Building a Better Auditor: The Happy, Non-traditional Internal Auditor
Blogs Ray Kantor, CPA, CIA, and CFE Jul 05, 2022
I've been in audit for more than 28 years — eight as an external auditor and 20 as an internal auditor. When I left public accounting for industry, internal audit was a great place to start, but I didn't think I'd be auditing 20 years later. What happened?
One driver that kept me interested in audit was the U.S. Sarbanes-Oxley Act of 2002, which came out early in my internal audit career and made internal audit much more high-profile, interesting, and valued. But as Sarbanes-Oxley matured and responsibilities appropriately transferred to "management," the luster somewhat faded. Why am I still auditing?
I've had two employers while in internal audit. My first one is where I built my first internal audit function and tackled Sarbanes-Oxley. I loved that job. Building something from scratch and helping the company become Sarbanes-Oxley-compliant was very rewarding. I continue to have a huge amount of respect and appreciation for that company and the opportunity. But after a while, I started to feel like internal audit's scope was being narrowed to be primarily focused on compliance. I felt this limited my opportunities to work on interesting things, to use my creativity, and to add value. So, I left.
My second internal audit opportunity, and where I still work, has been a different experience. I once again had the opportunity to build the internal audit function, and I still do traditional internal audit tasks like testing internal controls over financial reporting, providing financial statement assurance, helping our external auditors, and carrying out operational, compliance, and IT audits — but "special projects" has taken on a new meaning.
Over the years, I have enjoyed co-leading a companywide cost-reduction initiative, serving as our CFO's chief of staff, playing point on selling ourselves to new private equity owners, running the virtual data room for due diligence on sale transactions, partnering with legal compliance to start an enterprise risk management function, leading our finance department's employee engagement survey response team, and most recently leading a taskforce for responding to third-party inquiries about our environmental, social, and governance activities.
These opportunities became available to me for a few reasons. First, the internal audit group that I lead is a fantastic and capable team. The team has developed to such a high level that I can rely on them to semi-autonomously execute many of our traditional responsibilities, creating capacity for me to focus on these other things without concern that we will miss something. Second, I'm not shy about raising my hand. This gets back to the first reason of being able to rely on my team but also speaks to the culture at my company where opportunities are presented to people based on their interests and capabilities without regard to the function in which they reside. Lastly, our CFO and audit committee are open-minded and interested in my professional development and engagement. Importantly, I continually keep our audit committee informed on what I'm doing. And guess what? They are supportive because our traditional audit work is not sacrificed. They also realize these projects make me a more effective auditor because I'm getting insights into more of the risks we face, building relationships with people outside of the context of auditing them, and enhancing my credibility and profile.
Whoa, whoa you say. Auditors can't do those things! Wouldn't that compromise our independence? Well, it's actually okay because none of those responsibilities get assessed by internal audit. We are not auditing our own work. So why am I still the audit guy? Because I continue to grow, the work is really interesting, and I am adding value! So, I am a happy, non-traditional auditor.