You Got The Wrong Guy, Man! The Internal Auditor’s Case of Mistaken Identity in Corporate America


At the beginning of the Coen brothers’ 1998 movie, The Big Lebowski, the main character, The Dude (aka “Jeffrey Lebowski”), becomes embroiled in a case of mistaken identity with another Jeffrey Lebowski (aka not “The Dude”). What appears to upset The Dude most isn’t having his head slammed into a toilet by two goons looking for the other Lebowski, but that they keep referring to him as “Mr. Lebowski.” He tells them,
“Nobody calls me Lebowski. You got the wrong guy, man. I’m The Dude, man.”
Even if you’ve never seen The Big Lebowski — and really, you should correct that as soon as possible — you can imagine how frustrating it would be to have your identity repeatedly misunderstood or mischaracterized.
This author, a proud Internal Auditor, asserts that most (if not all) Internal Auditors experience this case of mistaken identity practically every day. We are mislabeled as “accountants,” “tax auditors,” “finance people,” “the police,” or even “spies!” by the very people who walk by us in the halls every day at work. Making matters worse, most of our family members can’t explain our vocation either. When we are in the wild and a stranger asks us the age-old question, “What do YOU do?” and we respond with “I am an Internal Auditor!”, a frequent retort is “Ah, you do taxes!”
No man. You’ve got the wrong guy, man.
And yet, clarifications to that answer — presuming the stranger has stuck around for a response — will vary depending on the Internal Auditor. This is part of the problem, you see. Every organization with an Internal Audit function has a different organizational structure. This author argues that this construct is a key contributing factor to THE greatest challenge facing the profession today: being misunderstood or undervalued. This was pointed out by our governing body, The Institute of Internal Auditors (IIA), in their Vision 2035 report.
In the film, The Dude famously quips, “The Dude abides.” My friend, Internal Audit leader and Big Lebowski aficionado Doug Hardesty, commented to me that in The Dude’s case,
“To abide means to endure as his authentic self. Perhaps, for our purposes, The Dude encapsulates what the Internal Audit professional of the future can and should be in that simple statement: Know and be true to who you are. Show some spine when people mislabel you, man! YOU are not a tax auditor or the police.”
I agree. And, as cool as it might be to be compared to James Bond, you are definitely NOT a spy.
This is our call to action, Internal Auditors! This author asserts that it is time to do away with outdated notions of Internal Audit’s organizational reporting structure if we are going to change how we are perceived. We can no longer abide by the dated perception of Internal Audit as a compliance-focused Finance function often seen as the police of the organization.
The CFO Reporting Trap
I often wonder if Internal Auditors are like that old bumblebee adage — not built to fly, but defying the laws of physics every day and doing it anyway. Like the bumblebee, we fly despite the weight of this bummer-of-an-outdated-reporting-structure to the CFO.
In The IIA’s 2026 North American Pulse of Internal Audit survey, 78% of respondents in publicly traded companies indicated that the CAE reported administratively to the CFO. That’s up from 71% in 2021. We’re not headed in the right direction.
This reporting line has long been a touchy subject. See here, here, here, here and here for articles and comments dating back to 2007 and as recent as eight months ago.
Everyone agrees that the CAE must have safeguards to protect their independence within the organization. Some, like this author and The IIA, believe reporting to the CEO is best practice. It elevates Internal Audit as an enterprise function — which it is — and also keeps a C-Suite executive like the CFO from steering Internal Audit’s resources, whether intentionally or not, to non-strategic engagements within their purview (e.g., pet projects or programs).
Hiring for the Risks of the Past
This administrative reporting line to the CFO unintentionally reinforces a narrow view of Internal Audit as a subset of Finance. This perception is clearly reflected in the current talent market; a quick scan of executive job postings reveals that a CPA or public accounting background is often treated as a prerequisite rather than a specialized asset.
While financial literacy is undoubtedly a foundational skill for any auditor, an over-emphasis on accounting expertise can inadvertently sideline the broader strategic skill sets (e.g., operational risk, AI, fraud risk management) that a modern enterprise leader requires.
We must ask if we are hiring for the risks of the past or the complexities of the future. After all, if the function reported to a General Counsel or a COO, we would likely find the requirement of a law degree or a supply chain certification equally narrow for a role that must provide oversight across the entire organizational map.
Is this reporting line some sacred cow? Internal Audit has the widest possible scope, encompassing all aspects of the organization and its activities. Additionally, in a publicly traded organization, the leader of Internal Audit reports directly to the board of directors — typically through the Audit Committee.
