Risk and Compliance
<h1>Don't Manage Risk — Manage Value</h1>
<p>https://iaonline.theiia.org/2019/Pages/Dont-Manage-Risk-Manage-Value.aspx</p>
<p>Risk management’s traditional focus on adversity is changing. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2017 <em>Enterprise Risk Management (ERM)–Integrating With Strategy and Performance</em> framework now refers to risk holistically as “the possibility that events will occur and affect the achievement of strategy and business objectives.” With “adversely” removed from the definition, a risk is no longer something that must be prevented from happening. In addition, the framework no longer speaks of <em>risk management</em> as a separate process, but defines it in terms of “culture, capabilities, and practices.” </p><p>The updated COSO ERM framework and the International Organization for Standardization’s ISO 31000: Risk Management standard present great opportunities to replace the term <em>risk management</em> with <em>value management</em>. According to both standards, managing risk is all about creating and protecting value. However, they retain the term risk management. </p><p>Business activities always involve uncertainty. To increase success, leadership teams have to take advantage of opportunities and limit threats. Ultimately, they want to increase the certainty they will achieve their objectives and will not get what they do not want. For that reason, organizations need a pragmatic approach to keep key stakeholders satisfied by realizing value for them.</p><p>The value management approach offers intriguing opportunities for internal auditors because it focuses on the quality of decision-making within the organization. Internal audit can help the organization by assessing to what extent decision-makers possess the right competence and integrity to reconcile dilemmas caused by the conflicting interests of stakeholders. 
</p><h2>Becoming Future-proof</h2><p>Being future-proof requires an organization to continually create and protect value for its core stakeholders. However, terms such as <em>value</em>, <em>result</em>, <em>success</em>, and <em>improvement</em> only gain substance through the meaning that stakeholders attach to them. Stakeholders look at an organization from their own perspective. Based on their interests, they find certain things valuable such as innovation, punctuality, privacy, safety, compliance, integrity, efficiency, and continuity.</p><p>Future viability is about anticipating what might happen. The leadership team wants to know where the organization is expected to end up and to what extent this differs from what the organization’s core stakeholders expect. Is the organization on the right track? Or is there a real chance that it will not achieve its objectives? In that case, is the organization taking appropriate measures? Conversely, the organization may be exceeding expectations, because it is able to deal well with uncertainty. </p><h2>Bringing Experts Together</h2><p>Strategic, tactical, and operational decisions imply making choices and balancing potential pros and cons. Working standards and methods are intended to guide the decision-makers in the right direction. Determining these rules is the domain of specialized departments such as business continuity, compliance, control, information security, privacy, quality, and safety. Typically, all these functions conduct risk assessments, build control frameworks, and produce management reports, which easily can lead to functional silos and value destruction in practice.</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Value Management and Internal Audit</strong></p><p>Embracing the value management approach is different from advocating conventional risk management practices. 
Here are examples of what will change for internal auditors:</p><ul><li>Instead of focusing on the organization’s biggest vulnerabilities, internal audit holistically focuses on assessing the quality of management. Decisions made when planning, executing, monitoring, and improving business activities always have potential positive and negative effects on the interests of key stakeholders.</li><li>Instead of believing the organization should have a separate risk management process, function, or system, internal audit focuses on the organization’s capabilities to become future-proof. Propagating lots of separate risk terms, such as risk manager, risk culture, risk appetite, and risk report, may not lead to the realization of business objectives.</li><li>Instead of seeking to assess whether what COSO’s 2017 ERM framework calls the second line of accountability fulfills its responsibilities for overseeing performance and conformance, internal audit assesses the competence and integrity of decision-makers at all levels of the organization.</li><li>Instead of unilaterally focusing on money, internal audit recognizes that <em>value</em> implies more than cash, profit, stock price, and dividend. Key stakeholders have different interests and attach value to divergent matters.</li><li>Instead of embracing in-control statements oriented to the past, internal audit realizes that the key question is to what extent decision-makers at all levels of the organization are capable of creating and preserving value for key stakeholders in the future. 
</li><li>Instead of assuming that the future is makeable and perfectible through risk analyses, risk and control matrices, and control testing, internal audit acknowledges that the world is volatile, unpredictable, complex, and ambiguous, requiring a considerable degree of agility and flexibility.</li><li>Instead of assuming that risk management should be a separate item on the agenda for team meetings, internal audit emphasizes that each of the items is about effectively dealing with opportunities and threats.<br></li></ul></td></tr></tbody></table><p>Conventional risk management is a flawed concept (see “Value Management and Internal Audit,” right). Instead of having a separate program, function, or committee for managing risks, organizations should focus on connecting the functional experts. Generating and preserving value is dependent on these specialists collaborating to assist decision-makers at all levels with seizing opportunities and limiting threats. As an independent advisor, internal audit can help reduce organizational complexity and silo-thinking. <br></p><p>To connect the experts effectively, leadership teams should seek answers to five key questions. These basic business questions are the building blocks for the practical analyses that leaders can carry out for a separate business process, project, department, branch, division, value chain, or the entire organization. </p><p>Answering each of these questions requires making choices and balancing opportunities and threats. For example, implementing extensive control frameworks (part of the “how” question) may send the message to those involved that they have flawed judgment or lack integrity. Internal audit should independently assess to what extent leaders answer the questions satisfactorily.</p><p><strong>Who Can Decide?</strong> Value management hinges on the effectiveness of governance: Who is authorized to make which choices? 
This applies to allocating resources both to daily operations and continuous transformation. The individual responsible for achieving formulated objectives also should be able to decide how best to deal with relevant opportunities and threats. This can be done by optimizing the associated business processes and controls. </p><p>A prominent and practical issue concerns the mandate of the experts in the organization’s staff departments. To what extent are they allowed to prescribe working standards to their colleagues or are they only expected to provide advice? How does the leadership team ensure that the staff specialists keep the line managers in focus? On the other hand, how can leaders prevent the experts from exaggeration caused by enthusiasm? An example is information security specialists who produce unworkable policies and procedures. </p><p><strong>What Do We Do?</strong> Each leadership team benefits from having an integrated overview of the clustered activities of everyone involved within their entity. This structured summary of current tasks shows the organization’s common playing field. The overview of managerial, primary, and supporting processes provides insight into all relevant transaction flows and volumes. It also forms the basis for the IT application landscape for processing the transactions. Hence, it is the foundation for information management, business intelligence, and forecasting. Do those in charge have the right information for making balanced decisions? The advantages of better insight into who does what are evident in initiatives such as integration projects.</p><p><strong>Why Do We Do What We Do?</strong> The organization’s success is determined by the extent to which its core stakeholders are satisfied. They are primarily interested in how the leadership team’s performance affects their interests. That is why the stakeholder analysis is essential. 
If all goes well, the team’s ambitions fit in with the value that the organization wants to create and protect for specific stakeholders. This value is expressed in the organization’s mission, vision, and strategy, and is translated into concrete success factors, objectives, and indicators. Using clear tolerances for the key indicators and preparing regular forecasts provide ample input for timely adjustment. If the estimated outcomes are not within the bandwidths, the two options are to adjust the controls or to inform key stakeholders that they must accept revised tolerances. <br></p><p><strong>How Do We Do What We Do?</strong> To apply judgment, decision-makers need a framework and rules such as working standards and methods. The practical details of these rules are laid down in the charters, policies, guidelines, procedures, protocols, and work instructions. Clear working arrangements streamline decision-making, facilitate work hand-off among colleagues, and provide a clear reference for audits. The “how” question is about autonomy. For example, to what extent are subsidiaries allowed to make their own rules? <br></p><p>The decisive factor in the “how” is the organization’s culture. Is it characterized by managers setting the examples? Are decision-makers willing to face the possible consequences of their choices? Is it acceptable to challenge the assumptions in overly ambitious plans?</p><p><strong>What Can We Improve?</strong> A continuous improvement program helps the leadership team focus on what really matters. When asked about the “best improvements,” people typically mention situations where the risk exposure is bigger or the chance taking is smaller than desired. The necessary improvements are usually about better designing, implementing, applying, and monitoring the organization’s working methods and standards. 
These renovations explicitly deal with the competencies of those involved — not only their professional knowledge and skills, but especially their personal leadership qualities. </p><p>A continuous improvement program can enable the team to identify, prioritize, and realize improvement initiatives. The better the information management is and the more that employees feel free to report issues, the sooner trends can be identified.</p><h2>Value for Stakeholders</h2><p>Conventional risk management can easily turn into a separate, illusory, and compliance-driven system. Alternatively, value management is an integrated approach that can give leadership teams a single platform for all common types of management. It can help decision-makers identify, prioritize, and realize relevant improvements that are needed to satisfy their core stakeholders. </p>
<p>Marinus de Pooter</p>
<h1>Board Problems</h1>
<p>https://iaonline.theiia.org/2019/Pages/Board-Problems.aspx</p>
<p>Audit committees have a problem: They have too many problems. More precisely, they have too many types of problem — too many <em>types</em> of corporate misconduct to consider these days, because the definition of <em>misconduct</em> has expanded dramatically in the last 15 years. </p><p>That raises questions about the expertise audit committees need, and whether corporate boards have enough of it. Quite simply, if society wants corporations to exercise a sharper sense of ethics and moral responsibility, do we need more ethics and compliance officers serving on boards? </p><p>“It’s undeniably true,” says David Greenberg, former chief compliance officer (CCO) at tobacco manufacturer Altria and an audit committee member of International Seaways, a New York Stock Exchange-traded oil and gas tanker business. The definitions of <em>corporate misconduct</em> are expanding, he says, and the consequences of it are deepening. “Put those two things together, and it’s a recipe for needing more of that experience.” </p><p>A recent regulatory enforcement example demonstrates the point. Cognizant Technologies, an IT outsourcing firm, had been accused of violating the U.S. Foreign Corrupt Practices Act when two of its senior executives orchestrated a US$2 million bribe to government officials in India. The involvement of two senior executives would typically leave Cognizant unable to avoid criminal prosecution, according to U.S. Department of Justice (DOJ) policy. Yet when regulators settled the case in February, the DOJ did decline to bring any criminal charges. Prosecutors later said why: “The company voluntarily self-disclosed the conduct within two weeks of when the company’s board learned of it.” </p><p>Confessing egregious corporate misconduct is unquestionably the right thing to do. 
Still, confession is a big request — especially when doing so invites potentially serious legal and financial consequences, such as monetary penalties or a corporate criminal charge. So Cognizant’s decision to disclose its trouble immediately, without any certainty of favorable treatment, is all the more impressive. </p><p>Where did that ethical commitment come from? It’s worth noting that Cognizant’s audit committee chair at the time was Maureen Breakiron-Evans, who worked as general auditor of Cigna in the 2000s. Also on the committee was Leo Mackay, head of ethics and internal audit at Lockheed Martin. Both still serve on Cognizant’s board.</p><h2>Beyond Financial Expertise</h2><p>Under the U.S. Sarbanes-Oxley Act of 2002, the audit committee of a publicly traded firm needs at least one designated “financial expert” to help the audit committee police against financial fraud. When the act was passed, that might have been enough of a kick in the corporate rear to take internal control more seriously. Today, a strong control environment has become much more important, to address all sorts of issues. Regulators don’t just want swift corrective action; they want strong <em>preventive</em> action. Customers, business partners, or even self-appointed social justice warriors prowling Twitter — all want to see ethical culture taken seriously, translated into tangible policies, controls, and actions. </p><p>“A true auditor on the board, or a true employee relations or corporate compliance person, is important because what’s falling to the audit committee to investigate — it’s gone way beyond what audit committee charters originally said,” says Owen Bailitz, a former risk management and audit quality partner with RSM, who now serves on the audit committee of the American Board of Medical Specialties. “You’re basically expanding the definition of risk.” </p><p>Audit executives could perceive all of this as a virtuous circle. 
Yes, data analytics captures data about business process outputs, to identify anomalous events or excessive risks. Those insights let directors draw conclusions about how the enterprise is working. We still need the other half of the circle: using those insights to change policy, procedure, and culture, so business processes can stay within ethical parameters more easily. That’s the improvement society wants to see. </p><p>“Across stakeholders, there’s been more engagement with boards on this discussion. Ethics and culture are topics that are relevant to the full board and every committee of the board,” says Tracy Atkinson, audit committee chair of defense and aerospace systems provider Raytheon Co. “Having someone who lives and breathes this on the board adds to the dialogue in a new way.” Atkinson would know; she is executive vice president and CCO at financial services company State Street Corp. </p><p>We see that increased engagement in various ways. For example, the Edelman Trust Barometer, which surveys more than 33,000 people worldwide about their trust in institutions, recently found that 76% say their employers should “take the lead on change” for issues such as sexual harassment, the environment, and discrimination. And 71% said it’s critical for their CEO to respond to challenging issues.</p><p>Then there are regulatory pressures. For example, a board might find itself saddled with a corporate integrity agreement where the audit or risk committee has to certify compliance with the terms. Having a compliance or internal control expert on the board would make that an easier exercise.</p><p>Those are examples at the macro level. At the micro level, chief audit executives (CAEs) have this: <em>The Politics of Internal Auditing</em>, a 2016 IIA study, found that 55% of audit executives had been asked to suppress unwanted findings during their career. That tells us two things. 
