Five New Year's Resolutions Every Internal Auditor Should Make for 2013

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 


Over the years, one of the practices I have followed in writing my blog is to open the year by sharing five New Year’s resolutions that every internal auditor should make. As I noted last year, these are not the typical resolutions about losing weight or exercising more — although some of us could certainly benefit from such resolutions as well.

Instead, the resolutions that I propose are designed to enhance the quality of our performance as internal audit professionals. They are simple resolutions that are powerful enough to enhance our value, but so painless that keeping our resolutions changes from a mere possibility to a probability.

1. Plan more and audit less 

One of the Achilles’ heels for internal audit departments is the amount of time it takes to complete the average internal audit engagement. The problem typically stems from deploying endless audit steps and an undisciplined report writing process. The impact of these poor habits can be mitigated significantly by better planning at the outset of the engagement. Too often, we are in such a hurry to begin the audit that we rush to develop an audit plan/program so that we can get started. But conducting an audit from an inadequate plan is like taking a road trip with an unfinished map. Without a solid plan, you are bound to take wrong turns and circuitous routes throughout the engagement. I’ve found that the keys to effective planning are to: (1) identify the key operating objectives; (2) identify the key risks that will inhibit achievement of these objectives; (3) assess the risks; (4) determine the audit objectives based on the risk assessment; and (5) document the audit steps necessary to test control effectiveness related to each objective.

2. Communicate for impact

Recipients of internal audit reports are often exasperated by the length of the reports, the amount of needless information that’s included, and the difficulty of navigation. As auditors, we have trouble being succinct. We like to tell people “how to build a watch” when maybe all they really want is to know the time. We also tend to shy away from using graphics, but often a picture truly is worth 1,000 words. Essentially, we have to do a better job of cutting to the chase — communicating succinctly and in an impactful way that will compel the reader to take action.

3. Empathize more and gloat less

Too often we tend to take pride in the fact that we found problems or deficiencies in an area we audited. But if we put ourselves in the shoes of the people we’re auditing, we might see things a little differently. In fact, we might realize that they want the same things we do: to do an effective job, to deliver quality, to be service oriented, and to pursue excellence. There just might be extenuating circumstances that impair their ability to do so. One of the things that I think internal auditors always could do better is to demonstrate empathy when we’re doing the audit work. Certainly, that doesn’t mean that we don’t communicate the issues that we discover, but there’s no point in diminishing the value of other professionals to try and make ourselves look better.

4. Embrace technology

We have to recognize that our resources are limited, and they’re not likely to grow significantly in the coming years. Yet, our stakeholders’ expectations continue to grow. One of the ways that we can become more productive and add greater value to our organizations is by leveraging technology — using data mining and analytics tools and techniques and taking advantage of audit management system software to help with documentation of our work and the planning and communications of the results of that work. These tools can be tremendous “capacity multipliers” for internal auditors.

5. Enhance industry/business knowledge

As I’ve observed before, our stakeholders often are concerned that we don’t understand the business well enough to be conducting audits of operations, business risks, and strategic risks. One way that we can become more effective in auditing those areas and enhance their confidence in us is by acquiring and demonstrating an in-depth knowledge of the business and the industry. We have to become students of our own organizations. We need to become more proficient in identifying key risks and threats that face our industries. We can do this by joining industry associations, partaking in industry trade publications, doing Web-based research, and seeking out other resources to enhance our knowledge. We also need to have a better understanding of the issues that face our business. Every internal auditor should analyze any information they can obtain on the organizations they work for, including information released to regulators and investors (such as 10-K filings in the United States) and other publically available information as well as resources available to management within the company/organization itself.

These are only a few of many New Year’s resolutions that might be appropriate for internal audit. In keeping with The IIA’s motto, Progress Through Sharing, please share any additional resolutions that you believe internal auditors should make as the New Year gets underway.

