OKRs for Internal Auditors

 

Time really flies, and we find ourselves already midway through the year. It is the perfect time for us to reflect on our OKR (Objectives & Key Results) achievements for the first half of 2023.

For those who may be unfamiliar, OKRs are a goal-setting tool to drive better prioritisation, accountability, and alignment in our workplan processes.

In January, like other divisions, we define our OKRs to articulate our goals (the ‘Os’) for the year and the milestones (the ‘KRs’) we must meet to accomplish them. We then conduct a mid-year review to assess our achievements thus far and, more importantly, reflect on the changes we should make to stay on track in achieving our goals for the year.

When drafting the KRs, we often think about completing a specific number of audit projects. While this is a common KR, I wonder if this truly captures the essence of our achievements as internal auditors. With this in mind, let’s explore some alternative KRs generated using ChatGPT:

 

KR1: Increase Audit Coverage

Expanding audit coverage to include new areas is a common challenge for all of us. For many of us, this often means having to do more with the same people we already have. To address this, we need a risk-based audit plan that prioritises high-risk areas requiring attention. It’s crucial to seek alignment with our stakeholders to ensure appropriate coverage. Consider adopting a combined assurance approach, coordinating with other assurance providers internally (e.g., compliance and risk management functions) and externally (e.g., external auditors). This collaboration minimises duplication of efforts and ensures comprehensive coverage. It is useful to create an assurance map to facilitate discussions with these assurance providers and to assure the Audit Committee that there are no gaps or duplications in audit coverage.

To increase capacity, the internal audit function should implement technology that makes audits more efficient.

 

KR2: Improve Audit Quality

While this KR is often associated with enhancing audit methodologies and tools to improve the effectiveness and quality of internal audit services, I believe it is more than that. It is also about how we, individually as audit professionals, maintain and continuously develop our competencies to improve our work. The new Global Internal Audit Standards (GIAS) emphasises the need for internal auditors to enhance their knowledge, skills, and abilities through continuing professional development. GIAS further states that “while the CAE is responsible for providing opportunities for education and training for the IA function as a whole, internal auditors ultimately are responsible for developing their competencies and should seek opportunities to learn”. GIAS also provides examples of these learning opportunities, such as attending relevant seminars or training, seeking opportunities for mentorship and guidance from supervisors, and participating in audit engagements involving unfamiliar processes.

I suggest that internal auditors also consider taking on cross-functional training. For instance, request a stint or job rotation in other areas of the organisation, such as finance, HR, procurement, IT, etc. This allows us to further upskill ourselves beyond audit-specific disciplines and grow our career path.

 

KR3: Enhance Stakeholder Engagement

I once read an article that stated, “Internal audit is a people business”.

As internal auditors, our primary role is to enhance our organisation’s success through strengthening its governance, risk management, and control processes. We cannot possibly perform this role effectively without having good relationships with our stakeholders. Not only that, but good relationships with stakeholders also form the foundation for effective communication, as stated in the GIAS: “Effective communication requires building relationships, establishing trust, and ensuring that stakeholders benefit from the results of internal audit activities”.

Some internal audit units conduct post-engagement surveys to assess satisfaction with internal audit services. Alternatively, we can consider arranging informal catch-ups over coffee. In addition to getting feedback and identifying areas where we can provide a better experience in the next audit, use these sessions to discuss and explore areas where internal audit can collaborate with management beyond audits.

While it would be ideal for these superpowers to come naturally to us, they don't. Our skill sets are our "powers". By continuously honing these skills, we can become "super". It's important to remember that "with great powers, comes great responsibility", as the famous line from the Spider-Man movie suggests. How we utilise and apply our superpowers—our skills and knowledge—must allow us to create value for organisations and positively impact our stakeholders.

 

KR4: Strengthen Compliance and Risk Management

This is about helping management become informed risk owners by promoting risk awareness and proactive risk management.

An analogy may be helpful here to explain the importance of this point.

Drivers will acknowledge that several factors influence the way we drive. Besides good road and traffic conditions, we will have confidence in speeding up only if we know that various parts of the car are problem-free. For example, the speedometer shows an accurate reading, the tyres are at the recommended pressure, the brakes work properly, etc.

Similarly, management who are well informed of risks and the effectiveness of internal controls across all activities of the organisation are more likely to confidently pursue business goals, which often include taking calculated risks and seizing opportunities. Internal auditors should therefore aspire to provide management with insight and foresight on how best to pursue business goals while keeping risks at bay, just as a GPS navigation system advises the driver of the next turn to take and offers an alternate route when needed.

In some organisations, the internal audit unit serves as a training ground for those who get promoted into management positions outside the internal audit function. This is a good way to equip business leaders with the necessary skill sets to manage risks.

Internal audit units can also consider inviting colleagues from other departments to join internal audit on a rotation programme, or to participate in some audits as a guest auditor. In doing so, we will have the opportunity to train these business users and equip them with the knowledge to identify, assess, and manage risks. This also helps an internal audit unit expand its resourcing models to tackle issues such as skills gaps and talent shortages.

 

KR5: Foster Continuous Improvement

This is about establishing a process to continuously enhance the effectiveness of the internal audit function. Part of this includes having a quality assurance and improvement programme in place for the internal audit function to undergo periodic evaluations through internal and external quality assessments. Often, the biggest challenge in getting started is not knowing what areas need improvement; as the saying goes, “you don’t know what you don’t know”. Therefore, it is useful to tap into the internal audit community, be a part of the professional network, and learn from each other. Over the years, I have learned a lot from many friends and colleagues who generously shared their audit practices and processes.

 

As we reflect on our own OKRs, it’s essential to identify goals that go beyond simply completing tasks. Let’s aim for impact, effectiveness, and growth as internal auditors.

Share your thoughts on this topic – I would love to hear your perspective. Feel free to reach out for a chat over coffee.

 

Norman Kuik is an internal auditor at the Economic Development Board and a Governor of The Institute of Internal Auditors Singapore. He is also an avid coffee drinker.


 

The Institute of Internal Auditors Singapore blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors Singapore and its committees and from opinions endorsed by the bloggers’ employers.