First, that internal audit executives are well-acquainted with the threats of bad ethical culture; and second, that CAEs would be well-suited to serve on boards someday — because they (like CCOs) have seen poor ethical behavior up close, and it’s their job to uncover and eradicate bad behavior anyway, whatever the consequences. </p><p>That skill, of identifying the ethically correct step, taking it, and defending it, will only become more important. As Greenberg says, questions about disclosing misconduct, and whether voluntary disclosure is worth it, can be quite difficult. “You need people with some experience to overcome that.” </p><h2>Meanwhile, the Reality</h2><p>As desirable as ethics, audit, and compliance perspective on the board might be, practical limitations abound. Boards are still desperate to recruit women and minorities; some jurisdictions now require specific quotas for female directors. Boards also are desperate for cybersecurity expertise. And yes, foremost, boards want to recruit current or former CEOs, chief financial officers, and chief operations officers — people who understand the intersection of strategy, operations, and finance. </p><p>That leaves few open seats for other governance expertise. So boards might not rush to the idea of recruiting CAEs or CCOs, unless they’re particularly committed to foresight. As Bailitz put it: “You need to have a change of mindset among the chairpersons of these boards, to say, ‘We lack this expertise, and it’s something we need.’” </p><p>The push for cybersecurity expertise is a good parallel. Most executives, audit committee members included, understand cybersecurity at a reasonable level — what it is, why it’s important, and what it should achieve. But they don’t understand how to assess it, improve it, or weave it through all of an organization’s operations. Only a cybersecurity expert does.</p><p>Ethical culture is a lot like that, Atkinson says. 
Boards might believe they can master ethics and culture because it seems like a nontechnical issue, but introducing an audit or compliance executive can sharpen the board’s perspective in new ways. “It’s a mindset,” she says. “Having compliance and ethics as your subject matter domain, and bringing that to the board, further serves to emphasize” where ethics and the control environment might need attention.</p><p>So will boards put more audit and compliance professionals on the audit committee or even some other board committee? Will recruiters start calling CAEs and CCOs? That’s hard to say, but it’s not just self-interest for CAEs to want that to happen. This is what the future of boardroom problems looks like, and the future has a habit of arriving eventually. </p>
<p>Matt Kelly</p>
<h1>Auditing Culture: Where to Begin</h1>
<p>https://iaonline.theiia.org/2019/Pages/Auditing-Culture-Where-to-Begin.aspx</p>
<p>Auditing organizational culture is a challenging, multifaceted process. It can touch virtually all parts of the business, including the very top, and span a wide range of risks and topics.</p><p>Due to its complexity, many internal auditors interested in auditing culture may be unsure of how to approach it. This installment of my Auditing Culture series helps point practitioners in the right direction, offering some tips that may seem obvious but should not be overlooked. </p><h2>Consult With Your Stakeholders</h2><p>Auditors should start by identifying who their stakeholders are and determining what those individuals or groups expect from a culture audit. Examples of stakeholders include the audit committee, regulators, and executives — considerations for each of these groups can differ substantially. </p><p><strong>Audit Committee or Similar Oversight Group</strong> Has the audit committee asked for a culture audit? If so, this will help overcome possible resistance at lower levels. Does the committee have any specific expectations regarding which aspects of culture internal audit should examine or how the audit should be conducted? Do the committee members have any concerns about the existing culture? Have any members been involved in culture auditing elsewhere — if so, would they want to share their experiences or insights? Engaging this group in meaningful discussion will be important. </p><p>If the audit committee has not asked about auditing culture, internal auditors should initiate the discussion. 
Practitioners can suggest possible benefits to the organization (e.g., see "<a href="/2019/Pages/The-Right-Path.aspx">The Right Path</a>"), as well as some ways to approach a culture audit, drawing from research on what others have done.</p><p><strong>Regulators</strong> If the organization's regulators request or require audits of organizational culture, internal audit should hold the same kind of discussions with regulatory personnel as they do with the audit committee. In particular, what aspects of culture are they most interested in? What are their requirements or expectations for internal audit as it relates to culture? </p><p><strong>Executives</strong> Support from the head of the organization is, of course, essential. Other executives may or may not like the idea, but they might be surprisingly supportive. For example, my first chief audit executive (CAE) reported to a chief financial officer who thought so little of internal audit that he moved the reporting relationship from himself down to the corporate controller. Nevertheless, he once said to the CAE, "I read your audit reports. They're fine. But what I really want from you is this. Your auditors are in our banks observing management's behavior. I want to know what they're seeing and thinking. I know they won't have the same kind of evidence they do for an audit finding, but I want to know what they think of management." </p><p>A 2011 IIA research study, <em>Insight: Delivering Value to Stakeholders</em>, provides a more generalized example. It found that 64% of executives surveyed expect that "the CAE provides comments to the audit committee of the board of directors or certain executives regarding the performance of senior leaders in the business, based upon internal audit activities performed within the organization." 
Only 30% said they experience this from their CAE, representing a 33% expectation gap.</p><h2>Know Your Organization</h2><p>A growing array of tools, techniques, and approaches exists for evaluating culture. To succeed, internal auditors must find an approach that will work within the organization's unique cultural environment. </p><p>One way to help determine the best approach is to consider where the existing culture fits on a series of scales, like the ones shown below (see "Where Does Your Organization Fall on These Scales?"). This estimation could be performed by the CAE, the audit management team, the entire staff (during a staff meeting), or selected members of management. </p><p>Contrasting examples of two hypothetical organizations help illustrate how scales like these can be used:</p><ul><li>The first organization emphasizes innovation more than control, and openness to mistakes rather than zero tolerance. It will likely accept audit techniques that are quite different from anything the auditors have done before. </li><li>The second organization leans more toward control and zero tolerance. The auditors in this organization should use techniques that are closer to what they've done in the past so they won't seem too unusual to clients. Auditors might have to start with baby steps and build gradually over time.</li></ul><p>To select the most meaningful scales for their organization, internal auditors can look to existing sources of cultural insight such as employee surveys and exit interview results. They can also talk with human resources, as well as risk management and others in the second line of defense. The insights that come from these and similar sources will also be valuable in other ways, such as scoping audit projects and supporting cultural audit issues. </p><p>Where different parts of the organization fall along these scales can often vary, and those variations might suggest different approaches for certain areas. 
They also might suggest problematic cultural inconsistencies that should be examined, as well as identify "low hanging fruit" or possible champions in management for initial efforts. </p><h2>Select the Initial Approach</h2><p>With strong support from key stakeholders and a culture that is open to it, a robust approach may be possible right away. For example, a pharmaceutical company performs 5- to 6-week "values assurance" reviews in which internal audit works in a multidisciplinary team that includes psychologists, operational staff, and individuals with Lean Six Sigma experience. Or consider a financial services firm where the audit department uses a cultural model with eight cultural drivers broken into 35 topics. For each of these topics, the department has developed a comprehensive audit program to use during audit projects.</p><p>In my experience, and from what I have read, organizations with robust approaches like these usually:</p><ul><li>Have experienced a serious scandal whose root cause was in the culture.</li><li>Operate within the financial service sector, in which Wall Street's "culture of greed" was a root cause of the 2008 global financial crisis.</li></ul><p>Most organizations, of course, do not belong to one of these groups. </p><p>Unless the audit committee and executive team are willing to devote significant resources to safeguarding against a culture-caused scandal, it is best for internal auditors to start slow. They can then build toward more robust approaches if and when the results indicate that doing so will be worth the cost. </p><p><img src="/2019/PublishingImages/auditing-culture-where-to-begin_sidebar.jpg" alt="Sidebar: Where Does Your Organization Fall on These Scales?" style="margin:5px;width:700px;height:603px;" /></p>
<p>James Roth</p>
<h1>The Healthy Corporate Culture</h1>
<p>https://iaonline.theiia.org/2019/Pages/The-Healthy-Corporate-Culture.aspx</p>
<h2>How does an organization develop and maintain a healthy corporate culture?</h2><p><strong>Simmons</strong> Implementing a clear mission and company values sets the tone and messaging from the top, and specifying the organization’s desired risk culture in a way that aligns with these values helps solidify the corporate culture. Establishing a collaborative, open communication approach creates a comfortable work environment and is the best way to maintain a culture where people feel valued, respected, and empowered to offer ideas and make good decisions. Having a leadership team that believes in this approach, lives the mission/values, and knows what employees value contributes to an atmosphere where ideas are celebrated and rewarded, which can lead to a more efficient and productive organization. </p><p><strong><img src="/2019/PublishingImages/EOB-Esi-Akinosho.jpg" class="ms-rtePosition-1" alt="Esi Akinosho" style="margin:5px;" />Akinosho</strong> First, we need to define a healthy culture. A healthy corporate culture is a) connected to the company’s purpose and strategy; b) positive, inspiring, and engaging for employees who live it, customers who experience it, and shareholders who realize returns from it; and c) strong, consistent around the world, and not overly dependent on the effectiveness of a local leader. Developing a healthy corporate culture takes time, focus, and direction from leadership, as well as level support from key functions to help champion that desired culture. A top-down and bottom-up approach is key in not only the development of a healthy culture, but also in sustaining and fostering changes in it. </p><h2>What are the top risks to a healthy corporate culture?</h2><p><strong>Akinosho</strong> Risk culture connects the overall organizational culture to specific behaviors set along a defined risk framework. 
It speaks to culture in terms of the three lines of defense and guides how leadership monitors and responds to cultural stress and the risks of an unhealthy culture. Risks relating to corporate culture include a degraded tone at the top, lack of accountability, and minimized transparency. Cultural stress often takes the form of compliance issues, control failures, audit issues, or poor employee performance, and the typical root cause is often a breakdown in trust. Trust can be the biggest risk or asset to a healthy corporate culture, and the erosion of trust can be hard to control and even harder to earn back. By aligning the corporate culture and pulling certain cultural levers, trust can become the driving force for creating a shared vision and turning that vision into value. </p><p><strong><img src="/2019/PublishingImages/EOB-Charmian-Simmons.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Simmons</strong> First and foremost is culture risk, itself. Well-known corporate scandals related to harassment, fake accounts, accounting errors, and misconduct often are symptoms of culture issues and heighten the profile of culture risk as a growing liability for organizations. Culture risk management should be treated as an integrated process of oversight and monitoring that addresses strategy, performance, and risk, and aligns company values, goals, behaviors, and systems with favorable impacts both internally and externally. Other top risks that can affect a healthy corporate culture include financial, operational, market, and reputation risks. The particulars of each risk, such as ranking, priority, and specific factors, will vary by company/industry/geography and by the awareness level of underlying problems, mitigations, and ongoing monitoring. 
Some symptoms and behaviors that influence these risks include financial underperformance, inconsistencies in business/personnel performance, communication that leads to misunderstanding, unhealthy comparisons and gossip, demoralized employees, customer backlash, and the feeling of destroyed value.<br></p><h2>What are the indicators of a weak or failing corporate culture? </h2><p><strong>Simmons</strong> Indicators can be broadly classified into top-down and bottom-up. Indicators from a top-down business perspective include inconsistent financial and operational success and being perceived by the public and personnel as not conducting business activities with honesty and integrity. From a bottom-up personnel perspective, indicators may include lack of motivation; overwhelming frustration, such as fear of retaliation in speaking out, not being listened to, or pressured to meet unrealistic internal deadlines; poor customer relations; pending investigations; lack of efficiency or ideas; and lack of innovation. These indicators may be noticed by management, personnel, and internal audit, though one must be open and conditioned to seeing the signs to be receptive to raising the matter and taking active and visible action.</p><p><strong>Akinosho</strong> A weak culture can be characterized by inconsistent programs that deviate from the common goal and vision. Functional groups, including internal audit, that have different strategic objectives or have pockets of opposing forces will create stress within an organization’s operating model and increase the risk of compliance issues, failure to adhere to policies, and internal control breakdowns. Lack of leadership or misaligned tone at the top can hold an organization back and put it at risk for cultural issues. Today, many of these issues are coming to light in very public settings, which is why boards and audit committees are turning to internal auditors, the third line of defense for culture risk management, for insight. 
</p><h2>What should a formal culture risk management program look like? <br></h2><p><strong>Akinosho</strong> A formal culture risk management program is embedded throughout all three lines of defense, with the first line implementing the mechanisms to drive culture, the second line taking responsibility for defining the risk culture framework and monitoring effectiveness, and the third line performing independent culture assessments to monitor culture throughout the execution of the audit plan. </p><p><strong>Simmons</strong> Recent incidents and news headlines linked to “problematic culture” lead me to say there is no one-size-fits-all program; however, a culture risk management framework should comprise certain key elements that cover all aspects of culture and can be improved and measured over time. First, governance — the mission, values, ethics, policy, board, leadership, strategy, behaviors, and a common understanding of what’s expected. Second, relationships — transparent, honest, and nonthreatening leadership, communications, collaborations, and accountability. Third, environment — the workplace provides for comfortable, productive, inspired, responsive, innovative, rewarded, trusted, engaged employees and supports organizational effectiveness. Fourth, motivation — a fair values system exists surrounding performance, incentive, reward, continuous learning, and clarity of purpose.</p><h2>How does a dynamic, agile workplace affect corporate culture?<br></h2><p><strong>Simmons</strong> One affects the other and impacts the success of both. Many organizations want to be more agile to respond to the demands of customers, the digital economy, and rapidly changing marketplaces; however, most don’t appear to have the culture to support this. Being dynamic and agile means being able to quickly and easily adapt to constant change. 
