Internal Audit and its Role in Risk Management Evidence: The Libyan Universities

This paper aims to identify the role of internal audit in contributing to the reduction of risks to the operations of higher education institutions in the Libyan state. The descriptive analytical method was adopted and the questionnaire was used as a tool for collecting and analyzing data related to the study using SPSS. This paper concluded that the internal audit offices and departments of the Libyan universities carry out their activities related to risk management evaluation and add value to the work of the department. In addition, internal audit offices and departments develop, record and communicate reports on the results of their work. Several recommendations have been made, including the need to push internal audit offices and departments towards the adoption of risk-based work plans, technical plans and internal audit programs. Also, more attention should be given to the development of standards, means and programs to identify measure and assess risks.


Introduction
The practice in the public sector has shown that there are risks that vary in severity and importance from one period to another according to the economic situation, also changes in society as a whole, such as risks arising from the regulatory environment, and risks related to non-compliance with accounting or financial rules, those relating to management delegation, risks related to public control and internal fraud, and risks related to lack of services in asset management (Eugeniu & Aurelia, 2009). One consequence of these risks was a world Development Report entitled "World Development Report: Risks and Opportunities: Risk Management for Development", issued by the World Bank in 2014 "They range from job loss and disease outbreaks, to global crises and natural disasters, and one of the serious consequences of mismanagement of risk is that it has led to a severe decline in employment opportunities, as well as the gross output of those countries". Therefore, risk management is one of the most important tools of strategic management of business organizations, in its endeavor to spare the Organization and its stakeholders from the risks to which they are exposed. Whereas, risk management enables the organization to measure, assess and analyze risks, and to identify steps to address them, Reducing its various impacts on the performance of the organization, risk management aims to add value to the organization, through its support towards the achievement of the organization's economic and social objectives. Risk management, according to Wikipedia, is a "process of measuring and evaluating risks and developing strategies for managing them". Risk is defined by the American Institute of Internal Auditors as "the process of identifying, evaluating, managing and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives", risk management in accordance with the Guide on Corporate Governance and Risk Management of MFIs in the Arab World is "the process of identifying, assessing, managing and controlling potential events or situations in order to ensure that the institution achieves its objectives". The risk management process effectively reduces the probability of a particular loss and reduces the amount of loss if it occurs. Risk management includes prevention of potential problems, early detection of problems when they occur, and correction of policies and procedures that have allowed them to occur. Means that risk management includes a set of procedures and processes within a systematic framework, which will support the accountability and transparency of the organization, and works to measure and evaluate performance at all levels of the organization, whether managerial, financial, or operational, etc., which leads to take all necessary actions of any probable risks, also protect stakeholders, including employees of the Organization's rights, in general risks are defined by combining the probability of occurrence of the event and the consequences of it. Therefore, concerned with risks a series of challenges that must be faced when making some key decisions. Nevertheless, risks according of Cohen (2005) are "everything that could interfere with the achievement of the objectives, as some have the cause of financial failure and loss". According to the guidelines for risk management in the public sector in Australia and New Zealand, the risk indicates the possibility of an event and affects the objectives of the organization, and the risk is measured in terms of consequences (Aurelia & Eugeniu, 2009). The Institute of Internal Auditors issued a statement in 2004 confirming that the Board of Directors of the Organization is responsible for the Organization's risk management, by delegating a task force responsible for risk management and reporting the results to the Board. As internal audit provides an efficient and effective assurance of risk management as it identifies and assesses the risks to which the Organization may be exposed, some studies confirm that internal audit has a strong impact on public sector institutions, depending on the quality of internal audit, Early and accurate risk identification (Alexandra, le la, 2015), "Internal audit can play an important role in reducing risk, preventing fraud and corruption in public management, and helping the organization achieve its objectives by adopting a structured and disciplined approach to assess and improve the effectiveness of risk management processes, to add value and improve the processes and performance of the organization" (Maria, 2014 ), this comes in accordance with the modern definition of internal audit issued by the American Institute of Internal Auditors (IIA) as "an independent and objective and consultative assurance designed to increase the value of the organization and improve its operations, and help it achieve its objectives by forming a disciplined approach to assess and improve the effectiveness of risk management, control and governance of the organization.'' Internal audit is one of many risk management controls and is used as an effective tool for managing operational, financial, legal and regulatory risks. Furthermore, internal audit facilitates the formulation of strategic policies to achieve the Organization's objectives (Vijayakumar, 2012;Anghelache, Popescu, Anghel, 2018). The above shows that public sector institutions face multiple and increasing internal and external risks, whether strategic, operational or financial, these risks have negative effects that may reach reduce to the ability of these institutions to achieve their objectives, and focuses risk management on the inventory and assessment of these threats and identify opportunities to avoid potential threats. In addition, internal audit plays an important role in confronting these threats and taking advantage of opportunities. This necessitated the internal auditors to accept greater responsibilities and tasks than in the past, and to direct their efforts to pay attention to the performance and future of the Organization, especially in light of the growing and increasing. Risks of all kinds in the modern business environment.

