Diligent One Platform World tour ad April 2024 TeamMate ESG advertising banner 2023

Heads of Internal Audit Virtual Forum

10 May 2023

Please note:

  • All Institute responses are boxed and highlighted in blue
  • Where the chair comments in that capacity, the box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

 

Chair opening comments | Derek Jamieson | Regional Director, Chartered IIA UK and Ireland

A warm welcome to those of you who are attending the forum for the first time today. I am sure today’s session has relevance for all of you, particularly given the uncertainty in the environment we all work and the challenges this places on the strategic planning process.  

Today’s forum is an informal conversation between Liz Sandwith, Chief Professional Practices Adviser, Chartered IIA and I, with audience participation.

Results of poll questions

Is an audit of your organisation’s strategy on the internal audit plan?

Yes

36%

No

64%

 

Is an audit of the management information that informs strategic decision making on your audit plan?

Yes

48%

No

52%

 

Has the 3 Lines Model been embedded in your organisation?

Yes

79%

No

21%

 

 

Comments on Polls

  • The key for us is source of thinking and assumptions. These can be checked and challenged.
  • We often review the processes and the information to form strategy but we are always clear that IA is not there to question the policy/strategy decision only to ensure that the decision-making processes to make those decisions is sound. We also review the risks.
  • Governance also key - how is the planning orchestrated - where do the rules emanate from and where is governance, sign off and challenge and who joins the dots.
  • We would look at the strategic planning framework/governance and the quality of the data/information used in the process.
  • There is also a place for benchmarking. Some comparable data is available.
  • Same as above - including looking at corporate strategy measures of success - how does the organisation know if it is then securing the outcomes it has planned for.
  • We want to drive 3 lines forward but are always hampered by many of the 2nd Line processes seeing themselves as reporting functions rather than assurance functions.

 

Key Takeaways

DJ

I used to attend the Strategic Planning Society events in Scotland and one event stood out for me.

The event was asking whether there was still a role for Strategic Planning in such a volatile world where the pace of change was so great. The discussion went on to conclude that it was potentially more about upgrading the strategic planning process than discontinuing it. A key conclusion that evening was that the activities and processes supporting Strategic Planning were key to the organisation and should be reviewed on a regular basis. Without it there was an inevitability that the organisation would ultimately fail. This was circa 1995.

Interestingly, at this same time most IA functions would have seen an audit of strategy to be beyond their scope. 

Our conversation today will pick up on the importance of strategy, both for the organisation and the IA function, consider how we are currently addressing it; the assurance we are providing and how we may optimise the value we derive for our organisations. 

Conversation will cover:

  • Reflection on the role of IA and making the link to strategy as logical and appropriate.
  • A reminder as to why strategy and strategic change is critical.
  • A reflection on our volatile world, the impact on strategies and strategic change agendas. Change as a constant and the changing profile of risks facing those responsible for planning and delivering strategic change.  
  • Setting the scene on the discussion and breaking it into three parts:
    • What are the changes to the risk profile e.g., volatility impacting longer term planning, underlying assumptions, confidence and decision making. When and how do we engage to understand, challenge and plan any formal assurance work?
    • When and how do we engage to provide that assurance
    • What have we actually seen, are there changes visible in the planning and delivery of strategic change, how have the risks changed and is there an impact on culture?

Was audit interested in the subject of strategic planning 20 years ago?

LS

Twenty years ago auditing the organisations strategy was rarely on internal audit plans. Today more than ever though it should be on our plan, because we now talk a lot about organisations achieving their strategic goals and objectives. We talk about the risks that will prevent it achieving its strategic goals and objectives, and internal audit is very involved in looking at risk, managing risk and putting actions in place to mitigate risk. But I am not sure how many internal audit functions would have an audit of the organisation’s strategy on their internal audit plan.

Internal auditors in the past have got engaged in auditing strategy, could you share any stories around this?

LS

A HIA appeared at an audit committee and the audit committee went through their report. The HIA then began to talk about the purpose, the mission and the objectives and the strategy of the organisation and that they believed all of these were pulling against each other. So unless you look at how the strategy is going to deliver your mission and purpose, then you are not going to deliver what you are promising your customers. The audit committee’s response to the HIA was this is not a matter for internal audit to be getting involved with. They then spent some time further explaining their thinking which caused the audit committee to have to re-think their position about internal audits involvement.

DJ

Internal audit can add a lot of value by joining the dots and by making some very basic observations for challenge purposes, but this can take a level of courage.

Do you normally hear from members that they are connecting the audit plan to the strategy, maybe not auditing strategy per se but connecting to the strategy?

LS

In my role as chair of an audit and risk committee I don’t see that, and I don’t hear it when I talk to internal audit colleagues. I hear them talk about the internal audit strategy, the strategic plan, and being aware of their organisations strategy and where it wants to go, but sometimes there is confusion as to why there is linkage between the two. For example I have heard CAE’s talk about ‘we need to be using data analytics more, so when we build our (internal audit) strategic plan we think where we are now and where we want to get to. That will include things like strengthening our data analytics use’ for example. But not saying, actually our organisation is not very good with digitisation, its data is perhaps on legacy systems, and therefore the two don’t align; rather than perhaps saying their strategic plan is very much around achieving objectives to grow the business, maybe to diversify into new markets – and then internal audits plan aligns to that.

