Source: IIA Position Paper: The Three Lines of Defense In Effective Risk Management and Control -January 2013




Public sector auditors operate in organizational structures that are complex and different from one government to another. The ISSAI and the ISPPIA haven’t defined the ideal structural reporting lines that enhances internal audit independence in the public sector. However the general guidance which the standards have provided should help governments, in defining the ideal reporting lines that should enhance the independence of their internal audits.


The IIA Standards and best practice require organisations to establish an independent reporting structure and policies for appointment, termination and remuneration of the HOIA. On independent reporting, the HOIA should have direct and unrestricted access to senior management and the board through a dual-reporting relationship. On policies for appointment, termination and remuneration of the HOIA, the standards provide that the audit committee or the board should provide oversight over these processes.


The dual reporting relationship means reporting to the Audit Committee technically and to the head of the organisation administratively. In the private sector, the head of the organisation is the Chief Executive Officer (CEO) or an equivalent title, while the board is the non-executive directors who are not involved in the day to day running of the organisation  but provide oversight over the management of the organisation’s operations and resources on behalf of shareholders. In the public sector, especially central governments, the head of the organisation called government is the head of state while the board of non-executive directors can be likened to Parliament whose members are not involved in the day to day running of the government but provide oversight over the management of government’s operations and resources on behalf of the citizens. The internal audit in the public sector should therefore ideally report administratively to the head of state or his office and technically or functionally to an independent audit committee or similar body comprising of citizens who are not involved in the day to day running of government. Alternatively, Parliament could create an audit committee or similar body to which both internal and external audit could report. In the private sector both the external and internal auditors report to the board through the audit committee.


What we see in most governments is that internal audit functions report to the head of ministry of Finance.  This is the same as the internal auditor in the private sector reporting to the director of finance. It is not surprising that internal audits of such governments are often not effective. Internal audit findings are not acted upon and audit recommendations are not implemented because those expected to take action are often interested parties. The other reason why internal audit functions that report to Ministries of Finance are not effective is that the functions are inclined to mainly focussing on financial operations instead of looking at both financial and non-financial operations. This results in the internal audit functions failing to achieve their broader role of providing assurance and consultancy over governance, risk management and control processes of the government as promulgated in the definition of internal auditing by the IIA.


The Standards also recommend that the audit committee chair meets privately during the year with the HOIA, and that the audit committee meet at least annually with the HOIA without management present in an “executive session.”




The internal audit function must have sufficient funding relative to the size of its responsibilities. This element should not be left under the control of the organisation being audited, because the budget impacts the audit function’s capacity to perform its responsibilities. Insufficient funding would create a significant barrier to fulfilling the roles and responsibilities of the internal audit function in the public sector. The HOIA should therefore request sufficient funding relative to the size of their audit responsibilities, and decisions relating to such funding should be independent of the organisation being audited. Management of some MDAs may not appreciate the value addition of internal auditing and may end up allocating very little funds to the function


The funding of internal audit functions in most governments is left in the hands of management of the MDAs being audited. This results in the internal audit functions being ineffective because they get insufficient funding for their roles and responsibilities. An ideal mode of funding that can enhance the independence of the internal auditing function is funding that is decided and made by bodies which are independent from the organisations being audited. Governments which intend to improve on good governance, transparency and accountability should subject funding of internal audit functions to Parliament as most governments do with their supreme audit institutions.




Whatever the form of government, the need for independence and objectivity in audit is vital (ISSAI 200/2.3). Independence and objectivity are vital in ensuring that stakeholders view the audit work performed and the results, as credible, factual, and unbiased. The nature of internal auditing and the role of providing unbiased and accurate information on the use of public resources and services require the internal audit activity to perform their duties without restrictions, and free from interference or pressures from the MDAs or areas that being audited. By providing unbiased, objective assessments of whether public sector operations and resources are responsibly and effectively managed to achieve intended results, the internal auditor can help the public sector organisation to achieve accountability and integrity, improved operations, and instil confidence among citizens and stakeholders.




