Internal audit role, performed by internal auditors, requires core competencies. This post lists seven internal audit core competencies internal auditors should have—beyond internal audit standards—for planning and performing effective internal audits.
I, in this post, do not aim to explain how an internal auditor should conduct data analyses for example, but would give you solid knowledge about core competencies an internal auditor should has—as many of you may aspire to be come one, in the near future.
Also, I hope, this post can be a friendly reminder to fellow internal auditors of subjects that are professionally important to the practice of today’s internal auditing.
Importance of Internal Audit Key Competencies
“What competencies are essential to be a successful internal auditor?” You may ask—as others asked me through email (Sorry I can’t personally reply you one-by-one).
The answer to the question is: There are many. And they include having attained at least a four-year college degree in the area of Financial Accounting, Management Accounting, Financial Management and Operational Management—that will give the new auditor an understanding of the importance of business processes as well as the ability to observe areas of operations and to describe them through written and verbal approaches.
More important and even more fundamentally, though, an internal auditor must have strong personal ethics and a work-related commitment. That is, when sent to some location to perform a review, the internal auditor must maintain a professional attitude and conduct his or her work in an honest and ethical manner. These things are really fundamental and necessary to build a set of internal auditor key competencies.
As I have mentioned on the preface, internal audit core competencies are essential skill to conduct effective internal audits—thus are indispensable. While some professionals may look at the selections differently, adding or deleting some, my personal recommendation for internal audit key competencies includes the followings.
Core Competency#1. Internal Auditor Interview Skills
Internal auditor interviews with members of auditee management and staff are an important first step in the internal audit process. As a key part of these interview skills, the assigned in-charge internal auditor then meets with designated members of the auditee organization for an initial internal audit interview.
That initial interview and all others that follow are key steps in the internal audit process. They are valuable first steps to launch an internal audit and to gather information, but a poorly prepared or organized auditee interview can throw the internal audit so off that it may be difficult to complete the audit as planned.
All internal audit interview meetings, whether with auditee management or team associates, should be based on some internal audit planning and preparation before launching the meeting.
Once an auditee interview has been scheduled, the auditor should begin to focus on interview preparation. An internal auditor should never be fooled into thinking that she can simply walk into an auditee interview and inform them of the planned audit. An internal auditor’s goal must be to demonstrate the objectives of the planned review and his or her knowledge and qualifications for the planned internal audit. Adequate preparation is key.
The next snippet is a list outlining issues to consider when launching a new internal audit in some area that may have been reviewed in a past period. The list has been prepared with assumption that management on both sides is new participants in this review, and thus introductions and explanations all around are necessary.
Internal Auditor Preliminary Auditee Interview Checklist
1. After introductions all around, internal audit should outline the timing and objectives of the planned internal audit.
2. Introduce internal auditors who will be doing actual review as well as expected auditee participants.
3. If this is the first planned audit in this area or if there have been significant changes since the last review, arrange for a walk-through of the operations area to be reviewed.
4. If there had been a past internal audit in this area, check on the status of past findings and recommendations as well as any system changes since.
5. Outline the planned timing of the audit review steps.
6. Request or make arrangements to audit materials, including:
- Access rights to files and IT systems resources
- Temporary passwords, access right to key files, and physical libraries
- Internal audit working space and telecommunication connections
- Plant parking, guard desk badges, and other facility access issues
7. For extended time period reviews, schedule periodic status meetings.
8. Schedule tentative planned audit completion as well as preliminary wrap-up meetings.
9. Make arrangements for resources available to resolve any questions or problems during the course of the review.
10. Explain the expected internal audit process, including any planned draft report, expected response times to audit recommendations, and delivery of the final report.
11. Throughout the interview and certainly here, allow sufficient time for questions.
12. Follow-up interview with a detailed summary memo outlining the potential audit timing and any matters yet to be resolved.
Internal auditors will be involved with auditee and other management group meetings or interviews on a regular, ongoing basis. These meetings are the contact points to launch new internal audits as well as to review the status and continuing progress of ongoing internal audits.
