“The effect of internal audit planning on risk factors: evidence from Yemen’s banks”

This study aims to determine the extension of implicating risk factors in strategic planning for internal audit in Yemeni commercial banks, including inherent risk factors and control risks, whether caused by internal or external influences, and focuses on the strategic purpose of internal audit. A questionnaire instrument, specifically designed for this research purposes, was distributed to 58 respondents comprising internal auditors of commercial banks, as well as auditors of the External Control Department of the Central Bank of Yemen. The study determines whether Yemeni commercial banks include internal auditing in their operational structure. It also determines the risks that internal auditors prioritize while developing their internal audit strategies. This study uses Smart PLS methodologies to evaluate the hypotheses through data analysis. The results indicate that internal audit is considered one of the important operational activities in the structure of commercial banks of Yemen, and that the planning process for internal audit largely takes into account the inherent risk factors and control risk factors, whether the audit process is carried out by internal auditors or auditors of Central Bank of Yemen.


INTRODUCTION
Internal auditing (IA) has gained considerable attention in recent years, both from accounting academics and practitioners.The Sarbanes-Oxley (SOX) legislation was particularly issued to address shortcomings in internal control systems that led to that collapse of some businesses.Perhaps, the Enron energy scandal is the most prominent example of these collapses (Behrend & Eulerich, 2019).As such, the growing interest in internal auditing has led to a shift in IA purpose from simply reviewing activities and operations to providing independent assurance to stakeholders that there are no material deviations from established policies, rules, and procedures (Onumah et al., 2016).It has also led to a focus on partnerships with management rather than emphasizing compliance as a primary goal (Erlina et al., 2020).This evolution in IA purpose has led to a parallel evolution in the nature of internal auditing, which has come to represent, according to Al-Matari and Mgammal (2019) and García-Gusano et al. (2016), a form of internal consulting activity that provides insights to the organization's management about multiple aspects of performance.This activity must be provided with high quality.
IA quality is closely linked to the risks surrounding the audit process, which have increased in recent years with the rapid developments in the contemporary business environment, particularly with regard to technology, management systems, and the flow of information systems.These risks have helped to draw the attention of many professional organizations to the risks surrounding the internal audit profession and the need to assess risk factors in the planning phase of internal audit activities and processes.For example, governmental organizations and professional bodies such as the Institute of Internal Auditors (IIA), American Institute of Certified Public Accountants (ICPA), BASEL Committee, and International Federation of Accountants (IFAC) have issued many standards and directives aimed at controlling risk levels and sources.IIA asserts that risk assessment should cover emerging risks in addition to residual risks, and that these risks should be prioritized in a variety of contexts, including corporate governance, vendor governance, cybersecurity, technology risk, regulatory risk, corruption, crisis management planning, and culture/soft control.
The interest of professional organizations in the risks associated with IA stems from the fundamental impact of these risks on IA purpose and role.This has led the Institute of Internal Auditors (IIA) to explicitly emphasize that the core role of internal audit processes in relation to risk is to provide assurance to the board of directors regarding the effectiveness of the organization's key risk management and internal control frameworks (The Institute of Internal Auditors Inc, 2009).This emphasis has created a new approach to IA, namely risk-based auditing.Erlina et al. (2020) argue that this approach ensures the effective implementation of all risk management processes and makes auditing procedures more efficient and effective.In this regard, the Internal Audit Community of Practice (IACOP) provides a theoretical framework for planning risk-based internal auditing, postulating that IA based on two dimensions: individual risks and how these risks may impact the achievement of the organization's goals, and general risk factors that may indicate a higher or lower level of risk.It can be used to set the priority that must be given to a single audit within the audit universe.
The development of a framework that includes both business risks and internal audit risks in the planning of internal audit processes is a result of the focus of the planning process on efficiency and effectiveness, the importance of focusing audit activities during the implementation phase on all critical aspects of performance, and in order to fulfill the advisory role of internal audit, which is imposed by the nature of the evolution of the audit objective mentioned above.The inclusion of risk assessment in the planning of the audit facilitates the transition from the traditional cyclical audit methodology to the risk-based audit methodology, where risk assessment is a means of estimating potential risk factors.Given the relationship between risks and the nature of the activity, financial and banking activities can be among the most economically exposed to risks of various types.These risks increase in developing countries with the decline in the level of economic infrastructure, the spread of corruption, and the decline in the effectiveness of the supervisory role and the efficiency of those who carry it out.Based on the focus of internal audit on risk presented above, this study attempts to examine the role of planning the audit process on risk factors as applied to Yemeni banks as one of the least developed countries, which suffers from political, economic, and civil war crises that make risk factors more obvious and impactful.
In the context of internal audit in Yemeni banks, there are two subgroups related to the internal audit functions of commercial banks: internal auditors of commercial banks, and auditors of the Central Bank of Yemen.This gives rise to an objective for this study, namely, whether there is an effect of the internal audit entity and location on the role of the audit in identifying risk factors.On the other hand, the study of audit risks requires an examination of these risks in the Yemeni work environment.Therefore, a risk assessment model is used, dividing internal audit risks into the main components as inherent risk factors and control risk factors.While the size of this model may be smaller compared to the broader idea of risk assessment in internal audit processes, it appropriately addresses another objective within the scope of this research.

