Non-auditors in the internal audit function: better practices for successful implementation

Gijs Hendrix; Jack Wai; Judith Tjin A Sioe; Martina Hener-Schaminée; Wim Ottema

doi:10.5117/mab.94.48602

Abstract

To bring a high level of expertise on-board Internal Audit Functions (IAFs) increasingly include persons that are not trained as auditor in internal audits. These non-auditors (rotational auditors, guest auditors or subject matter experts) function as part of the IAF for a specific period. This practice ensures the IAF has the expertise and skills required to meet today’s challenges of organizations and their IAFs. However, it provides (professional practice) challenges as these auditors usually have limited experience and knowledge around internal audits and might be conflicted in their objectivity and independence. This article provides better practices to optimize the use of non-auditors and mitigate its risks.

Keywords

Internal audit, internal auditing, guest auditors, rotational auditors, subject matter experts, better practices, non-auditors

Relevance to practice

This article shares better practices regarding the use of non-auditors in the IAF, proven methods that can be used to optimize the use of non-auditors.

1. Introduction

The purpose of this article is to share better practices as described in literature and actually experienced regarding the use of non-auditors in the IAF, practices that will support IAFs to both mitigate the risks around using non-auditors and maximize the benefits of using non-auditors in the IAF. Better practices are real-life examples of the recommended protocols put in place to get the best out of non-auditors and ensure their valuable inputs contribute to the objectives of the audit function without compromising the quality of the audit process and its outputs.

First definitions are provided of (the different types of) non-auditors. Afterwards we present advantages of the use of non-auditors and identify three main topics of interest in the use of non-auditors in the IAF (section 2). The topics have been identified by studying academic literature, the International Professional Practices Framework (IPPF) of the Institute of Internal Auditors (IIA) and input gathered during a IIA Netherlands’ Committee of Professional Practices (CPP) event held in November 2018. During this event 24 professional practice representatives of IAFs discussed their experiences with non-auditors in internal audits. The design of this research is shared in section 3. Better practices for each of these topics are provided based on interviews conducted and a study of literature (section 4). Conclusions and limitations are provided in section 5.

2. Literature review

2.1 Definitions

2.1.1 Definition of non-auditors

Neither literature nor the IIA’s IPPF provide a clear definition of the concept of non-auditors. Therefore, we developed definitions to be used in this research based on the project groups’ experience in the internal audit field and validated these with part of IIA Netherlands’ network of internal auditors responsible for professional practices (during a IIA Netherlands’ CPP event held on the 8^th of November 2018).

Prior to defining a non-auditor it is considered what defines an auditor in the context of this research:

An auditor is a person working for an internal audit department with an educational background in auditing.

In The Netherlands an educational background in auditing often entails a RA (Registered Accountant), RO (Registered Operational auditor), RE (Registered EDP auditor) or CIA certification. There is also a variety of post-HBO studies as well as internal audit education provided by commercial organizations. This leads to the definition of a non-auditor:

Non-auditors are all persons that do not have an educational background in auditing yet work for an internal audit department.

2.1.2 Types of non-auditors

Throughout the academic literature and IIA’s IPPF¹ different types of non-auditors are mentioned. Three different types of non-auditors derived are:

guest auditors;
rotational auditors;
subject matter experts.

Clear and coherent definitions for the different types of non-auditors are not always provided within literature. In line with Christ et al. (2015) this research will use the following types of non-auditors:

Guest auditor: a person with a career outside of the internal audit profession, temporarily joining an IAF in one or more audits, for a specific period of time. Two subtypes are considered: an internal guest auditor from within the organization and a hired guest auditor from outside the organization.
Rotational auditor: a person with a previous career outside of the internal audit profession, joining an IAF for 1 – 5 years, with the intention to rotate back to a different role outside of the IAF. Two subtypes are considered: an internal rotational auditor from within the organization and a hired rotational auditor from outside the organization. The hired rotational auditor is also called an exchange auditor.
Subject matter expert (SME): a person from another function or organization, who is participating in (part of) one or more audits mainly for his/her knowledge of the subject of the audit. In comparison with the guest and rotational auditor the subject matter expert often does not engage throughout the entire internal audit process. Two subtypes are considered: an internal subject matter expert from within the organization and a hired subject matter expert from outside the organization.

