Do you have a moment for an interview?

Insights
Key takeaways

Interviews are useful for three things: gauging opinion or perception, building buy-in, and exploring sensitive topics. For everything else — gathering facts, establishing causality, making representative statements — they are the weakest tool in the toolkit. Better alternatives: document review, data availability assessment, targeted survey, or simple observation. The problem is not the interview itself, but the reflexive reliance on it.

(or: "I'm going to take an hour of your life to write up something I could have emailed")

How many hours this month have you spent on interviews you could just as easily have handled with an email or a data check? Hold that number.

The interview is to internal audit what "being busy" is to the rest of the organisation: everyone does it, no one questions it, and if you ask why, you get an answer that makes no sense. "That's how we've always done it." "It's the methodology." "Otherwise you miss context." Right. Or you could have just sent an email.

Sometimes an interview is exactly the right tool. Further on you'll read when. But for most compliance- and risk-focused audits, it is not.

Let's be sharp. Most internal audits are risk- or compliance-focused. There is a standard, there is a control, and your job is to establish whether that control is operating. No philosophy, no depth interview, no therapeutic session about how someone feels about the four-eyes principle. Simply: is it happening, yes or no? That question fits in an email. In one line.

But why do we do it then?

So why do we still do it? Because that's how we were taught. The Big 4 raised an entire generation of auditors on the idea that an audit without an interview isn't a real audit. The interview is the ritual. You schedule it, you turn up in pairs (because otherwise you'll miss something, right?), you ask questions you already know the answer to, you write everything down, and then the real work begins: reviewing, correcting, sending it out, having it validated, receiving comments, adjusting, sending again, having it validated again. For one finding you could have got by simply looking in the system.

And then that "in pairs" business. As if an audit interview were a dangerous undertaking requiring backup. "Yes but the other person watches for non-verbal signals." Excuse me? You're an auditor, not an FBI interrogator. You're establishing whether someone maintains their authorisation matrix. You don't need a behavioural profile for that. If you can't ask the question on your own, you probably don't know well enough what you're looking for. And if you do know, why are there two of you at the table?

The trap of "background" and "root causes"

Then there's that other classic: the interview to uncover the "background" or "root cause". Sounds thorough. Sounds professional. But in a standard compliance or risk-focused audit, the cause is irrelevant. You establish that something isn't working. Full stop. Why it isn't working is a different question, for a different type of investigation, with a different methodology.

Say someone isn't doing their job properly. The control fails. Then the finding is: the control fails. Not: "Jan was busy, the department is understaffed, and the system was down briefly last month." That's not an audit. That's an excuse collection. And that is precisely what interviews produce. Stories. Context. Noise. Everything except the answer to the question you should have asked.

Root cause analyses are valuable. No doubt. But they are different investigations. Cause-oriented rather than problem-oriented. With different techniques, different expertise, a different objective. If you confuse the two, you get audits that take too long, cost too much and deliver too little. In other words: the average internal audit.

What it really costs

Count along. You schedule an interview. The auditee prepares (or doesn't, but blocks an hour regardless). You turn up with two auditors. The conversation takes an hour.

Then you write it up — that's at least another hour. You review it, your colleague reviews it, you correct it, you send it out, the auditee reads it, provides comments ("that's not what I said"), you adjust, send again, and somewhere three weeks later you have a document everyone agrees with.

Cost: six to eight hours of work. Result: exactly the same as what you would have got with one email: "Can you demonstrate that control X is operating? If yes, send the evidence. If no, let me know why not." Five minutes.

What to do instead?

This isn't about abolishing contact. It's about alternatives that achieve the same objective, faster and cheaper. An online walkthrough with screenshots, for example. The auditee shows how the process works, takes screenshots, and you review them in your own time. No meeting room, no write-up, no validation round. Evidence, without the detours.

Or simpler still: look in the system yourself. Want to know whether the authorisation matrix is correct? Open the system and check. Want to know whether reviews are performed on time? Pull a report. Data doesn't lie, doesn't need preparation, doesn't get nervous and doesn't give socially desirable answers.

The interview is not inherently wrong. It is inherently inefficient for the purpose it is usually deployed for. And inefficiency is, for a profession that is supposed to make organisations more efficient, an embarrassing problem.

A bit of theory: what kind of method is an interview, actually?

