The Institute of Internal Auditors (The IIA) has recently highlighted the need for auditors to assess organizational culture, but there is very little guidance on how to accomplish the task. In our first installment on this topic, we defined the term culture for the purpose of performing an audit. With an understanding of culture in place, we can discuss an approach to performing the audit.
The idea of incorporating a topic into every audit to look for early warning signs is not new. We do this already with fraud. Auditors are expected to have a red flag awareness on every audit engagement when it comes to fraud. We are going to explore two ways we can include culture red flags in every audit. The first part of this practice will occur in the basic phases of every audit and the second part will be tailored to specific audit engagements.
Cultural red flags can be incorporated into the main audit phases: planning, fieldwork, reporting, and issue follow-up. Maintaining red flag awareness within the audit process is a great place to start for three reasons: the results are directly observable by the audit team; the practice is repeatable, since you will be doing this on every engagement; and, as long as you document the observations, you can track the results for trends and patterns.
If we play out a few common scenarios, the red flags in each audit phase quickly jump into focus. Let’s start with the planning phase.
Red flags we may see in the planning phase will typically be related to pushback from management. This is not to say that any pushback immediately rises to the level of a concern, but we should dig a little deeper to find out the root cause.
Once we are deeper into the audit process, we will perform tests and inevitably there will be some discrepancies requiring follow-up with the auditee. We may even have some initial issues that we have verified and need management to address.
Red flags we may see in the fieldwork phase include guarded conversation, restricted access to process owners, or lack of follow-up with suspected issues. Just like before, a single red flag does not mean the area has a bad culture, but we can learn a lot about a group by observing their behaviors and attitudes. If the group we are auditing shows complete disregard for any problems we may have uncovered, then we must look deeper as they may have the same disregard for their operations and their employees.
Red flags we may see in the reporting phase include inappropriate reactions from management. If you issue audit reports with a score, an opinion, or a rating, you know that the auditee may lose sight of the overall report and focus solely on the score. They want to get a “good score” on the audit and will ask for benchmark comparison against other organizational entities. On the surface, this is a good behavior. We all want to strive to be our best, but when it goes further, we need to be observant of the underlying behaviors. If individuals are singled out for repercussions based on the report (not including fraud), or if management is overly protective of the report distribution, we should note these behaviors and attitudes as a potential cultural concern.
After the audit is complete and the report has been issued, we typically go into a follow-up mode while we solicit status updates from the action plan owners until the issues are remediated. In a perfect world, management would proactively work to close their outstanding issues and notify internal audit when these are complete. Instead, we often find that management needs prompting to provide updates. If you find that management still does not take action to complete the action plan, or if they do so only after more than a reasonable number of reminders, this may expose an underlying disregard for the audit process and for the organization in general.
Taking a red flag approach with auditing culture is a simple methodology that we can apply right away. The key to success is that the approach is repeatable and we can document our findings to look for change. The next hurdle will come when we have to report these issues. In the next installment on the topic of culture, we will explore the unique challenges that come from reporting cultural issues and ways to overcome these confrontations.
Toby is a Certified Internal Auditor (CIA) who holds an MBA with an Internal Audit specialization from Louisiana State University. He is also certified in Control Self-Assessment (CCSA), Risk Management Assurance (CRMA), Internal Control (CICA), and Fraud Examination (CFE). His professional background includes identification and documentation of weaknesses that result in heightened business risk, while recommending solutions to such situations. Toby began his career in internal audit with Macy's Inc. He then worked as an implementation and training consultant for Wolters Kluwer. As a Senior Market Development Consultant at Wolters Kluwer, Toby works with organizations that are looking for software solutions to their audit, risk and compliance needs.
Throughout his career, Toby has helped numerous internal audit departments create, perform, and supervise financial, operational, and compliance audits to evaluate control frameworks, financial systems, and operating procedures.