Internal audit is increasingly under pressure to demonstrate value rather than merely tick boxes. Traditional audit plans focus on outputs – the number of audits completed, findings reported, or percent of plan covered. Yet outputs alone tell us little about effectiveness. As one expert notes, “performance of internal audit is often measured in terms of outputs…internal audit deals in value, not widgets, so outputs alone usually aren’t a great way to measure performance”. In practice this means shifting from asking “Did we complete all our audits?” toward “Did we improve risk management and governance?” Frameworks and new standards echo this shift: IIA guidance urges measuring risk management improvements and achievement of strategic objectives, not just audit counts. The 2024 IIA Standards explicitly call for internal audit to be “outcome-focused”, emphasizing impact over process. Likewise, COSO’s ERM framework stresses defining risk appetite and aligning controls with enterprise objectives.
A performance-driven audit program treats findings, action items, and risk metrics as signals in a continuous improvement loop (see diagram below). Rather than producing static annual plans, audit teams constantly recalibrate priorities in response to real-time data – such as emerging risk trends, recurring issues, and overdue mitigations. This approach is akin to the Plan–Do–Check–Act cycle in quality management: plan and execute audits, check outcomes (e.g. issue recurrence, risk exposure), then act (adjust scope or resources), and repeat. (Figure: a feedback loop embodies this continuous cycle.)
Traditional vs. Performance-Driven Audit
Traditional audits rely on static annual plans and output metrics. Common measures include “% of audit plan completed” or “number of findings raised”. These outputs are easy to count but can incentivize box-checking: teams push through audits to hit targets, even if work is redundant or misaligned. For example, completing 100 audits means little if the same issues keep resurfacing. By contrast, a performance-driven approach uses outcome metrics – such as reduction in recurring issues, timely closure of high-risk action items, or alignment of audit coverage with current strategic risks. The IIA’s 2010 guidance lists outcome-focused measures like “contribution to improvement of risk management, control and governance” and “achievement of key goals”.
Key differences between traditional and performance-driven audit:
- Goals: Audit activity vs. Audit impact. Traditional plans emphasize completing assigned audits (activity metrics), whereas performance-driven programs measure how audit work reduces risk or supports objectives (impact metrics).
- Planning: Annual/ad-hoc vs. Dynamic/risk-based. Conventional plans are set once per year and rarely changed. Performance-driven programs continuously adjust scope using real-time risk indicators (new risks, control failures, etc.).
- Reporting: Tally of reports vs. Insights dashboard. Instead of static reports filed away, teams use live dashboards to monitor issue status and risk trends. For instance, dashboards can show overdue action items and audit outcomes in real time for quick remediation.
- Stakeholder focus: Compliance vs. Value-creation. Traditional audit may satisfy regulatory checklists. Outcome-focused audit acts as a strategic partner, anticipating stakeholder needs and advising on emerging risks. Only about 16% of audit functions report being seen as a “trusted advisor” by stakeholders; performance-driven practice aims to raise that through deeper business insight.
Adopting performance metrics changes behavior. Instead of rewarding auditors for simply raising many findings, outcome metrics incentivize identifying root causes and driving resolutions. As one practitioner puts it, audit teams that add value become “trusted partners” whom management invites to comment on new initiatives.
Outcome Orientation in Standards and Frameworks
Leading practices and standards increasingly highlight outcomes and agility. The IIA’s new 2024 Standards explicitly direct internal audit to focus on outcomes and impact. In fact, Plante Moran notes the Standards encourage auditors to be consultative, strategic advisors who improve the organization – not just compliance cops. Chief Audit Executives (CAEs) are expected to define and report on performance metrics (KPIs) tied to value delivered. For example, the CAE should “present [audit] performance metrics for board feedback and approval, gather data and report progress against them”. This underscores a shift: boards and management now expect audit to measure itself by how it advances organizational goals.
