Updated: Feb 27
As we continue through our annual planning process, we reach the part where we need to consider the organisational strategy and external information. The reason for this is simply to understand where risks may exist in the business that need to be considered.
In our planning process, risk is identified at multiple stages; however, in this step we are purely focusing on the organisational strategy and background / external information.
The organisational strategy lays out the company's goals and objectives for the future. Additionally, it will spell out what actions the business is going to take in order to meet these goals. It's a critical document, and as such, it's important that Internal Audit fully understands it.
Through reviewing the strategy, we should be able to understand what some of the key activities are for the year. For our review, we should also be able to understand what activities carry the most risk. When reviewing the strategy, consider the following risk categories:
By assessing the risk attached to each activity, we can have more informed discussions with key stakeholders. We should be able to develop a 'shortlist' of key activities as per the strategy which we may want to include on our annual plan, or at a minimum, use to discuss with key stakeholders such as heads of departments and key executives.
The strategy of the business is often communicated to external shareholders and can contain a significant amount of risk, particularly if the strategy is not achieving results. It's Internal Audit's role to ensure that not only is the business achieving its objectives as per the strategy, but that it is also maintaining any regulatory compliance and that controls are still in place. Furthermore, there is an opportunity here for Internal Audit to 'add value', providing insight on where the strategy may not be meeting targets, or identifying new opportunities which could enhance the strategy.
There is a range of publicly available information which can help you when thinking about what risks may be applicable to your organisation. It's important to consider not only what risks are relevant now, but also any emerging or future risks.
We have previously written about the risks identified by groups such as the Chartered Institute of Internal Auditors, the Big 4 and knowledge leadership groups such as Gartner (you can read the whole article here). Guides like these are a huge help when thinking about what risks may be applicable to your organisation. Again, these takeaways can be used in discussions with key stakeholders and execs as we progress through the planning process.
Overall, it's important to understand the organisational strategy and consider what external information is available which may identify any current or future risks, as all of this information will help ensure you have more meaningful discussions with key stakeholders. This will also go a long way to ensure we have satisfactorily developed a risk-based plan which also has the opportunity to provide value for the business.
The purpose of this template is to help guide team members in understanding applicable risks. It should be known that this template is only a guide. There are many different sources of information and many ways to document the work performed. The audit team should do what is best and most applicable to their organisation.
To gain a copy of the Organisation Strategy and External Information template, simply CLICK HERE to download.