A workplace environment like this needs to balance the mindset of change with tools, systems, and processes that support an agile approach and allow the four key culture elements mentioned previously to thrive and positively influence behaviors around cooperation, fast decision-making, experimentation, innovation, empowerment, sustainability, and effective cross-functional teamwork.</p><p><strong>Akinosho</strong> As companies adopt more dynamic and agile approaches and workplaces, they must be aware that the shifting operating models and transient nature of the workforce will have an impact on culture and can even present new risks. When unsuccessfully implemented, an agile operating model can cause a lack of vision or uncertainty in objectives for employees. This cultural stress will work against the achievement of objectives and strategy. Alternatively, an agile workplace can strengthen and foster an existing healthy culture and better advance the people agenda in areas such as development, employee retention, and workforce management.<br></p>Staff
3 Lines in Revision (https://iaonline.theiia.org/2019/Pages/3-Lines-in-Revision.aspx)<p>The IIA has released a consultation document reviewing the widely accepted Three Lines of Defense model for public comment. The document, available at <a href="http://www.theiia.org/3LOD" target="_blank">www.theiia.org/3LOD</a>, aims to ensure the guidance is more applicable to today's changing organizational environment. It seeks to clarify essential responsibilities in governance, risk management, and control. Comments are welcome by Sept. 19. </p><p>The IIA's Three Lines of Defense task force seeks to "breathe new life" into the model by focusing on organizational success and embracing governance processes. IIA Global Chairman Naohiro Mouri explains that The IIA recognizes that risk "goes beyond 'defense'" and can create opportunity. "We want to ensure organizations can allocate and structure their resources and responsibilities by using the Three Lines of Defense to their advantage," he says.</p><p>To that end, the review considers both a reactive and proactive approach to fulfilling an organization's purpose and value creation. Moreover, the task force is evaluating how the model can be scaled for organizations of different sizes.</p><p>Additionally, the task force is considering how internal audit functions should address the "blurring of the lines" when they are asked to take on responsibilities within areas of the organization. The objective is to stress flexibility among the lines. </p>Tim McCollum
How to Audit Social Media (https://iaonline.theiia.org/2019/Pages/How-to-Audit-Social-Media.aspx)<p>In today’s business world, practically every organization has a presence on social media, enabling it to reach huge numbers of customers and stakeholders globally. While enhancing sales might be the primary driver for creating a social media presence, social media has a much broader scope. It builds new relationships with customers, employees, and other stakeholders, expanding awareness about the organization and its brand. It influences customer education, engagement, and feedback. And it heightens the organization’s attractiveness as an employer and strengthens its reputation.</p><p>With that broader reach come new and different types of risks for organizations and their employees, such as reputational, dark web, and data protection risks. For internal auditors, the most relevant questions relate to aspects of how the social media presence is being managed. Organizations must develop policies covering aspects such as who in the organization has the authority to use social media, what gets communicated, and which of its stakeholders should receive the communications. </p><p>Consequently, internal auditors should invest resources to audit compliance with social media policies and guidelines. To do so, auditors need to build an adequate audit approach for the still-developing area of social media-related engagements.</p><h2>Social Media Strategy</h2><p>A good starting point for auditing social media is the organization’s social media strategy. Actually, the first question auditors should ask is whether the organization has such a document at all. </p><p>A social media strategy can help establish the general basis of the organization’s governance, use, oversight, and approach. 
The strategy also should contain the goals the organization aims to achieve from a long-term strategic perspective, thus setting the foundation for social media implementation. <br></p><p>Another important strategic component that internal auditors should evaluate is the specific channels that influence the organization, including validation of links, social handles, profile and account information, mission statement for the account, and key demographics. Moreover, auditors should assess whether organizational and social media goals are aligned. </p><h2>Policies and Procedures</h2><p>After dealing with the organization’s strategic approach, the next step is to check that the social media strategy has been written into relevant policies, procedures, guidelines, and instructions. Starting with the regulatory framework that is relevant for the organization’s industry, internal auditors should evaluate whether policies and procedures comply with state, local, and national labor laws and protected free speech rights. Ensure that relevant documents are reviewed for consistency and approved by the appropriate experts from different parts of the organization such as senior management and the legal, risk management, and internal audit functions. Finally, the assessment should seek the perspective of the organization’s employees, including those responsible for social media. One concern is whether employees have documented style guides to follow for social media posts.</p><h2>Dedicated Resources</h2><p>Another important aspect of auditing social media is assessing whether it has adequate resources. Once the organization decides to have a social media presence, the organization needs to dedicate employees to manage its presence and establish tools for monitoring it. Appropriate management of social media should include using tools that provide information such as mentions of the organization’s name, relevant post reviews, and audience behavioral patterns. 
</p><p>To get an understanding of the organization’s social media activities, internal auditors should search the web to identify where the organization has a presence. Additionally, identifying some of the best posts and evaluating the themes that make them popular — such as the topic, pictures, and people focus — can inform management about the relevance of those posts to customers and stakeholders. </p><p>Identifying key metrics can give internal auditors a basis for evaluating the performance of the current social media. This not only includes assessing the current metrics in place, but also whether there should be other or different metrics. Various social media analytics tools can help auditors simplify this step.</p><h2>Roles and Responsibilities</h2><p>The wide scope of influence social media could have on the organization creates the necessity to establish appropriate roles and responsibilities. It would be confusing to have all the departments posting on social media on behalf of the organization at the same time and without any alignment. Likewise, it would be confusing if any employee could provide requested feedback or reply to a comment on social media. </p><p>These issues challenge internal auditors to validate that the roles and responsibilities are documented and are clear to all employees. When it comes to security, auditors should evaluate owners of each account and review security protection measures in place such as tools for controlling passwords.</p><h2>Internal Communication and Training </h2><p>Considering that social media can significantly impact the organization if not managed well, organizations need relevant internal communication and training programs. Employees need to know the rules for representing the organization on social media to avoid potentially negative consequences. For these reasons, internal auditors should review social media-related communication to employees as well as the frequency of training provided. 
</p><h2>Crisis Scenarios</h2><p>Another important aspect of auditing social media is reviewing whether the organization has developed crisis scenarios and assessing how the crisis would be communicated on social media channels. Generally, a crisis creates opportunities for a wide range of miscommunication throughout the organization. Internal auditors should make sure managers and social media employees are aware that such situations might happen and have a clear plan for managing those situations.</p><h2>Room for Improvement</h2><p>Internal auditors can provide an independent perspective and good insight for management to consider. However, to keep up with the dynamics of social media, the organization always should look for opportunities to improve social media channels as well as the controls around their use. Employees who manage social media should coordinate with other departments within the organization and constantly evaluate new developments and topics of interest in their industry, region, and community. Internal auditors can help those employees make improvements to the structure and design of the organization’s social media approach that can enhance its performance. <br></p>Maja Milosavljevic
Editor's Note: Culture, Engagement, and Business Success (https://iaonline.theiia.org/2019/Pages/Editors-Note-Culture-Engagement-and-Business-Success.aspx)<p>In a recent article on Gallup’s website, “3 Daily Actions That Set the Tone for Workplace Culture,” author Craig Kamins writes, “Some workplace cultures motivate employees and fuel performance.” Others, he says, “drain employees’ motivation and make employees feel as though they have no control over their environment nor an incentive to perform.” </p><p>According to Kamins, employees’ perceptions about their work culture hinge on their leaders’ words and actions. Three daily behaviors that set the tone for the workplace culture, he writes, and lay the “groundwork for exceptional engagement,” are: </p><ol><li>Be respectful toward employees.</li><li>Communicate what is happening in the organization.</li><li>Promote accountability and fairness. </li></ol><p>A few years ago, The IIA’s chief marketing officer, Monica Griffin, took on the responsibility of addressing The Institute’s corporate culture. As the organization grew and evolved, it was a task that was long overdue. She and her working group, of which internal audit was a part, identified cultural challenges and developed The IIA’s core values:</p><ul><li>Put Our Members First</li><li>Do the Right Thing</li><li>Commit to Shared Success</li><li>Work Smart</li></ul><p>Today, staff — from the top down — are measured by how well we adopt these values. They are part of our annual performance review, and we are recognized for exhibiting them. After all, by engaging in these behaviors we better serve our members, which enhances The IIA’s reputation and business performance. </p><p>In this issue of <em>Internal Auditor</em>, we examine organizational culture from multiple angles and consider internal audit’s role in helping ensure it remains healthy. 
