I have been spending a great deal of time lately focusing on corporate culture. The number of high-profile corporate scandals in the past year made very clear for me just how much a toxic culture can undermine good governance, and ultimately destroy shareholder value. This makes it imperative for our profession to "follow the risks" and address culture when carrying out our responsibilities.
I believe many of my colleagues agree that the time has come to assess culture, based on the positive response to my keynote address, When Culture is the Culprit, delivered at last week's IIA GAM conference. This is especially gratifying considering that auditing culture will place a burden on most practitioners to operate outside of their comfort zones.
One observation that I shared during my GAM presentation deserves additional examination. It has become quite clear to me that the relationship between management and internal audit can be a barometer of an organization's culture.
Let's examine what most would consider healthy and poor relationships between management and internal audit and what it says about the organizations in which they coexist.
Ideally, internal audit should operate in an atmosphere that allows it to function independently. It should have the resources to do its job well. It must have separate administrative and functional reporting lines to the CEO and board or audit committee respectively. It should have a clear and positive relationship with management that allows it to communicate openly and confidently without fear of repercussions, and it should enjoy a similar relationship with its audit committee and/or board.
An organization in which management treats its internal audit function in such a way reflects much about its culture. It suggests management has the confidence to have its actions and decisions routinely undergo scrutiny from an informed and independent outside perspective. It reflects that management understands its role and that of the board and audit committee, and one that is eager to identify risks and control weaknesses and improve on those areas. It reveals a commitment to transparency from confident leadership that does not fear that its actions fall outside the lines of established risks appetites, business strategies, or ethics.
Most importantly it sets a tone at the top that signals unequivocally that doing things right are hallmarks of its culture.
Conversely, a poor relationship between management and internal audit is defined by efforts to undermine internal audit's ability to do its job. This signals leadership that shuns scrutiny and will take steps to obstruct or avoid feedback from an independent internal audit function.
Telltale signs include:
- Attitude toward internal audit: Management's response to internal audit's inquiries is to circle the wagons and limit access to information.
- Carousel of chief audit executives: Management cycles through a number of CAEs seeking one it can most easily control or manipulate.
- Pressure to change or hide findings: Management makes clear it doesn't want to hear the truth.
- Redirecting or misdirecting internal audit: Management manipulates the choice of audits based on an agenda other than one based on the organization's risk.
- Manipulating internal audit's budget: Management limits resources in staff, access to expertise (co-sourcing), or travel to limit internal audit's ability to do its job.
- Limiting internal audit's access to the board or audit committee: Management wants to control the message from internal audit to the board.
Each of these reflect a tone at the top of avoiding accountability and transparency. This does not mean an organization is operating unethically or illegally, but it does suggest a fundamental disregard or misunderstanding of good governance and the dangers that accompany a disregard for it. It at least hints at an organization that has work to do on its culture.
If your organization exhibits any of these red flags, internal audit should take steps to address them with management and the board. The sooner they are corrected, the less the likelihood they will create problems with culture.
It is important to remember that the relationship between management and internal audit is a two-way street. Just because there may be disagreement or tension between the two does not necessarily mean there is only a problem with the organization's culture. Such problems may reflect that internal audit itself has a culture that fosters mistrust and friction.
Under either circumstance, it is imperative for internal audit to constantly work to improve its relationships with management, the audit committee, and board. The long-term success of the organization depends on it.
As always, I welcome your comments.