The Influence of Sustainable Risk Management on the Implementation of...

[Full title: The Influence of Sustainable Risk Management on the Implementation of Risk-Based Internal Auditing]

Citation: Almgrashi, A.; Mujalli, A The Influence of Sustainable Risk Management on the Implementation of Risk-Based Internal Auditing Sustainability 2024 , 16 , 8455. https:// doi.org/10.3390/su 16198455 Academic Editor: Danail Hristozov Received: 29 July 2024 Revised: 13 September 2024 Accepted: 27 September 2024 Published: 28 September 2024 Copyright: © 2024 by the authors Licensee MDPI, Basel, Switzerland This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https:// creativecommons.org/licenses/by/ 4.0/) sustainability Article The Influence of Sustainable Risk Management on the Implementation of Risk-Based Internal Auditing Ahmed Almgrashi and Abdulwahab Mujalli * Department of Accounting and Finance, College of Business, Jazan University, Jazan 45142, Saudi Arabia; aalmgrashi@jazanu.edu.sa * Correspondence: amujalli@jazanu.edu.sa Abstract: Risk management exerts a significant influence on the competitiveness of an organization and its operational processes. It presents opportunities for expansion, foresight, and the need to promote sustainability. Many organizations have executed comprehensive risk management processes. Moreover, internal audit has increasingly attracted managers’ attention, forming the basis of modern governance methods. The aim of this study is to examine, from the viewpoint of the agency, the impact of the role of internal auditors, training in risk management, and management support on risk management. Following this, the work examines risk management in terms of the risk-based auditing implementation that is performed by Saudi public organizations. This study encompassed 234 completed and therefore valid questionnaires from the manager and assistance of the internal audit department, internal auditors, accountants, and managers employed in Saudi public organizations. The data collected have been analyzed utilizing Smart Partial Least Squares (SmartPLS). This study’s findings confirmed that there is a significant association between the role of internal auditors in risk management, training in risk management, and between management support and risk management. There is also a significant association between risk management and the implementation of risk-based internal auditing. This study’s findings have significant ramifications for those in charge of public-sector organizations, and sustainability, aiming to enhance the dependability and trustworthiness of the internal audit process and other aspects of financial reports and audits in general. Currently, there is a dearth of published research on the factors that influence risk management and also on risk-based internal auditing. This study contributes to the emerging literature on this subject by examining Saudi public organizations; it also establishes empirical variables through a thorough review of relevant research. Conducted here is an empirical investigation that identifies the factors that affect risk management and then its influence on riskbased internal auditing implementation in the economic system of Saudi Arabia. By focusing on Saudi public organizations, this article highlights other countries that have similar systems of governance rules and procedures in their government-operated entities Keywords: internal auditors’ role; risk management training; management support; public sector; risk management; risk-based internal audit; Saudi Arabia 1. Introduction The importance of sustainable risk management and risk-based internal auditing has grown significantly in the contemporary economic, environmental, and social context [ 1 ]. According to Jim é nez et al. (2024) [ 2 ], the dynamic changes occurring in the environment wield a substantial influence on the financial stability, market trust, and reputation of organizations. Consequently, there is an urgent requirement to integrate sustainability principles into business plans. Business enterprises encounter persistent ambiguity, making it necessary to adopt a sustainable strategy for risk management that not only tackles current obstacles but also guarantees enduring adaptability [ 3 , 4 ]. When implemented in a sustainable way, strategic risk management enables firms to effectively reduce uncertainties Sustainability 2024 , 16 , 8455. https://doi.org/10.3390/su 16198455 https://www.mdpi.com/journal/sustainability

Sustainability 2024 , 16 , 8455 2 of 22 and attain their objectives while optimizing value [ 5 ]. By incorporating sustainability principles into the framework of risk management, organizations may effectively mitigate the build-up of residual risks that can potentially escalate beyond manageable levels, exposing future stability to significant threats. Following Jim é nez et al. (2024) [ 2 ], the implementation of sustainable risk management practices contributes to the enhancement of the competitive advantage of an organization through the facilitation of development possibilities, proactive preparedness, and the establishment of a resilient reaction to economic, political, and social challenges. Lois et al. (2021) [ 6 ] argue that the use of risk-based internal auditing serves to reinforce the sustainable method by harmonizing auditing procedures with sustainability objectives, so enabling organizations to maintain their flexibility and robustness in a dynamic setting Thus, risk management has become widely accepted as a crucial tool for recognizing, evaluating, and mitigating the diverse risks that organizations regularly encounter [ 5 – 7 ]. In this modern world, the reality that organizations function in highly unpredictable settings or business markets means that it is necessary to devise and execute policies that enable them to manage risks in a timely and effective way [ 3 , 6 ]. Risk management is deemed to be a contemporary approach to organizational administration that links an organization’s strategy with the administration of daily processes within which risks can appear [ 5 ]. It is acknowledged as an essential basis for developing all-encompassing organization management processes [ 7 ]. In a similar vein, an internal audit offers a perspective independently and objectively to the management of the organization regarding how adequate its risk management practices are [ 8 ]. The main goal of an internal audit is to evaluate the workplace operations of organizations, as well as evaluate the diverse risks they encounter [ 9 ]. From this perspective, internal audit could be seen as an ever-changing procedure that adapts to the evolving external and internal conditions of a workplace [ 6 , 7 ]. This has resulted in the need to revamp strategies that are essential for risk management effectiveness. Summarizing the previous point, internal audit can be viewed as a crucial instrument for risk management However, the occurrence of organizational failures underscores the inability of organizations to recognize the risks linked to their strategic endeavors [ 10 ]. Given that risks pose a danger to the long-term viability of institutional entities, it is of utmost importance to effectively manage risks. The function of internal auditing has significantly changed its methods due to alterations in organizations’ environments, technological advances, and regulatory/legislative frameworks [ 5 ]. In due course, the implementation of risk-based internal auditing processes will expand the range of internal operations to include the complete monitoring of all aspects of the organization [ 6 , 7 ]. Essentially, organized riskbased internal audit procedures firstly, enhance the supervision duties and responsibilities undertaken by internal auditing; and secondly, ensure sufficient audits of critical activities and operations are carried out The risk-based internal auditing implementation highlights the significance of assessing the risks associated with both operational and strategic goals [ 3 , 5 , 11 – 13 ]. The function of internal auditing is to, firstly, evaluate risks in a comprehensive and thorough manner rather than examine issues in isolation [ 6 ]; and secondly, integrate standardized procedures for risk evaluation into yearly planning for auditing purposes [ 11 – 13 ]. The absence of comprehensive monitoring and ineffective evaluation of risks at both the strategic and operational levels results in inadequate identification and assessment of risks at these levels within the audit universe. Furthermore, the failure to consistently execute risk-based auditing approaches across all internal audit procedures will result in internal audit functioning to evaluate the state of internal control instead of the degree of risk involved [ 5 , 7 ]. Furthermore, Lois et al. (2021) [ 6 ] propose that the selected auditing method might influence the quality of internal audit work that is carried out. In the end, inadequate adherence to standardized auditing methods and discrepancies can ultimately lead to insufficient audit coverage of critical risk areas and poor execution of auditing tasks [ 6 ]. However, more organizations worldwide are putting into place comprehensive risk management proce-

Sustainability 2024 , 16 , 8455 3 of 22 dures. It is evident that internal audit has increasingly attracted managers’ attention, and has become the basis of modern governance systems. The aim of this study is to examine the impact of the role of internal auditors, training in risk management, and management support for risk management. Then, this paper examines risk management in terms of risk-based auditing implementation carried out by public-sector organizations in Saudi Arabia Public-sector organizations play a significant role in the economy of developing nations like Saudi Arabia. The government, via its ministries, departments, and agencies, significantly guides and shapes the success of other sectors of the economy and entities operating in them. For this reason it is important to establish oversight mechanisms to guarantee that government budgets are utilized for their intended purpose [ 14 ]. According to a basic agency theory, principals (in this case, the government) lack confidence in their agents (the managers of agencies, units, departments, ministries, etc.) due to differences in the desired information and self-interest. The ideal situation is to address these problems by ensuring that the agent’s interests are in line with the proprietor or owner of the system, by minimizing the potential for differences in received information and dishonest behavior or acting for only one’s personal interests. Consequently, numerous governments around the world have adopted audits as a means of diminishing or better controlling expenditures in the public sector. Internal audits play a crucial economic function and are crucial in serving the public interest by enhancing transparency and bolstering confidence and trust in financial reporting [ 15 ]. Furthermore, the importance of internal auditing in public-sector organizations should not be ignored, since it is closely linked to budgetary control, sound governance and policy positions, and efficient financial control [ 14 ]. Consequently, this study highlights the significance of internal auditing in enhancing risk management. Internal auditing plays a vital role in issues such as risk evaluation and reduction, adherence to standards and regulations, identifying and avoiding instances of fraud, monitoring and reporting, and ongoing enhancement [ 6 , 7 , 16 – 18 ]. Weekes-Marshall (2020) [ 19 ] states that examining and evaluating financial procedures, control mechanisms, and independent assurance can significantly improve the quality of financial reporting While extensive research has been carried out on risk-based internal audits in both advanced and emerging economies [ 5 , 6 , 13 , 20 ], there is an absence of analysis specifically focused on this topic in Saudi Arabia [ 21 , 22 ]. Saudi Arabia was one of the pioneers in introducing internal auditing operations in public organizations in its part of the world (AL- Rbai, 2020), but a significant number of departments of internal auditing in Saudi public organizations are not active [ 15 , 21 ]. It was stated a few years ago by Almahuzi (2020) [ 21 ] that numerous public organizations in Saudi Arabia in fact lack audit committees The insufficient research on auditing functions and their impact on public organizations in Saudi Arabia emphasizes the need for work to be done in this area [ 23 ]. Some studies [ 6 , 7 ] highlighted the significance of the internal auditor in reducing risks and improving risk management procedures. Meanwhile, Al-Taee and Flayyih (2023) [ 24 ] and Mujalli (2024 a) [ 7 ] identified a research gap in the correlation between the internal auditor’s roles and risk management procedures in the public sector. Also Lois et al. (2021) [ 6 ] advised that it is important to investigate the issue of training in risk management in different sectors. In their recent work, Hazaea et al. (2023) [ 25 ] identified a research gap in the correlation between management support and risk management. Based on the above discussion, the researcher asserts that the problem revolves around identifying the role of internal auditing, training, and management support in improving risk management and improving risk-based internal auditing in Saudi public organizations This study provides numerous original contributions to the existing body of research on risk management and risk-based internal auditing. Initially, this paper presents new evidence pertaining to a developing economy. This study adds to a deeper comprehension of the aspects associated with risk management and their impact on the execution of risk-based internal auditing. Furthermore, this analysis illuminates other nations with comparable governance systems by specifically examining the Saudi public organizations

