Inside the Role of an Internal Auditor: Oversight, Risk, and Governance

When Toshiba’s accounting scandal erupted in 2015, investigators discovered the Japanese conglomerate had overstated profits by $1.2 billion across seven years. The fraud, driven by intense corporate pressure to meet targets, led to the resignation of the company’s president and two predecessors. The internal auditor, expected to catch such manipulation, had been unable to withstand management pressure. The case exposed the fundamental challenge: maintaining independence while employed by the very organisation under scrutiny.

This tension defines the profession. An internal auditor tests controls, assesses risk, and reports on whether management’s systems function as designed. The role combines assurance with advisory work, protecting assets while helping improve performance. Done well, it supports the governance structures that institutional investors increasingly demand.

Corporate boards now expect continuous oversight as operational threats materialise faster than quarterly reporting cycles allow. External audit provides annual opinions on financial statements. Internal audit delivers ongoing monitoring, identifying control weaknesses before they escalate into crisis.

Core Responsibilities of an Internal Auditor

The work divides into five interconnected functions, each targeting different organisational risks.

Control testing validates whether operational routines actually work. Do reconciliations catch errors? Do approval processes prevent unauthorised transactions? Does segregation of duties stop fraud? Testing moves beyond policy documents to examine whether designed safeguards function under pressure.

Risk assessment ranks and quantifies threats. A manufacturing firm might face supply chain concentration, cyber vulnerability, and regulatory exposure simultaneously. Internal audit maps these by probability and impact, forcing management to prioritise finite resources.

Compliance review checks adherence to laws, regulations, and internal policies. As jurisdictions multiply disclosure obligations around climate, data privacy, and corporate governance, this function has expanded dramatically.

Operational audit examines whether processes achieve intended outcomes efficiently. The questions extend beyond financial controls into procurement pricing and customer service effectiveness.

Reporting translates technical findings into business decisions. Good practitioners quantify exposure, estimate potential impact, and prioritise remediation. A control weakness becomes actionable when framed with specific financial consequences.

Professional standards from the Institute of Internal Auditors codify these activities globally, though execution varies dramatically by organisation size and sophistication.

Internal Auditor Independence Requirements

Here lies the core problem. You are an employee scrutinising your employer, paid by the organisation you review. Maintaining objectivity demands careful structural design.

Best practice separates reporting lines. The chief audit executive reports administratively to the chief executive for budget and staffing, but functionally to the audit committee and board for audit findings. This architecture preserves information access while limiting management’s ability to suppress uncomfortable truths.

Wirecard’s collapse in 2020 illustrates what happens when this breaks down. The German payments company engaged in massive accounting fraud for years before filing for insolvency. Subsequent investigations revealed management had restricted internal audit scope and access, compromising the function’s ability to detect misconduct that ultimately destroyed the company.

Many organisations now mandate private sessions between audit committees and audit leadership, conducted without management present. External quality assessments every five years provide additional validation that work meets professional standards.

Internal Auditor Qualifications and Skills

Technical competence in accounting and controls forms the foundation. Professional certifications signal baseline capability:

CIA (Certified Internal Auditor): The profession’s primary global credential, emphasising risk-based auditing and governance.

ACA (Associate Chartered Accountant): UK qualification from the Institute of Chartered Accountants, widely recognised for financial reporting expertise.

ACCA (Association of Chartered Certified Accountants): International qualification particularly common in UK roles, covering financial management and assurance.

CIMA (Chartered Institute of Management Accountants): UK management accounting credential, valuable for operational audit and performance measurement.

CPA (Certified Public Accountant): US financial reporting credential, particularly valuable for auditing complex accounting treatments.

CISA (Certified Information Systems Auditor): IT controls focus, increasingly essential as digital systems proliferate.

But credentials alone no longer suffice. Modern practitioners need data analytics capability, IT assurance expertise, and sector-specific knowledge. The Barclay Simpson 2024 salary survey found 53% of employers cite candidates’ lack of sufficient technical or regulatory knowledge as their biggest recruitment challenge, with particular demand for data analytics, model risk management, and financial crime auditing expertise.

Larger organisations maintain specialist teams covering cyber security, third-party risk, ESG reporting, and digital transformation. Smaller firms co-source, bringing in specialists for specific assessments without permanent overhead.

