What kind of internal auditor are you?

One of my audit committee members once told me that when he thinks of a model internal auditor, he thinks of me.

I wasn’t sure how to take that!

I know he meant it as a compliment, but while my business card might say that I was in charge of the internal audit function, that wasn’t how I saw myself.

I saw myself as what Richard Chambers has coined, a Trusted Advisor, but more than that. I provided assurance that the system(s) of internal controls were sufficient to maintain the more significant sources of risk to enterprise objectives at desired levels.

Yes, that’s a mouthful. But each part has meaning:

• I didn’t provide assurance on the actual achievement of objectives. Who can, given that good fortune is often needed? There is too much uncertainty beyond our control.
• I provided assurance on the effectiveness of the system(s) of internal control.
• The measure of effectiveness was reasonable assurance. Not perfect assurance, as that is not possible. (See COSO ICF.)
• It was reasonable assurance related to the more significant risks to the achievement of enterprise objectives. Not business unit or functional objectives; enterprise objectives.
• Those more significant sources of risk should be…