Internal auditor independence as a situated practice: four archetypes

Purpose – This study aims to understand independence in internal auditing by investigating how internal auditor independence is constructed when analysed in its corporate governance context. Design/methodology/approach – A critical discourse analysis (CDA) of the corporate governance reports ofSwedishlargestockmarketlistednon-financialcompanies,forthreeconsecutiveyears,isundertaken,using atheoreticallensoforganisationalembeddednessandoperationalcouplingtounderstandindependenceasasituatedpractice. Findings – The study develops four archetypes of internal auditor independence – autarchic, instrumental, symbioticandsubservient – anddiscusseseacharchetype ’ simplicationsforindependence,relatedtotripartite relations with management and the audit committee, regarding who has the mandate to direct work and how theworkisdone.Itfindsthatinternalauditorsalwayshaveacapacitytobeindependent.Althoughtheyarenot independentinrelationtoagentsinthesubservientarchetype,theyareindependentofthosedowntheorganisationalchainofcommand,suggestingindependenceisbothsituationalandrelational. Research limitations/implications – The analysis contributes a novel approach to the literature and develops a conception of independence using the dimensions of embeddedness and coupling. The archetypes offer an analytical framework for future studies on independence. Practicalimplications – Internalauditorsmayunderstandtheirpracticedifferentlythroughthearchetypes that result from this study. Social implications – Internal auditors ’ power relations within corporate governance further an understanding of the pressures on internal auditors and their role. Originality/value – This study contributes new knowledge on the situatedness of independence by showing how internal auditors are embedded and coupled helps build their independence.


Introduction
Internal auditor independence is elusive and loaded with the promise of trust and quality.It borrows its template from external audit (Power, 1997), where independence essentially concerns the absence of economic interests in the client (Jeppesen, 1998) and other individual incentives to act against integrity (Page and Spira, 2005).This idealised conception of independence has percolated the requirements of laws and regulations and theoretical discourse (Watts and Zimmerman, 1983;Zeff, 2003a, b).Studies on the meaning of independence have been conducted mostly in external audit (Daoust and Malsch, 2020;Gu enin-Paracini et al., 2015;Jeppesen, 1998;Page and Spira, 2005;Power, 1997;Windsor and Warming-Rasmussen, 2009).Internal audit independence cannot easily juxtapose the understanding of auditor independence from the external audit literature.The field is underresearched (Roussy and Perron, 2018;Stewart and Subramaniam, 2010) and merits investigation on its own terms.
Recent developments in corporate governance regulation call for a growing demand for internal auditors, especially the development of control structures in large listed companies and regulators' interest in this function to strengthen trust in corporate reporting (Barua et al., 2010;Burnaby et al., 2009).However, internal auditors have been marginalised in the debate that emerged after the financial crisis (Kotb et al., 2020;Lenz and Sarens, 2012).There is little regulatory guidance on the distribution of internal audit activities (Kehinde et al., 2017), and only a few studies have been undertaken on such practices, including what audit committees should do concerning its internal audit function (IAF) oversight obligations (Abbott et al., 2010).Kotb et al. (2020) note that internal auditors seem to struggle to maintain their organisational position in corporate governance systems.It has been argued that research on internal auditing is largely a neglected area altogether (Gendron and B edard, 2006;Maijoor et al., 2000;Roussy, 2015;Roussy and Perron, 2018).
There are several reasons to study internal auditor independence.Internal auditors are seen as an important assurance provider to the Board (Gramling et al., 2004) but their independence may be at stake since they are part of the control structure assigned to audit.This may "undermine[s] internal auditors" cultural and moral authority' (Nickell and Roberts, 2014, p. 218).Internal auditors work with weak autonomy relative to external auditors because they are accountable to internal agents (audit committees or even managers) due to their position within the organisation (Everett and Tremblay, 2014;Lenz and Sarens, 2012).
This paper extends the question of the position of internal auditors to argue that as they are connected to the corporate governance system in ways unique to each organisation, their independence can be understood as situated in the organisational context.To understand internal auditor independence, how internal audit is situated in the tripartite relationship with the audit committee and management needs to be taken into account.Using a novel approach, this study conducts a critical discourse analysis (CDA).It views the construction of independence as an outcome of how the internal audit is situated due to the operational and organisational aspects of the function and unpacks the multiplexity of the relationship that contributes to the independence.It seeks to answer the research question, "How is internal auditor independence constructed when analysed in its corporate governance context?", to add to the ongoing debate on independence of the audit function.

Internal auditor independence
Independence can be seen as the willingness and capability (Gu enin-Paracini et al., 2015) of the auditor to work with integrity, objectivity and with the required autonomy.Simultaneously, as seen in the literature, internal auditors are always subordinate to elements internal to the organisation, be it the audit committee or management.Thus, the situatedness of the construction of internal audit independence needs be considered; hence, the hegemony of internal auditor relationships is significant.The CDA method is able to uncover the hegemony of discourse and facilitates a study of how economic circumstances are constructs, instead of being mere representations of economic realities (Chouliaraki and Fairclough, 1999).These constructs have the ability to be "talked into being" in practice; that is, a CDA approach studies discourse as socially constitutive with the ability to shape organisational reality.
The CDA examines how the discourse in corporate governance reports of large listed entities constructs the economic reality of the actors that take part in governance.This approach allows for an examination of the power relations implicit within this discourse and serves to illuminate the particular problem of inequalityin this case the construction of independenceshowing how the discourse constructs IAFs as more or less independent, where their independence is expected by The Institute of Internal Auditors (IIA) (IIA, 2013).Such an approach is beneficial due to the difficulty of access to internal auditors (Neu et al., 2013;Roussy, 2015).The CDA develops four archetypes indicating the situatedness of the relative subordination and power relations of internal auditor independence: autarchic, instrumental, symbiotic and subservient.Its findings contribute to the understanding of the different forms of independence in internal auditing, by considering the diverse situations within which they are found.
The rest of the paper is structured as follows.Section 2 presents the literature review on auditor independence in its organisational and operational senses and alternative ways to understand independence by linking these concepts to embeddedness (Callon, 1998;Granowetter, 1985) and coupling (Glassman, 1973;Orton and Weick, 1990;Weick, 1976).Section 3 outlines the methodological underpinnings of the study and the method of data collection and analysis.Section 4 elaborates and discusses the findings, while Section 5 draws the conclusions.

