Strategic planning at the Swedish National Audit Office: a fresh approach
Strategic planning is a complex task with many challenges for public auditors. There are internal considerations that supreme audit institutions struggle with when it comes to strategic planning, such as organisational and resource implications. And then you have the more ‘external’ elements, such as stakeholders’ needs and expectations, against the background of wider public sector activities and a changing environment. Helena Lindberg has been Auditor General of the Swedish National Audit Office since 2017. Below she describes the strategic planning model for audit focus and operational development at the Swedish NAO.
By Helena Lindberg, Auditor General of Sweden
Far-reaching audit mandate creating strategic obligations
The Swedish NAO has a far-reaching audit mandate protected by the Swedish constitution. This guarantees that within the framework of current legislation I can decide what is to be audited, in what way the audit is to be conducted and the conclusions we can draw from it.
The far-reaching audit mandate places particular demands on our planning and follow-up of audit operations. Our audit must be relevant. We must be transparent in what we audit and why, both internally and externally. It must be possible to work effectively and appropriately.
Importance of strategic planning for supreme audit institutions
Supreme audit institutions with far-reaching audit mandates are in a special situation. To be relevant and perceived by the rest of the world as relevant, supreme audit institutions must build up a strategic planning system that is specific to the profession and which can also be explained. It is also a matter of audit transparency: the choice of audit must be perceived to be legitimate and there should be no possibility of the supreme audit institution being suspected of selecting audits on unreasonable grounds.
One example of the challenge of being relevant is the ongoing Covid-19 pandemic. It has shown how sustainable our social institutions are and how the national systems relate to the EU level and other countries. The crisis has entailed major costs and will have long-lasting economic and other consequences in society. This poses questions as to what we as a supreme audit institution should audit.
I have in mind here that as early as 2008 the Swedish NAO published a performance audit report on national preparedness for managing pandemics. At that time, the subject did not figure much in public debate. Now in retrospect, the report can be seen as highly relevant and we recognise many of its findings on preparedness in Sweden in the criticism now directed at those responsible. One conclusion from this is that the concept of relevance is not so easy to apply. It is not a given that the most relevant thing for a supreme audit institution is to be where everyone else’s focus is at the moment. Other criteria should also govern what we choose to audit. We also need to relate to other reviewing organisations in society. The Corona Commission appointed by the Swedish Government, for example, is tasked with evaluating measures to limit the spread of the disease and its effects.
Our supreme audit institution must also have a long-term and structured method to secure our skills supply and to identify and address development needs. Otherwise, there is a risk that our ability to fulfil our remit will be limited. This may involve, for example, system support or the capacity to audit IT.
Planning needs to be the backbone of the organisation’s operations and we must follow up what we do. This requires good governance and attention to quality so that ultimately our audit will have an effect. We have therefore put a lot of effort into developing a system for conducting strategic and risk analysis, for developing audit proposals and ensuring follow-up.
The Swedish NAO planning system
At the Swedish NAO we work with an annual cycle for planning all activities. Internal and external reporting of operational development issues and audit focus are part of the annual cycle. At the same time, for planning and follow-up, we keep and update a long-term, four-year, perspective (see Figure 1).
Figure 1 — Swedish NAO annual planning cycle
In the long-term plan, we formulate a four-year strategy in terms of both audit focus and the other operations. Developing the long-term plan is a joint project at the Swedish NAO, with contributions from all departments. While the long-term planning indicates the focus in the longer term, annual planning is in the form of an operational plan and an audit plan.
Identifying what the Swedish NAO is to audit
Our work is based on a model for strategic planning where I set the starting points and focus and take the decisions, drawing on our employees’ knowledge and experience. In this model, the areas on which the audit is mainly focused are determined by means of strategic and risk analysis. The areas are presented in the long-term plan and are then specified in the annual audit plan, which is also communicated, primarily to the Riksdag — the Swedish Parliament. During the year, we make recurrent in-depth efforts to identify and take a position on audit proposals. Furthermore, there must be room for flexibility.
Through our annual financial audit, we audit approximately 230 auditees, including the central government (consolidated accounts). The audit follows a standardised risk analysis model that is complemented by the joint risk analysis.
For the focus of the audit, our entire organisation contributes strategic intelligence, analysis and review of the risk areas previously identified. The ambition is that through this arrangement we not only generate ideas but also broaden understanding of and commitment to the assignment.
In the planning process, we must have a common language, a common conceptual structure and common criteria. This helps us to communicate and evaluate ideas within our organisation. This includes establishing forms for effective and regular exchange of experience between financial auditors and performance auditors. For example, financial audit findings have often generated ideas for the performance audit.
In addition, we also want to learn from the experiences of other supreme audit institutions. Within the framework of Nordic cooperation, we participate in the Nordic Foresight Networking Group. There we discuss how to work strategically with strategic intelligence in planning.
Risk model and identified audit areas
The Swedish NAO has for some years planned on the basis of a model in which, through an overall strategic and risk analysis, we have identified the main risks in central government. These form the starting point for the audit focus within both fields of operation. They concern deficiencies in:
- the quality of documentation and information as a basis for stable public finances;
- the governance, follow-up and reporting of central government commitments;
- organisation, responsibility and coordination;
- skills supply.
