Designing a formal internal audit strategy

CAE’s vision and mission for internal audit

As with any strategy, the CAE should define the vision and the audit function’s mission. The vision statement should be far-reaching and set a long-term goal for the audit function. The vision statement captures where you want to be soon, but it is written in the present tense to show that the team is actively working toward a single aspirational goal.

Internal Audit Strategic Plan Example: The internal audit function provides deep, meaningful insight into the most urgent risks within the company.

A mission statement describes what the audit function does now. The mission statement is action-oriented and rooted in the present. The mission statement defines the audit function and lets the rest of the organization know what they expect from the audit team.

Internal Audit Strategic Plan Example: The mission of the internal audit team is to conduct risk-based audits that address high-priority and emerging risks that could prevent the company from achieving its strategic objectives.

Internal audit function’s strategic objectives

Next, the CAE should develop a list of strategic objectives highlighting specific actions for the audit team. The objectives should include measurable targets the CAE expects to achieve that support the audit function’s mission and vision. Recently, there has been a movement away from long-term strategic planning in favor of agility within the audit function, but these two concepts can work together. By establishing future-focused strategic objectives, the CAE can ensure any short-term projects or agile audit plans also work toward achieving a broader audit strategy.

Example:

• Utilize a risk-based audit lifecycle that addresses emerging and high-priority risks to the organization.
• Provide continuing education opportunities for the audit staff to ensure the staff possesses adequate knowledge needed to conduct the audit plan.
• Provide senior leadership and the audit committee deep insights into the risk and control environment.

Aligning stakeholder expectations

While internal audit is an independent function, outside of management’s influence, internal auditors need to work closely with other organizational functions. To that end, the CAE should align expectations within the audit team and with stakeholders from other functions. Setting clear expectations and aligning the audit team’s work with other stakeholders, mainly the other assurance functions, is vital to the department’s success.

Planning the approach to team development

Audit teams must possess the necessary knowledge and skills to conduct audits effectively within their organization. The Chief Audit Executive has various options for ensuring the team has the appropriate skill set. The first step is to evaluate the current skills and knowledge of the department. Carrying out a skills assessment can quickly identify any gaps in the team's expertise. The skills assessment should be tailored to the organization and industry. It's important to note that the skills required in a public sector organization will differ from those in a corporation, financial institution, or retailer.

Internal audit strategic plan example:

We need to understand the technologies used in our organization, now and in the future, and what digital skills can better equip the audit team to be more efficient and effective and add value. All audit staff will undergo a digital skills assessment.

Once the baseline is established, the CAE should decide which skills must be maintained or developed. Generally speaking, there are three options to build these skills in the department:

Provide group training

Group training is highly cost-effective because it allows you to train the entire team together. Hiring a professional trainer who can teach the entire staff simultaneously may be the most effective option for larger teams. Additionally, the trainer may be able to provide continuing education credits for those with certifications. However, the disadvantage of this method is that everyone will receive the same training, and there is no opportunity for individual specialization among team members. This option works best for establishing a baseline of expected skills.

Budget for individual training

Some Certified Audit Executives (CAEs) assign a distinct training budget to each team member. This way, every person can choose relevant training courses to enhance their skills within the allocated budget. To cater to the department's requirements, certain guidelines should be established to ensure that the training is focused on topics relevant to the organization's needs. If you choose this approach, providing sufficient time for employees to complete the training is also important.

Require individuals to find their own training

It is not advisable to leave the entire responsibility of training the audit staff on their own. When the department does not pay for the training, the Chief Audit Executive (CAE) loses control over the quality and type of training provided. Some of the staff may opt for free online training, which may vary in quality. Others may not even consider training due to the associated cost. New members of the profession are always eager for professional development, and not providing adequate training may obstruct their growth, create skill gaps in the team, and lead to staff turnover.

