Should Your Internal Auditor Be a Subject Matter Expert?
A financial institution’s internal auditor does a lot more than review financial documents. They are a risk management fact checker—someone tasked with independently, objectively assessing the effectiveness of controls. The role of an internal auditor is to assure the board and management systems are working as they should and highlight areas where there are deficiencies so improvements can be made.
Financial risk is just one of the areas requiring internal audits. Risk processes and controls are used in every area of the institution, including compliance, IT, operations, marketing, BSA/AML, business continuity, and lending, among others.
Does that mean your internal auditor needs to be a subject matter expert in each of these areas?
The answer is no. It’s more important to have an internal auditor who is smart, independent, and a strategic thinker than one fluent in regulatory compliance or marketing.
Objectivity is more important than expertise
Objectivity is one of the main assets of an internal auditor. As the third line of defense, the audit function exists to check the work of others to assure everything is functioning as intended. They are a set of fresh eyes, drafting findings and recommendations to show where improvements are needed.
To do this, an auditor must be independent and uninvolved in creating or running the business lines and functions being audited. They shouldn’t enter an audit with preconceived notions of how the business line or function should be structured or expectations of what they will find. If internal auditors are personally invested in the project or the people responsible for their project, it may color their perceptions and introduce bias.
That doesn’t mean internal auditors shouldn’t be familiar with these areas. Auditors benefit from general training in areas like compliance and risk management. They should be familiar with major regulations and regulatory changes, but they don’t need to be experts or involved in the specifics of the financial institution’s programs. There are also solutions with built-in audit templates designed for financial institutions to make the process easier. Ongoing training that addresses emerging risks is also valuable, helping them understand how risks are evolving.
Skills of an internal auditor
Many internal auditors come from an accounting background. It’s a useful skill set since their job typically involves a variety of financial documents, but it isn’t always necessary. It is necessary to have a strong foundation in audit.
Auditors are professional skeptics. Rather than take information at face value, their job is to probe for inconsistencies and oversights. They need the ability to evaluate risk controls and functions. They aren’t afraid to ask hard questions or uncover an error. A smart auditor will quickly learn to fit the pieces together—and report on the missing ones.
In the event an internal auditor has questions, financial institutions have subject matter experts on hand who can lend a hand. Best practice suggests using mid-level experts instead of department heads. Mid-level experts are less likely to view an audit as a referendum on their job performance. That makes them less likely to be worried about finding errors and weaknesses.
While in-house experts can provide insights, they should not lead the audit. They are not trained internal auditors and lack the background and knowledge to determine audit scope or procedures.
Instead of looking for an auditor who is a master of each area they’ll be auditing (a near impossible goal for most institutions), it’s far more valuable to find one who is a strategic thinker. A good internal auditor is capable of analyzing information, seeking out additional information if needed, and determining how accurate and trustworthy the information is.
Have more questions about how to structure audits? Check out our blog post Does Your FI Need an Audit Committee?