What are the main internal audit competencies needed and how can new internal auditors develop these required skills?
Reading this article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.
Generally speaking, internal audit competencies fall into one of three broad areas:
- Technical auditing or accounting skills;
- Skills relating to critical thinking and business understanding; and
- Interpersonal and communication skills.
While all three skillsets are important, in my experience the most effective internal auditors are especially good at the second and third areas.
In this article I'll explain what I mean regarding each of these areas and also give some hints and tips to help new internal auditors develop the required skills in order to become more effective.
Technical auditing/accounting competencies
This first area is one where new internal auditors generally do well. Typically, they are up-to-date with the various technical areas (or are receiving training). As a result, they have a good understanding of the various accounting and auditing standards, as well as familiarity with a range of internal audit topics, including risk-based auditing, types of control, sampling and time (project) management. Depending on their previous experience and training they may also be up to date with cyber security risks and the latest thinking around areas such as lean internal audit and agile audit methodology.
While the head of the internal audit department will expect you to have these competencies, being proficient in these areas will not, in itself, mean that you’ll add much value as an auditor. Certainly, from your stakeholder’s point of view (the “auditees”), your mastery in these areas will largely be invisible! The most important thing is to use these skills in a pragmatic way and to communicate your findings with management. (See below)
Competencies relating to critical thinking and business understanding
The competencies above involve reviewing processes and controls, performing testing, extracting data and identifying apparent anomalies. The skills in this second section involve building on the work performed and interpreting the information in a meaningful way.
This is at the heart of what internal auditors do — interpreting the results of testing, to understand whether findings represent an actual control weakness or whether, for example, there are other mitigating controls which “plug the gap”. Where findings do represent a weakness, the auditor needs to be able to assess, in conjunction with business management (and the Internal Audit Manager), the significance of the weakness and its potential impact on the business.
a) Critical Thinking
It is at this point that a number of important factors come into play, including:
- The quality of management in the unit or area being audited. In other words, how credible are they? Do they demonstrate a considered approach to managing their risks, bearing in mind the costs and benefits? What has been the previous experience of internal audit with the managers involved? Do they have a reputation for integrity?
- How long have they been in their role? New managers are generally more willing to acknowledge issues in their area (especially if they pre-date their arrival). Managers who have been in their role for many years can become defensive and less open with the auditors.
- The organisation’s culture. It’s important to understand the way the Chief Executive and senior management react to control weaknesses. In some organisations the philosophy is “Get the issues out on the table, fix them and move on”, provided that the managers in question haven’t acted negligently. Other organisations may be more political or thrive on a “good news culture”, where managers may suffer in some way for highlighting problems or for weaknesses in their area. (In such organisations a negative audit report will not be welcomed).
Experienced auditors have usually seen these types of behaviour before and so tend to adopt a healthy scepticism when they are presented with information that does not appear to be consistent.
While the Institute of Internal Auditors (IIA) doesn’t give specific guidance on this topic, it does refer to the concept of “professional scepticism”. This term is used in the accountancy profession and is defined as follows:
“Professional scepticism is an attitude that includes being alert to, for example:
- Evidence that is inconsistent with other evidence obtained.
- Information that calls into question the reliability of documents and responses to inquiries to be used as evidence.
- Conditions that may indicate likely misstatement.” *
*From the International Standard on Assurance Engagements, ISAE 3000, issued by the International Federation of Accountants for engagements on non-financial information.
Personally, I like the advice given by the Roman Emperor and stoic, Marcus Aurelius:
"Learn to ask of all actions, “why are they doing that?” Starting with your own… "“Marcus Aurelius Meditations” – Book 10
b) Understanding the business
One of my roles involves carrying out External Quality Assurance reviews of internal audit functions on behalf of the Chartered IIA. As part of these reviews, the assessors typically interview a range of stakeholders across the organisation. Recurring feedback from both Executive and Non-executive management is that, in order to be a well-regarded internal audit team, auditors need to understand the business and provide meaningful challenge. I’ve actually had senior managers complain to me that audits do not always appear to be particularly rigorous or challenging enough!
To some degree, understanding the business comes with experience, although new internal auditors can always invest time, learning about their company and the industry sector in which it operates. It’s not uncommon to find internal auditors who reviewed the annual report and accounts and researched the company in depth as part of the interview process. However, now that they are in the job, they do not keep up-to-date with the organisation’s strategy or information released to shareholders on a regular basis.
Interpersonal and communication skills
Good (internal) auditors are good communicators. At the detailed testing level, good interpersonal skills help the auditor to build rapport, explain what the audit is trying to do and put those being audited at ease. Being empathetic also encourages those being audited to open up to the auditor and raise any concerns that they might have.
‘Auditees’ will naturally tend to be apprehensive, particularly in organisations where processes may not always be well-documented or adequately explained. This can cause people to worry that they may not be doing something correctly and that they will “get into trouble”. Good internal auditors make it clear that they are reviewing the process and controls, not the individuals who operate them. Strong processes should have a “failsafe” philosophy (i.e. proportionate mitigating controls) rather than simply relying on people remembering to do certain things.
While it’s important not to forget the need for healthy scepticism (as discussed above), an open and friendly manner will usually help ensure a smooth audit process. Indeed, one of the best compliments I received about an internal audit team of mine, who had just completed a review in a South East Asian country, was: “they arrived as auditors and left as friends”.
When meeting more senior management there are a number of other techniques that can be used to help ensure that you are seen as a credible and professional internal auditor. Based on my experience, the main ones are as follows.
Firstly, don’t be afraid to engage with senior management. Sometimes less experienced auditors discuss their findings in detail with lower level management (with whom they feel more comfortable), but are reluctant to engage with the departmental managers and above. This can result in time being wasted, because the auditor only has half the picture. An example might be a weakness in control in one unit, which is offset by a mitigating control (e.g. a review or reconciliation) that takes place elsewhere in the organisation. The clerk who the auditor has been dealing with may not be aware of this control, whereas the senior manager has more of an overview of the total process.
Secondly, try to take a more strategic view when talking to senior management and not get bogged down in too much detail. Senior managers are often inundated with information and so welcome a short précis of the issues. Crafting your message around several key headings, such as the following, can be very helpful:
- What did you find – what’s the problem?
- What’s its significance – why does something need to be done?
- What do you want the senior manager to do about it?
- What’s the benefit (for them) if they do?
Thirdly, it’s important to be pragmatic and to recognise that not all weaknesses will be fixed. Ultimately, managers are paid to manage risks and the auditor’s job is not to act as a “nanny”, forcing management to fix every weakness. Much will depend on the risk appetite, both of the organisation itself and also of the senior manager in charge of the area being audited. The key question is one of transparency: If managers are accepting risks and choosing not to mitigate them, due to cost or other considerations, do they have the appropriate level of authority to make such a decision? Have they alerted the person that they report to? Has the risk been properly identified on their departmental risk register?
A final thought: Internal Audit is about meeting the needs and expectations of your various stakeholders and adding value to the organisation. Stakeholders’ needs will not always be totally aligned with each other. However, the most successful internal auditors are aware of the differing needs/expectations and do their best to meet them.
After 25 years of experience in governance, risk management and audit roles for various multinational organisations, Greg now works as an independent consultant. He runs a variety of internal audit training courses and is an External Quality Assurance reviewer on behalf of both the Chartered Institute of Internal Auditors and their French opposite number, IFACI.