Strategy-related auditing

The word ‘strategy’ can nowadays be found in almost every internal audit activity plan. But what does it actually mean? There are many different manners in which organizations and internal audit functions deal with organizational strategy. This discussion paper ‘Strategy-related auditing’ explores the role of Internal

Audit Functions (IAFs) in the strategic management process of an organization. It is based on documentation and desk research, a questionnaire-based survey amongst Chief Audit Executives (CAEs), personal interviews with CAEs and board members (both executive and non-executive), and several round table discussions with CAEs (in charge of both large and small IAFs).

The objective of this research was to assess the degree to which IAFs are currently considering organizational strategy and the organization’s strategic management process in their audit assignments and annual audit plans. Based on this discussion paper we encourage the profession to further explore the topic and for the Institute of Internal Auditors to provide more guidance.

Our exploratory research reveals that there is a wide variety in how IAFs deal with strategic risks and organizational strategy. We found nine appearances of strategy-related auditing during our research. These can be divided into two distinct categories: strategic risk audits and strategy process audits. Strategic risk audits focus on risks that are the result of pursuing certain strategically important organizational goals. Strategy process audits, on the other hand, assess formulation, implementation, evaluation and control of the strategic management process or (the content of) the formulated strategy itself. Four out of nine identified appearances we categorize as strategic risk audits, five we categorize as strategy process audits.