The internal audit profession has come a long way from when I entered it four decades ago. In the 1980s, a time before PCs, canned audit programs were common, as were manual confirmations, “nth item” samples from green bar dot matrix printed computer paper, and huge folders of workpapers secured with things called ACCO fasteners.
In the years since, internal audit has gone digital, branched out into every facet of the organization, leveraged data analytics, and has made several advancements in quality and efficiency. Yet, as far as internal audit has come, one thing hasn’t changed that much: we often don’t feel like we get our full measure of respect and stature.
As I reflect on where internal audit is as a profession and consider what internal audit still needs to accomplish, eight uncomfortable truths come to mind as we move into the second half of 2024. Now, not all internal audit functions suffer from all of these challenges. But my strong suspicion is that many of you will recognize some of these issues that still vex the internal audit profession after more than 80 years since the Institute of Internal Auditors was first founded, and the profession sought to stake out its own unique place in the business world.
The Uncomfortable Truths About Internal Audit
So, here are eight uncomfortable truths about internal audit in 2024:
1. Internal auditors are not as important as they think they are.
Who, really, wants to be audited? We might be nice, and we might even truly mean that line that goes, “I’m from internal audit, and I’m here to help.” But, if the truth be told, the organization would probably run fine without us, at least over the short term. We still, in some organizations, clamor for that elusive seat at the table, struggle to get more than 15 minutes of audit committee agenda time, have a tough time getting on the CEO’s calendar, and sometimes find out about meetings that we wish we were invited to after they have occurred. Organizational leaders and managers are just trying to juggle their day-to-day tasks, meet organizational goals, and put out the fires that tend to crop up. They might act nice to us, but they really don’t have time for us. Some even call us a “necessary evil.”
It was old-time comedian Rodney Dangerfield who used to joke, “I get no respect!” which some internal auditors may relate to. Now, we have come a long way, and we may not be the Rodney Dangerfield’s of the corporate world anymore, but we’re just not as important as we think we are.
How do we change that? By ensuring that everything we do is adding value in the organization.
2. Internal audit is not as risk-based as it should be.
It has been drilled into us that we need to develop a “risk-based” audit plan, and the IIA Global Standards have supported that view for a long time. So, internal audit undertakes an involved process of risk assessments, generally in great depth annually and sometimes even updated as the year goes on. No matter how objective we try to make the risk assessment process, however, it is still a subjective activity. And it is more often a bottom-up build to create a macro perspective. The reality is that you likely end up with a view on risk that does not equate to the way the senior-most executives view risk.
That’s not the way you do it? Then you are in the minority. Look, there’s nothing wrong with that approach, especially if you have a chief audit executive who has lots of experience with your company and in the sector your company operates. Why? Because that CAE can introduce intuitive subjectivity to the seemingly objective process based on their years of experience and knowledge. But the reality is that our “risk-based” approach is based on risk, however it’s not really about the key strategic and operating risks that are most pressing to the organization. Internal audit is just not as risk-based as it should be.
3. Internal audit follows Standards that do not ensure quality.
We all know the drill—strive to conform to the IIA Global Internal Audit Standards, get an external Quality Assessment Review (QAR) at least once every five years, wash, rinse, and repeat. The irony is that conforming with the Standards might make you a better internal audit function than if you chose to ignore them, but following the Standards does not ensure quality.
Look, we all probably know of some internal audit functions that are not adding a lot of value to their organization, but they do follow and conform with the Standards. And there are some pretty darn good internal audit functions that might not get a “generally conforms” rating when their QAR report is issued.
It’s an interesting conundrum. As beauty is in the eye of the beholder, quality is in the eye of the person expecting and evaluating quality. And most corporate executives don’t care about internal audit Standards (nor should they), they just care that internal audit is adding value.
Don’t get me wrong here, I am not advocating for ignoring the Standards, and I advocate striving for full conformance where it makes sense, but we have to acknowledge that we’re following Standards that do not ensure quality.
4. External auditors don’t view internal audit to be as valuable as it should.
Far too often, external auditors, as they work to do their own important assurance work on the reliability of a company’s financial reporting, look to internal audit to get some work done that they would otherwise have to do. And many CFOs condone and even encourage this activity as a way to keep audit fees as low as possible. Unfortunately, much of this work is beneath the skill level of the people in internal audit and can be somewhat tedious. And the practice does not consider the opportunity cost of these internal auditors doing this work instead of key projects on the internal audit plan. Perhaps that would not be important if resources were plentiful, and CAEs didn’t need to make do with what they have instead of wishing they could have additional resources.
