International Journal of Finance and Accounting 2013, 2(2): 61-66
DOI: 10.5923/j.ijfa.20130202.02
Internal Audit Function in Relation to Enterprise-Wide
Risk Management (EWRM) Practices
Norlida Abdul Manab1,*, Mohd Rasid Hussin1, Isahak Kassim2
1 School of Economics, Finance & Banking, College of Business, Universiti Utara Malaysia (UUM), 06010 Sintok, Kedah, Malaysia
2 Faculty of Information Technology and Quantitative Sciences, Universiti Teknologi MARA (UiTM), 40450 Shah Alam, Selangor, Malaysia
Abstract This paper examines the internal audit roles and functions in Enterprise-Wide Risk Management (EWRM)
practices of Public Listed Companies (PLCs) in service sector. A triangulation approach was adopted to obtain an enriched
data collection and analysis for the study. From a survey analysis, the findings showed that 85.7 percent of EWRM programs
in financial companies were under the direct supervision of a risk management department as compared to only 34.1 percent
in non-financial companies. This result was quite surprising, as more than half (51.3 percent) of the EWRM programs in
non-financial companies were actually under the supervision of an internal audit department. However, only 47.2 percent of
the companies were found to have their own internal audit, while 52.6 percent reported that they outsourced their audit
activities. Quite interestingly, the overall result from a case study analysis found that the internal auditor plays a dual function,
as an internal auditor and also as a risk manager.
Keywords Enterprise-Wide Risk Management, Internal Audit, Corporate Governance, Triangulation
1. Introduction
Companies’ environment of risk and the perception
towards risk have changed over the years. Most of the
organizations now have moved from the traditional way of
managing risks to more integrated approach to the
management of risks known as integrated or enterprise-wide
risk management (EWRM). This new trend of risk
management program considers and manages all sources of
risk, regardless of the type. It engages everyone within the
entire organization, starting from the very top at the
governance level, right down to the very bottom at the
ordinary level of employees.
The emergence of EWRM had also caused a paradigm
shift in respect of the internal audit function. The Malaysian
Code on Corporate Governance (MCCG) added a new
function to the internal audit role of risk management. The
code itself requires the internal auditors to monitor the
potential risk exposures. Such a requirement undoubtedly
brought about a dramatic shift in respect of the internal audit
function from a control-based approach to the risk-based
approach.
* Corresponding author:
norlida@uum.edu.my (Norlida Abdul Manab)
Published online at http://journal.sapub.org/ijfa
Copyright © 2013 Scientific & Academic Publishing. All Rights Reserved
The scope and functions of an internal audit have
increased over time in response to the rapid environmental
changes of today. Its functions have been developed in
stages, starting with the review of financial statements and
other accounting functions. This is followed by focusing on
compliance audit, assessing the internal control and
operating process, and eventually adding its role on risk
management. Risk assessment as part of internal auditing is
increasingly used to identify, measure, and prioritise risks so
that the focus is placed on the auditable areas of greatest risks.
Risk-based auditing moves the focus from the past (historical
operation of internal control system) to the future, where
they test the way management mitigate risks[1]. With a new
function, auditors could possibly enhance their existing roles,
provide better services and eventually assist corporate
entities/organizations in formulating the risk management
policies and effectively carry out the risk management
process on the whole.
However, internal audit is independent and has
traditionally been most concerned about internal control.
With a new function, how would its involvement in EWRM
practices ensure that the internal audit activities are not in
contradiction with its original roles and functions? Also,
what is essentially the internal auditors’ responsibility with
regard to risk management activities or specifically leading
the EWRM effort in particular? Hence, in answering
these pertinent questions, it is important to look at the
two-fold objectives of this particular study. The first is to
examine the role of internal audit function in respect of
EWRM practices. The second is to examine how effective the
EWRM programme is under the supervision of internal audit as
compared to the risk management department. The next
section discusses the review of related works, the
methodology used, and analysis of the findings including
discussion and conclusion.
2. Literature Review
2.1. Enterprise-Wide Risk Management (EWRM) Concept
There are four (4) important issues in relation to the
EWRM concept. First, EWRM views risk as being more
complete, consistent, and collective rather than focusing only
on hazard or financial risk[9]. It is engaged with all types of
risk, which are currently faced by business entities. The risks
are commonly categorised as hazard risk, financial risk,
operational risk, and strategic risk ([8],[23]).
