If you read about the latest trends in internal auditing, you will find many articles about agile
auditing, robotic process automation, artificial intelligence and other technologies aimed at
improving the effectiveness and efficiency of the internal audit processes.
The world is constantly changing, requiring continuous professional development, with focus on
areas such as cyber security, privacy regulations, cloud-based solutions, and emerging
technologies.
But behind the technology and in the ever-changing environment, an internal auditor is needed
to interpret the information, analyse it, highlight risks, and consider how to improve controls or
processes.
The definition of internal audit by the Institute of Internal Auditors states that "internal auditing
is an independent, objective assurance and consulting activity designed to add value and
improve an organisation's operations."
Root cause analysis plays an important role in deciding how to improve controls or processes.
Recommendations should address the root cause of the identified weakness or inefficiency, not
just the symptoms, and this can be a dilemma for internal auditors. You need to speak the truth about
risks and control failures, possibly upsetting your client and management, and becoming
unpopular in the process, thus bringing us to the question: are you brave?
According to the Oxford dictionary, brave (verb) means to endure or face (unpleasant conditions
or behaviour) without showing fear.
Being an internal auditor can be one of the most difficult roles in an organisation. You need to
ask difficult questions and have uncomfortable discussions with clients who might take it
personally.
You need to maintain a level of professional scepticism (the conduct involving a questioning
mind, being alert to conditions which may indicate possible misstatements due to error or
fraud, and a critical assessment of audit evidence), even with colleagues. An internal auditor
must be able to tell the stakeholders, whether it is the top management or the Board, what it is
that is putting the organisation at risk – and it can be hard to do. Pointing out control failures
can be hard, especially if the same opinion is not shared by the client.
Internal auditors must be able to speak out and tell the truth if they want to be effective, even
at possible great personal risk.
They must be willing to face unpleasant behaviour, without letting it
discourage or deter them from the task at hand.
What can you do to be bold when needed, or to endure? Internal auditors need to be honest,
diligent, and have strong moral principles. The integrity of internal auditors establishes trust
and thus provides the basis for reliance on their opinions.
Build trusted relationships with your clients. Trust is important in relationships. The clients must
be able to believe what you are saying and rely on your opinion. Listen to the views of your
client, consider their inputs, and show mutual respect.
No surprises. Do not surprise your client, especially relating to failures, in front of others.
Discuss identified control weaknesses or deficiencies openly and come to an agreement on the
way forward.
Internal auditors are required to perform their tasks prudently, with diligence and professional
care, making sure their opinion is supported by facts and evidence.
They must act in the best interest of their organisation and in line with their moral principles.
Be brave!
Marilize van Schalkwyk is an Information Systems Auditor at the Government Institutions
Pension Fund. The views expressed in this article are her own and do not represent those of her
employer.