U.S. Companies Score Low on Governance<p><span style="font-size:12px;">Amidst another season of corporate scandals, it's not surprising that U.S. companies are getting low grades on their governance report cards. A new index gives U.S. publicly listed companies an overall grade of C+, with 1 in 10 companies surveyed earning an F for corporate governance.</span></p><p>The IIA and the University of Tennessee's Neel Corporate Governance Center in Knoxville unveiled the <a href="">American Corporate Governance Index</a> (ACGI) this week at press events in New York and Washington, D.C., where speakers discussed the problems it identifies and how internal audit could help companies address them. Based on an anonymous survey of chief audit executives (CAEs), the index grades companies around eight of the <a href="/2019/Pages/A-New-Tool-for-Directors.aspx">Guiding Principles of Corporate Governance</a> (see "The Making of the Index" below), also released this week.<br></p><h2>Beyond the Boardroom</h2><p>Although responsibility for corporate governance begins in the boardroom, "governance is so much bigger than what's going on at the board level," said Terry Neal, director of the Neel Corporate Governance Center, at the Washington event. This is where internal audit, with its enterprisewide perspective, could help companies improve their grades, he said.</p><p>Take the issue of board performance assessments, for example. Principle 8 calls for boards to regularly evaluate "the full system" of corporate governance, yet responding companies received a C- grade — the overall worst grade — with most saying their company didn't formally monitor governance. One takeaway from interviews with CAEs in preparation for the survey is "a lot of CAEs are not doing this, but they are positioned to do it," Neal said.</p><p>But the index indicates that boards have problems of their own. 
Next to assessing corporate governance, the lowest grade (C) was for Principle 4, where CAEs said organizations were more focused on short-term issues rather than sustainable performance. Contributing to short-term thinking, CAEs say one-third of directors would not challenge the opinions of the CEO, and they gave boards a D grade for questioning whether they were receiving accurate and complete information from management.<br></p><h2>Board Care and Maintenance</h2><p>Christa Steele, a former CEO who serves on several boards, said good dialogue between directors and the CEO is key to a well-functioning board. "If directors are not talking to the CEO in board meetings, they should have those conversations offline," she said in Washington.</p><p>Steele noted it is difficult for boards to capture all the information about technology innovations, new market entrants, and other disruptive risks in what she calls "unprecedented times." Ahead of board meetings, she said she received a staggering 500 to 1,000 pages of information. "Now more than ever, we need to look at the information and scrub it to make sure we get the right information," she said. "But you can have information overload."</p><p>Understanding new risks is one reason "why board refreshment is so important now," she said, because boards often lack the knowledge to provide oversight in an era of greater transparency caused by social media. Although there have been calls for boards to add more specialized expertise — in technology, for example — she says there's a trade-off. "Do you want the technical expert or do you want someone who can ask the right questions?" she asked.</p><p>Board members like Steele increasingly want more insight into how the company is governed, even several levels of management down. That's the information that boards aren't seeing, Neal said. 
It's also where the ACGI finds some disconnects.<br></p><h2>Areas of Disconnect</h2><p>Principle 5 covers corporate culture, and CAEs gave boards and CEOs a high grade (A-) for setting a strong tone at the top. But CAEs say the board doesn't discuss culture much and that tone isn't communicated well across all levels of the company.</p><p>Fraud reporting is another example. In an era rife with corporate scandals, CAEs gave their organizations high marks for following up on reports of wrongdoing and ensuring the company doesn't retaliate against employees who speak up. Yet, CAEs say employees aren't familiar with how to report violations. "When there's an event that occurs, you'll see a spike in reports," said Julie Scammahorn, senior vice president and chief auditor at Wells Fargo in New York.</p><p>These disconnects are becoming a greater issue with the rising emphasis on environmental, social, and governance (ESG), an area where companies received a C grade. The ACGI survey was conducted just before the Business Roundtable issued its revised <a href="">Statement on the Purpose of a Corporation</a> in August, in which prominent U.S. CEOs committed to benefiting stakeholders such as customers, employees, suppliers, and communities, in addition to shareholders.<br></p><h2>Auditing Governance</h2><p>While internal audit could be positioned to help boards look at risks deeper down in companies, assessing corporate governance is still a new area for many audit functions. Less than one-fourth of companies evaluate corporate governance annually, and when they do, it goes through the legal function, said Lauren Cunningham, assistant professor and director of research at the Neel Corporate Governance Center. "If legal does it, it's a check-the-box mentality," she said.</p><p>But more internal audit functions are taking on these assessments, Scammahorn observed. 
"I'm seeing more auditors taking deep dives into the information the board receives to make sure it is accurate and complete," she said. </p><p>Governance audits at the board level should be done by senior audit staff, such as the CAE's direct reports, Scammahorn advised. But they can make a big difference. "If you don't have a formal assessment, there aren't many boards that don't think they're doing a good job," Scammahorn says. "When you put a formal assessment in front of them, they see they have work to do."<br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<p><strong>The Making of the Index</strong></p><p>The IIA and the Neel Corporate Governance Center developed the AGCI based on eight of the Guiding Principles of Corporate Governance. In turn, the two organizations compiled those principles from guidance and principles from organizations such as the Business Roundtable, National Association of Corporate Directors, and New York Stock Exchange. </p><p>In preparation for the survey, researchers interviewed prominent CAEs about the principles and their observations of governance practices. They then surveyed 128 CAEs from U.S. companies of various sizes from a wide range of industries. Researchers evaluated these responses and assigned a score and letter grade for each of the principles, as well as elements within those principles. Because responses to the survey were anonymous, the ACGI does not provide grades for individual companies.<br></p><p><em>Principle 1</em> — Effective corporate governance requires regular and constructive interaction among key stakeholders, the board, management, internal audit, legal counsel, and external audit and other advisors. 
<span style="font-size:12px;">Grade: C+</span></p><p><em>Principle 2</em> — The board should ensure that key stakeholders are identified and, where appropriate, stakeholder feedback is regularly solicited to evaluate whether corporate policies meet key stakeholders' needs and expectations. <span style="font-size:12px;">Grade: B-</span></p><p><em>Principle 3</em> — Board members should act in the best interest of the company and the shareholders while balancing the interests of other key external and internal stakeholders. <span style="font-size:12px;">Grade: B-</span></p><p><em>Principle 4</em> — The board should ensure that the company maintains a sustainable strategy focused on long-term performance and value. <span style="font-size:12px;">Grade: C</span></p><p><em>Principle 5</em> — The board should ensure that the culture of the company is healthy, regularly monitor and evaluate the company's core culture and values, assess the integrity and ethics of senior management and, as needed, intervene to correct misaligned corporate objectives and culture. <span style="font-size:12px;">Grade: B-</span></p><p><em>Principle 6</em> — The board should ensure that structures and practices exist and are well-governed so that it receives timely, complete, relevant, accurate, and reliable information to perform its oversight effectively. <span style="font-size:12px;">Grade: C+</span></p><p><em>Principle 7</em> — The board should ensure corporate disclosures are consistently transparent and accurate, and in compliance with legal requirements, regulatory expectations, and ethical norms. <span style="font-size:12px;">Grade: B</span></p><p><em>Principle 8</em> — Companies should be purposeful and transparent in choosing and describing their key policies and procedures related to corporate governance to allow key stakeholders an opportunity to evaluate whether the chosen policies and procedures are optimal for the specific company. 
<span style="font-size:12px;">Grade: C-</span></p><br></td></tr></tbody></table>Tim McCollum
A New Tool for Directors<p>The dictionary defines <em>principle</em> as a fundamental truth that serves as the foundation for a larger system of belief or behavior — a sturdy, versatile thing that, when used correctly, can address a wide range of issues. So it's welcome news that The IIA and the Neel Corporate Governance Center at the University of Tennessee in Knoxville have developed a set of Guiding Principles of Corporate Governance. After all, corporations have a lot of issues that need addressing. </p><p>Shareholders want better returns, even as they preach about long-term stability over short-term results. Regulators want compliance with standards for financial reporting, cybersecurity, business conduct, sanctions, and more. Consumers want low prices, prompt service, and environmentally friendly products, or else they'll flay the company on social media. Employees want a raise and a viable career path, or else they'll quit. </p><p>Those are a lot of constituencies and demands that corporations have to juggle somehow, with a heap of legal liability if boards steer the organization wrong. So, yes, sound principles of corporate governance are a vital tool for directors to have.</p><p>"It's not like you can read a book and then say, 'Oh yeah, I know exactly what my corporate governance should look like,'" says Steve Albrecht, a long-time business professor at Brigham Young University and elsewhere who has served on the boards of SkyWest Airlines, Cypress Semiconductor, and numerous other public and private companies over the years. He sees the governance principles as a mechanism to help boards hold themselves and their organizations accountable to the various objectives (financial, operational, legal, ethical) they might have. </p><p>Sure, companies also can be held accountable by law enforcement, activist investors, or social media campaigns — but if matters have reached that point, the board is already losing. 
"All those ways to hold corporations accountable are from the outside, except for corporate governance, which is from the inside," Albrecht says. "And they all have negative consequences except for corporate governance." In other words, good corporate governance is about an organization's self-discipline before outsiders decide to intervene. </p><h2>What Governance Principles Entail</h2><p>The Guiding Principles of Corporate Governance were developed to serve as a foundation for a new <a href="">American Corporate Governance Index</a> on U.S. publicly held companies released this month. The index is based on a survey of chief audit executives at an array of U.S.-listed companies, creating a scorecard for overall corporate governance quality in the U.S. </p><p>The Guiding Principles reflect a compendium of viewpoints on corporate governance from sources ranging from the National Association of Corporate Directors, New York Stock Exchange, and Organisation for Economic Co-operation and Development to the Business Roundtable, The Committee of Sponsoring Organizations of the Treadway Commission, and the King Commission. Read through the nine points of the Guiding Principles, and a few themes emerge. </p><p>First, these principles are meant to establish durable practices — the muscle memory directors can use to guide their thinking, as they confront one issue after another. For example, Principle 3 talks about identifying key stakeholders and soliciting their feedback to make sure the organization's policies meet stakeholders' expectations. That's a practice boards need to be able to perform whether they're deciding on share buyback plans versus new investment (What do shareholders want right now? What will keep us competitive in five years?) or resolving dilemmas about ethical sourcing (Will our reputation among consumers be worth higher supply chain costs?). 
</p><p>Or consider Principle 6, that boards oversee the corporate culture of the business, assess the integrity of senior management, and intervene when culture and objectives are misaligned. As we keep moving into a more transparent world, where everything is available for all observers to see and dissect all the time, the alignment of values among a corporation and its stakeholders will matter more. </p><p>It won't suffice simply to declare your ethical values and culture of integrity; even Enron did that. Organizations will need to demonstrate their embrace of those things in a visible way. The board bears ultimate responsibility for that, and Principle 6 reminds directors to keep that duty top of mind.</p><p>"There are a lot of things boards have to do," says Taylor Simonton, currently audit committee chair for Master Chemical Corp., Advanced Emissions Solutions, and Surna. "If they don't already have principles in place … some things can get missed." </p><p>Second, the principles also define how the board should govern itself. Principle 4, for example, lists eight criteria about directors' commitment of time, evaluation of performance, director education, meeting in executive session, and even compensation structure. Call all of that guidance about how a board can keep itself in trim and healthy shape, so it can execute all those duties mentioned above or in some of the other principles. </p><h2>Putting the Principles to Work</h2><p>OK, let's say the board has read the principles and likes what it sees. How would directors go about putting the principles to good use? </p><p>One idea is to review the board committee charters and assess how well they capture the spirit of the Guiding Principles. For example, the principles stress the importance of directors devoting sufficient time to their duties, meeting in executive session, and rotating directors as needed to ensure the right balance of institutional knowledge and new perspective. All good points. 
So how do the board's charters translate those points into specific requirements for attendance, training, meetings without the CEO present, or limits on committee tenure?</p><p>More broadly, the Guiding Principles also can help a board hone its thinking about what committees it should have (beyond those required by law). The principles stress the importance of identifying key stakeholders and monitoring key risks — but those things vary from one company to the next. So can the board articulate why it does or doesn't have, say, an IT risk committee, or a public policy committee? </p><p>Every board would <em>like</em> to say yes, it can; but the Guiding Principles make it much easier for a board to say, "We started by measuring ourselves against the principles, and reached these decisions, which explain why our board is structured the way it is."</p><p>Larry Harrington, former head of internal audit for Raytheon and a past chairman of the board of The IIA, sees the Guiding Principles as a maturity model. Boards can use the principles to plot their location on that model, and map out steps for improvement. </p><p>That idea of a maturity model raises an important point: A board must <em>want</em> to improve to take full advantage of the principles. Otherwise, the principles are just more window dressing, like Enron's fabulous code of conduct. "The folks who really need the guidance don't pay any attention to it, and the folks who generally do a good job use it as a barometer for 'What else can I do better?'" Harrington says. "Because they do want to do better." <br></p>Matt Kelly
Confronting Climate Change<p>The adverse impacts of rising global temperatures and extreme weather conditions are becoming a front-line risk for businesses. A 2015 Economist Intelligence Unit study estimated that the value of global manageable assets at risk due to climate change could be as much as $4.2 trillion between now and 2100 in discounted, present-value terms. That is roughly on par with the total value of all the world’s listed oil and gas companies. Meanwhile, increased regulation to confront climate change is gaining momentum around the world.</p><p>These trends are leading boards and executives to realize that today’s climate-related decisions may dramatically impact their organizations in the future. Leaders are recognizing that the magnitude of climate change risks warrants a collective action as their impacts are widespread and not just a future threat. As a result, organizations may incur increased production costs, decreased demand, and delayed delivery of goods and services to their customers. </p><p>The growing stakeholder concern about climate change risks is creating demand for climate-competent auditors to help analyze the threats and recommend remedies. Such practitioners can help their organization address financial, process, and governance implications. Through a multipronged approach encompassing both strategic and tactical activities, internal audit can assist organizations in confronting climate change risks. </p><h2>Being Climate-competent</h2><p>Today, audit stakeholders are seeking answers to the basic questions about what climate change risks might impact them and the arrangements in place to mitigate them. Internal audit must adapt to these expectations and demonstrate the “insightful, proactive, and future-focused” characteristics described in The IIA’s Core Principles for the Professional Practice of Internal Auditing. 
</p><p>Internal audit functions that conform to the International Professional Practices Framework should be qualified to audit climate change risks. To supplement their knowledge, The IIA has published the Practice Guide on Evaluating Corporate Social Responsibility/Sustainable Development.</p><p>Yet, a worrying trend in audit reports is that many auditors do not see climate change risks beyond financial risks to the business. Some internal audit functions may not include climate change risks in the audit plan because they are not considered a principal risk to the business. For example, according to the KPMG Survey of Corporate Social Responsibility Reporting 2017, 72% of large and midcap companies did not acknowledge the financial risks of climate change. This could be because boards, executives, and internal audit lack understanding of climate change risks and their implications. </p><p>In other cases, although internal auditors may consider climate change risks in the audit plan, they may not understand the assumptions and estimates used in preparing the financial statements. Likewise, auditors may not comprehend the implications of climate change risks when applying existing accounting treatments and audit standards. Additionally, standard audit programs may not be helpful in assessing climate change risks, control criteria, and their potential impact. Finally, the audit team may not have climate-change risk specialists to assist the teams in focusing on key areas of concern. </p><h2>Strategy and Risk Management Insight </h2><p>Those internal audit functions can’t ignore climate change for long. With these risks looming on the near-horizon, auditors can advise the board and management by promoting accountability in addressing climate change risks.</p><p>Internal audit can help ensure the organization is identifying, prioritizing, and remedying key climate change risks appropriately. 
For example, internal audit can advise on strategies for developing a process to define, monitor, and assess climate change risks. Auditors can ask management about the organization’s resilience and sustainability, as well as audit the organization’s sustainability report. </p><p>Another way internal audit can provide value is reviewing whether the business strategy aligns with the applicable regulatory environment. Auditors can facilitate root-cause analysis of potential regulatory noncompliance. Coordinating control self-assessment workshops can identify the areas where the organization’s climate-change response strategy does not align with its business processes.</p><p>Internal auditors also should evaluate the financial and strategic implications of climate change risks. While the changes to carbon-free or low-carbon technology could pose potential financial risks, they also could result in opportunities such as alternative technologies, business processes, services, and products.</p><p>Internal audit should ensure the organization’s enterprise risk management process includes an appropriate focus on climate change risks. Auditors can assist in developing a granular view of risks that can enable management to create appropriate risk management strategies. In addition, they should evaluate whether management has established benchmarks, metrics, success criteria, key performance indicators, and leading practices.</p><p>Where management is reluctant to consider climate change risks, internal audit can help change executives’ attitudes by enhancing their knowledge of the risks and demonstrating how to assess and predict their impacts. In addition, internal auditors who have assisted other organizations in addressing climate change risks can share information and analysis of their experiences and promote the use of tools and systems for these purposes. 
</p><h2>The Way Forward</h2><p>The audit function should understand the climate change risks affecting the organization and be able to add value proactively, timely, and effectively. It is important to assess whether the organization fully grasps the implications of climate change risks. To move forward, internal audit should: </p><ul><li>Develop a consensus with the board and senior management about internal audit’s role. </li><li>Champion a focus on climate change-related risks by participating in the risk analysis process and educating management on the best practices in climate change-related governance, risks, and controls.</li><li>Ensure the audit function has the appropriate skills to evaluate climate change risks and execute related audit engagements.</li><li>Empower audit teams by developing appropriate tools and procedures for assessing climate change risks, capacity building through mentoring and effective onboarding, and including climate experts in the audit teams.</li><li>Incorporate climate change risks into the organization’s risk register and ensure appropriate audit units are contained in the audit universe. The chief audit executive should ensure that the identified risks are embedded in each audit engagement.</li></ul><p>Climate change risks impact all of humanity. Consequently, there is much work to be done. The responsibilities of internal audit and the required skills are changing quickly. As a partner in a good governance process, the modern internal audit function can be pivotal in addressing climate change by positioning itself as an agent of change.  
<br></p>Israel Sadu
Auditing Culture: Audit Project Surveys<p>Internal auditors looking to gauge organizational culture can choose from a variety of assessment techniques. Some are innovative, robust, and resource-intensive, while others are fairly simple. Typically, using a combination of techniques provides a more well-rounded picture of the culture.</p><p>Some of the most commonly used assessment techniques include: </p><ul><li>Entitywide employee surveys.</li><li>Open-ended interviews.</li><li>Structured interviews, in which a sample of employees is asked the same set of questions.</li><li>Combining objective data with auditors' perceptions.</li><li>Focus groups.</li><li>Self-assessment workshops.</li><li><p>In-depth root cause analysis.</p></li></ul><p>One of the simplest tools for auditing culture is an audit project survey — a survey conducted during the course of an audit engagement. There are several advantages to using a survey tool, as well as limitations and challenges that should be considered. Armed with this knowledge, and familiarity with suggested development and implementation practices, auditors may be better positioned to harness audit project surveys as a means of gaining valuable insight on organizational culture.</p><h2>Advantages</h2><p>Employee surveys have several advantages over other techniques for evaluating culture, including:</p><ul><li> <strong>Anonymity. </strong>If employees know survey results will remain anonymous, they may be more candid than they would in an interview.</li></ul><ul><li> <strong>Potentially Greater Validity. </strong>If employees feel safe and believe action will be taken to address their concerns, surveys usually constitute an accurate measure of employee perceptions.</li></ul><ul><li> <strong>Quantitative Results</strong>. 
Most employee surveys I have seen ask respondents to indicate the extent to which they agree or disagree with statements (see, for example, the "University of Minnesota Employee Survey" below). The percentage of employees who disagree or strongly disagree with a statement is an objective fact, and significant disagreement represents strong evidence that something needs to be examined.</li></ul><ul><li><p> <strong>Efficiency.</strong> Audit project surveys provide an efficient way of gathering input from a large sample of employees. Effective project surveys often yield a response rate of 60-70%, and online survey tools make aggregating and analyzing the responses relatively easy. Unless the audited area is unusually small, interviewing and analyzing responses from a comparable percentage of employees would be prohibitively time-consuming.<br></p></li></ul><h2>Challenges and Drawbacks</h2><p>While the advantages of employee surveys are considerable, internal auditors should be aware of several potential drawbacks. Recommendations for addressing these limitations are also provided. </p><ul><li> <strong>Possible Lack of Candor. </strong>Employees may not be candid, in which case positive results will produce false assurance.<strong> </strong>Although surveys can be anonymous, employees might not believe they are. And if employees fear retribution from their manager, responses are likely to be positive regardless of how they really feel. </li></ul><ul><li> <strong>Potential Blind Spots. </strong>Employees may have blind spots about cultural issues, which can affect their assessments. An often used definition of culture is "how we do things around here." When someone joins an organization, he or she wants to fit in and may accept the way things are done without question. Similar to a lack of candor, this will produce false assurance.<br><em>Recommendation. 
</em>To address both lack of candor and cultural blind spots, auditors should avoid relying solely on survey results. Some people will be more candid in an interview than on a survey. For example, I think of an objection I received when discussing entitywide surveys at a conference in the Pacific Rim. An attendee who worked for a U.S. multinational company that used this type of survey said, "Surveys don't work here. People in this country will never be honest on a survey. They'll tell us exactly what's going on but they would never write it down." I now tell this story when I teach in that country, and the attendees always agree.<br>No single tool or technique is sufficient. Auditors need to be aware of limitations that exist in a given location and complement surveys with their own observations, available data that reflects the culture, interviews, and whatever other tools might be useful in that context. <br></li><li> <strong>Employee Misperceptions. </strong>Although surveys can be an accurate measure of employee perceptions, employees can be wrong. I think, for example, of a lead auditor who worked for me when I was an audit manager. She would occasionally come into my office, ask to close the door, and say, "What are you managers thinking? Do you have any idea what the staff is saying about this decision you made two weeks ago?" I'd say, "But Pam, they don't understand why we made that decision," and realize that we needed to tell them. Pam did a great service by alerting us to the staff's misperceptions, which we could then correct.<br><em>Recommendation.</em> Auditors should not present negative survey results as an issue unless they find corroborating evidence. However, if they can't find such evidence, or what they find contradicts the survey results, they should report it to local management as a possible misunderstanding it might want to correct.<br> </li><li> <strong>Ambiguity. 
</strong>Developing survey statements that are clear and unambiguous can be difficult. Take, for example, the statement, "Management is ethical, fair, and open to employee suggestions." This statement asks about three different qualities. A manager might have one or two of these qualities, but not the third. Also, does "management" refer to the employee's immediate supervisor, the head of the organization, or something in-between? <br><em>Recommendation. </em>Auditors can use a couple of methods to prevent survey statement ambiguity. First, they can draw from good models. Examples of effective surveys can be found in internal audit literature, obtained from colleagues, and accessed on the internet. With established models, any initial ambiguity is likely to have already been identified and corrected. Moreover, auditors will be able to approach prewritten survey statements more objectively, and identify any residual ambiguity more easily, compared to statements written by themselves.<br> Auditors can also field-test the survey once it's been developed. Before finalizing the survey instrument, they can give it to several people and ask what they thought each statement was asking. This exercise should identify most or all remaining ambiguity.</li></ul><ul><li> <strong>Scope Limitations. </strong>Surveys are limited to the predefined issues they include. And obviously, culture encompasses much more than a brief survey can assess. <br><em>Recommendation. </em>Internal auditors can address this concern by asking survey participants for explanatory comments. The University of Minnesota Employee Survey below has only 12 statements, but it asks respondents, "Would you like to tell us anything else about the operations of your (college, department, center, or other term as appropriate)?" Respondents can elaborate on any of the 12 statements or include something else they want the auditors to consider. 
</li></ul><h2>Development, Implementation, and Analysis</h2><p>Audit project surveys should be adjusted to best fit the environment in which they will be applied. Several considerations should be kept in mind when tailoring a survey for use with a particular client or organization, and during survey implementation and analysis. </p><ul style="list-style-type:disc;"><li>Design the survey carefully. Provide clear instructions for completing the survey, and phrase statements carefully using simple, easy-to-understand language.</li><li>Ask for level of agreement/disagreement with statements — such as those shown in the University of Minnesota Employee Survey's Likert scale below — and for explanatory comments.</li><li>Ask managers if they want to add issues they're concerned about. Good managers often wonder what their employees really think about certain decisions they've made or aspects of the environment. This is their chance to get honest feedback that employees might not want to give them in person.</li><li>If the content might be highly sensitive, consider asking the legal department to review the survey instrument. The lawyers are less likely to object if they are consulted up front than if they see the survey once it's underway. And they might have legitimate concerns.</li><li>To demonstrate management's support, ask the head of the audited area, as well as the chief audit executive, to sign the survey invitation email.</li><li>Consider using online survey tools to survey 100% of the population and to facilitate results analysis. </li><li>Stratify responses by level — for example, senior management, middle management, staff — and compare the differing perceptions.</li><li>Remember that surveys measure employee perceptions; they must be substantiated to be reported as audit issues. If they can't be substantiated, they still provide valuable information for the manager. </li><li><p>Involve the "experts" in interpreting the results. 
Some audit departments review the stratified results with a focus group of experienced employees who know better than the auditors why employees responded as they did. The confidentiality of individuals' comments, of course, must be preserved.</p></li></ul><p>Regardless of the technique or combination of techniques used, auditors and their stakeholders must keep in mind the objective of culture auditing: to continually enrich stakeholders' understanding of the culture through a blend of qualitative and quantitative evidence; the objective is not to reach final conclusions. Without this shared understanding, internal auditors risk giving false assurance when assessment results are positive and assigning unfair blame when results are negative. </p><h2>An Important Tool</h2><p>Project audit surveys can provide key insight on organizational culture. Like other tools used for this purpose, they will not be effective in every situation. But when applied with discretion and in conjunction with other techniques, they can be a valuable asset in the culture auditor's toolbox.<br></p><p><img src="/2019/PublishingImages/auditing-culture-questionnaire-smaller.jpg" alt="" style="margin:5px;" /><br></p><p>Read the other articles in Jim Roth's series on culture:<br></p><ul><li><a href="/2019/Pages/Auditing-Culture-History-and-Principles.aspx">Auditing Culture: History and Principles</a><br></li><li><a href="/2019/Pages/Auditing-Culture-Bumps-in-the-Road.aspx">Auditing Culture: Bumps in the Road</a><br></li><li><a href="/2019/Pages/Auditing-Culture-Where-to-Begin.aspx">Auditing Culture: Where to Begin</a><br></li><li><a href="/2019/Pages/Auditing-Culture-Observation-and-Data.aspx">Auditing Culture: Observation and Data</a><br></li></ul>James Roth
Social Media Governance<p>Social media’s strategic role within organizations has grown exponentially as it has become a ubiquitous juggernaut of nonstop information of varying degrees of accuracy and relevance. But its risks to the organization have accelerated, as well. To keep up, organizations need a strong governance structure that specifically emphasizes social media.<br></p><p>Similarly, social media’s high impact and high risks mean internal audit should look closely at all related activities. Perhaps the most important of these activities for internal audit is ensuring the organization’s social media governance is effective. </p><h2>It Starts at the Top</h2><p>Any aspect of governance starts with the board. As part of its assurance efforts, internal audit should ensure the board understands the broad scope of risks related to social media, as well as the board’s role in establishing an appropriate governance structure. </p><p>Foundationally, the organization already should have an effective governance structure in place. But the fast pace of change related to social media means the board should take a more active role in ensuring the organization’s governance structure addresses unique social media issues effectively. This not only helps the organization successfully achieve these objectives, but also further ensures the organization will not be broadsided by change, irrelevance, and damaging reputation issues.</p><p>The board must understand the changing landscape of social media, as well as the current and evolving risks. Further, directors must understand the organization’s social media strategies — both the strategies specific to social media and those using social media to better achieve objectives. This includes understanding how the strategies were developed and how they support the organization’s overall mission. 
Finally, the board should understand how the organization will address emerging issues, potential crises, and the overall changes in the social media environment. </p><p>Ultimately, board members must be able to lead conversations that get to the heart of the organization’s approach (see “Questions the Board Should Ask” at the bottom of this page). To ensure the board is prepared to successfully oversee social media activities, internal audit should focus on three areas: knowledge, training, and communication. </p><p><strong>Knowledge</strong> The constant press coverage related to social media “fails” has resulted in boards becoming more aware of social media’s risks and pitfalls. But it also has led many boards to focus on the latest YouTube debacle or Twitter mistake, rather than understanding the broader risks. Therefore, internal audit should ensure board members fully understand the risks and opportunities related to social media, as well as the organization’s activities. <br></p><p><strong>Training</strong> Internal audit should ensure the board has been trained appropriately on new and emerging social media technologies, how they are used, the risks to the organization and its industry, and how competitors are using social media. Such training will help the board understand how the organization developed its strategic approach and what it needs to be successful. <br></p><p><strong>Communication</strong> Internal audit should ensure communication channels allow the board unfettered and timely access to the information it needs about social media. 
In addition to information from executives, this communication should come from committees responsible for social media, departments involved in developing and communicating through social media, and front-line personnel who are dealing with day-to-day issues that can quickly grow into organizational disasters.<br></p><p>Internal audit can provide assurance that board members are prepared by examining activities at the highest levels of the organization. The best way is for auditors to speak directly with board members to gain assurance that directors are providing the best oversight possible. Additionally, auditors should review correspondence and minutes of board meetings, as well as the information received by the board, to ensure that it has been kept in the loop. They also should review training materials to ensure materials cover all appropriate areas and that all board members have participated.<br></p><p><img src="/2019/PublishingImages/Jacka-social-media-governance-at-a-glance-chart.jpg" alt="" style="margin:5px;width:800px;height:562px;" /><br></p><h2>Executive Oversight</h2><p>At the next layer of governance, the executive level is responsible for developing and implementing the organization’s social media strategies and objectives, as well as ensuring they align with the organization’s other strategies and objectives. Like the board, executives should obtain assurance that social media projects are advancing as expected, the projects are aligned with other strategies, the objectives are being met, significant risks and issues are communicated, and all other necessary information is brought to executives’ attention timely.</p><p>Best practice is to assign a social media champion at the executive level to oversee social media activities organizationwide and be responsible for their success. The executive should fully understand and believe in the value of social media to the organization, while also understanding the associated risks. 
This individual also should have the status to freely communicate potential issues and concerns to fellow executives. Otherwise, social media activities may fail because of lack of interest.</p><p>It also is best practice to establish a social media oversight committee to handle responsibilities at a more granular level. The committee should encompass all departments with a role in social media and include individuals with the authority to initiate changes. The committee will be responsible for ensuring the alignment and success of all social media strategies, objectives, and plans; monitoring project progress; and communicating potential issues. The executive champion should be an active member of this committee, providing guidance and ensuring necessary communication between the committee and executives.</p><p>Much of internal audit’s review of executive oversight is similar to that outlined for the board — just more detailed. This includes obtaining assurance that executives receive ongoing training that allows them to understand how social media can best be used, and that executives are adequately updated on social media. In addition, internal audit should determine whether executives are actively ensuring their individual departments are using social media appropriately, and that those activities are aligned with other departments and functions.</p><p>Interviews with executives are the best way for auditors to obtain this information. And, while social media-focused interviews can be an important part of the review, an effective alternative is to discuss the topic in meetings about departmental risks, concerns, and upcoming initiatives. Special attention should be paid to the executive champion, who can be a significant source of information about the status and growth of social media. 
If the relationship is cultivated appropriately, the champion can be a source for potential areas of review.</p><h2>The First Line of Defense</h2><p>A challenge in any governance structure is ensuring coordination among the teams that manage the various aspects of risk. Effective social media governance requires each of the three lines of defense — operational management, risk management and compliance functions, and internal audit — to understand the specific risks and responses that apply to their functions. </p><p>The first of these lines, operational management, owns and manages the risk. These are the operational managers responsible for maintaining effective internal controls and executing ongoing risk and control procedures. Each operational function must understand the impact of social media on its responsibilities, as well as the function’s role in the organization’s social media presence. Although their roles and responsibilities can vary from one organization to the next, the following are functions that could be involved with social media. </p><p><strong>Marketing</strong> This function is responsible for marketing through social media channels, including brand management. Responsibilities include ensuring social media delivers a consistent message to the right customers, brand integrity and standards are maintained in all social media channels — including the activities of agencies and third-party vendors — and the message being delivered matches organizational objectives. <br></p><p><strong>Sales</strong> The sales function’s responsibilities include ensuring sales efforts on social media match marketing’s message, delivery of products and services sold through social media is accurate and timely, and follow-up is taken on leads generated through social media. The department also must keep online sales information updated and accurate, and use social media data to analyze trends related to leads, sales, and returns. 
Ultimately, the function should ensure social media improves sales efficiencies and costs.<br></p><p><strong>Customer Service</strong> This function ensures complaints received through social media are handled efficiently, customer satisfaction in the online sales process is maintained at the desired levels, and customers are referred to the appropriate goods and services. Customer service also makes sure all online communications maintain the appropriate tone and social media is used to accurately measure customer satisfaction.<br></p><p><strong>Public Relations</strong> Also known as corporate communications or community relations, public relations manages how the public perceives the organization. Its responsibilities include ensuring social media messages related to public relations match the overall messaging strategy and monitoring exists to identify, avert, and mitigate crisis situations. Public relations also should have an effective crisis management plan that includes responding to social media issues and using social media as part of the crisis management process.<br></p><p><strong>IT</strong> This function develops and maintains hardware and software used for social media. IT’s responsibilities include ensuring customers have a seamless experience while using social media and maintaining sufficient backups to reduce or eliminate downtimes. This function implements technology to achieve the organization’s social media objectives and ensures access to the organization’s social media sites is controlled.</p><p><strong>Human Resources</strong> This function uses social media to recruit new employees and potentially uses social media to deliver training. Human resources should ensure that training on the use of social media includes all employees and all facets of social media use. 
It should ensure a social media policy is developed that complies with existing regulations and the organization’s other policies, and monitor employee satisfaction through external comment boards and websites.<br></p><h2>The Second Line</h2><p>The second line of defense comprises those functions that ensure first line of defense controls are designed appropriately, in place, and operating as intended. Spanning the organization, these functions provide assurance related to their field of expertise. Second line functions need to keep abreast of changes in social media with a particular emphasis on issues impacting the areas they oversee. As with the first line of defense, the specific structure and responsibilities of second-line functions differ among organizations. In reviewing governance, internal audit should ensure that the organization is addressing all of the potential social media oversight roles these functions perform.</p><p><strong>Risk Management</strong> This function ensures social media risks are understood throughout the organization and included in risk assessment processes. Responsibilities include ensuring all risk assessments consider social media, departments keep abreast of emerging issues and risks related to social media, and those issues and risks are communicated timely. The risk function also must ensure all departments’ risk assessment and management procedures address social media risks appropriately.<br></p><p><strong>Compliance</strong> The compliance function is responsible for ensuring existing regulations are reviewed for reinterpretations that may impact social media and that new and changing regulations are monitored. It must advise all departments of regulations that will impact their use of social media and ensure that potential noncompliance issues are reported and acted upon.<br></p><p><strong>Security</strong> The security function must ensure appropriate access to and control over social media activities. 
