Internal audit plans for the coming year will reflect more consideration of corporate culture and the risks it might pose to the company’s success.
“The continuing saga over the last couple of years is big companies getting in trouble over something that clearly has a cultural component to it,” says Richard Chambers, president and CEO of the Institute of Internal Auditors. “Whether internal auditors want to or not, they have to acknowledge that culture is a risk—a big risk.”
When the IIA first began suggesting that internal auditors should perform audits of corporate culture, the idea met with some skepticism. Internal auditors historically have more experience auditing hard data that produces objective evidence. By comparison, culture is a soft, subjective area.
Now internal auditors are starting to reconsider, says Michelle Hubble, a partner at PwC in internal audit risk management and compliance. “They are warming up to it but they still don’t know exactly how to audit it,” she says.
Internal auditors are starting to conduct polls and surveys that speak to cultural issues in many settings, but they also can look to other indicators of culture, like codes of conduct and incentive compensation. How well does the company live up to its code of conduct? Are incentives aligned with strategy and mission, or do they incentivize bad behavior (e.g., Wells Fargo)? What is the company messaging through its internal communications?
Sandy Pundmann, U.S. managing partner in internal audit at Deloitte Advisory, says culture is a hot topic with internal audit leaders, who are indeed still trying to figure out how to get their arms around it. “If you look at some of the high-impact issues that have come along, culture has been a key element of the control structure that really contributed to the issues identified,” she says.
“The continuing saga over the last couple of years is big companies getting in trouble over something that clearly has a cultural component to it. Whether internal auditors want to or not, they have to acknowledge that culture is a risk—a big risk.”
Richard Chambers, President and CEO, Institute of Internal Auditors
It’s not yet clear whether internal audit leaders will embrace the idea of performing independent audits of culture, or whether they’ll give more consideration to culture within the context of each audit performed. “We are seeing many organizations ask, ‘How do we consider the culture as a control, or as an element we audit?’ ” says Pundmann.
It’s possible internal auditors may be gathering information on culture already without necessarily calling it out or considering it as such. “You can do some very targeted procedures with surveys and targeted testing, but you’re collecting information about culture throughout the entire year,” says Dawnella Johnson, a partner at audit firm Crowe Horwath. “You’re basically auditing culture all year long.”
To be sure, the internal audit plan for 2018 will contain far more than consideration of corporate culture. The list of risks internal auditors need to consider in many settings is varied and growing rapidly. It contains many of the classic concerns—internal controls, cyber-security, geopolitical uncertainty, regulatory shift.
It also includes risks around talent, technology, efficiency, and new accounting requirements, experts say. Rob Frattasio, a partner in audit firm RSM’s risk advisory services, says internal auditors need to cope both with rapid change and the need to see further into the future.
“The time you have to adapt to change shortens all the time,” says Frattasio. “The way companies do business and use tools to do business—the change is fast and furious.” That makes it more imperative than ever for internal audit leaders to not just write an audit plan for 2018 based on current concerns, but to work closely with executives and audit committees to anticipate the future.
Pundmann agrees the pressure on annual audit planning is growing. “The days of saying here’s my plan for the year, then reporting, substituting this project for that—that’s gone,” she says.
Instead, the annual plan is more a way of planning focus and allocating resources. As an example, some audit leaders are planning for the coming year by saying they’ll devote X percent of resources to emerging risks, another X percent to core assurance activities like Sarbanes-Oxley controls and processes, and another X percent to cyber-security and other IT risks, says Pundmann.
Deloitte discusses the focus on risk culture
Regulators and boards are focusing on risk culture because it largely determines decisions, conduct, and risk taking within an organization. Risk culture affects not only day-to-day operational and financial areas but also decisions involving research and development (R&D), development of products and services, and market entry and exit. Excessive risk taking is not always the problem. Often, organizations take too little risk, for example in innovation and technology adoption. A risk culture of informed risk taking can enable performance. Therefore, gauging risk culture within organizations on a periodic basis is becoming more critical across all industries. For example, public sector organizations tend to be sensitive to reputational risk. In life sciences organizations, risks related to R&D, acquisitions, business models and regulatory compliance are of high concern. At senior levels as well as in day-to-day operations, motivations and behaviors around value creation and risk must be clarified and properly directed.
Steps to consider: First, the organization must define risk culture so all parties have the same view. For example, Deloitte defines risk culture as a system of values and behaviors present throughout an organization that shape day-to-day risk decisions. Deloitte identifies a framework with indicators of risk culture. Whatever the framework, indicators should be used to assess the existing risk culture and monitor desirable and undesirable changes. Internal Audit can audit risk culture within standard operational and financial audits by adding interview questions, gathering data, and developing an informal review. Alternatively, Internal Audit can conduct a formal audit of the risk culture management process, metrics, and outcomes. Since risk culture can vary across organizational areas, the results of risk culture reviews should be considered individually and in aggregate. Internal Audit can also make recommendations to strengthen an organization’s risk culture through training, incentives, controls, and other mechanism. Quarterly “pulse checks” (of four to five questions) can assess the ongoing risk culture. While less technically complex than some auditable areas, risk culture demands knowledge of how to measure culture, frame questions, and seek insights.
Frattasio says he sees chief audit executives continue to struggle with persistent shortage of talent, particularly in middle-market and smaller companies. “I hear ‘labor shortage’ everywhere,” he says. That leads to increased risks in areas like segregation of duties and reliance on a remote workforce. It adds to the mix of reason to worry about cyber-security and compliance in various areas across the board.
It also builds the case for turning to new technology, which is also on the internal audit radar for next year, experts say. Audit leaders need to think both about employing new technology in the audit, and auditing areas of the company that are employing new technology.
Most of the new technologies center on automation—using machines to do routine tasks that used to be performed by people. There’s even a new acronym—RPA, which means robotic process automation—to describe the movement toward automation.
Continued strife over internal controls under Sarbanes-Oxley only adds to the incentive for internal audit to move further along the technology continuum. “We want companies to move fast and get cost out of the system, but there has to be some perspective on controls,” says Hubble. “It’s about understanding how RPA is going to change the basic operation of processes and controls.”
RPA will extend well beyond the scope of internal controls, however. Hubble says a lot of companies are engaged in some kind of transformation that has a strong element of technology to it, like adopting a new enterprise resource planning system. “When we do our surveys each year, it’s well over 50 percent that say they have some kind of transformational program within the company,” she says.
Internal audit is likely tasked with providing some kind of program assurance on such events, she says, and the efforts frequently involve some kind of automation. “We’ll see RPA in a lot of internal audits this year,” she says. “Most are saying they’re just trying to figure it out and see how it works.”
Technology will be a key solution to help internal audit leaders continue to answer the demand to “do more with less,” says Pundmann. Whether that means using more analytics to perform audit work, rethinking the approach to cyber-security, or employing other tools, the use of technology to drive efficiency will be a big theme in the coming year, she says.
Internal audit groups also find they’re going to be allocating some time in 2018 to new regulatory requirements like new accounting rules around revenue recognition and leases. New standards on how to recognize revenue in financial statements take effect Jan. 1, 2018, for most public companies, so internal auditors will shift from pre-implementation to post-implementation, says Frattasio.
Also taking effect in 2018 is the General Data Protection Regulation, a pronouncement of the European Parliament that affects U.S.-based multinational companies doing business in Europe. “It feels like companies have not paid enough attention to that,” says Frattasio, so internal auditors likely will need to assess implementation and post-implementation efforts there as well.