Planned redundancy

As previously mentioned, employee training significantly impacts your organization's retention rate. As part of the audit strategy, Chief Audit Executives (CAEs) should evaluate whether there is redundancy among team members, the level of trust and responsibility placed on each person, and the likelihood that individuals will leave the organization. It is a common misconception that redundancy is an opportunity to downsize the workforce. However, it is essential to remember that many audit positions are temporary due to planned rotations, and we should also consider the impact of job movement outside of simple recruiting costs. Most employees have critical responsibilities not shared with others, which can increase turnover risk. Organizations may offer regular training options to mitigate this risk to their employees.

Succession planning

Succession planning is typically centered around executive positions. Individuals are selected and prepared for the changes in a clear succession plan. However, most movements in an organization happen in non-executive roles. Therefore, audit teams should assess the risk related to succession planning in audit management positions. For example, it is important to consider the implications if your IT Audit Director decides to leave suddenly. Including a succession plan for critical audit positions in the audit strategy can reduce disruption if someone chooses to leave.

Establishing a technology maturity model

Internal audit teams may be slow to adopt new technology for various reasons – a lack of funding and knowledge gaps within the audit staff are the most common. The internal audit strategic plan should address the fact that technology is advancing faster than ever, and internal audit teams must keep up with changes on multiple fronts. First, the audit team needs to understand the technological advances made within the organization to adjust the audit plan. Next, the team needs an appropriate suite of technology solutions to complete their work, such as audit management solutions, data analytics, and automation tools. An essential step in maturing the audit team’s use of technology is benchmarking against others in your industry. Finally, audit leadership needs to remain aware of the possible solutions coming in the future to plan for addressing the risks to the organization adequately.

Aligning with the organization

The audit technology maturity model should align with the organization's broader technology strategy. The CAE can start by establishing relationships and setting expectations with IT teams. Some organizations expect the CAE to budget for technology out of their allocated budget, while others budget all technology spending within the IT organization. In the latter case, the CAE must build a business case and set expectations on cost, timing, and implementation process. The CAE also needs to work within the organization’s purchasing process, which will likely include gathering proposals, technical evaluations, and legal contract reviews. All these steps add time to the overall process that should be factored into the maturity plan, meaning it is better to start planning early.

The current inventory of solutions should also be considered before purchasing new technology. Others in the organization may already have access to analytic solutions, automation software, or reporting tools. On the other hand, if you find no solutions in-house, you may want to partner with others to find a mutually beneficial solution.

Internal audit strategic plan example:

• Internal Audit, Enterprise Risk Management, and Compliance may choose a single assurance platform.
• Internal Audit may partner with accounting to use the same data analytics tools.
• Internal Audit may leverage an existing AI/RPA solution the technology team uses.

Planning for internal audit strategy updates

Internal audit needs a dynamic audit strategy to keep up with changes to the risk landscape, so the CAE should plan for updates. Some events may require more frequent updates, such as organizational changes, leadership changes, updates to policies and procedures, new laws and regulations, the introduction of new frameworks, or results of internal and external assessments of the internal audit function (e.g., QAIP results). Outside of major events, the CAE should consider internal audit strategic plan updates when encountering emerging technologies that fundamentally alter the audit planning, testing, and reporting approach.

Whether the internal audit strategy needs updates, the CAE must review the strategy with the board and senior management. The standards are not specific on frequency, but since the strategy sets the tone for the entire audit function, it may make sense to use the strategic plan as a reference point during all audit committee meetings. The review can include a timeline for reaching objectives in the plan, progress updates on those goals, and any concerns related to achieving specific goals.

Planning for success

Creating an internal audit strategic plan sets the foundation for success. The CAE has always been responsible for the audit plan and the team, and the new standard calls for more formality. By documenting the internal audit strategy, sharing it with the audit team, and reviewing it with the board and senior management, the CAE showcases the careful planning needed to maintain an audit function prepared to assess the organization’s control environment and risk exposure. The documented strategy ensures the audit team is working toward a common mission, guided by the CAE’s vision for the team, and considers the needs of the organization and the individual audit team members. Building the internal audit strategy is essential to planning for future success.