Internal Audit, Standards and Risk Management: A Study of the Standards and Risk Models Used by Internal Auditors

Ask Ransdal Hansen

Student thesis: Master thesis


Internal audit in Denmark appears to be in a strange state. Arena & Jeppesen (2010) showed that the field isn’t that well-defined and seems split between financial and operational audit. This thesis explores the strange state of internal audit in Denmark through multiple case studies, which attempt to capture what standards and risk models internal auditors use as well as why they are used. The inquiry and analysis is framed by new institutional theory (DiMaggio & Powell, 1983; Meyer & Rowan, 1977) and profession theory Abbot (1988). The findings suggest that internal audit, as a profession, more than previously use IPPF as the standard and COSO ERM as the risk model. In parts, the driving force behind this emerging norm are explained by what Meyer & Rowan (1977) calls a de- coupling strategy, which describe that organizations will chose the stand- ards and risk models with the highest ceremonial criteria of worth - being IPPF and COSO ERM. The fact that external audit controls are a part of auditors’ knowledge system results in a wave of normative isomorphism, and explains why some internal auditors adopt external auditor’s standards in their own practices. Regulative isomorphism are also shown to homog- enize the usage of IPPF and ISSAI in financial and public organizations. Finally, there seems to be an ongoing process where internal audit is free- ing from what Abbot (1988) labels intellectual jurisdiction, where internal audit has been subsumed under external audit. Internal audit seems to slowly capture its own knowledge based and thereby jurisdiction, driving the process towards IPPF.

EducationsMSc in Auditing, (Graduate Programme) Final Thesis
Publication date2016
Number of pages157
SupervisorsKim Klarskov Jeppesen