Literature reviewindependence and its connotations
In external auditing, independence is often discussed as a problem of economic interest to the client, caused by the conflict between performing both auditing and consulting (Jeppesen, 1998;Power, 1997).By contrast, the independence of the internal auditor does not involve similar economic interests as they do not get client revenues and lack commercial interests from advisory services, yet face other challenges in staying independent of the organisation and its management.In such a setting, independence has been discussed in terms of organisational and operational aspects (Power, 1997(Power, , 2007)), which can vary depending on how the IAF is designed, as a situated practice in the specific corporate governance milieu.Wolnizer (1987) argued for an understanding of independence in the organisational context, and Power (1997) further deepened the understanding of independence by emphasising the operational level, what he called "operational independence".Jeppesen (1998) developed these notions further, especially in the context of how external auditor independence is affected while performing consulting services on behalf of the auditee.
Gu enin-Paracini et al. (2015) and Daoust and Malsch (2020) have provided enhanced understanding of the otherwise overlooked field of operational independence by emphasising that auditing is carried out in a particular setting.Gu enin-Paracini et al. (2015) found that organisational and operational independence are both aspects of auditor professionalism and they argue that the power between auditors and auditees is intrinsically relational.In fact, by AAAJ 36,9 emphasising the distinctions between organisational and operational independence we might risk downplaying how relationships affect the auditors' capability to detect misstatements and their willingness to report these anomalies.
There are gaps in the guidance provided to internal auditors as seen in the IIA definition of independence in the Attribute Standards 1100 -Independence and objectivity and 1110 -Organisational independence (IIA, 2013, pp. 16-17).In the latter standard, the organisational concept of independence "is effectively achieved when the CAE reports functionally to the board" (IIA, 2013, p. 17).These standards do not contain a reference to or content on operational independence but may inherently comprise operational aspects through the expectation that the internal auditor be free of such conditions that may threaten an unbiased manner and mental attitude in performing audit responsibilities (IIA, 2013).
Therefore, studying organisational and operational independence in conjunction may further contribute to the knowledge of independence, specifically seen as a situated practice.The next two sections discuss the literature on organisational and operational concepts of independence, followed by how these can be studied as situated independence practices through the theoretical dimensions of embeddedness (Callon, 1998;Granowetter, 1985) and coupling (Glassman, 1973;Orton and Weick, 1990;Weick, 1976).

Organisational independence as embeddedness
Organisational independence has been divided into independence in fact and in appearance (Jeppesen, 1998;Mautz and Sharaf, 1961) to distinguish between the independent mindset of the auditor and stakeholders' impression of how auditors succeed.It captures the auditor's willingness to take action (Page and Spira, 2005;Power, 1997) in circumstances that affect their predisposition to perform a good audit and to evaluate management's operational activities, internal control and financial reporting.This may include a certain auditor mindset formed through organisational technologies that impact the auditor's inclination to work independently, such as procedures for appointment and provision of consultancy services, aimed to guide them and influence their ability to provide assurance (Power, 1997).Christopher et al. (2009) discuss these aspects in terms of threats to the independence of the IAF.Research on internal audit points to the important support chief audit executives (henceforth, CAEs) receive from the audit committee to strengthen their independence (Abbot et al., 2010;Christopher et al., 2009;Gendron and B edard, 2006).It is well acknowledged that "management exerts significant power" over the IAF (Norman et al., 2011, p. 104), by management participation in internal audit planning through the review and approval of internal audit plans and by management support to the IAF in day-to-day activities to get work done.
Internal auditor reporting relationships are significant for their independence and vary depending on their position in the organisation (Sarens, 2009).Arguably, the embeddedness (Callon, 1998;Granowetter, 1985) of the internal auditor with either management or the audit committee is a significant dimension for the study of organisational independence.Such embeddedness takes its form through reporting relationships, organised through reporting lines, with the objective of arranging who among the audit committee or management is in a position to influence the internal audit scope, work performance and communication of results (IIARF, 2003) [1].It has been argued that the guidance on reporting lines from the IIA is vague and internal audit's contribution to corporate governance needs to be clarified (Lenz and Sarens, 2012).Internal audit is important to the audit committee for its source of comfort about the internal control system (Sarens et al., 2009).The internal auditor's relationship with the audit committee is seen as important to the former's independence because functional reporting to the audit committee strengthens their ability to perform their work without interference from others in the organisation and to discuss the findings and follow-up procedures with the audit committee (Christopher et al., 2009;Cohen et al., 2010;Khelil et al., 2016;Norman et al., 2010; Internal auditor independence Read and Rama, 2003;Roussy, 2013).Budget approval by the audit committee is a significant source of its independence because if open to management approval, management could constrain the budget, in turn reducing audit scope (Christopher et al., 2009) and preventing fraud detection (James, 2003).However, there are opposite indications of embeddedness with the audit committee too.For example, internal auditors may perceive higher threats from management when reporting high levels of fraud risks directly to the audit committee (Abbott et al., 2016;Norman et al., 2010;Roussy, 2013Roussy, , 2015)).If management has power over the IAF, internal auditors could experience pressures to obey management's requirements to not report on (or insist on correcting) misstatements found during audits (Abbott et al., 2016;Harrell et al., 1989;Norman et al., 2011).Due to the reporting relationships that distinguish the internal auditor's predisposition, the study of organisational independence can be enriched by adding the theoretical dimension of embeddedness (Callon, 1998;Granovetter, 1985), as discussed next.
2.1.1Embeddednessstructuring organisational independence.The embeddedness perspective tells us that the network of social relationships shapes economic action (Granovetter, 1985).Action is embedded in structures of social relations because actors internalise normative standards of behaviour (Granovetter, 1985).Internal auditors, being part of power relations, are "embedded in networks of interpersonal relations" (Granovetter, 1985, p. 504), found within multilayered relationships with superiors, peers and employees below their rank (Page and Spira, 2005).Embeddedness captures the essential characteristic of agents' dependence on their environment (Callon, 1998).This dimension can thus aid the understanding of how internal auditors are situated in networks of corporate governance, and how their independence is affected by this embeddedness.Such networks define the world of the inhabitants, it configures their ontologies: "the agents, their dimensions, and what they are and do, all depend on the morphology of the relations in which they are involved" (Callon, 2006, p. 277).Callon (2006) explains that agents can orient themselves in radically uncertain environments and make their calculations and decisions because they are part of a web of relations and connections between thesethey contain this network and are "actor-worlds" (Callon, 2006, p. 277).Such a network configures the ontologies of its members (Callon, 2006).Granovetter's (1973Granovetter's ( , 1985) ) arguments on embeddedness includes a notion of the strength of ties between actors.When an actor has ties with a couple of unrelated actors, they will start collaborating, even though such a tie is "weak" (Granovetter, 1973).Callon (1998) interprets Granovetter to say that anything that stabilises the actors in terms of their being and description, varies depending on the form and function of the relations between them: The capacity of an agent to make autonomous choices [. ..], is not inscribed in her nature; it coincides with the morphology of her relationships (Callon, 1998, p. 9).
In attempting to understand agents' relationships, Callon (1998) adds that such ties help decide agents' possibilities to engage in action.It is possible to characterise types of relationships depending on their distribution.When actors are in between networks of relationships, more options for action are available, and if the relations are instead redundant, the actor loses the ability to make choices.We can therefore learn much more about actors' modes of action when considering their embeddedness in triangular relationships because when adding a third actor, the relationship between the first two becomes comprehensible and analysable (Callon, 1998).This literature is therefore suitable as a frame of reference for the analysis of the triadic relationships of internal auditors, being entangled with the audit committee and management.Studying internal auditors' embeddedness in this triadic relationship can aid the understanding of internal auditor independence.Thus, while the literature shows that internal auditors' social relations are torn between the audit committee and management, it is inconclusive regarding how we can understand the forms of AAAJ 36,9 independence from the configuration of these relations due to different situations of triadic organisation between internal auditors, audit committees and management.To analyse forms of independence as situated practice, we need to add the concept of operational independence and how this can be understood through the dimension of coupling (Orton and Weick, 1990;Weick, 1976).This is discussed next.

