Internal auditing is an evolving business segment offering new opportunities for professionals with diverse backgrounds and a keen eye for detail. Nick Chavis ’01 found his calling in internal auditing and risk management at cyber-security software firm Sourcefire, Inc. in June 2012. He shares how the role and perception of internal auditors are changing.
What is Sourcefire, and describe your role as director of internal audit and enterprise risk management?
Sourcefire is a cyber-security software firm with international clients and one of the fastest growing companies in the mid-Atlantic. Because of the nature of our products and services, we face unique challenges from combatting the threat of cyber-attacks to complying with federal and international laws. In my role, I ensure we are operating in compliance with all regulations, and I advise executive management on risks associated with strategic decisions.
Why is internal audit and enterprise risk management important to a company’s bottom line?
Internal audit helps increase the efficiency and effectiveness of a company's processes, systems and people by systematically evaluating and making recommendations. Enterprise risk management plays an even more important role by providing the framework to evaluate, monitor and manage all critical risks.
How is the field of internal auditing changing?
In its early stages, internal audit was viewed as the internal police for companies, which made auditing business areas challenging. People and departments being audited usually thought the auditors were trying to get them in trouble. Today, however, the perception of internal audit has changed. It’s now commonly viewed as an advisory process for management, focusing on consultative-type projects that streamline business.
What skills does it take to be successful in the internal audit and risk management field?
These areas require strong technical and analytical skills combined with an understanding of how to design processes to operate efficiently and effectively. One misconception about auditors is that they need an accounting background. When an auditor develops their plan for the year, it’s based on an enterprise risk assessment which defines the high risk areas, but in today's business environment those high-risk areas are often not financial. For example, one of our high-risk areas is IT Security. To audit IT Security, you need technical expertise, not an accounting background.
You currently serve as president of the Institute of Internal Auditors’ Baltimore chapter. Why is associating with organizations like the IIA important as a professional?
Getting involved provides you with an opportunity to stay on top of hot topics within your profession, keep up to date with relevant certifications, network with local executives in your industry and stay abreast of job opportunities. These are all important factors to stay ahead of the curve as a professional.
What advice would you give to current business and accounting students?
The best advice I can give is to work hard at being the best at your craft and spend time developing professional relationships—the rest will come easy. I can't emphasize enough how important developing a professional network is to your career, especially in the Baltimore market. The city nickname is “Smalltimore” for a reason.