a better understanding of internal audit processes”
RBIA4“Risk-based internal audit leads to a more efficient determination of resources for internal auditing”
Independent VariablesIAR1“Internal auditors comprehend the strategic objectives and operational goals”[6,16,32]
The role of internal auditor in risk managementIAR2“Internal auditors entailed the inclusion of risk assessment results in annual plans for internal auditing”
IAR3“Internal auditors evaluate the threat of inherent risks to the objectives of key functions of business and the following amendment of audits”
IAR4“Internal auditors give timely information to senior management regarding threats to the sustainability of the organization, and carry out assessments”
IAR5“Internal auditors assess reports concerning the efficiency of the system of internal auditing”
IAR6“Internal auditors assess reports concerning the efficiency of risk management”
The training in risk managementTRM1“The training in risk management helps with the formation of an audit system that is dependent on risk management” [6]
TRM2“The training in risk management helps with the documentation and evaluation of work-related risks”
TRM3“The training in risk management helps to enhance the quality of internal auditing and also the quality of risk management procedures”
Management supportMS1“Support obtained by senior management to internal auditors is measured in terms of auditors’ expectations based on risk assessments and risk-based internal auditing”[7,21]
MS2“Internal auditors’ executed tasks and accountabilities are based on risk assessments and risk-based internal auditing”
MS3“Management supports an adequate budget that allows the department of internal auditing to do its work based on risk assessments”
MS4“Internal auditors gain adequate training in risk management as advocated by senior management”
Mediating VariableRME1“The current processes and accountabilities of the risk management mechanisms are clearly recognized in the organization”[5]
The risk managementRME2“The existing risk manager or a separate risk management unit operates in the organization”
RME3“The mechanism of risk management is in the organization”
Table 2. Demographic profiles of respondents.
Table 2. Demographic profiles of respondents.
CategoryCriteriaFrequencyPercentage
GenderMale17675.2
Female5824.8
Total234100.0
AgeLess than 29146.0
Between 30 and 39793.8
Between 40 and 4913557.7
More than 5062.6
Total234100.0
Educational qualificationDiploma or below3314.1
Bachelor’s degree16369.7
Master’s degree3314.1
PhD52.1
Total23411.0
Job titleInternal audit department’s manager2410.3
Assistant manager of the department of internal auditing229.4
Internal auditor11750.0
Department manager3113.2
Accountant3012.8
Employee104.3
Total234100.0
Work experiences (Years)Less than 5 4318.4
Between 5 and 9 6929.5
Between 10 and 14 8335.5
15 or more 3916.7
Total234100.0
Table 3. Reliability and validity results.
Table 3. Reliability and validity results.
ConstructsItemsItem LoadingsVIFCrho_cAVE
RIA 0.8030.8590.505
IAR10.6831.923
IAR20.7282.319
IAR30.7962.324
IAR40.7581.852
IAR50.6681.657
IAR60.6171.625
MS 0.8420.8950.682
MS10.8582.438
MS20.8852.808
MS30.8632.040
MS40.6821.392
RBIA 0.8130.8750.637
RBIA10.8061.598
RBIA20.8032.036
RBIA30.7962.080
RBIA40.7881.453
RME 0.8690.9190.792
RME10.8862.232
RME20.8842.205
RME30.9012.433
TRM 0.8140.8900.731
TRM10.7971.652
TRM20.9152.639
TRM30.8491.995
Table 4. Heterotrait–monotrait ratio.
Table 4. Heterotrait–monotrait ratio.
MSRBIARIARMETRM
MS
RBIA0.695
RIA0.5020.624
RME0.5400.7290.615
TRM0.3620.5360.7210.499
Table 5. Fornell–Larcker criterion.
Table 5. Fornell–Larcker criterion.
MSRBIARIARMETRM
MS0.826
RBIA0.5690.798
RIA0.4310.5260.711
RME0.4670.6340.5270.890
TRM0.2960.4520.5880.4200.855
Table 6. Explanatory power of the study model.
Table 6. Explanatory power of the study model.
Effect SizeCoefficient of DeterminationPredictive Relevance
RBIARMER-SquareR-Square AdjustedSSOSSEQ2 (=1 − SSE/SSO)
MS 0.105
RBIA 0.4020.399936.000718.8940.232
RIA 0.091
RME0.672 0.3630.354702.000507.8930.277
TRM 0.023
Table 7. Hypotheses results.
Table 7. Hypotheses results.
HypothesesRelationshipsOriginal SampleSTDEVT Statisticsp Values2.5%97.5%Conclusion
Direct effects
Hypothesis 1RIA → RME0.3160.0704.4920.0000.1920.463Supported
Hypothesis 2TRM → RME0.1490.0652.2830.0220.0100.267Supported
Hypothesis 3MS → RME0.2870.0575.0540.0000.1750.394Supported
Hypothesis 4RME → RBIA0.6340.04314.7150.0000.5480.717Supported
Mediating effects
Hypothesis 5RIA → RME → RBIA0.2000.0464.3210.0000.1220.303Supported
Hypothesis 6TRM → RME →RBIA0.0950.0432.1750.0300.0060.177Supported
Hypothesis 7MS → RME → RBIA0.1820.0404.5920.0000.1070.261Supported
Table 8. PLS predict.
Table 8. PLS predict.
PLSLM
ConstructsQ2-PredictRMSEMAERMSEMAE
RBIA10.2730.6830.5010.6820.507
RBIA20.2200.9360.6860.9560.686
RBIA30.1761.0360.7991.0400.802
RBIA40.2080.8330.6010.8470.610
RME10.2630.6140.4820.6410.504
RME20.2580.6880.5340.7170.566
RME30.2680.6210.4690.6510.478
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Almgrashi, A.; Mujalli, A. The Influence of Sustainable Risk Management on the Implementation of Risk-Based Internal Auditing. Sustainability 2024, 16, 8455. https://doi.org/10.3390/su16198455

AMA Style

Almgrashi A, Mujalli A. The Influence of Sustainable Risk Management on the Implementation of Risk-Based Internal Auditing. Sustainability. 2024; 16(19):8455. https://doi.org/10.3390/su16198455

Chicago/Turabian Style

Almgrashi, Ahmed, and Abdulwahab Mujalli. 2024. "The Influence of Sustainable Risk Management on the Implementation of Risk-Based Internal Auditing" Sustainability 16, no. 19: 8455. https://doi.org/10.3390/su16198455

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop