Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

​7 Deadly Internal Audit Sins

Comments Views

​The vast majority of my blogs are focused on the strategies and practices that internal auditors can deploy to generate value and succeed as professionals. However, it is important to occasionally step back and discuss actions or mistakes that can prevent or derail success. Everyone makes mistakes, but some should be avoided at all costs.

Success in internal auditing rarely happens overnight, and it's never guaranteed. It can take years to develop the requisite knowledge, skills, and expertise, and even then the process of learning and improving never really ends. But the most carefully planned internal audit career can come crashing down in a moment over a serious mistake. Get lazy, careless, or worse, fail to live up to the core principles for the professional practice of internal auditing, and an internal auditor may never recover.

I've compiled a number of what I call "internal audit sins" that have the potential to ruin an otherwise bright career. They are:

  1. Publishing an erroneous report. It's simply incomprehensible to me for anyone to intentionally allow an error – big or small – in an internal audit report. But a mistake can be equally devastating. A single, incorrect observation can forever haunt, not only because of the error itself, but also because a retracted report is rarely forgotten. A retracted or amended report lingers, serving as a stark reminder of not just the one failure, but the prospect that it may not be unique. What's more, chances are good that the erroneous report will embarrass both your client and your boss, and take it from me, one or both will have a long memory.
  2. Submitting incomplete/false workpapers. You may not get caught if you "cheat" on your working papers, but if – when – you are, the outcome will not be good. Purposely submitting incomplete or false workpapers is unethical, plain and simple, and there is no place for it in internal auditing. You can assume your supervisor will react by poring through your previous workpapers in search of similar issues. Regardless of what might be found, your job – and perhaps your career – is clearly at risk.
  3. Losing your temper with a client. When internal audit clients are in distress, they sometimes strike out unfairly. It might seem natural to fight back, even if you feel you are in the right, but it's never appropriate to act out unprofessionally and certainly never productive to lose your cool. Keep in mind that, if you ever raise your voice during a client meeting, everyone will probably remember the shouting match long after they have forgotten the reason for the disagreement. That's not the sort of lasting impression you want to make. And before you respond to an incendiary email from an unhappy client, it is best to wait an appropriate interval or to seek council from your boss.
  4. Auditing with an "agenda." It's a huge ethics breach to undertake an audit with a conflict of interest. Your reputation for fair, unbiased auditing will be lost forever if it appears even for a moment that you might be out to "get someone" or to exonerate a personal friend, regardless of guilt or innocence. It really doesn't matter whether the conflict of interest is real or perceived. It can be nearly impossible to recover – even if you are allowed to stay in the internal audit department.
  5. Betraying a bond of confidentiality. There are certain ways that information gained during an internal audit should never be used. If an auditor inappropriately shares information about a client, for example, trust between the two parties will be destroyed and you can expect word to get around quickly. And once an internal auditor develops a reputation as a gossip monger, any ability to have a candid conversation with management will be greatly, if not completely, diminished. Nobody invites an indiscreet internal auditor for a return visit.
  6. Violating company policies. If a client believes that an internal auditor is flouting company policies, then the auditor shouldn't be surprised if he or she​ lacks persuasiveness when making a recommendation regarding the client's conformance to policies. If a client learns that you are not flying on a company-approved air carrier, or walks past you in the first class section of the plane to get to their coach seat, you can assume they won't forget. I don't mean to imply that internal auditors should never make an exception to policies under any circumstance. But any exception should be well-justified, and it should be rare. Just as police officers should never be "above the law," it's never okay for auditors to act as if company policies don't apply to them.
  7. Issuing internal audit reports that are petty or don't add value. We all know that internal auditing is not just about pointing out what's wrong; it's about helping management to accomplish their objectives and to take advantage of opportunities that otherwise might have been missed. No one benefits if internal audit has a reputation for wasting time on unimportant details. Internal audit reports that contain inconsequential findings or recommendations that are not cost effective will earn you a reputation as a "bean counter," or worse. It also might be tempting to re-use a previous audit program that found several insignificant errors, but re-performing last year's audit is not necessarily the best way to add value.

Any of these seven "sins" can deeply undermine the role and reputation of internal audit, and wield a fatal blow to the perpetrator's career. But I believe there also are ways to overcome blunders that aren't intentional or malicious. In an upcoming blog, I'll talk about seven cardinal virtues that can fuel an internal audit career to soar from the ordinary to the extraordinary.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this blog post

comments powered by Disqus
  • CRMA-Launch-October-2021-Blog-1
  • All-Star-Conference-October-2021-Blog-2
  • IT-General-Controls-October-2021-Blog-3