Based on literature and the authors’ own experience an additional dimension is added to the different types of non-auditors: internal versus external. Academic research shows that (part of) Internal Audit services are increasingly sourced through third parties (Mubako 2019), including both auditors and non-auditors (for example by hiring subject matter experts). Other research indicates (Christ et al. 2015) a positive link between outsourcing (part of) the internal audit function and the use or rotational auditors, although a conclusive explanation for this is not provided.

Within this study only externals that qualify as non-auditors are considered. Trained auditors from an external organization joining an IAF do not qualify as non-auditors according to the definition above, even though different IAFs consider these auditors to be a ‘guest’ to the IAF.

Table 1 summarizes the types of non-auditors and their expected contribution.

Table 1.Download as CSV

Types of non-auditors.

Types of non-auditors		Expected contribution
Types of non-auditors		Audit execution support		Subject matter expertise
Source	Internal	Internal guest auditor	Internal rotational auditor	Guest SME
Source	External	Hired guest auditor	Hired rotational auditor	Hired SME

2.2 Advantages in using non-auditors

The use of non-auditors within the IAF brings benefits to the IAF, the organization as well as the organization. Table 2 provides an overview of the advantages found in academic literature.

Table 2.Download as CSV

Advantages of using non-auditors.

Advantages of using non-auditors	For the non-auditor	For the IAF	For the organization
Exports an appreciation of governance, risks, and controls throughout the organization.		X	X
Acquisition of more in-depth knowledge of the respective business area		X
Cultivation of better customer relations		X	X
Heightened awareness of organizational sensitivity and business acumen		X
Improvement of personal and career development	X		X
Infusion of fresh ideas and perspectives, motivation to current internal auditors		X	X
Creates an appreciation of the role of the internal audit function		X	X
Enhancement of specific internal audit skills and competencies	X	X
Evolving view of internal audit as a potential source of talent for the enterprise		X	X

2.3 Practicalities in using non-auditors

Throughout academic literature, the IIA’s IPPF and based on IIA Netherlands’ CPP event of November 2018 three main topics of interest are derived when using non-auditors in the IAF:

Competence and quality;
Independence and objectivity;
Selection and reward.

These topics are explained in detail below.

2.3.1 Competence and quality

Competence

The IIA’s Standard 1210 states that ‘Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities’. Therefore, competence is an important requirement for IAFs. Literature indicates that competence may be a challenge for non-auditors. Internal auditors that view internal audit positions as a stepping stone or temporary step in their career are less likely than career auditors to pursue training and certifications that improve their internal audit competence (Anderson et al. 2010). In addition, the constant rotation out of the IAF diminishes overall IA experience and expertise relative to models with ‘career’ auditors (Christ et al. 2015). The study additionally finds a result that: “suggests that systematic rotation weakens the effectiveness of internal audit’s monitoring of financial reporting within the organization” (Christ et al. 2015). On the other hand literature also indicates a tradeoff between organizational expertise and audit expertise. Interviewees speaking with Christ et al. (2015) mentioned that: “Many of our interviewees believed the gain in organizational expertise could outweigh the loss of audit expertise.”

Internal audit quality

Literature mentions quality compromises in relation to rotational auditors (Mubako and Mazza 2017). Hansen et al. (2013) found “that internal audit functions that use the rotational model have lower internal audit quality, […] This effect is exacerbated when the CAE position is rotational.” The authors define quality as a combination of internal audit experience, certifications, training, size, and objectivity.

Most of the literature focuses on internal audit work related to financial reporting and does not specify the effect on internal audit quality of internal audit work not related to financial reporting.

For guest auditors and SMEs we assume similar risks as these non-auditors similarly have limited internal audit experience, certifications and training. Research is not conclusive on the effects on quality when comparing in-house internal audit departments versus outsourced internal audit departments (Mubako 2019).

