Organizational aspects of the Internal Audit of Italian corporate groups Текст научной статьи по специальности «Экономика и бизнес»

Organizational aspects of the internal audit of Italian corporate groups

Alessandra Tafuro,

PhD in economics, professor, Department of Management, Economics, Mathematics and Statistics

University of Salento, Italy

alessandra.tafuro@unisalento.it

Antonio Costa,

PhD candidate in economics, associate professor,

Department of Management, Economics, Mathematics and Statistics, University of Salento, Italy, antonio.costa@unisalento.it

Alma Fanelli,

chartered accountant, PhD candidate in economics, Department of Management, Economics,

Mathematics and Statistics, University of Salento, Italy,

alma.fanelli@unisalento.it

Abstract. The objective of the paper is to explore some organizational aspects of the activity of Internal Audit (IA) in corporate groups. Having noted the limited literature on the subject, the authors intend to make a scientific contribution with the intention of reducing the existing gap in said literature, paying particular attention to the Italian context. In addition to expanding the knowledge of scholars and professionals in this sector, the content of the paper may be of support to the governing bodies of a corporate group, offering insights to better organize the function of IA and to ensure that activities are more efficient and effective for all entities of the group. Purpose. The Internal Audit's organizational aspects are particularly complex within corporate groups. The paper focuses on: a) the Internal Audit operating model that can be adopted: in-house solutions rather than outsourcing solutions; b) the organization structure adopted for manage the activities of the Internal Audit Function.

Design/methodology/approach. The research is based on a survey carried out on 56 groups listed on the Italian Stock Exchange and which operate in the industrial and financial sectors. Two case studies are presented: Finmeccanica and UniCredit. The individual case studies are concise, with an explanation of the main benefits and challenges inherent in each approach. Findings. The main survey findings indicate that:

Each business group adopts the IA organizational model most appropriate to its needs. Almost all of the groups adopt the in-house solutions, while the percentage of the groups that outsources the service is very low (10% just in the industrial sector). In either sector, the delegation model is never used.

Finmeccanica adopts an original functional matrix structure for the IA to increase the effectiveness of interventions and the level of control and coordination of the Group's operating companies, and to improve the efficiency of operating costs.

UniCredit adopts the hybrid model: the IA function, structured as a Department, coordinates and monitors the Group's IA activities performed by the competent structures of the Group's entities ensuring control consistency and adequate attention to the different types of risk. The case studies tell us that the corporate groups pay attention to develop and improve the organizational aspects of their own IA function. The goal is not just about keeping costs down but also maximizing the efficiency and effectiveness of IA operational model chosen.

Originality/value. The findings of this study are another element to help managers and governance bodies in their decision making process regarding organizational aspects of IA.

Keywords: Internal Audit Function, In-house Model, Outsourcing, Italian Groups.

Acknowledgments. The authors gratefully acknowledge the valuable feedback provided by all questionnaire respondents and Dr. Laura Palese (Postgraduate University of Salento) for the assistance in processing the data from the completed questionnaire.

Организационные аспекты внутреннего аудита в итальянских корпоративных группах

Алессандра Тафуро,

профессор, Департамент экономических наук, Университет Саленто, Италия, alessandra.tafuro@unisalento.it

Антонио Коста,

доцент, Департамент экономических наук, Университет Саленто, Италия, antonio.costa@unisalento.it

Альма Фанелли,

доцент, Департамент экономических наук, Университет Саленто, Италия, alma.fanelli@unisalento.it

Аннотация. Целью статьи является презентация анализа некоторых организационных аспектов внутреннего аудита в корпоративных группах. Отмечая недостаточность литературы по этой теме, авторы попытались внести свой вклад в существующий пробел в научных исследованиях, уделяя особое внимание условиям экономической деятельности корпоративных групп в Италии. В дополнение к расширению знаний студентов и профессионалов авторы статьи рассчитывают, что ее содержание поможет топ-менеджменту корпоративных групп в лучшей организации функционирования их внутреннего аудита, а также повысить эффективность и действенность работы их подразделений. В статье сосредоточено внимание на следующих аспектах внутреннего аудита: а) на применении оперативной модели внутреннего аудита, опирающегося в большой мере на внутренние русурсы, чем на аутсорсинг; б) на организационных структурах, используемых в управлении деятельностью внутреннего аудита.

Ключевые слова: функция внутреннего аудита, модель "in-house", аутсорсинг, итальянская корпоративная группа.

1. INTRODUCTION

The objective of this paper is to explore some organizational aspects of the activity of Internal Audit (IA) in corporate groups. Having noted the limited literature on the subject, we intend to make a scientific contribution with the intention of reducing the existing gap in said literature, paying particular attention to the Italian context.

In addition to expanding the knowledge of scholars and professionals in this sector, the content of the paper may be of support to the governing bodies of a corporate group, offering insights to better organize the function of IA and to ensure that activities are more efficient and effective for all entities of the group.

In view of the complexity and of the characteristics that distinguish corporate groups, it is

evident that the function of IA in an aggregate takes on an even more significant strategic role. In fact, it must define and manage the various auditing activities—operational auditing, financial auditing, compliance and fraud auditing and management auditing—inside a system of harmonic control that is useful for the whole aggregate.

Until now literature has found:

• different IA operating models, depending on whether the Internal Audit activities are entrusted to internal parties (IA in-house models) or external parties (IA outsourcing models);

• diverse organizational structures with which Internal Audit activities are managed.

Starting from these basic concepts which constitute the theoretical reference framework for these activities, we have chosen to investigate the aspects within corporate groups which, by nature, require the adoption of unique organizational models that are sometimes more advanced than those already used in individual companies. It is evident that the organizational problems related IA arise when the activity of IA is not outsourced. In this case, the organizational structures that can be defined differ essentially in whether the auditing activities are centralized or not within the parent company (centralized model, decentralized model) or whether all IA activities of all of the companies in a group are transferred to a company specifically set up inside the aggregate (consortium model).

From the literature review (Kolaska, 1983; Cullen & Perrewe, 1981; Anderson et al., 2012) and some white papers drawn up by independent auditors (Ernst & Young, 2012) it emerged that the decisions related to the organizational aspects of IA activity in corporate groups reflect the aggregate businesses own complexity. Such choices, in fact, appear to be influenced by: the size of the group and the number of sectors in which holdings and subsidiaries operate; the geographical distribution of the participating entities; the nature and level of risk of the activities carried out; and, the amount of resources allocated to the functioning of IA.

Considering the Italian context, we formulated the following Research Questions (RQ):

RQ1) What is the predominant Internal Audit operating model used in Italian corporate groups?

R02) Which organizational structures are used by Italian groups to regulate the internal activities of the IA department/unit?

To answer the Research Questions an empirical survey was conducted from a sample of Italian listed companies operating in two specific sectors (banking and industrial). This sampling was carried out on the basis of a choice based on arguments that justify the theoretical relevance. This choice, in fact, is based on two assumptions:

a) In the Italian banking sector the activities of IA are affected by special legal provisions, which, even if they are of 2nd level, are often binding;

b) In the industrial sector the majority of groups are multi-businesses, and thus the activity of IA seems to be more complex and problematic.

To further investigate aspects related to RQ2 two cases have been proposed: Fimmec-canica, a group active in the industrial sector and UniCredit which operates in the credit sector.

Finmeccania and Unicredit were chosen not only because they are the groups which, in 2013, invested more resources (human and financial) in the activity of IA, but also because they are the only corporate groups that have recently changed the organizational structure of their IA Departments adapting to the particular characteristics of each group.

The remainder of the paper is organized as follows. The next section presents the literature review analyzing the most important studies regarding internal auditing and, in particular, hightlighting the pros and cons of different IA operating models (in-house, outsourcing) identified in the literature. In the third section, instead, the main organizational structures that can be adopted for carrying out the activities of IA Departments are shown. In section 4, the regulatory context related to Internal Audit relevant to the groups listed on the Italian Stock Exchange has been outlined. Section 5 presents the main findings of an exploratory study focused on the organizational aspects of the Internal Audit of the Italian corporate groups operating in two sectors: banking and industry. In the last section, some final considerations have been proposed.

2. REVIEW OF THE LITERATURE

Over the last decade, the studies on Internal Audit (IA) have increased exponentially. The study on the topic, as detected by Carcello et.al. (2005a) and by Leung et al. (2011), is as a result of numerous financial scandals—i.e. Cirio, Enron, Montedison, Parmalat, Siemens, WorldCom—and, consequently, the global financial crises that followed.

In general, the confidence in the independence and in the reliability of audit firms involved in scandals and the trust in financial markets have failed (Ibrahim El-Sayed Ebaid, 2011).