Second, EWRM is a framework. As in[5], EWRM
framework involves a process of identifying, defining,
quantifying, comparing, prioritising, and treating all types of
risks facing an organization. Reference[5] added that the
EWRM process requires a wide range of tools and
methodologies, which helps to explain the relationship
between risk profile and its impact on shareholder value.
Third, the EWRM definition encompasses that everyone
within an organisation is responsible for managing risks.
EWRM actually involves the overall human resource, that is,
people at all levels of the entire organization. The successful
implementation of EWRM highly depends on the efficiency
and the effectiveness of the management, where it is required
to identify and evaluate the company’s risks and to design,
operate, and control an internal control system to address
those risks[22].
Finally, the EWRM underlying concept is that each type
of organization, whether profit, non-profit, or government
agency, provides value for its stakeholders[7]. This had been
stressed in the definition of EWRM and in the EWRM
concept itself. The EWRM definition as in[10] and studies as
in ([12],[14],[16],[20]) showed the important role of EWRM
in creating shareholder value within the organization.
2.2. Internal Audit Function
The internal audit function and the role of risk
management have been addressed by the Committee of
Sponsoring Organisations of the Treadway Commission
(COSO) in 1992 and specifically to improve corporate
governance through an internal control system. Its function
has moved from a control-based approach to the risk-based
approach by focusing on risk management, corporate
governance, and adding value at the same time[24]. The
reason for the shift of internal audit function is due to the fact
that risk management is too important to be left to the risk
manager alone[4]. Referring to a survey by the Institute of
Internal Auditors Malaysia and Ernst and Young[19], the
involvement of internal audit in risk management is to
provide independent assurance over risk management
practices, and to develop and assist in the development of the
risk management framework.
In accordance with the new role of internal audit function,
Malaysian Code on Corporate Governance (MCCG)
2000[11] added a new function of internal audit role on risk
management. The Best Practices Provision BB VIII in Part 2
states that the internal audit functions must be free from the
activities that they audit. This provision is provided to
prevent the conflicting function occurring in performing
their duties. It requires internal auditors to assume
responsibility for monitoring enterprise risks.
Although the role of internal audit function and its
relation to risk management are clearly stated in the MCCG
2000 or in its definition by The Institute of Internal Auditors
Malaysia Code of Ethics or from other related sources, there
is no specific duty yet on internal auditors that have been
imposed by security laws[2]. Moreover, according to the
Malaysian Institute of Internal Auditors in[21], only 50
percent of PLCs have their own internal audit.
Realizing the important function of internal audit in
PLCs as well as its role in risk management, an
amendment has been made in the Revised Malaysian Code
on Corporate Governance, which was issued in October
2007[15]. The revised code requires all PLCs to have an
internal audit function. So as to preserve the independence of
the internal audit function, the report must be made directly
to the audit committee.
However, there is an argument on the roles and functions
of internal audit in EWRM. The Best Practices Provision BB
VIII in Part 2 of the MCCG 2000 is aligned with the
statement as in[13] (p.7) that “risk management is not a
natural function of audit and is unlikely to become one”.
This means that risk management should not be led by the
internal audit division[17].
In conjunction with EWRM implementation, the chief
audit executive and internal audit can play their roles either
as educator, facilitator, coordinator, evaluator or integrator
[17]. Reference[18] suggested that the function of internal
auditors in enterprise risk management can be regarded as
being a consultant to the senior management in order to
improve the overall risk management system and the key
area of business. The audit functions as a control system to
ensure that the management manages the risks in their area of
responsibility and make recommendations. The functions
can be described as an independent insider or the in-house
regulator[2]. In modern business terms, internal auditing is
given a dual role in EWRM, it acts as a provider and also as
an advisor[6].
Even though both internal audit and risk management
provide advice and service to the top management, their
functions and perspectives are different. Risk management is
about managing risks as well as maximising the company’s
value, whereas the role of audit is essentially as a monitoring
system[13].