Interviewees stated that when (internal/external) non-auditors with different backgrounds and/or specific knowledge are combined with auditors within the IAF a mix of competences is created. The interaction between these auditors and non-auditors can be valuable and of added value and will not only improve the IA-quality based on competences but also the quality of the audits. For example, subject matter expertise, understanding of processes, risk management, and other, can contribute to IAFs being seen as a ‘trusted advisor’.

2.3.2 Independence and objectivity

Literature indicates that the use of non-auditors has the potential to impair independence of the IAF and impair objectivity of the (non-) internal auditor (Christ, et al. 2015). The concepts of independence and objectivity are central in the IIA’s IPPF and at the core of the internal audit profession. These concepts are defined as follows:

“ Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.”

“ Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.”²

The concept of independence is tied to the IAF whereas the concept of objectivity is tied to the Internal Auditor.

Non-auditors (specifically rotational auditors) work in the IAF for a specific period with the goal of moving on in a different (possible managerial) position in the organization. As part of their internal audit assignment they might have to audit the managers that are considering them for a future role. It can open the non-auditor to social pressures and economic interest threatening objectivity. Prior research using experiments has demonstrated this for rotational auditors (Christ et al. 2015).

Regarding external non-auditors different dynamics are in play (Mukabo 2019). As they are not employees of the organization, they do not face the same social pressure and economic interest, thereby being more independent than in-house internal auditors (Bartlett et al. 2017, Loh et al. 2019). Research shows that outsourced internal auditors are less compromised in their objectivity (Loh et al. 2019). On the other hand, outsourcing (part of) the IAF opens up the possibility of other independence concerns especially when the party to whom the IA services are outsourced is also providing other services to the organization, or intents to perform other services in the future.

Other research demonstrates independence impairments of internal auditors’ risk assessments. IAFs without rotational auditors perform risk assessments that do not significantly differ when sending reports to senior management versus sending reports to the audit committee. A difference does occur when the IAF contains rotational auditors: internal auditors’ risk assessments contain significantly lower risks when the IAF reports to senior management than when the IAF reports to the audit committee. Additionally, when the IAF does contain rotational auditors, the internal auditor provides judgments more aligned with management’s preferences than when no rotational auditors are present (Hoos et al. 2014).

2.3.3 Selection and reward

A third topic briefly coming forward in both literature and IIA’s IPPF and IIA NL’s CPP event is the selection and reward of non-auditors. Prior research has been conducted around the factors influencing the recruitment of business professionals into internal audit (Bartlett et al. 2017). It shows that high-performers are more interested in internal audit work if the work would be ‘less boring / tedious’ whereas low performers are motivated by financial aspects.

2.4. Research questions

The central question answered in this research is

“What are better practices in working with non-auditors in the internal audit function, to benefit the IAF, non-auditor and organization?”

Based on the three topics identified above three sub-questions are formulated:

What are better practice controls to optimize competence and quality of non-auditors in the internal audit?
What are better practice controls to optimize independence/objectivity of the IAF and non-auditors?
What are better practices around the selection and reward of non-auditors in the IAF?

3. Research design

This study is an explorative one, it aims to explore the Internal Audit field and present better practices around using non-auditors in the IAF. The better practices have been gathered using two sources:

study of academic research about non-auditors;
interviews with representatives of IAFs.

The results of the study of academic research were combined to develop the literature analysis presented in section 2 and to develop an interview guide to structure the interviews. Both the academic research as well as the interviews brought forward better practices in working with non-auditors.

3.1. Study of academic research

We searched SSRN and Google Scholar databases with a wide range of search terms around internal auditing and the different kinds of auditors. The search resulted in a series of articles found in different publications related to business, organizations and (management) accounting. We have carefully studied the articles and used relevant elements in both section 2 and section 4.

3.2. Interviews

The goal of the interviews was to provide real-life examples when engaging non-auditors. Qualitative data was collected using a semi-structured interview approach with an interview guide prepared to provide focus during the interviews. This approach allowed for rich data to be collected. The interviews have been transcribed in a summarized form and validated with the interviewees to ensure correctness. The interviews have thereafter been coded and analyzed. The results of the interviews and analysis are presented in anonymous form on request of (several of) the interviewees.

