IAM004 – 13 Mistakes That Internal Auditors Make

13 Mistakes
To quote Marshall Goldsmith from his book What Got You Here Won’t Get You There, “Almost everyone I meet is successful because of doing a lot of things right, and almost everyone I meet is successful in spite of some behavior that defies common sense.” Being successful not only means doing things well, it means not making big mistakes.

Here are thirteen mistakes that are common in Internal Audit. There are many more, but these seem to be the most common and the most devastating. I’ve listed them, but not in any particular order.


Failure to manage/educate the audit committee and management

I see this as the paradox of high-level businessmen – they know a lot, but they are dependent on those below them for details (especially new details). The members of the Audit Committee are busy and important, so we tend to limit what we share.

I remember sitting through an Audit Committee meeting where I wasn’t the Chief Audit Executive. The head of audit literally read his presentation word for word. I was quite surprised for two reasons: 1) He felt compelled to just read a document the board members had received days before, and 2) The board members allowed him to just read the document without giving them any additional information. There were no questions, no discussion. And it shouldn’t surprise you that this head of audit was not in the role for long.

So, what information should we share with the Audit Committee?

The Audit Committee needs to know four things: 1) Your progress since the last reporting; 2) the significant issues identified during the period; 3) the status of significant issues identified in prior periods; and 4) any outstanding risks left to be addressed by management.

Beyond that, you should use your time with the Audit Committee to provide them with information on the internal audit industry. For example, I recently shared a whitepaper on proxy communications regarding governance. I was able to tie this into a discussion about COSO 2013.


Not investing in training

Are you openly encouraging your staff to get additional certifications? Are you supporting them in getting their required CPE? Is that all you’re doing?

I can count on one hand how many times I’ve had a client tell me one of my auditors didn’t know how to audit. But there have been numerous times when the client didn’t feel the auditor had good business acumen. Business acumen is often overlooked in department training programs.

I’d like to quote Richard F. Chambers from Lessons Learned on the Audit Trail, “The average internal auditor receives roughly forty to eighty hours of formal training each year, which is not sufficient if you aspire to become a world-class internal auditor.” Then jumping ahead, “It’s not enough to be a continuous learner; we must also ensure we are learning the right things. Too many internal auditors concentrate on a narrow range of specialized knowledge, but to advance into internal audit management requires a deep understanding of a wide range of business and industry practices.”

Once per year, I bring my entire department together. This is not a small thing as I have staff in four different countries. We always include business acumen training during this week. For example, we will occasionally include a trip to an O&G museum (history, technology, terminology). I’ve also been known to buy books for my staff, including:

  • English Grammar Workbook for Dummies
  • Essentialism – The Disciplined Pursuit of Less


Not developing soft skills

This may be the single most career limiting mistake internal auditors make. Most of us are introverts by nature. Soft skills don’t come easy.

I remember when I was a young auditor going into my second employee appraisal. I had very high expectations as I felt I had been extremely productive that year. I had more than 2000 billable hours, which was higher than any staff or senior auditor at the firm.

My hours were briefly covered and then the managing partner started talking about how the clients felt about me. The gist was, I was cold and not friendly. I had a focus on the work (and only the work) that put a lot of people off. Fortunately, the firm was willing to invest in me. They sent me to the Dale Carnegie course. I highly recommend that course or something like it. But in the interim, I’ll give you the cheat sheet: Read the book How to Win Friends and Influence People by Dale Carnegie.


Micromanaging engagements

I took over an audit group as the Chief Audit Executive and upon reviewing the work from the prior year, I was struck by how few engagements the teams had completed. When I asked a manager about it, he told me how my predecessor wrote every report. Obviously, this caused him to be a bottleneck. But there was more…

His micromanaging every engagement led to a high attrition rate. His staff didn’t feel they were adding value, so they moved on. The attrition further reduced his effectiveness as he was constantly re-hiring.

I’ll admit that I am a recovering control freak. So, it does take me a while to let go. But I always make sure I’m on a path to delegate more and as my team absorbs what I’ve given them, I look for more opportunities to leverage their skills. It is a dance of trust and growth, each feeding the other.


Not doing enough planning

Imagine a surgeon walking up with you lying on the gurney and he asks, “What are we working on today?” I know I wouldn’t want to be the one on the table.

Are you doing the same thing with your client?

Engagement planning is such a critical part of the audit. I have made it a standard operating procedure for my auditors to spend sixty to seventy percent of the engagement time in planning. We expect the auditor to have such a solid understanding of the process and the planned procedures that the fieldwork is very surgical.

If the auditee knows the control is not effective, then the auditor shouldn’t be performing audit work. Instead, they should be performing a consulting engagement to help management get to the root cause. Don’t tell them what they know, help them fix it. This seems like a simple thing, but it takes slowing down and investing in planning.


Scope creep

If you’ve done proper planning, this is a lot easier, but it can still happen. Auditors will often flush out some rabbits. Many of those rabbits, we suspected we would find. But what happens when we flush out a big rabbit and it wasn’t on our plan?

At that point, you have three choices: 1) Ignore it (but not likely if the issue is big enough); 2) Scope it in (but only if it can be done within a reasonable budget tolerance); or 3) Document it and decide with the client where, when and how to address it.


Not getting and keeping client engagement

Here’s a question for you: When does an audit engagement end? Answer: Never.

If you’re only spending time with your client when you’re auditing that client, then you aren’t really engaged. Our clients have issues and risks to deal with each and every day. If you stay top of mind, you’ll have more opportunities to add value.


