Strategic audit is one of the most troubling areas of audit. It is just difficult. The difficult thing about it is that most client organisations are not risk or strategy mature. As such it is really difficult to identify strategic risks.
But what is a strategic risk? Ostensibly it’s simple. A strategic risk is one that flows from strategic objectives: it is uncertainty over the achievement of a strategic objective. Most organisations, if they have any strategic objectives articulated, have very high-level, esoteric objectives. These, I have found, are quite hard to audit. To audit something, you need to have a sense of the complex set of coherent actions that deliver on the strategic objective: the roots.
So I tend to think of strategic risks as roots on a tree, where the strategy is the tree trunk, supported by a complex web of interactions, activities and challenges reaching far and wide from the original objective. In my experience, very few strategies are clear about the coherent set of actions that support them, because people confuse strategy with simplicity and brevity. Senior executives, who normally get promoted on the basis of being clever, capable, complex, and really understanding the business, seem, once at the top, to require single-side traffic-light diagrams. Sure, I appreciate they have limited time, but that does not make the organisation’s strategic challenge any simpler. So why should auditing it be any simpler?
The other interesting challenge for strategic audit, other than identifying the roots (or routes) of the strategy, is the distinction between a strategy’s roots and the tactical frameworks of control. In other words, it is the difference between top down (strategy) and sideways in (thematic frameworks of control).
Some are obvious. Financial approvals and delegated financial approvals are a framework of control. Some strategies are obvious too: for example, if an organisation is trying to improve its IT systems, a programme of coherent IT change projects could be strategic. But what about piecemeal IT change, such as the change of an HR system or a ledger system? This does not really feel strategic, nor is it a tactical framework of control.
The reason why all of this matters is the risk significance of the area under review. When internal audit seeks to provide assurance over the key things, the strategic things, it matters whether something is connected to a ‘strategic root’ or a strategic sideways ‘runner’, or whether it is a small corporate audit.
This is all the more important where an audit function is limited in coverage and resource. If you do only a few audits a year, you want to make sure that they make sense. You must hit the ‘roots’ or at least the ‘runners’. So next time you attempt strategic audit, I think you need to have a really good grasp of the strategy, a good view of the roots of the risk, and the roots of the strategy. I contend this is difficult and challenging even for an experienced head of audit.