Post on 07-Apr-2022
Addressing the Challenges of Governing and Auditing Culture
Alan Siegfried, MBA, CPA, CIA, CISA, CRMA, CGAP, CCSA, CFSA, CBA, CGMAMIDATLANTIC FARM CREDIT, ACA — OUTSIDE DIRECTOR AND AUDIT COMMITTEE MEMBER
Adjunct Professor - University of Maryland, Former Director of Internal Audit, and Big Four CPA Firm Partner
This session utilizes Live Polling, join the poll via web:Pollev.com/dl2019
ACCESSING A POLL VIA WEB
To participate in the poll and respond to the multiple choice questions, join the poll via web:Pollev.com/dl2019
dl2019
• NEED FOR MORE EFFECTIVE BOARD CULTURE OVERSIGHT: Recent risk management and governance crises (e.g., Cambridge Analytica, Wells Fargo, Volkswagen, etc.).
• ENHANCE UNDERSTANDING OF BOTH POSITIVE AND TOXIC CULTURES: How the Board can embed Culture into discussions about strategy and risks.
• INFLUENCE OF CULTURE AS DRIVER/ENABLER: How organizational culture affects the Board’s and Internal Audit’s roles, and defines competencies needed in reviewing and monitoring risk management and governance.
• FUTURE TRENDS: Boards and Internal Audit’s role in risk management, governance, and culture: Insights, Future Trends, and Strategy.
Executive Summary
The Iceberg Analogy
Source: CIIA – UK , 2014 "Culture and the Role of Internal Audit: Looking Below the Surface" Report
5 Signs that Your Workplace Culture is TOXICShelly Smith
“Us Against Them” High Staff Turnover, Absenteeism, or Presenteeism Customer Satisfaction NOT Taken Seriously Promotions Based on Length of Service vs. Performance Lack of Acceptance of New Ideas or Change
https://www.youtube.com/results?search_query=5+signs+that+your+workplace+culture+is+toxic
How Poor Leadership Perpetuates TOXIC Culture
Decisions are made by ego; not by business needs Politics is used for own advancement and not for the
organization’s/customers’/employees’ benefit Hard work, results, talents, and people are not appreciated Micromanagement prevails out of insecurity and desires to control others,
sucking the life out of creativity and initiative causing lack of employee development
Managers fail to share information due to lack of trust Lack of integrity, honesty, empathy, and accountability
What Happens When the Culture Is Toxic
Loss of confidence in leadership Groupthink and judgment errors Unethical or illegal behavior Erosion of the brand and
reputational damage Erosion of shareholder value
Remember? “Culture eats strategy for breakfast.”- Peter Drucker
Source: Richard Chambers, CEO IIA —GAM March 2016
What Do Stakeholders Want?
“Demand side” for Governance, Risk Management, Culture, and Strategic Performance audits:
• Board cares more about governance failure risk (value preservation orientation).• Executive management cares more about strategy/performance risk (value creation
orientation).
Majority of Directors of Internal Audit (57%) report that their Board or equivalent supports IA reviews of governance policies (including culture).
North American Internal Audit surveys reveal lowest level of governance reviews globally! IA functions often perform governance audits through a “little bites” strategy. Some IA functions may not be mature enough to do these audits. If governance risk perceived low, then risk-based audits would justify only little
effort being devoted to this area. Soft, Integrity Controls (Intangible, Difficult-to-Measure, i.e. CULTURE).
Culture is both a DRIVER and ENABLER of effective governance!
Source: IIA CBOK Internal Audit Role in Governance Report, 2016
How Culture Influences Talent
If you want to attract “top talent”, you must create a culture that top talent wants to be a part of.
It all starts with TRUST
To attract and keep top talent, you have to let them make many decisions, trust them to do their jobs, and let best ideas win.
Top Talent Stays if they are:
Empowered Supported Involved
Trusted Challenged Mentored
Valued Defended Promoted
What can Internal Audit Bring to the Table?
Provide independent, objective assessments on:• The appropriateness of the organization's governance and culture
structure and process.• The operating effectiveness of entity-level controls and specific
governance activities.
Act as catalysts for change by:• Advising or advocating improvements to enhance the organization's
governance and culture structure and processes.• Providing assurance on the governance processes within an organization.• Facilitating governance and culture best practices.
IA Governance-Related Activities Governance Assurance Engagements:
• Information integrity: relevant, reliable, timely information for strategic decision-making.
• Assuring information integrity of decision-relevant inputs, thus allowing Board/executive management to use information with confidence.
