Five Things Internal Auditors Should Be Thinking About and Acting On (More Often)

Hal Garyn is an internal audit/risk management and governance leader and an Internal Audit Beacon Award recipient.

As internal auditors, we are a busy group of folks. There are not enough hours in the day and not enough dollars in the budget. But are we maximizing what we have available to us in terms of hours and dollars, or are we running on the same treadmill, feeling like we are making progress but not really going anywhere while expending lots of energy? Here are five things for you to consider, as you take a break between treadmill sessions. 

1. Invest in relationships 

When it comes to money, we know we have a choice: We can spend all the money we have today, or we can invest some of it for future needs. We know it is wise to invest for the future, but we also know there are things we want and need today. How we spend our time is a lot like that. We can put our heads down and execute the audit plan … project, after project, after project. Spend, spend, spend. We got the plan done, but at what cost? While we were grinding away, we did not invest in the future because we didn’t take time out to work on relationships.  

Relationships are key to our long-term success, and they generally make the job better, more engaging, and fulfilling. But those audit projects and that annoying audit plan keeps screaming at us and - even with good intentions - we fall into the trap of neglecting to invest in relationships to get the audit plan done. Some consider this a focus on the “tyranny of the urgent,” meaning we prioritize what feels urgent even if something more important gets ignored or delayed. 

Add on top of that all the remote working and we become what I would call “transactional” – executing projects - and much less “relational” in the approach to our important work. In the end, internal audit needs to be “relational” if it is going to avoid many of the negative stereotypes that persist and have long-term success in any organization. You can’t keep your finger on the pulse of the organization if you are not constantly checking on the vital signs of the company by talking with others. Yes, the work gets done, but internal audit is about a lot more than executing projects (as important as that is). 

So, what to do when you suspect or know you aren’t investing in relationships adequately? Start by auditing your calendar. Over the last few months, how much time have you spent on strategic relationship building? If it is less than 10 percent, it’s time to ramp that up. Be strategic in how you go about relationship building and relationship management: I believe it should make up at least 20 percent of your time over the long-term (remember that 80/20, Pareto Principle!) One idea for those who are working a good portion of their time remotely: Treat your in-office time as “relationship building” days. Keep your head down more when out of the office, and up more when in the office. 

2. Invest in professional development 

Many people have the benefit of their organization paying for, or defraying the costs of, professional development. And that’s great! But your professional development belongs to whom? That would be you. The company benefits from your professional development while you work for that company, but that knowledge walks out the door if, or when, you do. 

Unfortunately, we don’t always look at our professional development as an investment in ourselves and, consequently, we don’t do what we might need to do unless the company will pay for it. Is there some certification, certificate, technical course, and/or skills training that you have had your eye on, and know it’s what you should do, but the company says things like “no, not this year, it’s not in the budget” or “can you write up a justification for why you need that, since it’s not in the plan” or other such stuff? 

The worst scenario - and we are all guilty of it to at least some degree - if we are looking to maintain professional certifications, is chasing free webinar CPE. I equate this to gorging on the high calorie, little value food items at the buffet. You get filled up, but was any of it really all that good for you? Ask yourself if you are accomplishing much from an educational or professional development standpoint as you load up your calendar with free one-hour CPE. (I do it, so I know you do it too). 

Have goals in mind with your professional development plan, seek out what will get you what you need to advance your career in the direction you want, and then pay for as much of it as you need to if you must. In the end, you are investing in yourself and your staff and, with the right strategic investments, you will reap huge dividends in the years to come. 

3. Leverage co-sourcing wisely 

We all know that, per industry standards, we should be establishing a “risk-based” audit plan. But if we are truly considering all the risks the entire organization faces and incorporate that into a comprehensive enterprise-wide risk assessment, the resulting audit plan would be diverse in types of projects, in complexity of projects, and in needed skills and competencies to execute the projects. 

That diversity is where challenges set in:  Do we not do certain projects that should be on the audit plan because we don’t have the skills/competencies to do them? Do we pursue training and development opportunities to “upskill” where needed to get the projects done? That’s a great option, but that takes time, and might not always be very cost-effective. Do we contract with third party resources to help supplement our existing talents, to bring in the needed skills/competencies, also known as co-sourcing?  