LITERATURE REVIEW AND HYPOTHESES
This section focuses on the evaluation of risk factors conducted by internal auditors.The research conducted in this study specifically addresses two aspects: identifying risk factors and their impact on internal audit planning.It is important to note that a risk matrix was not utilized in this study; instead, the focus was on the identification and analysis of risk factors.However, the previous studies have overlooked risk factors, which is an essential step of internal audit planning.Some studies assert that a riskbased approach is important for increasing the effectiveness of internal audits; on the other hand, some other studies document that risk factors affect internal audit planning.
Commercial banks play a crucial role in the economic operations of nations and serve as fundamental pillars of their economies.Their primary purpose is to accept deposits, extend loans, and offer a range of financial services ( COSO, 2014).However, commercial banks in less developed countries suffer from many challenges to achieving their objectives, perhaps the most important of which is the volume of cash outside the economic cycle and the multiplication of the risks surrounding their activities.Thus, planning helps add value to organizations by reducing the cost of auditing and optimistic utilization of resources.It also focused on most risk aspects, as well as the improved efficiency and effectiveness of auditing.
Besides, the importance of internal audit planning appears in professional organizations concerned with planning internal auditing, where IIA issued two paragraphs related to planning (The Institute of Internal Auditors Inc, 2017).Regarding the importance of internal audit planning in banks, the Basel Committee issued the first report, which asserts the importance of planning (Basel, Principles 11).
With regard to the basic principles of planning, the Committee Audit County Ohio report (Committee Audit County Ohio, 2003) came up with a set of basic principles of internal auditing that should be considered during planning, as follows: 1) attention must be directed toward excluded cases and circumstances, which means the undoing cycle auditing system shifts to concern more risks; 2) adopting an approach that allows limited financial human resources that prevent auditing all activities (100%); 3) taking into account pervious auditing that executed by others; 4) using assessment risk to classification audit universe emphasis the understanding for internal control system; 5) perceiving that there are inherent risks and determinants related to any method of audit for determining priorities, it is necessary to periodically assess risk factors in order to improve audit planning; 6) risk factors used in selecting the type of auditing must be designed in parallel with the objectives of auditing.
The internal audit planning process is intricate because of its involvement with various objectives, aspirations, and stakeholder preferences.Additionally, the rapid pace of change necessitates a shift in the objectives of internal audits from confirmation to consultation.Given that risks play a crucial role in shaping the structure, substance, and extent of the audit plan, it is imperative for the internal audit plan to encompass and tackle diverse hazards while also considering adaptability and anticipated benefits for management.
Internal audit risk is a significant matter that should be taken into consideration when planning internal audits.Due to its impact on planning, especially when internal audit resources are limited, the standard SIAS No. 9 obligates a chief internal audit to distribute resources based on an internal audit risk assessment.
Atmanegara et al. ( 2021) provide empirical evidence supporting the significance of risk-based internal audits in mitigating the occurrence of fraud as a business risk.According to a research conducted by Tamimi (2021), the primary objective of risk-based internal audit planning is to evaluate risk management and verify the effectiveness of risk management procedures in assessing risk.Griffiths (2015) similarly affirmed that the risk-based internal audit process is an auditing approach that aims to ascertain the adequacy and efficacy of controls pertaining to risk management.The different classifications of risks faced by commercial banks and their levels of exposure to risks make it necessary to formulate potential risks in an appropriate model from the perspective of internal audits.The audit risk model, which classifies risks into three groups: inherent risks, control risks, and detection risks, is sufficient for the purposes of this study, with a focus on the first and second types when planning audits in developing countries for the aforementioned reasons.
These observations lead us to answer the following aim: this current study is to study the condition of planning internal auditing in commercial banks operating in Yemen.
Thus, the following hypotheses are tested: H1: Internal audit planning has a significant positive effect on inherent risk factors.
H2: Internal audit planning has a significant positive effect on control risk factors.

