PG Developing the Internal Audit Strategic Plan

7/30/2019 PG Developing the Internal Audit Strategic Plan

1/20

P Gd

DeveloPinG the internal

auDit StrateGic Plan

July 2012


2/20


3/20

www.globaliia.org/standards-guidance / C

IPPF Practice Guide

Developing the Internal Audit Strategic Plan

Table o Contents

Executive Summary ................. ................ ................. ................. ................ ..... 1

Introduction ................ ................. ................. ................ ................. ................ 2

Strategic Plan Defnition and Development ................. ................. ................ .. 2

Review o Strategic Plan ................. ................. ................ ................. ........... 10

Appendix: Illustrative Example SWOT Analysis ............... ................. ........ 11

Appendix: Illustrative Example Strategic Plan Summary ......................... 12

Authors and Reviewer ............... ................. ................. ................ ................. 14


4/20


5/20

www.globaliia.org/standards-guidance /

IPPF Practice Guide


ex SFor internal audit to remain relevant, it should adapt to

changing expectations and maintain alignment with the

organizations objectives. The internal audit strategy is

undamental to remaining relevant playing an impor-

tant role in achieving the balance between cost and value,

while making meaningul contributions to the organiza-

tions overall governance, risk management, and internal

controls.

A systematic and structured process can be used to devel-op the internal audit strategic plan, helping to enable the

internal audit activity to achieve its vision and mission.

The ollowing steps can be used to develop the internal

audit strategic plan:

1. Understand the relevant industry(ies) and the orga-

nizations objectives.

2. Consider the International Proessional Practices

Framework (IPPF).

3. Understand stakeholder expectations.

4. Update the internal audit vision and mission.

5. Dene the critical success actors.

6. Perorm a strengths, weaknesses, opportunities, and

threats (SWOT) analysis.

7. Identiy key initiatives.

It is important or the chie audit executive (CAE) to vet

the strategic plan with key stakeholders and obtain ap-

proval rom the board1, as this is part o the CAEs obliga-

tion or periodically reporting to senior management and

the board on internal audits purpose, authority, respon-

sibility, and perormance (Standard 2060: Reporting toSenior Management and the Board). It will be necessary

or the strategic plan to be periodically reviewed. Factors

infuencing the requency o reviewing the strategic plan

include:

Changes in the organizations strategy.

Degree o the organizations growth and assessment

o organizational maturity.

Degree to which the organization and its senior

management rely upon the internal audit activitys

independent assessment and/or support regarding

the management o organizational risks.

Signicant change in the availability o the internal

audit activitys resources.

Signicant change in laws and/or signicant changes

to organizational policies and procedures.

Degree o change in the organizations control envi-

ronment.

Key changes in an organizations leadership team and

board o director composition.Evaluation o how the internal audit activity has

qualitatively or quantitatively delivered on its strate-

gic plan.

Results o internal/external assessments o the inter-

nal audit activity.

This Practice Guide was developed to provide the CAE

with guidance on how to develop an internal audit stra-

tegic plan. It also highlights the IPPFs Practice Advisory

2120-2: Managing the Risk o the Internal Audit Activ-ity; while there is no way to mitigate all o the risks, an

internal audit activity can proactively manage its risks by

developing a strategic plan.

1 The term board is used in this guidance as dened in the Standards glossary: A board is an organizations governing body, such as a board o directors, supervisory board, head o an agencyor legislative body, board o governors or trustees o a nonprot organization, or any other designated body o the organization, including the audit committee to whom the chie auditexecutive may unctionally report.


6/20

2 / www.globaliia.org/standards-guidance

IPPF Practice Guide


This guidance will be particularly eective as a guide orrst-time strategic plan preparation or an internal audit

activity. It also provides a good review or a strategic plan

that has been in place and might need to be rereshed.

idThe International Proessional Practices Framework

(IPPF) is the conceptual ramework that organizes au-

thoritative guidance promulgated by The Institute o In-

ternal Auditors (IIA). The IPPF includes the Denition o

Internal Auditing, Code o Ethics, International Standardsfor the Professional Practice of Internal Auditing (Stan-

dards), and strongly recommended guidance such as this

Practice Guide.

