Internal Audit Functions: Strategy requirements under the new Global Internal Audit Standards

Hi everyone, following the launch of the new Global Internal Audit Standards (the Standards) I want to focus on the Strategy requirements that are generating commentary on LinkedIn. Thanks to Stephen Horne for his comment on my last article regarding Internal Audit Charters. I’m sharing Steve's comment here again as a starting point, and a memory jogger:

Charters are not boring or dry to me. Or perhaps I should express that differently: they shouldn’t be boring or dry. They should be the source of our sparkle.
I agree with your thinking and analysis, but what grieves me most is item 5. Scope of IA activities. To take a better view on it, we might use the term IA strategy. Which very few IA functions have or have even given serious thought to. As a result, Charters are often narrow and bland, not expansive and challenging - a great Charter sets IA up with a stage upon which it can perform, and a landscape within which it can roam freely. The Charter is the beating heart from which our potential emanates (or not).

So, if charters are to be a “source of our sparkle” and “the beating heart from which our potential emanates”, what should we do about Internal Audit's own strategy? Taking Stephen’s lead, let’s be expansive in our thinking and challenge ourselves to perform better…

Why Internal Audit needs a strategy - to contribute to the growth and resilience of their organisation

In my view, Internal Audit’s (IA's) strategy should be the compass guiding the organisation’s voyage of sustainability and resilience. The strategy needs to be the critical master plan that maps the course to navigate the complexities of improving risk management, processes and the control environment. This is not just about conformance with the Standards; it is about proactively identifying the objectives of your function, seeking out opportunities for improvement, fostering a culture of continuous learning and adaptation, and ultimately contributing to the mission of sustainable growth and resilience of the organisation.

In this article, I share better practice extracted from existing IA Charters that refer to IA Strategy or 'Scope of Internal Audit Activities' (item 5. of the seven vital IA Charter elements in my last article). It is certainly true that the vast majority of IA Charters I have seen only mention strategy in terms of alignment with their organisational strategy, objectives and risks. Following Stephen’s comment, I went back to develop some specific insights for you, from my knowledge of existing IA Charters.

What should the strategy relate to? The IA function itself...

Before we dive into the current state of IA Strategy, let’s differentiate between strategy and annual plans, or even multi-year ‘strategic’ plans. Both strategy and plans are crucial for the effectiveness of internal audit, but a true IA Strategy operates at a higher level and over an extended timeframe (e.g. 3-5 years).

It’s also important to refer to five specific Standards in the new Global Internal Audit Standards (the Standards) that relate to strategy:

First, Standard 4.2 Due Professional Care requires that internal auditors exercise due professional care by assessing and understanding their organisation's strategy and objectives. Although important, this is not the same as the IA function’s own strategy.

Secondly, Standard 6.1 Internal Audit Mandate requires that the CAE document or reference the mandate in the internal audit charter, and periodically revise that mandate to enable the internal audit function to achieve its own strategy and accomplish its objectives. This is an important linkage between charter, mandate and strategy.

Thirdly, Standard 8.2 Resources requires that the CAE evaluate their resources and develop a strategy (i.e. a strategic implementation plan) to obtain sufficient resources, informing the board about any impact of shortfalls and how they are to be addressed. Some practical considerations would be to include documented resource plans, budgets, staffing options, use of technology and cost-benefit analysis in the IA function’s strategy.

Fourth, in Domain IV: Managing the Internal Audit Function I find the responsibility of the CAE for strategic planning is strongest. Principle 9 Plan Strategically requires the CAE to understand the IA mandate and the organisation’s governance, risk management and control processes; and also to develop and implement a strategy for the IA function to support the organisation’s success.

Specifically, Standard 9.2 Internal Audit Strategy requires that the CAE develop and implement a strategy for their own function that supports the objectives and success of the wider organisation and aligns with the expectations of key stakeholders, including periodic review with the board and senior management. It states that:

An IA strategy is a plan of action designed to achieve a long-term or overall objective. The internal audit strategy must include a vision, strategic objectives, and supporting initiatives for the internal audit function. An internal audit strategy helps guide the internal audit function towards the fulfilment of the internal audit mandate.

Considerations for implementation include alignment to the IA Charter and using a SWOT analysis or Current State / Future State ‘gap analysis’ to determine initiatives to improve the function.

Lastly, Standard 12.2 Performance Measurement requires that the CAE develop performance measures to assess progress against IA’s strategy, evidenced by consideration of the Standards, the IA Charter and the IA function’s strategy.

Let’s use the Current State / Future State gap analysis technique under Standard 9.2 to understand more about what is needed under the new Standards.

Current State of IA Charters - Top 10 takeaways

The better practice statements I identified include the CAE’s responsibilities in existing IA Charters, with words to the effect that:

The CAE must establish policies and a system to direct the management of the audit function and its activities and to design and implement the internal audit strategy and plans.

Please see my 'Top 10' most strategic elements of existing IA Charters I have seen for some better practice examples in outlining a specific IA scope (a proxy for 'IA Strategy') to align with the overall organisation, its risks, and control culture.

These Charters emphasised:

  1. Linkage of role, mandate, and scope of the internal audit function, highlighting IA's comprehensive, unrestricted scope across the organisation, prioritising key business risk areas and industry themes.
  2. An overall focus on key risks, including emerging and perennial ones, and the intention to not "plan to cover all risk universe areas on a cyclical basis". Hence, each annual audit plan is to be informed by IA’s independent view of management and risk function opinions and targets higher-risk areas.
  3. Provision of holistic, independent and objective internal control assurance (i.e. including all processes, IT systems, modelling, change initiatives, outsourcing, acquisition/divestment for all legal entities). Also including assessment of the adequacy and effectiveness of the 3 Lines of Assurance (e.g. second line Risk Management, and Compliance functions) within the scope of IA's work.
  4. Assessment of whether risk appetite has been established, embedded and adhered to within the activities, limits and reporting of the organisation.
  5. Evaluation as to whether the organisation's internal governance, policies and supporting processes deliver appropriate outcomes, and that they are in line with the objectives, risk appetite and values of the organisation. This includes an evaluation as to whether the design and control of products, services and supporting processes deliver appropriate customer outcomes.
  6. The quality of performance in carrying out assigned responsibilities also being within the IA approach, in the context of protecting the assets, reputation and future sustainability of the organisation.
  7. Assessment of whether the information presented to the Board, its Committees and Executive Management for strategic and operational decision-making fairly represents the benefits, risks and assumptions associated with the strategy and corresponding business model.
  8. Regular review and formation of thematic insights being integral to IA's approach.
  9. Acknowledgement that in the case of certain arrangements, contractual agreements may tend to limit the scope of IA’s activities, and any such limitations should be reported to the Board Audit Committee appropriately.
  10. Follow-up: Assurance that findings raised are addressed and resolved to mitigate the risks reported on a timely basis; or on a risk-basis evaluating management’s attestation, as agreed during the audit report finalisation process, that they have taken the necessary steps to remediate lower-rated observations and their associated risks.

I welcome your comments on this post and article. Please share how your current state aligns to this Top 10, using either SWOT, 'gap analysis' or other method of your choosing.
