Is Your Internal Audit Strategic Plan Too Tactical and Lacking Vision?

Internal Audit Strategic Planning — Our Achilles Heel? 

Too many internal audit functions are struggling with having sufficient funding to do things like address the highest risks adequately, adopt technology, hire new staff, get the necessary co-sourcing resources, and invest in professional development, among other things. As well, consultants and vendors will line the doorway ready to tell you what’s wrong, and how to fix it if you hire them. In a morass of current and potential tactics, some internal audit functions are in a state of near paralysis. Following from root cause thinking, perhaps the real problem is a lack of strategic vision and a robust strategic plan for the function in far too many organizations. Sorry, but it’s true. 

A Little History 

Many of you reading this have not had the benefit (or the curse) of having a long history in the internal audit profession. But I can tell you we have come a really long way from when I started. (No, I’m not going to name the year.)  

When I started in the profession, we had canned audit programs, we audited the same things most every year, we used columnar paper, bound our workpapers using metal Acco fasteners, and hand prepared and physically mailed confirmations. Standard operating equipment was a Pentel pencil, a metal ruler, a big pink eraser, and a legal note pad. And our first draft of an audit report needed to be pretty darn good, since edits and rewrites didn’t benefit from the technology we have today. I could go on, but you get it. 

It was a lot of… what did we do last year, let’s do that again, find places we could expand scope, issue the report … wash, rinse, repeat. A big report, with lots of findings, regardless of how minor, was a good thing. Oh my! So glad those days are long over. 

But importantly, we didn’t need to be strategic in those days, being day-to-day tactical got the job done … or at least what we thought the job was. We were in a controls-centric view of the world, not a strategic objectives attainment view. We were looking for what was wrong, not looking to be a strategic partner and trusted advisor.  

Clearly, anyone doing anything resembling what we used to do should be booted from their company and, hopefully, the profession. Now change is constant, our audit plans are dynamic, the demands on us developing and enhancing our skills and talents are relentless, and our use (perhaps I should say leveraging) of technology needs to be unparalleled. A day-to-day tactical view of the world won’t cut it anymore. 

So, why do I run into internal audit functions that don’t have a strategic plan?  

Don’t believe me? A straw LinkedIn poll was recently conducted asking internal audit professionals whether their function has a strategic plan, and 35% said NO. And allow me to be bold here, of the 65% that said yes, I would love to audit their strategic plans and question how fit for purpose most of those “plans” really are. 

Why is The Lack of a Strategic Plan a Problem? 

We are faced with unprecedented change. Organizational processes, staffing, risk dynamics, technology advances, leadership change, economic pressures, global and local politics, etc., etc. are all contributing to a constantly shifting landscape where any assumptions you made yesterday may no longer hold today or tomorrow. Creating an annual internal audit project plan is nearly as useless as last week’s newspaper the minute you think you’ve finalized it. And nearly every process, tool, or construct you have in place today could be obsolete by next year, or the year after. A bit dramatic? … Maybe yes, maybe no. 

The profession is talking about things like using drones for remote inventory inspections, leveraging robotic process automation (RPA), moving to agile concepts, navigating a role with ESG, etc., etc., while at the same time we are also scratching our heads at why some functions aren’t leveraging data analytics, aren’t using technology-based tracking systems, and, heaven forbid, aren’t even using electronic workpapers. We want to be an employer of choice, ready to hire and onboard new talent, partially or quite possibly completely remote, while at the same time we are using too many of the same processes we used 5 or 10 or more years ago. 

And, when we go to present a budget, or seek funding for something that is not in the budget, we get a lot of blank stares, and are pressed as to why we need that. Have you heard lately, “can you do a proposal on that (whatever the “that” is) and let me think about it?!?” (I can picture the CFO with their glasses pushed to the end of their nose, giving me that “special look” at this juncture, if you know what I mean.) 

So, the questions become, do all the right people in your organization know, strategically, where you want to take your internal audit function? Do they know the strengths you are trying to capitalize, and the weaknesses you are trying to mitigate? Do they know where you see the opportunities and threats? Do they see how you are aligning with the overall company’s strategic plan? Do they buy into the tactics you have outlined to get your strategic plan done? And do they really see you as a strategic partner and trusted advisor? 

I offer that in many cases the inability to get what you need for your function, or that gridlock you are facing on what technology to implement (or not), or that initiative you aren’t getting support for, is because you don’t have a well thought out strategic plan. A strategic plan that really addresses the strategies to do what you need to do to best serve your organization… now and into the future. If your strategic plan is well thought out, is constituent focused, and positions you to have the highest impact to add value and make a difference, this creates a very powerful document to help you get what you want (and need). Of course, like issuing an audit report at the end of a project, your strategic planning journey doesn’t end with issuing a document. 

