A conversation with Tom O’Reilly, director of internal audit at Analog Devices

It’s an exciting time to be an internal auditor, according to Tom O’Reilly, Director of Internal Audit at Analog Devices. While many organizations are experiencing increased pressure to manage costs and are using new technology to change the way they do business, those trends are particularly magnified within internal audit shops. Internal audit must adapt, says O’Reilly, in order to continue to provide value to the business.

MISTI’s Joseph McCafferty sat down with O’Reilly at Audit World 2016 in Boston last week to discuss the latest trends impacting internal auditors, as well as some areas he suggests these departments should focus on to remain relevant and successful within their organizations.

Among the big sifts O’Reilly sees taking place are cost cutting at most companies, increased use of technology in internal audit, and less experience among audit leaders, such as chief audit executives. “Gone are the days where CAEs have 20 to 30 years of experience,” he says.


O’Reilly advises internal audit to align the resources of the department with the risks of the organization. “We need to remain relevant and credible to the organization. If we are doing the same old audit that internal audit has been known to do and we are not expanding our resources and our time and efforts in areas that are strategically important to the company’s overall success, then we are not going to continue to be relevant in our organizations,” he says.

While a lot of internal audit departments still spend time on Sarbanes-Oxley and other traditional audit areas, like travel and expense reports, he suggest looking at processes that aren’t typically looked at or where internal audit can provide greater insight, such as the sales process, new product development, and protecting intellectual property, for example. O’Reilly also suggests that internal audit must keep up with rapidly changing developments through the use of such online tools as Twitter and the use subject matter experts.

Another thing they can do to add value, he says, is to stop just testing certain control activities regardless of what process they are auditing, and instead focus on determining or assessing how well controlled that process is. “What I mean by that is using the COSO 2013 internal control model as a guide to say ‘OK, yes we know the control activities are one part of internal control, but we are going to start looking at other things,’ like the tone at the top of the department or process they are looking at. What is their ability to assess or focus on areas that matter most to the achievement of their objectives?” O’Reilly advocates a full evaluation of how well-controlled a process is.