3.3. Interviewees

We have approached IAFs that make use of non-auditors. The IAFs were found via personal connections of the authors as well as via IIA Netherlands and its committee of professional practices. We were introduced either via intermediaries or by contacting interviewees directly (by e-mail / LinkedIn).

Interviewees all worked as internal auditors within IAFs or recently (within the last six months) left an IAF. A majority of the interviewees were Chief Audit Executives, others were mostly working as professional practice representatives.

A total of 19 interviews were conducted within 17 different organizations. We deliberately targeted organizations in a diverse range of sectors (including but not limited to financial services, manufacturing, professional services, fast-moving consumer goods, semi-governmental, construction and natural resources). The size of the IAFs ranged from less than 10 FTE’s up to several hundreds of FTE’s employed. In our interviews we found examples of all types of non-auditors active. We noted a relatively even split between the use of rotational auditors, guest auditors, and subject matter experts.

4. Analysis and results

Interviews offered insight into the practices IAFs developed to manage non-auditors and the associated risks and to ensure that non-auditors are value adding to the audit function. The research shows there is no ‘one-size-fits-all’ approach. Size of the IAF seems to matter: bigger IAFs have more formalized ways of working than smaller ones. No clear differences between industries were identified.

Literature studied showed a negative link between the use of non-auditors (rotational auditors) and the effectiveness and quality of the internal audits performed. Interviewees consistently had an opposite perception of this link, they indicated the use of non-auditors increases the quality and effectiveness of the IAF. They stated that the increase in organizational knowledge and internal audit team expertise ensures the internal audit team includes the relevant organizational/business context, provides useful recommendations to findings and thereby improves acceptance of the internal audit work. A possible explanation can be found in kind and scope of internal audit work performed: the literature focused around financial reporting while the interviews in this study focused on operational audits.

4.1. Competency and quality

The literature review revealed the following measures used to mitigate competency and quality related risks:

consistency and continuity of IA supervision;
limiting the use of non-auditors to specific phases of the audit.

During the interviews respondents shared the practices and controls they put in place when engaging non-auditors to mitigate these risks and overcome the associated challenges. The five measures identified are shown in Table 3. Items flagged with an asterisk were identified in the interviews as well as the literature review.

Table 3.Download as CSV

Better Practices around competence and quality of non-auditors.

Better practice	Rotational auditor	Guest auditor	SME
Consistency and continuity of IA supervision*	X	X	X
Limiting the use of non-auditors to specific phases of the audit*	X	X	X
On-boarding training and welcome packs	X	X	X
Training courses (ongoing)	X	X
Knowledge sharing and on-the-job learning	X	X	X

Each of these five measures is equally applicable for rotational, guest, and SME non-auditors. Regarding training courses (ongoing) for SME’s differences arise: some IAFs make use of it while others don’t. Due to the specialized nature of their contribution, and relative (expensive) cost, it may not be cost effective for all IAFs to require SMEs to follow training courses.

Consistency and continuity of IA supervision

The literature review reveals that supervision, including quality review, training, as well as training and mentoring on job all contribute to improved audit competency and quality of audit outputs by non-auditors. These factors were confirmed by our interviews as well. Key elements of IA supervision mentioned during the interviews include the following tips:

Provide on-site supervision during audit execution to non-auditors. Ensure they have an audit team leader or supervisor to whom questions and concerns can be addressed. This may include accompaniment during interviews and other key interactions with audit stakeholders such as audit close-out meetings.
Provide coaching to accelerate learning, and quickly reduce the top competency and quality related issues facing non-auditors.
Allocate a quality reviewer for all deliverables prepared by the non-auditors prior to a final review taking place.
In case of larger IAFs, allocate a dedicated Professional Practice Quality leader who reviews all audit deliverables and the Internal Audit methodology to ensure the Internal Audit function is operating in line with recognized quality standards at all times.

Limiting the use of non-auditors to specific phases of the audit

To reduce the risk of compromises to audit quality some IAFs allocate non-auditors specifically to specific audit activities such as audit execution (fieldwork). Other audit activities were taken on by core internal auditors. Such activities include: final say on audit scoping, communications with higher profile stakeholders, report editing and drafting, and remediation monitoring. Some interviewees stated that guest auditors best be allocated to tasks and responsibilities in line with their strengths which may include key language skills, business knowledge and subject matter expertise rather than the full spectrum of audit activities. Typically these strengths are more used in direct interactions with auditees, for example in interviews and closing/report meetings rather than in ‘behind-the-scenes’ work such as internal audit file work or testing of documentation.

