A Strategic Plan for Internal Audit

Over the years, I have built internal audit departments from scratch. I have also re-engineered existing functions in response to requests from the board and executive level to “take internal audit to the next level.”

Today, I want to share the approach I have used and ask for comments, stories, etc.
Before you take a single step, it is essential to:
  • Understand the business
  • Determine where the value of internal audit lies – to the board, to executive management, to operating management, and to the organization’s success
  • Frame a vision for the internal audit function
Even though I started each challenge with a set of experiences that tend to bias my thinking (such as a belief that the head of internal audit should provide a formal annual assessment of the condition of risk management and related internal controls), the first thing I did was listen.
I actively listened to management around the company so I could understand the business. I learned about the company’s past, the environment in which it operated (regulatory, competitive, stakeholder expectations, the market for its products and services, the level of margins, its supply chain challenges, etc.), the strength of the management team, and the condition of the major assets (factories, pipelines, etc.).
I listened to people talking about their experience with internal auditing. Where there was an existing internal audit department, had it added value? Did it meet the expectations of the board and management? Was it a department of “no”, or did it take a partnering approach to enhance the management of risk and operation of controls? Did it provide the assurance essential to leaders of the organization? How strong was the team and who were the stars?
I consulted with the external auditors and other assurance providers within the organization. How strong was the system of internal control? How reliable were IT processes, infrastructure, and applications?
I talked at some length to key stakeholders and management that would be key to success, especially the general counsel, the CFO, and the CIO. I learned about the corporate politics and inhibitors for success. I heard and absorbed the corporate vision and strategies, significant capital and IT projects, and more.
I asked about and probed to understand the more significant risks to the organization. What did the board and top management worry most about? (I have yet to lead an internal audit function where there was a separate, established, risk management function.)
I not only listened and learned about risks, but asked and listened to suggestions as to how the internal audit function could add value. In some cases, it was to provide consulting services around major acquisitions, capital projects, or IT developments. In others, it was to help re-engineer processes for improved efficiency and effectiveness. Sometimes, it was simply to provide assurance that certain risks (such as the use of derivatives) were appropriately managed.
Once I had listened to the board and management, I took care to listen carefully to the internal audit staff (where there was one; in one case the function had been outsourced, so I listened to the outsourcing partner and its staff instead). Even though they were relatively young and inexperienced, and even though they were not always highly respected within the organization, they always had invaluable views and insights.
Now was the time to frame a vision. What were the essential services, assurance and consulting, the organization needed – whether they were aware of the need or not (if not, I would have to sell the need to them)? What was the best way to deliver them?
In one case, I saw that I needed to move the internal audit function from performing a series of audits of major factories (basically one at a time) to delivering assurance on the management of risks across the enterprise. This would require changing from completing at most 15 audits each year to completing assurance engagements covering the company’s more than 100 locations; a significant controls failure at perhaps 80 of the >100 could be material to the company’s results, given the low operating margins.
I considered the need for changes in:
  • Audit approach (as illustrated by the example above)
  • Staffing: perhaps I would need more senior staff, more IT or environmental specialists, etc. Perhaps I would have to change the organization of the department or where staff were located (in two cases, I opened offices in Singapore). Often, I added training in specialized areas, such as lean manufacturing, operational auditing, data analytics, and interviewing skills.
  • Process: I frequently streamlined audit reporting, eliminated time reporting and other non-value-add activities, improved the efficiency of working papers, extended reliance on other assurance providers, etc.
  • Technology: this is one of the most important, but often overlooked, areas of opportunity. When I had to move from 15 to >100 audit engagements each year, I started the use of data analytics to monitor operational results (KPIs) and risks (KRIs); I used software for surveys and management self-assessment; and I limited travel by asking remote locations to scan and email me documents to support their self-assessments.
Usually, the vision was not something I could make happen overnight. Several changes were needed, each of which would take time. This was especially true when it came to changing the staffing of the function.
So, not only did I frame a longer-term vision, but I identified how the department would transition over the year or two it took to make the change.
I captured the vision, the timeline for actions, and a description of what would be achieved over time (for example, moving from 15 audits in the prior year to 40 in the next, then 80, and finally to about 100 per year). This was first discussed with key stakeholders and allies (such as the CFO, CIO, general counsel and others) and modified. Then I reviewed it with the CEO and finally the board.
The completed strategy document was socialized with staff and management. I also tracked and reported progress to all key stakeholders, including the audit committee of the board.
Do you have an audit department strategy? Are you in the process of changing the function?
If not, why not?

Posted on Nov 10, 2010 by Norman Marks


  1. Dear Sir,

    You explained the strategy correctly, as I have set up the Internal Audit Dept. for my company.

    But now I am facing a problem in further enhancing the value of IA for the company, because compliance/replies are very weak and policies are still not defined and written.

    Employees have been very attached to the organisation for a long time, and I can't do anything if they don't cooperate.

    Please suggest some solution.