Sustainability 2024 , 16 , 8455 4 of 22 setting. This work offers valuable insights into situations when the Type 2 agency issue is present 2. Literature Review and Hypotheses Development 2.1. The Theoretical Framework Several comprehensive theories have been established to analyze the importance of auditing in public-sector organizations. Oppong et al. (2023) [ 26 ] emphasize the significance of agency, managerial control, signaling, governance, and verification frameworks, among other factors. They contend that agency theory, which was formulated and advocated by Eisenhardt (1989) [ 27 ], Fama and Jensen (1983) [ 28 ], Mitnick (1973) [ 29 ] and Ross (1973) [ 30 ], has proved to be widely popular as a theoretical framework. These authors assert that both empirical and historical evidence strongly support the theory. According to agency theory, the divergence in ownership and power that is evident among shareholders and owners/managers results in moral hazard, differences in risk preferences, and unequal access to information [ 27 , 28 ]. Subsequently, the objective of well-constructed information systems, control machines, and supervision systems is to reduce agency costs and provide the greatest possible advantage to all parties involved [ 27 ]. From the agency’s viewpoint, the key goal of the internal audit is to report on and evaluate the activities and decisions made by management in implementing plans, attaining performance goals and ensuring sustainability, especially where financial inputs are concerned [ 5 ]. Implementing structured risk-based auditing methods as part of internal auditing will efficiently identify and reduce risks associated with strategies, while also ensuring that management behavior is in line with all relevant stakeholders’ interests 2.2. Risk-Based Internal Audit Internal auditing is crucial in the world’s contemporary economies to safeguard organizations from a host of risks [ 31 ]. Risk-based internal audit enhances the value and internal auditing efficiency by necessitating a deeper comprehension of its procedures to effectively fulfil stakeholders’ requirements [ 6 ]. Risk-based internal auditing is implemented to prioritize risk management. This guarantees that, firstly, potential risks that may hinder strategic objectives are promptly discovered and assessed; and secondly, the risk management approach and internal control approach operate effectively. By embracing this approach, the allocation of audit resources is optimized, resulting in improved quality of data that are collected, while minimizing the number of audit procedures that are required [ 7 ]. By concentrating on business risk, organizations can enhance their protection against risk. This can be achieved by implementing structured processes for risk evaluation that encompass all procedures, employing well-organized internal audit planning approaches, and regularly assessing the efficacy of the procedures for risk management and internal audit [ 5 , 11 , 13 ]. 2.3. The Role of Internal Auditors in Risk Management Agency theory suggests that internal auditing is essential for effective company governance. Previous research has determined that possessing comprehensive knowledge of organizations’ operations and the capacity to identify and assess potential risks are crucial skills for implementing risk-based internal auditing properly [ 5 , 6 ]. Risk-based internal auditing is a well-respected technique that has emerged out of internal auditing and is strongly related to risk management. How well a country’s risk management system works determines what an internal auditor is responsible for. A more organized system for managing risks may be put in place when the focus is on improving internal audits, which raises control awareness [ 6 , 7 ]. As part of their yearly audit strategy, internal auditors use results from risk assessments to enhance how well organizations perform In order to conduct effective audits, internal auditors must be vigilant in their pursuit of operational and strategic risks. Internal audits have the potential to increase the organization’s value by identifying and mitigating strategic risks and providing senior management

Sustainability 2024 , 16 , 8455 5 of 22 with timely insights [ 32 ]. An essential criterion is the execution of comprehensive audits by internal auditors, who must acknowledge and comprehend strategic goals as well as the goals of crucial business activities [ 5 , 16 ]. Recent studies conducted by Lois et al. (2021) [ 6 ] and Mujalli (2024 a) [ 7 ] indicate that internal auditors should prioritize the sufficiency and efficacy of risk management mechanisms. This has to be done in order to enhance awareness of risks, correspond internal audit with operational strategy, enhance control procedures, and improve the effectiveness of organizational activities. Based on the above argument the following research hypothesis is formulated: H 1. There is a significantly positive association between the role of internal auditors and risk management 2.4. Training in Risk Management Agency theory contends that internal auditing plays a crucial role in governance, especially as a monitoring mechanism. Previous research strongly suggests that developing organizational expertise and understanding the organization’s hazards are both important skills for improving risk management [ 6 ]. Internal audits can be advantageous to companies in developing an audit system that emphasizes risk management because proper risk management training has been carried out; it is needed based on the links between internal audit and risk management. Several years ago, Arena and Azzone (2009) [ 33 ] stated that compared to external auditors, internal ones have a better knowledge of the aspects that affect a company’s performance, identify possible risk concerns, and ensure that the line managers do their jobs properly or are able to implement the auditor’s recommendations. Essential functions of the internal auditors such as improving the internal audit quality and risk management cannot be assigned to employees because they are not trained for this role Furthermore, consulting and assurance services are about the monitoring, assessment, and improvement of processes [ 5 ]. It is vital for the firm’s management to learn different methods of risk identification and evaluation, such as the threat of deceiving others, as such training is a part of risk management. The present study is limited to highlighting the fact that risk-based internal auditing is a combined and systematic network inside the establishment, which enhances how such auditing is supposed to operate [ 34 ]. Staff risk management training is another characteristic that has been recognized as having a positive and significant association with the quality of an organization’s internal control system [ 35 ]. Risk management education helps workers notice risks to the company that may arise from compromised internal controls [ 6 , 7 ]. Based on the above, the following research hypothesis is formulated: H 2. There is a significantly positive association between risk management training and risk management 2.5. Management Support in Risk Management Agency theory emphasizes the importance of self-interest within an organizational context. It plays a significant part in the established system for management oversight. Organizations can invest in an oversight mechanism to monitor and prevent opportunistic managers [ 36 ]. The role of management support in risk management is crucial and has a substantial impact on the success of risk management procedures [ 7 ]. Prior studies highlight the importance of proactive and consistent support from senior management in order to cultivate a culture that is aware of risks and to guarantee the effective application of risk management systems [ 3 , 37 ]. This support is demonstrated in numerous ways, for instance providing the resources that are necessary, approving risk management legislation, and actively engaging in risk evaluation and reduction activities [ 7 , 38 ]. Research has demonstrated that when management actively participates and demonstrates dedication to risk

Sustainability 2024 , 16 , 8455 6 of 22 management, it results in improved detection and control of risks [ 37 ], hence strengthening the general resilience of the business. Moreover, the support of management is crucial in inspiring staff and other stakeholders to comply with risk management procedures and actively participate in ongoing improvement endeavors [ 7 ]. With reference to the above discussion, the third hypothesis is suggested here: H 3. There is a significantly positive association between management support and risk management 2.6. Risk Management Agency theory asserts that in order to coordinate and oversee managerial activities and choices, many businesses use a variety of organizational rules and regulations. The risk management system’s formalization shows that management is committed to using the right structures and procedures for risk management [ 5 – 7 , 11 , 39 ]. Additionally, according to Lois et al. (2021) [ 6 ] and Woods (2007) [ 40 ], having a codified risk management system increases risk awareness within an organization or business company. It therefore stands to reason that as risk management systems become more sophisticated, internal audit departments will become more involved in risk assessment processes, for instance risk workshops and control and risk self-evaluation [ 3 , 40 ]. The level of risk management execution also determines the type and level of internal audit engagement with risk evaluation activities [ 5 ]. An organized method for managing risks lays a solid groundwork for conducting audits based on those risks, according to earlier studies. The following research hypothesis is formulated based on the argument outlined above: H 4. There is a significantly positive association between risk management and risk-based internal auditing 2.7. Risk Management as Moderator In the realm of modern governance, risk management has become a vital component in guaranteeing operational effectiveness and resilience [ 5 , 7 , 11 ]. The internal auditor’s role in the organization is crucial, as that person is responsible for discovering, evaluating, and minimizing any frauds or risks that may impede organizational goals [ 6 ]. Providing auditors with proper risk management training is crucial, since it enables them to acquire the necessary competencies and information required to effectively identify and assess company risks or dangers [ 7 ]. Moreover, what is crucial is the management’s commitment to risk management strategies and activities, because this cultivates a culture of risk consciousness and supplies the required resources for efficient risk reduction techniques [ 3 ]. By implementing risk-based internal auditing, the business can allocate resources according to its risk profile, thereby improving the overall quality of internal audits [ 6 , 7 ]. This comprehensive approach emphasizes the significance of a harmonious connection between management support, internal auditors, training, and riskor internal-based auditing. With this in mind the following research hypotheses are formulated: H 5. Risk management mediates the association between the internal auditors’ role and risk-based internal auditing H 6. Risk management mediates the association between training in risk management and risk-based internal auditing H 7. Risk management mediates the association between management support and risk-based internal auditing.

