Developing a strategic internal audit plan not only improves internal audit’s alignment to business objectives, it also ensures that the internal audit department remains relevant.
If you were doing an audit of an organization’s governance processes or an audit of a subsidiary and discovered that their strategic planning process had significant gaps or was nonexistent, would this be an observation in your internal audit report? It most certainly would. Yet internal audit departments themselves don’t always have a strategic plan, let alone a good strategic plan.
Although strategic planning is not part of the IIA’s International Professional Practices Framework’s mandatory guidance, it is part of recommended guidance. It is one of the ways to address the IIA Core Principle “Aligns with the strategies, objectives, and risks of the organization.” Without a strategic plan, it is difficult to demonstrate the internal audit department’s alignment to the organization’s strategic plans and how it is helping the organization achieve its objectives (as defined by the organization’s strategy). A strategy forms the roadmap for the internal audit department’s mandate, people, processes and technology. This roadmap is what ensures that the internal audit department remains relevant.
A Glimpse at the Current State of Internal Audit Strategic Planning
Take a moment and google “strategic internal audit plan example”. What you’ll get is a mixture of guidance from the IIA and others, examples of internal audit strategic plans, and naturally, irrelevant results. What is surprising in this day and age is the number of examples of strategic plans which have no vision, mission or actual strategy. They are simply the output of an annual internal audit plan that has been mapped across a 3 or 5 year period. What this means is that some internal audit departments do not exercise proper strategic planning. The latest data from the IIA’s global internal audit survey¹ supports this conclusion:
- Only 55% of internal audit departments are fully aligned or almost fully aligned with the strategic plan of their organization (this drops to 42% for the South Asia/India region).
- Only 52% of Chief Audit Executives (CAEs) indicated that they have a separate written mission statement for their internal audit department.
- Only 36% of CAEs stated that they have an internal audit strategy description.
When analyzing the results above, one wonders how 55% of CAEs can be fully or almost fully aligned with the strategic plan of the organization when only 36% of them have established an internal audit strategy.
An internal audit strategic plan is not a series of audits over a 3 to 5 year period!
Understanding Organizational Strategy
Before going into how to develop an internal audit strategic plan, we should take a step back and look at organizational strategy. Simply put, a strategy is a plan put in place to achieve a long term objective. It is “big picture” thinking which gives an organization a sense of direction. It helps to focus and prioritize an organization’s resources on particular goals since organizations can’t do everything all at once!
An organizational strategy usually answers 5 questions which correspond to 5 major elements of a strategic plan as shown in the table below:
Strategic planning at an organizational level usually takes place annually, although the specific objectives/strategies may or may not change depending on how well they are going as an organization.
So would internal audit strategic planning be any different from the above? Absolutely not!
The organizational strategic plan also impacts internal audit activities (both strategic and operational). Here are 3 examples:
- Risks to Strategic Objectives: The IIA Standards require internal audit departments to address risks to strategic objectives. A percentage of the internal audit plan along with specific audits would need to be identified and addressed as part of the annual internal audit risk assessment and planning methodology.
- New Organizational Priorities: The organization may have set in motion plans to expand to new countries/regions, to get into new business lines (or exit current business lines), have plans to implement new systems, etc. Internal audit needs to ensure that it is ready to support the business through these organizational priorities and gear up to have the resources to audit risks in these new areas.
- Organization Wide Initiatives: There are organization wide initiatives that impact all departments including internal audit. This could be cost cutting, diversity/gender empowerment, virtual offices etc.
All these elements, and more, would need to be addressed by the internal audit department in the long term and as part of the internal audit strategic plan.
Developing the Internal Audit Strategic Plan – In Brief
The process (which is more of an annual cycle) to develop an internal audit strategic plan is largely based on the same process followed at an organizational level. Although CAEs may approach strategic planning in a different way, a proposed process is illustrated in Exhibit A.