• Typically done in “little bites” (the “nudge” approach).
Governance Consulting/Advisory Services:• Providing decision context, interpretation, and insight.• Conducting comprehensive, enterprise-wide reviews to improve
governance structures and processes.• Educating board about and facilitating governance best practices
(e.g., Board self-evaluation).
Risk Appetite Framework Should Be Aligned with Company’s Philosophy and Corporate Culture
Risk capacity
Risk appetite
Risk tolerance
Risk target
Risk limits
Capital
Strategic goals
Aggregate risk level
Risk appetite correlated to risk category
Risk/Reward balanceRisk tolerance correlated to business plans
and metrics
The aggregate level and types of risk a firm is willing to assume within its risk capacity to achieve its strategic objectives and business plan.
The specific maximum risk an organization is willing to take relating to relevant risks.
The optimal level of risk an organization wants to take in pursuit of a specific business goal.
Thresholds to monitor so that actual risk exposure does not deviate too much from the risk target and stays within an organization's risk tolerance or appetite; exceeding risk limits acting as a trigger for management action.
Credit & Collections
Customer Operations
Technology Marketing HRFinance
Risk targets correlated to controls & authorities at the process level
General Counsel & Corp. Sec.
Source—PwC
Culture Happens by DESIGN or DEFAULT
CULTURE Drives BEHAVIORSBEHAVIORS Drives HABITSHABITS Drives SUCCESS
Auditing Culture Culture—“the way we do things around here” (Bower)—embeds many intangibles, e.g., “soft controls” that
pose audit challenges:• Management and board competence, philosophy, and style.• Mutual trust and openness.• Strong leadership and powerful vision.• High performance and quality expectations.• Shared values and understandings.• High ethical standards.
Strategies for Addressing Culture:• Communicate with senior executives about their views of governance culture.• Develop trust with the audit committee that allows subjective judgments.• Find a champion who supports auditing organizational culture.• Define roles of what IA can realistically do to help improve organizational governance.• Consider incorporating governance audit into IA charter.
Use UNOBTRUSIVE TECHNIQUES™ to audit culture!
Potential Internal Audit Governance/Culture Involvement
Participate in cross functional “what if” discussions to reconsider governance risks and identify action plans.
Help design “how to improve governance and cultural processes” to better address risks. Redirect audit resources to reassess highest risk areas:
• Risk assessment and risk management/monitoring practices.• Complex decision models—relying on information—the relevance of “information integrity risk”.• Culture, strategy, IT governance.• Fraud risk management and loss prevention.• Extended enterprise reviews.
Internal audit review of organizational governance and culture (assurance and advisory engagements).
Strategies for Auditing Risk Management Culture
Identifying culture as the “Root Cause” in Individual conclusions/findings
Audits of culture within lines of service, business units, or geographies
Issuing capstone or theming reports based on multiple inputs
An enterprise-wide assessment of culture
Source: Richard Chambers, CEO IIA—GAM March 2016
Framework for Organizational Culture Assessments
Theme Areas of Emphasis
Mission, Vision, and Values • Tone from the Top• Risk culture and accountability• Communication practices• Policies and procedures
Risk Management • Governance framework and risk orientation (e.g., ethics/whistleblower policy)
• Risk Transparency• Risk Tolerance• Risk Response (e.g., agility and resilience)
People/HR Management • Employee lifecycle management• Incentives and rewards• Training and competence• Crisis response preparedness
Source: Adapted from Protiviti Bulletin Volume 6, Issue 12
Practical Considerations: Lack of Support in Auditing Culture Can Be a Hurdle
Source: Pulse of Internal Audit, 2016. CAEs/Directors, North America - Q12
How an Organization Responds to Internal Audit Says a lot about Culture
How receptive is management to an audit of their area?
How open and cooperative is management during an engagement?
How receptive and responsive is management to findings and recommendations?
POLITICS, or the way power is distributed within and across an organization is a key consideration (e.g., Rittenberg & Smith 2015).
Source: Richard Chambers, IIA CEO—GAM March 2016
How Do You Handle a Toxic Work Culture?
Simon Sinek
How Do You Handle a Toxic Work Culture?Simon Sinek
Assess Internal Audit’s Skills and Fill the Gaps
Need ability to identify and assess hard and soft measures of organizational culture.
Need to combine subjective and objective information.
Be confident in relying on qualitative factors or intuition.
Not be reluctant to think out of the box and share good practices from other organizations.
