Yes, CPAs and CAs Can Be Internal Auditors, Too!

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 


One of the things I enjoy most about social media is its ability to stimulate passionate and seemingly endless debates over the most insignificant topics. For many, these debates take place on Facebook or Twitter. For internal auditors, LinkedIn tends to be the platform of choice. For the past few days, internal auditors and others have been chewing on one particular LinkedIn post like a “dog with a bone.”

It all started about two weeks ago with the following post to The IIA’s Official Global Group:

“Should the internal audit profession be the preserve of chartered accountants only? Or should it be opened up to people with diverse professional backgrounds?”

Now, I am quite certain that the individual who posted this question knew that it would be provocative and would stimulate a lot of debate — and it certainly has. As of this writing, almost 40 comments have been posted. Almost all of them have taken the position that modern internal auditing is a profession that mandates a diverse set of skills. A few have derided the very question itself. In fact, a few days after the question was posted, I posted the following response:

“Given the evolving focus of the internal audit profession in recent years (for example in 2013, only about 21% of internal audit coverage is financial-related), the better question might be: ‘Should the internal audit profession still recruit chartered accountants or should it only be recruiting people with diverse professional backgrounds?’”

While the original post and my response might evoke a smile — or frown, depending on your point of view and the credentials you hold — they were both designed to stimulate debate.

To address the more serious topic of internal auditor qualifications, I point you to IIA Standard 1210: Proficiency, which states:

“Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.”

There was a time when internal audit focused almost exclusively on financial risks and controls. However, this is the 21st century, and the profession has evolved dramatically. While a well-resourced internal audit function will include individuals with strong financial backgrounds (such as certified public accountants (CPAs) and chartered accountants (CAs)), it also will include a much broader diversity of skills than internal audit functions of a generation ago. It’s likely to include individuals with expertise in business operations, IT, compliance, fraud investigation, and many other areas. If I were looking for a specific credential that demonstrates knowledge and proficiency in internal auditing, I would look for a professional who is a Certified Internal Auditor (CIA).

So, to summarize, modern internal auditors must follow the risks. That requires more than just financial expertise. But yes, CPAs and CAs can be internal auditors, too.

I welcome your thoughts on this topic.

Posted on Jul 29, 2013 by Richard Chambers


  1. When I recruited internal auditors, around 20 years ago, I chose to recruit newly qualified accountants (usually Chartered) or programmers, who went on to gain ISACA qualifications. The reasons for this policy were: chartered accountants were relatively easy to recruit, as many were looking for a first job in industry; they had the financial knowledge required for most audits; they were flexible in their approach to audits, having had to cope with whatever was thrown at them in the profession; they were used to dealing with directors and senior managers. If I wanted specialists, they could be seconded from other departments. If I were recruiting today, I would probably still recruit Chartered Accountants for the same reasons. I would also include CIAs who hopefully are more numerous than they were 20 years ago! I regard good IT auditors as essential and would continue to recruit programmers and train them for the ISACA qualifications, or recruit qualified IT auditors, but with an IT background. The problem with recruiting staff with other expertise (pharmacists, engineers, fraud investigators) is keeping them busy on audits using this expertise. It would therefore be essential that any staff were capable, and willing, to act as internal auditors on audits outside their area of expertise. No reason why they shouldn't be good... how much internal auditing is plain common sense?
  1. Richard, You may recall I once ran a similar survey on the topic of "Should your CAE be a CPA?" After a couple of days I had to take it down as I received over 400 responses. Follow the link above to reach the raw survey results. best regards, Don
  1.  Richard

    What has always worried me are people who suggest internal auditors can have no professional qualifications. This is usually the point of view of someone who has been an internal auditor for some time but never bothered to submit themselves to the learning - and testing - process that comes with obtaining a professional certification. I often hear the cry that "letters after your name does not make you a good auditor". I agree.  But letters after your name suggest one thing: you are sufficiently committed to yourself and your profession that you took the trouble to get them.



  1. Living and working in Armenia I obtained British accounting qualification (ACCA) in 2006, but never worked as public accountant or external auditor. The qualification was helpful for structured knowledge in Accounting, Auditing, Business and Finance. I used that knowledge together with knowledge from Universities in my managerial roles in commercial banking, finance functions in mining and trading, and more importantly in Internal Auditing.

    As CAE, I believe that one should avoid narrow-minded people, and they can be among accountants as well as people of other professions. If a CPA or CA does not want to go beyond and build on her knowledge in accounting standards then she is not a good hire for internal audit. Knowledge of IT (not narrow though) is crucial today and should be supplemented to other knowledge. Business knowledge can be obtained in practice, which is not always supported by qualifications, but very important to establish a right dialogue with our customers.

    When asked the question about right qualification, I point to the IIA standard Richard referred to - internal audit activity collectively must possess the knowledge needed to perform its responsibilities. For me that means having people of diverse backgrounds, in terms of qualifications not only CIAs, but also CISAs, CPAs (or equivalent), CFEs, etc. In fact, any respected qualification is a good sign about person’s commitment to learning and should be welcome.

  1. Hmmmmm....would I go to a podiatrist if I had a heart problem? No! I'd see a cardiac specialist. Even though both specialists are doctors, the area of specialization and demonstrated expertise is what matters.

    So why would I look for a CPA or CA to run an internal audit department? That should be the domain of CIAs who by training and experience are expert in evaluating strategic enterprise governance, business risk, and management control efforts; AND who, by earning the CIA designation, have demonstrated a minimum level of expertise in understanding and applying the IPPF effectively. IMHO, a CIA designation should be a non-negotiable requirement for advancement into any leadership position in a professionally run internal audit department. 

    At the staff level, an IA dept absolutely needs CPAs, CISAs, and CFEs (if its charter requires resolution of fraud allegations). I would add that a professionally trained individual who can write a readable report that busy executives will truly value is another indispensable asset to an internal audit department (but that's an entirely different conversation).
