At some point in our careers, we’ll all have to audit an area or activity that’s foreign to us. Throughout my career, I’ve had the opportunity to audit companies in the financial services, technology, biopharmaceutical, and government contracting industries, as well as state and local government agencies.
I recall once while interviewing for the Head of Internal Audit role at a company whose primary business was new to me, one interviewer asked how I was planning to audit a business I had no prior experience in. My answer was simple: I approach every audit using The IIA’s Standards for the Professional Practice of Internal Auditing, and I’ve been successful across diverse areas because I’ve mastered one trade: auditing.
As a professional internal auditor, mastering the IIA Standards equips you with a portable skill set that can transcend any audit topic, allowing you to audit new areas, in different companies, and across all industries. In this article, I will share six best practices that have helped me master this skill set throughout my career.
1. Master the Methodology
The first step to becoming a master in the audit profession is familiarizing yourself with The IIA’s Standards, specifically the Performance Standards. These Standards are a tried-and-true project management methodology and also provide a roadmap for the tactical execution of all aspects of performing audits. Once you’ve mastered this methodology and how to apply it, you can confidently tackle any auditing role.
2. Understand the Business
In order to be successful as an auditor, I’ve always believed you have to have a healthy mix of technical abilities, interpersonal skills, and institutional knowledge. While you can bring technical abilities and interpersonal skills along with you from your previous role, when you’re new to an organization you lack institutional knowledge. You need to overcome that learning curve quickly to be able to identify and begin performing audits that will add value to the organization.
In the first 30/60/90 days, depending on the size and complexity of the organization, your priority should be to learn and understand everything you can about that organization, its mission, the major players in management, the organization’s lines of defense model, internal politics, and those risks that can prohibit the organization from meeting its objectives. Gaining this knowledge will allow you to perform a meaningful risk assessment, the fundamental foundation for every audit plan.
3. Articulate Your Value
As you’re getting to know the organization and making connections, I find this to be a great time to articulate your value. I usually begin by presenting my philosophy that internal audit is and should be viewed as a customer service function, not a policing function. I set the expectation that my goal is not to find issues that perhaps will make a process owner look bad to management or others in the organization, but rather to help address their known pain points, streamline their processes, and identify opportunities to make the company more compliant, more profitable, and more efficient.
When stakeholders view you as being on their team and performing your audits with an eye toward making their lives easier, they’re more likely to be forthcoming. They begin to view you as a trusted advisor, and this type of relationship makes life better for everyone involved.
4. Engage Leadership in the Risk Assessment
Leading an effective risk assessment is key to your success. As previously mentioned, the risk assessment is the fundamental foundation for developing an audit plan that will be viewed as value-added. You’ll want to spend time identifying areas to audit that will be most impactful to the organization and its critical stakeholders, like executive management — and therefore you need to engage executive management in this exercise. You need to ensure that you’re taking their feedback into consideration, which will ultimately help gain their buy-in once you present the results of the assessment.
The inaugural risk assessment will take time, as you need to engage with senior leaders to understand their perspectives on which risks could prevent the organization from achieving its objectives. How much time it takes to perform an effective risk assessment depends on the size and complexity of the organization, and this process will continually be refined over time with practice and repetition.
5. Build the Audit Plan
The Standards require us to align our audit resources with the audit plan. It’s impossible to audit everything, so the plan should capture the highest risks to the organization while being realistic about what your department can accomplish. I find it helpful to show the actual calculations for how I arrived at the plan to the Audit Committee so they understand the constraints and why the audit plan cannot cover certain areas.
If they feel the audit plan isn’t comprehensive enough, you can take this opportunity to revisit that calculation and articulate that, in order to include more audits, we’ll need to add resources to the team — whether that be expanding the internal team, co-sourcing, or outsourcing some of those additional audits to consultants.
When the Audit Committee understands how you arrived at the plan, they’re more likely to give you the additional resources needed to successfully complete the planned audits.
6. Execute the Audits
Finally, we come to the tactical execution of audits. When auditing a new area or concept, you’ll need to educate yourself to know what and how to perform the examination. As auditors, we should be resourceful in how we educate ourselves. There’s a wealth of knowledge at our fingertips in the modern technological era.
I like to use the analogy of a quiver full of arrows, where each arrow is a source of information and knowledge. Every auditor carries a quiver throughout their career, and over time we accumulate new arrows. Let’s say I’m going to audit mortgage escrow for the first time. Having no previous experience in this area, I need to identify which arrows in my quiver can help me tackle this new type of audit. In this case, I’d obtain regulatory guidance from a data resource like AllRegs.com.
There are more resources to be found — if you know where to look. Here are some additional arrows I know I can add to my audit quiver as needed:
- Hiring a new team member with specific skills can quickly add a new skill to your staff.
- People in your network are often happy to have a conversation and provide guidance.
- Training for existing staff may be an option if there is enough time and budget.
- Rotational auditor programs can bring in experts from the organization, as long as they are not auditing their own processes.
- Best practice whitepapers written by subject matter experts provide education.
- Outsourcing to a specialized consultant can fill a skill gap if you have the budget.
The trick is knowing which arrows to use and at what times. For example, going with rotational auditors or outside consultants will provide a short-term solution, while training and educating your team enables the retention of long-term institutional knowledge. You need to know which will ultimately be best for your team and the organization.
The Portable Audit Skill Set
When you master The IIA Standards, you can confidently pursue opportunities in internal audit in any organization because the audit methodology is portable! Your audit skill set is truly industry agnostic as it applies to any organization in any industry.
I’ve been inspired by audit leaders like Kiko Harvey, whose impressive career spans Starbucks, Delta Air Lines, the United Nations, and currently the University of Southern California — and whose success across diverse industries illustrates what can be accomplished when one masters and applies the audit methodology.
Of course, we can never know everything when it comes to auditing. Your job is to know how to apply the audit methodology and ensure you have the right arrows in your quiver or know where to find the ones you need. In my career, like Kiko, I have moved between different industries. By applying the methodology for the past 20 years, I have been able to step into new situations and audit different topics, confident that I would be successful — and I know you can too.
Chris Patrick, CIA, is the Head of Internal Audit and Sarbanes-Oxley (SOX) at Sunlight Financial, and previously led audit teams at Figure and RoundPoint Mortgage Servicing Corporation. He is currently a member of the Board of Governors with the Charlotte Chapter of the IIA, and has served as President of the Northern Virginia Chapter of the IIA. Connect with Chris on LinkedIn.