Internal Auditor Spotlight with Devin Potter of RSM
By Joseph McCafferty
23 March 2017
Devin Potter is a Supervisor in the Risk Advisory Services business at RSM, where he has worked since 2014. We recently sat down with Devin to talk about the internal audit profession.
Q: What do you like most about being an internal auditor?
A. I really enjoy having a sense that I’m improving things. Our primary role is to provide assurance that business risks are managed as management would expect. But if I can finish an internal audit project and at the end of it, we can provide insights that improve the business for my clients, while helping them manage risk at the same time, then I am adding enhanced value.
Another great aspect of being an auditor is that every day is different. To be successful, you have to be comfortable with priorities changing on a dime. An example would be if senior management wants an audit report sooner than originally anticipated. This might require you to rethink your project plan and juggle other action items so you can satisfy that request. Being comfortable with that kind of change is critical. As internal auditors, we are always challenged to get projects completed within a certain time frame. It keeps you on your toes, and I enjoy that challenge.
I also like the combination of technical and interpersonal skills required of successful internal auditors. In internal audit, you're going to be relied on to get the technical work done correctly and accurately, but also to engage with people in the firm—or in my case, my clients. Technical skills could include key accounting or business operation concepts, properly documenting a finding or using data analysis tools accurately. Interpersonal skills would include effective and concise communication, solid presentation skills and the ability to engage with auditees and stakeholders effectively. That is a perfect fit for me. It requires both sides of your brain: the left and right.
Q: What are your opinions on what separates a staff internal auditor from a senior internal auditor?
A: The roles and responsibilities can change from one organization to the next, but generally, as a staff internal auditor, your role will primarily to perform fieldwork procedures and execute testing procedures. You're taking your marching orders from the senior internal auditor and making sure project work is completed accurately, in a timely manner and that follow-up requests and questions from the senior internal auditor are addressed.
As a senior internal auditor, maybe you aren't running the project in its entirety, but at least you're running the fieldwork portion. Your responsibility is to obtain whatever documentation and information you need, make sure the staff internal auditors understand their roles/responsibilities, and make sure that control testing is completed in a timely manner, and that it's accurate and reliable. A staff auditor would likely not track budget or fieldwork milestones and completion rates, while a senior would be responsible for a good chunk of those project management tasks. A senior might also take the first stab at writing the audit report, and then a manager reviews and finalizes it.
Q: What does a typical day look like?
A: I really can't emphasize enough how every day is different. I'm either planning a project, overseeing one or closing one down. My job involves checking in with the senior internal auditors on my projects to make sure we are on budget and schedule, and if not, determining why. So I'm asking, "What are the findings that we are reporting and, more importantly, are we communicating that to management?" If I'm in the wrap-up phase, I could be helping to finalize an audit report and working with senior management to make sure they are comfortable with the language being used.
Another part of my role is to help clients identify and assess enterprise risks to their business and to ascertain whether those risks should be evaluated formally during an internal audit project. I spend considerable time researching my clients' companies to better understand industry trends; macroeconomic factors that could impact their business; and significant changes to the people, processes, and technologies used in their businesses. I then share this information with my senior management team (usually our risk advisory partners and directors), who then use it to facilitate discussions with our clients' CFOs, CEOs, or audit committees.
Q: How should internal auditors plan to develop into internal audit leaders? What does that journey look like?
A: It's about acquiring excellent business acumen. Senior executives can quickly determine if you really know the true risks to the organization and if you know what you're talking about, so you have to know the business and keep learning about it. The people I've seen become most successful in this profession are those who never stop learning. They continue to do industry research, learn as much as they can, attend training events, and continue to build company and industry expertise.
Doing the internal audit work—such as identifying risks, testing internal controls or assessing gaps in internal control—forms the base skill set you need and it's important to do those well. But on top of that, there's a layer of understanding business processes. If you take it a step further and provide a recommendation that is very specific to the industry or the company, then you are adding true value. Internal audit leaders are those who become good at that advisory role.
Q: What do internal auditors struggle with the most?
A: Seeing things from the process owner's perspective, specifically as it relates to understanding the likelihood and impact of an issue based on audit findings uncovered during the audit project, can be challenging. Internal auditors usually are quick to decide a control is broken if one sample transaction tested did not meet management's criteria, and are sometimes quick to dismiss the process owner's views on why something happened (or didn't happen), and why that is okay with them.
People in the business might provide a reason they think the likelihood and impact of an issue will be lower. It's coming to an agreement on those things that can be difficult. This gets back to the importance of knowing the business. The people who are successful at striking the right balance are those who know the business and the industry through and through, and they know how to judge what a process owner is telling them. An example of this would be if an auditor found that a company doesn't recognize revenue once goods are shipped (depending on the freight terms). An auditor might initially find that to be strange. However, certain industries might use contract accounting to recognize revenue as certain contract elements are completed. In that case, you should expect revenue to be recognized in accordance with the contract, and not in the orthodox sense of goods shipped/received.
Q: What's a myth about internal auditors that you don't think is true?
A: A myth is that we are out there to "get" people and write them up for not doing things correctly. Sometimes you find an audit issue where someone is not doing something correctly. But the goal is to find problems with internal controls that could adversely affect the organization and bring them to light. The goal is to help clients avoid adverse financial, operational and regulatory compliance issues. The focus is to find the best path forward for a solution to a problem.
Q: Where do you see internal audit in 5 or 10 years from now?
A: I think there's going to be a bigger emphasis on doing more with less. Companies continue to emphasize cost cutting and operating as leanly as possible. Having excellent project management skills and learning where to best leverage your level of effort among staff, senior and managers is critical. Also, ensuring team members are proficient with data analysis will likely be key. This is one of the best ways to identify high-impact audit findings and, therefore, an excellent way to show the value of internal audit, particularly in the case of smaller audit shops.