Robert Bruce

Corporate governance: Crack down

Compliance processes and risk management are undermining the independence of internal audits

Written by Robert Bruce

There is a severe danger that internal auditors, those most innocuous of souls, are about to be caught in a pincer movement in the painful heart of a nutcracker. And what is most galling of all is that it is not their fault. Finance directors need to leap to their defence.

So why are internal auditors in a painful place not of their making and certainly not of their choosing? As ever, it is because the rest of the world has changed, arguably for the worse, around them.

The first issue was Sarbanes-Oxley. Internal auditors probably welcomed it initially. After all, the most notorious part of it, Section 404, was, frankly, current practice in any well-organised company. The bases should be covered and directors sign off on them. Standard practice. Or rather it was standard practice. What happened was that the audit business in the US, aided and abetted by US regulators, suddenly saw this as an opportunity to show a sceptical public that they were as pro-active and rigorous as need be. So the whole business was hyped beyond recognition. Service layer after service layer was introduced. Supervisory staff turned up in their millions. They wanted to be seen as the cavalry arriving to save both companies and the US audit profession’s reputation. And also, of course, to turn more than a few bucks at a time when fees could have started to slide.

So the regulatory side of large US companies became hugely overburdened in spurious process which was, ostensibly, there to ensure the integrity of reporting systems. At first, internal auditors thought this a good thing. It wasn’t quite their core business, but it did boost the importance and role of making sure that all was well in the internal systems.

That is one side of the nutcrackers slowly moving on internal auditors. The other is the risk culture which the corporate world has embraced so wholeheartedly. Once upon a time, risk was something which was assessed and dealt with. It was a relatively simple process and carried great value, particularly in allowing the board of directors to slumber happily of a night.

Then, as we all know, the consultants got a hold of it. They saw an opportunity for new service lines. But even they could not have dreamed of the mass of fees that they would make out of it. Complex risk processes were invented and sold to companies. Gradually, the tentacles wrapped themselves around the whole company. Risk processes turned into a discipline which, the consultants argued, was finally the driver for the whole corporate model, its strategy and its decision making. From almost nowhere risk management as a whole-company system became the cuckoo in the internal auditors’ nest.

So the internal audit functions have been outflanked. The role of independent auditors at the heart of the organisation ensuring that all was well, healthy and trustworthy with the corporate body was compromised. The processes of Sarbox and risk management were doing similar work and, quite probably, doing it well, though at a far greater cost. The essential difference was that the concept of independence had gone out of the window. The Sarbox process and the risk management work were all done in cahoots with, and designed by, an alliance of consultants and management.

The real value of internal audit is something else. It is the skill, scepticism and rigour of an insider taking an outsider’s view. Under the new model the role moved from being a compliance function to being part of the management toolkit. And its value to the company itself was devalued.

This is a real and genuine threat to independence. It comes down to a simple dilemma: are you doing or checking? Are internal audit departments now seeing themselves as helping the effectiveness of the processes rather than being the independent checkers? And that sets in train another doubt. If you are involved in management process then who is doing the checking?

This change has seriously complicated and compromised the role of internal audit within a large company. And internal audit itself needs to get to grips with attempting to clarify the position. In a sense, it is self-preservation. If the board of directors doesn’t have a clear understanding of what internal audit are there for then there is every chance of misunderstandings. If internal audit starts to overlap with other roles, like commenting on the lack of a clear strategic plan, for example, then you may find directors wondering: “Why are internal audit looking at that?” This would swiftly be followed by outraged squawks of: “Are they stepping out of their remit?” Hackles will be raised and the credibility of the internal audit department will be lowered.

This is where the nutcrackers become painful. From one side comes Sarbox and from the other come the risk processes. And in the middle the very independence of internal audit, its real defining role, is diminished. It is not a very helpful thing to happen within the corporate culture.