Our cover story, <a href="/2019/Pages/The-Right-Path.aspx">“The Right Path,”</a> considers how an organization’s ethical culture affects its bottom line. The new IIA North American Board chair, Benito Ybarra, says it is part of internal audit’s job to help drive an effective corporate culture (see <a href="/2019/Pages/Step-Forward.aspx">“Step Forward”</a>). In “Board Perspectives,” author Matt Kelly asks, “If society wants corporations to exercise a sharper sense of ethics and moral responsibility, do we need more ethics and compliance officers serving on boards?” Plus <a href="/2019/Pages/The-Healthy-Corporate-Culture.aspx">“Eye on Business”</a> considers what it takes to assess, monitor, and report on the organization’s culture. And don’t forget to visit InternalAuditor.org and read Jim Roth’s ongoing series on culture. </p><p>When it comes to organizational culture, we’ve got you covered.<br></p>Anne Millage
Getting a Handle on Harassment (https://iaonline.theiia.org/2019/Pages/Getting-a-Handle-on-Harassment.aspx)<p>Organizations like to think — and especially say — that sexist and misogynistic behavior has no place in the workplace, and many companies claim that they have a "zero tolerance" approach toward it. Employers also like to shout about the comprehensive policies and complaint procedures they have in place to investigate cases, which are often coupled with a strong ethical culture that shows boardroom backing and leadership. <br></p><p>The reality is often very different, however: Organizations are often unsure about how to pursue complaints, or even whether the alleged conduct amounts to sexual harassment. And following the revelations and allegations surrounding Hollywood mogul Harvey Weinstein's behavior on the casting couch, other recent examples show that senior management and directors are not to be excluded from such oversight either.<br></p><p>In March, for example, the CEO and founder of fashion retailer Ted Baker, Ray Kelvin, resigned following allegations of sexual misconduct centering around "inappropriate hugging" and "further serious allegations" made against him last December on the campaigning workers' rights website <a href="http://www.organise.org.uk/">www.organise.org.uk</a>. Kelvin has always denied the allegations.<br></p><p>What's considered appropriate behavior in the workplace is continuing to evolve, whether it applies to the C-suite or front-line employees. Organizations must be highly attuned to these changes and prepared to respond accordingly. Moreover, internal auditors have an important role in checking that employees are listened to, complaints are acted on, and that no one is immune from scrutiny — including managers and executives. 
<br></p><p>"Sexual harassment occurs in businesses of all sizes, and no single employer should ignore it," says Rita Trehan, CEO at human resource (HR) consultancy Dare Worldwide in London. "Simply taking action when it surfaces is not enough to ensure that you are creating an equal and comfortable working environment for all: The real task for leadership is ensuring that the issues do not surface in the first place by having clear values and a culture that reflects this."<br></p><h2>Defining the Problem</h2><p>Workplace sexual harassment is more common than organizations would like to admit, possibly because the conduct is not always overt — at least not initially. What starts as innocent employee behavior such as office "banter," light-hearted teasing, jokes, and good-natured squabbles can quickly turn sour.<br></p><p>Generally, sexual harassment, or conduct of a sexual nature that is unwanted, can apply to all genders. It has the purpose or effect of violating the dignity of a worker, or creating an intimidating, hostile, degrading, humiliating, or offensive environment for him or her. <br></p><p>Lawyers warn that behavior can still be considered sexual harassment even if the alleged harasser didn't mean for it to be, or if the conduct was not intentionally directed at a specific person — nude or explicit images left displayed on a computer screen, for example. Furthermore, even if an employee has put up with such conduct for years, it does not mean that it is acceptable or that the person sought such behavior — even if that employee went along with the jokes as a coping strategy.<br></p><h2>Policy and Communication</h2><p>Fundamental to any sexual harassment response is the need for a robust and easily understandable policy outlining what is considered sexual harassment, and what the consequences are for noncompliance. 
It is important not only to have a policy, but to make sure it is communicated organizationwide, according to experts.<br></p><p>Working with HR, internal audit functions should "ensure that complainants know who the complaint should be made to and ensure the person with day-to-day management of the complaint is impartial, objective, and trained thoroughly in dealing with such sensitive matters," says Ed Cotton, partner at U.K. law firm TLT. "Failure to proactively address sexual harassment in the workplace can result not only in costly litigation, but also loss of productivity, negative publicity, damage to employee morale, and high staff turnover rates."<br></p><p>People's understanding of what constitutes sexual harassment often varies from person to person, so it is a priority to educate staff and management as to what kinds of behavior and language may amount to harassment and what the boundaries are. According to Sue Morrison, managing director at employment law advisory firm By Design Group, internal auditors should ensure that organizations provide workplace training on the topic, as well as on equality and diversity. She also recommends that internal audit, working closely with HR, make sure employers have clear and rigorous policies in place that not only act as a deterrent for any potential harasser, but ensure that victims know that they can and should report any conduct and that they would be protected should they do so. <br></p><p>Internal auditors should also review what steps the organization can take following an allegation. Morrison says that if employees have been harassed, or feel that they have, organizations should refer them to a counseling service. Employers should also review their disciplinary processes so that they are sufficient to tackle the issue if misconduct is found to have occurred: For example, the company may need to separate the complainant from the accused or suspend the alleged harasser. 
<br></p><h2>Training and Culture</h2><p>Ultimately, says Patrick Williams, clinical director at well-being specialists LifeWorks, prevention is the best policy, and internal audit will have a key role in ensuring that expectations about acceptable workplace conduct are both understood and communicated effectively. "All employees need to be made aware of their company's code of professional behavior, workplace harassment policies, and where help is available," Williams says. "All employees — male and female, senior management, and field workers — must be required to take harassment training."<br></p><p>Since the sexual misconduct allegations at Ted Baker, the company has renewed training for all employees on HR policies and procedures and on acceptable workplace conduct. It also now maintains an independent and confidential whistleblowing hotline and has enhanced the oversight of both people and culture matters at the board level. <br></p><p>Creating a culture of inclusivity begins with managers, Williams says, and internal audit must check that the process is reviewed to retain its effectiveness. "Employees need to see that there is zero tolerance for any form of discrimination, bullying, intimidation, or unprofessional behavior," he says. "By doing so, managers can help create a healthy workplace in which all employees feel respected, valued, and safe."<br></p>Neil Hodge
The Upside of Risk (https://iaonline.theiia.org/2019/Pages/The-Upside-of-Risk.aspx)<p>Internal auditors characteristically interpret professional requirements to contribute to organizational risk management as helping senior management address weaknesses and threats to achieving the organization's objectives. The tendency to focus on downside factors that can actually or potentially impede organizational success is well-established and provides value that must continue to meet professional and stakeholder expectations. </p><p>But what about the organization's strengths and opportunities and their contribution to organizational goals? The concept of <em>positive auditing</em>, an approach that extends risk-based analyses and plans to improve strengths and opportunities, can enhance the value of independent assurance. While a typical internal audit provides assurances on downside organizational weaknesses and threats needing to be addressed, positive auditing provides assurances on upside organizational strengths and opportunities that need to be sustained. </p><p>Risk-based plans should include assurances on strengths, opportunities, and upside factors deemed critical to achieving organizational objectives. Importantly, this expansion complies with the current Definition of Internal Auditing and mandatory requirements of the International Professional Practices Framework (IPPF). Positive auditing enhances the organization's reputation by addressing the interests of the organization's stakeholders on what is working, as well as identifying areas needing improvement. </p><h2>A Shift in Approach</h2><p>Shifting focus to strengths is consistent with innovations in the fields of social behavior. In 1998, after more than 100 years of primarily addressing the negative aspects of individual and social behaviors, the psychology profession formally expanded its scope to include the now burgeoning field of positive psychology. As noted by C. R. 
Snyder, Jennifer Pedrotti, and Shane Lopez in their book, <em>Positive Psychology: The Scientific and Practical Explorations of Human Strengths</em>, "positive psychology offers a balance to this previous weakness approach by suggesting that we also must explore people's strengths along with their weaknesses. … Positive psychology seeks a balanced, more complete view of human functioning." </p><p>By making a similar enhancement to how it sees and promotes itself, and how it is seen by its stakeholders, internal audit offers a more balanced and complete orientation to the assurance paradigm, which is a new area for service innovation and professional growth. </p><h2>Balanced Engagement Reporting </h2><p>Internal auditors have taken initiatives to provide more balance in their reports by including positive findings for engagements that normally focus on downside issues requiring improvement. This added balance demonstrates a greater understanding of business operations by internal auditors, motivates managers by recognizing where their efforts are showing results, and, consequently, encourages greater acceptance to address recommendations for improvement. Positive auditing builds on these initiatives and benefits by designing risk-based plans and engagements from the outset that consider the provision of high levels of assurance on positive areas deemed critical to organizational success within the domain of internal audit. </p><h2>More Complete Risk Analyses</h2><p>The IPPF defines risk as "the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood." This definition is not limited to downside uncertainties; it also includes upside uncertainties, such as opportunities for gains.  
</p><p>The concepts of risk and risk management applied by internal auditors characteristically focus on addressing adverse uncertainties that are likely to negatively impact the achievement of organizational objectives. The orientation toward negative risk may be partly explained by the desire to minimize audit risk, such as the risk of making inaccurate assessments. As organizational weaknesses and threats often are known or suspected, there is less risk in accepting an internal audit and its recommendations. Because management makes decisions involving both upside and downside uncertainties, internal audit's risk analyses should be more comprehensive, leading to the development of more complete analytical tools and critical thinking. </p><h2>More Complete Risk-based Internal Audit Planning</h2><p>With positive auditing, risk-based audit planning broadens the scope of risk assessments to consider strengths and opportunities critical to the organization and where independent confirmation adds value. It brings consultations on internal audit plans more in line with management's interests in what is working and where independent assurances address the interests of external stakeholders. There is likely to be wider coverage and fuller alignment with the organization's business priorities. </p><p>There are occasions when independent evaluation and confirmation by internal audit of organizational strengths and weaknesses adds value. Consider three internal audit domains — organizational governance, risk management, and controls processes — which in the examples shown are not given priority in internal audit plans because there are no indications of significant adverse risk.  </p><p><strong>Organizational Governance</strong> This domain can benefit from assurances on organizational opportunities and strengths, as well as threats and weaknesses. 
Internal audit's objectives might be to:</p><ul><li>Ensure the organization appropriately administers complaints concerning social and personal behavior.</li><li>Ensure the integrity of positive performance information supporting year-end bonus payments to management. </li></ul><p><strong>Risk Management</strong> This domain benefits from oversight that provides comprehensive, validated information. The internal program of risk management considers strengths and opportunities, as well as weaknesses and threats to organizational success. Internal audit's objectives might be to:</p><ul><li>Ensure the robustness of the strengths and opportunities reported across the risk management program. </li><li>Ensure the quality of due diligence activities in support of significant organizational initiatives and decision-making. </li></ul><p><strong>Examinations of Control Processes</strong> This domain provides operational oversight to keep the organization on track in achieving its objectives. Control processes adapt to evolving organizational needs. Internal audit's objectives may be to:</p><ul><li>Ensure the continued relevance and quality of performance standards and information relied on by senior management. </li><li>Ensure the continued cost-effectiveness of systems of internal oversight. </li></ul><p>These examples show where positive auditing might provide value-added assurance to the organization's stakeholders, even when the internal audit program and engagement plans are not expected to make material recommendations for improvement. The expanded scope into positive areas has the additional benefit of increasing internal audit coverage to find possible fraudulent behavior within the organization. 
</p><h2>The Case for Positive Auditing </h2><p>Positive auditing broadens the range of internal audit assurance services by enhancing systematic consideration of upside factors — organizational strengths and opportunities — in support of achieving organizational objectives. It provides a direction for service innovation and professional growth within the current IPPF by addressing upside risks and confirming what is working — both of which are deemed critical to organizational success. </p><p>It also contributes to organizational improvement by enhancing due diligence of management oversight and confirming the strengths in areas deemed critical to success. Internal audit processes increase analysis and attention to critical factors in the area being examined by all concerned. Should the examination disclose unexpected areas for improvement, management will have shown itself to be proactive and diligent in its pursuit of organizational performance. Either way, the confidence of external and internal stakeholders in management oversight is increased.</p><p>Positive auditing also provides an opportunity to enhance the paradigm of the internal audit profession, expand the range of assurance services in risk-based plans, and tell new stories to our varied stakeholders. The internal audit community should consider the matter together, consult with stakeholders, and determine the extent to which positive auditing offers a viable direction for innovation in the profession.<br></p>Basil Orsini
Auditing Culture: Bumps in the Road (https://iaonline.theiia.org/2019/Pages/Auditing-Culture-Bumps-in-the-Road.aspx)<p>Internal auditors new to auditing culture should be aware of the challenges they might encounter during this type of assessment. In this latest installment of my "Auditing Culture" series, I present some of these challenges, together with potential ways of addressing them. Although the list is by no means exhaustive, it should give practitioners a few insights into what to expect.<br></p><h3>Culture is multifaceted and complex.</h3><p>There are many models of culture available today. Those I have seen include anywhere from four to 30 cultural drivers. Moreover, each driver interacts with the others in complex ways. To foster the desired culture, each of these drivers should be well-designed, aligned with the other drivers, and operating effectively. </p><p>It is impossible to deal with all the nuances of this complex web, but we don't have to. Internal audit's goal, as I said in my <a href="/2019/Pages/Auditing-Culture-History-and-Principles.aspx">previous installment</a>, is to provide stakeholders insight about the culture and to continually enrich their understanding of it. We do need to be aware of the complexity of culture to avoid jumping to conclusions on limited evidence.<br></p><h3>There are no agreed-upon criteria for what constitutes a good culture.</h3><p>The first researchers who studied organizational cultures tried to identify the characteristics of a good culture. Today, the general consensus is that there is no universally "right" or best culture. For example, a venture capital firm takes big risks for potentially big rewards, whereas a commercial bank should have a more balanced approach. 
