Board Problems Problems<p>Audit committees have a problem: They have too many problems. More precisely, they have too many types of problem — too many <em>types</em> of corporate misconduct to consider these days, because the definition of <em>misconduct</em> has expanded dramatically in the last 15 years. </p><p>That raises questions about the expertise audit committees need, and whether corporate boards have enough of it. Quite simply, if society wants corporations to exercise a sharper sense of ethics and moral responsibility, do we need more ethics and compliance officers serving on boards? </p><p>“It’s undeniably true,” says David Greenberg, former chief compliance officer (CCO) at tobacco manufacturer Altria and an audit committee member of International Seaways, a New York Stock Exchange-traded oil and gas tanker business. The definitions of <em>corporate misconduct</em> are expanding, he says, and the consequences of it are deepening. “Put those two things together, and it’s a recipe for needing more of that experience.” </p><p>A recent regulatory enforcement example demonstrates the point. Cognizant Technologies, an IT outsourcing firm, had been accused of violating the U.S. Foreign Corrupt Practices Act when two of its senior executives orchestrated a US$2 million bribe to government officials in India. The involvement of two senior executives would typically leave Cognizant unable to avoid criminal prosecution, according to U.S. Department of Justice (DOJ) policy. Yet when regulators settled the case in February, the DOJ did decline to bring any criminal charges. Prosecutors later said why: “The company voluntarily self-disclosed the conduct within two weeks of when the company’s board learned of it.” </p><p>Confessing egregious corporate misconduct is unquestionably the right thing to do. Still, confession is a big request — especially when doing so invites potentially serious legal and financial consequences, such as monetary penalties or a corporate criminal charge. So Cognizant’s decision to disclose its trouble immediately, without any certainty of favorable treatment, is all the more impressive. </p><p>Where did that ethical commitment come from? It’s worth noting that Cognizant’s audit committee chair at the time was Maureen Breakiron-Evans, who worked as general auditor of Cigna in the 2000s. Also on the committee was Leo Mackay, head of ethics and internal audit at Lockheed Martin. Both still serve on Cognizant’s board.</p><h2>Beyond Financial Expertise</h2><p>Under the U.S. Sarbanes-Oxley Act of 2002, the audit committee of a publicly traded firm needs at least one designated “financial expert” to help the audit committee police against financial fraud. When the act was passed, that might have been enough of a kick in the corporate rear to take internal control more seriously. Today, a strong control environment has become much more important, to address all sorts of issues. Regulators don’t just want swift corrective action; they want strong <em>preventive</em> action. Customers, business partners, or even self-appointed social justice warriors prowling Twitter — all want to see ethical culture taken seriously, translated into tangible policies, controls, and actions. </p><p>“A true auditor on the board, or a true employee relations or corporate compliance person, is important because what’s falling to the audit committee to investigate — it’s gone way beyond what audit committee charters originally said,” says Owen Bailitz, a former risk management and audit quality partner with RSM, who now serves on the audit committee of the American Board of Medical Specialties. “You’re basically expanding the definition of risk.” </p><p>Audit executives could perceive all of this as a virtuous circle. Yes, data analytics captures data about business process outputs, to identify anomalous events or excessive risks. Those insights let directors draw conclusions about how the enterprise is working. We still need the other half of the circle: using those insights to change policy, procedure, and culture, so business processes can stay within ethical parameters more easily. That’s the improvement society wants to see. </p><p>“Across stakeholders, there’s been more engagement with boards on this discussion. Ethics and culture are topics that are relevant to the full board and every committee of the board,” says Tracy Atkinson, audit committee chair of defense and aerospace systems provider Raytheon Co. “Having someone who lives and breathes this on the board adds to the dialogue in a new way.” Atkinson would know; she is executive vice president and CCO at financial services company State Street Corp. </p><p>We see that increased engagement in various ways. For example, the Edelman Trust Barometer, which surveys more than 33,000 people worldwide about their trust in institutions, recently found that 76% say their employers should “take the lead on change” for issues such as sexual harassment, the environment, and discrimination. And 71% said it’s critical for their CEO to respond to challenging issues.</p><p>Then there are regulatory pressures. For example, a board might find itself saddled with a corporate integrity agreement where the audit or risk committee has to certify compliance with the terms. Having a compliance or internal control expert on the board would make that an easier exercise.</p><p>Those are examples at the macro level. At the micro level, chief audit executives (CAEs) have this: <em>The Politics of Internal Auditing</em>, a 2016 IIA study, found that 55% of audit executives had been asked to suppress unwanted findings during their career. That tells us two things. First, that internal audit executives are well-acquainted with the threats of bad ethical culture; and second, that CAEs would be well-suited to serve on boards someday — because they (like CCOs) have seen poor ethical behavior up close, and it’s their job to uncover and eradicate bad behavior anyway, whatever the consequences. </p><p>That skill, of identifying the ethically correct step, taking it, and defending it, will only become more important. As Greenberg says, questions about disclosing misconduct, and whether voluntary disclosure is worth it, can be quite difficult. “You need people with some experience to overcome that.” </p><h2>Meanwhile, the Reality</h2><p>As desirable as ethics, audit, and compliance perspective on the board might be, practical limitations abound. Boards are still desperate to recruit women and minorities; some jurisdictions now require specific quotas for female directors. Boards also are desperate for cybersecurity expertise. And yes, foremost, boards want to recruit current or former CEOs, chief financial officers, and chief operations officers — people who understand the intersection of strategy, operations, and finance. </p><p>That leaves few open seats for other governance expertise. So boards might not rush to the idea of recruiting CAEs or CCOs, unless they’re particularly committed to foresight. As Bailitz put it: “You need to have a change of mindset among the chairpersons of these boards, to say, ‘We lack this expertise, and it’s something we need.’” <br></p><p>The push for cybersecurity expertise is a good parallel. Most executives, audit committees members included, understand cybersecurity at a reasonable level — what it is, why it’s important, and what it should achieve. But they don’t understand  how to assess it, improve it, or weave it through all of an organization’s operations. Only a cybersecurity expert does.</p><p>Ethical culture is a lot like that, Atkinson says. Boards might believe they can master ethics and culture because it seems like a nontechnical issue, but introducing an audit or compliance executive can sharpen the board’s perspective in new ways. “It’s a mindset,” she says. “Having compliance and ethics as your subject matter domain, and bringing that to the board, further serves to emphasize” where ethics and the control environment might need attention.</p><p>So will boards put more audit and compliance professionals on the audit committee or even some other board committee? Will recruiters start calling CAEs and CCOs? That’s hard to say, but it’s not just self-interest for CAEs to want that to happen. This is what the future of boardroom problems looks like, and the future has a habit of arriving eventually.  <br></p>Matt Kelly1
Areas of Deficiency of Deficiency<p>The U.S. Public Company Accounting Oversight Board (PCAOB) is responding to audit committee requests for more information about PCAOB audit focus areas, stated board member Duane DesParte at the 2018 AICPA Conference on Current SEC and PCAOB Developments in Washington, D.C. Internal auditors are in a unique position to support audit committees in understanding and monitoring these key areas. Internal auditors with a solid understanding of PCAOB expectations and findings can advise audit committees, which have primary oversight responsibility for external audit quality and ensuring the independence and objectivity of the audit firm.<br></p><h2>The PCAOB Inspection Process </h2><p>The U.S. Sarbanes-Oxley Act of 2002 formed the PCAOB, creating an independent auditor oversight institution to protect investors, provide reliable financial reporting, and improve audit quality. The PCAOB performs annual inspections of large audit firms and triennial inspections of small audit firms. A report is issued after every inspection that includes a public portion and, if required, a nonpublic portion. </p><p>The public portion describes any significant audit deficiencies and is published on the PCAOB website. Examples of significant audit deficiencies include failure to perform required audit procedures, failure to recognize and address generally accepted accounting principles misapplications, and insufficient testing of the design and operating effectiveness of selected controls. After an inspection, an audit firm may have to modify its audit opinion or prompt the company to issue restated financial statements. </p><p>The nonpublic portion of the report addresses deficiencies in the system of quality control. It may include the firm’s procedures for assuring independence, the tone at the top, or the firm’s internal inspection program. The nonpublic portion of the inspection report becomes public if an audit firm fails to remedy the required quality control deficiencies within 12 months of the report being issued. According to the Center for Audit Quality’s (CAQ’s) Guide to PCAOB Inspections, the remediation steps that a firm takes depend on the type of underlying quality control issues identified by the PCAOB. Remediation examples include changing the firm’s audit procedure manuals and additional training. The PCAOB expects larger firms with complex audits to conduct an analysis of the causes of any identified issues, and adapt its remediation measures to the results of that examination. The CAQ Guide can be helpful to internal auditors by providing guidance on remediation steps and root cause analyses.