
Developing the internal audit strategic plan

6 June 2013

Martin Robinson, Chartered Institute of Internal Auditors


David Butler, Head of Internal Audit, Unum
James Paterson, Director, Risk and Assurance, Insights
Setting the scene – IIA guidance and October 2012 benchmarking survey

Martin Robinson
Training Development Adviser,
Chartered Institute of Internal Auditors
Definition of strategy
Strategy is a means of establishing the
organisation’s purpose and determining the nature
of the contribution it intends to make while
predefining choices that will shape decisions and
actions. Strategy for the internal audit activity
enables the allocation of financial and human
resources to help achieve these objectives as
defined in the activity’s vision and mission
statements.
Steps to be used to develop the internal audit strategic plan
Factors influencing the frequency of reviewing the strategic plan
Performing a SWOT analysis
The key variables when developing a sourcing model
Heads of internal audit benchmarking report – Internal audit strategic plans
August/September 2012

Key issues
Developing an internal audit strategic plan
Some practical tips and experiences
IIA Heads of Audit Forum
June 2013

David Butler

Developing the internal audit strategic plan
TOPIC AREAS

• Introduction
• The importance of communication
● Understand the importance and reliance placed upon a modern Internal audit function through the stakeholders’ eyes
● Ensuring that you are receiving clear messaging from your stakeholders?

• Understand the complexity of the matrix management of dealing with diverse and increasing stakeholder expectations
• Elements of the strategic plan:
● What are the top priorities for the Internal audit function?
● Build an internal audit strategy that focuses on stakeholder raising expectations

IPPF Practice Guide – Developing the Internal Audit Strategic Plan
CRITICAL SUCCESS FACTORS

The Three P’s

Positioning – Is the internal audit activity strategically positioned and supported?

Processes – Are the internal audit activity’s processes enabling and dynamic in
meeting business needs?

People – Does the internal audit activity have the right people strategy to deliver its
mission?

Understand the importance and reliance placed upon a modern Internal audit function through the stakeholders’ eyes
THE FOUNDATION STONES

• Do you have a stakeholder map for Internal Audit?
• Are your team aware of the stakeholder needs or purely focussed upon delivery of the plan?
• Do you and your team understand the different needs of the varying stakeholders?
• What does Internal Audit deliver: is it assurance, or is it protection, as has been suggested by the recent UK IIA consultation document?
• How do we maintain credibility with each of these stakeholders – their needs seem to conflict at one level?

Unum UK Stakeholder Map and Offerings
2012 MODEL

Ensuring that you are receiving clear messaging from your
stakeholders?
BALANCING YOUR STAKEHOLDERS

• Is there strong engagement between the Chief Auditor and the Audit Committee Chairman and Audit Committee generally?
• What role does Internal Audit play in your organisation with the regulator(s)?
• Who is responsible for defining and agreeing the Audit Plan?
• Are we forward looking or purely retrospective?
• Do the stakeholder requirements conflict – which areas are a priority for us to review?
• How is that changing or may change?

Understand the complexity of the matrix management of
dealing with diverse and increasing stakeholder expectations
CAN AND SHOULD WE ADDRESS ALL STAKEHOLDER REQUIREMENTS?

Audit function status and positioning?
ASSESSING THE CURRENT STATE

• What is the status of the Chief Auditor and the audit function?
● Organisationally
● By reputation
● Through engagement

• Are stakeholders:
● Advocates
● Neutral
● Negative

• What style of internal audit does your function deploy?
● Collaborative
● Adversarial
● Combination

• Does that style vary depending upon the maturity of the organisation?

What methods and techniques will enable you to improve
engagement?
HOW PLUGGED IN IS INTERNAL AUDIT TO THE CORPORATE DNA?

• Is the Internal Audit function appropriately engaged with the business and direction of the business?
● Who in the IA function considers their role as stakeholder champions?

• What is Internal Audit’s circle of influence?
● Board and Audit Committee
● Risk Committee
● Executive Committee
● Executive Risk Committee
● Senior management
● Regulator(s)
● Others?

What are the top priorities for the Internal audit function?
SCOPE AND IMPACT OF WORK

• Are there any audit no go areas?
● These can result from management resistance
● Lack of appropriate skills or resources

• Is audit engaged in evaluation of all processes?
● Strategy
● Major projects
● Mergers and acquisitions
● Financial reporting
● Operational areas
● Marketing and sales
● IT

• Are agreed management action plan promises delivered?
● Does anyone or everyone care?

Build an internal audit strategy that focuses on stakeholder
raising expectations
RESPONSIVENESS OF PLAN

• What is the time horizon that Internal Audit operates to?
● 3 months
● Annual
● Two year
● Longer than two years

• What inputs do you have to help define and assess the areas that audit will operate?
● Dynamic audit universe
● Mature risk management
● Trusted compliance and risk monitoring
● SOX or other assurance feeds
● Industrial networking and feeds of emerging issues

• Does your plan feel predictable or responsive?