The starting point for any internal audit strategic plan is about understanding the expectations of the key stakeholders: the audit committee, the CEO and senior management. These expectations differ from one company to another and could include expectations such as focus on cost recoveries, assurance on key business processes, supporting fraud risk management, being a source of talent for management etc. There may be multiple views from stakeholders and CAEs would need to prioritize them into “non-negotiable” vs. “good to have” expectations. Understanding expectations is not a one off exercise; this should be done regularly and preferably annually.
What comes next is the understanding of the current state of the internal audit department. This could take the form of an analysis of mandate, people, process and technology or take the form of a SWOT analysis. This analysis is the core of any strategic plan. It will determine what your department needs to fix and what it is realistically capable of achieving; you’ll need to walk before you start running!
Then based on stakeholder expectations, the current state analysis, and taking into account the organization’s strategy as noted above, as well as developments in the internal audit profession, the CAE will work to develop a vision of what the internal audit department will look like in the next 3 to 5 years. The vision is a concise, forward-looking narrative that provides a high-level strategic direction for internal auditing. This vision defines where we want to go to. The nature of the vision would also depend on the maturity of the internal audit function (identified as part of the current state assessment). A maturing internal audit department’s vision could be related to conformance with the IIA Standards, while a mature internal audit department could strive to be “the leading internal audit department among its peers.”
Subsequently, the CAE can now identify the gaps between the current state and the future vision and develop objectives and initiatives to address the gap. While the number of objectives and corresponding initiatives can be endless, one needs to keep in mind the total amount of time that would be allocated to these initiatives. These initiatives would ultimately feed into the annual internal audit plan as shown in Exhibit B.
The amount of time and resources allocated to initiatives would depend on the importance of the initiative to the internal audit department and organization. Initiatives would be spread out over a 3 – 5 year horizon; i.e. not every initiative would be completed in year one. It is also important to assign measurable targets to each initiative, otherwise it would be difficult to demonstrate progress and/or completion.
Finally, the strategic plan would be presented to senior management for feedback and subsequently to the audit committee for approval. The strategic plan would then be implemented by the internal audit department and performance against the strategic plan would be measured and reported on a periodic basis. By demonstrating that internal audit is aligning to the organization and its department’s vision, internal audit shows progress in its internal processes and the value it brings to helping the organization achieve its objectives.
Also remember that the internal audit strategic plan is a living document that would be updated at least on an annual basis, similar to the approach followed by organizations.
A Few Tips
- Engage your team – let them support you in developing the vision and supporting objectives and initiatives.
- Focus on realistic goals and targets; don’t “bite off more than you can chew”.
- Link individual performance goals to the achievement of strategic objectives / initiatives where applicable. Hold them accountable for delivering on these initiatives.
- Communicate with stakeholders and the IA team and keep them up to date on any success and/or challenges to implementing the strategy.
- Course correct where you need to – where an initiative is not practical or where you have underestimated the cost to complete, don’t be afraid to call this out and adjust; the organization does the same!
Developing an internal audit strategic plan is part art and part science. While a structured approach may be followed, it is the CAE’s capabilities that play a big part in determining the quality of the final output. Research from the IIA² emphasises strategic thinking as one of the key skills needed to become a CAE. This strategic thinking will give the CAE a better view of the organization’s future and how the internal audit department should fit into that future.
While this article proposes a brief approach and overview of strategic planning for internal audit, there may be different approaches that CAEs may choose to follow to develop a strategic plan. Regardless of the approach that is chosen, there should be a future state that addresses the organization’s strategy and the expectations of key stakeholders. Without such a plan in place, the internal audit department may lose focus in the long term.
Lastly, the internal audit department will not be able to survive on an annual plan alone. This will result in a reactive approach to organizational changes and stakeholder requirements as opposed to planning for them and anticipating them. It’s time to look ahead and think about what is to come and show your key stakeholders that you are evolving and preparing for the future!
1 Benchmarking Internal Audit Maturity (IIARF, 2016)
2 CAE Career Paths (IIARF, 2016)
Disclaimer: Opinions expressed in this article belong solely to the authors, and do not necessarily represent the views of the IIA or their employer. This article was originally published in the IIA India Quarterly, Vol 3