Likewise, an internet startup may be almost completely focused on innovation, while an established internet service provider might be more conservative. <br></p><p>Cultural variations will even exist within the organization. Finance could have a more conservative culture, while the sales team's culture may be considerably more aggressive — both within limits, of course. That said, there is probably a "right" culture for each organization — the culture that will best help achieve its strategy and business objectives. The organization's strategy can be the starting point for internal auditors in dealing with this challenge.<br></p><h3>Managers create subcultures within their spheres of influence.</h3><p>These subcultures will often be appropriate, as in the example of finance vs. sales. But if they fail to align with the culture adopted by the organization at large, subcultures may be problematic. <br></p><p>While the multiplicity of subcultures can be challenging, it also presents an opportunity for internal auditors. Inconsistency between a subculture and the desired culture often creates risk, and business leaders need to be aware of it.<br></p><p>Before reporting these inconsistencies to higher levels, internal auditors should work with local managers to help resolve them. To help prevent managers from becoming defensive, auditors could try showing them evidence of the problem rather than just stating that a problem exists. That way, managers learn about the problem by seeing the inconsistencies for themselves. Although not always successful, this approach often works with well-intentioned managers who want to improve. 
When it does work and the risk is not severe, internal audit can monitor the resolution informally in a positive, collegial manner and may not have to embarrass the manager by reporting it to higher levels.<br></p><h3>Management and the board rarely define expectations for the culture.</h3><p>Ideally, expectations should be defined across each part of the business and include observable behaviors that illustrate consistency with, or variance from, the desired culture. Internal audit would then have specific criteria to audit against.</p><p>To deal with undefined cultural expectations, some internal audit functions use a published culture model, tailor the cultural drivers to their organization, and agree it with management and the board. The effectiveness of each driver in helping the organization achieve its objectives then becomes the criterion they audit against.<br></p><p>Many, if not most, organizations have at least four or five stated values. Although general, these values can sometimes serve as criteria to audit against. One telecom company, for example, had a value of achieving work-life balance for its employees. While auditing a large project, the internal auditors observed people working 60 to 80 hours a week due to unrealistic targets and poor project leadership. After internal audit reported this finding to management, the CEO took prompt action to rectify the situation because it violated a value he believed in.<br></p><h3>Cultural inconsistency exists within the extended organization.</h3><p>Few organizations today are self-contained. They have outsourced functions, suppliers, joint ventures, global operations, and so on. These third parties create risks for the organization, and cultural inconsistencies can magnify those risks.<br></p><p>Internal auditors can help the organization come to grips with this challenge by finding out what, if anything, the organization is doing to address it and assessing whether those measures are sufficient. 
For example, I know of two organizations that require third parties to give them a report each year explaining how they conform with the organization's values. One of them meets with each third party to discuss the report, and those meetings are considered the most meaningful part of the assessment process.<br></p><h3>Employees are the best source, with a few caveats.</h3><p>In my <a href="/2019/Pages/Auditing-Culture-History-and-Principles.aspx">first installment</a>, I proposed three principles for auditing culture, one of which is that an organization's culture exists in the perception of its employees. But finding out what employees really think of the culture can be difficult. Here are a few of the challenges.<br></p><p><strong>They might not be fully candid. </strong>Employees may hesitate to say negative things about their work environment to an auditor, fearing retribution if it gets back to their superiors. Dealing with this challenge depends on the situation. </p><p><span style="font-size:12px;">In a small organization in which auditors are trusted, a personal guarantee of confidentiality might be enough. At the other extreme is an anonymous employee survey, administered in a way that makes it physically impossible for anyone in the organization to know who said what. </span><br></p><p>Internal auditors may not always be able to fully convince employees that an online survey is anonymous. One public sector audit function that contends with this issue devised an in-person, group method of collecting information, tailored for its unique circumstances. The department reviews other agencies believed to have serious problems, heightening the potential for mistrust. To help maximize candor, the auditors gather employees in an auditorium with no managers present and ask them to complete hard copy surveys. 
The employees then pass their completed surveys to the end of the seating rows, and the auditors collect them with no way to know who completed each one. <br></p><p>Most audit departments fall somewhere between these extremes. They have to find the right balance: the more the auditors know about where a piece of information came from, the better they can follow up on it, but the less actual or perceived confidentiality the respondents have.</p><p><strong>They may have cultural "blind spots."</strong> A common definition of <em>culture</em> is "How we do things around here." When people join an organization, they want to fit in. They tend to accept the way things are done, assuming there must be a good reason for it, even if it doesn't seem quite right to them at first. <br></p><p>To deal with this challenge, internal auditors can apply their fresh perspective and broad knowledge of the organization to each audit. They are well-positioned to identify cultural inconsistencies that employees might not be aware of. </p><p><strong>They may be subject to cognitive bias and groupthink.</strong> By one count, behavioral economists have identified 188 cognitive biases that hinder effective decision-making. Knowledge of cognitive biases will help internal auditors address them. Jeff Desjardins, founder and editor of Canadian media and news firm Visual Capitalist, identifies a sampling of biases relevant to the business world in his article, "<a href="https://www.visualcapitalist.com/18-cognitive-bias-examples-mental-mistakes/">18 Cognitive Bias Examples Show Why Mental Mistakes Get Made</a>."</p><p><span style="font-size:12px;">Groupthink can also obscure organizational culture. It can infect workshops, focus groups, or similar assessment forums. Facilitation skills should include the ability to recognize and counter groupthink. Also, auditors can use interviews or surveys instead of, or in addition to, group-oriented techniques.  
</span></p><p><strong>Internal auditors may have their own blind spots and biases. </strong>When auditors conduct surveys, interviews, and workshops, they bring their own baggage to the table. Auditors should be mindful of their potential to influence the assessment process or misinterpret results. One technique that might help is to have one or more "challenge sessions" during an audit, in which a more experienced auditor, independent of the audit team, meets with team members to challenge their thinking.<br></p><p><strong>Clients' response to the results will be influenced by the culture.</strong> This may be true of the overall culture or the subculture created by a manager. Whether preparing to deliver initial verbal reporting on an issue or the final written report, internal auditors should consider how culture might affect the client's response and plan accordingly. </p><p><span style="font-size:12px;">For example, in a company with an aggressive sales culture, managers might be successful in the short term by driving employees to meet unrealistic targets. In doing so, they create a highly stressful, even toxic environment. Neither local nor senior management in such an organization is likely to welcome a recommendation to lower the targets and, in turn, the pressure. Providing concrete examples of the long-term harm this environment has caused in some parts of the organization or in other organizations (like Wells Fargo) would not guarantee success but would make acceptance more likely.</span><br></p><h3>Overcoming Roadblocks<br></h3><p><span style="font-size:12px;">Internal auditors experienced in culture audits have likely encountered at least some of these challenges, as well as many others. But for those just starting, or about to start, being alert to culture-related challenges can be critical to success. 
As daunting as auditing culture may seem, internal auditors who have the courage to meet these challenges usually find the assurance value gained is well worth the effort.</span><br></p>James Roth
