Audit independence vs. objectivity
It is essential to understand the distinction between independence and objectivity, as defined by The Institute of Internal Auditors (IIA):
- Independence: freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.
- Objectivity: unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Requires that internal auditors do not subordinate their judgment on audit matters to others.
In practical terms, this means internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year. But internal auditors may provide consulting services relating to operations for which they had previous responsibilities.
Importantly, the professional standards and requirements for internal audit differ significantly from those that apply to external audit, and do not preclude a firm from providing both internal audit and consulting services.
There are several ways that service providers can structure engagements to provide the right level of objectivity. One common approach is to establish firewalls between the core internal audit team and other project teams that enable team members to remain objective while supporting a broad range of services. Independence and objectivity are also enabled by clearly defining that while advice and recommendations are provided to assist management functions in making their decisions, the internal auditor or consultant will not assume management responsibilities or act in a management capacity.
Internal audit objectivity assessment
Thoughtful consideration of the specific circumstances is important. These questions can be used to assess whether there are any risks to an individual’s objectivity when assigning resources to audits:
1. Will the individual be auditing their own work?
- Within the past year, has the individual performed ongoing control activities that affect the execution of transactions?
- Did the individual perform application development or configuration related to the scope of the audit?
- Was the individual responsible for any defect or problem arising out of or related to data processing in any systems?
- Did the individual perform routine activities in connection with the company’s operating processes?
- Has the individual performed bookkeeping or other services related to the accounting records or financial statements within the scope of the audit?
- Did the individual authorize, execute or process transactions?
- Did the individual prepare source documents or transitions?
- Did the individual prepare the financial statements or related financial statement disclosures?
- Does the individual have custody of assets?
2. Within the past year, did the individual act in any capacity equivalent to a member of management within the area being audited?
Was the individual responsible for any key decision over financial information systems design and implementation?
Was the individual responsible for deciding which, if any, recommendations for improving internal control should be implemented?
3. Will the individual’s familiarity of work cause prejudgments?
4. Will the individual be working with a relative or close friend?
If the answer to any of the questions in the assessment is yes, there are threats to objectivity and the team should document all mitigating factors and work with management to assess whether the mitigating factors are sufficient.