What makes an internal auditor effective? Some say it’s about technical skills such as accounting, industry knowledge, or regulatory awareness.
Others say it’s about “soft skills” or people skills: how you manage employees, your professional image, or the strength of your relationship with your boss.
Both of these skills are critical, but they alone do not determine the effectiveness of an internal auditor. The key differentiator is the concept of “value and fit”—the value of internal audit and how this fits in with the organization.
Often, the concept of “value and fit” is threatened by a familiar group of factors or “sins” that, sadly, are replicated among many internal audit functions. During our discussion of these factors, we will also lay out some concrete strategies to overcome them.
Following are the seven deadly sins of internal audit.
1. Ineffective planning
In the hierarchy of internal audit activities, risk assessment and planning are right at the top. If we fail at these activities, everything else that follows is meaningless.
It doesn’t matter if we have the best audit staff, the most advanced technology, or the most impressive audit reports. If we don’t choose the right areas to audit based on risk, we certainly won’t be successful at what we do—auditing the wrong area in the right way doesn’t help our cause.
A good internal audit plan:
The most important of these elements is the risk-based aspect. An effective risk-based assessment tells us what area of the organization to audit so our audits are targeted, specific, and efficient.
2. Being self-centered
Internal auditors sometimes believe their function is the most important one in the company. And why not, for surely marketing, operations, and finance feel the same way about their functions!
Unfortunately, studies show that such chauvinism is sadly misplaced. According to a Forbes Insights Global Survey, only 44% of executives and audit committees believe internal audit helps their organization achieve its business objectives.
Even fewer—37%—say they involve internal audit in key business decisions and strategy.
If we, as internal auditors, want a seat at the table, we need to understand that what we do (ensuring good processes and controls) may help the company achieve its objectives—but it isn’t the company’s end goal. Too often, internal auditors engage in “perfect world” or best practice discussions that lead nowhere.
We must also understand that management is truly interested in governance, risks, and controls, but not in theoretical discussions. Members of senior management and the board have told us time and again they want a professional opinion, as well as practical advice that can be implemented in the here and now.
For us to fill that need, we need to:
We also need to work closely with other internal auditors in the company, as well as stakeholders such as the risk and compliance management department, to ensure that internal audits provide optimal value.
3. Losing the truth
We, as internal auditors, deal with many complex issues. What seems like a significant issue at the beginning of an audit could turn out to be trivial at the end, and vice versa.
The road from discovery to conclusion is long and winding. Facts are revealed slowly and in pieces.
Many internal auditors get into trouble by refusing to budge from the conclusions they make early on in the auditing process. They don’t want to be seen as people who continuously change their mind.
But we lose credibility if we hold onto outdated positions that are no longer supported by facts and circumstances. We can, and should, change our minds when new facts are brought to light.
The ability to adapt to changing circumstances is the hallmark of a seasoned business executive. Inability to change, on the other hand, oddly is the main point of many internal audit findings.
NEXT: Ineffective communication