The Myth of Internal Audit Independence: Why It’s Time to Evolve Beyond GRC Thinking
The debate over the true independence of internal audit (IA) has resurfaced with new urgency following the recent high-profile firings of multiple inspectors general (IGs). Government IGs in the United States operate in similar ways to IA in private-sector organizations. Given their similarity, these IG dismissals have sparked controversy within the IA community, with critics arguing they threaten government oversight and accountability. The situation underscores a long-standing issue: IA and IGs are not truly independent, and continuing to believe otherwise does more harm than good.
My former colleague Richard Chambers recently weighed in on this topic in a blog post, expressing concerns about the implications of these firings for the IA profession. I agree with Richard that the “firings are yet another reminder of the illusiveness of audit independence.” Moreover, I believe this moment presents an opportunity to move beyond legacy Governance, Risk, and Compliance (GRC) thinking and embrace a more realistic, effective model—Integrated Risk Management (IRM).
What Is Legacy GRC Thinking?
Legacy GRC thinking is a compliance-driven rather than a risk-based approach to governance, risk, and compliance. It is rooted in a policing mindset, where the illusion of independence thrives because oversight functions are viewed primarily as enforcers rather than strategic advisors.
This model emphasizes adherence to rules and regulations over proactive risk management and value creation. Under this outdated framework, internal auditors and IGs are often seen as detached watchdogs rather than integral contributors to organizational resilience. The focus remains on reacting to failures rather than preventing them, making the supposed independence of audit and oversight functions more symbolic than substantive.
The Structural Dependence of IA and IGs
Internal auditors are employees of the organizations they review. While they report functionally to the board or audit committee, their administrative ties to senior leadership create inherent conflicts. If IA were genuinely independent, external audits and regulatory oversight would be unnecessary.
Similarly, IGs—though designed to function as watchdogs—operate within the executive branch and remain subject to political influence. Recent events, including the mass firings of IGs, reinforce this point. These actions are yet another reminder that IGs ultimately answer to the administration in power. The notion that they can operate with complete autonomy is not just misleading but also counterproductive to strengthening oversight functions.
Refocusing on Internal Control Effectiveness Over Fraud Policing
Historically, IA and IG functions have focused heavily on detecting waste, fraud, and abuse. However, this narrow focus limits their ability to drive meaningful governance and risk management improvements. Instead of acting primarily as investigators, IA and IGs should shift their emphasis toward assessing and enhancing the effectiveness of internal controls.
Where waste, fraud, and abuse are uncovered, external auditors or independent bodies like the GAO should be engaged to investigate. This approach helps maintain oversight integrity, as IA and IGs—employees of the organizations they review—cannot claim true independence. IA and IGs can better support proactive risk management and organizational resilience by focusing on control effectiveness rather than acting as internal enforcers.
“If IGs were genuinely independent, agencies such as the Department of Justice (DOJ) and the Government Accountability Office (GAO) would not be required to supplement their oversight.”
Congress’s 30-Day Notice Rule: A Safeguard or a Political Shield?
The 2022 amendment to the Inspector General Act of 1978 was contained deep within the annual National Defense Authorization Act (James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, page 768) and requires a president to give Congress 30 days' notice, with a substantive rationale, before removing an IG, among other requirements. The amendment was framed as a safeguard for independence. However, this provision could serve another purpose—giving Congress the information and time to cover its tracks on waste, fraud, and abuse before an IG’s removal takes effect.
Instead of genuinely protecting oversight, this mechanism may allow legislators and agencies to mitigate potential fallout from investigations before a new IG takes over. This raises further questions about the actual function of IGs within the broader government accountability system.
The Limits of Audit Independence in Corporate and Public Sectors
This lack of true independence is not limited to government IGs. In the corporate sector, chief audit executives (CAEs) often face similar constraints. Many internal auditors report to the CFO or CEO, leaving them vulnerable to pressure when audits uncover issues that senior leadership would prefer to remain unexamined.
Even when audit committees provide oversight, they are often composed of board members with financial or strategic ties to the company, creating potential conflicts of interest. This reality has long been an inconvenient truth within the profession. A day rarely goes by when a CAE is not removed by a CEO (or even by a CFO) to check the independence of the function.
Rather than striving for unattainable independence, the proper role of IA and IGs should be that of whistleblowers, ensuring that instances of waste, fraud, or abuse are promptly communicated to an appropriate governance body, like the board of directors or Congress. This approach allows for independent, external investigations by external auditors or oversight entities such as the GAO, ensuring accountability while mitigating conflicts of interest inherent in IA and IG functions.
A More Effective Approach: Moving from GRC to IRM
Rather than perpetuating the illusion of independence, the focus must shift toward ensuring that IA and IG functions operate with maximum effectiveness within their structural constraints.
An Integrated Risk Management (IRM) approach weaves GRC into Enterprise Risk Management (ERM), Technology Risk Management (TRM), and Operational Risk Management (ORM) to give auditors a more comprehensive view of risk—from strategic to tactical. IRM acknowledges compliance as a risk like any other but does not allow compliance to overshadow proactive risk management. By integrating these disciplines, IRM enables organizations to anticipate and mitigate risks before they escalate, rather than merely reacting to compliance failures.
An IRM approach would emphasize the following:
o Risk-Based Oversight Instead of Compliance Policing – Internal auditors and IGs should prioritize identifying and mitigating risks that threaten strategic objectives rather than simply enforcing compliance checklists.
o Stronger Governance Structures – Audit committees, regulatory agencies, and legislative bodies must take an active role in ensuring IA and IGs are protected from undue influence while still operating within a realistic governance framework.
o Transparency and Accountability Measures – Instead of superficial safeguards like the 30-day notice rule, a more meaningful reform would involve performance-based assessments that evaluate IG and IA effectiveness in preventing fraud, waste, and abuse.
o Acknowledging Structural Realities for IA – Internal auditors, as employees of the organizations they review, will always be subject to influence. The key is recognizing this reality and ensuring that external, independent reviews validate their effectiveness and objectivity.
o Subjecting IGs to External Review – IGs should be subject to independent review by the GAO or another external oversight body to ensure accountability and effectiveness in their role. This structure would provide an additional layer of scrutiny beyond internal executive branch controls and reinforce public trust in their findings.
Now is the Time to Embrace the IRM Model
The concept of complete independence for IA and IG functions is a relic of outdated GRC thinking. Transitioning to an IRM-based approach acknowledges the inherent constraints of governance structures while enhancing oversight effectiveness.
By focusing on value creation rather than illusionary independence, organizations and government agencies can strengthen risk management, improve governance, and ensure that audit and investigation functions are truly impactful rather than merely symbolic.
Now is the time to move beyond legacy thinking and embrace IRM as the path forward for internal audit and inspectors general alike. By recognizing the structural realities and focusing on effectiveness rather than unattainable independence, we can enhance transparency, accountability, and, ultimately, the value these functions provide in both the public and private sectors.