Sampling and data collection
The survey items included in this study were sourced from the International Internal Audit Standards (IIAS).The items were subject to minimal modifications to align them with the perspective of internal auditors in Yemen.Given that the participants consisted of Yemeni residents, and the first IIAS were devised in English, an Arabic iteration of the survey instrument was created to enhance the response rate and facilitating comprehension for the respondents.A total of 80 items were produced and subjected to a face validity assessment by four professors affiliated with two institutions in Yemen.Following their evaluation, it was advised that six items should be excluded, resulting in a revised survey questionnaire that included 74 items.Prior to the administration of the survey, a random sampling method was employed to select a group of 16 internal auditors for participation.According to the participants, the questionnaire was comprehensible and could be completed in less than 15 minutes.
The questionnaire has an "Introduction" section that comprises a series of inquiries designed to gather demographic information pertaining to the participants of the research.Next comes section 2, which provides an overview of the key aspects of the planning process of internal audits in commercial banks operating in Yemen.The third section of the study consisted of 60 items designed to examine the influence of risk factors on the planning of internal audits.These items were further split into two parts, inherent risk factors and control risk factors, with 30 questions allocated to each category.Furthermore, it categorized the control risk factors according to the components of the control system in banks, as outlined by the Basel Committee.These components include supervision and administration, risk assessment, control actions, information, and communication.
All the aforementioned parts were constructed on an ordinal scale, with the exception of the initial section, which employed the Likert scale known as "Group Ranking" (Aladimi, 2010).The Likert scale consisted of the following answer options: strongly agree (5), agree (4), partially agree (3), do not agree (2), and do not agree at all (1).The present study employed the square root of the stability coefficient to assess the validity of the questionnaire, which is contingent upon performing a stability test simultaneously.

Reliability
The reliability analysis used three common metrics to assess the reliability of the measurement models, as recommended in the literature (Hair et al., 2017;Henseler et al., 2009).As shown in Table 3, Cronbach's alpha evaluated the internal consistency between the indicators of each construct.Values above 0.7 indicate adequate reliability, with higher values demonstrating greater consistency (Hair et al., 2017).All constructs met or exceeded the 0.7 threshold, with alpha values ranging from 0.745-0.909,providing evidence of good internal consistency.Second, composite reliability considers the varying indicator loadings, with values above 0.7 considered satisfactory (Henseler et al., 2009).Composite reliability for the constructs ranged from 0.851 to 0.932, exceeding the recommended level and supporting the reliability.Finally, the average variance extracted (AVE) represents the amount of variance captured by the construct versus attributed to measurement error.The literature suggests that AVE should meet or exceed 0.5 (Hair et al., 2017).The AVEs ranged from 0.564 to 0.735, which surpassed the standard.

