The biggest secrets to being a great internal auditor in 2024 and beyond

woman pointing at computer while writing something down

Two score ago (would we know what a score is if it weren’t for Abraham Lincoln’s Gettysburg address?), I began my internal audit career without knowing exactly what an internal auditor did, how they did it, or what were the keys to success. Heck, I didn’t even know it could be a career. Like many, I kind of stumbled upon it, and stuck with it… in hindsight, it was a darn good choice emanating from a stroke of good fortune back then.

Internal audit has changed a lot since my staff auditor days in 1982, and I, hopefully, have evolved with the profession, and even, perhaps, stayed a step or two ahead. If not in action, at least in thinking about where the profession needs to go, and how to strive to get there.

Why the self-reflection to start this article? Well, what made an internal auditor successful has changed a lot in many respects. Long gone are the days where everything was done manually, audits were done cyclically, and goofy things like stop and go samples were the norm. And, what you need to be good at, as a result, has changed dramatically. (Columnar paper, Pentel pencils, and “ACCO” fasteners, anyone?) Change that has all been for the good.

I was reading the other day of a project that The IIA is embarking on entitled Vision 2035, an effort to predict what internal audit will need to be in 2035 to set the groundwork for the efforts to get from where we are to where that prognostication says we’ll need to be. It made me wonder. As we are trying to predict what the profession would need to be in 2035 (12 years), if we were to flash backwards 12 years, to 2011, would we have predicted 2023 right? Maybe yes, maybe no.

So, let’s shorten the time horizon. What are the keys to success for being a great internal auditor now (2023), and maybe for the next five years… what’s the “secret?” This will not be a list of the obvious, you can read about the obvious in other places. These will be some special secrets… just between us (smile).

Secret 1: Be adept at developing and sustaining relationships REMOTELY.

We all know that internal audit is most successful based on the strength of its relationships throughout the organization. If they know you, there’s a much better chance of trusting you. The likelihood of you, as an internal auditor, really knowing what is going on (both during and outside of audit projects) is because of the trust factor you’ve built-up from having worked hard at relationship building. All (OK, many) of those methods, processes, and habits we honed over the years at building and sustaining relationships were thrown out the window sometime in early 2020 when the pandemic rapidly accelerated a nascent trend toward remote working. Now, most everyone spends some percentage of their time working remotely. For most internal auditors I hear from, it is between 30 to 100 percent of the time being remote. That change does not negate the importance of relationship management, but it sure makes it harder. Those that will be successful as internal auditors will master developing and sustaining relationships remotely, making it second nature for them.

Secret 2: Be good at predicting where technology will be leveraged by your company, and its business sector, and staying ahead of the game.

Companies have been evolving for more than 30 years to the point where most are technology companies delivering a certain product, and those companies that don’t “control” the technologies that are the keys to their success are outsourcing those technologies to third parties. And technology continues to evolve at faster and faster rates. Take customer service, automated phone screening, self-service on the web, and chatbots, let alone where AI will take us, as examples. They have made connecting with a real person nearly impossible at most companies, and artificial intelligence might completely disintermediate live agents entirely. You don’t have to be a technologist as an internal auditor, but you do have to have a sense of what technology does for your company and the trajectory it is on at not only your company, but within your business sector. Key relationships for internal audit’s success will be with the people who are behind the technology that drives your business model, and if you can’t talk with them on their terms then you can’t develop relationships with them. They won’t want to spend time talking to you and will view internal audit as nothing more than a nuisance. What to do to differentiate yourself? Be viewed as the internal auditor who truly understands how the business uses technology now and will in the future.

Secret 3: Be viewed by your audit clients as a businessperson first, and an auditor second.

I’ve said it many times before, and you’ve heard it too if you’ve been in internal audit long enough… the lament that internal audit “just doesn’t understand the business.” Whether or not that’s a justified complaint in all circumstances is, of course, highly debatable. But, if that is the perception of your audit clients, then that is their reality. And, if that is their reality, then that is not going to get you a seat at their tables when you should probably be present. We don’t need to belabor this one much. If your audit clients view you as an auditor that doesn’t understand the (or their part of the) business, then you are not going to be as successful as you could be. So, it doesn’t matter if it is perception or reality, you need to change something. Be viewed as a businessperson first, and an auditor second.

Secret 4: Fully embrace a root cause analysis mindset.

