With the new Global Internal Audit Standards coming into effect soon, internal audit leaders are implementing many of the updates outlined by the Institute of Internal Auditors (IIA). One new requirement that has garnered much attention is the need to create an Internal Audit strategic plan that encompasses every facet of internal audit, including the use of technology.
In Part 1, we looked at how chief audit executives (CAEs) can develop and implement a technology strategy to ensure the audit function is well-equipped to meet the requirements of the Global Internal Audit Standards.
Below, we’ve created an example internal audit technology strategic plan to help you get started on your own technology planning efforts.
Example strategic plan for technology in internal audit
I. Introduction
The technology strategy component of the Internal Audit Strategic Plan outlines the initiatives and steps to ensure the internal audit function leverages technology effectively and efficiently. The plan aligns with the IIA Global Standard 10.3, which mandates that the Chief Audit Executive (CAE) ensure appropriate technology support, regular evaluation, and ongoing improvement opportunities.
II. Vision and objectives
- Vision: To utilize advanced technology to enhance the internal audit function’s effectiveness, efficiency, and accuracy.
- Objectives:
- integrate advanced technology to streamline audit processes;
- ensure continuous improvement in technology utilization;
- provide comprehensive training to internal audit staff;
- maintain collaboration with IT and information security functions;
- communicate technology limitations and advancements to the board and senior management.
III. Current initiatives
- Audit management software implementation:
- implementing an audit management software to automate and streamline audit processes;
- integration with existing financial and operational systems for real-time data access;
- enable risk management collaboration with other internal assurance providers.
- Data analytics tools:
- utilizing data analytics tools to perform more effective and efficient audit tests;
- partnering with the Information Technology (IT) function to adopt the data analytics software already available through an existing vendor contract to reduce costs and speed adoption;
- training internal auditors in data analytics to improve their ability to detect anomalies and trends, with plans for annual training to expand our scope into more advanced analytics.
- Cloud computing:
- migrating audit documentation and tools to cloud-based platforms for better accessibility and collaboration;
- reducing the workload of internal IT resources while maintaining or reducing current associated costs.
- Cybersecurity tools:
- incorporating advanced cybersecurity tools available through the Information Security function to protect audit data and ensure compliance with information security standards.
IV. Planned initiatives
- Artificial intelligence and machine learning:
- exploring AI and ML technologies to enhance audit planning, risk assessment, and anomaly detection;
- implementing AI-driven audit tools to automate repetitive audit tasks and improve real-time audit monitoring;
- researching advanced predictive analytics to identify future risks.
- Robotic Process Automation (RPA):
- implementing RPA to automate routine audit tasks and increase audit coverage.
V. Training and development
- Comprehensive training programs:
- developing training programs tailored to the new technologies implemented, including the audit management system, data analytics, and AI/ML in the future;
- ensuring all internal audit staff are proficient in using the existing and new tools and technologies.
- Continuous learning:
- providing ongoing education and certification opportunities for internal auditors to stay updated with technological advancements.
- Skill assessment:
- regularly assessing the technology skills and qualifications of the internal audit staff;
- identifying skill gaps and providing targeted training to bridge these gaps;
- encouraging and incentivizing certification in emerging technology areas.
VI. Collaboration with IT and information security
- Joint implementation:
- collaborating with IT and information security functions to ensure proper implementation and integration of technological resources;
- establishing joint teams to oversee technology projects affecting the internal audit function.
- Security and compliance:
- ensuring that all implemented technologies comply with organizational and regulatory information security standards;
- conducting regular reviews to ensure ongoing compliance and security.
VII. Communication and reporting
- Regular updates:
- providing regular updates to the board and senior management on the status of technology initiatives;
- communicating any limitations or challenges in technology that impact the audit function’s effectiveness or efficiency.
- Impact assessment:
- conducting impact assessments of new technologies on the internal audit processes;
- reporting the results to key stakeholders to ensure transparency and informed decision-making.
VIII. Documentation and evidence
- Technology implementation:
- internal Audit collaborates with IT for all technology purchases and implementations;
- follow a Prepare, Design, Build, Deploy, Support model, with a preference for SaaS solutions from SOC1 and SOC 2 compliant vendors;
- maintain records of the vendor selection process, the technology used, the training provided, and the impact on audit processes.
- Policy and procedures:
- comply with the organization’s Information Security Policy, Data Retention Policy, and Acceptable Use Policy;
- prepare to develop policies and procedures for using technology in internal audit, which are documented in our Audit Manual;
- ensure these policies are accessible to all internal audit staff and are regularly reviewed.
IX. Conclusion
This strategic plan aims to position the internal audit function at the forefront of technological advancements, ensuring that it remains effective, efficient, and capable of providing valuable insights and assurance to the organization. The CAE will strive to meet and exceed the technology standards required for a robust internal audit function through ongoing evaluation, collaboration, training, and communication.
Planning for the future of technology
Over the next 10 years, technology will be heavily integrated into every aspect of our work, including internal audit and risk management functions. A well-developed technology strategy is critical for CAEs to identify, acquire, implement, and deploy the right technology at the right time. As we look to the future and plan for advancement, we can anticipate several key developments:
- Artificial Intelligence (AI) will assume the majority of assurance tasks.
- Greater emphasis will be placed on AI governance, data integrity, and culture.
- Assurance teams will leverage advanced predictive analytics to identify potential risks and issues before these materialize.
- Talent strategies will emphasize diverse expertise, including data science and IT proficiency.
- The three lines of defense will blend to expand beyond value protection and foster value creation.
- Virtual reality and advanced communication tools will enable comprehensive reviews without physical presence.
As you document internal audit’s strategic plan and develop the technology strategy component, consider your team’s current technical capabilities and what it would take to incorporate existing technology and the technology on the horizon. If you do not have a technology strategy to deal with these rapid developments and the associated risks – there is no Plan B.
Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as senior advisor, Risk and Audit at AuditBoard. Connect with Richard on LinkedIn.
Tom O’Reilly is the Field Chief Audit Executive and Connected Risk Advisor at AuditBoard. Connect with Tom on LinkedIn.