When I first became a CAE more than 30 years ago, I inherited an internal audit department with very limited resources, especially considering the size of the enterprise. With five internal auditors plus myself, we were challenged to provide high-quality internal audit coverage for a $10 billion entity. I knew I had my work cut out for me, and we wouldn’t get more resources unless we demonstrated greater value than the department had in the past.
From that first assignment as a CAE, I would go on to lead internal audit teams of more than 1,000. Yet, the reality is that most internal audit departments today are closer in size to the first one I led. In fact, a recent LinkedIn poll of almost 1,000 internal auditors worldwide found that almost two-thirds of internal audit teams comprise 10 or less employees. More than 40% have five or less. What’ more, fewer than 1 in 5 internal audit departments globally have more than 25 staff members.
As bad as those statistics are, they still aren’t as dire as what was reported in a 2022 research report from The IIA and the Internal Audit Foundation. The IIA found that, globally, 51% of respondents said their internal audit function comprised a staff of five or less. More broadly, 71% overall had 10 or fewer employees on their team.
It’s a sobering reminder, as I wrote last year, of an inconvenient truth: The average internal audit department remains small! I realize that the word “small” is subjective. Many factors go into determining whether an internal audit department is appropriately sized: the size of the enterprise, the location in which it operates, the risks it faces, its sector, its industry, and many more.
If pinned down to a number, I consider an internal audit team of five or less to be a small staff. From experience, I am confident when I say that these teams face the biggest challenges. In preparing to deliver a presentation Dec. 7 to open The IIA’s 2023 AuditSphere: A Virtual Conference for Small Audit Teams, I have identified the top five challenges I believe smaller internal audit departments face when compared with their larger counterparts:
1. Addressing enterprise risks. Let’s face it. Internal audit’s most critical responsibility is to provide assurance on the effectiveness of controls and risk management. The process begins with assessing enterprise risks and deploying an audit plan that focuses on those that are most critical. In an era in which risk velocity and volatility have converged to spawn more risks than ever, a small audit department is at an inherent disadvantage. A comprehensive risk assessment takes time and resources. By the time a small department has completed even an annual assessment, there are few staff days to allocate to the most critical risks.
2. Assembling and leveraging diverse expertise. IIA Standards mandate that an internal audit department “collectively must possess or obtain the knowledge, skills or other competencies needed to perform its responsibilities.” It falls on the CAE to ensure internal audit resources are appropriate, sufficient and effectively deployed. As CAE of a small audit department, I was fortunate to have a team with broad competencies, but honestly, we had no deep expertise. In an age when expertise in such complex areas as cybersecurity, data privacy and data analytics is so critical, small audit departments are often at a distinct disadvantage.
3. Building and sustaining enterprise relationships. To truly excel at its mission, a 21st century internal audit department must build and sustain a powerful network of relationships within the enterprise. These relationships must be based on trust and respect and fueled by effective communication and interactions. To be sure, small departments can develop key relationships, but the number that go deep with key executives is obviously limited by the internal audit staff’s size and the time that can be devoted to sustaining the relationships.
4. Balancing administrative tasks with audit mission. In the final analysis, the number of (what IIA Standards call) “productive hours” is more severely limited for a small audit staff. After considering vacation days, holidays, non-internal audit administrative demands and other factors, a five-person team typically has no more than 6,000 productive staff hours annually to dedicate to internal audit engagements. The lower ratio of productive time further undermines the ability to address enterprise risks. If an average internal audit engagement consumes 600 staff hours, a small audit team might complete only eight or nine audits a year plus follow-ups.
5. Conformance with Standards, regulations and policies. The demands of industry regulations, and even internal audit’s own Standards, often weigh heavily on small internal audit departments. For example, large audit departments are usually able to dedicate staff to manage internal quality assurance – a luxury smaller teams cannot afford. This is one of the factors that concerns me about the more onerous “Global Internal Audit Standards” that were exposed last spring. Time will tell whether these concerns are real.
I have often commented that my most rewarding experience as a CAE was leading a small internal audit department. I was energized by the challenge of demonstrating our value to key stakeholders against formidable odds. Leading teams of 1,000 auditors was much easier. We had ample resources to address risks, build and sustain relationships, dispense with administrative tasks and meet internal audit Standards. But there wasn’t quite as much satisfaction when we delivered the big impacts that separate the good from the great internal audit departments. And make no mistake, there are many small internal audit teams that are great!
I welcome your feedback through LinkedIn or X (formerly known as Twitter). Or feel free to share your thoughts via email at email@example.com.