Such meetings are generally not formal. Often they involve an internal auditor just meeting a manager at a nearby office desk or in a canteen over coffee. The real skill and competency need here is that an internal auditor should carefully plan objectives and even expected outcomes from such sessions and should conduct them in a planned, orderly manner.
The last thing a professional internal auditor should do is to burst in on an auditee manager with no warning and just blurt out some concerns. The internal auditor’s objectives will not be met in that situation, and internal audit will lose credibility in the eyes of entity management.
Core Competency#2. Analytical Skills
According to Wikipedia, analytical skills refers to the ability to visualize, articulate, and solve complex problems and concepts and to make decisions that make sense based on available information. Such skills include demonstration of an internal auditor’s ability to apply logical thinking to gathering and analyzing information, designing and testing solutions to problems, and formulating plans.
To test for analytical skills, an internal auditor might be asked to look for inconsistencies in some production report, to put a series of events in proper order, or to critically read a project status report and identify potential errors.
An analytical review usually requires an internal auditor to review some audit evidence materials and then to use logic to pick apart a problem and come up with a solution. Internal auditors are required to use such analytical processes on a regular basis in the course of their audits. The idea is not to jump into an audit with an already assumed conclusion but to break down the elements of whatever data or series of events is being analyzed in order to reach a conclusion. This conclusion may very well not always be the one the internal auditor expected to reach.
To be truly analytical, internal auditors need to think about all of the factors involved in a situation and then evaluate pluses and minuses in order to develop a recommended solution.
Many audit decisions are fairly easy to make. For example, a voucher either is or is not approved or an account either does or does not balance. However, sometimes other decision criteria are not that clear cut. Here an internal auditor should develop establish kind of decision criteria.
Internal audit decisions should be made in a consistent, organized manner. It is for this reason that internal auditors should view analytical skills as a key competency. Too often, some professionals think of the terms analytics or analytical analysis as a detailed, mathematical-oriented process. Internal auditors should use an analytical approach to describe their use of well-documented, well-reasoned processes to arrive at decisions in their internal audit activities.
Core Competency#3. Testing and Analysis Skills
While internal auditors should develop their initial decision approaches analytically, their next challenge and a required key competency is to have the ability to test, review, and assess the materials.
As a key internal audit competency, testing or sampling should be viewed in a broader perspective. For example, the next snippet describes some alternative audit testing approaches.
Audit Testing Approaches
Physical Observation – Testing approach is used for processes that are difficult to formally document or control. For example, stockroom cleanliness or customer service practices are important to the entity’s image but usually are not formally controlled. These factors can be especially important to organizational success when considered in broader contexts, such as assessments of employee morale or the professional tone of an office. Because these areas are somewhat subjective, developing internal audit recommendations can be difficult.
Independent Evaluations – Audit confirmations are an example of independent confirmations. While this technique is more common with external auditors, internal auditors sometimes find it useful as well. For example, confirmation letters can be sent to the entity’s vendors to verify their compliance with some matter.
Compliance Tests – Compliance testing helps determine whether controls are functioning as intended. When conducting compliance tests, internal auditors often use one broad sample to test several items concurrently. However, multiple samples are sometimes very effective. As an example, for disbursement testing, an auditor can use one sample to test documentation and approval of disbursements, another to assess contract approvals and agreement to payments, and a third to test personal reimbursements. Such targeted tests can yield much clearer results than using one sample to test all three items.
Exception or Deficiency Testing – If a reporting system shows deficient performance, exceptions can be reviewed in detail to understand root causes and determine possible resolutions. Many process improvements require coordination with other departments or persons involved in the process; internal audit involvement in deficiency resolution frequently facilitates such coordination.
Accuracy Testing – Tests for accuracy help determine whether a reviewed processes are measuring or assessing the right things and calculating results correctly. Much of today’s reporting contains significant black box elements, where the underlying calculations are embedded in computer programs and intermediate files. By using CAATT procedures and gaining an understanding of the reporting objectives, internal auditors can effectively verify systems reporting accuracy.
