Modern Management


New skills for today’s internal auditors


By Brian Pye

Internal auditors are responsible for more than reviewing loan files, completing a wire transfer audit or assessing controls over investments. Today, they must have an effective relationship with their audit committee and supervisors, continuous training, and a short- and long-term audit plan that addresses their bank’s changing needs and risks.

An internal audit charter approved by the board of directors that defines the roles and responsibilities of the internal auditor is often helpful.

  • Communicating with the audit committee. Internal auditors should regularly prepare reports for their audit committees, both formally through regular meetings and informally through phone calls or email. Prepare for scheduled meetings by providing the committee with an agenda and a packet of audit reports, a status of work plans, or relevant industry articles and information beforehand.
  • &nbsp

  • Communicating with management. While auditors need to remain independent and objective, they also need to maintain a relationship with management to create effective reports. To gather the necessary information, auditors may need to solicit feedback from management in developing an audit plan, talk to the appropriate management groups at the start of the audit, provide a status update throughout the audit, and schedule an exit meeting with management to communicate the audit’s results. Also consider including the management’s responses in the audit reports—this is a good way for all the report’s users to understand the management’s feedback.
  • &nbsp

  • Well-rounded skills. The most successful audit departments provide ongoing training to develop audit proficiency, key technical skills and industry knowledge of their staff. They also usually have a supervisor who conducts work paper reviews, surveys from management of completed audit areas, and a periodic assessment of audit staff. This work can help determine the specific staff training needs. Independent external assessments also can ensure whether certain standards of organizations like the Institute of Internal Auditors are maintained.
  • &nbsp

  • Short- and long-term plans. Most internal audit departments will prepare a three- to five-year audit plan that is updated annually based on the results of a formal risk assessment. Ideally the audit plan should be developed after a strategic planning session. That allows the audit to address identified operational and strategic risks. When developing audit plans, consider conducting a risk assessment that reviews the risk of fraud. An individual audit plan should also be prepared before initiating any audit. An engagement letter is an effective way to formally communicate the scope of an audit.

Brian Pye ( is a principal with the specialized advisory services group with CliftonLarsonAllen LLP, a public accounting and consulting firm based in Minneapolis.