Should Internal Audit perform a culture audit?
Steve Bruce asks if internal audit should audit culture and highlights the different approaches and challenges when carrying out this audit.
In a previous article he looked at organisational culture and the challenge for internal audit.
Internal Audit can give assurance and confidence to Boards that measures put in place to change culture are working and the tone at the top is reflected across all levels. In 2017 ICAS published an article reviewing the IIA’s Guidance on Effective Internal Audit in the Financial Services Sector which recommended that Internal Audit should include risk and control culture within its scope of work. The IIA also published further useful guidance on Culture and the Role of Internal Audit.
Sometimes management or even internal audit members may be sceptical about whether internal audit should audit culture or is sufficiently qualified to add any value. To overcome this, there needs to be an open dialogue between the Head of Internal Audit and the Audit Committee or Board to discuss the importance of auditing culture, what might be achieved from this audit and, if required, to expand the mandate of internal audit by updating the Internal Audit Charter accordingly.
Although not always the case, scandals in a specific industry or regulatory requirements or expectations may help internal audit’s case to push for an audit of culture. This may also depend on a good level of risk maturity existing within your organisation along with the ability and desire to embrace the audit and not see it simply as a box-ticking exercise.
Approaches to the audit of culture?
Once there is agreement with the Board or Audit Committee to proceed with an audit or review of culture, internal audit departments are taking different approaches to auditing culture as follows:
- Incorporating a culture element into every risk-based audit using a tailored testing programme or survey or both;
- Performing a stand-alone audit of culture; and
- Thematic analysis across all internal audit’s work, for example using root-cause analysis to identify where culture and certain behaviours may have been the main driver for an audit issue and attempting to ‘join the dots’ across many audits to identify any pattern or themes.
Some internal audit functions may implement only one of the above and others may implement all the approaches or a combination.
What resources are required for an audit or review of culture?
An audit of culture will involve reviewing more qualitative information that relies on auditors’ ‘gut feel’ than a typical risk-based internal audit project. Skills such as developing and analysing surveys and conducting interviews, often with senior management, are critical to the success of this audit. Therefore, it is recommended that the most experienced and talented members of the audit team carry out this review. A high level of tact and discretion is required as the issues surrounding culture can be subjective, sensitive and often point to the most senior levels of the organisation.
The Head of Internal Audit together with the Audit Committee or Board need to assess internal audit’s capabilities to conduct such an audit, for example, designing and interpreting an effective survey. Surveys and interviews only provide indirect observations of behaviours and some employees may feel unable to speak openly and honestly. Consequently, consideration should be given to co-sourcing or even outsourcing this type of audit dependent on this assessment of capabilities.
A clear benefit of co-sourcing or outsourcing this audit should be the ability of the external firm to help independently benchmark one organisation against competitors and other industries. Internal Audit is part of an organisation’s culture and may have inadvertently adopted the same cultural values and ethics as the rest of the organisation. However, there is always a cost factor of co-sourcing or outsourcing this audit as it is usually the most senior individuals in external firms who can offer the most insight and benefit.
What should internal audit look for when auditing culture?
A key US financial services regulator, the Financial Industry Regulatory Authority (FINRA), published guidance on what information they would look for when inspecting culture within an organisation and this may be useful when internal audit performs a culture audit:
- A summary of key policies and processes by which your organisation establishes cultural values including whether there is a board level function and, if so, what is the Board’s involvement? The summary should also provide a description of any steps in the past one to two years to promote, strengthen or change culture in your organisation.
- A description of the processes employed by executive management, business unit leaders and control functions in establishing, communicating and implementing the organisation’s cultural values. This should include how executive management communicates, promotes and establishes a ‘tone from the top’ as it relates to cultural values. It should also describe the organisation’s approach to ensure its cultural values are adopted and applied by middle management.
- A description of how the organisation assesses and measures the impact of cultural values and if they make a difference in achieving the desired behaviours. Provide a summary of the policy statements, procedures and mission statements or other documents to reflect the organisation’s assessments and measures.
- A summary of the processes the organisation uses to identify policy breaches, including the types of reports or other documents your organisation relies on when determining whether a breach of its cultural values has occurred.
- A description of how the organisation addresses cultural value policy or process breaches once discovered. What efforts promptly address these policy or process breaches? What is the escalation process to surface and resolve such breaches?
- A description of the organisation’s policies and procedures to identify and address any subcultures (for example, branches) within the organisation that may depart from, or undermine, the cultural values articulated by the Board and senior management.
- A description of your organisation’s compensation practices and how they reinforce your cultural values.
- A description of the cultural value criteria used to determine promotions, compensation and other rewards. Describe opportunities for promotion to managing director or equivalent to employees in key control functions.
The answers to the above points should help inform the internal audit testing approach most likely using a combination of surveys, interviews and substantive testing.
How should internal audit report the results of the audit?
Again, different approaches are followed by internal audit departments but whatever approach is adopted, it may be sensible to discuss with the Audit Committee or Board prior to starting the audit. Sometimes cultural weaknesses or issues are only reported by internal audit orally which may be for the following reasons:
- Managers may agree with internal audit’s observations orally but get defensive and take it personally especially when they see points written in an audit report of culture; and
- It can be difficult to express the audit issue in words and thus may be open to misinterpretation. Any audit report of culture will naturally be of great interest to regulators and senior management may question and scrutinise some of their direct reports.
However, many internal audit departments will report issues in their normal audit report format with issues, impacts and action plans including owners and deadlines. Due to the heightened sensitivity of auditing culture, extra time may be required over the wording of the report but, somewhat ironically, publishing an audit report on culture may be a good indication of an open and transparent culture within an organisation.
There are many excuses why an audit or review of culture is not undertaken by internal audit but not many valid reasons offered. To perform an effective audit or review of culture may be somewhat dependent on the risk maturity within an organisation, but even in the absence of such maturity, such an audit can act as a catalyst for positive change.