Tim Penrose took a nontraditional path to internal audit, starting his career in a technical role as a computer and systems engineer and then moving into a management associate program at a leading financial services organization. He rotated into different roles across multiple functions — gaining risk and control experience — and then made the move to one of the Big Four. Now he is managing director, internal audit, at TIAA-CREF.
During his 13 years in internal audit and risk-related roles, Penrose has seen the expectations on internal audit increase significantly, which has further elevated the responsibilities and stature of the function in many organizations.
“This has driven an increased demand for talent, such that audit professionals are constantly being recruited,” Penrose says. “By consistently delivering value, internal audit has been able to gain a seat at the table, serving as a trusted business partner while maintaining the necessary independence and objectivity. There is still work to do, but internal audit has seen some positive advances in the last 10 to 15 years.”
Penrose also points out that perception is reality and that it must be managed. “You may think your team is the best in the world,” he says. “But if senior leadership does not see the full value of your role or function, you are responsible for actively managing and improving that perception.”
Today, Penrose says he sees growth opportunities for internal auditors who can flex within and outside of their current roles — such as a senior auditor who proactively volunteers to lead an engagement or the audit director who runs a project outside of his or her scope of responsibilities to successfully complete the audit plan on time.
“There are huge opportunities for individuals who can equally understand strategic and operational risks, critical business processes, technology considerations, and data analytics,” Penrose adds. “These individuals are able to strategically differentiate themselves through the resulting audit work and deliverables.”
One area where Penrose says internal audit should be doing more is in marketing itself within the organization, with boards and audit committees, and within the industry. “By networking aggressively with peers, auditors are able to bring best practices and lessons learned to their functions and organizations,” Penrose says. “This allows them to better anticipate risk areas that may require a heightened level of focus.”
Cross-training is another area where Penrose says internal audit has room to improve. Like any department, internal audit runs the risk of staying within its silos of responsibility. Rotation of personnel across the department — as well as rotating guest auditors into the function and auditors into business areas — serves as a knowledge transfer opportunity for technical skills, best practices, and business understanding, he says.
When it comes to personal development and advancement, Penrose says auditors must be well-rounded while also demonstrating subject matter expertise in their specific areas of interest. Moving up in the profession requires not just breadth of knowledge, but depth of knowledge. His advice for the auditor just starting his or her career is to take personal accountability and make an effort to learn something new every day.
“I learned a great deal within all my roles and would not trade my industry or public accounting experience,” Penrose says. “Having the opportunity to work within leading organizations and with strong leaders has proved instrumental to my career path and progression.”