It ensures general IT security controls such as passwords, antivirus, anti-malware, and firewalls have been established and are being used effectively. It also makes sure that access to the organization’s social media accounts is restricted appropriately, all accounts are monitored for suspicious activity, and accounts that are no longer in use have been decommissioned. Additionally, the security function should ensure all employees understand the risks related to inappropriate use of social media.<br></p><p><strong>Quality</strong> This function is responsible for ensuring the organization’s use of social media complies with standards related to brand and image. Its responsibilities include ensuring branding and imaging within social media accounts match established standards, and making sure overall quality and professionalism of social media interactions match the desired level. The quality function also should ensure information reported through social media channels is accurate, and the organization takes effective corrective action on identified issues.<br></p><h2>The Third Line</h2><p>Internal audit provides the board and senior management with independent and objective assurance of the other two lines’ efficiency and effectiveness. To that end, auditors should ensure that all entities in the three lines understand social media risks as well as their responsibilities for those risks. Internal audit can use two approaches to provide this assurance.</p><p>The first is to conduct an overall review of social media, focusing on the functions where the greatest risk may reside. This review may entail separate audits of social media for each function — which will provide detail on how the function is performing — or a review of social media risks, adding focus on potential gaps among departments. </p><p>The second approach is to include social media as a risk area in all audits planned for the year. 
The results should be included in the individual reports, but auditors also should consider providing an overview of organizationwide responses to social media risks.</p><h2>Audit’s Social Impact</h2><p>Social media has become an integral part of any organization’s success and an area that internal audit functions ignore at their own peril. In providing assurance regarding social media, governance can be one of the most impactful areas in which internal audit can provide value. Moreover, reviewing governance establishes a foundation upon which internal audit can begin to build its understanding of, and assurance work related to, social media. <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>Questions the Board Should Ask</strong></p><p>A well-informed board is equipped to ask the important questions about the organization’s use of social media. To ensure the organization understands its social media strategies and direction, here are some questions board members should be prepared to ask and the organization should be able to answer.</p><p><strong>How are we using social media to engage with our customers, open new markets, and recruit top talent?</strong> </p><p>These three areas are only a small part of how the organization is using social media. But they provide a good foundation to ensure the organization understands the impact of social media, and they may help the organization explore how best to use it.</p><p><strong>How are our competitors using social media?</strong></p><p>Social media is a competitive advantage. Without understanding how the competition is involved, the organization cannot know if it is ahead of or behind the curve. Understanding the competition’s use of social media also provides lessons learned without actually taking the risks. 
In addition, following competitors on social media provides insights into their strategies and plans beyond social media.</p><p><strong>How are our employees and other stakeholders using social media? What do we allow?</strong></p><p>This question generally will lead to a discussion about existing social media policies. But the primary purpose is to provide assurance that the organization is aware of the risks related to employee and stakeholder use of social media, is monitoring those activities, and is prepared to respond quickly to potential issues.</p><p><strong>What regulations regarding social media does our organization need to be aware of?</strong></p><p>Board members need assurance that the organization understands the impact of regulators on the organization’s use of social media, monitors compliance with those regulations and regulatory changes, and takes appropriate actions.</p><p><strong>How are we monitoring social media activity for potential negative issues? Does this include plaintiff, activist, regulator, and vendor social media activity?</strong></p><p>Monitoring is an important part of the organization’s social media risk management process. Almost every social media fail could have been better controlled had the organization monitored and responded to social media conversations appropriately. Monitoring can provide early warning about public relations, brand, regulatory, or legal issues before they get out of hand. </p><p><strong>How are we interacting with the organization’s followers, friends, etc.?</strong></p><p>The board needs to understand how success is measured related to the investment in social media. The important aspect of this question relates to how any measures of success will be used to positively impact organizational objectives. 
Board members should be asking for a direct link between social media metrics and broader organizational success.</p><p><strong>What do board members need to do to ensure they keep out of trouble?</strong></p><p>First, the board must be assured that it has the information necessary to understand and respond to relevant social media risks. Second, board members must understand how their use of social media — whether as a representative of the organization or as a private citizen — can impact the organization. While these are questions that should be asked by board members, they also are excellent questions for internal audit to use during its reviews, particularly at a governance level. The questions dig deeply into the knowledge and awareness of all social media participants.<br></p><p><em>Adapted from “Critical Social Media Questions for the Board Room” by Richard S. Levick, Fast Company, 11/27/12.</em><br></p></td></tr></tbody></table><p><em>Jacka and Scott are the authors of Auditing Social Media, Second Edition, published in August by The IIA’s Internal Audit Foundation.</em><br></p>Mike Jacka
A Limited View<p><span style="font-size:12px;">Boards still largely think of internal audit as a control function rather than a resource they can call upon for help on a wide range of strategic and risk-related issues, say senior internal auditors. Several leading figures from the profession attended the National Association of Corporate Directors Global Board Leaders' Summit last month in Washington, D.C., and all of them were taken aback by the presenters' lack of reference to internal audit and corporate governance. They were surprised at the absence of discussion on contributions the function could make to a range of key emerging risk issues, including cyber risk, corporate social responsibility, and climate risk.</span></p><p>Nancy Haig, head of internal audit and compliance at a professional services firm in New York, and a member of The IIA's North American and Global boards, says that directors are "still missing a trick" by overlooking the contribution internal audit can make to assisting in the governance process. "In most of the talks that I attended, speakers regularly said that they wanted more risk assurance, and they wanted to be better informed, but they rarely said that they sought help from internal audit to deliver this," she says. "It just didn't seem to occur to any of them that internal audit is an excellent resource to call upon for this kind of work."<br></p><p>The audit leaders who attended the event agree that internal audit's capabilities appear largely underappreciated by members of corporate boards. They point to the need for change and for increased board awareness regarding the important role practitioners can play in organizational governance.<br></p><h2>Untapped Potential<br></h2><p>Haig says that directors seem to view internal audit as a function that just checks financial controls, noting that they overlook how much more the profession can provide. 
"It is a key internal resource that can help review whether there are sound processes in place for determining corporate strategies, and how best to implement them," she says. "Internal audit can help identify future risks to the business and suggest approaches to mitigate them. These are all crucial elements of good corporate governance, but directors may still not be making the best use of the skills that internal audit has to offer."<br></p><p>Haig suggests that, in some organizations, there may be too much focus on determining what directors' responsibilities are rather than on how support functions such as internal audit can help directors, as well as management, achieve their goals. "This is an area that may be ripe for change," she notes.<br></p><h2>Relationship Building</h2><p>Benito Ybarra, chief audit and compliance officer at the Texas Department of Transportation in Austin, Global IIA board member, and chair of The Institute's North American Board, says the relationship between internal audit and the board needs some work to ensure better outcomes. Typically, he says, communication between the two is largely "one-way," with internal auditors working to make the most of the board members' limited time through varying methods of communication and boards not fully understanding the potential breadth of an internal auditor's role. <br></p><p>"Board members understand that internal audit exists within the organization, but it is a function that is assigned to the audit committee," Ybarra says. "It doesn't usually occur to them to call upon the function to do anything that the audit committee has not already agreed upon. The board's primary function is oversight of the organization, with the organization's leadership within its focus — not internal audit."<br></p><p>Internal audit can also face challenges stemming from its reporting relationships. 
Many chief audit executives find themselves reporting functionally to the board or audit committee, but administratively to the chief financial officer or other members of the organization's management team. "This inhibits the internal auditor from gaining access to the CEO and limits their perspective regarding the organization's strategy," Ybarra says. "This can negatively impact the internal auditor's ability to formulate and position the function's skill set to ensure alignment and focus on advancing the organization."<br></p><p>Another part of the problem, Ybarra says, is that some internal auditors can be reluctant or "too timid" to participate in discussions involving strategy, risk management, culture, and governance. The profession may be associated more with what it won't do rather than what it is capable of doing. <br></p><p>"Boards can be frustrated by internal audit," Ybarra explains. "Executives get tired of hearing that internal audit can help identify risks but can't provide solutions for managing them."<br></p><p>As a result, it's time for the profession to "step forward," Ybarra asserts. He says that internal auditors should focus on "ways it can say 'yes'" more often, rather than saying that something does not fall within their remit, or citing independence, expertise, or resource issues. "Saying 'yes' more often can result in advancing yourself, the organization, and the profession much more than limiting yourself to being in a documentary in which you can't participate," he says.<br></p><p>Ybarra adds that internal audit functions should position themselves to be trusted advisers that can provide ideas and solutions and think about how to add value in the same way that a consultant would do. "Internal auditors need to understand what boards are focusing on, the problems they are facing, and think of ways of helping," he explains. "It is not tenable anymore to take a step back from these kinds of discussions. 
