AUDITING CULTURE Kayla Flanders, CIA, CRMA Deanna Bennigsdorf, CIA, - - PowerPoint PPT Presentation

auditing culture
SMART_READER_LITE
LIVE PREVIEW

AUDITING CULTURE Kayla Flanders, CIA, CRMA Deanna Bennigsdorf, CIA, - - PowerPoint PPT Presentation

Sep 12, 2022 258 likes •719 views

AUDITING CULTURE Kayla Flanders, CIA, CRMA Deanna Bennigsdorf, CIA, CRMA IIA Sioux Falls Chapter February 20, 2018 OVERVIEW What is all the talk about culture? What is culture? Why is culture hard to audit? Does Internal Audit

slide-1
SLIDE 1

AUDITING CULTURE

Kayla Flanders, CIA, CRMA Deanna Bennigsdorf, CIA, CRMA IIA Sioux Falls Chapter February 20, 2018

slide-2
SLIDE 2

OVERVIEW

  • What is all the talk about culture?
  • What is culture?
  • Why is culture hard to audit?
  • Does Internal Audit have a role?
  • Audit Approaches & Techniques
  • Parting thoughts

Caveat: The opinions expressed during this presentation are the individual opinions of the presenters.

slide-3
SLIDE 3

WHAT IS ALL THE TALK ABOUT CULTURE?

slide-4
SLIDE 4

IT IS A TOP OPERATIONAL RISK

Source: Protiviti’s Executive Perspectives on Top Risks for 2017

#8 on the Top 10 Risks for 2017

slide-5
SLIDE 5

IT IS THE CULPRIT IN DEBACLES

Source: “When Culture Is the Culprit”, 2016 IIA Leadership Academy, Richard Chambers

16%

slide-6
SLIDE 6

AUDIT LEADERS ARE INTERESTED

slide-7
SLIDE 7

AND BECAUSE...

  • How organizations, and individuals within

them, behave has become a matter of public concern

  • Regulators are expecting internal audit to

review

  • Boards realize there is an increasing need to

focus on the risks toxic culture presents

  • CEOs and CFOs see culture as critical to

success

Source: IIA The Uncharted Territory of Auditing and Organization’s Culture And “Corporate Culture: Evidence from the Field,” Graham, Harvey, Popadak, and Rajgopal; Duke University, 2015

slide-8
SLIDE 8

WHAT IS CULTURE?

slide-9
SLIDE 9

SO…….WHAT IS IT?

CULTURE IS…

“…the reason why great organizations have sustained success. Culture drives expectations and beliefs. Expectations and beliefs drive behavior. Behavior drives habits. Habits create the future.

  • Jon Gordon

COMPANY SPECIFIC

slide-10
SLIDE 10

CULTURE IS NOT…

WHAT IS SAID… BUT WHAT IS DONE

slide-11
SLIDE 11

CULTURE DEFINED

  • Merriam Webster – a way of thinking, behaving, or

working that exists in a place or organization (such as a business)

  • Investopedia - Corporate culture refers to the beliefs

and behaviors that determine how a company's employees and management interact and handle outside business transactions.

  • It is the values and behaviors that contribute to the unique

social and psychological environment of an organization

slide-12
SLIDE 12

CULTURE IMPLIED

slide-13
SLIDE 13

SIMPLY SAID IT IS… “The way we do things round here.”

slide-14
SLIDE 14

IS DEFINING CULTURE THAT EASY?

NO…

slide-15
SLIDE 15

LOOKS CAN BE DECEIVING

slide-16
SLIDE 16

WHY IS A DEFINITION IMPORTANT?

  • So everyone is on the same page -

definition must be shared

  • You understand where the culture gap is
  • KEY in connecting it to critical corporate

elements such as:

– Organizational structure – Incentives – Strategic planning – Brand development

  • With no definition, linking culture to

strategic elements is a challenge

Source: IIA Audit Executive Center Pulse Solutions – Perspectives on Auditing Culture

slide-17
SLIDE 17

IS EVERYONE ON THE SAME PAGE?

slide-18
SLIDE 18

WHY IS CULTURE HARD TO AUDIT?

slide-19
SLIDE 19

CULTURE TALK IS UNCOMFORTABLE

  • Culture is inherently subjective
  • It is perception influenced by people in

leadership positions

  • Things can get personal quickly
  • Emotions fly
slide-20
SLIDE 20

CULTURE IS SQUISHY AND SOFT

  • Soft controls (control environment, tone at the

top, culture) are more difficult to audit

– Strong leadership – Trust and Openness – High expectations – Shared values – High ethical standards

  • There isn’t a standard model audit program
  • r checklist that we can use
  • Auditing culture is a complex and amorphous

concept

slide-21
SLIDE 21

YES, IT SURE DOES

  • Culture will directly impact how successful

an organization is

  • Culture can be a key enabler to meeting

the business objectives

  • It is one way to add value and improve
  • rganization’s operations
slide-22
SLIDE 22

DOES INTERNAL AUDIT HAVE A ROLE?

slide-23
SLIDE 23

YES!

Internal Audit is now in the corporate culture game

slide-24
SLIDE 24

Definition of Internal Auditing (IIA)

Internal auditing is an independent,

  • bjective assurance and consulting activity

designed to add value and improve an

  • rganization's operations. It helps an
  • rganization accomplish its objectives by

bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

slide-25
SLIDE 25

Internal Audit and Risk Management

  • Risk Management processes are monitored

through ongoing management activities; separate evaluations or both

– Achievement of the organizations strategic

  • bjectives

– Reliability and integrity of financial and operational information – Effectiveness and efficiency of operations and programs – Safeguarding of assets – Compliance with laws, regulations, policies, procedures, and contracts

slide-26
SLIDE 26

AUDIT APPROACHES & TECHNIQUES

slide-27
SLIDE 27

IT IS A JOURNEY

Source: “When Culture Is the Culprit”, 2016 IIA Leadership Academy, Richard Chambers

Use Data Analytics to look for themes Don’t just look at the specific issue and how to correct it Most Challenging

slide-28
SLIDE 28

AUDIT APPROACHES – BABY STEPS

Horizontal – Each Engagement

Assess culture each audit Assess management tone each audit 2nd Line Coordination Annual Summary Report

slide-29
SLIDE 29

AUDIT APPROACHES – GIANT LEAP

Vertical – Enterprise Wide

Massive undertaking All components and elements One culture audit – enterprise wide

slide-30
SLIDE 30

AUDIT APPROACHES – BITE SIZE CHUNKS Risk Cyber Fraud Safety

“Bite-sized Culture Audits”- Jim Pelletier

  • This is not an

exhaustive list

  • Break down into

manageable chunks

  • Pay attention to

what you are already doing

slide-31
SLIDE 31

TOOLS AND TECHNIQUES

  • Supplement with audits of certain key

components of culture, through either vertical or horizontal approaches

– Employee Development – Employee Retention – Whistleblowing/Hotline Activity – Compensation Plans and Strategy

  • Identify culture as a metadata point in root

cause attributes and discussions and be ready to have courageous conversations

  • Perform surveys or host workshops to ascertain

cultural elements

slide-32
SLIDE 32

ASSESS CURRENT STATE

  • Do we have a healthy or toxic culture?
  • Does current culture or sub-cultures promote

behavior alignment?

  • What are the hard controls? Formal

codes of ethics–polices–organizational structure–defined roles–training

  • What are the soft controls? Less Tangible

competence–trust–leadership–expectations–shared values–ethical standards

slide-33
SLIDE 33

EXAMPLE

Source: How to Audit Culture by James Roth

slide-34
SLIDE 34

UNHEALTHY CULTURE

Source: “When Culture Is the Culprit”, 2016 IIA Leadership Academy, Richard Chambers

slide-35
SLIDE 35

WHAT DOES IT LOOK LIKE

Source: “When Culture Is the Culprit”, 2016 IIA Leadership Academy, Richard Chambers

  • Different standards for different people
  • Groupthink and judgment errors
  • Unethical or illegal behavior
  • Poor communication
  • Blaming others & defensiveness
  • The talk isn’t walked!
slide-36
SLIDE 36

TOXIC CULTURE RED FLAGS

Source: IIA The Uncharted Territory of Auditing and Organization’s Culture

slide-37
SLIDE 37

WATCH OUT – SUBCULTURES MAY EXIST

  • Cultures develop locally within business units or

teams

  • Employees will follow actions of their direct

leaders

  • Behaviors may not align with main culture

– Are there systemic failures in controls/compliance? – Is there hotline or whistleblowing activity? – Is there unusual deference to leadership?

slide-38
SLIDE 38

CULTURE AUDIT ENABLERS

Source: IIA The Uncharted Territory of Auditing and Organization’s Culture

slide-39
SLIDE 39

Example from an Iowa Company

Conduct a Post Project Assessment on Management Risk

slide-40
SLIDE 40

Example from an Iowa Company (Cont.)

Conduct a Post Project Assessment on Management Risk

slide-41
SLIDE 41

PARTING THOUGHTS

slide-42
SLIDE 42

SO NOW WHAT?

  • Understand your company’s appetite for

auditing culture

  • Communicate the value
  • Identify the right audit approach
  • Get everyone on board
  • Start small
slide-43
SLIDE 43

OLD CONCEPT – NEW PACKAGE

  • MORE THAN LIKELY, you are already

auditing certain elements of culture.

  • This is not a new concept – just a new

package.

slide-44
SLIDE 44

LAST CHANCE

slide-45
SLIDE 45

RESOURCES

  • IIA – The Uncharted Territory of Auditing an Organization’s Culture (2015)
  • IIA – Auditing Corporate Culture Training and Resources

https://na.theiia.org/standards-guidance/topics/Pages/Auditing-Culture.aspx

  • IIA - “When Culture Is the Culprit” Leadership Academy, Richard Chambers (2016)
  • Financial Stability Board – Guidance on Supervisory Interaction with Financial

Institutions on Risk Culture (2014)

  • Protiviti – The Most Important Risks for 2017 - https://www.protiviti.com/US-

en/insights/bpro-issue-87

  • How to Audit Culture, article by Jim Roth (links to surveys and questionnaires)
  • Global Perspectives & Insights: Auditing Culture – A Hard Look at the Soft Stuff
  • https://iaonline.theiia.org/blogs/Jim-Pelletier/2017/Pages/Bite-sized-Culture-

Audits.aspx

  • https://iaonline.theiia.org/blogs/Jim-Pelletier/2018/Pages/5-Words-That-Should-Be-in-

Internal-Audit-Reports.aspx

  • Report of the NACD Blue Ribbon Commission on Culture As A Corporate Asset, 2017.