Sustainability 2024 , 16 , 8455 7 of 22 3. Research Design 3.1. Data Collection Procedure The present study’s research approach is cross-sectional, using primary data collected utilizing a questionnaire survey. Each participant in this survey responded to a standardized set of questions in which the circumstances were the same [ 31 , 41 ]. Sekaran and Bougie (2016) [ 42 ] consider the questionnaire to be the most essential and efficient method for collecting data. As well, Oppenheim (2000) [ 43 ] emphasizes one advantage of employing a questionnaire: it allows respondents to independently reflect on their replies, resulting in more immediate answers compared to those obtained through interviews. Moreover, Saunders et al. (2019) [ 44 ] propose that conducting a questionnaire survey makes it ideal to gather a significant amount of data from a specific sample of the population. The present study involves a large population and requires the collection of an enormous quantity of data from Saudi public organizations, the objective being to investigate the factors influencing risk management and how it in turn influences risk-based internal audit implementation Before distributing questionnaires to respondents, a pre-test was conducted. The aim of the pre-test was to assess the validity of the factors in the survey, ensuring that the material was properly expressed, legitimate and that the questions were rational or logical. Nine individuals were selected, four of whom had previously worked as internal auditors in public organizations, while the remaining five had academic backgrounds in accounting and auditing. The preliminary feedback assists in improving the content of the survey. During the pre-test, the researchers distributed survey questionnaires to individuals who had shown interest. Only 241 out of the 500 surveys were returned, which amounts to less than half. The existing study employed a total of 234 survey questionnaires for the final analysis, due to seven having shown erroneous data so they could not be used for the analysis 3.2. Questionnaire Development A comprehensive study assessment was conducted to ascertain the measures of the variables involved in the analysis. Table 1 displays the inclusion of 20 questions in the conceptual model, which were used to gather structured data. Each item was assessed using a Likert scale of five points, with 1 representing strong disagreement and 5 representing strong agreement Table 1. Construct and item measurement Construct Code Item Measurement Dependent Variable RBIA 1 “Risk-based internal audit enables periodic evaluations of the internal audit procedures” [ 5 , 6 ] Risk-based internal audit RBIA 2 “Risk-based internal audit enables the internal audit to meet shareholders’ demands and needs” RBIA 3 “Risk-based internal audit contributes to a better understanding of internal audit processes” RBIA 4 “Risk-based internal audit leads to a more efficient determination of resources for internal auditing”

Sustainability 2024 , 16 , 8455 8 of 22 Table 1. Cont Construct Code Item Measurement Independent Variables IAR 1 “Internal auditors comprehend the strategic objectives and operational goals” [ 6 , 16 , 32 ] The role of internal auditor in risk management IAR 2 “Internal auditors entailed the inclusion of risk assessment results in annual plans for internal auditing” IAR 3 “Internal auditors evaluate the threat of inherent risks to the objectives of key functions of business and the following amendment of audits” IAR 4 “Internal auditors give timely information to senior management regarding threats to the sustainability of the organization, and carry out assessments” IAR 5 “Internal auditors assess reports concerning the efficiency of the system of internal auditing” IAR 6 “Internal auditors assess reports concerning the efficiency of risk management” The training in risk management TRM 1 “The training in risk management helps with the formation of an audit system that is dependent on risk management” [ 6 ] TRM 2 “The training in risk management helps with the documentation and evaluation of work-related risks” TRM 3 “The training in risk management helps to enhance the quality of internal auditing and also the quality of risk management procedures” Management support MS 1 “Support obtained by senior management to internal auditors is measured in terms of auditors’ expectations based on risk assessments and risk-based internal auditing” [ 7 , 21 ] MS 2 “Internal auditors’ executed tasks and accountabilities are based on risk assessments and risk-based internal auditing” MS 3 “Management supports an adequate budget that allows the department of internal auditing to do its work based on risk assessments” MS 4 “Internal auditors gain adequate training in risk management as advocated by senior management” Mediating Variable RME 1 “The current processes and accountabilities of the risk management mechanisms are clearly recognized in the organization” [ 5 ] The risk management RME 2 “The existing risk manager or a separate risk management unit operates in the organization” RME 3 “The mechanism of risk management is in the organization” 3.3. Data Processing and Analyzing Data administration followed the recommendation made by Hair et al. (2019) [ 45 ]. Data were analyzed utilizing SPSS version 22 and Smart PLS version 4. Descriptive statistics analysis was conducted using several tests for the variables, including percentages, frequencies, standard deviation, and mean. An extra operation was conducted, involving the transfer of data from the SPSS system to a comma-delimited format, in order to enable the utilization of the data in Smart PLS-SEM. Employing the Smart PLS 4 program to analyze the data, precisely Partial Least Squares Structural Equation Modeling (PLS-SEM) was performed for several significant reasons. Firstly, Rold á n and S á nchez-Franco, (2012) [ 46 ], propose using PLS-SEM because it incorporates strong predictive powers in understanding a wide range of dependent variables and capturing significant variance. Secondly, PLS- SEM effectively manages both measurement and structural models concurrently and is well suited for assessing intricate path models [ 47 ]. Thirdly, it demonstrates efficacy even

Sustainability 2024 , 16 , 8455 9 of 22 when working with small sample numbers, providing dependable findings [ 48 ]. Therefore, PLS-SEM is the ideal method for conducting this study and it is a process consisting of two stages. The first stage involves evaluating the measurement model to ensure that only reliable and valid constructs are included. The second stage consists of assessing the structural model to determine the predictive relevance of the study model, the path coefficients, and the significance of proposed associations [ 49 ]. This investigation adhered to the parameters outlined in authoritative literature on PLS-SEM, utilizing the Smart-PLS 4 software [ 45 ]. 4. Results 4.1. Descriptive Analysis Table 2 summarizes the demographic characteristics of the participants of this study The majority of individuals were in the 30 to 39 age cohort, with females representing 24.8% of the sample while males constituted 75.2%. The data clearly indicated that 69.7% of the survey respondents have a Bachelor’s degree. 50% of the participants are employed as internal auditors, while 35.5% have been in this position for 10 to 14 years Table 2. Demographic profiles of respondents Category Criteria Frequency Percentage Gender Male 176 75.2 Female 58 24.8 Total 234 100.0 Age Less than 29 14 6.0 Between 30 and 39 79 3.8 Between 40 and 49 135 57.7 More than 50 6 2.6 Total 234 100.0 Educational qualification Diploma or below 33 14.1 Bachelor’s degree 163 69.7 Master’s degree 33 14.1 PhD 5 2.1 Total 234 11.0 Job title Internal audit department’s manager 24 10.3 Assistant manager of the department of internal auditing 22 9.4 Internal auditor 117 50.0 Department manager 31 13.2 Accountant 30 12.8 Employee 10 4.3 Total 234 100.0 Work experiences (Years) Less than 5 43 18.4 Between 5 and 9 69 29.5 Between 10 and 14 83 35.5 15 or more 39 16.7 Total 234 100.0

Sustainability 2024 , 16 , 8455 10 of 22 4.2. Common Method Bias Common method bias (CMB) is a common occurrence in behavioral research, as highlighted by Madawaki et al. (2022) [ 31 ] and Mujalli 2024 [ 7 ]. It presents a substantial problem when analyzing self-survey findings, as noted by Podsakoff et al. (2012) [ 50 ]. In order to curtail the influence of CMB, two methods may be deployed and these are operational and statistical. Researchers should provide assurance to participants throughout the gathering of data that their particular data are protected, following proper procedure [ 7 ]. Furthermore, it is important to provide respondents with reassurance that the survey is devoid of errors and has been formulated using uncomplicated and understandable language [ 51 ]. Statistically, Harman’s single-factor test is commonly utilized to test common method variance (CMV) [ 51 ]. Harman (1976) [ 52 ] proposed utilizing a unidimensional test to evaluate the existence of CMV throughout the constructs. The results revealed that each of the variables in the model were categorized into 20 distinct factors. However, the findings indicated that the model’s items were divided into 20 separate factors, with the first accounting for only 38.235% of the total variance, well below the 50% threshold. In addition, a comprehensive collinearity evaluation test was undertaken employing SmartPLS, a widely acknowledged and reliable approach [ 53 ]. It is endorsed by several scholars in the field of social science [ 7 ]. The value of the variance inflation factor (VIF) for all variables was found to be below the recommended threshold of 5, demonstrating that common method bias is not a concern in the present study’s data [ 53 ]. 4.3. Measurement Model Assessment To evaluate a measurement model that uses first-order reflective constructs, it is necessary to assess the reliability and validity of the constructs [ 45 ]. This examination often follows a two-step process: first, examining the reliability and convergent validity of individual items, and then analyzing discriminant validity. The reliability of an item is measured by its factor loadings, and loadings above 0.6 are regarded as acceptable [ 45 ]. Convergent validity is evaluated by measuring composite reliability (CR) and average variance extracted (AVE). For a reliable measurement of a construct to occur, the CR values should be higher than 0.7. Indicated here is that the items consistently measure the construct. Additionally, the AVE values should be greater than 0.5, suggesting that the construct explains more than half of the variance in its indicators. These guidelines are based on the research by Hair et al. (2019) [ 45 ] and Shmueli et al. (2019) [ 47 ]. Discriminant validity is assessed by verifying the uniqueness of each concept, typically through the usage of either the Fornell–Larcker criterion or the heterotrait–monotrait (HTMT) ratio The constructs RIA, MS, RBIA, RME, and TRM have been assessed for their reliability and validity, as shown in Table 3 and Figure 1 . The item loadings for each construct above the acceptable level (loading > 0.60) suggest strong item reliability. All of the VIF values are below 3, meaning that any multicollinearity problems are absent. In terms of construct reliability, the CR values for all constructions exceed 0.8, therefore satisfying the threshold of 0.7. All constructs have AVE values above 0.5, meaning that there is satisfactory convergent validity. The RIA model has a CR of 0.859 and an AVE of 0.505. The MS model has a CR of 0.895 and an AVE of 0.682. The RBIA model has a CR of 0.875 and an AVE of 0.637. The RME model has a CR of 0.919 and an AVE of 0.792. Lastly, the TRM model comprises a CR of 0.890 and an AVE of 0.731. These findings strongly suggest that the measurement model is both accurate and valid, establishing a strong basis for further study.