Posted on Jan 4, 2013 by Richard Chambers

Share This Article:    

  1. I would like to add few points to the comments on the above especially in a world where internal auditors are asked to take a very close look on issues that concern stake holders and recepients of the audit reports. Spending more time or adequate time on audit planning and risk assessment by an auditor should be tailor made to specific audit risk at the end of the day. The audit has to be continuous and relevant to the business. It is in this context internal auditor must identify clearly the control points to those associated risks and have a suitable audit universe in the planning presented to the audit committee for review and approval. There is a need for internal auditor to spend adequate time to test and verify those control points efficiently without writing pages and pages of redundant background details on the business risk. The recepients of the audit report are expected to know business risk also based on their own set of criteria and job description in an organization. CAT or computer assisted audit techniques are important part of the audit commitment one should have in an organization where there is audit risk.

  1. Richard: Thanks for highlighting some resolutions for internal audit departments in 2013.  Based on the significant focus you have put on IA's key role assessing and reporting on the effectivess of risk and governance processes I am surprised this area was not included. 

    Based on my 25+ years I can offer three areas I think every IA department should focus on 2013:

    1. More help for management and boards reducing uncertainty key value creation and potential value erosion objectives will be achieved within an acceptable level of retained risk.

    2. More help for boards responsible for overseeing management's risk appetite and tolerance.

    3. Provide an annual opinion to the board on the effectiveness of their organization's risk management processes, including the reliability of information on retained risk they receive from management.

    IIA research suggests that many IA departments are not currently providing formal assurance on the effectiveness of their organization's risk management and governance processes per IPPF Standards 2110 and 2120, much like many of us (including me)  are carrying more weight than we should and not exercising enough. (for a variety of reasons which generally aren't good excuses)

    If the majority of internal audit departments increase their focus on complying with IPPF Standards 2110 and 2120 re reporting on the effectiveness of their organizations' governance and risk processes  in 2013 I will work on the losing weight and exercising more.  Both developments would be positive.  

  1. This is a good summary of some of the things to keep in mind as auditors.  In relation to #1, I think as auditors we tend to focus too much on the details and forget the bigger pictures.  This is why we either over-audit or over-think our audit reports.  It's always a good idea to step back and see how our audit steps relate to the bigger picuture.  More importantly, the impact we want to see should relate to best practices and enhancing internal controls and processes.  It should not be an exercise in fault-finding.

  1. Richard you have made very interesting points,especially note #3, indeed auditors its should not slip our minds that our role is not to act like police men or rather find faults but to add value to the organization together with our colleagues
  1.  Thanks for valuable inputs, every auditor has to take care certain things, which are well defined and say in this message.

    Today, with change of time, auditior needs to migrate once again from Transaction based risk assessment process, and support the business system to grow faster


  1.  Richard, your points are well taken. More often than not, audit departments struggle with differentiating the forests from the trees when executing audit engagements. In my opinion, this new year’s resolution, by far, should be number one that any auditor should strive to achieve. Not being able to see the “big picture” often will lead to labor inefficiencies during the execution of an audit. Moreover, the level of inefficiency will increase for audits that are more complex in nature. Auditors should spend more time making sure the client’s business objectives are well understood before they begin to identify and mitigate the risks associated with those objectives.   

  1. Great content Richard .... maybe there's room for a 5.5 ... deepen relationships.  Maybe this fits int #3, but I think that the real value from internal auditting will flourish colleagues see them as trusted advisors versus the police.

  1. i like your writing Richard. You gave here some important points that i certainly did not think about them before but now i'l take them into consider. Wish for successful 2013 to all
  1. Very good read..

  1. Thank you Richard for the 5 resolutions. I would add the 6th of completing QAIP in 2013. It is a step many Internal Audit Departments are yet to take yet critical.

  1. I like #5. My resolution is to make my audit work mesh with the firm not just at the level of objectives but at the level of 'brand'. What is this firm trying to be? How do its clients see it? Where are the areas where the firm isn't living up to its potential and/or failing its clients? Every time I've ever had problems, it's been because I'm deviating from the fundamental thing the firm's trying to do, without having first married my worldview list with the views of the client.

  1. Merci, très bonne lecture

Leave a Reply