Strategic risks are those that pose an existential risk to companies and, while they account for 86% of market share declines, they don’t always get the attention they deserve in audit plans. Most audit departments spend the majority of their time focused on operational, Sarbanes-Oxley-related, financial, and IT audits.
All these areas are certainly important, but it will behove all internal audit teams to incorporate their company’s strategic objectives into their audit plan and find ways to check whether the company is on track or not. There are three frameworks audit teams can use to do so.
Bottom-up method: One of the best ways to ensure an audit plan accounts for corporate strategic priorities is to gather data, information, and insight from colleagues around the business so as to identify the business unit-level processes with the biggest impact on corporate objectives.
The audit team at one insurer that CEB, now Gartner, worked with said they made enterprise-level goals the foundation of their annual risk assessment, and then talked to business partners to isolate the strategic processes that should be carefully scrutinized before building out the audit plan (see chart 1).
Chart 1: Making enterprise-level goals the foundation of a risk assessment. Source: CEB analysis.
Note: Company name redacted.
Top-down method: Corporate strategic objectives are also the starting point here. The audit team at another insurance firm working with CEB, now Gartner, decided to make enterprise-wide drivers of strategic value the primary input when it created a new risk assessment and audit planning process.
In this case, Audit chose to begin its analysis by identifying strategies that would increase shareholder value. The function evaluated processes based on how they supported that specific end. The team grouped potential audit projects into strategic themes and aligned the initiatives to enterprise risks (see chart 2).
Senior audit managers were required to state the rationale and strategic link for all proposed audits. All potential engagements were filtered through the value driver analysis for final selection for the audit plan. As a result, the focus of audit engagements throughout the year was on the processes creating the most value to the company.
Chart 2: Grouping audit projects into strategic themes and aligning to enterprise risks. Source: CEB analysis.
The hybrid method: Some audit teams find that a mixture of both bottom-up and top-down inputs will work the best for their company. The audit team at a financial services company used a blended approach. The team made sure they accounted for company objectives and the strategic plan, and also relied on management interviews to find information that the audit team might otherwise miss (see chart 3).
At a high level, Audit verified whether or not enterprise objectives were likely to be met based on business-level strategic plans and project proposals. To drill down further, Audit asked detailed questions during management interviews about specific business-level initiatives to understand business unit strategies. The resulting risk assessment included a weighty section related to enterprise- and business-level strategies.
Consequently, the department’s audit plan was built on an understanding of business-level priorities within the context of broader organizational goals.
Chart 3: Accounting for company objectives and the strategic plan. Source: CEB analysis.