
Independence Ain't Easy
Why Internal Audit independence is vital—but harder to balance in practice than most admit.
I hear a lot of conversations about Internal Audit independence. These are important conversations, because independence and objectivity are central to the value we provide.
But what I’m not hearing as much as I’d like are pragmatic acknowledgments of how incredibly hard it can be to exercise our independence.
Say you’re a CAE who’s outperforming in every way. You’re doing everything right, being a true partner to the business. But eventually, someone in management really doesn’t like something that it’s your mandate to communicate. Suddenly you’ve gone from trusted advisor to suspected adversary.
Getting through it can feel like a nearly impossible balancing act.
It can also BE an impossible balancing act. We all know stories of Internal Audit leaders who’ve been fired or pushed out in these situations.
If an Internal Auditor gets a reputation for not being a team player — for being “too independent” — it can make continuing in the job unsustainable.
That’s why today’s newsletter aims to contribute to a less theoretical, more pragmatic conversation about independence. Because theoretical discussions often make it sound like every Internal Auditor always has a straightforward path to maintaining their independence.
Modern Internal Auditors are asked to do more than ever before. To be effective in carrying out their expanded mandate, they’re striving to become trusted advisors and business partners. But they have to do it while upholding their mandate to be independent. Balancing those two objectives can be tricky — and in some situations, downright awful. It’s worth saying that out loud, and talking practically about ways to manage it.
Yes, The Institute of Internal Auditors’ Global Internal Audit Standards clearly outline the purpose, reporting lines, and escalation procedures that can help CAEs carry out their independence responsibilities. But the balancing act is more complicated than any standard can fully acknowledge.
So let’s get practical. What’s going on in these situations? More importantly, what can we do about it?
My Own Untenable Balancing Act
I’ll be candid. As a young, ambitious CAE, I couldn’t do it. I didn’t have the experience or political acumen to manage the balancing act.
Just under three years into my first CAE role, I’d built a good reputation for focusing on meaty, risk-based audit projects that helped the business improve.
At the time, my company was constructing a massive new building in one of its international locations. So I suggested considering an audit of the expenses flowing through the project. My suggestion was based solely on the fact that construction projects are widely known as fraud hotbeds. The CFO thought it was a good idea, and the audit committee didn’t have an opinion. I got the green light.
We found systemic, ongoing fraud committed by a contractor involved with managing the project. While it wasn’t material from a solely financial perspective, it was significant given the local exchange rate and the fact that it concerned someone directly managing the project.
However, when I shared the fraud findings with the two executives overseeing the project, I received significant pushback.
They didn’t want it mentioned in the audit report, and they didn’t want me to make a big deal about it. The underlying messages were, “This happens all the time” and “You’re going to eff up everything.”
To be clear, the executives who were pushing back weren’t implicated in the fraud. But they were senior leaders who’d been with the organization for decades, they weren’t going anywhere — and they weren’t budging, no matter what I said.
However, management had agreed to the fraud audit, we’d found fraud, and I had to report it.
I shared the information with the team, which took appropriate actions to resolve the fraud. The contractor was fired. The executives were reprimanded. The audit committee told the CFO they didn’t want it to happen again.
Another result, however, was that my overall reputation in the business was hampered.
The report was ultimately shared with the company’s other senior executives. And it changed the entire dynamic of my team within the organization, making it much harder for us to have a positive impact.
The two executives who’d pushed back would only work with us when they had to, and they never gave more information than what was explicitly asked for. Plus, because of all the hearsay about the project, our experience working with other teams wasn’t as positive. More teams kept us at arm’s length.
I did talk to the audit committee about it. They said they’d mention it to the CFO. They told me to keep doing what I was doing.
But think about it. When kids fight and you make them apologize and keep playing together, they only do it begrudgingly. It often doesn’t fix anything. They probably won’t want to play together again.
You can have the best plans in the world. You can carry out your role the right way. But you can still end up in a position where you can’t help the business in the ways you want, because you are deemed “too independent.”
I’ve also seen too many instances where CAEs raise issues like the one I did and lose their roles as a direct or indirect result. Those aren’t my stories to tell, but they all illustrate the same truth: Sometimes, you can’t find your way back from these situations. You just have to find a different job.
So, what can CAEs do to keep independence from isolating them from the business? I obviously don’t have all the answers. But here’s a place to start.
Strategies for Balancing Internal Audit Independence
1. Approach Sensitive Projects With Care
When you identify potentially sensitive audit projects (e.g., fraud, T&E, executive compensation, senior management expenses, whistleblower claims, conflict of interest), you may want to consider:
- Enlisting external resources to lead the project. That could mean outsourcing, co-sourcing, or bringing in an external SME. You’ll still have to provide oversight and assist with project management, but you won’t be the ultimate arbiter in the investigation. If management and/or the audit committee see projects as important — and if you help them understand the risk of such sensitive projects putting your team in a negative light — they may be willing to invest.
- Automating key processes with analytics. For example, if you’re required to do an annual T&E audit, work like heck to create analytics that review those processes in an automated fashion. Then, evangelize the automated process so stakeholders understand how it works. The increased awareness may help prevent future issues, and when analytics do turn up something questionable, it’s easier for stakeholders to understand why they’ve been called to account. The automated process becomes a check that the whole organization has visibility on. The data does the talking, shifting blame and focus away from the Internal Audit team.
- Pushing back on the audit project. In exceptional circumstances, it may be worth the CAE pushing back on whether the project needs to be completed by Internal Audit, or whether it could be done by an outside party. Ultimately it’s not your call. But if you assess that the risk in the area being proposed for audit doesn’t warrant the risk the audit project itself poses to Internal Audit’s reputation/ability to collaborate, it’s worth sharing that perspective.
2. Be Proactive in Discussing/Defining the CAE’s Role
From day one, be proactive in helping audit customers understand your role and how you’ll approach it.
Your overall message is that you want to be a partner to the business: their go-to person for understanding how they’re managing risk, how they can improve processes or controls, and so on. Set the expectation that you’ll typically be able to work together in a spirit of continuous improvement, and report together on plans, progress, and issues.
But a key secondary message is to set the expectation that on potentially sensitive projects, you may have to operate independently. Make sure they’re clear on the CAE’s mandate to (as the Standards require):
- Remain “independently positioned with direct accountability to the board” and “free from undue influence and committed to making objective assessments” (Purpose).
- “Communicate unacceptable levels of risk” to senior management, including the requirement to escalate the matter to the board if you assess that management hasn’t resolved it (11.5).
Then, outline and agree on the process you’ll use to handle any matters that Internal Audit and management may not align on. That process should align with the methodology for communicating risk concerns that Internal Audit and the board have agreed on.
Admittedly, this approach is a bit like putting a bandaid on a potential knife wound. But it’s something.
3. Enlist Support From Management and/or the Audit Committee
Who requested the audit project (e.g., CEO, CFO, AC Chair)? Ask them to be proactive in communicating their support of Internal Audit’s work on the project.
You’re essentially asking them to be more vocal, highlighting their role and backing for the work and positioning Internal Audit as their appointed champions. The idea is that they’ll convey to stakeholders, hey, I asked for this, and I’d like you to treat Internal Audit as an extension of me.
Yes, you’re asking them to go out on a limb for you. But it’s their job to own risk. That should extend to owning the risks of auditing the risks.
The Reality: Independence Ain’t Easy
Even if you do all of the above, you can still end up in a very difficult position. That’s what makes the CAE role unlike any other position in Internal Audit.
We have to carry around a very large independence stick — while maintaining stakeholders’ trust that we’ll only use it carefully and sparingly.