In research terms, an interview is a qualitative method: designed for open-ended questions, exploring meanings and eliciting stories that cannot be captured in tick-boxes12. You deploy it when you want to understand what people experience, think or feel. Not when you simply want to establish whether something happens13. Closed yes/no questions and hard standards belong to standardised, quantitative methods: checklists, questionnaires, reports, data extracts. Results you can tally one-to-one and replicate145.

The Global Internal Audit Standards (GIAS) similarly require appropriate techniques to gather sufficient and appropriate audit evidence. Not a standard set of mandatory procedures67. The emphasis is on professional judgement: choose the method that fits your question, your standard and the type of evidence you need. Not the method you once learned because "that's just how it's done"62.

When to interview and when not to?

When not to interview

  1. When there is a hard, unambiguous standard and control, and your assignment essentially asks: is this demonstrably happening, yes or no1. Then you have a yes/no question that fits perfectly with standardised, repeatable means (data, records, reports, files), not with an hour of talking12.
  2. When a short, targeted question by email or via a checklist achieves exactly the same result: "demonstrate that control X is operating" or "send evidence of Y"4. Then an interview is mainly an expensive way to get the same answer, with added noise, socially desirable explanations and interpretation problems25.

When to interview

  1. When you want to understand why people do or don't do something: behaviour, culture, unwritten rules, barriers, beliefs829. Then the whole point is that someone tells a story, adds nuance and you can probe what lies beneath the surface.
  2. When you are explicitly conducting root cause analysis or an improvement programme, and you need to go beyond "the control fails" to the underlying drivers89. Then a qualitative conversation, possibly combined with other methods, fits your objective — but then you are also no longer conducting a standard compliance audit.

Interviews are therefore not "bad". They are often misapplied: a qualitative, time-consuming method for a simple yes/no question that calls for hard, repeatable data125.

A moment in the mirror

Be honest: when did you last discover something in an interview you didn't already know? When was it genuinely necessary to have two people at the table? And looking back on your last audit: how many hours went into interviews and interview write-ups? How much of that could you have saved with a targeted email and a screenshot?

Try this: at your next interview, ask yourself one question: "Could I get this by email, with data or via a walkthrough?"2 If the answer is yes — and it almost always is — then do that. Your auditee will thank you. Your planning will thank you. And your report won't be a day later for it.

And if someone tells you "that's just how it's done"? Then you know enough. That's the auditor version of "I'm busy."

How can Audirium help you?

Better auditing starts with better methods. Audirium helps your internal audit function work in a more data-driven and targeted way. Less time on the interview, more time on what really matters.

  • Methodology review — examining your audit approach: when to interview, when to use data analysis, when to observe
  • Work programme coaching — more efficient engagements with less overhead, more focus on risk and findings
  • Peer review — an external perspective on your audit process and reporting in conformance with Standard 12.3

Want to know how much audit time you could reclaim by replacing interviews with data and targeted enquiries? Request a methodology scan.

References

[1] Yasna.ai. (2024). Qualitative vs Quantitative Research Questions Explained. https://yasna.ai/for-research/blog/qualitative-vs-quantitative-research-questions-explained

[2] ATLAS.ti. (2025). Interviews vs. Questionnaire: Comparison and Uses. https://atlasti.com/guides/interview-analysis-guide/interviews-vs-questionnaires-research

[3] Alchemer. (2021). Quantitative vs Qualitative Questions in Surveys. https://www.alchemer.com/resources/blog/quantitative-questions-vs-qualitative-questions-in-surveys/

[4] Informat.org. (2020). Designing research questionnaires. https://www.informat.org/researchmethods/researchmethods-2-08.html

[5] HeySurvey. (2024). 31 Yes or No Survey Questions: Definition, Use-Cases and Tips. https://heysurvey.io/examples/yes-or-no-survey-questions

[6] The IIA. (2025). Getting Started With: The Global Internal Audit Standards: Domain IV. https://www.theiia.org/en/content/podcast/getting-started-with/2025/ep-0022/

[7] YouTube. (2025). Navigating New Global Internal Audit Standards - Recording. https://www.youtube.com/watch?v=6jtwCvUdX7o

[8] Splunk. (2025). Qualitative vs Quantitative: Which Research Method is Right for You? https://www.splunk.com/en_us/blog/learn/qualitative-vs-quantitative-research.html

[9] The Sound HQ. (2023). Qualitative vs Quantitative Research: Better Together. https://thesoundhq.com/qualitative-vs-quantitative-research-better-together/

Back to Insights