Strategic obsolescence is a very real threat. Take the high street. Amazon steadily chipped away at physical retail for years, before the advent of smartphones gave shoppers the ability to buy anywhere, at any time and at the lowest prices. This alone was already weakening the proposition of undifferentiated retailers. Then along came the pandemic and made matters even worse, especially for those with poor digital customer channels.
Many established business models across sectors are rapidly losing relevance, and they need to pivot strategically to recapture growth. John Lewis is one of many companies that is branching into uncharted territory. In a fundamental departure from its roots, the co-operative last year decided to become a residential landlord, with plans to build 10,000 rental homes above or beside Waitrose supermarkets around the UK as part of a strategy to bring profits to £400m within five years. In addition, John Lewis (alongside furniture retailers DFS and Sofology) is embracing the “circular economy” by partnering with the peer-to-peer rental marketplace startup Fat Llama. Instead of buying a sofa or kitchen table, shoppers can now have items delivered and rent them for as long as they’re required.
Meanwhile, clothing retailer H&M has launched Resell, a digital platform for the resale of its clothes and other fashion brands are also encouraging shoppers to return used clothes to be resold. Vehicle manufacturers know that carbon commitments are changing the market for petrol, so carmaker Jaguar announced earlier this year that all of its vehicles will be electric by 2025. The list goes on.
The basic premise behind all these rapid foundational transitions is to make businesses more strategically relevant and future-proof them to meet the evolving needs of consumers. Such change creates its own risks, while lack of change may destroy the business’s long-term viability – so where does internal audit fit into this equation?
Traditionally, internal audit focused largely on the technical issues of controls and processes. More recently, however, it has become important for internal auditors to be more strategically minded – they must look more broadly at the external environment and emerging risks, not only flagging up declining markets, but also opportunities for growth. This is a more interesting, but also a more challenging role, asking more of internal auditors and of chief audit executives (CAEs). Done well, it creates far greater value for the business, but requires the CAE to have a high-level profile and a voice that is heard at the top levels of management.
Julie Gooderham, director of audit and risk at John Lewis Partnership, believes that internal audit’s ability to carry out this role depends on how the three lines are established in the organisation and the position of the CAE at the senior table, in terms of trust and access to information. In her case, she oversees both the third and second lines, the latter being very much responsible for challenging the possible impact of strategic decisions on the business from a risk perspective.
“If there was interest at the executive and senior management level to move in a new strategic direction, the second line risk team would challenge them to understand the risks of going down that route and ensure that all aspects of the business are taken into account in thinking about potential risk. For example, that might include the impact on customers, partners and on achieving our ethics, sustainability and wider business purpose,” she says.
“The risk team would generally be involved much earlier than internal audit, helping with the development of senior management’s thinking and why they might move in certain ways,” she adds. “However, if there is high risk change at pace, as we see in the current environment, internal audit may be independently involved in testing management’s operational thinking as it develops detailed plans and communications on change, for example. But early on in strategic thinking I wouldn’t necessarily expect management to have planned for, or really understand, every impact on the control environment.”
At John Lewis Partnership, the second line would also begin to push decision-makers to extract the next layer of detail on risks and opportunities and mitigation planning, Gooderham adds. This helps to join the dots across the business using the risk function’s knowledge of the wider Partnership, how the change will be achieved, what risks need to be mitigated and what the business can learn from past experience.
“The risk team would be asking things like: Have you considered the impact on sustainability plans? Are you confident that you have the right capabilities to manage this type of contract and deliver the service at the pace and quality required? Is it a new market? What is the information security and data management risk? What regulations need to be considered? Have you thought about X or Y?” Gooderham says.
Internal audit tends to come in once a decision on direction and accountability has been made. “Internal audit is best placed internally, because it knows how the business works at a level of detail. It focuses independent challenge on the quality of plans, capability in its broadest sense, controls and mitigations,” she explains. “If some of the objectives were to put new capabilities in the business, I’d want internal audit to understand whether the business has those capabilities and the route to build them. It knows what good looks like, in terms of both operations and the softer stuff.”
At a more tangible level, she says that she’d expect internal audit to review aspects such as risk registers and the clarity of mitigation plans. “They would need to talk to project teams to understand the operational and contractual arrangements in place if we’re moving into a new venture, all of the elements around customer service management, compliance and data. Internal audit needs to kick the tyres and get into the nitty gritty of the efficiency and effectiveness of the control environment.”
Meanwhile, in a very different sector, executives at music streaming provider Spotify made a strategic decision to move into proprietary content. They decided that offering music also available on other streaming platforms is not sufficiently differentiated, whereas exclusively hosting the world’s most listened-to podcast – the Joe Rogan Experience – among a library of other “pods”, attracts an audience for advertisers and converts new subscribers.
Kenneth Chen, vice-president of finance strategy, operations and risk at Spotify, who was formerly the company’s CAE, says that the idea to move into podcasts was part of company strategy long before the pandemic and had nothing to do with internal audit raising its hand. However, the third line has been deeply involved with the change.
“Internal audit’s role in the grand scheme of things was to ensure that, once these strategic decisions were made, the business didn’t execute them without regard for the risks, and that we were able to provide a point of view on where the execution risk is. Where could we take a wrong turn that might mean the return on investment takes longer, or that we make some serious mistakes that could pull us back? We’re a big part of those conversations,” he says.
As an objective function, internal audit doesn’t need to clamour for a seat at the table at every turn, Chen adds, but it can be a helpful business partner by providing input once decisions have been solidified, and teams are established with responsibility and accountability for the strategic change.
“In a company like ours, ideas are constantly being floated. Teams experiment, test things and throw ideas at the wall to see what sticks. You want to give them space to experiment and figure out what’s the right product mix that fits with our customers and creators,” he says. “If you don’t give them room and are constantly reminding them of all the downsides, it’s suffocating and they’re not going to want to talk to you.”
However, once teams embark on their multi-year journey of executing the strategy, internal audit can come in and give its opinion, evaluating, for example, whether the business has the operational muscle to support the roll-out of the new business model, or the teams and infrastructure to address new risks that arise as a result.
“Podcasts introduce an interesting set of new challenges. They are spoken word, a lot of new episodes come in every day and there are guests on these shows. They open a whole new realm of risks that we didn’t have to deal with when it was just recorded music,” Chen reflects. “And we need to assess the risks from a different vantage point and work together with the teams as they implement different processes and systems to support our podcast strategy.”
In these two examples, internal audit didn’t highlight the commercial opportunities that the businesses have taken up, they came in to check that everything was in place to support the change process once decisions had been taken. But there is also scope for CAEs to flag up whether the business is making adequate efforts to adapt to changes in the external world, says Amy Brachio, EY’s global business consulting leader.
“The pandemic was a wake-up call. It really accelerated the sense of threat, particularly for businesses in sectors that hadn’t been evolving. This has caused boards of directors to ask whether enough is being done to understand existential threats to their organisations, and whether they are sufficiently future-proofing themselves,” she says. “But for internal audit to serve in that role, it has to be viewed as strategic by the organisation. It has to have a seat at the table and you need a CAE with the appropriate business acumen.”
This may be outside some CAEs’ comfort zones. A central question is how do you begin to determine whether strategic or future operational risks are being appropriately analysed by the business when, by their nature, they are hard to quantify? What’s the benchmark?
“It does get trickier than when you are auditing against a compliance standard. But what it gets to is a clarity of understanding of the strategy and then asking what steps are being taken to understand the risks to that strategy,” Brachio says. “Access to external data can be really helpful. That can come in the form of benchmarking data or macroeconomic and sector trends. Internal audit can highlight that it’s seeing these risks and that organisations within the same sector are having significant issues as a result of not adapting fast enough or adopting certain technologies.”
The CAE needs to collate these insights and have a seat at the table when strategic decisions are being weighed up, so they can use them to challenge senior management. That requires confidence and an acceptance that the concerns they raise may not always be well received, says Janet Barberis, managing director in Protiviti UK’s internal audit and financial advisory group.
“CAEs need to understand the industry and the business and use that commercial knowledge to call out the elephant in the room. You might not be popular as a result, but it’s necessary as it’s part of the value creation to the organisation,” she says. “As internal auditors, we always like to have the evidence behind us to back up everything that we do and having that will add weight to your challenge. However, you might not always be in a position to show that evidence and sometimes it’s really about using your own judgment.”
Don’t assume that everyone sees the same information. The broad view that internal audit has across an organisation may mean that the CAE can deliver insights that are not obvious to management, and which may help them to make better strategic or fundamental operational decisions.
“We’re in a unique position to compare and contrast data that individual business units may not be able to, or think to, assimilate,” says Sam Cornish, a director at Protiviti UK. “Internal audit is almost a broker in that way. It could be unpopular, because you might tell the business things they don’t know and haven’t considered. But that can really help with decision-making and it’s something we’re seeing more and more departments wanting to do and being able to do, especially over the past two years with the challenges that companies have faced.”
The world is changing faster than ever and more and more companies in all sectors are making existential decisions about their futures. The unique insights of a strong internal audit team could make all the difference.
This article was published in November 2021.