Have you got a moment for an interview?

(or: "I'm going to take an hour of your life to write down something I could have emailed")

The interview is to internal audit what "busy" is to the rest of the organisation: everyone does it, nobody questions it, and if you ask why, you get an answer that makes no sense. "That's how we've always done it." "It's the methodology." "Otherwise you miss context." Right. Or you could have just sent an email.

Let me put it bluntly. Most internal audits are risk- or compliance-focused. That means: there is a standard, there is a control, and your job is to establish whether that control is being performed. That's it. No philosophy, no in-depth interview, no therapy session about how someone feels about the four-eyes principle. Simply: is it happening, yes or no? That question fits in an email. In fact, that question fits in a single line.

So why do we do it?

Because that is how we were taught. The Big 4 raised an entire generation of auditors on the idea that an audit without an interview is not a real audit. The interview is the ritual. You schedule it, you turn up in pairs (because otherwise you might miss something, right?), you ask questions you already know the answer to, you write everything down, and then the real work begins: reviewing, correcting, sending it over, getting it validated, receiving comments, amending, sending it again, getting it validated again. For a single finding you could also have obtained by simply looking in the system.

And then that "in pairs" thing. As if an audit interview is a dangerous undertaking that requires backup. "Yes but the other person picks up on non-verbal cues." Excuse me? You are an auditor, not an FBI interrogator. You are establishing whether someone keeps their authorisation matrix up to date. You do not need a behavioural profile for that. If you cannot ask the question on your own, perhaps you do not know well enough what you are looking for. And if you do know — why are there two of you at the table?

The trap of "background" and "root causes"

And then there is the other classic: the interview to uncover the "background" or "root cause". Sounds thorough. Sounds professional. Except: in a standard compliance or risk-focused audit, the cause is irrelevant. You establish that something is not working. Full stop. Why it is not working is a different question, for a different type of engagement, with a different methodology.

Suppose someone is not doing their job properly. The control fails. Then the finding is: the control fails. Not: "Jan was busy, the department is understaffed, and the system was down briefly last month." That is no longer an audit — that is an excuse collection exercise. And that is exactly what interviews produce. Stories. Context. Noise. Everything except the answer to the question you should have been asking.

Root cause analyses are valuable. Absolutely. But those are different types of engagements. Cause-focused rather than problem-focused. With different techniques, different expertise, and a different objective. If you mix them up, you get audits that take too long, cost too much, and deliver too little. In other words: the average internal audit.

What it really costs

Do the maths. You schedule an interview. The auditee prepares (or does not, but blocks an hour anyway). You turn up with two auditors. The conversation takes an hour. Then you write it up — that takes at least another hour. You review it, your colleague reviews it, you correct it, you send it over, the auditee reads it, provides comments ("that's not what I said"), you amend it, send it again, and somewhere three weeks later you have a document everyone agrees with. Cost: six to eight hours of work. Output: exactly the same as if you had emailed: "Can you demonstrate that control X is being performed? If yes, send the evidence. If no, let me know why not." That is one email. Five minutes.

What should you do instead?

This is not about abolishing contact. It is about finding alternatives that achieve the same goal, but faster and cheaper. An online walkthrough with screenshots, for example. The auditee shows how the process works, takes screenshots, and you review them in your own time. No meeting room, no write-up, no validation round. Just evidence.

Or simpler still: look in the system yourself. If you want to know whether the authorisation matrix is correct, open the system and check it. If you want to know whether reviews are performed on time, pull a report. Data does not lie, data does not need preparation, does not get nervous, and does not give socially desirable answers.

The interview is not inherently wrong. It is inherently inefficient for the purpose it is typically used for. And inefficiency is, for a profession that is supposed to make organisations more efficient, a rather embarrassing problem.

A bit of theory: what kind of method is an interview, actually?