Operational independence through coupling
As argued above, operational independence is at the very core of auditingthe audit process and auditors' capability to perform an audit and report findings (Power, 1997;Gu enin-Paracini et al., 2015) and concerns auditors' access to and entanglement in the auditee's information, design of knowledge flows and policy production.Coupling (Orton and Weick, 1990;Weick, 1976) is a significant dimension from which to study operational independence, because it involves disciplining or determining the link between judgment and practice by a commander different from the internal auditor (c.f.Sauder and Espeland, 2009), depending on how the internal auditor's relationship is embedded.
Operational independence is divided into informational and epistemic independence (Jeppesen, 1998;Power, 1997).Informational independence refers to the auditor's dependence on the client to retrieve information, and epistemic independence concerns the auditor's presuppositions for a knowledge base distinct from the client (Page and Spira, 2005).External auditors are almost always informationally dependent because they must trust "at least some of the representations of management and other internal sources of information" (Power, 1997, p. 132).Internal auditors can have a deeper knowledge of the company and its systems and affairs beyond managerial influence.Competence and expertise are important for informational independence because inexperienced auditors need to rely on management's explanations and may have difficulty challenging them (Daoust and Malsch, 2020;Page and Spira, 2005).When informational independence is weak, the audit process may instead be epistemically independent, and an inverse relationship between the two may be discerned (Power, 1997).
It is not only information that needs to be available without managerial involvement; the auditor's knowledge base for building audit conclusions must be detached from management (Jeppesen, 1998).Epistemic independence captures this aspect; it is the core of the audit process (Power, 1997).The auditor needs "clear rules of auditee conduct and robust techniques for determining compliance with these rules", and this determination is to be performed without help from the client for epistemic independence to take effect (Power, 1997).There need to be "clear standards of performance and criteria for determining compliance or breach" as a condition for epistemic independence (Power, 1997, p. 133).The auditor's knowledge base cannot be "biased towards serving the interests of the auditee" (Jeppesen, 1998, p. 530).Internal auditors ought to "set their agenda" and to select "what to audit and when" (van Peursem, 2005, p. 509).Even though management input on planning may perhaps be warranted, given their knowledge of high-risk areas, they cannot be too heavily involved.This is because internal auditors should determine, with opinions from the audit committee, the extent and depth of the audit steps and procedures in the plan to provide independent assurance (Christopher et al., 2009).
In addition to these two operational concepts of independence, policy independence concerns the extent to which the auditors "construct and realize policy objectives in their own image" (Power, 2003, p. 193), thus being able to formulate and set operational standards for the organisations they are part of.Becoming policymakers may impose a threat of selfreview, particularly when internal auditors design internal controls "by becoming directly involved in operations" (Roussy, 2015, p. 252).Such work "compromises the IAF and gives the impression that the internal auditor owns the process, rather than management" Internal auditor independence (Power, 2007, p. 59), and thus their assurance work risks becoming futile.Consulting services give a reason for threats from this viewpoint, when internal auditors become partners to management (Lenz and Sarens, 2012;Roussy, 2013Roussy, , 2015) ) [2].These three operational concepts of independence provide the coupling dimension and is discussed next.
2.2.1 Couplingenacting operational independence.When studying internal auditor independence as situated in governance relationships, organisations can be discussed in terms of coupling (Glassman, 1973;Orton and Weick, 1990;Weick, 1976), to understand the linkages of organisational elements and how they cooperate (Orton and Weick, 1990).Organisational elements can be understood as practices or decision-making performed within organisations (Boxenbaum and Jonsson, 2017).By adding "loosely" to this concept, the presence of spontaneous changes to such elements and their preservation due to degrees of independence and indetermination are included in the explanation (Orton and Weick, 1990).The notion of coupling of systems rests on processes of differentiation and integration in organisations (Llewellyn, 1998;Weick, 1976).A loose coupling has the effect of organisational parts being "sealed-off", which provides organisational actors with a better possibility for self-determination (Llewellyn, 1998).A loosely coupled system has autonomous units, where its actors enjoy high discretion (Weick, 1976).In such a system, internal auditors can enjoy higher autonomy even at the cost of seclusion.Tight coupling, by contrast, involves tight control over a certification of which actor does the work and an inspection of how well it is done (Weick, 1976).
Loosely coupled systems take the shape of well-connected networks where influence spreads slowly, coordination is slow or lacking, or regulations are scarce or absent (Weick, 1976).Loosely coupled systems are difficult to observe by a viewer; decentralisation, as well as a delegation of discretion, mark such a system.A tightly coupled system is instead marked by elements dependent and constrained through their ties.When practitioners perform work in loosely coupled systems, they "pursue their craft according to their schedules and procedures and being controlled by no less than their own peers" (Raelin, 1989, p. 216).Internal auditors need the freedom to make judgments when performing professional tasks and participate in setting goals and authority to make decisions regarding their work (Aghghale et al., 2014;Evans and Fischer, 1992).In this way, coupling is closely related to operational independence.

Analytical construct: organisational embeddedness and operational coupling
Based on the literature review, this study argues for independence to be studied as a situated practice, considering the multiplexity of the relationship between the internal auditor, audit committee and management.To contribute with a deeper understanding of independence, additional theoretical support is needed.This study mobilises literature from organisational theory by drawing on the two dimensions, embeddedness and coupling, to analyse how internal auditor independence is constructed for a situated understanding of independence.This analytical construct is presented in Figure 1.
Organisational independence depicts the auditor's embeddedness in structural forms for their willingness to act independently, such as rules and routines designed for the autonomous execution of the role regarding the ties within the tripartite constellation where the situatedness of the IAF is paramount.The IAF's relationship is embedded with the audit committee or management when significantly tied and reporting to the audit committee, or management.
Operational independence depicts the auditor's capability to perform assurance and denotes how they enact assurance in the presence of coupling, in which forms of coordination of assurance activities and degrees of delegation of discretion are pivotal to achieve results.When the work of the internal auditor is loosely coupled to the chain of command (be it the audit committee or management), they perform the work autonomously.By contrast, when AAAJ 36,9 the work of the internal auditor is tightly coupled to the chain of command, they perform the work in a heteronomous way.
This analytical construct guides the CDA to make sense of the data that this study's findings are built on.Next, the research methodology and design are presented, including the analytical work of constructing codes and categories.

Research design and methodology
This study undertakes a CDA of the "semiotic elements of social practices" (Chouliaraki and Fairclough, 1999, p. 38), that is, narratives on internal auditing in corporate governance.Our literature review has led us to assert that performing a CDA is a novel approach to this field.Weick (1976) suggests a comparative research approach to examine varieties of loosely and tightly coupled systems in organisations, which in a similar vein has been pursued by comparing the Corporate Governance Reports (CGRs) for companies with an IAF in the Swedish market.
There are additional reasons why it is profitable to study the meaning of independence using corporate governance reports, instead of, say, through interviews with the actor groups in action here.The benefit of undertaking an analysis on CGRs is its focus on "observables" to depict "things that are available for empirical inquiry" (Alvesson andK€ arreman, 2011, p. 1123).An official report may be viewed as a valid document for the purpose of scholarly Internal auditor independence study in that it "commands consent, especially among insiders who acknowledge their arbitrary nature" (Chua, 1995, p. 115) [3].Organisational structures of corporate governance disclosed in CGRs might be merely symbolic ways to present the organisation as conforming to demands for accountability, while its operations can be loosely coupled to these structures (Kalbers and Fogarty, 1998).Viewing the contents of CGRs as representing governance practices would ignore the possibility that CGRs complete or supplement an ostensive practice rather than present it again (Robson, 1999).Producing a report such as a CGR can thus be viewed as a form of account "fabrication" performed "by a network of enrolled fact builders and software" (Chua, 1995, p. 113), in its own right.
However, scholars pursuing a CDA argue that it is socially constitutive because it can shape organisational reality (Chouliaraki and Fairclough, 1999).To understand internal auditor independence, which is one discourse among many, it is helpful to critique its hegemony by studying how it constructs the economic reality of actors involved in the governance processes (Chouliaraki and Fairclough, 1999).A CDA brings to light the construction of power structures surrounding internal auditors instead of seeing the concept of independence as just reflecting their economic reality (Chouliaraki and Fairclough, 1999).The focus on CGRs facilitates a study of the discourse of internal audit in large listed nonfinancial entities, which is particularly beneficial considering that it is difficult to gain access to internal auditors (Neu et al., 2013;Roussy, 2015).A study of discourses on CGRs is a way to look into the organisations by attending to the narratives companies provide of their internal auditors within corporate governance.The method and process of this study are discussed next.

