Prioritizing Rest to Become a Better Auditor

By Tyler Morgan

“And from that period on, I was in a wormhole. You couldn’t get me out of the room. I would come home from school, sleep for like 30 minutes, go into a room for four hours, and that was it.” 

The above quote comes from Rick Rubin’s interview of singer/songwriter John Mayer on the former’s Tetragrammaton podcast, and Mayer is describing his teenage years when he was learning how to play guitar. Practicing an instrument for four hours a day will tend to result in one becoming rather proficient. But maybe there was something else contributing to Mayer’s aptitude on the guitar. He does not dwell on it, but embedded subtly in the middle of Mayer’s quote may be a key insight into how he became such a generational talent: he took time to rest.

As it turns out, Mayer is not the only highly successful person to benefit (consciously or unconsciously) from the power of rest. There are numerous examples of highly successful people who prioritized rest as a way to achieve peak cognitive performance, including iconic politicians, inventors, business leaders, writers, artists, and musicians. Instead of viewing rest as a waste of time that could otherwise be used to get more things done, these individuals understood that adequate rest was essential to ensure their working time was used effectively and efficiently. While internal auditors are busy people, it is clear from numerous examples of prolific and impactful individuals from outside the auditing world that even the busiest among us can benefit from prioritizing rest.

Perhaps the most likely objection to using rest as a way to become a more effective internal auditor is the belief that internal auditors simply have too much to do to be able to prioritize rest, but history suggests otherwise. Take, for instance, Winston Churchill during World War II. Churchill first served as the British prime minister from 1940-1945, and there clearly was a lot riding on his performance during this time, with each day being filled with a monumental list of items for him to handle. However, Churchill had a longstanding habit of taking an afternoon nap, and he deemed the fate of the free world resting on his shoulders as no excuse for missing his afternoon slumber. The naps continued during the war. He did not consider napping to be a luxury but rather viewed an afternoon nap as an essential way to maintain his legendary daily productivity. Churchill wrote, “Nature had not intended mankind to work from eight in the morning until midnight without the refreshment of blessed oblivion which, even if it only lasts 20 minutes, is sufficient to renew all the vital forces.” Naps were not a decadent activity to be enjoyed solely when little was going on, but they instead functioned as a way for Churchill to stay in tune with immutable biological rhythms and maintain peak cognitive performance during a historical period when every decision was critical. 

Since internal auditors are knowledge workers, they tend to be judged on the quality of their work rather than quantity. And since work quality is positively correlated with cognitive performance, and cognitive performance is enhanced with adequate rest, it follows that rest is a lever internal auditors can pull to increase the quality of their work. University stakeholders likely will not be impressed that an internal auditor regularly works 60-hour weeks or that they never take breaks during the workday. Instead, internal auditors will be judged on the quality of their output and how beneficial it is to their university, especially as artificial intelligence and other technological innovations likely will reduce the amount of time needed to be spent on mundane, low-value administrative tasks. Instead of focusing on work quantity, internal auditors should prioritize producing high-quality, meaningful output that goes far beyond cookie-cutter reports and trite recommendations. In a world where ChatGPT can quickly spew elegant, professional-sounding reports with all the right buzzwords but little substance or original insight, internal auditors who are able to think critically and apply their institutional knowledge to solve tough problems will increasingly stand out from the crowd and be extremely valuable to university stakeholders.

There is strong evidence that prioritizing rest will enhance internal auditors’ critical thinking skills and problem-solving abilities. While a nap to break up the workday may not be a realistic possibility for many, the good news is that rest is not just limited to naps. There are lots of ways to rest, and the remaining paragraphs will explore a few tips, tricks, and key insights backed by science to help you get the rest you need. 

Walk

It may seem counterintuitive to list exercise as a way to rest, but there is plenty of evidence supporting the idea that physical exertion can help boost cognitive performance and improve memory. While countless forms of exercise may achieve these results, many studies have focused on walking in particular. This is great news for higher education internal auditors, as college campuses are often some of the loveliest places to take a walk. A campus walk can also be a great way to become more informed about what is going on at your university, whether by walking through unfamiliar buildings or by having informal conversations with faculty and staff you encounter. Walking outside also provides the added bonus of getting sunlight, which has been linked to better mood regulation and other cognitive benefits. The combination of physical exertion and sunlight exposure may even improve sleep. 

Sleep

Even if workday naps are not a realistic possibility for you, there are many things you can do to at least ensure the quality of your nighttime sleep. In addition to regular exercise, consistently going to bed at the same time each night ensures your sleep is aligned with your circadian rhythm. Limiting screens and other overstimulating devices near bedtime may make it easier to fall asleep, and the same can be said for caffeine consumption. Even if you can fall asleep a few hours after drinking coffee, there is strong evidence that your sleep quality will suffer even if you are unable to perceive it. This is because caffeine typically takes a long time to break down in the body. In his book Why We Sleep: The New Science of Sleep and Dreams, Matthew Walker points out that caffeine has an average half-life of five to seven hours. This means that half of the caffeine you consumed six hours ago may still be circulating in your system, though this amount could be higher or lower depending on your individual caffeine metabolism. Many of us would never drink six ounces of coffee right before bedtime, so it is worthwhile to consider the fact that having twelve ounces of coffee at four o’clock might be functionally equivalent. Therefore, it may be wise to skip that late-afternoon latte.

Play

We live in a golden age for picking up new hobbies. Given the staggering amount of content available on YouTube and similar platforms, it has never been easier to learn to, say, bake a loaf of sourdough, play the drums, or plant that vegetable garden. Maintaining meaningful pursuits outside of work can help reduce the odds of burnout and ensure that your identity is not completely tied up with your occupation. Promisingly, there is evidence that Americans are increasingly prioritizing hobbies and leisure.

Unfortunately, however, the time we spend with others appears to be declining, despite strong evidence that our relationships and a sense of community are correlated positively with numerous quality of life measures. But hobbies do not have to be solitary pursuits, and combining hobbies with socialization and a sense of community likely will augment their restorative effects. One need look no further than America’s current obsession with pickleball, a sport often played in groups of four. Is it possible that our love of pickleball has something to do with its ability to bring us together? If you are not into pickleball, there are plenty of other activities that you can enjoy with others, such as book clubs, board game nights, running and walking clubs, bowling leagues, volunteering for a nonprofit, and playing in a band.

Leave

According to a 2023 Pew Research Center survey, nearly half of all U.S. workers surveyed who receive paid time off from their employer used less leave than they were offered. While this number might be skewed somewhat by the lack of a distinction between personal and sick leave, it is clear that at least some of the unused leave stems from workers being concerned about their work performance, with 49% of those with unused leave citing a fear of falling behind at work as a reason for forfeiting leave. Similarly, about one in five of those surveyed with forfeited leave were concerned about hindering their chances for advancement. However, if we again apply the logic that being a valuable internal auditor relies on peak cognitive performance, and peak cognitive performance demands adequate rest and a lack of burnout, then it does not follow that forfeiting our vacation time will necessarily make us better internal auditors, and it could be doing the opposite.

Whatever You Do, Do Not Unrest

While engaging in fulfilling and restorative rest pursuits is important, it may be even more important to actively avoid activities that keep your brain stimulated at all times. This is because there is strong evidence that our brains perform important functions when they are not busy dealing with a demanding task or trying to find a solution to a pesky problem. This brain state—characterized by introspection during times when an individual is not deeply concentrating on their external environment—is known as the default mode network (DMN), and the DMN likely assists with problem solving and planning for the future.

The DMN was discovered essentially by accident. Scientists researching which areas of the brain were activated during cognitively demanding tasks noticed that these “active” areas of the brain became deactivated in between tasks, as expected, but something else happened during these rest periods that caught them by surprise. Instead of seeing a brain with minimal activity, they noticed that other areas of the brain began to light up, indicating that though participants might have been at rest, their brains were not. This paved the way for a critical insight: even when we may be taking a mental break, our brains continue furiously working away in the background on our behalf.

As we learn more about the DMN—it was only discovered in 2001—it is appearing increasingly likely that our modern digital environments, saturated with numerous distractions that keep us in a state of perpetual stimulation, are holding the DMN back from performing its important functions. Whether it is out of an attempt to maximize productivity, or just to ward off boredom, we rarely allow our brains a moment to rest. Instead, the moments of time that used to be the domain of boredom are now filled with social media scrolling, listening to podcasts, and replying to texts and e-mails. At the time the DMN was discovered, this level of constant mental stimulation would have been almost impossible, but in just a couple of decades we have transformed into individuals who almost never have to be alone with our own thoughts. This should alarm us since it is clear our brains are doing something important during times of mental rest. Therefore, purposefully abstaining from mentally stimulating activities for at least some time each day may be worthwhile. It may seem like you are wasting time, but in reality you are taking a positive step to ensure that your brain can perform at its best, and hopefully you will quickly notice the benefits of a little rest.