Problem Statement
Due to the current circumstances that the Libyan state is undergoing from major political and economic changes, one of the main negative consequences was the spread of the phenomenon of financial and managerial corruption, which affected all state institutions, especially the public sector, where a report published (GA N-Business -Anti Corruption) in 2018 Titled "Libya Corruption Report" that corrupt practices such as abuse of office, nepotism and bribery have grown since the 2011 uprising. Moreover, to the deteriorating services at all levels, according to Transparency International's Corruption Perceptions Index 2018, the Libyan state is ranked 170 out of 180 countries included in the report. Thus, Libya is one of the most corrupt countries, which requires more efforts and more effective in combating corruption, also to address the threats and risks facing the public sector. Furthermore, Internal Audit can play an important and effective role in identifying, assessing those risks and threats, also reduce their aggravation, and although the International Organization for Economic Cooperation and Development (OCED) have confirmed according to a document published in 2019 titled "Internal Control and Risk Management for Public Integrity in the MENA Region", most countries in the region, including Libya, suffer from weak internal audit functions, reflecting problems in the scope of the audit.

Research Gap
The topic of internal audit and the role that it can play in the field of risk management in public sector institutions has been addressed through following the spatial research methodology for several considerations, including: • The focus is mostly when dealing with the issue of risk management on the private sector and is rarely studied in the public sector. Therefore, this issue was addressed in public sector institutions through a field study in the higher education institutions sector. • This study is the first of its kind in this field in the Libyan state. As the role of internal audit has not been studied in risk management in government institutions in general and the higher education sector in particular.
• The issue of risks has been addressed through many studies in many countries of the world, and all of these studies have unanimously agreed on the important and effective role that the internal audit can play in reducing those risks that threaten the life of the project and its continuity. Therefore, this paper came to address this role in a country that is considered one of the most corrupt countries, and is in transition in all political, social and economic aspects. Which calls for the following question: "To what extent does internal audit contribute to public sector risk management in Libyan universities?"

Importance of the Study
This study highlights the importance of addressing a very important subject in light of the current political and economic changes witnessed by the Libyan state, the number of risks that affected all aspects of managerial and economic life, and reflected on the social conditions of all segments of society in the Libyan state, In view of the recent tasks entrusted to the internal audit, it should play an active role in the risk management process surrounding the activities of public administrative units, especially in the Libyan universities sector, it also highlights the importance of the study from evaluating the expected role of the internal audit department in Libyan universities towards identifying and evaluating the risks that threaten the conduct of various operations in this sector. In order to assess and improve its effectiveness in the risk management process, in line with international guidelines in this regard, especially the internal audit standards issued by the Institute of Internal Auditors.

Research Objective
The study seeks to verify the following objective: "Identify whether the audit activity at Libyan universities contributes to efficient and effective risk management".

Study Hypotheses
Internal audit at Libyan universities contributes to effective and efficient risk management. Through the main hypothesis of the research, the following sub-hypotheses are: i. Internal audit manages its risk management activities effectively and adds value to management. ii. The objectives and scope of internal audit functions are developed and documented to assess and identify risks and communicate reports on the results of their work.

Study Methodology
This study was based on the descriptive analytical method, by describing the data of the problem, and then obtains the facts associated with the study by collecting the necessary information about the problem of the study by returning to the accounting literature and previous studies. The questionnaire was prepared in the light of the previous studies, and judged by the competent professors. After approval, it was distributed to the study sample in the Libyan universities. Finally, the questionnaires collected were analyzed and tested, the results evaluated and suggest the necessary recommendations.

Literature Review
Risk management has become increasingly important in recent decades for both for-profit organizations and public sector institutions. However, there are unique features that characterize risk analysis and management as applied in the public sector, both in terms of areas of application and implementation being mandatory, with efforts to reduce risk, Strengthening operational processes (László, le al, 2015;Kassim, Baharuddin, & Khalib, 2018). A study by the American Institute of Internal Auditors (IIA) entitled "The role of internal audit in enterprise-wide risk management", It is a working paper produced in collaboration between the Organization Support Committee (COSO), a committee that aims to provide support to organizations' management on internal control, governance and risk management processes, and between the Institute of Internal Auditors and the British, Irish Institute of Auditors. This working paper examined the effective impact of the internal control system on the operational risk management in organizations. Moreover, one of the main findings of the paper is that the senior management of the organization is responsible for establishing and activating the risk management structure in coordination with the Board of Directors. Furthermore, the role of internal audit in risk management is to provide reasonable assurance to senior management and the Board that the risks surrounding the entity are managed effectively and healthy, taking into account that the process of risk management at the organization level will help management to increase its profits and increase the impact and activate the role of internal audit. Whereas (Sarens, & De Beelde 2006;Boutskou, 2014), he described and compared the internal auditors' perception of their current role in risk management within US and Belgian companies. In the Belgian case, the focus of internal auditors on acute deficiencies in the risk management system creates opportunities to demonstrate its value, also Internal auditors play a leading role in creating a higher level of risk awareness and control, and a formal risk management system. While in the case of the United States, objective evaluations and opinions of internal auditors are valuable inputs to the new internal control audit and disclosure requirements mentioned in the Sarbanes-Oxley low.
According to the study, in the Belgian case, the internal audit profession is in reality "transition phase", in order to continue in this transition period, internal auditors need to take an "educational role" towards the various levels of management to make them aware of their responsibilities in risk management after this transition period. Eugeniu and Aurelia (2009) confirm that one of the results of the profound transformations that characterized the public sector, which resulted from the expansion of the European Union, to increase the complexity of activities, it calls for the redefinition of the role of internal audit and risk management in public sector entities. On the other hand, some studies indicate that there is a need to involve public sector entities in the process of risk management and governance, because internal auditors in the public sector are able to play an important role in risk management in the organization. According to Albina and Firdaus, (2018) the state plays a significant role in the economic life of any society through the public sector, the most important risks facing the public sector are the risks of development, internal control, auditing, application of science and technology achievements, Therefore, there is