An audit involves more people than the auditor, and the credibility of the result rests on one thing above all: keeping the auditor independent of the work being audited. This guide sets out who does what, how to preserve independence even in a small organisation, and where the line between auditor and management must never blur.
The cast of an audit
A clean engagement has four roles, and confusion between them is where audits lose their credibility:
| Role | Does | Must NOT |
|---|---|---|
| Auditor | Plans, gathers and evaluates evidence, reports findings objectively | Audit their own work or design the fixes |
| Lead auditor | Owns the engagement: scope, team, final findings, the report | Let scope or severity be negotiated away |
| Auditee | Provides access, documents, honest answers | Curate the evidence or pre-select the sample |
| Management / owner | Receives findings, resources corrective action | Edit or suppress findings |
Independence — the non-negotiable
Independence is the property that makes an audit worth anything. An auditor must not audit their own work, their own area, or anything they are responsible for designing or operating. The moment an auditor reviews their own control, they are marking their own homework, and any competent assessor will discount the result entirely.
Independence has two layers worth separating:
Independence of mind — the auditor reaches conclusions on the evidence, uninfluenced by who will be embarrassed.
Independence in appearance — there is no relationship (reporting line, authorship, personal stake) that a reasonable outsider would think could bias the auditor. Appearance matters even when the auditor is genuinely objective, because the audience can't see inside their head.
No independence
The compliance manager wrote the access-control procedure, operates the quarterly review, and audits it. Even if every finding is honest, the assurance is worthless on its face — there is no independent check, and the manager is structurally unable to report that their own design is flawed.
Independent
The compliance manager owns and operates access control; the quality manager (independent of IT and security) audits it. Neither has a stake in the other's verdict, so a finding means something.
Independence when you're too small to have it
In a small organisation, true independence is genuinely hard — everyone owns something. This is the most common real-world objection, and there are accepted answers. Use whichever fits:
Cross-audit. Have functions audit each other — finance audits the IT-owned control, IT audits the finance-owned one. Neither audits their own.
Rotate. Change who audits which unit year to year so no one settles into auditing their own neighbourhood.
Audit one level up or sideways. A person can often independently audit a process they neither designed nor operate, even within a small team.
Bring in an external auditor for the areas where no internal independence exists at all — typically the controls the most senior person owns.
Document the independence reasoning. Whatever you do, record why the assigned auditor is independent of the audited unit. That note is the evidence an assessor wants.
The lead auditor
On any engagement larger than one person, one individual is accountable for the audit as a whole. The lead auditor:
agrees the scope and criteria with the sponsor before fieldwork;
runs the team — allocates units, sets the approach, keeps the engagement on its plan;
makes the final call on findings and their severity when the team disagrees;
owns the report and presents it to management.
The lead auditor is the single point of accountability for the engagement's quality — and the person who must hold the line when an auditee tries to negotiate a major finding down to a minor one.
The auditee — your main source of evidence, not a suspect
The auditee is the area under audit: its manager and its staff. Their job is to provide access, documents, and honest answers. The relationship sets the tone of the whole engagement.
Adversarial
The auditor arrives adversarial, withholds the scope, and treats every answer as a confession. Staff get defensive, volunteer nothing, and steer the auditor toward the tidy evidence. The audit gets a polished but false picture.
Collaborative
The auditor shares scope and criteria up front, explains that findings improve the system rather than punish people, and treats staff as the experts on their own work. Staff surface the messy reality — which is exactly what the auditor needs to see.
Management and the obligation owner
Most regulations name a person or role who owns the obligation. The audit interacts with that owner heavily: they are a key interviewee, the recipient of findings in their area, and the person who resources the fix. Examples include:
GDPR — the Data Protection Officer, where one is required (Article 37);
NIS2 and DORA — the management body itself is explicitly accountable and must be trained;
ISO management-system standards — top management plus a designated function or representative.
Management's role is to receive the report, accept or challenge findings on the evidence, and resource the corrective action — never to edit the findings into something more comfortable.
Who owns corrective action — and why the auditor must not
The auditor reports the gap; the auditee's management owns the fix. Keeping that line bright is not bureaucracy — it protects the next audit. An auditor who designs the remediation has, in effect, created a control they will later have to audit, destroying their independence for that unit.
Auditor states the requirement, the evidence, and the gap — precisely, but stops short of prescribing the solution.
Management assigns a root cause, a corrective action, an owner, and a due date.
The corrective action is tracked to closure and verified — ideally by an auditor, who can now independently confirm the fix because they didn't design it.
How findings convert into tracked corrective actions is the subject of the audit report guide.
This guide explains the method. To apply it across a whole regulation, with every obligation scored and traceable, see the audit checklists, each with a free Regulatory Compliance Matrix you can review before buying.