Can internal audit advise management on emerging risks without losing objectivity?
Management wants internal audit to help shape controls for a new technology project before launch. How can the team be useful without becoming responsible for the process?
Yes, but the boundary must be clear. Internal audit can provide advisory services by facilitating risk discussions, identifying control considerations, sharing lessons from prior audits, or helping management think through criteria. Internal audit should not own the project, approve the control design as management, operate the control, or make the business decision.
For example, if management is implementing a new vendor analytics tool, internal audit may ask:
- Who owns the data quality control?
- How will access be approved and reviewed?
- What exception reports will management monitor?
- What contract rights support auditability?
- How will model or rule changes be approved?
Those questions add value without transferring responsibility from management to audit.
If internal audit later performs assurance over the same project, the team should consider whether prior advisory involvement creates an objectivity threat and how to manage it. The CIA answer should protect both usefulness and independence.
Master Internal Audit Practice with our CIA Course
45 lessons · 90+ hours· Expert instruction
Related Questions
What should an auditor do if a supervisor weakens a supported finding?
How should auditors prepare for a technical exit meeting?
When should audit quality concerns be escalated beyond the engagement team?
How does business knowledge affect internal audit quality?
Where should an auditor begin a full-company internal control audit?
Related Articles
Join the Discussion
Ask questions and get expert answers.