Selection of companies
The companies were selected using the following procedure.The study's focus is large, listed non-financial companies with Swedish headquarters, complying with Swedish regulations.As of 3 January 2011, 56 companies were registered on the large-cap list of Nasdaq OMX Stockholm stock exchange.While no official record of companies with Swedish headquarters was available, our preparatory analysis found 44 such companies.Second, while no official record exists of companies with an IAF, the reports of all 44 companies was screened to ascertain which ones have an IAF.The presence of an IAF can be discerned by the help of the Swedish Corporate Governance Code for listed organisations, which asks them to state their evaluation of the need for an IAF each year (Swedish Corporate Governance Board, 2010 section 7.4) in the CGR.In this way, 23 companies with IAFs were found (see Appendix Tables A1 and A2) and included in the analysis.Third, based on developments in corporate reporting, Swedish codes and regulations concerning corporate governance and internal auditing in particular, three years from 2008 to 2010 were selected as the period of study.Swedish corporate governance underwent an important development during this time.A CGR was legally mandated in 2010, before which such reports emerged out of the listing agreement on the Stockholm Stock Exchange, following the Swedish corporate governance code on a comply-or-explain basis.From 2010, these reports came to be reviewed by the company's auditor.Selecting this period allowed for comparison of reports two years before the legal mandate and one year after.The reason for choosing this period is that the practice had not yet settled, making reporting more informative on companies' stage activities and offered an opportunity to analyse relevant content regarding the development of IAFs in companies subject to Swedish regulations.

Analysis and coding
Next, an analysis document was compiled to facilitate annual comparisons for each company and between companies.PDFs of the CGRs of these 23 large-cap companies were collected from their websites and came to a total of 600 pages.The analysis document was compiled by AAAJ 36,9 reading the CGRs and copying information with relevant content pertaining to internal auditing into the analysis document; the references to each CGR including page number were also added.The analysis document came to 190 pages.Other "forms of semiosis" were collected (Chouliaraki and Fairclough, 1999) and compiled in a 56-page long PowerPoint document, comprising visual images (charts and tables) related to the governance structure of the companies taken from their CGRs.From these charts, the IAF's position in the governance structure is discernible.The images helped interpret the IAF's embeddedness with audit committees or management, illustrating internal audit reporting lines.
The CDA was informed by the analytical construct developed in Section 2. The classification was developed through many sequential elaborations to refine the analysis for the two dimensions as follows.
3.2.1The organisational embeddedness dimension.The coding of the narratives in the CGRs was performed for the organisational embeddedness dimension, with codes capturing the IAF's ties with the hierarchical level in the governance system to which internal auditors report and which manages their employment and remuneration and sanctions their work.Examples of the codes used reflect the direction of and strength in the ties for reporting to the audit committee or management.
3.2.2The operational coupling dimension.For the operational coupling dimension, the codes captured the IAF's capability to perform an audit through risk analysis, planning, evidence gathering, drawing conclusions and reporting findings.For the loose coupling category, codes were used in the form of verbs, such as develop, improve, ensure, determine, monitor and being proactive, indicating internal auditor self-determination and autonomy to pursue their work at their professional discretion.For the tight coupling category, codes were used in the form of verbs, such as being controlled and supervised, indicating the ways in which internal auditors are subject to domination and control.Verbs were found helpful to capture the activity of the superior body and those used as codes include determine, establish and adopt, representing activities to subordinate the auditors and regulate and constrain their professional autonomy.
The way the codes were classified into each archetype was repeatedly performed to find the best representation of each IAF into a specific archetype.This elaboration was carefully executed, iterating between the coding and the literature through the analytical construct in an abductive approach, where one single archetype could not always be found for each company, and the dominant archetype was given precedence for classifying the IAFs.

Validation of results
To validate and evaluate the dependability (Lincoln and Guba, 1985) of the interpretations made, the preliminary results were presented at a seminar in November 2015 at the headquarters of the Swedish IIA.The five participants in this seminar consisted of a prominent officer at the Swedish IIA, a project leader at the IIA headquarters, a CAE for a state-owned company and two CAEs managing the IAFs of listed companies included in this study.The preliminary conclusions were presented at the seminar and in this way, the interpretations at a late stage in the analysis process were validated through the participants recognising themselves in the interpretations made (following Gu enin- Paracini et al., 2015).The seminar lasted three hours, where its most important part for the validation of results was the participants' discussion of the study's preliminary findingswith a duration of 80 min-which was audio-recorded and later transcribed.The participants at this seminar are to remain anonymous.To further increase the dependability (Lincoln and Guba, 1985) of the findings and conclusions, early drafts of the paper were presented at a conference and a research seminar, and the suggestions given have been used to further develop the paper.