In research terms, an interview is a qualitative method: designed to ask open questions, explore meanings and elicit stories that cannot be captured in tick boxes¹². You use it when you want to understand what people experience, think or feel — not when you simply want to count whether something does or does not happen¹³. Closed yes/no questions and hard standards belong to standardised, quantitative methods: checklists, questionnaires, reports, data extracts — things you can tally and replicate one-to-one¹⁴⁵.

The Global Internal Audit Standards (GIAS), in the same vein, call for appropriate techniques to gather sufficient and appropriate audit evidence — not a standard set of mandatory procedures⁶⁷. They emphasise professional judgement: choose the method that fits your question, your standard and the type of evidence required — not the method you once learned because "that's just how it's done"⁶².

When to interview and when not to

When not to interview

1. When there is a hard, unambiguous standard and control, and your engagement essentially asks: is this demonstrably happening, yes or no¹. Then you have a yes/no question that fits perfectly with standardised, repeatable means (data, records, reports, files) — not with an hour of conversation¹².
2. When a short, targeted question by email or via a checklist achieves exactly the same result: "demonstrate that control X is being performed" or "send evidence of Y"⁴. Then an interview is mainly an expensive way to get the same answer, with added noise, socially desirable explanations and interpretation problems²⁵.

When to interview

1. When you want to understand why people do or do not do something: behaviour, culture, unwritten rules, barriers, beliefs⁸²⁹. Then it is precisely the point for someone to tell a story, add nuance, and for you to probe what is going on beneath the surface.
2. When you are explicitly conducting a root cause analysis or improvement engagement and need to go beyond "the control fails" to the underlying drivers⁸⁹. Then a qualitative conversation, possibly combined with other methods, fits your objective — but then you are also no longer conducting a standard compliance audit.

In that sense, interviews are not "bad" — they are often misplaced: you deploy a qualitative, time-consuming method for a simple yes/no question that calls for hard, repeatable data¹²⁵.

A moment of self-reflection

So, dear auditor, be honest: when was the last time you discovered something in an interview that you did not already know? When was it truly necessary to have two people at the table? And looking back at your last audit — how many hours went into interviews and interview write-ups, and how many of those could you have saved with a targeted email and a screenshot?

Try this: the next time you are about to schedule an interview, ask yourself one question: "Can I get this by email, with data, or via a walkthrough?"² If the answer is yes (and it almost always is), then do that. Your auditee will thank you. Your planning will thank you. And your report will not be a day later for it.

And if someone tells you "that's just how it's done"? Then you know enough. That is the auditor version of "I'm busy."

References

[1] Yasna.ai. (2024). Qualitative vs Quantitative Research Questions Explained. https://yasna.ai/for-research/blog/qualitative-vs-quantitative-research-questions-explained

[2] ATLAS.ti. (2025). Interviews vs. Questionnaire: Comparison and Uses. https://atlasti.com/guides/interview-analysis-guide/interviews-vs-questionnaires-research

[3] Alchemer. (2021). Quantitative vs Qualitative Questions in Surveys. https://www.alchemer.com/resources/blog/quantitative-questions-vs-qualitative-questions-in-surveys/

[4] Informat.org. (2020). Designing research questionnaires. https://www.informat.org/researchmethods/researchmethods-2-08.html

[5] HeySurvey. (2024). 31 Yes or No Survey Questions: Definition, Use-Cases and Tips. https://heysurvey.io/examples/yes-or-no-survey-questions

[6] The IIA. (2025). Getting Started With: The Global Internal Audit Standards: Domain IV. https://www.theiia.org/en/content/podcast/getting-started-with/2025/ep-0022/

[7] YouTube. (2025). Navigating New Global Internal Audit Standards - Recording. https://www.youtube.com/watch?v=6jtwCvUdX7o

[8] Splunk. (2025). Qualitative vs Quantitative: Which Research Method is Right for You? https://www.splunk.com/en_us/blog/learn/qualitative-vs-quantitative-research.html

[9] The Sound HQ. (2023). Qualitative vs Quantitative Research: Better Together. https://thesoundhq.com/qualitative-vs-quantitative-research-better-together/