Not engaging upstream and downstream management

I was once documenting controls around inter-company billing. The process was relatively simple and corporate finance felt it was well established and documented. I went out to several of the field finance managers. One of the managers told me he was having to eat the intercompany costs because the support from corporate was not sufficient for his local partner to accept under their contract.

Something like this has happened to me more times than I can count. The client believes they completely understand the process only to find they didn’t know what went into the process before or after them. Once I’d engaged through the full process, I was able to communicate the entirety of it to them.

In documenting a process, I require my staff to track the full set of inputs and outputs to understand how they all interact. The end result is a product (flowchart and narrative) that helps everyone involved know where we stand.

As an added plus, the upstream and downstream management can often provide valuable insight when you’re proposing solutions to issues identified during the audit.


Phoning it in/Audit in a box

I started at a new company where I had existing staff in the US and the UK. Within the first few weeks, I flew out to our office in the UK. During one of my discussions with the local audit manager, he mentioned that local finance management didn’t buy in to some of the new controls pushed down by corporate. I met with them and discussed the pros and cons of the controls. I left the UK knowing that I needed to plan repeat visits.

Less than a month later, I received a call from a whistleblower. He told me he was calling because I was present. I was able to uncover a fraud event merely by being available and demonstrating I care.

The audit you’re doing is a huge opportunity to interact with people in the company. Putting boots on the ground gives you a better opportunity to learn about the business and build relationships. Those relationships are extremely important. Don’t phone it in.


Not properly using data

I was working through a fraud case and trying to understand how the fraud had been able to go for so long without detection. As it turned out, the Database Administrator (DBA) was a collaborator in the fraud. And he had always fed doctored data to the auditors to avoid detection. The auditors had completely relied on the DBA for data and as a result, they missed the fraud.

I’ve also seen situations where an auditor tested one item and concluded the controls were operating as designed. Some call it being lazy, I call it negligence. If you have data, use the data. If you use the data, make sure you do enough work to support the conclusion you’ve drawn. You can’t extrapolate results unless you’ve done enough work.


Massive audit reports

Nobody enjoys reading audit reports. So, why would you write War and Peace?

While you might not be able to get to the meat of an issue with a Twitter post of 140 characters or less, you should ensure your findings are clear and concise.

Reports from the best audit departments start with an executive dashboard that gives a full overview in a single page. The detail is in the back of the report if the reader wants it, but they can get to the core issues on the first page or two.


Shock and awe findings

I was talking to a CFO once shortly after the CAE had been fired. He told me that the final straw was an audit report and more specifically the CAE’s presentation to the Audit Committee. In his words, “He threw a turd on the table and just left it there.”

I’ve been in situations where the AC needed some shaking, but you can’t just present the problem without giving them a path to closure. And, when you do drop a bomb of that magnitude, you better be right.


Forgetting to add value

It seems counterintuitive. After all, adding value is a part of the definition of Internal Auditing. But many auditors can’t see the forest for the trees. They get stuck on the execution issues, and lose sight of the greater opportunity.

They look for the easy solution. For example, an auditor will conclude that an issue occurred because the staff were not properly trained and recommend training. Had they taken the time to do true root cause analysis, they may have come to see how the problem was something else entirely.

How many times have you started auditing an area and found issues management already knew about? Did that work add value? Wouldn’t it make more sense to partner with management to ensure all of your invested time and effort are adding value?


So, there you have 13 mistakes Internal Auditors make. Have you made some of these? What are you going to do to ensure you don’t make them going forward? Take some time to think about each of these. Then design systems that will allow you to avoid them.

I hope you enjoyed this episode. I would like for you to do me a favor. Please go to iTunes and rate this podcast. Your rating will help Internal Audit Mastery get noticed by others and reach more people. Thank you.


  1. Sheila Howard said:

    Great article!

    October 16, 2014
  2. Dusan said:

    Very good article and I absolutely agree to several points that you outlined and greatly appreciated for the new tips.

    October 17, 2014
    • allan said:

      Thank you, Dusan. I am hoping to add value to the Internal Audit tribe. If there is something you’re struggling with that I could cover, please let me know. We can all get better together!

      October 17, 2014
  3. Cihan Aktaş said:

    This article is very useful work and stated important points of common mistakes. Thank you!

    October 19, 2014
  4. Andries said:

    This is true!

    October 20, 2014
  5. Mohamed Alam said:

    Good article,
    I am really concerned about the massive IA reports sent to senior management and BOD following that might lose credibility of the contents I guess!

    October 21, 2014
  6. Alphonce Muro said:

    Thank you very much.
    My concern is about adding value. The argument that reporting an issue which is already known to management may not be adding value may be missing a very important point about getting the message across to other stakeholders outside members of Management. I consider issues like fraud may be known to the Management but they are still worth reporting so as others like Board may be alert and probably take necessary action.

    October 22, 2014
    • allan said:

      Yes, if there is fraud involved and management is failing to respond, the auditor should report it. I was referring to items that management is already addressing and therefore wouldn’t result in any constructive addition.

      October 22, 2014
  7. Farrukh Khan said:

    Indeed, a good article. Thank you for sharing.

    November 1, 2014
  8. Bert-Erik Saluveer said:

    A good article always leaves you thinking – this is certainly one of them! Fortunately I have kept some of these points in mind or learned them during time, but I also got new perspectives from this.

    November 7, 2014