Regulation Updates: Third-Party Topical Requirement, GRC Reporting, and 529 Plan Changes

By the ACUA Auditing & Accounting Principles Subcommittee

The ACUA Auditing and Accounting Principles Subcommittee is committed to providing members with emerging information in our field. This article features the recently released IIA Third-Party Topical Requirement, clarification on the new reporting requirements on governance, risk management, and controls, plus modifications to the 529 education savings plan that allow tax savings for professional certification expenses.

Understanding the IIA’s Topical Requirements for Third-Party Relationships

Topical Requirements are a new, mandatory component of the Institute of Internal Auditors’ (IIA) Global Internal Audit Standards. Internal auditors must apply the Topical Requirements for assurance engagements in the following situations:

  • The topic is included in your audit plan as an assurance engagement.
  • The topic is identified during the course of an audit engagement.
  • The topic is requested as a new engagement, even if it was not part of your original audit plan.

What’s New?

The Third-Party Topical Requirement was finalized on September 15, 2025, and will become effective September 15, 2026. According to the IIA, a third party is “an external individual, group, or entity with whom an organization (‘the primary organization’) has a business relationship.” In simpler terms, this means any person, group, or business your institution works with.

Importantly, the requirement does not just apply to your direct third-party relationships. It also covers any subcontracted relationships, even those several layers down, such as fourth-level subcontractors, if your contract allows them. This broad scope ensures that risks are managed throughout your entire supply chain.

What does the Third-Party Topical Requirement involve?

Internal auditors need to assess their institution’s contract management throughout the third-party life cycle, consisting of selecting, contracting, onboarding, monitoring, and offboarding. Internal auditors should consider these stages when assessing the requirements for these three key areas:

  • Governance: Internal auditors must evaluate how their institution decides with whom to contract, how these relationships are managed, and who communicates with third parties and stakeholders. This includes assessing whether the organization has clearly defined roles and responsibilities for managing third-party relationships, and whether established policies and procedures align with regulations and are updated regularly. Auditors should confirm there is a formal approach to contracting third parties and there are protocols for communicating with relevant stakeholders.
  • Risk Management: Internal auditors must review how their institution identifies, assesses, and monitors third-party risks. This begins with examining due diligence procedures for onboarding third parties. There should be ongoing monitoring and corrective action for deviations, and risk assessments should classify and rank third-party risk. Check for escalation and remediation processes in place for unresolved issues, including remediation or termination.
  • Controls: Internal auditors should assess the controls in place to manage and monitor the risks associated with third parties. Review procurement controls for appropriate sourcing and selecting of third parties and ensure there is an appropriate approval process. Determine whether there is centralized contract management and verify that contracts contain risk mitigation clauses, performance expectations, and compliance obligations, and are reviewed and updated periodically. Review ongoing third-party monitoring and periodic evaluation, and the monitoring of contract renewal dates and offboarding plans.

By understanding and applying these requirements, your institution can better manage third-party risks and strengthen its overall governance.

Download the Third-Party Topical Requirement and a user guide from the IIA at:

https://www.theiia.org/en/standards/2024-standards/topical-requirements/third-party/

Other topical requirements to be aware of:

  • Cybersecurity – effective February 5, 2026
  • Organizational Behavior – public comment period ended, pending finalization
  • Organizational Resilience – pending public comment

https://www.theiia.org/en/standards/2024-standards/topical-requirements

New Reporting Requirements for GRC

The new IIA Global Internal Audit Standards, effective January 9, 2025, introduce more structured and rigorous reporting requirements for Governance, Risk Management, and Controls (GRC). They emphasize clarity, consistency, and alignment with stakeholder expectations.

During an engagement, the Internal Audit function must evaluate the governance processes to ensure the organization promotes ethical behavior, accountability, and transparency. Auditors must identify key risks and ensure they are managed effectively, and review the control framework to identify control deficiencies, weaknesses, and failures.

Standard 14.5 Engagement Conclusions requires internal auditors to develop an engagement conclusion that summarizes the results relative to the engagement objectives. In addition, this standard states “assurance engagement conclusions must include the internal auditor’s judgment regarding the effectiveness of the governance, risk management, and control processes of the activity under review, including an acknowledgment of when processes are effective.”