Build an internal audit strategy that focuses on stakeholder
raising expectations
DELIVERY ENABLERS

• How does the resource model refine and match the longer term needs of the function and the organisation?
• Is outsourcing or co-sourcing the answer to the resource squeeze?
• What skills does your function have available to it on a day to day basis?
● Qualified accountants / auditors
● IT capability
● Actuarial
● Marketing and sales
● Deep operational experience

• How strong are the information feeds within the organisation to Internal Audit?

Hierarchy of audit positioning documentation
OFFICIAL DOCUMENTATION

• Audit Committee Terms of Reference
• Internal Audit Charter
• Vision and Values Statement
• Mission Statement
• Strategic Plan
• Audit Manual
● Annual Plan
o Technology and tools
o Resourcing model
o What’s in and what’s not
● Audit Engagements

But …… it never stops………..

Continuing evolution not revolution
CURRENT WORK IN PROGRESS

Enterprise Audit 2013


Workstreams
• Relationship Management
• People and Talent
• Performance Management
• Internal Communications
• Internal Audit Process

David Butler
david.butler@unum.co.uk
Tel : 0044 1306 874270
Contact via LinkedIn
Twitter @DJBAudit

Questions

Other Materials

Developing the Internal Audit Strategic Plan – July 2012 Guidance

http://www.iia.org.uk/media/56050/developing_the_internal_audit_strategic_plan.pdf

Other Materials
DEVELOPING THE INTERNAL AUDIT STRATEGIC PLAN – JULY 2012 GUIDANCE (EXTRACT)

The following steps can be used to develop the internal audit strategic plan:
1. Understand the relevant industry(ies) and the organization’s objectives.
2. Consider the International Professional Practices Framework (IPPF).
3. Understand stakeholder expectations.
4. Update the internal audit vision and mission.
5. Define the critical success factors.
6. Perform a strengths, weaknesses, opportunities, and threats (SWOT) analysis.
7. Identify key initiatives.

Other Materials
ERNST AND YOUNG

Ernst and Young Survey


Develop a well aligned internal audit strategy
• http://www.ey.com/GL/en/Services/Advisory/The-future-of-internal-audit-is-now---Develop-a-well-aligned-internal-audit-strategy

• Unlocking the strategic value of Internal Audit - 2010
• http://www.ey.com/Publication/vwLUAssets/Unlocking_the_strategic_value_of_Internal_Audit/$FILE/Unlocking%20the%20strategic%20value%20of%20Internal%20Audit.pdf

Other Materials
CHARTERED INSTITUTE OF INTERNAL AUDITORS

Heads of Internal Audit Benchmarking Report


Internal Audit Strategic Plans

http://www.iia.org.uk/media/195007/2._benchmarking_report_internal_audit_strategic_planning_oct_2012_1_.pdf

“Because….”

Developing an audit strategy

Experiences in AZ and to date

What the future might hold..

James C Paterson
Director, Risk & Assurance Insights Ltd.
AZ experiences
Many customers, limited supply = problem
Latest research ~ Booz & Co - 2013
AZ Strategy – Mark 1 ingredients

Sources of value destruction

Audit Directors Roundtable

Key risks and IA plan

Auditing harder to audit areas

Improving skills mix

Benchmarking /EQA
AZ Strategy – Outputs

IA plan vs risks and assurances


IA development
[Figure: areas labelled Governance & Risk, Operational controls, Compliance & IT controls and Financial controls, plotted against a time axis of 1980s, 1990s, 2000s, Today]


Developed from ADR idea
Strategy for what IA covers
                        Year 1   Year 2   Year 3   Year 4
Financial Controls        35       30       25       20
Compliance                35       35       30       25
Operational Controls      20       20       20       25
Strategic risks           10       15       25       30
TOTAL                    100      100      100      100

Setting out, in broad terms the likely shape of the plan


IA planning ~ Lean / Assurance approach

[Figure: diagram plotting twelve numbered items; items 2, 4 and 5 are marked *]
Key: 1 – SR, 2 – CR, 3 – SR, 4 – OR, 5 – FC, 6 – OR, 7 – OR, 8 – CR, 9 – OR, 10 – OR, 11 – OR, 12 – OR

The same diagram is then repeated under the following slide titles:
• IA Coverage (initial views) = Red
• Who is looking at the other areas?
• Capture Other Assurances + (items 3, 7 and 10 are marked +)
• Past coverage?
• Where do you draw the line?
• Do you have enough resource?
ADR ~ Common misconceptions

Thanks to the ADR


Skills & experience – before

Experience (columns): Minimal, 2-5 years, 5-10 years, 10+ years
Potential (rows):
• Highest:
• Senior Management: J Redmond
• Middle management: D Winter, E Godwin, F James; G Halliwell, H Smithers
• Line management: A Brown, C Jones
Skills & experience – new world?

