- Internal audit is responsible for evaluating an organization's culture by assessing strategies, processes, and behaviors to determine if they are aligned with values, ethics, and policies. This involves auditing culture through interviews, surveys, and observations.
- A healthy culture has clearly defined values that guide behaviors, ethical decision-making, accountability, and integrity, while an unhealthy culture tolerates cutting corners and different treatment of people.
- Auditing culture presents challenges as behaviors are subjective, but internal audit must develop skills in qualitative methods and act as a role model to provide the board assurance on an organization's ethical climate.
2. Synopsis of Presentation
• What is culture?
• Why is it so important?
• Who is responsible for culture?
• Why is Internal Audit involved?
• How do you audit culture – theory and practice?
• Conclusions
3. What is organisational culture?
Some definitions:
• The values, beliefs and attitudes that characterise an
organisation and guide its practices
• The organisation's values and how these are translated
into everyday actions and behaviours
• How the organisation conducts its business, treats its
employees and customers and the wider community
• The way we do things around here!
4. Why is culture so important? (1)
Libor rate fixing MP’s expenses
FIFA BP ‘Deepwater’ Oil leak
News of the World phone hacking VW
Enron Japanese nuclear disaster
Olympus loss-hiding Panama papers Toshiba
Worldcom Mid-staffordshire health
5. Why is culture so important? (2)
• 2014 Ipsos Mori survey found that c40% of those surveyed believed
that companies were ‘not very’ or ‘not at all’ ethical in their
behaviours!
• 2016 CIIA Survey found that 31% of Boards across the private and
public sectors had not established or articulated what sort of
corporate culture they wanted
• In the private sector, a healthy culture is critical to the ‘bottom line’
• New standards bodies set up to improve behaviours
• In the public sector, greater scrutiny of ethics and behaviours
6. Responsibility for Culture
• Responsibility for corporate culture lies with those in the boardroom!
• Boards and executive management have prime responsibility for
defining and analysing organisational culture by promoting good
ethics and values and behaviours [CIIA Report on Organisational
Culture 2016]
• The Board should articulate their expectations around values
and behaviours [CIIA Report on Organisational Culture 2016]
• Boards should try to embed a ‘just’ culture [CIIA Report on
Organisational Culture 2016]
• Boards should seek assurance that staff are effectively ‘living the
values’ [CIIA Report on Organisational Culture 2016]
7. Culture - Internal Audit’s Role
IA’s role is to provide independent assurance
• Assessing and evaluating the extent strategies and processes, eg
performance management, remuneration, decision making and ‘tone at
the top’ are in line with the values, ethics, risk appetite and policies of
the organisation
• IA can help the Board in judging whether measures put in place to
change culture and thus behaviour are actually working
• IA must also act as a role model and ethics champion
• IA is uniquely placed to give assurance to those in the boardroom -
can provide confidence that there is a strong commitment to good
conduct and that it is translated into daily behaviours!
8. Guidance for Internal Auditors
This guide provides internal auditors with a framework for the
evaluation of ethics-related programs and activities. Because
various countries and cultures have different views of what is
considered ethical behaviour, the guide provides a range of
examples, definitions, and principles that are not meant to be
comprehensive but provide a platform on which internal auditors can
build their evaluations. The principles apply equally to the public and
private sectors.
Practice Guide: Evaluating Ethics-related Programs and activities [June
2012]
9. Definition and IA Standard
Definition
A strong ethical culture is the foundation of good governance. An ethical culture is
created through a robust ethics program that sets expectations for acceptable
behaviours in conducting business within the organization and with external parties.
IIA Standard 2110.A1
Requires that internal audit evaluates the design, implementation and effectiveness of
the organization’s ethics-related objectives, programs, and activities.
This Practice Guide provides guidance for evaluating program effectiveness and
compliance; it includes a potential audit approach, procedures, tools and techniques.
]
10. How can Internal Audit Fulfil this Role?
• Assess the state of the organization’s ethical climate
• Evaluate the design, implementation and effectiveness of the
organization’s ethics programme/ framework
• Provide assurance that ethics programs achieve stated
objectives.
• Be a role model and ethics champion.