The strategy of the internal audit function and aligning that to the business to ensure that we are focussing our efforts appropriately – how have you seen that coming about over the last couple of years?

LS

It has improved significantly. When I was a HIA previously we were aware that we needed to be clear where internal audit was going. You need to be planning, thinking about your teams’ skills, what’s coming down the track, what are the new risks that you need to be looking at and making sure you have the skillset within the internal audit function to provide the assurance the organisation is looking for. We had started to think about the internal audits strategy and what we were planning on doing, and how we aligned better with what the organisation was. But as an attendee said is it about whether internal audit is there to question the policy or the strategic decisions. I think this has sometimes put internal auditors off looking too closely at the organisations strategy in case they are challenged about it not being their place to do so. We must challenge the process that went into developing the strategy and not per se the strategy.

How often do you link back to strategy, consider the impact and if appropriate put some commentary into the report and try and push that point forward?

LS

One of our attendees has talked about looking at the strategic planning framework, governance and the quality of the data information used.

Attendee

We try to make sure we have a good handle on strategic planning and how that’s developed and informed and how the board assurance framework hangs off that, so we can get our planning right. Some of this work is done in a cyclical way. In a large organisation it could be very difficult to unpick a full strategy, so year by year we look at elements of it. We are increasingly using data analytics to help with this. We do not tend to link audits back to the strategy though. Our whole team has recently completed root cause analysis training.

Do you link internal audit planning back to the strategy either in the planning or in the execution phase?

Attendee

We try to align some of the big-ticket items to some of the big strategic priorities and the risks from that.

DJ

Internal audit shouldn’t cover something nobody else is covering. Internal audit is providing assurance on top of everybody else’s work.

LS

There is an opportunity to look more to our second line colleagues to help with some of the assurance in areas that previously internal audit would have done work in, as this would enable us, with limited resources, to focus more on strategic work.

View from the Institute

There are two clear elements to strategy: its creation and its execution. Internal audit should provide assurance across both, although it often restricts itself solely to execution; the projects and processes that are familiar territory.

Strategic decisions, the creation of a strategy, set the direction for the organisation, its goals, objectives and business model. If something goes wrong at this level, it permeates through everything, just like culture and the widely acknowledged importance of the ‘tone from the top’.

All strategy is based on a decision and that decision, regardless of whether it is made by an individual or a collective, can and should be subject to assurance for the protection of all stakeholders.

 

Chair closing comments

Our next advertised session on 7 June has been cancelled and will be replaced by a session on 14 June from 15.00-16.00 with the FRC speaking to us. One of the aspirations for the Chartered IIA is to get closer to the regulators and this session should go some way to demonstrating that.

Dates for your diary 

  • 31 May | LA Forum | Integrated Risk Management
  • 14 June | HIA Forum | FRC Corporate Governance Code
  • 21 June | LA Forum |Trusted Advisor – what is the cost of compliance?
  • 3-4 October | Internal Audit Annual Conference – London/virtual | register here

Chat comments including Q&A

Comment | We looked at the first element of the Corporate Governance code: Guidance on Board Effectiveness. Emphasis on the Model i.e. purpose, strategy and behaviours and how well it was known and lived in the organisation.

Comment | Strategic implications - yes, without over-reaching - in individual engagement reports and reports to management risk committee and audit committee.

Comment | We often review the processes and the information to form strategy, but we are always clear that IA is not there to question the policy/strategy decision only to ensure that the decision-making processes to make those decisions is sound. We also review the risks.

Comment | Adding to what Liz was saying, can we say that if internal audit or for that matter any senior manager sees something which is not correct or an issue in the strategic plan, can they not highlight or communicate it to the required people. Isn’t that what needs to be done as responsible managers - and take it as an argument to put it across

Comment | ERM is inexorable linked to Strategy and informs the annual ANA. That said IA reports and the risks associated with an observation are not currently tied back- it’s a good point and we will look at this area.

Comment | My Accountable Officer insists on any audit piece tying back to one or more priorities in our Corporate Strategy. It’s been a great discipline that she has instilled.

Comment | There are multiple layers here - how the organisation sets and communicates its strategy, how business units align their operations to deliver strategy, and the major changes that are needed to enable delivery of strategic goals.

Comment | When we prepare engagement briefs, we communicate which part (Corporate Priority) of our organisational strategy it links to. 

Comment | We have relegated a number of audit areas to the list that we are unlikely to ever review as they are not really strategically important and even if they fail would be unlikely cause the organisation to fail or be subject to significant criticism.

Question on comment | Out of interest, who is providing assurance in these areas - 2nd line?

Response | 1st line if anything on most of the areas. Some occasional 2nd line assurance but they are often functions we deliver because we have to. We are unusual that we have some statutory functions that we deliver which do not directly link to our key strategy and direction.

Comment | Just picking up on another contributors point, both organisations I cover have a strategic objective about being an efficient/effective/well run organisation this means that the things like payroll and finance are linked to strategy. 

Comment | Shouldn't looking at strategic risks be a constant process being directly linked to risk management

Comment | We often have the Radio 4 moments from ARC members - it’s what they hear on the radio that morning and then there is an immediate "we must look at that" without the assessment of our risk levels. 

Comment | It can be greatly influenced by the board dynamic and relations between the chairperson and the chair of the audit committee, who can connect CEO and CAE