View from the top: Strategy – focus on the process

As Save the Children embarks on its 2022-24 strategic period, the recent extraordinary period of global disruption has become the cornerstone of our strategy. The pandemic has threatened gains made towards the Sustainable Development Goals (SDGs), humanitarian needs are soaring, the pace of technological change challenges our modus operandi, and renewed calls for action on racial justice and inclusion are a moment of reckoning for societies, governments, institutions and organisations alike.

 

As a c.$2bn agency, we might be expected to ride out tumultuous storms, but we aim to thrive, not just to survive. Crucially, we need to examine issues of resilience, societal change and crisis response beyond our own walls. I have been encouraged by how Save the Children is redoubling its efforts on emergency preparedness, use of digital and data, and shifting power to local actors. The litmus test for me as an auditor will be finding innovative and practical means to provide my board with assurance on the effectiveness and pace of these changes.

Any period of great disruption creates seismic economic, technological and societal shifts. Organisations in all sectors need to ask how these will affect their missions and their operations – are their strategies still attuned to the needs and beliefs of their stakeholders? Are the decision-makers fully aware of these shifts and are the decision-making processes comprehensive, nimble and robust? Are risk leaders proactively shining a light on the risks and opportunities these shifts present? These are governance questions that chief audit executives should be asking now. I hope that organisations across sectors – and their internal audit functions – have pressed “pause” to re-assess whether their strategic aims and underpinning activities are aligned in a world that has changed.

Internal audit functions must re-configure their own interventions and work programmes, aligning them deeply to organisational strategy. Going beyond the realm of strategic risks, we must audit the strategy process itself, and its execution, to determine its impact. Research shows that CAEs may be more inclined to assess strategy execution than the process by which strategy is formed. Some boards and audit committees may not see it as internal audit’s role. Auditing the strategy process may seem subjective – it requires exercising professional judgment – but in my view there is a clear risk and internal controls lens and much objective evidence to support this line of enquiry. I see assessing the rigour of the process, data-sets and decision-gates behind corporate strategy as very much part of internal audit’s role.

You may need to trust your instinct as cultures and operating realities vary. You may need to play the role of “foghorn” in an organisation that isn’t tangibly re-aligning to a re-configured world; or be a “critical friend and thinking partner” in an organisation that is. We need to be heard, but we must also have something consequential to say. 

This article was first published in January 2022.

 

I was also reminded of a common challenge for all internal audit teams, which is to ensure that we put ourselves in a position where we are judged just as rigorously as we evaluate our auditees. We all need to know how we are perceived and valued by the organisation and whether we are fulfilling our remit and meeting evolving needs as our organisations and the world they operate in change.

Having read this year’s award entries, I could see there were many exciting projects and transformations going on and I took some ideas away to explore with my team. However, it made me wonder why far more internal audit teams aren’t using the awards as an opportunity to capture and record their most interesting or innovative projects and share these with management and the wider internal audit profession.

We are all under pressure to develop and change and the past couple of years have thrown up huge challenges. If teams have found ways to tackle new and emerging risks, or improved the way they monitor the risk environment and offer assurance, then why not use the awards as an opportunity to reflect on your achievements and record them succinctly as you have to on the nomination form? This is a useful exercise in itself, since, if you conclude that your team has done nothing transformative in the face of so many new risks and opportunities, you should be asking why not.

The nominations also demonstrated some clear themes that are taxing the imaginations of internal audit leaders at the moment. First among these is the challenge to upskill team members and improve the function’s capabilities. We are all looking for internal auditors with business acumen, the ability to use technology, experience with data analytics and a wide range of interpersonal skills, as well as technical internal audit knowledge. Sharing how we are approaching team development with others in the same situation is always helpful.

It was also clear that culture is moving up internal audit’s agenda. It’s always been embedded in what we do, but is often implied rather than explicit. The increasing value placed upon internal audit by its stakeholders is reflected in more demands to get involved in consultancy and advisory work. The ability to meet that expectation and secure the cherished position of “trusted adviser” cannot be done without demonstrating a deep understanding of the culture of the organisation.

Internal auditors can’t be experts in everything, but we do need the capability to provide assurance across a growing range of areas – which is especially problematic when it comes to technology. I was, therefore, surprised not to see more award nominations focusing on how teams are developing their ability to audit technological advances.

Many teams seem to focus on how they use technology, especially data analytics, within their audits. However, while that is important, a broader issue is how internal audit is involved in the organisation’s use of technology and what this means for its risks. This is a huge challenge for internal audit. How do we develop ourselves to ensure we can offer advice and assurance over our organisation’s use of new technologies and the risks this creates? Organisations also continue to increase their reliance on outsourcing contracts for technological support, which adds another layer of complexity and risk that internal audit needs to understand.

It is good that organisations are demanding more of internal audit functions and, as the endorsements for the award nominees show, senior managers are recognising the value they get from excellent teams. However, we face significant challenges to meet this demand and ensure we offer the best service possible.

To do this, we need to take every opportunity to share our experiences, our ideas and our successes, to do so as widely as possible and to learn from each other. The awards are an excellent way to achieve this, so I hope many others will be inspired by the work of the winning teams and will consider entering their own nominations next year. 

 

This article was first published in July 2022.