</p><p>The PCAOB currently is revising the risk-based selection process of audit engagements, which procedures to perform, and how to assess a firm’s quality control system and culture, as well as changing the nature, timing, and extent of inspection procedures. In addition, the PCAOB will focus on timeliness and relevance of inspections reports, which will aid investor and audit committee decision-making. Some changes will be implemented as early as the 2019 inspection cycle, said George Botic, PCAOB director of the Division of Registration and Inspections, during a Dec. 12, 2018, speech.<br> </p><h2> Inspection Findings </h2><p><img src="/2019/PublishingImages/Boyle-PCAOB-Audit-Deficiency-Examples.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:640px;height:495px;" />The three most frequently recurring audit deficiency areas are assessing and responding to risks of material misstatement, auditing internal control over financial reporting (ICFR), and auditing accounting estimates, including fair value measurements (see “PCAOB Audit Deficiency Examples,” right), Botic said. The PCAOB highlighted these deficiencies in its 2018 Staff Inspection Brief, Staff Preview of 2018 Inspection Observations, released in May 2019. <br></p><p><strong>Key Deficiency 1 — Assessing and Responding to Risks of Material Misstatement</strong> Deficiencies related to assessing and responding to risks of material misstatement result in noncompliance with PCAOB Audit Standard (AS) 2301: The Auditor’s Responses to the Risks of Material Misstatement and AS 2810: Evaluating Audit Results. The PCAOB’s 2017 Staff Inspection Brief, Preview of Observations from 2016 Inspections of Auditors of Issuers, notes that some selected firms were not performing substantive tests robust enough to thoroughly assess fraud risk and other risk factors. The 2017 Inspection Brief specifically mentions risk regarding revenue recognition. The 2018 Inspection Brief highlights the need to test the entire revenue transaction, including comparing company-prepared invoices with related contractual obligations and product/service delivery and testing invoice amounts to revenue recognition. Firms should presume there is fraud risk associated with revenue and evaluate accordingly. Audit procedures should be designed and performed to address the assessed risks of material misstatement for each relevant assertion of each significant account and disclosure (AS 2301.08). AS 2301.09 emphasizes that when designing the audit procedures, the auditor should: <br></p><ul><li>Acquire more persuasive audit evidence the higher the auditor’s assessment of risk. </li><li>Consider the types of potential misstatements that could result from the identified risks and the likelihood and magnitude of potential misstatement. </li><li>In an integrated audit, plan the testing of controls to accomplish the objectives of both audits simultaneously to obtain sufficient evidence to support the auditor’s control risk assessments for purposes of the audit of financial statements and to support the auditor’s opinion on ICFR as of year-end.</li></ul><p><br>Some inspections yielded cases where the presentation of the financial statements and completeness of disclosures were not fully evaluated. AS 2810.03 requires external auditors to consider all relevant audit evidence, regardless of whether it appears to corroborate or to contradict the assertions in the financial statements when forming an opinion on the fairness of financial statements. </p><p>Internal auditors should work closely with audit committee members to address recurring audit deficiencies by creating and monitoring procedures to ensure appropriate tone at the top, auditor independence, risk assessment of material misstatement, and accounting estimates.<br></p><p><strong>Key Deficiency 2 — Auditing ICFR Deficiencies</strong> in this area result in noncompliance with AS 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements. They stem from insufficient testing of estimates related to revenue, business combinations, asset impairments, and reserves. External auditors need to exercise an appropriate amount of skepticism as the 2017 Inspection Brief notes that firms tend to rely too much on management explanation, exhibit bias toward controls being effective, and incorrectly match control testing with control objectives. The 2018 Inspection Brief describes instances where external auditors inadequately tested the design and operating effectiveness of controls, or did not select controls for testing that addressed the specific risks of material misstatement. </p><p>AS 2201 establishes a risk-based approach to the audit of internal control. The auditing standard is intended to emphasize the most important matters in the audit of internal control and avoid procedures that are unnecessary to an effective audit. When choosing controls for testing, the external auditor should investigate controls that are imperative to his or her conclusion about whether the company’s controls appropriately convey the assessed risk of misstatement to each relevant assertion (AS 2201.39). In addition, AS 2201.42 recommends examining the design effectiveness of controls by verifying whether the company’s controls satisfy the control objectives and can effectively prevent or detect errors or fraud. The external auditor should obtain persuasive evidence that demonstrates control effectiveness. As risk increases, so should the obtained evidence. </p><p>Staff Audit Practice Alert No. 11: Considerations for Audits of Internal Control Over Financial Reporting presents the application of certain requirements of AS 2201 and PCAOB standards to audits of internal control. This alert offers guidance on the topics of:</p><ul><li>External auditors’ risk assessment and the audit of internal control. </li><li>Selecting controls to test. </li><li>Requirements for testing management review controls. </li><li>IT considerations, such as </li><li> system-generated data. </li><li>Roll-forward of control testing performed at an interim date. </li><li>Using the work of others. </li><li>Evaluating control deficiencies. </li></ul><p>Internal auditors possess overall knowledge and understanding of an organization’s policies and procedures and are a resource for external audit engagement teams. Internal auditors can assist external auditors in gaining an in-depth understanding of organization processes, transactions, and controls.</p><p><strong>Key Deficiency 3 — Auditing Accounting Estimates, Including Fair Value Measurements</strong> Deficiencies related to auditing accounting estimates result in noncompliance with AS 2501: Auditing Accounting Estimates. These deficiencies are generally associated with evaluating impairment analyses for goodwill and other long-lived assets, and the valuations of assets and liabilities attained in business combinations. Other instances of auditing deficiencies observed in the 2017 and 2018 Inspection Briefs include revenue-related estimates and reserves, allowance for loan and lease losses, inventory reserves, and financial instruments. The findings demonstrate that the external auditors did not fully understand how estimates were established or did not adequately test the significant inputs and assess the significant assumptions used by management. The 2018 Inspection Brief recognizes that developing these estimates involves unobservable inputs, complex valuation models, and subjective judgments; therefore, external auditors should exercise professional skepticism and involve senior members of the team throughout the audit engagement.<br></p><p>AS 2501: Auditing Accounting Estimates offers guidance on obtaining and evaluating appropriate evidence to support significant accounting estimates in financial statements. AS 2501.03 highlights management’s responsibility to make the accounting estimates based on subjective and objective factors. Subsequently, management’s judgment is required for accounting estimates. This judgment depends on knowledge and experience, as well as assumptions about current and future conditions and courses of action. AS 2501.05 holds management accountable for creating a process for preparing accounting estimates. While the process may not be documented or formally applied, certain steps should be considered:</p><ul><li>Recognize when accounting estimates are required. </li><li>Identify factors that may affect the accounting estimate. </li><li>Accumulate relevant, sufficient, and reliable data on which to base the estimate. </li><li>Develop assumptions that represent management’s judgment of the most likely conditions and events with respect to relevant factors. </li><li>Calculate the estimated amount based on the assumptions and other relevant factors. </li><li>Determine that the accounting estimate is presented in conformity with applicable accounting principles and that disclosure is adequate. </li></ul><p><br>According to the PCAOB Inspections Outlook for 2019, inspectors are focusing on the design and operating effectiveness of firms’ systems of quality control, assessing and monitoring compliance with independence requirements, and evaluating the audit procedures firms use to identify cyber risks. In 2019, the PCAOB will look at the use and development of firm software audit tools to consider whether firms are using these tools effectively and applying due care, including professional skepticism. It also will assess auditors’ responses to risks associated with digital assets, such as cryptocurrencies, initial coin offerings, and use of distributed ledger technology. In addition, the PCAOB will focus on client acceptance and retention decisions, resource management, and planned audit procedures. </p><p>Revenue recognition is identified as an area of concern in all deficiency areas, so firms need to pay particular attention to assessing risk related to revenue, designing tests of revenue control, and evaluating revenue estimates. Business combinations also are a recurring item appearing under internal control testing deficiencies as an area affected by economic risk and a financial reporting concern. The 2017 Inspection Brief says that firms need to go beyond management inquiry by testing controls related to other controls, gaining an understanding of the basis of client estimates, and using professional skepticism. </p><p>The 2018 Inspection Brief also reports that some audit firms failed to communicate to audit committees significant risks and changes to those risks. Strong communication with external auditors can help audit committee members recognize “the external and company-specific factors considered by the auditor in assessing whether all significant risks have been identified,” as well as assist audit committees in exercising their oversight roles. Internal auditors should take part in communication with the audit committee, as well as external auditors, on any identified PCAOB deficiencies to ensure that all parties involved in the audit engagement have a clear understanding regarding remediation actions.</p><h2>Internal Auditor as Advisor<br></h2><p>The audit committee has a joint oversight role with the PCAOB when it comes to audit quality and engaging in dialogue concerning deficiencies and the PCAOB inspection process. It needs to understand the PCAOB’s recurring audit deficiency findings when fulfilling its supervision responsibility for audit quality and ensure the independence and objectivity of the external audit firm. Internal auditors with sound knowledge of this process can inform and advise the audit committee in this area so it can better fulfill this role.  <br></p>Elena Isaacson1
Auditing Culture: Where to Begin Culture: Where to Begin<p>​<span style="font-size:12px;">Auditing organizational culture is a challenging, multifaceted process. It can touch virtually all parts of the business, including the very top, and span a wide range of risks and topics.</span></p><p>Due to its complexity, many internal auditors interested in auditing culture may be unsure of how to approach it. This installment of my Auditing Culture series helps point practitioners in the right direction, offering some tips that may seem obvious but should not be overlooked. <br></p><h2>Consult With Your Stakeholders </h2><p>Auditors should start by identifying who their stakeholders are and determining what those individuals or groups expect from a culture audit. Examples of stakeholders include the audit committee, regulators, and executives — considerations for each of these groups can differ substantially. <br></p><p><strong>Audit Committee or Similar Oversight Group</strong> Has the audit committee asked for a culture audit? If so, this will help overcome possible resistance at lower levels. Does the committee have any specific expectations regarding which aspects of culture internal audit should examine or how the audit should be conducted? Do the committee members have any concerns about the existing culture? Have any members been involved in culture auditing elsewhere — if so, would they want to share their experiences or insights? Engaging this group in meaningful discussion will be important. <br></p><p>If the audit committee has not asked about auditing culture, internal auditors should initiate the discussion. Practitioners can suggest possible benefits to the organization (e.g., see "<a href="/2019/Pages/The-Right-Path.aspx">The Right Path</a>"), as well as some ways to approach a culture audit, drawing from research on what others have done.<br></p><p><strong>Regulators</strong> If the organization's regulators request or require audits of organizational culture, internal audit should hold the same kind of discussions with regulatory personnel as they do with the audit committee. In particular, what aspects of culture are they most interested in? What are their requirements or expectations for internal audit as it relates to culture? <br></p><p><strong>Executives</strong><strong> </strong>Support from the head of the organization is, of course, essential. Other executives may or may not like the idea, but they might be surprisingly supportive. For example, my first chief audit executive (CAE) reported to a chief financial officer who thought so little of internal audit that he moved the reporting relationship from himself down to the corporate controller. Nevertheless, he once said to the CAE, "I read your audit reports. They're fine. But what I really want from you is this. Your auditors are in our banks observing management's behavior. I want to know what they're seeing and thinking. I know they won't have the same kind of evidence they do for an audit finding, but I want to know what they think of management." <br></p><p>A 2011 IIA research study, Insight: Delivering Value to Stakeholders, provides a more generalized example. It found that 64% of executives surveyed expect that "the CAE provides comments to the audit committee of the board of directors or certain executives regarding the performance of senior leaders in the business, based upon internal audit activities performed within the organization." Only 30% said they experience this from their CAE, representing a 33% expectation gap.<br></p><h2>Know Your Organization </h2><p>A growing array of tools, techniques, and approaches exist for evaluating culture. To succeed, internal auditors must find an approach that will work within the organization's unique cultural environment. <br></p><p>One way to help determine the best approach is to consider where the existing culture fits on a series of scales, like the ones shown below (see "Where Does Your Organization Fall on These Scales?"). This estimation could be performed by the CAE, the audit management team, the entire staff (during a staff meeting), or selected members of management. <br></p><p>Contrasting examples of two hypothetical organizations help illustrate how scales like these can be used:</p><ul><li>The first organization emphasizes innovation more than control, and openness to mistakes rather than zero tolerance. It will likely accept audit techniques that are quite different from anything the auditors have done before. </li><li><p>The second organization leans more toward control and zero tolerance. The auditors in this organization should use techniques that are closer to what they've done in the past so they won't seem too unusual to clients. Auditors might have to start with baby steps and build gradually over time.<br></p></li></ul><p>To select the most meaningful scales for their organization, internal auditors can look to existing sources of cultural insight such as employee surveys and exit interview results. They can also talk with human resources, as well as risk management and others in the second line of defense. The insights that come from these and similar sources will also be valuable in other ways, such as scoping audit projects and supporting cultural audit issues.  <br></p><p>Where different parts of the organization fall along these scales can often vary, and those variations might suggest different approaches for certain areas. They also might suggest problematic cultural inconsistencies that should be examined, as well as identify "low hanging fruit" or possible champions in management for initial efforts. <br></p><h2>Select the Initial Approach</h2><p>With strong support from key stakeholders and a culture that is open to it, a robust approach may be possible right away. For example, a pharmaceutical company performs 5- to 6-week "values assurance" reviews in which internal audit works in a multidisciplinary team that includes psychologists, operational staff, and individuals with Lean Six Sigma experience. Or consider a financial services firm where the audit department uses a cultural model with eight cultural drivers broken into 35 topics. For each of these topics, the department has developed a comprehensive audit program to use during audit projects.<br></p><p>In my experience, and from what I have read, organizations with robust approaches like these usually:</p><ul><li>Experienced a serious scandal whose root cause was in the culture.</li><li><p>Operate within the financial service sector, in which Wall Street's "culture of greed" was a root cause of the 2008 global financial crisis.<br></p></li></ul><p>Most organizations, of course, do not belong to one of these groups. <br></p><p>Unless the audit committee and executive team are willing to devote significant resources to safeguarding against a culture-caused scandal, it is best for internal auditors to start slow. They can then build toward more robust approaches if and when the results indicate that doing so will be worth the cost. <br></p><p><img src="/2019/PublishingImages/auditing-culture-where-to-begin_sidebar.jpg" alt="" style="margin:5px;width:700px;height:603px;" /><br></p>James Roth1
The Healthy Corporate Culture Healthy Corporate Culture<h2>How does an organization develop and maintain a healthy corporate culture? <br></h2><p><strong>Simmons</strong> Implementing a clear mission and company values sets the tone and messaging from the top, and specifying the organization’s desired risk culture in a way that aligns with these values helps solidify the corporate culture. Establishing a collaborative, open communication approach creates a comfortable work environment and is the best way to maintain a culture where people feel valued, respected, and empowered to offer ideas and make good decisions. Having a leadership team that believes in this approach, lives the mission/values, and knows what employees value contributes to an atmosphere where ideas are celebrated and rewarded, which can lead to a more efficient and productive organization. </p><p><strong><img src="/2019/PublishingImages/EOB-Esi-Akinosho.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Akinosho</strong> First, we need to define a healthy culture. A healthy corporate culture is a) connected to the company’s purpose and strategy; b) positive, inspiring, and engaging for employees who live it, customers who experience it, and shareholders who realize returns from it; and c) strong, consistent around the world, and not overly dependent on the effectiveness of a local leader. Developing a healthy corporate culture takes time, focus, and direction from leadership, as well as level support from key functions to help champion that desired culture. A top-down and bottom-up approach is key in not only the development of a healthy culture, but also in sustaining and fostering changes in it. <br></p><h2>What are the top risks to a healthy corporate culture? </h2><p><strong>Akinosho</strong> Risk culture connects the overall organizational culture to specific behaviors set along a defined risk framework. It speaks to culture in terms of the three lines of defense and guides how leadership monitors and responds to cultural stress and the risks of an unhealthy culture. Risks relating to corporate culture include a degraded tone at the top, lack of accountability, and minimized transparency. Cultural stress often takes the form of compliance issues, control failures, audit issues, or poor employee performance, and the typical root cause is often a breakdown in trust. Trust can be the biggest risk or asset to a healthy corporate culture, and the erosion of trust can be hard to control and even harder to earn back. By aligning the corporate culture and pulling certain cultural levers, trust can become the driving force for creating a shared vision and turning that vision into value. </p><p><strong><img src="/2019/PublishingImages/EOB-Charmian-Simmons.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Simmons</strong> First and foremost is culture risk, itself. Well-known corporate scandals related to harassment, fake accounts, accounting errors, and misconduct often are symptoms of culture issues and heighten the profile of culture risk as a growing liability for organizations. Culture risk management should be treated as an integrated process of oversight and monitoring that addresses strategy, performance, and risk, and aligns company values, goals, behaviors, and systems with favorable impacts both internally and externally. Other top risks that can affect a healthy corporate culture include financial, operational, market, and reputation risks. The particulars of each risk, such as ranking, priority, and specific factors, will vary by company/industry/geography and by the awareness level of underlying problems, mitigations, and ongoing monitoring. Some symptoms and behaviors that influence these risks include financial underperformance, inconsistencies in business/personnel performance, communication that leads to misunderstanding, unhealthy comparisons and gossip, demoralized employees, customer backlash, and the feeling of destroyed value.<br></p><h2>What are the indicators of a weak or failing corporate culture? </h2><p><strong>Simmons</strong> Indicators can be broadly classified into top-down and bottom-up. Indicators from a top-down business perspective include inconsistent financial and operational success and being perceived by the public and personnel as not conducting business activities with honesty and integrity. From a bottom-up personnel perspective, indicators may include lack of motivation; overwhelming frustration, such as fear of retaliation in speaking out, not being listened to, or pressured to meet unrealistic internal deadlines; poor customer relations; pending investigations; lack of efficiency or ideas; and lack of innovation. These indicators may be noticed by management, personnel, and internal audit, though one must be open and conditioned to seeing the signs to be receptive to raising the matter and taking active and visible action.</p><p><strong>Akinosho</strong> A weak culture can be characterized by inconsistent programs that deviate from the common goal and vision. Functional groups, including internal audit, that have different strategic objectives or have pockets of opposing forces will create stress within an organization’s operating model and increase the risk of compliance issues, failure to adhere to policies, and internal control breakdowns. Lack of leadership or misaligned tone at the top can hold an organization back and put it at risk for cultural issues. Today, many of these issues are coming to light in very public settings, which is why boards and audit committees are turning to internal auditors, the third line of defense for culture risk management, for insight. </p><h2>What should a formal culture risk management program look like? <br></h2><p><strong>Akinosho</strong> A formal culture risk management program is embedded throughout all three lines of defense, with the first line implementing the mechanisms to drive culture, the second line taking responsibility for defining the risk culture framework and monitoring effectiveness, and the third line performing independent culture assessments to monitor culture throughout the execution of the audit plan. </p><p><strong>Simmons</strong> Recent incidents and news headlines linked to “problematic culture” lead me to say there is no one-size-fits-all program; however, a culture risk management framework should comprise certain key elements that cover all aspects of culture and can be improved and measured over time. First, governance — the mission, values, ethics, policy, board, leadership, strategy, behaviors, and a common understanding of what’s expected. Second, relationships — transparent, honest, and nonthreatening leadership, communications, collaborations, and accountability. Third, environment — the workplace provides for comfortable, productive, inspired, responsive, innovative, rewarded, trusted, engaged employees and supports organizational effectiveness. Fourth, motivation — a fair values system exists surrounding performance, incentive, reward, continuous learning, and clarity of purpose.</p><h2>How does a dynamic, agile workplace affect corporate culture?<br></h2><p><strong>Simmons</strong> One affects the other and impacts the success of both. Many organizations want to be more agile to respond to the demands of customers, the digital economy, and rapidly changing marketplaces; however, most don’t appear to have the culture to support this. Being dynamic and agile means being able to quickly and easily adapt to constant change. A workplace environment like this needs to balance the mindset of change with tools, systems, and processes that support an agile approach and allow the four key culture elements mentioned previously to thrive and positively influence behaviors around cooperation, fast decision-making, experimentation, innovation, empowerment, sustainability, and effective cross-functional teamwork.</p><p><strong>Akinosho</strong> As companies adopt more dynamic and agile approaches and workplaces, they must be aware that the shifting operating models and transient nature of the workforce will have an impact on culture and can even present new risks. When unsuccessfully implemented, an agile operating model can cause a lack of vision or uncertainty in objectives for employees. This cultural stress will work against the achievement of objectives and strategy. Alternatively, an agile workplace can strengthen and foster an existing healthy culture and better advance the people agenda in areas such as development, employee retention, and workforce management.  <br></p>Staff1
How to Audit Social Media to Audit Social Media<p>In today’s business world, practically every organization has a presence on social media, enabling them to reach huge numbers of customers and stakeholders globally. While enhancing sales might be the primary driver for creating a social media presence, social media has a much broader scope. It builds new relationships with customers, employees, and other stakeholders, expanding awareness about the organization and its brand. It influences customer education, engagement, and feedback. And it heightens the organization’s attractiveness as an employer and strengthens its reputation.</p><p>With that broader reach comes new and different types of risks for organizations and their employees, such as reputational, dark web, and data protection risks. For internal auditors, the most relevant questions relate to aspects of how the social media presence is being managed. Organizations must develop policies covering aspects such as who in the organization has the authority to use social media, what gets communicated, and which of its stakeholders should receive the communications. </p><p>Consequently, internal auditors should invest resources to audit compliance with social media policies and guidelines. To do so, auditors need to build an adequate audit approach for the still-developing area of social media-related engagements.</p><h2>Social Media Strategy</h2><p>A good starting point for auditing social media is the organization’s social media strategy. Actually, the first question auditors should ask is whether the organization has such a document at all. </p><p>A social media strategy can help establish the general basis of the organization’s governance, use, oversight, and approach. The strategy also should contain the goals the organization aims to achieve from a long-term strategic perspective, thus setting the foundation for social media implementation. <br></p><p>Another important strategic component that internal auditors should evaluate is the specific channels that influence the organization, including validation of links, social handles, profile and account information, mission statement for the account, and key demographics. Moreover, auditors should assess whether organizational and social media goals are aligned. </p><h2>Policies and Procedures</h2><p>After dealing with the organization’s strategic approach, the next step is to check that the social media strategy has been written into relevant policies, procedures, guidelines, and instructions. Starting with the regulatory framework that is relevant for the organization’s industry, internal auditors should evaluate whether policies and procedures comply with state, local, and national labor laws and protected free speech rights. Ensure that relevant documents are reviewed for consistency and approved by the appropriate experts from different parts of the organization such as senior management and the legal, risk management, and internal audit functions. Finally, the assessment should seek the perspective of the organization’s employees, including those responsible for social media. One concern is whether employees have documented style guides to follow for social media posts.</p><h2>Dedicated Resources</h2><p>Another important aspect of auditing social media is assessing whether it has adequate resources. Once the organization decides to have a social media presence, the organization needs to dedicate employees to manage its presence and establish tools for monitoring it. Appropriate management of social media should include using tools that provide information such as mentions of the organization’s name, relevant post reviews, and audience behavioral patterns. </p><p>To get an understanding of the organization’s social media activities, internal auditors should search the web to identify where the organization has a presence. Additionally, identifying some of the best posts and evaluating the themes that make them popular — such as the topic, pictures, and people focus — can inform management about the relevance of those posts to customers and stakeholders. </p><p>Identifying key metrics can give internal auditors a basis for evaluating the performance of the current social media. This not only includes assessing the current metrics in place, but also whether there should be other or different metrics. Various social media analytics tools can help auditors simplify this step.