Every organization's internal audit department requires a well-planned and structured strategy. This strategy helps guide the internal audit team in providing assurance services and advice to support the organization's success. Although building the internal audit strategy for the first time may seem overwhelming, the final product is certainly worth the effort. The following guide is designed to walk you through each step of building the audit strategy, ensuring you capture all the necessary information while establishing a routine for keeping the audit strategy up-to-date.
This article will cover the following:
To effectively address the internal audit function's strategy, we need to understand the updated Global Internal Audit Standards, which include principles to guide the Chief Audit Executive (CAE) in planning an overall strategy. Principle 9, as outlined in the new Standard 9.2 Internal Audit Strategy (refer to Figure 1), mandates that the CAE must "develop and implement a strategy for the internal audit function" that "supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders,” and includes “a vision, strategic objectives, and supporting initiatives for the internal audit function.” Lastly, the CAE must periodically review the strategy with senior management and the board.
To ensure that internal audit departments can fulfill their various responsibilities, it is essential to have a solid plan in place. We have designed this guide as a comprehensive discussion and commentary on the mandatory elements of an effective internal audit strategy as laid out in the standards, plus many best practices, to assist you in creating and documenting your own custom audit strategy.
Standard 9.2 Internal Audit Strategy RequirementsThe chief audit executive must develop and implement a strategy for the internal audit function that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders. An internal audit strategy is a plan of action designed to achieve a long-term or overall objective. The internal audit strategy must include a vision, strategic objectives, and supporting initiatives for the internal audit function. An internal audit strategy helps guide the internal audit function toward the fulfillment of the internal audit mandate. The chief audit executive must review the internal audit strategy with the board and senior management periodically.
The world’s leading audit management software - empowering audit departments of all sizes.
As with any strategy, the CAE should define the vision and the audit function’s mission. The vision statement should be far-reaching and set a long-term goal for the audit function. The vision statement captures where you want to be soon, but it is written in the present tense to show that the team is actively working toward a single aspirational goal.
Internal Audit Strategic Plan Example: The internal audit function provides deep, meaningful insight into the most urgent risks within the company.
A mission statement describes what the audit function does now. The mission statement is action-oriented and rooted in the present. The mission statement defines the audit function and lets the rest of the organization know what they expect from the audit team.
Internal Audit Strategic Plan Example: The mission of the internal audit team is to conduct risk-based audits that address high-priority and emerging risks that could prevent the company from achieving its strategic objectives.
Next, the CAE should develop a list of strategic objectives highlighting specific actions for the audit team. The objectives should include measurable targets the CAE expects to achieve that support the audit function’s mission and vision. Recently, there has been a movement away from long-term strategic planning in favor of agility within the audit function, but these two concepts can work together. By establishing future-focused strategic objectives, the CAE can ensure any short-term projects or agile audit plans also work toward achieving a broader audit strategy.
Example:
While internal audit is an independent function, outside of management’s influence, internal auditors need to work closely with other organizational functions. To that end, the CAE should align expectations within the audit team and with stakeholders from other functions. Setting clear expectations and aligning the audit team’s work with other stakeholders, mainly the other assurance functions, is vital to the department’s success.
Audit team | As a member of the internal audit department, it is your responsibility to uphold the standards set by the Institute of Internal Auditors and the policies set by this department and the broader organization. Audits are conducted based on a risk-based perspective and under the guidance of experienced audit managers. If you uncover a reportable issue during an audit, it is essential to alert the manager immediately. It is important to complete audits on time and treat audit stakeholders with respect, open communication, and professional skepticism. |
Senior management | The senior management team will provide valuable insights into the risk and control environment during quarterly risk assessments. When audits are conducted, it is essential to promptly provide any requested documentation to ensure the audit remains on track. If any issues are uncovered, a formal action plan must be developed to remediate the issue within 3-6 months with named responsible individuals and timelines. Attendance in audit close meetings is mandatory to confirm that all action plans have been received and personnel have been identified. After the audit, updates on the action plans are required every quarter. |
Board/ Audit committee | The Chief Audit Executive (CAE) is responsible for providing quarterly updates to the audit committee regarding the department's audit plans, progress, and state. The focus of reporting will be on significant risk and control issues, including fraud risks, governance issues, and any other matters that require the audit committee's attention. The audit committee will approve the budget for the audit department after reviewing proposals and negotiating with the CAE. |
Other internal assurance providers | Work done by internal assurance teams in the 2nd line of defense (e.g., compliance, risk management, quality) may be relied upon by internal audit if the work meets the internal audit team’s quality standard. |
External stakeholders | The CAE (Chief Audit Executive) will furnish the information requested by external parties, such as external auditors, regulators, and others, per the requirements and agreements set with them. Every possible effort will be made to provide work that the external parties can rely on based on the combined standards of both internal and external parties. |
As the world’s leading audit management software, TeamMate has revolutionized the industry, empowering audit departments of all sizes. Join us for a demonstration of TeamMate+ Audit’s most powerful benefits leading audit evolution.
Length: 2 minutes, 54 seconds
Audit teams must possess the necessary knowledge and skills to conduct audits effectively within their organization. The Chief Audit Executive has various options for ensuring the team has the appropriate skill set. The first step is to evaluate the current skills and knowledge of the department. Carrying out a skills assessment can quickly identify any gaps in the team's expertise. The skills assessment should be tailored to the organization and industry. It's important to note that the skills required in a public sector organization will differ from those in a corporation, financial institution, or retailer.
