From Conformance to Performance — Understanding the Global Internal Audit Standards (Part 3 of 3)

This blog post was authored by Andrew Struthers-Kennedy - Managing Director, Global Practice Lead, Internal Audit and Financial Advisory and Kristen Kelly - Director, Internal Audit and Financial Advisory on The Protiviti View.

The Institute of Internal Auditors’ (IIA) final updated Global Internal Audit Standards provide the opportunity for transformative change.

Why it matters: The update requires the internal audit (IA) function to have a strategic plan aligned with the organisation’s strategy and defined performance objectives.

Why start now: Defining the IA strategy and performance objectives will require stretch thinking from the IA function, and discussion with senior management and the board, who need to review and approve the IA function’s performance objectives at least annually.

Bottom line: IA functions need to establish or update the department’s strategic planning, aligning to the organisation’s strategy, and incorporating measurable performance objectives.

In Parts 1 and 2, we focused on the necessity to work alongside the board and senior management as IA stakeholders to agree collectively on the expectations for IA beginning with the function’s mandate, and we highlighted the areas of change that impact the IA function the most. In this concluding Part 3 of the blog series, we focus on one key area — IA strategy — that requires additional collaboration, but also provides an opportunity to elevate the IA function and drive transformative change.

With what mindset should IA approach strategic planning?

To improve the performance of the IA function, the CAE should view the establishment of the strategic plan and vision as an exercise that challenges traditional thinking and stretches the entire team to think outside of its day-to-day activities. In addition to aligning with the organisation’s overall strategy and risk profile, IA’s strategy can help enable continuous improvement in the quality, relevance and value of the services delivered.

While more mature IA functions may have long had a well-defined strategy, this remains a gap for many, and all functions can benefit from a fresh and objective look at the direction they have set and a straightforward assessment of historical success on department initiatives — especially in these dynamic times. It is important for less mature functions to understand that an audit plan is not a strategy. The strategic plan, supported by a manageable number of initiatives, should allow for real progress in targeted areas with an objective of collaborating closely with key stakeholders to channel audit resources to their highest and best use and drive the overall performance and capability of the function forward.

What is a logical approach IA can follow to set or confirm the IA function’s strategic direction?

The following outlines a series of nine steps that IA can take to create a longer-term strategy in accordance with the 2024 Global Internal Audit Standards (Note: For starters, three years might be an appropriate time frame to consider.):

  1. Understand the overall company strategy and objectives: The first step toward alignment with stakeholders is a thorough understanding of the organisation’s mission, vision, goals and strategic objectives. This includes identifying risks and opportunities that may impact achievement of these objectives and understanding both short-term operational targets and long-term strategic plans, as well as key initiatives and transformation activities the organisation is undertaking. IA will need to have the right seat at the table and develop strong relationships with stakeholders to obtain this information and maintain a pulse on the organisation’s strategic direction and awareness of changes in the threats to the organisation achieving its goals and objectives. For public companies, the CAE should be aware of the company’s public communications and filings.
  2. Engage with stakeholders: Proactively engage with senior management, board members and any other stakeholders to understand their expectations for the direction of the IA function and how it can better support company objectives and deliver with relevance and value. This will help in identifying potential areas of additional focus and aligning expectations.
  3. Assess current alignment: Assess how well current IA activities align with company objectives, incorporating the lens of stakeholder expectations. Identify any gaps or areas where alignment could be improved.
  4. Define strategic vision: Based on the understanding of company strategy and stakeholder expectations, establish the function’s strategic vision. The vision should be realistic yet have aspects that are aspirational, defining success for the function while focusing on core activities that align with company objectives. Integrating innovation within the function’s strategic planning process is essential to maintaining relevance over time and ensuring the function will be Future Ready.
  5. Develop long-term objectives: Define clear objectives and goals to guide the IA function over the next three years. These goals may be related to:
    • Governance of the function (including coordination and alignment with other assurance functions as well as how the function is structured and organised, including talent and resource management)
    • Methodology (risk assessment and audit planning, communications, and reporting, integrating relevant principles of agile methodology), or
    • Enabling technology (e.g., GRC, analytics, automation, AI) to drive overall audit effectiveness and relevance
  6. Establish supporting initiatives: Develop three to five main initiatives outlining how the function will achieve the objectives and improve itself over this period and what investments, internal and external partnerships, upskilling or other initiatives will help drive the accomplishments of each strategic priority.
  7. Set performance objectives: Establish specific measurable goals for the IA function against which the performance of these initiatives and the broader strategic objectives will be measured. Measurement criteria should be sufficiently detailed to support tracking and reporting. Metrics could range from quantitative ones like the level of stakeholder satisfaction to qualitative ones like improved control awareness, or other indicators relevant to the organisation’s goals.
  8. Report progress: Develop regular reporting mechanisms (quarterly or biannual reports) to communicate progress made against established performance criteria back to stakeholders including senior management and the board.
  9. Continually review and adjust: Regularly review and adjust the IA strategy as necessary based on changes in company strategy and objectives, feedback from stakeholders, developments in the profession, or performance against established measures.