The only other individual in the organization with a similar scope and direct reporting line is the CEO. Objectively, it just makes sense for the CAE to report to the CEO.
Spreadsheets vs. Strategy
But that pesky administrative reporting line really ties the room — or the reporting structure — together… in the wrong way. It often creates an unintended “gravity” toward Finance-centric compliance. Further, whether unintentionally or not, it often tethers Internal Audit to SOX compliance, External Auditor support, and financial statement work.
Don’t believe me? In publicly traded companies where Internal Audit reports to the CFO 78% of the time, 47% of audit plans are dedicated to SOX, External Auditor support, financial areas, and cost-reduction audits. These are not the most strategic risks to the organization. Certainly not every year.
CFOs are stewards of their organization’s financial outcomes. As such, they often find perceived value in requiring the Internal Audit function to perform work on behalf of the External Auditor. This is called the reliance model. Interestingly enough, KPMG’s 2025 SOX survey noted,
“Although organizations adjusted their testing approach by using external auditor templates and modifying sample sizes, 90% of organizations cannot quantify fee savings from auditor reliance (programs).”
This also squanders a tremendous amount of Internal Audit’s value. Is providing stacks of accounts payable and revenue recognition spreadsheets to an External Auditor really a better use of Internal Audit’s strategic capabilities than conducting entity-level engagements like an AI governance review, a cybersecurity maturity assessment, or a fraud risk assessment?
KPMG’s survey also noted that 52% of Internal Audit functions dedicated more than 40% of their total hours to SOX compliance in FY24. This, my friends, is not only a disservice to the organization’s risk management, but also a disservice to our profession’s future talent development.
The Big Payowski: Who Writes the Check?
Whether or not we want to believe Internal Audit has true independence from the CFO’s influence, there is tension there. The leader of the Internal Audit function knows who is writing their performance review, and who is determining their merit increase and incentive plan amounts.
The IIA’s 2022 study on CAE compensation and performance reviews proved out that this reporting line makes a difference: Audit Committee/Board involvement was consistently lower (in determining CAE goal setting, performance review feedback, and compensation amounts) when administrative reporting was to the CFO vs. the CEO.
The CAE may “directly” report to the Audit Committee, but they are no fool.
Out of Your Element: The High Cost of the Amateur CAE
This author has observed CFOs treating Internal Audit as a temporary job assignment rather than a distinct profession. They assume staff and leaders can freely rotate from Finance and Accounting into Internal Audit. However, many Internal Auditors have chosen this career path precisely to focus on the Internal Audit strategic risk advisory role rather than financial reporting or accounting. Furthermore, CFOs and Audit Committees in Fortune 100 organizations routinely place non-Internal Audit executives — individuals lacking Internal Audit expertise, certifications, or foundational understanding — directly into CAE roles.
No CFO would appoint a VP of Treasury with zero liquidity management experience, nor would they hire an FP&A leader who had never managed a budget.
It is equally inconceivable to place an executive with no investor relations background in charge of shareholder communications. These comparisons highlight a persistent blind spot: While other Finance functions require specialized expertise, Internal Audit is often treated as a role anyone can do.
Can someone succeed in the role with no prior experience? Yes. This author has seen it. Can they fail? Yes. This author has seen that, too. In either case, it is demoralizing to the Internal Audit team to have someone placed in the CAE role who has no experience in it. It sends a message of disrespect. It broadcasts a clear message: I don’t have the foggiest idea of what you actually do.
Ah yes, what was it again that is the greatest challenge facing our profession? Being misunderstood or undervalued?
Transitioning from an operational to a governance role is a significant leap that requires more than just leadership; it requires a fundamental shift in mindset. Executives without an Internal Audit background often struggle with the transition to becoming independent evaluators of their peers. Without the requisite experience in board-level reporting and deep knowledge and understanding of professional audit standards, this independence is easily compromised. In my own experience within Fortune 100 environments, I have seen critical audit findings suppressed or shelved specifically because the CAE lacked the professional standing to withstand peer pressure.
Those CAEs were out of their element, man.
To be sure, I have seen non-audit executives succeed in the role — but they were the exception, not the rule. These individuals possessed rare "street cred," exceptional diplomacy, and the humility to rely heavily on the technical expertise of their direct reports. However, even these successful leaders viewed the appointment as a temporary detour rather than a career milestone. None were eager to accept the position; in fact, they often viewed it as a "favor" to the CFO. One executive only agreed to the transition on the condition they be named Chief Risk Officer in addition to Chief Auditor — an explicit acknowledgement that the Internal Audit title alone lacked the professional stature they required.