Risk management frameworks similarly call for alignment. The COSO ERM framework’s latest guidance emphasizes articulating risk appetite and using it to guide decision-making, resource allocation, and even audit planning. A risk-mature organization “consciously and dynamically” sets risk appetite to clarify what risks it will tolerate in pursuit of objectives. That risk appetite should feed into audit priorities – areas where the business is risk-eager demand more assurance. In practice, Connected Risk ties audit findings directly to enterprise goals and the defined risk appetite, enabling oversight on whether the organization operates within those tolerance levels.
Beyond guidance, real-world surveys show the gap between intention and practice. For example, a PwC benchmarking study found only 16% of audit functions operate as trusted advisors – a role that implies outcomes-focused engagement. Moreover, many stakeholders want internal audit more involved in strategic issues: a global IIA survey found nearly two-thirds of board-level stakeholders expect audit to actively address top strategic risks (cybersecurity, large projects, etc.). These findings underline the need for audit to move beyond routine checklists and towards performance-driven, strategic assurance.
The Connected Risk Platform: Bridging Audit to Outcomes
Empowered’s Connected Risk® is a modern GRC platform purpose-built to make performance-driven audit a reality. It embeds audit, risk, and control data in one system, enabling dynamic prioritization and real-time monitoring. Key capabilities include:
- Risk-based audit planning: Connected Risk maintains an auditable universe of entities, each with associated risks. Audit plans are linked to enterprise risk scores and heat maps so priorities automatically adjust as the risk landscape evolves. For example, if a new regulation or business change raises a risk score for a process, the platform instantly flags the need to audit that area next.
- Embedded issue and action management: Findings and action items live in Connected Risk, not in scattered spreadsheets. Auditors can assign issues to owners, set deadlines, and track status. Crucially, the system flags overdue or stalled mitigations automatically: built-in reminders escalate long-pending actions so nothing slips through the cracks. This “always-on” follow-up keeps management accountable and prevents audit fatigue from endless chasing.
- Real-time reporting and dashboards: Instead of static, year-old reports, leadership sees live dashboards of audit status, issue trends, and risk alignment. For instance, executives can view charts of overdue actions by business unit or recurring findings over time, on-demand. Reports can be exported instantly, and insights are shareable with the board at a click. As Empowered describes it, the platform lets teams “monitor progress, overdue actions, audit outcomes, and risk alignment…share insights instantly with executives and audit committees”.
- Control testing with risk linkage: Within each engagement, auditors test controls and map any exceptions back to the relevant enterprise risks and objectives. This tight linkage means that when audit findings occur, stakeholders can immediately see their impact on corporate risk exposure. It closes the loop – audit results (Check) flow back into the risk profile, informing the next cycle of planning (Act).
Because Connected Risk spans the entire GRC lifecycle, it further connects audit to broader risk context. Audit findings automatically feed into the organization’s risk register. Action items from audit (or any remediation plans) become visible to risk and compliance teams, who can coordinate activities. For example, if a recurring audit issue involves IT controls, the IT risk team can see it and allocate resources. The platform’s combinatorial data strategy lets teams blend multiple data sources – policies, controls, assessments, incidents – so audit is no longer siloed from second-line risk management. In short, audit moves from “policing” to partnering: its insights highlight where the organization is moving outside its appetite, and management can act swiftly.
Monitoring Performance: Signals and Dashboards
A core tenet of performance-driven audit is continuous monitoring – treating audit data as an early warning system. Connected Risk implements a true feedback loop. For example: every time an audit uncovers an issue, the platform notes who owns the affected risk and how it’s being mitigated. Over time it can chart issue recurrence (e.g. repeated control failures under one manager) and highlight ownership gaps. If a high-risk finding resurfaces year after year, Connected Risk alerts the audit team and management to revisit the underlying process, not just re-test it. Similarly, summary dashboards reveal trend lines: a spike in “past due” action items or a cluster of findings in one department becomes an obvious signal to pivot audit resources.