3. Method
The study adopted a triangulation approach, a
combination of a survey and a case study, as the research
methodology. Quantitative and qualitative methods were
adopted in this study in order to provide both descriptive and
interpretive forms of empirical evidence. The survey offered
empirical evidence on EWRM practices from the companies’
perspectives, which were derived from their knowledge and
experience in the area. Therefore, the case study provided
in-depth investigation of EWRM implementation in a
real-practice context.
The sampling frame was obtained from Bursa Malaysia
Listed Companies, which includes the Main and Second
Boards of listed companies of all types of sectors. One
hundred and thirty two (132) listed companies in the service
sector were successfully contacted and 85 companies had
agreed to participate. The questionnaires were mailed to 85
public listed companies (PLCs) in the service sector
comprising financial and non-financial companies. Out of
the 85 questionnaires mailed, only 55 companies responded,
although several follow-up procedures had been made. The
number of responses is considered high compared with other
studies in EWRM, such as in ([3],[12]).
As for qualitative approach, four (4) companies were
selected and interviewed as case studies. The selection of the
case study was based on the uniqueness of the companies in
terms of the status of EWRM implementation; the types of
company; and the department in charge.
4. Findings
4.1. Survey Analyses
Almost all companies (98.0 percent) acknowledged that
they had an internal audit. All financial companies reported
that they had an internal audit and similarly, 97.4 percent of
the non-financial companies did the same. Although the
companies mentioned that they had an internal audit, some
companies actually outsourced external party/consultant for
their internal auditing.
Table 1 shows that from all the companies (100 percent)
that had an internal audit in financial companies, 78.6
percent had their own internal audit and the remainder (21.4
percent) pointed out that they hired a consultant for internal
auditing purposes. But, in non-financial companies however,
the result showed that from the total of companies that had an
internal audit, only 47.4 percent of the companies had their
own internal audit and 52.6 percent of the companies
reported that they outsourced their audit activities.
With regard to EWRM, the study found that 47.27 percent
of the EWRM programmes were placed under the risk
management department, 40.0 percent of the programmes
were under the supervision of internal audit department,
followed by finance department, and other departments.
The result also showed that 85.7 percent of the EWRM
programmes in financial companies were under the
supervision of the risk management department as compared
with 34.1 percent in non-financial companies. The result
indicated that the placement of EWRM programme
depended on type of company, where it appeared that 85.7
percent of financial companies placed their EWRM
programme under the risk management department.
Table 1. Internal Audit and Department in Charge on EWRM According to Type of Company
Com     Department in Charge (%)          IA (%)   Own IA (%)   Outsource (%)
        RM      IA      F       O
PLCs:   47.27   40.0    9.09    3.64      98.0     55.8         44.2
F       85.7    7.15    7.15    -         100      78.6         21.4
NF      34.1    51.3    12.2    2.4       97.4     47.4         52.6
*F=Financial/ Finance; NF= Non-financial; RM= Risk Management; IA =
Internal Audit; O= Other; Com= Company
The result was quite surprising, particularly in
non-financial companies where more than half (51.3 percent)
of EWRM programmes were under the supervision of
internal audit department, 12.2 percent under finance
department, and 2.4 percent under other departments. From
the percentages of the companies that assigned the internal
audit department to look after the EWRM efforts, 52.6
percent of them outsourced their internal audit activities. The
result also showed that the rest of 14.3 percent of EWRM
programmes in financial companies were placed under
internal audit and finance departments.
4.2. Case Study Analyses
Table 2 presents the information on a personnel and
department in charge of EWRM activities of the four (4) case
studies conducted. The EWRM activities in Company A and
B were supervised by the head of risk management under the
risk management department whereas in Company C and D,
the activities were controlled by the Internal Auditor under
the internal audit department.
Table 2. Department and Person in Charge and Type of Company
Com   Type   Incorporated   Listed   Year EWRM   Department in Charge   Person in Charge
A     NF     1984           1990     2003        RM                     Head of RM
B     F      1973           1981     2003        RM                     Head of RM
C     NF     1976           1977     2003        IA                     Internal Auditor
D     NF     1972           1996     2003        IA                     Internal Auditor
*F=Financial/ Finance; NF= Non-financial; RM= Risk Management; IA =
Internal Audit; Com= Company
Company A and B, which represented the non-financial
and financial companies respectively, placed their risk
management activities under the supervision of the risk
management department. It is rather convincing to note that
these companies were extremely serious in their risk
management efforts. To effectively implement the EWRM,
the companies were very concerned with the selection of the
right people with a specific unit or department to supervise
the risk management activities.
Another two (2) non-financial companies, Company C
and D, assigned the internal audit department to monitor the
EWRM activities. Even though the role of internal auditor in
risk management was just as a risk coordinator or as in-house
risk management consultant, there was a serious concern
about the internal auditing functions in EWRM. Basically,
both individuals in Company D and C who were responsible
for risk management disagreed that the risk management
programme should be placed under the supervision of the
internal audit department. Conflicting functions occurred
between their original function of internal auditing and the
new function of risk coordination. There were biases and no
segregated activities when the same person performs both
jobs. The Internal Audit Executive of Company D commented
on the functions of internal audit in managing risks:
“When EWRM is under audit function, it is not a burden,
because it is a simple job. But the problem is in terms of the
validity of the data. You might be bias if the same person
does both jobs...as a risk coordinator and also as an internal
auditor. If risk management and audit is under one
department, then it is a problem when we do risk
assessment and also audit, because there are no segregated
activities.”
In terms of implementation, Company C and D were not
satisfied with their current risk management practices, but as
for Company C, even though it was not satisfactory, the
implementation was in progress. Consequently, both
companies agreed that the risk management programme
should be separated from internal auditing since both
functions were important for the organization. The Internal
Auditor of Company C hoped that by having a separate
department, the work load could be reduced and the risk
management department would have the authority to
effectively implement the EWRM programme. Internal
Audit Executive of Company D stressed the importance of
having a separate department. Through this department, the
risk management implementation could be more focused.
However, there was no requirement for companies to have a
separate department.
In fact, the internal audit functions in risk management
were clearly stated in a document of Risk Management
manual or policy and procedure of both companies as to
validate the results of the EWRM process. For example in
Company C, the Group Internal Audit function was to
provide “independent assurance in preserving the integrity
of risk management framework”. As for Company D, an
internal auditing was defined as “an independent, unbiased
function, which contributes by means of auditing and
consultancy for proper assessment of the risk situation,
vulnerability, value enhancement, and business process
improvement”.
It is therefore important to mention here that in respect of
the overall risk management practices, these companies were
still lacking in terms of EWRM implementation and not
much effort was made to improve it, especially at the
subsidiary level. The subsidiaries did not identify their own
risk. Thus, it had to be identified by the audit people. Such a
situation might be due to the conflicting role and function
between internal audit and risk management.
The Internal Audit Executive of Company D mentioned
that “personally, I do not really satisfy with EWRM
implementation because we cannot hundred percents
concentrates on that”. This might be due to the EWRM
programme being taken over by the internal audit people
where they admitted that they cannot really focus on it. In
addition, based on the observation and the judgment during
the interviews, the researcher discovered that the internal
auditor and the internal audit executive in Company C and D
respectively did not have sufficient knowledge and relevant
skills to supervise the EWRM programme as compared to
the Head of Risk Management Department in Company A
and B.
Auditing was in fact their original duty and not the task of
managing risks. It was suggested that by having a separate
department, the EWRM programmes in Company C and D
would be more focused and effectively implemented.
The findings of this study have assisted the researcher in
obtaining a real picture of internal audit function in EWRM
practices, particularly in the PLCs and generally in Malaysia
through the triangulation approach adopted. In this study, the
qualitative method was applied as a confirmatory method as
established in the quantitative method.
5. Discussion
The effective and successful implementation of EWRM
programme depends highly on the person in charge and the
department concerned. The top management requires the
capability in terms of skill and knowledge in risk
management in order to assist them in making effective risk
management decisions and to successfully influence the staff
to be more proactive in respect of risk management
implementations.
However, the study found that less than fifty percent (47.3
percent) of the risk management programme in PLCs are
placed under the risk management department. The
percentages are only slightly higher than those in charge by
the internal audit department (40.0 percent). Compared with
type of company, it was found that 85.7 percent of the
financial companies have risk management departments as
compared to only 34.1 percent in the non-financial
companies. The study also showed that the percentages of
non-financial companies that assign other departments to
supervise the risk management activities are quite high,
which are 65.9 percent. From this figure, 51.3 percent of
them had assigned the internal audit department to supervise
the risk management programme.
