Auditing corporate culture

Richard F. Chambers – President & CEO of the Institute of Internal Auditors (IIA)

Never in the history of human endeavours has it been easier for individual enterprises to reach around the globe for raw materials, labour, financing, market opportunities and economies of scale. But in this exciting world of business prospects also lies new and vexing challenges.

Simply put, the increasingly global marketplace giveth and it taketh away.

While globalisation and new technologies allow even modest enterprises to successfully expand their footprint, it also exposes them to new risks. Cybersecurity is the most obvious example, but there also exists increased vulnerabilities related to compliance, operations, corruption, fraud and – significantly – corporate culture.

Understanding this juxtaposition is imperative for any organisation’s leadership and board, as well as its internal audit function. Many businesses, government agencies and non-profits are well prepared to take advantage of these new global opportunities because they enjoy the benefits of strong internal controls and well-resourced, independent internal audit departments. Depending on their level of maturity and approach to managing risk, organisations can protect assets, comply with regulations and even thrive on new risks that enable growth. However, much depends on an organisation’s ability to achieve a level of sophistication in their culture, operations and internal audit function.

Management and boards must understand and embrace a holistic approach to managing risk through enterprise risk management (ERM). ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to an organisation’s objectives, assessing them in terms of likelihood and magnitude of impact, determining a response strategy and monitoring progress.

Whether the internal audit function is limited to traditional roles of providing assurance on financial reporting and compliance or is tasked with expanded roles up to and including serving as a trusted advisor to management, it and the organisation as a whole benefit from ERM.

I could offer a lengthy examination on how ERM can positively impact all aspects of an organisation, from financial reports to strategic planning, but recent headlines  appropriately illustrate an area of great importance in preserving good governance, effective internal control and ultimately, successful ERM: corporate culture.

The third line of defence

We’ve seen three high-profile scandals that raised serious questions about the influence of corporate culture on internal controls. In rapid succession, troubles at Fifa, Toshiba and Hertz exploded into the public consciousness, drawing not only global media attention, but also sparking speculation about the ability of organisations to withstand inappropriate or misguided top-down pressure.

In each case, we learned about failures in internal control that manifested themselves in prolonged and systemic accounting irregularities or alleged corruption. While the details are critical from a forensic perspective, the bigger lesson these high-profile failings offer is that a strong or inappropriate tone at the top can easily render even viable internal control processes and policies relatively powerless.

In these three cases, we must acknowledge the failures in the system by those in and supporting the C-suite, including internal audit. Unfortunately, we may never know if internal audit or others at Fifa, Toshiba, or Hertz tried, albeit unsuccessfully, to raise red flags about poor internal controls, flawed financial reporting, or inappropriate tone at the top, but that doesn’t preclude our ability to examine how we can best protect organisations from becoming similarly susceptible to an erosion of good governance. The questions we should ask are: how can organisations best serve their external stakeholders, live up to the values expected and correct internal control failings before they get out of hand?

A recently published Group of 30 report, titled Banking Conduct And Culture: A Call For Sustained And Comprehensive Reform provides an interesting laboratory to examine these questions. The report includes a comprehensive analysis of the cultural failures of modern banking that have contributed to a loss of public trust in the finance industry. It calls on the global banking system to identify and focus on desired values and conduct, then introduce steps to engrain those values and conduct into all aspects of the banking system.

It also calls on the industry to adopt the ‘three lines of defence’ model to clearly articulate responsibilities for delivering the desired values and conduct. This includes keeping internal audit’s role as the third line of defence as an assurance provider.

Internal audit’s role in corporate culture

This is not a new concept. Once labelled ‘auditing soft controls’, then ‘auditing tone at the top’ and now being referred to as ‘auditing culture’, internal audit’s role in this has not moved to the forefront. Maybe it is high time it did.

Internal audit is in the position to successfully examine and monitor corporate culture, but only if it can develop skills that combine subjective and objective measures. These quantitative and qualitative skills are a must if we are to take auditing culture beyond a simple checklist of feel-good policies and protocols. Ultimately, the success of auditing culture lies in getting to the root cause of problems that begin with or are fed by weaknesses in corporate culture.

It should go without saying that management and board members must be signed up to this expanded scope of work for the internal audit function. Indeed, one of the biggest challenges may be convincing stakeholders of the value of auditing culture. But the scandals at Fifa, Toshiba and Hertz provide painful examples of what happens when corporate culture runs afoul of tone and leadership that supports good governance.

It is also important to acknowledge that the value in auditing cultures rests with its ability to provide ongoing assurance. In other words, all stakeholders must agree that auditing culture is a constant and continuous endeavour.

What’s more, all players must recognise and agree that auditing culture is more than just putting the C-suite’s tone on internal audit’s radar. Heads of subsidiaries or divisions within an organisation often set their own tone and that may not reflect the desired corporate culture. Organisations with well-resourced and independent internal audit functions can successfully monitor corporate culture at both the macro and micro levels.

The next step is to begin the conversation in earnest about how organisations can move forward on this issue. The fundamental first step is defining what auditing culture means. It must include a deep understanding of both the stated and unstated elements of the organisation’s culture, identifying situations – and individuals – in which behaviour and/or actions may be inconsistent with the desired culture and reporting on those circumstances at the earliest indication of a possible disconnect. It starts with making sure everyone in a position of influence is not only talking the talk, but truly walking the walk.

This challenge is ambitious, not just for internal audit, but also for all levels of the organisation. As the Group of 30 report reflects, it also is a process of transformation within an organisation or profession that must be sustained long enough to take hold and grow.

But the benefits of the effort should be obvious. A corporate culture that grows strong enough to battle poor or misguided leadership and successfully preserves good governance and internal control is worth the effort.

About The Author:

Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA, is president and chief executive officer of The Institute of Internal Auditors (IIA), the global professional association and standard‐setting body for internal auditors. The IIA serves more than 180,000 members in over 170 countries and territories and is the internal audit profession’s most widely recognized advocate, educator, and provider of standards, guidance, and certifications.

Richard leverages more than four decades of internal audit and related experience to direct nearly 200 professional staff members at The IIA’s global headquarters in Altamonte Springs and Lake Mary, Fla., achieving agreed‐upon strategies and objectives on behalf of The IIA’s North American and Global Boards of Directors. During more than six years as global CEO, Chambers has led The IIA to record membership and the launch of a number of valuable initiatives to benefit members and the internal audit profession, including the Audit Executive Center; Pulse of Internal Audit; AuditChannel.tv; Internal Auditor Online; the Certification in Risk Management Assurance (CRMA); the Qualification in Internal Audit Leadership (QIAL); The IIA Risk Resource Exchange; the American Center for Government Auditing; and the Financial Services Audit Center.