The Architecture of Objectivity: Internal Audit as Both a Sparring Partner and a Supervisory Body

For a long time, internal audit was seen as a body focused on hindsight. Today, it is increasingly expected to play an active operational role. Business units and executive boards are increasingly viewing it as a ‘sparring partner’. How can the audit function resolve the tension between acting as a detached auditing body and maintaining a close involvement in the organisation?

Internal Audit Between Sparring Partner and Supervisory Body

In the traditional banking world, the role of internal audit was clearly defined: it was the body responsible for looking back. The scrutinising hand that, months after a process had been completed, searched for errors with a magnifying glass.

But this image of internal audit as a ‘lone auditor in an ivory tower’ has long been outdated in an age of disruptive technological leaps, omnipresent regulation such as DORA and the need for agile transformation. Today, internal audit is increasingly expected to be an operationally effective player.

Yet this is precisely where the greatest challenge of modern governance lies: how can internal audit provide valuable advice without becoming hostage to the wishes of the board and business units?

The Pendulum Dilemma: Between Isolation and Involvement

The tension faced by every modern audit management team can be described as a pendulum that constantly swings between two extremes. On the one hand, there is total detachment. Whilst this ensures formal independence, it often leads to a loss of touch with reality. Audit findings arrive too late, are perceived as out of touch with practical realities, and merely trigger ‘audit fatigue’ in the business units – a weariness towards controls that hinder rather than safeguard business operations.

On the other hand, there is maximum proximity. Today, business units and executive boards are increasingly seeking the internal audit function as a ‘sparring partner’. They want assurance right from the outset when establishing new processes, such as when implementing AI systems or putting complex resilience requirements into practice. However, this proximity harbours a risk inherent to the system: those who are too deeply involved in the design lose their objective perspective. Those who advise today will be auditing their own recommendations tomorrow.

The dark side of closeness: The danger of a complacent audit

If the balance tips too far towards ‘collegiality’ and ‘management’s wishes’, the most dangerous phenomenon in auditing looms: the complacent audit. An internal audit that no longer acts independently, but instead anticipates the expectations of those being audited and ‘optimises’ its reporting accordingly, loses its raison d’être.

A complacent audit often creeps in gradually. It begins with critical findings being ‘watered down’ during coordination meetings so as not to strain the political climate within the organisation. It continues when audit plans are designed to omit the truly sensitive issues. The result is a false sense of security. Outwardly, the institution appears ‘compliant’, yet internally the risks grow unnoticed.

An audit function that becomes a mere tool of the business units is no longer a shield, but a systemic risk. It pretends to exercise control that in fact no longer exists, leaving the institution defenceless in the face of genuine crises or supervisory audits (for example, under Section 44 of the German Banking Act).

Operational effectiveness without compromising integrity: the new understanding of the role

How can this tension be managed professionally? The answer does not lie in a return to isolation, but in an architecture of objectivity based on three pillars:

1. A clear separation between advice and decision-making

For internal audit today, operational effectiveness means ‘auditing throughout the project’. Internal audit sits at the table when, for example, new processes are defined under DORA or the new MaRisk amendment. But – and this is the red line – it does not make decisions. Its contribution is methodological support. It assesses concepts against regulatory expectations and identifies best-practice solutions.

However, responsibility for the final implementation and the associated risk remains, without exception, with the business unit. An auditor must always be able to say: “I have highlighted the risks to you; how you manage them is your decision, which I will later assess objectively.”

2. Rigorous communication and expectation management

Independence begins in the mind and in communication. A modern internal audit function must proactively make clear what it can and cannot deliver. The role of a “strict but fair” partner must be lived out. This also means addressing uncomfortable truths early on and directly, before they become an insurmountable problem. Those who act consistently and predictably build trust. Trust here should not be understood as “playing nice”, but as the board’s certainty that the audit function will objectively lay the facts on the table – no matter how uncomfortable they may be.

3. Technological objectification

The future of the audit function lies in data-driven auditing. The more the audit function relies on standardised data streams and automated testing procedures (continuous auditing), the less susceptible it is to interpersonal influence or political agendas. Data does not lie. When algorithms monitor compliance with limits or process chains in real time, this undermines the basis for a complacent audit. In this context, the audit function transforms into a validator of control logic.

Case Study: Resilience – When Internal Audit Becomes a Guide

The example of DORA implementation at banks and savings banks clearly demonstrated what operational effectiveness looks like without compromising independence. When identifying ‘critical and/or important functions’, business units were often under pressure due to limited capacity and tended to adopt a narrow interpretation. An audit function that sees itself as a navigator in this context will not simply rubber-stamp the specialist department’s wishes.

Instead, it will demand methodological rigour: “Have you considered what impact a failure of this function would have on the entire bank or savings bank in the short, medium and long term?” Through targeted questions and the use of regulatory benchmarks, it steers the process without defining the terms itself. In this way, it becomes operationally effective by protecting the institution from wrong decisions, whilst at the same time maintaining the necessary distance to critically validate the final result at a later stage.

The vision: Internal audit as a value-adding factor

The audit function of the future is not a ‘brake on progress’, but a guarantor of sustainable stability. ‘Visionary governance’ views internal audit as a body that business units are happy to approach – not because they expect a lenient audit, but because they seek an honest, professionally sound and independent assessment.

This approach requires courage on the part of audit management. The courage to say “no” to the board, even on high-profile projects, if the risks are unmanageable. And the courage to develop technologically to the point where the audit function can engage with the business units on an equal footing.

Conclusion: The strength of a clear approach

The tension between collegial consultation and independence cannot be resolved – nor should it be. It is this productive friction that is the very essence of good governance. What is crucial is that the pendulum does not settle in complacency.

Financial institutions need an audit function that examines matters clearly and rigorously, yet acts fairly and in a solution-oriented manner. Only those who master this duality make a measurable contribution to the further development of their organisation. Internal audit is most effective when it is valued as a visible sparring partner, yet remains feared as an incorruptible corrective force. This balance is the true art of modern internal audit.

Thorsten Tewes

has many years of professional experience in auditing, organization, and compliance at banks and savings banks. At msg for banking, he is responsible for organization, corporate governance, and audit support. Together with his team in Management & Business Consulting, he develops comprehensive solutions for reorganizing structures, processes, and internal control systems within banks and savings banks. As part of co-sourcing, he supports representatives and internal auditors in carrying out audit procedures.