Various actions can be taken to try to shield the independence of the internal auditors
- Reporting lines. The head of internal audit may report to the audit committee and not to the finance director or chief accountant.
- Deciding the scope of internal audit work. The scope of work carried out by the internal auditors should not be decided by the finance director or line management responsible for the operations that may be subjected to audit. This is to keep away from the risk that the internal auditors might be assigned to investigations of non-contentious areas of the business. The scope of internal audit work should be decided by the chief internal auditor or by the audit committee.
- Rotation of internal audit staff. Internal auditors should not be allowed to become too familiar with the operations that they audit or the management responsible for them. To reduce the familiarity threat, internal auditors should be rotated on a regular basis, say every three to five years, and at the end of this time they should be assigned to other jobs within the entity.
- Appointment of the chief internal auditor. The chief internal auditor should not be appointed by a senior executive who may have some self-interest in wishing to select a ‘yes man’ who will not ‘cause trouble’. Instead, the audit committee should be responsible for appointing a new chief internal auditor, subject perhaps to approval by the board of directors.
- Designing internal controls. The internal auditors should not be responsible for the design of internal controls within the entity. If they did, they would be required to audit their own work, which is unacceptable. Senior management in accounting and finance or line management should have responsibility for the design and implementation of internal controls, taking advice where appropriate from the external auditors when control weaknesses are identified during the external audit.