However, in some studies, such as that of Lenz and Sarens (2012), it was intended to demonstrate the absence of a causal link between the activities of Internal Audit and the financial crisis, and between the solution of the crisis and the activities of Internal Audit.

A process was started which has brought significant changes to the philosophy, the intensity and the approach to be followed in the specification not only of the regulated markets but also of the aspects relating to both corporate governance and internal controls.

Italian companies, as those of the rest of the world, are experiencing an ever-changing regulatory environment, marked by the guidelines and recommendations of the European Union and the reform law enacted for the protection of savings (Law no. 262/05, the so called Savings Protection Act) and corporate law. However, it is important to point out that the evolution of the Internal Audit has also been influenced by other variables such as the increase in the size and complexity of the companies or the significant development of information systems (Allegrini et al. 2006; Hass et al., 2006).

The IA has become an integral part of the management process, it is a supervision strategic tool that works closely with government and supervisory bodies and, simultaneously, it has become a tool for the improvement of other company's functions involved in various operational activities. The IA function is moving well beyond its traditional role of ensuring compliance. It is becoming increasingly involved in top level decision making, protecting the organization against risk, and improving control systems. The Internal Audit function has been defined, in the study by Stewart and Subrama-

niam (2010), as a key element for the functioning of the mechanisms of governance, are now entrusted with increasing responsibility. At this point, it is possible to highlight a paradox: while on one side, the conducting of such activities is prescribed to the companies, on the other side, the existence of an internal audit function is not mandatory for the companies.

Hence, the urge to explore, in general, the organizational aspects of the Internal Audit and, specifically, those within the corporate groups.

The correct collocation of Internal Auditing within the company organization and the concrete support granted to it by its management are the determining factors in its position and its value. The audit committees, therefore, should report directly to those who hold a higher position, whose authority is sufficient to ensure a proper consideration of the function.

Internal Auditing is defined as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes". This definition, proposed by the International Institute of Internal Auditors (IIA), states the fundamental purpose, nature, and scope of internal auditing.

According to this definition, the audit committees is responsible for providing advice to senior management evaluations and recommendations concerning the activities examined in order to assess the appropriateness and feasibility of the strategic objectives established in relation to the internal and external conditions to the company.

IA has become the pivot around which the whole control system of the company relies on and being in close contact with government and supervisory bodies it becomes the tool to positively stimulate the strategic orientation of the company and, consequently, the continuous improvement of the corporate functions involved in the various operations. The IA performs, therefore, a large number of interventions: from those relating to accounting and finance (financial auditing), to ensure the regular preparation of financial statements and to prevent any fraud (Caplan & Kirschenheiter 2000, James, 2003) to

those of operations (operational auditing) designed to evaluate and monitor the operation of sub-business systems, ensuring compliance with the principle of efficient, effective and economical use of company resources (Reider, 1994).

These controls also include the assessment of he risks of legal sanctions, financial or reputa-tional losses due to non-compliance with laws, internal and exsternal regulations (compliance audits) (Ratliff et al., 1994).

Finally, the IA carries out a consulting service for top management of the company (management audit) with the aim to improve the process of governance and control through the support in the design and implementation of the internal control system, of Risk Management system and those of the corporate governance system, as well as the elaboration of suggestions that promote the achievement of the intereses of the company an of all the stakeholders.

In fact, as highlighted in the PwC's report (2013), Internal Audit should be in line with the expectations of corporate stakeholders to implement the necessary controls aimed at incrreas-ing business performance and, consequently, the strategic initiatives designeed to preserve and increase business value.

In regard to the strategic importance attribute to the IA, a cultural leap by property and company management is required in order to not perceive such activities as a hindrance to the economic viability and development of the company or as a legal obbligation.

On the contrary, the owners must became aware of the importance of the IA in improving governance process, in the activity of support to strategic planning. They have to consider the IA as a determining variable in the improvement of business results.

These principles have been demostred in the studies carried out by Cohen et al., (2002) and Karagiorgos et al. (2010) which generally showed the increasing role that IA has in corporate governance. In particular, a number of empirical studies have been proposed relating to geographically wider contexts—as in the study of Paape et al. (2003) conducted at the European level—or to a national context such as the Italian case (Marchi & Allegrini, 2012; D'Eri & Regolio-si, 2014) or the Libyan one (Abdul-Nasser et al., 2014).

Cohen & Hanno (2000) and Melville (2003), however, pointed out, respectively, the contribution that the IA can give to the Management control and Strategic management. While, in the study conducted by Allegrini & D'Onza (2003) the role of Internal Audit in the assessment of busioness risks have been enhanced. Studies have not overlooked the fact that there is a positive correlation between corporate performance and the actitivies of IA (Ernest & Young, 2012).

From what has been said, it is evident that the activity of IA requires increasingly specific skills and knowledge in order to provide the necessary advisory support to management to make the control models more adequate, efficient and effective in relation to both the risks and to business needs.

In this regard, the International Standards for the Professional Practice of Internal Auditing (IIA Standards) guide the activities of IA, so that this can be flexible and adaptable to the types of activities carried out by the company, by the size and by the complexity of the organization. It is evident, then, that companies must have specially qualified staff to carry out the activities of Internal Audit. However, the literature has found that the execution of such activities is often hindered by the under-sizing of resources—human and financial—and, in some cases, the limited availability of specific expertise on these issues justify an outsourcing solution.

The Internal Audit actively contributes to governance if it is able to guarantee an active and effective communication with administrative bodies and government (Leung et al., 2011), without renouncing the principles of independence and objectivity which should characterize its choices and its activities as highlighted in the works of Christopher et al. (2009) and Dickins and O'Reiley (2009).

Even with regard to interactions with other business functions, the IA should not be seen as an inspection tool with the function to syndicate the work of individual employees or to find errors, but as an instrument at the service of all concerned, beneficial in operating with awareness and professionalism.

These features assist in the configuration of the IA staff as a specialist staff working in the service of the entire organization, and they emphasize the importance of placing the correct

function of IA within the corporate organization.

It is therefore obvious that a clear and constructive relationship between the Internal Audit Department and the Board is critical for the performance of control activities: support from top management, in fact, can foster collaboration functions which are subject to audit by allowing the completion of the assignment without interference and therefore working more effectively.

The achievement of this goal is also facilitated by the choice of an appropriate organizational structure of the IA Department.

It is evident that the organizational activities of the IA depend on the complexity and the high number of business sectors in which parent company and the subsidiaries operate. For the correct evaluation of the operational model and the determination of the optimal size of the Internal Audit Department, additional factors must be considered: the economic sector of the group, the size and complexity of the subsidiaries, the geographic distribution of the entities participating in the group, the distribution of powers and decisions, the level of risk of the business and the amount of resources assignable to the function (Kolaska, 1983, Cullen & Perrewe, 1981, Carcello et. al., 2005b, and Anderson et al., 2012). Before conducting an analysis on the different operating models of Internal Audit Function, a premise is essential: in Italy there is not a law that imposes the carrying out of the Internal Audit activities within the company performed by its employees. One empirical study that addressed the specific factors associated with organizations' internal audit sourcing decisions is that of Wider & Selto (1990). In their study, they used the Transaction Cost Economics theory to explain the organization of IA. In 2007, the re-

sults of their study was replicated by Spekle et al. reinforcing the importance of the Transaction Cost Economics variables in explaining organizations' internal audit sourcing behaviour.

There are two types of sourcing arrangements for the internal audit function: each organization—as shown in Figure 1—may choose to undertake the IA:

• • in-house, the group maintains its own internal audit department;

• • in outsourcing, an internal audit service provider or an independent accounting firm conducts the internal audit function.

Both solutions provide different alternatives as shown below.

In-house organizational model Allegrini & D'Onza (2003) assert that the activities of IA of a corporate group can be organized according to three different models.

In the first—centralized model—a single function of IA carries out its verification activities for all group companies. In the second—the so-called decentralized model—the IA function is present in the parent company and in each subsidiary. The third organizational model of IA—known as delegated or consortium model— provides for the creation, from scratch, of a company within the group with the exclusive purpose of providing auditing services for all group companies.

Therefore, while the centralized and the delegated model put the IA function within a single company (Parent company or one created from scratch), the decentralized model provides for the establishment of the IA function in each company of the group, or in those companies that are considered to be particularly strategic for the group.