Experience (columns): Minimal, 2-5 years, 5-10 years, 10+ years
Potential (rows):
• Highest: F Johnson, J Smith
• Senior Management: C Jakes, D Wales; G Heldon, E Goodwood; H Smythe, K Alwyn
• Middle management: A Brown
• Line management:
AZ Strategy – Mark 2 ingredients

GRC strategy

Compliance and responsible business scorecard

Assurance Mapping

Lean auditing

New Key Performance Indicators


Experience with clients..
Experience with clients.. over the past 3 years ..

• Lean auditing
● Kano techniques on IA customer and value add
● Speeding up delivery / streamlining reporting
● Better use of technology

• Clarifying IA role
● Anti-fraud etc.
● Creating a GRC strategy
● Continuous monitoring
● Educating management and the audit committee

• Budget / HC cuts
● Use of
● audit universe
● Overall opinion
….to counter challenges
Lean Internal Audit: Methodology on one page

Review Phase: Assignment Planning; Fieldwork; Reporting; Feedback & Monitoring

Process: Audit Scoping & Remit; Opening Meeting; Process Mapping, Key Control Testing; Closing Meeting; Draft Report; Final Report; Customer Survey; Learning Review & Personal Feedback

Mandatory Steps

Framework

Time Line

End of Fieldwork – Personal learning review End of assignment– Overall project learning review
All work papers to be documented in XXX
IIA ~ 3 lines of defence in relation to effective risk governance ~ 2013
3 lines of defense

Source: Berendsen
Accountability framework example
Global Level Accountability Framework
1st Line of Defence: Business Area Management
2nd Line of Defence: Compliance Functions
3rd Line of Defence: Assurance Providers

Key: R Responsible, A Accountable, S Support, C Consulted, O Oversight, I Informed, Iᴱ Informed (by exception)

Role columns: Division / Region Heads; General/Factory Manager; Specialist Compliance Functions; Specialist Functions; Group Legal & Compliance Function; Company Secretary; Compliance Audit; GIA; External Audit & Regulators

Ethical Culture (Control Environment)

1. Establish Roles & Responsibilities A R R C C O I C Iᴱ

2. Determine Group Level policies* A S S R C/R O I C/I Iᴱ

3. Communicate Policies* A R R C/S C/S O S I Iᴱ

Delivery of procedures, training and action

4. Maintenance of detailed standards and processes O A R C/I C/I Iᴱ I I Iᴱ

5. Training – development and delivery O A R C/S C/S I/C I I -

Monitoring business as usual & Reporting issues upwards

6. Monitoring of activities O A R C C I/C Iᴱ I -

7. Reporting issues or risks O A R I I/C I/C I I Iᴱ

Improvement actions and investigations

8. Management of issues & Corrective Actions O A R CS C/S I C/S C/I Iᴱ

9. Ethics Investigation & Disciplinary Action C A R S O C A/C I/C Iᴱ

Audit & Assurance

10 Compliance Auditing S S S C C/I C/I A/R O/R Iᴱ


Plan example ~ Fraud

We will carry out a high level framework review at a selection of key sites and support the implementation of CAATs and fraud awareness within Finance and Purchasing in key locations
Example ~ Planning

From: Based on processes
To: Greater risk focus

From: Largely Financial and compliance

From: Informal discussions of value add
To: More explicit discussions of value add contribution

From: Little contribution to key risks
To: Greater contribution to key risks


Example ~ Planning
Essential to consider other lines of defense

From (Business): Risk and process thinking not embedded
From IA: Process approach
To (Business): More robust risk and control thinking
To (IA): Greater risk focus

From (Business): Finance and Compliance monitoring mixed
From IA: Largely Financial and compliance
To (Business): Strengthen Finance and compliance monitoring
To (IA): Less need for IA to look at these areas

From (Business): Role and value add from IA not well understood
From IA: IIA responding to requests in an informal way
To (Business): Deeper understanding of the unique role & contribution of IA
To (IA): More explicit discussions of value add contribution

From (Business): Culture of trust around key risk management but some surprises and disappointments
From IA: Limited work on key risks
To (Business): Greater assurance mindset around key risks to avoid surprises
To (IA): Greater contribution to key risks
Audit Universe – before
Where

•Processes

•Locations

•Departments

What

•Compliance

•Financial Controls

•Operational controls

•Business continuity
Audit Universe – developing
Where
•Processes
•Locations
•Departments
•Projects
•3rd party providers
•Governance

