The Responsible Organization Responsible Organization<p>In January, BlackRock CEO Larry Fink published an open letter to company CEOs warning them that if they didn't take immediate steps to help their businesses become more resilient to climate and environmental risks, they risk being dropped from pension fund portfolios. This kind of announcement has the ability to spark boardroom conversations during a time when the push for organizations to identify, mitigate, control, and disclose the myriad risks to their businesses to a wider range of stakeholders — not just shareholders — continues to gather pace worldwide. </p><p>Companies now report not only on the financial risks to their business, but also the nonfinancial risks they face. These risks include climate change, business ethics, human rights abuses, slavery and child labor, and their operations' impact on the environment — which fall under the realm of environmental, social, and governance (ESG) reporting. In fact, the current revision of the International Integrated Reporting Council's <IR> Framework aims to "further embed integrated reporting and thinking into mainstream business practice." </p><p>Yet despite such reporting progress, the consensus view of several experts is that many organizations are paying lip service, disclosing only the bare minimum of detail to comply or satisfy investors, regulators, and other stakeholders. Some organizations, meanwhile, are struggling to get their heads around what exactly they need to report — or how to do it, they add. </p><p>"Sustainability reporting is largely done as a paper exercise," says Lawrence Heim, managing director at audit and consulting firm Elm Sustainability Partners in Atlanta. He adds that "internal audit needs to be more involved in sustainability reporting, or become involved if it is not already part of the process." Such views are shared by other experts. </p><h2>Questionable Disclosures</h2><p>In the U.K., listed companies have a duty to disclose how sustainability risks may impact the long-term viability of the business and what steps management is taking to address them. But research from international accounting firm Mazars found that disclosures around carbon emissions in Financial Times Stock Exchange reports are "not fit-for-purpose" and are "in many cases a box-ticking exercise that does not appear to be integral to the way management runs the business." The Financial Reporting Council, the U.K.'s corporate governance regulator, and the European Union — where sustainability risk reporting has been mandatory for the past two years — have raised concerns about the quality of disclosures around sustainability risks.</p><p> Aside from nonfinancial reporting being voluntary for most organizations around the world, there are several reasons why efforts to improve sustainability reporting and risk management are failing. First, the bulk of all mandatory disclosures is still concerned with financial reporting and most of the effort goes into getting that right. Second, the term <em>sustainability</em> has become an umbrella buzzword for every risk that doesn't have an immediate financial price tag attached to it. Many organizations are either overwhelmed by the scale of work required to report meaningfully on the array of risks included, or are simply confused by the term and the issues being covered under ESG reporting (see "ESG Metrics" below). </p> <img src="/2020/PublishingImages/Hodge-ESG-metrics.jpg" class="ms-rtePosition-4" alt="" style="margin:5px;width:640px;height:363px;" /> <p><br></p><p>Experts have some sympathy, but they say that organizations — and internal audit — cannot be indifferent to the problem, and they stress the need for deeper audit involvement. </p><p>Heim says organizational sustainability is not clearly understood by either internal auditors or boards, and as a result, levels of assurance are decidedly mixed. Globally, he says there are more than 300 different ratings used by investors to assess ESG reporting, and it is unclear just what criteria they are using to base their assessments. </p><p>"There is no agreed on, single definition of what is meant by organizational sustainability," Heim says. "The term means different things to different sets of people, and to some extent, it's an umbrella term for a lot of nonfinancial risks. This is a nightmare for internal auditors."</p><h2>An Exercise in PR</h2><p>According to Heim, sustainability reporting is often done cheaply and usually by public relations (PR) or marketing people rather than anyone trained in ESG issues to provide an additional narrative to the financial figures. "These reports are not thorough, not validated, and contain inaccuracies, yet boards are happy to put their names on them," he says.</p><p>There are two trends in sustainability reporting that amount to PR and marketing exercises that Heim says internal auditors need to try to prevent their organizations from following. One is "greenwashing." This is when companies play up their environmentally friendly efforts and credentials, while downplaying — or ignoring entirely — the areas of their business that may be damaging to the environment, or that do not conform to stakeholder expectations of what constitutes long-term sustainability. The other is "greenwishing," where they talk about what they hope to achieve versus what they've actually implemented. This includes a reduction in carbon emissions, reduced waste, lower energy and water usage, increased telecommuting, cuts in air travel, and so on. </p><p>Robert Pojasek, senior strategist at risk and ESG consultancy Strategic Impact Partners in Boston, agrees that sustainability reporting leaves a lot to be desired. "The primary focus of the sustainability report is to improve its ranking in rating schemes, such as the Corporate Knights, Newsweek, Corporate Responsibility Top 100, and similar ratings," he says. To ensure accuracy and meaningful disclosure, he says, "auditors need to provide assurance to the board that the information meets their financial, risk, and ESG reporting requirements before it is released to the public."</p><h2>Guidance Is Lacking</h2><p>Organizations are using stand-alone sustainability programs with separate reporting, which means the claims made in sustainability reports cannot be independently verified or appropriately benchmarked, Pojasek says. As such, there is some reluctance to accept them because of a lack of rigor associated with the collection of the information, as well as a lack of internal auditing of the data-gathering activity. Many investment firms, for example, will not accept ESG information in their sustainability report because it is not complete and it is not independently verified. </p><p>Part of the problem, Pojasek says, is that there is little guidance for internal auditors because of the array of functions involved in collecting the data: sustainability teams, consultants, corporate social responsibility teams, and corporate citizenship groups, among others. "It is difficult for internal auditors to understand the sustainability program because there are few practice guides available and auditors are confused by the different kinds of stand-alone sustainability programs," he says. </p><p>Pojasek says internal auditors also may lack knowledge and experience in sustainability reporting because there is no mandatory requirement to do so in disclosures to the U.S. Securities and Exchange Commission, as such information is not often included in Form 10-K and 40-F. As a result, he says, "internal audit knowledge around sustainability programs is probably not as comprehensive as it could or should be as a result of not being involved in this activity." </p><p>Heim adds that voluntary reporting on ESG and sustainability issues often means that while the topics and risks are being discussed, they are not necessarily being audited. "Internal auditors are not looking at any figures around ESG because they're not related to financial results, so these figures are published without challenge or any real assurance," he says. </p><p>"It should be impossible for any company report to be made public without checking that the statements are accurate, so sustainability reporting is certainly an area where internal audit can get more deeply involved," Heim says. "Internal audit has the skills to question the basis of these reports — how they were put together, by whom, and using what information or evidence — and it should have a duty to flag up to the board the risks of publishing material or claims that have not been checked or may be false." </p><h2>A United Front</h2><p>Douglas Hileman, an internal audit, risk, and compliance consultant based in Los Angeles, agrees that internal audit is often excluded from reviewing sustainability strategies and reporting — mainly due to competing priorities and a lack of budget. "There's very little time, energy, or expertise to look at ESG risks, reputation risk, third-party risk management, human rights, slavery, health and safety, cyber risk, and so on," he says. "The audit committee decides internal audit's priorities, and at the moment, sustainability risk is not a top item on their agenda." </p><p>Internal audit can try to address this imbalance. First, Hileman says, internal audit should present sustainability in terms of current and long-term business risks. "Boards and management get risk — a lot of them don't get sustainability. If internal audit approaches sustainability like any other risk assessment, executives will take more notice."</p><p>Second, Hileman notes, internal audit should present a business case to incorporate sustainability into strategy. Executives need to be talked to in a language they understand, and they don't like making investments that don't pay off. "Provide evidence that shows that acting more sustainably adds value — operationally, in assuring compliance, reputationally, and even financially," he says. "The area is dynamic, so by acting strategically now they can get ahead of competitors and be better prepared and more resilient for future risks, including environmental risks."</p><p>Third, he says, internal audit should collaborate with other assurance functions — compliance, risk management, environmental, and in-house legal — to "push the case for better aggregated understanding and management of sustainability risk. Clear, concise communication of sustainability risk — and opportunities — can attract the attention and resources it deserves and can also offer a vehicle for internal audit to demonstrate how it can add value to the organization."</p><p>There will be greater scope for internal audit to provide assurance on sustainability issues going forward, says Vanessa Havard-Williams, partner and global head of environment at the London office of international law firm Linklaters. "As organizations — particularly large corporations — begin to integrate sustainability impacts at a detailed level into their enterprise risk management frameworks, internal audit will get more closely involved in reviewing them and providing assurance on their effectiveness to the board," she says.