/ \

IN-HOUSE OUTSOURCING

> Centralized Model > Total outsourcing

> Decentralized Model > Partial outsourcing

> Delegated Model > Co-sourcing

> Hybrid Model

Figure 1. Two types of sourcing arrangements

It seems evident that the choice of a centralized model allows the IA function to obtain a complete overview of the group's activities and to report directly to senior management without intermediaries supporting coordination between decision-making and the achievement of economies of scale and learning. This organizational choice, therefore, is deemed to be convenient to those groups characterized by firms located in a given territory and whose subsidiaries have homogeneous activities.

In contrast, the decentralized model is used in groups that operate in complex and changing environments and that have subsidiaries distributed in different geographic areas.

As underlined by Child (1984) and Ratliff et al. (1998), the decentralized model allows you to have a greater knowledge of the risks, processes and legislation related to the areas that have to be checked, rather than the more timely intervention related to the high degree of decision-making autonomy of each IA function present in each company.

However, this model has two limits which must not be underestimated.

The first is found in the possibility of compromising the independence and objectivity of the IA function that could be conditioned by meddling from local management, damaging in this way, the independence of judgment required during the audits.

The second limit, however, is found in the possible difficulty in sharing the objectives among the subsidiaries; it is due, in part, to poor or no communication between the manager of each aggregate company and top management of the Parent company.

There is a fourth alternative for the organization of IA in corporate groups: the so-called "hybrid model" that combines the characteristics of the centralized model with those of the decentralized model.

In this case, the structure of IA, present in the Parent company, exercises direction and functional coordination of the Auditing structures of the subsidiaries, ensuring control consistency and adequate attention to the different types of risk.

This choice allows companies to take advantage of the centralized model—better coordination of activities within the groups and the use of common methodologies aimed at achieving

shared goals—and, at the same time, facilitates the work of the local IA team by using the knowledge of the organizational context in which it operates.

Outsourcing organizational model As noted by Moeller (2004) and Spira & Page (2003), the outsourcing of IA is a practice dating back to 1980s. As in the in-house solution there are multiple alternatives also for the outsourced solution of the Internal Audit. As illustrated in the Position Paper of the Institute of Internal Auditors (2009), in fact, there are three forms of outsourcing:

Total outsourcing: the entire internal control activities are carried out by external parties and, usually, on an ongoing basis.

Partial outsourcing: only part of the activities of IA are provided by external parties.

Co-sourcing: the external resources jointly collaborate with internal staff to perform the activities of IA. The external auditors are entrusted with the services where special skills are needed, while the responsibility of IA and supervision of their work is assigned to the internal staff (Thomas and Parish, 1999).

However, regardless of the form of outsourcing that is used, the IIA suggests to always appoint an internal figure to be responsible for the activities of the Internal Audit.

As shown in the Position Paper "Resourcing alternatives for the Internal Audit Function" (IIA, 2005), the empirical results indicate that most of the Internal auditor agrees on the use of partial outsourcing, because the total outsourcing is particularly complex to manage.

The analytical study of Caplan and Kirschenheiter (2000) shows that the decision to outsource the IA is justified by the increased intensity of the stimulus that the professional external companies derive from performing such services. The effort of the co-sourced partner is primarily focused on compliance with legislation and risk identified in IT or accounting, finance.

But the adoption of outsourcing appears to be justified, also, from the greater flexibility in the cost structure and resource allocation. Carey et. al. (2006) found that outsourcing makes it possible to replace the fixed costs of the staff with the variable cost of external consultants obtaining cost savings.

If conducted in a prudent way, outsourcing provides access to the best practices and then to a level of competence that can be expensive and impractical to maintain internally especially in the small corporate groups. In many cases, more extensive checks are required but, as demonstrated in the study of Aldbizer et al. (2003), the right expertise cannot always be found in the business group.

However, outsourcing has limitations. First, the external auditor does not have a deep and immediate knowledge of the business activities as those who work for the company and the objectives of the external auditor do not very often coincide with those of the company.

In regard to this, in order to avoid misunderstandings, the preparation of a detailed letter of appointment, and frequent communications between internal staff and those who are guardians of the Internal Audit assignment may be particularly useful.

Without these elements the following may occur, for example, that the external auditor carries out the Internal Audit Plan in a timely and professional manner, but does not adopt a proactive attitude aimed at improving governance, better risk assessment or process control.

Even though the internal audit function may be completely outsourced, responsibility for the overall efficiency and effectiveness of the internal audit function remains with the entity. It is therefore important for the entity to retain control of the internal audit strategic direction and to actively monitor the performance of the provider.

Where an outsourced delivery model is chosen, assigning a senior member of the entity's management team to oversee the delivery of internal audit services will assist in achieving close alignment between the entity's needs and the internal audit service provided.

In these cases, it is also useful to appoint a staff member as an in-house liaison officer for the provider. Such a person has specific responsibility for activities, such as monitoring the provider's performance. This latter role can be of great assistance to the provider as it can act as a reality check on internal audit findings and recommendations help the provider to understand particular organizational nuances and provide advice on sensitive matters.

The use of outsourcing is not without risks; to externalise the function, in fact, it careful attention is required in evaluating the following:

• Quality risk, related to technical and professional services provided by the supplier.

• Risk to reputation, if the outsourcer's error is reflected on the image and reliability of the group and how it is perceived by the market.

Legal risk, referred to the margins of uncertainty linked to the interpretation and enforcement of the contractual agreements as well as the confidentiality of certain information that, especially in certain sectors, such as the banking sector, is fundamental.

3. ORGANIZATIONAL STRUCTURES FOR IA DEPARTMENT ACTIVITY

The problem with defining organizational solutions for the activities of IA is that IA has particular characteristics compared to the other areas of the company. Behind the term IA, in fact, lie different activities—Financial Audit, Operational Audit, Management Audit, Compliance Audit, Fraud Audit, IT Audit—each of which has different elements with respect to: time horizons, degree of interdisciplinarity, supervision of activities, results and investments made. Overall, the IA is a highly professional labor intensive activity in which the intangible resources, such as technical knowledge, are paramount. Therefore, it is necessary to properly consider the differentiation, on an organizational level, of each sub-activity in IA: for example, the human resources necessary for Operational Auditing cannot be the same as those for Compliance or Fraud Auditing; and likewise, those used in Financial Auditing cannot be the same for IT Auditing.

It follows that the working organizational structure of IA in a company, and in particular, of more complex organizations such as corporate groups, must be able to coordinate and address the different professionalities with the aim of reaching precise pre-fixed internal audit objectives.

There are three main types of structural organization that can be adopted for the organization of the IA Department: functional structure, divisional structure and matrix structure.

Functional Structure

In a functional structure (Figure 2) the activities of the IA Department are grouped on the basis of

the criterion of specialized expertise with a further breakdown into sub-functions or organizational units whose characteristics are well defined.

The criterion of subdivision into sub-areas is the homogenity of expertise, and therefore, the IA activities are structured on the basis of the technical knowledge to be used in order to carry out the different types of controls.

Within a functional structure, therefore, we can find, besides the position of Chief Audit Executive (CAE) who is the one responsible for the IA activity in his/her group, the following organizational units: Financial Audit, Operational Audit, Management Audit, Compliance Audit, and Fraud Audit. The sub-function of IT Audit is often found as a support element for all the other sub-activities.

The main advantage offered by functional structure consists in the economy of specialist resources: the aggregation of resources inside the functional organization allows for the optimization of the use of the same. Such a struc-ture—although it facilitates the achievement of economies of scale and thus, a reduction in costs—is suitable for small groups, mono-businesses whose companies are in the same geographical context.

Divisional Structure

Divisional structure (Figure 3) was created with the aim of overcoming the limits of functional structure regarding organizations characterized by the complexity of their business and by the internal presence of various product lines or markets that are very different from one another. Therefore, such a structure may be adopted to organize the IA activities of large groups whose affiliates operate, for example, in different geographical contexts.

With divisional structure different IA units (or divisions) are created inside the group. Each director is granted vast decisional powers. The IA activities of the group are carried out with greater flexibility: the single divisions, being decentralized, have certain autonomy (decentralization of decision making from the top) and are characterized also by the fact that they have a greater capacity to adapt to the operational context in which they do business. The CAE of the division, therefore, in accordance with the IA plan of the group, can make decisions about matters specific to the context in which the company operates, thereby increasing the efficiency and effectiveness of his/her IA division.

Usually, for IA activity, groups adopt a structural division in geographical areas when they choose to divide the activities based on the geographical areas in which the organization is present.

Each division typically has a functional structure inside itself. It follows that the functions are duplicated from one division to the other. However, often, some functions of a general nature—such as IT Auditing—are centralized at a group level.

Divisional structure, on the contrary to functional structure, does not generate economies of scale often resulting in a duplication of specialized resources distributed in different divisions with an increase in costs.

