Once an organisation sets its strategy, there are countless risk factors that could impact whether the goals come to fruition. Sector disruption, supply chain issues, customer disloyalty, a brand reputation incident, cyber-security breach, or even internal fraud, could bring the best-laid-plans unstuck. However, Internal Audit is in a very unique position to help organisations alleviate the threat of these complexities.
Internal Audit should help management understand what the key risks are to the success of their strategy and should then provide assurance that the key controls to managing those risks are sound.
Every organisation has a different approach to defining and implementing strategy, whether that be in the level of detail, the frequency of review and formalisation of the strategy, its connection to budgets, or the involvement of internal and external parties, for example. Regardless of the approach, internal audit can help an organisation keep on track to see its strategy succeed.
The role of Internal audit is rarely to help set a strategy, as this is generally the remit of management and the board. Rather, internal audit's role should be to audit processes for the developing and implementing of strategy.
KPMG and IIA Netherlands co-authored a discussion paper, Strategy-related Auditing, June 2015, which divides the approach to auditing strategy into two distinct categories – strategic risk audits and strategy process audits.
Strategy risk audits focus on the risks that could come from pursuing certain strategically important organisational goals. Strategy process audits assess the formulation, implementation, evaluation and control of the strategic management process or (the content of) the formulated strategy itself.
A strategic risk audit could be designed to validate the considerations and assumptions that the strategy was founded on – and if they are accurate, inaccurate, omitted, or even un-substantiated. It will consider if there is consistency in reasoning in the strategy, and if the calculations that substantiate the strategy are correct.
An example is that of an internationally based business that sought internal audit assurance that its Australian subsidiary was implementing a realistic strategy. For this client, KPMG reviewed whether the assumptions in the strategy were sound based on past experience and other external data points, and if the business had the necessary resources and appropriate timeframes in place to execute the plan.
Internal Audit’s role in auditing strategy has been the topic of some industry debate, and is often questioned by boards. Some argue that strategy audits should simply focus on the processes for implementing strategy. Others argue that a strategy audit can apply to both the process and the content.
There are significant risks and assumptions in strategy and if we aren’t playing that important role in strategy, we aren’t meeting the strategic objective of Internal Audit.
Considerations required to make sure this is successful include a relationship of mutual trust between Internal Audit and management, as well as ensuring the seniority of the individual auditors so that they can bring deeper insight into analysis.
For all types of strategy audit, Mortell says essential skills for the Internal Audit function include communication skills, business acumen, awareness of current industry issues and trends, and knowledge of the process for developing strategy.
Strategy planning can often be a ‘set and forget’ process, so Internal Audit can help keep a conversation alive with management about the validity of assumptions embedded in the strategy as internal and external circumstances change. If organisations are open to the content of their strategy being audited, it can be valuable to do so on a quarterly or half-yearly basis, to keep reassessing the company’s priorities, and to ensure the risk controls required to uphold the strategy keep adjusting accordingly.
Internal Audit needs to be agile and to understand all the issues impacting the business and how to provide assurance over those key areas on a regular basis.
Internal Audit is not just there to find where attention must be focused, but it can also highlight areas that are over-controlled, showing where too much time and cost is going into a particular aspect of operations without benefit.
Companies that do not align Internal Audit with their strategy may find they are unable to fulfil growth plans due to failing to identify risk. Another issue could be a threat to reputation and losing consumer trust.
If we work back from customer trust in a brand, one of the things that can go wrong in that respect is compliance breaches, regulatory scrutiny and things taking too long to come to market. These all go back to trying to achieve a strategy that Internal Audit can assure upon.
© 2020 KPMG Central Services, a Belgian Economic Interest Grouping ("ESV/GIE") and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.