This shift can be illustrated by the classic PDCA cycle, adapted for audit (see above). Auditors plan (Plan) and conduct work (Do), then check (in real time via dashboards) how effectively issues were resolved and risks managed. The “Act” step is automated: Connected Risk flags needed changes (e.g. reassigning stale tasks, or auditing a new risk hotspot), feeding them into the next planning cycle. The result is an agile audit process – more like a cockpit dashboard that guides action than a static to-do list.
Case Studies (Composite Examples)
The following composites illustrate the impact of moving to a performance-driven program with Connected Risk:
- Building stakeholder trust: A large healthcare audit department struggled with finger-pointing: management saw audit as punitive, and internal teams took issue findings lightly. By deploying Connected Risk, the CAE created a dashboard that showed how audit issues linked to the hospital’s goals (patient safety, regulatory compliance). Over several months, audit’s work shifted to focus on systemic problems (e.g. recurrent medication errors) and tracking how fixes reduced risk. Stakeholders began to view auditors as partners. As one senior executive commented, “Audit is finally giving us insights that improve patient care” – trust in audit rose sharply. (This aligns with industry findings: PwC notes only about 16% of audit functions are seen as “trusted advisors” today; demonstrating continuous improvement helped change that perception here.)
- Accelerating remediation: A financial services internal audit team was notorious for “papering over” control issues due to slow follow-up. Action items languished for months, eroding management confidence. After implementing Connected Risk’s action-tracking, overdue items were flagged and automatically escalated to executives weekly. In one example, a compliance lapse flagged by audit had been ignored twice; the new system pushed it into the dashboard of a director, who immediately allocated resources to fix it. Within two quarters, the average time to close high-priority findings dropped by ~40%. Risk mitigations now progress in near-real time. Senior management noted that audit issues no longer “fall off the radar” – a key benefit of the system’s real-time alerts.
- Aligning with evolving strategy: A technology company went through a strategic pivot (entering cloud services) mid-year, which made parts of the pre-set audit plan obsolete. With legacy audit tools, the team would have stuck to the old plan and scrambled to add a few cloud audits. Instead, using Connected Risk’s dynamic planning, the CAE immediately reprioritized audits around the new strategic risks (cybersecurity, cloud vendor management) and de-emphasized low-risk legacy controls. The platform’s risk heat map visualizations made the shift transparent to the board. The audit function hit the ground running on the right topics and was seen as proactively supporting the strategy. The CAE observed that audit had become “ahead of the business” in identifying risks – echoing thought leadership advice to blend deep risk knowledge with agility.
Each of these outcomes – increased trust, faster fixes, tighter scope alignment – reflects audit moving from simply “doing audits” to adding strategic value. The CAEs driving these changes noted that they now spend far more time on the biggest risks. In fact, PwC found that leading (“pioneer”) audit functions devote about 66% of effort to strategic areas, versus just 42% for less mature functions. Connected Risk helps achieve exactly that focus by continuously measuring and communicating risk impact.
Final Thoughts: Leading with Confidence
Modern internal audit must navigate a rapidly changing risk landscape. A traditional, outputs-oriented plan can leave blind spots – emerging threats may go unnoticed, and recurring issues unrepaired. By contrast, a performance-driven program treats audit as a continual feedback loop tied to the organization’s strategy and appetite. Real-time signals (overdue actions, recurring issues, risk score changes) trigger immediate course corrections. This shift not only improves controls, but also deepens stakeholder confidence and strategic relevance.
Empowered’s Connected Risk platform empowers this transition. Its integrated dashboards, analytics, and automated workflows turn audit data into actionable insights. Audit leaders who have adopted it report that they now feel like partners to the business rather than observers – aligning resources to what matters most and demonstrating clear results (faster risk mitigation, stronger governance, and ultimately, reduced residual risk).
In short, moving from “audit plans” to performance-driven programs means navigating by outcomes, not checklists. By leveraging tools like Connected Risk and embracing continuous monitoring, internal audit can chart a course that delivers measurable improvement in organizational performance and risk resilience.