According to The IIAs denition: Internal auditing is an

independent, objective assurance and consulting activity

designed to add value and improve an organizations op-

erations. It helps an organization accomplish its objectives

by bringing a systematic, disciplined approach to evaluate

and improve the eectiveness o risk management, con-

trol, and governance processes.

In order to adhere to the IPPF, internal audit practitioners

would benet rom applying a strategic approach toward

developing a strategic plan or achieving their internal

audit vision and mission statements, thereby positioning

themselves to meet the expectations o stakeholders.

Sg P Dfd DpDefnition o Strategy

Strategy is a means o establishing the organizations pur

pose and determining the nature o the contribution it in

tends to make while predening choices that will shape

decisions and actions. Strategy or the internal audit ac-

tivity enables the allocation o nancial and human re-

sources to help achieve these objectives as dened in the

activitys vision and mission statements (which contrib-ute to the achievement o the organizations objectives)

This benets the internal audit activity through its unique

conguration o resources aimed at meeting stakeholder

expectations.

The strategy itsel is part o the set o matters to be re-

ported to senior management and the board. This respon

sibility alls under the scope o Standard 2060: Reporting

to Senior Management and the Board, which establishes

that the chie audit executive must report periodically to

senior management and the board on the internal auditactivitys purpose, authority, responsibility, and peror

mance relative to its plan.

A systematic and structured process can be used in devel-

oping the strategic plan to enable the internal audit activ

ity to achieve its vision and mission statements. The ol-

lowing steps are one approach or developing the interna

audit strategic plan:


7/20

www.globaliia.org/standards-guidance / 3

IPPF Practice Guide


The starting point or developing the internal audit stra-

tegic plan should be obtaining a thorough understanding

o the organizations objectives and the industry (or indus-

tries) in which it operates. For the internal audit activity

to deliver value, it should contribute to the achievement

o the organizations strategic, operational, reporting, and

compliance objectives while providing assurance that the

organization maintains an ethical environment and cul-

ture o accountability. Thereore, it is imperative that the

internal audit activity have an in-depth understanding o

the applicable industries (including the applicable regula

tions and laws) and the organizations objectives.

Review the organizations strategic plans prior to

interviewing stakeholders.

Industry &Objectives

Standards &Guidance

StakeholderExpectations

Vision &Mission

CriticalSuccessFactors

SWOTAnalysis

KeyInitiatives

Industry &

Objectives

Standards &

Guidance

Stakeholder

Expectations

Vision &

Mission


SWOT

Analysis

Key

Initiatives

The CAE should consider the IPPF when developing the

internal audit strategic plan. The values the internal au-

dit activitys personnel should adopt are contained within

the rameworks Standards and Code o Ethics (along with

their organizations own values).

Attribute Standards:

1000: Purpose, Authority, and Responsibility

1110: Organizational Independence

1120: Individual Objectivity

1200: Prociency and Due Proessional Care

1210: Prociency

1230: Continuing Proessional Development

1300: Quality Assurance and Improvement

Program

1311: Internal Assessments

1312: External Assessments

Perormance Standards:

2000: Managing the Internal Audit Activity

2010: Planning

2020: Communication and Approval

2030: Resource Management

2040: Policies and Procedures

2050: Coordination

2060: Reporting to Senior Management and

the Board

2110: Governance

2120: Risk Management

2201: Planning Considerations

2210: Engagement Objectives

2230: Engagement Resource Allocation

2300: Perorming the Engagement

2310: Identiying Inormation

2320: Analysis and Evaluation

2410: Criteria or Communicating

2420: Quality o Communications

2500: Monitoring Progress

2600: Resolution o Senior Managements

Acceptance o Risks


8/20


IPPF Practice Guide


Understanding stakeholder expectations and needs is a

critical step in developing the internal audit strategic plan.

It is important to include the key internal and external

stakeholders (e.g., board members, senior management,

external auditors, and regulators).

The CAE should communicate directly with each key

stakeholder to understand his or her expectations or theinternal audit activity. Stakeholders have unique back-

grounds, roles, and responsibilities that help to shape their

expectations, as well as their understanding o internal au-

dit. Thereore, it may be benecial to provide the stake-

holders with a general understanding o internal audits

role and purpose. Through discussions with stakeholders,

the CAE can determine how internal audit can add value

to the organization in both the short term and long term

based on the organizations objectives and goals. The ex-

pectations may vary in the short term versus the long term

based on the level o maturity in the organizations contro

environment. The CAE will need to evaluate stakeholder

expectations to ensure they do not confict with one an-

other and are supported by the internal audit charter. The

weighting placed on each stakeholders expectations wil

vary based on his or her role and responsibilities in theorganization.

