From Conformance to Performance — Understanding the Global Internal Audit Standards (Part 3 of 3)

This blog post was authored by Andrew Struthers-Kennedy - Managing Director, Global Practice Lead, Internal Audit and Financial Advisory and Kristen Kelly - Director, Internal Audit and Financial Advisory on The Protiviti View.

The Institute of Internal Auditors (IIA) final updated Global Internal Audit Standards provide the opportunity for transformative change.

- Why it matters: The update requires the internal audit (IA) function to have a strategic plan aligned with the organisation’s strategy and defined performance objectives.
- Why start now: Defining the IA strategy and performance objectives will require stretch thinking from the IA function, and discussion with senior management and the board, who need to review and approve the IA function’s performance objectives at least annually.
- Bottom line: IA functions need to establish or update the department’s strategic planning, aligning to the organisation’s strategy, and incorporating measurable performance objectives.

In Parts 1 and 2, we focused on the necessity to work alongside the board and senior management as IA stakeholders to agree collectively on the expectations for IA beginning with the function’s mandate, and we highlighted the areas of change that impact the IA function the most. In this concluding Part 3 of the blog series, we focus on one key area — IA strategy — that requires additional collaboration, but also provides an opportunity to elevate the IA function and drive transformative change.

With what mindset should IA approach strategic planning?

To improve the performance of the IA function, the CAE should view the establishment of the strategic plan and vision as an exercise that challenges traditional thinking and stretches the entire team to think outside of its day-to-day activities.
In addition to aligning with the organisation’s overall strategy and risk profile, IA’s strategy can help enable continuous improvement in the quality, relevance and value of the services delivered.

While more mature IA functions may have long had a well-defined strategy, this remains a gap for many, and all functions can benefit from a fresh and objective look at the direction they have set and a straightforward assessment of historical success on department initiatives — especially in these dynamic times. It is important for less mature functions to understand that an audit plan is not a strategy. The strategic plan, supported by a manageable number of initiatives, should allow for real progress in targeted areas with an objective of collaborating closely with key stakeholders to channel audit resources to their highest and best use and drive the overall performance and capability of the function forward.

What is a logical approach IA can follow to set or confirm the IA function’s strategic direction?

The following outlines a series of nine steps that IA can take to create a longer-term strategy in accordance with the 2024 Global Internal Audit Standards (Note: For starters, three years might be an appropriate time frame to consider.):

Understand the overall company strategy and objectives: The first step toward alignment with stakeholders is a thorough understanding of the organisation’s mission, vision, goals and strategic objectives. This includes identifying risks and opportunities that may impact achievement of these objectives and understanding both short-term operational targets and long-term strategic plans, as well as key initiatives and transformation activities the organisation is undertaking.
IA will need to have the right seat at the table and develop strong relationships with stakeholders to obtain this information and maintain a pulse on the organisation’s strategic direction and awareness of changes in the threats to the organisation achieving its goals and objectives. For public companies, the CAE should be aware of the company’s public communications and filings.

Engage with stakeholders: Proactively engage with senior management, board members and any other stakeholders to understand their expectations for the direction of the IA function and how it can better support company objectives and deliver with relevance and value. This will help in identifying potential areas of additional focus and aligning expectations.

Assess current alignment: Assess how well current IA activities align with company objectives, incorporating the lens of stakeholder expectations. Identify any gaps or areas where alignment could be improved.

Define strategic vision: Based on the understanding of company strategy and stakeholder expectations, establish the function’s strategic vision. The vision should be realistic yet have aspects that are aspirational, defining success for the function while focusing on core activities that align with company objectives. Integrating innovation within the function’s strategic planning process is essential to maintaining relevance over time and ensuring the function will be Future Ready.

Develop long-term objectives: Define clear objectives and goals to guide the IA function over the next three years.
These goals may be related to:

- Governance of the function (including coordination and alignment with other assurance functions as well as how the function is structured and organised, including talent and resource management)
- Methodology (risk assessment and audit planning, communications, and reporting, integrating relevant principles of agile methodology), or
- Enabling technology (e.g., GRC, analytics, automation, AI) to drive overall audit effectiveness and relevance

Establish supporting initiatives: Develop three to five main initiatives outlining how the function will achieve the objectives and improve itself over this period and what investments, internal and external partnerships, upskilling or other initiatives will help drive the accomplishments of each strategic priority.

