What are the three common core competencies identified in The IIA Research Foundation core competencies report?

After a few years of working in an organization’s finance department, you decided to jump into a new career path, which is in the financial audit industry. What skills do you need to develop in order to succeed in an internal audit career?

What are internal auditor responsibilities? 

In a nutshell, financial auditors examine and analyze a company’s accounting data, financial records, and business operational processes. They are tasked to assess and evaluate an organization’s operations with the objective of identifying opportunities for improvement, reducing waste and production errors, and if needed, reporting fraudulent activities.

In public companies, internal auditors are under the direction of the audit committee of the board of directors. This lends the audit committee full independence from the company’s management team, allowing them to report on operational issues as necessary.

What an Internal Auditor Career Path Looks Like 

In general, financial auditors begin their career in internal audit through a junior position immediately after earning a degree and a professional certification or license. Some of the common jump-off points for an internal audit career include positions in finance, accounting, or information technology.

As for external auditors in public practice, a bachelor’s degree in accounting is required for you to obtain a license as a Certified Public Accountant, which is a general requirement for aspiring external auditors.

Read Next: Should You Outsource Your Internal Audit Function? 

Core Skills and Competencies for Internal Auditors 

In an extensive survey with chief audit executives, internal audit staff, and managers, the Institute for Internal Auditors Research Foundation identified the following knowledge areas and competencies as crucial in the execution of audit work:

1. Communication skills, including oral communication, report writing, and presentation skills
2. Problem-solving skills (i.e., conceptual and analytical thinking)
3. Ability to promote the value of internal audit among key employees within the organization
4. Keeping abreast with regulatory changes and industry standards
5. Knowledge in auditing, internal audit standards, fraud awareness, and professional ethical standards.
6. Knowledge in enterprise risk management (i.e., risk analysis and control assessment)
7. Other competencies that were identified in the survey were organizational skills, change management skills, critical thinking, teamwork, and conflict resolution and negotiation skills.

Summary 

If you want to transition into a financial auditor career path, it is vital to understand the value of continually improving one’s skills and knowledge of various audit tools and techniques. These will help you to adequately address the risks that your organization could be facing. By developing your core competencies, you will be able to serve your organization better.

Get reliable audit support 

Increase the productivity of your current team without the hassle of sourcing, onboarding, and training a new resource. At D&V Philippines, we provide scalable solutions for firms and private companies across various industries.

Download your copy of our whitepaper, Audit Support Group Whitepaper, to learn how our premium audit back-end services can help keep your numbers in solid grounds.

This post was first published 2 October 2018  and edited 12 March 2021.
Edited by: Maria Katrina dela Cruz

Reading this article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.

Generally speaking, internal audit competencies fall into one of three broad areas:

1. Technical auditing or accounting skills;
2. Skills relating to critical thinking and business understanding; and
3. Interpersonal and communication skills.

While all three skillsets are important, in my experience the most effective internal auditors are especially good at the second and third areas.

In this article I'll explain what I mean regarding each of these areas and also give some hints and tips to help new internal auditors develop the required skills in order to become more effective. 

Technical auditing/accounting competencies

This first area is one where new internal auditors generally do well. Typically, they are up-to-date with the various technical areas (or are receiving training). As a result, they have a good understanding of the various accounting and auditing standards, as well as familiarity with a range of internal audit topics, including risk-based auditing, types of control, sampling and time (project) management. Depending on their previous experience and training they may also be up to date with cyber security risks and the latest thinking around areas such as lean internal audit and agile audit methodology.  

While the head of the internal audit department will expect you to have these competencies, being proficient in these areas will not, in itself, mean that you’ll add much value as an auditor. Certainly, from your stakeholder’s point of view (the “auditees”), your mastery in these areas will largely be invisible! The most important thing is to use these skills in a pragmatic way and to communicate your findings with management. (See below)

Competencies relating to critical thinking and business understanding

The competencies above involve reviewing processes and controls, performing testing, extracting data and identifying apparent anomalies. The skills in this second section involve building on the work performed and interpreting the information in a meaningful way.  

This is at the heart of what internal auditors do — interpreting the results of testing, to understand whether findings represent an actual control weakness or whether, for example, there are other mitigating controls which “plug the gap”. Where findings do represent a weakness, the auditor needs to be able to assess, in conjunction with business management (and the Internal Audit Manager), the significance of the weakness and its potential impact on the business.

a) Critical Thinking

It is at this point that a number of important factors come into play, including:

• The quality of management in the unit or area being audited. In other words, how credible are they? Do they demonstrate a considered approach to managing their risks, bearing in mind the costs and benefits? What has been the previous experience of internal audit with the managers involved? Do they have a reputation for integrity?  
• How long have they been in their role? New managers are generally more willing to acknowledge issues in their area (especially if they pre-date their arrival). Managers who have been in their role for many years can become defensive and less open with the auditors. 
• The organisation’s culture. It’s important to understand the way the Chief Executive and senior management react to control weaknesses. In some organisations the philosophy is “Get the issues out on the table, fix them and move on”, provided that the managers in question haven’t acted negligently. Other organisations may be more political or thrive on a “good news culture”, where managers may suffer in some way for highlighting problems or for weaknesses in their area. (In such organisations a negative audit report will not be welcomed).   

