Skip to Content

7 Deadly Internal Audit Sins

Blogs Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA Jun 24, 2019

As part of unofficial "Internal Audit Self-awareness Month," I am featuring blog posts from the past that focus on looking inward. This theme is just as vital as any effort to build awareness about our profession. We must take a realistic and hard look at what we do, how we do it, and how we are viewed by those outside of the internal audit function. This week, I'm featuring a previous post on what internal auditors must never do.

The vast majority of my blog posts focus on the strategies and practices that internal auditors can deploy to generate value and succeed as professionals. However, it is important to occasionally step back and discuss actions or mistakes that can prevent or derail success. Everyone makes mistakes, but some should be avoided at all costs.

Success in internal auditing rarely happens overnight, and it's never guaranteed. It can take years to develop the requisite knowledge, skills, and expertise, and even then the process of learning and improving never really ends. But the most carefully planned internal audit career can come crashing down in a moment over a serious mistake. Get lazy, careless, or worse, fail to live up to the core principles for the professional practice of internal auditing, and an internal auditor may never recover.

I've compiled a number of what I call "internal audit sins" that have the potential to ruin an otherwise bright career. They are:

Publishing an erroneous report. It's simply incomprehensible to me for anyone to intentionally allow an error — big or small — in an internal audit report. But a mistake can be equally devastating. A single, incorrect observation can forever haunt, not only because of the error itself, but also because a retracted report is rarely forgotten. A retracted or amended report lingers, serving as a stark reminder of not just the one failure, but the prospect that it may not be unique. What's more, chances are good that the erroneous report will embarrass both your client and your boss, and take it from me, one or both will have a long memory.

Submitting incomplete/false workpapers. You may not get caught if you "cheat" on your workpapers, but if — when — you are, the outcome will not be good. Purposely submitting incomplete or false workpapers is unethical, plain and simple, and there is no place for it in internal auditing. You can assume your supervisor will react by poring through your previous workpapers in search of similar issues. Regardless of what might be found, your job — and perhaps your career — is clearly at risk.

Losing your temper with a client. When internal audit clients are in distress, they sometimes strike out unfairly. It might seem natural to fight back, even if you feel you are in the right, but it's never appropriate to act out unprofessionally and certainly never productive to lose your cool. Keep in mind that, if you ever raise your voice during a client meeting, everyone will probably remember the shouting match long after they have forgotten the reason for the disagreement. That's not the sort of lasting impression you want to make. And before you respond to an incendiary email from an unhappy client, it is best to wait an appropriate interval or to seek council from your boss.

Auditing with an "agenda. "It's a huge ethics breach to undertake an audit with a conflict of interest. Your reputation for fair, unbiased auditing will be lost forever if it appears even for a moment that you might be out to "get someone" or to exonerate a personal friend, regardless of guilt or innocence. It really doesn't matter whether the conflict of interest is real or perceived. It can be nearly impossible to recover — even if you are allowed to stay in the internal audit department.

Betraying a bond of confidentiality. There are certain ways that information gained during an internal audit should never be used. If an auditor inappropriately shares information about a client, for example, trust between the two parties will be destroyed and you can expect word to get around quickly. And once an internal auditor develops a reputation as a gossipmonger, any ability to have a candid conversation with management will be greatly, if not completely, diminished. Nobody invites an indiscreet internal auditor for a return visit.

Violating company policies. If a client believes that an internal auditor is flouting company policies, then the auditor shouldn't be surprised if he or she lacks persuasiveness when making a recommendation regarding the client's conformance to policies. If a client learns that you are not flying on a company-approved air carrier, or walks past you in the first-class section of the plane to get to their coach seat, you can assume they won't forget. I don't mean to imply that internal auditors should never make an exception to policies under any circumstance. But any exception should be well-justified, and it should be rare. Just as police officers should never be "above the law," it's never okay for auditors to act as if company policies don't apply to them.

Issuing internal audit reports that are petty or don't add value. We all know that internal auditing is not just about pointing out what's wrong; it's about helping management to accomplish its objectives and to take advantage of opportunities that otherwise might have been missed. No one benefits if internal audit has a reputation for wasting time on unimportant details. Internal audit reports that contain inconsequential findings or recommendations that are not cost-effective will earn you a reputation as a "bean counter," or worse. It also might be tempting to re-use a previous audit program that found several insignificant errors, but re-performing last year's audit is not necessarily the best way to add value.

Any of these seven "sins" can deeply undermine the role and reputation of internal audit, and wield a fatal blow to the perpetrator's career. But I believe there also are ways to overcome blunders that aren't intentional or malicious. In an upcoming blog, I'll examine seven virtues that can fuel an internal audit career to soar from the ordinary to the extraordinary.

Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA

Former president and CEO of The IIA, the global professional association and standard-setting body for internal auditors.