Matrix Structure

The matrix structure (Figure 4) is a complex structure that combines the characteristics of functional structure with those of divisional structure. It comprises both dimensions: one typically functional and the other specifically tied, for example, to the business sectors of the companies in the group.

Chief Audit Executives

IT Audit

Financial Audit

Compliance Audit

Fraud Audit

Management Audit

Operational Audit

Figure 2. Functional structure

Chief Audit Executives of the Gruop

IT AUDIT

Figure 3. Divisional structure

The peculiarity of this structure is the allocation of different resources in the various sub-areas of the IA Department to the different product lines, projects or business activities of the companies in which the group operates.

Within these structures, therefore, resources are at the crossroads of two distinct lines of governance, one functional and one sector/project related. It is quite obvious that this structure can be adopted in those multi-business groups and companies that operate in an environment characterized by a high degree of instability and uncertainty.

For the use of professional resources this structure is very flexible: auditors, in fact, are employed as needed, to carry out the audits in one area or another.

The scheme can be read in two ways: horizontally, each line form groups of different inter-functional specializations (Financial Audit, Operational Audit, Management Audit, Compliance Audit, Fraud Audit, IT Audit) or vertically, each column represents, instead, a given sector/project offered by the group. At the point of intersection of the horizontal and the vertical lines, each sector/project gets the support and

professionalism of the Internal Audit specialist it needs.

Although the adoption of an organizational structure to carry out the activities of IA is a formal decision that has long-lasting consequences on its internal organization, we must not think of the structure as static and unchanging. In fact, it is possible to make changes to the organizational structure more than once for various factors, but especially due to two main reasons:

when the need to rationalize internal resources is driven mainly by the need to increase their efficiency. In this sense, for example, resources might be reduced due to an overlap of responsibility in two or more areas, creating new organizational units to conduct specific types of audits that, until a given moment, have proved to be critical since they had not been overseen properly;

b) when there is the need to adapt to changes in the activity of IA macro and micro environment in which the companies belonging to the group operate, by establishing, for example, new organizational units which are given the responsibility to oversee specific areas of internal audit.

From what has been stated, it is clear that senior management should periodically assess the adequacy of the IA organizational structure to determine if the same is suitable or not to fulfill the changing goals assigned to internal audit.

4. THE ITALIAN LEGISLATIVE BACKGROUND

In order to contextualize the results of the analysis, it is appropriate to recall, briefly, the Italian regulatory framework that regulates aspects relating to Internal Audit. It is worth pointing out that there are no legal provisions that expressly refer to the Internal Audit activities.

The only reference by law on the subject is found in Article 150 of the «Consolidated law on financial intermediation» (TUF) which provides that «The persons assigned to internal control functions shall also report to the board of auditors at their own initiative or at the request of one or more members of the board of auditors».

Further references and details can be found under the regulations at the second level, where membership is, however, no obligatory.

For example, the Corporate Governance Code set up by the Italian Stock Exchange, updated in July 2014, dedicates a specific article to the system of internal control and risk management that companies should adopt.

In Article 7, in fact, the general system of internal control is defined in an organic way, and the coordination of stakeholders involved in the actual processes is explained. In this context, the Internal

Audit function has become the entity dedicated to the monitoring and independent evaluation of the internal control system in support of the main protagonists in the system of corporate governance.

Internal auditors do not report to any operational area manager, but shall report on their activity to the CEO or to Internal Controls and Risk Committee.

On the other hand, it is desirable that they will enjoy the full support of the Board of Directors, in order to promote and spread a control culture into the company.

The Corporate Governance Code provides for the possibility of entrusting the function of IA, as a whole or by business segments, to outside entities which possess adequate professionalism and independence, to which the role of Internal Control Officer of the entity, who is in charge of overseeing the functioning of the internal control system, can be attributed.

However, the organizational decision to outsource the IA and the related reasons must be communicated to shareholders and the market in the "Corporate Governance and ownership structures" report drawn up in accordance with Article 123-bis TUF.

These regulations on the IA were already in existence for companies operating in the Italian banking and insurance sectors. The supervisory instructions for banks, issued by the Bank of Italy in 1999 emphasize the need that "the activities of internal audit in banks should be carried out by an independent entity (Internal Audit).

Business 1 ■

!

Business 2 : : : :

I ■ !

Business 3

Figure 4. Corporate Governance and ownership structures

The institutions are being encouraged to review their internal audit function in the light of the latest guidance from the Basel Committee on Banking Supervision and to take appropriate action to address any identified material shortfalls or deficiencies. Indeed, the document "The internal audit function in banks" issued on 28 June 2012, updates and replaces the previous document "Internal audit in banks and the supervisor's relationship with auditors" (2001). It is a guide for assessing the effectiveness of the internal audit function in banks and it is based on 20 principles and builds on the Committee's Principles for Enhancing Corporate Governance which require banks to have an internal audit function with sufficient authority, stature, independence, resources and access to the board of directors.

This function—which should not depend on any head of operational areas—is aimed on one hand, to control, even with spot checks, the regularity of operations and risk trends; and on the other hand, to evaluate the effectiveness of the overall internal control system and to submit to the board of directors and senior management proposals to improve the risk management policies and their measurement tools.

Even for banks, the ability to outsource the function of IA is possible, even if—in principle— that option is not recommended in relation to the confidentiality of the information derived from the nature of the businesses activities.

However, as shown in notes drawn up following a consultation by the Italian banking system on the Basel document "Banks' Internal Audit and Supervisors' Relations with Internal and External Auditors", it is believed that partial outsourcing may be feasible:

• In the case of orders requesting an impromptu audit of the bank's activities that do not fall within the business areas that are of strategic importance for the bank;

• Or when they related to particularly specialist audit activities, that are not available within group, and if so, only at very high costs.

In the case of partial outsourcing, it would be appropriate to provide some connection between the IA staff and the outsourcer.

In principle, total outsourcing, is considered possible for the IA function when the bank is characterized by a reduced size of the company

and/or limited operational complexity of the group. In such cases, outsourcing has profiles of convenience both from an economic and organizational point of view. For small banks, in fact, the establishment of an internal function dedicated to IA is costly and, in some cases, it is not even possible for the different skills required.

In general, the decision to outsource the function of IA can be taken provided that the awarding of the task is formalized in an agreement in which objectives, methodology, frequency of checks and reports to be drawn up for the Top management inherent to checks carried out, are defined.

An internal audit outsourcing arrangement is a contract between the institution and an outsourcing vendor to provide internal audit services. On the one hand, outsourcing of internal audit activities, especially when it is done on a limited and targeted basis, can bring significant benefits to banks such as access to specialized expertise and knowledge for a special audit project otherwise not available within the organization. On the other hand, outsourcing may introduce risks to the bank, such as lost or reduced control of the outsourced internal audit activities. Those risks need to be managed and monitored; furthermore, the outsourcing may adversely affect the supervisory authority's powers to gather information or to require changes in the way that the outsourced activity is carried out.

Regardless of whether internal audit activities are outsourced, the board of directors and senior management remain ultimately responsible for ensuring that the system of internal control and the internal audit are adequate and operate effectively.

Each bank should have a permanent internal audit function. In fulfilling its duties and responsibilities, the senior management should take all necessary measures so that the bank can continually rely on an adequate internal audit function appropriate to its size and to the nature of its operations. These measures include providing the appropriate resources and staffing to internal audit in order to achieve its objectives.

In larger banks, and in banks with complex operations, internal audit should normally be conducted by an internal audit department with

a full-time staff. In particular, the internal audit department should evaluate:

• The bank's compliance with policies and risk controls (both quantifiable and no quantifiable);

• The reliability (including integrity, accuracy and comprehensiveness) and timeliness of financial and management information;

• The continuity and reliability of the electronic information systems; and

• The functioning of the staff departments.

The internal audit department should give

adequate consideration to the legal and regulatory provisions covering the bank's operations, including the policies, principles, rules and guidelines issued by the supervisory authority with regard to the manner in which banks are organized and managed.

If a bank has a significant branch abroad, the internal audit department should consider establishing a local office to ensure efficiency and continuity of its work.

As separate legal entities, banking or nonbanking subsidiaries are responsible for their own internal control.

At these subsidiaries, the internal audit function may be performed by the internal audit department of the Parent company. When subsidiaries have their own internal audit departments, they should report to the Parent company's internal audit department. In this situation, the parent company should take all necessary measures, without prejudice to local legal or regulatory provisions and instructions, to ensure that its own internal audit department has unlimited access to all activities and entities of the subsidiaries and that it carries out on-site audits at sufficient intervals.

