Future Ready: Utilizing OKR for Audit Engagement Planning

Future Ready: Utilizing OKR for Audit Engagement Planning
Author: Noam Koriat, Ph.D., CISA
Date Published: 15 May 2024
Read Time: 13 minutes
Related: Information Systems Auditing Tools & Techniques: Creating Audit Programs

The new demands of the Fourth Industrial Revolution (4IR) have manifested in a turbulent business landscape. Recent research suggests that the internal audit function must transform and adapt to this. In order to keep pace with the rapid changes brought about by 4IR, internal audit teams should adopt digital business agility, which consists of three pillars: hyperawareness, informed decision making, and fast execution.1 To realize fast execution, the internal audit function strives to implement advanced management practices, such as Agile,2 and is constantly seeking to promote teamwork efforts based on measurable goals and outcomes. Embracing these approaches can position internal audit as a key player in driving organizational innovation.

According to the International Professional Practices Framework (IPPF) and IT Audit Framework (ITAF), execution of audits should be carried out following a documented engagement program that encompasses key elements such as objectives, scope resources, and timeline.3

The study herein suggests a practice for implementing objectives and key results (OKR) as means to design, execute, and monitor an audit engagement plan.

Audit Engagement Planning

In accordance with IPPF’s Standard 2200–Engagement Planning 4 and ITAF’s Performance Standard 1203–Engagement Planning,5 audits should be carried out following a documented engagement program. The engagement program should include elements such as objectives, scope resources, and timeline.6

According to IPPF’s standards 2201–Planning Considerations,7 2210–Engagement Objectives,8 2220–Engagement Scope,9  2230–Engagement Resource Allocation,10 and ITAF’s Performance Guidelines 2203–Engagement Planning11 and 2203.2–Objectives,12 objectives should be designed in alignment with the audited enterprise’s strategy, goals, challenges, and risk. Such alignment enables the assurance process to properly evaluate control effectiveness while considering the necessary resources, knowledge, timeline, and appropriate deliverables within the audit engagement project plan.

IPPF’s Standard 2240–Engagement Work Program13 and ITAF’s Section 2203.3–Scope and Business Knowledge14 suggest that objectives should be further developed into a detailed scope or specifications that outline the necessary actions to achieve the desired outcomes. These specifications should then be documented in an audit project plan, which includes areas to be audited, activities, specific timelines, and deliverables as outlined in ITAF’s Section 2203.5— Documenting the Audit Engagement Project Plan and Audit Program.15

This approach embraces a flux-mindset and fosters failure tolerance, which empowers teams to unleash their creativity, ultimately facilitating innovation.

While the general guidelines are evident, various challenges arise when practically designing an audit engagement plan. For instance, the risk of audit effectiveness may be realized when there is a lack of clear alignment between audit objectives and the organizational strategy and risk assessment, potentially resulting in inadequate audit coverage.

Furthermore, inadequately defining audit scope or specifications can hinder the achievement of objectives and impede the fulfillment of the audit’s purpose. Consequently, there is a possibility of encountering communication challenges with stakeholders, especially auditees, which can lead to a misguided perception of audit’s value and result in decreased cooperation.

Therefore, a more specific approach is necessary to successfully design, execute, and monitor an effective audit engagement plan.

OKR’s Basics and Benefits

A quoted passage from author Lewis Carroll’s Alice’s Adventures in Wonderland highlights the significance of setting goals and their close connection to the actions and paths that should be undertaken to attain them:

Would you tell me, please ,which way ought to walk from here?

That depends good deal on where you want to get to,” said the Cat.16

The OKR framework aims to promote teamwork efforts for driving the organization, based on clear goals and measurable outcomes. This methodology is frequently utilized by innovative organizations.17

As illustrated in figure 1, researchers proposed two sets of questions to consider when setting goals.18

Questions to Consider When Setting Goals

Objectives, which express the destination the goal setter aims to reach, should be formulated in a qualitative manner that inspires ambition and fosters motivation to promote the pursuit of new accomplishments, rather than keeping to the status quo. Objectives should be attainable within a specific and reasonable timeframe, such as a quarter. To maintain team focus, it is advised to set a limited number of three to five objectives.19

Organizations often establish objectives as “stretch goals” that surpass current execution capabilities, intending to inspire teams and foster a challenging work environment. This approach embraces a flux-mindset and fosters failure tolerance, which empowers teams to unleash their creativity, ultimately facilitating innovation. In such instances, it is recommended to set a target success rate of 70%, reflecting the ambitious nature of these goals.20

Key results are target outcomes and milestones that drive progress toward achieving the objective. They are specific and measurable, and should not be used to refer to activities. It is advisable to set a limited number of key results, typically two to five, to ensure team focus and clarity. The completion of key results should be easily identifiable and based on tangible evidence.21

Activities encompass the precise tasks or actions that are carried out to accomplish a particular key result and constitute the operational blueprint for achieving that key result.

Studies suggest that the utilization of goal-setting methodology is essential to ensure efficient coordination that fosters productivity among teams. OKR methodology provides a systematic practice to precisely outline mission objectives, enhance planning and prioritization of tasks, and consistently steer missions toward the successful achievement of objectives. These findings specifically apply to the incorporation of OKR within Agile-style project management.22

Adapting OKR in Audit Engagement Planning

To develop a comprehensive audit engagement plan using the OKR framework, it is essential to make necessary adjustments at the outset to redefine the key terms associated with OKR:23

  • Objectives—Express the added value or impact the audit report is expected to achieve, thus answering the questions, “Where do I want to go?” or “What do we want to do?”
  • Key results—Express the goals or milestones that need to be assured to verify the audit objective is accomplished, thus answering the questions, “How will I pace myself to see if I am getting there?” or “How will we know if we have met our objectives?
  • Activities—Express the specific audit execution steps required to complete a key result.

In accordance with Standard 2310 of the IPPF24 and ITAF’s performance guideline 2205–Evidence,25 the internal audit function is required to obtain the relevant information, such as documents or data, necessary to achieve the engagement objectives. Thus, audit is required to be evidence-based and the process of obtaining knowledge resources is to ensure that the audit’s objectives are accomplished. Therefore, a new term is suggested:

Knowledge resources—The explicit knowledge necessary to facilitate the activities; thus, all codified knowledge such as data, information, and documents.26

A Practical Example of an OKR-Style Audit Engagement Plan

To demonstrate the implementation of the OKR methodology within an audit engagement plan, a practical example of a cloud computing audit program, showcasing an objective and its breakdown into key results, activities, and knowledge resources is illustrated in figure 2.

OKR-Style Cloud Computing Audit Engagement Plan Example

As illustrated, the key results serve as actionable milestones that guarantee the attainment of the objective. Activities represent specific audit steps that function as a structured execution algorithm. The overall knowledge resources list can be utilized for preparing an inquiry to the auditees and requesting relevant information and documents.

OKR-Style Audit Engagement Plan Practice, Challenges, and Benefits

When objectives are properly established, they can be utilized to effectively communicate the scope, value, and impact of audits, encouraging auditees’ engagement and collaboration.

It is suggested that objectives for each audit be established during the annual audit planning phase and updated during the preliminary survey, prior to the audit’s initiation meeting. This approach encourages greater participation in the annual audit planning process, not only from the audit management staff members who naturally lead it, but also from the auditors themselves. Despite the extra overhead involved in incorporating audit’s objectives into the annual audit planning process, it is anticipated that the inherent transitions between implicit and explicit knowledge throughout the process will increase knowledge, encourage creativity and innovation, and foster improved knowledge sharing and collaboration within the internal audit function.27

Furthermore, it is suggested to incorporate the objectives into the audit’s initiation memo to improve the auditee’s comprehension of the audit’s purpose. This practice aids to reduce misunderstandings and opposition that can arise from unclear audit goals or scope, while promoting improved auditee engagement and collaboration.

Contrary to the common notion that more is better, the concept of the paradox of choice proposes that less can hold greater value. This concept holds significant relevance in the era of the attention economy, which is manifested in a reality of endless information and distractions competing for our attention. Therefore, it is imperative to maintain a focused approach to achieve a significant impact. Establishing a limited set of objectives within a clear scope ensures that the audit’s outcomes provide concise insights and recommendations and are given due attention by the auditees.28

An OKR-style engagement plan conveys the target reality the audit aims to achieve, while the audit report represents the gaps between the target reality and the reality in practice. Consequently, the phrasing of OKR components, including objectives and key results, may not consistently align with the phrasing of the titles for findings in the audit report.

Throughout the initial steps of research and planning in the audit execution, and as an essential element of developing the audit’s engagement plan, the process of breaking down the objectives into key results, activities, and knowledge resources is conducted.29

This process necessitates a perspective shift based on asking the right questions, as illustrated in figure 1. It is expected that the shift in perspective will evolve gradually through multiple audit experiences, eventually becoming a natural and instinctive method of presenting audit engagement plans and effectively managing audits. Consequently, management expectations should be adjusted concerning the timeframe required to fully realize the benefits of implementing the new OKR approach.

Previous research suggests Agile methodology as a best practice for completing audit projects; improving audit quality, effectiveness, and efficiency; and providing a sharper focus and greater impact while cultivating digital business agility. In that context, an OKR-style engagement plan provides an additional opportunity to fine-tune the audit’s focus, maintain hyperawareness of changes, and take prompt action during the audit process. Therefore, the audit engagement plan should be updated according to changes arising from a sprint execution experience. An audit engagement plan retuning process should be conducted during sprint retrospectives, with a specific focus on key results and activities.30

Conclusion

This study proposes a practical approach for developing the audit engagement plan, utilizing OKR methodology with the required adaptations to fit the unique nature of audits.

By incorporating an OKR-style audit engagement plan practice, the internal audit function takes another stride toward leveraging advanced management methodologies and controls derived from innovative organizations. This practice is an additional step in the transformative journey that internal audit must pursue to maintain relevance and effectiveness within the turbulence of the 4IR and as a key player driving organizational innovation.