What
•Compliance
•Financial Controls
•Operational controls
•Business continuity
•Value for Money
•Controls design
•Data quality
Audit Universe – enhanced
Where
•Processes
•Locations
•Departments
•Systems
•Customer relations
•Government / regulator returns
•New markets
•Networks/Applications
•Projects
•3rd party providers
•Governance
•Sales force
•Non Financial reporting
•New business areas
•Emerging risks
•Other assurance functions

What
•Compliance
•Financial Controls
•Operational controls
•Business continuity
•Cost/control trade offs
•Crisis management
•Value for Money
•Controls design
•Data quality
•Accountabilities
•Strategy implementation
•Reputation management
Enhancing the audit universe will often reveal coverage issues
IA effectiveness framework
Remit & scope; Strategy & Plan; Sponsorship; Independence

Supporting tools – IA & other

Intelligence & Knowledge management


Capability, expertise & influencing
Team/management culture / style

Resource management

Scorecard / tracking
Developed after a PwC idea

Future thoughts

IIA / FSA guidance


Use of Assurance mapping techniques
The future? ~ FSA / IIA guidance
Recommendations for IA coverage
• The design and operating effectiveness of governance structures and
processes of the organisation

• The strategic and management information presented to the Board

• The setting of, and adherence to, risk appetite

• The risk and control culture of the organisation

• Risks of poor customer outcomes, giving rise to conduct or reputational risk

• Key Corporate Events

• Outcomes of processes
Conclusions
• IA strategy an invaluable tool – engaging stakeholders / Value add

• What you are doing / how you do this and with who

• IA role ~ 3 lines of defence typically very helpful

• Don’t shy away from sensitive topics – this may be the only way to get on the table:
● Plan coverage
● Staff skills
● Coverage / resources
● Common issues
● Benchmark / EQA

• Use this to flag wider GRC strategy

• Develop an assurance approach ~ share the assurance load

• Developing political savvy to influence key stakeholders in “must win” encounters


J Paterson: Publications / Citations
Topic (Publication, Month / Year)

• Internal Audit ~ New rock and roll (Accountancy Magazine, UK, January 2005)
• Forbidden Territory (auditing no go areas) (IA & BR UK, December 2006)
• Meeting the people challenge (IA & BR UK, February 2007)
• Garbage in, garbage out (Internal Auditor, June 2007)
• The power of prioritisation (Audit Director Roundtable, December 2007)
• Getting the most from your IA function (ACCA e-bulletin, June 2008)
• Lighting up your blind spots (IA & BR Magazine UK, March 2010)
• Mixed Messages (Strategic Risk Magazine, March 2010)
• Know your business (Internal Auditor, US, June 2010)
• Help or hindrance? (Risk Management Professional, June 2010)
• A problem shared (Action Learning) (IA & BR Magazine UK, June 2010)
• Culture & behavior (IA & BR Magazine, March 2011)
• Assurance Mapping (CFO World, March 2011)
• Assurance Mapping (IA & BR Magazine UK, April 2011)
• Psychology of risk and audit (ACCA UK e-bulletin, June 2011)
• Lean Auditing (CIPFA Audit Viewpoint, August 2011)
• Lean Auditing (Audit & Risk W/S UK, September 2011)
• HIA career paths (Symmetry, November 2011)
• Boards and Risk (Risk Management Professional, UK, December 2011)
• Audit Planning (theiia.org/chapters/500, December 2011)
• New year new plan (Audit & Risk Magazine, UK, January 2012)
• Risk assurance and assurance mapping (CIPFA Audit Committee up-date, February 2012)
• IA KPIs (IIA Denmark, April 2012)
• Coordinating assurance (Audit & Risk Magazine, UK, May 2012)
• Eight things you need to know as a new HIA (www.auditandrisk.org.uk, July 2012)
• Dear Audit Committee Chair (Linked In ~ CAE sub-group, www.riskai.co.uk, September 2012)
• Lean Auditing (Internal Auditor, US, December 2012)
• Audit Committee Effectiveness (ACCA IA Newsletter, April 12)
• Assurance for the Audit Committee (ACCA IA Newsletter, June/July 12)
These slides have been developed for the exclusive use of those attending the
HIAS workshop on 6/6/13 by James Paterson, Risk & Assurance Insights Ltd.

This presentation has been prepared solely for educational and illustrative
purposes. Whilst every effort has been made to ensure the factual accuracy of the
content herein, no representation or warranty is given as to its accuracy.
This presentation should not be relied upon as the basis for making any investment
or other decision and it is not claimed that any of the content or views contained
herein, whether expressly made or implied, represents the views of management.

The slides should not be reproduced or circulated further without permission from
James Paterson:

E-mail: jcp@riskai.co.uk
Web: www.riskai.co.uk
Phone: +44 7802 868914