Internal Auditor Salary and Compensation

Compensation reflects the skills premium. US positions for candidates with one to three years’ experience average $84,750 according to Robert Half’s 2025 Salary Guide. Senior roles earn approximately $103,250. UK positions average approximately £51,700 annually. The Barclay Simpson survey notes that 92% of professionals remain optimistic about job prospects despite broader economic uncertainty.

Technology and Internal Audit

The profession has shifted from testing transactions to evaluating algorithmic decision-making. When retailers implement dynamic pricing powered by machine learning, teams must verify that algorithms operate within defined parameters without introducing discriminatory outcomes.

The Institute of Internal Auditors’ Risk in Focus 2025 survey, covering 3,500 practitioners globally, identifies AI governance and digital disruption among the fastest-growing audit concerns. Research by Protiviti shows cyber and IT governance now consume nearly 20% of planned audit work. PwC’s global internal audit study reports that 47 per cent of functions have incorporated supply chain resilience into current plans.

The IIA’s 2024 report shows cyber security ranked as the biggest risk for auditors for the sixth consecutive year. Some 84 per cent of chief audit executives consider it a top five organisational risk. Nearly a third also identify climate change and environmental sustainability as top risks, though few organisations have built corresponding audit capabilities.

Data analytics tools can now examine entire transaction populations rather than samples, identifying outliers and patterns humans would miss. But auditing AI models, cloud architecture, and interconnected digital ecosystems requires fundamentally different expertise than reconciling ledgers.

The Internal Audit Process

A typical engagement unfolds across defined phases. Planning prioritises coverage using management risk registers, prior audit findings, and external intelligence about sector threats. Fieldwork combines interviews, process observation, control testing, and data analytics. Rather than sampling transactions, teams might analyse millions of payments annually, flagging anomalies for investigation.

Analysis identifies root causes and estimates impact. Remediation recommendations must be practical given organisational constraints. Follow-up verifies implementation, tracking whether agreed actions close vulnerabilities or merely generate paperwork.

Recent Internal Audit Failures

Recent cases demonstrate both the role’s value and its limitations. In 2024, US retailer Macy’s discovered an employee had concealed approximately $150 million in delivery expenses through false accounting entries over nearly three years.

Brazilian educational technology company Americanas SA filed for bankruptcy in January 2023 after revealing a $4 billion balance sheet imbalance. An internal review discovered management had manipulated financial records for years using supplier finance arrangements.

China Evergrande’s 2024 accounting scandal revealed the property developer had artificially inflated sales figures by approximately $79 billion across two years before its 2021 default. The China Securities Regulatory Commission found internal control assessments during audits were inadequate.

Limitations and Constraints

The role cannot replace management responsibility or detect every instance of misconduct. Resource constraints force prioritisation. No function can examine everything continuously. Audit committees consistently cite cyber security, enterprise risk management, and talent as top concerns, yet few organisations allocate resources proportional to stated priorities.

The tension between breadth and depth persists. Comprehensive coverage risks superficial review, while deep examination of specific areas leaves gaps elsewhere. Co-sourcing offers partial relief but introduces coordination challenges.

Internal Auditor Career Path

The role provides unusual breadth of exposure across finance, operations, technology, and strategy. This makes it valuable preparation for senior risk, finance, or compliance positions. The US Bureau of Labor Statistics projects 6 per cent growth in auditor and accountant roles from 2023 to 2033, faster than average across all occupations.

Employers prize professional scepticism, the capacity to question established practice diplomatically, and the ability to translate technical assessment into business decisions. Protiviti’s 2023 survey noted functions face an ongoing talent crunch, particularly for technology skills. Those combining professional qualifications with data analytics and IT capabilities enjoy particularly strong demand.

Key Takeaways

A competent, independent function has evolved from compliance checkbox to strategic necessity. The modern internal auditor operates as both guardian and enabler, identifying vulnerabilities before they trigger crisis while helping design controls that support rather than constrain growth. In an environment where accounting fraud can destroy billions in shareholder value, catching problems early represents genuine competitive advantage. Yet this requires resourcing functions proportional to their expanded remit. The difference between robust oversight and governance theatre often emerges only when something breaks.