Sustainability 2024 , 16 , 8455 11 of 22 Table 3. Reliability and validity results Constructs Items Item Loadings VIF C rho_c AVE RIA 0.803 0.859 0.505 IAR 1 0.683 1.923 IAR 2 0.728 2.319 IAR 3 0.796 2.324 IAR 4 0.758 1.852 IAR 5 0.668 1.657 IAR 6 0.617 1.625 MS 0.842 0.895 0.682 MS 1 0.858 2.438 MS 2 0.885 2.808 MS 3 0.863 2.040 MS 4 0.682 1.392 RBIA 0.813 0.875 0.637 RBIA 1 0.806 1.598 RBIA 2 0.803 2.036 RBIA 3 0.796 2.080 RBIA 4 0.788 1.453 RME 0.869 0.919 0.792 RME 1 0.886 2.232 RME 2 0.884 2.205 RME 3 0.901 2.433 TRM 0.814 0.890 0.731 TRM 1 0.797 1.652 TRM 2 0.915 2.639 TRM 3 0.849 1.995 Sustainability 2024 , 16 , x FOR PEER REVIEW 10 of 22 model’s items were divided into 20 separate factors, with the fi rst accounting for only 38.235% of the total variance, well below the 50% threshold. In addition, a comprehensive collinearity evaluation test was undertaken employing SmartPLS, a widely acknowledged and reliable approach [53]. It is endorsed by several scholars in the fi eld of social science [7]. The value of the variance in fl ation factor (VIF) for all variables was found to be below the recommended threshold of 5, demonstrating that common method bias is not a concern in the present study’s data [53]. 4.3. Measurement Model Assessment To evaluate a measurement model that uses fi rst-order re fl ective constructs, it is necessary to assess the reliability and validity of the constructs [45]. This examination often follows a two-step process: fi rst, examining the reliability and convergent validity of individual items, and then analyzing discriminant validity. The reliability of an item is measured by its factor loadings, and loadings above 0.6 are regarded as acceptable [45]. Convergent validity is evaluated by measuring composite reliability (CR) and average variance extracted (AVE). For a reliable measurement of a construct to occur, the CR values should be higher than 0.7. Indicated here is that the items consistently measure the construct. Additionally, the AVE values should be greater than 0.5, suggesting that the construct explains more than half of the variance in its indicators. These guidelines are based on the research by Hair et al. (2019) [45] and Shmueli et al. (2019) [47]. Discriminant validity is assessed by verifying the uniqueness of each concept, typically through the usage of either the Fornell–Larcker criterion or the heterotrait–monotrait (HTMT) ratio. The constructs RIA, MS, RBIA, RME, and TRM have been assessed for their reliability and validity, as shown in Table 3 and Figure 1. The item loadings for each construct above the acceptable level (loading > 0.60) suggest strong item reliability. All of the VIF values are below 3, meaning that any multicollinearity problems are absent. In terms of construct reliability, the CR values for all constructions exceed 0.8, therefore satisfying the threshold of 0.7. All constructs have AVE values above 0.5, meaning that there is satisfactory convergent validity. The RIA model has a CR of 0.859 and an AVE of 0.505. The MS model has a CR of 0.895 and an AVE of 0.682. The RBIA model has a CR of 0.875 and an AVE of 0.637. The RME model has a CR of 0.919 and an AVE of 0.792. Lastly, the TRM model comprises a CR of 0.890 and an AVE of 0.731. These fi ndings strongly suggest that the measurement model is both accurate and valid, establishing a strong basis for further study. Figure 1. Measurement model. Figure 1. Measurement model The discriminant validity of the constructs was assessed by employing both the HTMT ratio and the Fornell–Larcker criterion. According to Table 4 , the HTMT ratio values between constructs are all below the threshold of 0.85, which means that the constructions are clearly different from each other [ 54 ]. More precisely, the maximum HTMT value recorded is 0.729 between RME and RBIA, which is inside the permissible range. The distinctiveness of the conceptions is confirmed here.

Sustainability 2024 , 16 , 8455 12 of 22 Table 4. Heterotrait–monotrait ratio MS RBIA RIA RME TRM MS RBIA 0.695 RIA 0.502 0.624 RME 0.540 0.729 0.615 TRM 0.362 0.536 0.721 0.499 The Fornell–Larcker standard provides additional proof of discriminant validity by comparing the square root of the AVE for each construct (displayed on the diagonal) with the correlations between constructs, i.e., displayed off-diagonal [ 55 ]. As displayed in Table 5 , the AVE for MS is 0.826, which is higher than its correlations with other constructs such as RBIA (0.569) and RIA (0.431). Likewise, all other structures conform to this pattern, suggesting that each structure has a greater degree of similarity with its own indicators than with the indicators of other structures. Collectively, the results show that the constructs have sufficient discriminant validity and this guarantees their conceptual distinctiveness Table 5. Fornell–Larcker criterion MS RBIA RIA RME TRM MS 0.826 RBIA 0.569 0.798 RIA 0.431 0.526 0.711 RME 0.467 0.634 0.527 0.890 TRM 0.296 0.452 0.588 0.420 0.855 4.4. The Structural Model 4.4.1. Explanatory Power of the Model The PLS-SEM results are evaluated for their explanatory ability using effect size (f 2 ), coefficient of determination (R 2 ), and predictive relevance (Q 2 ), as displayed in Table 6 . The effect size, denoted as f 2 , quantifies the magnitude of the influence that a particular external factor has on an internal factor, as defined by Cohen in 1988. Within this investigation, the dependent construct is significantly influenced by RME, which has a substantial effect size of 0.672. In contrast, MS and RIA have smaller impact sizes of 0.105 and 0.091, respectively, on RBIA and RME. The TRM study shows a very small effect size of 0.023, suggesting that it wields a minor influence on the dependent construct. The coefficient of determination (R 2 ) measures the amount of variability in the dependent variable that can be accounted for by the independent variables [ 56 ]. The RBIA model has an R 2 score of 0.402, which means that 40.2% of the variability in RBIA can be accounted for by the model. The R 2 value of RME is 0.363, revealing that 36.3% of the variability in RME can be accounted for by the model Table 6. Explanatory power of the study model Effect Size Coefficient of Determination Predictive Relevance RBIA RME R-Square R-Square Adjusted SSO SSE Q 2 (=1 − SSE/SSO) MS 0.105 RBIA 0.402 0.399 936.000 718.894 0.232 RIA 0.091 RME 0.672 0.363 0.354 702.000 507.893 0.277 TRM 0.023

Sustainability 2024 , 16 , 8455 13 of 22 The modified R 2 values for RBIA and RME are marginally reduced to 0.399 and 0.354, respectively, taking into consideration the number of predictors in the model. The predictive relevance (Q 2 ) approach, created by Geisser (1974) [ 57 ], utilizes a blindfolding process. It evaluates the model’s ability to make predictions on data that were not used during the model’s development. Q 2 scores over zero reveal the presence of predictive relevance. The Q 2 score for RBIA is 0.232, while for RME it is 0.277, suggesting good predictive relevance in both cases. The SSO (sum of squared observations) and SSE (sum of squared errors) values are utilized in the computation of Q 2 , where the Q 2 value is determined by the ratio of the difference between SSE and SSO to SSO. In general, the model has a high level of explanatory ability, as indicated by considerable effect sizes, significant coefficients of determination, and sufficient predictive significance for the components RBIA and RME 4.4.2. Hypotheses Findings The findings of the structural model, displayed in Table 7 and Figure 2 below, strongly confirm all the expected relationships in the model. Each hypothesis examines the direct and indirect impacts between the constructs RIA, TRM, MS, RME, and RBIA. Concerning direct effects, Hypothesis 1 (RIA → RME) is substantiated, demonstrating a path coefficient of 0.316, a T statistic of 4.492, and a p -value of 0.000, indicating a substantial and positive correlation between RIA and RM. The validation of Hypothesis 2 (TRM → RME) is confirmed, exhibiting a substantial positive correlation with a path coefficient of 0.149, a T statistic of 2.283, and a p -value of 0.022. The third hypothesis (MS → RME) demonstrates a statistically significant positive correlation, with a path coefficient of 0.287, a T statistic of 5.054, and a p -value of 0.000. In addition, Hypothesis 4 (RME → RBIA) demonstrates a significant and positive correlation, with a path coefficient of 0.634, a T statistic of 14.715, and a p -value of 0.000. Hypothesis 5 (RIA → RME → RBIA) is supported, highlighting a significant indirect impact of 0.200, with a T statistic of 4.321 and a p -value of 0.000 Mediation effects are indicated here. Furthermore, Hypothesis 6 (TRM → RME → RBIA) is supported by a noteworthy indirect impact of 0.095, a T statistic of 2.175, and a p -value of 0.030. Hypothesis 7 (MS → RME → RBIA) is further validated, demonstrating a substantial indirect impact of 0.182, with a T statistic of 4.592 and a p -value of 0.000. In summary, the findings of the structural model strongly suggest that RIA, TRM, and MS exert a major influence on RME, which in turn has a substantial impact on RBIA. The mediating effects of RME highlight the crucial function of RME in the connections between RIA, TRM, MS, and RBIA. The findings provide robust endorsement for the suggested theoretical model Table 7. Hypotheses results Hypotheses Relationships Original Sample STDEV T Statistics p Values 2.5% 97.5% Conclusion Direct effects Hypothesis 1 RIA → RME 0.316 0.070 4.492 0.000 0.192 0.463 Supported Hypothesis 2 TRM → RME 0.149 0.065 2.283 0.022 0.010 0.267 Supported Hypothesis 3 MS → RME 0.287 0.057 5.054 0.000 0.175 0.394 Supported Hypothesis 4 RME → RBIA 0.634 0.043 14.715 0.000 0.548 0.717 Supported Mediating effects Hypothesis 5 RIA → RME → RBIA 0.200 0.046 4.321 0.000 0.122 0.303 Supported Hypothesis 6 TRM → RME → RBIA 0.095 0.043 2.175 0.030 0.006 0.177 Supported Hypothesis 7 MS → RME → RBIA 0.182 0.040 4.592 0.000 0.107 0.261 Supported

