The Institute of Internal Auditors has published a new white paper encouraging its members to take a closer look at the culture that operates as the undertow to the business. The paper makes the case that too many high-profile compliance failures in recent history can be tied to cultures that somehow encouraged, allowed, or looked past illicit behavior. “Why should culture be added to the workload?” the paper asks. “Because auditing culture helps the organization manage it.”
The paper also provides some suggestions for how internal auditors can pioneer their way into such an uncharted area for the audit profession. Secure support from the board and executive management, especially the audit committee, the paper advises. Leverage available resources, like results from employee surveys or exit interviews, train the audit staff, and supervise auditors closely.
Some audit leaders are quickly embracing the idea as the next step in an ongoing evolution of the role of audit in business. “We are seeing rising expectations of internal auditors,” says Brian Christensen, executive vice president of global internal audit for consulting firm Protiviti. “Auditing culture fits within that. As you look to the audit of the future, it’s not just going into a checklist. It’s taking into consideration some of the qualitative aspects of the business. It can be done in methodical practice.”
Other audit leaders are bit more circumspect. “This is not as easy as if the profession comes out with a new standard,” says Warren Stippich, national GRC leader for Grant Thornton. “It’s so subjective, and it’s going to take some auditors way out of their comfort zone, and rightly so. It could create some significant issues with their executive teams. It’s really becoming subjective when audit is supposed to be objective.”
“As you look to the audit of the future, it’s not just going into a checklist. It’s taking into consideration some of the qualitative aspects of the business. It can be done in methodical practice.”
Brian Christensen, EVP of Global Internal Audit, Protiviti
Tracey Keele, a partner in internal audit, risk, compliance at KPMG, has performed culture audits in her prior role as an internal audit executive at a Fortune 500 company. “We built a program around auditing culture,” she says. “And we saw the benefit that it delivered to the organization.”
Keele says internal auditors are well positioned through traditional audit activities to spot “risk signals” that merit further examination. Auditing culture is one way to dig below the surface to see what's behind those risk signals, she says. “The real benefit of auditing culture is telling the story of what’s happening in the company and providing that organizational context.”
WHAT TO AUDIT & MEASURE
Below is an excerpt from the IIA’s report on auditing culture.
Many considerations can be taken into account when auditing culture, examples of which are listed below. The internal auditor should be sure that the culture aspect of the audit is tailored for the organization and focuses on its specific environment, opportunities, and challenges.
Employee observation of misconduct and reporting of same. ?
Employee perception of his/her peer environment and culture. ?
Employee belief that a strong tone from the top exists.
The existence of a comprehensive training program for new and existing employees, customized for the employee’s role in the organization.
Protection of whistleblower status and rights (e.g., monitor for a downgrade in job title, performance evaluations, or job assignments of employees who have or are believed by others to have blown the whistle). ?
How frequently the organization faced legal problems.
HR Practices, Incentives, and Enforcement ?
How frequently the organization received negative media coverage (including social media). ?
Appropriateness and consistency of penalties for violating policies. ?
Appropriateness of how honest mistakes are dealt with. ?
Evidence of Soft Controls ?
Competence — being adaptable and willing to learn. ?
Trust and openness — teamwork, helping and relying ?on one another to solve problems. ?
Strong leadership — direction and leading by example.
Employee perception of the compliance and ethics program, and the importance of compliance and ethics within the organization.
Employee and customer survey results.
Frequency of training and documentation of attendance.
Mechanism for assessing the effectiveness of training.
Number of risk and control problems identified by internal audit and other assurance groups versus the number self-identified, voluntarily disclosed, and proactively addressed.
Timeliness and effectiveness of corrective actions.
Whether exit interviews are conducted (because?of the opportunity they present to gather an employee’s honest perception of the company?and culture) and whether those exit interviews include questions to assess whether the departing employee was aware of potentially unethical events taking place at the company.
High expectations — striving to improve, to raise the bar.
Shared values — doing the right thing in the right way.
High ethical standards — honesty, equality, and fairness.
Culture is a key contributor to corporate performance, both positive and negative, says Sandy Pundmann, head of Deloitte’s U.S. internal audit practice, so internal auditors should commit themselves to helping address it. “It’s important for auditors to either figure out how to periodically do a corporate culture audit or to incorporate consideration of culture in each and every audit project being done,” she says.
Tom O’Reilly, director of internal audit at Analog Devices, says there are a number of ways internal auditors already look at aspects of culture within the context of their existing audit projects. “We might be hard pressed to look at culture in one audit, but we do it indirectly as part of all the audits we do,” he says.
As examples, O’Reilly says, every audit project looks at the tone at the top of whatever functional area is in scope of the audit, and communication among senior managers, middle managers, and rank-and-file employees is examined to help gauge that tone.
Auditors look at incentives, likes sales commissions. And they look at hotline activity. “Each call on its own may not be indicative of culture, but when you’re looking at multiple calls you can start to identify themes,” he says. It’s not out of line for internal auditors to reach out to former employees, says O’Reilly, and he’s done that a time or two. “It’s a case-by-case basis,” he says.
Bill Watts, a partner with Crowe Horwath in global risk consulting, says there’s no specific framework for auditors to follow to launch an audit of culture, but the COSO Internal Control -- Integrated Framework provides a good starting point. The control environment component of the COSO framework focuses on commitment to integrity and ethical values, oversight responsibility, structure, authority, responsibility, competence, and accountability, all of which can speak to culture. “It’s a new area, and it’s great that the IIA is trying to generate some discussion in the market,” he says.
Internal audit leaders who want to dip their toes into the water on auditing culture should begin by carefully exploring how they would go about performing such an audit, says Rob Kastenschmidt, national leader of risk advisory services for audit firm RSM. “That’s the $8 million question right now,” he says. Auditors have long considered culture as they perform risk assessments, but that’s not the same as performing an audit of culture.
The best place to begin, says Kastenschmidt, is to initiate dialogue with senior management and the audit committee on how to define the culture the company wants to have in place. “Have a thoughtful discussion to say: look, there’s a growing call for culture to be included in the audit plan, potentially in every audit plan,” he says. “In order to audit it, we have to define what we want here to be our culture.”
Auditors might meet some resistance when they take a discussion about culture to the highest levels of the organization, says Christensen. “Chief audit executives should see this as an opportunity in the coming year to really step up and be an ombudsman for management and the audit committee to help them reach into areas that have maybe not been approached in the past,” he says. “That can be highly valuable.”