What Should Be in My Strategic Plan 

This will not be a primer on how to create a strategic plan. There are countless sources on how to do that, and much of it you likely already know. But, considering this is a strategic plan for an internal audit function within a company that already (hopefully) has a comprehensive organizational strategic plan, there are some elements your plan should most definitely address: 

  • What your vision for the function is (remember that your vision should be aspirational and should be something inspirational as well) 

  • How you will position yourself to support the company achieving its strategic objectives 

  • How you will be emphasizing relevance, adding value, and making a difference 

  • What the key strategies are to pursue your vision 

  • What the key tactics are to realize your strategies 

  • What milestones there are along the journey 

  • How you will measure success 

The challenge is making the final document as short as possible, but also making it as comprehensive as it can be. It should be written in such a way that is as much for the organization and key constituents as it is for your current and future staff. It must be a visionary document, and an operational set of guideposts, and a marketing tool, and so much more, whether you have one final document or three or more constituent-focused versions. 

How To Develop That Plan 

Input, input, input. Yes, you can lock yourself away and produce a pretty decent strategic plan without getting input. And, if you do that, when you go to talk to others in the organization about what you propose you will get something between blank stares and complete disinterest (or both!). The organization has, as they say, “no skin in the game.” But, if you give key people a chance to provide input and show them how their input influenced the plan, which they truly will, then you have a better chance of gaining support. 

You need to talk with people, let them know what you are developing, seek their input, and promise to “close the loop” with them later. If you are developing the plan with the broader organization in mind, you have a better chance of getting buy-in for your hard to develop strategic plan.  

You need to, without question, involve your entire staff. But that probably goes without saying. They will be implementing the plan with your guidance and oversight, so they better buy-in too! 

Look, you cannot realize your plan without spending money, right. With scarce investment dollars in the organization, your projects and continuous improvement activities are competing with everyone else’s necessary projects. You will need all the support you can get to fulfill your strategic plan initiatives and related tactics, and it starts (and ends) with broad-based support across the entire organization. So, after that great document is done, what do you do with it? 

What to Do with It Once it is Done 

Hopefully all the key people in the organization that need to know you are developing (or updating) your strategic plan already are aware of you doing this important work, and they have been consulted for their input. And, even better, you have also shared key insights along the way and gotten confirmation you are on the right path (at least from their perspective). You want to have had active dialogue so that your plan is no surprise to them, and they see how what you are proposing will not only help you but help them and help the entire organization. If what you plan to do will further the organization’s quest to fulfill its strategic and operational objectives, then you are going to be in outstanding position to move forward. 

Now the most crucial step comes along. And, doing this will make the biggest difference in your success to move your function forward strategically. What is it you ask? Socialization. 

What I mean by socialization is taking the steps necessary, consistent with your organization’s culture, to broadly share the strategic plan with all the people in the organization that could fit into any of three possible categories: supporters, influencers, and blockers. Supports will speak for you and be in your corner and on your side when you need to get something done, approved, or implemented. Influencers are going to be those folks who have leverage in the organization to get things done. And blockers are the folks who, unfortunately, will try to block you in your quest to get what you need. These folks could overlap. For example, a supporter might be an influencer, and if they aren’t on your side they could be or become an active (or passive) blocker. 

Do this socialization effort consistent with your culture:  that means understanding how things get communicated within your organization for the maximum, broad-based effect and support. It could mean individual meetings, group meetings, sending a document, having lunch and learns, distributing a summary of the document, etc., etc. Get on their terms and talk with people at their level in a way they want to be communicated with. And be respectful of people’s time. Most importantly, as you are socializing your plan remember the WIIFM acronym. What’s In If For Me (but, of course, the “me” in this case is THEM). Failure to do this part well will hurt your chances of success immensely. 

In Conclusion 

This is about getting what you need, when you need it, and having the support and funding for getting it done. You aren’t going to get there without a plan. And your plan can’t be your plan, it has to be the organization’s plan. 

Your plan needs to be robust enough that it acts as a filter for everything that comes down the pike, both within and outside the organization. Your answer to anything that could be a tactic you could undertake (RPA, drones, agile, AI, analytics, etc.) should fit into one of three possible responses:  it is in our plan, it is consistent with our plan, or it is not in (or consistent with) our plan. You will be respected for having the clarity and doing what we are charged to do best:  add value and make a difference. 

Get your tactics approved, make strategic progress, be that trusted advisor, be an employer of choice, and add great value. Your organization, your leadership, and your board need it and are counting on you. And, for once, you might even sleep better at night. 

Happy strategic planning!

Author: Hal Garyn

Internal Audit / Risk Management / Governance Leader / CIA, CISA, MBA, cCAE, cAAP

Hal Garyn is Managing Director and Owner of Audit Executive Advisory Services, LLC based in FL.

June webinar

Auditing Your Cybersecurity Strategy

What Framework is Right For You?

Every company is using some sort of security framework for establishing a cybersecurity strategy. At the most basic level, the framework could have been developed by your CISO. Or your security team may be following NIST, CIS, CMMC, or some other industry-accepted framework.

In this webinar with Jason Claycomb, Cybersecurity Governance Expert, you will learn how to evaluate the reasonableness of your current security approach. The webinar will also help you determine technical areas to do deep-dive audits.