The saying, “a jack of all trades is a master of none, but oftentimes better than a master of one,” provokes debate between specialists and generalists. This discussion extends to many fields, including internal auditing.
As internal audit’s role continues to grow, today’s practitioners are asked to do far more than their traditional responsibilities around operational assurance and regulatory compliance. This paradigm shift is particularly evident in The IIA’s Pulse of Internal Audit survey. The inaugural 2011 report lists fraud investigations, financial reporting, controls, compliance, and ethics investigations as the top areas of responsibility outside of traditional roles. In contrast, the 2019 report illustrates internal audit’s growing involvement in other key areas including cybersecurity, enterprise risk management, cost/expense reduction, and third-party risk.
Internal auditors are expected not only to broaden their scope of services, but also to deepen them. Most audit functions believe they are falling short technically in key areas, as evidenced by lower competency ratings (scale of 1–5 with 5 as highly competent) in cybersecurity and IT audit (2.9), data analytics (2.9), and technical accounting standards (2.5–2.9) in Protiviti’s 2019 Internal Audit Capabilities and Needs Survey.
These seemingly conflicting qualities of depth and breadth raise an important question frequently asked by chief audit executives (CAEs) and practitioners alike: Is it better to specialize or generalize?
First and foremost, the practitioner’s interests and career goals should guide any decision on specialization. On one hand, experienced practitioners may become specialists over time, whether intentionally through career planning, mentorship, technical training, and workload, or unintentionally through trial, error, and, ultimately, success within certain disciplines. Alternatively, audit new hires may find generalization appealing as it provides a means to learn various aspects of the business and explore alternate career options, or identify opportunities for future specialization within internal audit.
While audit new hires may be more likely to start their careers as generalists, audit leaders should not deter them from exploring specialization. As academic institutions and continuing professional education providers expand their offerings in highly technical areas such as cybersecurity and data analytics, new hires can enter the audit workforce with skills best suited for specialist roles.
Regardless of experience level, practitioners may already have expressed specific interests or disinterests that will help department leadership better align projects with the appropriate resources. For instance, a new audit staff member may not have a specialization, but wants to limit his or her workload to IT audit and consulting projects. While smaller audit functions may not have the headcount or budget to allow for specialists, audit leadership must continuously engage their staff, understand their career aspirations, and foster their interests through mentorship and continuing education. If leadership does not facilitate these conversations, auditors should initiate the dialogue and ensure they receive opportunities to pursue their career interests.
Every internal audit team is unique with respect to size, role, collective experience, and expertise. Therefore, a prescriptive ratio of specialists to generalists does not exist. Nonetheless, CAEs and auditors should have a clear understanding of their department’s mission, and the current risks and needs of the stakeholders they support. For example, an audit department of four at a mid-sized private company with relatively low compliance risk may emphasize versatility, and operate as interchangeable parts to support one another and respond to the dynamic needs of its stakeholders.
Alternatively, a large international corporation with an audit staff of 50 may have more defined and consistent roles for its team members, including designated subject-matter experts based on country, business unit, or discipline.
Whether the emphasis is on agility, expertise, or some combination, every CAE will have a different vision for the depth and breadth of the department’s workload. Because this vision can be shaped by the goals, interests, and skills of the staff, needs of the organization, and size and role of the function, CAEs should benchmark these items against the long-term goals of the department. For instance, if the department has established itself as a trusted compliance watchdog, but the CAE has longer-term ambitions of growing its advisory wing, the CAE should establish a formal strategy that encompasses recruiting, training, project mix, and stakeholder engagement to ensure these goals are achieved.
Furthermore, an opportunistic CAE with the optimal combination of resources and corresponding organizational needs may counter the specialist/generalist question by asking, why not both? While it seems contradictory to be a specialist and a generalist, CAEs can recruit and develop a diverse staff that includes both to ensure expertise and flexibility to respond to dynamic organizational needs.
As a shared service, internal audit has an obligation to provide value to its varied internal stakeholders. Often, an organization’s copious needs may not be fully met by internal audit’s finite resources. As a result, audit departments should use enterprise risk assessments, materiality, and stakeholder feedback to identify the most pressing organizational needs and impactful project opportunities.
Additionally, organizations without dedicated departments or subject-matter experts in disciplines such as enterprise risk management, data analytics, and cybersecurity may be more inclined to seek out internal audit to help address needs in these areas, provided that the audit team has specialists with the requisite expertise and availability. For instance, a large company with a robust data analytics department may be less likely to engage internal audit to perform similar work than a smaller organization without a dedicated analytics function. Nonetheless, internal auditors can still provide value under those circumstances by assisting the analytics department with tasks such as validating the completeness and accuracy of the data sets used and providing context to analytical results based on their knowledge of the business.
Align Talent With Needs
Internal audit’s expanded role has afforded today’s CAEs and practitioners new opportunities with respect to the depth and breadth of their workload, but it also presents new challenges and decisions around the merits of specialization versus generalization. These decisions should not be made in a vacuum, but rather through careful and informed considerations, including practitioner goals and interests, audit department size, role and vision, and organizational needs. But regardless of whether one is a “jack of all trades,” a “master of one,” or a hybrid of the two, internal auditors can maximize their value by aligning their talents and workload with their stakeholders’ needs.