They need to think more strategically and about the contribution they can bring to the table. In short, they need to do and deliver more."<br></p><p>A recent IIA report, <a href="">OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk</a>, provides insight on how internal audit can make contributions along these lines. Citing misalignment on risk among board members, executive management, and internal audit, the report points to deficiencies in the completeness and quality of information flow to boards as a potential cause. Suggested internal audit remedies include asking board members if they are comfortable that the information provided to them is complete, accurate, and timely, and reviewing certain board materials, such as those involving mission-critical risks, to verify and communicate whether any information is incomplete or inaccurate.<br></p><h2>Demonstrate Value</h2><p>Neil Frieser, senior vice president, Internal Audit, at telecommunications company Frontier Communications in Norwalk, Conn., and IIA North American Board member, says that if internal audit wants to engage board members' hearts and minds, they need to increase awareness about how the organization can leverage its skills. <br></p><p>"Reminding boards what kind of work we already do will only achieve so much," Frieser says. "We need to educate them about where the profession is heading and the new areas of focus that we are interested in working on. We need to demonstrate proficiency in key areas such as data analytics, robotic process automation, cyber risk management, business ethics, corporate reputation, and environmental risk awareness. As a profession, we need to show that we are more than a function that just looks at compliance and internal controls — we need to give them confidence that we understand how the business works, identify obstacles to achieving established business strategy, and how we can help the board fulfill its duties." 
<br></p><p>He also points out, however, that time allotted for interaction with board members can be very limited and notes the importance of being thoughtful about agenda items and crisp in the delivery of information.<br></p><p>The best way to get the board's attention, Frieser says, is for internal auditors to be thought leaders and advocates for their functions and the profession. "If we want to raise our status, we need to make sure we truly engage the board at a higher level than we have done historically," he says. "We need to show what we can do and be accountable for it." <br></p>Neil Hodge
6 Myths of Business Ethics<p>Recent corporate scandals at companies such as Nike, Volkswagen, and Wells Fargo have spotlighted the negative impact of poor ethical cultures. Meanwhile, public trust in business and government is low.<br></p><p>Ethics is a key part of corporate governance. The past three decades have seen several moves to improve business governance and ethics: The Committee of Sponsoring Organizations of the Treadway Commission’s <em>Internal Control–Integrated Framework</em>, the U.S. Sentencing Reform Act, and the U.S. Sarbanes-Oxley Act of 2002 and similar legislation in other countries.</p><p>Ethics is a cornerstone of internal auditing, as well, both in terms of the ethics of practitioners and the profession’s role in providing assurance of organizations’ ethical practices. The <em>International Standards for the Professional Practice of Internal Auditing</em> Standard 2110: Governance calls on the internal audit function to assess the organization’s ethical climate, and The IIA’s Practice Guide on Evaluating Ethics-related Programs and Activities describes procedures to help auditors review organizational ethics. </p><p>Yet, in addressing ethics, organizations and internal audit often are hindered by several myths. Internal auditors should step back and assess whether these “tacit truths” about ethics are actually helping organizations become more ethical. <br></p><h2>Myth 1: The Code of Conduct Supports Ethical Behavior<br></h2> <p>The first step in planning an audit of ethics is to check whether the organization has a code of ethics or conduct designed to help the organization and its stakeholders behave ethically. In fact, most publicly traded companies around the world are legally required to have a code in place. 
</p><p>However, the main risk is not whether the code of conduct exists, but how it is used in the organization. There is mixed evidence that conduct codes actually help improve the ethical climate. Implementing a code of conduct could reduce ethical behavior, according to a 2011 study published in <em>Decision Sciences Journal</em>. A 2005 Harvard Business School study shows that the main goal of such codes is not to improve an organization’s ethical climate but to reduce possible legal fines in case of prosecution. Moreover, a 2018 <em>Harvard Business Review</em> study conducted by Hui Chen and Eugene Soltes found that a code of ethics has no impact on ethical decision-making. <br></p><table cellspacing="0" class="ms-rteTable-4" style="width:100%;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"> <p><strong>How to address this myth</strong> Internal auditors should examine the actual practices of their organization’s code of conduct. Employees annually signing the code, checking for specific compliance policies in place to support and provide additional guidance on key components of the code, and conducting focus groups or surveys to assess the code of conduct are not enough. 
Based on various behavior experiments, the best practice is to require decision-makers to read and sign a statement that they are complying with the code before making every major decision, according to the book <em>The Honest Truth About Dishonesty</em> by Dan Ariely.<br></p></td></tr></tbody></table><h2>Myth 2: The Compliance Program Helps the Organization Become More Ethical<br></h2> <p>The average multinational company spends several million dollars a year on compliance, which can be even greater in highly regulated industries such as finance and defense, according to the 2018 <em>Harvard Business Review</em> article by Chen and Soltes. Despite such spending, executives complain that compliance does not offer any tangible ethical benefits. Putting these two trends together, executives are struggling to see how compliance can help improve ethics in the organization. </p><p>Compliance programs are caught in the same dilemma as ethics codes: The primary goal is to satisfy regulatory requirements or reduce penalties, rather than actually help the organization become more ethical. Internal auditors also should keep in mind that compliance issues are not the same as ethical issues — what is legal is not the same as what is ethical and vice versa.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"> <p><strong>How to address this myth</strong> For compliance programs to have a meaningful impact, internal auditors need to test what works and what doesn’t. The compliance program should experiment and innovate. One way is to test assumptions about how people actually behave versus what they say they do. 
Compliance should test which programs or internal controls work — using hypothesis testing or control and testing groups — to see why people do not follow the rules and how rules should be presented to them. For example, some people respond more to visual information, so for them, rules should be presented in a different form than for those who respond more to audio. <br></p></td></tr></tbody></table><h2>Myth 3: Whistleblowing Tools Reduce the Risks of Unethical Behavior<br></h2> <p>The recent case of Nike, which faces gender discrimination lawsuits despite taking steps to alter its culture, shows that sometimes, even if the tools of enhancing ethics in an organization are enforced and communicated, unethical behavior may persist. EY’s 14th Global Fraud Survey finds that people do not want to report wrongdoing and that reporting comes with significant risk. Challenging the status quo in any organization threatens people’s status and relationships with their supervisors and colleagues. Moreover, whistleblowing can be a self-serving tool when combined with the bystander effect — when a person is in trouble, others who are present often fail to intervene because they assume other people will do so or because they think it’s not their place to act. <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>How to address this myth</strong> The objective of whistleblowing should be to detect wrongdoing in a more timely manner. 
There are several ways whistleblowing can achieve this goal: </p><ul><li>Establish legal protection for whistleblowing at the national, industry, organizational, and labor contract levels.</li><li>Offer financial benefits to whistleblowers.</li><li>Test whether the hotline works and is confidential — for example, by using “mystery tester” reports.</li><li>Conduct a mock performance of unethical behavior, such as deliberately backdating and signing a document in front of employees or staging an act of employee harassment, to test whether anyone reports it.<br></li></ul></td></tr></tbody></table><h2>Myth 4: More Training in Ethics Is Better<br></h2> <p>The common way to measure ethical training programs is with completion rates, which are normally between 90% and 95%, according to Deloitte and <em>Compliance Week</em>’s 2016 Compliance Trends Survey. The problem is that this metric shows neither the quality of the training nor its effectiveness. Research by Carmel Herington and Scott Weaven shows that more training in ethics is not better and can sometimes reduce the engagement of employees. However, training programs are easy to measure, and managers therefore encourage using them. <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"> <p><strong>How to address this myth </strong>The organization should strive for the quality or customization of training for each employee. Ethical behavior is not something that is the result of policies but is a practice that, as Aristotle says, becomes part of the person when in use. Organizations should tailor ethics programs to the individual’s specific need, moral development, and character. 
At the very least, customization should be based on functions and corporate hierarchy, followed by measurement of employees’ moral development, with subsequent training sessions grouped based on the results. Ideally, training should be conducted in person rather than online and use real examples from people and organizations — especially ethical dilemmas that do not have an easy fix. <br></p></td></tr></tbody></table><h2>Myth 5: Individual Unethical Character Can Be Curbed With the Right Internal Controls</h2> <p>One outcome of the 2008 financial crisis is that it provided evidence that the character of executives was a contributing factor to the worldwide crisis. For auditors, it should be clear that personality and character are not the same. The main difference is that personality may change over time, but character remains the same. </p><p>Also, personality is the range of distinctive personal qualities and traits of an individual, but character refers to a set of morals and beliefs that defines how the individual treats others or behaves with others and himself. Changing character is not possible, though organizations are spending millions of dollars on these kinds of programs. <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"> <p><strong>How to address this myth</strong> When an employee is already in the organization, it is fruitless to try to change his or her character to become more ethical. The root cause lies in the hiring process. Human resources practices are normally good at testing or examining the technical competencies of candidates as well as evaluating personal traits. When it comes to testing the ethical character of the candidates, most organizations fall flat. 
