The best internal auditor I ever worked with was a woman named Petra. She was not popular. She was not diplomatic. She did not soften her findings to preserve relationships. And she found more meaningful nonconformities in her first six months than the previous audit team had found in three years.

Petra made people uncomfortable. The production manager dreaded her visits. The quality engineers scrambled when she walked in. The procurement director once asked me, semi-jokingly, if we could assign her to a different area. I assigned her to procurement the following quarter. She found eleven findings.

Every internal audit team needs a Petra. And most teams do not have one, because most organisations do not want one.

The comfort trap

Most internal audit teams are staffed by volunteers — quality engineers who added "internal auditor" to their development plan, people who enjoy the structured nature of auditing, people who are thorough and detail-oriented and well-liked. These are good people. They are also, almost universally, bad auditors.

Not because they lack skill. Because they lack the willingness to make people uncomfortable. And auditing without discomfort is not auditing — it is verification. Verification checks whether documents exist. Auditing examines whether the system works. The difference is the willingness to probe, to challenge, to follow a thread past the point where the auditee wants you to stop.

An auditor who is liked by everyone is an auditor who is not finding anything.

What a rebel auditor does differently

The rebel auditor — and I use the word deliberately — operates differently from the standard internal auditor in four key ways:

They follow reality, not documentation. A standard auditor asks to see the procedure, verifies that the process follows the procedure, and moves on. A rebel auditor watches the actual process, compares it to the procedure, and asks why they differ. The gap between what is written and what is done is where the findings live.

They ask "why" until it hurts. A standard auditor finds that a record was not maintained and writes a nonconformity about record-keeping. A rebel auditor asks why the record was not maintained, and keeps asking until they reach the systemic cause — the process is too complex, the system is slow, the person was not trained, the supervisor does not enforce it. The nonconformity is not about the record. It is about the system that allowed the record to be missed.

They audit across boundaries. A standard auditor audits within the scope they were assigned. A rebel auditor follows the process across departmental boundaries, even when it means auditing someone who did not expect to be audited. Processes do not respect organisational charts. Neither should auditors.

They write findings that cannot be ignored. A standard auditor writes "opportunities for improvement" that are politely ignored. A rebel auditor writes nonconformities that demand action, supported by evidence so clear that disagreement is not possible. Their findings are uncomfortable precisely because they are undeniable.

How to protect your rebel

The problem with rebel auditors is that organisations try to neutralise them. The auditees complain about their tone. The managers question their scope. The HR department flags them as "difficult." And eventually, the rebel either conforms or leaves.

I protected Petra in three ways. First, I gave her a direct reporting line to me, not to the managers she audited. She did not have to worry about performance reviews being influenced by the people she found nonconformities against. Second, I backed every finding she issued. If an auditee challenged a finding, the conversation came to me, and I defended it — unless Petra had made a factual error, which happened twice in three years. Third, I gave her the training she needed to be not just bold but precise. A rebel with poor methodology is a liability. A rebel with excellent methodology is an asset beyond price.

The findings that changed the company

In her first year, Petra's findings led to three significant changes: a redesign of the supplier approval process that closed a gap allowing unqualified suppliers into the supply base, a revision of the calibration programme that identified 47 instruments overdue for calibration, and a complete overhaul of the management review process that transformed it from a status meeting into a genuine governance checkpoint.

The certification body, in their next surveillance audit, found two minor nonconformities. The lead auditor told me privately that our internal audit findings were more thorough than most of their own. That is the standard. That is what a rebel auditor achieves.

Your internal audit team needs a rebel. Not a troublemaker — a rebel. Someone who cares more about the truth than about being liked. Someone who follows the evidence wherever it leads. Someone who writes findings that make people uncomfortable because the alternative — comfortable findings that change nothing — is worse.

If your internal audit programme has not found a significant systemic issue in the last twelve months, you do not have a good quality system. You have a compliant audit team. There is a difference, and it matters.