an urgent need to effective methods of risk assessment at work, although public sector institutions are generally concerned with providing services or outcomes that are beneficial to the public as a whole of social interest instead of the commercial motivation to maximize profit. However, they are prone to face all kinds of risks that may be internal or external. , the success of these institutions depends on the achievement of their economic and social objectives on the extent to which they predict and manage risks. Consequently, one of many risk management controls is to rely primarily on internal audit as an effective tool for managing operational, financial, legal and regulatory risks. Furthermore, internal audit also facilitates the formulation of strategic policies to achieve the objectives of the organization (Vijayakumar, A. N, 2012). In this context, Maria and Costa (2014) highlights that the internal auditor plays an important role in preventing fraud and corruption in public management, and they explained how the internal audit can contribute to preventing the risk of corruption and related crimes in public sector institutions, Where the internal auditor aims, through his work, to develop an action plan that will help the organization achieve its goals by adopting a structured and disciplined approach to assess and improve the effectiveness of risk management processes in order to add value and improve the organization's performance processes, so the growth of risks would threaten the achievement of the organization's goals and implementation Proper risk management. Moreover, risk management according to Philna and Dave (2011) is a relatively new addition to the concept of corporate governance, where corporate governance requires that the board ensure that there is an effective internal audit based on risk, with formal guidance to be the Institute of Internal Auditors has a starting point for internal auditors when performing their duties, and there is an urgent need for more guidelines and legislation in force and comprehensive in this regard. Quirt (2011) study aimed to identify the extent of the internal audit function and its effectiveness in the risk management process in the Syrian public and private banks, by providing various confirmatory and consulting services during the implementation of the risk management process, among the most important results of this study, is that there is no effective contribution to the internal audit activity in the process of risk management in public Syrian banks, in addition, the study presented some recommendations, the most important of which is the necessity of activating the role of the internal audit activity in the process of risk management in the Syrian public banks, to help it in facing future financial crises. On the other hand, ِ article for Hafizah (2017) aimed to explore the level of risk management practices in public universities in Malaysia and the role of internal audit in risk management practices, to provide insight into changes in internal audit and risk management practices in government universities in response to external and internal forces over the Malaysian education sector. The results indicated that all Malaysian public universities have an internal audit unit, and two-thirds of the participants participate in evaluating the effectiveness of the risk management process. Also, the oldest public universities achieved an advanced level through a set of risk management practices.
As well a study of Agumas (2015) aims to identify the role of the internal audit function in public sector governance, and the challenges that have an impact on this job in the case of the regional government public sector in Amhara, Ethiopia. The study relied on a systematic survey of all internal audit managers and their employees from 35 public sector offices in Amhara National Regional State. The results showed that the role of risk management in the internal audit function is positively related to compliance with professional auditing standards, unrestricted access to data and information, support to senior management, also, is negatively linked to organizational independence, competent employees, and adequate funding. Furthermore, the conclusion reveals that competent employees and compliance with professional audit standards and adequate funding are positively associated with the oversight function in internal audit. Lastly, the results also indicate that the role of the governance process for the internal audit function is positively linked to qualified employees and compliance with professional audit standards and is negatively linked to support from senior management.

