The International Standards for the Professional Practice of Internal Auditing and The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management–Integrating With Strategy and Performance emphasize strategy as the basis for internal audits. Despite this, auditors still often lack the tools and methodologies to audit strategy development and implementation for their organizations. By understanding the needed competencies for tackling a strategy audit, internal audit can help improve governance, risk management, and internal controls in an organization’s strategic management process.
Strategic management process best practices typically consist of four interdependent steps:
- Identify owners’ (key stakeholders) expectations.
- Analyze the broader environment, industry, and organization’s performance.
- Develop a long-term vision (destination) and strategy leading to that vision, as strategies reveal causality between strategic activities and strategic outcomes.
- Implement strategy via communication, performance measurement and control, and review meetings.
While it is not the role of internal audit to validate the content of these steps as performed by the organization’s leadership, there is an important requirement for the internal audit function to confirm that each step is being undertaken, and that the organization is using sensible methods at each stage. It is also important for the internal audit team to confirm that these steps are happening concurrently, with each of them operating consistently and cooperatively.
Question 1: Have Stakeholders’ Expectations Been Identified?
Even though the idea of shareholder maximization is always present, business practice abounds with examples of owners balancing profits (financial goals) with other goals — including corporate social, environmental, and economic performance. The first step of auditing strategy is to assess whether the board and senior management have identified stakeholder expectations of future performance in some practical way and have incorporated a response to these expectations within their strategy development process. In the long term, the achievement of stakeholder expectations is the ultimate measure of the performance of the organization’s senior management team. It should serve as stakeholders’ basis for evaluating whether the organization is being managed effectively. As such, it is vital that the strategy focuses on either meeting stakeholder expectations directly, or building and managing a supportive consensus within the stakeholder community concerning the choices of which expectations to meet over time.
Question 2: Does Strategy Lie on Firm, Analytical Ground?
Internal auditors should focus on the most important methodological aspects of strategic analyses.
Is data reliable, relevant, and sufficient? With information easily accessible via the internet, internal auditors should assess if the information gathered is reliable and from trustworthy sources. They also need to evaluate whether the data is relevant (likely and impactful) and sufficient.
Have managers avoided the risks of overconfidence and confirmation bias? Managers are often overconfident about the accuracy of their forecasts and risk assessments and far too narrow in their assessments of the range of possible outcomes. They frequently compound this problem with confirmation bias, which drives them to favor information that supports their positions (typically successes) and suppress information that contradicts them (typically failures). They might anchor their estimates to readily available evidence despite the known danger of making linear extrapolations from recent history to a highly uncertain and variable future. Internal auditors should use professional skepticism to assess the quality of collected data.
Have potential black swan and black elephant scenarios been considered? Black swan events, such as terrorism or natural disasters, are difficult to predict and have major impact on the organization. Black elephant events, such as financial crisis cycles and climate change, are predictable, detrimental events that people or society choose to ignore. Internal auditors should assess whether the analytical process has addressed these unlikely events.
Have analysts identified historical information and emerging trends? Big data has become a necessity rather than an advantage. Organizations should analyze readily available data from public sources and also use predictive analytics, prescriptive analytics, or autonomous statistics. These approaches go beyond what and why something is happening to address what will happen next.
Have the organization’s current capabilities been analyzed formally? An organization’s ability to satisfy stakeholder expectations is to some extent determined by the capabilities (technological or marketing, for example) of the organization. If the capabilities are sufficient, the challenge is how to deploy them to best satisfy expectations. If the organization does not have the right mix or sufficient capabilities, the strategy will need to include steps to expand and develop internal capabilities or to purchase the required capabilities from elsewhere. How will this support or hinder work to satisfy stakeholder expectations?
Is a strengths, weaknesses, opportunities, and threats (SWOT) examination an appropriate summary of key analytical findings? Internal auditors should assess whether the identified strengths and weaknesses are supported by an objective measurement or assessment, and whether the identified opportunities and threats are related to external factors — such as events from the broader environment or industry.
Question 3: Has Strategy Development Followed Best Practices?
First, strategy development involves clearly articulating the organization’s final destination (vision) at some future date. Internal auditors should assess whether the organization’s vision statement addresses owner/key stakeholder expectations, is achievable and measurable, and focuses on what the organization needs to achieve vs. what it needs to do.
Second, internal auditors should check whether the strategy reflects a business case, the logical causality between strategic activities and strategic outcomes (goals). Best practice strategies include cause-effect connections (strategic linkage models) outlining causality between strategic activities, themselves, and between strategic activities and strategic goals. They also should check whether strategic goals include financial and nonfinancial goals related to the activities the organization will need to implement the changes required by the chosen strategy. This includes short-term outcomes that the organization can track to confirm the actions taken are working as expected. In addition, auditors should assess whether clear, long-term strategic goals are quantified and associated with a specific time frame. Long-term goals help the organization pick and set targets for the amount of activity that needs to be delivered and the time frame for realizing required outcomes.
Third, internal auditors should assess the documentation of strategic activities. This should include at least:
- The owner or person responsible for effective completion of a strategic activity.
- Tasks to be completed.
- Timeline of activity.
- Financial and other resources.
- How to mitigate the main risks.
Finally, internal auditors should check whether managers have ensured strategic alignment or the cascading of a designated strategy throughout the organization. Cascading is the process by which the ultimate goals are broken down into individual departmental activities, allowing for a more engaged and accountable workforce. Internal auditors should assess the responsibilities and ownership of execution plans at lower levels for implementation decisions.
Question 4: Is Strategy Being Implemented?
The last part of a strategy audit is implementation. Empirical research shows that strategy implementation remains elusive regarding effectiveness, with a reported fail rate of 50 percent to 90 percent. Internal auditors should be alert to the main causes of strategy implementation failure.
Communication Effective communication plays a critical role in aligning the whole organization with the strategy and giving employees an understanding of the pace of change that will be required. Internal auditors should: 1) identify communication channels that senior management is using to support strategy execution; 2) assess the appropriateness of communication channels from the perspective of frequency and reach; and 3) check whether any guidelines or a strategy execution model exists. Internal auditors can use a modified approach to COSO’s updated ERM framework to evaluate the strategy communication process.
Performance measurement and control Strategic performance measurement systems support adequate information sharing among individuals or the business units responsible for strategy execution. Internal auditors should identify whether strategic activities and goals have at least one performance indicator and target values (milestones) to keep track of what has been achieved. Then, auditors should assess the appropriateness of key performance indicators to make sure they are measurable, relevant, and informative.
Review meetings Organizations often lack senior management support in strategy execution. To encourage participation and support, senior management should set up and manage the review meetings. Internal auditors should check the frequency of the meetings, assess whether any controls have been put in place to ensure implementation actions are carried out, and evaluate whether any actions have been modified to ensure strategic goals are reached.
Stakeholders — who can directly or indirectly influence the organization’s ability to operate — comprise a mix of interested parties, including financial owners, regulatory bodies, and communities impacted by the organization’s activities. A critical responsibility of senior management is to balance the potentially conflicting interests of these stakeholder groups and direct the organization to maximize the extent to which these interests are satisfied. Organizational strategies document the plan to modify and adapt the performance of the organization in light of these stakeholder expectations. The role of internal audit is not to validate or contest the content of the strategy — which is the responsibility of senior management — but to reassure the senior team that its approach to strategy development and implementation is appropriate and well-controlled.