Why Internal Auditors Should be Rocking the Boat

Why Internal Auditors Should be Rocking the Boat

“There is only one thing in life worse than being talked about, and that is not being talked about.”

So said Oscar Wilde, and we could say the same about auditing. We may sometimes wish to shun attention, avoid asking difficult questions, submit a safe report, and go for the easy win. That way we know we won’t be making any waves or getting into awkward and potentially combative conversations. But if our work is not the subject of conversation, we’re unlikely to make a difference.

I call the mindset of wanting to keep your head below the parapet “comfort auditing.” Like comfort eating, it satisfies a craving but can lead to a vicious downward cycle and is ultimately counterproductive. So why do auditors and CAEs sometimes end up retreating into their comfort zone?

It’s called a comfort zone for a reason. It’s where we feel at ease and free from anxiety. Management coaches and lifestyle gurus make us feel guilty about feeling comfortable. However, we shouldn’t want to feel discomfort just for the sake of it or to the point where stress and anxiety are damaging to our wellbeing. We have to find the sweet spot of healthy challenge.

How does comfort auditing creep up on us and why is it a problem for our organisations and the profession. What are the signs that someone is just “phoning it in” and what can we do about it? I would like to offer some of my experiences and suggest a constructive way forward.

When Comfort Turns to Complacency

During my 40 years in the profession, I have come across CAEs and auditors who are just happy doing what they do and not challenging the status quo. An auditor who is merely comfortable will do just enough to go unnoticed. They will go through the motions and deliver their findings, avoiding anything controversial and accepting the ready explanation.    

There can be several reasons why this happens. Maybe we have become disenchanted because we’ve seen nothing change for the better regardless of our work. Perhaps we have drifted towards the easier path of least resistance. Or we simply like to please, to be complaisant

Sometimes it’s our clients who don’t want us to rock the boat. I’ve listened to a vocal member of an audit committee say they would prefer a “traditional” internal audit service — by which they mean someone reliable, safe, and predictable, who isn’t going to spring any surprises. 

To which I replied that we’re probably not the right service provider.

Rediscovering Professional Courage

A complacent CAE poses a significant risk to an organisation. Internal auditing is no longer fulfilling its critical function of providing independent and objective assurance and advice designed to add value and improve an organisation’s operations. Instead, we are contributing to a culture of complacency, where significant risks may go unidentified or unaddressed, and opportunities for improvement are missed.

The trouble is, when you’ve been in your comfort zone for too long it’s hard to change — but when you get stuck in a rut, that’s when the wheels tend to fall off.

We stop being tenacious.

We stop being diligent.

We stop being courageous.

We stop being agents of change.

In fact, we become agents of inertia. Such a stance provides inadequate oversight of risk management and control and undermines the principles of good governance.

If we’re not challenging the status quo, then who is?

How can we avoid complacency and ensure our team members remain sharp instruments of continuous improvement in a dynamic, ever-shifting landscape? The Global Internal Audit Standards have come at a good time. One of the innovations I most welcome is this addition to the ethical principles:

Internal auditors must perform their work with…professional courage. They exhibit courage by communicating truthfully and taking appropriate action, even when confronted by dilemmas and difficult situations.

Furthermore, the CAE “must maintain a work environment where internal auditors feel supported when expressing legitimate, evidence-based engagement results, whether favourable or unfavourable.”

Above the Parapet

The CAE plays a crucial role in maintaining a function that offers challenge and advice. We have to support our team and seek the same from our audit committees. Here are some things you can do:

  • As we familiarise ourselves with the requirements of the Global Internal Audit Standards and plan for conformance, CAEs can use the opportunity to emphasise the importance of professional courage. It is a central part of integrity and crucial to our authority and credibility. We must be trusted to “tell it like it is” and offer practical advice for making improvements. CAEs can show leadership with their team and the audit committee in making this point. There are also many resources to help develop these skills, such as this AuditBoard video.  
  • Create the environment where it is safe to challenge management based on findings from systematic and disciplined work. Your team members need to know you will back them up if they raise legitimate issues. Lead by example.  We may not always feel courageous, but the lesson of the Cowardly Lion is that if we challenge ourselves, we find courage when we need it.  
  • Try changing something in your normal routine. I am a strong advocate of agile auditing and flexible practices. Introducing new styles of reporting, additional tools for data analytics, and automated processes for audit management, for example, are not primarily about greater efficiency — although that is one huge side benefit. Mixing it up keeps us fresh, sharpens our resolve, and increases our confidence.

A CAE who is merely “comfortable” and seeks to avoid scrutiny is a liability to the governance, risk management, and compliance framework of the organization they serve. Such behaviour is contradictory to the internal audit standards, which advocate for a proactive, engaged, and continuously improving internal audit function.

Let’s make sure we are always being talked about.


David Hill is the CEO of SWAP Internal Audit Services based in the UK. David has nearly 40 years of audit experience, is currently Chair of the Local Authority Chief Audit Network, and is a former member of the Global Guidance Committee. Connect with David on LinkedIn.