Over the past two months, I've had numerous conversations with CAEs about their key focus areas, priorities, and concerns for 2025. After hearing their thoughts and taking notes, I always ask, "How can I be of help?"

And for a number of CAEs, the topic that is most top-of-mind to them recently is in regards to the internal audit strategic plan.

Those currently developing a strategic plan want to understand what strategic initiatives their peers are pursuing. Meanwhile, those who haven't yet started developing a strategic plan are wondering if their peers plan to create one and, if so, how they're approaching the development process.

I relate to many of these questions. For those who are developing strategic plans, comparing your team's work and goals against your peers is an excellent way to validate your internal audit approach. I used this tactic successfully to elevate my department's performance when I was a CAE.

If you haven't yet created a strategic plan, you're in good company. As Richard Chambers, former President and CEO of The IIA, highlighted in December 2023, only 20% of internal auditors have a strategic IA plan (I was among the 80% during my time as CAE).

While much has been written about whether Internal Audit needs a strategic plan, there's little practical guidance on how to develop and document one.

So today, I’d like to share some perspectives on what I have heard and observed others include in their strategic plan, and what I would do as a CAE building out an internal audit strategic plan for the first time.

Document your Internal Audit Objectives

To start, you need a clear understanding of your objectives. These are defined through discussions with the Audit Committee chair and your business leadership about what they expect from your team. For many Internal Audit teams, their objectives could include:

• Providing assurance to management and the Board over key enterprise risks to support the achievement of company goals and objectives through a risk-based audit strategy
• Supporting compliance with Sarbanes-Oxley requirements through internal controls testing, project management, and stakeholder coordination
• Recruit, develop, and manage a high-performing team of employees and consultants to carry out Internal Audit's responsibilities
• Build and maintain partnerships with key stakeholders across risk, control, and assurance functions—including compliance, information security, risk management, finance, and external audit
• Serve as a change agent and leader in improving risk management and control effectiveness.

The CAE’s job description and Internal Audit charter can also be sources to validate your understanding of Internal Audit’s objectives.

Identify Key Improvement Initiatives

A strategic plan helps identify key activities and initiatives that will improve how you achieve your objectives.

To identify and determine strategic initiatives, observe your team's performance and gather input from your key stakeholders.

CAEs and Internal Audit leaders can gain valuable insights through deeper involvement in their department's daily activities. This includes participating in project planning sessions, attending key fieldwork meetings with audit clients, and observing interactions between audit leaders and other organizational leaders.

Internal Audit leaders should proactively gather feedback from key stakeholders on improving their services and meeting stakeholder needs. For teams using a post-audit exit survey, analyzing past survey responses provides a straightforward way to identify areas for improvement.

Here are key questions internal audit leaders can ask stakeholders to identify areas for improvement:

• If you led Internal Audit, what would you change about how we do our work?
• How can Internal Audit deliver greater value to you and your team?
• How can we make it easier for your team to work with Internal Audit?

With this gathered information, along with input from Internal Audit teams and perspectives from your peers, you'll be well-equipped to identify key strategic initiatives and areas for improvement over the next 3–5 years.

Here's another valuable resource: You can learn what other CAEs are focusing on through podcasts by Trent Russell and Jon Taber. Together, they've interviewed more than 75 internal audit leaders in the past 12 months, with strategic planning being a frequent topic of discussion.

Select and Organize

After going through this process, most CAEs discover that potential improvement areas vastly outnumber their initial expectations—and exceed what they can realistically tackle at once.

Working with your Internal Audit leadership team, select 4–8 key areas to focus on in the near future. When choosing initiatives, consider three main factors: your team's maturity level, the potential impact on your team's effectiveness, and most crucially, how these initiatives will contribute to the company's success.

Based on the many strategic plans I've reviewed from other CAEs, I've found that organizing initiatives around foundational pillars makes them easier to communicate and understand. A simple framework uses four key pillars: people, process, technology, and Connected Risk.

For your reference, here are some examples of the strategic initiatives organized by these pillars.

People

• Upskill the team: Invest in team learning and development to enhance both technical expertise and soft skills—including critical thinking, communication, and data analytics—to improve the quality of audit projects and procedures.
• Enlist Subject Matter Experts: For non-routine or complex audit subjects, engage subject matter experts from within or outside the company.

Processes

• Improve audit methodology: Implement a quality assurance and improvement program (QAIP) to optimize audit scope, streamline reporting, and boost timely issue resolution.
• Enhance efficiency: Reduce resources dedicated to SOX compliance each year.

Technology

• Leverage tools: Implement, or improve the use of, an audit management solution to improve audit customer experience working with internal audit, to improve internal audit team effectiveness, and to provide a work experience that will attract high-calibur internal auditors.

Connected Risk

• Create and maintain assurance maps to identify areas to rely on other assurance providers work.
• Collaborate with other GRC functions to consolidate the reporting of similar risks and controls reported to organizational leadership.

When sharing your strategic plan, documenting initiatives at this level should be sufficient to gain consensus and buy-in. However, CAEs should also document detailed "how-to" steps with their leadership team to ensure success achieving their strategic initiatives.

Measure Success

While documenting strategic initiatives is important, establishing key performance metrics ensures your team maintains momentum in implementing these initiatives.

To track progress, establish both current state and target state metrics.

Current state metrics might include:

• 70% of audit resources were allocated to SOX in 2024
• 25% of team members have advanced credentials
• 0% of audits performed leveraged external SMEs

Your target state metrics should use these same measurements but with specific goals that indicate successful implementation of each strategic initiative.

Define Your Mission and Vision

To go above and beyond your v1 strategic plan, I highly recommend documenting a mission or vision statement. Formally documenting these elements can help energize your team and demonstrate that your Internal Audit department is distinctive and worthy of partnership.

When I was a CAE, our team's mission statement was "Internal Audit - Enabling Positive Change." Feel free to use this as inspiration or to help create your own.

Socialize and Refine

With your one-page summary of audit objectives, initiatives, metrics, and mission statement complete, the next crucial step is securing buy-in from everyone who works with your team.

Success hinges on support from these key stakeholders:

• Internal audit team: Ensure the team understands the CAE's vision and their role in achieving the plan's success.
• Senior leadership and the board: Communicate how the plan aligns with organizational goals.
• Other organizational GRC partners: Highlight opportunities for collaboration and mutual benefits.
• Audit customers: Verify that the proposed initiatives address the feedback they provided at the start of the strategic planning process.

Remember that your plan must evolve with business dynamics. Review it regularly and adjust for changes in leadership, priorities, and risk profiles. Keep all stakeholders aligned through consistent communication.

Internal Audit - Enabling Positive Change

Creating a strategic internal audit plan is your chance to transform the function into a powerful driver of organizational value. By aligning with organizational goals, investing in people and technology, and fostering collaboration, you can establish internal audit as a cornerstone of governance and risk management.

The time to act is now—join the forward-thinking 20% who have a strategic plan in place.