On-boarding training and welcome packs

The most commonly cited means to improve non-auditor audit competency and thereby mitigate quality risks is to deploy on-boarding training for non-auditors. Interviews cited the following topics to typically be covered in on-boarding classroom trainings:

IA Methodology: including topics such as the internal audit execution approach; key action check lists; audit scheduling approach; and timing and key activities.
Audit techniques: including interview techniques, critical thinking, sampling, risk assessment, control testing, and report writing techniques.
Internal Audit basics: process basics, risk basics, control basics; issue identification; root causes analysis.

Such on-boardings are designed to provide a crash course to non-auditors and ensure that the most critical elements of audit techniques are covered prior to handing over responsibilities to the non-auditors. The length of on-boarding training differs between IAFs from (part of) a day up until a week.

The amount of formalization differs per IAF, with larger IAFs having a more structural training developed and held on fixed periods in time, while smaller IAFs use less formalized methods.

Training courses (ongoing)

Similar to the on-boarding packs, interviewees also shared examples of ongoing training, particularly for rotational auditors and guest auditors that are engaged for longer periods of time (longer than 1 year). Examples of such trainings include summer training programs, annual team learning events, and IIA hosted events. Here again the primary aim of these training courses for non-auditors is to bring them up to speed on the latest and most critical Internal Audit techniques required for the non-auditors to deliver quality audit outputs. The length of the training course again differs per IAFs ranging from (part of) a day up until a week.

Knowledge sharing and on-the-job learning

Interviewees also cited the use of SharePoint and other knowledge sharing portals specifically established for non-auditors to share knowledge, tips and tricks with each other. Such portals aim to provide non-auditors with a forum to collaborate and share better practices. Non-auditors are often well placed to provide training to each other given the similarity of their circumstances, and may, in some cases, be the ideal candidates to know what information is most helpful to another non-auditor at a given stage in their IA development.

4.2. Independence and objectivity

This section provides the answer to the second research question: What are the better practice controls to mitigate the risk of impaired independence/objectivity of the IAF and non-auditors in the audit?

Based on our literature review we identified the following mitigating measures:

consistency and continuity of IA supervision;
Audit Committee oversight;
separation of internal audit staff and staff used for non-audit services;
limiting the use of non-auditors to specific phases of the audit;
prohibition to audit the department for which they have worked before;
conflict of interest statement.

During our interviews we identified the measures included in Table 4 to be used to mitigate the risk of impaired independence and objectivity. Comparison of these two lists revealed the following: While several measures have been identified in both [marked with an asterisk (*) in Table 4], other mitigating measures only were identified in either one, the literature review or the interviews.

Table 4.Download as CSV

Better Practices around independence and objectivity of non-auditors.

Better practice	Rotational auditor	Guest auditor	SME
Creation of awareness	X	X	X
Openness about career developments	X	X	X (internal)
IAF leadership involvement	X	X	X
Supervision / review by lead auditor*	X	X	X
Explicit adaption of IIA Code of Ethics	X	X	X
(Annual) Independence declarations*	X
Independence confirmation letter per audit*		X	X
Application of cooling-off period*	X
Limitation of audit areas/locations*		X	X
Clear communication on role models	X
Audit evaluations	X
External sourcing *		X	X

Audit Committee oversight and limiting the use of non-auditors to specific phases of the audit were not mentioned during our interviews, probably as IAFs are less aware of the mitigating effect of these measures. Specifically with respect to the involvement of non-auditors in the audit execution most interviewees indicated that they do not apply restrictions, on the contrary, non-auditors are usually used throughout the entire internal audit process to harmonize ways of working and optimize the outcome of the internal audit.

During our interviews we identified mitigating measures applying to all types of non-auditors, as well as measures specifically applying to rotational auditors on the one hand or guest auditors and SMEs on the other hand.