Ater communicating with each stakeholder, the CAE

should document and conrm stakeholder expectations

Also, it can be benecial to survey the stakeholders to

help prioritize their expectations ater compiling their in-

dividual perspectives. This will orm a key input or devel

oping the internal audit strategic plan.

Industry &Objectives

Standards &Guidance

StakeholderExpectations

Vision &Mission


SWOTAnalysis

KeyInitiatives

Industry &

Objectives

Standards &

Guidance

Stakeholder

Expectations

Vision &

Mission


SWOT

Analysis

Key

Initiatives

The strategic plan is the means by which the internal

audit activitys vision and mission will be pursued. The

CAE should develop and update the vision and mission

statements based on stakeholder expectations and IIA

guidance. In writing these statements, it is important to

recognize that internal audit cannot be all things to all

people. Thereore, it is necessary or the CAE to make

tough choices recommending to the board what will bepursued and what will not be pursued.

Sharing with senior management and the board what will not

be included is important to ensure ull disclosure.

Vision Statement The purpose o establishing a vision

statement is to articulate the internal audit activitys phi-

losophy and what it hopes to contribute to the organiza-

tion. A vision transcends objectives and goals; it expresses

the desired uture state and is, thereore, loty in nature.

Mission Statement The mission statement, constructed

on the basis o the vision statement, outlines the interna

audit activitys primary business purpose, what it plans to

achieve in the uture, its values, and how it integrates intothe organizations strategic plan. The mission statement

should resonate with all internal audit personnel, as wel

as the internal and external stakeholders. It is rom the

mission statement that the internal audit strategic plan

will be developed, essentially determining how the mis-

sion will be achieved. The mission statement is commonly

the rst statement in the internal audit charter.


9/20


IPPF Practice Guide


Identiying the critical success actors (CSFs) will allow

the internal audit activity to understand the limited num-

ber o elements that should go right or it to achieve its

vision and mission. These actors will provide the depart-

ment with the essential elements that all major initiatives

should be vetted against to help ensure resources are o-

cused on the most important activities. Three questions

that may be helpul in identiying the CSFs are:

Positioning Is the internal audit activity strategi-

cally positioned and supported?

Processes Are the internal audit activitys process-

es enabling and dynamic in meeting business needs?

People Does the internal audit activity have the

right people strategy to deliver its mission?

Monitoring the progress o the critical success actors wil

ensure management is giving them continuous attention.

Industry &

Objectives

Standards &

Guidance

Stakeholder

Expectations

Vision &

Mission


SWOT

Analysis

Key

Initiatives

Industry &

Objectives

Standards &

Guidance

Stakeholder

Expectations

Vision &

Mission


SWOT

Analysis

Key

Initiatives

Perorming an assessment o the current state o the in-

ternal audit activity will help identiy what should be in-

corporated into a strategic plan. One technique is to per-

orm a strengths, weaknesses, opportunities, and threats

(SWOT) analysis against the vision, mission, and critical

success actors. The aim o any SWOT analysis is to iden-

tiy the key internal and external actors that are important

to achieving the strategy. This analysis groups inormation

into two main categories:

Internalfactors The strengths and weaknesses

unique to the internal audit activity.

Externalfactors The opportunities and threats

presented by the external environment to the inter-

nal audit activity. The external environment includes

orces inside the organization (but outside o the in-

ternal audit activity) and outside o the organization.


10/20


IPPF Practice Guide


Topics to consider in perorming the SWOT analysis in-

clude (but are not limited to):

Organizational Structure

The internal audit activity structure should be designed to

ensure an appropriate level o supervision to deliver high

quality while acilitating ecient delivery o services. Ad-

ditionally, the internal audit activity should be ree rom

conditions that threaten the ability to perorm its respon-

sibilities in an unbiased manner. To achieve the degree o

independence necessary to carry out internal audits re-sponsibilities eectively, the CAE should have direct and

unrestricted access to senior management and the board.

