Being brave, an intrinsic requirement of the internal audit function
By Marilize van Schalkwyk.
If you read about the latest trends in internal auditing, you will find many articles about agile auditing, robotic process automation, artificial intelligence, and other technologies aimed at improving the effectiveness and efficiency of internal audit processes.
The world is constantly changing, requiring continuous professional development, with a focus on areas such as cyber security, privacy regulations, cloud-based solutions, and emerging technologies. But behind the technology and in the ever-changing environment, an internal auditor is needed to interpret the information, analyze it, highlight risks, and consider how to improve controls or processes.
The definition of internal audit by the Institute of Internal Auditors states that “internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations.” Root cause analysis plays an important role in deciding how to improve controls or processes.
Recommendations should address the root cause of the identified weakness or inefficiency, not just the
symptoms, and this can be a dilemma for internal auditors. You need to speak the truth about risks and control failures, possibly upsetting your client and management, and becoming unpopular in the process, thus bringing us to the question: are you brave?
According to the Oxford dictionary, brave (verb) means to endure or face (unpleasant conditions or behavior) without showing fear.
Being an internal auditor can be one of the most difficult roles in an organisation. You need to ask difficult questions and have uncomfortable discussions with clients who might take it personally. You need to maintain a level of professional skepticism (the conduct involving a questioning mind, being alert to conditions that may indicate possible misstatements due to error or fraud, and a critical assessment of audit evidence), even with colleagues.
An internal auditor must be able to tell the stakeholders, whether it is the top management or the Board, what it is that is putting the organisation at risk – and it can be hard to do. Pointing out control failures can be hard, especially if the same opinion is not shared by the client. Internal auditors must be able to speak out and tell the truth if they want to be effective, even at possible great personal risk. They must be willing to face unpleasant behavior, without letting it discourage them and or deter them from the task at hand.
What can you do to be bold when needed, or to endure?
Internal auditors need to be honest, diligent and have strong moral principles. The integrity of internal auditors establishes trust and thus provides the basis for reliance on their opinions.
Build trusted relationships with your clients. Trust is important in relationships. The clients must be able to believe what you are saying and rely on your opinion. Listen to the views of your client, consider their inputs, and show mutual respect.
No surprises. Do not surprise your client, especially relating to failures, in front of others. Discuss identified control weaknesses or deficiencies openly and agree on the way forward.
Internal auditors are required to perform their tasks prudent with diligence, and with professional care, making sure their opinion is supported by facts and evidence. They must act in the best interest of their organization and line with their moral principles.
Marilize van Schalkwyk is an Information Systems Auditor at the Government Institutions Pension Fund, the views expressed in this article are her own and do not represent those of her employer.