Every profession evolves as the body of knowledge expands and new tools and technology become available. The best and brightest professionals embrace evolution and leverage new strategies and tactics to enhance their effectiveness. The same is (or should be) true of internal audit professionals.
Several years ago, I adopted a term to describe internal auditors who were not very progressive, who tended to cling to outdated practices. I called them "Jurassic Auditors." The term Jurassic derives from the geologic period that spanned more than 50 million years and ended about 145 million years ago. The vast majority of species from that period are long extinct, because they were unable to adapt. The same could ultimately be true of internal audit professionals who fail to evolve and adapt to changing practices and the environment around them.
It is important to stress that Jurassic Auditor does not denote the age of professionals. Many veteran internal auditors are extremely progressive. At the same time, many younger internal auditors leverage practices from a bygone era. I am referring to those who are simply reluctant to change.
I have maintained my own informal list of obsolete characteristics/practices. Here are seven signs that you might be a Jurassic Auditor:
1. You obsess over the past. In its infancy, the internal audit profession was largely focused on hindsight — what happened last month or last year. Eventually, we began focusing on insight — what is happening now. Increasingly, we are providing foresight — what could happen in the future if key risks are not adequately mitigated. From my experience, Jurassic Auditors dwell on hindsight despite the limited value it often provides. Hindsight is the service that is most susceptible to disintermediation by artificial intelligence (AI). Like the species from the Jurassic period, internal auditors who dwell on only the past are likely doomed to extinction.
2. You build audit plans based on cycles, rather than risks. Another professional practice from the past is the use of predetermined cycles to schedule audits. When I was a young auditor for the U.S. military, I knew full well that we were required to audit the officers' clubs every three years — regardless of how well or how poorly they might be managed. Eventually, risk-based auditing was introduced to the profession. Yet, some internal audit departments still use the outdated practice of conducting audits based on a schedule, rather than a risk assessment.
3. You develop an annual audit plan and stick to it all year. I have written extensively about the imperative to "audit at the speed of risk." Yet, many audit departments still develop a comprehensive annual audit plan and use it as an unwavering road map to guide them through the upcoming year's internal audit coverage. Just as dwelling on the past can undermine internal audit's value, so can failure to undertake a continuous approach to risk assessment.
4. You avoid using technology. As I have written before, technology is the great capacity multiplier for internal auditors. Whether for internal audit management (including electronic work papers), data analytics, or continuous auditing/monitoring, technology is an enabler. It enhances both efficiency and effectiveness, yet some internal audit departments are not just late adopters — they are non-adopters. They cling to 20th-century paper-and-pencil methodologies.
5. You avoid auditing technology. Far too many internal auditors are unwilling or unable to audit technology risks within their organizations. Whether cybersecurity, cloud computing, or mobile technology, there is a reluctance to assess the risks and include coverage in audit plans. But these are among the most significant risks that many organizations face. Avoidance of technology audit coverage increases the possibility of hearing those five dreaded words when things go wrong: "Where were the internal auditors?"
6. You enjoy writing about the condition more than recommendations. As a young internal auditor, I found the identification and communication of a problem (condition) to be exhilarating. I felt that I had truly demonstrated my value when I was able to point out a control failure or waste, inefficiency, or mismanagement. In time, I came to appreciate that a finding isn't truly complete unless it also includes cause, effect, and recommendations for corrective action. I sense there are still too many internal auditors who get more satisfaction out of identifying the problem than out of identifying how to solve it.
7. You still call audit clients "auditees." Okay, I admit this one might seem a bit petty compared with the other signs on this list. However, it often denotes an outdated mindset. The IIA hasn't used the term "auditee" in decades. Instead, it refers to those we audit as "clients."
This list represents my personal views on characteristics of the Jurassic Auditor. I know there are many more. While compiling my list, I vetted the idea with several colleagues, and these were some other signs that were offered:
- You talk about internal controls instead of risks.
- You use standard audit programs.
- You think of risk only in terms of impact and likelihood.
- You consider culture something to be addressed through an HR survey.
- You're content sitting on the sidelines (not seeking trusted advisor status).
- You're content with existing resources/skill sets.
- You're satisfied meeting expectations rather than exceeding (or driving) them.
- You think data analytics involve a few extra charts and graphs in your audit report.
- Your audit report is a 60-page summary of everything you've done for the past six months.
I am sure the list could go on and on. I welcome your views.