Debunking the Myths: The Complementary but Distinct Practices of Internal and External Audit
If everything you knew about doctors came from observing dentists… well, you would probably upset a few doctors for starters. That being said, there are of course overlapping areas of expertise, but one of these professions requires understanding a broader scope of human anatomy.
In some respects, this is similar to how the role of internal audit can get misconstrued. A clipboard-carrying, number-crunching bean-counter is often stereotypically associated with the traditional “auditor.” And in fairness, internal auditors sometimes look like, walk like, and talk like “the [external] auditors.” But when I made the switch from external to internal audit, my role had scarcely changed in the eyes of many of my peers.
The inability to differentiate between the two professions is understandably widespread. But what are the origins of this case of mistaken identity and why does it even matter? Here I share my thoughts on this topic and offer some suggestions for how the profession of internal auditors should be recognised for what they are: their organisation’s trusted advisors.
“Auditor”: what’s in a name?
The term “auditor” derives from Latin and refers to the one who listens. In today’s world, the external auditor will effectively “hear” an organisation’s financial statements. By extension, internal auditors could be seen as the eyes and ears of the board and stakeholders, providing an independent and objective perspective that yields valuable insight and foresight. Beyond a single focus on teeth, but rather exploring the heart and mind of the organisation.
The two roles therefore play a distinct (yet often collaborative) role in the ecosystem of an organisation, but there can be blur. During my career, three of the most pervasive misconceptions of internal audit I have noticed are as follows:
Myth #1: Internal Audit’s role is to primarily examine financial statements.
It is not unusual for many internal auditors to start their career as external auditors (as I did) whose primary role is to provide reasonable assurance on the material accuracy of financial statements for the clients whom they serve.
Internal auditors, by contrast, are employed to serve their organisation, with a particular focus on:
- Processes – the steps taken to achieve an end goal
- Risks – the dangers that prevent the process from not being fulfilled as intended
- Controls – the activities undertaken to detect the risks and prevent them from materialising
In effect, internal auditors may be seen as trusted advisors that help their organisation achieve its objectives by enhancing their controls through assurance and advice. It may be a requirement for specific internal audit roles, but personally, I cannot remember when I last inspected a set of financial statements in my capacity as an internal auditor.
Myth #2: Internal auditors must all be qualified accountants.
As Myth #1 alludes to, internal auditors have historically been drawn from a pool of accountants, but as the profession has evolved, there is much greater importance placed on skills such as critical analysis, professional scepticism and attention to detail. Financial literacy may be particularly relevant depending on the nature of the organisation that the internal auditor serves, but many job advertisements still tend to give undue weight to the importance of an accounting qualification for traditional internal audit positions.
Perhaps this reflects the mindsets of senior leadership teams who entered the profession this way, or HR functions and recruitment agencies that have not kept pace with developments in the profession. Nonetheless, according to the Chartered Institute of Internal Auditors, the top six most desirable skills for internal auditors are:
- Communication
- Business acumen
- Flexibility and agility
- Personal relationships and networking
- Imagination and curiosity
- Persuasiveness
Notably, accounting expertise is not called out in this list. Internal auditors should be able to speak the language of their organisation and have an understanding of their organisation’s objectives, neither of which necessarily means being a native accountant.
Myth #3: Internal audit are responsible for managing risk, implementing controls and tackling fraud.
Under some Chief Audit Executives, the risk management function may be combined with the internal audit function, but (like external and internal audit) making the distinction between risk management and internal audit is very important. IIA guidance stresses that under such conditions, there is a need for “separate, clear and objective messages from each function.”The development and implementation of risk management frameworks and associated controls are the functional responsibilities of the various business units that form part of the organisation. The independence of internal audit from those responsibilities is crucial for its ability to provide objective assurance over the organisation’s ability to manage its risks.
So what does the relationship between external audit, internal audit and risk management look like? The IIA’s Three Lines Model depicts this. Fundamentally, good governance is achieved via collaborative efforts between all of these stakeholders. The model also highlights that internal audit should not be seen as a safety net whose role is to detect the fraud that management fails to recognise, but rather as the facilitators of appropriate behaviour that should encourage their organisation to meet its strategic and business objectives.
Advocating for Our Own Success
Being able to differentiate between external and internal audit is one thing. But beyond that lies a further challenge of demonstrating that internal auditors are on the same side as their organisation. Ultimately, good internal auditors are not motivated by finding fault, but rather inspired by continuous improvement. How can this message be appropriately conveyed?
Firstly, those in the profession have a responsibility to educate. The IIA has a plethora of resources to help facilitate this understanding and celebrates Internal Audit Awareness Month (yes, a whole month), every May.
Secondly, it is the responsibility of senior leadership teams to set the appropriate ‘tone at the top‘ such that the value of their internal audit function is transmitted throughout the organisation, even through to operational level. The concept of continuous improvement needs to be consistently circulated in order for the internal audit function to gain momentum and respect; why just wait until it’s time to surprise the business with an upcoming audit?
Further responsibility lies with recruiters, whether internally or externally employed. Nets should be cast wider, as an over-emphasis on the importance of accounting skills is just under-selling the profession.
An accumulation of the above should not only promote the role and value of internal audit with greater clarity, but ultimately help foster a healthy culture for the internal audit function to thrive in. For those who are naturally inquisitive, motivated by improvement and enjoy dissecting the layers of an organisation, internal audit may be your calling.
Amrit Bains is the Customer Success Manager for EMEA at AuditBoard. Having began his career at KPMG where he trained as Chartered Accountant and external auditor for clients in the UK and overseas, he then worked as a Senior Internal Auditor for a UK-based cooperative. Connect with Amrit on LinkedIn.