Findingssituating internal auditor independence
This study investigates the meaning of internal auditor independence by analysing how the discourses in CGRs construct internal auditor independence.For this reason, the analysis of the narratives regarding IAFs is guided by the analytical construct.
4.1 Internal auditinga loosely coupled unit embedded in the audit committee Four companies have constructed their IAFs, as found in their CGRs, as loosely coupled units embedded in the audit committee, namely Electrolux, Husqvarna, Lundin Petroleum and Sandvik.They are denominated asindependent: Sandvik; independent and objective: Husqvarna and Electrolux; and objective: Lundin Petroleum.The loose coupling of these IAFs are determined through the ways in which they determine the basis of their work and proactively perform audits, given they were presented in the CGRs as autonomous with high discretion to operate (Llewellyn, 1998;Weick, 1976).Their IAFs, for instance, perform risk analysis as a basis for the audit plan.After its creation, the audit plan is presented to the audit committee, which takes a rather passive role in its establishment.The Group's internal audit function performs an annual risk analysis to identify such items and quantify risks.The result of risk analysis and evaluation are reported to the audit committee and are subsequently taken into account in the annual internal audit plans.(Husqvarna, 2011, p. 54) In this category, it is the IAF that performs the risk analysis.What is important is the narration of ties regarding working practices, such as in Husqvarna, the working relationship for internal auditors being described to be with the audit committee, not the management.In the other companies, a similar self-determination comes through in the reports, to regularly perform risk assessments and coordinate audits (Lundin Petroleum, 2011, p. 49).An IAF in this category does not only maintain, for instance, test plans but can develop its foundations for work.
Within the Electrolux Control System, management is responsible for testing key controls.Management testers who are independent of the control operator perform these activities.The Group's internal audit function maintains test plans and performs independent testing of selected controls.(Electrolux, 2011, p. 96) Here, the division of responsibilities between management and internal auditors is described in line with the IIA Three Lines Model (c.f.IIA, 2020).A table provides details on the type of tests performed: the IAF "performs independent testing of selected controls through desktop reviews and onsite re-performance of tests to ensure the methodology is adhered to" (Electrolux, 2011, p. 96).Maintenance and testing of controls are performed by the IAF, which tests selected controls at its own discretion.The role of management in this category is of an entity being audited, while the IAF's ties to the audit committee shapes its action (Granovetter, 1985).The IAF is loosely coupled with the audit committee, because audit committees are described as rather passive in how to work with the IAF.The audit committee in Electrolux is "[t]o follow up the activities of the internal audit function Management Assurance and Special Assignments as regards organisation, recruiting, budgets, plans, results and audit reports" (Electrolux, 2011, p. 90).Here, the terminology used, "to follow up", means a superior body undertaking "the pursuit or prosecution of something begun or attempted" (Oxford English Dictionary, 2019, no. 5) but not necessarily intervening in how such tasks turn out; instead, these are subject to the IAF's work.These IAFs have autonomy to work with a high degree of indetermination and are loosely coupled with the audit committee that works with them from a distance, leaving them with a high level of discretion to plan and execute their work (Orton and Weick, 1990;Weick, 1976).Another example is Lundin Petroleum (2011, p. 48), in which the audit committee " . . .supervises the efficiency of the internal auditing, . .."To supervise means "to oversee or direct the execution of" (Oxford English Dictionary, 2019, no.2a), which could imply a tighter coupling.However, the IAF has delegated responsibilities to monitor compliance at all levels, not just the operational level (Lundin Petroleum, 2010).Monitoring means to "observe, supervise, or keep under review,. . . to measure or test at intervals, esp.for the purpose of regulation or control" (Oxford English Dictionary, 2019, no. 2c).This responsibility is described in more detail: Monitoring and reporting are also done by the internal audit function, which provides objective support to the Board on matters relating to the internal control by investigating major areas of risk and by doing reviews in defined areas.(Lundin Petroleum, 2011, p. 49) These companies present both their observations and communicate recommendations to the audit committee to improve internal control over financial reporting (c.f.Husqvarna, 2011).IAFs are described as proactive and responsible because they share characteristics of having abilities to conduct their audit assignments autonomously, constituted by some common attributes such as to be "responsible for independent objective assurance", and the mission of their work to "systematically evaluate and propose improvements" (Electrolux, 2011, p. 91).They concentrate their work on internal audits and contribute to improvements in the internal control structure through their findings and recommendations.The embeddedness of the IAF in the audit committee is demonstrated by the head of the unit Group Assurance reporting to the audit committee (c.f.Sandvik, 2010Sandvik, , 2011)).In this category, IAFs are constructed as loosely coupled, with high discretion and self-determination to plan and carry out audit tasks, while the configuration of their relationships indicates embeddedness in the audit committee.

Internal auditinga tightly coupled unit embedded in the audit committee
The IAFs in nine companies are constructed as tightly coupled units embedded with the audit committee in their CGRs.Six of them are denominated as independent in their CGRs: Ericsson, MTG, Skanska, SSAB and Swedish Match and independent and objective: Investor, while the words "independent" or "objective" (or varieties) are not present in the CGRs of Alfa Laval, Kinnevik, or SCA.In this category, the IAF is constrained by the superior body, the audit committee and a lack of ability to determine work with risk analysis: The risk assessment process has been led by the Risk Control function, in cooperation with the Compliance and Internal Control functions [i.e.IAF] . . . the audit committee determines which of the identified risks should be prioritized by the internal control function during the year to ensure correct financial reporting (Investor, 2011, p. 59) This example indicates that a function (the Risk Control function) different from the IAF has a major influence over the performance and execution of the risk analysis that internal audit is based on and that auditors do not themselves control the prioritisation of identified risks, which is determined by the audit committee.The IAF's task is to execute these prioritisations set by the audit committee.The word determine means "to lay down decisively or authoritatively, to pronounce, declare, state" (Oxford English Dictionary, 2019, no.6a) and thus indicates a hierarchical subordination of internal auditors to the audit committee in the way work is performed.The IAF is tightly coupled due to its actions being dependent on and constrained by the superior element (Weick, 1976), the audit committee.In this category, the IAF's subordination is indicated by the audit committee taking an active role in its work and conducting an analysis of the audit's focus and scope: Based on the result of the internal and external risk assessment, the Committee regularly analyses the focus and scope of the audit with the Company's internal and external auditors.Each year, the audit committee adopts an internal audit plan which, among other things, is based on the risks that have arisen in the risk management process described above.(SSAB, 2010, p. 109)

Internal auditor independence
Thus, it is the audit committee that adopts the audit plan, based on its analysis.Adopting means to "accept (a report, proposal, resolution, etc.) formally; to ratify" (Oxford English Dictionary, 2019, no.8), but the audit committee is closely engaged in the work by not only formally adopting the plan but having a direct impact upon both the risk analysis and the resulting plan.The IAF of SSAB is dominated by the audit committee.The board of Alfa Laval determines the scope of internal audits (Alfa Laval, 2010, p. 126); it "has the right to determine the focus of the internal audit" (Alfa Laval, 2011, p. 124) and "establishes the direction, extent and time schedules for the internal audit team's work" (Alfa Laval, 2010, p. 127).Another word stands out, namely to establish the direction, meaning "to fix, settle, institute or ordain permanently, by enactment or agreement" (Oxford English Dictionary, 2019, no.2a).When the audit committee establishes internal auditor work, the internal auditor's self-determination is affected.The committee's involvement is manifested in how CGRs present it as efficient and proactive regarding reporting as the basis for planning: The internal audit team reports the results of the audits performed to the audit committee.On these occasions, the planning parameters for the next six to eight months are also established.(Alfa Laval, 2010, p. 126) Accordingly, audit committees in this category take part in the planning by establishing the parameters of the internal audit work.Another example of the embeddedness of the IAFs is the internal auditor reporting to the audit committee, which is the norm in this category: The head of each Group staff unit, aside from the head of Internal Audit and Compliance, reports directly to a member of the Senior Executive Team.The head of Internal Audit and Compliance reports to the Board via its audit committee.(Skanska, 2011, p. 78) While reporting is made formally to the audit committee, there is a specific procedure for reporting to management, related to management's needs to make the changes prompted by the IAFs findings and observations: The internal audit team also distributes reports from individual audits to the Group Management members concerned.To ensure that the internal audits result in specific measures, a procedure for continuous follow-up of agreed measures has been established.(Alfa Laval, 2010, p. 126) In the companies in this category, IAFs are constructed as tightly coupled units, both controlled and supervised by the audit committee and embedded in the committee, while the management in this tripartite relationship is in the focus of IAF assurance work.The IAF is described as subject to determination and tight processes of integration effectuated by the audit committee (Llewellyn, 1998;Weick, 1976).