Set performance objectives: Establish specific measurable goals for the IA function against which the performance of these initiatives and the broader strategic objectives will be measured. Measurement criteria should be sufficiently detailed to support tracking and reporting.
Metrics could range from quantitative ones like the level of stakeholder satisfaction to qualitative ones like improved control awareness, or other indicators relevant to the organisation’s goals.

Report progress: Develop regular reporting mechanisms (quarterly or biannual reports) to communicate progress made against established performance criteria back to stakeholders including senior management and the board.

Continually review and adjust: Regularly review and adjust the IA strategy as necessary based on changes in company strategy and objectives, feedback from stakeholders, developments in the profession, or performance against established measures.

It is important to note that this process is iterative; as organisational strategies evolve over time so too should the IA function’s approach to remain aligned with overarching goals.

By following these steps, the CAE should be able to develop a robust long-term strategic plan that not only aligns with, but also supports, the organisation’s overarching strategy while fostering a culture of continuous improvement within the audit team.

What meaningful and realistic performance metrics do IA functions utilise?

A balanced scorecard can be a useful tool to analyse and communicate the multifaceted aspects of IA function performance. In developing a balanced scorecard that effectively assesses the performance of an IA function, the CAE should consider including measures that reflect not only traditional audit metrics but also incorporate innovative aspects that can drive continuous improvement and strategic alignment.
While meaningful metrics will vary by function, and the following performance measures are not intended to constitute an all-inclusive list or checklist, they could be impactful and innovative for inclusion in an IA function’s balanced scorecard:

Strategic Alignment
- Number of strategic initiatives/committees in which internal auditors are involved (versus target)
- Proportion of the organisation's strategic priorities addressed in the audit plan
- Degree of alignment between IA recommendations and business strategies

Innovation and Improvement
- Innovative audit tools or techniques implemented
- Innovations contributed to the company by the IA function (e.g., process improvements, cost savings, controls turned over to first- and second-line functions)

Governance Enhancements
- Impact of IA on improving governance structures within the organisation (e.g., policy revisions influenced by audits)
- Percentage of recommendations accepted and/or implemented (versus target)

Resource Optimisation
- Ratio of productive to unproductive audit time (include target)
- Alignment of IA personnel competency and skills to areas within IA mandate and audit plan
- Coordinated activities with other lines of defense (e.g., ERM, compliance, ESG)
- Level of internal audit staff turnover versus target

Stakeholder Engagement and Satisfaction
- Stakeholder satisfaction scores via surveys or interviews
- Extent of stakeholder engagement in defining audit focus areas
- Number or percentage of hours aligned to support management requests

Risk Management Improvement
- Contribution to risk identification and mitigation effectiveness
- Trends in key risk indicators impacted by IA activities
- Extent of coordination, alignment with other risk management and assurance functions (include consideration of efficiency gains)

Performance Against Objectives
- Achievement rate of defined IA strategic objectives
- Progress made on key initiatives outlined in the strategic plan

Learning and Growth
- Training opportunities per auditor for professional development
- Skills enhancement reflected through certifications or specialised expertise gained

Value Creation
- Quantitative benefits realised by the organisation from IA interventions (e.g., financial recoveries, efficiency gains)
- Qualitative benefits such as improved organisational culture toward compliance and control awareness

The measures selected by the IA function and affirmed by its stakeholders should provide a comprehensive view of both quantitative outputs (like audit finding implementation rates) as well as qualitative outcomes (like efficiency improvements and enhanced governance practices in target audit areas). It is essential to customise these metrics based on specific organisational contexts while ensuring they support informed decision-making, demonstrate value added by the IA function, encourage innovation within the team, and align with corporate objectives for long-term success.

These performance metrics will and should change over time. The IA function may need to shift the focus of its activities to be responsive to evolving stakeholder expectations as well as business conditions and priorities. There may be times when a focus on identifying potential cost reductions adds the most value to the organisation, and others when establishing stronger controls is a collective focus. Beyond conforming with the Standards, it is important for the CAE to revisit the IA function’s performance objectives with senior management and the board at least annually or as the circumstances of the organisation change.

This is part 3 of a 3-part blog series. Read blog 1 and blog 2 to further understand the Global Internal Audit Standards.