Data Collection Tools
The questionnaire was used to study the role of the internal audit in risk management in the public sector, so a questionnaire was designed and included two parts. The first part was used to collect personal data on the respondents, which is the university the participant belongs to, the academic qualification, years of experience and the function, while the second part of the questionnaire consists of two items to define this role. The first axis: Internal audits manage their activities in relation to managing risks effectively and adding value for the work of the management, the axis consists of (7) paragraphs. The second axis: developing and documenting the objectives and scope of the internal audit tasks to evaluate and identify risks and communicate reports of the results of its work, and the axis consists of (8) paragraphs.

Data Analysis Methods
To reach the research objectives and obtain the planned results, the paper will rely on the following methods: • Frequency distributions.
• One Sample T -test.

Validity of Questionnaire Paragraphs
First: Validity of arbitrators: Whereas, the validity of arbitrators is one of the necessary conditions for structure tests and measures and honesty indicates the extent of measuring the paragraphs of the phenomenon to be measured, and that the best way to measure honesty is the apparent honesty, Which is to present the paragraphs of the scale to a group of experts to judge its , It was achieved ostensibly, validity the scale by presenting the paragraphs to a group of arbitrators who specialize in accounting, all observations made by the arbitrators have been taken into consideration. The results have shown in Table 1: that the value of the correlation coefficient between the total questionnaire and the axis (The internal audit effectively manages its activities related to risk management and adds value to the department's business) is equal to (0.960), and between the total questionnaire and the axis (Develop and document the goals and scope of internal audit tasks to assess and identify risks and communicate reports of their work results) equal to (0.972), the values of the statistical significance were statistically significant at the level of significance 0.05, where the values of statistical significance were all less than (0.05). Stability, which is consistency in the scale results, as it gives the same results after applying it twice in two different times to the same individuals. Stability was calculated using the alpha-Cronbach coefficient method, as the alpha-coefficient is a good estimate in most situations, where this method depends on the consistency of the individual's performance from one paragraph to another, and that the value of the alpha coefficient of stability is acceptable if it is (0.6) and less than that is low. Moreover, to extract stability according to this method, (33) questionnaires were used. The value of the alpha coefficient of stability of the axis "The internal audit effectively manages its activities related to risk management and adds value to the department's business" was (0,822). However, for the axis "Develop and document the goals and scope of internal audit tasks to assess and identify risks and communicate reports of their work results" (0.862), and the stability factor for the total questionnaire reached was (0.918). Thus it can be said that these results are of good significance, it can be relied upon to reach the results of this paper.  in addition, with regard to scientific specialization, it was found that the majority of the sample individuals, with a percentage of 63.6%, are specialists in accounting and (7) of them 21.2% are specialists in administrative and financial sciences, while (5) of the sample individuals and a percentage of 15.2% they had other specializations, and this indicates that the scientific specializations mentioned are in direct contact with the subject of the internal audit. As for the years of experience, this paper found that (4) of the respondents in a percentage of 12.1%, had less than 5 years of experience, also (11) of respondents in a percentage of 33.3%. Their experience ranged from 5 to 10 years, while (6) of respondents and their percentage 18.2% had experience 11 to 15 years. Moreover, (12) respondents 36.4% had experience of more than 15 years, and this gives a positive indication on the high confidence in the data collected, the majority of respondents are from the wide experience category more than 15 years. Furthermore, the majority of the respondents with a percentage of 63.6% were auditors, (6) of them and 18.2% were Director of the internal audit department, and one respondent was head of internal audit department, and (5) of respondents with 15.2% were the unit head, internal audit department. Second: Hypothesis Testing The first sub hypothesis: Internal audits manage their activities in relation to managing risks effectively and adding value for the work of the management. The results indicated that the degree of agreement was high on 4 paragraphs of the axis, and 3 paragraphs the degree of agreement was medium, as it was found that the average response to the total axis is equal to 3.42, it is greater than the mean of measurement (3), and that the differences are equal to 0.004. To determine the significance of these differences, the value of the statistical significance of the test is 0.004 and is less than 0.05, this indicates that the internal audit is managing its activities in relation to managing risks effectively and in a manner that adds value to the department's business, so the first sub-hypothesis is accepted. Second sub-hypothesis: developing and documenting the objectives and scope of the internal audit tasks to evaluate and identify risks and communicate reports of the results of its work. The results showed that the degree of agreement was high on 3 paragraphs of the axis, and the degree of approval was medium on 4 paragraphs, and low on one of the paragraphs of this axis, it was also found that the average response to the total axis is 3.42, which is greater than the mean of measurement (3) and that the differences are 0.42, and to determine the significance of these differences, the value of the statistical significance of the test is 0.011 which is less than 0.05 and indicates the significance of the differences, and this indicates that developing and documenting the objectives and scope of the internal audit tasks to evaluate and identify risks and communicate reports of the results of its work were high, thus accepting the second sub-hypothesis. The main hypothesis: The internal audit of Libyan universities contributes to managing risks effectively and efficiently. To determine the level of the contribution of the internal audit in risk management, the results showed that the average response to the total contribution of the internal audit in risk management is equal to 3.42 which is greater than the average measurement (3), and that the differences are equal to 0.42, and to determine the significance of this differences, the value of the statistical significance of the test is equal to 0.006 which is less than 0.05 and indicates the significance of the differences. Therefore the level of the contribution of internal audit in risk management was high, so the main hypothesis: The internal audit of Libyan universities contributes to managing risks effectively and efficiently. has been accepted.