We have work to do on the branding thing.
Internal Audit leaders must advocate for reporting lines that support a modern, risk-based function focused on strategic foresight rather than just financial controls. This shift allows Internal Audit to develop enterprise leaders with a holistic understanding of risk, providing the critical advice management needs.
Let’s Tie the Room Together, Man!
1. Call out Internal Audit’s expanding remit.
The IIA’s 2026 Pulse indicated that CAEs in publicly traded organizations have an expanding remit outside of their Internal Audit responsibilities (see bar chart). Most CFOs and audit committees don’t even know that SOX is a management responsibility. Internal Audit isn’t even mentioned in the Sarbanes-Oxley legislation.
It’s time to call out the additional non-Internal Audit activities in the audit plan. Do this in the mandate section when you refresh your audit charter. Socialize this, as you should, with your senior executives and the Audit Committee. This is a crucial element of governance and an important path to edification of your key stakeholders.
CAE Responsibilities Outside of Internal Audit — Sectors
Survey question: In addition to your role as head of Internal Audit, for which other areas are you responsible?
Source: The Internal Audit Foundation’s 2026 North American Pulse of Internal Audit.

2. Execute a high-quality risk assessment and develop a risk-based audit plan.
This is fundamental to educating your business partners on the opportunity costs of the status quo. Any deviations from what has been risk-assessed and what is on the plan need to be called out in plain language for the committee.
- Show the percent of plan dedicated to SOX and non-strategic work.
- Make note of high-risk areas you cannot address and why.
- Make note of low-risk areas on the plan and why.
- Maintain a list of projects on your radar.
- Circulate the plan with the executive team for feedback, finishing with the CEO for approval prior to the Audit Committee. As a best practice, the CEO’s approval of the audit plan should be required prior to Audit Committee submission.
3. Position the CEO reporting line as a governance upgrade.
Review with the Audit Committee The IIA’s best practice guidance regarding the CAE’s administrative reporting line to the CEO. You can do this in an executive session. Explain that updating the legacy CFO reporting structure creates significant organizational value that is currently sidelined. Specifically:
- It is a governance upgrade to protect the CFO from a perception of a conflict of interest. (Show them the percent of audit plan dedicated to finance.)
- It elevates the Internal Audit functional remit to the broader organization and improves the flow of risk information to the committee. (Show them your risk assessment and the number of risk-based strategic audit engagements you cannot resource today due to non-strategic commitments.)
- It modernizes the function by meeting the essential conditions of the updated Standards for position and authority. (Show them the language in the Standards.)
- It changes the perception of Internal Audit as a Finance function to an enterprise function.
4. Recommend updating the Audit Committee Charter.
Suggest, if it does not currently exist, an update to the Audit Committee’s Charter to include language which indicates that the committee is responsible for all decisions regarding the appointment and removal of the CAE as well as the remuneration of the CAE. You would be surprised how often the Audit Committee unwittingly cedes that authority to management.
Three Questions to Ask Your Audit Committee
- Does our current administrative reporting structure create a “gravity” towards financial risks at the expense of emerging enterprise threats?
- How can we ensure that the Internal Audit budget and CAE performance review remain independent of the functions we are tasked with auditing?
- What specific skill sets does the committee value most in Internal Audit leadership? Financial reporting expertise or strategic risk foresight?
The Dude Abides
Internal Audit has evolved far beyond checking accounting records. We are an enterprise function with a broad, evolving mandate, and we are obligated to aid the board of directors with their governance mandate.
No matter how others may mislabel us, like The Dude, we must abide by what makes our profession so compelling and interesting — providing risk insights and foresight across the entire enterprise.
Will changing the organizational reporting structure solve how we are perceived? Every organization will be different. This author believes we must try to do something different.
You could channel The Dude and say to me,
Yeah, well, you know, that’s just, like, your opinion, man.
And to that I would say,
This aggression will not stand.
About the Author
Anne DeTraglia is proud to be a career Internal Audit professional holding senior leadership roles including Chief Audit Executive at companies including Sabre Corporation, Harman (Samsung), Whole Foods Market, Nike, United Airlines, Sears Holdings, and The Home Depot. She is a Certified Internal Auditor and a Certified Fraud Examiner. Anne is a frequent speaker for the Institute of Internal Auditors, the Association of Certified Fraud Examiners, the Institute of Management Accountants, and the Internal Audit Collective, and has spoken for various webcasts, including The Audit Podcast with Trent Russell, Count Me In with Adam Larson, and Ethico with Matt Kelly. And oh yeah, Anne is not a CPA.