Internal auditors should check whether the organization’s hiring practices examine job candidates’ moral development. One well-established test is the Heinz dilemma, a thought experiment developed by psychologist Lawrence Kohlberg to assess moral reasoning skills, which ranks participants along six stages ranging from obedience to universal ethical principles. <br></p></td></tr></tbody></table><h2>Myth 6: Goals Related to Ethics or Compliance Help Organizations and Individuals Behave More Ethically</h2> <p>When Enron went bankrupt, both independent investigators and company officials were clear: Enron’s goal-setting practices, which involved setting difficult and specific performance goals for employees, were at the heart of the misconduct. In fact, many of the goals were connected directly to compliance and ethics, such as ethics training completion rates and regulatory fines paid. Moreover, a growing body of academic research demonstrates that giving people specific, challenging performance goals can cause them to cheat on tasks or misrepresent their performance. In addition, pressures that companies face striving for quarterly earnings targets or personal goals in employees’ annual appraisal interviews can contribute to unethical behaviors. <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"> <p><strong>How to address this myth</strong> If goals can lead to unethical behavior, following the organization’s purpose can help build ethical behavior, according to <em>Nine Lies About Work</em> by Marcus Buckingham and Ashley Goodall. When the organization has a purpose beyond maximizing value or profit, employees develop a sense of belonging and behave more ethically no matter the specified goals. 
Moreover, strides in ethical behavior result from practice and repetition, which should be integral to the organization’s approach. </p><p>Reflective thinking can help with this process. Reflective thinking is the critical-thinking process that refers specifically to analyzing and making judgments about what has happened. Reading clubs that feature books that deal with ethical issues, regular meetings about ethical decision-making, and ethics “hackathons” — exercises that examine the ethical implications of a particular technology — are some methods to foster reflective thinking in the organization.<br></p></td></tr></tbody></table> <h2>Being Courageous</h2><p>In letting go of these well-intentioned but misguided myths about ethics, internal auditors should use critical thinking to challenge principles or practices that seem great at first but could actually be mere fads. The foundations of critical thinking are Socratic questioning of evidence, closely examining reasoning and assumptions, analyzing basic concepts, and tracing implications both of what is said and of what is done. Critical thinking becomes essential especially where business ethics faces challenges and old ways of doing things no longer work. </p><p>Courage is another integral part of auditing ethics. To speak up and show where the ethical risks lie sometimes involves going beyond the limits of the organization. Internal auditors should have the courage to go further and not be afraid. </p><p>Ethics is a struggle against human nature. 
New threats lie everywhere, and sometimes people test the boundaries. It is the auditor’s role to gather his or her courage and say “no” to these temptations, and to believe that sometimes it takes just one individual to change the way people and organizations behave.<br></p>Matej Drašček
Blue Bell Blues<p>Investor lawsuits seeking to hold directors liable for failures in their oversight duties were bolstered in June by a case involving Blue Bell Creameries. <em>Marchand v. Barnhill</em> did not signal a change in law, but it did affirm a legal standard that boards that fail to make a good faith effort to oversee a material risk area breach their “duty of loyalty.”</p><p>Legalese aside, the Blue Bell case provides a compelling example for directors to examine. While legal standards set a high bar, <em>Marchand</em> demonstrates that, in certain circumstances, ignorance about poor risk management is not a defense against board liability. </p><p>The details around the lawsuit are well-established. A 2015 listeria outbreak linked to three deaths caused Blue Bell Creameries to shut down production, recall all products, and later reduce its workforce by more than one-third. An investor suit alleged senior management disregarded warnings about contamination risks and kept the board in the dark about the issue.</p><p>From 2009 through 2014, regulators identified numerous health safety compliance failures. Yet, even though several positive tests showed the presence of listeria, including one test from an independent lab, board minutes reflected “no board-level discussion of listeria.”</p><p>Despite what would appear to be a glaring lack of board oversight, the Delaware Court of Chancery dismissed the case in fall 2018, ruling the plaintiff failed to show that directors had breached their “Caremark duties.”</p><h2>What Are Caremark Duties?</h2><p>Caremark duties are the result of a 1996 Delaware Chancery Court decision in the derivative action case brought by shareholders of Caremark International Inc., alleging the board of directors breached its duty of care by failing to put in place adequate internal control systems. 
The Caremark Rule that came from the case, and set a precedent for future director liability claims, states, “a director’s obligation includes a duty to attempt in good faith to assure that a corporate compliance information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by noncompliance with applicable legal standards.”</p><p>Cutting through the legalese again, Caremark establishes an obligation for directors to at least try to make sure “a reasonable board-level system of monitoring and compliance” is in place. Failing to do so could make directors liable for losses relating to compliance failures. </p><p>In <em>Marchand</em>, the Delaware Supreme Court overturned the lower court’s dismissal, concluding “the complaint supports an inference that no system of board level compliance monitoring and reporting existed at Blue Bell.” The court noted the board failed to establish a committee to monitor food safety or devote time in meetings to discuss food safety compliance. Of significance is the court’s opinion that “... food safety was essential and mission critical.” </p><h2>Protecting Against Caremark Failures</h2><p>Reasonable and informed directors typically should not have to worry about Caremark failures. As the Delaware Supreme Court made clear, boards get into trouble when they ignore their oversight responsibilities.</p><p>There are valuable lessons in the court’s findings in <em>Marchand</em> that can help protect boards and head off behaviors that make them vulnerable to successful Caremark claims. It is important to note that the court’s findings that follow center on the Blue Bell board’s failure to understand its “mission-critical” risk: food safety. 
</p><p><strong>Blue Bell had no board committee that addressed food safety.</strong> Boards must understand what is mission critical for their organization, whether it’s food safety at Blue Bell or data protection at Facebook, and assure that they have systems in place to monitor compliance with mission-critical regulations.<br></p><p><strong>Blue Bell management was not required to keep the board informed about food safety compliance practices.</strong> Boards cannot assume management will bring all problems to their attention, and, therefore, must be proactive in seeking out information about compliance with mission-critical risks.<br></p><p><strong>Blue Bell had no regularly scheduled discussions about food safety.</strong> Mission-critical risks must be discussed and assessed on a routine basis by the board.<br></p><p><strong>Blue Bell’s board received favorable information about food safety but negative information was not shared. </strong>Boards cannot assume that management will willingly present the bad along with the good. They must establish processes to discover all relevant information from management and seek additional reliable sources of information, including turning to internal audit to provide independent assurance on the accuracy, completeness, and timeliness of the information the board receives, particularly around mission-critical risks.<br></p><p><strong>Blue Bell board minutes reflect meetings were “devoid of any suggestion that there was any regular discussion of food safety issues.” </strong>Traditional approaches to protecting the board include limiting details in minutes, which often only reflect official board actions. 
In Blue Bell’s case, this strategy backfired in that the official account of business reflected that no time was spent discussing mission-critical issues.<br></p><h2>What’s Next?</h2><p>The <em>Marchand</em> case and its relevant Caremark implications are but one of a growing number of pressure points on boards relating to oversight duties. As the list of governance failures and scandals grows, regulators, investors, and the general public are demanding more oversight and more accountability.</p><p>A February article in <em>Business Law Today</em> eloquently articulates the need for a fundamental change in how board directors approach their jobs:</p><p>“A substantive checks and balances approach addresses the roles, responsibilities, and relationships among the key elements and players in a firm’s governance, controls, and oversight system. Institutional investors, individual investors, and other market and regulatory interests increasingly demand that those involved in corporate governance recognize their responsibilities and are held accountable in addressing these responsibilities. An additional emerging expectation is that senior leaders in an organization, both board and management, recognize that a leader’s role is one of service rather than entitlement.” </p><p>The article goes on to say that governing structures that consolidate power and authority into fewer hands often fail if individuals in power feel entitled to do as they please. It adds that boards must be involved in formulating checks and balances and take active roles in executing them. “Carrying out these active roles will necessarily lead to regular interaction with the CEO and others in senior management as well as with a company’s internal and external auditors,” the authors write. 