  1. As always, a succinct and object-oriented guidance.

    I've a couple of queries:

    (a) How to resolve the perceived variance between what the Audit Committee (to whom the CAE reports functionally) wants of IA, and what the operational management expects? For instance, the AC may want IA to provide assurance on the controls in the whole value chain of processes/functions. On the other hand, operational management may say "We know there are problems..." but want IA to focus on certain areas (like cost escalation, potential leakages/business efficiencies, and major potential quality improvement areas) to 'deliver more value'. Agreed, the two may not be exclusive (you can always focus on some areas yet carry out a holistic audit), but how to resolve it when the underlying message is to focus on certain areas ONLY, to the exclusion of others?

    (b) Since IA has the primary responsibility to provide assurance on processes (again, perhaps an assumption, though a valid one), to what extent can it factor in the 'audit' work carried out by other agencies like ISO auditors (internal), quality auditors (internal), 'statutory'/financial reporting auditors (external) and the like? Can IA legitimately factor in all the above (without any detailed study of their methodologies and results) and cover only the areas 'left behind' and, if so, should such truncation of scope be expressly included in the preamble to IA reports?

    Responses to above, based on your vast experience, can go some way in clearing the doubts of a 'practitioner'.

    Thanks & Regards.

  1. Dear Amit,

    It is hard to give advice on your situation without understanding far more.

    It sounds like management does not agree with your suggestions for improvement. If they did, then I would expect them to implement them.

    Here's what I would do:

    1. Make sure you are listening to them. If they are disagreeing, why? Do they have an understanding of the business and its risks they are not sharing?

    2. If you have not persuaded them, and are convinced they don't have a good reason not to agree, then spend some time assessing your approach. Are you talking to them in a fashion that resembles a consultant, or are you writing up a recommendation and throwing it over the wall for them to respond to?

    3. Do you have any champions within the organization, such as the CFO, with whom you can chat? Ask first whether your suggestions for improvement have merit. If they do, ask why you have not been persuasive.

    4. As a last resort, you should consider going over the head of management to the CEO or board. Only do this if the issues are critical, because you won't be able to do it more than once or twice and retain any ability to work with management.

    Feel free to contact me offline.

  1. Norman,

    I agree with everything in this summary. While listening to all the key stakeholders is critical, it is more important to use the knowledge gained to improve the internal audit function and add value to the organization. I would argue, and I assume you would support, that this approach isn't only for CAEs taking on new roles but for every CAE wanting to enhance the Internal Audit function. Just because the current Internal Audit approach has worked well in the past doesn't mean it will work well in the future. Ours is a profession in which we should always be critical of the ways we do things and search for ways to get better.

  1. The role of the internal auditor is like that of a facilitator/supporter and a partner. It is very essential to gain the confidence of the staff concerned before putting in place the implementation plan for the recommendations. Usually it is difficult to convince employees who have been working under the old procedures and environment for a long time, but it is possible to convince them through step-by-step help, advice and training on how to adopt and follow the recommendations.

  1. I fully agree with this. The fact is that 'no one wants to be the auditee', so it is obviously very necessary to discuss, share, and discuss further with management to make them understand how important the internal audit function is.

    Thanks for such helpful articles.

  1. Dear Sir, I have been working as an internal auditor for 2 years. Without previous experience in internal audit (previously an external auditor), my task was to develop the IA function from scratch. I must admit, I failed to develop a function that really adds value. I am now analysing the root cause and I am almost about to start again. One of the reasons why the IA function failed is that the company doesn't have very well developed and understood risk management that is supported from the top. Basically, no one is much interested in risks and audits until some major issue happens, and then everyone is asking why this wasn't picked up in time. Also, top management is not very clear about what to expect from the IA function. I feel demotivated now, but I don't like giving up without a fight. Would you have some advice for me please? I don't know where to start any more. Thanks in advance.

  1. Petra, I would be happy to chat with you offline. Please email me at norman.marks@sap.com and suggest a date and time. I am in the US, UTC - 8 hours.

  1. Dear Norman, your story is so encouraging. I have been appointed to act as the Head of Internal Audit for a big broadcasting corporation. I need to review our process and ensure that we add value to this organization. Our department had lost respect, and I need to bring that respect back to the department. Our forensic department was previously used by management and the board to settle scores. Now, to try and manage the situation, the CEO has sort of diluted the authority and responsibility of the forensic section of the unit, in that they will report investigations to the Risk office. The functional reporting to the AC and administrative reporting to the CEO have been diluted. Please advise. Thanking you in advance.

  1. Dear Sir

    I need help in developing an internal audit strategic plan for my bank for the next 3 years! Please assist with any suggestions.


  1. Just reviewing this article again (in 2013) for a client. It's good to note that this article still stacks up with contemporary practice.

    The only difference I would add is that internal audit can be a source of leading practices once initial expectations are understood and met, and (at the risk of being self-serving) it's good to refresh the strategy annually for updated conditions and new practices.

    For the latter part, Norman's blog and twitter feeds are always a good read.