</p><h2>Roles and Responsibilities</h2><p>The wide scope of influence social media could have on the organization creates the necessity to establish appropriate roles and responsibilities. It would be confusing to have all the departments posting on social media on behalf of the organization at the same time and without any alignment. Likewise, it would be confusing if any employee could provide requested feedback or reply to a comment on social media. </p><p>These issues challenge internal auditors to validate that the roles and responsibilities are documented and are clear to all employees. When it comes to security, auditors should evaluate owners of each account and review security protection measures in place such as tools for controlling passwords.</p><h2>Internal Communication and Training </h2><p>Considering that social media can significantly impact the organization if not managed well, organizations need relevant internal communication and training programs. Employees need to know the rules for representing the organization on social media to avoid potentially negative consequences. For these reasons, internal auditors should review social media-related communication to employees as well as the frequency of training provided. </p><h2>Crisis Scenarios</h2><p>Another important aspect of auditing social media is reviewing whether the organization has developed crisis scenarios and assessing how the crisis would be communicated on social media channels. Generally, a crisis creates opportunities for a wide range of miscommunication throughout the organization. Internal auditors should make sure managers and social media employees are aware that such situations might happen and have a clear plan for managing those situations.</p><h2>Room for Improvement</h2><p>Internal auditors can provide an independent perspective and good insight for management to consider. However, to keep up with the dynamics of social media, the organization always should look for opportunities to improve social media channels as well as the controls around their use. Employees who manage social media should coordinate with other departments within the organization and constantly evaluate new developments and topics of interest in their industry, region, and community. Internal auditors can help those employees make improvements to the structure and design of the organization’s social media approach that can enhance its performance. <br></p>Maja Milosavljevic1
Internal Audit: Are You ESG Ready? Audit: Are You ESG Ready?<p>​<img src="/2019/PublishingImages/People-arrows-shadows.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Expectations of investor groups around the world continue to shift toward environmental, social, and governance (ESG) reporting. While ESG isn't a new topic, the pressure for organizations to provide more ESG reporting continues to grow, and there are more calls for the underlying data in these reports to be scrutinized. This presents an opportunity for internal audit to address a key risk area that is increasingly on the board's radar.</p><p>A recent <em>Forbes</em> <a href="" target="_blank">article</a> included these insights from Tim Mohin, chief executive of the Global Reporting Index:</p><p><span class="ms-rteStyle-BQ">"In the past decade there has been a tremendous upswing in interest coming from the financial sector. With over 90% of the largest companies now filing sustainability reports (85% of the S&P 500), the data is plentiful. But that is not new. What is new is the interest in using the information for investment decisions. A recent study from Oxford University found that more than 80% of mainstream investors now consider 'ESG' — environmental, social, and governance — information when making investment decisions. And the numbers are compelling — globally, there are now $22.89 trillion of assets being professionally managed under responsible investment strategies, an increase of 25% since 2014. This number is so large it needs context — it exceeds the gross domestic product of the entire U.S. economy."</span></p><p>This shift in thinking isn't limited to investors. At least in part, the rapid growth in ESG reporting reflects shifts in consumer and general public expectations. I can foresee two scenarios that could lead to significant reputational and financial consequences for organizations: failing to provide adequate ESG reporting and publishing ESG reports that are incomplete, inaccurate, or unreliable. In both cases, internal audit can and should play a significant role in preventing such undesirable scenarios. </p><p>As the name suggests, ESG covers three broad categories:</p><ul><li><strong>Environmental </strong>– risks and opportunities around greenhouse gas emissions, water usage, and waste and pollution. This category focuses on both the outputs (what and how much the organization produces) as well as the inputs (the sustainability of the resources the organization needs to feed its processes). For example, a beverage producer may be concerned with sufficient, long-term availability of fresh water while also being aware of any environmentally undesirable byproducts of its production processes.<br> <br></li><li><strong>Social</strong> – risks and opportunities around employee relations, diversity, health and safety, and community support. Are employees, including those working for third parties, treated fairly? Are they paid fair wages? Are work conditions safe and free of unnecessary hazards? How does the organization impact and/or support the local community?<br> <br></li><li><strong>Governance</strong> — risks and opportunities around shareholder rights, board diversity, ethical decision-making, and deterring corruption and bribery. More and more, activist investors are looking for organizations that make money while maintaining transparency and high ethical standards. Global organizations such as the United Nations (UN) and the Organisation for Economic Cooperation and Development are particularly focused on mitigating corruption and bribery around the world.</li></ul><p><br></p><p>How can internal audit build awareness and get involved? Two resources that have gained traction in recent years offer opportunities to learn why ESG has become a frontline concern for many investors.</p><p>The United Nations' <a href="" target="_blank">Sustainable Development Goals</a>, "recognize that ending poverty and other deprivations must go hand-in-hand with strategies that improve health and education, reduce inequality, and spur economic growth — all while tackling climate change and working to preserve our oceans and forests." The goals are a culmination of decades of work by UN member countries, and organizations are encouraged to examine how they contribute to the goals.</p><p>Standards developed by the Sustainability Accounting Standards Board (SASB), whose mission is to help businesses around the world identify, manage, and report on the sustainability topics that matter most to their investors, provide a second source. The SASB has developed a set of <a href="" target="_blank">77 standards</a> to "enable businesses around the world to identify, manage, and communicate financially material sustainability information to their investors." The standards include both technical protocols for compiling the data needed for appropriate disclosure as well as accounting-based metrics for each topic within the standards. The SASB also works directly with the investor community, guiding them with questions to consider when evaluating a company's sustainability efforts.</p><p>I found that combining the UN's broader goals with the SASB's more detailed standards delivers an effective way to get grounded in this topic. However you choose to familiarize yourself, it is important that internal auditors understand the state of their organizations' ESG efforts, particularly how those efforts align with board expectations and each organization's unique circumstances in relation to changing expectations in the investor community. Seize the opportunity to build your ESG awareness and understanding and be part of your organization's ESG dialogue.</p><p>That's my point of view; I'd be happy to hear yours.</p>Jim Pelletier0
The Right Path Right Path<p>There are vivid examples of the link between organizations’ ethical behavior and their bottom lines. At press time, Kraft Heinz Co. announced restated earnings involving irregularities in its accounting procedures and internal controls; the initial report of the U.S. Securities and Exchange Commission’s (SEC’s) related subpoena contributed to an almost 20% single-day drop in the company’s stock price. Similarly, cryptocurrency company Longfin’s shares plunged 30% when it disclosed an SEC investigation last year. And following the news of Volkswagen’s now infamous emissions scandal, its stock, too, experienced a 30% decline.<br></p><p>As evidence mounts that ethical business behavior leads to better business performance — boosting stock price performance by almost 15%, according to one estimate — internal auditors need to sharpen their people skills, listen better, and share what they learn with more moving parts in their organizations’ ethics infrastructures. And they need to step up, state their case, and start getting the credit they deserve for doing so. </p><p>Stakeholders may understand that internal audit plays a role in ethics, though they may not fully appreciate the breadth of contributions practitioners can make. Now internal auditors have numbers to show how much value the function actually adds.</p><h2>Reputation and Culture</h2><p>The Ethisphere Institute, a global ethics rating and advocacy firm, names its World’s Most Ethical Companies each year, based on the quality of their ethics and compliance programs, organizational culture, corporate citizenship and responsibility, governance and leadership, and reputation. Ethisphere’s belief that “financial performance and ethics go hand-in-hand” is validated, it says, by its “Ethics Premium.” The organization tracks the stock prices of its publicly traded honorees and compares them to a large cap index — and it says those companies outperformed the index by 14% over five years and by nearly 11% over three years.</p><p>Is the connection really cause–effect? Does ethical behavior lead directly to better business performance? “I firmly believe it does,” says Karen Brady, corporate vice president of audit and chief compliance officer at Baptist Health South Florida, in Coral Gables — a nine-time Ethisphere honoree. She notes that Ethisphere’s reputation criterion is based in part on a Google search of the organization, adding: “Having a good reputation will get you better business. That’s a pretty-well-known fact.” Ethisphere also cites studies showing that millennials want to do business with companies that have solid ethical reputations, and its CEO Timothy Erblich adds that “employees, consumers, and stakeholders value companies that show a commitment to business integrity.”</p><p>Of the elements Ethisphere says undergird an entity’s ethical behavior, the one that contributes most to business performance is culture, Brady says. “It has to be,” she stresses. “The whole thing starts with culture. If you don’t have that tone at the top, the organization isn’t going to be committed to good governance or good citizenship.” Indeed, organizations with a culture that encourages concealment of compliance or other issues, she says, risk severe damage to their reputations.</p><p>Jane Keller-Allen, vice president of Internal Audit, Compliance, and Risk at WPS Health Solutions in Madison, Wisc., also stresses culture’s influence on the bottom line, and she agrees that tone at the top is key. “All aspects of an ethics infrastructure are important, but culture contributes the most to business performance,” she says. “The culture of an organization is usually driven by its leaders. If leadership believes in doing things the right way, then compliance programs and corporate citizenship will naturally flourish under that direction.” </p><p>Keller-Allen adds that if the organization’s leaders help establish a culture that fosters trust, then employees will be more inclined to report potential compliance issues. And that, in turn, enables the organization to resolve any issues more quickly.</p><p>At Baptist Health South Florida, internal audit contributes to ensuring that ethical behavior begets profits in several ways. “From time to time, we audit each of the Ethisphere criteria,” Brady says; that includes informal surveys in the departments and locations they audit. And, she says, “ethics is huge when we assess risks,” citing trends in hotline calls and human resources (HR) statistics as potential red flags. She adds: “If there’s an ethical issue in an area, you can bet there’s going to be a business concern — fraud, noncompliance, or weak controls — too.”</p><p>Jeff Dougher, internal audit director at Intel in Portland, Ore., agrees that the profession has an important role in effective assessment of business performance as it relates to ethics — by virtue of being an independent advisor. “That could be as simple as spending time with first-level managers and staff to see how they would raise issues, and teaching individuals how and where to report issues,” he says. Internal audit can help management understand the types of messages business managers proliferate throughout an organization, he adds, and can help “ensure the culture of ethics and compliance is consistently understood throughout each particular group or team.” Intel has been recognized on the Ethisphere list seven times.</p><h2>Teamwork and Partnerships</h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>​Ethics Tech</strong><br><br>Technology that enables compliance and ethics-related information-sharing, including input from internal audit, is becoming increasingly sophisticated, says OCEG President Carole Switzer — and the best may be yet to come. “Technology that incorporates internal audit findings that flag issues — and that sets a process for notifying relevant parties so that they can address deficiencies and respond to the concerns raised — is hugely helpful,” she says. The opportunity for business operations to input their information into the same system as risk, internal audit, and human resources is, she adds, “a bit of a game changer.” <p><br>Recent technological advances have enabled central hubs that pull in data from multiple systems inside and outside an organization and make it available across the enterprise, she explains. “That combined with advanced machine learning, other types of artificial intelligence, natural language processing, and predictive analytics,” she says, “represents the real revolution.” </p><p>The revolution “benefits internal audit’s ability to really dig in and understand what’s being done to address risk on a completely different level,” Switzer adds. “Internal audit can help other stakeholders use those capabilities to create a living, strategic planning process.”<br></p></td></tr></tbody></table><p>In fact, internal audit has all kinds of ways to help drive and assess a company’s ethical behavior, Dougher says. Being independent and keeping individuals’ interviews anonymous allows internal audit to “ask clarifying questions that provide accurate information and valuable insight to help management understand their site cultures,” he adds. Teamwork matters, too. “We partner with the Ethics and Legal Compliance (ELC) program for selected audits,” Dougher explains, “helping ensure management has established appropriate ELC programs throughout their business groups and site programs.” </p><p>Gerry Zack, CEO at the Society of Corporate Compliance & Ethics and the Health Care Compliance Association in Minneapolis, recognizes the value of such practices. He says high performing organizations “have partnerships between compliance and internal audit and between internal audit and other entities in the enterprise that directly affect culture and ethics.” HR is one of them; so is senior management. Zack says this is often part of internal audit’s advisory role. </p><p>Carole Switzer, co-founder and president of OCEG (formerly the Open Compliance & Ethics Group) in Phoenix, also cites the value of cross-functional partnerships. She suggests rotating internal auditors through roles in risk management and compliance to afford them a bigger picture perspective on an integrated governance, risk, and compliance process structure. “The key thing to recognize is any of the moving parts of the ‘ethics infrastructure’ can be the cause of failure,” she says. “You cannot establish strong culture, for example, if you don’t have strong leadership with clear vision and commitment.”</p><p>The key to taking a company’s ethical temperature is finding out what its stakeholders think. Ethisphere says its World’s Most Ethical Companies “cultivate a culture of integrity” — by measuring employees’ comfort with speaking up, for example, and their views of leadership’s trustworthiness, and by “leveraging a broad array of tools and techniques to get a sense of their internal ethical cultures.” </p><p>Some companies use a dedicated ethics survey process, Ethisphere says, adding that “pulse-type surveys to capture small, but frequent, readings of ethical temperatures across the organization are oft-discussed, but rarely used.” Employee engagement surveys are the most popular ethical thermometers, Ethisphere reports; the percentage using them rose 12 points from 2017 to 2018. Ethisphere adds that such surveys are driven primarily by the HR function, with regular frequency and broad distribution. </p><h2>Auditing by Walking Around</h2><p>Surveys themselves won’t provide all the information internal audit needs. In fact, using annual queries in isolation to get a feel for ethical culture is not very useful, Switzer says. “If you have a huge problem, you may find it, but you won’t find the more subtle or complicated things.”</p><p>That more nuanced insight requires what Zack calls “the walking around approach, talking with people.” He adds: “The casual conversation that begins with, ‘How are things going?’ can lead to amazing insights if you let it.”</p><p>That’s true for small companies, too, Brady points out. “For internal audit to have a sense of the organization’s culture, you have to do site visits,” she says, “even if that’s a ‘department’ visit.” </p><p>And that’s what Ethisphere’s World’s Most Ethical Companies are doing; the percentage of those companies conducting site visits jumped 28 points from 2016 to 2018, reflecting what the organization calls “a growing relationship between the compliance function and other control functions, like internal audit, that are regularly in the field.” Indeed, the report that accompanies the Ethisphere listing notes that “more companies arm internal audit with questions to ask during site visits, collaborating more closely with HR and safety.” </p><p>As part of Intel’s annual plan, Dougher’s team evaluates international site coverage to ensure it has the right balance of audits. “The audit program evaluates specific risk indicators — including factors such as growth, location, and spending — to understand any changes to the site to better understand if an audit should be performed,” Dougher says. The site audit program includes interviews with all levels, he adds, “to help understand how ethics is interpreted and help management understand the site’s culture.” His team also has used site-level surveys — working with HR and legal on wording — to reinforce messaging, as well as open forums and workshops. </p><h2>On the Same Page </h2><p>To help standardize information, Dougher says he partners with Intel’s ELC program to ensure all parties are aware of each other’s coverage. “Whether it is asking a site-specific question or evaluating a particular area, we want to ensure all parties are aligned ahead of time,” he explains. To that end, Dougher says Intel has developed a standard test program and a standard set of questions internal auditors use to identify trends and talk about key points with management. The critical factor from his perspective is “ensuring the template is being used across each audit program and documented within our audit methodology.”</p><p>Brady adds: “We all are interdependent.” Part of risk assessment is looking at trends, she explains; internal auditors evaluate hotline data they receive from compliance and may ask why they keep hearing about conflicts of interest, or about a particular compliance issue. “Internal audit needs to make sure the issues are escalated,” she comments, “and thoroughly investigated when necessary.” </p><p>Moreover, trends in turnover statistics may prompt a conversation about a department — or an audit may reveal a potential HR concern — and the same applies to quality improvement. “We give feedback to HR, compliance, quality, and other functions when we identify trends or issues that affect them,” Brady says. “That happens routinely.”</p><p>Sometimes the ethics-related feedback is especially sensitive. A casual interview in an audit may turn up comments about, for example, sexual harassment, raising the question of how to appropriately use casual comments, body language, and other signals as data for assessing a situation and recommending responses.</p><p>“It comes down to people skills,” Brady states. “We do our best to train auditors that when they hear something like that in an interview they should ask the next question: ‘What do you mean by that?’” If that individual doesn’t reveal anything else, she suggests asking others in the department if they have any concerns. “It’s the best you can do,” she says. “Ninety-five percent of the time, it’s successful.”