</p><p>"Executives are well aware of the damage that a tarnished reputation can have on the company's bottom line and customer base," says Fay Feeney, CEO of emerging risk strategy consultancy Risk for Good and a board member in Hermosa Beach, Calif. "So internal audit should make it clear that an organization's failure to commit to sustainable business practices will damage the corporate brand among a wide variety of stakeholders, including employees." </p><p>Feeney also warns that auditors need to be prepared to acknowledge that board members are overconfident about the organization's capability to manage risks, as noted in The IIA's OnRisk 2020 report. As a result, she says, "internal auditors need to assess their boards' understanding against their knowledge of sustainability risks as there are likely to be gaps in their knowledge and areas where they do not fully understand what needs to be done, and what impact these risks can have on the business, its operations, and supply chains."</p><h2>Speak the Same Language</h2><p>Paul Sobel, chair of The Committee of Sponsoring Organizations of the Treadway Commission, says internal audit needs to make sure the board — and everyone else in the business — speaks the same language around sustainability so the issues, risks, opportunities, and the organization's long-term goals are understood in the same way. If everyone involved is thinking about risk in the same way, he says, "it will be easier to discuss and appreciate the risks to the organization — and what responses are needed — in the same way, too."</p><p>Sobel adds that internal audit needs to think about the value proposition around sustainability and push the business case for change, rather than follow most boards' leads to consider it as a cost or compliance headache. "Internal audit needs to look at what future investor, regulatory, and stakeholder expectations are likely to be regarding sustainability risk management and reporting and push for management and the board to move in line — or ahead — of them," he says. "This means keeping up to date with best practice, reviewing ongoing trends, and engaging more robustly with stakeholders."</p><h2>Changing Priorities</h2><p>When 181 U.S. CEOs signed the Business Roundtable's new Statement on the Purpose of a Corporation last August, they committed to, among other things, "respect the people in our communities and protect the environment by embracing sustainable practices across our businesses." With support from major U.S. companies to adopt sustainable business practices and embed reporting — and practice what they preach — the expectation is that other organizations need to follow suit, if they aren't already.</p><p>Internal audit needs to get more involved and leverage sustainability to find potential business opportunities and use them to offset the business threats, Pojasek says. "Auditors need to look for the upsides of risk." To do that, he says auditors need to raise questions that can help their organizations enjoy enhanced value: Are there ways to turn what looks like a costly threat into sustained value for the corporation? Does this provide a better way to make sustainability a key part of how the business is operated to secure long-term financial growth? Does this structured form of sustainability and uncertainty risk afford a new opportunity to look at the supply chain?</p><p>There is little doubt of the need for organizations to review their long-term viability and resilience in light of external risks, particularly around the environment and climate change. </p><p>If threats such as BlackRock's do not make boards sit up and pay attention — nothing will. And if boards do not make a greater effort to consider sustainability as a key risk issue, it appears likely that shareholders will do so, as evidence shows investors are becoming increasingly activist about how they want companies to be run, and the priorities they want to see in the boardroom.  <br></p>Neil Hodge1
Auditing Culture: Familiar Techniques Culture: Familiar Techniques<p>​The idea of auditing culture can be intimidating to internal auditors. How can you find objective evidence about something that is inherently subjective? Do you need strange new techniques and psychologists on the audit staff? <br></p><p>Fortunately, internal auditors can accomplish a great deal without the need for a radically different approach. A combination of well-known audit techniques, applied more rigorously by practitioners looking for cultural issues, can go a long way. Four techniques, in particular, can yield valuable information:</p><ul><li>Establishing a participative relationship with audit clients.</li><li>Observing culture while on site.</li><li>Leveraging data that gives perspective on the culture and supports audit observations.</li><li><p>Carrying root cause analysis further than usual.</p></li></ul><p>Incorporating these approaches into routine internal audit work gives practitioners insight into organizational culture and can surface issues critical to the organization's continued success.<br></p><h2>Participative Relationship</h2><p>Establishing participative relationships is perhaps the most important technique, as audit clients are far more likely to discuss their culture if they feel involved in the audit process. This involvement can come during three stages of an audit project.<br></p><p><strong>Planning </strong>Auditors commonly get input from the manager responsible for the area they're reviewing. Some auditors go further and actually plan the audit with that manager. Together, they develop the specific audit objectives, scope, and overall approach. <br></p><p>Does planning the audit with the client compromise independence? It would if the auditor is not thinking critically; but if the client tries to divert internal audit from looking into a risk area, an experienced auditor is likely to recognize it.<br></p><p>For example, as part of the planning process the auditor presumably would explain why he or she thinks a risk area should be examined; the client might then explain why it would be a waste of time. If the client's explanation makes sense, the auditor thanks the client and explains that internal audit needs to confirm what he or she says. If confirmation is established, the auditor saves time. If not, or if what the client says does not make sense, the auditor sees the attempted diversion as a red flag and looks into the risk area with that in mind. <br></p><p>Audit clients are likely to be concerned about how much of their time the joint planning process will take. Internal audit should promise to minimize the impact by performing all the detailed analyses and keeping the planning at a high level.<br></p><p><strong>Risk Assessment </strong>Once the audit objective and scope are agreed upon, the auditor performs a more detailed risk assessment of the key risk areas. Involving the manager in the assessment — or his or her direct reports if the manager can't take the time — has many benefits. First, business owners know their risks better than an auditor coming in from the outside; most of them are just not used to thinking about risk in a systematic way. Guiding the client through a risk assessment gives the auditor a better understanding of the real risks and helps the client become a better risk manager. For auditing culture, it allows the auditor to guide the client's thinking toward cultural objectives and risks to address during the audit. <br></p><p><strong>Reporting </strong>The best way to "report" audit issues — and this is especially true for sensitive cultural issues — is not by telling the client they exist. The most effective way is showing the evidence, enabling clients to realize for themselves that there's a problem. Ideally, the discussion begins before the auditor has all the evidence, when he or she thinks there's an issue but is not quite sure.<br></p><p>For example, suppose an area's staff members complain of unrealistic performance targets. The auditor, being careful to preserve confidentiality, could ask their manager if he or she is aware of the staff's concerns. If the auditor can pique the manager's interest in whether it's true or not, they can design a test to determine that together. If the results indicate it's false, the client will have evidence to show the staff and dispel a morale issue. If the results indicate it's true, the manager is much more likely to be receptive, having asked for the information and helped design the test. <br></p><h2>Observations and Data </h2><p>In any area they review, auditors observe the behavior and attitudes of client management and staff. Their perceptions of the culture are generally accurate, but they are subjective. For most internal auditors, reporting a cultural issue based only on observations results in a fight they can never win. The good news is that there is usually objective data to support those observations.<br></p><p>A negative culture, for example, usually results in high rates of turnover and sick time. These statistics are readily available. Employee survey and exit interview results can also support the auditors' observations and sometimes help identify the cause. A review of customer complaints, frequency of missed performance targets, or project failures can show the impact of the cultural issue. For more examples of metrics that can support auditors' observations, see <a href="/2019/Pages/Auditing-Culture-Observation-and-Data.aspx">"Auditing Culture: Observation and Data</a>."<br></p><h2>Root Cause Analysis</h2><p>When conducting training programs during the early to mid-1990s, I would often say that soft (i.e., cultural) controls are more important to controlling an organization than hard controls. I would present tools like control self-assessment workshops, employee surveys, and structured interviews as ways to identify soft control weaknesses. Sometimes a trainee would ask, "If you just did transaction testing and really got at the cause of hard control deficiencies, wouldn't you get to the same place?" The answer is yes, but that rarely happens. Auditors usually stop short, ending with a more objective, easily defensible intermediate cause.<br></p><p>Today, in my course for new internal auditors I like to illustrate root cause analysis by starting with a hypothetical example where auditors discover inaccuracies on a computer report. I then ask the class to identify potential reasons for the erroneous report. A typical, though abbreviated, exchange between myself and the course participants looks something like this: <br></p><p><span class="ms-rteStyle-IndentBoth">"Why is this information not accurate?"<br></span></p><p><span class="ms-rteStyle-IndentBoth">            "Input errors"</span></p><p><span class="ms-rteStyle-IndentBoth">"Why are there input errors?"<br></span></p><p><span class="ms-rteStyle-IndentBoth">            "Lack of training"</span></p><p><span class="ms-rteStyle-IndentBoth">"Why haven't the input clerks been properly trained?"