News & Blogs

Beyond Compliance: Auditing for Strategic Impact and Enterprise Objectives

Global · · normanmarks.wordpress.com

Internal audit's focus remains heavily operational, with only 5% of auditors prioritizing strategic issues. This article argues for a shift from mere compliance to auditing what truly matters: the significant risks to achieving enterprise objectives. Internal auditors should assess whether policies and practices are not just followed, but are also effective and aligned with the organization's strategic goals, ultimately framing findings in terms of their strategic consequences.


The Strategic Gap in Internal Audit

A recent poll among 284 internal auditors revealed a striking statistic: only 5% primarily focus their work on strategic issues. This finding, highlighted by Navin Pasricha, underscores a significant tension within the profession. While the most impactful risks to an organization often stem from strategic decisions concerning markets, technology, investments, or business models, internal audit efforts predominantly concentrate on operational assurance. This disparity suggests a need for internal audit to elevate its perspective and align its activities more closely with the overarching strategic direction of the enterprise.

Auditing What Truly Matters

The core argument presented is that internal audit should shift its focus from simply verifying compliance to assessing what truly matters for the organization's success. This means moving beyond whether purchasing approvals are correctly authorized to questioning if purchasing patterns support the company's stated strategy. Similarly, an audit of inventory should not just confirm compliance with existing controls but also evaluate if inventory levels align with strategic objectives, such as reducing holdings. The author emphasizes that the starting point for any audit should be the potential for significant enterprise or strategic risk if controls are inadequate, allowing for a more focused and impactful audit scope.

Framing Findings with Strategic Consequences

To bridge the gap between operational assurance and strategic impact, internal auditors are encouraged to frame their findings in terms of their strategic consequences. This involves understanding the objectives of the CEO, board, and leadership, and then building an audit plan that addresses the most significant risks to those objectives. The audit scope should be limited to controls critical for managing these risks, and the assessment should extend beyond mere compliance to evaluate the appropriateness and effectiveness of policies, standards, and procedures. By connecting control issues to their potential effect on enterprise objectives, internal audit can foster a more strategic dialogue and demonstrate its value in safeguarding the organization's future.

  • Understand leadership's objectives and what constitutes success.
  • Develop and maintain a continuously updated, risk-based audit plan focused on significant risks to objectives.
  • Scope audits to include only controls essential for managing those significant risks.
  • Assess not just compliance, but also the suitability of policies, standards, and procedures.
  • Evaluate control issues based on their potential impact on enterprise objectives and strategic consequences.

Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →