The Standard states:

The internal audit activity must be independent, and internal auditors must be objective in performing their work.

In practice what processes should the Chief Internal Auditor (CIA) have in place to reasonably ensure and demonstrate that threats to the team’s independence are suitably managed and its work undertaken with suitable objectivity? The following are some ideas:

  • Ensure that internal audit is suitably positioned within the organisational hierarchy; with direct functional responsibility to the Board and administrative reporting line, ideally, to the Chief Executive or other Executive team member which instils and promotes the audit team’s ability to perform their duties without hinderance.
  • Reflecting responsibility to Board; the Board itself should be engaged in the recruitment, selection, performance development review, remuneration and removal of the CIA.
  • Establish and formalise the terms of reference for internal audit, through the development of the Internal Audit Charter; including purpose, positioning, responsibilities and authorities. The Charter should be presented to Board (or typically delegated to Audit Committee) and approved at least annually.
  • The CIA should have the ability to make direct contact with the Chair of the Board (or Audit Committee); through the sharing of direct contact details.
  • The CIA should not have any other current management responsibilities within the organisation; consideration should also be given to whether any recent past responsibility may pose a threat to objectivity due to conflict, familiarity, bias or influence.
  • Ensure that Audit Committee Terms of Reference include clear responsibilities and delegated powers in respect of audit, risk and assurance back to Board.
  • Ensure that agendas, reports and minutes suitably capture core internal audit activities, scrutiny of assurance and performance, recommendations regarding strategic direction of travel, decisions approved and actions to be taken.
  • The CIA should routinely communicate and interact directly with Board via the Audit Committee; through attendance for the duration of meetings to discuss internal audit outputs and performance, and provide contribution to the wider discussion and risk environment.
  • The organisation’s Internal Audit Charter, Internal Audit Strategy, audit plans, resource need and budgets should be considered and approved by the Audit Committee.
  • There should be ‘in camera’ (without management presence) sessions between the Audit Committee and the CIA at least annually; ideally these sessions should be prior to any formal meeting.
  • More frequent, less formal communication should be promoted between the CIA and Chair of Audit Committee; including diarised phone calls or catch up meetings.
  • Establish overarching internal audit policies and procedures typically in the form of an Internal Audit Manual (IAM) which details the organisation’s approach to internal audit, working practices and transparency arrangements.
  • Provide and evidence training for all team members; including induction, development and refresher sessions.
  • Require team members to routinely disclose any potential relationships or interests which could be perceived as impacting upon independence and objectivity; such declarations should be made at least annually and kept up to date.
  • Internal audit team members completing annual statements of good standing and fulfilling continuous professional development requirements.
  • The CIA should consider declarations of interest when allocating audit assignments to team members; where potential perceived conflicts may exist, suitable steps should be taken to ideally remove or at least minimise such risk. Steps could include re-allocation, enhanced supervision or out-sourcing.
  • Ensure that satisfaction and feedback processes provide balanced evaluation of audit practice and results; avoiding the potential for encouraging or fostering poor behaviour for example through linking satisfaction explicitly to reward.
  • The definition of internal audit itself recognises its consulting role; whilst this typically means that someone else retains responsibility for decision making, adoption and implementation, the CIA should be mindful of the potential or perceived potential to pose a threat to objectivity due to conflict, familiarity, bias or influence.

By following the above practical steps, the CIA should be well positioned to discharge and clearly demonstrate their responsibilities (and those of their team) have been undertaken with suitable independence and objectivity.

Be aware of perceived rather than simply actual conflicts at all stages of the audit process; from strategy, to resourcing, performance and reporting. As a rule, conducting your work with openness and transparency will stand you in good stead; if in doubt ask and discuss both internally and with your peers.

Core Evidence Demonstrating Compliance

  1. Organisational Chart
  2. Audit Committee Terms of Reference, Agendas, Papers & Minutes
  3. Internal Audit Policies & Procedures (Internal Audit Manual)
  4. Internal Audit Charter
  5. Declarations of Interest maintained for team members
  6. Continuous Professional Development (CPD) Records for team members

The CIA should ensure that robust arrangements are in place to capture, assess and minimise any potential (or perceived) threats to the team’s independence and objectivity. Records should be maintained, updated at least annually and supported by declarations from team members.  

Specific consideration of any potential threats could be worked into the assignment planning documentation, however, typically the ability to demonstrate that processes are in place to monitor potential threats will be sufficient to demonstrate compliance.