Building a Better Auditor: Why Internal Audit Needs a Strategic Plan
Blogs Noora Al Marri, CIA Aug 01, 2023
The first time I heard about developing a strategic plan for internal audit was in 2019 during an external quality assurance exercise. At first, I felt like this concept was redundant, as I thought the risk-based internal audit plan was synonymous with a strategic plan.
I believed that the risk-based plan should be the roadmap to guide internal audit functions throughout the year. After all, this plan is built taking into consideration the company’s strategies and strategic risks, among other things. As it turns out, I was wrong!
I wondered about the reason for requiring a strategic plan and whether internal audit could continue to function without having such a plan. Internal audit can indeed continue without having a strategic plan, but soon the truth will hit hard — the internal audit function will have lost its relevance to the organization.
Why might internal audit become irrelevant to the organization? Consider the risk of reviewing processes or areas the same way, over and over again, irrespective of how these processes or areas are evolving. How can I deliver on the internal audit mission “to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight” when the things around me evolve — but I don’t?
If you think about it, internal audit should naturally progress over the years from the traditional role of assurance provider looking at the effectiveness and efficiency of internal controls to more of a trusted advisor providing value-added and proactive strategic advice. But without sitting down and envisioning the future or the desired state, how can one tell if they are making progress?
With only the risk-based plan, internal audit is disconnected with how the organization is evolving. If, for example, the organization has agility and digitalization as part of its strategic initiatives, internal audit, in its traditional role, may not have the capability in terms of people, processes, and technology to understand, challenge, and advise on the relevant risks. It would not be in a position to play the role of strategic advisor. It would remain where it is, reviewing the processes in which it feels the most comfortable — and just like that, become irrelevant to the organization by focusing on risks that are not strategic for the organization.
To me, the difference between having both types of plans versus only having a risk-based internal audit plan means the ability to deliver the kind of assurance expected of internal audit by the board and management. I will continue to deliver the risk-based internal audit plan as my main responsibility, but the way I deliver it is the role of the strategic plan.
Authors Farah Araj and Robert Kuling wrote an article on the topic for Internal Auditor – Middle East magazine, in which they explain that internal audit’s strategic plan is not the same as its risk-based internal audit plan. It is a strategic document that defines the roadmap for internal audit to achieve its vision and mission and increase its maturity in response to how the organization and its risks evolve.
The risk-based internal audit plan and budget are, in fact, the operational plans for the internal audit function and are critical to its success. Both the risk-based plan and the strategic plan help internal audit reach maturity and become a strategic advisor to management and the board.
If I can map out a future state for how the internal audit function should grow in terms of process, people, and technology, I can define a plan with initiatives to reach that goal. I can then move from purely an assurance provider to being a trusted advisor. At a macro and a micro-level (whether you manage a small team or a function), having a strategic plan that defines a roadmap of what you want to achieve is a key success factor.