</p><p>Zack adds: “Talking to people is an auditing and monitoring step that can be institutionalized. But there’s also a certain percentage of using the information that’s seat of the pants, what your gut tells you.”</p><h2>Make the Connection</h2><p>Too often, what the gut says is, “mind your own business,” Brady says. “I hear from a lot of internal auditors who say they’d never start a conversation about culture or diversity or corporate responsibility with their stakeholders because that’s not their stakeholders’ expectation of internal audit.” Too many internal audit functions, she adds, remain “focused on ‘check the box’ compliance or financial audits, and don’t realize that the important thing is to make sure their stakeholders are aware of all risks — not just the traditional ones.” </p><p>Stakeholder underestimation needs to change, and the profession needs to change it. “It could be a good approach to link elements of audited programs to strategic objectives of the organization, including business performance,” Zack suggests. When the compliance program is audited, for example, each underlying activity — training in a particular area, for example — could be sized up in part by asking, “How does that help the business? How does it contribute to the performance of the organization?” </p><p>Those links then need to be promoted. “We absolutely should talk about it more,” Brady emphasizes, pointing again to the connection between business ethics and performance. “Stakeholders need to understand how important that is and, as chief audit executives, we need to make sure they understand that internal audit has a much broader perspective,” she says. “We need to do more to get that point across.”  <br></p><style> p.p1 { line-height:12.0px; font:42.5px 'Interstate Light'; } p.p2 { line-height:12.0px; font:9.0px 'Interstate Light'; } p.p3 { text-indent:12.0px; line-height:12.0px; font:9.0px 'Interstate Light'; } span.s1 { letter-spacing:-0.1px; } span.s2 { letter-spacing:0.1px; } </style>Russell A. Jackson1
Editor's Note: Culture, Engagement, and Business Success's Note: Culture, Engagement, and Business Success<p>In a recent article on Gallup’s website, “3 Daily Actions That Set the Tone for Workplace Culture,” author Craig Kamins writes, “Some workplace cultures motivate employees and fuel performance.” Others, he says, “drain employees’ motivation and make employees feel as though they have no control over their environment nor an incentive to perform.” </p><p>According to Kamins, employees’ perceptions about their work culture hinge on their leaders’ words and actions. Three daily behaviors that set the tone for the workplace culture, he writes, and lay the “groundwork for exceptional engagement,” are: </p><ol><li>Be respectful toward employees.<br></li><li>Communicate what is happening in the organization.</li><li>Promote accountability and fairness. </li></ol><p>A few years ago, The IIA’s chief marketing officer, Monica Griffin, took on the responsibility of addressing The Institute’s corporate culture. As the organization grew and evolved, it was a task that was long overdue. She and her working group, of which internal audit was a part, identified cultural challenges and developed The IIA’s core values:</p><ul><li>Put Our Members First</li><li>Do the Right Thing</li><li>Commit to Shared Success</li><li>Work Smart</li></ul><p><br>Today, staff — from the top down — are measured by how well we adopt these values. They are part of our annual performance review, and we are recognized for exhibiting them. After all, by engaging in these behaviors we better serve our members, which enhances The IIA’s reputation and business performance. </p><p>In this issue of <em>Internal Auditor</em>, we examine organizational culture from multiple angles and consider internal audit’s role in helping ensure it remains healthy. Our cover story, <a href="/2019/Pages/The-Right-Path.aspx">“The Right Path,”</a> considers how an organization’s ethical culture affects its bottom line. The new IIA North American Board chair, Benito Ybarra, says it is part of internal audit’s job to help drive an effective corporate culture (see <a href="/2019/Pages/Step-Forward.aspx">“Step Forward”</a>). In “Board Perspectives," author Matt Kelly asks, “If society wants corporations to exercise a sharper sense of ethics and moral responsibility, do we need more ethics and compliance officers serving on boards?” Plus <a href="/2019/Pages/The-Healthy-Corporate-Culture.aspx">“Eye on Business”</a> considers what it takes to assess, monitor, and report on the organization’s culture. And don’t forget to visit and read Jim Roth’s ongoing series on culture. </p><p>When it comes to organizational culture, we’ve got you covered.<br></p>Anne Millage0
Getting a Handle on Harassment a Handle on Harassment<p>Organizations like to think — and especially say — that sexist and misogynistic behavior has no place in the workplace, and many companies claim that they have a "zero tolerance" approach toward it. Employers also like to shout about the comprehensive policies and complaint procedures they have in place to investigate cases, which are often coupled with a strong ethical culture that shows boardroom backing and leadership. <br></p><p>The reality is often very different, however: Organizations are often unsure about how to pursue complaints, or even understand whether the alleged conduct amounts to sexual harassment. And following the revelations and allegations surrounding Hollywood mogul Harvey Weinstein's behavior on the casting couch, other recent examples show that senior management and directors are not to be excluded from such oversight either.<br></p><p>In March, for example, the CEO and founder of fashion retailer Ted Baker, Ray Kelvin, resigned following allegations of sexual misconduct centering around "inappropriate hugging" and "further serious allegations" made against him last December on the campaigning workers' rights website <a href=""></a>. Kelvin has always denied the allegations.<br></p><p>What's considered appropriate behavior in the workplace is continuing to evolve, whether it applies to the C-suite suite or front-line employees. Organizations must be highly attuned to these changes and prepared to respond accordingly. Moreover, internal auditors have an important role in checking that employees are listened to, complaints are acted on, and that no one is immune from scrutiny — including managers and executives.  <br></p><p>"Sexual harassment occurs in businesses of all sizes, and no single employer should ignore it," says Rita Trehan, CEO at human resource (HR) consultancy Dare Worldwide in London. "Simply taking action when it surfaces is not enough to ensure that you are creating an equal and comfortable working environment for all: The real task for leadership is ensuring that the issues do not surface in the first place by having clear values and a culture that reflects this."<br></p><h2>Defining the Problem</h2><p>Workplace sexual harassment is more common than organizations would like to admit, possibly because the conduct is not always overt — at least not initially. What starts as innocent employee behavior such as office "banter," light-hearted teasing, jokes, and good-natured squabbles can quickly turn sour.<br></p><p>Generally, sexual harassment, or conduct of a sexual nature that is unwanted, can apply to all genders. It has the purpose or effect of violating the dignity of a worker, or creating an intimidating, hostile, degrading, humiliating, or offensive environment for him or her. <br></p><p>Lawyers warn that behavior can still be considered sexual harassment even if the alleged harasser didn't mean for it to be, or if the conduct was not intentionally directed at a specific person — nude or explicit images left displayed on a computer screen, for example. Furthermore, even if an employee has put up with such conduct for years, it does not mean that it is acceptable or that the person sought such behavior — even if that employee went along with the jokes as a coping strategy.<br></p><h2>Policy and Communication</h2><p>Fundamental to any sexual harassment response is the need for a robust and easily understandable policy outlining what is considered sexual harassment, and what the consequences are for noncompliance. It is important not only to have a policy, but to make sure it is communicated organizationwide, according to experts.<br></p><p>Working with HR, internal audit functions should "ensure that complainants know who the complaint should be made to and ensure the person with day-to-day management of the complaint is impartial, objective, and trained thoroughly in dealing with such sensitive matters," says Ed Cotton, partner at U.K. law firm TLT. "Failure to proactively address sexual harassment in the workplace can result not only in costly litigation, but also loss of productivity, negative publicity, damage to employee morale, and high staff turnover rates."<br></p><p>People's understanding of what constitutes sexual harassment often varies from person to person, so it is a priority to educate staff and management as to what kinds of behavior and language may amount to harassment and what the boundaries are. According to Sue Morrison, managing director at employment law advisory firm By Design Group, internal auditors should ensure that organizations provide workplace training on the topic, as well as on equality and diversity. She also recommends that internal audit, working closely with HR, make sure employers have clear and rigorous policies in place that not only act as a deterrent for any potential harasser, but ensure that victims know that they can and should report any conduct and that they would be protected should they do so. <br></p><p>Internal auditors should also review what steps the organization can take following an allegation. Morrison says that if employees have been harassed, or feel that they have, organizations should refer them to a counseling service. Employers should also review their disciplinary processes so that they are sufficient to tackle the issue if misconduct is found to have occurred: For example, the company may need to separate the complainant from the accused or suspend the alleged harasser. <br></p><h2>Training and Culture</h2><p>Ultimately, says Patrick Williams, clinical director at well-being specialists LifeWorks, prevention is the best policy, and internal audit will have a key role in ensuring that expectations about acceptable workplace conduct is both understood and communicated effectively. "All employees need to be made aware of their company's code of professional behavior, workplace harassment policies, and where help is available," Williams says. "All employees — male and female, senior management, and field workers — must be required to take harassment training."<br></p><p>Since the sexual misconduct allegations at Ted Baker, the company has renewed training for all employees on HR policies and procedures and on acceptable workplace conduct. It also now maintains an independent and confidential whistleblowing hotline and has enhanced the oversight of both people and culture matters at the board level. <br></p><p>Creating a culture of inclusivity begins with managers, Williams says, and internal audit must check that the process is reviewed to retain its effectiveness. "Employees need to see that there is zero tolerance for any form of discrimination, bullying, intimidation, or unprofessional behavior," he says. "By doing so, managers can help create a healthy workplace in which all employees feel respected, valued, and safe."<br></p>Neil Hodge1
