Once again, we are celebrating International Internal Audit Awareness Month. Awareness is defined as “knowledge or perception of a situation or fact.” From my experience in traveling around the world, awareness about internal audit is not binary; it falls along a continuum. Some non-internal auditors are very familiar with internal audit and how it adds value, while others are clueless. The most common response I receive from the latter is: “Oh, you guys do taxes — right?”
The vast majority of people have a vague notion of what we do. In other words, they possess limited awareness about internal audit. A few years ago, I authored a blog titled “Five Classic Myths About Internal Auditing.” As we celebrate Internal Audit Awareness Month, I thought it would be a good opportunity to reexamine these myths, which often cloud the awareness of many people about what we do.
Myths can tell us a lot about ourselves — or, at the least, about how others see the world. But at times it seems that the most inaccurate myths are the most difficult to dispel, particularly if there is a grain of truth buried in the origins of the myth.
The modern internal audit profession has been around for less than 100 years. Yet, it is amazing how many myths and misconceptions have evolved about the profession in such a relatively short period of time. And, while each of the following myths is generally untrue, the fact that they are so enduring might be an indicator that each of us needs to take stock of how we are perceived in our own organizations and by the stakeholders we serve. Do we do things to reinforce these myths? Or, do we need to do a better job creating awareness of how the profession has changed? You be the judge.
One of the most common misconceptions about internal auditing is that the auditors are “bean counters” who focus solely on their companies’ financial records. There is an obvious grain of truth in this myth: A solid audit or accounting background can be helpful for a career in internal audit. But a typical annual internal audit plan today dedicates less than 25 percent of internal audit’s resources to financial-related risks. Instead, internal auditors are more likely focused on fraud risks, compliance issues, and myriad operational issues that are unrelated to accounting, and the auditor’s background is likely to be as diverse as the operations they audit. An accounting degree is not the only path for career success, and these days it’s not even the most common path: A recent survey by The IIA’s Audit Executive Center indicates that audit executives are now recruiting job applicants with analytical/critical thinking ability, data-mining skills, business acumen, and IT skills more often than they seek applicants with accounting training.
At the heart of several jokes about internal auditors is the misconception that we are dead-set on picking apart processes and ruining the reputations of the people who do the “real work.” According to this myth, the auditors are viewed as the group who “bayonets the wounded after the battle is over,” distracting management from more important responsibilities.
In reality, of course, internal audit’s focus is on major risks rather than on nit-picking details. Internal audit resources are limited, and when auditors focus too much attention on minor issues, they are limiting the time available for addressing the major risks and controls that are at the heart of internal audit. A good internal auditor would rather report on a $6 million cost savings than on a $6 error!
This myth can be damaging, so it is unfortunate the advice has made its way into more than one “How to Survive an Audit” article. Audit clients are sometimes given this advice by well-meaning friends, but it results in less efficient audits and wastes everyone’s time. If internal auditors believe their clients are purposefully hiding information, whether by omission or commission, they normally will increase the scope of the audit to determine whether other important information has gone unreported. The purpose of internal auditing is to add value and improve an organization’s operations, and hiding information is against everyone’s best interests.
This myth is less true with each passing year. Our professional standards require risk-based plans to determine our priorities, both in developing internal audit plans and schedules and in planning individual audits. Obviously, some risks justify repeat audits on a regular basis, and there are some types of audits — for example, certain compliance reviews required by regulators — where audit programs and checklists are unlikely to see major changes from year to year. But, in general, internal auditing has become a dynamic profession that must change any time an organization’s risks change.
As Lord Justice Topes once said, “The auditor is a watchdog and not a bloodhound.” In my experience, the best internal auditors are almost always those who create a rapport with their clients. When internal auditors’ behavior is accusing or aggressive, they are far more likely to be met with resistance than when they treat findings as an opportunity to help accomplish objectives and facilitate improvement. Breaking down this stereotype is so important that most internal audit groups actively encourage clients to think of internal audit as a coach, not a cop.
Each of these myths was closer to reality in the 20th century than today. It’s easy to think of a few specific examples where an action that reinforces these stereotypes might be justified, but unfortunately, there are too many cases in which internal auditors are needlessly perpetuating the myths. Are any of the classic myths true about you or your internal audit function? If so, it might be time to take a good look at what you are trying to accomplish and how you plan to reach your goals.
Changing perceptions takes time, and it often requires the combined efforts of many individuals to break down a stereotype. Our profession’s image is rapidly improving, but more work is needed to enhance our stakeholders’ understanding of the profession. Each of us can help to eliminate these myths and misconceptions — whether through small steps, such as passing along pertinent news to clients, or through larger contributions, such as sharing audit knowledge at a seminar or conference.
Each internal audit function is unique, and your perspective might be different from mine. Has your internal audit department recently made real progress in dispelling any of these myths? If so, please let us know how it worked for you.