Resource Requirements

The skill set and knowledge o the internal audit team are

critical to its ability to help the organization achieve its

objectives and strategy. The initial step in people planning

is to perorm a skill assessment to identiy the skills and

knowledge required to address items in the internal audit

strategy. It is important to assess the degree to which the

skills and knowledge identied will need to be relied upon

as this will infuence the type o sourcing model selected

Additionally, consideration should be given regarding how

to best leverage technology resources in conjunction with

establishing the most appropriate sourcing model. These

aspects o resource consideration will support priorities

or the department as dened by the CAE.

An assessment o the necessary skills and knowledge can

include: i) the scope o the internal audit activitys respon

sibilities as dened by the charter, ii) expected balance

o assurance and consulting engagements, iii) stakehold

ers expectations and requirements, iv) results o the risk

the ollowinG are DeinitionS o a Swot analySiS inDiviDual comPonentS:

StrenGthS weaKneSSeS

InternalOrigin Internal characteristics o the internal audit activity

that can be considered acilitators o the audit

strategy.

Internal characteristics o the internal audit activity

that, in opposition, can prevent the achievement o

the audit strategy, and can place the activity in an

unavorable position.

oPPortunitieS threatS

ExternalOrigin External elements apart rom the internal audit

activity that can increase the demand or more and

better assurance and consulting audit services and

contributions.

External elements apart rom the internal audit

activity that, in opposition, can decrease the demand

o assurance and consulting services, prevent the

achievement o the audit strategy, and place the

activity in an unavorable position.


11/20


IPPF Practice Guide


assessment, v) the level o coordination with other riskmanagement and assurance unctions, and vi) the long-

term strategic plan or the organization. The IIAs Com-

mon Body o Knowledge publication Core Competencies

for Todays Internal Auditormay be valuable in identiying

what internal auditors need to know to perorm their jobs

with due care while adding value to their respective orga-

nizations.

Technology & Tools

Reviewing the internal audit activitys technology and tools

will help a CAE understand the activitys capabilities. Theuse o electronic workpapers may be helpul to improve

productivity and acilitate quality control, especially in

managing multiple components o single engagements

with multiple sta and or multiple locations. Leverag-

ing work fow tools within such applications to share les

and consolidate ndings may promote eective inorma-

tion sharing to allow or timely quality control o workpa-

pers and reports. Additionally, these tools can enable the

CAE to better monitor the progress o the audit plan and

drill down to the engagement component o each plan.

Such applications also provide a central repository orworkpapers and reduce the risk o multiple le versions,

which allows or eective le sharing. Return on invest-

ment analysis would be needed to support justication to

implement such tools. Some applications primarily ben-

et the internal audit activity; however, many electronic

workpaper applications also provide surveys and certica-

tion templates and accompanying work-fow technology

to manage governance/control initiatives.

Using data analytics and leveraging continuous control

monitoring (CCM) tools can be benecial to a depart-

ments eciency and eectiveness. Data analytics can

better ocus hours spent by resources relative to risk.

CCM leveraged by the broader organization may serve to

provide reliable evidence or the eective unctioning o

detective controls within an application. The presence o

CCM may not be sucient to permit reliance i data de-

livered by such tools is not reviewed by management in atimely and eective manner.

Sourcing Model

An assessment o sourcing models should be perormed to

determine the most cost eective structure or perorm-

ing the expected services or auditable entities within the

audit universe. The key variables to assess related to the

sourcing model include:

Required skills

Specialized skills

Level o centralization vs. decentralization in the

organization

Geographical ootprint

Language requirements

Desired fexibility with stang and cost structure

Upcoming changes to laws and regulations

Budget

Desired level o talent sourcing or the organization

The sourcing options include:

Full in-house stang only using internal resources

Limited co-sourcing internal resources perorm

majority o activity with outsourced resources provid-

ing specialized skills

Signicant co-sourcing CAE is supported primarily

by external resources

Full outsourcing external resources perorm entireactivity

It may be benecial to perorm benchmarking o organiza

tions within the same industry that are similar in size and

in geographical coverage to gauge the number o resources

appropriate or the risk appetite o the organization. Con-


12/20


IPPF Practice Guide


sider the ollowing when determining the appropriatenessand suciency o resources:

Types o risks aced by the organization, and the risk

appetite o its stakeholders.

The internal audit stas experience level expe-

rienced sta may require ewer hours to complete

engagements.