“While tone at the top may sometimes remain only as words that do not actually affect behavior, the institution of checks and balances can exert considerable influence.”</p><p>These fundamental changes won’t happen overnight, especially in organizations with entrenched systems and practices. But clearly the era of boards providing obsequious approval to management is over. To continue to do so is not just counter to prevailing investor sentiment, it also makes boards increasingly susceptible, as demonstrated in <em>Marchand</em>.</p><p>Such a transition cannot happen without a system of effective checks and balances, as described in the <em>Business Law Today</em> article. Given this current environment of increased exposure, boards would do well to seek internal audit’s independent assurance and advice on critical issues. <br></p>Jim Pelletier
A Lesson in Ethics<p>Recent reports of the extremes some parents have pursued to get their children admitted into elite colleges have raised questions about what example these parents are setting for their children. In some cases the children were unaware of their parents’ extraordinary efforts, though others allegedly knew about it and therefore may have been complicit. Perhaps the scandal comes as no surprise to many in the audit profession — after all, we see cheating, rule bending, and outright falsehoods regularly. But rather than simply shrugging our shoulders and pretending it has nothing to do with us, internal auditors need to be part of the solution. </p><p>Research suggests that dishonesty among students is common. Donald McCabe, founding president of the International Center for Academic Integrity, analyzed surveys of nearly 71,000 college students conducted between 2002 and 2015. He reported that 39% admitted to cheating on tests, and 68% admitted to some form of cheating. Why do college students cheat? They want a good job and career. </p><p>Think about that last statement — college students cheat to get a job. Many of them obtain their first job as new hires in the audit department. If these students view cheating as acceptable, what can internal auditors do to help them understand their organization’s ethical expectations, as well as those of the internal audit profession? </p><p>Many years ago, a university colleague shared with me the story of a phone call he received from a local employer. The firm’s representative bluntly asked what the university was teaching its students, as his company had just caught an auditor signing off on an audit program for work not actually performed. My colleague privately observed later that he had always thought this individual, as a student at our university, had cheated in his classes, even though he never caught him in the act. 
From a professional viewpoint this anecdote points to a big risk — students who cheated in college may continue to cheat in their career.</p><p>Efforts to address such risk should begin as soon as students enter the workforce. Internal audit onboarding activities and employee mentoring, for example, should be aimed at helping new hires do the right thing. Encouragement should focus on guidance to help them comprehend what it means to be an internal audit professional — including adherence to ethical standards. Recent graduates should be reminded that behavior they may have viewed as acceptable in college is not acceptable in the workforce.</p><p>We also need to promote success stories of individuals who have not cheated — of those who exemplify high standards of ethical conduct. We should celebrate individuals who stopped a fraud from happening, or who helped prevent the company from erring in judgment. Sending the right message up front will help the next generation of audit practitioners make good choices and maintain the standards of integrity that have long defined our profession. <br></p>Perry Moore
A Question of Audit Prerogatives<p style="text-align:justify;">Call it the Battle of Bismarck — a political turf battle unfolding in the state capital of North Dakota, which actually turns on a question audit executives everywhere can appreciate. <br></p><p style="text-align:justify;">How does an audit function work when the chief audit executive and audit committee disagree over what the function should do?<br></p><p style="text-align:justify;">On one side of the issue is Josh Gallion, elected state auditor in 2016. On the other is the Legislative Audit and Fiscal Review Committee, the state's version of an audit committee. Earlier this year lawmakers quietly adopted a provision requiring Gallion to get approval from the audit committee before he conducts "performance audits" of government offices. <br></p><p style="text-align:justify;">Gallion politely but firmly told the Legislature in July that he doesn't believe the law is constitutional, since it impedes his autonomy as a duly elected executive officer of the state. The state attorney general agrees with him. The top budget analyst for the Legislature does not.<br></p><p style="text-align:justify;">"We will not be seeking approval of performance audits, but what I will tell you is communication is key," Gallion <a href="">told North Dakota lawmakers during a recent hearing</a>.<br></p><p style="text-align:justify;">That wasn't what state Rep. Gary Kreidt, chair of the legislative audit committee, wanted to hear. He was unhappy that Gallion has been announcing the results of performance audits to the public, without first letting audit committee members review the findings. <br></p><p style="text-align:justify;">"I don't like to read in the newspaper an audit that's been completed and not have been notified that this audit was done," Kreidt said in that same legislative hearing. 
<br></p><p style="text-align:justify;">The backstory here is interesting reading for political junkies and audit professionals alike. First, "performance audits" are defined as examinations of specific agencies or offices, to assess whether the agency achieves its stated goals <em>and </em>whether it does so in an economical manner.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p style="text-align:justify;"><strong>Putting Differences Aside</strong></p><p style="text-align:justify;">In the corporate world, best practices to avoid these situations abound. Among them: <br></p><ul style="list-style-type:disc;"><li>The chief audit executive should meet with the audit committee chair regularly <em>and</em> informally, between committee meetings, just to build rapport and trust. </li><li>The CAE, management, and the audit committee should collaborate while drawing up the risk assessment and preparing the audit plan. That at least prevents anyone from being caught by surprise, which is one criticism North Dakota lawmakers had about Gallion.</li><li>Allow management sufficient time to review the audit findings and prepare a rebuttal that is included in the report, again to prevent anyone from being caught by surprise.</li><li>Incorporate the IIA's model charter language as much as possible, spelling out roles and responsibilities clearly. "A flawed charter will certainly trigger challenges to the authority of any internal audit function," Hughes says.<br></li></ul><br></td></tr></tbody></table><p style="text-align:justify;">Gallion undertook such an audit last year, to examine Gov. Doug Burgum's use of state aircraft. That audit came after reports that Minnesota energy company <a href="">Xcel Energy flew Burgum and his wife to Super Bowl LII</a> in 2018. 
Gallion also <a href="">released an audit earlier this year that raised questions about a powerful state senator</a>, who didn't disclose a conflict of interest while working at a North Dakota state college. <br></p><p style="text-align:justify;">In April, just before the end of North Dakota's legislative session, lawmakers tucked that provision about seeking the audit committee's permission for performance audits into the state's must-pass budget bill. <br></p><p style="text-align:justify;">Cynics say the provision <a href="">was retribution for an auditor unapologetic about doing his job</a>. That may be so. For the rest of us, the tensions here set up an important lesson in best practices — how can organizations avoid this sort of a standoff? <br></p><p style="text-align:justify;"><strong>Lines of Authority</strong></p><p style="text-align:justify;">In the corporate world, an audit committee telling the audit executive <em>not</em> to examine certain issues without the committee's permission would be a big red flag. ("I'd certainly look for the exit," one IT audit executive told me.) But as daft as that idea might be, a corporation's audit committee theoretically could do it. <br></p><p style="text-align:justify;">Public sector audits are different, because they're more susceptible to criticism that an audit was driven by political motives. Audit committees overseeing public sector audit functions are likewise susceptible to accusations of undermining the independence or objectivity of the function for political purposes. <br></p><p style="text-align:justify;">"There's a huge risk of [those arguments] happening," says Kip Memmott, director of audits for the Oregon secretary of state. "Actually, it's not a risk — it happens quite frequently." <br></p><p style="text-align:justify;">Memmott sees the challenge as one of strained relationships and communications. 
Not everyone might see the value in a performance audit, or understand the risk that audit is trying to assess. The employees in question might also feel vulnerable as targets of the audit. <br></p><p style="text-align:justify;">That means the audit executive really needs to work on communication with those stakeholder groups if he or she wants to succeed. So one fair but pointed question: does the audit function have leadership in place to handle those human challenges? Or is it run by skilled technical auditors who have been promoted into a role that needs different skills? <br></p><p style="text-align:justify;">"Audit is about relationships and communications," Memmott says — and "as a field, we have not done as well as we could have."<br></p><p style="text-align:justify;"><a href="">Generally Accepted Government Auditing Standards</a>, maintained by the U.S. Government Accountability Office and commonly known as "The Yellow Book," spell out exacting standards for independence. If a public auditor doesn't meet them, the auditor should disclose that in the performance audit itself, along with whatever mitigating steps the auditor has taken. Even then, the auditor is still open to accusations of pursuing certain audits for political reasons.<br></p><p style="text-align:justify;">"Given that the public has long been 'sold' on the integrity and objectivity associated with unqualified or unmodified opinions, any qualifiers tend to trigger concerns regarding the objectivity of an audit," says Peter Hughes, assistant auditor-controller and chief audit executive for Los Angeles County. "Thus the reason that state and legislative auditors may challenge the benefit of such qualified audits."<br></p><p style="text-align:justify;">The wrinkle in North Dakota is that nobody can fire anybody else for flouting any of these practices; the auditor, the lawmakers, and the governor are all elected by voters. They must work together. 
<br></p><p style="text-align:justify;">Which brings us back to Memmott's point that communication to foster strong, working relationships is paramount. Yes, that can be painstaking, and in some instances political motivations will be entrenched. Audit leaders still need to try.<br></p><p style="text-align:justify;">"I don't know if chief auditors can control it, but certainly if they can't, they better be aware of it," Memmott says. <br></p><p style="text-align:justify;">We don't know how North Dakota's impasse over performance audits will end. A proposed <a href="">voter referendum to repeal the restrictions failed to gather enough signatures</a>. Some lawmakers say they will try to repeal the restrictions in the 2021 legislative session. And despite Gallion and the legislative audit committee being at odds on that issue, both sides also say they will continue to work together on other issues. <br></p><p style="text-align:justify;">The rest of us can watch and wonder what we might do.<br></p>Matt Kelly