On the first point of the above list, “Physical Observation,” is often not thought of in terms of the concept of testing. But if an analytical approach, with established review and acceptance criteria, is used to organize an observation-based testing process, organized physical observations can be viewed as a valid testing process as well.
No matter what method is selected, internal auditors should always take appropriate steps to make certain that the samples they are testing are representative of the overall population they are analyzing.
A related requirement for this key internal audit competency is the analysis of the test results. Once an internal auditor has selected a sample and performed an internal audit test, the results should be analyzed. Having performed a sample per the established audit objectives, an internal auditor should review results for any possible errors detected in the sample to determine whether they are actually errors and, if appropriate, the nature and cause of the errors.
For those that are assessed as errors, the errors should be projected as appropriate to the population, if a statistically based sampling method is used. Any possible errors detected in the sample should be reviewed to determine whether they actually are errors. Internal auditors should consider the qualitative aspects of the errors, including the nature and cause of the errors and their possible effect on other phases of the audit.
Internal auditors should also realize that errors that are the result of the breakdown of an information technology process ordinarily have wider implications for error rates than human error.
Internal auditors should always take care to analyze and document their test sample results. They should devote every effort to making sure that the test results are representative of the overall population of items reviewed.
When audit results just do not “smell” right, as sometimes happens, an internal auditor should take any follow up procedures as necessary. However, the process of establishing audit objectives, pulling a sample of items of interest to ascertain if audit objectives are being met, and then reporting these results is a key internal audit internal audit competency.
Core Competency#4. Recommending Results and Corrective Actions
A very important role—perhaps the most important—of an internal auditor is reporting the results of audit work and developing and making strong recommendations for corrective actions, as appropriate. Internal auditors go through this exercise via their audit reports or when serving as enterprise internal consultants
In all cases, internal auditors need to have the key skills to summarize the results of audit work, to discuss what was wrong, and to develop some recommendations for effective corrective action.
While audit reports and their recommendations are often the responsibility only of senior, in-charge internal auditors or the chief audit executive, all members of the audit team should be able to describe an audit finding and to make a recommendation for improvement.
In some cases, a staff auditor will go through this exercise only as part of a workpaper note, but all internal auditors should think of much of their audit work in terms of these questions:
- What were the objectives of this audit or exercise?
- What was found?
- Why were those audit findings incorrect or not in compliance?
- What can be done to correct this error or control breakdown?
- What are internal audit’s recommendations for corrective action?
This process is very much part of internal auditing. Internal auditors at all levels should develop competencies to think of much of their work along those lines. Of course, it is always important for internal auditors to answer these questions clearly and simply enough that recipients can understand the issue and the nature of the suggested corrective action.
Reviewing evidence and making appropriate audit recommendations can become particularly difficult if the audit finding covers a complex or potentially obscure area. For example, many people will find it difficult to understand an audit finding describing an internal control weakness caused by an incorrect setting in an IT operating system software. Using analogies or other mechanisms, internal auditors should strive to prepare findings and recommendations in a manner that they can be easily understood.
Core Competency#5. Internal Auditor Communication Skills
The preparation of effective internal audit reports, with meaningful findings and recommendations, is a very important competency area for all internal auditors. Internal auditors at all levels should develop the skills to discuss and present audit findings and the related internal audit recommendations. These communications can take place in the workplace at all levels.
Internal auditors typically receive, review, and have access to a large amount of potentially confidential information. For that reason, it is very important that strong security controls be placed over all internal audit files and any retained data. However, internal auditors at all levels should develop the skills and ability to communicate with others in the entity about their work as appropriate and to help others to understand the value of internal auditing.
Whether presenting the results of an internal audit to local management or dealing with others on a day-to-day basis, all internal auditors should develop strong communication skills. This is another internal audit key competency.
Core Competency#6. Internal Auditor Negotiation Skills
If you ever thought of negotiation skill as an essential skill to marketing people, that is not wrong at all but, also not true all the ways. The truth is that negotiation is something that we do all the time, not only for business or internal audit purposes.