For branches abroad as well as for subsidiaries, the internal auditing principles should be established centrally by the parent bank without prejudice to local, legal and regulatory provisions and instructions. The parent bank's internal audit department should participate in recruiting and evaluating local internal auditors.

5. EMPIRICAL ANALYSIS

Design/methodology/approach

The Chief Audit Executives (CAEs) of 56 Italian

Stock Exchange listed companies were surveyed

with a questionnaire that had been sent to them via e-mail. The questions were formulated considering the literature on the organizational aspects of an Internal Audit and also considering the Italian legislative background.

In its configuration, the questionnaire allows the making of a univariate descriptive analysis useful in observing the distribution of individually investigated variables.

Comparisons to overseas studies, where possible, have been drawn. Two case studies related to the IA operating model and their IA organizational structure were also presented: Finmec-canica (Centralized Model) and UniCredit (Hybrid Model).

The survey aims to verify:

1) dissemination of alternatives proposed in the literature for carrying out the activities of Internal Audit in the corporate groups (in-house solutions and outsourcing solutions);

2) the model adopted for the organization of the activities of Internal Audit.

To this end, some aspects, considered most influential in the choice of organization, were:

• System of corporate governance adopted by the aggregate;

• Resources (financial and human) allocated to IA;

• Information systems in support of IA.

Sampling and survey conduct

Data was collected through an electronic questionnaire (August-November 2014). The survey design was directed to formulate questions which could be easily answered by the Chief Audit Executive (CAE) and limit possible framing effects.

The questionnaire was sent to 56 corporate groups selected from the list of the Italian group that are listed in Borsa Valori (Borsa Valori web site, accessed on 01 August 2015) and that operate in two sectors: banking (n. 17) and industrial (n. 39), which constitutes our sample frame. From the questionnaires administered, n. 34 usable responses were received, a response rate of about 60.7 per cent.

Before sending the questionnaire, telephone calls were made to confirm whether companies had an internal audit department and who was the person to be contacted to complete the survey, usually the Chief Audit Executive. In some cases, a reminder was given after the established

date for the last sending of the compiled questionnaires.

The non-respondents were contacted in order to understand their motivations. The main reasons for not taking part in the study were: a) the internal audit staff did not have time to dedicate to the survey; b) the company was not interested in the project; c) the questionnaire was considered not applicable to its company; d) company's policy was contrary to the participation in statistical surveys. A total of 12.5% of non-respondents did not provide any feedback on their failure to answer.

Data analysis

Regarding the dissemination of alternatives proposed in the literature for carrying out the activities of Internal Audit in the corporate groups (in-house solutions and outsourcing solutions) the Figure 5 shown that almost all of the groups adopt the in-house solutions, while the percentage of the groups that outsources the service is very low (10% just in the industrial sector).

As shown in Figure 6 (IA Operating Model in Italian Corporate groups), the centralized model of IA prevails in both the banking sector (64.29%) and the industrial sector (83.33%).

The decentralized model is adopted only by 16.67% of the groups of the industrial sector.

The hybrid model is adopted by only 28.57% of the groups in the banking sector and it is justified by the geographical delocalization that characterizes the companies of the group; in these case, it is decided to use the IA centralized

model for Italian companies and the decentralized one for the foreign companies.

In either sector, the delegation model is never used.

The learning organizational model is adopted by only 7.14% of the groups of the banking sector.

In the banking groups that adopt the decentralized model, 75% have appointed an IA contact person in each company in the group. In the industrial sector, the contact person exists only in 33% of the groups.

The matrix organizational structure is adopted in 21% of the groups in the banking sector and in 15% of the groups operating in the industrial sector, who declare, among other things, to be multi-business.

The internal management costs are the main reason that prompted the groups to adopt a centralized model.

The groups which adopt the decentralized model, however, feel the need to have a greater flexibility in the structure of Internal Audit.

Instead, the decision to outsource the IA service is linked to the need to bridge the lack of specific skills, and as noted by some groups of the industrial sector, to the small size of the aggregate.

78.5 % of the groups of the banking sector adopt the traditional system of corporate governance, while the other 21.5% that of the dual system.

However, in 85.7% of cases, the Chief Audit Executives report to the Board of Directors and

i banking ■ industrial

90,00%

in-house

10,00%

0,00%

outsourcing

Figure 5. Adoption of the in-house solutions and outsourcing of services

Banking Sector Delegated Industri

0,00%

Hybrid

Figure 6. IA Operating Model in Italian Corporate groups

14.3% to the chairman of the Management Board and to the Chairman of the Supervisory Board.

64.8% of Chief Audit Executives fulfill, also, the functions of the Designated Internal Control Officer, while 57.1% of them are also members of the Supervisory Board which has the tasks of supervising the operation, effectiveness and compliance of the "Organizational, Management, and Control Model" adopted in accordance to the Legislative Decree n. 231/01.

100% of the groups of the industrial sector adopt the traditional system of corporate governance.

In 50% of cases, the Chief Audit Executives report to the Board of Directors and in 25% directly to the Chairman of Board of Directors, 15% to the Supervisory Board, and 5% reports to the Chairman of the Board of Directors, to the Supervisory Board and to the Designated Internal Control Officer.

50% of Chief Audit Executives fulfill the functions of the Designated Internal Control Officer, while 65% of them are also members of the Supervisory Board.

With regard to internal human resources employed for the Internal Audit activities, it is found that: in the banking sector, the number of employees ranges from a minimum of 19 to over 1,000 people.

In the industrial sector, however, in 50% of cases, only one person is employed for these activities; in 10% of cases, the number of the employees ranges from 20 to 70 people.

With reference to the financial resources dedicated to the Internal Audit function, it is noted that in the banking sector, 71% of the groups

allocate a budget of over € 100,000; 14% of the groups assign a budget of up to € 25,000 and 7% of the groups allocate a budget of between 25 and 50,000 euro. The remaining 8% of the groups did not answer the question.

In the three years (2012-14), 14 % of the groups of the banking sector have maintained a constant budget for the Internal Audit, while 21% of the groups have increased its value. 57% of the groups have changed the budget in accordance with the needs of the entity; 8% of the groups did not answer the question.

In the industrial sector, however, the value of financial resources which groups devote to the Internal Audit function is diverse: 20% of the groups assign up to € 25,000; 15% of the group spend an amount of between 25,000 and € 50,000; 10% of the groups invest an amount between 50,000 and € 100,000; another 20% of the groups invest more than € 100,000. The remaining 35% of the groups of the industrial sector did not answer the question.

In the three years (2012-14), 55 % of the groups of the industrial sector have maintained a constant budget for the Internal Audit; 10% of the groups have increased its value. 10% of the groups have changed the budget in accordance with the needs of the entity; 25% of the groups did not answer the question.

In the banking sector, 50% of the groups have a system of monitoring of costs related to the Internal Audit, while in the industrial sector, only 20% have it.

With reference to the presence of adequate information systems dedicated to the activity of Internal Audit, it is found that 97% of banking

groups are equipped with it, while in the industrial sector they are present in a smaller percentage (35%).

The main reasons why it is useful to have appropriate information systems are linked to: a) the creation of valid reports for the bodies of corporate governance; b) the traceability of the activities carried out by the staff employed for the Internal Audit; c) the general improvement of the quality of the information for the stakeholders.

Survey findings

There is no single model of internal audit: each organization adopts what is most appropriate to meet its needs in relation to the type of activity carried out by the different companies of the group, the size and complexity of the organization.

From the analysis of the data, however, it is possible to highlight some trends.

Regardless of the sector—banking or industrial—almost all of the groups have an internal function of Internal Audit which mainly operates through a centralized model.

The groups that outsource the service are a very low percentage contrary to what happens in other European countries such as Ireland (Ernest & Young, 2014) Netherlands (Spekle et al, 2007), or outside Europe, for example, Australia (Carey et al, 2006; Subramaniam et al., 2004), US (James, 2003; Ahlawat and Lowe, 2004; Dickins and O'Reilly, 2009), New Zealand (Van Peursem and Jiang, 2008) and South Africa (Barac and Mo-tubatse, 2009).

In either sector, the delegated model is never adopted whereas, as noted in the study of Al-legrini and D'Onza (2008), it is used in other groups (e.g. Fiat, Telecom and RCS) listed in Italian stock exchange but which operate in different sectors.

If the size of the entities, as detected in the paper carried out by Allegrini and D'Onza (2003), is one of the driving factors for determining the budget to be assigned to the Internal Audit Function, even the risk level inherent to the activities of the group can be considered a conditioning factor in the amount of resources (human and financial) to be allocated to the function of IA (Moulton, 2009).

