ISACA Now Blog


Internal Auditors:  So What Do You Do?

Ian Cooke, CISA, CGEIT, CRISC, COBIT Foundation, CFE, CPTS, DipFM, ITIL Foundation, Six Sigma Green Belt, Group IT Audit Manager, An Post
Posted at 3:08 PM by ISACA News | Category: Audit-Assurance

If you are an internal auditor, you can picture this scene because it has probably happened to you. You are at a party or some other social event and the conversation turns to work. Someone asks what you do for a living. “I work in internal audit,” you explain. What is that? You explain as best you can, but not everyone gets it. So you try and make your explanation easier to understand—probably too easy. And then someone says it:  “Ah, so it’s like internal affairs...”

Now, I do not know about you, but in every cop show I’ve ever seen, internal affairs are always the bad guys that investigate and get in the way of the good guys, who are busy trying to save the world. Is this really how we are thought of, and if so, how can we change it?

The Institute of Internal Auditors (IIA)[1] defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” I have to admit it sounds a little like internal affairs to me!

However, performing a quick Google search also throws up the following: “Internal auditors' roles include monitoring, assessing and analysing organizational risk and controls; and reviewing and confirming information and compliance with policies, procedures, and laws. Working in partnership with management, internal auditors provide the board, the audit committee, and executive management assurance that risks are mitigated and that the organization's corporate governance is strong and effective. And, when there is room for improvement, internal auditors make recommendations for enhancing processes, policies, and procedures.”[2] (The emphases are mine.)

So how can we work in partnership with management?

  1. Publish the Audit Plan in Advance
    Unless the element of surprise is a requirement for an audit, publish the audit plan as far in advance as you can. Yes, this means that management might correct things before you get there, BUT this is a positive—risk has been mitigated. This will be the case even if you subsequently cancel the audit.
  2. Tell Them What Standards You Audit To
    Unless there is a good reason not to, let management know what standards you are auditing to and what tools you will be using. Again, this may mean that they correct things before you get there, BUT once again this is a positive—risk has been mitigated.
  3. Have An Open Door Policy
    Let management know that you are available on a consultancy basis—especially for new initiatives. Yes, you will need to be careful with your independence, but you can most certainly discuss any regulations, laws, standards and tools that you would apply to any potential new initiatives. This can help management get it right from the outset. It also has the potential to save your company a lot of money—the alternative being altering a system after it has been implemented. Again, risk will be mitigated.

Each of the above may mean that you as an auditor will have fewer recommendations or findings. However, I would argue that this is a positive, because the risk has already been mitigated. It is NOT my job to have findings—it is my job to help reduce risk.

So what do you do for a living? I help IT management mitigate risk…

[1] “Definition of Internal Auditing,” The Institute of Internal Auditors Australia
[2] “What Is Internal Audit?,” Cornell University, University Audit Office

Comments

Auditors have KPIs or performance measures. It does not help if "No. of Audit Findings" is one of your KPIs.
KenChinSG at 7/27/2016 7:48 AM


Agreed. "No. of Audit Findings" should NOT be a KPI.
Ian Cooke at 7/27/2016 7:57 AM

Excellent Post

Thank you Ian.

We have certainly all struggled with describing our work/role.

You sum it up nicely, "So what do you do for a living? I help IT management mitigate risk".
Robert506 at 8/2/2016 9:02 AM

Nice Article

Thanks Ian,

I totally agree with the three pieces of advice on partnering with management.

Ashraf at 8/4/2016 12:00 AM

Ghost writer

I also like this statement: helping to mitigate risk. Recently I found one more: I'm a kind of ghost writer, helping you write down all the good ideas you had about your job; then I send it to the decision makers as a good story. YOUR story.
Marcin Maslowski at 8/26/2016 3:56 AM