Sustainability 2024 , 16 , 8455 14 of 22 Sustainability 2024 , 16 , x FOR PEER REVIEW 13 of 22 is con fi rmed, exhibiting a substantial positive correlation with a path coe ffi cient of 0.149, a T statistic of 2.283, and a p -value of 0.022. The third hypothesis (MS → RME) demonstrates a statistically signi fi cant positive correlation, with a path coe ffi cient of 0.287, a T statistic of 5.054, and a p -value of 0.000. In addition, Hypothesis 4 (RME → RBIA) demonstrates a signi fi cant and positive correlation, with a path coe ffi cient of 0.634, a T statistic of 14.715, and a p -value of 0.000. Hypothesis 5 (RIA → RME → RBIA) is supported, highlighting a signi fi cant indirect impact of 0.200, with a T statistic of 4.321 and a p -value of 0.000. Mediation e ff ects are indicated here. Furthermore, Hypothesis 6 (TRM → RME → RBIA) is supported by a noteworthy indirect impact of 0.095, a T statistic of 2.175, and a p -value of 0.030. Hypothesis 7 (MS → RME → RBIA) is further validated, demonstrating a substantial indirect impact of 0.182, with a T statistic of 4.592 and a p -value of 0.000. In summary, the fi ndings of the structural model strongly suggest that RIA, TRM, and MS exert a major in fl uence on RME, which in turn has a substantial impact on RBIA. The mediating e ff ects of RME highlight the crucial function of RME in the connections between RIA, TRM, MS, and RBIA. The fi ndings provide robust endorsement for the suggested theoretical model. Figure 2. Structural model. Table 7. Hypotheses results Hypotheses Relationships Original Sample STDEV T Statistics p Values 2.5% 97.5% Conclusion Direct effects Hypothesis 1 RIA → RME 0.316 0.070 4.492 0.000 0.192 0.463 Supported Hypothesis 2 TRM → RME 0.149 0.065 2.283 0.022 0.010 0.267 Supported Hypothesis 3 MS → RME 0.287 0.057 5.054 0.000 0.175 0.394 Supported Hypothesis 4 RME → RBIA 0.634 0.043 14.715 0.000 0.548 0.717 Supported Mediating effects Hypothesis 5 RIA → RME → RBIA 0.200 0.046 4.321 0.000 0.122 0.303 Supported Hypothesis 6 TRM → RME → RBIA 0.095 0.043 2.175 0.030 0.006 0.177 Supported Hypothesis 7 MS → RME → RBIA 0.182 0.040 4.592 0.000 0.107 0.261 Supported Figure 2. Structural model 4.4.3. PLS Predict Results Using the computation approach for predictive relevance in PLS-SEM given by Shmueli et al. (2019) [ 47 ], the researchers initially computed the Q 2 values for the latent variables (LVs). When the Q 2 value exceeded zero, we computed the predicted performance for each item. Shmueli et al. (2019) [ 47 ] state that when the values of PLS-LM for fewer or minority items are less, what is suggested here is a lack of predictive capacity. In contrast, when all items had greater PLS-LM values, it meant that there was no ability to forecast. If the values of PLS-LM for every item were lower, it suggested a higher level of predictive power. The PLS-predict findings displayed in Table 8 demonstrate that the values of Q 2 - predict for every construct were positive, suggesting their predictive significance. As an example, the value of Q 2 -predict for RBIA 1 was 0.273, with a PLS RMSE of 0.683 and an MAE of 0.501 Table 8. PLS predict PLS LM Constructs Q 2 -Predict RMSE MAE RMSE MAE RBIA 1 0.273 0.683 0.501 0.682 0.507 RBIA 2 0.220 0.936 0.686 0.956 0.686 RBIA 3 0.176 1.036 0.799 1.040 0.802 RBIA 4 0.208 0.833 0.601 0.847 0.610 RME 1 0.263 0.614 0.482 0.641 0.504 RME 2 0.258 0.688 0.534 0.717 0.566 RME 3 0.268 0.621 0.469 0.651 0.478 These values were marginally superior to the LM (Linear Model) RMSE of 0.682 and MAE of 0.507. RBIA 2 had a Q 2 -predict value of 0.220, surpassing the LM’s RMSE of 0.956 and MAE of 0.686 with a PLS RMSE of 0.936 and an MAE of 0.686, but only slightly. These results demonstrate that the PLS model exhibits superior prediction capability for these items. In general, the PLS model consistently showed lower or similar RMSE and MAE values compared to the LM model for the components RBIA 1, RBIA 2, RBIA 3, RBIA 4, RME 1, RME 2, and RME 3. Indicated here is that the PLS model has a greater level of

Sustainability 2024 , 16 , 8455 15 of 22 predictive accuracy. More precisely, the values of PLS RMSE and MAE were lower for all constructs, which leads to the idea that the PLS model has a higher level of predictive accuracy compared to the LM model 4.5. Importance-Performance Map Analysis The visual depiction of route coefficients, specifically using Importance-Performance Map Analysis (IPMA), is a widely acknowledged and important instrument in SEM (Hair et al., 2017) [ 45 ]. IPMA offers a detailed comprehension of the significance and effectiveness of different components in a model, enabling focused enhancements and strategic decision-making. The findings illustrated in Figure 3 confirm the relative effectiveness and significance of the variables being examined. More precisely, when it comes to RME predictions, the concepts of IAR (Incremental Accuracy Ratio), MS (Mean Squared), TRM (Temporal Reliability Measure), and OI (Overall Information) demonstrate significant significance and effectiveness measurements. The IAR scores are (0.315, 77.661), suggesting a significant degree of relevance combined with excellent performance Sustainability 2024 , 16 , x FOR PEER REVIEW 15 of 22 ful integration and usefulness inside the model, whereas the greatest relevance value identi fi ed for IAR (0.315) stresses its crucial role in driving results. The insights from the IPMA highlight the strengths and opportunities for development, giving a complete perspective of how the components contribute to the overall e ff ectiveness of the framework. Figure 3. IPMA. 5. Empirical Findings and Discussion The transition from legislation and adherence to accomplishments, namely strategic planning, has led to a greater understanding that governance systems should prioritize relevant concerns in a strategic manner. From an agency standpoint, the acknowledgment of the internal audit role management support, risk management and risk-based internal auditing methods has been driven by the necessity to e ff ectively monitor the level of exposure to risks inherent in an organization’s strategy. The primary purpose of the internal auditing role is to oversee managers’ actions and behaviors and assess the e ffi ciency and integrity of organizational processes [14,19,25]. At this point, the function of internal audit is primarily using the risk-based internal auditing method as its main audit technique [5– 7]. Implementing an established and disciplined internal audit methodology will ultimately enhance the e ff ectiveness of internal audit operations [15]. Thus, e ff ective internal auditing is essential in today’s business environment in order to avoid de fi ciencies concerning the governance and fi nancial reporting issues, as well as to comprehend and pinpoint risks that jeopardize organization goals, processes and strategies [3,58–60]. Risk-based internal auditing is a contemporary approach to auditing that successfully combines what were formerly seen as separate roles: internal auditing and risk management [5–7,11,61]. This study emphasizes the comprehensive use of risk-based internal auditing methods in internal audit operations, encompassing planning, implementation, and reporting. Moreover, this study presents concrete data regarding the cause and direction of the important factors that impact on risk management and also its e ff ect on the risk-based internal audit implementation. Overall, this study’s fi ndings highlight the signi fi cance of having a robust risk culture in mitigating agency issues. The fi nding of the internal auditor’s role in risk management has a substantial impact on risk management. This fi nding aligns with what previous research [3,6,7,16,62] reported. It is suggested that by o ff ering comprehensive risk detection, evaluation, and reduction solutions, internal auditors greatly improve risk management processes. Their knowledge and impartial evaluation support a more organized and e ffi cient system of risk Figure 3. IPMA Analogously, the values of MS are (0.286, 67.197), stipulating its substantial contribution and acceptable performance in the framework. Among all exogenous constructions, TRM stands out as having the greatest performance measure, despite its relatively lower significance value of 0.149 and a performance value of 77.922. Implied here is that although TRM may not be considered highly significant, its execution and influence are remarkably efficient. The exceptional performance of TRM (77.922) emphasizes its successful integration and usefulness inside the model, whereas the greatest relevance value identified for IAR (0.315) stresses its crucial role in driving results. The insights from the IPMA highlight the strengths and opportunities for development, giving a complete perspective of how the components contribute to the overall effectiveness of the framework 5. Empirical Findings and Discussion The transition from legislation and adherence to accomplishments, namely strategic planning, has led to a greater understanding that governance systems should prioritize relevant concerns in a strategic manner. From an agency standpoint, the acknowledgment of the internal audit role management support, risk management and risk-based internal auditing methods has been driven by the necessity to effectively monitor the level of exposure to risks inherent in an organization’s strategy. The primary purpose of the internal

