Five Classic Myths About Internal Auditing
Internal auditors are accountants by training.
One of the most common misperceptions about internal auditing is that the auditors are all “bean counters” who focus solely on their companies’ financial records. There is an obvious grain of truth in this internal audit myth: A solid audit or accounting background can be helpful for a career in internal audit. But internal auditors commonly address fraud risks, compliance issues, and a myriad of operational issues that are unrelated to accounting, and the auditors’ backgrounds are likely to be as diverse as the operations they audit. An accounting degree is not the only path for career success, and these days it’s not even the most common path: A recent survey by The IIA’s Audit Executive Center indicates that audit executives are now recruiting job applicants with analytical/critical thinking ability, data mining skills, business acumen, and IT skills more often than they seek applicants with accounting training.
Auditors are nit-pickers and fault-finders.
At the heart of several jokes about internal auditors is the misperception that we are dead set on picking apart processes and ruining the reputations of the people who do the “real work.” According to the myth, the auditors are viewed as the group who “bayonets the wounded after the battle is over,” distracting management from more important responsibilities.
In reality, of course, internal audit’s focus is on major risks rather than on nit-picking details. Audit resources are limited, and when auditors focus too much attention on minor issues, they are limiting the time available for addressing the major risks and controls that are at the heart of internal audit. Any auditor would rather report on a $6 million cost savings than on a $6 error!
It’s best not to tell the auditors anything unless they specifically ask.
This myth can be actively damaging, so it is unfortunate the advice has made its way into more than one “How to Survive an Audit” article. Audit clients are sometimes given this advice by well-meaning friends, but it results in less efficient audits and wastes everyone’s time. If auditors believe their clients are purposefully hiding information, whether by omission or commission, they normally will increase the scope of the audit to determine whether other important information has gone unreported. The purpose of internal auditing is to add value and improve an organization’s operations, and hiding information is against everyone’s best interests.
Internal auditors follow a cycle in selecting their audit “targets” and use standard checklists so they can audit the same things the same way each time.
This myth is less true with each passing year. Our professional standards require risk-based plans to determine our priorities, both in developing audit plans and schedules and in planning individual audits. Obviously some risks justify repeat audits on a regular basis, and there are some types of audits — for example, certain compliance reviews required by regulators — where audit programs and checklists are unlikely to see major changes from year to year. But in general, internal auditing has become a dynamic profession that can change any time an organization’s risks change.
Internal audit is the corporate “police function.”
As Lord Justice Topes once said, “The auditor is a watchdog and not a bloodhound.” In my experience, the best auditors are almost always those who create a rapport with audit customers. When an auditor’s behavior is accusing or aggressive, they are far more likely to be met with resistance than when they treat findings as an opportunity to help accomplish objectives and facilitate improvement. Breaking down this stereotype is so important that most internal audit groups actively encourage clients to think of internal audit as a coach, not a cop.