Independence-The Great Myth

Independence is one of the cornerstone principles of an audit department. It is also one of the biggest excuses used by audit departments to avoid adding value.

Almost all audit departments point to their independence as one of the keys to their success. It is what they reference as the reason that the audit committee can rely on them. But what is independence really? According to Webster's Universal College Dictionary, independence is "the quality or state of being independent." Since this is not very helpful, let's look at the word independent, which Webster describes as "not influenced or controlled by others; thinking or acting for oneself." This definition very much fits with the concept that's flaunted by most audit departments. Since they, at least partially, report to the chairman of the audit committee, they feel that they are therefore not influenced or controlled by others. But let's examine this a little closer.

Yes, the audit department does indeed report to a member of the board of directors. However, in almost every company, the audit director also reports to the company's CFO or CEO (Figure 1-1). In most cases, the budget for the audit department is controlled by this executive, and more important, so is the compensation of the members of the audit department. It is hard to see how a person can feel that he or she is not being influenced by these individuals. In addition, the internal auditors generally work in the same building as their fellow employees, inevitably forming relationships outside the audit department. The auditors have 401k plans just like all other employees, usually consisting largely of company stock. Therefore, the success of the company is of prime interest to the auditors.

image from book
Figure 1-1: Audit committee board of directors


The bottom line is this: You work for the company and report to its management; therefore, you are not independent.

More important, as will be discussed later in this chapter, the most successful audit departments will have at least some people who have rotated into the department from other areas in the company and/or plan to rotate out of the audit department and into another area of the company at some point. You can talk all you want about independence, but these auditors know that if they tick off a lot of people, they're going to have a tough time finding another job in the company. If an IT auditor plans to move into the IT organization, it's probably best if the chief information officer (CIO) doesn't think that he or she is an arrogant, know-nothing idiot.

It therefore seems apparent that internal audit departments are not truly independent. However, the core concept behind the independent auditor idea is valid and very important. An auditor must not feel undue pressure to bury issues and must feel that he or she has the avenues necessary to "do the right thing." This is where the relationship with the board of directors comes into play. On those rare occasions when company management truly refuses to do the right thing, the audit department must have the ability to go to the board with some expectation of protection from management's wrath. However, this should be a tool used only as a last resort because ultimately it is not healthy if the auditors constantly have to go over management's head.

It seems that objective is perhaps a more appropriate word to describe an internal auditor than independent. Webster says that someone who is objective is "not influenced by personal feelings or prejudice; unbiased." Although the internal auditor, by definition, is not really independent, it is fair to expect him or her to be objective. If the right sorts of auditors are hired, they will have the ability and willingness to put their personal feelings aside during an audit and view things in an unbiased fashion.

In order to maximize their effectiveness, internal auditors should capitalize on their lack of independence. In other words, instead of doing their best to sit in an ivory tower and pretend that they're not part of things, they should leverage their knowledge of the business. No external audit firm can bring the depth of knowledge of the company's operations to bear during audits that a properly constructed internal audit group can. If you refuse to be a part of what's going on in the company, and if you refuse to hire auditors with prior knowledge of the company's business and operations, all you're doing is making it easy to be outsourced.


You need to show the board and senior management that they could never hire an outside firm that would have the knowledge of and relationships within the company that you do. You need to show them that having your group of employees as their internal auditors is a competitive advantage for the company. Otherwise, you're just a bottomline cost, and if your management can perform the function for a lower cost with another provider, that is what they'll do.

IT Auditing. Using Controls to Protect Information Assets
It Auditing: Using Controls to Protect Information Assets [IT AUDITING -OS N/D]
Year: 2004
Pages: 159 © 2008-2017.
If you may any questions please contact us: