Over the past two years, I have heard executives complaining with increasing frequency that “internal auditors just don’t understand the business.” My sense is that some of these complaints are legitimate while others originate from business unit managers who simply don’t want internal auditors probing around in their areas of operation.
As I have observed before, many internal auditors were brought into their organizations in recent years to help with enhanced internal audit coverage of financial controls. Many who made up this new generation of internal auditors had little background in their company or its industry. They were proficient in Sarbanes-Oxley related audit support, but had little — if any — experience in auditing operational risks. So, it’s understandable that re-balancing internal audit coverage to include a broader portfolio of risks has exposed some practitioners’ limited knowledge of the business.
A recent IIA Audit Executive Center survey disclosed a number of effective strategies to help internal auditors acquire and enhance their business acumen. Almost 90 percent of those responding to the survey indicated that a means of acquiring more collective knowledge of the business was “internal development of existing personnel,” such as:
I am also confident that — as a profession — we will navigate any temporary gaps in knowledge of the business. But make no mistake: There will always be managers within the business who believe their business units are too complex or sophisticated for a mere internal auditor to understand. They will push back on internal auditing’s risk assessments that indicate their areas of responsibility warrant internal audit coverage. They will dispute findings in audit reports on the basis that we don’t know what we’re talking about.
During my career, I have debated more than a few disgruntled managers who wanted to keep my staff out of their area of operations on the basis of lack of expertise. With very few exceptions, I was successful in refuting their assertions. On those occasions where there was some validity to their concerns, I typically secured the necessary expertise by co-sourcing with a third party. My advice to any CAE faced with such circumstances is to hold your ground and navigate the concerns as appropriate. As one of my colleagues once cleverly responded to a business unit that doubted internal auditing’s ability to assess his operations: “You don’t have to be a clown to audit the circus.”