Internal audit strategic plan example:
We need to understand the technologies used in our organization, now and in the future, and what digital skills can better equip the audit team to be more efficient and effective and add value. All audit staff will undergo a digital skills assessment.
Once the baseline is established, the CAE should decide which skills must be maintained or developed. Generally speaking, there are three options to build these skills in the department:
Group training is highly cost-effective because it allows you to train the entire team together. Hiring a professional trainer who can teach the entire staff simultaneously may be the most effective option for larger teams. Additionally, the trainer may be able to provide continuing education credits for those with certifications. However, the disadvantage of this method is that everyone will receive the same training, and there is no opportunity for individual specialization among team members. This option works best for establishing a baseline of expected skills.
Some Certified Audit Executives (CAEs) assign a distinct training budget to each team member. This way, every person can choose relevant training courses to enhance their skills within the allocated budget. To cater to the department's requirements, certain guidelines should be established to ensure that the training is focused on topics relevant to the organization's needs. If you choose this approach, providing sufficient time for employees to complete the training is also important.
It is not advisable to leave the entire responsibility of training the audit staff on their own. When the department does not pay for the training, the Chief Audit Executive (CAE) loses control over the quality and type of training provided. Some of the staff may opt for free online training, which may vary in quality. Others may not even consider training due to the associated cost. New members of the profession are always eager for professional development, and not providing adequate training may obstruct their growth, create skill gaps in the team, and lead to staff turnover.
As previously mentioned, employee training significantly impacts your organization's retention rate. As part of the audit strategy, Chief Audit Executives (CAEs) should evaluate whether there is redundancy among team members, the level of trust and responsibility placed on each person, and the likelihood that individuals will leave the organization. It is a common misconception that redundancy is an opportunity to downsize the workforce. However, it is essential to remember that many audit positions are temporary due to planned rotations, and we should also consider the impact of job movement outside of simple recruiting costs. Most employees have critical responsibilities not shared with others, which can increase turnover risk. Organizations may offer regular training options to mitigate this risk to their employees.
Succession planning is typically centered around executive positions. Individuals are selected and prepared for the changes in a clear succession plan. However, most movements in an organization happen in non-executive roles. Therefore, audit teams should assess the risk related to succession planning in audit management positions. For example, it is important to consider the implications if your IT Audit Director decides to leave suddenly. Including a succession plan for critical audit positions in the audit strategy can reduce disruption if someone chooses to leave.
Internal audit teams may be slow to adopt new technology for various reasons – a lack of funding and knowledge gaps within the audit staff are the most common. The internal audit strategic plan should address the fact that technology is advancing faster than ever, and internal audit teams must keep up with changes on multiple fronts. First, the audit team needs to understand the technological advances made within the organization to adjust the audit plan. Next, the team needs an appropriate suite of technology solutions to complete their work, such as audit management solutions, data analytics, and automation tools. An essential step in maturing the audit team’s use of technology is benchmarking against others in your industry. Finally, audit leadership needs to remain aware of the possible solutions coming in the future to plan for addressing the risks to the organization adequately.
The audit technology maturity model should align with the organization's broader technology strategy. The CAE can start by establishing relationships and setting expectations with IT teams. Some organizations expect the CAE to budget for technology out of their allocated budget, while others budget all technology spending within the IT organization. In the latter case, the CAE must build a business case and set expectations on cost, timing, and implementation process. The CAE also needs to work within the organization’s purchasing process, which will likely include gathering proposals, technical evaluations, and legal contract reviews. All these steps add time to the overall process that should be factored into the maturity plan, meaning it is better to start planning early.
The current inventory of solutions should also be considered before purchasing new technology. Others in the organization may already have access to analytic solutions, automation software, or reporting tools. On the other hand, if you find no solutions in-house, you may want to partner with others to find a mutually beneficial solution.
Internal audit strategic plan example:
Internal audit needs a dynamic audit strategy to keep up with changes to the risk landscape, so the CAE should plan for updates. Some events may require more frequent updates, such as organizational changes, leadership changes, updates to policies and procedures, new laws and regulations, the introduction of new frameworks, or results of internal and external assessments of the internal audit function (e.g., QAIP results). Outside of major events, the CAE should consider internal audit strategic plan updates when encountering emerging technologies that fundamentally alter the audit planning, testing, and reporting approach.
Whether the internal audit strategy needs updates, the CAE must review the strategy with the board and senior management. The standards are not specific on frequency, but since the strategy sets the tone for the entire audit function, it may make sense to use the strategic plan as a reference point during all audit committee meetings. The review can include a timeline for reaching objectives in the plan, progress updates on those goals, and any concerns related to achieving specific goals.
Creating an internal audit strategic plan sets the foundation for success. The CAE has always been responsible for the audit plan and the team, and the new standard calls for more formality. By documenting the internal audit strategy, sharing it with the audit team, and reviewing it with the board and senior management, the CAE showcases the careful planning needed to maintain an audit function prepared to assess the organization’s control environment and risk exposure. The documented strategy ensures the audit team is working toward a common mission, guided by the CAE’s vision for the team, and considers the needs of the organization and the individual audit team members. Building the internal audit strategy is essential to planning for future success.