Nature o engagements to be perormed engage-

ments that are complex, new to scope, or require

remediation testing based on risk will require more

time to execute.

Degree to which automated control evaluation is

integrated into the audit plan automated controls

are generally more ecient to test.

Where the internal audit activity is viewed as a source o

talent or the organization, it may be benecial to con-

sider a rotational stang model. This model provides the

organization with individuals who have an extensive un-

derstanding o governance, risk management, and con-

trols. Rotational models provide benets to the internalaudit activity by introducing sta members (rom outside

the activity) with nonaudit backgrounds who may provide

specialized skills along with an independent perspective

on engagements and audit procedures. Disadvantages

to such models include increased training and oversight

o rotational sta, lack o engagement continuity, and a

cooling-o period rom auditing the area they most re-

cently worked (Practice Advisory 1130.A1-1: Assessing

Operations or Which Internal Auditors Were Previously

Responsible).

Coordination With Other Risk Management and As-

surance Functions

Based on stakeholder expectations, IIA guidance, and the

audit charter, the CAE should align resources and priori-

ties, determine how the internal audit activity will work,

and coordinate with other risk management/assurance

unctions.

Organizations oten have separate groups perorming various risk management and assurance unctions indepen-

dently o one another. The internal audit activity should

develop a clear understanding o the other groups objec-

tives and determine how the groups should best coordi-

nate their eorts to minimize duplication and help to en-

sure key risks are being addressed. For urther inormation

on this topic, reer to The IIAs Practice Guide, Reliance

by Internal Audit on Other Assurance Providers.

Methods to Deliver Services

The methodologies or perorming internal audit as-surance and consulting services should be dened and

documented to help ensure there is consistency and high

quality o services or planning, eldwork, reporting, and

ollow-up. There should be both mandatory requirements

and recommended protocols to allow or fexibility in

perorming the work, allowing or circumstances when

requirements are not easible. The methodology should

conorm to the IPPF.

Communication With Stakeholders

The CAE should have a communication plan in place that

ensures senior management and the board are inormed o

the plan or the internal audit activity including resource

requirements (and limitations) and progress against such

plan. It is also valuable to include in this communication

plan the results rom internal audits assurance and con-

sulting engagements, including managements progress in

remediating ndings.

People Development

Building upon the skills identied in the previous sectionResource Requirements, it is vital to have a dened ap-

proach or how the audit team will be developed, trained

and managed. A people development plan should include

clear expectations or each position, including the nec-

essary competencies, knowledge, experience, and certi-

cations. These expectations enable management to work

toward an individuals readiness or his or her current po

sition and uture advancement.


13/20


IPPF Practice Guide


Based on the results o the SWOT analysis, it is possible

to identiy and prioritize the key initiatives that will have a

signicant impact on achieving the internal audit activitys

critical success actors and thereore its vision and mis-

sion statements. For each initiative, it is valuable to iden-

tiy a timeline or implementation, the desired objectives,

the perormance measurements (qualitative and quantita-

tive), and the associated SWOT elements.

Perormance Monitoring

To ensure the strategic plan produces the desired results,

it is critical to monitor its execution and impact. To help in

this regard, it is benecial to establish perormance goals

(qualitative and quantitative) to measure the progress and

perormance o each initiative against expectations. Feed-

back rom key stakeholders on progress against the stra-

tegic plan may also provide a mechanism to support the

assessment process. Additionally, the CAE and his or her

management team can perorm sel-evaluations regardingthe eciency and eectiveness o strategic plan execu-

tion. These goals can be included in reporting provided

to key stakeholders. For urther inormation on this topic,

reer to the Practice Guide, Measuring Internal Audit E-

ectiveness and Eciency.

Feedback and Approval

It is essential to vet the strategic plan with the key stake-

holders prior to its nalization. Communication o the

revised strategic plan will increase awareness and buy-in

across the organization. Final approval should be obtained

rom the board.

Industry &

Objectives

Standards &

Guidance

Stakeholder

Expectations

Vision &

Mission


SWOT

Analysis

Key

Initiatives


14/20


IPPF Practice Guide


r Sg PSimilar to the strategic plan or the organization, the in-

ternal audit strategic plan should be periodically reviewed

and appropriately updated. The requency o review will

be determined by the CAE in conjunction with discus-

sions with the board. Factors infuencing the requency o

reviews include (but are not limited to):

Degree o the organizations growth and assessment

o organizational maturity.