The considerations for implementation of this standard recommend having methodologies for the internal audit function in the form of a rating scale indicating whether reasonable assurance exists regarding the effectiveness of controls. An example is developing criteria for a scale that indicates “satisfactory, partially satisfactory, needs improvement, or unsatisfactory.”

The AAP Committee aggregated the ratings used by the committee members and created the following example of a rating methodology that is applicable to report ratings and GRC ratings:

Example of Report/GRC Ratings

Standard 15.1 Final Engagement Communication states the final communication for assurance engagements must include a “conclusion regarding the effectiveness of the governance, risk management, and control processes of the activity required,” in addition to the continuing requirements of objectives, scope, recommendations, and any action plans. Auditors are encouraged to use their engagement conclusions derived from their methodologies to meet this reporting standard.

529 College Savings Plans Expanded to Cover Professional Certifications

A provision in the One Big Beautiful Bill Act (OBBBA) that was signed into law in July 2025 included changes to 529 education savings plans that may benefit ACUA members. Traditionally, 529 plans were reserved for undergraduate and graduate degree programs, but now certain professional certification and credentialing programs are covered as qualifying expenses. This includes several of our most sought-after certifications, including the Certified Internal Auditor (CIA), the Certified Information Systems Auditor (CISA), and the Certified Public Accountant (CPA).

This is a great opportunity to invest in your professional development, especially if your department does not cover or reimburse certification expenses. Eligible expenses can include study materials, exam fees, and even continuing education required to maintain your credential.

See Section 70414 of the OBBBA for more information. As always, everyone’s tax situation is different, so please consult with your tax advisor to confirm eligibility. Check with your financial institution for assistance setting up a 529 plan.

Mitigating Bias in Internal Auditing: Strategies for Enhanced Objectivity

By Amaya Beck

Internal auditors are tasked with evaluating organizational processes to ensure compliance with laws and regulations, as well as identifying areas for improvement. However, like all professionals, they are prone to psychological biases that can influence their judgments and decisions. These biases can lead to inaccurate audit findings, undermine the credibility of the audit process, and ultimately affect organizational decision-making. By implementing mitigation strategies, internal auditors can enhance the credibility of their work and contribute to more effective organizational governance.

Common Biases in Internal Auditing

Several biases are particularly relevant to internal auditors:

  • Confirmation Bias: This involves favoring information that supports preconceived notions while disregarding contradictory evidence. It can lead auditors to overlook critical issues or misinterpret data.
  • Anchoring Bias: Auditors may rely too heavily on initial information, which can skew their assessment of subsequent data.
  • Overconfidence Bias: This occurs when auditors overestimate their knowledge or judgment, potentially leading to missed errors or omissions.
  • Availability Bias: Auditors may give undue weight to readily available information or recent events, rather than considering a broader range of data.

Strategies for Mitigating Bias

1. Structured Decision-Making Tools: Six Thinking Hats Technique

The Six Thinking Hats technique, developed by Edward de Bono, offers a structured approach to decision-making by encouraging diverse perspectives. This method involves assigning different colored hats to represent various thinking styles: White Hat for facts, Black Hat for risks, Green Hat for creativity, Red Hat for emotions, Yellow Hat for benefits, and Blue Hat for process management. Auditors should metaphorically don the different hats and systematically consider multiple viewpoints to reduce the impact of personal biases and ensure more comprehensive evaluations.

2. Peer Reviews and Second Opinions

Engaging in peer reviews or seeking second opinions can help challenge assumptions and identify potential biases. This collaborative approach fosters a culture of critical evaluation and enhances the reliability of audit findings.

3. Training and Awareness Programs

Educating auditors about common biases and their effects is crucial. Training programs should emphasize the importance of recognizing and mitigating biases to promote a culture of objectivity within audit teams.

4. Organizational Independence and Reporting Lines

Ensuring internal auditors report directly to the audit committee or an equivalent body helps maintain independence and reduces the influence of organizational pressures that might lead to biased judgments.

Conclusion

Mitigating bias in internal auditing is essential for maintaining the integrity and credibility of audit processes. By employing structured decision-making techniques, fostering a culture of peer review, and enhancing awareness of cognitive biases, internal auditors can significantly reduce the impact of biases on their work. These strategies not only improve the quality of audit findings but also contribute to more informed organizational decision-making, ultimately enhancing governance and compliance. By adopting these strategies, internal auditors can enhance their role as guardians of organizational integrity and contribute to more effective governance and compliance practices.
