6 June 2013
Martin Robinson
Training Development Adviser,
Chartered Institute of Internal Auditors
Definition of strategy
Strategy is a means of establishing the
organisation’s purpose and determining the nature
of the contribution it intends to make while
predefining choices that will shape decisions and
actions. Strategy for the internal audit activity
enables the allocation of financial and human
resources to help achieve these objectives as
defined in the activity’s vision and mission
statements.
Steps to be used to develop the internal audit
strategic plan
Factors influencing the frequency of
reviewing the strategic plan
Performing a SWOT analysis
The key variables when developing a
sourcing model
Heads of internal audit benchmarking
report – Internal audit strategic plans
August/September 2012
Key issues
Developing an internal audit strategic plan
Some practical tips and experiences
IIA Heads of Audit Forum
June 2013
David Butler
Developing the internal audit strategic plan
TOPIC AREAS
• Introduction
• The importance of communication
● Understand the importance and reliance placed upon a modern Internal audit function through the stakeholders' eyes
● Ensuring that you are receiving clear messaging from your stakeholders?
• Understand the complexity of the matrix management of dealing with diverse and increasing stakeholder expectations
• Elements of the strategic plan:
● What are the top priorities for the Internal audit function?
● Build an internal audit strategy that focuses on stakeholder raising expectations
IPPF Practice Guide – Developing the Internal Audit Strategic Plan
CRITICAL SUCCESS FACTORS
Processes – Are the internal audit activity’s processes enabling and dynamic in
meeting business needs?
People – Does the internal audit activity have the right people strategy to deliver its
mission?
Understand the importance and reliance placed upon a
modern Internal audit function through the stakeholders' eyes
THE FOUNDATION STONES
Unum UK Stakeholder Map and Offerings
2012 MODEL
Ensuring that you are receiving clear messaging from your
stakeholders?
BALANCING YOUR STAKEHOLDERS
• Is there strong engagement between the Chief Auditor and the Audit Committee Chairman and Audit Committee generally?
• What role does Internal Audit play in your organisation with the regulator(s)?
• Who is responsible for defining and agreeing the Audit Plan?
• Are we forward looking or purely retrospective?
• Do the stakeholder requirements conflict – which areas are a priority for us to review?
• How is that changing or may change?
Understand the complexity of the matrix management of
dealing with diverse and increasing stakeholder expectations
CAN AND SHOULD WE ADDRESS ALL STAKEHOLDER REQUIREMENTS?
Audit function status and positioning?
ASSESSING THE CURRENT STATE
• What is the status of the Chief Auditor and the audit function?
● Organisationally
● By reputation
● Through engagement
• Are stakeholders?
● Advocates
● Neutral
● Negative
• Does that style vary depending upon the maturity of the organisation?
What methods and techniques will enable you to improve
engagement?
HOW PLUGGED IN IS INTERNAL AUDIT TO THE CORPORATE DNA?
• Is the Internal Audit function appropriately engaged with the business and direction of the business?
● Who in the IA function considers their role as stakeholder champions?
What are the top priorities for the Internal audit function?
SCOPE AND IMPACT OF WORK
Build an internal audit strategy that focuses on stakeholder
raising expectations
RESPONSIVENESS OF PLAN
• What inputs do you have to help define and assess the areas in which audit will operate?
● Dynamic audit universe
● Mature risk management
● Trusted compliance and risk monitoring
● SOX or other assurance feeds
● Industrial networking and feeds of emerging issues
Build an internal audit strategy that focuses on stakeholder
raising expectations
DELIVERY ENABLERS
• How does the resource model refine and match the longer term needs of the function and the organisation?
• Is outsourcing or co-sourcing the answer to the resource squeeze?
• What skills does your function have available to it on a day to day basis?
● Qualified accountants / auditors
● IT capability
● Actuarial
● Marketing and sales
● Deep operational experience
• How strong are the information feeds within the organisation to Internal Audit?
Hierarchy of audit positioning documentation
OFFICIAL DOCUMENTATION
Continuing evolution not revolution
CURRENT WORK IN PROGRESS
David Butler
david.butler@unum.co.uk
Tel : 0044 1306 874270
Contact via LinkedIn
Twitter @DJBAudit
Questions
Other Materials
http://www.iia.org.uk/media/56050/developing_the_internal_audit_strategic_plan.pdf
Other Materials
DEVELOPING THE INTERNAL AUDIT STRATEGIC PLAN – JULY 2012 GUIDANCE (EXTRACT)
The following steps can be used to develop the internal audit strategic plan:
1. Understand the relevant industry(ies) and the organization’s objectives.
2. Consider the International Professional Practices Framework (IPPF).
3. Understand stakeholder expectations.
4. Update the internal audit vision and mission.
5. Define the critical success factors.
6. Perform a strengths, weaknesses, opportunities, and threats (SWOT) analysis.
7. Identify key initiatives.
Other Materials
ERNST AND YOUNG
Other Materials
CHARTERED INSTITUTE OF INTERNAL AUDITORS
http://www.iia.org.uk/media/195007/2._benchmarking_report_internal_audit_strategic_planning_oct_2012_1_.pdf
“Because….”
