Independence of Internal Auditors- An Oxymoron

The corporate laws and guidelines of various countries and the Institute of Internal Auditors mandate independence of internal auditors. I wonder is this something really feasible when the Internal Audit Department and Chief Audit Executive (CAE) are part of the organization. The questions which come up are:

  1. Do we really expect the board and C-suite executives to give a pat on the back of internal auditors for a job well done? Is the expectation from CXO’s to judge fairly and impartially correct,  when reports are submitted with strong criticism on the business operations and ethics. In such a scenario do we envisage the internal auditor  losing his/her job or getting promotions and increments ?
  2. Do we assume that all organization cultures are constructive and there will be no retaliation against the internal audit staff for finding critical gaps in which the operation teams face flak and  political wars ensue because of it, and some may end up losing their jobs? On issuing strong reports, the political survival of the internal audit teams could be in jeopardy if the organization has a destructive organization culture.  Hence, the probability is high, that the internal audit teams are only going to issue comfortable reports to safeguard their positions.
  3. In a few companies the Head of Internal Audit reports to the Chief Financial Officer. Here, how can we expect the internal audit team to report financial frauds in which the Chief Financial Officer maybe an accomplice?
  4. The relationships between the Audit Committee and CAE are not strong enough in most cases. In few situations the Audit Committee does not have political power to protect the CAE if he/she upsets the board by issuing candid reports. The percentage of CAEs who were terminated after issuing a critical report is significant. The informal feedback organizations provide regarding the terminated CAE is that “these guys are trouble makers, don’t play ball”. Hence the CAE’s  have a tough time getting another job.

The 2010 KPMG report on “Highlights of the 6th Annual Audit Committee Issues Conference”  shows two points of interest:

  1. 27% of the boards encourage contrarian views and discourage group think. 64% do it somewhat, and 9%  do not do it at all. That is, 73% of the time the Chief Audit Executive maybe at risk for holding a contrary view to the board.
  2. 48% reported that the biggest hindrance to improving governance was the ability/ willingness to challenge management .

 In the report of Crowe Horwath November 2009 – Avoiding the Black Swan: Barriers to Improving Risk Management – 36% of the CFO’s reported that the barrier to risk management is perception of risk management as an unnecessary interference with business activities and 24% stated organizational resistance. However, only 5% stated lack of independence as a barrier. Are we ignoring the relationship between perception and resistance to risk management with the independence issue?

 In such a scenario can we reasonably expect the internal auditor to risk professional death to maintain his/her independence? In the recent financial crises the role of internal auditors was not even significantly questioned. They ideally should have been able to highlight the fallacies of the deals and the extensive mortgage risks taken by the operations team. Is this a subtle acceptance by the legal board that internal auditors do not have the political position to question the real operational and financial risks being undertaken by the organization? The irony is that the internal auditors are in the best position to highlight these risks, but they are only kept as “yes men”.

To protect the economy from further corporate disasters, we really need to give more political power to the internal auditors. The question comes up how to we ensure independence of internal auditors in spirit and culture and not just on paper.

Please share your thoughts on the subject.

11 comments on “Independence of Internal Auditors- An Oxymoron

  1. I suggest

    1) Audit Committe should be given more political power and CAE should be reporting to Audit Committe.
    2) I don’t think Internal Auditors require more political power, recommendations can be given by auditors but final decisions should lie in hand of managment.
    3) Auditors are providing reasonable assurance after reviwing sample of transactions. High political powers to auditors may create unnecassary tension and raodblocks in day to day fuctioning of management.

    • Hi Hardeep,

      Interesting viewpoint. So you believe that if internal auditors have more power they will end up in a way abusing their power. The torch bearers of ensuring ethics may not be considered reliable for using their positions effectively to safeguard the interests of the organization.

      I agree with your point that Audit Committees should be given more power and be more participatory in managing the risks of the organization. However, they generally have a 10,000 ft view of the risk management of the organization, and it is the internal auditors who understand the ground realities. So how does one bring about a balance in the two.

      The recommendations definitely need management buy in for implementation. In your opinion what should the internal auditor do when the recommendation is right from the risk management perspective ( the mortgage risks resulting in financial crises) however, management prefers making high risk deals.

      Would appreciate your thoughts on it.

      Kind regards,


  2. Internal auditing is career suicide. I was terminated last week after two years of providing information regarding indicating financial statement fraud and salary disparity. I used the audit programs provided by the international not for profit and I provided detailed workpapers to substantiate my findings.

    I will never work as an internal auditor again! Reporting fraud to those who are committing the fraud and who hold your economic future in their hands is senseless. Those above ALWAYS get rid of the crook AND the auditor.

    • Hi Donna,

      Sad to hear about what happened to you. Yes, in the present environment there are quite a few risks being an internal auditor/ financial statement auditor or a CFO. The frauds are occuring, the management is powerful and the person/s who bring something to light might or object to the situation can be sacrificied. That is reality.

      It is something like bike racing, one knows that accidents can happen but if you love it, you take the risks. If you don’t then some other profession is better.

      Hope things work out for you.

      Kind regards,


  3. Hi Sonia,

    If an auditor has detect a fraud in a company, but then the audit firm will not tolerate dissent with the company’s issue and the auditor has concerned that he will lose his job if he start to rock the boat, then what should he do?

  4. Linda,

    If you are speaking from an external auditor viewpoint, then the situation is not that bad. If you are part of the audit staff and have conducted the audit properly wh’ich has resulted in fraud detection, then your job responsibility is to write the observations in the audit report. The auditing firm senior management is required to discuss the same with the company’s dorganization. If they do nothing, then from a professional viewpoint you can’t supersede your bosses and still stay in the firm.

    So basically this is a moral dilemma which you will need to think over.
    1) You can stay with the auditing firm and ignore the fraud in client organization
    2) You can leave the audit firm since it does not practice ethical principles and ignore the fraud of the client
    3) You can leave the audit firm and whistleblow regarding the fraud at the client and regarding the unethical practices at the audit firm.

    What maybe ethical may also be very difficult to execute. So you need to think through carefully before you take any further steps.

    Kind regards,


  5. Pingback: The Problem with Questionnaires on GRC Departments’ Functioning « Sonia Jaspal's RiskBoard

  6. Pingback: Images of a Chief Risk Officer « Sonia Jaspal's RiskBoard

  7. Pingback: Corporate Governance in Private Limited Companies « Sonia Jaspal's RiskBoard

  8. Pingback: When Code of Conduct Fails « Sonia Jaspal's RiskBoard

Comments are closed.