With reference to the 2012-14 years, the financial budget for Internal Audit has remained

constant in both sectors. In contrast, a marked difference with reference to the staff employed in IA activities has been noted in the two sectors: while in the banking sector, the number of people employed in IA activities is variable, also in function of the greater use of the decentralized model, the industrial sector, usually, provides just one person. This finding should give pause, even considering that highlighted by Arena & Azzone (2009) with reference to the importance that external auditors attribute to the size of the IA team in the assessment of the quality of the Internal Audit.

The groups that organize the Internal Audit activities using a matrix structure are those who, while operating in several sectors, have identified common issues affecting the same structure of Internal Audit. However, there are groups that are mono-business and have subsidiaries located in Italy or abroad, which prefer to adopt a hybrid organizational solution rather than a centralized one for the organization of the Internal Audit activities.

With reference to these last two findings, the study continues with the analysis of two case studies related to the Finmeccanica group and the UniCredit group.

As shown in Figure 7, the two mentioned groups have been chosen in consideration of the human resources and financial budget they have assigned for the IA activities. They have resulted higher than the other groups of the sample. In particular, the Finmeccanica Group employs 70 staff and allocates financial resources of over € 100,000, while the UniCredit Group employs 1,100 staff and allocates financial resources of over € 100,000.

In regard to the organization of the IA function, while Finmeccanica adopts a centralized model, UniCredit uses a hybrid model.

Case # 1 The Finmeccanica Group The Finmeccanica Group is one of the major Italian industrial groups. It is made up of about 200 companies directly or indirectly controlled by Finmeccanica SpA. Those companies operate in different sectors—Helicopters, Aeronautics, defense electronics and cyber-security, Defense systems, Space, Transport and other activities— and are among the top ten global players in the Aerospace, Defense and Security Sectors.

< 20

Industrial Sector

30 40 50 60 Internal Audit Staff

Finmeccanica

Figure 7. Human resources and financial budget assigned for the IA activities

Beginning from 2013, Finmeccanica has reorganized the Internal Audit Function of the Group, defining the centralization of the Group's Internal Audit activities with following aims:

• To increase the effectiveness of interventions and improve the efficiency of operating costs through a unitary audit structure;

• To increase the level of control and coordination of the Group's operating companies;

• to optimize the exchange of knowledge inside work groups, through a more transparent dialogue, cooperation of all those involved and sharing objectives with a core training unit;

• To improve the mix of skills through mechanisms of job rotation and career plans structured to allow for the acquisition of the importance of monitoring in management activities.

Through this structure, the allocation of business resources is clear at the corporate group level, the resources can be used at the right time, and the IA structure allows the company to fully manifest its potential.

The Group's new Internal Audit unit set up on 16 October 2013 reports to Finmeccanica SpA's board of directors and its functions are coordinated by the Chairman of the board of directors with the supervision of the risk and control committee in accordance with the provisions of the code of conduct for listed companies that Fin-meccanica SpA has adopted.

The Group's Internal Audit unit is organized on a matrix model (Business Sectors/IA areas of activity).

To ensure the operational implementation of the matrix model, the person responsible of each business area reports its activities to the Head of the Group's Internal Audit and operates in con-

junction with functional referents for the different types of audits. To this end, the following organizational functions report their activities to the Head of the organizational unit "Group's Internal Audit":

• "Operational and Regulation Audit", with the responsibility of ensuring the preparation and monitoring of the Integrated Audit Plan, through the consolidation of the single contributions received from the other organizational units ("Commercial Audit, Fraud Audit e ICT Audit"), as well as directly supervising the implementation of interventions in the competent areas, ensuring also the coordination of the verification activities of the System of Internal Control and Risk Management, with specific reference to the Legislative Decree no. 231/2001 and L. 262/2005;

• "Project Management Office", responsible for planning and defining a correct balance in terms of qualitative and quantitative resource allocation taking into account the different sectors/types of intervention, in order to ensure the efficient and effective implementation of the Integrated Audit Plan as well as the constant alignment of the Group model to professional standards, national and international legislation; he is also responsible for managing and updating the Group Risk Library, in collaboration with other relevant corporate functions;

• "Management Audit", responsible for the implementation of audits required by Top Management and/or by the Boards of Directors and Surveillance Bodies not defined in the Audit Plan of Finmeccanica S.p.A or by the other Group Companies;

• "Commercial Audit", responsible in ensuring the implementation of the checks made in

relation to commercial aspects related to national and international standards, in coordination with the "Compliance" organizational unit (Legal and Compliance Corporate Affairs) and in collaboration with other relevant corporate departments;

• "Fraud Audit", responsible for the implementation of the anti-fraud checks in connection with other competent business functions/units;

• "ICT Audit", with the responsibility of implementing ICT tests, in order to prevent actions which may affect both the value and the functioning of asset/technological infrastructure of the Group, in collaboration with the organizational unit and ICT Security Officer of the Group.

Operational activities are governed by the Interrelation Operating Model. In regard to the aggregate planning of the verification activities to be carried out in each company of the group, the preparation and updating of the Audit Plan shall be drawn up taking into account the reports gathered during the risk-assessment activities and audit, the priorities expressed by Senior management (Finmeccanica S.p.A. and the other Group Companies), by the Audit and Risk Committee and by the Board of Statutory Auditors (Finmeccanica S.p.A. and the other Group Companies). It is established that the Board of Directors, the Audit and Risk Committee and the Board of Statutory Auditors of Finmeccanica S.p.A. are regularly informed by the Group Audit function on the progress of the Audit Plans and semi-annual monitoring of the Action Plan.

It is stated that the Statutory Auditors of all the companies of the group periodically inform the Board of Statutory Auditors of the Parent Company on the progress of the Action Plans mentioned above. The Interrelation Operating Model provides three types of audits:

1. Ordinary Audits that are provided in the aggregated Audit Plan; they involve a single company; the person responsible for its execution is the Sectorial Head of Internal Audit.

2. Cross Audits are carried out on several Group companies and are designed to: a) assess the degree and uniformity of implementation and adoption of Group directives and guidelines; b) analyze the ways in which activities/processes are managed within the Group.

3. Special audits are implemented on one or more companies and are required by the ad hoc bodies of Control and Supervision as well as by the senior management of each entity of the group; they are designed to conduct timely inspections of specific areas identified as particularly critical, for which Management Audit is responsible.

The Interrelation Operating Model regulates the flow of information (reporting), in relation to all three types of audit.

In March 2014, the Director in charge of the internal control and risk management system (SCIGR) of Finmeccanica Spa, prepared the document named "Guidelines for the internal control and risk management system", which, compared with those prepared and approved during the 2013 financial year, led to a more precise definition of risks in the Group Library and a corresponding degree of coverage by means of the existing control mechanisms.

In this document, the Finmeccanica Group's risks are identified and are classified as: Compliance risks (arising from the performance of ordinary business operations, which relate to the failure by the business activities to comply with the relevant contractual clauses, laws, regulations and rules); Strategic risks (affecting the degree of success of the Company's strategies, the processes' ability to achieve the objectives defined by Top Management and the Company's image); Operating risks (concerning ordinary business operations, which affect the efficacy and efficiency of the various corporate areas or processes) and Financial risks (arising from the performance of ordinary business operations, which affect economic and financial figures within the management of accounting and reporting, taxation, cash and credit).

Case # 2 The UniCredit Group The UniCredit Group is a leading global financial group with roots in 18 countries, with representative offices and 8,954 branches in 50 international markets.

As showed in Figure 6, the UniCredit Internal Audit function — structured as a Department — coordinates and monitors the Group's Internal Audit activities performed by the competent structures of the various entities. It also performs third level control activities as well as on-site

inspections on the Parent Company and on the Group's Entities which outsource the internal audit activities to UniCredit ("in-service company").

In addition, the Department can conduct on-site visits on any Entity of the group, as a Group Internal Audit function. The IA Department also plays a role of steering, coordinating and monitoring the audit activities carried out by the Group's Entities Audit functions and continues updating the existing standards and policies in order to better support the audit process in the carrying out, reporting and monitoring phases, as well as the revision of the Group Audit Charter.

The Internal Audit Department of UniCredit verifies the compliance of the behavior of the companies belonging to the Group with the indications of the Parent company, besides the effectiveness of the internal auditing systems.