Sustainability 2024 , 16 , 8455 16 of 22 auditing role is to oversee managers’ actions and behaviors and assess the efficiency and integrity of organizational processes [ 14 , 19 , 25 ]. At this point, the function of internal audit is primarily using the risk-based internal auditing method as its main audit technique [ 5 – 7 ]. Implementing an established and disciplined internal audit methodology will ultimately enhance the effectiveness of internal audit operations [ 15 ]. Thus, effective internal auditing is essential in today’s business environment in order to avoid deficiencies concerning the governance and financial reporting issues, as well as to comprehend and pinpoint risks that jeopardize organization goals, processes and strategies [ 3 , 58 – 60 ]. Risk-based internal auditing is a contemporary approach to auditing that successfully combines what were formerly seen as separate roles: internal auditing and risk management [ 5 – 7 , 11 , 61 ]. This study emphasizes the comprehensive use of riskbased internal auditing methods in internal audit operations, encompassing planning, implementation, and reporting. Moreover, this study presents concrete data regarding the cause and direction of the important factors that impact on risk management and also its effect on the risk-based internal audit implementation. Overall, this study’s findings highlight the significance of having a robust risk culture in mitigating agency issues The finding of the internal auditor’s role in risk management has a substantial impact on risk management. This finding aligns with what previous research [ 3 , 6 , 7 , 16 , 62 ] reported It is suggested that by offering comprehensive risk detection, evaluation, and reduction solutions, internal auditors greatly improve risk management processes. Their knowledge and impartial evaluation support a more organized and efficient system of risk management. According to Abdullatif and Kawuq (2015) [ 16 ], internal auditors demonstrate a satisfactory understanding of significant workplace strategies and duties, even though there is still potential for improvement. Lois et al. (2021) [ 6 ] have suggested that internal auditors should regularly inform senior management about risks that pose a threat to the organization’s sustainability, therefore highlighting the need for more attention being paid to this matter Significant efforts are being made to improve the monitoring, assessment, and reporting of the quantity and effectiveness of risk management and internal control mechanisms [ 5 , 6 ]. By enhancing awareness of control and reinforcing a reliable process of risk management, internal auditing able to fulfill its expanded role in a trustworthy and reliable manner [ 7 ]. Moreover, the findings addressing the participation of internal auditors in risk evaluations indicate that they not only provide assurance on procedures for risk management, but also evaluate the reporting of risks. Consistent with the findings documented by Allegrini and D’onza (2003) [ 62 ], a considerable number of participants hold the view that management plays a crucial role in establishing the strategy required for successful risk management. The findings of this study demonstrate how important internal auditors are to developing a strong risk management culture and making sure organizations are better able to assess and manage risks. Consequently, Saudi public organizations should make use of internal auditors’ expertise to fortify their risk management procedures and enhance the resilience of their organizations The finding of the training in risk management has a significant impact on risk management. This finding aligns with prior research carried out by others [ 7 , 33 ]. The study conducted by Lois et al. (2021) [ 6 ] suggests that training initiatives improve staff members’ capacity to recognize, evaluate, and effectively manage risks. Training in risk management facilitates a more proactive and all-encompassing approach to risk management, and it does this by providing employees with the requisite abilities and information [ 3 ]. Subsequently, the findings of this study highlight how crucial ongoing risk management education is to developing an effective structure for risk management. Also, they advise Saudi public organizations to make risk management training a top priority and allocate funds on a regular basis to improve their general risk management capacities The finding of management support in risk management has a significant impact on risk management. This finding aligns with prior research carried out by Allegrini and D’onza (2003) [ 62 ], Drogalas et al. (2018) [ 3 ], Lois et al. (2021) [ 6 ] and Mujalli (2024 a) [ 7 ].

Sustainability 2024 , 16 , 8455 17 of 22 The study conducted by Mujalli (2024 a) [ 7 ] suggests that robust support given by the management improves risk management procedures. It does this by cultivating a culture that gives priority to understanding risk and proactive risk reduction. When management actively participates in and endorses risk management endeavors, it guarantees sufficient resources, transparent communication, and uniform execution of risk strategies [ 3 , 37 ]. This supports the conclusion reached by Abidin (2017) [ 5 ], who stated that risk management is essential for establishing a culture in which risk management is seamlessly incorporated into every aspect of the organization. Consequently, Saudi public organizations gain advantages from enhanced risk detection, evaluation, and management, which eventually ends in enhanced resilience of organizations and better performance The findings in risk management indicate that it exerts a substantial impact on the riskbased internal auditing implementation, which aligns with previous research conducted by Abidin (2017) [ 5 ] Mujalli (2024 a) [ 7 ], Coetzee and Lubbe (2014) [ 11 ]. The procedure for risk management promotes a heightened awareness of risk and fosters a culture that concentrates on managing risk. Establishing a well-defined framework for risk management tasks and processes motivates management to simulate responsibly for implementing more efficient practices for risk management [ 5 ]. A culture that is more cautious about taking risks encourages a department’s administration to carefully assess the level of risk involved in all decisions and activities [ 11 ]. The results corroborate the perspective proposed by Lois et al. (2021) [ 6 ] and Mujalli (2024 a) [ 7 ]: having an up-to-date system that integrates risk management, fosters a resilient environment for taking risks, and provides a strong foundation for implementing the risk-based internal auditing Based on what this study has reported, it is important to support the internal audit’s focus on key risks and the sufficiency of procedures for managing risks, since these are crucial for the effective implementation of risk-based internal auditing. Saudi public organizations appear to have sufficient protocols in place to establish a standard risk management approach. Clearly, significant improvements are necessary to clearly define the responsibilities and obligations, in addition to the procedures, of the risk management system [ 3 ]. According to Crawford and Stein (2002) [ 63 ], to implement risk management rules, it is essential to have either the administrator of risk management or a distinct risk management unit operating within the department. This body should operate in a way that lets internal auditors successfully carry out their responsibilities [ 40 ]. The finding of risk management acts as a mediator between internal auditor’s role and the risk-based internal auditing implementation. The findings support the hypothesis, revealing a significantly positive association this finding aligns with prior research [ 6 , 7 ]. This demonstrates that the implementation of appropriate risk management strategies improves internal auditors’ capacity to carry out risk-based auditing effectively. As stated by Abdullatif and Kawuq (2015) [ 16 ] and Lois et al. (2021) [ 6 ], internal auditors enhance the kind of work that they do by utilizing their specialized knowledge in identifying and evaluating risks, resulting in a more organized and targeted approach The finding of risk management acts as a mediator between training in risk management and the risk-based auditing implementation. The findings support the hypothesis, revealing a significantly positive association that this finding aligns with prior research [ 6 , 7 , 33 ]. As Lois et al. (2021) [ 6 ] pointed out, effective risk management strategies are crucial for connecting these elements to successful risk-based internal audits. Thus, the finding reported in this study demonstrated that effective risk-based internal auditing implementation in Saudi public organizations is facilitated by highly skilled internal auditors, robust managerial support and comprehensive risk management frameworks. This collaboration guarantees that audits concentrate on crucial risks, thereby enhancing the efficiency with which work is done as stated by Arena and Azzone (2009) [ 33 ]. In general the findings of this study highlight the significance of combining strong risk management practices with auditor training and management assistance, in order to enhance risk-based auditing results in the public sector.

Sustainability 2024 , 16 , 8455 18 of 22 The finding of risk management acts as a mediator between management support and the risk-based auditing implementation. The findings support the hypothesis, revealing a significantly positive association that this finding aligns with prior research findings [ 3 , 7 , 62 ]. Thus, the finding reported in this study confirmed the work that was conducted by Mujalli (2024 a) [ 7 ] and Drogalas et al. (2018) [ 3 ]. They concluded that having a robust management support system in place improves risk management practices by cultivating a culture that accords high importance to risk awareness and taking proactive measures to mitigate risks. When management actively participates in and endorses risk management initiatives, sustainability, it guarantees sufficient resources, transparent communication, and uniform execution of risk strategies [ 32 ]. Consequently, this enables the effective execution of internal auditing based on risk assessment [ 6 ]. This study’s findings emphasize the research conducted by Mujalli (2024 a) [ 7 ] who support the contention that it is essential to establish an environment in which risk management is seamlessly incorporated into all organizational functions. Thus, the significance of organization management’s dedication to promoting a resilient risk management culture, will enhance the internal audit procedures and overall organizational efficiency in Saudi public organizations. Consequently, Saudi public-sector organizations experience advantages in terms of enhanced risk detection, evaluation, and management, ultimately resulting in enhanced ability to withstand and recover from challenges, as well as improved overall performance 6. Conclusions The findings in this paper support the arguments made by agency theory. There is a significant association between the role of internal auditors in risk management, the training in risk management, and management support on risk management, and there is also a significant association between risk management and risk-based internal auditing implementation. A proactive and diligent approach realizes the possibilities for the role of internal auditors as information providers in addressing the problem of information asymmetry in organizations. The aforementioned established risk management system enhances management’s understanding of risk management by providing an efficient and well-working infrastructure Thus, the effective cooperation between risk management and the internal audit is crucial for strengthening the organization’s resilience and attaining strategic objectives Through collaboration, these services guarantee a thorough strategy for recognizing, evaluating, and minimizing risks. This collaboration promotes a strong control environment, wherein risk management generates valuable information on developing risks while internal audit provides independent confirmation on the efficiency of controls. The collective endeavors result in enhanced decision-making, heightened transparency, and augmented stakeholder confidence, eventually propelling the organization to sustainable expansion and operating superiority In conclusion, the relevance of risk-based internal auditing deployment as a planned strategy has been clearly shown by this empirical study and earlier research. Adhering to the right risk management strategy and internal control mechanisms, this method enables internal auditors to provide authoritative advisory services and financial statements. The ultimate responsibility for every organization’s success or failure lies with its management 6.1. Implications The research findings underscore the necessity of regulatory authorities conducting an overview of the policies and regulations that govern internal audits in public-sector organizations. As Saudi Arabia’s public-sector organization continues to modernize its financial infrastructure, regulators may leverage the knowledge gained from sustainable risk-based internal auditing to establish systems that facilitate a proactive approach. In order to improve general responsibility and governance, policymakers may require companies to implement more comprehensive, methodical internal audit processes. This study

Sustainability 2024 , 16 , 8455 19 of 22 advocates for auditors to transcend conventional audit structures by emphasizing the necessity of a risk-based internal auditing system that is constantly evolving. Increasing the competency of internal auditors in risk surveillance and management is recommended. A reduced likelihood of operational failures is ensured by more efficient audits that align with organizational objectives through enhanced comprehension of risk-based methodologies Additionally, the implementation of a sustainable approach to internal audits ensures that audits are not solely reactive, but also forward-thinking, as they assess both current and future hazards that may jeopardize corporate objectives This study emphasizes the importance of establishing robust internal surveillance systems that can be implemented on a consistent basis in a variety of sectors. These approaches have the potential to enhance the credibility of financial reporting and safeguard companies from unforeseen risks. By integrating a realistic, real-time monitoring system with more comprehensive internal audits, it is possible to significantly reduce financial deception, thereby enhancing stakeholder confidence. These systems contribute to the improvement of organizational performance and public confidence by reducing financial fraud and mismanagement situations. The research provides managers and administrators with a practical comprehension of how to optimize the factors that influence internal audit performance. By comprehending and optimizing these variables, management teams may execute risk control strategies with greater efficacy. This leads to a more robust organizational framework that can withstand both internal operational hazards and external market demands. The emphasis on executive management engagement also suggests that top executives should be more actively involved in auditing procedures to ensure that audits serve as strategic instruments rather than mere formalities This study establishes a foundation for further exploration of sustainability solutions that are based on internal risk. Future research may further investigate the long-term implications of these methods on sector-wide best practices and organizational success. Risk-based internal auditing ‘s scalability and flexibility across various sectors may also be investigated by researchers. This generates novel research avenues and contributes to the evolving discourse regarding audit techniques and risk management. This study also implies the importance of technology solutions that enhance the efficacy and accuracy of risk-based internal audits in light of the rapid digitization of audit processes on a global scale. By combining cloud-based audit solutions, artificial intelligence, and data analytics, internal auditing could be further enhanced. This is especially important for Saudi Arabia’s large public-sector organizations that manage vast quantities of financial data. Real-time auditing, predictive risk assessments, and data-driven insights—all of which would enhance the effectiveness of internal audits could be facilitated by advanced technology 6.2. Research Limitations, Recommendations for Future Study It is important to acknowledge and take into account several noteworthy limitations when analyzing and drawing conclusions from the findings of this research. The present investigation is initially restricted in terms of its geographical and thematic boundaries This study was limited to a specific population, namely public-sector organizations in Saudi Arabia. Consequently, the findings lack immediate applicability to a broader or global context. Future research should aim to broaden its scope beyond the limitations of this specific geographical region, in order to include organizations from diverse sectors and countries. By conducting a comprehensive analysis of risk management practices within different institutional environments and regulatory frameworks, a deeper understanding of these practices can be achieved. This would enable researchers to gain valuable insights into the effectiveness and efficiency of risk management strategies in different contexts The method of data collection represents a noteworthy constraint in this study. This study made efforts to enhance the response rate by utilizing a concise questionnaire. However, it is important to note that this study primarily relied on survey data, which consequently imposed limitations on the depth of the data collected. The richness of the

Sustainability 2024 , 16 , 8455 20 of 22 data is somewhat compromised due to the inherent limitation of short surveys in capturing more nuanced insights. For the purpose of enhancing the comprehensiveness of risk management practices analysis, it is suggested that forthcoming investigations may derive advantages from employing a more extensive survey structure that encompasses a wider range of enquiries and integrates more rigorous variables Furthermore, it should be noted that the utilization of a quantitative methodology in this particular investigation, while advantageous, may not fully capture the intricate variables that impact the field of risk management. The utilization of qualitative methodologies, such as conducting in-depth interviews or analyzing case studies, has the potential to provide a more comprehensive understanding of the dynamics of organizational culture, leadership, and external factors that shape risk management practices. For example, a potential avenue for future investigation could involve examining the degree to which managerial attitudes towards risk and the structure of organizational hierarchies impact the implementation and efficacy of risk management policies. Conducting interviews with risk managers and auditors has the potential to offer valuable insights that may not be captured by a quantitative survey. This can enhance our understanding of the complexities and intricacies involved in risk management. Ultimately, this study presents several unique prospects for future exploration. This study highlights the importance of conducting a more comprehensive examination of the policy implications associated with risk management strategies. Further investigation may be warranted to examine the development of bespoke risk management frameworks tailored to the specific circumstances of individual organizations, with the aim of enhancing the effectiveness of policies. The purpose of these recommendations is not solely to bring this study to a close, but rather to act as a stimulus for continuous research, thus driving future advancements in the academic and practical aspects of risk management Author Contributions: Conceptualization, A.A. and A.M.; Methodology, A.A.; Software, A.A.; Validation, A.A.; Formal analysis, A.A.; Investigation, A.A.; Writing–original draft, A.A.; Writing– review & editing, A.M.; Supervision, A.M.; Project administration, A.M. All authors have read and agreed to the published version of the manuscript Funding: This research received no external funding Informed Consent Statement: Informed consent was obtained from all subjects involved in this study Data Availability Statement: The datasets used during the current study are available from the corresponding author on reasonable request Acknowledgments: The authors gratefully acknowledge the funding of the Deanship of Graduate Studies and Scientific Research, Jazan University, Saudi Arabia, through Project Number: GSSRD-24 Conflicts of Interest: The authors declare no conflicts of interest References 1 Yazo-Cabuya, E.J.; Ibeas, A.; Herrera-Cuartas, J.A. Integrating Sustainability into Risk Management through Analytical Network Process Sustainability 2024 , 16 , 2384. [ CrossRef ] 2 Jim é nez, A.; Arrieta, Y.; Nuñez, M.A.; Villanueva, E. Management of Strategic Risks for the Sustainability of SMEs in the Manufacturing Sector in Antioquia Sustainability 2024 , 16 , 2094. [ CrossRef ] 3 Drogalas, G.; Eleftheriadis, I.; Pazarskis, M.; Anagnostopoulou, E. Perceptions about effective risk management. the crucial role of internal audit and management. Evidence from greece Invest. Manag. Financ. Innov 2018 , 14 , 1–11. [ CrossRef ] [ PubMed ] 4 Jin, J.; Zhou, H. A demand-side inoperability input–output model for strategic risk management: Insight from the COVID-19 outbreak in Shanghai, China Sustainability 2023 , 15 , 4003. [ CrossRef ] 5 Abidin, N.H.Z. Factors influencing the implementation of risk-based auditing Asian Rev. Account 2017 , 25 , 361–375. [ CrossRef ] 6 Lois, P.; Drogalas, G.; Nerantzidis, M.; Georgiou, I.; Gkampeta, E. Risk-based internal audit: Factors related to its implementation Corp. Gov. Int. J. Bus. Soc 2021 , 21 , 645–662. [ CrossRef ] 7 Mujalli, A. Factors Affecting the Implementation of Risk-Based Internal Auditing J. Risk Financ. Manag 2024 , 17 , 196. [ CrossRef ] 8 Turetken, O.; Jethefer, S.; Ozkan, B. Internal audit effectiveness: Operationalization and influencing factors Manag. Audit. J 2020 , 35 , 238–271. [ CrossRef ]