We identified several better practices that can be used to prevent the impairment of independence or objectivity of non-auditors independent of the type of non-auditor (see Table 4).

Creation of awareness

Several interviewees indicated the importance of continuous and open discussions to be held to ensure adequate mindset regarding objectivity and independence. They require audit team members to challenge each other on an independent and objective mindset and behavior during all phases of the audit. It needs to be clear to all team members that no close relations or career perspectives may be at play to adequately ensure independence and objectivity.

Openness about career developments

In another IAF open and regular communication about the (non)auditor’s next envisioned career steps outside of the IAF is used to prevent impairment of independence and objectivity. Such measure may be less effective in case of external guest auditors and/or SMEs.

IAF leadership involvement

One IAF representative stressed that an independent and objective mindset is not only an individual responsibility; ensuring independence and objectivity ultimately is leadership’s responsibility. Therefore staff should be encouraged to approach leadership in case they encounter potential independence issues. It takes a joined effort from the CAE and each (non)auditor to adequately manage objectivity/independence issues.

Supervision/Review by Lead auditor

Literature as well as our interviews revealed that possible impairment to objectivity may be prevented by having the lead auditor, who is part of the IAFs core team respectively a permanent IAF staff member, reviewing the work performed by the non-auditor. Keeping the overall responsibility for the audit not with the (temporary) non-auditor may be a good measure to mitigate possible independence/objectivity impairments.

Explicit adoption of IIA Code of Ethics

Some interviewees indicated that they prevent limitations to independence/objectivity by requiring non-auditors to explicitly confirm that they will adopt the IIA Code of Ethics.

Rotational auditors

The following better practices have been identified specifically with respect to rotational auditors.

(Annual) Independence declarations

Literature as well as interviews indicate that independence/objectivity may be ensured by requesting rotational auditors to sign an independence declaration when starting within the IAF as well as asking for a periodic (for example annual) reconfirmation and/or an ad hoc reconfirmation in case of any changes. By these declarations rotational auditors explicitly confirm that their objectivity and independence is not at stake due to prior work and/or close relationships.

Application of cooling-off period

Strict application of a general rule prohibiting rotational auditors to audit the area where they have been working previously for a certain period of time (for example 1 year) may ensure independence/objectivity according to literature, the IPPF (1 year) and information provided during our interviews.

Clear communication on role models

A better practice was identified with respect to open communication on the fact that rotational auditors that critically challenged the status quo during their audits respectively performed audits with great impact more likely than not were able to obtain desirable management positions after rotating back into the business. This better practice may mitigate the risk that rotational auditors may be tempted to be less objective during their audits in order to not endanger future career opportunities.

Audit evaluations

One IAF prevents impairment of independence/objectivity by conducting feedback sessions after every audit. In these sessions rotational auditors are challenged on their decisions by their peers.

Guest auditors and SMEs

We noted that often the same better practices applied with respect to guest auditors and SMEs, probably as both types of non-auditors are working within the IAF for only a short period of time.

Independence confirmation letter per audit

Several interviewees stated that guest auditors and SMEs are requested to sign a letter declaring that no conflict of interest applies with respect to the audit they will be involved in, for example no prior work history and/or personal relationships etc. in order to safeguard independence/objectivity.

Limitation of audit areas/locations

Strict application of a general rule prohibiting guest auditors and/or SMEs to participate in audits of the department or processes they work for may ensure independence/objectivity was mentioned by several IAF representatives.

External sourcing

IAF representatives of smaller organizations indicated that internal staffing with guest auditors or SMEs often cannot be arranged for due to independence and objectivity limitations. Their solution to this problem was hiring external resources (external guest auditors and/or external SMEs). A fresh pair of eyes from an outsider, not involved in the processes or departments to be audited can operate more independent and objective.

4.3. Selection and reward

In this section we will answer the third research question: What are better practices around the selection and evaluation of non-auditors in the IAF?

For many IAFs attracting suitable candidates is a challenge. In literature hiring practices are described. The different better practices that were mentioned during our interviews are summarized in Table 5 and differentiated for the different types of non-auditors.

Table 5.Download as CSV

Better Practices around selection and reward of non-auditors.