Contribution
The scientific contribution comes through focusing on studying the role of internal auditing in the public sector for several considerations that can be summarized as follows: i. The low efficiency and effectiveness of the internal audit department in Libyan institutions of all kinds, whether governmental or public. Therefore the matter needs to know the nature of the roles assumed by these departments, and to identify deficiencies and try to avoid them, in order to advance the internal audit function in the Libyan state, in order to raise the level of its efficiency and effectiveness, especially in facing all the risks that the organization may be exposed to. ii. Evaluating the role of internal audit in Libyan public institutions in light of recent trends in internal auditing, whether in terms of concept or professional and behavioral standards. These constitute the general framework that governs the practical application of the internal audit function.
This is in addition to other considerations accompanying the public sector in the Libyan state, the most important of which are: i. The public sector in the Libyan state drains most of the state budget, whether in the local currency or foreign currency. ii. The public sector swelled both in terms of the number of workers in the public sector or in terms of the amount of resources spent on this sector, where the state expenditures on the salaries of public sector employees in the budget for the fiscal year 2019 reached about 20 billion dinars, equivalent to 50% of the state's general budget. iii. The low services provided by this sector, and if any, they are not at the required level. iv. Increased financial and managerial corruption in the Libyan state. This requires that the internal audit function in the public sector be subject to study and evaluation.

Conclusion
This paper found that the internal audit effectively manages its activities in relation to risk management and adds value to the department's work, as the average response value was (3.42) according to the Likert Scale, In the opinion of the researchers, this is due to taking into consideration the directives of senior management when identifying risks, and to taking into consideration the benefit of implementing strategic tasks in improving the risk management process. In addition, the internal auditors have sufficient knowledge and awareness of the nature and quality of risks surrounding management, as well as their experience, scientific ability and skills in identifying and assessing the types of risks that threaten the conduct of operations in management. This finding is consistent with what Alexandra (2012); Maria & Costa (2014); Vijayalcumar (2012) agreed that internal auditing can play important roles in the field of risk reduction, fraud prevention and assisting management in achieving its goals. Moreover, the level of development and documentation of the objectives and scope of internal audit tasks to assess and identify risks and communicate reports of the results of its work was high, as the average response value reached (3.42), due to taking into consideration the opportunities available for significant improvements in the risk management process. In addition to the internal audit evaluating the effectiveness and efficiency of risk management, as well as supporting them to the management objectives and tasks in facing the surrounding risks. Griffths pointed out that internal audit based on risks is a systematic and structured process, and Attch (2011) emphasized the breadth of the internal audit work and the multiplicity of its objectives in the context of its trend towards adopting risk-based audit. However, the internal audit in the Libyan universities contributes to effective and efficient risk management, as the average response value reached (3.42) according to the Likert Scale, and this is due to the internal audit managing its activities in terms of managing risks effectively and adding value to the management's work. as well, to developing and documenting objectives and scope of internal audit tasks to assess and identify risks, and it is a trend prevalent in many universities in the world. As Hafizah (2017) confirmed that all Malaysian public universities have an internal audit unit, and two-thirds of the participants participate in assessing the effectiveness of the risk management process. Similarly, Agumas (2015) indicated that there is a role for risk management in the internal audit function in the public sector, and this role is positively linked to compliance with professional audit standards, unrestricted access to data and information, and support to senior management. In light of the results reached, this paper recommends the need to support the internal audit offices and departments in the sector institutions, especially the higher education institutions financially and morally, and to push them towards adopting work guides, plans and technical programs for internal audit on the basis of risks. In addition, the trend is towards developing awareness among those in charge of managing the public sector institutions of internal and external risks that could affect the operations of these institutions, and paying attention to setting standards, means and programs to define, measure and evaluate risks, and developing appropriate mechanisms to develop these standards in a manner that is appropriate for all activities State public institutions. Moreover, this paper also recommended increasing the degree of eagerness to assess the sources of risk related to governance, operations and information systems, with the need to verify the risks related to the extent of compliance with laws, regulations, policies, procedures and contracts, as one of the most important sources of substantial risks related to fraud and financial and administrative corruption in the organization.