Internal auditinga loosely coupled unit embedded in management
Five IAFs, in Atlas Copco, Securitas, SKF, Tele2 and Trelleborg, are found to be constructed as loosely coupled and with ties foremost with the management by working closer to them than to the audit committee, due to the ways in which the organisational elements are linked and how they operate (Orton and Weick, 1990).In only two of these functions, the words "independence" or "objectivity" (or varieties) are scripted in their CGRs, namely Atlas Copco and Tele2, as exemplified by Atlas Copco's CGRs: . . . the Internal Audit process is intended to add value to each operational unit by providing an independent and objective assurance to its processes, identify and recommend improvements, and serve as a tool for employee professional development.(Atlas Copco, 2011, p. 132) This value-adding capacity is linked to independent assurance to facilitate improvements and employees' professional development.Both the IAFs of Securitas and Trelleborg, neither of which contain the word "independent" (or varieties) in their CGRs, do consulting for AAAJ 36,9 management as well as assurance work for the audit committee.In Trelleborg, the IAF is called the Internal Control Staff Function; in addition to the description of the function (as exemplified by Atlas Copco), its reports emphasise the dual assurance/consulting tasks for the function to not only "ensure" the internal control over financial reporting but also "developing" and "improving" it (c.f.picture in Trelleborg, 2011, p. 49).These reports express procedures such as risk assessments to facilitate prioritisation, development of selfevaluations, and how these are followed up.Likewise, the IAF of Securitas, called "the Management Assurance staff function", developed a "fine-tuning of follow-up procedures and reporting" (Securitas, 2011, p. 51).This is a "coordinating and monitoring function" for "certain internal control activities at Group level" (Securitas, 2011, p. 51).The responsibilities of the IAFs in this category include assurance-and advisory-related activities.Different activities regarding systems for internal control and risk assessments are supplemented with internal audits, such as in Tele2 (2011, p. 9), where processes are assessed by the IAF "to ensure adequate risk management, internal steering and control" and adherence to the internal control framework of the group (SKF, 2011).In Securitas, the IAF's assurance work includes: Determining and planning areas of specific focus and/or control diagnostics based on risk assessments made, discussions with divisional management and audit findings, . . .(Securitas, 2011, p. 51).
The quoted texts indicate that the IAFs have a certain degree of autonomous discretion and self-determination to design and perform operations (Orton and Weick, 1990;Weick, 1976), reflected in words used such as developing, improving, ensuring, establishing, determining, monitoring and being proactive.The relational configuration of internal auditor work is primarily through their ties with management and the distribution of activities is related to managerial tasks.In this category, the organisational elements are linked and they cooperate (Orton and Weick, 1990) in the tripartite relations between the IAF, management and the audit committee.The loose coupling of these functions is visible in the descriptions of the committees' work in the oversight of management and the IAFs, where the last are signified as self-determined with opportunities for autonomous action (Llewellyn, 1998;Orton and Weick, 1990).For instance, the audit committee of Trelleborg (2011, p.48 picture) is "overseeing the effectiveness of the Company's internal control, internal audit and risk management" and focuses on: . . .follow up of annual work plans for the Internal Control Staff function; review of continuous reporting from the Internal Control staff function relating to internal audits and the proactive work on the internal control environment (Trelleborg, 2011, p. 43).
The words, follow up, review and overseeing, indicate that the audit committee does not endeavour to work with the plans the IAF has made and the work is merely sanctioned by the committee.The committees in this category let IAFs organise themselves with high discretion to operate (Weick, 1976)for instance, to prepare an annual plan for its work which "is approved by the audit committee" (Tele2, 2011, p. 9).Its role is more of a supporter than directing work.Its approval does not construct the IAF as heteronomous; instead, these IAFs are signified primarily as proactive and self-standing: The risk assessment is updated on an annual basis under the direction of the Internal Control Staff function and the results are reported to the audit committee.(Trelleborg, 2011, p. 50 picture) The word direction means "the action or function of directing, [. ..] of instructing how to proceed or act aright; authoritative guidance, instruction" (Oxford English Dictionary, 2019, no. 1c).This choice of wording in the CGR constructs the IAF as able to direct the work it performs and signifies it as in charge of the assurance work of the organisation with the Internal auditor independence freedom to govern itself.The close cooperation between management and IAF members enhances this interpretation of embeddedness with management for companies in this category, where the IAF "reports directly to the Senior Vice President Finance with an open line of communication to the audit committee" (Securitas, 2011, p. 51).In this category, the CFO and the CAE have good representation in the committee meeting agendas and participate in all meetings, such as through joint reporting by the CFO and the IAF in Tele2: Tele2's CFO and Internal Control Director regularly report to the audit committee regarding the findings from internal audit and steps being taken to improve internal control (Tele2, 2011, p. 9).
In this category, the audit committee oversees internal audit activities and its working practices include annual assessment of the IAF, such as in Securitas "to ensure that the activities undertaken enable a well-functioning monitoring structure" (Securitas, 2011, p. 51).This monitoring and annual assessment are strengthening the IAF, but it still has delegated discretion (Weick, 1976) to perform its work.In this category, the IAF is embedded with management through these ties, but while its work is sanctioned by the audit committee, the committee exerts particular oversight over work done by management.This in turn ought to strengthen internal auditor independence despite its ties with management.

Internal auditing a tightly coupled unit embedded in management
Five companies are found to be constructed in this category, embedded in the management functions of their companies and tightly coupled in the establishment and execution of audit procedures.In the CGRs of SAAB, Scania and Volvo, three functions are scripted as independent, while an independence denomination of the IAF is not included in the CGR's of Assa Abloy and Telia Sonera.These five companies are constructed as tightly coupled in the CGRs, due to the high coordination (Weick, 1976) of risk assessment and audit planning in which the IAF's impact is described as limited.The CGR of SAAB expresses how this work is carried out: Group Finance continuously coordinates an overall risk assessment of the financial reporting.This process involves self-assessments by the Group functions and business areas.The current risk assessment is reviewed with SAAB's Internal Audit, which adjusts its annual audit plan accordingly.(SAAB, 2011, p. 131) The audit plan is adjusted with the risk assessment the IAF receives from Group Finance, an example of the IAF being coerced in their professional discretion to operate (Weick, 1976).In Telia Sonera, the management has an overarching role for the risk-based testing, review and assessment of internal controls, through meetings chaired by the CFO, who "summons" attendees among finance managers, corporate control, internal audit, and external auditors, depending on the issues to be discussed: At these meetings, the performance of internal controls is reviewed and assessed and corrective actions are decided, if necessary.Risk-based testing of key controls is carried out on behalf of management in order to assess the quality of the internal controls.[. ..]The result of the testing is communicated to all relevant business units, where corrective or improvement actions are initiated and performed, and at least once a year a joint TeliaSonera/auditors report is presented for the audit committee.(TeliaSonera, 2011, pp. 26-27) This quote is an example of the tight coordination and integration between elements (Llewellyn, 1998;Weick, 1976) regarding the internal control activities in this category.The CEO role for directing the IAF's work stands out as particularly strong, for example in TeliaSonera where the IAF reports to the CEO "who decides in consultation with the audit committee on the function's tasks and priorities" (TeliaSonera, 2011, p. 27).The tight coupling is discernible from the audit committee's certification of audit planning, such as in Assa AAAJ 36,9 Abloy where the IAF "carries out annual financial evaluations in accordance with the plan annually adopted by the audit committee" (Assa Abloy, 2010, p. 113), and in TeliaSonera, where audit committee work includes "assessment and approval of the audit plans of external and internal auditors" (TeliaSonera, 2011, p. 22).
There are further examples of the IAFs of these companies being described as embedded in management, in both organisational charts and the CGR texts.In Scania, "Group Internal Audit" is in the organisation chart placed to the right of management, with a dotted line to the audit committee, and "functionally, the unit reports to the CFO" (Scania, 2011, p. 62).In Volvo, "[t]he Head of the Internal Audit function reports directly to the CEO, the Group's CFO and the audit committee" (Volvo, 2011, p. 146).The "Management Assurance function" of Assa Abloy is managed by the Group Controller, and in SAAB, the IAF is embedded in Group Finance and part of the internal control structure.It reviews the efficiency of internal control processes (SAAB, 2011, p. 132) and performs services to the business units and controller organisation: Internal Audit supports locally applied internal controls and the central controller staff.Together they serve as a resource to monitor financial reporting routines (SAAB, 2011, p. 132) The ties between these two actors, management and the IAF, are particularly strong in this category.The IAFs are constructed as embedded with management due to the strengths of their ties through reporting and the magnitude of cooperation in conducting work.Such embeddedness has a certain capacity to configure the ontology of the actors (Callon, 2006), and in this case, the ability of the internal auditors to make their calculations and decisions according to their own professional statutes.At the same time, the morphology of the relationship between the two (Callon, 1998) is decided by the third actor, the audit committee.Despite the embeddedness of these five IAFs in the internal control and financial reporting responsibilities of management, corporate governance in this category facilitates the audit committees to exert firm control over their IAFs.For example, the audit committee in Assa Abloy directs the actors' possibilities of engaging in action (Granovetter, 1985) based on "a review of Management Assurance procedures" (Assa Abloy, 2010, p. 108), and in Volvo, the audit committee is denominated as responsible for evaluating "the quality, relevance and efficiency" of the IAF (Volvo, 2011, p. 145).There are examples of separate meetings between the audit committee, external auditors and Head of Internal Audit, without any members of management being present (Volvo, 2011, p. 145).
In sum, this category presents interpretations of the triangular relationships of the actors where the possibilities of the agents' abilities to engage in action regarding their professional obligations and discretion are affected by the strength of their ties (Callon, 2006).In this category, the IAF is embedded with the management but overseen by the audit committee, and their work is both determined by and dependent upon the discretion of these actors through the tight coupling of the organisational elements (Orton and Weick, 1990).