Better practice	Rotational auditor	Guest auditor	SME
Structural implementation of a rotational audit model	x
Close relationships throughout the organization	x	x	x
Leadership commitment	x
Offer good roles in the business	x
Maintain an actual knowledge-expertise matrix	x	x	x
Align recruitment of non-auditors with organizations’ practices	x	x	x
Internalize subject matter expertise in the IAF			x
Evaluate rotational auditors in the same way as auditors	x
Define criteria to evaluate guest auditors and SMEs on a case-by-case basis		x	x

Structural implementation of a rotational audit model

During our interviews we noted a limited number of IAFs that applied rotational auditors as a general way of working (100% rotational internal auditors). The majority of IAFs interviewed engaged rotational auditors more on an occasional basis driven by career paths of individuals. Some IAF representatives indicated that a more structural application of a rotation model could be beneficial, even if this would mean ‘accepting’ a higher turnover rate. To make the rotational model work one should consider the ‘inflow’ as well as the ‘outflow’.

Close relationships throughout the organization

To select and recruit capable non-auditor to join the IAF, several interviewees indicated that keeping close relationships within the organization is a key factor for success. Future guest auditors, SMEs or rotational auditors can come from these audited departments. A better practice identified is the sharing of IAF vacancies with these departments.

Leadership commitment

Interviews revealed that commitment from senior leadership is important to the successful implementation of a rotational auditor program.

Offer good roles in the business

Other IAF representatives indicated that it is important to adequately manage the outflow from IAF after the rotational period, in order to attract good candidates. Maintaining good relationships with HR and the business ensures that rotational auditors leave the IAF into roles in line with their career path.

Maintain an actual knowledge-expertise matrix

Another better practice identified relates to the establishment of a knowledge-expertise matrix. By this the IAF can clearly communicate what kind of SME areas are required. This instrument is considered very helpful for recruitment and back-up purposes.

Align recruitment of non-auditors with organizations’ practices

IAF representatives indicated that it is considered important to have a formalized process in place with the involvement of HR when engaging non-auditors.

Internalize subject matter expertise in the IAF

Some IAFs we have interviewed had internalized SMEs permanently into the IAF. This better practice might be feasible for larger IAFs only. This holds for both expert knowledge (for example about the applicable regulations) and business knowledge (for example about the applicable markets for the organization).

Evaluate rotational auditors in the same way as auditors

Most interviewees stated that they evaluate rotational auditors in the same way as auditors by using common evaluation processes and KPI’s. Some IAFs vary based on the role of the non-auditor during the audit, for example if non-auditors are not involved throughout the entire audit.

Define criteria to evaluate guest auditors and SMEs on a case-by-case basis

IAF representatives indicated that transparency about what contribution is expected of the non-auditor should be clarified before the start of the audit. The related evaluation criterion should be defined on a case-by-case basis and evaluated at the end of the audit.

5. Conclusions

Internal audit functions globally increasingly include non-auditors in audit teams to increase quality and to be able to quickly adapt to organizational developments. This brings several advantages to the IAF, the non-auditor as well as the organization (see Table 2).

This research providers better practices around the use of non-auditors in internal audits, measures that can support IAFs in successfully implementing a non-auditor model. The measures are based on academic literature and real-life examples of IAFs successfully working with a non-auditor model.

The measures were presented around three topics: competence and quality, independence and objectivity and selection and reward. Supervision, specific use of non-auditors and classroom training are examples of better practices around competence and quality. To ensure independence and objectivity multiple better practices were shared, including openly addressing the topics, clear supervision by explicit adaptation of the IIA’s code of ethics. Other measures were identified related to specific types of non-auditors (rotational auditors, guest auditors and subject matter experts). Finally, to optimize selection and reward of non-auditors IAFs use both formal (aligning recruitment practices with the organizations’ practices) as informal (maintaining close relationships with leaders across the organization) methods. Additionally specific measures can be used for specific kinds of non-auditors.

5.1 Scope and limitations

5.1.1 Limitation of using interviews

The research is partly based on interviews with representatives of IAFs. The information provided in these interviews was not validated by studying additional documentation such as Internal Audit Charters or Internal Audit Manuals. Further research could add this to validate and enrich the measures included in this article.