Even though the function of internal audit had moved
from a control-based approach to risk-based approach[24],
the function only added the control activities. Thus, by
assigning the internal auditor to supervise the risk
management programme not only contradicts with the Best
Practices Provision BB VIII in Part 2 of the MCCG 2000[11],
which stressed that the internal audit is free from activities
that they audit, but it also opposed the company statement on
EWRM guidelines and policies. Such findings confirm the
statement in ([4],[13],[17]) that risk management should not
be led by the internal audit department.
On the other hand, there appears to be no regulation
imposed to prevent the Internal Auditor from managing the
risks[2] or for companies to have a risk management
department. Although the amendment has been made on the
MCCG (Revised 2007) in the Best Practices Provision BB
VII in Part 2[15] to preserve the independence of the internal
audit function, the Revised Code only stresses on the internal
audit reporting. Based on the result of these case studies, two
non-financial companies have placed their risk management
activities directly under the internal audit department. The
Internal Auditor, who is responsible for the activities, plays a
dual role, one as an internal auditor and the other as a risk
manager. The result nevertheless contradicted with the role
and function of internal audit in EWRM as in The Institute of
Internal Auditors Standards and as suggested by several
authors and researchers ([2],[6],[17-18]).
In respect of EWRM implementation, several problems
occur when both functions are under the same department:
● there are no separate activities in doing risk
management and auditing;
● there are biases when the same person does both jobs
of auditing and managing risks;
● as internal auditors, they focus more on internal
auditing rather than managing risks;
● subsidiaries conceal reporting on certain risk
management problems to the risk coordinator, who is also
the internal auditor;
● subsidiaries implement risk management for the sake
of requirement but not for best practice; and
● subsidiaries depend on internal auditor in identifying
risks and preparing a risk management report.
The findings also indicated that 52.6 percent of
non-financial companies used an external consultant for
internal audit, whereby 51.3 percent of the companies assign
an internal audit to supervise the risk management activities.
The outcome is in-line with the report made by the Institute
of Internal Audit in[21] that only fifty percent (50%) of PLCs
have their own internal audit. This may be due to the Best
Practices Provision BB VII in Part 2 of the MCCG 2000,
which does not stress on the existence of the internal audit
function in companies. Thus, realizing the importance of
internal audit function, the Revised Code on Corporate
Governance (2007)[15] stressed that all companies are
required to have an internal audit function.
Based on the empirical findings on this issue, assigning an
internal auditor to supervise the risk management program
not only contradicts with the internal audit primary functions,
but also conflicts with the Best Practices Provision BB VIII
in Part 2 of the MCCG 2000[11]. Briefly, the findings
provided valuable contribution to the existing literature on
the roles and functions of internal audit in EWRM.
6. Conclusions
The emergence of EWRM involves changes in the internal
audit function and introduces a new position of risk
management experts. On a positive note, the new standard of
internal auditors had shifted the paradigm of the internal
audit function from a control-based internal auditing to a
risk-based internal auditing. The Malaysian Code on
Corporate Governance also added a new function of internal
audit role on EWRM practices. The code requires the
internal auditors to assume the primary responsibility for
monitoring enterprise risk exposures.
This particular study adopted a triangulation approach to
evaluate the internal audit function in EWRM practices. The
overall result showed that the primary function of internal
audit actually contradicted with the Best Practices Provision
BB VIII in Part 2 of the MCCG 2000. The provision stated
that the internal audit functions must be free from the
activities that they audit. One of the key findings revealed
that the sentiment is still strong in asserting that the risk
management activities on the whole should not be led solely
by the internal audit division. Although internal audit and
risk management provide advice and service to the top
management, their functions are totally different. It is
therefore highly important to note that such findings of
empirical evidence strongly suggested that risk management
is not supposed to be placed directly under the internal audit
department. The internal auditors should play their role as
internal control in respect of EWRM. EWRM activities
should be under the supervision of the risk management
personnel who are more knowledgeable and skilful in that
particular area.