Changes in the organizations strategy.

Degree to which the organization and its senior

management rely upon the internal audit activitys

independent assessment or support regarding the

management o organizational risks.

Signicant change in the availability o the internal

audit activitys resources.

Signicant change in laws or the volume o changes

to organizational policies and procedures.

Degree o change in the organizations control envi-ronment.

Key changes in an organizations leadership team and

board o director composition.

Evaluation o how the internal audit activity has

qualitatively or quantitatively delivered on its strate-

gic plan.

Results o internal/external assessments o the inter-

nal audit activity.


15/20


IPPF Practice Guide


appdx:is exp Swot ass

StrenGthS weaKneSSeS

1. Defned internal audit vision, mission, values, and charter

2. Strong respect and credibility o CAE with senior management

3. Defned and validated audit universe

4. Formal risk-based planning process with management

validation

5. Individual sta training/certifcation plans

6. Independent and objective organization-wide perspective

7. Sta adaptable to change; positive attitude

8. Diverse skills, backgrounds, and business knowledge o sta

9. Process ocus vs. transactional ocus

10. Increased partnering with the business

11. Formalized ollow-up process

1. Skill gaps consulting and raud knowledge

2. Undefned sta development model

3. Limited sta career opportunities not a talent source or the

business

4. Risk assessment not mapped to organizations strategy; limited

identifcation o emerging risks

5. Audit plan limited to one year

6. Limited understanding o stakeholder expectations

7. Inconsistent communication with stakeholders

8. Emphasis on fndings (gotcha and policeman mentality)

9. Limited involvement in organizations strategic decisions

10. Lack o ormal knowledge-sharing program

11. Limited ocus on operational efciency vs. eectiveness

12. Limited use o data analytics and data mining

13. Perormance evaluations only occur annually

14. Long audit cycle time15. Not ully aligned with IIA Standards

16. Audit methodology does not address all types o engagements

oPPortunitieS threatS

1. Improve perception o sta skill, knowledge, and capabilities

2. Confrm and clariy stakeholders evolving expectations

3. Educate stakeholders on internal audits role and capabilities

4. Become involved in new initiatives early to incorporate controls

5. Educate management on recurring/common issues

6. Collaborate with other assurance/risk management unctions

throughout the year and during risk assessment

7. Introduce risk and control sel-assessments

1. Predisposition o board to ocus on fnancial and compliance

exposures without balanced attention to operational risks

2. Implementation o fndings constrained by budgets, stafng,

and governance

3. Reduction in management cooperation

4. Emerging and changing risks increase skill gaps

5. Lack o awareness o business initiatives

6. Adapting to higher IIA Standardsand stakeholder expectations


16/20


IPPF Practice Guide


appdx:is exp Sg P SVision

To be a high-perorming internal audit activity that meets

the expectations o our stakeholders and adheres to The

Institute o Internal Auditors International Standards for

the Professional Practice of Internal Auditing (Standards)

and the attributes o high perormance recognized byleading internal audit activities. This will enable us to be

a business partner and a trusted advisor, recognized as a

driving orce behind a culture o governance, accountabil-

ity, compliance, and execution that helps in the achieve-

ment o the organizations objectives.

Mission

Deliver an independent assessment o nancial, regula-

tory, and operational risks and control eectiveness to the

organizations management and the board. We will provide

control expertise to minimize risks, improve process qual-ity, and enhance operational eectiveness in urtherance

o our business goals.

Critical Success Factors, Initiatives,Objectives, and Key Tasks

CSF 1: Focus on the Organizations Highest Risks

Initiative: Enhance the planning process to identiy the

highest priority strategic, operational, nancial, and regu-

latory risks to the organization.

SWOT Mapping: Weaknesses - 4, 5, 9

Opportunities - 6

Objectives:

A sustainable process that identies the most signi-

cant internal and external risks that could impede

the achievement o the organizations objectives andstrategy.

Collaboration with other control and risk manage-

ment unctions to coordinate coverage o the risks.

Key Tasks:

Benchmark the current risk assessment process

against other organizations o comparable size.

Inventory current processes and sources used to

identiy emerging risks (which have never occurredor not occurred or an extended period).

