Why We Need a New Kind of Internal Audit Professional

Article

November 20, 2024

Why We Need a New Kind of Internal Audit Professional

The world today is moving at a rapid evolution and interconnectivity space, as the role of internal audit changes dramatically. Today, the notion of the internal auditor being solely a compliance monitor or financial overseer is soon to be extinct. Today, they are expected to be strategic advisors who can identify emerging risks, provide actionable insights, and help the organization make its way through the maze of increasing risk complexity.

To fit into these expanded expectations, internal auditors must become more holistic professionals with a broad interdisciplinary knowledge base matching the intellectual versatility of ancient philosophers.

This is a pivot to the professional approach, which couldn’t be more important or urgent in an era where the call for over-specialization is loudly voiced. Narrowly focused experts risk overlooking key broad-based perspectives that can teach an organization a lesson in vulnerability to emerging threats and lost opportunities. It is now time for companies, institutions of learning, and professional societies to fundamentally rethink how they develop and hone internal audit talent.

The Disadvantages of Over-Specialization

For years, over-specialization has dominated many organizations. Employees are encouraged to become experts in a certain domain, such as finance, IT, or compliance, whereas the broader and interdisciplinary knowledge often goes unappreciated. However, though the model fosters deep expertise, there are considerable limitations in this model.

Take, for example, cybersecurity. Many organizations have cybersecurity experts who are capable in managing firewalls, encryption, and intrusion detection. However, these same experts do not have an appreciation of how cybersecurity intersects other business areas, such as supply chain management or regulatory compliance. This narrow focus creates blind spots that expose the organization to hidden risks. The SolarWinds cyberattack of 2020 is a more concrete example. In an attempt to infiltrate thousands of companies and government agencies, the hackers attacked the software update system at SolarWinds. Because most organizations focused fully on securing internal systems, the attack had gone undetected for months, since most have overlooked the dangers brought forth by third-party vendors. This goes to show that a more holistic view – one that takes into consideration all forms of internal and external cybersecurity risks – could mitigate such an impact.

Another consequence of over-specialization is how it manages environmental risks. In September 2024, Hurricane Helene ravaged North Carolina’s coast and destroyed an International manufacturing plant responsible for over 50% of the U.S. supply of IV fluids. While the company was prepared for contingency operations, it wasn’t fully prepared for cascading supply chain and healthcare impacts from an extreme environmental disaster.

Perhaps a better realization of environmental risks and their supply chain consequences could have helped make the necessary plans.

The Strength of a Holistic Perspective

In contrast, a more integrated approach would allow professionals to “connect the dots” across the different domains of finance, technology, risk management, and environmental sustainability. Consequently, it offers a more integrated view of organizational risks and opportunities.

This is a way of thinking that can only be compared with intellectual versatility found in the masses, philosophical thinkers of yore, such as Aristotle and Pythagoras, who excelled in several diverse fields, which ranged from mathematics, ethics, and politics to astronomy. Thus, these thinkers knew that proper critical thinking requires wide-ranging, interdisciplinary knowledge-a message equally valid today as it was in antiquity.

The holistic mindset helps internal auditors to look out for risks that may have otherwise remained hidden. Example:

• Supply Chain Resilience: Local companies reliant on single international suppliers took severe blows by the COVID-19 pandemic when it crippled global logistics networks through its lockdowns. Organizations like Nike and HP, however, diversified their supply chains, using real-time data analytics to keep track of their inventories. Having been attuned to a holistic knowledge of supply chain dynamics with supplementation by data analytics, these companies quickly adjusted their offerings in response to changing consumer needs.

• Activities in Context: Cybersecurity involves the protection of IT systems, but also the protection of an organization’s reputation, regulatory compliance, and operational continuity. Here, the holistic auditor would evaluate not only the technical controls but also the cybersecurity risks for their interconnection with third-party vendors, a case well represented by Solar Winds-regulatory requirements under GDPR, among others, and business continuity planning.

• Environmental Sustainability: Climate change presents several risks, from the disruption caused by extreme weather events to regulatory changes likely to have an impact on long-term objectives of sustainability. A holistic auditor will lobby the assessment of direct environmental impacts against how these risks impact supply chains, customer relationships, and strategic goals.

The Pressing Need for Change

These examples—and many, many more—mean that organizations can no longer count on specialists working in narrow silos. In today’s complex risk world, organizations need professionals who can think across disciplines while remaining deep in key disciplines such as data analytics and cybersecurity.

The question remains: How is this new professional to be developed? This will be the collective work that companies, educational institutions, and professional organizations undertake in order to bring about a change in how these attitudes of interdisciplinary learning and critical thinking are fostered.

1. Cross-Functional Training in Organizations

The business organizations should break down the silos by providing cross-functional training to the internal audit teams. For instance, auditors should be allowed to undertake rotational roles in IT, finance, and operations so they are better equipped to understand the interdependencies in organizations.

Moreover, companies should invest in continuous learning initiatives in the emerging areas of AI governance and ESG reporting. A culture of lifelong learning combined with cross-discipline collaboration can help organizations prepare for the job ahead for internal audit teams.

2. Professional Organizations Must Evolve

Organizations such as the Institute of Internal Auditors, the Association of Certified Fraud Examiners, and the Information Systems Audit and Control Association not only shape the profession but also provide professional education in internal auditing. Certification programs provided by these organizations currently should be strengthened by incorporating interdisciplinary coursework in areas comprising, among others, data analytics, environmental sustainability auditing, ethics in AI applications, and agile risk management.

Secondly, more emphasis should be given to mentorship programs, where experienced auditors are able to guide and support new professions through various challenges, developing the depth and breadth of their expertise.

3. University Curriculum Reimagined

Traditional internal auditor academic pathways focused on either accounting or IT don’t serve the internal audit professional of today, much less the professional of tomorrow living within an increasingly complex and ever-evolving risk environment. Universities must adapt and begin offering interdisciplinary programs that include finance, technology, environmental science, business strategy, and even philosophy to prepare students for future complexities.

The Time to Act is Now

The future of internal audit largely depends upon embracing a new breed of professionals, manifestly those highly expert in key domains like cybersecurity and data analytics, complemented by broad, interdisciplinary knowledge of finance, environmental sustainability, and business strategy. This shift is not important, but a very urgent need derived from risks becoming more complex and interconnected, organizations need professionals who can look at risk holistically and have strategic foresight. These holistic professionals will be developed through interdisciplinary corporate learning, the adaptation of certification programs, and a rethink of educational curricula. They will help businesses navigate uncertainties but simultaneously drive meaningful strategic impact. The time for action is now. Business leaders, educators, and professional organizations must champion this transformation before it’s too late.

Sources: