Adding strategy to the audit plan

Organisations fail. Seldom is it due to control weakness or process inefficiency but because of strategic decisions.

This article takes a positive approach as to why and how internal audit should undertake audits in the strategic arena. In February 2018 in the days after Carillion went into administration, former Institute CEO, Dr Ian Peters, noted that ‘too often internal audit has been preoccupied with detailed low-level risk and has failed to focus on the bigger picture’.

Has the profession improved? What strategic assurance does your function provide?


Strategy is just another process

There are two clear elements to strategy; its creation and its execution. Internal audit should provide assurance across both, although often restricts itself solely to execution; the projects and processes that are familiar territory.

Strategic decisions, the creation of a strategy, set the direction for the organisation; its goals, objectives and business model. If something goes wrong at this level, it permeates through everything, just like culture and the widely acknowledged importance of the ‘tone from the top’.

Psychological research by Franck Schuurmans, Wharton Business School found that people mainly learn by discovery, heuristics, which limits decision making capabilities for complex problems…unless supported by a robust process. He suggests the problem can be resolved with improved framing, bias dissonance and decision feedback.

All strategy is based on a decision and that decision, regardless of whether it is made by an individual or a collective, can and should be subject to assurance for the protection of all stakeholders.

Audit leaders are adept at root cause analysis, getting to the nub of an issue. When auditing a major project, acquisition integration or transforming processes and the analysis leads back to an avoidable strategic decision made months or years earlier how much better would that assurance have been at the time?

 

 

Research by the Corporate Executive Board found that 68% of the reasons for loss of shareholder value were strategic, yet only 6% of audit time focused on this area. What has changed since this was conducted in 2010? The time spent on financial controls may be higher in the US than the UK due to SOX, nevertheless the challenge remains.

The research hasn’t been repeated; however, think about your sector today, maybe the reasons for loss of stakeholder value remain true, but what of your audit activity? Is enough resource directed to the strategic risks that could cause the demise of the organisation?

 

 

With the plethora of data analytics tools available now, including spreadsheets, internal auditors should by now be using technology to make financial audits efficient. The same could be said for the automation of many operational processes and controls. In the years since the CEB conducted their research technology has changed considerably in terms of accessibility and capability. In the Institutes Data Analytics Report, Dublin Airport Authority shows just how effective the use of data analytics tools can be. 


Standards and auditing strategy


The Global Standards require internal auditors to provide assurance, advice, insight and foresight. Is this possible without any strategic auditing?

Audit planning should be risk based and consistent with the organisations goals. Although this places strategic understanding at the heart of internal audit activity it’s not compelling enough to audit strategy itself.

Standard 9.1 is an example of being explicit. To understand governance processes, the CAE must consider how the organisation establishes strategic objectives and makes strategic and operational decisions. 

The role of internal audit is not to supplant management as strategic experts. Internal audit do not determine strategy. Their role is to bring objectivity and independence to challenge the thoroughness of the strategic processes, including the decision making, and the reliability of the subsequent information flows e.g. management information provided by the business that feeds and informs the strategic creation process.


 

Addressing the challenges

Auditing strategy is important but it also needs to be put into context against the challenges that audit leaders face day to day. A phased approach offers a way to address the challenges and initiate realistic engagements building to more defined and targeted audit activity. It is a journey not a destination reflected by the double headed arrow in the graphic; new board members, merger and acquisition, downsizing can lead to re-evaluation. It takes time and may span across chief audit executives. Just because you might not be around to see the end result shouldn’t stop you from starting the journey!

 

Realistic

The planning phase. A needs assessment. Evaluating the scale of the challenge ahead to be able to audit strategy. The capabilities of the internal audit team are important. Less so the technical skills rather the softer skills to work confidently at board level. Also relevant is the positioning of the audit function. On the spectrum of trusted advisor and policeman where does the team sit? It is difficult to add real value at the strategic level without an open door. And finally understanding the risk maturity of the strategic decision makers is imperative. Will they respect the difficult message that you may potentially be delivering? Do they appreciate the importance of risk management?

Defined

For most audit leaders a programme of activity will be necessary; potentially already part of a broader continuous improvement plan. It will enable skills to be developed, marketing to raise the profile and understanding of internal audit together with risk education of the decision makers. The guidance suggested in these links provides just a few of the many start points to building solutions.

Targeted

The aspiration for audit leaders should be to have an audit strategy that enables a comprehensive, proportionate, risk-based audit plan that considers strategy equally alongside compliance, operational and financial/reporting components of the control environment. Working collaboratively with others that are intrinsic to strategic governance helps to achieve this, such as risk professionals, company secretary and head of legal. At this phase the evolved risk maturity of decision makers should facilitate internal audit operating effectively in the strategic arena.

 

 

Audit elements

The IPPF again provides a way to frame strategic auditing by using the ‘ACRES’ guidance to  evaluating the adequacy and effectiveness of controls in responding to risks.


A. Strategic planning. What is the process? Where are the controls? Think back to Schuurmans, what was the frame of reference? In principle making a strategic decision is the same as making a widget, there are inputs, mechanics happen and an output is created, however because people are involved and it is subjective it is much more complex. How was the decision reached? What rationale tipped the balance for option (a) over option (b)? What risk evaluation took place? Did it ignore, work within or redefine the risk appetite?

C. Future proofing. Were subject matter experts consulted about changes to law, regulations or contractual arrangements? If trading in new territories do decision-makers understand the risks? Transparency International provides independent data on issues including corruption and slavery.
Diversity. Were all the necessary stakeholders represented in the decision-making? How was group think avoided? Was a decision imposed? How were alternatives and dissonance encouraged in the decision-making process?

R. Strategic assumptions. Does internal audit validate the presentations and/or business cases that management provide to the board to support strategic-decision making? Is the financial and operational data timely, accurate, relevant, complete and valid? It is important to remember that the first line provide much of the assurance that the board relies upon, internal audit know better than to assume it is always free of hidden agenda, politic or error. Are decision-makers made aware of all the risks or is a positive bias presented?

E. Strategic risk. Strategic decisions require consideration of how much risk (risk appetite) the board are prepared to take. Internal audit is the only function capable of providing assurance that this is being effected, if management is too cautious the strategy will not be maximised and if they are more aggressive this could expose the organisation beyond its capacity for risk.
Strategic review/monitoring. What is the process for reviewing the strategy in light of changes to the internal and external environments? How is its effectiveness measured? What assurance does internal audit provide over KPIs and ongoing reporting?

S. Risk capacity. Does the strategic decision exceed the organisations capacity for risk – financial, operational or reputational? Will a critical manual process be scalable? If internal audit doesn’t provide independent assurance for stakeholders who does? Can the organisation afford to implement the strategy; not just financially but also considering reputational damage or the disruption of change?
Foresight. What KRIs need to be put in place to know if the strategy is derailing? Assurance over their appropriateness and accuracy of reporting could make the difference between recovery and failure.

These are not specific audits. The assurance elements could be consolidated into an audit of the strategic process or woven into other audits. Perhaps they are conversations in the first instance. Maybe you are already operating beyond these thoughts, please feel free to share what has worked for you in the comments section at the end of this paper.


Closing Thoughts

Audit leaders should never set out to change strategy. That is firmly outside the remit of internal audit. As independent assurance providers the objective must always be ‘insightful, proactive, and future-focused’ seeking to raise a flag if the strategy is the whim of an eager CEO, totally at odds with the advice of key stakeholders or that the sum of the parts is greater than the budget of the whole!

An Audit Leaders webinar in December 2018 will look at how to develop an audit plan – including strategic audits. It is time to silence critics of internal audit. To make obsolete the assumption that assurance only looks in the rear-view mirror. It is time for audit leaders to look to the future.

 

"If you aren’t in over your head, how do you know how tall you are?"

T.S.Eliot