To establish whether an internal audit activity has independence and the internal auditors are objective in their work the following criteria can be used:

a) Assessing whether the environment in which internal auditing operates allows the internal auditor to be sufficiently autonomous and objective to the extent that the external auditor can use the work of the internal auditor in line with ISSAI 1610 and the assessment of internal audit independence within INTOSAI GOV 9140.

b) In addition to the criteria in ISA 610, ISSAI 1610 provides the following criteria that assesses the objectivity of the internal audit function in the public sector:

  • Establishment by legislation or regulation;
  • Accountability to top management, for example the head or deputy head of the government, and to those charged with governance;
  • Reporting the audit results both to top management, for example the head or deputy head of the government, and those charged with governance;
  • Located organisationally outside the staff and management function of the unit being audited;
  • Sufficient exclusion from political pressure to conduct audits and report findings, opinions, and conclusions objectively without fear of political reprisals;
  • Internal audit staff not permitted to audit operations for which they have previously been responsible, to avoid any perceived conflict of interest; and
  • Free access to those charged with governance.

c) Additionally, criteria to assess the independence of the internal audit function in the public sector may include:

  • Clear and formal definition of responsibilities and authorities of internal auditing in an audit charter;
  • Functional and personnel segregation of internal auditing from responsibilities for management tasks and decisions;
  • Adequate freedom for the head of Internal Audit (HOIA) in establishing audit plans;
  • Adequate payment and grading within the salary scale according to the responsibility and significance of internal auditing; and
  • Involvement and participation of the HOIA in recruitment of audit staff.

 d)  Also the ISPPIA require, and leading practices dictate, that the internal audit activity is independent, and that internal auditors are objective in performing their work. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the HOIA should have direct and unrestricted access to those charged with governance. Independence is achieved through organizational status and objectivity (IPPF 1100-1130 Independence and Objectivity).

e)  Under ISPPIA the HOIA should report to a level within the organization that allows the internal audit activity to fulfil its responsibilities. The head of Internal Audit must confirm to those charged with governance, at least annually, the organizational independence of the internal audit. According to the IIA Practice Advisory 1111-1 the HOIA must communicate and interact directly with the board. Direct communication occurs when the HOIA regularly attends and participates in board meetings that relate to the board’s oversight responsibilities for auditing, financial reporting, organizational governance, and control. Such communication and interaction also occurs when the HOIA meets with the board, at least annually. The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.

f)  Other criteria include; provisions to ensure that the internal audit activity is empowered to report significant issues to those charged with governance; is supported by management formally and in practice; and is provided with sufficient resources to effectively perform its duties.

g)   The appearance or perception of a lack of independence and objectivity could be as damaging as the actual condition. If internal auditors are involved in developing the internal control systems, it may become difficult to maintain the appearance of independence when auditing these systems.




Clearly, independence and objectivity are key elements of an effective public sector internal audit activity. To comply with the independence and objectivity criteria mentioned above several measures may be considered. Recommended measures are:


