Articles Logan Wamsley Jul 22, 2024
Government internal auditors can state their independence ahead of an engagement, while audit functions can establish controls to prevent bias and conflicts of interest.
Objectivity and independence are foundational for internal auditors — so much so the new Global Internal Audit Standards dedicate a section to them. Yet, these characteristics also can cause the most confusion at least from the perspective of someone just learning about internal auditing. How can an internal auditor be independent and objective when the individual is employed by the organization he or she is auditing?
In the public sector, the conversation can become even more complex. In addition to serving the organization, internal audit also may be legally required to be accountable and transparent to the public, expanding the pool of stakeholders who could potentially influence the perspective of auditors.
Additionally, public sector internal auditors also may adhere to laws, regulations, and standards that do not apply to private sector auditors and could impair their ability to conform to the Standards. In the U.S., for example, the Government Auditing Standards and American Institute of Certified Public Accountants define independence and objectivity in subtly different ways than The IIA’s Standards.
“The new Standards separate objectivity and independence,” says Harriet Richardson, former inspector general of the Bay Area Rapid Transit District in Oakland, Calif. “When you’re using the government standards, they make objectivity an element of independence, but the Standards separate them.”
Richardson notes that in the Standards, objectivity is about eliminating any biases, while independence is about conflicts of interest. “Can you be objective and be influenced by what you’re auditing — your outcomes?” she explains. “Do you have any preconceived ideas about what the outcome should be when you go into an engagement?”
With independence being more nuanced in the Standards, the larger question becomes how internal auditors can be independent — and therefore objective — when it is inherently a stakeholder of the governmental organization it operates within. Would that be a conflict of interest?
Internal audit can overcome the independence challenge in a few key ways. The most common first step is for internal auditors to sign a statement of independence attesting that they do not have any conflicts. “There are two types,” Richardson explains. “One is an annual statement, while the other is issued for each engagement.”
In addition to individual auditor independence, the internal audit function should be independent from an organizational governance standpoint, Richardson notes. “There is a requirement in the new Standards for the CAE to confirm to the board or governing body annually that the audit function is independently placed,” she explains, “meaning the audit function is placed in a way that provides it the independence to do its work without pressures from others.” This is where audit leaders must have a strong reporting relationship with the governing body, she adds.
Indeed, unclear governance structures often can hinder objectivity significantly. For example, in some audit functions, the CAE may report to the chief financial officer. If the audit function reviews financial-related topics, there could be a conflict of interest — another reason for a direct reporting line to the governing body.
“One of the things that makes the public sector so unique is the many different reporting lines,” says Mark Maraccini, an Austin, Texas-based public sector internal audit lead partner at Crowe. “With so many structures, it can lead to confusion about independence. That makes it even more critical for internal audit functions to have documented roles and authority and to have reporting lines that circumvent management and ideally go directly to those charged with governance.”
While internal auditors can clearly attest to their independence, objectivity is more abstract. Auditors typically do not provide a separate statement of objectivity. However, Richardson says auditors can address objectivity in the statement of independence by listing any personal relationships, ideas, or opinions that could limit their ability to perform an engagement.
“With objectivity, it ultimately comes down to your internal audit methodologies,” Richardson explains. “Each auditor has an obligation to report any potential conflicts of interest to the CAE, and then the CAE has a requirement to report to the governing body and management. From there, the governing body can resolve any potential conflicts before initiating the engagement.”
Often, unconscious bias can interfere with objectivity; therefore, auditors should consider all aspects of an engagement to determine their own objectivity. For example, even something as subtle as previous advisory work for a client can influence a future assurance engagement. “If the client is doing something a certain way and it’s not working, you might be reluctant to report that it’s not working when it’s based on your own recommendations,” Richardson says.
In situations where an auditor previously provided advice to a client, internal audit should assign a different auditor to perform an audit, Richardson says. If that is not possible, internal audit should have a policy that sets a time limit during which the same auditor cannot audit an area for which he or she had consulted. According to the Standards, the minimum should be 12 months, although that can be increased should it be warranted.
“There is always going to be some judgment involved,” Maraccini says. “A subsequent audit on the same subject matter where one provided advisory services doesn’t necessarily mean they should be restricted from doing that audit, but it should at least be something that should be looked at. That’s what makes controls and communication so key.”
Independence and objectivity, while specified in the Standards, cannot align with every standard that applies to public sector auditors. As a result, public sector audit functions may not be able to meet the independence requirement needed to conform to the letter of the Standards. However, internal audit does not have to fully conform with the Standards, provided it is aware of the discrepancy and has appropriate policies and controls in place to meet the intent of the standard and the overarching principle.
Indeed, the Standards address this directly for the public sector. It notes, “While some of these situations do not meet the independence requirements in the Global Internal Audit Standards, establishing an audit committee comprising public members, independent of management, safeguards independence and provides ongoing oversight, advice, and feedback.”
The bottom line is internal auditors in the public sector should not let perceived independence and objectivity challenges deter them from maximizing value for their organization. No strategy or safeguard will eliminate these concerns completely, but they should enable internal audit to perform its work effectively.
“Instead of concentrating on conforming to different definitions of independence and objectivity, just focus on having controls and processes in place to make sure that you can remain as independent and objective as possible,” Maraccini says.