Building a Better Auditor: Four Skills Internal Auditors Should Develop Now

Data Analytics – In the Pulse report, among CAEs who say they plan to budget additional money for technology, 68% indicate they will spend it on data analytics software. Sadly, of all skills rated in the IAF competency study, data analytics comes in second to last (only knowledge of IT control frameworks was worse). This is a huge opportunity for auditors who are competent in areas of data literacy, data governance, and the use of data analytics technology. Many internal audit functions have failed to apply data analytics successfully because they thought the technology alone was the solution. For data analytics to be successful, departments must have individuals with the data analytics knowledge and critical thinking skills to get to the right data and know what to do with it.

Fraud – According to Pulse, 32% of CAEs report also being responsible for running the ethics or whistleblower hotline, and 52% are responsible for fraud investigation within their organization. In a joint Center for Audit Quality and Deloitte report from January 2022 (Audit Committee Practices Report: Common Threads Across Audit Committees), 42% of audit committee members indicate fraud risk has increased. Among the top fraud-deterrent measures being implemented, committee members put internal audit increasing its focus on fraud at the top. Internal auditors must rise to the challenge by developing a strong foundation of fraud knowledge to recognize and properly audit fraud. Importantly, that knowledge must be strong enough to combine with skills in data analytics (think fraud analytics) to expand your understanding of fraud risks within your organization and help you to detect potential fraudulent activity.

Cybersecurity – Among CAEs, 85% ranked cybersecurity as a 'high' or 'very high' risk in the Pulse report. However, competency in this knowledge area was in the bottom five in the IAF research study. Once again, this represents a significant gap for internal audit departments, but a tremendous opportunity for internal auditors who dive into this space. In fact, technology cuts across the top three highest risk areas in the Pulse report — cybersecurity, IT (not covered by cybersecurity), and third-party relationships (often including IT services and/or unique security concerns). Clearly, internal auditors who are not actively upskilling in the IT space are quickly becoming irrelevant.

ESG – This is a rapidly evolving landscape with global standards under development and a number of big players influencing the direction of ESG reporting over time. Importantly, the U.S. Security and Exchange Commission will likely be releasing proposed rules for climate change disclosures around the time this blog posts. I anticipate a SOX-like approach to climate-related disclosures and reporting. While final requirements may still be months away, it is important that internal auditors get up to speed not only on these pending requirements and standards, but also on what processes within their organizations will be most impacted by what is to come. This is a great opportunity for internal audit to demonstrate value early on rather than wait and react later.

In the short and medium term, internal auditors must get focused on these four areas to stay relevant. Of course, these are not the only skills internal auditors should be developing. I would encourage you to read through the studies I have mentioned as well as other credible reports to help identify your own competency gaps that you can work on. At the same time, don't forget the fundamentals. Take the opportunity to walk through The IIA's Internal Audit Competency Framework to see where you stand.

To dive deeper, check out:

·       2022 North American Pulse of Internal Audit
·       IAF Study: Assessing Internal Audit Competency: Minding the Gaps to Maximize Insights
·       IIA Learning opportunities can be found here.