Internal Audit and GRC: Challenges to Alignment

Blog Post created by PatrickP Employee on Sep 18, 2013

Internal Audit is one of many organizational groups whose mission is to assess risks, evaluate controls, raise findings and improve processes.  Similar groups include Enterprise Risk Management, Security, Compliance and others. With some common objectives and not-so-common approaches, there is value in aligning methodologies, resources and results.  However, Internal Audit needs to maintain a certain level of independence, so how does Internal Audit align with these groups while maintaining its independence?

Internal Auditors have an essential need for independence.  It’s a requirement for the profession.  The Institute of Internal Auditors (IIA) Code of Ethics states, “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations”.   One of the Code’s principles on objectivity states “Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.”  This independence begins at the highest levels in the chief audit executive’s reporting relationship to the organization’s board of directors and filters down.


Alongside the need for independence is a competing priority for IA to be a “partner” with management. As directed by IIA standards, IA reports to the board of directors and senior management. Contrast that with the Code of Ethics quoted earlier: “Internal auditing is an independent, objective assurance and consulting activity…” The challenge for IA groups is how to strike the right balance between independence and partnership.

The formalization of Governance, Risk and Compliance (GRC) as an operating framework has begun to force the discussion of IA and other oversight functions working together toward common goals, and has increased the opportunities for IA to partner with management. The question for IA is how closely to align its approaches, thresholds, and decision criteria with those of others. The “right balance” is a relative term that depends on the organization and industry, its place on the maturity spectrum, regulatory issues, management priorities, and many other factors. IA must continue to strike a balance between independence and partnership.

IA and enterprise GRC programs should look to remove as many boundaries between them as possible. However, IA must decide where boundaries should remain so that it can maintain an appropriate level of independence. As the organization proceeds down the path of alignment and moves up the spectrum of group development, the growing pains of alignment will turn into realizable benefits.