From Corporate Cop to Corporate Strategy – The Future of Internal Audit

The internal audit function should seize on its current prominence to start auditing real strategic risks. Firms that figure this out will be far more agile and responsive than those that don't.

Among all the corporate functions that have risen to prominence in the past decade, internal audit (IA) has had one of the fastest rides. This is mainly because of the myriad demands on firms to comply with Sarbanes-Oxley legislation.

IA has spent a lot of time and resources to gain internal respect and, by and large, has shifted perceptions away from it being seen as the ‘corporate cop’, and toward it being seen as a useful partner in business decision-making. But it now has a chance to take advantage of the increased interest in corporate risk management, and make long-lasting changes, both to the function and the way it helps the firm that funds it.


Why Audit Should Tackle Strategic Risk

The IA function should move beyond traditional controls and process-oriented work and start partnering with senior management and the line on true ‘strategic risk’. Large firms should rely on audit expertise to turn an early and effective response to a risk into an opportunity to make investments ahead of competitors.

A lot of senior management (and some heads of audit) would scoff at the idea of ‘strategic risk audits’. We disagree. As has been proved time and again in the past 18 months, the ability to see round corners and deal with risk will differentiate the best firms from the rest. Companies will lose out if they don’t make use of the audit function’s ability to drive this advantage.


A Definition of Strategic Risk

Our research into this shift in the function’s focus is just beginning, but we know that getting it right will depend on a strong definition of strategic risk. So here it is:

“A risk is any event that interrupts the fulfillment of an objective along that objective’s lifecycle.”

The most important ‘objectives’ to work on are, of course, the multi-year corporate goals of the firm. Internal audit should be involved in assessing the processes its firm uses to choose and execute on those objectives. This means IA should look at:

  • The information used to decide on the objectives
  • The strategic planning process used to show how the objectives can be achieved
  • The execution of the strategy
  • The evaluation of the strategy’s success

Most of our clients do some work on the assessment of strategy execution (stage 3 in chart 1 below) but do not necessarily get involved in the rest of the process.

Chart 1: The Lifecycle of an Objective


Internal Audit Should Not Depose the Head of Strategy

We want to be clear: we are not advocating that Internal Audit should be involved in setting and executing strategy. Rather, IA should play a role in making sure that the processes used to do so are as good as they can be. The table below sets out role distinctions for each part of the process.


What Next Generation Internal Audit Will Require

This evolution will require a fairly large shift in the constitution, skills, and activities of the internal audit team. Chart 2 shows some of the changes required.

Chart 2: The Future Roles and Activities for Internal Audit


These changes will take a number of years, but some of our clients are already making this shift. We believe that if you don’t follow suit, your firm and your function will lose out.

We would welcome any thoughts or questions you may have; please share your comments via the box below, or contact me through the link in the top right hand corner of the page. If you are the head of internal audit at your firm, please sign up for our series of meetings with other heads of IA this summer.


5 Responses to “From Corporate Cop to Corporate Strategy – The Future of Internal Audit”

Hans Læssøe Said:

Whereas I fully agree that strategic risks are important and must be managed closely, I completely fail to see the point of making this an Internal Audit (IA) responsibility.

Sure – if no one else is doing it, it is within the scope of IA to verify that the company will achieve its defined goals by the defined strategies.

However – most major/proficient companies have defined risk management functions or even strategic risk management functions within where this is a core responsibility.

The “problem” of assigning this to IA is one of inherent perspective. IA is a controlling function by nature – whereas proactively addressing risks and opportunities is not. IA is focusing on processes (in most companies), and is not trained to look at external factors such as competitive landscape changes or the like.

Much as I appreciate the desire for IA employees to expand their realm of impact – this is, I believe, a wrong track to follow.

Comment made on June 16th, 2010 at 9:45 am

James Fitzmaurice Said:

To be clear, I agree that Internal Audit should not manage any strategic risks. Management should own the risks and Internal Audit should provide assurance that risk management is sound.

Three other reasons why Internal Audit should be involved here:

• For Internal Audit to communicate that they are executing a truly risk-based audit program, it must include the greatest risks to the firm (many of which are strategic).
• Boards, Audit Committees, and Senior Management (not to mention regulators and external auditors) are requesting that Internal Audit take a more active role in providing Strategic Assurance.
• Internal Audit is the only group that can independently and objectively provide assurance that there is sound governance (or not) around the lifecycle of a strategic objective, including the evaluation of 1) the assumptions in objectives setting, 2) strategic planning, 3) strategy execution, and 4) evaluation of strategy outcomes.

Comment made on July 5th, 2010 at 6:24 pm

Maher Bairakdar Said:

It is not the role of IA to manage strategic risk — a proper ERM environment should facilitate the process.

The problem lies in the risk rating process, ERM should bring forward the strategic risks and operational risks impacting strategic objectives. In the same context as James mentioned it above. But where is the problem?

When IA rates a risk as VH, from ERM point of view it might be medium (since ERM keeps an eye on the black swans impacting strategic risks or objectives).

The movement of risks back and forth from ERM to IA and vice versa creates the challenge.

This is why ERM should drive the risk environment and IA provides independent assurance but within the risk tolerances set forth by ERM.

Comment made on August 14th, 2010 at 7:31 pm

Bishwajit Said:

To me it sounds like a logical extension after going into risk based audits. Strategy also poses a risk to the organisation and under or non achievement of the strategy could be a risk for the organisation.

A review of the strategy can also be a good preventive control. The issue is definitely of the skill required to do a value added review of strategy, currently it is extremely rare maybe in future there will be a resource availability to handle this critical task.

Boards/ Audit Committees are now expecting that Internal audit shall provide some assessment on strategy but unless you have the skills it would be a disaster to venture in it as it would affect the other opinions that you are providing as Internal Auditor.

What I have attempted till date is to be a moderator in the strategic risk meetings and throw up issues for discussion that I am not comfortable with as an auditor.

Comment made on December 2nd, 2010 at 12:18 pm

Derek Jackson Said:

I agree with the general direction of this article in relation to the role of internal auditors. As with any other process, internal audit can review how the business strategy is formed, and identify any missing/ineffective controls that mitigate the risks identified by the internal auditor.

Business as usual really. IA need to be able to identify risks in order to make internal control recommendations. There is no rule which says IA can’t be proactive. As a profession we need to be more proactive.

When we say “it is not the role of IA to manage risk” we need to be careful, because when we make recommendations, it could be argued we go some way in helping to manage risks.

KR,
– Derek Jackson

Comment made on December 3rd, 2010 at 3:52 am
 