Summary and discussion of findings
When analysing the organisation of these IAFs with the analytical construct in the two dimensions of operational coupling and organisational embeddedness, internal auditor independence emerges as situated, in the form of four archetypes: autarchic, instrumental, symbiotic and subservient.Figure 2 provides an overview of these archetypes and to which each company belongs.
4.5.1 Autarchic IAF as a loosely coupled unit embedded in the audit committee.In this category, the IAF is a loosely coupled function, where its auditors act as experts to freely execute their internal audits.It displays characteristics of a textbook example of an IAF and shares the ideal of Mautz and Sharaf's (1961) "practitioner-independence" regarding the Internal auditor independence autonomy of the auditor in planning, performing and reporting work.The audit committee has a passive role, receiving internal auditor reports and leaving the IAF to govern itself.The IAF has links to the audit committee, with operational and organisational independence.This category is thus denominated as autarchic, meaning an IAF can exert operational independence over its practice, as sourced from its free-standing relations with the audit committee.Such an IAF is independent in the traditional sense of the concept, further strengthened in relation to the management by its link to the committee.This category thus fulfils the conception of internal auditor independence celebrated by the IIA in the capacity to provide assurance and answers to demands from both audit committee members and external auditors as watchdogs over the internal control system (IIA, 2017; Roussy and Brivot, 2016).
4.5.2Instrumental IAF as a tightly coupled unit embedded in the audit committee.In this category, the IAF is tightly coupled, being controlled, supervised and embedded in its contacts with the audit committee.The committee dominates the IAF and sets its plans, which the IAF executes in conjunction with its directives.Management has a passive role and little part in organising the IAF.The IAF reports first to the audit committee and then to the management.This category is connoted as instrumental, meaning the IAF has an important role even though it performs that through the directives from the audit committee.The committee dominates the IAF and decides on its pre-, intra-and post-procedures.The organisational independence and social-political standing of the IAF vis-a-vis the management is negotiated via the audit committee.Thus, the IAF suffers a loss of operational independence through epistemic and policy dependence on the audit committee.Even though a vibrant audit committee with the technical expertise to understand the work of internal auditors is important for their independence and efficiency, as argued by Christopher et al. (2009), this category indicates a coupling between internal auditors and audit committees that may require the latter to overtake the IAF's knowledge and professional skills.Such a development could indicate risks to the foundation of oversight by audit committee members if they take over the role of internal auditors to provide them with assurance.4.5.3Symbiotic IAF as a loosely coupled unit embedded in management.In this category, the IAF is loosely coupled and can decide its work but has a relationship foremost with the management.These IAFs have self-determination in terms of risk analysis and audit planning, and although the audit committee supports the IAF by means such as sanctioning audit plans, it does not devote work to these plans, in comparison with the instrumental category where it does more direct work on internal audit.IAFs are primarily embedded in the activities of the CFO, with tasks specifically performed for management in the form of consultancy to improve the internal control systems.The IAF reports first to the management and then to the audit committee.This category is denominated as symbiotic because the IAF decides on its work processes and has operational independence, even as it works in close cooperation with the managementthe CFO and the controlling function.This category resembles the IAF's characteristics in Roussy's study (2013), potentially in the internal auditor role as helper of management, with the difference that they also work for the audit committee.The IAF's embeddedness with management in this category may not be appreciated by external auditors, who prefer a distance between these (Roussy and Brivot, 2016).
4.5.4Subservient IAF as a tightly coupled unit embedded in management.In this category, the IAF is subjugated first to the management and second to the audit committee and is thus under the command of both.It is embedded with and works tightly with managerial functions, such as internal control functions.Operational independence in the epistemic sense tends to be weaker than in the other three archetypes, and policy independence is weaker because the IAF is submerged into the internal control system and tends to impact it directly.This category is denominated as subservient because the management, especially the CFO, affects internal auditors' independence.Management has the capacity to decide on the pre-, intra-and post procedures of the IAF, while the audit committee has oversight over management by exerting control by, for example, utilising external auditing and demanding the presence of internal auditors at meetings.Similar to the contributions of Gendron and B edard (2006) where audit committee members construct meanings of effectiveness through interaction, there is close cooperation within the universe of corporate governance in this category.The role of internal auditors resembles what Roussy and Brivot (2016) call eminence grise, meaning audit committees expect IAFs to be of high importance for management to help and support them in the administration of the company.This category informs Roussy's (2015) finding where internal auditors tend to perform management control more than an assurance function within corporate governance.Like the symbiotic archetype, internal auditors' close ties with management may be discrepant with the view of independent internal auditors (Roussy and Rodrigue, 2018), but the governance in the companies studied in the Swedish context is strengthened by the tight oversight of audit committees over both management and internal auditors.Similar to Gendron and B edard (2006), the audit committee members signal effectiveness in their oversight when being "challenging" (p.226).In this category, IAFs are independent vis-a-vis the companies' operational units over which they perform their audit engagements.

