The Institute of Internal Auditors (The IIA) has recently highlighted the need for auditors to assess organizational culture, but there is very little guidance on how to accomplish the task. In the previous installments on this topic, we defined culture for the purpose of understanding the nature of the audit, and we discussed applying a red flag approach as a methodology to performing the audit. In this third installment, we will discuss a few unique challenges presented by auditing culture.
Adding a culture aspect to our audit plans may be feasible for many departments, but once it’s done, there are many difficult and unique challenges. One of the biggest challenges will be attempting to put cultural issues in writing. We can take a pro/con approach toward writing down culture issues.
For pros, the most basic is that only written issues will ever be addressed. Even from an audit perspective, if we plan to look for patterns and trends we must write down our observations. In the bigger picture, only written issues will be compiled and presented to the audit committee.
The cons can be intimidating, but these can be managed. People become defensive when the issues are written. Even when managers agree with the findings in a discussion, managers may take the written issues personally. Once we start reporting cultural issues, we can expect increased tension between management and audit.
As auditors, very, very few of us are trained to audit attitudes and behaviors, and documenting “soft” issues can be very difficult. Unlike the majority of our work, the basis for the audit is not usually visible or measurable. Gathering any evidence is subjective, and metrics to judge against may not be apparent. If we do not feel we can overcome these challenges, this may be an audit objective we outsource to 3rd party subject matter experts.
Once we have overcome the difficulties and embraced the concept of audit culture, we will be able to include the culture as another issue categorization for summary reporting. The audit committee has a responsibility for the overall governance of the organization, and a troubled culture can destroy even a great organization. When we include culture as an issue type in our root cause analysis summary, we will open the door to increased awareness for the audit committee and ultimately we can begin to affect change to our organizational culture.
As internal auditors, we have a mandate “to add value and improve an organization's operations1 ”. We cannot afford to ignore the risk associated with an impaired organizational culture. Whether we are tracking red flags during every audit, or including specific testing in our engagements, the outcome will add more depth to the value we bring to our organizations.
1The IIA Website - Definition of Internal Audit
Toby is a Certified Internal Auditor (CIA) who holds an MBA with an Internal Audit specialization from Louisiana State University. He is also certified in Control Self-Assessment (CCSA), Risk Management Assurance (CRMA), Internal Control (CICA), and Fraud Examination (CFE). His professional background includes identification and documentation of weaknesses that result in heightened business risk, while recommending solutions to such situations. Toby began his career in internal audit with Macy's Inc. He then worked as an implementation and training consultant for Wolters Kluwer. As a Senior Market Development Consultant at Wolters Kluwer, Toby works with organizations that are looking for software solutions to their audit, risk and compliance needs.
Throughout his career, Toby has assisted numerous internal audit departments create, perform, and supervise financial, operational, and compliance audits to evaluate control frameworks, financial systems and operating procedures.