Only 45 percent of CAEs who don’t audit culture agreed that
they are able to identify and assess measures of
organizational culture.
Source: North American Pulse of Internal Audit, 2016
Risk Management, Governance, and Culture Challenges and Opportunities for Internal Auditors
Embrace and execute a risk-based approach:• Availability of resources with relevant subject matter expertise, industry knowledge,
leading practices, tools, and technology.• Boards fear that potential cultural risks may not be addressed.
Better overall process:• Higher expectations from management and AC time/resource constraints on Internal Audit.
Better risk management leadership:• Getting the right input from top management and the Board.• Enhancing top management/Board risk management capabilities.
Better knowledge of limitations:• AC’s and management’s level of understanding of the Internal Audit function.
…Final Thoughts on Culture Oversight and Auditing
Stakeholders will look to the Board and internal audit to help focus on governance and culture improvement; but internal audit needs to be trusted advisor/guide!
Maintaining an ethical organizational culture and tone from the top could be challenging for the board of directors.
Board members need to recognize their oversight responsibilities in this area.
Internal audit can help by educating, providing information on what to look for, and how to recognize red flags related to culture.
Consistency, clarity, communication, and monitoring are critical actions for board members to better reinforce ethical organizational culture.
Source: Journal of Accountancy, July 2018
Additional Useful References
Report of the NACD Blue Ribbon Commission on Culture as a Corporate Asset, including Toolkit, available from NACD 2017.
COSO Enterprise Risk Management—Integrating with Strategy and Performance, Compendium Bundle, Framework, Compendium of Examples, available from each of the COSO sponsoring organizations 2017.
Turning Corporate Culture Into a Competitive Advantage, Robert Half/Protiviti 2018.
CIIA – UK , 2014 "Culture and the Role of Internal Audit: Looking Below the Surface" Report.
The IIA Bookstore—Various books, other publications, and thought leadership on Governance and Corporate Culture.
Appendix: Audit Questions for Evaluating Culture
Does your organization have a clear purpose and vision? Does your board place importance on culture and actively discuss it alongside,
or as part of, the strategy? Does your organization place as much importance on employees as it does on
its customers? Does the performance management system recognize both achievement of
objectives (the “what”) and the behaviors used in their achievement (the “how”)?
How does HR use the “defined culture” in setting policies and working practices?
Does your website reflect the organization’s culture?
A Journey Into Auditing Culture: A Story and a Practice Guide Susan Jex and Eddie J. Best — Grant Thornton
Appendix: Audit Questions for Evaluating Culture
Is external media monitored and managed to help support the reputation of the organization and its culture?
When you see your organization’s name in a headline, do you expect the article to be positive?
Does your organization’s marketing material reflect your organization’s culture? How does your organization go about developing, designing, and refining
products, and how is customer feedback utilized? How does the organization assess its service in the context of its defined culture? Is culture recognized as a key risk, and are controls embedded in the risk control
framework? Are you comfortable that processes that you are asked to follow do not
compromise your beliefs and values?A Journey Into Auditing Culture: A Story and a Practice GuideSusan Jex and Eddie J. Best — Grant Thornton
Appendix: Audit Questions for Evaluating Ethics Culture
Code of Conduct Culture Interview Questions: Does the employee understand their role in complying with the standards established by the
Code of Conduct? Does the employee believe the organization is serious about ethics and compliance? If not,
why not? What does the employee think are the organization’s risks regarding culture, ethics, and
compliance?
Hotline Reporting Mechanism Culture Questions: Does the employee know that there is a hotline number that they can use to report concerns? Does the employee know where to find the hotline number? Does the employee know that there will be no retaliation for reporting a concern, even if it
turns out to be unsubstantiated? If they fear retaliation, ask why? Does the employee know the names and contact information of their Ethics Officer, or the
person they can contact to report wrongdoing?Adapted from “Key Interview Questions for Ethics Audits”AuditBoard
Alan N. Siegfried, MBA, CPA, CIA, CISA, CRMA, CGAP, CCSA, CFSA, CBA, CGMA
Current Board/Audit Committee member, MidAtlantic Farm Credit, ACA — Outside Director and Audit Committee Member, and several other organizations
Managing Director Quetzal GRC, LLC
Accounting and Information Assurance faculty, Robert H. Smith School of Business, University of Maryland, MD
Former Director of IA of multiple international financial service organizations, and Big 4 firm partner
410.570.5400 (m)
Email: siegfal@gmail.com
Author/Speaker Information