Internal audit: a key partner

Internal auditors do much more than enforce control procedures: with competencies ranging from risk management to overseeing processes and governance structures, they provide key support to senior management.

Like many other professions, internal audit has had to adapt to a new reality shaped by significant changes in both requirements and expectations over the past decade.

What’s the first thing that comes to mind when you think about internal auditing? Perhaps some sort of financial police? It’s true that, until very recently, internal auditors were expected to play this role, which explains why it is so difficult to shake the label today.

There are many other myths about internal auditing — myths that Richard Chambers, current president and CEO of the Institute of Internal Auditors (IIA), regularly tries to dispel. Here’s what he has to say about the five most common myths:1

Myth #1: Internal auditors are accountants by training.

Reality: Internal auditors commonly address fraud risks, compliance issues, and a myriad of operational issues that are unrelated to accounting. A recent survey by the IIA’s Audit Executive Center indicates that audit executives are now recruiting job applicants with analytical/critical thinking ability, data mining skills, business acumen, and IT skills.

Myth #2: Internal auditors are nit-pickers and fault-finders.

Reality: Internal audit’s focus is on major risks rather than on nit-picking details. Audit resources are limited, and when auditors focus too much attention on minor issues, they are limiting the time available for addressing the major risks and controls that are at the heart of internal audit.

Myth #3: It’s best not to tell the auditors anything unless they specifically ask.

Reality: If auditors believe their clients are purposefully hiding information, whether by omission or commission, they normally will increase the scope of the audit to determine whether other important information has gone unreported. The purpose of internal auditing is to add value and improve an organization’s operations, and hiding information is against everyone’s best interests.

Myth #4: Internal auditors follow a cycle in selecting their audit "targets" and use standard checklists so they can audit the same things the same way each time.

Reality: Our professional standards require risk-based plans to determine our priorities, both in developing audit plans and schedules and in planning individual audits. In general, internal auditing has become a dynamic profession that can change any time an organization’s risks change.

Myth #5: Internal audit is the corporate "police function."

Reality: The best auditors are almost always those who create a rapport with audit customers. Breaking down this stereotype is so important that most internal audit groups actively encourage clients to think of internal audit as a coach, not a cop.

A brief history

The history of auditing begins with industrialization in the 1800s, when the main purpose of the audit function was fraud detection and financial accountability. As business owners became less able to handle all aspects of their companies, they hired managers to help them. Slowly but surely, the need to monitor operations grew and the role of auditing gradually changed. However, it was only in the wake of the stock market crash of 1929 that audits became mandatory in the United States.2

In Canada, John Lorn McDougall was appointed the country’s first Auditor General in 1878. His main functions were to examine and report on past government operations, and approve or reject the issuance of government cheques. At the time, the Auditor General had to report on each and every government expenditure, and his reports were sometimes up to 2,400 pages long!3

In those days, there was no real difference between internal and external auditing. Although the need for greater internal control emerged toward the turn of the 20th century, internal auditing remained an extension of external auditing.

For some, the birth of modern internal auditing is tied to the creation of the Institute of Internal Auditors (IIA) in the United States in 1941. At the time, internal audit requirements were limited in scope and mainly financial in nature — which contrasts sharply with the broader, more operations-oriented responsibilities of today. Internal auditors now act as advisors to senior management.

In the 1970s, the Certified Internal Auditor (CIA) designation, given by the IIA, helped raise the stature of the profession. (The IIA announced in 2011 that it had reached the milestone of 100,000 professionals with the CIA designation.)4 During this period, internal auditing also strengthened its ties with the audit committee to be closer to the board of directors and promote better governance.5

In the 1990s, some of the more progressive organizations began implementing new types of audits, such as the risk-based audit approach and the methodology based on recognized control frameworks, focusing the internal audit function mainly on controls.

Rapid change

In order to distinguish itself from external auditing and better meet the needs of organizations, the internal audit function began to offer more valued-added services until a number of financial scandals — including WorldCom (uncovered by the organization’s vice-president of internal audit, Cynthia Cooper) and Enron — forced sweeping changes in corporate governance, culminating in the passage of the Sarbanes-Oxley Act in the United States in 2002.

Although many elements of good corporate governance were already in place, Sarbanes-Oxley marked a turning point in the history of internal auditing and, consequently, the auditing profession. Overnight, renewed emphasis was put on financial reporting as a way of helping management comply with the new rules.

Canada also passed legislation similar to Sarbanes-Oxley requiring greater corporate transparency and accountability. For most publicly traded companies in North America, the efforts required to comply with accountability legislation are colossal. In order to adapt, internal auditing has had to become more efficient. Today, ensuring legislative compliance is only part of the responsibilities of the internal auditing function.

Internal audit 2.0

Internal auditing is now more focused on risks than controls, providing corporate executives with the maximum protection they demand. While it generally maintains a functional link to the audit committee, today’s internal audit function works directly with senior management.

In order to better meet the needs of today’s corporations, auditors have more advanced training than ever before. Today, the attributes of the ideal auditor are a desire for process improvement, effectiveness and efficiency; good communication skills; above-average judgment and integrative thinking; an innate sense of curiosity; high ethical standards and unwavering professionalism; and knowledge of industry best practices. And, of course, auditors must have sound knowledge of the International Standards for the Professional Practice of Internal Auditing (Standards) and the IIA’s Code of Ethics, as well as existing control frameworks and audit methodologies.

Ideally, audit departments include specialists in various areas of expertise in keeping with the company’s line of business. These areas often include engineering, finance, risk management, law, business administration, IT and, of course, accounting. Experts in these fields are rare since they require several years of business experience to meet the needs of organizations.

As companies globalize, become more complex than ever and do business in a more heavily regulated environment, it becomes increasingly difficult for auditors to identify emerging risks.

But once the role of internal auditing is clearly understood within organizations and trust builds, auditors can use all their expertise and provide the added value their colleagues expect. By combining their experience with their knowledge of the business, risk management, processes and governance structures, auditors can contribute to achieving organizational goals and safeguard assets.

Today’s internal audit departments also include data mining specialists — experts who use powerful tools to analyze entire populations rather than mere sample data sets. By cross-referencing what were once incompatible files, these tools can detect fraud. For instance, it’s now possible to flag — internally — duplicate cheques or employees who are on the organization’s list of suppliers. Data mining tools can also identify dubious expense reports and unused discounts, potentially saving thousands of dollars for the organization.

Not only do internal auditors know their partners well, they make a point of maintaining good relations with them, as this is the best way to understand each other’s challenges and identify effective, custom solutions.

Lastly, one of the most rewarding aspects of an auditor’s job is to raise awareness. Control procedures that are properly understood will be performed efficiently and make life simpler for the organization.

Still skeptical? Ask your internal audit department what it can do for you.


1. Five Classic Myths About Internal Auditing.

2. AICPA, Evolution of Auditing: From the Traditional Approach to the Future Audit.


4. Scott McCallum, The Institute of Internal Auditors.

5. Sridhar Ramamoorti, Internal Auditing: History, Evolution and Prospect, in Research Opportunities in Internal Auditing, A. Bailey Jr., A. Gramling and S. Ramamoorti, eds., The Institute of Internal Auditors (Altamonte Springs, Florida), 2003.