For each main risk, we identify concrete risk areas. The risk model contributes structured management and follow-up of the audit operations, to ensure that the two audit types we are tasked with will consider the same main risks during implementation of the audit work. Despite this, I have found that there are reasons to continue developing the model in order to achieve a closer relationship between planned and completed audit.
The model also promotes a more coherent focus of audit work and allows for more comprehensive, long-term conclusions about the effectiveness and efficiency of central government administration. This is important, not least in view of the fact that many decisions are taken in relatively short-term perspectives, without any particular link to the overall and long-term objectives of central government. For example, Sweden’s commitment and efforts towards the 2030 Agenda targets may be an aspect of audits within and between different policy areas.
Strategic operational development
It is crucial to be able to establish a long-term perspective on the organisation’s development needs and use of resources. This is to enable our audit institution — in the long term — to continue to fulfil its statutory function and ensure high quality and efficiency. This involves both the development of operational processes, such as methodology, digital resources and being able to identify future skills requirements. The Swedish NAO’s four-year plan states a strategic focus on how the operations need to develop and how our financial funds are to be distributed in the organisation. The needs generated by how we focus the audit contribute to the strategic focus. Here there is a connection between the different parts of the long-term plan.
Strategic planning is summarised in four long-term goals set out in the long-term plan. For each of the goals, we have identified prioritised development areas that are then translated into concrete assignments in the annual operational plan.
The Swedish NAO’s four strategic goals for the period 2021–2024 are:
- our operations must be relevant to those we target and conducted to the highest quality standards;
- our communication must contribute to the greatest possible operational effect;
- our skills supply must meet the needs of the operations;
- our processes must be clear and effective.
One area of development that I would particularly like to mention is the implementation of the joint development and administrative model. The work of digitalisation and modernisation of our working methods must be done effectively, and the development must provide the greatest common benefit for our operations. It involves significant costs for development and administration. The model therefore needs to be transparent, roles and responsibilities must be clear, and the work needs to be an integral part of the organisation’s planning and follow-up process.
A critical factor in preparing the organisation for future challenges is that we have control over our digital development as well as over our digital heritage. Development is often decentralised and is not coordinated between different parts of the organisation. As a rule, the costs of development are underestimated and the costs of system management are unknown, even though they often exceed development costs. At the Swedish NAO, we have established a centrally located function that is responsible for testing development and investment needs against the strategic requirements for the entire organisation. Maintenance management is integrated into operational planning and thus will also be coordinated with and weighed against other measures.
Digitalisation
In the technological development through digitalisation, I see a force and a source of change that will make great demands on our ability to develop working methods and at the same time offer opportunities to develop both administration and audit.
For our auditing activities, both financial audit and performance audit, it will be critical to build up or acquire expertise in digitalisation in order to conduct audits of high relevance. As government agencies develop their operations with digital tools, the Swedish NAO must also have employees who can define problems and ask the right questions regarding digital environments. Employees must also be able to carry out the audit itself. What happens, for example, when government agencies start using algorithms and artificial intelligence to a greater extent in decision-making? Questions may also concern agencies’ ability to use IT systems in tax collection and transfer systems or how transactions should be taxed on digital platforms, where central government has limited insight.
Basically, it means that the Swedish NAO must have expertise in digitalisation and data. The expertise must be broad and encompass more than technical skills, as digital maturity is as much an approach as the ability to use digital tools.
This is also important from the point of view of information security. We see it as a challenge to continue to develop our understanding of risks associated with increased digitalisation. Data and information are valuable but at the same time sensitive assets, and the Swedish NAO is now developing its ability to move and store information securely, and to assure the quality of the information we send out and take in.
There are also risks that we will not be able to develop at the rate and in the way we wish. I am thinking chiefly of the European Court of Justice Schrems II judgment on the handling of personal data transferred to third countries and the use of US cloud services. The ruling raises many questions regarding our future development that we do not yet have answers to.
Changes in managerial structures
In 2017, together with two colleagues, I was responsible for heading the Swedish NAO. We had clear directions from the Riksdag. Much of our task was to structure and organise the work, including strategic planning. Many procedures were non-existent and there was no clear direction for the operations. At the same time, the managerial structure of the Swedish NAO was under review. Fourteen years after its establishment, what had often been discussed came into being — the Swedish NAO was given an Auditor General and a Deputy Auditor General (DAG), appointed by the Riksdag in 2020.
The change means a model with one Auditor General instead of three, who independently decides on all audits, after consultation with the Deputy Auditor General. In fact, it provides completely different conditions for efficient planning of operations and simpler communication of both focus and outcome. Although one of the three auditors general was formally responsible for the administrative management of the organisation, much of the management took place collectively. This was often a strength but could cause a lack of clarity of leadership.
We have now worked for almost a year under the new model. We continue to shape the role of the Deputy Auditor General and there are probably further possibilities to also develop planning and governance. But we see that we are moving in the right direction towards what was the purpose of the change, also when it comes to strategic planning.
This article was first published on the 1/2021 issue of the ECA Journal. The contents of the interviews and the articles are the sole responsibility of the interviewees and authors and do not necessarily reflect the opinion of the European Court of Auditors.