It is important to note that this process is iterative; as organisational strategies evolve over time so too should the IA function’s approach to remain aligned with overarching goals.

By following these steps, the CAE should be able to develop a robust long-term strategic plan that not only aligns with, but also supports, the organisation’s overarching strategy while fostering a culture of continuous improvement within the audit team.

What meaningful and realistic performance metrics do IA functions utilise?

A balanced scorecard can be a useful tool to analyse and communicate the multifaceted aspects of IA function performance. In developing a balanced scorecard that effectively assesses the performance of an IA function, the CAE should consider including measures that reflect not only traditional audit metrics but also incorporate innovative aspects that can drive continuous improvement and strategic alignment. While meaningful metrics will vary by function, and the following performance measures are not intended to constitute an all-inclusive list or checklist, they could be impactful and innovative for inclusion in an IA function’s balanced scorecard:

Strategic Alignment

Number of strategic initiatives/committees in which internal auditors are involved (versus target)

Proportion of the organisation's strategic priorities addressed in the audit plan

Degree of alignment between IA recommendations and business strategies

Innovation and Improvement

Innovative audit tools or techniques implemented

Innovations contributed to the company by the IA function (e.g., process improvements, cost savings, controls turned over to first- and second-line functions)

Governance Enhancements

Impact of IA on improving governance structures within the organisation (e.g., policy revisions influenced by audits)

Percentage of recommendations accepted and/or implemented (versus target)

Resource Optimisation

Ratio of productive to unproductive audit time (include target)

Alignment of IA personnel competency and skills to areas within IA mandate and audit plan

Coordinated activities with other lines of defense (e.g., ERM, compliance, ESG)

Level of internal audit staff turnover versus target

Stakeholder Engagement and Satisfaction

Stakeholder satisfaction scores via surveys or interviews

Extent of stakeholder engagement in defining audit focus areas 

Number or percentage of hours aligned to support management requests

Risk Management Improvement

Contribution to risk identification and mitigation effectiveness

Trends in key risk indicators impacted by IA activities

Extent of coordination and alignment with other risk management and assurance functions (include consideration of efficiency gains)

Performance Against Objectives

Achievement rate of defined IA strategic objectives

Progress made on key initiatives outlined in the strategic plan

Learning and Growth

Training opportunities per auditor for professional development 

Skills enhancement reflected through certifications or specialised expertise gained

Value Creation

Quantitative benefits realised by the organisation from IA interventions (e.g., financial recoveries, efficiency gains)

Qualitative benefits such as improved organisational culture toward compliance and control awareness

 

The measures selected by the IA function and affirmed by its stakeholders should provide a comprehensive view of both quantitative outputs (like audit finding implementation rates) as well as qualitative outcomes (like efficiency improvements and enhanced governance practices in target audit areas). It is essential to customise these metrics based on specific organisational contexts while ensuring they support informed decision-making, demonstrate value added by the IA function, encourage innovation within the team, and align with corporate objectives for long-term success.

These performance metrics will and should change over time. The IA function may need to shift the focus of its activities to be responsive to evolving stakeholder expectations as well as business conditions and priorities. There may be times when a focus on identifying potential cost reductions adds the most value to the organisation, and others when establishing stronger controls is a collective focus. Beyond conforming with the Standards, it is important for the CAE to revisit the IA function’s performance objectives with senior management and the board at least annually or as the circumstances of the organisation change.

Learn more about the Global Internal Audit Standards update by registering for our webinar here.

This is part 3 of a 3-part blog series. Read blog 1 and blog 2 to further understand the Global Internal Audit Standards.