We sometimes, as internal auditors, can be faulted by telling people the “what” (what was not being done the way it should be, and what we think should be done about it), without really getting at the “why.” And our initial thoughts as to why some negative condition exists is usually not the real reason why. That’s, as we all know, where root cause analysis comes in. But, even if your audit function has not formalized anything around root cause analysis, that should not prevent you from adopting the mindset. Fixing the root cause has a better chance of the condition(s) being observed not recurring and is more strategic in nature. It’s the way leaders think, it’s the way your CAE should be thinking, and it’s the way you should too. Asking why a lot is not a bad thing!

Secret 5: Be strategic in your professional development choices.

Many internal audit professionals are blessed that their company will financially fund some or all of their training and professional development, as well as afford time away from the job to complete it. Yes, one could argue that that is appropriate because the company you work for benefits from that training. But also keep in mind that if you leave the company, the knowledge stays with you. If you want to pursue something from a professional development standpoint that your boss or your company won’t support, do it anyway out of your own pocket… it’s your professional development and an investment in YOU! And, in the end it’s your career that is at stake. It is very frustrating to me to see people loading up on free webinars to “get their hours in” but they don’t really learn much (if anything). Sure, there are good free webinars, and some are perfect for your needs but, like dessert at the buffet, make free webinars part of your development plan and not the whole meal. Bottom line, know what you want from your career, and align your professional development activities to get you where you want to go. Again, it’s YOUR professional development. Be strategic about it… and differentiate yourself from the pack.

Secret 6: Provide your CAE with intel on things they need to know, but maybe don’t, about what’s happening in the organization.

Intel about what is going on in the organization, both formally and, sometimes even more importantly, informally, can be the life blood to internal audit’s success. Yes, putting your head down and getting the audit plan done is part of the job, but if you never look up and take in what’s going on around you, you will miss out on much. Do that for too long (the looking down part), and the organization moves on without you. So, your CAE probably is extremely well connected and has a good finger on the pulse of the organization, but that does not mean they are in the know on everything. And, in the “executive” level the CAE circulates, there may be a lot of mid-level and grass roots things that they should know, but don’t. You can be a key piece of information flow for your CAE if you have developed a good network in the organization and have your relationships well established. Now, here’s the tricky part, but is a key element to your continued success in internal audit: what do you learn as you go about your activities and conversations, that you both believe the CAE doesn’t know AND, here’s the critical part, it would be important for them to know. Not easy to read those tea leaves, and you don’t want to go running to your CAE with every little tidbit of information you pick up, especially if it is informal. But, with experience, and having a good read of your CAE, you can add tremendous value by catching them up periodically on the things you are “hearing.” And, as a result, be indispensable.

Secret 7: Be the internal audit staff member everyone likes hanging out with.

OK, this one you’ll need to hear me out on. I know many of you will immediately think that it is more important to be respected than to be liked. But let’s assume that you are already respected. So, internal audit is sometimes, but rarely is it ever solely, a one-person activity (unless you are a one-person department, and it is all on you). You will work on teams to get projects done, whether they are assurance or advisory projects, and the people on each project team may change from project to project. So, do you want to just respect the rest of your audit project teammates, or do you want to like them too? If so, and I am assuming that it is so, then don’t you want to be one of the ones that is liked? Now, that doesn’t mean silly things like faking it, or buying people gifts or things, it just means being you and being likable. I mean, do you want to get the, “oh, not Bill again” reaction, or the “awesome, Sally is on our project” reaction. And work is supposed to be fun, so it is always more fun being around likeable folks. So, be one of them. Regardless of what people who aren’t internal auditors think, it can be, and is, a fun job. And, if you are good at what you do, AND likeable, it’s a great job to have.


So, you’ve got all the requisite technical knowledge. You are as intellectually curious as all your other colleagues. You got your college degree and you’ve passed several certifications. And yet, you wonder, why am I not more successful in this chosen profession of internal auditing. You have listened to and read material from all the other “experts” out there about what you should do, and things are just not happening for you at the pace you expected. Should you just give up? If you like what you are doing and not getting the recognition you think you deserve, the answer is… no. Don’t give up.

Rather, tap into these “secrets,” and differentiate yourself from the crowd. If you are good at: developing relationships remotely, anticipating how your organization can and should use technology advancements, understanding the business, leveraging root cause thinking, strategically mapping out your professional development, being a source of intel for your CAE, and being a likeable person, you will be notable and noticed, and different than your peers, who are all trying to get ahead… just like you!

Trust me, you will stand out if you heed this advice. No thank you needed (smile). It will be our little secret.

Hal Garyn is an internal audit/risk management and governance leader and an Internal Audit Beacon Award recipient.

Hal Garyn


Hal Garyn



Learning areas