Perhaps internal audit is evolving to focus on organisational culture because daily news reports are filled with stories of culture gone awry.
“There have been very big headlines that we all know about, where you could look at organisational culture and say, ‘That was part of the problem,’ ” said Jason Pett, CPA, the US internal audit services leader and financial services risk assurances leader for PwC.
Perhaps the evolution of technology and continuous monitoring has helped internal auditors get a better grasp on controls testing, creating more opportunities for them to assess culture.
“This topic comes up more frequently now, because we’ve tested every control seven ways till Sunday,” said Peter Parillo, CPA/CFF, CGMA, vice president for internal audit for energy services holding company South Jersey Industries. “It’s amazing to see how much testing has evolved, but at the end of the day it does come back down to the organisation’s culture.”
Whatever the reason, the assessment of culture is coming into focus as a key responsibility for internal audit at many organisations. Culture was identified as a high risk to an organisation by more than half (56%) of respondents to a poll by the Institute of Internal Auditors Financial Services Audit Center. The survey of more than 400 respondents represents the views of internal auditors primarily from North American financial services organisations.
Despite the recognition of culture as a risk, half the respondents said it is not audited at their organisations. A little more than one-third (37%) of respondents said culture assessment is embedded in their existing internal audit programmes, and 7% reported having specific audit programmes focused on organisational culture.
Pett and Parillo are proponents of embedding culture assessments into existing internal audit programmes. Parillo said conducting specific audits focused just on organisational culture can put personnel on edge and lead to less-than-accurate responses.
Pett said it can be a challenge to initiate a specific audit programme focused on organisational culture because it requires defining a framework against which culture is going to be evaluated.
“You need to be able to define what good culture is within the specific company environment,” Pett said. “Is that just what the CEO says it is? Is it what the board says it is? Is it what you think it should be? It is a challenge for internal audit functions to audit against something that is a little bit more difficult to pin down.”
Pett said it’s more common for internal audit functions to embed an assessment of culture into the risk assessment and audit process of every audit they perform. Using this strategy, internal auditors should start with a mandate from the board or audit committee to include assessments of culture in the process.
Sometimes that requires internal auditors to take the first step to move the board and senior management towards supporting this kind of auditing. Pett said it’s essential for internal audit leaders to communicate their intentions to perform this kind of audit and ideally gain both board and management support.
This gives internal audit the ability to ask questions and evaluate culture in each audit. Take, for example, a basic audit of a performance bonus or commission structure in a sales channel. In addition to auditing the metrics and the process, internal audit would evaluate cultural questions such as:
- Who establishes the criteria for bonuses?
- Is any part of the compensation structure tied to doing the right thing for the company?
- Do the bonuses incentivise the appropriate behaviours?
- Are messages about expectations properly communicated?
Ultimately, because there is not one “standard” around corporate culture, an internal auditor will need to use professional judgement to make this evaluation of culture based on his or her experiences and an accumulation of multiple data points, Pett said.
“Internal auditors aggregate some substantive findings and some softer findings,” Pett said. “But they’re still facts that you’ve accumulated throughout the year across multiple audits. You then need to aggregate these facts, make sense of them all, and come to some sort of a conclusion.”
How internal audit reports on its conclusion may vary, Pett said. Concerns (or lack of concerns) may be reported in an informal way to the audit committee. More formally, evaluations and conclusions on culture may be included as findings in each individual audit report. And most formally, the findings on culture may be aggregated and presented in an annual report on organisational culture.
Reporting on culture does come with challenges, though. Pett said that leaders of an organisation with a toxic culture may not support internal audit in reporting on culture. Parillo said there also is a danger of retaliation against internal audit. Nonetheless, he said, internal audit cannot allow itself to be influenced by negative reactions to findings.
“You have to make the statement,” Parillo said. “You can’t back down or be intimidated, because the foundation of internal audit depends on you and any head of internal audit standing strong and confident in what they’re doing and what their team is doing.”
Indicators of a successful organisational culture listed by Parillo or Pett include:
- The existence of strong governance, with clear policy and procedures.
- The communication of policy and procedures, upward, downward, and across the organisation.
- Clear and consistent communication from senior management regarding their expectations around control and “doing the right thing”.
- Application of policy and procedures to all levels of management without exception.
- Alignment of the system of rewards to the right behaviours.
Culture also often can be discerned from how individuals or managers respond to internal audit findings, Parillo said. It’s an indication of an honest, trustworthy culture when individuals accept findings and recommendations without confrontation and are prepared to develop a remediation plan with a realistic time frame.
When process owners are confrontational about audit findings, it may indicate a resistance to change. When individuals are flippant about findings, it can indicate that they may not be willing to adhere to controls.
Audit committee members should want to know about those responses, Parillo said.
“When I am in executive session with the audit committee, they ask me straight out, ‘Are there any issues that we need to be made aware of? Are process owners giving you what you want? Are they co-operating with you?’ ” Parillo said.
But he also has seen colleagues and acquaintances at other organisations fail to receive support when they have attempted to call attention to cultural deficiencies. He said those internal auditors have left their employers after realising their organisational cultures were not conducive to a positive internal audit environment.
Pett said the headlines show that there is extreme danger for organisations that resist internal audit assessments of culture, and that a capable staff is key to accomplishing this type of audit activity.
“You need to have the right talent to do it,” Pett said. “It takes very senior-level resources to understand the business, to do this right, and have the respect of senior management to drive those messages home. It is a very big challenge, but I think that internal audit functions can start to pick away at this.”
—Ken Tysiac (firstname.lastname@example.org) is a CGMA Magazine editorial director.