By Richard Chambers | February 21, 2021
Last week, the globally popular business comic strip “Dilbert” took on management’s perception of/reaction to internal auditors. Like all Dilbert strips, there is enough truth in the punchline to grab our attention and be provocative. I must admit that I smiled. I certainly encountered management officials who didn’t want me, or my internal audit team, poking around in their departments. But we always reached some agreement.
After my initial amusement at the comic strip, I asked myself: Why does management so frequently assume that we are just there to “find problems?” I even had managers look me in the eye and say, “I know you have to find something wrong to justify the audit.” I sometimes felt that they looked at us like we do a traffic police officer. We often wonder if they have a quota on the number of traffic citations they have to deliver. It is my fervent hope that the day will come when we are universally appreciated for helping to “prevent” problems rather than “finding” them.
Our profession has made a lot of progress in overcoming perceptions like the one portrayed in Dilbert. But the stereotype persists. As I explored in a recent blog, we have work to do in helping people understand what we do, and how we do it. A few years ago, I authored a blog post titled “Five Classic Myths About Internal Auditing.” As I considered the message Dilbert conveyed about internal audit, I was reminded of those five myths — especially Myth 2: “Internal auditors are nitpickers and fault-finders,” and Myth 5: “Internal audit is the corporate police function.”
Myths can tell us a lot about ourselves — or, at the least, about how others see the world. But it seems that the most inaccurate myths are the ones most difficult to dispel, particularly if there is a grain of truth buried in them.
The modern internal audit profession has been around for only about 100 years. Yet, it is amazing how many myths and misperceptions have evolved about the profession in such a relatively short period of time. And while each of the “five myths” is generally untrue, that they are so enduring tells us that we still need to take stock of how we are perceived in our own organizations and by the stakeholders we serve. Do we do things to reinforce these myths? Or do we need to do a better job creating awareness of how the profession has changed? You be the judge.
One of the most common misperceptions about internal auditing is that the auditors are “bean counters” who focus solely on their companies’ financial records. There is an obvious grain of truth in this myth: A solid auditing or accounting background can be helpful for a career in internal audit. But a typical annual internal audit plan today dedicates less than 25% of internal audit’s resources to financial-related risks. Instead, internal auditors are more likely focused on fraud risks, compliance issues, and myriad operational issues that are unrelated to accounting, and the auditor’s background is likely to be as diverse as the operations they audit.
An accounting degree is not the only path for career success, and these days, it’s not even the most common path. Repeated surveys by The IIA’s Audit Executive Center indicate that audit executives are now recruiting job applicants with analytical/critical thinking abilities, data-mining skills, business acumen, and IT skills more often than they seek applicants with accounting training.
At the heart of several jokes about internal auditors is the misperception that we are dead set on picking apart processes and ruining the reputations of the people who do the “real work.” According to this myth, internal auditors are viewed as the group that “bayonets the wounded after the battle is over,” distracting management from more important responsibilities.
In reality, of course, internal audit’s focus is on major risks rather than on nit-picking details. Internal audit resources are limited, and when auditors focus too much attention on minor issues, they are limiting the time available for addressing the major risks and controls that are at the heart of internal audit. A good internal auditor would rather report on a $6 million cost savings than on a $6 error!
This myth can be damaging, so it is unfortunate the advice has made its way into more than one “How to Survive an Audit” article. Audit clients are sometimes given this advice by well-meaning friends, but it results in less efficient audits and wastes everyone’s time. If internal auditors believe their clients are purposefully hiding information, whether by omission or commission, they normally will increase the scope of the audit to determine whether other important information has gone unreported. The purpose of internal auditing is to add value and improve an organization’s operations, and hiding information is against everyone’s best interests.
This myth is less true with each passing year. The IIA’s International Standards for the Professional Practice of Internal Auditing require risk-based plans to determine our priorities, both in developing internal audit plans and schedules and in planning individual audits. Obviously, some risks justify repeat audits, and there are some types of audits — for example, certain compliance reviews required by regulators — in which audit programs and checklists are unlikely to see major changes from year to year. But, in general, internal auditing has become a dynamic profession that must change any time an organization’s risks change.
As Lord Justice Topes once said, “The auditor is a watchdog and not a bloodhound.” In my experience, the best internal auditors are almost always those who create a rapport with their clients. When internal auditors’ behavior is accusing or aggressive, they are far more likely to be met with resistance than when they treat findings as an opportunity to help accomplish objectives and facilitate improvement. Breaking down this stereotype is so important that most internal audit groups actively encourage clients to think of internal audit as a coach, not a cop.
Each of these myths was closer to reality in the 20th century than today. It’s easy to think of a few specific examples in which an action that reinforces those stereotypes might be justified. Unfortunately, there are too many cases in which internal auditors are needlessly perpetuating the myths. Are any of the classic myths true about you or your internal audit function? If so, it might be time to take a good look at what you are trying to accomplish and how you plan to reach your goals.
Changing perceptions takes time, and it often requires the combined efforts of many individuals to break down a stereotype. Our profession’s image is rapidly improving, but more work is needed to enhance our stakeholders’ understanding of the profession. Each of us can help to eliminate the myths and misperceptions — whether through small steps, such as passing along pertinent news to clients, or through larger contributions, such as sharing audit knowledge at a seminar or conference.
Each internal audit function is unique, and your perspective might be different from mine. Has your internal audit department recently made real progress in dispelling any of these myths? If so, please let me know how it worked for you.
I welcome your comments via LinkedIn or Twitter (@rfchambers).