</span></p><p><span class="ms-rteStyle-IndentBoth">            "No budget for training"</span><br></p><p>At this point I explain the need to look at the effect of the errors. If the organization shifts funds to training, those funds have to come from somewhere else. The loss of funds elsewhere might have a worse effect than these errors:<br></p><p><span class="ms-rteStyle-IndentBoth">"So let's say the effect of these errors is clearly great enough that training is needed, but local management is allocating its budget as best it can."</span></p><p><span class="ms-rteStyle-IndentBoth">            "Then they need a budget increase."</span></p><p><span class="ms-rteStyle-IndentBoth">"Why isn't upper management giving them enough money to train their staff?"</span></p><p><span class="ms-rteStyle-IndentBoth">           "Upper management just looks at numbers and has no idea of the impact of their decisions on lower level employees."</span><br></p><p>Now we have the real root cause. And as often happens when analysis leads to the executive level, the cause is a cultural issue. Correcting it will not just correct the condition, but it will prevent future instances of the same or similar conditions. In this example, the root cause has a pervasive impact on the entire organization — Wells Fargo provided a clear example of what that can lead to.<br></p><p>Of course, upper management is not going to change its approach to managing the organization because of the errors on this computer report — it is one symptom of a deeper problem. The audit report will have to stop at an intermediate cause. The auditors, though, should keep track of this issue and look for similar issues in other audits. If they can connect the dots from enough audits, they may have sufficient evidence to at least discuss the underlying issue with upper management. And this points back to the importance of establishing a participative relationship with management. Finding a root cause on our own is rarely as effective as working with the client to identify it. This is especially true if the root cause is cultural.<br></p><h2>A Powerful Combination</h2><p>Taken together, a participative relationship with audit clients, auditors' observations supported by objective data, and rigorous root cause analysis is a powerful combination. None of these techniques is novel — they are things internal auditors have always done to some extent. Performing them more rigorously, with the goal of identifying cultural issues, can enable internal auditors to provide a deeper, more meaningful level of assurance. <br></p><p>Despite the value of these techniques, auditors should keep in mind that, even when performed together, they do not provide sufficient means to support overall conclusions about the organization's culture. Accomplishing that requires a model or framework that identifies the elements of the culture to be evaluated. And some of these elements might require other techniques.<br></p><p>Nonetheless, this multipronged combination should be a central part of the auditors' approach. Even without overall conclusions, internal auditors using these techniques can identify issues in their organization's culture that need to be addressed. And ultimately, that is the greatest value organizations derive from an internal audit assessment of culture.<br></p><p><em>Read other articles in this series:</em><br></p><p><a href="/2019/Pages/Auditing-Culture-History-and-Principles.aspx">Auditing Culture: History and Principles</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Bumps-in-the-Road.aspx">Auditing Culture: Bumps in the Road</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Where-to-Begin.aspx">Auditing Culture: Where to Begin</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Observation-and-Data.aspx">Auditing Culture: Observation and Data</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Audit-Project-Surveys.aspx">Auditing Culture: Audit Project Surveys</a><br></p><p><a href="/2020/Pages/Auditing-Culture-Employee-Surveys.aspx">Auditing Culture: Employee Surveys</a><br></p>James Roth0
The Board and Whistleblowers Board and Whistleblowers<p>In 2018 the CEO of Barclays, Jes Staley, was castigated by British regulators for trying to unmask a whistleblower who had raised concerns about one of Staley's top lieutenants. Barclays' board clawed back a £500,000 bonus from Staley, and regulators fined him £640,000. Regulators in New York then hit Barclays, itself, with another $15 million penalty.</p><p>The year prior, life sciences company Bio-Rad had to pay nearly $8 million to former general counsel Sanford Wadler after he reported fears of possible bribe payments to government officials in China. The company sacked Wadler, who filed a whistleblower retaliation lawsuit. </p><p>Bio-Rad and Barclays are especially noteworthy because in both cases, the whistleblowers' allegations were later determined to be unfounded. An arbitrary approach to handling whistleblowers is what got those companies into hot water. In our highly regulated, highly litigious, highly transparent world, it always is. Hence the need for rigor — and the need for boards to assure that rigor exists. </p><p>"It's important to set up a process [for addressing whistleblower complaints] in advance because you have to take every one of these issues seriously," says Dotty Hayes, a former CAE at both Intuit and Hewlett-Packard and now chair of the board of directors at First Tech Federal Credit Union in San Jose, Calif., and a board member and audit committee chair at a range of organizations. "You can't do it haphazardly." </p><p>That point is true even if the allegation doesn't seem credible, and even if it's proven wrong, Hayes says. The last thing a board wants is to improvise a response.  </p><h2>Be Disciplined; Be Independent</h2><p>The good news is that truly grave whistleblower reports — allegations so serious that the board should oversee them, and should do so immediately — seem to be rare. "In my experience, if you have one or two a year that are significant and require high priority, that's a lot," says David Diamond, former head of internal audit at Lionsgate Entertainment, and now audit committee chair for The Daily Breath, a chain of Pilates studios in Brazil and the U.S. Likewise, Charlotte Valeur, CEO of the Global Governance Group and currently a director on seven boards, says that in 14 years of working in board governance, she has encountered only two instances of whistleblower allegations so serious that only the board could address it. </p><p>Again, so what? Boards don't know the veracity of a whistleblower allegation when the report first arrives. So establishing a consistent, disciplined, objective process to evaluate whistleblower reports is paramount.</p><p>"Independence on boards is key for whistleblowing," Valeur says. "If you don't have independent board members who can deal with it — and <em>will</em> deal with it, truly independently — everybody is at risk. The whistleblower is at risk, and the company is at risk."</p><p>In truth, that triage process is a nuanced tango between board and management. Boards might <em>receive</em> reports, but they should not <em>investigate</em> reports; that duty should go to trained professionals: internal audit, the compliance or legal team, human resources (HR), or even outside counsel. Even in grave scenarios such as allegations of CEO misconduct, the board should oversee that investigations are happening and moving forward — but not <em>participate</em> in the investigation, itself. "The last thing I want to do is be the investigator," Hayes says. </p><p>Conversely, management receives lots of reports, and might even investigate many of them without troubling the board. That's fine, so long as all parties have a clear understanding of which reports <em>should</em> be escalated to the board right away.</p><p>So what should that process look like? Who's involved in the triage? Typically a large company will outsource its whistleblower hotline; that's one layer of independence. A whistleblower might be able to select categories of complaint (accounting fraud, employee bullying, discrimination, theft, and so forth), or specialists at the outsourced hotline provider could assign one based on certain key phrases, issues, or even names the whistleblower might include.</p><p>A critical question is which categories of complaint should automatically go to the board, even if the board then bats the issue right back to audit, legal, or compliance for further action. For example, anything that mentions corporate accounting, compliance violations, or CEO misconduct should go to the board. If the issue involves personal misconduct rather than financial, consideration by a risk or governance committee might be the best option.  </p><p>Should the accused be informed of the allegations against him or her? Generally no, although some privacy rules in Europe can make that a complicated question best left to professional investigators. And should a company try to unmask a whistleblower? Pretty much never, since that action is a whisker away from retaliation and violates the spirit of following the facts wherever they may lead. ("It's irrelevant," Valeur says of the idea.)</p><p>And regardless of how any specific allegation is investigated, boards still need a process to oversee whistleblower reporting holistically. Valeur, for example, says she wants regular briefings on the total number of reports, the issues they involve, substantiation rates, and so forth. </p><p>"All companies over a certain threshold should have a mature process," Diamond adds. "If you don't, in this day and age, you're way behind."</p><h2>Speaking of Substantiation...</h2><p>Boards might also be surprised at this news: Whistleblower reports based on secondhand knowledge — that is, information passed along to the whistleblower from someone else; or that the whistleblower discovers by finding evidence of misconduct, without witnessing the act directly — tend to be more reliable than reports from people with firsthand knowledge. So says research from The George Washington University and the University of Utah, where academics studied 2 million whistleblower reports filed at more than 1,000 companies from 2004 through 2017. They found that management was 48% more likely to substantiate whistleblower reports based on secondhand information. Those reports were more likely to be about accounting and business integrity issues, too; while firsthand reports are more often about HR issues.</p><p>That makes sense when you think about it. People filing firsthand reports are usually claiming that they have somehow been wronged personally — and, yes, some portion of those reports will be false, or based on hot-headed judgments that don't hold up under scrutiny.</p><p>Whistleblowers with secondhand information, however, are claiming that something in the company is amiss. You typically wouldn't do that unless you care about the organization. And if you care about the organization, you're probably not involved in the misconduct, so it's more likely you have fragments of evidence. In other words, boards should welcome whistleblower reports based on secondhand information, even though that means more investigative spadework to find the truth.  </p><p>"Many times the report needs to be ferreted out," Diamond says. "A lot more details need to be derived to understand the full significance of the report."</p><p>True, but investigations are the subject for a different day. The importance of establishing a process to oversee whistleblower allegations in an objective, disciplined way and follow the facts where they lead — that advice is irrefutable. <br></p>Matt Kelly1
Risk in Session in Session<p>Executive sessions should be on the agenda of every audit committee meeting. This means that all members of management leave the room, and the chief audit executive (CAE) has time alone with audit committee members. Executive sessions enable the committee to share risk concerns candidly. Scheduling an executive session at every meeting makes it less unusual when the CAE needs to ask for a session to discuss a specific concern.</p><p>While audit committee agendas can be routine and well-defined, executive session agendas normally are less clear. Although the CAE may have a few prepared remarks, theses sessions typically revolve around one question asked by the audit committee: “Is there anything we need to talk about this time?” Yet, CAEs can make these executive sessions more valuable by engaging committee members in a dialogue about the organization’s risk culture. </p><h3>Set the Agenda</h3><p>As with the full audit committee meeting, having an agenda for the executive session is helpful. This should be a casual agenda that is not distributed; instead, the CAE should use it to ensure the session covers all topics of interest. The executive session agenda can include standard updates and risk topics specific to committee member concerns.</p><p>Because committee members may not know what to ask CAEs during executive sessions, CAEs can engage the audit committee in a variety of topics, including risk culture — how the business understands and manages risk.</p><p>In preparing for executive sessions, CAEs can create a list of ongoing and meeting-specific topics that address risk culture. Examples include tone at the top, corporate culture, governance, or overall risk monitoring. CAEs can provide insight into these areas without the committee having to ask for it, while hearing committee members’ perspectives.</p><h3>Share Risk Perspectives </h3><p>Communication in executive sessions is a two-way street. The committee can provide valuable information to the CAE, while the CAE can share risk information and preferred action steps. During the session, the CAE can ask:</p><ul><li>What decisions is the board contemplating that may represent a strategy change?</li><li>What concerns do audit committee members have about specific strategies or risks?</li><li>What risks should internal audit prioritize? </li></ul><p><br>Additionally, listening to committee member concerns  is valuable for understanding what they view as important. </p><p>For CAEs, targeted questions can yield details that may lead them to update the audit plan or add a project to ensure risk coverage is timely and relevant. For the committee, discussing a specific concern or question can prompt the CAE to share white papers or training information in the materials for future meetings. The better the committee understands risk and its true impact, the better it can influence the risk culture with the board and management.</p><h3>Request Focus or Action</h3><p>Because some topics can be politically charged, executive sessions exclude management to ensure open communication about sensitive topics. In the confidential environment of the session, CAEs can discuss risks that are not receiving necessary management focus along with recommended actions. For example, a change in privacy laws may require specific action by the organization. If the organization is not acting swiftly enough to comply, the CAE can alert the committee. </p><p>CAEs should share the specific requirements or a summary of the risk topic as background information for the committee, along with the potential impact and likelihood of occurrence. They should state whether the discussion is for the committee’s awareness only or if they are asking for action.  </p><p>These situations require tact. Unless the CAE is using the executive session to disclose fraud or wrongdoing by management, a no-surprises approach is best. In the privacy law example, the CAE should exhaust efforts to influence management to take appropriate action before bringing it up to the audit committee. As a courtesy, the CAE should inform management of plans to discuss the matter with the committee. </p><h2>Collaborate for Success</h2><p>Sharing risk culture successes with the audit committee during executive sessions can help it better understand how internal audit impacts the organization’s risk culture. For example, sharing ways that internal audit provided consulting or assurance services to a system implementation demonstrates the function’s key role and proactive risk approach. Moreover, these examples can help committee members see future anomalies with how internal audit may be positioned or used. <br></p>Sarah Duckwitz1
A Voice in the Boardroom Voice in the Boardroom<p>Most chief audit executives (CAEs) in North America report their findings to the organization’s audit committee. The IIA recommends this practice, held globally to be part of the gold standard enshrined in the three lines of defense model of corporate governance. Per the model’s logic, CAEs sitting on the metaphorical third line have free reign to go anywhere and suggest organizational improvements, without fear of restriction or recrimination.<br></p><p>Getting to this position has been a fight for many CAEs, and some have still not achieved it. But The IIA’s recent research, OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk, has questioned whether reporting to the audit committee potentially constricts the value internal audit can add to some organizations. As businesses face a growing range of external threats, so internal audit’s remit has expanded. Financial risk, once the mainstay of audit departments, today typically occupies only 20% of their time. Practitioners expend the rest of their effort on a diverse range of issues including cyber risk, disaster recovery, culture risk, climate change, and social responsibility, to name only a few.</p><p>This broadening of internal audit’s remit raises the question of the extent to which a CAE should report to other board committees, and in what circumstances he or she should report to the full board. And, for those wishing to explore that route, how can they get the audience and credibility to play this enhanced role?</p><h2>Expanding Audit Influence</h2><p>Internal auditors are spreading their influence beyond the audit committee via other conduits to the full board, says Jenitha John, former CAE at First-Rand Bank in Sandton, South Africa, member of The IIA’s global board of directors, and former nonexecutive director on several boards. “The heartening aspect is that you see internal audit now not just serving the audit committee but also making submissions to other board committees,” she explains. John has seen internal audit increasingly called on to submit reports and present to risk committees, social and ethics committees, and even remuneration committees. “These meetings pertain to strategic issues that the company faces with regard to such topics as risk data aggregations, cybersecurity, information governance, the veracity of social matters (nonfinancial indicators), risk management, process maturity that influences bonus pool allocations, and so on,” she says.</p><p>Part of the reason for this trend has been the way businesses have approached tackling new guidance, such as sustainability reporting standards issued by the Global Reporting Initiative, and new regulation, such as the European Union’s General Data Protection Regulation (GDPR). “Regulation is causing various disciplines in organizations, which didn’t necessarily work together because they were operating in silos, to now actually converge,” John says. GDPR, for instance, has drawn together a whole range of corporate disciplines — from finance, audit, governance, compliance, risk management, and fraud to human resources and IT — because data is ubiquitous in organizations. “Internal audit has the ability to draw those teams together and collaborate with all of these other counterparts in the organization,” she says. “If you are not coordinating efforts on these matters, you are depriving internal audit teams from really growing and listening and serving the organization properly.”</p><p>To serve this more diverse constituency, internal audit needs to adopt the right approach and clearly communicate to the board the scope and focus of its work.</p><p>“Reshaping negative perceptions about internal audit is absolutely critical,” John says. “As a CAE you have to emphasize the fact that you’re pragmatic in your approach, you’re proactive, you’re collaborative, you’re agile, you focus on integrated risk-based auditing, you are educational, and that you can school your governing body and your management teams on controls, risk management, governance, and organization from a best process perspective. You don’t only focus on communicating audit observations, but you talk about business optimization and efficiencies by leveraging strengths across teams.” That can help open the door to the various board subcommittees and, on critical strategic issues, to the board itself. </p><h2>Establish Credibility </h2><p>Living up to that ideal is not easy. Many CAEs lack credibility because they tend to emphasize box-ticking rather than focus on what matters to the audit committee, let alone the board, according to Dotty Hayes, a former CAE at both Intuit and Hewlett-Packard. Hayes is now chair of the board at First Tech Federal Credit Union in San Jose, Calif., and a board member and audit committee chair at a range of organizations. CAEs must be able to bring matters to the board that are important to its members and demonstrate that the annual audit plan is risk-based and fits closely with the threats relating to corporate strategy. Informal meetings also can be a great place to build credibility, Hayes says. The audit team is invariably closer to the business than members of the audit committee, so it is best placed to detect trends across the organization or in isolated parts of the enterprise.</p><p>“It’s probably not the full board, but the audit committee that is your primary interface as CAE,” she says. “You know you have made it with them when they really care what you think: You’re welcomed in as a strategic partner and, perhaps in a private session, you’re asked your opinion on an issue that has to be handled very diplomatically — such as, do you believe what management has told us?”</p><p>Hayes says the credibility issue is even more important when reporting to the full board because space on its agenda for discussing a specific risk is scarce. But where a strong relationship exists, she suggests it could be valuable for the CAE to be invited to the top table. She says this may be appropriate when the internal audit team is reporting on the results of an investigation that has serious findings, for instance, or on topics of special strategic interest such as mergers and acquisitions. She also has seen this approach taken during an annual discussion of the risk appetite in an enterprise risk management program, a key strategic topic involving the full board. Most of the time, though, she sees the audit committee as the appropriate reporting channel for internal audit’s recommendations.</p><p>But, she warns, the board has its own responsibilities in choosing the right CAE for the role. “The company has to hire an internal auditor who’s got boardroom presence and can basically go toe to toe with folks in explaining how the company and senior management needs to do something differently or better. If they haven’t hired that kind of person, all hope is lost.”</p><h2>Demonstrate Value</h2><p>Karen Brady, corporate vice president of audit and chief compliance officer at Baptist Health in South Florida, became chair of The IIA’s North American Board early in 2018. Her theme for her year of tenure was “Find Your Voice,” and she spent 12 months visiting hundreds of internal auditors across the U.S. and beyond to spread that message. She remains agnostic when it comes to the question of CAEs speaking to the full board, because she saw many different practices and arrangements that worked. In her own organization every member of the audit committee is also on the full board, so she says the reporting line to the audit committee is more than adequate. </p><p>But if internal audit wants to be credible with the board, or a board subcommittee, it has to be able to perform at the highest level. “Executive management tends to have conservative views of what internal audit can deliver, and that view follows through to the board because many executive officers also sit on audit committees in other organizations,” she says. “CAEs need to be able to innovate and do things in ways that are above and beyond expectations to challenge those views. If you want to be perceived as valuable to the organization, you have to <em>be</em> valuable to the organization.”</p><p>For Brady that means being perceived as a professional by sitting for the Certified Internal Auditor exam and following the <em>International Standards for the Professional Practice of Internal Auditing</em>. Implementing Standard 1312: External Assessments, she says, is an important part of this. She is even more convinced now about the need for internal audit departments to have a quality assurance review of their function than before her tenure as chair. “Internal audit’s quality assurance review is objective assurance to the board that your department is effective,” she says. “It adds credibility, especially if on top of that you are prepared to innovate, to identify areas of improvement in the organization, and to focus on strategic risk areas.”</p><h2>Understand Emerging Technology</h2><p>Technology is a key area in which internal auditors can innovate — Brady is preparing for her team to learn robotics. She says almost all businesses are either currently considering or deploying a wide range of emerging technologies, from drones and robots to blockchain and artificial intelligence. It is a subject that Thomas Sanglier, senior director, internal audit, at Raytheon in Waltham, Mass., and author of the book <em>Auditing and Disruptive Technologies</em>, has been focusing on for the past few years. </p><p>“Emerging technologies are a risk and an opportunity for internal auditors,” he says. “They are a risk because if you are unaware that robotic process automation is being used in your business, you are in the unfortunate position of missing an important risk to your organization. If you are adding assurance to the board in such a critical area, on the other hand, you will gain credibility and may even have the opportunity to grow your team and scope of responsibility.”</p><p>One of the challenges for internal auditors is to choose the technologies most relevant to their particular industries, because trying to learn about several new technologies at once can be overwhelming, he says. Raytheon has set up internal working groups — called councils — for each new, relevant technology. Sanglier and his team have participated in those groups to understand how those technologies are being used in the company.</p><p>“If you know what is in your products and processes, you can ask the right questions about risk and risk mitigation,” he says. “If you are lucky to have a subject-matter expert in your business, hitch yourself to them and learn everything you possibly can.” But he warns of becoming overdependent on one person, a criticism leveled at CAEs who were seen to be too reliant on their chief information officers for assurance around IT in The IIA’s OnRisk 2020 research.</p><p>“People are looking at emerging technologies as being IT-led; that’s a mistake,” he says. Internal auditors need to be looking at how those technologies are going to operate in the business, and how they may affect products and services. More broadly, CAEs can help the board understand how well the organization is positioned to use emerging technologies. For example, Sanglier points out that many new technologies depend on acquiring and processing clean data from across the enterprise, but data governance is often poor. “If nothing else, internal auditors, as part of every single audit, can look at data governance for whatever emerging technology the business is considering. When the technology comes — and it’s coming — you’re going to run into problems implementing it if the data is bad. It’s an issue the board needs to know about.” </p><h2>Reshaping the Audit Committee</h2><p>While some may point the finger at internal audit for being too focused on detail, or for not exploring emerging threat areas, audit committees may also need to reform. In the U.K., for example, the financial services industry regulators require regulated firms to have an audit committee and a separate risk committee. The requirement has helped raise the profile of risk within those businesses. Plus, recent guidance produced by the Risk Coalition, an industry body that aims to establish consensus on risk management practice, recommends that the risk committee invite the CAE to its meetings “as necessary or appropriate.” </p><p>Hanif Barma, one of the architects of the Risk Coalition and founder of the consultancy Board Alchemy, says many audit committees outside of the financial services sector would benefit from extending their remit to reflect the increased array of risks their organizations face. “Internal audit has changed from being largely focused on financial controls to becoming more concerned with the broader risk landscape,” he says. “The question is, has the body it reports to changed sufficiently as well? In many cases, it has not. They are largely focused on financial control and financial reporting, rather than acting as audit and risk committees.”</p><p>Reformulating the audit committee as a risk and audit committee could help internal audit develop a more strategic, risk-based role, he says. Barma chaired the board of a children’s charity that has made such a transition. The change has helped the organization take a more holistic approach to managing its risks, he says, and it has enabled the reformed committee to take deep dives into selected threats at its regular meetings. He explains that bringing those issues to a full board meeting may not be as effective because of the limited time they would receive. “To do internal audit justice, having a separate committee that gives focus to its work is really important,” he says. </p><p>On the other hand, with issues of strategic importance, CAE presentations to the full board can be worthwhile. “What has been missing in the evolution of corporate governance is that internal audit has not had access to the full board,” he says. “Perhaps the CAE does not have to sit through a full board meeting, but when the chair and company secretary are working on the board agenda, they should be considering whether there are issues on which the CAE could usefully come and give their perspective.”</p><h2>Extending Internal Audit’s Reach</h2><p>Clearly, more CAEs are finding a voice beyond the audit committee. As risk board subcommittees have emerged, auditors have been invited to contribute their expertise. Others have found a voice at other board subcommittees and, less frequently, in full board meetings. For those who have built up the credibility and clout, the opportunities to add value to their organizations have never been greater. <br></p>Arthur Piper1
Auditing Culture: Employee Surveys Culture: Employee Surveys<p>Employee surveys can be a valuable tool for assessing the workplace and spotting potential problems. And while organizations that use them often spend considerable time crafting their survey instrument, internal auditors may find opportunities to improve the content or administration of this key monitoring control. When the survey is tailored appropriately, its results can help auditors develop the periodic audit plan, scope audit projects, and better support audit results. <br></p><p>It is common for organizations to use the employee survey as a "pulse check" on their culture. It is less common for internal auditors to provide assurance on the survey's effectiveness in this capacity, or to use its output to improve their audit work. With the right approach, they can do both. <br></p><h2>Tailoring the Survey for Audit Use</h2><p>The city of Austin, Texas, conducts a citywide employee survey. At one point the city auditors compared its content to the "points of focus" in The Committee of Sponsoring Organizations of the Treadway Commission's <em>Internal Control–Integrated Framework</em>. The auditors found that the survey addressed most of the framework's content, except for ethics. They developed several ethics-related statements and persuaded Human Resources (HR) to add them to the survey. With these modifications in place, the audit team now uses the survey results for audit planning.<br></p><p>Taking a cue from the city auditors' approach, other internal auditors might consider suggesting changes to their own organization's survey. Sources of governance, risk, and control issues that might be addressed include: <br></p><ul><li> <em>The risk factors internal audit uses for audit planning.</em> Could additional survey statements provide insight into cultural risks related to these factors?<br></li><li> <em>Current professional guidance on culture.</em> A few of the cultural topics found in guidance documents are included in "Suggested Culture Topics" below.<br></li><li><p> <em>Survey statements used by others.</em> A selection of such statements appears in "<a href="/2020/PublishingImages/Auditing-Culture-Employee-Surveys2.pdf">Examples of Survey Statements on Cultural Topics.</a>" In addition, audit peers may be willing to share culture-related survey statements from their organizations, and internet searches can help identify more. <br></p></li></ul><p>Getting the survey administrator to add statements to an existing survey may be difficult, especially if the administrator is an external vendor. Internal auditors may want to determine whether the administrator can make changes before taking time to identify or develop additional statements.<br></p><p>Developing meaningful, unambiguous survey statements can be a challenge. Guidelines to keep in mind include: </p><ul><li>Be sure statements are phrased clearly and simply, and provide good instructions (e.g., when referring to "management," specify the level of management). </li><li>Get help. The organization's HR department might have expertise in survey statement development. If not, HR may be able to suggest a good source. Also consider reaching out to peers in the profession for recommendations — and at a minimum, research available guidance online.<br></li><li><p>Field-test the statements. Ask several people to respond to the statements using internal audit's prewritten response options, then ask them what they think each statement was asking. Start within the audit department, then branch out to other willing employees. This process should identify any ambiguity in the statements.<br></p></li></ul><h2>How to Leverage the Survey</h2><p>Even if the organization's survey does not include everything internal audit would like, it almost certainly addresses many important aspects of culture. Because cultural problems can be pervasive, negative survey results may suggest increased risk — perhaps even a substantial increase. Internal auditors should, therefore, factor employee survey results into their global risk assessment for planning which assurance and consulting projects to perform. <br></p><p>Survey results for the affected areas can then be used to plan and scope an audit or consulting project. They can also help support audit findings. The root cause of exceptions, for example, might be a cultural issue identified by the survey.<br></p><p>Some organizations might resist giving internal audit access to survey results with enough detail to be useful. Internal auditors must choose their battles, and the importance of culture suggests this might be a battle worth fighting. With support from the top and tactful communication, access will usually be given.<br></p><h2>Assessing the Survey Process</h2><p>If the business leaders rely on an entitywide employee survey to monitor the organization's culture, it is certainly a key control. And it should be subject to audit. Questions to ask about the process include:</p><ul><li>Is the survey truly anonymous and do employees believe that it is? </li><li>If the survey is not anonymous, is the level of confidentiality sufficient for employees to feel safe being honest?</li><li>Does the survey ask for comments at an appropriate frequency? By the time employees complete the survey, they may not remember issues raised that they want to comment on. Asking for comments several times can generate meaningful, specific information. If the survey is structured into sections, each addressing a broad topic, a comment request at the end of each section is advisable. Comments, of course, are voluntary and must be kept confidential.</li><li>Are the results publicized, with action plans to address issues and explanations when issues can't be addressed?</li><li>Are action plans completed effectively and on time?</li><li>What do employees think of the survey? Do they believe management takes it seriously and that it adds real value?</li><li><p>Is the response rate high? If not, why?<br></p></li></ul><p>If internal audit already knows the survey process well and has full confidence in it, this might constitute sufficient assurance. If not, an audit or advisory review would not take a lot of time and could yield valuable results.<br></p><h2>A Valuable Tool</h2><p>Employee surveys give internal auditors an opportunity to add value to a key monitoring control. They can recommend improvements to the survey content and process. And they can use the results to improve their own global risk assessment, plan and scope audit projects, and enhance and support audit findings. <br></p><p><br></p><table cellspacing="0" class="ms-rteTable-4" style="width:100%;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​ <h2 style="letter-spacing:normal;">Suggested Culture Topics <br></h2><p>The following are examples of topic areas, gathered from a variety of guidance documents, that might be suggested for inclusion in an entitywide survey. The list is by no means comprehensive.</p><p>1. Are the following aligned with the desired cultural values and principles?</p><ul><li>The business strategy.</li><li>The risk appetite.</li><li>The recruitment process.</li><li>The onboarding process and training programs.</li><li>The performance management system.<br></li><li>The incentive structures.</li><li>How employees, customers, and suppliers are treated.</li><li>Tone at the top and in the middle.</li><li><p>Behavior of frontline employees.<br></p></li></ul><p>2. Is risk management integrated into all decisions and activities, at all levels of the organization?<br></p><p>3. Are appropriate risk behaviors rewarded and inappropriate behaviors identified and sanctioned?<br></p><p>4. Is constructive challenge of risk decisions encouraged?<br></p><p>5. Is risk event reporting and whistleblowing encouraged, without fear of retaliation?<br></p><p>6. Is there clear ownership and accountability for specific risks and risk areas?<br></p><p>7. Are integrity and ethical values discussed regularly? Does management practice what it preaches?<br></p><p>8. Are assurance functions respected and appropriately resourced?<br></p> <br> </td></tr></tbody></table><p><em>Read other articles in this series:</em><br></p><p><a href="/2019/Pages/Auditing-Culture-History-and-Principles.aspx">Auditing Culture: History and Principles</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Bumps-in-the-Road.aspx">Auditing Culture: Bumps in the Road</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Where-to-Begin.aspx">Auditing Culture: Where to Begin</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Observation-and-Data.aspx">Auditing Culture: Observation and Data</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Audit-Project-Surveys.aspx">Auditing Culture: Audit Project Surveys</a><br></p>James Roth1
Risk as the Rosetta Stone as the Rosetta Stone<p>Language determines how people share information, invoke emotion in others, or persuade them to action. The words chosen also frame a listener’s perspective on an individual beyond simply that interaction. How people select and use words appropriately in a situation is important.</p><p>With this as a backdrop, it was no surprise that when my business partner referred to “risk as the Rosetta Stone” for business, the concept rang true. The Rosetta Stone, discovered in 1799, allowed people to decipher once-challenging Egyptian hieroglyphics. Having the key to deciphering the message unlocked understanding and knowledge previously unavailable. </p><p>Using the language of risk offers a similar master decoding structure — in this case, for businesses to leverage for greater understanding. Business demands as varied as resource allocation and product innovation will benefit from the use of a shared risk language that enables the organization to build from a common baseline. Leveraging a common organizational language can increase the organization’s efficiency and heighten value delivery. For auditors, leveraging components of a shared language can not only increase message clarity and enable more effective communications with business partners, but also enhance the understanding and outcomes of audits, projects, and advisory engagements.</p><h2>The Language of Risk</h2><p>Much as a language is made of key components such as vocabulary (shared definition of words and terms), syntax (arranging words in a sentence for meaning), and pragmatic rules for situational use, the language of risk is made of standard components. Ensuring these components are designed, shared, and understood across the organization supports effective communications and decision-making. Internal auditors should consider how these key risk components are structured in their organization and whether modifications or increased awareness might further enable their use as a common language for the business.<br></p><p><strong>Taxonomies</strong> (<em>a common vocabulary</em>) The core of any common language leverages a shared baseline. In risk-speak, this baseline is a taxonomy, naming standard, or universe definition. The risk universe or other classification structure provides a consistent lens to assess operational activities, monitor and compare effectiveness, and frame the scope of project or risk remediation efforts. A defined taxonomy also allows for a common aggregated reporting structure. This structure enables effective business decision-making because there is <br> consistency in comparing and contrasting information over time and across organizational functions.<br></p><p><strong>Measurements/Ratings</strong> (<em>a common vocabulary and a guide on syntax and structure</em>) Prioritization is difficult to define or agree upon without a standard rating scale by which to assess risk. Various functions and teams in an organization often share a scale for rating common risk variables — impact and likelihood. Similarly, internal audit usually defines a rating or prioritization scale for findings and reporting. Other teams, such as enterprise risk or security, also may use rating structures, which may be similar or quite different from others in use. To be able to prioritize and understand risk organizationwide, common scales must be used. When a scale includes metrics that apply cross-functionally — such as financial, operational, regulatory, client, or reputational — it can be better applied and leveraged across functions. For example:</p><ul><li>Apply scale levels to project prioritization based on potential savings or projected revenue increases, or based on customer or marketing impact.</li><li>Apply scale levels to measuring impact and likelihood of audit findings, helping to prioritize resource allocation for remediation efforts.</li><li>Apply scale levels to assessing product opportunities for financial impact, client satisfaction increases, or operational challenge points, aiding in prioritizing focus on go-to-market efforts.</li></ul><p><br><strong>Risk Response/Appetite </strong>(<em>pragmatic rules</em>) Within an enterprise risk management program, the risk response standard, rules, or matrix guide the norms expected for identified risks. The response standards define when a risk is acceptable within organizational parameters, when action is required, or when a risk is out of bounds but acceptable for monitoring for an interim period. This structure can be applied beyond the risk function to identify points for escalating concerns, engaging management approvals, or prioritizing operational activities.<br></p><h2>Business Value of a Shared Language</h2><p>Leveraging components of the risk language as a Rosetta Stone of understanding can quickly provide value to an organization. Focusing on some key components can enhance communication and improve business functions.<br></p><p><strong>Common Language Enhances Communications</strong> Use of a common vocabulary in cross-functional or global communications can ensure the messages reflect a consistent structure and clearly defined operational focus of the organization. The vocabulary should comprise agreed-upon top business risks, common naming, and classification of operational units.<br></p><p><strong>Shared Understanding Improves Efficiencies and Culture</strong> Consistent prioritization processes based on a defined measurement scale can increase understanding and alignment among different teams or operational units. While this doesn’t necessarily mean a shared agreement is always expected, a shared understanding of the “why” and comfort in consistent prioritization efforts may increase the effectiveness of communications and enhance corporate culture.  <br></p><p><strong>Translating</strong><strong> Details to Themes Speeds Decision-making</strong> Use of a defined risk universe structure in operational functions can provide for aggregation of repeated, consistent individual concern points. Use of the standard universe enables comparison across locations or teams and roll-up of reporting and assessments in a framework that is expected and understood by executive management. Enhanced understanding through a common framework can shorten decision-making cycles and produce solutions faster.<br></p><p><strong>Agreed-upon Prioritization for Resources Enables Quick Time to Value</strong> Having standards in place for measurement, response, and escalation can level the playing field, and drive consistent and intentional decision-making for allocating the organization’s resources.</p><h2>Be a Translator</h2><p>In their role as partners across the organization, internal auditors can promote the common communication and benefits associated with a shared risk language. As audit team members interact with stakeholders and partners, they should share their language with the organization with an eye on promoting understanding, improving efficiencies, and enabling the business.  <br></p>Melissa Ryan1
Climate Risk Assurance Risk Assurance<p>An article published earlier this year in <em>The Wall Street Journal</em> highlighted investor concern about the impacts of climate change, citing “a record of 75 or more climate-related shareholder proposals” expected at annual company meetings. Dupont investors, for example, proposed disclosure of the company’s risks from expansion of its operations in hurricane-prone areas, and nearly 30% of Starbucks shareholders voted for disclosing the coffee giant’s recycling plans. In addition, more and more institutional shareholders are backing the Sustainability Accounting Standards Board’s standards for corporate sustainability, aimed at helping publicly listed companies disclose environmentally relevant information to investors. Internal auditors, and the organizations they serve, should take note of these developments — particularly in businesses where such concerns may not currently be a priority.</p><p>Within the financial industry, climate risk is not always on the agenda. For example, financial companies, and their internal audit functions, may neglect to consider the credit evaluation risks associated with lending money to companies susceptible to climate-related events. In doing so, lenders overlook impacts that could severely disrupt the borrowing companies’ operations, and possibly hinder their repayment abilities. Even if it’s discussed, resulting impacts to the company’s credit risk rating may not be sufficiently accounted for when calculating the borrower’s credit rating. <br></p><p>By contrast, insurance companies are at the forefront of addressing climate-related risk. Policy calculations, for example, factor in threats to homes and businesses in wildfire-prone areas and flood risk to regions susceptible to hurricanes. Financial institutions, however, typically do not include such considerations when calculating the impact of risk to capital. And even if bank leaders do incorporate climate-related impact in their credit risk analyses, there is no real metric in place for that risk. </p><p>As independent assessors of risk, internal auditors could raise the issue of climate change risk with senior management, and even consider it as a point of concern when challenging the organization’s current risk management framework. Internal audit has the opportunity to create value, facilitate improvement, and execute its mission of providing independent assurance over the effectiveness of risk management. From envisioning the impact of climate-related risk on the bank’s daily operations to the impacts on clients’ operations and ability to perform against their credit risk, auditors can place themselves at the forefront of an important debate. </p><p>The financial industry, with the help of its internal audit practitioners, could get ahead of the curve by promoting a broad discussion about how to consider, monitor, and report climate change risk. If past crises taught us anything, reacting to stressed scenarios is arguably more expensive and takes longer to recover from than acting preventively. Let’s start the debate — the sooner the better. <br></p>Luciano Raus1
U.S. Companies Score Low on Governance Companies Score Low on Governance<p>​<span style="font-size:12px;">Amidst another season of corporate scandals, it's not surprising that U.S. companies are getting low grades on their governance report cards. A new index gives U.S. publicly listed companies an overall grade of C+, with 1 in 10 companies surveyed earning an F for corporate governance.</span></p><p>The IIA and the University of Tennessee's Neel Corporate Governance Center in Knoxville unveiled the <a href="">American Corporate Governance Index</a> (ACGI) this week at press events in New York and Washington, D.C., where speakers discussed the problems it identifies and how internal audit could help companies address them. Based on an anonymous survey of chief audit executives (CAEs), the index grades companies around eight of the <a href="/2019/Pages/A-New-Tool-for-Directors.aspx">Guiding Principles of Corporate Governance</a> (see "The Making of the Index" below), also released this week.<br></p><h2>Beyond the Boardroom</h2><p>Although responsibility for corporate governance begins in the boardroom, "governance is so much bigger than what's going on at the board level," said Terry Neal, director of the Neel Corporate Governance Center, at the Washington event. This is where internal audit, with its enterprisewide perspective, could help companies improve their grades, he said.</p><p>Take the issue of board performance assessments, for example. Principle 8 calls for boards to regularly evaluate "the full system" of corporate governance, yet responding companies received a C- grade — the overall worst grade — with most saying their company didn't formally monitor governance. One takeaway from interviews with CAEs in preparation for the survey is "a lot of CAEs are not doing this, but they are positioned to do it," Neal said.</p><p>But the index indicates that boards have problems of their own. Next to assessing corporate governance, the lowest grade (C) was for Principle 4, where CAEs said organizations were more focused on short-term issues rather than sustainable performance. Contributing to short-term thinking, CAEs say one-third of directors would not challenge the opinions of the CEO, and they gave boards a D grade for questioning whether they were receiving accurate and complete information from management.<br></p><h2>Board Care and Maintenance</h2><p>Christa Steele, a former CEO who serves on several boards, said good dialogue between directors and the CEO is key to a well-functioning board. "If directors are not talking to the CEO in board meetings, they should have those conversations offline," she said in Washington.</p><p>Steele noted it is difficult for boards to capture all the information about technology innovations, new market entrants, and other disruptive risks in what she calls "unprecedented times." Ahead of board meetings, she said she received a staggering 500 to 1,000 pages of information. "Now more than ever, we need to look at the information and scrub it to make sure we get the right information," she said. "But you can have information overload."</p><p>Understanding new risks is one reason "why board refreshment is so important now," she said, because boards often lack the knowledge to provide oversight in an era of greater transparency caused by social media. Although there have been calls for boards to add more specialized expertise — in technology, for example — she says there's a trade-off. "Do you want the technical expert or do you want someone who can ask the right questions?" she asked.</p><p>Board members like Steele increasingly want more insight into how the company is governed, even several levels of management down. That's the information that boards aren't seeing, Neal said. It's also where the ACGI finds some disconnects.<br></p><h2>Areas of Disconnect</h2><p>Principle 5 covers corporate culture, and CAEs gave boards and CEOs a high grade (A-) for setting a strong tone at the top. But CAEs say the board doesn't discuss culture much and that tone isn't communicated well across all levels of the company.</p><p>Fraud reporting is another example. In an era ripe with corporate scandals, CAEs gave their organizations high marks for following up on reports of wrongdoing and ensuring the company doesn't retaliate against employees who speak up. Yet, CAEs say employees aren't familiar with how to report violations. "When there's an event that occurs, you'll see a spike in reports," said Julie Scammahorn, senior vice president and chief auditor at Wells Fargo in New York.</p><p>These disconnects are becoming a greater issue with the rising emphasis on environmental, social, and governance (ESG), an area where companies received a C grade. The ACGI survey was conducted just before the Business Roundtable issued its revised <a href="">Statement on the Purpose of a Corporation</a> in August, in which prominent U.S. CEOs committed to benefiting stakeholders such as customers, employees, suppliers, and communities, in addition to shareholders.<br></p><h2>Auditing Governance</h2><p>While internal audit could be positioned to help boards look at risks deeper down in companies, assessing corporate governance is still a new area for many audit functions. Less than one-fourth of companies evaluate corporate governance annually, and when they do, it goes through the legal function, said Lauren Cunningham, assistant professor and director of research at the Neel Corporate Governance Center. "If legal does it, it's a check-the-box mentality," she said.</p><p>But more internal audit functions are taking on these assessments, Scammahorn observed. "I'm seeing more auditors taking deep dives into the information the board receives to make sure it is accurate and complete," she said. </p><p>Governance audits at the board level should be done by senior audit staff, such as the CAE's direct reports, Scammahorn advised. But they can make a big difference. "If you don't have a formal assessment, there aren't many boards that don't think they're doing a good job," Scammahorn says. "When you put a formal assessment in front of them, they see they have work to do."<br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<p><strong>The Making of the Index</strong></p><p>The IIA and the Neel Corporate Governance Center developed the AGCI based on eight of the Guiding Principles of Corporate Governance. In turn, the two organizations compiled those principles from guidance and principles from organizations such as the Business Roundtable, National Association of Corporate Directors, and New York Stock Exchange. </p><p>In preparation for the survey, researchers interviewed prominent CAEs about the principles and their observations of governance practices. They then surveyed 128 CAEs from U.S. companies of various sizes from a wide range of industries. Researchers evaluated these responses and assigned a score and letter grade for each of the principles, as well as elements within those principles. Because responses to the survey were anonymous, the ACGI does not provide grades for individual companies.<br></p><p><em>Principle 1</em> — Effective corporate governance requires regular and constructive interaction among key stakeholders, the board, management, internal audit, legal counsel, and external audit and other advisors. <span style="font-size:12px;">Grade: C+</span></p><p><em>Principle 2</em> — The board should ensure that key stakeholders are identified and, where appropriate, stakeholder feedback is regularly solicited to evaluate whether corporate policies meet key stakeholders' needs and expectations. <span style="font-size:12px;">Grade: B-</span></p><p>Principle 3 — Board members should act in the best interest of the company and the shareholders while balancing the interests of other key external and internal stakeholders. <span style="font-size:12px;">Grade: B-</span></p><p><em>Principle 4</em> — The board should ensure that the company maintains a sustainable strategy focused on long-term performance and value. <span style="font-size:12px;">Grade: C</span></p><p><em>Principle 5</em> — The board should ensure that the culture of the company is healthy, regularly monitor and evaluate the company's core culture and values, assess the integrity and ethics of senior management and, as needed, intervene to correct misaligned corporate objectives and culture. <span style="font-size:12px;">Grade: B-</span></p><p><em>Principle 6</em> — The board should ensure that structures and practices exist and are well-governed so that it receives timely, complete, relevant, accurate, and reliable information to perform its oversight effectively. <span style="font-size:12px;">Grade: C+</span></p><p><em>Principle 7</em> — The board should ensure corporate disclosures are consistently transparent and accurate, and in compliance with legal requirements, regulatory expectations, and ethical norms. <span style="font-size:12px;">Grade: B</span></p><p><em>Principle 8</em> — Companies should be purposeful and transparent in choosing and describing their key policies and procedures related to corporate governance to allow key stakeholders an opportunity to evaluate whether the chosen policies and procedures are optimal for the specific company. <span style="font-size:12px;">Grade: C-</span></p><br></td></tr></tbody></table>Tim McCollum0
A New Tool for Directors New Tool for Directors<p>​The dictionary defines <em>principle</em> as a fundamental truth that serves as the foundation for a larger system of belief or behavior — a sturdy, versatile thing that, when used correctly, can address a wide range of issues. So it's welcome news that The IIA and the Neel Corporate Governance Center at the University of Tennessee in Knoxville have developed a set of Guiding Principles of Corporate Governance. After all, corporations have a lot of issues that need addressing. </p><p>Shareholders want better returns, even as they preach about long-term stability over short-term results. Regulators want compliance with standards for financial reporting, cybersecurity, business conduct, sanctions, and more. Consumers want low prices, prompt service, and environmentally friendly products, or else they'll flay the company on social media. Employees want a raise and a viable career path, or else they'll quit. </p><p>Those are a lot of constituencies and demands that corporations have to juggle somehow, with a heap of legal liability if boards steer the organization wrong. So, yes,  sound principles of corporate governance are a vital tool for directors to have.</p><p>"It's not like you can read a book and then say, 'Oh yeah, I know exactly what my corporate governance should look like,'" says Steve Albrecht, a long-time business professor at Brigham Young University and elsewhere who has served on the boards of SkyWest Airlines, Cypress Semiconductor, and numerous other public and private companies over the years. He sees the governance principles as a mechanism to help boards hold themselves and their organizations accountable to the various objectives (financial, operational, legal, ethical) they might have. </p><p>Sure, companies also can be held accountable by law enforcement, activist investors, or social media campaigns — but if matters have reached that point, the board is already losing. "All those ways to hold corporations accountable are from the outside, except for corporate governance, which is from the inside," Albrecht says. "And they all have negative consequences except for corporate governance." In other words, good corporate governance is about an organization's self-discipline before outsiders decide to intervene. </p><h2>What Governance Principles Entail</h2><p>The Guiding Principles of Corporate Governance were developed to serve as a foundation for a new <a href="">American Corporate Governance Index</a> on U.S. publicly held companies released this month. The index is based on a survey of chief audit executives at an array of U.S.-listed companies, creating a scorecard for overall corporate governance quality in the U.S. </p><p>The Guiding Principles reflect a compendium of viewpoints on corporate governance from sources ranging from the National Association of Corporate Directors, New York Stock Exchange, and Organisation for Economic Co-operation and Development to the Business Roundtable, The Committee of Sponsoring Organizations of the Treadway Commission, and the King Commission. Read through the nine points of the Guiding Principles, and a few themes emerge. </p><p>First, these principles are meant to establish durable practices — the muscle memory directors can use to guide their thinking, as they confront one issue after another. For example, Principle 3 talks about identifying key stakeholders and soliciting their feedback to make sure the organization's policies meet stakeholders' expectations. That's a practice boards need to be able to perform whether they're deciding on share buyback plans versus new investment (What do shareholders want right now? What will keep us competitive in five years?) or resolving dilemmas about ethical sourcing (Will our reputation among consumers be worth higher supply chain costs?). </p><p>Or consider Principle 6, that boards oversee the corporate culture of the business, assess the integrity of senior management, and intervene when culture and objectives are misaligned. As we keep moving into a more transparent world, where everything is available for all observers to see and dissect all the time, the alignment of values among a corporation and its stakeholders will matter more. </p><p>It won't suffice simply to declare your ethical values and culture of integrity; even Enron did that. Organizations will need to demonstrate their embrace of those things in a visible way. The board bears ultimate responsibility for that, and Principle 6 reminds directors to keep that duty top of mind.</p><p>"There are a lot of things boards have to do," says Taylor Simonton, currently audit committee chair for Master Chemical Corp., Advanced Emissions Solutions, and Surna. "If they don't already have principles in place … some things can get missed." </p><p>Second, the principles also define how the board should govern itself. Principle 4, for example, lists eight criteria about directors' commitment of time, evaluation of performance, director education, meeting in executive session, and even compensation structure. Call all of that guidance about how a board can keep itself in trim and healthy shape, so it can execute all those duties mentioned above or in some of the other principles. </p><h2>Putting the Principles to Work</h2><p>OK, let's say the board has read the principles and likes what it sees. How would directors go about putting the principles to good use? </p><p>One idea is to review the board committee charters and assess how well they capture the spirit of the Guiding Principles. For example, the principles stress the importance of directors devoting sufficient time to their duties, meeting in executive session, and rotating directors as needed to ensure the right balance of institutional knowledge and new perspective. All good points. So how do the board's charters translate those points into specific requirements for attendance, training, meetings without the CEO present, or limits on committee tenure?</p><p>More broadly, the Guiding Principles also can help a board hone its thinking about what committees it should have (beyond those required by law). The principles stress the importance of identifying key stakeholders and monitoring key risks — but those things vary from one company to the next. So can the board articulate why it does or doesn't have, say, an IT risk committee, or a public policy committee? </p><p>Every board would <em>like</em> to say yes, it can; but the Guiding Principles make it much easier for a board to say, "We started by measuring ourselves against the principles, and reached these decisions, which explain why our board is structured the way it is."</p><p>Larry Harrington, former head of internal audit for Raytheon and a past chairman of the board of The IIA, sees the Guiding Principles as a maturity model. Boards can use the principles to plot their location on that model, and map out steps for improvement. </p><p>That idea of a maturity model raises an important point: A board must <em>want</em> to improve to take full advantage of the principles. Otherwise, the principles are just more window dressing, like Enron's fabulous code of conduct. "The folks who really need the guidance don't pay any attention to it, and the folks who generally do a good job use it as a barometer for 'What else can I do better?'" Harrington says. "Because they do want to do better." <br></p>Matt Kelly1

  • AuditBoard_Apr 2020_Premium 1
  • Fastpath_Apr 2020_Premium 2
  • IIA Membership Centers_Apr 2020_Premium 3