Challenges in Internal Audit Strategy Implementation

Only about 5 percent of internal auditors say their work mainly focuses on strategic issues. That was the response when I asked 284 internal auditors this question during a session hosted by the Institute of Internal Auditors Singapore last week. The poll asked where internal audit work mainly concentrates. Only 5 percent selected the strategic option. The result exposes a tension within the profession. The risks with the greatest potential impact on an organisation often arise from strategic decisions about markets, technology, investments, or business models. Yet internal audit effort still tends to concentrate heavily on operational assurance. The questions that followed the poll were revealing. • How do we persuade management that strategic auditing is worthwhile? • How do we convince the audit committee to allow internal audit to examine strategic assumptions? • What happens when the audit committee itself is still developing confidence in areas such as strategy or technology risk? These questions point to something important. The barrier to strategic auditing is seldom technical capability. Most auditors can learn the necessary techniques. The more common barrier is expectation. If internal audit is expected primarily to provide operational assurance, strategic issues will rarely find their way into the audit plan. In practice the shift toward strategic insight often begins in a much simpler way. Operational audits can become strategically valuable when auditors deliberately ask one level higher question. An audit may confirm, for example, that purchasing approvals are properly authorised and that procedures are being followed. A strategic perspective asks something different. Do the purchasing patterns themselves support the company’s stated strategy? In one retail engagement we examined inventory and buying. Controls were operating properly and approvals were consistently authorised. Yet buying decisions continued to support roughly twelve days of inventory worldwide, even though the company’s strategy aimed to reduce holdings to ten days. Operationally everything was compliant. Strategically the organisation was drifting away from its objective. By connecting operational findings with their strategic implications, internal audit can help management and the audit committee see how everyday decisions shape long-term direction. In that sense the 5 percent figure may even understate what is already happening. Many auditors already contribute strategic insight through the quality of the questions they ask, even when the work itself is labelled operational. What is sometimes missing is recognising that those observations carry strategic meaning. When operational findings are framed in terms of their strategic consequences, the conversation gradually changes from operational assurance alone to include strategy.

Building an Internal Audit function from scratch teaches you something quickly. The hardest part is not hiring the team. It is convincing people the function actually matters. Early on you hear things like: “Do you actually understand how the business works?” “We’re trying to grow the business and audit is getting in the way.” “We run a tight ship. There are no problems here.” You mention controls and see a few head shakes. You talk about risks and someone visibly rolls their eyes. Sometimes it is even quieter than that. - Meetings declined. - Emails unanswered. If you are in audit long enough you realise something. People often see you as the person sent to find mistakes not help the business succeed. What changed things for me was not pushing harder. It was changing the approach: - Listen first – understand what the business actually worries about. - Keep it simple – strong controls support growth they do not block it. - Focus on value – helping spot risks early before they turn into big problems. Over time the perception shifts. Good internal audit is not about catching people out. It is about helping organisations move forward with fewer surprises. Curious how others have built trust in Internal Audit? #InternalAudit #RiskManagement #Leadership

Recently, we declined an internal audit engagement after doing it for a good period. The reason was very simple. Effectiveness of an Internal Audit: The issues we were highlighting was not addressed even after multiple meetings making the entire internal audit activity not yielding the intended results to the client and also leading to less work satisfaction to us. From my experience of working on internal audits for the past 11 years, I have observed how the effectiveness of an internal audit(IA) can change with so many factors. A few important factors are: 1. Internal Audit Charter: The internal audit charter is the power given to the internal audit function. It is the way the Board empowers the internal audit function. In many listed companies or companies having independent directors, the internal audit function is properly empowered, and the IA usually has a place even in the board meetings. Unless internal audit is given the right authority and enabled with resources and tools and the findings are properly reviewed, IA effectiveness will decline over time. 2. Tone at the Top: The tone at the top represents the mindset of the Board, Promoters, Senior management who are the decision makers in any organization. Unless, the people at the top are conscious about building an organization with the right controls, mitigate all known risks and build a culture which supports this, effectiveness of IA cannot be ensured. If there is a management override of controls every time, we know that the tone at the top is not strong enough to ensure effectiveness of IA. 3. Resistance to change: The biggest hinderance in ensuring that the suggestions by IA is taken care of is the mindset of resistance to any new change that is proposed. Change management is often a challenge. To ensure that this challenge does not affect the effectiveness of IA, it is important to build a culture of controls and systems and also counsel the staff that building effective controls can only aid him/her in discharging duties and taking them into confidence. 4. Ineffective Monitoring systems: We give an Internal audit report. What next? Majority of the organizations face issue with building a good monitoring system. In most of our audits, we give a follow-up audit report and give a compliance report of the past issues. If the same is not followed up with a proper timeline and personnel responsible for ensuring action, the issue persists. For the IA to focus on bigger things, the past issues must be properly addressed without which the focus will go back to them. We must know that IA is a collaborative activity and the client and the auditors will have to work together in bringing out the effectiveness. Working on these aspects pointed out above can increase the effectiveness of the internal audit leading to better results. What is your take on this? #charteredaccountant #ca #internalaudit #founder #financemanager #cfo

🎯 Auditing the Risk Management Process: From Compliance Check to Strategic Resilience In today’s volatile business environment, effective Enterprise Risk Management (ERM) is no longer a compliance burden—it's a strategic competitive advantage. A deep dive into the principles of auditing the Risk Management Process highlights a fundamental shift in the role of Internal Audit. We must move beyond traditional control reviews to assess how effectively the organisation identifies, manages, and mitigates risk. Six Strategic Shifts for Internal Audit Leaders: 🔗 Integration over Isolation: Risk management must be embedded into strategy, budgeting, and daily decision-making—not treated as a standalone checklist or annual exercise. ⚖️ The Three Lines in Action: Internal Audit (the Third Line) must independently evaluate the design and effectiveness of the First (Management) and Second (Risk/Compliance) lines, ensuring accountability and balance across the entire system. 🧠 Risk Appetite & Culture: Auditing the risk culture—how employees perceive and act toward risk—is as critical as testing policies. Ensure the 'tone at the top' aligns with behaviour at all levels. ⚡ Dynamic Risk Assessment: Move beyond static reviews. Utilise continuous, data-driven assessments, predictive analytics, dashboards, and scenario planning to enhance responsiveness and foresight. 📈 Assurance on ERM Value: Evaluate whether the risk framework (governance, ownership, and escalation) actually enables timely decision-making and adds value, rather than just documenting potential issues. 🛡️ From Detection to Prevention: The auditor's role is evolving: from detecting control failures to helping the organisation anticipate and prevent risk exposure through strong monitoring and risk intelligence systems. ✅ In summary: A mature internal audit function today must audit not only "what went wrong," but also "how we prepare for what could go wrong." Auditing the risk management process is about ensuring resilience, agility, and strategic foresight. 💡 Question for the Community: What is the single biggest hurdle your organisation faces in truly integrating risk management into strategic decision-making? #RiskManagement #InternalAudit #Governance #ERM #BusinessResilience #AuditLeadership #ContinuousImprovement