AT Think

One myth about internal audit that is easily disproved

For more than a decade, I have been trying to dispel lingering myths that haunt the modern internal audit profession. 

Some of the myths are based on perceptions, such as "internal auditors are the corporate police" and "internal auditors can't succeed unless others fail." I have offered what I believe are compelling arguments on why these are simply myths. But there is one myth that is easily disproved by simply looking at the facts: "Internal auditing is just another corporate 'bean counting' function." This simply isn't true, and a little research will debunk this myth every time.

An essential element of risk management is understanding how risk impacts organizations beyond finances, including operations, competition, regulatory compliance and strategy. Indeed, it would be foolhardy for boards and executive management to focus solely on budgets and financial reporting.

What's more, there is little argument that assurance and advisory services provided by internal auditing are essential to effective risk management. So, why does the myth persist that internal auditors are primarily glorified accountants?

Demystifying the "bean counting" narrative

The reality is that most modern internal audit functions spend less than a third of their time providing assurance over financial risk management, and recent data from The Institute of Internal Auditors bears this out. Financial reporting, including internal controls over financial reporting (ICFR); financial areas excluding ICFR; and fraud investigation together make up about 28% of the average audit plan in North America, according to the latest IIA Pulse of Internal Audit report. In contrast, operational, non-ICFR compliance/regulatory, and IT/cybersecurity make up 50%.

It's also important to note that the average North American chief audit executive lists cybersecurity and business resilience as top audit priorities ahead of governance/corporate reporting, according to the recently released Risk in Focus report from The IIA.

And yet, no matter what internal audit gets called to do, there will always be a cadre of misguided executives and board members who think internal audit is just an extension of the finance function. Of course, it doesn't help that too often internal audit reports administratively to the organization's chief financial officer. This unfortunately reinforces the view that internal audit must only be looking at numbers.

I covered the downsides to having internal audit report to the CFO in my September post, but let me address now why thinking of internal auditors as "bean counters" is simply dangerous in a modern risk environment.

The good news is that the data reflect that internal audit efforts are aligned with top risks, with cybersecurity at the top of the list. The bad news is that viewing internal auditors as primarily focused on finance makes an organization susceptible to weakening its audit function.

Key dangers of the "bean counter" bias

The accounting pigeonhole erodes audit priorities: Overemphasizing the need for internal audit services on financial risks while minimizing their value in combating nonfinancial risks is easier when boards and/or executive management think of internal audit as primarily a function of accounting. Whether conscious or unconscious, this bias is simply dangerous in a modern risk environment.

New risks won't emerge from new math: In the 21st century, most new risks have emerged from groundbreaking technologies. Cyberattacks remain by far the biggest threat to organizations, and each innovation that presents new and exciting business opportunities invariably carries new and novel threats, as well. Artificial intelligence is an obvious example here. Even as organizations race to adopt and adapt AI to their processes and strategies, cybercriminals are leveraging the technology to enhance social engineering attacks by making them more convincing, personalized and hard to detect, with phishing and deepfakes being prime examples. These types of threats aren't focused on financial reporting.

An audit team filled with bean counters will undoubtedly be less effective: Because today's internal auditors are more likely to focus on fraud risks, compliance issues and myriad operational issues unrelated to accounting, their backgrounds should be as diverse as the operations they audit. An accounting degree won't help as much as one in IT or computer science when auditing cybersecurity issues. 

The reality is that most audit executives recognize this and prize internal auditors with strong analytic and critical thinking abilities, data-mining skills, business acumen and IT skills more than they do those who are extraordinarily proficient in accounting.

Recruiting internal audit talent is harder if the focus is on crunching numbers: The next generation of internal auditors must possess skills that address modern business risks. This requires recruiting the best minds in data analytics, computer science, engineering and psychology to fill the internal audit talent pipeline. That will be next to impossible if organizations view internal auditing as synonymous with accounting.

My hope is that leaders who understand modern risk management don't buy the bean counter myth. Indeed, 65% of publicly traded companies globally have internal audit reporting directly to the CEO. But I'm deeply troubled that, according to Pulse data, nearly 8 in 10 (79%) of CAEs in publicly traded organizations in the U.S. still report to the CFO.
