How the audit committee can be an advocate for internal audit

Across four decades, I’ve had the privilege of working with some outstanding internal audit teams. At their best, they help organisations remain resilient, responsive, and responsible. But even the strongest teams can falter without active support from the top, especially from the Audit Committee.

Today’s internal auditors face rising expectations, increasingly complex risks, and often, constrained resources. When Audit Committees fail to champion the function, internal audit risks being treated as a box-ticking exercise rather than the strategic asset it is meant to be.

This article shares my thoughts on eight practical ways Audit Committees can become advocates for internal audit — ensuring the function is independent, impactful, and aligned with global expectations.

Lesson from Carillion: The cost of silence

The collapse of Carillion in 2018 is a cautionary tale of what happens when internal audit’s voice is ignored. The internal audit team had identified serious failings in risk management and called for a cultural shift — yet their warnings were sidelined. Parliament’s Joint Committee later concluded that the Audit Committee failed in its duty to protect internal audit’s independence or to challenge senior management when it mattered most. This absence of robust governance contributed to unchecked financial practices and the eventual downfall of the company — impacting jobs, pensions, suppliers, and public trust.

The message is clear: a disengaged Audit Committee isn’t just ineffective — it’s dangerous. When internal audit is unsupported, vital insights go unheard, and unmanaged risks multiply. Carillion reminds us why today’s Audit Committees must not only listen, but act.

Best practices for audit committee advocacy

1. Uphold independence and access

The Global Standards stress the importance of auditor independence — and rightly so. The Audit Committee must ensure the Chief Audit Executive (CAE) reports functionally to them and has access to the Board and executive leaders. Regular private sessions between the Audit Committee Chair and CAE help surface concerns early. Without these sessions, audit risks being steered by management and potentially lose its edge and credibility.

2. Ensure sufficient resources and skills

Standard 9.2 highlights the need for a competent and adequately resourced audit function. The Audit Committee should ask: Do we have the right mix of skills — data analytics, cyber, project assurance — in our audit team? Having those honest discussions should ensure investment in training and/or co-sourcing subject matter experts when needed. Often we see investment in internal audit teams reduced, which leaves the organisation exposed and teams falling back to compliance checking.

3. Support a culture of response, not just reporting

An audit is only useful if its findings lead to action. The Standards encourage internal auditors to promote improvement. The Committee should ensure that recommendations are followed up — and that management takes them seriously. Failure to monitor action can lead to weak control environments remaining and stakeholders questioning the value of internal audit.

4. Align audit focus with strategic risks

Standard 8.1 requires audit plans to be risk-based and linked to the organisation’s objectives. Audit Committees should challenge whether the audit plan reflects what really matters, be it transformation projects, financial pressures, or service quality. By using the corporate risk register, key strategic documents, and other corporate and industry knowledge, the audit plan links to the success of the organisation.

5. Defend and promote the role of internal audit

When budget pressures bite or audit opinions are uncomfortable, internal audit can face pushback. The Audit Committee must step up as a vocal ally by explaining to the wider organisation why good audit work matters and sharing audit insights that have led to oranisational improvement.

6. Build committee expertise to champion audit value

The Global Standards highlight the importance of governance bodies fully understanding internal audit’s value. If committee members lack this insight, their oversight becomes passive or misinformed. The composition of the committee is crucial, and at a minimum should include one member with a strong audit or risk background.

7. Clear bottlenecks that undermine audit effectiveness

Internal audit’s value lies in timely assurance and insight, but that value erodes when draft reports sit unanswered or agreed actions remain unimplemented. The Global Standards (Standards 11.1 and 12.1) stress the importance of timely communication and follow-up.

Make report clearance times and recommendation follow-up a standing item on the Audit Committee agenda. Ask for exception reporting that flags aged issues or high-risk items stuck in limbo.

8. Engage the full board to broaden support for internal audit

While the Audit Committee is the primary champion of internal audit, broader Board understanding is essential for sustaining support, resourcing, and follow-through. The Global Standards clarify that internal audit serves the governing body, not just one committee.

Periodically invite the CAE to present directly to the full Board, especially on thematic issues or the annual opinion. This will avoid internal audit being seen as purely operational rather than strategic.

Final thought

The new Global Internal Audit Standards mark a shift from compliance to contribution. Internal audit is expected not just to assure, but to add value and drive improvement. For that to happen, support must extend beyond the Audit Committee. When the full Board is engaged, it can clear bottlenecks, enhance expertise, and empower internal audit to help the organisation govern better, manage risk more effectively, and improve performance.

About the authors

David Hill is the former CEO of SWAP Internal Audit Services based in the UK. David has nearly 40 years of audit experience, and is a former member of the Global Guidance Committee. Connect with David on LinkedIn.