Internal Audit has a clear understanding of the strategic direction of the company and the expectations of its stakeholders. It aligns its scope and resulting audit plan with the business direction in the context of these expectations. The function maintains alignment through strategic planning and coordination with other lines of defense.
Internal Audit incorporates stakeholder expectations into its mission and vision and clearly defines the value it will deliver to the organization. Measurement of progress toward the mission and vision and resulting actions to align with the business are communicated. To deliver on this attribute, Internal Audit routinely stays abreast of business goals, objectives and decisions while keeping a pulse on the company through its regulatory filings, competitor and industry information, and insights gained through participation in strategic discussions.
Internal Audit takes a holistic view of risks that considers internal, external and emerging risk factors. The function has a thorough understanding of the company’s risk culture, the risk appetite of the business, and regulatory and legal requirements. Internal Audit invests the appropriate time to perform a dynamic risk assessment that encompasses top-down, strategic perspectives focused on identifying the most critical risks facing the business today and in the future.
This strategic top-down risk focus is often calibrated with a bottoms-up approach centered on where risks are manifesting themselves in the business today. For certain areas, such as IT risks, a second-tier, more specific risk assessment is performed, leveraging subject matter experts to pinpoint where these risks may materialize. In anticipation of business changes and at regular intervals, the risk assessment is refreshed to keep the audit plan focused on the most critical and value added areas.
Internal Audit effectively understands and manages relationships with a broad set of stakeholders. Stakeholder expectations are well understood across the function and communication protocols are in place. The internal audit strategic plan is calibrated to align with these expectations.
A shared definition of value is measured through one-on-one feedback sessions and surveys allowing for timely action on feedback. Internal Audit communicates with impact, leading value-driven conversations. An effective stakeholder management plan often enhances business alignment and elevates Internal Audit’s awareness and resulting focus on critical risks.
Internal Audit optimizes cost by delivering efficient and value-added services through robust, well communicated audit methodology and processes. Methodology is regularly evaluated, the use of analytics is embedded throughout, and processes are standardized and simplified to maximize effectiveness while optimizing cost.
Flexible staffing models are inclusive of: internal and external resources; various staff levels; strategically positioned resources (globally, if applicable); and specialized skillsets (such as IT and sector expertise). Processes are in place, such as time reporting, to measure productivity and cost-effectiveness of services. Investments in internal audit infrastructure are aligned to the same metrics used by other service functions within the business.
Internal Audit possesses the appropriate mix of core internal audit talent, subject matter expertise, business acumen and position parity to align to its mandate and meet expectations of stakeholders, including regulators. The talent model is flexible, balancing the need for specific industry and risk expertise against the likely utilization of that expertise. The model includes the incorporation of regular training and performance feedback to enhance the department and facilitate growth and individual leadership development.
Talent is managed to include the appropriate balance of technical skills and softer skills such as conflict management, intellectual curiosity, critical thinking, relationship development, and overall leadership.
Quality and innovation
Internal Audit promotes quality and innovation through well-defined standards that align to overall IIA standards (and any sector specific regulatory or domain standards). The function performs formal quality and promotes a culture that rewards innovation and continuous improvement of core processes. The audit plan aligns with the company’s risk profile and changes as risks change.
The form and message of internal audit reports and communications are based on facts, support the achievement of Internal Audit’s mission and strategic objectives and influence stakeholders to take action. A function that consistently delivers a quality service and product is also focused on the strategic imperatives of the business. Data analytics, reporting and visualization tools are consistently used to deliver on the core mandate and innovate
Internal Audit leverages technology effectively in the execution of the entire lifecycle of the audit process. Robust audit management systems are either interfacing with or embedded into enterprise wide governance, risk and compliance (GRC) tools. Data analytics are designed and deployed enabling focus on the right risk areas and business issues as well as generating efficiencies throughout the audit process. Analytics and visualization tools are used to enhance the understanding and evaluation of risks and to identify business process and control breakdowns.
Continuous auditing techniques are leveraged to increase coverage or provide early warning of risk indicators to the business. To deliver on this attribute, the internal audit team must understand the complexities of their company’s systems architecture and innovate by using technology to drive audit efficiency.
Internal Audit serves its many stakeholders, while maintaining objectivity, by having a well-defined mandate (mission, vision and scope) and clear reporting lines. The internal audit team and the organization can succinctly articulate Internal Audit’s mandate and brand. A client service plan is in place that drives purposeful engagement with the business, anticipates needs, drives timeliness and responsiveness, and focuses on bringing valuable insight to inform business decisions. Regular feedback is solicited from stakeholders, and the department measures results and develops improvement actions as needed.