Conclusions
This study contributes to the auditor independence literature by analysing how internal auditor independence is constructed when studied as situated in the corporate governance context.It suggests that the understanding of auditor independence can be expanded by developing a framework built on organisational embeddedness and operational coupling and in turn developing an understanding of auditor independence as a situated practice in different governance situations.In this way, the study provides a development of the theorisation of operational independence, studying this concept in conjunction with Internal auditor independence organisational independence.The analysis provides four archetypes of auditor independence, autarchic, instrumental, symbiotic and subservient, which indicate the importance of how auditing is situated within corporate governance for determining its independence.The study approaches independence as a constructed phenomenon owing to the operational and organisational aspects of governance and unpacks the multiplexity of the relationships in which independence is situated.
Four main conclusions are derived.First, an IAF can be independent in the ways in which Mautz and Sharaf (1961) perceive independence, as illustrated by the autarchic archetype.In this archetype, the internal auditors execute their work self-determinedly, with epistemic independence, not only in relation to management but in relation to the audit committee.Independence here provides not only rewards, as the organisation will get independent audits with frank reports, but also risks, while a pure epistemically independent IAF may be less relevant to an organisation that seeks their specific professional capacity, situated on a more or less isolated pedestal.
Second, a degree of tighter coupling of the IAF may benefit an organisation, but in the instrumental archetype, such coupling can become too tight and risk epistemic independence when audit committees tend to take over the auditors' work and neglecting the auditor's professional knowledge in risk analysis, plan assurance activities, drawing conclusions and providing recommendations based on their unique knowledge.The instrumental archetype resonates well with Neu et al. (2013), an audit committee can potentially restrict the audit function from having autarchic uncontrolled powers to perform inspections, which can instead be designed in line with their own idea of what is in the best interest of the organisation.
Third, by considering the situatedness of the IAF, this study indicates that embeddedness with the management is not always critical to independence.This is because the auditors, as illustrated by the symbiotic archetype, can perform their work autonomously despite being primarily tied to management.As long as the audit committee is the stronger party and exerts oversight over management, internal auditors' embeddedness with management may be less of an obstacle to independence.This study, therefore, contrasts the findings of Roussy (2013) and Roussy and Rodrigue (2018) to indicate that internal auditors have the ability to perform their work autonomously as an independent third line of defence.It complements studies that point to the importance of audit committees performing the role of oversight of management (Christopher et al., 2009;Gendron and B edard, 2006).
Fourth, the study shows that in the subservient archetype, the IAF is tightly coupled with and embedded with the management and not independent in relation to this actor, but where the audit committee mitigates an otherwise unhealthy relationship with oversight of both management and the internal audit.It thus aligns with studies that indicate the important role audit committees play regarding internal auditor independence (c.f.Abbot et al., 2010;Gendron and B edard, 2006;Gramling et al., 2004).The subservient archetype illustrates the significance of understanding independence as situated, such as the escalatory feature of internal auditor independence.While the auditors are dependent in their relations to both management and the audit committee, they are independent, particularly epistemically, in relation to the next line of command, from business unit managers of operations and lower.
Where agency theory provides the fundament for understanding corporate governance relationships and auditor independence, auditors need be independent in relation to agents (Christopher, 2010;Watts and Zimmerman, 1983).Independence in the subservient archetype illustrates that internal auditors are not independent in relation to agents.However, looking at this archetype from a management control perspective where the management needs to rely on internal auditors as a control mechanism (Gramling et al., 2004;Mihret, 2014;Mihret and Grant, 2017), it is more important that they are independent of those below them in command.Even though independence may be at stake in situations where management acts AAAJ 36,9 as the principal in the dyadic relations with the internal auditor (Roussy, 2015;Roussy and Rodrigue, 2018), the latter can still be independent in relation to those lower in the organisational hierarchy.To make this system work, a strong audit committee is needed to counter internal auditors' vulnerability to managerial influence.
The findings go beyond a discussion of independence only in the realm of internal auditing.Independence is best described not by what it is but by how it is embedded and enacted in the corporate governance context, and the study contributes a nuanced and more dynamic understanding of independence.Previous literature, not the least on regulation, indicates that independence is an idea that is impossible to be against.It is also a deeply problematic concept because independence is a relational approach where the auditor is to be independent in connection with someone (Gu enin-Paracini et al., 2015;Nordin, 2022;Page and Spira, 2005;Power, 1997).This study shows that independence is an ideal in the making, not least in the ways the companies are narrating the independence of the internal auditors in their CGRs.As these reports illuminate, independence is important and worthy of careful authorship.Drawing on earlier literature and CGR analysis, this study suggests that, depending on how the auditors are embedded in organisations and how tight the operations are coupled, independence can be understood as situated, subject to the specific governance design of each organisation.The four variants of independence (the archetypes presented here) suggest that it is worthwhile to go beyond the classic dichotomy between dependent and independent.To understand independence, it can best be understood in the ways in which the auditor is not dependent.
The study contributes to the literature an understanding of the multiplexity of internal auditor independence in different organisational settings.Its findings have societal implications in that it clarifies the knowledge of the situatedness of independence in the internal auditors' ties in organisations.They are useful to regulators in developing corporate governance systems.For internal audit practitioners, this study brings to light the nature of internal auditor independence in real-world situations in different designs of corporate governance.Understanding internal auditor independence through one of the four archetypes can help auditors in their everyday work; practitioners may look at their practice based on a more nuanced comprehension of independence than has been offered in the literature to date.
Considering the method used in this study, future studies could focus on validating these findings and the four archetypes.Such studies could preferably be conducted using an ethnographic approach, through in-depth interviews and observations where access is established.During the analysis work for this study, many of the companies on the Stockholm Stock Exchange large-cap list (Appendix Table A2) were found to be not utilising internal auditing, and future studies could focus on how their audit committees succeed in finding assurance, in line with the proposition (Power, 1997) that we live in an audit society where assurance ought to be in constant demand.
Notes 1. Reporting lines can be administrative or functional.In functional reporting, the Board should have the authority to set the direction for and approve the policies of the IAF (IIARF, 2003).In an administrative reporting relationship, the CAE reports to the CFO and business unit managers on matters of interest for their responsibilities, such as findings on financial reporting and operations (Bariff, 2003).The administrative unit has the task of facilitating the daily operations of the internal auditors, including approving their budgets (IIARF, 2003).The IIA standard does not stipulate a specific reporting line (IIARF, 2003).The supporting Practice Advisory, however, delineates that the CAE, to achieve independence, should report functionally to the audit committee and administratively to the CEO, but reporting to others, such as the CFO, is not explicitly prohibited (IIARF, 2003).It states that appropriate reporting lines are important for achieving the necessary Internal auditor independence independence and objectivity of internal auditors, not the least for safeguarding access to both information and key informants in the organisation and reporting of findings and recommendations (IIARF, 2003).A functional reporting line to the audit committee or Board has been recommended as "the ultimate source of its independence and authority" (Bariff, 2003, p. 4).This position gives the IAF "the visibility, authority, and responsibility to independently evaluate management's assessments" (IIARF, 2007, pp. 8-3).
2. To circumvent such risks, the IIA states that "[w]hen performing consulting services the internal auditor should maintain objectivity and not assume management responsibility" (IIA, 2017).
3. In conjunction with similar studies of corporate narratives such as in CGRs, authorship of such reports is difficult to ascertain (Garcia Osma and Guillam on-Saor ın, 2011).While the reports are signed by the board members, it is reasonable to expect they have at least sanctioned the inherent narratives.
Figure 1.The analytical construct of the two dimensions, operational coupling and organisational embeddedness Figure 2. The results for each company in the four archetypes