The challenge most internal audit functions face is that there aren’t sufficient dollars in the budget to co-source to the level you probably should. And managing co-sourced resources effectively can be complicated: It’s hard to manage quality control sometimes. In essence, you need a competence in managing third party resources brought on to supplement your staff. 

Our charge is to develop and then execute a risk-based audit plan. Make the case for co-source dollars, build it into your budget, develop the competence to manage these resources, and improve the value you are adding to the organization and your audit committee. We don’t do enough co-sourcing as a profession. 

I challenge you to establish at least 20 percent of your audit plan to be co-sourced, maybe much more. (See, I did say I liked 80/20 rules.) 

4. Treat in-office and remote work differently 

Internal audit is often criticized for two characteristics:  Not knowing enough about the business and taking a “gotcha mentality.” Maybe not fully deserved, but perception is other people’s reality. Before remote work became so commonplace, going into an office created better chances to get to know colleagues across the organization informally and interact more personally, and for them to get to know you. We are not such bad people, right? But being out of the physical workspace more frequently changes the dynamics.(Sorry, electronic communications are not the same in terms of developing, maintaining, and sustaining relationships.) Out of sight can mean out of mind, except when an audit is occurring. And then the “client” just wishes the audit were over and you would go away and leave them alone. 

Out of sight, out of mind can result in those negative perceptions becoming more real for people who do not see you as often, and/or do not see you on a more personal level other than the direct interaction during an audit. It is all about relationships. 

While remote work is not completely going away, more organizations are expecting employees to spend time physically in the office. The challenge I am witnessing is that there are not clear distinctions between the work people are doing in the office versus when they are working remotely. People are treating the time, regardless, of the location, similarly. Yet, in office and remote working lend themselves to quite different opportunities, if approached wisely. 

My suggestion is to treat remote work as a time to be as efficient as possible. Head down, execute audit projects. Treat in-office time as an opportunity to focus more on effectiveness. Meetings with staff, personal chats, and relationship-building in general. Remote work can and should be tactical, and in- office work can be more strategic.  

5. Acknowledge you are not objective and, consequently, biased 

Think back to the day when you were brand new to your current company. You were the new hire, regardless of the level you joined at, and everything around you was brand new. Not only were you a veritable sponge taking everything in with fresh eyes, but you also were like the typical four-year-old asking incessant questions. You had no base of knowledge and were curious about why things were the way they were. Another way to look at this is that you were completely objective, as you had no existing frame of reference for the current organizational context you were new to. You see this in most every new hire you bring on, and it is a good thing. 

Fast forward to today, and consider the amount of tenure at the same organization you may have. Are you accepting certain things as being the way they are because, well, that’s the way they are? We don’t even realize through conscious thought that we are not exercising the same level of critical thinking we might have employed years ago when we were new to the organization. And then, when the new hire you just brought on asks all those innocent questions, you respond with a … “well, that’s the way things are around here” or “hmmm, that’s actually a great question.” Uh oh, blind spots! 

Guess what, you have just confirmed you are no longer completely objective. The longer you work for the same company, the more unconscious bias creeps in. It’s not necessarily a terrible thing most of the time, as you know how to navigate the organization, its culture, norms, and protocols. Things become second nature. But it also does introduce blind spots, and our unconscious awareness impacts our conscious thinking: We are consequently not completely objective. 

Additionally, I run into too many internal audit professionals who wield their objectivity around like a sword, vanquishing the enemy of doing anything operational for their organization. I find this to be a little short-sighted. Yes, preserving our objectivity is important, but not to the detriment of the organization. If you, or your team, are the best available resources to do something, then do it. You can manage the objectivity issues that might arise separately later. (Much more could be said about this, but don’t fall on this sword too often, the result might be near fatal over the long-term). 

So, experience erases objectivity: Try to be cognizant of it and to look at the organization as if you were a new hire. 


While the list of things we could do more of, and think more of, is longer, these are considerations for you as you get on with your busy day, regardless of where the physical location you call work is. Quite simply, invest more in relationships, invest more in professional development, co-source more, treat your remote and in-office work differently, and recognize you are not completely objective (no one is). 

We are members of a very noble, and very demanding, profession. Make the most of your time in the role, whether it is a stint or an entire career. 

Internal Audit

Fill Out the Form to Access On-Demand CPE