Internal Audit Independence
Let's discuss: is Internal Audit independence a real thing in non-regulated industries? My IA colleagues are not going to like it, but my answer is NO π
ββοΈ. Consider the following (real) scenarios:
1. The company hires a Head of IA, reporting to the Controller. The Head of IA has 5 years of experience after college.
2. The company replaces the CAE and/or the entire IA function every three or so years. The CFO convinces the Audit Committee that it is in the companyβs best interest each time.
3. The company is required to have an IA function. They hire an outsourcer who reports directly to the CFO, who gives them a limited budget.
In scenario 1, will the CAE have the gravitas and support to be able to stand up against the C-suite regarding audit findings and reports?
In scenario 2, it seems unlikely that none of these audit leaders could provide value and effective risk mitigation. Three years is about when a CAE starts to really understand the issues. Coincidence?
In scenario 3, how can a fully outsourced function be independent when they lack the budget to perform proper audits and have to keep the CFO "happy" or risk losing the engagement?
Although the IIA has the Standards, management is not reading them; in non-regulated industries, they are just suggestions. At the end of the day, Internal Audit can be whatever the organization wants it to be. Without quality requirements, management only needs to check the box and say, "Yup! We have Internal Audit".
Then, when issues come up, everyone asks: βWhere were the auditors?!β
If you have thoughts, message me on LinkedIn and let me know!