James C Paterson
Director, Risk & Assurance Insights Ltd.
AZ experiences
Many customers, limited supply = problem
Latest research ~ Booz & Co - 2013
AZ Strategy – Mark 1 ingredients
Benchmarking /EQA
AZ Strategy – Outputs
Operational controls
Compliance & IT controls
Financial controls

Financial Controls     35  30  25  20
Compliance             35  35  30  25
Operational Controls   20  20  20  25
Strategic risks        10  15  25  30
[Figure: map plotting items 1 to 12, with items 2, 4 and 5 starred. Legend: 1 – SR, 2 – CR, 3 – SR, 4 – OR, 5 – FC, 6 – OR, 7 – OR, 8 – CR, 9 – OR, 10 – OR, 11 – OR, 12 – OR]
IA Coverage (initial views) = Red
Who is looking at the other areas?
Capture Other Assurances +
[Figure: the same map of items 1 to 12, now with items 3, 7 and 10 marked "+"]
Past coverage?
Where do you draw the line?
Do you have enough resource?
ADR ~ Common misconceptions
[Figure: chart labelled "Potential" and "Highest", with rows "Senior Management" and "Line management" and the names J Redmond, A Brown and C Jones]
Skills & experience – new world?
[Figure: chart labelled "Potential", with rows "Middle management" and "Line management" and the name A Brown]
AZ Strategy – Mark 2 ingredients
GRC strategy
Assurance Mapping
Lean auditing
• Lean auditing
  - Kano techniques on IA customer and value add
  - Speeding up delivery / streamlining reporting
  - Better use of technology
• Clarifying IA role
  - Anti-fraud etc.
  - Creating a GRC strategy
  - Continuous monitoring
  - Educating management and the audit committee
• Budget / HC cuts
  - Use of
  - audit universe
  - Overall opinion
….to counter challenges
Lean Internal Audit: Methodology on one page
Mandatory Steps
Framework
Time Line
End of Fieldwork – Personal learning review
End of assignment – Overall project learning review
All work papers to be documented in XXX
IIA ~ 3 lines of defence in relation to effective risk
governance ~ 2013
3 lines of defense
Source: Berendsen
Accountability framework example
Global Level Accountability Framework
1st Line of Defence – Business Area Management
2nd Line of Defence – Compliance Functions
3rd Line of Defence – Assurance Providers
Key: A – Accountable; S – Support; C – Consulted; O – Oversight; Iᴱ – Informed (by exception)
[Table columns include: Division / Region Heads, General/Factory Manager, Company Secretary, GIA, Compliance Audit, Regulators, specialist functions and compliance functions]
From | To
Based on processes | Greater risk focus
Finance and Compliance monitoring mixed | Largely Financial and compliance monitoring | Strengthen Finance and compliance | Less need for IA to look at these areas
Role and value add from IA not well understood | IIA responding to requests in an informal way | Deeper understanding of the unique role & contribution of IA | More explicit discussions of value add contribution
Culture of trust around key risk management but some surprises and disappointments | Limited work on key risks | Greater assurance mindset around key risks to avoid surprises | Greater contribution to key risks
Audit Universe – before
Where
•Processes
•Locations
•Departments
What
•Compliance
•Financial Controls
•Operational controls
•Business continuity
Audit Universe – developing
Where
•Processes
•Departments
•Projects
•Governance
What
•Business continuity
Audit Universe – enhanced
Where
•Processes
•Locations
•Departments
•Systems
•Customer relations
•Government / regulator returns
•New markets
•Networks/Applications
•Projects
•3rd party providers
•Governance
•Sales force
•Non Financial reporting
•New business areas
•Emerging risks
•Other assurance functions
What
•Compliance
•Financial Controls
•Operational controls
•Business continuity
•Cost/control trade offs
•Crisis management
•Value for Money
•Controls design
•Data quality
•Accountabilities
•Strategy implementation
•Reputation management
An enhanced audit universe will often reveal
coverage issues
IA effectiveness framework
Remit & scope | Strategy & Plan | Sponsorship | Independence
Resource management
Scorecard / tracking
Developed after a PwC idea
Future thoughts
• Outcomes of processes
Conclusions
• IA strategy an invaluable tool – engaging stakeholders / Value add
• What you are doing / how you do this and with who
• Don’t shy away from sensitive topics – this may be the only way to get on the table:
  - Plan coverage
  - Staff skills
  - Coverage / resources
  - Common issues
  - Benchmark / EQA
J Paterson: Publications / Citations
New year new plan Audit & Risk Magazine, UK January 2012
These slides have been developed for the exclusive use of those attending the
HIAS workshop on 6/6/13 by James Paterson, Risk & Assurance Insights Ltd.
This presentation has been prepared solely for educational and illustrative
purposes. Whilst every effort has been made to ensure the factual accuracy of the
content herein, no representation or warranty is given as to its accuracy.
This presentation should not be relied upon as the basis for making any investment
or other decision and it is not claimed that any of the content or views contained
herein, whether expressly made or implied, represents the views of management.
The slides should not be reproduced or circulated further without permission from
James Paterson:
E-mail: jcp@riskai.co.uk
Web: www.riskai.co.uk
Phone: +44 7802 868914