Once an organisation sets its strategy, there are countless risk factors that could impact whether the goals come to fruition. Sector disruption, supply chain issues, customer disloyalty, a brand reputation incident, cyber-security breach, or even internal fraud, could bring the best-laid-plans unstuck. However, Internal Audit (IA) is in a very unique position to help organisations alleviate the threat of these complexities.
“IA should help management understand what the key risks are to the success of their strategy and should then provide assurance that the key controls to managing those risks are sound,” says Michael Hill, Partner, Internal Audit – Governance and Risk, KPMG Australia.
Every organisation has a different approach to defining and implementing strategy, whether that be in the level of detail, the frequency of review and formalisation of the strategy, its connection to budgets, or the involvement of internal and external parties, for example. Regardless of the approach, IA can help an organisation keep on track to see its strategy succeed.
The role of IA is rarely to help set a strategy, as this is generally the remit of management and the board. Rather, IA’s role should be to audit processes for the developing and implementing of strategy.
KPMG and IIA Netherlands co-authored a discussion paper, Strategy-related auditing, June 2015, which divides the approach to auditing strategy into two distinct categories – strategic risk audits and strategy process audits.
Strategy risk audits focus on the risks that could come from pursuing certain strategically important organisational goals. Strategy process audits assess the formulation, implementation, evaluation and control of the strategic management process or (the content of) the formulated strategy itself.
A strategic risk audit could be designed to validate the considerations and assumptions that the strategy was founded on – and if they are accurate, inaccurate, omitted, or even un-substantiated. It will consider if there is consistency in reasoning in the strategy, and if the calculations that substantiate the strategy are correct.
Hill gives the example of an internationally based business that sought IA assurance that its Australian subsidiary was implementing a realistic strategy. For this client, KPMG reviewed whether the assumptions in the strategy were sound based on past experience and other external data points, and if the business had the necessary resources and appropriate timeframes in place to execute the plan.
Carmel Mortell, Partner in Charge, Internal Audit at KPMG Australia says IA’s role in auditing strategy has been the topic of some industry debate, and is often questioned by boards. Some argue that strategy audits should simply focus on the processes for implementing strategy. Others argue that a strategy audit can apply to both the process and the content.
Mortell is with the former group, expecting that auditing strategy content will become an increasing part of the IA function.
“I do believe that IA should be auditing strategy,” she says. “There are significant risks and assumptions in strategy and if we aren’t playing that important role in strategy, we aren’t meeting the strategic objective of IA.”
Considerations required to make sure this is successful include a relationship of mutual trust between IA and management, as well as ensuring the seniority of the individual auditors so that they can bring deeper insight into analysis.
For all types of strategy audit, Mortell says essential skills for the IA function include communication skills, business acumen, awareness of current industry issues and trends, and knowledge of the process for developing strategy.
Strategy planning can often be a ‘set and forget’ process, so IA can help keep a conversation alive with management about the validity of assumptions embedded in the strategy as internal and external circumstances change. If organisations are open to the content of their strategy being audited, it can be valuable to do so on a quarterly or half-yearly basis, to keep reassessing the company’s priorities, and to ensure the risk controls required to uphold the strategy keep adjusting accordingly.
“IA needs to be agile and to understand all the issues impacting the business and how to provide assurance over those key areas on a regular basis,” Hill says.
Hill says IA is not just there to find where attention must be focused, but it can also highlight areas that are over-controlled, showing where too much time and cost is going into a particular aspect of operations without benefit.
Companies that do not align IA with their strategy may find they are unable to fulfil growth plans due to failing to identify risk. Another issue could be a threat to reputation and losing consumer trust.
“If we work back from customer trust in a brand, one of the things that can go wrong in that respect is compliance breaches, regulatory scrutiny and things taking too long to come to market. These all go back to trying to achieve a strategy that Internal Audit can assure upon,” Hill says.
Internal Audit plays a unique role in auditing organisational culture. Find out more in our article – Company culture in IA – why soft controls make a difference.