Experienced auditors have usually seen these types of behaviour before and so tend to adopt a healthy scepticism when they are presented with information that does not appear to be consistent.  

While the Institute of Internal Auditors (IIA) doesn’t give specific guidance on this topic, it does refer to the concept of “professional scepticism”.  This term is used in the accountancy profession and is defined as follows: 

“Professional scepticism is an attitude that includes being alert to, for example:

• Evidence that is inconsistent with other evidence obtained.  
• Information that calls into question the reliability of documents and responses to inquiries to be used as evidence.
• Conditions that may indicate likely misstatement.” *

*From the International Standard on Assurance Engagements, ISAE 3000, issued by the International Federation of Accountants for engagements on non-financial information.

Personally, I like the advice given by the Roman Emperor and stoic, Marcus Aurelius:

"Learn to ask of all actions, “why are they doing that?” Starting with your own… "

“Marcus Aurelius Meditations” – Book 10

b) Understanding the business

One of my roles involves carrying out External Quality Assurance reviews of internal audit functions on behalf of the Chartered IIA. As part of these reviews, the assessors typically interview a range of stakeholders across the organisation. Recurring feedback from both Executive and Non-executive management is that, in order to be a well-regarded internal audit team, auditors need to understand the business and provide meaningful challenge. I’ve actually had senior managers complain to me that audits do not always appear to be particularly rigorous or challenging enough!

To some degree, understanding the business comes with experience, although new internal auditors can always invest time, learning about their company and the industry sector in which it operates. It’s not uncommon to find internal auditors who reviewed the annual report and accounts and researched the company in depth as part of the interview process. However, now that they are in the job, they do not keep up-to-date with the organisation’s strategy or information released to shareholders on a regular basis.  

Interpersonal and communication skills

Good (internal) auditors are good communicators. At the detailed testing level, good interpersonal skills help the auditor to build rapport, explain what the audit is trying to do and put those being audited at ease. Being empathetic also encourages those being audited to open up to the auditor and raise any concerns that they might have.  

‘Auditees’ will naturally tend to be apprehensive, particularly in organisations where processes may not always be well-documented or adequately explained. This can cause people to worry that they may not be doing something correctly and that they will “get into trouble”. Good internal auditors make it clear that they are reviewing the process and controls, not the individuals who operate them. Strong processes should have a “failsafe” philosophy (i.e. proportionate mitigating controls) rather than simply relying on people remembering to do certain things.  

While it’s important not to forget the need for healthy scepticism (as discussed above), an open and friendly manner will usually help ensure a smooth audit process. Indeed, one of the best compliments I received about an internal audit team of mine, who had just completed a review in a South East Asian country, was: “they arrived as auditors and left as friends”.

When meeting more senior management there are a number of other techniques that can be used to help ensure that you are seen as a credible and professional internal auditor.  Based on my experience, the main ones are as follows.

Firstly, don’t be afraid to engage with senior management. Sometimes less experienced auditors discuss their findings in detail with lower level management (with whom they feel more comfortable), but are reluctant to engage with the departmental managers and above. This can result in time being wasted, because the auditor only has half the picture. An example might be a weakness in control in one unit, which is offset by a mitigating control (e.g. a review or reconciliation) that takes place elsewhere in the organisation. The clerk who the auditor has been dealing with may not be aware of this control, whereas the senior manager has more of an overview of the total process.

Secondly, try to take a more strategic view when talking to senior management and not get bogged down in too much detail. Senior managers are often inundated with information and so welcome a short précis of the issues. Crafting your message around several key headings, such as the following, can be very helpful:

• What did you find – what’s the problem?
• What’s its significance – why does something need to be done?
• What do you want the senior manager to do about it?
• What’s the benefit (for them) if they do?

Thirdly, it’s important to be pragmatic and to recognise that not all weaknesses will be fixed. Ultimately, managers are paid to manage risks and the auditor’s job is not to act as a “nanny”, forcing management to fix every weakness. Much will depend on the risk appetite, both of the organisation itself and also of the senior manager in charge of the area being audited. The key question is one of transparency:  If managers are accepting risks and choosing not to mitigate them, due to cost or other considerations, do they have the appropriate level of authority to make such a decision? Have they alerted the person that they report to? Has the risk been properly identified on their departmental risk register?

A final thought:  Internal Audit is about meeting the needs and expectations of your various stakeholders and adding value to the organisation. Stakeholders’ needs will not always be totally aligned with each other. However, the most successful internal auditors are aware of the differing needs/expectations and do their best to meet them.

Greg Coleman

After 25 years of experience in governance, risk management and audit roles for various multinational organisations, Greg now works as an independent consultant.  He runs a variety of internal audit training courses and is an External Quality Assurance reviewer on behalf of both the Chartered Institute of Internal Auditors and their French opposite number, IFACI.

What competencies does The IIA standards require of every internal auditor?

What are three competencies internal auditors must have to be effective in their role and why are they important?

What are auditor competencies?

What are the four principles as stated in The IIA Code of Ethics?