While the project team has attempted to ensure a broad applicability of results by selecting a diverse range of IAFs, time and resources constraints limited the team to 17 organizations. A larger sample of organizations could further validate and extend the results.

The IAFs interviewed were all (partially) based within The Netherlands, though multiple of the selected organizations also operate abroad. Selecting a different geography might impact results.

The goal of the research was to provide better practices regarding the use of non-auditors and did not intent to extensively research when and why non-auditors are used. This too could be an interesting area for further research.

5.1.2 Definition

The definition of non-auditors used in this study led to discussions with several interviewees and revealed there is no clear consensus between IAFs on how to define non-auditors. The topics of rotational, guest and SME auditors are widely known and in use by internal audit functions, yet often mean different things. While the definitions used in this research attempt to be exhaustive and complete, we noted several examples of non-auditors used during the interviews that challenge the definitions used in here. Further work could be done to detail/finetune the definitions.

Mr. drs. G. Hendrix RO is Internal Audit Leader at IKEA and member of the IIA Netherlands’ committee of Professional Practices (CPP).

Drs. J. Wai RO is a manager in EY’s Internal Audit & Risk Analytics Team and ex-committee member of the IIA Young Professionals.

Drs. J. Tjin A Sioe AAG is working as Internal Auditor at Audit a.s.r. Nederland N.V.

Drs. M. Hener-Schaminée RA EMC is working as Senior Manager at KPMG Advisory, Internal Audit, Risk & Compliance Services.

Drs. W. Ottema RC RO CIA is working as Auditor in the expertise pool Risk Management & Treasury at Rabobank.

Notes

1

See for example the Implementation Guidance for Standard 2030 and 2230.

2

IIA’s International Standards for the Professional Practice of Internal Auditing, Standard 1100.

References

Anderson UL, Christ MH, Johnstone KM, Rittenberg L (2010) Effective sizing of internal audit departments. The Institute of Internal Auditors Research Foundation (IIARF). https://www.iia.nl/SiteFiles/IIA_leden/EFFECTIVE%20SIZING%20ORGANIZATION.DL.pdf

Bartlett GD, Kremin J, Saunders KK, Wood DA (2017) Factors influencing recruitment of non-accounting business professionals into internal auditing. Behavioral Research in Accounting 29(1): 119–130. https://doi.org/10.2308/bria-51643

Bartlett GD, Kremin J, Wood DA, Saunders KK (2016) Attracting applicants for in-house and outsourced internal audit positions: Views from external auditors. Accounting Horizons 30(1): 143–156. https://doi.org/10.2308/acch-51309

Bond R (2011) Internal auditing “rotational” programs: Opportunities for internal audit to add value. Esther R. Sawyer Research Manuscript 2011, IIA Foundation. https://global.theiia.org/iiarf/Pages/Esther-R-Sawyer-Research-Award-Winners.aspx

Christ MH, Masli A, Sharp NY, Wood DA (2015) Rotational internal audit programs and financial reporting quality: Do compensating controls help? Accounting, Organizations and Society 44: 37–59. https://doi.org/10.1016/j.aos.2015.05.004

Hansen J, Starliper M, Wood DA (2013) A rotational model for internal auditors: Academic findings on its costs and benefits. The CPA Journal 83(10): 12–13.

Hoos F, Messier Jr WF, Smith JL (2014) The effects of serving two masters and using the internal audit function as a management training ground on internal auditors’ objectivity. SSRN: https://doi.org/10.2139/ssrn.2358149

Loh C-Y, Coyte R, Cheng MM (2019) Is a fresh pair of eyes always better? The effect of consultant type and assigned task purpose on communicating project escalation concerns. Management Accounting Research 43: 1–14. https://doi.org/10.1016/j.mar.2018.09.002

Mubako G (2019) Internal audit outsourcing: A literature synthesis and future directions. Australian Accounting Review 29(3): 532–545. https://doi.org/10.1111/auar.12272

Mubako G, Mazza T (2017) An examination of internal auditor turnover intentions. Managerial Auditing Journal 32(9): 830–853. https://doi.org/10.1108/MAJ-09-2016-1443