On the Frontlines: Watch Dog or Guide Dog?

This paradox is central to internal auditing today. On the one hand, internal audit is expected to deliver independent assurance to the stakeholders and the board of directors — stand watch and blow the whistle where governance, risk management, or controls are lacking. On the other hand, we are urged to assist management as trusted advisers — to assist, facilitate, and improve the organization.

Both positions bring value, but they do exist together uneasily.

The IIA Definition of Internal Auditing is straightforward:
"An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations…."

But in practice, the dual character of this mandate has the ability to produce uncomfortable gray areas:

• Internal auditors, as guardians, need to be professionally skeptical and independent of the agendas of management.
• Internal auditors are frequently requested to recommend on projects, serve on steering committees, or assist with control design — potentially compromising independence of mind.

The threat is sneaky but authentic: The more occupied internal auditors are in advisory or consulting activities, the more difficult it is afterward to genuinely provide objective advice on those same things. This mental gap is multiplied where expectations of the audit committees and top management depart. Generally, boards prioritize having a well-managed, self-governing internal audit function and anticipate it will act decisively and with openness.

Certain management groups, nevertheless, might welcome an internal audit function that is more "business friendly," advisory oriented, and less demanding — even an internal audit function that is willing to forgo proper resourcing or scope. With such scenarios, one of the greatest challenges for CAEs is achieving that delicate balancing act. Lacking proper boundaries and organizational maturity, internal audit is in danger of becoming toothless or overly friendly with the business.

To successfully navigate this dilemma, internal auditors need to be self-aware about their positioning by:

• Clarifying role expectations. The internal audit charter should clearly define the scope of consulting versus assurance services and the charter should be approved by the board and periodically reviewed.
• Creating rails. CAEs should adopt a disciplined approach to advisory engagements, ensuring no conflict arises with assurance responsibilities and documenting safeguards.
• Speaking openly. Internal auditors should regularly report to both the audit committee and senior management on how the function maintains its twin roles.
• Safeguarding objectivity. If objectivity is compromised, Standard 2.2 Safeguarding Objectivity states that, “The chief audit executive must establish methodologies to address impairments to objectivity.”

If the general environment routinely compromises the independence or value of the internal audit function — for instance, CEOs or senior management ignoring internal audit’s concerns over resourcing or information access limitations — the CAE will need to consider escalating through proper channels as outlined in the audit charter. In the event those avenues are exhausted, audit leaders will have to seriously consider whether they can continue to be effective in their current role.

This also raises pertinent questions.

• How do we shield CAEs from losing their jobs for simply maintaining audit integrity in immature control environments?
• While laws in several countries mandate having a financial expert on the audit committee, why is there nothing like the equivalent requirement for having an internal audit professional who has a deep understanding of the need for internal audit independence and governance?

Without these governing controls, organizations will risk eroding the transparency and accountability that the internal audit function is intended to promote.

A Call for Maturity and Positioning

Internal audit's capacity for balancing advisory and assurance duties will always be something of a paradox. The discipline cannot avoid it — and should not seek to do so. Internal audit needs both functions for organizational improvements and value protection.

But without conscious positioning, defined boundaries, and top-management support for true independence, internal audit will gradually forfeit credibility in both directions. As Dr. Lenz reminds us, we need to be on guard against the intellectual disconnect that our mandate creates — and discipline it with professionalism and governance maturity.

Ultimately, the integrity of the internal audit function relies as much on the courage of its leaders and the wisdom of its stakeholders as it does on technical standards.