In many organizations, the audit committee looks to the external auditors as equally important or, unfortunately, more important than the internal audit staff, so there may not be a sympathetic ear among audit committee members when dealing with this dilemma.
Further, if internal audit work were to be relied on, the external audit partner on your company’s engagement should want to be sure you are following Standards and that you get your QAR done. Yet, many engagement partners don’t seem to care all that much about any of that. Not true in some organizations, but we have to acknowledge that far too often we’re not viewed as valuable by external auditors as we should be.
5. Internal audit doesn’t possess enough of the competencies needed to execute many audits.
Companies of any reasonable size are complex, and a truly risk-based plan will result in audit projects that your on-staff internal audit team does not have all the requisite competences to execute. Add to that the fact that the world is not getting any less complex. That’s where co-sourcing and project outsourcing come in handy.
But ask any CAE how things are going with their co-sourcers or if they have enough dollars to do all the co-sourcing they should be doing, and you will not get an encouraging answer if they are being honest. And if training is an option to enhance on-staff competencies, finding what you need at a price your budget can manage, of a quality that makes it worthwhile, is not easy. So, it’s an unpleasant fact with limited staff, constrained budgets, and complex organizations … we do not possess enough of the competencies needed to execute many of the audits that should be on our audit plans.
6. Internal audit doesn’t leverage co-sourcing enough or wisely.
We are still learning as a profession how to best leverage the use of co-sourcing as a competency enhancing lever to pull.
It’s not easy finding a good co-sourcing partner. No single co-source option is going to be good at everything you need to do. And, every CAE that has used co-sourcing to any degree will readily admit that they have had poor and even failed co-coursed projects. Part of the problem is that the likely co-source organizations are interested in winning the work, and then figure out how to deliver the project after the fact. They promise the world, but miss on delivery.
It takes having a solid budget for co-sourcing, relationships with a range of potential co-source partners (never sole source), a competent and honest point person (relationship manager) at the co-courser who will tell you when they are not the right organization for certain jobs, and dedicated time to managing co-sourced projects closely. Many internal audit functions still live in the world of the school of hard knocks when it comes to co-sourcing. Yes, we do not leverage co-sourcing enough or wisely.
7. Internal audit is still viewed as an offshoot of accounting.
When I was an undergraduate student starting my junior year, I began a co-operative education program where I would work a semester, go to school a semester, and rotate back and forth. When I returned to schooling following my first stint, after my first exposure to bank internal auditing, I had to get my Intermediate Accounting professor to sign off on my work experience. He looked extremely disappointed and said, “Why are you wasting your time with internal auditing!” He grumbled as he signed the form, and I never felt comfortable in his classes from then on. While that was many years ago, some things never change (or at least don’t change enough as they should). And don’t get me started about the number of times, like many of you, you tell someone what you do for a living, and they want to know if you can help them with their taxes.
Look, it used to be that being proficient in accounting was crucial to success as an internal auditor, but now that is just not the case. Many great internal auditors have little experience in accounting other than a couple of classes, if that. It doesn’t help that far too many organizations list the need for a CPA or CA designation as a prerequisite for applying for an internal audit job, and there are still enough CFOs who expect that you report to them as part of their accounting and finance responsibilities. Piling on with Sarbanes-Oxley compliance duties doesn’t help. Yes, as frustrating as it is, internal audit is often still viewed as an offshoot of accounting.
8. Internal Audit is not adopting technology fast enough.
This one is a big one. And, except for a few on the leading edge, many internal audit functions just aren’t good at adopting advanced technology. There are reasons (as well as excuses) that are understandable, including: insufficient budget for technology, lack of time, lack of personnel, lack of support from the company’s IT function, and lack of innovative thinking at the leadership level.
The problem is often that each year internal audit is behind, the gap to close grows from a small fissure to a gaping canyon. And the further behind the internal audit function is on technology adoption, the less attractive it is to new hires it wants to recruit. It’s been a perennial challenge but, let’s face it, internal audit is not adopting technology fast enough.
So, What To Do?
