What does Independence as an Internal Auditor really mean?
The IIA definition positions internal auditing as an “independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” According to Rainer Lenz, Head of Corporate Audit at Villeroy & Boch, independence in internal audit is perhaps one of those ideas that works better in theory than in practice; it poses a challenge in its expectation of the internal auditor to be both “watchdog and consultant”.
Lenz draws attention to what commentators often refer to as the internal auditor’s ‘role dilemma’ and ‘role confusion’, noting the difficulties of internal auditors in striking a balance between being independent from operations while at the same time providing added value and benefit to operations. “Some view internal audit as a schizophrenic function,” he says; “on the one hand it needs to be completely integrated and knowledgeable and on the other hand, it requires a measure of independence from all auditors.” As a result, Lenz ascribes “a built-in cognitive disconnect” to the very purpose of internal audit.
Acknowledging this fundamental inconsistency in the very nature of internal audit within the wider business sphere, which indicates that those at the head of the business food chain are somewhat frustrated with internal audit’s inability to properly define its own role; Lenz notes “there is no congruence between what the board wants, what the audit committee wants and what senior management wants.” Thus internal audit are forever faced with the impossible task of pleasing everybody with no real sense of who to please first, particularly when each party expects something different. Lenz refers again to the IIA, who acknowledge that there may be conflicts when internal audit tries to “serve two masters” and understandably this “who’s your boss?” issue can present problems in terms of allegiances, independence, and effectiveness.
This in turn raises the need for filtering independence from the head down, with most CEOs advocating a free speech approach with their Chief Audit Executives (CAEs) enabling them to work under the understanding that he or she should feel free to voice their opinion, regardless of potentially controversial scenarios. This, Lenz notes, “draws particular attention to the importance of the CAE’s characteristics, which is possibly more important than the debate around the general independence of internal audit.”
One could argue that for internal auditors to do their jobs successfully, this requires full independence from senior management in order that the board is able to rely on their internal audit department for the necessary assurance in relation to internal controls, risk prevention and so on. “Otherwise,” says Lenz, “the risk is that internal audit’s reports to the board and audit committee will be filtered by senior management in such a way that only what is palatable to senior management is communicated.”
If internal audit is to retain its necessary independence in practice, it must take the time to invest in its relationships with the board, audit committee, key business stakeholders and senior management, sustaining a steady and robust dialogue with each party in order to perpetuate its own functional success.