What Kind of Internal Auditor Are You?

Key Takeaways
  • Norman Marks Challenges the Status Quo: In his latest piece, Marks asks internal auditors to critically examine their identity, purpose, and impact within their organizations.
  • Beyond Traditional Auditing: Marks advocates for a shift from backward-looking, compliance-driven auditing to a forward-thinking, risk-aligned, and advisory-focused approach.
  • Self-Assessment Through Contrasts: The article offers a detailed list of auditor archetypes and behaviors, encouraging readers to reflect on which descriptions resonate with them and which don’t.
  • Focus on Enterprise Risk and Agility: Marks pushes for auditing that prioritizes enterprise-level risks over rigid audit plans or traditional audit universe models.
  • Evolving the Audit Mindset: Whether it’s embracing clean audit reports, using AI responsibly, or collaborating on action plans, the piece highlights how auditors can evolve their role to better support organizational success.
Deep Dive

In Norman Marks’ latest piece, he challenges internal auditors to reflect on their role, their mindset, and their real value to the organization. Drawing from personal experience and professional insight, Marks lays out a series of contrasts that help auditors pinpoint where they stand and where they might want to go.

More Than a Job Title: Rethinking the Role of Internal Audit

One of my audit committee members once told me that when he thinks of a model internal auditor, he thinks of me. I wasn’t sure how to take that! I know he meant it as a compliment, but while my business card might say that I was in charge of the internal audit function, that wasn’t how I saw myself.

I saw myself as what Richard Chambers has coined a Trusted Advisor—but more than that. I provided assurance that the system(s) of internal controls were sufficient to maintain the more significant sources of risk to enterprise objectives at desired levels.

Yes, that’s a mouthful. But each part has meaning:

  • I didn’t provide assurance on the actual achievement of objectives. Who can, given that good fortune is often needed? There is too much uncertainty beyond our control.
  • I provided assurance on the effectiveness of the system(s) of internal control.
  • The measure of effectiveness was reasonable assurance. Not perfect assurance, as that is not possible. (See COSO ICF.)
  • It was reasonable assurance related to the more significant risks to the achievement of enterprise objectives—not business unit or functional objectives.
  • Those more significant sources of risk should be maintained at desired levels, and that includes taking the risks that are justified by business needs: the right level of the right risks for success.

But I also provided proactive, forward-looking advice and shared my insight.

I did what was needed to help the organization succeed.

The word “auditor” sounds like someone who audits the past and then bayonets the wounded. That was never me. It’s just not who I am—although being critical comes very naturally to me.

So What Kind of Auditor Are You?

Which of these descriptions applies to you? It may be more than one:

  • Audits the past and provides an assessment as to whether controls functioned effectively in the past.
  • Aims to do sufficient work to provide an opinion on whether controls will be effective in managing the risks of today and tomorrow. Recognizes that what happened in the past may not be a reliable indicator of what is happening now and will happen in the next period.
  • Sticks to the audit plan and the scope of each audit that has been agreed with management.
  • Is willing to change the audit plan and/or engagement scope at a moment’s notice for any of several reasons—such as the recognition that all or a part of the defined scope is not a significant source of risk to enterprise objectives, or something else has been identified that should be audited based on risk levels.
  • Believes that compliance with IIA guidance is essential to effective internal auditing.
  • Believes that IIA guidance should be considered, but is willing to be in nonconformance if that is the best way to add value to the customer.
  • Audits controls over significant risks to an audit entity that has been identified as high risk (an audit universe approach).
  • Audits controls over significant risks to the enterprise and its objectives (a risk universe approach), which may mean an engagement spans multiple entities. It also means only auditing a few of the risks to any audit entity.
  • Has a standard format for audit reports.
  • Tailors the audit report to the needs of the customer.
  • Loves to report how much auditing they have completed.
  • Loves to report how much constructive change management has completed.
  • Is investing in AI and other tools to enhance the internal audit process and capability.
  • Is more interested in helping management adopt AI and other tools wisely and safely. Use within internal audit can wait—except where it helps provide assurance, advice, and insight on management’s use of AI.
  • Insists that there has to be evidence for any internal audit opinion.
  • Is willing to rely on their professional judgment in expressing an audit opinion.
  • Doesn’t believe in providing opinions.
  • Reports recommended corrective actions and expects management to take them. Informs/tells management.
  • Works collaboratively with management to agree on whether action is needed, what that action should be, who will take it, and when. Reports agreed action items. Listens to management. Gets them to own the need for action.
  • Follows up at least annually on action items.
  • Follows up on actions only where the risk is significant. Works with management to ensure they are following up on all actions.
  • The audit plan has multiple audits of more than a month, each of which covers both high and less-than-high sources of risk. It is less than agile.
  • The audit plan has very few, if any, audits of more than a month. Every audit is focused on one or more significant sources of risk. It is agile, changing constantly.
  • Audits include areas where, should the controls fail, the level of risk to the enterprise would not be significant.
  • Audits do not include those areas.
  • Builds the audit plan based on the level and skills of the audit staff.
  • Builds and/or supplements the staff based on what is needed to complete the audit plan.
  • Hates clean audit reports, as that doesn’t show any value contribution by internal audit (i.e., recommendations).
  • Loves clean audit reports, as that shows management has solid internal controls—perhaps the result of past internal audit work.
  • Has perhaps 20% or less advisory work.
  • Is willing to perform more than 50% advisory work.

To which of the above did you say, “That is me”? Are there aspects you would like to change?

There’s no one-size-fits-all answer. Internal audit is evolving, and the best auditors evolve with it, balancing assurance and advisory roles, adapting to risk, and helping the organization thrive in uncertainty. So again, what kind of auditor are you?