Understand the scope o other control and risk man-

agement groups responsibilities and their approach

or identiying risks.

Develop a methodology that links the organizations

strategy to the auditable risks.

Validate the methodology with key stakeholders.

Time rame: August November 201X

CSF 2: Provide Impactul Reporting to Stakeholders

Initiative: Increase the transparency o internal audits ac-

tivities through providing timely and impactul communi

cations to key stakeholders regarding the global collection

o risks, audit ndings, and issue-remediation eorts.

SWOT Mapping: Weaknesses 6, 7, 8

Opportunities 3, 5

Objectives:

A relationship map and communication plan or key

stakeholders.

Standardized reports or regular communications.

Key Tasks:

Identiy key stakeholders.


17/20


IPPF Practice Guide


Obtain eedback rom key stakeholders on peror-mance and expectations.

Agree on improvement opportunities.

Design and implement to-be state.

Time rame: March April 201X

CSF 3: Maintain Efcient and Eective Audit

Processes

Initiative: Develop a manual that denes the methodology

or perorming all internal audit assurance and consulting

engagements.

SWOT Mapping: Weaknesses 1, 11, 15, 16

Opportunities 7

Objectives:

Identication o the required and recommended

practices or all engagement types, helping to ensure

a consistent approach that adheres to the Standards.

Key Tasks:

Assess current processes or planning, eldwork,

reporting, and ollow-up o assurance and consulting

engagements against the IPPF.

Rene processes to align with the IPPF, identiying

those that are required vs. recommended.

Develop control sel-assessments tools.

Validate the internal audit manual with all sta.

Time rame: June August 201X

CSF 4: Adequately Skilled and Knowledgeable Sta

Initiative: Identiy the critical skills, create development

plans, and develop a sourcing strategy to deliver on the

mission statement.

SWOT Mapping: Weaknesses 1, 2, 3, 10, 11, 15, 12Opportunities 3

Objectives:

Understand the necessary skills to deliver on the

mission statement or all areas within the audit

universe.

Develop a ormalized training and development pro-

gram or all sta levels.

Key Tasks:

Perorm skills assessment.

Identiy internal and external stang and training

solutions.

Develop continual learning and development pro-

gram.

Time rame: July October 201X

Note: A work plan would need to be developed to identiy

the detailed steps, the necessary timing, and the neces-

sary resources to complete each initiative.


18/20


IPPF Practice Guide


as:Brian Reed, CIA

Erich Schumann, CIA

Princy Jain, CIA, CCSA, CRMA

Rita Thakkar, CIA

r:Steven Jameson, CIA, CBA, CCSA, CFE, CFSA, CGMA,

CPA, CRMA


19/20


20/20

About the InstituteEstablished in 1941, The Institute o Internal

Auditors (IIA) is an international proessional

association with global headquarters in Altamonte

Springs, Fla., USA. The IIA is the internal audit

proessions global voice, recognized authority,

acknowledged leader, chie advocate, and princi-

pal educator.

About Practice Guides

Practice Guides provide detailed guidance orconducting internal audit activities. They include

detailed processes and procedures, such as tools

and techniques, programs, and step-by-step ap-

proaches, as well as examples o deliverables.

Practice Guides are part o The IIAs IPPF. As

part o the Strongly Recommended category

o guidance, compliance is not mandatory, but

it is strongly recommended, and the guidance

is endorsed by The IIA through ormal review

and approval processes. For other authoritative

guidance materials provided by The IIA, pleasevisit our website at https://globaliia.org/standards-

guidance.

DisclaimerThe IIA publishes this document or inorma-

tional and educational purposes. This guidance

material is not intended to provide denitive an-

swers to specic individual circumstances and as

such is only intended to be used as a guide. The

IIA recommends that you always seek indepen-

dent expert advice relating directly to any specic

situation. The IIA accepts no responsibility or

anyone placing sole reliance on this guidance.

Copyright

Copyright 2012 The Institute o Internal

Auditors. For permission to reproduce, please

contact The IIA at [email protected].

Global heaDquarterS t: +1-407-937-1111

247 Maitland Ave. : +1-407-937-1101

Altamonte Springs, FL 32701 USA w: www.globaliia.org

PG Developing the Internal Audit Strategic Plan

Documents

Transcript of PG Developing the Internal Audit Strategic Plan