The Perfect Internal Auditor

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


Many years ago, I read a description of the "perfect internal auditor." It was so great I kept it:


The perfect internal auditor

Results of a computerized survey indicate that perfect internal auditors complete the average audit in 15 minutes, the difficult in 30 minutes.

They discover and disclose all weaknesses in the controls, but never upset anyone.

They make $60 a week [which tells you how old this is], drive nice cars, wear good clothes, and contribute $50 a week to various company functions, birthday presents, retirement presents, et cetera.

Perfect internal auditors smile all the time with a straight face because they have a nice sense of humor that keeps them seriously dedicated to their work.

They complete 15 to 30 audits a day, review 10 to 15 new or revised controls, type all their audit programs, produce an annual audit budget that anticipates all company growth and allows for all changes. They maintain a perfect set of working papers that the external auditors use without question. They write comprehensive audit reports that read like a fine novel and are understood by all who read them. They are people with a velvet touch, the perfect answer, diplomat par excellence.

They do all their audit work in the auditees' work area and are always in their offices when needed.

How has this changed? How would you describe the perfect internal auditor in 2012, perhaps allowing improved efficiency through the use of technology?


Posted on Feb 7, 2012 by Norman Marks


  1. Norman:

    I think the perfect "Internal Auditor" in 2012 would be called a "Risk & Assurance Analyst" or similar. The words Internal Auditor have decades of extended supervision/critical parent/child interaction/police/checker/inspector connotations. Regardless of how modern and proficient a person is, these connotations will be stigmas that are difficult to overcome. That perfect Risk & Assurance Analyst would focus on the overarching goal of ensuring senior management and the board are aware of the significant residual risks being accepted across the organization and helping senior management and work units better manage risk.

    I believe the sooner "Internal Auditors" give up the notion that their main job is to complete and report point in time audits the sooner the profession will be on a whole new track that adds considerably more value to their organizations. Unfortunately, the paradigm that Internal Auditors' primary job is to do audits is one that is engrained in the profession, the standards, the IIA training and the minds of a large percentage of Internal Audit leaders.

    I don't believe that the "Perfect Internal Audit" is defined by someone that does "perfect audits". It is defined by looking for innovative ways to add maximum value to the organization and fully meet the needs of the board of directors for reliable information on the effectiveness of risk processes and the true state of residual risk.

    I recognize these are radical ideas but I think you have asked an important question that warrants serious consideration.

  1. Tim, thanks for the great comment.

    One of the fun things I do when I speak to auditors is ask for a show of hands: "is our job to do audits?"

    Then I show them the IIA definition of internal auditing, and it doesn't mention audits. Instead, we are asked to provide assurance and value-add consulting services.

    So, I agree with your statement that the perfect internal auditor is "looking for innovative ways to add maximum value to the organization and fully meet the needs of the board of directors for reliable information on the effectiveness of risk processes and the true state of residual risk." (Although I only ask that they assess whether the risks are at acceptable levels, not be responsible for assessing the risk level - that's a management task).

  1. Norman,

    Great response. There is definitely a misperception as to the role of Internal Auditors as defined by the IIA. I've always enjoyed the light bulbs that you see when individuals study the standards in detail for the first time; generally in preparation for an external assessment. It's only at that time that they realize how many activities they were doing because they had also been done that way versus it being actually required by the standards. Regarding the article, I love the humor in it.  

  1. This internal auditor is very slow. How about an internal auditor who reviews all core business transactions and controls continuously via mobile device every day providing huge amounts of assurance and cost savings. They free up time so they can build relationships with the BOD, CSuite and Process Owners on the golf course, tennis courts or poolside and review the risks of new strategies, business transformations, social media and potential external and perhaps unknown risks. They understand and examine value drivers to make sure initiatives are on track.

    Well, what are you waiting for!  The answer is out there.  Get out of your box and explore the possibilities.  If you do not do it, someone will for you.


  1.  Well said, Michael. May I add that the perfect internal auditor provides assurance to the boards and executive management on a continuous basis, when it is needed, and on the risks that matter. It's not only that the auditor is auditing continuously, but that the resulting assurance is shared with stakeholders - in a way that is useful to them, wherever they are, and whenever they need it.

  1. Tim:

    Having said that the IA would be called "Risk and Assurance Analyst", do you mean that the IA should be in charge of risk management in an organization or risk management should be overseen by another officer?

  1. Sometimes, providing information to management regarding "the effectiveness of risk processes", requires taking a look at what is really happening.  That may involve observation, inquiries, tests, etc.  Call it audit or call it investigation or come up with a new, shiny buzz word (e.g., Reality Assurance Analyst). 

    I agree the function termed "Internal Audit" is expansive and therefore can take any number of new forms. This discussion looks to me like we are splitting the function into an elite, quasi-management function and a grunt-work aspect. I really like the "How about an internal auditor who reviews all core business transactions and controls continuously via mobile device every day providing huge amounts of assurance and cost savings." That's a change from the point in time perspective.

  1.  This was posted on LinkedIn:

    The perfect internal auditor is one who can take his place on the executive committee of the company; understand the strategy and challenges of the organisation and through the internal audit function, draw on a number of specialist skills to assist the organisation in mitigating its risks through the implementation of good controls across governance, risk, financial and operational processes.

    He/she should be a strategic thinker; gone are the days of pure cyclical operational audits; a good auditor should these days be able to challenge the effectiveness of the strategy supporting the direction and objectives of the organisation; contribute meaningfully to the process and make the presence of internal audit well embedded at the right level within the organisation. 

  1. CA Ramachandran Mahadevan Bangalore India-Advisory Board Member-24th KSCAA Annual Conference 

    Perfect Internal Auditor coined earlier is not valid in 21 Century.

    We have only Imperfect Internal Auditors all over the world in spite of IIA Standards, Certification of Companies. Indian Example Satyam and Governance Failures in many companies globally.

    A truly effective Internal Auditor should acknowledge that the audit is imperfect but feeling responsible for what he can do, he replaces criticism of it with constructive action to improve it.

    Further like ISO Quality Certification, IA Certification should be once in six months by an external agency as per Global Standards of IIA.

  1. Here is my perfect internal auditor Norman- skill sets to be able to execute the following responsibilities from something I recently saw out of the UK for a Head of Global Assurance

    Direct and lead the strategic and operational development of the internal audit function and develop articulate, fluid and holistic audit plans

    Engage with the board and key stakeholders providing appropriate assurance on the organization's strategies and plans

    Influence and facilitate change across the organization and strengthen procedures and controls, ensuring they remain effective, efficient and responsive to the organization

    Manage and mentor the team promoting a culture of empowerment and pride through own actions and words

    Manage the global assurance worldwide budget

    Drive commercial viable solutions across a range of geographies including some of most challenging

  1. Thong Le:

    Management and business units are "in charge" of risk management. I believe that the primary end goal of an "assurance function" should be to ensure that senior management and boards are aware of the organization's true residual risk status. How this is accomplished will vary from organization to organization. It can include a group that offers risk assessment training, facilitation, quality assurance reviews, direct assessments of risk, and other activities. In a utopian world business units provide complete and reliable reports on residual risk status related to all key business objectives. Unfortunately some will do a poor job, some will lie and some will allow human biases to distort the truth. What is important is continuously seeking the best way to accomplish the end objective of ensuring senior management and the board are aware of the true residual risks status.