In general, negotiation is usually as a compromise method to settle an argument or issue. Internal auditors should communicate in order to negotiate issues/arguments as they often encounter differences of opinion during a review. Auditors can sometimes be wrong, but they always need to have the background and support to explain a proposed audit finding.
Whether it concerns recommendations developed in an audit report or while reviewing audit evidence on the shop floor, internal auditors will encounter many areas where management and others will disagree with their assumptions or potential findings.
Internal auditors at all levels should learn negotiation skills as they complete audit reports and prepare recommendations. Internal auditors should recognize that any type of audit finding, no matter how seemingly inconsequential, may be viewed as a criticism by auditee management.
Sometimes an internal auditor will encounter a situation where auditee management wants to fight internal audit on every point, no matter how trivial or how solid the audit finding. Internal auditors should develop skills to negotiate and compromise on some items or areas but should always reserve the right to say that something is wrong and needs to be reported.
If the auditee disagrees, it can be covered in the responses to the audit report and interactions with the audit committee if necessary. As a cautionary note, when an internal auditor agrees to modify a suggested recommendation or even drop an audit finding, the matter should always be documented in as much detail as possible and with an emphasis on why the internal auditor decided to change the disputed matter.
Core Competency#7. Internal Auditor Documentation Skills
Internal auditors have a major challenge in preparing meaningful and helpful documentation covering all of their work, whether informal notes from a meeting, to audit workpapers, to the final issued audit report. Internal auditors have an ongoing need to develop strong audit work documentation skills.
The next snippet contains some best practice standards for documentation. Internal auditors should always keep in mind that their documentation, at all levels, may be subject to other reviews or disclosures.
Internal Audit Documentation Best Practices
Best practices for increasing the quality of internal audit documentation:
A. Writing Narratives and Descriptions:
- Describe all work in a narrative fashion such that an outsider can review some materials here and understand the activities or processes.
- Document the audit concepts observed or performed but do not describe assumptions or speculative ideas.
- Generate systems-related documentation with use of hyperlinks where appropriate.
- Keep documentation just simple enough but not too simple—this is often an internal audit challenge.
- Write the fewest documents with least overlap.
- Put information in the most appropriate places—that is, allow the reader quickly to grasp the main elements of a documentation package without having to go through multiple addendums.
- Display key information publicly by including summaries and brief descriptions where appropriate.
- Use a whiteboard or internal Web site—whatever is necessary to promote the transfer of information and thus communication.
C. Determining What to Document:
- Document with a purpose. For example, documentation describing test results will have a whole different focus and content from material designed for the audit staff.
- Focus on the needs of the actual intended users(s) of the documentation who would determine its sufficiency.
D. Determining When to Document:
- Iterate, iterate, iterate. Take evolutionary (iterative and incremental) approaches to gain feedback for materials under.
- Find better ways to communicate, recognizing that documentation supports knowledge transfer but it is only one of several options available.
- Keep documentation current. Materials that are not kept up to date are of little value to most users.
- Update documentation regularly but only when it hurts. That is, documentation preparation resources must be balanced with other key internal audit activities.
E. In General:
- Always recognize that documentation is a requirement. It should not be postponed as a “when time is available” activity.
- Require users to justify documentation requests. Check-out and back-in processes should be established.
- Build a recognition throughout internal audit of the need for strong supporting documentation.
- Provide documentation preparation training to all members of the internal audit team
Whether it is a request from an audit committee member, external auditors, court order, or even government action, poorly prepared or inaccurate documentation could embarrass or even endanger the enterprise and professionally damage both the internal audit function and the individual internal auditor
In our electronic world of powerful word processing and database systems, that documentation sometimes can get out of hand. Perhaps every internal auditor has received a documentation-oriented word processing message, describing some area of audit interest with some supporting message attached.
Documentation becomes a challenge when that first supporting attachment has its own attachments, several of which have even more attachments, and on and on. Perhaps this type of a stream of attached documents provides the necessary and supporting information, but all too often such trails of attachments lead to ambiguities and problems.
An internal audit function should establish some best practice standards for its own internal electronic documentation. In some cases, the major office automation software tools—such as Microsoft Office—will make this easy, but in other situations, there is a need to work around vendor-supplied software.
