Audit Independence – The Standards
In the view of the Institute of Internal Auditors (IIA), internal auditors cannot be fully responsible for Enterprise Risk Management (ERM) because this would create a conflict of interest. Section 1100 of the IIA standards requires that: The internal audit activity must be independent, and internal auditors must be objective in performing their work. The supporters of strict independence, arguably the more traditional internal auditors, avoid involvement in management decision making so that they cannot be compromised and can therefore audit the results of those management decisions. These auditors are reluctant to become involved in risk management functions or indeed to become members of the top executive team. This attitude can drive the internal audit function down into an intermediate position in the organisational hierarchy, where, even if independent, the internal auditor becomes ineffective.
To overcome this problem, the auditing profession has created a set of rules regarding internal audit involvement in risk management (see IIA Position Statement, 2009). These rules are based on management retaining responsibility for ERM and internal audit providing underlying support and assurance. This aligns with the traditional role of internal auditors, to audit and attest to the internal control systems for which management is responsible.
The IIA standards, as supported by leading commentators, do allow internal audit into the risk management space, provided safeguards are adopted. The independence issue does however set up a barrier to the clean integration of internal audit and risk management.
Auditor Independence – The Reality
Delving into the concept of auditor independence in more detail exposes some cracks. Christopher, Leung and Sarens (2009) identified the tension that currently exists within internal audit functions regarding independence. The Christopher study identified three areas that impact on and subsequently raised questions over the value of audit independence:
1 Internal audit is a training ground for future managers
The Christopher study found that internal audit is a “training ground or jumping stone” for promising staff to move on to management positions. Can internal auditors raise reports against management, independently, when they are dependent on management for a career in a future operational role?
2 Internal audit budget and planning
The Christopher study found that in 30% of cases, either the CEO or CFO approved the internal audit budget. The study also found that in 64% of cases, the CEO and CFO had a strong influence on audit planning.
3 Partnership with management
The Christopher study indicated that 56% of internal audit functions perceived internal audit to be a partner to management. Christopher argued that: This culture may indirectly put additional pressure on internal audit to work with management to achieve a common goal rather than act as a separate independent body checking on them. In the author’s view the benefits of a collaborative, partnership approach outweigh the traditional independence view. The partnership approach sees auditors working with management as team members, to achieve a common goal. The partnership approach is at odds with the traditional views on independence and objectivity. The traditional role of internal audit was a backward looking model, directed towards assurance over compliance with policy and procedure. This policeman style of role reviewed past events, was non-strategic and was not seen as adding value by management: The contemporary partnership approach aligns with the IIA’s (GAIN, 2009) statement on the Global Financial Crisis: A shift in stakeholder expectations is requiring that internal auditors take on a more strategic role, with risk management activities taking precedence over other controls and compliance auditing. The modern internal auditor is trying to break free of that backward looking mould. Nowadays internal auditors see themselves as having a strategic focus, with a view to the future and with a breadth of audit coverage that adds value to the management team. They see themselves as valued consultants. Strict adherence to independence rules may be keeping CAEs away from the top team, forcing them lower down into the management structure and preventing internal auditors from being involved in key issues such as strategy and risk management. This situation will not be sustainable in the modern, rapidly evolving and mature organisation. To be accepted as a valued part of the contemporary organisation, the lead internal auditor needs to be on the executive team, needs to be a part of management decision making and needs to be both strategically focused and also forward thinking.
Modern mature organisations no longer look at internal audit as policemen / compliance function, but as a valued partner and advisor. The next logical step in this more mature world is for the audit and risk to combine as valued forward looking partners, helping identify opportunities, manage blockers and assist with controls.
CRO from an S&P / ASX 200 financial services company
Strict adherence to audit independence rules is still a barrier to integration.Studies have found that internal auditors, while seeking independence, often operate in an environment that compromises independence. Audit independence may be more of an illusion than reality. Strict audit independence may no longer suit the more mature, partnership model of internal audit / management interaction. If audit independence is a mythical illusion that no longer aligns with a modern business methodology, then audit independence should not be a barrier to the integration of internal audit and risk management.
- Christopher, J., Sarens, G., and Leung, P. (2009). A critical analysis of internal audit’s independence: Evidence from Australia, Accounting, Auditing and Accountability Journal, 22, 2, 200-220.
- Institute of Internal Auditors. (2009). A world in economic crisis: key themes for refocussing internal audit strategy. In Global Audit Information Network Series.
- Institute of Internal Auditors, Position Statement (2009). The role of internal audit in enterprise-wide risk management.
DR STEVEN HALLIDAY, CA is Chief Risk & Audit Officer at Tabreed in Abu Dhabi.