REFERENCES
[1] Alijoyo, F. A., “Risk Management's Role in Corporate Governance”, Paper presented at the Panel Discussion on Corporate Governance: Accelerating The Implementation of Good Corporate Governance through Board Independence, Yogyakarta and Bandung, Indonesia, 2002.
[2] Anwar, Z., “The Role of Internal Audit Function in Good Governance”, Paper presented at The Institute of Internal Auditors Malaysia 2006 National Conference of Internal Auditing, 18 September 2006, Kuala Lumpur, 2006.
[3] Beasley, M. S., Clune, R., & Hermanson, D. R., “Enterprise Risk Management and the Internal Audit Function”. Online Available: http://www.mgt.ncsu.edu/faculty/accounting/workshop%20papers/Beasley%20workshop%20paper.pdf.
[4] Benoit, C., “Corporate Governance and Risk Management”, Price Water House Coopers, 2003.
[5] Blake, M. A., “Taking a Holistic Approach with Enterprise Risk Management”, Rural Telecommunications, vol. 22, no. 6, pp. 58-61, 2003.
[6] Bonic, LJ, Dordevic, M., “Potential of Internal Auditing in Enterprise Risk Management”, Facta Universitatis Series: Economics and Organization, vol. 9, no. 1, pp. 123-137, 2012.
[7] Committee of Sponsoring Organisations of the Treadway Commission (COSO), “Enterprise Risk Management Framework: Draft”, Online Available: http://www.enterprise_wide_risk_management+&+De+Loach+html.
[8] D'Arcy, S.P., “Enterprise risk management”, Journal of Risk Management of Korea, vol. 12, no. 1, pp. 207-228, 2001.
[9] Davenport, E.W. & Bradley, L.M., “Enterprise risk management: A consultative perspective”. Online Available ://www.casact.com.
[10] Deloach, J.W., “Enterprise-Wide Risk Management: Strategies for Linking Risk and Opportunity”. London: Financial Times, Prentice Hall, 2000.
[11] Finance Committee on Corporate Governance, Malaysian Code on Corporate Governance: Securities Commission, 2000.
[12] Kleffner, A.E., Lee, R., & McGannon, B., “The Effect of Corporate Governance on the Use of Enterprise Risk Management: Evidence from Canada”, Risk Management and Insurance Review, vol. 6, no. 1, pp. 53-73, 2003.
[13] Knight, K. W., “Risk Management a Journey Not a Destination”, Paper presented at the Executive Meeting 2006, Hotel Do Frade & Golf Resort, Angra Dos Reis, Brazil, 2006.
[14] KPMG, “Strategic Risk Management Survey: A survey of contemporary strategic risk management practices in Australia and New Zealand”, Online Available: http://www.kpmg.com.au.
[15] Malaysian Code on Corporate Governance (Revised): Securities Commission, 2007.
[16] Miccolis, J., & Shah, S., “Enterprise Risk Management: An Analytic Approach”, Tillinghast-TowersPerrin Monograph. Online Available: http://www.tillingast.com.
[17] Protiviti, “Guide to Enterprise Risk Management”, Protiviti Inc., 2006.
[18] Staciokas, R., & Rupsys, R., “Application of Internal Audit in Enterprise Risk Management”, Engineering Economics, vol. 2, no. 42, pp. 20-24, 2005.
[19] The Institute of Internal Auditors, “The Role of Internal Auditing in Enterprise-wide Risk Management”, Online Available: http://www.theiia.org
[20] Tillinghast-TowersPerrin, “Enterprise Risk Management in the Insurance Industry: 2002 Benchmarking Survey Report”, Online Available: http://www.tillinghast.com
[21] Utusan Malaysia Online, “Separuh PLC Tidak Memiliki Audit Dalaman”, Online Available: http://www.utusan.com.my.
[22] Waite, B., “Managing Risk and Resolving Crisis”, London: Financial Times Prentice Hall, 2001.
[23] Walker, P.L., Shenkir, W.G., & Barton, T.L., “Enterprise Risk Management: Putting it All Together”, Altamonte Springs, FL: Institute of Internal Auditors Research Foundation, 2002.
[24] Walker, P. L., Shenkir, W. G., & Barton, T. L., “ERM in Practice”, Internal Auditor, Vol. 60, pp. 51-54, 2003.