Sustainability 2024 , 16 , 8455 21 of 22 9 Alazzabi, W.Y.E.; Mustafa, H.; Karage, A.I. Risk management, top management support, internal audit activities and fraud mitigation J. Financ. Crime 2023 , 30 , 569–582. [ CrossRef ] 10 Gupta, H.; Kharub, M.; Shreshth, K.; Kumar, A.; Huisingh, D.; Kumar, A. Evaluation of strategies to manage risks in smart, sustainable agri-logistics sector: A Bayesian-based group decision-making approach Bus. Strategy Environ 2023 , 32 , 4335–4359 [ CrossRef ] 11 Coetzee, P.; Lubbe, D. Improving the efficiency and effectiveness of risk-based internal audit engagements Int. J. Audit 2014 , 18 , 115–125. [ CrossRef ] 12 Koutoupis, A.G.; Tsamis, A. Risk based internal auditing within Greek banks: A case study approach J. Manag. Gov 2009 , 13 , 101–130. [ CrossRef ] 13 Anugraheni, E.P.; Setiawati, E.; Trisnawati, R. Analysis of Risk-Based Internal Audit Planning Implementation and Its Impact on Audit Quality: Case Study at the Inspectorate of Surakarta, Indonesia J. Econ. Bus 2022 , 3 , 5. [ CrossRef ] 14 Alzeban, A.; Gwilliam, D. Factors affecting the internal audit effectiveness: A survey of the Saudi public sector J. Int. Account Audit. Tax 2014 , 23 , 74–86. [ CrossRef ] 15 Mujalli, A.Y.A. Internal Audit Effectiveness in Saudi Arabia’s Public Sector Higher Education System. Ph.D. Dissertation, RMIT University, Melbourne, Australia, 2020 16 Abdullatif, M.; Kawuq, S. The role of internal auditing in risk management: Evidence from banks in Jordan J. Econ. Adm. Sci 2015 , 31 , 30–50. [ CrossRef ] 17 Almagrashi, A.; Mujalli, A.; Khan, T.; Attia, O. Factors determining internal auditors’ behavioral intention to use computer-assisted auditing techniques: An extension of the UTAUT model and an empirical study Future Bus. J 2023 , 9 , 74. [ CrossRef ] 18 Grima, S.; Baldacchino, P.J.; Grima, S.; Kizilkaya, M.; Tabone, N.; Ellul, L. Designing a Characteristics Effectiveness Model for Internal Audit J. Risk Financ. Manag 2023 , 16 , 56. [ CrossRef ] 19 Weekes-Marshall, D. The role of internal audit in the risk management process: A developing economy perspective J. Corp Account. Financ 2020 , 31 , 154–165. [ CrossRef ] 20 Wang, X.; Ferreira, F.A.F.; Yan, P. A multi-objective optimization approach for integrated risk-based internal audit planning Ann Oper. Res 2023 , 1–30. [ CrossRef ] 21 Almahuzi, A.S. Factors Impacting the Effectiveness of Internal Audit in the Saudi Arabian Public Sector. Ph.D. Dissertation, Victoria University, Melbourne, Australia, 2020 22 AL-RBAI, Z.M. The Effectiveness of Internal Audit in Government Units in the Kingdom of Saudi Arabia and their Obstacles in the Light of the Saudi Vision 2030 and Current Changes Multi-Knowl. Electron. Compr. J. Educ. Sci. Publ 2020 , 1 , 38 23 Omer, W.K.H.; ALJAAIDI, K.S.; AL-MOATAZ, E.S. Risk management functions and audit report lag among listed saudi manufacturing companies J. Asian Financ. Econ. Bus 2020 , 7 , 61–67. [ CrossRef ] 24 Al-Taee, S.H.H.; Flayyih, H.H. Impact of the electronic internal auditing based on IT governance to reduce auditing risk Corp Gov. Organ. Behav. Rev 2023 , 7 , 94–100. [ CrossRef ] 25 Hazaea, S.A.; Zhu, J.; Khatib, S.F.A.; Elamer, A.A. Mapping the literature of internal auditing in Europe: A systematic review and agenda for future research Meditari Account. Res 2023 , 31 , 1675–1706. [ CrossRef ] 26 Oppong, C.; Fofack, A.D.; Boakye-Yiadom, E. Efficacy of public sector audits in the provision of quality healthcare in Ghana J Econ. Adm. Sci 2023 , 39 , 1108–1121. [ CrossRef ] 27 Eisenhardt, K.M. Agency theory: An assessment and review Acad. Manag. Rev 1989 , 14 , 57–74. [ CrossRef ] 28 Fama, E.F.; Jensen, M.C. Separation of ownership and control J. Law Econ 1983 , 26 , 301–325. [ CrossRef ] 29 Mitnick, B.M. Fiduciary rationality and public policy: The theory of agency and some consequences. In Proceedings of the 1973 Annual Meeting of the American Political Science Association, New Orleans, LA, USA, 4–8 September 1973 30 Ross, S.A. The economic theory of agency: The principal’s problem Am. Econ. Rev 1973 , 63 , 134–139 31 Madawaki, A.; Ahmi, A.; Ahmad, H.N. Internal audit functions, financial reporting quality and moderating effect of senior management support Meditari Account. Res 2022 , 30 , 342–372. [ CrossRef ] 32 MetricStream. State of Internal Audit 2018-Impact and Opportunities, MetricStream Research. 2018. Available online: https: //info.metricstream.com/Internal-Audit-2018-Impact-and-Opportunities.html? (accessed on 8 April 2023) 33 Arena, M.; Azzone, G. Identifying organizational drivers of internal audit effectiveness Int. J. Audit 2009 , 13 , 43–60. [ CrossRef ] 34 Ar’Reza, I.F.; Wardoyo, C.; Putri, S.F. Internal auditors’ fraud detection: A phenomenological study Int. J. Account. Financ. Asia Pasific 2020 , 3 , 68–76. [ CrossRef ] 35 Rae, K.; Subramaniam, N. Quality of internal control procedures: Antecedents and moderating effect on organisational justice and employee fraud Manag. Audit. J 2008 , 23 , 104–124. [ CrossRef ] 36 Mujalli, A.; Almgrashi, A. A Conceptual Framework for Generalised Audit Software Adoption in Saudi Arabia by Government Internal Auditing Departments using an Integrated Institutional Theory-TOE Model. In Proceedings of the 2020 IEEE Asia-Pacific Conference on Computer Science and Data Engineering (CSDE), Gold Coast, Australia, 16–18 December 2020; pp. 1–8 37 Sarens, G.; De Beelde, I. Internal auditors’ perception about their role in risk management: A comparison between US and Belgian companies Manag. Audit. J 2006 , 21 , 63–80. [ CrossRef ] 38 Alqudah, H.M.; Amran, N.A.; Hassan, H. Factors affecting the internal auditors’ effectiveness in the Jordanian public sector: The moderating effect of task complexity EuroMed J. Bus 2019 , 14 , 251–273. [ CrossRef ] 39 Goodwin-Stewart, J.; Kent, P. The use of internal audit by Australian companies Manag. Audit. J 2006 , 21 , 81–101. [ CrossRef ]

Sustainability 2024 , 16 , 8455 22 of 22 40 Woods, M. Linking risk management to strategic controls: A case study of Tesco plc Int. J. Risk Assess. Manag 2007 , 7 , 1074–1088 [ CrossRef ] 41 Babbie, E.R The Practice of Social Research ; Cengage Learning: Boston, MA, USA, 2020; ISBN 0357360842 42 Sekaran, U.; Bougie, R Research Methods for Business: A Skill Building Approach ; John Wiley & Sons: Hoboken, NJ, USA, 2016; ISBN 1119165555 43 Oppenheim, A.N Questionnaire Design, Interviewing and Attitude Measurement ; Bloomsbury Publishing: London, UK, 2000; ISBN 0826451764 44 Saunders, M.N.K.; Lewis, P.; Thornhill, A Research Methods for Business Students , 8 th ed.; Pearson.: London, UK, 2019; ISBN 9781292208800 45 Hair, J.F.; Risher, J.J.; Sarstedt, M.; Ringle, C.M. When to use and how to report the results of PLS-SEM Eur. Bus. Rev 2019 , 31 , 2–24. [ CrossRef ] 46 Rold á n, J.L.; S á nchez-Franco, M.J. Variance-based structural equation modeling: Guidelines for using partial least squares in information systems research. In Research Methodologies, Innovations and Philosophies in Software Systems Engineering and Information Systems ; IGI Global: Hershey, PA, USA, 2012; pp. 193–221 47 Shmueli, G.; Sarstedt, M.; Hair, J.F.; Cheah, J.H.; Ting, H.; Vaithilingam, S.; Ringle, C.M. Predictive model assessment in PLS-SEM: Guidelines for using PLSpredict Eur. J. Mark 2019 , 53 , 2322–2347. [ CrossRef ] 48 Mujalli, A. The influence of E-auditing adoption on internal audit department performance amid COVID-19 in Saudi Arabia Cogent Bus. Manag 2024 , 11 , 2295608. [ CrossRef ] 49 Ringle, C.; Wende, S.; Becker, J.-M SmartPLS 3 ; Boenningstedt SmartPLS GmbH: Boenningstedt, Germany, 2015; Volume 584 50 Podsakoff, P.M.; MacKenzie, S.B.; Podsakoff, N.P. Sources of method bias in social science research and recommendations on how to control it Annu. Rev. Psychol 2012 , 63 , 539–569. [ CrossRef ] 51 Podsakoff, P.M.; MacKenzie, S.B.; Lee, J.Y.; Podsakoff, N.P. Common method biases in behavioral research: A critical review of the literature and recommended remedies J. Appl. Psychol 2003 , 88 , 879–903. [ CrossRef ] [ PubMed ] 52 Harman, H.H Modern Factor Analysis ; University of Chicago Press: Chicago, IL, USA, 1976; ISBN 0226316521 53 Kock, N. Common method bias in PLS-SEM: A full collinearity assessment approach Int. J. e-Collab 2015 , 11 , 1–10. [ CrossRef ] 54 Henseler, J.; Ringle, C.M.; Sarstedt, M. A new criterion for assessing discriminant validity in variance-based structural equation modeling J. Acad. Mark. Sci 2015 , 43 , 115–135. [ CrossRef ] 55 Fornell, C.; Larcker, D.F. Evaluating structural equation models with unobservable variables and measurement error J. Mark. Res 1981 , 18 , 39–50. [ CrossRef ] 56 Cohen, J. Statistical power analysis Jbr the behavioral Sci. Hillsdale Lawrence Erlbaum Assoc 1988 , 18 , 74 57 Geisser, S. A predictive approach to the random effect model Biometrika 1974 , 61 , 101–107. [ CrossRef ] 58 Drogalas, G.; Siopi, S. Risk management and internal audit: Evidence from Greece Risk Gov. Control Financ. Mark. Inst 2017 , 7 , 104–110. [ CrossRef ] 59 De Zwaan, L.; Stewart, J.; Subramaniam, N. Internal audit involvement in enterprise risk management Manag. Audit. J 2011 , 26 , 586–604. [ CrossRef ] 60 Sunaryo, K.; Astuti, S.; Zuhrohtun, Z. The role of risk management and good governance to detect fraud financial reporting J Contemp. Account 2019 , 1 , 38–46. [ CrossRef ] 61 Wilkinson, N.; Coetzee, P. Internal audit assurance or consulting services rendered on governance: How does one decide J. Gov Regul 2015 , 4 , 186–200. [ CrossRef ] 62 Allegrini, M.; D’onza, G. Internal auditing and risk assessment in large Italian companies: An empirical survey Int. J. Audit 2003 , 7 , 191–208. [ CrossRef ] 63 Crawford, M.; Stein, W. Auditing Risk Management: Fine in Theory but who can do it in Practice? Int. J. Audit 2002 , 6 , 119–131 [ CrossRef ] Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.