The adoption of an OKR-style engagement plan addresses the essential requirements of both IPPF and ITAF standards, leading to a more precise and distinct audit planning process that highlights the scope, impact, and value of the audit.31

In addition, this approach enables better project control to ensure the accurate achievement of audit objectives and the successful accomplishment of desired milestones. Furthermore, it may aid in fostering auditees’ collaboration and engagement by providing a more focused and transparent view of the audit’s value and impact.

By implementing this advanced approach, the internal audit function can foster effective teamwork, enhance efficiency, and increase productivity, driving progress toward the designated destination by placing a strong emphasis on clear goals and measurable outcomes.

Endnotes

1 Koriat, ; “Internal Audit as a Driver for Innovation,” ISACA® Journal, vol. 4, 2023, https://www.isaca.org/archives
2 Koriat, ; “Future Ready: Toward a Sound Agile Audit Framework,” ISACA Journal, vol. 6, 2023, https://www.isaca.org/archives
3 The Institute of Internal Auditors, “International Standards for the Professional Practice of Internal Auditing,” 1 January 2017, https://www.theiia.org/en/content/guidance/mandatory/standards/international-standards-for-the-professional-practice-of-internal-auditing/; ISACA; IT Audit Framework (ITAF), 4th Edition, 2020, https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004Ko91EAC
4 Op cit IIA, 2017
5 Op cit ISACA, 2020
6 Op cit IIA, 2017; Op cit ISACA, 2020
7 Op cit IIA, 2017
8  Ibid.
9  Ibid.
10 Ibid.
11 Op cit ISACA, 2020
12 Ibid.
13 Op cit IIA, 2017
14 Op cit ISACA, 2020
15 Ibid.
16 Carroll, ; Alice’s Adventures in the Wonderland, Macmillan & Co., United Kingdom, 1865
17 Niven, R.; Lamorte, B.; Objectives and Key Results: Driving Focus, Alignment, and Engagement with OKRs, John Wiley & Sons, USA, 2016; Google re: Work, “Making ‘Work’ Even Better,” https://rework.withgoogle.com/jp/
18 Op cit Niven; Op cit Google re: Work; Grove, S.; High Output Management, Vintage Books, USA, 2015
19 Op cit Niven; Op cit Google re: Work
20 Op cit Niven; Op cit Google re:Work; Rinne, ; “A Futurist’s Guide to Preparing Your Company for Constant Change,” Harvard Business Review, 22 September 2021, https://hbr.org/2021/09/a-futurists-guide-to-preparing-your-company-for-constant-change
21 Op cit Niven; op cit Google re:Work
22 Sowkasem, ; Kirawanich, P.; “A Deliverable Delay Management of Software Development in Railway Project using an OKR-Based Scrum Process,” Proceedings of the 2021 The 4th International Conference on Software Engineering and Information Management, January 2021, https://doi.org/10.1145/3451471.3451473; Stray, V.; Moe, N.B.; et al.; “Using Objectives and Key Results (OKRs) and Slack: A Case Study of Coordination in Large-Scale Distributed Agile,” Proceedings of the 55th Hawaii International Conference on System Sciences, 4 January 2022, https://scholarspace.manoa.hawaii.edu/handle/10125/80225; Chen, D.; Chen, J.; et al.; “Research on Enterprise Performance Management from the Perspective of OKR,” Proceedings of the 2022 International Conference on County Economic Development, Rural Revitalization and Social Sciences (ICCRS 2022), 12 April 2022, https://doi.org/10.2991/aebmr.k.220402.019
23 Op cit Niven; Op cit Google re:Work; op cit Grove
24 Op cit IIA, 2017
25 Op cit ISACA, 2020
26 Polyani, M.; The Tacit Dimension, Doubleday, USA, 1966
27 Nonaka, ; Takeuchi, H.; The Knowledge-Creating Company: How Japanese Companies Create the Dynamics of Innovation, Oxford University Press, United Kingdom, 1995
28 Schwartz, ; The Paradox of Choice: Why More Is Less, Ecco, USA, January 2004; Simon, H.A.; “Designing Organizations for an Information-Rich World,” Computers, Communications, and the Public Interest, The Johns Hopkins Press, USA, 1971
29 Galler, S. ; “Internal Auditing Theory and Practice: Internal Auditing,” Nature, Practice and Added Value to Improve Organizational Governance, 3rd Edition, Duhifat Publishing
30 Op cit
Koriat, 2023B
31 Op cit
IIA; Op cit ISACA, 2020

Noam Koriat, PH.D., CISA

Is the director of information systems audit at Discount Bank. Previously, he was global chief information officer of the Israeli Ministry of Tourism. Koriat also serves as an adjunct professor at the Graduate School of Business Administration at Bar Ilan University (Ramat Gan, Israel), where he teaches digital transformation and innovation, knowledge management, and information systems practicum courses. Koriat can be contacted on LinkedIn at https://www.linkedin.com/in/noamkor/.

Additional resources