I recently shared results of an academic research report that indicated companies seek internal auditors who have accounting, information technology, and business systems knowledge after experiencing major control and risk management failures. The report said companies are “more likely to post an internal auditor job after the revelation of accounting and operational failures” and “more severe accounting and operational failure revelations are associated with an increased demand for the CPA and the CISA (Certified Information Systems Auditor) credentials.”
The findings set off a new debate on social media about why accountants are still considered the gold standard for internal audit talent. My response? Such thinking is naïve and outdated. As many seasoned internal auditors (and those who depend on internal audit) will agree, you do not have to be an accountant to be a good internal auditor!
Some of the best internal auditors I have ever met never even took a college accounting class. Instead, they possessed degrees in fields like information technology, cybersecurity, engineering, medicine, law, and the liberal arts. One of the global aerospace companies even posted a rocket scientist as the CAE a few years back. But such diversity of backgrounds is the exception and not the rule when it comes to the vast majority of internal auditors.
I first shared my views on this topic almost a decade ago, when someone posted on social media: “Should the internal audit profession be the preserve of chartered accountants only? Or should it be opened up to people with diverse professional backgrounds?” After initially watching the online debate that followed, I finally weighed in with a rather cheeky blog post titled: ”Yes, CPAs and CAs Can Be Internal Auditors, Too!”
As I noted back in 2013:
“There was a time when internal audit focused almost exclusively on financial risks and controls. However, this is the 21st century, and the profession has evolved dramatically. While a well-resourced internal audit function will include individuals with strong financial backgrounds (such as certified public accountants (CPAs) and chartered accountants (CAs)), it also will include a much broader diversity of skills than internal audit functions of a generation ago. It’s likely to include individuals with expertise in business operations, IT, compliance, fraud investigation, and many other areas. If I were looking for a specific credential that demonstrates knowledge and proficiency in internal auditing, I would look for a professional who is a Certified Internal Auditor (CIA).”
Here we are 10 years later and, according to The IIA’s 2023 Pulse of Internal Audit Report, only 22% of a typical North American internal audit plan focuses on financial risks. Surely by now, there is recognition that good internal auditors come from a multitude of backgrounds – right? Unfortunately, the “accountants make the best internal auditors” myth is still alive and well.
As recently as in 2018, an IIA Pulse survey found that CAEs predominantly look for candidates with accounting and finance degrees (rated “extremely” or “very desirable” by 76 percent of CAEs). In contrast, less than half found other types of business degrees to be extremely or very desirable. More than 55% of respondents to The IIA’s 2022 Pulse survey were CPAs themselves. What’s more, for some internal audit departments and for many government audit functions, an accounting degree or the equivalent remains an absolute requirement to be an internal auditor.
It seems that most CAEs want to hire accountants, but that doesn’t mean they are looking for bean counters. When asked to name the skills they recruit, CAEs in a recent survey identified their top three choices as: analytical/critical thinking, communication, and business acumen. Accounting and finance knowledge barely made it into the top 10.
There’s no doubt that many accountants make outstanding auditors. Accounting graduates are trained in analytical thinking and business, so accounting schools are a logical place to look for talent. But as the IIA’s 2018 Pulse survey pointed out, when seeking analytical/critical thinking, communication, and business acumen competencies, “there is no reason to assume candidates with accounting or finance degrees have a substantial advantage over operational and technical backgrounds.”
Finding the right people isn’t easy. The most significant challenge facing the internal audit profession in 2023 continues to be a festering talent shortage. More than 60% of respondents to a LinkedIn poll I conducted recently indicated that their internal audit function had vacancies they had been trying to fill for more than three months. And 30% had been trying to fill vacant positions for more than six months.
The great majority of CAEs say they have skills gaps on their teams — gaps that can make it challenging to provide needed audit services. In AuditBoard’s 2023 Focus on the Future Report, 27% of CAEs indicated that, when risks aren’t being addressed by internal audit, it’s because they have insufficient resources. Another 17% said it’s because their department lacks expertise.
The consequences for internal audit functions that overload accounting experience to the exclusion of expertise in other critical risks can be significant. Internal audits might be canceled or delayed, or scopes narrowed. Audit departments might lack the agility to respond quickly to new or emerging issues simply because of staffing limitations. Unaudited controls will inevitably break down, leading to the inevitable (and somewhat ironic) question, “Where were the internal auditors?”
We need to ensure that our internal audit functions can competently provide a diverse range of services. To do that, we need a diverse range of skills. To be sure, some of those skills are accounting and finance-related, but others are not. The challenge is to ensure we have sufficiently competent workers to address all of our organizations’ significant risks. It’s not an easy job.
The myth that only accountants make good internal auditors has endured for more than a century. It’s high time we put that to rest. With the rise of new and complex risks such as cybersecurity, artificial intelligence, environmental, and others, we must broaden our reach and attract talent from a spectrum of risk-related backgrounds. I believe the falsehood about internal auditors limits the potential for the profession and is one of the things that keeps our reputation wrongly rooted in the past century. We are still seen as bean counters in an age when beans may not even be the best crop to harvest.