The Institute of Internal Auditors (IIA) final updated Global Internal Audit Standards provide the opportunity for transformative change.
Why it matters: The update requires the internal audit (IA) function to have a strategic plan aligned with the organization’s strategy and defined performance objectives.
Why start now: Defining the IA strategy and performance objectives will require stretch thinking from the IA function, and discussion with senior management and the board, who need to review and approve the IA function’s performance objectives at least annually.
Bottom line: IA functions need to establish or update the department’s strategic planning, aligning to the organization’s strategy, and incorporating measurable performance objectives.
___ ____ ___
In Parts 1 and 2, we focused on the necessity to work alongside the board and senior management as IA stakeholders to agree collectively on the expectations for IA beginning with the function’s mandate, and we highlighted the areas of change that impact the IA function the most. In this concluding Part 3 of the blog series, we focus on one key area — IA strategy — that requires additional collaboration, but also provides an opportunity to elevate the IA function and drive transformative change.
With what mindset should IA approach strategic planning?
To improve the performance of the IA function, the CAE should view the establishment of the strategic plan and vision as an exercise that challenges traditional thinking and stretches the entire team to think outside of its day-to-day activities. In addition to aligning with the organization’s overall strategy and risk profile, IA’s strategy can help to enable continuous improvement to improve the quality, relevance and value of the services delivered.
While more mature IA functions may have long had a well-defined strategy, this remains a gap for many, and all functions can benefit from a fresh and objective look at the direction they have set and a straightforward assessment of historical success on department initiatives — especially in these dynamic times. It is important for less mature functions to understand that an audit plan is not a strategy. The strategic plan, supported by a manageable number of initiatives, should allow for real progress in targeted areas with an objective of collaborating closely with key stakeholders to channel audit resources to their highest and best use and drive the overall performance and capability of the function forward.
What is a logical approach IA can follow to set or confirm the IA function’s strategic direction?
The following outlines a series of nine steps that IA can take to create a longer-term strategy in accordance with the 2024 Global Internal Audit Standards (Note: For starters, three years might be an appropriate time frame to consider.):
- Understand the overall company strategy and objectives: The first step toward alignment with stakeholders is a thorough understanding of the organization’s mission, vision, goals and strategic objectives. This includes identifying risks and opportunities that may impact achievement of these objectives and understanding both short-term operational targets and long-term strategic plans, as well as key initiatives and transformation activities the organization is undertaking. IA will need to have the right seat at the table and develop strong relationships with stakeholders to obtain this information and maintain a pulse on the organization’s strategic direction and awareness of changes in the threats to the organization achieving its goals and objectives. For public companies, the CAE should be aware of the company’s public communications and filings.
- Engage with stakeholders: Proactively engage with senior management, board members and any other stakeholders to understand their expectations for the direction of the IA function and how it can better support company objectives and deliver with relevance and value. This will help in identifying potential areas of additional focus and aligning expectations.
- Assess current alignment: Assess how well current IA activities align with company objectives, incorporating the lens of stakeholder expectations. Identify any gaps or areas where alignment could be improved.
- Define strategic vision: Based on the understanding of company strategy and stakeholder expectations, establish the function’s strategic vision. The vision should be realistic yet have aspects that are aspirational; defining success for the function while focusing on core activities that align with company objectives. Integrating innovation within the function’s strategic planning process is essential to maintaining relevance over time and ensuring the function will be Future Ready.
- Develop long-term objectives: Define clear objectives and goals to guide the IA function over the next three years. These goals may be related to:
- Governance of the function (including coordination and alignment with other assurance functions as well as how the function is structured and organized, including talent and resource management)
- Methodology (risk assessment and audit planning, communications, and reporting, integrating relevant principles of agile methodology), or
- Enabling technology (e.g., GRC, analytics, automation, AI) to drive overall audit effectiveness and relevance
- Establish supporting initiatives: Develop three to five main initiatives outlining how the function will achieve the objectives and improve itself over this period and what investments, internal and external partnerships, upskilling or other initiatives will help drive the accomplishments of each strategic priority.
- Set performance objectives: Establish specific measurable goals for the IA function against which the performance of these initiatives and the broader strategic objectives will be measured. Measurement criteria should be sufficiently detailed to support tracking and reporting. Metrics could range from quantitative ones like the level of stakeholder satisfaction to qualitative ones like improved control awareness, or other indicators relevant to the organization’s goals.
- Report progress: Develop regular reporting mechanisms (quarterly or biannual reports) to communicate progress made against established performance criteria back to stakeholders including senior management and the board.
- Continually review and adjust: Regularly review and adjust the IA strategy as necessary based on changes in company strategy and objectives, feedback from stakeholders, developments in the profession, or performance against established measures.
It is important to note that this process is iterative; as organizational strategies evolve over time so too should the IA function’s approach to remain aligned with overarching goals.
By following these steps, the CAE should be able to develop a robust long-term strategic plan that not only aligns with, but also supports, the organization’s overarching strategy while fostering a culture of continuous improvement within the audit team.
What meaningful and realistic performance metrics do IA functions utilize?
A balanced scorecard can be a useful tool to analyze and communicate the multifaceted aspects of IA function performance. In developing a balanced scorecard that effectively assesses the performance of an IA function, the CAE should consider including measures that reflect not only traditional audit metrics but also incorporate innovative aspects that can drive continuous improvement and strategic alignment. While meaningful metrics will vary by function, and the following performance measures are not intended to constitute an all-inclusive list or checklist, they could be impactful and innovative for inclusion in an IA function’s balanced scorecard:
The measures selected by the IA function and affirmed by its stakeholders should provide a comprehensive view of both quantitative outputs (like audit finding implementation rates) as well as qualitative outcomes (like efficiency improvements and enhanced governance practices in target audit areas). It is essential to customize these metrics based on specific organizational contexts while ensuring they support informed decision-making, demonstrate value added by the IA function, encourage innovation within the team, and align with corporate objectives for long-term success.
These performance metrics will and should change over time. The IA function may need to shift the focus of its activities to be responsive to evolving stakeholder expectations as well as business conditions and priorities. There may be times when a focus on identifying potential cost reductions adds the most value to the organization, and others when establishing stronger controls is a collective focus. Beyond conforming with the Standards, it is important for the CAE to revisit the IA function’s performance objectives with senior management and the board at least annually or as the circumstances of the organization change.
Learn more about the Global Internal Audit Standards update by registering for our webinar here.
Add comment