  • Appropriate Placement and Organizational Status: The ability to achieve internal audit activity independence and objectivity is contingent on the appropriate placement and/or organizational status of the internal audit activity within the organization.
  • The organizational status of the internal audit activity should be sufficient to allow it to accomplish its activities as defined by its audit charter. The audit activity must be positioned in such a way that it may obtain cooperation from management and staff of the program or organisation being audited, and have free, unrestricted access to all functions, records, property, and personnel – including those charged with governance.
  • Where practicable, those charged with governance (oversight body) should exercise discretion and at least be consulted regarding the appointment, removal, and compensation considerations of the HOIA. Consideration may also be given to appointing an appropriately organised and or independent body to appoint the HOIA.
  • The HOIA should be equal in rank to senior management of the organization. To avoid possible conflicts of interest, the HOIA should report to a level in the organization that would allow the internal audit activity to effectively carry out its responsibilities
  • The HOIA should have direct communication with those charged with governance. This communication reinforces the organizational status of internal auditing, enables full support and unrestricted access to functions, records, property and personnel, and helps ensure that there is no impairment to independence. This provides sufficient authority to ensure broad audit coverage, adequate consideration of engagement communications, and appropriate action on recommendations.
  • Reporting Relationship: Under IIA Standards theHOIA must report to a level within the organization that allows the internal audit activity to fulfil its responsibilities.
  • The HOIA should report to executive management for assistance in establishing direction, support, and administrative interface; and to those charged with governance for strategic direction, reinforcement, and accountability. Those charged with governance (e.g. the audit committee) should safeguard the independence by approving the internal audit charter and (where applicable) the mandate.
  • The IIA Standards requires, and other guidance strongly recommend, that to help maintain the independence of the internal audit activity, its personnel should report to the HOIA, who reports administratively to the chief executive officer or equivalent and functionally to those charged with governance.
  • Competency: The IIA’s Code of Ethics requires, and leading practices dictate, that internal auditors engage in those services for which they have the necessary knowledge, skills, and experience; perform duties in accordance with the Standards; and continually improve their proficiency and effectiveness. The Standards requires that internal auditors, and the internal audit activity collectively possess or develop the knowledge, skills, and other competencies needed to perform their responsibilities. Competent and professional internal audit staff, in particular those that adhere to the Standards, can help ensure the internal audit activity’s success.
  • Legislative Requirements: Legislative requirements to establish an internal audit activity help protect the funding and independence of the internal audit activity and recognize internal audit as an important function in the public sector.




An internal auditor occupies a unique position within an organization. The auditor is employed by the organization but is also expected to review the conduct of operations by management. This has a potential to create significant tension between management and internal audit. Since the internal auditor's “independence” from management is necessary for the auditor to objectively assess management’s actions, governments should strive to ensure that internal audit functions in the public sector are provided with adequate independence. The internal audit functions independence can be enhanced by properly placing the HOIA in the organisation, establishing and enforcing the dual reporting relationship that requires the HOIA to report functionally to the audit committee and administratively to the head of the organisation, adequately resourcing the function, and properly mandating the function by developing and implementing proper policies and legislation. Benefits of enhancing internal audit independence and making the internal audit function effective as outlined in this paper are quite enormous. Governments that want to enhance good governance and accountability will ensure that they have effective internal audit functions in place.




  • ISSAI 1 The Lima Declaration, Section 3. Internal audit and external audit
  • ISSAI 200 General standards in Government Auditing and standards with ethical significance
  • ISSAI 1260 Communication with those Charged with Governance
  • ISSAI 1610 Financial Audit Guideline – Special Considerations – Using the Work of Internal Auditors
  • INTOSAI GOV 9100 Guidelines for Internal Control Standards for the Public Sector
  • INTOSAI GOV 9150 Coordination and Cooperation between SAIs and Internal Auditors in the Public Sector


  • International Standard on Auditing 610
  • Governance in the Public Sector: A Governing Body Perspective, 2001




  • The International Professional Practices Framework (IPPF), including the Definition of Internal Auditing, the Code of Ethics, The International Standards for the Professional Practice of Internal Auditing (Standards), Practice Advisories, Position Papers and Practice Guides
  • The Role of Auditing in Public Sector Governance, 2006
  • Independence and Objectivity: A Framework for Internal Auditors, 2001, American Accounting Association, IIA Research Foundation
  • Internal Auditing: Assurance & Consulting Services, 2009, IIA Research Foundation Internal Auditing in the Public Sector, Gansburghe, Internal Auditor Magazine, August 2005
  • Internal Audit Trends in the Public Sector, Sterck and Bouckaert, Internal Auditor Magazine, August 2006
  • 20 Questions Directors Should Ask About Internal Audit, 2004, Fraser & Lindsay, The Canadian Institute of Chartered Accountants
  • Public Sector Audit Committees (Leading Practices), The Institute of Internal Auditors, Altamonte Springs, Florida, USA, 2013.
  • Research Report: Nine Elements Required for Internal Audit Effectiveness in the Public Sector –The Global Internal Audit Common Body of Knowledge (CBOK).