The next snippet describes some internal audit digital documentation best practices that may help (I am using the term “computer-based” to refer to the many word processing, spreadsheet, e-mail, and other forms of electronic documentation that an internal audit function will need to support its internal audit work beyond formal workpaper binders)
Internal Audit Digital Documentation Best Practices
A substantial amount of internal audit supporting documentation and other activities takes place on computer systems, whether auditor laptops, desktop machines tied to an audit office local area network (LAN), or even on terminals connected to a central server processor.
All of those comprise the e-Office—the use of email, word processing, spreadsheet, database, graphics, and other tools. The following are some best practices that internal audit should consider when implementing an effective internal audit e-office:
- Establish hardware and software standards – Whether internal audit is located in a more remote, developing country regions or at corporate headquarters, all members of internal audit should use the same general hardware and software product suite.
- Use password-based security rules with regular updates – Because of the sensitive information that internal audit encounters, password controls, with requirements for frequent changes, should implemented on all systems—even auditor personal laptops.
- Build a security awareness – All members of the audit team should be instructed in the sensitive nature of audit documents. For example, when documents are printed on a remote office printer, establish rules that the initiator must be present during the printing process. Even better, avoid printing internal audit documents at a remote location.
- Backup, backup and backup – Strong procedures should be established for at least 100% daily backups of internal audit file folders, a rotating stream of several cycles of backups should be established.
- Establish file revision control procedures – Through the use of file naming conventions or software system controls, conventions should be established to identify all documents with a date created and revision number.
- Build templates and establish style protocols – All memos, audit programs, audit plans, and other key internal audit documents should be required to use the same common formats.
- Establish e-mail style rules – While there are many needs and requirements for email messages, some general style rules should be established. In addition, define and recognize areas that should be released as controlled documents rather than e-mail messages subject to forwarding.
- Establish e-mail attachment rules – Attached documents are an easy way to convey information, but the process can get out of hand with attachments attached to attachments and so on. Guidance rules should be established here.
- Actively implement and monitor antivirus and firewall tools – Effective software should be installed, regularly updated, and violations monitored, as appropriate.
- Limit personal use – Whether a laptop brought to the auditor’s home, downloaded music files, or a night school paper written in the office, personal use of e-office resources should be limited, if not prohibited.
- Establish locks and security rules for portable machines – All auditor laptop machines should be configured with locking devices as well as guidance in their use. In addition, security audit guidance should be established for all portable machines.
- Monitor compliance – A member of the internal audit team should periodically review and monitor compliance with auditor e-office procedures. Process and performance improvements should be installed as appropriate.
Whenever possible, these standards should be consistent with IT department standards, but the objective should always be to support the overall internal audit effort.
If all members of the internal audit team use standard practices, such as Word document revision controls, internal audit will have a greater success in controlling its own automation processes. Internal audit standards in such areas as office documentation should try to be at least as good as if not better than their enterprise’s overall standards.
Going beyond effective internal audit digital documentation described above, an internal auditor should develop strong skills and competencies in documenting every aspect of their work.
Internal Auditor’s Commitment to Learning
Some professionals probably include it into the core competencies group while others not. I would rather put it separately for a reason. Not because of it is less important compare to the described competencies but, it is the most important.
I personally (perhaps others too) would recommend that all internal auditors should develop is a strong commitment to learning beyond the 40 hours continuing education requirement for certified internal auditors.
Business and technology are always changing, as are the political and regulatory climates in which entities operate. All internal auditors should embrace this commitment to constant and ongoing learning as a very key competency.
For example, the International Financial Reporting Standards (IFRS) are becoming a substitute for the US-GAAP. International standards have been growing in acceptance around the world, country by country and region by region, with the United States as the only major holdout. Although many internal auditors probably will not need to understand the details of many of these accounting standards rules, they should at least understand their high-level impact on the reporting of financial results in the United States.
All of the outlined internal audit core competencies—including the commitment to learning—are essential to perform effective internal audits, no matter what industry, geographic area, or type of internal audit.