There is discussion ongoing at the Belgian federal government level about the (minimal) independence requirements for internal auditors active the Belgian federal administrations. I want to weigh in with some thoughts on that. This article is partly based on a recent position paper by the IIA on independence and objectivity, which I found very clarifying.
A short history of internal audit in the Belgian federal government
Internal audits are not new to these administrations. They existed, some had active audit committees, but the Copernicus reform of the late ’90s and early ‘00 embedded them. Sadly, the control and monitoring pillar of this reform was never implemented.
The initial royal decrees were rewritten from their original 2002 texts to correct for some inherent contradictions and dysfunctions and republished in 2007. Over the course of these years, internal auditors were either embedded into program management offices or maintained their assurance functions by adding a significant amount of consulting activities. The audit committees which had been disbanded because of pending re-establishment in the context of the Copernicus reform were not there to shield the auditors from the management teams of the federal government services … so the auditors protected themselves and created a modus vivendi. Quite often they reported to the president of the federal government service, in absence of the availability of any other structure. This survival strategy is now considered to be a main factor in questioning independence.
An off-topic remark: whatever the criticism thrown at these people and their functioning, I admire the way in which the auditors survived in this often initially quite hostile environment. It’s a sign of their persistence and commitment.
Why independence is important for an auditor
Now, independence is at the core of the internal audit profession. The internal auditor performs what is essence amounts to an oversight activity for the board or its equivalent, and provides that board with a reasonable assurance that the internal controls and the systems of risk management of an organization are under control. In order to be able to provide that assurance in the most objective manner possible, factors which may impede this objectivity need to be reduced as much as possible. The more independent internal audit is from management and operations, the less likely impairments of objectivity become.
The objectivity and thus the need for independence is most relevant in the assessment of the required aspects to cover (establishing the audit universe, performing the risk analysis and the resulting audit planning) as well as in the way in which the internal audit activities will be executed.
For certain operational aspects, internal audit often needs to consult with the management team. An example would be the funding of internal audit activities, as these represent a cost to the organization. The wages and expenses of internal audit are real expenditure and represent an opportunity cost for other projects. For this reason and because it may be used as a weapon against objectivity, the audit committee acts as an advisory committee to the board for two broad roles:
to act as an oversight committee on overall audit activities;
to act as recourse for internal audit in case of disagreement with management.
This may seem to be adequate basis for an as complete independence as possible. However, there are limitations to that independence.
Limitations of independence
The need for independence is not the only relevant need that exists. Given internal audit in itself is a cost to the company, it needs to be relevant. Now, what may impede relevance?
Internal auditors that are too far removed from the operational reality of an organization will operate and audit outside of the true or relevant scope of operations. Quite a few outsourcing projects have borne witness to that in the past. This has little to do with ill will or incompetence. In order to assess the true risk exposures, there is a need for understanding the operational reality in which the organization works.
This is one of the key limitations of independence: the lower the proximity to the day-to-day operations, the lower the true operational relevance of the internal auditor, even if he or she understands the context in which the activities are executed. Understanding is not enough. There needs to be a true proximity to the daily reality. There’s another reason for this as well …
The incremental nature of recommendations
Being the first to audit a process or a function is usually a great experience, especially if you understand how the process is organized and can be improved: process and control deficiencies are easy to identify and recommendations are quite easy to formulate.
However, assuming recommendations are implemented, even if not completely as recommended by the auditors, the more often you audit a process, the more incremental the recommendations tend to become. Small corrections in process and controls which may have significant impacts, but which require a thorough understanding of what can be done in a process to be relevant. After a couple of audits, there is no low hanging fruit left. It’s about understanding not only the process, but also the environment in which it is being executed.
The proximity requirement
In order to be able to provide an organization with relevant recommendations, even after a couple of audits, you need mature, well-trained, objective internal auditors that understand the operations they are confronted with. I am not convinced a centralized internal audit service is the solution. I believe that the audit committee should be one of the major safeguards to ensure that the internal auditors present in the federal government services have adequate independence, not by creating an entity physically separate from the federal government services but by making sure that the active internal auditors can be as objective as necessary while still maintaining a proximity to the daily operations of a federal government service.
Only then will the combination of assurance activities and consulting activities, as described in the definition of internal audit, yield the most optimal results.