RESULTS
In summary, the results across all the three-reliability metrics indicated that the measurement models demonstrated adequate reliability.This provides confidence that the indicators consistently measure the same latent variables to which they are assigned.Establishing reliability is crucial for yielding valid results when analyzing structural model relationships (Henseler et al., 2009;Hair et al., 2017).

Validity
The assessment of construct validity involved the examination of discriminant validity using the Fornell-Larcker criterion and cross-loadings.The findings of the Fornell-Larcker criteria analysis, which was conducted to evaluate the discriminant validity of the constructs, are presented in Table 4. Discriminant validity pertains to the degree to which a particular construct is genuinely separate and distinguishable from the other constructs within the given model.The Fornell-Larcker criterion involves the comparison of the square root of the average variance extracted (AVE) with the inter-construct correlations.
To establish discriminant validity, it is necessary for the square root of the Average Variance Extracted (AVE), as indicated on the diagonal, to surpass the correlations with other constructs, as represented by the off-diagonal parts.As seen in Table 4, the square root of the Average Variance Extracted (AVE) for each construct (highlighted in bold on the diagonal) surpassed its correlations with other constructs.An illustrative example is the average variance extracted (AVE) for internal audit planning, which is calculated to be 0.656.The square root of 0.656 is approximately 0.810.This figure surpasses the correlations of internal audit planning with control risk factors (0.261) and inherent risk factors (0.351).This pattern is applicable to all structures.
The findings presented in this study offer empirical support for the notion that each concept exhibits a greater degree of shared variation with its own indicators than other constructs.The fulfillment of the Fornell-Larcker criterion and the endorsement of the discriminant validity of the measurement models are shown in this evidence (Hair et al., 2017;Henseler et al., 2009).The establishment of discriminant validity demonstrates that the concepts being measured are unique in terms of their underlying ideas.

Inherent risk factors
Internal The analysis of indicator cross-loadings is shown in Table 5 to further evaluate the discriminant validity of the measurement models.Cross-loadings assess the correlations between each indicator and all constructs within a given research study.To achieve sufficient discriminant validity, it is imperative that each indicator exhibit a higher loading on its designated construct than on other constructs, as stated by Hair et al. (2017).
As seen in Table 5, all indicators load most strongly on their associated constructs (in bold) compared to the other constructs.For example, B6 loads 0.835 on internal audit planning, compared to 0.359 on inherent risk and 0.244 on control risk.C7 loads 0.710 for inherent risk versus 0.227 for internal audit planning and 0.346 for control risk.L4 loads 0.905 on control risk compared to 0.197 on internal audit planning and 0.424 on inherent risk.
This pattern holds across all indicators, demonstrating that each item loads more highly on the appropriate construct.Cross-loadings provide additional evidence of discriminant validity and show that the indicators are appropriately mapped to distinct constructs (Hair et al., 2017).The rightmost column shows the VIF values that assess collinearity.All VIFs were well below the five thresholds, indicating that collinearity was not an issue (Hair et al., 2011).
In summary, the measurement model demonstrated adequate reliability and convergent and discriminant validity.

Structural model evaluation
The major findings derived from the analysis of the structural model, which examined the proposed links among the constructs, are shown in Table 6.
Two hypotheses have been examined as follows: H1: Internal audit planning has a significant positive effect on inherent risk factors.
H2: Internal audit planning has a significant positive effect on control risk factors.
The structural model analysis yielded path coefficients (B), estimating the relationships and their statistical significance based on the bootstrapping procedure.For H1, the path coefficient was 0.351 and was significant at p < 0.01.This supports the idea that internal audit planning positively influences inherent risk factors.For H2, the path coefficient is 0.261, which is significant at p < 0.05.The predictive power of the model was examined using the R 2 and Q 2 values.
For inherent risk factors: tive capability.This finding provides evidence that the internal audit planning process has a favorable impact on intrinsic risk factors.Furthermore, the study has discovered a favorable correlation between internal audit planning and the control of risk variables.

DISCUSSION
Considerable emphasis has been placed on the significance of risk assessment in the context of internal audit planning, as evidenced by notable legislations, such as IIAS and BASEL.While these legislations mandate the application of Risk-Based Internal Audit (RBIA) by internal auditors, it is worth noting that certain firms have not yet implemented RBIA.However, a study conducted by Allegirni and D'onza (2003) revealed that approximately 67% of Italian firms adopted a risk-based approach.Koutoupis and Tsamis (2009) discovered that Greek banks lack formal integration of risk assessment into the process of internal audit planning.The initial inquiry focused on determining whether commercial banks in Yemen implemented internal audit practices.Based on the findings of this study, it is evident that internal auditors employed in commercial banks in Yemen place significant emphasis on conducting internal audits.However, it is noteworthy that the risk assess-ment step is ranked tenth out of a total of 14 steps.This can be attributed to auditors' lack of awareness of their subconscious engagement in the practice of risk assessment.Furthermore, it is worth noting that there is a statistically significant disparity in the viewpoints of the sample population in favor of commercial banks, as determined by the workplace variable.This suggests that some procedures were overlooked by the observers of the central bank.The primary field survey encompasses two steps: evaluating the efficiency and experience of the auditing team for distribution, and assessing the required financial expenditures.Besides, it involves estimating the necessary costs of experts and consultants.The observed discrepancy arises from the fact that central bank observers either fail to adhere to International Accounting Standards (IAS) and Basel principles or depend on prior audit records.Subsequently, an examination is conducted to explore the correlation between risk indicators and decision-making processes in internal audit planning.Several studies indicate that internal auditors are influenced by elements related to fraud risk of fraud (Asare et al., 2008;Norman et al., 2010).Additionally, some studies have indicated that the utilization of risk management strategies such as risk assessment matrices may enhance the efficacy of risk assessment by evaluating a comprehensive range of criteria (Saruhan, 2017;Tay, 2017).

CONCLUSION
This study aimed to assess the extent to which risk variables are included in the planning process of internal audits conducted by commercial banks in Yemen.The results from the analysis of the impact of risk factors indicate that planning an internal audit is highly influenced by assessing risk factors.To be precise, the results asserted that internal auditors are affected by control risk factors more than they are affected by inherent risk factors.Besides, in accordance with the survey responses, CR factors can be ranked based on the components of the internal control system as follows: control activities, environment control, information, and communication.Besides, the results showed no statistically significant difference between the survey responses based on workplace variables; otherwise, the internal auditor and central bank observer are influenced by risk factors.It is noteworthy that this study has limitations.One such limitation is the geographical scope.It was implemented in Yemen, which is a relatively small environment, implying that there might be a need for a larger geographical scope to conduct this study in another country with a bigger banking sector.Besides, this study only dealt with two components of internal audit risk; it did not consider the detection risk factors.Besides, this topic has not been studied in Islamic banks.
Finally, this study limited itself to the banking sector only.

Table 3 .
Reliability results

Table 6 .
Structural model path coefficients and significance

Table 7 .
Model goodness, predictive relevance, and model fit 2) where SSE = sum of squared errors = 221.301(fromoutput); SSO = sum of squared observations = 232 (from output).R-squared (R 2 ) values represent the variance in the endogenous constructs (control and inherent risk factors) explained by the model.R 2 values of 0.068 and 0.123 indicate that the model explains 6.8% and 12.3% of the variance in the control and inherent risk factors, respectively.The findings of the structural model offer empirical evidence in favor of the linkages proposed in the study model.The model has a sufficient predic-Figure 2. Path coefficient Banks and Bank Systems, Volume 19, Issue 3, 2024 http://dx.doi.org/10.21511/bbs.19(3).2024.05