In the aftermath of yet another financial services scandal, heads are turning to the audit committee for answers. What more can or should the audit committee do to help companies lasso cultural problems that can cascade into fraud and costly legal mayhem?
Plenty, in the eyes of some leading corporate governance experts, who believe the time for more focused cultural oversight, even culture audits, is dawning. The Institute of Internal Auditors first proposed the idea earlier in 2016, to which the internal audit profession reacted with a mix of intrigue and circumspection.
With the recent demonstration at Wells Fargo of how a toxic culture can drive otherwise level-headed business people to resort to falsifying account records, the dialogue around audit committee oversight and perhaps even auditing culture is starting to pick up. And it’s not just in the financial services sector.
“In the last six months, it’s gotten more traction,” says Warren Stippich, national managing partner in quality and risk at Grant Thornton. “It’s not mainstream, but leading organizations are adding this to the plan and trying to take steps forward to do some culture audits.”
There’s no manual that tells internal auditors how to audit culture, much less guidance to tell the audit committee how to oversee corporate culture. Stippich says it’s beginning with more deliberate, focused discussion. Are the tenants and drivers of a positive culture in place? What’s the style of the management team? Any evidence of retaliation that should be questioned?
To get the ball rolling, Stippich says audit committees should take note of the fact that they while they don’t own corporate culture, “they certainly have the levers in the form of monitoring and oversight to drive culture.” Audit committees can set a mandate through their charter and their activities that sends a signal to the rest of the company that it’s asking questions and looking for good answers.
“Too many audit committees are asleep at the wheel while corporate culture is careening over the cliff.”
Richard Chambers, President & CEO, IIA
Richard Chambers, president and CEO of the IIA, is even more direct. “Too many audit committees are asleep at the wheel while corporate culture is careening over the cliff,” he said. Ultimately, the board is responsible for the company’s culture “but it’s difficult for boards in many cases to act as a single unit on these things,” he says.
The audit committee is the logical place for culture oversight to rest because the audit committee has a direct line to internal audit, which acts as the arms and legs, eyes, and ears, of the audit committee within the company. “If culture is a visible risk, who can the audit committee turn to that can provide some objective assurance around how that risk is being managed?” Chambers asks. “Internal audit, obviously.”
Assessing or even auditing culture provides yet another reason why internal audit should report to only the highest level within the organization and functionally to the audit committee, says Chambers. “It needs to be organizationally independent enough to assess the culture,” he says.
In his talks with internal auditors and stakeholders to the internal audit function, like audit committees, Chambers advocates for one of three approaches as a starting point to assessing or auditing culture:
“Look at culture as part of every audit you do,” says Chambers. In a straightforward audit of financial reporting controls, look at deviations from policies and procedures, waste, or inefficiency, and get to the root cause. Maybe it’s because someone wasn’t properly trained or didn’t have the right resources. But could it also stem from a misplaced or inappropriate incentive? “Is someone incentivized based on the ends and not the means?”
AUDIT COMMITTEE RECOMMENDATIONS
To help the CEO and management set the proper tone at the top, PwC recommends that audit committees:
Devote more time to understanding the intersection of strategy and risk, with particular attention paid to deterring unethical or inappropriate behavior, such as selling unsuitable products to meet a quota, as well as taking on risks that the organization structure is unable to manage.
Communicate regularly with non-C-Suite employees to help the board better understand the day-to-day routine of the organization. Many BCM audit committees now regularly invite the chief compliance officer (CCO) or line-of business leaders to committee meetings. On the flip side, some committee members occasionally attend meetings with the internal audit staff and lines of business.
Encourage management and the internal audit staff to have open conversations during which everyone feels free to discuss their concerns. Based on these conversations, committee members can refocus their attention as needed.
Discuss areas where management is concerned about the culture.
Encourage internal audit to perform periodic culture audits to identify areas for improvement.
Discuss with management how incentive compensation plans, recognition programs, and other strategies are used to reinforce positive behaviors and where incentives could be viewed as encouraging undesired behaviors.
Provide credible challenges to management’s approach to monitoring risk appetite. This is especially important in situations in which members of the audit committee suspect activity that might expose the institution to excessive risk or in situations that otherwise fail to reflect the firm’s values. It should be noted that regulators now explicitly demand these types of challenges.
“Take on culture in bite-sized pieces,” Chambers says. Audit the culture at a single branch office or a single business unit. Experiment with how to write the audit plan, how to identify the key risks, and how to get to the root causes of errant behavior.
“Connect the dots,” he says. Internal auditors see a lot of behavior across the organization through the course of different audit activity. What are the common themes? “Maybe culture is promoting some kind of ends-over-means approach,” he says.
Bob Herz, former chairman of the Financial Accounting Standards Board who has served on audit committees at Fannie Mae and Morgan Stanley, says the entire board has a role in overseeing culture, but the audit committee has the best seat in the house because of its direct line to internal audit. There’s no simple formula for how to assess or oversee culture, but audit committees should leverage the eyes and ears of internal auditors, he says.
“Surveys, focus groups,” says Herz. “Talk to a lot of people, visit locations, get a sense at different places.” Use the formal tools, but do the informal legwork as well, he advises. Does the company have excessive turnover? How’s employee morale? What do the exit interviews say? “When you go out to a location, meet with people, and not only the senior people, but middle management,” he says. “Sometimes they are a little intimidated, but you get pretty candid feedback.”
Brian Schwartz, a partner in risk advisory services at PwC, says if assessing the total corporate culture is too much to bite off at once, try focusing on a company’s risk culture. “It’s the beliefs and attitudes a company sets when deciding to make risk-taking decisions,” he says. “Risk culture sets the stage for the types of risk decisions being made.” Zeroing in on risk culture enables a more focused view on “good” risk-taking compared with “bad” risk-taking, he says.
That starts with assessing the governance of risk within the company, says Schwartz. “Do you have a chief compliance officer or a risk officer looking at the company’s risk appetite framework?” he asks. “Is management making decisions that align with the risk appetite within the company?”
Other indicators to watch, says Schwartz, include performance management and accountability. Is compensation awarded for good risk-taking or bad risk-taking? Is the first line of the business held accountable for owning the risks they cause to generate revenue? Are risk management functions adequately challenging that risk-taking behavior on the front line?
Banking regulators in particular are getting more vocal in their demands that boards get more proactive in assessing culture, says Schwartz, and that’s starting to trickle out to the rest of capital market players. “Right now, everyone’s talking about it to some extent,” he says.