In the past, the activities of IA were carried out by a company specifically set up within the group, that is, by UniCredit Audit S.c.p.A., which, in 2013, was merged with the holding company. Top management decided to centralize and thus to provide for the managing of the IA within the parent company. The objectives that the management intended to pursue through the aforementioned modification were:

• To assign the task of coordinating and planning of IA activities on a group level to the management of IA, governing, in particular, the budget, the methodology, the IT tools and reporting;

• To delegate to the sub-functions of IA, located in each aggregate company the IA activities specific to each individual participating entity;

• To improve the overall effectiveness and efficiency of IA activities;

• To contain costs through the elimination of IA structures, which in the past overlapped.

The Internal Audit Department acts in compliance with the Audit Charter which defines its mission, responsibility, organizational structure, independency, tasks and powers. In particular, pursuant to the abovementioned Audit Charter, the Internal Audit is an independent function and is an integral part of the internal control system.

The Internal Audit Department, through an objective analysis of the circumstances identified during its control activities, and through the

assessment of the completeness and correctness of the design and functioning of key controls, aims at providing an independent assessment on the adequacy of the internal control system of the Company.

The Internal Audit can also provide consultancy services which aim at bringing added value and support to the Company assisting it in achieving its objectives, without compromising its independency.

The Internal Audit performs its activities in compliance with the Internal Audit Group Standards, which include the Ethic Code.

The Internal Audit Department reports, directly or through the Internal Controls & Risks Committee, to the Board of Directors and it is not assigned with any operational areas but reports hierarchically to the Board of Directors.

The Internal Audit function performs the following tasks:

• To develop a flexible annual audit plan through an adequate risk assessment, submitted to the Board of Directors for approval;

• To implement the annual audit plan—as approved—including the engagements or special projects requested by Management and/or by the Internal Controls & Risks Committee;

• To perform special investigations on operational events;

• To inform the corporate bodies, summarizing the results of the audits performed and the implementation status of the Management action plans.

In particular, in order to provide the corporate bodies and the Senior Management with an overall assessment of the internal controls system, the Head of the Internal Audit function arranges a quarterly report, called "Internal Audit Activities and Results (IAAR)". IAAR includes not only an assessment of the internal controls system, but also summary information on the activities performed, on the main risks which have arisen and on the implementation status of Management action plans.

Furthermore, the Internal Audit function forwards the Audit Reports rated critical directly to the Board of Statutory Auditors; in any case he can also send further Audit Reports which include significant deficiencies to the Internal Controls & Risks Committee and to the Board of Statutory Auditors.

With specific regard to the planning of activities, the Internal Audit function arranges:

• Group Audit Plans, based on the Risk Assessment results, in compliance with the Group Audit guidelines. Group Audit Plans also consider the requests made by Regulators and corporate bodies;

• the UniCredit Audit Plan as part of the Multi-year Audit Plan (5-year plan) based on the mandatory audits and risk assessment of the Audit Universe ("AU") of UniCredit.

The Multi-year Audit Plan—revised annually based on risk assessment—enables an efficient and effective coverage of the AU in line with the risks of the Bank. The above mentioned Plans include IT auditing activities. As of March 1, 2013 UniCredit does not have total or partial outsourcing agreement of the Internal Audit function.

6. CONCLUSIONS

As the company is, by definition, a dynamic system that changes over time in relation to institutional, structural and environmental changes, even Internal Auditing has undergone, over the last decade, an important evolutionary process that has transformed IA from a mere tool of internal control—linked to the accounting and finance fields—to a real business function that invests in a set of sub-systems and enterprise resources dynamically and across the board.

With this study, we have intended to contribute to the scientific literature on the organizational aspects of Internal Audit, with particular reference to business groups. The proposed analysis, however, is not without its limitations: the small size of the sample, in fact, could affect the results. Consequently, it would be wrong to generalize based on the conclusions we have made.

However, it can be stated that there is not an exclusive model for organizing and managing Internal Audit: the administration can choose to have an internal IA (in-house), or it can entrust the same entirely to an outside provider (outsourcing), or it can consider the possibility of combining the two options (co-sourcing). The latter solution allows the organization to acquire specific competence from the outside (for example, of legal nature) that is not present inside the group, thereby allowing for the adequate functioning of IA activity.

The application and weighting of the individual criteria used for choose and assessment the appropriate IA operational model and the organizational structure of the IA Department will depend on the nature, scope, complexity, and risk profile of the institution. Whether in-house, outsourced, or somewhere in between, the internal audit department model should be based on the defining characteristics of the group as well as the specific applicability and potential benefits and challenges associated with each operating model.

Executive management and audit committees should periodically review their group's risk profile and determine if their current internal audit model is optimal for parent company, subsidiaries entities and significant stakeholders. The many challenges internal audit departments face today, coupled with the administrative costs associated with maintaining an internal audit department, have caused many companies to re-evaluate their internal audit operating model.

Each company, therefore, as seen from the cases proposed, adopts the model that is most appropriate to meet its needs and to take advantage of the potential benefits that derive from it in terms of keeping costs low, increasing effectiveness of actions, acquisition of specific competencies that are lacking, or greater flexibility in carrying out audits.

This is true not only with reference to the business groups or firms of a medium or large size but also for smaller ones. These, like the others, should be equipped with an Internal Audit function that enables them to ensure not only the effectiveness of governance processes but also, to address the risks arising from the environmental complexity in which they are con-textualized.

However from the analysis carried out in the Italian context, it was found that within the groups included in the sample and, especially, in those of the industrial sector, there is not a real function of IA, at the most, in terms of human resources, only a few units are assigned to perform this task. However, what emerged was the will not to outsource the function and to centralize the activities of IA in the parent company, especially in order to internally manage its costs.

The complexity and number of activities and sectors in which a business operates, the size of

the aggregate, human and financial resources allocated to IA activity and the geographical location of the companies belonging to the group, all make up the main variables that weigh on the organizational aspects of Internal Audit. In particular, these variables are decisive each time that the group must decide:

• Whether or not to externalize IA activity, having the choice between adopting an in-house model or an outsourcing model;

• Whether to centralize or decentralize in the holding the function of IA, if it should choose to adopt an in-house model

• Which organizational structure (functional, divisional or matrix) to adopt to manage IA activity in a corporate group.

The survey has shown how Italian corporate groups, in the banking and industrial sectors, have chosen to carry out internal audit in different ways. The used approaches aim to inform rather than judge, and the authors hope that the contents of the paper may encourage continuous improvement: some times, the benefits of one

organizational solution may represent issues and challenges for another. The importance of the internal audit function is growing and is creating more and more expectations: as highlighted by Chartered Institute of Internal Auditors (2015), it would not be surprising if new models were to emerge in future.

A research line for the future, which may be an interesting follow up, involves a bivariate or multivariate analysis for testing the relationships between pairs or groups of variables that affect both the choices of the organizational model of Internal Audit and the assigning of the budget that should be allocated to the function. Consistent with previous studies of the importance of internal audits, another research line for the future regards an empirical analysis to examine the effect of the internal audit on group performance. It would also be interesting to see whether or not the choice of in-house or outsourcing for IA activities has an impact on the overall performance of a corporate group.

References

1. Abdolmohammadi, M. (2013). Correlates of Co-Sourcing/Outsourcing of Internal Audit Activities. AUDITING: A Journal of Practice & Theory, vol. 32, no. 3, pp. 69-85.

2. Abdul-Nasser El-Kassar, Walid Elgammal and Bayoud M.M. (2014). Effect of internal audit function on corporate governance quality: evidence from Lebanon. International Journal of Corporate Governance, vol. 5, no. 1/2, pp. 103-117.

3. Ahlawat S.S. and Lowe D.J. (2004). An examination of internal auditor objectivity: In-house versus outsourcing. Auditing: A Journal of Practice and Theory, vol. 23, no. 2, pp. 149-60.

4. Albert L.N. and Cenker W.J. (2002). An assessment of the newly defined internal audit function. Managerial Auditing Journal, vol. 17, no. 3, pp. 130-137.

5. Allegrini M. and D'Onza G. (2003). Internal auditing and risk assessment in large Italian companies: an empirical survey. International Journal of Auditing, vol. 7, no. 3, pp. 191-208.

6. Allegrini M., D'Onza G., Paape L., Melville R. and Sarens G. (2006). The European literature review on internal auditing. Managerial Auditing Journal, vol. 21, no. 8, pp. 845-853.

7. Anderson U., Christ M., Johnstone K.M. and Rittenberg L. (2012). A Post-SOX examination of factors associated with the size of internal audit functions. Accounting Horizons, vol. 26, no. 2, pp. 167-191.

8. Arena M., Arnaboldi M. and Azzone G. (2006). Internal audit in Italian organizations. A multiple case study. Managerial Auditing Journal, vol. 21, no. 3, pp. 275-292.