The More You Say More You Say<p>​Audit committees of U.S. publicly listed companies have had greater disclosure responsibilities since the U.S. Sarbanes–Oxley Act of 2002 took effect. Both the U.S. Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) have established and enforced audit and disclosure guidelines, including rules for what audit committees must disclose to the public. But those required disclosures are limited in scope.</p><p>Recently, some audit committees have begun providing voluntary disclosure to improve transparency and give further insight into the committee’s composition, activities, and decision-making processes. Voluntary disclosure provides additional context to mandatory SEC disclosures. Some audit committees may be disclosing more in hopes that it will discourage the SEC from expanding disclosure requirements. Moreover, shareholders and other stakeholders can benefit from more information about how audit firms are selected, compensated, and evaluated.</p><p>In light of this development, internal auditors need to understand which audit committee disclosures are required and become familiar with the voluntary disclosure trend. By engaging with the board and audit committee, internal audit can help shape opinions around which voluntary disclosures may benefit the organization and key stakeholders. Moreover, it can give the board a better understanding of disclosure trends. </p><h2>Required Disclosures</h2><p>The SEC has largely defined audit committee disclosure requirements since 1999. Historically, these requirements have been limited to descriptive information and select process assertions, which continued after the passage of Sarbanes–Oxley. Currently, SEC Regulation S-K, Item 407, requires the audit committee to:</p><ul><li>State whether the audit committee has a charter, and if so, provide appropriate disclosure.</li><li>If the board deems an audit committee member is not independent, disclose the nature of the relationship that makes that individual not independent and the reasons for the board’s determination.</li><li>Disclose whether the audit committee has reviewed and discussed the audited financial statements with management.</li><li>Indicate whether the audit committee has discussed with independent auditors matters required in AU section 380 of the PCAOB’s “Communication With Audit Committees.”</li><li>Include that the audit committee has received a letter from the independent accountant, including written disclosures pertaining to accountant independence (per PCAOB regulations).</li><li>Based on the appropriate review and discussions, provide a statement recommending that the audited financial statements be placed in the company’s 10-K or annual report.</li><li>Disclose member independence, including proof that at least one member is a financial expert.</li><li>Provide the names of each audit committee member or those acting in the role of the audit committee.</li></ul><p> <br> </p><p>In 2015, the SEC issued a concept release on possible revisions to audit committee disclosures, but the SEC has yet to change its requirements. In a July 2017 address at the Economic Club of New York, current SEC Chairman Jay Clayton stated that several SEC initiatives are underway to improve disclosures to investors. </p><p>Internal auditors should evaluate whether management has adequate governance to ensure required audit committee disclosures are appropriately identified and made. Creating a disclosure matrix that contains categories of SEC required disclosures can ensure all SEC mandatory items are included in the audit committee’s proxy disclosures. </p><h2>Voluntary Benefits</h2><p>In addition to adhering to the required disclosures, audit committees often voluntarily communicate additional information to their stakeholders. A variety of organizations have advocated for greater disclosure in recent years. In his response to the SEC’s Audit Committee Disclosure concept release in 2015, IIA President and CEO Richard Chambers noted that increased disclosure could support internal audit’s stature, independence, and resources. It also could build trust with investors and other external users of financial information.</p><p>Deloitte’s July 2018 On the Board’s Agenda report notes that Standard & Poor’s (S&P) 100 proxies “help to provide transparency into audit committee oversight activities.” Also, a 2017 Deloitte report stated that “transparency into the audit committee’s oversight activities and performance can provide investors with a better understanding of both the audit committee’s performance and the audit process.” </p><p>In addition to transparency, EY’s 2018 Report to Shareholders notes that although investors say they are confident in publicly listed companies’ financial reporting, some are evaluating company-auditor relationships. Earlier, the firm’s Audit Committee Reporting to Shareholders 2017 pointed out that stakeholders are looking closely at the board and audit committee’s role in “supporting high-quality financial reporting.”</p><p>Two separate publications from EY and the Center for Audit Quality (CAQ) highlight many potential benefits to a company in providing voluntary disclosure:</p><ul><li>Increased transparency with key stakeholders.</li><li>Alignment of all stakeholder expectations, resulting in reduced conflict.</li><li>Trusting relationships among stakeholders.</li><li>Increased investor confidence in the board.</li><li>Increased investor confidence in financial earnings quality.</li><li>Increased investor confidence in the presence of corporate policies.</li><li>Ability to assess top management’s decisions and behaviors.</li><li>Improved insight and assessment of the audit committee’s decision-making process.</li></ul><p> <br> </p><p>Internal auditors can educate the audit committee on voluntary disclosure trends — both overall and within their industry — and the potential benefits to the organization. They can add a voluntary category to their disclosure matrix to list potential voluntary disclosures for their organization to consider. To compile that list, they should consult current disclosure studies and research what S&P 500 companies and other organizations in their industry are reporting. Based on such findings, internal auditors can assist management and the board with recommendations on the extent and type of voluntary audit committee disclosures that their organization should make.</p><h2>Disclosure Types</h2><p>The CAQ’s 2018 Audit Committee Transparency Barometer report provides insight into what companies are voluntarily disclosing beyond the SEC requirements. The barometer provides five-year trend data for four categories of “enhanced disclosure” for each S&P 500, mid-cap, and small-cap company: </p><ul><li>Audit firm selection/ratification. </li><li>Audit firm compensation. </li><li>Audit firm evaluation </li><li>and supervision. </li><li>Audit engagement partner selection. </li></ul><p> <br> </p><p>The sampling frame used in the CAQ’s report was the S&P Composite 1,500 proxy statements of companies in these indices at the end of the filing period. “Voluntary Disclosures Rising” below reveals an upward trend in nearly all analyzed voluntary disclosures between 2014 and 2018. This increase may be driven by two factors. </p><p> <img src="/2019/PublishingImages/Gallagher_sidebar_voluntary-disclosures-rising.jpg" alt="" style="margin:5px;width:750px;" /> <br> </p><p>First, these areas provide insight into how diligently an audit committee is assessing the audit firm’s independence. The SEC cites this responsibility as one of the most important duties of an audit committee. </p><p>A second factor may be a response to recent PCAOB Staff Inspection Briefs that have expressed ongoing concerns with audit firm independence. In December 2018, the PCAOB’s Inspections Outlook for 2019 listed independence among its key areas of focus for inspections in 2019 and beyond. The board’s August 2017 Staff Inspection Brief noted that some firms’ systems of quality control did not provide enough assurance that their personnel understood and complied with independence requirements. Among the deficiencies were impermissible nonaudit services and instances where external auditors performed such services without the audit committee’s preapproval. </p><p>Similarly, a 2018 proxy review by the Deloitte Center for Board Effectiveness found disclosures related to auditor independence increased 10 percent across a sample of S&P 100 companies that reported by May 31, 2018. Given these two factors, audit committees may be increasing voluntary disclosure to provide further assurance that they are taking appropriate action to ensure audit firm independence. </p><h2>Practical Implications </h2><p>With more audit committees opting to provide voluntary disclosures, internal auditors can provide valuable insights on the topic to their audit committee. Practitioners should periodically monitor the audit committee disclosures among the organization’s competitors and any further action that the SEC may take on its 2015 concept release. Additionally, internal auditors should monitor annual publications from the CAQ, PCAOB Staff inspection briefs, and related applicable documents to both understand disclosure trends and provide necessary attention to them. Finally, internal auditors should inform clients that investors are evaluating the relationship between companies and audit firms. One way to communicate about this topic to investors is through voluntary disclosure.<br></p>Craig G. Gallagher1

  • IIA Global 3LOD Exposure_July 2019_Premium 1
  • IIA_Sawyer_July 2019_Premium 2
  • IIA Sepcialty Centers_July 2091_Premium 3