There are no magic wands for these challenges, and some of the macro-level heavy lifting must come from the continued and ongoing efforts of The Institute of Internal Auditors, both globally and locally. From advocacy to training, from insightful conference content to roundtable-like information sharing, all these things help tremendously. And the IIA is in a great position to provide benchmarking data, so you know where you stand in relation to other functions around the world and in your business sector.
Also, the firms all play a role in what they provide as subject matter experts, innovative approaches to co-sourcing, and value added (not transactional) partnerships with CAEs and their staff.
And, for you, you can’t do everything. As they say, you can’t boil the ocean. So, of the eight things here, which one or two struck home a little too closely for you and your function? As part of your ongoing strategic planning activities (remember, with the new Global Internal Audit Standards, you need to have a strategic plan), bake in action steps and assign owners to help move your function up the maturity curve on these items.
Look, in the grand scheme of things, we are still a relatively young profession, and not everyone will spend a career in internal audit. But we must keep chipping away at these uncomfortable truths and continue to mature in how we are viewed. We might be able to provide important input to assist in our organization’s success but, if we aren’t viewed in the right light, our talents and capabilities will continue to be suboptimized.
Importantly, we must celebrate our wins, and we must sell the organization on our ability to add value, but all the telling and selling will only make a difference if we can back it up with what we deliver. Remember, no matter what we think of ourselves, beauty is in the eye of the beholder.
Hal Garyn is Contributing Editor at Internal Audit 360°, and Managing Director and Owner of Audit Executive Advisory Services, LLC based in FL.
Interesting read I must say
Hitting the nail on the head. Truth be told. These thoughts have crossed my mind several times. Just how much is the profession of Internal Audit valued? Is it conceived to be really adding value? Are we Internal Auditors contributing to the cause? Points to ponder.
Number 2 should read, ‘Internal audit is not as objective focused as it should be’. If internal audit focuses on the organisation’s objectives, the risks and opportunities impacting them and the management of these risks and opportunities to levels acceptable to the board, it will become more relevant.
Yes I agree with your comments, coming from a similar era and thinking back to when I started auditing in the eighties. 4 decades in the profession has certainly shown me how accurate these observations are.
A well-articulated piece taking a realistic stock of shortcomings and perceptions. I specially loved the conclusion that we must celebrate our wins. Great thing will be to align our plans with the strategy and goals of our organization and continuously upskill ourselves in the direction where our company is heading towards to help it overcome the risks and bottlenecks on the way of its success.
1. When your role is to identify and report on shortcomings or missed opportunities in a Company’s processes it’s hard to get onto the Xmas card list of those responsible for those Company processes
2. Choosing audits based on risk helps to employ resources in an appropriate way but there are other considerations and they should not be overlooked.
3. Appropriate training and oversight promote quality. Amazing how much time is spend reviewing work papers for proper referencing, etc with no review of the process used to develop the audit program.
4.I was with one of the largest external audit firms ( conducting internal audits) for the second half of my career and I couldn’t care less what the external auditors think of internal audit. Most external auditors have no expertise or experience in internal audit.
5. Internal Audit can’t do their job in complex organizations without access to subject matter experts. The secret, however, is to corral that expertise to look at the efficiency and effectiveness of key processes rather than focusing only on process improvement opportunities.
6. The right subject matter experts are important. Remember, however, that subject matter experts are not internal auditors and need proper direction and oversight to ensure they focus on areas important to internal audit.
7. We like to think of internal audit as a professional career. However other professional designations have a higher value than the CIA when hiring for senior internal audit positions. That needs to change.
8. Internal Audit was my life between 1980 and 2018. Every year, different organizations would produce a “state of the nation” on internal audit and every year “better use of technology” would be on the list. While technology is important and valuable modern internal audit is not that transactional and data intensive. How often do we hear that CEO’s need more technology to do their work?
Excellent article!.
No. 4 is exactly the conclusion I have after I worked in IA for many years. Interestingly, if you look at external auditing standard, it says external auditor can only give low/medium risk work to internal auditor but most of time, internal auditor is much more experienced and knows the company much better than external auditor.
No. 7 is so true. there ARE so many people working in industry accounting area thinking that internal audit experience is nothing compared with industry accounting experience, which is so sad.
Excellent article. Point number 8 resonates deeply with me; with the rapid pace of technological change, bridging that canyon-wide gap feels increasingly and depressingly unattainable.”