9. Arena M. and Azzone G. (2009). Internal Audit effectiveness: relevant drivers of auditees' satisfaction. International Journal of Auditing, vol. 13, no. 1, pp. 43-60.

10. Barac K. and Motubatse N.K (2009). Internal audit outsourcing practices in South Africa. African Journal of Business Management, vol. 3, no. 13, pp. 969-979.

11. Bertini U. (2004). Dissesti aziendali e sistemi di controllo interni. Studi e note di economia, vol. 2, pp. 7-13.

12. Caplan D. and Kirschenheiter M. (2000). The effects of internal audit structure on perceived financial statement fraud prevention. Contemporary Accounting Research, vol. 17, no. 3, pp. 387-428.

13. Carcello J., Hermanson D. and Raghunandan K. (2005a). Changes in internal auditing during the time of the major US accounting scandals. International Journal of Auditing, vol. 9, no. 8, pp. 117-127.

14. Carcello J.V., Hermanson D. and Raghunandan K. (2005b). Factors Associated with U.S. Public Companies' Investment in Internal Auditing. Accounting Horizons, vol. 19, no. 2, pp. 69-84.

15. Carey P., Subramaniam N. and Chua Wee Ching K. (2006). Internal Audit Outsourcing in Australia. Accounting and Finance, vol. 46, no. 1, pp. 11-30.

16. Cohen J., and D. Hanno (2000). Auditors' Consideration of Corporate Governance and Management Control Philosophy in Preplanning and Planning Judgments. Auditing: A Journal of Practice and Theory, vol. 19, no. 2, pp. 133-146.

17. Chartered Instititute of Internal Audit (2015). Models of effective internal audit. Available at: https:// www.iia.org.uk (Accessed 28 May 2015).

18. Cohen J., Krishnamoorthy G. and Wright A. (2002). Corporate Governance and the Audit Process. Contemporary Accounting Research, vol. 19, no. 4, pp. 573-94.

19. Comitato Flick, Relazione Finale del Comitato Flick al Consiglio di Amministrazione di Finmeccanica Società per azioni 31 marzo 2014. Available at: http://www.finmeccanica.com (Accessed 25 October 2014).

20. Cooper B., Leung P. & Wong G. (2006). The Asia Pacific literature review on internal auditing. Managerial Auditing Journal, vol. 21, no. 8, pp. 822-34.

21. Christopher J., Sarens G. and Leung P. (2009). A critical analysis of the independence of the internal audit function: evidence from Australia. Accounting, Auditing & Accountability Journal, vol. 22, no. 2, pp. 200-220.

22. D'Eri A. and Regoliosi C. (2014). Good corporate governance and the quality of internal auditing departments in Italian listed firms. An exploratory investigation in Italian listed firms. Journal of Management and Governance, vol. 18, no. 3, pp. 891-920.

23. Dickins D. and O'Reiley, D. (2009). The qualifications and independence of internal auditors. Internal Auditing, vol. 24, no. 3, pp. 14-21.

24. Ernest &Young (2012). The future of internal audit is now increasing relevance by turning risk into results. Available at: http://www.ey.com/internalaudit (Accessed 14 October 2014).

25. Ernest &Young (2014). The Evolving Role of Internal Audit in Ireland. Available at: http://www.ey.com/inter-nalaudit (Accessed 12 October 2014).

26. Finmeccanica. Sustainability Report 2013. Available at: http://www.finmeccanica.com (Accessed 22 October 2014).

27. Giansante P. (2009). Internal Auditing: Contenuto struttura e processo. Edizioni Universitarie Romane, Roma.

28. Hass S., Abdolmohammadi J., M. and Burnaby P. (2006). The Americas Literature Review on Internal Auditing. Managerial Auditing Journal, vol. 21, no. 8, pp. 835-844.

29. Ibrahim El-Sayed Ebaid (2011). Corporate governance practices and auditor's client acceptance decision: empirical evidence from Egypt. Corporate governance, vol.11, no. 2, pp. 171-183.

30. Institute of Internal Auditors (2005). Position Paper. Resourcing alternatives for the Internal Audit Function. Available at: http://www.theiia.org (Accessed 12 October 2014).

31. Institute of Internal Auditors (2009) Position Paper. The Role Of Internal Auditing In Resourcing The Internal Audit Activity. Available at: http://www.theiia.org (Accessed 12 October 2014).

32. James K. (2003). The effects of internal audit structure on perceived financial statement fraud prevention. Accounting Horizons, vol. 17, no. 4, pp. 315-327.

33. Karagiorgos T., Drogalas G., Gotzamanis Â. and Tampakoudis I. (2009). The Contribution of Internal Auditing to Management. International Journal of Management Research and Technology, vol. 3, no. 2, pp. 417-427.

34. Karagiorgos T., Drogalas G., Gotzamanis Â. and Tampakoudis I. (2010). Internal Auditing As an Effective Tool for Corporate Governance. Journal of Business Management, vol. 2, no. 1, pp. 15-23.

35. Lenz R. and Sarens G. (2012). Reflections on the internal auditing profession: what might have gone wrong? Managerial Auditing Journal, vol. 27, no. 6, pp. 532-549.

36. Leung P., Cooper J.B. and Perara L. (2011). Accountability structures and management relationships of internal audit: An Australian study. Managerial Auditing Journal, vol. 26, no. 9, pp. 794-816.

37. Marchi L. (2004). Revisione aziendale e sistemi di controllo interno. Giuffrè, Milano.

38. Melville R. (2003). The Contribution Internal Auditors Make to Strategic Management. International Journal of Auditing, vol. 7, no. 3, pp. 209-22.

39. Moeller R. (2004). Managing internal auditing in a post-SOA world. Journal of Corporate Accounting & Finance, vol. 15, no. 4, pp. 41-45

40. Moulton P. Managing Internal Audit cost, Effectiveness and performance. Available at http://www. protiviti.com (accessed 15 October 2014).

41. Paape L., Scheffe J. & Snoep P. (2003). The relationship between the internal audit function and corporate governance in the EU — a survey. International Journal of Auditing, vol. 7, no. 3, pp. 247-62.

42. PricewaterhouseCoopers (2013). 16th Annual PwC Global CEO Survey. Available at: http://www. pwc.com/internalaudit (Accessed 05 October 2014).

43. Protiviti, 2009. Guide to Internal Audit. Second edition. Available at: http://www.protiviti.com (Accessed 15 October 2014).

44. Razaee Z and Olibe K.O. (2003). Improving corporate governance: the role of audit committee disclosure. Managerial Auditing Journal, vol. 18, no. 6-7, pp. 530-537.

45. Reider H.R. (1994). The complete guide to operational auditing. John Wiley and Sons, New York.

46. Sarens G., Allegrini M., D'Onza G. and Melville R. (2011). Internal auditing in Europe: An analysis of the association between Internal Auditing Practices and the Maturity of the Internal Audit Function. Managerial Auditing Journal, vol. 26, no. 1, pp. 51-64.

47. Selim G. and Yiannakas A. (2000). Outsourcing the internal audit function: a survey of the UK public and private sectors. International Journal of Auditing, vol. 4, no. 3, pp. 213-226.

48. Selim G., Woodward S. and Allegrini M. (2009). Internal auditing and consulting practice: A comparison between UK/Ireland and Italy. International Journal of Auditing, vol. 13, no. 1, pp. 9-25.

49. Sharma D. and Subramaniam N. (2005). Outsourcing of internal audit services in Australian firms: some preliminary evidence. Asian Academy of Management Journal of Accounting and Finance, vol. 1, pp. 33-52.

50. Spekle R.F, Van Elten H.J. and Kruis A.M (2007). Sourcing of internal auditing an empirical study. Management Accounting Research, vol. 18, no.1, pp. 102-124.

51. Spira L.F. and Page M. (2003). Risk management: the reinvention of internal control and the changing role of internal audit. Accounting, Auditing & Accountability Journal, vol. 16, no. 4, pp. 640-661.

52. Stewart J. and Subramaniam N. (2010). Internal Audit Independence and Objectivity: Emerging Research Opportunities. Managerial Auditing Journal, vol. 25, no. 4, pp. 328-360.

53. Subramaniam N., Ng C. and Carey P. (2004). Outsourcing internal audit services: an empirical study on Queensland public entities. Australian Accounting Review, vol. 14, no. 34, pp. 86-95.

54. Van Peursem K. and Jiang L. (2008). Internal audit outsourcing practice and rationales: SME evidence from New Zealand. Asian Review of Accounting, vol. 16, no. 5, pp. 219-245.