• Act as a catalyst for change.
• Provide expert advice and challenge on ethics-related issues
[IIA Global Practice Guide].
11. Is the organisation ready for a culture audit?
• Why are we doing it? Do the Board/ Audit Committee
want it or do IA think it is a good idea?
• How receptive is management likely to be to an audit of
culture in their area?
• Will management and staff cooperate?
• How receptive and responsive is management to
findings and recommendations?
12. Audit of Culture – Typical Questions
• Is there a code of conduct, ethical policy and articulated
set of organizational values?
• Are values communicated and widely understood?
• Do employees see management behaviour as being
consistent with values? If not, are they encouraged to
challenge these behaviours?
• Do performance plans and the compensation framework
align with values? Is bad behaviour penalised (even if
shown to be profitable!)
13. How to audit culture
• The Institute’s research shows that the most popular
methods for auditing culture are conducting interviews
and behavioural observation using staff surveys,
whistleblowing activity; customer complaints handling
and the use of values statements.
• Heads of Internal Audit also reported that reliance on
their professional judgement and experience were key
when auditing culture (85% and 71% of respondents to
the Institute’s survey respectively).
[CIIA Report on Organisational Culture 2016]
14. Types of Culture Audits
Discrete reviews
Standalone audits focussing on culture using surveys, interviews,
metrics, behaviours
Component Reviews
Embed consideration of ethics and culture into audits not dedicated
to culture risks, eg product suitability, new products, incentive
schemes, etc
Consolidation
Extract applicable findings from all audits across the business,
processes, programmes, etc
15. Its not just about written procedures!
“As officers and employees of Enron Corp., its
subsidiaries, and its affiliated companies, we are
responsible for conducting the business affairs of the
companies in accordance with all applicable laws and
in a moral and honest manner.”
[Enron code of Ethics 2000]
16. Audit Approach
• Communicate with senior executives about their views of
culture
• Develop trust with Audit Committee that allows
subjective judgments
• Find and cooperate with other assurance providers
• Consider incorporating auditing culture into internal
audit’s charter
17. A Healthy Culture - Examples
• Ethical tone at the top
• Clearly defined vision, mission, values and expected behaviours
• Decision-making stands up to scrutiny under the ‘ethical microscope’
• Teamwork & collaboration
• Good behaviour rewarded; bad behaviour challenged/ discouraged
• High employee morale
• Honesty, trust & transparency
• Pride in the organisation
• Clear ownership & accountability
18. The ‘Ethical Microscope’
• Goes beyond the normal tests, ie compliance with laws
regulations, policies
• The greatest good for the greatest number
• Who benefits/ who suffers?
• Sustainable benefits not just short term
• Impact on morale
• Consistent with organisation’s values
19. Unhealthy Culture - Examples
• The ends justify the means
• Cutting corners to achieve short term goals
• Different standards for different people
• Poor communication
• Blaming others & defensiveness
• Distracted, unproductive employees
• No confidence in leadership
• Unethical/ illegal behaviour
• The talk isn’t walked!
20. Challenges for Internal Audit (1)
• This is all fairly new – does IA have the right skills?
• How do you gather evidence?
• Whilst an ethical culture can be tracked and measured in visible
ways, the instruments for doing this, eg staff surveys, provide only
indirect observations of behaviour at best. Employee surveys may
be skewed if not underpinned by a culture of being able to speak
openly and honestly!
• IA needs to upskill in qualitative methods such as surveys and
interviews
21. Challenges for Internal Audit (2)
• IA are used to reporting evidence based hard facts; gut feel will also
be needed here! - IAs will need to use root cause analysis, ie going
beyond processes and controls to look at behaviours that influence
decisions
• IA is part of the ethical culture itself!
• IA needs to distance itself from cultural drivers, such as bonuses!
• Perhaps IA should subject itself to a culture audit of itself!
22. Conclusions
• Most corporate failures and public sector scandals can be
attributed to cultural weaknesses
• Audit of culture is becoming increasingly important
• The science/ art of auditing culture is still at an early stage
• Successfully auditing culture will depend on relationship with
the Board and senior management
• Internal Audit must be courageous and influential in promoting
a healthy culture