Governance
A Voice in the Boardroom
https://iaonline.theiia.org/2020/Pages/A-Voice-in-the-Boardroom.aspx

Most chief audit executives (CAEs) in North America report their findings to the organization’s audit committee. The IIA recommends this practice, held globally to be part of the gold standard enshrined in the three lines of defense model of corporate governance. Per the model’s logic, CAEs sitting on the metaphorical third line have free rein to go anywhere and suggest organizational improvements, without fear of restriction or recrimination.

Getting to this position has been a fight for many CAEs, and some have still not achieved it. But The IIA’s recent research, OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk, has questioned whether reporting to the audit committee potentially constricts the value internal audit can add to some organizations. As businesses face a growing range of external threats, so internal audit’s remit has expanded. Financial risk, once the mainstay of audit departments, today typically occupies only 20% of their time. Practitioners expend the rest of their effort on a diverse range of issues including cyber risk, disaster recovery, culture risk, climate change, and social responsibility, to name only a few.

This broadening of internal audit’s remit raises the question of the extent to which a CAE should report to other board committees, and in what circumstances he or she should report to the full board. And, for those wishing to explore that route, how can they get the audience and credibility to play this enhanced role?

Expanding Audit Influence

Internal auditors are spreading their influence beyond the audit committee via other conduits to the full board, says Jenitha John, former CAE at First-Rand Bank in Sandton, South Africa, member of The IIA’s global board of directors, and former nonexecutive director on several boards. “The heartening aspect is that you see internal audit now not just serving the audit committee but also making submissions to other board committees,” she explains. John has seen internal audit increasingly called on to submit reports and present to risk committees, social and ethics committees, and even remuneration committees. “These meetings pertain to strategic issues that the company faces with regard to such topics as risk data aggregations, cybersecurity, information governance, the veracity of social matters (nonfinancial indicators), risk management, process maturity that influences bonus pool allocations, and so on,” she says.

Part of the reason for this trend has been the way businesses have approached tackling new guidance, such as sustainability reporting standards issued by the Global Reporting Initiative, and new regulation, such as the European Union’s General Data Protection Regulation (GDPR). “Regulation is causing various disciplines in organizations, which didn’t necessarily work together because they were operating in silos, to now actually converge,” John says. GDPR, for instance, has drawn together a whole range of corporate disciplines — from finance, audit, governance, compliance, risk management, and fraud to human resources and IT — because data is ubiquitous in organizations. “Internal audit has the ability to draw those teams together and collaborate with all of these other counterparts in the organization,” she says. “If you are not coordinating efforts on these matters, you are depriving internal audit teams from really growing and listening and serving the organization properly.”

To serve this more diverse constituency, internal audit needs to adopt the right approach and clearly communicate to the board the scope and focus of its work.

“Reshaping negative perceptions about internal audit is absolutely critical,” John says. “As a CAE you have to emphasize the fact that you’re pragmatic in your approach, you’re proactive, you’re collaborative, you’re agile, you focus on integrated risk-based auditing, you are educational, and that you can school your governing body and your management teams on controls, risk management, governance, and organization from a best process perspective. You don’t only focus on communicating audit observations, but you talk about business optimization and efficiencies by leveraging strengths across teams.” That can help open the door to the various board subcommittees and, on critical strategic issues, to the board itself.

Establish Credibility

Living up to that ideal is not easy. Many CAEs lack credibility because they tend to emphasize box-ticking rather than focus on what matters to the audit committee, let alone the board, according to Dotty Hayes, a former CAE at both Intuit and Hewlett-Packard. Hayes is now chair of the board at First Tech Federal Credit Union in San Jose, Calif., and a board member and audit committee chair at a range of organizations. CAEs must be able to bring matters to the board that are important to its members and demonstrate that the annual audit plan is risk-based and fits closely with the threats relating to corporate strategy. Informal meetings also can be a great place to build credibility, Hayes says. The audit team is invariably closer to the business than members of the audit committee, so it is best placed to detect trends across the organization or in isolated parts of the enterprise.

“It’s probably not the full board, but the audit committee that is your primary interface as CAE,” she says. “You know you have made it with them when they really care what you think: You’re welcomed in as a strategic partner and, perhaps in a private session, you’re asked your opinion on an issue that has to be handled very diplomatically — such as, do you believe what management has told us?”

Hayes says the credibility issue is even more important when reporting to the full board because space on its agenda for discussing a specific risk is scarce. But where a strong relationship exists, she suggests it could be valuable for the CAE to be invited to the top table. She says this may be appropriate when the internal audit team is reporting on the results of an investigation that has serious findings, for instance, or on topics of special strategic interest such as mergers and acquisitions. She also has seen this approach taken during an annual discussion of the risk appetite in an enterprise risk management program, a key strategic topic involving the full board. Most of the time, though, she sees the audit committee as the appropriate reporting channel for internal audit’s recommendations.

But, she warns, the board has its own responsibilities in choosing the right CAE for the role. “The company has to hire an internal auditor who’s got boardroom presence and can basically go toe to toe with folks in explaining how the company and senior management needs to do something differently or better. If they haven’t hired that kind of person, all hope is lost.”

Demonstrate Value

Karen Brady, corporate vice president of audit and chief compliance officer at Baptist Health in South Florida, became chair of The IIA’s North American Board early in 2018. Her theme for her year of tenure was “Find Your Voice,” and she spent 12 months visiting hundreds of internal auditors across the U.S. and beyond to spread that message. She remains agnostic when it comes to the question of CAEs speaking to the full board, because she saw many different practices and arrangements that worked. In her own organization every member of the audit committee is also on the full board, so she says the reporting line to the audit committee is more than adequate.

But if internal audit wants to be credible with the board, or a board subcommittee, it has to be able to perform at the highest level. “Executive management tends to have conservative views of what internal audit can deliver, and that view follows through to the board because many executive officers also sit on audit committees in other organizations,” she says. “CAEs need to be able to innovate and do things in ways that are above and beyond expectations to challenge those views. If you want to be perceived as valuable to the organization, you have to be valuable to the organization.”

For Brady that means being perceived as a professional by sitting for the Certified Internal Auditor exam and following the International Standards for the Professional Practice of Internal Auditing. Implementing Standard 1312: External Assessments, she says, is an important part of this. She is even more convinced now about the need for internal audit departments to have a quality assurance review of their function than before her tenure as chair. “Internal audit’s quality assurance review is objective assurance to the board that your department is effective,” she says. “It adds credibility, especially if on top of that you are prepared to innovate, to identify areas of improvement in the organization, and to focus on strategic risk areas.”

Understand Emerging Technology

Technology is a key area in which internal auditors can innovate — Brady is preparing for her team to learn robotics. She says almost all businesses are either currently considering or deploying a wide range of emerging technologies, from drones and robots to blockchain and artificial intelligence. It is a subject that Thomas Sanglier, senior director, internal audit, at Raytheon in Waltham, Mass., and author of the book Auditing and Disruptive Technologies, has been focusing on for the past few years.

“Emerging technologies are a risk and an opportunity for internal auditors,” he says. “They are a risk because if you are unaware that robotic process automation is being used in your business, you are in the unfortunate position of missing an important risk to your organization. If you are adding assurance to the board in such a critical area, on the other hand, you will gain credibility and may even have the opportunity to grow your team and scope of responsibility.”

One of the challenges for internal auditors is to choose the technologies most relevant to their particular industries, because trying to learn about several new technologies at once can be overwhelming, he says. Raytheon has set up internal working groups — called councils — for each new, relevant technology. Sanglier and his team have participated in those groups to understand how those technologies are being used in the company.

“If you know what is in your products and processes, you can ask the right questions about risk and risk mitigation,” he says. “If you are lucky to have a subject-matter expert in your business, hitch yourself to them and learn everything you possibly can.” But he warns of becoming overdependent on one person, a criticism leveled at CAEs who were seen to be too reliant on their chief information officers for assurance around IT in The IIA’s OnRisk 2020 research.

“People are looking at emerging technologies as being IT-led; that’s a mistake,” he says. Internal auditors need to be looking at how those technologies are going to operate in the business, and how they may affect products and services. More broadly, CAEs can help the board understand how well the organization is positioned to use emerging technologies. For example, Sanglier points out that many new technologies depend on acquiring and processing clean data from across the enterprise, but data governance is often poor. “If nothing else, internal auditors, as part of every single audit, can look at data governance for whatever emerging technology the business is considering. When the technology comes — and it’s coming — you’re going to run into problems implementing it if the data is bad. It’s an issue the board needs to know about.”

Reshaping the Audit Committee

While some may point the finger at internal audit for being too focused on detail, or for not exploring emerging threat areas, audit committees may also need to reform. In the U.K., for example, the financial services industry regulators require regulated firms to have an audit committee and a separate risk committee. The requirement has helped raise the profile of risk within those businesses. Plus, recent guidance produced by the Risk Coalition, an industry body that aims to establish consensus on risk management practice, recommends that the risk committee invite the CAE to its meetings “as necessary or appropriate.”

Hanif Barma, one of the architects of the Risk Coalition and founder of the consultancy Board Alchemy, says many audit committees outside of the financial services sector would benefit from extending their remit to reflect the increased array of risks their organizations face. “Internal audit has changed from being largely focused on financial controls to becoming more concerned with the broader risk landscape,” he says. “The question is, has the body it reports to changed sufficiently as well? In many cases, it has not. They are largely focused on financial control and financial reporting, rather than acting as audit and risk committees.”

Reformulating the audit committee as a risk and audit committee could help internal audit develop a more strategic, risk-based role, he says. Barma chaired the board of a children’s charity that has made such a transition. The change has helped the organization take a more holistic approach to managing its risks, he says, and it has enabled the reformed committee to take deep dives into selected threats at its regular meetings. He explains that bringing those issues to a full board meeting may not be as effective because of the limited time they would receive. “To do internal audit justice, having a separate committee that gives focus to its work is really important,” he says.

On the other hand, with issues of strategic importance, CAE presentations to the full board can be worthwhile. “What has been missing in the evolution of corporate governance is that internal audit has not had access to the full board,” he says. “Perhaps the CAE does not have to sit through a full board meeting, but when the chair and company secretary are working on the board agenda, they should be considering whether there are issues on which the CAE could usefully come and give their perspective.”

Extending Internal Audit’s Reach

Clearly, more CAEs are finding a voice beyond the audit committee. As risk board subcommittees have emerged, auditors have been invited to contribute their expertise. Others have found a voice at other board subcommittees and, less frequently, in full board meetings. For those who have built up the credibility and clout, the opportunities to add value to their organizations have never been greater.

Arthur Piper
Auditing Culture: Employee Surveys
https://iaonline.theiia.org/2020/Pages/Auditing-Culture-Employee-Surveys.aspx

Employee surveys can be a valuable tool for assessing the workplace and spotting potential problems. And while organizations that use them often spend considerable time crafting their survey instrument, internal auditors may find opportunities to improve the content or administration of this key monitoring control. When the survey is tailored appropriately, its results can help auditors develop the periodic audit plan, scope audit projects, and better support audit results.

It is common for organizations to use the employee survey as a "pulse check" on their culture. It is less common for internal auditors to provide assurance on the survey's effectiveness in this capacity, or to use its output to improve their audit work. With the right approach, they can do both.

Tailoring the Survey for Audit Use

The city of Austin, Texas, conducts a citywide employee survey. At one point the city auditors compared its content to the "points of focus" in The Committee of Sponsoring Organizations of the Treadway Commission's Internal Control–Integrated Framework. The auditors found that the survey addressed most of the framework's content, except for ethics. They developed several ethics-related statements and persuaded Human Resources (HR) to add them to the survey. With these modifications in place, the audit team now uses the survey results for audit planning.

Taking a cue from the city auditors' approach, other internal auditors might consider suggesting changes to their own organization's survey. Sources of governance, risk, and control issues that might be addressed include:

- The risk factors internal audit uses for audit planning. Could additional survey statements provide insight into cultural risks related to these factors?
- Current professional guidance on culture. A few of the cultural topics found in guidance documents are included in "Suggested Culture Topics" below.
- Survey statements used by others. A selection of such statements appears in "Examples of Survey Statements on Cultural Topics" (/2020/PublishingImages/Auditing-Culture-Employee-Surveys2.pdf). In addition, audit peers may be willing to share culture-related survey statements from their organizations, and internet searches can help identify more.

Getting the survey administrator to add statements to an existing survey may be difficult, especially if the administrator is an external vendor. Internal auditors may want to determine whether the administrator can make changes before taking time to identify or develop additional statements.

Developing meaningful, unambiguous survey statements can be a challenge. Guidelines to keep in mind include:

- Be sure statements are phrased clearly and simply, and provide good instructions (e.g., when referring to "management," specify the level of management).
- Get help. The organization's HR department might have expertise in survey statement development. If not, HR may be able to suggest a good source. Also consider reaching out to peers in the profession for recommendations — and at a minimum, research available guidance online.
- Field-test the statements. Ask several people to respond to the statements using internal audit's prewritten response options, then ask them what they think each statement was asking. Start within the audit department, then branch out to other willing employees. This process should identify any ambiguity in the statements.

How to Leverage the Survey

Even if the organization's survey does not include everything internal audit would like, it almost certainly addresses many important aspects of culture. Because cultural problems can be pervasive, negative survey results may suggest increased risk — perhaps even a substantial increase. Internal auditors should, therefore, factor employee survey results into their global risk assessment for planning which assurance and consulting projects to perform.

Survey results for the affected areas can then be used to plan and scope an audit or consulting project. They can also help support audit findings. The root cause of exceptions, for example, might be a cultural issue identified by the survey.

Some organizations might resist giving internal audit access to survey results with enough detail to be useful. Internal auditors must choose their battles, and the importance of culture suggests this might be a battle worth fighting. With support from the top and tactful communication, access will usually be given.

Assessing the Survey Process

If the business leaders rely on an entitywide employee survey to monitor the organization's culture, it is certainly a key control. And it should be subject to audit. Questions to ask about the process include:

- Is the survey truly anonymous and do employees believe that it is?
- If the survey is not anonymous, is the level of confidentiality sufficient for employees to feel safe being honest?
- Does the survey ask for comments at an appropriate frequency? By the time employees complete the survey, they may not remember issues raised that they want to comment on. Asking for comments several times can generate meaningful, specific information. If the survey is structured into sections, each addressing a broad topic, a comment request at the end of each section is advisable. Comments, of course, are voluntary and must be kept confidential.
- Are the results publicized, with action plans to address issues and explanations when issues can't be addressed?
- Are action plans completed effectively and on time?
- What do employees think of the survey? Do they believe management takes it seriously and that it adds real value?
- Is the response rate high? If not, why?

If internal audit already knows the survey process well and has full confidence in it, this might constitute sufficient assurance. If not, an audit or advisory review would not take a lot of time and could yield valuable results.

A Valuable Tool

Employee surveys give internal auditors an opportunity to add value to a key monitoring control. They can recommend improvements to the survey content and process. And they can use the results to improve their own global risk assessment, plan and scope audit projects, and enhance and support audit findings.

Suggested Culture Topics

The following are examples of topic areas, gathered from a variety of guidance documents, that might be suggested for inclusion in an entitywide survey. The list is by no means comprehensive.

1. Are the following aligned with the desired cultural values and principles?
- The business strategy.
- The risk appetite.
- The recruitment process.
- The onboarding process and training programs.
- The performance management system.
- The incentive structures.
- How employees, customers, and suppliers are treated.
- Tone at the top and in the middle.
- Behavior of frontline employees.

2. Is risk management integrated into all decisions and activities, at all levels of the organization?

3. Are appropriate risk behaviors rewarded and inappropriate behaviors identified and sanctioned?

4. Is constructive challenge of risk decisions encouraged?

5. Is risk event reporting and whistleblowing encouraged, without fear of retaliation?

6. Is there clear ownership and accountability for specific risks and risk areas?

7. Are integrity and ethical values discussed regularly? Does management practice what it preaches?

8. Are assurance functions respected and appropriately resourced?

Read other articles in this series:

Auditing Culture: History and Principles (/2019/Pages/Auditing-Culture-History-and-Principles.aspx)
Auditing Culture: Bumps in the Road (/2019/Pages/Auditing-Culture-Bumps-in-the-Road.aspx)
Auditing Culture: Where to Begin (/2019/Pages/Auditing-Culture-Where-to-Begin.aspx)
Auditing Culture: Observation and Data (/2019/Pages/Auditing-Culture-Observation-and-Data.aspx)
Auditing Culture: Audit Project Surveys (/2019/Pages/Auditing-Culture-Audit-Project-Surveys.aspx)

James Roth
Risk as the Rosetta Stone
https://iaonline.theiia.org/2019/Pages/Risk-as-the-Rosetta-Stone.aspx

Language determines how people share information, invoke emotion in others, or persuade them to action. The words chosen also frame a listener’s perspective on an individual beyond simply that interaction. How people select and use words appropriately in a situation is important.

With this as a backdrop, it was no surprise that when my business partner referred to “risk as the Rosetta Stone” for business, the concept rang true. The Rosetta Stone, discovered in 1799, allowed people to decipher once-challenging Egyptian hieroglyphics. Having the key to deciphering the message unlocked understanding and knowledge previously unavailable.

Using the language of risk offers a similar master decoding structure — in this case, for businesses to leverage for greater understanding. Business demands as varied as resource allocation and product innovation will benefit from the use of a shared risk language that enables the organization to build from a common baseline. Leveraging a common organizational language can increase the organization’s efficiency and heighten value delivery. For auditors, leveraging components of a shared language can not only increase message clarity and enable more effective communications with business partners, but also enhance the understanding and outcomes of audits, projects, and advisory engagements.

The Language of Risk

Much as a language is made of key components such as vocabulary (shared definition of words and terms), syntax (arranging words in a sentence for meaning), and pragmatic rules for situational use, the language of risk is made of standard components. Ensuring these components are designed, shared, and understood across the organization supports effective communications and decision-making. Internal auditors should consider how these key risk components are structured in their organization and whether modifications or increased awareness might further enable their use as a common language for the business.

Taxonomies (a common vocabulary): The core of any common language leverages a shared baseline. In risk-speak, this baseline is a taxonomy, naming standard, or universe definition. The risk universe or other classification structure provides a consistent lens to assess operational activities, monitor and compare effectiveness, and frame the scope of project or risk remediation efforts. A defined taxonomy also allows for a common aggregated reporting structure. This structure enables effective business decision-making because there is consistency in comparing and contrasting information over time and across organizational functions.

Measurements/Ratings (a common vocabulary and a guide on syntax and structure): Prioritization is difficult to define or agree upon without a standard rating scale by which to assess risk. Various functions and teams in an organization often share a scale for rating common risk variables — impact and likelihood. Similarly, internal audit usually defines a rating or prioritization scale for findings and reporting. Other teams, such as enterprise risk or security, also may use rating structures, which may be similar or quite different from others in use. To be able to prioritize and understand risk organizationwide, common scales must be used. When a scale includes metrics that apply cross-functionally — such as financial, operational, regulatory, client, or reputational — it can be better applied and leveraged across functions. For example:

- Apply scale levels to project prioritization based on potential savings or projected revenue increases, or based on customer or marketing impact.
- Apply scale levels to measuring impact and likelihood of audit findings, helping to prioritize resource allocation for remediation efforts.
- Apply scale levels to assessing product opportunities for financial impact, client satisfaction increases, or operational challenge points, aiding in prioritizing focus on go-to-market efforts.

Risk Response/Appetite (pragmatic rules): Within an enterprise risk management program, the risk response standard, rules, or matrix guide the norms expected for identified risks. The response standards define when a risk is acceptable within organizational parameters, when action is required, or when a risk is out of bounds but acceptable for monitoring for an interim period. This structure can be applied beyond the risk function to identify points for escalating concerns, engaging management approvals, or prioritizing operational activities.

Business Value of a Shared Language

Leveraging components of the risk language as a Rosetta Stone of understanding can quickly provide value to an organization. Focusing on some key components can enhance communication and improve business functions.

Common Language Enhances Communications: Use of a common vocabulary in cross-functional or global communications can ensure the messages reflect a consistent structure and clearly defined operational focus of the organization. The vocabulary should comprise agreed-upon top business risks, common naming, and classification of operational units.

Shared Understanding Improves Efficiencies and Culture: Consistent prioritization processes based on a defined measurement scale can increase understanding and alignment among different teams or operational units. While this doesn’t necessarily mean a shared agreement is always expected, a shared understanding of the “why” and comfort in consistent prioritization efforts may increase the effectiveness of communications and enhance corporate culture.

Translating Details to Themes Speeds Decision-making: Use of a defined risk universe structure in operational functions can provide for aggregation of repeated, consistent individual concern points. Use of the standard universe enables comparison across locations or teams and roll-up of reporting and assessments in a framework that is expected and understood by executive management. Enhanced understanding through a common framework can shorten decision-making cycles and produce solutions faster.

Agreed-upon Prioritization for Resources Enables Quick Time to Value: Having standards in place for measurement, response, and escalation can level the playing field, and drive consistent and intentional decision-making for allocating the organization’s resources.

Be a Translator

In their role as partners across the organization, internal auditors can promote the common communication and benefits associated with a shared risk language. As audit team members interact with stakeholders and partners, they should share their language with the organization with an eye on promoting understanding, improving efficiencies, and enabling the business.

Melissa Ryan
Climate Risk Assurance
https://iaonline.theiia.org/2019/Pages/Climate-Risk-Assurance.aspx

An article published earlier this year in The Wall Street Journal highlighted investor concern about the impacts of climate change, citing “a record of 75 or more climate-related shareholder proposals” expected at annual company meetings. Dupont investors, for example, proposed disclosure of the company’s risks from expansion of its operations in hurricane-prone areas, and nearly 30% of Starbucks shareholders voted for disclosing the coffee giant’s recycling plans. In addition, more and more institutional shareholders are backing the Sustainability Accounting Standards Board’s standards for corporate sustainability, aimed at helping publicly listed companies disclose environmentally relevant information to investors. Internal auditors, and the organizations they serve, should take note of these developments — particularly in businesses where such concerns may not currently be a priority.

Within the financial industry, climate risk is not always on the agenda. For example, financial companies, and their internal audit functions, may neglect to consider the credit evaluation risks associated with lending money to companies susceptible to climate-related events. In doing so, lenders overlook impacts that could severely disrupt the borrowing companies’ operations, and possibly hinder their repayment abilities. Even if it’s discussed, resulting impacts to the company’s credit risk rating may not be sufficiently accounted for when calculating the borrower’s credit rating.

By contrast, insurance companies are at the forefront of addressing climate-related risk. Policy calculations, for example, factor in threats to homes and businesses in wildfire-prone areas and flood risk to regions susceptible to hurricanes. Financial institutions, however, typically do not include such considerations when calculating the impact of risk to capital. And even if bank leaders do incorporate climate-related impact in their credit risk analyses, there is no real metric in place for that risk.

As independent assessors of risk, internal auditors could raise the issue of climate change risk with senior management, and even consider it as a point of concern when challenging the organization’s current risk management framework. Internal audit has the opportunity to create value, facilitate improvement, and execute its mission of providing independent assurance over the effectiveness of risk management. From envisioning the impact of climate-related risk on the bank’s daily operations to the impacts on clients’ operations and ability to perform against their credit risk, auditors can place themselves at the forefront of an important debate.

The financial industry, with the help of its internal audit practitioners, could get ahead of the curve by promoting a broad discussion about how to consider, monitor, and report climate change risk. If past crises taught us anything, reacting to stressed scenarios is arguably more expensive and takes longer to recover from than acting preventively. Let’s start the debate — the sooner the better.

Luciano Raus
U.S. Companies Score Low on Governancehttps://iaonline.theiia.org/2019/Pages/US-Companies-Score-Low-on-Governance.aspxU.S. Companies Score Low on Governance<p>​<span style="font-size:12px;">Amidst another season of corporate scandals, it's not surprising that U.S. companies are getting low grades on their governance report cards. A new index gives U.S. publicly listed companies an overall grade of C+, with 1 in 10 companies surveyed earning an F for corporate governance.</span></p><p>The IIA and the University of Tennessee's Neel Corporate Governance Center in Knoxville unveiled the <a href="http://www.theiia.org/ACGI">American Corporate Governance Index</a> (ACGI) this week at press events in New York and Washington, D.C., where speakers discussed the problems it identifies and how internal audit could help companies address them. Based on an anonymous survey of chief audit executives (CAEs), the index grades companies around eight of the <a href="/2019/Pages/A-New-Tool-for-Directors.aspx">Guiding Principles of Corporate Governance</a> (see "The Making of the Index" below), also released this week.<br></p><h2>Beyond the Boardroom</h2><p>Although responsibility for corporate governance begins in the boardroom, "governance is so much bigger than what's going on at the board level," said Terry Neal, director of the Neel Corporate Governance Center, at the Washington event. This is where internal audit, with its enterprisewide perspective, could help companies improve their grades, he said.</p><p>Take the issue of board performance assessments, for example. Principle 8 calls for boards to regularly evaluate "the full system" of corporate governance, yet responding companies received a C- grade — the overall worst grade — with most saying their company didn't formally monitor governance. 
One takeaway from interviews with CAEs in preparation for the survey is "a lot of CAEs are not doing this, but they are positioned to do it," Neal said.</p><p>But the index indicates that boards have problems of their own. Next to assessing corporate governance, the lowest grade (C) was for Principle 4, where CAEs said organizations were more focused on short-term issues rather than sustainable performance. Contributing to short-term thinking, CAEs say one-third of directors would not challenge the opinions of the CEO, and they gave boards a D grade for questioning whether they were receiving accurate and complete information from management.<br></p><h2>Board Care and Maintenance</h2><p>Christa Steele, a former CEO who serves on several boards, said good dialogue between directors and the CEO is key to a well-functioning board. "If directors are not talking to the CEO in board meetings, they should have those conversations offline," she said in Washington.</p><p>Steele noted it is difficult for boards to capture all the information about technology innovations, new market entrants, and other disruptive risks in what she calls "unprecedented times." Ahead of board meetings, she said she received a staggering 500 to 1,000 pages of information. "Now more than ever, we need to look at the information and scrub it to make sure we get the right information," she said. "But you can have information overload."</p><p>Understanding new risks is one reason "why board refreshment is so important now," she said, because boards often lack the knowledge to provide oversight in an era of greater transparency caused by social media. Although there have been calls for boards to add more specialized expertise — in technology, for example — she says there's a trade-off. "Do you want the technical expert or do you want someone who can ask the right questions?" 
she asked.</p><p>Board members like Steele increasingly want more insight into how the company is governed, even several levels of management down. That's the information that boards aren't seeing, Neal said. It's also where the ACGI finds some disconnects.<br></p><h2>Areas of Disconnect</h2><p>Principle 5 covers corporate culture, and CAEs gave boards and CEOs a high grade (A-) for setting a strong tone at the top. But CAEs say the board doesn't discuss culture much and that tone isn't communicated well across all levels of the company.</p><p>Fraud reporting is another example. In an era ripe with corporate scandals, CAEs gave their organizations high marks for following up on reports of wrongdoing and ensuring the company doesn't retaliate against employees who speak up. Yet, CAEs say employees aren't familiar with how to report violations. "When there's an event that occurs, you'll see a spike in reports," said Julie Scammahorn, senior vice president and chief auditor at Wells Fargo in New York.</p><p>These disconnects are becoming a greater issue with the rising emphasis on environmental, social, and governance (ESG), an area where companies received a C grade. The ACGI survey was conducted just before the Business Roundtable issued its revised <a href="https://www.businessroundtable.org/business-roundtable-redefines-the-purpose-of-a-corporation-to-promote-an-economy-that-serves-all-americans">Statement on the Purpose of a Corporation</a> in August, in which prominent U.S. CEOs committed to benefiting stakeholders such as customers, employees, suppliers, and communities, in addition to shareholders.<br></p><h2>Auditing Governance</h2><p>While internal audit could be positioned to help boards look at risks deeper down in companies, assessing corporate governance is still a new area for many audit functions. 
Fewer than one-fourth of companies evaluate corporate governance annually, and when they do, it goes through the legal function, said Lauren Cunningham, assistant professor and director of research at the Neel Corporate Governance Center. "If legal does it, it's a check-the-box mentality," she said.</p><p>But more internal audit functions are taking on these assessments, Scammahorn observed. "I'm seeing more auditors taking deep dives into the information the board receives to make sure it is accurate and complete," she said.</p><p>Governance audits at the board level should be done by senior audit staff, such as the CAE's direct reports, Scammahorn advised. But they can make a big difference. "If you don't have a formal assessment, there aren't many boards that don't think they're doing a good job," Scammahorn says. "When you put a formal assessment in front of them, they see they have work to do."</p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>The Making of the Index</strong></p><p>The IIA and the Neel Corporate Governance Center developed the ACGI based on eight of the Guiding Principles of Corporate Governance. In turn, the two organizations compiled those principles from guidance and principles from organizations such as the Business Roundtable, National Association of Corporate Directors, and New York Stock Exchange.</p><p>In preparation for the survey, researchers interviewed prominent CAEs about the principles and their observations of governance practices. They then surveyed 128 CAEs from U.S. companies of various sizes from a wide range of industries. Researchers evaluated these responses and assigned a score and letter grade for each of the principles, as well as elements within those principles. Because responses to the survey were anonymous, the ACGI does not provide grades for individual companies.</p><p><em>Principle 1</em> — Effective corporate governance requires regular and constructive interaction among key stakeholders, the board, management, internal audit, legal counsel, and external audit and other advisors. <span style="font-size:12px;">Grade: C+</span></p><p><em>Principle 2</em> — The board should ensure that key stakeholders are identified and, where appropriate, stakeholder feedback is regularly solicited to evaluate whether corporate policies meet key stakeholders' needs and expectations. <span style="font-size:12px;">Grade: B-</span></p><p><em>Principle 3</em> — Board members should act in the best interest of the company and the shareholders while balancing the interests of other key external and internal stakeholders. <span style="font-size:12px;">Grade: B-</span></p><p><em>Principle 4</em> — The board should ensure that the company maintains a sustainable strategy focused on long-term performance and value. <span style="font-size:12px;">Grade: C</span></p><p><em>Principle 5</em> — The board should ensure that the culture of the company is healthy, regularly monitor and evaluate the company's core culture and values, assess the integrity and ethics of senior management and, as needed, intervene to correct misaligned corporate objectives and culture. <span style="font-size:12px;">Grade: B-</span></p><p><em>Principle 6</em> — The board should ensure that structures and practices exist and are well-governed so that it receives timely, complete, relevant, accurate, and reliable information to perform its oversight effectively. <span style="font-size:12px;">Grade: C+</span></p><p><em>Principle 7</em> — The board should ensure corporate disclosures are consistently transparent and accurate, and in compliance with legal requirements, regulatory expectations, and ethical norms. <span style="font-size:12px;">Grade: B</span></p><p><em>Principle 8</em> — Companies should be purposeful and transparent in choosing and describing their key policies and procedures related to corporate governance to allow key stakeholders an opportunity to evaluate whether the chosen policies and procedures are optimal for the specific company. <span style="font-size:12px;">Grade: C-</span></p></td></tr></tbody></table>Tim McCollum
A New Tool for Directorshttps://iaonline.theiia.org/2019/Pages/A-New-Tool-for-Directors.aspxA New Tool for Directors<p>​The dictionary defines <em>principle</em> as a fundamental truth that serves as the foundation for a larger system of belief or behavior — a sturdy, versatile thing that, when used correctly, can address a wide range of issues. So it's welcome news that The IIA and the Neel Corporate Governance Center at the University of Tennessee in Knoxville have developed a set of Guiding Principles of Corporate Governance. After all, corporations have a lot of issues that need addressing. </p><p>Shareholders want better returns, even as they preach about long-term stability over short-term results. Regulators want compliance with standards for financial reporting, cybersecurity, business conduct, sanctions, and more. Consumers want low prices, prompt service, and environmentally friendly products, or else they'll flay the company on social media. Employees want a raise and a viable career path, or else they'll quit. </p><p>Those are a lot of constituencies and demands that corporations have to juggle somehow, with a heap of legal liability if boards steer the organization wrong. So, yes,  sound principles of corporate governance are a vital tool for directors to have.</p><p>"It's not like you can read a book and then say, 'Oh yeah, I know exactly what my corporate governance should look like,'" says Steve Albrecht, a long-time business professor at Brigham Young University and elsewhere who has served on the boards of SkyWest Airlines, Cypress Semiconductor, and numerous other public and private companies over the years. He sees the governance principles as a mechanism to help boards hold themselves and their organizations accountable to the various objectives (financial, operational, legal, ethical) they might have. 
</p><p>Sure, companies also can be held accountable by law enforcement, activist investors, or social media campaigns — but if matters have reached that point, the board is already losing. "All those ways to hold corporations accountable are from the outside, except for corporate governance, which is from the inside," Albrecht says. "And they all have negative consequences except for corporate governance." In other words, good corporate governance is about an organization's self-discipline before outsiders decide to intervene. </p><h2>What Governance Principles Entail</h2><p>The Guiding Principles of Corporate Governance were developed to serve as a foundation for a new <a href="https://na.theiia.org/about-us/Pages/American-Corporate-Governance-Index.aspx">American Corporate Governance Index</a> on U.S. publicly held companies released this month. The index is based on a survey of chief audit executives at an array of U.S.-listed companies, creating a scorecard for overall corporate governance quality in the U.S. </p><p>The Guiding Principles reflect a compendium of viewpoints on corporate governance from sources ranging from the National Association of Corporate Directors, New York Stock Exchange, and Organisation for Economic Co-operation and Development to the Business Roundtable, The Committee of Sponsoring Organizations of the Treadway Commission, and the King Commission. Read through the nine points of the Guiding Principles, and a few themes emerge. </p><p>First, these principles are meant to establish durable practices — the muscle memory directors can use to guide their thinking, as they confront one issue after another. For example, Principle 3 talks about identifying key stakeholders and soliciting their feedback to make sure the organization's policies meet stakeholders' expectations. That's a practice boards need to be able to perform whether they're deciding on share buyback plans versus new investment (What do shareholders want right now? 
What will keep us competitive in five years?) or resolving dilemmas about ethical sourcing (Will our reputation among consumers be worth higher supply chain costs?). </p><p>Or consider Principle 6, that boards oversee the corporate culture of the business, assess the integrity of senior management, and intervene when culture and objectives are misaligned. As we keep moving into a more transparent world, where everything is available for all observers to see and dissect all the time, the alignment of values among a corporation and its stakeholders will matter more. </p><p>It won't suffice simply to declare your ethical values and culture of integrity; even Enron did that. Organizations will need to demonstrate their embrace of those things in a visible way. The board bears ultimate responsibility for that, and Principle 6 reminds directors to keep that duty top of mind.</p><p>"There are a lot of things boards have to do," says Taylor Simonton, currently audit committee chair for Master Chemical Corp., Advanced Emissions Solutions, and Surna. "If they don't already have principles in place … some things can get missed." </p><p>Second, the principles also define how the board should govern itself. Principle 4, for example, lists eight criteria about directors' commitment of time, evaluation of performance, director education, meeting in executive session, and even compensation structure. Call all of that guidance about how a board can keep itself in trim and healthy shape, so it can execute all those duties mentioned above or in some of the other principles. </p><h2>Putting the Principles to Work</h2><p>OK, let's say the board has read the principles and likes what it sees. How would directors go about putting the principles to good use? </p><p>One idea is to review the board committee charters and assess how well they capture the spirit of the Guiding Principles. 
For example, the principles stress the importance of directors devoting sufficient time to their duties, meeting in executive session, and rotating directors as needed to ensure the right balance of institutional knowledge and new perspective. All good points. So how do the board's charters translate those points into specific requirements for attendance, training, meetings without the CEO present, or limits on committee tenure?</p><p>More broadly, the Guiding Principles also can help a board hone its thinking about what committees it should have (beyond those required by law). The principles stress the importance of identifying key stakeholders and monitoring key risks — but those things vary from one company to the next. So can the board articulate why it does or doesn't have, say, an IT risk committee, or a public policy committee?</p><p>Every board would <em>like</em> to say yes, it can; but the Guiding Principles make it much easier for a board to say, "We started by measuring ourselves against the principles, and reached these decisions, which explain why our board is structured the way it is."</p><p>Larry Harrington, former head of internal audit for Raytheon and a past chairman of the board of The IIA, sees the Guiding Principles as a maturity model. Boards can use the principles to plot their location on that model, and map out steps for improvement.</p><p>That idea of a maturity model raises an important point: A board must <em>want</em> to improve to take full advantage of the principles. Otherwise, the principles are just more window dressing, like Enron's fabulous code of conduct. "The folks who really need the guidance don't pay any attention to it, and the folks who generally do a good job use it as a barometer for 'What else can I do better?'" Harrington says. "Because they do want to do better."</p>Matt Kelly
Recession Resilienthttps://iaonline.theiia.org/2019/Pages/Recession-Resilient.aspxRecession Resilient<h2>How do boards evaluate the risk and potential impact of a recession — and how can internal audit help?</h2><p>I do my own environmental scanning such as staying current with news sources and updates from professional organizations. I also look for management’s viewpoint on the economy and risks to the business, specifically. In budgeting or forecasting discussions, I expect a dialogue on the range of potential outcomes and am attuned to the risk attitude taken by management. Are they barreling ahead without regard to what is happening in the world? Are they afraid of the dark? Neither extreme is good. In particular, I look for ways in which business plans provide optionality — the quality of being chosen but not obligatory — and escape hatches to increase resilience in the face of uncertainty.</p><p>Internal audit also should be doing environmental scanning as part of its risk assessment processes. As auditors are on the ground with local management teams and having discussions deep within the organization, they may pick up signals before they make their way up the management chain. Developing a process for collecting and communicating this information in a way that is helpful to senior management, but doesn’t leave local management feeling exposed, is critical to success.</p><h2>What should boards be looking at to ensure that the organization is prepared for an economic downturn?</h2><p>As much as possible, make sure the key performance indicators (KPIs) reported to the board are forward-looking. This is harder than it sounds, and will be different for each company, but this should be a focus in the boardroom. It also is helpful to understand the historic patterns behind these KPIs to provide context for analysis. Understand how management, as much as possible, is building resilience and flexibility into the company's operations.</p>Staff
Confronting Climate Changehttps://iaonline.theiia.org/2019/Pages/Confronting-Climate-Change.aspxConfronting Climate Change<p>​The adverse impacts of rising global temperatures and extreme weather conditions are becoming a front-line risk for businesses. A 2015 Economist Intelligence Unit study estimated that the value of global manageable assets at risk due to climate change could be as much as $4.2 trillion between now and 2100 in discounted, present-value terms. That is roughly on par with the total value of all the world’s listed oil and gas companies. Meanwhile, increased regulation to confront climate change is gaining momentum around the world.</p><p>These trends are leading boards and executives to realize that today’s climate-related decisions may dramatically impact their organizations in the future. Leaders are recognizing that the magnitude of climate change risks warrants a collective action as their impacts are widespread and not just a future threat. As a result, organizations may incur increased production costs, decreased demand, and delayed delivery of goods and services to their customers. </p><p>The growing stakeholder concern about climate change risks is creating demand for climate-competent auditors to help analyze the threats and recommend remedies. Such practitioners can help their organization address financial, process, and governance implications. Through a multipronged approach encompassing both strategic and tactical activities, internal audit can assist organizations in confronting climate change risks. </p><h2>Being Climate-competent</h2><p>Today, audit stakeholders are seeking answers to the basic questions about what climate change risks might impact them and the arrangements in place to mitigate them. Internal audit must adapt to these expectations and demonstrate the “insightful, proactive, and future-focused” characteristics described in The IIA’s Core Principles for the Professional Practice of Internal Auditing. 
</p><p>Internal audit functions that conform to the International Professional Practices Framework should be qualified to audit climate change risks. To supplement their knowledge, The IIA has published the Practice Guide on Evaluating Corporate Social Responsibility/Sustainable Development.</p><p>Yet, a worrying trend in audit reports is that many auditors do not see climate change risks beyond financial risks to the business. Some internal audit functions may not include climate change risks in the audit plan because they are not considered a principal risk to the business. For example, according to the KPMG Survey of Corporate Social Responsibility Reporting 2017, 72% of large and midcap companies did not acknowledge the financial risks of climate change. This could be because boards, executives, and internal audit lack understanding of climate change risks and their implications.</p><p>In other cases, although internal auditors may consider climate change risks in the audit plan, they may not understand the assumptions and estimates used in preparing the financial statements. Likewise, auditors may not comprehend the implications of climate change risks when applying existing accounting treatments and audit standards. Additionally, standard audit programs may not be helpful in assessing climate change risks, control criteria, and their potential impact. Finally, the audit team may not have climate-change risk specialists to assist the teams in focusing on key areas of concern.</p><h2>Strategy and Risk Management Insight</h2><p>Such internal audit functions can’t ignore climate change for long. With these risks looming on the near horizon, auditors can advise the board and management by promoting accountability in addressing climate change risks.</p><p>Internal audit can help ensure the organization is identifying, prioritizing, and remedying key climate change risks appropriately. 
For example, internal audit can advise on strategies for developing a process to define, monitor, and assess climate change risks. Auditors can ask management about the organization’s resilience and sustainability, as well as audit the organization’s sustainability report. </p><p>Another way internal audit can provide value is reviewing whether the business strategy aligns with the applicable regulatory environment. Auditors can facilitate root-cause analysis of potential regulatory noncompliance. Coordinating control self-assessment workshops can identify the areas where the organization’s climate-change response strategy does not align with its business processes.</p><p>Internal auditors also should evaluate the financial and strategic implications of climate change risks. While the changes to carbon-free or low-carbon technology could pose potential financial risks, they also could result in opportunities such as alternative technologies, business processes, services, and products.</p><p>Internal audit should ensure the organization’s enterprise risk management process includes an appropriate focus on climate change risks. Auditors can assist in developing a granular view of risks that can enable management to create appropriate risk management strategies. In addition, they should evaluate whether management has established benchmarks, metrics, success criteria, key performance indicators, and leading practices.</p><p>Where management is reluctant to consider climate change risks, internal audit can help change executives’ attitudes by enhancing their knowledge of the risks and demonstrating how to assess and predict their impacts. In addition, internal auditors who have assisted other organizations in addressing climate change risks can share information and analysis of their experiences and promote the use of tools and systems for these purposes. 
</p><h2>The Way Forward</h2><p>The audit function should understand the climate change risks affecting the organization and be able to add value in a proactive, timely, and effective manner. It is important to assess whether the organization fully grasps the implications of climate change risks. To move forward, internal audit should:</p><ul><li>Develop a consensus with the board and senior management about internal audit’s role.</li><li>Champion a focus on climate change-related risks by participating in the risk analysis process and educating management on the best practices in climate change-related governance, risks, and controls.</li><li>Ensure the audit function has the appropriate skills to evaluate climate change risks and execute related audit engagements.</li><li>Empower audit teams by developing appropriate tools and procedures for assessing climate change risks, building capacity through mentoring and effective onboarding, and including climate experts in the audit teams.</li><li>Incorporate climate change risks into the organization’s risk register and ensure appropriate audit units are contained in the audit universe. The chief audit executive should ensure that the identified risks are embedded in each audit engagement.</li></ul><p>Climate change risks impact all of humanity. Consequently, there is much work to be done. The responsibilities of internal audit and the required skills are changing quickly. As a partner in a good governance process, the modern internal audit function can be pivotal in addressing climate change by positioning itself as an agent of change.</p>Israel Sadu
Auditing Culture: Audit Project Surveyshttps://iaonline.theiia.org/2019/Pages/Auditing-Culture-Audit-Project-Surveys.aspxAuditing Culture: Audit Project Surveys<p>​Internal auditors looking to gauge organizational culture can choose from a variety of assessment techniques. Some are innovative, robust, and resource-intensive, while others are fairly simple. Typically, using a combination of techniques provides a more well-rounded picture of the culture.</p><p>Some of the most commonly used assessment techniques include: </p><ul><li>Entitywide employee surveys.</li><li>Open-ended interviews.</li><li>Structured interviews, in which a sample of employees is asked the same set of questions.</li><li>Combining objective data with auditors' perceptions.</li><li>Focus groups.</li><li>Self-assessment workshops.</li><li><p>In-depth root cause analysis.</p></li></ul><p>One of the simplest tools for auditing culture is an audit project survey — a survey conducted during the course of an audit engagement. There are several advantages to using a survey tool, as well as limitations and challenges that should be considered. Armed with this knowledge, and familiarity with suggested development and implementation practices, auditors may be better positioned to harness audit project surveys as a means of gaining valuable insight on organizational culture.</p><h2>Advantages</h2><p>Employee surveys have several advantages over other techniques for evaluating culture, including:</p><ul><li> <strong>Anonymity. </strong>If employees know survey results will remain anonymous, they may be more candid than they would in an interview.</li></ul><ul><li> <strong>Potentially Greater Validity. </strong>If employees feel safe and believe action will be taken to address their concerns, surveys usually constitute an accurate measure of employee perceptions.</li></ul><ul><li> <strong>Quantitative Results</strong>. 
Most employee surveys I have seen ask respondents to indicate the extent to which they agree or disagree with statements (see, for example, the "University of Minnesota Employee Survey" below). The percentage of employees who disagree or strongly disagree with a statement is an objective fact, and significant disagreement represents strong evidence that something needs to be examined.</li></ul><ul><li><p> <strong>Efficiency.</strong> Audit project surveys provide an efficient way of gathering input from a large sample of employees. Effective project surveys often yield a response rate of 60-70%, and online survey tools make aggregating and analyzing the responses relatively easy. Unless the audited area is unusually small, interviewing and analyzing responses from a comparable percentage of employees would be prohibitively time-consuming.<br></p></li></ul><h2>Challenges and Drawbacks</h2><p>While the advantages of employee surveys are considerable, internal auditors should be aware of several potential drawbacks. Recommendations for addressing these limitations are also provided. </p><ul><li> <strong>Possible Lack of Candor. </strong>Employees may not be candid, in which case positive results will produce false assurance.<strong> </strong>Although surveys can be anonymous, employees might not believe they are. And if employees fear retribution from their manager, responses are likely to be positive regardless of how they really feel. </li></ul><ul><li> <strong>Potential Blind Spots. </strong>Employees may have blind spots about cultural issues, which can affect their assessments. An often used definition of culture is "how we do things around here." When someone joins an organization, he or she wants to fit in and may accept the way things are done without question. Similar to a lack of candor, this will produce false assurance.<br><em>Recommendation. 
</em>To address both lack of candor and cultural blind spots, auditors should avoid relying solely on survey results. Some people will be more candid in an interview than on a survey. For example, I think of an objection I received when discussing entitywide surveys at a conference in the Pacific Rim. An attendee who worked for a U.S. multinational company that used this type of survey said, "Surveys don't work here. People in this country will never be honest on a survey. They'll tell us exactly what's going on but they would never write it down." I now tell this story when I teach in that country, and the attendees always agree.<br>No single tool or technique is sufficient. Auditors need to be aware of limitations that exist in a given location and complement surveys with their own observations, available data that reflects the culture, interviews, and whatever other tools might be useful in that context. <br></li><li> <strong>Employee Misperceptions. </strong>Although surveys can be an accurate measure of employee perceptions, employees can be wrong. I think, for example, of a lead auditor who worked for me when I was an audit manager. She would occasionally come into my office, ask to close the door, and say, "What are you managers thinking? Do you have any idea what the staff is saying about this decision you made two weeks ago?" I'd say, "But Pam, they don't understand why we made that decision," and realize that we needed to tell them. Pam did a great service by alerting us to the staff's misperceptions, which we could then correct.<br><em>Recommendation.</em> Auditors should not present negative survey results as an issue unless they find corroborating evidence. However, if they can't find such evidence, or what they find contradicts the survey results, they should report it to local management as a possible misunderstanding it might want to correct.<br> </li><li> <strong>Ambiguity. 
</strong>Developing survey statements that are clear and unambiguous can be difficult. Take, for example, the statement, "Management is ethical, fair, and open to employee suggestions." This statement asks about three different qualities. A manager might have one or two of these qualities, but not the third. Also, does "management" refer to the employee's immediate supervisor, the head of the organization, or something in-between? <br><em>Recommendation. </em>Auditors can use a couple of methods to prevent survey statement ambiguity. First, they can draw from good models. Examples of effective surveys can be found in internal audit literature, obtained from colleagues, and accessed on the internet. With established models, any initial ambiguity is likely to have already been identified and corrected. Moreover, auditors will be able to approach prewritten survey statements more objectively, and identify any residual ambiguity more easily, than statements they wrote themselves.<br>Auditors can also field-test the survey once it's been developed. Before finalizing the survey instrument, they can give it to several people and ask what they thought each statement was asking. This exercise should identify most or all remaining ambiguity.</li><li><strong>Scope Limitations. </strong>Surveys are limited to the predefined issues they include. And obviously, culture encompasses much more than a brief survey can assess. <br><em>Recommendation. </em>Internal auditors can address this concern by asking survey participants for explanatory comments. The University of Minnesota Employee Survey below has only 12 statements, but it asks respondents, "Would you like to tell us anything else about the operations of your (college, department, center, or other term as appropriate)?" Respondents can elaborate on any of the 12 statements or include something else they want the auditors to consider. 
</li></ul><h2>Development, Implementation, and Analysis</h2><p>Audit project surveys should be adjusted to best fit the environment in which they will be applied. Several considerations should be kept in mind when tailoring a survey for use with a particular client or organization, and during survey implementation and analysis. </p><ul style="list-style-type:disc;"><li>Design the survey carefully. Provide clear instructions for completing the survey, and phrase statements carefully using simple, easy-to-understand language.</li><li>Ask for level of agreement/disagreement with statements — such as those shown in the University of Minnesota Employee Survey's Likert scale below — and for explanatory comments.</li><li>Ask managers if they want to add issues they're concerned about. Good managers often wonder what their employees really think about certain decisions they've made or aspects of the environment. This is their chance to get honest feedback that employees might not want to give them in person.</li><li>If the content might be highly sensitive, consider asking the legal department to review the survey instrument. The lawyers are less likely to object if they are consulted up front than if they see the survey once it's underway. And they might have legitimate concerns.</li><li>To demonstrate management's support, ask the head of the audited area, as well as the chief audit executive, to sign the survey invitation email.</li><li>Consider using online survey tools to survey 100% of the population and to facilitate results analysis. </li><li>Stratify responses by level — for example, senior management, middle management, staff — and compare the differing perceptions.</li><li>Remember that surveys measure employee perceptions; they must be substantiated to be reported as audit issues. If they can't be substantiated, they still provide valuable information for the manager. </li><li><p>Involve the "experts" in interpreting the results. 
Some audit departments review the stratified results with a focus group of experienced employees who know better than the auditors why employees responded as they did. The confidentiality of individuals' comments, of course, must be preserved.</p></li></ul><p>Regardless of the technique or combination of techniques used, auditors and their stakeholders must keep in mind the objective of culture auditing: to continually enrich stakeholders' understanding of the culture through a blend of qualitative and quantitative evidence; the objective is not to reach final conclusions. Without this shared understanding, internal auditors risk giving false assurance when assessment results are positive and assigning unfair blame when results are negative. </p><h2>An Important Tool</h2><p>Audit project surveys can provide key insight on organizational culture. Like other tools used for this purpose, they will not be effective in every situation. But when applied with discretion and in conjunction with other techniques, they can be a valuable asset in the culture auditor's toolbox.</p><p><img src="/2019/PublishingImages/auditing-culture-questionnaire-smaller.jpg" alt="University of Minnesota Employee Survey" style="margin:5px;" /></p><p>Read the other articles in Jim Roth's series on culture:</p><ul><li><a href="/2019/Pages/Auditing-Culture-History-and-Principles.aspx">Auditing Culture: History and Principles</a></li><li><a href="/2019/Pages/Auditing-Culture-Bumps-in-the-Road.aspx">Auditing Culture: Bumps in the Road</a></li><li><a href="/2019/Pages/Auditing-Culture-Where-to-Begin.aspx">Auditing Culture: Where to Begin</a></li><li><a href="/2019/Pages/Auditing-Culture-Observation-and-Data.aspx">Auditing Culture: Observation and Data</a></li><li><a href="/2020/Pages/Auditing-Culture-Employee-Surveys.aspx">Auditing Culture: Employee Surveys</a></li></ul>
James Roth
Social Media Governance
https://iaonline.theiia.org/2019/Pages/Social-Media-Governance.aspx
<p>Social media’s strategic role within organizations has grown exponentially as it has become a ubiquitous juggernaut of nonstop information of varying degrees of accuracy and relevance. But its risks to the organization have accelerated, as well. To keep up, organizations need a strong governance structure that specifically emphasizes social media.</p><p>Similarly, social media’s high impact and high risks mean internal audit should look closely at all related activities. Perhaps the most important of these activities for internal audit is ensuring the organization’s social media governance is effective. </p><h2>It Starts at the Top</h2><p>Any aspect of governance starts with the board. As part of its assurance efforts, internal audit should ensure the board understands the broad scope of risks related to social media, as well as the board’s role in establishing an appropriate governance structure. </p><p>Foundationally, the organization already should have an effective governance structure in place. But the fast pace of change related to social media means the board should take a more active role in ensuring the organization’s governance structure addresses unique social media issues effectively. This not only helps the organization successfully achieve its objectives, but also further ensures the organization will not be broadsided by change, irrelevance, and damaging reputation issues.</p><p>The board must understand the changing landscape of social media, as well as the current and evolving risks. Further, directors must understand the organization’s social media strategies — both the strategies specific to social media and those using social media to better achieve objectives. This includes understanding how the strategies were developed and how they support the organization’s overall mission. 
Finally, the board should understand how the organization will address emerging issues, potential crises, and the overall changes in the social media environment. </p><p>Ultimately, board members must be able to lead conversations that get to the heart of the organization’s approach (see “Questions the Board Should Ask” at the bottom of this page). To ensure the board is prepared to successfully oversee social media activities, internal audit should focus on three areas: knowledge, training, and communication. </p><p><strong>Knowledge</strong> The constant press coverage related to social media “fails” has resulted in boards becoming more aware of social media’s risks and pitfalls. But it also has led many boards to focus on the latest YouTube debacle or Twitter mistake, rather than understanding the broader risks. Therefore, internal audit should ensure board members fully understand the risks and opportunities related to social media, as well as the organization’s activities. <br></p><p><strong>Training</strong> Internal audit should ensure the board has been trained appropriately on new and emerging social media technologies, how they are used, the risks to the organization and its industry, and how competitors are using social media. Such training will help the board understand how the organization developed its strategic approach and what it needs to be successful. <br></p><p><strong>Communication</strong> Internal audit should ensure communication channels allow the board unfettered and timely access to the information it needs about social media. 
In addition to information from executives, this communication should come from committees responsible for social media, departments involved in developing and communicating through social media, and front-line personnel who are dealing with day-to-day issues that can quickly grow into organizational disasters.<br></p><p>Internal audit can provide assurance that board members are prepared by examining activities at the highest levels of the organization. The best way is for auditors to speak directly with board members to gain assurance that directors are providing the best oversight possible. Additionally, auditors should review correspondence and minutes of board meetings, as well as the information received by the board, to ensure that it has been kept in the loop. They also should review training materials to ensure materials cover all appropriate areas and that all board members have participated.<br></p><p><img src="/2019/PublishingImages/Jacka-social-media-governance-at-a-glance-chart.jpg" alt="" style="margin:5px;width:800px;height:562px;" /><br></p><h2>Executive Oversight</h2><p>At the next layer of governance, the executive level is responsible for developing and implementing the organization’s social media strategies and objectives, as well as ensuring they align with the organization’s other strategies and objectives. Like the board, executives should obtain assurance that social media projects are advancing as expected, the projects are aligned with other strategies, the objectives are being met, significant risks and issues are communicated, and all other necessary information is brought to executives’ attention timely.</p><p>Best practice is to assign a social media champion at the executive level to oversee social media activities organizationwide and be responsible for their success. The executive should fully understand and believe in the value of social media to the organization, while also understanding the associated risks. 
This individual also should have the status to freely communicate potential issues and concerns to fellow executives. Otherwise, social media activities may fail because of lack of interest.</p><p>It also is best practice to establish a social media oversight committee to handle responsibilities at a more granular level. The committee should encompass all departments with a role in social media and include individuals with the authority to initiate changes. The committee will be responsible for ensuring the alignment and success of all social media strategies, objectives, and plans; monitoring project progress; and communicating potential issues. The executive champion should be an active member of this committee, providing guidance and ensuring necessary communication between the committee and executives.</p><p>Much of internal audit’s review of executive oversight is similar to that outlined for the board — just more detailed. This includes obtaining assurance that executives receive ongoing training that allows them to understand how social media can best be used, and that executives are adequately updated on social media. In addition, internal audit should determine whether executives are actively ensuring their individual departments are using social media appropriately, and that those activities are aligned with other departments and functions.</p><p>Interviews with executives are the best way for auditors to obtain this information. And, while social media-focused interviews can be an important part of the review, an effective alternative is to discuss the topic in meetings about departmental risks, concerns, and upcoming initiatives. Special attention should be paid to the executive champion, who can be a significant source of information about the status and growth of social media. 
If the relationship is cultivated appropriately, the champion can be a source for potential areas of review.</p><h2>The First Line of Defense</h2><p>A challenge in any governance structure is ensuring coordination among the teams that manage the various aspects of risk. Effective social media governance requires each of the three lines of defense — operational management, risk management and compliance functions, and internal audit — to understand the specific risks and responses that apply to their functions. </p><p>The first of these lines, operational management, owns and manages the risk. These are the operational managers responsible for maintaining effective internal controls and executing ongoing risk and control procedures. Each operational function must understand the impact of social media on its responsibilities, as well as the function’s role in the organization’s social media presence. Although their roles and responsibilities can vary from one organization to the next, the following are functions that could be involved with social media. </p><p><strong>Marketing</strong> This function is responsible for marketing through social media channels, including brand management. Responsibilities include ensuring social media delivers a consistent message to the right customers, brand integrity and standards are maintained in all social media channels — including the activities of agencies and third-party vendors — and the message being delivered matches organizational objectives. <br></p><p><strong>Sales</strong> The sales function’s responsibilities include ensuring sales efforts on social media match marketing’s message, delivery of products and services sold through social media is accurate and timely, and follow-up is taken on leads generated through social media. The department also must keep online sales information updated and accurate, and use social media data to analyze trends related to leads, sales, and returns. 
Ultimately, the function should ensure social media improves sales efficiencies and costs.<br></p><p><strong>Customer Service</strong> This function ensures complaints received through social media are handled efficiently, customer satisfaction in the online sales process is maintained at the desired levels, and customers are referred to the appropriate goods and services. Customer service also makes sure all online communications maintain the appropriate tone and social media is used to accurately measure customer satisfaction.<br></p><p><strong>Public Relations</strong> Also known as corporate communications or community relations, public relations manages how the public perceives the organization. Its responsibilities include ensuring social media messages related to public relations match the overall messaging strategy and monitoring exists to identify, avert, and mitigate crisis situations. Public relations also should have an effective crisis management plan that includes responding to social media issues and using social media as part of the crisis management process.<br></p><p><strong>IT</strong> This function develops and maintains hardware and software used for social media. IT’s responsibilities include ensuring customers have a seamless experience while using social media and maintaining sufficient backups to reduce or eliminate downtimes. This function implements technology to achieve the organization’s social media objectives and ensures access to the organization’s social media sites is controlled.</p><p><strong>Human Resources</strong> This function uses social media to recruit new employees and potentially uses social media to deliver training. Human resources should ensure that training on the use of social media includes all employees and all facets of social media use. 
It should ensure a social media policy is developed that complies with existing regulations and the organization’s other policies, and monitor employee satisfaction through external comment boards and websites.<br></p><h2>The Second Line</h2><p>The second line of defense comprises those functions that ensure first-line controls are designed appropriately, in place, and operating as intended. Spanning the organization, these functions provide assurance related to their field of expertise. Second line functions need to keep abreast of changes in social media with a particular emphasis on issues impacting the areas they oversee. As with the first line of defense, the specific structure and responsibilities of second-line functions differ among organizations. In reviewing governance, internal audit should ensure that the organization is addressing all of the potential social media oversight roles these functions perform.</p><p><strong>Risk Management</strong> This function ensures social media risks are understood throughout the organization and included in risk assessment processes. Responsibilities include ensuring all risk assessments consider social media, departments keep abreast of emerging issues and risks related to social media, and those issues and risks are communicated timely. The risk function also must ensure all departments’ risk assessment and management procedures address social media risks appropriately.<br></p><p><strong>Compliance</strong> The compliance function is responsible for ensuring existing regulations are reviewed for reinterpretations that may impact social media and that new and changing regulations are monitored. It must advise all departments of regulations that will impact their use of social media and ensure that potential noncompliance issues are reported and acted upon.<br></p><p><strong>Security</strong> The security function must ensure appropriate access to and control over social media activities. 
It ensures general IT security controls such as passwords, antivirus, anti-malware, and firewalls have been established and are being used effectively. It also makes sure that access to the organization’s social media accounts is restricted appropriately, all accounts are monitored for suspicious activity, and accounts that are no longer in use have been decommissioned. Additionally, the security function should ensure all employees understand the risks related to inappropriate use of social media.<br></p><p><strong>Quality</strong> This function is responsible for ensuring the organization’s use of social media complies with standards related to brand and image. Its responsibilities include ensuring branding and imaging within social media accounts match established standards, and making sure overall quality and professionalism of social media interactions match the desired level. The quality function also should ensure information reported through social media channels is accurate, and the organization takes effective corrective action on identified issues.<br></p><h2>The Third Line</h2><p>Internal audit provides the board and senior management with independent and objective assurance of the other two lines’ efficiency and effectiveness. To that end, auditors should ensure that all entities in the three lines understand social media risks as well as their responsibilities for those risks. Internal audit can use two approaches to provide this assurance.</p><p>The first is to conduct an overall review of social media, focusing on the functions where the greatest risk may reside. This review may entail separate audits of social media for each function — which will provide detail on how the function is performing — or a review of social media risks, adding focus on potential gaps among departments. </p><p>The second approach is to include social media as a risk area in all audits planned for the year. 
The results should be included in the individual reports, but auditors also should consider providing an overview of organizationwide responses to social media risks.</p><h2>Audit’s Social Impact</h2><p>Social media has become an integral part of any organization’s success and an area that internal audit functions ignore at their own peril. In providing assurance regarding social media, governance can be one of the most impactful areas in which internal audit can provide value. Moreover, reviewing governance establishes a foundation upon which internal audit can begin to build its understanding of, and assurance work related to, social media. <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>Questions the Board Should Ask</strong></p><p>A well-informed board is equipped to ask the important questions about the organization’s use of social media. To ensure the organization understands its social media strategies and direction, here are some questions board members should be prepared to ask and the organization should be able to answer.</p><p><strong>How are we using social media to engage with our customers, open new markets, and recruit top talent?</strong> </p><p>These three areas are only a small part of how the organization is using social media. But they provide a good foundation to ensure the organization understands the impact of social media, and they may help the organization explore how best to use it.</p><p><strong>How are our competitors using social media?</strong></p><p>Social media is a competitive advantage. Without understanding how the competition is involved, the organization cannot know if it is ahead of or behind the curve. Understanding the competition’s use of social media also provides lessons learned without actually taking the risks. 
In addition, following competitors on social media provides insights into their strategies and plans beyond social media.</p><p><strong>How are our employees and other stakeholders using social media? What do we allow?</strong></p><p>This question generally will lead to a discussion about existing social media policies. But the primary purpose is to provide assurance that the organization is aware of the risks related to employee and stakeholder use of social media, is monitoring those activities, and is prepared to respond quickly to potential issues.</p><p><strong>What regulations regarding social media does our organization need to be aware of?</strong></p><p>Board members need assurance that the organization understands the impact of regulators on the organization’s use of social media, monitors compliance with those regulations and regulatory changes, and takes appropriate actions.</p><p><strong>How are we monitoring social media activity for potential negative issues? Does this include plaintiff, activist, regulator, and vendor social media activity?</strong></p><p>Monitoring is an important part of the organization’s social media risk management process. Almost every social media fail could have been better controlled had the organization monitored and responded to social media conversations appropriately. Monitoring can provide early warning about public relations, brand, regulatory, or legal issues before they get out of hand. </p><p><strong>How are we interacting with the organization’s followers, friends, etc.?</strong></p><p>The board needs to understand how success is measured related to the investment in social media. The important aspect of this question relates to how any measures of success will be used to positively impact organizational objectives. 
Board members should be asking for a direct link between social media metrics and broader organizational success.</p><p><strong>What do board members need to do to ensure they keep out of trouble?</strong></p><p>First, the board must be assured that it has the information necessary to understand and respond to relevant social media risks. Second, board members must understand how their use of social media — whether as a representative of the organization or as a private citizen — can impact the organization. While these are questions that should be asked by board members, they also are excellent questions for internal audit to use during its reviews, particularly at a governance level. The questions dig deeply into the knowledge and awareness of all social media participants.<br></p><p><em>Adapted from “Critical Social Media Questions for the Board Room” by Richard S. Levick, Fast Company, 11/27/12.</em><br></p></td></tr></tbody></table><p><em>Jacka and Scott are the authors of Auditing Social Media, Second Edition, published in August by The IIA’s Internal Audit Foundation.</em><br></p>
Mike Jacka