10 lessons I've learned in 50 years on the audit trail

The year 2025 marks my 50th year on the audit trail. I was ambitious, exceptionally practical, and only 21 when I took on my first internal audit assignment. While I’ve dedicated my career to one profession, it has offered continual opportunities to learn and grow.

As I review my career journey, I am gratified and humbled to remember the age-old truth: We are never done learning. If we’re paying attention, there are always new lessons to learn.

I published my first “10 lessons” in a 2014 Audit Beacon blog released around the same time as the first edition of my first book, Lessons Learned on the Audit Trail. I share my updated list in honor of Internal Audit Month, our annual opportunity to remind our stakeholders and ourselves of our value and purpose. I believe that both demand a commitment to learning and evolving.

1. Independence doesn’t mean isolation.

Too often, internal auditors are reluctant to collaborate with management or take on new roles out of fear they will lose their independence. But independence is an organizational attribute that enables objectivity. Objectivity — at the heart of internal audit’s credibility — is what truly matters, and internal auditors can collaborate with first- and second-line teams without compromising their objectivity. Managing risks in silos only creates more risks, so improving how we collaborate is essential for effective risk management.

2. Never underestimate the power of relationships.

You can’t be a trusted advisor or change agent without building and sustaining genuine relationships. Relationships create a foundation for trust. They are critical to proving to our stakeholders that internal audit is not the “police” looking to call out their errors, but rather a collaborative partner committed to helping them be successful. Uniting relationship acumen with expertise is the not-so-secret formula for gaining buy-in, getting things done, earning your seat at the table, and enacting transformative change. This fundamental lesson has been a recurring theme throughout all of my books and the single most important driver of my professional success.

3. Follow the risks — but remember that risk is a moving target.

I’ve been telling internal auditors to “follow the risks” for decades, reasoning that we provide more value by allocating our limited resources to the most significant risks. In permacrisis, we must also improve our capacity to help our organizations anticipate and respond to evolving, emerging, and unseen risks. Continuous risk monitoring can help us adapt focus areas, coverage, audit plans, and action plans at a pace commensurate with the speed of risk.

4. Your stakeholders define your mission.

Your key stakeholders have the last word on whether you are doing your job well. They judge your internal audit function not by how well-run it is, but by the value it generates for them. Stakeholders are subject to the dynamics and pressures of the outside world, and their expectations are another moving target, however, so it’s imperative to regularly reassess stakeholders’ needs and expectations and adapt approaches to fit.

5. Creating value is more vital to our organizations’ success than protecting value.

Organizations don’t exist simply to protect value. You won’t achieve your organization’s critical goals and objectives simply by protecting the value you already have. The worthier and more essential goal is creating value for stakeholders. Making internal audit indispensable in the age of permacrisis and AI requires us to become value enablers, not just value protectors. Seizing this opportunity calls for foresight, creativity, innovation, resilience, adaptability, agility, strategic alignment, and increased collaboration across the three lines.

6. You can audit anything, but you can’t audit everything.

Nobody has unlimited time and resources. You can’t audit everything, so it’s important to follow the risks and focus efforts to have the most impact. What’s more, in the age of AI and other advanced technologies, you most certainly shouldn’t audit everything. Embrace technology as a capacity multiplier while identifying and cultivating the skills you bring that AI can’t (e.g., curiosity, resilience, creative/innovative thinking, ethical judgment, relationships, flexibility).

7. Smart people do dumb things and good people do bad things.

Human beings are flawed. I’ve seen many good people make bad mistakes and many highly intelligent people choose entirely wrong paths. Internal auditors should assimilate this lesson in two key ways: (1) By remaining vigilant of the potential for ethical lapses, fraud, and corruption, and (2) by bringing empathy, staying humble, and learning from our mistakes and others’.

8. Sometimes you have to choose between being right or being liked.

Every internal auditor eventually comes to a crossroads where doing the right thing — ethically, professionally, and objectively — will make them the least “liked” person in the room. It’s human nature to avoid conflict and controversy, but internal audit’s integrity, value, and relevance as a profession require us to choose courage over comfort. As essential stewards of accountability, transparency, and ethical conduct, we must stand firm, speak truth to power, and escalate issues when needed. After all, we make our reputations not by avoiding risk, but by assessing it with integrity.

9. The journey matters more than the destination.

This lesson can be rephrased in countless ways: It’s not where you end up but how you get there. Strategy is more important than tactics. It’s not what you do but how you do it. Don’t pursue the right goals for the wrong reasons. You are more than your job or title, so don’t let your ego get wrapped up in either. My own career didn’t take the course I initially wanted or expected. I’m better, happier, and more grateful because I wrote my own story.

10. The ultimate measure of a leader is how they cultivate other leaders.

Leaders are both born and made. If you’re a leader, other leaders undoubtedly showed you the path and supported you in following it. Every leader should pay it forward. I didn’t fully recognize this lesson early in my career, and I may have had lapses along the way, but I now see it as vitally important. When I look back at my time leading The Institute of Internal Auditors (IIA), I am most proud not of the financial success, uptick in membership, or growth of the profession itself, but of the fact that 11 of the people who worked for me are now CEOs of other organizations.

Pass the torch by sharing your lessons

As the 2025 North American Pulse of Internal Audit showed, CAE ranks are undergoing a generational and gender shift. Millennials are stepping in as Baby Boomers step aside (balancing the two groups alongside dominant Generation X), and 47% of today’s CAEs are female. Wherever you are in your career, you have learned valuable lessons worth imparting to the next generation. What lessons have you learned on the audit trail? Don’t let Internal Audit Month pass you by without sharing them.

About the authors

Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Advisor, Risk and Audit at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA). Connect with Richard on LinkedIn.